[Freeipa-devel] [freeipa PR#329][comment] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329
Title: #329: experiment: did pull/177 break ci?

frasertweedale commented:
"""
Yes, it looks like I broke CI. Feel free to merge this PR if I don't find a fix quickly enough.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/329#issuecomment-266608752

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#329][opened] experiment: did pull/177 break ci?
URL: https://github.com/freeipa/freeipa/pull/329 Author: frasertweedale Title: #329: experiment: did pull/177 break ci? Action: opened PR body: """ This PR reverts the commits from pull/177 to test the hypothesis that something in these commits broke CI. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/329/head:pr329 git checkout pr329 From 8e13b7c01311e44eb3ec1dc16dac26b8d3287139 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 13 Dec 2016 10:50:50 +1000 Subject: [PATCH 1/3] Revert "Add options to write lightweight CA cert or chain to file" This reverts commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d. --- API.txt | 6 +-- VERSION.m4| 4 +- ipaclient/plugins/ca.py | 53 - ipaserver/plugins/ca.py | 65 +++ ipaserver/plugins/dogtag.py | 12 -- ipatests/test_xmlrpc/tracker/ca_plugin.py | 31 --- ipatests/test_xmlrpc/xmlrpc_test.py | 17 7 files changed, 16 insertions(+), 172 deletions(-) delete mode 100644 ipaclient/plugins/ca.py diff --git a/API.txt b/API.txt index 543cec5..bad3b92 100644 --- a/API.txt +++ b/API.txt @@ -445,11 +445,10 @@ option: Str('version?') output: Output('count', type=[]) output: Output('results', type=[, ]) command: ca_add/1 -args: 1,8,3 +args: 1,7,3 arg: Str('cn', cli_name='name') option: Str('addattr*', cli_name='addattr') option: Flag('all', autofill=True, cli_name='all', default=False) -option: Flag('chain', autofill=True, default=False) option: Str('description?', cli_name='desc') option: DNParam('ipacasubjectdn', cli_name='subject') option: Flag('raw', autofill=True, cli_name='raw', default=False) 
@@ -520,10 +519,9 @@ output: Entry('result') output: Output('summary', type=[, ]) output: PrimaryKey('value') command: ca_show/1 -args: 1,5,3 +args: 1,4,3 arg: Str('cn', cli_name='name') option: Flag('all', autofill=True, cli_name='all', default=False) -option: Flag('chain', autofill=True, default=False) option: Flag('raw', autofill=True, cli_name='raw', default=False) option: Flag('rights', autofill=True, default=False) option: Str('version?') diff --git a/VERSION.m4 b/VERSION.m4 index 36929ee..7d9e107 100644 --- a/VERSION.m4 +++ b/VERSION.m4 @@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412) # # define(IPA_API_VERSION_MAJOR, 2) -define(IPA_API_VERSION_MINOR, 217) -# Last change: Add options to write lightweight CA cert or chain to file +define(IPA_API_VERSION_MINOR, 216) +# Last change: DNS: Support URI resource record type diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py deleted file mode 100644 index fcdf484..000 --- a/ipaclient/plugins/ca.py +++ /dev/null 
@@ -1,53 +0,0 @@ -# -# Copyright (C) 2016 FreeIPA Contributors see COPYING for license -# - -import base64 -from ipaclient.frontend import MethodOverride -from ipalib import util, x509, Str -from ipalib.plugable import Registry -from ipalib.text import _ - -register = Registry() - - -class WithCertOutArgs(MethodOverride): - -takes_options = ( -Str( -'certificate_out?', -doc=_('Write certificate (chain if --chain used) to file'), -include='cli', -cli_metavar='FILE', -), -) - -def forward(self, *keys, **options): -filename = None -if 'certificate_out' in options: -filename = options.pop('certificate_out') -util.check_writable_file(filename) - -result = super(WithCertOutArgs, self).forward(*keys, **options) -if filename: -def to_pem(x): -return x509.make_pem(x) -if options.get('chain', False): -ders = result['result']['certificate_chain'] -data = '\n'.join(to_pem(base64.b64encode(der)) for der in ders) -else: -data = to_pem(result['result']['certificate']) -with open(filename, 'wb') as f: -f.write(data) - -return result - - -@register(override=True, no_fail=True) -class ca_add(WithCertOutArgs): -pass - - -@register(override=True, no_fail=True) -class ca_show(WithCertOutArgs): -pass diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py index ef1d68c..d9ae8c8 100644 --- a/ipaserver/plugins/ca.py +++ b/ipaserver/plugins/ca.py @@ -2,18 +2,14 @@ # Copyright (C) 2016 FreeIPA Contributors see COPYING for license # -import base64 - -import six - -from ipalib import api, errors, output, Bytes, DNParam, Flag, Str +from ipalib import api, errors, output, DNParam, Str from ipalib.constants import IPA_CA_CN from ipalib.plugable import Registry from ipaserver
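Review bot: merging this revert would rewind the published API version rather than advance it: the VERSION.m4 hunk takes IPA_API_VERSION_MINOR from 217 back to 216 and the API.txt hunks drop the `chain` option from ca_add/ca_show, so any client already built against 2.217 would be newer than the server and trip the `client_apiver > server_apiver` check that PR#328 on this list is removing. The PR body describes this as an experiment to confirm the CI hypothesis, so it should be closed once that is known rather than merged; if the feature really has to come out, it should leave with a fresh minor bump and a "Last change" line naming the removal. One thing visible in the deleted ipaclient/plugins/ca.py that is worth checking when the commits are restored: `open(filename, 'wb')` followed by `f.write(data)` where `data` is a str built by make_pem will raise TypeError under Python 3, which is one candidate for a CI failure that only shows in the Python 3 job.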
[Freeipa-devel] [freeipa PR#328][opened] fix: regression in API version comparison
URL: https://github.com/freeipa/freeipa/pull/328 Author: mbasti-rh Title: #328: fix: regression in API version comparison Action: opened PR body: """ Commint 2cbaf156045769b54150e4d4c3c1071f164a16fb introduced a regression in API version comparison. In case that newer client is trying to call older server an error is returned, but it should work. This commit fixes it. https://fedorahosted.org/freeipa/ticket/6468 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/328/head:pr328 git checkout pr328 From 36dfd4524acb3d3ab595c3ea126035f8781a451f Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Mon, 12 Dec 2016 18:28:53 +0100 Subject: [PATCH] fix: regression in API version comparison Commint 2cbaf156045769b54150e4d4c3c1071f164a16fb introduced a regression in API version comparison. In case that newer client is trying to call older server an error is returned, but it should work. This commit fixes it. https://fedorahosted.org/freeipa/ticket/6468 --- ipalib/frontend.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/ipalib/frontend.py b/ipalib/frontend.py index dfa6cdf..41dcd4a 100644 --- a/ipalib/frontend.py +++ b/ipalib/frontend.py @@ -776,8 +776,7 @@ def verify_client_version(self, client_version): sver=self.api_version, server=self.env.xmlrpc_uri) -if (client_apiver.major != server_apiver.major -or client_apiver > server_apiver): +if client_apiver.major != server_apiver.major: raise VersionError(cver=client_version, sver=self.api_version, server=self.env.xmlrpc_uri) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
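Review bot: the relaxed check in verify_client_version now admits any client whose major version matches, so the server will start receiving options it does not know about from newer clients (the `chain` flag that PR#329 on this list shows entering ca_add/ca_show at 2.217 is a concrete case). That is the intended policy per the commit message and ticket 6468, but it is only safe as long as the command layer rejects or discards unknown options instead of passing them through to the backend; a regression test that invokes a command with a client version one minor above the server's and another with a mismatched major would pin both halves of the policy so this comparison does not drift again. The commit message also misspells "Commit" as "Commint" in both places.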
[Freeipa-devel] [freeipa PR#325][comment] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
URL: https://github.com/freeipa/freeipa/pull/325
Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

pvoborni commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/17392b0ef754781775a10973b2fee8a6d1697f5d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/cd62808c0e62013f594b0a31acf5bc65f4ce0683
"""

See the full comment at https://github.com/freeipa/freeipa/pull/325#issuecomment-266495282
[Freeipa-devel] [freeipa PR#325][+pushed] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
URL: https://github.com/freeipa/freeipa/pull/325
Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
Label: +pushed
[Freeipa-devel] [freeipa PR#325][closed] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
URL: https://github.com/freeipa/freeipa/pull/325
Author: pvomacka
Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/325/head:pr325
git checkout pr325
[Freeipa-devel] [freeipa PR#325][+ack] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
URL: https://github.com/freeipa/freeipa/pull/325
Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
Label: +ack
[Freeipa-devel] [freeipa PR#325][comment] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
URL: https://github.com/freeipa/freeipa/pull/325
Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

pvoborni commented:
"""
Works for me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/325#issuecomment-266495026
[Freeipa-devel] [freeipa PR#313][+ack] ipaclient.plugins: Use api_version from internally called commands
URL: https://github.com/freeipa/freeipa/pull/313
Title: #313: ipaclient.plugins: Use api_version from internally called commands
Label: +ack
[Freeipa-devel] [freeipa PR#313][comment] ipaclient.plugins: Use api_version from internally called commands
URL: https://github.com/freeipa/freeipa/pull/313
Title: #313: ipaclient.plugins: Use api_version from internally called commands

mbasti-rh commented:
"""
Works for me
"""

See the full comment at https://github.com/freeipa/freeipa/pull/313#issuecomment-266491681
[Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272 Author: pspacek Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/272/head:pr272 git checkout pr272 From 9f7eda35726515e6acf91c64dcadb7f0e22d6e8a Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Thu, 24 Nov 2016 17:35:24 +0100 Subject: [PATCH 1/3] Build: makerpms.sh generates Python 2 & 3 packages at the same time Petr Viktorin recommended me to copy the whole build directory and run configure twice, with different values for PYTHON variable. After thinking a bit about that, it seems as cleanest approach. Building for two versions of Python at the same time should be temporary state so I decided not to complicate Autotools build system with conditional spagetti for two versions of Python. For proper Python2/3 distiction in the two separate builds, I added find/grep/sed combo which replaces shebangs with system-wide Python interpreter as necessary. This is workaround for the fact that FreeIPA does not use setuptools properly. Honza told me that proper use of setuptools is not trivial so we decided to go with this for now. https://fedorahosted.org/freeipa/ticket/157 --- freeipa.spec.in | 158 1 file changed, 103 insertions(+), 55 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index cba40c2..4d5d110 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -5,7 +5,7 @@ %if 0%{?rhel} %global with_python3 0 %else -%global with_python3 0 +%global with_python3 1 %endif # lint is not executed during rpmbuild 
@@ -268,6 +268,37 @@ and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package. +%if 0%{?with_python3} + +%package -n python3-ipaserver +Summary: Python libraries used by IPA server +Group: System Environment/Libraries +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaserver} +Requires: %{name}-server-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipaclient = %{version}-%{release} +Requires: python3-pyldap >= 2.4.15 +Requires: python3-lxml +Requires: python3-gssapi >= 1.1.2 +Requires: python3-sssdconfig +Requires: python3-pyasn1 +Requires: python3-dbus +Requires: python3-dns >= 1.11.1 +Requires: python3-kdcproxy >= 0.3 +Requires: rpm-libs + +%description -n python3-ipaserver +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If you are installing an IPA server, you need to install this package. + +%endif # with_python3 + + %package server-common Summary: Common files used by IPA server Group: System Environment/Base @@ -687,6 +718,11 @@ This package contains tests that verify IPA functionality under Python 3. %prep %setup -n freeipa-%{version} -q +%if 0%{?with_python3} +# Workaround: We want to build Python things twice. To be sure we do not mess +# up something, do two separate builds in separate directories. +cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 +%endif # with_python3 %build 
@@ -694,10 +730,33 @@ This package contains tests that verify IPA functionality under Python 3. export JAVA_STACK_SIZE="8m" # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 export PATH=/usr/bin:/usr/sbin:$PATH +export PYTHON=%{__python2} +# Workaround: make sure all shebangs are pointing to Python 2 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \; %configure --with-vendor-suffix=-%{release} # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405 %make_build -Onone +%if 0%{?with_python3} +pushd %{_builddir}/freeipa-%{version}-python3 +export PYTHON=%{__python3} +# Workaround: make sure all shebangs are pointing to Python 3 +# This should be solved properly using setuptools +# and this hack should be removed. +find \ + ! -name '*.pyc' -a \ + ! -name '*.pyo' -a \ + -type f -exec grep -qsm1 '^#!.*\bpython' {} \; \ + -exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \; +%configure --with-vendor-suffix=-%{release} +popd +%endif # with_python3 %check %if ! %{ONLY_CLIENT} @@ -716,16 +775,23 @@ make %{?_smp_mflags} client-check VERBOSE=yes LIBDIR=%{_libdir} # All files and directories created by spec install should be marked as ghost. # (These are typically
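Review bot: the shebang rewrite in the %build hunk tests each file with `grep -qsm1 '^#!.*\bpython'`, which matches a `#!...python` line anywhere in the file, while the sed that follows only edits line 1; the two can disagree (a file whose first line is not a shebang is still handed to sed, harmlessly, and a grep+sed fork pair is paid for every regular file in the tree). Testing only the first line, e.g. `-exec sh -c 'head -n1 "$1" | grep -q "^#!.*python"' _ {} \;`, or collecting matches once with `grep -rl` and feeding them to a single sed invocation, would make the check match the action and cut build time. The identical find/sed block appears twice, once per interpreter; putting it in a shell function parameterised on the interpreter path keeps the Python 2 and Python 3 passes from drifting apart. Separately, the -python3 copy made in %prep only gets %configure in this hunk and no %make_build, so the build in that directory must happen in the %install section that is not shown here; the author's follow-up about "order of operations" in freeipa.spec.in suggests that was exactly what broke.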
[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time
URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
I've found the root cause - incorrect order of operations in freeipa.spec.in. Now it should work.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/272#issuecomment-266471594
[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

martbab commented:
"""
Rebased and pushed to ipa-4-4
https://fedorahosted.org/freeipa/changeset/fd8c17252fbc3efccad66cdcd373195c0fc53ce3
"""

See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266463807
[Freeipa-devel] [freeipa PR#326][closed] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326
Author: abbra
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/326/head:pr326
git checkout pr326
[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/38cc01b1c92da36653e0ce4d8f7066282fd1d102
"""

See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266463244
[Freeipa-devel] [freeipa PR#326][+pushed] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
Label: +pushed
[Freeipa-devel] [freeipa PR#326][+ack] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
Label: +ack
[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

abbra commented:
"""
Rebased to git master.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266454397
[Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326/head:pr326 git checkout pr326 From 912b131bbdec8bc0a45ac2f464f8035a2efe177f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 12 Dec 2016 10:30:51 +0200 Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Samba 4.5 does not allow to specify access mode for the keytab (FILE: or WRFILE:) from external sources. Thus, change the defaults to a path (implies FILE: prefix) while Samba Team fixes the code to allow the access mode prefix for keytabs. On upgrade we need to replace 'dedicated keytab file' value with the path to the Samba keytab that FreeIPA maintains. Since the configuration is stored in the Samba registry, we use net utility to manipulate the configuration: net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab Fixes https://fedorahosted.org/freeipa/ticket/6551 --- install/share/smb.conf.template | 2 +- ipaserver/install/server/upgrade.py | 22 ++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template index 2908b99..17bde5d 100644 --- a/install/share/smb.conf.template +++ b/install/share/smb.conf.template @@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME netbios name = $HOST_NETBIOS_NAME realm = $REALM kerberos method = dedicated keytab -dedicated keytab file = FILE:/etc/samba/samba.keytab +dedicated keytab file = /etc/samba/samba.keytab create krb5 conf = no security = user domain master = yes diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 0ebe9af..5d8e596 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -48,6 +48,7 @@ from ipaserver.install import krainstance from ipaserver.install import dogtaginstance from ipaserver.install import krbinstance +from ipaserver.install import adtrustinstance from ipaserver.install.upgradeinstance import IPAUpgrade from ipaserver.install.ldapupdate import BadSyntax @@ -268,6 +269,26 @@ def cleanup_adtrust(fstore): root_logger.debug('Removing %s from backup', backed_up_file) +def upgrade_adtrust_config(): +""" +Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix +""" + +if not adtrustinstance.ipa_smb_conf_exists(): +return + +root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' " + "in Samba configuration]") + +args = [paths.NET, "conf", "setparm", "global", +"dedicated keytab file", paths.SAMBA_KEYTAB] + +try: +ipautil.run(args) +except ipautil.CalledProcessError as e: +root_logger.warning("Error updating Samba registry: %s", e) + + def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') @@ -1668,6 +1689,7 @@ def upgrade_configuration(): cleanup_kdc(fstore) cleanup_adtrust(fstore) +upgrade_adtrust_config() bind = bindinstance.BindInstance(fstore) if bind.is_configured() and not bind.is_running(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
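Review bot: upgrade_adtrust_config() rewrites 'dedicated keytab file' on every upgrade run without reading the current value first, so the info-level log line and the `net conf setparm` call repeat even after the prefix is gone, and a deliberately customised keytab path is silently reset to paths.SAMBA_KEYTAB. Reading the value with `net conf getparm global 'dedicated keytab file'` and returning early unless it starts with `FILE:` (or `WRFILE:`) would make the step idempotent in the log as well as in effect and would leave a custom path alone. Treating a non-zero exit from `net` as a warning is appropriate for an upgrade step, but the message should include the value it was trying to set so an admin reading the log knows Samba may still carry the prefix that Samba 4.5 rejects. Minor: the comment header above the block is not preceded by the two blank lines the surrounding code uses.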
[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

martbab commented:
"""
The branch needs a rebase. Otherwise works as expected and has no PEP8 errors despite what crazy Travis CI claims.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266452154
[Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level
URL: https://github.com/freeipa/freeipa/pull/324 Author: tbordaz Title: #324: Check for conflict entries before raising domain level Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/324/head:pr324 git checkout pr324 From 5e544ae0477cda154996b158960006878d1a09dc Mon Sep 17 00:00:00 2001 From: Ludwig Krispenz Date: Fri, 9 Dec 2016 15:04:21 +0100 Subject: [PATCH] Check for conflict entries before raising domain level Checking of conflicts is not only done in topology container as tests showed it can occurs elsewhere https://fedorahosted.org/freeipa/ticket/6534 --- ipaserver/plugins/domainlevel.py | 26 ++ 1 file changed, 26 insertions(+) diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py index 42603d7..749dce3 100644 --- a/ipaserver/plugins/domainlevel.py +++ b/ipaserver/plugins/domainlevel.py @@ -48,6 +48,29 @@ def get_domainlevel_range(master_entry): return DomainLevelRange(0, 0) +def check_conflict_entries(ldap, api, desired_value): +""" +Check if conflict entries exist in topology subtree +""" + +container_dn = DN( +('cn', 'ipa'), +('cn', 'etc'), +api.env.basedn +) + +try: +ldap.get_entries( +filter="(&(nsds5replconflict=*)(|(objectclass=ldapsubentry)(objectclass=*)))", +base_dn=container_dn, +scope=ldap.SCOPE_SUBTREE) +message = _("Domain Level cannot be raised to {0}, " +"existing replication conflicts have to be resolved." +.format(desired_value)) +raise errors.InvalidDomainLevelError(reason=message) +except errors.NotFound: +pass + def get_master_entries(ldap, api): """ Returns list of LDAPEntries representing IPA masters. 
@@ -131,6 +154,9 @@ def execute(self, *args, **options): .format(desired_value, master['cn'][0])) raise errors.InvalidDomainLevelError(reason=message) +# Check if conflict entries exist in topology subtree, should be resolved first +check_conflict_entries(ldap, self.api, desired_value) + current_entry.single_value['ipaDomainLevel'] = desired_value ldap.update_entry(current_entry) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
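Review bot: the docstring of check_conflict_entries() and the in-line comment in the second hunk both say "topology subtree", but the search base is cn=ipa,cn=etc,$SUFFIX with SCOPE_SUBTREE and the commit message says conflicts turned up outside the topology container; update both so the next reader does not narrow the base back. The filter `(&(nsds5replconflict=*)(|(objectclass=ldapsubentry)(objectclass=*)))` depends on the 389-ds rule that ldapsubentry objects are only returned when the filter names that objectclass explicitly, and since `(objectclass=*)` already matches everything the OR looks redundant to anyone who does not know that rule; a one-line comment would save it from being "simplified" away. Only existence matters here, so passing a size limit of 1 to get_entries would avoid pulling every conflict entry across the wire. The error message would be far more useful if it listed the offending DNs, or at least the first one, since the admin has to locate and resolve them before retrying. Also, `_("...".format(desired_value))` formats before translation, so the msgid looked up in the catalog never matches; write `_("...{0}...").format(desired_value)` instead, and add the second blank line before `def get_master_entries` that PEP8 expects.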
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
Talk is cheap so here is the code!

~~~
import math
import string
import random


class TokenGenerator(object):
    """Tunable token generator."""

    # without: = # ' " \ `
    _special = '!$%&()*+,-./:;<>?@[]^_{|}~'

    def_charsets = {
        'uppercase': {'chars': string.ascii_uppercase,
                      'entropy': math.log(len(string.ascii_uppercase), 2)},
        'lowercase': {'chars': string.ascii_lowercase,
                      'entropy': math.log(len(string.ascii_lowercase), 2)},
        'digits': {'chars': string.digits,
                   'entropy': math.log(len(string.digits), 2)},
        'special': {'chars': _special,
                    'entropy': math.log(len(_special), 2)},
    }

    def __init__(self, uppercase=0, lowercase=0, digits=0, special=0,
                 min_len=0):
        """Specify character constraints on generated tokens.

        Integer values specify minimal number of characters from given
        character class and length. Value False prevents given character
        class from appearing in the token.

        Example:
        TokenGenerator(uppercase=3, lowercase=3, digits=0, special=False)
        At least 3 upper and 3 lower case ASCII chars, may contain digits,
        no special chars.
        """
        # SystemRandom draws from the OS CSPRNG; it must be the only source
        # of characters below (the module-level random.choice() is a
        # Mersenne Twister and is not suitable for secrets)
        self.rng = random.SystemRandom()
        self.min_len = min_len
        self.req_classes = dict(
            uppercase=uppercase,
            lowercase=lowercase,
            digits=digits,
            special=special
        )
        self.todo_charsets = self.def_charsets.copy()
        # 'all' class is used when adding entropy to too-short tokens
        # it contains characters from all allowed classes
        self.todo_charsets['all'] = {'chars': ''.join(
            [charclass['chars']
             for charclass_name, charclass in self.todo_charsets.items()
             if self.req_classes[charclass_name] is not False]
        )}
        self.todo_charsets['all']['entropy'] = math.log(
            len(self.todo_charsets['all']['chars']), 2)

    def __call__(self, req_entropy=128):
        """Generate token containing at least req_entropy bits.

        req_entropy is minimal number of entropy bits attacker has to guess:
        128 bits entropy: secure
        256 bits of entropy: secure enough if you care about quantum computers

        The generated token will fulfill constraints specified in init.
        """
        todo_entropy = req_entropy
        password = ''
        # Generate required character classes:
        # The order of generated characters is fixed to comply with check in
        # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
        for charclass_name in ['digits', 'uppercase', 'lowercase', 'special']:
            charclass = self.todo_charsets[charclass_name]
            todo_characters = self.req_classes[charclass_name]
            while todo_characters > 0:
                password += self.rng.choice(charclass['chars'])
                todo_entropy -= charclass['entropy']
                todo_characters -= 1

        # required character classes do not provide sufficient entropy
        # or do not fulfill minimal length constraint
        allchars = self.todo_charsets['all']
        while todo_entropy > 0 or len(password) < self.min_len:
            password += self.rng.choice(allchars['chars'])
            todo_entropy -= allchars['entropy']

        return password


if __name__ == '__main__':
    pwgen = TokenGenerator()
    for i in range(100):
        print(pwgen(256))
~~~

This code deterministically generates passwords. If character constraints are specified, the code might generate slightly longer passwords than the brute-force method. For example, for a 256-bit password with FIPS-compliant constraints (3 character classes) the difference is 41 vs. 40 characters. Given this difference, I think that determinism trumps shorter passwords.

Also, I think that it does not make sense to have a `req_entropy` parameter in `__call__`. IMHO it makes sense to specify it along with the other constraints in `__init__`.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266439544
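The "41 vs. 40 characters" figure in the comment above can be checked without drawing a single random character: because the scheme charges a fixed number of entropy bits per character, the token length is a deterministic function of the requested entropy and the class constraints. The block below is an added example, not code from the PR or from FreeIPA. It reimplements only the length accounting of the scheme (the two loops of `__call__`, minus the RNG) and adds a checker that validates an arbitrary token against the same constraints, which is the kind of test a reviewer would want around a generator like this. It assumes the same four character classes as the posted code and reads "3 character classes" as one required digit, one uppercase and one lowercase letter (that exact breakdown is an assumption; the comment does not spell it out).

```python
import math
import string

# Same four classes as the generator above; the special set likewise
# omits = # ' " \ ` (assumption: copied from the posted code).
SPECIAL = '!$%&()*+,-./:;<>?@[]^_{|}~'
CLASSES = {
    'digits': string.digits,
    'uppercase': string.ascii_uppercase,
    'lowercase': string.ascii_lowercase,
    'special': SPECIAL,
}
# Fixed emission order, mirroring the NSS sftk_newPinCheck() ordering
# the generator follows.
ORDER = ['digits', 'uppercase', 'lowercase', 'special']


def bits(alphabet):
    """Entropy in bits of one character drawn uniformly from alphabet."""
    return math.log(len(alphabet), 2)


def token_length(req_entropy, min_len=0, **req):
    """Length the scheme produces for req_entropy bits under the class
    constraints in req (e.g. digits=1, uppercase=1, special=False).

    Pure accounting: walks the same two loops as the generator's
    __call__ but never draws a character, so the result is exact.
    """
    counts = {name: req.get(name, 0) for name in ORDER}
    # 'all' alphabet: every class that was not excluded with False
    allowed = ''.join(CLASSES[n] for n in ORDER if counts[n] is not False)
    todo_entropy = float(req_entropy)
    length = 0
    # Phase 1: the mandatory characters, each charged at its own class size
    for name in ORDER:
        n = counts[name]
        while n > 0:  # False > 0 is False, so excluded classes are skipped
            todo_entropy -= bits(CLASSES[name])
            length += 1
            n -= 1
    # Phase 2: top up with 'all' characters until the entropy budget is
    # spent and the minimum length is reached
    while todo_entropy > 0 or length < min_len:
        todo_entropy -= bits(allowed)
        length += 1
    return length


def check_token(token, min_len=0, **req):
    """Validate a token against the same constraints: minimum count per
    class, nothing from an excluded class, overall minimum length, and
    every character drawn from one of the four classes.

    Returns a list of violations; an empty list means the token passes.
    """
    problems = []
    if len(token) < min_len:
        problems.append('shorter than min_len=%d' % min_len)
    known = ''.join(CLASSES.values())
    for ch in token:
        if ch not in known:
            problems.append('unexpected character %r' % ch)
    for name in ORDER:
        want = req.get(name, 0)
        have = sum(1 for ch in token if ch in CLASSES[name])
        if want is False and have:
            problems.append('%s excluded but %d present' % (name, have))
        elif want is not False and have < want:
            problems.append('%s: need %d, have %d' % (name, want, have))
    return problems


if __name__ == '__main__':
    print('256 bits, unconstrained:', token_length(256))
    print('256 bits, 1 digit + 1 upper + 1 lower:',
          token_length(256, digits=1, uppercase=1, lowercase=1))
```

With the full 89-character alphabet each top-up character is worth log2(89), about 6.48 bits, so 256 bits need 40 characters unconstrained; forcing one digit, one uppercase and one lowercase character first costs only about 12.7 bits for three positions, which is why the constrained token needs 38 more characters for a total of 41, exactly the pair of numbers quoted in the comment.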
Re: [Freeipa-devel] ABI report for Samba libraries
On Mon, 12 Dec 2016, Ponomarenko Andrey wrote:
> Hi Alexander,
>
> The report is updated on Mon, Wed and Fri at 11:00 UTC:
> https://abi-laboratory.pro/index.php?view=abi-tracker

Ok, thanks. Could you please extend the report to include all libraries that are built as part of Samba? E.g. not only the public ones but also the ones used privately by Samba itself.

--
/ Alexander Bokovoy
Re: [Freeipa-devel] ABI report for Samba libraries
Hi Alexander,

The report is updated on Mon, Wed and Fri at 11:00 UTC:
https://abi-laboratory.pro/index.php?view=abi-tracker

Thank you.

12.12.2016, 16:39, "Alexander Bokovoy":
> Hi Andrey,
>
> On Mon, 12 Dec 2016, Ponomarenko Andrey wrote:
>> Hello,
>>
>> The ABI analysis report for the latest versions of Samba:
>> https://abi-laboratory.pro/tracker/timeline/samba/
>>
>> Hope the report will be helpful for users and maintainers of Samba libraries.
>
> Yes, thank you for the report.
>
> Are you going to keep reports generating with each upstream release?
>
> --
> / Alexander Bokovoy
[Freeipa-devel] [freeipa PR#210][synchronized] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210 Author: gkaihorodova Title: #210: Tests: Stage User Tracker implementation Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/210/head:pr210 git checkout pr210 From af0eabb8582513275240cd625e7d3f307fa0ebe0 Mon Sep 17 00:00:00 2001 From: Ganna Kaihorodova Date: Wed, 2 Nov 2016 15:02:30 +0100 Subject: [PATCH 1/2] Tests: Stage User Tracker implementation Fix provide possibility of creation stage user with minimal values, with uid not specified and check for non-empty unicode string for attributes requested in init method https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/tracker/stageuser_plugin.py | 36 ++-- 1 file changed, 28 insertions(+), 8 deletions(-) diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py index 82d7e06..07c1a25 100644 --- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py +++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py 
@@ -61,23 +61,43 @@ class StageUserTracker(Tracker): find_keys = retrieve_keys - {u'has_keytab', u'has_password'} find_all_keys = retrieve_all_keys - {u'has_keytab', u'has_password'} -def __init__(self, name, givenname, sn, **kwargs): +def __init__(self, name=None, givenname=None, sn=None, **kwargs): +""" Check for non-empty unicode string for the required attributes +in the init method """ + +if not (isinstance(givenname, six.string_types) and givenname): +raise ValueError("Invalid first name provided: %r" % givenname) +if not (isinstance(sn, six.string_types) and sn): +raise ValueError("Invalid second name provided: %r" % sn) + super(StageUserTracker, self).__init__(default_version=None) -self.uid = name -self.givenname = givenname -self.sn = sn +self.uid = unicode(name) +self.givenname = unicode(givenname) +self.sn = unicode(sn) self.dn = DN( ('uid', self.uid), api.env.container_stageuser, api.env.basedn) self.kwargs = kwargs def make_create_command(self, options=None): -""" Make function that creates a staged user using stageuser-add """ +""" Make function that creates a staged user using stageuser-add +with all set of attributes and with minimal values, +where uid is not specified """ + if options is not None: self.kwargs = options -return self.make_command('stageuser_add', self.uid, - givenname=self.givenname, - sn=self.sn, **self.kwargs) +if self.uid is not None: +return self.make_command( +'stageuser_add', self.uid, +givenname=self.givenname, +sn=self.sn, **self.kwargs +) +else: +return self.make_command( +'stageuser_add', +givenname=self.givenname, +sn=self.sn, **self.kwargs +) def make_delete_command(self): """ Make function that deletes a staged user using stageuser-del """ From e6c30ddbef30a7a914cb8e41f9f0335304322abe Mon Sep 17 00:00:00 2001 
From: Ganna Kaihorodova Date: Mon, 12 Dec 2016 14:11:52 +0100 Subject: [PATCH 2/2] Stage User: Test to create stage user with minimal values Test to create stage user with minimal values, where uid is not specified https://fedorahosted.org/freeipa/ticket/6448 --- ipatests/test_xmlrpc/test_stageuser_plugin.py | 11 +++ 1 file changed, 11 insertions(+) diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py index 4a859e8..95cb26a 100644 --- a/ipatests/test_xmlrpc/test_stageuser_plugin.py +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py @@ -85,6 +85,11 @@ def stageduser(request): return tracker.make_fixture(request) +@pytest.fixture(scope='class') +def stageduser_min(request): +tracker = StageUserTracker(givenname=u'stagedmin', sn=u'usermin') +return tracker.make_fixture(request) + @pytest.fixture(scope='class', params=options_ok, ids=options_ids) def stageduser2(request): tracker = StageUserTracker(u'suser2', u'staged', u'user', **request.param) @@ -191,6 +196,12 @@ def test_activate_nonexistent(self, stageduser): @pytest.mark.tier1 class TestStagedUser(XMLRPC_test): +def test_create_with_min_values(self, stageduser_min): +""" Create user with uid not specified """ +stageduser_min.ensure_missing() +command = stageduser_min.make_create_command() +command() + def test_create_duplicate(self, stageduser): stageduser.ensure_exists() command = stageduser.make_create_command() -- Manage your subscription for the Freeipa-devel mailing li
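Review bot: in the `StageUserTracker.__init__` hunk, `name` now defaults to `None` but the body does `self.uid = unicode(name)`, so a tracker constructed without a uid ends up with `self.uid == u'None'` rather than `None`; `make_create_command` then never reaches its `else` branch, `stageuser_add` is invoked with the literal uid "None", and `self.dn` is built from that value too. Guard the conversion (`self.uid = unicode(name) if name is not None else None`) or simply keep `self.uid = name`; and since the module already uses `six.string_types`, prefer `six.text_type` over the Python 2 only `unicode` builtin. The docstring also promises a check for "non-empty unicode string" while the code accepts any `six.string_types` value, and "second name" in the error message should read "surname".

Review bot: in the `test_create_with_min_values` hunk, `command()` is called and its result discarded, so nothing verifies that the entry was created or that a uid was derived from `givenname`/`sn`, and the tracker is never told that the entry now exists for later cleanup. Assert on the returned result (at least that `result['result']['uid']` is present) or drive the creation through the tracker so its bookkeeping and `check_create`-style verification apply.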
Re: [Freeipa-devel] ABI report for Samba libraries
Hi Andrey,

On Mon, 12 Dec 2016, Ponomarenko Andrey wrote:
> Hello,
> The ABI analysis report for the latest versions of Samba: https://abi-laboratory.pro/tracker/timeline/samba/
> Hope the report will be helpful for users and maintainers of Samba libraries.

Yes, thank you for the report.

Are you going to keep reports generating with each upstream release?

-- 
/ Alexander Bokovoy
[Freeipa-devel] ABI report for Samba libraries
Hello,

The ABI analysis report for the latest versions of Samba: https://abi-laboratory.pro/tracker/timeline/samba/

Hope the report will be helpful for users and maintainers of Samba libraries.

It is generated by the open-source ABICC 2.0 tool: https://github.com/lvc/abi-compliance-checker

Thank you.
[Freeipa-devel] [freeipa PR#313][synchronized] ipaclient.plugins: Use api_version from internally called commands
URL: https://github.com/freeipa/freeipa/pull/313 Author: dkupka Title: #313: ipaclient.plugins: Use api_version from internally called commands Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/313/head:pr313 git checkout pr313 From ce8e8a5de53a2bfdbeb21985682d74a7da4c4670 Mon Sep 17 00:00:00 2001 From: David Kupka Date: Tue, 6 Dec 2016 12:35:23 +0100 Subject: [PATCH] ipaclient.plugins: Use api_version from internally called commands In client plugins make sure the api_version is 'inherited' from server command that is internally called. Otherwise the api_version is obtained from client API instance. When calling server command from client command 'version' is passed in options and it overrides the right one. Server then refuses to handle such call. https://fedorahosted.org/freeipa/ticket/6539 --- ipaclient/plugins/automount.py| 4 ipaclient/plugins/otptoken_yubikey.py | 4 ipaclient/plugins/vault.py| 16 3 files changed, 24 insertions(+) diff --git a/ipaclient/plugins/automount.py b/ipaclient/plugins/automount.py index 540bd59..650c748 100644 --- a/ipaclient/plugins/automount.py +++ b/ipaclient/plugins/automount.py @@ -60,6 +60,10 @@ def __NO_CLI_getter(cls): NO_CLI = classproperty(__NO_CLI_getter) +@property +def api_version(self): +return self.api.Command.automountlocation_show.api_version + def output_for_cli(self, textui, result, *keys, **options): maps = result['result']['maps'] keys = result['result']['keys'] diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py index 1075b6d..759b722 100644 --- a/ipaclient/plugins/otptoken_yubikey.py +++ b/ipaclient/plugins/otptoken_yubikey.py @@ -81,6 +81,10 @@ def __NO_CLI_getter(cls): NO_CLI = classproperty(__NO_CLI_getter) +@property +def api_version(self): +return self.api.Command.otptoken_add.api_version + def get_args(self): for arg in self.api.Command.otptoken_add.args(): yield arg 
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index c099e9e..29157c7 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -209,6 +209,10 @@ def __NO_CLI_getter(cls): NO_CLI = classproperty(__NO_CLI_getter) +@property +def api_version(self): +return self.api.Command.vault_add_internal.api_version + def get_args(self): for arg in self.api.Command.vault_add_internal.args(): yield arg @@ -415,6 +419,10 @@ def __NO_CLI_getter(cls): NO_CLI = classproperty(__NO_CLI_getter) +@property +def api_version(self): +return self.api.Command.vault_mod_internal.api_version + def get_args(self): for arg in self.api.Command.vault_mod_internal.args(): yield arg @@ -602,6 +610,10 @@ def __NO_CLI_getter(cls): NO_CLI = classproperty(__NO_CLI_getter) +@property +def api_version(self): +return self.api.Command.vault_archive_internal.api_version + def get_args(self): for arg in self.api.Command.vault_archive_internal.args(): yield arg @@ -855,6 +867,10 @@ def __NO_CLI_getter(cls): NO_CLI = classproperty(__NO_CLI_getter) +@property +def api_version(self): +return self.api.Command.vault_retrieve_internal.api_version + def get_args(self): for arg in self.api.Command.vault_retrieve_internal.args(): yield arg -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
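Review bot: the identical three-line `api_version` property is pasted into six classes (one each in `automount.py` and `otptoken_yubikey.py`, four in `vault.py`) with only the wrapped command name changing, and each class already names that same command in its `get_args` loop right below; a shared mixin or base-class property that reads the version from one class attribute naming the wrapped server command would keep the two from drifting apart when one is edited. At least one of the definitions also deserves a comment stating why the client command's version must follow the internal command (the commit message explains that an explicit `version` in the options otherwise overrides it and the server rejects the call), because the property looks redundant to a reader without that context.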
Re: [Freeipa-devel] CSR autogeneration next steps
On Mon, Dec 12, 2016 at 02:04:37PM +0100, Jan Cholasta wrote:
> On 12.12.2016 13:49, Fraser Tweedale wrote:
> > (This is a tangential discussion, but...)
> >
> > On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
> > > IMO profile ID should default to caIPAserviceCert on the client as well.
> > >
> > NACK. Default profile (although fixed at the present time) should be considered server-side policy. If we eventually make it configurable, we don't want older clients overriding it.
>
> I didn't mean the default value should be overridden on the clients, just that profile ID should stay optional on the client and use the default profile ID when unspecified.
>
OK, thanks for clarifying.

> > Thanks,
> > Fraser
> >
>
> -- 
> Jan Cholasta
[Freeipa-devel] [freeipa PR#323][closed] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Author: mbasti-rh
Title: #323: ipactl: pass api as argument to services
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/323/head:pr323
git checkout pr323
[Freeipa-devel] [freeipa PR#323][+pushed] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services
Label: +pushed
[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

mbasti-rh commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/15351ab6e7c188fb492e6815026d1d75c4d4d29b
"""

See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266429139
[Freeipa-devel] [freeipa PR#323][+ack] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services
Label: +ack
[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

stlaz commented:
"""
Works as expected. ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266427247
Re: [Freeipa-devel] CSR autogeneration next steps
On 12.12.2016 13:49, Fraser Tweedale wrote:
> (This is a tangential discussion, but...)
>
> On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
>> IMO profile ID should default to caIPAserviceCert on the client as well.
>
> NACK. Default profile (although fixed at the present time) should be considered server-side policy. If we eventually make it configurable, we don't want older clients overriding it.

I didn't mean the default value should be overridden on the clients, just that profile ID should stay optional on the client and use the default profile ID when unspecified.

> Thanks,
> Fraser

-- 
Jan Cholasta
[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission
URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

martbab commented:
"""
I have put on my Travis moustache and found these two failing tests, you will have to fix them:

```
=== FAILURES ===
test_permission_legacy.test_command[: permission_find: Check that some legacy permission is found in $SUFFIX]

self =
index = 0
declarative_test_definition = {'command': ('permission_find', [], {'ipapermlocation': ipapython.dn.DN('dc=ipa,dc=test'), 'version': '2.216'}), 'desc...6e430230>, 'truncated': False}, 'nice': ': permission_find: Check that some legacy permission is found in $SUFFIX'}

    def test_command(self, index, declarative_test_definition):
        """Run an individual test

        The arguments are provided by the pytest plugin.
        """
        if callable(declarative_test_definition):
            declarative_test_definition(self)
        else:
>           self.check(**declarative_test_definition)

/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:318:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:330: in check
    self.check_output(nice, cmd, args, options, expected, extra_check)
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:379: in check_output
    assert_deepequal(expected, got, nice)
/usr/lib/python2.7/site-packages/ipatests/util.py:388: in assert_deepequal
    assert_deepequal(e_sub, g_sub, doc, stack + (key,))
/usr/lib/python2.7/site-packages/ipatests/util.py:390: in assert_deepequal
    if not expected(got):
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

results = [{'attrs': ('objectclass',), 'cn': ('Certificate Remove Hold',), 'dn': 'cn=Certificate Remove Hold,cn=permissions,cn=p...eve Certificates from the CA,cn=permissions,cn=pbac,dc=ipa,dc=test', 'ipapermbindruletype': ('permission',), ...}, ...]

    def check_legacy_results(results):
        """Check that the expected number of legacy permissions are in $SUFFIX"""
        legacy_permissions = [p for p in results if not p.get('ipapermissiontype')]
        print(legacy_permissions)
>       assert len(legacy_permissions) == 9, len(legacy_permissions)
E       AssertionError: 8
E       assert 8 == 9
E        +  where 8 = len([{'attrs': ('objectclass',), 'cn': ('Certificate Remove Hold',), 'dn': 'cn=Certificate Remove Hold,cn=permissions,cn=p...eve Certificates from the CA,cn=permissions,cn=pbac,dc=ipa,dc=test', 'ipapermbindruletype': ('permission',), ...}, ...])

/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/test_permission_plugin.py:3128: AssertionError
```

I also wonder if there is a possibility for this removal to break replica install against older (IPA v3) masters.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/299#issuecomment-266423674
Re: [Freeipa-devel] CSR autogeneration next steps
(This is a tangential discussion, but...)

On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
> IMO profile ID should default to caIPAserviceCert on the client as well.
>
NACK. Default profile (although fixed at the present time) should be considered server-side policy. If we eventually make it configurable, we don't want older clients overriding it.

Thanks,
Fraser
[Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN
URL: https://github.com/freeipa/freeipa/pull/245 Author: frasertweedale Title: #245: Allow full customisability of IPA CA subject DN Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/245/head:pr245 git checkout pr245 From 64bf0106b65b30e5bd74d80a1a4b6140a04b5991 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Fri, 11 Nov 2016 18:54:01 +1000 Subject: [PATCH 1/7] Remove unused function argument Remove an unused function argument. Also rename the function to have a more accurate name. Part of: https://fedorahosted.org/freeipa/ticket/2614 --- ipaserver/install/server/install.py | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index b5b9cb4..4eadde3 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -242,7 +242,7 @@ def check_dirsrv(unattended): raise ScriptError(msg) -def set_subject_in_config(realm_name, dm_password, suffix, subject_base): +def set_subject_base_in_config(realm_name, dm_password, subject_base): ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % ( installutils.realm_to_serverid(realm_name) ) @@ -846,8 +846,7 @@ def install(installer): os.chmod(paths.IPA_CA_CRT, 0o644) ca_db.publish_ca_cert(paths.IPA_CA_CRT) -set_subject_in_config(realm_name, dm_password, - ipautil.realm_to_suffix(realm_name), options.subject) +set_subject_base_in_config(realm_name, dm_password, options.subject_base) # Apply any LDAP updates. Needs to be done after the configuration file # is created. DS is restarted in the process. From 7d5b85e1b54104e9f681a3420973a8315fb3038e Mon Sep 17 00:00:00 2001 
From: Fraser Tweedale Date: Wed, 16 Nov 2016 19:31:19 +1000 Subject: [PATCH 2/7] installutils: remove hardcoded subject DN assumption `installutils.load_external_cert` assumes that the IPA CA subject DN is `CN=Certificate Authority, {subject_base}`. In preparation for full customisability of IPA CA subject DN, push this assumption out of this function to call sites (which will be updated in a subsequent commit). Part of: https://fedorahosted.org/freeipa/ticket/2614 --- ipaserver/install/ca.py| 4 +++- ipaserver/install/installutils.py | 7 --- ipaserver/install/ipa_cacert_manage.py | 7 +-- 3 files changed, 12 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py index 4f64d99..4229053 100644 --- a/ipaserver/install/ca.py +++ b/ipaserver/install/ca.py @@ -100,7 +100,9 @@ def install_check(standalone, replica_config, options): "--external-ca.") external_cert_file, external_ca_file = installutils.load_external_cert( -options.external_cert_files, options.subject) +options.external_cert_files, +DN(('CN', 'Certificate Authority'), options.subject) +) elif options.external_ca: if cainstance.is_step_one_done(): raise ScriptError( diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py index a6cde89..2f311b4 100644 --- a/ipaserver/install/installutils.py +++ b/ipaserver/install/installutils.py @@ -1092,7 +1092,8 @@ def check_entropy(): except ValueError as e: root_logger.debug("Invalid value in %s %s", paths.ENTROPY_AVAIL, e) -def load_external_cert(files, subject_base): + +def load_external_cert(files, ca_subject): """ Load and verify external CA certificate chain from multiple files. 
@@ -1100,7 +1101,7 @@ def load_external_cert(files, subject_base): chain formats. :param files: Names of files to import -:param subject_base: Subject name base for IPA certificates +:param ca_subject: IPA CA subject DN :returns: Temporary file with the IPA CA certificate and temporary file with the external CA certificate chain """ @@ -1114,7 +1115,7 @@ def load_external_cert(files, subject_base): except RuntimeError as e: raise ScriptError(str(e)) -ca_subject = DN(('CN', 'Certificate Authority'), subject_base) +ca_subject = DN(ca_subject) ca_nickname = None cache = {} for nickname, _trust_flags in nssdb.list_certs(): diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py index 5a278f4..4082dfa 100644 --- a/ipaserver/install/ipa_cacert_manage.py +++ b/ipaserver/install/ipa_cacert_manage.py @@ -192,8 +192,6 @@ def renew_external_step_2(self, ca, old_cert_der): options = self.options conn = api.Backend.ldap2 -cert_file, ca_file = installutils.load_external_cert( -options.external_cert_files, x509.subject_base()) old_cert_obj = x509.load_certificate(old_cert_der, x509.DER) old_der_subject =
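Review bot: in the `install.py` hunk of PATCH 1/7, the call site in `install()` changes from `options.subject` to `options.subject_base`, yet nothing in this commit introduces a `subject_base` option, and PATCH 2/7 in the same series still passes `options.subject` to `load_external_cert` from `ca.py`. If the option is renamed only in a later commit, this commit breaks `ipa-server-install` on its own and the series is not bisectable; either move the rename ahead of this change or keep `options.subject` here and switch it together with the rest.

Review bot: in the `load_external_cert` hunk, `ca_subject = DN(ca_subject)` rebinds the parameter to normalise it, which is fine, but the new `:param ca_subject:` line should state that either a `DN` or a string in DN syntax is accepted, since that is what the wrapping is there for. The `ipa_cacert_manage.py` hunk removes the `cert_file, ca_file = installutils.load_external_cert(...)` assignment and the excerpt is cut off before any replacement appears; make sure both names are still assigned before their later use in `renew_external_step_2`.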
[Freeipa-devel] [freeipa PR#324][comment] Check for conflict entries before raising domain level
URL: https://github.com/freeipa/freeipa/pull/324
Title: #324: Check for conflict entries before raising domain level

martbab commented:
"""
I am still not happy with the PR, see review comments.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/324#issuecomment-266420463
[Freeipa-devel] [freeipa PR#62][+pushed] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install
Label: +pushed
[Freeipa-devel] [freeipa PR#62][closed] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
Title: #62: Configure Anonymous PKINIT on server install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

jcholast commented:
"""
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6
"""

See the full comment at https://github.com/freeipa/freeipa/pull/62#issuecomment-266420855
[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install
URL: https://github.com/freeipa/freeipa/pull/62 Author: simo5 Title: #62: Configure Anonymous PKINIT on server install Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/62/head:pr62 git checkout pr62 From dcda82da3ca6f6adac0f09d00df2aec3cc660817 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Tue, 26 Jul 2016 11:19:01 -0400 Subject: [PATCH] Configure Anonymous PKINIT on server install Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce --- install/share/kdc.conf.template | 2 +- install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++ install/share/profiles/Makefile.am | 1 + ipaclient/install/client.py | 2 +- ipalib/install/certmonger.py | 43 +++ ipaplatform/base/paths.py| 3 +- ipapython/dogtag.py | 4 + ipaserver/install/cainstance.py | 2 +- ipaserver/install/certs.py | 10 ++- ipaserver/install/dsinstance.py | 2 +- ipaserver/install/httpinstance.py| 2 +- ipaserver/install/krbinstance.py | 62 +++ ipaserver/install/server/__init__.py | 4 +- ipaserver/install/server/install.py | 21 +++--- ipaserver/install/server/replicainstall.py | 4 +- ipaserver/install/server/upgrade.py | 35 + ipaserver/plugins/cert.py| 86 - ipaserver/plugins/dogtag.py | 2 + 18 files changed, 325 insertions(+), 69 deletions(-) create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template index 296b75b..ec53a1f 100644 --- a/install/share/kdc.conf.template +++ b/install/share/kdc.conf.template @@ -12,6 +12,6 @@ dict_file = $DICT_WORDS default_principal_flags = +preauth ; admin_keytab = $KRB5KDC_KADM5_KEYTAB - pkinit_identity = FILE:$KDC_PEM + pkinit_identity = FILE:$KDC_CERT,$KDC_KEY pkinit_anchors = FILE:$CACERT_PEM } 
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg new file mode 100644 index 000..c5e412b --- /dev/null +++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg 
@@ -0,0 +1,109 @@ +profileId=KDCs_PKINIT_Certs +classId=caEnrollImpl +desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication. +visible=false +enable=true +enableBy=admin +auth.instance_id=raCertAuth +name=IPA-RA Agent-Authenticated Server Certificate Enrollment +input.list=i1,i2 +input.i1.class_id=certReqInputImpl +input.i2.class_id=submitterInfoInputImpl +output.list=o1 +output.o1.class_id=certOutputImpl +policyset.list=serverCertSet +policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11 +policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl +policyset.serverCertSet.1.constraint.name=Subject Name Constraint +policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+ +policyset.serverCertSet.1.constraint.params.accept=true +policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl +policyset.serverCertSet.1.default.name=Subject Name Default +policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O +policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl +policyset.serverCertSet.2.constraint.name=Validity Constraint +policyset.serverCertSet.2.constraint.params.range=740 +policyset.serverCertSet.2.constraint.params.notBeforeCheck=false +policyset.serverCertSet.2.constraint.params.notAfterCheck=false +policyset.serverCertSet.2.default.class_id=validityDefaultImpl +policyset.serverCertSet.2.default.name=Validity Default +policyset.serverCertSet.2.default.params.range=731 +policyset.serverCertSet.2.default.params.startTime=0 +policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl +policyset.serverCertSet.3.constraint.name=Key Constraint +policyset.serverCertSet.3.constraint.params.keyType=RSA +policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096 +policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl +policyset.serverCertSet.3.default.name=Key Default 
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl +policyset.serverCertSet.4.constraint.name=No Constraint +policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl +policyset.serverCertSet.4.default.name=Authority Key Identifier Default +policyset.serverCertSet.5.constraint.class_id=noConstraintImpl +policyset.serverCertSet.5.constraint.name=No Constraint +policyset.serverCertSet.5.default.class_id=authInfoAccessExtDefaultImpl +policyset.serverCertSet.5.defau
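Review bot: the new `KDCs_PKINIT_Certs.cfg` profile keeps `desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.` and `name=IPA-RA Agent-Authenticated Server Certificate Enrollment`, which is the generic service-certificate wording; since this profile exists specifically for KDC PKINIT certificates, the description and name should say so, otherwise an administrator listing profiles cannot tell it apart from the standard service profile. The excerpt stops at policy 5, so the KDC-specific content that PKINIT clients verify (the KDC extended key usage and the KDC principal name in the subjectAltName, per RFC 4556) is not visible here; confirm the remaining policies add them. On the `kdc.conf.template` hunk, switching to `pkinit_identity = FILE:$KDC_CERT,$KDC_KEY` means the template no longer references `$KDC_PEM`; since the series also touches `upgrade.py`, check that upgrades rewrite this line on existing installs rather than leaving them pointing at the combined PEM.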
Re: [Freeipa-devel] [PATCH] webui: 0084, 0101: refactoring rpc module
Moved to PR: https://github.com/freeipa/freeipa/pull/327

On 11/10/2016 07:47 PM, Petr Vobornik wrote:
> On 08/09/2016 01:29 PM, Pavel Vomacka wrote:
>> Hello,
>>
>> please review attached patches. The rpc module is now separated from display layer and changing activity text while loading metadata.
>>
>> https://fedorahosted.org/freeipa/ticket/6144
>
> patch 84:
> Looks good, works fine, it just needed rebase (I could provide that).
>
> Idea, but that doesn't have to be implemented, or sometime in future, right now it is not useful: What about providing the rpc object in the event, and having unique id for each rpc call so that we could track all rpc which are executed.
>
> patch 101:
> 1. It's event name but the property name looks like that it contains a text:
>
>   that.change_text = 'change-activity-text';
>
> Should it be rather: that.change_text_event.
>
> Or even, why does it compare previous text? Does it matter? Wouldn't be better to have 'set-activity' event. And then the handler would call something new set_text method:
>
>   set_text(new_activity)
>       that.dots = 0
>       that.text = new_activity
>       that.make_step()

-- 
Pavel^3 Vomacka
[Freeipa-devel] [freeipa PR#327][comment] WebUI: RPC refactoring
URL: https://github.com/freeipa/freeipa/pull/327
Title: #327: WebUI: RPC refactoring

pvomacka commented:
"""
Patch 84:
Yes, that is a really good idea, but as you said - we don't have a use case for it right now. But I created a ticket to not forget about it. https://fedorahosted.org/freeipa/ticket/6553

Patch 101:
I changed the name of the event to 'set-activity-event'; now it accepts one parameter, which is the new text of the activity widget. But it can be extended in the future to accept more parameters and set more attributes.

I think that creating a new method "that.set_text" or something similar can lead to calling that method instead of using topics (events). That's the reason why I left the setting of text in the anonymous function (event listener).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/327#issuecomment-266419398
[Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level
URL: https://github.com/freeipa/freeipa/pull/324 Author: tbordaz Title: #324: Check for conflict entries before raising domain level Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/324/head:pr324 git checkout pr324 From ffbddc0323a6169ee4cb3a824504f0b7805f869d Mon Sep 17 00:00:00 2001 From: Ludwig Krispenz Date: Fri, 9 Dec 2016 15:04:21 +0100 Subject: [PATCH] Check for conflict entries before raising domain level Checking of conflicts is not only done in topology container as tests showed it can occurs elsewhere https://fedorahosted.org/freeipa/ticket/6534 --- ipaserver/plugins/domainlevel.py | 27 +++ 1 file changed, 27 insertions(+) diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py index 42603d7..e536145 100644 --- a/ipaserver/plugins/domainlevel.py +++ b/ipaserver/plugins/domainlevel.py @@ -48,6 +48,26 @@ def get_domainlevel_range(master_entry): return DomainLevelRange(0, 0) +def check_conflict_entries(ldap, api): +""" +Returns true if conflict entries exist in topology subtree +""" + +container_dn = DN( +('cn', 'ipa'), +('cn', 'etc'), +api.env.basedn +) + +try: +ldap.get_entries( +filter="(&(nsds5replconflict=*)(|(objectclass=ldapsubentry)(objectclass=*)))", +base_dn=container_dn, +scope=ldap.SCOPE_SUBTREE) +return True +except errors.NotFound: +return False + def get_master_entries(ldap, api): """ Returns list of LDAPEntries representing IPA masters. 
@@ -131,6 +151,13 @@ def execute(self, *args, **options): .format(desired_value, master['cn'][0])) raise errors.InvalidDomainLevelError(reason=message) +# Check if conflict entries exist in topology subtree, should be resolved first +if check_conflict_entries(ldap, self.api): +message = _("Domain Level cannot be raised to {0}, " +"existing replication conflicts have to be resolved." +.format(desired_value)) +raise errors.InvalidDomainLevelError(reason=message) + current_entry.single_value['ipaDomainLevel'] = desired_value ldap.update_entry(current_entry) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
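Review bot: in the `check_conflict_entries` hunk, the docstring and the later in-line comment both say "topology subtree", but the search base is `cn=etc,$SUFFIX` with `SCOPE_SUBTREE`, which is deliberately wider (the commit message says conflicts occur elsewhere); update both texts to match. The function also fetches full entries only to throw them away: restrict the returned attributes and the number of results since only existence matters, and add a comment explaining that the `(|(objectclass=ldapsubentry)(objectclass=*))` clause is there so that the directory server returns subentries as well, or someone will later "simplify" it to `(objectclass=*)`. Only `errors.NotFound` is caught, so any other error from `get_entries` (a size limit being hit, for instance) surfaces as an unexpected failure of `domainlevel_set`.

Review bot: in the `execute` hunk, `.format(desired_value)` is applied to the string literal inside the `_()` call, so the translation catalog is looked up with the already-substituted text and never matches; write it as `_("Domain Level cannot be raised to {0}, existing replication conflicts have to be resolved.").format(desired_value)`.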
[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups
URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

apophys commented:
"""
The rewrite to integration test is in my queue.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-266418775
[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation
URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

martbab commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/210#issuecomment-266418295
[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups
URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

martbab commented:
"""
Any update on this PR?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/196#issuecomment-266418147
[Freeipa-devel] [freeipa PR#327][comment] WebUI: RPC refactoring
URL: https://github.com/freeipa/freeipa/pull/327
Title: #327: WebUI: RPC refactoring

pvomacka commented:
"""
The last comment from pvoborni:

"patch 84:
Looks good, works fine, it just needed rebase (I could provide that).

Idea, but that doesn't have to be implemented, or sometime in future, right now it is not useful: What about providing the rpc object in the event, and having unique id for each rpc call so that we could track all rpc which are executed.

patch 101:
1. It's event name but the property name looks like that it contains a text:

    that.change_text = 'change-activity-text';

Should it be rather: that.change_text_event.

Or even, why does it compare previous text? Does it matter? Wouldn't it be better to have 'set-activity' event. And then the handler would call something new set_text method:

    set_text(new_activity)
        that.dots = 0
        that.text = new_activity
        that.make_step()

-- Petr Vobornik"
"""

See the full comment at https://github.com/freeipa/freeipa/pull/327#issuecomment-266417734
[Freeipa-devel] [freeipa PR#327][opened] WebUI: RPC refactoring
URL: https://github.com/freeipa/freeipa/pull/327 Author: pvomacka Title: #327: WebUI: RPC refactoring Action: opened PR body: """ Moved from ML ( https://www.redhat.com/archives/freeipa-devel/2016-November/msg00338.html ) to PR. """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/327/head:pr327 git checkout pr327 From 6f83cd83c29ff7e419f6c0f294fb84abc404d8c2 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 28 Jul 2016 15:29:23 +0200 Subject: [PATCH 1/2] Refactoring of rpc module The rpc module is now separated from display layer. There are two new global topics: - 'rpc-start' for showing the widget which indicates execution of rpc calls - 'rpc-end' for hiding the widget which indicates execution of rpc calls. These two global topics replace the original methods IPA.display_activity_icon() and IPA.hide_activity_icon(). There is also new property of a command (notify_globally), which allows to turn off the widget which indicates network activity. Instead of classic activity indicator there can be called custom function at the beginning and at the end of network activity. There are also changes in internal communication in rpc.js module. There are four new events, two for calling on_success and on_error methods and two for calling custom functions at the beginning and at the end of network activity. https://fedorahosted.org/freeipa/ticket/6144 --- install/ui/src/freeipa/certificate.js | 60 + install/ui/src/freeipa/ipa.js | 55 ++-- install/ui/src/freeipa/plugins/login.js | 2 +- install/ui/src/freeipa/rpc.js | 85 +++-- install/ui/src/freeipa/widget.js| 16 +++-- install/ui/src/freeipa/widgets/SyncOTPScreen.js | 7 +- 6 files changed, 152 insertions(+), 73 deletions(-) diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js index 9ab4002..4666b1a 100755 --- a/install/ui/src/freeipa/certificate.js +++ b/install/ui/src/freeipa/certificate.js 
@@ -780,19 +780,35 @@ IPA.cert.request_action = function(spec) { IPA.cert.perform_revoke = function(spec, sn, revocation_reason, cacn) { -spec.hide_activity_icon = spec.hide_activity_icon || false; +/** + * Sets whether activity notification box will be shown + * during executing command or not. + */ +spec.notify_globally = spec.notify_globally === undefined ? true : +spec.notify_globally; + + +/** + * Specifies function which will be called before command execution starts. + */ +spec.start_handler = spec.start_handler || null; + +/** + * Specifies function which will be called after command execution ends. + */ +spec.end_handler = spec.end_handler || null; rpc.command({ entity: 'cert', method: 'revoke', -hide_activity_icon: spec.hide_activity_icon, args: [ sn ], options: { revocation_reason: revocation_reason, cacn: cacn }, -notify_activity_start: spec.notify_activity_start, -notify_activity_end: spec.notify_activity_end, +notify_globally: spec.notify_globally, +start_handler: spec.start_handler, +end_handler: spec.end_handler, on_success: spec.on_success, on_error: spec.on_error }).execute(); @@ -906,6 +922,25 @@ IPA.cert.remove_hold_action = function(spec) { IPA.cert.perform_remove_hold = function(spec, sn, cacn) { +/** + * Sets whether activity notification box will be shown + * during executing command or not. + */ +spec.notify_globally = spec.notify_globally === undefined ? true : +spec.notify_globally; + + +/** + * Specifies function which will be called before command execution starts. + */ +spec.start_handler = spec.start_handler || null; + +/** + * Specifies function which will be called after command execution ends. + */ +spec.end_handler = spec.end_handler || null; + + rpc.command({ entity: 'cert', method: 'remove_hold', 
@@ -913,7 +948,10 @@ IPA.cert.perform_remove_hold = function(spec, sn, cacn) { options: { cacn: cacn }, -on_success: spec.on_success +on_success: spec.on_success, +notify_globally: spec.notify_globally, +start_handler: spec.start_handler, +end_handler: spec.end_handler }).execute(); }; @@ -1409,11 +1447,11 @@ IPA.cert.cert_widget = function(spec) { on_ok: function() { var command_spec = { -hide_activity_icon: true, -notify_activity_end: function() { +notify_globally: false, +end_handler: function() { that.spinner.emit('hide-spinner'); }, -no
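Review bot: the three spec defaults (notify_globally, start_handler, end_handler) are copy-pasted, doc comments included, into both IPA.cert.perform_revoke and IPA.cert.perform_remove_hold; a small helper that applies the defaults to a spec, or letting rpc.command apply them once since it is the consumer, would keep the two call sites in sync. Also, `spec.notify_globally === undefined ? true : spec.notify_globally` means a caller passing null gets null (falsy) rather than true; if that is intended say so in the comment, otherwise test with `== null`.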
[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values
URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

martbab commented:
"""
Bump for review.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/181#issuecomment-266416346
[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

abbra commented:
"""
Thanks, fixed it.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266415709
[Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326/head:pr326 git checkout pr326 From 74fcf5c3d5520146a5b35d7c3ced2454c9a6e7e5 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 12 Dec 2016 10:30:51 +0200 Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Samba 4.5 does not allow to specify access mode for the keytab (FILE: or WRFILE:) from external sources. Thus, change the defaults to a path (implies FILE: prefix) while Samba Team fixes the code to allow the access mode prefix for keytabs. On upgrade we need to replace 'dedicated keytab file' value with the path to the Samba keytab that FreeIPA maintains. Since the configuration is stored in the Samba registry, we use net utility to manipulate the configuration: net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab Fixes https://fedorahosted.org/freeipa/ticket/6551 --- install/share/smb.conf.template | 2 +- ipaserver/install/server/upgrade.py | 22 ++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template index 2908b99..17bde5d 100644 --- a/install/share/smb.conf.template +++ b/install/share/smb.conf.template @@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME netbios name = $HOST_NETBIOS_NAME realm = $REALM kerberos method = dedicated keytab -dedicated keytab file = FILE:/etc/samba/samba.keytab +dedicated keytab file = /etc/samba/samba.keytab create krb5 conf = no security = user domain master = yes diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 2454507..9fbce88 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -47,6 +47,7 @@ from ipaserver.install import dnskeysyncinstance from ipaserver.install import krainstance from ipaserver.install import dogtaginstance +from ipaserver.install import adtrustinstance from ipaserver.install.upgradeinstance import IPAUpgrade from ipaserver.install.ldapupdate import BadSyntax @@ -267,6 +268,26 @@ def cleanup_adtrust(fstore): root_logger.debug('Removing %s from backup', backed_up_file) +def upgrade_adtrust_config(): +""" +Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix +""" + +if not adtrustinstance.ipa_smb_conf_exists(): +return + +root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' " + "in Samba configuration]") + +args = [paths.NET, "conf", "setparm", "global", +"dedicated keytab file", paths.SAMBA_KEYTAB] + +try: +ipautil.run(args) +except ipautil.CalledProcessError as e: +root_logger.warning("Error updating Samba registry: %s", e) + + def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') @@ -1653,6 +1674,7 @@ def upgrade_configuration(): cleanup_kdc(fstore) cleanup_adtrust(fstore) +upgrade_adtrust_config() bind = bindinstance.BindInstance(fstore) if bind.is_configured() and not bind.is_running(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
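Review bot: upgrade_adtrust_config() runs `net conf setparm` on every upgrade, even when the value already lacks the prefix; reading the current value first (`net conf getparm global 'dedicated keytab file'`) and rewriting only when it starts with FILE: or WRFILE: would keep the step idempotent and quiet in the upgrade log. In the except branch, a CalledProcessError is downgraded to a warning and the upgrade carries on, yet Samba 4.5 will then fail to open the keytab; the warning should at least tell the admin which command to run by hand (the `net conf setparm` invocation from the commit message).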
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

martbab commented:
"""
@jcholast @frasertweedale I hope you did notice those failures in Travis CI before acking/pushing...
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266415516
[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

mbasti-rh commented:
"""
I don't know
"""

See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266415165
[Freeipa-devel] [freeipa PR#177][closed] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
Title: #177: Add options to write lightweight CA cert or chain to file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
[Freeipa-devel] [freeipa PR#177][+pushed] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file
Label: +pushed
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c7ea56c049ec8ab1a5500852eca6faf750b1479f
https://fedorahosted.org/freeipa/changeset/cc5b88e5d4ac1171374be9ae8e6e60730243dd3d
https://fedorahosted.org/freeipa/changeset/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266414213
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
> I understand that the difference between those two sections could not be very
> clear. If you have any idea on how to improve this feel free to put a comment
> here or open a ticket.

I have, you can extend vault-find command :)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-266413702
[Freeipa-devel] [freeipa PR#177][+ack] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file
Label: +ack
[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

martbab commented:
"""
Pylint complains about an undefined function because you made a typo.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/326#issuecomment-266408970
[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177 Author: frasertweedale Title: #177: Add options to write lightweight CA cert or chain to file Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/177/head:pr177 git checkout pr177 From 9fc99100221906cf304493877f3c1885c3f8da87 Mon Sep 17 00:00:00 2001 From: Fraser Tweedale Date: Tue, 16 Aug 2016 13:16:58 +1000 Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7 Add a single function for extracting X.509 certs in PEM format from a PKCS #7 object. Refactor sites that execute ``openssl pkcs7`` to use the new function. Part of: https://fedorahosted.org/freeipa/ticket/6178 --- ipalib/x509.py | 29 ++- ipapython/certdb.py | 9 ++- ipaserver/install/cainstance.py | 52 +++-- 3 files changed, 49 insertions(+), 41 deletions(-) diff --git a/ipalib/x509.py b/ipalib/x509.py index e1c3867..851af5a 100644 --- a/ipalib/x509.py +++ b/ipalib/x509.py @@ -49,6 +49,14 @@ from ipalib import util from ipalib import errors from ipapython.dn import DN +from ipapython import ipautil + +try: +from ipaplatform.paths import paths +except ImportError: +OPENSSL = '/usr/bin/openssl' +else: +OPENSSL = paths.OPENSSL if six.PY3: unicode = str @@ -56,7 +64,9 @@ PEM = 0 DER = 1 -PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL) +PEM_REGEX = re.compile( +r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-', +re.DOTALL) EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1' EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2' 
@@ -145,6 +155,23 @@ def load_certificate_list_from_file(filename): return load_certificate_list(f.read()) +def pkcs7_to_pems(data, datatype=PEM): +""" +Extract certificates from a PKCS #7 object. + +Return a ``list`` of X.509 PEM strings. + +May throw ``ipautil.CalledProcessError`` on invalid data. + +""" +cmd = [ +OPENSSL, "pkcs7", "-print_certs", +"-inform", "PEM" if datatype == PEM else "DER", +] +result = ipautil.run(cmd, stdin=data, capture_output=True) +return PEM_REGEX.findall(result.output) + + def is_self_signed(certificate, datatype=PEM): cert = load_certificate(certificate, datatype) return cert.issuer == cert.subject diff --git a/ipapython/certdb.py b/ipapython/certdb.py index af98a77..6599a69 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -239,13 +239,8 @@ def import_files(self, files, db_password_filename, import_keys=False, continue if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'): -args = [ -OPENSSL, 'pkcs7', -'-print_certs', -] try: -result = ipautil.run( -args, stdin=body, capture_output=True) +certs = x509.pkcs7_to_pems(body) except ipautil.CalledProcessError as e: if label == 'CERTIFICATE': root_logger.warning( @@ -257,7 +252,7 @@ def import_files(self, files, db_password_filename, import_keys=False, filename, line, e) continue else: -extracted_certs += result.output + '\n' +extracted_certs += '\n'.join(certs) + '\n' loaded = True continue diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index bf79821..29acd7e 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py 
@@ -749,44 +749,30 @@ def __import_ca_chain(self): # makes openssl throw up. data = base64.b64decode(chain) -result = ipautil.run( -[paths.OPENSSL, - "pkcs7", - "-inform", - "DER", - "-print_certs", - ], stdin=data, capture_output=True) -certlist = result.output +certlist = x509.pkcs7_to_pems(data, x509.DER) # Ok, now we have all the certificates in certs, walk through it # and pull out each certificate and add it to our database -st = 1 -en = 0 -subid = 0 ca_dn = DN(('CN','Certificate Authority'), self.subject_base) -while st > 0: -st = certlist.find('-BEGIN', en) -en = certlist.find('-END', en+1) -if st > 0: -try: -(chain_fd, chain_name) = tempfile.mkstemp() -os.write(chain_fd, certlist[st:en+25]) -os.close(chain_fd) -
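Review bot: in the ipalib/x509.py hunk PEM_REGEX now matches the -BEGIN CERTIFICATE-/-END CERTIFICATE- markers as part of the match, where the old lookbehind/lookahead pattern returned only the text between them; every other caller of PEM_REGEX in this module has to be checked, because a caller that fed the old match to a base64 decoder will now receive the marker lines as well. The same hunk falls back to OPENSSL = '/usr/bin/openssl' when ipaplatform.paths cannot be imported; a comment stating when that ImportError is expected would help, since the fallback silently ignores the platform's configured path.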
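Review bot: pkcs7_to_pems() does not say whether `data` is str or bytes, yet the certdb.py caller passes the PEM body from a text file while the cainstance.py caller passes base64-decoded DER bytes; under Python 3 ipautil.run's stdin cannot take both transparently, so the docstring should state the accepted type for each `datatype` and the type of the returned PEM strings. The docstring also says it "may throw CalledProcessError on invalid data", but a well-formed PKCS #7 that carries no certificates returns an empty list silently; document that so callers which require at least one certificate check for it.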
[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file
URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast right you are. PR updated with conditional import. Thanks.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/177#issuecomment-266400860
[Freeipa-devel] [freeipa PR#319][+pushed] [master] gracefully handle setting replica bind dn group on old masters
URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old masters
Label: +pushed
[Freeipa-devel] [freeipa PR#319][closed] [master] gracefully handle setting replica bind dn group on old masters
URL: https://github.com/freeipa/freeipa/pull/319
Author: martbab
Title: #319: [master] gracefully handle setting replica bind dn group on old masters
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/319/head:pr319
git checkout pr319
[Freeipa-devel] [freeipa PR#319][comment] [master] gracefully handle setting replica bind dn group on old masters
URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old masters

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/95e602598a481f9c4a3b69ce8a861bf3816aa8ba
"""

See the full comment at https://github.com/freeipa/freeipa/pull/319#issuecomment-266399054
[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA
URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
The main problem here is that we are mixing two approaches together, i.e. entropy specification using bits + specification using character classes etc. which used to be means of expressing entropy requirements in a way understandable by ordinary users.

If I understand it correctly, the encoding here is just to please password-quality checkers because the real password strength should be provided by the `entropy` parameter.

So I propose to use character classes only for encoding but not during generation. That should simplify the code and make it easier to understand.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/317#issuecomment-266397912
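The proposal above, entropy stated in bits and character classes used only to shape the output, can be made concrete and its cost measured. The following is an added illustration written for this digest; it is not FreeIPA's ipapython code and the class policy, function names and realm of values are constructed. The length is computed from the requested bits with exact integer arithmetic, candidates are drawn uniformly from the union alphabet, and candidates missing a required class are rejected. Rejection keeps the draw uniform over the accepted strings, so the exact entropy is log2 of the count of accepted strings, which the code computes by inclusion-exclusion and uses to lengthen the password until the requested bits are really delivered.

```python
"""Entropy-first password generation; character classes only constrain the
encoding (constructed illustration of the proposal, not FreeIPA's code)."""
import math
import secrets
import string

# Constructed policy: the classes a password-quality checker typically wants.
DEFAULT_CLASSES = (frozenset(string.ascii_lowercase),
                   frozenset(string.ascii_uppercase),
                   frozenset(string.digits))


def password_length(entropy_bits, alphabet_size):
    """Smallest L with alphabet_size**L >= 2**entropy_bits (exact integers)."""
    length = 1
    while alphabet_size ** length < 2 ** entropy_bits:
        length += 1
    return length


def satisfies(password, classes):
    """True if the password contains at least one character of every class."""
    return all(any(ch in cls for ch in password) for cls in classes)


def count_valid(classes, length):
    """Number of length-L strings over the union alphabet that contain every
    class, by inclusion-exclusion over the subsets of classes left out."""
    classes = [frozenset(c) for c in classes]
    alphabet_size = len(frozenset().union(*classes))
    total = 0
    for mask in range(1 << len(classes)):
        left_out = frozenset().union(
            *[c for i, c in enumerate(classes) if mask >> i & 1])
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * (alphabet_size - len(left_out)) ** length
    return total


def effective_entropy_bits(classes, length):
    """Entropy of a uniform draw over the class-satisfying strings of length L."""
    return math.log2(count_valid(classes, length))


def generate_password(entropy_bits, classes=DEFAULT_CLASSES):
    """Uniform draw over strings that satisfy the classes, long enough that the
    accepted set alone carries at least entropy_bits of entropy."""
    alphabet = sorted(frozenset().union(*classes))
    # A string shorter than the number of disjoint classes can never satisfy
    # them all; start there so the rejection loop below always terminates.
    length = max(password_length(entropy_bits, len(alphabet)), len(classes))
    while effective_entropy_bits(classes, length) < entropy_bits:
        length += 1  # the class requirement removed some strings; pay for it
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(candidate, classes):
            return candidate


if __name__ == "__main__":
    pw = generate_password(128)
    print(len(pw), "chars,",
          round(effective_entropy_bits(DEFAULT_CLASSES, len(pw)), 2), "bits")
```

For the 62-character alphabet a 128-bit request needs 22 characters and requiring all three classes costs only about 0.03 bit at that length, which is why the rejection loop almost never has to lengthen the password; for tiny requests (8 bits with three classes) the class minimum, not the entropy, sets the length.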
[Freeipa-devel] [freeipa PR#319][+ack] [master] gracefully handle setting replica bind dn group on old masters
URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old masters
Label: +ack
[Freeipa-devel] [freeipa PR#319][comment] [master] gracefully handle setting replica bind dn group on old masters
URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old masters

flo-renaud commented:
"""
Hi,
thanks for the patch. It works as expected.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/319#issuecomment-266396960
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On Mon, 2016-12-12 at 09:42 +0100, Christian Heimes wrote:
> Hi Simo,
> 
> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
> of Kerberos requests are performed by anon pkinit and to establish a
> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
> and AP-REQ+KRB-PRV. Responses are not filtered.

No changes needed, we only use AS and TGS request types.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
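The request-type filter the thread describes, and why anonymous PKINIT and FAST pass it unchanged, can be seen on the wire: PKINIT and FAST live in the pre-authentication data inside an AS-REQ or TGS-REQ, so the outer ASN.1 APPLICATION tag the proxy inspects is still one of the allowed ones. The following is an added Python illustration written for this digest, not python-kdcproxy's code. It unwraps the KDC-PROXY-MESSAGE envelope (MS-KKDCP), classifies the inner Kerberos message by its APPLICATION tag (RFC 4120 section 5.10), recognises the RFC 3244 kpasswd frame (AP-REQ followed by KRB-PRIV), and forwards only those three kinds; the skeleton messages and the realm EXAMPLE.TEST are constructed sample traffic.

```python
"""Request-type filter of the kind a KDC proxy applies before relaying a
client's message (constructed illustration; not python-kdcproxy's code)."""
import struct

# Kerberos messages are APPLICATION-tagged (RFC 4120, section 5.10).
KRB_APP_TAGS = {10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
                14: "AP-REQ", 15: "AP-REP", 21: "KRB-PRIV", 30: "KRB-ERROR"}
# Client messages the proxy relays: KDC exchanges plus the kpasswd frame.
ALLOWED = {"AS-REQ", "TGS-REQ", "KPASSWD"}
KPASSWD_VERSION = 0xFF80  # protocol-version marker of an RFC 3244 frame


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der(tag, content):
    """Encode one DER tag-length-value."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def unwrap_proxy_message(data):
    """Extract the Kerberos message from a KDC-PROXY-MESSAGE (MS-KKDCP):
    SEQUENCE { [0] OCTET STRING kerb-message, [1] target-domain OPTIONAL, ... }
    where kerb-message uses TCP framing: 4-byte big-endian length + message."""
    tag, seq, _ = der_tlv(data)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, ctx0, _ = der_tlv(seq)
    if tag != 0xA0:
        raise ValueError("first element is not [0] kerb-message")
    tag, framed, _ = der_tlv(ctx0)
    if tag != 0x04:
        raise ValueError("kerb-message is not an OCTET STRING")
    (length,) = struct.unpack("!I", framed[:4])
    if length != len(framed) - 4:
        raise ValueError("length prefix disagrees with payload size")
    return framed[4:]


def classify(msg):
    """Name the message type, or KPASSWD for an RFC 3244 change-password frame."""
    if len(msg) >= 6 and struct.unpack("!HH", msg[:4]) == (len(msg), KPASSWD_VERSION):
        # kpasswd frame: msg-len, version, AP-REQ len, AP-REQ, KRB-PRIV
        (ap_len,) = struct.unpack("!H", msg[4:6])
        if msg[6] & 0x1F == 14 and msg[6 + ap_len] & 0x1F == 21:
            return "KPASSWD"
        return "UNKNOWN"
    if msg[0] & 0xE0 != 0x60:  # not APPLICATION/constructed
        return "UNKNOWN"
    return KRB_APP_TAGS.get(msg[0] & 0x1F, "UNKNOWN")


def should_forward(proxy_bytes):
    """Proxy decision for one client request: (forward?, message type)."""
    try:
        kind = classify(unwrap_proxy_message(proxy_bytes))
    except (ValueError, IndexError, struct.error):
        return False, "malformed"
    return kind in ALLOWED, kind


# Constructed sample traffic. Real messages carry req-body, padata and so on;
# the filter only looks at the outer tag, so skeletons suffice here.
def skeleton(app_tag):
    """[APPLICATION app_tag] SEQUENCE { pvno [1] 5, msg-type [2] app_tag }."""
    body = der(0xA1, der(0x02, b"\x05")) + der(0xA2, der(0x02, bytes([app_tag])))
    return der(0x60 | app_tag, der(0x30, body))


def kpasswd_frame(ap_req, krb_priv):
    total = 6 + len(ap_req) + len(krb_priv)  # the length field counts itself
    return struct.pack("!HHH", total, KPASSWD_VERSION, len(ap_req)) + ap_req + krb_priv


def proxy_message(krb_msg, realm="EXAMPLE.TEST"):
    """Wrap a message as a client would: TCP framing inside KDC-PROXY-MESSAGE."""
    framed = struct.pack("!I", len(krb_msg)) + krb_msg
    return der(0x30, der(0xA0, der(0x04, framed)) + der(0xA1, der(0x1B, realm.encode())))


SAMPLES = {
    "as_req": proxy_message(skeleton(10)),
    "tgs_req": proxy_message(skeleton(12)),
    "bare_ap_req": proxy_message(skeleton(14)),
    "kpasswd": proxy_message(kpasswd_frame(skeleton(14), skeleton(21))),
    "garbage": b"\x30\x02\xa0\x00",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, should_forward(blob))
```

A bare AP-REQ is rejected even though AP-REQ is a legitimate Kerberos message, because the proxy only has a use for it as the first half of a kpasswd frame; responses from the KDC are not inspected, matching what the thread says about python-kdcproxy.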
[Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code
URL: https://github.com/freeipa/freeipa/pull/301
Title: #301: scripts, tests: explicitly set confdir in the rest of server code

tiran commented:
"""
I'll review the patch by the end of the week. Some changes are not required.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/301#issuecomment-266384886
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On 2016-12-12 10:37, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Alexander Bokovoy wrote:
>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>>>> Hi Simo,
>>>>>
>>>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>>>> of Kerberos requests are performed by anon pkinit and to establish a
>>>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>>>> and AP-REQ+KRB-PRV. Responses are not filtered.
>>>> Anonymous principal as configured in FreeIPA can only be used to obtain
>>>> a TGT, nothing else.
>>>>
>>>> See https://tools.ietf.org/html/rfc6112 for a spec definition.
>>>
>>> That doesn't answer my question for me. Or does 'only TGT' imply that
>>> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
>>> about the two request types.
>> You can only obtain a TGT and this TGT can only be used for FAST
>> channel. You cannot obtain any service ticket with this TGT.
> To close the loop, no changes in kdcproxy are needed because PKINIT is a
> pre-authentication scheme and it works just fine with kdcproxy as it is.
> I just tested this.

Alexander, thanks for your tests!

I have created an issue to add test cases to kdcproxy to ensure that we
stay compatible with PKINIT, https://github.com/latchset/kdcproxy/issues/23

Christian
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On ma, 12 joulu 2016, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Christian Heimes wrote:
>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>>> Hi Simo,
>>>>
>>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>>> of Kerberos requests are performed by anon pkinit and to establish a
>>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>>> and AP-REQ+KRB-PRV. Responses are not filtered.
>>> Anonymous principal as configured in FreeIPA can only be used to obtain
>>> a TGT, nothing else.
>>>
>>> See https://tools.ietf.org/html/rfc6112 for a spec definition.
>>
>> That doesn't answer my question for me. Or does 'only TGT' imply that
>> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
>> about the two request types.
> You can only obtain a TGT and this TGT can only be used for FAST
> channel. You cannot obtain any service ticket with this TGT.
To close the loop, no changes in kdcproxy are needed because PKINIT is a
pre-authentication scheme and it works just fine with kdcproxy as it is.
I just tested this.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On ma, 12 joulu 2016, Christian Heimes wrote:
> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>> On ma, 12 joulu 2016, Christian Heimes wrote:
>>> Hi Simo,
>>>
>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>> of Kerberos requests are performed by anon pkinit and to establish a
>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>> and AP-REQ+KRB-PRV. Responses are not filtered.
>> Anonymous principal as configured in FreeIPA can only be used to obtain
>> a TGT, nothing else.
>>
>> See https://tools.ietf.org/html/rfc6112 for a spec definition.
>
> That doesn't answer my question for me. Or does 'only TGT' imply that
> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
> about the two request types.
You can only obtain a TGT and this TGT can only be used for FAST
channel. You cannot obtain any service ticket with this TGT.

-- 
/ Alexander Bokovoy
[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management
URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

pvomacka commented:
"""
@mbasti-rh Thank you for review.

1. Fixed
2. Fixed

Additionally I fixed two more issues which I found during testing. The tables on User Vaults or Service Vaults didn't show different (different users/services) vaults which have the same name - FIXED now. The second issue was that when, i.e., admin adds a user/share vault on the service page, the search page with the new vault was not refreshed - FIXED now.

3. My User Vaults calls vault-find which returns all Vaults where the currently logged-in user is in the Owners or Members group. It is called without --pkey-only, because we want to get also information about vault type in response. User Vaults shows all user vaults (of all users) and there is --pkey-only because we call vault-show for each user vault which is returned and in each vault-show response we get all (and several more) information which are also in vault-find (without --pkey-only). So, we don't need to transfer data (those parts which are in both responses) twice.

I understand that the difference between those two sections could not be very clear. If you have any idea on how to improve this feel free to put a comment here or open a ticket.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/139#issuecomment-266378821
[Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326/head:pr326 git checkout pr326 From 93c1e574ed44d3195aa1402eece5b8391fd6d93d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 12 Dec 2016 10:30:51 +0200 Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Samba 4.5 does not allow to specify access mode for the keytab (FILE: or WRFILE:) from external sources. Thus, change the defaults to a path (implies FILE: prefix) while Samba Team fixes the code to allow the access mode prefix for keytabs. On upgrade we need to replace 'dedicated keytab file' value with the path to the Samba keytab that FreeIPA maintains. Since the configuration is stored in the Samba registry, we use net utility to manipulate the configuration: net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab Fixes https://fedorahosted.org/freeipa/ticket/6551 --- install/share/smb.conf.template | 2 +- ipaserver/install/server/upgrade.py | 22 ++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template index 2908b99..17bde5d 100644 --- a/install/share/smb.conf.template +++ b/install/share/smb.conf.template @@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME netbios name = $HOST_NETBIOS_NAME realm = $REALM kerberos method = dedicated keytab -dedicated keytab file = FILE:/etc/samba/samba.keytab +dedicated keytab file = /etc/samba/samba.keytab create krb5 conf = no security = user domain master = yes diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 2454507..4ade2f9 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py 
@@ -47,6 +47,7 @@ from ipaserver.install import dnskeysyncinstance from ipaserver.install import krainstance from ipaserver.install import dogtaginstance +from ipaserver.install import adtrustinstance from ipaserver.install.upgradeinstance import IPAUpgrade from ipaserver.install.ldapupdate import BadSyntax @@ -267,6 +268,26 @@ def cleanup_adtrust(fstore): root_logger.debug('Removing %s from backup', backed_up_file) +def upgrade_adtrust_config(): +""" +Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix +""" + +if not adtrustinstance.ipa_smb_conf_exists(): +return + +root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' " + "in Samba configuration]") + +args = [paths.NET, "conf", "setparm", "global", +"dedicated keytab file", paths.SAMBA_KEYTAB] + +try: +ipautil.run(args) +except ipautil.CalledProcessError as e: +root_logger.warning("Error updating Samba registry: %s", e) + + def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') @@ -1653,6 +1674,7 @@ def upgrade_configuration(): cleanup_kdc(fstore) cleanup_adtrust(fstore) +upgrade_atrust_config() bind = bindinstance.BindInstance(fstore) if bind.is_configured() and not bind.is_running(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
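Review bot: the call added to upgrade_configuration() is spelled `upgrade_atrust_config()`, but the function defined in the earlier hunk is `upgrade_adtrust_config()`; as written this raises NameError right after `cleanup_adtrust(fstore)` and aborts the whole upgrade. Rename the call to `upgrade_adtrust_config()`.

Review bot: upgrade_adtrust_config() writes paths.SAMBA_KEYTAB into the Samba registry unconditionally on every upgrade run, so an administrator's custom keytab path is silently replaced and the "[Remove FILE: prefix from 'dedicated keytab file' ...]" line is logged even when nothing changes. Read the current 'dedicated keytab file' value first and only rewrite it when it carries a FILE: (or WRFILE:) prefix, keeping the path that is already configured; that also makes the step idempotent.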
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On 2016-12-12 09:54, Alexander Bokovoy wrote:
> On ma, 12 joulu 2016, Christian Heimes wrote:
>> Hi Simo,
>>
>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind of Kerberos requests are performed by anon pkinit and to establish a FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ and AP-REQ+KRB-PRV. Responses are not filtered.
>
> Anonymous principal as configured in FreeIPA can only be used to obtain a TGT, nothing else.
>
> See https://tools.ietf.org/html/rfc6112 for a spec definition.

That doesn't answer my question for me. Or does 'only TGT' imply that request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks about the two request types.

Christian
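As an added example (not code from python-kdcproxy, FreeIPA, or anyone in this thread), here is a minimal request-type gate of the kind the question describes: it classifies a proxied kerb-message by the outer ASN.1 APPLICATION tag plus the kpasswd framing and accepts only AS-REQ, TGS-REQ and AP-REQ+KRB-PRIV. It assumes the 4-byte length framing that MS-KKDCP carries over from the Kerberos TCP transport and the RFC 3244 kpasswd layout; the sample messages are constructed stubs.

```python
import struct

# RFC 4120 APPLICATION tag numbers for the message types of interest.
AS_REQ, TGS_REQ, AP_REQ, KRB_PRIV = 10, 12, 14, 21
ALLOWED_KDC_REQUESTS = {AS_REQ: "AS-REQ", TGS_REQ: "TGS-REQ"}


def application_tag(der):
    """Return the APPLICATION tag number of a constructed DER value, or None."""
    if not der:
        return None
    first = der[0]
    # Kerberos messages are constructed APPLICATION tags: 0x60 | tag number.
    if first & 0xE0 != 0x60 or first & 0x1F == 0x1F:
        return None
    return first & 0x1F


def classify(kerb_message):
    """Classify a kerb-message body (TCP framing: 4-byte big-endian length).

    Returns 'AS-REQ', 'TGS-REQ', 'KPASSWD' (AP-REQ + KRB-PRIV) or 'REJECT'.
    PKINIT (PA-PK-AS-REQ) and FAST (PA-FX-FAST) are padata inside the KDC-REQ,
    so the outer tag is unchanged and such requests pass as plain AS-REQ/TGS-REQ.
    """
    if len(kerb_message) < 4:
        return "REJECT"
    (length,) = struct.unpack("!I", kerb_message[:4])
    body = kerb_message[4:]
    if length != len(body):
        return "REJECT"
    tag = application_tag(body)
    if tag in ALLOWED_KDC_REQUESTS:
        return ALLOWED_KDC_REQUESTS[tag]
    # kpasswd (RFC 3244): 2-byte message length, 2-byte version (1),
    # 2-byte AP-REQ length, then AP-REQ followed by KRB-PRIV.
    if len(body) >= 6:
        msg_len, version, ap_len = struct.unpack("!HHH", body[:6])
        if msg_len == len(body) and version == 1 and 6 + ap_len < len(body):
            ap_req, krb_priv = body[6:6 + ap_len], body[6 + ap_len:]
            if (application_tag(ap_req) == AP_REQ
                    and application_tag(krb_priv) == KRB_PRIV):
                return "KPASSWD"
    return "REJECT"


def framed(der):
    """Prefix a DER message with the 4-byte length used by kerb-message."""
    return struct.pack("!I", len(der)) + der


# Constructed stubs: an empty SEQUENCE under the right APPLICATION tag is
# enough here, because only the outer tag and the framing are inspected.
SAMPLE_AS_REQ = framed(bytes([0x6A, 0x02, 0x30, 0x00]))
SAMPLE_TGS_REQ = framed(bytes([0x6C, 0x02, 0x30, 0x00]))
SAMPLE_AS_REP = framed(bytes([0x6B, 0x02, 0x30, 0x00]))  # a reply, not a request
_AP_REQ, _KRB_PRIV = bytes([0x6E, 0x02, 0x30, 0x00]), bytes([0x75, 0x02, 0x30, 0x00])
SAMPLE_KPASSWD = framed(struct.pack("!HHH", 6 + 8, 1, 4) + _AP_REQ + _KRB_PRIV)
```

A gate at this level never sees whether the AS-REQ inside carries anonymous PKINIT or FAST armor, which is why the thread's question reduces to the two KDC request types.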
[Freeipa-devel] [freeipa PR#326][opened] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf
URL: https://github.com/freeipa/freeipa/pull/326 Author: abbra Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Action: opened PR body: """ Samba 4.5 does not allow to specify access mode for the keytab (FILE: or WRFILE:) from external sources. Thus, change the defaults to a path (implies FILE: prefix) while Samba Team fixes the code to allow the access mode prefix for keytabs. On upgrade we need to replace 'dedicated keytab file' value with the path to the Samba keytab that FreeIPA maintains. Since the configuration is stored in the Samba registry, we use net utility to manipulate the configuration: net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab Fixes https://fedorahosted.org/freeipa/ticket/6551 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/326/head:pr326 git checkout pr326 From 04aba48840c95a95e48fc397545b3e7d67516575 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 12 Dec 2016 10:30:51 +0200 Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf Samba 4.5 does not allow to specify access mode for the keytab (FILE: or WRFILE:) from external sources. Thus, change the defaults to a path (implies FILE: prefix) while Samba Team fixes the code to allow the access mode prefix for keytabs. On upgrade we need to replace 'dedicated keytab file' value with the path to the Samba keytab that FreeIPA maintains. Since the configuration is stored in the Samba registry, we use net utility to manipulate the configuration: net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab Fixes https://fedorahosted.org/freeipa/ticket/6551 --- install/share/smb.conf.template | 2 +- ipaserver/install/server/upgrade.py | 20 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template index 2908b99..17bde5d 100644 
--- a/install/share/smb.conf.template +++ b/install/share/smb.conf.template @@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME netbios name = $HOST_NETBIOS_NAME realm = $REALM kerberos method = dedicated keytab -dedicated keytab file = FILE:/etc/samba/samba.keytab +dedicated keytab file = /etc/samba/samba.keytab create krb5 conf = no security = user domain master = yes diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py index 2454507..77a1f11 100644 --- a/ipaserver/install/server/upgrade.py +++ b/ipaserver/install/server/upgrade.py @@ -47,6 +47,7 @@ from ipaserver.install import dnskeysyncinstance from ipaserver.install import krainstance from ipaserver.install import dogtaginstance +from ipaserver.install import adtrustinstance from ipaserver.install.upgradeinstance import IPAUpgrade from ipaserver.install.ldapupdate import BadSyntax @@ -266,6 +267,24 @@ def cleanup_adtrust(fstore): fstore.untrack_file(backed_up_file) root_logger.debug('Removing %s from backup', backed_up_file) +def upgrade_adtrust_config(): +""" +Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix +""" + +if not adtrustinstance.ipa_smb_conf_exists(): +return + +root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' " + "in Samba configuration]") + +args = [paths.NET, "conf", "setparm", "global", +"dedicated keytab file", paths.SAMBA_KEYTAB] + +try: +ipautil.run(args) +except ipautil.CalledProcessError as e: +root_logger.warning("Error updating Samba registry: %s", e) def ca_configure_profiles_acl(ca): root_logger.info('[Authorizing RA Agent to modify profiles]') 
@@ -1653,6 +1672,7 @@ def upgrade_configuration(): cleanup_kdc(fstore) cleanup_adtrust(fstore) +upgrade_atrust_config() bind = bindinstance.BindInstance(fstore) if bind.is_configured() and not bind.is_running(): -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
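Review bot: the call added to upgrade_configuration() is `upgrade_atrust_config()`, while the new function is named `upgrade_adtrust_config()`; the mismatch raises NameError at upgrade time right after `cleanup_adtrust(fstore)`. Fix the spelling of the call.

Review bot: upgrade_adtrust_config() is inserted directly after the last line of cleanup_adtrust() and directly before `def ca_configure_profiles_acl(ca):` without the two blank lines the rest of the module uses between top-level definitions. On the logic side, `net conf setparm` is run with paths.SAMBA_KEYTAB on every upgrade regardless of the current value, so a deliberately different keytab path would be overwritten; check the existing 'dedicated keytab file' value and only strip a FILE:/WRFILE: prefix from it.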
[Freeipa-devel] [freeipa PR#325][opened] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
URL: https://github.com/freeipa/freeipa/pull/325 Author: pvomacka Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views Action: opened PR body: """ There was missing default value for evaluator adapter. In that case the adapter variable could be undefined and it crashes on building adapter. Therefore it did not evaluate all evaluators. That is the reason why 'Delete' and 'Add' buttons were incorrectly shown. Default value is now set to empty object. https://fedorahosted.org/freeipa/ticket/6546 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/325/head:pr325 git checkout pr325 From b7d617e0c44562401c55ef7ce22867e1b2ef7885 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Mon, 12 Dec 2016 09:44:40 +0100 Subject: [PATCH] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views There was missing default value for evaluator adapter. In that case the adapter variable could be undefined and it crashes on building adapter. Therefore it did not evaluate all evaluators. That is the reason why 'Delete' and 'Add' buttons were incorrectly shown. Default value is now set to empty object. https://fedorahosted.org/freeipa/ticket/6546 --- install/ui/src/freeipa/details.js | 1 + 1 file changed, 1 insertion(+) diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js index e274e6f..9f0e632 100644 --- a/install/ui/src/freeipa/details.js +++ b/install/ui/src/freeipa/details.js @@ -1647,6 +1647,7 @@ exp.value_state_evaluator = IPA.value_state_evaluator = function(spec) { spec.name = spec.name || 'value_state_evaluator'; spec.event = spec.event || 'post_load'; +spec.adapter = spec.adapter || {}; var that = IPA.state_evaluator(spec); -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
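Review bot: the `spec.adapter = spec.adapter || {};` default is added only in value_state_evaluator, immediately before it delegates to `IPA.state_evaluator(spec)`. If the adapter is built in that shared constructor, as the description of the crash suggests, any other evaluator created through IPA.state_evaluator without spec.adapter hits the same undefined-adapter failure; consider placing the default in the shared code instead, and add a Web UI test for the ID Views hosts tab buttons so the regression in ticket 6546 stays covered.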
Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy
On ma, 12 joulu 2016, Christian Heimes wrote:
> Hi Simo,
>
> I'm wondering if we need to change kdcproxy for anon pkinit. What kind of Kerberos requests are performed by anon pkinit and to establish a FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ and AP-REQ+KRB-PRV. Responses are not filtered.

Anonymous principal as configured in FreeIPA can only be used to obtain a TGT, nothing else.

See https://tools.ietf.org/html/rfc6112 for a spec definition.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] CSR autogeneration next steps
On 5.12.2016 16:48, Ben Lipton wrote:
> Hi Jan, thanks for the comments.
>
> On 12/05/2016 04:25 AM, Jan Cholasta wrote:
>> Hi Ben,
>>
>> On 3.11.2016 00:12, Ben Lipton wrote:
>>> Hi everybody,
>>>
>>> Soon I'm going to have to reduce the amount of time I spend on new development work for the CSR autogeneration project, and I want to leave the project in as organized a state as possible. So, I'm taking inventory of the work I've done in order to make sure that what's ready for review can get reviewed and the ideas that have been discussed get prototyped or at least recorded so they won't be forgotten.
>>
>> Thanks, I have some questions and comments, see below.
>>
>>> Code that's ready for review (I will continue to put in as much time as needed to help get these ready for submission):
>>>
>>> - Current PR: https://github.com/freeipa/freeipa/pull/10
>>
>> How hard would it be to update the PR to use the "new" interface from the design thread? By this I mean that currently there is a command (cert_get_requestdata), which creates a CSR from profile id + principal + helper, but in the design we discussed a command which creates a CertificationRequestInfo from profile id + principal + public key. Internally it could use the OpenSSL helper, no need to implement the full "new" design. With your build_requestinfo.c code below it looks like it should be pretty straightforward.
>
> This is probably doable with the cffi, but I'm concerned about usability. A user can run the current command to get a (reusable) script, and run the script to get a CSR. It works with keys in both PEM files and NSS databases already. If we change to outputting a CertificationRequestInfo, in order to make this usable on the command line, we'll need:
>
> - An additional tool to sign a CSR given a CertificationRequestInfo (for both types of key storage).
> - A way to extract a SubjectPublicKeyInfo structure from a key within the ipa command (like [1] but we need it for both types of key storage)
>
> Since as far as I know there's no standard encoding for files containing only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be writing and distributing these ourselves. I think that's where most of the extra work will come in.

For PEM files, this is easily doable using python-cryptography (to extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and PyASN1 (to create a CSR from the CertificationRequestInfo and the signature). For NSS databases, this will be trickier and will require calling C functions, as neither certutil nor python-nss provide a way to a) address existing keys in the database by key ID b) get SubjectPublicKeyInfo for a given key.

As for encoding, the obvious choice is DER. It does not really matter that there is no standard file format, as we won't be transferring these as files anyway.

> Would it be ok to stick with the current design in this PR? I'd feel much better if we could get the basic functionality into the repo and then iterate on it rather than changing the plan at this point. I can create a separate PR to change cert_get_requestdata to this new interface and at the same time add the necessary adapters (bullet points above) to make it user-friendly.

Works for me.

> I would probably just implement the adapters within the cert_build/cert_request client code unless you think having standalone tools is valuable. I suppose certmonger is going to need these features too, but I don't know how well sharing code between them is going to work.

cert-request is exactly the place where it should be :-)

I wouldn't bother with certmonger until we have a server-side csrgen.
>>> - Allow some fields to be specified by the user at creation time: https://github.com/LiptonB/freeipa/commits/local-user-data
>>
>> Good idea :-)
>>
>>> - Automation for the full process from getting CSR data to requesting cert: https://github.com/LiptonB/freeipa/commits/local-cert-build
>>
>> LGTM, although I would prefer if this was a client-side extension of cert-request rather than a completely new command.
>
> I did try that at first, but I struggled to figure out the interface for the modified cert-request. (Not that the current solution is so great, what with the copying of options from cert_request and certreq.) If I remember correctly, I was uncertain how to implement parameters that are required/invalid based on other parameters: the current cert-request takes a signed CSR (required), a principal (required), and a profile ID; the new cert-request (what I implemented as cert-build) takes a principal (required), a profile ID (required), and a key location (required). I can't remember if that was the only problem, but I'll try again to merge the commands and get back to you.

To make the CSR argument optional on the client, you can do this:

    def get_options(self):
        for option in super(cert_request, self).get_options():
            if option.name == 'csr':
                option = option.clone(required=False)
            yield option

IMO profile ID should default to
[Freeipa-devel] Anonymous PKINIT and kdcproxy
Hi Simo,

I'm wondering if we need to change kdcproxy for anon pkinit. What kind of Kerberos requests are performed by anon pkinit and to establish a FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ and AP-REQ+KRB-PRV. Responses are not filtered.

Regards,
Christian
[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services
URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

stlaz commented:
"""
Do we need a ticket for this? I notice the original commit did not have it either.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/323#issuecomment-266368348