date:20170217

[Freeipa-devel] python-ipaserver & freeipa-server-trust-ad split

2017-02-17 Thread Timo Aaltonen


Hi,

So Fedora puts all of dist-packages/ipaserver/* in python-ipaserver,
but dcerpc.py imports python-samba which -ipaserver does not depend on.
So I've kept dcerpc.py and adtrustinstance.py in freeipa-server-trust-ad
on Debian, but now with 4.4.3 (because of fd8c17252fbc) it seems that
ipa-server-install wants to import adtrustinstance and fails to run if
it's not installed.

Traceback (most recent call last):
  File "/usr/sbin/ipa-server-install", line 25, in 
from ipaserver.install.server import Server
  File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/__init__.py",
line 8, in 
from .upgrade import upgrade_check, upgrade
  File
"/usr/lib/python2.7/dist-packages/ipaserver/install/server/upgrade.py",
line 49, in 
from ipaserver.install import adtrustinstance
ImportError: cannot import name adtrustinstance


So what to do here? I can't remember exactly what problems I hit when
everything was in python-ipaserver while testing 4.3.0, but I think they
were about the samba stuff.. and don't want to test again without asking
first. Should the upgrader stuff be split?

-- 
t

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#403][comment] Add new ipa passwd-generate command

2017-02-17 Thread redhatrises

  URL: https://github.com/freeipa/freeipa/pull/403
Title: #403: Add new ipa passwd-generate command

redhatrises commented:
"""
Thanks @abbra 

The command would have been `ipa passwd-generate --user user1` without piping 
any commands to it and would have kept the initial password as well as only run 
as an IPA admin. I also had forgotten about using `--random`. Will look at 
`ipa-advise` at some point in the future. Closing this PR for now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/403#issuecomment-280749987
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#403][closed] Add new ipa passwd-generate command

2017-02-17 Thread redhatrises

   URL: https://github.com/freeipa/freeipa/pull/403
Author: redhatrises
 Title: #403: Add new ipa passwd-generate command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/403/head:pr403
git checkout pr403
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#453][synchronized] Cleanup certdb

2017-02-17 Thread tiran

   URL: https://github.com/freeipa/freeipa/pull/453
Author: tiran
 Title: #453: Cleanup certdb
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/453/head:pr453
git checkout pr453
From 29e1c390fe8e998aabbdd89a72da08cbf0ee4a25 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 9 Feb 2017 14:55:45 +0100
Subject: [PATCH] Cleanup certdb

* use with statement to open/close files
* prefer fchmod/fchown when a file descriptor is available
* set permission before data is written to file
* remove chdir() hack with proper cwd argument to ipautil.run()

Do not ever change the working directory of a program. It's a really bad
idea. Just consider what is going to happen if two threads or two
different parts of a process decide to own control over the working
directory?

Signed-off-by: Christian Heimes 
---
 ipaserver/install/certs.py | 147 -
 1 file changed, 65 insertions(+), 82 deletions(-)

diff --git a/ipaserver/install/certs.py b/ipaserver/install/certs.py
index bca2504..c3543b3 100644
--- a/ipaserver/install/certs.py
+++ b/ipaserver/install/certs.py
@@ -96,10 +96,6 @@ def __init__(self, realm, nssdir=paths.IPA_RADB_DIR, fstore=None,
 self.host_name = host_name
 self.ca_subject = ca_subject
 self.subject_base = subject_base
-try:
-self.cwd = os.getcwd()
-except OSError as e:
-raise RuntimeError("Unable to determine the current directory: %s" % str(e))
 
 self.cacert_name = get_ca_nickname(self.realm)
 
@@ -142,10 +138,8 @@ def passwd_fname(self):
 def __del__(self):
 if self.reqdir is not None:
 shutil.rmtree(self.reqdir, ignore_errors=True)
-try:
-os.chdir(self.cwd)
-except OSError:
-pass
+self.reqdir = None
+self.nssdb.close()
 
 def setup_cert_request(self):
 """
@@ -162,23 +156,21 @@ def setup_cert_request(self):
 self.certreq_fname = self.reqdir + "/tmpcertreq"
 self.certder_fname = self.reqdir + "/tmpcert.der"
 
-# When certutil makes a request it creates a file in the cwd, make
-# sure we are in a unique place when this happens
-os.chdir(self.reqdir)
-
-def set_perms(self, fname, write=False, uid=None):
-if uid:
-pent = pwd.getpwnam(uid)
-os.chown(fname, pent.pw_uid, pent.pw_gid)
-else:
-os.chown(fname, self.uid, self.gid)
+def set_perms(self, fname, write=False):
 perms = stat.S_IRUSR
 if write:
 perms |= stat.S_IWUSR
-os.chmod(fname, perms)
+if hasattr(fname, 'fileno'):
+os.fchown(fname.fileno(), self.uid, self.gid)
+os.fchmod(fname.fileno(), perms)
+else:
+os.chown(fname, self.uid, self.gid)
+os.chmod(fname, perms)
 
 def run_certutil(self, args, stdin=None, **kwargs):
-return self.nssdb.run_certutil(args, stdin, **kwargs)
+# When certutil makes a request it creates a file in the cwd, make
+# sure we are in a unique place when this happens
+return self.nssdb.run_certutil(args, stdin, cwd=self.reqdir, **kwargs)
 
 def run_signtool(self, args, stdin=None):
 with open(self.passwd_fname, "r") as f:
@@ -186,24 +178,23 @@ def run_signtool(self, args, stdin=None):
 new_args = [paths.SIGNTOOL, "-d", self.secdir, "-p", password]
 
 new_args = new_args + args
-ipautil.run(new_args, stdin)
+ipautil.run(new_args, stdin, cwd=self.reqdir)
 
 def create_noise_file(self):
 if ipautil.file_exists(self.noise_fname):
 os.remove(self.noise_fname)
-f = open(self.noise_fname, "w")
-f.write(ipautil.ipa_generate_password())
-self.set_perms(self.noise_fname)
+with open(self.noise_fname, "w") as f:
+self.set_perms(f)
+f.write(ipautil.ipa_generate_password())
 
 def create_passwd_file(self, passwd=None):
 ipautil.backup_file(self.passwd_fname)
-f = open(self.passwd_fname, "w")
-if passwd is not None:
-f.write("%s\n" % passwd)
-else:
-f.write(ipautil.ipa_generate_password())
-f.close()
-self.set_perms(self.passwd_fname)
+with open(self.passwd_fname, "w") as f:
+self.set_perms(f)
+if passwd is not None:
+f.write("%s\n" % passwd)
+else:
+f.write(ipautil.ipa_generate_password())
 
 def create_certdbs(self):
 self.nssdb.create_db(user=self.user, group=self.group, mode=self.mode,
@@ -241,20 +232,21 @@ def export_ca_cert(self, nickname, create_pkcs12=False):
 # export the CA cert for use with other apps
 ipautil.backup_file(cacert_fname)
 root_nicknames =

[Freeipa-devel] [freeipa PR#442][closed] Add option to run tests in-tree and out-of-tree mode

2017-02-17 Thread tiran

   URL: https://github.com/freeipa/freeipa/pull/442
Author: tiran
 Title: #442: Add option to run tests in-tree and out-of-tree mode
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/442/head:pr442
git checkout pr442
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#442][comment] Add option to run tests in-tree and out-of-tree mode

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/442
Title: #442: Add option to run tests in-tree and out-of-tree mode

tiran commented:
"""
Not useful or relevant any more.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/442#issuecomment-280708021
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#442][+rejected] Add option to run tests in-tree and out-of-tree mode

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/442
Title: #442: Add option to run tests in-tree and out-of-tree mode

Label: +rejected
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#479][opened] Merge AD trust installer into composite ones

2017-02-17 Thread martbab

   URL: https://github.com/freeipa/freeipa/pull/479
Author: martbab
 Title: #479: Merge AD trust installer into composite ones
Action: opened

PR body:
"""
This PR implements setup of Samba/Winbind as a part of server/replica install.
I will update installation tests in a separate PR in order not to inflate an
already sizeable amount of code touched in this one.

