[Freeipa-devel] [PATCH] Fix typos in help of sudorule and sudocmd
Hi, Fixed the following typos: 1. # ipa help sudorule [...] sudorule-show Dispaly Sudo Rule. 2. # ipa help sudocmd [...] Create a new commnad -- Regards, Shanks Looking to carve out IT costs? www.redhat.com/carveoutcosts/ From 4a048ccb0bf6a25cb5d1f7da0d4e9fa6cf94690f Mon Sep 17 00:00:00 2001 From: Gowrishankar Rajaiyan g...@redhat.com Date: Mon, 30 May 2011 09:14:49 -0400 Subject: [PATCH] Fixes typos in help of sudorule and sudocmd-add --- install/po/ipa.pot |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/po/ipa.pot b/install/po/ipa.pot index 96acd1e0c70de03d09e5abd7660d662378252913..225b064eed923dbd37d042278363c60f36e72486 100644 --- a/install/po/ipa.pot +++ b/install/po/ipa.pot @@ -5924,7 +5924,7 @@ msgid \n EXAMPLES:\n \n - Create a new commnad\n + Create a new command\n ipa sudocmd-add --desc='For reading log files' /usr/bin/less\n \n Remove a command\n @@ -6233,7 +6233,7 @@ msgstr #: ipalib/plugins/sudorule.py:213 msgid \n -Dispaly Sudo Rule.\n +Display Sudo Rule.\n msgstr -- 1.7.1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
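Review bot: first hunk (`- Create a new commnad\n` / `+ Create a new command\n` in the sudocmd-add EXAMPLES text): only the generated template install/po/ipa.pot is touched. A .pot file is extracted from the source strings, so this correction will be overwritten the next time the template is regenerated unless the same typo is fixed in the plugin docstring the msgid comes from; suggest fixing the source string and regenerating, or at least including the source change in the same patch.

Review bot: second hunk (`-Dispaly Sudo Rule.\n` / `+Display Sudo Rule.\n`): the `#: ipalib/plugins/sudorule.py:213` reference right above the msgid shows where this string is extracted from, and the hunk does not change that file. Editing only the msgid in ipa.pot makes it diverge from the source string, so the entry no longer matches at lookup time; the fix belongs in ipalib/plugins/sudorule.py with the .pot regenerated from it.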
Re: [Freeipa-devel] [PATCH] 784 limit what attributes may be modified
On Fri, 2011-05-27 at 19:21 +0200, Martin Kosek wrote:
On Fri, 2011-05-27 at 11:10 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Mon, 2011-05-16 at 17:46 -0400, Rob Crittenden wrote:

Add option to limit the attributes allowed in an entry. Kerberos ticket policy can update policy in a user entry. This allowed set/addattr to be used to modify attributes outside of the ticket policy purview, also bypassing all validation/normalization. Likewise the ticket policy was updatable by the user plugin bypassing all validation.

Add two new LDAPObject values to control this behavior:
limit_object_classes: only attributes in these are allowed
disallow_object_classes: attributes in these are disallowed
By default both of these lists are empty so are skipped.
ticket 744
rob

NACK. I have some concerns with this patch. In function _check_limit_object_class:

1) You change input attribute 'attrs' by removing the items from it. If user passes the same list of attrs to be checked and the function is run twice, the 'attrs' parameter in second run is corrupt. You can try it by running e.g. `ipa krbtpolicy-mod --maxrenew=24044' and checking the value of this parameter in the function.

Good catch, updated patch attached.

2) The purpose of this statement is not clear to me:
+if len(attrs) 0 and allow_only:
+raise errors.ObjectclassViolation(info='attribute %(attribute)s not allowed' % dict(attribute=attrs[0]))
Maybe just the exception text is misleading.

This function has 2 modes: allow only the attributes in these objectclasses or specifically deny the attributes in these objectclasses. This enforces the first type. If when we've gone through all the attributes there are any left over they must not be allowed so raise an error. This is documented in the function header.

Thanks for explanation, now I get it. It all looks OK, ACK.
Martin

Checked again as I had some second thoughts. But no problem found. Pushed to master, ipa-2-0.
Martin
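The allow/deny check the review above discusses, as an added example that is not FreeIPA's own code: the object-class table is a constructed sample and all names are hypothetical, but the two modes (limit_object_classes, disallow_object_classes) and the "don't mutate the caller's attrs" point from the thread are what it demonstrates.

```python
# Added example, not FreeIPA's own code: a non-mutating version of the
# per-object-class attribute check discussed in the review above. The
# limit/disallow semantics follow the thread; the schema table is a
# constructed sample, not the real LDAP schema, and all names are hypothetical.
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample: object class -> attributes it may carry.
SAMPLE_SCHEMA: Dict[str, Set[str]] = {
    "krbticketpolicyaux": {"krbmaxticketlife", "krbmaxrenewableage"},
    "posixaccount": {"uid", "uidnumber", "gidnumber", "homedirectory"},
    "inetorgperson": {"givenname", "sn", "mail", "userpassword"},
}

class ObjectclassViolation(Exception):
    """Raised when a modification touches an attribute outside the policy."""

def check_limit_object_class(schema: Dict[str, Set[str]], object_classes: Iterable[str],
                             attrs: Iterable[str], allow_only: bool) -> List[str]:
    """Return the offending attribute names (sorted, lower-cased).

    allow_only=True : every attribute must belong to one of object_classes
                      (limit_object_classes semantics).
    allow_only=False: no attribute may belong to one of object_classes
                      (disallow_object_classes semantics).
    The caller's attrs is never modified, so the check is safe to run twice
    on the same list (the bug reported as point 1 in the review above).
    """
    wanted = {a.lower() for a in attrs}  # a copy: never pop from attrs itself
    covered: Set[str] = set()
    for oc in object_classes:
        covered |= {a.lower() for a in schema.get(oc.lower(), ())}
    return sorted(wanted - covered) if allow_only else sorted(wanted & covered)

def first_violation(schema, limit_ocs, disallow_ocs, attrs) -> Optional[str]:
    """Apply both lists as the thread describes; an empty list is skipped."""
    if limit_ocs:
        bad = check_limit_object_class(schema, limit_ocs, attrs, allow_only=True)
        if bad:
            return bad[0]
    if disallow_ocs:
        bad = check_limit_object_class(schema, disallow_ocs, attrs, allow_only=False)
        if bad:
            return bad[0]
    return None

def enforce(schema, limit_ocs, disallow_ocs, attrs) -> bool:
    """Raise ObjectclassViolation for the first attribute outside the policy."""
    bad = first_violation(schema, limit_ocs, disallow_ocs, attrs)
    if bad is not None:
        raise ObjectclassViolation("attribute %s not allowed" % bad)
    return True
```

With the sample table, a ticket-policy update limited to krbticketpolicyaux rejects `mail`, and a user update that disallows krbticketpolicyaux rejects `krbMaxTicketLife` even when it is passed via setattr/addattr.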
Re: [Freeipa-devel] [PATCH] 18 Parse netmasks in IP addresses passed to server install
On Fri, 2011-05-27 at 22:09 +0200, Jan Cholasta wrote:
On 27.5.2011 18:59, Martin Kosek wrote:
On Fri, 2011-05-27 at 16:47 +0200, Jan Cholasta wrote:
On 24.5.2011 15:38, Jan Cholasta wrote:
On 20.5.2011 20:27, Jan Cholasta wrote:
On 10.5.2011 20:06, Jan Cholasta wrote:

Parse netmasks in IP addresses passed to server install. ticket 1212

Patch updated.
TODO: Write unit test for ipapython.ipautil.CheckedIPAddress
TODO: Clean unreachable code paths off of ipa-server-install (?)
TODO: Workarounds for netaddr bugs (?)

Fixed ipa-replica-prepare and added a unit test.

Another update.
Honza

Can you please rebase your patches? My patch 070 fixing add_reverse_zone() function was pushed today. Unfortunately, it made your patches 18 and 3 not applicable.

Done.

You may want to look closer at the patch 070 as it is relevant to your patch set and also to make sure the fix is still functional after your set of patches.

It seems it's ok.

Thanks, Martin
Honza

Everything seems to work fine, ACK. Pushed to master.
Martin
Re: [Freeipa-devel] [PATCH] 19 Do stricter checking of IP addresses passed to server install
On Fri, 2011-05-27 at 16:50 +0200, Jan Cholasta wrote:
On 25.5.2011 09:46, Martin Kosek wrote:
On Tue, 2011-05-24 at 15:42 +0200, Jan Cholasta wrote:
On 24.5.2011 14:44, Jan Cholasta wrote:
On 24.5.2011 14:43, Martin Kosek wrote:
On Fri, 2011-05-20 at 20:34 +0200, Jan Cholasta wrote:
On 18.5.2011 10:51, Martin Kosek wrote:
On Mon, 2011-05-16 at 19:15 +0200, Jan Cholasta wrote:
On 16.5.2011 17:26, Martin Kosek wrote:
On Tue, 2011-05-10 at 20:11 +0200, Jan Cholasta wrote:

Split from patch 3, requires patch 18.
https://fedorahosted.org/freeipa/ticket/1213
Honza

I tested all patches (3.6, 18, 19), but I think some work still needs to be done:

1) What about adding /sbin/ip package to Requires in spec? I thought there was an agreement to do it.

Will do.

Ok.

2) When I run `ipa-server-install --ip-address=$ADDR`, and $ADDR is an invalid address (e.g. $ADDR==foo), a loopback address (e.g. $ADDR==127.0.0.1) or just another than the local address (e.g. $ADDR==123.123.123.123), the installer always fails with "the hostname resolves to an IP address that is different from the one provided on the command line". I think we may want a different error message in those 3 cases - it should be easy to do it now, with the improved IP handling.

It looks like the print statements from verify_ip_address don't actually print anything to the user. Will look into that.

Ok.

3) When I pass a netmask to ipa-server-install --ip-address=$ADDR, the installation always fails with the above message. Even though I took the addr+netmask from /sbin/ip address output.

Works for me. Please make sure you've added your hostname to /etc/hosts.

I think I had. But I will recheck when you send a fix.

4) I miss IP address checks in --ip-address and --forwarder parameters of ipa-dns-install script. I can pass invalid or local addresses to these parameters. This breaks Bind configuration.

--ip-address is checked, but --forwarder is not. Will fix that.

Ok, I will recheck both of them when you do.
5) I think we may want to check also for local address in #ipa host-add $HOST --ip-address=127.0.0.1

6) I couldn't add IP address with netmask in host module:
# ipa host-add $HOST --ip-address=10.16.78.102/22
ipa: ERROR: invalid 'ip_address': invalid IP address

The patches are for the installer, as are the tickets they fix, so these issues are out of scope. A new ticket should be opened for them.

You touched this parameter in your patches, that's why I tested it. I created a new ticket for it: https://fedorahosted.org/freeipa/ticket/1234

Ticket 1234, yey :-)

7) Why is the _ParsedIPAddress named with a leading underscore? It's not really an internal use since it is returned by new IP handling functions and used in other modules.

_ParsedIPAddress is not for public use. The fact that object of this class is returned by parse_ip_address doesn't really matter - this is Python, not C++ or Java.

Hm, snappy... And I was wondering why my /usr/bin/java doesn't want to run FreeIPA, now I know - it's because it's Python.
Martin

Patch updated. Requires patch 18.1
Honza

All reported issues were fixed, good idea with a new type for our IPAOptionParser. Still, NACK from me: ipa-replica-install doesn't use IPAOptionParser, but the good old OptionParser which doesn't know the new type. This makes ipa-replica-prepare crash all the time. I know, I am a nitpicker :-)
Martin

Thanks, I missed that.
Honza

Fixed and added a unit test.

NACK. Please test your patches before you send them for a review. It saves the reviewer's time.

Sorry, I'll do better next time.

1) Unwanted warning about unmatching network interface when replica is installed:
# ipa-replica-prepare vm-059.idm.lab.bos.redhat.com --ip-address=10.16.78.59
Warning: No network interface matches IP address 10.16.78.59
Directory Manager (existing master) password:
...

Fixed.
2) ipa-replica-install crashes
# ipa-replica-install /home/mkosek/replica-info-vm-059.idm.lab.bos.redhat.com.gpg
Directory Manager (existing master) password:
Configuring ntpd
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
done configuring ntpd.
creation of replica failed: unsupported operand type(s) for /: 'NoneType' and 'int'
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa-replica-install log:
2011-05-25 03:36:18,503 DEBUG unsupported operand type(s) for /: 'NoneType' and 'int'
File "/usr/sbin/ipa-replica-install", line 550, in <module>
main()
File "/usr/sbin/ipa-replica-install", line 496, in main
install_dns_records(config, options)
File "/usr/sbin/ipa-replica-install", line 329, in
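The address validation discussed in the patch 18 thread and the three error cases Martin lists in point 2 above (invalid, loopback, not a local address), as an added example that is not FreeIPA's own code: parse_ip_address, LocalInterface and ParsedIPAddress are hypothetical names, the interface table is a constructed stand-in for `ip address` output, and borrowing the netmask from the matching interface when none is given is this example's choice, not the project's.

```python
# Added example, not FreeIPA's own code: an installer-style address check in
# the spirit of the CheckedIPAddress work discussed in the patch 18 and 19
# threads, with a distinct error for each of the three cases raised in the
# review. parse_ip_address and LocalInterface are hypothetical names; the
# interface table is a constructed sample standing in for `ip address` output.
import ipaddress
from typing import List, NamedTuple, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
IPIface = Union[ipaddress.IPv4Interface, ipaddress.IPv6Interface]

class LocalInterface(NamedTuple):
    name: str
    iface: IPIface  # configured address plus netmask

# Constructed sample of what parsing `/sbin/ip address` would give.
SAMPLE_INTERFACES: List[LocalInterface] = [
    LocalInterface("lo", ipaddress.ip_interface("127.0.0.1/8")),
    LocalInterface("eth0", ipaddress.ip_interface("10.16.78.102/22")),
]

class ParsedIPAddress(NamedTuple):
    address: IPAddr
    prefixlen: int            # always an int, never None
    interface: Optional[str]  # None means "no network interface matches"

def parse_ip_address(text: str, interfaces=SAMPLE_INTERFACES,
                     match_local: bool = True) -> ParsedIPAddress:
    """Parse 'addr' or 'addr/prefix'; ValueError carries a case-specific message."""
    try:
        parsed = ipaddress.ip_interface(text)  # accepts "a.b.c.d" and "a.b.c.d/nn"
    except ValueError:
        raise ValueError("invalid IP address: %r" % text) from None
    addr = parsed.ip
    if addr.is_loopback or addr.is_unspecified or addr.is_multicast:
        raise ValueError("%s is a loopback, unspecified or multicast address" % addr)
    matched = next((i for i in interfaces if addr in i.iface.network), None)
    if match_local and matched is None:
        raise ValueError("%s is not configured on any local network interface" % addr)
    if "/" in text:
        prefixlen = parsed.network.prefixlen  # netmask given explicitly
    elif matched is not None:
        prefixlen = matched.iface.network.prefixlen  # borrow it from the interface
    else:
        prefixlen = addr.max_prefixlen  # host route; never leave None behind
    return ParsedIPAddress(addr, prefixlen, matched.name if matched else None)

def describe(text: str, **kw) -> str:
    try:
        parse_ip_address(text, **kw)
        return "ok"
    except ValueError as e:
        return str(e)
```

The prefix length is always an integer, which is the kind of guarantee that would have avoided the `'NoneType' and 'int'` crash shown in the replica log above.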
Re: [Freeipa-devel] [PATCH] 3 Add ability to specify netmask with IP addresses during installation
On Fri, 2011-05-27 at 22:09 +0200, Jan Cholasta wrote:
On 27.5.2011 16:49, Jan Cholasta wrote:
On 20.5.2011 20:29, Jan Cholasta wrote:
On 12.5.2011 14:47, Jan Cholasta wrote:

Rewrote host.py so that it doesn't use get_reverse_zone from ipaserver.bindinstance (which fixes the pylint errors).
Honza

Patch updated. Requires patch 18.1.

Another update, requires patch 18.3.
Honza

Updated, requires 18.4.

ACK, pushed to master.
Martin
Re: [Freeipa-devel] [PATCH] 762 Let the framework be able to override the hostname
On Fri, 2011-05-27 at 15:39 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Wed, 2011-05-25 at 11:29 -0400, Rob Crittenden wrote:
Martin Kosek wrote:
On Fri, 2011-04-01 at 11:47 -0400, Rob Crittenden wrote:

The hostname is passed in during the server installation. We should use this hostname for the resulting server as well. It was being discarded and we always used the system hostname value. ticket 1052
rob

I have to NACK this again. I have a problem communicating with IPA on a master machine. I reproduced it on 2 different machines. Please, correct my steps if I am wrong, I do the following procedure:
1) I prepare a fresh minimal F-15
2) Install freeipa-server (current master with your patches)
3) Add custom hostname to /etc/hosts
4) Install IPA server:
ipa-server-install -p secret123 -a secret123 --hostname ipa.idm.lab.bos.redhat.com --setup-dns --forwarder=10.16.255.2
5) # kinit admin
Password for ad...@idm.lab.bos.redhat.com:
6) # ipa user-show admin
ipa: ERROR: cannot connect to 'any of the configured servers': https://ipa.idm.lab.bos.redhat.com/ipa/xml, https://ipa.idm.lab.bos.redhat.com/ipa/xml

# ping -c 1 ipa.idm.lab.bos.redhat.com
PING ipa.idm.lab.bos.redhat.com (10.16.78.140) 56(84) bytes of data.
64 bytes from ipa.idm.lab.bos.redhat.com (10.16.78.140): icmp_req=1 ttl=64 time=0.049 ms

Apache error_log shows relevant errors:
[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
[Wed May 25 06:42:38 2011] [error] ipa: ERROR: Failed to start IPA: Unable to retrieve LDAP schema: Invalid credentials: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Permission denied)
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:55 2011] [error] Exception KeyError: KeyError(140250828974112,) in <module 'threading' from '/usr/lib64/python2.7/threading.pyc'> ignored
[Wed May 25 06:43:56 2011] [notice] caught SIGTERM, shutting down
[Wed May 25 06:43:56 2011] [notice] SELinux policy enabled; httpd running as context system_u:system_r:kernel_t:s0
[Wed May 25 06:43:57 2011] [notice] Digest: generating secret for digest authentication ...
[Wed May 25 06:43:57 2011] [notice] Digest: done
[Wed May 25 06:43:57 2011] [notice] Apache/2.2.17 (Unix) DAV/2 mod_auth_kerb/5.4 mod_nss/2.2.17 NSS/3.12.9.0 mod_wsgi/3.2 Python/2.7.1 configured -- resuming normal operations
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:44:04 2011] [error] ipa: INFO: *** PROCESS START ***
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] mod_wsgi (pid=5192): Exception occurred processing WSGI script '/usr/share/ipa/wsgi.py'.
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140] Traceback (most recent call last):
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/share/ipa/wsgi.py", line 48, in application
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     return api.Backend.session(environ, start_response)
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]   File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 141, in __call__
[Wed May 25 06:45:25 2011] [error] [client 10.16.78.140]     self.create_context(ccache=environ.get('KRB5CCNAME'))
[Freeipa-devel] [PATCH] 071 Fix forward zone creation in ipa-replica-prepare
This case was missed in patch 070 Fix reverse zone creation in ipa-replica-prepare. There are 2 patches, one for master and one for stable ipa-2-0 (without the newest IP address enhancement). Martin From 4f2e7e20dcb41b5f818aeb29a05225663ded7c6c Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Mon, 30 May 2011 14:47:31 +0200 Subject: [PATCH] Fix forward zone creation in ipa-replica-prepare When a new forward zone is created in ipa-replica-prepare the master DNS address gets corrupted by invalid A/ record. https://fedorahosted.org/freeipa/ticket/1260 --- install/tools/ipa-replica-prepare |5 +++-- 1 files changed, 3 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index 2765e4a0e5635d5400241d83070f58c46a13f840..df44934de8c15cf88ea7fc313a108c963197d3e4 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -430,6 +430,8 @@ def main(): ip_address = str(ip) ip_prefixlen = ip.prefixlen +ns_ip_address = resolve_host(api.env.host) + if ip.defaultnet: revzone = ip.reverse_dns if ip.version == 4: @@ -448,10 +450,9 @@ def main(): if prefix 0: ip_prefixlen = prefix else: -ns_ip_address = resolve_host(api.env.host) add_reverse_zone(ip_address, ip_prefixlen, ns_ip_address) -zone = add_zone(domain, nsaddr=ip_address) +zone = add_zone(domain, nsaddr=ns_ip_address) add_fwd_rr(zone, name, ip_address) add_ptr_rr(ip_address, ip_prefixlen, replica_fqdn) -- 1.7.5.2 From 168916d61cc15d345e9e745d85541d1fce9b4eba Mon Sep 17 00:00:00 2001 From: Martin Kosek mko...@redhat.com Date: Mon, 30 May 2011 14:51:27 +0200 Subject: [PATCH] Fix forward zone creation in ipa-replica-prepare When a new forward zone is created in ipa-replica-prepare the master DNS address gets corrupted by invalid A/ record. https://fedorahosted.org/freeipa/ticket/1260 --- install/tools/ipa-replica-prepare |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/install/tools/ipa-replica-prepare b/install/tools/ipa-replica-prepare index a41ca5121cd451093af3ee7c9d7282e300df53ca..914225f91106a43992ce9554e8b7f2d015034c00 100755 --- a/install/tools/ipa-replica-prepare +++ b/install/tools/ipa-replica-prepare @@ -426,9 +426,9 @@ def main(): name = domain.pop(0) domain = ..join(domain) -zone = add_zone(domain, nsaddr=options.ip_address) -add_rr(zone, name, A, options.ip_address) ns_ip_address = resolve_host(api.env.host) +zone = add_zone(domain, nsaddr=ns_ip_address) +add_rr(zone, name, A, options.ip_address) add_reverse_zone(options.ip_address, ns_ip_address) add_ptr_rr(options.ip_address, replica_fqdn) -- 1.7.5.2
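Review bot: master patch, first hunk (`@@ -430,6 +430,8 @@`, `+ns_ip_address = resolve_host(api.env.host)` hoisted above `if ip.defaultnet:`): the resolved master address is now used on every path, but nothing in the hunk checks that resolution succeeded before it is handed to add_zone()/add_reverse_zone(), so a failed lookup would only surface deep inside those helpers after DNS changes have started. Suggest checking the result right after the call and exiting with a clear message.

Review bot: master patch, second hunk (`@@ -448,10 +450,9 @@`, `-zone = add_zone(domain, nsaddr=ip_address)` / `+zone = add_zone(domain, nsaddr=ns_ip_address)`): the change matches the commit message, since the master's address becomes the NS glue and the replica's `ip_address` now only feeds add_fwd_rr()/add_ptr_rr(). A short comment on the nsaddr line saying that the NS address must be the master, not the replica being prepared, would stop this from regressing; the original line made the wrong choice look deliberate.

Review bot: ipa-2-0 patch (`@@ -426,9 +426,9 @@`): same reorder as master, with `options.ip_address` kept for the A record and the PTR. The same missing check on the `resolve_host(api.env.host)` result applies here, and because this branch lacks the newer IP address handling (as the cover note says), `options.ip_address` reaches add_rr()/add_reverse_zone() unparsed, so a malformed value is caught only by those helpers.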