Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html From 282f9763d0b0cc63a56161b402091c9f1fe7f279 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:05:57 +0200 Subject: [PATCH] Put m4 macros from autotools to separate sub-directory. Signed-off-by: Petr Spacek pspa...@redhat.com --- Makefile.am | 2 ++ configure.ac | 1 + 2 files changed, 3 insertions(+) diff --git a/Makefile.am b/Makefile.am index 8d713c44a889b6a8f1d80ba9780de1287d641227..f5ff369861e3a8fd686f3eb36934df01c38fe597 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,3 +1,5 @@ +ACLOCAL_AMFLAGS = -I m4 + SUBDIRS = doc src doc_DATA = README NEWS diff --git a/configure.ac b/configure.ac index b6d66de1b862a6860226a5f9ae4a3f33842e6100..dfe0ac39adcd779e9df8ba6feab723d32af20c48 100644 --- a/configure.ac +++ b/configure.ac @@ -5,6 +5,7 @@ AM_INIT_AUTOMAKE([-Wall foreign dist-bzip2]) AC_CONFIG_SRCDIR([src/zone_manager.h]) AC_CONFIG_HEADERS([config.h]) +AC_CONFIG_MACRO_DIR([m4]) # Disable static libraries AC_DISABLE_STATIC -- 1.8.3.1 ACK to the 2nd patch LS ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On (10/07/13 10:48), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html You probably did not read this page ^ Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR m4_pattern_allow should be used for another things. http://www.gnu.org/software/autoconf/manual/autoconf.html#Forbidden-Patterns LS ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On Wed, Jul 10, 2013 at 10:59:10AM +0200, Lukas Slebodnik wrote: On (10/07/13 10:48), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html You probably did not read this page ^ No I didn't :) But what the guy says there isn't true, m4_pattern_allow works just fine even with the old autoconf version in RHEL5. Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR m4_pattern_allow should be used for another things. http://www.gnu.org/software/autoconf/manual/autoconf.html#Forbidden-Patterns Dunno, I think it'quite pretty established pattern. Is there something wrong with it? ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On (10/07/13 11:14), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:59:10AM +0200, Lukas Slebodnik wrote: On (10/07/13 10:48), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html You probably did not read this page ^ No I didn't :) But what the guy says there isn't true, m4_pattern_allow works just fine even with the old autoconf version in RHEL5. Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR m4_pattern_allow should be used for another things. http://www.gnu.org/software/autoconf/manual/autoconf.html#Forbidden-Patterns Dunno, I think it'quite pretty established pattern. Is there something wrong with it? Macro m4_pattern_allow only suppresses autotool error possibly undefined macro, but there still will be a warning macro `AM_PROG_AR' not found in library Autreconf will not fail with older versions of automake (=1.11), but macro AM_PROG_AR will not be expanded and you can find this unexpanded text in configure script. It is harmless. Everything will work well, but we don't like warnings. LS ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On 10.7.2013 10:29, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacekpspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacekpspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html Thank you for catching this. Fixed patch is attached. -- Petr^2 Spacek From 3bec5eda866bd9b518c2b11db3abc0cc9dcdfa1a Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..9ecd8a467f255dcdaa82c36547f8b958cb3565a1 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On Monday 08 of July 2013 16:58:18 Ana Krivokapic wrote:
On 06/25/2013 05:28 PM, Ana Krivokapic wrote:
On 06/24/2013 02:27 PM, Tomas Babej wrote:
On 06/11/2013 04:42 PM, Ade Lee wrote:
[snip]
Just FYI, we plan to do a new release of pki-core today (pki-
core-10.0.3-2)
to address this issue.
--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
Ok, so I tested the patch, since pki-core has the PkiExport command fixed
now.
I'm getting a little bit further now.
[tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
vm-129.idm.lab.eng.brq.redhat.com
Directory Manager (existing master) password:
Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
vm-127.idm.lab.eng.brq.redhat.com
Constraint violation: Failed to update password
With debug output, I get (snipped out irrelevant parts):
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
context.ldap2_57668944
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
context.ldap2_57668944
ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
ipa: DEBUG: Search failed: [Errno -2] Name or service not known
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from
SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not
logging
to a file
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
ipa-replica-prepare was invoked with arguments
['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin':
None,
'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
'/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None,
'password':
None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
'pkinit_pin': None}
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
replica for vm-129.idm.lab.eng.brq.redhat.com from
vm-127.idm.lab.eng.brq.redhat.com
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from
SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
/tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
context.ldap2_139884970376144
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
/usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in
execute
return_value = self.run()
File
/usr/lib/python2.7/site-
packages/ipaserver/install/ipa_replica_prepare.py,
line 245, in run
self.copy_ds_certificate()
File
/usr/lib/python2.7/site-
packages/ipaserver/install/ipa_replica_prepare.py,
line 281, in copy_ds_certificate
self.update_pki_admin_password()
File
/usr/lib/python2.7/site-
packages/ipaserver/install/ipa_replica_prepare.py,
line 520, in update_pki_admin_password
ldap.modify_password(dn, self.dirman_password)
File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py,
line
332, in modify_password
self.conn.passwd_s(dn, old_pass, new_pass)
File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
self.gen.throw(type, value, traceback)
File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 919,
in
error_handler
raise errors.DatabaseError(desc=desc, info=info)
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: DatabaseError: Constraint
violation: Failed to update password
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
Constraint
violation: Failed to update password
Tomas
It seems that this time the culprit is 389-ds-base packages. The password
change
is rejected when using the latest version of 389-ds-base
(389-ds-base-1.3.1.2-1.fc19.x86_64). I tried testing it with a previous
version
(389-ds-base-1.3.0.5-1.fc19.x86_64) and it works.