I also updated man pages of ipa-server/replica-install, but since the entries
are a bit chatty, it may be a good idea to write a more terse option
descriptions and provide a link to `ipa-adtrust-install` for more thorough
explanation.

The commits from https://github.com/freeipa/freeipa/pull/457 are on the bottom
of the branch in order to provide working AD trust installer in cases where
admin password is not provided.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/479/head:pr479
git checkout pr479
From befb5e97602d1e523157b503d33a3ca8f8f84a9d Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 3 Feb 2017 17:14:20 +0100
Subject: [PATCH 01/15] allow for more flexibility when requesting service
 keytab

The service installers can now override the methods for cleaning up
stale keytabs and changing file ownership of the newly acquired keytabs.

The default actions should be usable by most installers without specific
overriding.

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/service.py | 41 ++---
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index b9d1ffc..80bb4bb 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -540,22 +540,35 @@ def _add_service_principal(self):
 except errors.DuplicateEntry:
 pass
 
+def clean_previous_keytab(self, keytab=None):
+if keytab is None:
+keytab = self.keytab
+
+self.fstore.backup_file(keytab)
+try:
+os.unlink(keytab)
+except OSError:
+pass
+
+def set_keytab_owner(self, keytab=None, owner=None):
+if keytab is None:
+keytab = self.keytab
+if owner is None:
+owner = self.service_user
+
+pent = pwd.getpwnam(owner)
+os.chown(keytab, pent.pw_uid, pent.pw_gid)
+
 def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
 """
-backup and remove old service keytab (if present) and fetch a new one
-using ipa-getkeytab. This assumes that the service principal is already
-created in LDAP. By default GSSAPI authentication is used unless:
+retrieve service keytab using ipa-getkeytab. This assumes that the
+service principal is already created in LDAP. By default GSSAPI
+authentication is used unless:
 * LDAPI socket is used and effective process UID is 0, then
   autobind is used by EXTERNAL SASL mech
 * self.dm_password is not none, then DM credentials are used to
   fetch keytab
 """
-self.fstore.backup_file(keytab)
-try:
-os.unlink(keytab)
-except OSError:
-pass
-
 args = [paths.IPA_GETKEYTAB,
 '-k', keytab,
 '-p', principal,
@@ -576,17 +589,15 @@ def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
 ipautil.run(args, nolog=nolog)
 
 def _request_service_keytab(self):
-if any(attr is None for attr in (self.principal, self.keytab,
- self.service_user)):
+if any(attr is None for attr in (self.principal, self.keytab)):
 raise NotImplementedError(
 "service must have defined principal "
-"name, keytab, and username")
+"name and keytab")
 
 self._add_service_principal()
+self.clean_previous_keytab()
 self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
-
-pent = pwd.getpwnam(self.keytab_user)
-os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+self.set_keytab_owner()
 
 
 class SimpleServiceInstance(Service):

From 54a7975465e965efc677e5e6efde2be239ac25d3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 17 Feb 2017 14:31:55 +0100
Subject: [PATCH 02/15] Make request_service_keytab into a public method

a cosmetic change: we had private method comprising of calls to public
ones, which did not make much sense in our case

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/dsinstance.py   | 6 +++---
 ipaserver/install/httpinstance.py | 2 +-
 ipaserver/install/service.py  | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 9172b65..bf80ae0 100644
---

[Freeipa-devel] [freeipa PR#368][+pushed] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread martbab

  URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#368][closed] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread martbab

   URL: https://github.com/freeipa/freeipa/pull/368
Author: pvomacka
 Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/368/head:pr368
git checkout pr368
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread martbab

  URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/1a96e7f9e737941480436269668ccde0a50395f9
https://fedorahosted.org/freeipa/changeset/6c6c68df544ac1046741d91dfdc59ef8d96b863c
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/368#issuecomment-280703637
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][synchronized] Packaging: Add placeholder packages

2017-02-17 Thread tiran

   URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
 Title: #472: Packaging: Add placeholder packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472
From 61f40dcc205710cf04dcfe9dab7b68d7acfa04e2 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH 1/3] Packaging: Add placeholder packages

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes 
---
 Makefile.am   |  4 +++-
 Makefile.python.am| 21 +
 configure.ac  |  3 +++
 packaging/Makefile.am | 10 ++
 packaging/freeipa/Makefile.am |  3 +++
 packaging/freeipa/README.txt  |  2 ++
 packaging/freeipa/setup.cfg   |  6 ++
 packaging/freeipa/setup.py| 23 +++
 packaging/ipa/Makefile.am |  3 +++
 packaging/ipa/README.txt  |  2 ++
 packaging/ipa/setup.cfg   |  6 ++
 packaging/ipa/setup.py| 23 +++
 12 files changed, 97 insertions(+), 9 deletions(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py

diff --git a/Makefile.am b/Makefile.am
index 30ad9bb..a6faa11 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 ACLOCAL_AMFLAGS = -I m4
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
@@ -206,6 +206,8 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
diff --git a/Makefile.python.am b/Makefile.python.am
index 665893f..9c34fe3 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -1,5 +1,6 @@
 pkgname = $(shell basename "$(abs_srcdir)")
 pkgpythondir = $(pythondir)/$(pkgname)
+pkginstall = true
 
 if VERBOSE_MAKE
 VERBOSITY="--verbose"
@@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py
 		--build-base "$(abs_builddir)/build"
 
 install-exec-local: $(top_builddir)/ipasetup.py
-	$(PYTHON) $(srcdir)/setup.py \
-		$(VERBOSITY) \
-		install \
-		--prefix "$(DESTDIR)$(prefix)" \
-		--single-version-externally-managed \
-		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
-		--optimize 1
+	if [ "x$(pkginstall)" = "xtrue" ]; then \
+	$(PYTHON) $(srcdir)/setup.py \
+		$(VERBOSITY) \
+		install \
+		--prefix "$(DESTDIR)$(prefix)" \
+		--single-version-externally-managed \
+		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
+		--optimize 1; \
+	fi
 
 uninstall-local:
-	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf
+	if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
+	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
+	fi
 	rm -rf "$(DESTDIR)$(pkgpythondir)"
 
 clean-local: $(top_builddir)/ipasetup.py
diff --git a/configure.ac b/configure.ac
index 44dc11b..f48ba14 100644
--- a/configure.ac
+++ b/configure.ac
@@ -577,6 +577,9 @@ AC_CONFIG_FILES([
 ipaserver/Makefile
 ipatests/Makefile
 ipatests/man/Makefile
+packaging/Makefile
+packaging/freeipa/Makefile
+packaging/ipa/Makefile
 po/Makefile.in
 po/Makefile.hack
 util/Makefile
diff --git a/packaging/Makefile.am b/packaging/Makefile.am
new file mode 100644
index 000..5725ed9
--- /dev/null
+++ b/packaging/Makefile.am
@@ -0,0 +1,10 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
+
+NULL =
+
+SUBDIRS =			\
+	freeipa			\
+	ipa			\
+	$(NULL)
diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am
new file mode 100644
index 000..15d86ce
--- /dev/null
+++ b/packaging/freeipa/Makefile.am
@@ -0,0 +1,3 @@
+include $(top_srcdir)/Makefile.python.am
+
+pkginstall = false
diff --git a/packaging/freeipa/README.txt b/packaging/freeipa/README.txt
new file mode 100644
index 000..b58448f
--- /dev/null
+++ b/packaging/freeipa/README.txt

[Freeipa-devel] [freeipa PR#368][+ack] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread pvoborni

  URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread pvoborni

  URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 

pvoborni commented:
"""
ACK given that Martin did functional testing
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/368#issuecomment-280700948
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

tiran commented:
"""
At the moment wheels are not required for RPM building. python-wheel is not 
available on RHEL, but I can work around it. Should the RPM spec file only 
contain dependencies for RPM packaging or also dependencies for general 
development and general packaging?

