Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Alexander Bokovoy
On Thu, 04 Sep 2014, Martin Kosek wrote: On 09/04/2014 02:40 PM, Alexander Bokovoy wrote: On Wed, 03 Sep 2014, Martin Kosek wrote: On 09/03/2014 03:15 PM, Petr Viktorin wrote: On 09/03/2014 02:27 PM, Petr Viktorin wrote: On 09/03/2014 01:27 PM, Petr Viktorin wrote: Hello, This adds managed

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Alexander Bokovoy
On Fri, 05 Sep 2014, Alexander Bokovoy wrote: On Thu, 04 Sep 2014, Martin Kosek wrote: On 09/04/2014 02:40 PM, Alexander Bokovoy wrote: On Wed, 03 Sep 2014, Martin Kosek wrote: On 09/03/2014 03:15 PM, Petr Viktorin wrote: On 09/03/2014 02:27 PM, Petr Viktorin wrote: On 09/03/2014 01:27 PM,

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Martin Kosek
On 09/05/2014 09:03 AM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Alexander Bokovoy wrote: On Thu, 04 Sep 2014, Martin Kosek wrote: On 09/04/2014 02:40 PM, Alexander Bokovoy wrote: On Wed, 03 Sep 2014, Martin Kosek wrote: On 09/03/2014 03:15 PM, Petr Viktorin wrote: On 09/03/2014 02:27

Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation

2014-09-05 Thread David Kupka
On 09/04/2014 01:22 PM, Jan Cholasta wrote: Dne 4.9.2014 v 12:42 David Kupka napsal(a): On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, Dne 27.8.2014 v 13:56 David Kupka napsal(a): Usually it isn't wise to allow something like this. But in environment with broken DNS (described in ticket)

Re: [Freeipa-devel] [PATCH 0119] Fix dnsrecord-mod, regression in 4.x

2014-09-05 Thread Petr Viktorin
On 09/04/2014 05:12 PM, Jan Cholasta wrote: Dne 4.9.2014 v 16:45 Martin Basti napsal(a): On 04/09/14 16:36, Jan Cholasta wrote: Hi, Dne 4.9.2014 v 16:13 Martin Basti napsal(a): Regression is caused by different output types for dnsrecord-mod and dnsrecord-del. dnsrecord-mod internally calls

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Martin Kosek
On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): No longer request and install a cert for the IPA client machine. rob The original plan was to keep generating the certificate, but in /etc/ipa/nssdb instead of

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Martin Kosek
On 09/04/2014 04:44 PM, Ludwig Krispenz wrote: On 09/04/2014 04:38 PM, Martin Kosek wrote: On 09/04/2014 04:10 PM, Alexander Bokovoy wrote: ... createTimestamp is operational attribute and is synthesized by slapi-nis, there is no problem allowing access to it. I think we can allow

Re: [Freeipa-devel] [PATCH] 0008 Use certmonger D-Bus API instead of messing with its files.

2014-09-05 Thread Martin Kosek
On 09/04/2014 03:09 PM, Jan Cholasta wrote: Dne 4.9.2014 v 13:40 Martin Kosek napsal(a): On 09/04/2014 01:19 PM, Jan Cholasta wrote: Dne 4.9.2014 v 12:31 David Kupka napsal(a): On 09/03/2014 04:45 PM, Jan Cholasta wrote: Dne 3.9.2014 v 16:25 David Kupka napsal(a): On 09/03/2014 04:05 PM, Jan

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Alexander Bokovoy
On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): No longer request and install a cert for the IPA client machine. rob The original plan was to keep generating the certificate, but

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Alexander Bokovoy
On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 04:44 PM, Ludwig Krispenz wrote: On 09/04/2014 04:38 PM, Martin Kosek wrote: On 09/04/2014 04:10 PM, Alexander Bokovoy wrote: ... createTimestamp is operational attribute and is synthesized by slapi-nis, there is no problem allowing

Re: [Freeipa-devel] [PATCH] 318 Backup CS.cfg before modifying it

2014-09-05 Thread Petr Viktorin
On 09/03/2014 06:35 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4166. Honza ACK Neither patch applies to 4.1, though. Could you send a version for that as well? -- Petr³ ___ Freeipa-devel

Re: [Freeipa-devel] [PATCHES 0109-0110] DNS: fix DS record validation

2014-09-05 Thread Martin Kosek
On 09/04/2014 01:11 PM, Petr Spacek wrote: On 4.9.2014 13:02, Martin Basti wrote: On 04/09/14 11:46, Petr Spacek wrote: On 3.9.2014 16:42, Martin Basti wrote: On 02/09/14 17:16, Petr Spacek wrote: On 20.8.2014 19:26, Martin Basti wrote: Part of DNSSEC Patches attached. NACK # ipa

