date:20150707


On 07/07/15 10:33, Tomas Babej wrote:

Hi,

* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin

https://fedorahosted.org/freeipa/ticket/5097



ACK

--
Martin Basti

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically.


On 03/07/15 06:17, David Kupka wrote:
Since ipa-replica-* tools will be soon removed I think this simple 
check should be enough.





ACK

--
Martin Basti

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features


On 04/07/15 16:58, Fraser Tweedale wrote:

On Fri, Jul 03, 2015 at 10:34:07PM +1000, Fraser Tweedale wrote:

On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote:

On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote:

Hi,

Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a):

Attached patches fix a couple of important gaps in certprofile
plugin:

- Add --out option to export Dogtag profile data to file
   https://fedorahosted.org/freeipa/ticket/5091

- Add --file option to update existing profile in Dogtag
   https://fedorahosted.org/freeipa/ticket/5093


NACK on patchset v2; does not work (even after makeapi, which I
forgot to include in updated patchset).  I keep getting error
``ipa: ERROR: Unknown option: file''.  Need to investigate why,
but other patches are taking priority right now.

Here is patchset v3, which is just v1 rebased on latest master.

Thanks,
Fraser


Updated patch 0025 (v4).  Profile now gets re-enabled if profile
update fails.  Patch 0024 remains at v3.

Thanks,
Fraser



ACK

--
Martin Basti

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk


On 03/07/15 16:41, Martin Babinsky wrote:

On 07/02/2015 01:58 PM, Martin Babinsky wrote:

First attempt at https://fedorahosted.org/freeipa/ticket/4768




Attaching reworked patch.




ACK

--
Martin Basti

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0276] Fix: ipa-dns-install will add CA records if CA is installed


https://fedorahosted.org/freeipa/ticket/5101

Patch attached.

--
Martin Basti

From f5de8e7a9ecd8f8220bd542d9ff264ce7917a829 Mon Sep 17 00:00:00 2001
From: Martin Basti mba...@redhat.com
Date: Tue, 7 Jul 2015 16:28:48 +0200
Subject: [PATCH] Fix regression: ipa-dns-install will add CA records if
 required

https://fedorahosted.org/freeipa/ticket/5101
---
 install/tools/ipa-dns-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-dns-install b/install/tools/ipa-dns-install
index 3fcda04e71d77e25ef328e2037b9e147ed1403bc..34b952859e56c6aa5ae861a4d1fb615f0a2d8f55 100755
--- a/install/tools/ipa-dns-install
+++ b/install/tools/ipa-dns-install
@@ -120,7 +120,7 @@ def main():
 
 api.Backend.ldap2.connect(autobind=True)
 
-options.setup_ca = False
+options.setup_ca = None  # must be None to enable autodetection
 
 dns_installer.install_check(True, False, options, hostname=api.env.host)
 dns_installer.install(True, False, options)
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [MAN] [PATCH] 0004 Fix phrasing in man page for stageuser.py



On 07/04/2015 02:03 PM, Jérôme Fenal wrote:
 Hi all,
 
 A quick patch to the man page part of stageuser to avoid ambiguity in
 the phrasing, spotted while translating the page.
 
 Regards,
 
 J.
 
 
 

Thanks, ACK.

I will not push this patch to master until we branch off 4.2 development
branch as it would disrupt already translated strings in the other
languages.

Tomas

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server

On 07/01/2015 12:47 PM, Petr Spacek wrote:
On 1.7.2015 12:35, Martin Basti wrote:
On 30/06/15 22:09, Petr Spacek wrote:
On 30.6.2015 16:04, Martin Basti wrote:
On 30/06/15 10:25, Martin Basti wrote:
On 29/06/15 15:16, Martin Basti wrote:
On 25/06/15 13:46, Petr Spacek wrote:
On 17.6.2015 13:37, Martin Basti wrote:
On 17/06/15 13:26, Petr Spacek wrote:
On 16.6.2015 15:40, Martin Basti wrote:
On 05/06/15 12:54, Petr Spacek wrote:
On 20.5.2015 18:00, Martin Basti wrote:
This patch allows to disable DNSSEC key master on IPA server, or
replace
current DNSSEC key master with another IPA server.

Only for master branch.

https://fedorahosted.org/freeipa/ticket/4657

Patches attached.
NACK. This happens on DNSSEC key master:
$ ipa-dns-install --disable-dnssec-master

Do you want to disable current DNSSEC key master? [no]: yes
Unexpected error - see /var/log/ipaserver-install.log for details:
TypeError: sequence item 0: expected string, DNSName found
2015-06-05T10:52:35Z DEBUG File
/usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
line
733, in run_script
return_value = main_function()

File /sbin/ipa-dns-install, line 128, in main
dns_installer.disable_dnssec_master(options.unattended)

File
/usr/lib/python2.7/site-packages/ipaserver/install/dns.py,
line
112,
in disable_dnssec_master
, .join(dnssec_zones))

2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed,
exception:
TypeError: sequence item 0: expected string, DNSName found

Updated patches attached.

Due new installers, more changes were required.
Sorry, NACK, I'm not able to apply this patch set to current master
(69607250b9762a6c9b657dd31653b03d54a7b411).

Rebased patches attached.
NACK.

0) ipa-dns-install --replace-dnssec-master always puts file into
/root/ipa-kasp.db.

It would be better to put it into local working directory or
/var/lib/ipa (as
with replica files).

1) I installed DNSSEC key master role on the vm-134 but DNSSEC services
were
not stopped by ipactl stop:

[root@vm-134 review]# ipactl stop
Stopping ipa-otpd Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful

[root@vm-134 review]# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-otpd Service
Starting ipa-ods-exporter Service
Starting ods-enforcerd Service
Starting ipa-dnskeysyncd Service

Subsequent ipactl stop worked fine, only the first one is affected.

2a) vm-134 was the original master. I ran this:

[root@vm-134 review]# ipa-dns-install
--replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

... and then attempted to install master to vm-059:
[root@vm-059 review]# ipa-dns-install --dnssec-master

This command was accepted despite of missing --kasp-db option and wrong
replica name.

It should error out and tell the user to run the command with --kasp-db
option.

Even better, we could get rid of explicit replica name specification in
--replace-dnssec-master option and allow to run installation with
--kasp-db on
any replica as long as the kasp.db file is provided.

2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without*
specifying --kasp-db option was accepted.

[root@vm-090 review]# ipa-dns-install --dnssec-master

As in case (2a), it should print what user is supposed to do.

I propose following text:

Current DNSSEC key master vm-134.abc.idm.lab.eng.brq.redhat.com is
being
moved to different server.

You need to copy kasp.db file from
vm-134.abc.idm.lab.eng.brq.redhat.com
and
run following command to complete the transition:

# ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db

3) [root@vm-134 review]# ipa-dns-install
--replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
does not remove ISMASTER option from file
/etc/sysconfig/ipa-dnskeysyncd .

4) [root@vm-134 review]# ipa-dns-install
--replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

it is possible to run

[root@vm-134 review]# ipa-dns-install --dnssec-master

again without --kasp-db and it is accepted.

Moreover, in this case ipaConfigString NEW_DNSSEC_MASTER is not
properly
removed from
cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.

5) Sequence of commands
[root@vm-134 review]# ipa-dns-install
--replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

[root@vm-090 review]# ipa-replica-manage del
vm-134.abc.idm.lab.eng.brq.redhat.com

allows me to run
[root@vm-090 review]# ipa-dns-install --dnssec-master

without --kasp-db option, it does not throw an error, and the
information
that
some other master existed somewhere is lost.

It would be probably better

Re: [Freeipa-devel] [PATCH] Password vault

2015-07-07 Thread Jan Cholasta


Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a):

Here is the rebased patch for vault access control.



LGTM, except:

@@ -356,6 +386,13 @@ class vault(LDAPObject):
 {
 'objectclass': ['nsContainer'],
 'cn': rdn['cn'],
+'aci':
+'(targetfilter=(objectClass=ipaVault))' +
+'(version 3.0; ' +
+'acl User can manage private vaults; ' +
+'allow(read, search, compare, add, delete) ' +
+'userdn=ldap:///%s;;)'
+% owner_dn
 })

 # if entry can be added, return

I don't think dynamically creating ACIs with hardcoded userdn is 
something we want to do. This should be handled by a single ACI in 
cn=vaults.


--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] Password vault

2015-07-07 Thread Jan Cholasta


Dne 3.7.2015 v 14:23 Endi Sukma Dewata napsal(a):

On 7/1/2015 1:53 AM, Jan Cholasta wrote:

I think it would be better to use a new attribute type which
inherits
from ipaPublicKey (ipaVaultPublicKey?) rather than ipaPublicKey
directly
for assymetric vault public keys, so that assymetric public key and
escrow public key are on the same level and you can still use
ipaPublicKey to refer to either one:

 ipaPublicKey
 ipaVaultPublicKey
 ipaEscrowPublicKey


OK. To be consistent the parameters need to be renamed too:
--vault-public-key and --vault-public-key-file.