I open an upstream ticket for the 389
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On Wed, Jul 10, 2013 at 11:59:32AM +0200, Lukas Slebodnik wrote: On (10/07/13 11:14), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:59:10AM +0200, Lukas Slebodnik wrote: On (10/07/13 10:48), Jakub Hrozek wrote: On Wed, Jul 10, 2013 at 10:29:35AM +0200, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacek pspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html You probably did not read this page ^ No I didn't :) But what the guy says there isn't true, m4_pattern_allow works just fine even with the old autoconf version in RHEL5. Even better is: m4_pattern_allow([AM_PROG_AR]) AM_PROG_AR m4_pattern_allow should be used for another things. http://www.gnu.org/software/autoconf/manual/autoconf.html#Forbidden-Patterns Dunno, I think it'quite pretty established pattern. Is there something wrong with it? Macro m4_pattern_allow only suppresses autotool error possibly undefined macro, but there still will be a warning macro `AM_PROG_AR' not found in library Autreconf will not fail with older versions of automake (=1.11), but macro AM_PROG_AR will not be expanded and you can find this unexpanded text in configure script. It is harmless. Everything will work well, but we don't like warnings. Sounds like we should patch the same in SSSD then. Thanks for the investigation! ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0029 Make sure replication works after DM password is changed
On 07/10/2013 01:33 PM, Tomas Babej wrote:
On Monday 08 of July 2013 16:58:18 Ana Krivokapic wrote:
On 06/25/2013 05:28 PM, Ana Krivokapic wrote:
On 06/24/2013 02:27 PM, Tomas Babej wrote:
On 06/11/2013 04:42 PM, Ade Lee wrote:
[snip]
Just FYI, we plan to do a new release of pki-core today
(pki-core-10.0.3-2)
to address this issue.
--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
Ok, so I tested the patch, since pki-core has the PkiExport command fixed
now.
I'm getting a little bit further now.
[tbabej@vm-127 ~]$ sudo ipa-replica-prepare --ip-address 10.34.47.129
vm-129.idm.lab.eng.brq.redhat.com
Directory Manager (existing master) password:
Preparing replica for vm-129.idm.lab.eng.brq.redhat.com from
vm-127.idm.lab.eng.brq.redhat.com
Constraint violation: Failed to update password
With debug output, I get (snipped out irrelevant parts):
Directory Manager (existing master) password:
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
context.ldap2_57668944
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700ab8
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Destroyed connection
context.ldap2_57668944
ipa: DEBUG: Search DNS for vm-129.idm.lab.eng.brq.redhat.com
ipa: DEBUG: Search failed: [Errno -2] Name or service not known
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from
SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x4c704d0
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: Not
logging
to a file
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG:
ipa-replica-prepare was invoked with arguments
['vm-129.idm.lab.eng.brq.redhat.com'] and options: {'log_file': None,
'verbose': True, 'reverse_zone': None, 'setup_pkinit': True, 'http_pin':
None,
'quiet': False, 'http_pkcs12': None, 'pkinit_pkcs12': None, 'ca_file':
'/root/cacert.p12', 'no_reverse': False, 'dirsrv_pkcs12': None,
'password':
None, 'ip_address': CheckedIPAddress('10.34.47.129'), 'dirsrv_pin': None,
'pkinit_pin': None}
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: INFO: Preparing
replica for vm-129.idm.lab.eng.brq.redhat.com from
vm-127.idm.lab.eng.brq.redhat.com
ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing
ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket from
SchemaCache
ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for
SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-IDM-LAB-ENG-BRQ-REDHAT-COM.socket
conn=ldap.ldapobject.SimpleLDAPObject instance at 0x3700710
ipa: DEBUG: Starting external process
ipa: DEBUG: args=/usr/bin/PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p
/tmp/tmprgUrso -w /tmp/tmp6SBBXF -o /root/cacert.p12
ipa: DEBUG: Process finished, return code=0
ipa: DEBUG: stdout=
ipa: DEBUG: stderr=
ipa.ipaserver.plugins.ldap2.ldap2: DEBUG: Created connection
context.ldap2_139884970376144
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: File
/usr/lib/python2.7/site-packages/ipapython/admintool.py, line 171, in
execute
return_value = self.run()
File
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
line 245, in run
self.copy_ds_certificate()
File
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
line 281, in copy_ds_certificate
self.update_pki_admin_password()
File
/usr/lib/python2.7/site-packages/ipaserver/install/ipa_replica_prepare.py,
line 520, in update_pki_admin_password
ldap.modify_password(dn, self.dirman_password)
File /usr/lib/python2.7/site-packages/ipaserver/plugins/ldap2.py, line
332, in modify_password
self.conn.passwd_s(dn, old_pass, new_pass)
File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
self.gen.throw(type, value, traceback)
File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line 919,
in
error_handler
raise errors.DatabaseError(desc=desc, info=info)
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: DEBUG: The
ipa-replica-prepare command failed, exception: DatabaseError: Constraint
violation: Failed to update password
ipa.ipaserver.install.ipa_replica_prepare.ReplicaPrepare: ERROR:
Constraint
violation: Failed to update password
Tomas
It seems that this time the culprit is 389-ds-base packages. The password
change
is
Re: [Freeipa-devel] [PATCHES] 0230-0240 Integration testing framework
On 25.6.2013 14:08, Petr Viktorin wrote:
Adding two additional patches for better Beaker integration:
Patch 0241 allows e.g. adding ticket numbers for automatic test case
management
Patch 0242 should bring the BeakerLib logging closer to what traditional
Beaker tests output
make test seems to run fine with patches 230-242 applied, however
ipa-run-tests produces the following output:
==
ERROR: Test that `ipa help` only writes to stdout
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
self.test(*self.arg)
File
/usr/lib/python2.7/site-packages/ipatests/test_cmdline/test_help.py,
line 63, in test_ipa_help
return_value = api.Backend.cli.run(['help'])
File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 1067, in run
result = self.execute(name, **kw)
File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 146,
in execute
raise error #pylint: disable=E0702
InternalError: an internal error has occurred
begin captured logging
IPA: DEBUG: [ipa.ipalib.cli.help] raw: help(None, version=u'2.60')
IPA: DEBUG: [ipa.ipalib.cli.help] help(None, version=u'2.60')
IPA: ERROR: [ipa.ipalib.cli.cli] non-public: AttributeError: 'API'
object has no attribute 'parser'
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 129,
in execute
result = self.Command[_name](*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 435,
in __call__
ret = self.run(*args, **options)