I can create placeholder modules for ipaserver, ipaplatform and ipatests, too. 
It's going to be a bit more tricky. Let's see...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-280690085
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#478][opened] [4.4] Do not configure PKI ajp redirection to use "::1"

2017-02-17 Thread flo-renaud

   URL: https://github.com/freeipa/freeipa/pull/478
Author: flo-renaud
 Title: #478: [4.4] Do not configure PKI ajp redirection to use "::1"
Action: opened

PR body:
"""
When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:

ie all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.

https://fedorahosted.org/freeipa/ticket/6575
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/478/head:pr478
git checkout pr478
From bd406539f48eb9ab9bc84413dcbdddae8422c412 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Fri, 17 Feb 2017 15:59:57 +0100
Subject: [PATCH] [4.4] Do not configure PKI ajp redirection to use "::1"

When ipa-server-install configures PKI, it provides a configuration file
with the parameter pki_ajp_host set to ::1. This parameter is used to configure
Tomcat redirection in /etc/pki/pki-tomcat/server.xml:

ie all requests to port 8009 are redirected to port 8443 on address ::1.

If the /etc/hosts config file does not define ::1 for localhost, then AJP
redirection fails and replica install is not able to request a certificate
for the replica.

Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
redirection with "localhost", FreeIPA does not need any more to override
this setting.
The code now depends on pki 10.3.5-11 which provides the fix in the template
and the upgrade.

https://fedorahosted.org/freeipa/ticket/6575
---
 freeipa.spec.in | 4 ++--
 ipaserver/install/cainstance.py | 4 
 2 files changed, 2 insertions(+), 6 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8a8e3a5..8081a93 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -161,8 +161,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= 10.3.5-6
-Requires: pki-kra >= 10.3.5-6
+Requires: pki-ca >= 10.3.5-11
+Requires: pki-kra >= 10.3.5-11
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index c8c7c28..6bf5917 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -578,10 +578,6 @@ def __spawn_instance(self):
 config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
 config.set("CA", "pki_external_step_two", "True")
 
-# PKI IPv6 Configuration
-config.add_section("Tomcat")
-config.set("Tomcat", "pki_ajp_host", "::1")
-
 # Generate configuration file
 with open(cfg_file, "wb") as f:
 config.write(f)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
Thanks for your contribution. I added your patch to my PR. On my system I ran 
into a minor issue. Some C99 types like ```uint8_t``` were not defined and I 
had to include ```stdint.h```.

By the way I'm just going to ignore your snidely and snarky comment.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280687364
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#457][comment] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

2017-02-17 Thread martbab

  URL: https://github.com/freeipa/freeipa/pull/457
Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

martbab commented:
"""
I have added some commits to cope with changes made during privliege spearation 
work
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/457#issuecomment-280681170
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
I'm not an expert about how PyPI is working, but shouldn't be there also 
placeholder packages for:
- ipaserver
- ipaplatform
- ipatests


How about [free]ipa-server and friends, can a bad person use this for an attack 
when somebody uses `pip install freeipa-server` ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-280682669
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#364][synchronized] Client-only builds with --disable-server

2017-02-17 Thread tiran

   URL: https://github.com/freeipa/freeipa/pull/364
Author: tiran
 Title: #364: Client-only builds with --disable-server
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/364/head:pr364
git checkout pr364
From f8714aa599a216a3eb4a2a93f464f512516570a7 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 3 Jan 2017 14:32:05 +0100
Subject: [PATCH 1/3] Client-only builds with --disable-server

https://fedorahosted.org/freeipa/ticket/6517
---
 Makefile.am  |   9 +++-
 configure.ac | 159 +--
 server.m4| 131 
 3 files changed, 172 insertions(+), 127 deletions(-)
 create mode 100644 server.m4

diff --git a/Makefile.am b/Makefile.am
index 30ad9bb..b12a77e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,14 @@
 ACLOCAL_AMFLAGS = -I m4
 
+if ENABLE_SERVER
+SERVER_SUBDIRS = daemons init install ipaserver
+else
+SERVER_SUBDIRS =
+endif
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib po \
+	$(IPACLIENT_SUBDIRS) ipaplatform ipatests $(SERVER_SUBDIRS)
+
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
diff --git a/configure.ac b/configure.ac
index 44dc11b..6192e4b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -24,6 +24,17 @@ LT_INIT
 
 AC_HEADER_STDC
 
+PKG_PROG_PKG_CONFIG
+
+AC_ARG_ENABLE([server],
+[  --disable-serverDisable server support],
+[case "${enableval}" in
+  yes) enable_server=true ;;
+  no)  enable_server=false ;;
+  *) AC_MSG_ERROR([bad value ${enableval} for --disable-server]) ;;
+esac],[enable_server=true])
+AM_CONDITIONAL([ENABLE_SERVER], [test x$enable_server = xtrue])
+
 AM_CONDITIONAL([HAVE_GCC], [test "$ac_cv_prog_gcc" = yes])
 
 dnl ---
@@ -33,37 +44,10 @@ PKG_CHECK_MODULES([NSPR], [nspr])
 PKG_CHECK_MODULES([NSS], [nss])
 
 dnl ---
-dnl - Check for DS slapi plugin
-dnl ---
-
-# Need to hack CPPFLAGS to be able to correctly detetct slapi-plugin.h
-SAVE_CPPFLAGS=$CPPFLAGS
-CPPFLAGS=$NSPR_CFLAGS
-AC_CHECK_HEADER(dirsrv/slapi-plugin.h)
-if test "x$ac_cv_header_dirsrv_slapi-plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-AC_CHECK_HEADER(dirsrv/repl-session-plugin.h)
-if test "x$ac_cv_header_dirsrv_repl_session_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required 389-ds header not available (389-ds-base-devel)])
-fi
-CPPFLAGS=$SAVE_CPPFLAGS
-
-if test "x$ac_cv_header_dirsrv_slapi_plugin_h" = "xno" ; then
-	AC_MSG_ERROR([Required DS slapi plugin header not available (fedora-ds-base-devel)])
-fi
-
-dnl ---
 dnl - Check for KRB5
 dnl ---
 
 PKG_CHECK_MODULES([KRB5], [krb5])
-AC_CHECK_HEADER(krad.h, [], [AC_MSG_ERROR([krad.h not found])])
-AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
-KRAD_LIBS="-lkrad"
-krb5rundir="${localstatedir}/run/krb5kdc"
-AC_SUBST(KRAD_LIBS)
-AC_SUBST(krb5rundir)
 
 AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
 AC_CHECK_MEMBER(
@@ -105,11 +89,6 @@ dnl ---
 PKG_CHECK_MODULES([CRYPTO], [libcrypto])
 
 dnl ---
-dnl - Check for UUID library
-dnl ---
-PKG_CHECK_MODULES([UUID], [uuid])
-
-dnl ---
 dnl - Check for Python
 dnl ---
 
@@ -122,69 +101,6 @@ if test "x$PYTHON" = "x" ; then
 fi
 
 dnl ---
-dnl Check for ndr_krb5pac and other samba libraries
-dnl ---
-
-PKG_PROG_PKG_CONFIG()
-PKG_CHECK_MODULES([TALLOC], [talloc])
-PKG_CHECK_MODULES([TEVENT], [tevent])
-PKG_CHECK_MODULES([NDRPAC], [ndr_krb5pac])
-PKG_CHECK_MODULES([NDRNBT], [ndr_nbt])
-PKG_CHECK_MODULES([NDR], [ndr])
-PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
-SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
-AC_SUBST(SAMBA40EXTRA_LIBPATH)
-
-bck_cflags="$CFLAGS"
-CFLAGS="$NDRPAC_CFLAGS"
-AC_CHECK_MEMBER(
-[struct PAC_DOMAIN_GROUP_MEMBERSHIP.domain_sid],
-

[Freeipa-devel] [freeipa PR#457][synchronized] adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab

2017-02-17 Thread martbab

   URL: https://github.com/freeipa/freeipa/pull/457
Author: martbab
 Title: #457: adtrustinstance: use LDAPI/EXTERNAL to retrieve CIFS keytab
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/457/head:pr457
git checkout pr457
From befb5e97602d1e523157b503d33a3ca8f8f84a9d Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 3 Feb 2017 17:14:20 +0100
Subject: [PATCH 1/4] allow for more flexibility when requesting service keytab

The service installers can now override the methods for cleaning up
stale keytabs and changing file ownership of the newly acquired keytabs.

The default actions should be usable by most installers without specific
overriding.

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/service.py | 41 ++---
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index b9d1ffc..80bb4bb 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -540,22 +540,35 @@ def _add_service_principal(self):
 except errors.DuplicateEntry:
 pass
 
+def clean_previous_keytab(self, keytab=None):
+if keytab is None:
+keytab = self.keytab
+
+self.fstore.backup_file(keytab)
+try:
+os.unlink(keytab)
+except OSError:
+pass
+
+def set_keytab_owner(self, keytab=None, owner=None):
+if keytab is None:
+keytab = self.keytab
+if owner is None:
+owner = self.service_user
+
+pent = pwd.getpwnam(owner)
+os.chown(keytab, pent.pw_uid, pent.pw_gid)
+
 def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
 """
-backup and remove old service keytab (if present) and fetch a new one
-using ipa-getkeytab. This assumes that the service principal is already
-created in LDAP. By default GSSAPI authentication is used unless:
+retrieve service keytab using ipa-getkeytab. This assumes that the
+service principal is already created in LDAP. By default GSSAPI
+authentication is used unless:
 * LDAPI socket is used and effective process UID is 0, then
   autobind is used by EXTERNAL SASL mech
 * self.dm_password is not none, then DM credentials are used to
   fetch keytab
 """
-self.fstore.backup_file(keytab)
-try:
-os.unlink(keytab)
-except OSError:
-pass
-
 args = [paths.IPA_GETKEYTAB,
 '-k', keytab,
 '-p', principal,
@@ -576,17 +589,15 @@ def run_getkeytab(self, ldap_uri, keytab, principal, retrieve=False):
 ipautil.run(args, nolog=nolog)
 
 def _request_service_keytab(self):
-if any(attr is None for attr in (self.principal, self.keytab,
- self.service_user)):
+if any(attr is None for attr in (self.principal, self.keytab)):
 raise NotImplementedError(
 "service must have defined principal "
-"name, keytab, and username")
+"name and keytab")
 
 self._add_service_principal()
+self.clean_previous_keytab()
 self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
-
-pent = pwd.getpwnam(self.keytab_user)
-os.chown(self.keytab, pent.pw_uid, pent.pw_gid)
+self.set_keytab_owner()
 
 
 class SimpleServiceInstance(Service):

From 54a7975465e965efc677e5e6efde2be239ac25d3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 17 Feb 2017 14:31:55 +0100
Subject: [PATCH 2/4] Make request_service_keytab into a public method

a cosmetic change: we had private method comprising of calls to public
ones, which did not make much sense in our case

https://fedorahosted.org/freeipa/ticket/6638
---
 ipaserver/install/dsinstance.py   | 6 +++---
 ipaserver/install/httpinstance.py | 2 +-
 ipaserver/install/service.py  | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 9172b65..bf80ae0 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -393,7 +393,7 @@ def create_replica(self, realm_name, master_fqdn, fqdn,
 self.__common_setup(enable_ssl=(not self.promote))
 self.step("restarting directory server", self.__restart_instance)
 
-self.step("creating DS keytab", self._request_service_keytab)
+self.step("creating DS keytab", self.request_service_keytab)
 if self.promote:
 if self.pkcs12_info:
 self.step("configuring TLS for DS instance", self.__enable_ssl)
@@ -1221,8 +1221,8 @@ def __set_domain_level(self):
 if self.domainlevel is not

[Freeipa-devel] [freeipa PR#472][comment] Packaging: Add placeholder packages

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/472
Title: #472: Packaging: Add placeholder packages

MartinBasti commented:
"""
Shouldn't we have build dependency on `python[3]-wheel` without it 
`bdist_wheel` target is not working
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/472#issuecomment-280679788
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-17 Thread lslebodn

  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
It looks like @tiran does not want to move this PR forward.

So here is a link to patch which does not misuse client-only
build and add configure time option to install ipatests.

https://paste.fedoraproject.org/paste/~u7iDljnMTvinxmLFoc25V5M1UNdIGYhyRLivL9gydE=/

As part of this work I found out that 4 dependencies can be simply
moved to server only build: `libuuid`, `DIRSRV`, `libsss_idmap`,
`libsss_nss_idmap`.

Result => Client only build require less C-dependencies.

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280675665
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 

MartinBasti commented:
"""
Works for me
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/368#issuecomment-280669975
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop

2017-02-17 Thread simo5

   URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
 Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468
From 7a8212217891ad2f9453b82d136cf30ad0b0dd74 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 15 Feb 2017 04:44:59 -0500
Subject: [PATCH] Remove non-sensical kdestroy on https stop

This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce 
---
 install/share/ipa-httpd.conf.template | 2 +-
 ipaplatform/base/paths.py | 1 +
 ipaplatform/debian/paths.py   | 1 -
 ipaplatform/redhat/tasks.py   | 2 +-
 4 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index 8822066..39bcfcc 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -1,7 +1,7 @@
 # Do not edit. Created by IPA installer.
 