It doesn't need to, there is no requirement for CLI names to always
match attribute names. (Also I don't insist on the name
ipaVaultPublicKey, feel free to change it if you want.)


It's unchanged for now. In a previous discussion it was advised to
reuse
the existing attribute type whenever possible.


Well, in this discussion, it is not. Escrow public key should also
reuse
ipaPublicKey, but it can't if you use it for vault public key. By using
ipaPublicKey subtypes you can distinguish between the two uses and
still
use ipaPublicKey to refer to either of them.


So what's changed? This is what you said when I posted the same patch
six months ago:


In this patch I'm adding ipaVaultSalt and ipaVaultPublicKey attribute
types to store salt and public key for vault. Are there existing
attribute types that I can use instead? I see there's an ipaPublicKey,
should I use that and maybe add ipaSalt/ipaEncSalt? Thanks.


yes, please re-use existing attributes where possible.

Honza


What changed is that I now know there is also escrow public key, which I
didn't know six months ago.


Here's patch #368 to be applied on top of patch #357-5, but see comments
below.


Thanks for the patch.




Could you show me how to use ipaPublicKey to refer to ipaVaultPublicKey
and ipaEscrowPublicKey? Under what situation would that be useful?


For example for ipaPublicKey searches - if ipaVaultPublicKey and
ipaEscrowPublicKey both inherit from ipaPublicKey, then an ipaPublicKey
search will look in both ipaVaultPublicKey and ipaEscrowPublicKey. This
is not something we actually need right now, but once the schema is
done, it can't be fixed and I don't think we should prevent this,
especially since we can get it for free. BTW even the core LDAP schema
does this, see for example how the cn attribute inherits from the more
general name attribute:
https://tools.ietf.org/html/rfc4519#section-2.3.


I don't think that's how LDAP works.


It is, see https://tools.ietf.org/html/rfc4512#section-2.5.3.


The RFC doesn't say that either.
The cn does inherit from name, but if you search for name it won't
match/return cn. See queries below:

$ ldapsearch -LLL -x -b dc=example,dc=com (cn=Accounting Managers)
dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=Directory Manager

$ ldapsearch -LLL -x -b dc=example,dc=com (cn=Accounting Managers) \
   name
dn: cn=Accounting Managers,ou=Groups,dc=example,dc=com
(no cn attribute)

$ ldapsearch -LLL -x -b dc=example,dc=com (name=Accounting Managers)
(no result)


This seems like a bug in 389 DS, it works correctly with OpenLDAP:

$ ldapsearch -H ldap://localhost -D 'cn=Manager,dc=example,dc=com' -w 
password -b 'dc=example,dc=com' '(name=Manager)'

dn: cn=Manager,dc=example,dc=com
objectClass: organizationalRole
cn: Manager



Assuming this is what you meant, which doesn't seem to be working, is
there still a valid reason to add a new ipaVaultPublicKey instead of
using the existing ipaPublicKey?


I think everything mentioned in the RFC section I linked above is a good 
enough reason.





* CLI options will be identical to client and server API options (i.e.
no CLI-only, client-only, or server-only options)


Actually, you can create CLI-only options (add include='cli' to the
param's kwargs).


I need to look at this more closely. If I understand correctly in
user_del there are two 'preserve' options, the Bool preserve is for
client and server API, and the Flag preserve is for CLI. Wouldn't it be
better if they are stored in separate lists (or maybe separate classes)?
And it looks like you still need to delete the CLI options explicitly
anyway.


Well, it would be better if there was no Flag class at all and flags
were handled by CLI exclusively, because parameter classes should
reflect the data type (bool) and not the presentation (flag).


That indicates there should be a separation between client API and the
CLI too because, as you see in user_del, they can be different.


Not really, what there should be is separation between data type and 
presentation. This is what the web UI already does and so should the CLI.





Does the API.txt actually show the CLI options, the client API options,
or the server API options? I only see the Flag preserve, not the Bool

Re: [Freeipa-devel] [PATCH] 892 webui: add mangedby tab to otptoken



On 07/03/2015 02:49 PM, Martin Babinsky wrote:
 On 07/01/2015 06:59 PM, Petr Vobornik wrote:
 Added managedby_user tab to manage users who can manage the token.

 https://fedorahosted.org/freeipa/ticket/5003

 Nathaniel, I could not reproduce the following part of the ticket:
 
 Careful interaction is required here. In the current code, this also
 creates a bug since all UI created tokens are owned but not managed.
 When users of these tokens are deleted, their self-created tokens are
 orphaned rather than deleted.

 Self-created tokens MUST be both self-owned AND self-managed.
 

 The self-created tokens which I created in Web UI as admin or normal
 user were in both cases managed by the same user who created them.


 (Once again, this time also reply to the list)
 
 The patch itself does what it is supposed to.
 
 So ACK from me.
 
 However, I have found out that the token's manager is correctly set
 *only* when it is directly created by the user that should own it. In
 this case when the manager is not specified, the code works as expected
 and fill in the logged-in user as manager.
 
 However, if e.g. admin creates a token for another user and does not set
 him as the manager explicitly, the 'managedBy' attribute is not set.
 

Pushed to:
master: b258bcee8337063259aa38b4387b9bb5721fb380
ipa-4-1: 5439e7a8fa46a8eab0d23689807a4894f20ecea7

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features

Hi,

* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin

https://fedorahosted.org/freeipa/ticket/5097
From 8cdc723d334540258fdc408933b3f47ccebf5b53 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 7 Jul 2015 09:36:32 +0200
Subject: [PATCH] Hide topology and domainlevel features

* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin

https://fedorahosted.org/freeipa/ticket/5097
---
 install/ui/src/freeipa/app.js  |  3 ++-
 install/ui/src/freeipa/navigation/menu_spec.js |  4 ++--
 ipalib/constants.py|  2 +-
 ipalib/plugins/domainlevel.py  |  2 ++
 ipalib/plugins/topology.py | 11 +++
 ipaserver/install/dsinstance.py|  3 ++-
 6 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js
index f05e8213c0b17e21515fdfce5ab496516a02692e..92613b4a4cec1487a6bde1bdc0049b16d3321418 100644
--- a/install/ui/src/freeipa/app.js
+++ b/install/ui/src/freeipa/app.js
@@ -48,7 +48,8 @@ define([
 './service',
 './sudo',
 './trust',
-'./topology',
+// Hide topology for now
+// './topology',
 './user',
 './stageuser',
 'dojo/domReady!'
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 120cba37dca7aa355bdb94b1ef16615b95afeb28..4265e98710cdaff0d2ea77ab1e62be1071b19c33 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -184,7 +184,7 @@ var nav = {};
 { entity: 'trustconfig' }
 ]
 },
-{
+/*  {
 entity: 'topologysuffix',
 label: '@i18n:tabs.topology',
 facet: 'search',
@@ -205,7 +205,7 @@ var nav = {};
 hidden: true
 }
 ]
-},
+},*/
 {
 name: 'apibrowser',
 label: 'API browser',
diff --git a/ipalib/constants.py b/ipalib/constants.py
index a062505c349436332d430af4fd29c76d20c85343..fac937b5dc4900b5988c1b1d937c0061430c5e1d 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -234,4 +234,4 @@ IPA_ANCHOR_PREFIX = ':IPA:'
 SID_ANCHOR_PREFIX = ':SID:'
 
 MIN_DOMAIN_LEVEL = 0
-MAX_DOMAIN_LEVEL = 1
+MAX_DOMAIN_LEVEL = 0
diff --git a/ipalib/plugins/domainlevel.py b/ipalib/plugins/domainlevel.py
index 64e383006722fb2f32f5300d627b18b6daf051d4..9012a3203323f381c2b927f76371d2b1df4b32a0 100644
--- a/ipalib/plugins/domainlevel.py
+++ b/ipalib/plugins/domainlevel.py
@@ -74,6 +74,7 @@ def get_master_entries(ldap, api):
 @register()
 class domainlevel_get(Command):
 __doc__ = _('Query current Domain Level.')
+NO_CLI = True
 
 has_output = domainlevel_output
 
@@ -90,6 +91,7 @@ class domainlevel_get(Command):
 @register()
 class domainlevel_set(Command):
 __doc__ = _('Change current Domain Level.')
+NO_CLI = True
 
 has_output = domainlevel_output
 
diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py
index de5ceb97583c9a40b4fe3783ec0fa40e6c325d0f..574e0d7ed42386f62a805272b6ec106bb946116c 100644
--- a/ipalib/plugins/topology.py
+++ b/ipalib/plugins/topology.py
@@ -41,6 +41,7 @@ class topologysegment(LDAPObject):
 
 Topology segment.
 
+NO_CLI = True
 parent_object = 'topologysuffix'
 container_dn = api.env.container_topology
 object_name = _('segment')
@@ -195,6 +196,7 @@ class topologysegment(LDAPObject):
 class topologysegment_find(LDAPSearch):
 __doc__ = _('Search for topology segments.')
 
