Re: [Freeipa-devel] [PATCH 0070] install: Run all validators at once.

On 8.12.2015 07:51, David Kupka wrote: On 07/12/15 14:05, David Kupka wrote: Running validators after all Knobs are set allows use of other Knob value during validation. Updated patch attached. Works for me, ACK. Pushed to master: 2c5a662fd80f7152834dfebf45628d3a7b8a68bf -- Jan Cholasta

Re: [Freeipa-devel] [PATCH 0070] install: Run all validators at once.

On 07/12/15 14:05, David Kupka wrote: Running validators after all Knobs are set allows use of other Knob value during validation. Updated patch attached. -- David Kupka From 7f18ac0d8b78ea08ed797ceb9393c6b3121b734d Mon Sep 17 00:00:00 2001 From: David Kupka Date: Mon, 7

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

On 7.12.2015 16:43, Martin Kosek wrote: On 12/07/2015 02:17 PM, Tomas Babej wrote: On 12/04/2015 08:22 PM, Rob Crittenden wrote: Martin Kosek wrote: On 12/04/2015 07:17 PM, Tomas Babej wrote: Hi, Avoids failing in the later stages during the ipa-client-install command. Tomas Is this

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

On 7.12.2015 14:41, David Kupka wrote: > +def is_host_resolvable(fqdn): > +if not isinstance(fqdn, DNSName): > +fqdn = DNSName(fqdn) > +for rdtype in (rdatatype.A, rdatatype.): > +try: > +resolver.query(fqdn.make_absolute(), rdtype) > +except

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

On 12/08/2015 07:57 AM, Jan Cholasta wrote: > On 7.12.2015 16:43, Martin Kosek wrote: >> On 12/07/2015 02:17 PM, Tomas Babej wrote: >>> >>> >>> On 12/04/2015 08:22 PM, Rob Crittenden wrote: Martin Kosek wrote: > On 12/04/2015 07:17 PM, Tomas Babej wrote: >> Hi, >> >> Avoids

Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

On 7.12.2015 21:11, Martin Basti wrote: On 07.12.2015 08:21, Jan Cholasta wrote: On 2.12.2015 16:23, Jan Cholasta wrote: Hi, the attached patch fixes . Note that you still have to provide admin password in ipa-replica-install, either using

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

On 8.12.2015 08:23, Martin Kosek wrote: On 12/08/2015 07:57 AM, Jan Cholasta wrote: On 7.12.2015 16:43, Martin Kosek wrote: On 12/07/2015 02:17 PM, Tomas Babej wrote: On 12/04/2015 08:22 PM, Rob Crittenden wrote: Martin Kosek wrote: On 12/04/2015 07:17 PM, Tomas Babej wrote: Hi, Avoids

Re: [Freeipa-devel] You cannot specify '--admin-password' option(s) with replica file

On 12/07/2015 10:36 AM, Oleg Fayans wrote: > This is an error message that I received at the attempt to install > replica with the following command: > > ipa-replica-install --setup-ca -p -w > /var/lib/ipa/replica-info-replica2.justfor.test.gpg > > However, if I remove the '-w ', then I get

Re: [Freeipa-devel] [PATCH 0393] replicainstall: Admin password should not conflict with

On 12/07/2015 02:33 PM, Tomas Babej wrote: > Hi, > > The --admin-password (-w) has its use both in domain level 0 and 1. > > https://fedorahosted.org/freeipa/ticket/5517 > > > ACK. Pushed to master: dcb6626e870bcededb62d801720721d5d6c9795f -- Manage your subscription for the

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

Hi, On 12/07/2015 02:37 PM, Martin Basti wrote: > > > On 07.12.2015 14:32, Martin Basti wrote: >> >> >> On 07.12.2015 13:24, Oleg Fayans wrote: >>> Hi Martin, >>> >>> I would prefer both install_kra and install_ca methods to have >>> raiseonerr parameter set to True by default. We need a way to

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

On 12/07/2015 02:17 PM, Tomas Babej wrote: > > > On 12/04/2015 08:22 PM, Rob Crittenden wrote: >> Martin Kosek wrote: >>> On 12/04/2015 07:17 PM, Tomas Babej wrote: Hi, Avoids failing in the later stages during the ipa-client-install command. Tomas >>> >>> Is this

