[Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user

2015-11-24 Thread Simo Sorce
This patch is untested and mostly an RFC. I think it is all we need to allow to specify authz data types per user and by setting the attribute to NONE preventing a user from getting MS-PAC data in their ticket. Alexander you changed quite a bit the code around here so I'd like to know if you

[Freeipa-devel] [PATCH 558] Allow disabling requireing preauth by default for Service Principal Names

2015-11-24 Thread Simo Sorce
This addresses #3860, giving admins the option to not require preauth for Hosts and services. I did not add this option by default, although it does reduce the load on the KDC as well as speed up TGT acquisition for service principal accounts that acquire TGTs. Tested and working as expected

[Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

2015-11-24 Thread Simo Sorce
Since some time we use the getkeytab operation to fetch keytabs on newer clients. According to bug #232 setkeytab can be used to circumvent password quality controls so it needs to be slowly retired. The attached patches implement #5485 in 2 parts. The first introduces the option

Re: [Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

2015-11-24 Thread Simo Sorce
On Tue, 2015-11-24 at 14:57 -0500, Simo Sorce wrote: > On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote: > > Since some time we use the getkeytab operation to fetch keytabs on newer > > clients. According to bug #232 setkeytab can be used to circumvent > > password quality controls so it needs

Re: [Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

2015-11-24 Thread Simo Sorce
On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote: > Since some time we use the getkeytab operation to fetch keytabs on newer > clients. According to bug #232 setkeytab can be used to circumvent > password quality controls so it needs to be slowly retired. > > The attached patches implement

Re: [Freeipa-devel] [IPAQE][REVIEW-REQUEST][TEST PLAN] Replica promotion

2015-11-24 Thread Jenny Severance
- Original Message - > Hi Jenny, > > We have numerous tests checking the functionality of replicas. The tests > are adapted to the new replica installation workflow (promotion), which > means that there is presumably no need to create any additional tests. > Our goal is to test the bits

Re: [Freeipa-devel] [PATCH] Allow ipa-getkeytab to find server name from config file

2015-11-24 Thread Fraser Tweedale
On Tue, Nov 24, 2015 at 02:36:17PM -0500, Simo Sorce wrote: > On Tue, 2015-11-24 at 17:34 +0100, Jan Cholasta wrote: > > On 24.11.2015 17:30, Simo Sorce wrote: > > > On Tue, 2015-11-24 at 09:14 +0100, Jan Cholasta wrote: > > >> On 24.11.2015 09:06, Petr Spacek wrote: > > >>> On 24.11.2015 07:32,

Re: [Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-24 Thread Fraser Tweedale
On Tue, Nov 24, 2015 at 05:38:45PM +0100, Jan Cholasta wrote: > On 24.11.2015 17:17, Martin Babinsky wrote: > >On 11/24/2015 05:10 PM, Martin Babinsky wrote: > >>On 11/24/2015 05:01 PM, Martin Babinsky wrote: > >>>On 11/24/2015 04:58 PM, Jan Cholasta wrote: > On 24.11.2015 16:48, Martin

Re: [Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-24 Thread Jan Cholasta
On 25.11.2015 05:56, Fraser Tweedale wrote: On Tue, Nov 24, 2015 at 05:38:45PM +0100, Jan Cholasta wrote: On 24.11.2015 17:17, Martin Babinsky wrote: On 11/24/2015 05:10 PM, Martin Babinsky wrote: On 11/24/2015 05:01 PM, Martin Babinsky wrote: On 11/24/2015 04:58 PM, Jan Cholasta wrote: On

Re: [Freeipa-devel] [PATCH] Add option to disable setkeytab extended operations

2015-11-24 Thread Jan Cholasta
On 24.11.2015 22:17, Simo Sorce wrote: On Tue, 2015-11-24 at 14:57 -0500, Simo Sorce wrote: On Tue, 2015-11-24 at 14:42 -0500, Simo Sorce wrote: Since some time we use the getkeytab operation to fetch keytabs on newer clients. According to bug #232 setkeytab can be used to circumvent password

Re: [Freeipa-devel] [PATCH 560] Allow to set allowed krb authz data type per user

2015-11-24 Thread Jan Cholasta
On 25.11.2015 00:09, Simo Sorce wrote: This patch is untested and mostly an RFC. I think it is all we need to allow to specify authz data types per user and by setting the attribute to NONE preventing a user from getting MS-PAC data in their ticket. Alexander you changed quite a bit the code

Re: [Freeipa-devel] [PATCH 0357] Installer: force service-add during replica install

