[Freeipa-devel] [freeipa PR#1544][opened] [Backport][ipa-4-6] ipa-kdb: use magic value to check if ipadb is used

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1544
Author: tiran
 Title: #1544: [Backport][ipa-4-6] ipa-kdb: use magic value to check if ipadb 
is used
Action: opened

PR body:
"""
Manual backport of PR #1537 

The certauth plugin is configured in /etc/krb5.conf independently from
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261

Reviewed-By: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1544/head:pr1544
git checkout pr1544
From 8b8947831f394bedcb6fc2344166e623e937b707 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 7 Feb 2018 17:10:08 +0100
Subject: [PATCH] ipa-kdb: use magic value to check if ipadb is used

The certauth plugin is configured in /etc/krb5.conf independently from
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261

Reviewed-By: Christian Heimes 
---
 daemons/ipa-kdb/ipa_kdb.c  | 1 +
 daemons/ipa-kdb/ipa_kdb.h  | 2 ++
 daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index c0f1e276ca..d547eb01b6 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -522,6 +522,7 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
 if (!ipactx) {
 return ENOMEM;
 }
+ipactx->magic = IPA_CONTEXT_MAGIC;
 
 /* only check for unsupported 'temporary' value for now */
 for (i = 0; db_args != NULL && db_args[i] != NULL; i++) {
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 72573a61ad..cffe330baa 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -101,7 +101,9 @@ struct ipadb_global_config {
 bool disable_preauth_for_spns;
 };
 
+#define IPA_CONTEXT_MAGIC 0x0c027ea7
 struct ipadb_context {
+int magic;
 char *uri;
 char *base;
 char *realm;
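Review bot: the new magic member carries no comment, yet its position at the start of struct ipadb_context is what the commit message relies on, because the certauth plugin reads it from whatever context the loaded database module returns. Add a comment next to "int magic;" stating that it must remain the first member, so a later reordering of the struct does not silently defeat the check.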
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index 66c2d08cbb..432379b333 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -131,7 +131,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext,
 krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin.");
 
 ipactx = ipadb_get_context(kcontext);
-if (ipactx == NULL) {
+if (ipactx == NULL || ipactx->magic != IPA_CONTEXT_MAGIC) {
 return KRB5_KDB_DBNOTINITED;
 }
 
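Review bot: the extended condition in ipa_get_init_data returns KRB5_KDB_DBNOTINITED for both a NULL context and a magic mismatch without logging which one occurred, so an administrator who enabled the certauth plugin without the IPA DAL driver sees only the "Initializing IPA certauth plugin." line followed by a generic error. A krb5_klog_syslog message in the mismatch case, naming the likely cause (certauth plugin configured in /etc/krb5.conf without the IPA database module), would make the misconfiguration diagnosable.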
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1543][opened] [Backport][ipa-4-6] ipa-kdb: use magic value to check if ipadb is used

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1543
Author: tiran
 Title: #1543: [Backport][ipa-4-6] ipa-kdb: use magic value to check if ipadb 
is used
Action: opened

PR body:
"""
This PR was opened automatically because PR #1537 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1543/head:pr1543
git checkout pr1543
From 470358fa03797dd5b89811bd4ae9fbe60b0281b4 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 7 Feb 2018 17:10:08 +0100
Subject: [PATCH] ipa-kdb: use magic value to check if ipadb is used

The certauth plugin is configured in /etc/krb5.conf independently from
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261
---
 daemons/ipa-kdb/ipa_kdb.c  | 1 +
 daemons/ipa-kdb/ipa_kdb.h  | 2 ++
 daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index b11153eccd..222900ae7a 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -522,6 +522,7 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
 if (!ipactx) {
 return ENOMEM;
 }
+ipactx->magic = IPA_CONTEXT_MAGIC;
 
 /* only check for unsupported 'temporary' value for now */
 for (i = 0; db_args != NULL && db_args[i] != NULL; i++) {
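Review bot: this hunk in ipadb_init_module is line for line the same change as in PR #1544, the manual backport of PR #1537 to ipa-4-6, while the blob hashes on the index line differ (b11153eccd..222900ae7a here, c0f1e276ca..d547eb01b6 there), so the two PRs are based on different versions of ipa_kdb.c. Confirm which one applies to the current ipa-4-6 head and close the other so the change is not merged twice.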
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index be2f457522..d187d969f5 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -101,7 +101,9 @@ struct ipadb_global_config {
 bool disable_preauth_for_spns;
 };
 
+#define IPA_CONTEXT_MAGIC 0x0c027ea7
 struct ipadb_context {
+int magic;
 char *uri;
 char *base;
 char *realm;
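Review bot: "int magic;" holds the constant 0x0c027ea7 and is only ever compared for equality; the value fits in a signed int, but a fixed-width unsigned type such as uint32_t would state the intent and keep the size of the leading field identical on every platform. Worth changing on master first and carrying into this backport.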
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index 35e5e7d086..82589f2f92 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -131,7 +131,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext,
 krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin.");
 
 ipactx = ipadb_get_context(kcontext);
-if (ipactx == NULL) {
+if (ipactx == NULL || ipactx->magic != IPA_CONTEXT_MAGIC) {
 return KRB5_KDB_DBNOTINITED;
 }
 
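Review bot: in the new condition, ipactx->magic is read through the pointer ipadb_get_context returns even when that context belongs to another database module, so the check assumes any such context is at least sizeof(int) bytes long and readable. A short comment above the if would tell later readers that the comparison is a type check on a possibly foreign structure and not only an initialization flag.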


[Freeipa-devel] [freeipa PR#1537][closed] ipa-kdb: use magic value to check if ipadb is used

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1537
Author: sumit-bose
 Title: #1537: ipa-kdb: use magic value to check if ipadb is used
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1537/head:pr1537
git checkout pr1537


[Freeipa-devel] [freeipa PR#1540][closed] [Backport][ipa-4-6] ipa_tests: test subca key replication

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1540
Author: tiran
 Title: #1540: [Backport][ipa-4-6] ipa_tests: test subca key replication
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1540/head:pr1540
git checkout pr1540


[Freeipa-devel] [freeipa PR#1542][opened] [Backport][ipa-4-6] Bump SELinux policy for DNSSEC

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1542
Author: tiran
 Title: #1542: [Backport][ipa-4-6] Bump SELinux policy for DNSSEC
Action: opened

PR body:
"""
This PR was opened automatically because PR #1509 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1542/head:pr1542
git checkout pr1542
From 149bd1442e9511686e7136cdddc731b838e3c791 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Tue, 6 Feb 2018 08:53:54 +0100
Subject: [PATCH] Bump SELinux policy for DNSSEC

selinux-policy-3.13.1-283.24 fixes an AVC with OpenDNSSEC ods-signer.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1537971
See: https://pagure.io/freeipa/issue/7378
Signed-off-by: Christian Heimes 
---
 freeipa.spec.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 7f4f93c70d..45bf53c09e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -57,7 +57,8 @@
 %global python_netaddr_version 0.7.16
 # Require 4.7.0 which brings Python 3 bindings
 %global samba_version 2:4.7.0
-%global selinux_policy_version 3.13.1-158.4
+# DNSSEC AVC violation, RHBZ#1537971
+%global selinux_policy_version 3.13.1-283.24
 %global slapi_nis_version 0.56.1
 
 # Use python3-pyldap to be compatible with old python3-pyldap 2.x and new
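Review bot: the new "%global selinux_policy_version 3.13.1-283.24" is set unconditionally, and the step up from 3.13.1-158.4 is large for a backport branch. Confirm that every distribution release ipa-4-6 is built for ships at least selinux-policy 3.13.1-283.24, or make the value conditional on the release so older targets stay buildable; the comment could also name pagure issue 7378 from the commit message next to RHBZ#1537971.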


[Freeipa-devel] [freeipa PR#1509][closed] Bump SELinux policy for DNSSEC

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1509
Author: tiran
 Title: #1509: Bump SELinux policy for DNSSEC
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1509/head:pr1509
git checkout pr1509


[Freeipa-devel] [freeipa PR#1541][opened] [Backport][ipa-4-6] ipa-server-upgrade now checks custodia server keys

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1541
Author: tiran
 Title: #1541: [Backport][ipa-4-6] ipa-server-upgrade now checks custodia 
server keys
Action: opened

PR body:
"""
This PR was opened automatically because PR #1507 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1541/head:pr1541
git checkout pr1541
From e257bfccba15efd8fffa7aeb187a4b3ca9f9745d Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 31 Jan 2018 09:57:26 +0100
Subject: [PATCH] ipa-server-upgrade now checks custodia server keys

The ipa-server-upgrade command now checks for presence of ipa-custodia's
config and server keys. In case any of the files is missing, it
re-creates both files.

Partly resolves https://pagure.io/freeipa/issue/6893. The upgrader does
not auto-detect broken or mismatching keys yet.

Signed-off-by: Christian Heimes 
---
 ipaserver/install/custodiainstance.py | 12 +++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 748f84763a..9bc1b2f41d 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -92,7 +92,17 @@ def __gen_keys(self):
 keystore.generate_server_keys()
 
 def upgrade_instance(self):
-if not sysupgrade.get_upgrade_state("custodia", "installed"):
+installed = sysupgrade.get_upgrade_state("custodia", "installed")
+if installed:
+if (not os.path.isfile(self.server_keys)
+or not os.path.isfile(self.config_file)):
+logger.warning(
+"Custodia server keys or config are missing, forcing "
+"reinstallation of ipa-custodia."
+)
+installed = False
+
+if not installed:
 logger.info("Custodia service is being configured")
 self.create_instance()
 else:
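Review bot: the warning in upgrade_instance does not say which of self.server_keys and self.config_file is missing, and a missing config file alone sets installed = False and sends a still-present key file through create_instance() as well. Log the missing path or paths, and consider handling the config-only case separately so existing keys are not regenerated without need. Also confirm that os is imported in custodiainstance.py, since the hunk adds os.path.isfile calls but no import.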


[Freeipa-devel] [freeipa PR#1507][closed] ipa-server-upgrade now checks custodia server keys

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1507
Author: tiran
 Title: #1507: ipa-server-upgrade now checks custodia server keys
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1507/head:pr1507
git checkout pr1507


[Freeipa-devel] Re: FreeIPA development good practices

2018-02-07 Thread Rob Crittenden via FreeIPA-devel
Felipe Barreto via FreeIPA-devel wrote:
> Hi flo,
> 
> that sounds great. Thank you for doing it.
> 
> I would like to add just one more topic:
> - The use of "make fastlint" to check pep8 issues

+1. Looks great to me, thanks for taking the lead on this.

rob

> 
> On 02/07/2018 02:52 PM, Florence Blanc-Renaud via FreeIPA-devel wrote:
>> Hi all,
>>
>> in order to promote good development practices, I would like to write
>> a wiki page stating FreeIPA expectations and helping contributors to
>> remain on track (or extend the Contribute/Code wiki page).
>>
>> The topics include a description explaining our use of the tools (such
>> as github, pagure etc), but also general development habits that
>> everyone should enforce.
>>
>> A draft is available below for your comments/suggestions.
>>
>> Thanks,
>> Flo
>>
>>
>>


[Freeipa-devel] [freeipa PR#1539][closed] [Backport][ipa-4-6] Python 3 support for DNSSEC

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1539
Author: tiran
 Title: #1539: [Backport][ipa-4-6] Python 3 support for DNSSEC
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1539/head:pr1539
git checkout pr1539


[Freeipa-devel] [freeipa PR#1540][opened] [Backport][ipa-4-6] ipa_tests: test subca key replication

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1540
Author: tiran
 Title: #1540: [Backport][ipa-4-6] ipa_tests: test subca key replication
Action: opened

PR body:
"""
This PR was opened automatically because PR #1516 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1540/head:pr1540
git checkout pr1540
From 5e892c2be26a7e9a9d7401a1f89031ed5820 Mon Sep 17 00:00:00 2001
From: Michal Reznik 
Date: Thu, 1 Feb 2018 13:17:48 +0100
Subject: [PATCH] ipa_tests: test subca key replication

Test if key replication is not failing.

https://pagure.io/freeipa/issue/7387
---
 .../test_integration/test_replica_promotion.py | 49 --
 1 file changed, 46 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 4629d1ff05..67b596209f 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -10,9 +10,9 @@
 from ipatests.pytest_plugins.integration import tasks
 from ipatests.pytest_plugins.integration.tasks import (
 assert_error, replicas_cleanup)
-from ipalib.constants import DOMAIN_LEVEL_0
-from ipalib.constants import DOMAIN_LEVEL_1
-from ipalib.constants import DOMAIN_SUFFIX_NAME
+from ipalib.constants import (
+DOMAIN_LEVEL_0, DOMAIN_LEVEL_1, DOMAIN_SUFFIX_NAME, IPA_CA_NICKNAME)
+from ipaplatform.paths import paths
 
 
 class ReplicaPromotionBase(IntegrationTest):
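Review bot: the import change adds IPA_CA_NICKNAME and paths, but the test class added further down also calls re.compile, re.findall and time.sleep, and this hunk starts at line 10, so the top of the file is not visible. Confirm that re and time are already imported in test_replica_promotion.py; otherwise the new test fails with a NameError.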
@@ -527,3 +527,46 @@ def test_replica_install_with_existing_entry(self):
 master.run_command(arg)
 
 tasks.install_replica(master, replica)
+
+
+class TestSubCAkeyReplication(IntegrationTest):
+"""
+Test if subca key replication is not failing.
+"""
+topology = 'line'
+num_replicas = 1
+
+SUBCA = 'test_subca'
+SUBCA_CN = 'cn=' + SUBCA
+
+PKI_DEBUG_PATH = '/var/log/pki/pki-tomcat/ca/debug'
+
+ERR_MESS = 'Caught exception during cert/key import'
+
+def test_sub_ca_key_replication(self):
+master = self.master
+replica = self.replicas[0]
+
+result = master.run_command(['ipa', 'ca-add', self.SUBCA, '--subject',
+ self.SUBCA_CN])
+
+uuid = '[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
+auth_id_re = re.compile('Authority ID: ({})'.format(uuid),
+re.IGNORECASE)
+auth_id = "".join(re.findall(auth_id_re, result.stdout_text))
+
+cert_nick = '{} {}'.format(IPA_CA_NICKNAME, auth_id)
+
+# give replication some time
+time.sleep(30)
+
+replica.run_command(['ipa-certupdate'])
+replica.run_command(['ipa', 'ca-show', self.SUBCA])
+
+tasks.run_certutil(replica, ['-L', '-n', cert_nick],
+   paths.PKI_TOMCAT_ALIAS_DIR)
+
+pki_debug_log = replica.get_file_contents(self.PKI_DEBUG_PATH,
+  encoding='utf-8')
+# check for cert/key import error message
+assert self.ERR_MESS not in pki_debug_log
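Review bot: auth_id is built with "".join(re.findall(...)) and never checked, so if "Authority ID:" is missing from the ca-add output the nickname becomes IPA_CA_NICKNAME plus a trailing space and the failure only surfaces later in run_certutil. Assert that exactly one match was found before building cert_nick. The fixed time.sleep(30) is a guess at replication latency; polling "ipa ca-show" on the replica with a timeout would be quicker and less flaky. The final assert can also trip on an older "Caught exception during cert/key import" line already present in the debug log, so compare only what was appended after ca-add.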


[Freeipa-devel] Re: FreeIPA development good practices

2018-02-07 Thread Petr Vobornik via FreeIPA-devel
On Wed, Feb 7, 2018 at 5:52 PM, Florence Blanc-Renaud via
FreeIPA-devel  wrote:
> Hi all,
>
> in order to promote good development practices, I would like to write a wiki
> page stating FreeIPA expectations and helping contributors to remain on
> track (or extend the Contribute/Code wiki page).
>
> The topics include a description explaining our use of the tools (such as
> github, pagure etc), but also general development habits that everyone
> should enforce.
>
> A draft is available below for your comments/suggestions.
>

Hi Flo,

good stuff.

Btw when I was reviewing https://www.freeipa.org/page/Contribute/Code
today, it reminded me that we already have some basis there. E.g.
https://www.freeipa.org/page/Coding_Best_Practices but this page is
quite specific to only some project aspects and lacks more general
ideas.

-- 
Petr Vobornik


[Freeipa-devel] Re: Handling of postponed/abandoned efforts

2018-02-07 Thread Felipe Barreto via FreeIPA-devel



On 02/07/2018 02:48 PM, Petr Vobornik via FreeIPA-devel wrote:
> Hi all,
>
> you could see that I and Christian closed some old postponed PRs.
>
> I was thinking how to keep track of such closed efforts in case we
> would like to return to some.
>
> An Idea I have is a postponed page on FreeIPA wiki.
>    https://www.freeipa.org/page/Postponed
>
> Which is also added to Roadmap to be discoverable:
>    https://www.freeipa.org/page/Roadmap
>
> I'm not sure with one thing. Usually, we close pr with rejected label.
> But if we close postponed PR with only "we don't have time" reason, we
> might want to keep postponed label there so that it can be easily
> found (query: is:pr is:closed label:postponed ).
>
> Do you see value in the page or the practice?

I would go with the practice, a page in wiki doesn't seem so easy to
maintain as a GH label. We could use the label postponed and
leave a comment as you mentioned.

> Thank you




[Freeipa-devel] Re: Handling of postponed/abandoned efforts

2018-02-07 Thread Scott Poore via FreeIPA-devel


- Original Message -
> From: "Petr Vobornik via FreeIPA-devel" 
> To: "Discussion of the development of FreeIPA" 
> 
> Cc: "Petr Vobornik" 
> Sent: Wednesday, February 7, 2018 10:48:14 AM
> Subject: [Freeipa-devel] Handling of postponed/abandoned efforts
> 
> Hi all,
> 
> you could see that I and Christian closed some old postponed PRs.
> 
> I was thinking how to keep track of such closed efforts in case we
> would like to return to some.
> 
> An Idea I have is a postponed page on FreeIPA wiki.
>   https://www.freeipa.org/page/Postponed
> 
> Which is also added to Roadmap to be discoverable:
>   https://www.freeipa.org/page/Roadmap
> 
> I'm not sure with one thing. Usually, we close pr with rejected label.
> But if we close postponed PR with only "we don't have time" reason, we
> might want to keep postponed label there so that it can be easily
> found (query: is:pr is:closed label:postponed ).
> 
> 
> Do you see value in the page or the practice?

Would you also triage that page occasionally and decide to keep or completely 
close PRs?  Would you have some age cutoff?  I'd say after some period in time 
it's unlikely to ever be completed.  After 5 years the PR gets tossed.

I'm just thinking you may end up with a lot of stuff there you'll never have 
time to do.

> 
> Thank you
> --
> Petr Vobornik


[Freeipa-devel] FreeIPA development good practices

2018-02-07 Thread Florence Blanc-Renaud via FreeIPA-devel

Hi all,

in order to promote good development practices, I would like to write a 
wiki page stating FreeIPA expectations and helping contributors to 
remain on track (or extend the Contribute/Code wiki page).


The topics include a description explaining our use of the tools (such 
as github, pagure etc), but also general development habits that 
everyone should enforce.


A draft is available below for your comments/suggestions.

Thanks,
Flo
Developing for FreeIPA

1 Opening an issue

* FreeIPA is using pagure.io to track its upstream issues (either corresponding 
to bugs or requests for enhancements): https://pagure.io/freeipa/issues
* Bugs against released Fedora version can be logged in Bugzilla 
(https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora=freeipa) 
with the freeipa component.
* Bugs against released Red Hat Enterprise Linux versions of Identity 
Management product can be logged in Bugzilla 
(https://bugzilla.redhat.com/enter_bug.cgi?product=Red%20Hat%20Enterprise%20Linux%207=ipa)
 with the ipa component.

When opening an issue, please refer to the advice in 
https://www.freeipa.org/page/Troubleshooting#Reporting_bugs in order to 
include the relevant information. The page for new issue 
(https://pagure.io/freeipa/new_issue) will display a template guiding you.

2 Working on an issue

When you start working on a pagure.io ticket,
* assign the ticket to yourself by clicking on the "Take" button, in order to 
avoid multiple developers working on the same issues.
* follow the Contribute/Code guidelines 
(https://www.freeipa.org/page/Contribute/Code).
* create a corresponding test for each ticket

As soon as your code is ready for review:
* create a Pull Request (PR) following 
https://www.freeipa.org/page/Pull_request_on_Github
* update the pagure.io ticket: click on "Edit metadata" and edit the on_review 
field with the link to the PR

The PR will trigger only a subset of the tests. Please keep in mind that, due 
to resource limitations, all the tests from the source tree will not be 
executed. 
We expect you to check if the PR-CI tests are indeed testing your fix. If some 
parts of your code are not executed by the PR-CI, then you need to:
* check if there are tests in ipatests/ which validate your fix
* run these tests using the instructions in https://www.freeipa.org/page/Testing
* list these tests in your PR
* mention which commands or scenarios should be thoroughly checked by the 
reviewer
* describe the manual tests that you have run

A good habit is also to try to reproduce the issue first: build a scenario that 
consistently shows the issue, then implement the fix, and re-run the same 
scenario to make sure that the fix is correct.

Once the review is in progress, please remember that the fix is still under 
your responsibility as long as no ACK has been given. This means that you 
should answer questions or requests for modifications and update your PR by 
taking into account all the comments.

If the PR does not progress for a while, you can assign the review to a 
developer by setting an Assignee (in the PR page, click on Assignees and pick a 
reviewer).


3 Reviewing a PR

When you start reviewing a PR, add your name to the Assignees list in order to 
avoid duplication of effort.

The reviewer responsibilities include the following steps:
* check that the PR-CI was successful (otherwise comment on the PR asking for a 
fix, for instance because lint failed ...)
* check that the PR includes a corresponding test and that the test scenario 
exhibits the issue
* build with the patch
* install and run
* try to consider how you would have fixed the issue and compare with the 
proposed fix if a different strategy was picked
* try to consider the potential regressions (for instance if a method is 
modified, identify which parts of the code are using this method, and check 
whether they are tested)
* if the PR-CI does not validate the fix, check if there are existing tests 
that are relevant and launch them, or perform a manual verification.

Remember that a reviewer also has a teaching or guiding role: suggest 
enhancements or point to existing portions of code that could be reused, 
promote good practices and always assume good intent. The PR submitter may be 
new to FreeIPA or even new to python development and is certainly willing to 
improve and learn from others.

In the review comments, list the checks that you manually did or the scenario 
that you tested. Make objective and well-argued comments (avoid "I don't like 
that..." but rather explain "this should not be done this way because...") and 
suggest improvements or alternate strategies when you request a change.

Finally, when you are OK with the fix, give the ACK label to the PR so that the 
fix can be pushed by one of the FreeIPA members.




[Freeipa-devel] Re: Discussion: Removing special characters from host-add random one-time-password generation

2018-02-07 Thread Rob Crittenden via FreeIPA-devel
John Larson via FreeIPA-devel wrote:
> I recently experienced an issue where special characters in the "ipa
> host-add" operation were interpreted by bash in an unattended
> provisioning script. In checking the log after the provisioning failure,
> I saw the password was considered incorrect by the server.
> 
> I never had this issue before 4.5.0 was released because prior to that,
> a smaller subset of special characters were allowed and any special
> character that needed to be escaped was removed. Upon further
> inspection, I discovered that the script I was using to provision my
> servers did not have the password quoted properly. I was able to modify
> that and the issue was resolved.
> 
> Would it be better to exclude all special characters in the random
> password generation for host-add moving forward? When the special
> character set was expanded in 4.5.0, this could cause issues for people
> who were operating under the assumption that troublesome special
> characters were excluded.
> 
> Here are some references for consideration.
> 
> This is the original bug and the fix from 2012. This "fix" was removed
> in 4.5.0 and all special characters are now valid:
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=827392
> 
> Here is my pull request that will remove special characters from random
> OTP generation moving forward:
> 
>  https://github.com/freeipa/freeipa/pull/1505
> 
> Do you think it should be left to the user to properly quote variables
> or remove the possibility of the issue by removing special characters
> for the host-add operation? Do you think that, since the whole array
> of special characters was opened up in 4.5.0, that this can be perceived
> as a "regression"?

I consider it a regression in that we used to specifically not return a
set of characters and now it is possible. Certainly any consumers of
that data should do proper quoting but if they bothered to look they
would have seen that we excluded characters which made the shell blow up.

I think passing in special=None for a host OTP is sufficient given the
entropy of the password shouldn't change (the string just gets a bit
longer).

rob
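
An added illustration of the trade-off discussed in this thread (not code from FreeIPA or from either poster): dropping the special characters shrinks the alphabet, so a generator needs a few more characters to reach the same entropy, and the result no longer needs shell quoting. The 256-bit target, the function names and the boolean `special` flag are assumptions made for this example.

```python
import math
import secrets
import shlex
import string

# Alphabets used by this example (assumed, not taken from FreeIPA).
ALNUM = string.ascii_letters + string.digits   # 62 symbols
SPECIAL = string.punctuation                   # 32 symbols


def length_for_entropy(alphabet_size, entropy_bits):
    """Smallest length whose uniformly random strings carry >= entropy_bits."""
    return math.ceil(entropy_bits / math.log2(alphabet_size))


def generate_otp(entropy_bits=256, special=True):
    """Return a random one-time password carrying at least entropy_bits.

    With special=False only letters and digits are used; the string is
    made longer so that the entropy target is still met.
    """
    alphabet = ALNUM + SPECIAL if special else ALNUM
    length = length_for_entropy(len(alphabet), entropy_bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def needs_shell_quoting(value):
    """True if a POSIX shell could alter the value when it is left unquoted."""
    return shlex.quote(value) != value


def compare(entropy_bits=256):
    """Summarise both variants for the same entropy target."""
    with_special = generate_otp(entropy_bits, special=True)
    without_special = generate_otp(entropy_bits, special=False)
    return {
        "length_with_special": len(with_special),
        "length_without_special": len(without_special),
        "alnum_needs_quoting": needs_shell_quoting(without_special),
        # Whatever the generator returns, a provisioning script should
        # pass it on in quoted form:
        "quoted_for_shell": shlex.quote(with_special),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print("{}: {}".format(key, value))
```
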


[Freeipa-devel] [freeipa PR#310][closed] WIP: CLI testing

2018-02-07 Thread pvoborni via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/310
Author: mirielka
 Title: #310: WIP: CLI testing
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/310/head:pr310
git checkout pr310


[Freeipa-devel] [freeipa PR#1538][opened] Replace hard-coded paths with path constants

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1538
Author: tiran
 Title: #1538: Replace hard-coded paths with path constants
Action: opened

PR body:
"""
Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1538/head:pr1538
git checkout pr1538
From f63e2dc563f836fb856cbf39842968ee9f443785 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 7 Feb 2018 17:18:07 +0100
Subject: [PATCH] Replace hard-coded paths with path constants

Several run() calls used hard-coded paths rather than pre-defined paths
from ipaplatform.paths. The patch fixes all places that I was able to
find with a simple search.

Signed-off-by: Christian Heimes 
---
 client/ipa-client-automount|  2 +-
 install/tools/ipa-adtrust-install  |  2 +-
 install/tools/ipa-ca-install   |  2 +-
 install/tools/ipa-dns-install  |  2 +-
 ipaclient/install/client.py|  6 +++---
 ipaplatform/base/paths.py  |  4 
 ipapython/kernel_keyring.py| 24 +++---
 ipaserver/install/adtrustinstance.py   |  6 --
 ipaserver/install/installutils.py  | 17 ++-
 ipaserver/install/ipa_backup.py|  4 ++--
 ipaserver/install/ipa_restore.py   |  4 ++--
 ipatests/pytest_plugins/integration/__init__.py|  3 ++-
 ipatests/test_integration/test_caless.py   |  2 +-
 .../test_xmlrpc/test_caacl_profile_enforcement.py  |  3 ++-
 ipatests/test_xmlrpc/test_cert_plugin.py   |  2 +-
 15 files changed, 54 insertions(+), 29 deletions(-)

diff --git a/client/ipa-client-automount b/client/ipa-client-automount
index ee55d655c9..6c2816c410 100755
--- a/client/ipa-client-automount
+++ b/client/ipa-client-automount
@@ -92,7 +92,7 @@ def wait_for_sssd():
 time.sleep(1)
 while n < 10 and not found:
 try:
-ipautil.run(["getent", "passwd", "admin@%s" % api.env.realm])
+ipautil.run([paths.GETENT, "passwd", "admin@%s" % api.env.realm])
 found = True
 except Exception:
 time.sleep(1)
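Review bot: paths.GETENT replaces the bare "getent" in wait_for_sssd, but neither the import of paths in client/ipa-client-automount nor the definition of GETENT is visible here; the diffstat lists four added lines in ipaplatform/base/paths.py. Confirm that each constant used in the visible hunks (GETENT, KINIT, IPACTL, KDESTROY) is defined there as an absolute path and that every touched script imports paths, because a missing attribute at this call is swallowed by the "except Exception" below and would only show up as SSSD never being found.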
diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index d4e5d4c09c..6e0c60a042 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -110,7 +110,7 @@ def read_admin_password(admin_name):
 
 def ensure_admin_kinit(admin_name, admin_password):
 try:
-ipautil.run(['kinit', admin_name], stdin=admin_password+'\n')
+ipautil.run([paths.KINIT, admin_name], stdin=admin_password+'\n')
 except ipautil.CalledProcessError:
 print("There was error to automatically re-kinit your admin user "
   "ticket.")
diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 812dcb235e..212c432a1d 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -341,7 +341,7 @@ def main():
 install(safe_options, options, filename)
 
 # execute ipactl to refresh services status
-ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
+ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'],
 raiseonerr=False)
 
 api.Backend.ldap2.disconnect()
diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index a7f136b16a..0e527b2e83 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -150,7 +150,7 @@ def main():
 dns_installer.install(True, False, options)
 
 # execute ipactl to refresh services status
-ipautil.run(['ipactl', 'start', '--ignore-service-failures'],
+ipautil.run([paths.IPACTL, 'start', '--ignore-service-failures'],
 raiseonerr=False)
 
 api.Backend.ldap2.disconnect()
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 5173d90bfe..2c7f2d3163 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2576,7 +2576,7 @@ def _install(options):
 subject_base = DN(subject_base)
 
 if options.principal is not None:
-run(["kdestroy"], raiseonerr=False, env=env)
+run([paths.KDESTROY], raiseonerr=False, env=env)
 
 # Obtain the TGT. We do it with the temporary krb5.conf, so that
 # only the KDC we're installing under is contacted.
@@ -2911,7 +2911,7 @@ def _install(options):
 # Particulary, SSSD might take longer than 6-8 seconds.
 while n < 10 and not found:
 try:
-ipautil.run(["getent", "passwd", user])
+

[Freeipa-devel] [freeipa PR#1537][opened] ipa-kdb: use magic value to check if ipadb is used

2018-02-07 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1537
Author: sumit-bose
 Title: #1537: ipa-kdb: use magic value to check if ipadb is used
Action: opened

PR body:
"""
The certauth plugin is configured in /etc/krb5.conf independently from
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1537/head:pr1537
git checkout pr1537
From 86347cdaec7bb67335251d9ea3c718533584590a Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 7 Feb 2018 17:10:08 +0100
Subject: [PATCH] ipa-kdb: use magic value to check if ipadb is used

The certauth plugin is configured in /etc/krb5.conf independently from
the database module. As a result the IPA certauth plugin can be added to
the configuration without the IPA DAL driver. Since the IPA certauth
plugin depends on the presence of the IPA DAL driver this patch adds a
magic value at the beginning of struct ipadb_context which can be
checked to see if the IPA DAL driver is properly initialized.

Resolves https://pagure.io/freeipa/issue/7261
---
 daemons/ipa-kdb/ipa_kdb.c  | 1 +
 daemons/ipa-kdb/ipa_kdb.h  | 2 ++
 daemons/ipa-kdb/ipa_kdb_certauth.c | 2 +-
 3 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index b11153eccd..222900ae7a 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -522,6 +522,7 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
 if (!ipactx) {
 return ENOMEM;
 }
+ipactx->magic = IPA_CONTEXT_MAGIC;
 
 /* only check for unsupported 'temporary' value for now */
 for (i = 0; db_args != NULL && db_args[i] != NULL; i++) {
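Review bot: `ipactx->magic` is set right after the allocation check, but none of the four lines this patch adds ever clears it again. Consider resetting the field to 0 where the context is released, so that a stale pointer to a freed context is less likely to satisfy the `ipactx->magic != IPA_CONTEXT_MAGIC` test added in ipa_kdb_certauth.c.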
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index be2f457522..d187d969f5 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -101,7 +101,9 @@ struct ipadb_global_config {
 bool disable_preauth_for_spns;
 };
 
+#define IPA_CONTEXT_MAGIC 0x0c027ea7
 struct ipadb_context {
+int magic;
 char *uri;
 char *base;
 char *realm;
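Review bot: `int magic;` carries no comment saying that it must remain the first member of `struct ipadb_context`. The certauth check reads this field through a pointer that, per the commit message, may belong to a different database module, so the comparison only means something while the field sits at offset 0. Please document that on the member and on `IPA_CONTEXT_MAGIC`, and consider a fixed-width unsigned type such as `uint32_t` for a value written as a 32-bit hex constant.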
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index 35e5e7d086..82589f2f92 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -131,7 +131,7 @@ static krb5_error_code ipa_get_init_data(krb5_context kcontext,
 krb5_klog_syslog(LOG_INFO, "Initializing IPA certauth plugin.");
 
 ipactx = ipadb_get_context(kcontext);
-if (ipactx == NULL) {
+if (ipactx == NULL || ipactx->magic != IPA_CONTEXT_MAGIC) {
 return KRB5_KDB_DBNOTINITED;
 }
 
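Review bot: when the magic value does not match, `ipa_get_init_data` returns `KRB5_KDB_DBNOTINITED` without logging why. The only trace left is the preceding "Initializing IPA certauth plugin." message, which makes the misconfiguration described in the commit message (certauth plugin enabled without the IPA DAL driver) hard to diagnose. Add a `krb5_klog_syslog` line on this path, and consider moving the magic comparison into `ipadb_get_context` so every caller gets the same protection rather than this one call site.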
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#1533][closed] [Backport][ipa-4-6] ipa-advise for smartcards updated

2018-02-07 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1533
Author: flo-renaud
 Title: #1533: [Backport][ipa-4-6] ipa-advise for smartcards updated
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1533/head:pr1533
git checkout pr1533


[Freeipa-devel] [freeipa PR#1532][closed] [Backport][ipa-4-5] ipa-advise for smartcards updated

2018-02-07 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1532
Author: flo-renaud
 Title: #1532: [Backport][ipa-4-5] ipa-advise for smartcards updated
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1532/head:pr1532
git checkout pr1532


[Freeipa-devel] [freeipa PR#1527][closed] [Backport][ipa-4-5] Fix replica_promotion-domlevel0 test failures

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1527
Author: tiran
 Title: #1527: [Backport][ipa-4-5] Fix replica_promotion-domlevel0 test failures
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1527/head:pr1527
git checkout pr1527


[Freeipa-devel] [freeipa PR#1534][closed] [Backport][ipa-4-6] Make IntegrationTest fail if an error happened during uninstall

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1534
Author: tiran
 Title: #1534: [Backport][ipa-4-6] Make IntegrationTest fail if an error 
happened during uninstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1534/head:pr1534
git checkout pr1534


[Freeipa-devel] [freeipa PR#1536][opened] Fix multiple uninstallation of server

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1536
Author: tiran
 Title: #1536: Fix multiple uninstallation of server
Action: opened

PR body:
"""
"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.

Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1536/head:pr1536
git checkout pr1536
From 8026c6d8e1803d2e8f3e5ee0dd54a696a421e9d1 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 7 Feb 2018 14:22:06 +0100
Subject: [PATCH] Fix multiple uninstallation of server

"ipa-server-install --uninstall" no longer fails with error message
"'Env' object has no attribute 'basedn'" when executed on a system that
has no freeIPA server installation.

Fixes: https://pagure.io/freeipa/issue/7063
Signed-off-by: Christian Heimes 
---
 ipalib/config.py | 10 ++
 ipaserver/secrets/kem.py | 20 
 2 files changed, 22 insertions(+), 8 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 4ee10d2a80..52b032a25a 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -576,6 +576,16 @@ def _finalize_core(self, **defaults):
 if 'log' not in self:
 self.log = self._join('logdir', '%s.log' % self.context)
 
+# Workaround for ipa-server-install --uninstall. When no config file
+# is available, we set realm, domain, and basedn to RFC 2606 reserved
+# suffix to suppress attribute errors during uninstallation.
+if (self.in_server and self.context == 'installer' and
+not getattr(self, 'config_loaded', False)):
+if 'realm' not in self:
+self.realm = 'UNCONFIGURED.INVALID'
+if 'domain' not in self:
+self.domain = self.realm.lower()
+
 if 'basedn' not in self and 'domain' in self:
 self.basedn = DN(*(('dc', dc) for dc in self.domain.split('.')))
 
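Review bot: the condition `self.in_server and self.context == 'installer' and not getattr(self, 'config_loaded', False)` does not test for uninstallation, although the comment describes the block as a workaround for `ipa-server-install --uninstall`. Any server-side installer run without a loaded config file would get `UNCONFIGURED.INVALID` as its realm, and the `basedn` derived from it in the lines that follow. Either narrow the condition or state in the comment why the wider scope is safe. The comment also lists basedn among the values set here, while the block itself only assigns realm and domain.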
diff --git a/ipaserver/secrets/kem.py b/ipaserver/secrets/kem.py
index 5521c4772b..ad932b6b68 100644
--- a/ipaserver/secrets/kem.py
+++ b/ipaserver/secrets/kem.py
@@ -207,12 +207,15 @@ class IPAKEMKeys(KEMKeysStore):
 def __init__(self, config=None, ipaconf=paths.IPA_DEFAULT_CONF):
 super(IPAKEMKeys, self).__init__(config)
 conf = ConfigParser()
-conf.read(ipaconf)
-self.host = conf.get('global', 'host')
-self.realm = conf.get('global', 'realm')
+self.host = None
+self.realm = None
 self.ldap_uri = config.get('ldap_uri', None)
-if self.ldap_uri is None:
-self.ldap_uri = conf.get('global', 'ldap_uri', raw=True)
+if conf.read(ipaconf):
+self.host = conf.get('global', 'host')
+self.realm = conf.get('global', 'realm')
+if self.ldap_uri is None:
+self.ldap_uri = conf.get('global', 'ldap_uri', raw=True)
+
 self._server_keys = None
 
 def find_key(self, kid, usage):
@@ -259,9 +262,10 @@ def remove_keys(self, servicename):
 """
 self.remove_server_keys_file()
 principal = '%s/%s@%s' % (servicename, self.host, self.realm)
-ldapconn = KEMLdap(self.ldap_uri)
-ldapconn.del_key(KEY_USAGE_SIG, principal)
-ldapconn.del_key(KEY_USAGE_ENC, principal)
+if self.ldap_uri is not None:
+ldapconn = KEMLdap(self.ldap_uri)
+ldapconn.del_key(KEY_USAGE_SIG, principal)
+ldapconn.del_key(KEY_USAGE_ENC, principal)
 
 @property
 def server_keys(self):
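Review bot: `principal` is still built from `self.host` and `self.realm` before the new `if self.ldap_uri is not None:` guard, and after this patch both can be None. When the ipaconf file cannot be read but `config` supplies `ldap_uri`, `del_key` is called with a principal of the form `name/None@None`. Guard on host and realm as well, or return early when they are unset.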


[Freeipa-devel] [freeipa PR#1535][opened] [WIP] Deprecate NTP

2018-02-07 Thread Tiboris via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1535
Author: Tiboris
 Title: #1535: [WIP] Deprecate NTP
Action: opened

PR body:
"""

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1535/head:pr1535
git checkout pr1535
From 6ceb7bf604777a0069e1fc871d154bcef5a1519d Mon Sep 17 00:00:00 2001
From: Tibor Dudlák
Date: Fri, 2 Feb 2018 13:16:29 +0100
Subject: [PATCH] [WIP] Deprecate NTP

---
 freeipa.spec.in | 11 ---
 ipaclient/install/client.py |  2 +-
 2 files changed, 1 insertion(+), 12 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index be2cb869a5..24793eceb8 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -322,7 +322,6 @@ Requires(post): krb5-server >= %{krb5_version}
 Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
 Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
-Requires: ntp
 Requires: httpd >= 2.4.6-31
 %if 0%{with_python3}
 Requires(preun): python3
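Review bot: `Requires: ntp` is dropped here with no other time synchronization dependency added in its place, and neither the PR body nor the commit message says what replaces it. This package also requires krb5-server, and Kerberos authentication depends on clocks staying within the allowed skew, so please state the intended replacement before this leaves WIP.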
@@ -579,7 +578,6 @@ Requires: python2-ldap >= %{python2_ldap_version}
 Requires: python2-sssdconfig
 %endif
 Requires: cyrus-sasl-gssapi%{?_isa}
-Requires: ntp
 Requires: krb5-workstation >= %{krb5_version}
 Requires: authconfig
 Requires: curl
@@ -1269,15 +1267,6 @@ if [ $1 -gt 1 ] ; then
 fi
 fi
 
-if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
-if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
-sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
-mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
-
-/bin/systemctl condrestart ntpd.service 2>&1 || :
-fi
-fi
-
 if [ $restore -ge 2 ]; then
 %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
 fi
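Review bot: removing the block that strips `-u ntp:ntp` from /etc/sysconfig/ntpd means hosts upgraded from a version that wrote that option keep it in place. If that is intended, say so in the commit message, which is currently empty; otherwise keep the cleanup for upgrades.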
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 5173d90bfe..543697c460 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -3442,7 +3442,7 @@ class ClientInstallInterface(hostname_.HostNameInstallInterface,
 ntp_servers = enroll_only(ntp_servers)
 
 no_ntp = knob(
-None,
+None, True,
 description="do not configure ntp",
 cli_names=[None, '-N'],
 )
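Review bot: the added `True` in `knob(None, True, ...)` looks like a default value, which would make `no_ntp` true even when `-N` is not given. If that reading is right, the `-N` option no longer changes anything and the `ntp_servers` knob just above has no effect, so either remove both options or provide a way to turn NTP configuration back on. The description "do not configure ntp" should then be updated to match.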


[Freeipa-devel] [freeipa PR#1534][opened] [Backport][ipa-4-6] Make IntegrationTest fail if an error happened during uninstall

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1534
Author: tiran
 Title: #1534: [Backport][ipa-4-6] Make IntegrationTest fail if an error 
happened during uninstall
Action: opened

PR body:
"""
This PR was opened automatically because PR #1459 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1534/head:pr1534
git checkout pr1534
From be54239bfc51913216c2f362c911308731900667 Mon Sep 17 00:00:00 2001
From: Felipe Barreto 
Date: Fri, 26 Jan 2018 14:31:14 -0200
Subject: [PATCH] Make IntegrationTest fail if an error happened during
 uninstall

Before this change, if the uninstall process fails, the test would not fail, due
to the raiseonerr=False.

It's necessary to remove the uninstall call in CALessBase because in
TestIntegration there is another uninstall call. So, without the
raiseonerr=False, it would make the uninstall process fail, since the master is
already uninstalled.

https://pagure.io/freeipa/issue/7357
---
 ipatests/pytest_plugins/integration/tasks.py | 2 +-
 ipatests/test_integration/test_caless.py | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py
index a6fdca39e6..d9ba187d92 100644
--- a/ipatests/pytest_plugins/integration/tasks.py
+++ b/ipatests/pytest_plugins/integration/tasks.py
@@ -710,7 +710,7 @@ def uninstall_master(host, ignore_topology_disconnect=True,
 if ignore_last_of_role and host_domain_level != DOMAIN_LEVEL_0:
 uninstall_cmd.append('--ignore-last-of-role')
 
-host.run_command(uninstall_cmd, raiseonerr=False)
+host.run_command(uninstall_cmd)
 host.run_command(['pkidestroy', '-s', 'CA', '-i', 'pki-tomcat'],
  raiseonerr=False)
 host.run_command(['rm', '-rf',
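Review bot: with `raiseonerr=False` removed from `host.run_command(uninstall_cmd)`, a failing uninstall now raises before the `pkidestroy` and `rm -rf` cleanup commands that follow it are run. That makes the test fail as intended, but it also leaves the host uncleaned for whatever runs next. Consider wrapping the uninstall in try/finally so the cleanup still executes and the error is re-raised afterwards.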
diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 76f40292fd..09973dd1f8 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -159,8 +159,6 @@ def install(cls, mh):
 def uninstall(cls, mh):
 # Remove the NSS database
 shutil.rmtree(cls.cert_dir)
-for host in cls.get_all_hosts():
-tasks.uninstall_master(host)
 super(CALessBase, cls).uninstall(mh)
 
 @classmethod


[Freeipa-devel] [freeipa PR#1459][closed] Make IntegrationTest fail if an error happened during uninstall

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1459
Author: felipevolpone
 Title: #1459: Make IntegrationTest fail if an error happened during uninstall
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1459/head:pr1459
git checkout pr1459


[Freeipa-devel] Contribute/Code wiki page updated

2018-02-07 Thread Petr Vobornik via FreeIPA-devel
Hi all,

I've updated the Contribute/Code wiki page to reflect reality:

https://www.freeipa.org/index.php?title=Contribute%2FCode=revision=15186=15023

Main changes:
- removal of the contribution process through sending emails with a patch.
We have not received such a contribution for a very long time. It makes
the page unnecessarily long and we require CI checks to pass, so a pull
request is a must. If somebody sends it via email then we will deal
with it, but no need to advertise it.
- replacement of mentions of and links to Trac with Pagure
- updated review process so that it requires CI checks to pass
- updated devel mailing list link

-- 
Petr Vobornik

Associate Manager, Engineering, Identity Management
Red Hat


[Freeipa-devel] [freeipa PR#1532][opened] [Backport][ipa-4-5] ipa-advise for smartcards updated

2018-02-07 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1532
Author: flo-renaud
 Title: #1532: [Backport][ipa-4-5] ipa-advise for smartcards updated
Action: opened

PR body:
"""
This PR was opened automatically because PR #1469 was pushed to master and 
backport to ipa-4-5 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1532/head:pr1532
git checkout pr1532
From fe1a5462e619b27ad194e7eebdf0e9fd51ee50b7 Mon Sep 17 00:00:00 2001
From: amitkuma 
Date: Tue, 16 Jan 2018 15:56:25 +0530
Subject: [PATCH] ipa-advise for smartcards updated

..
authconfig --enablesmartcard --smartcardmodule=sssd --updateall

Advise is updated to:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd
--smartcardaction=1 --updateall

Resolves: https://pagure.io/freeipa/issue/7358
---
 ipaserver/advise/plugins/smart_card_auth.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index fb328f29ca..109e9ba381 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -315,7 +315,8 @@ def add_pkcs11_module_to_systemwide_db(self):
 
 def run_authconfig_to_configure_smart_card_auth(self):
 self.log.exit_on_failed_command(
-'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',
+ 'authconfig --enablesssd --enablesssdauth --enablesmartcard '
+ '--smartcardmodule=sssd --smartcardaction=1 --updateall',
 [
 'Failed to configure Smart Card authentication in SSSD'
 ]
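Review bot: `--smartcardaction=1` in the new command string is a bare number with no explanation in the advice output or the commit message. Please add a comment saying which card-removal action the value 1 selects, and say in the commit message why `--enablesssd --enablesssdauth` are now required, since the message only shows the old and new command lines.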


[Freeipa-devel] [freeipa PR#1533][opened] [Backport][ipa-4-6] ipa-advise for smartcards updated

2018-02-07 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1533
Author: flo-renaud
 Title: #1533: [Backport][ipa-4-6] ipa-advise for smartcards updated
Action: opened

PR body:
"""
This PR was opened automatically because PR #1469 was pushed to master and 
backport to ipa-4-6 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1533/head:pr1533
git checkout pr1533
From 79cc5781760e4980677f98ab1108be6955463d9f Mon Sep 17 00:00:00 2001
From: amitkuma 
Date: Tue, 16 Jan 2018 15:56:25 +0530
Subject: [PATCH] ipa-advise for smartcards updated

..
authconfig --enablesmartcard --smartcardmodule=sssd --updateall

Advise is updated to:
authconfig --enablesssd --enablesssdauth --enablesmartcard --smartcardmodule=sssd
--smartcardaction=1 --updateall

Resolves: https://pagure.io/freeipa/issue/7358
---
 ipaserver/advise/plugins/smart_card_auth.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index fb328f29ca..109e9ba381 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -315,7 +315,8 @@ def add_pkcs11_module_to_systemwide_db(self):
 
 def run_authconfig_to_configure_smart_card_auth(self):
 self.log.exit_on_failed_command(
-'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',
+ 'authconfig --enablesssd --enablesssdauth --enablesmartcard '
+ '--smartcardmodule=sssd --smartcardaction=1 --updateall',
 [
 'Failed to configure Smart Card authentication in SSSD'
 ]
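Review bot: the two added string lines appear to start one column further right than the `'authconfig ...'` line they replace. Please check the indentation against the surrounding arguments of `exit_on_failed_command` before merging the backport.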


[Freeipa-devel] [freeipa PR#1469][closed] ipa-advise for smartcards updated

2018-02-07 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1469
Author: amitkumar50
 Title: #1469: ipa-advise for smartcards updated
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1469/head:pr1469
git checkout pr1469


[Freeipa-devel] [freeipa PR#1420][closed] Fix python-ldap byte warnings

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1420
Author: tiran
 Title: #1420: Fix python-ldap byte warnings
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1420/head:pr1420
git checkout pr1420


[Freeipa-devel] [freeipa PR#927][closed] WebUI: Cockpit integration

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/927
Author: pvomacka
 Title: #927: WebUI: Cockpit integration
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/927/head:pr927
git checkout pr927


[Freeipa-devel] [freeipa PR#1458][closed] Prepare migration of mod_nss NSSDB to sql format

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1458
Author: tiran
 Title: #1458: Prepare migration of mod_nss NSSDB to sql format
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1458/head:pr1458
git checkout pr1458


[Freeipa-devel] [freeipa PR#1339][closed] Bump 389-ds-base to 1.3.7.8-1

2018-02-07 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/1339
Author: stlaz
 Title: #1339: Bump 389-ds-base to 1.3.7.8-1
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1339/head:pr1339
git checkout pr1339