Re: [Freeipa-devel] [PATCHES 0111-0113] Fix NS record coexistence validation

2014-09-05 Thread Martin Kosek
On 09/04/2014 01:12 PM, Petr Spacek wrote: On 3.9.2014 16:51, Martin Basti wrote: On 03/09/14 12:30, Martin Kosek wrote: On 09/02/2014 05:38 PM, Petr Spacek wrote: On 21.8.2014 19:21, Martin Basti wrote: During work on DNSSEC we found a wrong validation of NS records Patch 0113 fixes an

[Freeipa-devel] [PATCH] Do not restart apache server when not necessary.

2014-09-05 Thread David Kupka
https://fedorahosted.org/freeipa/ticket/4352 -- David Kupka From 9f081c8f1cab3f0d7cb0d55054ae7ad8f1ed8a10 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Fri, 5 Sep 2014 09:55:23 +0200 Subject: [PATCH] Do not restart apache server when not necessary.

Re: [Freeipa-devel] [PATCH 0107-0108] Fix DNS wildcard validation

2014-09-05 Thread Petr Spacek
On 3.9.2014 14:40, Martin Basti wrote: On 02/09/14 17:33, Petr Spacek wrote: On 21.8.2014 10:58, Martin Basti wrote: On 21/08/14 08:43, Petr Spacek wrote: On 20.8.2014 17:37, Martin Basti wrote: +# dissallowed wildcard (RFC 4592) +no_wildcard_rtypes = ['CNAME', 'DNAME', 'DS',

Re: [Freeipa-devel] [PATCH 0107-0108] Fix DNS wildcard validation

2014-09-05 Thread Petr Viktorin
On 09/05/2014 12:21 PM, Petr Spacek wrote: On 3.9.2014 14:40, Martin Basti wrote: On 02/09/14 17:33, Petr Spacek wrote: On 21.8.2014 10:58, Martin Basti wrote: On 21/08/14 08:43, Petr Spacek wrote: On 20.8.2014 17:37, Martin Basti wrote: +# dissallowed wildcard (RFC 4592) +

[Freeipa-devel] Fwd: [freeipa] update to Java/8

2014-09-05 Thread Martin Kosek
Petr, why do we require java-1.7.0-openjdk in BuildRequires anyway? Shouldn't rhino be enough? Original Message Subject: [freeipa] update to Java/8 Date: Tue, 2 Sep 2014 17:41:13 + (UTC) From: Pádraig Brady pbr...@fedoraproject.org To: freeipa-ow...@fedoraproject.org,

Re: [Freeipa-devel] [PATCH 0282] Create temporary directories with ug=rwx, o= permissions

2014-09-05 Thread Petr Spacek
On 4.9.2014 18:31, Martin Basti wrote: On 04/09/14 17:55, Petr Spacek wrote: Hello, Create temporary directories with ug=rwx,o= permissions. Zero group permissions do not allow to use POSIX ACLs which is undesirable. NACK It creates drwxr-x--- permissions (umask problem) Thank you for

Re: [Freeipa-devel] [PATCH 0282] Create temporary directories with ug=rwx, o= permissions

2014-09-05 Thread Martin Basti
On 05/09/14 12:43, Petr Spacek wrote: On 4.9.2014 18:31, Martin Basti wrote: On 04/09/14 17:55, Petr Spacek wrote: Hello, Create temporary directories with ug=rwx,o= permissions. Zero group permissions do not allow to use POSIX ACLs which is undesirable. NACK It creates drwxr-x---

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Petr Viktorin
On 09/05/2014 09:18 AM, Martin Kosek wrote: On 09/05/2014 09:03 AM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Alexander Bokovoy wrote: On Thu, 04 Sep 2014, Martin Kosek wrote: On 09/04/2014 02:40 PM, Alexander Bokovoy wrote: On Wed, 03 Sep 2014, Martin Kosek wrote: On 09/03/2014 03:15

Re: [Freeipa-devel] [PATCH] Do not restart apache server when not necessary.