2015-11-24 Thread Tomas Babej
On 11/24/2015 01:58 PM, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5420 > > Patch attached. > > ACK. Pushed to master: 5427e7a8c7216b0aa54159a668951d71fb009139 -- Manage your subscription for the Freeipa-devel mailing list:

Re: [Freeipa-devel] [IPAQE][REVIEW-REQUEST][TEST PLAN] Replica promotion

2015-11-24 Thread Namita Krishnan
> Hi, > Is anyone providing feedback? Yes, it is on DQE's plate (and on freeipa devel) This was an outcome of the retrospective we had that DQE will be involved as UQE writes test plan, and the subject header is as proposed to catch the attn :) But currently, are busy with Update1

Re: [Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-24 Thread Martin Babinsky
On 11/24/2015 05:01 PM, Martin Babinsky wrote: On 11/24/2015 04:58 PM, Jan Cholasta wrote: On 24.11.2015 16:48, Martin Babinsky wrote: On 11/24/2015 04:44 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5459 forgot to attach the actual file *slaps himself*

Re: [Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-24 Thread Martin Babinsky
On 11/24/2015 05:10 PM, Martin Babinsky wrote: On 11/24/2015 05:01 PM, Martin Babinsky wrote: On 11/24/2015 04:58 PM, Jan Cholasta wrote: On 24.11.2015 16:48, Martin Babinsky wrote: On 11/24/2015 04:44 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5459 forgot to attach

Re: [Freeipa-devel] [PATCH 0358] ipa-getkeytab: do not return error if translations cannot be loaded

2015-11-24 Thread Jan Cholasta
On 24.11.2015 16:52, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5483 Patch attached. Doesn't init_gettext() itself already print to stderr on failure? -- Jan Cholasta

Re: [Freeipa-devel] [PATCH] 0748 Handle encoding for ipautil.run

2015-11-24 Thread Petr Viktorin
On 11/23/2015 10:50 AM, Jan Cholasta wrote: > On 23.11.2015 07:43, Jan Cholasta wrote: >> On 19.11.2015 00:55, Petr Viktorin wrote: >>> On 11/03/2015 02:39 PM, Petr Viktorin wrote: Hello, Python 3's strings are Unicode, so data coming to or leaving a Python program needs to be

Re: [Freeipa-devel] [PATCH 0358] ipa-getkeytab: do not return error if translations cannot be loaded

2015-11-24 Thread Simo Sorce
On Tue, 2015-11-24 at 16:52 +0100, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/5483 > > Patch attached.

Re: [Freeipa-devel] [PATCH] Allow ipa-getkeytab to find server name from config file

2015-11-24 Thread Simo Sorce
On Tue, 2015-11-24 at 09:14 +0100, Jan Cholasta wrote: > On 24.11.2015 09:06, Petr Spacek wrote: > > On 24.11.2015 07:32, Jan Cholasta wrote: > >> On 23.11.2015 21:18, Simo Sorce wrote: > >>> Fixes #2203 by reading the server name from /etc/ipa/default.conf if not > >>> provided on the command

Re: [Freeipa-devel] [PATCH] Allow ipa-getkeytab to find server name from config file

2015-11-24 Thread Jan Cholasta
On 24.11.2015 17:30, Simo Sorce wrote: On Tue, 2015-11-24 at 09:14 +0100, Jan Cholasta wrote: On 24.11.2015 09:06, Petr Spacek wrote: On 24.11.2015 07:32, Jan Cholasta wrote: On 23.11.2015 21:18, Simo Sorce wrote: Fixes #2203 by reading the server name from /etc/ipa/default.conf if not

Re: [Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-24 Thread Jan Cholasta
On 24.11.2015 17:17, Martin Babinsky wrote: On 11/24/2015 05:10 PM, Martin Babinsky wrote: On 11/24/2015 05:01 PM, Martin Babinsky wrote: On 11/24/2015 04:58 PM, Jan Cholasta wrote: On 24.11.2015 16:48, Martin Babinsky wrote: On 11/24/2015 04:44 PM, Martin Babinsky wrote:

Re: [Freeipa-devel] [PATCH 0358] ipa-getkeytab: do not return error if translations cannot be loaded

2015-11-24 Thread Martin Basti
On 24.11.2015 17:33, Jan Cholasta wrote: On 24.11.2015 16:52, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5483 Patch attached. Doesn't init_gettext() itself already print to stderr on failure? Nope

