Re: [Freeipa-devel] [SSSD] [RFC] Matching and Mapping Certificates

2017-04-07 Thread Jakub Hrozek
On Thu, Oct 06, 2016 at 12:49:30PM +0200, Sumit Bose wrote: > Hi, > > I've started to write a SSSD design page about enhancing the current > mapping of certificates to users and how to select/match a suitable > certificate if multiple certificates are on a Smartcard. > > My currently thoughts

Re: [Freeipa-devel] [DRAFT] Release notes FreeIPA 4.5.0

2017-03-14 Thread Jakub Hrozek
On Tue, Mar 14, 2017 at 01:51:19PM +0100, Martin Basti wrote: > Hello, > > DRAFT for FreeIPA 4.5.0 release notes is ready > http://www.freeipa.org/page/Releases/4.5.0 > > Please update/let me know what is missing, what is extra. Please update this paragraph: AD User Short Names Support

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 02:47:24PM +0100, Martin Babinsky wrote: > On 03/02/2017 10:25 AM, Jakub Hrozek wrote: > > On Thu, Mar 02, 2017 at 08:12:04AM +0100, Martin Babinsky wrote: > > > On 03/01/2017 05:28 PM, Alexander Bokovoy wrote: > > > > On ke, 01

Re: [Freeipa-devel] Please review: V4/AD user short names design draft

2017-03-02 Thread Jakub Hrozek
On Thu, Mar 02, 2017 at 08:12:04AM +0100, Martin Babinsky wrote: > On 03/01/2017 05:28 PM, Alexander Bokovoy wrote: > > On ke, 01 maalis 2017, Simo Sorce wrote: > > > > > My take is: cut API/UI work, and do the underlying infrastructure work > > > > > for the widest set of serves/clients possible

Re: [Freeipa-devel] FedoraHosted.org sunset

2016-09-23 Thread Jakub Hrozek
On Thu, Sep 22, 2016 at 06:09:43PM +0200, Petr Vobornik wrote: > Hi all, > > As you know, FedoraHosted.org will be decommissioned. > https://communityblog.fedoraproject.org/fedorahosted-sunset-2017-02-28/ > > We use Trac instance there. Let's discuss where we should migrate and > what are our

Re: [Freeipa-devel] pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=adu...@corp.addomain.com

2016-08-18 Thread Jakub Hrozek
On Thu, Aug 18, 2016 at 09:48:59AM +0200, rajat gupta wrote: > Thanks. > > When i am trying to accesses user with password i am getting below message > in logs. > > *Aug 18 09:38:17 ilt-gif-ipa02 [sssd[krb5_child[8505]]]: Cannot find KDC > for realm "ADDOMAON.COM "* > >

Re: [Freeipa-devel] pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ilt-gif-ipa01.ipa.preprod.local user=adu...@corp.addomain.com

2016-08-16 Thread Jakub Hrozek
On Tue, Aug 16, 2016 at 02:28:50PM +0200, rajat gupta wrote: > Hi, > > > I have done IPA AD trust between IPA and AD server. But trust is showing > offline always. But we are able to get the AD user information. And able to > grant the KRB ticket. > > > > # wbinfo --online-status > BUILTIN :

Re: [Freeipa-devel] [PATCH] kdb: check for local realm in enterprise principals

2016-07-06 Thread Jakub Hrozek
On Wed, Jul 06, 2016 at 07:01:50PM +0200, Sumit Bose wrote: > Hi, > > although enterprise principals for trusted domains now are working as > expected they do not work for the local domain: > > # kinit -E admin@IPA.DEVEL >

Re: [Freeipa-devel] [PATCH] 0156 extdom: add certificate request

2016-06-09 Thread Jakub Hrozek
On Fri, May 20, 2016 at 09:23:46PM +0200, Sumit Bose wrote: > Hi, > > this patch allows the extom plugin to lookup users by certificate which > is needed in the case where a IPA client wants to lookup an AD user who > has the certificate stored in AD. To make this work the related patches > I

Re: [Freeipa-devel] Questions on git

2016-05-23 Thread Jakub Hrozek
On Mon, May 23, 2016 at 04:33:29PM +0200, Martin Basti wrote: > > > On 23.05.2016 16:24, Florence Blanc-Renaud wrote: > > Hi all, > > > > as I am ramping up with git, I have a few questions. Let's imagine the > > following development workflow: > > > > - I start working on a specific issue and

Re: [Freeipa-devel] [DESIGN] Time-Based HBAC Policies

2016-05-18 Thread Jakub Hrozek
On Wed, May 18, 2016 at 05:13:11PM +0300, Alexander Bokovoy wrote: > On Wed, 18 May 2016, Stanislav Laznicka wrote: > > On 05/18/2016 02:19 PM, Alexander Bokovoy wrote: > > > On Wed, 18 May 2016, Stanislav Laznicka wrote: > > > > > > when removal succeeds but addition fails for some > > > > > >

Re: [Freeipa-devel] Generate report of user access levels on each system

2016-05-09 Thread Jakub Hrozek
On Sun, May 08, 2016 at 12:14:57PM -0400, Jerel Gilmer wrote: > Hello all - > > I've been using IdM and was tasked by my management with generating two > system reports: > > - List of what users have access to what services on each system > - List of sudo rules for each system The list of

Re: [Freeipa-devel] Improving bug reporting

2016-05-03 Thread Jakub Hrozek
On Tue, May 03, 2016 at 01:45:39PM +0200, David Kupka wrote: > Hello everyone! > > I often miss proper reproducer and other important info in trac tickets. > Asking for the missing info or guessing and trying is as ineffective as it > sounds and costs us a lot of time and effort. I believe we can

