[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file

2017-03-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file

stlaz commented:
"""
We need to perform `paths.SYSTEMCTL --system daemon-reload` here as well.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/607#issuecomment-287091722
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#607][synchronized] Backup ipa-specific httpd unit-file

2017-03-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/607
Author: stlaz
 Title: #607: Backup ipa-specific httpd unit-file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/607/head:pr607
git checkout pr607
From 6c29861853a8857c3b6b3e1d6a85778e9ed13097 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 16 Mar 2017 10:22:59 +0100
Subject: [PATCH] Backup ipa-specific httpd unit-file

On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.

https://pagure.io/freeipa/issue/6748
---
 ipaserver/install/ipa_backup.py  | 1 +
 ipaserver/install/ipa_restore.py | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 07c50c8..56583c0 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -166,6 +166,7 @@ class Backup(admintool.AdminTool):
 paths.KDC_CERT,
 paths.KDC_KEY,
 paths.SYSTEMD_IPA_SERVICE,
+paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
 paths.SYSTEMD_SSSD_SERVICE,
 paths.SYSTEMD_CERTMONGER_SERVICE,
 paths.SYSTEMD_PKI_TOMCAT_SERVICE,
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index d798654..2552bbd 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -414,6 +414,8 @@ def run(self):
 sssd = services.service('sssd', api)
 sssd.restart()
 http.remove_httpd_ccaches()
+# have the daemons pick up their restored configs
+run([paths.SYSTEMCTL, "--system", "daemon-reload"])
 finally:
 try:
 os.chdir(cwd)
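
Review bot: In `run()`, the added `daemon-reload` comes after `sssd.restart()`, but the backup list in the first hunk also carries unit files such as `paths.SYSTEMD_SSSD_SERVICE`, so sssd is restarted before systemd has re-read its restored unit. Move the `run([paths.SYSTEMCTL, "--system", "daemon-reload"])` call ahead of the service restarts. The comment above it is also misleading: `daemon-reload` makes systemd re-read unit files, it does not make the daemons re-read their own configuration, so reword it accordingly.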

[Freeipa-devel] [freeipa PR#610][opened] [4.3] Fix cookie with Max-Age processing

2017-03-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/610
Author: stlaz
 Title: #610: [4.3] Fix cookie with Max-Age processing
Action: opened

PR body:
"""
When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/610/head:pr610
git checkout pr610
From 23eb7a27f00b418314beb1c69efeff5d45403607 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 2 Mar 2017 09:11:34 +0100
Subject: [PATCH] Fix cookie with Max-Age processing

When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718
---
 ipalib/rpc.py   | 13 +
 ipapython/cookie.py |  5 -
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 207149e..ef3a2a7 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -693,8 +693,11 @@ def store_session_cookie(self, cookie_header):
 
 # Search for the session cookie
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_header,
- COOKIE_NAME, request_url)
+session_cookie = (
+Cookie.get_named_cookie_from_string(
+cookie_header, COOKIE_NAME, request_url,
+timestamp=datetime.datetime.utcnow())
+)
 except Exception as e:
 root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)
 return
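
Review bot: Both new call sites in `ipalib/rpc.py` use `datetime.datetime.utcnow()`, yet the 13 changed lines the diffstat reports for this file are fully accounted for by the two hunks, so no `import datetime` is added by this patch. Confirm the module already imports `datetime`; otherwise `store_session_cookie()` raises NameError inside the `try`, and the `except Exception` below reports it as a cookie parse failure.
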
@@ -788,8 +791,10 @@ def get_session_cookie_from_persistent_storage(self, principal):
 
 # Search for the session cookie within the cookie string
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_string, COOKIE_NAME)
-except Exception as e:
+session_cookie = Cookie.get_named_cookie_from_string(
+cookie_string, COOKIE_NAME,
+timestamp=datetime.datetime.utcnow())
+except Exception:
 return None
 
 return session_cookie
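
Review bot: In `get_session_cookie_from_persistent_storage()` the cookie is stamped with `datetime.datetime.utcnow()` at read time, not with the time it was received from the server. Since the expiration is derived as timestamp + Max-Age, every load from storage restarts the Max-Age window, and a stored cookie that carries only Max-Age never looks expired to the client. Persist the receipt time (or the computed expiry) alongside the cookie and pass that here instead of the current time.
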
diff --git a/ipapython/cookie.py b/ipapython/cookie.py
index d32640a..6f7bc6c 100644
--- a/ipapython/cookie.py
+++ b/ipapython/cookie.py
@@ -321,7 +321,8 @@ def parse(cls, cookie_string, request_url=None):
 return cookies
 
 @classmethod
-def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=None):
+def get_named_cookie_from_string(cls, cookie_string, cookie_name,
+ request_url=None, timestamp=None):
 '''
 A cookie string may contain multiple cookies, parse the cookie
 string and return the last cookie in the string matching the
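
Review bot: The new `timestamp` parameter of `get_named_cookie_from_string()` is undocumented; the 5 changed lines the diffstat reports for `ipapython/cookie.py` are the signature and the two-line assignment, so the docstring is untouched. Add a sentence saying what `timestamp` is (the base time for Max-Age) and that the callers in `ipalib/rpc.py` pass a UTC `datetime`.
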
@@ -343,6 +344,8 @@ def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=No
 if cookie.key == cookie_name:
 target_cookie = cookie
 
+if timestamp is not None:
+target_cookie.timestamp = timestamp
 if request_url is not None:
 target_cookie.normalize(request_url)
 return target_cookie
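
Review bot: With `timestamp=None` as the default, any caller that does not pass the new argument still ends up with the `None` timestamp the commit message describes, so a Max-Age cookie fails the same way there. Consider falling back to the current UTC time inside `get_named_cookie_from_string()` when `timestamp` is None, or state in the docstring that callers handling Max-Age cookies must supply it.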

[Freeipa-devel] [freeipa PR#609][edited] [4.4] Fix cookie with Max-Age processing

2017-03-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/609
Author: stlaz
 Title: #609: [4.4] Fix cookie with Max-Age processing
Action: edited

 Changed field: body
Original value:
"""
When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718

Reviewed-By: Simo Sorce 
"""


[Freeipa-devel] [freeipa PR#609][synchronized] [4.4] Fix cookie with Max-Age processing

2017-03-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/609
Author: stlaz
 Title: #609: [4.4] Fix cookie with Max-Age processing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/609/head:pr609
git checkout pr609
From 3fe71ab3e2febcf01a7187bcac2773e86b917844 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 2 Mar 2017 09:11:34 +0100
Subject: [PATCH] Fix cookie with Max-Age processing

When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718
---
 ipalib/rpc.py   | 13 +
 ipapython/cookie.py |  5 -
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 1c00289..cd14d91 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -699,8 +699,11 @@ def store_session_cookie(self, cookie_header):
 
 # Search for the session cookie
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_header,
- COOKIE_NAME, request_url)
+session_cookie = (
+Cookie.get_named_cookie_from_string(
+cookie_header, COOKIE_NAME, request_url,
+timestamp=datetime.datetime.utcnow())
+)
 except Exception as e:
 root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)
 return
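
Review bot: The context line this hunk leaves in place in `store_session_cookie()`, `root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)`, writes the whole cookie header, session cookie value included, to the log. While this block is being reworked, log only the cookie name or a truncated value so that a parse failure does not put a usable session identifier into log files.
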
@@ -794,8 +797,10 @@ def get_session_cookie_from_persistent_storage(self, principal):
 
 # Search for the session cookie within the cookie string
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_string, COOKIE_NAME)
-except Exception as e:
+session_cookie = Cookie.get_named_cookie_from_string(
+cookie_string, COOKIE_NAME,
+timestamp=datetime.datetime.utcnow())
+except Exception:
 return None
 
 return session_cookie
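
Review bot: `except Exception:` followed by `return None` in `get_session_cookie_from_persistent_storage()` hides every failure of the changed call, including a TypeError if the installed `ipapython.cookie` does not accept the `timestamp` keyword. Dropping the unused `as e` is fine, but add a debug-level log of the exception type (without the cookie value) so that a broken cookie path can be told apart from "no cookie stored".
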
diff --git a/ipapython/cookie.py b/ipapython/cookie.py
index 89c3e3c..2831394 100644
--- a/ipapython/cookie.py
+++ b/ipapython/cookie.py
@@ -320,7 +320,8 @@ def parse(cls, cookie_string, request_url=None):
 return cookies
 
 @classmethod
-def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=None):
+def get_named_cookie_from_string(cls, cookie_string, cookie_name,
+ request_url=None, timestamp=None):
 '''
 A cookie string may contain multiple cookies, parse the cookie
 string and return the last cookie in the string matching the
@@ -342,6 +343,8 @@ def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=No
 if cookie.key == cookie_name:
 target_cookie = cookie
 
+if timestamp is not None:
+target_cookie.timestamp = timestamp
 if request_url is not None:
 target_cookie.normalize(request_url)
 return target_cookie
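
Review bot: `target_cookie.timestamp = timestamp` dereferences `target_cookie` right after a loop that assigns it only when `cookie.key == cookie_name`. Its initial value is outside the visible context; if it is None when nothing matches, a call that passes `timestamp` but no `request_url` now raises AttributeError where it previously returned None. Guard the timestamp assignment and `normalize()` with a single check that a cookie was found.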

[Freeipa-devel] [freeipa PR#609][opened] [4.4] Fix cookie with Max-Age processing

2017-03-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/609
Author: stlaz
 Title: #609: [4.4] Fix cookie with Max-Age processing
Action: opened

PR body:
"""
When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718

Reviewed-By: Simo Sorce 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/609/head:pr609
git checkout pr609
From ff09ec7debf00a690f3a9e1f27891439bd6221c5 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 2 Mar 2017 09:11:34 +0100
Subject: [PATCH] Fix cookie with Max-Age processing

When cookie has Max-Age set it tries to get expiration by adding
to a timestamp. Without this patch the timestamp would be set to
None and thus the addition of timestamp + max_age fails

https://pagure.io/freeipa/issue/6718

Reviewed-By: Simo Sorce 
---
 ipalib/rpc.py   | 13 +
 ipapython/cookie.py |  5 -
 2 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/ipalib/rpc.py b/ipalib/rpc.py
index 1c00289..cd14d91 100644
--- a/ipalib/rpc.py
+++ b/ipalib/rpc.py
@@ -699,8 +699,11 @@ def store_session_cookie(self, cookie_header):
 
 # Search for the session cookie
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_header,
- COOKIE_NAME, request_url)
+session_cookie = (
+Cookie.get_named_cookie_from_string(
+cookie_header, COOKIE_NAME, request_url,
+timestamp=datetime.datetime.utcnow())
+)
 except Exception as e:
 root_logger.error("unable to parse cookie header '%s': %s", cookie_header, e)
 return
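
Review bot: The call in `store_session_cookie()` is wrapped in an extra pair of parentheses (`session_cookie = (` ... `)`), while the call in `get_session_cookie_from_persistent_storage()` in the next hunk breaks the line after the call's own opening parenthesis. Use the second form in both places; the outer parentheses add two lines and nothing else.
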
@@ -794,8 +797,10 @@ def get_session_cookie_from_persistent_storage(self, principal):
 
 # Search for the session cookie within the cookie string
 try:
-session_cookie = Cookie.get_named_cookie_from_string(cookie_string, COOKIE_NAME)
-except Exception as e:
+session_cookie = Cookie.get_named_cookie_from_string(
+cookie_string, COOKIE_NAME,
+timestamp=datetime.datetime.utcnow())
+except Exception:
 return None
 
 return session_cookie
diff --git a/ipapython/cookie.py b/ipapython/cookie.py
index 89c3e3c..2831394 100644
--- a/ipapython/cookie.py
+++ b/ipapython/cookie.py
@@ -320,7 +320,8 @@ def parse(cls, cookie_string, request_url=None):
 return cookies
 
 @classmethod
-def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=None):
+def get_named_cookie_from_string(cls, cookie_string, cookie_name,
+ request_url=None, timestamp=None):
 '''
 A cookie string may contain multiple cookies, parse the cookie
 string and return the last cookie in the string matching the
@@ -342,6 +343,8 @@ def get_named_cookie_from_string(cls, cookie_string, cookie_name, request_url=No
 if cookie.key == cookie_name:
 target_cookie = cookie
 
+if timestamp is not None:
+target_cookie.timestamp = timestamp
 if request_url is not None:
 target_cookie.normalize(request_url)
 return target_cookie
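
Review bot: The patch touches only `ipalib/rpc.py` and `ipapython/cookie.py` (2 files in the diffstat), so nothing exercises a cookie with Max-Age going through `get_named_cookie_from_string()`. Add a unit test that parses a cookie string carrying Max-Age with a fixed `timestamp` and checks the resulting expiration, plus one with `timestamp=None` to pin down the intended behaviour.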

[Freeipa-devel] [freeipa PR#397][synchronized] Improve wheel building and provide ipaserver wheel for local testing

2017-03-16 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/397
Author: tiran
 Title: #397: Improve wheel building and provide ipaserver wheel for local testing
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/397/head:pr397
git checkout pr397
From 3388a271d88e40df67ee79a69f5e10404dc1449d Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 17 Jan 2017 08:49:54 +0100
Subject: [PATCH 1/3] Conditionally import pyhbac

The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tied into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditional. It's only necessary for caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes 
---
 ipaserver/plugins/caacl.py| 86 -
 ipaserver/plugins/cert.py | 90 ++-
 ipaserver/plugins/hbactest.py | 19 +++--
 3 files changed, 105 insertions(+), 90 deletions(-)

diff --git a/ipaserver/plugins/caacl.py b/ipaserver/plugins/caacl.py
index ff1178a..43a397d 100644
--- a/ipaserver/plugins/caacl.py
+++ b/ipaserver/plugins/caacl.py
@@ -2,12 +2,10 @@
 # Copyright (C) 2015  FreeIPA Contributors see COPYING for license
 #
 
-import pyhbac
 import six
 
 from ipalib import api, errors, output
 from ipalib import Bool, Str, StrEnum
-from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import Registry
 from .baseldap import (
 LDAPObject, LDAPSearch, LDAPCreate, LDAPDelete, LDAPQuery,
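
Review bot: The commit message says pyhbac is needed only by the caacl and hbactest plugins, but this hunk removes `import pyhbac` from `ipaserver/plugins/caacl.py` outright, and the diffstat lists `ipaserver/plugins/cert.py` with 90 changed lines against 86 removed from caacl.py. Update the message to name cert.py as the place the HBAC-based CA ACL code now lives and to say in which plugin the `execute()` presence check is performed.
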
@@ -80,90 +78,6 @@
 register = Registry()
 
 
-def _acl_make_request(principal_type, principal, ca_id, profile_id):
-"""Construct HBAC request for the given principal, CA and profile"""
-
-req = pyhbac.HbacRequest()
-req.targethost.name = ca_id
-req.service.name = profile_id
-if principal_type == 'user':
-req.user.name = principal.username
-elif principal_type == 'host':
-req.user.name = principal.hostname
-elif principal_type == 'service':
-req.user.name = unicode(principal)
-groups = []
-if principal_type == 'user':
-user_obj = api.Command.user_show(principal.username)['result']
-groups = user_obj.get('memberof_group', [])
-groups += user_obj.get('memberofindirect_group', [])
-elif principal_type == 'host':
-host_obj = api.Command.host_show(principal.hostname)['result']
-groups = host_obj.get('memberof_hostgroup', [])
-groups += host_obj.get('memberofindirect_hostgroup', [])
-req.user.groups = sorted(set(groups))
-return req
-
-
-def _acl_make_rule(principal_type, obj):
-"""Turn CA ACL object into HBAC rule.
-
-``principal_type``
-String in {'user', 'host', 'service'}
-"""
-rule = pyhbac.HbacRule(obj['cn'][0])
-rule.enabled = obj['ipaenabledflag'][0]
-rule.srchosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-
-# add CA(s)
-if 'ipacacategory' in obj and obj['ipacacategory'][0].lower() == 'all':
-rule.targethosts.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-# For compatibility with pre-lightweight-CAs CA ACLs,
-# no CA members implies the host authority (only)
-rule.targethosts.names = obj.get('ipamemberca_ca', [IPA_CA_CN])
-
-# add profiles
-if ('ipacertprofilecategory' in obj
-and obj['ipacertprofilecategory'][0].lower() == 'all'):
-rule.services.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-attr = 'ipamembercertprofile_certprofile'
-rule.services.names = obj.get(attr, [])
-
-# add principals and principal's groups
-category_attr = '{}category'.format(principal_type)
-if category_attr in obj and obj[category_attr][0].lower() == 'all':
-rule.users.category = {pyhbac.HBAC_CATEGORY_ALL}
-else:
-if principal_type == 'user':
-rule.users.names = obj.get('memberuser_user', [])
-rule.users.groups = obj.get('memberuser_group', [])
-elif principal_type == 'host':
-rule.users.names = obj.get('memberhost_host', [])
-rule.users.groups = obj.get('memberhost_hostgroup', [])
-elif principal_type == 'service':
-rule.users.names = [
-unicode(principal)
-for principal in obj.get('memberservice_service', [])
-]
-
-return rule

[Freeipa-devel] [freeipa PR#542][comment] Implementation independent interface for CSR generation

2017-03-16 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/542
Title: #542: Implementation independent interface for CSR generation

HonzaCholasta commented:
"""
@MartinBasti, it is an internal, user invisible API. @LiptonB, it is OK to 
change it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/542#issuecomment-286966192

[Freeipa-devel] [freeipa PR#605][+ack] Set development version to 4.5.90

2017-03-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/605
Title: #605: Set development version to 4.5.90

Label: +ack

[Freeipa-devel] [freeipa PR#605][closed] Set development version to 4.5.90

2017-03-16 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/605
Author: MartinBasti
 Title: #605: Set development version to 4.5.90
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/605/head:pr605
git checkout pr605

[Freeipa-devel] [freeipa PR#605][comment] Set development version to 4.5.90

2017-03-16 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/605
Title: #605: Set development version to 4.5.90

pvomacka commented:
"""
master:

* 9ac62bec44b642838cbb175d94efd90acb417ecc Set development version to 4.5.90
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/605#issuecomment-287004023

[Freeipa-devel] [freeipa PR#605][+pushed] Set development version to 4.5.90

2017-03-16 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/605
Title: #605: Set development version to 4.5.90

Label: +pushed

[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features

2017-03-16 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

tiran commented:
"""
This PR must be merged into 4.5 ASAP. Without the fix it is not possible to 
define proper SELinux policies for ipa-custodia and stand-alone custodia.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/517#issuecomment-286993273

[Freeipa-devel] [freeipa PR#606][opened] [ipa-4-4] ipa-kdb: support KDB DAL version 6.1

2017-03-16 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/606
Author: tomaskrizek
 Title: #606: [ipa-4-4] ipa-kdb: support KDB DAL version 6.1
Action: opened

PR body:
"""
Rebased patch for ipa-4-4. It's already in F26/rawhide.

Original PR: #410
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/606/head:pr606
git checkout pr606
From 6997574dcb84d92126d5517a5454520143e81e1a Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Tue, 24 Jan 2017 11:02:30 +0200
Subject: [PATCH] ipa-kdb: support KDB DAL version 6.1

DAL version 6.0 removed support for a callback to free principal.
This broke KDB drivers which had complex e_data structure within
the principal structure. As a result, FreeIPA KDB driver was leaking
memory with DAL version 6.0 (krb5 1.15).

DAL version 6.1 added a special callback for freeing e_data structure.
See details at krb5/krb5#596

Restructure KDB driver code to provide this callback in case
we are built against DAL version that supports it. For DAL version
prior to 6.0 use this callback in the free_principal callback to
tidy the code.

Use explicit KDB version dependency in Fedora 26+ via BuildRequires.

With new DAL version, freeipa package will fail to build and
we'll have to add support for new DAL version explicitly.

https://fedorahosted.org/freeipa/ticket/6619
---
 daemons/configure.ac |  21 ++
 daemons/ipa-kdb/ipa_kdb.c| 140 +--
 daemons/ipa-kdb/ipa_kdb.h|   2 +
 daemons/ipa-kdb/ipa_kdb_principals.c |  42 ++-
 freeipa.spec.in  |   9 +++
 5 files changed, 157 insertions(+), 57 deletions(-)

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 5c5a104..77a3be0 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -66,6 +66,27 @@ AC_SUBST(KRB5_LIBS)
 AC_SUBST(KRAD_LIBS)
 AC_SUBST(krb5rundir)
 
+AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1],
+		   [KDB driver API has free_principal callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal callback])],
+	[[#include ]])
+AC_CHECK_MEMBER(
+	[kdb_vftabl.free_principal_e_data],
+	[AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1],
+		   [KDB driver API has free_principal_e_data callback])],
+	[AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])],
+	[[#include ]])
+
+if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \
+		-a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then
+AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.])
+AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use])
+AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details])
+fi
+
 dnl ---
 dnl - Check for Mozilla LDAP and OpenLDAP SDK
 dnl ---
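
Review bot: In the final `test`, the second cache variable is spelled `ac_cv_member_kdb_vftable_free_principal_e_data` (`vftable`), while the `AC_CHECK_MEMBER` above checks `kdb_vftabl.free_principal_e_data`, whose result lands in `ac_cv_member_kdb_vftabl_free_principal_e_data`. The misspelled variable is never set, so its comparison with `xno` is always false and the three `AC_MSG_WARN` lines about leaking memory can never fire. Fix the spelling; splitting the condition into two `test` commands joined with `&&` also avoids the non-portable `-a`.
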
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index fbcb03b..e74ab56 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -625,45 +625,107 @@ static void ipadb_free(krb5_context context, void *ptr)
 
 /* KDB Virtual Table */
 
+/* We explicitly want to keep different ABI tables below separate. */
+/* Do not merge them together. Older ABI does not need to be updated */
+
+#if KRB5_KDB_DAL_MAJOR_VERSION == 5
+kdb_vftabl kdb_function_table = {
+.maj_ver = KRB5_KDB_DAL_MAJOR_VERSION,
+.min_ver = 0,
+.init_library = ipadb_init_library,
+.fini_library = ipadb_fini_library,
+.init_module = ipadb_init_module,
+.fini_module = ipadb_fini_module,
+.create = ipadb_create,
+.get_age = ipadb_get_age,
+.get_principal = ipadb_get_principal,
+.free_principal = ipadb_free_principal,
+.put_principal = ipadb_put_principal,
+.delete_principal = ipadb_delete_principal,
+.iterate = ipadb_iterate,
+.create_policy = ipadb_create_pwd_policy,
+.get_policy = ipadb_get_pwd_policy,
+.put_policy = ipadb_put_pwd_policy,
+.iter_policy = ipadb_iterate_pwd_policy,
+.delete_policy = ipadb_delete_pwd_policy,
+.free_policy = ipadb_free_pwd_policy,
+.alloc = ipadb_alloc,
+.free = ipadb_free,
+.fetch_master_key = ipadb_fetch_master_key,
+.store_master_key_list = ipadb_store_master_key_list,
+.change_pwd = ipadb_change_pwd,
+.sign_authdata = ipadb_sign_authdata,
+.check_transited_realms = ipadb_check_transited_realms,
+.check_policy_as = ipadb_check_policy_as,
+.audit_as_req = ipadb_audit_as_req,
+.check_allowed_to_delegate = ipadb_check_allowed_to_delegate
+};
+#endif
+
+#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA)
 kdb_vftabl kdb_function_table = {
-KRB5_KDB_DAL_MAJOR_VERSION, /* major version number */
-0,  

[Freeipa-devel] [freeipa PR#607][opened] Backup ipa-specific httpd unit-file

2017-03-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/607
Author: stlaz
 Title: #607: Backup ipa-specific httpd unit-file
Action: opened

PR body:
"""
On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.

https://pagure.io/freeipa/issue/6748
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/607/head:pr607
git checkout pr607
From 510da02a1e78ae9571c72ef538edff8174f30efe Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 16 Mar 2017 10:22:59 +0100
Subject: [PATCH] Backup ipa-specific httpd unit-file

On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.

https://pagure.io/freeipa/issue/6748
---
 ipaserver/install/ipa_backup.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 07c50c8..56583c0 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -166,6 +166,7 @@ class Backup(admintool.AdminTool):
 paths.KDC_CERT,
 paths.KDC_KEY,
 paths.SYSTEMD_IPA_SERVICE,
+paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
 paths.SYSTEMD_SSSD_SERVICE,
 paths.SYSTEMD_CERTMONGER_SERVICE,
 paths.SYSTEMD_PKI_TOMCAT_SERVICE,
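
Review bot: Adding `paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF` to the backup list covers only the backup half; the diffstat shows no change to the restore path, so after a restore the file is back on disk but systemd has not re-read it. Run `systemctl --system daemon-reload` in the restore code before httpd is started, otherwise httpd still comes up without the gssproxy setting the commit message describes.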

[Freeipa-devel] [freeipa PR#604][+ack] [4.5] Set zanata version to ipa-4-5

2017-03-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/604
Title: #604: [4.5] Set zanata version to ipa-4-5

Label: +ack

[Freeipa-devel] [freeipa PR#379][-postponed] Packaging: Add IPA commands package

2017-03-16 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/379
Title: #379: Packaging: Add IPA commands package

Label: -postponed

[Freeipa-devel] [freeipa PR#379][synchronized] Packaging: Add placeholder and IPA commands packages

2017-03-16 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/379
Author: tiran
 Title: #379: Packaging: Add placeholder and IPA commands packages
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/379/head:pr379
git checkout pr379
From 380b2df4fded9ca2848853b5741b409ae58a58d4 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH] Packaging: Add IPA commands package

The ipacommands package contains ipa-getkeytab and ipa-rmkeytab for
installation in a virtual env. The programs are compiled with distutils
/ setuptools.

https://fedorahosted.org/freeipa/ticket/6484

Signed-off-by: Christian Heimes 
---
 .gitignore   |   7 ++
 Makefile.am  |   6 +-
 configure.ac |   1 +
 pypi/Makefile.am |   1 +
 pypi/ipacommands/MANIFEST.in |  25 ++
 pypi/ipacommands/Makefile.am |  79 ++
 pypi/ipacommands/setup.cfg   |   5 ++
 pypi/ipacommands/setup.py| 194 +++
 8 files changed, 317 insertions(+), 1 deletion(-)
 create mode 100644 pypi/ipacommands/MANIFEST.in
 create mode 100644 pypi/ipacommands/Makefile.am
 create mode 100644 pypi/ipacommands/setup.cfg
 create mode 100644 pypi/ipacommands/setup.py

diff --git a/.gitignore b/.gitignore
index 7e78a93..2e82174 100644
--- a/.gitignore
+++ b/.gitignore
@@ -113,3 +113,10 @@ freeipa2-dev-doc
 /ipaplatform/paths.py
 /ipaplatform/services.py
 /ipaplatform/tasks.py
+
+/pypi/ipacommands/COPYING
+/pypi/ipacommands/Contributors.txt
+/pypi/ipacommands/asn1
+/pypi/ipacommands/client
+/pypi/ipacommands/ipasetup.py
+/pypi/ipacommands/util
diff --git a/Makefile.am b/Makefile.am
index df4e05a..068eefb 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -228,12 +228,16 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C pypi/ipacommands sdist || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
 
 wheel_bundle: $(WHEELBUNDLEDIR) bdist_wheel
-	$(PYTHON) -m pip wheel --wheel-dir $(WHEELBUNDLEDIR) $(WHEELDISTDIR)/*.whl
+	$(PYTHON) -m pip wheel \
+		--wheel-dir $(WHEELBUNDLEDIR) \
+		$(WHEELDISTDIR)/*.whl \
+		$(WHEELDISTDIR)/*.tar.gz
 
 wheel_placeholder: $(WHEELDISTDIR)
 	for dir in $(IPA_PLACEHOLDERS); do \
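
Review bot: In `wheel_bundle`, the new `$(WHEELDISTDIR)/*.tar.gz` argument hands pip every tarball that happens to sit in the dist directory, not just the ipacommands sdist produced by the line added to `bdist_wheel`. A stale or unrelated sdist left there gets its setup.py executed and its wheel bundled. Pass the ipacommands sdist by name, or have the target clear tarballs out of `$(WHEELDISTDIR)` first.
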
diff --git a/configure.ac b/configure.ac
index 2d84426..f3ff64f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -538,6 +538,7 @@ AC_CONFIG_FILES([
 pypi/Makefile
 pypi/freeipa/Makefile
 pypi/ipa/Makefile
+pypi/ipacommands/Makefile
 pypi/ipaplatform/Makefile
 pypi/ipaserver/Makefile
 pypi/ipatests/Makefile
diff --git a/pypi/Makefile.am b/pypi/Makefile.am
index 5d8be9c..be572c6 100644
--- a/pypi/Makefile.am
+++ b/pypi/Makefile.am
@@ -7,6 +7,7 @@ NULL =
 SUBDIRS =			\
 	freeipa			\
 	ipa\
+	ipacommands		\
 	ipaplatform		\
 	ipaserver		\
 	ipatests		\
diff --git a/pypi/ipacommands/MANIFEST.in b/pypi/ipacommands/MANIFEST.in
new file mode 100644
index 000..659a1f5
--- /dev/null
+++ b/pypi/ipacommands/MANIFEST.in
@@ -0,0 +1,25 @@
+include asn1/*.c
+include asn1/*.h
+include asn1/asn1c/*.c
+include asn1/asn1c/*.h
+include asn1/asn1c/ipa.asn1
+
+include client/config.c
+include client/config.h
+include client/ipa-client-common.c
+include client/ipa-client-common.h
+include client/ipa-getkeytab.c
+include client/ipa-join.c
+include client/ipa-rmkeytab.c
+
+include util/ipa_krb5.c
+include util/ipa_krb5.h
+
+prune client/asn1
+prune client/client
+prune client/util
+
+include Contributors.txt COPYING
+include config.h
+include ipasetup.py
+include setup.cfg
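
Review bot: `include client/ipa-join.c` ships the source of a program the commit message does not list; the message says the package contains ipa-getkeytab and ipa-rmkeytab. Either drop the line or extend the message to cover ipa-join. Also reconsider `include config.h`: a configure-generated header inside an sdist carries the settings of the machine that created the sdist, not of the machine that builds it.
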
diff --git a/pypi/ipacommands/Makefile.am b/pypi/ipacommands/Makefile.am
new file mode 100644
index 000..645ce7a
--- /dev/null
+++ b/pypi/ipacommands/Makefile.am
@@ -0,0 +1,79 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7
+
+NULL =
+
+pkgname = $(shell basename "$(abs_srcdir)")
+
+# hack to handle back-in-the-hierarchy depedency on ipasetup.py
+.PHONY: $(top_builddir)/ipasetup.py
+$(top_builddir)/ipasetup.py:
+	(cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) ipasetup.py)
+
+DEPENDENCIES = \
+	asn1\
+	client\
+	util\
+	COPYING\
+	Contributors.txt		\
+	config.h			\
+	ipasetup.py			\
+	$(NULL)
+
+# Python setup.py can handle symlinks to directories fine
+asn1: $(top_srcdir)/asn1
+	if [ ! -e "$@" ]; then ln -rs "$<"; fi
+
+client: $(top_srcdir)/client
+	if [ ! -e "$@" ]; then ln -rs "$<"; fi
+
+util: $(top_srcdir)/util
+	if [ ! -e "$@" ]; then ln -rs "$<"; fi
+
+# On the other hand files must be copied to create proper sdist
+COPYING: $(top_srcdir)/COPYING
+	cp -p "$<" "$@"
+
+Contributors.txt: $(top_srcdir)/Contributors.txt
+	cp -p "$<" "$@"
+
+ipasetup.py: $(top_builddir)/ipasetup.py
+	cp -p "$<" "$@"
+
+config.h: $(top_builddir)/config.h
+	cp -p 
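Review bot: The `ln -rs "$<"` recipes for `asn1`, `client` and `util` name no destination, so the link is created in whatever directory make happens to run in and takes the basename of the source; pass `"$@"` as the second argument so the link always matches the target being built. Declaring `$(top_builddir)/ipasetup.py` as `.PHONY` also makes the local `ipasetup.py` copy rule run on every invocation, which deserves a note in the "hack" comment, and "depedency" in that comment should read "dependency".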

[Freeipa-devel] [freeipa PR#379][edited] Packaging: Add IPA commands package

2017-03-16 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/379
Author: tiran
 Title: #379: Packaging: Add IPA commands package
Action: edited

 Changed field: title
Original value:
"""
Packaging: Add placeholder and IPA commands packages
"""


[Freeipa-devel] [freeipa PR#608][synchronized] tasks: run `systemctl daemon-reload` after httpd.service.d updates

2017-03-16 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/608
Author: HonzaCholasta
 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/608/head:pr608
git checkout pr608
From 4f46130eb09c53d8baebee070229312405c618f7 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Mar 2017 12:51:29 +
Subject: [PATCH] tasks: run `systemctl daemon-reload` after httpd.service.d
 updates

Run `systemctl daemon-reload` after
`/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted,
otherwise systemd will not merge the file into httpd.service and therefore
required environment variables will not be set for httpd.

This fixes authentication failures ("No valid Negotiate header in server
response") due to missing `GSS_USE_PROXY=yes` in httpd environment.

https://pagure.io/freeipa/issue/6773
---
 ipaplatform/redhat/tasks.py | 7 +++
 1 file changed, 7 insertions(+)

diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index c1b574e..d0ef5fb 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -483,6 +483,9 @@ def configure_httpd_service_ipa_conf(self):
 os.chmod(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, 0o644)
 self.restore_context(paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF)
 
+ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"],
+raiseonerr=False)
+
 def configure_http_gssproxy_conf(self):
 ipautil.copy_template_file(
 os.path.join(paths.USR_SHARE_IPA_DIR, 'gssproxy.conf.template'),
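Review bot: `raiseonerr=False` on the `daemon-reload` call added at the end of `configure_httpd_service_ipa_conf` discards a failed reload, which leaves exactly the state the commit message describes: the drop-in is on disk but httpd runs without `GSS_USE_PROXY=yes`. Check the result of the call and at least log a warning, or let the error propagate so the installer stops before httpd is started.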
@@ -513,6 +516,10 @@ def remove_httpd_service_ipa_conf(self):
 'Error removing %s: %s',
 paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF, e
 )
+return
+
+ipautil.run([paths.SYSTEMCTL, "--system", "daemon-reload"],
+raiseonerr=False)
 
 def set_hostname(self, hostname):
 ipautil.run([paths.BIN_HOSTNAMECTL, 'set-hostname', hostname])
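Review bot: The `daemon-reload` call at the end of `remove_httpd_service_ipa_conf` is a verbatim copy of the one added to `configure_httpd_service_ipa_conf`; move it into one small helper so both paths share the same error handling and logging. The new `return` in the error branch would also benefit from a one-line comment saying the reload is skipped because the file is still in place.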
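A check for the condition this patch addresses, as an added example that is not part of the patch or of FreeIPA: it reads `systemctl show` output and reports whether the drop-in has been merged into the loaded unit and whether `GSS_USE_PROXY=yes` is in its environment. The function name, the state names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not FreeIPA code. On a live host, feed the function with:
#   systemctl show -p DropInPaths -p Environment -p NeedDaemonReload httpd.service

DROPIN=/etc/systemd/system/httpd.service.d/ipa.conf
WANT=GSS_USE_PROXY=yes

# dropin_state DROPIN_PATH WANTED_ENV   (reads `systemctl show` output on stdin)
# Prints one of: ok, stale, not-loaded, env-missing
dropin_state() {
    awk -v dropin="$1" -v want="$2" '
        # Each line is Property=value; list values are space-separated.
        /^NeedDaemonReload=/ { stale = ($0 == "NeedDaemonReload=yes") }
        /^DropInPaths=/ {
            n = split(substr($0, length("DropInPaths=") + 1), p, " ")
            for (i = 1; i <= n; i++) if (p[i] == dropin) loaded = 1
        }
        /^Environment=/ {
            n = split(substr($0, length("Environment=") + 1), e, " ")
            for (i = 1; i <= n; i++) if (e[i] == want) env = 1
        }
        END {
            if (stale)        print "stale"        # systemd reports changed unit files
            else if (!loaded) print "not-loaded"   # drop-in on disk but not merged
            else if (!env)    print "env-missing"  # merged, variable still absent
            else              print "ok"
        }'
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_NOT_LOADED='Environment=LANG=C
DropInPaths=
NeedDaemonReload=no'

SAMPLE_OK='Environment=LANG=C GSS_USE_PROXY=yes
DropInPaths=/etc/systemd/system/httpd.service.d/ipa.conf
NeedDaemonReload=no'

for sample in "$SAMPLE_NOT_LOADED" "$SAMPLE_OK"; do
    printf '%s\n' "$sample" | dropin_state "$DROPIN" "$WANT"
done
```

Any state other than `ok` after an install, uninstall or restore means httpd should not be started until `systemctl --system daemon-reload` has run.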

[Freeipa-devel] [freeipa PR#608][edited] tasks: run `systemctl daemon-reload` after httpd.service.d updates

2017-03-16 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/608
Author: HonzaCholasta
 Title: #608: tasks: run `systemctl daemon-reload` after httpd.service.d updates
Action: edited

 Changed field: body
Original value:
"""
Run `systemctl daemon-reload` after
`/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted,
otherwise systemd will not merge the file into httpd.service and therefore
required environment variables will not be set for httpd.

This fixes authentication failures ("No valid Negotiate header in server
response") due to missing GSS_USE_PROXY=yes in httpd environment.

https://pagure.io/freeipa/issue/6773
"""


[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching

2017-03-16 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

martbab commented:
"""
I think that we have all dependencies in spec already so I do not see a reason 
not to.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/543#issuecomment-287038339

[Freeipa-devel] [freeipa PR#543][+ack] Add options to allow ticket caching

2017-03-16 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

Label: +ack

[Freeipa-devel] [freeipa PR#543][+pushed] Add options to allow ticket caching

2017-03-16 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

Label: +pushed

[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching

2017-03-16 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

martbab commented:
"""
master:

* 4ee7e4ee6d6500d8b8935c9033388adc4cdbe672 Add options to allow ticket caching
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/543#issuecomment-287038542

[Freeipa-devel] [freeipa PR#543][closed] Add options to allow ticket caching

2017-03-16 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543

[Freeipa-devel] [freeipa PR#517][comment] [WIP] Use Custodia 0.3 features

2017-03-16 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/517
Title: #517: [WIP] Use Custodia 0.3 features

MartinBasti commented:
"""
I assume that this is not WIP anymore then
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/517#issuecomment-287066488

[Freeipa-devel] [freeipa PR#610][comment] [4.3] Fix cookie with Max-Age processing

2017-03-16 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/610
Title: #610: [4.3] Fix cookie with Max-Age processing

MartinBasti commented:
"""
Please open a new ticket `Backport ...`. The ticket you used is closed in a closed 
milestone.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/610#issuecomment-287195160

[Freeipa-devel] [freeipa PR#604][+pushed] [4.5] Set zanata version to ipa-4-5

2017-03-16 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/604
Title: #604: [4.5] Set zanata version to ipa-4-5

Label: +pushed

[Freeipa-devel] [freeipa PR#604][comment] [4.5] Set zanata version to ipa-4-5

2017-03-16 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/604
Title: #604: [4.5] Set zanata version to ipa-4-5

pvomacka commented:
"""
ipa-4-5:

* a1f2754f18f93752f97d14168b74fb0f299d795d Set zanata version to ipa-4-5
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/604#issuecomment-287004757

[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file

2017-03-16 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file

tiran commented:
"""
LGTM

Did you check if there are more files missing after backup, uninstall, restore? 
You could use ```find /etc /usr /var >before_uninstall``` before uninstall and 
after restore, then compare the files with diff.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/607#issuecomment-287009174
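The before/after comparison suggested in the comment above, as an added example that is not part of the original thread: it records the entry type next to each path, so a symlink or drop-in that did not come back after restore is reported with its kind. The function names are hypothetical and the demonstration runs on a constructed scratch tree instead of `/etc /usr /var`.

```shell
#!/bin/sh
# Added example, not from the thread. Paths containing newlines are not handled.

# snapshot OUTFILE DIR...   writes one sorted line per entry: "<type> <path>"
snapshot() {
    out=$1; shift
    {
        find "$@" -type d | sed 's/^/d /'
        find "$@" -type f | sed 's/^/f /'
        find "$@" -type l | sed 's/^/l /'   # links are listed, never followed
    } 2>/dev/null | LC_ALL=C sort > "$out"
}

# missing_after_restore BEFORE AFTER   entries present before, absent after
missing_after_restore() {
    LC_ALL=C comm -23 "$1" "$2"
}

# added_after_restore BEFORE AFTER     entries that appeared only after restore
added_after_restore() {
    LC_ALL=C comm -13 "$1" "$2"
}

# Constructed demonstration: a scratch tree stands in for the real system.
demo() {
    tmp=$(mktemp -d) || return 1
    (
        cd "$tmp" || exit 1
        mkdir -p etc/systemd/system/httpd.service.d etc/app
        : > etc/systemd/system/httpd.service.d/ipa.conf
        : > etc/app/app.conf
        ln -s app.conf etc/app/enabled.conf
        snapshot before_uninstall etc
        # Simulate a restore that brought back neither the drop-in nor the link.
        rm etc/systemd/system/httpd.service.d/ipa.conf etc/app/enabled.conf
        snapshot after_restore etc
        missing_after_restore before_uninstall after_restore
    )
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

On a real server, take the first snapshot before `ipa-backup` and uninstall, the second after restore, and treat every line from `missing_after_restore` as a candidate for the backup file list.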

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-16 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From 2b309c896728f188959c022635ff131347e2f266 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6771

Signed-off-by: Simo Sorce 
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
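Review bot: `allow_client_ccache_sync = true` is added unconditionally to this section, while the commit message says the option is only planned for gssproxy 0.7 and needs krb5 libs 1.15.1 to have any effect; nothing in this patch raises the required versions. Confirm that the packaging requires a gssproxy release that accepts the key, because the template is installed as is.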
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER
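Review bot: The section running as `$IPAAPI_USER` with `allow_constrained_delegation = true` gets the same new key without a comment; add a template comment stating what is synced back to the client ccache and why it is wanted here. Someone auditing the delegation settings should not have to find the commit message to learn that the line exists to avoid a KDC lookup on every LDAP connection.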

[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file

2017-03-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file

stlaz commented:
"""
Thanks, @tiran, this is a good idea, I noticed also KDCProxy conf symlink was 
missing.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/607#issuecomment-287029314

[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file

2017-03-16 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file

tiran commented:
"""
The symlink is generated by a script when httpd is started.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/607#issuecomment-287029814

[Freeipa-devel] [freeipa PR#607][synchronized] Backup ipa-specific httpd unit-file

2017-03-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/607
Author: stlaz
 Title: #607: Backup ipa-specific httpd unit-file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/607/head:pr607
git checkout pr607
From d684e43ffc9a3ca8411cad6b63348b30ed7ed2e5 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 16 Mar 2017 10:22:59 +0100
Subject: [PATCH] Backup ipa-specific httpd unit-file

On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.

The kdcproxy configuration symlink to enable kdcproxy was missing
as well, adding it on top of it.

https://pagure.io/freeipa/issue/6748
---
 ipaserver/install/ipa_backup.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 07c50c8..ed3fcf8 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -144,6 +144,7 @@ class Backup(admintool.AdminTool):
 paths.HTTPD_PASSWORD_CONF,
 paths.HTTP_KEYTAB,
 paths.HTTPD_IPA_KDCPROXY_CONF,
+paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK,
 paths.HTTPD_IPA_PKI_PROXY_CONF,
 paths.HTTPD_IPA_REWRITE_CONF,
 paths.HTTPD_NSS_CONF,
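Review bot: `paths.HTTPD_IPA_KDCPROXY_CONF_SYMLINK` is added to a list whose neighbours are regular files, so verify that the backup stores it as a link instead of following it and archiving a second copy of `HTTPD_IPA_KDCPROXY_CONF`. If the link is generated when httpd starts, as stated in the PR discussion, the entry is redundant and is better left out.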
@@ -166,6 +167,7 @@ class Backup(admintool.AdminTool):
 paths.KDC_CERT,
 paths.KDC_KEY,
 paths.SYSTEMD_IPA_SERVICE,
+paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
 paths.SYSTEMD_SSSD_SERVICE,
 paths.SYSTEMD_CERTMONGER_SERVICE,
 paths.SYSTEMD_PKI_TOMCAT_SERVICE,
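Review bot: Adding `paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF` to the backup list is only half of the fix, because this revision changes `ipa_backup.py` alone and a drop-in put back on disk is not merged into `httpd.service` until systemd reloads its configuration. The restore path needs a `systemctl --system daemon-reload` after the files are extracted and before httpd is started; otherwise the restored server shows the same missing-credentials symptom the commit message describes.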

[Freeipa-devel] [freeipa PR#607][synchronized] Backup ipa-specific httpd unit-file

2017-03-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/607
Author: stlaz
 Title: #607: Backup ipa-specific httpd unit-file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/607/head:pr607
git checkout pr607
From 657ac1620da3982a497b598b737b59935e6d7a58 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 16 Mar 2017 10:22:59 +0100
Subject: [PATCH] Backup ipa-specific httpd unit-file

On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.

The kdcproxy configuration symlink to enable kdcproxy was missing
as well, adding it on top of it.

https://pagure.io/freeipa/issue/6748
---
 ipaserver/install/ipa_backup.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 07c50c8..56583c0 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -166,6 +166,7 @@ class Backup(admintool.AdminTool):
 paths.KDC_CERT,
 paths.KDC_KEY,
 paths.SYSTEMD_IPA_SERVICE,
+paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF,
 paths.SYSTEMD_SSSD_SERVICE,
 paths.SYSTEMD_CERTMONGER_SERVICE,
 paths.SYSTEMD_PKI_TOMCAT_SERVICE,
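Review bot: This revision adds only `paths.SYSTEMD_SYSTEM_HTTPD_IPA_CONF`, yet the commit message still carries the paragraph about adding the kdcproxy configuration symlink. Drop that paragraph so the message matches the one-line diff and nobody later assumes the symlink is covered by the backup.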

[Freeipa-devel] [freeipa PR#607][comment] Backup ipa-specific httpd unit-file

2017-03-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/607
Title: #607: Backup ipa-specific httpd unit-file

stlaz commented:
"""
Ah, right.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/607#issuecomment-287032822

[Freeipa-devel] [freeipa PR#543][synchronized] Add options to allow ticket caching

2017-03-16 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/543
Author: simo5
 Title: #543: Add options to allow ticket caching
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/543/head:pr543
git checkout pr543
From d2c6121af9b4b366d0ff954a59f9a4917c634fc8 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Mon, 6 Mar 2017 13:46:44 -0500
Subject: [PATCH] Add options to allow ticket caching

With this new option (planned to land in gssproxy 0.7) we cache the ldap
ticket properly and avoid a ticket lookup to the KDC on each and every
ldap connection. (Also requires krb5 libs 1.15.1 to benefit from caching).

Ticket: https://pagure.io/freeipa/issue/6656

Signed-off-by: Simo Sorce 
---
 install/share/gssproxy.conf.template | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/install/share/gssproxy.conf.template b/install/share/gssproxy.conf.template
index fbb158a..9d11100 100644
--- a/install/share/gssproxy.conf.template
+++ b/install/share/gssproxy.conf.template
@@ -4,6 +4,7 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_protocol_transition = true
+  allow_client_ccache_sync = true
   cred_usage = both
   euid = $HTTPD_USER
 
@@ -12,5 +13,6 @@
   cred_store = keytab:$HTTP_KEYTAB
   cred_store = client_keytab:$HTTP_KEYTAB
   allow_constrained_delegation = true
+  allow_client_ccache_sync = true
   cred_usage = initiate
   euid = $IPAAPI_USER

[Freeipa-devel] [freeipa PR#604][closed] [4.5] Set zanata version to ipa-4-5

2017-03-16 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/604
Author: MartinBasti
 Title: #604: [4.5] Set zanata version to ipa-4-5
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/604/head:pr604
git checkout pr604

[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching

2017-03-16 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/543
Title: #543: Add options to allow ticket caching

simo5 commented:
"""
@MartinBasti can we push this? It makes a big difference in framework 
performance and load on the KDC
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/543#issuecomment-287024418