2014-09-05 Thread Martin Kosek
On 09/05/2014 12:17 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/4352 Thanks, ACK. Pushed to master, ipa-4-1, ipa-4-0. Martin

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Alexander Bokovoy
On Fri, 05 Sep 2014, Petr Viktorin wrote: On 09/05/2014 09:18 AM, Martin Kosek wrote: On 09/05/2014 09:03 AM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Alexander Bokovoy wrote: On Thu, 04 Sep 2014, Martin Kosek wrote: On 09/04/2014 02:40 PM, Alexander Bokovoy wrote: On Wed, 03 Sep 2014,

Re: [Freeipa-devel] [PATCH] 318 Backup CS.cfg before modifying it

2014-09-05 Thread Jan Cholasta
Dne 5.9.2014 v 12:05 Petr Viktorin napsal(a): On 09/03/2014 06:35 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4166. Honza ACK Neither patch applies to 4.1, though. Could you send a version for that as well? Sure. -- Jan Cholasta From

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Petr Viktorin
On 09/05/2014 01:34 PM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Petr Viktorin wrote: On 09/05/2014 09:18 AM, Martin Kosek wrote: ... Thanks! Looks sane to me. We would just need to remove Views related ACIs for the 4.0.x version that we will need for today. Thanks indeed! Here is the

Re: [Freeipa-devel] [PATCH] Make CA-less ipa-server-install option --root-ca-file optional

2014-09-05 Thread Petr Viktorin
On 08/07/2014 05:46 PM, Petr Viktorin wrote: On 08/06/2014 09:42 AM, Jan Cholasta wrote: Dne 5.8.2014 v 10:30 Jan Cholasta napsal(a): Hi, the attached patch fixes the code part of https://fedorahosted.org/freeipa/ticket/4457. Works for me, thanks! Pushed to: master:

Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation

2014-09-05 Thread Jan Cholasta
Dne 5.9.2014 v 09:25 David Kupka napsal(a): On 09/04/2014 01:22 PM, Jan Cholasta wrote: Dne 4.9.2014 v 12:42 David Kupka napsal(a): On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, Dne 27.8.2014 v 13:56 David Kupka napsal(a): Usually it isn't wise to allow something like this. But in

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Simo Sorce
On Fri, 2014-09-05 at 10:43 +0200, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): No longer request and install a cert for the IPA client machine. rob The original plan was to keep

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Simo Sorce
On Fri, 2014-09-05 at 12:12 +0300, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 04:44 PM, Ludwig Krispenz wrote: On 09/04/2014 04:38 PM, Martin Kosek wrote: On 09/04/2014 04:10 PM, Alexander Bokovoy wrote: ... createTimestamp is operational attribute

Re: [Freeipa-devel] [PATCH] 0011 Allow user to force Kerberos realm during installation

2014-09-05 Thread Petr Viktorin
On 09/05/2014 02:44 PM, Jan Cholasta wrote: Dne 5.9.2014 v 09:25 David Kupka napsal(a): On 09/04/2014 01:22 PM, Jan Cholasta wrote: Dne 4.9.2014 v 12:42 David Kupka napsal(a): On 09/03/2014 05:09 PM, Jan Cholasta wrote: Hi, Dne 27.8.2014 v 13:56 David Kupka napsal(a): Usually it isn't wise

Re: [Freeipa-devel] [PATCH 0282] Create temporary directories with ug=rwx, o= permissions

2014-09-05 Thread Petr Spacek
On 5.9.2014 13:08, Martin Basti wrote: On 05/09/14 12:43, Petr Spacek wrote: On 4.9.2014 18:31, Martin Basti wrote: On 04/09/14 17:55, Petr Spacek wrote: Hello, Create temporary directories with ug=rwx,o= permissions. Zero group permissions do not allow to use POSIX ACLs which is

Re: [Freeipa-devel] [PATCH] 748 webui: extract complex pkey on Add and Edit

2014-09-05 Thread Martin Kosek
On 09/04/2014 12:53 AM, Endi Sukma Dewata wrote: On 9/2/2014 10:15 AM, Petr Vobornik wrote: DNS zone 'Add and Edit' failed because of new DNS name encoding. This patch makes sure that keys are extracted properly. https://fedorahosted.org/freeipa/ticket/4520 ACK. Pushed to: master:

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Rob Crittenden
Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): No longer request and install a cert for the IPA client machine. rob The original plan was to keep

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Martin Kosek
On 09/05/2014 03:15 PM, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): No longer request and install a cert for the IPA client

[Freeipa-devel] FreeIPA 4.0.2

2014-09-05 Thread Martin Kosek
Hello Team, The time has come and we are about to spin the release wheels for FreeIPA 4.0.2! Let us do quick check before the release. This version Release Man is Petr Viktorin. I created candidate release notes in http://www.freeipa.org/page/Releases/4.0.2. Please feel free to amend. ==

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Rob Crittenden
Martin Kosek wrote: On 09/05/2014 03:15 PM, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): No longer request and install a cert for

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Alexander Bokovoy
On Fri, 05 Sep 2014, Rob Crittenden wrote: Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Martin Kosek wrote: On 09/04/2014 05:13 PM, Rob Crittenden wrote: Jan Cholasta wrote: Hi, Dne 3.9.2014 v 21:23 Rob Crittenden napsal(a): No longer request and install a cert for the IPA client machine.

