[Freeipa-devel] [freeipa PR#17] Tests: Random issuer certificate can be added to a service (opened)

2016-08-24 Thread mirielka
mirielka's pull request #17: "Tests: Random issuer certificate can be added to 
a service" was opened

PR body:
"""
Changing negative test case that verified that a certificate with different
than expected issuer cannot be added to a service to a positive one that
verifies that this operation now proceeds successfully. Corresponds to changes
made in scope of https://fedorahosted.org/freeipa/ticket/4559 implementation.

https://fedorahosted.org/freeipa/ticket/6258
"""

See the full pull-request at https://github.com/freeipa/freeipa/pull/17
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/17/head:pr17
git checkout pr17


freeipa-pr-17.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] Karma Requests for pki-core-10.3.5-3

2016-08-24 Thread Matthew Harmsen
The following updated candidate builds of pki-core 10.3.5 on Fedora 24, 
25, and 26 (rawhide) consist of the following:

 * Fedora 24
   o pki-core-10.3.5-3.fc24
 * Fedora 25
   o pki-core-10.3.5-3.fc25
 * Fedora 26
   o pki-core-10.3.5-3.fc26

Additionally, the CentOS 7 COPR EPEL Builds of Dogtag 10.3.3 were also 
updated:

 * https://copr.fedorainfracloud.org/coprs/g/pki/10.3.3/repo/epel-7/group_pki-10.3.3-epel-7.repo

   [group_pki-10.3.3]
   name=Copr repo for 10.3.3 owned by @pki
   baseurl=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/epel-7-$basearch/
   skip_if_unavailable=True
   gpgcheck=1
   gpgkey=https://copr-be.cloud.fedoraproject.org/results/@pki/10.3.3/pubkey.gpg
   enabled=1
   enabled_metadata=1

These builds address the following PKI tickets:

 * PKI TRAC Ticket #690 - pki-tools man pages --- CMCEnroll
 * PKI TRAC Ticket #833 - pki user-mod fullName="" gives an error
   message "PKIException: LDAP error (21): error result"
 * PKI TRAC Ticket #2429 - [RFE] TPS UI: profile property needs to be
   added one by one can we add in bulk
 * PKI TRAC Ticket #2431 - Errors noticed during ipa server upgrade.
 * PKI TRAC Ticket #2432 - Kra-selftest behavior is not as expected
 * PKI TRAC Ticket #2436 - Dogtag 10.3.6: Miscellaneous Enhancements
   o include JSS cert validation error message in selftest log
   o add debug messages to ConfigurationUtils.handleCerts()
   o apply RFC 7468 Headers/Trailers to PKI tools
 * PKI TRAC Ticket #2437 - TPS UI: while adding certs for users from
   TPSUI pem format with/without header works while pkcs7 with header
   is not allowed
 * PKI TRAC Ticket #2440 - Optional CA signing CSR for migration

Please provide Karma for the following builds:

 * Fedora 24
   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-4d226a5f7e
     pki-core-10.3.5-1.fc24 + resteasy-3.0.17-3.fc24
     + IMPORTANT: This combination build MUST be pushed first
       since pki-core-10.3.5-3.fc24 DEPENDS upon resteasy-3.0.17!!!
   o https://bodhi.fedoraproject.org/updates/pki-core-10.3.5-3.fc24
     pki-core-10.3.5-3.fc24
 * Fedora 25
   o https://bodhi.fedoraproject.org/updates/FEDORA-2016-456eb9f4b7
     pki-core-10.3.5-3.fc25


Re: [Freeipa-devel] [PATCH] 0004 Fix ipa-server-install in pure IPv6 environment

2016-08-24 Thread Martin Basti



On 19.08.2016 14:09, Tomas Krizek wrote:

Hi,

please review the attached patch.

Make sure the hostname isn't resolved to link local IPv6(feXX:...) 
during testing, which doesn't work (and isn't supposed to).





It did not work for me,

pki-ca-spawn.log:
/ca/getStatus (Caused by 
NewConnectionError('object at 0x7f3d35854310>: Failed to establish a new connection: [Errno 
111] Connection refused',))

2016-08-24 18:07:12 pkispawn: ERROR... server failed to restart
2016-08-24 18:07:12 pkispawn: DEBUG... Error Type: Exception
2016-08-24 18:07:12 pkispawn: DEBUG... Error Message: server 
failed to restart
2016-08-24 18:07:12 pkispawn: DEBUG...   File 
"/usr/sbin/pkispawn", line 528, in main

scriptlet.spawn(deployer)
  File 
"/usr/lib/python2.7/site-packages/pki/server/deployment/scriptlets/configuration.py", 
line 375, in spawn

raise Exception("server failed to restart")


journalctl:
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com server[58257]: 
Java virtual machine used: /usr/lib/jvm/jre-1.8.0-openjdk/bin/java
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com server[58257]: 
classpath used: 
/usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/lib/java/commons-daemon.jar
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com server[58257]: 
main class used: org.apache.catalina.startup.Bootstrap
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com server[58257]: 
flags used: -DRESTEASY_LIB=/usr/share/java/resteasy 
-Djava.library.path=/usr/lib64/nuxwdog-jni
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com server[58257]: 
options used: -Dcatalina.base=/var/lib/pki/pki-tomcat 
-Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= 
-Djava.io.tmpdir=/var/lib/pk
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com server[58257]: 
arguments used: stop
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com server[58257]: 
Aug 24, 2016 6:06:22 PM org.apache.catalina.startup.Catalina stopServer
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com server[58257]: 
SEVERE: Catalina.stop:
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com server[58257]: 
java.net.SocketException: Network is unreachable
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at java.net.PlainSocketImpl.socketConnect(Native 
Method)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at java.net.Socket.connect(Socket.java:589)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at java.net.Socket.connect(Socket.java:538)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at java.net.Socket.(Socket.java:434)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at java.net.Socket.(Socket.java:211)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
org.apache.catalina.startup.Catalina.stopServer(Catalina.java:450)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at java.lang.reflect.Method.invoke(Method.java:498)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
org.apache.catalina.startup.Bootstrap.stopServer(Bootstrap.java:400)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com 
server[58257]: at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:487)
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com systemd[1]: 
pki-tomcatd@pki-tomcat.service: Control process exited, code=exited status=1
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com systemd[1]: 
pki-tomcatd@pki-tomcat.service: Unit entered failed state.
Aug 24 18:06:22 vm-058-188.abc.idm.lab.eng.brq.redhat.com systemd[1]: 
pki-tomcatd@pki-tomcat.service: 
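The failing case Tomas describes (a hostname that resolves only to a link-local fe80::/10 address, which "doesn't work and isn't supposed to") can be caught before pkispawn is ever reached. The following pre-flight check is an added example and is not FreeIPA's or pkispawn's code: it classifies the addresses a hostname resolves to and keeps only those a server could actually be reached on. Which address classes to reject is my own policy here (loopback, link-local, multicast and unspecified); the sample addresses in the demo are constructed, and only `resolve_host` touches the real resolver.

```python
"""Pre-flight address check for a pure-IPv6 ipa-server-install.

Added example, not FreeIPA or pkispawn code.  A hostname that resolves only
to a link-local IPv6 address (fe80::/10) cannot be used for the install, and
the journal in this thread shows the downstream symptom (Tomcat's stop
failing with "Network is unreachable").  The rejected classes below are an
assumed policy; sample addresses in __main__ are constructed.
"""
import ipaddress
import socket


def classify(addr):
    """Return a short label for one address string; raises ValueError if not an IP."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:            # :: or 0.0.0.0
        return "unspecified"
    if ip.is_loopback:               # ::1, 127.0.0.0/8
        return "loopback"
    if ip.is_link_local:             # fe80::/10, 169.254.0.0/16
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    return "usable"                  # global, ULA (fd00::/8), RFC 1918


def usable_addresses(addrs):
    """Keep only the addresses other hosts could reach the server on."""
    return [a for a in addrs if classify(a) == "usable"]


def explain(hostname, addrs):
    """Human-readable verdict for a hostname and the addresses it resolved to."""
    kept = usable_addresses(addrs)
    if kept:
        return "%s -> %s: OK" % (hostname, ", ".join(kept))
    if not addrs:
        return "%s does not resolve: installation would fail" % hostname
    rejected = ", ".join("%s (%s)" % (a, classify(a)) for a in addrs)
    return "%s resolves only to %s: installation would fail" % (hostname, rejected)


def resolve_host(hostname):
    """Resolve through the system resolver (DNS and /etc/hosts) and return
    the unique IPv4/IPv6 addresses in resolver order."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, None):
        if family in (socket.AF_INET, socket.AF_INET6) and sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen


if __name__ == "__main__":
    # Constructed inputs: the link-local-only case from the thread, then a good one.
    print(explain("ipa.example.test", ["fe80::5054:ff:fe12:3456"]))
    print(explain("ipa.example.test", ["2001:db8::10", "fe80::5054:ff:fe12:3456"]))
    try:
        host = socket.gethostname()
        print(explain(host, resolve_host(host)))
    except socket.gaierror as err:
        print("local hostname does not resolve:", err)
```

Running it on the installer host with the real hostname shows immediately whether the name maps to anything beyond fe80:: before the much slower pkispawn failure is hit.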

[Freeipa-devel] [freeipa PR#16] Require httpd 2.4.6-31 with mod_proxy Unix socket support (comment)

2016-08-24 Thread mbasti-rh
mbasti-rh commented on a pull request

"""
I realized that we should use 2.4.7 in upstream specfile, to make porting of 
IPA easier
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/16#issuecomment-242108719

[Freeipa-devel] [freeipa PR#13] Handled empty hostname in server-del command (comment)

2016-08-24 Thread Akasurde
Akasurde commented on a pull request

"""
@mbasti-rh @stlaz Thanks for comments
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/13#issuecomment-242105659

[Freeipa-devel] [freeipa PR#16] Require httpd 2.4.6-31 with mod_proxy Unix socket support (comment)

2016-08-24 Thread mbasti-rh
mbasti-rh commented on a pull request

"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/17bb9b9a9ba983020c66f4b83a5918be636ef3bd
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/16#issuecomment-242103959

[Freeipa-devel] [freeipa PR#15] Secure permissions of Custodia server.keys (closed)

2016-08-24 Thread mbasti-rh
tiran's pull request #15: "Secure permissions of Custodia server.keys" was 
closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/15
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/15/head:pr15
git checkout pr15

[Freeipa-devel] [freeipa PR#15] Secure permissions of Custodia server.keys (+pushed)

2016-08-24 Thread mbasti-rh
tiran's pull request #15: "Secure permissions of Custodia server.keys" label 
*pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/15

[Freeipa-devel] [freeipa PR#15] Secure permissions of Custodia server.keys (comment)

2016-08-24 Thread mbasti-rh
mbasti-rh commented on a pull request

"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d9ab0097e15618b0c614b3fdfa2ac4ea52b902c0
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/15#issuecomment-242095453

[Freeipa-devel] [freeipa PR#15] Secure permissions of Custodia server.keys (+ack)

2016-08-24 Thread mbasti-rh
tiran's pull request #15: "Secure permissions of Custodia server.keys" label 
*ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/15

Re: [Freeipa-devel] [PATCH 0036, 0037][Tests] Host/service tests do not recognize newly added attribute

2016-08-24 Thread Martin Basti



On 24.08.2016 15:49, Ganna Kaihorodova wrote:

Hello!

[0036] ACK
[0037] ACK

Best regards,
Ganna Kaihorodova
Associate Software Quality Engineer


- Original Message -
From: "Lenka Doudova" 
To: "freeipa-devel" 
Sent: Monday, August 22, 2016 12:17:23 PM
Subject: [Freeipa-devel] [PATCH 0036, 0037][Tests] Host/service tests do not 
recognize newly added attribute

Hi,

attached patches fix test fails occurring since patch for [1] was pushed.

Ticket for tests: https://fedorahosted.org/freeipa/ticket/6240

Lenka


[1] https://fedorahosted.org/freeipa/ticket/5764



Pushed to master: 9021b649661ed135a4ee18ffe3728d661e6674a6



[Freeipa-devel] [freeipa PR#13] Handled empty hostname in server-del command (closed)

2016-08-24 Thread mbasti-rh
Akasurde's pull request #13: "Handled empty hostname in server-del command" was 
closed

See the full pull-request at https://github.com/freeipa/freeipa/pull/13
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/13/head:pr13
git checkout pr13

[Freeipa-devel] [freeipa PR#13] Handled empty hostname in server-del command (+pushed)

2016-08-24 Thread mbasti-rh
Akasurde's pull request #13: "Handled empty hostname in server-del command" 
label *pushed* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/13

[Freeipa-devel] [freeipa PR#13] Handled empty hostname in server-del command (comment)

2016-08-24 Thread mbasti-rh
mbasti-rh commented on a pull request

Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/95a594af4c99255ea4da27e609cf41b79ca7ed91

See the full comment at 
https://github.com/freeipa/freeipa/pull/13#issuecomment-242071162

[Freeipa-devel] [freeipa PR#13] Handled empty hostname in server-del command (+ack)

2016-08-24 Thread mbasti-rh
Akasurde's pull request #13: "Handled empty hostname in server-del command" 
label *ack* has been added

See the full pull-request at https://github.com/freeipa/freeipa/pull/13

Re: [Freeipa-devel] certmonger "failed to verify signature on server response" after receiving valid certificate

2016-08-24 Thread Marx, Peter
It depends on the depth of the cert chain whether the verification fails or not.

fails: RootCA-> SubCA-> end-entity
works: RootCA-> SubCA-> SubSubCA->end-entity
works: RootCA-> SubCA-> SubCA-> SubSubCA-> SubSubSubCA->end-entity

when looking into the CA file, in cases where it works I see an extra entry  

ca_encryption_cert_pool=-----BEGIN CERTIFICATE-----
 MIIDHjCCAgagAwIBAgIIePjDfE7m7rMwDQYJKoZIhvcNAQEFBQAwGTEXMBUGA1UE
 
 EmkPKOf2v44U2E8ghQYKu8p4peuBqpInwOpsMj+x6zrlDw==
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIEQDCCAiigAwIBAgIIAWN7R90xPZYwDQYJKoZIhvcNAQELBQAwQjELMAkGA1UE
 BhMCREUxHDAaBgNVBAoME0tCIElULVNlcnZpY2VzIEdtYkgxFTATBgNVBAMMDGlD
 T00gUm9vdCBDQTAeFw0xNjA2MDkxNDI2MTFaFw0yNjA2MDkxNDI2MTFaMBkxFzAV
 BgNVBAMMDmlDT00gS3VuZGUxIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB

-----END CERTIFICATE-----

This entry is missing when the verification fails !

I got a valid cert in all test cases using jSCEP client and also in all 
certmonger test cases the server did generate and send the right cert.

I suspect a bug in certmonger (scep-submit). Maybe related to handling the 
certificate chain.

Peter


-Original Message-
From: Rob Crittenden [mailto:rcrit...@redhat.com] 
Sent: Monday, August 22, 2016 4:09 PM
To: Marx, Peter; freeipa-devel@redhat.com
Subject: Re: [Freeipa-devel] certmonger "failed to verify signature on server 
response" after receiving valid certificate

Marx, Peter wrote:
> I'm testing with certmonger 0.78.6 (patched for the GETCACertChain 
> bug) against two EJBCA servers. For verification I a use a second SCEP 
> client called jSCEP.
>
> I started certmonger in debug mode with
>   "/usr/libexec/certmonger/certmonger-session -n -d 15"
>
> The CA file in /root/.config/certmonger/cas  looks like this:
>
> id=Test_Sweden
>
> ca_aka=SCEP (certmonger 0.78.6)
>
> ca_is_default=0
>
> ca_type=EXTERNAL
>
> ca_external_helper=/usr/libexec/certmonger/scep-submit -u 
> http://ejbca-test2.primekey.se:8080/ejbca/publicweb/apply/scep/mxrates
> t/pkiclient.exe
> -i "mx_kd3"
>
> ca_capabilities=POSTPKIOperation,Renewal,SHA-1
>
> scep_ca_identifier=iCOM Kunde1 Schweden
>
> ca_encryption_cert=-----BEGIN CERTIFICATE-----
>
> 
>
> -----END CERTIFICATE-----
>
> ca_encryption_issuer_cert=-----BEGIN CERTIFICATE-----
>
> 
>
> -----END CERTIFICATE-----

It looks to me that certmonger can't verify the signature of the returned 
PKCS#7 data. I'd double check the value of ca_encryption_issuer_cert.

rob

>
> Issuing the request
>
> "getcert request -c Test_Sweden -v -d /tmp/nssdb -g 2048 -I husky201 
> -p /tmp/pwd.txt -n husky201 -L abcd -N CN='husky201' -s"
>
> gives this log:
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message
> 0x7fbe6b0c02e0(method_call)->org.fedorahosted.certmonger:/org/fedoraho
> sted/certmonger:org.fedorahosted.certmonger.add_request
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixUser serial 135
>
> 2016-08-22 10:31:13 [22931] Pending GetConnectionUnixProcessID serial 
> 136
>
> 2016-08-22 10:31:13 [22931] Queuing FD 8 for Read for 
> 0x7fbe6b0c02e0:0x7fbe6b0aa690.
>
> 2016-08-22 10:31:13 [22931] Dequeuing FD 8 for Read for 
> 0x7fbe6b0c02e0:0x7fbe6b0aa690.
>
> 2016-08-22 10:31:13 [22931] Handling D-Bus traffic (Read) on FD 8 for 
> 0x7fbe6b0c02e0.
>
> 2016-08-22 10:31:13 [22931] message 
> 0x7fbe6b0c02e0(method_return)->135->73
>
> 2016-08-22 10:31:13 [22931] message 
> 0x7fbe6b0c02e0(method_return)->136->74
>
> 2016-08-22 10:31:13 [22931] User ID 0 PID 23133 called 
> /org/fedorahosted/certmonger:org.fedorahosted.certmonger.add_request.
>
> 2016-08-22 10:31:13 [23135] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23135] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23135] Skipping NSS internal slot (NSS Generic 
> Crypto Services).
>
> 2016-08-22 10:31:13 [23135] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23135] Located the key 'husky201'.
>
> 2016-08-22 10:31:13 [23135] Converted private key 'husky201' to public key.
>
> 2016-08-22 10:31:13 [23135] Key is an RSA key.
>
> 2016-08-22 10:31:13 [23135] Key size is 2048.
>
> 2016-08-22 10:31:13 [23136] Read value "0" from 
> "/proc/sys/crypto/fips_enabled".
>
> 2016-08-22 10:31:13 [23136] Not attempting to set NSS FIPS mode.
>
> 2016-08-22 10:31:13 [23136] Found token 'NSS Generic Crypto Services'.
>
> 2016-08-22 10:31:13 [23136] Cert storage slot still needs user PIN to 
> be set.
>
> 2016-08-22 10:31:13 [23136] Found token 'NSS Certificate DB'.
>
> 2016-08-22 10:31:13 [23136] Error locating certificate.
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') starts in state 
> 'NEWLY_ADDED'
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') taking writing lock
>
> 2016-08-22 10:31:13 [22931] Request7('husky201') moved to state 
> 'NEWLY_ADDED_START_READING_KEYINFO'
>
> 2016-08-22 10:31:13 [22931] Will revisit Request7('husky201') now.
>
> 2016-08-22 10:31:13 [22931] 
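Peter's observation (the chain verifies only when the pool carries the intermediate) and Rob's advice to double-check ca_encryption_issuer_cert both come down to the same question: does the set of PEM blocks in the certmonger CA file link the CA's signing certificate up to a self-signed anchor without a gap? The following is an added example, not certmonger's, FreeIPA's or EJBCA's code. It pulls subject and issuer common names out of each DER certificate with a small ASN.1 TLV walker, orders a bag of certificates leaf to root, and names the issuer that is missing when the walk stops short. It does no signature verification (use openssl verify or a real X.509 library for that), matches on commonName only, and the certificates in `demo` are synthetic DER structures with a placeholder key and an all-zero signature, built inline so the example runs offline; feed a real CA file's text to `load_pem_bundle` for actual use.

```python
"""Order the CERTIFICATE blocks of a certmonger CA file into a chain and
report a missing issuer.

Added example, not certmonger/FreeIPA code.  Name matching is by commonName
only and no signatures are checked; the demo certificates are synthetic
(constructed by make_cert) so this runs offline.
"""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
OID_CN = b"\x55\x04\x03"                                    # id-at-commonName
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"    # sha256WithRSAEncryption


# --- DER decoding (just enough to reach subject and issuer) ---------------
def tlv(buf, pos):
    """Parse one TLV at pos; return (tag, value_start, end_of_tlv)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def common_name(buf, pos):
    """Return the first commonName in the DER Name at pos, or None."""
    _, p, end = tlv(buf, pos)                               # Name ::= SEQUENCE OF RDN
    while p < end:
        _, q, rdn_end = tlv(buf, p)                         # RDN ::= SET OF AttributeTypeAndValue
        while q < rdn_end:
            _, r, atv_end = tlv(buf, q)                     # SEQUENCE { type OID, value }
            _, ovs, ove = tlv(buf, r)
            if buf[ovs:ove] == OID_CN:
                _, vs, ve = tlv(buf, ove)
                return buf[vs:ve].decode("utf-8", "replace")
            q = atv_end
        p = rdn_end
    return None


def subject_and_issuer(cert_der):
    """Walk Certificate -> tbsCertificate and return (subject CN, issuer CN)."""
    _, p, _ = tlv(cert_der, 0)                              # Certificate SEQUENCE
    _, p, _ = tlv(cert_der, p)                              # tbsCertificate SEQUENCE
    tag, _, nxt = tlv(cert_der, p)
    if tag == 0xA0:                                         # optional [0] EXPLICIT version
        p = nxt
    _, _, p = tlv(cert_der, p)                              # serialNumber
    _, _, p = tlv(cert_der, p)                              # signature AlgorithmIdentifier
    issuer_pos = p
    _, _, p = tlv(cert_der, p)                              # issuer Name
    _, _, p = tlv(cert_der, p)                              # validity
    return common_name(cert_der, p), common_name(cert_der, issuer_pos)


def load_pem_bundle(text):
    """DER bytes of every CERTIFICATE block in a PEM text (e.g. a CA file)."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]


def build_chain(leaf_der, pool):
    """Order leaf -> root by matching each issuer CN to a subject CN in pool.
    Returns (chain_of_subject_CNs, missing_issuer_CN); missing is None when
    a self-signed anchor was reached."""
    by_subject = {}
    for c in pool:
        by_subject.setdefault(subject_and_issuer(c)[0], c)
    chain, cur = [], leaf_der
    while True:
        subj, iss = subject_and_issuer(cur)
        chain.append(subj)
        if subj == iss:                                     # self-signed: anchor reached
            return chain, None
        if iss in chain:
            raise ValueError("issuer loop without a self-signed anchor")
        if iss not in by_subject:                           # the gap seen on the list
            return chain, iss
        cur = by_subject[iss]


# --- synthetic certificates for the offline demo (constructed, not real) --
def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def name(cn):
    return der(0x30, der(0x31, der(0x30, der(0x06, OID_CN) + der(0x0C, cn.encode()))))


def make_cert(subject, issuer):
    """X.509 v3 skeleton: placeholder key, all-zero signature, fixed validity."""
    alg = der(0x30, der(0x06, OID_SHA256_RSA))
    validity = der(0x30, der(0x17, b"160101000000Z") + der(0x17, b"260101000000Z"))
    spki = der(0x30, alg + der(0x03, b"\x00\x00"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 17))


def to_pem(cert_der):
    b64 = base64.b64encode(cert_der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def demo():
    """Root -> SubCA -> RA, once with the SubCA in the pool and once without."""
    root = make_cert("Test Root CA", "Test Root CA")
    sub = make_cert("Test Sub CA", "Test Root CA")
    ra = make_cert("scep-ra", "Test Sub CA")
    full = load_pem_bundle(to_pem(root) + to_pem(sub) + to_pem(ra))
    return build_chain(full[2], full), build_chain(ra, [root, ra])


if __name__ == "__main__":
    for chain, missing in demo():
        print(" -> ".join(chain), "| missing issuer:", missing)
```

On a real CA file, pass the certmonger file's text to `load_pem_bundle`, take the block after `ca_encryption_cert=` as the leaf, and a non-None second element of `build_chain`'s result is the CN that ca_encryption_issuer_cert or ca_encryption_cert_pool would have to supply.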

Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add

2016-08-24 Thread Martin Basti



On 24.08.2016 13:32, Tomas Krizek wrote:

Fixed the typo in error message.

On 08/23/2016 12:15 PM, Tomas Krizek wrote:

In that case, the first version of the patch solves the issue.

I'm attaching the patch once again, but it's the same as the one in 
the original message.



On 08/23/2016 11:53 AM, Jan Cholasta wrote:

On 22.8.2016 19:08, Tomas Krizek wrote:
I've attached the updated patch. Hopefully I didn't forget anything 
else

this time.


On 08/22/2016 05:48 PM, Martin Basti wrote:


On 22.08.2016 10:22, Tomas Krizek wrote:


Seems like a good idea, I'm attaching the updated patch. Autofill
does work when the param is required.


On 08/19/2016 04:19 PM, Martin Basti wrote:




On 16.08.2016 17:35, Tomas Krizek wrote:

Hi,

the attached patch fixes an error message when user provides an
empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200





I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
cli_name='key',
label=_('Key'),
doc=_('Token secret (Base32; default: random)'),
default_from=lambda: os.urandom(KEY_LENGTH),
autofill=True,
flags=('no_display', 'no_update', 'no_search'),
),


If OTPTokenKey is mandatory, it should be required param (autofill
should work in this case too)

Martin^2


--
Tomas Krizek


You changed API, you must regenerate API.txt (./makeapi) and 
increment

minor version in VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file 
not found

Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in 
API file:

OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')


NACK, this is a backward incompatible change.

AFAICT the option should remain optional, see the doc string:

Token secret (Base32; default: random)
  ^^^







--
Tomas Krizek


ACK

Pushed to master: 6f9a029bf5d33e6c8267cb330bd48033c5517188


http://www.freeipa.org/page/Pull_request_on_Github
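The outcome of the thread above is that `ipatokenotpkey` stays optional (absent means "generate a random secret", as the parameter's `default_from` already does), while an explicitly supplied empty key must produce a clear error rather than a confusing one. The following validator is an added example, not FreeIPA's `OTPTokenKey` parameter: it keeps that contract and additionally normalises what users actually paste (lowercase, spaces, missing `=` padding). `KEY_LENGTH` is an assumed value here, not FreeIPA's constant, and the exact error wording is mine.

```python
"""Validate or generate an OTP token secret for an otptoken-add style command.

Added example, not FreeIPA code.  Contract taken from the thread: key absent
-> random secret (option stays optional); key given but empty or not Base32
-> a clear validation error.  KEY_LENGTH is an assumed value.
"""
import base64
import binascii
import os

KEY_LENGTH = 20          # assumed: 160-bit secret (RFC 4226 recommended minimum)


class InvalidKey(ValueError):
    """Raised for a user-supplied key that cannot be used as a token secret."""


def decode_base32_key(text):
    """Decode a Base32 secret as users type it.

    Accepts lowercase and embedded spaces, tolerates missing '=' padding,
    and rejects an empty string or any non-Base32 input with InvalidKey.
    """
    cleaned = "".join(text.split()).upper()
    if not cleaned:
        raise InvalidKey("key must not be empty")
    cleaned += "=" * (-len(cleaned) % 8)           # restore the padding users drop
    try:
        raw = base64.b32decode(cleaned, casefold=True)
    except (binascii.Error, ValueError) as err:
        raise InvalidKey("key is not valid Base32: %s" % err)
    if not raw:
        raise InvalidKey("key must not be empty")
    return raw


def resolve_token_key(value=None):
    """Return the raw secret for a new token.

    None -> fresh random bytes (the optional parameter's default behaviour).
    str  -> validated and decoded; "" is an error, not a request for the default.
    """
    if value is None:
        return os.urandom(KEY_LENGTH)
    return decode_base32_key(value)


def encode_key(raw):
    """Unpadded Base32 form, the shape shown to users and authenticator apps."""
    return base64.b32encode(raw).decode().rstrip("=")


if __name__ == "__main__":
    print(encode_key(resolve_token_key()))                       # random secret
    print(encode_key(resolve_token_key("jbsw y3dp ehpk 3pxp")))  # normalised input
    for bad in ("", "not-base32!"):
        try:
            resolve_token_key(bad)
        except InvalidKey as err:
            print("rejected %r: %s" % (bad, err))
```

The distinction that matters for the API question raised by Jan is the `None` versus `""` branch in `resolve_token_key`: the option remains optional for clients that omit it, and only a client that sends an empty value gets the validation error.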


Re: [Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-24 Thread Petr Vobornik
On 08/24/2016 12:21 PM, Martin Basti wrote:
> 
> 
> On 24.08.2016 11:25, Christian Heimes wrote:
>> On 2016-08-23 12:42, Petr Vobornik wrote:
>>> On 08/11/2016 04:13 PM, Martin Basti wrote:

 On 08.08.2016 16:10, Christian Heimes wrote:
> The server-del plugin now removes the Custodia keys for encryption and
> key signing from LDAP.
>
> https://fedorahosted.org/freeipa/ticket/6015
>
>
 ACK for master

 For 4.3, it requires new patch

 Martin

>>> bump
>> I haven't worked out a patch for 4.3. The server_del plugin in 4.3 is
>> much simpler than in 4.4. It's not possible to hook the clean-up code to
>> server_del like I did for 4.4. I would have to rewrite and redesign the
>> patch completely which I neither have the time nor resources to at the
>> moment.
>>
>> I vote for WONTFIX for 4.3.
> +1

works for me

> 
> Martin^2
>>
>> Christian
>>
-- 
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0039][Tests] ID views tests do not recognize 'krbcanonicalname' attribute

2016-08-24 Thread Martin Basti



On 22.08.2016 15:46, Lenka Doudova wrote:

Hi,

ID views tests still do not recognize 'krbcanonicalname' attribute - 
fix attached.


Lenka




ACK

Pushed to master: 775c37bb812604496594524d8c6c7d936b4d3b15


Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

2016-08-24 Thread Oleg Fayans

Hi Martin,

Updated the test according to our discussion.
There are 2 patches: the one related to the dynamic segment naming and 
the one that xfails one of the tests which fails due to trac ticket 6250.


Please, disregard my previous patch

On 08/12/2016 04:05 PM, Martin Basti wrote:



On 12.08.2016 15:48, Oleg Fayans wrote:

Hi Martin,



On 08/11/2016 10:05 AM, Martin Basti wrote:



On 10.08.2016 20:32, Oleg Fayans wrote:





Hello,

before we jump into fixing tests, my question is: Was this planned
change and not reflected by test, or switched values are unwanted side
effect and thus bug for us?


That's a marvelous question! The test used to pass, which means that
at some point the convention of naming the segments must have changed.
Is it a bug? I do not think so: the feature still works as expected.


Ludwig, do you know details about this change, why positions of server
names are different than used to be in topology name?





Ticket contains almost no info, except a traceback and it says nothing.
Commit message says at least something.

I'm not sure if this patch fixes that ticket, because traceback in test
shows error message that "removal of segment will disconnect topology",
but this patch only swap order of replica names in segment name. I would
expect that you should get different error, something like segment does
not exist.

Which I do get in jenkins job N 37: "segment not found"

In fact, the error in the issue is unrelated to the fix, you are right.



To tell the truth, I just put a random error from one of the jenkins
topology testruns into the issue.

This is very good way how to report tickets:
* nobody knows what happened
* nobody can search in current tickets,  what is wrong without proper
description
* developers cannot investigate issue, because there is even no name of
exact test in ticket, no steps to reproduce, nothing
* without proper tickets it is hard to backport patches correctly, if
patch fixes different issue than is reported

I'm closing ticket as invalid, please follow
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new
proper ticket.


This particular error message was caused by a previous replica
installation failure, which resulted in existing only one segment
instead of three:
master <-> replica1
instead of:
master <-> replica1,
master <-> replica2
replica1 <-> replica2

In fact the patch supplied fixes 2 tests at once:
The first test tries to remove the nonexistent segment master <->
replica2 and fails, the second test expects the line topology
master <-> replica1 <-> replica2.
It removes the connection between replica1 and replica2, expects the
operation to fail but it does not because the connection between
master and replica2 exists

the output from the testrun with the patch applied:


-bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'

test session starts
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ...


3 passed in 2156.82 seconds
=




I don't care about test output until there is no valid description of
problem, fixing test may just cover real issue.
Martin^2


Martin^2








--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 6be984e1ff3ffa0dcbe3bc9fc415b7355a833c24 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Wed, 24 Aug 2016 13:48:56 +0200
Subject: [PATCH] Fixed segment naming in topology tests

As the segment name is a stochastic value, which can have either of the two
nodes as the left node, we need to adapt the tests to not expect some
particular segment name but rather to calculate it dynamically based on node
names and the output of topologysegment-find ipa call
---
 ipatests/test_integration/test_topology.py | 33 --
 1 file changed, 22 insertions(+), 11 deletions(-)

diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
index e956563c27eafd84deed5786274a73d0d3594642..a3e0488eacc116d5ac3fe83b021b8bf85bcc2ef3 100644
--- a/ipatests/test_integration/test_topology.py
+++ b/ipatests/test_integration/test_topology.py
@@ -15,6 +15,18 @@ from ipatests.util import assert_deepequal
 config = get_global_config()
 reasoning = "Topology plugin disabled due to domain level 0"

Re: [Freeipa-devel] [Test][patch-0058] Fixed topology tests failures in CI

2016-08-24 Thread Oleg Fayans

And here is how the run looks like:

$ ipa-run-tests test_integration/test_topology.py
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13] 
Permission denied: 'lextab.py'

WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission 
denied: 'yacctab.py'
 
test session starts 
=

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ..x

=== 
2 passed, 1 xfailed in 1558.66 seconds 
===




On 08/12/2016 04:05 PM, Martin Basti wrote:



On 12.08.2016 15:48, Oleg Fayans wrote:

Hi Martin,



On 08/11/2016 10:05 AM, Martin Basti wrote:



On 10.08.2016 20:32, Oleg Fayans wrote:





Hello,

before we jump into fixing tests, my question is: Was this planned
change and not reflected by test, or switched values are unwanted side
effect and thus bug for us?


That's a marvelous question! The test used to pass, which means that
at some point the convention of naming the segments must have changed.
Is it a bug? I do not think so: the feature still works as expected.


Ludwig, do you know details about this change, why the positions of server
names in the topology name are different than they used to be?





The ticket contains almost no info except a traceback, and it says nothing.
The commit message says at least something.

I'm not sure if this patch fixes that ticket, because the traceback in the test
shows the error message "removal of segment will disconnect topology",
but this patch only swaps the order of replica names in the segment name. I would
expect that you should get a different error, something like "segment does
not exist".

Which I do get in jenkins job N 37: "segment not found"

In fact, the error in the issue is unrelated to the fix, you are right.



To tell the truth, I just put a random error from one of the jenkins
topology testruns into the issue.

This is a very good way to report tickets:
* nobody knows what happened
* nobody can search the current tickets for what is wrong without a proper
description
* developers cannot investigate the issue, because there is not even the name of
the exact test in the ticket, no steps to reproduce, nothing
* without proper tickets it is hard to backport patches correctly, if a
patch fixes a different issue than is reported

I'm closing ticket as invalid, please follow
http://www.chiark.greenend.org.uk/~sgtatham/bugs.html and file a new
proper ticket.


This particular error message was caused by a previous replica
installation failure, which resulted in only one segment existing
instead of three:
master <-> replica1
instead of:
master <-> replica1,
master <-> replica2
replica1 <-> replica2

In fact the patch supplied fixes 2 tests at once:
The first test tries to remove the nonexistent segment master <->
replica2 and fails; the second test expects the line topology
master <-> replica1 <-> replica2.
It removes the connection between replica1 and replica2 and expects the
operation to fail, but it does not, because the connection between
master and replica2 exists.

The output from the test run with the patch applied:


-bash-4.3$ ipa-run-tests test_integration/test_topology.py --pdb
WARNING: Couldn't write lextab module 'pycparser.lextab'. [Errno 13]
Permission denied: 'lextab.py'
WARNING: yacc table file version is out of date
WARNING: Couldn't create 'pycparser.yacctab'. [Errno 13] Permission
denied: 'yacctab.py'

========== test session starts ==========

platform linux2 -- Python 2.7.11, pytest-2.9.2, py-1.4.31, pluggy-0.3.1
rootdir: /usr/lib/python2.7/site-packages/ipatests, inifile: pytest.ini
plugins: sourceorder-0.5, multihost-1.0
collected 3 items

test_integration/test_topology.py ...


========== 3 passed in 2156.82 seconds ==========




I don't care about test output until there is no valid description of
problem, fixing test may just cover real issue.
Martin^2


Martin^2








--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
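Oleg's commit message above (compute the segment name from the node names and the output of topologysegment-find instead of expecting a fixed "left node") and his explanation of why the "removal of segment will disconnect topology" error appeared with only some segments present can be illustrated together. The following is an added example written for this archive, not code from the patch or from FreeIPA: it parses a constructed sample of `ipa topologysegment-find` output (the `Segment name:` / `Left node:` / `Right node:` / `Connectivity:` layout and the `*.ipa.test` host names are assumptions of this example), looks up a segment regardless of which node ended up on the left, and checks whether removing a segment would split the replication graph.

```python
import re

# Constructed sample of `ipa topologysegment-find` output for three hosts forming
# a triangle. Layout and host names are assumed for this example.
SAMPLE_OUTPUT = """\
---------------------------
3 segments matched
---------------------------
  Segment name: replica1.ipa.test-to-master.ipa.test
  Left node: replica1.ipa.test
  Right node: master.ipa.test
  Connectivity: both

  Segment name: master.ipa.test-to-replica2.ipa.test
  Left node: master.ipa.test
  Right node: replica2.ipa.test
  Connectivity: both

  Segment name: replica1.ipa.test-to-replica2.ipa.test
  Left node: replica1.ipa.test
  Right node: replica2.ipa.test
  Connectivity: both
----------------------------
Number of entries returned 3
----------------------------
"""

_FIELD = re.compile(r'\s*(Segment name|Left node|Right node|Connectivity):\s*(.+)')


def parse_segments(output):
    """Turn the "Key: value" blocks of the find output into a list of dicts."""
    segments, current = [], {}
    for line in output.splitlines():
        match = _FIELD.match(line)
        if not match:
            continue
        key, value = match.group(1), match.group(2).strip()
        if key == 'Segment name' and current:
            segments.append(current)       # a new block starts
            current = {}
        current[key] = value
    if current:
        segments.append(current)
    return segments


def find_segment_name(segments, host_a, host_b):
    """Name of the segment joining the two hosts, whichever side is 'left'."""
    pair = {host_a, host_b}
    for seg in segments:
        if {seg['Left node'], seg['Right node']} == pair:
            return seg['Segment name']
    return None


def is_disconnecting(segments, name):
    """True if removing segment `name` would leave some node unreachable."""
    nodes = {n for s in segments for n in (s['Left node'], s['Right node'])}
    if not nodes:
        return False
    adjacency = {n: set() for n in nodes}
    for seg in segments:
        if seg['Segment name'] == name:
            continue                          # simulate the removal
        adjacency[seg['Left node']].add(seg['Right node'])
        adjacency[seg['Right node']].add(seg['Left node'])
    start = next(iter(nodes))
    seen, stack = {start}, [start]
    while stack:                              # plain depth-first reachability
        for neighbour in adjacency[stack.pop()] - seen:
            seen.add(neighbour)
            stack.append(neighbour)
    return seen != nodes


def demo():
    """The two situations from the thread on the constructed output."""
    segs = parse_segments(SAMPLE_OUTPUT)
    r1_r2 = 'replica1.ipa.test-to-replica2.ipa.test'
    # Line topology master <-> replica1 <-> replica2: drop master<->replica2.
    line = [s for s in segs if s['Segment name'] != 'master.ipa.test-to-replica2.ipa.test']
    return {
        'count': len(segs),
        'name_any_order': (find_segment_name(segs, 'master.ipa.test', 'replica1.ipa.test'),
                           find_segment_name(segs, 'replica1.ipa.test', 'master.ipa.test')),
        'triangle_remove_ok': not is_disconnecting(segs, r1_r2),
        'line_remove_disconnects': is_disconnecting(line, r1_r2),
    }


if __name__ == '__main__':
    print(demo())
```

With all three segments present, removing replica1 <-> replica2 is allowed because master <-> replica2 still connects the graph, which is exactly why the "expected to fail" test in the thread did not fail; with the line topology the same removal isolates replica2.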


Re: [Freeipa-devel] [PATCH] 0003 Validate key in otptoken-add

2016-08-24 Thread Tomas Krizek

Fixed the typo in error message.

On 08/23/2016 12:15 PM, Tomas Krizek wrote:

In that case, the first version of the patch solves the issue.

I'm attaching the patch once again, but it's the same as the one in 
the original message.



On 08/23/2016 11:53 AM, Jan Cholasta wrote:

On 22.8.2016 19:08, Tomas Krizek wrote:
I've attached the updated patch. Hopefully I didn't forget anything else
this time.


On 08/22/2016 05:48 PM, Martin Basti wrote:


On 22.08.2016 10:22, Tomas Krizek wrote:


Seems like a good idea, I'm attaching the updated patch. Autofill
does work when the param is required.


On 08/19/2016 04:19 PM, Martin Basti wrote:




On 16.08.2016 17:35, Tomas Krizek wrote:

Hi,

the attached patch fixes an error message when user provides an
empty key while adding otp token.

https://fedorahosted.org/freeipa/ticket/6200





I'm curious why we don't fix it here:

OTPTokenKey('ipatokenotpkey?',
cli_name='key',
label=_('Key'),
doc=_('Token secret (Base32; default: random)'),
default_from=lambda: os.urandom(KEY_LENGTH),
autofill=True,
flags=('no_display', 'no_update', 'no_search'),
),


If OTPTokenKey is mandatory, it should be a required param (autofill
should work in this case too)

Martin^2


--
Tomas Krizek


You changed the API, you must regenerate API.txt (./makeapi) and increment
the minor version in the VERSION file

Option 'ipatokenotpkey?' in command 'otptoken_add/1' in API file not found

Options count in otptoken_add of 22 doesn't match expected: 23
Option ipatokenotpkey of command otptoken_add in ipalib, not in API file:

OTPTokenKey('ipatokenotpkey', autofill=True, cli_name='key')


NACK, this is a backward incompatible change.

AFAICT the option should remain optional, see the doc string:

Token secret (Base32; default: random)
  ^^^







--
Tomas Krizek

From 14ecfa5f5730af5f8d1d54f8524d546d42f5ce2e Mon Sep 17 00:00:00 2001
From: Tomas Krizek 
Date: Wed, 24 Aug 2016 13:29:37 +0200
Subject: [PATCH] Validate key in otptoken-add

Verify that key is not empty when adding otp token. If it is empty, raise an
appropriate error.

https://fedorahosted.org/freeipa/ticket/6200
---
 ipaserver/plugins/otptoken.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
index 15b25e07a905257f016de68a3d9e182447699d0e..a7b436aa5690c42b56d7937e608b9d574b22e10b 100644
--- a/ipaserver/plugins/otptoken.py
+++ b/ipaserver/plugins/otptoken.py
@@ -323,6 +323,10 @@ class otptoken_add(LDAPCreate):
 except (NotFound, IndexError):
 pass
 
+# Check if key is not empty
+if entry_attrs['ipatokenotpkey'] is None:
+raise ValidationError(name='key', error=_(u'cannot be empty'))
+
 # Build the URI parameters
 args = {}
 args['issuer'] = issuer
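Review bot: the check `if entry_attrs['ipatokenotpkey'] is None:` only catches a key the framework has already normalized to None; an empty byte string (`b''`) slips through, and if the attribute is absent at this point the subscript raises KeyError rather than the intended ValidationError. `if not entry_attrs.get('ipatokenotpkey'):` covers all three cases with the same 'cannot be empty' error. Placing the check before `# Build the URI parameters` is right, since the URI embeds the secret; the comment `# Check if key is not empty` reads inverted and is clearer as `# Reject an empty key`.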
-- 
2.7.4

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
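The disagreement in this thread (Martin: make the key a required param; Jan: it must stay optional with a random default, per the doc string) comes down to telling "key not given" apart from "key given but empty", which is what the final patch does at the LDAP entry. The following is an added example, not FreeIPA's code: a stand-alone `add_otp_token` that keeps the key optional (fresh random secret when omitted), rejects an explicitly empty key with a ValidationError-like error, and only then builds the otpauth URI. `KEY_LENGTH = 35`, the `_UNSET` sentinel, the local `ValidationError` class and the URI layout are assumptions of this example; the page names `KEY_LENGTH` but not its value.

```python
import base64
import os
import re

KEY_LENGTH = 35          # assumed for this example; the page does not give the value
_UNSET = object()        # sentinel: the caller did not pass a key at all


class ValidationError(ValueError):
    """Stand-in for ipalib's ValidationError (constructed for this example)."""
    def __init__(self, name, error):
        super().__init__("invalid '%s': %s" % (name, error))
        self.name = name
        self.error = error


_BASE32 = re.compile(r'^[A-Z2-7]+=*$')


def normalize_key(key=_UNSET):
    """Return the raw secret bytes for a new token.

    key omitted        -> random secret (option stays optional, 'default: random')
    key None/''/b''    -> ValidationError('key', 'cannot be empty')
    key Base32 string  -> decoded bytes
    """
    if key is _UNSET:
        return os.urandom(KEY_LENGTH)
    if key is None or key == '' or key == b'':
        raise ValidationError(name='key', error='cannot be empty')
    if isinstance(key, bytes):
        return key
    text = key.upper()
    text += '=' * (-len(text) % 8)          # restore padding stripped by users
    if not _BASE32.match(text):
        raise ValidationError(name='key', error='must be Base32 encoded')
    return base64.b32decode(text)


def add_otp_token(uniqueid, key=_UNSET, issuer='IPA'):
    """Build the entry attributes; the empty-key check runs before the URI."""
    raw = normalize_key(key)
    entry_attrs = {'ipatokenuniqueid': uniqueid, 'ipatokenotpkey': raw}
    secret = base64.b32encode(raw).decode('ascii').rstrip('=')
    entry_attrs['uri'] = 'otpauth://totp/%s?issuer=%s&secret=%s' % (uniqueid, issuer, secret)
    return entry_attrs


def rejects_empty(value):
    """True if `value` is refused with the 'cannot be empty' error."""
    try:
        add_otp_token('probe', value)
    except ValidationError as err:
        return err.name == 'key' and err.error == 'cannot be empty'
    return False


if __name__ == '__main__':
    print(len(add_otp_token('tok1')['ipatokenotpkey']))        # 35
    print(add_otp_token('tok1', 'JBSWY3DPEHPK3PXP')['uri'])
    print([rejects_empty(v) for v in (None, '', b'')])         # [True, True, True]
```

The sentinel is what makes the API backward compatible: omitting `key` still yields a random secret, while `key=''` (which the framework turns into None at the entry level) is an error instead of being silently replaced.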

[Freeipa-devel] [freeipa PR#16] Require httpd 2.4.6-31 with mod_proxy Unix socket support (opened)

2016-08-24 Thread tiran
tiran's pull request #16: "Require httpd 2.4.6-31 with mod_proxy Unix socket 
support" was opened

PR body:
httpd 2.4.6-6 does not support mod_proxy ProxyPass for Unix sockets. The
feature, provided by 2.4.7 upstream, was backported to 2.4.6-31
(bz1168081). It's required to proxy Custodia.

https://bugzilla.redhat.com/show_bug.cgi?id=1168081
https://httpd.apache.org/docs/trunk/mod/mod_proxy.html#proxypass

https://fedorahosted.org/freeipa/ticket/6251

Signed-off-by: Christian Heimes 

See the full pull-request at https://github.com/freeipa/freeipa/pull/16
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/16/head:pr16
git checkout pr16


freeipa-pr-16.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-24 Thread Martin Basti



On 24.08.2016 11:25, Christian Heimes wrote:

On 2016-08-23 12:42, Petr Vobornik wrote:

On 08/11/2016 04:13 PM, Martin Basti wrote:


On 08.08.2016 16:10, Christian Heimes wrote:

The server-del plugin now removes the Custodia keys for encryption and
key signing from LDAP.

https://fedorahosted.org/freeipa/ticket/6015



ACK for master

For 4.3, it requires new patch

Martin


bump

I haven't worked out a patch for 4.3. The server_del plugin in 4.3 is
much simpler than in 4.4. It's not possible to hook the clean-up code to
server_del like I did for 4.4. I would have to rewrite and redesign the
patch completely, for which I have neither the time nor the resources at the
moment.

I vote for WONTFIX for 4.3.

+1

Martin^2


Christian




--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0035] Remove Custodia server keys from LDAP

2016-08-24 Thread Christian Heimes
On 2016-08-23 12:42, Petr Vobornik wrote:
> On 08/11/2016 04:13 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:10, Christian Heimes wrote:
>>> The server-del plugin now removes the Custodia keys for encryption and
>>> key signing from LDAP.
>>>
>>> https://fedorahosted.org/freeipa/ticket/6015
>>>
>>>
>> ACK for master
>>
>> For 4.3, it requires new patch
>>
>> Martin
>>
> 
> bump

I haven't worked out a patch for 4.3. The server_del plugin in 4.3 is
much simpler than in 4.4. It's not possible to hook the clean-up code to
server_del like I did for 4.4. I would have to rewrite and redesign the
patch completely, for which I have neither the time nor the resources at the
moment.

I vote for WONTFIX for 4.3.

Christian




signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0034] Secure permissions of Custodia server.keys

2016-08-24 Thread Christian Heimes
On 2016-08-23 12:49, Petr Vobornik wrote:
> On 08/09/2016 01:53 PM, Martin Basti wrote:
>>
>>
>> On 08.08.2016 16:09, Christian Heimes wrote:
>>> I have split up patch 0032 into two smaller patches. This patch only
>>> addresses the server.keys file.
>>>
>>> Custodia's server.keys file contains the private RSA keys for encrypting
>>> and signing Custodia messages. The file was created with permission 644
>>> and is only secured by permission 700 of the directory
>>> /etc/ipa/custodia. The installer and upgrader ensure that the file
>>> has 600.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1353936
>>> https://fedorahosted.org/freeipa/ticket/6056
>>>
>>>
>> Pylint is running, please wait ...
>> * Module ipapython.secrets.kem
>> ipapython/secrets/kem.py:147: [E0602(undefined-variable), newServerKeys] 
>> Undefined variable 'os')
>> ipapython/secrets/kem.py:148: [E0602(undefined-variable), newServerKeys] 
>> Undefined variable 'os')
>> * Module ipaserver.install.custodiainstance
>> ipaserver/install/custodiainstance.py:77: [E0602(undefined-variable), 
>> CustodiaInstance.upgrade_instance] Undefined variable 'stat')
>>
>>
>>
> 
> this review looks stuck

Thanks, I didn't notice that it was stuck. I have pushed it to github
and made a PR:

https://github.com/freeipa/freeipa/pull/15




signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#15] Secure permissions of Custodia server.keys (opened)

2016-08-24 Thread tiran
tiran's pull request #15: "Secure permissions of Custodia server.keys" was 
opened

PR body:
Custodia's server.keys file contains the private RSA keys for encrypting
and signing Custodia messages. The file was created with permission 644
and is only secured by permission 700 of the directory
/etc/ipa/custodia. The installer and upgrader ensure that the file
has 600.

https://bugzilla.redhat.com/show_bug.cgi?id=1353936
https://fedorahosted.org/freeipa/ticket/6056

See the full pull-request at https://github.com/freeipa/freeipa/pull/15
... or pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/15/head:pr15
git checkout pr15


freeipa-pr-15.patch
Description: application/text/diff
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
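PR#15 above (and Christian's patch 0034 in the earlier message) fixes server.keys being created with mode 644 and protected only by the 700 mode of /etc/ipa/custodia. The following is an added example, not the project's installer or upgrader code: a small checker that tightens a private key file to 600, refuses to operate through a symlink, and is exercised on a constructed copy of that layout under a temporary directory (the real /etc/ipa/custodia path is only mirrored by name). It also shows the `os` and `stat` imports that pylint reported as missing in the review.

```python
import os
import shutil
import stat
import tempfile

PRIVATE_MODE = 0o600                          # owner read/write only
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO  # any bit here means "too open"


def ensure_private_file(path, mode=PRIVATE_MODE):
    """Tighten `path` to `mode` if any group/other permission bit is set.

    Returns (old_mode, new_mode, changed). Uses lstat and rejects anything that
    is not a regular file, so a planted symlink cannot redirect the chmod.
    """
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("%s is not a regular file" % path)
    old_mode = stat.S_IMODE(st.st_mode)
    if old_mode & GROUP_OR_OTHER:
        os.chmod(path, mode)
        new_mode = stat.S_IMODE(os.lstat(path).st_mode)
        return old_mode, new_mode, True
    return old_mode, old_mode, False


def demo_fix_custodia_keys():
    """Constructed layout: <tmp>/custodia (0700) holding server.keys (0644),
    the situation the PR describes. Returns ensure_private_file's result."""
    base = tempfile.mkdtemp(prefix="custodia-demo-")
    try:
        conf_dir = os.path.join(base, "custodia")
        os.mkdir(conf_dir)
        os.chmod(conf_dir, 0o700)
        key_file = os.path.join(conf_dir, "server.keys")
        with open(key_file, "w") as fh:
            fh.write('{"constructed": "placeholder, not a real key"}\n')
        os.chmod(key_file, 0o644)             # the weak mode the installer used to leave
        return ensure_private_file(key_file)
    finally:
        shutil.rmtree(base)


def demo_symlink_is_rejected():
    """A symlink named server.keys must not be chmod'ed through."""
    base = tempfile.mkdtemp(prefix="custodia-demo-")
    try:
        target = os.path.join(base, "other")
        with open(target, "w") as fh:
            fh.write("x\n")
        link = os.path.join(base, "server.keys")
        os.symlink(target, link)
        try:
            ensure_private_file(link)
        except ValueError:
            return True
        return False
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo_fix_custodia_keys())     # prints (420, 384, True), i.e. 0644 -> 0600
    print(demo_symlink_is_rejected())   # prints True
```

A directory mode of 700 only keeps other users out while the directory itself is intact; a backup, a copy to another location, or a later loosening of the directory exposes a 644 file immediately, which is why the file mode has to be tightened on its own.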