Re: [Freeipa-devel] URI in HBAC - design page

2016-03-30 Thread Jakub Hrozek
(Sorry to come late into this thread..) On Thu, Mar 24, 2016 at 02:49:39PM +0100, Jan Pazdziora wrote: > On Thu, Mar 24, 2016 at 02:30:06PM +0100, Petr Spacek wrote: > > > > I really do not like 'excludes'... Was an approach with longest prefix match > > considered as an option? I do not see it

[Freeipa-devel] [PATCH] sudo: Fix a typo in the --help output of sudocmdgroup

2016-03-11 Thread Jakub Hrozek
Hi, attached is a trivial patch. >From 21ff083a3bf08e914f3df6682b88265f39254ea1 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jakub.hro...@posteo.se> Date: Fri, 11 Mar 2016 18:01:11 +0100 Subject: [PATCH] sudo: Fix a typo in the --help output of sudocmdgroup --- ipalib/plugins/sudocm

Re: [Freeipa-devel] Disabling Schema Compatibility rule

2016-03-04 Thread Jakub Hrozek
On Fri, Mar 04, 2016 at 11:10:47AM +0200, Alexander Bokovoy wrote: > On the other hand, if no users are going to use the configuration, it > should not hurt anymore to have it enabled. With current slapi-nis state > there should be no problems anymore. I admit I haven't been following the

Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-28 Thread Jakub Hrozek
On Fri, Feb 26, 2016 at 11:33:26AM -0500, Simo Sorce wrote: > On Fri, 2016-02-26 at 17:17 +0100, Jakub Hrozek wrote: > > On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote: > > > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote: > > > > Hi

Re: [Freeipa-devel] URI in HBAC rules - patch - request for feedback

2016-02-26 Thread Jakub Hrozek
On Fri, Feb 26, 2016 at 10:58:57AM -0500, Simo Sorce wrote: > On Fri, 2016-02-26 at 13:17 +0100, Lukáš Hellebrandt wrote: > > Hi, FreeIPA and SSSD communities! > > > > I am working on adding URI to HBAC as my thesis [1]. The goal is to > > control access not only based on (user, host, service),

Re: [Freeipa-devel] [PATCH 154] ipa-kdb: map_groups() consider all results

2016-02-01 Thread Jakub Hrozek
On Tue, Jan 05, 2016 at 07:55:33PM +0100, Sumit Bose wrote: > Hi, > > to find out to which local group a external user is mapped we do a > dereference search over the external groups with the SIDs related to the > external user. If a SID is mapped to more than one external group we > currently

Re: [Freeipa-devel] limiting SyncRepl's scope

2015-12-16 Thread Jakub Hrozek
On Wed, Dec 16, 2015 at 09:26:11AM +0100, Sumit Bose wrote: > On Wed, Dec 16, 2015 at 08:49:04AM +0100, Petr Spacek wrote: > > On 15.12.2015 19:10, Christian Heimes wrote: > > > Hi, > > > > > > in ticket https://fedorahosted.org/freeipa/ticket/5538 Ludwig has > > > suggested to exclude Dogtag's

Re: [Freeipa-devel] patch acceptance criteria

2015-12-03 Thread Jakub Hrozek
On Thu, Dec 03, 2015 at 09:59:46AM -0500, Rob Crittenden wrote: > Lukas Slebodnik wrote: > > On (02/12/15 13:14), Rob Crittenden wrote: > >> Is it still mandatory that tests pass the unit tests before acceptance? > > Unit test could be executed as part of "%check" phase in spec files. > > I

Re: [Freeipa-devel] [Update]Time-Based Account Policies

2015-11-13 Thread Jakub Hrozek
On Fri, Nov 13, 2015 at 10:40:27AM -0500, Simo Sorce wrote: > On 13/11/15 10:17, Martin Basti wrote: > > > > > >On 13.11.2015 14:41, Simo Sorce wrote: > >>On 11/11/15 09:30, Martin Basti wrote: > >>> > >>> > >>>On 11.11.2015 14:52, Martin Basti wrote: > Comments inline > Martin^2 > >

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-06 Thread Jakub Hrozek
On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote: > On 06/10/15 08:04, David Kupka wrote: > >On 06/10/15 13:35, Simo Sorce wrote: > >>On 06/10/15 03:51, thierry bordaz wrote: > >>>On 10/06/2015 07:19 AM, David Kupka wrote: > On 05/10/15 16:12, Simo Sorce wrote: > >On 05/10/15

Re: [Freeipa-devel] Linking tickets in the commit messages

2015-09-17 Thread Jakub Hrozek
On Thu, Sep 17, 2015 at 03:55:35PM +0300, Alexander Bokovoy wrote: > >Speaking as IPA package maitainer in RHEL, I would like to have ticket > >link in every commit in maintenance branches. If a commit goes to the > >master branch only, I'm OK with it not having a ticket link. So that's > >where I

Re: [Freeipa-devel] FreeIPA 4.2.1 checklist

2015-09-04 Thread Jakub Hrozek
On Fri, Sep 04, 2015 at 09:30:39AM +0200, Jakub Hrozek wrote: > On Fri, Sep 04, 2015 at 09:25:59AM +0200, Martin Kosek wrote: > > On 09/04/2015 09:23 AM, Jakub Hrozek wrote: > > > On Fri, Sep 04, 2015 at 09:19:16AM +0200, Martin Kosek wrote: > > >> On 09/04/201

