[Freeipa-devel] [freeipa PR#237][opened] Update man page for ipa-adtrust-install by removing --no-msdcs option
URL: https://github.com/freeipa/freeipa/pull/237 Author: pspacek Title: #237: Update man page for ipa-adtrust-install by removing --no-msdcs option Action: opened PR body: """ https://bugzilla.redhat.com/show_bug.cgi?id=1392778 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/237/head:pr237 git checkout pr237 From f9e5691800b5077ffb419674d9c941c758d5352f Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Mon, 14 Nov 2016 08:55:52 +0100 Subject: [PATCH] Update man page for ipa-adtrust-install by removing --no-msdcs option https://bugzilla.redhat.com/show_bug.cgi?id=1392778 --- install/tools/man/ipa-adtrust-install.1 | 27 --- 1 file changed, 27 deletions(-) diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index fbf430a..6e8438b 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 
@@ -75,33 +75,6 @@ ipa\-adtrust\-install for a second time with a different NetBIOS name will change the name. Please note that changing the NetBIOS name might break existing trust relationships to other domains. .TP -\fB\-\-no\-msdcs\fR -Do not create DNS service records for Windows in managed DNS server. Since those -DNS service records are the only way to discover domain controllers of other -domains they must be added manually to a different DNS server to allow trust -realationships work properly. All needed service records are listed when -ipa\-adtrust\-install finishes and either \-\-no\-msdcs was given or no IPA DNS -service is configured. Typically service records for the following service names -are needed for the IPA domain which should point to all IPA servers: -.IP -\(bu _ldap._tcp -.IP -\(bu _kerberos._tcp -.IP -\(bu _kerberos._udp -.IP -\(bu _ldap._tcp.dc._msdcs -.IP -\(bu _kerberos._tcp.dc._msdcs -.IP -\(bu _kerberos._udp.dc._msdcs -.IP -\(bu _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs -.IP -\(bu _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs -.IP -\(bu _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs -.TP \fB\-\-add\-sids\fR Add SIDs to existing users and groups as on of final steps of the ipa\-adtrust\-install run. If there a many existing users and groups and a -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
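Review bot: the deleted \-\-no\-msdcs paragraph is also the only place this man page lists the SRV records (_ldap._tcp, _kerberos._tcp, _kerberos._udp and their dc._msdcs and Default-First-Site-Name._sites.dc._msdcs variants) that must be created by hand when no IPA DNS service is configured, and the removed text itself says the list is printed in that case too ("either \-\-no\-msdcs was given or no IPA DNS service is configured"). Unless ipa-adtrust-install no longer prints or needs that list, keep the record list under a section that is not tied to the removed option instead of dropping it together with the option. The commit message only references the bugzilla; it should state that the option itself has been removed from the tool so the man page change is verifiable against the code.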
[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Title: #210: Tests: Stage User Tracker implementation
mirielka commented: """
Review notes: same as in https://github.com/freeipa/freeipa/pull/181
"""
See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-260255679
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181 Title: #181: Tests : User Tracker creation of user with minimal values
mirielka commented: """
Having "None" default values for obligatory arguments does not seem to be a good idea. If the method was called with default values, it would fail. It would be best if obligatory arguments ("givenname" and "sn") were provided as positional arguments and the voluntary "name" as a keyword argument. Please note that such a change will cause failure of existing tests that use this tracker, therefore it's necessary to fix them as well - include this in a separate commit of this PR. Also please don't forget to add testcases for which this PR was created originally - creating a user without the "name" argument (both positive and negative testcases).
"""
See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-260255613
[Freeipa-devel] [freeipa PR#227][edited] cert-request: match names against principal aliases
URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal aliases Action: edited
Changed field: title
Original value: """ cert-request: match names against principal alises """
[Freeipa-devel] [freeipa PR#174][comment] add log module
URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module
shanyin commented: """
@mbasti-rh I've already basically finished my translation on Zanata. The URL is https://fedora.zanata.org/webtrans/translate?project=freeipa&iteration=master&localeId=zh-CN&locale=en-US&dswid=9896#view:doc;doc:po/ipa
"""
See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-260230505
[Freeipa-devel] [freeipa PR#227][synchronized] cert-request: match names against principal alises
URL: https://github.com/freeipa/freeipa/pull/227 Author: frasertweedale Title: #227: cert-request: match names against principal alises Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/227/head:pr227 git checkout pr227 From 6156cf748f7ac901f3f05f7f32abec1283fc9be7 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 26 Oct 2016 09:48:19 +1000 Subject: [PATCH] cert-request: match names against principal aliases Currently we do not check Kerberos principal aliases when validating a CSR. Enhance cert-request to accept the following scenarios: - for hosts and services: CN and SAN dnsNames match a principal alias (realm and service name must be same as nominated principal) - for all principal types: UPN or KRB5PrincipalName othername match any principal alias. Fixes: https://fedorahosted.org/freeipa/ticket/6295 --- ipaserver/plugins/cert.py | 125 - .../test_xmlrpc/test_caacl_profile_enforcement.py | 86 -- 2 files changed, 171 insertions(+), 40 deletions(-) diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py index 3571ef1..f814138 100644 --- a/ipaserver/plugins/cert.py +++ b/ipaserver/plugins/cert.py @@ -649,11 +649,13 @@ def execute(self, csr, all=False, raw=False, **kw): cn = cns[-1].value # "most specific" is end of list if principal_type in (SERVICE, HOST): -if cn.lower() != principal.hostname.lower(): -raise errors.ACIError( -info=_("hostname in subject of request '%(cn)s' " -"does not match principal hostname '%(hostname)s'") -% dict(cn=cn, hostname=principal.hostname)) +if not _dns_name_matches_principal(cn, principal, principal_obj): +raise errors.ValidationError( +name='csr', +error=_( +"hostname in subject of request '%(cn)s' does not " +"match name or aliases of principal '%(principal)s'" +) % dict(cn=cn, principal=principal)) elif principal_type == USER: # check user name if cn != principal.username: 
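Review bot: the old CN check lowercased both sides (`cn.lower() != principal.hostname.lower()`) while the replacement passes `cn` to `_dns_name_matches_principal(cn, principal, principal_obj)` unchanged; that helper is not in the visible hunks, so confirm it compares case-insensitively, otherwise a CSR whose CN differs from the hostname only by case is newly rejected. Raising `errors.ValidationError` instead of `errors.ACIError` for a CN mismatch also changes the exception type callers see; the diffstat shows test_caacl_profile_enforcement.py was touched, so make sure the expected exception there is updated and note the changed error type in the commit message.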
@@ -686,26 +688,32 @@ def execute(self, csr, all=False, raw=False, **kw): generalnames = x509.process_othernames(ext_san.value) for gn in generalnames: if isinstance(gn, cryptography.x509.general_name.DNSName): +if principal.is_user: +raise errors.ValidationError( +name='csr', +error=_( +"subject alt name type %s is forbidden " +"for user principals") % "DNSName" +) + name = gn.value -alt_principal = None + +if _dns_name_matches_principal(name, principal, principal_obj): +continue # nothing more to check for this alt name + +# no match yet; check for an alternative principal with +# same realm and service type as subject principal. +components = list(principal.components) +components[-1] = name +alt_principal = kerberos.Principal(components, principal.realm) alt_principal_obj = None try: if principal_type == HOST: -alt_principal = kerberos.Principal( -(u'host', name), principal.realm) -alt_principal_obj = api.Command['host_show'](name, all=True) +alt_principal_obj = api.Command['host_show']( +name, all=True) elif principal_type == SERVICE: -alt_principal = kerberos.Principal( -(principal.service_name, name), principal.realm) alt_principal_obj = api.Command['service_show']( alt_principal, all=True) -elif principal_type == USER: -raise errors.ValidationError( -name='csr', -error=_( -"subject alt name type %s is forbidden " -"for user principals") % "DNSName" -) except errors.NotFound: # We don't want to issue any certificates referencing # machines we don't know about. Nothing is stored in this @@ -713,18 +721,23 @@ def execute(self, csr, all=False, raw=False, **kw): raise errors.NotFound(reason=_('The service principal for ' 'subject alt name %s in certificate request does not ' 'exi
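Review bot: the new `continue` after `_dns_name_matches_principal(name, principal, principal_obj)` skips the rest of the loop body for a dnsName that matches the principal or one of its aliases, whereas the old code ran the host_show/service_show lookup for every dnsName, including the principal's own hostname; if anything after the except block (cut off in this hunk) relied on `alt_principal_obj` being set for each SAN, that path is now bypassed, so confirm the short-circuit is intended. Separately, `components[-1] = name` on the copied `principal.components` assumes the host name is always the last component; that holds for the `(u'host', name)` and `(principal.service_name, name)` forms the old code built explicitly, but a one-line comment stating the assumption next to the assignment would help the next reader.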
[Freeipa-devel] [freeipa PR#174][comment] add log module
URL: https://github.com/freeipa/freeipa/pull/174 Title: #174: add log module
shanyin commented: """
I tried to use the centralized logging, but my system is Ubuntu, and the ipa-log-config tool is only supported by RHEL 7 / CentOS 7 currently. So, the centralized logging is not configured successfully.
--
Wishing you smooth work and a happy life!
--
Changsha R&D Center, Zheng Lei
Phone: 18684703229
Email: zheng...@kylinos.cn
Company: Tianjin Kylin Information Technology Co., Ltd.
Address: 14th floor, Gongmei Building, Sanyi Avenue, Kaifu District, Changsha, Hunan
-- Original --
From: "mbasti-rh";
Date: Fri, Nov 11, 2016 07:36 PM
To: "freeipa/freeipa";
Cc: "shanyin"; "Mention";
Subject: Re: [freeipa/freeipa] add log module (#174)
@shanyin Did centralized logging meet your requirements?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/174#issuecomment-260226824
[Freeipa-devel] [freeipa PR#235][comment] Remove unused Knob function
URL: https://github.com/freeipa/freeipa/pull/235 Title: #235: Remove unused Knob function
stlaz commented: """
From our offline discussion I got the impression the Knob function was still used somewhere, hence the ACK. I'm not sure what the reason was for keeping Knob there even if unused; you may need to check with @jcholast.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/235#issuecomment-260173516