Re: [Freeipa-devel] Failed push to github

2013-03-08 Thread Petr Viktorin
On 03/08/2013 12:38 AM, Nathaniel McCallum wrote: I tried to push my branch of FreeIPA to github and it failed with the following message. I don't know if anything can be done to fix it, but I figured I'd mention it. error: object 0b36ce6dcbfc8d7e6cda632e06a09c369428a2db:invalid

Re: [Freeipa-devel] [PATCH] 376-377 Use tkey-gssapi-keytab in named.conf

2013-03-08 Thread Petr Spacek
On 8.3.2013 00:14, Rob Crittenden wrote: Martin Kosek wrote: Remove obsolete BIND GSSAPI configuration options tkey-gssapi-credential and tkey-domain and replace them with tkey-gssapi-keytab which avoids unnecessary Kerberos checks on BIND startup and can cause issues when KDC is not available.

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Sumit Bose
On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags There is a bit of hand waving going on around how the

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Jan Cholasta
Hi, On 7.3.2013 21:15, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags Can we have one multi-valued attribute which contains names of flags to

Re: [Freeipa-devel] [PATCHES] 94-99 Read and use per-service PAC type

2013-03-08 Thread Martin Kosek
On 03/07/2013 06:32 PM, Sumit Bose wrote: On Wed, Mar 06, 2013 at 05:33:43PM +0100, Sumit Bose wrote: On Wed, Mar 06, 2013 at 08:51:47AM -0500, Simo Sorce wrote: On Wed, 2013-03-06 at 14:49 +0100, Martin Kosek wrote: On 03/06/2013 10:41 AM, Sumit Bose wrote: On Tue, Mar 05, 2013 at

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Sumit Bose
On Fri, Mar 08, 2013 at 10:31:58AM +0100, Jan Cholasta wrote: Hi, On 7.3.2013 21:15, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags Can we

Re: [Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges

2013-03-08 Thread Martin Kosek
On 03/05/2013 12:59 PM, Tomas Babej wrote: Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local domain ranges.

[Freeipa-devel] [PATCH] 383 Use new 389-ds-base cleartext password API

2013-03-08 Thread Martin Kosek
The way the unhashed password is stored in the entry was changed in 389-ds-base-1.3.0; it is now stored in an entry extension rather than in a magic attribute unhashed#user#password. A new API using an entry extension was introduced. ipa-pwd-extop should take advantage of the new API as the old one

Re: [Freeipa-devel] [PATCH] 1088 Recover DNA ranges when deleting a master

2013-03-08 Thread Petr Viktorin
On 03/07/2013 08:27 PM, Rob Crittenden wrote: Petr Viktorin wrote: On 03/06/2013 09:52 PM, Rob Crittenden wrote: Petr Viktorin wrote: [...] On new installs, the ACI on cn=Posix IDs,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config is added before the entry itself. I didn't test

Re: [Freeipa-devel] [PATCHES] 116-119 Make LDAP schema retrieval optional

2013-03-08 Thread Petr Viktorin
On 03/07/2013 06:21 PM, Jan Cholasta wrote: On 7.3.2013 17:59, Petr Viktorin wrote: On 03/07/2013 04:33 PM, Jan Cholasta wrote: On 7.3.2013 14:53, Petr Viktorin wrote: On 03/07/2013 01:43 PM, Jan Cholasta wrote: Hi, these patches add flags to LDAPClient and IPAdmin constructors which can be

[Freeipa-devel] [RFE] Multiple trust servers per realm

2013-03-08 Thread Alexander Bokovoy
Hi, http://www.freeipa.org/page/V3/MultipleTrustServers covers RFE to have multiple domain controllers exposed to trusted domains. Attached patch also implements needed changes for ipa-adtrust-install part. Global trust configuration options are already implemented and available in git master,

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Simo Sorce
On Thu, 2013-03-07 at 15:15 -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags There is a bit of hand waving going on around how the flags