Re: [Freeipa-devel] FreeIPA 4.2.1 checklist

2015-09-04 Thread Jakub Hrozek
On Fri, Sep 04, 2015 at 09:19:16AM +0200, Martin Kosek wrote: > On 09/04/2015 09:12 AM, Jakub Hrozek wrote: > > On Fri, Sep 04, 2015 at 08:42:47AM +0200, Martin Kosek wrote: > >> Hello everyone, > >> > >> It is now only couple days before Fedora 23 Beta fre

Re: [Freeipa-devel] FreeIPA 4.2.1 checklist

2015-09-04 Thread Jakub Hrozek
On Fri, Sep 04, 2015 at 09:25:59AM +0200, Martin Kosek wrote: > On 09/04/2015 09:23 AM, Jakub Hrozek wrote: > > On Fri, Sep 04, 2015 at 09:19:16AM +0200, Martin Kosek wrote: > >> On 09/04/2015 09:12 AM, Jakub Hrozek wrote: > >>> On Fri, Sep 04, 2015 at 08:42:

Re: [Freeipa-devel] FreeIPA 4.2.1 checklist

2015-09-04 Thread Jakub Hrozek
On Fri, Sep 04, 2015 at 08:42:47AM +0200, Martin Kosek wrote: > Hello everyone, > > It is now only couple days before Fedora 23 Beta freeze [1] and as we > discussed, we would like to release FreeIPA 4.2.1, which already contains 148 > patches on top of FreeIPA 4.2.0, mostly stabilization of the

Re: [Freeipa-devel] C coding style guide update

2015-07-27 Thread Jakub Hrozek
On Mon, Jul 27, 2015 at 03:54:22PM +0200, Michal Židek wrote: - Line-comments (//, aka C++ comments) should be still avoided, though I really do not know what people have against line comments, but this is not the first time I see someone resisting them, so I guess there is some

Re: [Freeipa-devel] C coding style guide update

2015-07-26 Thread Jakub Hrozek
On Thu, Jul 23, 2015 at 06:21:25PM +0200, Michal Židek wrote: Hi, in SSSD we use the freeipa coding guidelines which are located here: http://www.freeipa.org/page/Coding_Style However this coding style guide is already dated and there are some rules we follow in SSSD which are not

Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client

2015-06-29 Thread Jakub Hrozek
On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote: Thanks. Updated patch attached. On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek jhro...@redhat.com wrote: On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: How should ​ https://www.redhat.com/archives/freeipa-users

Re: [Freeipa-devel] FreeIPA 4.2 Alpha preparations

2015-06-18 Thread Jakub Hrozek
On Thu, Jun 18, 2015 at 08:02:23PM +0200, Petr Vobornik wrote: On 06/18/2015 02:05 PM, Petr Vobornik wrote: I'm going to tag alpha_1-4-3-0 today at 15:00 CET. I'm not aware of any alpha blockers on FreeIPA side. Please contact me if there are patches which should make the release. This

Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client

2015-06-05 Thread Jakub Hrozek
On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote: How should ​ https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html be handled where the user cleared out the db cache? Ah, I confused that one with another issue Jan Pazdziora had, which was incidentally about client

Re: [Freeipa-devel] using pyhbac for CA ACLs

2015-05-25 Thread Jakub Hrozek
On Mon, May 25, 2015 at 02:28:52PM +0300, Alexander Bokovoy wrote: On Mon, 25 May 2015, Martin Kosek wrote: On 05/25/2015 09:35 AM, Fraser Tweedale wrote: Hi everyone, CA ACLs (the forthcoming `caacl' plugin) will be used to declare which users/hosts/services can get certificates from which

Re: [Freeipa-devel] One-way trust design

2015-04-01 Thread Jakub Hrozek
Thank you, the design page reads well to me. I had a short chat with Alexander where we cleared up some confusion. On Mon, Feb 23, 2015 at 06:02:53PM +0200, Alexander Bokovoy wrote: == New design == In order to support one-way trust to Active Directory, we need to switch SSSD in IPA master

Re: [Freeipa-devel] Time-based account policies

2015-03-24 Thread Jakub Hrozek
On Tue, Mar 24, 2015 at 08:07:53AM +0100, Martin Kosek wrote: On 03/24/2015 07:16 AM, Jan Cholasta wrote: Dne 23.3.2015 v 20:17 Standa Láznička napsal(a): ... Given the above, HBAC rules could contain (time, anchor), where anchor is UTC, user local time or host local time. Truth is, it

Re: [Freeipa-devel] [PATCH 140] extdom: migrate check-based test to cmocka

2015-03-18 Thread Jakub Hrozek
On Wed, Mar 18, 2015 at 11:01:35AM +0100, Sumit Bose wrote: On Fri, Mar 13, 2015 at 03:14:55PM +0100, Jakub Hrozek wrote: On Fri, Mar 13, 2015 at 11:56:46AM +0100, Sumit Bose wrote: On Wed, Mar 04, 2015 at 06:42:05PM +0100, Sumit Bose wrote: Hi, this is the first patch for https

Re: [Freeipa-devel] [PATCHES 137-139] extdom: add err_msg member to request context

2015-03-18 Thread Jakub Hrozek
On Wed, Mar 18, 2015 at 10:58:51AM +0100, Sumit Bose wrote: Please find attached a new version where the typo is fixed. bye, Sumit ACK I think the IPA gatekeepers shoudl feel free to just fix these trivial errors before pushing in the future. -- Manage your subscription for the

[Freeipa-devel] [PATCH] extop: For printf formatting warning

2015-03-18 Thread Jakub Hrozek
I could swear I sent the patch last time when I was reviewing Sumit's patches but apparently not. It's better to use %zu instead of %d for size_t formatting with recent compilers. From a088e8c8a9bd29b4c22f1579f2c3705652bf2730 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date