Re: [Freeipa-devel] [IPAQE][REVIEW-REQUEST][TEST PLAN] Replica promotion

2015-11-24 Thread Oleg Fayans
Hi Jenny, We have numerous tests checking the functionality of replicas. The tests are adapted to the new replica installation workflow (promotion), which means that there is presumably no need to create any additional tests. Our goal is to test the bits that were directly affected by the

Re: [Freeipa-devel] [PATCH] Allow ipa-getkeytab to find server name from config file

2015-11-24 Thread Simo Sorce
On Tue, 2015-11-24 at 17:34 +0100, Jan Cholasta wrote: > On 24.11.2015 17:30, Simo Sorce wrote: > > On Tue, 2015-11-24 at 09:14 +0100, Jan Cholasta wrote: > >> On 24.11.2015 09:06, Petr Spacek wrote: > >>> On 24.11.2015 07:32, Jan Cholasta wrote: > On 23.11.2015 21:18, Simo Sorce wrote: >

[Freeipa-devel] [PATCH 561] Catch up with upstream kerberos.ldif schema

2015-11-24 Thread Simo Sorce
Not much action here, but it will close a ticket (#2086) and get us on par with upstream. Simo. -- Simo Sorce * Red Hat, Inc * New York From 8e39277a86cf83a4008465533446c20493e63d59 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 24 Nov 2015 18:38:08 -0500 Subject:

Re: [Freeipa-devel] [PATCH] Allow ipa-getkeytab to find server name from config file

2015-11-24 Thread Petr Spacek
On 24.11.2015 07:32, Jan Cholasta wrote: > On 23.11.2015 21:18, Simo Sorce wrote: >> Fixes #2203 by reading the server name from /etc/ipa/default.conf if not >> provided on the command line. >> >> Simo. > > Just a thought: it would be nice if we had libipaconfig and used it everywhere > (the

Re: [Freeipa-devel] [PATCH] Allow ipa-getkeytab to find server name from config file

2015-11-24 Thread Jan Cholasta
On 24.11.2015 09:06, Petr Spacek wrote: On 24.11.2015 07:32, Jan Cholasta wrote: On 23.11.2015 21:18, Simo Sorce wrote: Fixes #2203 by reading the server name from /etc/ipa/default.conf if not provided on the command line. Simo. Just a thought: it would be nice if we had libipaconfig and

[Freeipa-devel] [PATCH 0067] ipa-client-install: add support for Ed25519 SSH keys (RFC 7479)

2015-11-24 Thread Petr Spacek
Hello, ipa-client-install: add support for Ed25519 SSH keys (RFC 7479) https://fedorahosted.org/freeipa/ticket/5471 -- Petr^2 Spacek

Re: [Freeipa-devel] [PATCH 0067] ipa-client-install: add support for Ed25519 SSH keys (RFC 7479)

2015-11-24 Thread Petr Spacek
On 24.11.2015 09:56, Petr Spacek wrote: > Hello, > > ipa-client-install: add support for Ed25519 SSH keys (RFC 7479) > > https://fedorahosted.org/freeipa/ticket/5471 > Once again ... -- Petr^2 Spacek From a5f14b8f3bc268fab031844414b2b689490c34a3 Mon Sep 17 00:00:00 2001 From: Petr Spacek

Re: [Freeipa-devel] [PATCH] 0044-0045 Add profiles and default CA ACL on migration

2015-11-24 Thread Jan Cholasta
On 24.11.2015 08:37, Fraser Tweedale wrote: On Mon, Nov 23, 2015 at 10:05:32AM +0100, Jan Cholasta wrote: On 23.11.2015 06:54, Fraser Tweedale wrote: Hi all, The attached patches fix #5459[1]: Default CA ACL rule is not created during ipa-replica-install. These patches apply on branch

Re: [Freeipa-devel] [PATCH 0350] raise time limit for ldapsearch in upgrade

2015-11-24 Thread Martin Basti
On 20.11.2015 09:00, Jan Cholasta wrote: On 19.11.2015 14:13, Jan Cholasta wrote: On 19.11.2015 14:09, Martin Babinsky wrote: On 11/19/2015 01:08 PM, Martin Basti wrote: On 18.11.2015 14:26, Martin Basti wrote: On 18.11.2015 14:24, Martin Kosek wrote: On 11/18/2015 02:18 PM, Martin

Re: [Freeipa-devel] [PATCH 0355-0365] Prevent using replica file with ipa-ca-install and domain

2015-11-24 Thread Petr Vobornik
On 11/24/2015 10:21 AM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5455 Patches attached. A question/proposal which Martin K. raises during triage, adding here so it won't be overlooked: """ Do we want to keep replica file as optional with DL or reject it? Maybe it could