Re: [Freeipa-devel] [PATCHES] 116-119 Make LDAP schema retrieval optional

2013-03-08 Thread Martin Kosek
On 03/08/2013 02:13 PM, Petr Viktorin wrote: On 03/07/2013 06:21 PM, Jan Cholasta wrote: On 7.3.2013 17:59, Petr Viktorin wrote: On 03/07/2013 04:33 PM, Jan Cholasta wrote: On 7.3.2013 14:53, Petr Viktorin wrote: On 03/07/2013 01:43 PM, Jan Cholasta wrote: Hi, these patches add flags to

Re: [Freeipa-devel] [PATCH 0037] Add support for re-enrolling hosts using keytab

2013-03-08 Thread Tomas Babej
On Thu 07 Mar 2013 11:01:33 PM CET, Rob Crittenden wrote: Petr Viktorin wrote: On 03/07/2013 04:27 PM, Tomas Babej wrote: On 03/07/2013 04:12 PM, Petr Viktorin wrote: Thanks! I just have two more very minor nitpicks. On 03/06/2013 01:04 PM, Tomas Babej wrote: On 03/05/2013 02:10 PM, Petr

Re: [Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges

2013-03-08 Thread Tomas Babej
On 03/07/2013 11:48 PM, Rob Crittenden wrote: Tomas Babej wrote: Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges involved are local

Re: [Freeipa-devel] [PATCH] 0190 Fix installing server with external CA

2013-03-08 Thread Martin Kosek
On 03/05/2013 05:27 PM, Jan Cholasta wrote: On 5.3.2013 16:12, Jan Cholasta wrote: Hi, On 4.3.2013 15:29, Petr Viktorin wrote: I did not test the external CA case when we merged DS instances some time ago, so it ended up broken. Here is a fix. Our DsInstance class could only be initialized

Re: [Freeipa-devel] [PATCH 0038] Perform secondary rid range overlap check for local ranges

2013-03-08 Thread Tomas Babej
On 03/08/2013 12:10 PM, Martin Kosek wrote: On 03/05/2013 12:59 PM, Tomas Babej wrote: Hi, Any of the following checks: - overlap between primary RID range and secondary RID range - overlap between secondary RID range and secondary RID range is performed now only if both of the ranges

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Rob Crittenden
Sumit Bose wrote: On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags There is a bit of hand waving going on

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Nathaniel McCallum
On Fri, 2013-03-08 at 10:27 +0100, Sumit Bose wrote: On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare outline of how one might do it: http://freeipa.org/page/V3/Kerberos_Flags

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Petr Spacek
On 8.3.2013 16:45, Rob Crittenden wrote: One would need to pass in the object type they are dealing with: ipa krbflags --type=user --ok-as-delegate=false sbose ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com We *could* avoid type potentially but it would expand our

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Sumit Bose
On Fri, Mar 08, 2013 at 12:28:03PM -0500, Nathaniel McCallum wrote: On Fri, 2013-03-08 at 10:27 +0100, Sumit Bose wrote: On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket https://fedorahosted.org/freeipa/ticket/3329 here is a bare

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Nathaniel McCallum
On Fri, 2013-03-08 at 18:53 +0100, Sumit Bose wrote: On Fri, Mar 08, 2013 at 12:28:03PM -0500, Nathaniel McCallum wrote: On Fri, 2013-03-08 at 10:27 +0100, Sumit Bose wrote: On Thu, Mar 07, 2013 at 03:15:18PM -0500, Rob Crittenden wrote: Based on a comment from Sumit in ticket

Re: [Freeipa-devel] [PROPOSAL] Kerberos flags

2013-03-08 Thread Rob Crittenden
Petr Spacek wrote: On 8.3.2013 16:45, Rob Crittenden wrote: One would need to pass in the object type they are dealing with: ipa krbflags --type=user --ok-as-delegate=false sbose ipa krbflags --type=service --ok-as-delegate=true HTTP/ipa.example.com We *could* avoid type potentially but it