Re: [Freeipa-devel] [PATCH] extop: For printf formatting warning

2015-03-18 Thread Jakub Hrozek
On Wed, Mar 18, 2015 at 11:39:15AM +0100, Sumit Bose wrote: On Wed, Mar 18, 2015 at 11:25:14AM +0100, Jakub Hrozek wrote: I could swear I sent the patch last time when I was reviewing Sumit's patches but apparently not. It's better to use %zu instead of %d for size_t formatting

Re: [Freeipa-devel] [PATCH 140] extdom: migrate check-based test to cmocka

2015-03-13 Thread Jakub Hrozek
On Fri, Mar 13, 2015 at 11:56:46AM +0100, Sumit Bose wrote: On Wed, Mar 04, 2015 at 06:42:05PM +0100, Sumit Bose wrote: Hi, this is the first patch for https://fedorahosted.org/freeipa/ticket/4922 which converts the check-based tests of the extdom plugin to cmocka. bye, Sumit

Re: [Freeipa-devel] [PATCHES 137-139] extdom: add err_msg member to request context

2015-03-13 Thread Jakub Hrozek
On Fri, Mar 13, 2015 at 11:55:09AM +0100, Sumit Bose wrote: On Wed, Mar 04, 2015 at 06:35:22PM +0100, Sumit Bose wrote: Hi, this patch series improves error reporting of the extdom plugin especially on the client side. Currently there is only SSSD ticket

Re: [Freeipa-devel] Purpose of default user group

2015-03-10 Thread Jakub Hrozek
On Tue, Mar 10, 2015 at 03:52:44PM +0100, Martin Kosek wrote: On 03/10/2015 03:27 PM, Rob Crittenden wrote: Petr Vobornik wrote: Hi, I would like to ask what is a purpose of a default user group - by default ipausers? Default group is also a required field in ipa config. To be able

Re: [Freeipa-devel] Time-based account policies

2015-03-10 Thread Jakub Hrozek
On Tue, Mar 10, 2015 at 03:47:10PM +0100, Martin Kosek wrote: This is where importing iCal is helpful because it allows you to outsource the task of creating such event to something else. Parsing event information would produce a rule definition we would store and SSSD would apply as

Re: [Freeipa-devel] Time-based account policies

2015-03-09 Thread Jakub Hrozek
On Mon, Mar 09, 2015 at 04:08:46PM +0100, Martin Kosek wrote: On 03/09/2015 03:58 PM, Alexander Bokovoy wrote: On Mon, 09 Mar 2015, Martin Kosek wrote: ... One of bigger issues we had was lack of versatile ical format parser to handle calendar-like specification of events -- we need to

Re: [Freeipa-devel] [PATCH 0185] Use dyndns_update instead of deprecated ipa_dyndns_update in sssd.conf

2015-01-19 Thread Jakub Hrozek
On Mon, Jan 19, 2015 at 01:13:12PM +0100, Martin Kosek wrote: On 01/19/2015 01:03 PM, Martin Basti wrote: ipa_dyndns_update option is deprecated in sssd. Patch attached. Can you please create a ticket? It is a non-trivial change. I am also wondering if somebody from SSSD could double

Re: [Freeipa-devel] Move FreeIPA translations to Zanata?

2015-01-09 Thread Jakub Hrozek
On Fri, Jan 09, 2015 at 01:42:25PM +0100, Martin Kosek wrote: I am forwarding my conversation with the Noriko from Fedora localization team to the devel list, see below. What do you guys think? Any concerns with moving FreeIPA translations from Transifex to Zanata? SSSD project is moving there

Re: [Freeipa-devel] Move FreeIPA translations to Zanata?

2015-01-09 Thread Jakub Hrozek
On Fri, Jan 09, 2015 at 04:01:57PM +0100, Martin Kosek wrote: My only requirement is that the uploading/downloading process and Localization process overall is well documented and/or scripted in our git. We should also add it as a step to our Release wiki page (to make sure translations are

Re: [Freeipa-devel] [PATCH 0019] Prefer TCP connections to UDP in krb5 clients

2014-11-14 Thread Jakub Hrozek
On Thu, Nov 13, 2014 at 02:40:28PM -0500, Simo Sorce wrote: On Thu, 13 Nov 2014 14:20:14 -0500 Nathaniel McCallum npmccal...@redhat.com wrote: On Thu, 2014-11-13 at 14:02 -0500, Nathaniel McCallum wrote: On Fri, 2014-11-07 at 15:39 +0100, Martin Kosek wrote: On 11/07/2014 03:28 PM,

Re: [Freeipa-devel] FreeIPA translations

2014-11-13 Thread Jakub Hrozek
On Thu, Nov 13, 2014 at 09:56:54AM +0100, Petr Viktorin wrote: On 11/13/2014 12:35 AM, Tomas Babej wrote: On 11/12/2014 01:44 PM, Martin Kosek wrote: Hi folks, With Petr changing focus out of FreeIPA, somebody will need to replace his work as the person behind FreeIPA Transifex

Re: [Freeipa-devel] FreeIPA translations

2014-11-13 Thread Jakub Hrozek
On Thu, Nov 13, 2014 at 11:52:29AM +0200, Alexander Bokovoy wrote: On Thu, 13 Nov 2014, Jakub Hrozek wrote: On Thu, Nov 13, 2014 at 09:56:54AM +0100, Petr Viktorin wrote: On 11/13/2014 12:35 AM, Tomas Babej wrote: On 11/12/2014 01:44 PM, Martin Kosek wrote: Hi folks, With Petr changing