 [Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
 Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
-ExecStopPost=$POST
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 8db9e61..9993c38 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -351,5 +351,6 @@ class BasePathNamespace(object):
 IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
 EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
+KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
 
 path_namespace = BasePathNamespace
diff --git a/ipaplatform/debian/paths.py b/ipaplatform/debian/paths.py
index 5cbe9b8..ad0e13c 100644
--- a/ipaplatform/debian/paths.py
+++ b/ipaplatform/debian/paths.py
@@ -89,7 +89,6 @@ class DebianPathNamespace(BasePathNamespace):
 VAR_OPENDNSSEC_DIR = "/var/lib/opendnssec"
 OPENDNSSEC_KASP_DB = "/var/lib/opendnssec/db/kasp.db"
 IPA_ODS_EXPORTER_CCACHE = "/var/lib/opendnssec/tmp/ipa-ods-exporter.ccache"
-KRB5CC_HTTPD = "/var/run/apache2/ipa/krbcache/krb5ccache"
 IPA_CUSTODIA_SOCKET = "/run/apache2/ipa-custodia.sock"
 IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
 
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 5bddd14..123595e 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self):
 dict(
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
 IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
-POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
 )
 )
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop

2017-02-17 Thread simo5

   URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
 Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468
From 4cec7509d7601c155e8182ad9cfdb4eecfc33c70 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 15 Feb 2017 04:44:59 -0500
Subject: [PATCH] Remove non-sensical kdestroy on https stop

This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce 
---
 install/share/ipa-httpd.conf.template | 2 +-
 ipaplatform/base/paths.py | 1 +
 ipaplatform/redhat/tasks.py   | 2 +-
 3 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index 8822066..39bcfcc 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -1,7 +1,7 @@
 # Do not edit. Created by IPA installer.
 
 [Service]
+Environment=KRB5CCNAME=$KRB5CC_HTTPD
 Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
-ExecStopPost=$POST
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 8db9e61..9993c38 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -351,5 +351,6 @@ class BasePathNamespace(object):
 IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
 EXTERNAL_SCHEMA_DIR = '/usr/share/ipa/schema.d'
 GSSPROXY_CONF = '/etc/gssproxy/10-ipa.conf'
+KRB5CC_HTTPD = '/tmp/krb5cc-httpd'
 
 path_namespace = BasePathNamespace
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 5bddd14..123595e 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -458,7 +458,7 @@ def configure_httpd_service_ipa_conf(self):
 dict(
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
 IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
-POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
+KRB5CC_HTTPD=paths.KRB5CC_HTTPD,
 )
 )
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/d05d1115e409962fee3576a4bfc5cecfacef4fd3
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/477#issuecomment-280661655
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#477][+pushed] Use RemoveOnStop to cleanup systemd sockets

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#477][closed] Use RemoveOnStop to cleanup systemd sockets

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/477
Author: npmccallum
 Title: #477: Use RemoveOnStop to cleanup systemd sockets
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/477/head:pr477
git checkout pr477
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#469][+rejected] Ignore unlink error in ipa-otpd.socket

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

Label: +rejected
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#477][+ack] Use RemoveOnStop to cleanup systemd sockets

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets

tiran commented:
"""
RemoveonStop was added in systemd-214. Let me figure which version is on RHEL.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/477#issuecomment-280660280
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

2017-02-17 Thread npmccallum

  URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

npmccallum commented:
"""
This PR can be closed.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/469#issuecomment-280660092
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets

tiran commented:
"""
RemoveonStop was added in systemd-214. Let me figure which version is on RHEL.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/477#issuecomment-280660280
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#477][comment] Use RemoveOnStop to cleanup systemd sockets

2017-02-17 Thread npmccallum

  URL: https://github.com/freeipa/freeipa/pull/477
Title: #477: Use RemoveOnStop to cleanup systemd sockets

npmccallum commented:
"""
This PR supersedes PR #469.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/477#issuecomment-280659813
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#477][opened] Use RemoveOnStop to cleanup systemd sockets

2017-02-17 Thread npmccallum

   URL: https://github.com/freeipa/freeipa/pull/477
Author: npmccallum
 Title: #477: Use RemoveOnStop to cleanup systemd sockets
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/477/head:pr477
git checkout pr477
From cc7763c8456c28b79222920d304d41d264f3b6ca Mon Sep 17 00:00:00 2001
From: Nathaniel McCallum 
Date: Fri, 17 Feb 2017 09:10:14 -0500
Subject: [PATCH] Use RemoveOnStop to cleanup systemd sockets

---
 daemons/ipa-otpd/ipa-otpd.socket.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-otpd/ipa-otpd.socket.in b/daemons/ipa-otpd/ipa-otpd.socket.in
index ce3596d..e98a73f 100644
--- a/daemons/ipa-otpd/ipa-otpd.socket.in
+++ b/daemons/ipa-otpd/ipa-otpd.socket.in
@@ -3,7 +3,7 @@ Description=ipa-otpd socket
 
 [Socket]
 ListenStream=@krb5rundir@/DEFAULT.socket
-ExecStopPre=@UNLINK@ @krb5rundir@/DEFAULT.socket
+RemoveOnStop=true
 SocketMode=0600
 Accept=true
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

tiran commented:
"""
@HonzaCholasta, we got merge conflicts.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/471#issuecomment-280659419
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

2017-02-17 Thread npmccallum

  URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

npmccallum commented:
"""
We shouldn't use either. We should use RemoveOnStop= now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/469#issuecomment-280657734
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

2017-02-17 Thread simo5

  URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

simo5 commented:
"""
@tiran I do not know, @npmccallum may know.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/469#issuecomment-280656899
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

MartinBasti commented:
"""
Please create a backport PR for IPA 4.4.x
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/395#issuecomment-280656391
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#395][comment] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/eaa87c75b9f57500265b2dc9480b996b2b92e1e3
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/395#issuecomment-280656272
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#395][closed] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/395
Author: flo-renaud
 Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/395/head:pr395
git checkout pr395
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#395][+pushed] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop

2017-02-17 Thread simo5

   URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
 Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468
From f12cd62b561891c428ce0540c45e7a1ca71784a3 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 15 Feb 2017 04:44:59 -0500
Subject: [PATCH] Remove non-sensical kdestroy on https stop

This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce 
---
 install/share/ipa-httpd.conf.template | 2 +-
 ipaplatform/redhat/tasks.py   | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)

diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index 8822066..17106f1 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -1,7 +1,7 @@
 # Do not edit. Created by IPA installer.
 
 [Service]
+Environment=KRB5CCNAME=/tmp/krb5-httpd
 Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
-ExecStopPost=$POST
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 5bddd14..a5f0077 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -458,7 +458,6 @@ def configure_httpd_service_ipa_conf(self):
 dict(
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
 IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
-POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
 )
 )
 
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#395][+ack] Configure PKI ajp redirection to use "localhost" instead of "::1"

2017-02-17 Thread tomaskrizek

  URL: https://github.com/freeipa/freeipa/pull/395
Title: #395: Configure PKI ajp redirection to use "localhost" instead of "::1"

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-17 Thread simo5

  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
Uhm I just tried setting KRB5CCNAME=/tmp/krb5_httpd in my install and ... I 
found out we do not actually generate an httpd ccache, so why are we trying to 
destroy the ccache again ?
Anyway, I am going to add this Environment line to the unit file just in case, 
so that we can address the issue if we ever need a ccache.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280655007
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-17 Thread simo5

  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
I guess we can simply set KRB5CCNAME=/tmp/krb5_httpd in the unit file and we 
should be ok then.
@martbab or @mbasti, can you try that ?
If it solves your scenario we can change this PR to replace the POST with that 
Env in the unit file.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280653150
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#454][closed] Move AD trust installation code to a separate module

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/454
Author: martbab
 Title: #454: Move AD trust installation code to a separate module
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/454/head:pr454
git checkout pr454
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#454][+pushed] Move AD trust installation code to a separate module

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/454
Title: #454: Move AD trust installation code to a separate module

