Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-22 Thread Jan Cholasta

On 22.9.2015 17:23, Simo Sorce wrote:

On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:

4) pylint fails with:

daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class),
IPAKEMKeys.__init__] Use of super on an old style class)
daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member),
IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no
'config' member)
daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member),
IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config'
member)


I do not know why pylint gives you these errors.
The top level class for IPAKEMKeys is ultimately the custodia class
called HTTPAuthorizer, which is defined as a new-style class (derives
from object); that class also unconditionally inits config.
Maybe you ran pylint w/o custodia installed ?


Yes, that was it. Sorry.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-22 Thread Simo Sorce
On Tue, 2015-09-22 at 16:35 +0200, Jan Cholasta wrote:
> On 22.9.2015 15:11, Martin Babinsky wrote:
> > On 09/22/2015 01:33 PM, Jan Cholasta wrote:
> >> Hi,
> >>
> >> the attached patch fixes .
> >>
> >> Honza
> >>
> >>
> >>
> > ACK
> >
> 
> Thanks.
> 
> Pushed to:
> master: 0de860318332114ca739a8dd45902f7cc9a3c722
> ipa-4-2: 4663625bbb3456db7f13578e6cac0c3e5fae2591

This patch is somehow broken.

I see that %{kdcproxy_home} has been removed from the spec file but not
from everywhere, and it is simply undefined.

On upgrade of my server I have no kdcproxy user and http fails to
operate complaining that /var/lib/kdcproxy does not exist.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-22 Thread Simo Sorce
On Tue, 2015-09-22 at 20:09 -0400, Simo Sorce wrote:
> On Tue, 2015-09-22 at 16:35 +0200, Jan Cholasta wrote:
> > On 22.9.2015 15:11, Martin Babinsky wrote:
> > > On 09/22/2015 01:33 PM, Jan Cholasta wrote:
> > >> Hi,
> > >>
> > >> the attached patch fixes .
> > >>
> > >> Honza
> > >>
> > >>
> > >>
> > > ACK
> > >
> > 
> > Thanks.
> > 
> > Pushed to:
> > master: 0de860318332114ca739a8dd45902f7cc9a3c722
> > ipa-4-2: 4663625bbb3456db7f13578e6cac0c3e5fae2591
> 
> This patch is somehow broken.
> 
> I see that %{kdcproxy_home} has been removed from the spec file but not
> from everywhere, and it is simply undefined.
> 
> On upgrade of my server I have no kdcproxy user and http fails to
> operate complaining that /var/lib/kdcproxy does not exist.

Correction, the HTTP server works, but it spits lots of errors in
error_log about /var/lib/kdcproxy not existing.

Is the KDCProxy supposed to be installed/enabled on upgrade ?
If not, why not ?
Even if it is not enabled, shouldn't the user be created just in case ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHES 466-468] install: Add common base class for server and replica install

2015-09-22 Thread Martin Babinsky

On 09/16/2015 10:44 AM, Jan Cholasta wrote:

On 16.9.2015 08:11, Jan Cholasta wrote:

On 15.9.2015 07:22, Jan Cholasta wrote:

On 10.8.2015 16:58, Martin Babinsky wrote:

On 08/06/2015 08:22 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes part of
.

See also Martin Babinsky's patch 51:
.





Honza



Sorry but NACK, see below:

1.) it seems that passing kwargs to Server components doesn't work as
expected. See these logs (install on fresh F22 VM):

http://fpaste.org/253416/21363814/
http://fpaste.org/253419/43921374/


Fixed.



2.) the following code blows up in BaseServers' __init__:
(http://fpaste.org/253400/21225314/)

    392         if not self.dns.setup_dns:
    393             if self.dns.forwarders:
    394                 raise RuntimeError(
    395                     "You cannot specify a --forwarder option without the "
    396                     "--setup-dns option")


I think that the check should be:

    392         if not self.setup_dns:
    393             if self.dns.forwarders:


Fixed.



IMHO BaseServerDNS class shouldn't have setup_dns knob, that should be
set in the parent class (BaseServer)


Fixed.



3.) Is there any reason why BaseServer doesn't have 'master_password',
'idmax' and 'idstart' knobs? I know that these are then brought in by
the derived Server class, but the check for them is in parent's
__init__() method and it is IMHO a bit confusing


The check should be in Server, fixed.



4.) please add license header to the beginning of
'ipaserver/install/server/common.py' file


Added.

Updated patches attached.


Self-NACK, I broke ipa-server-install --uninstall.


Fixed.



ACK to all three patches.

--
Martin^3 Babinsky



[Freeipa-devel] [PATCH] Proper fix for ticket 5306

2015-09-22 Thread Oleg Fayans


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 6650cc39b9704191d3099cf1780c477b2c0ef9af Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 22 Sep 2015 10:38:08 +0200
Subject: [PATCH] Added a proper workaround for dnssec test failures in Beaker
 environment

In beaker lab the situation when master and replica have ip addresses from
different subnets is quite frequent. When a replica has ip from different
subnet than master's, ipa-replica-prepare looks up a proper reverse zone to
add a pointer record, and if it does not find it, it asks a user for permission
to create it automatically. It breaks the tests adding the unexpected input.
The workaround is to always create a reverse zone for a new replica.

Corresponding ticket is https://fedorahosted.org/freeipa/ticket/5306
---
 ipatests/test_integration/tasks.py | 14 +++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index 06049d4ae01332e0af4d8775b745342406fc868d..c17e5e3fbacb85281eb63d7616531d7b2810a4ec 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -58,6 +58,14 @@ def check_arguments_are(slice, instanceof):
 return wrapped
 return wrapper
 
+def prepare_reverse_zone(host, ip):
+nums = ip.split('.')[:-1]
+zone = ".".join(reversed(nums)) + ".in-addr.arpa."
+host.run_command(["ipa",
+  "dnszone-add",
+  zone,
+  "--name-from-ip=%s" % ip], raiseonerr=False)
+
 
 def prepare_host(host):
 if isinstance(host, Host):
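Review bot: raiseonerr=False on the `ipa dnszone-add` call in prepare_reverse_zone swallows every failure, not only the "zone already exists" case the workaround needs to tolerate, so a master that does not serve DNS or a rejected command becomes a silent no-op and the interactive ipa-replica-prepare prompt described in the commit message can still appear. Capture the result of host.run_command(..., raiseonerr=False) and ignore only a duplicate-zone error, failing on any other non-zero return code. The zone name is also built by dropping the last dotted component of the address, which hard-codes an IPv4 /24 and produces a wrong name for any other prefix length or for IPv6; since the same command already passes `--name-from-ip=%s`, decide which of the two is authoritative and drop the other rather than computing a name that may disagree with it.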
@@ -240,17 +248,17 @@ def install_replica(master, replica, setup_ca=True, setup_dns=False):
 
 apply_common_fixes(replica)
 fix_apache_semaphores(replica)
-
+prepare_reverse_zone(master, replica.ip)
 master.run_command(['ipa-replica-prepare',
 '-p', replica.config.dirman_password,
-'--ip-address', replica.ip, '--no-reverse',
+'--ip-address', replica.ip,
 replica.hostname])
 replica_bundle = master.get_file_contents(
 paths.REPLICA_INFO_GPG_TEMPLATE % replica.hostname)
 replica_filename = os.path.join(replica.config.test_dir,
 'replica-info.gpg')
 replica.put_file_contents(replica_filename, replica_bundle)
-args = ['ipa-replica-install', '-U', '--no-host-dns',
+args = ['ipa-replica-install', '-U',
 '-p', replica.config.dirman_password,
 '-w', replica.config.admin_password,
 '--ip-address', replica.ip,
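Review bot: removing '--no-host-dns' from the ipa-replica-install arguments changes how every integration replica install resolves its own hostname and is unrelated to the reverse-zone workaround the commit message describes; keep that change in a separate patch with its own justification, or leave the flag in. The new prepare_reverse_zone(master, replica.ip) call is also unconditional, while install_replica defaults to setup_dns=False and nothing here checks that the master actually runs IPA DNS, so on a DNS-less topology the dnszone-add fails (and, with raiseonerr=False, fails silently); guard the call on the master serving DNS.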
-- 
2.4.3


[Freeipa-devel] [PATCH] improved logging in dnssec tests

2015-09-22 Thread Oleg Fayans

Hi all,

I've noticed that in some tests some low-level functions can return 
False in a number of different conditions, which severely complicates 
test debugging.
This patch implements the approach widely used in the Go language (and 
maybe, some other): The function returns not only a boolean, but a 
boolean plus any error message caught during the execution. This error 
message may be used by the higher level code for logging. For example, 
compare these outputs:
1. AssertionError: Zone example.test. is not signed (master): request 
timed out

2. AssertionError: Zone example.test. is not signed (master)

What do you think?

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 4b896eaf6be490d43b1a02ff76515d19be65f68d Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Tue, 22 Sep 2015 11:01:33 +0200
Subject: [PATCH] Added error propagation for improved debugging in dnssec tests

In a lot of tests low-level functions are designed in a way that they return False
in a number of different conditions. It complicates the debugging a lot. This
patch offers an approach to return not only the boolean, but the text of an
error caught during the function execution, so that higher-level code could use
this text in logging.
---
 ipatests/test_integration/test_dnssec.py | 257 +++
 1 file changed, 159 insertions(+), 98 deletions(-)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 098b227f6543fa221ed6c75d1e98e9f056761977..9f9b30e1b0ab2a04012df166a86e5d5123dc 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -39,15 +39,17 @@ def get_RRSIG_record(nameserver, query, log, rtype="SOA"):
 dns.rdataclass.IN, dns.rdatatype.RRSIG,
 dns.rdatatype.from_text(rtype))
 
-
 def is_record_signed(nameserver, query, log, rtype="SOA"):
 try:
-get_RRSIG_record(nameserver, query, log, rtype=rtype)
-except KeyError:
-return False
-except dns.exception.DNSException:
-return False
-return True
+ans = resolve_with_dnssec(nameserver, query, log, rtype=rtype)
+ans.response.find_rrset(ans.response.answer, dns.name.from_text(query),
+dns.rdataclass.IN, dns.rdatatype.RRSIG,
+dns.rdatatype.from_text(rtype))
+except KeyError as e:
+return False, e.message
+except dns.exception.DNSException as e:
+return False, e.message
+return True, ""
 
 
 def wait_until_record_is_signed(nameserver, record, log, rtype="SOA",
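Review bot: `e.message` in the two new except clauses is Python 2 only (BaseException has no `message` attribute on Python 3, which the list is currently porting to), so use `str(e)` there. The new try body also re-implements the find_rrset call that get_RRSIG_record, visible just above the hunk, already performs; calling get_RRSIG_record(nameserver, query, log, rtype=rtype) inside the try keeps a single definition of that lookup. Finally, the deleted blank line leaves only one blank line between the two module-level functions (PEP8 E302), which this list's pep8 checks flag.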
@@ -65,10 +67,11 @@ def wait_until_record_is_signed(nameserver, record, log, rtype="SOA",
  "sec)", rtype, record, nameserver, timeout)
 wait_until = time.time() + timeout
 while time.time() < wait_until:
-if is_record_signed(nameserver, record, log, rtype=rtype):
-return True
+result, error = is_record_signed(nameserver, record, log, rtype=rtype)
+if result:
+return result, error
 time.sleep(1)
-return False
+return False, "request timed out"
 
 
 class TestInstallDNSSECLast(IntegrationTest):
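Review bot: wait_until_record_is_signed now returns a (bool, message) tuple, and a tuple such as (False, "request timed out") is truthy, so any caller not updated in this patch that still writes `if wait_until_record_is_signed(...)` or `assert wait_until_record_is_signed(...)` will pass when the zone is not signed. Check that every caller of both is_record_signed and wait_until_record_is_signed unpacks the result, and consider returning a small named result or raising an exception with the message instead of a bare tuple, so that a stale caller fails loudly rather than silently passing.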
@@ -106,14 +109,19 @@ class TestInstallDNSSECLast(IntegrationTest):
 self.master.run_command(args)
 
 # test master
-assert wait_until_record_is_signed(
-self.master.ip, test_zone, self.log, timeout=100
-), "Zone %s is not signed (master)" % test_zone
+result1, error1 = wait_until_record_is_signed(self.master.ip,
+  test_zone,
+  self.log,
+  timeout=100)
+assert(result1 is True), "Zone %s is not signed (master): %s" % (test_zone,
+ error1)
 
 # test replica
-assert wait_until_record_is_signed(
+result2, error2 = wait_until_record_is_signed(
 self.replicas[0].ip, test_zone, self.log, timeout=200
-), "DNS zone %s is not signed (replica)" % test_zone
+)
+assert(result2 is True), "DNS zone %s is not signed (replica): %s" % (test_zone,
+  error2)
 
 def test_if_zone_is_signed_replica(self):
 # add zone with enabled DNSSEC signing on replica
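Review bot: `assert(result1 is True), "..."` parses as intended (the parentheses wrap only the condition), but the form invites the `assert (cond, msg)` tuple mistake on the next edit; write `assert result1 is True, "Zone %s is not signed (master): %s" % (test_zone, error1)` as the surrounding tests do. Since the helper is now documented to return a bool, `assert result1, ...` is enough and does not break if it ever returns another truthy value.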
@@ -125,16 +133,21 @@ class TestInstallDNSSECLast(IntegrationTest):
 self.replicas[0].run_command(args)
 
 # test replica
-assert wait_until_record_is_signed(
-self.replicas[0].ip, test_zone_repl, self.log, timeout=300
-), "Zone %s is not signed (replica)" % test_zone_repl
+result1, error1 = wait_until_record_is_signed(self.replicas[0].ip,
+  test_zone_repl,
+  

Re: [Freeipa-devel] [PATCH 0055] dnssec options missing in ipa-dns-install man page

2015-09-22 Thread Gabe Alford
Thanks! Added and attached updated patch.

Gabe

On Tue, Sep 22, 2015 at 1:17 AM, Martin Basti  wrote:

>
>
> On 09/21/2015 05:37 PM, Gabe Alford wrote:
>
> Hello,
>
> Fix for https://fedorahosted.org/freeipa/ticket/5300
>
> Thanks,
>
> Gabe
>
>
> Thank you!
>
> The option --no-dnssec-validation is used also in ipa-server-install and
> ipa-replica-install, so this option should be documented in multiple
> manpages.
>
> Martin
>
From 6db931c2d12060a5938d5e160f83df8c08cf6889 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Tue, 22 Sep 2015 07:28:22 -0600
Subject: [PATCH] dnssec options missing in man pages

- Add DNSSEC options to ipa-dns-install and ipa-replica-install man pages

https://fedorahosted.org/freeipa/ticket/5300
---
 ...tions-missing-in-ipa-dns-install-man-page.patch | 36 ++
 install/tools/man/ipa-dns-install.1| 12 
 install/tools/man/ipa-replica-install.1|  3 ++
 3 files changed, 51 insertions(+)
 create mode 100644 install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch

diff --git a/install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch b/install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch
new file mode 100644
index ..d0f3d610dd1f8ef6bb1d1b6385f648cb79cd931b
--- /dev/null
+++ b/install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch
@@ -0,0 +1,36 @@
+From e13330dfdff13101aa625e1651289304bd4d73bf Mon Sep 17 00:00:00 2001
+From: Gabe 
+Date: Mon, 21 Sep 2015 09:30:31 -0600
+Subject: [PATCH] dnssec options missing in ipa-dns-install man page
+
+https://fedorahosted.org/freeipa/ticket/5300
+---
+ install/tools/man/ipa-dns-install.1 | 12 
+ 1 file changed, 12 insertions(+)
+
+diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
+index 23427b1b15ddf21ff1aba5617adab395d2f25112..229aaedfa09cbe3c4590eca5b66e325769a7f642 100644
+--- a/install/tools/man/ipa-dns-install.1
 b/install/tools/man/ipa-dns-install.1
+@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m
+ \fB\-\-no\-reverse\fR
+ Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
+ .TP
++\fB\-\-no\-dnssec\-validation\fR
++Disable DNSSEC validation on this server.
++.TP
++\fB\-\-dnssec\-master\fR
++Setup server to be DNSSEC key master.
++.TP
++\fB\-\-disable\-dnssec\-master\fR
++Disable the DNSSEC master on this server.
++.TP
++\fB\-\-kasp\-db\fR=\fIKASP_DB\fR
++Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file. 
++.TP
+ \fB\-\-zonemgr\fR
+ The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
+ .TP
+-- 
+1.8.3.1
+
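Review bot: this hunk commits the previous revision of this very patch as install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch, where it would sit next to the man pages and get packaged with them; remove the file from the commit (for example `git rm --cached install/tools/man/freeipa-rga-0055-dnssec-options-missing-in-ipa-dns-install-man-page.patch`, then amend) and resend with only the two man page changes.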
diff --git a/install/tools/man/ipa-dns-install.1 b/install/tools/man/ipa-dns-install.1
index 23427b1b15ddf21ff1aba5617adab395d2f25112..66afe7fae5e82f48c7dc4d7c763f0483a41ecda1 100644
--- a/install/tools/man/ipa-dns-install.1
+++ b/install/tools/man/ipa-dns-install.1
@@ -44,6 +44,18 @@ The reverse DNS zone to use. This option can be used multiple times to specify m
 \fB\-\-no\-reverse\fR
 Do not create new reverse DNS zone. If used on a replica and a reverse DNS zone already exists for the subnet, it will be used.
 .TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
+.TP
+\fB\-\-dnssec\-master\fR
+Setup server to be DNSSEC key master.
+.TP
+\fB\-\-disable\-dnssec\-master\fR
+Disable the DNSSEC master on this server.
+.TP
+\fB\-\-kasp\-db\fR=\fIKASP_DB\fR
+Copy OpenDNSSEC metadata from the specified kasp.db file. This will not create a new kasp.db file.
+.TP
 \fB\-\-zonemgr\fR
 The e\-mail address of the DNS zone manager. Defaults to hostmaster@DOMAIN
 .TP
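Review bot: "Setup server to be DNSSEC key master." reads as a noun phrase and does not match the "on this server" wording of the neighbouring entries; "Set up this server as the DNSSEC key master." keeps the style consistent. The other three new entries read fine.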
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 780febf9d597d7d36b6104c0fc1be8f3d1f8fdee..ff4d7d1c09a875bff6a49070fbba3d13fb63 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -109,6 +109,9 @@ Do not use DNS for hostname lookup during installation
 .TP
 \fB\-\-no\-dns\-sshfp\fR
 Do not automatically create DNS SSHFP records.
+.TP
+\fB\-\-no\-dnssec\-validation\fR
+Disable DNSSEC validation on this server.
 
 .SH "EXIT STATUS"
 0 if the command was successful
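Review bot: Martin's review on this thread notes that --no-dnssec-validation is also accepted by ipa-server-install, but this patch only touches ipa-dns-install.1 and ipa-replica-install.1; add the same .TP entry to the ipa-server-install man page (presumably install/tools/man/ipa-server-install.1, alongside the other two) so all three pages document the option.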
-- 
1.8.3.1


Re: [Freeipa-devel] [PATCHES 466-468] install: Add common base class for server and replica install

2015-09-22 Thread Jan Cholasta

On 22.9.2015 10:29, Martin Babinsky wrote:

On 09/16/2015 10:44 AM, Jan Cholasta wrote:

On 16.9.2015 08:11, Jan Cholasta wrote:

On 15.9.2015 07:22, Jan Cholasta wrote:

On 10.8.2015 16:58, Martin Babinsky wrote:

On 08/06/2015 08:22 AM, Jan Cholasta wrote:

Hi,

the attached patch fixes part of
.

See also Martin Babinsky's patch 51:
.






Honza



Sorry but NACK, see below:

1.) it seems that passing kwargs to Server components doesn't work as
expected. See these logs (install on fresh F22 VM):

http://fpaste.org/253416/21363814/
http://fpaste.org/253419/43921374/


Fixed.



2.) the following code blows up in BaseServers' __init__:
(http://fpaste.org/253400/21225314/)

    392         if not self.dns.setup_dns:
    393             if self.dns.forwarders:
    394                 raise RuntimeError(
    395                     "You cannot specify a --forwarder option without the "
    396                     "--setup-dns option")


I think that the check should be:

    392         if not self.setup_dns:
    393             if self.dns.forwarders:


Fixed.



IMHO BaseServerDNS class shouldn't have setup_dns knob, that should be
set in the parent class (BaseServer)


Fixed.



3.) Is there any reason why BaseServer doesn't have 'master_password',
'idmax' and 'idstart' knobs? I know that these are then brought in by
the derived Server class, but the check for them is in parent's
__init__() method and it is IMHO a bit confusing


The check should be in Server, fixed.



4.) please add license header to the beginning of
'ipaserver/install/server/common.py' file


Added.

Updated patches attached.


Self-NACK, I broke ipa-server-install --uninstall.


Fixed.



ACK to all three patches.



Thanks.

Pushed to:
master: 86edd6abeb9749e159a529b83cfce6443fff4ba5
ipa-4-2: 42d16b02cd153ac89ebd8ae07c98611dc3b6e471

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0368] ipa-backup: Add mechanism to store empty directory structure

2015-09-22 Thread Martin Basti



On 09/21/2015 04:31 PM, Tomas Babej wrote:


On 09/21/2015 12:57 PM, Jan Cholasta wrote:

Hi,

On 21.9.2015 09:47, Tomas Babej wrote:


On 09/17/2015 05:13 PM, Tomas Babej wrote:

Hi,

Certain subcomponents of IPA, such as Dogtag, cannot function if
non-critical directories (such as log directories) have not been
stored in the backup.

This patch implements storage of selected empty directories,
while preserving attributes and SELinux context.

https://fedorahosted.org/freeipa/ticket/5297


Attaching a patch for gzip requires. This is more a formal thing than
anything else, gzip is required by systemd anyway.

Please squash this change into the previous patch, there is no benefit
in having it in a separate patch.

Honza


Sure, this was more of an afterthought, attached.

I also added some helpful comments that Martin^2 requested.

Tomas

ACK

Pushed to:
ipa-4-2: 210a4254153fa96a61056a3d3d58b992191de880
master: cfeea91828ad47e1d321947d04f5f6de0e3d1c8c



Re: [Freeipa-devel] [PATCH 0004] Rewrap errors in get_principal to CCacheError

2015-09-22 Thread David Kupka

On 04/09/15 17:07, Michael Šimáček wrote:

On 2015-09-03 14:32, Tomas Babej wrote:



On 09/03/2015 12:54 PM, Michael Šimáček wrote:

After porting to gssapi, the ipa command prints ugly traceback when
kerberos credentials are not available. Rewrapping to CCacheError when
getting the principal name results in nicer error message.

https://fedorahosted.org/freeipa/ticket/5272




This fixes the issue, however, I am getting a trailing forward slash in
the error message:

$ ipa user-find
ipa: ERROR: Kerberos error: did not receive Kerberos credentials/



Attaching updated revision. I altered more places where kerberos errors
were used.

Michael



Thanks, patch works for me, ACK.

--
David Kupka


[Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-22 Thread Jan Cholasta

Hi,

the attached patch fixes .

Honza

--
Jan Cholasta
From 6853b55e7c072737c4e8e83a5dc1cca958ac08ae Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Mon, 21 Sep 2015 10:09:50 +0200
Subject: [PATCH] install: create kdcproxy user during server install

This change makes kdcproxy user creation consistent with DS and CA user
creation. Before, the user was created in the spec file, in %pre scriptlet
of freeipa-server.

https://fedorahosted.org/freeipa/ticket/5314
---
 freeipa.spec.in | 12 
 ipaserver/install/httpinstance.py   | 14 ++
 ipaserver/install/ipa_restore.py|  4 +++-
 ipaserver/install/server/upgrade.py |  1 +
 4 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ab8af30..7a199a5 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -24,10 +24,6 @@
 
 %define _hardened_build 1
 
-%define kdcproxy_user kdcproxy
-%define kdcproxy_group kdcproxy
-%define kdcproxy_home %{_sharedstatedir}/kdcproxy
-
 Name:   freeipa
 Version:__VERSION__
 Release:__RELEASE__%{?dist}
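Review bot: the three %define lines for kdcproxy_user, kdcproxy_group and kdcproxy_home are removed here, but the other hunks in this file only delete the %pre and %files uses; Simo reports on this thread that %{kdcproxy_home} is still referenced and now expands undefined. Before pushing, grep the spec (and anything else that expands these macros) for remaining %{kdcproxy_user}, %{kdcproxy_group} and %{kdcproxy_home} uses and either remove them or keep the defines.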
@@ -583,13 +579,6 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
-# create kdcproxy user
-getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
-getent passwd %{kdcproxy_user} >/dev/null || \
-/usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \
--g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
-exit 0
-
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
 if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
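Review bot: with the %pre user creation gone, a package upgrade no longer guarantees the kdcproxy user exists before httpd starts; the only replacements are the new install step and the truncated upgrade.py hunk, so an upgraded server with an existing kdcproxy config depends entirely on that upgrade path running and creating the user. Simo reports exactly this outcome (no kdcproxy user after upgrade, and error_log complaints about /var/lib/kdcproxy), and asks whether the user should be created even when the proxy is not enabled; make the upgrade step create the user unconditionally rather than only when is_kdcproxy_configured().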
@@ -726,7 +715,6 @@ fi
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
-%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
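Review bot: dropping the `%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}` entry means the package no longer creates or owns /var/lib/kdcproxy, and nothing else in this patch creates that directory (create_kdcproxy_user below passes homedir=paths.VAR_LIB, the parent). Either keep a %dir line for the directory or create it, mode 0700 and owned by the kdcproxy user and group, from create_kdcproxy_user; the "/var/lib/kdcproxy does not exist" errors Simo reports in this thread are consistent with the directory simply being gone.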
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 9354a22..7358511 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -51,6 +51,8 @@ SELINUX_BOOLEAN_SETTINGS = dict(
 httpd_run_ipa='on',
 )
 
+KDCPROXY_USER = 'kdcproxy'
+
 
 def httpd_443_configured():
 """
@@ -77,6 +79,17 @@ def httpd_443_configured():
 
 return False
 
+
+def create_kdcproxy_user():
+"""Create KDC proxy user/group if it doesn't exist yet."""
+tasks.create_system_user(
+name=KDCPROXY_USER,
+group=KDCPROXY_USER,
+homedir=paths.VAR_LIB,
+shell=paths.NOLOGIN,
+)
+
+
 class WebGuiInstance(service.SimpleServiceInstance):
 def __init__(self):
 service.SimpleServiceInstance.__init__(self, "ipa_webgui")
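Review bot: homedir=paths.VAR_LIB gives the kdcproxy system user /var/lib itself as its home, whereas the removed %pre used `-d %{kdcproxy_home}`, i.e. %{_sharedstatedir}/kdcproxy (/var/lib/kdcproxy). A service account whose home is a shared, root-owned directory is a step backwards from the dedicated per-user directory the spec declared, and the errors reported later about /var/lib/kdcproxy show something still expects that path; use the dedicated /var/lib/kdcproxy home here and make sure the directory exists with the 0700 ownership the %files entry used to set.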
@@ -141,6 +154,7 @@ class HTTPInstance(service.Service):
 self.step("clean up any existing httpd ccache", self.remove_httpd_ccache)
 self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
 if not self.is_kdcproxy_configured():
+self.step("create KDC proxy user", create_kdcproxy_user)
 self.step("create KDC proxy config", self.create_kdcproxy_conf)
 self.step("enable KDC proxy", self.enable_kdcproxy)
 self.step("restarting httpd", self.__start)
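Review bot: the "create KDC proxy user" step is registered inside `if not self.is_kdcproxy_configured():`, so on a server whose kdcproxy config already exists the install/upgrade flow never creates the user even though the %pre that used to create it is gone. Register the user-creation step unconditionally (the docstring of create_kdcproxy_user promises it is a no-op when the user already exists) and keep only the config and enable steps behind the guard.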
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index b7af88d..6f24a48 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -370,6 +370,7 @@ class Restore(admintool.AdminTool):
 
 self.restore_selinux_booleans()
 
+http = httpinstance.HTTPInstance()
 
 # We do either a full file restore or we restore data.
 if restore_type == 'FULL':
@@ -381,6 +382,8 @@ class Restore(admintool.AdminTool):
 self.cert_restore()
 if 'CA' in self.backup_services:
 self.__create_dogtag_log_dirs()
+if http.is_kdcproxy_configured():
+httpinstance.create_kdcproxy_user()
 
 # Always restore the data from ldif
 # If we are restoring PKI-IPA then we need to restore the
@@ -409,7 +412,6 @@ class Restore(admintool.AdminTool):
 self.log.info('Restarting SSSD')
 sssd = services.service('sssd')
 sssd.restart()
-http = httpinstance.HTTPInstance()
 http.remove_httpd_ccache()
 finally:
 try:
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 571e71b..4df6219 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1445,6 +1445,7 @@ def upgrade_configuration():
 http.realm = api.env.realm
 http.suffix = 

Re: [Freeipa-devel] [PATCH 0004] Rewrap errors in get_principal to CCacheError

2015-09-22 Thread Jan Cholasta

On 22.9.2015 13:20, David Kupka wrote:

On 04/09/15 17:07, Michael Šimáček wrote:

On 2015-09-03 14:32, Tomas Babej wrote:



On 09/03/2015 12:54 PM, Michael Šimáček wrote:

After porting to gssapi, the ipa command prints ugly traceback when
kerberos credentials are not available. Rewrapping to CCacheError when
getting the principal name results in nicer error message.

https://fedorahosted.org/freeipa/ticket/5272




This fixes the issue, however, I am getting a trailing forward slash in
the error message:

$ ipa user-find
ipa: ERROR: Kerberos error: did not receive Kerberos credentials/



Attaching updated revision. I altered more places where kerberos errors
were used.

Michael



Thanks, patch works for me, ACK.



Pushed to master: bdccebbcdb9eb7da476762743121c1e73f95fa10

--
Jan Cholasta


[Freeipa-devel] [PATCH 0064] destroy httpd ccache after stopping the service

2015-09-22 Thread Martin Babinsky
This patch fixes https://fedorahosted.org/freeipa/ticket/5296 and 
generally makes cleaning up of httpd ccache more thorough.


--
Martin^3 Babinsky
From 02ec4a4d080a1dab28d14fa46a037ef1731431fb Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 16 Sep 2015 18:35:21 +0200
Subject: [PATCH] destroy httpd ccache after stopping the service

This will force recreation of the file-based ccache after IPA restore and
prevent a mismatch between cached and restored Kerberos keys.

https://fedorahosted.org/freeipa/ticket/5296
---
 init/systemd/httpd.service | 1 +
 1 file changed, 1 insertion(+)

diff --git a/init/systemd/httpd.service b/init/systemd/httpd.service
index e68f39eca759db50ad18d8db1faa3b704cb15ede..7ce8f04d8b9bb3663e59d4fdc610af0eb4478178 100644
--- a/init/systemd/httpd.service
+++ b/init/systemd/httpd.service
@@ -4,3 +4,4 @@
 Environment=KRB5CCNAME=/var/run/httpd/ipa/krbcache/krb5ccache
 Environment=KDCPROXY_CONFIG=/etc/ipa/kdcproxy/kdcproxy.conf
 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
+ExecStopPost=-/usr/bin/kdestroy -A
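Review bot: ExecStopPost runs on every stop, including the stop half of an ordinary `systemctl restart httpd`, not only after an IPA restore, so this destroys the httpd ccache on each restart and the first request afterwards pays for re-acquiring the credentials; confirm that is intended, or scope the cleanup to the restore path if it is not. The leading "-" correctly keeps a missing ccache from marking the unit as failed, and KRB5CCNAME from the Environment= line above is what makes kdestroy -A hit the right cache, so it is worth a comment in the unit noting that dependency.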
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-22 Thread Jan Cholasta

On 22.9.2015 15:11, Martin Babinsky wrote:

On 09/22/2015 01:33 PM, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza




ACK



Thanks.

Pushed to:
master: 0de860318332114ca739a8dd45902f7cc9a3c722
ipa-4-2: 4663625bbb3456db7f13578e6cac0c3e5fae2591

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-22 Thread Simo Sorce
On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:
> Hi,
> 
> On 9.9.2015 20:25, Simo Sorce wrote:
> > On Wed, 2015-08-26 at 17:27 -0400, Simo Sorce wrote:
> >> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> >> and introduces a number of required changes and dependencies to achieve
> >> this goal.
> >> This work requires the custodia project to securely transfer keys
> >> between ipa servers.
> >>
> >> This work is not 100% complete, it still misses the ability to install
> >> kra instances and the ability to install a CA (via ipa-ca-install) with
> >> externally signed certs.
> >>
> >> However it is massive enough that it warrants review and pushing, the rest
> >> of the changes can be applied later as this work should not disrupt the
> >> classic install methods.
> >>
> >> In order to build my previous patches (530-533) are needed as well as a
> >> number of updated components.
> >>
> >> I used the following coprs for testing:
> >> simo/jwcrypto
> >> simo/custodia
> >> abbra/sssd-kkdcproxy (for sssd 1.13.1)
> >> lkrispen/389-ds-current (for 389 > 1.3.4.4)
> >> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> >> mkosek/freeipa-4.2-fedora-22 (misc)
> >> fedora/updates-testing (python-gssapi 1.1.2)
> >>
> >> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> >> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> >> it will be released.
> >>
> >> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> >> that may cause installation issues in some case (re-install of a
> >> replica).
> >>
> >> The domain must be raised to level 1 in order to use replica promotion.
> >>
> >> In order to promote a replica the server must be first joined as a
> >> regular client to the domain.
> >>
> >> This is the flow I usually use for testing:
> >>
> >> # ipa-client-install
> >> # kinit admin
> >> # ipa-replica-install --promote --setup-ca
> >>  >> etc...>
> >>
> >> These patches are also available in this git tree rebased on current
> >> master:
> >> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
> >
> > FYI: I rebased this branch on top of master and applied minor changes to
> > one of the DNS patches. I also added the missing support to install KRA.
> >
> > DS 1.3.4.4 is also in Fedora updates testing, so ludwig's copr is not
> > needed anymore.
> >
> > Dogtag's ticket is not fixed yet so running both --setup-ca and
> > --setup-kra at the same time will still yield an error and install will
> > fail.
> >
> > Please let me know if there are any major issues with this patchset, I'd
> > like to push it to master and attack the remaining issues as add ons
> > (install with external certs not supported yet for example)
> 
> So far I have only read through the code without running it (mostly).
> 
> 
> "Remove unused arguments": ACK
> 
> 
> "Simplify the install_replica_ca function": ACK

Thanks for pushing these.

> 
> "IPA Custodia Daemon":
> 
> 1) Instead of putting the code in "ipakeys" package, could you put it in 
> "ipapython.keys"? This way it would be consistent with DNSSEC, which has 
> binaries in daemons/dnssec/ and modules in ipapython/dnssec/.

I think I can do this, it was originally all in daemon because that's
where I had the custodia submodules, but we do not carry a copy anymore.

> 2) Is it safe to create cn=custodia in update file only? Updates are 
> executed late in ipa-server-install. Is is guaranteed that nothing will 
> try to access cn=custodia before the updates are run?
> 
> (Nevermind, it is added to bootstrap-template.ldif 2 commits below.)
> 
> 3) Shouldn't cn=custodia be created only when domain level >= 1?

It is used only at >= 1 level, but we have to create it when we update
the code, otherwise you cannot switch to level 1.
Switching a level in LDAP cannot cause an update script to be run so
you would have incomplete servers publicizing level 1 but not offering a
critical service for level 1.

> 4) pylint fails with:
> 
> daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class), 
> IPAKEMKeys.__init__] Use of super on an old style class)
> daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member), 
> IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no 
> 'config' member)
> daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member), 
> IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config' member)

On what pylint version?
I had to disable pylint for a while but it currently runs and doesn't
complain to me ...

> 5) There are some PEP8 transgressions:
> 
> ./daemons/ipa-custodia/ipakeys/kem.py:202:80: E501 line too long (82 > 
> 79 characters)
> ./daemons/ipa-custodia/ipakeys/kem.py:203:80: E501 line too long (82 > 
> 79 characters)
> ./daemons/ipa-custodia/ipakeys/store.py:33:1: E302 expected 2 blank 
> lines, found 1
> ./daemons/ipa-custodia/setup.py:8:9: E251 unexpected spaces around 
> keyword / parameter equals
> 

Re: [Freeipa-devel] [PATCHES] More Python 3 porting

2015-09-22 Thread David Kupka

On 18/09/15 17:00, Petr Viktorin wrote:

Hello,
Here are more patches that bring IPA closer to Python 3 compatibility.






Hi Petr,
thanks for another batch of Python 3 compatibility patches.
Unfortunately I hit a lot of pylint errors. Some of them are false 
positives for sure. Could you please look at them, mark the false 
positives with the "pylint: disable=E" directive and fix the rest?


http://fpaste.org/270090/92665414/

And one nitpick, I believe that the plus signs are not needed.


-self.arabic_hello_utf8 = '\xd9\x85\xd9\x83\xd9\x8a\xd9\x84' + \
- '\xd8\xb9\x20\xd9\x85\xd8\xa7\xd9' + \
- '\x84\xd9\x91\xd8\xb3\xd9\x84\xd8\xa7'
+self.arabic_hello_utf8 = (b'\xd9\x85\xd9\x83\xd9\x8a\xd9\x84' +
+  b'\xd8\xb9\x20\xd9\x85\xd8\xa7\xd9' +
+  b'\x84\xd9\x91\xd8\xb3\xd9\x84\xd8\xa7')
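Review bot: inside the parentheses adjacent bytes literals are concatenated by the parser, so the `+` operators on the three `b'...'` lines are redundant and can simply be dropped (`b'\xd9\x85...' b'\xd8\xb9...' b'\x84\xd9...'`). The `b` prefix itself is the real change here: on Python 3 the unprefixed `'\xd9\x85...'` literal would be a str of U+00xx code points rather than the raw UTF-8 bytes the test data is meant to be.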


--
David Kupka

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 494] install: create kdcproxy user during server install

2015-09-22 Thread Martin Babinsky

On 09/22/2015 01:33 PM, Jan Cholasta wrote:

Hi,

the attached patch fixes .

Honza




ACK

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-09-22 Thread Tomas Babej
On 09/03/2015 04:34 PM, Alexander Bokovoy wrote:
> On Thu, 03 Sep 2015, Tomas Babej wrote:
>> Hi,
>>
>> this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
>> and improve our handling of realmdomains in general.
> The code looks good to me. I haven't tested it yet, though.
> 

Rebased on top of current master.
From 6071024ee951221685c283f23dd9c43667cc4bd9 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/util.py | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index 7c7da6af7bbb290dd25832e188d5445a23e5571e..e5e0b5c40d39c4761405c35130e5cdc077d717eb 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -802,3 +802,58 @@ def get_topology_connection_errors(graph):
 if not_visited:
 connect_errors.append((m, list(visited), list(not_visited)))
 return connect_errors
+
+def detect_dns_zone_realm_type(api, domain):
+"""
+Detects the type of the realm that the given DNS zone belongs to.
+Note: This method is heuristic. Possible values:
+  - 'current': For IPA domains belonging in the current realm.
+  - 'foreign': For domains belonging in a foreing kerberos realm.
+  - 'unknown': For domains whose allegiance could not be detected.
+"""
+
+# First, try to detect _kerberos TXT record in the domain
+# This would indicate that the domain belongs to IPA realm
+
+kerberos_prefix = DNSName('_kerberos')
+domain_suffix = DNSName(domain)
+kerberos_record_name = kerberos_prefix + domain_suffix
+
+response = None
+
+try:
+result = resolver.query(kerberos_record_name, rdatatype.TXT)
+answer = result.response.answer
+
+# IPA domain will have only one _kerberos TXT record
+if (len(answer) == 1 and
+len(answer[0]) == 1 and
+answer[0].rdtype == rdatatype.TXT):
+
+record = answer[0][0]
+
+# If the record contains our current realm, it is 'ipa-current'
+if record.to_text() == '"{0}"'.format(api.env.realm):
+return 'current'
+else:
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# Try to detect AD specific record in the zone.
+# This would indicate that the domain belongs to foreign (AD) realm
+
+gc_prefix = DNSName('_ldap._tcp.gc._msdcs')
+ad_specific_record_name = gc_prefix + domain_suffix
+
+try:
+# The presence of this record is enough, return foreign in such case
+result = resolver.query(ad_specific_record_name, rdatatype.SRV)
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# If we could not detect type with certainity, return unknown
+return 'unknown'
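Review bot: the new function is separated from `get_topology_connection_errors` by a single blank line (E302, two expected) and carries dead code: `response = None` is never used, `e` is unread in both `except DNSException as e` clauses, and `result` from the SRV query is never inspected; the comment also says `'ipa-current'` while the code returns `'current'`, and "foreing"/"certainity" are typos. More substantively, `except DNSException: pass` treats timeouts and SERVFAIL the same as NXDOMAIN, so a transiently unreachable resolver silently degrades the answer to `'foreign'` (via the AD check) or `'unknown'`; consider catching only `NXDOMAIN`/`NoAnswer` and letting other resolver errors propagate, and state in the docstring that this is an unauthenticated DNS heuristic that callers must not rely on alone for trust decisions. The comparison `record.to_text() == '"{0}"'.format(api.env.realm)` also depends on dnspython's quoting and fails for a TXT record split into several strings; comparing the record's strings to the realm directly would be more robust.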
-- 
2.1.0

From 2099722b982866537ed11f21cee328d9ff17af4d Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 3 Sep 2015 12:40:17 +0200
Subject: [PATCH] realmdomains: Minor style and wording improvements

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/plugins/realmdomains.py | 75 +-
 1 file changed, 60 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index f8f838d0ede85ee747a4b2f19129dc757fe837eb..4e618f1d1a71ba2133b03384bc056d069c505f43 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -137,16 +137,46 @@ class realmdomains_mod(LDAPUpdate):
 del_domain = entry_attrs.get('del_domain')
 force = options.get('force')
 
+current_domain = get_domain_name()
+
+missing_soa_ns_record_error = _(
+"DNS zone for each realmdomain must contain "
+"SOA or NS records. No records found for: %s"
+)
+
+# User specified the list of domains explicitly
 if associateddomain:
 if add_domain or del_domain:
-raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain"))
-if get_domain_name() not in associateddomain:
-raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server"))
+raise errors.MutuallyExclusiveError(
+reason=_(
+"The --domain option cannot be used together "
+"with --add-domain or --del-domain. Use --domain "
+"to specify the whole realm domain list explicitly, "
+"to add/remove individual domains, use "
+"--add-domain/del-domain.")
+)
+
+# Make sure our domain is included in the list
+if current_domain not in associateddomain:
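Review bot: the new error text on the `"--add-domain/del-domain."` line drops the dashes from the second option and the sentence before it is a comma splice; suggest "Use --domain to specify the whole realm domain list explicitly. To add or remove individual domains, use --add-domain/--del-domain." Also, the removed check raised `errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server"))` when the server's own domain was missing from the list; the replacement branch under `if current_domain not in associateddomain:` is cut off here, so confirm it still rejects the omission rather than silently re-adding the domain. `missing_soa_ns_record_error` is built in this hunk but its use is not visible; check it is actually consumed.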
+ 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-22 Thread Simo Sorce
On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:
> 4) pylint fails with:
> 
> daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class), 
> IPAKEMKeys.__init__] Use of super on an old style class)
> daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member), 
> IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no 
> 'config' member)
> daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member), 
> IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config'
> member)

I do not know why pylint gives you these errors.
The top level class for IPAKEMKeys is ultimately the custodia class
called HTTPAuthorizer which is defined as a new-style class (derives
from object), that class also unconditionally inits config.
Maybe you ran pylint w/o custodia installed ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