Re: [Freeipa-devel] FreeIPA Copr repo plan

2014-11-10 Thread Jakub Hrozek
On Mon, Nov 10, 2014 at 12:07:46PM +0100, Martin Kosek wrote: Hi guys, Some time ago we started managing FreeIPA Copr repos (mkosek/freeipa) with a target to have the latest greatest FreeIPA available for older arches (read - RHEL/CentOS) and to allow people using older stable Fedoras (read

Re: [Freeipa-devel] FreeIPA Copr repo plan

2014-11-10 Thread Jakub Hrozek
On Mon, Nov 10, 2014 at 02:04:34PM +0100, Lukas Slebodnik wrote: It *is not* possible to merge one COPR repo into another. It is possible to add another yum repo into build dependencies in COPR Ah, right. Adding the build dependencies allows you to add another SRPM, to be built though.. but

Re: [Freeipa-devel] [PATCH] 131-132 extdom: add support for sss_nss_getorigbyname()

2014-10-20 Thread Jakub Hrozek
On Mon, Oct 20, 2014 at 10:43:07AM +0200, Sumit Bose wrote: On Sun, Oct 19, 2014 at 10:04:29PM +0200, Jakub Hrozek wrote: On Fri, Oct 17, 2014 at 11:53:44AM +0200, Sumit Bose wrote: Hi, the first patch replaces sss_nss_getsidbyname() by sss_nss_getorigbyname() for the new version

Re: [Freeipa-devel] [PATCH] 131-132 extdom: add support for sss_nss_getorigbyname()

2014-10-19 Thread Jakub Hrozek
On Fri, Oct 17, 2014 at 11:53:44AM +0200, Sumit Bose wrote: Hi, the first patch replaces sss_nss_getsidbyname() by sss_nss_getorigbyname() for the new version of the extdom interface. The new call returns more data about the original object and allows the IPA client to have the same

Re: [Freeipa-devel] [PATCH] slapi-nis: normalize memberUid search filter term for AD users

2014-10-19 Thread Jakub Hrozek
On Thu, Oct 09, 2014 at 02:01:16PM +0300, Alexander Bokovoy wrote: Hi, memberUid attribute has case-sensitive comparison defined but when we construct memberUid for AD users (coming through SSSD), they are normalized to lower case. Interestingly enough, 'uid' attribute has case-insensitive

Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version

2014-09-29 Thread Jakub Hrozek
On Mon, Sep 29, 2014 at 06:16:30PM +0200, Sumit Bose wrote: Hi, Jakub found another issue which is fixed with this new version. bye, Sumit and now with patch ... Thank you, ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com

Re: [Freeipa-devel] FreeIPA on RHEL/CentOS 7.0

2014-09-25 Thread Jakub Hrozek
On Thu, Sep 25, 2014 at 08:55:46AM +0200, Martin Kosek wrote: On 09/24/2014 06:19 PM, Jan Pazdziora wrote: On Wed, Sep 24, 2014 at 11:00:21AM +0200, Martin Kosek wrote: I just rebuilt latest fixed pki-coretomcat for our Copr (http://copr.fedoraproject.org/coprs/mkosek/freeipa/builds/). We

Re: [Freeipa-devel] [PATCH] 129 ipa-kdb: fix unit tests

2014-09-24 Thread Jakub Hrozek
On Tue, Jul 22, 2014 at 05:24:51PM +0200, Sumit Bose wrote: Hi, it looks like the ipa-kdb unit test is broken. This patch tries to fix it. bye, Sumit ACK Without the patch, I got: ipa_kdb_tests-ipa_kdb_common.o: In function `ipadb_ldap_attr_has_value':

Re: [Freeipa-devel] [PATCH 130] extdom: add support for new version

2014-09-24 Thread Jakub Hrozek
On Tue, Sep 23, 2014 at 05:11:01PM +0200, Sumit Bose wrote: Hi, this patch should fix https://fedorahosted.org/freeipa/ticket/4031 and with the corresponding SSSD part it would be possible to get the full list of group memberships with the id command even for user who didn't log in before.

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-04 Thread Jakub Hrozek
On Thu, Sep 04, 2014 at 10:30:11AM -0400, Simo Sorce wrote: On Thu, 2014-09-04 at 15:55 +0200, Martin Kosek wrote: On 09/04/2014 02:40 PM, Alexander Bokovoy wrote: On Wed, 03 Sep 2014, Martin Kosek wrote: On 09/03/2014 03:15 PM, Petr Viktorin wrote: On 09/03/2014 02:27 PM, Petr

Re: [Freeipa-devel] [PATCH] CLIENT: Explicitly require python-backports-ssl_match_hostname

2014-09-01 Thread Jakub Hrozek
On Mon, Sep 01, 2014 at 11:01:23AM +0200, Martin Kosek wrote: On 08/25/2014 07:36 PM, Jakub Hrozek wrote: Hi, ipa-client-install was failing for me on a fresh F-21 machine until I manually dragged in python-backports-ssl_match_hostname Umh, thanks for the fix, but I do not think

[Freeipa-devel] [PATCH] CLIENT: Explicitly require python-backports-ssl_match_hostname

2014-08-25 Thread Jakub Hrozek
Hi, ipa-client-install was failing for me on a fresh F-21 machine until I manually dragged in python-backports-ssl_match_hostname From d5ff5ec7cb2ee0b3f116b4e9a25d2907bb8140d9 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Mon, 25 Aug 2014 19:33:30 +0200 Subject: [PATCH

Re: [Freeipa-devel] Release platforms for 4.0

2014-07-04 Thread Jakub Hrozek
On Fri, Jul 04, 2014 at 05:13:35PM +0200, Martin Kosek wrote: Given that Fedora 20 is now in stable phase and FreeIPA 4.0 adds a lot of functionality, we agreed that we will not publish FreeIPA 4.0 in stable Fedora 20 updates now. When releasing 4.0, we need to: 1) Prepare a COPR build for