+NO_CLI = True
 msg_summary = ngettext(
 '%(count)d segment matched',
 '%(count)d segments matched', 0
@@ -205,6 +207,7 @@ class topologysegment_find(LDAPSearch):
 class topologysegment_add(LDAPCreate):
 __doc__ = _('Add a new segment.')
 
+NO_CLI = True
 msg_summary = _('Added segment %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
@@ -218,6 +221,7 @@ class topologysegment_add(LDAPCreate):
 class topologysegment_del(LDAPDelete):
 __doc__ = _('Delete a segment.')
 
+NO_CLI = True
 msg_summary = _('Deleted segment %(value)s')
 
 def pre_callback(self, ldap, dn, *keys, **options):
@@ -230,6 +234,7 @@ class topologysegment_del(LDAPDelete):
 class topologysegment_mod(LDAPUpdate):
 __doc__ = _('Modify a segment.')
 
+NO_CLI = True
 msg_summary = _('Modified segment %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
@@

Re: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration



On 07/07/2015 09:09 AM, Tomas Babej wrote:
 
 
 On 06/24/2015 04:33 PM, Tomas Babej wrote:
 On 06/24/2015 04:29 PM, Martin Basti wrote:
 On 24/06/15 14:39, Tomas Babej wrote:
 +msgid Automount location name.
 +msgstr Job Title
 +

 in german po file

 +msgid Automount location name.
 +msgstr Job Title
 +


 AFAIK, this is not german language.


 Nice catch!

 You can show off your German language skills by entering the correct
 translation here:

 https://fedora.zanata.org/webtrans/Application.seam?project=freeipaiteration=masterlocaleId=delocale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name

 So far, I removed the wrong translation string in Zanata.

 Tomas

 
 Attaching updated patches, with fresh translations.
 
 Thanks to all the translators!
 
 Tomas
 
 
 

There is a small error in the UK translation, line 491 should read:

На сервері DNS %(server)s не...

instead of:

На сервері DNS (server)s не...

Fixed. I am not sending a updated version of the patch to the list,
given its size.

Tomas

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically.

2015-07-07 Thread David Kupka


On 03/07/15 06:17, David Kupka wrote:

Since ipa-replica-* tools will be soon removed I think this simple check
should be enough.




Updated patch attached.

--
David Kupka
From 3df59261538f6b28e158802d8f6e4a47dadeab84 Mon Sep 17 00:00:00 2001
From: David Kupka dku...@redhat.com
Date: Fri, 3 Jul 2015 05:59:55 +0200
Subject: [PATCH] ipa-replica-prepare: Do not create DNS zone it automatically.

When --ip-address is specified check if relevant DNS zone exists
in IPA managed DNS server, exit with error when not.

https://fedorahosted.org/freeipa/ticket/5014
---
 ipaserver/install/ipa_replica_prepare.py | 13 -
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/ipaserver/install/ipa_replica_prepare.py b/ipaserver/install/ipa_replica_prepare.py
index 46ac886e5a0f86574531861159d955bd149648c4..5246f5f5469c85571d04c99d872f38018802abaa 100644
--- a/ipaserver/install/ipa_replica_prepare.py
+++ b/ipaserver/install/ipa_replica_prepare.py
@@ -264,6 +264,14 @@ class ReplicaPrepare(admintool.AdminTool):
 options.reverse_zones = bindinstance.check_reverse_zones(
 options.ip_addresses, options.reverse_zones, options, False,
 True)
+
+host, zone = self.replica_fqdn.split('.', 1)
+if not bindinstance.dns_zone_exists(zone, api=api):
+self.log.error(DNS zone %s does not exist in IPA managed DNS 
+   server. Either create DNS zone or omit 
+   --ip-address option. % zone)
+raise admintool.ScriptError(Cannot add DNS record)
+
 if disconnect:
 api.Backend.ldap2.disconnect()
 
@@ -481,11 +489,6 @@ class ReplicaPrepare(admintool.AdminTool):
 api.Backend.ldap2.connect(
 bind_dn=DN(('cn', 'Directory Manager')),
 bind_pw=self.dirman_password)
-try:
-add_zone(domain)
-except errors.PublicError, e:
-raise admintool.ScriptError(
-Could not create master DNS zone for the replica: %s % e)
 
 for reverse_zone in options.reverse_zones:
 self.log.info(Adding reverse zone %s, reverse_zone)
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0276] Fix: ipa-dns-install will add CA records if CA is installed



On 07/07/2015 07:36 PM, Martin Basti wrote:
 https://fedorahosted.org/freeipa/ticket/5101
 
 Patch attached.
 
 
 

ACK.

Pushed to master: 1d9bdb240943527e1e19704acd183eae254267ae

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk



On 07/07/2015 07:49 PM, Martin Basti wrote:
 On 03/07/15 16:41, Martin Babinsky wrote:
 On 07/02/2015 01:58 PM, Martin Babinsky wrote:
 First attempt at https://fedorahosted.org/freeipa/ticket/4768



 Attaching reworked patch.



 ACK
 
 -- 
 Martin Basti
 
 
 

Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features



On 07/07/2015 07:16 PM, Martin Basti wrote:
 On 07/07/15 10:33, Tomas Babej wrote:
 Hi,

 * Hide topology and domainlevel commands in the CLI
 * Hide topology and domainlevel in the WebUI
 * Set maximum allowed domain level to 0
 * Do not configure and enable the topology plugin

 https://fedorahosted.org/freeipa/ticket/5097


 ACK
 
 -- 
 Martin Basti
 

Pushed to master: 62e8002bc43ddd890c3db35a123cb7daf35e3121

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 145-148] ipa-kdb: add unit-test for filter_logon_info()



On 07/07/2015 03:49 PM, Sumit Bose wrote:
 On Tue, May 26, 2015 at 01:36:35PM +0200, Martin Kosek wrote:
 On 05/26/2015 01:33 PM, Sumit Bose wrote:
 Hi,

 these patches add some unit tests and some additional improvements
 related to the issues described in
 https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue
 is fixed by a patch from Alexander attached to the ticket.

 The first patch converts the existing check-based test to cmocka. If I
 see it correctly all check-based test are converted now.

 Cool! Before pushing, we should also reference ticket
 https://fedorahosted.org/freeipa/ticket/4922
 in the patch (no need to rebase right now).


 The second adds tests for filter_logon_info() where the original issue
 occurred. The wrong behavior in filter_logon_info() caused a crash in
 dom_sid_string() which is made a bit more robust together with
 string_to_sid() in the 3rd patch. The last patch add unit tests for
 those two calls as well.
 
 New version rebased on one-way trust patches attached.
 
 Please note that the unit-test will fail with the initial version of the
 one-way trust patches which does not allow an empty group list in the
 PAC.
 
 bye,
 Sumit
 
 
 

ACK.

Pushed to master: 5017726ebaf6eea3dedb1325efe00c0d6c4b6187

Tomas

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 144] extdom: add unit-test for get_user_grouplist()



On 07/07/2015 03:47 PM, Sumit Bose wrote:
 On Tue, May 26, 2015 at 02:47:02PM +0300, Alexander Bokovoy wrote:
 On Tue, 26 May 2015, Sumit Bose wrote:
 On Tue, May 26, 2015 at 01:24:30PM +0200, Petr Vobornik wrote:
 On 05/26/2015 01:21 PM, Sumit Bose wrote:
 Hi,

 this tests should have gone together with
 c1114ef82516002de08e004a930b5ba4a1791b25 but got lost somehow during the
 bugzilla processing.

 bye,
 Sumit


 So it has been acked? And we can push it?

 I have to admit that I'm not sure, there were just to many related
 tickets. Alexander, do you remember seeing this patch? If not, I think
 it would be good if someone can review it. Since it is only a
 unit-test, it is not urgent.
 I've seen this patch and I thought I've acked it by the time...
 
 New version rebased on one-way trust patches is attached.
 
 bye,
 Sumit
 
 -- 
 / Alexander Bokovoy



ACK.

Pushed to master: 7b524e783515a16102aeffdb69fa9ed5fca07c1b

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches



On 07/07/2015 04:31 PM, Alexander Bokovoy wrote:
 On Tue, 07 Jul 2015, Alexander Bokovoy wrote:
 Hi,

 attached are patches to introduce one-way trust support and few more to
 fix currently outstanding trust-related bugs.

 More details are in the commit messages.

 For oddjobd-activated helper, if you want to test the one-way trust
 setup, you need to put SELinux into permissive. We have bugs for both
 Fedora and RHEL to add the policy
 (https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is
 in works.
 Updated patch 0181 after discussion with Simo and Sumit about empty rid
 array.
 
 
 

Works fine for me, thanks. ACK.

Pushed to master: 5017726ebaf6eea3dedb1325efe00c0d6c4b6187

During review, I also pushed the attached oneliner.

