Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Alexander Bokovoy

On Thu, 29 Oct 2015, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5414

Thanks,

Gabe



From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 29 Oct 2015 20:28:27 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

https://fedorahosted.org/freeipa/ticket/5414
---
install/tools/ipa-adtrust-install | 1 +
1 file changed, 1 insertion(+)

diff --git a/install/tools/ipa-adtrust-install 
b/install/tools/ipa-adtrust-install
index 
1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -472,6 +472,7 @@ Setup complete

You must make sure these network ports are open:
\tTCP Ports:
+\t  * 135: epmap
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 445: microsoft-ds
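Review bot: listing 135/epmap alone still leaves the port list incomplete, because the endpoint mapper only refers clients to a dynamically allocated listener port (currently 1024..1300/TCP in Samba, 49152..65535 on Windows 2008 and later), so a firewall opened to exactly this list will block the follow-up RPC connection. Add a line for the dynamic listener range next to the epmap entry, or at least point at documentation that states it, e.g. `\t  * 135: epmap (see ipa-adtrust-install(1) man page for details)`.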

This is good but not complete. What end-point mapper does is creating a
listener based on the incoming request and access to the listener needs
to be provided as well. A listener is created currently in the range of
1024..1300/TCP but we already have request to make this range
configurable (it is hard coded right now in Samba code) because with
Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
https://support.microsoft.com/en-us/kb/929851

We were thinking to add a call out hook on Samba side to call
firewall-related script that could do hole punching on demand but it is
not there yet.

What we could do in ipa-adtrust-install, is to add section about TCP/UDP
ports to the manual page and explicitly reference that one in case of
epmap line:
\t  *135: epmap (see ipa-adtrust-install(1) man page for details)

We don't have the firewall section in the manpage at all, btw.

What do you think?
--
/ Alexander Bokovoy
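As an added illustration of the gap described in this message (example code, not from the thread or from FreeIPA): a small checker that parses the port block printed by ipa-adtrust-install, appends the RPC dynamic listener range that the endpoint mapper hands out, and reports which requirements a firewall allow-list (a constructed sample here) does not cover. The listener range is a parameter because the message says it is hard-coded in Samba today and expected to become configurable.

```python
import re
from dataclasses import dataclass

# Port block as printed by ipa-adtrust-install once 135/epmap is added.
# Constructed sample for this example; the tool prints a literal tab.
INSTALLER_OUTPUT = """Setup complete

You must make sure these network ports are open:
\tTCP Ports:
\t  * 135: epmap
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 445: microsoft-ds
"""

# Dynamic listener ranges the endpoint mapper allocates from (inclusive).
# Per the thread: Samba's current hard-coded range and the Windows 2008+ range.
SAMBA_EPM_RANGE = (1024, 1300)
WINDOWS_2008_EPM_RANGE = (49152, 65535)


@dataclass(frozen=True)
class PortReq:
    proto: str   # "tcp" or "udp"
    low: int
    high: int
    name: str

    def covered_by(self, allow):
        """True if every port low..high of this proto lies inside allowed ranges.

        allow is a list of (proto, low, high) tuples.  Sorted spans are walked
        so that a requirement spread over several adjacent rules still passes.
        """
        spans = sorted((lo, hi) for proto, lo, hi in allow if proto == self.proto)
        need = self.low
        for lo, hi in spans:
            if hi < need:
                continue          # span ends before the port we still need
            if lo > need:
                return False      # gap before this span
            need = hi + 1
            if need > self.high:
                return True
        return False


LINE_RE = re.compile(r"^\s*\*\s*(\d+):\s*(\S+)\s*$")
SECTION_RE = re.compile(r"^\s*(TCP|UDP) Ports:\s*$")


def parse_installer_ports(text):
    """Parse the 'You must make sure these network ports are open:' block."""
    reqs, proto = [], None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            proto = m.group(1).lower()
            continue
        m = LINE_RE.match(line)
        if m and proto:
            port = int(m.group(1))
            reqs.append(PortReq(proto, port, port, m.group(2)))
    return reqs


def required_ports(text, epm_range):
    """Installer ports plus the dynamic listener range epmap refers clients to."""
    reqs = parse_installer_ports(text)
    if any(r.name == "epmap" for r in reqs):
        reqs.append(PortReq("tcp", epm_range[0], epm_range[1], "rpc-dynamic"))
    return reqs


def missing_ports(reqs, allow):
    """Return the requirements the firewall allow-list does not fully cover."""
    return [r for r in reqs if not r.covered_by(allow)]


# Constructed sample allow-list, as (proto, low, high) a firewall would hold it.
SAMPLE_ALLOW = [("tcp", 135, 135), ("tcp", 138, 139), ("tcp", 445, 445),
                ("tcp", 1024, 1100), ("tcp", 1101, 1300)]

if __name__ == "__main__":
    reqs = required_ports(INSTALLER_OUTPUT, WINDOWS_2008_EPM_RANGE)
    for r in missing_ports(reqs, SAMPLE_ALLOW):
        print(f"not allowed: {r.proto}/{r.low}-{r.high} ({r.name})")
```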

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0020-0021] some topology plugin fixes

2015-10-30 Thread Ludwig Krispenz


On 10/29/2015 01:28 PM, thierry bordaz wrote:

On 10/23/2015 10:44 AM, Ludwig Krispenz wrote:

Hi,
the attached two patches address issues I found when testing ca 
management in the topology plugin


Thanks for review,
Ludwig



Hi Ludwig,

Patch 20 is good to me. I have one remark, you call 
ipa_topo_cfg_host_find with lock flag. So that the replica config is 
not updated during the test.
Now the lock protects each call separately. The risk is very low that 
the target host could become unmanaged by the time we test the source 
host.
yes, and if two parallel operations do related things like adding an 
agreement and making a host managed/unmanaged there is a race for the 
lock. The lock itself cannot prevent these things, it only can protect 
the data structures from being read while modified.
Also with two separate locked calls the second call has a chance to be 
aware of parallel changes

ACK.

Patch 21 is also good. Just in ipa_topo_util_init_hosts, why not 
calling ipa_topo_cfg_host_add to not duplicate the source ?

no reason, revised patch is attached, thanks for noticing


thanks
thierry


From 8efbeb6ecbc39c8019d66c69e4759d7ffb34a991 Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz 
Date: Fri, 30 Oct 2015 09:44:21 +0100
Subject: [PATCH] update list of managed servers when a suffix becomes managed

when a suffix becomes managed for a host, the host needs to
be added to the managed servers, otherwise connectivity check would fail
---
 daemons/ipa-slapi-plugins/topology/topology.h  |  3 +-
 daemons/ipa-slapi-plugins/topology/topology_cfg.c  | 36 ++
 daemons/ipa-slapi-plugins/topology/topology_post.c |  5 +--
 daemons/ipa-slapi-plugins/topology/topology_util.c | 28 -
 4 files changed, 42 insertions(+), 30 deletions(-)

diff --git a/daemons/ipa-slapi-plugins/topology/topology.h b/daemons/ipa-slapi-plugins/topology/topology.h
index fea8281ac5f0865aca4052f6139e4384f5665b87..d264ed9c1e3e903d7554963b843d1f98385ec47a 100644
--- a/daemons/ipa-slapi-plugins/topology/topology.h
+++ b/daemons/ipa-slapi-plugins/topology/topology.h
@@ -178,7 +178,7 @@ void ipa_topo_lock_conf(void);
 void ipa_topo_unlock_conf(void);
 int ipa_topo_acquire_startup_inprogress(void);
 void ipa_topo_release_startup_inprogress(void);
-void ipa_topo_cfg_host_add(Slapi_Entry *hostentry);
+void ipa_topo_cfg_host_add(TopoReplica *tconf, char *host);
 void ipa_topo_cfg_host_del(Slapi_Entry *hostentry);
 TopoReplicaHost *ipa_topo_cfg_host_find(TopoReplica *tconf, char *host, int lock);
 TopoReplicaHost *ipa_topo_cfg_host_new(char *newhost);
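Review bot: the new prototype `void ipa_topo_cfg_host_add(TopoReplica *tconf, char *host);` takes the host name as a mutable `char *` although the implementation only reads it (it duplicates it with slapi_ch_strdup), so `const char *host` would document that contract; note also that ipa_topo_cfg_host_del keeps its `Slapi_Entry *hostentry` signature, so add and del are now asymmetric, which deserves a one-line comment in the header.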
@@ -283,6 +283,7 @@ int ipa_topo_util_setup_servers(void);
 void ipa_topo_util_update_segments_for_host(TopoReplica *conf, char *hostname);
 char *ipa_topo_util_get_ldap_principal(char *repl_root, char *hostname);
 void ipa_topo_util_disable_repl_for_principal(char *repl_root, char *principal);
+void ipa_topo_util_init_hosts(Slapi_Entry *hostentry);
 void ipa_topo_util_add_host(Slapi_Entry *hostentry);
 void ipa_topo_util_delete_host(Slapi_Entry *hostentry);
 void ipa_topo_util_update_host(Slapi_Entry *hostentry, LDAPMod **mods);
diff --git a/daemons/ipa-slapi-plugins/topology/topology_cfg.c b/daemons/ipa-slapi-plugins/topology/topology_cfg.c
index d211f20f6bf267ecf4eca79b423a600e53bc5795..3ca61a8ea7c463c45f3dbf2e13a9790c5079e2d7 100644
--- a/daemons/ipa-slapi-plugins/topology/topology_cfg.c
+++ b/daemons/ipa-slapi-plugins/topology/topology_cfg.c
@@ -471,38 +471,22 @@ ipa_topo_cfg_host_new(char *newhost)
 }
 
 void
-ipa_topo_cfg_host_add(Slapi_Entry *hostentry)
+ipa_topo_cfg_host_add(TopoReplica *replica, char *newhost)
 {
-char *newhost;
-char **repl_root = NULL;
 TopoReplicaHost *hostnode = NULL;
-TopoReplica *replica = NULL;
-int i;
+if (replica == NULL || newhost == NULL) return;
 
-newhost = slapi_entry_attr_get_charptr(hostentry,"cn");
-if (newhost == NULL) return;
-
-repl_root = slapi_entry_attr_get_charray(hostentry,"ipaReplTopoManagedSuffix");
-if (repl_root == NULL || *repl_root == NULL) return;
-
-for (i=0; repl_root[i];i++) {
-replica = ipa_topo_cfg_replica_find(repl_root[i], 1);
-if (replica == NULL) continue;
-
-slapi_lock_mutex(replica->repl_lock);
-if (ipa_topo_cfg_host_find(replica, newhost, 0)) {
-/* log error */
-slapi_unlock_mutex(replica->repl_lock);
-continue;
-}
-hostnode = ipa_topo_cfg_host_new(slapi_ch_strdup(newhost));
-hostnode->next = replica->hosts;
-replica->hosts = hostnode;
+slapi_lock_mutex(replica->repl_lock);
+if (ipa_topo_cfg_host_find(replica, newhost, 0)) {
+/* host already added */
 slapi_unlock_mutex(replica->repl_lock);
+return;
 }
+hostnode = ipa_topo_cfg_host_new(slapi_ch_strdup(newhost));
+hostnode->next = replica->hosts;
+replica->hosts = hostnode;
+slapi_unlock_mutex(replica->repl_lock);
 
-
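Review bot: `hostnode = ipa_topo_cfg_host_new(slapi_ch_strdup(newhost));` is dereferenced at `hostnode->next = replica->hosts;` without a NULL check while `replica->repl_lock` is held, so if host_new can ever fail the mutex is never released; check the result and unlock before returning. The early `if (replica == NULL || newhost == NULL) return;` silently drops the call, and a debug log there would help when a caller passes an unresolved replica. Calling ipa_topo_cfg_host_find with lock=0 under the explicitly taken lock is the right choice and avoids a double lock.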

Re: [Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file

2015-10-30 Thread Alexander Bokovoy

On Thu, 29 Oct 2015, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5418

ACK but can you please add something like this in the commit message:


Remove lockout policy update file because all currently supported
FreeIPA versions already have krbPwdMaxFailure defaulting to 6 and
krbPwdLockoutDuration defaulting to 600.

Keeping lockout policy update file prevents from creating a more strict
policy in environments where it is subject to regulatory compliance.




Thanks,

Gabe



From 7a9086162717bc414a1d65ea71a2d65729f6fa7e Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 29 Oct 2015 20:30:35 -0600
Subject: [PATCH] Remove 50-lockout-policy.update file

https://fedorahosted.org/freeipa/ticket/5418
---
install/updates/50-lockout-policy.update | 4 
install/updates/Makefile.am  | 1 -
2 files changed, 5 deletions(-)
delete mode 100644 install/updates/50-lockout-policy.update

diff --git a/install/updates/50-lockout-policy.update 
b/install/updates/50-lockout-policy.update
deleted file mode 100644
index 
a5730709e2b649466118502ece1cc530c10e0b40..
--- a/install/updates/50-lockout-policy.update
+++ /dev/null
@@ -1,4 +0,0 @@
-dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
-replace:krbPwdLockoutDuration:10::600
-replace: krbPwdMaxFailure:3::6
-
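Review bot: the commit message as posted carries only the ticket URL; state the rationale for deleting the file, namely that all currently supported FreeIPA versions already default krbPwdMaxFailure to 6 and krbPwdLockoutDuration to 600, and that the removed `replace:` directives rewrite a value of 3 back to 6 (and 10 back to 600) on every update run, which undoes a stricter policy an administrator set for regulatory compliance.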
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 
26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798
 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -39,7 +39,6 @@ app_DATA =\
45-roles.update \
50-7_bit_check.update   \
50-dogtag10-migration.update\
-   50-lockout-policy.update\
50-groupuuid.update \
50-hbacservice.update   \
50-krbenctypes.update   \
--
2.4.3







--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Petr Spacek
On 30.10.2015 07:54, Alexander Bokovoy wrote:
> On Thu, 29 Oct 2015, Gabe Alford wrote:
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/5414
>>
>> Thanks,
>>
>> Gabe
> 
>> From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
>> From: Gabe 
>> Date: Thu, 29 Oct 2015 20:28:27 -0600
>> Subject: [PATCH] Incomplete ports for IPA AD Trust
>>
>> https://fedorahosted.org/freeipa/ticket/5414
>> ---
>> install/tools/ipa-adtrust-install | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/install/tools/ipa-adtrust-install
>> b/install/tools/ipa-adtrust-install
>> index
>> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
>> 100755
>> --- a/install/tools/ipa-adtrust-install
>> +++ b/install/tools/ipa-adtrust-install
>> @@ -472,6 +472,7 @@ Setup complete
>>
>> You must make sure these network ports are open:
>> \tTCP Ports:
>> +\t  * 135: epmap
>> \t  * 138: netbios-dgm
>> \t  * 139: netbios-ssn
>> \t  * 445: microsoft-ds
> This is good but not complete. What end-point mapper does is creating a
> listener based on the incoming request and access to the listener needs
> to be provided as well. A listener is created currently in the range of
> 1024..1300/TCP but we already have request to make this range
> configurable (it is hard coded right now in Samba code) because with
> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> https://support.microsoft.com/en-us/kb/929851
> 
> We were thinking to add a call out hook on Samba side to call
> firewall-related script that could do hole punching on demand but it is
> not there yet.
> 
> What we could do in ipa-adtrust-install, is to add section about TCP/UDP
> ports to the manual page and explicitly reference that one in case of
> epmap line:
> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
> 
> We don't have the firewall section in the manpage at all, btw.
> 
> What do you think?

Maybe I'm missing something, but ... Could we simply put current range
1024..1300/TCP to the installer now and do other changes as Samba evolves? I
think that it is good enough as a hotfix and that we do not need to
over-complicate it in the beginning.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0020-0021] some topology plugin fixes

2015-10-30 Thread thierry bordaz

On 10/30/2015 09:57 AM, Ludwig Krispenz wrote:


On 10/29/2015 01:28 PM, thierry bordaz wrote:

On 10/23/2015 10:44 AM, Ludwig Krispenz wrote:

Hi,
the attached two patches address issues I found when testing ca 
management in the topology plugin


Thanks for review,
Ludwig



Hi Ludwig,

Patch 20 is good to me. I have one remark, you call 
ipa_topo_cfg_host_find with lock flag. So that the replica config is 
not updated during the test.
Now the lock protects each call separately. The risk is very low that 
the target host could become unmanaged by the time we test the source 
host.
yes, and if two parallel operations do related things like adding an 
agreement and making a host managed/unmanaged there is a race for the 
lock. The lock itself cannot prevent these things, it only can protect 
the data structures from being read while modified.
Also with two separate locked calls the second call has a chance to be 
aware of parallel changes

ACK.

Patch 21 is also good. Just in ipa_topo_util_init_hosts, why not 
calling ipa_topo_cfg_host_add to not duplicate the source ?

no reason, revised patch is attached, thanks for noticing


Thanks Ludwig for the changes.

ACK



thanks
thierry





Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Alexander Bokovoy

On Fri, 30 Oct 2015, Petr Spacek wrote:

On 30.10.2015 07:54, Alexander Bokovoy wrote:

On Thu, 29 Oct 2015, Gabe Alford wrote:

Hello,

Fix for https://fedorahosted.org/freeipa/ticket/5414

Thanks,

Gabe



From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Thu, 29 Oct 2015 20:28:27 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

https://fedorahosted.org/freeipa/ticket/5414
---
install/tools/ipa-adtrust-install | 1 +
1 file changed, 1 insertion(+)

diff --git a/install/tools/ipa-adtrust-install
b/install/tools/ipa-adtrust-install
index
1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -472,6 +472,7 @@ Setup complete

You must make sure these network ports are open:
\tTCP Ports:
+\t  * 135: epmap
\t  * 138: netbios-dgm
\t  * 139: netbios-ssn
\t  * 445: microsoft-ds

This is good but not complete. What end-point mapper does is creating a
listener based on the incoming request and access to the listener needs
to be provided as well. A listener is created currently in the range of
1024..1300/TCP but we already have request to make this range
configurable (it is hard coded right now in Samba code) because with
Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
https://support.microsoft.com/en-us/kb/929851

We were thinking to add a call out hook on Samba side to call
firewall-related script that could do hole punching on demand but it is
not there yet.

What we could do in ipa-adtrust-install, is to add section about TCP/UDP
ports to the manual page and explicitly reference that one in case of
epmap line:
\t  *135: epmap (see ipa-adtrust-install(1) man page for details)

We don't have the firewall section in the manpage at all, btw.

What do you think?


Maybe I'm missing something, but ... Could we simply put current range
1024..1300/TCP to the installer now and do other changes as Samba evolves? I
think that it is good enough as a hotfix and that we do not need to
over-complicate it in the beginning.

That's essentially what I said too -- but I want to have firewall
requirements documented in the manpage so that they are available
beforehand _and_ people actually read them when they are referenced in
the output.

I'm not asking for anything else here. Documentation is needed.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0060-0061] DNSSEC improvements in uninstaller

2015-10-30 Thread Petr Spacek
On 30.10.2015 10:55, Martin Basti wrote:
> 
> 
> On 30.10.2015 10:41, Petr Spacek wrote:
>> Hello,
>>
>> DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed
>> DNSSEC: improve log messages in uninstaller
>>
>> This is suitable for ipa-4-2 branch and newer.
>>
> NACK
> 
> Please extract the list from for cycle to separate variable and do extend with
> that variable.
> 
> Also this code doesn't work, I tried similar in python and I got:
> 
> In [1]: t=[1]
> 
> In [2]: for f in [10, 20, 30].extend(t):
>...: print f
>...:
> ---
> TypeError Traceback (most recent call last)
>  in ()
> > 1 for f in [10, 20, 30].extend(t):
>   2 print f
>   3
> 
> TypeError: 'NoneType' object is not iterable

Thank you for catching this. I believed to lint and that was a bad idea!

Push only to master is fine with me, I'm not willing to go through more
bureaucracy for this small change.

-- 
Petr^2 Spacek
From e24e4a5a19c8e66e342bdd6def7b9372a8c799b1 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Fri, 30 Oct 2015 10:39:49 +0100
Subject: [PATCH] DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if
 backup failed

---
 ipaserver/install/opendnssecinstance.py | 13 +
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 02fc61e468735070d3f6a5985bf1ea8333a6689e..322eec5861e8b2101c2e26874e95b2415246f5b4 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -343,6 +343,9 @@ class OpenDNSSECInstance(service.Service):
'ISMASTER', None,
quotes=False, separator='=')
 
+restore_list = [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE,
+paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE]
+
 if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB):
 
 # force to export data
@@ -359,14 +362,16 @@ class OpenDNSSECInstance(service.Service):
 paths.IPA_KASP_DB_BACKUP)
 except IOError as e:
 root_logger.error(
-"Unable to backup OpenDNSSEC database: %s", e)
+"Unable to backup OpenDNSSEC database %s, "
+"restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e)
 else:
 root_logger.info("OpenDNSSEC database backed up in %s",
  paths.IPA_KASP_DB_BACKUP)
+# restore OpenDNSSEC's KASP DB only if backup succeeded
+# removing the file without backup could totally break DNSSEC
+restore_list.append(paths.OPENDNSSEC_KASP_DB)
 
-for f in [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE,
-  paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS,
-  paths.OPENDNSSEC_ZONELIST_FILE]:
+for f in restore_list:
 try:
 self.fstore.restore_file(f)
 except ValueError as error:
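Review bot: the `else:` branch appends `paths.OPENDNSSEC_KASP_DB` to `restore_list` only after `shutil.copy` succeeded, which matches the comment; but when `ipautil.file_exists(paths.OPENDNSSEC_KASP_DB)` is false the database is likewise never restored and nothing is logged on that path, so a debug message there would let the uninstall log explain why kasp.db is absent from the restore. Building `restore_list` first and iterating over it also avoids the earlier `[...].extend(...)` form, which evaluates to None and makes the `for` raise TypeError.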
-- 
2.4.3

From b4618410c8f5c833f5828dd6196989e83df603b7 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Fri, 30 Oct 2015 10:32:43 +0100
Subject: [PATCH] DNSSEC: improve log messages in uninstaller

---
 ipaserver/install/opendnssecinstance.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 34dce0f32109b6677737199a90832a45c8f30983..02fc61e468735070d3f6a5985bf1ea8333a6689e 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -349,9 +349,10 @@ class OpenDNSSECInstance(service.Service):
 ods_enforcerd = services.knownservices.ods_enforcerd
 cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
 try:
+self.print_msg("Exporting DNSSEC data before uninstallation")
 ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
 except CalledProcessError:
-root_logger.debug("OpenDNSSEC database has not been updated")
+root_logger.error("DNSSEC data export failed")
 
 try:
 shutil.copy(paths.OPENDNSSEC_KASP_DB,
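Review bot: after `except CalledProcessError:` the code logs `DNSSEC data export failed` but still proceeds to `shutil.copy(paths.OPENDNSSEC_KASP_DB, ...)`, so a failed export is not fatal; if that is intended, say so in the message (for example that the backed-up database may not hold the latest key state), otherwise record the failure and skip the backup and restore as the companion patch does when the backup fails. `self.print_msg` reaches the console while the failure goes only to root_logger.error, so an interactive uninstall never shows it; print the failure as well.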
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0060-0061] DNSSEC improvements in uninstaller

2015-10-30 Thread Martin Basti



On 30.10.2015 10:41, Petr Spacek wrote:

Hello,

DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed
DNSSEC: improve log messages in uninstaller

This is suitable for ipa-4-2 branch and newer.


NACK

Please extract the list from for cycle to separate variable and do 
extend with that variable.


Also this code doesn't work, I tried similar in python and I got:

In [1]: t=[1]

In [2]: for f in [10, 20, 30].extend(t):
   ...: print f
   ...:
---
TypeError Traceback (most recent call last)
 in ()
> 1 for f in [10, 20, 30].extend(t):
  2 print f
  3

TypeError: 'NoneType' object is not iterable



Re: [Freeipa-devel] [PATCH 0090] show optionally configured components in server-find/show command output

2015-10-30 Thread Martin Babinsky

On 10/26/2015 01:41 PM, Martin Babinsky wrote:

On 10/22/2015 04:13 PM, Martin Basti wrote:



On 22.10.2015 10:44, Martin Babinsky wrote:

https://fedorahosted.org/freeipa/ticket/5181





Thank you for the patch.

1)
+OPTIONAL_SERVICES = {
+'DNS',
+'CA',
+'KRA',
+'ADTRUST',
+'EXTID',
+'DNSKeyExporter',
+'DNSSEC',
+'DNSKeySync',
+}

This did not scale well, maybe we should improve it to use some general
solution for whole IPA to distinguish mandatory and optional service, but I
do not know how (or if it is possible)


Yes this does not scale well. After some playing around with relocating
the SERVICE_LIST object in 'ipaserver/install/service.py' I found out
that more refactoring would be needed to improve the layout and
availability of LDAP service names to both server and client code. I
have put the list of core services to ipalib/constants.py for now, and I
suggest to open a separate ticket for more general solution.


2)
+search_filter=('(&(objectclass=ipaConfigObject)'
+   '(ipaConfigString=enabledService))')

Common user cannot read ipaConfigString, so this will work only for
admins, I do not see any limitations of access in code for other users.



I think that you agreed with Petr^2 that this filter is OK. I left it as
it is but I have rewritten it as a call to ldap.make_filter to improve
readability and/or potential extensibility a bit.


3)
+opt_components = [
+r['cn'][0] for r in result if r['cn'][0] in
OPTIONAL_SERVICES
+]
Probably instead of indexing, you may use result.single_value['cn']

Martin^2


Attaching updated patch.



Self-NACK, I found a bug in the patch during work on topology management 
stuff.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Petr Spacek
On 30.10.2015 11:10, Alexander Bokovoy wrote:
> On Fri, 30 Oct 2015, Petr Spacek wrote:
>> On 30.10.2015 07:54, Alexander Bokovoy wrote:
>>> On Thu, 29 Oct 2015, Gabe Alford wrote:
 Hello,

 Fix for https://fedorahosted.org/freeipa/ticket/5414

 Thanks,

 Gabe
>>>
 From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
 From: Gabe 
 Date: Thu, 29 Oct 2015 20:28:27 -0600
 Subject: [PATCH] Incomplete ports for IPA AD Trust

 https://fedorahosted.org/freeipa/ticket/5414
 ---
 install/tools/ipa-adtrust-install | 1 +
 1 file changed, 1 insertion(+)

 diff --git a/install/tools/ipa-adtrust-install
 b/install/tools/ipa-adtrust-install
 index
 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7

 100755
 --- a/install/tools/ipa-adtrust-install
 +++ b/install/tools/ipa-adtrust-install
 @@ -472,6 +472,7 @@ Setup complete

 You must make sure these network ports are open:
 \tTCP Ports:
 +\t  * 135: epmap
 \t  * 138: netbios-dgm
 \t  * 139: netbios-ssn
 \t  * 445: microsoft-ds
>>> This is good but not complete. What end-point mapper does is creating a
>>> listener based on the incoming request and access to the listener needs
>>> to be provided as well. A listener is created currently in the range of
>>> 1024..1300/TCP but we already have request to make this range
>>> configurable (it is hard coded right now in Samba code) because with
>>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
>>> https://support.microsoft.com/en-us/kb/929851
>>>
>>> We were thinking to add a call out hook on Samba side to call
>>> firewall-related script that could do hole punching on demand but it is
>>> not there yet.
>>>
>>> What we could do in ipa-adtrust-install, is to add section about TCP/UDP
>>> ports to the manual page and explicitly reference that one in case of
>>> epmap line:
>>> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
>>>
>>> We don't have the firewall section in the manpage at all, btw.
>>>
>>> What do you think?
>>
>> Maybe I'm missing something, but ... Could we simply put current range
>> 1024..1300/TCP to the installer now and do other changes as Samba evolves? I
>> think that it is good enough as a hotfix and that we do not need to
>> over-complicate it in the beginning.
> That's essentially what I said too -- but I want to have firewall
> requirements documented in the manpage so that they are available
> beforehand _and_ people actually read them when they are referenced in
> the output.
> 
> I'm not asking for anything else here. Documentation is needed.

Thanks for clarification, I was under the impression that you wanted to put it
only into the man page :-)

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [draft] Fate of ipa-replica-manage and ipa-csreplica-manage tools

2015-10-30 Thread Martin Kosek

On 10/27/2015 04:40 PM, Ludwig Krispenz wrote:


On 10/27/2015 03:54 PM, Petr Vobornik wrote:

Both tools serve primarily for managing replication agreements and replicas.
ipa-replica-manage also manages winsync agreements and DNA ranges.

FreeIPA 4.3 will introduce managed topology which affects these tools.

Let's go through all sub-commands of both tools and decide what is the fate of
them/how they should be replaced. Comments are welcome.

In text, term 'disable' means: print an error message with help what is the
new alternative.

For domain level == 0 all sub-commands should behave the same way as before.
Proposals are for domain level 1 if not stated otherwise.

== ipa-replica-manage ==
=== list ===
Lists all IPA server or replication agreements of a specific IPA server
including winsync agreements.


Note that people are used to use "-v" switch to show status of these 
agreements. There would need to be a replacement for this functionality to get 
rid of this command.



Server list is replaced by
  ipa server-find
Replication agreements by:
  ipa topologysegment-find realm

I see following paths:
1. do not change (current state)
2. list only winsync agreements - IMO it will be easier to maintain

If winsync was not in play we could 'disable' it but winsync is not planned
to be centrally managed. Mainly because the preferred alternative is trust.


2 may be a good choice, but we first need to find the alternative for above. I 
do not think deprecating a list is a "must" for 4.3.



=== connect ===
Allow for winsync, disable for REALM agmts. (current state)

=== disconnect ===
Allow for winsync, disable for REALM agmts. (current state)


+1.


=== del ===
(current state)
With domain level 0:
- removes replica and repl. agmts for REALM suffix and winsync
With domain level 1:
- removes replica entry and therefore repl. agmts for all suffixes (REALM, CS)
- ensure last services, e.g. sets renewal master
- does additional cleanup

I'm not aware of any operation which needs directory manager. IMO it can be
moved to API in future release(e.g. 4.4), especially if ipa-server-install
--uninstall is modified to do most of the cleanup.


Ok.



=== re-initialize ===
Not changed.

Can be disabled (long-term solution)

Same capability is in topologysegment_reinitialize API command. The only
difference is that no API command shows state of the pending operation.
Should we transform presence of 'start' and 'stop' in
nsds5beginreplicarefresh;left|right attribute into an output of
topologysegment_show, e.g.: 'initialization in progress', 'cancellation of
re-initialization requested'.

yes, something like this would be possible,
maybe this can be part of the replication monitoring work, allowing to query
the state of specific agreements.


Can topologysegment-reinitialize simply wait? The behavior and related options 
could be similar as with automember-rebuild.


I am wondering if topologysegment-reinitialize is not too low level. Normally, 
the problem you are solving is that some of your master is out of sync and 
cannot be fixed. Then you want to have some command to re-initialize *the 
master*, with the command potentially picking the best topologysegment to be used.



=== force-sync ===
no change yet

Currently done by setting nsDS5ReplicaUpdateSchedule attribute of repl.
agreement.

1. Is it required?
2. Should the functionality be transferred to topologysegment/topology plugin?
3. Is current approach good?

in fact it is a hack, it uses the fact that a change in the replication
agreement will trigger a fresh start of the protocol thread. It would be more
clean to have "sendupdatesnow" attribute or as a value of the refresh
attribute, would require a change in DS


Change in DS to support some of the Topology functionality is tricky. Is this a 
blocker for releasing 4.3 with DL 1?


Where I am coming from is that if Topology functionality depend on a DS 
function, we cannot be sure that the Topology call works for all masters. And I 
do not think we want to release DL 2 to support also this command.



IMO if we want to preserve the possibility then the long-term solution is to
move it to topology plugin.

yes


Yes, but see above.


=== list-ruv, clean-ruv, abort-clean-ruv, list-clean-ruv ===
Commands manages clean-all-ruv operations on REALM suffix.
ipa-csreplica-manage doesn't have these commands #4987. These operations are
meant for removal of dangling ruvs but they can also remove "correct" RUV
which is not desired.

The UX is not the best because if replica still exists it won't tell the
admin what is the correct RUV and which are the dangling one(s) and therefore
admin must get the info in cn=replica,cn=$SUFFIX,cn=mapping tree,cn=config

We have a ticket to automate it: https://fedorahosted.org/freeipa/ticket/5411

Is it possible to manage it in topology plugin in centralized manner?

I see $5411 as short-term solution for 4.3 or 4.4. +
{list|clean|abort-clean-list-clean}-ruv sub-commands should be 

[Freeipa-devel] [PATCH 0060-0061] DNSSEC improvements in uninstaller

2015-10-30 Thread Petr Spacek
Hello,

DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed
DNSSEC: improve log messages in uninstaller

This is suitable for ipa-4-2 branch and newer.

-- 
Petr^2 Spacek
From b4618410c8f5c833f5828dd6196989e83df603b7 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Fri, 30 Oct 2015 10:32:43 +0100
Subject: [PATCH] DNSSEC: improve log messages in uninstaller

---
 ipaserver/install/opendnssecinstance.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 34dce0f32109b6677737199a90832a45c8f30983..02fc61e468735070d3f6a5985bf1ea8333a6689e 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -349,9 +349,10 @@ class OpenDNSSECInstance(service.Service):
 ods_enforcerd = services.knownservices.ods_enforcerd
 cmd = [paths.IPA_ODS_EXPORTER, 'ipa-full-update']
 try:
+self.print_msg("Exporting DNSSEC data before uninstallation")
 ipautil.run(cmd, runas=ods_enforcerd.get_user_name())
 except CalledProcessError:
-root_logger.debug("OpenDNSSEC database has not been updated")
+root_logger.error("DNSSEC data export failed")
 
 try:
 shutil.copy(paths.OPENDNSSEC_KASP_DB,
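Review bot: the new `root_logger.error("DNSSEC data export failed")` drops the information a failed export actually carries; bind the exception (`except CalledProcessError as e:`) and include `e` (its return code and output) in the message, otherwise an admin debugging a broken uninstall sees only the one-line failure with no cause. It would also help to state that uninstallation continues after the failed export, since the code falls through to the kasp.db backup right below.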
-- 
2.4.3

From de001cfa0e15b0e602c1f2af10a87a590527a21a Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Fri, 30 Oct 2015 10:39:49 +0100
Subject: [PATCH] DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if
 backup failed

---
 ipaserver/install/opendnssecinstance.py | 11 ---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/opendnssecinstance.py b/ipaserver/install/opendnssecinstance.py
index 02fc61e468735070d3f6a5985bf1ea8333a6689e..c962c3625d34853e81605358ba200883de901ed1 100644
--- a/ipaserver/install/opendnssecinstance.py
+++ b/ipaserver/install/opendnssecinstance.py
@@ -343,6 +343,7 @@ class OpenDNSSECInstance(service.Service):
'ISMASTER', None,
quotes=False, separator='=')
 
+kasp_db_to_restore = []
 if ipautil.file_exists(paths.OPENDNSSEC_KASP_DB):
 
 # force to export data
@@ -359,14 +360,18 @@ class OpenDNSSECInstance(service.Service):
 paths.IPA_KASP_DB_BACKUP)
 except IOError as e:
 root_logger.error(
-"Unable to backup OpenDNSSEC database: %s", e)
+"Unable to backup OpenDNSSEC database %s, "
+"restore will be skipped: %s", paths.OPENDNSSEC_KASP_DB, e)
 else:
 root_logger.info("OpenDNSSEC database backed up in %s",
  paths.IPA_KASP_DB_BACKUP)
+kasp_db_to_restore = [paths.OPENDNSSEC_KASP_DB]
 
+# do not restore OpenDNSSEC's KASP DB if backup failed
+# removing the file without backup could totally break DNS setup
 for f in [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE,
-  paths.OPENDNSSEC_KASP_DB, paths.SYSCONFIG_ODS,
-  paths.OPENDNSSEC_ZONELIST_FILE]:
+  paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE].extend(
+  kasp_db_to_restore):
 try:
 self.fstore.restore_file(f)
 except ValueError as error:
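Review bot: the iteration target `[...].extend(kasp_db_to_restore)` is a bug: `list.extend` mutates in place and returns `None`, so this `for` loop raises `TypeError: 'NoneType' object is not iterable` and none of the files is restored, including the configuration files that were restored before this patch. Build the list first and iterate over it, e.g. `files_to_restore = [paths.OPENDNSSEC_CONF_FILE, paths.OPENDNSSEC_KASP_FILE, paths.SYSCONFIG_ODS, paths.OPENDNSSEC_ZONELIST_FILE] + kasp_db_to_restore` and then `for f in files_to_restore:`. The intent of skipping the kasp.db restore when the backup failed is sound, since the file on disk is then the only remaining copy of OpenDNSSEC's key and policy state; it would be worth logging at that point that the original kasp.db was deliberately left in place.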
-- 
2.4.3

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0060-0061] DNSSEC improvements in uninstaller

2015-10-30 Thread Martin Basti



On 30.10.2015 11:16, Petr Spacek wrote:

On 30.10.2015 10:55, Martin Basti wrote:


On 30.10.2015 10:41, Petr Spacek wrote:

Hello,

DNSSEC: on uninstall, do not restore OpenDNSSEC kasp.db if backup failed
DNSSEC: improve log messages in uninstaller

This is suitable for ipa-4-2 branch and newer.


NACK

Please extract the list from the for cycle into a separate variable and do extend with
that variable.

Also this code doesn't work, I tried something similar in python and I got:

In [1]: t=[1]

In [2]: for f in [10, 20, 30].extend(t):
...: print f
...:
---------------------------------------------------------------------------
TypeError                                 Traceback (most recent call last)
 in <module>()
----> 1 for f in [10, 20, 30].extend(t):
      2     print f
      3

TypeError: 'NoneType' object is not iterable

Thank you for catching this. I believed lint and that was a bad idea!

Push only to master is fine with me, I'm not willing to go through more
bureaucracy for this small change.


ACK
Pushed to master: 6f855dcc5cbd4a316ae03cdf0e2cc7e8c21bec88



Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands

2015-10-30 Thread Martin Babinsky

On 10/30/2015 02:09 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5405


Patch attached



Hi Martin,

NACK since I'm not a big fan of having (nearly) the same function 
defined in multiple modules:


"""
$ git grep -n 'def exit_on_managed_topology'
install/tools/ipa-csreplica-manage:397:def exit_on_managed_topology(what, hint="topologysegment"):

install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what):
"""

Otherwise the patch works fine.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file

2015-10-30 Thread Alexander Bokovoy

On Fri, 30 Oct 2015, Gabe Alford wrote:

From 24bcde6042d90322883350b5fd97aa41f2e4d77d Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Fri, 30 Oct 2015 06:27:11 -0600
Subject: [PATCH] Remove 50-lockout-policy.update file

Remove lockout policy update file because all currently supported versions
have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to
600.

Keeping the lockout policy update file prevents creating a more strict policy in
environments subject to regulatory compliance

https://fedorahosted.org/freeipa/ticket/5418
---
install/updates/50-lockout-policy.update | 4 
install/updates/Makefile.am  | 1 -
2 files changed, 5 deletions(-)
delete mode 100644 install/updates/50-lockout-policy.update


ACK

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands

2015-10-30 Thread Martin Basti

https://fedorahosted.org/freeipa/ticket/5405


Patch attached
From 5b0ac9ea79ed657022cdca164eda3313e790aab6 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Fri, 30 Oct 2015 13:06:21 +0100
Subject: [PATCH] ipa-csreplica-manage: disable connect/disconnect/del with
 domain level > 0

* ipa-csreplica-manage {connect|disconnect} - a user should use 'ipa
topologysegment-*' commands
* ipa-csreplica-manage del - a user should use ipa-replica-manage del

https://fedorahosted.org/freeipa/ticket/5405
---
 install/tools/ipa-csreplica-manage | 25 +
 install/tools/ipa-replica-manage   | 14 ++
 ipalib/util.py |  5 +
 3 files changed, 36 insertions(+), 8 deletions(-)

diff --git a/install/tools/ipa-csreplica-manage b/install/tools/ipa-csreplica-manage
index 202a3cc74a12e1072ae3ccc15fa71269e74f0fa9..88ca629bb4b3d3fa8193ebf739eee46358dbe7f5 100755
--- a/install/tools/ipa-csreplica-manage
+++ b/install/tools/ipa-csreplica-manage
@@ -30,6 +30,7 @@ from ipaserver.install import (replication, installutils, bindinstance,
 cainstance, certs)
 from ipalib import api, errors
 from ipalib.constants import CACERT
+from ipalib.util import has_managed_topology
 from ipapython import ipautil, ipaldap, version, dogtag
 from ipapython.dn import DN
 
@@ -392,6 +393,19 @@ def set_renewal_master(realm, replica):
 
 print("%s is now the renewal master" % replica)
 
+
+def exit_on_managed_topology(what, hint="topologysegment"):
+if hint == "topologysegment":
+hinttext = ("Please use `ipa topologysegment-*` commands to manage "
+   "the topology.")
+elif hint == "ipa-replica-manage-del":
+hinttext = ("Please use the `ipa-replica-manage del` command.")
+else:
+assert False, "Unexpected value"
+sys.exit("{0} is deprecated with managed IPA replication topology. {1}"
+ .format(what, hinttext))
+
+
 def main():
 options, args = parse_options()
 
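Review bot: `assert False, "Unexpected value"` in `exit_on_managed_topology` is removed when Python runs with `-O`, after which an unknown `hint` falls through with `hinttext` unbound and fails with `UnboundLocalError` instead of a clear message; raise `ValueError("unexpected hint: %s" % hint)` explicitly. The parentheses around the single string `"Please use the `ipa-replica-manage del` command."` are also unnecessary. Since the function is almost identical to the one in ipa-replica-manage, one shared definition would avoid the two drifting apart.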
@@ -427,12 +441,19 @@ def main():
 
 options.dirman_passwd = dirman_passwd
 
+api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
+  bind_pw=options.dirman_passwd)
+
 if args[0] == "list":
 replica = None
 if len(args) == 2:
 replica = args[1]
 list_replicas(realm, host, replica, dirman_passwd, options.verbose)
 elif args[0] == "del":
+if has_managed_topology(api):
+exit_on_managed_topology(
+"Removal of IPA CS replication agreement and replication data",
+hint="ipa-replica-manage-del")
 del_master(realm, args[1], options)
 elif args[0] == "re-initialize":
 re_initialize(realm, options)
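Review bot: the new `api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')), bind_pw=options.dirman_passwd)` now runs for every subcommand, including `list` and `re-initialize`, which never call `has_managed_topology(api)`; only the `del`, `connect` and `disconnect` branches need the connection. Consider connecting lazily inside those branches, or at least catching a failed bind (wrong Directory Manager password, server unreachable) so the user gets a readable error instead of a traceback. There is also no matching `disconnect()` anywhere in the shown code.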
@@ -441,6 +462,8 @@ def main():
 sys.exit("force-sync requires the option --from ")
 force_sync(realm, host, options.fromhost, options.dirman_passwd)
 elif args[0] == "connect":
+if has_managed_topology(api):
+exit_on_managed_topology("Creation of IPA CS replication agreement")
 if len(args) == 3:
 replica1 = args[1]
 replica2 = args[2]
@@ -449,6 +472,8 @@ def main():
 replica2 = args[1]
 add_link(realm, replica1, replica2, dirman_passwd, options)
 elif args[0] == "disconnect":
+if has_managed_topology(api):
+exit_on_managed_topology("Removal of IPA CS replication agreement")
 if len(args) == 3:
 replica1 = args[1]
 replica2 = args[2]
diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 1350590b625e5dcab36abbcef75fe5eafc5f7123..b9998da44dcc1f01c5eb342ee713634de0ee84ee 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -37,8 +37,9 @@ from ipaserver.install import bindinstance, cainstance, certs
 from ipaserver.install import opendnssecinstance, dnskeysyncinstance
 from ipapython import version, ipaldap
 from ipalib import api, errors, util
-from ipalib.constants import CACERT, DOMAIN_LEVEL_0
-from ipalib.util import create_topology_graph, get_topology_connection_errors
+from ipalib.constants import CACERT
+from ipalib.util import (create_topology_graph,
+get_topology_connection_errors, has_managed_topology)
 from ipapython.ipa_log_manager import *
 from ipapython.dn import DN
 from ipapython.config import IPAOptionParser
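Review bot: dropping `DOMAIN_LEVEL_0` from the import implies the local `has_managed_topology()` in ipa-replica-manage was removed in favour of `ipalib.util.has_managed_topology(api)`; neither that removal nor the new function in `ipalib/util.py` listed in the diffstat appears in the visible hunks, so check that no other reference to `DOMAIN_LEVEL_0` remains in the file, since a stale reference would only fail at runtime on that code path.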
@@ -247,7 +248,7 @@ def del_link(realm, replica1, replica2, dirman_passwd, force=False):
 
 repl2 = None
 what = "Removal of IPA replication agreement"
-managed_topology = has_managed_topology()
+managed_topology = has_managed_topology(api)
 
 try:
 repl1 = replication.ReplicationManager(realm, replica1, dirman_passwd)
@@ -698,7 +699,7 @@ def cleanup_server_dns_entries(realm, hostname, suffix, options):
 
 def del_master(realm, hostname, options):
 
-if has_managed_topology():
+if has_managed_topology(api):
 

Re: [Freeipa-devel] [PATCH 0020-0021] some topology plugin fixes

2015-10-30 Thread Martin Basti



On 30.10.2015 10:08, thierry bordaz wrote:

On 10/30/2015 09:57 AM, Ludwig Krispenz wrote:


On 10/29/2015 01:28 PM, thierry bordaz wrote:

On 10/23/2015 10:44 AM, Ludwig Krispenz wrote:

Hi,
the attached two patches address issues I found when testing ca 
management in the topology plugin


Thanks for review,
Ludwig



Hi Ludwig,

Patch 20 looks good to me. I have one remark: you call 
ipa_topo_cfg_host_find with the lock flag, so that the replica config is 
not updated during the test.
Now the lock protects each call separately. The risk is very low 
that the target host could become unmanaged by the time we test the 
source host.
yes, and if two parallel operations do related things like adding an 
agreement and making a host managed/unmanaged there is a race for the 
lock. The lock itself cannot prevent these things, it can only 
protect the data structures from being read while modified.
Also, with two separate locked calls the second call has a chance to 
be aware of parallel changes.

ACK.

Patch 21 is also good. Just in ipa_topo_util_init_hosts, why not 
call ipa_topo_cfg_host_add to not duplicate the source?

no reason, revised patch is attached, thanks for noticing


Thanks Ludwig for the changes.

ACK


Pushed to master: 3f70c9aed7d1357ac5031b8f8b48af320acba567




thanks
thierry


Re: [Freeipa-devel] [PATCH 0061] Remove 50-lockout-policy.update file

2015-10-30 Thread Gabe Alford
Can do, Alexander. Here is the updated patch.


Gabe

On Fri, Oct 30, 2015 at 12:56 AM, Alexander Bokovoy 
wrote:

> On Thu, 29 Oct 2015, Gabe Alford wrote:
>
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/5418
>>
> ACK but can you please add something like this in the commit message:
>
> 
> Remove lockout policy update file because all currently supported
> FreeIPA versions already have krbPwdMaxFailure defaulting to 6 and
> krbPwdLockoutDuration defaulting to 600.
>
> Keeping the lockout policy update file prevents creating a more strict
> policy in environments where it is subject to regulatory compliance.
> 
>
>
>> Thanks,
>>
>> Gabe
>>
>
> From 7a9086162717bc414a1d65ea71a2d65729f6fa7e Mon Sep 17 00:00:00 2001
>> From: Gabe 
>> Date: Thu, 29 Oct 2015 20:30:35 -0600
>> Subject: [PATCH] Remove 50-lockout-policy.update file
>>
>> https://fedorahosted.org/freeipa/ticket/5418
>> ---
>> install/updates/50-lockout-policy.update | 4 
>> install/updates/Makefile.am  | 1 -
>> 2 files changed, 5 deletions(-)
>> delete mode 100644 install/updates/50-lockout-policy.update
>>
>> diff --git a/install/updates/50-lockout-policy.update
>> b/install/updates/50-lockout-policy.update
>> deleted file mode 100644
>> index
>> a5730709e2b649466118502ece1cc530c10e0b40..
>> --- a/install/updates/50-lockout-policy.update
>> +++ /dev/null
>> @@ -1,4 +0,0 @@
>> -dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
>> -replace:krbPwdLockoutDuration:10::600
>> -replace: krbPwdMaxFailure:3::6
>> -
>> diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
>> index
>> 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798
>> 100644
>> --- a/install/updates/Makefile.am
>> +++ b/install/updates/Makefile.am
>> @@ -39,7 +39,6 @@ app_DATA =\
>> 45-roles.update \
>> 50-7_bit_check.update   \
>> 50-dogtag10-migration.update\
>> -   50-lockout-policy.update\
>> 50-groupuuid.update \
>> 50-hbacservice.update   \
>> 50-krbenctypes.update   \
>> --
>> 2.4.3
>>
>>
> --
>> Manage your subscription for the Freeipa-devel mailing list:
>> https://www.redhat.com/mailman/listinfo/freeipa-devel
>> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>>
>
>
> --
> / Alexander Bokovoy
>
From 24bcde6042d90322883350b5fd97aa41f2e4d77d Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Fri, 30 Oct 2015 06:27:11 -0600
Subject: [PATCH] Remove 50-lockout-policy.update file

Remove lockout policy update file because all currently supported versions
have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600.

Keeping the lockout policy update file prevents creating a more strict policy in
environments subject to regulatory compliance

https://fedorahosted.org/freeipa/ticket/5418
---
 install/updates/50-lockout-policy.update | 4 
 install/updates/Makefile.am  | 1 -
 2 files changed, 5 deletions(-)
 delete mode 100644 install/updates/50-lockout-policy.update

diff --git a/install/updates/50-lockout-policy.update b/install/updates/50-lockout-policy.update
deleted file mode 100644
index a5730709e2b649466118502ece1cc530c10e0b40..
--- a/install/updates/50-lockout-policy.update
+++ /dev/null
@@ -1,4 +0,0 @@
-dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX
-replace:krbPwdLockoutDuration:10::600
-replace: krbPwdMaxFailure:3::6
-
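Review bot: deleting this update means the two `replace:` lines (krbPwdLockoutDuration 10 to 600, krbPwdMaxFailure 3 to 6) no longer run on upgrade, which is the point: an administrator who has tightened `global_policy` to, say, 3 failures would otherwise have it reset to 6 at every upgrade. The commit message should also spell out that this drops the migration for any old deployment still carrying the original 3/10 values, which is acceptable only under the stated assumption that every supported version already defaults to 6/600.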
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 26e4c04ed66a4a2061a3bb3ca2f4a6cd84502598..04ddeb96de4e88d5909f13b13885d3207184e798 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -39,7 +39,6 @@ app_DATA =\
 	45-roles.update			\
 	50-7_bit_check.update	\
 	50-dogtag10-migration.update	\
-	50-lockout-policy.update	\
 	50-groupuuid.update		\
 	50-hbacservice.update		\
 	50-krbenctypes.update		\
-- 
1.8.3.1


[Freeipa-devel] [PATCH] ca-less tests updated - POC

2015-10-30 Thread Oleg Fayans

Hi,

The following patches contain updates to ca-less integration tests.
It's still a proof of concept: 2 tests still fail seemingly due to the 
change in target system logic (marked as xfail with "ask jcholast comment")


The test output looks like this:

$ ipa-run-tests test_integration/test_caless.py --pdb
============================= test session starts =============================
platform linux2 -- Python 2.7.10 -- py-1.4.30 -- pytest-2.6.4
plugins: multihost, sourceorder
collected 88 items

test_integration/test_caless.py ..xx..sssss.ss.xx..ssxx.

============ 53 passed, 29 skipped, 6 xfailed in 5620.17 seconds =============


Numerous skips correspond to the tests related to ipa-replica-prepare 
(unsupported under domain level 1)


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From 6ec4a0a3ca087bd1bb8e21ff448472cb1a58f0b4 Mon Sep 17 00:00:00 2001
From: Oleg Fayans 
Date: Fri, 30 Oct 2015 13:19:39 +0100
Subject: [PATCH] Updated the script creating test certificate chains

https://fedorahosted.org/freeipa/ticket/4589
---
 .../test_integration/scripts/caless-create-pki | 31 +-
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/ipatests/test_integration/scripts/caless-create-pki b/ipatests/test_integration/scripts/caless-create-pki
index f428ebae16e05644a875a35faf192f75eb149740..4058abae62f2e9bc9c6ed7caa664a139af91a508 100644
--- a/ipatests/test_integration/scripts/caless-create-pki
+++ b/ipatests/test_integration/scripts/caless-create-pki
@@ -3,7 +3,17 @@
 profile_ca=(-t CT,C,C -v 120)
 profile_server=(-t ,, -v 12)
 
-crl_path=${crl_path-$(readlink -f $dbdir)}
+# crl_path=${crl_path-$(readlink -f $dbdir)}
+profile_ca_request_options=(-1 -2 -4)
+profile_ca_request_input="\$'0\n1\n5\n6\n9\ny\ny\n\ny\n1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_ca_create_options=(-v 120)
+profile_ca_add_options=(-t ,,)
+
+profile_server_request_options=(-4)
+profile_server_request_input="\$'1\n7\nfile://'\$(readlink -f \$dbdir)/\$ca.crl\$'\n-1\n-1\n-1\nn\nn\n'"
+profile_server_create_options=(-v 12)
+profile_server_add_options=(-t ,,)
+
 
 serial_number=0
 
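Review bot: do not leave commented-out code behind (`# crl_path=${crl_path-$(readlink -f $dbdir)}`); either delete it or keep the variable if anything still reads `$crl_path`. The `profile_*_request_input` strings are written to survive a second `eval` (the next hunk does `eval "eval request_input=..."`), so `\$(readlink -f \$dbdir)` and `\$ca` are only expanded at that point; this double-eval layering is hard to read and breaks if `$dbdir` or `$ca` ever contain spaces or quotes. A small function that takes `ca` and `dbdir` as arguments and emits the certutil answers with `printf` would need no eval at all.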
@@ -17,8 +27,12 @@ gen_cert() {
 if [ "$ca" = "." ]; then
 ca="$nick"
 fi
-
+   
+echo $profile
 eval "options=(\"\${profile_$profile[@]}\")"
+eval "request_options=(\"\${profile_${profile}_request_options[@]}\")"
+eval "eval request_input=(\"\${profile_${profile}_request_input[@]}\")"
+
 if [ "$ca" = "$nick" ]; then
 options=("${options[@]}" -x -m 1)
 else
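Review bot: `echo $profile` looks like leftover debugging output and should be removed before merge, and the `-` line replaced by `+   ` introduces a whitespace-only line. `eval "eval request_options=..."` nests two evals over a string containing `$(...)` and `$ca`; see the comment on the previous hunk for a safer shape.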
@@ -38,16 +52,7 @@ gen_cert() {
 
 csr="$(mktemp)"
 crt="$(mktemp)"
-certutil -R -d "$dbdir" -s "$subject" -f "$pwfile" -z "$noise" -o "$csr" -4 >/dev/null 
Date: Fri, 30 Oct 2015 14:07:28 +0100
Subject: [PATCH] Updated ca-less tests.

The patch depends on my patch 0011.
A preview. All tests except 2 pass. Those 2 failing ones need consulting from
jcholast (so far marked as xfail).

https://fedorahosted.org/freeipa/ticket/4589
---
 ipatests/test_integration/test_caless.py | 248 ++-
 1 file changed, 146 insertions(+), 102 deletions(-)

diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
index 9cfba3ee29114badf5a703ccc1d47a1d3e0c41b7..7507ca69ef49e472f507f26693818e4acd64bbd5 100644
--- a/ipatests/test_integration/test_caless.py
+++ b/ipatests/test_integration/test_caless.py
@@ -32,13 +32,15 @@ from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipatests.test_integration.base import IntegrationTest
 from ipatests.test_integration import tasks
+from env_config import get_global_config
 
 _DEFAULT = object()
+config = get_global_config()
+reasoning = "ipa-replica-prepare disabled for domain levels > 0"
 
 
 def get_install_stdin(cert_passwords=()):
 lines = [
-'yes',  # Existing BIND configuration detected, overwrite? [no]
 '',  # Server host name (has default)
 '',  # Confirm domain name (has 
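Review bot: `from env_config import get_global_config` is a bare import that only resolves when the test directory itself is on `sys.path`; the neighbouring imports are package-qualified (`from ipatests.test_integration import tasks`), so use the same form here. `config = get_global_config()` at module level executes at collection time for every pytest run that imports this module, even when no ca-less test is selected; a fixture or class-level setup would avoid that. `reasoning` is a module-level string that is not used within the visible hunk; if it is the text for `xfail(reason=...)` marks, a name saying so would help.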

Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands

2015-10-30 Thread Martin Basti



On 30.10.2015 14:49, Martin Babinsky wrote:

On 10/30/2015 02:09 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5405


Patch attached



Hi Martin,

NACK since I'm not a big fan of having (nearly) the same function 
defined in multiple modules:


"""
$ git grep -n 'def exit_on_managed_topology'
install/tools/ipa-csreplica-manage:397:def exit_on_managed_topology(what, hint="topologysegment"):

install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what):
"""

Otherwise the patch works fine.

I tried to do that, but I could not find any suitable module for that, 
and the method does just exit() with a proper error message, thus it can be 
just copy-paste (as ipa-csreplica-manage is full of it).




Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands

2015-10-30 Thread Martin Basti



On 30.10.2015 15:49, Rob Crittenden wrote:

Martin Basti wrote:


On 30.10.2015 14:49, Martin Babinsky wrote:

On 10/30/2015 02:09 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5405


Patch attached



Hi Martin,

NACK since I'm not a big fan of having (nearly) the same function
defined in multiple modules:

"""
$ git grep -n 'def exit_on_managed_topology'
install/tools/ipa-csreplica-manage:397:def exit_on_managed_topology(what, hint="topologysegment"):
install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what):
"""

Otherwise the patch works fine.


I tried to do that, but I could not find any suitable module for that,
and the method does just exit() with a proper error message, thus it can be
just copy-paste (as ipa-csreplica-manage is full of it).


Some common code can be found in ipaserver/install/replication.py

rob
I prefer not to mess up the replication.py module with this method, it is just 
a wrapped exit, nothing useful.

Martin^2



Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands

2015-10-30 Thread Rob Crittenden
Martin Basti wrote:
> 
> 
> On 30.10.2015 14:49, Martin Babinsky wrote:
>> On 10/30/2015 02:09 PM, Martin Basti wrote:
>>> https://fedorahosted.org/freeipa/ticket/5405
>>>
>>>
>>> Patch attached
>>>
>>>
>> Hi Martin,
>>
>> NACK since I'm not a big fan of having (nearly) the same function
>> defined in multiple modules:
>>
>> """
>> $ git grep -n 'def exit_on_managed_topology'
>> install/tools/ipa-csreplica-manage:397:def exit_on_managed_topology(what, hint="topologysegment"):
>> install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what):
>> """
>>
>> Otherwise the patch works fine.
>>
> I tried to do that, but I could not find any suitable module for that,
> and the method does just exit() with a proper error message, thus it can be
> just copy-paste (as ipa-csreplica-manage is full of it).
> 

Some common code can be found in ipaserver/install/replication.py

rob



Re: [Freeipa-devel] [PATCH 0339] ipa-csreplica-manage: disable connect/disconnect/del subcommands

2015-10-30 Thread Martin Babinsky

On 10/30/2015 03:47 PM, Martin Basti wrote:



On 30.10.2015 14:49, Martin Babinsky wrote:

On 10/30/2015 02:09 PM, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5405


Patch attached



Hi Martin,

NACK since I'm not a big fan of having (nearly) the same function
defined in multiple modules:

"""
$ git grep -n 'def exit_on_managed_topology'
install/tools/ipa-csreplica-manage:397:def exit_on_managed_topology(what, hint="topologysegment"):
install/tools/ipa-replica-manage:1386:def exit_on_managed_topology(what):
"""

Otherwise the patch works fine.


I tried to do that, but I could not find any suitable module for that,
and the method does just exit() with a proper error message, thus it can be
just copy-paste (as ipa-csreplica-manage is full of it).

Yes it is a nice plate of copypasta anyway.

ACK then.

--
Martin^3 Babinsky



[Freeipa-devel] [PATCH 0093] perform connectivity checks for all topology suffixes during node deletion

2015-10-30 Thread Martin Babinsky

patch for https://fedorahosted.org/freeipa/ticket/5309

The ticket itself is about connectivity checks in topology suffixes, but 
there is code (install/tools/ipa-replica-manage starting at line 788 
after applying my patch) which monitors whether the segments pointing 
to/from the deleted host are already deleted.


These checks are currently hardcoded for 'realm' prefix, should we 
generalize them as well or is it a part of other effort?


--
Martin^3 Babinsky
From 7ef87f07500b361d84e18ac3784c7f9ba9596b1f Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 30 Oct 2015 13:59:03 +0100
Subject: [PATCH] perform connectivity checks for all topology suffixes during
 node deletion

The code in ipa-replica-manage which checks for disconnected topology before
and after deletion of a node in a topology plugin-managed domain was
generalized so that it now performs these checks for all suffixes to which the
node belongs.

https://fedorahosted.org/freeipa/ticket/5309
---
 install/tools/ipa-replica-manage | 47 ++--
 1 file changed, 40 insertions(+), 7 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 1350590b625e5dcab36abbcef75fe5eafc5f7123..05ac28cec4036676994942ad7150c9a6ae82a528 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -569,7 +569,7 @@ def check_last_link(delrepl, realm, dirman_passwd, force):
 else:
 return None
 
-def check_last_link_managed(api, masters, hostname, force):
+def check_last_link_managed(api, hostname, masters, suffix_name, force):
 """
 Check if 'hostname' is safe to delete.
 
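Review bot: the signature changes from `(api, masters, hostname, force)` to `(api, hostname, masters, suffix_name, force)`, swapping two positional parameters of different types; a caller not updated in this patch would silently pass the masters list as `hostname`. The one call shown in `del_master_managed` is updated, but check for any other caller, and extend the docstring to describe `suffix_name`.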
@@ -577,13 +577,31 @@ def check_last_link_managed(api, masters, hostname, force):
   (current_errors, new_errors)
 """
 
-segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result')
-graph = create_topology_graph(masters, segments)
+suffix = api.Command.topologysuffix_show(suffix_name)['result']
+suffix_members = []
+for m in masters:
+if suffix['iparepltopoconfroot'][0] in m['iparepltopomanagedsuffix']:
+suffix_members.append(m)
+
+member_cns = {member['cn'][0] for member in suffix_members}
+
+if hostname not in member_cns:
+print(
+"'{}' is not a part of topology suffix '{}'".format(
+hostname, suffix_name
+)
+)
+print("Not checking connectivity")
+return [], []
+
+segments = api.Command.topologysegment_find(suffix_name, sizelimit=0).get('result')
+graph = create_topology_graph(suffix_members, segments)
 
 # check topology before removal
 orig_errors = get_topology_connection_errors(graph)
 if orig_errors:
-print("Current topology is disconnected:")
+print("Current topology in suffix '{}' is disconnected:".format(
+suffix_name))
 print("Changes are not replicated to all servers and data are probably inconsistent.")
 print("You need to add segments to reconnect the topology.")
 print_connect_errors(orig_errors)
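Review bot: `suffix['iparepltopoconfroot'][0] in m['iparepltopomanagedsuffix']` raises `KeyError` for any server entry that lacks the `iparepltopomanagedsuffix` attribute (a master not managed for any suffix); use `m.get('iparepltopomanagedsuffix', [])`, and likewise guard `suffix['iparepltopoconfroot']`. The early `return [], []` for a non-member host matches the `(current_errors, new_errors)` contract in the docstring, which is good; the two `print` calls for that case could be folded into one line naming both host and suffix.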
@@ -596,7 +614,8 @@ def check_last_link_managed(api, masters, hostname, force):
 
 new_errors = get_topology_connection_errors(graph)
 if new_errors:
-print("WARNING: Topology after removal of %s will be disconnected." % hostname)
+print("WARNING: Removal of '{}' will lead to disconnected topology "
+  "in suffix '{}'".format(hostname, suffix_name))
 print("Changes will not be replicated to all servers and data will become inconsistent.")
 print("You need to add segments to prevent disconnection of the topology.")
 print("Errors in topology after removal:")
@@ -724,8 +743,22 @@ def del_master_managed(realm, hostname, options):
 # 2. Get all masters
 masters = api.Command.server_find('', sizelimit=0)['result']
 
-# 3. Check topology
-topo_errors = check_last_link_managed(api, masters, hostname, options.force)
+# 3. Check topology connectivity in all suffices
+suffices = api.Command.topologysuffix_find('', sizelimit=0)['result']
+# initialize the error tuple here and extend it by errors found in each
+# suffix
+topo_errors = ([], [])
+
+for suffix in suffices:
+suffix_name = suffix['cn'][0]
+print("Checking connectivity in topology suffix '{}'".format(
+suffix_name))
+
+suffix_errors = check_last_link_managed(
+api, hostname, masters, suffix_name, options.force)
+
+topo_errors[0].extend(suffix_errors[0])
+topo_errors[1].extend(suffix_errors[1])
 
 # 4. Check that we are not leaving the installation without CA and/or DNS
 #And pick new CA master.
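Review bot: `topologysuffix_find` already returns the full suffix entries, yet `check_last_link_managed` fetches each one again with `topologysuffix_show`; passing the entry (or just its `iparepltopoconfroot`) would save one round trip per suffix. The comment and the variable `suffices` should read `suffixes`, matching the printed messages and the rest of the file. `topo_errors = ([], [])` followed by `.extend()` on its members works because the tuple's list elements are mutable, but two plainly named lists (`current_errors`, `new_errors`) would make the intent obvious.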
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0093] perform connectivity checks for all topology suffixes during node deletion

2015-10-30 Thread Petr Vobornik

On 10/30/2015 03:26 PM, Martin Babinsky wrote:

patch for https://fedorahosted.org/freeipa/ticket/5309

The ticket itself is about connectivity checks in topology suffixes, but
there is code (install/tools/ipa-replica-manage starting at line 788
after applying my patch) which monitors whether the segments pointing
to/from the deleted host are already deleted.

These checks are currently hardcoded for 'realm' prefix, should we
generalize them as well or is it a part of other effort?



Could be separate patch but yes.
--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0093] perform connectivity checks for all topology suffixes during node deletion

2015-10-30 Thread Martin Babinsky

On 10/30/2015 03:38 PM, Petr Vobornik wrote:

On 10/30/2015 03:26 PM, Martin Babinsky wrote:

patch for https://fedorahosted.org/freeipa/ticket/5309

The ticket itself is about connectivity checks in topology suffixes, but
there is code (install/tools/ipa-replica-manage starting at line 788
after applying my patch) which monitors whether the segments pointing
to/from the deleted host are already deleted.

These checks are currently hardcoded for 'realm' prefix, should we
generalize them as well or is it a part of other effort?



Could be separate patch but yes.
Ok I have included it in the attached patch so that both of these 
operations are performed for all suffixes.


--
Martin^3 Babinsky
From 356fbe7c3f542938b87f50c864c28de8b65a9b36 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 30 Oct 2015 13:59:03 +0100
Subject: [PATCH] check for disconnected topology and deleted agreements for
 all suffixes

The code in ipa-replica-manage which checks for disconnected topology and
deleted agreements during node removal was generalized so that it now performs
these checks for all suffixes to which the node belongs.

https://fedorahosted.org/freeipa/ticket/5309
---
 install/tools/ipa-replica-manage | 87 ++--
 1 file changed, 66 insertions(+), 21 deletions(-)

diff --git a/install/tools/ipa-replica-manage b/install/tools/ipa-replica-manage
index 1350590b625e5dcab36abbcef75fe5eafc5f7123..f754d699e89785666dd35386a2fbb1a6017f5d1f 100755
--- a/install/tools/ipa-replica-manage
+++ b/install/tools/ipa-replica-manage
@@ -569,7 +569,7 @@ def check_last_link(delrepl, realm, dirman_passwd, force):
 else:
 return None
 
-def check_last_link_managed(api, masters, hostname, force):
+def check_last_link_managed(api, hostname, masters, suffix_name, force):
 """
 Check if 'hostname' is safe to delete.
 
@@ -577,13 +577,31 @@ def check_last_link_managed(api, masters, hostname, force):
   (current_errors, new_errors)
 """
 
-segments = api.Command.topologysegment_find(u'realm', sizelimit=0).get('result')
-graph = create_topology_graph(masters, segments)
+suffix = api.Command.topologysuffix_show(suffix_name)['result']
+suffix_members = []
+for m in masters:
+if suffix['iparepltopoconfroot'][0] in m['iparepltopomanagedsuffix']:
+suffix_members.append(m)
+
+member_cns = {member['cn'][0] for member in suffix_members}
+
+if hostname not in member_cns:
+print(
+"'{}' is not a part of topology suffix '{}'".format(
+hostname, suffix_name
+)
+)
+print("Not checking connectivity")
+return [], []
+
+segments = api.Command.topologysegment_find(suffix_name, sizelimit=0).get('result')
+graph = create_topology_graph(suffix_members, segments)
 
 # check topology before removal
 orig_errors = get_topology_connection_errors(graph)
 if orig_errors:
-print("Current topology is disconnected:")
+print("Current topology in suffix '{}' is disconnected:".format(
+suffix_name))
 print("Changes are not replicated to all servers and data are probably inconsistent.")
 print("You need to add segments to reconnect the topology.")
 print_connect_errors(orig_errors)
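Review bot: the membership filter `+if suffix['iparepltopoconfroot'][0] in m['iparepltopomanagedsuffix']:` raises KeyError for a server entry that carries no iparepltopomanagedsuffix attribute (find results can omit attributes with no value); use `m.get('iparepltopomanagedsuffix', [])` so such a server is simply treated as not managing the suffix. The early `+return [], []` for a host outside the suffix matches the `(current_errors, new_errors)` contract in the docstring; consider quieting the two prints on that path, since del_master_managed now calls this function once per suffix.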
@@ -596,7 +614,8 @@ def check_last_link_managed(api, masters, hostname, force):
 
 new_errors = get_topology_connection_errors(graph)
 if new_errors:
-print("WARNING: Topology after removal of %s will be disconnected." % hostname)
+print("WARNING: Removal of '{}' will lead to disconnected topology "
+  "in suffix '{}'".format(hostname, suffix_name))
 print("Changes will not be replicated to all servers and data will become inconsistent.")
 print("You need to add segments to prevent disconnection of the topology.")
 print("Errors in topology after removal:")
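Review bot: the reworded warning on the `+print("WARNING: Removal of '{}' will lead to disconnected topology "` / `+  "in suffix '{}'".format(hostname, suffix_name))` lines drops the trailing period the old message had, while the surrounding messages are full sentences; add the period, and consider phrasing it in parallel with the earlier hunk's "Current topology in suffix '{}' is disconnected:" (e.g. "Topology in suffix '{}' will be disconnected after removal of '{}'.").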
@@ -724,8 +743,22 @@ def del_master_managed(realm, hostname, options):
 # 2. Get all masters
 masters = api.Command.server_find('', sizelimit=0)['result']
 
-# 3. Check topology
-topo_errors = check_last_link_managed(api, masters, hostname, options.force)
+# 3. Check topology connectivity in all suffices
+suffices = api.Command.topologysuffix_find('', sizelimit=0)['result']
+suffix_names = [s['cn'][0] for s in suffices]
+# initialize the error tuple here and extend it by errors found in each
+# suffix
+topo_errors = ([], [])
+
+for suffix_name in suffix_names:
+print("Checking connectivity in topology suffix '{}'".format(
+suffix_name))
+
+suffix_errors = check_last_link_managed(
+api, hostname, masters, suffix_name, options.force)
+
+topo_errors[0].extend(suffix_errors[0])
+topo_errors[1].extend(suffix_errors[1])
 
 # 4. Check that we are not leaving the installation without CA and/or DNS
 #  
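Review bot: the comment `+# 3. Check topology connectivity in all suffices` and the `suffices` variable spell the plural differently from the 'suffixes' used in the commit message and in the printed strings a few lines below; pick one (the command is topologysuffix-find, so 'suffixes' fits). The aggregation into `topo_errors = ([], [])` via `topo_errors[0].extend(...)` / `topo_errors[1].extend(...)` loses which suffix each error came from, so later reporting can only list errors without naming the affected suffix; consider collecting `(suffix_name, error)` pairs or a dict keyed by suffix name.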

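The per-suffix connectivity check discussed in this thread, as an added stand-alone illustration that is not FreeIPA's own code: it mimics the dict-of-lists shape of ipa server-find, topologysuffix-show and topologysegment-find results with constructed sample data (the example.test hostnames and the DNs are hypothetical), builds a directed replication graph per suffix, reports which nodes cannot reach which, repeats the check after simulating removal of one host, and aggregates results across suffixes with the suffix name attached to each error.

```python
"""Per-suffix replication topology connectivity check (added illustration)."""
from collections import deque

# Constructed sample data, not real FreeIPA output. Entries mimic the
# attribute -> list-of-values dicts returned by the ipa API; hostnames
# and DNs are hypothetical.
SUFFIXES = {
    'domain': {'cn': ['domain'], 'iparepltopoconfroot': ['dc=example,dc=test']},
    'ca': {'cn': ['ca'], 'iparepltopoconfroot': ['o=ipaca']},
}
MASTERS = [
    {'cn': ['a.example.test'],
     'iparepltopomanagedsuffix': ['dc=example,dc=test', 'o=ipaca']},
    {'cn': ['b.example.test'],
     'iparepltopomanagedsuffix': ['dc=example,dc=test', 'o=ipaca']},
    {'cn': ['c.example.test'],              # c has no CA, so it is not in 'ca'
     'iparepltopomanagedsuffix': ['dc=example,dc=test']},
]
SEGMENTS = {
    'domain': [
        {'iparepltoposegmentleftnode': ['a.example.test'],
         'iparepltoposegmentrightnode': ['b.example.test'],
         'iparepltoposegmentdirection': ['both']},
        {'iparepltoposegmentleftnode': ['b.example.test'],
         'iparepltoposegmentrightnode': ['c.example.test'],
         'iparepltoposegmentdirection': ['both']},
    ],
    'ca': [
        {'iparepltoposegmentleftnode': ['a.example.test'],
         'iparepltoposegmentrightnode': ['b.example.test'],
         'iparepltoposegmentdirection': ['both']},
    ],
}


def create_topology_graph(members, segments):
    """Directed adjacency map: node -> set of nodes it sends updates to."""
    graph = {m['cn'][0]: set() for m in members}
    for seg in segments:
        left = seg['iparepltoposegmentleftnode'][0]
        right = seg['iparepltoposegmentrightnode'][0]
        direction = seg['iparepltoposegmentdirection'][0]
        if left not in graph or right not in graph:
            continue  # segment references a node that is not a suffix member
        if direction in ('both', 'left-right'):
            graph[left].add(right)
        if direction in ('both', 'right-left'):
            graph[right].add(left)
    return graph


def get_topology_connection_errors(graph):
    """For each node that cannot reach every other node, (node, sorted unreachable)."""
    errors = []
    for start in sorted(graph):
        seen = {start}
        queue = deque([start])
        while queue:                      # breadth-first reachability
            node = queue.popleft()
            for nxt in graph[node]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        unreachable = sorted(set(graph) - seen)
        if unreachable:
            errors.append((start, unreachable))
    return errors


def check_last_link_managed(hostname, masters, suffix_name):
    """(current_errors, new_errors) for one suffix; empty if hostname is not a member."""
    root = SUFFIXES[suffix_name]['iparepltopoconfroot'][0]
    # .get() tolerates server entries without the managed-suffix attribute
    members = [m for m in masters if root in m.get('iparepltopomanagedsuffix', [])]
    if hostname not in {m['cn'][0] for m in members}:
        return [], []
    graph = create_topology_graph(members, SEGMENTS[suffix_name])
    orig_errors = get_topology_connection_errors(graph)
    # Simulate removal: drop the node and every edge touching it.
    graph.pop(hostname)
    for peers in graph.values():
        peers.discard(hostname)
    new_errors = get_topology_connection_errors(graph)
    return orig_errors, new_errors


def check_all_suffixes(hostname, masters=MASTERS):
    """Aggregate per-suffix results, tagging each error with its suffix name."""
    current, after = [], []
    for suffix_name in sorted(SUFFIXES):
        cur, new = check_last_link_managed(hostname, masters, suffix_name)
        current.extend((suffix_name, e) for e in cur)
        after.extend((suffix_name, e) for e in new)
    return current, after


if __name__ == '__main__':
    for host in ('b.example.test', 'c.example.test'):
        print(host, check_all_suffixes(host))
```

Removing b.example.test splits the 'domain' suffix (a and c lose each other) while the 'ca' suffix, in which a remains alone, stays consistent; removing c.example.test is safe in 'domain' and is skipped in 'ca' because c is not a member there. Tagging errors with the suffix name is what lets the caller tell the operator which suffix needs a new segment.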
Re: [Freeipa-devel] [draft] Fate of ipa-replica-manage and ipa-csreplica-manage tools

2015-10-30 Thread Petr Vobornik

On 10/30/2015 10:42 AM, Martin Kosek wrote:

On 10/27/2015 04:40 PM, Ludwig Krispenz wrote:


On 10/27/2015 03:54 PM, Petr Vobornik wrote:

Both tools serve primarily for managing replication agreements and
replicas.
ipa-replica-manage also manages winsync agreements and DNA ranges.

FreeIPA 4.3 will introduce managed topology which affects these tools.

Let's go through all sub-commands of both tools and decide what is the
fate of them/how they should be replaced. Comments are welcome.

In the text, the term 'disable' means: print an error message with help
about what the new alternative is.

For domain level == 0 all sub-commands should behave the same way as
before.
Proposals are for domain level 1 if not stated otherwise.

== ipa-replica-manage ==
=== list ===
Lists all IPA server or replication agreements of a specific IPA server
including winsync agreements.


Note that people are used to using the "-v" switch to show the status of
these agreements. There would need to be a replacement for this
functionality to get rid of this command.


I always forget about this option - from the help it's not clear which
commands support it.


Yes, this implies that it should remain enabled until we have the
functionality in the topo plugin.





Server list is replaced by
  ipa server-find
Replication agreements by:
  ipa topologysegment-find realm

I see the following paths:
1. do not change (current state)
2. list only winsync agreements - IMO it will be easier to maintain

If winsync was not in play we could 'disable' it, but winsync is not
planned to be centrally managed, mainly because the preferred
alternative is trust.


2 may be a good choice, but we first need to find the alternative for
above. I do not think deprecating a list is a "must" for 4.3.


+1




=== connect ===
Allow for winsync, disable for REALM agmts. (current state)

=== disconnect ===
Allow for winsync, disable for REALM agmts. (current state)


+1.


=== del ===
(current state)
With domain level 0:
- removes replica and repl. agmts for REALM suffix and winsync
With domain level 1:
- removes replica entry and therefore repl. agmts for all
suffixes (REALM, CS)
- ensure last services, e.g. sets renewal master
- does additional cleanup

I'm not aware of any operation which needs directory manager. IMO it
can be moved to the API in a future release (e.g. 4.4), especially if
ipa-server-install --uninstall is modified to do most of the cleanup.


Ok.



=== re-initialize ===
Not changed.

Can be disabled (long-term solution)

Same capability is in topologysegment_reinitialize API command. The only
difference is that no API command shows state of the pending operation.
Should we transform the presence of 'start' and 'stop' in the
nsds5beginreplicarefresh;left|right attribute into an output of
topologysegment_show, e.g.: 'initialization in progress',
'cancellation of re-initialization requested'?

yes, something like this would be possible; maybe this can be part of
the replication monitoring work, allowing to query the state of
specific agreements.


Can topologysegment-reinitialize simply wait? The behavior and related
options could be similar to those of automember-rebuild.


Then we risk that the CLI will time out; the same issue is in
automember-rebuild and migrate-ds (there is a ticket for improving long
running tasks).




I am wondering if topologysegment-reinitialize is not too low level.
Normally, the problem you are solving is that one of your masters is out
of sync and cannot be fixed. Then you want to have some command to
re-initialize *the master*, with the command potentially picking the
best topologysegment to be used.


It is quite low-level. That is also one of the reasons why I didn't put 
it to Web UI.





=== force-sync ===
no change yet

Currently done by setting nsDS5ReplicaUpdateSchedule attribute of repl.
agreement.

1. Is it required?
2. Should the functionality be transferred to
topologysegment/topology plugin?
3. Is current approach good?

in fact it is a hack: it uses the fact that a change in the replication
agreement will trigger a fresh start of the protocol thread. It would
be cleaner to have a "sendupdatesnow" attribute, or a value of the
refresh attribute; that would require a change in DS.


Change in DS to support some of the Topology functionality is tricky. Is
this a blocker for releasing 4.3 with DL 1?


I don't think so.



Where I am coming from is that if Topology functionality depends on a DS
function, we cannot be sure that the Topology call works for all
masters. And I do not think we want to release DL 2 to support also this
command.


We don't. We need some general approach for this. Every time we will add 
some new functionality to topology plugin or fix a bug there this very 
question will be raised again.


The simplest thing to do is have it enabled so the servers which don't 
support it will still have a usable method.





IMO if we want to preserve the possibility then the long-term
solution is to move it to the topology plugin.

yes


Yes, but see above.



Re: [Freeipa-devel] [PATCH 0060] Incomplete ports for IPA AD Trust

2015-10-30 Thread Gabe Alford
Okay. Added the port range to ipa-adtrust-install and updated the man page
to reflect firewall requirements.
The firewall section seems a little rough, so let me know what you think it
would need to be smoothed over (if anything).

thanks,

Gabe

On Fri, Oct 30, 2015 at 4:12 AM, Petr Spacek  wrote:

> On 30.10.2015 11:10, Alexander Bokovoy wrote:
> > On Fri, 30 Oct 2015, Petr Spacek wrote:
> >> On 30.10.2015 07:54, Alexander Bokovoy wrote:
> >>> On Thu, 29 Oct 2015, Gabe Alford wrote:
>  Hello,
> 
>  Fix for https://fedorahosted.org/freeipa/ticket/5414
> 
>  Thanks,
> 
>  Gabe
> >>>
>  From 515582d66252521a3cbf6a6a48f33745bd788c86 Mon Sep 17 00:00:00 2001
>  From: Gabe 
>  Date: Thu, 29 Oct 2015 20:28:27 -0600
>  Subject: [PATCH] Incomplete ports for IPA AD Trust
> 
>  https://fedorahosted.org/freeipa/ticket/5414
>  ---
>  install/tools/ipa-adtrust-install | 1 +
>  1 file changed, 1 insertion(+)
> 
>  diff --git a/install/tools/ipa-adtrust-install
>  b/install/tools/ipa-adtrust-install
>  index
> 
> 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..84e28b57524b2c3308e52cc56b4b370276add0b7
> 
>  100755
>  --- a/install/tools/ipa-adtrust-install
>  +++ b/install/tools/ipa-adtrust-install
>  @@ -472,6 +472,7 @@ Setup complete
> 
>  You must make sure these network ports are open:
>  \tTCP Ports:
>  +\t  * 135: epmap
>  \t  * 138: netbios-dgm
>  \t  * 139: netbios-ssn
>  \t  * 445: microsoft-ds
> >>> This is good but not complete. What end-point mapper does is creating a
> >>> listener based on the incoming request and access to the listener needs
> >>> to be provided as well. A listener is created currently in the range of
> >>> 1024..1300/TCP but we already have request to make this range
> >>> configurable (it is hard coded right now in Samba code) because with
> >>> Windows 2008 Microsoft moved it from 1025..5000 to 49152..65535:
> >>> https://support.microsoft.com/en-us/kb/929851
> >>>
> >>> We were thinking to add a call out hook on Samba side to call
> >>> firewall-related script that could do hole punching on demand but it is
> >>> not there yet.
> >>>
> >>> What we could do in ipa-adtrust-install, is to add section about
> TCP/UDP
> >>> ports to the manual page and explicitly reference that one in case of
> >>> epmap line:
> >>> \t  *135: epmap (see ipa-adtrust-install(1) man page for details)
> >>>
> >>> We don't have the firewall section in the manpage at all, btw.
> >>>
> >>> What do you think?
> >>
> >> Maybe I'm missing something, but ... Could we simply put current range
> >> 1024..1300/TCP to the installer now and do other changes as Samba
> evolves? I
> >> think that it is good enough as a hotfix and that we do not need to
> >> over-complicate it in the beginning.
> > That's essentially what I said too -- but I want to have firewall
> > requirements documented in the manpage so that they are available
> > beforehand _and_ people actually read them when they are referenced in
> > the output.
> >
> > I'm not asking for anything else here. Documentation is needed.
>
> Thanks for clarification, I was under the impression that you wanted to
> put it
> only into the man page :-)
>
> --
> Petr^2 Spacek
>
> --
> Manage your subscription for the Freeipa-devel mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-devel
> Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
>
From 227cf5ae9f7e1c0d5ce96c996baa75448430ce99 Mon Sep 17 00:00:00 2001
From: Gabe 
Date: Fri, 30 Oct 2015 09:11:00 -0600
Subject: [PATCH] Incomplete ports for IPA AD Trust

- Add subsection to ipa-adtrust-install man page
- Update port information in ipa-adtrust-install

https://fedorahosted.org/freeipa/ticket/5414
---
 install/tools/ipa-adtrust-install   |  4 
 install/tools/man/ipa-adtrust-install.1 | 25 +
 2 files changed, 29 insertions(+)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 1f41cc437e8a930c350eac0fb34e5bebc9f9b55b..ff69d69e2c11ce08b8b648a5a78777c472da2ac9 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -472,15 +472,19 @@ Setup complete
 
 You must make sure these network ports are open:
 \tTCP Ports:
+\t  * 135: epmap
 \t  * 138: netbios-dgm
 \t  * 139: netbios-ssn
 \t  * 445: microsoft-ds
+\t  * 1024..1300: epmap listener range
 \tUDP Ports:
 \t  * 138: netbios-dgm
 \t  * 139: netbios-ssn
 \t  * 389: (C)LDAP
 \t  * 445: microsoft-ds
 
+See the ipa-adtrust-install(1) man page for more details
+
 =
 """)
 if admin_password:
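Review bot: `+\t  * 1024..1300: epmap listener range` hard-codes a range that, per the thread, is itself hard-coded in Samba today and expected to become configurable (Windows 2008 and later use 49152..65535), so this printed value will silently go stale; mark it as the current Samba default in the text and let the man page carry the authoritative range. The `+See the ipa-adtrust-install(1) man page for more details` line is also missing its closing period.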
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 06378b5983e55bb6c34971b0f5129246f9f14fd3..36c468336909c705c68a2794dec699f3f05579d9 100644
---