File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 765, in run
self.api.parser.print_help(outfile)
AttributeError: 'API' object has no attribute 'parser'
IPA: DEBUG: [ipa.ipalib.rpc.xmlclient] Destroyed connection
context.xmlclient
- end captured logging -
==
ERROR: Failure: IOError ([Errno 2] No such file or directory:
'ipatests/test_xmlrpc/service.crt')
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/loader.py, line 413, in
loadTestsFromName
addr.filename, addr.module)
File /usr/lib/python2.7/site-packages/nose/importer.py, line 47, in
importFromPath
return self.importFromDir(dir_path, fqname)
File /usr/lib/python2.7/site-packages/nose/importer.py, line 94, in
importFromDir
mod = load_module(part_fqname, fh, filename, desc)
File
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/test_host_plugin.py,
line 59, in module
fd = open('ipatests/test_xmlrpc/service.crt', 'r')
IOError: [Errno 2] No such file or directory:
'ipatests/test_xmlrpc/service.crt'
==
ERROR: Failure: IOError ([Errno 2] No such file or directory:
'ipatests/test_xmlrpc/service.crt')
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/loader.py, line 413, in
loadTestsFromName
addr.filename, addr.module)
File /usr/lib/python2.7/site-packages/nose/importer.py, line 47, in
importFromPath
return self.importFromDir(dir_path, fqname)
File /usr/lib/python2.7/site-packages/nose/importer.py, line 94, in
importFromDir
mod = load_module(part_fqname, fh, filename, desc)
File
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/test_service_plugin.py,
line 42, in module
fd = open('ipatests/test_xmlrpc/service.crt', 'r')
IOError: [Errno 2] No such file or directory:
'ipatests/test_xmlrpc/service.crt'
==
FAIL: Test that `ipa` errors out, and prints the help to stderr
--
Traceback (most recent call last):
File /usr/lib/python2.7/site-packages/nose/case.py, line 197, in
runTest
self.test(*self.arg)
File
/usr/lib/python2.7/site-packages/ipatests/test_cmdline/test_help.py,
line 71, in test_ipa_without_arguments
api.Backend.cli.run([])
File
/usr/lib/python2.7/site-packages/ipatests/test_cmdline/test_help.py,
line 55, in __exit__
assert isinstance(exc_value, self.exception), exc_value
AssertionError: 'API' object has no attribute 'parser'
begin captured logging
IPA: DEBUG: [ipa.ipalib.cli.help] raw: help(None,
outfile=StringIO.StringIO instance at 0x486cb48)
IPA: DEBUG: [ipa.ipalib.cli.help] help(None, outfile=StringIO.StringIO
instance at 0x486cb48)
- end captured logging -
I guess the location of the test certificate should be made
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On (10/07/13 12:27), Petr Spacek wrote: On 10.7.2013 10:29, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacekpspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacekpspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html Thank you for catching this. Fixed patch is attached. -- Petr^2 Spacek ACK LS ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote: On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote: On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote: On Mon, 01 Jul 2013, Sumit Bose wrote: Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being. bye, Sumit From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 1 Jul 2013 13:47:22 +0200 Subject: [PATCH] Add PAC to master host TGTs For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host. s/SALS/SASL/ Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message. To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being. I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts. I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction. bye, Sumit I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least. Ok. I've extended this functionality to generate MS-PAC also for services running on IPA masters. Patch attached. This is needed to finally get rid of access to trust auth material for IPA python code. HTTP/fqdn@REALM will now be able to authenticate against AD LDAP server and look up needed information directly, without elevating privileges to trust admins. This should also help for AD range discovery Tomas is working on. Hi, The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though. I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0169-0170] Modernize autotools configuration
On 07/10/2013 12:27 PM, Petr Spacek wrote: On 10.7.2013 10:29, Lukas Slebodnik wrote: On (04/07/13 15:23), Petr Spacek wrote: Hello, several warnings from autotools popped up after upgrade to Fedora 19. Attached patches should make autotools configuration more modern. -- Petr^2 Spacek From 07caec808e394bfcbd898905e917731cb3778e68 Mon Sep 17 00:00:00 2001 From: Petr Spacekpspa...@redhat.com Date: Thu, 4 Jul 2013 14:04:57 +0200 Subject: [PATCH] Add missing ar check to configure.ac. Signed-off-by: Petr Spacekpspa...@redhat.com --- configure.ac | 1 + 1 file changed, 1 insertion(+) diff --git a/configure.ac b/configure.ac index 222e520e0aa61bca58cff81bea672fcab04355b3..b6d66de1b862a6860226a5f9ae4a3f33842e6100 100644 --- a/configure.ac +++ b/configure.ac @@ -10,6 +10,7 @@ AC_CONFIG_HEADERS([config.h]) AC_DISABLE_STATIC # Checks for programs. +AM_PROG_AR AC_PROG_CC AC_PROG_LIBTOOL -- 1.8.3.1 This solution is not very portable. Automake = 1.11 does not contain this macro. configure.ac:14: warning: macro `AM_PROG_AR' not found in library configure.ac:14: error: possibly undefined macro: AM_PROG_AR If this token and others are legitimate, please use m4_pattern_allow. See the Autoconf documentation. autoreconf: /usr/bin/autoconf failed with exit status: 1 Better solution will be: m4_ifdef([AM_PROG_AR], [AM_PROG_AR]) You can find more information about this in mail thread http://lists.gnu.org/archive/html/automake/2012-05/msg00014.html Thank you for catching this. Fixed patch is attached. ACK Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0171-0172] Fix potential problems found by Clang static analyzer
On 07/08/2013 10:51 AM, Petr Spacek wrote: Hello, several warnings from Clang static analyzer popped up after upgrade to Fedora 19. Attached patches should fix all problems found by clang-analyzer-3.3-0.6.rc3.fc19.x86_64. ACK Regards, Tomas Hozza ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH 0067] Add --use-posix option that forces trusted range type
On Monday 24 of June 2013 16:22:01 Petr Viktorin wrote:
On 06/20/2013 12:56 PM, Tomas Babej wrote:
On 06/17/2013 02:34 PM, Ana Krivokapic wrote:
On 06/06/2013 11:10 AM, Tomas Babej wrote:
Hi,
Adds --use-posix option to ipa trust-add command. It takes two
allowed values:
'yes' : the 'ipa-ad-trust-posix' range type is enforced
'no' : the 'ipa-ad-trust' range type is enforced
When --use-posix option is not specified, the range type should be
determined by ID range discovery.
https://fedorahosted.org/freeipa/ticket/3650
Tomas
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
The patch works nicely, but I have a few comments:
1) You added a new option to the API, but you forgot to bump the
IPA_API_VERSION_MINOR in the VERSION file.
