Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On Thu, 29 Oct 2015, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5414 Thanks, Gabe From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 29 Oct 2015 20:28:27 -0600 Subject: [PATCH] Incomplete ports for IPA AD Trust https://fedorahosted.org/freeipa/ticket/5414 --- install/tools/ipa-adtrust-install | 1 + 1 file changed, 1 insertion(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -472,6 +472,7 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds This is good but not complete. What end-point mapper does is creating a listener based on the incoming request and access to the listener needs to be provided as well. A listener is created currently in the range of 1024..1300/TCP but we already have request to make this range configurable (it is hard coded right now in Samba code) because with Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535: https://support.microsoft.com/en-us/kb/929851 We were thinking to add a call out hook on Samba side to call firewall-related script that could do hole punching on demand but it is not there yet. What we could do in ipa-adtrust-install, is to add section about TCP/UDP ports to the manual page and explicitly reference that one in case of epmap line: \t *135: epmap (see ipa-adtrust-install(1) man page for details) We don't have the firewall section in the manpage at all, btw. What do you think? -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
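Review bot: the added `+\t * 135: epmap` line is only half of the requirement, as the reply in this thread already notes: the endpoint mapper on 135/TCP hands the client a dynamically allocated listener port (Samba currently takes it from 1024..1300/TCP), so a firewall opened only for 135, 138, 139 and 445 still blocks the follow-up DCE/RPC connection and the trust setup fails in a way that is hard to diagnose. Suggest either listing the dynamic range in the same block, e.g. `\t * 135: epmap` followed by `\t * 1024-1300: dynamic RPC listener ports (allocated by epmap)`, or referencing the ipa-adtrust-install(1) man page from the epmap line as proposed, so that the installer output and the documentation agree.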
Re: [Freeipa-devel] [PATCH 0020-0021] some topology plugin fixes
On 10/29/2015 01:28 PM, thierry bordaz wrote:
On 10/23/2015 10:44 AM, Ludwig Krispenz wrote:
Hi, the attached two patches address issues I found when testing ca management in the topology plugin
Thanks for review, Ludwig

Hi Ludwig,

Patch 20 is good to me. I have one remark, you call ipa_topo_cfg_host_find with lock flag. So that the replica config is not updated during the test. Now the lock protects each call separately. The risk is very low that the target host could become unmanaged by the time we test the source host.

yes, and if two parallel operations do related things like adding an agreement and making a host managed/unmanaged there is a race for the lock. The lock itself cannot prevent these things, it only can protect the data structures from being read while modified. Also with two separate locked calls the second call has a chance to be aware of parallel changes

ACK.

Patch 21 is also good. Just in ipa_topo_util_init_hosts, why not call ipa_topo_cfg_host_add to not duplicate the source ?

no reason, revised patch is attached, thanks for noticing

thanks thierry

>From 8efbeb6ecbc39c8019d66c69e4759d7ffb34a991 Mon Sep 17 00:00:00 2001 From: Ludwig KrispenzDate: Fri, 30 Oct 2015 09:44:21 +0100 Subject: [PATCH] update list of managed servers when a suffix becomes managed when a suffix becomes managed for a host, the host needs to be added to the managed servers, otherwise connectivity check would fail --- daemons/ipa-slapi-plugins/topology/topology.h | 3 +- daemons/ipa-slapi-plugins/topology/topology_cfg.c | 36 ++ daemons/ipa-slapi-plugins/topology/topology_post.c | 5 +-- daemons/ipa-slapi-plugins/topology/topology_util.c | 28 - 4 files changed, 42 insertions(+), 30 deletions(-) diff --git a/daemons/ipa-slapi-plugins/topology/topology.h b/daemons/ipa-slapi-plugins/topology/topology.h index fea8281ac5f0865aca4052f6139e4384f5665b87..d264ed9c1e3e903d7554963b843d1f98385ec47a 100644 --- a/daemons/ipa-slapi-plugins/topology/topology.h
+++ b/daemons/ipa-slapi-plugins/topology/topology.h @@ -178,7 +178,7 @@ void ipa_topo_lock_conf(void); void ipa_topo_unlock_conf(void); int ipa_topo_acquire_startup_inprogress(void); void ipa_topo_release_startup_inprogress(void); -void ipa_topo_cfg_host_add(Slapi_Entry *hostentry); +void ipa_topo_cfg_host_add(TopoReplica *tconf, char *host); void ipa_topo_cfg_host_del(Slapi_Entry *hostentry); TopoReplicaHost *ipa_topo_cfg_host_find(TopoReplica *tconf, char *host, int lock); TopoReplicaHost *ipa_topo_cfg_host_new(char *newhost); @@ -283,6 +283,7 @@ int ipa_topo_util_setup_servers(void); void ipa_topo_util_update_segments_for_host(TopoReplica *conf, char *hostname); char *ipa_topo_util_get_ldap_principal(char *repl_root, char *hostname); void ipa_topo_util_disable_repl_for_principal(char *repl_root, char *principal); +void ipa_topo_util_init_hosts(Slapi_Entry *hostentry); void ipa_topo_util_add_host(Slapi_Entry *hostentry); void ipa_topo_util_delete_host(Slapi_Entry *hostentry); void ipa_topo_util_update_host(Slapi_Entry *hostentry, LDAPMod **mods); diff --git a/daemons/ipa-slapi-plugins/topology/topology_cfg.c b/daemons/ipa-slapi-plugins/topology/topology_cfg.c index d211f20f6bf267ecf4eca79b423a600e53bc5795..3ca61a8ea7c463c45f3dbf2e13a9790c5079e2d7 100644 --- a/daemons/ipa-slapi-plugins/topology/topology_cfg.c +++ b/daemons/ipa-slapi-plugins/topology/topology_cfg.c 
@@ -471,38 +471,22 @@ ipa_topo_cfg_host_new(char *newhost) } void -ipa_topo_cfg_host_add(Slapi_Entry *hostentry) +ipa_topo_cfg_host_add(TopoReplica *replica, char *newhost) { -char *newhost; -char **repl_root = NULL; TopoReplicaHost *hostnode = NULL; -TopoReplica *replica = NULL; -int i; +if (replica == NULL || newhost == NULL) return; -newhost = slapi_entry_attr_get_charptr(hostentry,"cn"); -if (newhost == NULL) return; - -repl_root = slapi_entry_attr_get_charray(hostentry,"ipaReplTopoManagedSuffix"); -if (repl_root == NULL || *repl_root == NULL) return; - -for (i=0; repl_root[i];i++) { -replica = ipa_topo_cfg_replica_find(repl_root[i], 1); -if (replica == NULL) continue; - -slapi_lock_mutex(replica->repl_lock); -if (ipa_topo_cfg_host_find(replica, newhost, 0)) { -/* log error */ -slapi_unlock_mutex(replica->repl_lock); -continue; -} -hostnode = ipa_topo_cfg_host_new(slapi_ch_strdup(newhost)); -hostnode->next = replica->hosts; -replica->hosts = hostnode; +slapi_lock_mutex(replica->repl_lock); +if (ipa_topo_cfg_host_find(replica, newhost, 0)) { +/* host already added */ slapi_unlock_mutex(replica->repl_lock); +return; } +hostnode = ipa_topo_cfg_host_new(slapi_ch_strdup(newhost)); +hostnode->next = replica->hosts; +replica->hosts = hostnode; +slapi_unlock_mutex(replica->repl_lock); -
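Review bot: the new declaration `void ipa_topo_cfg_host_add(TopoReplica *tconf, char *host);` in topology.h names its parameters differently from the definition `ipa_topo_cfg_host_add(TopoReplica *replica, char *newhost)` in topology_cfg.c; align them (the `tconf`/`host` names already used by `ipa_topo_cfg_host_find` in the same header are the natural choice). Note also that `ipa_topo_cfg_host_del(Slapi_Entry *hostentry)` keeps the old entry-based signature, so add and del now take different kinds of arguments; a comment in the header, or a follow-up that moves del to the same (replica, host) form, would keep the API symmetrical.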
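Review bot: in the new `ipa_topo_cfg_host_add` body, `hostnode = ipa_topo_cfg_host_new(slapi_ch_strdup(newhost));` is dereferenced on the next line (`hostnode->next = replica->hosts;`) while `replica->repl_lock` is held, with no NULL check; if `ipa_topo_cfg_host_new` can fail to allocate, unlock and return before linking the node. The rest of the hunk is sound: the `/* host already added */` early return releases the lock it took, and the `if (replica == NULL || newhost == NULL) return;` guard replaces the per-suffix loop that the caller is now responsible for.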
Re: [Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file
On Thu, 29 Oct 2015, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5418 ACK but can you please add something like this in the commit message: Remove lockout policy update file because all currently supported FreeIPA versions already have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600. Keeping lockout policy update file prevents from creating a more strict policy in environments where it is subject to regulatory compliance. Thanks, Gabe From 7a9086162717bc414a1d65ea71a2d65729f6fa7e Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 29 Oct 2015 20:30:35 -0600 Subject: [PATCH] Remove 50-lockout-policy.update file https://fedorahosted.org/freeipa/ticket/5418 --- install/updates/50-lockout-policy.update | 4 install/updates/Makefile.am | 1 - 2 files changed, 5 deletions(-) delete mode 100644 install/updates/50-lockout-policy.update diff --git a/install/updates/50-lockout-policy.update b/install/updates/50-lockout-policy.update deleted file mode 100644 index a5730709e2b649466118502ece1cc530c10e0b40.. --- a/install/updates/50-lockout-policy.update +++ /dev/null @@ -1,4 +0,0 @@ -dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX -replace:krbPwdLockoutDuration:10::600 -replace: krbPwdMaxFailure:3::6 - diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am 
@@ -39,7 +39,6 @@ app_DATA =\ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update\ - 50-lockout-policy.update\ 50-groupuuid.update \ 50-hbacservice.update \ 50-krbenctypes.update \ -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
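Review bot: the commit message gives only the ticket URL and should state why `50-lockout-policy.update` is being removed, as requested earlier in this thread. The deleted file applied `replace:krbPwdLockoutDuration:10::600` and `replace: krbPwdMaxFailure:3::6` to `cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX` on every update run, so an administrator who deliberately set the stricter values 3 or 10 (for example to meet a regulatory requirement) had them silently reverted to the 6-attempt/600-second defaults that all supported versions already ship with. Without that rationale in the commit, a later reader cannot tell whether removing the update weakened or preserved the default lockout policy. The Makefile.am hunk itself is correct and matches the deleted file.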
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On 30.10.2015 07:54, Alexander Bokovoy wrote: > On Thu, 29 Oct 2015, Gabe Alford wrote: >> Hello, >> >> Fix for https://fedorahosted.org/freeipa/ticket/5414 >> >> Thanks, >> >> Gabe > >> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 >> From: Gabe>> Date: Thu, 29 Oct 2015 20:28:27 -0600 >> Subject: [PATCH] Incomplete ports for IPA AD Trust >> >> https://fedorahosted.org/freeipa/ticket/5414 >> --- >> install/tools/ipa-adtrust-install | 1 + >> 1 file changed, 1 insertion(+) >> >> diff --git a/install/tools/ipa-adtrust-install >> b/install/tools/ipa-adtrust-install >> index >> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 >> 100755 >> --- a/install/tools/ipa-adtrust-install >> +++ b/install/tools/ipa-adtrust-install 
>> @@ -472,6 +472,7 @@ Setup complete >> >> You must make sure these network ports are open: >> \tTCP Ports: >> +\t * 135: epmap >> \t * 138: netbios-dgm >> \t * 139: netbios-ssn >> \t * 445: microsoft-ds > This is good but not complete. What end-point mapper does is creating a > listener based on the incoming request and access to the listener needs > to be provided as well. A listener is created currently in the range of > 1024..1300/TCP but we already have request to make this range > configurable (it is hard coded right now in Samba code) because with > Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535: > https://support.microsoft.com/en-us/kb/929851 > > We were thinking to add a call out hook on Samba side to call > firewall-related script that could do hole punching on demand but it is > not there yet. > > What we could do in ipa-adtrust-install, is to add section about TCP/UDP > ports to the manual page and explicitly reference that one in case of > epmap line: > \t *135: epmap (see ipa-adtrust-install(1) man page for details) > > We don't have the firewall section in the manpage at all, btw. > > What do you think? Maybe I'm missing something, but ... Could we simply put current range 1024..1300/TCP to the installer now and do other changes as Samba evolves? I think that it is good enough as a hotfix and that we do not need to over-complicate it in the beginning. -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0020-0021] some topology plugin fixes
On 10/30/2015 09:57 AM, Ludwig Krispenz wrote:
On 10/29/2015 01:28 PM, thierry bordaz wrote:
On 10/23/2015 10:44 AM, Ludwig Krispenz wrote:
Hi, the attached two patches address issues I found when testing ca management in the topology plugin
Thanks for review, Ludwig

Hi Ludwig,

Patch 20 is good to me. I have one remark, you call ipa_topo_cfg_host_find with lock flag. So that the replica config is not updated during the test. Now the lock protects each call separately. The risk is very low that the target host could become unmanaged by the time we test the source host.

yes, and if two parallel operations do related things like adding an agreement and making a host managed/unmanaged there is a race for the lock. The lock itself cannot prevent these things, it only can protect the data structures from being read while modified. Also with two separate locked calls the second call has a chance to be aware of parallel changes

ACK.

Patch 21 is also good. Just in ipa_topo_util_init_hosts, why not call ipa_topo_cfg_host_add to not duplicate the source ?

no reason, revised patch is attached, thanks for noticing

Thanks Ludwig for the changes.

ACK

thanks thierry
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On Fri, 30 Oct 2015, Petr Spacek wrote: On 30.10.2015 07:54, Alexander Bokovoy wrote: On Thu, 29 Oct 2015, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5414 Thanks, Gabe From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 29 Oct 2015 20:28:27 -0600 Subject: [PATCH] Incomplete ports for IPA AD Trust https://fedorahosted.org/freeipa/ticket/5414 --- install/tools/ipa-adtrust-install | 1 + 1 file changed, 1 insertion(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install 
@@ -472,6 +472,7 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds This is good but not complete. What end-point mapper does is creating a listener based on the incoming request and access to the listener needs to be provided as well. A listener is created currently in the range of 1024..1300/TCP but we already have request to make this range configurable (it is hard coded right now in Samba code) because with Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535: https://support.microsoft.com/en-us/kb/929851 We were thinking to add a call out hook on Samba side to call firewall-related script that could do hole punching on demand but it is not there yet. What we could do in ipa-adtrust-install, is to add section about TCP/UDP ports to the manual page and explicitly reference that one in case of epmap line: \t *135: epmap (see ipa-adtrust-install(1) man page for details) We don't have the firewall section in the manpage at all, btw. What do you think? Maybe I'm missing something, but ... Could we simply put current range 1024..1300/TCP to the installer now and do other changes as Samba evolves? I think that it is good enough as a hotfix and that we do not need to over-complicate it in the beginning. That's essentially what I said too -- but I want to have firewall requirements documented in the manpage so that they are available beforehand _and_ people actually read them when they are referenced in the output. I'm not asking for anything else here. Documentation is needed. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0060-0061] DNSSEC improvements in uninstaller
On 30.10.2015 10:55, Martin Basti wrote:
> On 30.10.2015 10:41, Petr Spacek wrote:
>> Hello,
>>
>> DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed
>> DNSSEC: improve log messages in uninstaller
>>
>> This is suitable for ipa-4-2 branch and newer.
>>
> NACK
>
> Please extract the list from the for cycle to a separate variable and do extend with
> that variable.
>
> Also this code doesn't work, I tried similar in python and I got:
>
> In [1]: t=[1]
>
> In [2]: for f in [10, 20, 30].extend(t):
>    ...:     print f
>    ...:
> ---
> TypeError Traceback (most recent call last)
> in ()
> > 1 for f in [10, 20, 30].extend(t):
>   2     print f
>   3
>
> TypeError: 'NoneType' object is not iterable

Thank you for catching this. I trusted lint and that was a bad idea!

Push only to master is fine with me, I'm not willing to go through more bureaucracy for this small change.

-- Petr^2 Spacek

From e24e4a5a19c8e66e342bdd6def7b9372a8c799b1 Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Fri, 30 Oct 2015 10:39:49 +0100 Subject: [PATCH] DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed --- ipaserver/install/opendnssecinstance.py | 13 + 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index 02fc61e468735070d3f6a5985bf1ea8333a6689e..322eec5861e8b2101c2e26874e95b2415246f5b4 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py @@ -343,6 +343,9 @@ class OpenDNSSECInstance(service.Service): 'ISMASTER', None, quotes=False, separator='=') +restore_list = [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE, +paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE] + if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB): # force to export data
@@ -359,14 +362,16 @@ class OpenDNSSECInstance(service.Service): paths.IPA_KASP_DB_BACKUP) except IOError as e: root_logger.error( -"Unable to backup OpenDNSSEC database: %s", e) +"Unable to backup OpenDNSSEC database %s, " +"restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e) else: root_logger.info("OpenDNSSEC database backed up in %s", paths.IPA_KASP_DB_BACKUP) +# restore OpenDNSSEC's KASP DB only if backup succeeded +# removing the file without backup could totally break DNSSEC +restore_list.append(paths.OPENDNSSEC_KASP_DB) -for f in [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE, - paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS, - paths.OPENDNSSEC_ZONELIST_FILE]: +for f in restore_list: try: self.fstore.restore_file(f) except ValueError as error: -- 2.4.3 From b4618410c8f5c833f5828dd6196989e83df603b7 Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Fri, 30 Oct 2015 10:32:43 +0100 Subject: [PATCH] DNSSEC: improve log messages in uninstaller --- ipaserver/install/opendnssecinstance.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index 34dce0f32109b6677737199a90832a45c8f30983..02fc61e468735070d3f6a5985bf1ea8333a6689e 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py 
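Review bot: the comment `# removing the file without backup could totally break DNSSEC` above `restore_list.append(paths.OPENDNSSEC_KASP_DB)` misdescribes what the guarded loop does: `self.fstore.restore_file(f)` replaces the current kasp.db with the pre-install copy, so the hazard is overwriting the live key database while no backup exists, not removing it. Suggest "restoring over the live kasp.db without a backup would lose the DNSSEC keys". The logic itself is right: the append sits in the `else:` of the `try/except IOError`, so kasp.db enters `restore_list` only when `shutil.copy` succeeded, and the error message now names the file that could not be backed up.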
@@ -349,9 +349,10 @@ class OpenDNSSECInstance(service.Service): ods_enforcerd = services.knownservices.ods_enforcerd cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update'] try: +self.print_msg("Exporting DNSSEC data before uninstallation") ipautil.run(cmd, runas=ods_enforcerd.get_user_name()) except CalledProcessError: -root_logger.debug("OpenDNSSEC database has not been updated") +root_logger.error("DNSSEC data export failed") try: shutil.copy(paths.OPENDNSSEC_KASP_DB, -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
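Review bot: `root_logger.error("DNSSEC data export failed")` drops the failure detail; bind the exception (`except CalledProcessError as e:`) and include it, e.g. `root_logger.error("DNSSEC data export failed: %s", e)`, so the uninstall log records why `ipa-full-update` failed rather than only that it did. Raising the level from debug to error is the right call, since a failed export means the kasp.db backed up immediately afterwards may be stale, and the new `self.print_msg(...)` line tells the operator which step the error belongs to.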
Re: [Freeipa-devel] [PATCH 0060-0061] DNSSEC improvements in uninstaller
On 30.10.2015 10:41, Petr Spacek wrote:
Hello,
DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed
DNSSEC: improve log messages in uninstaller
This is suitable for ipa-4-2 branch and newer.

NACK

Please extract the list from the for cycle to a separate variable and do extend with that variable.

Also this code doesn't work, I tried similar in python and I got:

In [1]: t=[1]

In [2]: for f in [10, 20, 30].extend(t):
   ...:     print f
   ...:
---
TypeError Traceback (most recent call last)
in ()
> 1 for f in [10, 20, 30].extend(t):
  2     print f
  3

TypeError: 'NoneType' object is not iterable
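As an added example that is not FreeIPA code: the list.extend() mistake reproduced above, beside the build-then-extend pattern of the revised patch, run through a constructed stand-in for the uninstaller's file store (all paths and the RecordingFileStore are invented for the demonstration).

```python
"""Added example, not FreeIPA code: the list.extend() pitfall from the
rejected de001cfa patch beside the restore-list pattern of the accepted
revision, driven by a constructed stand-in for the uninstaller's fstore."""
import os
import shutil
import tempfile

# Constructed stand-ins for paths.OPENDNSSEC_CONF_FILE etc.; not real paths.
CONF_FILE = "conf.xml"
KASP_FILE = "kasp.xml"
ZONELIST_FILE = "zonelist.xml"
KASP_DB = "kasp.db"


def buggy_restore_list(kasp_db_to_restore):
    """The rejected form: list.extend() mutates in place and returns None,
    so the caller's `for f in ...` loop receives None instead of a list."""
    return [CONF_FILE, KASP_FILE, ZONELIST_FILE].extend(kasp_db_to_restore)


def buggy_loop_error(kasp_db_to_restore):
    """Run the rejected loop and return the name of the exception it raises."""
    try:
        for _ in buggy_restore_list(kasp_db_to_restore):
            pass
    except TypeError as e:
        return type(e).__name__
    return None


def fixed_restore_list(kasp_db_to_restore):
    """The accepted form: build the list first, then extend it."""
    restore_list = [CONF_FILE, KASP_FILE, ZONELIST_FILE]
    restore_list.extend(kasp_db_to_restore)
    return restore_list


class RecordingFileStore:
    """Constructed stand-in for self.fstore: records restore requests only."""

    def __init__(self):
        self.restored = []

    def restore_file(self, path):
        self.restored.append(os.path.basename(path))


def uninstall_restore(workdir, backup_dir, fstore):
    """Back up kasp.db into backup_dir, then restore the OpenDNSSEC files.
    kasp.db is restored only if its backup succeeded, so a failed backup
    never overwrites the live key database. Returns (backup_ok, restored)."""
    kasp_db = os.path.join(workdir, KASP_DB)
    kasp_db_to_restore = []
    if os.path.exists(kasp_db):
        try:
            shutil.copy(kasp_db, os.path.join(backup_dir, KASP_DB + ".backup"))
        except IOError:
            # Backup failed: leave kasp.db out of the restore list.
            pass
        else:
            kasp_db_to_restore = [kasp_db]
    for f in fixed_restore_list(kasp_db_to_restore):
        fstore.restore_file(f)
    return bool(kasp_db_to_restore), list(fstore.restored)


def demo():
    """Exercise both backup outcomes in a temporary directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        workdir = os.path.join(tmp, "etc")
        os.mkdir(workdir)
        with open(os.path.join(workdir, KASP_DB), "w") as fh:
            fh.write("constructed kasp.db contents\n")
        good_backup = os.path.join(tmp, "backup")
        os.mkdir(good_backup)
        results["backup_ok"] = uninstall_restore(
            workdir, good_backup, RecordingFileStore())
        # A backup directory that does not exist makes shutil.copy raise IOError.
        missing_backup = os.path.join(tmp, "no-such-dir")
        results["backup_failed"] = uninstall_restore(
            workdir, missing_backup, RecordingFileStore())
    return results


if __name__ == "__main__":
    print(demo())
```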
Re: [Freeipa-devel] [PATCH 0090] show optionally configured components in server-find/show command output
On 10/26/2015 01:41 PM, Martin Babinsky wrote:
On 10/22/2015 04:13 PM, Martin Basti wrote:
On 22.10.2015 10:44, Martin Babinsky wrote:
https://fedorahosted.org/freeipa/ticket/5181

Thank you for the patch.

1)
+OPTIONAL_SERVICES = {
+    'DNS',
+    'CA',
+    'KRA',
+    'ADTRUST',
+    'EXTID',
+    'DNSKeyExporter',
+    'DNSSEC',
+    'DNSKeySync',
+}

This did not scale well, maybe we should improve it to use some general solution for whole IPA to distinguish mandatory and optional services, but I do not know how (or if it is possible)

Yes this does not scale well. After some playing around with relocating the SERVICE_LIST object in 'ipaserver/install/service.py' I found out that more refactoring would be needed to improve the layout and availability of LDAP service names to both server and client code. I have put the list of core services to ipalib/constants.py for now, and I suggest to open a separate ticket for more general solution.

2)
+search_filter=('(&(objectclass=ipaConfigObject)'
+               '(ipaConfigString=enabledService))')

Common user cannot read ipaConfigString, so this will work only for admins, I do not see any limitations of access in code for other users.

I think that you agreed with Petr^2 that this filter is OK. I left it as it is but I have rewritten it as a call to ldap.make_filter to improve readability and/or potential extensibility a bit.

3)
+opt_components = [
+    r['cn'][0] for r in result if r['cn'][0] in OPTIONAL_SERVICES
+]

Probably instead of indexing, you may use result.single_value['cn']

Martin^2

Attaching updated patch.

Self-NACK, I found a bug in the patch during work on topology management stuff.

-- Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
On 30.10.2015 11:10, Alexander Bokovoy wrote: > On Fri, 30 Oct 2015, Petr Spacek wrote: >> On 30.10.2015 07:54, Alexander Bokovoy wrote: >>> On Thu, 29 Oct 2015, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5414 Thanks, Gabe >>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 From: GabeDate: Thu, 29 Oct 2015 20:28:27 -0600 Subject: [PATCH] Incomplete ports for IPA AD Trust https://fedorahosted.org/freeipa/ticket/5414 --- install/tools/ipa-adtrust-install | 1 + 1 file changed, 1 insertion(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install 
@@ -472,6 +472,7 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds >>> This is good but not complete. What end-point mapper does is creating a >>> listener based on the incoming request and access to the listener needs >>> to be provided as well. A listener is created currently in the range of >>> 1024..1300/TCP but we already have request to make this range >>> configurable (it is hard coded right now in Samba code) because with >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535: >>> https://support.microsoft.com/en-us/kb/929851 >>> >>> We were thinking to add a call out hook on Samba side to call >>> firewall-related script that could do hole punching on demand but it is >>> not there yet. >>> >>> What we could do in ipa-adtrust-install, is to add section about TCP/UDP >>> ports to the manual page and explicitly reference that one in case of >>> epmap line: >>> \t *135: epmap (see ipa-adtrust-install(1) man page for details) >>> >>> We don't have the firewall section in the manpage at all, btw. >>> >>> What do you think? >> >> Maybe I'm missing something, but ... Could we simply put current range >> 1024..1300/TCP to the installer now and do other changes as Samba evolves? I >> think that it is good enough as a hotfix and that we do not need to >> over-complicate it in the beginning. > That's essentially what I said too -- but I want to have firewall > requirements documented in the manpage so that they are available > beforehand _and_ people actually read them when they are referenced in > the output. > > I'm not asking for anything else here. Documentation is needed. 
Thanks for the clarification, I was under the impression that you wanted to put it only into the man page :-)

-- Petr^2 Spacek
Re: [Freeipa-devel] [draft] Fate of ipa-replica-manage and ipa-csreplica-manage tools
On 10/27/2015 04:40 PM, Ludwig Krispenz wrote:
On 10/27/2015 03:54 PM, Petr Vobornik wrote:
Both tools serve primarily for managing replication agreements and replicas. ipa-replica-manage also manages winsync agreements and DNA ranges.

FreeIPA 4.3 will introduce managed topology which affects these tools. Let's go through all sub-commands of both tools and decide what is the fate of them/how they should be replaced. Comments are welcome.

In text, term 'disable' means: print an error message with help what is the new alternative.

For domain level == 0 all sub-commands should behave the same way as before. Proposals are for domain level 1 if not stated otherwise.

== ipa-replica-manage ==

=== list ===

Lists all IPA servers or replication agreements of a specific IPA server including winsync agreements. Note that people are used to using the "-v" switch to show status of these agreements. There would need to be a replacement for this functionality to get rid of this command.

Server list is replaced by ipa server-find
Replication agreements by: ipa topologysegment-find realm

I see following paths:
1. do not change (current state)
2. list only winsync agreements - IMO it will be easier to maintain

If winsync was not in play we could 'disable' it but winsync is not planned to be centrally managed. Mainly because the preferred alternative is trust.

2 may be a good choice, but we first need to find the alternative for above.

I do not think deprecating a list is a "must" for 4.3.

=== connect ===

Allow for winsync, disable for REALM agmts. (current state)

=== disconnect ===

Allow for winsync, disable for REALM agmts. (current state)

+1.

=== del ===

(current state)
With domain level 0:
- removes replica and repl. agmts for REALM suffix and winsync
With domain level 1:
- removes replica entry and therefore repl. agmts for all suffixes (REALM, CS)
- ensure last services, e.g. sets renewal master
- does additional cleanup

I'm not aware of any operation which needs directory manager. IMO it can be moved to API in future release (e.g. 4.4), especially if ipa-server-install --uninstall is modified to do most of the cleanup.

Ok.

=== re-initialize ===

Not changed. Can be disabled (long-term solution)

Same capability is in topologysegment_reinitialize API command. The only difference is that no API command shows state of the pending operation. Should we transform presence of 'start' and 'stop' in nsds5beginreplicarefresh;left|right attribute into an output of topologysegment_show, e.g.: 'initialization in progress', 'cancellation of re-initialization requested'.

yes, something like this would be possible, maybe this can be part of the replication monitoring work, allowing to query the state of specific agreements.

Can topologysegment-reinitialize simply wait? The behavior and related options could be similar as with automember-rebuild.

I am wondering if topologysegment-reinitialize is not too low level. Normally, the problem you are solving is that one of your masters is out of sync and cannot be fixed. Then you want to have some command to re-initialize *the master*, with the command potentially picking the best topologysegment to be used.

=== force-sync ===

no change yet

Currently done by setting nsDS5ReplicaUpdateSchedule attribute of repl. agreement.
1. Is it required?
2. Should the functionality be transferred to topologysegment/topology plugin?
3. Is current approach good?

in fact it is a hack, it uses the fact that a change in the replication agreement will trigger a fresh start of the protocol thread. It would be more clean to have "sendupdatesnow" attribute or as a value of the refresh attribute, would require a change in DS

Change in DS to support some of the Topology functionality is tricky. Is this a blocker for releasing 4.3 with DL 1? Where I am coming from is that if Topology functionality depends on a DS function, we cannot be sure that the Topology call works for all masters. And I do not think we want to release DL 2 to support also this command.

IMO if we want to preserve the possibility then the long-term solution is to move it to topology plugin.

yes

Yes, but see above.

=== list-ruv, clean-ruv, abort-clean-ruv, list-clean-ruv ===

Commands manage clean-all-ruv operations on REALM suffix. ipa-csreplica-manage doesn't have these commands #4987.

These operations are meant for removal of dangling ruvs but they can also remove "correct" RUV which is not desired. The UX is not the best because if replica still exists it won't tell the admin what is the correct RUV and which are the dangling one(s) and therefore admin must get the info in cn=replica,cn=$SUFFIX,cn=mapping tree,cn=config

We have a ticket to automate it: https://fedorahosted.org/freeipa/ticket/5411

Is it possible to manage it in topology plugin in centralized manner?

I see #5411 as short-term solution for 4.3 or 4.4.

+ {list|clean|abort-clean-list-clean}-ruv sub-commands should be
[Freeipa-devel] [PATCH 0060-0061] DNSSEC improvements in uninstaller
Hello, DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed DNSSEC: improve log messages in uninstaller This is suitable for ipa-4-2 branch and newer. -- Petr^2 Spacek From b4618410c8f5c833f5828dd6196989e83df603b7 Mon Sep 17 00:00:00 2001 From: Petr SpacekDate: Fri, 30 Oct 2015 10:32:43 +0100 Subject: [PATCH] DNSSEC: improve log messages in uninstaller --- ipaserver/install/opendnssecinstance.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index 34dce0f32109b6677737199a90832a45c8f30983..02fc61e468735070d3f6a5985bf1ea8333a6689e 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py @@ -349,9 +349,10 @@ class OpenDNSSECInstance(service.Service): ods_enforcerd = services.knownservices.ods_enforcerd cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update'] try: +self.print_msg("Exporting DNSSEC data before uninstallation") ipautil.run(cmd, runas=ods_enforcerd.get_user_name()) except CalledProcessError: -root_logger.debug("OpenDNSSEC database has not been updated") +root_logger.error("DNSSEC data export failed") try: shutil.copy(paths.OPENDNSSEC_KASP_DB, -- 2.4.3 From de001cfa0e15b0e602c1f2af10a87a590527a21a Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Fri, 30 Oct 2015 10:39:49 +0100 Subject: [PATCH] DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed --- ipaserver/install/opendnssecinstance.py | 11 --- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py index 02fc61e468735070d3f6a5985bf1ea8333a6689e..c962c3625d34853e81605358ba200883de901ed1 100644 --- a/ipaserver/install/opendnssecinstance.py +++ b/ipaserver/install/opendnssecinstance.py 
@@ -343,6 +343,7 @@ class OpenDNSSECInstance(service.Service): 'ISMASTER', None, quotes=False, separator='=') +kasp_db_to_restore = [] if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB): # force to export data @@ -359,14 +360,18 @@ class OpenDNSSECInstance(service.Service): paths.IPA_KASP_DB_BACKUP) except IOError as e: root_logger.error( -"Unable to backup OpenDNSSEC database: %s", e) +"Unable to backup OpenDNSSEC database %s, " +"restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e) else: root_logger.info("OpenDNSSEC database backed up in %s", paths.IPA_KASP_DB_BACKUP) +kasp_db_to_restore = [paths.OPENDNSSEC_KASP_DB] +# do not restore OpenDNSSEC's KASP DB if backup failed +# removing the file without backup could totally break DNS setup for f in [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE, - paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS, - paths.OPENDNSSEC_ZONELIST_FILE]: + paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE].extend( + kasp_db_to_restore): try: self.fstore.restore_file(f) except ValueError as error: -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
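Review bot: the `for` loop in the second hunk iterates over `[paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE, paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE].extend(kasp_db_to_restore)`, and `list.extend` mutates the list in place and returns None, so every uninstall path raises `TypeError: 'NoneType' object is not iterable` before a single file is restored (the NACK in this thread reproduces exactly this). Build the list first and then extend it: `restore_list = [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE, paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE]`, then `restore_list.extend(kasp_db_to_restore)` and `for f in restore_list:`. The intent of the first hunk, initialising `kasp_db_to_restore = []` and filling it only in the `else:` of the backup `try`, is correct and worth keeping.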
Re: [Freeipa-devel] [PATCH 0060-0061] DNSSEC improvements in uninstaller
On 30.10.2015 11:16, Petr Spacek wrote: On 30.10.2015 10:55, Martin Basti wrote: On 30.10.2015 10:41, Petr Spacek wrote: Hello, DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed DNSSEC: improve log messages in uninstaller This is suitable for ipa-4-2 branch and newer. NACK Please extract the list from the for cycle to a separate variable and do extend with that variable. Also this code doesn't work, I tried similar in python and I got: In [1]: t=[1] In [2]: for f in [10, 20, 30].extend(t): ...: print f ...: --- TypeError Traceback (most recent call last) in () > 1 for f in [10, 20, 30].extend(t): 2 print f 3 TypeError: 'NoneType' object is not iterable Thank you for catching this. I believed lint and that was a bad idea! Push only to master is fine with me, I'm not willing to go through more bureaucracy for this small change. ACK Pushed to master: 6f855dcc5cbd4a316ae03cdf0e2cc7e8c21bec88
Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands
On 10/30/2015 02:09 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5405 Patch attached Hi Martin, NACK since I'm not a big fan of having (nearly) the same function defined in multiple modules: """ $ git grep -n 'def exit_on_managed_topology' install/tools/ipa-csreplica-manage:397:def exit_on_managed_topology(what, hint="topologysegment"): install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what): """ Otherwise the patch works fine. -- Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file
On Fri, 30 Oct 2015, Gabe Alford wrote: From 24bcde6042d90322883350b5fd97aa41f2e4d77d Mon Sep 17 00:00:00 2001 From: Gabe Date: Fri, 30 Oct 2015 06:27:11 -0600 Subject: [PATCH] Remove 50-lockout-policy.update file Remove lockout policy update file because all currently supported versions have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600. Keeping lockout policy update file prevents creating a more strict policy in environments subject to regulatory compliance https://fedorahosted.org/freeipa/ticket/5418 --- install/updates/50-lockout-policy.update | 4 install/updates/Makefile.am | 1 - 2 files changed, 5 deletions(-) delete mode 100644 install/updates/50-lockout-policy.update ACK -- / Alexander Bokovoy
[Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands
https://fedorahosted.org/freeipa/ticket/5405 Patch attached From 5b0ac9ea79ed657022cdca164eda3313e790aab6 Mon Sep 17 00:00:00 2001 From: Martin BastiDate: Fri, 30 Oct 2015 13:06:21 +0100 Subject: [PATCH] ipa-csreplica-manage: disable connect/disconnect/del with domain level > 0 * ipa-csreplica-manage {connect|disconnect} - a user should use 'ipa topologysegment-*' commands * ipa-csreplica-manage del - a user should use ipa-replica-manage del https://fedorahosted.org/freeipa/ticket/5405 --- install/tools/ipa-csreplica-manage | 25 + install/tools/ipa-replica-manage | 14 ++ ipalib/util.py | 5 + 3 files changed, 36 insertions(+), 8 deletions(-) diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage index 202a3cc74a12e1072ae3ccc15fa71269e74f0fa9..88ca629bb4b3d3fa8193ebf739eee46358dbe7f5 100755 --- a/install/tools/ipa-csreplica-manage +++ b/install/tools/ipa-csreplica-manage @@ -30,6 +30,7 @@ from ipaserver.install import (replication, installutils, bindinstance, cainstance, certs) from ipalib import api, errors from ipalib.constants import CACERT +from ipalib.util import has_managed_topology from ipapython import ipautil, ipaldap, version, dogtag from ipapython.dn import DN @@ -392,6 +393,19 @@ def set_renewal_master(realm, replica): print("%s is now the renewal master" % replica) + +def exit_on_managed_topology(what, hint="topologysegment"): +if hint == "topologysegment": +hinttext = ("Please use `ipa topologysegment-*` commands to manage " + "the topology.") +elif hint == "ipa-replica-manage-del": +hinttext = ("Please use the `ipa-replica-manage del` command.") +else: +assert False, "Unexpected value" +sys.exit("{0} is deprecated with managed IPA replication topology. {1}" + .format(what, hinttext)) + + def main(): options, args = parse_options() 
@@ -427,12 +441,19 @@ def main(): options.dirman_passwd = dirman_passwd +api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), + bind_pw=options.dirman_passwd) + if args[0] == "list": replica = None if len(args) == 2: replica = args[1] list_replicas(realm, host, replica, dirman_passwd, options.verbose) elif args[0] == "del": +if has_managed_topology(api): +exit_on_managed_topology( +"Removal of IPA CS replication agreement and replication data", +hint="ipa-replica-manage-del") del_master(realm, args[1], options) elif args[0] == "re-initialize": re_initialize(realm, options) @@ -441,6 +462,8 @@ def main(): sys.exit("force-sync requires the option --from ") force_sync(realm, host, options.fromhost, options.dirman_passwd) elif args[0] == "connect": +if has_managed_topology(api): +exit_on_managed_topology("Creation of IPA CS replication agreement") if len(args) == 3: replica1 = args[1] replica2 = args[2] @@ -449,6 +472,8 @@ def main(): replica2 = args[1] add_link(realm, replica1, replica2, dirman_passwd, options) elif args[0] == "disconnect": +if has_managed_topology(api): +exit_on_managed_topology("Removal of IPA CS replication agreement") if len(args) == 3: replica1 = args[1] replica2 = args[2] diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 1350590b625e5dcab36abbcef75fe5eafc5f7123..b9998da44dcc1f01c5eb342ee713634de0ee84ee 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage 
@@ -37,8 +37,9 @@ from ipaserver.install import bindinstance, cainstance, certs from ipaserver.install import opendnssecinstance, dnskeysyncinstance from ipapython import version, ipaldap from ipalib import api, errors, util -from ipalib.constants import CACERT, DOMAIN_LEVEL_0 -from ipalib.util import create_topology_graph, get_topology_connection_errors +from ipalib.constants import CACERT +from ipalib.util import (create_topology_graph, +get_topology_connection_errors, has_managed_topology) from ipapython.ipa_log_manager import * from ipapython.dn import DN from ipapython.config import IPAOptionParser @@ -247,7 +248,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False): repl2 = None what = "Removal of IPA replication agreement" -managed_topology = has_managed_topology() +managed_topology = has_managed_topology(api) try: repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd) @@ -698,7 +699,7 @@ def cleanup_server_dns_entries(realm, hostname, suffix, options): def del_master(realm, hostname, options): -if has_managed_topology(): +if has_managed_topology(api):
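Review bot: exit_on_managed_topology in the ipa-csreplica-manage hunk at @@ -392 signals an invalid `hint` with `assert False, "Unexpected value"`, which disappears under python -O and then leaves hinttext unbound; raise ValueError(hint) instead. The message also says the operation "is deprecated" while the command actually refuses to run; say that it is not available with a managed topology (domain level > 0) and point at the replacement. As Martin Babinsky noted, this is a near copy of the function in ipa-replica-manage, which lacks the hint parameter; if it has to stay duplicated, at least give both the same signature.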
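Review bot: the hunk at @@ -427 opens `api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=options.dirman_passwd)` before the subcommand dispatch, so every subcommand, `list`, `re-initialize` and `force-sync` included, now performs a Directory Manager bind that only the has_managed_topology(api) checks in the del/connect/disconnect branches need, and nothing in the hunk disconnects it. Move the connect into those branches (or a small helper) and call api.Backend.ldap2.disconnect() before the tool exits.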
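Review bot: the ipa-replica-manage import hunk at @@ -37 drops DOMAIN_LEVEL_0 from `from ipalib.constants import CACERT, DOMAIN_LEVEL_0`, while the later hunks only change has_managed_topology() calls to has_managed_topology(api). Check that no other reference to DOMAIN_LEVEL_0 remains in the tool (`git grep -n DOMAIN_LEVEL_0 install/tools/ipa-replica-manage`); otherwise it fails with NameError only on the code path that still uses it.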
Re: [Freeipa-devel] [PATCH 0020-0021] some topology plugin fixes
On 30.10.2015 10:08, thierry bordaz wrote: On 10/30/2015 09:57 AM, Ludwig Krispenz wrote: On 10/29/2015 01:28 PM, thierry bordaz wrote: On 10/23/2015 10:44 AM, Ludwig Krispenz wrote: Hi, the attached two patches address issues I found when testing ca management in the topology plugin Thanks for review, Ludwig Hi Ludwig, Patch 20 is good to me. I have one remark, you call ipa_topo_cfg_host_find with lock flag. So that the replica config is not updated during the test. Now the lock protects each call separately. The risk is very low that the target host could become unmanaged by the time we test the source host. yes, and if two parallel operations do related things like adding an agreement and making a host managed/unmanaged there is a race for the lock. The lock itself cannot prevent these things, it only can protect the data structures from being read while modified. Also with two separate locked calls the second call has a chance to be aware of parallel changes ACK. Patch 21 is also good. Just in ipa_topo_util_init_hosts, why not calling ipa_topo_cfg_host_add to not duplicate the source ? no reason, revised patch is attached, thanks for noticing Thanks Ludwig for the changes. ACK Pushed to master: 3f70c9aed7d1357ac5031b8f8b48af320acba567 thanks thierry
Re: [Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file
Can do Alexander. Here is the updated patch. Gabe On Fri, Oct 30, 2015 at 12:56 AM, Alexander Bokovoywrote: > On Thu, 29 Oct 2015, Gabe Alford wrote: > >> Hello, >> >> Fix for https://fedorahosted.org/freeipa/ticket/5418 >> > ACK but can you please add something like this in the commit message: > > > Remove lockout policy update file because all currently supported > FreeIPA versions already have krbPwdMaxFailure defaulting to 6 and > krbPwdLockoutDuration defaulting to 600. > > Keeping lockout policy update file prevents from creating a more strict > policy in environments where it is subject to regulatory compliance. > > > >> Thanks, >> >> Gabe >> > > From 7a9086162717bc414a1d65ea71a2d65729f6fa7e Mon Sep 17 00:00:00 2001 >> From: Gabe >> Date: Thu, 29 Oct 2015 20:30:35 -0600 >> Subject: [PATCH] Remove 50-lockout-policy.update file >> >> https://fedorahosted.org/freeipa/ticket/5418 >> --- >> install/updates/50-lockout-policy.update | 4 >> install/updates/Makefile.am | 1 - >> 2 files changed, 5 deletions(-) >> delete mode 100644 install/updates/50-lockout-policy.update >> >> diff --git a/install/updates/50-lockout-policy.update >> b/install/updates/50-lockout-policy.update >> deleted file mode 100644 >> index >> a5730709e2b649466118502ece1cc530c10e0b40.. >> --- a/install/updates/50-lockout-policy.update >> +++ /dev/null >> @@ -1,4 +0,0 @@ >> -dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX >> -replace:krbPwdLockoutDuration:10::600 >> -replace: krbPwdMaxFailure:3::6 >> - >> diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am >> index >> 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798 >> 100644 >> --- a/install/updates/Makefile.am >> +++ b/install/updates/Makefile.am 
>> @@ -39,7 +39,6 @@ app_DATA =\ >> 45-roles.update \ >> 50-7_bit_check.update \ >> 50-dogtag10-migration.update\ >> - 50-lockout-policy.update\ >> 50-groupuuid.update \ >> 50-hbacservice.update \ >> 50-krbenctypes.update \ >> -- >> 2.4.3 >> >> > -- >> Manage your subscription for the Freeipa-devel mailing list: >> https://www.redhat.com/mailman/listinfo/freeipa-devel >> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code >> > > > -- > / Alexander Bokovoy > From 24bcde6042d90322883350b5fd97aa41f2e4d77d Mon Sep 17 00:00:00 2001 From: Gabe Date: Fri, 30 Oct 2015 06:27:11 -0600 Subject: [PATCH] Remove 50-lockout-policy.update file Remove lockout policy update file because all currently supported versions have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600. Keeping lockout policy update file prevents from creating a more scrict policy in environments subject to regulatory compliance https://fedorahosted.org/freeipa/ticket/5418 --- install/updates/50-lockout-policy.update | 4 install/updates/Makefile.am | 1 - 2 files changed, 5 deletions(-) delete mode 100644 install/updates/50-lockout-policy.update diff --git a/install/updates/50-lockout-policy.update b/install/updates/50-lockout-policy.update deleted file mode 100644 index a5730709e2b649466118502ece1cc530c10e0b40.. --- a/install/updates/50-lockout-policy.update +++ /dev/null @@ -1,4 +0,0 @@ -dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX -replace:krbPwdLockoutDuration:10::600 -replace: krbPwdMaxFailure:3::6 - diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798 100644 --- a/install/updates/Makefile.am +++ b/install/updates/Makefile.am 
@@ -39,7 +39,6 @@ app_DATA =\ 45-roles.update \ 50-7_bit_check.update \ 50-dogtag10-migration.update \ - 50-lockout-policy.update \ 50-groupuuid.update \ 50-hbacservice.update \ 50-krbenctypes.update \ -- 1.8.3.1
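Review bot: the deleted file's two directives, `replace:krbPwdLockoutDuration:10::600` and `replace: krbPwdMaxFailure:3::6`, were re-applied to cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX on every upgrade, so an administrator who had set the global policy to lock out after 3 failures (the stricter value) had it silently raised back to 6 by the next ipa-ldap-updater run; removing the file rather than editing the numbers is the right fix. Since the file is gone, it is worth confirming that the install-time data still sets 6/600 for fresh installs, as the commit message asserts, so the removal changes nothing for new deployments.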
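Review bot: besides the app_DATA entry removed in the Makefile.am hunk at @@ -39, check that no other packaging list (the spec file or an install manifest) names 50-lockout-policy.update, otherwise the build or package step breaks on the missing file.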
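Added example, not code from FreeIPA or from this patch: a small simulation of what the removed update file did to a hardened global policy at upgrade time. The `replace:attr:old::new` semantics used here (the value is rewritten only when the entry currently holds `old`) are my reading of ipa-ldap-updater and are an assumption, as are the two constructed policy entries; the dn line is copied from the deleted file.

```python
"""Simulate install/updates/50-lockout-policy.update against a password policy.

Added example, not FreeIPA code.  Assumption: a `replace:attr:old::new`
directive rewrites the attribute only when its current value equals `old`.
The two policy entries below are constructed sample data.
"""

UPDATE_FILE = """\
dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
replace:krbPwdLockoutDuration:10::600
replace: krbPwdMaxFailure:3::6
"""


def parse_update(text):
    """Parse the dn and replace directives of the update file.

    Returns (dn, [(attr, old, new), ...]).  Only the directive forms that
    appear in the file above are understood.
    """
    dn = None
    directives = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("dn:"):
            dn = line[len("dn:"):].strip()
        elif line.startswith("replace:"):
            attr, values = line[len("replace:"):].split(":", 1)
            old, new = values.split("::", 1)
            directives.append((attr.strip(), old.strip(), new.strip()))
        else:
            raise ValueError("unsupported directive: %s" % line)
    return dn, directives


def apply_update(entry, directives):
    """Apply replace directives in place; return the attributes that changed."""
    changed = []
    for attr, old, new in directives:
        current = entry.get(attr, [])
        if old in current:  # assumption: only an exact match of `old` is rewritten
            entry[attr] = [new if value == old else value for value in current]
            changed.append(attr)
    return changed


def upgrade_policy(policy):
    """Run the update file against a copy of `policy`.

    Returns (entry_after_upgrade, changed_attributes).
    """
    _dn, directives = parse_update(UPDATE_FILE)
    entry = {attr: list(values) for attr, values in policy.items()}
    return entry, apply_update(entry, directives)


# Constructed entries: the shipped defaults, and a policy an admin hardened
# to three failed attempts before lockout.
DEFAULT_POLICY = {"krbPwdMaxFailure": ["6"], "krbPwdLockoutDuration": ["600"]}
HARDENED_POLICY = {"krbPwdMaxFailure": ["3"], "krbPwdLockoutDuration": ["600"]}

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        after, changed = upgrade_policy(policy)
        print("%s policy -> %s (changed: %s)" % (name, after, changed))
```

The default entry passes through untouched, while the hardened entry has krbPwdMaxFailure pushed back from 3 to 6: the stricter setting coincides with the old default the directive was written to migrate away from, which is the regression the ticket describes.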
[Freeipa-devel] [PATCH] ca-less tests updated - POC
Hi, The following patches contain updates to ca-less integration tests. It's still a proof of concept: 2 tests still fail seemingly due to the change in target system logic (marked as xfail with "ask jcholast comment") The test output looks like this: $ ipa-run-tests test_integration/test_caless.py --pdb test session starts = platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.6.4 plugins: multihost, sourceorder collected 88 items test_integration/test_caless.py ..xx..sssss.ss.xx..ssxx. 53 passed, 29 skipped, 6 xfailed in 5620.17 seconds = Numerous skips correspond to the tests related to ipa-replica-prepare (unsupported under domain level 1) -- Oleg Fayans Quality Engineer FreeIPA team RedHat. From 6ec4a0a3ca087bd1bb8e21ff448472cb1a58f0b4 Mon Sep 17 00:00:00 2001 From: Oleg FayansDate: Fri, 30 Oct 2015 13:19:39 +0100 Subject: [PATCH] Updated the script creating test certificate chains https://fedorahosted.org/freeipa/ticket/4589 --- .../test_integration/scripts/caless-create-pki | 31 +- 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki index f428ebae16e05644a875a35faf192f75eb149740..4058abae62f2e9bc9c6ed7caa664a139af91a508 100644 --- a/ipatests/test_integration/scripts/caless-create-pki +++ b/ipatests/test_integration/scripts/caless-create-pki 
@@ -3,7 +3,17 @@ profile_ca=(-t CT,C,C -v 120) profile_server=(-t ,, -v 12) -crl_path=${crl_path-$(readlink -f $dbdir)} +# crl_path=${crl_path-$(readlink -f $dbdir)} +profile_ca_request_options=(-1 -2 -4) +profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'" +profile_ca_create_options=(-v 120) +profile_ca_add_options=(-t ,,) + +profile_server_request_options=(-4) +profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'" +profile_server_create_options=(-v 12) +profile_server_add_options=(-t ,,) + serial_number=0 @@ -17,8 +27,12 @@ gen_cert() { if [ "$ca" = "." ]; then ca="$nick" fi - + +echo $profile eval "options=(\"\${profile_$profile[@]}\")" +eval "request_options=(\"\${profile_${profile}_request_options[@]}\")" +eval "eval request_input=(\"\${profile_${profile}_request_input[@]}\")" + if [ "$ca" = "$nick" ]; then options=("${options[@]}" -x -m 1) else @@ -38,16 +52,7 @@ gen_cert() { csr="$(mktemp)" crt="$(mktemp)" -certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 >/dev/null Date: Fri, 30 Oct 2015 14:07:28 +0100 Subject: [PATCH] Updated ca-less tests. The patch depends on my patch 0011 A preview. All tests except 2 pass. Those 2 failing ones need a consulting from jcholast (so far marked as xfail). https://fedorahosted.org/freeipa/ticket/4589 --- ipatests/test_integration/test_caless.py | 248 ++- 1 file changed, 146 insertions(+), 102 deletions(-) diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py index 9cfba3ee29114badf5a703ccc1d47a1d3e0c41b7..7507ca69ef49e472f507f26693818e4acd64bbd5 100644 --- a/ipatests/test_integration/test_caless.py +++ b/ipatests/test_integration/test_caless.py 
@@ -32,13 +32,15 @@ from ipaplatform.paths import paths from ipapython.dn import DN from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration import tasks +from env_config import get_global_config _DEFAULT = object() +config = get_global_config() +reasoning = "ipa-replica-prepare disabled for domain levels > 0" def get_install_stdin(cert_passwords=()): lines = [ -'yes', # Existing BIND configuration detected, overwrite? [no] '', # Server host name (has default) '', # Confirm domain name (has
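Review bot: in the caless-create-pki hunk at @@ -3 the old `crl_path=...` line is kept as a comment; delete it instead. The new profile_*_request_input strings embed `$(readlink -f $dbdir)/$ca.crl` for a later double eval with $dbdir and $ca unquoted, so a database directory path containing whitespace or shell metacharacters is executed as shell at that point; quote them (`"$(readlink -f "$dbdir")/$ca.crl"`) or assemble the request input without eval.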
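Review bot: the `echo $profile` added to gen_cert in the hunk at @@ -17 looks like leftover debugging and will show up in the output of every certificate generated; drop it. The `eval "eval request_input=(...)"` chain on the following lines is what performs the second expansion mentioned above, so the quoting fix belongs here as well.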
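Review bot: `from env_config import get_global_config` in the test_caless.py hunk at @@ -32 is an implicit relative import; when pytest imports the module as ipatests.test_integration.test_caless it only resolves if the test directory happens to be on sys.path, and it is invalid under Python 3. Use the package path (ipatests.test_integration.env_config, assuming the module sits beside test_caless.py). Calling `config = get_global_config()` at module level also makes collection fail on a machine with no test environment configured; read it lazily inside the skip condition that uses `reasoning`.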
Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands
On 30.10.2015 14:49, Martin Babinsky wrote: On 10/30/2015 02:09 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5405 Patch attached Hi Martin, NACK since I'm not a big fan of having (nearly) the same function defined in multiple modules: """ $ git grep -n 'def exit_on_managed_topology' install/tools/ipa-csreplica-manage:397:def exit_on_managed_topology(what, hint="topologysegment"): install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what): """ Otherwise the patch works fine. I tried to do that, but I could not find any suitable module for that, and the method does just exit() with a proper error message, thus it can be just copy paste (as ipa-csreplica-manage is full of it).
Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands
On 30.10.2015 15:49, Rob Crittenden wrote: Martin Basti wrote: On 30.10.2015 14:49, Martin Babinsky wrote: On 10/30/2015 02:09 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5405 Patch attached Hi Martin, NACK since I'm not a big fan of having (nearly) the same function defined in multiple modules: """ $ git grep -n 'def exit_on_managed_topology' install/tools/ipa-csreplica-manage:397:def exit_on_managed_topology(what, hint="topologysegment"): install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what): """ Otherwise the patch works fine. I tried to do that, but I could not find any suitable module for that, and the method does just exit() with a proper error message, thus it can be just copy paste (as ipa-csreplica-manage is full of it). Some common code can be found in ipaserver/install/replication.py rob I prefer not to mess up the replication.py module with this method, it is just a wrapped exit, nothing useful. Martin^2
Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands
Martin Basti wrote: > > > On 30.10.2015 14:49, Martin Babinsky wrote: >> On 10/30/2015 02:09 PM, Martin Basti wrote: >>> https://fedorahosted.org/freeipa/ticket/5405 >>> >>> >>> Patch attached >>> >>> >> Hi Martin, >> >> NACK since I'm not a big fan of having (nearly) the same function >> defined in multiple modules: >> >> """ >> $ git grep -n 'def exit_on_managed_topology' >> install/tools/ipa-csreplica-manage:397:def >> exit_on_managed_topology(what, hint="topologysegment"): >> install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what): >> """ >> >> Otherwise the patch works fine. >> > I tried to do that, but I could not find any suitable module for that, > and the method does just exit() with a proper error message, thus it can be > just copy paste (as ipa-csreplica-manage is full of it). > Some common code can be found in ipaserver/install/replication.py rob
Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands
On 10/30/2015 03:47 PM, Martin Basti wrote: On 30.10.2015 14:49, Martin Babinsky wrote: On 10/30/2015 02:09 PM, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5405 Patch attached Hi Martin, NACK since I'm not a big fan of having (nearly) the same function defined in multiple modules: """ $ git grep -n 'def exit_on_managed_topology' install/tools/ipa-csreplica-manage:397:def exit_on_managed_topology(what, hint="topologysegment"): install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what): """ Otherwise the patch works fine. I tried to do that, but I could not find any suitable module for that, and the method does just exit() with a proper error message, thus it can be just copy paste (as ipa-csreplica-manage is full of it). Yes it is a nice plate of copypasta anyway. ACK then. -- Martin^3 Babinsky
[Freeipa-devel] [PATCH 0093] perform connectivity checks for all topology suffixes during node deletion
patch for https://fedorahosted.org/freeipa/ticket/5309 The ticket itself is about connectivity checks in topology suffixes, but there is a code (install/tools/ipa-replica-manage starting at line 788 after applying my patch) which monitors whether the segments pointing to/from the deleted host are already deleted. These checks are currently hardcoded for 'realm' prefix, should we generalize them as well or is it a part of other effort? -- Martin^3 Babinsky From 7ef87f07500b361d84e18ac3784c7f9ba9596b1f Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Fri, 30 Oct 2015 13:59:03 +0100 Subject: [PATCH] perform connectivity checks for all topology suffixes during node deletion The code in ipa-replica-manage which checks for disconnected topology before and after deletion of a node in a topology plugin-managed domain was generalized so that it now performs these checks for all suffixes to which the node belongs. https://fedorahosted.org/freeipa/ticket/5309 --- install/tools/ipa-replica-manage | 47 ++-- 1 file changed, 40 insertions(+), 7 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 1350590b625e5dcab36abbcef75fe5eafc5f7123..05ac28cec4036676994942ad7150c9a6ae82a528 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -569,7 +569,7 @@ def check_last_link(delrepl, realm, dirman_passwd, force): else: return None -def check_last_link_managed(api, masters, hostname, force): +def check_last_link_managed(api, hostname, masters, suffix_name, force): """ Check if 'hostname' is safe to delete. 
@@ -577,13 +577,31 @@ def check_last_link_managed(api, masters, hostname, force): (current_errors, new_errors) """ -segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result') -graph = create_topology_graph(masters, segments) +suffix = api.Command.topologysuffix_show(suffix_name)['result'] +suffix_members = [] +for m in masters: +if suffix['iparepltopoconfroot'][0] in m['iparepltopomanagedsuffix']: +suffix_members.append(m) + +member_cns = {member['cn'][0] for member in suffix_members} + +if hostname not in member_cns: +print( +"'{}' is not a part of topology suffix '{}'".format( +hostname, suffix_name +) +) +print("Not checking connectivity") +return [], [] + +segments = api.Command.topologysegment_find(suffix_name, sizelimit=0).get('result') +graph = create_topology_graph(suffix_members, segments) # check topology before removal orig_errors = get_topology_connection_errors(graph) if orig_errors: -print("Current topology is disconnected:") +print("Current topology in suffix '{}' is disconnected:".format( +suffix_name)) print("Changes are not replicated to all servers and data are probably inconsistent.") print("You need to add segments to reconnect the topology.") print_connect_errors(orig_errors) @@ -596,7 +614,8 @@ def check_last_link_managed(api, masters, hostname, force): new_errors = get_topology_connection_errors(graph) if new_errors: -print("WARNING: Topology after removal of %s will be disconnected." % hostname) +print("WARNING: Removal of '{}' will lead to disconnected topology " + "in suffix '{}'".format(hostname, suffix_name)) print("Changes will not be replicated to all servers and data will become inconsistent.") print("You need to add segments to prevent disconnection of the topology.") print("Errors in topology after removal:") 
@@ -724,8 +743,22 @@ def del_master_managed(realm, hostname, options): # 2. Get all masters masters = api.Command.server_find('', sizelimit=0)['result'] -# 3. Check topology -topo_errors = check_last_link_managed(api, masters, hostname, options.force) +# 3. Check topology connectivity in all suffices +suffices = api.Command.topologysuffix_find('', sizelimit=0)['result'] +# initialize the error tuple here and extend it by errors found in each +# suffix +topo_errors = ([], []) + +for suffix in suffices: +suffix_name = suffix['cn'][0] +print("Checking connectivity in topology suffix '{}'".format( +suffix_name)) + +suffix_errors = check_last_link_managed( +api, hostname, masters, suffix_name, options.force) + +topo_errors[0].extend(suffix_errors[0]) +topo_errors[1].extend(suffix_errors[1]) # 4. Check that we are not leaving the installation without CA and/or DNS #And pick new CA master. -- 2.4.3 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
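Review bot: the hunk at @@ -569 reorders the parameters to check_last_link_managed(api, hostname, masters, suffix_name, force), swapping `masters` and `hostname`; a caller that is not updated in this patch would pass a hostname where the list is expected and fail only at the membership test, not with an obvious TypeError. Grep for other callers (`git grep -n check_last_link_managed`) and prefer keyword arguments at the call site.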
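Review bot: in the hunk at @@ -577, `m['iparepltopomanagedsuffix']` raises KeyError for a server entry that has no managed suffix attribute yet, and the membership test compares `suffix['iparepltopoconfroot'][0]` with the managed-suffix values as raw strings, so a DN differing only in case or whitespace counts as a different suffix. Use `m.get('iparepltopomanagedsuffix', [])` and compare DN objects (DN is already imported in ipa-replica-manage). The early `return [], []` for a non-member host is fine, since it matches the (current_errors, new_errors) shape the caller extends.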
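Review bot: the hunk at @@ -724 names the list `suffices` and the comment says "in all suffices"; the plural of suffix is suffixes (suffices is the verb), and the name will be grepped for later. Also, this loop prints "Checking connectivity in topology suffix '...'" for every suffix and check_last_link_managed then prints "Not checking connectivity" for the ones the host is not a member of, which reads oddly; filter the suffixes to those the host belongs to before printing, or move the "Checking" line inside the function after the membership test.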
Re: [Freeipa-devel] [PATCH 0093] perform connectivity checks for all topology suffixes during node deletion
On 10/30/2015 03:26 PM, Martin Babinsky wrote: patch for https://fedorahosted.org/freeipa/ticket/5309 The ticket itself is about connectivity checks in topology suffixes, but there is a code (install/tools/ipa-replica-manage starting at line 788 after applying my patch) which monitors whether the segments pointing to/from the deleted host are already deleted. These checks are currently hardcoded for 'realm' prefix, should we generalize them as well or is it a part of other effort? Could be separate patch but yes. -- Petr Vobornik -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] [PATCH 0093] perform connectivity checks for all topology suffixes during node deletion
On 10/30/2015 03:38 PM, Petr Vobornik wrote: On 10/30/2015 03:26 PM, Martin Babinsky wrote: patch for https://fedorahosted.org/freeipa/ticket/5309 The ticket itself is about connectivity checks in topology suffixes, but there is a code (install/tools/ipa-replica-manage starting at line 788 after applying my patch) which monitors whether the segments pointing to/from the deleted host are already deleted. These checks are currently hardcoded for 'realm' prefix, should we generalize them as well or is it a part of other effort? Could be separate patch but yes. Ok I have included it in the attached patch so that both of these operations are performed for all suffixes. -- Martin^3 Babinsky From 356fbe7c3f542938b87f50c864c28de8b65a9b36 Mon Sep 17 00:00:00 2001 From: Martin BabinskyDate: Fri, 30 Oct 2015 13:59:03 +0100 Subject: [PATCH] check for disconnected topology and deleted agreements for all suffices The code in ipa-replica-manage which checks for disconnected topology and deleted agreements during node removal was generalized so that it now performs these checks for all suffixes to which the node belongs. https://fedorahosted.org/freeipa/ticket/5309 --- install/tools/ipa-replica-manage | 87 ++-- 1 file changed, 66 insertions(+), 21 deletions(-) diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage index 1350590b625e5dcab36abbcef75fe5eafc5f7123..f754d699e89785666dd35386a2fbb1a6017f5d1f 100755 --- a/install/tools/ipa-replica-manage +++ b/install/tools/ipa-replica-manage @@ -569,7 +569,7 @@ def check_last_link(delrepl, realm, dirman_passwd, force): else: return None -def check_last_link_managed(api, masters, hostname, force): +def check_last_link_managed(api, hostname, masters, suffix_name, force): """ Check if 'hostname' is safe to delete. 
@@ -577,13 +577,31 @@ def check_last_link_managed(api, masters, hostname, force): (current_errors, new_errors) """ -segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result') -graph = create_topology_graph(masters, segments) +suffix = api.Command.topologysuffix_show(suffix_name)['result'] +suffix_members = [] +for m in masters: +if suffix['iparepltopoconfroot'][0] in m['iparepltopomanagedsuffix']: +suffix_members.append(m) + +member_cns = {member['cn'][0] for member in suffix_members} + +if hostname not in member_cns: +print( +"'{}' is not a part of topology suffix '{}'".format( +hostname, suffix_name +) +) +print("Not checking connectivity") +return [], [] + +segments = api.Command.topologysegment_find(suffix_name, sizelimit=0).get('result') +graph = create_topology_graph(suffix_members, segments) # check topology before removal orig_errors = get_topology_connection_errors(graph) if orig_errors: -print("Current topology is disconnected:") +print("Current topology in suffix '{}' is disconnected:".format( +suffix_name)) print("Changes are not replicated to all servers and data are probably inconsistent.") print("You need to add segments to reconnect the topology.") print_connect_errors(orig_errors) @@ -596,7 +614,8 @@ def check_last_link_managed(api, masters, hostname, force): new_errors = get_topology_connection_errors(graph) if new_errors: -print("WARNING: Topology after removal of %s will be disconnected." % hostname) +print("WARNING: Removal of '{}' will lead to disconnected topology " + "in suffix '{}'".format(hostname, suffix_name)) print("Changes will not be replicated to all servers and data will become inconsistent.") print("You need to add segments to prevent disconnection of the topology.") print("Errors in topology after removal:") 
@@ -724,8 +743,22 @@ def del_master_managed(realm, hostname, options): # 2. Get all masters masters = api.Command.server_find('', sizelimit=0)['result'] -# 3. Check topology -topo_errors = check_last_link_managed(api, masters, hostname, options.force) +# 3. Check topology connectivity in all suffices +suffices = api.Command.topologysuffix_find('', sizelimit=0)['result'] +suffix_names = [s['cn'][0] for s in suffices] +# initialize the error tuple here and extend it by errors found in each +# suffix +topo_errors = ([], []) + +for suffix_name in suffix_names: +print("Checking connectivity in topology suffix '{}'".format( +suffix_name)) + +suffix_errors = check_last_link_managed( +api, hostname, masters, suffix_name, options.force) + +topo_errors[0].extend(suffix_errors[0]) +topo_errors[1].extend(suffix_errors[1]) # 4. Check that we are not leaving the installation without CA and/or DNS #
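Added example, not FreeIPA's code: a stand-alone version of the per-suffix check the patch generalizes, run over constructed sample hostnames, suffix memberships and segments. It treats a segment as an undirected link and ignores the direction attribute real topology segments carry; the host names, the suffix names "domain" and "ca", and the function names are assumptions for illustration only.

```python
"""Per-suffix replication topology connectivity check (added example, not FreeIPA code).

Mirrors the shape of the check in the patch: for every suffix the host belongs
to, report hosts that are unreachable now and hosts that would become
unreachable once the host is removed.  Segments are treated as undirected
links (an assumption; real topology segments carry a direction).
"""
from collections import deque

# Constructed sample data: which suffixes each master serves, and the
# replication segments (left host, right host) that exist per suffix.
MASTERS = {
    "ipa1.example.test": {"domain", "ca"},
    "ipa2.example.test": {"domain", "ca"},
    "ipa3.example.test": {"domain"},
    "ipa4.example.test": {"domain"},
}
SEGMENTS = {
    "domain": [
        ("ipa1.example.test", "ipa2.example.test"),
        ("ipa2.example.test", "ipa3.example.test"),
        ("ipa3.example.test", "ipa4.example.test"),
    ],
    "ca": [("ipa1.example.test", "ipa2.example.test")],
}


def build_graph(members, segments):
    """Adjacency sets for `members`; segments that touch a non-member are ignored."""
    graph = {member: set() for member in members}
    for left, right in segments:
        if left in graph and right in graph:
            graph[left].add(right)
            graph[right].add(left)
    return graph


def unreachable_from(graph, start):
    """Hosts not reachable from `start` by breadth-first search over the links."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for peer in graph[node]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return sorted(set(graph) - seen)


def connection_errors(graph):
    """Hosts cut off from the rest of the suffix; an empty list means connected."""
    if not graph:
        return []
    return unreachable_from(graph, sorted(graph)[0])


def check_last_link(hostname, masters, segments_by_suffix, suffix):
    """Return (current_errors, errors_after_removal) for one suffix.

    A host that is not a member of the suffix yields ([], []), as there is
    nothing to check for it there.
    """
    members = {m for m, suffixes in masters.items() if suffix in suffixes}
    if hostname not in members:
        return [], []
    current = connection_errors(build_graph(members, segments_by_suffix[suffix]))
    after = connection_errors(
        build_graph(members - {hostname}, segments_by_suffix[suffix]))
    return current, after


def check_all_suffixes(hostname, masters=MASTERS, segments_by_suffix=SEGMENTS):
    """Run the check for every suffix; returns {suffix: (current, after_removal)}."""
    return {
        suffix: check_last_link(hostname, masters, segments_by_suffix, suffix)
        for suffix in segments_by_suffix
    }


if __name__ == "__main__":
    for host in sorted(MASTERS):
        for suffix, (current, after) in sorted(check_all_suffixes(host).items()):
            state = "already disconnected" if current else "connected"
            print("%s / %s: %s now; cut off after removal: %s"
                  % (host, suffix, state, after or "none"))
```

With the sample data, removing ipa2 leaves ipa1 alone in the domain suffix (ipa3 and ipa4 become unreachable from it) while the ca suffix shrinks to a single host and stays trivially connected; removing ipa4, the end of the chain, disconnects nothing. The check is per suffix precisely because the ca suffix has fewer members and its own segments, which is what the original 'realm'-only code missed.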
Re: [Freeipa-devel] [draft] Fate of ipa-replica-manage and ipa-csreplica-manage tools
On 10/30/2015 10:42 AM, Martin Kosek wrote: On 10/27/2015 04:40 PM, Ludwig Krispenz wrote: On 10/27/2015 03:54 PM, Petr Vobornik wrote: Both tools serve primarily for managing replication agreements and replicas. ipa-replica-manage also manages winsync agreements and DNA ranges. FreeIPA 4.3 will introduce managed topology which affects these tools. Let's go through all sub-commands of both tools and decide what is the fate of them/how they should be replaced. Comments are welcome. In text, term 'disable' means: print an error message with help what is the new alternative. For domain level == 0 all sub-commands should behave the same way as before. Proposals are for domain level 1 if not stated otherwise. == ipa-replica-manage == === list === Lists all IPA server or replication agreements of a specific IPA server including winsync agreements. Note that people are used to using the "-v" switch to show status of these agreements. There would need to be a replacement for this functionality to get rid of this command. I always forget about this option - from help it's not clear which commands support it. Yes, this implies that it should remain enabled, till we have the functionality in topo plugin. Server list is replaced by ipa server-find Replication agreements by: ipa topologysegment-find realm I see following paths: 1. do not change (current state) 2. list only winsync agreements - IMO it will be easier to maintain If winsync was not in play we could 'disable' it but winsync is not planned to be centrally managed. Mainly because the preferred alternative is trust. 2 may be a good choice, but we first need to find the alternative for above. I do not think deprecating a list is a "must" for 4.3. +1 === connect === Allow for winsync, disable for REALM agmts. (current state) === disconnect === Allow for winsync, disable for REALM agmts. (current state) +1. === del === (current state) With domain level 0: - removes replica and repl. 
agmts for REALM suffix and winsync With domain level 1: - removes replica entry and therefore repl. agmts for all suffices(REALM, CS) - ensure last services, e.g. sets renewal master - does additional cleanup I'm not aware of any operation which needs directory manager. IMO it can be moved to API in future release(e.g. 4.4), especially if ipa-server-install --uninstall is modified to do most of the cleanup. Ok. === re-initialize === Not changed. Can be disabled (long-term solution) Same capability is in topologysegment_reinitialize API command. The only difference is that no API command shows state of the pending operation. Should we transform presence of 'start' and 'stop' in nsds5beginreplicarefresh;left|right attribute into an output of topologysegment_show, e.g.: 'initialization in progress', 'cancellation of re-initialization requested'. yes, something like this would be possible, maybe this can be part of the replication monitoring work, allowing to query the state of specific agreements. Can topologysegment-reinitialize simply wait? The behavior and related options could be similar as with automember-rebuild. Then we risk that CLI will timeout, same issue is in automember-rebuild and migrate-ds (there is a ticket for improving long running tasks). I am wondering if topologysegment-reinitialize is not too low level. Normally, the problem you are solving is that some of your master is out of sync and cannot be fixed. Then you want to have some command to re-intitialize *the master*, with the command potentially picking the best topologysegment to be used. It is quite low-level. That is also one of the reasons why I didn't put it to Web UI. === force-sync === no change yet Currently done by setting nsDS5ReplicaUpdateSchedule attribute of repl. agreement. 1. Is it required? 2. Should the functionality be transferred to topologysegment/topology plugin? 3. Is current approach good? 
in fact it is a hack, it uses the fact that a change in the replication agremeent will trigger a fresh start of the protocol thread. It woul be more clean to have "sendupdatesnow" attribute or as a value of the refresh attribute, would require a change in DS Change in DS to support some of the Topology functionality is tricky. Is this a blocker for releasing 4.3 with DL 1? I don't think so. Where I am coming from is that if Topology functionality depend on a DS function, we cannot be sure that the Topology call works for all masters. And I do not think we want to release DL 2 to support also this command. We don't. We need some general approach for this. Every time we will add some new functionality to topology plugin or fix a bug there this very question will be raised again. The simplest thing to do is have it enabled so the servers which don't support it will still have a usable method. IMO if we want to preserve the possibility then the long-term solution is to move it to topology plugin. yes Yes, but see above.
Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust
Okay. Added the port range to ipa-adtrust-install and updated the man page to reflect firewall requirements. The firewall section seems a little rough, so let me know what you think it would need to be smoothed over (if anything).

thanks,

Gabe

On Fri, Oct 30, 2015 at 4:12 AM, Petr Spacek wrote:
> On 30.10.2015 11:10, Alexander Bokovoy wrote:
> > On Fri, 30 Oct 2015, Petr Spacek wrote:
> >> On 30.10.2015 07:54, Alexander Bokovoy wrote:
> >>> On Thu, 29 Oct 2015, Gabe Alford wrote:
> Hello, > > Fix for https://fedorahosted.org/freeipa/ticket/5414 > > Thanks, > > Gabe > >>> > From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001 > From: Gabe > Date: Thu, 29 Oct 2015 20:28:27 -0600 > Subject: [PATCH] Incomplete ports for IPA AD Trust > > https://fedorahosted.org/freeipa/ticket/5414 > --- > install/tools/ipa-adtrust-install | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/install/tools/ipa-adtrust-install > b/install/tools/ipa-adtrust-install > index > > 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7 > > 100755 > --- a/install/tools/ipa-adtrust-install > +++ b/install/tools/ipa-adtrust-install 
> @@ -472,6 +472,7 @@ Setup complete > > You must make sure these network ports are open: > \tTCP Ports: > +\t * 135: epmap > \t * 138: netbios-dgm > \t * 139: netbios-ssn > \t * 445: microsoft-ds > >>> This is good but not complete. What end-point mapper does is creating a > >>> listener based on the incoming request and access to the listener needs > >>> to be provided as well. A listener is created currently in the range of > >>> 1024..1300/TCP but we already have request to make this range > >>> configurable (it is hard coded right now in Samba code) because with > >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535: > >>> https://support.microsoft.com/en-us/kb/929851 > >>> > >>> We were thinking to add a call out hook on Samba side to call > >>> firewall-related script that could do hole punching on demand but it is > >>> not there yet. > >>> > >>> What we could do in ipa-adtrust-install, is to add section about > TCP/UDP > >>> ports to the manual page and explicitly reference that one in case of > >>> epmap line: > >>> \t *135: epmap (see ipa-adtrust-install(1) man page for details) > >>> > >>> We don't have the firewall section in the manpage at all, btw. > >>> > >>> What do you think? > >> > >> Maybe I'm missing something, but ... Could we simply put current range > >> 1024..1300/TCP to the installer now and do other changes as Samba > evolves? I > >> think that it is good enough as a hotfix and that we do not need to > >> over-complicate it in the beginning. > > That's essentially what I said too -- but I want to have firewall > > requirements documented in the manpage so that they are available > > beforehand _and_ people actually read them when they are referenced in > > the output. > > > > I'm not asking for anything else here. Documentation is needed. 
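Review bot: the hunk's only change, `+\t * 135: epmap`, still leaves the firewall list incomplete: as the reply quoted right after it explains, the endpoint mapper only directs a client to a separately allocated listener port (1024..1300/TCP in the Samba code of the time), so a firewall opened from this list alone still blocks the RPC calls that follow the port-135 lookup. Suggest adding the listener range beside the epmap entry, or a pointer to the man page section as the thread proposes, so that the installer output is not read as the complete set of ports.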
> > Thanks for clarification, I was under the impression that you wanted to > put it > only into the man page :-) > > -- > Petr^2 Spacek > > -- > Manage your subscription for the Freeipa-devel mailing list: > https://www.redhat.com/mailman/listinfo/freeipa-devel > Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code > From 227cf5ae9f7e1c0d5ce96c996baa75448430ce99 Mon Sep 17 00:00:00 2001 From: Gabe Date: Fri, 30 Oct 2015 09:11:00 -0600 Subject: [PATCH] Incomplete ports for IPA AD Trust - Add subsection to ipa-adtrust-install man page - Update port information in ipa-adtrust-install https://fedorahosted.org/freeipa/ticket/5414 --- install/tools/ipa-adtrust-install | 4 install/tools/man/ipa-adtrust-install.1 | 25 + 2 files changed, 29 insertions(+) diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..ff69d69e2c11ce08b8b648a5a78777c472da2ac9 100755 --- a/install/tools/ipa-adtrust-install +++ b/install/tools/ipa-adtrust-install @@ -472,15 +472,19 @@ Setup complete You must make sure these network ports are open: \tTCP Ports: +\t * 135: epmap \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 445: microsoft-ds +\t * 1024..1300: epmap listener range \tUDP Ports: \t * 138: netbios-dgm \t * 139: netbios-ssn \t * 389: (C)LDAP \t * 445: microsoft-ds +See the ipa-adtrust-install(1) man page for more details + = """) if admin_password: diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 index 06378b5983e55bb6c34971b0f5129246f9f14fd3..36c468336909c705c68a2794dec699f3f05579d9 100644 ---
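Review bot: `+\t * 1024..1300: epmap listener range` hard-codes a value that the thread says is fixed inside Samba and expected to become configurable (Windows 2008 and later use 49152..65535), so the installer output will silently disagree with the firewall once that changes; suggest wording it as the current default and having the new man page section state that the opened range must match the range Samba actually uses. While touching this list, it is worth checking whether the unchanged UDP entries `\t * 139: netbios-ssn` and `\t * 445: microsoft-ds` are really needed, since the services they name are normally TCP-only and the guidance would otherwise have administrators open UDP ports nothing listens on.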
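A check for the firewall requirement discussed in this thread, as an added example that is not FreeIPA or Samba code: it compares a `firewall-cmd --list-ports` style listing against the fixed ports from the patch plus the endpoint-mapper listener range, which is assumed to be passed in by the caller since the thread notes the range is hard-coded in Samba and expected to become configurable. The listing is a constructed sample.

```python
"""Compare a firewalld port allow-list with the ports ipa-adtrust-install
requires, including the DCE-RPC endpoint-mapper listener range.
Added example, not FreeIPA or Samba code; the sample listing is constructed."""
import re

# Fixed ports from the ipa-adtrust-install message in the patch, as (proto, port).
ADTRUST_FIXED = {
    ("tcp", 135), ("tcp", 138), ("tcp", 139), ("tcp", 445),
    ("udp", 138), ("udp", 139), ("udp", 389), ("udp", 445),
}
# Listener range the thread quotes for Samba at the time; the thread expects it
# to become configurable, so callers should pass the range Samba really uses.
DEFAULT_EPMAP_RANGE = (1024, 1300)

def parse_firewalld_ports(listing):
    """Parse 'firewall-cmd --list-ports' output such as '135/tcp 1024-1300/tcp'
    into (proto, low, high) tuples; reject anything that is not a port token."""
    ranges = []
    for token in listing.split():
        m = re.fullmatch(r"(\d+)(?:-(\d+))?/(tcp|udp)", token)
        if not m:
            raise ValueError("unrecognised port token: %s" % token)
        low, high = int(m.group(1)), int(m.group(2) or m.group(1))
        ranges.append((m.group(3), low, high))
    return ranges

def covered(ranges, proto, port):
    return any(p == proto and lo <= port <= hi for p, lo, hi in ranges)

def missing_adtrust_ports(listing, epmap_range=DEFAULT_EPMAP_RANGE):
    """Return (missing fixed ports, uncovered epmap listener ports). The range
    is checked port by port so a partially opened range is caught too."""
    ranges = parse_firewalld_ports(listing)
    missing = sorted(e for e in ADTRUST_FIXED if not covered(ranges, *e))
    lo, hi = epmap_range
    gaps = [p for p in range(lo, hi + 1) if not covered(ranges, "tcp", p)]
    return missing, gaps

# Constructed sample: 445/tcp forgotten and only part of the listener range open.
SAMPLE_LISTING = "135/tcp 138/tcp 139/tcp 1024-1200/tcp 138/udp 139/udp 389/udp 445/udp"

if __name__ == "__main__":
    missing, gaps = missing_adtrust_ports(SAMPLE_LISTING)
    print("missing fixed ports:", missing)
    if gaps:
        print("epmap listener ports not allowed: %d..%d" % (gaps[0], gaps[-1]))
```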