Re: [Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Jakub Hrozek
On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote: Hello all, I would like to discuss what should we do with the latest issue we found in SSSD-DS communication which is broken after the ACI refactoring. It's not just SSSD-DS communication, any client, including ldapsearch

Re: [Freeipa-devel] #4389: DS deref broken after ACI refactoring

2014-06-20 Thread Jakub Hrozek
On Fri, Jun 20, 2014 at 04:45:45PM +0200, Martin Kosek wrote: On 06/20/2014 04:24 PM, Jakub Hrozek wrote: On Fri, Jun 20, 2014 at 04:06:16PM +0200, Martin Kosek wrote: Hello all, I would like to discuss what should we do with the latest issue we found in SSSD-DS communication which

Re: [Freeipa-devel] [RFC] Sending group-memberships to SSSD clients

2014-06-17 Thread Jakub Hrozek
On Mon, Jun 02, 2014 at 03:03:19PM +0200, Sumit Bose wrote: Hi, I'm preparing a design page for https://fedorahosted.org/freeipa/ticket/4031 [RFE] Support initgroups for unauthenticated AD users. Since we are using SSSD in ipa-server-mode in the server, the IPA server is able to resolve

Re: [Freeipa-devel] [RFC] Extdom plugin enhancement: grouplist

2014-06-17 Thread Jakub Hrozek
On Fri, Jun 06, 2014 at 07:24:14PM +0200, Sumit Bose wrote: Hi, I've created a design page about enhancing the extdom plugin to send the list of groups of a user together with the POSIX data to IPA clients with SSSD at http://www.freeipa.org/page/V4/Extdom_plugin_enhancement_grouplist

Re: [Freeipa-devel] faster ways to build/test dogtag?

2014-05-27 Thread Jakub Hrozek
On Tue, May 27, 2014 at 12:20:46PM +0200, Martin Kosek wrote: On 05/27/2014 09:00 AM, Fraser Tweedale wrote: Hi all, I've been working on a fix for a profile issue (https://fedorahosted.org/freeipa/ticket/2915). Unfortunately I find the scripts/compose_pki_core_packages - yum install

Re: [Freeipa-devel] [RFC] Migrating existing environments to Trust

2014-05-27 Thread Jakub Hrozek
On Tue, May 27, 2014 at 04:01:41PM +0200, Sumit Bose wrote: On Tue, Apr 15, 2014 at 11:13:38AM +0200, Sumit Bose wrote: Hi, I have started to write a design page for 'Migrating existing environments to Trust' http://www.freeipa.org/page/V3/Migrating_existing_environments_to_Trust It

Re: [Freeipa-devel] OTP Sync Client Design

2014-05-15 Thread Jakub Hrozek
On Wed, May 14, 2014 at 05:23:34PM -0400, Nathaniel McCallum wrote: IMO SSSD should probably have a way to sync the token. From usability point of view it should be a part of the standard stock client software, not a part of the IPA client or ipa tools. It should probably have a good UI

Re: [Freeipa-devel] [PATCH 0167] ipa-client-install: Configure sudo to use SSSD as data source

2014-05-07 Thread Jakub Hrozek
On Wed, May 07, 2014 at 05:29:37PM +0200, Tomas Babej wrote: On 04/30/2014 02:44 PM, Jakub Hrozek wrote: On Wed, Apr 30, 2014 at 11:05:52AM +0200, Tomas Babej wrote: On 03/24/2014 03:27 PM, Jan Pazdziora wrote: On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote: On 03/24/2014

Re: [Freeipa-devel] [PATCHES 180-182] ipatests: Improvements!

2014-05-02 Thread Jakub Hrozek
On Wed, Apr 30, 2014 at 03:59:01PM +0200, Tomas Babej wrote: Hi, * patch 180 fixes incorrect hostname usage when connecting to legacy clients * patch 181 sets up SSSD in debug_level 7 by default * patch 182 does the same, but on the legacy clients -- Tomas Babej Associate Software

Re: [Freeipa-devel] [PATCH 0167] ipa-client-install: Configure sudo to use SSSD as data source

2014-04-30 Thread Jakub Hrozek
On Wed, Apr 30, 2014 at 11:05:52AM +0200, Tomas Babej wrote: On 03/24/2014 03:27 PM, Jan Pazdziora wrote: On Mon, Mar 24, 2014 at 02:57:30PM +0100, Martin Kosek wrote: On 03/24/2014 02:47 PM, Jan Pazdziora wrote: On Mon, Mar 03, 2014 at 08:24:41PM +0100, Tomas Babej wrote: Hi, Makes

Re: [Freeipa-devel] incorrect permission when creating home directory automatically

2014-04-14 Thread Jakub Hrozek
On Sun, Apr 13, 2014 at 01:23:11PM +0430, farzad niazmand wrote: Hi I enabled --enablemkhomedir option when configured Clients to automatically create home directories as user logs in. The problem I have is whenever a users logs in for the first time and a home directory creates for it, the

Re: [Freeipa-devel] [PATCH 0159] ipatests: test_trust: Change expected home directories for

2014-03-20 Thread Jakub Hrozek
On Thu, Mar 20, 2014 at 01:49:30PM +0100, Tomas Babej wrote: Hi, Information from the AD about the home directories is not leveraged at all, but is generated from the username and domain. Fix the assumptions in the tests. Right, until we enhance the extop plugin to send the full set of

