[Freeipa-devel] [freeipa PR#746][edited] KDC proxy URI records

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
 Title: #746: KDC proxy URI records
Action: edited

 Changed field: body
Original value:
"""
Automatic creation of KDC proxy URI records

Enables creation of the following KDC proxy URL records for each replica:
```
_kerberos.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
```
Records are created for each replica in the topology, as KDC proxy is enabled
by default. (If KDC proxy is manually disabled, these records will be
created anyway.)

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337


### TODO
- [x] Add URI records for 88/UDP, 88/TCP with higher priority to keep clients asking the KDC directly first
- [ ] Add URI records for HTTPS only when KDC proxy is enabled on the server (requires updating server roles with a KDC proxy role attribute)
- [ ] Update release notes
- `Postponed`: Fix https://pagure.io/freeipa/issue/6906 to allow enrolling FreeIPA clients using the HTTPS KDC proxy
"""

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
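The record layout and priority rule described in the PR body above, as an added example that is not part of the PR or of FreeIPA: it builds the per-replica URI records (direct KDC over tcp/udp at priority 0, the HTTPS KDC proxy penalised by 10), renders and parses the zone-file form, and orders them the way an RFC 7553 client would, so the "direct KDC before proxy" property can be checked. It goes one step beyond the PR by optionally emitting proxy records only where the proxy is enabled (the open TODO); the domain, host names and weights are constructed.

```python
"""KDC discovery URI records as PR#746 generates them per replica.

Added example, not FreeIPA code: build, render, parse and order the
records as an RFC 7553 client would (lower priority value tried first).
"""
from collections import namedtuple

URIRecord = namedtuple("URIRecord", "name priority weight target")

# Mirrors IPA_DEFAULT_KDC_URI_REC / IPA_DEFAULT_KDCPROXY_URI_REC in the PR:
# (record name, target template); {server} is the replica host name.
KDC_URI_TEMPLATES = (
    ("_kerberos", "krb5srv:M:tcp:{server}"),
    ("_kerberos", "krb5srv:M:udp:{server}"),
    ("_kpasswd", "krb5srv:M:tcp:{server}"),
    ("_kpasswd", "krb5srv:M:udp:{server}"),
)
KDCPROXY_URI_TEMPLATES = (
    ("_kerberos", "krb5srv:M:kkdcp:https://{server}/KdcProxy"),
    ("_kpasswd", "krb5srv:M:kkdcp:https://{server}/KdcProxy"),
)
# A larger priority value is tried later, so the proxy records get +10
# and clients keep contacting the KDC directly over tcp/udp first.
KDCPROXY_PRIORITY_PENALIZATION = 10

# Constructed sample topology (host names and weights are made up).
REPLICAS = [
    {"hostname": "ipaserver.example.com", "weight": 100, "kdcproxy": True},
    {"hostname": "replica1.example.com", "weight": 50, "kdcproxy": False},
]


def build_uri_records(domain, replicas, proxy_only_if_enabled=False):
    """Return URI records for every replica (dicts with 'hostname',
    'weight', 'kdcproxy').  False reproduces the PR (proxy records for
    all replicas); True implements its TODO of emitting them only where
    the KDC proxy is enabled."""
    records = []
    for replica in replicas:
        host, weight = replica["hostname"], int(replica["weight"])
        for rname, tmpl in KDC_URI_TEMPLATES:
            records.append(URIRecord("%s.%s." % (rname, domain), 0, weight,
                                     tmpl.format(server=host)))
        if proxy_only_if_enabled and not replica.get("kdcproxy", True):
            continue
        for rname, tmpl in KDCPROXY_URI_TEMPLATES:
            records.append(URIRecord("%s.%s." % (rname, domain),
                                     KDCPROXY_PRIORITY_PENALIZATION, weight,
                                     tmpl.format(server=host)))
    return records


def to_zone_line(rec):
    """Render as '<name> IN URI <priority> <weight> "<target>"'."""
    return '%s IN URI %d %d "%s"' % (rec.name, rec.priority, rec.weight,
                                     rec.target)


def parse_zone_line(line):
    """Inverse of to_zone_line; the target is the quoted last field."""
    head, _, quoted = line.partition('"')
    target, _, rest = quoted.rpartition('"')
    fields = head.split()
    if rest.strip() or len(fields) != 5 or fields[1:3] != ["IN", "URI"]:
        raise ValueError("not a URI record: %r" % line)
    return URIRecord(fields[0], int(fields[3]), int(fields[4]), target)


def parse_krb5srv(target):
    """Split 'krb5srv:<flags>:<transport>:<residual>'.  The residual may
    itself contain ':' (an https:// URL or host:port), so only the first
    three separators are significant."""
    parts = target.split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        raise ValueError("not a krb5srv target: %r" % target)
    _, flags, transport, residual = parts
    if transport not in ("tcp", "udp", "kkdcp"):
        raise ValueError("unknown transport %r in %r" % (transport, target))
    return flags, transport, residual


def client_try_order(records, name):
    """Targets for `name` in the order a client tries them: ascending
    priority, then descending weight (a deterministic stand-in for the
    weighted-random pick RFC 7553 allows within one priority)."""
    mine = [r for r in records if r.name == name]
    mine.sort(key=lambda r: (r.priority, -r.weight, r.target))
    return [r.target for r in mine]


def direct_kdc_preferred(records, name):
    """True when every tcp/udp target sorts before any kkdcp target."""
    transports = [parse_krb5srv(t)[1] for t in client_try_order(records, name)]
    first_proxy = next((i for i, t in enumerate(transports) if t == "kkdcp"),
                       len(transports))
    return all(t == "kkdcp" for t in transports[first_proxy:])
```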

[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

MartinBasti commented:
"""
@simo5 not really a 4.5 material then
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/746#issuecomment-298039065

[Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
 Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
From 0c6e1bf34b92cfe5ff29b29843826181970bcff2 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 26 Apr 2017 18:49:47 +0200
Subject: [PATCH] Automatic creation of KDC URI records

Enables creation of the following records for each replica:

KDC URI records:
_kerberos.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kerberos.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"

KDC proxy URI records:
_kerberos.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

KDC URI records (tcp, udp) must have higher priority than KDC proxy
(https) to prefer direct communication with the KDC. Also there is a bug
that prevents ipa-client-install from enrolling a client using only the KDC
proxy in some cases (see https://pagure.io/freeipa/issue/6906).

All records are created for each replica in the topology, as KDC proxy is enabled
by default. (Please note that if KDC proxy is manually disabled, KDC Proxy records will be
created anyway.)

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337
---
 ipaserver/dns_data_management.py| 88 -
 ipatests/test_integration/test_dns_locations.py | 52 +++
 2 files changed, 138 insertions(+), 2 deletions(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index d4dc42e..0dbedde 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -37,6 +37,23 @@
 (DNSName(u'_kpasswd._udp'), 464),
 )
 
+IPA_DEFAULT_KDC_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kpasswd'), u'krb5srv:M:udp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:udp:{server}'),
+)
+
+# URI records for KDCProxy must have lower priority than for KDC, clients must
+# prefer to connect directly to KDC
+IPA_KDCPROXY_PRIORITY_PENALIZATION = 10
+IPA_DEFAULT_KDCPROXY_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+(DNSName(u'_kerberos'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+)
+
 IPA_DEFAULT_ADTRUST_SRV_REC = (
 # srv record name, port
 (DNSName(u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389),
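Review bot: the comment above IPA_KDCPROXY_PRIORITY_PENALIZATION says the KDC proxy records "must have lower priority than for KDC", but in a URI record the lower priority value is the one clients try first, so what the penalization actually does is give the proxy records a higher priority value (0 + 10) so they are tried after the direct tcp/udp records. Reword the comment to "must have a higher priority value than the KDC records (they are tried later)" so nobody later "fixes" the sign; the constant itself is right.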
@@ -127,6 +144,34 @@ def __add_srv_records(
 r_name, rdatatype.SRV, create=True)
 rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
 
+def __add_kdc_uri_records(
+self, zone_obj, hostname, rname_target_map,
+weight=100, priority=0, location=None
+):
+assert isinstance(hostname, DNSName)
+assert isinstance(priority, int)
+assert isinstance(weight, int)
+
+if location:
+suffix = self.__get_location_suffix(location)
+else:
+suffix = self.domain_abs
+
+for name, target in rname_target_map:
+rd = rdata.from_text(
+rdataclass.IN, rdatatype.URI,
+'{0} {1} {2}'.format(
+priority, weight,
+target.format(server=hostname.ToASCII())
+)
+)
+
+r_name = name.derelativize(suffix)
+
+rdataset = zone_obj.get_rdataset(
+r_name, rdatatype.URI, create=True)
+rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
+
 def __add_ca_records_from_hostname(self, zone_obj, hostname):
 assert isinstance(hostname, DNSName) and hostname.is_absolute()
 r_name = DNSName('ipa-ca') + self.domain_abs
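Review bot: __add_kdc_uri_records asserts the types of hostname, priority and weight but never documents that priority is the RFC 7553 value where lower is tried first, nor that rname_target_map entries are (DNSName, target template with {server}); add a short docstring. The https://{server}/KdcProxy target is built from hostname.ToASCII(), so whether a trailing dot ends up inside the URL depends on the caller passing a relative name (the hostname_rel below); asserting `not hostname.is_absolute()` next to the isinstance checks would make that contract explicit. The `# FIXME: use TTL from config` duplicates the one in __add_srv_records; one shared TTL constant would be better than a third copy.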
@@ -173,6 +218,7 @@ def _add_base_dns_records_for_server(
 else:
 eff_roles = server['roles']
 hostname_abs = DNSName(hostname).make_absolute()
+hostname_rel = DNSName(hostname)
 
 if include_kerberos_realm:
 self.__add_kerberos_txt_rec(zone_obj)
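Review bot: `hostname_rel = DNSName(hostname)` constructs the same name a second time right after `hostname_abs = DNSName(hostname).make_absolute()`; derive one from the other (`hostname_rel = DNSName(hostname)` followed by `hostname_abs = hostname_rel.make_absolute()`) so the two cannot drift apart.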
@@ -185,6 +231,21 @@ def _add_base_dns_records_for_server(
 IPA_DEFAULT_MASTER_SRV_REC,
 weight=server['weight']
 )
+self.__add_kdc_uri_records(
+zone_obj,
+hostname_rel,
+IPA_DEFAULT_KDC_URI_REC,
+weight=server['weight']
+)
+
+# FIXME: create KDC Proxy records only when KDC proxy is enabled
+ 
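Review bot: the trailing `# FIXME: create KDC Proxy records only when KDC proxy is enabled` means every replica advertises krb5srv:M:kkdcp:https://<replica>/KdcProxy even where the proxy was disabled by hand, so clients that fall through to the proxy will contact a server that does not serve /KdcProxy. Because the direct tcp/udp records sort first this only affects the fallback path, but it belongs in the release notes until the KDC proxy server role lands (both items are in the PR's TODO list). The hunk as archived ends at that FIXME, so the call that actually adds IPA_DEFAULT_KDCPROXY_URI_REC with the penalised priority is not visible here and cannot be reviewed from this mail.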

[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records

2017-04-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
We can probably defer.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/746#issuecomment-298087667

[Freeipa-devel] Blog post: Debugging FreeIPA 4.5 privilege separation code

2017-04-28 Thread Alexander Bokovoy

Hi,

Simo and I wrote an article on how to debug FreeIPA 4.5 privilege
separation code. It is not about debugging, in fact, but on where to
look for various types of logs and how to interpret them. The article
also provides a high level explanation of how privilege separation in
FreeIPA works and what it allows us to achieve.

You can read the article here: https://vda.li/en/docs/freeipa-debug-privsep/


--
/ Alexander Bokovoy



[Freeipa-devel] Automated Fedora update testing

2017-04-28 Thread Adam Williamson
Hi folks! I thought this might be of interest to the FreeIPA community,
so I thought I'd write it up here in case anyone missed it elsewhere.

I work on the Fedora QA team, and we have been using the openQA
automated test system (developed by our friends at SUSE) to run various
functional tests on Fedora composes for the last couple of years.

As FreeIPA is considered a critical part of Fedora Server, we run a few
tests that exercise FreeIPA. The tests set up a FreeIPA server, run
some basic checks on it, and also enrol two systems as clients of the
domain, one using the 'realm join' command directly, one using Cockpit.
The client tests do some basic client functionality testing (getent,
logging in as a domain user, changing passwords, etc.) and also test
the web UI to some extent.

Until recently we ran these tests only on Fedora's nightly development
release distribution composes. Recently, though, we deployed some
enhancements to our openQA setup that let us run tests on Fedora
distribution updates as well, and have the results made visible through
the Fedora update system (Bodhi). The tests are automatically run on
any critical path package, and as of today, they are also run on any
update containing any of a manually-tended list of FreeIPA-related
packages:

389-ds
389-ds-base
bind
bind-dyndb-ldap
certmonger
ding-libs
freeipa
krb5-server
pki-core
sssd
tomcat
cockpit

This means that for any Fedora update containing one of these or any
critical path package, Fedora's openQA FreeIPA tests should run, and
you should see the results in the Fedora update system (Bodhi). You can
see the results in Bodhi by clicking the Automated Updates tab for any
update. For instance, here's a recent 389-ds-base update for Fedora 26:

https://bodhi.fedoraproject.org/updates/FEDORA-2017-15e2a038b2

If you look at the Automated Tests tab, you can see passes for:

update.server_role_deploy_domain_controller
update.realmd_join_cockpit
update.realmd_join_sssd

indicating that this update didn't cause any problems for FreeIPA.
Clicking on any test result will take you to the openQA page for the
test, where you can diagnose failures and so on (explaining how to do
this is a bit beyond the scope of this mail, please do ask me if you're
interested!)

I hope this stuff will help us avoid shipping updates that break
FreeIPA (and other key components). If you have any questions,
concerns, comments, or suggestions, please do ask!

To anticipate one question: you can cause *all* the tests for an update
to be re-run by editing the update in any way (you don't have to change
the package loadout, just changing a single character in the
description or something will do). If you think just one test result is
bogus and want it re-run, currently, you'll have to ask someone with
the necessary power - either me or Jan Sedlak (garretraziel on IRC).
I'm in North America and he's in Europe, so we should have most
timezones covered between us. We're hoping to set up a better mechanism
for this in future.

Note, if you're interested in the results for the nightly Fedora
distribution composes, an email summary of the results for those is
sent each time they're run to the Fedora test@ and devel@ lists, look
for mails with "compose check report" in the subject. Any time any of
the FreeIPA tests fails, the failure will be listed in the mail (passed
tests are not specifically listed, just a count of them). I usually
keep an eye on those results and analyze failures and file bugs,
though.
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net



[Freeipa-devel] [freeipa PR#738][+rejected] restore: restart gssproxy after restore

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/738
Title: #738: restore: restart gssproxy after restore

Label: +rejected

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-04-28 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 96447296da8dd4ee565d9b5dcf5991e160e87091 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH 1/2] Turn on NSSOCSP check in mod_nss conf

Turn on the NSSOCSP directive during install/replica install/upgrade.
That checks whether the certificate used for login is
revoked or not, using OCSP.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 19 +++
 ipaserver/install/server/upgrade.py   | 24 
 4 files changed, 57 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbc67cb..9077734 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -306,6 +306,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
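Review bot: `Requires: python-augeas` is added with no version bound, while the neighbouring gssproxy and sssd-dbus lines pin a minimum with a comment saying why; enable_mod_nss_ocsp relies on renaming #comment nodes and on regexp() predicates in the Httpd lens, so pin the oldest python-augeas/augeas known to support that and note the reason the same way.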
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
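Review bot: the new block in _main() runs before the existing `try:` and outside any error handling, so a failure in api.bootstrap(), get_directive() or trust_root_cert() now aborts the certmonger restart helper before httpd is restarted and before anything reaches syslog; move it inside the try or wrap it so a trust-flag problem is logged and the restart still proceeds. Also state in the comment why 'P,,' is deliberate: marking the server's own certificate as a trusted peer lets mod_nss accept it without the chain/OCSP check that NSSOCSP would otherwise demand at startup (the chicken-and-egg case from the commit message); that justification belongs next to the code, not only in the commit. Minor: "Add trust flag which set certificate trusted for SSL connections" should read "Add the trust flag that marks the certificate trusted for SSL connections".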
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..90f918b 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+import augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,6 +265,20 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lens')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
+
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), 'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
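Review bot: `augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)` uses `Augeas` as a bare name, but only the `augeas` module is imported above, so this line raises NameError; it should be `augeas.Augeas.NO_LOAD | augeas.Augeas.NO_MODL_AUTOLOAD`. Second, the set(#comment[.=~regexp("NSSOCSP .*")]) -> rename -> set(arg) sequence only works while nss.conf still carries the commented-out NSSOCSP line: on a file where the directive is already present (re-running the upgrade step, or an admin who enabled it by hand) the predicate matches nothing and aug.set() fails instead of being a no-op, so check for an existing `directive[. = "NSSOCSP"]` first and make the step idempotent. Finally, call aug.close() (or use try/finally) so the Augeas tree is released after save().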
@@ -369,6 +385,7 @@ def __setup_ssl(self):
   create=True)
 self.disable_system_trust()
 self.create_password_conf()
+
 if self.pkcs12_info:
 if self.ca_is_configured:
 trust_flags = 'CT,C,C'
@@ -393,6 +410,8 @@ def __setup_ssl(self):
 self.__set_mod_nss_nickname(nickname)
 self.add_cert_to_service()
 
+db.trust_root_cert(nickname, "P,,")
+
 else:
 if not self.promote:
 ca_args = [
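Review bot: `db.trust_root_cert(nickname, "P,,")` here duplicates the same call in restart_httpd and applies 'P,,' only on the pkcs12_info branch of __setup_ssl (externally supplied certificate); if the intent is that every httpd server certificate, IPA-CA-issued ones included, gets the peer-trust flag so the OCSP check at startup cannot deadlock, the `else:` branch needs the same treatment, and the two call sites should share one helper so the flag string cannot drift.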
diff --git a/ipaserver/install/server/upgrade.py 

[Freeipa-devel] [freeipa PR#747][closed] vault: piped input for ipa vault-add fails

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/747
Author: flo-renaud
 Title: #747: vault: piped input for ipa vault-add fails
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/747/head:pr747
git checkout pr747

[Freeipa-devel] [freeipa PR#747][+pushed] vault: piped input for ipa vault-add fails

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

Label: +pushed

[Freeipa-devel] [freeipa PR#735][+ack] automount install: do not wait for sssd restart on uninstallation

2017-04-28 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/735
Title: #735: automount install: do not wait for sssd restart on uninstallation

Label: +ack

[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

MartinBasti commented:
"""
master:

* d5c41ed4ad370c7d74296a830993a5bd3fd32e5f vault: piped input for ipa vault-add 
fails


ipa-4-5:

* c8ca0f89a68b5d57c56344fdeb12fd436976c726 vault: piped input for ipa vault-add 
fails


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/747#issuecomment-297973494

[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes

2017-04-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

stlaz commented:
"""
For the record - the tests are passing on my machine, something is not right here.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/741#issuecomment-297969953

[Freeipa-devel] [freeipa PR#733][synchronized] [4.5] Fix CA/server cert validation in FIPS

2017-04-28 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/733
Author: stlaz
 Title: #733: [4.5] Fix CA/server cert validation in FIPS
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/733/head:pr733
git checkout pr733
From 906c2010d594cc7a0e74f7ef80f41ed00581979f Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Wed, 26 Apr 2017 08:19:27 +0200
Subject: [PATCH] Fix CA/server cert validation in FIPS

In FIPS, the NSS library needs to be passed passwords to perform
certificate validation. Should we not have passed them, and the NSS
guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE,
which is a completely different error than one would expect, but
that's just how things are with NSS right now.

https://pagure.io/freeipa/issue/6897
---
 ipapython/certdb.py | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index 0665f94..ea73ec1 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0):
 return (cert, e)
 
 
+def get_file_cont(slot, token, filename):
+with open(filename) as f:
+return f.read()
+
+
 class NSSDatabase(object):
 """A general-purpose wrapper around a NSS cert database
 
@@ -547,12 +552,14 @@ def verify_server_cert_validity(self, nickname, hostname):
 if nss.nss_is_initialized():
 nss.nss_shutdown()
 nss.nss_init(self.secdir)
+nss.set_password_callback(get_file_cont)
 try:
 certdb = nss.get_default_certdb()
 cert = nss.find_cert_from_nickname(nickname)
 intended_usage = nss.certificateUsageSSLServer
 try:
-approved_usage = cert.verify_now(certdb, True, intended_usage)
+approved_usage = cert.verify_now(certdb, True, intended_usage,
+ self.pwd_file)
 except NSPRError as e:
 if e.errno != -8102:
 raise ValueError(e.strerror)
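Review bot: self.pwd_file is passed straight through as the callback's user_data; for an NSSDatabase created without a password file it is None and get_file_cont fails with TypeError inside the callback. Guard with `if self.pwd_file is None` (raise a clear ValueError, or skip set_password_callback) so the FIPS path fails with an explicit message. The same init + set_password_callback + verify_now sequence is repeated in verify_ca_cert_validity below; factor it into one helper rather than maintaining it twice.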
@@ -572,6 +579,7 @@ def verify_ca_cert_validity(self, nickname):
 if nss.nss_is_initialized():
 nss.nss_shutdown()
 nss.nss_init(self.secdir)
+nss.set_password_callback(get_file_cont)
 try:
 certdb = nss.get_default_certdb()
 cert = nss.find_cert_from_nickname(nickname)
@@ -586,7 +594,8 @@ def verify_ca_cert_validity(self, nickname):
 raise ValueError("not a CA certificate")
 intended_usage = nss.certificateUsageSSLCA
 try:
-approved_usage = cert.verify_now(certdb, True, intended_usage)
+approved_usage = cert.verify_now(certdb, True, intended_usage,
+ self.pwd_file)
 except NSPRError as e:
 if e.errno != -8102:# SEC_ERROR_INADEQUATE_KEY_USAGE
 raise ValueError(e.strerror)

[Freeipa-devel] [freeipa PR#735][closed] automount install: do not wait for sssd restart on uninstallation

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/735
Author: pvoborni
 Title: #735: automount install: do not wait for sssd restart on uninstallation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/735/head:pr735
git checkout pr735

[Freeipa-devel] [freeipa PR#735][+pushed] automount install: do not wait for sssd restart on uninstallation

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/735
Title: #735: automount install: do not wait for sssd restart on uninstallation

Label: +pushed

[Freeipa-devel] [freeipa PR#735][comment] automount install: do not wait for sssd restart on uninstallation

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/735
Title: #735: automount install: do not wait for sssd restart on uninstallation

MartinBasti commented:
"""
master:

* b4e447fa6fc7d659ae6a3b6285d4ddda0baa0be4 automount install: fix checking of 
SSSD functionality on uninstall


ipa-4-5:

* ff513d6b20ee0a2ca90b06b8c114386f1e5751d9 automount install: fix checking of 
SSSD functionality on uninstall


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/735#issuecomment-297977040

[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

pvoborni commented:
"""
Obsoletes PR #738 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/748#issuecomment-297962322

[Freeipa-devel] [freeipa PR#738][closed] restore: restart gssproxy after restore

2017-04-28 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/738
Author: pvoborni
 Title: #738: restore: restart gssproxy after restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/738/head:pr738
git checkout pr738

[Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/738
Title: #738: restore: restart gssproxy after restore

pvoborni commented:
"""
PR #748 obsoletes this one - this PR was created badly and so I cannot force 
update it. New one uses reload-or-restart
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/738#issuecomment-297962651

[Freeipa-devel] [freeipa PR#748][opened] restore: restart/reload gssproxy after restore

2017-04-28 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/748
Author: pvoborni
 Title: #748: restore: restart/reload gssproxy after restore
Action: opened

PR body:
"""
So that gssproxy picks up the new configuration and therefore related
uses, such as authentication of the CLI against the server, work

https://pagure.io/freeipa/issue/6902
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/748/head:pr748
git checkout pr748
From d49d50c8af896425f5c63950edde08bd88dbb46f Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Wed, 26 Apr 2017 18:47:53 +0200
Subject: [PATCH] restore: restart/reload gssproxy after restore

So that gssproxy picks up the new configuration and therefore related
uses, such as authentication of the CLI against the server, work

https://pagure.io/freeipa/issue/6902
---
 ipaplatform/base/services.py | 21 ++---
 ipaserver/install/ipa_restore.py |  3 +++
 2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 068b972..fca6298 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -154,6 +154,10 @@ def stop(self, instance_name="", capture_output=True,
 
 return
 
+def reload_or_restart(self, instance_name="", capture_output=True,
+  wait=True):
+return
+
 def restart(self, instance_name="", capture_output=True, wait=True):
 return
 
@@ -298,14 +302,25 @@ def start(self, instance_name="", capture_output=True, wait=True):
 instance_name,
 update_service_list=update_service_list)
 
-def restart(self, instance_name="", capture_output=True, wait=True):
-ipautil.run([paths.SYSTEMCTL, "restart",
- self.service_instance(instance_name)],
+def _restart_base(self, instance_name, operation, capture_output=True,
+  wait=False):
+
+ipautil.run([paths.SYSTEMCTL, operation,
+self.service_instance(instance_name)],
 skip_output=not capture_output)
 
 if wait and self.is_running(instance_name):
 self.wait_for_open_ports(self.service_instance(instance_name))
 
+def reload_or_restart(self, instance_name="", capture_output=True,
+  wait=True):
+self._restart_base(instance_name, "reload-or-restart",
+   capture_output, wait)
+
+def restart(self, instance_name="", capture_output=True, wait=True):
+self._restart_base(instance_name, "restart",
+   capture_output, wait)
+
 def is_running(self, instance_name="", wait=True):
 instance = self.service_instance(instance_name, 'is-active')
 
diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 378c013..96fc493 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -401,6 +401,9 @@ def run(self):
 services.knownservices.pki_tomcatd.enable()
 services.knownservices.pki_tomcatd.disable()
 
+self.log.info('Restarting GSS-proxy')
+gssproxy = services.service('gssproxy', api)
+gssproxy.reload_or_restart()
 self.log.info('Starting IPA services')
 run(['ipactl', 'start'])
 self.log.info('Restarting SSSD')
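Review bot: the log line says 'Restarting GSS-proxy' but reload_or_restart may only reload, and `systemctl reload-or-restart` also starts the unit when it is not running (which is what a restore wants here); say 'Reloading or restarting GSS-proxy' so the log matches what happens. Worth a comment that this must precede `ipactl start` because the services started next authenticate through gssproxy (the CLI-against-server case from the commit message).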

[Freeipa-devel] [freeipa PR#749][opened] Added plugins directory to python2-ipaclient subpackage

2017-04-28 Thread olivergs
   URL: https://github.com/freeipa/freeipa/pull/749
Author: olivergs
 Title: #749: Added plugins directory to python2-ipaclient subpackage
Action: opened

PR body:
"""
The subpackage does not own that directory, which could create conflicts if a plugin
creates it on its own
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/749/head:pr749
git checkout pr749
From 90e8eba2f1f3f40f3ffc1a557f6278d2dfe0f4e7 Mon Sep 17 00:00:00 2001
From: Oliver Gutierrez 
Date: Fri, 28 Apr 2017 15:21:49 +0100
Subject: [PATCH] Added plugins directory to python2-ipaclient subpackage

The subpackage does not own that directory, which could create conflicts if a plugin
creates it on its own

---
 freeipa.spec.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ee9a36b..ada60d4 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -1402,6 +1402,7 @@ fi
 %doc README.md Contributors.txt
 %license COPYING
 %dir %{python_sitelib}/ipaclient
+%dir %{python_sitelib}/ipaclient/plugins
 %{python_sitelib}/ipaclient/*.py*
 %{python_sitelib}/ipaclient/install/*.py*
 %{python_sitelib}/ipaclient/plugins/*.py*
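Review bot: adding `%dir %{python_sitelib}/ipaclient/plugins` makes the package own the directory, so an out-of-tree plugin dropping its own module there no longer conflicts and an empty directory is cleaned up on uninstall; if the spec has a corresponding python3 ipaclient subpackage that lists `ipaclient/plugins/*.py*`, it needs the same `%dir` line (not visible in this hunk).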

Re: [Freeipa-devel] "blocker" tag for pull request

2017-04-28 Thread Tomas Krizek
On 04/28/2017 10:15 AM, Petr Vobornik wrote:
> Hi all,
>
> I created "blocker" tag for FreeIPA Git Hub PRs.
>
> It should be used to mark PRs which solve test blockers or other
> functional blockers - e.g. one that blocks creation of a demo. I.e. it should be
> used rather rarely.
>
> I don't like the tag name, but I couldn't find better.
I think we could use the name "high-priority". It could have other uses
besides marking a blocker, e.g. requesting prompt execution of tests in
PR CI.
>
> Note: blocker priority in pagure doesn't imply blocker tag in PR. But
> testblocker tag in pagure does. Actually I'm thinking about changing
> Pagure priority names to: "highest, high, medium, low, patchwelcome"
>
+1, but I'd prefer "critical" instead of "highest"

-- 
Tomas Krizek

PGP: 4A8B A48C 2AED 933B D495  C509 A1FB A5F7 EF8C 4869


[Freeipa-devel] [freeipa PR#733][comment] [4.5] Fix CA/server cert validation in FIPS

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/733
Title: #733: [4.5] Fix CA/server cert validation in FIPS

MartinBasti commented:
"""
ipa-4-5:

* 651d132b701b773b2bbeb41496d6c5ddbf6d19b3 Fix CA/server cert validation in FIPS


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/733#issuecomment-297982146

[Freeipa-devel] [freeipa PR#733][closed] [4.5] Fix CA/server cert validation in FIPS

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/733
Author: stlaz
 Title: #733: [4.5] Fix CA/server cert validation in FIPS
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/733/head:pr733
git checkout pr733

[Freeipa-devel] [freeipa PR#733][+pushed] [4.5] Fix CA/server cert validation in FIPS

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/733
Title: #733: [4.5] Fix CA/server cert validation in FIPS

Label: +pushed

[Freeipa-devel] [freeipa PR#732][+postponed] ipa-custodia: use Dogtag's alias/pwdfile.txt

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/732
Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt

Label: +postponed

[Freeipa-devel] [freeipa PR#744][closed] [4.5] Correct PyPI package dependencies

2017-04-28 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/744
Author: tiran
 Title: #744: [4.5] Correct PyPI package dependencies
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/744/head:pr744
git checkout pr744

[Freeipa-devel] [freeipa PR#744][+pushed] [4.5] Correct PyPI package dependencies

2017-04-28 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/744
Title: #744: [4.5] Correct PyPI package dependencies

Label: +pushed

[Freeipa-devel] [freeipa PR#744][comment] [4.5] Correct PyPI package dependencies

2017-04-28 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/744
Title: #744: [4.5] Correct PyPI package dependencies

tomaskrizek commented:
"""
ipa-4-5:

* b91ee1294bb3139f3d9df62c75dd429a5821bf40 Correct PyPI package dependencies


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/744#issuecomment-297991379

[Freeipa-devel] [freeipa PR#732][comment] ipa-custodia: use Dogtag's alias/pwdfile.txt

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/732
Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt

MartinBasti commented:
"""
Postponing, ticket milestone is 4.7
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/732#issuecomment-297988800

[Freeipa-devel] [freeipa PR#744][+ack] [4.5] Correct PyPI package dependencies

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/744
Title: #744: [4.5] Correct PyPI package dependencies

Label: +ack

[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore

2017-04-28 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

tomaskrizek commented:
"""
Ok, everything looks good then.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/748#issuecomment-297990127

[Freeipa-devel] [freeipa PR#748][closed] restore: restart/reload gssproxy after restore

2017-04-28 Thread tomaskrizek
   URL: https://github.com/freeipa/freeipa/pull/748
Author: pvoborni
 Title: #748: restore: restart/reload gssproxy after restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/748/head:pr748
git checkout pr748

[Freeipa-devel] [freeipa PR#748][+pushed] restore: restart/reload gssproxy after restore

2017-04-28 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

Label: +pushed

[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore

2017-04-28 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

tomaskrizek commented:
"""
How is this patch going to work for Debian? Shouldn't we also implement 
`reload_or_restart` for `DebianSysvService`?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/748#issuecomment-297980381

[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf

2017-04-28 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/729
Author: pvomacka
 Title: #729: Turn on NSSOCSP check in mod_nss conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/729/head:pr729
git checkout pr729
From 2da6692288d276e199f3d4d92a69fd59f31ff138 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 6 Apr 2017 16:15:47 +0200
Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf

Turn on NSSOCSP directive during install/replica install/upgrade.
That checks whether the certificate which is used for login is
revoked or not using OCSP.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370
---
 freeipa.spec.in   |  1 +
 install/restart_scripts/restart_httpd | 14 +-
 ipaserver/install/httpinstance.py | 30 ++
 ipaserver/install/server/upgrade.py   | 24 
 4 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index fbc67cb..9077734 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -306,6 +306,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
+Requires: python-augeas
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
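Review bot: the new `Requires: python-augeas` carries no version bound, unlike the neighbouring `gssproxy >= 0.7.0-2` and `sssd-dbus >= 1.15.2` lines, yet `enable_mod_nss_ocsp` later in this patch calls `aug.rename()`, which older python-augeas releases lack. Add a minimum version with a one-line comment naming the reason (as the sssd-dbus line does), and if the server package is also built for python3, the `python3-augeas` counterpart is needed too.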
diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd
index d168481..b661b82 100644
--- a/install/restart_scripts/restart_httpd
+++ b/install/restart_scripts/restart_httpd
@@ -21,11 +21,23 @@
 
 import syslog
 import traceback
+from ipalib import api
 from ipaplatform import services
-from ipaserver.install import certs
+from ipaplatform.paths import paths
+from ipaserver.install import certs, installutils
 
 
 def _main():
+
+api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
+api.finalize()
+
+db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR)
+nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")
+
+# Add trust flag which set certificate trusted for SSL connections.
+db.trust_root_cert(nickname, "P,,")
+
 syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd')
 
 try:
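Review bot: `installutils.get_directive()` can return `None` when `NSSNickname` is absent from nss.conf, and `db.trust_root_cert(None, "P,,")` would then fail before `syslog.syslog(...)` records the restart; guard the lookup and skip (with a syslog line) when no nickname is found. On the same hunk, `trust_root_cert` is being applied to the server certificate rather than a CA, so the chicken-and-egg reason from the commit message belongs in a comment next to the `"P,,"` call, otherwise a later reader may "fix" it; and since this script now runs `api.bootstrap()`/`api.finalize()` on every certmonger-triggered restart, please confirm the surrounding `try:` covers failures in that step so a broken API config does not leave httpd down.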
diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index aeb5c5e..f291580 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -29,6 +29,7 @@
 import locale
 
 import six
+from augeas import Augeas
 
 from ipalib.constants import IPAAPI_USER
 from ipalib.install import certmonger
@@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None,
   self.set_mod_nss_protocol)
 self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile)
 self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate)
+self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp)
 self.step("adding URL rewriting rules", self.__add_include)
 self.step("configuring httpd", self.__configure_http)
 self.step("setting up httpd keytab", self.request_service_keytab)
@@ -263,6 +265,31 @@ def enable_mod_nss_renegotiate(self):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
+def enable_mod_nss_ocsp(self):
+aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)
+
+aug.set('/augeas/load/Httpd/lens', 'Httpd.lens')
+aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF)
+aug.load()
+
+path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')
+
+ocsp_comment = aug.get(
+'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path))
+ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path))
+
+if ocsp_dir is None and ocsp_comment is not None:
+# Directive is missing, comment is present
+aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path),
+'NSSOCSP')
+aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive')
+elif ocsp_dir is None:
+# Directive is missing and comment is missing
+aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP")
+
+aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on')
+aug.save()
+
 def set_mod_nss_cipher_suite(self):
 ciphers = ','.join(NSS_CIPHER_SUITE)
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False)
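Review bot: `aug.get()` is defined for a path matching at most one node, so both `'{}/#comment[.=~regexp("NSSOCSP .*")]'` and the unindexed `VirtualHost` path fail on a nss.conf with two matching comments or two `VirtualHost` blocks instead of degrading gracefully; use `aug.match()` and handle zero, one and many explicitly. The regexp also turns any comment whose text starts with `NSSOCSP ` into a live directive, including explanatory comment text, not only a commented-out `#NSSOCSP off`; anchor it as `NSSOCSP (on|off)` or similar. Finally, this method edits nss.conf through Augeas while the neighbouring methods use `installutils.set_directive` on the same file; a short comment on why the different mechanism is needed here (directive present only as a comment) would help maintainers.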
@@ -369,6 +396,7 @@ def __setup_ssl(self):
   create=True)
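A post-install check for what this commit message describes, written here as an added example and not part of FreeIPA or of the patch: it parses an nss.conf VirtualHost for the effective `NSSOCSP` setting (ignoring the commented-out form the Augeas code converts) and reads the SSL trust column of a `certutil -L` listing to confirm the serving certificate carries the `P` (trusted peer) flag. The nss.conf text and the certutil listing are constructed samples, and the nickname `Server-Cert` is an assumption; FreeIPA's real value comes from `NSSNickname`.

```python
import re

# An active (uncommented) Apache-style directive: NAME then its arguments.
DIRECTIVE_RE = re.compile(r'^(?P<name>[A-Za-z][A-Za-z0-9]*)\s+(?P<args>.*?)\s*$')


def _vhost_directives(nss_conf_text):
    """Yield (name, args) for active directives inside the first <VirtualHost>.
    Comment lines, including a commented-out '#NSSOCSP off', are ignored."""
    in_vhost = False
    for raw in nss_conf_text.splitlines():
        line = raw.strip()
        low = line.lower()
        if low.startswith("<virtualhost"):
            in_vhost = True
            continue
        if low.startswith("</virtualhost"):
            break
        if not in_vhost or not line or line.startswith("#"):
            continue
        m = DIRECTIVE_RE.match(line)
        if m:
            yield m.group("name"), m.group("args")


def effective_nssocsp(nss_conf_text):
    """'on'/'off' from the last active NSSOCSP directive in the VirtualHost,
    None when the directive is absent or present only as a comment."""
    state = None
    for name, args in _vhost_directives(nss_conf_text):
        if name == "NSSOCSP":
            state = args.strip().lower()  # last occurrence wins, as in httpd
    return state


def nss_nickname(nss_conf_text):
    """The NSSNickname the VirtualHost serves with, or None."""
    for name, args in _vhost_directives(nss_conf_text):
        if name == "NSSNickname":
            return args.strip()
    return None


def ssl_trust_flags(certutil_listing, nickname):
    """SSL trust flags for `nickname` from `certutil -L` output (first of the
    three comma-separated trust columns), or None if the nickname is absent."""
    for line in certutil_listing.splitlines():
        cols = re.split(r"\s{2,}", line.rstrip())
        if len(cols) >= 2 and cols[0] == nickname:
            return cols[-1].split(",")[0]
    return None


def ocsp_ready(nss_conf_text, certutil_listing):
    """True only when OCSP checking is on and the serving cert carries the 'P'
    (trusted peer) SSL flag that lets httpd start before the responder is up."""
    if effective_nssocsp(nss_conf_text) != "on":
        return False
    nick = nss_nickname(nss_conf_text)
    flags = ssl_trust_flags(certutil_listing, nick) if nick else None
    return bool(flags) and "P" in flags


# Constructed samples (not captured from a real system); 'Server-Cert' is an
# assumed nickname.
NSS_CONF_BEFORE = """\
<VirtualHost _default_:443>
NSSEngine on
NSSNickname Server-Cert
#   OCSP checking of client certificates
#NSSOCSP off
</VirtualHost>
"""
NSS_CONF_AFTER = NSS_CONF_BEFORE.replace("#NSSOCSP off", "NSSOCSP on")

CERTUTIL_BEFORE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
"""
# After `certutil -M -t "P,," -n Server-Cert` the SSL column gains the P flag.
CERTUTIL_AFTER = CERTUTIL_BEFORE.replace(" u,u,u", "Pu,u,u")

if __name__ == "__main__":
    print("before:", ocsp_ready(NSS_CONF_BEFORE, CERTUTIL_BEFORE))
    print("after: ", ocsp_ready(NSS_CONF_AFTER, CERTUTIL_AFTER))
```

Run it against the real files with `open(paths.HTTPD_NSS_CONF).read()` and the output of `certutil -L -d /etc/httpd/alias`; a `False` after an upgrade means either the directive is still commented out or the trust flags were not set.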
 

[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

pvoborni commented:
"""
Should work:

```
def debian_service_class_factory(name, api=None):
    if name == 'dirsrv':
        return redhat_services.RedHatDirectoryService(name, api)
    if name == 'domainname':
        return DebianNoService(name, api)
    if name == 'ipa':
        return redhat_services.RedHatIPAService(name, api)
    if name == 'messagebus':
        return DebianNoService(name, api)
    if name == 'ntpd':
        return DebianSysvService("ntp", api)
    return DebianService(name, api)
```
so it's `DebianService`

```
class DebianService(redhat_services.RedHatService):
    system_units = debian_system_units
```
then
```
class RedHatService(base_services.SystemdService):
```

I.e. it is not `DebianSysvService`
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/748#issuecomment-297987349

Re: [Freeipa-devel] "blocker" tag for pull request

2017-04-28 Thread Martin Bašti



On 28.04.2017 14:17, Tomas Krizek wrote:
> On 04/28/2017 10:15 AM, Petr Vobornik wrote:
>> Hi all,
>>
>> I created "blocker" tag for FreeIPA Git Hub PRs.
>>
>> It should be used to mark PRs which solve test blockers or other
>> functional blockers - e.g. blocks creation of demo. I.e. should be
>> used rather rarely.
>>
>> I don't like the tag name, but I couldn't find better.
>
> I think we could use the name "high-priority". It could have other uses
> besides marking a blocker, e.g. requesting prompt execution of tests in
> PR CI.

Sounds good, or maybe "prioritized"; IMHO the word "blocker" is overused.

>> Note: blocker priority in pagure doesn't imply blocker tag in PR. But
>> testblocker tag in pagure does. Actually I'm thinking about changing
>> Pagure priority names to: "highest, high, medium, low, patchwelcome"
>>
> +1, but I'd prefer "critical" instead of "highest"

+1 for critical

pyldap uses "help wanted" instead of "patchwelcome", it sounds better to
me. I'd use it as a separate tag instead of a priority. Even highly
prioritized issues can be done by contributors in an early phase of
development if they are easy enough.


Martin^2

--
Martin Bašti
Software Engineer
Red Hat Czech


[Freeipa-devel] [freeipa PR#748][+ack] restore: restart/reload gssproxy after restore

2017-04-28 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

Label: +ack

[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore

2017-04-28 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

tomaskrizek commented:
"""
master:

* 3a4c8e39c3e38ec651cfcbb3cac59e0e92e04fe0 restore: restart/reload gssproxy 
after restore


ipa-4-5:

* 04ed1fa3acdf002ecc37dde4f5d226c0fbe5aa30 restore: restart/reload gssproxy 
after restore


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/748#issuecomment-297990747

[Freeipa-devel] [freeipa PR#750][+ack] Fixed typo in ipa-client-install help output

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/750
Title: #750: Fixed typo in ipa-client-install help output

Label: +ack

[Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
 Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
From 342158b9f427057c08b9a115b68825f918554ee1 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 26 Apr 2017 18:49:47 +0200
Subject: [PATCH] Automatic creation of KDC URI records

Enables creation of the following records for each replica:

KDC URI records:
_kerberos.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:tcp:ipaserver.example.com"
_kerberos.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"
_kpasswd.example.com. IN URI   "krb5srv:M:udp:ipaserver.example.com"

KDC proxy URI records:
_kerberos.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI +10  "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

KDC URI records (tcp, udp) must have higher priority than KDC proxy
(https) to prefer direct communication with the KDC. Also there is a bug
that prevents ipa-client-install from enrolling a client using only KDC
proxy in some cases (see https://pagure.io/freeipa/issue/6906).

All records are created for each replica in the topology as KDC proxy is enabled
by default. (Please note that if KDC proxy is manually disabled, KDC Proxy records will be
created anyway)

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337
---
 ipaserver/dns_data_management.py| 88 -
 ipatests/test_integration/test_dns_locations.py | 47 +
 2 files changed, 133 insertions(+), 2 deletions(-)

diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
index d4dc42e..0dbedde 100644
--- a/ipaserver/dns_data_management.py
+++ b/ipaserver/dns_data_management.py
@@ -37,6 +37,23 @@
 (DNSName(u'_kpasswd._udp'), 464),
 )
 
+IPA_DEFAULT_KDC_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kpasswd'), u'krb5srv:M:udp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:tcp:{server}'),
+(DNSName(u'_kerberos'), u'krb5srv:M:udp:{server}'),
+)
+
+# URI records for KDCProxy must have lower priority than for KDC, clients must
+# prefer to connect directly to KDC
+IPA_KDCPROXY_PRIORITY_PENALIZATION = 10
+IPA_DEFAULT_KDCPROXY_URI_REC = (
+# URI record name, target
+(DNSName(u'_kpasswd'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+(DNSName(u'_kerberos'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'),
+)
+
 IPA_DEFAULT_ADTRUST_SRV_REC = (
 # srv record name, port
 (DNSName(u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389),
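Review bot: the comment `URI records for KDCProxy must have lower priority than for KDC` is ambiguous next to a constant that is *added* to the priority, because in URI/SRV records a smaller numeric priority is the preferred one; say "a larger priority value (less preferred)" so the +10 is not read as the inverse. Also, the kkdcp targets hard-wire the `M` flag and the `/KdcProxy` path; a comment stating that both are fixed for FreeIPA's default kdcproxy deployment (not configurable) would save a reader from looking for a setting.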
@@ -127,6 +144,34 @@ def __add_srv_records(
 r_name, rdatatype.SRV, create=True)
 rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
 
+def __add_kdc_uri_records(
+self, zone_obj, hostname, rname_target_map,
+weight=100, priority=0, location=None
+):
+assert isinstance(hostname, DNSName)
+assert isinstance(priority, int)
+assert isinstance(weight, int)
+
+if location:
+suffix = self.__get_location_suffix(location)
+else:
+suffix = self.domain_abs
+
+for name, target in rname_target_map:
+rd = rdata.from_text(
+rdataclass.IN, rdatatype.URI,
+'{0} {1} {2}'.format(
+priority, weight,
+target.format(server=hostname.ToASCII())
+)
+)
+
+r_name = name.derelativize(suffix)
+
+rdataset = zone_obj.get_rdataset(
+r_name, rdatatype.URI, create=True)
+rdataset.add(rd, ttl=86400)  # FIXME: use TTL from config
+
 def __add_ca_records_from_hostname(self, zone_obj, hostname):
 assert isinstance(hostname, DNSName) and hostname.is_absolute()
 r_name = DNSName('ipa-ca') + self.domain_abs
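Review bot: the URI rdata is built from unquoted presentation text, `'{0} {1} {2}'.format(priority, weight, ...)`, whereas RFC 7553 presents the target as a quoted character-string; dnspython tokenizes the unquoted form only up to whitespace, and a `;` or `(` in a target would start a comment or a group, so quote it (`'{0} {1} "{2}"'`) to make the parser see exactly the string intended. Also `priority` and `weight` are asserted to be `int` but not range-checked; both are 16-bit fields and the penalization constant defined above is meant to be added to a base priority, so a 0..65535 check here would report an overflow more clearly than `rdata.from_text` does.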
@@ -173,6 +218,7 @@ def _add_base_dns_records_for_server(
 else:
 eff_roles = server['roles']
 hostname_abs = DNSName(hostname).make_absolute()
+hostname_rel = DNSName(hostname)
 
 if include_kerberos_realm:
 self.__add_kerberos_txt_rec(zone_obj)
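Review bot: `hostname_rel = DNSName(hostname)` is only relative when `hostname` arrives without a trailing dot; the line above it calls `make_absolute()` precisely because callers may pass either form, and an absolute name here would be formatted into the kkdcp target as `https://ipaserver.example.com./KdcProxy`, where the trailing dot can break TLS hostname matching on the client. Derive it from `hostname_abs` (e.g. `hostname_abs.relativize(DNSName.root)`) so both inputs give the same URL.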
@@ -185,6 +231,21 @@ def _add_base_dns_records_for_server(
 IPA_DEFAULT_MASTER_SRV_REC,
 weight=server['weight']
 )
+self.__add_kdc_uri_records(
+zone_obj,
+hostname_rel,
+IPA_DEFAULT_KDC_URI_REC,
+weight=server['weight']
+)
+
+# FIXME: create KDC Proxy records only when KDC proxy is enabled
+   
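Review bot: the `# FIXME: create KDC Proxy records only when KDC proxy is enabled` marks the behaviour the PR discussion below turns on: because system records are regenerated automatically and manual edits are overwritten (see MartinBasti's comment on `ipa dns-update-system-records`), an admin who disables KDC proxy on a replica has no way to keep its kkdcp URI records out of the zone, so clients will be offered an endpoint that does not answer and only fall back after a failed attempt at the penalised priority. Gating on a per-server role attribute, as the TODO proposes, is the right fix; until then the FIXME should mention the regeneration so nobody tries to hand-edit the records.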

[Freeipa-devel] [freeipa PR#750][opened] Fixed typo in ipa-client-install help output

2017-04-28 Thread tscherf
   URL: https://github.com/freeipa/freeipa/pull/750
Author: tscherf
 Title: #750: Fixed typo in ipa-client-install help output
Action: opened

PR body:
"""
Fixed typo in option "--all-ip-addresses" from "ipa-client-install".

"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/750/head:pr750
git checkout pr750
From 74025761b44b7e3456a10f0c6d4b74f4296e577a Mon Sep 17 00:00:00 2001
From: Thorsten Scherf 
Date: Fri, 28 Apr 2017 16:40:17 +0200
Subject: [PATCH] Fixed typo in ipa-client-install output

---
 ipalib/install/hostname.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/install/hostname.py b/ipalib/install/hostname.py
index 74c569d..ecc2963 100644
--- a/ipalib/install/hostname.py
+++ b/ipalib/install/hostname.py
@@ -41,7 +41,7 @@ def ip_addresses(self, values):
 
 all_ip_addresses = knob(
 None,
-description="All routable IP addresses configured on any inteface "
+description="All routable IP addresses configured on any interface "
 "will be added to DNS",
 )
 all_ip_addresses = prepare_only(all_ip_addresses)

[Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
 Title: #746: KDC proxy URI records
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/746/head:pr746
git checkout pr746
From d79bc35de7315c9a49605c4acb0798441ce67997 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 26 Apr 2017 18:49:47 +0200
Subject: [PATCH] Automatic creation of KDC URI records


[Freeipa-devel] [freeipa PR#746][edited] KDC proxy URI records

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
 Title: #746: KDC proxy URI records
Action: edited

 Changed field: body
Original value:
"""
Automatic creation of KDC proxy URI records

Enables creation of the following KDC proxy URL records for each replica:
```
_kerberos.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
_kpasswd.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"
```
Records are created for each replica in the topology as KDC proxy is enabled
by default. (If KDC proxy is manually disabled these records will be
created anyway)

URI records for kadmin discovery are not created because FreeIPA doesn't
support kadmin.

See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

https://pagure.io/freeipa/issue/6337


### TODO
- [ ] Add URI records for 88/UDP, 88/TCP with higher priority to keep clients
asking the KDC directly first
- [ ] Add URI records for HTTPS only when kdc proxy is enabled on server
(requires updating server roles with a KDC proxy role attribute)
- [ ] Fix https://pagure.io/freeipa/issue/6906 to allow enrolling FreeIPA clients
using HTTPS KDC proxy
"""


[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records

2017-04-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
I am not entirely sure we want to care for the case where an admin disables KDC 
Proxy in an automatic fashion; otherwise we would also need to check if TCP or 
UDP are disabled and change that too.
FreeIPA as a product enables TCP/UDP and proxy and an admin that wants to 
change this by manually changing configurations should also take care of 
manually changing the URI records in DNS I think. Just like they would need to 
change records in DNS if either TCP or UDP protocols were disabled.
However if it is overly simple to detect and update records based on enabled 
protocols I am not against doing so.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/746#issuecomment-298032999

[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

MartinBasti commented:
"""
@simo5 we don't support manual changes of IPA system records, they are regenerated 
automatically, so any manual changes are overwritten when: a new replica is 
added/a replica is removed/the user manually executes `ipa dns-update-system-records`
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/746#issuecomment-298034002

[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records

2017-04-28 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
@MartinBasti In this case we need a way to tell the system what are the 
priorities and which protocols are enabled, priorities are important too, 
admins need to be able to change them as they see fit.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/746#issuecomment-298037434

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
Works for me, ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-297940885

Re: [Freeipa-devel] KDC proxy URI records

2017-04-28 Thread Christian Heimes
On 2017-04-27 14:00, Martin Bašti wrote:
> 
> 
> On 26.04.2017 20:41, Simo Sorce wrote:
>> On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote:
>>> On 25.04.2017 16:57, Martin Bašti wrote:
 Hello all,

 I'm going to implement automatic URI records for kdc proxy and I'd
 like to clarify if following URI records are the right one.


 _kerberos-adm.example.com. IN URI  0
 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;

 _krb5kdc.example.com. IN URI  0
 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;

 _kpasswd.example.com. IN URI  0
 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy;


 I assume we want to use "kkdcp" and "https", and "M" flag as all IPA
 servers are masters, please confirm.


 Sources:

 https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery

 https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt




 Thank you

>>> I found out that wiki page differs from the RFC draft and from the
>>> source in git
>>>
>>> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM"
>>>
>>>
>>> And I'm not sure if _kerberos-adm should be included as we don't really
>>> support kadmin.
>> We shouldn't.
>>
>> Simo.
>>
> 
> I would like to discuss consequences of adding kdc URI records:
> 
> 1. basically all ipa clients enrolled using autodiscovery will use
> kdcproxy instead of KDC on port 88, because URI takes precedence over
> SRV in KRB5 client implementation. Are we ok with such a big change?

Update: It's correct that URI records have a higher priority than SRV
records. A client with URI discovery support will never check SRV
records when it is able to retrieve URI records. For newer clients we
have to include TCP and UDP URI records, too.

I did some testing. MIT KRB5 prefers UDP/TCP over MS-KKDCP for records
with the same priority. That fact is not stated in the RFC. I'm writing a
mail to Nathaniel and Simo to discuss the matter.

Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security

Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael
O'Neill, Eric Shander



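The record set and the priority question discussed in this thread, as an added example that is not part of any message here and not FreeIPA code. The URI record syntax is assumed from draft-mccallum-kitten-krb-service-discovery (owner, priority, weight, then a "krb5srv:flags:transport:residual" target, lower priority tried first, as with SRV); the hostnames, the port 464 for kpasswd, the weight of 100 and the priority values are constructed for the example. The script builds one UDP, one TCP and one KKDCP URI per server, orders them the way a URI-aware client would, and flags any owner name where the HTTPS proxy would be tried before port 88:

```python
"""
Added example (not FreeIPA code, not from the thread): build the KDC
discovery URI record set and check which transport a client tries first.

Assumed record syntax (draft-mccallum-kitten-krb-service-discovery):
    <owner> IN URI <priority> <weight> "krb5srv:<flags>:<transport>:<residual>"
Lower priority values are tried first (SRV semantics). <flags> may carry
"M" for a master KDC, <transport> is udp, tcp or kkdcp, and <residual> is
host[:port] for udp/tcp or the KKDCP URL for kkdcp.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class KdcUri:
    owner: str       # DNS owner name, e.g. "_kerberos.example.com."
    priority: int    # lower is preferred
    weight: int      # tie-break weight among equal priorities
    flags: str       # "M" = master KDC, "" = other
    transport: str   # "udp", "tcp" or "kkdcp"
    residual: str    # "host:port" for udp/tcp, full URL for kkdcp

    def target(self):
        return "krb5srv:%s:%s:%s" % (self.flags, self.transport, self.residual)

    def zone_line(self):
        return '%s IN URI %d %d "%s"' % (
            self.owner, self.priority, self.weight, self.target())


_ZONE_RE = re.compile(r'^(\S+)\s+IN\s+URI\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*$')
_TARGET_RE = re.compile(r'^krb5srv:([A-Za-z]*):(udp|tcp|kkdcp):(.+)$')


def parse_zone_line(line):
    """Parse one URI record in presentation format back into a KdcUri."""
    m = _ZONE_RE.match(line)
    if m is None:
        raise ValueError("not a URI record: %r" % line)
    owner, prio, weight, target = m.groups()
    t = _TARGET_RE.match(target)
    if t is None:
        raise ValueError("not a krb5srv target: %r" % target)
    flags, transport, residual = t.groups()
    return KdcUri(owner, int(prio), int(weight), flags, transport, residual)


def ipa_kdc_records(domain, servers, proxy_priority=10):
    """Per server: UDP and TCP port-88/464 URIs at priority 0 and a KKDCP
    URI at a worse (higher) priority, for _kerberos and _kpasswd.  Giving
    the direct transports the better priority keeps clients on port 88
    first, with the HTTPS proxy only as a fallback (constructed values)."""
    records = []
    for host in servers:
        for service, port in (("_kerberos", 88), ("_kpasswd", 464)):
            owner = "%s.%s." % (service, domain)
            records.append(KdcUri(owner, 0, 100, "M", "udp", "%s:%d" % (host, port)))
            records.append(KdcUri(owner, 0, 100, "M", "tcp", "%s:%d" % (host, port)))
            records.append(KdcUri(owner, proxy_priority, 100, "M", "kkdcp",
                                  "https://%s/KdcProxy" % host))
    return records


def client_order(records, owner):
    """Candidates for one owner name in the order a URI-aware client tries
    them: ascending priority.  Among equal priorities the draft does not
    rank transports, so insertion order is kept (sorted() is stable)."""
    return sorted((r for r in records if r.owner == owner),
                  key=lambda r: r.priority)


def proxy_preferred_over_direct(records):
    """Owner names where a KKDCP URI is at least as preferred as every
    direct UDP/TCP URI, i.e. where clients would hit the HTTPS proxy
    first.  An empty result means port 88 stays the primary path."""
    bad = []
    for owner in sorted({r.owner for r in records}):
        direct = [r.priority for r in records
                  if r.owner == owner and r.transport in ("udp", "tcp")]
        proxy = [r.priority for r in records
                 if r.owner == owner and r.transport == "kkdcp"]
        if proxy and (not direct or min(proxy) <= min(direct)):
            bad.append(owner)
    return bad


if __name__ == "__main__":
    for rec in ipa_kdc_records("example.com", ["ipa1.example.com"]):
        print(rec.zone_line())
```

The check in proxy_preferred_over_direct is the one to run before publishing such records: with the KKDCP URIs at the same priority as the UDP/TCP ones, the draft gives no ordering and the behaviour Christian observed (MIT trying UDP/TCP first) is an implementation detail rather than a guarantee.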

[Freeipa-devel] [freeipa PR#694][+ack] RFC: implement local PKINIT deployment in server/replica install

2017-04-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +ack

[Freeipa-devel] [freeipa PR#694][+pushed] RFC: implement local PKINIT deployment in server/replica install

2017-04-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +pushed

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
master:

* b1a1e104391c84cb9af7b0a7c8748c8652442ddb separate function to set 
ipaConfigString values on service entry
* fb52f7a1f328b126626525179d5250692daca2cd Allow for configuration of all three 
PKINIT variants when deploying KDC
* 86972299d937960bcb713fc73b447cddb4ea44bd API for retrieval of master's PKINIT 
status and publishing it in LDAP
* 3adb9ca875f8eb99e99a29e17a471a2b6f408a4a Use only anonymous PKINIT to fetch 
armor ccache
* 68c6a4d4e1340ce01bdc7ec5dd394604a3da7688 Stop requesting anonymous keytab and 
purge all references of it
* 2374b648d0dfd08ec4cfbcc35f7987fa8b8a6ffa Use local anchor when armoring 
password requests
* a194055c92c7ca4eba29323f990ec3b92026221b Upgrade: configure local/full PKINIT 
depending on the master status
* 960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Do not test anonymous PKINIT after 
install/upgrade


ipa-4-5:

* 31a24436592304db6e84270e4a95df34d1e0af46 separate function to set 
ipaConfigString values on service entry
* b49e075c90a7ab43e82f422aa11dc7540e2fb2c0 Allow for configuration of all three 
PKINIT variants when deploying KDC
* a0e2a09292ffa2adbf97c2e7e4facc9693dbc311 API for retrieval of master's PKINIT 
status and publishing it in LDAP
* fca378c9a65f582ac3dcda4b6201e8847ed9e512 Use only anonymous PKINIT to fetch 
armor ccache
* 9fcc794dac6ffb1f1cc6c92a588ea0911be5ba14 Stop requesting anonymous keytab and 
purge all references of it
* 5031929b6d710336f6308d7f46779c9e8e98103a Use local anchor when armoring 
password requests
* 2452e6e5f3a7e7a25eadf5243a28da75a47f9d2c Upgrade: configure local/full PKINIT 
depending on the master status
* d497c4589cc7506ef9a88b691b8b1d97ad1f1009 Do not test anonymous PKINIT after 
install/upgrade


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/694#issuecomment-297941980

[Freeipa-devel] [freeipa PR#694][closed] RFC: implement local PKINIT deployment in server/replica install

2017-04-28 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
 Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694

[Freeipa-devel] [freeipa PR#729][comment] Turn on NSSOCSP check in mod_nss conf

2017-04-28 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/729
Title: #729: Turn on NSSOCSP check in mod_nss conf

HonzaCholasta commented:
"""
@pvomacka, CI fails because you forgot to include python-augeas in lint 
BuildRequires.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/729#issuecomment-297918182

Re: [Freeipa-devel] KDC proxy URI records

2017-04-28 Thread Martin Kosek
On 04/27/2017 04:16 PM, Simo Sorce wrote:
> On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote:
>> On 04/27/2017 02:19 PM, Christian Heimes wrote:
>>> On 2017-04-27 14:00, Martin Bašti wrote:
>>>> I would like to discuss consequences of adding kdc URI records:
>>>>
>>>> 1. basically all ipa clients enrolled using autodiscovery will
>>>> use
>>>> kdcproxy instead of KDC on port 88, because URI takes precedence
>>>> over
>>>> SRV in KRB5 client implementation. Are we ok with such a big
>>>> change?
>>>
>>> Does the client also prefer KKDCP if you give the Kerberos 88/UDP
>>> and
>>> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
>>>
>>>> 2. probably client installer must be updated because currently
>>>> with
>>>> CA-full installation it is not working.
>>>>
>>>> ipa-client-install (with autodiscovery) failed on kinit, see
>>>> KRB5_TRACE
>>>> below that it refuses self signed certificate
>>>
>>> Actually it is not a self-signed EE certificate. The validation
>>> message
>>> is bogus because FreeIPA TLS configuration is slightly buggy. We
>>> send
>>> the trust anchor (root CA) although a server should not include its
>>> trust anchor in its ServerHello message. OpenSSL detects an
>>> untrusted
>>> root CA in the ServerHello peer chain and emits the message.
>>>
>>> If I read the 600 lines (!) function
>>> ipaclient.install.client._install
>>> correctly, then ipa-client-install first attempts to negotiate a
>>> TGT and
>>> then installs the trust anchor in the global trust store. It should
>>> be
>>> enough to reverse the order and inject the trust anchor first.
>>>
>>> Christian
>>>
>>
>> By reading this, even if we do the change in client install, I'd
>> rather 
>> not generate the DNS records in 4.5.1 release and rather make sure
>> that 
>> everything works during 4.6 development.

I agree. My original assumption when I suggested this RFE was that it would be a
very contained change, used only by clients that do not have the classic
Kerberos ports available. Given how much it influences the rest of the framework,
we indeed should not push for it in a bugfix release.

>> The reason is that there might also be something else not working and
>> it 
>> is better to time test it + the fix would not fix older clients.
>>
>> If anybody wants to use/try it, then the records can be created
>> manually.
> 
> 
> 
> We need to fix clients regardless, so someone enabling it will find the
> same issues.

Right. Can someone please file the ticket so that it can be triaged later?


Thanks,
Martin


Re: [Freeipa-devel] KDC proxy URI records

2017-04-28 Thread Martin Bašti



On 28.04.2017 09:32, Martin Kosek wrote:
> On 04/27/2017 04:16 PM, Simo Sorce wrote:
>> On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote:
>>> On 04/27/2017 02:19 PM, Christian Heimes wrote:
>>>> On 2017-04-27 14:00, Martin Bašti wrote:
>>>>> I would like to discuss consequences of adding kdc URI records:
>>>>>
>>>>> 1. basically all ipa clients enrolled using autodiscovery will
>>>>> use
>>>>> kdcproxy instead of KDC on port 88, because URI takes precedence
>>>>> over
>>>>> SRV in KRB5 client implementation. Are we ok with such a big
>>>>> change?
>>>>
>>>> Does the client also prefer KKDCP if you give the Kerberos 88/UDP
>>>> and
>>>> 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
>>>>
>>>>> 2. probably client installer must be updated because currently
>>>>> with
>>>>> CA-full installation it is not working.
>>>>>
>>>>> ipa-client-install (with autodiscovery) failed on kinit, see
>>>>> KRB5_TRACE
>>>>> below that it refuses self signed certificate
>>>>
>>>> Actually it is not a self-signed EE certificate. The validation
>>>> message
>>>> is bogus because FreeIPA TLS configuration is slightly buggy. We
>>>> send
>>>> the trust anchor (root CA) although a server should not include its
>>>> trust anchor in its ServerHello message. OpenSSL detects an
>>>> untrusted
>>>> root CA in the ServerHello peer chain and emits the message.
>>>>
>>>> If I read the 600 lines (!) function
>>>> ipaclient.install.client._install
>>>> correctly, then ipa-client-install first attempts to negotiate a
>>>> TGT and
>>>> then installs the trust anchor in the global trust store. It should
>>>> be
>>>> enough to reverse the order and inject the trust anchor first.
>>>>
>>>> Christian
>>>>
>>>
>>> By reading this, even if we do the change in client install, I'd
>>> rather
>>> not generate the DNS records in 4.5.1 release and rather make sure
>>> that
>>> everything works during 4.6 development.
>
> I agree. My original assumption when I suggested this RFE was that it would be a
> very contained change, used only by clients that do not have the classic
> Kerberos ports available. Given how much it influences the rest of the framework,
> we indeed should not push for it in a bugfix release.
>
>>> The reason is that there might also be something else not working and
>>> it
>>> is better to time test it + the fix would not fix older clients.
>>>
>>> If anybody wants to use/try it, then the records can be created
>>> manually.
>>
>> We need to fix clients regardless, so someone enabling it will find the
>> same issues.
>
> Right. Can someone please file the ticket so that it can be triaged later?

ticket is here https://pagure.io/freeipa/issue/6906

> Thanks,
> Martin


--
Martin Bašti
Software Engineer
Red Hat Czech


[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes

2017-04-28 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/741
Author: stlaz
 Title: #741: 6.9 -> 7.4 migration fixes
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/741/head:pr741
git checkout pr741
From fddf366557e23806a5e05ba06c8471828c8daa7b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 27 Apr 2017 12:51:30 +0200
Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property

Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.

This solves the problem which would occur on DL0 when installing
CA against an old master which does not have port 8443 accessible.
The setup tries to update the cert profiles via this port but
fail. This operation should be performed against the local instance
anyway.

https://pagure.io/freeipa/issue/6878
---
 ipaserver/plugins/dogtag.py | 34 ++
 1 file changed, 22 insertions(+), 12 deletions(-)

diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py
index 3997531..2ac4674 100644
--- a/ipaserver/plugins/dogtag.py
+++ b/ipaserver/plugins/dogtag.py
@@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'):
 import random
 from ipaserver.plugins import rabase
 from ipalib.constants import TYPE_ERROR
-from ipalib.util import cachedproperty
 from ipalib import _
 from ipaplatform.paths import paths
 
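Review bot: dropping "from ipalib.util import cachedproperty" here is only safe if the ca_host decorator swapped in the next hunk was the last reference in ipaserver/plugins/dogtag.py; since this import block sits mid-module (after select_any_master) rather than at the top, grep the whole file for cachedproperty before PATCH 2/2 deletes the class, or the module will fail at import time.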
@@ -1250,34 +1249,45 @@ def __init__(self, api):
 self.client_keyfile = paths.RA_AGENT_KEY
 super(RestClient, self).__init__(api)
 
+self._ca_host = None
 # session cookie
 self.override_port = None
 self.cookie = None
 
-@cachedproperty
+@property
 def ca_host(self):
 """
-:return:   host
-   as str
+:returns: FQDN of a host hopefully providing a CA service
 
-Select our CA host.
+Select our CA host, cache it for the first time.
 """
+if self._ca_host is not None:
+return self._ca_host
+
 ldap2 = self.api.Backend.ldap2
 if host_has_service(api.env.ca_host, ldap2, "CA"):
-return api.env.ca_host
-if api.env.host != api.env.ca_host:
+self._ca_host = api.env.ca_host
+elif api.env.host != api.env.ca_host:
 if host_has_service(api.env.host, ldap2, "CA"):
-return api.env.host
-host = select_any_master(ldap2)
-if host:
-return host
+self._ca_host = api.env.host
 else:
-return api.env.ca_host
+self._ca_host = select_any_master(ldap2)
+if self._ca_host is None:
+self._ca_host = api.env.ca_host
+return self._ca_host
+
+@ca_host.setter
+def ca_host(self, value):
+self._ca_host = value
 
 def __enter__(self):
 """Log into the REST API"""
 if self.cookie is not None:
 return
+
+# Refresh the ca_host property
+self._ca_host = None
+
 status, resp_headers, _resp_body = dogtag.https_request(
 self.ca_host, self.override_port or self.env.ca_agent_port,
 url='/ca/rest/account/login',
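Review bot: the unconditional "self._ca_host = None" added to __enter__ throws away any value a caller assigned through the new ca_host.setter before entering the context manager, so the setter only works for callers that never use "with"; either skip the reset when the value was set explicitly (a flag, or clearing the cache in __exit__ instead) or document that __enter__ always recomputes. There is also a behaviour change beyond the refresh: where select_any_master finds no host the old code returned None, while the new "if self._ca_host is None: self._ca_host = api.env.ca_host" falls back to the configured ca_host; that looks intended but should be stated in the commit message. Finally, ":returns: FQDN of a host hopefully providing a CA service" reads informally for a docstring; "FQDN of the host selected to provide the CA service" says the same thing.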

From 6d7589e8654d11a7d73256d862ecad8168a5e4da Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 28 Apr 2017 09:31:45 +0200
Subject: [PATCH 2/2] Remove the cachedproperty class

The cachedproperty class was used in one special use-case where it only
caused issues. Let's get rid of it.

https://pagure.io/freeipa/issue/6878
---
 ipalib/util.py | 34 --
 1 file changed, 34 deletions(-)

diff --git a/ipalib/util.py b/ipalib/util.py
index e9d4105..8973a19 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -34,7 +34,6 @@
 import encodings
 import sys
 import ssl
-from weakref import WeakKeyDictionary
 
 import netaddr
 from dns import resolver, rdatatype
@@ -492,39 +491,6 @@ def remove_sshpubkey_from_output_list_post(context, entries):
 delattr(context, 'ipasshpubkey_added')
 
 
-class cachedproperty(object):
-"""
-A property-like attribute that caches the return value of a method call.
-
-When the attribute is first read, the method is called and its return
-value is saved and returned. On subsequent reads, the saved value is
-returned.
-
-Typical usage:
-class C(object):
-@cachedproperty
-def attr(self):
-return 'value'
-"""
-__slots__ = ('getter', 'store')
-
-def __init__(self, getter):
-self.getter = getter
-self.store = WeakKeyDictionary()
-
-def __get__(self, obj, cls):
-if obj is None:
-return None
-if obj not in self.store:
-self.store[obj] = self.getter(obj)
-return self.store[obj]
-
-def __set__(self, obj, value):
-raise AttributeError("can't set attribute")
-
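Review bot: cachedproperty was a public name in ipalib.util, so removing it is an API removal for any out-of-tree plugin that imports it, not just the cleanup of an unused helper that the commit message ("was used in one special use-case where it only caused issues") describes; the message should say that the name is gone and point users at a plain @property with an explicit cache, which is what PATCH 1/2 does for RestClient.ca_host.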

[Freeipa-devel] [freeipa PR#694][+blocker] RFC: implement local PKINIT deployment in server/replica install

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

Label: +blocker

[Freeipa-devel] [freeipa PR#747][-ack] vault: piped input for ipa vault-add fails

2017-04-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

Label: -ack

[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails

2017-04-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

stlaz commented:
"""
@Akasurde: Don't add ACK label when the PR is not OK!
@flo-renaud: You will need to specify a ticket for this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/747#issuecomment-297933288

[Freeipa-devel] [freeipa PR#741][+blocker] 6.9 -> 7.4 migration fixes

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

Label: +blocker

[Freeipa-devel] [freeipa PR#747][synchronized] vault: piped input for ipa vault-add fails

2017-04-28 Thread flo-renaud
   URL: https://github.com/freeipa/freeipa/pull/747
Author: flo-renaud
 Title: #747: vault: piped input for ipa vault-add fails
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/747/head:pr747
git checkout pr747
From 4b11def7359308d43bda011a622339156a4b0b43 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud 
Date: Thu, 27 Apr 2017 18:20:06 +0200
Subject: [PATCH] vault: piped input for ipa vault-add fails

An exception is raised when using echo "Secret123\n" | ipa vault-add myvault

This happens because the code is using (string).decode(sys.stdin.encoding)
and sys.stdin.encoding is None when the input is read from a pipe.
The fix is using the prompt_password method defined by Backend.textui,
which gracefully handles this issue.

https://pagure.io/freeipa/issue/6907
---
 ipaclient/plugins/vault.py | 37 -
 1 file changed, 8 insertions(+), 29 deletions(-)

diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index 3fb4900..f21dc4d 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -21,11 +21,9 @@
 
 import base64
 import errno
-import getpass
 import io
 import json
 import os
-import sys
 import tempfile
 
 from cryptography.fernet import Fernet, InvalidToken
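Review bot: "import getpass" and "import sys" are both dropped here, but the later hunks only replace the password prompts; confirm that no other "sys." or "getpass." reference remains in ipaclient/plugins/vault.py, otherwise the patch trades the None-encoding failure from the commit message for a NameError at the first other use.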
@@ -84,29 +82,6 @@ def validated_read(argname, filename, mode='r', encoding=None):
 MAX_VAULT_DATA_SIZE = 2**20  # = 1 MB
 
 
-def get_new_password():
-"""
-Gets new password from user and verify it.
-"""
-while True:
-password = getpass.getpass('New password: ').decode(
-sys.stdin.encoding)
-password2 = getpass.getpass('Verify password: ').decode(
-sys.stdin.encoding)
-
-if password == password2:
-return password
-
-print('  ** Passwords do not match! **')
-
-
-def get_existing_password():
-"""
-Gets existing password from user.
-"""
-return getpass.getpass('Password: ').decode(sys.stdin.encoding)
-
-
 def generate_symmetric_key(password, salt):
 """
 Generates symmetric key from password and salt.
@@ -304,7 +279,8 @@ def forward(self, *args, **options):
 password = password.rstrip('\n')
 
 else:
-password = get_new_password()
+password = self.api.Backend.textui.prompt_password(
+'New password')
 
 # generate vault salt
 options['ipavaultsalt'] = os.urandom(16)
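Review bot: this call relies on the default value of the confirm argument to get the verify-password step that get_new_password used to provide, while the existing-password call sites below pass confirm=False explicitly; pass confirm=True here (and in the override_password branch) so the intent is visible in the caller and does not silently change if the default in textui ever does.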
@@ -887,9 +863,11 @@ def forward(self, *args, **options):
 
 else:
 if override_password:
-password = get_new_password()
+password = self.api.Backend.textui.prompt_password(
+'New password')
 else:
-password = get_existing_password()
+password = self.api.Backend.textui.prompt_password(
+'Password', confirm=False)
 
 if not override_password:
 # verify password by retrieving existing data
@@ -1112,7 +1090,8 @@ def forward(self, *args, **options):
 password = password.rstrip('\n')
 
 else:
-password = get_existing_password()
+password = self.api.Backend.textui.prompt_password(
+'Password', confirm=False)
 
 # generate encryption key from password
 encryption_key = generate_symmetric_key(password, salt)

[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails

2017-04-28 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

flo-renaud commented:
"""
@stlaz 
Thank you for the reminder. Commit msg updated with issue 6907
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/747#issuecomment-297935155

[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails

2017-04-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

stlaz commented:
"""
Thank you for the brief action taken. Re-adding the ACK label.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/747#issuecomment-297935390

[Freeipa-devel] [freeipa PR#747][+ack] vault: piped input for ipa vault-add fails

2017-04-28 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

Label: +ack

[Freeipa-devel] [freeipa PR#723][-pushed] Store GSSAPI session key in /var/run/httpd

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: -pushed

[Freeipa-devel] [freeipa PR#723][-ack] Store GSSAPI session key in /var/run/httpd

2017-04-28 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd

Label: -ack

[Freeipa-devel] "blocker" tag for pull request

2017-04-28 Thread Petr Vobornik

Hi all,

I created a "blocker" tag for FreeIPA GitHub PRs.

It should be used to mark PRs which solve a test blocker or other 
functional blockers, e.g. something that blocks creation of a demo. I.e. it should be used 
rather rarely.


I don't like the tag name, but I couldn't find a better one.

Note: blocker priority in Pagure doesn't imply the blocker tag in a PR, but the 
testblocker tag in Pagure does. Actually I'm thinking about changing 
Pagure priority names to: "highest, high, medium, low, patchwelcome"


--
Petr Vobornik



[Freeipa-devel] [freeipa PR#737][closed] Vault: Explicitly default to 3DES CBC

2017-04-28 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/737
Author: tiran
 Title: #737: Vault: Explicitly default to 3DES CBC
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/737/head:pr737
git checkout pr737

[Freeipa-devel] [freeipa PR#737][+pushed] Vault: Explicitly default to 3DES CBC

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

Label: +pushed

[Freeipa-devel] [freeipa PR#737][comment] Vault: Explicitly default to 3DES CBC

2017-04-28 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/737
Title: #737: Vault: Explicitly default to 3DES CBC

MartinBasti commented:
"""
master:

* 5197422ef65e7239fc56c562ab87d99388a38a8d Vault: Explicitly default to 3DES CBC


ipa-4-5:

* e94a1d18653fe2e9558ac0b70bdf2ddd1f78d150 Vault: Explicitly default to 3DES CBC


"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/737#issuecomment-297917887