Re: [Freeipa-devel] [PATCH 0370] CI: test various topologies with 3 replicas

On 07.12.2015 15:55, Oleg Fayans wrote: ACK On 12/06/2015 10:01 PM, Martin Basti wrote: Patch attached, to work properly it requires all patches I sent today + workaround patch attached (Martin3 will provide proper fix). The last two test are failing due to bug in test framework

[Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

The patch fixes SELinux violations in Fedora 23. Background: Recent versions of cryptography cause SELinux violation which will lead to a segfault, see https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only occurs in the context of Apache HTTPD (FreeIPA web ui) when

Re: [Freeipa-devel] [PATCH] 0749 Package ipapython, ipalib, ipaplatform, ipatests for Python 3

On 2.12.2015 13:38, Petr Viktorin wrote: On 12/01/2015 02:37 PM, Jan Cholasta wrote: [...] /etc/ipa/default.conf is managed by freeipa-client and thus should be owned by it. This is a common pattern in other packages (even other FreeIPA sub-packages) and I don't see any reason not to follow

Re: [Freeipa-devel] You cannot specify '--admin-password' option(s) with replica file

Hi, On 12/07/2015 02:22 PM, Tomas Babej wrote: > > > On 12/07/2015 10:36 AM, Oleg Fayans wrote: >> This is an error message that I received at the attempt to install >> replica with the following command: >> >> ipa-replica-install --setup-ca -p -w >>

Re: [Freeipa-devel] [PATCH 0065]

Bump for review. On Mon, Nov 30, 2015 at 7:31 PM, Gabe Alford wrote: > Hello, > > Patch fix for the following tickets: > > https://fedorahosted.org/freeipa/ticket/5022 > https://fedorahosted.org/freeipa/ticket/5320 > > Thanks, > > Gabe > -- Manage your subscription for

Re: [Freeipa-devel] [PATCH 0364, 0367] ipa-kra-install: allow first KRA to be installed on replica

On 07.12.2015 14:32, Martin Babinsky wrote: On 11/30/2015 07:24 PM, Simo Sorce wrote: On Mon, 2015-11-30 at 19:22 +0100, Martin Basti wrote: On 30.11.2015 19:20, Simo Sorce wrote: On Mon, 2015-11-30 at 18:29 +0100, Martin Basti wrote: On 30.11.2015 14:16, Martin Babinsky wrote: On

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

On 12/07/2015 03:51 PM, Martin Basti wrote: > > > On 07.12.2015 15:49, Oleg Fayans wrote: >> Hi, >> >> On 12/07/2015 02:37 PM, Martin Basti wrote: >>> >>> On 07.12.2015 14:32, Martin Basti wrote: On 07.12.2015 13:24, Oleg Fayans wrote: > Hi Martin, > > I would prefer both

[Freeipa-devel] [PATCH 0393] replicainstall: Admin password should not conflict with

Hi, The --admin-password (-w) has its use both in domain level 0 and 1. https://fedorahosted.org/freeipa/ticket/5517 From 9f5a6c6b257955ccad03840090d1b8fd2463bf6d Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Mon, 7 Dec 2015 14:32:11 +0100 Subject: [PATCH] replicainstall:

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

On 07.12.2015 14:32, Martin Basti wrote: On 07.12.2015 13:24, Oleg Fayans wrote: Hi Martin, I would prefer both install_kra and install_ca methods to have raiseonerr parameter set to True by default. We need a way to test negatives and analyze results. Mine looks like this: def

Re: [Freeipa-devel] [PATCH 0370] CI: test various topologies with 3 replicas

ACK On 12/06/2015 10:01 PM, Martin Basti wrote: > Patch attached, to work properly it requires all patches I sent today + > workaround patch attached (Martin3 will provide proper fix). > > The last two test are failing due to bug in test framework > (ipa-replica-manage should not be used with

Re: [Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

On 2015-12-07 16:17, Alexander Bokovoy wrote: > On Mon, 07 Dec 2015, Christian Heimes wrote: >> The patch fixes SELinux violations in Fedora 23. >> >> Background: Recent versions of cryptography cause SELinux violation >> which will lead to a segfault, see >>

Re: [Freeipa-devel] [PATCH 0364, 0367] ipa-kra-install: allow first KRA to be installed on replica

On 12/02/2015 05:24 PM, Martin Basti wrote: On 02.12.2015 14:52, Martin Babinsky wrote: On 11/30/2015 06:29 PM, Martin Basti wrote: On 30.11.2015 14:16, Martin Babinsky wrote: On 11/27/2015 05:02 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5460 I tested just master,