Tomas
From d011ca36f1db5d0cb76ab53ef07a33bec54d9003 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 8 Jul 2015 01:24:10 +0200
Subject: [PATCH] dcerpc: Raise ACIError correctly

---
 ipaserver/dcerpc.py | 8 +---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index bc75a60265de241f01b7e22c0274dc8a8523eeec..a1da0a641064f59a79639d97489ff73181787a4a 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1093,9 +1093,11 @@ class TrustDomainInstance(object):
 if self.validation_attempts  10:
 sleep(5)
 return self.verify_trust(another_domain)
-raise errors.ACIError(reason=_('IPA master denied trust validation requests from AD DC '
-   '%(count)d times. Most likely AD DC contacted a replica '
-   'that has no trust information replicated yet.' % (self.validation_attempts)))
+raise errors.ACIError(
+info=_('IPA master denied trust validation requests from AD DC '
+   '%(count)d times. Most likely AD DC contacted a replica '
+   'that has no trust information replicated yet.')
+   % dict(count=self.validation_attempts))
 raise assess_dcerpc_exception(*result.pdc_connection_status)
 return True
 return False
-- 
2.1.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0024..0025 Add missing certprofile features



On 07/07/2015 07:30 PM, Martin Basti wrote:
 On 04/07/15 16:58, Fraser Tweedale wrote:
 On Fri, Jul 03, 2015 at 10:34:07PM +1000, Fraser Tweedale wrote:
 On Thu, Jul 02, 2015 at 08:12:12PM +1000, Fraser Tweedale wrote:
 On Thu, Jul 02, 2015 at 11:23:49AM +0200, Jan Cholasta wrote:
 Hi,

 Dne 2.7.2015 v 11:15 Fraser Tweedale napsal(a):
 Attached patches fix a couple of important gaps in certprofile
 plugin:

 - Add --out option to export Dogtag profile data to file
   https://fedorahosted.org/freeipa/ticket/5091

 - Add --file option to update existing profile in Dogtag
   https://fedorahosted.org/freeipa/ticket/5093

 NACK on patchset v2; does not work (even after makeapi, which I
 forgot to include in updated patchset).  I keep getting error
 ``ipa: ERROR: Unknown option: file''.  Need to investigate why,
 but other patches are taking priority right now.

 Here is patchset v3, which is just v1 rebased on latest master.

 Thanks,
 Fraser

 Updated patch 0025 (v4).  Profile now gets re-enabled if profile
 update fails.  Patch 0024 remains at v3.

 Thanks,
 Fraser


 ACK
 
 -- 
 Martin Basti
 
 
 

Patches required a little API rebase due to stale minor API number
reference.

Pushed to master: 462e0b9eb16f52b66b723744c4b42c19ef4782c3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically.



On 07/07/2015 07:16 PM, Martin Basti wrote:
 On 03/07/15 06:17, David Kupka wrote:
 Since ipa-replica-* tools will be soon removed I think this simple
 check should be enough.



 ACK
 
 -- 
 Martin Basti
 
 
 

Pushed to master: 6a91893ff50fee6d7c71d9bc982d85a3ec8b7583

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration



On 07/07/2015 11:48 AM, Martin Basti wrote:
 On 07/07/15 10:37, Tomas Babej wrote:

 On 07/07/2015 09:09 AM, Tomas Babej wrote:

 On 06/24/2015 04:33 PM, Tomas Babej wrote:
 On 06/24/2015 04:29 PM, Martin Basti wrote:
 On 24/06/15 14:39, Tomas Babej wrote:
 +msgid Automount location name.
 +msgstr Job Title
 +
 in german po file

 +msgid Automount location name.
 +msgstr Job Title
 +


 AFAIK, this is not german language.

 Nice catch!

 You can show off your German language skills by entering the correct
 translation here:

 https://fedora.zanata.org/webtrans/Application.seam?project=freeipaiteration=masterlocaleId=delocale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name


 So far, I removed the wrong translation string in Zanata.

 Tomas

 Attaching updated patches, with fresh translations.

 Thanks to all the translators!

 Tomas



 There is a small error in the UK translation, line 491 should read:

 На сервері DNS %(server)s не...

 instead of:

 На сервері DNS (server)s не...

 Fixed. I am not sending a updated version of the patch to the list,
 given its size.

 Tomas

 ACK, we will fix minor issues later.
 

Pushed to master: 12b053df300cb58aad157797f4e30283e45033f5

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches


On Tue, 07 Jul 2015, Alexander Bokovoy wrote:

From 4a856d8ff597ec516cc1eb05f06e062bb4ecca5b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 28 May 2015 11:49:58 +
Subject: [PATCH 05/11] trusts: pass AD DC hostname if specified explicitly

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047

This is upstream ticket https://fedorahosted.org/freeipa/ticket/5031

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy

2015-07-07 Thread Nathaniel McCallum


 On Jul 6, 2015, at 11:35 AM, Christian Heimes chei...@redhat.com wrote:
 
 Hello,
 
 I like to ask for your opinion regarding the pre-exec hook
 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
 cases like LDAP connection timeout more gracefully. At the moment any
 error causes the script to return a non-zero exit code. This breaks the
 service and apparently also offline RPM upgrades.
 
 How should I handle error cases? I can change httpd.service to simply
 ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
 invalid state. I could modify the script to catch connection errors and
 to disable kdcproxy in case of an error.
 
 The options are:
 
 1) httpd.service ignores exit code of ipa-httpd-kdcproxy
 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
 connection error
 3) 1 + 2
 
 What do you think?

If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be enabled. So #2.

However, ipa-httpd-kdcproxy should leave error codes to real catastrophic 
failures and http.service should be aware of these. So not #1.

Nathaniel

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches

On Tue, 07 Jul 2015, Alexander Bokovoy wrote:

From b7a3b206deb3257b3a78939f0d2a6a114e48b758 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 26 Mar 2015 14:34:06 +0200
Subject: [PATCH 01/11] add one-way trust support to ipasam

When trust is established, ipasam module creates a number of objects in LDAP
to represent the trust information. Among them, for one-way trust we create
a principal named IPA$@AD where IPA is a NetBIOS (flat) name of the IPA forest
and AD is a realm of the trusted Active Directory forest root domain.

This principal is then used by SSSD on IPA masters to authenticate against
trusted Active Directory domain controllers and retrieve information about
user and group identities.

FreeIPA also uses this principal's credentials to retrieve domain topology.

The access to the keys of the principal should be well-protected. We only
allow to retrieve the keytab for it for members of cn=adtrust agents group.
This group is populated with host/ and cifs/ principals from IPA masters.

Starting with FreeIPA 4.2 the group will also have host/ principals of IPA 
masters
where no ipa-adtrust-install was run. To add them, run ipa-adtrust-install
on the master which will be configured to be a domain controller (e.g.
run Samba with ipasam), and specify --add-agents option to trigger activation
of the interactive mode to specify which IPA masters to enable.

Fixes https://fedorahosted.org/freeipa/ticket/4962
Part of fixes for https://fedorahosted.org/freeipa/ticket/4546

... and fixes ticket https://fedorahosted.org/freeipa/ticket/5005 too

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration


On 07/07/15 10:37, Tomas Babej wrote:


On 07/07/2015 09:09 AM, Tomas Babej wrote:


On 06/24/2015 04:33 PM, Tomas Babej wrote:

On 06/24/2015 04:29 PM, Martin Basti wrote:

On 24/06/15 14:39, Tomas Babej wrote:

+msgid Automount location name.
+msgstr Job Title
+

in german po file

+msgid Automount location name.
+msgstr Job Title
+


AFAIK, this is not german language.


Nice catch!

You can show off your German language skills by entering the correct
translation here:

https://fedora.zanata.org/webtrans/Application.seam?project=freeipaiteration=masterlocaleId=delocale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name

So far, I removed the wrong translation string in Zanata.

Tomas


Attaching updated patches, with fresh translations.

Thanks to all the translators!

Tomas




There is a small error in the UK translation, line 491 should read:

На сервері DNS %(server)s не...

instead of:

На сервері DNS (server)s не...

Fixed. I am not sending a updated version of the patch to the list,
given its size.

Tomas


ACK, we will fix minor issues later.

--
Martin Basti

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches


Hi,

attached are patches to introduce one-way trust support and few more to
fix currently outstanding trust-related bugs.

More details are in the commit messages.