2) Typo in commit message: shold instead of should.
3) This construct:
+if range_type is not None:
+if range_type != old_range_type:
can be replaced with a more readable variant which also avoids nested
ifs:
+if range_type and range_type != old_range_type:
All fixed.
4) Some unit tests to cover the behavior of the newly added option
would be nice.
This is not doable at the moment, we have no unit test framework to test
the trust-add command.
--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Tomas
I don't know much about AD trusts, but a command-line/API option that
takes a 'yes' or 'no' string raised a tiny warning flag for me.
It looks like it's possible that there can be other range types in the
future than posix and algorithmic? If that's the case, there should be a
--range-type option instead. (If not, I'd still go for --range-type but
that would just be bikeshedding.)
In any case I think an explicit 'auto' option would be nice.
But that's just an outsider's view, maybe --use-posix makes more sense.
I replaced --use-posix with more versatile --range-type. It supports only
trust-related values for now, and can be extended.
Rebased patch attached.
AFAIK, for CLI changes there should be a a design page; is this covered
anywhere?
Design page for the umbrella ticket is here:
http://www.freeipa.org/page/V3/Use_posix_attributes_defined_in_AD
--
PetrĀ³
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-develFrom 784021ef93694bb19e8a30c509dbbec8cb06cdf0 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 25 Jun 2013 14:25:44 +0200
Subject: [PATCH] Add --range-type option that forces range type of the trusted
domain
Adds --range-type option to ipa trust-add command. It takes two
allowed values: 'ipa-ad-trust-posix' and 'ipa-ad-trust'.
When --range-type option is not specified, the range type should be
determined by ID range discovery.
https://fedorahosted.org/freeipa/ticket/3650
---
API.txt | 3 ++-
VERSION | 2 +-
ipalib/plugins/idrange.py | 4 ++--
ipalib/plugins/trust.py | 40 ++--
4 files changed, 43 insertions(+), 6 deletions(-)
diff --git a/API.txt b/API.txt
index 067955ef77332374bf242655187ef9f912b0c2c0..44b3dd444964c8dac595177f8601c82d0235eabe 100644
--- a/API.txt
+++ b/API.txt
@@ -3278,12 +3278,13 @@ output: Entry('result', type 'dict', Gettext('A dictionary representing an LDA
output: Output('summary', (type 'unicode', type 'NoneType'), None)
output: Output('value', type 'unicode', None)
command: trust_add
-args: 1,12,3
+args: 1,13,3
arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, primary_key=True, required=True)
option: Str('addattr*', cli_name='addattr', exclude='webui')
option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
option: Int('base_id?', cli_name='base_id')
option: Int('range_size?', autofill=True, cli_name='range_size', default=20)
+option: StrEnum('range_type?', cli_name='range_type', values=(u'ipa-ad-trust-posix', u'ipa-ad-trust'))
option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
option: Str('realm_admin?', cli_name='admin')
option: Password('realm_passwd?', cli_name='password', confirm=False)
diff --git a/VERSION b/VERSION
index c713b18b7ce42db7fb290912ec6028342015f142..8606d724e6c8c785ba9d554ed3effa905573e25f 100644
--- a/VERSION
+++ b/VERSION
@@ -89,4 +89,4 @@ IPA_DATA_VERSION=2010061412
# #
IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=60
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 10 Jul 2013, Simo Sorce wrote:
On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote:
On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote:
On Tue, 09 Jul 2013, Jakub Hrozek wrote:
On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote:
On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote:
On Mon, 01 Jul 2013, Sumit Bose wrote:
Hi,
this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only
to allow SSSD running on a FreeIPA server to access the AD LDAP server.
In the ticket a more generic solution is described but since there is no
other use case so far I think this patch is sufficient for the time
being.
bye,
Sumit
From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Mon, 1 Jul 2013 13:47:22 +0200
Subject: [PATCH] Add PAC to master host TGTs
For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is
needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server
of a trusted domain with the credentials of a FreeIPA server host a
PAC must be added to the TGT for the host.
s/SALS/SASL/
Thank you for the review, I've fixed the typo and added the numerical
values for the well-known RIDs to the commit message.
To determine if a host is a FreeIPA server or not it is checked if there
is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately
this requires an additional LDAP lookup. But since TGS-REQs for hosts
should be rare I think it is acceptable for the time being.
I think it is better to change this lookup to
cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would
explicitly limit us to the IPA masters running AD trusts.
I'm not sure if this restriction is needed. With SSSD's ipa_server_mode
any IPA master (which networkwise can access an AD server of the trusted
domain) can read AD user and group data, no running smbd or winbind is
required. So it would be possible to run the extdom plugin or the compat
plugin for the legacy clients on any IPA server which would allow a much
better load balancing.
If there are other concerns I'm happy to add the restriction.
bye,
Sumit
I don't think I know the code good enough to provide a full review, but
the patch enables the lookups from an IPA master without any additional
hacks. So ack on functionality at least.
Ok.
I've extended this functionality to generate MS-PAC also for services
running on IPA masters. Patch attached.
This is needed to finally get rid of access to trust auth material for
IPA python code. HTTP/fqdn@REALM will now be able to authenticate
against AD LDAP server and look up needed information directly, without
elevating privileges to trust admins.
This should also help for AD range discovery Tomas is working on.
Hi,
The patch looks good to me so I'm giving my +1. I would appreciate other
review too before a full ack, though.
I've nacked the approach, although the results are as expected.
Alexander will send a simplified patch that avoids the extra search and
use of managedby which is not ok.
New patch attached.
--
/ Alexander Bokovoy
From e150e2abd67538db1b53d5b5dd096bd15e2ffe58 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Tue, 9 Jul 2013 14:05:02 +0300
Subject: [PATCH 15/15] Generate syntethic MS-PAC for all services running on
IPA master
MS-PAC is required to be present in TGT if one wants to connect to
AD services using this TGT. Users get MS-PAC by default, SSSD in
ipa_server_mode uses host/fqdn@REALM principal to talk to AD LDAP.
This patch enables other services running on IPA master to connect
to AD services. This is required for IPA python code doing discovery
of remote AD domain settings shortly after IPA-AD trust has been
established.
