Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Petr Spacek
On 12.10.2015 13:38, Martin Babinsky wrote: > > each service possessing Kerberos keytab will now remove it and destroy any > associated credentials cache during its uninstall > > https://fedorahosted.org/freeipa/ticket/5243 BTW some time ago Simo proposed that we should remove caches and old key

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Martin Babinsky
On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab will now remove it and destroy any associated credentials cache during its uninstall https://fedorahosted.org/freeipa/ticket/5243 BTW some time ago Simo proposed tha

Re: [Freeipa-devel] [PATCH 0083] perform an unlimited search for reverse zones when adding DNS records

2015-10-13 Thread Petr Spacek
On 12.10.2015 16:35, Martin Babinsky wrote: > https://fedorahosted.org/freeipa/ticket/5200 > --- > ipalib/plugins/dns.py | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py > index > 84086f4c77d02922f237937d58031cc42d55410e..c3

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-13 Thread Jan Cholasta
On 1.10.2015 15:22, Simo Sorce wrote: On 01/10/15 07:42, Jan Cholasta wrote: Hi, I have just imported python-jwcrypto, custodia and pki-core-10.2.7 into mkosek/freeipa-master as well, to (hopefully) make things easier. Simo, custodia failed to build F22, any idea why? See

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Oleg Fayans
NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm CLI is OK, though On 10/12/2015 05:57 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5222 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your s

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Petr Spacek
On 13.10.2015 09:34, Martin Babinsky wrote: > On 10/13/2015 09:17 AM, Petr Spacek wrote: >> On 12.10.2015 13:38, Martin Babinsky wrote: >>> >>> each service possessing Kerberos keytab will now remove it and destroy any >>> associated credentials cache during its uninstall >>> >>> https://fedorahost

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Petr Vobornik
On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm Showing it is correct and desired - both in CLI and Web UI. The end state should be that UIs will create new segments with direction=both an

[Freeipa-devel] [PATCH 504] vault: fix service name normalization

2015-10-13 Thread Jan Cholasta
Hi, the attached patch fixes . Honza -- Jan Cholasta From b9a05d4123a419a56ffa6762b6a8f1a3a660a62e Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 13 Oct 2015 10:10:48 +0200 Subject: [PATCH] vault: fix service name normalization https://fed

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Oleg Fayans
On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm Showing it is correct and desired - both in CLI and Web UI. Well, CLI does not show the conn

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Ludwig Krispenz
On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm Showing it is correct and desired - both in CLI and Web UI. agree, it is also information help

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Martin Babinsky
On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm Showing it is correct and desired - both in CLI and Web UI. So IIUC the segment connectivity

[Freeipa-devel] [PATCH 373-374] idoverrides: Ignore SID conversion error and add coverage

2015-10-13 Thread Tomas Babej
Hi, this couple of patches fixes and improves the coverage for referential integrity of ID overrides. Note: Last test in the patch 374 is supposed to be failing (for now). https://fedorahosted.org/freeipa/ticket/5322 From 17fab1cf2ff1966b97507477455ecda6bc91bdbd Mon Sep 17 00:00:00 2001 From: To

Re: [Freeipa-devel] [PATCH 504] vault: fix service name normalization

2015-10-13 Thread Jan Cholasta
On 13.10.2015 10:18, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Decided to use a slightly different approach, updated patch attached. -- Jan Cholasta From cda42f4388e2c8b20294b246ac973c1c3e011944 Mon Sep 17 00:00:00 2001 From: Jan C

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Petr Vobornik
On 10/13/2015 12:19 PM, Martin Babinsky wrote: On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm Showing it is correct and desired - both in CLI

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Oleg Fayans
Hi guys, On 10/13/2015 12:34 PM, Petr Vobornik wrote: On 10/13/2015 12:19 PM, Martin Babinsky wrote: On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/

Re: [Freeipa-devel] [PATCH 0059] ipa-adtrust-install: Print complete SRV record

2015-10-13 Thread Tomas Babej
On 10/09/2015 02:59 PM, Petr Spacek wrote: > Hello, > > I found this when reviewing DNS parts of IdM and AD integration guides. > > ipa-adtrust-install: Print complete SRV records. > https://fedorahosted.org/freeipa/ticket/5358 > > > ACK, generates correct output. _ldap._tcp.Default-First-

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Ludwig Krispenz
On 10/13/2015 12:43 PM, Oleg Fayans wrote: Hi guys, On 10/13/2015 12:34 PM, Petr Vobornik wrote: On 10/13/2015 12:19 PM, Martin Babinsky wrote: On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:

Re: [Freeipa-devel] [PATCH 0009] WebUI: Disappearing automember rule expressions

2015-10-13 Thread Tomas Babej
On 10/09/2015 01:46 PM, Stanislav Laznicka wrote: > Hi, > please see the patch attached. > > Standa L. > > ACK, works as desired. Tomas

[Freeipa-devel] [PATCH 5] The delegation uris are not set, match message to code

2015-10-13 Thread Jan Pazdziora
One-liner. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat From 612495129cb84fca972c0331adc591ea59dafd21 Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Tue, 13 Oct 2015 13:07:24 +0200 Subject: [PATCH] The delegation uris are not set, match mess

Re: [Freeipa-devel] [PATCH 5] The delegation uris are not set, match message to code

2015-10-13 Thread Tomas Babej
On 10/13/2015 01:14 PM, Jan Pazdziora wrote: > > One-liner. > > > ACK, network.negotiate-auth.delegation-uris is indeed not being set. Tomas

Re: [Freeipa-devel] [PATCH 5] The delegation uris are not set, match message to code

2015-10-13 Thread Tomas Babej
On 10/13/2015 01:18 PM, Tomas Babej wrote: > > > On 10/13/2015 01:14 PM, Jan Pazdziora wrote: >> >> One-liner. >> >> >> > > ACK, network.negotiate-auth.delegation-uris is indeed not being set. > > Tomas > Pushed to master: 9d7abfaf7a97f3ea0831d1870898c00b7e8d93e3

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Oleg Fayans
Hi Ludwig, On 10/13/2015 12:55 PM, Ludwig Krispenz wrote: On 10/13/2015 12:43 PM, Oleg Fayans wrote: Hi guys, On 10/13/2015 12:34 PM, Petr Vobornik wrote: On 10/13/2015 12:19 PM, Martin Babinsky wrote: On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote:

Re: [Freeipa-devel] [PATCH 0083] perform an unlimited search for reverse zones when adding DNS records

2015-10-13 Thread Martin Babinsky
On 10/13/2015 09:36 AM, Petr Spacek wrote: On 12.10.2015 16:35, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5200 --- ipalib/plugins/dns.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index 84086f4c77d0

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Martin Basti
On 13.10.2015 10:04, Petr Spacek wrote: On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab will now remove it and destroy any associated credentials cache during its uninst

Re: [Freeipa-devel] [PATCH 0066] ipactl: Do not start/stop/restart single service multiple times

2015-10-13 Thread Tomas Babej
On 08/27/2015 08:07 AM, David Kupka wrote: > On 26/08/15 17:49, Tomas Babej wrote: >> >> >> On 08/26/2015 03:16 PM, David Kupka wrote: >>> https://fedorahosted.org/freeipa/ticket/5248 >>> >>> >> >> +def deduplicate(lst): >> +new_lst = [] >> +s = set(lst) >> +for i in lst: >> +
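Review bot: `deduplicate(lst)` has no docstring; the visible lines go straight from the `def` line to `new_lst = []`. Since the helper builds `s = set(lst)`, it only works for hashable items, and the separate `new_lst` suggests the original order is meant to be kept. A one-line docstring stating both points would make the contract clear to callers in ipactl.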

Re: [Freeipa-devel] [PATCHES] More Python3 porting

2015-10-13 Thread Tomas Babej
On 10/08/2015 05:17 PM, Petr Viktorin wrote: > Hello, > Here is another batch of Python 3 porting patches. > I went through the patches both code-wise and functional-tests wise (xmlrpc, CI, manual). Looks&works fine. ACK, thanks for the patchset. Tomas

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Alexander Bokovoy
On Tue, 13 Oct 2015, Martin Basti wrote: On 13.10.2015 10:04, Petr Spacek wrote: On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab will now remove it and destroy any asso

Re: [Freeipa-devel] [PATCHES] More Python3 porting

2015-10-13 Thread Tomas Babej
On 10/13/2015 02:15 PM, Tomas Babej wrote: > > > On 10/08/2015 05:17 PM, Petr Viktorin wrote: >> Hello, >> Here is another batch of Python 3 porting patches. >> > > I went through the patches both code-wise and functional-tests wise > (xmlrpc, CI, manual). Looks&works fine. > > ACK, thanks fo

Re: [Freeipa-devel] [PATCH 504] vault: fix service name normalization

2015-10-13 Thread Petr Vobornik
On 10/13/2015 12:24 PM, Jan Cholasta wrote: On 13.10.2015 10:18, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Decided to use a slightly different approach, updated patch attached. Works for me, ACK -- Petr Vobornik

Re: [Freeipa-devel] [PATCH 504] vault: fix service name normalization

2015-10-13 Thread Jan Cholasta
On 13.10.2015 14:18, Petr Vobornik wrote: On 10/13/2015 12:24 PM, Jan Cholasta wrote: On 13.10.2015 10:18, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Decided to use a slightly different approach, updated patch attached. Works fo

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-13 Thread Simo Sorce
On 13/10/15 03:40, Jan Cholasta wrote: On 1.10.2015 15:22, Simo Sorce wrote: On 01/10/15 07:42, Jan Cholasta wrote: Hi, I have just imported python-jwcrypto, custodia and pki-core-10.2.7 into mkosek/freeipa-master as well, to (hopefully) make things easier. Simo, custodia failed to build F22,

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Simo Sorce
On 13/10/15 04:04, Petr Spacek wrote: On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab will now remove it and destroy any associated credentials cache during its uninstall

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Petr Spacek
On 13.10.2015 14:52, Simo Sorce wrote: > On 13/10/15 04:04, Petr Spacek wrote: >> On 13.10.2015 09:34, Martin Babinsky wrote: >>> On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: > > each service possessing Kerberos keytab will now remove it and de

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Simo Sorce
On 13/10/15 08:58, Petr Spacek wrote: On 13.10.2015 14:52, Simo Sorce wrote: On 13/10/15 04:04, Petr Spacek wrote: On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab will

Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall

2015-10-13 Thread Gabe Alford
No worries Petr. All a part of the review process. I have attached an updated patch that prints only a warning message. thanks, Gabe On Tue, Oct 13, 2015 at 12:39 AM, Petr Spacek wrote: > Hello Gabe, > > I would like to apologize for the confusion regarding this patch and the > repeated rewor

Re: [Freeipa-devel] [PATCH 373-374] idoverrides: Ignore SID conversion error and add coverage

2015-10-13 Thread Martin Babinsky
On 10/13/2015 12:21 PM, Tomas Babej wrote: Hi, this couple of patches fixes and improves the coverage for referential integrity of ID overrides. Note: Last test in the patch 374 is supposed to be failing (for now). https://fedorahosted.org/freeipa/ticket/5322 Hi Tomas, Patch 373: I stil

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Rob Crittenden
Alexander Bokovoy wrote: > On Tue, 13 Oct 2015, Martin Basti wrote: >> >> >> On 13.10.2015 10:04, Petr Spacek wrote: >>> On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: > On 12.10.2015 13:38, Martin Babinsky wrote: >> each service possessing Kerbe

Re: [Freeipa-devel] [PATCH 0083] perform an unlimited search for reverse zones when adding DNS records

2015-10-13 Thread Petr Spacek
On 13.10.2015 13:37, Martin Babinsky wrote: > On 10/13/2015 09:36 AM, Petr Spacek wrote: >> On 12.10.2015 16:35, Martin Babinsky wrote: >>> https://fedorahosted.org/freeipa/ticket/5200 >>> --- >>> ipalib/plugins/dns.py | 3 ++- >>> 1 file changed, 2 insertions(+), 1 deletion(-) >>> >>> diff --gi

[Freeipa-devel] Stageuser capability in UI

2015-10-13 Thread Lenka Doudova
Hi, I've been told to do some tests of stageuser UI capabilities ASAP. I think I covered most of the test cases from test plan (http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan) (will check that tomorrow morning, as I need to go soon). I haven't found any really serious bug,

Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Martin Basti
On 09.10.2015 19:17, Gabe Alford wrote: Hello, This patch enables nsaccountlock in user.py cli. It is very handy to be able to search and find users with disabled/enabled accounts, etc. That said, I couldn't find why it was no_option in the first place, so I am not 100% sure if it breaks so

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-13 Thread Jan Orel
> The restriction was there so that hosts had limited visibility. This > applies that limitation to all users. I think the host check needs to be > re-added. I am confused, correct me if I am wrong, but the "if hostname:" check seems always redundant because it would raise exception before either h

Re: [Freeipa-devel] [PATCHES 0318 - 0320, 0323] installer: allow to modify dse.ldif during installation

2015-10-13 Thread Martin Basti
On 12.10.2015 12:30, Martin Babinsky wrote: On 10/08/2015 05:58 PM, Martin Basti wrote: The attached patches fix following tickets: https://fedorahosted.org/freeipa/ticket/4949 https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 With these

[Freeipa-devel] [PATCHES 0324 - 0325] DNSSEC: warn user if DNSSEC key master is not installed on any replica

2015-10-13 Thread Martin Basti
https://fedorahosted.org/freeipa/ticket/5290 Patches attached. From a8ee0440a363e11b82878609a4a0204039ce5b7e Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 13 Oct 2015 14:08:35 +0200 Subject: [PATCH 1/2] DNSSEC: Remove service containers from LDAP after uninstalling The service contai

Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Gabe Alford
Thanks Martin, What about adding no_create and no_update flags? Gabe On Tue, Oct 13, 2015 at 9:54 AM, Martin Basti wrote: > > > On 09.10.2015 19:17, Gabe Alford wrote: > > Hello, > > This patch enables nsaccountlock in user.py cli. It is very handy to be > able to search and find users with di

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Martin Babinsky
On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm Showing it is correct and desired - both in CLI and Web UI. The end state should be that UIs wi

Re: [Freeipa-devel] [PATCH 0058] Remove bind configuration detected question

2015-10-13 Thread Martin Basti
On 09.10.2015 19:17, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5351 Thanks, Gabe ACK Pushed to: master: d0bdc37679ef6807d16f2f3b216366834f9d6de0 ipa-4-2: 1d78cbb036760261f8d8e57fc0b7109e9e1c7568

Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Martin Basti
On 13.10.2015 18:53, Gabe Alford wrote: Thanks Martin, What about adding no_create and no_update flags? Gabe Yes, that may work, also please increment minor version of API and add ticket into commit message (https://fedorahosted.org/freeipa/ticket/5366)

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Martin Babinsky
On 10/13/2015 06:55 PM, Martin Babinsky wrote: mbabinsk - hide segment direction from topology commands Ooops forgot to regenerate API.txt. Attaching updated patch. -- Martin^3 Babinsky From 2964ac74100ec2ded3acf15b1bc1ab327c6cd00f Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Mon, 12

Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Gabe Alford
Updated patch attached. On Tue, Oct 13, 2015 at 10:59 AM, Martin Basti wrote: > > > On 13.10.2015 18:53, Gabe Alford wrote: > > Thanks Martin, > > What about adding no_create and no_update flags? > > Gabe > > Yes, that may work, also please increment minor version of API and add > ticket into co

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-13 Thread Rob Crittenden
Jan Orel wrote: >> The restriction was there so that hosts had limited visibility. This >> applies that limitation to all users. I think the host check needs to be >> re-added. > > I am confused, correct me if I am wrong, but the "if hostname:" check > seems always redundant because it would raise

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Martin Babinsky
On 10/13/2015 02:52 PM, Simo Sorce wrote: On 13/10/15 04:04, Petr Spacek wrote: On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab will now remove it and destroy any associ