[Freeipa-devel] [freeipa PR#5982][closed] [Backport][ipa-4-9] schema plugin: Generate stable fingerprint

2021-08-25 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5982
Author: flo-renaud
 Title: #5982: [Backport][ipa-4-9] schema plugin: Generate stable fingerprint
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5982/head:pr5982
git checkout pr5982
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure


[Freeipa-devel] [freeipa PR#5991][opened] extdom: return LDAP_NO_SUCH_OBJECT if domains differ

2021-08-25 Thread sumit-bose via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5991
Author: sumit-bose
 Title: #5991: extdom: return LDAP_NO_SUCH_OBJECT if domains differ
Action: opened

PR body:
"""
If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exist in the
given domain.

Resolves: https://pagure.io/freeipa/issue/8965
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5991/head:pr5991
git checkout pr5991
From 78fc4aba2dc7f5278e53e8ad5faeb1869731b5b7 Mon Sep 17 00:00:00 2001
From: Sumit Bose 
Date: Wed, 25 Aug 2021 17:10:29 +0200
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ

If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exist in the
given domain.

Resolves: https://pagure.io/freeipa/issue/8965
---
 .../ipa-extdom-extop/ipa_extdom_common.c  | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 5d97ff6137d..6f646b9f49e 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
-ret = LDAP_INVALID_SYNTAX;
+/* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ret = LDAP_NO_SUCH_OBJECT;
 goto done;
 }
 }
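
Review bot: The new LDAP_NO_SUCH_OBJECT return in the else branch of pack_ber_user has no test coverage in this patch (the diffstat lists only ipa_extdom_common.c). This return code is what tells a client that the ID is absent from the requested domain rather than that the request was malformed, so please add a test that looks up a UID in one trusted domain while the matching object exists only in another and asserts the new code. That way a later refactor cannot silently revert to LDAP_INVALID_SYNTAX.
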
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
 if (strcasecmp(locat+1, domain_name) == 0  ) {
 locat[0] = '\0';
 } else {
-ret = LDAP_INVALID_SYNTAX;
+/* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ret = LDAP_NO_SUCH_OBJECT;
 goto done;
 }
 }
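
Review bot: The else branch in pack_ber_group is now a second copy of the comment and assignment added to pack_ber_user, on top of the already duplicated `strcasecmp(locat+1, domain_name)` check. Consider moving the suffix comparison and the LDAP_NO_SUCH_OBJECT decision into one small static helper that both functions call, so the user and group paths cannot drift apart in which code they return for a cross-domain match.
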


[Freeipa-devel] [freeipa PR#5990][opened] Temp commit

2021-08-25 Thread tiran via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5990
Author: tiran
 Title: #5990: Temp commit
Action: opened

PR body:
"""
None
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5990/head:pr5990
git checkout pr5990
From e6ef275388f92cccf70ee92485c266caeb6a38c8 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 25 Aug 2021 17:34:00 +0200
Subject: [PATCH 1/2] Temp commit

---
 .freeipa-pr-ci.yaml|  2 +-
 ipatests/prci_definitions/temp_commit.yaml | 18 +++---
 2 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml
index abcf8c5b634..80656690080 12
--- a/.freeipa-pr-ci.yaml
+++ b/.freeipa-pr-ci.yaml
@@ -1 +1 @@
-ipatests/prci_definitions/gating.yaml
\ No newline at end of file
+ipatests/prci_definitions/temp_commit.yaml
\ No newline at end of file
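
Review bot: The one-line change in .freeipa-pr-ci.yaml must not reach the target branch: with the file pointing at ipatests/prci_definitions/temp_commit.yaml instead of gating.yaml, the gating job set is not what PR-CI runs. Mark the PR as do-not-merge until "Temp commit" is dropped, and put a line in the empty commit message saying so.
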
diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml
index 4b0398b9218..7f0df366a6e 100644
--- a/ipatests/prci_definitions/temp_commit.yaml
+++ b/ipatests/prci_definitions/temp_commit.yaml
@@ -61,14 +61,26 @@ jobs:
 timeout: 1800
 topology: *build
 
-  fedora-latest/temp_commit:
+  fedora-latest/dns_locations:
 requires: [fedora-latest/build]
 priority: 50
 job:
   class: RunPytest
   args:
 build_url: '{fedora-latest/build_url}'
-test_suite: test_integration/test_REPLACEME.py
+test_suite: test_integration/test_dns_locations.py
 template: *ci-master-latest
 timeout: 3600
-topology: *master_1repl_1client
+topology: *master_2repl_1client
+
+  fedora-latest/test_installation_TestInstallMaster:
+requires: [fedora-latest/build]
+priority: 100
+job:
+  class: RunPytest
+  args:
+build_url: '{fedora-latest/build_url}'
+test_suite: test_integration/test_installation.py::TestInstallMaster
+template: *ci-master-latest
+timeout: 7200
+topology: *master_1repl
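
Review bot: The added fedora-latest/test_installation_TestInstallMaster job runs test_integration/test_installation.py::TestInstallMaster, but the diffstat of patch 2/2 lists a change to .../test_installation_client.py, which neither job in this hunk selects. If the point of the temp commit is to exercise the tests touched by the URI record change, add a job for that suite, or note why TestInstallMaster is the relevant one.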

From b25ff23d2971874d9e555d16a0e14370d69f5b21 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Wed, 25 Aug 2021 17:13:55 +0200
Subject: [PATCH 2/2] Add URI system records for KDC

MIT KRB5 1.15 introduced KDC service discovery with URI records.
_kerberos and _kpasswd URI records can provide TCP, UDP, and Kerberos
KDC-Proxy references. URI lookups take precedence over SRV lookups,
falling back to SRV lookups if no URI records are found.

See: https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#kdc-discovery
Fixes: https://pagure.io/freeipa/issue/8968
Signed-off-by: Christian Heimes 
---
 ipaserver/dns_data_management.py  | 65 -
 .../test_integration/test_dns_locations.py| 97 ---
 .../test_installation_client.py   |  4 +
 3 files changed, 152 insertions(+), 14 deletions(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index aad00062a48..bd12259933d 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -32,6 +32,7 @@
 IPA_DEFAULT_MASTER_SRV_REC = (
 # srv record name, port
 (DNSName('_ldap._tcp'), 389),
+# Kerberos records are provided for MIT KRB5 < 1.15 and AD
 (DNSName('_kerberos._tcp'), 88),
 (DNSName('_kerberos._udp'), 88),
 (DNSName('_kerberos-master._tcp'), 88),
@@ -40,6 +41,20 @@
 (DNSName('_kpasswd._udp'), 464),
 )
 
+IPA_DEFAULT_MASTER_URI_REC = (
+# URI record name, URI template
+
+# MIT KRB5 1.15+ prefers URI records for service discovery
+# scheme (always krb5srv)
+# flags (empty or 'm' for master)
+# transport ('tcp', 'udp', or 'kkdcp')
+# residual: 'hostname', 'hostname:port', or 'https://' URL
+(DNSName('_kerberos'), "krb5srv:m:tcp:{hostname}"),
+(DNSName('_kerberos'), "krb5srv:m:udp:{hostname}"),
+(DNSName('_kpasswd'), "krb5srv:m:tcp:{hostname}"),
+(DNSName('_kpasswd'), "krb5srv:m:udp:{hostname}"),
+)
+
 IPA_DEFAULT_ADTRUST_SRV_REC = (
 # srv record name, port
 (DNSName('_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389),
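
Review bot: IPA_DEFAULT_MASTER_URI_REC only contains tcp and udp entries, while the comment above it lists 'kkdcp' as a transport and the commit message mentions KDC-Proxy references. Either add the kkdcp record or say in the comment that it is intentionally left out, so readers do not assume proxy discovery is published. All four templates also hard-code the 'm' flag; a short comment on why every server is advertised as master would help, given that the comment documents the flag as optional.
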
@@ -67,6 +82,8 @@ class IPASystemRecords:
 # fixme do it configurable
 PRIORITY_HIGH = 0
 PRIORITY_LOW = 50
+# FIXME: use TTL from config
+TTL = 86400
 
 def __init__(self, api_instance, all_servers=False):
 self.api_instance = api_instance
@@ -134,7 +151,35 @@ def __add_srv_records(
 
 rdataset = zone_obj.get_rdataset(
 r_name, rdatatype.SRV, create=True)
-rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
+rdataset.add(rd, ttl=self.TTL)
+
+def __add_uri_records(
+self, zone_obj, hostname, rname_uri_map,
+weight=100, priority=0, location=None
+):
+assert isinstance(hostname, DNSName)
+assert isinstance(priority, int)
+assert isinstance(weight, int)
+
+
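
Review bot: In __add_uri_records, the three `assert isinstance(...)` lines are the only argument validation, and assert statements are skipped when Python runs with -O; if a wrong type here must never reach the zone data, raise TypeError explicitly. `location` is accepted without any check, and the `priority=0` default repeats the value of PRIORITY_HIGH from the class instead of referring to it. The rest of this hunk is cut off in the message, so the record construction itself cannot be reviewed here.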

[Freeipa-devel] [freeipa PR#5989][closed] [Backport][ipa-4-9] ipatests: use whole date for journalctl --since

2021-08-25 Thread flo-renaud via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5989
Author: fcami
 Title: #5989: [Backport][ipa-4-9] ipatests: use whole date for journalctl --since
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5989/head:pr5989
git checkout pr5989


[Freeipa-devel] [freeipa PR#5989][opened] [Backport][ipa-4-9] ipatests: use whole date for journalctl --since

2021-08-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5989
Author: fcami
 Title: #5989: [Backport][ipa-4-9] ipatests: use whole date for journalctl --since
Action: opened

PR body:
"""
This PR was opened automatically because PR #5984 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5989/head:pr5989
git checkout pr5989
From eb1ff887e3a55c008a94d92d89dce84b2a4581e3 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 19 Aug 2021 10:51:01 +0200
Subject: [PATCH] ipatests: use whole date for journalctl --since

When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.

If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.

Fixes: https://pagure.io/freeipa/issue/8953
---
 ipatests/test_integration/test_cert.py | 2 +-
 ipatests/test_integration/test_commands.py | 3 ++-
 ipatests/test_integration/test_nfs.py  | 2 +-
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 9a90db5e2a2..7d51b76ee34 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -69,7 +69,7 @@ def install(cls, mh):
 
 # time to look into journal logs in
 # test_certmonger_ipa_responder_jsonrpc
-cls.since = time.strftime('%H:%M:%S')
+cls.since = time.strftime('%Y-%m-%d %H:%M:%S')
 
 def test_cacert_file_appear_with_option_F(self):
 """Test if getcert creates cacert file with -F option
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 4d9a8165248..fd5d1b47264 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1208,7 +1208,8 @@ def test_login_wrong_password(self, user_creation_deletion):
 # start to look at logs a bit before "now"
 # https://pagure.io/freeipa/issue/8432
 since = time.strftime(
-'%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
+'%Y-%m-%d %H:%M:%S',
+(datetime.now() - timedelta(seconds=10)).timetuple()
 )
 
 password = 'WrongPassword'
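
Review bot: In test_login_wrong_password, going through `time.strftime(..., (...).timetuple())` is a roundabout way to format a datetime; `(datetime.now() - timedelta(seconds=10)).strftime('%Y-%m-%d %H:%M:%S')` gives the same string and avoids the extra wrapped line.
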
diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
index 9a6153409d4..dc53a6da9ee 100644
--- a/ipatests/test_integration/test_nfs.py
+++ b/ipatests/test_integration/test_nfs.py
@@ -130,7 +130,7 @@ def test_krb5_nfs_manual_configuration(self):
 nfsclt = self.clients[1]
 
 # for journalctl --since
-since = time.strftime('%H:%M:%S')
+since = time.strftime('%Y-%m-%d %H:%M:%S')
 nfsclt.run_command(["systemctl", "restart", "rpc-gssd"])
 time.sleep(WAIT_AFTER_INSTALL)
 mountpoints = ("/mnt/krb", "/mnt/std", "/home")


[Freeipa-devel] [freeipa PR#5984][closed] ipatests: use whole date for journalctl --since

2021-08-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5984
Author: flo-renaud
 Title: #5984: ipatests: use whole date for journalctl --since
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5984/head:pr5984
git checkout pr5984


[Freeipa-devel] [freeipa PR#5988][closed] [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job

2021-08-25 Thread fcami via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/5988
Author: fcami
 Title: #5988: [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5988/head:pr5988
git checkout pr5988