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 56 +++--
1 file changed, 49 insertions(+), 7 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 92dc8dd..4944bb8 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -392,13 +392,14 @@ static krb5_error_code ipadb_fill_info3(struct
ipadb_context *ipactx,
struct dom_sid sid;
gid_t prigid = -1;
time_t timeres;
-char *strres;
+char *strres, *strhost, *strat;
int intres;
int ret;
char **objectclasses = NULL;
size_t c;
bool is_host = false;
bool is_user = false;
+bool is_service = false;
ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, objectClass,
objectclasses);
@@ -407,6 +408,9 @@ static krb5_error_code ipadb_fill_info3(struct
ipadb_context *ipactx,
if (strcasecmp(objectclasses[c], ipaHost) == 0) {
is_host = true;
}
+if (strcasecmp(objectclasses[c], ipaService) == 0) {
+is_service = true;
+
Re: [Freeipa-devel] [PATCH] 140 Check trust chain length in CA-less install
Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/3707. Honza This patch seems to work ok but I've been unable to test it with an external CA installation because that seems to be broken (unrelated to this patch). I filed https://fedorahosted.org/freeipa/ticket/3773 rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Tue, 09 Jul 2013, Jakub Hrozek wrote:
On Tue, Jul 09, 2013 at 11:42:00AM +0200, Jakub Hrozek wrote:
On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote:
On Mon, 08 Jul 2013, Jakub Hrozek wrote:
On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote:
On Mon, 08 Jul 2013, Jakub Hrozek wrote:
On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote:
On Mon, 08 Jul 2013, Alexander Bokovoy wrote:
On Wed, 03 Jul 2013, Sumit Bose wrote:
Hi,
with this patch the extdom plugin, the LDAP extended operation that
allows IPA clients with recent SSSD to lookup AD users and groups, will
not use winbind for the lookup anymore but will use SSSD running in
ipa_server_mode.
Since now no plugin uses the winbind client libraries anymore, the
second patch removes the related configures checks.
I think for the time being we cannot remove winbind completely because
it might be needed for msbd to work properly in a trusted environment.
s/msbd/smbd/
ACK. I need to add 'ipa_server_mode = True' support to
the installer code and then these patches can go in.
Actually, the code still doesn't work due to some bug in sssd which
fails to respond properly to getsidbyname() request in libsss_nss_idmap.
Additionally I've found one missing treatment of domain_name for
INP_NAME requests.
We are working with Jakub on tracking down what's wrong on SSSD side.
Indeed, there was a casing issue in sysdb. You can continue testing with
lowercase user names in the meantime. A patch is already on the SSSD
list.
In addition, we need to disqualify user name when returning back a
packet from extdom operation as this is what SSSD expects.
Attached patch does it for all types of requests.
--
/ Alexander Bokovoy
From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 8 Jul 2013 19:19:56 +0300
Subject: [PATCH] Fix extdom plugin to provide unqualified name in response
as
sssd expects
extdom plugin handles external operation over which SSSD asks IPA server
about
trusted domain users not found through normal paths but detected to belong
to the trusted domains associated with IPA realm.
SSSD expects that user or group name in the response will be unqualified
because domain name for the user or group is also included in the response.
Strip domain name from the name if getgrnam_r/getpwnam_r calls returned
fully
qualified name which includes the domain name we are asked to handle.
The code already expects that fully-qualified names are following
user@domain
convention so we are simply tracking whether '@' symbol is present and is
followed
by the domain name.
---
.../ipa-extdom-extop/ipa_extdom_common.c | 26
++
1 file changed, 26 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 8aa22e1..290da4e 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx, struct
extdom_req *req,
grp_result);
}
}
+domain_name = strdup(req-data.name.domain_name);
I would prefer if this was a separate patch. But this is a correct
change.
Separated.
Ack to this patch.
break;
default:
ret = LDAP_PROTOCOL_ERROR;
@@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct
pwd_grp *pg_data,
const char *domain_name, struct extdom_res **_res)
{
int ret = EFAULT;
+char *locat = NULL;
struct extdom_res *res;
res = calloc(1, sizeof(struct extdom_res));
@@ -354,10 +356,20 @@ int create_response(struct extdom_req *req, struct
pwd_grp *pg_data,
switch(id_type) {
case SSS_ID_TYPE_UID:
case SSS_ID_TYPE_BOTH:
+if ((locat = strchr(pg_data-data.pwd.pw_name,
'@')) != NULL) {
+if (strstr(locat, domain_name) != NULL ) {
strstr doesn't work correctly in my case. In SSSD, the domain names are
case-insensitive, so you can use strcasestr here. In my case, the
condition is never hit as the domain case differs:
407 res-data.user.domain_name = strdup(domain_name);
(gdb)
408 if ((locat = strchr(pg_data-data.pwd.pw_name,
'@')) != NULL) {
(gdb) n
409 if (strstr(locat, domain_name) != NULL) {
(gdb)
414
strdup(pg_data-data.pwd.pw_name);
(gdb) p domain_name
$1 = 0x7f2e800f0690 AD.EXAMPLE.COM
(gdb) p locat
$2 = 0x7f2e8006500d @ad.example.com
Replaced by strcasestr.
Also, this is good enough for the beta
Re: [Freeipa-devel] [PATCHES] 0039-0040 systemd ipactl fixes
On 07/08/2013 08:32 AM, Alexander Bokovoy wrote:
On Thu, 20 Jun 2013, Ana Krivokapic wrote:
Hello,
Attached patches fix systemd and ipactl related bugs:
https://fedorahosted.org/freeipa/ticket/3730
https://fedorahosted.org/freeipa/ticket/3729
NACK. For me upgrade case fails (rpm -Uhv), dirsrv didn't restart on
upgrade properly and everything else has failed afterwards.
This was caused due to 'systemctl is-active' returning exit status 3
('activating'), and our code treating the non-zero exit status as a failure. I
handled this case in the updated patch.
As for the ipa.service and dependency ordering, I have done some further testing
and found out the adding the '--ignore-dependencies' switch alone solves the
shutdown issue. So I think that no modification of ipa.service file is
necessary.
Updated patches are attached.
--
Regards,
Ana Krivokapic
Associate Software Engineer
FreeIPA team
Red Hat Inc.