Re: [Freeipa-devel] DNSSEC design page: key wrapping

2014-03-06 Thread Jakub Hrozek
On Wed, Mar 05, 2014 at 05:56:25PM +0100, Jan Cholasta wrote: On 5.3.2014 16:02, Petr Spacek wrote: On 5.3.2014 14:21, Simo Sorce wrote: On Wed, 2014-03-05 at 10:53 +0100, Petr Spacek wrote: On 5.3.2014 08:48, Jan Cholasta wrote: On 5.3.2014 05:10, Simo Sorce wrote: On Tue, 2014-03-04 at

Re: [Freeipa-devel] Reviewer in Trac

2014-02-25 Thread Jakub Hrozek
On Thu, Feb 20, 2014 at 02:11:08PM -0500, Simo Sorce wrote: On Thu, 2014-02-20 at 17:29 +0100, Petr Viktorin wrote: Patchwork: patch arrives: nothing mark self as reviewer: use web interface send review: reply, find patch in Patchwork, mark status send fixed patch: send the

Re: [Freeipa-devel] Reviewer in Trac

2014-02-20 Thread Jakub Hrozek
On Thu, Feb 20, 2014 at 01:22:56PM +0100, Petr Viktorin wrote: On 02/20/2014 01:14 PM, Martin Kosek wrote: We had a discussion with other developers how better track who is reviewing which patch. Recently, we introduced the Reviewed-By tag in a commit message, but that is a post-review tag

Re: [Freeipa-devel] Reviewer in Trac

2014-02-20 Thread Jakub Hrozek
On Thu, Feb 20, 2014 at 10:15:23AM -0500, Simo Sorce wrote: On Thu, 2014-02-20 at 16:13 +0100, Martin Kosek wrote: On 02/20/2014 04:09 PM, Simo Sorce wrote: On Thu, 2014-02-20 at 15:59 +0100, Martin Kosek wrote: On 02/20/2014 03:52 PM, Jakub Hrozek wrote: On Thu, Feb 20, 2014 at 01:22

Re: [Freeipa-devel] [PATCH 0039] Enable FAST support in SSSD by default

2014-02-11 Thread Jakub Hrozek
On Tue, Feb 11, 2014 at 02:57:40PM +0200, Alexander Bokovoy wrote: On Mon, 10 Feb 2014, Jakub Hrozek wrote: On Mon, Feb 10, 2014 at 04:06:37PM -0500, Nathaniel McCallum wrote: https://fedorahosted.org/freeipa/ticket/4173 I do have one question. Do we ever try to upgrade the SSSD config

Re: [Freeipa-devel] Using the Reviewed-by git tag

2014-02-10 Thread Jakub Hrozek
) Martin Kosek 3) Petr Viktorin 4) ... 99) Others: Reviewed-By choice [0]: _ Martin For SSSD I simply added a ~/.vimrc snippet based on: https://wiki.samba.org/index.php/CodeReview It currently includes: function! CommitMessages() nmap R iReviewed-by: Jakub Hrozek jhro...@redhat.comCRESC

Re: [Freeipa-devel] [PATCH 0039] Enable FAST support in SSSD by default

2014-02-10 Thread Jakub Hrozek
On Mon, Feb 10, 2014 at 04:06:37PM -0500, Nathaniel McCallum wrote: https://fedorahosted.org/freeipa/ticket/4173 I do have one question. Do we ever try to upgrade the SSSD config? If so, should we try to upgrade the SSSD config to enable FAST by default? Nathaniel What if we changed the

Re: [Freeipa-devel] FreeIPA OTP End-to-End

2014-01-13 Thread Jakub Hrozek
On Sun, Jan 12, 2014 at 10:07:49PM +0200, Alexander Bokovoy wrote: There seem to be two parts, one is covered by this bug and another one is related to SSSD/logind communication: allow sssd_t systemd_logind_var_run_t:dir search; allow sssd_t systemd_logind_var_run_t:file { read getattr open

Re: [Freeipa-devel] FreeIPA OTP End-to-End

2014-01-12 Thread Jakub Hrozek
On Sat, Jan 11, 2014 at 01:20:59AM +0200, Alexander Bokovoy wrote: On Thu, 09 Jan 2014, Nathaniel McCallum wrote: New RPMs are up: http://npmccallum.fedorapeople.org/freeipa-otp/rpms/ Just as a note -- we can use copr service to provide a better experience for testing. I made a copr repo with

Re: [Freeipa-devel] [PATCH 0026] Enable building in C99 mode

2013-12-17 Thread Jakub Hrozek
On Tue, Dec 17, 2013 at 08:19:09AM +0100, Jan Cholasta wrote: Hi, On 16.12.2013 22:12, Nathaniel McCallum wrote: Patch attached. Care to elaborate? There's no ticket or explanation why this is beneficial or necessary. We had a short chat with Nathaniel yesterday on IRC about which C

Re: [Freeipa-devel] [PATCH 0026] Enable building in C99 mode

2013-12-17 Thread Jakub Hrozek
On Tue, Dec 17, 2013 at 10:29:03AM +0100, Petr Spacek wrote: On 17.12.2013 10:12, Jakub Hrozek wrote: On Tue, Dec 17, 2013 at 08:19:09AM +0100, Jan Cholasta wrote: Hi, On 16.12.2013 22:12, Nathaniel McCallum wrote: Patch attached. Care to elaborate? There's no ticket or explanation why

Re: [Freeipa-devel] [PATCHES] 204-205 Spec file fixes

2013-12-02 Thread Jakub Hrozek
for the SLAPI plugins? I am not sure, I would like to hear what the experts say. Martin On 11/27/2013 03:37 PM, Jakub Hrozek wrote: I'm sorry, I removed Martin's e-mail by accident so I'll reply here. I think defining the hardened build globally is fine, the only performance impact