For oddjobd-activated helper, if you want to test the one-way trust
setup, you need to put SELinux into permissive. We have bugs for both
Fedora and RHEL to add the policy
(https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is
in works.
--
/ Alexander Bokovoy
From 0e252fb1f8455daa87dccbc6dcba61b08570b444 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Wed, 20 May 2015 18:24:52 +0300
Subject: [PATCH 03/11] ipa-kdb: use proper memory chunk size when moving sids

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 20 +---
 1 file changed, 17 insertions(+), 3 deletions(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 0e53a80..390111f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1394,7 +1394,15 @@ static krb5_error_code filter_logon_info(krb5_context 
context,
 if (result) {
 filter_logon_info_log_message(info-info-info3.sids[i].sid);
 } else {
+/* Go over incoming SID blacklist */
 for(k = 0; k  domain-len_sid_blacklist_incoming; k++) {
+/* if SID is an exact match, filter it out */
+result = dom_sid_check(domain-sid_blacklist_incoming[k], 
info-info-info3.sids[i].sid, true);
+if (result) {
+
filter_logon_info_log_message(info-info-info3.sids[i].sid);
+break;
+}
+/* if SID is a suffix of the blacklist element, filter it 
out*/
 result = 
dom_sid_is_prefix(domain-sid_blacklist_incoming[k], 
info-info-info3.sids[i].sid);
 if (result) {
 
filter_logon_info_log_message(info-info-info3.sids[i].sid);
@@ -1403,11 +1411,17 @@ static krb5_error_code filter_logon_info(krb5_context 
context,
 }
 }
 if (result) {
+k = count - i - j - 1;
+if (k != 0) {
+memmove(info-info-info3.sids+i,
+info-info-info3.sids+i+1,
+sizeof(struct netr_SidAttr)*k);
+}
 j++;
-memmove(info-info-info3.sids+i, info-info-info3.sids+i+1, 
count-i-1);
+} else {
+i++;
 }
-i++;
-} while (i  count);
+} while ((i + j)  count);
 
 if (j != 0) {
 count = count-j;
-- 
2.4.3

From a797874359544e431bdd96dd11e26f404c578db0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 28 May 2015 08:33:51 +
Subject: [PATCH 04/11] ipa-kdb: filter out group membership from MS-PAC for
 exact SID matches too

When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out and in unlikely event of empty
list of groups treat that as violation of the KDC policy as well.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 102 +++-
 1 file changed, 101 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 390111f..df19880 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1317,6 +1317,22 @@ static void filter_logon_info_log_message(struct dom_sid 
*sid)
 }
 }
 
+static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t 
rid)
+{
+char *domstr = NULL;
+
+domstr = dom_sid_string(NULL, sid);
+if (domstr) {
+krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID [%s-%d] is not 
allowed 
+  from a trusted source and will be 
excluded., domstr, rid);
+talloc_free(domstr);
+} else {
+krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID is not allowed 
+  from a trusted source and will be excluded.
+  Unable to allocate memory to display SID.);
+}
+}
+
 static krb5_error_code filter_logon_info(krb5_context context,
  TALLOC_CTX *memctx,
  krb5_data realm,
@@ -1328,9 +1344,21 @@ static krb5_error_code filter_logon_info(krb5_context 
context,
  * attempt at getting us to sign fake credentials with the help of a
  * compromised trusted realm

Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches


On Tue, 07 Jul 2015, Alexander Bokovoy wrote:

Hi,

attached are patches to introduce one-way trust support and few more to
fix currently outstanding trust-related bugs.

More details are in the commit messages.

For oddjobd-activated helper, if you want to test the one-way trust
setup, you need to put SELinux into permissive. We have bugs for both
Fedora and RHEL to add the policy
(https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is
in works.

Attached is a rebase of two patches that modified VERSION as it
conflicted with last minute push that Tomas did.

--
/ Alexander Bokovoy
From 07bd53b528abd39aac6f11f47eec38ff5a73c5e3 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 28 May 2015 11:49:58 +
Subject: [PATCH 05/11] trusts: pass AD DC hostname if specified explicitly

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1222047
---
 API.txt |  3 ++-
 VERSION |  4 ++--
 ipalib/plugins/trust.py |  9 -
 ipaserver/dcerpc.py | 10 +++---
 4 files changed, 19 insertions(+), 7 deletions(-)

diff --git a/API.txt b/API.txt
index 99fa528..a76458b 100644
--- a/API.txt
+++ b/API.txt
@@ -4998,10 +4998,11 @@ output: Output('result', type 'dict', None)
 output: Output('summary', (type 'unicode', type 'NoneType'), None)
 output: ListOfPrimaryKeys('value', None, None)
 command: trust_fetch_domains
-args: 1,4,4
+args: 1,5,4
 arg: Str('cn', attribute=True, cli_name='realm', multivalue=False, 
primary_key=True, query=True, required=True)
 option: Flag('all', autofill=True, cli_name='all', default=False, 
exclude='webui')
 option: Flag('raw', autofill=True, cli_name='raw', default=False, 
exclude='webui')
+option: Str('realm_server?', cli_name='server')
 option: Flag('rights', autofill=True, default=False)
 option: Str('version?', exclude='webui')
 output: Output('count', type 'int', None)
diff --git a/VERSION b/VERSION
index 2d9ad26..bf68be2 100644
--- a/VERSION
+++ b/VERSION
@@ -90,5 +90,5 @@ IPA_DATA_VERSION=2010061412
 #  #
 
 IPA_API_VERSION_MAJOR=2
-IPA_API_VERSION_MINOR=139
-# Last change: edewata - added ipaVaultPublicKey attribute
+IPA_API_VERSION_MINOR=140
+# Last change: ab - trusts: pass AD DC hostname if specified explicitly
diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 5b884ca..13ac52d 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1302,9 +1302,10 @@ def fetch_domains_from_trust(self, trustinstance, 
trust_entry, **options):
 sp.insert(0, trustinstance.remote_domain.info['name'])
 creds = u{name}%{password}.format(name=\\.join(sp),
 password=password)
+server = options.get('realm_server', None)
 domains = ipaserver.dcerpc.fetch_domains(self.api,
  trustinstance.local_flatname,
- trust_name, creds=creds)
+ trust_name, creds=creds, 
server=server)
 result = []
 if not domains:
 return result
@@ -1342,6 +1343,12 @@ class trust_fetch_domains(LDAPRetrieve):
 __doc__ = _('Refresh list of the domains associated with the trust')
 
 has_output = output.standard_list_of_entries
+takes_options = LDAPRetrieve.takes_options + (
+Str('realm_server?',
+cli_name='server',
+label=_('Domain controller for the Active Directory domain 
(optional)'),
+),
+)
 
 def execute(self, *keys, **options):
 if not _bindings_installed:
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 725b2cd..753e10e 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1046,7 +1046,7 @@ class TrustDomainInstance(object):
 return False
 
 
-def fetch_domains(api, mydomain, trustdomain, creds=None):
+def fetch_domains(api, mydomain, trustdomain, creds=None, server=None):
 trust_flags = dict(
 NETR_TRUST_FLAG_IN_FOREST = 0x0001,
 NETR_TRUST_FLAG_OUTBOUND  = 0x0002,
@@ -1087,8 +1087,12 @@ def fetch_domains(api, mydomain, trustdomain, 
creds=None):
 cr.set_workstation(domain_validator.flatname)
 netrc = net.Net(creds=cr, lp=td.parm)
 try:
-result = netrc.finddc(domain=trustdomain,
-  flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
+if server:
+result = netrc.finddc(address=server,
+  flags=nbt.NBT_SERVER_LDAP | 
nbt.NBT_SERVER_DS)
+else:
+result = netrc.finddc(domain=trustdomain,
+  flags=nbt.NBT_SERVER_LDAP | 
nbt.NBT_SERVER_DS)
 except RuntimeError, e:
 raise assess_dcerpc_exception(message=str(e))
 
-- 
2.4.3

From 850566818840e5aa37a08ff0cc50d503d78c3b63 Mon Sep 17 00:00:00 2001
From:

Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches

On Tue, 07 Jul 2015, Alexander Bokovoy wrote:

From a4e2034028d64a8b2b533af9541e698a68388fb2 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 4 Jun 2015 21:29:36 +
Subject: [PATCH 07/11] ipa-adtrust-install: allow configuring of trust agents

Trust agents are IPA master without Samba which can serve
information about users from trusted forests. Such IPA masters
cannot be used to configure trust but they can resolve AD users and groups
for IPA clients enrolled to them.

Since support from both FreeIPA and SSSD is needed to enable
trust agent support, we currently only consider those IPA masters
which have been upgraded to FreeIPA 4.2 or later.

Part of https://fedorahosted.org/freeipa/ticket/4951

And also fixes https://fedorahosted.org/freeipa/ticket/5004 which is
more specific ticket for host principals.

--
/ Alexander Bokovoy

signature.asc
Description: PGP signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] Password vault

2015-07-07 Thread Martin Kosek

On 07/07/2015 10:51 AM, Jan Cholasta wrote:
 Dne 3.7.2015 v 15:44 Endi Sukma Dewata napsal(a):
 Here is the rebased patch for vault access control.

 
 LGTM, except:
 
 @@ -356,6 +386,13 @@ class vault(LDAPObject):
  {
  'objectclass': ['nsContainer'],
  'cn': rdn['cn'],
 +'aci':
 +'(targetfilter=(objectClass=ipaVault))' +
 +'(version 3.0; ' +
 +'acl User can manage private vaults; ' +
 +'allow(read, search, compare, add, delete) ' +
 +'userdn=ldap:///%s;;)'
 +% owner_dn
  })
 
  # if entry can be added, return
 
 I don't think dynamically creating ACIs with hardcoded userdn is something we
 want to do. This should be handled by a single ACI in cn=vaults.