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#454][comment] Move AD trust installation code to a separate module

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/454
Title: #454: Move AD trust installation code to a separate module

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/98bf0cc9663ac281247ac8d9ee8488e3ab8102eb
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/454#issuecomment-280637842
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#454][+ack] Move AD trust installation code to a separate module

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/454
Title: #454: Move AD trust installation code to a separate module

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#368][comment] WebUI: fix incorrect behavior of ESC button on combobox

2017-02-17 Thread pvoborni

  URL: https://github.com/freeipa/freeipa/pull/368
Title: #368: WebUI: fix incorrect behavior of ESC button on combobox 

pvoborni commented:
"""
Code LGTM, but I did not tests the behavior, so cannot give ACK now.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/368#issuecomment-280628318
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#470][comment] WebUI: Size limit warning on details pages fixed

2017-02-17 Thread pvoborni

  URL: https://github.com/freeipa/freeipa/pull/470
Title: #470: WebUI: Size limit warning on details pages fixed

pvoborni commented:
"""
Would it be better to suppress the warning and use sensible size limit. I.e. 
the entity select doesn't need to show all entries. I'm afraid that it might 
have negative performance impact.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/470#issuecomment-280627755
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#25][closed] Added install check before executing ipa-* command

2017-02-17 Thread Akasurde

   URL: https://github.com/freeipa/freeipa/pull/25
Author: Akasurde
 Title: #25: Added install check before executing ipa-* command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/25/head:pr25
git checkout pr25
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#476][opened] vault: cache the transport certificate on client

2017-02-17 Thread HonzaCholasta

   URL: https://github.com/freeipa/freeipa/pull/476
Author: HonzaCholasta
 Title: #476: vault: cache the transport certificate on client
Action: opened

PR body:
"""
https://fedorahosted.org/freeipa/ticket/6652
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/476/head:pr476
git checkout pr476
From 0c51e0a6ab0cb4e08a8720f6eb45ba8b244682af Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Fri, 17 Feb 2017 11:25:17 +0100
Subject: [PATCH] vault: cache the transport certificate on client

https://fedorahosted.org/freeipa/ticket/6652
---
 ipaclient/plugins/vault.py   | 173 ---
 ipaclient/remote_plugins/__init__.py |   3 +-
 ipaclient/remote_plugins/schema.py   |  12 +--
 ipalib/constants.py  |  14 +++
 4 files changed, 158 insertions(+), 44 deletions(-)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 9efb1f1..52ffbd8 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -20,15 +20,17 @@
 from __future__ import print_function
 
 import base64
+import errno
 import getpass
 import io
 import json
 import os
 import sys
+import tempfile
 
 from cryptography.fernet import Fernet, InvalidToken
 from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
 from cryptography.hazmat.primitives.asymmetric import padding
 from cryptography.hazmat.primitives.serialization import load_pem_public_key,\
@@ -37,12 +39,21 @@
 import nss.nss as nss
 
 from ipaclient.frontend import MethodOverride
+from ipalib import x509
+from ipalib.constants import USER_CACHE_PATH
 from ipalib.frontend import Local, Method, Object
 from ipalib.util import classproperty
 from ipalib import api, errors
 from ipalib import Bytes, Flag, Str
 from ipalib.plugable import Registry
 from ipalib import _
+from ipapython.dnsutil import DNSName
+from ipapython.ipa_log_manager import log_mgr
+
+logger = log_mgr.get_logger(__name__)
+
+TRANSPORT_CERT_CACHE_PATH = (
+os.path.join(USER_CACHE_PATH, 'ipa', 'kra-transport-certs'))
 
 
 def validated_read(argname, filename, mode='r', encoding=None):
@@ -169,6 +180,58 @@ def decrypt(data, symmetric_key=None, private_key=None):
 message=_('Invalid credentials'))
 
 
+def get_cached_transport_cert(domain):
+basename = DNSName(domain).ToASCII() + '.pem'
+filename = os.path.join(TRANSPORT_CERT_CACHE_PATH, basename)
+
+try:
+try:
+return x509.load_certificate_from_file(filename)
+except EnvironmentError as e:
+if e.errno != errno.ENOENT:
+raise
+except Exception as e:
+logger.warning("Failed to load %s: %s", filename, e)
+
+raise KeyError(domain)
+
+
+def set_cached_transport_cert(domain, cert):
+basename = DNSName(domain).ToASCII() + '.pem'
+filename = os.path.join(TRANSPORT_CERT_CACHE_PATH, basename)
+
+try:
+data = cert.public_bytes(serialization.Encoding.PEM)
+try:
+os.makedirs(TRANSPORT_CERT_CACHE_PATH)
+except EnvironmentError as e:
+if e.errno != errno.EEXIST:
+raise
+with tempfile.NamedTemporaryFile(dir=TRANSPORT_CERT_CACHE_PATH,
+ delete=False) as f:
+f.write(data)
+os.rename(f.name, filename)
+except Exception as e:
+logger.warning("Failed to save %s: %s", filename, e)
+
+
+def del_cached_transport_cert(domain):
+basename = DNSName(domain).ToASCII() + '.pem'
+filename = os.path.join(TRANSPORT_CERT_CACHE_PATH, basename)
+
+try:
+try:
+os.remove(filename)
+return
+except EnvironmentError as e:
+if e.errno != errno.ENOENT:
+raise
+except Exception as e:
+logger.warning("Failed to remove %s: %s", filename, e)
+
+raise KeyError(domain)
+
+
 @register(no_fail=True)
 class _fake_vault(Object):
 name = 'vault'
@@ -765,27 +828,12 @@ def forward(self, *args, **options):
 # initialize NSS database
 nss.nss_init(api.env.nss_dir)
 
-# retrieve transport certificate
-config = self.api.Command.vaultconfig_show()['result']
-transport_cert_der = config['transport_cert']
-nss_transport_cert = nss.Certificate(transport_cert_der)
-
 # generate session key
 mechanism = nss.CKM_DES3_CBC_PAD
 slot = nss.get_best_slot(mechanism)
 key_length = slot.get_best_key_length(mechanism)
 session_key = slot.key_gen(mechanism, None, key_length)
 
-# wrap session key with transport certificate
-# pylint: disable=no-member
-public_key = nss_transport_cert.subject_public_key_info.public_key
-#

[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install

2017-02-17 Thread Akasurde

  URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

Akasurde commented:
"""
@MartinBasti Thanks for your comments.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/421#issuecomment-280624790
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install

2017-02-17 Thread Akasurde

  URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

Akasurde commented:
"""
@stlaz Thanks for your comments.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/421#issuecomment-280624689
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c913f810715705c560ae8bd05a33084785f59583
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/421#issuecomment-280624523
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#421][+pushed] Update warning message for replica install

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#421][closed] Update warning message for replica install

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/421
Author: Akasurde
 Title: #421: Update warning message for replica install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/421/head:pr421
git checkout pr421
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#421][comment] Update warning message for replica install

2017-02-17 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

stlaz commented:
"""
Wonderful, thank you for your patch.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/421#issuecomment-280624285
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#421][+ack] Update warning message for replica install

2017-02-17 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/421
Title: #421: Update warning message for replica install

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#421][synchronized] Update warning message for replica install

2017-02-17 Thread Akasurde

   URL: https://github.com/freeipa/freeipa/pull/421
Author: Akasurde
 Title: #421: Update warning message for replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/421/head:pr421
git checkout pr421
From d0a8a4404159ca92970a3e03b92c65512854c3a1 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Mon, 30 Jan 2017 19:22:12 +0530
Subject: [PATCH] Update warning message for replica install