Re: [Freeipa-devel] [PATCH] 0001 Refactor test_user_plugin

NACK. $ ./make-lint * Module ipatests.test_xmlrpc.test_user_plugin ipatests/test_xmlrpc/test_user_plugin.py:42: [E0611(no-name-in-module), ] No name 'ldaptracker' in module 'ipatests.test_xmlrpc') $ grep ldaptracker ipatests/test_xmlrpc/test_user_plugin.py from

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

On 07.12.2015 15:49, Oleg Fayans wrote: Hi, On 12/07/2015 02:37 PM, Martin Basti wrote: On 07.12.2015 14:32, Martin Basti wrote: On 07.12.2015 13:24, Oleg Fayans wrote: Hi Martin, I would prefer both install_kra and install_ca methods to have raiseonerr parameter set to True by default.

[Freeipa-devel] [PATCHES 516-517] spec file: put Python modules into standalone packages

Hi, the attached patches partially fix . This is done to allow the addition of Python 3 packages, see . See commit messages for more information. In order to test: 1.

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

On 07.12.2015 13:24, Oleg Fayans wrote: Hi Martin, I would prefer both install_kra and install_ca methods to have raiseonerr parameter set to True by default. We need a way to test negatives and analyze results. Mine looks like this: def install_kra(host, domain_level=None,

Re: [Freeipa-devel] [PATCH 0364, 0367] ipa-kra-install: allow first KRA to be installed on replica

On 11/30/2015 07:24 PM, Simo Sorce wrote: On Mon, 2015-11-30 at 19:22 +0100, Martin Basti wrote: On 30.11.2015 19:20, Simo Sorce wrote: On Mon, 2015-11-30 at 18:29 +0100, Martin Basti wrote: On 30.11.2015 14:16, Martin Babinsky wrote: On 11/27/2015 05:02 PM, Martin Basti wrote:

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

On 07/12/15 14:06, David Kupka wrote: On 09/09/15 13:39, Petr Spacek wrote: On 8.9.2015 16:30, David Kupka wrote: On 28/08/15 13:36, Martin Basti wrote: On 08/28/2015 10:03 AM, Petr Spacek wrote: On 27.8.2015 14:22, David Kupka wrote: @@ -2101,11 +2101,25 @@ class DNSZoneBase(LDAPObject):

Re: [Freeipa-devel] [PATCH 0065]

Yup you are right. I meant to bump the other one. > It is on my TODO list. Awesome. On Mon, Dec 7, 2015 at 7:20 AM, Martin Basti wrote: > > > On 07.12.2015 14:55, Gabe Alford wrote: > > Bump for review. > > On Mon, Nov 30, 2015 at 7:31 PM, Gabe Alford

Re: [Freeipa-devel] [PATCH] ca-less tests updated - POC

Anyone to review it guys? On 11/06/2015 02:04 PM, Oleg Fayans wrote: > Hi Jan, > > On 11/06/2015 09:01 AM, Jan Cholasta wrote: >> Actually it might be better to keep them, but fix them to expect >> ipa-server-certinstall to success. > > Done. Updated patch attached. > Also in the patch 0013 I

Re: [Freeipa-devel] [PATCH 0111] prevent crashes of server uninstall check caused by failed, 5 LDAP connections

On 12/04/2015 08:49 PM, Rob Crittenden wrote: Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5409 Should it also warn about the potential loss of the DNSSEC master? rob Probably, but that warrants a separate ticket IMHO. IIRC these checks are a part of replica deletion

Re: [Freeipa-devel] [PATCH 0026] Workarounds for SELinux execmem violations in cryptography

On Mon, 07 Dec 2015, Christian Heimes wrote: The patch fixes SELinux violations in Fedora 23. Background: Recent versions of cryptography cause SELinux violation which will lead to a segfault, see https://bugzilla.redhat.com/show_bug.cgi?id=1277224 . The segfault only occurs in the context of

Re: [Freeipa-devel] [PATCH 0002] Refactor test_group_plugin

On 12/03/2015 08:15 PM, Filip Škola wrote: On Mon, 30 Nov 2015 17:18:30 +0100 Milan Kubík wrote: On 11/23/2015 04:42 PM, Filip Škola wrote: Sending updated patch. F. On Mon, 23 Nov 2015 14:59:34 +0100 Filip Škola wrote: Found couple of issues (broke

Re: [Freeipa-devel] [PATCH 0369] Force creation of service during replica install

On 12/06/2015 09:45 PM, Martin Basti wrote: Replica install should not fail due a missing A record, if there are proper entries in hosts. Patch attached. ACK. -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list:

Re: [Freeipa-devel] [PATCH 0392] tests: Fix incorrect uninstall method invocation

On 12/07/2015 10:58 AM, Tomas Babej wrote: > Hi, > > this fixes: https://fedorahosted.org/freeipa/ticket/5516 > > Tomas > Pushed under oneliner rule: master: 5cb003f0b4b85dce47499f594c410b34b5c961e2 ipa-4-2: e5189ef6e23e4691f6c74541da5bc1a0b0f2e73f -- Manage your subscription for the

[Freeipa-devel] [PATCH 0112] CI tests: ignore disconnected domain level 1 topology on IPA master teardown

This patch should fix teardown methods in replication-related CI tests ran at non-zero domain level. -- Martin^3 Babinsky From 52919ed0237c4bf6fe5580a9d99af79661a9bf53 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Fri, 4 Dec 2015 18:24:31 +0100 Subject: [PATCH] CI

[Freeipa-devel] [PATCH 0392] tests: Fix incorrect uninstall method invocation

Hi, this fixes: https://fedorahosted.org/freeipa/ticket/5516 Tomas From efd1304be61c792c23c8e8560db6508c63fdd5e6 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Sat, 5 Dec 2015 16:54:04 +0100 Subject: [PATCH] tests: Fix incorrect uninstall method invocation

Re: [Freeipa-devel] [PATCH 0392] tests: Fix incorrect uninstall method invocation

Hi Tomaš, Could you please review my patch regarding caless tests. I's been on the list since ages. It contains this particular change together with a lot more of them. On 12/07/2015 10:59 AM, Tomas Babej wrote: > On 12/07/2015 10:58 AM, Tomas Babej wrote: >> Hi, >> >> this fixes:

[Freeipa-devel] You cannot specify '--admin-password' option(s) with replica file

This is an error message that I received at the attempt to install replica with the following command: ipa-replica-install --setup-ca -p -w /var/lib/ipa/replica-info-replica2.justfor.test.gpg However, if I remove the '-w ', then I get the password prompt for admin password interactively. The

Re: [Freeipa-devel] [PATCH 0112] CI tests: ignore disconnected domain level 1 topology on IPA master teardown

Hi Martin, CONFIGURED_DOMAIN_LEVEL is declared, but not used. The rest looks fine to me On 12/07/2015 11:05 AM, Martin Babinsky wrote: > This patch should fix teardown methods in replication-related CI tests > ran at non-zero domain level. > > > -- Oleg Fayans Quality Engineer FreeIPA team

Re: [Freeipa-devel] [PATCH 0004] Refactor test_attr

Now the tier marker have lost somewhere on the way... which is corrected in this patch. /me apologizes for the noise F. On Mon, 7 Dec 2015 13:00:41 +0100 Filip Škola wrote: > Self-NACK, resubmitting with the last commit which includes > UserTracker from the right

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

Hi Martin, I would prefer both install_kra and install_ca methods to have raiseonerr parameter set to True by default. We need a way to test negatives and analyze results. Mine looks like this: def install_kra(host, domain_level=None, first_instance=False, raiseonerr=True):

Re: [Freeipa-devel] [PATCH 0004] Refactor test_attr

Self-NACK, resubmitting with the last commit which includes UserTracker from the right location... F. On Fri, 4 Dec 2015 16:24:16 +0100 Filip Škola wrote: > Hi, > > sending a new version of test_attr. > > F. >From 786b0004f3793bb557b8c9b2b7e034784969da8e Mon Sep 17

[Freeipa-devel] [PATCH] bz 1288863 Fix minor typos

attached patch was attached to https://bugzilla.redhat.com/show_bug.cgi?id=1288863 ACK Pushed to master: 2180d5db8a8e99007c39466c19759a4b1bf098fa -- Petr Vobornik From 782d40bd434a57b88a72c53debf090f155b05fb9 Mon Sep 17 00:00:00 2001 From: Yuri Chornoivan Date: Sun, 6 Dec

Re: [Freeipa-devel] [PATCH 0112] CI tests: ignore disconnected domain level 1 topology on IPA master teardown

On 12/07/2015 12:07 PM, Oleg Fayans wrote: Hi Martin, CONFIGURED_DOMAIN_LEVEL is declared, but not used. The rest looks fine to me On 12/07/2015 11:05 AM, Martin Babinsky wrote: This patch should fix teardown methods in replication-related CI tests ran at non-zero domain level. Ah that

Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

On 12/07/2015 06:26 AM, Fraser Tweedale wrote: > The attached patch fixes > https://fedorahosted.org/freeipa/ticket/4970. > > Note that the problem is addressed by adding the appropriate request > extension to the CSR; the fix does not involve changing the default > profile behaviour, which is

Re: [Freeipa-devel] [PATCH 0392] tests: Fix incorrect uninstall method invocation

On (07/12/15 11:12), Oleg Fayans wrote: >Hi Tomaš, > >Could you please review my patch regarding caless tests. I's been on the >list since ages. It contains this particular change together with a lot >more of them. > We are used to sending "bump" mails on sssd-devel. It's better then sending mail

[Freeipa-devel] [PATCH 0070] install: Run all validators at once.

Running validators after all Knobs are set allows use of other Knob value during validation. -- David Kupka From b9a8ae178e770a4b84fc8d05d04218531642d3eb Mon Sep 17 00:00:00 2001 From: David Kupka Date: Mon, 7 Dec 2015 13:35:49 +0100 Subject: [PATCH] install: Run all

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

On 09/09/15 13:39, Petr Spacek wrote: On 8.9.2015 16:30, David Kupka wrote: On 28/08/15 13:36, Martin Basti wrote: On 08/28/2015 10:03 AM, Petr Spacek wrote: On 27.8.2015 14:22, David Kupka wrote: @@ -2101,11 +2101,25 @@ class DNSZoneBase(LDAPObject): class DNSZoneBase_add(LDAPCreate):

Re: [Freeipa-devel] [PATCH 0391] replicainstall: Add check for domain if server is specified

On 12/04/2015 08:22 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 12/04/2015 07:17 PM, Tomas Babej wrote: >>> Hi, >>> >>> Avoids failing in the later stages during the ipa-client-install >>> command. >>> >>> Tomas >> >> Is this change needed? Wouldn't it be better to update >>

Re: [Freeipa-devel] [PATCH 522] replica promotion: allow OTP bulk client enrollment

On 07.12.2015 08:21, Jan Cholasta wrote: On 2.12.2015 16:23, Jan Cholasta wrote: Hi, the attached patch fixes . Note that you still have to provide admin password in ipa-replica-install, either using --admin-password or interactively, because:

[Freeipa-devel] [PATCH 564] Implement pwd policy iteration in the kdb driver

Subject says it all. Tested via kadmin.local list_policies Ticket: 3015 Simo. -- Simo Sorce * Red Hat, Inc * New York From f3f6e6d1e80aa2cce042022c102d156998576545 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 7 Dec 2015 14:09:35 -0500 Subject: [PATCH] Implement pwd

Re: [Freeipa-devel] [PATCH 0372] CI: installation tests

On 07.12.2015 15:51, Oleg Fayans wrote: On 12/07/2015 03:51 PM, Martin Basti wrote: On 07.12.2015 15:49, Oleg Fayans wrote: Hi, On 12/07/2015 02:37 PM, Martin Basti wrote: On 07.12.2015 14:32, Martin Basti wrote: On 07.12.2015 13:24, Oleg Fayans wrote: Hi Martin, I would prefer both

Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote: > On 12/07/2015 06:26 AM, Fraser Tweedale wrote: > > The attached patch fixes > > https://fedorahosted.org/freeipa/ticket/4970. > > > > Note that the problem is addressed by adding the appropriate request > > extension to the CSR; the

Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

Fraser Tweedale wrote: > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote: >> On 12/07/2015 06:26 AM, Fraser Tweedale wrote: >>> The attached patch fixes >>> https://fedorahosted.org/freeipa/ticket/4970. >>> >>> Note that the problem is addressed by adding the appropriate request >>>

Re: [Freeipa-devel] [PATCH 0369] Force creation of service during replica install

On 07.12.2015 18:27, Martin Babinsky wrote: On 12/06/2015 09:45 PM, Martin Basti wrote: Replica install should not fail due a missing A record, if there are proper entries in hosts. Patch attached. ACK. Pushed to master: cac756b87d2eb521f038d0fb2ddb2a98569cf1af -- Manage your

Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

On Tue, Dec 08, 2015 at 08:46:39AM +1000, Fraser Tweedale wrote: > On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote: > > On 12/07/2015 06:26 AM, Fraser Tweedale wrote: > > > The attached patch fixes > > > https://fedorahosted.org/freeipa/ticket/4970. > > > > > > Note that the problem