+1. Single ACI like

+default: aci: (targetfilter=(objectClass=ipaVault))(version 3.0; acl Vault
owners can manage the vault; allow(read, search, compare, write)
userattr=owner#USERDN;)

you already have there is more preferred.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy

2015-07-07 Thread Christian Heimes

On 2015-07-07 15:41, Simo Sorce wrote:
 On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote:
 On Jul 6, 2015, at 11:35 AM, Christian Heimes chei...@redhat.com wrote:

 Hello,

 I like to ask for your opinion regarding the pre-exec hook
 'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
 cases like LDAP connection timeout more gracefully. At the moment any
 error causes the script to return a non-zero exit code. This breaks the
 service and apparently also offline RPM upgrades.

 How should I handle error cases? I can change httpd.service to simply
 ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
 invalid state. I could modify the script to catch connection errors and
 to disable kdcproxy in case of an error.

 The options are:

 1) httpd.service ignores exit code of ipa-httpd-kdcproxy
 2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
 connection error
 3) 1 + 2

 What do you think?

 If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be
 enabled. So #2.

 However, ipa-httpd-kdcproxy should leave error codes to real
 catastrophic failures and http.service should be aware of these. So
 not #1.

 Nathaniel

 
 IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact
 LDAP, because other stuff will fail too if that's the case anyway.
 
 In fact I had to change my replica promotion patches to account for this
 as it was failing here, for various reasons, on one restart during the
 install. :-)

Without LDAP non of the IPA services in Apache are usable. From that
perspective it doesn't make much of a difference.

However Alexander is worried about a different thing. When LDAP isn't
running or GSSAPI fails, then the service can't be restarted and offline
RPM update fails. We can either fix the offline update problem in the
spec file (ignore systemctl failures) or in the ipa-httpd-kdcproxy script.

Since my script is new and changes behavior, I'm reluctant to say that
I'm to blame. :)

Christian




signature.asc
Description: OpenPGP digital signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy

2015-07-07 Thread Nathaniel McCallum

This LGTM. However, I’ll let Alexander give the ACK.

 On Jul 7, 2015, at 10:11 AM, Christian Heimes chei...@redhat.com wrote:
 
 Hi,
 
 the patch addresses the error handling of ipa-httpd-kdcproxy as
 discussed in the other thread.
 
 Christian
 freeipa-cheimes-0004-Improve-error-handling-in-ipa-httpd-kdcproxy.patch-- 
 Manage your subscription for the Freeipa-devel mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-devel
 Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] error handling in httpd.service and ipa-httpd-kdcproxy

2015-07-07 Thread Simo Sorce

On Tue, 2015-07-07 at 08:48 -0400, Nathaniel McCallum wrote:
  On Jul 6, 2015, at 11:35 AM, Christian Heimes chei...@redhat.com wrote:
  
  Hello,
  
  I like to ask for your opinion regarding the pre-exec hook
  'ipa-httpd-kdcproxy' in httpd.service. Alex has asked me to handle error
  cases like LDAP connection timeout more gracefully. At the moment any
  error causes the script to return a non-zero exit code. This breaks the
  service and apparently also offline RPM upgrades.
  
  How should I handle error cases? I can change httpd.service to simply
  ignore the exit code of ipa-httpd-kdcproxy. But that might lead to an
  invalid state. I could modify the script to catch connection errors and
  to disable kdcproxy in case of an error.
  
  The options are:
  
  1) httpd.service ignores exit code of ipa-httpd-kdcproxy
  2) ipa-httpd-kdcproxy removes kdcproxy config file in case of a
  connection error
  3) 1 + 2
  
  What do you think?
 
 If ipa-httpd-kdcproxy cannot contact LDAP, kdcproxy MUST NOT be
 enabled. So #2.
 
 However, ipa-httpd-kdcproxy should leave error codes to real
 catastrophic failures and http.service should be aware of these. So
 not #1.
 
 Nathaniel
 

IMO it is ok for httpd to fail to start if the kdc-proxy cannot contact
LDAP, because other stuff will fail too if that's the case anyway.

In fact I had to change my replica promotion patches to account for this
as it was failing here, for various reasons, on one restart during the
install. :-)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 145-148] ipa-kdb: add unit-test for filter_logon_info()

2015-07-07 Thread Sumit Bose

On Tue, May 26, 2015 at 01:36:35PM +0200, Martin Kosek wrote:
 On 05/26/2015 01:33 PM, Sumit Bose wrote:
 Hi,
 
 these patches add some unit tests and some additional improvements
 related to the issues described in
 https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue
 is fixed by a patch from Alexander attached to the ticket.
 
 The first patch converts the existing check-based test to cmocka. If I
 see it correctly all check-based test are converted now.
 
 Cool! Before pushing, we should also reference ticket
 https://fedorahosted.org/freeipa/ticket/4922
 in the patch (no need to rebase right now).
 
 
 The second adds tests for filter_logon_info() where the original issue
 occurred. The wrong behavior in filter_logon_info() caused a crash in
 dom_sid_string() which is made a bit more robust together with
 string_to_sid() in the 3rd patch. The last patch add unit tests for
 those two calls as well.

New version rebased on one-way trust patches attached.

Please note that the unit-test will fail with the initial version of the
one-way trust patches which does not allow an empty group list in the
PAC.

bye,
Sumit
From 4a31cfdd848e0ef51ee32817e634340d1e90c97f Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Wed, 20 May 2015 18:31:19 +0200
Subject: [PATCH 145/148] ipa-kdb: convert test to cmocka

---
 daemons/ipa-kdb/Makefile.am   |   6 +-
 daemons/ipa-kdb/tests/ipa_kdb_tests.c | 129 --
 2 files changed, 48 insertions(+), 87 deletions(-)

diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
index 
80747491f8315a9cb0b38965423ba5d160946278..a4ea366b01b248d3f0fbc0b694e02d00c2e4c3d1
 100644
--- a/daemons/ipa-kdb/Makefile.am
+++ b/daemons/ipa-kdb/Makefile.am
@@ -55,7 +55,7 @@ ipadb_la_LIBADD = \
$(NSS_LIBS) \
$(NULL)
 
-if HAVE_CHECK
+if HAVE_CMOCKA
 TESTS = ipa_kdb_tests
 check_PROGRAMS = ipa_kdb_tests
 endif
@@ -73,9 +73,9 @@ ipa_kdb_tests_SOURCES =\
ipa_kdb_audit_as.c  \
$(KRB5_UTIL_SRCS)   \
$(NULL)
-ipa_kdb_tests_CFLAGS = $(CHECK_CFLAGS)
+ipa_kdb_tests_CFLAGS = $(CMOCKA_CFLAGS)
 ipa_kdb_tests_LDADD =  \
-   $(CHECK_LIBS)   \
+   $(CMOCKA_LIBS)  \
$(KRB5_LIBS)\
$(LDAP_LIBS)\
$(NDRPAC_LIBS)  \
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c 
b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 
e1ae06a6e359e65873241116581f028f1a4e1bf3..1ff1cd49a4e409545ee908f0f7842520ae82e0a0
 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -1,49 +1,30 @@
-/** BEGIN COPYRIGHT BLOCK
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation, either version 3 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program.  If not, see http://www.gnu.org/licenses/.
- *
- * Additional permission under GPLv3 section 7:
- *
- * In the following paragraph, GPL means the GNU General Public
- * License, version 3 or any later version, and Non-GPL Code means
- * code that is governed neither by the GPL nor a license
- * compatible with the GPL.
- *
- * You may link the code of this Program with Non-GPL Code and convey
- * linked combinations including the two, provided that such Non-GPL
- * Code only links to the code of this Program through those well
- * defined interfaces identified in the file named EXCEPTION found in
- * the source code files (the Approved Interfaces). The files of
- * Non-GPL Code may instantiate templates or use macros or inline
- * functions from the Approved Interfaces without causing the resulting
- * work to be covered by the GPL. Only the copyright holders of this
- * Program may make changes or additions to the list of Approved
- * Interfaces.
- *
- * Authors:
- * Sumit Bose sb...@redhat.com
- *
- * Copyright (C) 2013 Red Hat, Inc.
- * All rights reserved.
- * END COPYRIGHT BLOCK **/
+/*
+Authors:
+Sumit Bose sb...@redhat.com
 
-#include check.h
-#include stdlib.h
+Copyright (C) 2015 Red Hat
+
+ipa-kdb tests
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+

[Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy

2015-07-07 Thread Christian Heimes

Hi,

the patch addresses the error handling of ipa-httpd-kdcproxy as
discussed in the other thread.

Christian
From 85dc0cc3f597accdee6f6de9d7b4d41b2173a8d9 Mon Sep 17 00:00:00 2001
From: Christian Heimes chei...@redhat.com
Date: Tue, 7 Jul 2015 16:05:48 +0200
Subject: [PATCH] Improve error handling in ipa-httpd-kdcproxy

The pre start script 'ipa-httpd-kdcproxy' for httpd.service now handles
connection and authentication errors more gracefully. If the script is
not able to conenct to LDAP, it only prints a warning and exits with
status code 0. All other errors are still reported as fatal error and
result in a non-zero exit code.