From c8d6d367f686d9477f66984e6b18de419cb28242 Mon Sep 17 00:00:00 2001
From: Ana Krivokapic akriv...@redhat.com
Date: Thu, 20 Jun 2013 11:53:29 +0200
Subject: [PATCH] Use correct DS instance in ipactl status
Make sure ipactl status check for correct DS instance. It should check for
'dirsrv@IPA-REALM' and not 'dirsrv.target'.
https://fedorahosted.org/freeipa/ticket/3730
---
ipapython/ipautil.py | 5 +++--
ipapython/platform/base/systemd.py | 39 +++---
2 files changed, 31 insertions(+), 13 deletions(-)
diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
index 3d174ed021bdad7fef52061ecbb2470ee02ebe19..f2ca9d6a907a4a5fddc8e79b8c07a9d52c1b370e 100644
--- a/ipapython/ipautil.py
+++ b/ipapython/ipautil.py
@@ -58,9 +58,10 @@ class CalledProcessError(Exception):
This exception is raised when a process run by check_call() returns
a non-zero exit status. The exit status will be stored in the
returncode attribute.
-def __init__(self, returncode, cmd):
+def __init__(self, returncode, cmd, output=None):
self.returncode = returncode
self.cmd = cmd
+self.output = output
def __str__(self):
return Command '%s' returned non-zero exit status %d % (self.cmd, self.returncode)
@@ -319,7 +320,7 @@ def run(args, stdin=None, raiseonerr=True,
root_logger.debug('stderr=%s' % stderr)
if p.returncode != 0 and raiseonerr:
-raise CalledProcessError(p.returncode, arg_string)
+raise CalledProcessError(p.returncode, arg_string, stdout)
return (stdout, stderr, p.returncode)
diff --git a/ipapython/platform/base/systemd.py b/ipapython/platform/base/systemd.py
index a9c1ec03261ae8694b1a308b2e86f342f27e9e62..9721ac1a92077048d8dd0248014ed7cb11bb61a8 100644
--- a/ipapython/platform/base/systemd.py
+++ b/ipapython/platform/base/systemd.py
@@ -18,8 +18,6 @@
#
import os
-import shutil
-import sys
from ipapython import ipautil
from ipapython.platform import base
@@ -36,12 +34,18 @@ def __init__(self, service_name, systemd_name):
self.lib_path = os.path.join(self.SYSTEMD_LIB_PATH, self.systemd_name)
self.lib_path_exists = None
-def service_instance(self, instance_name):
+def service_instance(self, instance_name, operation=None):
if self.lib_path_exists is None:
self.lib_path_exists = os.path.exists(self.lib_path)
elements = self.systemd_name.split(@)
+# Make sure the correct DS instance is returned
+if (elements[0] == 'dirsrv' and
+not instance_name and
+operation == 'is-active'):
+return 'dirsrv@%s.service' % str(api.env.realm.replace('.', '-'))
+
# Short-cut: if there is already exact service name, return it
if self.lib_path_exists and len(instance_name) == 0:
if len(elements) == 1:
@@ -118,14 +122,27 @@ def restart(self, instance_name=, capture_output=True, wait=True):
self.__wait_for_open_ports(self.service_instance(instance_name))
def is_running(self, instance_name=):
-ret = True
-try:
-(sout, serr, rcode) = ipautil.run([/bin/systemctl, is-active, self.service_instance(instance_name)],capture_output=True)
-if rcode != 0:
-ret = False
-except ipautil.CalledProcessError:
-ret = False
-return ret
+instance = self.service_instance(instance_name, 'is-active')
+
+while True:
+try:
+(sout, serr, rcode) = ipautil.run(
+[/bin/systemctl, is-active, instance],
+capture_output=True
+)
+except ipautil.CalledProcessError as e:
+if e.returncode == 3 and 'activating' in str(e.output):
+continue
+return False
+else:
+# activating
+if rcode == 3 and 'activating' in str(sout):
+
Re: [Freeipa-devel] [PATCH] 117 extdom: replace winbind calls with POSIX/SSSD calls
On Wed, 2013-07-10 at 19:15 +0300, Alexander Bokovoy wrote:
On Tue, 09 Jul 2013, Jakub Hrozek wrote:
On Tue, Jul 09, 2013 at 11:42:00AM +0200, Jakub Hrozek wrote:
On Tue, Jul 09, 2013 at 10:33:19AM +0300, Alexander Bokovoy wrote:
On Mon, 08 Jul 2013, Jakub Hrozek wrote:
On Mon, Jul 08, 2013 at 07:32:41PM +0300, Alexander Bokovoy wrote:
On Mon, 08 Jul 2013, Jakub Hrozek wrote:
On Mon, Jul 08, 2013 at 04:15:39PM +0300, Alexander Bokovoy wrote:
On Mon, 08 Jul 2013, Alexander Bokovoy wrote:
On Wed, 03 Jul 2013, Sumit Bose wrote:
Hi,
with this patch the extdom plugin, the LDAP extended operation that
allows IPA clients with recent SSSD to lookup AD users and groups,
will
not use winbind for the lookup anymore but will use SSSD running in
ipa_server_mode.
Since now no plugin uses the winbind client libraries anymore, the
second patch removes the related configures checks.
I think for the time being we cannot remove winbind completely
because
it might be needed for msbd to work properly in a trusted
environment.
s/msbd/smbd/
ACK. I need to add 'ipa_server_mode = True' support to
the installer code and then these patches can go in.
Actually, the code still doesn't work due to some bug in sssd which
fails to respond properly to getsidbyname() request in
libsss_nss_idmap.
Additionally I've found one missing treatment of domain_name for
INP_NAME requests.
We are working with Jakub on tracking down what's wrong on SSSD side.
Indeed, there was a casing issue in sysdb. You can continue testing
with
lowercase user names in the meantime. A patch is already on the SSSD
list.
In addition, we need to disqualify user name when returning back a
packet from extdom operation as this is what SSSD expects.
Attached patch does it for all types of requests.
--
/ Alexander Bokovoy
From 3659059c646f7b584ee07fb9e780759bcc0bb08e Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 8 Jul 2013 19:19:56 +0300
Subject: [PATCH] Fix extdom plugin to provide unqualified name in
response as
sssd expects
extdom plugin handles external operation over which SSSD asks IPA
server about
trusted domain users not found through normal paths but detected to
belong
to the trusted domains associated with IPA realm.