Re: [Freeipa-devel] [PATCHES] 204-205 Spec file fixes

2013-11-27 Thread Jakub Hrozek
On Wed, Nov 27, 2013 at 02:26:20PM +0100, Jan Cholasta wrote: Hi, the attached patches fix https://fedorahosted.org/freeipa/ticket/4010. Honza -- Jan Cholasta From 27fe562102962416f3db17b1b30be978a8c201b3 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 27

Re: [Freeipa-devel] Reminder: Patchwork

2013-10-31 Thread Jakub Hrozek
On Thu, Oct 31, 2013 at 06:52:10PM +0100, Ana Krivokapic wrote: Hello IPA developers, I would like to remind everyone about our Patchwork instance[1]. This tool helps us to better coordinate work and be more efficient, so let's try to remember to use it consistently. It takes only a few

Re: [Freeipa-devel] Reminder: Patchwork

2013-10-31 Thread Jakub Hrozek
On Thu, Oct 31, 2013 at 02:50:21PM -0400, Simo Sorce wrote: On Thu, 2013-10-31 at 19:26 +0100, Jakub Hrozek wrote: On Thu, Oct 31, 2013 at 06:52:10PM +0100, Ana Krivokapic wrote: Hello IPA developers, I would like to remind everyone about our Patchwork instance[1]. This tool helps

Re: [Freeipa-devel] [RFE] CA certificate renewal

2013-10-08 Thread Jakub Hrozek
On Tue, Oct 08, 2013 at 09:21:10AM +0200, Petr Spacek wrote: On 8.10.2013 09:16, Jan Cholasta wrote: On 8.10.2013 08:37, Petr Spacek wrote: On 7.10.2013 20:20, Jan Cholasta wrote: Automatic renewal of IPA CA certificate. certmonger currently has no notification capabilities. How will anyone

Re: [Freeipa-devel] Multiple CA certificates in LDAP, questions

2013-09-13 Thread Jakub Hrozek
On Thu, Sep 05, 2013 at 10:28:36AM +0200, Jan Cholasta wrote: On 3.9.2013 18:16, Dmitri Pal wrote: On 09/02/2013 04:49 AM, Petr Spacek wrote: On 22.8.2013 15:43, Jan Cholasta wrote: Hi, I'm currently investigating support for multiple CA certificates in LDAP

Re: [Freeipa-devel] [PATCH] Debian client support

2013-09-03 Thread Jakub Hrozek
On Tue, Sep 03, 2013 at 11:00:07AM +0200, Petr Viktorin wrote: fifth fixes some compilation warnings Looks good to my eyes, perhaps a C expert can look at this one too. I wonder why these warnings aren't enabled in our builds, though. They look good to me, too. (Does this answer make me a C

Re: [Freeipa-devel] [PATCH] Debian client support

2013-09-03 Thread Jakub Hrozek
On Tue, Sep 03, 2013 at 01:34:48PM +0200, Petr Viktorin wrote: On 09/03/2013 11:22 AM, Jakub Hrozek wrote: On Tue, Sep 03, 2013 at 11:00:07AM +0200, Petr Viktorin wrote: fifth fixes some compilation warnings Looks good to my eyes, perhaps a C expert can look at this one too. I wonder why

Re: [Freeipa-devel] [SSSD] FreeIPA on Debian

2013-09-02 Thread Jakub Hrozek
On Sun, Sep 01, 2013 at 09:20:30PM +0300, Timo Aaltonen wrote: 3) Someone needs to own packages in Debian and maintain them, someone with good knowledge of the distro and time to take ownership of about 50 packages. I'm doing this on my spare time, which has meant obvious delays in

[Freeipa-devel] [PATCH] EXTDOM: Do not overwrite domain_name for INP_SID

2013-08-26 Thread Jakub Hrozek
d24e37c5a32203fa2a2210a736f2c7dda5c3425e Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Sun, 25 Aug 2013 14:39:27 +0200 Subject: [PATCH] EXTDOM: Do not overwrite domain_name for INP_SID --- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 2 -- 1 file changed, 2

Re: [Freeipa-devel] [PATCH] 0052 Add ipa-advise plugins for legacy clients

2013-08-05 Thread Jakub Hrozek
On Mon, Aug 05, 2013 at 09:55:26PM +0300, Alexander Bokovoy wrote: On Mon, 05 Aug 2013, Ana Krivokapic wrote: +except errors.NotFound: +return dict(result=False) + +attr = groups_entry.get('schema-compat-lookup-sssd') same here. It needs my patch 0112 too -- it

Re: [Freeipa-devel] [PATCH 0081] Skip referrals when converting LDAP result to LDAPEntry

2013-07-25 Thread Jakub Hrozek
On Thu, Jul 25, 2013 at 03:39:59PM +0200, Tomas Babej wrote: On Thursday 25 of July 2013 09:30:22 Jan Cholasta wrote: On 25.7.2013 09:11, Petr Spacek wrote: On 25.7.2013 09:03, Alexander Bokovoy wrote: On Thu, 25 Jul 2013, Petr Spacek wrote: On 24.7.2013 22:18, Tomas Babej wrote:

[Freeipa-devel] [PATCH] Two minor IPA KDB MS-PAC fixes

2013-07-23 Thread Jakub Hrozek
clang found one branch with undefined variable return and one unused variable. From 09962a9a40cd589c4694ecab4b4faa3c39e8a4a3 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek jhro...@redhat.com Date: Tue, 23 Jul 2013 15:07:39 +0200 Subject: [PATCH 1/2] IPA KDB MS-PAC: return ENOMEM if allocation fails

  1   2   3   4   5   >