Re: [Freeipa-devel] [PATCH 0385] replicainstall: Add possiblity to install client in one

2015-11-24 Thread Jan Cholasta
On 23.11.2015 16:43, Jan Cholasta wrote: Hi, On 23.11.2015 12:50, Tomas Babej wrote: Hi, this patch implements the single command replica promotion for #5310. Tomas https://fedorahosted.org/freeipa/ticket/5310 1) ensure_enrolled() should be called from promote_check() after the client

[Freeipa-devel] [PATCH 0355-0365] Prevent using replica file with ipa-ca-install and domain

2015-11-24 Thread Martin Basti
https://fedorahosted.org/freeipa/ticket/5455 Patches attached. From 5130ff9ed226e21a75f22fa1fa44bd28a40e5f79 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Thu, 19 Nov 2015 15:40:20 +0100 Subject: [PATCH 1/2] ipa-ca-install: error when replica file is passed with domain

Re: [Freeipa-devel] [PATCH 0355-0365] Prevent using replica file with ipa-ca-install and domain

2015-11-24 Thread Jan Cholasta
On 24.11.2015 10:33, Petr Vobornik wrote: On 11/24/2015 10:21 AM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5455 Patches attached. A question/proposal which Martin K. raises during triage, adding here so it won't be overlooked: """ Do we want to keep replica file as

Re: [Freeipa-devel] [IPAQE][REVIEW-REQUEST][TEST PLAN] Replica promotion

2015-11-24 Thread Jenny Severance
Hi, Is anyone providing feedback? At first glance (quick read through), it looks like it is just to see if commands work. Is there any functional followup testing after promotion to check if the replica is actually working. Object replication and authentication requests? Certificate

Re: [Freeipa-devel] [PATCH 0102] disconnect ldap2 backend after adding default CA ACL profiles

2015-11-24 Thread Tomas Babej
On 11/24/2015 03:26 PM, Martin Babinsky wrote: > This patch fixes the server/replica installer crash caused by leaking > ldap2 connection introduced by commit > 620036d26e98fdcefff00168e9e5463a8257d49c during fixing > https://fedorahosted.org/freeipa/ticket/5459 > > > ACK. Pushed to: master:

[Freeipa-devel] [PATCH 0102] disconnect ldap2 backend after adding default CA ACL profiles

2015-11-24 Thread Martin Babinsky
This patch fixes the server/replica installer crash caused by leaking ldap2 connection introduced by commit 620036d26e98fdcefff00168e9e5463a8257d49c during fixing https://fedorahosted.org/freeipa/ticket/5459 -- Martin^3 Babinsky From eb3cf31f741c137371a30f567dac8471ab5a9c83 Mon Sep 17

Re: [Freeipa-devel] [PATCH 0385] replicainstall: Add possiblity to install client in one

2015-11-24 Thread Tomas Babej
On 11/23/2015 04:43 PM, Jan Cholasta wrote: > Hi, > > On 23.11.2015 12:50, Tomas Babej wrote: >> Hi, >> >> this patch implements the single command replica promotion >> for #5310. >> >> Tomas >> >> https://fedorahosted.org/freeipa/ticket/5310 > > 1) ensure_enrolled() should be called from

Re: [Freeipa-devel] [PATCH] 928-936 webui: topology visualization

2015-11-24 Thread Petr Vobornik
On 11/24/2015 12:10 PM, Ludwig Krispenz wrote: Hi Petr, I'm testing these patches. Two observations so far: - in Topology->IPA Servers I see a table of my servers and the managed suffix column I see both suffixes, ipaca and the realm, but if I select one of the servers I only see the realm

Re: [Freeipa-devel] [PATCH] 928-936 webui: topology visualization

2015-11-24 Thread Ludwig Krispenz
Hi Petr, I'm testing these patches. Two observations so far: - in Topology->IPA Servers I see a table of my servers and the managed suffix column I see both suffixes, ipaca and the realm, but if I select one of the servers I only see the realm suffix, this was different in the demo video - the

[Freeipa-devel] [DRAFT] FreeIPA 4.1.5 release notes

2015-11-24 Thread Tomas Babej
Hello all, Given the numerous stabilization and Fedora bug fixes, we have agreed to release a new FreeIPA 4.1 for Fedora 22. I prepared the release notes on FreeIPA.org wiki: http://www.freeipa.org/page/Releases/4.1.5 Updates or improvements to release notes page welcome. Particularly if you