SSSD expects that user or group name in the response will be
unqualified
because domain name for the user or group is also included in the
response.
Strip domain name from the name if getgrnam_r/getpwnam_r calls
returned fully
qualified name which includes the domain name we are asked to handle.
The code already expects that fully-qualified names are following
user@domain
convention so we are simply tracking whether '@' symbol is present and
is followed
by the domain name.
---
.../ipa-extdom-extop/ipa_extdom_common.c | 26
++
1 file changed, 26 insertions(+)
diff --git
a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 8aa22e1..290da4e 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -295,6 +295,7 @@ int handle_request(struct ipa_extdom_ctx *ctx,
struct extdom_req *req,
grp_result);
}
}
+domain_name = strdup(req-data.name.domain_name);
I would prefer if this was a separate patch. But this is a correct
change.
Separated.
Ack to this patch.
break;
default:
ret = LDAP_PROTOCOL_ERROR;
@@ -338,6 +339,7 @@ int create_response(struct extdom_req *req, struct
pwd_grp *pg_data,
const char *domain_name, struct extdom_res **_res)
{
int ret = EFAULT;
+char *locat = NULL;
struct extdom_res *res;
res = calloc(1, sizeof(struct extdom_res));
@@ -354,10 +356,20 @@ int create_response(struct extdom_req *req,
struct pwd_grp *pg_data,
switch(id_type) {
case SSS_ID_TYPE_UID:
case SSS_ID_TYPE_BOTH:
+if ((locat =
strchr(pg_data-data.pwd.pw_name, '@')) != NULL) {
+if (strstr(locat, domain_name) != NULL ) {
strstr doesn't work correctly in my case. In SSSD, the domain names are
case-insensitive, so you can use strcasestr here. In my case, the
condition is never hit as the domain case differs:
407 res-data.user.domain_name =
strdup(domain_name);
(gdb)
408 if ((locat =
strchr(pg_data-data.pwd.pw_name, '@')) != NULL) {
(gdb) n
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 10 Jul 2013, Alexander Bokovoy wrote: On Wed, 10 Jul 2013, Simo Sorce wrote: On Tue, 2013-07-09 at 22:39 +0200, Jakub Hrozek wrote: On Tue, Jul 09, 2013 at 02:12:33PM +0300, Alexander Bokovoy wrote: On Tue, 09 Jul 2013, Jakub Hrozek wrote: On Wed, Jul 03, 2013 at 02:53:55PM +0200, Sumit Bose wrote: On Wed, Jul 03, 2013 at 01:00:43PM +0300, Alexander Bokovoy wrote: On Mon, 01 Jul 2013, Sumit Bose wrote: Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/3651 but only to allow SSSD running on a FreeIPA server to access the AD LDAP server. In the ticket a more generic solution is described but since there is no other use case so far I think this patch is sufficient for the time being. bye, Sumit From a707d8f9d771dfe4fb8487e051519dba0ef72449 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 1 Jul 2013 13:47:22 +0200 Subject: [PATCH] Add PAC to master host TGTs For a proper SALS bind with GSSAPI against an AD LDAP server a PAC is needed. To allow SSSD in ipa_server_mode to access the LDAP or GC server of a trusted domain with the credentials of a FreeIPA server host a PAC must be added to the TGT for the host. s/SALS/SASL/ Thank you for the review, I've fixed the typo and added the numerical values for the well-known RIDs to the commit message. To determine if a host is a FreeIPA server or not it is checked if there is an entry for the host in cn=master,cn=ipa,cn=etc,$base. Unfortunately this requires an additional LDAP lookup. But since TGS-REQs for hosts should be rare I think it is acceptable for the time being. I think it is better to change this lookup to cn=ADTRUST,cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX, it would explicitly limit us to the IPA masters running AD trusts. I'm not sure if this restriction is needed. With SSSD's ipa_server_mode any IPA master (which networkwise can access an AD server of the trusted domain) can read AD user and group data, no running smbd or winbind is required. So it would be possible to run the extdom plugin or the compat plugin for the legacy clients on any IPA server which would allow a much better load balancing. If there are other concerns I'm happy to add the restriction. bye, Sumit I don't think I know the code good enough to provide a full review, but the patch enables the lookups from an IPA master without any additional hacks. So ack on functionality at least. Ok. I've extended this functionality to generate MS-PAC also for services running on IPA masters. Patch attached. This is needed to finally get rid of access to trust auth material for IPA python code. HTTP/fqdn@REALM will now be able to authenticate against AD LDAP server and look up needed information directly, without elevating privileges to trust admins. This should also help for AD range discovery Tomas is working on. Hi, The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though. I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok. New patch attached. After discussion with Simo on IRC, I decided to use krb5_parse_name() to properly parse krbPrincipalName attribute for the service and veto it against pre-defined set of services we support generating MS-PAC for on the IPA master. The list currently includes only cifs/ipa.master@REALM and HTTP/ipa.master@REALM as host/ipa.master@REALM is handled by the is_host case. I verified it by initializing ccache with /etc/httpd/conf/ipa.keytab and accessing AD over LDAP, it worked well (same result for host/): - # kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipa.example@example.com # ldapsearch -Y GSSAPI -h altai.ad.lan -b dc=ad,dc=lan '(cn=IPAX$)' SASL/GSSAPI authentication started SASL username: HTTP/ipa.example@example.com SASL SSF: 56 SASL data security layer installed. # extended LDIF # # LDAPv3 # base dc=ad,dc=lan with scope subtree # filter: (cn=IPAX$) # requesting: ALL # # IPAX$, Users, ad.lan dn: CN=IPAX$,CN=Users,DC=ad,DC=lan objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user cn: IPAX$ distinguishedName: CN=IPAX$,CN=Users,DC=ad,DC=lan instanceType: 4 whenCreated: 20130708091622.0Z whenChanged: 20130710123914.0Z uSNCreated: 98603 uSNChanged: 102524 name: IPAX$ objectGUID:: FxL42tGLnEOfKkuMw6sVVw== userAccountControl: 2080 badPwdCount: 0 codePage: 0 countryCode: 0 badPasswordTime: 0 lastLogoff: 0 lastLogon: 130179335549552172 pwdLastSet: 130177485824178582 primaryGroupID: 513 objectSid:: AQUAAAUVzl3L0KYmgQdG8ZPbeQQAAA== accountExpires: 9223372036854775807 logonCount: 1 sAMAccountName: IPAX$ sAMAccountType: 805306370 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=lan isCriticalSystemObject: TRUE