New warning message in replica install describes more about
"insufficient privilege" error

Fixes https://fedorahosted.org/freeipa/ticket/6352

Signed-off-by: Abhijeet Kasurde 
---
 ipaserver/install/server/replicainstall.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0d3a69f..84e86a9 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1245,7 +1245,11 @@ def promote_check(installer):
 
 except errors.ACIError:
 root_logger.debug(traceback.format_exc())
-raise ScriptError("\nInsufficient privileges to promote the server.")
+raise ScriptError("\nInsufficient privileges to promote the server."
+  "\nPossible issues:"
+  "\n- A user has insufficient privileges"
+  "\n- This client has insufficient privileges "
+  "to become an IPA replica")
 except errors.LDAPError:
 root_logger.debug(traceback.format_exc())
 raise ScriptError("\nUnable to connect to LDAP server %s" %
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#429][+pushed] [py3] ipactl restart: log httplib failues as debug

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/53c8e9a53f026d83d5328896d1ea0cf72690cf24
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/429#issuecomment-280623004
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#429][closed] [py3] ipactl restart: log httplib failues as debug

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/429
Author: MartinBasti
 Title: #429: [py3] ipactl restart: log httplib failues as debug
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/429/head:pr429
git checkout pr429
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

tiran commented:
"""
That's my point. Why is the ccache file not stored in ```PrivateTmp```? The 
ccache can be removed at any time. It doesn't have to be retained.

 ```PrivateTmp``` solves the issue for us. We just have to figure out how to 
combine ```tmpfiles.d``` with ```PrivateTmp``` to create ```/var/run/apache``` 
in private temp.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280621569
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-17 Thread lslebodn

  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (17/02/17 01:12), Petr Vobornik wrote:
>I still fail to see why we should care about `make dist` with `configure 
>--disable-server` this is not a combination of options which should be used 
>together, there is no point in it except theoretical exercise.
>

`make dist` works

>> then I will need to send PR to fix client-only build and it will not install 
>> ipatests with --disable-server.
>
>Why?

The main problem with `client-only` build and `ipatests`
is that there are not test for it.

* all integration test assume that server will be installed first
  and not that server is already available somewhere.
* unit test should be run as part of build (e.g. `make check`)

So there is not any reason to install `ipatests` for client only build.

Client only build was tested just in downstream :-(

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280621474
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-17 Thread abbra

  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

abbra commented:
"""
@tiran we do use PrivateTmp already. This is not about PrivateTmp, though, 
because we don't store credentials caches in a private tmp.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280618508
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

tiran commented:
"""
How about we use systemd PrivateTmp for temporary files? It is not only more 
secure but it also automatically removes all temporary files when the service 
is stopped: 
https://www.freedesktop.org/software/systemd/man/systemd.exec.html#PrivateTmp=
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280617436
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

2017-02-17 Thread tiran

  URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

tiran commented:
"""
Would you rather use ```/usr/bin/rm -f``` to only ignore missing files but 
propagate permission errors? I'm not sure why unlink was used in favor of rm. 
@simo5 ?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/469#issuecomment-280604757
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-17 Thread abbra

  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

abbra commented:
"""
Yes, when namespaced /tmp is used, unit file does not have any view into that.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280604409
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#475][synchronized] Add options to run only ipaclient unittests

2017-02-17 Thread tiran

   URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
 Title: #475: Add options to run only ipaclient unittests
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475
From e9a2ebd82cc4a3e612d068258bece9ddf202914f Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Feb 2017 08:39:54 +0100
Subject: [PATCH] Add options to run only ipaclient unittests

A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py 
util.py ..
test_ipaclient/test_csrgen.py .....
test_ipalib/test_aci.py ...
test_ipalib/test_backend.py 
test_ipalib/test_base.py ...
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...
test_ipalib/test_crud.py ...
test_ipalib/test_errors.py ...
test_ipalib/test_frontend.py 
test_ipalib/test_messages.py 
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .
test_ipalib/test_plugable.py 
test_ipalib/test_rpc.py ..
test_ipalib/test_text.py .
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py 
test_ipapython/test_dn.py ...
test_ipapython/test_ipautil.py ..
test_ipapython/test_ipavalidate.py ..
test_ipapython/test_kerberos.py ..
test_ipapython/test_keyring.py ..
test_ipapython/test_ssh.py ...
test_pkcs10/test_pkcs10.py .

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes 
---
 ipatests/conftest.py   | 63 +-
 ipatests/setup.py  |  1 -
 ipatests/test_ipaclient/test_csrgen.py |  1 +
 ipatests/test_ipalib/test_rpc.py   |  2 ++
 ipatests/util.py   | 15 ++--
 5 files changed, 78 insertions(+), 4 deletions(-)

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 511d7b7..6c13e23 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -3,17 +3,26 @@
 #
 from __future__ import print_function
 
+import fnmatch
 import os
 import pprint
+import re
 import sys
 
+import pytest
+
 from ipalib import api
 from ipalib.cli import cli_plugins
 try:
+import ipaplatform
+except ImportError:
+ipaplatform = None
+try:
 import ipaserver
 except ImportError:
 ipaserver = None
 
+HERE = os.path.dirname(os.path.abspath(__file__))
 
 pytest_plugins = [
 'ipatests.pytest_plugins.additional_config',
@@ -31,6 +40,7 @@
 'tier1: functional API tests',
 'cs_acceptance: Acceptance test suite for Dogtag Certificate Server',
 'ds_acceptance: Acceptance test suite for 389 Directory Server',
+'skip_ipaclient_unittest: Skip in ipaclient unittest mode',
 ]
 
 
@@ -46,6 +56,28 @@
 'install/share'
 ]
 
+
+SKIP_IPASERVER_PATTERNS = [
+# fnmatch patterns
+'test_cmdline/*',
+'test_install/*',
+'test_integration/*',
+'test_ipaserver/*',
+'test_webui/*',
+'test_xmlrpc/*'
+]
+
+if ipaplatform is None:
+# test depends on ipaplatform
+SKIP_IPASERVER_PATTERNS.append('test_ipaclient/test_csrgen.py')
+
+SKIP_IPASERVER_RE = re.compile(
+'(' +
+'|'.join(fnmatch.translate(pat) for pat in SKIP_IPASERVER_PATTERNS) +
+')'
+)
+
+
 INIVALUES = {
 'python_classes': ['test_', 'Test'],
 'python_files': ['test_*.py'],
@@ -75,13 +107,27 @@ def pytest_configure(config):
 config.option.doctestmodules = True
 
 
+def pytest_addoption(parser):
+group = parser.getgroup("IPA integration tests")
+group.addoption(
+'--ipaclient-unittests',
+help='Run ipaclient unit tests only (no RPC and ipaserver)',
+action='store_true'
+)
+
+
 def pytest_cmdline_main(config):
 api.bootstrap(
 context=u'cli', in_server=False, in_tree=True, fallback=False
 )
 for klass in cli_plugins:
 api.add_plugin(klass)
-api.finalize()
+
+# XXX workaround until https://fedorahosted.org/freeipa/ticket/6408 has
+# been resolved.
+if ipaserver is not None:
+api.finalize()
+
 if config.option.verbose:
 print('api.env: ')
 pprint.pprint({k: api.env[k] for k in api.env})
@@ -89,3 +135,18 @@ def

[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug

2017-02-17 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

stlaz commented:
"""
Thanks, ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/429#issuecomment-280602243
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#429][+ack] [py3] ipactl restart: log httplib failues as debug

2017-02-17 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

MartinBasti commented:
"""
Ticket corrected, commit msg ammended
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/429#issuecomment-280601652
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#429][synchronized] [py3] ipactl restart: log httplib failues as debug

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/429
Author: MartinBasti
 Title: #429: [py3] ipactl restart: log httplib failues as debug
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/429/head:pr429
git checkout pr429
From 06181a8276edfdaf64402a29faf0cb26fda269bd Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Tue, 31 Jan 2017 22:51:31 +0100
Subject: [PATCH] ipactl restart: log httplib failues as debug

There are several excerptions ConnectionRefusedError raised