This fixes a problem with offline RPM updates. A restart of Apache no
longer fails when LDAP is not running.
---
 install/tools/ipa-httpd-kdcproxy | 75 +---
 1 file changed, 55 insertions(+), 20 deletions(-)

diff --git a/install/tools/ipa-httpd-kdcproxy b/install/tools/ipa-httpd-kdcproxy
index c71f9cccfe0c05e1484aac7cfcd6801050ed51ab..60b22f2cc321d416871c74f3b4d580594c186a85 100755
--- a/install/tools/ipa-httpd-kdcproxy
+++ b/install/tools/ipa-httpd-kdcproxy
@@ -37,8 +37,26 @@ DEBUG = False
 TIME_LIMIT = 2
 
 
-class CheckError(Exception):
-An unrecoverable error has occured
+class Error(Exception):
+Base error class
+
+
+class ConfigFileError(Error):
+Something is wrong with the config file
+
+
+class CheckError(Error):
+An unrecoverable error has occured
+
+The exit code is 0.
+
+
+
+class FatalError(Error):
+A fatal error has occured
+
+Fatal errors cause the command to exit with a non-null exit code.
+
 
 
 class KDCProxyConfig(object):
@@ -64,14 +82,16 @@ class KDCProxyConfig(object):
 self.con.ldapi = True
 self.con.do_bind(timeout=self.time_limit)
 except errors.NetworkError as e:
-msg = 'Failed to get setting from dirsrv: %s' % e
-self.log.exception(msg)
+msg = 'Unable to connect to dirsrv: %s' % e
+raise CheckError(msg)
+except errors.AuthorizationError as e:
+msg = 'Authorization error: %s' % e
 raise CheckError(msg)
 except Exception as e:
 msg = ('Unknown error while retrieving setting from %s: %s' %
(self.ldap_uri, e))
 self.log.exception(msg)
-raise CheckError(msg)
+raise FatalError(msg)
 
 def _find_entry(self, dn, attrs, filter, scope=IPAdmin.SCOPE_BASE):
 Find an LDAP entry, handles NotFound and Limit
@@ -87,7 +107,7 @@ class KDCProxyConfig(object):
 msg = ('Unknown error while retrieving setting from %s: %s' %
(self.ldap_uri, e))
 self.log.exception(msg)
-raise CheckError(msg)
+raise FatalError(msg)
 return entries[0]
 
 def is_host_enabled(self):
@@ -105,19 +125,21 @@ class KDCProxyConfig(object):
 if not os.path.exists(self.conflink):
 return False
 if not os.path.islink(self.conflink):
-raise CheckError('%s' already exists, but it is not a symlink %
- self.conflink)
+raise ConfigFileError(
+'%s' already exists, but it is not a symlink
+% self.conflink)
 dest = os.readlink(self.conflink)
 if dest != self.conf:
-raise CheckError('%s' points to '%s', expected '%s'
- % (self.conflink, dest, self.conf))
+raise ConfigFileError(
+'%s' points to '%s', expected '%s'
+% (self.conflink, dest, self.conf))
 return True
 
 def create_symlink(self):
 Create symlink to enable KDC proxy support
 try:
 valid = self.validate_symlink()
-except CheckError as e:
+except ConfigFileError as e:
 self.log.warn(Cannot enable KDC proxy: %s  % e)
 return False
 
@@ -165,16 +187,29 @@ class KDCProxyConfig(object):
 def main(debug=DEBUG, time_limit=TIME_LIMIT):
 # initialize API without file logging
 if not api.isdone('bootstrap'):
-api.bootstrap(context='kdcproxyshim', log=None, debug=debug)
+api.bootstrap(context='ipa-httpd-kdcproxy', log=None, debug=debug)
 standard_logging_setup(verbose=True, debug=debug)
 
-with KDCProxyConfig(time_limit) as cfg:
-if cfg.is_host_enabled():
-if cfg.create_symlink():
-api.log.info('KDC proxy enabled')
-else:
-if cfg.remove_symlink():
-api.log.info('KDC proxy disabled')
+try:
+cfg = KDCProxyConfig(time_limit)
+with cfg:
+if cfg.is_host_enabled():
+if cfg.create_symlink():
+api.log.info('KDC proxy enabled')
+return 0
+else:
+if cfg.remove_symlink():
+api.log.info('KDC proxy

Re: [Freeipa-devel] [PATCH 144] extdom: add unit-test for get_user_grouplist()

2015-07-07 Thread Sumit Bose

On Tue, May 26, 2015 at 02:47:02PM +0300, Alexander Bokovoy wrote:
 On Tue, 26 May 2015, Sumit Bose wrote:
 On Tue, May 26, 2015 at 01:24:30PM +0200, Petr Vobornik wrote:
 On 05/26/2015 01:21 PM, Sumit Bose wrote:
 Hi,
 
 this tests should have gone together with
 c1114ef82516002de08e004a930b5ba4a1791b25 but got lost somehow during the
 bugzilla processing.
 
 bye,
 Sumit
 
 
 So it has been acked? And we can push it?
 
 I have to admit that I'm not sure, there were just to many related
 tickets. Alexander, do you remember seeing this patch? If not, I think
 it would be good if someone can review it. Since it is only a
 unit-test, it is not urgent.
 I've seen this patch and I thought I've acked it by the time...

New version rebased on one-way trust patches is attached.

bye,
Sumit

 -- 
 / Alexander Bokovoy
From 5b5c9250416bf1e55a453c5430ac6be914054aa9 Mon Sep 17 00:00:00 2001
From: Sumit Bose sb...@redhat.com
Date: Thu, 26 Feb 2015 14:08:06 +0100
Subject: [PATCH 144/148] extdom: add unit-test for get_user_grouplist()

---
 .../ipa-extdom-extop/ipa_extdom.h  |2 +
 .../ipa-extdom-extop/ipa_extdom_cmocka_tests.c |   41 +
 .../ipa-extdom-extop/ipa_extdom_common.c   |4 +-
 .../ipa-extdom-extop/test_data/group   | 1000 
 4 files changed, 1045 insertions(+), 2 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
index 
65dd43ea35726db6231386a0fcbba9be1bd71412..a77711977186b702caafa2729dc13090c6031791
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
@@ -185,6 +185,8 @@ int getgrnam_r_wrapper(size_t buf_max, const char *name,
struct group *grp, char **_buf, size_t *_buf_len);
 int getgrgid_r_wrapper(size_t buf_max, gid_t gid,
struct group *grp, char **_buf, size_t *_buf_len);
+int get_user_grouplist(const char *name, gid_t gid,
+   size_t *_ngroups, gid_t **_groups);
 int pack_ber_sid(const char *sid, struct berval **berval);
 int pack_ber_name(const char *domain_name, const char *name,
   struct berval **berval);
diff --git 
a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
index 
42d588d08a96f8a26345f85aade9523e05f6f56e..ec553fe62c27738f258defc267fe761c72157df0
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
@@ -213,6 +213,46 @@ void test_getgrgid_r_wrapper(void **state)
 free(buf);
 }
 
+void test_get_user_grouplist(void **state)
+{
+int ret;
+size_t ngroups;
+gid_t *groups;
+size_t c;
+
+/* This is a bit odd behaviour of getgrouplist() it does not check if the
+ * user exists, only if memberships of the user can be found. */
+ret = get_user_grouplist(non_exisiting_user, 23456, ngroups, groups);
+assert_int_equal(ret, LDAP_SUCCESS);
+assert_int_equal(ngroups, 1);
+assert_int_equal(groups[0], 23456);
+free(groups);
+
+ret = get_user_grouplist(member0001, 23456, ngroups, groups);
+assert_int_equal(ret, LDAP_SUCCESS);
+assert_int_equal(ngroups, 3);
+assert_int_equal(groups[0], 23456);
+assert_int_equal(groups[1], 1);
+assert_int_equal(groups[2], 2);
+free(groups);
+
+ret = get_user_grouplist(member0003, 23456, ngroups, groups);
+assert_int_equal(ret, LDAP_SUCCESS);
+assert_int_equal(ngroups, 2);
+assert_int_equal(groups[0], 23456);
+assert_int_equal(groups[1], 2);
+free(groups);
+
+ret = get_user_grouplist(user_big, 23456, ngroups, groups);
+assert_int_equal(ret, LDAP_SUCCESS);
+assert_int_equal(ngroups, 1001);
+assert_int_equal(groups[0], 23456);
+for (c = 1; c  ngroups; c++) {
+assert_int_equal(groups[c], 2 + c);
+}
+free(groups);
+}
+
 struct test_data {
 struct extdom_req *req;
 struct ipa_extdom_ctx *ctx;
@@ -398,6 +438,7 @@ int main(int argc, const char *argv[])
 unit_test(test_getpwuid_r_wrapper),
 unit_test(test_getgrnam_r_wrapper),
 unit_test(test_getgrgid_r_wrapper),
+unit_test(test_get_user_grouplist),
 unit_test_setup_teardown(test_set_err_msg,
  extdom_req_setup, extdom_req_teardown),
 unit_test_setup_teardown(test_encode,
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 
b2e690471cd045154454a26aa6756c2628bbc262..f5905c78e5f6eb635fcd0acf0afeda3bdb3b9baa
 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -400,8 +400,8 @@ int check_request(struct

Re: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk

2015-07-07 Thread Jan Cholasta


Dne 8.7.2015 v 00:37 Tomas Babej napsal(a):



On 07/07/2015 07:49 PM, Martin Basti wrote:

On 03/07/15 16:41, Martin Babinsky wrote:

On 07/02/2015 01:58 PM, Martin Babinsky wrote:

First attempt at https://fedorahosted.org/freeipa/ticket/4768




Attaching reworked patch.




