Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Martin Kosek
for me on both Fedora 17 and 18. Thanks, Martin From cc2c6be1c677a5ed8c923742d76827e1a2887470 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Mon, 1 Oct 2012 15:32:36 +0200 Subject: [PATCH] Add support for unified samba packages Fedora 18 and later has moved unified samba and samba4 packa

Re: [Freeipa-devel] [PATCH] Changes to use a single database for dogtag and IPA

2012-10-01 Thread Martin Kosek
On 10/01/2012 03:35 PM, Petr Viktorin wrote: > On 09/27/2012 10:26 AM, Petr Viktorin wrote: >> On 09/20/2012 05:58 AM, Ade Lee wrote: >>> Changes to use a single database for dogtag and IPA >>> >>> New servers that are installed with dogtag 10 instances will use >>> a single database inst

Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Martin Kosek
On 10/01/2012 04:35 PM, Alexander Bokovoy wrote: > On Mon, 01 Oct 2012, Martin Kosek wrote: >> On 10/01/2012 11:24 AM, Alexander Bokovoy wrote: >>> Hi, >>> >>> The patch attached fixes Fedora build system issue with unified samba >>> package (samb

[Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional

2012-10-01 Thread Martin Kosek
ome. Martin From 95065cf15e29631e80cdf2edb73fcdab4fd45854 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Mon, 1 Oct 2012 16:49:34 +0200 Subject: [PATCH] Make ipakrbprincipal objectclass optional From IPA 3.0, services have by default ipakrbprincipal objectclass which allows ipakrbprincipalal

Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-01 Thread Martin Kosek
On 10/01/2012 04:54 PM, Alexander Bokovoy wrote: > On Mon, 01 Oct 2012, Martin Kosek wrote: >> On 10/01/2012 04:35 PM, Alexander Bokovoy wrote: >>> On Mon, 01 Oct 2012, Martin Kosek wrote: >>>> On 10/01/2012 11:24 AM, Alexander Bokovoy wrote: >>>>> Hi

Re: [Freeipa-devel] [PATCH] 0081 Support both unified samba and samba/samba4-packages

2012-10-02 Thread Martin Kosek
On 10/01/2012 06:08 PM, Alexander Bokovoy wrote: > On Mon, 01 Oct 2012, Martin Kosek wrote: >>>> +%else >>>> Requires: samba4-python >>>> Requires: samba4 >>>> -Requires: libsss_idmap >>>> Requires: samba4-winbind >>>> +%
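
Review bot: the `-Requires: libsss_idmap` line in the `%else` branch drops that dependency from between `Requires: samba4` and `Requires: samba4-winbind`, and the quoted lines do not show it being added back. If both the unified samba and the samba4 package layouts need it, keep a single `Requires: libsss_idmap` outside the conditional so neither branch loses it.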

Re: [Freeipa-devel] [PATCH] 316 Improve DN usage in ipa-client-install

2012-10-02 Thread Martin Kosek
On 10/02/2012 10:49 AM, Petr Viktorin wrote: > On 09/27/2012 01:35 PM, Martin Kosek wrote: >> A hotfix pushed in a scope of ticket 3088 forced conversion of DN >> object (baseDN) in IPA client discovery so that ipa-client-install >> does not crash when creating an IPA defaul

Re: [Freeipa-devel] [PATCH] 316 Improve DN usage in ipa-client-install

2012-10-02 Thread Martin Kosek
On 10/02/2012 01:33 PM, Petr Viktorin wrote: > On 10/02/2012 12:48 PM, Martin Kosek wrote: >> On 10/02/2012 10:49 AM, Petr Viktorin wrote: >>> On 09/27/2012 01:35 PM, Martin Kosek wrote: >>>> A hotfix pushed in a scope of ticket 3088 forced conversion of DN >

Re: [Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional

2012-10-02 Thread Martin Kosek
On 10/02/2012 12:19 PM, Petr Viktorin wrote: > On 10/01/2012 05:28 PM, Martin Kosek wrote: >>> From IPA 3.0, services have by default ipakrbprincipal objectclass which >> allows ipakrbprincipalalias attribute used for case-insensitive principal >> searches. However, as serv

[Freeipa-devel] [PATCH] 320 Only use service PAC type as an override

2012-10-02 Thread Martin Kosek
NONE value of service PAC type was planned in a scope of ticket #2960. From 957e814b2c43637d3f493e8b902b8e494df5b04b Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Tue, 2 Oct 2012 17:06:10 +0200 Subject: [PATCH] Only use service PAC type as an override PAC type (ipakrbauthzdata attribute) was

Re: [Freeipa-devel] [PATCH] 319 Make ipakrbprincipal objectclass optional

2012-10-02 Thread Martin Kosek
On 10/02/2012 03:04 PM, Martin Kosek wrote: > On 10/02/2012 12:19 PM, Petr Viktorin wrote: >> On 10/01/2012 05:28 PM, Martin Kosek wrote: >>>> From IPA 3.0, services have by default ipakrbprincipal objectclass which >>> allows ipakrbprincipalalias attribute used

Re: [Freeipa-devel] [PATCH] 320 Only use service PAC type as an override

2012-10-02 Thread Martin Kosek
On 10/02/2012 10:31 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> PAC type (ipakrbauthzdata attribute) was being filled for all new >> service automatically. However, the PAC type attribute was designed >> to serve only as an override to default PAC type configured in >

Re: [Freeipa-devel] [PATCH 0015] Restrict admins group modifications

2012-10-03 Thread Martin Kosek
On 10/02/2012 02:33 PM, Tomas Babej wrote: > On 09/26/2012 05:44 PM, Martin Kosek wrote: >> On 09/25/2012 02:59 PM, Tomas Babej wrote: >>> On 09/25/2012 02:31 PM, Martin Kosek wrote: >>>> On 09/25/2012 02:22 PM, Tomas Babej wrote: >>>>> Hi, >>>

Re: [Freeipa-devel] [PATCH 0014] Improve user addition to default group in host-add

2012-10-03 Thread Martin Kosek
On 10/01/2012 03:38 PM, Tomas Babej wrote: > On 09/26/2012 04:12 PM, Martin Kosek wrote: >> On 09/26/2012 03:23 PM, Tomas Babej wrote: >>> On 09/25/2012 12:37 PM, Tomas Babej wrote: >>>> Hi, >>>> >>>> On adding new user, host-add tries to make

Re: [Freeipa-devel] [PATCHES] 3 enhancements for the ipa-adtrust-install page

2012-10-03 Thread Martin Kosek
On 10/02/2012 09:54 AM, Sumit Bose wrote: > Hi, > > the following three patches should fix > https://fedorahosted.org/freeipa/ticket/2967 > https://fedorahosted.org/freeipa/ticket/2972 > https://fedorahosted.org/freeipa/ticket/3038 respectively. > > bye, > Sumit > > 3x ACK. Pushed all three to

Re: [Freeipa-devel] [PATCH 0015] Restrict admins group modifications

2012-10-03 Thread Martin Kosek
On 10/03/2012 11:49 AM, Tomas Babej wrote: > On 10/03/2012 09:18 AM, Martin Kosek wrote: >> On 10/02/2012 02:33 PM, Tomas Babej wrote: >>> On 09/26/2012 05:44 PM, Martin Kosek wrote: >>>> On 09/25/2012 02:59 PM, Tomas Babej wrote: >>>>> On 09/25/2012

Re: [Freeipa-devel] [PATCH] 1058 clear session key

2012-10-03 Thread Martin Kosek
On 10/02/2012 08:23 PM, Rob Crittenden wrote: > Clear the host session key when enrolling a client. > > Make sure dbdir is preserved when a new connection is created. > > rob > I tested repeatedly installing, uninstalling client and unlike previously, I did not receive any NSS initialization er

Re: [Freeipa-devel] [PATCH] 0084 Wait for secure Dogtag ports when starting the pki services

2012-10-03 Thread Martin Kosek
On 09/25/2012 04:38 PM, Petr Viktorin wrote: > > Dogtag opens not only the insecure port (8080 or 9180, for d10 or > d9 respectively), but also secure ports (8443 or 9443&9444). > Wait for them when starting. > > > Part of the fix for https://fedorahosted.org/freeipa/ticket/3084. I found that >

Re: [Freeipa-devel] [PATCH] 1058 clear session key

2012-10-03 Thread Martin Kosek
- Original Message - > From: "Rob Crittenden" > To: "Martin Kosek" > Cc: "freeipa-devel" > Sent: Wednesday, October 3, 2012 5:49:52 PM > Subject: Re: [Freeipa-devel] [PATCH] 1058 clear session key > > Martin Kosek wrote: > > On

Re: [Freeipa-devel] [PATCH] 81 ipa-adtrust-install: remove wrong check for dm_password

2012-10-04 Thread Martin Kosek
On 10/04/2012 11:54 AM, Alexander Bokovoy wrote: > On Thu, 04 Oct 2012, Sumit Bose wrote: >> Hi, >> >> this patch fixes unattended installation for ipa-adtrust-install and >> ticket https://fedorahosted.org/freeipa/ticket/3023 . > ACK. Thanks! > Pushed to master, ipa-3-0. Martin

Re: [Freeipa-devel] [PATCH] 0079 support creating LDAP control by python-ldap 2.3 (RHEL) and newer versions (Fedora)

2012-10-04 Thread Martin Kosek
On 09/25/2012 04:30 PM, Alexander Bokovoy wrote: > Hi, > > I did have bug filed against python-ldap in January and for some reason > my patch to accommodate two ways of making LDAP controls was not included > in March 2012 when I presented it as part of trusts, but yesterday we > found it is really

Re: [Freeipa-devel] [PATCH] 0079 support creating LDAP control by python-ldap 2.3 (RHEL) and newer versions (Fedora)

2012-10-04 Thread Martin Kosek
On 10/04/2012 04:48 PM, Alexander Bokovoy wrote: > On Thu, 04 Oct 2012, Martin Kosek wrote: >> On 09/25/2012 04:30 PM, Alexander Bokovoy wrote: >>> Hi, >>> >>> I did have bug filed against python-ldap in January and for some reason >>> my patch to ac

Re: [Freeipa-devel] [PATCH] 1059 single CRL generator

2012-10-05 Thread Martin Kosek
On 10/04/2012 06:17 PM, Rob Crittenden wrote: > This changes the way IPA generates CRLs for new installs only. > > The first master installed is configured as the CRL generator. An entry is > added to cn=masters that designates it. > > When a replica is installed it queries this entry so it knows

Re: [Freeipa-devel] [PATCH] 75-78 Add fallback group

2012-10-05 Thread Martin Kosek
On 10/05/2012 03:27 PM, Alexander Bokovoy wrote: > On Tue, 02 Oct 2012, Simo Sorce wrote: >> On Tue, 2012-10-02 at 21:29 +0200, Sumit Bose wrote: >>> Hi, >>> >>> this patch should fix https://fedorahosted.org/freeipa/ticket/2955 by >>> adding a fallback group as described in comment 2 of the ticket

Re: [Freeipa-devel] [PATCH] 1059 single CRL generator

2012-10-05 Thread Martin Kosek
On 10/05/2012 10:59 AM, Martin Kosek wrote: > On 10/04/2012 06:17 PM, Rob Crittenden wrote: >> This changes the way IPA generates CRLs for new installs only. >> >> The first master installed is configured as the CRL generator. An entry is >> added to cn=masters that

Re: [Freeipa-devel] [PATCH] 1059 single CRL generator

2012-10-07 Thread Martin Kosek
On 10/05/2012 09:36 PM, Ade Lee wrote: > On Fri, 2012-10-05 at 12:26 -0400, Simo Sorce wrote: >> On Fri, 2012-10-05 at 12:19 -0400, Ade Lee wrote: >>> On Fri, 2012-10-05 at 16:45 +0200, Martin Kosek wrote: >>>> On 10/05/2012 10:59 AM, Martin Kosek wrote: >

[Freeipa-devel] [PATCH] 321 Move CRL publish directory to IPA owned directory

2012-10-08 Thread Martin Kosek
a hotfix in that case, which would only fix the permission of the pki-ca directory. Martin From 3e58780af9e8a482b1e39aace311a6f49b5597eb Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Mon, 8 Oct 2012 15:58:48 +0200 Subject: [PATCH] Move CRL publish directory to IPA owned directory Currently

Re: [Freeipa-devel] [PATCH] 321 Move CRL publish directory to IPA owned directory

2012-10-08 Thread Martin Kosek
- Original Message - > From: "Rob Crittenden" > To: "Martin Kosek" > Cc: freeipa-devel@redhat.com > Sent: Monday, October 8, 2012 8:18:47 PM > Subject: Re: [Freeipa-devel] [PATCH] 321 Move CRL publish directory to IPA > owned directory > >

Re: [Freeipa-devel] [PATCH] 1051 Fix CS replica management

2012-10-09 Thread Martin Kosek
On 10/08/2012 05:12 PM, Jan Cholasta wrote: > Hi, > > On 20.9.2012 19:38, Rob Crittenden wrote: >> Jan Cholasta wrote: >>> Hi, >>> >>> Dne 31.8.2012 19:43, Rob Crittenden napsal(a): The naming in CS replication agreements is different from IPA agreements, we have to live with what the cr

Re: [Freeipa-devel] [PATCH] 0082/0083 Handle NotFound exception when establishing trust

2012-10-09 Thread Martin Kosek
On 10/08/2012 02:22 PM, Alexander Bokovoy wrote: > On Mon, 08 Oct 2012, Petr Vobornik wrote: >> On 10/05/2012 08:14 PM, Alexander Bokovoy wrote: >>> On Fri, 05 Oct 2012, Petr Vobornik wrote: On 10/05/2012 03:24 PM, Alexander Bokovoy wrote: > On Fri, 05 Oct 2012, Petr Vobornik wrote: >>

Re: [Freeipa-devel] [PATCH] ipa-adtrust-install: create fallback group with ldif file

2012-10-09 Thread Martin Kosek
On 10/08/2012 07:50 PM, Simo Sorce wrote: > On Mon, 2012-10-08 at 18:35 +0200, Sumit Bose wrote: >> >> Thank you for the review, both issues are fixed in the new version. >> > Ack, > Simo. > Pushed to master, ipa-3-0. Martin

Re: [Freeipa-devel] [RFC] Reload trust data in ipadb

2012-10-09 Thread Martin Kosek
On 10/08/2012 10:54 PM, Simo Sorce wrote: > On Mon, 2012-10-08 at 22:40 +0200, Sumit Bose wrote: >> On Fri, Oct 05, 2012 at 08:44:41AM -0400, Simo Sorce wrote: >>> On Fri, 2012-10-05 at 13:32 +0200, Sumit Bose wrote: > >>> This part look fine, I wonder if we shouldn't make it even longer than 1 >

Re: [Freeipa-devel] [PATCH] Fix up trust attributes on trust-add

2012-10-09 Thread Martin Kosek
On 10/08/2012 06:32 PM, Sumit Bose wrote: > On Fri, Oct 05, 2012 at 09:17:47PM +0300, Alexander Bokovoy wrote: >> On Fri, 05 Oct 2012, Simo Sorce wrote: >>> A one-liner but better to have it validated by a second pair of eyes. >> Yep. Go ahead. >> >> The origin of USES_RC4_ENCRYPTION comes from Samba

Re: [Freeipa-devel] [PATCH] ipa-adtrust-install: create fallback group with ldif file

2012-10-09 Thread Martin Kosek
On 10/09/2012 10:23 AM, Martin Kosek wrote: > On 10/08/2012 07:50 PM, Simo Sorce wrote: >> On Mon, 2012-10-08 at 18:35 +0200, Sumit Bose wrote: >>> >>> Thank you for the review, both issues are fixed in the new version. >>> >> Ack, >> Simo. >

Re: [Freeipa-devel] [PATCH] 321 Move CRL publish directory to IPA owned directory

2012-10-09 Thread Martin Kosek
On 10/08/2012 09:29 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> - Original Message - >>> From: "Rob Crittenden" >>> To: "Martin Kosek" >>> Cc: freeipa-devel@redhat.com >>> Sent: Monday, October 8, 2012 8:18:47

Re: [Freeipa-devel] [PATCH] 221 Add mime type to httpd ipa.conf for xpi exetension

2012-10-09 Thread Martin Kosek
On 10/09/2012 01:52 PM, Alexander Bokovoy wrote: > On Tue, 09 Oct 2012, Petr Vobornik wrote: >> Some configuration doesn't give proper mime type to xpi files. This patch >> explicitly sets it. >> >> https://fedorahosted.org/freeipa/ticket/3094 >> -- >> Petr Vobornik > >> From f35fd8856fdb9e16361b

Re: [Freeipa-devel] [PATCH] 321 Move CRL publish directory to IPA owned directory

2012-10-09 Thread Martin Kosek
On 10/09/2012 03:48 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 10/08/2012 09:29 PM, Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> - Original Message - >>>>> From: "Rob Crittenden" >>>>> To: "Mart

Re: [Freeipa-devel] [PATCH] 1055 update audit cert renewal time

2012-10-09 Thread Martin Kosek
On 09/21/2012 12:37 AM, yi zhang wrote: > On 09/20/2012 02:58 PM, Rob Crittenden wrote: >> Updated patch. The value of >> policyset.caLogSigningSet.2.constraint.params.range needs to be bumped to 720 >> as well. > I keep doing my test and let everyone know the test result. > > Yi > Hello Yi, any

Re: [Freeipa-devel] [PATCH] 1055 update audit cert renewal time

2012-10-09 Thread Martin Kosek
On 09/20/2012 11:58 PM, Rob Crittenden wrote: > Rob Crittenden wrote: >> The CA audit certificate is initially valid for two years but its >> profile has it renewing at six months. This bumps the value up to two >> years to match the other certificates. >> >> This relies on Petr's and Ade's dogtag

Re: [Freeipa-devel] [PATCH] 1056 sudorule cn uniqueness

2012-10-09 Thread Martin Kosek
On 09/14/2012 05:13 PM, Rob Crittenden wrote: > Rob Crittenden wrote: >> A sudorule dn uses ipaUniqueId as the cn so we have to do a search to >> ensure uniqueness. This leaves us vulnerable to a race. Configure the >> uniqueness plugin to ensure no dups. >> >> rob > > Add missing attribute to the

Re: [Freeipa-devel] [PATCH] 1055 update audit cert renewal time

2012-10-09 Thread Martin Kosek
On 10/09/2012 05:29 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 09/20/2012 11:58 PM, Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> The CA audit certificate is initially valid for two years but its >>>> profile has it renewing at

Re: [Freeipa-devel] [PATCH] 1059 single CRL generator

2012-10-09 Thread Martin Kosek
On 10/09/2012 04:43 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 10/04/2012 06:17 PM, Rob Crittenden wrote: >>> This changes the way IPA generates CRLs for new installs only. >>> >>> The first master installed is configured as the CRL generator. An e

Re: [Freeipa-devel] [PATCH] 321 Move CRL publish directory to IPA owned directory

2012-10-10 Thread Martin Kosek
On 10/10/2012 11:07 AM, Petr Viktorin wrote: > On 10/09/2012 04:11 PM, Martin Kosek wrote: >> On 10/09/2012 03:48 PM, Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On 10/08/2012 09:29 PM, Rob Crittenden wrote: >>>>> Martin Kosek wrote: >>>

[Freeipa-devel] [PATCH] 322 Fix CA CRL migration crash in ipa-upgradeconfig

2012-10-10 Thread Martin Kosek
icket/3159 From cb119ccf053109101e1a835d8466acfb91f75869 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Wed, 10 Oct 2012 12:37:24 +0200 Subject: [PATCH] Fix CA CRL migration crash in ipa-upgradeconfig CRL migrate procedure did not check if a CA was actually configured on an updated master/rep

Re: [Freeipa-devel] [PATCH] 322 Fix CA CRL migration crash in ipa-upgradeconfig

2012-10-10 Thread Martin Kosek
On 10/10/2012 02:13 PM, Petr Viktorin wrote: > On 10/10/2012 01:05 PM, Martin Kosek wrote: >> CRL migrate procedure did not check if a CA was actually configured >> on an updated master/replica. This caused ipa-upgradeconfig to >> crash on replicas without a CA. >> >

Re: [Freeipa-devel] [PATCH] 0088 Fix typo in the documentation for trusts: RID for Domain Admins is -512

2012-10-10 Thread Martin Kosek
On 10/10/2012 11:40 AM, Sumit Bose wrote: > On Wed, Oct 10, 2012 at 10:52:18AM +0300, Alexander Bokovoy wrote: >> Hi, >> >> Domain Admins RID is -512, not -513. Fix the documentation text. >> >> >> -- >> / Alexander Bokovoy > > ACK > > bye, > Sumit > Pushed to master, ipa-3-0. Martin

Re: [Freeipa-devel] [PATCH] 1059 single CRL generator

2012-10-10 Thread Martin Kosek
On 10/10/2012 12:46 AM, Rob Crittenden wrote: > Rob Crittenden wrote: >> Martin Kosek wrote: >>> On 10/09/2012 04:43 PM, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> On 10/04/2012 06:17 PM, Rob Crittenden wrote: >>>>>>

Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades

2012-10-10 Thread Martin Kosek
On 10/10/2012 10:55 AM, Petr Viktorin wrote: > On 10/09/2012 06:01 PM, Petr Vobornik wrote: >> On 10/09/2012 05:26 PM, Petr Viktorin wrote: >>> On 10/09/2012 05:16 PM, Petr Viktorin wrote: https://fedorahosted.org/freeipa/ticket/3150 Patch 0086: I found an old unused functi

Re: [Freeipa-devel] [PATCH] 1059 single CRL generator

2012-10-10 Thread Martin Kosek
On 10/10/2012 04:12 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 10/10/2012 12:46 AM, Rob Crittenden wrote: >>> Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> On 10/09/2012 04:43 PM, Rob Crittenden wrote: >>>>>> Mar

Re: [Freeipa-devel] [PATCHES] 0086-0088 Generate Firefox extension on upgrades

2012-10-10 Thread Martin Kosek
On 10/10/2012 04:23 PM, Petr Viktorin wrote: > On 10/10/2012 03:37 PM, Martin Kosek wrote: >> On 10/10/2012 10:55 AM, Petr Viktorin wrote: >>> On 10/09/2012 06:01 PM, Petr Vobornik wrote: >>>> On 10/09/2012 05:26 PM, Petr Viktorin wrote: >>>>>

Re: [Freeipa-devel] [PATCH] 1059 single CRL generator

2012-10-10 Thread Martin Kosek
On 10/10/2012 05:29 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 10/10/2012 04:12 PM, Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> On 10/10/2012 12:46 AM, Rob Crittenden wrote: >>>>> Rob Crittenden wrote: >>>>>> Mar

Re: [Freeipa-devel] [PATCH] 87 Do not show full SSH public keys in command output by default

2012-10-11 Thread Martin Kosek
On 10/11/2012 11:25 AM, Jan Cholasta wrote: > Hi, > > in my fix for I have > accidentally changed the behavior of user and host commands to always show > full > SSH public keys in their output. The attached patch fixes this. > > Honza > Works fine

Re: [Freeipa-devel] [PATCH 0018] Make service naming in ipa-server-install consistent

2012-10-11 Thread Martin Kosek
On 10/11/2012 12:26 PM, Tomas Babej wrote: > Hi, > > This patch forces more consistency into ipa-server-install output. All > descriptions of services that are not instances of > SimpleServiceInstance are now in the following format: > > () > > Furthermore, start_creation method has been modifi

Re: [Freeipa-devel] [PATCH] 1061 disable betxn plugins

2012-10-11 Thread Martin Kosek
On 10/11/2012 04:45 AM, Rob Crittenden wrote: > 389-ds-base 1.3.0 was released to Fedora 18 updates-testing this week. There > is > the chance of deadlock in the schema compat plugin at the moment. We have a > candidate patch for addressing it but it is not yet reviewed. > > This is an interim pa

Re: [Freeipa-devel] [PATCH] 1061 disable betxn plugins

2012-10-11 Thread Martin Kosek
On 10/11/2012 03:03 PM, Rob Crittenden wrote: > Rob Crittenden wrote: >> Martin Kosek wrote: >>> On 10/11/2012 04:45 AM, Rob Crittenden wrote: >>>> 389-ds-base 1.3.0 was released to Fedora 18 updates-testing this >>>> week. There is >>>> the

[Freeipa-devel] Unit tests failing on F18

2012-10-12 Thread Martin Kosek
Hello, I was investigating global unit test failure on Fedora 18 for most of today, I would like to share results I found so far. Unit test and its related scripts on F18 now reports NSS BUSY exception, just like this one: # ./make-testcert Traceback (most recent call last): File "./make-testc

Re: [Freeipa-devel] Unit tests failing on F18

2012-10-14 Thread Martin Kosek
On 10/12/2012 06:16 PM, John Dennis wrote: > On 10/12/2012 11:20 AM, Martin Kosek wrote: >> Hello, >> >> I was investigating global unit test failure on Fedora 18 for most of today, >> I >> would like to share results I found so far. >> >> Unit test a

Re: [Freeipa-devel] Unit tests failing on F18

2012-10-14 Thread Martin Kosek
On 10/12/2012 06:21 PM, Rob Crittenden wrote: > John Dennis wrote: >> On 10/12/2012 11:20 AM, Martin Kosek wrote: >>> Hello, >>> >>> I was investigating global unit test failure on Fedora 18 for most of >>> today, I >>> would like to share res

Re: [Freeipa-devel] [Freeipa-users] Announcing FreeIPA v3.0.0 Release

2012-10-15 Thread Martin Kosek
On 10/12/2012 08:06 PM, Rob Crittenden wrote: > The FreeIPA team is proud to announce version FreeIPA v3.0.0. > > It can be downloaded from http://www.freeipa.org/Downloads. Correction: FreeIPA 3.0.0 can be downloaded from http://www.freeipa.org/page/Downloads Martin

Re: [Freeipa-devel] [PATCH] 1062 fix dogtag replication

2012-10-15 Thread Martin Kosek
On 10/12/2012 09:00 PM, Rob Crittenden wrote: > This patch changes the replication protocol from SSL to TLS. This will fix > installing a replica CA along with an updated version of dogtag that fixes > other issues. > > rob > I tested 2.0 -> 3.0 and 3.0 -> 3.0 CA replicas and the recent dogtag +

Re: [Freeipa-devel] [PATCH] 0092 Remove bogus check for smbpasswd

2012-10-16 Thread Martin Kosek
On 10/15/2012 06:52 PM, Alexander Bokovoy wrote: > On Mon, 15 Oct 2012, Rob Crittenden wrote: >> Sumit Bose wrote: >>> On Mon, Oct 15, 2012 at 04:10:45PM +0300, Alexander Bokovoy wrote: Hi! We don't use smbpasswd in adtrustinstance anymore so the check is bogus. One-li

Re: [Freeipa-devel] [PATCH by nkondras] Add uninstall command hints to ipa-*-install

2012-10-16 Thread Martin Kosek
On 10/11/2012 04:44 PM, Petr Viktorin wrote: > The patch was submitted via Trac at > https://fedorahosted.org/freeipa/ticket/3065. Thanks, Nikolai! Please use this > list next time to speed things up. > > I took the liberty of adding one more message, re-formatting the code a bit, > and mentioning

Re: [Freeipa-devel] [PATCH] 1063 Allow no reverse domain

2012-10-16 Thread Martin Kosek
On 10/16/2012 05:21 PM, Rob Crittenden wrote: > A reverse zone is always created unless --no-reverse is passed. > > rob > Yeah, this is much better. I would just unify our summary printed before installation. Now when running ipa-server-install with --no-reverse: ... BIND DNS server will be con

Re: [Freeipa-devel] [PATCH] 1063 Allow no reverse domain

2012-10-17 Thread Martin Kosek
On 10/16/2012 07:27 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 10/16/2012 05:21 PM, Rob Crittenden wrote: >>> A reverse zone is always created unless --no-reverse is passed. >>> >>> rob >>> >> >> Yeah, this is much better. I wo

Re: [Freeipa-devel] [PATCH] 0087 Warn about DNA plugin configuration when working with local ID ranges

2012-10-17 Thread Martin Kosek
On 10/17/2012 11:43 AM, Sumit Bose wrote: > On Wed, Oct 10, 2012 at 12:59:53PM +0300, Alexander Bokovoy wrote: >> On Wed, 10 Oct 2012, Sumit Bose wrote: >>> On Wed, Oct 10, 2012 at 10:51:11AM +0300, Alexander Bokovoy wrote: Warn about manual DNA plugin configuration when working with loca

Re: [Freeipa-devel] [PATCH] 0087 Warn about DNA plugin configuration when working with local ID ranges

2012-10-17 Thread Martin Kosek
On 10/17/2012 12:14 PM, Petr Viktorin wrote: > On 10/17/2012 12:10 PM, Alexander Bokovoy wrote: >> On Wed, 17 Oct 2012, Sumit Bose wrote: >>> On Wed, Oct 10, 2012 at 12:59:53PM +0300, Alexander Bokovoy wrote: On Wed, 10 Oct 2012, Sumit Bose wrote: >On Wed, Oct 10, 2012 at 10:51:11AM +0300

Re: [Freeipa-devel] [PATCH] 0087 Warn about DNA plugin configuration when working with local ID ranges

2012-10-17 Thread Martin Kosek
On 10/17/2012 12:42 PM, Alexander Bokovoy wrote: > On Wed, 17 Oct 2012, Petr Viktorin wrote: >> On 10/17/2012 12:10 PM, Alexander Bokovoy wrote: >>> On Wed, 17 Oct 2012, Sumit Bose wrote: On Wed, Oct 10, 2012 at 12:59:53PM +0300, Alexander Bokovoy wrote: > On Wed, 10 Oct 2012, Sumit Bose w

Re: [Freeipa-devel] [PATCH] 0089 Clarify trust-add help regarding multiple runs against the same domain

2012-10-17 Thread Martin Kosek
On 10/17/2012 12:52 PM, Sumit Bose wrote: > On Wed, Oct 10, 2012 at 06:05:02PM +0300, Alexander Bokovoy wrote: >> Hi, >> >> this patch originated from off-list discussion regarding multiple runs >> of ipa trust-add against the same domain. >> >> Since trust-add re-establishes the trust every time i

[Freeipa-devel] [PATCH] 323 Report ipa-upgradeconfig errors during RPM upgrade

2012-10-17 Thread Martin Kosek
artin From bcc791c27a55a98d051d6920a8fbb2ad9a4f1d10 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Wed, 17 Oct 2012 13:05:24 +0200 Subject: [PATCH] Report ipa-upgradeconfig errors during RPM upgrade Report errors just like with ipa-ldap-updater. These messages should warn user that some parts of the upgrades may have not been success

Re: [Freeipa-devel] [PATCH] support AES for cross-realm TGTs

2012-10-17 Thread Martin Kosek
On 10/17/2012 01:29 PM, Sumit Bose wrote: > On Wed, Sep 26, 2012 at 06:36:40PM -0400, Simo Sorce wrote: >> >> This patch allows Windows to send us TGTs using AES. >> >> Simo. >> >> -- >> Simo Sorce * Red Hat, Inc. * New York > > (sorry for the long delay) > > ACK, patch is working as expected wi

Re: [Freeipa-devel] [PATCH] Fix various issues found by Coverity

2012-10-17 Thread Martin Kosek
On 10/17/2012 02:14 PM, Alexander Bokovoy wrote: > On Tue, 02 Oct 2012, Sumit Bose wrote: >> Hi, >> >> this patch fixes a couple of resource leaks and unchecked return and an >> uninitialised value found by Coverity. > ACK. > Pushed to master, ipa-3-0. Martin

Re: [Freeipa-devel] Unit tests failing on F18

2012-10-18 Thread Martin Kosek
On 10/18/2012 12:04 AM, Rob Crittenden wrote: > Martin Kosek wrote: >> Hello, >> >> I was investigating global unit test failure on Fedora 18 for most of today, >> I >> would like to share results I found so far. >> >> Unit test and its related script

Re: [Freeipa-devel] [PATCH] 87 extdom: handle INP_POSIX_UID and INP_POSIX_GID requests

2012-10-18 Thread Martin Kosek
On 10/17/2012 02:15 PM, Alexander Bokovoy wrote: > On Thu, 11 Oct 2012, Sumit Bose wrote: >> Hi, >> >> I found this issue while working on a related sssd bug >> https://fedorahosted.org/sssd/ticket/1561 . >> >> This patch allows the clients to send a request map a UID or GID for a >> trusted user t

Re: [Freeipa-devel] [PATCH 0018] Make service naming in ipa-server-install consistent

2012-10-18 Thread Martin Kosek
On 10/11/2012 05:11 PM, Tomas Babej wrote: > On 10/11/2012 12:32 PM, Martin Kosek wrote: >> On 10/11/2012 12:26 PM, Tomas Babej wrote: >>> Hi, >>> >>> This patch forces more consistency into ipa-server-install output. All >>> descr

[Freeipa-devel] [PATCH] 324 Add fallback for httpd restarts

2012-10-18 Thread Martin Kosek
restarts succeed when run in a small time distance. Add fallback procedure that adds additional waiting time after such failed restart attempt, and then try to stop and start the service again. https://fedorahosted.org/freeipa/ticket/2965 -- Martin Kosek Senior Software Engineer - Identity

Re: [Freeipa-devel] [PATCH] 324 Add fallback for httpd restarts

2012-10-18 Thread Martin Kosek
On 10/18/2012 02:47 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> Attaching a script I used to reproduce the issue on machine with sysV (RHEL >> 6.4 >> in my case). With the patch applied, httpd restarts correctly fallback-ed. >> >> If you think that the wai

Re: [Freeipa-devel] [PATCH] 324 Add fallback for httpd restarts

2012-10-18 Thread Martin Kosek
On 10/18/2012 04:36 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 10/18/2012 02:47 PM, Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> Attaching a script I used to reproduce the issue on machine with sysV (RHEL >>>> 6.4 >>>> in my c

Re: [Freeipa-devel] [PATCH] 323 Report ipa-upgradeconfig errors during RPM upgrade

2012-10-18 Thread Martin Kosek
On 10/18/2012 05:22 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> Report errors just like with ipa-ldap-updater. These messages should warn >> user that some parts of the upgrades may have not been successful and >> he should follow up on them. Otherwise, user may n

Re: [Freeipa-devel] [PATCH] 323 Report ipa-upgradeconfig errors during RPM upgrade

2012-10-18 Thread Martin Kosek
On 10/18/2012 05:51 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> On 10/18/2012 05:22 PM, Rob Crittenden wrote: >>> Martin Kosek wrote: >>>> Report errors just like with ipa-ldap-updater. These messages should warn >>>> user that some parts of the

Re: [Freeipa-devel] [PATCH 0019] Forbid overlapping primary and secondary rid ranges

2012-10-19 Thread Martin Kosek
On 10/18/2012 10:00 PM, Sumit Bose wrote: > On Thu, Oct 18, 2012 at 08:31:50AM +0200, Tomas Babej wrote: >> On 10/17/2012 08:12 PM, Sumit Bose wrote: >>> On Wed, Oct 17, 2012 at 03:29:11PM +0200, Tomas Babej wrote: On 10/17/2012 02:34 PM, Sumit Bose wrote: > On Wed, Oct 17, 2012 at 12:59:5

Re: [Freeipa-devel] [PATCH] 1066 requesting certs with subject alt name

2012-10-19 Thread Martin Kosek
On 10/18/2012 09:42 PM, Rob Crittenden wrote: > We were seeing a unicode failure when trying to request a certificate with > subject alt names. This one-liner should fix it. > > rob > Yup, this fixes it, works fine on --selfsign IPA CA too. Just when testing your patch, I found out we don't tre

Re: [Freeipa-devel] [PATCH 75] log dogtag errors

2012-10-19 Thread Martin Kosek
On 10/19/2012 09:45 AM, Petr Viktorin wrote: > On 10/18/2012 07:20 PM, John Dennis wrote: >> On 10/18/2012 05:06 AM, Petr Viktorin wrote: >>> This looks much better. I found one more issue, though. >>> +if detail is not None: +err_msg += ' (%s)' % detail >>> >>> Here I

Re: [Freeipa-devel] [PATCH 0018] Make service naming in ipa-server-install consistent

2012-10-19 Thread Martin Kosek
On 10/19/2012 01:26 PM, Tomas Babej wrote: > On 10/18/2012 11:27 AM, Martin Kosek wrote: >> On 10/11/2012 05:11 PM, Tomas Babej wrote: >>> On 10/11/2012 12:32 PM, Martin Kosek wrote: >>>> On 10/11/2012 12:26 PM, Tomas Babej wrote: >>>>> Hi, >>>

Re: [Freeipa-devel] [PATCH 0018] Make service naming in ipa-server-install consistent

2012-10-19 Thread Martin Kosek
On 10/19/2012 02:49 PM, Tomas Babej wrote: > On 10/19/2012 01:44 PM, Martin Kosek wrote: >> On 10/19/2012 01:26 PM, Tomas Babej wrote: >>> On 10/18/2012 11:27 AM, Martin Kosek wrote: >>>> On 10/11/2012 05:11 PM, Tomas Babej wrote: >>>>> On 10/11/2012

[Freeipa-devel] [PATCH] 325 Create reverse zone in unattended mode

2012-10-19 Thread Martin Kosek
d9c06a5bb374962b004bd7f89e2b621eb9fefac7 Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Fri, 19 Oct 2012 15:34:49 +0200 Subject: [PATCH] Create reverse zone in unattended mode Previous fix for ticket #3161 caused ipa-{server,dns}-install to skip creation of reverse zone when running in unattended mode. Make sure

Re: [Freeipa-devel] [PATCH] 323 Report ipa-upgradeconfig errors during RPM upgrade

2012-10-19 Thread Martin Kosek
On 10/19/2012 03:23 PM, Rob Crittenden wrote: > Petr Viktorin wrote: >> On 10/19/2012 08:15 AM, Martin Kosek wrote: >>> On 10/18/2012 05:51 PM, Rob Crittenden wrote: >>>> Martin Kosek wrote: >>>>> On 10/18/2012 05:22 PM, Rob Crittenden wrote: >>

Re: [Freeipa-devel] [PATCH] 1066 requesting certs with subject alt name

2012-10-19 Thread Martin Kosek
On 10/19/2012 03:46 PM, Rob Crittenden wrote: > Petr Spacek wrote: >> On 10/19/2012 03:10 PM, Rob Crittenden wrote: >>> Petr Spacek wrote: >>>> On 10/19/2012 10:10 AM, Martin Kosek wrote: >>>>> On 10/18/2012 09:42 PM, Rob Crittenden wrote: >>>

Re: [Freeipa-devel] [PATCH] 325 Create reverse zone in unattended mode

2012-10-19 Thread Martin Kosek
On 10/19/2012 03:40 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> Previous fix for ticket #3161 caused ipa-{server,dns}-install to >> skip creation of reverse zone when running in unattended mode. Make >> sure that reverse zone is created also in unattended mode (unle

Re: [Freeipa-devel] [PATCH] 1066 requesting certs with subject alt name

2012-10-22 Thread Martin Kosek
On 10/22/2012 12:40 PM, Petr Spacek wrote: > On 10/19/2012 03:46 PM, Rob Crittenden wrote: >> Petr Spacek wrote: >>> On 10/19/2012 03:10 PM, Rob Crittenden wrote: >>>> Petr Spacek wrote: >>>>> On 10/19/2012 10:10 AM, Martin Kosek wrote: >>

Re: [Freeipa-devel] [PATCHES] backport of Firefox extension to FreeIPA 2.2

2012-10-22 Thread Martin Kosek
On 10/17/2012 12:02 PM, Petr Vobornik wrote: > On 10/16/2012 06:10 PM, Endi Sukma Dewata wrote: >> On 10/12/2012 5:55 AM, Petr Viktorin wrote: >>> On 10/11/2012 02:55 PM, Petr Vobornik wrote: This bunch of patches is a backport of Firefox extension to FreeIPA 2.2. First apply pvoborn

Re: [Freeipa-devel] [PATCH] client: include the directory with domain-realm mappings in krb5.conf

2012-10-22 Thread Martin Kosek
On 10/08/2012 08:27 PM, Rob Crittenden wrote: > Jakub Hrozek wrote: >> On Fri, Aug 17, 2012 at 12:20:27PM -0400, Simo Sorce wrote: >>> >>> >>> - Original Message - Hi, the attached patches add the directory the SSSD writes domain-realm mappings as includedir to krb5.conf

Re: [Freeipa-devel] [PATCHES] backport of Firefox extension to FreeIPA 2.2

2012-10-23 Thread Martin Kosek
On 10/22/2012 05:38 PM, Petr Vobornik wrote: > On 10/22/2012 05:01 PM, Martin Kosek wrote: >> On 10/17/2012 12:02 PM, Petr Vobornik wrote: >>> On 10/16/2012 06:10 PM, Endi Sukma Dewata wrote: >>>> On 10/12/2012 5:55 AM, Petr Viktorin wrote: >>>>>

[Freeipa-devel] Announcing FreeIPA v2.2.1 Release

2012-10-23 Thread Martin Kosek
permission. Jan Cholasta (1): * SSH configuration fixes. Martin Kosek (1): * Become IPA 2.2.1 Petr Viktorin (2): * replica-install: Don't copy Firefox config extension files if they're not in the replica file * Create Firefox extension on upgrade and replica-install Petr V

Re: [Freeipa-devel] [PATCH] 1065 Close connection after each request

2012-10-24 Thread Martin Kosek
On 10/23/2012 04:52 PM, Rob Crittenden wrote: > Close connection after each request, avoid NSS shutdown problem. > > The unit tests were failing when executed against an Apache server > in F-18 due to dangling references causing NSS shutdown to fail, and > potentially other places like adding host

Re: [Freeipa-devel] Experimental patchwork server

2012-10-24 Thread Martin Kosek
On 10/23/2012 03:53 PM, John Dennis wrote: > On 10/23/2012 09:00 AM, Simo Sorce wrote: >> I strongly suggest you use git-send-email instead of thunderbird, it >> makes everything a lot faster, see the instructions I sent in my >> followup email. > > I wrote a python script to manage my patch submi

[Freeipa-devel] [PATCH] 326 Improve compatibility of LDAP rename_s call

2012-10-24 Thread Martin Kosek
they are not supported. NotImplementedException is raised when the options are used with this version. https://fedorahosted.org/freeipa/ticket/3199 From e644f0dd80b2f46369005430de0b8389703a775d Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Wed, 24 Oct 2012 10:42:44 +0200 Subject: [PATCH

Re: [Freeipa-devel] [PATCH] 88 ipa-adtrust-install: restart httpd to pick up new plugins

2012-10-24 Thread Martin Kosek
On 10/24/2012 12:19 PM, Sumit Bose wrote: > Hi, > > this patch fixes https://fedorahosted.org/freeipa/ticket/3185 by > restarting httpd as one of the last steps of ipa-adtrust-install. > > bye, > Sumit > This patch is targeted to pick up trust plugins (adtrustinstance, dcerpc) installed durin

[Freeipa-devel] [PATCH] 327 Avoid uninstalling dependencies during package lifetime

2012-10-24 Thread Martin Kosek
following is done on top of IPA 3.0.0 GA. https://fedorahosted.org/freeipa/ticket/3189 From 5ab0db2195ad24c26059a8d4768b3a23194cc60a Mon Sep 17 00:00:00 2001 From: Martin Kosek Date: Wed, 24 Oct 2012 12:35:36 +0200 Subject: [PATCH] Avoid uninstalling dependencies during package lifetime Requires(pre

Re: [Freeipa-devel] [PATCH] 88 ipa-adtrust-install: restart httpd to pick up new plugins

2012-10-24 Thread Martin Kosek
On 10/24/2012 12:48 PM, Sumit Bose wrote: > On Wed, Oct 24, 2012 at 12:31:57PM +0200, Martin Kosek wrote: >> On 10/24/2012 12:19 PM, Sumit Bose wrote: >>> Hi, >>> >>> this patch fixes https://fedorahosted.org/freeipa/ticket/3185 by >>> restarting

Re: [Freeipa-devel] [PATCH] 327 Avoid uninstalling dependencies during package lifetime

2012-10-25 Thread Martin Kosek
On 10/24/2012 08:25 PM, Rob Crittenden wrote: > Martin Kosek wrote: >> Requires(pre) only guarantees that package will be present before >> package scriptlets are run. However, the package can be removed >> after installation is finished without removing also IPA. Add >
