Re: [Freeipa-devel] [PATCH] 317 Improve StrEnum validation error message

2012-10-01 Thread Martin Kosek
On 10/01/2012 09:19 AM, Jan Cholasta wrote:
 On 27.9.2012 14:28, Martin Kosek wrote:
 Do not print list of possible values as %r but simply as a list
 of quoted values which should make it easier to read for users.
 Also add a special case when there is just one allowed value.

 https://fedorahosted.org/freeipa/ticket/2869


 Examples of the improved Enum validation error messages:

 # ipa automember-add foo --type=bar
 ipa: ERROR: invalid 'type': must be one of 'group', 'hostgroup'

 # ipa trust-add foo --type=foo
 ipa: ERROR: invalid 'type': must be 'ad'

 Martin

 
 IMO instead of doing this:
 
 +else:
 +return _(must be empty)
 
 we should not allow empty values kwarg in Enum at all, i.e. check that
 len(self.values) > 0 in Enum.__init__.

Right, I fixed it. I also added a relevant test case to our unit tests.

 
 Also, I have opened https://fedorahosted.org/freeipa/ticket/3121, as we use
 %r in more places where we should not.
 
 Honza
 

Thanks. New patch attached.

Martin
From ba830b681b95b347675031e27fff5cde8a9242fb Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Thu, 27 Sep 2012 14:18:02 +0200
Subject: [PATCH] Improve StrEnum validation error message

Do not print list of possible values as %r but simply as a list
of quoted values which should make it easier to read for users.
Also add a special case when there is just one allowed value.

https://fedorahosted.org/freeipa/ticket/2869
---
 ipalib/parameters.py | 15 ++-
 tests/test_ipalib/test_parameters.py | 25 +++--
 2 files changed, 33 insertions(+), 7 deletions(-)

diff --git a/ipalib/parameters.py b/ipalib/parameters.py
index 53756a80a422135e99a3ecd1e9511e037e52c0dc..b3a75f288f895449cfa460c4c1512853248c8cd9 100644
--- a/ipalib/parameters.py
+++ b/ipalib/parameters.py
@@ -1595,12 +1595,17 @@ class Enum(Param):
 TYPE_ERROR % (n, self.type, v, type(v))
 )
 
+if len(self.values)  1:
+raise ValueError(
+'%s: list of values must not be empty' % self.nice)
+
 def _rule_values(self, _, value, **kw):
 if value not in self.values:
-return _('must be one of %(values)r') % dict(
-values=self.values,
-)
-
+if len(self.values) == 1:
+return _(must be '%(value)s') % dict(value=self.values[0])
+else:
+values = u', '.join('%s' % value for value in self.values)
+return _('must be one of %(values)s') % dict(values=values)
 
 class BytesEnum(Enum):
 
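Review bot: In `_rule_values`, building the list with `u', '.join(...)` and `%s` is not safe for `BytesEnum`, which inherits this rule: under Python 2 a byte string containing non-ASCII bytes raises UnicodeDecodeError when it is joined into a unicode string, whereas the old `%(values)r` could not fail. Keep repr-style escaping for byte values or give `BytesEnum` its own rule. The separator and the quote characters are also assembled outside the translatable string, so a translation cannot adapt them.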
@@ -1622,7 +1627,7 @@ class StrEnum(Enum):
  enum.validate(u'Four', 'cli')
 Traceback (most recent call last):
   ...
-ValidationError: invalid 'my_enum': must be one of (u'One', u'Two', u'Three')
+ValidationError: invalid 'my_enum': must be one of 'One', 'Two', 'Three'
 
 
 type = unicode
diff --git a/tests/test_ipalib/test_parameters.py b/tests/test_ipalib/test_parameters.py
index 0b6fae375639ee0e012a9cee12311adc62b63934..e6ac91db787c4b494f525641dd1aab989eb55ef0 100644
--- a/tests/test_ipalib/test_parameters.py
+++ b/tests/test_ipalib/test_parameters.py
@@ -1140,6 +1140,12 @@ class test_StrEnum(ClassChecker):
 StrEnum('my_enum') values[1], unicode, 'naughty', str
 )
 
+# Test that ValueError is raised when list of values is empty
+badvalues = tuple()
+e = raises(ValueError, self.cls, 'empty_enum', values=badvalues)
+assert_equal(str(e), StrEnum('empty_enum'): list of values must not 
+be empty)
+
 def test_rules_values(self):
 
 Test the `ipalib.parameters.StrEnum._rule_values` method.
@@ -1147,7 +1153,7 @@ class test_StrEnum(ClassChecker):
 values = (u'Hello', u'naughty', u'nurse!')
 o = self.cls('my_enum', values=values)
 rule = o._rule_values
-translation = u'values=%(values)s'
+translation = uvalues='Hello', 'naughty', 'nurse!'
 dummy = dummy_ugettext(translation)
 
 # Test with passing values:
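Review bot: The new `translation` literal has no `%(values)s` placeholder, so the later `translation % dict(values=values)` is a no-op and the assertion on the rule's return value passes whatever text the rule interpolates. Keep `u'values=%(values)s'` and compare the result against the expected joined text, so the test exercises the new formatting.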
@@ -1161,7 +1167,22 @@ class test_StrEnum(ClassChecker):
 rule(dummy, val),
 translation % dict(values=values),
 )
-assert_equal(dummy.message, 'must be one of %(values)r')
+assert_equal(dummy.message, must be one of %(values)s)
+dummy.reset()
+
+# test a special case when we have just one allowed value
+values = (u'Hello', )
+o = self.cls('my_enum', values=values)
+rule = o._rule_values
+translation = uvalue='Hello'
+dummy = dummy_ugettext(translation)
+
+for val in (u'Howdy', u'quiet', u'library!'):
+assert_equal(
+rule(dummy, val),
+translation % dict(values=values),
+)
+assert_equal(dummy.message, must be '%(value)s')
 dummy.reset()
 
 
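Review bot: In the single-value block the expected value is built with `dict(values=values)` although the message under test uses the key `value`; the assertion passes only because `translation` contains no placeholder. Use a format string such as `u'value=%(value)s'` and build the expected text from `dict(value=values[0])`.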
-- 

Re: [Freeipa-devel] [PATCH] 317 Improve StrEnum validation error message

2012-10-01 Thread Jan Cholasta

On 1.10.2012 10:05, Martin Kosek wrote:

On 10/01/2012 09:19 AM, Jan Cholasta wrote:

On 27.9.2012 14:28, Martin Kosek wrote:

Do not print list of possible values as %r but simply as a list
of quoted values which should make it easier to read for users.
Also add a special case when there is just one allowed value.

https://fedorahosted.org/freeipa/ticket/2869


Examples of the improved Enum validation error messages:

# ipa automember-add foo --type=bar
ipa: ERROR: invalid 'type': must be one of 'group', 'hostgroup'

# ipa trust-add foo --type=foo
ipa: ERROR: invalid 'type': must be 'ad'

Martin



IMO instead of doing this:

+else:
+return _(must be empty)

we should not allow empty values kwarg in Enum at all, i.e. check that
len(self.values) > 0 in Enum.__init__.


Right, I fixed it. I also added a relevant test case to our unit tests.



Also, I have opened https://fedorahosted.org/freeipa/ticket/3121, as we use
%r in more places where we should not.

Honza



Thanks. New patch attached.

Martin



ACK.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


[Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Alexander Bokovoy

Hi,

The patch attached fixes Fedora build system issue with unified samba
package (samba/samba4 packages got merged in Fedora 18 and Rawhide
recently) since we depend on a wbclient.h header file path to which
included versioned directory name previously (samba-4.0/ vs samba/).
--
/ Alexander Bokovoy
From 45a8c7255199dc3b8bf1c0bbb6c4535abf75c899 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Mon, 1 Oct 2012 12:18:36 +0300
Subject: [PATCH 2/2] Support both unified samba and samba/samba4 packages for
 wbclient.h

Fedora 18 (and beyond) has moved to unified samba package, while
previous versions and RHEL 6.x are still using separate samba and samba4
packages.

We need to access wbclient.h header which may now be either samba-4.0/wbclient.h
or samba/wbclient.h depending on a setup.

This patch fixes the issue found by Fedora build system.
---
 daemons/configure.ac|  8 ++--
 daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h | 10 +-
 2 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/daemons/configure.ac b/daemons/configure.ac
index 
ebf625ebffd8a92e0a3b050955b9376e002ed6c9..581d5640221b3ba29bf85620d3bf742ceffb3cfb
 100644
--- a/daemons/configure.ac
+++ b/daemons/configure.ac
@@ -241,8 +241,12 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
 SAMBA40EXTRA_LIBPATH=-L`$PKG_CONFIG --variable=libdir samba-util`/samba 
-Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba
 AC_SUBST(SAMBA40EXTRA_LIBPATH)
 AC_CHECK_HEADERS([samba-4.0/wbclient.h],
- ,
- [AC_MSG_ERROR([samba-4.0/wbclient.h not found])],
+,
+[AC_CHECK_HEADERS([samba/wbclient.h],
+  ,
+  [AC_MSG_ERROR([samba/wbclient.h not found])],
+  [#include stdbool.h
+   #include stdint.h])],
  [#include stdbool.h
   #include stdint.h])
 AC_CHECK_LIB([wbclient],
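Review bot: When neither header exists, the inner `AC_MSG_ERROR([samba/wbclient.h not found])` names only the fallback path and hides that `samba-4.0/wbclient.h` was tried first. Word the error so it covers both locations, and consider hinting at the package that should provide the header.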
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 
5c2eeddceb3983fa5793c1a7fa86c5001c47beba..f6fd0aaa2dacb037dbdda49fa7454fd6bbd1aaab
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -54,7 +54,15 @@
 #include stdlib.h
 #include stdint.h
 
-#include samba-4.0/wbclient.h
+#ifdef HAVE_SAMBA_4_0_WBCLIENT_H
+#  include samba-4.0/wbclient.h
+#else
+#  ifdef HAVE_SAMBA_WBCLIENT_H
+#include samba/wbclient.h
+#  else
+#error wbclient.h header from Samba was not found
+#  endif
+#endif
 
 #include dirsrv/slapi-plugin.h
 #include lber.h
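Review bot: The nested `#ifdef` / `#else` / `#ifdef` can be flattened to `#if defined(HAVE_SAMBA_4_0_WBCLIENT_H)`, `#elif defined(HAVE_SAMBA_WBCLIENT_H)`, `#else`, which keeps the `#error` as the single fallthrough. The inner `#include` and `#error` lines also do not follow the `#  ` indentation used on the first branch.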
-- 
1.7.12


Re: [Freeipa-devel] [PATCH] 317 Improve StrEnum validation error message

2012-10-01 Thread Martin Kosek
On 10/01/2012 11:16 AM, Jan Cholasta wrote:
 On 1.10.2012 10:05, Martin Kosek wrote:
 On 10/01/2012 09:19 AM, Jan Cholasta wrote:
 On 27.9.2012 14:28, Martin Kosek wrote:
 Do not print list of possible values as %r but simply as a list
 of quoted values which should make it easier to read for users.
 Also add a special case when there is just one allowed value.

 https://fedorahosted.org/freeipa/ticket/2869


 Examples of the improved Enum validation error messages:

 # ipa automember-add foo --type=bar
 ipa: ERROR: invalid 'type': must be one of 'group', 'hostgroup'

 # ipa trust-add foo --type=foo
 ipa: ERROR: invalid 'type': must be 'ad'

 Martin


 IMO instead of doing this:

 +else:
 +return _(must be empty)

 we should not allow empty values kwarg in Enum at all, i.e. check that
 len(self.values) > 0 in Enum.__init__.

 Right, I fixed it. I also added a relevant test case to our unit tests.


 Also, I have opened https://fedorahosted.org/freeipa/ticket/3121, as we 
 use
 %r in more places where we should not.

 Honza


 Thanks. New patch attached.

 Martin

 
 ACK.
 
 Honza
 

Pushed to master, ipa-3-0.

Martin



Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-01 Thread Petr Viktorin

On 09/27/2012 10:26 AM, Petr Viktorin wrote:

On 09/20/2012 05:58 AM, Ade Lee wrote:

Changes to use a single database for dogtag and IPA

 New servers that are installed with dogtag 10 instances will use
 a single database instance for dogtag and IPA, albeit with different
 suffixes.  Dogtag will communicate with the instance through a
 database user with permissions to modify the dogtag  suffix only.
 This user will authenticate using client auth using the subsystem
cert
 for the instance.

 This patch includes changes to allow the creation of masters and
clones
 with single ds instances.

I have tested being able to create a master and a clone using f17 and
dogtag 10.  Note that you will need to use the latest builds on the
dogtag repo to get some changes that were checked in today.  We'll kick
off another official f18 dogtag build in a day or so.

This is a pretty big change - so I expect many issues to come up as
things get tested.  But as this will take awhile to get resolved, it's
better to get this out for review as fast as possible.

Happy reviewing.

Ade




Attaching a rebased patch with a couple of style issues fixed.
- PEP8 compliance (remove trailing whitespace, use parentheses rather
than \ for line continuation, wrap touched lines at 80 characters)
- for files, use the with statement instead of the open/close sandwich
- don't mix tabs and spaces in install/share/certmap.conf.template

I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
now obsoletes pki-setup.


I still need selinux in permissive mode to install on f17, and I still
need to exclude *.i686 packages when updating.



Are the following limitations expected?

IPA and Dogtag have to be updated simultaneously; it's not possible to 
have current IPA master with Dogtag 10, or IPA with this patch with D9.


It is not possible to create a replica from a machine with a single DS 
to an older version without the patch -- the older version will try the 
wrong ports.




I've tried to run ipa-ca-install on a D10 replica cloned from an
upgraded (unpatched→patched IPA, D9→D10) master, and I got "Failed to
obtain installation token from security domain" (see attached log).


AFAICS pkispawn returns with exit code 0 on error, so our installation 
script fails later, on missing 
/var/lib/pki/pki-tomcat/alias/ca_backup_keys.p12. It would be nice if 
pkispawn told us it failed.



--
Petr³

Re: [Freeipa-devel] [PATCH 0014] Improve user addition to default group in host-add

2012-10-01 Thread Tomas Babej

On 09/26/2012 04:12 PM, Martin Kosek wrote:

On 09/26/2012 03:23 PM, Tomas Babej wrote:

On 09/25/2012 12:37 PM, Tomas Babej wrote:

Hi,

On adding new user, host-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.

https://fedorahosted.org/freeipa/ticket/3097

Tomas

I fixed the typo in the commit message. It refers to the proper command now.

Tomas

I would also like to see the tests that Petr Viktorin already asked for.

Setting an automember default group to ipausers, adding a user and checking the
result should be enough.

Martin


I added a relevant test to the test_host_plugin.py file.

Tomas
From 1fde7997741ed113cebcc1122f6d8b49c2aac959 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 25 Sep 2012 06:20:49 -0400
Subject: [PATCH] Improve user addition to default group in user-add

On adding new user, user-add tries to make it a member of default
user group. This, however, can raise AlreadyGroupMember when the
user is already member of this group due to automember rule or
default group configured. This patch makes sure AlreadyGroupMember
exception is caught in such cases.

https://fedorahosted.org/freeipa/ticket/3097
---
 ipalib/plugins/user.py| 10 +-
 tests/test_xmlrpc/test_user_plugin.py | 65 +++
 2 files changed, 74 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
index e6eb0d9cb3f483ab7c92a8ccc78be3c867360d28..5d667dc94d483c2775d4a1d793624fc081615047 100644
--- a/ipalib/plugins/user.py
+++ b/ipalib/plugins/user.py
@@ -538,7 +538,15 @@ class user_add(LDAPCreate):
 # add the user we just created into the default primary group
 def_primary_group = config.get('ipadefaultprimarygroup')
 group_dn = self.api.Object['group'].get_dn(def_primary_group)
-ldap.add_entry_to_group(dn, group_dn)
+
+# if the user is already a member of default primary group,
+# do not raise error
+# this can happen if automember rule or default group is set
+try:
+ldap.add_entry_to_group(dn, group_dn)
+except errors.AlreadyGroupMember:
+pass
+
 if self.api.env.wait_for_attr:
 newentry = wait_for_value(ldap, dn, 'memberOf', def_primary_group)
 entry_from_entry(entry_attrs, newentry)
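Review bot: The comment above the `try` runs three fragments together without punctuation; one sentence saying that the user may already be a member through an automember rule or default group, and that this is not an error, would read better. The `try` body is rightly limited to `add_entry_to_group`, so other LDAP errors still propagate.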
diff --git a/tests/test_xmlrpc/test_user_plugin.py b/tests/test_xmlrpc/test_user_plugin.py
index 63a24cd64105bdf510ff930c0adc7b9c7aa511cb..50630a0f9f8073e9130aa027c32323558b248bf8 100644
--- a/tests/test_xmlrpc/test_user_plugin.py
+++ b/tests/test_xmlrpc/test_user_plugin.py
@@ -66,6 +66,7 @@ class test_user(Declarative):
 cleanup_commands = [
 ('user_del', [user1, user2, renameduser1, admin2], {'continue': True}),
 ('group_del', [group1], {}),
+('automember_default_group_remove', [], {'type': u'group'}),
 ]
 
 tests = [
@@ -1682,4 +1683,68 @@ class test_user(Declarative):
 container=admins_group),
 ),
 
+dict(
+desc='Set default automember group for groups as ipausers',
+command=(
+'automember_default_group_set', [], dict(
+type=u'group',
+automemberdefaultgroup=u'ipausers'
+)
+),
+expected=dict(
+result=dict(
+cn=[u'Group'],
+automemberdefaultgroup=[DN(('cn', 'ipausers'), ('cn', 'groups'), ('cn', 'accounts'), api.env.basedn)],
+),
+value=u'group',
+summary=u'Set default (fallback) group for automember group',
+),
+),
+
+dict(
+desc='Delete %s' % user2,
+command=('user_del', [user2], {}),
+expected=dict(
+result=dict(failed=u''),
+summary=u'Deleted user %s' % user2,
+value=user2,
+),
+),
+
+dict(
+desc='Create %r' % user2,
+command=(
+'user_add', [user2], dict(givenname=u'Test', sn=u'User2')
+),
+expected=dict(
+value=user2,
+summary=u'Added user tuser2',
+result=dict(
+gecos=[u'Test User2'],
+givenname=[u'Test'],
+homedirectory=[u'/home/tuser2'],
+krbprincipalname=[u'tuser2@' + api.env.realm],
+has_keytab=False,
+has_password=False,
+loginshell=[u'/bin/sh'],
+objectclass=objectclasses.user,
+sn=[u'User2'],
+uid=[user2],
+
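Review bot: The new "Create" case hard-codes `summary=u'Added user tuser2'` and `homedirectory=[u'/home/tuser2']` while `value` and `uid` use the `user2` variable, and the "Delete" case just above formats its summary from `user2`; build these strings from `user2` as well so the case survives a rename. `desc='Create %r'` next to `desc='Delete %s'` is inconsistent, and the `automemberdefaultgroup=[DN(...)]` line runs well past 80 characters.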

Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Martin Kosek
On 10/01/2012 11:24 AM, Alexander Bokovoy wrote:
 Hi,
 
 The patch attached fixes Fedora build system issue with unified samba
 package (samba/samba4 packages got merged in Fedora 18 and Rawhide
 recently) since we depend on a wbclient.h header file path to which
 included versioned directory name previously (samba-4.0/ vs samba/).
 

I am not convinced this is a correct approach, this was failing on my Fedora 18
instance anyway:

# make rpms
...
checking for NDR... yes
checking for SAMBAUTIL... yes
checking for samba-4.0/wbclient.h... no
checking for samba/wbclient.h... no
configure: error: samba/wbclient.h not found
make: *** [bootstrap-autogen] Error 1

The problem was that samba-devel package is no longer providing wbclient.h
header file:

# rpm -qR samba-devel-4.0.0-150.fc18.rc1.x86_64 | grep wbclient.h
#

I had a discussion with Andreas (CC-ed), the root cause was a missing
libwbclient-devel package which is the new provider of the samba-4.0/wbclient.h
file. He was also not aware of /usr/include/samba-4.0/ - /usr/include/samba/
change.

I created a new patch with recommended approach (attached). Could you please
check if it is OK? It worked for me on both Fedora 17 and 18.

Thanks,
Martin
From cc2c6be1c677a5ed8c923742d76827e1a2887470 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 1 Oct 2012 15:32:36 +0200
Subject: [PATCH] Add support for unified samba packages

Fedora 18 and later has moved unified samba and samba4 packages. Update
Requires and BuildRequires in spec file to require correct versions.

Also require libwbclient-devel which now provides libwbclient.h instead
of samba4-devel package.
---
 freeipa.spec.in | 18 +-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index ef9678ec25d5ab8ed064657904c17a4f52e85eac..c86c08acca0c895e858aeea3f167254536cecd83 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -31,8 +31,14 @@ BuildRequires:  policycoreutils = %{POLICYCOREUTILSVER}
 %if 0%{?fedora} = 16
 BuildRequires:  systemd-units
 %endif
+%if 0%{?fedora} = 18
+BuildRequires:  samba-devel = 4.0.0-150
+BuildRequires:  samba-python
+BuildRequires:  libwbclient-devel
+%else
 BuildRequires:  samba4-devel = 4.0.0-139
 BuildRequires:  samba4-python
+%endif
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 %endif
@@ -214,10 +220,16 @@ Summary: Virtual package to install packages required for Active Directory trust
 Group: System Environment/Base
 Requires: %{name}-server = %version-%release
 Requires: python-crypto
+%if 0%{?fedora} = 18
+Requires: samba-python
+Requires: samba
+Requires: samba-winbind
+%else
 Requires: samba4-python
 Requires: samba4
-Requires: libsss_idmap
 Requires: samba4-winbind
+%endif
+Requires: libsss_idmap
 
 %description server-trust-ad
 Cross-realm trusts with Active Directory in IPA require working Samba 4 installation.
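Review bot: Moving `Requires: libsss_idmap` below the `%endif` shows up as a removal and an addition several lines apart, which is easy to misread as dropping the dependency. Leave the line above the `%if` block, where it is unconditional in the same way, or mention the move in the commit message.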
@@ -748,6 +760,10 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
 %changelog
+* Mon Oct  1 2012 Martin Kosek mko...@redhat.com - 2.99.0-47
+- Require samba packages instead of samba4 packages obsoleted in Fedora 18 and later
+- Add libwbclient-devel BuildRequires to pick up libwbclient.h on Fedora 18 and later
+
 * Tue Sep 18 2012 Petr Viktorin pvikt...@redhat.com - 2.99.0-46
 - Set certmonger minimum version to 0.60 for Dogtag 10 support.
 
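Review bot: The changelog entry says `libwbclient.h`, but the header the build looks for, per the configure output quoted in this thread, is `wbclient.h`; `libwbclient-devel` is the package name. Correct the header name in the entry.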
-- 
1.7.11.4


Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-01 Thread Martin Kosek
On 10/01/2012 03:35 PM, Petr Viktorin wrote:
 On 09/27/2012 10:26 AM, Petr Viktorin wrote:
 On 09/20/2012 05:58 AM, Ade Lee wrote:
 Changes to use a single database for dogtag and IPA

  New servers that are installed with dogtag 10 instances will use
  a single database instance for dogtag and IPA, albeit with different
  suffixes.  Dogtag will communicate with the instance through a
  database user with permissions to modify the dogtag  suffix only.
  This user will authenticate using client auth using the subsystem
 cert
  for the instance.

  This patch includes changes to allow the creation of masters and
 clones
  with single ds instances.

 I have tested being able to create a master and a clone using f17 and
 dogtag 10.  Note that you will need to use the latest builds on the
 dogtag repo to get some changes that were checked in today.  We'll kick
 off another official f18 dogtag build in a day or so.

 This is a pretty big change - so I expect many issues to come up as
 things get tested.  But as this will take awhile to get resolved, it's
 better to get this out for review as fast as possible.

 Happy reviewing.

 Ade



 Attaching a rebased patch with a couple of style issues fixed.
 - PEP8 compliance (remove trailing whitespace, use parentheses rather
 than \ for line continuation, wrap touched lines at 80 characters)
 - for files, use the with statement instead of the open/close sandwich
 - don't mix tabs and spaces in install/share/certmap.conf.template

 I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
 now obsoletes pki-setup.


 I still need selinux in permissive mode to install on f17, and I still
 need to exclude *.i686 packages when updating.

 
 Are the following limitations expected?
 
 IPA and Dogtag have to be updated simultaneously; it's not possible to have
 current IPA master with Dogtag 10, or IPA with this patch with D9.
 
 It is not possible to create a replica from a machine with a single DS to an
 older version without the patch -- the older version will try the wrong ports.

In this case, I think we are covered - we do not support installation of a
replica with a lower version than the master where the replica info file was
created. Rob's patch 26dfbe61dd399e9c34f6f5bdeb25a197f1f461cb should ensure
this for next version release. For 3.0 I think we will have to settle with a
note in Documentation.

We just need to make sure that 3.0 replica made out of 2.x master will work.

Martin



Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Alexander Bokovoy

On Mon, 01 Oct 2012, Martin Kosek wrote:

On 10/01/2012 11:24 AM, Alexander Bokovoy wrote:

Hi,

The patch attached fixes Fedora build system issue with unified samba
package (samba/samba4 packages got merged in Fedora 18 and Rawhide
recently) since we depend on a wbclient.h header file path to which
included versioned directory name previously (samba-4.0/ vs samba/).



I am not convinced this is a correct approach, this was failing on my Fedora 18
instance anyway:

# make rpms
...
checking for NDR... yes
checking for SAMBAUTIL... yes
checking for samba-4.0/wbclient.h... no
checking for samba/wbclient.h... no
configure: error: samba/wbclient.h not found
make: *** [bootstrap-autogen] Error 1

The problem was that samba-devel package is no longer providing wbclient.h
header file:

# rpm -qR samba-devel-4.0.0-150.fc18.rc1.x86_64 | grep wbclient.h
#

I had a discussion with Andreas (CC-ed), the root cause was a missing
libwbclient-devel package which is the new provider of the samba-4.0/wbclient.h
file. He was also not aware of /usr/include/samba-4.0/ - /usr/include/samba/
change.

I created a new patch with recommended approach (attached). Could you please
check if it is OK? It worked for me on both Fedora 17 and 18.

ACK for your patch except one change:


@@ -214,10 +220,16 @@ Summary: Virtual package to install packages required for 
Active Directory trust
Group: System Environment/Base
Requires: %{name}-server = %version-%release
Requires: python-crypto
+%if 0%{?fedora} = 18
+Requires: samba-python
+Requires: samba
+Requires: samba-winbind
+%else
Requires: samba4-python
Requires: samba4
-Requires: libsss_idmap

Why is libsss_idmap removed? I'd assume this is a mistake.

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans

2012-10-01 Thread Rob Crittenden
The web uninstall step can be very long because we restore two SELinux 
booleans individually. This patch combines them into a single step, and 
skips setting them if the values won't actually change.


rob
From f9cfa7252e7a5d967ca0786c56431589b4489660 Mon Sep 17 00:00:00 2001
From: Rob Crittenden rcrit...@redhat.com
Date: Wed, 26 Sep 2012 16:45:52 -0400
Subject: [PATCH] Selectively restore SELinux booleans on uninstall

Restore only those values that have changed and do the restoration
in a single step instead of one at a time.  This improves uninstall
performance in the web server step.

https://fedorahosted.org/freeipa/ticket/2934
---
 ipaserver/install/httpinstance.py | 17 ++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index e1d8b6db8503cf8eacc337b58f49054f3590eda4..ee6506f62001d057403e02b4b64716223959d220 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -340,14 +340,25 @@ class HTTPInstance(service.Service):
 installutils.remove_file(/etc/httpd/conf.d/ipa.conf)
 installutils.remove_file(/etc/httpd/conf.d/ipa-pki-proxy.conf)
 
+changes = []
 for var in [httpd_can_network_connect, httpd_manage_ipa]:
 sebool_state = self.restore_state(var)
 if not sebool_state is None:
 try:
-ipautil.run([/usr/sbin/setsebool, -P, var, sebool_state])
+(stdout, stderr, returncode) = ipautil.run([/usr/sbin/getsebool, var])
 except ipautil.CalledProcessError, e:
-self.print_msg(Cannot restore SELinux boolean '%s' back to '%s': %s \
-% (var, sebool_state, e))
+self.print_msg(Cannot get current state of SELinux boolean: %s % e)
+else:
+current_state = stdout.split()[2]
+if current_state != sebool_state:
+changes.append('%s=%s' % (var, sebool_state))
+if changes:
+args = [/usr/sbin/setsebool, -P]
+args.extend(changes)
+try:
+ipautil.run(args)
+except ipautil.CalledProcessError, e:
+self.print_msg(Cannot restore SELinux booleans: %s % e)
 
 if not running is None and running:
 self.start()
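Review bot: `current_state = stdout.split()[2]` in the `else:` branch trusts the shape of the `getsebool` output; if the command exits 0 with fewer than three tokens, the IndexError is raised outside any handler and aborts the uninstall. Check the token count before indexing. The `current_state != sebool_state` comparison also assumes the saved state uses the same spelling that `getsebool` prints, and the combined failure message no longer says which booleans were left unrestored; include `changes` in it.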
-- 
1.7.11.4
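
An added example, not code from the patch or from FreeIPA: one way to turn saved boolean states and `getsebool` output into a single `setsebool -P` call that touches only the booleans whose state differs. The helper names, the saved values and the sample output are constructed; the `name --> on|off` line format is assumed from the patch's use of `stdout.split()[2]`.

```python
import re

# One line of `getsebool NAME` output, e.g. "httpd_manage_ipa --> on".
# Assumed format; anything that does not match is treated as unknown.
_LINE = re.compile(r"^(?P<name>[A-Za-z0-9_]+)\s+-->\s+(?P<state>on|off)\b")

_TRUE = {"on", "1", "true"}
_FALSE = {"off", "0", "false"}


def normalize(state):
    """Map the spellings setsebool accepts to 'on'/'off'; None if unknown."""
    text = str(state).strip().lower()
    if text in _TRUE:
        return "on"
    if text in _FALSE:
        return "off"
    return None


def parse_getsebool(output):
    """Return {name: 'on'|'off'} for well-formed lines, skipping the rest."""
    current = {}
    for line in output.splitlines():
        match = _LINE.match(line.strip())
        if match:
            current[match.group("name")] = match.group("state")
    return current


def plan_restore(saved, getsebool_output):
    """Build one setsebool argv restoring only booleans whose state differs.

    Returns (argv, skipped). argv is None when nothing has to change;
    skipped lists booleans whose saved or current state could not be read,
    so the caller can report them instead of silently leaving them as-is.
    """
    current = parse_getsebool(getsebool_output)
    changes, skipped = [], []
    for name in sorted(saved):
        want = normalize(saved[name])
        have = current.get(name)
        if want is None or have is None:
            skipped.append(name)
        elif want != have:
            changes.append("%s=%s" % (name, want))
    argv = ["/usr/sbin/setsebool", "-P"] + changes if changes else None
    return argv, skipped


if __name__ == "__main__":
    # Constructed sample: states saved at install time and current output.
    saved_states = {"httpd_can_network_connect": "off",
                    "httpd_manage_ipa": "off"}
    sample_output = ("httpd_can_network_connect --> on\n"
                     "httpd_manage_ipa --> off\n")
    print(plan_restore(saved_states, sample_output))
```

A boolean reported in `skipped` was neither confirmed nor restored, so an uninstaller using this plan should surface it to the administrator.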


Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Martin Kosek
On 10/01/2012 04:35 PM, Alexander Bokovoy wrote:
 On Mon, 01 Oct 2012, Martin Kosek wrote:
 On 10/01/2012 11:24 AM, Alexander Bokovoy wrote:
 Hi,

 The patch attached fixes Fedora build system issue with unified samba
 package (samba/samba4 packages got merged in Fedora 18 and Rawhide
 recently) since we depend on a wbclient.h header file path to which
 included versioned directory name previously (samba-4.0/ vs samba/).


 I am not convinced this is a correct approach, this was failing on my Fedora 
 18
 instance anyway:

 # make rpms
 ...
 checking for NDR... yes
 checking for SAMBAUTIL... yes
 checking for samba-4.0/wbclient.h... no
 checking for samba/wbclient.h... no
 configure: error: samba/wbclient.h not found
 make: *** [bootstrap-autogen] Error 1

 The problem was that samba-devel package is no longer providing wbclient.h
 header file:

 # rpm -qR samba-devel-4.0.0-150.fc18.rc1.x86_64 | grep wbclient.h
 #

 I had a discussion with Andreas (CC-ed), the root cause was a missing
 libwbclient-devel package which is the new provider of the 
 samba-4.0/wbclient.h
 file. He was also not aware of /usr/include/samba-4.0/ - /usr/include/samba/
 change.

 I created a new patch with recommended approach (attached). Could you please
 check if it is OK? It worked for me on both Fedora 17 and 18.
 ACK for your patch except one change:
 
 @@ -214,10 +220,16 @@ Summary: Virtual package to install packages required
 for Active Directory trust
 Group: System Environment/Base
 Requires: %{name}-server = %version-%release
 Requires: python-crypto
 +%if 0%{?fedora} = 18
 +Requires: samba-python
 +Requires: samba
 +Requires: samba-winbind
 +%else
 Requires: samba4-python
 Requires: samba4
 -Requires: libsss_idmap
 Why is libsss_idmap removed? I'd assume this is a mistake.
 

I just moved it to the end of the Requires list so that I can group samba
Fedora-version-dependent Requires together:

...
+%else
 Requires: samba4-python
 Requires: samba4
-Requires: libsss_idmap
 Requires: samba4-winbind
+%endif
+Requires: libsss_idmap   

Martin



Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans

2012-10-01 Thread Petr Viktorin

On 10/01/2012 04:41 PM, Rob Crittenden wrote:

The web uninstall step can be very long because we restore two SELinux
booleans individually. This patch combines them into a single step, and
skips setting them if the values won't actually change.

rob




Is there a reason to not reuse the code that sets the values on install? 
As far as I can tell it does the same thing slightly differently.


--
Petr³



Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Alexander Bokovoy

On Mon, 01 Oct 2012, Martin Kosek wrote:

On 10/01/2012 04:35 PM, Alexander Bokovoy wrote:

On Mon, 01 Oct 2012, Martin Kosek wrote:

On 10/01/2012 11:24 AM, Alexander Bokovoy wrote:

Hi,

The patch attached fixes Fedora build system issue with unified samba
package (samba/samba4 packages got merged in Fedora 18 and Rawhide
recently) since we depend on a wbclient.h header file path to which
included versioned directory name previously (samba-4.0/ vs samba/).



I am not convinced this is a correct approach, this was failing on my Fedora 18
instance anyway:

# make rpms
...
checking for NDR... yes
checking for SAMBAUTIL... yes
checking for samba-4.0/wbclient.h... no
checking for samba/wbclient.h... no
configure: error: samba/wbclient.h not found
make: *** [bootstrap-autogen] Error 1

The problem was that samba-devel package is no longer providing wbclient.h
header file:

# rpm -qR samba-devel-4.0.0-150.fc18.rc1.x86_64 | grep wbclient.h
#

I had a discussion with Andreas (CC-ed), the root cause was a missing
libwbclient-devel package which is the new provider of the samba-4.0/wbclient.h
file. He was also not aware of /usr/include/samba-4.0/ - /usr/include/samba/
change.

I created a new patch with recommended approach (attached). Could you please
check if it is OK? It worked for me on both Fedora 17 and 18.

ACK for your patch except one change:


@@ -214,10 +220,16 @@ Summary: Virtual package to install packages required
for Active Directory trust
Group: System Environment/Base
Requires: %{name}-server = %version-%release
Requires: python-crypto
+%if 0%{?fedora} = 18
+Requires: samba-python
+Requires: samba
+Requires: samba-winbind
+%else
Requires: samba4-python
Requires: samba4
-Requires: libsss_idmap
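Review bot: The `%else` branch is also what a build gets when `%{?fedora}` is undefined, since `0%{?fedora}` then expands to plain 0, so the `samba4-python` and `samba4` names apply to non-Fedora targets as well as to older Fedora releases. A one-line spec comment above the `%if` stating that this fallback is intended would document the choice for whoever next touches these Requires.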

Why is libsss_idmap removed? I'd assume this is a mistake.



I just moved it to the end of the Requires list so that I can group samba
Fedora-version-dependent Requires together:

...
+%else
Requires: samba4-python
Requires: samba4
-Requires: libsss_idmap
Requires: samba4-winbind
+%endif
+Requires: libsss_idmap   

:) Thanks.
I was not looking properly.

ACK
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-01 Thread Ade Lee
On Mon, 2012-10-01 at 16:09 +0200, Martin Kosek wrote:
 On 10/01/2012 03:35 PM, Petr Viktorin wrote:
  On 09/27/2012 10:26 AM, Petr Viktorin wrote:
  On 09/20/2012 05:58 AM, Ade Lee wrote:
  Changes to use a single database for dogtag and IPA
 
   New servers that are installed with dogtag 10 instances will use
   a single database instance for dogtag and IPA, albeit with different
   suffixes.  Dogtag will communicate with the instance through a
   database user with permissions to modify the dogtag  suffix only.
   This user will authenticate using client auth using the subsystem cert
   for the instance.
 
   This patch includes changes to allow the creation of masters and clones
   with single ds instances.
 
  I have tested being able to create a master and a clone using f17 and
  dogtag 10.  Note that you will need to use the latest builds on the
  dogtag repo to get some changes that were checked in today.  We'll kick
  off another official f18 dogtag build in a day or so.
 
  This is a pretty big change - so I expect many issues to come up as
  things get tested.  But as this will take a while to get resolved, it's
  better to get this out for review as fast as possible.
 
  Happy reviewing.
 
  Ade
 
 
 
  Attaching a rebased patch with a couple of style issues fixed.
  - PEP8 compliance (remove trailing whitespace, use parentheses rather
  than \ for line continuation, wrap touched lines at 80 characters)
  - for files, use the with statement instead of the open/close sandwich
  - don't mix tabs and spaces in install/share/certmap.conf.template
 
  I've also adjusted the spec file, as we need dogtag 10.0 and pki-server
  now obsoletes pki-setup.
 
 
  I still need selinux in permissive mode to install on f17, and I still
  need to exclude *.i686 packages when updating.
 
  
  Are the following limitations expected?
  
  IPA and Dogtag have to be updated simultaneously; it's not possible to have
  current IPA master with Dogtag 10, or IPA with this patch with D9.
  
  It is not possible to create a replica from a machine with a single DS to an
  older version without the patch -- the older version will try the wrong ports.
 
 In this case, I think we are covered - we do not support installation of a
 replica with a lower version than the master where the replica info file was
 created. Rob's patch 26dfbe61dd399e9c34f6f5bdeb25a197f1f461cb should ensure
 this for next version release. For 3.0 I think we will have to settle with a
 note in Documentation.
 

There is currently a dogtag bug where when the master is dogtag 9 (or
dogtag 9 converted to 10), and the clone is dogtag 10, the clone will
fail to get the installation token from the security domain.  This is
because the dogtag 10 code tries the new restful interface call -- which
is not present on a dogtag 9 subsystem.
https://fedorahosted.org/pki/ticket/334


This has been fixed in the latest dogtag 10 nightly builds.  And will be
in the next dogtag 10 official build, which we plan to create and
release today. 

Incidentally, to see what's coming up in the new dogtag build, look for
the 10.0.0-0.X.a2 milestone (plus some of what is closed in 9.0.24)



 
 We just need to make sure, that 3.0 replica made out of 2.x master will work.
 
 Martin
 


[Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional

2012-10-01 Thread Martin Kosek
From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, as services created in previous version do not have
this objectclass (and attribute), they are not listed in service list
produced by service-find.

Treat the ipakrbprincipal as optional to avoid missing services in
service-find command. Add flag to service-mod command which can fill
ipakrbprincipalalias attribute when case-insensitive principal searches
for a 2.x service are required.

https://fedorahosted.org/freeipa/ticket/3106


-

I am still pondering about a right way to fill ipakrbprincipalalias used for
IPA 3.0 case-insensitive searches, so far I implemented this command:

ipa service-mod PRINCIPAL --update-principal-alias

But I am thinking it may be a better approach to generalize it and do something
like that:

ipa service-mod PRINCIPAL --upgrade/--update

This command would do a general update of service entry to an up-to-date 3.0
style, in this case it could do 2 things:
* fill ipakrbprincipalalias
* fill ipakrbauthzdata (based on default value in IPA config).

Suggestions or comments welcome.

Martin
From 95065cf15e29631e80cdf2edb73fcdab4fd45854 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Mon, 1 Oct 2012 16:49:34 +0200
Subject: [PATCH] Make ipakrbprincipal objectclass optional

From IPA 3.0, services have by default ipakrbprincipal objectclass which
allows ipakrbprincipalalias attribute used for case-insensitive principal
searches. However, as services created in previous version do not have
this objectclass (and attribute), they are not listed in service list
produced by service-find.

Treat the ipakrbprincipal as optional to avoid missing services in
service-find command. Add flag to service-mod command which can fill
ipakrbprincipalalias attribute when case-insensitive principal searches
for a 2.x service are required.

https://fedorahosted.org/freeipa/ticket/3106
---
 API.txt   |  3 ++-
 VERSION   |  2 +-
 ipalib/plugins/service.py | 25 -
 3 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/API.txt b/API.txt
index 1906e22fe92f76f1a628d37fcdb23d73a1b1297f..76b29a6f8ade87d98ddc7dc16f202047b56f5ebf 100644
--- a/API.txt
+++ b/API.txt
@@ -2789,7 +2789,7 @@ output: ListOfEntries('result', (type 'list', type 'tuple'), Gettext('A list
 output: Output('count', type 'int', None)
 output: Output('truncated', type 'bool', None)
 command: service_mod
-args: 1,9,3
+args: 1,10,3
 arg: Str('krbprincipalname', attribute=True, cli_name='principal', multivalue=False, primary_key=True, query=True, required=True)
 option: Bytes('usercertificate', attribute=True, autofill=False, cli_name='certificate', multivalue=False, required=False)
 option: StrEnum('ipakrbauthzdata', attribute=True, autofill=False, cli_name='pac_type', csv=True, multivalue=True, required=False, values=(u'MS-PAC', u'PAD'))
@@ -2797,6 +2797,7 @@ option: Str('setattr*', cli_name='setattr', exclude='webui')
 option: Str('addattr*', cli_name='addattr', exclude='webui')
 option: Str('delattr*', cli_name='delattr', exclude='webui')
 option: Flag('rights', autofill=True, default=False)
+option: Flag('update_principal_alias', autofill=True, default=False)
 option: Flag('all', autofill=True, cli_name='all', default=False, exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, exclude='webui')
 option: Str('version?', exclude='webui')
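Review bot: Recording `Flag('update_principal_alias', ...)` in API.txt, together with the `args: 1,10,3` count and the minor version bump to 44, fixes the option name as public API while the cover letter is still weighing a more general `--upgrade/--update` flag. Settle the name before this is pushed, otherwise a later rename costs another API change and version bump.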
diff --git a/VERSION b/VERSION
index 962d476e7e152c0c189361ea38de0a5642798971..c1f1bceffe53b3fcfa6526448f6aebca475073b2 100644
--- a/VERSION
+++ b/VERSION
@@ -79,4 +79,4 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=43
+IPA_API_VERSION_MINOR=44
diff --git a/ipalib/plugins/service.py b/ipalib/plugins/service.py
index a7201f525941023fb5caa8610836156a6df79bab..2751b0cbe9b2207c6799b1a152956bb28c9d2755 100644
--- a/ipalib/plugins/service.py
+++ b/ipalib/plugins/service.py
@@ -218,8 +218,9 @@ class service(LDAPObject):
 object_name_plural = _('services')
 object_class = [
 'krbprincipal', 'krbprincipalaux', 'krbticketpolicyaux', 'ipaobject',
-'ipaservice', 'pkiuser', 'ipakrbprincipal'
+'ipaservice', 'pkiuser'
 ]
+possible_objectclasses = ['ipakrbprincipal']
 search_attributes = ['krbprincipalname', 'managedby', 'ipakrbauthzdata']
 default_attributes = ['krbprincipalname', 'usercertificate', 'managedby',
 'ipakrbauthzdata',]
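Review bot: With `'ipakrbprincipal'` dropped from `object_class`, new entries only carry that objectclass where code adds it by hand, as the comment in the following `service_add` hunk says. Any other path that builds a service entry from `object_class` would now create entries without it, and so without `ipakrbprincipalalias`; check for such callers, and consider a comment next to `possible_objectclasses` explaining that the class is optional only for the sake of 2.x entries.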
@@ -311,6 +312,10 @@ class service_add(LDAPCreate):
 # schema
 entry_attrs['ipakrbprincipalalias'] = keys[-1]
 
+# Objectclass ipakrbprincipal providing ipakrbprincipalalias is not in
+# in a list of default objectclasses, add it manually
+
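Review bot: The added comment repeats a word across its line break ("is not in" followed by "in a list"); drop the second "in" so it reads "is not in a list of default objectclasses, add it manually".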

Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Martin Kosek
On 10/01/2012 04:54 PM, Alexander Bokovoy wrote:
 On Mon, 01 Oct 2012, Martin Kosek wrote:
 On 10/01/2012 04:35 PM, Alexander Bokovoy wrote:
 On Mon, 01 Oct 2012, Martin Kosek wrote:
 On 10/01/2012 11:24 AM, Alexander Bokovoy wrote:
 Hi,

 The patch attached fixes Fedora build system issue with unified samba
 package (samba/samba4 packages got merged in Fedora 18 and Rawhide
 recently) since we depend on a wbclient.h header file path to which
 included versioned directory name previously (samba-4.0/ vs samba/).


 I am not convinced this is a correct approach, this was failing on my Fedora 18
 instance anyway:

 # make rpms
 ...
 checking for NDR... yes
 checking for SAMBAUTIL... yes
 checking for samba-4.0/wbclient.h... no
 checking for samba/wbclient.h... no
 configure: error: samba/wbclient.h not found
 make: *** [bootstrap-autogen] Error 1

 The problem was that samba-devel package is no longer providing wbclient.h
 header file:

 # rpm -qR samba-devel-4.0.0-150.fc18.rc1.x86_64 | grep wbclient.h
 #

 I had a discussion with Andreas (CC-ed), the root cause was a missing
 libwbclient-devel package which is the new provider of the samba-4.0/wbclient.h
 file. He was also not aware of /usr/include/samba-4.0/ - /usr/include/samba/
 change.

 I created a new patch with recommended approach (attached). Could you please
 check if it is OK? It worked for me on both Fedora 17 and 18.
 ACK for your patch except one change:

 @@ -214,10 +220,16 @@ Summary: Virtual package to install packages required
 for Active Directory trust
 Group: System Environment/Base
 Requires: %{name}-server = %version-%release
 Requires: python-crypto
 +%if 0%{?fedora} = 18
 +Requires: samba-python
 +Requires: samba
 +Requires: samba-winbind
 +%else
 Requires: samba4-python
 Requires: samba4
 -Requires: libsss_idmap
 Why is libsss_idmap removed? I'd assume this is a mistake.


 I just moved it to the end of the Requires list so that I can group samba
 Fedora-version-dependent Requires together:

 ...
 +%else
 Requires: samba4-python
 Requires: samba4
 -Requires: libsss_idmap
 Requires: samba4-winbind
 +%endif
 +Requires: libsss_idmap   
 :) Thanks.
 I was not looking properly.
 
 ACK

Pushed to master, ipa-3-0.

I just added ticket #3118 to patch description (I discovered there is already a
filed ticket for this change).

I think we do not need to update our Fedora packages until RC2 release since
dependencies are not broken - samba packages have samba4 provides... I verified
by installing freeipa-server-3.0.0-0.6.fc18 on F18 box with new unified samba
packages.

Martin



Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Alexander Bokovoy

On Mon, 01 Oct 2012, Martin Kosek wrote:

+%else
Requires: samba4-python
Requires: samba4
-Requires: libsss_idmap
Requires: samba4-winbind
+%endif
+Requires: libsss_idmap   

:) Thanks.
I was not looking properly.

ACK


Pushed to master, ipa-3-0.

I just added ticket #3118 to patch description (I discovered there is already a
filed ticket for this change).

I think we do not need to update our Fedora packages until RC2 release since
dependencies are not broken - samba packages have samba4 provides... I verified
by installing freeipa-server-3.0.0-0.6.fc18 on F18 box with new unified samba
packages.

Aside from binary compatibility, there are regular rebuilds of Rawhide
and they failed for us on Friday, as Stephen has discovered. So, maybe
we'd better update Rawhide with the patch?

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

2012-10-01 Thread Tomas Babej

On 09/26/2012 09:32 PM, Rob Crittenden wrote:

Tomas Babej wrote:

Hi,

Connection error message in ipa-client-install now warns the user
about the need of opening 389 port for directory server.

https://fedorahosted.org/freeipa/ticket/2816

I think this can be pushed as a one-liner.


I think we should list all ports that are required for client enrollment.

From my calculations we need at a minimum tcp ports 80 and 389, either 
or both udp/tcp for port 88 and if NTP is enabled 123 udp for 
enrollment alone. The NTP failure won't cause enrollment to fail 
though, so we may be able to skip that.


Similarly 464 should be enabled but we don't use it during enrollment.

rob

I improved the error message. Please check if there are any issues.

Thanks

Tomas
From 397745847ad1612e37c093a803a6f2a3b06d6b3d Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 26 Sep 2012 08:52:50 -0400
Subject: [PATCH] Adds port to connection error message in ipa-client-install

Connection error message in ipa-client-install now warns the user
about the need of opening 389 port for directory server.

https://fedorahosted.org/freeipa/ticket/2816
---
 ipa-client/ipa-install/ipa-client-install | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ee8e5831866e1f5d960cbbca290606a944b0f357..9323b22be4b8e8746804eb849689775389fa961b 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1390,8 +1390,16 @@ def install(options, env, fstore, statestore):
 if ret != 0:
 root_logger.error(Failed to verify that %s is an IPA Server.,
 cli_server[0])
-root_logger.error(This may mean that the remote server is not up  +
-or is not reachable due to network or firewall settings.)
+root_logger.error(This may mean that the remote server is not up 
+or is not reachable due to network or firewall settings. 
+Please make sure the following ports are opened in the firewall settings:\n
+ TCP: 80, 88, 389\n
+ UDP: 88\n
+Also note that following ports are necessary for ipa-client 
+working properly after enrollment:\n
+ TCP: 464\n
+ UDP: 464, 123 (if NTP enabled)
+ )
 root_logger.debug((%s: %s), cli_server[0], cli_server_source)
 return CLIENT_INSTALL_ERROR
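Review bot: The commit subject and body still say the error message only warns about opening port 389, while the new text lists TCP 80, 88, 389 and UDP 88 for enrollment plus TCP/UDP 464 and UDP 123 for operation afterwards; update the commit message to match what the hunk does. In the string itself, "Also note that following ports" should read "the following ports".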
 
-- 
1.7.11.4


Re: [Freeipa-devel] [PATCH] 1037 optimize restoring SELinux booleans

2012-10-01 Thread Rob Crittenden

Petr Viktorin wrote:

On 10/01/2012 04:41 PM, Rob Crittenden wrote:

The web uninstall step can be very long because we restore two SELinux
booleans individually. This patch combines them into a single step, and
skips setting them if the values won't actually change.

rob




Is there a reason to not reuse the code that sets the values on install?
As far as I can tell it does the same thing slightly differently.



The differences are enough that trying to consolidate them would likely
end up taking considerably more time, require considerably more testing,
etc. It would be worthwhile to revisit this at the beginning of a new
version, but at the end it seems safer to take the simplest route.


rob
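
The optimization described in this thread (restore the booleans in one combined step, and skip the step when no value would change), as an added example that is not the patch under review or FreeIPA's code. The function names and the sample boolean names are assumptions; it relies on the standard `getsebool -a` and `setsebool -P name=value ...` command forms and assumes the running value of each boolean matches its persistent value.

```python
import subprocess

# Constructed sample data; the boolean names are illustrative.
SAMPLE_GETSEBOOL = (
    "httpd_can_network_connect --> on\n"
    "httpd_manage_ipa --> on pending: off\n"
    "httpd_enable_cgi --> off\n"
)
SAMPLE_SAVED = {
    "httpd_can_network_connect": "off",  # differs from the running value
    "httpd_manage_ipa": "on",            # already correct, must be skipped
    "example_unknown_bool": "off",       # hypothetical name, not in policy
}


def normalize(value):
    """Map the spellings setsebool accepts (on/off, 1/0, true/false) to on/off."""
    v = str(value).strip().lower()
    if v in ("on", "1", "true"):
        return "on"
    if v in ("off", "0", "false"):
        return "off"
    raise ValueError("not an SELinux boolean value: %r" % (value,))


def parse_getsebool(output):
    """Parse getsebool lines: 'name --> on' or 'name --> on pending: off'."""
    current = {}
    for line in output.splitlines():
        name, sep, rest = line.partition("-->")
        fields = rest.split()
        if sep and fields:
            current[name.strip()] = normalize(fields[0])
    return current


def plan_restore(saved, current):
    """Return (changes, unknown): 'name=value' arguments for booleans whose
    value differs, and saved names the running policy does not define."""
    changes, unknown = [], []
    for name in sorted(saved):
        wanted = normalize(saved[name])
        if name not in current:
            unknown.append(name)  # left out of the batched call
        elif current[name] != wanted:
            changes.append("%s=%s" % (name, wanted))
    return changes, unknown


def _run(argv):
    """Default runner: execute argv and return its stdout."""
    return subprocess.run(argv, check=True, capture_output=True,
                          text=True).stdout


def restore_booleans(saved, run=_run):
    """Restore saved booleans with at most one persistent setsebool call."""
    current = parse_getsebool(run(["getsebool", "-a"]))
    changes, unknown = plan_restore(saved, current)
    if changes:
        # -P writes to the policy store, which is the slow part, so every
        # change goes into a single invocation.
        run(["setsebool", "-P"] + changes)
    return changes, unknown
```

The `run` parameter lets the planning logic be exercised with canned `getsebool` output on a host without SELinux.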