ACK

--
Martin Basti





Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474



NACK! This won't work, as it breaks capabilities.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0051] Clear SSSD caches when uninstalling the client



On 06/30/2015 05:40 PM, Simo Sorce wrote:
 On Tue, 2015-06-30 at 16:10 +0200, Martin Basti wrote:
 On 30/06/15 15:18, Martin Basti wrote:
 On 30/06/15 14:47, Simo Sorce wrote:
 On Tue, 2015-06-30 at 13:19 +0200, Tomas Babej wrote:
 On 06/30/2015 01:08 PM, Martin Basti wrote:
 On 30/06/15 13:00, Tomas Babej wrote:
 On 06/29/2015 03:50 PM, Martin Basti wrote:
 On 29/06/15 13:46, Jakub Hrozek wrote:
 On Fri, Jun 05, 2015 at 11:31:54AM -0600, Gabe Alford wrote:
 Thanks. Updated patch attached.

 On Fri, Jun 5, 2015 at 9:53 AM, Jakub Hrozek jhro...@redhat.com
 wrote:

 On Fri, Jun 05, 2015 at 09:46:05AM -0600, Gabe Alford wrote:
 How should 
 https://www.redhat.com/archives/freeipa-users/2015-June/msg00116.html
  


 be
 handled where the user cleared out the db cache?
 Ah, I confused that one with another issue Jan Pazdziora had,
 which was
 incidentally about client uninstall as well.

 In that case, you can just remove the single ldb file that
 corresponds
 to the domain that the client is leaving. Maybe it would be safer
 to mv
 the files instead of remove them, but I guess if you run 
 --uninstall,
 you really want just to purge everything..

 btw do the ipa installer tools support multiple domains at all?

 -- 
 Manage your subscription for the Freeipa-devel mailing list:
 https://www.redhat.com/mailman/listinfo/freeipa-devel
 Contribute to FreeIPA: 
 http://www.freeipa.org/page/Contribute/Code

From 40f7c3780baaf0b42d10c94c8527c9359a42247f Mon Sep 17 
 00:00:00
 2001
 From: Gabe redhatri...@gmail.com
 Date: Fri, 5 Jun 2015 11:27:46 -0600
 Subject: [PATCH] Clear SSSD caches when uninstalling the client

 https://fedorahosted.org/freeipa/ticket/5049
 Conceptually LGTM, but I haven't tested the patch.

 ACK, I did testing.

 Pushed to master: 37729936dd6fe9c3396cbb8a682a4674af8b5537

 For ipa-4-1 the patch requires a rebase.
 Rebased patch for ipa-4-1 attached.

 Pushed to ipa-4-1: 222427cb37a037f24ca76a9bcf614a2711a2ba96

 This patch break ipa-client-install --uninstall when the first part of
 sssd uninstall fails, and exception is thrown and we 'pass', but then
 domain is not set and we use it.

 Please revert or fix it.

 Simo.

 I will fix it.

 Fix attached.
 
 Tested on my server and it seem to work correctly.
 Code-wise also LGTM.
 
 ACK.
 Simo.
 

Pushed to master: 6fa123447f8acfbbdb442a1cbac38997a8e81208
Pushed to ipa-4-1: 56db66371eaa4995fa2a672663d9b8ff1520f63d

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy


On Tue, 07 Jul 2015, Nathaniel McCallum wrote:

This LGTM. However, I’ll let Alexander give the ACK.

Looks good for me too.

--
/ Alexander Bokovoy


signature.asc
Description: PGP signature
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0180-0190 oneway trust and other trust-related patches


On Tue, 07 Jul 2015, Alexander Bokovoy wrote:

Hi,

attached are patches to introduce one-way trust support and few more to
fix currently outstanding trust-related bugs.

More details are in the commit messages.

For oddjobd-activated helper, if you want to test the one-way trust
setup, you need to put SELinux into permissive. We have bugs for both
Fedora and RHEL to add the policy
(https://bugzilla.redhat.com/show_bug.cgi?id=1238163 for RHEL7), it is
in works.

Updated patch 0181 after discussion with Simo and Sumit about empty rid
array.

--
/ Alexander Bokovoy
From e5b073d0a4cb75ef79eb199352f95f29594a4740 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy aboko...@redhat.com
Date: Thu, 28 May 2015 08:33:51 +
Subject: [PATCH 02/11] ipa-kdb: filter out group membership from MS-PAC for
 exact SID matches too

When incoming SID blacklist contains exact SIDs of users and groups,
attempt to filter them out as well, according to [MS-PAC] 4.1.1.2.

Note that we treat user's SID and primary group RID filtering as violation
of the KDC policy because the resulting MS-PAC will have no user SID or
primary group and thus will be invalid.

For group RIDs we filter them out. According to [MS-KILE] 3.3.5.6.3.1
it is OK to have empty group RIDs array as GroupCount SHOULD be
equal to Groups.MembershipCount returned by SamrGetGroupsForUser
[MS-SAMR] 3.1.5.9.1, not MUST, thus it may be empty.

Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
---
 daemons/ipa-kdb/ipa_kdb_mspac.c | 100 +++-
 1 file changed, 99 insertions(+), 1 deletion(-)

diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 390111f..b1490ef 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1317,6 +1317,22 @@ static void filter_logon_info_log_message(struct dom_sid 
*sid)
 }
 }
 
+static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t 
rid)
+{
+char *domstr = NULL;
+
+domstr = dom_sid_string(NULL, sid);
+if (domstr) {
+krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID [%s-%d] is not 
allowed 
+  from a trusted source and will be 
excluded., domstr, rid);
+talloc_free(domstr);
+} else {
+krb5_klog_syslog(LOG_ERR, PAC filtering issue: SID is not allowed 
+  from a trusted source and will be excluded.
+  Unable to allocate memory to display SID.);
+}
+}
+
 static krb5_error_code filter_logon_info(krb5_context context,
  TALLOC_CTX *memctx,
  krb5_data realm,
@@ -1328,9 +1344,21 @@ static krb5_error_code filter_logon_info(krb5_context 
context,
  * attempt at getting us to sign fake credentials with the help of a
  * compromised trusted realm */
 
+/* NOTE: there are two outcomes from filtering:
+ * REJECT TICKET -- ticket is rejected if domain SID of
+ *  the principal with MS-PAC is filtered out or
+ *  its primary group RID is filtered out
+ *
+ * REMOVE SID-- SIDs are removed from the list of SIDs associated
+ *  with the principal if they are filtered out
+ *  This applies also to secondary RIDs of the principal
+ *  if domain_sid-secondary RID is filtered out
+ */
+
 struct ipadb_context *ipactx;
 struct ipadb_adtrusts *domain;
-int i, j, k, count;
+int i, j, k, l, count;
+uint32_t rid;
 bool result;
 char *domstr = NULL;
 
@@ -1377,6 +1405,76 @@ static krb5_error_code filter_logon_info(krb5_context 
context,
 }
 }
 
+/* Check if this user's SIDs membership is filtered too */
+for(k = 0; k  domain-len_sid_blacklist_incoming; k++) {
+/* Short-circuit if there are no RIDs. This may happen if we filtered 
everything already.
+ * In normal situation there would be at least primary gid as RID in 
the RIDs array
+ * but if we filtered out the primary RID, this MS-PAC is invalid */
+count = info-info-info3.base.groups.count;
+result = dom_sid_is_prefix(info-info-info3.base.domain_sid,
+   domain-sid_blacklist_incoming[k]);
+if (result) {
+i = 0;
+j = 0;
+if (domain-sid_blacklist_incoming[k].num_auths - 
info-info-info3.base.domain_sid-num_auths != 1) {
+krb5_klog_syslog(LOG_ERR, Incoming SID blacklist element 
matching domain [%s with SID %s] 
+  has more than one RID component. 
Invalid check skipped.,
+ domain-domain_name, domain-domain_sid);
+break;
+}
+rid = 
domain-sid_blacklist_incoming[k].sub_auths[domain-sid_blacklist_incoming[k].num_auths
 - 1];
+if (rid ==

Re: [Freeipa-devel] [PATCH] 004 Improve error handling in ipa-httpd-kdcproxy