Re: [Freeipa-devel] [PATCH] 0079 Enable Retro Changelog and Content Synchronization DS plugins
On 10/29/2013 06:57 PM, Ana Krivokapic wrote:
On 10/29/2013 12:46 PM, Martin Kosek wrote:
On 10/25/2013 05:03 PM, Ana Krivokapic wrote:
Hello, This patch addresses ticket https://fedorahosted.org/freeipa/ticket/3967.

NACK. I do not think this will work well with the case when DNS is not used. As bind-dyndb-ldap is not a required component, FreeIPA could be installed on a machine without bind installed. And in that case, /var/named/ won't be there. I think that this directory will follow a similar pattern as %{_localstatedir}/lib/ipa/pki-ca/publish and be just %ghost and be created when bind-dyndb-ldap is being configured in bindinstance.py.
Martin

Fixed, updated patch attached.
___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel

The patch needed a rebase.
-- Regards, Ana Krivokapic Associate Software Engineer FreeIPA team Red Hat Inc.

From 0b0b9e24afadcac34e5c02428b736b9d9b019594 Mon Sep 17 00:00:00 2001 From: Ana Krivokapic akriv...@redhat.com Date: Fri, 25 Oct 2013 12:41:25 +0200 Subject: [PATCH] Enable Retro Changelog and Content Synchronization DS plugins Enable Retro Changelog and Content Synchronization DS plugins which are required for SyncRepl support. Create a working directory /var/named/ipa required by bind-dyndb-ldap v4+. https://fedorahosted.org/freeipa/ticket/3967 --- freeipa.spec.in| 1 + install/tools/ipa-upgradeconfig| 5 - install/updates/20-syncrepl.update | 9 + install/updates/Makefile.am| 1 + ipaserver/install/bindinstance.py | 13 + 5 files changed, 28 insertions(+), 1 deletion(-) create mode 100644 install/updates/20-syncrepl.update diff --git a/freeipa.spec.in b/freeipa.spec.in index 35b87148c1074ae7e1e8909e981d3473c4a46258..97c47983106be0a2b04a121636b628b032721427 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in 
@@ -745,6 +745,7 @@ fi %{_mandir}/man1/ipa-backup.1.gz %{_mandir}/man1/ipa-restore.1.gz %{_mandir}/man1/ipa-advise.1.gz +%ghost %{_localstatedir}/named/ipa %files server-trust-ad %{_sbindir}/ipa-adtrust-install diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig index 10526f226798c78ae75972b82a2f72b200a8aacf..9b1cc91f2570c9359d14814184135d214ca73001 100644 --- a/install/tools/ipa-upgradeconfig +++ b/install/tools/ipa-upgradeconfig @@ -1079,6 +1079,10 @@ def main(): setup_firefox_extension(fstore) add_ca_dns_records() +bind = bindinstance.BindInstance(fstore) +if bind.is_configured(): +bind.create_dir('/var/named/ipa', 0700) + # Any of the following functions returns True iff the named.conf file # has been altered named_conf_changes = ( @@ -1092,7 +1096,6 @@ def main(): if any(named_conf_changes): # configuration has changed, restart the name server root_logger.info('Changes to named.conf have been made, restart named') -bind = bindinstance.BindInstance(fstore) try: bind.restart() except ipautil.CalledProcessError, e: diff --git a/install/updates/20-syncrepl.update b/install/updates/20-syncrepl.update new file mode 100644 index ..6901370f9cb302ff2c0c8bcc3f7b51aadef83e8e --- /dev/null +++ b/install/updates/20-syncrepl.update @@ -0,0 +1,9 @@ +# Enable Retro changelog +dn: cn=Retro Changelog Plugin,cn=plugins,cn=config +only:nsslapd-pluginEnabled: on +add:nsslapd-attribute: nsuniqueid:targetUniqueId +add:nsslapd-changelogmaxage: nsslapd-changelogmaxage: 2d + +# Enable SyncRepl +dn: cn=Content Synchronization,cn=plugins,cn=config +only:nsslapd-pluginEnabled: on diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 66f0cd57617b6902fd4a74a8e7ac986f29babf20..67c33eef5ef31efffd7d3940a45f04bbf31927e9 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am 
@@ -14,6 +14,7 @@ app_DATA =\ 20-indices.update \ 20-nss_ldap.update \ 20-replication.update \ + 20-syncrepl.update \ 20-user_private_groups.update \ 20-winsync_index.update \ 21-replicas_container.update \ diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py index 6d5a1d44d30c89278c24fe7ab5278355cb65b0b4..4baeb4e077c64a7abebd1c071012f6c1e02dc1ae 100644 --- a/ipaserver/install/bindinstance.py +++ b/ipaserver/install/bindinstance.py @@ -22,6 +22,7 @@ import pwd import netaddr import re +import errno import ldap @@ -509,6 +510,16 @@ def create_sample_bind_zone(self): os.close(bind_fd) print Sample zone file for bind has been created in +bind_name +def create_dir(self, path, mode): +try: +os.makedirs(path, mode) +except OSError as e: +if e.errno != errno.EEXIST: +raise e + +pent = pwd.getpwnam(self.named_user or 'named') +os.chown(path, pent.pw_uid, pent.pw_gid) +
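Review bot: the new `%ghost %{_localstatedir}/named/ipa` entry in the freeipa.spec.in hunk does not tell rpm that the path is a directory or who is meant to own it; since `create_dir()` creates it at runtime and chowns it to the named user, `%ghost %dir %attr(0700,named,named) %{_localstatedir}/named/ipa` would let `rpm -V` and package removal treat it as a directory with the intended ownership. The same path is spelled as the literal `/var/named/ipa` in the ipa-upgradeconfig hunk, so the two spellings can drift apart.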
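Review bot: in the ipa-upgradeconfig hunk, `bind.create_dir('/var/named/ipa', 0700)` hardcodes the path as a string literal while the spec derives it from `%{_localstatedir}`; define the path once in bindinstance next to the other named-related paths and use that constant from both the installer and the upgrade script, so the %ghost entry and the runtime-created directory cannot diverge. Constructing `BindInstance` before the `named_conf_changes` check (and dropping the later duplicate construction in the restart branch) is fine, since the restart branch still sees the same `bind` object.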
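Review bot: the line `add:nsslapd-changelogmaxage: nsslapd-changelogmaxage: 2d` in 20-syncrepl.update repeats the attribute name, so the updater would add the value `nsslapd-changelogmaxage: 2d` instead of `2d`; it should read `add:nsslapd-changelogmaxage: 2d`. Switching `nsslapd-pluginEnabled` to `on` for the Retro Changelog and Content Synchronization plugins only takes effect after a directory server restart, so make sure the update run restarts DS before SyncRepl consumers are expected to work. Because the retro changelog keeps the content of every modification under cn=changelog for those 2 days, also check that the existing ACIs restrict read access to that tree.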
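Review bot: in `create_dir()` (bindinstance.py hunk), the `mode` passed to `os.makedirs(path, mode)` is only applied when the directory is created, never when it already exists (the `EEXIST` branch silently keeps the old permissions), so an upgraded system with a pre-existing, more permissive /var/named/ipa would not end up at 0700; follow the `makedirs` with an explicit `os.chmod(path, mode)`. In the `except` branch use a bare `raise` rather than `raise e`, which in Python 2 replaces the original traceback. `pwd.getpwnam(self.named_user or 'named')` raises `KeyError` when the user is absent; a clearer error at that point would help on hosts where bind is not installed.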
Re: [Freeipa-devel] [PATCH] 0128 subdomains: Use AD admin credentials when trust is being established
On Wed, 27 Nov 2013, Alexander Bokovoy wrote:
Hi! Attached patch should solve an issue when fetching subdomains fails shortly after trust has been established due to MS-PAC caching effects on KDC. We have already made an alternative path to use when AD admin credentials are available but failed to actually use them here. Details in the patch. https://fedorahosted.org/freeipa/ticket/4046

New version attached. It makes sure we use the correct domain name when constructing credentials for NTLMSSP authentication if AD administrator credentials do not include one. Many thanks to Scott Poore who kindly provided a Windows Server 2008R2 setup which failed for the original case and also for the first version of this patch.
-- / Alexander Bokovoy

From 2c96624d6a1ec00e2f80bc8a5790eeace2865f7d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy aboko...@redhat.com Date: Wed, 27 Nov 2013 12:17:43 +0200 Subject: [PATCH 2/2] subdomains: Use AD admin credentials when trust is being established When AD administrator credentials are passed, they are stored in realm_passwd, not realm_password in the options. When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure to normalize them. Additionally, force Samba auth module to use NTLMSSP in case we have credentials because at the point when trust is established, KDC is not yet ready to issue tickets to a service in the other realm due to MS-PAC information caching effects. The logic is a bit fuzzy because credentials code makes decisions on what to use based on the smb.conf parameters and Python bindings to set parameters to smb.conf make it so that auth module believes these parameters were overridden by the user through the command line and ignore some of options. We have to do calls in the right order to force NTLMSSP use instead of Kerberos. Fixes https://fedorahosted.org/freeipa/ticket/4046 --- ipalib/plugins/trust.py | 8 ++-- ipaserver/dcerpc.py | 41 +++-- 2 files changed, 33 insertions(+), 16 deletions(-) 
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py index 5ba0905..b6ea099 100644 --- a/ipalib/plugins/trust.py +++ b/ipalib/plugins/trust.py @@ -1231,9 +1231,13 @@ api.register(trustdomain_del) def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): trust_name = trust_entry['cn'][0] creds = None -password = options.get('realm_password', None) +password = options.get('realm_passwd', None) if password: -creds = u%s%%%s % (options.get('realm_admin'), password) +admin_name = options.get('realm_admin') +sp = admin_name.split('\\') +if len(sp) == 1: +sp.insert(0, trustinstance.remote_domain.info['name']) +creds = u{name}%{password}.format(name=\\.join(sp), password=password) domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds) result = [] if not domains: diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py index 0dde347..999dbcd 100644 --- a/ipaserver/dcerpc.py +++ b/ipaserver/dcerpc.py @@ -655,7 +655,7 @@ class TrustDomainInstance(object): except RuntimeError, (num, message): raise assess_dcerpc_exception(num=num, message=message) -def __init_lsa_pipe(self, remote_host): +def init_lsa_pipe(self, remote_host): Try to initialize connection to the LSA pipe at remote host. This method tries consequently all possible transport options @@ -692,7 +692,7 @@ class TrustDomainInstance(object): There are multiple transports to issue LSA calls. However, depending on a system in use they may be blocked by local operating system policies. -Generate all we can use. __init_lsa_pipe() will try them one by one until +Generate all we can use. init_lsa_pipe() will try them one by one until there is one working. We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned. 
@@ -753,7 +753,7 @@ class TrustDomainInstance(object): return naming_ref.match(context).group(1) def retrieve(self, remote_host): -self.__init_lsa_pipe(remote_host) +self.init_lsa_pipe(remote_host) objectAttribute = lsa.ObjectAttribute() objectAttribute.sec_qos = lsa.QosInfo() @@ -964,34 +964,47 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x0040) def communicate(td): -td.creds.guess(td.parm) -netrc = net.Net(creds=td.creds, lp=td.parm) -try: -result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) -except RuntimeError, e: -raise assess_dcerpc_exception(message=str(e)) -if not result: -return None -td.retrieve(unicode(result.pdc_dns_name)) - +td.init_lsa_pipe(td.info['dc']) netr_pipe =
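Review bot: in the trust.py hunk, `admin_name = options.get('realm_admin')` can be `None` when only `realm_passwd` was supplied, and the following `admin_name.split('\\')` then fails with an AttributeError instead of a clean validation error; check for a missing admin name before building `creds`. An administrator given in UPN form (`user@domain`) also contains no backslash, so this branch would prepend the NetBIOS name and produce `DOMAIN\user@domain`; if that form is accepted by the CLI, test for `@` as well before inserting `trustinstance.remote_domain.info['name']`.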
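Review bot: in the `communicate()` hunk of dcerpc.py, dropping the `netrc.finddc()` lookup together with its `try/except RuntimeError` and the `if not result: return None` guard means the function now trusts `td.info['dc']` to be populated; if that value can be empty, `td.init_lsa_pipe()` is called with an unusable host and the failure surfaces as a raw exception instead of through `assess_dcerpc_exception()`. Keep an explicit check such as `if not td.info.get('dc'): return None` before the pipe initialization. The removed `td.creds.guess(td.parm)` was where credentials were previously picked up; since the commit message says the NTLMSSP-forcing calls must run in a specific order, a short comment at this spot pointing to where the credentials and `parm` are now prepared would save the next reader from retracing that.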
Re: [Freeipa-devel] [PATCH 0016] Add RADIUS proxy support to ipalib CLI
Everything looks good to me. +1

On Thu, 2013-11-28 at 12:18 +0100, Petr Viktorin wrote:
Thanks! Just a bit of cleaning up now, sending a patch with proposed changes to speed things up.
Patch needs a tiny rebase.
Points I missed:
- There are some unused imports.
- ValidationError takes the attribute name in `name` rather than the name of the CLI option.
Now the validation is too strict, a port is not accepted.
Fixed.
invalid! is pretty bad for an error message.
I put it in as a placeholder, but I wasn't clear about that, sorry!
Should non-FQDN hostnames be allowed?
I agree they should not. Fixed. validate_hostname() has a check_fqdn argument, no need to do this manually.
ipatokenusermapattribute is also not validated. Not sure if it needs to be.
I don't think validation is really possible outside of the permitted characters for an LDAP attribute.
I think if $%^* is allowed, we'll get a bug from QA soon enough.
Fixed.
The `sre` module is named `re` since Python 2.5.
We generally output lists; this should also be a list with one element.
Fixed.
Attaching updated tests.
A few of these tests are still failing for me, but it is not immediately obvious why. They seem to be getting answers from previous queries. I'm not sure if this is something wrong with my code or the tests. Can you take a look at it?
My bad, I've used a wrong variable name.
Re: [Freeipa-devel] [PATCH] Debian client support
On (05/09/13 23:25), Lukas Slebodnik wrote:
On (03/09/13 00:43), Timo Aaltonen wrote:
This fixes https://fedorahosted.org/freeipa/ticket/1887 and https://fedorahosted.org/freeipa/ticket/2455
the first three patches fix some bugs in how python is used
fourth patch checks if dbus is already running before trying to start it
fifth fixes some compilation warnings
sixth finally adds the Debian platform module
there are also distro patches that aren't upstreamable as-is, that do stuff like
- give --install-layout=deb to setup.py
- disable make-testcert since it needs a server running
- fix hardcoded NFS related paths and a variable in ipa-client-automount
- fix ldap.conf path in ipa-client-install
- fix ntpdate options in ntpconf.py (Debian doesn't patch ntpdate like Fedora)
- change nss includes in ipa_pwd.c (nss/.. not nss3/..)

Solution is simple. Use pkg-config generated NSS_CFLAGS

bash$ pkg-config --cflags nss
-I/usr/include/nss -I/usr/include/nspr
bash$ uname -a
Linux positron 3.10-2-686-pae #1 SMP Debian 3.10.5-1 (2013-08-07) i686 GNU/Linux

bash$pkg-config --cflags nss
-I/usr/include/nss3 -I/usr/include/nspr4
bash$uname -a
Linux unused-4-233.brq.redhat.com 3.10.10-200.fc19.x86_64 #1 SMP Thu Aug 29 19:05:45 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

It works in sssd. I can send a patch.
LS

Attached patch should fix the problem with compilation on different distros.
debian: http://anonscm.debian.org/gitweb/?p=pkg-freeipa/freeipa.git;a=blob;f=debian/patches/fix-nss-include.diff;h=1dac0709ed7344c7546c55225365c9434e6a930a;hb=HEAD
arch: https://github.com/chenxiaolong/ArchLinux-Packages/blob/master/freeipa/0006_Fix_nss_includes.patch
Timo, can you test the patch on debian/ubuntu?
LS

From 2d9e290970e71d373b91cd0cd1db52b991636889 Mon Sep 17 00:00:00 2001 
From: Lukas Slebodnik lsleb...@redhat.com Date: Thu, 28 Nov 2013 15:32:07 +0100 Subject: [PATCH] BUILD: Fix portability of NSS in file ipa_pwd.c --- daemons/ipa-kdb/Makefile.am | 4 +++- daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 1 + util/ipa_pwd.c | 8 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am index dc543dd..b3d6a1b 100644 --- a/daemons/ipa-kdb/Makefile.am +++ b/daemons/ipa-kdb/Makefile.am @@ -21,6 +21,7 @@ AM_CPPFLAGS = \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ $(NDRPAC_CFLAGS)\ + $(NSS_CFLAGS) \ $(NULL) plugindir = $(libdir)/krb5/plugins/kdb @@ -51,6 +52,7 @@ ipadb_la_LIBADD = \ $(LDAP_LIBS)\ $(NDRPAC_LIBS) \ $(UNISTRING_LIBS) \ + $(NSS_LIBS) \ $(NULL) if HAVE_CHECK @@ -77,7 +79,7 @@ ipa_kdb_tests_LDADD = \ $(KRB5_LIBS)\ $(LDAP_LIBS)\ $(NDRPAC_LIBS) \ - -lnss3 \ + $(NSS_LIBS) \ -lkdb5 \ -lsss_idmap \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index b53b2e1..3323d72 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -22,6 +22,7 @@ AM_CPPFLAGS = \ $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(SSL_CFLAGS) \ + $(NSS_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c index 761d1ef..f6564c8 100644 --- a/util/ipa_pwd.c +++ b/util/ipa_pwd.c @@ -27,10 +27,10 @@ #include stdio.h #include time.h #include ctype.h -#include nss3/nss.h -#include nss3/nssb64.h -#include nss3/hasht.h -#include nss3/pk11pub.h +#include nss.h +#include nssb64.h +#include hasht.h +#include pk11pub.h #include errno.h #include ipa_pwd.h -- 1.8.4.2
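Review bot: the `$(NSS_CFLAGS)` added to `AM_CPPFLAGS` in the first ipa-kdb hunk (and `$(NSS_LIBS)` in the two that follow) only expand to something if configure.ac already runs `PKG_CHECK_MODULES([NSS], [nss])` or an equivalent; the diffstat touches just the two Makefile.am files and util/ipa_pwd.c, so please confirm configure.ac exports these variables. If it does not, they expand to empty and the `-lnss3` to `$(NSS_LIBS)` change in the `ipa_kdb_tests_LDADD` hunk breaks linking of the tests.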
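Review bot: the ipa-pwd-extop hunk adds `$(NSS_CFLAGS)` to `AM_CPPFLAGS` but does not add `$(NSS_LIBS)` to that plugin's LIBADD, unlike the ipa-kdb change; if the plugin already links NSS through `$(SSL_LIBS)` a one-line note in the commit message would make that explicit, otherwise the library list needs the same addition for consistency with the headers now being resolved through pkg-config.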
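Review bot: dropping the `nss3/` prefix in the util/ipa_pwd.c hunk makes the file depend on the `-I` directory coming from `pkg-config --cflags nss` in every Makefile that compiles it; this patch covers ipa-kdb and ipa-pwd-extop, so check whether any other component builds or includes util/ipa_pwd.c and needs `$(NSS_CFLAGS)` too. The pkg-config output quoted earlier in the thread (`-I/usr/include/nss` on Debian versus `-I/usr/include/nss3` on Fedora) is exactly why the bare `nss.h` form is the portable spelling.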