On Mon, 01 Oct 2012, Martin Kosek wrote:
On 10/01/2012 04:35 PM, Alexander Bokovoy wrote:
On Mon, 01 Oct 2012, Martin Kosek wrote:
On 10/01/2012 11:24 AM, Alexander Bokovoy wrote:
Hi,
The patch attached fixes Fedora build system issue with unified samba
package (samba/samba4 packages got
18 box with new unified samba
packages.
Aside from binary compatibility, there are regular rebuilds of Rawhide
and they failed for us on Friday, as Stephen has discovered. So, maybe
we'd better update Rawhide with the patch?
--
/ Alexander Bokovoy
___
F
create
a helper method that would accept:
- ldif file name,
- cn component
- name of the plugin for the "already configured" message
Then every __add_* method would call simply the helper with appropriate
arguments.
--
/ Alexand
On Thu, 04 Oct 2012, Sumit Bose wrote:
On Thu, Oct 04, 2012 at 12:13:57PM +0300, Alexander Bokovoy wrote:
On Thu, 04 Oct 2012, Sumit Bose wrote:
>Hi,
>
>this patch tries to avoid the ldapmodify error messages during
>ipa-adtrust-install by checking if the related object already ex
On Thu, 04 Oct 2012, Sumit Bose wrote:
Hi,
this patch fixes unattended installation for ipa-adtrust-install and
ticket https://fedorahosted.org/freeipa/ticket/3023 .
ACK. Thanks!
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel
On Thu, 04 Oct 2012, Sumit Bose wrote:
On Thu, Oct 04, 2012 at 12:39:07PM +0300, Alexander Bokovoy wrote:
On Thu, 04 Oct 2012, Sumit Bose wrote:
>On Thu, Oct 04, 2012 at 12:13:57PM +0300, Alexander Bokovoy wrote:
>>On Thu, 04 Oct 2012, Sumit Bose wrote:
>>>Hi,
>>>
&
On Thu, 04 Oct 2012, Martin Kosek wrote:
On 09/25/2012 04:30 PM, Alexander Bokovoy wrote:
Hi,
I did have bug filed against python-ldap in January and for some reason
my patch to accommodate two ways of making LDAP controls was not included
in March 2012 when I presented it as part of trusts
please create DNS zone for domain 'ad.local1' first and then
set forwarder and forward policy
---
Web UI looks like this: http://abbra.fedorapeople.org/.paste/ui.png
--
/ Alexander Bokovoy
>From 9916c6cf35e93c4ad
On Fri, 05 Oct 2012, Petr Vobornik wrote:
On 10/04/2012 05:06 PM, Alexander Bokovoy wrote:
Hi,
two attached patches attempt to solve
https://fedorahosted.org/freeipa/ticket/3103
We cannot make educated guess where trusted domain's DNS server is
located as we ended up with NotFound exce
I do not see any special reasons why it shouldn't
but I also do not have any special reason why we should.
Anyone can think of any pros/cons of doing that ?
Since it only has special meaning within the same domain and we are not
using it for anything, it should be fine.
--
/ Alexander Boko
is fixed by the first patch.
The second patch actually uses this new objectclass in ipasam. Currently
ipasam generates a hardcoded SID for the trusted domain user which might
lead to confusion. With the second patch the trusted domain user has a
proper SID.
ACK, works for me.
--
/ Alexander Bokovoy
On Thu, 04 Oct 2012, Sumit Bose wrote:
Hi,
this patch should fix the reopened
https://fedorahosted.org/freeipa/ticket/3019 .
ACK.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo
On Wed, 03 Oct 2012, Sumit Bose wrote:
Hi,
this patch adds a new option to ipa-adtrust-install to generate the SID
for users and groups at the end of the run. This fixes
https://fedorahosted.org/freeipa/ticket/3104 .
ACK, works for me too.
--
/ Alexander Bokovoy
patchset and apart from the non-obvious extension
description displayed when installing it, which is based on a certificate,
everything is great.
ACK.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
On Fri, 05 Oct 2012, Endi Sukma Dewata wrote:
On 10/5/2012 8:56 AM, Alexander Bokovoy wrote:
On Thu, 04 Oct 2012, Petr Vobornik wrote:
On 10/03/2012 04:19 PM, Simo Sorce wrote:
On Wed, 2012-10-03 at 15:50 +0200, Petr Vobornik wrote:
As Alexander proposed in other channel. I will remove the
On Fri, 05 Oct 2012, Petr Vobornik wrote:
On 10/05/2012 03:24 PM, Alexander Bokovoy wrote:
On Fri, 05 Oct 2012, Petr Vobornik wrote:
On 10/04/2012 05:06 PM, Alexander Bokovoy wrote:
Hi,
two attached patches attempt to solve
https://fedorahosted.org/freeipa/ticket/3103
We cannot make
On Fri, 05 Oct 2012, Simo Sorce wrote:
A one-liner but better to have it validated by a second pair of eyes.
Yep. Go ahead.
The origin of USES_RC4_ENCRYPTION comes from Samba 3 code in net utility
that Sumit implemented ~1.5 year ago.
--
/ Alexander Bokovoy
On Mon, 08 Oct 2012, Petr Vobornik wrote:
On 10/05/2012 08:14 PM, Alexander Bokovoy wrote:
On Fri, 05 Oct 2012, Petr Vobornik wrote:
On 10/05/2012 03:24 PM, Alexander Bokovoy wrote:
On Fri, 05 Oct 2012, Petr Vobornik wrote:
On 10/04/2012 05:06 PM, Alexander Bokovoy wrote:
Hi,
two attached
upgrading from older versions would not be possible due to
referencing non-existent principal in updates.
https://fedorahosted.org/freeipa/ticket/3041
--
/ Alexander Bokovoy
>From 2c29b1ee8e4bc0752be61889f254fb37f701dcbc Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 8 Oct 2012 13:27
Hi,
this patch avoids reconfiguring SELinux if required variable is already
enabled. This would save you couple minutes on re-run of
ipa-adtrust-install.
No ticket for it yet and the patch might wait until 3.0.1 but
"I had enough patience" :)
--
/ Alexander Bok
ed.
But your question sparked another one: should we backport
firefox extension work to 2.2? Since it is client-side that gets
upgraded to Firefox 15, chances are high that soon existing 2.2 installs
would not be manageable via browser on newer clients unless
ornik
Date: Tue, 9 Oct 2012 10:17:16 +0200
Subject: [PATCH] Add mime type to httpd ipa.conf for xpi extension
Some configuration doesn't give proper mime type to xpi files. This patch
explicitly sets it.
https://fedorahosted.org/freeipa/ticket/3094
ACK.
--
/ Alexand
installing samba{,4}-winbind-krb5-locator after
freeipa-server-trust-ad subpackage is installed.
Obsoletes: tag would force removal of samba{,4}-winbind-krb5-locator
during the install of freeipa-server-trust-ad.
https://fedorahosted.org/freeipa/ticket/3102
--
/ Alexander Bokovoy
>F
Warn about manual DNA plugin configuration when working with local ID ranges
since we currently do not support automatic pick up of the changed
settings for local ID ranges by the DNA plugin.
https://fedorahosted.org/freeipa/ticket/3116
--
/ Alexander Bokovoy
>F
Hi,
Domain Admins RID is -512, not -513. Fix the documentation text.
--
/ Alexander Bokovoy
>From 152c2f7aae533594599bd86f5779978cf656e600 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 10 Oct 2012 10:04:25 +0300
Subject: [PATCH 5/5] Fix wrong RID for Domain Admins in
On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
Hi,
Since use of winbind on FreeIPA server that is configured with trusts is
conflicting with krb5 locator based on winbind, make sure there is
conflict that will force removing samba{,4}-winbind-krb5-locator package
when -server-trust-ad subpackage
On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
Hi,
Since use of winbind on FreeIPA server that is configured with trusts is
conflicting with krb5 locator based on winbind, make sure there is
conflict that will force removing samba{,4}-winbind-krb5
On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
Hi,
Since use of winbind on FreeIPA server that is configured with trusts is
conflicting with krb5 locator based on winbind, make sure there is
conflict
On Wed, 10 Oct 2012, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 10:51:11AM +0300, Alexander Bokovoy wrote:
Warn about manual DNA plugin configuration when working with local ID ranges
since we currently do not support automatic pick up of the changed
settings for local ID ranges by the DNA
On Wed, 10 Oct 2012, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 12:04:06PM +0300, Alexander Bokovoy wrote:
On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
>On Wed, 10 Oct 2012, Alexander Bokovoy wrote:
>>Hi,
>>
>>Since use of winbind on FreeIPA server that is conf
it is preferable to get that
one in instead. :)
--
/ Alexander Bokovoy
Bokovoy
>From 44550cf83aac289363e3ca2acc789bc81cef351d Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 10 Oct 2012 15:33:50 +0300
Subject: [PATCH 5/5] Clarify trust-add help regarding multiple runs against
the same domain
Since trust-add re-establishes the trust every time it is run
On Thu, 11 Oct 2012, Petr Viktorin wrote:
On 10/08/2012 02:22 PM, Alexander Bokovoy wrote:
On Mon, 08 Oct 2012, Petr Vobornik wrote:
On 10/05/2012 08:14 PM, Alexander Bokovoy wrote:
On Fri, 05 Oct 2012, Petr Vobornik wrote:
On 10/05/2012 03:24 PM, Alexander Bokovoy wrote:
On Fri, 05 Oct
On Thu, 11 Oct 2012, Petr Viktorin wrote:
On 10/11/2012 12:27 PM, Alexander Bokovoy wrote:
On Thu, 11 Oct 2012, Petr Viktorin wrote:
On 10/08/2012 02:22 PM, Alexander Bokovoy wrote:
On Mon, 08 Oct 2012, Petr Vobornik wrote:
On 10/05/2012 08:14 PM, Alexander Bokovoy wrote:
On Fri, 05 Oct
On Thu, 11 Oct 2012, Petr Viktorin wrote:
On 10/11/2012 02:44 PM, Alexander Bokovoy wrote:
On Thu, 11 Oct 2012, Petr Viktorin wrote:
On 10/11/2012 12:27 PM, Alexander Bokovoy wrote:
On Thu, 11 Oct 2012, Petr Viktorin wrote:
On 10/08/2012 02:22 PM, Alexander Bokovoy wrote:
On Mon, 08 Oct
is on a separate line).
Checking the entire message would make the test more straightforward.
Squash in the attached patch if you agree.
I purposely went regexp way because of _("Additional instructions"). I
know that our testsuite is not passing when running it localized
n
changes like dotless i to I to i and others) where regressions might
appear.
--
/ Alexander Bokovoy
Hi!
We don't use smbpasswd in adtrustinstance anymore so the check is
bogus.
One-liner.
--
/ Alexander Bokovoy
>From 687f448a4b7d12ddb356f8e2a35a93fe9611b7cb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Mon, 15 Oct 2012 16:01:26 +0300
Subject: [PATCH] Remove bogus c
On Mon, 15 Oct 2012, Rob Crittenden wrote:
Sumit Bose wrote:
On Mon, Oct 15, 2012 at 04:10:45PM +0300, Alexander Bokovoy wrote:
Hi!
We don't use smbpasswd in adtrustinstance anymore so the check is
bogus.
One-liner.
--
/ Alexander Bokovoy
ACK
NACK. Please fix the error message to
the only repo where bind 9.9.2 is
available is updates-testing.
Petr, Adam, could any of you rebuild bind-dyndb-ldap in ipa-devel repo
against bind in updates-testing for F17?
Without this rebuild managed DNS is not possible to use in
F17+ipa-devel.
--
/ Alexander Bokovoy
ntact them directly.
At least for FreeIPA and SSSD there are builds triggered from commits to the
git repo.
--
/ Alexander Bokovoy
is in the directory (0700,
root, root) permissions so nobody can modify it but root. Root already
has possibility to shutdown whatever services are there. I think we are
OK here -- but whoever packages the change, would need to be careful and
copy accompanying spec-file changes.
--
/ Alexand
On Wed, 17 Oct 2012, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 12:59:53PM +0300, Alexander Bokovoy wrote:
On Wed, 10 Oct 2012, Sumit Bose wrote:
>On Wed, Oct 10, 2012 at 10:51:11AM +0300, Alexander Bokovoy wrote:
>>
>>Warn about manual DNA plugin configuration when working with
On Wed, 17 Oct 2012, Petr Viktorin wrote:
On 10/17/2012 12:10 PM, Alexander Bokovoy wrote:
On Wed, 17 Oct 2012, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 12:59:53PM +0300, Alexander Bokovoy wrote:
On Wed, 10 Oct 2012, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 10:51:11AM +0300, Alexander
On Wed, 17 Oct 2012, Martin Kosek wrote:
On 10/17/2012 12:14 PM, Petr Viktorin wrote:
On 10/17/2012 12:10 PM, Alexander Bokovoy wrote:
On Wed, 17 Oct 2012, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 12:59:53PM +0300, Alexander Bokovoy wrote:
On Wed, 10 Oct 2012, Sumit Bose wrote:
>On Wed,
On Wed, 17 Oct 2012, Martin Kosek wrote:
On 10/17/2012 12:42 PM, Alexander Bokovoy wrote:
On Wed, 17 Oct 2012, Petr Viktorin wrote:
On 10/17/2012 12:10 PM, Alexander Bokovoy wrote:
On Wed, 17 Oct 2012, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 12:59:53PM +0300, Alexander Bokovoy wrote:
On
On Tue, 02 Oct 2012, Sumit Bose wrote:
Hi,
this patch fixes a couple of resource leaks and unchecked return and an
uninitialised value found by Coverity.
ACK.
--
/ Alexander Bokovoy
the corresponding SID and then the SID is looked up.
FreeIPA ticket is https://fedorahosted.org/freeipa/ticket/3166 .
ACK.
--
/ Alexander Bokovoy
AAAze8BAQQy1QhmzheAyAUAAA==
sAMAccountName: IPATEAM$
sAMAccountType: 805306370
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ad,DC=local
dSCorePropagationData: 1601010100.0Z
lastLogonTimestamp: 129950556201332000
# search result
search: 4
result:
updated if we do a post-install of DNS or the CA?
It isn't now which would leave some services running.
Same for ipa-adtrust-install.
--
/ Alexander Bokovoy
On Thu, 18 Oct 2012, Sumit Bose wrote:
On Thu, Oct 18, 2012 at 10:00:54PM +0300, Alexander Bokovoy wrote:
Hi,
this is work in progress, shared mostly to get comments.
Simo, Sumit, this is an attempt to resolve external group members from
trusted domains using their Global Catalog services
On Thu, 18 Oct 2012, Sumit Bose wrote:
On Thu, Oct 18, 2012 at 11:42:34PM +0300, Alexander Bokovoy wrote:
On Thu, 18 Oct 2012, Sumit Bose wrote:
>On Thu, Oct 18, 2012 at 10:00:54PM +0300, Alexander Bokovoy wrote:
>>Hi,
>>
>>this is work in progress, shared mostly to ge
oftware
availability. We wanted to avoid embedding package manager-specific
knowledge which might not be possible to use during upgrades (to avoid
potential lock ups on parallel access to the same database in some
package managers).
So, for httpd it is correctly reporting that the service is instal
icket/3211
Alexander Bokovoy (1):
Resolve external members from trusted domain via Global Catalog
ipalib/plugins/group.py| 32 +
ipaserver/dcerpc.py| 172 +
ipaserver/plugins/ldap2.py | 3 +
3 files changed, 181 insertions(+), 26
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa/ipa_memcached/krb5cc_TRUSTEDDOMAIN with
principal ourdomain$@trusted.domain
5. Do LDAP SASL intera
On Mon, 29 Oct 2012, Simo Sorce wrote:
On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller
3. Fetch trusted domain account auth info
4. Set up ccache in /va
to misconfiguration and explain what
to fix. This step is rather open right now, since we don't really know
why it fails (barring DNS issues).
--
/ Alexander Bokovoy
On Mon, 29 Oct 2012, Simo Sorce wrote:
On Mon, 2012-10-29 at 23:03 +0200, Alexander Bokovoy wrote:
On Mon, 29 Oct 2012, Simo Sorce wrote:
>On Mon, 2012-10-29 at 19:59 +0200, Alexander Bokovoy wrote:
>> A sequence is following:
>> 1. Match external member against existing trus
talog host
- properly find Global Catalog hosts via DNS SRV records
- refactor functions to hide implementation details
- add more comments and function descriptions
- add more documentation to group/trust plugins
https://fedorahosted.org/freeipa/ticket/3211
Alexander Bokovoy (1):
Resolve extern
A sequence is following:
1. Match external member against existing trusted domain
2. Find trusted domain's domain controller and preferred GC hosts
3. Fetch trusted domain account auth info
4. Set up ccache in /var/run/ipa_memcached/krb5cc_TD with principal
ourdomain$@trusted.domain
5. Do LDAP SAS
On Wed, 17 Oct 2012, Martin Kosek wrote:
On 10/17/2012 12:52 PM, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 06:05:02PM +0300, Alexander Bokovoy wrote:
Hi,
this patch originated from off-list discussion regarding multiple runs
of ipa trust-add against the same domain.
Since trust-add re
at startup. This is sort
of maintenance machinery that needs to be done for all additional IPA
plugins.
--
/ Alexander Bokovoy
On Fri, 02 Nov 2012, Martin Kosek wrote:
On 11/02/2012 01:19 PM, Alexander Bokovoy wrote:
On Wed, 17 Oct 2012, Martin Kosek wrote:
On 10/17/2012 12:52 PM, Sumit Bose wrote:
On Wed, Oct 10, 2012 at 06:05:02PM +0300, Alexander Bokovoy wrote:
Hi,
this patch originated from off-list discussion
On Fri, 09 Nov 2012, Martin Kosek wrote:
As named.conf and bind-dyndb-plugin is not set up yet during DNS
configuration phase, IPA hostname (i.e. the nameserver) should not
be required to be resolvable in this phase.
https://fedorahosted.org/freeipa/ticket/3248
ACK.
--
/ Alexander Bokovoy
gzilla about
mod_wsgi failures in recent Apache updates on F18. Cannot find them now.
* any suggestions for diagnosing this?
Try to set LimitCORE in httpd.service to non-zero value (as in
RLIMIT_CORE from setrlimit(2)).
Reload systemd configuration with 'systemctl daemon-reload' and
On Sat, 10 Nov 2012, Alexander Bokovoy wrote:
On Fri, 09 Nov 2012, John Dennis wrote:
I'm wondering if anyone else has seen this. I've been running the
server with debug=True to verify it's behaving properly which means
I've been reading /var/log/httpd/error_log and what t
ad package is installed.
We can move this method to some common place since it does not require
trusts per se and then re-use it in several places.
--
/ Alexander Bokovoy
indd[18693]: bind_callback:
ldap_sasl_interactive_bind_s() call returned 0, kerberos code is 0
as you can see, winbindd has recovered automatically.
--
/ Alexander Bokovoy
>From a6159484e0c3f1533df2b222e66b7418ee55f309 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 20 Nov 2012 1
this patch I was able to re-establish trusts with Windows 2008R2
without any trouble and verified that it worked afterwards for resolving
remote users since the code that searches Global Catalog is using the trust
auth blob for obtaining Kerberos ticket against AD KDC.
--
/ Alexander Bokovoy
>F
/3231
I haven't tested it against Windows Server 2012 yet but sending the
patch out for early check and verification.
--
/ Alexander Bokovoy
>From 5c95c684722e3418352aa7ab971b2e7234e58769 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Thu, 22 Nov 2012 17:45:40 +0200
Subject: [P
itial
credentials'
--
/ Alexander Bokovoy
>From bc2c4e9cb2595e02b1fd92e64d822459f40bd417 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Tue, 27 Nov 2012 20:31:02 +0200
Subject: [PATCH 2/2] Propagate kinit errors with trust account
When using Global Catalog for resolving users and grou
latform on Fedora 18?
'fedora18' platform would inherit from fedora16 code and only override
these two methods.
--
/ Alexander Bokovoy
On Wed, 05 Dec 2012, Martin Kosek wrote:
On 12/05/2012 11:17 AM, Alexander Bokovoy wrote:
On Wed, 05 Dec 2012, Martin Kosek wrote:
Fedora+systemd changed deprecated /etc/sysconfig/network which was
used by IPA to store static hostname for the IPA machine. See
https://bugzilla.redhat.com
On Thu, 22 Nov 2012, Simo Sorce wrote:
On Thu, 2012-11-22 at 17:59 +0200, Alexander Bokovoy wrote:
Hi,
attached patch attempts to bring us up to MS-KILE version 25.0 support
by
verifying that if number of additional SIDs in KERB_VALIDATION_INFO
structure is equal to one then this SID must be
On Wed, 05 Dec 2012, Simo Sorce wrote:
On Wed, 2012-12-05 at 14:16 +0200, Alexander Bokovoy wrote:
[..]
Attached is a prototype to implement logic above. I haven't added
filtering for anything but our own domain SIDs yet, want to get review
for this part before going further.
Comments i
On Wed, 05 Dec 2012, Simo Sorce wrote:
On Wed, 2012-12-05 at 14:16 +0200, Alexander Bokovoy wrote:
[..]
Attached is a prototype to implement logic above. I haven't added
filtering for anything but our own domain SIDs yet, want to get review
for this part before going further.
Comments i
D/ as we also refer it as RID in our help...
Martin
Fixed. However, lower-case rid is used in ipa_range_check.c 389 plugin.
We might want to consider filing a naming convention ticket then.
RID is RID as it is abbreviation of Relative ID.
See http://msdn.microsoft.com/en-us/library/cc246018.aspx for details of
SID (and RID as it is part of SID).
--
/ Alexander Bokovoy
ld later grow into an imitation of a separate method class anyway.
--
/ Alexander Bokovoy
ling archive of freeipa-devel@ is as stable as our
wiki, if not more resilient. ;)
--
/ Alexander Bokovoy
On Tue, 15 Jan 2013, Dmitri Pal wrote:
On 01/15/2013 06:56 AM, Alexander Bokovoy wrote:
On Tue, 15 Jan 2013, Ana Krivokapic wrote:
crond was not included in the list of default HBAC services - it
needed to be added manually. As crond is a commonly used service, it
is now included as a default
into its
Punycode (RFC3492) to avoid breaking out of alpha-numeric space.
I'd suggest replacing dots with underscores.
File name is irrelevant to libkrb5 after it was read as part of
includedir processing, and files are only written by the SSSD.
--
/ Alexander Bokovoy
On Tue, 29 Jan 2013, Jakub Hrozek wrote:
On Tue, Jan 29, 2013 at 10:50:02PM +0200, Alexander Bokovoy wrote:
And here I'm coming to grave error in the SSSD code: the name of
explicit mapping file contains non-filtered domain name, which contains
dot. krb5.conf manual page states that inclu
efer to
ipa-adtrust-install(1) man page"
+print "for details."
+print ""
+if ipautil.user_input("Do you want to run the ipa-sidgen
task?", default=False,
+ allow_empty=
context=krbV.default_context()).principal().name
setattr(context, 'principal', principal)
else:
# no kerberos ccache, use simple bind or external sasl
--
/ Alexander Bokovoy
On Thu, 31 Jan 2013, Martin Kosek wrote:
On 01/31/2013 04:29 PM, Alexander Bokovoy wrote:
On Thu, 31 Jan 2013, Martin Kosek wrote:
When ipa-adtrust-install is run, check if there are any objects
that need to have SID generated. If yes, interactively ask the user
if the sidgen task should be
On Thu, 31 Jan 2013, Martin Kosek wrote:
On 01/31/2013 05:01 PM, Alexander Bokovoy wrote:
On Wed, 30 Jan 2013, Martin Kosek wrote:
Some parts of install scripts used only ccache name as returned by
krbV.CCache.name attribute. However, when this name is used again
to initialize krbV.CCache
ld test?
I think we need to find solution that does not force KDC to issue
referral to its own domain.
Ideally, if we could use separate krb5.conf for KDC where domain_realm
mapping for own domain does not exist, we could have solved referral
issue.
st type values...
+except ValueError:
+# The search is performed for groups with "posixgroup" objectclass
+# and not "ipausergroup" so that it can also match groups like
+# "Default SMG Group&quo
added but API.txt wasn't changed. As result, 'make rpms'
does not work.
Could you please fix the patch and re-send it?
--
/ Alexander Bokovoy
On Fri, 01 Feb 2013, Martin Kosek wrote:
On 02/01/2013 03:55 PM, Alexander Bokovoy wrote:
On Tue, 29 Jan 2013, Martin Kosek wrote:
trust_output_params = (
@@ -482,3 +499,158 @@ api.register(trust_mod)
api.register(trust_del)
api.register(trust_find)
api.register(trust_show
/etc/krb5.conf.
--
/ Alexander Bokovoy
atching invalid SIDs.
Updated patches attached.
Work for me fine against Windows 2012 server.
However, I'd like you to rebase on top of your previous patches. VERSION
file is causing conflict since your patchset for trustconfig command
increments to the same version as this one
On Mon, 11 Feb 2013, Martin Kosek wrote:
On 02/11/2013 03:34 PM, Alexander Bokovoy wrote:
On Fri, 08 Feb 2013, Martin Kosek wrote:
On 02/08/2013 10:47 AM, Martin Kosek wrote:
Sending patches according to RFE:
http://www.freeipa.org/page/V3/Configurable_SID_Blacklists
How this works:
1
On Fri, 01 Feb 2013, Martin Kosek wrote:
On 01/31/2013 07:06 PM, Alexander Bokovoy wrote:
On Thu, 31 Jan 2013, Martin Kosek wrote:
On 01/31/2013 04:29 PM, Alexander Bokovoy wrote:
On Thu, 31 Jan 2013, Martin Kosek wrote:
When ipa-adtrust-install is run, check if there are any objects
that
On Fri, 08 Feb 2013, Tomas Babej wrote:
On 02/08/2013 03:25 PM, Alexander Bokovoy wrote:
On Mon, 04 Feb 2013, Tomas Babej wrote:
Hi,
When adding/modifying an ID range for a trusted domain, the newly
added option --dom-name can be used. This looks up SID of the
trusted domain in LDAP and
turn False
-return False
+if not found_flatname:
+raise errors.ValidationError(name=_('trusted domain object'),
+error= _('no trusted domain matched the specified flat
name'))
+if not entries:
+ raise e
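Review bot: in the added `raise errors.ValidationError(...)` call, `error= _(` has a stray space after the `=`, while `name=_(` on the line above does not; write it as `error=_(...)` so the keyword arguments are spaced consistently. The added lines as quoted also show uneven indentation (`+if not entries:` followed by `+ raise`), which is worth checking against the original patch in case the quoting collapsed whitespace.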
added.
https://fedorahosted.org/freeipa/ticket/2945
ACK, works perfectly.
We need to decide on the questions still open in the
http://www.freeipa.org/page/V3/Realm_Domains but the decision should not
prevent this work from being committed.
Thanks!
--
/ Alexander Bokovoy
On Wed, 13 Feb 2013, Martin Kosek wrote:
On 02/13/2013 02:14 PM, Alexander Bokovoy wrote:
On Wed, 13 Feb 2013, Martin Kosek wrote:
On 02/01/2013 01:35 PM, Martin Kosek wrote:
On 01/24/2013 03:04 PM, Simo Sorce wrote:
On Thu, 2013-01-24 at 08:15 +0100, Martin Kosek wrote:
On 01/23/2013 02:23
main SID of the trusted domain: S-1-5-21-3502988750-125904550-3683905862-1
Range type: Active Directory domain range
Now this range is completely unusable due to the fact that there is no
way to match the domain SID against the range.
I think we need to make the check against established trusts mor
On Fri, 15 Feb 2013, Tomas Babej wrote:
On 02/14/2013 05:37 PM, Alexander Bokovoy wrote:
On Thu, 14 Feb 2013, Tomas Babej wrote:
+ Str('ipanttrusteddomainname?',
+ cli_name='dom_name',
+ flags=('no_search', 'virtual_attribute'),
+ label=_('Name