[Freeipa-devel] [PATCH 0357] Installer: force service-add during replica install

2015-11-24 Thread Martin Basti
https://fedorahosted.org/freeipa/ticket/5420 Patch attached. From 0194690a93b05905efc8573fe4e7523523509aa0 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 23 Nov 2015 16:11:04 +0100 Subject: [PATCH] Install: Force service add during replica promotion Replica does not

Re: [Freeipa-devel] [PATCH] 928-936 webui: topology visualization

2015-11-24 Thread Ludwig Krispenz
On 11/24/2015 12:17 PM, Petr Vobornik wrote: On 11/24/2015 12:10 PM, Ludwig Krispenz wrote: Hi Petr, I'm testing these patches. Two observations so far: - in Topology->IPA Servers I see a table of my servers and the managed suffix column I see both suffixes, ipaca and the realm, but if I

Re: [Freeipa-devel] [PATCH] 928-936 webui: topology visualization

2015-11-24 Thread Martin Babinsky
On 11/24/2015 12:17 PM, Petr Vobornik wrote: On 11/24/2015 12:10 PM, Ludwig Krispenz wrote: Hi Petr, I'm testing these patches. Two observations so far: - in Topology->IPA Servers I see a table of my servers and the managed suffix column I see both suffixes, ipaca and the realm, but if I select

Re: [Freeipa-devel] [PATCH] Allow ipa-getkeytab to find server name from config file

2015-11-24 Thread Simo Sorce
On Tue, 2015-11-24 at 07:32 +0100, Jan Cholasta wrote: > On 23.11.2015 21:18, Simo Sorce wrote: > > Fixes #2203 by reading the server name from /etc/ipa/default.conf if not > > provided on the command line. > > > > Simo. > > Just a thought: it would be nice if we had libipaconfig and used it >

Re: [Freeipa-devel] [PATCH] Allow ipa-getkeytab to find server name from config file

2015-11-24 Thread Rob Crittenden
Petr Spacek wrote: > On 24.11.2015 07:32, Jan Cholasta wrote: >> On 23.11.2015 21:18, Simo Sorce wrote: >>> Fixes #2203 by reading the server name from /etc/ipa/default.conf if not >>> provided on the command line. >>> >>> Simo. >> >> Just a thought: it would be nice if we had libipaconfig and

Re: [Freeipa-devel] [PATCH 507] install: drop support for Dogtag 9

2015-11-24 Thread David Kupka
On 10/11/15 09:52, Jan Cholasta wrote: On 10.11.2015 09:28, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Actually working patch attached. Hi, thanks for the patch. It works for me but needs trivial rebase. ACK when rebased. --

[Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-24 Thread Martin Babinsky
https://fedorahosted.org/freeipa/ticket/5459 -- Martin^3 Babinsky

Re: [Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-24 Thread Martin Babinsky
On 11/24/2015 04:44 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5459 forgot to attach the actual file *slaps himself* -- Martin^3 Babinsky From 3ca5e8348cf1448dd61a069dc4b01e2fdf7ed201 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Tue, 24

[Freeipa-devel] [PATCH 0358] ipa-getkeytab: do not return error if translations cannot be loaded

2015-11-24 Thread Martin Basti
https://fedorahosted.org/freeipa/ticket/5483 Patch attached. From 16fcbab598a7d2b18a9b6ad2f625ca912a26abfa Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 24 Nov 2015 16:45:00 +0100 Subject: [PATCH] ipa-getkeytab: do not return error when translations cannot be loaded

Re: [Freeipa-devel] [PATCH 0355-0365] Prevent using replica file with ipa-ca-install and domain

2015-11-24 Thread Jan Cholasta
On 24.11.2015 10:21, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5455 Patches attached. +def run(self): +self._run() Wouldn't it be better to rename _run() to run() instead? -- Jan Cholasta

Re: [Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-24 Thread Jan Cholasta
On 24.11.2015 16:48, Martin Babinsky wrote: On 11/24/2015 04:44 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5459 forgot to attach the actual file *slaps himself* ipaserver/install/cainstance.py:1849: [E1101(no-member), ensure_default_caacl] Instance of 'API' has no

Re: [Freeipa-devel] [PATCH 0104] do not disconnect when using existing connection to check default CA ACLs

2015-11-24 Thread Martin Babinsky
On 11/24/2015 04:58 PM, Jan Cholasta wrote: On 24.11.2015 16:48, Martin Babinsky wrote: On 11/24/2015 04:44 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5459 forgot to attach the actual file *slaps himself* ipaserver/install/cainstance.py:1849: [E1101(no-member),