Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.
On 07/17/2015 07:18 AM, Alexander Bokovoy wrote:
> On Fri, 17 Jul 2015, Jan Cholasta wrote:
>> On 16.7.2015 at 12:16, David Kupka wrote:
>>> On 15/07/15 16:04, David Kupka wrote:
>>>> On 15/07/15 15:34, Jan Cholasta wrote:
>>>>> On 15.7.2015 at 15:21, David Kupka wrote:
>>>>>> https://fedorahosted.org/freeipa/ticket/4953
>>>>>>
>>>>>> To test this patch:
>>>>>> 1. Migrate users from LDAP or other FreeIPA server
>>>>>> (https://www.freeipa.org/page/Howto/Migration)
>>>>>> 2. Disable anonymous bind to Directory Server
>>>>>> (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)
>>>>>> 3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
>>>>>> enter name and password of one of the migrated users.
>>>>>>
>>>>>> Without this patch you will get an error page.
>>>>>
>>>>> NACK, you are calling do_bind with wrong arguments.
>>>>
>>>> Updated patch attached.
>>>
>>> With Honza, we've found a better solution. Instead of binding to the LDAP
>>> just to get the base DN we can instantiate api and use the api.env.basedn
>>> variable. At the same time we can use api.env.ldap_uri instead of
>>> searching the filesystem for the ldapi socket.
>>>
>>> Patch attached.
>>
>> LGTM, but since I had a part in this, I'd like someone else (Petr?) to
>> ACK this.
>
> I went through the code and I think it is also a better approach than it
> was before, so ACK.

ACK as well.

Pushed to:
master: e5d179b5b96bba5048a05135693acc5507d38163
ipa-4-2: 65877820b821884ac3b539e7f64e12c2cb3dd34f

-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
On 07/17/2015 05:46 AM, Jan Cholasta wrote:
> On 16.7.2015 at 16:50, Alexander Bokovoy wrote:
>> On Thu, 16 Jul 2015, Petr Spacek wrote:
>>> Third version of the patch is attached, please view.
>>>
>>> Behavior:
>>> - freeipa-server package continues to exist and does not include DNS
>>> dependencies
>>> - freeipa-server-dns package is new and requires all DNS dependencies
>>> - install freeipa-server will not pull DNS dependencies
>>> - upgrade from freeipa-server < 4.2.0 will pull freeipa-server-dns
>>> package
>>>
>>> It turns out that nobody noticed missing Obsoletes in freeipa-server
>>> package.
>>>
>>> Please review.
>> I like this. Looks clean and does keep previous behavior. I think we can
>> live with upgrade pulling freeipa-server-dns even in the environments
>> where DNS wasn't really used.
>>
>>> Note: Condition "Obsoletes: %{name}-server < 4.2.0"
>>> should be amended per-distro/per-repo so it contains latest version
>>> number which was available in form of RPM packages for that distro/repo (COPR).
>>
>> Maybe just add the comment above into commit message? This and we'll
>> need to add an entry into RPM changelog in the actual Fedora package
>> that upgrade from pre-4.2.0 will pull freeipa-server-dns even if
>> integrated DNS server is not used and recommend people to remove the
>> package if they are not interested.
>>
>> ACK.
>
> +1
>
>>> From c8486993b0b624ab7aa7b118e8ee7e420dd97891 Mon Sep 17 00:00:00 2001
>>> From: Petr Spacek >>> Date: Thu, 16 Jul 2015 15:09:45 +0200 >>> Subject: [PATCH] Create server-dns sub-package. >>> >>> This allows us to automatically pull in package bind-pkcs11 >>> and thus create upgrade path for on CentOS 7.1 -> 7.2. >>> >>> IPA previously had no requires on BIND packages and these had to be >>> installed manually before first ipa-dns-install run. >>> We need to pull additional bind-pkcs11 package during RPM upgrade >>> so ipa-dns-install cannot help with this. >>> >>> https://fedorahosted.org/freeipa/ticket/4058 >>> --- >>> freeipa.spec.in | 51 +++ >>> 1 file changed, 35 insertions(+), 16 deletions(-) >>> >>> diff --git a/freeipa.spec.in b/freeipa.spec.in >>> index >>> fabfaee619d4cf0203b2f87d7fe804c2e72026f3..60c28fd5d8b4c14f5fd583735db469a65cdb5331 >>> >>> 100644 >>> --- a/freeipa.spec.in >>> +++ b/freeipa.spec.in 
>>> @@ -165,25 +165,13 @@ Requires: %{etc_systemd_dir} >>> >>> Conflicts: %{alt_name}-server >>> Obsoletes: %{alt_name}-server < %{version} >>> +# upgrade path from monolithic -server to -server + -server-dns >>> +Obsoletes: %{name}-server < 4.2.0 > > Nitpick: I'd like to keep this visually separate from the alt_name > bussiness, please move it below the "Obsoletes: freeipa-server-selinux < > 3.3.0" line and separate them with an empty line. > >>> >>> # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the >>> # entire SELinux policy is stored in the system policy >>> Obsoletes: freeipa-server-selinux < 3.3.0 >>> >>> -# We have a soft-requires on bind. It is an optional part of >>> -# IPA but if it is configured we need a way to require versions >>> -# that work for us. >>> -Conflicts: bind-dyndb-ldap < 6.0-4 >>> -%if 0%{?fedora} >= 21 >>> -Conflicts: bind < 9.9.6-3 >>> -Conflicts: bind-utils < 9.9.6-3 >>> -%else >>> -Conflicts: bind < 9.9.4-21 >>> -Conflicts: bind-utils < 9.9.4-21 >>> -%endif >>> -# DNSSEC >>> -Conflicts: opendnssec < 1.4.6-4 >>> - >>> # Versions of nss-pam-ldapd < 0.8.4 require a mapping from >>> uniqueMember to >>> # member. >>> Conflicts: nss-pam-ldapd < 0.8.4 
>>> @@ -197,6 +185,35 @@ to install this package (in other words, most >>> people should NOT install >>> this package). >>> >>> >>> +%package server-dns >>> +Summary: IPA integrated DNS server with support for automatic DNSSEC >>> signing >>> +Group: System Environment/Base >>> +Requires: %{name}-server = %{version}-%{release} >>> +Requires: bind-dyndb-ldap >= 6.0-4 >>> +%if 0%{?fedora} >= 21 >>> +Requires: bind >= 9.9.6-3 >>> +Requires: bind-utils >= 9.9.6-3 >>> +Requires: bind-pkcs11 >= 9.9.6-3 >>> +Requires: bind-pkcs11-utils >= 9.9.6-3 >>> +%else >>> +Requires: bind >= 9.9.4-21 >>> +Requires: bind-utils >= 9.9.4-21 >>> +Requires: bind-pkcs11 >= 9.9.4-21 >>> +Requires: bind-pkcs11-utils >= 9.9.4-21 >>> +%endif >>> +Requires: opendnssec >= 1.4.6-4 >>> + >>> +Conflicts: %{alt_name}-server-dns >>> +Obsoletes: %{alt_name}-server-dns < %{version} >>> + >>> +# upgrade path from monolithic -server to -server + -server-dns >>> +Obsoletes: %{name}-server < 4.2.0 >>> + >>> +%description server-dns >>> +IPA integrated DNS server with support for automatic DNSSEC signing. >>> +Integrated DNS server is BIND 9. OpenDNSSEC provides key management. >>> + >>> + >>> %package server-trust-ad >>> Summary: Virtual package to install packages required for Active >>> Directory trusts >>> Group: System Environment/Base >>> @@ -683,7 +700,6 @@ fi >>> %{_sbindir}/ipa-backup >>> %{_sbindir}/ipa-restore >>> %{
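Review bot: in the first hunk (@@ -165) the new `Obsoletes: %{name}-server < 4.2.0` sits inside the freeipa-server package itself, so freeipa-server obsoletes older versions of itself, which an ordinary upgrade already handles; the copy in `%package server-dns` is the one that actually pulls the new sub-package in on upgrade. Either drop the first copy or say in the commit message why both are wanted, and apply Jan's placement nitpick (below `Obsoletes: freeipa-server-selinux < 3.3.0`, separated by an empty line) to whichever copy stays.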
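Review bot: the second hunk (@@ -197) moves the version constraints on bind, bind-utils, bind-dyndb-ldap and opendnssec from Conflicts in freeipa-server to Requires in server-dns, so a host that keeps freeipa-server without installing server-dns now has no RPM-level constraint on an already installed older bind-dyndb-ldap or bind. Since the commit message says ipa-dns-install cannot pull bind-pkcs11 itself, state in the message (or check in ipa-dns-install) that the DNS installer expects freeipa-server-dns to be installed, so that the old version checks are not silently lost on such hosts.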
[Freeipa-devel] [PATCH 013] Fix minor typos
This patch from Yuri Chornoivan fixes some typos. All fixes look ok to me. https://fedorahosted.org/freeipa/ticket/5109 https://bugzilla.redhat.com/show_bug.cgi?id=1239132 From 9554caac8965671840e2361cbb62884333c12e3c Mon Sep 17 00:00:00 2001 From: Yuri Chornoivan Date: Fri, 3 Jul 2015 19:14:42 +0300 Subject: [PATCH] Fix minor typos -> overriden -> overridden ablity -> ability enties -> entries the the -> the https://fedorahosted.org/freeipa/ticket/5109 Reviewed-By: Christian Heimes --- daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c| 2 +- install/ui/src/freeipa/_base/Singleton_registry.js | 2 +- ipalib/__init__.py | 2 +- ipalib/plugins/idviews.py | 4 ++-- ipalib/plugins/servicedelegation.py| 2 +- ipalib/plugins/stageuser.py| 2 +- ipalib/plugins/trust.py| 2 +- ipalib/plugins/vault.py| 2 +- ipaserver/advise/base.py | 2 +- ipatests/test_xmlrpc/ldaptracker.py| 2 +- 10 files changed, 11 insertions(+), 11 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c b/daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c index c70385dd608147dc08736cb915b506f715108527..bffaa0120387b72ff4a201c4201c741b871e55f3 100644 --- a/daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c +++ b/daemons/ipa-slapi-plugins/ipa-dns/ipa_dns.c @@ -129,7 +129,7 @@ ipadns_entry_iszone( Slapi_Entry *entry ) { * The server calls this plug-in function before executing LDAP ADD operation. * * ipadns_add function adds default value to idnsSOAserial attribute - * in idnsZone objects if the the attribute is not present. + * in idnsZone objects if the attribute is not present. * * Default value is added only to objects coming from other servers * via replication. diff --git a/install/ui/src/freeipa/_base/Singleton_registry.js b/install/ui/src/freeipa/_base/Singleton_registry.js index 18b0c420a702ed16abeece3e1fb7f5d48894ec1e..eca7898f5992b919326b61b73b93234e22539363 100644 --- a/install/ui/src/freeipa/_base/Singleton_registry.js +++ b/install/ui/src/freeipa/_base/Singleton_registry.js 
@@ -54,7 +54,7 @@ define(['dojo/_base/declare', * * When an object is passed in, the function returns it. * - * @param {string|Object} type Type's name. Or the the object itself. + * @param {string|Object} type Type's name. Or the object itself. * @return {Object|null} */ get: function(type) { diff --git a/ipalib/__init__.py b/ipalib/__init__.py index 44aacd0916454e03c6611f106088b98ea0169979..5ba2c9760891c5d45f7bf9841a54c59fc99da01e 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -711,7 +711,7 @@ assume these variables will all exist by the time the module containing their plugin (or plugins) is imported. `Env._bootstrap()`, which is called by `API.bootstrap()`, will create several -run-time variables that connot be overriden in configuration files or through +run-time variables that connot be overridden in configuration files or through command-line options. Here is an overview of this run-time information: = = === diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py index 67f52f886f0e19288a829616603c7aef6768f8db..4a14162249959088ab389b99df3867f872a34030 100644 --- a/ipalib/plugins/idviews.py +++ b/ipalib/plugins/idviews.py @@ -339,7 +339,7 @@ class baseidview_apply(LDAPQuery): class idview_apply(baseidview_apply): __doc__ = _('Applies ID View to specified hosts or current members of ' 'specified hostgroups. If any other ID View is applied to ' -'the host, it is overriden.') +'the host, it is overridden.') member_count_out = (_('ID View applied to %i host.'), _('ID View applied to %i hosts.')) @@ -462,7 +462,7 @@ def resolve_object_to_anchor(ldap, obj_type, obj, fallback_to_ldap): raise errors.ValidationError( name=_('IPA object'), error=_('system IPA objects (e.g system groups, user ' -'private groups) cannot be overriden') +'private groups) cannot be overridden') ) # The domain prefix, this will need to be reworked once we 
diff --git a/ipalib/plugins/servicedelegation.py b/ipalib/plugins/servicedelegation.py index 34312e39a844eb798d55c659ab850da57ab126f7..37de916389c46d99f17b66c1cac16e391265491d 100644 --- a/ipalib/plugins/servicedelegation.py +++ b/ipalib/plugins/servicedelegation.py @@ -65,7 +65,7 @@ the bound user's behalf. It is strongly discouraged to modify the delegations that ship with IPA, ipa-http-delegation and its targets ipa-cifs-delegation-targets and -ipa-ldap-delegation-targets. Incorrect changes can remove the ablity +ipa-ldap-delega
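Review bot: the ipalib/__init__.py hunk (@@ -711) changes `overriden` to `overridden` but leaves `connot` on the same changed line ("run-time variables that connot be overridden"), so the sentence still carries a typo after the patch; fix it to `cannot` in the same hunk since the line is being touched anyway.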
Re: [Freeipa-devel] [PATCHES 0279-0280] Backport index fixes into IPA 4.1
On 07/09/2015 01:50 PM, Martin Basti wrote:
> Backport following commits into IPA 4-1:
> 57fba7a56f88c517b3ebb03842f1cc18bc129ebb
> 16f47ed4520d4f89db39d1dc58be7a8efb1d8612
>
> Patches attached.

ACK

-- 
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0285] DNS: consolidate RR types in API and LDAP schema
On 15/07/15 18:13, Petr Spacek wrote:
> On 15.7.2015 17:39, Martin Basti wrote:
>> On 15/07/15 17:38, Petr Spacek wrote:
>>> On 15.7.2015 17:33, Martin Basti wrote:
>>>> On 15/07/15 16:03, Martin Basti wrote:
>>>>> On 15/07/15 15:39, Petr Vobornik wrote:
>>>>>> On 07/15/2015 02:42 PM, Martin Basti wrote:
>>>>>>> Patch attached.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/4934
>>>>>>> https://fedorahosted.org/freeipa/ticket/5055
>>>>>>
>>>>>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a
>>>>>> plan to use them? Can't we just not use unsupported records in LDAPSearch'?
>>>>>> (which would fix #5055)
>>>>>
>>>>> I had discussion with Petr2, and we decided to do it this way, because
>>>>> these records are valid.
>>>>>
>>>>> Removing unsupported records from search changes the behavior of the DNS
>>>>> commands. Now IPA shows even unsupported records which cannot be
>>>>> modified by API. AFAIK we want to keep this behavior.
>>>>
>>>> Updated patch attached.
>>>>
>>>> I forgot to remove DNSKEY from object class definition.
>>>
>>> Are you 100 % sure that it will not break on upgrade? Please double-check
>>> that with Thierry.
>>
>> It was my change before we decided that DNSKEY should not be there, it is
>> not in git repo.
>
> I see, okay.

Updated patch attached.

-- 
Martin Basti

From 19da155358ba1e5b9b8f87d7e964e046d1a9de0b Mon Sep 17 00:00:00 2001
From: Martin Basti Date: Wed, 15 Jul 2015 09:44:07 +0200 Subject: [PATCH] DNS: Consolidate DNS RR types in API and schema * Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API: These records never worked, they dont have attributes in schema. TSIG and TKEY are meta-RR should not be in LDAP TA is not supported by BIND NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be in LDAP. *! SIG, NSEC are already defined in schema, must stay in API. * Add HINFO, MINFO, MD, NXT records to API as unsupported records These records are already defined in LDAP schema * Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records These records were defined in IPA API as unsupported, but schema definition was missing. This causes that ACI cannot be created for these records and dnszone-find failed. (#5055) https://fedorahosted.org/freeipa/ticket/4934 https://fedorahosted.org/freeipa/ticket/5055 --- ACI.txt | 4 +- API.txt | 28 ++-- VERSION | 4 +- install/share/60ipadns.ldif | 8 +++- install/share/dns.ldif| 2 +- install/updates/40-dns.update | 4 +- ipalib/plugins/dns.py | 101 ++ 7 files changed, 71 insertions(+), 80 deletions(-) diff --git a/ACI.txt b/ACI.txt index 76a7ff70e27c032bdd8fa26e076271e02b23d3b3..60607b98deb74d0b7f45d24ee9359b0cf8162b0d 100644 --- a/ACI.txt +++ b/ACI.txt 
@@ -61,13 +61,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke dn: dc=ipa,dc=example aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example";)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";) dn: dc=ipa,dc=example -aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";) +aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || 
idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial ||
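Review bot: the ACI.txt hunk (@@ -61) widens the "System: Read DNS Entries" targetattr list with aplrecord, dhcidrecord and hiprecord, which matches the commit message's claim that the missing schema for RP, APL, IPSEC, DHCID, HIP and SPF broke ACI creation and dnszone-find (#5055); that list is only correct if it matches the attribute definitions in install/share/60ipadns.ldif exactly, so the commit message should say the ACI.txt and API.txt changes were produced from the updated plugin and schema rather than edited by hand. It should also record the outcome of the upgrade check raised in the thread (removing DNSKEY from the objectclass definition on servers that already have entries), since the diffstat touches 60ipadns.ldif and 40-dns.update but those hunks are not shown here.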
Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues
On Wed, 15 Jul 2015, Martin Basti wrote: On 15/07/15 18:01, Alexander Bokovoy wrote: On Wed, 15 Jul 2015, Martin Basti wrote: Moved files temporarily exist without a proper SElinux context which causes issues when running SSSD/ntpd tries to work with files. https://fedorahosted.org/freeipa/ticket/4923 Patch attached. -- Martin Basti From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 15 Jul 2015 16:20:59 +0200 Subject: [PATCH] sysrestore: copy files instead of moving them to avoind SELinux issues Copying files restores SELinux context. https://fedorahosted.org/freeipa/ticket/4923 --- ipapython/sysrestore.py | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -186,12 +186,12 @@ class FileStore: if new_path is not None: path = new_path -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -tasks.restore_context(path) - Please keep restorecon calls because we might have a case when old label was wrong in the backup. del self.files[filename] self.save() 
@@ -217,12 +217,12 @@ class FileStore: root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) continue -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -tasks.restore_context(path) -
Same here.

Sorry I don't get it. Label is not copied from backup_file. I changed Selinux context, then copy to original location and context was restored when file does not exist. Do you mean case when the target file has different label than it should have?

Yes, it could happen quite often.

-- 
/ Alexander Bokovoy
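Review bot: besides the two dropped `tasks.restore_context(path)` calls that the inline comments ask to keep, `shutil.copy(backup_path, path)` in both hunks (@@ -186 and @@ -217) truncates and rewrites `path` in place, so when the target already exists it keeps that file's inode and therefore its current, possibly wrong, label, and a service reading the file during the copy can observe it half-written; the `shutil.move()` it replaces swapped the file in atomically. Copying to a temporary name in the same directory and renaming over `path`, followed by chown, chmod and restore_context, keeps both properties. The `# SELinux needs copy` comment should also say why a rename is wrong here: it carries the backup's label with the file.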
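To make the point of the exchange above concrete, here is an added example, not FreeIPA's ipapython/sysrestore.py: a restore helper that copies rather than renames, replaces the target atomically, and keeps the restorecon step that the patch dropped. The function names, the scratch files built in run_demo() and the behaviour when restorecon is not installed are this example's own assumptions.

```python
"""Restore a backed-up file by copying, not renaming, and relabel it afterwards.

Added example for the sysrestore discussion; not FreeIPA's ipapython/sysrestore.py.
The function names, the scratch files in run_demo() and the behaviour when
restorecon is missing are assumptions of this example.
"""
import os
import shutil
import subprocess
import tempfile


def restore_context(path):
    """Ask the SELinux policy for the right label on `path` (the job of the
    tasks.restore_context() call the patch removed). Returns "relabelled",
    "failed" or "no-restorecon"; on a host without SELinux tooling the caller
    decides whether that is acceptable."""
    tool = shutil.which("restorecon")
    if tool is None:
        return "no-restorecon"
    result = subprocess.run([tool, path])
    return "relabelled" if result.returncode == 0 else "failed"


def restore_file(backup_path, path, uid, gid, mode):
    """Put the contents of `backup_path` back at `path`.

    Why not shutil.move(): a rename keeps the inode, so the restored file
    carries the label it had in the backup directory (ticket 4923).
    Why not shutil.copy() straight onto `path`: it truncates and rewrites an
    existing target in place, so a reader (SSSD, ntpd) can see a half-written
    file, and the old inode keeps its old, possibly wrong, label.
    Writing a temporary file next to the target and renaming it into place
    keeps the replacement atomic. The temporary name does not match the
    policy's file-name transition rules, so restore_context() is mandatory
    here rather than a safety net.
    """
    target_dir = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".restore-", dir=target_dir)
    try:
        with os.fdopen(fd, "wb") as dst, open(backup_path, "rb") as src:
            shutil.copyfileobj(src, dst)
            dst.flush()
            os.fsync(dst.fileno())
        # Ownership and mode go on before the rename so the file never shows
        # up at `path` with mkstemp's defaults.
        os.chown(tmp_path, int(uid), int(gid))
        os.chmod(tmp_path, int(mode))
        os.rename(tmp_path, path)  # atomic on the same filesystem
    except BaseException:
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise
    os.remove(backup_path)
    return restore_context(path)


def run_demo():
    """Run restore_file() on a constructed backup in a scratch directory and
    report what is observable afterwards."""
    workdir = tempfile.mkdtemp(prefix="sysrestore-demo-")
    try:
        path = os.path.join(workdir, "ntp.conf")
        backup_path = os.path.join(workdir, "ntp.conf.bak")
        with open(backup_path, "wb") as f:   # constructed sample backup
            f.write(b"server 0.example.invalid iburst\n")
        with open(path, "wb") as f:          # stale file the restore replaces
            f.write(b"driftfile /var/lib/ntp/drift\n")
        os.chmod(path, 0o600)
        status = restore_file(backup_path, path, os.getuid(), os.getgid(), 0o644)
        with open(path, "rb") as f:
            content = f.read()
        return {
            "content": content,
            "mode": os.stat(path).st_mode & 0o777,
            "backup_exists": os.path.exists(backup_path),
            "leftovers": sorted(n for n in os.listdir(workdir) if n != "ntp.conf"),
            "relabel": status,
        }
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(run_demo())
```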
Re: [Freeipa-devel] [PATCH 013] Fix minor typos
On 07/17/2015 12:21 PM, Christian Heimes wrote:
> This patch from Yuri Chornoivan fixes some typos. All fixes look ok to me.

+1, one minor issue though.

Btw, the Reviewed-By line is added by ipatool utility on push.

> https://fedorahosted.org/freeipa/ticket/5109
> https://bugzilla.redhat.com/show_bug.cgi?id=1239132

freeipa-cheimes-0013-Fix-minor-typos.patch
index 44aacd0916454e03c6611f106088b98ea0169979..5ba2c9760891c5d45f7bf9841a54c59fc99da01e 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -711,7 +711,7 @@ assume these variables will all exist by the time the module containing their plugin (or plugins) is imported. `Env._bootstrap()`, which is called by `API.bootstrap()`, will create several -run-time variables that connot be overriden in configuration files or through +run-time variables that connot be overridden in configuration files or through command-line options. Here is an overview of this run-time information:

connot

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues
On 17/07/15 13:04, Alexander Bokovoy wrote: On Wed, 15 Jul 2015, Martin Basti wrote: On 15/07/15 18:01, Alexander Bokovoy wrote: On Wed, 15 Jul 2015, Martin Basti wrote: Moved files temporarily exist without a proper SElinux context which causes issues when running SSSD/ntpd tries to work with files. https://fedorahosted.org/freeipa/ticket/4923 Patch attached. -- Martin Basti From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 15 Jul 2015 16:20:59 +0200 Subject: [PATCH] sysrestore: copy files instead of moving them to avoind SELinux issues Copying files restores SELinux context. https://fedorahosted.org/freeipa/ticket/4923 --- ipapython/sysrestore.py | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -186,12 +186,12 @@ class FileStore: if new_path is not None: path = new_path -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -tasks.restore_context(path) - Please keep restorecon calls because we might have a case when old label was wrong in the backup. del self.files[filename] self.save() 
@@ -217,12 +217,12 @@ class FileStore: root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) continue -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -tasks.restore_context(path) - Same here. Sorry I don't get it. Label is not copied from backup_file. I changed Selinux context, then copy to original location and context was restored when file does not exist. Do you mean case when the target file has different label than it should have? Yes, it could happen quite often. Updated patch attached. -- Martin Basti From d480d244266a84fb6c2c6b50011b1aba809e2aef Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 16 Jul 2015 16:26:55 +0200 Subject: [PATCH] Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand --force option set replica-certify-all to 'no' during abort-clean-ruv subcommand https://fedorahosted.org/freeipa/ticket/4988 --- install/tools/ipa-replica-manage | 2 +- install/tools/man/ipa-replica-manage.1 | 2 +- ipaserver/install/replication.py | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index e525a02f4c60350b7a943abab4b4aedd957e984a..50a57f70ec452c0df5bf2ea55d2a136e8149aa41 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -470,7 +470,7 @@ def abort_clean_ruv(realm, ruv, options): print thisrepl = replication.ReplicationManager(realm, options.host, options.dirman_passwd) -thisrepl.abortcleanallruv(ruv) +thisrepl.abortcleanallruv(ruv, options.force) print "Cleanup task stopped" diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 index 8a7c78f39eeb6c7902ed99e7bed37e32eb0e92dc..c09ed362f3143e6e38716e1b3a96e90001a64674 100644 --- a/install/tools/man/ipa-replica-manage.1 +++ b/install/tools/man/ipa-replica-manage.1 
@@ -49,7 +49,7 @@ Manages the replication agreements of an IPA server. The available commands are: \- Run the CLEANALLRUV task to remove a replication ID. .TP \fBabort\-clean\-ruv\fR [REPLICATION_ID] -\- Abort a running CLEANALLRUV task. +\- Abort a running CLEANALLRUV task. With \-\-force option the task does not wait for all the replica servers to have been sent the abort task, or be online, before completing. .TP \fBlist\-clean\-ruv\fR \- List all running CLEANALLRUV and abort CLEANALLRUV tasks. diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 0f420106e093e8a7a277016857d27aaa48daa4dc..e9af88dc4356d4fd5495f4fea399ab09c75db953 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -1451,7 +1451,7 @@ class ReplicationManager(object): wait_for_task(self.conn, dn) -def abortcleanallruv(self, replicaId): +def abortcleanallruv(self, replicaId, force=False): """ Create a task to abort a CLEANALLRUV operation. """ @@ -1465,6 +1465,7 @@ class ReplicationManager(object): 'replica-id': [replicaId], 'objectclass': ['top', 'extensibleObject'], 'cn': ['abort %d' % replicaId], +'replica-ce
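Review bot: in the ipa-replica-manage hunk (@@ -470) `thisrepl.abortcleanallruv(ruv, options.force)` relies on `options.force` being parsed for the abort-clean-ruv subcommand, yet the diff touches no option handling and the man page hunk is the only place --force is described for this command; confirm the option is already accepted there, otherwise this raises AttributeError. The replication.py hunk (@@ -1451, @@ -1465) adds a `force=False` default and a new task attribute, and the man text says that with --force the abort completes without every replica having received the abort task, so the commit message should spell out that replicas not reached keep running their CLEANALLRUV task and need a separate abort, since that is the operational consequence of `replica-certify-all: no`.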
Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues
On Fri, 17 Jul 2015, Martin Basti wrote: On 17/07/15 13:04, Alexander Bokovoy wrote: On Wed, 15 Jul 2015, Martin Basti wrote: On 15/07/15 18:01, Alexander Bokovoy wrote: On Wed, 15 Jul 2015, Martin Basti wrote: Moved files temporarily exist without a proper SElinux context which causes issues when running SSSD/ntpd tries to work with files. https://fedorahosted.org/freeipa/ticket/4923 Patch attached. -- Martin Basti From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 15 Jul 2015 16:20:59 +0200 Subject: [PATCH] sysrestore: copy files instead of moving them to avoind SELinux issues Copying files restores SELinux context. https://fedorahosted.org/freeipa/ticket/4923 --- ipapython/sysrestore.py | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -186,12 +186,12 @@ class FileStore: if new_path is not None: path = new_path -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -tasks.restore_context(path) - Please keep restorecon calls because we might have a case when old label was wrong in the backup. del self.files[filename] self.save() 
@@ -217,12 +217,12 @@ class FileStore: root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) continue -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -tasks.restore_context(path) - Same here. Sorry I don't get it. Label is not copied from backup_file. I changed Selinux context, then copy to original location and context was restored when file does not exist. Do you mean case when the target file has different label than it should have? Yes, it could happen quite often. Updated patch attached. You attached wrong patch -- Martin Basti From d480d244266a84fb6c2c6b50011b1aba809e2aef Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 16 Jul 2015 16:26:55 +0200 Subject: [PATCH] Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand --force option set replica-certify-all to 'no' during abort-clean-ruv subcommand https://fedorahosted.org/freeipa/ticket/4988 --- install/tools/ipa-replica-manage | 2 +- install/tools/man/ipa-replica-manage.1 | 2 +- ipaserver/install/replication.py | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index e525a02f4c60350b7a943abab4b4aedd957e984a..50a57f70ec452c0df5bf2ea55d2a136e8149aa41 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -470,7 +470,7 @@ def abort_clean_ruv(realm, ruv, options): print thisrepl = replication.ReplicationManager(realm, options.host, options.dirman_passwd) -thisrepl.abortcleanallruv(ruv) +thisrepl.abortcleanallruv(ruv, options.force) print "Cleanup task stopped" diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 index 8a7c78f39eeb6c7902ed99e7bed37e32eb0e92dc..c09ed362f3143e6e38716e1b3a96e90001a64674 100644 --- a/install/tools/man/ipa-replica-manage.1 
+++ b/install/tools/man/ipa-replica-manage.1 @@ -49,7 +49,7 @@ Manages the replication agreements of an IPA server. The available commands are: \- Run the CLEANALLRUV task to remove a replication ID. .TP \fBabort\-clean\-ruv\fR [REPLICATION_ID] -\- Abort a running CLEANALLRUV task. +\- Abort a running CLEANALLRUV task. With \-\-force option the task does not wait for all the replica servers to have been sent the abort task, or be online, before completing. .TP \fBlist\-clean\-ruv\fR \- List all running CLEANALLRUV and abort CLEANALLRUV tasks. diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 0f420106e093e8a7a277016857d27aaa48daa4dc..e9af88dc4356d4fd5495f4fea399ab09c75db953 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -1451,7 +1451,7 @@ class ReplicationManager(object): wait_for_task(self.conn, dn) -def abortcleanallruv(self, replicaId): +def abortcleanallruv(self, replicaId, force=False): """ Create a task to abort a CLEANALLRUV operation. """ @@ -1465,6 +1465,7 @@ class ReplicationManager(object): 'replica-id': [replicaId], 'objectclass': ['top', 'extensibleObject'], 'cn': ['abort
Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues
On 17/07/15 13:25, Alexander Bokovoy wrote: On Fri, 17 Jul 2015, Martin Basti wrote: On 17/07/15 13:04, Alexander Bokovoy wrote: On Wed, 15 Jul 2015, Martin Basti wrote: On 15/07/15 18:01, Alexander Bokovoy wrote: On Wed, 15 Jul 2015, Martin Basti wrote: Moved files temporarily exist without a proper SElinux context which causes issues when running SSSD/ntpd tries to work with files. https://fedorahosted.org/freeipa/ticket/4923 Patch attached. -- Martin Basti From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 15 Jul 2015 16:20:59 +0200 Subject: [PATCH] sysrestore: copy files instead of moving them to avoind SELinux issues Copying files restores SELinux context. https://fedorahosted.org/freeipa/ticket/4923 --- ipapython/sysrestore.py | 12 ++-- 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -186,12 +186,12 @@ class FileStore: if new_path is not None: path = new_path -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -tasks.restore_context(path) - Please keep restorecon calls because we might have a case when old label was wrong in the backup. del self.files[filename] self.save() 
@@ -217,12 +217,12 @@ class FileStore: root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) continue -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -tasks.restore_context(path) - Same here. Sorry I don't get it. Label is not copied from backup_file. I changed Selinux context, then copy to original location and context was restored when file does not exist. Do you mean case when the target file has different label than it should have? Yes, it could happen quite often. Updated patch attached. You attached wrong patch -- Martin Basti From d480d244266a84fb6c2c6b50011b1aba809e2aef Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 16 Jul 2015 16:26:55 +0200 Subject: [PATCH] Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand --force option set replica-certify-all to 'no' during abort-clean-ruv subcommand https://fedorahosted.org/freeipa/ticket/4988 --- install/tools/ipa-replica-manage | 2 +- install/tools/man/ipa-replica-manage.1 | 2 +- ipaserver/install/replication.py | 3 ++- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index e525a02f4c60350b7a943abab4b4aedd957e984a..50a57f70ec452c0df5bf2ea55d2a136e8149aa41 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -470,7 +470,7 @@ def abort_clean_ruv(realm, ruv, options): print thisrepl = replication.ReplicationManager(realm, options.host, options.dirman_passwd) -thisrepl.abortcleanallruv(ruv) +thisrepl.abortcleanallruv(ruv, options.force) print "Cleanup task stopped" diff --git a/install/tools/man/ipa-replica-manage.1 b/install/tools/man/ipa-replica-manage.1 index 8a7c78f39eeb6c7902ed99e7bed37e32eb0e92dc..c09ed362f3143e6e38716e1b3a96e90001a64674 100644 --- a/install/tools/man/ipa-replica-manage.1 
+++ b/install/tools/man/ipa-replica-manage.1 @@ -49,7 +49,7 @@ Manages the replication agreements of an IPA server. The available commands are: \- Run the CLEANALLRUV task to remove a replication ID. .TP \fBabort\-clean\-ruv\fR [REPLICATION_ID] -\- Abort a running CLEANALLRUV task. +\- Abort a running CLEANALLRUV task. With \-\-force option the task does not wait for all the replica servers to have been sent the abort task, or be online, before completing. .TP \fBlist\-clean\-ruv\fR \- List all running CLEANALLRUV and abort CLEANALLRUV tasks. diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py index 0f420106e093e8a7a277016857d27aaa48daa4dc..e9af88dc4356d4fd5495f4fea399ab09c75db953 100644 --- a/ipaserver/install/replication.py +++ b/ipaserver/install/replication.py @@ -1451,7 +1451,7 @@ class ReplicationManager(object): wait_for_task(self.conn, dn) -def abortcleanallruv(self, replicaId): +def abortcleanallruv(self, replicaId, force=False): """ Create a task to abort a CLEANALLRUV operation. """ @@ -1465,6 +1465,7 @@ class ReplicationManager(object): 'replica-id': [replicaId], 'objectclass': ['top', 'extensibleObject'], 'cn':
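Review bot: the second sysrestore hunk (@@ -217,12 +217,12 @@) has the same two problems as the first: it also deletes tasks.restore_context(path), so a pre-existing target keeps a stale label after shutil.copy rewrites it in place, and the copy followed by os.remove(backup_path) leaves a window in which the target is truncated or partially written; keep the restore_context call and do the copy into a temporary file that is then renamed over path. For the ipa-replica-manage patch that was attached in its place: the man page hunk documents \-\-force for abort\-clean\-ruv and abort_clean_ruv() now passes options.force through, but no hunk adds a --force option to that subcommand's parser, so confirm the option is already defined for abort-clean-ruv or options.force will raise AttributeError at run time. The replication.py hunk is cut off on the page right after 'cn':, so the part that is supposed to set replica-certify-all to 'no' when force is given cannot be reviewed from what is visible here.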
Re: [Freeipa-devel] [PATCH 0285] DNS: consolidate RR types in API and LDAP schema
On 17.7.2015 13:00, Martin Basti wrote: > On 15/07/15 18:13, Petr Spacek wrote: >> On 15.7.2015 17:39, Martin Basti wrote: >>> On 15/07/15 17:38, Petr Spacek wrote: On 15.7.2015 17:33, Martin Basti wrote: > On 15/07/15 16:03, Martin Basti wrote: >> On 15/07/15 15:39, Petr Vobornik wrote: >>> On 07/15/2015 02:42 PM, Martin Basti wrote: Patch attached. https://fedorahosted.org/freeipa/ticket/4934 https://fedorahosted.org/freeipa/ticket/5055 >>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a >>> plan >>> to use them? Can't we just not use unsupported records in LDAPSearch'? >>> (which would fix #5055) >> I had a discussion with Petr2, and we decided to do it this way, because >> these >> records are valid. >> >> Removing unsupported records from search changes the behavior of the DNS >> commands. Now IPA shows even unsupported records which cannot be >> modified by >> API. AFAIK we want to keep this behavior. >> > Updated patch attached. > > I forgot to remove DNSKEY from object class definition. Are you 100 % sure that it will not break on upgrade? Please double-check that with Thierry. >>> It was my change before we decided that DNSKEY should not be there, it is >>> not >>> in git repo. >> I see, okay. >> > Updated patch attached. The intent described in the commit message LGTM. Unfortunately I do not have time for further review, please find somebody else :-) -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.
On 07/17/2015 10:31 AM, Petr Vobornik wrote: On 07/17/2015 07:18 AM, Alexander Bokovoy wrote: On Fri, 17 Jul 2015, Jan Cholasta wrote: On 16.7.2015 at 12:16 David Kupka wrote: On 15/07/15 16:04, David Kupka wrote: On 15/07/15 15:34, Jan Cholasta wrote: On 15.7.2015 at 15:21 David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4953 To test this patch: 1. Migrate users from LDAP or other FreeIPA server (https://www.freeipa.org/page/Howto/Migration) 2. Disable anonymous bind to Directory Server (https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html) 3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and enter name and password of one of the migrated users. Without this patch you will get an error page. NACK, you are calling do_bind with wrong arguments. Updated patch attached. With Honza, we've found a better solution. Instead of binding to the LDAP just to get base DN we can instantiate api and use the api.env.basedn variable. At the same time we can use api.env.ldap_uri instead of searching the filesystem for the ldapi socket. Patch attached. LGTM, but since I had a part in this, I'd like someone else (Petr?) to ACK this. I went through the code and I think it is also a better approach than it was before, so ACK. ACK as well. Pushed to: master: e5d179b5b96bba5048a05135693acc5507d38163 ipa-4-2: 65877820b821884ac3b539e7f64e12c2cb3dd34f Also tested and pushed to 4-1 (ticket is in 4-1) e40a6bc0824020af6ae9d95f444c69a09457cb24 -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues
On Fri, 17 Jul 2015, Martin Basti wrote: From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 15 Jul 2015 16:20:59 +0200 Subject: [PATCH] sysrestore: copy files instead of moving them to avoind SELinux issues Copying files restores SELinux context. https://fedorahosted.org/freeipa/ticket/4923 --- ipapython/sysrestore.py | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..99d78b1b40c82a3350a7c5ba5ad9bf1f77ba887b 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -186,7 +186,9 @@ class FileStore: if new_path is not None: path = new_path -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) @@ -217,7 +219,9 @@ class FileStore: root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) continue -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -- 2.4.3 ACK. -- / Alexander Bokovoy
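Review bot: both hunks in this version keep tasks.restore_context(path) (it no longer appears among the removed lines), which covers the stale-label case raised earlier, but shutil.copy(backup_path, path) followed by os.remove(backup_path) still trades the atomic rename of shutil.move for a window in which path is truncated or only partially written; SSSD or ntpd opening the file in that window reads a broken configuration, which is the same class of failure the ticket is about. Writing the copy to a temporary file next to path, applying chown, chmod and the label there, and renaming it into place closes that window. Two smaller points: shutil.copy copies content and permission bits only, so the os.chown that follows is still needed (and is still there), and if path is a symlink shutil.copy writes through the link into its target, whereas the old os.rename-based move replaced the link itself.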
Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues
On 07/17/2015 01:44 PM, Alexander Bokovoy wrote: On Fri, 17 Jul 2015, Martin Basti wrote: From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 15 Jul 2015 16:20:59 +0200 Subject: [PATCH] sysrestore: copy files instead of moving them to avoind SELinux issues Copying files restores SELinux context. https://fedorahosted.org/freeipa/ticket/4923 --- ipapython/sysrestore.py | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..99d78b1b40c82a3350a7c5ba5ad9bf1f77ba887b 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -186,7 +186,9 @@ class FileStore: if new_path is not None: path = new_path -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) @@ -217,7 +219,9 @@ class FileStore: root_logger.debug(" -> Not restoring - '%s' doesn't exist", backup_path) continue -shutil.move(backup_path, path) +shutil.copy(backup_path, path) # SELinux needs copy +os.remove(backup_path) + os.chown(path, int(uid), int(gid)) os.chmod(path, int(mode)) -- 2.4.3 ACK. Pushed to: master: 9f701283534745bf93b41a1886183e9ef1d06566 ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61 -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues
On 07/17/2015 01:46 PM, Petr Vobornik wrote: On 07/17/2015 01:44 PM, Alexander Bokovoy wrote: On Fri, 17 Jul 2015, Martin Basti wrote: From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 15 Jul 2015 16:20:59 +0200 Subject: [PATCH] sysrestore: copy files instead of moving them to avoind SELinux issues ACK. Pushed to: master: 9f701283534745bf93b41a1886183e9ef1d06566 ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61 Does it really fix the whole ticket? There is also in freeipa.spec.in %post client (i.e. upgrade): cat /etc/krb5.conf >> /etc/krb5.conf.ipanew mv /etc/krb5.conf.ipanew /etc/krb5.conf /sbin/restorecon /etc/krb5.conf + some others. Between the mv and restorecon, SSSD tries to access the file and raises AVC. In this case we can freely use mv -z since target platforms are Fedora and newest RHEL. -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues
On 17/07/15 13:57, Petr Vobornik wrote: On 07/17/2015 01:46 PM, Petr Vobornik wrote: On 07/17/2015 01:44 PM, Alexander Bokovoy wrote: On Fri, 17 Jul 2015, Martin Basti wrote: From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 15 Jul 2015 16:20:59 +0200 Subject: [PATCH] sysrestore: copy files instead of moving them to avoind SELinux issues ACK. Pushed to: master: 9f701283534745bf93b41a1886183e9ef1d06566 ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61 Does it really fix the whole ticket? There is also in freeipa.spec.in %post client (i.e. upgrade): cat /etc/krb5.conf >> /etc/krb5.conf.ipanew mv /etc/krb5.conf.ipanew /etc/krb5.conf /sbin/restorecon /etc/krb5.conf + some others. Between the mv and restorecon, SSSD tries to access the file and raises AVC. In this case we can freely use mv -z since target platforms are Fedora and newest RHEL. I didn't inspect the specfile, I will take a look. Thank you for the catch. -- Martin Basti
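The race Petr describes (mv, then restorecon, with SSSD reading the file in between) and the copy-then-remove approach of the sysrestore patch are two ends of the same problem: for a moment either the label or the content of the restored file is wrong. The following is an added example, not FreeIPA's code, of the pattern that avoids both: write the backup to a temporary file in the target directory, apply ownership, mode and (when the libselinux Python bindings are importable and SELinux is enabled) the policy default context for the final path, and only then rename it into place, so a reader sees either the old file or the complete, correctly labelled new one. The names restore_file_atomically, label_for_final_path and demo are assumptions made for this example, and the krb5.conf contents used in demo() are constructed sample data.

```python
import os
import shutil
import stat
import tempfile

try:
    import selinux  # libselinux bindings; absent on non-SELinux hosts
except ImportError:
    selinux = None


def label_for_final_path(tmp_path, final_path):
    """Label tmp_path with the policy default context of final_path.

    Returns the context applied, or None when SELinux is unavailable or
    disabled. The label is set *before* the rename, so the atomic rename
    publishes a file that already carries the right type and there is no
    window in which a reader sees the wrong label. matchpathcon() is asked
    about the final name on purpose: restorecon on the temporary name would
    label it for that name, not for the path it is about to become.
    """
    if selinux is None or not selinux.is_selinux_enabled():
        return None
    rc, context = selinux.matchpathcon(final_path, stat.S_IFREG)
    if rc != 0:
        return None
    selinux.setfilecon(tmp_path, context)
    return context


def restore_file_atomically(backup_path, path, uid, gid, mode):
    """Put the backup back at path without an intermediate broken state.

    The content is written to a temporary file in the target directory,
    ownership, mode and label are applied there, and os.rename() swaps it
    into place. Unlike copy-then-remove, readers see either the old file
    or the complete new one, never a truncated one. Returns the restored
    path. (Hypothetical helper written for this example.)
    """
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp_path = tempfile.mkstemp(prefix=".restore-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as dst, open(backup_path, "rb") as src:
            shutil.copyfileobj(src, dst)
            dst.flush()
            os.fsync(dst.fileno())  # content is durable before it is published
        os.chown(tmp_path, int(uid), int(gid))
        os.chmod(tmp_path, int(mode))
        label_for_final_path(tmp_path, path)
        os.rename(tmp_path, path)  # atomic replacement on the same filesystem
    except BaseException:
        try:
            os.unlink(tmp_path)  # never leave a half-written temporary behind
        except OSError:
            pass
        raise
    os.remove(backup_path)  # only once the restore is durably in place
    return path


def demo():
    """Constructed scenario: a stale target is replaced by its backup.

    Returns (restored content, permission bits, whether the backup still exists).
    """
    workdir = tempfile.mkdtemp()
    try:
        target = os.path.join(workdir, "krb5.conf")
        backup = os.path.join(workdir, "krb5.conf.backup")
        with open(target, "w") as f:  # the "wrong" file currently in place
            f.write("[libdefaults]\n default_realm = STALE\n")
        with open(backup, "w") as f:  # the backup that must come back
            f.write("[libdefaults]\n default_realm = EXAMPLE.TEST\n")
        restore_file_atomically(backup, target, os.getuid(), os.getgid(), 0o600)
        with open(target) as f:
            content = f.read()
        mode = stat.S_IMODE(os.stat(target).st_mode)
        return content, mode, os.path.exists(backup)
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    print(demo())
```

The chown/chmod/label steps happen on the temporary file, so the moment the new name becomes visible it already has the permissions and type a reader expects; the same ordering is what the spec file wants for its .ipanew files, where `mv -Z` relabels only after the rename.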
Re: [Freeipa-devel] [PATCHES 0279-0280] Backport index fixes into IPA 4.1
On 07/17/2015 12:55 PM, Martin Babinsky wrote: On 07/09/2015 01:50 PM, Martin Basti wrote: Backport following commits into IPA 4-1: 57fba7a56f88c517b3ebb03842f1cc18bc129ebb 16f47ed4520d4f89db39d1dc58be7a8efb1d8612 Patches attached. ACK pushed to ipa-4-1: * cf2587ce726f8ba5f374689b3ad818e04cabaadd Fix indicies ntUserDomainId, ntUniqueId * f6901e5a10434849cb64228ce0dcba31b52bc968 Server Upgrade: fix memberUid index -- Petr Vobornik
Re: [Freeipa-devel] [PATCH 013] Fix minor typos
On 07/17/2015 01:17 PM, Petr Vobornik wrote: On 07/17/2015 12:21 PM, Christian Heimes wrote: This patch from Yuri Chornoivan fixes some typos. All fixes look ok to me. +1, one minor issue though. Btw, the Reviewed-By line is added by ipatool utility on push. https://fedorahosted.org/freeipa/ticket/5109 https://bugzilla.redhat.com/show_bug.cgi?id=1239132 freeipa-cheimes-0013-Fix-minor-typos.patch index 44aacd0916454e03c6611f106088b98ea0169979..5ba2c9760891c5d45f7bf9841a54c59fc99da01e 100644 --- a/ipalib/__init__.py +++ b/ipalib/__init__.py @@ -711,7 +711,7 @@ assume these variables will all exist by the time the module containing their plugin (or plugins) is imported. `Env._bootstrap()`, which is called by `API.bootstrap()`, will create several -run-time variables that connot be overriden in configuration files or through +run-time variables that connot be overridden in configuration files or through command-line options. Here is an overview of this run-time information: connot fixed and Pushed to: master: 75fde43491872d3e2f52e8a523af9e60486fd0e0 ipa-4-2: 2cd77df8f4eea0534b64aa703b59eecc4fef874d -- Petr Vobornik
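Review bot: the hunk corrects "overriden" to "overridden" but leaves "connot" on the very same line (`+run-time variables that connot be overridden in configuration files or through`); fix both in this hunk so the sentence reads "cannot be overridden", otherwise the typo patch ships a typo.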
Re: [Freeipa-devel] [PATCH 0274] DNS: Check if dns package is installed
On 03/07/15 09:03, Tomas Babej wrote: On 07/02/2015 02:03 PM, Petr Spacek wrote: On 2.7.2015 13:54, Jan Cholasta wrote: On 2.7.2015 at 13:34 Petr Spacek wrote: On 2.7.2015 12:57, Tomas Babej wrote: On 07/02/2015 08:50 AM, Petr Spacek wrote: On 1.7.2015 20:29, Tomas Babej wrote: On 07/01/2015 04:45 PM, Petr Spacek wrote: On 1.7.2015 15:32, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4058 Requires patch freeipa-pspacek-0052 ACK I must admit I don't really like wrapping a constant in the method in the TaskNamespace object. We're interested in the constant itself - there's no case I can imagine where the name of the freeipa's dns package will be dynamic. For paths we have BasePathNamespace that contains all the paths, maybe we should introduce something similar for the non-path platform dependent constants? Generally I support this but it seems like 4.3 material (and out of scope of #4058). We need to finish 4.2 now. Please ACK or NACK ASAP. It's fairly straightforward to introduce a new platform namespace for constants. See attached patch, it implements the namespace and already contains the proper values for the dns package name. The original patch 274 would only need to use: >>> from ipaplatform.constants import constants >>> constants.DNS_PACKAGE_NAME 'freeipa-server-dns' I'm okay with that if Honza or somebody else knowledgeable about the whole platform-thingy can ACK this, amend Martin^2's patch 274 and test the whole thing. Unfortunately I do not have time for it myself. If nobody does that please push the original patch (when its dependency pspacek-0052 gets ACK). I think you are overengineering this a little bit, adding whatever ipaplatform stuff just because of an error message seems rather unnecessary to me. I think changing the error message to "Integrated DNS requires 'freeipa-server-dns' package" or even "Integrated DNS requires IPA DNS server package" would be perfectly fine. 
The message should be as specific as possible but I do not care how it will be implemented. Alright, let's not get stuck. Petr insists on a specific message on each platform. Given that the package name is platform dependent, I think we should keep it as a platform constant; a task makes little sense. Given that Martin's not available right now, I'll amend his patches and send the updated version. Tomas Updated patches attached. ACK for 332. I just removed DNS constants from the 332 patch -- Martin Basti From 4194a9df1e384b8713ecc92d1b8563c322e30dcf Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 1 Jul 2015 15:05:45 +0200 Subject: [PATCH 2/2] DNS: check if DNS package is installed Instead of separate checking of DNS required packages, we need just check if IPA DNS package is installed. https://fedorahosted.org/freeipa/ticket/4058 --- ipaplatform/base/constants.py | 2 +- ipaplatform/base/paths.py | 1 + ipaplatform/rhel/constants.py | 2 +- ipaserver/install/bindinstance.py | 19 +-- ipaserver/install/dns.py| 11 ++- ipaserver/install/dnskeysyncinstance.py | 6 -- ipaserver/install/opendnssecinstance.py | 8 7 files changed, 10 insertions(+), 39 deletions(-) diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py index 70485055fa5a12fac878ace3dea11ea442ebe6be..cef829e2d3886db00ae6d0299ddcf325d1add80e 100644 --- a/ipaplatform/base/constants.py +++ b/ipaplatform/base/constants.py @@ -8,4 +8,4 @@ This base platform module exports platform dependant constants. class BaseConstantsNamespace(object): -pass +IPA_DNS_PACKAGE_NAME = "freeipa-server-dns" diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 9fef3e7a1351dd42895fe560bb3c1bc5a1c852b4..6ca4965d3deab61030d09b4b07582ff27e6af120 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py 
@@ -218,6 +218,7 @@ class BasePathNamespace(object): GROUPADD = "/usr/sbin/groupadd" HTTPD = "/usr/sbin/httpd" IPA_CLIENT_INSTALL = "/usr/sbin/ipa-client-install" +IPA_DNS_INSTALL = "/usr/sbin/ipa-dns-install" SBIN_IPA_JOIN = "/usr/sbin/ipa-join" IPA_REPLICA_CONNCHECK = "/usr/sbin/ipa-replica-conncheck" IPA_RMKEYTAB = "/usr/sbin/ipa-rmkeytab" diff --git a/ipaplatform/rhel/constants.py b/ipaplatform/rhel/constants.py index eaca48030fa28804c70c161b07228646a95fc1a3..17abde1f861778bec83067cb01e9a1faae325527 100644 --- a/ipaplatform/rhel/constants.py +++ b/ipaplatform/rhel/constants.py @@ -11,6 +11,6 @@ from ipaplatform.redhat.constants import RedHatConstantsNamespace class RHELConstantsNamespace(RedHatConstantsNamespace): -pass +IPA_DNS_PACKAGE_NAME = "ipa-server-dns" constants = RHELConstantsNamespace() diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 2228342dc40ee415d1adf2687a7ae91a5963d3c7..9705e845a76191a252bfa963b54d9c31d83ad18e 100644 --- a/ipaserver/install/bindinstance
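Review bot: the ipaplatform/base/constants.py hunk makes "freeipa-server-dns" the default IPA_DNS_PACKAGE_NAME for every platform and ipaplatform/rhel/constants.py overrides it with "ipa-server-dns", so Fedora relies on the base default carrying the Fedora package name; a one-line comment next to the base constant saying so would save the next platform author from guessing, and a platform that ships neither name will print a misleading package in its error message. The commit message says the per-dependency checks are replaced by a single check that the IPA DNS package is installed, but the ipaserver/install/bindinstance.py hunk with that check is cut off on the page, so it cannot be verified here whether the check tests for the package by name (platform-specific and brittle across renames) or for something the package actually installs; the new paths.IPA_DNS_INSTALL entry suggests the latter, which is the more robust choice.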
Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
- Original Message - > From: "Jan Cholasta" > To: "Simo Sorce" , "Petr Spacek" > Cc: freeipa-devel@redhat.com, "Alexander Bokovoy" > Sent: Thursday, July 16, 2015 2:08:09 AM > Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package > > On 15.7.2015 at 19:39 Simo Sorce wrote: > > - Original Message - > >> From: "Petr Spacek" > >> To: "Jan Cholasta" , freeipa-devel@redhat.com, > >> "Alexander Bokovoy" > >> Cc: "Simo Sorce" > >> Sent: Tuesday, July 14, 2015 10:33:41 AM > >> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package > >> > >> On 14.7.2015 16:29, Jan Cholasta wrote: > >>> On 14.7.2015 at 14:33 Petr Spacek wrote: > On 2.7.2015 09:56, Petr Spacek wrote: > > On 2.7.2015 09:36, Alexander Bokovoy wrote: > >> On Thu, 02 Jul 2015, Jan Cholasta wrote: > >>> Can this be done without adding server-core? > >> I'm not aware of such method (except of adding all DNS > >> dependencies > >> as > >> Requires straight into freeipa-server package). > >> > >>> Because it's not server core, > >>> it's the whole thing! Or maybe just rename it to server-common? > >> > >> I'm fine with 'common'. Ticket 4058 calls for sub-package for CA > >> too > >> so my > >> idea was to create 'core' package which will be gradually reduced > >> more and more. > > > > Well, I don't like the fact that in order to install IPA server > > without DNS you have to install freeipa-server-core instead of just > > freeipa-server. Fedora packaging guidelines [1] state that the > > metapackage should be named freeipa-server-compat, so I guess > > renaming > > freeipa-server to freeipa-server-compat and freeipa-server-core to > > freeipa-server is good enough. > I think you are misunderstanding what the guidelines say. -compat > subpackage is something that only contains Requires: and Obsoletes:, > to > help to pull the right packages. It is not supposed to be a > full-featured package with content. 
> >>> > >>> With Petr's patch, freeipa-server is exactly that - a metapackage > >>> with > >>> requires and obsoletes only - hence my suggestion to rename it > >>> according to > >>> the guidelines. > >> That's not good. > >> > I think we are good enough with freeipa-server-dns. We have the same > situation with freeipa-server-trust-ad -- it is not required by the > main > package and pulls in Samba-related bits. We also don't have any > -compat > or metapackage for it. > >>> > >>> freeipa-server-dns is fine, what is IMO not fine is that it *is* > >>> required by > >>> the main freeipa-server package, *unlike* freeipa-server-trust-ad. > >>> > >>> We don't have a compat metapackage for freeipa-server-trust-ad, > >>> because > >>> there are no upgrade issues with it, which is what Petr is trying to > >>> solve > >>> with his patch. > >> So, the issue is that for installed bind+bind-dyndb-ldap combination > >> we > >> need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of > >> modifying main freeipa package we could modify bind-dyndb-ldap package > >> to require bind-pkcs11 and corresponding bits of freeipa packages? > > > > Unfortunately, no. > > - bind-dyndb-ldap itself is used & supported even without FreeIPA. > > - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11 > > provider) > > => upgrade could break non-FreeIPA installations. > > > > I'm attempting to rework the patch now, stay tuned. > > Apparently this thread was abandoned during my PTO so I'm sending new > patch > here. It includes the -compat package and works with YUM and DNF. > >>> > >>> I don't like that freeipa-server got renamed to freeipa-server-core, but > >>> I > >>> won't push against it if Alexander and others (CCing Simo) are OK with > >>> it. > >> > >> For the record, I was not able to make it work without the rename. > > > > My opinion is that if we run dnf install freeipa-server, then we need to > > get freeipa server packages. 
> > If this is what happens I am ok with patches, otherwise I am not. > > Without the patch, "dnf install freeipa-server" installs freeipa server > without DNS dependencies. > > With the first version of the patch, "dnf install freeipa-server" > installs freeipa server with all DNS dependencies. To install freeipa > server without DNS dependencies, you need to run "dnf install > freeipa-server-core". (Note that with this patch freeipa-server is a > meta-package with no files.) > > With the second version of the patch, "dnf install freeipa-server" > fails, because there is no freeipa-server anymore. To install freeipa > server without DNS
Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
- Original Message - > From: "Petr Spacek" > To: "Alexander Bokovoy" , "Jan Cholasta" > > Cc: "Simo Sorce" , freeipa-devel@redhat.com > Sent: Thursday, July 16, 2015 7:47:57 AM > Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package > > On 16.7.2015 08:33, Alexander Bokovoy wrote: > > On Thu, 16 Jul 2015, Jan Cholasta wrote: > >> On 15.7.2015 at 19:39 Simo Sorce wrote: > >>> - Original Message - > From: "Petr Spacek" > To: "Jan Cholasta" , freeipa-devel@redhat.com, > "Alexander Bokovoy" > Cc: "Simo Sorce" > Sent: Tuesday, July 14, 2015 10:33:41 AM > Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package > > On 14.7.2015 16:29, Jan Cholasta wrote: > > On 14.7.2015 at 14:33 Petr Spacek wrote: > >> On 2.7.2015 09:56, Petr Spacek wrote: > >>> On 2.7.2015 09:36, Alexander Bokovoy wrote: > On Thu, 02 Jul 2015, Jan Cholasta wrote: > > Can this be done without adding server-core? > I'm not aware of such method (except of adding all DNS > dependencies > as > Requires straight into freeipa-server package). > > > Because it's not server core, > > it's the whole thing! Or maybe just rename it to server-common? > > I'm fine with 'common'. Ticket 4058 calls for sub-package for CA > too > so my > idea was to create 'core' package which will be gradually > reduced > more and more. > >>> > >>> Well, I don't like the fact that in order to install IPA server > >>> without DNS you have to install freeipa-server-core instead of > >>> just > >>> freeipa-server. Fedora packaging guidelines [1] state that the > >>> metapackage should be named freeipa-server-compat, so I guess > >>> renaming > >>> freeipa-server to freeipa-server-compat and freeipa-server-core > >>> to > >>> freeipa-server is good enough. > >> I think you are misunderstanding what the guidelines say. -compat > >> subpackage is something that only contains Requires: and > >> Obsoletes:, > >> to > >> help to pull the right packages. 
It is not supposed to be a > >> full-featured package with content. > > > > With Petr's patch, freeipa-server is exactly that - a metapackage > > with > > requires and obsoletes only - hence my suggestion to rename it > > according to > > the guidelines. > That's not good. > > >> I think we are good enough with freeipa-server-dns. We have the > >> same > >> situation with freeipa-server-trust-ad -- it is not required by > >> the > >> main > >> package and pulls in Samba-related bits. We also don't have any > >> -compat > >> or metapackage for it. > > > > freeipa-server-dns is fine, what is IMO not fine is that it *is* > > required by > > the main freeipa-server package, *unlike* freeipa-server-trust-ad. > > > > We don't have a compat metapackage for freeipa-server-trust-ad, > > because > > there are no upgrade issues with it, which is what Petr is trying > > to > > solve > > with his patch. > So, the issue is that for installed bind+bind-dyndb-ldap combination > we > need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of > modifying main freeipa package we could modify bind-dyndb-ldap > package > to require bind-pkcs11 and corresponding bits of freeipa packages? > >>> > >>> Unfortunately, no. > >>> - bind-dyndb-ldap itself is used & supported even without FreeIPA. > >>> - bind-pkcs11 depends on properly configured SoftHSM (or other > >>> PKCS#11 > >>> provider) > >>> => upgrade could break non-FreeIPA installations. > >>> > >>> I'm attempting to rework the patch now, stay tuned. > >> > >> Apparently this thread was abandoned during my PTO so I'm sending new > >> patch > >> here. It includes the -compat package and works with YUM and DNF. > > > > I don't like that freeipa-server got renamed to freeipa-server-core, > > but I > > won't push against it if Alexander and others (CCing Simo) are OK with > > it. > > For the record, I was not able to make it work without the rename. 
> >>> > >>> My opinion is that if we run dnf install freeipa-server, then we need to > >>> get freeipa server packages. > >>> If this is what happens I am ok with patches, otherwise I am not. > >> > >> Without the patch, "dnf install freeipa-server" installs freeipa server > >> without DNS dependencies. > >> > >> With the first version of the patch, "dnf install freeipa-s
[Freeipa-devel] [PATCH 0289] [Py3] Replace tabs with space
I accidentally found several tabs in code, so I fixed it, as py3 does not allow mixing tabs and spaces. Patch attached. -- Martin Basti From 74e0ac4f24e3bc329abb2d08c3729945324d945d Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 17 Jul 2015 13:25:32 +0200 Subject: [PATCH] Py3: replace tab with space python3 does not allow to mix spaces and tabs --- ipapython/sysrestore.py| 2 +- ipaserver/dcerpc.py| 2 +- ipatests/test_xmlrpc/test_old_permission_plugin.py | 6 +++--- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py index 99d78b1b40c82a3350a7c5ba5ad9bf1f77ba887b..935e4c6ce2b51f5529e931b81de8347e39f401f3 100644 --- a/ipapython/sysrestore.py +++ b/ipapython/sysrestore.py @@ -227,7 +227,7 @@ class FileStore: tasks.restore_context(path) - #force file to be deleted +# force file to be deleted self.files = {} self.save() diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 4de5afb540e880e8948749c2cfa9a019eb807c47..87f978cfd398d5b00e057f03ad2dee6d34fd0435 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -1276,7 +1276,7 @@ class TrustDomainJoins(object): if self.local_domain.read_only: return - self.local_domain.ftinfo_records = [] +self.local_domain.ftinfo_records = [] realm_domains = self.api.Command.realmdomains_show()['result'] # Use realmdomains' modification timestamp to judge records last update time diff --git a/ipatests/test_xmlrpc/test_old_permission_plugin.py b/ipatests/test_xmlrpc/test_old_permission_plugin.py index b8f06e28cfadf057150958616518b50c0b782128..c254bf70abee2bb5d1cdf50b479b1bc0fe0eb5a0 100644 --- a/ipatests/test_xmlrpc/test_old_permission_plugin.py +++ b/ipatests/test_xmlrpc/test_old_permission_plugin.py @@ -1030,7 +1030,7 @@ class test_old_permission(Declarative): 'permission_add', [permission3], dict( type=u'user', permissions=u'write', - attrs=[u'cn'] + attrs=[u'cn'] ) ), expected=dict( 
@@ -1057,7 +1057,7 @@ class test_old_permission(Declarative): value=permission3, summary=None, result=dict( - dn=permission3_dn, +dn=permission3_dn, cn=[permission3], objectclass=objectclasses.permission, type=u'user', @@ -1080,7 +1080,7 @@ class test_old_permission(Declarative): value=permission3, summary=u'Modified permission "%s"' % permission3, result=dict( - dn=permission3_dn, +dn=permission3_dn, cn=[permission3], objectclass=objectclasses.permission, type=u'user', -- 2.4.3
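Review bot: the archive collapses leading whitespace, so each of these hunks shows the removed tab-indented line and the added space-indented line as the same text (`- self.local_domain.ftinfo_records = []` / `+self.local_domain.ftinfo_records = []`), and the new indentation depth cannot be checked against the surrounding block from the hunk alone; in dcerpc.py in particular the replaced line must end up at the same depth as the `if self.local_domain.read_only:` statement above it, not inside it. Compiling the three touched files with `python -tt -m py_compile <file>` (Python 2 turns inconsistent tab/space use into an error under -tt) before pushing would confirm the result mechanically; the sysrestore.py hunk is also the right place to check that the comment stays inside the block that ends with tasks.restore_context(path).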
Re: [Freeipa-devel] [PATCH 0289] [Py3] Replace tabs with space
On 2015-07-17 15:51, Martin Basti wrote: > I accidentally found several tabs in code, so I fixed it, as py3 does > not allow mixing tabs and spaces. ACK The other tabs are only in comments and doc strings: $ find . -name '*.py' | xargs grep -P '\t' ./ipaserver/dcerpc.py: self.local_domain.ftinfo_records = [] ./ipa-client/ipaclient/ntpconf.py:#broadcast 192.168.1.255 key 42 # broadcast server ./ipa-client/ipaclient/ntpconf.py:#broadcastclient # broadcast client ./ipa-client/ipaclient/ntpconf.py:#broadcast 224.0.1.1 key 42 # multicast server ./ipa-client/ipaclient/ntpconf.py:#multicastclient 224.0.1.1 # multicast client ./ipa-client/ipaclient/ntpconf.py:#manycastserver 239.255.254.254 # manycast server ./ipa-client/ipaclient/ntpconf.py:#manycastclient 239.255.254.254 key 42 # manycast client ./ipa-client/ipaclient/ntpconf.py:server127.127.1.0 # local clock ./ipa-client/ipaclient/ntpconf.py:#fudge127.127.1.0 stratum 10 ./ipalib/plugins/automount.py:/-auto.direct ./ipalib/plugins/automount.py:/mnt auto.mnt ./ipapython/dn.py:ava = AVA('cn', 'Bob')# case 1: two strings ./ipapython/sysrestore.py: #force file to be deleted ./ipatests/test_xmlrpc/test_old_permission_plugin.py: attrs=[u'cn'] ./ipatests/test_xmlrpc/test_old_permission_plugin.py: dn=permission3_dn, ./ipatests/test_xmlrpc/test_old_permission_plugin.py: dn=permission3_dn, ./daemons/ipa-otpd/test.py:ATTRIBUTEUser-Name 1 string ./daemons/ipa-otpd/test.py:ATTRIBUTEUser-Password 2 string ./daemons/ipa-otpd/test.py:ATTRIBUTENAS-Identifier 32 string
Re: [Freeipa-devel] [PATCH 0286, 0290] Sysrestore: copy files instead of moving them to avoid SELinux issues
On 17/07/15 13:57, Petr Vobornik wrote: On 07/17/2015 01:46 PM, Petr Vobornik wrote: On 07/17/2015 01:44 PM, Alexander Bokovoy wrote: On Fri, 17 Jul 2015, Martin Basti wrote: From b05f4a2e17ae00e5c20e5eb7bd046472f100e0ad Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 15 Jul 2015 16:20:59 +0200 Subject: [PATCH] sysrestore: copy files instead of moving them to avoind SELinux issues ACK. Pushed to: master: 9f701283534745bf93b41a1886183e9ef1d06566 ipa-4-2: 92a73e8b2a5f26744b036a36de4b9956e8883f61 Does it really fix the whole ticket? There is also in freeipa.spec.in %post client (i.e. upgrade): cat /etc/krb5.conf >> /etc/krb5.conf.ipanew mv /etc/krb5.conf.ipanew /etc/krb5.conf /sbin/restorecon /etc/krb5.conf + some others. Between the mv and restorecon, SSSD tries to access the file and raises AVC. In this case we can freely use mv -z since target platforms are Fedora and newest RHEL. The new patch fixing specfile attached. -- Martin Basti From 287da2ddfb8633a3a1a26c6b325e95ce5668e7f7 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Fri, 17 Jul 2015 16:12:07 +0200 Subject: [PATCH] Use 'mv -Z' in specfile to restore SELinux context There might be AVC denial between moving file and restoring context. Using 'mv -Z' will solve this issue. https://fedorahosted.org/freeipa/ticket/4923 --- freeipa.spec.in | 9 +++-- 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index 928425fdc65a092f67a28d97101c32b7392bf1c8..b11f25a2d173bc93c6fc49303f278191f64727e4 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -633,16 +633,14 @@ if [ $1 -gt 1 ] ; then if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew cat /etc/krb5.conf >> /etc/krb5.conf.ipanew -mv /etc/krb5.conf.ipanew /etc/krb5.conf -/sbin/restorecon /etc/krb5.conf +mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf fi fi if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew -mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd -/sbin/restorecon /etc/sysconfig/ntpd +mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd /bin/systemctl condrestart ntpd.service 2>&1 || : fi @@ -688,8 +686,7 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then ' /etc/ssh/sshd_config.ipanew fi -mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config -/sbin/restorecon /etc/ssh/sshd_config +mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_config /bin/systemctl condrestart sshd.service 2>&1 || : -- 2.4.3
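Review bot: both `mv -Z` call sites in the first hunk (krb5.conf and ntpd) drop an explicit `/sbin/restorecon`, so the `%post` scriptlet now depends on a coreutils `mv` that accepts `-Z`; on a build where it does not, the scriptlet aborts mid-upgrade instead of merely leaving a stale label. The thread states the target platforms support it, but nothing in the spec records that. Suggest adding `Requires(post): coreutils >= <version with mv -Z>` (version to be confirmed per target distro) or at least a comment next to the first `mv -Z` naming the assumption.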
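Review bot: in the sshd_config hunk `chmod 600 /etc/ssh/sshd_config` still runs after the rename, so `/etc/ssh/sshd_config.ipanew` (written by `sed` with the umask-derived mode) is installed under that mode for a moment before it is tightened, the same kind of window the patch is closing for the SELinux label. Suggest `chmod 600 /etc/ssh/sshd_config.ipanew` before the `mv -Z`, which also makes the trailing chmod unnecessary.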
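The replacement pattern discussed above, as an added example that is not part of the patch or of FreeIPA: a POSIX sh helper that fixes the mode on the staged copy before the rename and uses `mv -Z` where the local coreutils supports it, falling back to the old mv + restorecon sequence otherwise. The function names and the temp-dir demo are my own.

```shell
#!/bin/sh
# Added example (not FreeIPA code): replace a config file the way the %post
# scriptlet does, without the two windows discussed in the thread:
#   1. between 'mv' and 'restorecon', where the new file carries the wrong
#      SELinux label (the AVC denial SSSD hit on krb5.conf);
#   2. between 'mv' and a trailing 'chmod 600', where the staged copy's
#      umask-derived mode is briefly installed (the sshd_config case).
# Assumptions (mine): GNU coreutils 'mv'; 'restorecon' may be absent.

# mv_supports_z: exit 0 if this 'mv' accepts -Z (GNU coreutils; with
# SELinux disabled the option is a no-op, so probing --help is enough).
mv_supports_z() {
    mv --help 2>/dev/null | grep -q -- '-Z'
}

# replace_config TARGET STAGED MODE
# Set the final mode on the staged copy first, then rename it over TARGET.
# With 'mv -Z' the destination gets its default SELinux type as part of the
# move; otherwise fall back to the original mv followed by restorecon.
replace_config() {
    target=$1
    staged=$2
    mode=$3
    [ -f "$staged" ] || return 1
    chmod "$mode" "$staged" || return 1      # before the rename, never after
    if mv_supports_z; then
        mv -Z "$staged" "$target" || return 1
    else
        mv "$staged" "$target" || return 1
        command -v restorecon >/dev/null 2>&1 && restorecon "$target" 2>/dev/null || :
    fi
    return 0
}

# Demonstration on constructed files in a temp dir; no real config is touched.
demo() {
    d=$(mktemp -d)
    printf 'Port 22\n' > "$d/sshd_config"
    printf 'Port 22\nPubkeyAuthentication yes\n' > "$d/sshd_config.ipanew"
    replace_config "$d/sshd_config" "$d/sshd_config.ipanew" 600 || return 1
    stat -c '%a %n' "$d/sshd_config"     # 600 .../sshd_config
    rm -rf "$d"
}
```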
Re: [Freeipa-devel] [PATCH 0288] ipa-replica-manage: Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand
On 07/16/2015 06:22 PM, Martin Basti wrote: On 16/07/15 17:07, Rob Crittenden wrote: Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/4988

Patch attached.

IMHO this should be mentioned in the man page.

rob

Updated patch attached.

ACK

Pushed to:
master: 82aaa1e6d07a13429381b94ffe4b5fc562427213
ipa-4-2: 58d0d335a4591398102f02c62a15290d64806cc4

-- Petr Vobornik
[Freeipa-devel] right way to connect to DS with Directory Manager creds from the test
Hi everybody,

What is the right way to connect to the Directory Server using Directory Manager credentials from the autotest? I need to execute something like

ldapsearch -D "cn=Directory Manager" -w '' -b "cn=IPA Topology Configuration,cn=plugins,cn=config"

from the python code. A quick look through the code showed that the following method is generally used to connect to ldap:

self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
self.conn = ldap2(api, ldap_uri=self.ldapuri)
self.conn.connect()

(See ipatests/test_ipaserver/test_ldap.py)

But this is anonymous access. The existing solution to use the kerberos ticket cache to login as admin:

self.ccache = paths.TMP_KRB5CC % os.getuid()
self.conn.connect(ccache='FILE:%s' % self.ccache)

(ipatests/test_ipaserver/test_ldap.py:test_GSSAPI)

has two drawbacks:
1. It would never work if the directory manager has a different password than admin
2. It does not work anyway, because kerberos is configured to store the cache not in the FILE:/tmp/krb5cc_%{uid} file (as the test expects), but rather in KEYRING:persistent:%{uid}:%{gid}

Thank you in advance.

-- Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
Re: [Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains
On 07/15/2015 02:41 PM, Tomas Babej wrote: On 07/15/2015 02:31 PM, Alexander Bokovoy wrote: On Wed, 15 Jul 2015, Tomas Babej wrote:

Hi,

Check for the presence of the forest root DNS domain of the AD realm among the IPA realm domains prior to establishing the trust. This prevents creation of a failing setup, as trusts would not work properly in this case.

https://fedorahosted.org/freeipa/ticket/4799

LGTM. The only comment I have is for the error message text. Would it make sense to point to 'ipa realmdomains-mod --del-domain' command?

Sure, why not. I actually abstained from generating the whole command (including the AD domain argument), as I believe it's better the users are discouraged from blindly copying commands around.

Updated patch attached.

Tomas

ACK

Pushed to:
master: 45958d62197296eabe5513ea392e204e1d49d5c6
ipa-4-2: ddec4500161cce0fd258cbc011efca27ef1f5392

-- Petr Vobornik
Re: [Freeipa-devel] right way to connect to DS with Directory Manager creds from the test
Oleg Fayans wrote:
> Hi everybody,
>
> What is the right way to connect to the Directory Server using Directory Manager credentials from the autotest? I need to execute something like
>
> ldapsearch -D "cn=Directory Manager" -w '' -b "cn=IPA Topology Configuration,cn=plugins,cn=config"
>
> from the python code. A quick look through the code showed that the following method is generally used to connect to ldap:
>
> self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
> self.conn = ldap2(api, ldap_uri=self.ldapuri)
> self.conn.connect()
>
> (See ipatests/test_ipaserver/test_ldap.py)
>
> But this is anonymous access.

In that same file is an example on how to do a simple bind with DM credentials:

self.conn = ldap2(shared_instance=False, ldap_uri=self.ldapuri)
self.conn.connect(bind_dn=DN(('cn', 'directory manager')), bind_pw=dm_password)

rob
Re: [Freeipa-devel] right way to connect to DS with Directory Manager creds from the test
On 17/07/15 17:03, Oleg Fayans wrote:
> Hi everybody,
>
> What is the right way to connect to the Directory Server using Directory Manager credentials from the autotest? I need to execute something like
>
> ldapsearch -D "cn=Directory Manager" -w '' -b "cn=IPA Topology Configuration,cn=plugins,cn=config"
>
> from the python code. A quick look through the code showed that the following method is generally used to connect to ldap:
>
> self.ldapuri = 'ldap://%s' % ipautil.format_netloc(api.env.host)
> self.conn = ldap2(api, ldap_uri=self.ldapuri)
> self.conn.connect()
>
> (See ipatests/test_ipaserver/test_ldap.py)
>
> But this is anonymous access. The existing solution to use the kerberos ticket cache to login as admin:
>
> self.ccache = paths.TMP_KRB5CC % os.getuid()
> self.conn.connect(ccache='FILE:%s' % self.ccache)
>
> (ipatests/test_ipaserver/test_ldap.py:test_GSSAPI)
>
> has two drawbacks:
> 1. It would never work if the directory manager has a different password than admin
> 2. It does not work anyway, because kerberos is configured to store the cache not in the FILE:/tmp/krb5cc_%{uid} file (as the test expects), but rather in KEYRING:persistent:%{uid}:%{gid}
>
> Thank you in advance.

You can use IPAdmin class in ipaldap

conn = ipaldap.IPAdmin(host=api.env.host)
conn.do_simple_bind(bindpw=password)  # directory manager is default user there
entry = conn.get_entry(...)

Martin Basti
Re: [Freeipa-devel] [PATCH 0289] [Py3] Replace tabs with space
On 07/17/2015 03:58 PM, Christian Heimes wrote: On 2015-07-17 15:51, Martin Basti wrote:
> I accidentally found several tabs in code, so I fixed it, as py3 does not allow to mix tabs and spaces.

ACK

Pushed to:
master: c6c84faecf5b7017c0d648d76ba0db4a2eba2f03
ipa-4-2: 7e5a0be8d81c3648a0163ff454cd963eadd70ea9

> The other tabs are only in comments and doc strings:
>
> $ find . -name '*.py' | xargs grep -P '\t'
> ./ipaserver/dcerpc.py: self.local_domain.ftinfo_records = []
> ./ipa-client/ipaclient/ntpconf.py:#broadcast 192.168.1.255 key 42 # broadcast server
> ./ipa-client/ipaclient/ntpconf.py:#broadcastclient # broadcast client
> ./ipa-client/ipaclient/ntpconf.py:#broadcast 224.0.1.1 key 42 # multicast server
> ./ipa-client/ipaclient/ntpconf.py:#multicastclient 224.0.1.1 # multicast client
> ./ipa-client/ipaclient/ntpconf.py:#manycastserver 239.255.254.254 # manycast server
> ./ipa-client/ipaclient/ntpconf.py:#manycastclient 239.255.254.254 key 42 # manycast client
> ./ipa-client/ipaclient/ntpconf.py:server 127.127.1.0 # local clock
> ./ipa-client/ipaclient/ntpconf.py:#fudge 127.127.1.0 stratum 10
> ./ipalib/plugins/automount.py:/- auto.direct
> ./ipalib/plugins/automount.py:/mnt auto.mnt
> ./ipapython/dn.py:ava = AVA('cn', 'Bob') # case 1: two strings
> ./ipapython/sysrestore.py: #force file to be deleted
> ./ipatests/test_xmlrpc/test_old_permission_plugin.py: attrs=[u'cn']
> ./ipatests/test_xmlrpc/test_old_permission_plugin.py: dn=permission3_dn,
> ./ipatests/test_xmlrpc/test_old_permission_plugin.py: dn=permission3_dn,
> ./daemons/ipa-otpd/test.py:ATTRIBUTE User-Name 1 string
> ./daemons/ipa-otpd/test.py:ATTRIBUTE User-Password 2 string
> ./daemons/ipa-otpd/test.py:ATTRIBUTE NAS-Identifier 32 string

-- Petr Vobornik