Re: [Freeipa-devel] [PATCH] 116 Add PAC to master host TGTs
On Wed, 2013-07-10 at 19:55 +0300, Alexander Bokovoy wrote: The patch looks good to me so I'm giving my +1. I would appreciate other review too before a full ack, though. I've nacked the approach, although the results are as expected. Alexander will send a simplified patch that avoids the extra search and use of managedby which is not ok. New patch attached. After discussion with Simo on IRC, I decided to use krb5_parse_name() to properly parse krbPrincipalName attribute for the service and veto it against pre-defined set of services we support generating MS-PAC for on the IPA master. The list currently includes only cifs/ipa.master@REALM and HTTP/ipa.master@REALM as host/ipa.master@REALM is handled by the is_host case. LGTM. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Fix for small syntax error in OTP schema
https://fedorahosted.org/freeipa/ticket/3765 Due to the potentially bad ramifications of a schema syntax error, I tested this in both single server and replica configurations. The worst case in both is a truncated attribute description. The above patch fixes the problem in both cases with a simple ipa-ldap-updater. Nathaniel From 3cc534671a63970d9ed21c44193347ae41bc192b Mon Sep 17 00:00:00 2001 From: Nathaniel McCallum npmccal...@redhat.com Date: Wed, 10 Jul 2013 14:47:21 -0400 Subject: [PATCH] Fix for small syntax error in OTP schema https://fedorahosted.org/freeipa/ticket/3765 --- install/share/70ipaotp.ldif| 2 +- install/updates/10-70ipaotp.update | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/share/70ipaotp.ldif b/install/share/70ipaotp.ldif index 3cfe8723749706f26a44ed99047c23d937e37583..d9ae251905d14648f61c6ee61834cd92608b97f8 100644 --- a/install/share/70ipaotp.ldif +++ b/install/share/70ipaotp.ldif @@ -18,7 +18,7 @@ attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'User e attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP') -attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP') +attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') diff --git a/install/updates/10-70ipaotp.update b/install/updates/10-70ipaotp.update index 600ef9cf56e12edc7263da49584d33b516ba8b38..ad9e45ba5bd354fdcf9146be63ca5aeba67c0a4e 100644 --- a/install/updates/10-70ipaotp.update +++ b/install/updates/10-70ipaotp.update @@ -15,7 +15,7 @@ add:attributeTypes: (2.16.840.1.113730.3.8.16.1.13 NAME 'ipatokenOwner' DESC 'Us add:attributeTypes: (2.16.840.1.113730.3.8.16.1.14 NAME 'ipatokenRadiusUserName' DESC 'Corresponding Radius username' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.15 NAME 'ipatokenRadiusConfigLink' DESC 'Corresponding Radius Configuration link' SUP distinguishedName SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.16 NAME 'ipatokenRadiusServer' DESC 'Server String Configuration' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 X-ORIGIN 'IPA OTP') -add:attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server's Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP') +add:attributeTypes: (2.16.840.1.113730.3.8.16.1.17 NAME 'ipatokenRadiusSecret' DESC 'Server Secret' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.18 NAME 'ipatokenRadiusTimeout' DESC 'Server Timeout' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.19 NAME 'ipatokenRadiusRetries' DESC 'Number of allowed Retries' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN 'IPA OTP') add:attributeTypes: (2.16.840.1.113730.3.8.16.1.20 NAME 'ipatokenUserMapAttribute' DESC 'Attribute to map from the user entry for RADIUS server authentication' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'IPA OTP') -- 1.8.3.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] Remove unused variable
Hi,
I was doing quite a few builds of freeipa for testing and patch reviews
lately and found a couple of unused variables. The attached patch
removed the variables.
From f3408502fe3e4392dff4085b58670241cd1956ae Mon Sep 17 00:00:00 2001
From: Jakub Hrozek jhro...@redhat.com
Date: Tue, 9 Jul 2013 21:55:04 +0200
Subject: [PATCH] Remove unused variable
---
daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c| 4
daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c | 1 -
2 files changed, 5 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
index
fcd4d30a3d813204cc36c499fd9c0fa64156974f..0b3b84108476b0c6fc153b49cd0f65f9279035f2
100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
@@ -232,7 +232,6 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry,
Slapi_Entry **policy_entry,
char **errstr)
{
int ldrc = 0;
-int flags = 0;
int type_name_disposition = 0;
Slapi_DN *pdn = NULL;
@@ -415,7 +414,6 @@ static int ipalockout_postop(Slapi_PBlock *pb)
char *lastfail = NULL;
int tries = 0;
int failure = 1;
-int type_name_disposition = 0;
char *actual_type_name = NULL;
int attr_free_flags = 0;
Slapi_ValueSet *values = NULL;
@@ -665,7 +663,6 @@ static int ipalockout_preop(Slapi_PBlock *pb)
Slapi_Entry *target_entry = NULL;
Slapi_Entry *policy_entry = NULL;
Slapi_DN *sdn = NULL;
-Slapi_DN *pdn = NULL;
Slapi_Value *objectclass = NULL;
char *errstr = NULL;
int ldrc = 0;
@@ -678,7 +675,6 @@ static int ipalockout_preop(Slapi_PBlock *pb)
time_t last_failed = 0;
char *lastfail = NULL;
char *unlock_time = NULL;
-int type_name_disposition = 0;
char *actual_type_name = NULL;
int attr_free_flags = 0;
Slapi_ValueSet *values = NULL;
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
index
ae7adecb6e04b5a736fa04b458d51a6fa3860d05..65ceaea685a276db91aab356dab617e260095873
100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/ipa-winsync-config.c
@@ -853,7 +853,6 @@ ipa_winsync_config_refresh_domain(
int loopdone = 0;
int search_scope = LDAP_SCOPE_SUBTREE;
int ret = LDAP_SUCCESS;
-Slapi_Value *sv = NULL;
int acct_disable;
char *inactivated_filter = NULL;
char *activated_filter = NULL;
--
1.8.3.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