before ipactl is able to connect to dogtag after restart. These
exception should be logged on debug level until timeout is reached.

https://fedorahosted.org/freeipa/ticket/6674
---
 ipapython/dogtag.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 01fc5cb..b171754 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -209,7 +209,7 @@ def _httplib_request(
 http_body = res.read()
 conn.close()
 except Exception as e:
-root_logger.exception("httplib request failed:")
+root_logger.debug("httplib request failed:", exc_info=True)
 raise NetworkError(uri=uri, error=str(e))
 
 root_logger.debug('response status %d',http_status)
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#421][synchronized] Update warning message for replica install

2017-02-17 Thread Akasurde

   URL: https://github.com/freeipa/freeipa/pull/421
Author: Akasurde
 Title: #421: Update warning message for replica install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/421/head:pr421
git checkout pr421
From b3508ec22b69df42ad78298a8a2e85a0a845ff69 Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Mon, 30 Jan 2017 19:22:12 +0530
Subject: [PATCH] Update warning message for replica install

New warning message in replica install describes more about
"insufficient privilege" error

Fixes https://fedorahosted.org/freeipa/ticket/6352

Signed-off-by: Abhijeet Kasurde 
---
 ipaserver/install/server/replicainstall.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 0d3a69f..9b9bc05 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1245,7 +1245,11 @@ def promote_check(installer):
 
 except errors.ACIError:
 root_logger.debug(traceback.format_exc())
-raise ScriptError("\nInsufficient privileges to promote the server.")
+raise ScriptError("\nInsufficient privileges to promote the server."
+  "\nPossible issues:"
+  "\n- A user has insufficient privileges"
+  "\n- This Client has insufficient privileges "
+  "to become an IPA replica")
 except errors.LDAPError:
 root_logger.debug(traceback.format_exc())
 raise ScriptError("\nUnable to connect to LDAP server %s" %
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#429][comment] [py3] ipactl restart: log httplib failues as debug

2017-02-17 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/429
Title: #429: [py3] ipactl restart: log httplib failues as debug

stlaz commented:
"""
I don't see what this has to do with Py3. The issue is the same on Py2. Swap 
the ticket for the one of @tiran and I'll ack this. If this gets triaged for 
4.4 as well we can backport it later.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/429#issuecomment-280600572
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#394][comment] Add fix for ipa plugins command

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b3c41f21e51e5389d95b5486dcdfdc3f9a8b0424
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/394#issuecomment-280599222
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#394][closed] Add fix for ipa plugins command

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/394
Author: Akasurde
 Title: #394: Add fix for ipa plugins command
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/394/head:pr394
git checkout pr394
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#394][+pushed] Add fix for ipa plugins command

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#394][+ack] Add fix for ipa plugins command

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/394
Title: #394: Add fix for ipa plugins command

Label: +ack
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#464][closed] Bump required python-cryptography version

2017-02-17 Thread martbab

   URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
 Title: #464: Bump required python-cryptography version
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#464][+pushed] Bump required python-cryptography version

2017-02-17 Thread martbab

  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version

2017-02-17 Thread martbab

  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/66867319d903f7693a535471d3b81716a258ce9d
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/464#issuecomment-280597487
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#446][comment] Add password file to certutil calls in ipapython.certdb module

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: Add password file to certutil calls in ipapython.certdb module

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ca457eb5ce12291f555f1bf771114d6d7d191987
https://fedorahosted.org/freeipa/changeset/b20b0489ea06931bfa7d46bdbd6623bc3f09219b
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/446#issuecomment-280597237
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#446][+pushed] Add password file to certutil calls in ipapython.certdb module

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/446
Title: #446: Add password file to certutil calls in ipapython.certdb module

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#446][closed] Add password file to certutil calls in ipapython.certdb module

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: Add password file to certutil calls in ipapython.certdb module
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-17 Thread pvoborni

  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
I still fail to see why we should care about `make dist` with `configure 
--disable-server` this is not a combination of options which should be used 
together, there is no point in it except theoretical exercise.

> then I will need to send PR to fix client-only build and it will not install 
> ipatests with --disable-server.

Why?

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280596786
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version

2017-02-17 Thread stlaz

  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

stlaz commented:
"""
@martbab  Sure, done.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/464#issuecomment-280596751
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#464][synchronized] Bump required python-cryptography version

2017-02-17 Thread stlaz

   URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
 Title: #464: Bump required python-cryptography version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464
From 0f2477c98be82817736dbfe6cb94ecc0cf7a423f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 16 Feb 2017 16:14:24 +0100
Subject: [PATCH] Bump python-cryptography version in ipasetup.py.in

When bumping version of python-cryptography in freeipa.spec.in,
ipasetup.py.in was forgotten about.

https://fedorahosted.org/freeipa/ticket/6631
---
 ipasetup.py.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index c221e0d..915f0ed 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -63,7 +63,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0):
 
 
 PACKAGE_VERSION = {
-'cryptography': 'cryptography >= 1.3.1',
+'cryptography': 'cryptography >= 1.4',
 'dnspython': 'dnspython >= 1.15',
 'gssapi': 'gssapi >= 1.2.0',
 'ipaclient': 'ipaclient == {}'.format(VERSION),
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/79b3fbf97d66adb1f5c960e5473b90f85cbe145a
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/465#issuecomment-280595632
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#465][+pushed] Tests: search for disabled users

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#465][closed] Tests: search for disabled users

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/465
Author: MartinBasti
 Title: #465: Tests: search for disabled users
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/465/head:pr465
git checkout pr465
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#396][+pushed] Explicitly remove support of SSLv2

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

Label: +pushed
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ac6f573a3014aa09811ca1559d470afe75eadbec
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/396#issuecomment-280595283
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#474][comment] Update man page of ipa-server-install

2017-02-17 Thread Akasurde

  URL: https://github.com/freeipa/freeipa/pull/474
Title: #474: Update man page of ipa-server-install

Akasurde commented:
"""
@martbab @stlaz Thanks for review
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/474#issuecomment-280595269
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#396][closed] Explicitly remove support of SSLv2

2017-02-17 Thread MartinBasti

   URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
 Title: #396: Explicitly remove support of SSLv2
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#473][comment] Fix session/cookie related issues introduced with the privilege separation patches

2017-02-17 Thread MartinBasti

  URL: https://github.com/freeipa/freeipa/pull/473
Title: #473: Fix session/cookie related issues introduced with the privilege 
separation patches

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/b895f4a34bcbd0b1787d2bfc1db25f34c3584b9c
https://fedorahosted.org/freeipa/changeset/d0642bfa55e9c24429675f623bc0e35824bc9fb0
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/473#issuecomment-280593308
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

1 2 >

1 - 100 of 107 matches

Mail list logo