Re: [Freeipa-devel] 4.3 on rawhide build task fail
On (22/12/15 16:31), Petr Vobornik wrote:
>Build of 4.3 on Fedora rawhide failed at the end on rpmdiff check. Builds for
>all arches were successful and also works in COPR.
>
> 0 free 1 open 4 done 0 failed
>12284450 build (rawhide, /freeipa:b2442d51ba3f2a5f907f72e9bd90c5889bd89c0e):
>open (buildppcle-07.phx2.fedoraproject.org) -> FAILED: BuildError: mismatch
>when analyzing python3-ipatests-4.3.0-1.fc24.noarch.rpm, rpmdiff output was:
>error: cannot open Packages index using db5 - Permission denied (13)
>error: cannot open Packages database in /var/lib/rpm
>error: cannot open Packages database in /var/lib/rpm
>removed REQUIRES python3-ipalib(armv7hl-32) = 4.3.0-1.fc24
>added REQUIRES python3-ipalib(x86-64) = 4.3.0-1.fc24
>0 free 0 open 4 done 1 failed

I think that log file is crystal clear.

The noarch package "python3-ipatests-4.3.0-1.fc24.noarch.rpm"
requires packages with strict architecture.

sh$ wget https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python3-ipatests-4.3.0-1.fc24.noarch.rpm

sh$ rpm -qp --requires python3-ipatests-4.3.0-1.fc24.noarch.rpm
/usr/bin/python3
freeipa-client-common = 4.3.0-1.fc24
python(abi) = 3.5
python3-coverage
python3-ipalib(x86-64) = 4.3.0-1.fc24
python3-nose
python3-polib
python3-pytest >= 2.6
python3-pytest-multihost >= 0.5
python3-pytest-sourceorder
rpmlib(CompressedFileNames) <= 3.0.4-1
rpmlib(FileDigests) <= 4.6.0-1
rpmlib(PayloadFilesHavePrefix) <= 4.0-1
rpmlib(PayloadIsXz) <= 5.2-1
tar
xz

noarch packages are built for each architecture: armv7hl-32, x86-64, i686
But the same package should be built on each platform.

In your case requires, provides are different. This is a reason
why rpmdiff failed for some noarch packages.

Attached are two patches which fix issues with build in koji.
The 1st patch removes usage of %{_isa} in noarch packages.

The second one violates python packaging guidelines
http://fedoraproject.org/wiki/Packaging:Python#Reviewer_checklist
But there seems to be bug (in rpmbuild???)
because "rpm --eval" does not generate provides with architecture. sh$ wget https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python2-ipatests-4.3.0-1.fc24.noarch.rpm sh$ rpm -qp --provides python2-ipatests-4.3.0-1.fc24.noarch.rpm freeipa-tests(x86-64) = 4.3.0-1.fc24 ipa-tests(x86-64) = 4.3.0 python-ipatests = 4.3.0-1.fc24 python-ipatests(x86-64) = 4.3.0-1.fc24 python2-ipatests = 4.3.0-1.fc24 sh$ rpm --eval "%{?python_provide:%python_provide python2-ipatests}" Provides: python-ipatests = %{version}-%{release} Obsoletes: python-ipatests < %{version}-%{release} So better workaround could be to replace macro "%python_provide" with manually generated "Provides" and "Obsoletes" It's up to you and discussion with python experts :-) LS >From 0674e1e6aae2423c050be520b9c1b13f8feeb3d8 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Mon, 4 Jan 2016 19:02:24 +0100 Subject: [PATCH 1/2] Remove _isa from requires and provides --- freeipa.spec | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/freeipa.spec b/freeipa.spec index 9c32876a0faa45dbe6aac49551264c0366777b03..a1de4dc5dd2442899c6a36cb48a732fd49ad7909 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -365,7 +365,7 @@ BuildArch: noarch %{?python_provide:%python_provide python2-ipaclient} Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} -Requires: python2-ipalib%{?_isa} = %{version}-%{release} +Requires: python2-ipalib = %{version}-%{release} Requires: python-dns >= 1.11.1 %description -n python2-ipaclient @@ -402,7 +402,7 @@ Summary: IPA administrative tools Group: System Environment/Base BuildArch: noarch Requires: %{name}-client-common = %{version}-%{release} -Requires: python2-ipalib%{?_isa} = %{version}-%{release} +Requires: python2-ipalib = %{version}-%{release} Requires: python-ldap Provides: %{alt_name}-admintools = %{version} 
@@ -425,7 +425,7 @@ BuildArch: noarch Obsoletes: %{name}-python < 4.2.91 Provides: %{name}-python = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} -Requires: python2-ipalib%{?_isa} = %{version}-%{release} +Requires: python2-ipalib = %{version}-%{release} Provides: %{alt_name}-python-compat = %{version} Conflicts: %{alt_name}-python-compat @@ -561,10 +561,10 @@ If you are using IPA, you need to install this package. Summary: IPA tests and test tools BuildArch: noarch Obsoletes: %{name}-tests < 4.2.91 -Provides: %{name}-tests%{?_isa} = %{version}-%{release} +Provides: %{name}-tests = %{version}-%{release} %{?python_provide:%python_provide python2-ipatests} Requires: %{name}-client-common = %{version}-%{release} -Requires: python2-ipalib%{?_isa} = %{version}-%{release} +Requires: python2-ipalib = %{version}-%{release} Requires: tar Requires: xz Requires: python-nose @@ -575,7 +575,7 @@ Requires: python-polib Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder -Provides: %{alt_name}-tests%{?_isa}
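Review bot: the visible hunks only drop %{?_isa} from the python2-* subpackages (python2-ipaclient, the admintools and python compat sections, python2-ipatests), yet the rpmdiff failure quoted at the top of the thread is for python3-ipatests requiring python3-ipalib(x86-64); confirm that the part of the patch cut off here applies the same change to every python3 Requires and Provides, otherwise the python3 noarch rpms still differ between the per-arch builds and rpmdiff fails again. The change itself is the right one: a noarch package cannot carry an ISA-qualified dependency, because %{_isa} expands to a different value on each build host, which is exactly the "removed REQUIRES ...(armv7hl-32) / added REQUIRES ...(x86-64)" pair in the log.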
Re: [Freeipa-devel] 4.3 on rawhide build task fail
On (05/01/16 10:37), Lukas Slebodnik wrote:
>On (22/12/15 16:31), Petr Vobornik wrote:
>>Build of 4.3 on Fedora rawhide failed at the end on rpmdiff check. Builds for
>>all arches were successful and also works in COPR.
>>
>> 0 free 1 open 4 done 0 failed
>>12284450 build (rawhide, /freeipa:b2442d51ba3f2a5f907f72e9bd90c5889bd89c0e):
>>open (buildppcle-07.phx2.fedoraproject.org) -> FAILED: BuildError: mismatch
>>when analyzing python3-ipatests-4.3.0-1.fc24.noarch.rpm, rpmdiff output was:
>>error: cannot open Packages index using db5 - Permission denied (13)
>>error: cannot open Packages database in /var/lib/rpm
>>error: cannot open Packages database in /var/lib/rpm
>>removed REQUIRES python3-ipalib(armv7hl-32) = 4.3.0-1.fc24
>>added REQUIRES python3-ipalib(x86-64) = 4.3.0-1.fc24
>>0 free 0 open 4 done 1 failed
>I think that log file is crystal clear.
>
>The noarch package "python3-ipatests-4.3.0-1.fc24.noarch.rpm"
>requires packages with strict architecture.
>
>sh$ wget
>https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python3-ipatests-4.3.0-1.fc24.noarch.rpm
>
>sh$ rpm -qp --requires python3-ipatests-4.3.0-1.fc24.noarch.rpm
>/usr/bin/python3
>freeipa-client-common = 4.3.0-1.fc24
>python(abi) = 3.5
>python3-coverage
>python3-ipalib(x86-64) = 4.3.0-1.fc24
>python3-nose
>python3-polib
>python3-pytest >= 2.6
>python3-pytest-multihost >= 0.5
>python3-pytest-sourceorder
>rpmlib(CompressedFileNames) <= 3.0.4-1
>rpmlib(FileDigests) <= 4.6.0-1
>rpmlib(PayloadFilesHavePrefix) <= 4.0-1
>rpmlib(PayloadIsXz) <= 5.2-1
>tar
>xz
>
>noarch packages are built for each architecture: armv7hl-32, x86-64, i686
>But the same package should be built on each platform.
>
>In your case requires, provides are different. This is a reason
>why rpmdiff failed for some noarch packages.
>
>Attached are two patches which fix issues with build in koji.
>The 1st patch removes usage of %{_isa} in noarch packages.
>
>The second one violates python packaging guidelines
>http://fedoraproject.org/wiki/Packaging:Python#Reviewer_checklist
>But there seems to be bug (in rpmbuild???) because "rpm --eval" does not
>generate provides with architecture.
>
>sh$ wget
>https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python2-ipatests-4.3.0-1.fc24.noarch.rpm
>
>sh$ rpm -qp --provides python2-ipatests-4.3.0-1.fc24.noarch.rpm
>freeipa-tests(x86-64) = 4.3.0-1.fc24
>ipa-tests(x86-64) = 4.3.0
>python-ipatests = 4.3.0-1.fc24
>python-ipatests(x86-64) = 4.3.0-1.fc24
>python2-ipatests = 4.3.0-1.fc24
>
>sh$ rpm --eval "%{?python_provide:%python_provide python2-ipatests}"
>Provides: python-ipatests = %{version}-%{release}
>Obsoletes: python-ipatests < %{version}-%{release}
>
>So better workaround could be to replace macro "%python_provide"
>with manually generated "Provides" and "Obsoletes"
>It's up to you and discussion with python experts :-)
>
>LS
>>From 0674e1e6aae2423c050be520b9c1b13f8feeb3d8 Mon Sep 17 00:00:00 2001
>From: Lukas Slebodnik
>Date: Mon, 4 Jan 2016 19:02:24 +0100
>Subject: [PATCH 1/2] Remove _isa from requires and provides
>

And here is a link to koji build with the patches
http://koji.fedoraproject.org/koji/taskinfo?taskID=12405513

LS

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
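The check Lukas performs by hand above (download the noarch rpm, read its requires, spot the ISA-qualified entry) as an added Python example; this is not FreeIPA's or rpmdiff's code. It parses the one-dependency-per-line text that `rpm -qp --requires` prints, flags qualifiers of the `name(x86-64)` / `name(armv7hl-32)` form (the ISA pattern used here is an assumption that covers the qualifiers rpm prints for %{_isa}), and diffs two per-arch lists the way the koji rpmdiff failure in this thread reported them. The sample dependency lines are constructed from the ones quoted above.

```python
"""Flag ISA-qualified dependencies in a noarch rpm and diff per-arch builds.

Added example, not FreeIPA's or rpmdiff's code.
"""
import re
from collections import namedtuple

Dep = namedtuple("Dep", "name qual op ver")

# One dependency as printed by `rpm -qp --requires` / `--provides`:
#   name[(qualifier)] [op version]
_DEP_RE = re.compile(
    r"^(?P<name>[^\s(]+)(?:\((?P<qual>[^)]+)\))?"
    r"(?:\s+(?P<op>[<>=]+)\s+(?P<ver>\S+))?$"
)
# %{_isa} expands to "(x86-64)", "(armv7hl-32)", "(ppc-64)" and so on:
# an architecture token, a dash and the word size (assumed pattern).
_ISA_RE = re.compile(r"^[A-Za-z0-9]+-(32|64)$")


def parse_deps(text):
    """Parse rpm's dependency listing into Dep tuples."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _DEP_RE.match(line)
        if m is None:
            raise ValueError("unparsable dependency line: %r" % line)
        deps.append(Dep(**m.groupdict()))
    return deps


def format_dep(dep):
    """Render a Dep back into rpm's textual form."""
    s = dep.name
    if dep.qual:
        s += "(%s)" % dep.qual
    if dep.op:
        s += " %s %s" % (dep.op, dep.ver)
    return s


def isa_qualified(text):
    """Return the dependencies that carry an ISA qualifier.

    In a noarch package every such entry is a bug: rpm asks for a different
    ISA on each build architecture, so the per-arch builds of one noarch rpm
    end up with mismatching requires/provides and rpmdiff rejects them.
    Qualifiers like python(abi) or rpmlib(FileDigests) are not ISAs.
    """
    return [format_dep(d) for d in parse_deps(text)
            if d.qual and _ISA_RE.match(d.qual)]


def rpmdiff_requires(old_text, new_text):
    """Report requires present in one per-arch build but not the other,
    in the wording of the koji rpmdiff failure ('removed'/'added')."""
    old = set(format_dep(d) for d in parse_deps(old_text))
    new = set(format_dep(d) for d in parse_deps(new_text))
    report = ["removed REQUIRES " + d for d in sorted(old - new)]
    report += ["added REQUIRES " + d for d in sorted(new - old)]
    return report


# Constructed sample: a subset of the python3-ipatests requires from the
# x86_64 build quoted in the thread, and the armv7hl build's version of it.
REQUIRES_X86_64 = """\
/usr/bin/python3
freeipa-client-common = 4.3.0-1.fc24
python(abi) = 3.5
python3-coverage
python3-ipalib(x86-64) = 4.3.0-1.fc24
python3-nose
python3-pytest >= 2.6
rpmlib(PayloadIsXz) <= 5.2-1
"""
REQUIRES_ARMV7HL = REQUIRES_X86_64.replace("(x86-64)", "(armv7hl-32)")

if __name__ == "__main__":
    for dep in isa_qualified(REQUIRES_X86_64):
        print("ISA-qualified dependency in noarch package:", dep)
    for line in rpmdiff_requires(REQUIRES_ARMV7HL, REQUIRES_X86_64):
        print(line)
```

Feeding it the output of `rpm -qp --requires` and `rpm -qp --provides` of each per-arch copy of a noarch rpm before submitting to koji catches the mismatch without waiting for the rpmdiff stage of the build.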
Re: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8
On 01/05/2016 08:54 AM, Jan Cholasta wrote:
> Hi,
>
> the attached patch replaces the default_encoding_utf8 binary module with
> 2 lines of equivalent Python code.
>
> Honza

This looks fine to me, however, I wonder, why this approach was ever taken? The sys.setdefaultencoding is available in all versions of Python ever supported by FreeIPA. Is it possible we're missing something here? Or was this option simply overlooked?

Ccing Rob.

Tomas
Re: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8
On Tue, 05 Jan 2016, Tomas Babej wrote:
>On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>>Hi,
>>
>>the attached patch replaces the default_encoding_utf8 binary module with
>>2 lines of equivalent Python code.
>>
>>Honza
>
>This looks fine to me, however, I wonder, why this approach was ever taken? The sys.setdefaultencoding is available in all versions of Python ever supported by FreeIPA. Is it possible we're missing something here? Or was this option simply overlooked?

There is more history to it and it is mostly ugly:
https://bugzilla.redhat.com/show_bug.cgi?id=243541

--
/ Alexander Bokovoy
Re: [Freeipa-devel] 4.3 on rawhide build task fail
On 01/05/2016 10:55 AM, Lukas Slebodnik wrote:
>On (05/01/16 10:37), Lukas Slebodnik wrote:
>>On (22/12/15 16:31), Petr Vobornik wrote:
>>>Build of 4.3 on Fedora rawhide failed at the end on rpmdiff check. Builds for
>>>all arches were successful and also works in COPR.
>>>
>>> 0 free 1 open 4 done 0 failed
>>>12284450 build (rawhide, /freeipa:b2442d51ba3f2a5f907f72e9bd90c5889bd89c0e):
>>>open (buildppcle-07.phx2.fedoraproject.org) -> FAILED: BuildError: mismatch
>>>when analyzing python3-ipatests-4.3.0-1.fc24.noarch.rpm, rpmdiff output was:
>>>error: cannot open Packages index using db5 - Permission denied (13)
>>>error: cannot open Packages database in /var/lib/rpm
>>>error: cannot open Packages database in /var/lib/rpm
>>>removed REQUIRES python3-ipalib(armv7hl-32) = 4.3.0-1.fc24
>>>added REQUIRES python3-ipalib(x86-64) = 4.3.0-1.fc24
>>>0 free 0 open 4 done 1 failed
>>I think that log file is crystal clear.
>>
>>The noarch package "python3-ipatests-4.3.0-1.fc24.noarch.rpm"
>>requires packages with strict architecture.
>>
>>sh$ wget
>>https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python3-ipatests-4.3.0-1.fc24.noarch.rpm
>>
>>sh$ rpm -qp --requires python3-ipatests-4.3.0-1.fc24.noarch.rpm
>>/usr/bin/python3
>>freeipa-client-common = 4.3.0-1.fc24
>>python(abi) = 3.5
>>python3-coverage
>>python3-ipalib(x86-64) = 4.3.0-1.fc24
>>python3-nose
>>python3-polib
>>python3-pytest >= 2.6
>>python3-pytest-multihost >= 0.5
>>python3-pytest-sourceorder
>>rpmlib(CompressedFileNames) <= 3.0.4-1
>>rpmlib(FileDigests) <= 4.6.0-1
>>rpmlib(PayloadFilesHavePrefix) <= 4.0-1
>>rpmlib(PayloadIsXz) <= 5.2-1
>>tar
>>xz
>>
>>noarch packages are built for each architecture: armv7hl-32, x86-64, i686
>>But the same package should be built on each platform.
>>
>>In your case requires, provides are different. This is a reason
>>why rpmdiff failed for some noarch packages.
>>
>>Attached are two patches which fix issues with build in koji.
>>The 1st patch removes usage of %{_isa} in noarch packages.
>>
>>The second one violates python packaging guidelines
>>http://fedoraproject.org/wiki/Packaging:Python#Reviewer_checklist
>>But there seems to be bug (in rpmbuild???) because "rpm --eval" does not
>>generate provides with architecture.
>>
>>sh$ wget
>>https://kojipkgs.fedoraproject.org//work/tasks/4513/12284513/python2-ipatests-4.3.0-1.fc24.noarch.rpm
>>
>>sh$ rpm -qp --provides python2-ipatests-4.3.0-1.fc24.noarch.rpm
>>freeipa-tests(x86-64) = 4.3.0-1.fc24
>>ipa-tests(x86-64) = 4.3.0
>>python-ipatests = 4.3.0-1.fc24
>>python-ipatests(x86-64) = 4.3.0-1.fc24
>>python2-ipatests = 4.3.0-1.fc24
>>
>>sh$ rpm --eval "%{?python_provide:%python_provide python2-ipatests}"
>>Provides: python-ipatests = %{version}-%{release}
>>Obsoletes: python-ipatests < %{version}-%{release}
>>
>>So better workaround could be to replace macro "%python_provide"
>>with manually generated "Provides" and "Obsoletes"
>>It's up to you and discussion with python experts :-)
>>
>>LS
>>>From 0674e1e6aae2423c050be520b9c1b13f8feeb3d8 Mon Sep 17 00:00:00 2001
>>From: Lukas Slebodnik
>>Date: Mon, 4 Jan 2016 19:02:24 +0100
>>Subject: [PATCH 1/2] Remove _isa from requires and provides
>>
>
>And here is a link to koji build with the patches
>http://koji.fedoraproject.org/koji/taskinfo?taskID=12405513
>
>LS

Thanks Lukas, especially for the second part. I found out the first part yesterday [1].

I'm still not sure if it wouldn't be better to change the noarch packages to arch specific. We wouldn't have to use the workaround and we could keep the arch specific requires.

[1] https://fedorahosted.org/freeipa/ticket/5568

--
Petr Vobornik
Re: [Freeipa-devel] Added kpasswd_server directive in client krb5.conf
On 2016-01-04 23:38, Nalin Dahyabhai wrote:
> On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote:
>> Hi All,
>>
>> Please review patches attached.
>
> The port number should probably be changed from 749 to 464.

Nalin is correct. kpasswd and admin server use different ports:

$ getent services kpasswd
kpasswd               464/tcp kpwd
$ getent services kerberos-adm
kerberos-adm          749/tcp

Except for the port number, the patch looks good to me.

Christian
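An added Python example (not FreeIPA's code) that builds the realm options the way ipa-client-install's configure_krb5_conf() assembles them, renders the [realms] stanza, and checks every server entry's port against the getent table above, so a kpasswd_server line that points at the kadmin port 749 is reported. format_netloc() is a stand-in for ipautil.format_netloc(); the hostnames, domain and CA path are placeholders.

```python
"""Build the krb5.conf [realms] stanza and verify the Kerberos service ports.

Added example, not FreeIPA's code.
"""

# Service ports as `getent services` lists them (kerberos, kerberos-adm, kpasswd).
KERBEROS_PORTS = {
    "kdc": 88,
    "master_kdc": 88,
    "admin_server": 749,    # kerberos-adm
    "kpasswd_server": 464,  # kpasswd
}


def format_netloc(host, port):
    """Return host:port, bracketing a bare IPv6 literal (stand-in for
    ipautil.format_netloc)."""
    if ":" in host and not host.startswith("["):
        host = "[%s]" % host
    return "%s:%d" % (host, port)


def split_netloc(netloc):
    """Inverse of format_netloc(): return (host, port)."""
    host, _, port = netloc.rpartition(":")
    if host.startswith("[") and host.endswith("]"):
        host = host[1:-1]
    return host, int(port)


def realm_options(server, domain, cacert):
    """The per-realm options in the dict form configure_krb5_conf() uses."""
    opts = []
    for name in ("kdc", "master_kdc", "admin_server", "kpasswd_server"):
        opts.append({"name": name, "type": "option",
                     "value": format_netloc(server, KERBEROS_PORTS[name])})
    opts.append({"name": "default_domain", "type": "option", "value": domain})
    opts.append({"name": "pkinit_anchors", "type": "option",
                 "value": "FILE:%s" % cacert})
    return opts


def render_realm(realm, opts):
    """Render the [realms] section as krb5.conf text."""
    lines = ["[realms]", "  %s = {" % realm]
    for opt in opts:
        lines.append("    %s = %s" % (opt["name"], opt["value"]))
    lines.append("  }")
    return "\n".join(lines) + "\n"


def check_ports(opts):
    """Return (option, actual_port, expected_port) for every server option
    whose port disagrees with the service table."""
    problems = []
    for opt in opts:
        expected = KERBEROS_PORTS.get(opt["name"])
        if expected is None:
            continue
        _, port = split_netloc(opt["value"])
        if port != expected:
            problems.append((opt["name"], port, expected))
    return problems


# Constructed sample input: hostnames and CA path are placeholders.
SERVER = "ipa.example.test"
GOOD = realm_options(SERVER, "example.test", "/etc/ipa/ca.crt")
# The same stanza with kpasswd_server wrongly pointed at the kadmin port.
BAD = [dict(o, value=format_netloc(SERVER, 749)) if o["name"] == "kpasswd_server" else o
       for o in GOOD]

if __name__ == "__main__":
    print(render_realm("EXAMPLE.TEST", GOOD))
    print("problems in BAD stanza:", check_ports(BAD))
```

Keeping the port table in one place and checking the generated options against it is what prevents the 749/464 mix-up from reaching a client's krb5.conf in the first place.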
[Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall
The combination of a bug in Dogtag's sslget command and a new feature in mod_nss causes an incomplete uninstallation of KRA. The bug has been fixed in Dogtag 10.2.6-13. https://fedorahosted.org/freeipa/ticket/5469 https://fedorahosted.org/pki/ticket/1704 Signed-off-by: Christian Heimes From 9b3eae352513851be0e32b1e15fb00e8d08f8098 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Tue, 5 Jan 2016 12:14:03 +0100 Subject: [PATCH] Require Dogtag 10.2.6-13 to fix KRA uninstall The combination of a bug in Dogtag's sslget command and a new feature in mod_nss causes an incomplete uninstallation of KRA. The bug has been fixed in Dogtag 10.2.6-13. https://fedorahosted.org/freeipa/ticket/5469 https://fedorahosted.org/pki/ticket/1704 Signed-off-by: Christian Heimes --- freeipa.spec.in | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index d4e23bce1d8d07bc6dfe550564f3d26be1b52470..7e956538d0f6c24bab636579303e0c7b5eeec199 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -156,8 +156,8 @@ Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= 0.54.2-1 -Requires: pki-ca >= 10.2.6-12 -Requires: pki-kra >= 10.2.6-12 +Requires: pki-ca >= 10.2.6-13 +Requires: pki-kra >= 10.2.6-13 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: zip -- 2.5.0 signature.asc Description: OpenPGP digital signature -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
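Review bot: the bump is consistent (pki-ca and pki-kra both move from 10.2.6-12 to 10.2.6-13), but the commit message attributes the breakage to the combination of the sslget bug with a new mod_nss feature; if IPA's uninstall path depends on that mod_nss behaviour, record the minimum mod_nss version in the same commit so both sides of the constraint are expressed in the spec, not only the Dogtag side. Also consider stating in the commit message that the requirement is needed for uninstall to complete, since that is the case the ticket describes.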
Re: [Freeipa-devel] [PATCH 027] Require Dogtag 10.2.6-13 to fix KRA uninstall
On (05/01/16 12:24), Christian Heimes wrote:
>The combination of a bug in Dogtag's sslget command and a new feature
>in mod_nss causes an incomplete uninstallation of KRA. The bug has been
>fixed in Dogtag 10.2.6-13.
>
and it is in fedora 23 stable for a week
https://bodhi.fedoraproject.org/updates/FEDORA-2015-c7dd78ac78

LS

>https://fedorahosted.org/freeipa/ticket/5469
>https://fedorahosted.org/pki/ticket/1704
>
>Signed-off-by: Christian Heimes
Re: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8
On 5.1.2016 11:54, Alexander Bokovoy wrote:
>On Tue, 05 Jan 2016, Tomas Babej wrote:
>>On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>>>Hi,
>>>
>>>the attached patch replaces the default_encoding_utf8 binary module with
>>>2 lines of equivalent Python code.
>>>
>>>Honza
>>
>>This looks fine to me, however, I wonder, why this approach was ever taken? The sys.setdefaultencoding is available in all versions of Python ever supported by FreeIPA. Is it possible we're missing something here? Or was this option simply overlooked?
>
>There is more history to it and it is mostly ugly:
>https://bugzilla.redhat.com/show_bug.cgi?id=243541

What is actually ugly is badly written code which assumes a specific encoding anywhere instead of using an encoding appropriate in the given context. Rather than working around it using hacks such as changing the default encoding, the preferable solution should be to fix the badly written code itself (which is not always easy, as is the case with IPA).

--
Jan Cholasta
[Freeipa-devel] [PATCH 0120] prevent crash of CA-less server upgrade due to absent certmonger
fixes https://fedorahosted.org/freeipa/ticket/5519 -- Martin^3 Babinsky From d5e6dadf7e092b389284a753ec55e2448446f3d5 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 5 Jan 2016 13:00:24 +0100 Subject: [PATCH] prevent crash of CA-less server upgrade due to absent certmonger ipa-server-upgrade tests whether certmonger service is running before attempting to upgrade IPA master. This causes the upgrader to always fail when there is no CA installer and certmonger is not needed, effectively preventing CA-less IPA master to upgrade succefuly. This test is now skipped if CA is not enabled. https://fedorahosted.org/freeipa/ticket/5519 --- ipaserver/install/server/upgrade.py | 30 -- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index f37a8fea504d828f9bce5a870ad0b48f154b4e88..20379f19c652cb0b5911a4c2f1c67eae7f763379 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -291,6 +291,24 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) +def is_ca_enabled(): +""" +check whether there is an active CA master +:return: True if there is an active CA in topology, False otherwise +""" +ldap2 = api.Backend.ldap2 +was_connected = ldap2.isconnected() + +if not was_connected: +ldap2.connect() + +try: +return api.Command.ca_is_enabled()['result'] +finally: +if not was_connected: +ldap2.disconnect() + + def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') @@ -1477,7 +1495,10 @@ def upgrade_configuration(): http = httpinstance.HTTPInstance(fstore) http.configure_selinux_for_httpd() http.change_mod_nss_port_from_http() -http.configure_certmonger_renewal_guard() + +if is_ca_enabled(): +http.configure_certmonger_renewal_guard() + http.enable_and_start_oddjobd() ds.configure_dirsrv_ccache() 
@@ -1629,7 +1650,12 @@ def upgrade_check(options): print(unicode(e)) sys.exit(1) -if not services.knownservices.certmonger.is_running(): +try: +ca_is_enabled = is_ca_enabled() +except Exception as e: +raise RuntimeError("Cannot connect to LDAP server: {0}".format(e)) + +if not services.knownservices.certmonger.is_running() and ca_is_enabled: raise RuntimeError('Certmonger is not running. Start certmonger and run upgrade again.') if not options.skip_version_check: -- 2.5.0 From 9ea7ddfd7262f57700f89f4ff531a80dfedfd3e4 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 5 Jan 2016 13:00:24 +0100 Subject: [PATCH] prevent crash of CA-less server upgrade due to absent certmonger ipa-server-upgrade tests whether certmonger service is running before attempting to upgrade IPA master. This causes the upgrader to always fail when there is no CA installer and certmonger is not needed, effectively preventing CA-less IPA master to upgrade succefuly. This test is now skipped if CA is not enabled. https://fedorahosted.org/freeipa/ticket/5519 --- ipaserver/install/server/upgrade.py | 29 +++-- 1 file changed, 27 insertions(+), 2 deletions(-) diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 945cb3ebd63767cb1d57083e1da7c5605ac5a2f9..616fba5c1a5b3737481aecbb09ab5344641a3b04 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -292,6 +292,24 @@ def setup_firefox_extension(fstore): http.setup_firefox_extension(realm, domain) +def is_ca_enabled(): +""" +check whether there is an active CA master +:return: True if there is an active CA in topology, False otherwise +""" +ldap2 = api.Backend.ldap2 +was_connected = ldap2.isconnected() + +if not was_connected: +ldap2.connect() + +try: +return api.Command.ca_is_enabled()['result'] +finally: +if not was_connected: +ldap2.disconnect() + + def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') 
@@ -1416,7 +1434,9 @@ def upgrade_configuration(): http = httpinstance.HTTPInstance(fstore) http.configure_selinux_for_httpd() http.change_mod_nss_port_from_http() -http.configure_certmonger_renewal_guard() + +if is_ca_enabled(): +http.configure_certmonger_renewal_guard() ds.configure_dirsrv_ccache() @@ -1562,7 +1582,12 @@ def upgrade_check(options): print unicode(e) sys.exit(1) -if not services.knownservices.certmonger.is_running(): +try: +ca_is_enabled = is_ca_enabled() +except Exception as e: +raise RuntimeError("Cannot connect to LDAP server: {0}".format(e)) + +if not services.knownservices.certmonger.is_running() and ca_is_enabled: raise Run
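Review bot: in upgrade_check() the `except Exception` wrapped around is_ca_enabled() turns every failure, including one raised inside api.Command.ca_is_enabled() itself, into "Cannot connect to LDAP server: ..."; narrow it to the connection error types or include the exception class in the message so that the text does not mislabel a real upgrade bug. Second, `if not services.knownservices.certmonger.is_running() and ca_is_enabled:` reads more naturally, and skips the service probe on CA-less masters, as `if ca_is_enabled and not services.knownservices.certmonger.is_running():`. Third, is_ca_enabled() connects and disconnects the LDAP backend each time and is called again from upgrade_configuration(); computing it once in upgrade_check() and passing the result through avoids the second round trip. Finally, the commit message misspells "succefuly" (successfully). Both attached copies, the master one and the second one targeting the `print unicode(e)` code base, share these points.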
[Freeipa-devel] [PATCH 154] ipa-kdb: map_groups() consider all results
Hi, to find out to which local group a external user is mapped we do a dereference search over the external groups with the SIDs related to the external user. If a SID is mapped to more than one external group we currently consider only the first returned match. With this patch all results are taken into account. This makes sure all expected local group memberships are added to the PAC which resolves https://fedorahosted.org/freeipa/ticket/5573. bye, Sumit From 60748d2da05261df937eba85cee27c2ea0d7e893 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 16 Dec 2015 12:38:16 +0100 Subject: [PATCH] ipa-kdb: map_groups() consider all results Resolves https://fedorahosted.org/freeipa/ticket/5573 --- daemons/ipa-kdb/ipa_kdb_mspac.c | 118 +--- 1 file changed, 61 insertions(+), 57 deletions(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index daa42e369014f2ed401742474453ebb1aadef07c..45721f0dc06d90479f8fc2858c462c3647f7a3c6 100644 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c 
@@ -1082,68 +1082,72 @@ static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext, continue; } -ldap_derefresponse_free(deref_results); -ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); -switch (ret) { -case ENOENT: -/* No entry found, try next SID */ -break; -case 0: -if (deref_results == NULL) { -krb5_klog_syslog(LOG_ERR, "No results."); +do { +ldap_derefresponse_free(deref_results); +ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results); +switch (ret) { +case ENOENT: +/* No entry found, try next SID */ break; -} +case 0: +if (deref_results == NULL) { +krb5_klog_syslog(LOG_ERR, "No results."); +break; +} -for (dres = deref_results; dres; dres = dres->next) { -count++; -} +for (dres = deref_results; dres; dres = dres->next) { +count++; +} -sids = talloc_realloc(memctx, sids, struct dom_sid, count); -if (sids == NULL) { -krb5_klog_syslog(LOG_ERR, "talloc_realloc failed."); -kerr = ENOMEM; +sids = talloc_realloc(memctx, sids, struct dom_sid, count); +if (sids == NULL) { +krb5_klog_syslog(LOG_ERR, "talloc_realloc failed."); +kerr = ENOMEM; +goto done; +} + +for (dres = deref_results; dres; dres = dres->next) { +gid = 0; +memset(&sid, '\0', sizeof(struct dom_sid)); +for (dval = dres->attrVals; dval; dval = dval->next) { +if (strcasecmp(dval->type, "gidNumber") == 0) { +errno = 0; +gid = strtoul((char *)dval->vals[0].bv_val, + &endptr,10); +if (gid == 0 || gid >= UINT32_MAX || errno != 0 || +*endptr != '\0') { +continue; +} +} +if (strcasecmp(dval->type, + "ipaNTSecurityIdentifier") == 0) { +kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid); +if (kerr != 0) { +continue; +} +} +} +if (gid != 0 && sid.sid_rev_num != 0) { +/* TODO: check if gid maps to sid */ +if (sid_index >= count) { +krb5_klog_syslog(LOG_ERR, "Index larger than " + "array, this shoould " + "never happen."); +kerr = EFAULT; +goto done; +} +memcpy(&sids[sid_index], &sid, sizeof(struct dom_sid)); +sid_index++; +} +} + +break; +default: goto done; -} 
+} -for (dres = deref_results; dres; dres = dres-
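Review bot: the new `do { ... }` loop frees deref_results at the top of every iteration, so deref_results must be initialised to NULL before the loop is entered, and the loop's terminating `while` condition (cut off in this copy of the patch) has to exit on ENOENT, because the `break` in `case ENOENT:` only leaves the switch, not the loop; otherwise a SID with no matching external group keeps re-issuing the dereference. Also, `kerr` is assigned by string_to_sid() and then `continue`d past when non-zero, which leaves it set on the way out of the inner loop; make sure it is reset before the code at `done:` consults it, or the last unparsable SID value turns a successful mapping into an error. The moved log string still reads "shoould"; worth fixing while the block is being reindented.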
Re: [Freeipa-devel] [PATCH 536] ipapython: remove default_encoding_utf8
On Tue, 05 Jan 2016, Jan Cholasta wrote:
>On 5.1.2016 11:54, Alexander Bokovoy wrote:
>>On Tue, 05 Jan 2016, Tomas Babej wrote:
>>>On 01/05/2016 08:54 AM, Jan Cholasta wrote:
>>>>Hi,
>>>>
>>>>the attached patch replaces the default_encoding_utf8 binary module with
>>>>2 lines of equivalent Python code.
>>>>
>>>>Honza
>>>
>>>This looks fine to me, however, I wonder, why this approach was ever taken? The sys.setdefaultencoding is available in all versions of Python ever supported by FreeIPA. Is it possible we're missing something here? Or was this option simply overlooked?
>>
>>There is more history to it and it is mostly ugly:
>>https://bugzilla.redhat.com/show_bug.cgi?id=243541
>
>What is actually ugly is badly written code which assumes a specific encoding anywhere instead of using an encoding appropriate in the given context. Rather than working around it using hacks such as changing the default encoding, the preferable solution should be to fix the badly written code itself (which is not always easy, as is the case with IPA).

I do agree with you in general but this case is sufficiently different enough to warrant what we have in place.

--
/ Alexander Bokovoy
[Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
The LDAP context was not checked on the first api call and a context may be null on some error conditions (LDAP server unreachable). Always check that we have a valid context before calling the ldap API. Builds abut it is untested. Simo. -- Simo Sorce * Red Hat, Inc * New York From 934568405c8868016dad0dbdcae91e5eada29c8a Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 5 Jan 2016 16:04:49 -0500 Subject: [PATCH] Always verify we have a valid ldap context. LDAP calls just assert if an invalid (NULL) context is passed in, so we need to be sure we have a valid connection context before calling into LDAP APIs and fail outright if a context can't be obtained. Signed-off-by: Simo Sorce --- daemons/ipa-kdb/ipa_kdb_common.c | 29 + 1 file changed, 29 insertions(+) diff --git a/daemons/ipa-kdb/ipa_kdb_common.c b/daemons/ipa-kdb/ipa_kdb_common.c index 112086b57c9f83895589538b5494ae81fb14a948..7438f35049ba4e88c401f85a1703323c38c063cc 100644 --- a/daemons/ipa-kdb/ipa_kdb_common.c +++ b/daemons/ipa-kdb/ipa_kdb_common.c @@ -158,6 +158,14 @@ static bool ipadb_need_retry(struct ipadb_context *ipactx, int error) return false; } +static int ipadb_check_connection(struct ipadb_context *ipactx) +{ +if (ipactx->lcontext == NULL) { +return ipadb_get_connection(ipactx); +} +return 0; +} + krb5_error_code ipadb_simple_search(struct ipadb_context *ipactx, char *basedn, int scope, char *filter, char **attrs, @@ -165,6 +173,10 @@ krb5_error_code ipadb_simple_search(struct ipadb_context *ipactx, { int ret; +ret = ipadb_check_connection(ipactx); +if (ret != 0) +return ipadb_simple_ldap_to_kerr(ret); + ret = ldap_search_ext_s(ipactx->lcontext, basedn, scope, filter, attrs, 0, NULL, NULL, &std_timeout, LDAP_NO_LIMIT, 
@@ -187,6 +199,10 @@ krb5_error_code ipadb_simple_delete(struct ipadb_context *ipactx, char *dn) { int ret; +ret = ipadb_check_connection(ipactx); +if (ret != 0) +return ipadb_simple_ldap_to_kerr(ret); + ret = ldap_delete_ext_s(ipactx->lcontext, dn, NULL, NULL); /* first test if we need to retry to connect */ @@ -204,6 +220,10 @@ krb5_error_code ipadb_simple_add(struct ipadb_context *ipactx, { int ret; +ret = ipadb_check_connection(ipactx); +if (ret != 0) +return ipadb_simple_ldap_to_kerr(ret); + ret = ldap_add_ext_s(ipactx->lcontext, dn, mods, NULL, NULL); /* first test if we need to retry to connect */ @@ -221,6 +241,10 @@ krb5_error_code ipadb_simple_modify(struct ipadb_context *ipactx, { int ret; +ret = ipadb_check_connection(ipactx); +if (ret != 0) +return ipadb_simple_ldap_to_kerr(ret); + ret = ldap_modify_ext_s(ipactx->lcontext, dn, mods, NULL, NULL); /* first test if we need to retry to connect */ @@ -320,6 +344,11 @@ krb5_error_code ipadb_deref_search(struct ipadb_context *ipactx, retry = true; while (retry) { times--; + +ret = ipadb_check_connection(ipactx); +if (ret != 0) +break; + ret = ldap_search_ext_s(ipactx->lcontext, base_dn, scope, filter, entry_attrs, 0, -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
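Review bot: in ipadb_deref_search() a failed ipadb_check_connection() `break`s out of the retry loop with `ret` holding the raw LDAP result, whereas the four simple wrappers return ipadb_simple_ldap_to_kerr(ret); check that the code after the loop converts `ret` the same way, or return the converted error directly as the other hunks do, so callers see a krb5 error code in every path. Style: the new `if (ret != 0) return ...;` lines are brace-less, unlike the surrounding code. Since ipadb_check_connection() is static to this file and is added to exactly five call sites, any other ldap_* call on ipactx->lcontext elsewhere in the file keeps the unchecked NULL dereference the commit message says is being eliminated; a grep for lcontext in the KDB driver should confirm there are none left.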
Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
> The LDAP context was not checked on the first api call and a context may
> be null on some error conditions (LDAP server unreachable).
>
> Always check that we have a valid context before calling the ldap API.
>
> Builds abut it is untested.

Forgot to mention that this bug affects all 4.x versions and should probably be backported on all maintained branches.

I opened a bug to track it too:
https://fedorahosted.org/freeipa/ticket/5577

Simo.

--
Simo Sorce * Red Hat, Inc * New York
[Freeipa-devel] [PATCH] 0048 Decode HTTP reason phrase as iso-8859-1
Happy new year, all. The attached patch fixes a unicode decode error triggered in some locales, which causes failure of installation (and probably other oprations, if locale is changed under an existing server). https://fedorahosted.org/freeipa/ticket/5578 Cheers, Fraser From 9fb59b95553d3f02aa401142a87723e5d0fb2b8a Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Wed, 6 Jan 2016 14:50:42 +1100 Subject: [PATCH] Decode HTTP reason phrase as iso-8859-1 The HTTP reason phrase sent by Dogtag is encoded in iso-8859-1; use this charset instead of utf8 when decoding it to avoid decoding errors when characters > 127 appear. Fixes: https://fedorahosted.org/freeipa/ticket/5578 --- ipapython/dogtag.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py index 010e49652687680444d18e2e8f784fb6167a0df5..c99847013c70c7e82796a99234c1e684f32ddfac 100644 --- a/ipapython/dogtag.py +++ b/ipapython/dogtag.py @@ -219,7 +219,7 @@ def _httplib_request( res = conn.getresponse() http_status = res.status -http_reason_phrase = unicode(res.reason, 'utf-8') +http_reason_phrase = unicode(res.reason, 'iso-8859-1') http_headers = res.msg.dict http_body = res.read() conn.close() -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
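Review bot: the one-line change is correct and, unlike the utf-8 decode it replaces, can never raise, since every byte is a valid ISO-8859-1 code point; add a short comment at the call site saying why iso-8859-1 is used (the reason phrase is opaque octets and Dogtag emits it in that charset) so a later cleanup does not revert it to utf-8. The headers (`res.msg.dict`) and `http_body` are left as they were; if the body is decoded with utf-8 anywhere downstream, the same locale-dependent failure can remain, which the ticket should mention.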
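An added Python example (not FreeIPA's or Dogtag's code) that reproduces the failure the patch fixes and the reason the fix is safe: a reason phrase carrying a byte above 127 blows up under a utf-8 decode, while an iso-8859-1 decode is total and cannot raise. The status line is constructed to resemble what a Dogtag server running in a German locale might send; the status-line parser around the decode is this example's own, not ipapython's.

```python
"""Decode an HTTP status line without a locale-dependent crash.

Added example, not FreeIPA's code.
"""
import re

# Constructed sample: "Nicht gefunden: ungültige Anfrage" in ISO-8859-1,
# where 0xfc is 'ü'. As utf-8 that byte is an invalid start byte.
STATUS_LINE_DE = b"HTTP/1.1 404 Nicht gefunden: ung\xfcltige Anfrage\r\n"

_STATUS_RE = re.compile(rb"^HTTP/(\d)\.(\d) (\d{3})(?: (.*))?$")


def decode_reason_phrase(raw):
    """Return the reason phrase as text.

    RFC 7230 defines reason-phrase as opaque octets, historically
    ISO-8859-1 (Python 3's http.client decodes the status line the same
    way). Every byte maps to one code point, so this cannot raise.
    """
    if isinstance(raw, str):
        return raw
    return raw.decode("iso-8859-1")


def utf8_decode_error(raw):
    """Return the UnicodeDecodeError a utf-8 decode would raise, or None."""
    try:
        raw.decode("utf-8")
    except UnicodeDecodeError as e:
        return e
    return None


def parse_status_line(line):
    """Split a raw status line into (http_version, status, reason_phrase)."""
    m = _STATUS_RE.match(line.rstrip(b"\r\n"))
    if m is None:
        raise ValueError("malformed status line: %r" % line)
    major, minor, status, reason = m.groups()
    version = "HTTP/%s.%s" % (major.decode("ascii"), minor.decode("ascii"))
    return version, int(status), decode_reason_phrase(reason or b"")


if __name__ == "__main__":
    err = utf8_decode_error(STATUS_LINE_DE)
    print("utf-8 decode:", "fails with %s" % err if err else "ok")
    print("parsed:", parse_status_line(STATUS_LINE_DE))
```

The same reasoning applies to any field a peer sends as raw octets: pick a total decoding for it rather than the locale's or the default encoding, and keep utf-8 for payloads that are specified to be utf-8.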
Re: [Freeipa-devel] [PATCH] Added kpasswd_server directive in client krb5.conf
Hi All,

On 01/05/2016 04:52 PM, Christian Heimes wrote:
On 2016-01-04 23:38, Nalin Dahyabhai wrote:
On Mon, Dec 21, 2015 at 12:17:08PM +0530, Abhijeet Kasurde wrote:
Hi All,
Please review patches attached.

The port number should probably be changed from 749 to 464.

Nalin is correct. kpasswd and admin server use different ports:

$ getent services kpasswd
kpasswd 464/tcp kpwd
$ getent services kerberos-adm
kerberos-adm 749/tcp

Except for the port number, the patch looks good to me.

Changed port number from 749 to 464. Thanks Nalin and Christian.
Please review patches attached.

Christian

Thanks,
Abhijeet Kasurde

From ace7705e73e0af67253d0484d7dad2f7f1fa4e77 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Mon, 21 Dec 2015 12:11:31 +0530 Subject: [PATCH] Added kpasswd_server directive in client krb5.conf While configuring ipa client using ipa-client-install can configure kpasswd_server explicitly using directive in client's krb5.conf https://fedorahosted.org/freeipa/ticket/5547 Signed-off-by: Abhijeet Kasurde --- ipa-client/ipa-install/ipa-client-install | 4 1 file changed, 4 insertions(+) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 789ff591591673744ee3b922e5c0181233ad553c..14d1dc98a23fed8ffe147c0c03711e7d7467edef 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install
@@ -1103,6 +1103,10 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, kropts.append({'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)}) kropts.append({'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)}) kropts.append({'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(server, 749)}) +kropts.append({'name': 'kpasswd_server', + 'type': 'option', + 'value': ipautil.format_netloc(server, 464) + }) kropts.append({'name':'default_domain', 'type':'option', 'value':cli_domain}) kropts.append({'name':'pkinit_anchors', 'type':'option', 'value':'FILE:%s' % CACERT}) ropts = [{'name':cli_realm, 'type':'subsection', 'value':kropts}] -- 2.4.3 From bfb646e2a77151bd0fcfd61d50e23afb04266581 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Mon, 21 Dec 2015 12:03:10 +0530 Subject: [PATCH] Added kpasswd_server directive in client krb5.conf While configuring ipa client using ipa-client-install can configure kpasswd_server explicitly using directive in client's krb5.conf https://fedorahosted.org/freeipa/ticket/5547 Signed-off-by: Abhijeet Kasurde --- ipa-client/ipa-install/ipa-client-install | 4 1 file changed, 4 insertions(+) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index af8d27bd0da9b847fef917d3bcc2ebd1837c5fb0..443a4429f45e6c3f572d4f21a795549c0257 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -1106,6 +1106,10 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, kropts.append({'name':'kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)}) kropts.append({'name':'master_kdc', 'type':'option', 'value':ipautil.format_netloc(server, 88)}) kropts.append({'name':'admin_server', 'type':'option', 'value':ipautil.format_netloc(server, 749)}) +kropts.append({'name': 'kpasswd_server', + 'type': 'option', + 'value': ipautil.format_netloc(server, 464) + }) kropts.append({'name':'default_domain', 'type':'option', 'value':cli_domain}) kropts.append({'name':'pkinit_anchors', 'type':'option', 'value':'FILE:%s' % CACERT}) ropts = [{'name':cli_realm, 'type':'subsection', 'value':kropts}] -- 2.4.3
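Review bot: the commit message on both attached patches ("While configuring ipa client using ipa-client-install can configure kpasswd_server explicitly using directive in client's krb5.conf") is missing its subject and should state what the change does and why, e.g. that ipa-client-install now writes an explicit `kpasswd_server` entry pointing at port 464, the kpasswd port confirmed by `getent services kpasswd` in the thread; the 749 to 464 correction itself is applied correctly in both `configure_krb5_conf` hunks. Style: the added entry is a multi-line dict with spaces after the colons (`'name': 'kpasswd_server'`) while the adjacent `kdc`, `master_kdc` and `admin_server` entries are single-line `'name':'kdc'`, so either match the surrounding style or reformat them together. The two patches carry the same change and differ only in hunk offset (1103 vs 1106); the cover mail should say which branch each one targets.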
[Freeipa-devel] [pytest-multihost-devel][PATCH] Warn user about missing multihost conf file
Hi All,

Please review attached patch.

Fixes: https://fedorahosted.org/python-pytest-multihost/ticket/3

Thanks,
Abhijeet Kasurde

From 0fc2238dd0bd26a789232ffaec058ac59f304e43 Mon Sep 17 00:00:00 2001 From: Abhijeet Kasurde Date: Wed, 6 Jan 2016 11:38:24 +0530 Subject: [PATCH] Added error handling in config file handling. The fix provides error handling in multihost configuration file handling, by notifying user about exact error message about missing or wrong configuration file. https://fedorahosted.org/python-pytest-multihost/ticket/3 Signed-off-by: Abhijeet Kasurde --- pytest_multihost/plugin.py | 27 --- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/pytest_multihost/plugin.py b/pytest_multihost/plugin.py index af1441fc9fa7d701dfd4a12336277960ff708858..dc6ffac1ba5ad2f896977d812db7962db6178396 100644 --- a/pytest_multihost/plugin.py +++ b/pytest_multihost/plugin.py
@@ -26,17 +26,22 @@ def pytest_addoption(parser): def pytest_load_initial_conftests(args, early_config, parser): ns = early_config.known_args_namespace if ns.multihost_config: -with open(ns.multihost_config) as conffile: -if yaml: -confdict = yaml.safe_load(conffile) -else: -try: -confdict = json.load(conffile) -except Exception: -traceback.print_exc() -raise exit( -'Could not load %s. If it is a YAML file, you need ' -'PyYAML installed.' % ns.multihost_config) +try: +with open(ns.multihost_config) as conffile: +if yaml: +confdict = yaml.safe_load(conffile) +else: +try: +confdict = json.load(conffile) +except Exception: +traceback.print_exc() +raise exit( +'Could not load %s. If it is a YAML file, you need ' +'PyYAML installed.' % ns.multihost_config) +except IOError as e: +raise exit('Unable to find multihost configuration file (%s),\n' + 'Please check path of configuration file and retry.' + % (ns.multihost_config)) plugin = MultihostPlugin(confdict) pluginmanager = early_config.pluginmanager.register( plugin, 'MultihostPlugin') -- 2.4.3
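Review bot: the `except IOError as e:` branch in the `pytest_load_initial_conftests` hunk binds `e` but never uses it and reports every IOError as "Unable to find multihost configuration file", so a permission-denied or is-a-directory failure will be misdiagnosed as a missing file; include `e.strerror` in the message so the output really carries the "exact error message" the commit message promises, e.g. `raise exit('Could not open multihost configuration file %s: %s' % (ns.multihost_config, e.strerror))`. The parentheses in `% (ns.multihost_config)` do not form a tuple and can be dropped. The re-indentation of the YAML/JSON block is unavoidable once it is wrapped in `try:`, but the broad `except Exception` around `json.load` is kept as-is and could be narrowed to `ValueError` in the same pass.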
Re: [Freeipa-devel] [PATCH 559] Fix kadmin for new users
On 11/25/2015 03:41 PM, Martin Kosek wrote:
On 11/25/2015 03:32 PM, Simo Sorce wrote:
On Wed, 2015-11-25 at 14:13 +0100, Tomas Babej wrote:
On 11/25/2015 02:13 PM, Tomas Babej wrote:
On 11/25/2015 02:00 PM, Martin Babinsky wrote:
On 11/24/2015 11:32 PM, Simo Sorce wrote:

Ticket #937 was reopened a while ago because one corner case, new users that have never been assigned a password cause kadmin/kadmin.local to throw a fit when they try to visualize information about those user's principals.

This patch fakes up modification information when no krbExtraData is available for the principal so that kadmin is happy.

Tested and working as designed.

Simo.

ACK

Pushed to master: 0f52eddd1d2781ccc1941c191e9ab6e3ccf6919d

On a related note, should we backport this to later branches?

It wouldn't hurt, it should apply straight to any 4.x and probably latest 3.x branches too.

I would not fix anything older than FreeIPA 4.1.x which is in F22, which is the oldest supported Fedora (or rather will be, one month after F23 GA).

https://fedorahosted.org/freeipa/ticket/937 is included in 4.2.4 milestone with priority critical. Shouldn't we backport the patch to ipa-4-2 branch?

--
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 559] Fix kadmin for new users
On 01/06/2016 08:37 AM, Martin Babinsky wrote:
> On 11/25/2015 03:41 PM, Martin Kosek wrote:
>> On 11/25/2015 03:32 PM, Simo Sorce wrote:
>>> On Wed, 2015-11-25 at 14:13 +0100, Tomas Babej wrote:
>>> On 11/25/2015 02:13 PM, Tomas Babej wrote:
> > > On 11/25/2015 02:00 PM, Martin Babinsky wrote:
>> On 11/24/2015 11:32 PM, Simo Sorce wrote:
>>> Ticket #937 was reopened a while ago because one corner case, new users
>>> that have never been assigned a password cause kadmin/kadmin.local to
>>> throw a fit when they try to visualize information about those user's
>>> principals.
>>>
>>> This patch fakes up modification information when no krbExtraData is
>>> available for the principal so that kadmin is happy.
>>>
>>> Tested and working as designed.
>>>
>>> Simo.
>>>
>> ACK
>>
> > Pushed to master: 0f52eddd1d2781ccc1941c191e9ab6e3ccf6919d
> On a related note, should we backport this to later branches?
>>>
>>> It wouldn't hurt, it should apply straight to any 4.x and probably
>>> latest 3.x branches too.
>>
>> I would not fix anything older than FreeIPA 4.1.x which is in F22, which is
>> the oldest supported Fedora (or rather will be, one month after F23 GA).
>>
> > https://fedorahosted.org/freeipa/ticket/937 is included in 4.2.4 milestone
> with priority critical. Shouldn't we backport the patch to ipa-4-2 branch?

We should... Petr?