Re: [Freeipa-devel] [PATCH] 0640 Add managed read permissions for compat tree

2014-09-05 Thread Petr Viktorin
On 09/05/2014 01:51 PM, Petr Viktorin wrote: On 09/05/2014 01:34 PM, Alexander Bokovoy wrote: On Fri, 05 Sep 2014, Petr Viktorin wrote: On 09/05/2014 09:18 AM, Martin Kosek wrote: ... Thanks! Looks sane to me. We would just need to remove Views related ACIs for the 4.0.x version that we will

Re: [Freeipa-devel] [PATCH] Make CA-less ipa-server-install option --root-ca-file optional

2014-09-05 Thread Petr Viktorin
On 09/05/2014 02:03 PM, Petr Viktorin wrote: On 08/07/2014 05:46 PM, Petr Viktorin wrote: On 08/06/2014 09:42 AM, Jan Cholasta wrote: Dne 5.8.2014 v 10:30 Jan Cholasta napsal(a): Hi, the attached patch fixes the code part of https://fedorahosted.org/freeipa/ticket/4457. Works for me,

Re: [Freeipa-devel] [PATCH 0282] Create temporary directories with ug=rwx, o= permissions

2014-09-05 Thread Martin Basti
On 05/09/14 14:51, Petr Spacek wrote: On 5.9.2014 13:08, Martin Basti wrote: On 05/09/14 12:43, Petr Spacek wrote: On 4.9.2014 18:31, Martin Basti wrote: On 04/09/14 17:55, Petr Spacek wrote: Hello, Create temporary directories with ug=rwx,o= permissions. Zero group permissions do not

Re: [Freeipa-devel] [PATCH] 318 Backup CS.cfg before modifying it

2014-09-05 Thread Petr Viktorin
On 09/05/2014 01:47 PM, Jan Cholasta wrote: Dne 5.9.2014 v 12:05 Petr Viktorin napsal(a): On 09/03/2014 06:35 PM, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/4166. Honza ACK Neither patch applies to 4.1, though. Could you send a version for

Re: [Freeipa-devel] FreeIPA 4.0.2

2014-09-05 Thread Petr Viktorin
On 09/05/2014 03:19 PM, Martin Kosek wrote: Hello Team, The time has come and we are about to spin the release wheels for FreeIPA 4.0.2! Let us do quick check before the release. This version Release Man is Petr Viktorin. I can start the release process in a few hours, if the new

Re: [Freeipa-devel] FreeIPA 4.0.2

2014-09-05 Thread Martin Kosek
On 09/05/2014 04:17 PM, Petr Viktorin wrote: On 09/05/2014 03:19 PM, Martin Kosek wrote: Hello Team, The time has come and we are about to spin the release wheels for FreeIPA 4.0.2! Let us do quick check before the release. This version Release Man is Petr Viktorin. I can start the

Re: [Freeipa-devel] FreeIPA 4.0.2

2014-09-05 Thread Alexander Bokovoy
On Fri, 05 Sep 2014, Martin Kosek wrote: Hello Team, The time has come and we are about to spin the release wheels for FreeIPA 4.0.2! Let us do quick check before the release. This version Release Man is Petr Viktorin. I created candidate release notes in

[Freeipa-devel] [PATCH 0283] Fix root zone handling

2014-09-05 Thread Petr Spacek
Hello, Fix root zone handling. syncrepl_update() was buggy in a way which could cause accidental zone removal. Test case: A server with two zones: '.' and 'test.' Zone '.': . NS ns1.test. . NS ns2.test. test. NS ns1.test. test. NS ns2.test. Zone 'test.': test. NS ns1.test. test.

Re: [Freeipa-devel] [PATCH] 1109 No client machine cert

2014-09-05 Thread Petr Viktorin
On 09/03/2014 09:23 PM, Rob Crittenden wrote: No longer request and install a cert for the IPA client machine. https://fedorahosted.org/freeipa/ticket/4449 ACK Pushed to: master: c1bf5203937827369c7ce023d03c75d2da6d83ee ipa-4-1: 058c1f453c4e2df38eec57ba605cd5dc492eb978 ipa-4-0:

Re: [Freeipa-devel] [PATCH 0283] Fix root zone handling

2014-09-05 Thread Petr Spacek
On 5.9.2014 17:40, Petr Spacek wrote: Hello, Fix root zone handling. syncrepl_update() was buggy in a way which could cause accidental zone removal. Test case: A server with two zones: '.' and 'test.' Zone '.': . NS ns1.test. . NS ns2.test. test. NS ns1.test. test. NS ns2.test. Zone