Re: [Freeipa-devel] [PATCH] 354 Modified NSSConnection not to shutdown existing database.

2014-11-11 Thread Jan Cholasta

Hi,

On 28.10.2014 at 23:17, Endi Sukma Dewata wrote:

On 10/22/2014 9:15 AM, Endi Sukma Dewata wrote:

The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.

Ticket #4638


New patch attached. It's identical except for the ticket URL in the
commit log.


ACK.

Honza

--
Jan Cholasta

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH] 0671 ipa-restore: Don't crash if AD trust is not installed

2014-11-11 Thread Petr Viktorin

On 11/10/2014 04:36 PM, Martin Kosek wrote:

On 11/10/2014 02:52 PM, Petr Viktorin wrote:

This is a fix for: https://fedorahosted.org/freeipa/ticket/4668



And the patch is...?



Here, sorry.

--
Petr³
From 45c939b7fcd8b07ad9b70bdb8eef4b6d5814867d Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Mon, 10 Nov 2014 13:29:58 +0100
Subject: [PATCH] ipa-restore: Don't crash if AD trust is not installed

https://fedorahosted.org/freeipa/ticket/4668
---
 ipaserver/install/ipa_restore.py | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
index 7898de0f6f6613db95ea93bb4a91bd44a2c68951..cfe3dff9fff539a7df038b20063ca3da36c8a64f 100644
--- a/ipaserver/install/ipa_restore.py
+++ b/ipaserver/install/ipa_restore.py
@@ -37,13 +37,17 @@
get_cs_replication_manager)
 from ipaserver.install import installutils
 from ipaserver.install import httpinstance
-from ipaserver.install import adtrustinstance
 from ipapython import ipaldap
 import ipapython.errors
 from ipaplatform.tasks import tasks
 from ipaplatform import services
 from ipaplatform.paths import paths
 
+try:
+from ipaserver.install import adtrustinstance
+except ImportError:
+adtrustinstance = None
+
 
 def recursive_chown(path, uid, gid):
 '''
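Review bot: the bare `except ImportError` in this hunk also swallows an ImportError raised from inside adtrustinstance itself (for example a missing dependency of an installed AD trust package), and nothing records which case occurred. Log the exception at debug level, or restrict the fallback to the case where the module is genuinely absent, so that a present but broken AD trust installation does not silently look like "not installed".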
@@ -645,7 +649,12 @@ def __create_dogtag_log_dirs(self):
 def restore_selinux_booleans(self):
 bools = dict(httpinstance.SELINUX_BOOLEAN_SETTINGS)
 if 'ADTRUST' in self.backup_services:
-bools.update(adtrustinstance.SELINUX_BOOLEAN_SETTINGS)
+if adtrustinstance:
+bools.update(adtrustinstance.SELINUX_BOOLEAN_SETTINGS)
+else:
+self.log.error(
+'The AD trust package was not found, '
+'not setting SELinux booleans.')
 try:
 tasks.set_selinux_booleans(bools)
 except ipapython.errors.SetseboolError as e:
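Review bot: when `'ADTRUST'` is in `self.backup_services` but the module is missing, the restore logs an error and carries on with only the httpinstance booleans, so a backup taken from an AD-trust-enabled server is restored with the Samba-related SELinux booleans unset and the exit status does not reflect it. Either make the message tell the operator what to do (install the AD trust package and re-run the restore, or set the booleans by hand) or treat it as a failure. Style: `if adtrustinstance is not None:` reads better than a truthiness test on a module object.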
-- 
2.1.0


Re: [Freeipa-devel] [PATCH] 354 Modified NSSConnection not to shutdown existing database.

2014-11-11 Thread Petr Viktorin

On 11/11/2014 09:02 AM, Jan Cholasta wrote:

Hi,

On 28.10.2014 at 23:17, Endi Sukma Dewata wrote:

On 10/22/2014 9:15 AM, Endi Sukma Dewata wrote:

The NSSConnection class has been modified not to shutdown the
existing NSS database if the database is already opened to
establish an SSL connection, or is already opened by another
code that uses an NSS database without establishing an SSL
connection such as vault CLIs.

Ticket #4638


New patch attached. It's identical except for the ticket URL in the
commit log.


ACK.

Honza



Pushed to master: 80a8df3f193aa800740f1627a269e6973f57aa0a

--
Petr³



Re: [Freeipa-devel] [PATCH 0035] fix misleading Directory Manager --help output

2014-11-11 Thread Petr Viktorin

On 11/10/2014 08:25 AM, Jan Cholasta wrote:

Hi,

On 7.11.2014 at 17:18, Gabe Alford wrote:

Hello.

Fix for https://fedorahosted.org/freeipa/ticket/4694

Thanks,

Gabe


ACK.

Honza



Pushed to:
master: d95d557ce5dc8c9c0a629af90bf7ae2224de0eb0
ipa-4-1: 488c10e9208957baa8171ddbf8a10aaed220b011

--
Petr³



Re: [Freeipa-devel] [PATCH] 0028 Remove unneeded internal methods. Move code to public, methods.

2014-11-11 Thread Petr Viktorin

On 11/10/2014 08:21 AM, Jan Cholasta wrote:

Hi, ACK.



Pushed to master: 82c3c2b242c3f2b8113c2021cf4d17cab54c2a86

--
Petr³



Re: [Freeipa-devel] [PATCH] 365 Fix CA certificate backup and restore

2014-11-11 Thread Jan Cholasta

On 10.11.2014 at 17:46, Jan Cholasta wrote:

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4711.

Honza


Forgot to include /etc/pki/ca-trust/source/anchors/ipa-ca.crt in backup.

Updated patch attached.

--
Jan Cholasta
From f61c3b242e9eb83fa585b091da4d60b7262d124f Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 16:24:22 +
Subject: [PATCH] Fix CA certificate backup and restore

Backup and restore /etc/pki/ca-trust/source/ipa.p11-kit.

Create /etc/ipa/nssdb after restore if necessary.

https://fedorahosted.org/freeipa/ticket/4711
---
 ipaplatform/base/paths.py|  2 +-
 ipaplatform/base/tasks.py|  9 +
 ipaplatform/redhat/tasks.py  | 43 
 ipaserver/install/ipa_backup.py  |  2 ++
 ipaserver/install/ipa_restore.py | 35 +++-
 5 files changed, 67 insertions(+), 24 deletions(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index af50262..e28147a 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -92,7 +92,7 @@ class BasePathNamespace(object):
 PAM_LDAP_CONF = /etc/pam_ldap.conf
 PASSWD = /etc/passwd
 ETC_PKI_CA_DIR = /etc/pki-ca
-SYSTEMWIDE_CA_STORE = /etc/pki/ca-trust/source/anchors/
+SYSTEMWIDE_IPA_CA_CRT = /etc/pki/ca-trust/source/anchors/ipa-ca.crt
 IPA_P11_KIT = /etc/pki/ca-trust/source/ipa.p11-kit
 NSS_DB_DIR = /etc/pki/nssdb
 PKI_TOMCAT = /etc/pki/pki-tomcat
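Review bot: `SYSTEMWIDE_CA_STORE` is removed rather than kept alongside the new `SYSTEMWIDE_IPA_CA_CRT`, and the diffstat only touches ipaplatform/redhat/tasks.py. Confirm that no other platform namespace or installer still reads `paths.SYSTEMWIDE_CA_STORE`; a stale reference fails with an AttributeError at run time, not at import.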
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index f2ba81f..9b15119 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -55,6 +55,15 @@ class BaseTaskNamespace(object):
 
 return
 
+def reload_systemwide_ca_store(self):
+
+Reloads the systemwide CA store.
+
+Returns True if the operation succeeded, False otherwise.
+
+
+return True
+
 def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
 
 Adds CA certificates from 'ca_certs' to the systemwide CA store
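Review bot: the base `reload_systemwide_ca_store` returns True without doing anything, so a platform that does not override it reports the trust store as reloaded when it was not, and the callers introduced in this patch proceed as if the CA certificate were in effect. Return False (or raise NotImplementedError, whichever the other base task stubs do) so the gap is visible, and say in the docstring that the base implementation is a no-op.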
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 3f5fc90..d0e3cde 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -158,8 +158,19 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 auth_config.add_option(nostart)
 auth_config.execute()
 
+def reload_systemwide_ca_store(self):
+try:
+ipautil.run([paths.UPDATE_CA_TRUST])
+except CalledProcessError, e:
+root_logger.error(
+Could not update systemwide CA trust database: %s, e)
+return False
+else:
+root_logger.info(Systemwide CA database updated.)
+return True
+
 def insert_ca_certs_into_systemwide_ca_store(self, ca_certs):
-new_cacert_path = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+new_cacert_path = paths.SYSTEMWIDE_IPA_CA_CRT
 
 if os.path.exists(new_cacert_path):
 try:
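Review bot: the error path in `reload_systemwide_ca_store` logs only the CalledProcessError; include the command (`paths.UPDATE_CA_TRUST`) in the message so an operator reading the log knows what to re-run by hand. Minor: `except CalledProcessError, e:` is Python 2-only syntax, consistent with the rest of the module but worth `except CalledProcessError as e:` if the code is ever to run under a newer interpreter.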
@@ -248,24 +259,18 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 f.close()
 
 # Add the CA to the systemwide CA trust database
-try:
-ipautil.run([paths.UPDATE_CA_TRUST])
-except CalledProcessError, e:
-root_logger.info(Failed to add CA to the systemwide 
- CA trust database: %s % str(e))
-else:
-root_logger.info('Added the CA to the systemwide CA trust '
- 'database.')
-return True
+if not self.reload_systemwide_ca_store():
+return False
 
-return False
+return True
 
 def remove_ca_certs_from_systemwide_ca_store(self):
-ipa_ca_crt = os.path.join(paths.SYSTEMWIDE_CA_STORE, 'ipa-ca.crt')
+result = True
 update = False
 
 # Remove CA cert from systemwide store
-for new_cacert_path in (paths.IPA_P11_KIT, ipa_ca_crt):
+for new_cacert_path in (paths.IPA_P11_KIT,
+paths.SYSTEMWIDE_IPA_CA_CRT):
 if not os.path.exists(new_cacert_path):
 continue
 try:
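Review bot: `if not self.reload_systemwide_ca_store(): return False` followed by `return True` collapses to `return self.reload_systemwide_ca_store()`. More importantly, in `insert_ca_certs_into_systemwide_ca_store` the CA file has already been written to the anchors directory when the reload fails, so a False return now means "file present, trust store not refreshed"; make sure callers treat that as a partial state rather than re-attempting the write.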
@@ -273,21 +278,15 @@ class RedHatTaskNamespace(BaseTaskNamespace):
 except OSError, e:
 root_logger.error(
 Could not remove %s: %s, new_cacert_path, e)
+result = False
 else:
 update = True
 
 if update:
-try:
-ipautil.run([paths.UPDATE_CA_TRUST])
-except CalledProcessError, e:
-root_logger.error(
-Could not update systemwide CA trust database: %s, e)
+if not self.reload_systemwide_ca_store():
 return False
-else:
-root_logger.info(Systemwide CA database updated.)
-return True
 
-return False
+return 
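Review bot: the final `return` of `remove_ca_certs_from_systemwide_ca_store` is cut off in the archive, so it cannot be confirmed that it returns `result` rather than True. Since `result` is set to False when one unlink fails while `update` may still be True because the other file was removed, the function must return `result` after a successful reload, otherwise the partial removal is reported as success; please check the complete patch.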

Re: [Freeipa-devel] FreeIPA 4.1 release preparations

2014-11-11 Thread Petr Spacek
On 8.11.2014 14:43, Lukas Slebodnik wrote:
 On (20/10/14 16:08), Martin Kosek wrote:
 On 10/20/2014 04:00 PM, Jan Pazdziora wrote:
 On Mon, Oct 20, 2014 at 03:58:27PM +0200, Petr Vobornik wrote:

 The plan is to release 4.1 and then 4.0.4. Besides usual tarballs, 4.1 will
 go into Fedora rawhide, f21-updates-testing and mkosek/freeipa copr repo 
 (to
 be usable on F20).

 And RHEL 7 / CentOS 7?

 For now, I would only maintain RHEL/CentOS 7.0 compatibility for main
 mkosek/freeipa repo.

 It is almost 3 weeks from this mail and freeipa-server cannot be installed 
 from
 mkosek/freeipa repo on  RHEL/CentOS 7.0.
 
 bash-4.2# yum install freeipa-server
 //snip
 
 --- Package pki-base.noarch 0:10.2.0-3.el7.centos will be installed
 -- Processing Dependency: jackson-jaxrs-json-provider for package: 
 pki-base-10.2.0-3.el7.centos.noarch
 -- Finished Dependency Resolution
 Error: Package: pki-base-10.2.0-3.el7.centos.noarch (mkosek-freeipa)
Requires: jackson-jaxrs-json-provider
  You could try using --skip-broken to work around the problem
  You could try running: rpm -Va --nofiles --nodigest
 
 There were some promises on freeipa-users but nothing has changed.
 
 Is somebody working on this problem?
BTW I tried to build a few missing packages but gave up, the dependency
tree is pretty long.

Anyway, nothing prevents you from grabbing SRPMs from Koji, editing them as
appropriate and rebuilding them in mkosek's COPR :-)

 Maybe it is another candidate for integration tests.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH] 0671 ipa-restore: Don't crash if AD trust is not installed

2014-11-11 Thread Jan Cholasta

On 11.11.2014 at 09:08, Petr Viktorin wrote:

On 11/10/2014 04:36 PM, Martin Kosek wrote:

On 11/10/2014 02:52 PM, Petr Viktorin wrote:

This is a fix for: https://fedorahosted.org/freeipa/ticket/4668



And the patch is...?



Here, sorry.


Thanks, ACK.

Pushed to:
master: a8e2a242bec1ce68d6b14be27e1b5b8d94f0deb9
ipa-4-1: d6b79a3ce7dd253737c41854e81273b01bc4a4c4

Honza

--
Jan Cholasta



Re: [Freeipa-devel] FreeIPA 4.1 release preparations

2014-11-11 Thread Martin Kosek
On 11/11/2014 10:48 AM, Petr Spacek wrote:
 On 8.11.2014 14:43, Lukas Slebodnik wrote:
 On (20/10/14 16:08), Martin Kosek wrote:
 On 10/20/2014 04:00 PM, Jan Pazdziora wrote:
 On Mon, Oct 20, 2014 at 03:58:27PM +0200, Petr Vobornik wrote:

 The plan is to release 4.1 and then 4.0.4. Besides usual tarballs, 4.1 
 will
 go into Fedora rawhide, f21-updates-testing and mkosek/freeipa copr repo 
 (to
 be usable on F20).

 And RHEL 7 / CentOS 7?

 For now, I would only maintain RHEL/CentOS 7.0 compatibility for main
 mkosek/freeipa repo.

 It is almost 3 weeks from this mail and freeipa-server cannot be installed 
 from
 mkosek/freeipa repo on  RHEL/CentOS 7.0.

 bash-4.2# yum install freeipa-server
 //snip

 --- Package pki-base.noarch 0:10.2.0-3.el7.centos will be installed
 -- Processing Dependency: jackson-jaxrs-json-provider for package: 
 pki-base-10.2.0-3.el7.centos.noarch
 -- Finished Dependency Resolution
 Error: Package: pki-base-10.2.0-3.el7.centos.noarch (mkosek-freeipa)
Requires: jackson-jaxrs-json-provider
  You could try using --skip-broken to work around the problem
  You could try running: rpm -Va --nofiles --nodigest

 There were some promises on freeipa-users but nothing has changed.

 Is somebody working on this problem?
 BTW I tried to build a few missing packages but gave up, the dependency
 tree is pretty long.
 
 Anyway, nothing prevents you from grabbing SRPMs from Koji, editing them as
 appropriate and rebuilding them in mkosek's COPR :-)

Right. I tried to follow up on Petr's attempts, made some progress but stopped
with this dependency:

http://copr-be.cloud.fedoraproject.org/results/mkosek/freeipa/epel-7-x86_64/jackson-dataformat-smile-2.2.2-2.fc20/build.log


I asked Dogtag team to help with the packaging as this Java dependency hell is
outside of our reach.

Martin



Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes

2014-11-11 Thread Jan Cholasta

On 10.11.2014 at 19:25, Jan Cholasta wrote:

Hi,

the attached patches provide additional fixes for
https://fedorahosted.org/freeipa/ticket/4651.

I'm not 100% sure if the fixes for ipa-sam and ipa-kdb are correct,
please check them carefully.

Honza


Changed the ticket to https://fedorahosted.org/freeipa/ticket/4713.

Updated patches attached.

--
Jan Cholasta
From c2a03a9e062df5691431babeb55119dbda6b2c67 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:20:18 +
Subject: [PATCH 1/7] Remove redefinition of LOG from ipa-otp-lasttoken

https://fedorahosted.org/freeipa/ticket/4713
---
 daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
index d20fca1..15b404d 100644
--- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c
@@ -47,9 +47,6 @@
 #include util.h
 
 #define PLUGIN_NAME   ipa-otp-lasttoken
-#define LOG(sev, ...) \
-slapi_log_error(SLAPI_LOG_ ## sev, PLUGIN_NAME, \
-%s: %s\n, __func__, __VA_ARGS__), -1
 
 static void *plugin_id;
 static const Slapi_PluginDesc preop_desc = {
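Review bot: the removed `LOG` macro expanded to `(slapi_log_error(...), -1)`, an expression whose value is -1, which lets call sites write `return LOG(...)`. Confirm that the `LOG` now inherited from util.h has the same shape; if it is a plain statement macro, every `return LOG(...)` or `rc = LOG(...)` in this plugin either stops compiling or silently changes its return value.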
-- 
2.1.0

From 10b309f53852665050465df8aa44290dfe232291 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:33:23 +
Subject: [PATCH 2/7] Unload P11_Helper object's library when it is finalized
 in ipap11helper

https://fedorahosted.org/freeipa/ticket/4713
---
 ipapython/ipap11helper/library.c   | 5 +
 ipapython/ipap11helper/p11helper.c | 9 +++--
 2 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/ipapython/ipap11helper/library.c b/ipapython/ipap11helper/library.c
index 51e24eb..619604d 100644
--- a/ipapython/ipap11helper/library.c
+++ b/ipapython/ipap11helper/library.c
@@ -70,6 +70,11 @@ CK_C_GetFunctionList loadLibrary(char* module, void** moduleHandle)
 
 	// Retrieve the entry point for C_GetFunctionList
 	pGetFunctionList = (CK_C_GetFunctionList) dlsym(pDynLib, C_GetFunctionList);
+	if (pGetFunctionList == NULL)
+	{
+		dlclose(pDynLib);
+		return NULL;
+	}
 
 	// Store the handle so we can dlclose it later
 	*moduleHandle = pDynLib;
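Review bot: when `dlsym` fails the handle is closed and NULL is returned, but the reason (`dlerror()`) is discarded and `*moduleHandle` is left untouched, so the caller cannot tell a missing `C_GetFunctionList` from a failed `dlopen`. Capture `dlerror()` before the `dlclose` and log it, and set `*moduleHandle = NULL` on both failure paths so callers that inspect the out-parameter are safe.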
diff --git a/ipapython/ipap11helper/p11helper.c b/ipapython/ipap11helper/p11helper.c
index 038c26c..558185e 100644
--- a/ipapython/ipap11helper/p11helper.c
+++ b/ipapython/ipap11helper/p11helper.c
@@ -66,6 +66,7 @@ PyObject_HEAD
 CK_SLOT_ID slot;
 CK_FUNCTION_LIST_PTR p11;
 CK_SESSION_HANDLE session;
+void *module_handle;
 } P11_Helper;
 
 typedef enum {
@@ -478,6 +479,7 @@ P11_Helper_new(PyTypeObject *type, PyObject *args, PyObject *kwds) {
 self-slot = 0;
 self-session = 0;
 self-p11 = NULL;
+self-module_handle = NULL;
 }
 
 return (PyObject *) self;
@@ -496,12 +498,12 @@ static int P11_Helper_init(P11_Helper *self, PyObject *args, PyObject *kwds) {
 CK_C_GetFunctionList pGetFunctionList = loadLibrary(library_path,
 module_handle);
 if (!pGetFunctionList) {
-if (module_handle != NULL)
-unloadLibrary(module_handle);
 PyErr_SetString(ipap11helperError, Could not load the library.);
 return -1;
 }
 
+self-module_handle = module_handle;
+
 /*
  * Load the function list
  */
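Review bot: dropping the `unloadLibrary(module_handle)` call is correct only because `loadLibrary` now closes the handle itself on the `dlsym` failure path; on the `dlopen` failure path `*moduleHandle` is never written, so the `module_handle` local (declared outside this hunk) must be initialised to NULL before the call. A comment at the call site saying that `loadLibrary` owns the handle until it returns non-NULL would stop the next reader from re-adding the unload.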
@@ -567,9 +569,12 @@ P11_Helper_finalize(P11_Helper* self) {
  */
 self-p11-C_Finalize(NULL);
 
+unloadLibrary(self-module_handle);
+
 self-p11 = NULL;
 self-session = 0;
 self-slot = 0;
+self-module_handle = NULL;
 
 return Py_None;
 }
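Review bot: `unloadLibrary(self->module_handle)` runs while `self->p11` still points into the library being unloaded, and since the fields are reset afterwards a second finalize call passes a NULL handle; unless `unloadLibrary` checks for NULL, that hands NULL to `dlclose`, which is undefined. Guard with `if (self->module_handle != NULL)` and clear `self->p11` before unloading. The pre-existing `return Py_None;` in the context also lacks `Py_INCREF(Py_None)` (or `Py_RETURN_NONE`), a reference-count bug worth fixing in the same Coverity pass.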
-- 
2.1.0

From 7ca2b25b93f1e3bff1e4c54ef1794cad462e533a Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:40:35 +
Subject: [PATCH 3/7] Fix Kerberos error handling in ipa-sam

https://fedorahosted.org/freeipa/ticket/4713
---
 daemons/ipa-sam/ipa_sam.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3b69f9e..e711299 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -4233,7 +4233,7 @@ static int bind_callback(LDAP *ldap_struct, struct smbldap_state *ldap_state, vo
 	krb5_free_principal(data.context, in_creds.server);
 	krb5_free_principal(data.context, in_creds.client);
 
-	if (rc) {
+	if (rc != 0  rc != KRB5KRB_AP_ERR_TKT_NYV  rc != KRB5KRB_AP_ERR_TKT_EXPIRED) {
 		rc = bind_callback_obtain_creds(data);
 		if (rc) {
 			bind_callback_cleanup(data, rc);
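Review bot: the archive has stripped the `&&` operators from the new condition, so read it from the patch itself. As written, a cached ticket that is expired or not yet valid (`KRB5KRB_AP_ERR_TKT_NYV`, `KRB5KRB_AP_ERR_TKT_EXPIRED`) no longer triggers `bind_callback_obtain_creds`, and `rc` still holds that error after the block; the hunk does not show what the following code does with it. State in the commit message why those two errors are excluded and where they are handled, otherwise the change reads as turning a refreshable ticket into a bind failure.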
-- 
2.1.0

From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb

https://fedorahosted.org/freeipa/ticket/4713
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
 1 file changed, 3 insertions(+)


Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes

2014-11-11 Thread Alexander Bokovoy

On Tue, 11 Nov 2014, Jan Cholasta wrote:

From 7ca2b25b93f1e3bff1e4c54ef1794cad462e533a Mon Sep 17 00:00:00 2001

From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 17:40:35 +
Subject: [PATCH 3/7] Fix Kerberos error handling in ipa-sam

https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-sam/ipa_sam.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
index 3b69f9e..e711299 100644
--- a/daemons/ipa-sam/ipa_sam.c
+++ b/daemons/ipa-sam/ipa_sam.c
@@ -4233,7 +4233,7 @@ static int bind_callback(LDAP *ldap_struct, struct 
smbldap_state *ldap_state, vo
krb5_free_principal(data.context, in_creds.server);
krb5_free_principal(data.context, in_creds.client);

-   if (rc) {
+   if (rc != 0  rc != KRB5KRB_AP_ERR_TKT_NYV  rc != 
KRB5KRB_AP_ERR_TKT_EXPIRED) {
rc = bind_callback_obtain_creds(data);
if (rc) {
bind_callback_cleanup(data, rc);

ACK
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes

2014-11-11 Thread Alexander Bokovoy

On Tue, 11 Nov 2014, Jan Cholasta wrote:

From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001

From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb

https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
ipactx-kdc_hostname, strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+if (kerr != 0  kerr != ENOENT) {
+goto done;
+}
}
}
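Review bot: the new check leaves `ipadb_sign_authdata` with `kerr` set whenever `ipadb_reinit_mspac` fails for any reason other than ENOENT, and the hunk gives no reason why ENOENT is the one tolerated code. If the goal is only to satisfy Coverity's unchecked-return finding without changing behaviour, log `kerr` and fall through to the existing PAC handling; if a hard failure is intended, document which errors from `ipadb_reinit_mspac` are expected during normal operation so that a transient LDAP error does not fail every cross-realm request.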


I'm not sure we should drop the sign_authdata request here. If we were
able to re-initialize our view of trusted domains, we simply cannot
re-sign incoming PAC but this is handled in ipadb_verify_pac() and
ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
with a return code of 0 while this change will fail a cross-realm TGT
request unconditionally.

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type

2014-11-11 Thread Tomas Babej

On 11/04/2014 01:05 PM, Petr Vobornik wrote:
 On 10/15/2014 02:20 PM, Petr Vobornik wrote:
 ticket: https://fedorahosted.org/freeipa/ticket/4221


 updated version of patch 773 attached. Fixes issue in
 interactive_prompt_callback.

 Not related to this ticket:
 - should we show interactive prompt for domain name when user
 specifies --type=ipa-adtrust or ipa-adtrust-posix? Atm it will prompt
 for values related to local range.

ACK for the whole patchset, works in my testing.

Pushed to ipa-4-1: c2ac4a88775274e2cb8f199d104a1393a1d4a81e
Pushed to master: 8248f696275e2e63dab860a25467e2868aa17036

Regarding the issue, yes, I agree, prompting for values for the local
ranges should not happen. I think the most reasonable behaviour is as
follows:
 - first value that interactive callback asks for should be type, if not
specified or cannot be derived explicitly from used parameters (and
after the range's name)
 - after that, the interactive prompt should ask for relevant attributes
only.

-- 
Tomas Babej
Associate Software Engineer | Red Hat | Identity Management
RHCE | Brno Site | IRC: tbabej | freeipa.org 



Re: [Freeipa-devel] [PATCH] 773-777 ranges: prohibit setting --rid-base with ipa-trust-ad-posix type

2014-11-11 Thread Petr Vobornik

On 11.11.2014 12:13, Tomas Babej wrote:


On 11/04/2014 01:05 PM, Petr Vobornik wrote:

On 10/15/2014 02:20 PM, Petr Vobornik wrote:

ticket: https://fedorahosted.org/freeipa/ticket/4221



updated version of patch 773 attached. Fixes issue in
interactive_prompt_callback.

Not related to this ticket:
- should we show interactive prompt for domain name when user
specifies --type=ipa-adtrust or ipa-adtrust-posix? Atm it will prompt
for values related to local range.


ACK for the whole patchset, works in my testing.

Pushed to ipa-4-1: c2ac4a88775274e2cb8f199d104a1393a1d4a81e
Pushed to master: 8248f696275e2e63dab860a25467e2868aa17036

Regarding the issue, yes, I agree, prompting for values for the local
ranges should not happen. I think the most reasonable behaviour is as
follows:
  - first value that interactive callback asks for should be type, if not
specified or cannot be derived explicitly from used parameters (and
after the range's name)
  - after that, the interactive prompt should ask for relevant attributes
only.



+1

https://fedorahosted.org/freeipa/ticket/4714
--
Petr Vobornik



Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes

2014-11-11 Thread Jan Cholasta

On 11.11.2014 at 11:40, Alexander Bokovoy wrote:

On Tue, 11 Nov 2014, Jan Cholasta wrote:

From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001

From: Jan Cholasta jchol...@redhat.com
Date: Mon, 10 Nov 2014 18:10:27 +
Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb

https://fedorahosted.org/freeipa/ticket/4713
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
1 file changed, 3 insertions(+)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
b/daemons/ipa-kdb/ipa_kdb_mspac.c
index c8f6c76..debcd1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2071,6 +2071,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context
context,
ipactx-kdc_hostname,
strlen(ipactx-kdc_hostname),
NULL, NULL, result) == 0) {
kerr = ipadb_reinit_mspac(ipactx, true);
+if (kerr != 0  kerr != ENOENT) {
+goto done;
+}
}
}


I'm not sure we should drop the sign_authdata request here. If we were
able to re-initialize our view of trusted domains, we simply cannot
re-sign incoming PAC but this is handled in ipadb_verify_pac() and
ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
with a return code of 0 while this change will fail a cross-realm TGT
request unconditionally.



OK, what would be a proper fix? Just ignore the return value of 
ipadb_reinit_mspac here?


--
Jan Cholasta



[Freeipa-devel] [PATCH] Add help string on how to configure multiple DNS forwards on cli

2014-11-11 Thread Thorsten Scherf

The ipa-server-install man page is more descriptive on how to configure
multiple DNS forwarders than the cli help. The cli help is more verbose
now.

https://fedorahosted.org//ticket/4465

Cheers,
Thorsten

From 11dcf90ba36f00f9c4ee74a33c6aa6f8773210ff Mon Sep 17 00:00:00 2001
From: Thorsten Scherf tsch...@redhat.com
Date: Tue, 11 Nov 2014 13:30:44 +0100
Subject: [PATCH] Add help string on how to configure multiple DNS forwards on
 cli

The ipa-server-install man page is more descriptive on how to configure
multiple DNS forwarders than the cli help. This cli help is more verbose
now.

https://fedorahosted.org//ticket/4465
---
 install/tools/ipa-server-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 
cb79cfbbc09966950f4e5fb51984008b20600143..1280b631db4f7b6ad69d1151d047a8190ca5215a
 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -282,7 +282,7 @@ def parse_options():
 dns_group.add_option(--setup-dns, dest=setup_dns, action=store_true,
   default=False, help=configure bind with our zone)
 dns_group.add_option(--forwarder, dest=forwarders, action=append,
-  type=ip, help=Add a DNS forwarder)
+  type=ip, help=Add a DNS forwarder. This option can be 
used multiple times)
 dns_group.add_option(--no-forwarders, dest=no_forwarders, 
action=store_true,
   default=False, help=Do not add any DNS forwarders, use 
root servers instead)
 dns_group.add_option(--reverse-zone, dest=reverse_zones, help=The 
reverse DNS zone to use,
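Review bot: the new help text ends without a full stop while the neighbouring options are single clauses; keep the style uniform within the group. `--reverse-zone` in the same group writes to a plural `dest=reverse_zones`, so if it is also `action=append` it deserves the same "can be used multiple times" hint for the same reason the ticket gives for `--forwarder`.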
-- 
1.9.3




Re: [Freeipa-devel] [PATCH] Add help string on how to configure multiple DNS forwards on cli

2014-11-11 Thread Martin Basti

On 11/11/14 13:37, Thorsten Scherf wrote:

The ipa-server-install man page is more descriptive on how to configure
multiple DNS forwarders than the cli help. The cli help is more verbose
now.

https://fedorahosted.org//ticket/4465

Cheers,
Thorsten



Hello,

thanks for the patch, but I have a few objections.

1) Trac link in commit is corrupted
2) The forwarder option is in more installation scripts:
* ipa-dns-install
* ipa-replica-install
* ipa-server-install

Martin^2

--
Martin Basti



[Freeipa-devel] [PATCH 0036] Add missing python files to Makefile

2014-11-11 Thread Gabe Alford
Hello,

Fix for https://fedorahosted.org/freeipa/ticket/4700

Thanks,

Gabe
From b6674996bb00ac82943b90248a20114d4ca43073 Mon Sep 17 00:00:00 2001
From: Gabe redhatri...@gmail.com
Date: Tue, 11 Nov 2014 07:02:15 -0700
Subject: [PATCH] Add missing python files to Makefiles

https://fedorahosted.org/freeipa/ticket/4700
---
 ipaserver/install/Makefile.am |   32 
 ipaserver/install/plugins/Makefile.am |   11 +++
 2 files changed, 31 insertions(+), 12 deletions(-)

diff --git a/ipaserver/install/Makefile.am b/ipaserver/install/Makefile.am
index 9fcad4e77c93cf44ed5fcf3ff793233ba35482c1..4002e14df3392591788e5491420a967b9d43ef3f 100644
--- a/ipaserver/install/Makefile.am
+++ b/ipaserver/install/Makefile.am
@@ -3,20 +3,36 @@ NULL =
 appdir = $(pythondir)/ipaserver
 app_PYTHON = 			\
 	__init__.py		\
+	adtrustinstance.py	\
 	bindinstance.py		\
 	cainstance.py		\
+	certs.py		\
+	dnskeysyncinstance.py	\
+	dogtaginstance.py	\
 	dsinstance.py		\
-	ipaldap.py		\
-	krbinstance.py		\
 	httpinstance.py		\
-	ntpinstance.py		\
-	adtrustinstance.py	\
-	service.py		\
 	installutils.py		\
+	ipa_backup.py		\
+	ipa_cacert_manage.py	\
+	ipa_kra_install.py	\
+	ipa_ldap_updater.py	\
+	ipa_otptoken_import.py	\
+	ipa_replica_prepare.py	\
+	ipa_restore.py		\
+	ipa_server_certinstall.py	\
+	krainstance.py		\
+	krbinstance.py		\
+	ldapupdate.py		\
+	memcacheinstance.py	\
+	ntpinstance.py		\
+	odsexporterinstance.py	\
+	opendnssecinstance.py	\
+	otpdinstance.py		\
 	replication.py		\
-	certs.py		\
-ldapupdate.py		\
-certmonger.py		\
+	schemaupdate.py		\
+	service.py		\
+	sysupgrade.py		\
+	upgradeinstance.py	\
 	$(NULL)
 
 EXTRA_DIST =			\
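Review bot: besides adding files, the hunk drops `ipaldap.py` and `certmonger.py` from `app_PYTHON`. ipa_restore.py elsewhere in this thread imports `ipaldap` from ipapython, so that module has evidently moved, but confirm that `certmonger.py` no longer exists under ipaserver/install; if it is still there it simply stops being installed and anything importing `ipaserver.install.certmonger` breaks at run time. The commit message should mention the removals as well as the additions.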
diff --git a/ipaserver/install/plugins/Makefile.am b/ipaserver/install/plugins/Makefile.am
index 635877d8c2160a91208276498cdb4cd9bc82d56b..11a3be6555e0ee3df5b2d22554434f1d2bd83e45 100644
--- a/ipaserver/install/plugins/Makefile.am
+++ b/ipaserver/install/plugins/Makefile.am
@@ -3,16 +3,19 @@ NULL =
 appdir = $(pythondir)/ipaserver/install
 app_PYTHON = 			\
 	__init__.py		\
+	adtrust.py		\
 	baseupdate.py		\
+	ca_renewal_master.py	\
+	dns.py			\
 	fix_replica_agreements.py	\
 	rename_managed.py	\
-	dns.py			\
 	updateclient.py		\
-	update_services.py	\
-	update_anonymous_aci.py	\
+	update_idranges.py	\
+	update_managed_permissions.py	\
 	update_pacs.py		\
-	ca_renewal_master.py	\
+	update_services.py	\
 	update_uniqueness.py	\
+	upload_cacrt.py		\
 	$(NULL)
 
 EXTRA_DIST =			\
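Review bot: `update_anonymous_aci.py` is removed from the plugin list; as with the first hunk, verify the file is really gone from ipaserver/install/plugins, because an update plugin that exists in the tree but is not installed is silently skipped at upgrade time, which is worse than a build failure. Comparing `ls ipaserver/install/plugins/*.py` against the list is a quick check.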
-- 
1.7.1


Re: [Freeipa-devel] [PATCH] Add help string on how to configure multiple DNS forwards on cli

2014-11-11 Thread Thorsten Scherf

On [Tue, 11.11.2014 13:57], Martin Basti wrote:

On 11/11/14 13:37, Thorsten Scherf wrote:

The ipa-server-install man page is more descriptive on how to configure
multiple DNS forwarders than the cli help. The cli help is more verbose
now.

https://fedorahosted.org//ticket/4465

Cheers,
Thorsten



Hello,

thanks for the patch, but I have a few objections.

1) Trac link in commit is corrupted
2) The forwarder option is in more installation scripts:
* ipa-dns-install
* ipa-replica-install
* ipa-server-install


Please find the new patch attached.

https://fedorahosted.org/freeipa/ticket/4465

Cheers,
Thorsten


From 64faa16b953190d60e06598eeceef928afeaefe3 Mon Sep 17 00:00:00 2001
From: Thorsten Scherf tsch...@redhat.com
Date: Tue, 11 Nov 2014 15:38:01 +0100
Subject: [PATCH] Add help string on how to configure multiple DNS forwards for
 various cli tools

The man pages for various FreeIPA setup tools are more descriptive on how to
configure multiple DNS forwarders than the corresponding cli help. This patch
makes the cli help more verbose now for the following tools:

* ipa-dns-install
* ipa-replica-install
* ipa-server-install

https://fedorahosted.org/freeipa/ticket/4465
---
 install/tools/ipa-dns-install | 2 +-
 install/tools/ipa-replica-install | 2 +-
 install/tools/ipa-server-install  | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 
73afadf56a1b6594d11fd87b0efdeb6cc179bc0d..7d9bf6a8b223b586e7923137abec557036f650da
 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -47,7 +47,7 @@ def parse_options():
   default=[], action=append,
   type=ip, ip_local=True, help=Master Server IP 
Address)
 parser.add_option(--forwarder, dest=forwarders, action=append,
-  type=ip, help=Add a DNS forwarder)
+  type=ip, help=Add a DNS forwarder. This option can be 
used multiple times)
 parser.add_option(--no-forwarders, dest=no_forwarders, 
action=store_true,
   default=False, help=Do not add any DNS forwarders, use 
root servers instead)
 parser.add_option(--reverse-zone, dest=reverse_zones,
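Review bot: the new `--forwarder` help text in this hunk is the same literal that ipa-replica-install and ipa-server-install receive in the following hunks; keeping it in one shared constant next to the other DNS option strings would stop the three copies from drifting the next time the wording is adjusted.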
diff --git a/install/tools/ipa-replica-install 
b/install/tools/ipa-replica-install
index 
8f0ce86667b3603cb2a72fbc9b78e074db73cdd9..409f1f61b42ccb2a4f2053689a7452f4fe344b4d
 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -109,7 +109,7 @@ def parse_options():
 dns_group.add_option(--setup-dns, dest=setup_dns, action=store_true,
   default=False, help=configure bind with our zone)
 dns_group.add_option(--forwarder, dest=forwarders, action=append,
-  type=ip, help=Add a DNS forwarder)
+  type=ip, help=Add a DNS forwarder. This option can be 
used multiple times)
 dns_group.add_option(--no-forwarders, dest=no_forwarders, 
action=store_true,
   default=False, help=Do not add any DNS forwarders, use 
root servers instead)
 dns_group.add_option(--reverse-zone, dest=reverse_zones, default=[],
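Review bot: in ipa-replica-install `--forwarder` sits in the same dns_group as `--setup-dns` (two lines above it), so the help string could mention that it belongs to the DNS setup options; "Add a DNS forwarder. This option can be used multiple times" tells the user about repetition but not that the flag is part of the `--setup-dns` group.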
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index 
cb79cfbbc09966950f4e5fb51984008b20600143..1280b631db4f7b6ad69d1151d047a8190ca5215a
 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -282,7 +282,7 @@ def parse_options():
 dns_group.add_option(--setup-dns, dest=setup_dns, action=store_true,
   default=False, help=configure bind with our zone)
 dns_group.add_option(--forwarder, dest=forwarders, action=append,
-  type=ip, help=Add a DNS forwarder)
+  type=ip, help=Add a DNS forwarder. This option can be 
used multiple times)
 dns_group.add_option(--no-forwarders, dest=no_forwarders, 
action=store_true,
   default=False, help=Do not add any DNS forwarders, use 
root servers instead)
 dns_group.add_option(--reverse-zone, dest=reverse_zones, help=The 
reverse DNS zone to use,
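Review bot: style nit that applies to all three hunks: every other help string in these option groups is a single phrase without a trailing period, while the new text is two sentences with a period after the first and none after the second; "Add a DNS forwarder (this option can be used multiple times)" would match the surrounding style.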
-- 
1.9.3




Re: [Freeipa-devel] [PATCH] 365 Fix CA certificate backup and restore

2014-11-11 Thread Petr Viktorin

On 11/11/2014 09:52 AM, Jan Cholasta wrote:

Dne 10.11.2014 v 17:46 Jan Cholasta napsal(a):

Hi,

the attached patch fixes https://fedorahosted.org/freeipa/ticket/4711.

Honza


Forgot to include /etc/pki/ca-trust/source/anchors/ipa-ca.crt in backup.

Updated patch attached.


Looks good

ACK, pushed to:
master: 2639997dfee43d66e94ef9b5441289816c465e7d
ipa-4-1: 7c2aad17da8bd5f50b9c1409f91c413bc454ce28



--
Petr³



[Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission

2014-11-11 Thread Martin Basti

Using the specfile to create the file doesn't work if the named user is not on the system.
Appropriate permissions have to be set during ipa-dns installation.

Patch attached

--
Martin Basti

From 44593f97c51cc683218ac4ed81f821ee751ee6c5 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Tue, 11 Nov 2014 13:00:18 +0100
Subject: [PATCH] Fix named working directory permissions

Just adding the dir to the specfile doesn't work, because it is not guaranteed that
named is installed during RPM installation.

Ticket: https://fedorahosted.org/freeipa/ticket/4657#comment:6
---
 freeipa.spec.in |  3 +--
 ipaplatform/base/paths.py   |  1 +
 ipaserver/install/dnskeysyncinstance.py | 21 +
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 36c2a35e7a0c60d4f68e2d945688ee30506e47c6..d0e9f910e2247ce1620e9b62f412d43ff663652d 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -420,7 +420,6 @@ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
 mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
-mkdir -p %{buildroot}%{_localstatedir}/named/dyndb-ldap/ipa/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
 install -m 644 init/ipa-dnskeysyncd.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-dnskeysyncd
 install -m 644 init/ipa-ods-exporter.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa-ods-exporter
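Review bot: dropping the mkdir from %install is consistent with the %ghost entry added later in %files, since rpm does not require a %ghost path to exist in the buildroot; it is worth stating in the commit message that the directory is now created by the installer instead, because after this hunk nothing in the spec creates it any more.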
@@ -660,7 +659,6 @@ fi
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
 %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
-%dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa.service
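Review bot: removing the `%dir %attr(0770,named,named)` line means the package no longer claims the directory, so an rpm upgrade from the 4.1.1 build that shipped it will not touch ownership on existing systems; the Python change in this patch only runs during installation, so upgraded servers need an equivalent step in ipa-upgradeconfig (the same question raised in the reply to this patch).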
@@ -774,6 +772,7 @@ fi
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
+%ghost %{_localstatedir}/named/dyndb-ldap/ipa
 %attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
 %{_mandir}/man1/ipa-replica-conncheck.1.gz
 %{_mandir}/man1/ipa-replica-install.1.gz
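Review bot: the %ghost entry is given without %dir or %attr; rpm cannot stat a ghost path at build time and takes its type and mode from the spec, so as written it is recorded as a regular file with default attributes. `%ghost %dir %attr(0770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa` keeps the ghost semantics (nothing created at package install) while recording the directory with the ownership the installer sets.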
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index af502628e493ad7b4d8d30ed1acb98bba8cb39e4..e4970e9b684b06ad98d56605d6d0419cb9e39cb2 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -189,6 +189,7 @@ class BasePathNamespace(object):
 BIN_WGET = /usr/bin/wget
 ZIP = /usr/bin/zip
 BIND_LDAP_SO = /usr/lib/bind/ldap.so
+BIND_LDAP_DNS_IPA_WORKDIR = /var/named/dyndb-ldap/ipa/
 BIND_LDAP_DNS_ZONE_WORKDIR = /var/named/dyndb-ldap/ipa/master/
 USR_LIB_DIRSRV = /usr/lib/dirsrv
 USR_LIB_SLAPD_INSTANCE_TEMPLATE = /usr/lib/dirsrv/slapd-%s
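Review bot: the trailing slash on BIND_LDAP_DNS_IPA_WORKDIR matches the neighbouring BIND_LDAP_DNS_ZONE_WORKDIR but not most other entries in BasePathNamespace (BIND_LDAP_SO, USR_LIB_DIRSRV); os.mkdir/os.chown accept both forms, so this is only a consistency nit.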
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 1dd9a0983fb689f14656431496dfd4b2bb2e30a9..f3d225fc114c1a8ffed1637a90448122b862b745 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -119,6 +119,8 @@ class DNSKeySyncInstance(service.Service):
 self.ldap_connect()
 # checking status step must be first
 self.step(checking status, self.__check_dnssec_status)
+self.step(setting up bind-dyndb-ldap working directory,
+  self.__setup_dyndb_ldap_workdir)
 self.step(setting up kerberos principal, self.__setup_principal)
 self.step(setting up SoftHSM, self.__setup_softhsm)
 self.step(adding DNSSEC containers, self.__setup_dnssec_containers)
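Review bot: the step is added to DNSKeySyncInstance, but the directory it creates is bind-dyndb-ldap's working directory, which every DNS install needs regardless of key sync; check that DNSKeySyncInstance is set up on every installation path that enables bind-dyndb-ldap, otherwise bindinstance is the right owner for this step (the reply to this patch asks the same).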
@@ -171,6 +173,25 @@ class DNSKeySyncInstance(service.Service):
 
 self._ldap_mod(dnssec.ldif, {'SUFFIX': self.suffix, })
 
+def __setup_dyndb_ldap_workdir(self):
+named = services.knownservices.named
+
+try:
+named_uid = pwd.getpwnam(named.get_user_name()).pw_uid
+except KeyError:
+raise RuntimeError(Named UID not found)
+
+try:
+named_gid = grp.getgrnam(named.get_group_name()).gr_gid
+except KeyError:
+raise RuntimeError(Named GID not found)
+
+if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
+os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+# dnssec daemons require to have access into the directory
+os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0770)
+os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, named_uid, named_gid)
+
 def __setup_softhsm(self):
 assert self.ods_uid is not None
 assert self.named_gid is not None
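Review bot: the new method calls pwd.getpwnam, grp.getgrnam and os.mkdir/os.chmod/os.chown, but the diff adds no import lines and the stat shows all 21 added lines in these two hunks, so make sure pwd, grp and os are already imported in dnskeysyncinstance.py or this fails with NameError at install time. The class already carries self.named_gid (asserted in __setup_softhsm right below), so the gid lookup could reuse it instead of duplicating the RuntimeError path. The explicit os.chmod after os.mkdir is correct and should stay: the mkdir mode is subject to umask, so 0770 is not guaranteed without it.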
-- 
1.8.3.1


[Freeipa-devel] FreeIPA integration with external DNS services

2014-11-11 Thread Petr Spacek
Hello,

this thread is about RFE
IPA servers when installed should register themselves in the external DNS
https://fedorahosted.org/freeipa/ticket/4424

It is not a complete design, just a raw idea.


Use case

FreeIPA installation to a network with existing DNS infrastructure + network
administrator who is not willing to add/maintain new DNS servers just for
FreeIPA.


High-level idea
===
- Transform dns* commands from FreeIPA framework to equivalent nsupdate
commands and send DNS updates to existing DNS servers.
- Provide necessary encryption/signing keys to nsupdate.


1) Integration to FreeIPA framework
===
First of all, we need to decide if external DNS integration can be used at
the same time with FreeIPA-integrated DNS or not. Side-question is what to do
if a first server is installed with external-DNS but another replica is being
installed with integrated-DNS and so on.

In other words, the question is if current dns.py plugin shipped with
FreeIPA framework should be:

a) Extended dns.py with dnsexternal-* commands
--
Disadvantages:
- It complicates the FreeIPA DNS interface, which is a complex beast even now.
- We would have to add a condition to every DNS API call in installers, which would
increase horribleness of the installer code even more (or add another layer of
abstraction...).
- I don't see a point in using integrated-DNS with external-DNS at the same
time. To use integrated-DNS you have to get a proper DNS delegation from
parent domain - and if you can get the delegation then there is no point in
using external DNS ...

Advantages:
- You can use external & integrated DNS at the same time.


b) Replace dns.py with another implementation of current dnszone-* &
dnsrecord-* API.
-
This seems like a cleaner approach to me. It could be shipped as
ipa-server-dns-external package (opposed to standard ipa-server-dns package).

Advantages:
- It could seamlessly work with FreeIPA client installer because the
dns*-nsupdate command transformation would be done on FreeIPA server and
client doesn't need to know about it.
- Does not require re-training/not much new documentation because commands are
the same.

Disadvantages:
- You can't use integrated & external DNS at the same time (but I don't think
it justifies the added complexity).


Petr^3 or anyone else, what do you propose?


2) Authentication to external DNS server/keys
=
This is separate problem from FreeIPA framework integration.
We will have to somehow store raw symmetric keys (for DNS TSIG) or keytabs
(for DNS GSS-TSIG) and distribute them somehow to replicas so every replica
can update DNS records as necessary.

This will be the funny part because in case of AD trusts we have chicken-egg
problem. You need to establish trust to get ticket for DNS/dc1.ad.example@AD
principal but you can't (I guess) establish trust until proper DNS records are
in place ...

For 'experimental' phase I would go with pre-populated ccache, i.e. admin
will manually do kinit Administrator@AD and then run FreeIPA installer.

Maybe we can re-use trust secret somehow? I don't know, I will reach out to AD
experts with questions.

This area needs more research but for now it seems feasible to re-use DNSSEC
key distribution system for TSIG keys and keytabs so only the chicken-egg
problem is left.

This will need new LDAP schema but I will propose something when I'm done with
investigation.

-- 
Petr^2 Spacek

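The dns* to nsupdate translation sketched in the proposal above, as an added example that is not FreeIPA code: it renders the stdin script `nsupdate` would receive for one dnsrecord-add/dnsrecord-del call, with either a TSIG key or GSS-TSIG (the pre-populated ccache approach) selected; the RecordOp shape, the sample zone and server values are constructed for illustration.

```python
"""Render an nsupdate script for one dnsrecord-* style operation (added example)."""
from collections import namedtuple

# Hypothetical shape of one record operation as the framework would see it.
RecordOp = namedtuple("RecordOp", "action zone name rrtype values ttl")

# HMAC algorithms accepted by nsupdate's `key` statement.
TSIG_ALGORITHMS = {"hmac-md5", "hmac-sha1", "hmac-sha256", "hmac-sha512"}


def fqdn(name, zone):
    """Absolute owner name; '@' or '' means the zone apex."""
    zone = zone.rstrip(".") + "."
    if name in ("@", ""):
        return zone
    return name if name.endswith(".") else "%s.%s" % (name, zone)


def render_nsupdate(op, server, tsig=None, gsstsig=False):
    """Return the nsupdate input for one RecordOp.

    tsig is (algorithm, keyname, base64_secret) for a symmetric TSIG key;
    gsstsig=True emits the `gsstsig` statement instead, so the Kerberos
    credentials come from the caller's ccache.
    """
    if tsig and gsstsig:
        raise ValueError("choose either TSIG or GSS-TSIG, not both")
    lines = ["server %s" % server, "zone %s" % fqdn("@", op.zone)]
    if tsig:
        algorithm, keyname, secret = tsig
        if algorithm not in TSIG_ALGORITHMS:
            raise ValueError("unsupported TSIG algorithm: %s" % algorithm)
        lines.append("key %s:%s %s" % (algorithm, keyname, secret))
    elif gsstsig:
        lines.append("gsstsig")
    owner = fqdn(op.name, op.zone)
    if op.action == "add":
        for value in op.values:
            lines.append("update add %s %d IN %s %s" % (owner, op.ttl, op.rrtype, value))
    elif op.action == "del":
        # Delete specific RRs when values are given, the whole RRset otherwise.
        if op.values:
            for value in op.values:
                lines.append("update delete %s IN %s %s" % (owner, op.rrtype, value))
        else:
            lines.append("update delete %s IN %s" % (owner, op.rrtype))
    else:
        raise ValueError("unknown action: %s" % op.action)
    lines.append("send")
    return "\n".join(lines) + "\n"
```

The returned text is what the server-side plugin would pipe into `nsupdate` so that the client installer keeps calling the unchanged dnsrecord-* commands.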


Re: [Freeipa-devel] [PATCH] Add help string on how to configure multiple DNS forwards on cli

2014-11-11 Thread Martin Basti

On 11/11/14 15:42, Thorsten Scherf wrote:

On [Tue, 11.11.2014 13:57], Martin Basti wrote:

On 11/11/14 13:37, Thorsten Scherf wrote:

The ipa-server-install man page is more descriptive on how to configure
multiple DNS forwarders than the cli help. The cli help is more verbose
now.

https://fedorahosted.org//ticket/4465

Cheers,
Thorsten



Hello,

thanks for the patch, but I have a few objections.

1) The Trac link in the commit is corrupted
2) The forwarder option is in more installation scripts:
* ipa-dns-install
* ipa-replica-install
* ipa-server-install


Please find the new patch attached.

https://fedorahosted.org/freeipa/ticket/4465

Cheers,
Thorsten



Thank you, ACK.

Please read how to format a patch for future.
http://www.freeipa.org/page/Contribute/Patch_Format

--
Martin Basti



[Freeipa-devel] [PATCH] 0672 - ipaplatform: Use the dirsrv service, not target

2014-11-11 Thread Petr Viktorin

https://fedorahosted.org/freeipa/ticket/4709

With this patch, IPA should no longer call systemctl on dirsrv.target, 
but rather on its concrete service.


Since systemctl stop waits for shutdown of services (but not targets), 
we can assume dirsrv will be down (and the database unlocked) after 
stop() is done.


There's a DS ticket [0] to explicitly tell systemd which process to wait 
on, but in my experience, systemd guesses correctly even without that fix.


[0] https://fedorahosted.org/389/ticket/47951

--
Petr³
From b963c58bf340edc0a5f316e2a574f17229bd0bcc Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Tue, 11 Nov 2014 16:07:37 +0100
Subject: [PATCH] ipaplatform: Use the dirsrv service, not target

IPA only uses one instance of the directory server. When an instance
is not specified to a call to service.start/stop/restart/...,
use IPA's instance.

Stopping a systemd service is synchronous (by default), but stopping
a target is not. This change ensures that the directory server
is actually down when stop() finishes.

https://fedorahosted.org/freeipa/ticket/4709
---
 ipaplatform/base/services.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py
index 01d95b39cc7b845bdc612d40b3eea29d6de2961a..5921da920f88455395b7804101b9136349fbba7c 100644
--- a/ipaplatform/base/services.py
+++ b/ipaplatform/base/services.py
@@ -187,8 +187,7 @@ def service_instance(self, instance_name, operation=None):
 elements = self.systemd_name.split(@)
 
 # Make sure the correct DS instance is returned
-if (elements[0] == 'dirsrv' and not instance_name and
-operation == 'is-active'):
+if elements[0] == 'dirsrv' and not instance_name:
 
 return ('dirsrv@%s.service'
 % str(self.api.env.realm.replace('.', '-')))
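Review bot: with the `operation == 'is-active'` clause gone, `operation` is no longer consulted in this branch; if nothing else in service_instance reads it, drop it from the signature or add a comment saying why callers still pass it. The rationale from the commit message (stopping a target does not wait for its units, stopping the service does) belongs in the code comment too, since "Make sure the correct DS instance is returned" no longer explains why the unit rather than dirsrv.target is used for start/stop.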
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0161] Fix dyndb-ldap working dir permission

2014-11-11 Thread Jan Cholasta

Hi,

Dne 11.11.2014 v 16:22 Martin Basti napsal(a):

Using the specfile to create the file doesn't work if the named user is not on the system.
Appropriate permissions have to be set during ipa-dns installation.

Patch attached



Why is the directory set up in dnskeysyncinstance instead of bindinstance?

The original patch was released with 4.1.1, shouldn't there be an update in 
ipa-upgradeconfig?


Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHES] 366-372 Additional Coverity fixes

2014-11-11 Thread Petr Spacek
On 11.11.2014 12:27, Jan Cholasta wrote:
 Dne 11.11.2014 v 11:40 Alexander Bokovoy napsal(a):
 On Tue, 11 Nov 2014, Jan Cholasta wrote:
 From 82d7d37ca310af015018ebb2da2f9a72c4dabcaa Mon Sep 17 00:00:00 2001
 From: Jan Cholasta jchol...@redhat.com
 Date: Mon, 10 Nov 2014 18:10:27 +
 Subject: [PATCH 4/7] Fix unchecked return value in ipa-kdb

 https://fedorahosted.org/freeipa/ticket/4713
 ---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 3 +++
 1 file changed, 3 insertions(+)

 diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c
 b/daemons/ipa-kdb/ipa_kdb_mspac.c
 index c8f6c76..debcd1b 100644
 --- a/daemons/ipa-kdb/ipa_kdb_mspac.c
 +++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
 @@ -2071,6 +2071,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context
 context,
 ipactx-kdc_hostname,
 strlen(ipactx-kdc_hostname),
 NULL, NULL, result) == 0) {
 kerr = ipadb_reinit_mspac(ipactx, true);
 +if (kerr != 0  kerr != ENOENT) {
 +goto done;
 +}
 }
 }
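Review bot: the added `goto done` turns any ipadb_reinit_mspac failure other than ENOENT into a failure of ipadb_sign_authdata for that request, whereas before this hunk a failed re-initialisation left the previous trusted-domain view in place and the degraded case was handled further down in PAC verification/signing; if the Coverity finding is only the unchecked return value, logging kerr and continuing (as suggested in this thread) keeps the old behaviour while satisfying the checker. Also verify that kerr == ENOENT cannot leak into the function's return value, since execution continues past this check with kerr still set.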

 I'm not sure we should drop the sign_authdata request here. If we were
 able to re-initialize our view of trusted domains, we simply cannot
 re-sign incoming PAC but this is handled in ipadb_verify_pac() and
 ipadb_sign_pac() and if the former returns NULL value for PAC, we exit
 with a return code of 0 while this change will fail a cross-realm TGT
 request unconditionally.

 
 OK, what would be a proper fix? Just ignore the return value of
 ipadb_reinit_mspac here?

Guys, I did not see the code but all instances of "ignore return code" I have
seen were wrong, including cases where the code comment explicitly said "we ignore
the return code on purpose" :-)

At least log an error message if you can't think of anything better ...

-- 
Petr^2 Spacek
