Re: [Freeipa-devel] Stage users - inconsistent permission names

2015-06-10 Thread David Kupka
is this permission needed, isn't System: Modify Preserved Users enough? Hello, it's probably my fault, I should have paid more attention when reviewing the patch set. I created ticket https://fedorahosted.org/freeipa/ticket/5057 and can fix it. -- David Kupka -- Manage your subscription

Re: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands

2015-06-10 Thread David Kupka
Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a): Dne 18.5.2015 v 10:33 thierry bordaz napsal(a): On 05/15/2015 04:44 PM, David Kupka wrote: Hello Thierry, thanks for the patch set. Overall functionality of ULC feature looks good to me and is definitely alpha ready. I found following issues

[Freeipa-devel] [PATCH 0050] Allow to skip lint when building FreeIPA.

2015-06-04 Thread David Kupka
-- David Kupka From f68607e9a3db4cd8893c465d804615aac34afc29 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Thu, 4 Jun 2015 12:10:37 +0200 Subject: [PATCH] Allow to skip lint when building FreeIPA. Target 'lint' does nothing when SKIP_LINT is set to anything else than

Re: [Freeipa-devel] [PATCH] 0005 User life cycle: del/mod/find/show stageuser commands

2015-06-18 Thread David Kupka
/2015 02:02 PM, Jan Cholasta wrote: Dne 20.5.2015 v 11:26 Jan Cholasta napsal(a): Dne 18.5.2015 v 10:33 thierry bordaz napsal(a): On 05/15/2015 04:44 PM, David Kupka wrote: Hello Thierry, thanks for the patch set. Overall functionality of ULC feature looks good to me and is definitely alpha

[Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running.

2015-06-26 Thread David Kupka
https://fedorahosted.org/freeipa/ticket/5080 -- David Kupka From f5467b5a338647a20aef5e5657b9e21be5b0a2f5 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Fri, 26 Jun 2015 10:42:23 +0200 Subject: [PATCH] upgrade: Raise error when certmonger is not running. Certmonger should

Re: [Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install

2015-06-10 Thread David Kupka
Dne 10.6.2015 v 18:08 David Kupka napsal(a): Dne 10.6.2015 v 13:25 Jan Cholasta napsal(a): Hi, the attached patches fix several shortcomings in ipa-kra-install, see commit messages. https://fedorahosted.org/freeipa/ticket/3872 (Patch 434 was introduced in https://www.redhat.com/archives

Re: [Freeipa-devel] [PATCHES 434, 443, 444] vault: Fix ipa-kra-install

2015-06-10 Thread David Kupka
There are two issues: 1) https://fedorahosted.org/freeipa/ticket/5059 but it is just missing check and can be fixed later. 2) kra.install() was called before http_install() but kra installation needs httpd running. This is fixed in attached patch. -- David Kupka From

Re: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

2015-06-11 Thread David Kupka
Dne 11.6.2015 v 16:17 Martin Kosek napsal(a): On 06/11/2015 03:55 PM, David Kupka wrote: Dne 11.6.2015 v 14:12 thierry bordaz napsal(a): On 06/10/2015 02:14 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5057 Hello David, The patch looks ok except it removes a permission

Re: [Freeipa-devel] [PATCH 0052] Stage User: Fix permissions naming and split them where appropriate.

2015-06-11 Thread David Kupka
Dne 11.6.2015 v 14:12 thierry bordaz napsal(a): On 06/10/2015 02:14 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5057 Hello David, The patch looks ok except it removes a permission to update 'uid' from an active user. This permission is required to delete(preserve) an active

[Freeipa-devel] [PATCH 0054] certmonger: Use private unix socket when DBus SystemBus is not available.

2015-07-01 Thread David Kupka
-- David Kupka From ece6e155007e5ab1c13c4cb61977fec5c68c8e51 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 1 Jul 2015 16:26:15 +0200 Subject: [PATCH] cermonger: Use private unix socket when DBus SystemBus is not available. --- ipaplatform/base/paths.py | 1

Re: [Freeipa-devel] [PATCH 0054] certmonger: Use private unix socket when DBus SystemBus is not available.

2015-07-02 Thread David Kupka
On 01/07/15 16:31, David Kupka wrote: Updated patch attached. -- David Kupka From 65eb52bff00135f4feb84dfde1e56a69bc8ea438 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 1 Jul 2015 16:26:15 +0200 Subject: [PATCH] cermonger: Use private unix socket when DBus

Re: [Freeipa-devel] [PATCH] 878 topology: check topology in ipa-replica-manage del

2015-06-29 Thread David Kupka
with the deletion if any errors are found. https://fedorahosted.org/freeipa/ticket/4302 Patch with * changed error messages * removed question to force removal (--force is needed) attached. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH] 879 Verify replication topology for a suffix

2015-06-29 Thread David Kupka
indegree and outdegree of each node is easy as well. Additional checks can be also added later. https://fedorahosted.org/freeipa/ticket/4302 Rebased patch attached. No new check was implemented. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH] 877 fix force-sync, re-initialize of replica and a check for replication agreement existence

2015-06-29 Thread David Kupka
for me, ACK. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [RFC] Community Portal - Where to go next?

2015-07-02 Thread David Kupka
package it together, iow in freeipa-server. Or create another package depending on freeipa-server. -- David Kupka

Re: [Freeipa-devel] [PATCH] 885 topology: make cn of new segment consistent with topology plugin

2015-07-02 Thread David Kupka
On 30/06/15 16:16, Petr Vobornik wrote: SSIA Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH] 884 topologysegment: hide direction and enable options

2015-07-02 Thread David Kupka
On 30/06/15 16:15, Petr Vobornik wrote: These options should not be touched by users yet. https://fedorahosted.org/freeipa/ticket/5061 Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH] 882 ipa-replica-manage del: relax segment deletement check if topology is disconnected

2015-07-02 Thread David Kupka
of the segment has to be ignored. part of: https://fedorahosted.org/freeipa/ticket/5072 patch 883 adds 180s timeout to the check and changes check interval from 1s to 2s. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH 0257] ULC: Fix: Upgrade for stage user admins failed

2015-05-25 Thread David Kupka
On 05/22/2015 05:59 PM, Martin Basti wrote: Patch attached. Thanks for patch. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH 0055] ipa-replica-prepare: Do not create DNS zone it automatically.

2015-07-07 Thread David Kupka
On 03/07/15 06:17, David Kupka wrote: Since ipa-replica-* tools will be soon removed I think this simple check should be enough. Updated patch attached. -- David Kupka From 3df59261538f6b28e158802d8f6e4a47dadeab84 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Fri, 3 Jul

[Freeipa-devel] [PATCH 0060] user-undel: Fix error messages.

2015-08-13 Thread David Kupka
https://fedorahosted.org/freeipa/ticket/5207 Requires patch freeipa-jcholast-471.1. -- David Kupka From 3fbef326a6235297b95703edd2e77f8e7ab4e446 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Thu, 13 Aug 2015 08:11:38 +0200 Subject: [PATCH] user-undel: Fix error messages

Re: [Freeipa-devel] [PATCH 0060] user-undel: Fix error messages.

2015-08-17 Thread David Kupka
On 14/08/15 17:18, Martin Basti wrote: On 08/13/2015 08:17 AM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5207 Requires patch freeipa-jcholast-471.1. NACK This patch causes internal server error ipa user-del user --preserve [Fri Aug 14 17:16:13.691565 2015] [wsgi:error

Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.

2015-08-18 Thread David Kupka
On 31/07/15 18:31, Martin Basti wrote: On 28/07/15 09:52, David Kupka wrote: On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09

[Freeipa-devel] Subject: [PATCH 0061-2] Fix backup/restore (#5071)

2015-08-19 Thread David Kupka
https://fedorahosted.org/freeipa/ticket/5071 -- David Kupka From c4a72b64aab5abfde15f06b037da1c3ab2cfa220 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Thu, 13 Aug 2015 16:41:23 +0200 Subject: [PATCH 1/2] Add /etc/tmpfiles.d/dirsrv-serverid.conf to backup https

Re: [Freeipa-devel] Subject: [PATCH 0061-2] Fix backup/restore (#5071)

2015-08-19 Thread David Kupka
On 19/08/15 09:21, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5071 Updated patches attached. -- David Kupka From 2924ddd15f5a7ee7a5c2dcdb3fdb37fedf1a5f3a Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Thu, 13 Aug 2015 16:41:23 +0200 Subject: [PATCH 1/2] Add

Re: [Freeipa-devel] [PATCH 0053] upgrade: Raise error when certmonger is not running.

2015-06-29 Thread David Kupka
On 26/06/15 19:45, Rob Crittenden wrote: Petr Vobornik wrote: On 06/26/2015 10:54 AM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5080 ACK Is there a reason we don't simply start certmonger and quit if it fails to start? Wouldn't that be friendlier? rob Yes

Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.

2015-07-28 Thread David Kupka
On 27/07/15 16:45, David Kupka wrote: On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote

Re: [Freeipa-devel] [PATCH 0294] ULC: fix stageuser-add --from-delete command

2015-07-28 Thread David Kupka
this should be separate command, I will open a discussion. Works for me, ACK. It would be better to leave the ticket open until the issue is fully resolved. -- David Kupka

Re: [Freeipa-devel] [PATCH 0286, 0290] Sysrestore: copy files instead of moving them to avoid SELinux issues

2015-07-29 Thread David Kupka
the file and raises AVC. In this case we can freely use mv -z since target platforms are Fedora and newest RHEL. The new patch fixing specfile attached. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] Replace stageuser-add --from-delete with user-undel --to-staged

2015-08-12 Thread David Kupka
Thomas ack on that. Just a question about the other verbs user-disable/user-enable. I know they are doing something different but do you think there is a risk of confusion for admin when he should do user-stage or user-disable ? thanks thierry Adding Tomas to the loop. -- David Kupka

Re: [Freeipa-devel] [PATCH 471] ULC: Prevent preserved users from being assigned membership

2015-08-12 Thread David Kupka
On 12/08/15 12:22, Jan Cholasta wrote: Hi, the attached patch fixes https://fedorahosted.org/freeipa/ticket/5170. Honza Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH] 907 webui: add LDAP vs Kerberos behavior description to user auth types

2015-08-10 Thread David Kupka
for me, ACK. -- David Kupka

[Freeipa-devel] [PATCH 0059] dbus: Create empty dbus.Array with specified signature

2015-08-10 Thread David Kupka
I was installing freeipa-server earlier today and it failed with Unable to guess signature from empty list. I was unable to reproduce it but there is now harm in explicitly specifying the signature of the empty list to prevent this issue. -- David Kupka From

Re: [Freeipa-devel] [PATCH] 0035 client: Update DNS with all available local IP addresses.

2015-07-27 Thread David Kupka
On 15/01/15 17:13, David Kupka wrote: On 01/15/2015 03:22 PM, David Kupka wrote: On 01/15/2015 12:43 PM, David Kupka wrote: On 01/12/2015 06:34 PM, Martin Basti wrote: On 09/01/15 14:43, David Kupka wrote: On 01/07/2015 04:15 PM, Martin Basti wrote: On 07/01/15 12:27, David Kupka wrote

Re: [Freeipa-devel] [PATCH 0284] stageuser-activate: show user name in error message instead of DN

2015-07-13 Thread David Kupka
On 10/07/15 14:51, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5038 I reworded the error message to keep the same format as stageuser-add and user-add. Patch attached. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH 0283] copy-schema-to-ca: allow to overwrite schema files

2015-07-14 Thread David Kupka
On 10/07/15 14:31, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5034 Patch attached. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-16 Thread David Kupka
On 15/07/15 16:04, David Kupka wrote: On 15/07/15 15:34, Jan Cholasta wrote: Dne 15.7.2015 v 15:21 David Kupka napsal(a): https://fedorahosted.org/freeipa/ticket/4953 To test this patch: 1. Migrate users from LDAP or other FreeIPA server (https://www.freeipa.org/page/Howto/Migration) 2

Re: [Freeipa-devel] [PATCH 0054] certmonger: Use private unix socket when DBus SystemBus is not available.

2015-07-20 Thread David Kupka
On 15/07/15 13:41, Jan Cholasta wrote: Dne 7.7.2015 v 16:51 David Kupka napsal(a): On 03/07/15 08:46, Martin Kosek wrote: On 07/03/2015 08:41 AM, Jan Cholasta wrote: Dne 2.7.2015 v 14:34 David Kupka napsal(a): On 01/07/15 16:31, David Kupka wrote: Updated patch attached. Client

Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-15 Thread David Kupka
On 15/07/15 15:34, Jan Cholasta wrote: Dne 15.7.2015 v 15:21 David Kupka napsal(a): https://fedorahosted.org/freeipa/ticket/4953 To test this patch: 1. Migrate users from LDAP or other FreeIPA server (https://www.freeipa.org/page/Howto/Migration) 2. Disable anonymous bind to Directory Server

[Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-15 Thread David Kupka
-binds.html) 3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and enter name and password of one of the migrated users. Without this patch you will get an error page. -- David Kupka From a9c50987842a08eb6928bd662a1db57b85d4b3cd Mon Sep 17 00:00:00 2001 From: David Kupka dku

Re: [Freeipa-devel] [PATCH 0342] Use domain level constants in topology plugin

2015-11-10 Thread David Kupka
On 03/11/15 10:45, Martin Basti wrote: Patch attached. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH] admintool: Add error message with path to log on failure.

2015-10-15 Thread David Kupka
On 15/10/15 13:02, Tomas Babej wrote: On 10/15/2015 12:33 PM, David Kupka wrote: Currently, when there is unhandled exception without any message, installer ends with error code but without any error message. Adding line stating that some error occurred and where are logs located should help

[Freeipa-devel] [PATCH] admintool: Add error message with path to log on failure.

2015-10-15 Thread David Kupka
Currently, when there is unhandled exception without any message, installer ends with error code but without any error message. Adding line stating that some error occurred and where are logs located should help with debugging. -- David Kupka From 15f98f44bf936434f9cbf8ab81b124cd783d3ebf Mon

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-08 Thread David Kupka
On 07/10/15 17:32, thierry bordaz wrote: On 10/07/2015 05:29 PM, Simo Sorce wrote: On 07/10/15 11:06, thierry bordaz wrote: On 10/07/2015 03:10 PM, David Kupka wrote: On 06/10/15 17:52, Jakub Hrozek wrote: On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote: On 06/10/15 08:04, David

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-07 Thread David Kupka
On 06/10/15 17:52, Jakub Hrozek wrote: On Tue, Oct 06, 2015 at 08:32:29AM -0400, Simo Sorce wrote: On 06/10/15 08:04, David Kupka wrote: On 06/10/15 13:35, Simo Sorce wrote: On 06/10/15 03:51, thierry bordaz wrote: On 10/06/2015 07:19 AM, David Kupka wrote: On 05/10/15 16:12, Simo Sorce

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-05 Thread David Kupka
? Is that bug fixed in 389ds ? Simo. The issue is still there. Thierry investigated this in 389 DS and IIUC he is not sure if it's bug or completely missing feature. Therefore we still don't know how much time is needed there. -- David Kupka

Re: [Freeipa-devel] [PATCH] 0026..0027 #5096 enforce caacl for SAN principals

2015-07-08 Thread David Kupka
On 03/07/15 16:26, Fraser Tweedale wrote: The attached patches fix: - a bug that caused caacl false negatives for hosts principals - #5096 cert-request: enforce caacl for subjectAltName principals Thanks, Fraser Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] Meaning of two strings in plugins/service.py

2015-07-08 Thread David Kupka
of this code and should know better. -- David Kupka

Re: [Freeipa-devel] [PATCH 0054] certmonger: Use private unix socket when DBus SystemBus is not available.

2015-07-07 Thread David Kupka
On 03/07/15 08:46, Martin Kosek wrote: On 07/03/2015 08:41 AM, Jan Cholasta wrote: Dne 2.7.2015 v 14:34 David Kupka napsal(a): On 01/07/15 16:31, David Kupka wrote: Updated patch attached. Client install works, but uninstall does not: # ipa-client-install --uninstall -U certmonger

Re: [Freeipa-devel] [PATCH] 897 fix error message when certificate CN is invalid

2015-07-09 Thread David Kupka
On 09/07/15 00:28, Petr Vobornik wrote: The error message was probably copied from mail address check below. ACK. -- David Kupka

[Freeipa-devel] [PATCH 0065] vault: Limit size of data stored in vault

2015-08-26 Thread David Kupka
https://fedorahosted.org/freeipa/ticket/5231 -- David Kupka From f86f4f89d1083c1474d8c470ae3b0f85ed1eb6bb Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 26 Aug 2015 14:11:21 +0200 Subject: [PATCH] vault: Limit size of data stored in vault https://fedorahosted.org/freeipa

[Freeipa-devel] [PATCH 0066] ipactl: Do not start/stop/restart single service multiple times

2015-08-26 Thread David Kupka
https://fedorahosted.org/freeipa/ticket/5248 -- David Kupka From 349e8ada21526cb704d9d876a151aaa2764970f8 Mon Sep 17 00:00:00 2001 From: David Kupka dku...@redhat.com Date: Wed, 26 Aug 2015 15:10:16 +0200 Subject: [PATCH] ipactl: Do not start/stop/restart single service multiple times In case

Re: [Freeipa-devel] [PATCH 0065] vault: Limit size of data stored in vault

2015-08-26 Thread David Kupka
On 26/08/15 15:45, Petr Vobornik wrote: On 08/26/2015 02:13 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5231 Attaching updated patch. With changes discussed offline. Changes works for me, ACK. Not related to the patch: This patch limits the size to 1MB instead

Re: [Freeipa-devel] [PATCH 0066] ipactl: Do not start/stop/restart single service multiple times

2015-08-27 Thread David Kupka
On 26/08/15 17:49, Tomas Babej wrote: On 08/26/2015 03:16 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5248 +def deduplicate(lst): +new_lst = [] +s = set(lst) +for i in lst: +if i in s: +s.remove(i) +new_lst.append(i
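Review bot: `deduplicate(lst)` in the quoted hunk builds `s = set(lst)` up front and then removes each item from it on first sight, which works but reads backwards; starting from an empty `seen` set and adding to it expresses the same order-preserving, first-occurrence filter more directly. The function also has no docstring; it should state that the original order is kept and that the items must be hashable.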

Re: [Freeipa-devel] [PATCHES] changes in preparation of replica promotion work

2015-08-27 Thread David Kupka
on replica. The attached patch fixes it. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH 0002] Port from python-krbV to python-gssapi

2015-08-31 Thread David Kupka
causing tracebacks when expired or missing kerberos ticket (https://fedorahosted.org/freeipa/ticket/5272). -- David Kupka

Re: [Freeipa-devel] fixing Kerberos principal aliases handling in IPA

2015-09-02 Thread David Kupka
ld write down a table with all possible forms a principal can be in on rows, and old/new server states in columns, and mark what will happen for various operations in each case. Simo. -- David Kupka

Re: [Freeipa-devel] fixing Kerberos principal aliases handling in IPA

2015-09-03 Thread David Kupka
On 02/09/15 14:27, Simo Sorce wrote: On Wed, 2015-09-02 at 08:11 +0200, David Kupka wrote: On 01/09/15 16:53, Simo Sorce wrote: On Tue, 2015-09-01 at 16:39 +0200, Martin Babinsky wrote: Hi list, I own the following ticket https://fedorahosted.org/freeipa/ticket/3864 and I would like

Re: [Freeipa-devel] fixing Kerberos principal aliases handling in IPA

2015-09-07 Thread David Kupka
On 04/09/15 12:49, thierry bordaz wrote: On 09/03/2015 04:03 PM, David Kupka wrote: On 02/09/15 14:27, Simo Sorce wrote: On Wed, 2015-09-02 at 08:11 +0200, David Kupka wrote: On 01/09/15 16:53, Simo Sorce wrote: On Tue, 2015-09-01 at 16:39 +0200, Martin Babinsky wrote: Hi list, I own

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-09-08 Thread David Kupka
On 28/08/15 13:36, Martin Basti wrote: On 08/28/2015 10:03 AM, Petr Spacek wrote: On 27.8.2015 14:22, David Kupka wrote: @@ -2101,11 +2101,25 @@ class DNSZoneBase(LDAPObject): class DNSZoneBase_add(LDAPCreate): +takes_options = LDAPCreate.takes_options + ( +Flag('force

Re: [Freeipa-devel] fixing Kerberos principal aliases handling in IPA

2015-09-02 Thread David Kupka
intain backwards compatibility with no additional effort. David bye, Sumit -- David Kupka

Re: [Freeipa-devel] [PATCH 0304] Installer: do not modify /etc/hosts before user agreement

2015-09-03 Thread David Kupka
On 02/09/15 14:12, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4561 This also fixes: https://fedorahosted.org/freeipa/ticket/5266 Patch attached. Looks good and works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-08-25 Thread David Kupka
On 25/08/15 10:37, David Kupka wrote: On 24/08/15 16:51, Martin Basti wrote: On 08/20/2015 10:28 AM, David Kupka wrote: On 31/07/15 13:32, Martin Basti wrote: On 30/07/15 14:38, Martin Basti wrote: On 29/07/15 16:12, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5087 NACK

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-09-08 Thread David Kupka
On 28/08/15 10:03, Petr Spacek wrote: On 27.8.2015 14:22, David Kupka wrote: @@ -2101,11 +2101,25 @@ class DNSZoneBase(LDAPObject): class DNSZoneBase_add(LDAPCreate): +takes_options = LDAPCreate.takes_options + ( +Flag('force', + label=_('Force'), + doc

Re: [Freeipa-devel] [PATCH PoC] proper support of kerberos principal aliases

2015-09-09 Thread David Kupka
ing the principal with the exactly same value though effectively not changing it. -- David Kupka

Re: [Freeipa-devel] [PATCH 0314] Server Upgrade: backup CS.cfg when dogtag is turned off

2015-09-11 Thread David Kupka
On 10/09/15 18:50, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5287 Patch attached. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH 0291, 0292] Limit max age of replication changelog

2015-09-15 Thread David Kupka
. -- David Kupka

Re: [Freeipa-devel] [PATCH 0066] fix for regression in ipa-restore

2015-09-29 Thread David Kupka
On 25/09/15 18:13, Martin Babinsky wrote: fixes https://fedorahosted.org/freeipa/ticket/5328 Fixes the issue for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH 0066] fix for regression in ipa-restore

2015-10-01 Thread David Kupka
On 01/10/15 14:18, Martin Kosek wrote: On 09/29/2015 03:27 PM, David Kupka wrote: On 25/09/15 18:13, Martin Babinsky wrote: fixes https://fedorahosted.org/freeipa/ticket/5328 Fixes the issue for me, ACK. Just checking - what is the impact here, will ipa-restore still work on a clean

Re: [Freeipa-devel] [PATCH 0004] Rewrap errors in get_principal to CCacheError

2015-09-22 Thread David Kupka
more places where kerberos errors were used. Michael Thanks, patch works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCHES] More Python 3 porting

2015-09-22 Thread David Kupka
d8\xa7\xd9' + + b'\x84\xd9\x91\xd8\xb3\xd9\x84\xd8\xa7') -- David Kupka

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-06 Thread David Kupka
On 06/10/15 13:35, Simo Sorce wrote: On 06/10/15 03:51, thierry bordaz wrote: On 10/06/2015 07:19 AM, David Kupka wrote: On 05/10/15 16:12, Simo Sorce wrote: On 05/10/15 09:00, Martin Babinsky wrote: These patches implement the plumbing required to properly support canonicalization

Re: [Freeipa-devel] [PATCH 0070] install: Run all validators at once.

2015-12-07 Thread David Kupka
On 07/12/15 14:05, David Kupka wrote: Running validators after all Knobs are set allows use of other Knob value during validation. Updated patch attached. -- David Kupka From 7f18ac0d8b78ea08ed797ceb9393c6b3121b734d Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Date:

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-07 Thread David Kupka
On 07/12/15 14:06, David Kupka wrote: On 09/09/15 13:39, Petr Spacek wrote: On 8.9.2015 16:30, David Kupka wrote: On 28/08/15 13:36, Martin Basti wrote: On 08/28/2015 10:03 AM, Petr Spacek wrote: On 27.8.2015 14:22, David Kupka wrote: @@ -2101,11 +2101,25 @@ class DNSZoneBase(LDAPObject

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-08 Thread David Kupka
On 08/12/15 08:56, Petr Spacek wrote: On 7.12.2015 14:41, David Kupka wrote: +def is_host_resolvable(fqdn): +if not isinstance(fqdn, DNSName): +fqdn = DNSName(fqdn) +for rdtype in (rdatatype.A, rdatatype.): +try: +resolver.query(fqdn.make_absolute

[Freeipa-devel] [PATCH 0071] replica: Fix ipa-replica-install with replica file (domain level 0).

2015-12-08 Thread David Kupka
https://fedorahosted.org/freeipa/ticket/5531 -- David Kupka From eee2c606aeba8aff61777cbf54fdb6c006e8c755 Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Date: Tue, 8 Dec 2015 14:22:01 +0100 Subject: [PATCH] replica: Fix ipa-replica-install with replica file (domain l

Re: [Freeipa-devel] [PATCH 0071] replica: Fix ipa-replica-install with replica file (domain level 0).

2015-12-08 Thread David Kupka
On 08/12/15 16:33, Tomas Babej wrote: On 12/08/2015 04:20 PM, Oleg Fayans wrote: ACK. The initial issue is fixed. On 12/08/2015 03:03 PM, David Kupka wrote: https://fedorahosted.org/freeipa/ticket/5531 Can we get some more love for the patch and provide at least a sentence worth

Re: [Freeipa-devel] [PATCH 0069] ipa-replica-install support caless install with promotion.

2015-12-02 Thread David Kupka
On 02/12/15 07:58, Jan Cholasta wrote: On 1.12.2015 14:27, David Kupka wrote: On 30/11/15 17:24, Jan Cholasta wrote: Hi, On 27.11.2015 07:57, David Kupka wrote: On 26/11/15 15:22, David Kupka wrote: On 26/11/15 15:13, David Kupka wrote: On 26/11/15 15:01, David Kupka wrote: https

[Freeipa-devel] [PATCH 0070] install: Run all validators at once.

2015-12-07 Thread David Kupka
Running validators after all Knobs are set allows use of other Knob value during validation. -- David Kupka From b9a8ae178e770a4b84fc8d05d04218531642d3eb Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Date: Mon, 7 Dec 2015 13:35:49 +0100 Subject: [PATCH] install: R

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-07 Thread David Kupka
On 09/09/15 13:39, Petr Spacek wrote: On 8.9.2015 16:30, David Kupka wrote: On 28/08/15 13:36, Martin Basti wrote: On 08/28/2015 10:03 AM, Petr Spacek wrote: On 27.8.2015 14:22, David Kupka wrote: @@ -2101,11 +2101,25 @@ class DNSZoneBase(LDAPObject): class DNSZoneBase_add(LDAPCreate

Re: [Freeipa-devel] [PATCH 0113] properly add ACIs to custodia container during IPA upgrade

2015-12-11 Thread David Kupka
On 10/12/15 10:14, Martin Babinsky wrote: On 12/08/2015 10:45 AM, Martin Babinsky wrote: fixes https://fedorahosted.org/freeipa/ticket/5524 Attaching updated patch with simpler fix suggested by Jan. Thanks for the patch. Works for me, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-11 Thread David Kupka
On 10/12/15 18:10, Petr Spacek wrote: On 10.12.2015 17:31, David Kupka wrote: On 09/12/15 18:55, Petr Spacek wrote: On 9.12.2015 13:37, David Kupka wrote: On 08/12/15 15:24, Petr Spacek wrote: On 8.12.2015 12:19, David Kupka wrote: On 08/12/15 08:56, Petr Spacek wrote: On 7.12.2015 14:41

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-13 Thread David Kupka
On 08/12/15 15:24, Petr Spacek wrote: On 8.12.2015 12:19, David Kupka wrote: On 08/12/15 08:56, Petr Spacek wrote: On 7.12.2015 14:41, David Kupka wrote: +def is_host_resolvable(fqdn): +if not isinstance(fqdn, DNSName): +fqdn = DNSName(fqdn) +for rdtype in (rdatatype.A

[Freeipa-devel] [PATCH 0074] spec file: Add dbus-python to BuildRequires

2015-12-14 Thread David Kupka
During work on ticket #5497 [0] the need for dbus-python in build time was introduced but it was not added in spec file. [0] https://fedorahosted.org/freeipa/ticket/5497 -- David Kupka From 6d1f5532de420efbe5c5f251681b8e7496ecb065 Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.

Re: [Freeipa-devel] [PATCH 0376] KRA: add RA cert during replica promotion

2015-12-14 Thread David Kupka
On 10/12/15 19:40, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5512 patch attached. Hi, thanks for the patch. It works but only when WAIT_AFTER_ARCHIVE is raised. Patch attached. -- David Kupka From a209343652b8bedfcbca83c7eafc699e72c0a261 Mon Sep 17 00:00:00 2001 From: David

Re: [Freeipa-devel] [PATCH 0365] Remove unused KRA code from ipa-server-install

2015-12-14 Thread David Kupka
On 14/12/15 16:54, Alexander Bokovoy wrote: On Mon, 14 Dec 2015, David Kupka wrote: On 14/12/15 15:05, Alexander Bokovoy wrote: On Mon, 14 Dec 2015, David Kupka wrote: On 30/11/15 16:31, Martin Basti wrote: First instance of KRA should be installed only by ipa-kra-install Patch attached

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-14 Thread David Kupka
On 14/12/15 15:25, David Kupka wrote: On 14/12/15 14:52, David Kupka wrote: On 11/12/15 15:00, Petr Spacek wrote: On 11.12.2015 12:35, David Kupka wrote: On 10/12/15 18:10, Petr Spacek wrote: On 10.12.2015 17:31, David Kupka wrote: On 09/12/15 18:55, Petr Spacek wrote: On 9.12.2015 13:37

Re: [Freeipa-devel] [PATCH 0365] Remove unused KRA code from ipa-server-install

2015-12-14 Thread David Kupka
possible combinations of features. But this is neither of it. This just brings another inconsistency into FreeIPA behavior. -- David Kupka -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-14 Thread David Kupka
On 11/12/15 15:00, Petr Spacek wrote: On 11.12.2015 12:35, David Kupka wrote: On 10/12/15 18:10, Petr Spacek wrote: On 10.12.2015 17:31, David Kupka wrote: On 09/12/15 18:55, Petr Spacek wrote: On 9.12.2015 13:37, David Kupka wrote: On 08/12/15 15:24, Petr Spacek wrote: On 8.12.2015 12:19

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-14 Thread David Kupka
On 14/12/15 14:52, David Kupka wrote: On 11/12/15 15:00, Petr Spacek wrote: On 11.12.2015 12:35, David Kupka wrote: On 10/12/15 18:10, Petr Spacek wrote: On 10.12.2015 17:31, David Kupka wrote: On 09/12/15 18:55, Petr Spacek wrote: On 9.12.2015 13:37, David Kupka wrote: On 08/12/15 15:24

Re: [Freeipa-devel] [PATCH 0365] Remove unused KRA code from ipa-server-install

2015-12-14 Thread David Kupka
On 14/12/15 15:05, Alexander Bokovoy wrote: On Mon, 14 Dec 2015, David Kupka wrote: On 30/11/15 16:31, Martin Basti wrote: First instance of KRA should be installed only by ipa-kra-install Patch attached. Hi, patch works, but I don't like the approach. Do we really want to remove

[Freeipa-devel] [PATCH 0077] ipa-dns-install: Do not check for zone overlap when DNS, installed.

2015-12-18 Thread David Kupka
Standalone DNS installer always performed overlap check effectively preventing installation on replica when other DNS instance was already installed in topology. -- David Kupka From d9b9c861ea3090d62bbe011c402d82243a166754 Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Dat

Re: [Freeipa-devel] [PATCH 0077] ipa-dns-install: Do not check for zone overlap when DNS, installed.

2015-12-18 Thread David Kupka
On 18/12/15 12:04, Petr Vobornik wrote: On 12/18/2015 11:26 AM, David Kupka wrote: Standalone DNS installer always performed overlap check effectively preventing installation on replica when other DNS instance was already installed in topology. I don't like the position of api argument

Re: [Freeipa-devel] [PATCH 0075-0076] Fix installer regression

2015-12-18 Thread David Kupka
On 17/12/15 13:44, Jan Cholasta wrote: On 17.12.2015 13:26, David Kupka wrote: On 17/12/15 12:14, Petr Vobornik wrote: On 12/16/2015 02:31 PM, David Kupka wrote: https://www.redhat.com/archives/freeipa-users/2015-December/msg00203.html please link the patch to https://fedorahosted.org

Re: [Freeipa-devel] [PATCH 0075-0076] Fix installer regression

2015-12-18 Thread David Kupka
On 18/12/15 13:57, David Kupka wrote: On 17/12/15 13:44, Jan Cholasta wrote: On 17.12.2015 13:26, David Kupka wrote: On 17/12/15 12:14, Petr Vobornik wrote: On 12/16/2015 02:31 PM, David Kupka wrote: https://www.redhat.com/archives/freeipa-users/2015-December/msg00203.html please link

[Freeipa-devel] [PATCH 0075-0076] Fix installer regression

2015-12-16 Thread David Kupka
https://www.redhat.com/archives/freeipa-users/2015-December/msg00203.html -- David Kupka From 114b4e2c1ffaa5c09dbfed54bb1f90cfa41f4678 Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Date: Wed, 16 Dec 2015 12:43:13 + Subject: [PATCH 1/2] installer: Propagate option value

Re: [Freeipa-devel] [PATCH 0071] dns: Handle SERVFAIL in check if domain already exists

2015-12-16 Thread David Kupka
, ACK. -- David Kupka

Re: [Freeipa-devel] [PATCH] ca-less tests updated - POC

2015-12-16 Thread David Kupka
it will still need modification before push just because inappropriate commit message. Thank you! -- David Kupka From 2a6e8f02ecd00da2b86d2f3f9847a86caa35e74d Mon Sep 17 00:00:00 2001 From: David Kupka <dku...@redhat.com> Date: Wed, 16 Dec 2015 09:12:56 +0100 Subject: [PATCH]

Re: [Freeipa-devel] [PATCH 0376] KRA: add RA cert during replica promotion

2015-12-14 Thread David Kupka
On 14/12/15 11:00, David Kupka wrote: On 10/12/15 19:40, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/5512 patch attached. Hi, thanks for the patch. It works but only when WAIT_AFTER_ARCHIVE is raised. Patch attached. IOW, your patch works for me, ACK. To let tests pass

Re: [Freeipa-devel] [PATCH 0058, 0064] dns: do not add (forward)zone if it is already resolvable.

2015-12-10 Thread David Kupka
On 09/12/15 18:55, Petr Spacek wrote: On 9.12.2015 13:37, David Kupka wrote: On 08/12/15 15:24, Petr Spacek wrote: On 8.12.2015 12:19, David Kupka wrote: On 08/12/15 08:56, Petr Spacek wrote: On 7.12.2015 14:41, David Kupka wrote: +def is_host_resolvable(fqdn): +if not isinstance(fqdn
