[Freeipa-devel] [freeipa PR#5982][closed] [Backport][ipa-4-9] schema plugin: Generate stable fingerprint
URL: https://github.com/freeipa/freeipa/pull/5982
Author: flo-renaud
Title: #5982: [Backport][ipa-4-9] schema plugin: Generate stable fingerprint
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5982/head:pr5982
git checkout pr5982
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[Freeipa-devel] [freeipa PR#5991][opened] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
URL: https://github.com/freeipa/freeipa/pull/5991 Author: sumit-bose Title: #5991: extdom: return LDAP_NO_SUCH_OBJECT if domains differ Action: opened PR body: """ If a client sends a request to lookup an object from a given trusted domain by UID or GID and an object with matching ID is only found in a different domain the extdom should return LDAP_NO_SUCH_OBJECT to indicate to the client that the requested ID does not exists in the given domain. Resolves: https://pagure.io/freeipa/issue/8965 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5991/head:pr5991 git checkout pr5991 From 78fc4aba2dc7f5278e53e8ad5faeb1869731b5b7 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 25 Aug 2021 17:10:29 +0200 Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ If a client sends a request to lookup an object from a given trusted domain by UID or GID and an object with matching ID is only found in a different domain the extdom should return LDAP_NO_SUCH_OBJECT to indicate to the client that the requested ID does not exists in the given domain. Resolves: https://pagure.io/freeipa/issue/8965 --- .../ipa-extdom-extop/ipa_extdom_common.c | 8 ++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c index 5d97ff6137d..6f646b9f49e 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c @@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { -ret = LDAP_INVALID_SYNTAX; +/* The found object is from a different domain than requested, + * that means it does not exist in the requested domain */ +ret = LDAP_NO_SUCH_OBJECT; goto done; } } 
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type, if (strcasecmp(locat+1, domain_name) == 0 ) { locat[0] = '\0'; } else { -ret = LDAP_INVALID_SYNTAX; +/* The found object is from a different domain than requested, + * that means it does not exist in the requested domain */ +ret = LDAP_NO_SUCH_OBJECT; goto done; } } ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
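Review bot: In the `else` branch of the `strcasecmp(locat+1, domain_name)` check in `pack_ber_user`, the new `LDAP_NO_SUCH_OBJECT` return changes the result code seen for a cross-domain ID match, but the diffstat lists only `ipa_extdom_common.c`, so nothing pins the new behaviour. Please add a test that looks up a UID in one trusted domain while the only matching object lives in another and asserts `LDAP_NO_SUCH_OBJECT`, and check that no caller still special-cases `LDAP_INVALID_SYNTAX` coming from this path.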
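Review bot: The domain-mismatch branch in `pack_ber_group` now repeats the comment and `ret = LDAP_NO_SUCH_OBJECT; goto done;` from `pack_ber_user` word for word. Consider moving the suffix comparison into one small helper that both functions call, so the two paths cannot drift apart in the result code they return the next time this logic changes.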
[Freeipa-devel] [freeipa PR#5990][opened] Temp commit
URL: https://github.com/freeipa/freeipa/pull/5990 Author: tiran Title: #5990: Temp commit Action: opened PR body: """ None """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5990/head:pr5990 git checkout pr5990 From e6ef275388f92cccf70ee92485c266caeb6a38c8 Mon Sep 17 00:00:00 2001 From: Christian Heimes Date: Wed, 25 Aug 2021 17:34:00 +0200 Subject: [PATCH 1/2] Temp commit --- .freeipa-pr-ci.yaml| 2 +- ipatests/prci_definitions/temp_commit.yaml | 18 +++--- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/.freeipa-pr-ci.yaml b/.freeipa-pr-ci.yaml index abcf8c5b634..80656690080 12 --- a/.freeipa-pr-ci.yaml +++ b/.freeipa-pr-ci.yaml @@ -1 +1 @@ -ipatests/prci_definitions/gating.yaml \ No newline at end of file +ipatests/prci_definitions/temp_commit.yaml \ No newline at end of file diff --git a/ipatests/prci_definitions/temp_commit.yaml b/ipatests/prci_definitions/temp_commit.yaml index 4b0398b9218..7f0df366a6e 100644 --- a/ipatests/prci_definitions/temp_commit.yaml +++ b/ipatests/prci_definitions/temp_commit.yaml @@ -61,14 +61,26 @@ jobs: timeout: 1800 topology: *build - fedora-latest/temp_commit: + fedora-latest/dns_locations: requires: [fedora-latest/build] priority: 50 job: class: RunPytest args: build_url: '{fedora-latest/build_url}' -test_suite: test_integration/test_REPLACEME.py +test_suite: test_integration/test_dns_locations.py template: *ci-master-latest timeout: 3600 -topology: *master_1repl_1client +topology: *master_2repl_1client + + fedora-latest/test_installation_TestInstallMaster: +requires: [fedora-latest/build] +priority: 100 +job: + class: RunPytest + args: +build_url: '{fedora-latest/build_url}' +test_suite: test_integration/test_installation.py::TestInstallMaster +template: *ci-master-latest +timeout: 7200 +topology: *master_1repl From b25ff23d2971874d9e555d16a0e14370d69f5b21 Mon Sep 17 00:00:00 2001 
From: Christian Heimes Date: Wed, 25 Aug 2021 17:13:55 +0200 Subject: [PATCH 2/2] Add URI system records for KDC MIT KRB5 1.15 introduced KDC service discovery with URI records. _kerberos and _kpasswd URI records can provide TCP, UDP, and Kerberos KDC-Proxy references. URI lookups take precedence over SRV lookups, falling back to SRV lookups if no URI records are found. See: https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#kdc-discovery Fixes: https://pagure.io/freeipa/issue/8968 Signed-off-by: Christian Heimes --- ipaserver/dns_data_management.py | 65 - .../test_integration/test_dns_locations.py| 97 --- .../test_installation_client.py | 4 + 3 files changed, 152 insertions(+), 14 deletions(-) diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py index aad00062a48..bd12259933d 100644 --- a/ipaserver/dns_data_management.py +++ b/ipaserver/dns_data_management.py @@ -32,6 +32,7 @@ IPA_DEFAULT_MASTER_SRV_REC = ( # srv record name, port (DNSName('_ldap._tcp'), 389), +# Kerberos records are provided for MIT KRB5 < 1.15 and AD (DNSName('_kerberos._tcp'), 88), (DNSName('_kerberos._udp'), 88), (DNSName('_kerberos-master._tcp'), 88), @@ -40,6 +41,20 @@ (DNSName('_kpasswd._udp'), 464), ) +IPA_DEFAULT_MASTER_URI_REC = ( +# URI record name, URI template + +# MIT KRB5 1.15+ prefers URI records for service discovery +# scheme (always krb5srv) +# flags (empty or 'm' for master) +# transport ('tcp', 'udp', or 'kkdcp') +# residual: 'hostname', 'hostname:port', or 'https://' URL +(DNSName('_kerberos'), "krb5srv:m:tcp:{hostname}"), +(DNSName('_kerberos'), "krb5srv:m:udp:{hostname}"), +(DNSName('_kpasswd'), "krb5srv:m:tcp:{hostname}"), +(DNSName('_kpasswd'), "krb5srv:m:udp:{hostname}"), +) + IPA_DEFAULT_ADTRUST_SRV_REC = ( # srv record name, port (DNSName('_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389), 
@@ -67,6 +82,8 @@ class IPASystemRecords: # fixme do it configurable PRIORITY_HIGH = 0 PRIORITY_LOW = 50 +# FIXME: use TTL from config +TTL = 86400 def __init__(self, api_instance, all_servers=False): self.api_instance = api_instance @@ -134,7 +151,35 @@ def __add_srv_records( rdataset = zone_obj.get_rdataset( r_name, rdatatype.SRV, create=True) -rdataset.add(rd, ttl=86400) # FIXME: use TTL from config +rdataset.add(rd, ttl=self.TTL) + +def __add_uri_records( +self, zone_obj, hostname, rname_uri_map, +weight=100, priority=0, location=None +): +assert isinstance(hostname, DNSName) +assert isinstance(priority, int) +assert isinstance(weight, int) + +
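Review bot: The `.freeipa-pr-ci.yaml` hunk in PATCH 1/2 repoints the CI definition from `ipatests/prci_definitions/gating.yaml` to `temp_commit.yaml`, which takes the gating suite out of the run for this PR. That commit, together with the `fedora-latest/dns_locations` and `fedora-latest/test_installation_TestInstallMaster` job edits in `temp_commit.yaml`, has to be dropped before merge, and the commit message should say so rather than only "Temp commit".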
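Review bot: In `IPA_DEFAULT_MASTER_URI_REC` the comment documents the flags field as "empty or 'm' for master", yet all four templates hard-code `krb5srv:m:`, including both `_kpasswd` entries. Please state in the comment why every IPA server is advertised with the `m` flag, or add the unflagged variants if they are intended. The templates also carry no port while the SRV tuple above lists 88 and 464 explicitly; one line saying that the `{hostname}` residual relies on the default ports would save the next reader a lookup.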
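Review bot: `__add_uri_records` checks `hostname`, `priority` and `weight` with `assert isinstance(...)`, which Python removes under `-O`, so these lines are not a dependable guard; raise `TypeError` if the types matter. The default `priority=0` also repeats the value of `PRIORITY_HIGH` from the class body as a bare literal; default to `None` and resolve to `self.PRIORITY_HIGH` inside the method, or document the literal. The new URI path should take its TTL from `self.TTL`, as `__add_srv_records` now does.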
[Freeipa-devel] [freeipa PR#5989][closed] [Backport][ipa-4-9] ipatests: use whole date for journalctl --since
URL: https://github.com/freeipa/freeipa/pull/5989
Author: fcami
Title: #5989: [Backport][ipa-4-9] ipatests: use whole date for journalctl --since
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5989/head:pr5989
git checkout pr5989
[Freeipa-devel] [freeipa PR#5989][opened] [Backport][ipa-4-9] ipatests: use whole date for journalctl --since
URL: https://github.com/freeipa/freeipa/pull/5989 Author: fcami Title: #5989: [Backport][ipa-4-9] ipatests: use whole date for journalctl --since Action: opened PR body: """ This PR was opened automatically because PR #5984 was pushed to master and backport to ipa-4-9 is required. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/5989/head:pr5989 git checkout pr5989 From eb1ff887e3a55c008a94d92d89dce84b2a4581e3 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 19 Aug 2021 10:51:01 +0200 Subject: [PATCH] ipatests: use whole date for journalctl --since When a test is executed around midnight and is checking the journal content with --since=date, it needs to specify the whole date (with day and time) to avoid missing entries. If for instance --since=23:59:00 is used and the current time is now 00:01:00, --since=23:59:00 would refer to a date in the future and no journal entry will be found. Fixes: https://pagure.io/freeipa/issue/8953 --- ipatests/test_integration/test_cert.py | 2 +- ipatests/test_integration/test_commands.py | 3 ++- ipatests/test_integration/test_nfs.py | 2 +- 3 files changed, 4 insertions(+), 3 deletions(-) diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py index 9a90db5e2a2..7d51b76ee34 100644 --- a/ipatests/test_integration/test_cert.py +++ b/ipatests/test_integration/test_cert.py @@ -69,7 +69,7 @@ def install(cls, mh): # time to look into journal logs in # test_certmonger_ipa_responder_jsonrpc -cls.since = time.strftime('%H:%M:%S') +cls.since = time.strftime('%Y-%m-%d %H:%M:%S') def test_cacert_file_appear_with_option_F(self): """Test if getcert creates cacert file with -F option diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py index 4d9a8165248..fd5d1b47264 100644 --- a/ipatests/test_integration/test_commands.py +++ b/ipatests/test_integration/test_commands.py 
@@ -1208,7 +1208,8 @@ def test_login_wrong_password(self, user_creation_deletion): # start to look at logs a bit before "now" # https://pagure.io/freeipa/issue/8432 since = time.strftime( -'%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple() +'%Y-%m-%d %H:%M:%S', +(datetime.now() - timedelta(seconds=10)).timetuple() ) password = 'WrongPassword' diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py index 9a6153409d4..dc53a6da9ee 100644 --- a/ipatests/test_integration/test_nfs.py +++ b/ipatests/test_integration/test_nfs.py @@ -130,7 +130,7 @@ def test_krb5_nfs_manual_configuration(self): nfsclt = self.clients[1] # for journalctl --since -since = time.strftime('%H:%M:%S') +since = time.strftime('%Y-%m-%d %H:%M:%S') nfsclt.run_command(["systemctl", "restart", "rpc-gssd"]) time.sleep(WAIT_AFTER_INSTALL) mountpoints = ("/mnt/krb", "/mnt/std", "/home") ___ FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
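Review bot: In `test_login_wrong_password` the timestamp is built by passing `datetime.timetuple()` into `time.strftime`, and the added line break makes that round trip harder to read. `(datetime.now() - timedelta(seconds=10)).strftime('%Y-%m-%d %H:%M:%S')` produces the same string without mixing the two modules.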
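Review bot: The format string `'%Y-%m-%d %H:%M:%S'` is now repeated in `test_cert.py`, `test_commands.py` and `test_nfs.py`; a shared constant or small helper in the test utilities would keep the three call sites from diverging again. In `test_krb5_nfs_manual_configuration`, `since` is taken from the clock of the machine running the test while the commands run on `nfsclt`, so if the journal is read on that host a clock or timezone difference can still shift the window; take the timestamp on the host or note the assumption in the comment.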
[Freeipa-devel] [freeipa PR#5984][closed] ipatests: use whole date for journalctl --since
URL: https://github.com/freeipa/freeipa/pull/5984
Author: flo-renaud
Title: #5984: ipatests: use whole date for journalctl --since
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5984/head:pr5984
git checkout pr5984
[Freeipa-devel] [freeipa PR#5988][closed] [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job
URL: https://github.com/freeipa/freeipa/pull/5988
Author: fcami
Title: #5988: [Backport][ipa-4-9] Azure: Run pycodestyle check in Lint job
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5988/head:pr5988
git checkout pr5988