[Freeipa-devel] [freeipa PR#329][comment] experiment: did pull/177 break ci?

2016-12-12 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/329
Title: #329: experiment: did pull/177 break ci?

frasertweedale commented:
"""
Yes, it looks like I broke CI.  Feel free to merge this PR if I don't find a 
fix quickly enough.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/329#issuecomment-266608752
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#329][opened] experiment: did pull/177 break ci?

2016-12-12 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/329
Author: frasertweedale
 Title: #329: experiment: did pull/177 break ci?
Action: opened

PR body:
"""
This PR reverts the commits from pull/177 to test the hypothesis
that something in these commits broke CI.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/329/head:pr329
git checkout pr329
From 8e13b7c01311e44eb3ec1dc16dac26b8d3287139 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 13 Dec 2016 10:50:50 +1000
Subject: [PATCH 1/3] Revert "Add options to write lightweight CA cert or chain
 to file"

This reverts commit 32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d.
---
 API.txt   |  6 +--
 VERSION.m4|  4 +-
 ipaclient/plugins/ca.py   | 53 -
 ipaserver/plugins/ca.py   | 65 +++
 ipaserver/plugins/dogtag.py   | 12 --
 ipatests/test_xmlrpc/tracker/ca_plugin.py | 31 ---
 ipatests/test_xmlrpc/xmlrpc_test.py   | 17 
 7 files changed, 16 insertions(+), 172 deletions(-)
 delete mode 100644 ipaclient/plugins/ca.py

diff --git a/API.txt b/API.txt
index 543cec5..bad3b92 100644
--- a/API.txt
+++ b/API.txt
@@ -445,11 +445,10 @@ option: Str('version?')
 output: Output('count', type=[])
 output: Output('results', type=[, ])
 command: ca_add/1
-args: 1,8,3
+args: 1,7,3
 arg: Str('cn', cli_name='name')
 option: Str('addattr*', cli_name='addattr')
 option: Flag('all', autofill=True, cli_name='all', default=False)
-option: Flag('chain', autofill=True, default=False)
 option: Str('description?', cli_name='desc')
 option: DNParam('ipacasubjectdn', cli_name='subject')
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
@@ -520,10 +519,9 @@ output: Entry('result')
 output: Output('summary', type=[, ])
 output: PrimaryKey('value')
 command: ca_show/1
-args: 1,5,3
+args: 1,4,3
 arg: Str('cn', cli_name='name')
 option: Flag('all', autofill=True, cli_name='all', default=False)
-option: Flag('chain', autofill=True, default=False)
 option: Flag('raw', autofill=True, cli_name='raw', default=False)
 option: Flag('rights', autofill=True, default=False)
 option: Str('version?')
diff --git a/VERSION.m4 b/VERSION.m4
index 36929ee..7d9e107 100644
--- a/VERSION.m4
+++ b/VERSION.m4
@@ -73,8 +73,8 @@ define(IPA_DATA_VERSION, 2010061412)
 #  #
 
 define(IPA_API_VERSION_MAJOR, 2)
-define(IPA_API_VERSION_MINOR, 217)
-# Last change: Add options to write lightweight CA cert or chain to file
+define(IPA_API_VERSION_MINOR, 216)
+# Last change: DNS: Support URI resource record type
 
 
 
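Review bot: the hunk rolls IPA_API_VERSION_MINOR back from 217 to 216 and restores the previous "Last change" line. That is fine for a throwaway experiment, but the PR comment says it may be merged if no fix turns up; in that case the minor version must not be decremented, because 2.217 has already been published with the lightweight CA options and a later change would reuse the same number with a different meaning. If the revert lands, bump to 218 with a "Revert ..." last-change line instead.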
diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py
deleted file mode 100644
index fcdf484..000
--- a/ipaclient/plugins/ca.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#
-# Copyright (C) 2016  FreeIPA Contributors see COPYING for license
-#
-
-import base64
-from ipaclient.frontend import MethodOverride
-from ipalib import util, x509, Str
-from ipalib.plugable import Registry
-from ipalib.text import _
-
-register = Registry()
-
-
-class WithCertOutArgs(MethodOverride):
-
-takes_options = (
-Str(
-'certificate_out?',
-doc=_('Write certificate (chain if --chain used) to file'),
-include='cli',
-cli_metavar='FILE',
-),
-)
-
-def forward(self, *keys, **options):
-filename = None
-if 'certificate_out' in options:
-filename = options.pop('certificate_out')
-util.check_writable_file(filename)
-
-result = super(WithCertOutArgs, self).forward(*keys, **options)
-if filename:
-def to_pem(x):
-return x509.make_pem(x)
-if options.get('chain', False):
-ders = result['result']['certificate_chain']
-data = '\n'.join(to_pem(base64.b64encode(der)) for der in ders)
-else:
-data = to_pem(result['result']['certificate'])
-with open(filename, 'wb') as f:
-f.write(data)
-
-return result
-
-
-@register(override=True, no_fail=True)
-class ca_add(WithCertOutArgs):
-pass
-
-
-@register(override=True, no_fail=True)
-class ca_show(WithCertOutArgs):
-pass
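Review bot: since the PR exists to find what broke CI, the deleted client override itself contains a Python 3 problem worth checking before reverting the whole series: in the `chain` branch `data` is built with `'\n'.join(...)` (a str) from `to_pem(base64.b64encode(der))`, where `b64encode` returns bytes, and `data` is then written through `open(filename, 'wb')`. Writing a str to a file opened in binary mode raises TypeError on Python 3, and depending on what `x509.make_pem` returns the str/bytes join will fail the same way. If the CI failure is a Python 3 run, encoding `data` before the write (and decoding the base64 output) is a much smaller change than reverting the feature.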
diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
index ef1d68c..d9ae8c8 100644
--- a/ipaserver/plugins/ca.py
+++ b/ipaserver/plugins/ca.py
@@ -2,18 +2,14 @@
 # Copyright (C) 2016  FreeIPA Contributors see COPYING for license
 #
 
-import base64
-
-import six
-
-from ipalib import api, errors, output, Bytes, DNParam, Flag, Str
+from ipalib import api, errors, output, DNParam, Str
 from ipalib.constants import IPA_CA_CN
 from ipalib.plugable import 

[Freeipa-devel] [freeipa PR#328][opened] fix: regression in API version comparison

2016-12-12 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/328
Author: mbasti-rh
 Title: #328: fix: regression in API version comparison
Action: opened

PR body:
"""
Commit 2cbaf156045769b54150e4d4c3c1071f164a16fb introduced a regression
in API version comparison. In case a newer client is trying to call an
older server, an error is returned, but it should work. This commit fixes
it.

https://fedorahosted.org/freeipa/ticket/6468
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/328/head:pr328
git checkout pr328
From 36dfd4524acb3d3ab595c3ea126035f8781a451f Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Mon, 12 Dec 2016 18:28:53 +0100
Subject: [PATCH] fix: regression in API version comparison

Commit 2cbaf156045769b54150e4d4c3c1071f164a16fb introduced a regression
in API version comparison. In case a newer client is trying to call an
older server, an error is returned, but it should work. This commit fixes
it.

https://fedorahosted.org/freeipa/ticket/6468
---
 ipalib/frontend.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/ipalib/frontend.py b/ipalib/frontend.py
index dfa6cdf..41dcd4a 100644
--- a/ipalib/frontend.py
+++ b/ipalib/frontend.py
@@ -776,8 +776,7 @@ def verify_client_version(self, client_version):
sver=self.api_version,
server=self.env.xmlrpc_uri)
 
-if (client_apiver.major != server_apiver.major
-or client_apiver > server_apiver):
+if client_apiver.major != server_apiver.major:
 raise VersionError(cver=client_version,
sver=self.api_version,
server=self.env.xmlrpc_uri)
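Review bot: the hunk drops the `client_apiver > server_apiver` half of the check, so a client with a newer minor version now gets past `verify_client_version`, but nothing in the patch says what happens next: an older server knows nothing about options added in later minor versions, so a request that uses one will now be rejected by the server's option handling instead of by a clear VersionError. The commit message should state that newer-minor clients are expected to work only when they send nothing the server lacks, and a test for the newer-client/older-server case (ticket 6468) would pin that down; the patch touches only `ipalib/frontend.py`.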

[Freeipa-devel] [freeipa PR#325][comment] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

2016-12-12 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/325
Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

pvoborni commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/17392b0ef754781775a10973b2fee8a6d1697f5d
ipa-4-4:
https://fedorahosted.org/freeipa/changeset/cd62808c0e62013f594b0a31acf5bc65f4ce0683
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/325#issuecomment-266495282

[Freeipa-devel] [freeipa PR#325][+pushed] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

2016-12-12 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/325
Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

Label: +pushed

[Freeipa-devel] [freeipa PR#325][closed] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

2016-12-12 Thread pvoborni
   URL: https://github.com/freeipa/freeipa/pull/325
Author: pvomacka
 Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/325/head:pr325
git checkout pr325

[Freeipa-devel] [freeipa PR#325][+ack] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

2016-12-12 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/325
Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

Label: +ack

[Freeipa-devel] [freeipa PR#325][comment] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

2016-12-12 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/325
Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

pvoborni commented:
"""
Works for me
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/325#issuecomment-266495026

[Freeipa-devel] [freeipa PR#313][+ack] ipaclient.plugins: Use api_version from internally called commands

2016-12-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/313
Title: #313: ipaclient.plugins: Use api_version from internally called commands

Label: +ack

[Freeipa-devel] [freeipa PR#313][comment] ipaclient.plugins: Use api_version from internally called commands

2016-12-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/313
Title: #313: ipaclient.plugins: Use api_version from internally called commands

mbasti-rh commented:
"""
Works for me
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/313#issuecomment-266491681

[Freeipa-devel] [freeipa PR#272][synchronized] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-12 Thread pspacek
   URL: https://github.com/freeipa/freeipa/pull/272
Author: pspacek
 Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same 
time
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/272/head:pr272
git checkout pr272
From 9f7eda35726515e6acf91c64dcadb7f0e22d6e8a Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Thu, 24 Nov 2016 17:35:24 +0100
Subject: [PATCH 1/3] Build: makerpms.sh generates Python 2 & 3 packages at the
 same time

Petr Viktorin recommended that I copy the whole build directory and run
configure twice, with different values for the PYTHON variable.

After thinking a bit about that, it seems the cleanest approach.
Building for two versions of Python at the same time should be a
temporary state, so I decided not to complicate the Autotools build system
with conditional spaghetti for two versions of Python.

For proper Python 2/3 distinction in the two separate builds, I added a
find/grep/sed combo which replaces shebangs with the system-wide Python
interpreter as necessary. This is a workaround for the fact that FreeIPA
does not use setuptools properly. Honza told me that proper use of
setuptools is not trivial, so we decided to go with this for now.

https://fedorahosted.org/freeipa/ticket/157
---
 freeipa.spec.in | 158 
 1 file changed, 103 insertions(+), 55 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index cba40c2..4d5d110 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -5,7 +5,7 @@
 %if 0%{?rhel}
 %global with_python3 0
 %else
-%global with_python3 0
+%global with_python3 1
 %endif
 
 # lint is not executed during rpmbuild
@@ -268,6 +268,37 @@ and integration with Active Directory based infrastructures (Trusts).
 If you are installing an IPA server, you need to install this package.
 
 
+%if 0%{?with_python3}
+
+%package -n python3-ipaserver
+Summary: Python libraries used by IPA server
+Group: System Environment/Libraries
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaserver}
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-pyldap >= 2.4.15
+Requires: python3-lxml
+Requires: python3-gssapi >= 1.1.2
+Requires: python3-sssdconfig
+Requires: python3-pyasn1
+Requires: python3-dbus
+Requires: python3-dns >= 1.11.1
+Requires: python3-kdcproxy >= 0.3
+Requires: rpm-libs
+
+%description -n python3-ipaserver
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+%endif  # with_python3
+
+
 %package server-common
 Summary: Common files used by IPA server
 Group: System Environment/Base
@@ -687,6 +718,11 @@ This package contains tests that verify IPA functionality under Python 3.
 
 %prep
 %setup -n freeipa-%{version} -q
+%if 0%{?with_python3}
+# Workaround: We want to build Python things twice. To be sure we do not mess
+# up something, do two separate builds in separate directories.
+cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
+%endif # with_python3
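Review bot: `cp -r` in %prep does not preserve timestamps; use `cp -a` (or `cp -rp`) so the copied tree keeps the same mtimes as the original. Otherwise autotools may consider generated files stale in one tree and not the other, and the two builds stop being comparable.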
 
 
 %build
@@ -694,10 +730,33 @@ This package contains tests that verify IPA functionality under Python 3.
 export JAVA_STACK_SIZE="8m"
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
 export PATH=/usr/bin:/usr/sbin:$PATH
+export PYTHON=%{__python2}
+# Workaround: make sure all shebangs are pointing to Python 2
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python2}|' {} \;
 %configure --with-vendor-suffix=-%{release}
 # -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
 %make_build -Onone
 
+%if 0%{?with_python3}
+pushd %{_builddir}/freeipa-%{version}-python3
+export PYTHON=%{__python3}
+# Workaround: make sure all shebangs are pointing to Python 3
+# This should be solved properly using setuptools
+# and this hack should be removed.
+find \
+	! -name '*.pyc' -a \
+	! -name '*.pyo' -a \
+	-type f -exec grep -qsm1 '^#!.*\bpython' {} \; \
+	-exec sed -i -e '1 s|^#!.*\bpython[^ ]*|#!%{__python3}|' {} \;
+%configure --with-vendor-suffix=-%{release}
+popd
+%endif # with_python3
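Review bot: in the `with_python3` block the copied tree is only `%configure`d; unlike the Python 2 tree above it there is no `%make_build -Onone` in this hunk, so unless the build is done in a later section the Python 3 tree is configured but never built. Also the find/grep/sed shebang rewrite is now duplicated verbatim for both interpreters; a spec macro taking the interpreter path as its argument would keep the two copies from drifting apart.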
 
 %check
 %if ! %{ONLY_CLIENT}
@@ -716,16 +775,23 @@ make %{?_smp_mflags} client-check VERBOSE=yes LIBDIR=%{_libdir}
 # All files and directories created by spec install should be marked as ghost.
 # 

[Freeipa-devel] [freeipa PR#272][comment] Build: makerpms.sh generates Python 2 & 3 packages at the same time

2016-12-12 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/272
Title: #272: Build: makerpms.sh generates Python 2 & 3 packages at the same time

pspacek commented:
"""
I've found the root cause - incorrect order of operations in freeipa.spec.in. 
Now it should work.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/272#issuecomment-266471594

[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf

martbab commented:
"""
Rebased and pushed to ipa-4-4

https://fedorahosted.org/freeipa/changeset/fd8c17252fbc3efccad66cdcd373195c0fc53ce3

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/326#issuecomment-266463807

[Freeipa-devel] [freeipa PR#326][closed] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/326
Author: abbra
 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/326/head:pr326
git checkout pr326

[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/38cc01b1c92da36653e0ce4d8f7066282fd1d102
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/326#issuecomment-266463244

[Freeipa-devel] [freeipa PR#326][+ack] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf

Label: +ack

[Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/326
Author: abbra
 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/326/head:pr326
git checkout pr326
From 912b131bbdec8bc0a45ac2f464f8035a2efe177f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 12 Dec 2016 10:30:51 +0200
Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in
 smb.conf

Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while the Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:

net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551
---
 install/share/smb.conf.template |  2 +-
 ipaserver/install/server/upgrade.py | 22 ++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 2908b99..17bde5d 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME
 netbios name = $HOST_NETBIOS_NAME
 realm = $REALM
 kerberos method = dedicated keytab
-dedicated keytab file = FILE:/etc/samba/samba.keytab
+dedicated keytab file = /etc/samba/samba.keytab
 create krb5 conf = no
 security = user
 domain master = yes
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 0ebe9af..5d8e596 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -48,6 +48,7 @@
 from ipaserver.install import krainstance
 from ipaserver.install import dogtaginstance
 from ipaserver.install import krbinstance
+from ipaserver.install import adtrustinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
 
@@ -268,6 +269,26 @@ def cleanup_adtrust(fstore):
 root_logger.debug('Removing %s from backup', backed_up_file)
 
 
+def upgrade_adtrust_config():
+"""
+Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
+"""
+
+if not adtrustinstance.ipa_smb_conf_exists():
+return
+
+root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' "
+ "in Samba configuration]")
+
+args = [paths.NET, "conf", "setparm", "global",
+"dedicated keytab file", paths.SAMBA_KEYTAB]
+
+try:
+ipautil.run(args)
+except ipautil.CalledProcessError as e:
+root_logger.warning("Error updating Samba registry: %s", e)
+
+
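Review bot: `net conf setparm` is run on every upgrade regardless of the current value, so the "Remove FILE: prefix" log line is printed even when there is nothing to remove. Reading the value first with `net conf getparm global 'dedicated keytab file'` and rewriting only when it still carries a `FILE:` (or `WRFILE:`) prefix makes the step idempotent and keeps the upgrade log accurate. The `except` clause only catches `ipautil.CalledProcessError`; worth checking what `ipautil.run` raises when the `net` binary is absent, since that would abort the whole upgrade instead of logging a warning.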
 def ca_configure_profiles_acl(ca):
 root_logger.info('[Authorizing RA Agent to modify profiles]')
 
@@ -1668,6 +1689,7 @@ def upgrade_configuration():
 
 cleanup_kdc(fstore)
 cleanup_adtrust(fstore)
+upgrade_adtrust_config()
 
 bind = bindinstance.BindInstance(fstore)
 if bind.is_configured() and not bind.is_running():

[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf

martbab commented:
"""
The branch needs a rebase. Otherwise works as expected and has no PEP8 errors 
despite what crazy Travis CI claims.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/326#issuecomment-266452154

[Freeipa-devel] [freeipa PR#324][synchronized] Check for conflict entries before raising domain level

2016-12-12 Thread tbordaz
   URL: https://github.com/freeipa/freeipa/pull/324
Author: tbordaz
 Title: #324: Check for conflict entries before raising domain level
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/324/head:pr324
git checkout pr324
From 5e544ae0477cda154996b158960006878d1a09dc Mon Sep 17 00:00:00 2001
From: Ludwig Krispenz 
Date: Fri, 9 Dec 2016 15:04:21 +0100
Subject: [PATCH] Check for conflict entries before raising domain level

Checking for conflicts is not done only in the topology container, as
tests showed they can occur elsewhere.

https://fedorahosted.org/freeipa/ticket/6534
---
 ipaserver/plugins/domainlevel.py | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/ipaserver/plugins/domainlevel.py b/ipaserver/plugins/domainlevel.py
index 42603d7..749dce3 100644
--- a/ipaserver/plugins/domainlevel.py
+++ b/ipaserver/plugins/domainlevel.py
@@ -48,6 +48,29 @@ def get_domainlevel_range(master_entry):
 return DomainLevelRange(0, 0)
 
 
+def check_conflict_entries(ldap, api, desired_value):
+"""
+Check if conflict entries exist in topology subtree
+"""
+
+container_dn = DN(
+('cn', 'ipa'),
+('cn', 'etc'),
+api.env.basedn
+)
+
+try:
+ldap.get_entries(
+filter="(&(nsds5replconflict=*)(|(objectclass=ldapsubentry)(objectclass=*)))",
+base_dn=container_dn,
+scope=ldap.SCOPE_SUBTREE)
+message = _("Domain Level cannot be raised to {0}, "
+"existing replication conflicts have to be resolved."
+.format(desired_value))
+raise errors.InvalidDomainLevelError(reason=message)
+except errors.NotFound:
+pass
+
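Review bot: the entries returned by `ldap.get_entries` are discarded, so the administrator is told that conflicts exist but not where; collecting the DNs from the result and including them (or at least the count) in the `InvalidDomainLevelError` message would make the check actionable. The docstring says "topology subtree", but the search base is cn=etc under the suffix, which is the wider scope the commit message asks for; update the wording (the call-site comment below says the same). Only one blank line separates the new function from `get_master_entries`, where PEP8 (E302) wants two.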
 def get_master_entries(ldap, api):
 """
 Returns list of LDAPEntries representing IPA masters.
@@ -131,6 +154,9 @@ def execute(self, *args, **options):
 .format(desired_value, master['cn'][0]))
 raise errors.InvalidDomainLevelError(reason=message)
 
+# Check if conflict entries exist in topology subtree, should be resolved first
+check_conflict_entries(ldap, self.api, desired_value)
+
 current_entry.single_value['ipaDomainLevel'] = desired_value
 ldap.update_entry(current_entry)
 

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-12 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
Talk is cheap so here is the code!
~~~
import math
import string
import random


class TokenGenerator(object):
    """Tunable token generator."""
    # without: = # ' " \ `
    _special = '!$%&()*+,-./:;<>?@[]^_{|}~'
    def_charsets = {
        'uppercase':
            {'chars': string.ascii_uppercase,
             'entropy': math.log(len(string.ascii_uppercase), 2)},
        'lowercase':
            {'chars': string.ascii_lowercase,
             'entropy': math.log(len(string.ascii_lowercase), 2)},
        'digits':
            {'chars': string.digits,
             'entropy': math.log(len(string.digits), 2)},
        'special':
            {'chars': _special,
             'entropy': math.log(len(_special), 2)},
    }

    def __init__(self, uppercase=0, lowercase=0, digits=0, special=0,
                 min_len=0):
        """Specify character constraints on generated tokens.

        Integer values specify the minimal number of characters from the
        given character class and the minimal length.
        Value False prevents the given character class from appearing in
        the token.

        Example:
        TokenGenerator(uppercase=3, lowercase=3, digits=0, special=False)

        At least 3 upper and 3 lower case ASCII chars, may contain digits,
        no special chars.
        """
        # SystemRandom draws from os.urandom(); the module-level random.*
        # functions use the non-cryptographic Mersenne Twister and must not
        # be used for tokens, so every choice below goes through self.rng.
        self.rng = random.SystemRandom()
        self.min_len = min_len
        self.req_classes = dict(
            uppercase=uppercase,
            lowercase=lowercase,
            digits=digits,
            special=special
        )

        self.todo_charsets = self.def_charsets.copy()
        # 'all' class is used when adding entropy to too-short tokens;
        # it contains characters from all allowed classes
        self.todo_charsets['all'] = {'chars': ''.join(
            [charclass['chars']
             for charclass_name, charclass
             in self.todo_charsets.items()
             if self.req_classes[charclass_name] is not False]
        )}
        self.todo_charsets['all']['entropy'] = math.log(
            len(self.todo_charsets['all']['chars']), 2)

    def __call__(self, req_entropy=128):
        """Generate token containing at least req_entropy bits.

        req_entropy is the minimal number of entropy bits an attacker has
        to guess:
        128 bits of entropy: secure
        256 bits of entropy: secure enough if you care about quantum computers

        The generated token will fulfill the constraints specified in init.
        """
        todo_entropy = req_entropy
        password = ''
        # Generate required character classes:
        # The order of generated characters is fixed to comply with check in
        # NSS function sftk_newPinCheck() in nss/lib/softoken/fipstokn.c.
        for charclass_name in ['digits', 'uppercase', 'lowercase', 'special']:
            charclass = self.todo_charsets[charclass_name]
            todo_characters = self.req_classes[charclass_name]
            # a class set to False never enters the loop (False > 0 is False)
            while todo_characters > 0:
                password += self.rng.choice(charclass['chars'])
                todo_entropy -= charclass['entropy']
                todo_characters -= 1

        # required character classes do not provide sufficient entropy
        # or do not fulfill the minimal length constraint
        allchars = self.todo_charsets['all']
        while todo_entropy > 0 or len(password) < self.min_len:
            password += self.rng.choice(allchars['chars'])
            todo_entropy -= allchars['entropy']

        return password


if __name__ == '__main__':
    pwgen = TokenGenerator()
    for i in range(100):
        print(pwgen(256))
~~~

This code deterministically generates passwords. If character constraints are 
specified, the code might generate slightly longer passwords than the 
brute-force method. For example, for a 256 bit password with FIPS-compliant 
constraints (3 character classes) the difference is 41 vs. 40 characters. Given 
this difference, I think that determinism trumps shorter passwords.


Also, I think that it does not make sense to have `req_entropy` parameter in 
`__call__`. IMHO it makes sense to specify it along with other constraints in 
`__init__`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-266439544
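To verify the 41 vs. 40 figure in the comment without running the generator, here is an added example (not part of the PR or of the comment) that reproduces the generator's entropy accounting analytically and checks a token against the class constraints; the character sets and emission order are copied from the code above, and `token_length` and `check_token` are assumed helper names.

```python
import math
import string

# Character classes and emission order copied from the TokenGenerator in the
# comment above: digits, upper, lower, special (the NSS-friendly order).
CHARSETS = {
    'digits': string.digits,
    'uppercase': string.ascii_uppercase,
    'lowercase': string.ascii_lowercase,
    'special': '!$%&()*+,-./:;<>?@[]^_{|}~',
}
ORDER = ['digits', 'uppercase', 'lowercase', 'special']


def bits_per_char(charset):
    """Entropy credited for one character drawn uniformly from charset."""
    return math.log(len(charset), 2)


def allowed_chars(req_classes):
    """Union of the classes not excluded with False (the generator's 'all')."""
    return ''.join(CHARSETS[name] for name in ORDER
                   if req_classes.get(name, 0) is not False)


def token_length(req_entropy, min_len=0, **req_classes):
    """Reproduce the generator's entropy accounting without drawing anything.

    req_classes mirrors TokenGenerator.__init__: an int is the minimal number
    of characters from that class, False excludes the class entirely.
    Returns (length, credited_bits): the fixed token length the accounting
    yields and the entropy it credits, which is always >= req_entropy.
    """
    allowed = allowed_chars(req_classes)
    if not allowed:
        raise ValueError('every character class is excluded')
    todo = float(req_entropy)
    length = 0
    # Phase 1: mandatory characters, each credited with its own class entropy.
    for name in ORDER:
        count = req_classes.get(name, 0)
        if count is False:
            continue
        length += count
        todo -= count * bits_per_char(CHARSETS[name])
    # Phase 2: pad from the union of allowed classes, one character per loop
    # iteration as in the generator, until the budget and min_len are met.
    per_char = bits_per_char(allowed)
    extra = math.ceil(todo / per_char) if todo > 0 else 0
    extra = max(extra, min_len - length, 0)
    credited = req_entropy - todo + extra * per_char
    return length + extra, credited


def check_token(token, **req_classes):
    """Hypothetical verifier: does token honour the class constraints?"""
    allowed = allowed_chars(req_classes)
    if any(c not in allowed for c in token):
        return False
    for name in ORDER:
        count = req_classes.get(name, 0)
        present = sum(1 for c in token if c in CHARSETS[name])
        if count is False and present:
            return False
        if count is not False and present < count:
            return False
    return True
```

With three mandatory classes the padding phase starts with about 12.7 bits already credited but only 3 characters emitted, which is exactly where the extra character in 41 vs. 40 comes from.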

Re: [Freeipa-devel] ABI report for Samba libraries

2016-12-12 Thread Alexander Bokovoy

On Mon, 12 Dec 2016, Ponomarenko Andrey wrote:
> Hi Alexander,
>
> The report is updated on Mon, Wed and Fri at 11:00 UTC:
> https://abi-laboratory.pro/index.php?view=abi-tracker

Ok, thanks.

Could you please extend the report to include all libraries that are
built as part of Samba? E.g. not only the public ones but also the ones
used privately by Samba itself.


--
/ Alexander Bokovoy



Re: [Freeipa-devel] ABI report for Samba libraries

2016-12-12 Thread Ponomarenko Andrey
Hi Alexander,

The report is updated on Mon, Wed and Fri at 11:00 UTC:
https://abi-laboratory.pro/index.php?view=abi-tracker

Thank you.

12.12.2016, 16:39, "Alexander Bokovoy":
> Hi Andrey,
>
> On Mon, 12 Dec 2016, Ponomarenko Andrey wrote:
>> Hello,
>>
>> The ABI analysis report for the latest versions of Samba:
>> https://abi-laboratory.pro/tracker/timeline/samba/
>>
>> Hope the report will be helpful for users and maintainers of Samba libraries.
>
> Yes, thank you for the report.
>
> Are you going to keep reports generating with each upstream release?
>
> --
> / Alexander Bokovoy


[Freeipa-devel] [freeipa PR#313][synchronized] ipaclient.plugins: Use api_version from internally called commands

2016-12-12 Thread dkupka
   URL: https://github.com/freeipa/freeipa/pull/313
Author: dkupka
 Title: #313: ipaclient.plugins: Use api_version from internally called commands
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/313/head:pr313
git checkout pr313
From ce8e8a5de53a2bfdbeb21985682d74a7da4c4670 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 6 Dec 2016 12:35:23 +0100
Subject: [PATCH] ipaclient.plugins: Use api_version from internally called
 commands

In client plugins make sure the api_version is 'inherited' from the server
command that is internally called. Otherwise the api_version is obtained
from the client API instance. When calling a server command from a client
command, 'version' is passed in options and it overrides the right one. The
server then refuses to handle such a call.

https://fedorahosted.org/freeipa/ticket/6539
---
 ipaclient/plugins/automount.py|  4 
 ipaclient/plugins/otptoken_yubikey.py |  4 
 ipaclient/plugins/vault.py| 16 
 3 files changed, 24 insertions(+)

diff --git a/ipaclient/plugins/automount.py b/ipaclient/plugins/automount.py
index 540bd59..650c748 100644
--- a/ipaclient/plugins/automount.py
+++ b/ipaclient/plugins/automount.py
@@ -60,6 +60,10 @@ def __NO_CLI_getter(cls):
 
 NO_CLI = classproperty(__NO_CLI_getter)
 
+@property
+def api_version(self):
+return self.api.Command.automountlocation_show.api_version
+
 def output_for_cli(self, textui, result, *keys, **options):
 maps = result['result']['maps']
 keys = result['result']['keys']
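Review bot: the new `api_version` property carries no explanation of why it overrides the class attribute, so a later reader may treat it as redundant and drop it; add a short docstring or comment stating that it mirrors `automountlocation_show.api_version` so the 'version' option sent to the server matches the command actually invoked (ticket 6539).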
diff --git a/ipaclient/plugins/otptoken_yubikey.py b/ipaclient/plugins/otptoken_yubikey.py
index 1075b6d..759b722 100644
--- a/ipaclient/plugins/otptoken_yubikey.py
+++ b/ipaclient/plugins/otptoken_yubikey.py
@@ -81,6 +81,10 @@ def __NO_CLI_getter(cls):
 
 NO_CLI = classproperty(__NO_CLI_getter)
 
+@property
+def api_version(self):
+return self.api.Command.otptoken_add.api_version
+
 def get_args(self):
 for arg in self.api.Command.otptoken_add.args():
 yield arg
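Review bot: this is the same three-line property as in automount.py and vault.py with only the target command changed; consider a small helper on the client-plugin base (a mixin that names the wrapped server command once) so the six copies cannot drift apart, since `get_args` below already refers to `self.api.Command.otptoken_add` and the property would reuse that name.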
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
index c099e9e..29157c7 100644
--- a/ipaclient/plugins/vault.py
+++ b/ipaclient/plugins/vault.py
@@ -209,6 +209,10 @@ def __NO_CLI_getter(cls):
 
 NO_CLI = classproperty(__NO_CLI_getter)
 
+@property
+def api_version(self):
+return self.api.Command.vault_add_internal.api_version
+
 def get_args(self):
 for arg in self.api.Command.vault_add_internal.args():
 yield arg
@@ -415,6 +419,10 @@ def __NO_CLI_getter(cls):
 
 NO_CLI = classproperty(__NO_CLI_getter)
 
+@property
+def api_version(self):
+return self.api.Command.vault_mod_internal.api_version
+
 def get_args(self):
 for arg in self.api.Command.vault_mod_internal.args():
 yield arg
@@ -602,6 +610,10 @@ def __NO_CLI_getter(cls):
 
 NO_CLI = classproperty(__NO_CLI_getter)
 
+@property
+def api_version(self):
+return self.api.Command.vault_archive_internal.api_version
+
 def get_args(self):
 for arg in self.api.Command.vault_archive_internal.args():
 yield arg
@@ -855,6 +867,10 @@ def __NO_CLI_getter(cls):
 
 NO_CLI = classproperty(__NO_CLI_getter)
 
+@property
+def api_version(self):
+return self.api.Command.vault_retrieve_internal.api_version
+
 def get_args(self):
 for arg in self.api.Command.vault_retrieve_internal.args():
 yield arg
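Review bot: no test accompanies the change (the file list shows only the three plugin modules); a regression test that instantiates one of these client commands and asserts `cmd.api_version == cmd.api.Command.vault_retrieve_internal.api_version` would catch a future plugin that forgets the property and reintroduces the server-side refusal described in the commit message.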

Re: [Freeipa-devel] CSR autogeneration next steps

2016-12-12 Thread Fraser Tweedale
On Mon, Dec 12, 2016 at 02:04:37PM +0100, Jan Cholasta wrote:
> On 12.12.2016 13:49, Fraser Tweedale wrote:
> > (This is a tangential discussion, but...)
> > 
> > On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
> > > IMO profile ID should default to caIPAserviceCert on the client as well.
> > > 
> > NACK.  Default profile (although fixed at the present time) should
> > be considered server-side policy.  If we eventually make it
> > configurable, we don't want older clients overriding it.
> 
> I didn't mean the default value should be overridden on the clients, just
> that profile ID should stay optional on the client and use the default
> profile ID when unspecified.
> 
OK, thanks for clarifying.

> > 
> > Thanks,
> > Fraser
> > 
> 
> 
> -- 
> Jan Cholasta



[Freeipa-devel] [freeipa PR#323][closed] ipactl: pass api as argument to services

2016-12-12 Thread mbasti-rh
   URL: https://github.com/freeipa/freeipa/pull/323
Author: mbasti-rh
 Title: #323: ipactl: pass api as argument to services
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/323/head:pr323
git checkout pr323

[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services

2016-12-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

mbasti-rh commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/15351ab6e7c188fb492e6815026d1d75c4d4d29b
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/323#issuecomment-266429139

[Freeipa-devel] [freeipa PR#323][+pushed] ipactl: pass api as argument to services

2016-12-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

Label: +pushed

[Freeipa-devel] [freeipa PR#323][+ack] ipactl: pass api as argument to services

2016-12-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

Label: +ack

[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services

2016-12-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

stlaz commented:
"""
Works as expected. ACK.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/323#issuecomment-266427247

Re: [Freeipa-devel] CSR autogeneration next steps

2016-12-12 Thread Jan Cholasta

On 12.12.2016 13:49, Fraser Tweedale wrote:
> (This is a tangential discussion, but...)
>
> On Mon, Dec 12, 2016 at 09:52:02AM +0100, Jan Cholasta wrote:
> > IMO profile ID should default to caIPAserviceCert on the client as well.
> >
> NACK.  Default profile (although fixed at the present time) should
> be considered server-side policy.  If we eventually make it
> configurable, we don't want older clients overriding it.

I didn't mean the default value should be overridden on the clients, just
that profile ID should stay optional on the client and use the default
profile ID when unspecified.

> Thanks,
> Fraser

--
Jan Cholasta



[Freeipa-devel] [freeipa PR#299][comment] Remove "Request Certificate with SubjectAltName" permission

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/299
Title: #299: Remove "Request Certificate with SubjectAltName" permission

martbab commented:
"""
I have put on my Travis moustache and found these two failing tests, you will 
have to fix them:

```
=== FAILURES ===
 test_permission_legacy.test_command[: permission_find: Check that some 
legacy permission is found in $SUFFIX]


self = 
index = 0
declarative_test_definition = {'command': ('permission_find', [], 
{'ipapermlocation': ipapython.dn.DN('dc=ipa,dc=test'), 'version': '2.216'}), 
'desc...6e430230>, 'truncated': False}, 'nice': ': permission_find: Check 
that some legacy permission is found in $SUFFIX'}
def test_command(self, index, declarative_test_definition):
"""Run an individual test

The arguments are provided by the pytest plugin.
"""
if callable(declarative_test_definition):
declarative_test_definition(self)

else:

>   self.check(**declarative_test_definition)

/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:318:
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:330: in 
check
self.check_output(nice, cmd, args, options, expected, extra_check)
/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/xmlrpc_test.py:379: in 
check_output
assert_deepequal(expected, got, nice)
/usr/lib/python2.7/site-packages/ipatests/util.py:388: in assert_deepequal
assert_deepequal(e_sub, g_sub, doc, stack + (key,))
/usr/lib/python2.7/site-packages/ipatests/util.py:390: in assert_deepequal
if not expected(got):
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

results = [{'attrs': ('objectclass',), 'cn': ('Certificate Remove Hold',), 
'dn': 'cn=Certificate Remove Hold,cn=permissions,cn=p...eve Certificates from 
the CA,cn=permissions,cn=pbac,dc=ipa,dc=test', 'ipapermbindruletype': 
('permission',), ...}, ...]

def check_legacy_results(results):
"""Check that the expected number of legacy permissions are in 
$SUFFIX"""
legacy_permissions = [p for p in results
  if not p.get('ipapermissiontype')]

print(legacy_permissions)

>   assert len(legacy_permissions) == 9, len(legacy_permissions)
E   AssertionError: 8
E   assert 8 == 9

E+  where 8 = len([{'attrs': ('objectclass',), 'cn': ('Certificate 
Remove Hold',), 'dn': 'cn=Certificate Remove Hold,cn=permissions,cn=p...eve 
Certificates from the CA,cn=permissions,cn=pbac,dc=ipa,dc=test', 
'ipapermbindruletype': ('permission',), ...}, ...])

/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/test_permission_plugin.py:3128:
 AssertionError
```

I also wonder if there is a possibility for this removal to break replica 
install against older (IPA v3) masters.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/299#issuecomment-266423674

[Freeipa-devel] [freeipa PR#245][synchronized] Allow full customisability of IPA CA subject DN

2016-12-12 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/245
Author: frasertweedale
 Title: #245: Allow full customisability of IPA CA subject DN
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/245/head:pr245
git checkout pr245
From 64bf0106b65b30e5bd74d80a1a4b6140a04b5991 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Fri, 11 Nov 2016 18:54:01 +1000
Subject: [PATCH 1/7] Remove unused function argument

Remove an unused function argument.  Also rename the function to
have a more accurate name.

Part of: https://fedorahosted.org/freeipa/ticket/2614
---
 ipaserver/install/server/install.py | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b5b9cb4..4eadde3 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -242,7 +242,7 @@ def check_dirsrv(unattended):
 raise ScriptError(msg)
 
 
-def set_subject_in_config(realm_name, dm_password, suffix, subject_base):
+def set_subject_base_in_config(realm_name, dm_password, subject_base):
 ldapuri = 'ldapi://%%2fvar%%2frun%%2fslapd-%s.socket' % (
 installutils.realm_to_serverid(realm_name)
 )
@@ -846,8 +846,7 @@ def install(installer):
 os.chmod(paths.IPA_CA_CRT, 0o644)
 ca_db.publish_ca_cert(paths.IPA_CA_CRT)
 
-set_subject_in_config(realm_name, dm_password,
-  ipautil.realm_to_suffix(realm_name), options.subject)
+set_subject_base_in_config(realm_name, dm_password, options.subject_base)
 
 # Apply any LDAP updates. Needs to be done after the configuration file
 # is created. DS is restarted in the process.
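Review bot: besides dropping the suffix argument, this hunk changes `options.subject` to `options.subject_base`, which the commit message does not mention and which no other file in this commit introduces (only install.py is touched); either confirm the options object already exposes `subject_base` or move that rename into the commit that adds it, so this commit stays bisectable.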

From 7d5b85e1b54104e9f681a3420973a8315fb3038e Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Wed, 16 Nov 2016 19:31:19 +1000
Subject: [PATCH 2/7] installutils: remove hardcoded subject DN assumption

`installutils.load_external_cert` assumes that the IPA CA subject
DN is `CN=Certificate Authority, {subject_base}`.  In preparation
for full customisability of IPA CA subject DN, push this assumption
out of this function to call sites (which will be updated in a
subsequent commit).

Part of: https://fedorahosted.org/freeipa/ticket/2614
---
 ipaserver/install/ca.py| 4 +++-
 ipaserver/install/installutils.py  | 7 ---
 ipaserver/install/ipa_cacert_manage.py | 7 +--
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 4f64d99..4229053 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -100,7 +100,9 @@ def install_check(standalone, replica_config, options):
   "--external-ca.")
 
 external_cert_file, external_ca_file = installutils.load_external_cert(
-options.external_cert_files, options.subject)
+options.external_cert_files,
+DN(('CN', 'Certificate Authority'), options.subject)
+)
 elif options.external_ca:
 if cainstance.is_step_one_done():
 raise ScriptError(
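Review bot: the `CN=Certificate Authority` RDN removed from `load_external_cert` is now spelled out at this call site and will presumably be spelled out again in ipa_cacert_manage.py; a single helper (or constant) that builds the default IPA CA subject DN from `options.subject` would leave one place to change when the follow-up commit makes the subject DN customisable.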
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index a6cde89..2f311b4 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1092,7 +1092,8 @@ def check_entropy():
 except ValueError as e:
 root_logger.debug("Invalid value in %s %s", paths.ENTROPY_AVAIL, e)
 
-def load_external_cert(files, subject_base):
+
+def load_external_cert(files, ca_subject):
 """
 Load and verify external CA certificate chain from multiple files.
 
@@ -1100,7 +1101,7 @@ def load_external_cert(files, subject_base):
 chain formats.
 
 :param files: Names of files to import
-:param subject_base: Subject name base for IPA certificates
+:param ca_subject: IPA CA subject DN
 :returns: Temporary file with the IPA CA certificate and temporary file
 with the external CA certificate chain
 """
@@ -1114,7 +1115,7 @@ def load_external_cert(files, subject_base):
 except RuntimeError as e:
 raise ScriptError(str(e))
 
-ca_subject = DN(('CN', 'Certificate Authority'), subject_base)
+ca_subject = DN(ca_subject)
 ca_nickname = None
 cache = {}
 for nickname, _trust_flags in nssdb.list_certs():
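Review bot: `ca_subject = DN(ca_subject)` rebinds the parameter to normalise it, so the function accepts both a `DN` and a string, but the docstring in the previous hunk says only 'IPA CA subject DN'; either document that both forms are accepted or drop the conversion and require callers to pass a `DN`, as ca.py now does.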
diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
index 5a278f4..4082dfa 100644
--- a/ipaserver/install/ipa_cacert_manage.py
+++ b/ipaserver/install/ipa_cacert_manage.py
@@ -192,8 +192,6 @@ def renew_external_step_2(self, ca, old_cert_der):
 
 options = self.options
 conn = api.Backend.ldap2
-cert_file, ca_file = installutils.load_external_cert(
-options.external_cert_files, x509.subject_base())
 
 old_cert_obj = 
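Review bot: this hunk deletes the assignment of `cert_file, ca_file` without adding a replacement (the header `-192,8 +192,6` shows two lines removed and none added), so any later use of those names in `renew_external_step_2` must now be fed by an assignment further down, which is cut off in this excerpt; check that the new call passes the actual CA subject DN rather than a DN derived from `x509.subject_base()`, which is the assumption this series is removing.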

[Freeipa-devel] [freeipa PR#62][+pushed] Configure Anonymous PKINIT on server install

2016-12-12 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

Label: +pushed

[Freeipa-devel] [freeipa PR#62][closed] Configure Anonymous PKINIT on server install

2016-12-12 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62

[Freeipa-devel] [freeipa PR#62][comment] Configure Anonymous PKINIT on server install

2016-12-12 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/62
Title: #62: Configure Anonymous PKINIT on server install

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/62#issuecomment-266420855

[Freeipa-devel] [freeipa PR#62][synchronized] Configure Anonymous PKINIT on server install

2016-12-12 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/62
Author: simo5
 Title: #62: Configure Anonymous PKINIT on server install
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/62/head:pr62
git checkout pr62
From dcda82da3ca6f6adac0f09d00df2aec3cc660817 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Tue, 26 Jul 2016 11:19:01 -0400
Subject: [PATCH] Configure Anonymous PKINIT on server install

Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce 
---
 install/share/kdc.conf.template  |   2 +-
 install/share/profiles/KDCs_PKINIT_Certs.cfg | 109 +++
 install/share/profiles/Makefile.am   |   1 +
 ipaclient/install/client.py  |   2 +-
 ipalib/install/certmonger.py |  43 +++
 ipaplatform/base/paths.py|   3 +-
 ipapython/dogtag.py  |   4 +
 ipaserver/install/cainstance.py  |   2 +-
 ipaserver/install/certs.py   |  10 ++-
 ipaserver/install/dsinstance.py  |   2 +-
 ipaserver/install/httpinstance.py|   2 +-
 ipaserver/install/krbinstance.py |  62 +++
 ipaserver/install/server/__init__.py |   4 +-
 ipaserver/install/server/install.py  |  21 +++---
 ipaserver/install/server/replicainstall.py   |   4 +-
 ipaserver/install/server/upgrade.py  |  35 +
 ipaserver/plugins/cert.py|  86 -
 ipaserver/plugins/dogtag.py  |   2 +
 18 files changed, 325 insertions(+), 69 deletions(-)
 create mode 100644 install/share/profiles/KDCs_PKINIT_Certs.cfg

diff --git a/install/share/kdc.conf.template b/install/share/kdc.conf.template
index 296b75b..ec53a1f 100644
--- a/install/share/kdc.conf.template
+++ b/install/share/kdc.conf.template
@@ -12,6 +12,6 @@
   dict_file = $DICT_WORDS
   default_principal_flags = +preauth
 ;  admin_keytab = $KRB5KDC_KADM5_KEYTAB
-  pkinit_identity = FILE:$KDC_PEM
+  pkinit_identity = FILE:$KDC_CERT,$KDC_KEY
   pkinit_anchors = FILE:$CACERT_PEM
  }
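Review bot: splitting `pkinit_identity` into `FILE:$KDC_CERT,$KDC_KEY` moves the KDC's PKINIT private key into its own file, so the installer and upgrade code in this patch must create `$KDC_KEY` readable only by the KDC before this template is rendered, otherwise the KDC fails to start with PKINIT configured; `pkinit_anchors` is unchanged, which is right, since clients are still validated against the IPA CA chain.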
diff --git a/install/share/profiles/KDCs_PKINIT_Certs.cfg b/install/share/profiles/KDCs_PKINIT_Certs.cfg
new file mode 100644
index 000..c5e412b
--- /dev/null
+++ b/install/share/profiles/KDCs_PKINIT_Certs.cfg
@@ -0,0 +1,109 @@
+profileId=KDCs_PKINIT_Certs
+classId=caEnrollImpl
+desc=This certificate profile is for enrolling server certificates with IPA-RA agent authentication.
+visible=false
+enable=true
+enableBy=admin
+auth.instance_id=raCertAuth
+name=IPA-RA Agent-Authenticated Server Certificate Enrollment
+input.list=i1,i2
+input.i1.class_id=certReqInputImpl
+input.i2.class_id=submitterInfoInputImpl
+output.list=o1
+output.o1.class_id=certOutputImpl
+policyset.list=serverCertSet
+policyset.serverCertSet.list=1,2,3,4,5,6,7,8,9,10,11
+policyset.serverCertSet.1.constraint.class_id=subjectNameConstraintImpl
+policyset.serverCertSet.1.constraint.name=Subject Name Constraint
+policyset.serverCertSet.1.constraint.params.pattern=CN=[^,]+,.+
+policyset.serverCertSet.1.constraint.params.accept=true
+policyset.serverCertSet.1.default.class_id=subjectNameDefaultImpl
+policyset.serverCertSet.1.default.name=Subject Name Default
+policyset.serverCertSet.1.default.params.name=CN=$$request.req_subject_name.cn$$, $SUBJECT_DN_O
+policyset.serverCertSet.2.constraint.class_id=validityConstraintImpl
+policyset.serverCertSet.2.constraint.name=Validity Constraint
+policyset.serverCertSet.2.constraint.params.range=740
+policyset.serverCertSet.2.constraint.params.notBeforeCheck=false
+policyset.serverCertSet.2.constraint.params.notAfterCheck=false
+policyset.serverCertSet.2.default.class_id=validityDefaultImpl
+policyset.serverCertSet.2.default.name=Validity Default
+policyset.serverCertSet.2.default.params.range=731
+policyset.serverCertSet.2.default.params.startTime=0
+policyset.serverCertSet.3.constraint.class_id=keyConstraintImpl
+policyset.serverCertSet.3.constraint.name=Key Constraint
+policyset.serverCertSet.3.constraint.params.keyType=RSA
+policyset.serverCertSet.3.constraint.params.keyParameters=2048,3072,4096
+policyset.serverCertSet.3.default.class_id=userKeyDefaultImpl
+policyset.serverCertSet.3.default.name=Key Default
+policyset.serverCertSet.4.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.4.constraint.name=No Constraint
+policyset.serverCertSet.4.default.class_id=authorityKeyIdentifierExtDefaultImpl
+policyset.serverCertSet.4.default.name=Authority Key Identifier Default
+policyset.serverCertSet.5.constraint.class_id=noConstraintImpl
+policyset.serverCertSet.5.constraint.name=No Constraint
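Review bot: `desc` and `name` in the new profile still read "enrolling server certificates with IPA-RA agent authentication" and "IPA-RA Agent-Authenticated Server Certificate Enrollment", copied from the generic service profile; describe it as the KDC PKINIT certificate profile so profile listings tell the two apart. The visible policies 1-5 cover only subject name, validity, key type and AKI; the KDC-specific pieces (the PKINIT KDC extended key usage and the KDC principal name in the SAN, which clients rely on to verify the KDC during PKINIT) must be among policies 6-11, which are cut off here, so check them before ACKing.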

Re: [Freeipa-devel] [PATCH] webui: 0084, 0101: refactoring rpc module

2016-12-12 Thread Pavel Vomacka

Moved to PR: https://github.com/freeipa/freeipa/pull/327


On 11/10/2016 07:47 PM, Petr Vobornik wrote:
> On 08/09/2016 01:29 PM, Pavel Vomacka wrote:
> > Hello,
> >
> > please review attached patches.
> >
> > The rpc module is now separated from display layer
> > and changing activity text while loading metadata.
> >
> > https://fedorahosted.org/freeipa/ticket/6144
>
> patch 84:
>
> Looks good, works fine, it just needed rebase (I could provide that).
>
> Idea, but that doesn't have to be implemented, or sometime in future,
> right now it is not useful: What about providing the rpc object in the
> event, and having unique id for each rpc call so that we could track all
> rpc which are executed.
>
> patch 101:
>
> 1. It's event name but the property name looks like that it contains a text:
>    that.change_text = 'change-activity-text';
>
> Should it be rather: that.change_text_event.
>
> Or even, why does it compare previous text? Does it matter? Wouldn't be
> better to have 'set-activity' event. And then the handler would call
> something new set_text method:
>
>     that.set_text = function(new_activity) {
>         that.dots = 0;
>         that.text = new_activity;
>         that.make_step();
>     };

--
Pavel^3 Vomacka

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [freeipa PR#327][comment] WebUI: RPC refactoring

2016-12-12 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/327
Title: #327: WebUI: RPC refactoring

pvomacka commented:
"""
Patch 84: Yes, that is a really good idea, but as you said, we don't have a
use case for it right now. But I created a ticket so we don't forget about it:
https://fedorahosted.org/freeipa/ticket/6553

Patch 101: I changed the name of the event to 'set-activity-event'; it now accepts
one parameter, which is the new text of the activity widget. It can be extended in
the future to accept more parameters and set more attributes.

I think that creating a new method "that.set_text" or something similar could lead
to that method being called instead of using topics (events). That's why
I left the setting of the text in the anonymous function (event listener).
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/327#issuecomment-266419398

[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups

2016-12-12 Thread apophys
  URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

apophys commented:
"""
The rewrite to integration test is in my queue.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/196#issuecomment-266418775

[Freeipa-devel] [freeipa PR#210][comment] Tests: Stage User Tracker implementation

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/210
Title: #210: Tests: Stage User Tracker implementation

martbab commented:
"""
Bump for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/210#issuecomment-266418295

[Freeipa-devel] [freeipa PR#196][comment] ipatests: unresolvable nested netgroups

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/196
Title: #196: ipatests: unresolvable nested netgroups

martbab commented:
"""
Any update on this PR?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/196#issuecomment-266418147

[Freeipa-devel] [freeipa PR#327][comment] WebUI: RPC refactoring

2016-12-12 Thread pvomacka
  URL: https://github.com/freeipa/freeipa/pull/327
Title: #327: WebUI: RPC refactoring

pvomacka commented:
"""
The last comment from pvoborni: 
"patch 84:

Looks good, works fine, it just needed rebase(I could provide that).

Idea, but that doesn't have to be implemented, or sometime in future,
right now it is not useful: What about providing the rpc object in the
event, and having unique id for each rpc call so that we could track all
rpc which are executed.


patch 101:

1. It's event name but the property name looks like that it contains a text:
   that.change_text = 'change-activity-text';

Should it be rather: that.change_text_event.

Or even, why does it compare previous text? Does it matter? Wouldn't be
better to have 'set-activity' event. And then the handler would call
something new set_text method:

    that.set_text = function(new_activity) {
        that.dots = 0;
        that.text = new_activity;
        that.make_step();
    };


-- 
Petr Vobornik"

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/327#issuecomment-266417734

[Freeipa-devel] [freeipa PR#327][opened] WebUI: RPC refactoring

2016-12-12 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/327
Author: pvomacka
 Title: #327: WebUI: RPC refactoring
Action: opened

PR body:
"""
Moved from ML ( 
https://www.redhat.com/archives/freeipa-devel/2016-November/msg00338.html ) to 
PR. 


"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/327/head:pr327
git checkout pr327
From 6f83cd83c29ff7e419f6c0f294fb84abc404d8c2 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Thu, 28 Jul 2016 15:29:23 +0200
Subject: [PATCH 1/2] Refactoring of rpc module

The rpc module is now separated from the display layer.

There are two new global topics:
- 'rpc-start' for showing the widget which indicates execution of rpc calls
- 'rpc-end' for hiding the widget which indicates execution of rpc calls.
These two global topics replace the original methods IPA.display_activity_icon() and
IPA.hide_activity_icon().

There is also a new command property (notify_globally), which allows turning off the
widget which indicates network activity. Instead of the classic activity indicator,
a custom function can be called at the beginning and at the end of network activity.

There are also changes in the internal communication of the rpc.js module. There are
four new events: two for calling the on_success and on_error methods and two for calling
custom functions at the beginning and at the end of network activity.

https://fedorahosted.org/freeipa/ticket/6144
---
 install/ui/src/freeipa/certificate.js   | 60 +
 install/ui/src/freeipa/ipa.js   | 55 ++--
 install/ui/src/freeipa/plugins/login.js |  2 +-
 install/ui/src/freeipa/rpc.js   | 85 +++--
 install/ui/src/freeipa/widget.js| 16 +++--
 install/ui/src/freeipa/widgets/SyncOTPScreen.js |  7 +-
 6 files changed, 152 insertions(+), 73 deletions(-)

diff --git a/install/ui/src/freeipa/certificate.js b/install/ui/src/freeipa/certificate.js
index 9ab4002..4666b1a 100755
--- a/install/ui/src/freeipa/certificate.js
+++ b/install/ui/src/freeipa/certificate.js
@@ -780,19 +780,35 @@ IPA.cert.request_action = function(spec) {
 
 IPA.cert.perform_revoke = function(spec, sn, revocation_reason, cacn) {
 
-spec.hide_activity_icon = spec.hide_activity_icon || false;
+/**
+ * Sets whether activity notification box will be shown
+ * during executing command or not.
+ */
+spec.notify_globally = spec.notify_globally === undefined ? true :
+spec.notify_globally;
+
+
+/**
+ * Specifies function which will be called before command execution starts.
+ */
+spec.start_handler = spec.start_handler || null;
+
+/**
+ * Specifies function which will be called after command execution ends.
+ */
+spec.end_handler = spec.end_handler || null;
 
 rpc.command({
 entity: 'cert',
 method: 'revoke',
-hide_activity_icon: spec.hide_activity_icon,
 args: [ sn ],
 options: {
 revocation_reason: revocation_reason,
 cacn: cacn
 },
-notify_activity_start: spec.notify_activity_start,
-notify_activity_end: spec.notify_activity_end,
+notify_globally: spec.notify_globally,
+start_handler: spec.start_handler,
+end_handler: spec.end_handler,
 on_success: spec.on_success,
 on_error: spec.on_error
 }).execute();
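Review bot: removing `hide_activity_icon` renames the option that existing callers of `IPA.cert.perform_revoke` pass; any caller still sending `hide_activity_icon: true` (or `notify_activity_start`/`notify_activity_end`) now silently gets the default `notify_globally === true` and the global spinner reappears, so either update every call site in this commit or map the old names onto the new ones with a console warning.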
@@ -906,6 +922,25 @@ IPA.cert.remove_hold_action = function(spec) {
 
 IPA.cert.perform_remove_hold = function(spec, sn, cacn) {
 
+/**
+ * Sets whether activity notification box will be shown
+ * during executing command or not.
+ */
+spec.notify_globally = spec.notify_globally === undefined ? true :
+spec.notify_globally;
+
+
+/**
+ * Specifies function which will be called before command execution starts.
+ */
+spec.start_handler = spec.start_handler || null;
+
+/**
+ * Specifies function which will be called after command execution ends.
+ */
+spec.end_handler = spec.end_handler || null;
+
+
 rpc.command({
 entity: 'cert',
 method: 'remove_hold',
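Review bot: the three defaulting statements and their JSDoc blocks are copied verbatim from `perform_revoke` above; move them into one helper that fills `notify_globally`, `start_handler` and `end_handler` in a spec, so both entry points, and any future one, default these options the same way.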
@@ -913,7 +948,10 @@ IPA.cert.perform_remove_hold = function(spec, sn, cacn) {
 options: {
 cacn: cacn
 },
-on_success: spec.on_success
+on_success: spec.on_success,
+notify_globally: spec.notify_globally,
+start_handler: spec.start_handler,
+end_handler: spec.end_handler
 }).execute();
 };
 
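Review bot: `perform_remove_hold` forwards `on_success` but not `on_error`, unlike `perform_revoke`, so a failed remove-hold falls through to rpc's default error handling instead of the caller's; forward `on_error: spec.on_error` here for consistency.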
@@ -1409,11 +1447,11 @@ IPA.cert.cert_widget = function(spec) {
 on_ok: function() {
 
 var command_spec = {
-hide_activity_icon: true,
-notify_activity_end: function() {
+notify_globally: false,
+end_handler: function() {
 that.spinner.emit('hide-spinner');
 },
- 

[Freeipa-devel] [freeipa PR#181][comment] Tests : User Tracker creation of user with minimal values

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/181
Title: #181: Tests : User Tracker creation of user with minimal values

martbab commented:
"""
Bump for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/181#issuecomment-266416346

[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf

abbra commented:
"""
Thanks, fixed it.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/326#issuecomment-266415709

[Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/326
Author: abbra
 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/326/head:pr326
git checkout pr326
From 74fcf5c3d5520146a5b35d7c3ced2454c9a6e7e5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 12 Dec 2016 10:30:51 +0200
Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in
 smb.conf

Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:

net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551
---
 install/share/smb.conf.template |  2 +-
 ipaserver/install/server/upgrade.py | 22 ++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 2908b99..17bde5d 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME
 netbios name = $HOST_NETBIOS_NAME
 realm = $REALM
 kerberos method = dedicated keytab
-dedicated keytab file = FILE:/etc/samba/samba.keytab
+dedicated keytab file = /etc/samba/samba.keytab
 create krb5 conf = no
 security = user
 domain master = yes
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 2454507..9fbce88 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -47,6 +47,7 @@
 from ipaserver.install import dnskeysyncinstance
 from ipaserver.install import krainstance
 from ipaserver.install import dogtaginstance
+from ipaserver.install import adtrustinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
 
@@ -267,6 +268,26 @@ def cleanup_adtrust(fstore):
 root_logger.debug('Removing %s from backup', backed_up_file)
 
 
+def upgrade_adtrust_config():
+"""
+Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
+"""
+
+if not adtrustinstance.ipa_smb_conf_exists():
+return
+
+root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' "
+ "in Samba configuration]")
+
+args = [paths.NET, "conf", "setparm", "global",
+"dedicated keytab file", paths.SAMBA_KEYTAB]
+
+try:
+ipautil.run(args)
+except ipautil.CalledProcessError as e:
+root_logger.warning("Error updating Samba registry: %s", e)
+
+
 def ca_configure_profiles_acl(ca):
 root_logger.info('[Authorizing RA Agent to modify profiles]')
 
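Review bot: `upgrade_adtrust_config` only warns when `net conf setparm` fails and never checks which value is in effect afterwards; on a server where 'dedicated keytab file' is still carried in smb.conf rather than in the registry the write succeeds but the effective setting is unchanged, and the upgrade log reports success. Read the value back with `net conf getparm global 'dedicated keytab file'` and warn if it still carries the `FILE:` prefix. Since the commit message presents this as a workaround "while Samba Team fixes the code", put the ticket reference into the docstring so the unconditional rewrite can be dropped once Samba accepts the prefix again.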
@@ -1653,6 +1674,7 @@ def upgrade_configuration():
 
 cleanup_kdc(fstore)
 cleanup_adtrust(fstore)
+upgrade_adtrust_config()
 
 bind = bindinstance.BindInstance(fstore)
 if bind.is_configured() and not bind.is_running():

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

martbab commented:
"""
@jcholast @frasertweedale I hope you did notice those failures in Travis CI 
before acking/pushing...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-266415516

[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services

2016-12-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

mbasti-rh commented:
"""
I don't know
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/323#issuecomment-266415165

[Freeipa-devel] [freeipa PR#177][closed] Add options to write lightweight CA cert or chain to file

2016-12-12 Thread jcholast
   URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
 Title: #177: Add options to write lightweight CA cert or chain to file
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177

[Freeipa-devel] [freeipa PR#177][+pushed] Add options to write lightweight CA cert or chain to file

2016-12-12 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

Label: +pushed

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-12-12 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

jcholast commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/c7ea56c049ec8ab1a5500852eca6faf750b1479f
https://fedorahosted.org/freeipa/changeset/cc5b88e5d4ac1171374be9ae8e6e60730243dd3d
https://fedorahosted.org/freeipa/changeset/32b1743e5fb318b226a602ec8d9a4b6ef2a25c9d
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-266414213

[Freeipa-devel] [freeipa PR#139][comment] WebUI: Vault Management

2016-12-12 Thread mbasti-rh
  URL: https://github.com/freeipa/freeipa/pull/139
Title: #139: WebUI: Vault Management

mbasti-rh commented:
"""
> I understand that the difference between those two sections could not be very 
> clear. If you have any idea on how to improve this feel free to put a comment 
> here or open a ticket.

I have, you can extend vault-find command :)
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/139#issuecomment-266413702

[Freeipa-devel] [freeipa PR#177][+ack] Add options to write lightweight CA cert or chain to file

2016-12-12 Thread jcholast
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

Label: +ack

[Freeipa-devel] [freeipa PR#326][comment] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/326
Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf

martbab commented:
"""
Pylint complains about an undefined function because you made a typo.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/326#issuecomment-266408970

[Freeipa-devel] [freeipa PR#177][synchronized] Add options to write lightweight CA cert or chain to file

2016-12-12 Thread frasertweedale
   URL: https://github.com/freeipa/freeipa/pull/177
Author: frasertweedale
 Title: #177: Add options to write lightweight CA cert or chain to file
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/177/head:pr177
git checkout pr177
From 9fc99100221906cf304493877f3c1885c3f8da87 Mon Sep 17 00:00:00 2001
From: Fraser Tweedale 
Date: Tue, 16 Aug 2016 13:16:58 +1000
Subject: [PATCH 1/3] Add function for extracting PEM certs from PKCS #7

Add a single function for extracting X.509 certs in PEM format from
a PKCS #7 object.  Refactor sites that execute ``openssl pkcs7`` to
use the new function.

Part of: https://fedorahosted.org/freeipa/ticket/6178
---
 ipalib/x509.py  | 29 ++-
 ipapython/certdb.py |  9 ++-
 ipaserver/install/cainstance.py | 52 +++--
 3 files changed, 49 insertions(+), 41 deletions(-)

diff --git a/ipalib/x509.py b/ipalib/x509.py
index e1c3867..851af5a 100644
--- a/ipalib/x509.py
+++ b/ipalib/x509.py
@@ -49,6 +49,14 @@
 from ipalib import util
 from ipalib import errors
 from ipapython.dn import DN
+from ipapython import ipautil
+
+try:
+from ipaplatform.paths import paths
+except ImportError:
+OPENSSL = '/usr/bin/openssl'
+else:
+OPENSSL = paths.OPENSSL
 
 if six.PY3:
 unicode = str
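Review bot: the `except ImportError: OPENSSL = '/usr/bin/openssl'` fallback hard-codes a binary path in `ipalib`, which otherwise takes paths from `ipaplatform`. Add a comment above the `try` saying why the import has to be conditional (ipalib must stay importable where ipaplatform is not available, which is the reason the PR was updated with a conditional import), otherwise the next cleanup turns it back into an unconditional import; and note in that comment that on such a system an openssl installed anywhere but `/usr/bin` makes `pkcs7_to_pems` fail.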
@@ -56,7 +64,9 @@
 PEM = 0
 DER = 1
 
-PEM_REGEX = re.compile(r'(?<=-BEGIN CERTIFICATE-).*?(?=-END CERTIFICATE-)', re.DOTALL)
+PEM_REGEX = re.compile(
+r'-BEGIN CERTIFICATE-.*?-END CERTIFICATE-',
+re.DOTALL)
 
 EKU_SERVER_AUTH = '1.3.6.1.5.5.7.3.1'
 EKU_CLIENT_AUTH = '1.3.6.1.5.5.7.3.2'
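Review bot: `PEM_REGEX` changes from a lookaround pattern that matched only the text between the armor lines to one that includes the `BEGIN`/`END` delimiters, so every existing `PEM_REGEX.findall()` caller now receives armored blocks instead of bare base64; check the other users in this file (`load_certificate_list` above among them) in the same commit so none of them wraps the result in a second armor. Also, as rendered here the delimiters read `-BEGIN CERTIFICATE-` and `-END CERTIFICATE-` with a single dash on each side; if that is not an artifact of the archive, the matches lack the outer four dashes of the PEM armor, so confirm the pattern uses the full `-----BEGIN CERTIFICATE-----`/`-----END CERTIFICATE-----`.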
@@ -145,6 +155,23 @@ def load_certificate_list_from_file(filename):
 return load_certificate_list(f.read())
 
 
+def pkcs7_to_pems(data, datatype=PEM):
+"""
+Extract certificates from a PKCS #7 object.
+
+Return a ``list`` of X.509 PEM strings.
+
+May throw ``ipautil.CalledProcessError`` on invalid data.
+
+"""
+cmd = [
+OPENSSL, "pkcs7", "-print_certs",
+"-inform", "PEM" if datatype == PEM else "DER",
+]
+result = ipautil.run(cmd, stdin=data, capture_output=True)
+return PEM_REGEX.findall(result.output)
+
+
 def is_self_signed(certificate, datatype=PEM):
 cert = load_certificate(certificate, datatype)
 return cert.issuer == cert.subject
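Review bot: `"PEM" if datatype == PEM else "DER"` silently treats any unexpected `datatype` as DER; validate it explicitly (`if datatype not in (PEM, DER): raise ValueError(...)`) so a caller passing the wrong constant gets an error instead of a misparse. The docstring should also state that a well-formed PKCS #7 carrying no certificates returns an empty list rather than raising, because the certdb caller below treats any non-exception return as a successful load.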
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index af98a77..6599a69 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -239,13 +239,8 @@ def import_files(self, files, db_password_filename, import_keys=False,
 continue
 
 if label in ('PKCS7', 'PKCS #7 SIGNED DATA', 'CERTIFICATE'):
-args = [
-OPENSSL, 'pkcs7',
-'-print_certs',
-]
 try:
-result = ipautil.run(
-args, stdin=body, capture_output=True)
+certs = x509.pkcs7_to_pems(body)
 except ipautil.CalledProcessError as e:
 if label == 'CERTIFICATE':
 root_logger.warning(
@@ -257,7 +252,7 @@ def import_files(self, files, db_password_filename, import_keys=False,
 filename, line, e)
 continue
 else:
-extracted_certs += result.output + '\n'
+extracted_certs += '\n'.join(certs) + '\n'
 loaded = True
 continue
 
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index bf79821..29acd7e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -749,44 +749,30 @@ def __import_ca_chain(self):
 # makes openssl throw up.
 data = base64.b64decode(chain)
 
-result = ipautil.run(
-[paths.OPENSSL,
- "pkcs7",
- "-inform",
- "DER",
- "-print_certs",
- ], stdin=data, capture_output=True)
-certlist = result.output
+certlist = x509.pkcs7_to_pems(data, x509.DER)
 
 # Ok, now we have all the certificates in certs, walk through it
 # and pull out each certificate and add it to our database
 
-st = 1
-en = 0
-subid = 0
 ca_dn = DN(('CN','Certificate Authority'), self.subject_base)
-while st > 0:
-st = certlist.find('-BEGIN', en)
-en = certlist.find('-END', en+1)
-if st > 0:
-try:
-(chain_fd, chain_name) = tempfile.mkstemp()
-os.write(chain_fd, certlist[st:en+25])
-

[Freeipa-devel] [freeipa PR#177][comment] Add options to write lightweight CA cert or chain to file

2016-12-12 Thread frasertweedale
  URL: https://github.com/freeipa/freeipa/pull/177
Title: #177: Add options to write lightweight CA cert or chain to file

frasertweedale commented:
"""
@jcholast right you are.  PR updated with conditional import.

Thanks.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/177#issuecomment-266400860

[Freeipa-devel] [freeipa PR#319][+pushed] [master] gracefully handle setting replica bind dn group on old masters

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old 
masters

Label: +pushed

[Freeipa-devel] [freeipa PR#319][closed] [master] gracefully handle setting replica bind dn group on old masters

2016-12-12 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/319
Author: martbab
 Title: #319: [master] gracefully handle setting replica bind dn group on old 
masters
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/319/head:pr319
git checkout pr319

[Freeipa-devel] [freeipa PR#319][comment] [master] gracefully handle setting replica bind dn group on old masters

2016-12-12 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old 
masters

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/95e602598a481f9c4a3b69ce8a861bf3816aa8ba
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/319#issuecomment-266399054

[Freeipa-devel] [freeipa PR#317][comment] Unify password generation across FreeIPA

2016-12-12 Thread pspacek
  URL: https://github.com/freeipa/freeipa/pull/317
Title: #317: Unify password generation across FreeIPA

pspacek commented:
"""
The main problem here is that we are mixing two approaches together, i.e. 
entropy specification using bits + specification using character classes etc., 
which used to be a means of expressing entropy requirements in a way 
understandable by ordinary users.

If I understand it correctly, the encoding here is just to please 
password-quality checkers because the real password strength should be provided 
by the `entropy` parameter.

So I propose to use character classes only for encoding but not during 
generation. That should simplify the code and make it easier to understand.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/317#issuecomment-266397912
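One way to build what pspacek proposes above, as an added example that is not FreeIPA's code: draw uniformly from the union of the required character classes for a length fixed by the requested entropy, keep a candidate only if it happens to contain every class (rejection sampling, which keeps the output uniform over the accepted strings), and quantify in bits what that rejection costs. The class sets (the `special` set in particular) and the function names are assumptions made for this illustration.

```python
import itertools
import math
import secrets
import string

# Character classes a password-quality checker typically demands. The
# "special" set is an assumption for this example; a real policy may differ.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!#$%&*+-./:=?@^_~",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "special")


def alphabet_for(required):
    """Union of the required classes (the classes are disjoint by construction)."""
    return "".join(CLASSES[name] for name in required)


def length_for(entropy_bits, required=DEFAULT_CLASSES):
    """Smallest length at which uniform draws from the alphabet reach entropy_bits."""
    return math.ceil(entropy_bits / math.log2(len(alphabet_for(required))))


def acceptance_probability(length, required=DEFAULT_CLASSES):
    """P(a uniform random string of this length contains every required class).

    Inclusion-exclusion over the subsets of classes that could be missing.
    """
    total = len(alphabet_for(required))
    prob = 0.0
    for k in range(len(required) + 1):
        for missing in itertools.combinations(required, k):
            remaining = total - sum(len(CLASSES[c]) for c in missing)
            prob += (-1) ** k * (remaining / total) ** length
    return prob


def entropy_bits_of(length, required=DEFAULT_CLASSES):
    """Effective entropy, in bits, of the rejection-sampled output.

    Rejection keeps the distribution uniform over the accepted strings, so the
    only loss versus length * log2(|alphabet|) is log2(1 / P(accept)).
    """
    total = len(alphabet_for(required))
    return length * math.log2(total) + math.log2(acceptance_probability(length, required))


def has_all_classes(password, required=DEFAULT_CLASSES):
    """True if at least one character of every required class is present."""
    return all(any(ch in CLASSES[c] for ch in password) for c in required)


def generate(entropy_bits=128, required=DEFAULT_CLASSES, max_attempts=1000):
    """Draw uniformly from the union alphabet until every class is present.

    Strength is set by entropy_bits alone; the classes only decide which
    strings a checker will accept, they never steer the generation itself.
    """
    alphabet = alphabet_for(required)
    length = length_for(entropy_bits, required)
    for _ in range(max_attempts):
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, required):
            return candidate
    raise RuntimeError("could not satisfy %d character classes at length %d; "
                       "raise entropy_bits" % (len(required), length))


if __name__ == "__main__":
    bits = 128
    n = length_for(bits)
    print("length %d, P(accept) %.4f, effective entropy %.2f bits"
          % (n, acceptance_probability(n), entropy_bits_of(n)))
    print(generate(bits))
```

With four classes and 128 requested bits the acceptance probability is above 0.9, so the class constraint costs well under one bit of entropy; the cost only becomes visible for short lengths, which the inclusion-exclusion function makes easy to check before choosing a policy.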

[Freeipa-devel] [freeipa PR#319][+ack] [master] gracefully handle setting replica bind dn group on old masters

2016-12-12 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old 
masters

Label: +ack

[Freeipa-devel] [freeipa PR#319][comment] [master] gracefully handle setting replica bind dn group on old masters

2016-12-12 Thread flo-renaud
  URL: https://github.com/freeipa/freeipa/pull/319
Title: #319: [master] gracefully handle setting replica bind dn group on old 
masters

flo-renaud commented:
"""
Hi,
thanks for the patch. It works as expected.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/319#issuecomment-266396960

Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy

2016-12-12 Thread Simo Sorce
On Mon, 2016-12-12 at 09:42 +0100, Christian Heimes wrote:
> Hi Simo,
> 
> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
> of Kerberos requests are performed by anon pkinit and to establish a
> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
> and AP-REQ+KRB-PRV. Responses are not filtered.

No changes needed, we only use AS and TGS request types.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

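The request-type filter this thread is about, as an added example that is not python-kdcproxy's code: it unwraps a KDC-PROXY-MESSAGE (MS-KKDCP: a SEQUENCE whose kerb-message [0] OCTET STRING holds the 4-byte length-prefixed Kerberos PDU, i.e. the TCP framing) and admits only AS-REQ, TGS-REQ and the kpasswd AP-REQ+KRB-PRIV pair by their ASN.1 APPLICATION tags. The function names are assumptions, and the stub PDUs (a bare tag around an empty SEQUENCE) are constructed fixtures, not real Kerberos messages. The point Simo makes above is visible at this layer: PKINIT pre-authentication and FAST armor are padata inside the AS-REQ, so an anonymous PKINIT exchange is still just an AS-REQ followed by TGS-REQs and passes the filter unchanged.

```python
import struct

# ASN.1 APPLICATION tag numbers of the Kerberos PDUs involved (RFC 4120,
# RFC 3244). A constructed APPLICATION tag n is encoded as 0x60 | n.
AS_REQ, TGS_REQ, AP_REQ, KRB_PRIV = 10, 12, 14, 21
ALLOWED_TOP_LEVEL = {AS_REQ: "AS-REQ", TGS_REQ: "TGS-REQ"}
# Version field of a kpasswd request: 0xff80 (RFC 3244 set/change password),
# 0x0001 for the older change-password protocol.
KPASSWD_VERSIONS = {0x0001, 0xFF80}


def _der_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for one DER TLV with a single-byte tag."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def unwrap_kdc_proxy_message(body):
    """Return the Kerberos PDU carried by a KDC-PROXY-MESSAGE.

    KDC-PROXY-MESSAGE ::= SEQUENCE { kerb-message [0] OCTET STRING, ... }
    kerb-message is the TCP form: a 4-byte big-endian length, then the PDU.
    """
    tag, seq, _ = _der_tlv(body)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    tag, ctx0, _ = _der_tlv(seq)
    if tag != 0xA0:
        raise ValueError("kerb-message [0] is missing")
    tag, octets, _ = _der_tlv(ctx0)
    if tag != 0x04 or len(octets) < 4:
        raise ValueError("kerb-message is not a framed OCTET STRING")
    (length,) = struct.unpack("!I", octets[:4])
    pdu = octets[4:4 + length]
    if len(pdu) != length:
        raise ValueError("truncated Kerberos PDU")
    return pdu


def classify(body):
    """Name the request type if the proxy policy allows it, else raise.

    AS-REQ and TGS-REQ pass on their outer tag alone; PKINIT pre-auth and
    FAST armor are padata inside the AS-REQ and are never inspected here.
    The kpasswd case is checked structurally: 2-byte length, 2-byte
    version, 2-byte AP-REQ length, then the AP-REQ and the KRB-PRIV.
    """
    pdu = unwrap_kdc_proxy_message(body)
    if (pdu[0] & 0xE0) == 0x60 and (pdu[0] & 0x1F) in ALLOWED_TOP_LEVEL:
        return ALLOWED_TOP_LEVEL[pdu[0] & 0x1F]
    if len(pdu) >= 6:
        msglen, version, aplen = struct.unpack("!HHH", pdu[:6])
        ap_req, krb_priv = pdu[6:6 + aplen], pdu[6 + aplen:]
        if (msglen == len(pdu) and version in KPASSWD_VERSIONS
                and ap_req[:1] == bytes([0x60 | AP_REQ])
                and krb_priv[:1] == bytes([0x60 | KRB_PRIV])):
            return "AP-REQ+KRB-PRIV"
    raise ValueError("request type 0x%02x is not proxied" % pdu[0])


# Constructed fixtures for the example; these are not real Kerberos messages.

def stub_pdu(app_tag, payload=b"\x30\x00"):
    """A bare APPLICATION tag around an empty SEQUENCE stands in for a PDU."""
    return bytes([0x60 | app_tag, len(payload)]) + payload


def stub_kpasswd():
    """kpasswd framing (RFC 3244) around stub AP-REQ and KRB-PRIV PDUs."""
    ap_req, krb_priv = stub_pdu(AP_REQ), stub_pdu(KRB_PRIV)
    body = ap_req + krb_priv
    return struct.pack("!HHH", 6 + len(body), 0xFF80, len(ap_req)) + body


def build_proxy_message(pdu):
    """Wrap a PDU as a KDC-PROXY-MESSAGE (short-form DER lengths, < 128 bytes)."""
    framed = struct.pack("!I", len(pdu)) + pdu
    octets = bytes([0x04, len(framed)]) + framed
    ctx0 = bytes([0xA0, len(octets)]) + octets
    return bytes([0x30, len(ctx0)]) + ctx0


if __name__ == "__main__":
    for name, pdu in [("anonymous PKINIT AS-REQ", stub_pdu(AS_REQ)),
                      ("FAST-armored TGS-REQ", stub_pdu(TGS_REQ)),
                      ("kpasswd", stub_kpasswd()),
                      ("stray AP-REQ", stub_pdu(AP_REQ))]:
        try:
            print(name, "->", classify(build_proxy_message(pdu)))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
```

The filter decides on the outer PDU type only, which is exactly why the question in the thread resolves to "no change": the proxy never parses padata, so neither the PKINIT pre-authentication nor the FAST armor carried by an anonymous client is visible to it.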


[Freeipa-devel] [freeipa PR#301][comment] scripts, tests: explicitly set confdir in the rest of server code

2016-12-12 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/301
Title: #301: scripts, tests: explicitly set confdir in the rest of server code

tiran commented:
"""
I'll review the patch by the end of the week. Some changes are not required.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/301#issuecomment-266384886

Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy

2016-12-12 Thread Christian Heimes
On 2016-12-12 10:37, Alexander Bokovoy wrote:
> On Mon, 12 Dec 2016, Alexander Bokovoy wrote:
>> On Mon, 12 Dec 2016, Christian Heimes wrote:
>>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>>> On Mon, 12 Dec 2016, Christian Heimes wrote:
>>>>> Hi Simo,
>>>>>
>>>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>>>> of Kerberos requests are performed by anon pkinit and to establish a
>>>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>>>> and AP-REQ+KRB-PRV. Responses are not filtered.
>>>> Anonymous principal as configured in FreeIPA can only be used to obtain
>>>> a TGT, nothing else.
>>>>
>>>> See https://tools.ietf.org/html/rfc6112 for a spec definition.
>>>
>>> That doesn't answer my question for me. Or does 'only TGT' imply that
>>> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
>>> about the two request types.
>> You can only obtain a TGT and this TGT can only be used for FAST
>> channel. You cannot obtain any service ticket with this TGT.
> To close the loop, no changes in kdcproxy are needed because PKINIT is a
> pre-authentication scheme and it works just fine with kdcproxy as it is.
> I just tested this.

Alexander, thanks for your tests!

I have created an issue to add test cases to kdcproxy to ensure that we
stay compatible with PKINIT, https://github.com/latchset/kdcproxy/issues/23

Christian




Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy

2016-12-12 Thread Alexander Bokovoy

On Mon, 12 Dec 2016, Alexander Bokovoy wrote:
> On Mon, 12 Dec 2016, Christian Heimes wrote:
>> On 2016-12-12 09:54, Alexander Bokovoy wrote:
>>> On Mon, 12 Dec 2016, Christian Heimes wrote:
>>>> Hi Simo,
>>>>
>>>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>>>> of Kerberos requests are performed by anon pkinit and to establish a
>>>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>>>> and AP-REQ+KRB-PRV. Responses are not filtered.
>>> Anonymous principal as configured in FreeIPA can only be used to obtain
>>> a TGT, nothing else.
>>>
>>> See https://tools.ietf.org/html/rfc6112 for a spec definition.
>>
>> That doesn't answer my question for me. Or does 'only TGT' imply that
>> request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
>> about the two request types.
> You can only obtain a TGT and this TGT can only be used for FAST
> channel. You cannot obtain any service ticket with this TGT.
To close the loop, no changes in kdcproxy are needed because PKINIT is a
pre-authentication scheme and it works just fine with kdcproxy as it is.
I just tested this.
--
/ Alexander Bokovoy



[Freeipa-devel] [freeipa PR#326][synchronized] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/326
Author: abbra
 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/326/head:pr326
git checkout pr326
From 93c1e574ed44d3195aa1402eece5b8391fd6d93d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 12 Dec 2016 10:30:51 +0200
Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in
 smb.conf

Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:

net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551
---
 install/share/smb.conf.template |  2 +-
 ipaserver/install/server/upgrade.py | 22 ++
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 2908b99..17bde5d 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME
 netbios name = $HOST_NETBIOS_NAME
 realm = $REALM
 kerberos method = dedicated keytab
-dedicated keytab file = FILE:/etc/samba/samba.keytab
+dedicated keytab file = /etc/samba/samba.keytab
 create krb5 conf = no
 security = user
 domain master = yes
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 2454507..4ade2f9 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -47,6 +47,7 @@
 from ipaserver.install import dnskeysyncinstance
 from ipaserver.install import krainstance
 from ipaserver.install import dogtaginstance
+from ipaserver.install import adtrustinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
 
@@ -267,6 +268,26 @@ def cleanup_adtrust(fstore):
 root_logger.debug('Removing %s from backup', backed_up_file)
 
 
+def upgrade_adtrust_config():
+"""
+Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
+"""
+
+if not adtrustinstance.ipa_smb_conf_exists():
+return
+
+root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' "
+ "in Samba configuration]")
+
+args = [paths.NET, "conf", "setparm", "global",
+"dedicated keytab file", paths.SAMBA_KEYTAB]
+
+try:
+ipautil.run(args)
+except ipautil.CalledProcessError as e:
+root_logger.warning("Error updating Samba registry: %s", e)
+
+
 def ca_configure_profiles_acl(ca):
 root_logger.info('[Authorizing RA Agent to modify profiles]')
 
@@ -1653,6 +1674,7 @@ def upgrade_configuration():
 
 cleanup_kdc(fstore)
 cleanup_adtrust(fstore)
+upgrade_atrust_config()
 
 bind = bindinstance.BindInstance(fstore)
 if bind.is_configured() and not bind.is_running():
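Review bot: `upgrade_atrust_config()` is misspelled; the function added above is `upgrade_adtrust_config`, so `upgrade_configuration()` raises NameError on every upgrade run, which is what pylint reports as an undefined name. Rename the call to `upgrade_adtrust_config()`.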

Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy

2016-12-12 Thread Christian Heimes
On 2016-12-12 09:54, Alexander Bokovoy wrote:
> On Mon, 12 Dec 2016, Christian Heimes wrote:
>> Hi Simo,
>>
>> I'm wondering if we need to change kdcproxy for anon pkinit. What kind
>> of Kerberos requests are performed by anon pkinit and to establish a
>> FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
>> and AP-REQ+KRB-PRV. Responses are not filtered.
> Anonymous principal as configured in FreeIPA can only be used to obtain
> a TGT, nothing else.
> 
> See https://tools.ietf.org/html/rfc6112 for a spec definition.

That doesn't answer my question for me. Or does 'only TGT' imply that
request types are limited to AS-REQ and TGS-REQ? RFC 6112 just talks
about the two request types.

Christian




[Freeipa-devel] [freeipa PR#326][opened] adtrust: remove FILE: prefix from 'dedicated keytab file' in smb.conf

2016-12-12 Thread abbra
   URL: https://github.com/freeipa/freeipa/pull/326
Author: abbra
 Title: #326: adtrust: remove FILE: prefix from 'dedicated keytab file' in 
smb.conf
Action: opened

PR body:
"""
Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:

net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/326/head:pr326
git checkout pr326
From 04aba48840c95a95e48fc397545b3e7d67516575 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy 
Date: Mon, 12 Dec 2016 10:30:51 +0200
Subject: [PATCH] adtrust: remove FILE: prefix from 'dedicated keytab file' in
 smb.conf

Samba 4.5 does not allow specifying the access mode for the keytab (FILE: or
WRFILE:) from external sources. Thus, change the defaults to a path
(implies FILE: prefix) while Samba Team fixes the code to allow the
access mode prefix for keytabs.

On upgrade we need to replace 'dedicated keytab file' value with the
path to the Samba keytab that FreeIPA maintains. Since the configuration
is stored in the Samba registry, we use net utility to manipulate the
configuration:

net conf setparm global 'dedicated keytab file' /etc/samba/samba.keytab

Fixes https://fedorahosted.org/freeipa/ticket/6551
---
 install/share/smb.conf.template |  2 +-
 ipaserver/install/server/upgrade.py | 20 
 2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
index 2908b99..17bde5d 100644
--- a/install/share/smb.conf.template
+++ b/install/share/smb.conf.template
@@ -3,7 +3,7 @@ workgroup = $NETBIOS_NAME
 netbios name = $HOST_NETBIOS_NAME
 realm = $REALM
 kerberos method = dedicated keytab
-dedicated keytab file = FILE:/etc/samba/samba.keytab
+dedicated keytab file = /etc/samba/samba.keytab
 create krb5 conf = no
 security = user
 domain master = yes
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 2454507..77a1f11 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -47,6 +47,7 @@
 from ipaserver.install import dnskeysyncinstance
 from ipaserver.install import krainstance
 from ipaserver.install import dogtaginstance
+from ipaserver.install import adtrustinstance
 from ipaserver.install.upgradeinstance import IPAUpgrade
 from ipaserver.install.ldapupdate import BadSyntax
 
@@ -266,6 +267,24 @@ def cleanup_adtrust(fstore):
 fstore.untrack_file(backed_up_file)
 root_logger.debug('Removing %s from backup', backed_up_file)
 
+def upgrade_adtrust_config():
+"""
+Upgrade 'dedicated keytab file' in smb.conf to omit FILE: prefix
+"""
+
+if not adtrustinstance.ipa_smb_conf_exists():
+return
+
+root_logger.info("[Remove FILE: prefix from 'dedicated keytab file' "
+ "in Samba configuration]")
+
+args = [paths.NET, "conf", "setparm", "global",
+"dedicated keytab file", paths.SAMBA_KEYTAB]
+
+try:
+ipautil.run(args)
+except ipautil.CalledProcessError as e:
+root_logger.warning("Error updating Samba registry: %s", e)
 
 def ca_configure_profiles_acl(ca):
 root_logger.info('[Authorizing RA Agent to modify profiles]')
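Review bot: only one blank line separates the new `upgrade_adtrust_config` from the preceding `cleanup_adtrust` and from `def ca_configure_profiles_acl(ca):`, while the rest of upgrade.py keeps two between top-level definitions; add the second blank line on both sides so pep8 stays clean.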
@@ -1653,6 +1672,7 @@ def upgrade_configuration():
 
 cleanup_kdc(fstore)
 cleanup_adtrust(fstore)
+upgrade_atrust_config()
 
 bind = bindinstance.BindInstance(fstore)
 if bind.is_configured() and not bind.is_running():
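Review bot: `upgrade_atrust_config()` does not match the name defined above, `upgrade_adtrust_config`, so this line raises NameError at upgrade time; fix the typo in the call.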

[Freeipa-devel] [freeipa PR#325][opened] WebUI: Hide incorrectly shown buttons on hosts tab in ID Views

2016-12-12 Thread pvomacka
   URL: https://github.com/freeipa/freeipa/pull/325
Author: pvomacka
 Title: #325: WebUI: Hide incorrectly shown buttons on hosts tab in ID Views
Action: opened

PR body:
"""
There was a missing default value for the evaluator adapter.
In that case the adapter variable could be undefined and
it crashed when building the adapter. Therefore it did not
evaluate all evaluators. That is the reason why the 'Delete'
and 'Add' buttons were incorrectly shown.
The default value is now set to an empty object.

https://fedorahosted.org/freeipa/ticket/6546
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/325/head:pr325
git checkout pr325
From b7d617e0c44562401c55ef7ce22867e1b2ef7885 Mon Sep 17 00:00:00 2001
From: Pavel Vomacka 
Date: Mon, 12 Dec 2016 09:44:40 +0100
Subject: [PATCH] WebUI: Hide incorrectly shown buttons on hosts tab in ID
 Views

There was a missing default value for the evaluator adapter.
In that case the adapter variable could be undefined and
it crashes when building the adapter. Therefore it did not
evaluate all evaluators. That is the reason why the 'Delete'
and 'Add' buttons were incorrectly shown.
The default value is now set to an empty object.

https://fedorahosted.org/freeipa/ticket/6546
---
 install/ui/src/freeipa/details.js | 1 +
 1 file changed, 1 insertion(+)

diff --git a/install/ui/src/freeipa/details.js b/install/ui/src/freeipa/details.js
index e274e6f..9f0e632 100644
--- a/install/ui/src/freeipa/details.js
+++ b/install/ui/src/freeipa/details.js
@@ -1647,6 +1647,7 @@ exp.value_state_evaluator = IPA.value_state_evaluator = function(spec) {
 
 spec.name = spec.name || 'value_state_evaluator';
 spec.event = spec.event || 'post_load';
+spec.adapter = spec.adapter || {};
 
 var that = IPA.state_evaluator(spec);
 
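Review bot: the default `spec.adapter = spec.adapter || {};` is applied only in value_state_evaluator, yet the very next line hands spec to IPA.state_evaluator(spec); if the adapter is built in that base constructor, every other evaluator that omits spec.adapter will hit the same undefined crash and the default belongs there instead. The change also ships without a regression test for the ID Views hosts tab case from ticket 6546 that it fixes.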

Re: [Freeipa-devel] Anonymous PKINIT and kdcproxy

2016-12-12 Thread Alexander Bokovoy

On Mon, 12 Dec 2016, Christian Heimes wrote:

Hi Simo,

I'm wondering if we need to change kdcproxy for anon pkinit. What kind
of Kerberos requests are performed by anon pkinit and to establish a
FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
and AP-REQ+KRB-PRV. Responses are not filtered.

Anonymous principal as configured in FreeIPA can only be used to obtain
a TGT, nothing else.

See https://tools.ietf.org/html/rfc6112 for a spec definition.
--
/ Alexander Bokovoy



Re: [Freeipa-devel] CSR autogeneration next steps

2016-12-12 Thread Jan Cholasta

On 5.12.2016 16:48, Ben Lipton wrote:

Hi Jan, thanks for the comments.


On 12/05/2016 04:25 AM, Jan Cholasta wrote:

Hi Ben,

On 3.11.2016 00:12, Ben Lipton wrote:

Hi everybody,

Soon I'm going to have to reduce the amount of time I spend on new
development work for the CSR autogeneration project, and I want to leave
the project in as organized a state as possible. So, I'm taking
inventory of the work I've done in order to make sure that what's ready
for review can get reviewed and the ideas that have been discussed get
prototyped or at least recorded so they won't be forgotten.


Thanks, I have some questions and comments, see below.



Code that's ready for review (I will continue to put in as much time as
needed to help get these ready for submission):

- Current PR: https://github.com/freeipa/freeipa/pull/10


How hard would it be to update the PR to use the "new" interface from
the design thread? By this I mean that currently there is a command
(cert_get_requestdata), which creates a CSR from profile id +
principal + helper, but in the design we discussed a command which
creates a CertificationRequestInfo from profile id + principal +
public key.

Internally it could use the OpenSSL helper, no need to implement the
full "new" design. With your build_requestinfo.c code below it looks
like it should be pretty straightforward.


This is probably doable with the cffi, but I'm concerned about
usability. A user can run the current command to get a (reusable)
script, and run the script to get a CSR. It works with keys in both PEM
files and NSS databases already. If we change to outputting a
CertificationRequestInfo, in order to make this usable on the command
line, we'll need:
- An additional tool to sign a CSR given a CertificationRequestInfo (for
both types of key storage).
- A way to extract a SubjectPublicKeyInfo structure from a key within
the ipa command (like [1] but we need it for both types of key storage)
Since as far as I know there's no standard encoding for files containing
only a CertificationRequestInfo or a SubjectPublicKeyInfo, we'll be
writing and distributing these ourselves. I think that's where most of
the extra work will come in.


For PEM files, this is easily doable using python-cryptography (to 
extract SubjectPublicKeyInfo and sign CertificationRequestInfo) and 
PyASN1 (to create a CSR from the CertificationRequestInfo and the 
signature).


For NSS databases, this will be trickier and will require calling C 
functions, as neither certutil nor python-nss provide a way to a) 
address existing keys in the database by key ID b) get 
SubjectPublicKeyInfo for a given key.


As for encoding, the obvious choice is DER. It does not really matter 
there is no standard file format, as we won't be transferring these as 
files anyway.




Would it be ok to stick with the current design in this PR? I'd feel
much better if we could get the basic functionality into the repo and
then iterate on it rather than changing the plan at this point. I can
create a separate PR to change cert_get_requestdata to this new
interface and at the same time add the necessary adapters (bullet points
above) to make it user-friendly.


Works for me.



I would probably just implement the adapters within the
cert_build/cert_request client code unless you think having standalone
tools is valuable. I suppose certmonger is going to need these features
too, but I don't know how well sharing code between them is going to work.


cert-request is exactly the place where it should be :-) I wouldn't 
bother with certmonger until we have a server-side csrgen.






- Allow some fields to be specified by the user at creation time:
https://github.com/LiptonB/freeipa/commits/local-user-data


Good idea :-)



- Automation for the full process from getting CSR data to requesting
cert: https://github.com/LiptonB/freeipa/commits/local-cert-build


LGTM, although I would prefer if this was a client-side extension of
cert-request rather than a completely new command.


I did try that at first, but I struggled to figure out the interface for
the modified cert-request. (Not that the current solution is so great,
what with the copying of options from cert_request and certreq.) If I
remember correctly, I was uncertain how to implement parameters that are
required/invalid based on other parameters: the current cert-request
takes a signed CSR (required), a principal (required), and a profile ID;
the new cert-request (what I implemented as cert-build) takes a
principal (required), a profile ID (required), and a key location
(required). I can't remember if that was the only problem, but I'll try
again to merge the commands and get back to you.


To make the CSR argument optional on the client, you can do this:

    def get_options(self):
        for option in super(cert_request, self).get_options():
            if option.name == 'csr':
                # the CSR becomes optional on the client side only
                option = option.clone(required=False)
            yield option

IMO profile ID should default to 

[Freeipa-devel] Anonymous PKINIT and kdcproxy

2016-12-12 Thread Christian Heimes
Hi Simo,

I'm wondering if we need to change kdcproxy for anon pkinit. What kind
of Kerberos requests are performed by anon pkinit and to establish a
FAST tunnel? python-kdcproxy allows only request types AS-REQ, TGS-REQ
and AP-REQ+KRB-PRV. Responses are not filtered.

Regards,
Christian
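As an added example, not python-kdcproxy's or FreeIPA's own code, here is the kind of check behind the request-type restriction asked about above (AS-REQ, TGS-REQ and AP-REQ+KRB-PRIV), read together with Alexander's reply that the anonymous principal only obtains a TGT: it classifies a DER-encoded Kerberos message by its outer APPLICATION tag and accepts only the allowed client request types. The sample messages are constructed and carry only a valid outer tag around a dummy body; the anon PKINIT exchange that obtains a TGT is an AS-REQ and so falls inside the allowed set.

```python
# Added example (not python-kdcproxy's code): classify a DER-encoded Kerberos
# message by its outer ASN.1 APPLICATION tag, the byte a proxy inspects to
# decide whether a client message may be forwarded. Tag numbers follow
# RFC 4120 section 5.10. Sample messages below are constructed, not real PDUs.

KRB_APP_TAGS = {
    10: "AS-REQ", 11: "AS-REP", 12: "TGS-REQ", 13: "TGS-REP",
    14: "AP-REQ", 15: "AP-REP", 20: "KRB-SAFE", 21: "KRB-PRIV",
    22: "KRB-CRED", 30: "KRB-ERROR",
}

# Client-to-KDC types the thread says python-kdcproxy lets through
# (KRB-PRIV rides inside the AP-REQ exchange rather than standing alone).
ALLOWED_CLIENT_TYPES = {"AS-REQ", "TGS-REQ", "AP-REQ"}


def krb_message_type(der: bytes) -> str:
    """Return the Kerberos message name encoded in the first DER tag byte.

    Raises ValueError unless the byte is a constructed APPLICATION-class
    tag whose number is one of the RFC 4120 top-level message types.
    """
    if not der:
        raise ValueError("empty message")
    first = der[0]
    # bits 8-7: tag class (01 = APPLICATION); bit 6: constructed;
    # bits 5-1: tag number (0x1f would mean the multi-byte form).
    if (first & 0xC0) != 0x40 or not (first & 0x20):
        raise ValueError("not a constructed APPLICATION tag: 0x%02x" % first)
    tag_number = first & 0x1F
    if tag_number not in KRB_APP_TAGS:
        raise ValueError("unknown Kerberos application tag %d" % tag_number)
    return KRB_APP_TAGS[tag_number]


def client_message_allowed(der: bytes) -> bool:
    """True only for request types a kdcproxy-style filter forwards; unparseable input is rejected."""
    try:
        return krb_message_type(der) in ALLOWED_CLIENT_TYPES
    except ValueError:
        return False


# Constructed samples: tag byte, length 3, then a dummy SEQUENCE body.
SAMPLE_AS_REQ = bytes([0x6A, 0x03, 0x30, 0x01, 0x00])    # [APPLICATION 10]
SAMPLE_TGS_REQ = bytes([0x6C, 0x03, 0x30, 0x01, 0x00])   # [APPLICATION 12]
SAMPLE_AS_REP = bytes([0x6B, 0x03, 0x30, 0x01, 0x00])    # [APPLICATION 11]
SAMPLE_KRB_PRIV = bytes([0x75, 0x03, 0x30, 0x01, 0x00])  # [APPLICATION 21]
```

Responses such as AS-REP are shown as rejected here only when a client submits them; the proxy does not inspect what the KDC sends back, which matches the "responses are not filtered" remark above.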




[Freeipa-devel] [freeipa PR#323][comment] ipactl: pass api as argument to services

2016-12-12 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/323
Title: #323: ipactl: pass api as argument to services

stlaz commented:
"""
Do we need a ticket for this? I notice the original commit did not have it 
either.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/323#issuecomment-266368348