Re: [Freeipa-devel] [PATCH 487] ldap: Make ldap2 connection management thread-safe again

2015-09-04 Thread Tomas Babej


On 09/02/2015 04:47 PM, Jan Cholasta wrote:
> On 2.9.2015 16:20, thierry bordaz wrote:
>> On 09/02/2015 03:16 PM, Jan Cholasta wrote:
>>> On 2.9.2015 14:51, Martin Basti wrote:


 On 09/02/2015 02:32 PM, Jan Cholasta wrote:
> Hi,
>
> the attached patch fixes
> .
>
> Honza
>
>
>

 This patch needs a big rebase to ipa-4-2 branch
>>>
>>> Patch attached.
>>>
>>>
>>>
>> Hello,
>>
>> Two minor questions. LDAPClient close/__del__/__exit__ are now just
>> resetting self._conn without disconnecting the connection.
> 
> They do the same even without the patch, "object.__setattr__(self,
> '_conn', None)" is effectively the same as "self._conn = None".
> 
>> Only ldap2.close() disconnects the connection. Could it be a risk to see
>> connection leaks with __del__ or __exit__ ?
> 
> This behavior is unchanged, and so far no one complained about
> connection leaks.
> 
>>
>> Also in the fix there is:
>>
>> @@ -118,10 +115,11 @@ class ldap2(CrudBackend, LDAPClient):
>>   if debug_level:
>>   _ldap.set_option(_ldap.OPT_DEBUG_LEVEL, debug_level)
>>
>> -LDAPClient._connect(self)
>> -conn = self._conn
>> +client = LDAPClient(self.ldap_uri,
>> +   
>> force_schema_updates=self._force_schema_updates)
>> +conn = client._conn
>>
>>
>> Is it the same as 'conn = client.conn()' ?
> 
> No. It's the same as "conn = client.conn", but I'd like to get rid of
> LDAPClient.conn in the future (internal attributes should not be
> public), hence the use of self._conn.
> 
>>
>> Thanks
>> thierry
>>
> 

This fixes the connection issue, ACK.

Tomas

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] [PATCHES 362-366] Realmdomains handling improvements

2015-09-03 Thread Tomas Babej
Hi,

this couple of patches fix https://fedorahosted.org/freeipa/ticket/5278
and improve our handling of realmdomains in general.

Tomas
From 7298b240843b5a86569b3e99cd793f42fd007acf Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 12:13:32 +0200
Subject: [PATCH] util: Add detect_dns_zone_realm_type helper

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/util.py | 55 +++
 1 file changed, 55 insertions(+)

diff --git a/ipalib/util.py b/ipalib/util.py
index 5a761fb0f7ee6c0851d6f1128cecc4ddd8b397f2..23f36a63dd5747239102e6153b6c0c1e774daa59 100644
--- a/ipalib/util.py
+++ b/ipalib/util.py
@@ -799,3 +799,58 @@ def get_topology_connection_errors(graph):
 if not_visited:
 connect_errors.append((m, list(visited), list(not_visited)))
 return connect_errors
+
+def detect_dns_zone_realm_type(api, domain):
+"""
+Detects the type of the realm that the given DNS zone belongs to.
+Note: This method is heuristic. Possible values:
+  - 'current': For IPA domains belonging in the current realm.
+  - 'foreign': For domains belonging in a foreing kerberos realm.
+  - 'unknown': For domains whose allegiance could not be detected.
+"""
+
+# First, try to detect _kerberos TXT record in the domain
+# This would indicate that the domain belongs to IPA realm
+
+kerberos_prefix = DNSName('_kerberos')
+domain_suffix = DNSName(domain)
+kerberos_record_name = kerberos_prefix + domain_suffix
+
+response = None
+
+try:
+result = resolver.query(kerberos_record_name, rdatatype.TXT)
+answer = result.response.answer
+
+# IPA domain will have only one _kerberos TXT record
+if (len(answer) == 1 and
+len(answer[0]) == 1 and
+answer[0].rdtype == rdatatype.TXT):
+
+record = answer[0][0]
+
+# If the record contains our current realm, it is 'ipa-current'
+if record.to_text() == '"{0}"'.format(api.env.realm):
+return 'current'
+else:
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# Try to detect AD specific record in the zone.
+# This would indicate that the domain belongs to foreign (AD) realm
+
+gc_prefix = DNSName('_ldap._tcp.gc._msdcs')
+ad_specific_record_name = gc_prefix + domain_suffix
+
+try:
+# The presence of this record is enough, return foreign in such case
+result = resolver.query(ad_specific_record_name, rdatatype.SRV)
+return 'foreign'
+
+except DNSException as e:
+pass
+
+# If we could not detect type with certainity, return unknown
+return 'unknown'
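Review bot: the `_kerberos` TXT comparison `record.to_text() == '"{0}"'.format(api.env.realm)` compares the quoted presentation form of the record, so a TXT record whose value is split into several character-strings, or that carries escaped characters, is classified 'foreign' even when it names the current realm; comparing the record's raw strings (dnspython exposes them as `record.strings`) against `api.env.realm` would be more robust. Three smaller points in the same hunk: the comment says 'ipa-current' while the function returns 'current'; the docstring has 'foreing' for 'foreign' and the closing comment 'certainity' for 'certainty'; and the bound `e` in both `except DNSException as e:` clauses is never used. Finally, because the result rests entirely on DNS answers, which are unauthenticated unless the resolver validates DNSSEC, the docstring's "heuristic" note should state that whoever can answer queries for the zone can steer the classification, so callers must not treat 'current' as proof that a domain belongs to this realm.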
-- 
2.1.0

From cb6efd05e12b441f70385c7e8c5cdf605c173456 Mon Sep 17 00:00:00 2001
From: Tomas Babej <tba...@redhat.com>
Date: Thu, 3 Sep 2015 12:40:17 +0200
Subject: [PATCH] realmdomains: Minor style and wording improvements

https://fedorahosted.org/freeipa/ticket/5278
---
 ipalib/plugins/realmdomains.py | 75 +-
 1 file changed, 60 insertions(+), 15 deletions(-)

diff --git a/ipalib/plugins/realmdomains.py b/ipalib/plugins/realmdomains.py
index 871ea79c4b6225919d2700420a56eebb816bc025..83c8abd76a220f365f751ec399e6b1535a8e575e 100644
--- a/ipalib/plugins/realmdomains.py
+++ b/ipalib/plugins/realmdomains.py
@@ -133,16 +133,46 @@ class realmdomains_mod(LDAPUpdate):
 del_domain = entry_attrs.get('del_domain')
 force = options.get('force')
 
+current_domain = get_domain_name()
+
+missing_soa_ns_record_error = _(
+"DNS zone for each realmdomain must contain "
+"SOA or NS records. No records found for: %s"
+)
+
+# User specified the list of domains explicitly
 if associateddomain:
 if add_domain or del_domain:
-raise errors.MutuallyExclusiveError(reason=_("you cannot specify the --domain option together with --add-domain or --del-domain"))
-if get_domain_name() not in associateddomain:
-raise errors.ValidationError(name='domain', error=_("cannot delete domain of IPA server"))
+raise errors.MutuallyExclusiveError(
+reason=_(
+"The --domain option cannot be used together "
+"with --add-domain or --del-domain. Use --domain "
+"to specify the whole realm domain list explicitly, "
+"to add/remove individual domains, use "
+"--add-domain/del-domain.")
+)
+
+# Make sure our domain is included in the list
+if current_domain not in associateddomain:
+   
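Review bot: the replacement message for the `MutuallyExclusiveError` ends with "--add-domain/del-domain", which drops the leading dashes of the second option; make it "--add-domain/--del-domain" so the message names the options as the user must type them. The `missing_soa_ns_record_error` string is built at the top of the hunk but its use lies outside the visible excerpt, and the `if current_domain not in associateddomain:` guard that replaces the old "cannot delete domain of IPA server" ValidationError is cut off, so the new validation cannot be reviewed from what is shown here.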

Re: [Freeipa-devel] [PATCH 0004] Rewrap errors in get_principal to CCacheError

2015-09-03 Thread Tomas Babej


On 09/03/2015 12:54 PM, Michael Šimáček wrote:
> After porting to gssapi, the ipa command prints ugly traceback when
> kerberos credentials are not available. Rewrapping to CCacheError when
> getting the principal name results in nicer error message.
> 
> https://fedorahosted.org/freeipa/ticket/5272
> 
> 

This fixes the issue; however, I am getting a trailing forward slash in
the error message:

$ ipa user-find
ipa: ERROR: Kerberos error: did not receive Kerberos credentials/


Re: [Freeipa-devel] cert profiles - test plan + patches

2015-09-03 Thread Tomas Babej


On 09/03/2015 01:40 PM, Lenka Doudova wrote:
> Hi,
> 
> I took a look at it at Milan's request.
> 
> patch 0008 - tracker looks ok, ACK
> patch 0009 - test cases look ok as well, but can't get it to run, 10 out
> of 14 tests fail, starting with internal error, which I haven't been
> able to track down, nor fix it.

You can investigate the internal error by inspecting the
/var/log/httpd/error_log on the IPA server that executed the command.

There should be a traceback.

> 
> Lenka
> 
> === FAILURES
> ===
>  TestProfileCRUD.test_create_duplicate
> _
> 
> self =  object at 0x7f36459e7110>
> user_profile =
>  at 0x7f36459e73d0>
> 
> def test_create_duplicate(self, user_profile):
> msg = u'Certificate Profile with name "{}" already exists'
>>   user_profile.ensure_exists()
> 
> ipatests/test_xmlrpc/test_certprofile_plugin.py:178:
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> _ _ _ _
> ipatests/test_xmlrpc/ldaptracker.py:169: in ensure_exists
> self.create(force=True)
> ipatests/test_xmlrpc/ldaptracker.py:206: in create
> result = command()
> ipatests/test_xmlrpc/ldaptracker.py:127: in run_command
> result = cmd(*args, **options)
> ipalib/frontend.py:443: in __call__
> ret = self.run(*args, **options)
> ipalib/frontend.py:761: in run
> return self.forward(*args, **options)
> ipalib/frontend.py:782: in forward
> return self.Backend.rpcclient.forward(self.name, *args, **kw)
> ipalib/rpc.py:947: in forward
> return self._call_command(command, params)
> ipalib/rpc.py:924: in _call_command
> return command(*params)
> ipalib/rpc.py:1075: in _call
> return self.__request(name, args)
> _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
> _ _ _ _
> 
> self = 
> name = 'certprofile_import'
> args = (('caIPAserviceCert_mod',), {'all': False, 'description':
> 'Storing copy of a profile', 'file': 'profileId=caIPAservice...sion Default
> policyset.serverCertSet.11.default.params.userExtOID=2.5.29.17
> ', 'ipacertprofilestoreissued': True, ...})
> 
> def __request(self, name, args):
> payload = {'method': unicode(name), 'params': args, 'id': 0}
> version = args[1].get('version', VERSION_WITHOUT_CAPABILITIES)
> payload = json_encode_binary(payload, version)
>
> if self.__verbose >= 2:
> root_logger.info('Request: %s',
>  json.dumps(payload, sort_keys=True, indent=4))
>
> response = self.__transport.request(
> self.__host,
> self.__handler,
> json.dumps(payload),
> verbose=self.__verbose >= 3,
> )
>
> try:
> response = json_decode_binary(json.loads(response))
> except ValueError as e:
> raise JSONError(str(e))
>
> if self.__verbose >= 2:
> root_logger.info(
> 'Response: %s',
> json.dumps(json_encode_binary(response, version),
>sort_keys=True, indent=4)
> )
> error = response.get('error')
> if error:
> try:
> error_class = errors_by_code[error['code']]
> except KeyError:
> raise UnknownError(
> code=error.get('code'),
> error=error.get('message'),
> server=self.__host,
> )
> else:
>>   raise error_class(message=error['message'])
> E   InternalError: an internal error has occurred
> 
> 
> 
> 
> On 08/31/2015 03:25 PM, Fraser Tweedale wrote:
>> On Mon, Aug 31, 2015 at 12:24:13PM +0200, Martin Basti wrote:
>>>
>>> On 08/18/2015 04:06 PM, Milan Kubík wrote:
 On 08/11/2015 03:17 AM, Fraser Tweedale wrote:
> On Mon, Aug 10, 2015 at 11:36:31AM +0200, Milan Kubík wrote:
>> On 08/05/2015 02:57 PM, Milan Kubík wrote:
>>> Hi list,
>>>
>>> I'm sending the test plan [1] for certificate profiles and preliminary
>>> patches for it.
>>> The plan covers basic CRUD test and some corner cases. I'm open to
>>> more
>>> suggestions.
>>>
>>> More complicated tests involving certificate profiles will require the
>>> code (and tests)
>>> for CA ACLs merged, so it's not there at the moment.
>>>
>>> There are some unfinished test cases in places I wasn't sure what the
>>> result should be.
>>> We need to iterate through these to fix it.
>>>
>>>
>>> [1]: http://www.freeipa.org/page/V4/Certificate_Profiles/Test_Plan
>>>
>>> Cheers,
>>> Milan
>> Hi all,
>>
>> have you had some time to look at the code and proposal?
>> Today I want to write a basic CRUD test for the ACLs as well as a few
>> test
>> cases to check if the ACL is being enforced. It should make it into
>> 

Re: [Freeipa-devel] [PATCH] Updated no of legacy permission in ipatests

2015-09-03 Thread Tomas Babej


On 09/03/2015 08:16 AM, Abhijeet Kasurde wrote:
> Ping
> 
> On 08/27/2015 10:37 AM, Abhijeet Kasurde wrote:
>> Hi All,
>>
>> This patch fixes bug - https://fedorahosted.org/freeipa/ticket/5264
>>
>> Thanks,
>> Abhijeet Kasurde
> 

ACK, the patch needs a minor rebase on master due to python3 refactoring.



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-08-31 Thread Tomas Babej


On 08/26/2015 11:27 PM, Simo Sorce wrote:
> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> and introduces a number of required  changes and dependencies to achieve
> this goal.
> This work requires the custodia project to securely transfer keys
> between ipa servers.
> 
> This work is not 100% complete, it still misses the ability to install
> kra instances and the ability to install a CA (via ipa-ca-install) with
> externally signed certs.
> 
> However, it is massive enough that it warrants review and pushing; the rest
> of the changes can be applied later as this work should not disrupt the
> classic install methods.
> 
> In order to build my previous patches (530-533) are needed as well as a
> number of updated components.
> 
> I used the following coprs for testing:
> simo/jwcrypto
> simo/custodia
> abbra/sssd-kkdcproxy (for sssd 1.13.1)
> lkrispen/389-ds-current (for 389 > 1.3.4.4)
> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> mkosek/freeipa-4.2-fedora-22 (misc)
> fedora/updates-testing (python-gssapi 1.1.2)
> 
> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> it will be released.
> 
> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> that may cause installation issues in some case (re-install of a
> replica).
> 
> The domain must be raised to level 1 in order to use replica promotion.
> 
> In order to promote a replica the server must be first joined as a
> regular client to the domain.
> 
> This is the flow I usually use for testing:
> 
> # ipa-client-install
> # kinit admin
> # ipa-replica-install --promote --setup-ca
>  etc...>
> 
> These patches are also available in this git tree rebased on current
> master:
> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
> 
> Simo.
> 
> 
> 

I'm running into an issue when upgrading RPMs:

2015-08-31T10:53:32Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
return_value = self.run()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 48, in run
server.upgrade()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1596, in upgrade
upgrade_configuration()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1508, in upgrade_configuration
custodia.upgrade_instance()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
57, in upgrade_instance
self.__gen_keys()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
51, in __gen_keys
KeyStore.generate_server_keys()
  File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
generate_server_keys
ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
  File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
set_key
conn.modify_s(dn, mods)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
364, in modify_s
return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
465, in result
resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
469, in result2
resp_type, resp_data, resp_msgid, resp_ctrls =
self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
476, in result3
resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
483, in result4
ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
106, in _ldap_call
result = func(*args,**kwargs)

2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
No such object



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-08-31 Thread Tomas Babej


On 08/31/2015 02:56 PM, Simo Sorce wrote:
> On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:
>>
>> On 08/26/2015 11:27 PM, Simo Sorce wrote:
>>> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
>>> and introduces a number of required  changes and dependencies to achieve
>>> this goal.
>>> This work requires the custodia project to securely transfer keys
>>> between ipa servers.
>>>
>>> This work is not 100% complete, it still misses the ability to install
>>> kra instances and the ability to install a CA (via ipa-ca-install) with
>>> externally signed certs.
>>>
>>> However, it is massive enough that it warrants review and pushing; the rest
>>> of the changes can be applied later as this work should not disrupt the
>>> classic install methods.
>>>
>>> In order to build my previous patches (530-533) are needed as well as a
>>> number of updated components.
>>>
>>> I used the following coprs for testing:
>>> simo/jwcrypto
>>> simo/custodia
>>> abbra/sssd-kkdcproxy (for sssd 1.13.1)
>>> lkrispen/389-ds-current (for 389 > 1.3.4.4)
>>> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
>>> mkosek/freeipa-4.2-fedora-22 (misc)
>>> fedora/updates-testing (python-gssapi 1.1.2)
>>>
>>> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
>>> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
>>> it will be released.
>>>
>>> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
>>> that may cause installation issues in some case (re-install of a
>>> replica).
>>>
>>> The domain must be raised to level 1 in order to use replica promotion.
>>>
>>> In order to promote a replica the server must be first joined as a
>>> regular client to the domain.
>>>
>>> This is the flow I usually use for testing:
>>>
>>> # ipa-client-install
>>> # kinit admin
>>> # ipa-replica-install --promote --setup-ca
>>> >> etc...>
>>>
>>> These patches are also available in this git tree rebased on current
>>> master:
>>> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
>>>
>>> Simo.
>>>
>>>
>>>
>>
>> I'm running into an issue when upgrading RPMs:
> 
> What version are you upgrading from ?
> 
> Also do you have logs telling which update is failing ? I can guess it
> is the topology stuff but that would be surprising.
> 
> Simo.
> 

It was a master devel machine with some wear on it; a clean 4.2
install does not blow up on upgrade for me.

Will investigate further.



Re: [Freeipa-devel] [PATCH 0066] ipactl: Do not start/stop/restart single service multiple times

2015-08-26 Thread Tomas Babej


On 08/26/2015 03:16 PM, David Kupka wrote:
 https://fedorahosted.org/freeipa/ticket/5248
 
 

+def deduplicate(lst):
+new_lst = []
+s = set(lst)
+for i in lst:
+if i in s:
+s.remove(i)
+new_lst.append(i)
+
+return new_lst
+
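Review bot: `deduplicate` carries no docstring, and the name alone does not say that it keeps the first occurrence of each element and preserves list order, which is the property ipactl needs so that the start/stop order of the services is not changed; add a one-line docstring stating that. Because the helper builds `set(lst)`, it also only accepts hashable items, so the docstring should say so as well.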

Imho, this method deserves a docstring or at least a comment. It is not
entirely clear from the name that its job is to remove the duplicates
while preserving the order of the entries.

Anyway, deduplication can be implemented in a more readable way:

 from collections import OrderedDict
 sample_list = [3,2,1,2,1,5,3]
 OrderedDict.fromkeys(sample_list).keys()
[3, 2, 1, 5]

Tomas

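The order-preserving deduplication discussed above, as an added example that is not code from the patch or from FreeIPA itself. It shows the `OrderedDict.fromkeys` form next to a set-based walk of the list, checks that the two agree, and wraps the result in `list()` because on Python 3 `.keys()` returns a view rather than a list (relevant to the python3 refactoring mentioned elsewhere in this digest). The service list is constructed sample input, not taken from ipactl.

```python
from collections import OrderedDict


def deduplicate(lst):
    """Return lst without duplicates, keeping the first occurrence of each
    element and preserving the original order.

    OrderedDict.fromkeys() inserts keys in iteration order and ignores
    repeats, so its keys are exactly the ordered unique elements.  The
    list() call matters on Python 3, where .keys() is a view, not a list.
    Elements must be hashable, the same requirement a set-based helper has.
    """
    return list(OrderedDict.fromkeys(lst))


def deduplicate_with_set(lst):
    """Set-based variant of the same idea: walk the list once and emit an
    element the first time it is seen."""
    seen = set()
    result = []
    for item in lst:
        if item not in seen:
            seen.add(item)
            result.append(item)
    return result


# Constructed sample (not from ipactl): a start list as it might look after
# several dependency expansions produced repeated entries.
SAMPLE_SERVICES = [
    "dirsrv", "krb5kdc", "kadmin", "dirsrv", "httpd",
    "krb5kdc", "named", "httpd", "pki-tomcatd",
]


def unique_services(services=SAMPLE_SERVICES):
    """Deduplicate the sample and check that both strategies agree."""
    ordered = deduplicate(services)
    assert ordered == deduplicate_with_set(services)
    return ordered


if __name__ == "__main__":
    print(unique_services())
```

On Python 3.7 and later a plain `dict.fromkeys(lst)` gives the same ordering guarantee, but `OrderedDict` makes the intent explicit and works on the Python 2.7 interpreter the tracebacks on this page come from.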


Re: [Freeipa-devel] [PATCH] 914 webui: add option to establish bidirectional trust

2015-08-26 Thread Tomas Babej


On 08/25/2015 05:19 PM, Petr Vobornik wrote:
 https://fedorahosted.org/freeipa/ticket/5259
 
 

ACK.



Re: [Freeipa-devel] [PATCH] First part of integration tests for Topology Plugin

2015-08-26 Thread Tomas Babej


On 08/26/2015 11:44 AM, Oleg Fayans wrote:
 Hi Martin,
 
 On 08/20/2015 11:18 AM, Martin Basti wrote:


 On 08/20/2015 10:26 AM, Martin Basti wrote:


 On 08/19/2015 04:17 PM, Martin Basti wrote:
 I got this:

 https://paste.fedoraproject.org/256746/43999380/
 FYI replica install failure. (I will retest it, but I'm pretty sure
 that it was a clean VM; the test for some reason installs the client first)

   File
 /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py,

 line 295, in decorated
 func(installer)
   File
 /usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py,

 line 319, in install_check
 sys.exit(IPA client is already configured on this system.\n

 2015-08-19T14:14:15Z DEBUG The ipa-replica-install command failed,
 exception: SystemExit: IPA client is already configured on this system.
 Please uninstall it first before configuring the replica, using
 'ipa-client-install --uninstall'.
 2015-08-19T14:14:15Z ERROR IPA client is already configured on this
 system.
 Please uninstall it first before configuring the replica, using
 'ipa-client-install --uninstall'.
 Confirm I got same error.
 Fixed. It was a regex error.
 


 On 08/19/2015 09:00 AM, Oleg Fayans wrote:
 Hi Martin,

 As discussed, here is a new version with pep8-related fixes


 On 08/14/2015 10:44 AM, Oleg Fayans wrote:
 Hi Martin,

 Already noticed that. Implemented the named groups as Tomas advised.
 Added the third test for
 http://www.freeipa.org/page/V4/Manage_replication_topology/Test_plan#Test_case:_Removal_of_a_topology_segment_is_allowed_only_if_there_is_at_least_one_more_segment_connecting_the_given_replica






 On 08/13/2015 05:06 PM, Martin Basti wrote:


 On 08/11/2015 03:36 PM, Oleg Fayans wrote:
 Hi Martin,

 On 08/11/2015 02:02 PM, Martin Basti wrote:
 NACK, comments inline.

 On 11/08/15 13:25, Oleg Fayans wrote:
 Hi Martin,

 Thanks for the review!

 On 08/10/2015 07:08 PM, Martin Basti wrote:
 Thank you for patch, I have a few nitpicks:

 1)
 On 10/08/15 13:05, Oleg Fayans wrote:
 +def create_segment(master, leftnode, rightnode):
 +create_segment(master, leftnode, rightnode)
 Why do you add the name of method in docstring?
 My bad, fixed.

 still there

 +tokenize_topologies(command_output)
 +takes an output of `ipa topologysegment-find` and
 returns an
 array of

 Fixed, sorry.



 2)

 +def create_segment(master, leftnode, rightnode):
 +create_segment(master, leftnode, rightnode)
 +creates a topology segment. The first argument is a node to
 run the
 command on
 +The first 3 arguments should be objects of class Host
 +Returns a hash object containing segment's name, leftnode,
 rightnode information
 +

 I would prefer to add assert there instead of just document
 that a
 Host
 object is needed
 assert(isinstance(master, Host))
 ...

 Fixed. Created a decorator that checks the type of arguments

 This does not scale well.
 If we will want to add new argument that is not host object, you
 need
 change it again.

 Agreed. Modified the decorator so that you can specify a slice of
 arguments to be checked and a class to compare to. This does
 scale :)

 This might be used as function with specified variables that
 have to be
 host objects


 3)
 +def destroy_segment(master, segment_name):
 +
 +destroy_segment(master, segment_name)
 +Destroys topology segment. First argument should be
 object of
 class
 Host

 Instead of description of params as first, second etc., you
 may use
 following:

 +def destroy_segment(master, segment_name):
 +
 +Destroys topology segment.
 +:param master: reference to master object of class Host
 +:param segment: name of segment
 and eventually this in other methods
 +:returns: Lorem ipsum sit dolor mit amet
 +:raises NotFound: if segment is not found

 Fixed

 4)

 cls.replicas[:len(cls.replicas) - 1],

 I suggest cls.replicas[:-1]

 In [2]: a = [1, 2, 3, 4, 5]

 In [3]: a[:-1]
 Out[3]: [1, 2, 3, 4]

 Fixed

 5)
 Why re.findall() and then you just use the first result?
 'leftnode': self.leftnode_re.findall(i)[0]

 Isn't just re.search() enough?
 leftnode_re.search(value).group(1)

 in fact
 leftnode_re.findall(string)[0]
 and
 leftnode_re.search(string).group(1),
 are equally bad from the readability point of view. The first
 one is
 even a bit shorter, so why change? :)

 It depends on point of view,  because when I reviewed it
 yesterday my
 brain raises exception that you are trying to add multiple
 values to
 single value attribute, because you used findall, I expected
 that you
 need multiple values, and then I saw that index [0] at the end,
 and I
 was pretty confused what are you trying to achieve.

 And because findall is not effective in case when you need to
 find just
 one occurrence.

 I got it. Fixed.






 Python 3 nitpick:
 I'm not sure if time when we should enforce python 2/3
 compability
 already comes, but just for record:
 instead of open(file, 'r'), 

Re: [Freeipa-devel] [PATCH] 0196 trusts: format Kerberos principal properly when fetching trust topology

2015-08-24 Thread Tomas Babej


On 08/20/2015 02:21 PM, Alexander Bokovoy wrote:
 Hi,
 
 one more fix for the problem with trusts that Scott Poore found when
 verifying fixes to bug https://bugzilla.redhat.com/show_bug.cgi?id=1250190
 
 Details are in the commit message.
 
 
 

ACK, this fixes the issue in case of two-way trusts.

$ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
ipa-ad-trust --admin Administrator --password --two-way=TRUE

Added Active Directory trust for realm ad.test

  Realm name: ad.test
  Domain NetBIOS name: AD
...
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  Trust status: Established and verified

$ ipa idrange-find

3 ranges matched

  Range name: AD.TEST_id_range
...
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
...
  Range type: local domain range

  Range name: SUB.AD.TEST_id_range
...
  Range type: Active Directory domain range

Number of entries returned 3


Tomas



Re: [Freeipa-devel] [PATCH 0003] Added PyYAML as a dependency for ipa-tests, fixed a replica preparation in RHEL

2015-08-21 Thread Tomas Babej


On 08/20/2015 12:08 PM, Martin Babinsky wrote:
 On 08/20/2015 11:48 AM, Oleg Fayans wrote:
 Fixed two failures of integration tests under RHEL:
 1. PyYAML, needed for integration tests is not installed as a dependency
 2. ipa-replica-prepare requests a reverse zone info under RHEL.




 
 Hi Oleg,
 
 it is a good practice to fix unrelated issues in separate patches, not a
 single one.
 
 Also, I am not sure PyYAML should be marked as required dependency.
 According to http://www.freeipa.org/page/Integration_testing_configuration
 the YAML/JSON configuration of tests is optional besides using
 environment variables.
 
 It might be better to handle the ImportError when IPATEST_YAML_CONFIG is
 set without PyYAML installed (see
 `ipatests/test_integration/env_config.py` line 110) and print some error
 message instructing the user to install the package.
 

This is correct, YAML is not a required dependency, environment
variables can be used as a substitute.

Tomas



Re: [Freeipa-devel] Regression in client-install [master]

2015-08-18 Thread Tomas Babej
On 08/18/2015 03:25 AM, Simo Sorce wrote:
 I see a regression in the client install now that the python-kerberos -
 python-gssapi patches have landed.
 Reverting that single patch makes the issue go away, is anyone else
 seeing this ?
 
 Simo.
 

I believe you're talking about https://fedorahosted.org/freeipa/ticket/5225

I can confirm reverting the gssapi patch did solve the issue yesterday
(this is obvious, since the exception originates in the python-gssapi code).

Tomas



Re: [Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script

2015-08-18 Thread Tomas Babej


On 08/18/2015 11:56 AM, Alexander Bokovoy wrote:
 On Tue, 18 Aug 2015, Alexander Bokovoy wrote:
 On Mon, 17 Aug 2015, Tomas Babej wrote:


 On 08/17/2015 09:03 AM, Alexander Bokovoy wrote:
 On Mon, 17 Aug 2015, Tomas Babej wrote:


 On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
 Hi,

 see commit message for details.




 Hi,

 code-wise this looks good to me. Unfortunately, I have not been
 able to
 verify in my setup that it fixes the issue in the linked BZ:

 $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
 ipa-ad-trust --admin Administrator --password
 
 Added Active Directory trust for realm ad.test
 
 Realm name: ad.test
 Domain NetBIOS name: AD
 Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
 SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
 S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
 S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
 S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
 S-1-1, S-1-0, S-1-5-19, S-1-5-18
 SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
 S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
 S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
 S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
 S-1-1, S-1-0, S-1-5-19, S-1-5-18
 Trust direction: Trusting forest
 Trust type: Active Directory domain
 Trust status: Established and verified

 $ idrange-find

 
 2 ranges matched
 
 Range name: AD.TEST_id_range
 First Posix ID of the range: 19120
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 0
 Domain SID of the trusted domain:
 S-1-5-21-1469936554-2294197481-461507924
 Range type: Active Directory domain range

 Range name: IPA.TEST_id_range
 First Posix ID of the range: 69520
 Number of IDs in the range: 20
 First RID of the corresponding RID range: 1000
 First RID of the secondary RID range: 1
 Range type: local domain range
 
 Number of entries returned 2
 

 However, I have one child subdomain in the setup:

 $ ipa trustdomain-find
 Realm name: ad.test
 Domain name: ad.test
 Domain NetBIOS name: AD
 Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
 Domain enabled: True

 Domain name: sub.ad.test
 Domain NetBIOS name: SUB
 Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
 Domain enabled: True
 
 Number of entries returned 2
 
 Look for AVCs, if there are any.

 Also start abrtd and it should pick up any python exceptions in the
 helper as 'crashes'.


 Right. Insufficient LDAP permissions caused the following backtrace in
 the oddjob helper:

 ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient
 'add' privilege to add the entry
 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.

 Traceback (most recent call last):
 File /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains, line 216,
 in module
   trusted_domain, name, **dom)
 File /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py, line
 347, in add_range
   ipanttrusteddomainsid=dom_sid)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443,
 in __call__
   ret = self.run(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760,
 in run
   return self.execute(*args, **options)
 File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py,
 line 1234, in execute
   self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
 File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py,
 line 1145, in wrapped
   return func(*call_args, **call_kwargs)
 File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line
 1442, in add_entry
   self.conn.add_s(str(entry.dn), attrs.items())
 File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
   self.gen.throw(type, value, traceback)
 File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line
 948, in error_handler
   raise errors.ACIError(info=info)
 ACIError: Insufficient access: Insufficient 'add' privilege to add the
 entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.

 Local variables in innermost frame:
 info: Insufficient 'add' privilege to add the entry
 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
 arg_desc: None
 self: ipaserver.plugins.ldap2.ldap2()
 e: INSUFFICIENT_ACCESS({'info': Insufficient 'add' privilege to add the
 entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n,
 'desc': 'Insufficient access'},)
 desc: 'Insufficient access'
 Updated patch attached.

 You can install freeipa from my COPR abbra/freeipa-oneway (you need
 mkosek/freeipa-master COPR for dependencies) to test.
 .. and use abbra/sssd-kkdcproxy for sssd git master

[Freeipa-devel] [PATCHES 0360-0361] winsync-migrate: Add PassSync warnings

2015-08-17 Thread Tomas Babej
Hi,

the following pair of patches fixes:

https://fedorahosted.org/freeipa/ticket/5162
From ab4f6e4ebdd91e9f57540acd11ecf0c13f1f2d81 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 17 Aug 2015 08:46:52 +0200
Subject: [PATCH] winsync-migrate: Add warning about passsync

https://fedorahosted.org/freeipa/ticket/5162
---
 ipaserver/install/ipa_winsync_migrate.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipaserver/install/ipa_winsync_migrate.py b/ipaserver/install/ipa_winsync_migrate.py
index 73f79249a1f6e3f0cefa347fa20d472b5723ed9e..097b8c806cfb4df2ea98db86da7b34d99176a9c4 100644
--- a/ipaserver/install/ipa_winsync_migrate.py
+++ b/ipaserver/install/ipa_winsync_migrate.py
@@ -302,6 +302,12 @@ class WinsyncMigrate(admintool.AdminTool):
 object_container_dn=DN(api.env.container_selinux, api.env.basedn),
 )
 
+def warn_passsync(self):
+self.log.warning(Migration completed. Please note that if PassSync 
+was configured on the given Active Directory server, 
+it needs to be manually removed, otherwise it may try 
+to reset password for accounts that are no longer existent.)
+
 @classmethod
 def main(cls, argv):
 
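Review bot: the warning text ends in "accounts that are no longer existent"; "accounts that no longer exist" reads better, and the message should name the concrete action (remove the PassSync service from the Domain Controller) so it matches the WARNINGS section the companion man page patch adds. The message is also built from four adjacent string literals whose quotes did not survive the archive; please double-check that each fragment in the committed file keeps its trailing space ("PassSync ", "server, ", "try ") so the words do not run together in the log line.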
@@ -343,3 +349,5 @@ class WinsyncMigrate(admintool.AdminTool):
 self.migrate_hbac_memberships(entry)
 self.migrate_selinux_memberships(entry)
 self.ldap.delete_entry(entry)
+
+self.warn_passsync()
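Review bot: `self.warn_passsync()` runs only after the whole migration loop has finished, so if `migrate_hbac_memberships`, `migrate_selinux_memberships` or `delete_entry` raises for one entry, the administrator never sees the PassSync reminder even though earlier entries have already been deleted. Consider emitting the warning in a `finally:` around the loop, or printing it before the loop as well.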
-- 
2.1.0

From 9a77a959fbe2886792821c315918244e12d13160 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 17 Aug 2015 08:46:20 +0200
Subject: [PATCH] winsync-migrate: Expand the man page

https://fedorahosted.org/freeipa/ticket/5162
---
 install/tools/man/ipa-winsync-migrate.1 | 27 ++-
 1 file changed, 26 insertions(+), 1 deletion(-)

diff --git a/install/tools/man/ipa-winsync-migrate.1 b/install/tools/man/ipa-winsync-migrate.1
index a1e01c83da6017d5cbe10297dbe84a4dd1741ec7..88702bad6fca66206dcbc1a90fce495eb33598fb 100644
--- a/install/tools/man/ipa-winsync-migrate.1
+++ b/install/tools/man/ipa-winsync-migrate.1
@@ -16,7 +16,7 @@
 .\
 .\ Author: Tomas Babej tba...@redhat.com
 .\
-.TH ipa-advise 1 Mar 10 2015 FreeIPA FreeIPA Manual Pages
+.TH ipa-winsync-migrate 1 Mar 10 2015 FreeIPA FreeIPA Manual Pages
 .SH NAME
 ipa\-winsync\-migrate \- Seamless migration of AD users created by winsync to native AD users.
 .SH SYNOPSIS
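Review bot: the `.TH` line now names the right command, but it keeps the "Mar 10 2015" date while this series substantially expands the page; update the date alongside the title so the man page footer reflects the revision.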
@@ -25,3 +25,28 @@ ipa\-winsync\-migrate
 Migrates AD users created by winsync agreement to ID overrides in
 the Default Trust View, thus preserving the actual POSIX attributes
 already established.
+
+Prior to the actual migration, the winsync replication agreement
+will be removed to protect the removal of the user accounts
+on the Active Directory side.
+
+During the migration, group, assigned roles, HBAC rules and SELinux
+memberships of the synced users will be preserved. Any local copies
+(created by winsync) of the migrated users will be removed.
+
+.SH WARNINGS
+After the migration, any PassSync agreements need to be removed
+from Active Directory Domain Controllers, otherwise they might
+attempt to update passwords for accounts that no longer exist
+on the IPA server.
+
+.SH OPTIONS
+.TP
+\fB\-\-realm\fR
+The Active Directory realm the winsynced users belong to.
+.TP
+\fB\-\-server\fR
+The hostname of Active Directory Domain Controller the winsync replication agreement is established with.
+.TP
+\fB\-\-unattended\fR
+Never prompts for user input.
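Review bot: "will be removed to protect the removal of the user accounts on the Active Directory side" says the opposite of what is meant; suggest "will be removed to prevent the removal of the user accounts on the Active Directory side", since the local winsync copies are deleted later in the migration and the agreement must be gone before that happens. Two smaller points in the same hunk: "group, assigned roles, HBAC rules and SELinux memberships" should read "group memberships, assigned roles, HBAC rules and SELinux user map memberships", and the `\-\-realm` and `\-\-server` entries should show that they take an argument, e.g. `\fB\-\-realm\fR=\fIREALM\fR` and `\fB\-\-server\fR=\fIHOSTNAME\fR`, as the other FreeIPA man pages do.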
-- 
2.1.0

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script

2015-08-17 Thread Tomas Babej


On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
 Hi,
 
 see commit message for details.
 
 
 

Hi,

code-wise this looks good to me. Unfortunately, I have not been able to
verify in my setup that it fixes the issue in the linked BZ:

$ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
ipa-ad-trust --admin Administrator --password

Added Active Directory trust for realm ad.test

  Realm name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
  S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
  S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
  S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
  S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

$ idrange-find


2 ranges matched

  Range name: AD.TEST_id_range
  First Posix ID of the range: 19120
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain: S-1-5-21-1469936554-2294197481-461507924
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
  First Posix ID of the range: 69520
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range

Number of entries returned 2


However, I have one child subdomain in the setup:

$ ipa trustdomain-find
Realm name: ad.test
  Domain name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  Domain enabled: True

  Domain name: sub.ad.test
  Domain NetBIOS name: SUB
  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
  Domain enabled: True

Number of entries returned 2


Tomas



Re: [Freeipa-devel] [PATCH] 0195 harden trust-fetch-domains oddjobd script

2015-08-17 Thread Tomas Babej


On 08/17/2015 09:03 AM, Alexander Bokovoy wrote:
 On Mon, 17 Aug 2015, Tomas Babej wrote:


 On 08/13/2015 04:29 PM, Alexander Bokovoy wrote:
 Hi,

 see commit message for details.




 Hi,

 code-wise this looks good to me. Unfortunately, I have not been able to
 verify in my setup that it fixes the issue in the linked BZ:

 $ echo Secret123456 | ipa trust-add --type=ad ad.test --range-type
 ipa-ad-trust --admin Administrator --password
 
 Added Active Directory trust for realm ad.test
 
  Realm name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  SID blacklist incoming: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
 S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
  S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
 S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
  S-1-1, S-1-0, S-1-5-19, S-1-5-18
  SID blacklist outgoing: S-1-5-20, S-1-5-3, S-1-5-2, S-1-5-1, S-1-5-7,
 S-1-5-6, S-1-5-5, S-1-5-4, S-1-5-9, S-1-5-8,
  S-1-5-17, S-1-5-16, S-1-5-15, S-1-5-14,
 S-1-5-13, S-1-5-12, S-1-5-11, S-1-5-10, S-1-3, S-1-2,
  S-1-1, S-1-0, S-1-5-19, S-1-5-18
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  Trust status: Established and verified

 $ idrange-find

 
 2 ranges matched
 
  Range name: AD.TEST_id_range
  First Posix ID of the range: 19120
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 0
  Domain SID of the trusted domain:
 S-1-5-21-1469936554-2294197481-461507924
  Range type: Active Directory domain range

  Range name: IPA.TEST_id_range
  First Posix ID of the range: 69520
  Number of IDs in the range: 20
  First RID of the corresponding RID range: 1000
  First RID of the secondary RID range: 1
  Range type: local domain range
 
 Number of entries returned 2
 

 However, I have one child subdomain in the setup:

 $ ipa trustdomain-find
 Realm name: ad.test
  Domain name: ad.test
  Domain NetBIOS name: AD
  Domain Security Identifier: S-1-5-21-1469936554-2294197481-461507924
  Domain enabled: True

  Domain name: sub.ad.test
  Domain NetBIOS name: SUB
  Domain Security Identifier: S-1-5-21-10134726-2575992721-4229914074
  Domain enabled: True
 
 Number of entries returned 2
 
 Look for AVCs, if there are any.
 
 Also start abrtd and it should pick up any python exceptions in the
 helper as 'crashes'.
 

Right. Insufficient LDAP permissions caused the following backtrace in
the oddjob helper:

ipaldap.py:948:error_handler:ACIError: Insufficient access: Insufficient
'add' privilege to add the entry
'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.

Traceback (most recent call last):
  File /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains, line 216,
in module
trusted_domain, name, **dom)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py, line
347, in add_range
ipanttrusteddomainsid=dom_sid)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443,
in __call__
ret = self.run(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760,
in run
return self.execute(*args, **options)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py,
line 1234, in execute
self._exc_wrapper(keys, options, ldap.add_entry)(entry_attrs)
  File /usr/lib/python2.7/site-packages/ipalib/plugins/baseldap.py,
line 1145, in wrapped
return func(*call_args, **call_kwargs)
  File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line
1442, in add_entry
self.conn.add_s(str(entry.dn), attrs.items())
  File /usr/lib64/python2.7/contextlib.py, line 35, in __exit__
self.gen.throw(type, value, traceback)
  File /usr/lib/python2.7/site-packages/ipapython/ipaldap.py, line
948, in error_handler
raise errors.ACIError(info=info)
ACIError: Insufficient access: Insufficient 'add' privilege to add the
entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.

Local variables in innermost frame:
info: Insufficient 'add' privilege to add the entry
'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.
arg_desc: None
self: ipaserver.plugins.ldap2.ldap2()
e: INSUFFICIENT_ACCESS({'info': Insufficient 'add' privilege to add the
entry 'cn=SUB.AD.TEST_id_range,cn=ranges,cn=etc,dc=ipa,dc=test'.\n,
'desc': 'Insufficient access'},)
desc: 'Insufficient access'



Re: [Freeipa-devel] [patch]-pytest-multihost-Return File Attributes to sftp.put

2015-08-13 Thread Tomas Babej


On 08/13/2015 01:55 PM, Niranjan wrote:
 Greetings,
 
 This patch is regarding pytest-multihost plugin. 
 Including a patch to return FileAttributes for sftp.put function
 used in the function.
 
 Current put_file function in transport.py in ParamikoTransport Class doesn't
 return any value. So when using this function it's not clear if the operation
 was successful or not. 
 
 Returning FileAttributes to put_file function helps in checking if operation
 was indeed successful. 
 
 Requesting feedback on the patch attached.
 
 Regards
 Niranjan 
 
 
 

Note that ParamikoTransport is not the only kind of Transport class in
the python-multihost. So using the FileAttributes to distinguish
success/failure does not seem like the way to go.

If you want to distinguish between a successful/unsuccessful put_file
call, we should return a boolean value, or rather raise an exception.

Cc-ing Petr to chime in.

Tomas



Re: [Freeipa-devel] [PATCH] First part of integration tests for Topology Plugin

2015-08-13 Thread Tomas Babej


On 08/13/2015 05:06 PM, Martin Basti wrote:
 
 
 On 08/11/2015 03:36 PM, Oleg Fayans wrote:
 Hi Martin,

 On 08/11/2015 02:02 PM, Martin Basti wrote:
 NACK, comments inline.

 On 11/08/15 13:25, Oleg Fayans wrote:
 Hi Martin,

 Thanks for the review!

 On 08/10/2015 07:08 PM, Martin Basti wrote:
 Thank you for patch, I have a few nitpicks:

 1)
 On 10/08/15 13:05, Oleg Fayans wrote:
 +def create_segment(master, leftnode, rightnode):
 +create_segment(master, leftnode, rightnode)
 Why do you add the name of method in docstring?
 My bad, fixed.

 still there

 +tokenize_topologies(command_output)
 +takes an output of `ipa topologysegment-find` and returns an
 array of

 Fixed, sorry.



 2)

 +def create_segment(master, leftnode, rightnode):
 +create_segment(master, leftnode, rightnode)
 +creates a topology segment. The first argument is a node to
 run the
 command on
 +The first 3 arguments should be objects of class Host
 +Returns a hash object containing segment's name, leftnode,
 rightnode information
 +

 I would prefer to add assert there instead of just document that a
 Host
 object is needed
 assert(isinstance(master, Host))
 ...

 Fixed. Created a decorator that checks the type of arguments

 This does not scale well.
 If we will want to add new argument that is not host object, you need
 change it again.

 Agreed. Modified the decorator so that you can specify a slice of
 arguments to be checked and a class to compare to. This does scale :)

 This might be used as function with specified variables that have to be
 host objects


 3)
 +def destroy_segment(master, segment_name):
 +
 +destroy_segment(master, segment_name)
 +Destroys topology segment. First argument should be object of
 class
 Host

 Instead of description of params as first, second etc., you may use
 following:

 +def destroy_segment(master, segment_name):
 +
 +Destroys topology segment.
 +:param master: reference to master object of class Host
 +:param segment: name fo segment
 and eventually this in other methods
 +:returns: Lorem ipsum sit dolor mit amet
 +:raises NotFound: if segment is not found

 Fixed

 4)

 cls.replicas[:len(cls.replicas) - 1],

 I suggest cls.replicas[:-1]

 In [2]: a = [1, 2, 3, 4, 5]

 In [3]: a[:-1]
 Out[3]: [1, 2, 3, 4]

 Fixed

 5)
 Why re.findall() and then you just use the first result?
 'leftnode': self.leftnode_re.findall(i)[0]

 Isn't just re.search() enough?
 leftnode_re.search(value).group(1)

 in fact
 leftnode_re.findall(string)[0]
 and
 leftnode_re.search(string).group(1),
 Are equally bad from the readability point of view. The first one is
 even a bit shorter, so why change? :)

 It depends on point of view,  because when I reviewed it yesterday my
 brain raises exception that you are trying to add multiple values to
 single value attribute, because you used findall, I expected that you
 need multiple values, and then I saw that index [0] at the end, and I
 was pretty confused about what you were trying to achieve.

 And because findall is not effective in case when you need to find just
 one occurrence.

 I got it. Fixed.






 Python 3 nitpick:
 I'm not sure if time when we should enforce python 2/3 compatibility
 already comes, but just for record:
 instead of open(file, 'r'), please use io.open(file, 'r') (import io
 before)

 Done.





 1)

 +#

 empty comment here (several times)

 Removed


 
 NACK
 
 you changed it wrong
 
 group() returns everything, you need to use group(1) to return content in
 braces.
 

I'd suggest using named groups in this case, it leads to clearer
expressions.

See: https://docs.python.org/2/library/re.html , (?P<name>...) section.

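The named-group approach suggested above, worked through on the kind of helper the thread is reviewing (a tokenizer for `ipa topologysegment-find` output). This is an added example, not code from the patch under review or from FreeIPA: the sample output is constructed in the layout of the ipa CLI `*-find` listings shown elsewhere on this page, the field labels and hostnames are assumed, and `first_leftnode` shows the `group()` versus `group(1)` mistake Martin points out, with the named group standing in for the index.

```python
"""Added example (not FreeIPA code): parsing *-find output with named
groups, and the group() vs group(1)/group('name') pitfall."""
import re

# Constructed sample in the layout of ipa CLI *-find output; the field
# labels and hostnames are assumptions, not taken from the page.
SAMPLE_OUTPUT = """\
---------------------------
2 segments matched
---------------------------
  Segment name: master.ipa.test-to-replica1.ipa.test
  Left node: master.ipa.test
  Right node: replica1.ipa.test
  Connectivity: both

  Segment name: replica1.ipa.test-to-replica2.ipa.test
  Left node: replica1.ipa.test
  Right node: replica2.ipa.test
  Connectivity: both
----------------------------
Number of entries returned 2
----------------------------
"""

# One "Label: value" line; the named groups say what each part is, so no
# reader has to count parentheses to know what group(1) was.
FIELD_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?):\s*(?P<value>.*?)\s*$")

# Output labels -> keys of the returned dicts.
FIELDS = {"Segment name": "name", "Left node": "leftnode",
          "Right node": "rightnode", "Connectivity": "connectivity"}


def tokenize_topologies(command_output):
    """Return one dict per segment block; blocks are blank-line separated,
    so field order inside a block does not matter."""
    segments, current = [], {}
    for line in command_output.splitlines() + [""]:   # "" flushes the last block
        m = FIELD_RE.match(line)
        if m and m.group("key") in FIELDS:
            current[FIELDS[m.group("key")]] = m.group("value")
        elif not line.strip() and current:
            segments.append(current)
            current = {}
    return segments


LEFTNODE_RE = re.compile(r"Left node:\s*(?P<leftnode>\S+)")


def first_leftnode(text):
    """search() plus the named group.  A bare group() would return the whole
    'Left node: ...' match, which is the bug raised in the review."""
    m = LEFTNODE_RE.search(text)
    if m is None:
        raise ValueError("no 'Left node' field found")
    return m.group("leftnode")


if __name__ == "__main__":
    for seg in tokenize_topologies(SAMPLE_OUTPUT):
        print(seg)
    print(first_leftnode(SAMPLE_OUTPUT))
```

Splitting on blank lines and matching one generic `key: value` line at a time is also more robust than one regex per field run over the whole output, because a stray extra field or a changed field order no longer breaks the parser.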


Re: [Freeipa-devel] [PATCH] 909 validate mutually exclusive options in vault-add

2015-08-12 Thread Tomas Babej


On 08/12/2015 04:28 PM, Tomas Babej wrote:
 
 
 On 08/12/2015 01:00 PM, Petr Vobornik wrote:
 https://fedorahosted.org/freeipa/ticket/5195


 
 I did a small grammar change could - can in the error message.
 
 Otherwise ACK.
 

Pushed to master: 7d7ffb62526595433412633c05af5af7909124c8
Pushed to ipa-4-2: dc0d4f73200065c209eb007a3be3ebd3d3b6dd64



Re: [Freeipa-devel] [PATCH 0055] raise an exception when user tries to modify a local ID range

2015-08-12 Thread Tomas Babej


On 08/12/2015 04:38 PM, Tomas Babej wrote:
 
 
 On 08/10/2015 10:50 AM, Martin Babinsky wrote:
 On 08/07/2015 05:25 PM, Tomas Babej wrote:


 On 08/07/2015 05:09 PM, Martin Babinsky wrote:
 On 08/07/2015 04:51 PM, Tomas Babej wrote:


 On 08/07/2015 04:22 PM, Martin Babinsky wrote:
 Short term fix for https://fedorahosted.org/freeipa/ticket/4826




 Hi,

 couple of minor issues:

 1.) Please create a separate constant for the WARNING section, now this
 segment is copy-pasted at three different places in the plugin.

 2.) It would be nice to fix the broken indentation in the help texts
 for
 ipa idrange-add/mod while poking at that part of the code.

 How should these sections be indented (especially the warning parts)?


 The section is indented using 4 spaces in ipa help idrange-mod (-add).
 I see no point in doing so. Additionally, being a separate block of
 text, it is not visually separated from the options block.

 3.) 'ipa help idranges' does not produce any info, its error message
 needs to suggest 'ipa help idrange'

 Otherwise looks and works good.

 Tomas




 Attaching updated patch. I have tried to improve the visibility of the
 warning message.

 
 Thanks, much better now.
 
 ACK.
 

Pushed to:
master: 55feea500be1f4ae7bf02ef3c48377a6751ca71d
ipa-4-2: 5738cdb1145f6bce7f31a6d29bd39ceadbe62c88



Re: [Freeipa-devel] [PATCH 0359] adtrust-install: Correctly determine 4.2 FreeIPA servers

2015-08-12 Thread Tomas Babej


On 08/11/2015 04:58 PM, Alexander Bokovoy wrote:
 On Tue, 11 Aug 2015, Tomas Babej wrote:
 Hi,

 We need to detect a list of FreeIPA 4.2 (and above) servers, since
 only there is the required version of SSSD present.

 Since the maximum domain level for 4.2 is 0 (and not 1), we can filter
 for any value of ipaMaxDomainLevel / ipaMinDomainLevel attributes
 to generate the list.

 https://fedorahosted.org/freeipa/ticket/5199
 
 From 31bf121e4603bc1287eac88653ff48198c2f69c3 Mon Sep 17 00:00:00 2001
 From: Tomas Babej tba...@redhat.com
 Date: Tue, 11 Aug 2015 16:05:32 +0200
 Subject: [PATCH] adtrust-install: Correctly determine 4.2 FreeIPA servers

 We need to detect a list of FreeIPA 4.2 (and above) servers, since
 only there is the required version of SSSD present.

 Since the maximum domain level for 4.2 is 0 (and not 1), we can filter
 for any value of ipaMaxDomainLevel / ipaMinDomainLevel attributes
 to generate the list.

 https://fedorahosted.org/freeipa/ticket/5199
 ---
 install/tools/ipa-adtrust-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

 diff --git a/install/tools/ipa-adtrust-install
 b/install/tools/ipa-adtrust-install
 index
 5340c31d16ed78da0cb39725d9ae93c76470b698..21e58dd9f25e82429ce8d0c776d1b512c2661809
 100755
 --- a/install/tools/ipa-adtrust-install
 +++ b/install/tools/ipa-adtrust-install
 @@ -396,7 +396,7 @@ def main():
 # Search only masters which have support for domain levels
 # because only these masters will have SSSD recent enough
 to support AD trust agents
 (entries_m, truncated) = smb.admin_conn.find_entries(
 -   
 filter=((objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0))),

 +   
 filter=((objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*)),

 base_dn=masters_dn, attrs_list=['cn'],
 scope=ldap.SCOPE_ONELEVEL)
 except errors.NotFound:
 pass
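Review bot: in both the removed and the added filter line the leading conjunction operator is missing; they read `((objectclass=ipaSupportedDomainLevelConfig)...)` where an LDAP filter needs `(&(objectclass=ipaSupportedDomainLevelConfig)...)`. If that is only the mail archive dropping the `&`, fine, but please confirm the committed line starts with `(&`, since a filter with two bare parenthesised items side by side is not valid RFC 4515 syntax and the server will reject the search.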
 
 ACK. I tested a manual version of this patch in the morning.
 

* master: 1fc21e980bb901bf71f7ee024cdbb15c1caec3a7
* ipa-4-2: ef192fb17be348c526029e8fa5165b9108e1f6da



Re: [Freeipa-devel] [PATCH] 909 validate mutually exclusive options in vault-add

2015-08-12 Thread Tomas Babej


On 08/12/2015 01:00 PM, Petr Vobornik wrote:
 https://fedorahosted.org/freeipa/ticket/5195
 
 

I did a small grammar change could - can in the error message.

Otherwise ACK.



Re: [Freeipa-devel] [PATCH 0055] raise an exception when user tries to modify a local ID range

2015-08-12 Thread Tomas Babej


On 08/10/2015 10:50 AM, Martin Babinsky wrote:
 On 08/07/2015 05:25 PM, Tomas Babej wrote:


 On 08/07/2015 05:09 PM, Martin Babinsky wrote:
 On 08/07/2015 04:51 PM, Tomas Babej wrote:


 On 08/07/2015 04:22 PM, Martin Babinsky wrote:
 Short term fix for https://fedorahosted.org/freeipa/ticket/4826




 Hi,

 couple of minor issues:

 1.) Please create a separate constant for the WARNING section, now this
 segment is copy-pasted at three different places in the plugin.

 2.) It would be nice to fix the broken indentation in the help texts
 for
 ipa idrange-add/mod while poking at that part of the code.

 How should these sections be indented (especially the warning parts)?


 The section is indented using 4 spaces in ipa help idrange-mod (-add).
 I see no point in doing so. Additionally, being a separate block of
 text, it is not visually separated from the options block.

 3.) 'ipa help idranges' does not produce any info, its error message
 needs to suggest 'ipa help idrange'

 Otherwise looks and works good.

 Tomas



 
 Attaching updated patch. I have tried to improve the visibility of the
 warning message.
 

Thanks, much better now.

ACK.



Re: [Freeipa-devel] [PATCH 470] install: Fix server and replica install options

2015-08-12 Thread Tomas Babej


On 08/12/2015 03:42 PM, Martin Babinsky wrote:
 On 08/12/2015 07:52 AM, Jan Cholasta wrote:
 Hi,

 the attached patch fixes https://fedorahosted.org/freeipa/ticket/5184.

 Honza



 
 ACK
 

master: a651be3eec2a08bd2865b16b0eed767db69aab0f
ipa-4-2: 8e1a9b49397ee9dbef9fce4b61277246ea65ca8d



Re: [Freeipa-devel] [PATCH] 0031 certprofile: add profile format explanation

2015-08-12 Thread Tomas Babej


On 08/12/2015 06:24 PM, Tomas Babej wrote:
 
 
 On 08/05/2015 06:10 AM, Fraser Tweedale wrote:
 The attached patch addresses
 https://fedorahosted.org/freeipa/ticket/5089

 Thanks,
 Fraser



 
 ACK, thanks for the explanations. I gather this concludes the
 https://fedorahosted.org/freeipa/ticket/5089 ticket then?
 
 Tomas
 

Ah, I just noticed you say so in the initial email. There was a previous
note in the ticket about not closing, so I got confused by that, but it
referred to a former commit.

Pushed to:
master: f6b32d8eea82d686ab3cf92153fa7e1f5ded70ac
ipa-4-2: 5afe202d5bbe1481ee6472e9676b636b3afd380c



Re: [Freeipa-devel] [PATCHES] 0691-0695 Modernization

2015-08-12 Thread Tomas Babej


On 08/12/2015 06:16 PM, Tomas Babej wrote:
 
 
 On 08/12/2015 06:12 PM, Christian Heimes wrote:
 On 2015-08-12 18:10, Tomas Babej wrote:


 On 08/10/2015 05:39 PM, Petr Viktorin wrote:
 On 08/03/2015 11:07 AM, Christian Heimes wrote:
 On 2015-07-31 19:14, Petr Viktorin wrote:
 Hello,
 Here is a batch of mostly mechanical changes: removing deprecated
 features to prepare for Python 3.

 Out of curiosity, what tool did you use for patch 695-absolute-imports?
 Python-modernize adds from __future__ import absolute_imports and
 changes imports to explicit relative imports.

 I used modernize to find all the occurrences, and fixed imports by hand.
 Most of IPA uses absolute imports, as recommended by PEP 8.

 In patch 693 you have removed test cases for CIDict.has_key(), but
 CIDict still provides the function. You should either keep the tests
 around or remove has_key() from CIDict.

 I haven't removed them: test_haskey is only skipped under Python 3. I
 assumed that's enough to verify that `has_key` works well (i.e. the same
 as `in`), so in the other tests I do use `in` instead.

 I'm attaching updated patches, under Python 3 they remove CIDict.has_key
 a bit more formally. They're also rebased.

 The rest looks good to me, but I haven't studied every change
 thoroughly. It's just too much.

 Anything I can do to help?

 Let's not sit on this for too long, it will be a pain to rebase. I went
 through the gargantuan patches manually and did not discover any issues.

 Additionally, the patchset introduces no new unit-test failures.

 So I am inclined to ACK it, unless Christian has any objections.

 I've skimmed over the patches and didn't find any issues either.

 pylint --py3k is going to complain about missing from __future__ import
 absolute_import lines. We can add them later, though.

 Christian


 
 Either that, or we can simply ignore no-absolute-import (W1618).
 
 Thus ACK for the patchset.
 
 Tomas
 

Pushed to master: 5435a8a32a2e88675e84d22d6f9b97e67f6f5264



Re: [Freeipa-devel] [PATCH] 0031 certprofile: add profile format explanation

2015-08-12 Thread Tomas Babej


On 08/05/2015 06:10 AM, Fraser Tweedale wrote:
 The attached patch addresses
 https://fedorahosted.org/freeipa/ticket/5089
 
 Thanks,
 Fraser
 
 
 

ACK, thanks for the explanations. I gather this concludes the
https://fedorahosted.org/freeipa/ticket/5089 ticket then?

Tomas



Re: [Freeipa-devel] [PATCHES] 0691-0695 Modernization

2015-08-12 Thread Tomas Babej


On 08/12/2015 06:12 PM, Christian Heimes wrote:
 On 2015-08-12 18:10, Tomas Babej wrote:


 On 08/10/2015 05:39 PM, Petr Viktorin wrote:
 On 08/03/2015 11:07 AM, Christian Heimes wrote:
 On 2015-07-31 19:14, Petr Viktorin wrote:
 Hello,
 Here is a batch of mostly mechanical changes: removing deprecated
 features to prepare for Python 3.

 Out of curiosity, what tool did you use for patch 695-absolute-imports?
 Python-modernize adds from __future__ import absolute_imports and
 changes imports to explicit relative imports.

 I used modernize to find all the occurrences, and fixed imports by hand.
 Most of IPA uses absolute imports, as recommended by PEP 8.

 In patch 693 you have removed test cases for CIDict.has_key(), but
 CIDict still provides the function. You should either keep the tests
 around or remove has_key() from CIDict.

 I haven't removed them: test_haskey is only skipped under Python 3. I
 assumed that's enough to verify that `has_key` works well (i.e. the same
 as `in`), so in the other tests I do use `in` instead.

 I'm attaching updated patches, under Python 3 they remove CIDict.has_key
 a bit more formally. They're also rebased.

 The rest looks good to me, but I haven't studied every change
 thoroughly. It's just too much.

 Anything I can do to help?

 Let's not sit on this for too long, it will be a pain to rebase. I went
 through the gargantuan patches manually and did not discover any issues.

 Additionally, the patchset introduces no new unit-test failures.

 So I am inclined to ACK it, unless Christian has any objections.
 
 I've skimmed over the patches and didn't find any issues either.
 
 pylint --py3k is going to complain about missing from __future__ import
 absolute_import lines. We can add them later, though.
 
 Christian
 
 

Either that, or we can simply ignore no-absolute-import (W1618).

Thus ACK for the patchset.

Tomas



Re: [Freeipa-devel] [PATCH] 908 adjust search so that it works for non-admin users

2015-08-12 Thread Tomas Babej


On 08/12/2015 12:59 PM, Petr Vobornik wrote:
 Non-admin user can now search for:
 - hosts
 - hostgroups
 - netgroups
 - servers
 - services
 
 (Fixes ACI issue where search returns nothing when user doesn't have
 read rights for an attribute in search_attributes.)
 
 https://fedorahosted.org/freeipa/ticket/5167
 
 

ACK.



Re: [Freeipa-devel] [PATCH] 908 adjust search so that it works for non-admin users

2015-08-12 Thread Tomas Babej


On 08/12/2015 04:13 PM, Tomas Babej wrote:
 
 
 On 08/12/2015 12:59 PM, Petr Vobornik wrote:
 Non-admin user can now search for:
 - hosts
 - hostgroups
 - netgroups
 - servers
 - services

 (Fixes ACI issue where search returns nothing when user doesn't have
 read rights for an attribute in search_attributes.)

 https://fedorahosted.org/freeipa/ticket/5167


 
 ACK.
 

Pushed to master: 196ef09bd25d727865aee72a03d59f9930c65149cd
Pushed to ipa-4-2: e37821af8026958e08f7354df3f84dd42f93d60f



[Freeipa-devel] [PATCH 0359] adtrust-install: Correctly determine 4.2 FreeIPA servers

2015-08-11 Thread Tomas Babej
Hi,

We need to detect a list of FreeIPA 4.2 (and above) servers, since
only there is the required version of SSSD present.

Since the maximum domain level for 4.2 is 0 (and not 1), we can filter
for any value of ipaMaxDomainLevel / ipaMinDomainLevel attributes
to generate the list.

https://fedorahosted.org/freeipa/ticket/5199
From 31bf121e4603bc1287eac88653ff48198c2f69c3 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 11 Aug 2015 16:05:32 +0200
Subject: [PATCH] adtrust-install: Correctly determine 4.2 FreeIPA servers

We need to detect a list of FreeIPA 4.2 (and above) servers, since
only there is the required version of SSSD present.

Since the maximum domain level for 4.2 is 0 (and not 1), we can filter
for any value of ipaMaxDomainLevel / ipaMinDomainLevel attributes
to generate the list.

https://fedorahosted.org/freeipa/ticket/5199
---
 install/tools/ipa-adtrust-install | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5340c31d16ed78da0cb39725d9ae93c76470b698..21e58dd9f25e82429ce8d0c776d1b512c2661809 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -396,7 +396,7 @@ def main():
 # Search only masters which have support for domain levels
 # because only these masters will have SSSD recent enough to support AD trust agents
 (entries_m, truncated) = smb.admin_conn.find_entries(
-filter=((objectclass=ipaSupportedDomainLevelConfig)(!(ipaMaxDomainLevel=0))),
+filter=((objectclass=ipaSupportedDomainLevelConfig)(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*)),
 base_dn=masters_dn, attrs_list=['cn'], scope=ldap.SCOPE_ONELEVEL)
 except errors.NotFound:
 pass
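Review bot: the `truncated` flag returned by `smb.admin_conn.find_entries` on the `(entries_m, truncated) =` line is never examined, so a size- or time-limited search would silently produce a partial list of 4.2 masters; log a warning (or fail) when `truncated` is true. The `except errors.NotFound: pass` branch also leaves `entries_m` unassigned unless it was initialised before the `try`, which the hunk does not show, so please confirm the later use tolerates that. The filter change itself is right: `(ipaMaxDomainLevel=*)(ipaMinDomainLevel=*)` selects every master that advertises domain level support, whereas the old `!(ipaMaxDomainLevel=0)` clause excluded exactly the 4.2 masters whose maximum level is 0, as the commit message explains.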
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0055] raise an exception when user tries to modify a local ID range

2015-08-07 Thread Tomas Babej


On 08/07/2015 05:09 PM, Martin Babinsky wrote:
 On 08/07/2015 04:51 PM, Tomas Babej wrote:


 On 08/07/2015 04:22 PM, Martin Babinsky wrote:
 Short term fix for https://fedorahosted.org/freeipa/ticket/4826




 Hi,

 couple of minor issues:

 1.) Please create a separate constant for the WARNING section, now this
 segment is copy-pasted at three different places in the plugin.

 2.) It would be nice to fix the broken indentation in the help texts for
 ipa idrange-add/mod while poking at that part of the code.

 How should these sections be indented (especially the warning parts)?
 

The section is indented using 4 spaces in ipa help idrange-mod (-add).
I see no point in doing so. Additionally, being a separate block of
text, it is not visually separated from the options block.

 3.) 'ipa help idranges' does not produce any info; its error message
 needs to suggest 'ipa help idrange'

 Otherwise looks and works good.

 Tomas

 
 



Re: [Freeipa-devel] [PATCH 0055] raise an exception when user tries to modify a local ID range

2015-08-07 Thread Tomas Babej


On 08/07/2015 04:22 PM, Martin Babinsky wrote:
 Short term fix for https://fedorahosted.org/freeipa/ticket/4826
 
 
 

Hi,

couple of minor issues:

1.) Please create a separate constant for the WARNING section, now this
segment is copy-pasted at three different places in the plugin.

2.) It would be nice to fix the broken indentation in the help texts for
ipa idrange-add/mod while poking at that part of the code.

3.) 'ipa help idranges' does not produce any info; its error message
needs to suggest 'ipa help idrange'

Otherwise looks and works good.

Tomas



[Freeipa-devel] [PATCH 0357] trusts: Detect domain clash with IPA domain when adding a AD

2015-08-06 Thread Tomas Babej
Hi,

When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges are the same
- it's always DOMAIN.NAME_id_range.

When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.

Detect such domain collisions early and bail out with an appropriate
error message.

https://fedorahosted.org/freeipa/ticket/4549
From ea8b725d5bc4c31a03dc998ef85d91d463542b8c Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 6 Aug 2015 10:54:47 +0200
Subject: [PATCH] trusts: Detect domain clash with IPA domain when adding a AD
 trust

When IPA is deployed in the same domain as AD, trust-add fails since
the names of the local domain and trusted domain ranges are the same
- it's always DOMAIN.NAME_id_range.

When adding a trusted domain, we look for previous ranges for
this domain (which may have been left behind by previous trust
attempts). Since AD and IPA are in the same domain, we find
a local domain range, which does not have a SID.

Detect such domain collisions early and bail out with an appropriate
error message.

https://fedorahosted.org/freeipa/ticket/4549
---
 ipalib/plugins/trust.py | 8 
 1 file changed, 8 insertions(+)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index ba80eefe4735a8800cc530e60b4435c3d8cdcf4d..b64a550216ea534ce58d6c825484ebe837671462 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -730,6 +730,14 @@ sides.
 error=_('only ad is supported')
 )
 
+# Detect IPA-AD domain clash
+if self.api.env.domain.lower() == trusted_realm_domain.lower():
+raise errors.ValidationError(
+name=_('domain'),
+error=_('Cannot establish a trust to AD deployed in the same '
+'domain as IPA. Such setup is not supported.')
+)
+
 # If domain name and realm does not match, IPA server is not be able
 # to establish trust with Active Directory.
 
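Review bot: the new guard at `if self.api.env.domain.lower() == trusted_realm_domain.lower():` uses `trusted_realm_domain`, which is not assigned anywhere in the visible lines; please confirm it is computed before this point and not in the domain/realm consistency block that follows the hunk, otherwise this raises NameError before the intended ValidationError. The comparison covers only the identical-name case, which is what the ticket describes; a comment saying so would stop a later reader from expecting it to catch other range-name collisions. Minor wording in the message: 'Such setup is not supported.' reads better as 'Such a setup is not supported.'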
-- 
2.1.0


[Freeipa-devel] [PATCH 0356] trusts: Detect missing Samba instance

2015-08-06 Thread Tomas Babej
Hi,

In the event of invocation of trust-related commands, the IPA server needs
to contact the local Samba instance. This is not possible on servers that
merely act as AD trust agents, since they do not have a Samba instance
running.

Properly detect the absence of the Samba instance and output a
user-friendly message which includes a list of servers that are capable
of running the command, if such exist.

List of commands affected:
* ipa trust-add
* ipa trust-fetch-domains
* all of the trustdomain commands available via CLI

https://fedorahosted.org/freeipa/ticket/5165
From 128ee05bbebe17f77272b8f2a6bd5039cfbc26b0 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 6 Aug 2015 10:10:04 +0200
Subject: [PATCH] trusts: Detect missing Samba instance

In the event of invocation of trust-related commands, the IPA server needs to
contact the local Samba instance. This is not possible on servers that
merely act as AD trust agents, since they do not have a Samba instance
running.

Properly detect the absence of the Samba instance and output a
user-friendly message which includes a list of servers that are capable
of running the command, if such exist.

List of commands affected:
* ipa trust-add
* ipa trust-fetch-domains
* all of the trustdomain commands available via CLI

https://fedorahosted.org/freeipa/ticket/5165
---
 ipalib/plugins/trust.py | 99 +++--
 1 file changed, 79 insertions(+), 20 deletions(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 940e06a5ffa387c6cc18983d7b56f089f58a236e..ba80eefe4735a8800cc530e60b4435c3d8cdcf4d 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -199,6 +199,73 @@ def make_trust_dn(env, trust_type, dn):
 return DN(dn, container_dn)
 return dn
 
+def find_adtrust_masters(ldap, api):
+
+Returns a list of names of IPA servers with ADTRUST component configured.
+
+
+try:
+entries, truncated = ldap.find_entries(
+cn=ADTRUST,
+base_dn=api.env.container_masters + api.env.basedn
+)
+except errors.NotFound:
+entries = []
+
+return [entry.dn[1].value for entry in entries]
+
+def verify_samba_component_presence(ldap, api):
+
+Verifies that Samba is installed and configured on this particular master.
+If Samba is not available, provide a heplful hint with the list of masters
+capable of running the commands.
+
+
+adtrust_present = api.Command['adtrust_is_enabled']()['result']
+
+hint = _(
+' Alternatively, following servers are capable of running this '
+'command: %(masters)s'
+)
+
+def raise_missing_component_error(message):
+masters_with_adtrust = find_adtrust_masters(ldap, api)
+
+# If there are any masters capable of running Samba requiring commands
+# let's advertise them directly
+if masters_with_adtrust:
+message += hint % dict(masters=', '.join(masters_with_adtrust))
+
+raise errors.NotFound(
+name=_('AD Trust setup'),
+reason=message,
+)
+
+# We're ok in this case, bail out
+if adtrust_present and _bindings_installed:
+return
+
+# First check for packages missing
+elif not _bindings_installed:
+error_message=_(
+'Cannot perform the selected command without Samba 4 support '
+'installed. Make sure you have installed server-trust-ad '
+'sub-package of IPA.'
+)
+
+raise_missing_component_error(error_message)
+
+# Packages present, but ADTRUST instance is not configured
+elif not adtrust_present:
+error_message=_(
+'Cannot perform the selected command without Samba 4 instance '
+'configured on this machine. Make sure you have run '
+'ipa-adtrust-install on this server.'
+)
+
+raise_missing_component_error(error_message)
+
+
 def generate_creds(trustinstance, style, **options):
 
 Generate string representing credentials using trust instance
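Review bot: in `find_adtrust_masters` the `truncated` flag from `ldap.find_entries` is discarded, and `entry.dn[1].value` hard-codes the DN layout `cn=ADTRUST,cn=<server>,<container_masters>`; a comment stating that assumption (or taking the server name from the entry's parent RDN explicitly) would make the helper less fragile if the masters tree is ever restructured. In `verify_samba_component_presence`, `api.Command['adtrust_is_enabled']()` runs before the `_bindings_installed` check even though its result is only needed in the last branch, the `elif` chain after an unconditional `return` can be plain `if`, `error_message=_(` needs spaces around `=`, and the docstring has a typo ('heplful'). Raising `errors.NotFound` for a component missing on the local server is also semantically odd for API clients; a ValidationError or a dedicated error class would describe the condition better.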
@@ -554,6 +621,10 @@ sides.
 has_output_params = LDAPCreate.has_output_params + trust_output_params
 
 def execute(self, *keys, **options):
+ldap = self.obj.backend
+
+verify_samba_component_presence(ldap, self.api)
+
 full_join = self.validate_options(*keys, **options)
 old_range, range_name, dom_sid = self.validate_range(*keys, **options)
 result = self.execute_ad(full_join, *keys, **options)
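Review bot: `verify_samba_component_presence(ldap, self.api)` is now called before `validate_options`, so on a trust-agent-only server every trust-add invocation, well-formed or not, is answered with the missing-Samba error instead of an option validation error; that ordering is defensible (the caller cannot fix the options locally anyway) but deserves a one-line comment so nobody "fixes" it later. Hoisting `ldap = self.obj.backend` to the top of `execute` is fine as long as the original assignment further down is removed in the same patch, which the following hunk does.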
@@ -569,7 +640,6 @@ sides.
 created_range_type = old_range['result']['iparangetype'][0]
 
 trust_filter = cn=%s % result['value']
-ldap = self.obj.backend
 (trusts, truncated) = ldap.find_entries(
  base_dn=DN(self.api.env.container_trusts, self.api.env.basedn),
  filter=trust_filter)
@@ -642,16 +712,6 @@ sides.
 def validate_options(self, *keys, **options

Re: [Freeipa-devel] [PATCH] 0194 Fix selector of protocol for LSA RPC binding string

2015-08-06 Thread Tomas Babej


On 08/05/2015 08:40 PM, Alexander Bokovoy wrote:
 Hi,
 
 attached patch fixes a bug
 https://bugzilla.redhat.com/show_bug.cgi?id=1249455
 
 details are in the commit message.
 
 
 

Looks good to me, generates binding strings as described in the BZ.

Just a readability nitpick, can we get rid of the binding_template
lambda abstraction and use something like this?

binding_template = u'%s:%s[%s]'
return [binding_template % (t, remote_host, o) for t in transports for o in options]

or just plain:

return [u'%s:%s[%s]' % (t, remote_host, o) for t in transports for o in options]

instead of:

binding_template = lambda x, y, z: u'%s:%s[%s]' % (x, y, z)
return [binding_template(t, remote_host, o) for t in transports for o in options]

Tomas



Re: [Freeipa-devel] [PATCH] 0032 Fix otptoken-remove-managedby command summary

2015-08-05 Thread Tomas Babej


On 08/05/2015 07:51 AM, Fraser Tweedale wrote:
 Small doc fix.
 
 Cheers,
 Fraser
 
 
 

ACK, thanks for catching this.

Pushed to:
master: e28a45072004d93ced9bf81b3810fbd2652664b5
ipa-4-2: dc0745650a0172bb66350fb453ec4285e31a32ad

Tomas



Re: [Freeipa-devel] Exporting users access formulars

2015-08-05 Thread Tomas Babej


On 08/04/2015 03:13 PM, Florian Crouzat wrote:
 Hey,
 
 For security reasons (mostly PCI-DSS) I have to print and sign off access
 formulars for every user, and also to maintain these formulars in time,
 which means that every time I add a host to a hostgroup for example, I
 should reprint all access formulars for users with access to this
 hostgroup...
 
 I was wondering if it was possible to develop a feature that would allow
 one to select a user(s) from GUI and generate a csv/pdf/whatever file
 with all direct and indirect memberships/access for HBAC, groups and
 sudo-rule for the selected user(s).
 
 Maybe a first step would be to script something around ipa CLI commands
 (not sure if possible to dig into HBAC and groups from CLI though).
 
 What are your thoughts on such a need? Am I the only one wanting to export
 my users' privileges directly from the software managing these privileges?
 
 Regards,
 Florian
 

I'd recommend building a script to generate such a report; I'm not
really sure it's a feature that would fit directly into the core at this
stage.

You can access IPA's API directly using Python, which can be leveraged
to generate a report using a suitable Python library, such as reportlab.

Using the API you will get access to all the information available to
you via the ipa command line tool.

Examples of using the Python API are available on the net; for example,
here's one user's submission which landed on the list some time ago:

https://github.com/firemanxbr/freeipa-tools/blob/master/freeipa.py

The API can be easily inspected in 4.2 using our new API browser:

https://fedorahosted.org/freeipa/ticket/3129

If you're on an older release, adding the -vv flag to any ipa command
will do the job as well.

HTH,

Tomas
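The kind of access-review script suggested in the reply above, as an added example that is neither part of this thread nor FreeIPA's own tooling. It assumes the attribute names that `ipa user-show --all` returns for direct membership (`memberof_group`, `memberof_hbacrule`, `memberof_sudorule`) and indirect membership (`memberofindirect_group`, `memberofindirect_hbacrule`, `memberofindirect_sudorule`), and that `ipalib`'s `api.Backend.rpcclient` is the client-side transport; the `SAMPLE_ENTRIES` data is constructed, so the report part runs offline while the live fetch needs a FreeIPA client with a Kerberos ticket.

```python
"""Per-user access report (groups, HBAC rules, sudo rules) from FreeIPA.

Added example; not from the mailing-list thread or from FreeIPA itself.
Assumption: user_show(all=True) returns membership as lists under the
memberof_*/memberofindirect_* keys named below.
"""
import csv
import io

# (kind, direct-membership key, indirect-membership key) as user_show
# reports them with all=True.  Assumed names, see module docstring.
MEMBERSHIP_ATTRS = (
    ("group", "memberof_group", "memberofindirect_group"),
    ("hbacrule", "memberof_hbacrule", "memberofindirect_hbacrule"),
    ("sudorule", "memberof_sudorule", "memberofindirect_sudorule"),
)


def membership_rows(entry):
    """Flatten one user_show result into (uid, kind, name, how) tuples.

    Rows are sorted so two reports of the same user can be diffed, which
    is what a periodic sign-off process needs to spot changed access.
    """
    uid = entry["uid"][0]
    rows = []
    for kind, direct_attr, indirect_attr in MEMBERSHIP_ATTRS:
        for name in entry.get(direct_attr, []):
            rows.append((uid, kind, name, "direct"))
        for name in entry.get(indirect_attr, []):
            rows.append((uid, kind, name, "indirect"))
    rows.sort()
    return rows


def access_report_csv(entries):
    """Render the report for several users as CSV text with a header row."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["uid", "kind", "name", "membership"])
    for entry in entries:
        writer.writerows(membership_rows(entry))
    return out.getvalue()


def fetch_user_entries(uids):
    """Pull entries from a live server via ipalib (assumed API; needs a
    FreeIPA client and a Kerberos ticket, not exercised by the sample)."""
    from ipalib import api  # lazy import keeps the report code offline-safe
    api.bootstrap(context="cli")
    api.finalize()
    api.Backend.rpcclient.connect()
    try:
        return [api.Command.user_show(uid, all=True)["result"] for uid in uids]
    finally:
        api.Backend.rpcclient.disconnect()


# Constructed sample: the shape user_show(all=True)["result"] is assumed
# to have.  Not taken from any real deployment.
SAMPLE_ENTRIES = [
    {
        "uid": ["alice"],
        "memberof_group": ["ipausers", "dba"],
        "memberofindirect_group": ["prod-access"],
        "memberof_hbacrule": ["allow_dba_ssh"],
        "memberofindirect_sudorule": ["dba_restart_db"],
    },
    {
        "uid": ["bob"],
        "memberof_group": ["ipausers"],
    },
]

if __name__ == "__main__":
    print(access_report_csv(SAMPLE_ENTRIES), end="")
```

Because the rows are sorted, keeping the previous CSV and diffing it against a fresh run tells you which users need a re-signed form. Note that a host being added to a hostgroup does not change any user's rule membership, so detecting that case means also snapshotting the host side of each HBAC rule (for example via `hbacrule_show`), which this example leaves out.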



[Freeipa-devel] [PATCH 0355] Fix incorrect type comparison in trust-fetch-domains

2015-08-05 Thread Tomas Babej
Hi,

Value needs to be unpacked from the list and converted before comparison.

https://fedorahosted.org/freeipa/ticket/5182
From dee59d971acb733c1dee06a61cc0d79ac2f4fdb7 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 5 Aug 2015 17:31:47 +0200
Subject: [PATCH] Fix incorrect type comparison in trust-fetch-domains

Value needs to be unpacked from the list and converted before comparison.

https://fedorahosted.org/freeipa/ticket/5182
---
 ipalib/plugins/trust.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 91ffaf7feadba0d180e0e95c54f7187cf71d0170..940e06a5ffa387c6cc18983d7b56f089f58a236e 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -1487,7 +1487,7 @@ class trust_fetch_domains(LDAPRetrieve):
 result['truncated'] = False
 
 # For one-way trust fetch over DBus. we don't get the list in this case.
-if trust['ipanttrustdirection']  TRUST_BIDIRECTIONAL != TRUST_BIDIRECTIONAL:
+if int(trust['ipanttrustdirection'][0]) != TRUST_BIDIRECTIONAL:
 fetch_trusted_domains_over_dbus(self.api, self.log, keys[0])
 result['summary'] = unicode(_('List of trust domains successfully refreshed. Use trustdomain-find command to list them.'))
 return result
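Review bot: `int(trust['ipanttrustdirection'][0])` on the `+` line assumes the attribute is present, non-empty and numeric; a trust entry lacking it now raises KeyError or IndexError and a non-numeric value raises ValueError, so either guard with `trust.get('ipanttrustdirection', [None])[0]` and treat None as not bidirectional, or catch the conversion error and log it. The removed line operated on the list value directly, which is why it never compared what the comment describes; the replacement also turns a bitmask test against `TRUST_BIDIRECTIONAL` into plain equality, which is only equivalent while the stored direction is one of the defined values (inbound 1, outbound 2, bidirectional 3), so a short comment stating that assumption would help.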
-- 
2.1.0


Re: [Freeipa-devel] 4.1 branch is broken

2015-08-04 Thread Tomas Babej


On 08/04/2015 03:44 PM, Rob Crittenden wrote:
 Commit 4d2ef43f broke the 4.1 branch. There is no ipaplatform/paths.py.
 
 rob
 

I don't think so; that particular commit is from May 29 2014, which
predates the release of FreeIPA 4.0.

This file (along with a couple of other platform-dependent files) is
generated as part of make version-update.

Tomas



Re: [Freeipa-devel] New freeipa-tools repo

2015-08-03 Thread Tomas Babej


On 07/30/2015 01:58 PM, Martin Kosek wrote:
 On 07/30/2015 01:51 PM, Alexander Bokovoy wrote:
 On Thu, 30 Jul 2015, Martin Kosek wrote:
 Hello all,

 Right now, the people pushing patches to FreeIPA use Petr's great ipatool
 that is part of Petr's (CCed) ipa-tools repo forked from my old ipa-tools
 repository.

 Recently, we have found that ipatool needs an update due to 4.2 being
 released, so I think this is a great moment to make this tool more
 official and use a shared team repository so that people on the team
 can contribute and freely improve it.

 As we have our shiny organization on github, I simply created new
 freeipa-tools repo and with Petr's permission, moved ipa-tools content
 there:

 https://github.com/freeipa/freeipa-tools

 If there are no objections, I would use that as the authoritative version of
 the tools repo for the team.

 FreeIPA developers, please feel free to request access to
 https://github.com/orgs/freeipa/teams/freeipa
 if you want to commit to this repo.
 The link does not exist; you'd get a 404 trying to access it.
 I don't see any way to add myself or request addition at
 https://github.com/freeipa
 
 Ah, looks like the github teams work differently than I thought. You may
 need to send me your github logins so that I can add people.
 
 If there is a better way, please let me know.
 

As a heads up - the freeipa-ci repository containing the FreeIPA
integration tests definitions under jenkins-job-builder is now available
under freeipa organization as well.



Re: [Freeipa-devel] [PATCH] 0028 add --out option to user-show

2015-07-24 Thread Tomas Babej


On 07/24/2015 05:34 PM, Martin Basti wrote:
 On 24/07/15 16:52, Tomas Babej wrote:

 On 07/24/2015 03:40 PM, Fraser Tweedale wrote:
 The attached patch adds --out option to user-show for saving user's
 certificate(s) to file.

 Thanks,
 Fraser



 I hate to nitpick here, but is '--out' really a descriptive option name
 here? I'd prefer something more explicit, like '--save-cert-to', or
 maybe even have this operation implemented as a separate command
 altogether.

 Tomas

 This keyword was already used with several commands. For consistency
 it might be better to have it the same.
 

True. I see this option is being used in the following commands:

 - cert-show
 - vault-retrieve
 - host-show
 - service-show
 - user-show (proposed)

While the first two seem to be an acceptable fit for an option called
--out, as they mainly deal with cert/secret, using the '--out' for the
latter three is a poor decision imho.

I agree the consistency is important, I'm just not happy to see this
spread further.

Tomas



Re: [Freeipa-devel] [PATCH] 0028 add --out option to user-show

2015-07-24 Thread Tomas Babej


On 07/24/2015 03:40 PM, Fraser Tweedale wrote:
 The attached patch adds --out option to user-show for saving user's
 certificate(s) to file.
 
 Thanks,
 Fraser
 
 
 

I hate to nitpick here, but is '--out' really a descriptive option name
here? I'd prefer something more explicit, like '--save-cert-to', or
maybe even have this operation implemented as a separate command altogether.

Tomas



Re: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation

2015-07-23 Thread Tomas Babej


On 07/23/2015 03:32 PM, Alexander Bokovoy wrote:
 On Thu, 23 Jul 2015, Tomas Babej wrote:
 +def get_trusted_domain_object_type(self, name_or_sid):
 +
 +Return the type of the object corresponding to the given
 name in
 +the trusted domain, which is either 'user', 'group' or 'both'.
 +The 'both' types is used for users with magic private groups.
 +
 +
 +object_type = None
 +
 +if is_sid_valid(name_or_sid):
 +result = pysss_nss_idmap.getnamebysid(name_or_sid)
 +else:
 +result = pysss_nss_idmap.getsidbyname(name_or_sid)
 +
 +if name_or_sid in result:
 +object_type =
 result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY)
 If user or group not found, pysss_nss_idmap.getsidbyname() will return
 empty dict and the line above will fail:
  >>> import pysss_nss_idmap
  >>> pysss_nss_idmap.getsidbyname('some-name')
  {}

 It will return {}, however, that line is prefixed by the

 +if name_or_sid in result:

 condition, hence it won't get executed in this case.
 Ok, and then you get conversion dict.get(None) - None which then
 wouldn't match anything in the caller.
 
 Sounds good. The rest was fine.
 
 ACK.
 

Pushed to:
master: aa066f31a5341079197f7b5a79fe2fa1045688bb
ipa-4-2: a60f4ad7d0bbdaca2fbec2c9c491e976bf935f7e



Re: [Freeipa-devel] [PATCHES 0351-0353] Improvements to ID override type validation

2015-07-23 Thread Tomas Babej


On 07/23/2015 03:08 PM, Alexander Bokovoy wrote:
 On Thu, 23 Jul 2015, Tomas Babej wrote:
 Hi,

 this patchset deals mainly with the ticket:

 https://fedorahosted.org/freeipa/ticket/5029

 Details in the commit messages.

 Tomas
 
 From 83defa7e286b9e65a147598b4056abc47b4647bf Mon Sep 17 00:00:00 2001
 From: Tomas Babej tba...@redhat.com
 Date: Wed, 22 Jul 2015 14:00:37 +0200
 Subject: [PATCH] dcerpc: Add get_trusted_domain_object_type method

 https://fedorahosted.org/freeipa/ticket/5029
 ---
 ipaserver/dcerpc.py | 29 +
 1 file changed, 29 insertions(+)

 diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
 index
 7220c440d16816abf5c022c840e9744f321878c4..be6313e1586cb9e3296361a8d07041d496d3223f
 100644
 --- a/ipaserver/dcerpc.py
 +++ b/ipaserver/dcerpc.py
 @@ -107,6 +107,14 @@ dcerpc_error_messages = {
  errors.RequirementError(name=_('At least the domain or IP
 address should be specified')),
 }

 +pysss_type_key_translation_dict = {
 +pysss_nss_idmap.ID_USER: 'user',
 +pysss_nss_idmap.ID_GROUP: 'group',
 +# Used for users with magic private groups
 +pysss_nss_idmap.ID_BOTH: 'both',
 +}
 +
 +
 def assess_dcerpc_exception(num=None,message=None):
 
 Takes error returned by Samba bindings and converts it into
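Review bot: `pysss_type_key_translation_dict` evaluates `pysss_nss_idmap.ID_USER`, `ID_GROUP` and `ID_BOTH` at module import time; if `pysss_nss_idmap` is an optional import in dcerpc.py (guarded by try/except elsewhere), this definition needs the same guard or the whole module fails to import on servers without the bindings. A short comment saying that the dict is keyed by the values found under `pysss_nss_idmap.TYPE_KEY` would also help, since the lookup that uses it sits in a different hunk.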
 @@ -368,6 +376,27 @@ class DomainValidator(object):
 raise errors.ValidationError(name=_('trusted domain object'),
error= _('Trusted domain did not return a valid SID for
 the object'))

 +def get_trusted_domain_object_type(self, name_or_sid):
 +
 +Return the type of the object corresponding to the given name in
 +the trusted domain, which is either 'user', 'group' or 'both'.
 +The 'both' types is used for users with magic private groups.
 +
 +
 +object_type = None
 +
 +if is_sid_valid(name_or_sid):
 +result = pysss_nss_idmap.getnamebysid(name_or_sid)
 +else:
 +result = pysss_nss_idmap.getsidbyname(name_or_sid)
 +
 +if name_or_sid in result:
 +object_type =
 result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY)
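Review bot: the quoted hunk stops at `object_type = result[name_or_sid].get(pysss_nss_idmap.TYPE_KEY)`, before the translation through the new dict and the `return`, so the miss path is the part to document: a lookup that returns `{}` leaves `object_type` as None and the caller gets None rather than an exception. State in the docstring that the method returns None for objects the trusted domain does not know, so callers validate it instead of passing it on as a type. Docstring grammar nit on the same hunk: "The 'both' types is used" should read "The 'both' type is used".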
 If user or group not found, pysss_nss_idmap.getsidbyname() will return
 empty dict and the line above will fail:
 >>> import pysss_nss_idmap
 >>> pysss_nss_idmap.getsidbyname('some-name')
 {}

It will return {}, however, that line is prefixed by the

+if name_or_sid in result:

condition, hence it won't get executed in this case.

I just ran a quick check and it seems to run as expected:

>>> import ipaserver.dcerpc
>>> validator = DomainValidator(api)
>>> validator.get_trusted_domain_object_type('some-name')


Tomas



Re: [Freeipa-devel] [PATCH 0049] fix broken search for users by their manager

2015-07-23 Thread Tomas Babej


On 07/23/2015 11:31 AM, Martin Babinsky wrote:
 On 07/23/2015 11:18 AM, Tomas Babej wrote:


 On 07/23/2015 10:55 AM, Martin Babinsky wrote:
 Fixes https://fedorahosted.org/freeipa/ticket/5146




 The patch fixes the mentioned issue.

 However, there is some code made redundant in stageuser_find.execute,
 which does the same thing, can you please remove it?

 Tomas

 
 Sorry I didn't notice that. Actually, now the whole
 stageuser_find.execute is made obsolete so I removed the whole method.
 
 Attaching updated patch.
 

ACK.

Pushed to master: 7ceaa8e26c3073f3ff3f253025177d49259072f0
Pushed to ipa-4-2: dae3d0ecab7c1b9f4e8cde618d1593edff579a9f



Re: [Freeipa-devel] [PATCH 0049] fix broken search for users by their manager

2015-07-23 Thread Tomas Babej


On 07/23/2015 10:55 AM, Martin Babinsky wrote:
 Fixes https://fedorahosted.org/freeipa/ticket/5146
 
 
 

The patch fixes the mentioned issue.

However, there is some code made redundant in stageuser_find.execute,
which does the same thing, can you please remove it?

Tomas



Re: [Freeipa-devel] [PATCH 0342] idviews: Check for the Default Trust View only if applying

2015-07-22 Thread Tomas Babej


On 07/22/2015 09:04 AM, Martin Basti wrote:
 On 21/07/15 12:47, Tomas Babej wrote:
 Hi,

 Currently, the code wrongly validates the idview-unapply command. Move
 the check for the forbidden application of the Default Trust View into
 the correct logical branch.

 https://fedorahosted.org/freeipa/ticket/4969

 Tomas


 
 ACK
 
 -- 
 Martin Basti
 

Pushed to master: a76c92ccd44ff0a28b789fdbfed5cf45d164eb80
Pushed to ipa-4-2: bcb82784ebdde12f8aa94477d20dc352f7c74b81



Re: [Freeipa-devel] [PATCH 0345] tests: realmdomains_plugin: Add explanatory comment

2015-07-22 Thread Tomas Babej
On 07/22/2015 09:07 AM, Martin Basti wrote:
 On 21/07/15 18:02, Tomas Babej wrote:
 Hi,

 The realmdomains_mod command will fail if the testing environment
 is configured improperly and the IPA domain's NS/SOA records are
 not resolvable. This can easily happen if the machine's DNS server
 is not configured to the IPA server.

 Leave an explanatory note in the class.

 Tomas


 
 ACK
 
 -- 
 Martin Basti
 

Pushed to:
master: 5f8fd8a8e3dfbd8542d4948f799e5f6ee986c957
ipa-4-2: 4292641eddced3f3482c2cc604fbd093f1163cff



Re: [Freeipa-devel] [PATCH 0344] tests: service_plugin: Make sure the cert is decoded from

2015-07-22 Thread Tomas Babej
On 07/22/2015 08:40 AM, Martin Babinsky wrote:
 On 07/21/2015 06:01 PM, Tomas Babej wrote:
 Hi,

 this patch fixes an issue in tests where the certificate was not decoded
 from base64 representation.

 Tomas



 ACK
 

Pushed to:
master: 12395a94f38f4db23e356a6f7d96629155c02532
ipa-4-2: 0fe31fa58a45ad0f957d3b6e4eb87d776c41bd48



Re: [Freeipa-devel] [PATCH 0347] tests: vault_plugin: Skip tests if KRA not available

2015-07-22 Thread Tomas Babej


On 07/22/2015 08:41 AM, Martin Babinsky wrote:
 On 07/21/2015 06:03 PM, Tomas Babej wrote:
 Hi,

 the vault tests should be skipped in case the KRA is not available on
 the machine.

 Tomas



 ACK
 

Pushed to:
master: 8eb26e9230e43eb2683778b8d667c6c7e632ec36
ipa-4-2: dafab2ab3b4fa4a88d59557e29ee266b8b956ede



Re: [Freeipa-devel] [PATCH 0349] tests: test_cert: Services can have multiple certificates

2015-07-22 Thread Tomas Babej


On 07/22/2015 08:44 AM, Martin Babinsky wrote:
 On 07/21/2015 06:03 PM, Tomas Babej wrote:
 Hi,

 Old certificates of the services are no longer removed and revoked
 after new ones have been issued.

 Check that both old and new certificates are present.

 Tomas



 ACK
 

Pushed to:
master: 106e9043379231a8cebf76d5088927364d098112
ipa-4-2: 1a5ada51647f95540837105d03f777d631febe6c



Re: [Freeipa-devel] [PATCH 0348] tests: test_rpc: Create connection for the current thread

2015-07-22 Thread Tomas Babej


On 07/22/2015 09:09 AM, Martin Basti wrote:
 On 21/07/15 18:03, Tomas Babej wrote:
 Hi,

 Both context.xmlclient and context.xmlclient_id need to be created
 in order to successfully call the Command.forward method.

 Tomas


 ACK
 
 -- 
 Martin Basti
 

Pushed to:
master: d71899696ab30c76a220a9fe444fc577a246a978
ipa-4-2: 86cc9c2ba2d4ac8bd26652907c30615eb309a2b3



[Freeipa-devel] [PATCH 0346] tests: Version is currently generated during command call

2015-07-21 Thread Tomas Babej
Hi,

In the previous versions, the version in the response was generated
as part of the process_keyword_arguments method. This is no longer true,
and so the explicit check for it should be removed.

Tomas
From 6f3b99589257711cbfa349cc6b21055b430a2d87 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 21 Jul 2015 15:30:47 +0200
Subject: [PATCH] tests: Version is currently generated during command call

In the previous versions, the version in the response was generated
as part of the process_keyword_arguments method. This is no longer true,
and so the explicit check for it should be removed.
---
 ipatests/test_cmdline/test_cli.py | 51 ---
 1 file changed, 16 insertions(+), 35 deletions(-)

diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py
index 1f7775ea85fd301f71d8e028f0f8efc49346700f..1a97608a4ce4f74da25b4bcb6a90384e1a3aa4e4 100644
--- a/ipatests/test_cmdline/test_cli.py
+++ b/ipatests/test_cmdline/test_cli.py
@@ -42,8 +42,7 @@ class TestCLIParsing(object):
 sys.stdin = old_stdin
 
 def test_ping(self):
-self.check_command('ping', 'ping',
-version=API_VERSION)
+self.check_command('ping', 'ping')
 
 def test_user_show(self):
 self.check_command('user-show admin', 'user_show',
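Review bot: once every `version=API_VERSION` argument is dropped from the `check_command` calls, `API_VERSION` is probably no longer referenced in test_cli.py; if it was imported only for these calls, remove the import in the same patch so pyflakes/pylint stay clean. The change itself matches the commit message: the version is injected during the command call, so the parser tests should not assert on it, and the remaining hunks are the same mechanical removal.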
@@ -51,8 +50,7 @@ class TestCLIParsing(object):
 rights=False,
 no_members=False,
 raw=False,
-all=False,
-version=API_VERSION)
+all=False)
 
 def test_user_show_underscore(self):
 self.check_command('user_show admin', 'user_show',
@@ -60,8 +58,7 @@ class TestCLIParsing(object):
 rights=False,
 no_members=False,
 raw=False,
-all=False,
-version=API_VERSION)
+all=False)
 
 def test_group_add(self):
 self.check_command('group-add tgroup1 --desc=Test group',
@@ -72,8 +69,7 @@ class TestCLIParsing(object):
 external=False,
 no_members=False,
 raw=False,
-all=False,
-version=API_VERSION)
+all=False)
 
 def test_sudocmdgroup_add_member(self):
 # Test CSV splitting is not done
@@ -85,8 +81,7 @@ class TestCLIParsing(object):
 sudocmd=[u'ab,c', u'd'],
 no_members=False,
 raw=False,
-all=False,
-version=API_VERSION)
+all=False)
 
 def test_group_add_nonposix(self):
 self.check_command('group-add tgroup1 --desc=Test group --nonposix',
@@ -97,8 +92,7 @@ class TestCLIParsing(object):
 external=False,
 no_members=False,
 raw=False,
-all=False,
-version=API_VERSION)
+all=False)
 
 def test_group_add_gid(self):
 self.check_command('group-add tgroup1 --desc=Test group --gid=1234',
@@ -110,8 +104,7 @@ class TestCLIParsing(object):
 external=False,
 no_members=False,
 raw=False,
-all=False,
-version=API_VERSION)
+all=False)
 
 def test_group_add_interactive(self):
 with self.fake_stdin('Test group\n'):
@@ -121,8 +114,7 @@ class TestCLIParsing(object):
 external=False,
 no_members=False,
 raw=False,
-all=False,
-version=API_VERSION)
+all=False)
 
 def test_dnsrecord_add(self):
 self.check_command('dnsrecord-add test-example.com ns --a-rec=1.2.3.4',
@@ -133,8 +125,7 @@ class TestCLIParsing(object):
 structured=False,
 force=False,
 raw=False,
-all=False,
-version=API_VERSION)
+all=False)
 
 def test_dnsrecord_del_all(self):
 try:
@@ -151,16 +142,14 @@ class TestCLIParsing(object):
 dnszoneidnsname=u'test-example.com',
 idnsname=u'ns',
 del_all=True,
-structured=False,
-version=API_VERSION)
+structured=False)
 with self.fake_stdin('YeS\n'):
 self.check_command('dnsrecord_del test-example.com ns',
 'dnsrecord_del',
 dnszoneidnsname=u'test-example.com',
 idnsname=u'ns',
 del_all=True,
-structured=False,
-version=API_VERSION)
+structured=False)
 finally:
 self.run_command('dnszone_del', idnsname=u'test-example.com')
 
@@ -183,8 +172,7 @@ class TestCLIParsing(object):
 idnsname=u'ns',
 del_all=False,
 sshfprecord=records,
-structured=False,
-version=API_VERSION)
+structured=False)
 finally

[Freeipa-devel] [PATCH 0345] tests: realmdomains_plugin: Add explanatory comment

2015-07-21 Thread Tomas Babej
Hi,

The realmdomains_mod command will fail if the testing environment
is configured improperly and the IPA domain's NS/SOA records are
not resolvable. This can easily happen if the machine's DNS server
is not configured to the IPA server.

Leave an explanatory note in the class.

Tomas
From c5fdaf229b67e4b6f331c3e9c9f42e751853f15b Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 21 Jul 2015 14:12:31 +0200
Subject: [PATCH] tests: realmdomains_plugin: Add explanatory comment

The realmdomains_mod command will fail if the testing environment
is configured improperly and the IPA domain's NS/SOA records are
not resolvable. This can easily happen if the machine's DNS server
is not configured to the IPA server.

Leave an explanatory note in the class.
---
 ipatests/test_xmlrpc/test_realmdomains_plugin.py | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_realmdomains_plugin.py b/ipatests/test_xmlrpc/test_realmdomains_plugin.py
index fc04e2ae5948249c55048b5587faca6f480c0e39..703f77d1ea8dd12be82fc08411b2748500bfbf4f 100644
--- a/ipatests/test_xmlrpc/test_realmdomains_plugin.py
+++ b/ipatests/test_xmlrpc/test_realmdomains_plugin.py
@@ -36,6 +36,9 @@ bad_domain = u'doesnotexist.test'
 
 class test_realmdomains(Declarative):
 
+# Make sure your environment has sound DNS configuration where
+# the IPA domain has either NS or SOA record. Check your resolver
+# if getting errors with the realmdomains_mod cleanup command.
 cleanup_commands = [
 ('realmdomains_mod', [], {'associateddomain': [our_domain]}),
 ]
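Review bot: the new comment documents a precondition but leaves the failure mode as an obscure error from the `realmdomains_mod` cleanup command; consider turning it into a runtime check instead (resolve the IPA domain's NS/SOA records in the class setup and skip the class with this same message when resolution fails), so a misconfigured resolver produces a skip rather than a confusing failure. Wording nit: "has either an NS or an SOA record".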
-- 
2.1.0


[Freeipa-devel] [PATCH 0343] tests: user_plugin: Add preserved flag when --all is used

2015-07-21 Thread Tomas Babej
Hi,

this patch fixes failing tests for the user plugin where preserved
attribute is missing.

Tomas


From bb209a5679fcebfd5329f3dfd1537d8bb7802c22 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 21 Jul 2015 13:17:56 +0200
Subject: [PATCH] tests: user_plugin: Add preserved flag when --all is used

---
 ipatests/test_xmlrpc/test_user_plugin.py | 5 -
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
index 304a6d99288b1ccc72cddc45e7f4150402975972..1e226d0d8e180850adc8f6f544a18150571f71e3 100644
--- a/ipatests/test_xmlrpc/test_user_plugin.py
+++ b/ipatests/test_xmlrpc/test_user_plugin.py
@@ -300,7 +300,8 @@ class test_user(Declarative):
 objectclass=add_oc(
 objectclasses.user,
 u'ipantuserattrs'
-) + [u'ipauser']
+) + [u'ipauser'],
+preserved=False
 ),
 ],
 summary=u'1 user matched',
@@ -1162,6 +1163,7 @@ class test_user(Declarative):
 manager=[renameduser1],
 objectclass=add_oc(objectclasses.user_base,
u'ipantuserattrs'),
+preserved=False,
 omit=['mepmanagedentry'],
 ),
 value=user2,
@@ -1191,6 +1193,7 @@ class test_user(Declarative):
 memberof_group=[group1],
 objectclass=add_oc(objectclasses.user_base,
u'ipantuserattrs'),
+preserved=False,
 omit=['mepmanagedentry'],
 ),
 value=user2,
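Review bot: all three hunks only add `preserved=False` to expected results for active users; nothing in this patch exercises the `preserved=True` case (a user removed with --preserve and then shown with --all), so the new key is asserted in one state only. Consider adding an expectation for a preserved user as well so a regression in the flag's value would be caught.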
-- 
2.1.0


[Freeipa-devel] [PATCH 0344] tests: service_plugin: Make sure the cert is decoded from

2015-07-21 Thread Tomas Babej
Hi,

this patch fixes an issue in tests where the certificate was not decoded
from base64 representation.

Tomas

From 4bf69e94984d72d1f52dfb2afd65574c73838ece Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 21 Jul 2015 13:58:13 +0200
Subject: [PATCH] tests: service_plugin: Make sure the cert is decoded from
 base64

---
 ipatests/test_xmlrpc/test_service_plugin.py | 6 +-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 006c35999a2ca8540116ff62b8ee6176b2518c2f..78ba60a691a625d3fdce2ea0df0f2aef9ef3caac 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -383,7 +383,11 @@ class test_service(Declarative):
 
 dict(
 desc='Update %r with a bad certificate' % service1,
-command=('service_mod', [service1], dict(usercertificate=badservercert)),
+command=(
+'service_mod',
+[service1],
+dict(usercertificate=base64.b64decode(badservercert))
+),
 expected=errors.CertificateOperationError(
 error=u'Issuer CN=IPA Test Certificate Authority does not ' +
 u'match the expected issuer'),
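Review bot: the hunk introduces a call to `base64.b64decode(badservercert)` but the diff does not show `import base64` being added; confirm the module is already imported in test_service_plugin.py, otherwise the test module fails at import time rather than in this one test.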
-- 
2.1.0


[Freeipa-devel] [PATCH 0347] tests: vault_plugin: Skip tests if KRA not available

2015-07-21 Thread Tomas Babej
Hi,

the vault tests should be skipped in case the KRA is not available on
the machine.

Tomas
From dcfc274d400b5cd4bb2bdba6f1774952c63f9a5b Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 21 Jul 2015 15:43:35 +0200
Subject: [PATCH] tests: vault_plugin: Skip tests if KRA not available

---
 ipatests/test_xmlrpc/test_vault_plugin.py | 11 +++
 1 file changed, 11 insertions(+)

diff --git a/ipatests/test_xmlrpc/test_vault_plugin.py b/ipatests/test_xmlrpc/test_vault_plugin.py
index fe2f2f67d664e0640fdda99fd3e2f068ee61cb01..77c5154137bf440b38f4da225545c6aef5faabb6 100644
--- a/ipatests/test_xmlrpc/test_vault_plugin.py
+++ b/ipatests/test_xmlrpc/test_vault_plugin.py
@@ -21,6 +21,7 @@
 Test the `ipalib/plugins/vault.py` module.
 
 
+import nose
 from ipalib import api, errors
 from xmlrpc_test import Declarative, fuzzy_string
 
@@ -82,6 +83,16 @@ kUlCMj24a8XsShzYTWBIyW2ngvGe3pQ9PfjkUdm0LGZjYITCBvgOKw==
 
 class test_vault_plugin(Declarative):
 
+@classmethod
+def setup_class(cls):
+if not api.Backend.rpcclient.isconnected():
+api.Backend.rpcclient.connect(fallback=False)
+
+if not api.Command.kra_is_enabled()['result']:
+raise nose.SkipTest('KRA service is not enabled')
+
+super(test_vault_plugin, cls).setup_class()
+
 cleanup_commands = [
 ('vault_del', [vault_name], {'continue': True}),
 ('vault_del', [vault_name], {
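Review bot: `setup_class` calls `api.Command.kra_is_enabled()` unguarded; if that command is not available on the server the call raises instead of skipping, and the whole class then errors out rather than being skipped as intended. Consider catching the error around the call and raising `nose.SkipTest` in that case too. Also, the `rpcclient.connect(fallback=False)` happens before `super(test_vault_plugin, cls).setup_class()`; worth checking that `Declarative.setup_class` does not attempt a second connect on the already-connected backend.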
-- 
2.1.0


[Freeipa-devel] [PATCH 0349] tests: test_cert: Services can have multiple certificates

2015-07-21 Thread Tomas Babej
Hi,

Old certificates of the services are no longer removed and revoked
after new ones have been issued.

Check that both old and new certificates are present.

Tomas
From d1445c61bab5d9ee5efc4fe68d7fc8caf7758f75 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 21 Jul 2015 17:39:47 +0200
Subject: [PATCH] tests: test_cert: Services can have multiple certificates

Old certificates of the services are no longer removed and revoked
after new ones have been issued.

Check that both old and new certificates are present.
---
 ipatests/test_xmlrpc/test_cert_plugin.py | 8 
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_xmlrpc/test_cert_plugin.py b/ipatests/test_xmlrpc/test_cert_plugin.py
index c878504b2a831970ab421ef286b145d276402164..01fadfdb5a13f1f516a27c81dd7d77438a679c36 100644
--- a/ipatests/test_xmlrpc/test_cert_plugin.py
+++ b/ipatests/test_xmlrpc/test_cert_plugin.py
@@ -183,10 +183,10 @@ class test_cert(XMLRPC_test):
 global cert, newcert
 
 res = api.Command['service_show'](self.service_princ)['result']
-# It should no longer match our old cert
-assert base64.b64encode(res['usercertificate'][0]) != cert
-# And it should match the new one
-assert base64.b64encode(res['usercertificate'][0]) == newcert
+
+# Both the old and the new certs should be listed as certificates now
+certs_encoded = (base64.b64encode(cert) for cert in res['usercertificate'])
+assert set(certs_encoded) == set([cert, newcert])
 
 def test_0007_cleanup(self):
 
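Review bot: the generator expression `base64.b64encode(cert) for cert in res['usercertificate']` reuses `cert` as its loop variable while the function declares `global cert` a few lines above and then compares against that global in `set([cert, newcert])`. This only works because a generator expression's loop variable does not leak in Python 2, which is subtle and would break if someone turned it into a list comprehension; rename the loop variable (e.g. `c`) to avoid the shadowing. A set comparison also passes if the attribute holds duplicates, so asserting `len(res['usercertificate']) == 2` alongside it would make the check exact.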
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0343] tests: user_plugin: Add preserved flag when --all is used

2015-07-21 Thread Tomas Babej


On 07/21/2015 06:51 PM, Martin Basti wrote:
 On 21/07/15 18:01, Tomas Babej wrote:
 Hi,

 this patch fixes failing tests for the user plugin where preserved
 attribute is missing.

 Tomas




 ACK
 
 -- 
 Martin Basti
 

Pushed to:
master: 705603a396bff251a453aec73fc973a5d85c6d44
ipa-4-2: e59127e5c12679bf85ee494f378197912932c82b



[Freeipa-devel] [PATCH 0342] idviews: Check for the Default Trust View only if applying

2015-07-21 Thread Tomas Babej
Hi,

Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.

https://fedorahosted.org/freeipa/ticket/4969

Tomas
From 989b6b1c4b5e18af5131aa5e874f3db24f9d3c76 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 21 Jul 2015 12:44:37 +0200
Subject: [PATCH] idviews: Check for the Default Trust View only if applying
 the view

Currently, the code wrongly validates the idview-unapply command. Move
check for the forbidden application of the Default Trust View into
the correct logical branch.

https://fedorahosted.org/freeipa/ticket/4969
---
 ipalib/plugins/idviews.py | 14 --
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/ipalib/plugins/idviews.py b/ipalib/plugins/idviews.py
index 4a14162249959088ab389b99df3867f872a34030..48f646b812c424435233327e8fcfa363e17104f2 100644
--- a/ipalib/plugins/idviews.py
+++ b/ipalib/plugins/idviews.py
@@ -256,17 +256,19 @@ class baseidview_apply(LDAPQuery):
 if not options.get('clear_view', False):
 view_dn = self.api.Object['idview'].get_dn_if_exists(view)
 assert isinstance(view_dn, DN)
+
+# Check that we're not applying the Default Trust View
+if view.lower() == DEFAULT_TRUST_VIEW_NAME:
+raise errors.ValidationError(
+name=_('ID View'),
+error=_('Default Trust View cannot be applied on hosts')
+)
+
 else:
 # In case we are removing assigned view, we modify the host setting
 # the ipaAssignedIDView to None
 view_dn = None
 
-if view.lower() == DEFAULT_TRUST_VIEW_NAME:
-raise errors.ValidationError(
-name=_('ID View'),
-error=_('Default Trust View cannot be applied on hosts')
-)
-
 completed = 0
 succeeded = {'host': []}
 failed = {
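Review bot: the Default Trust View check is now correctly confined to the apply branch, but it is placed after `get_dn_if_exists(view)`, so an LDAP lookup is performed before the name is rejected; move the `DEFAULT_TRUST_VIEW_NAME` comparison ahead of the DN lookup in that branch so the ValidationError is raised without touching the directory. Minor: `view.lower() == DEFAULT_TRUST_VIEW_NAME` relies on the constant itself being lower-case, which deserves a comment or a `.lower()` on both sides.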
-- 
2.1.0


Re: [Freeipa-devel] general error message at the attempt to set domain level to 0

2015-07-20 Thread Tomas Babej


On 07/20/2015 01:32 PM, Martin Basti wrote:
 On 20/07/15 13:21, Oleg Fayans wrote:
 Hi Martin,

 [Mon Jul 20 06:41:09.540097 2015] [wsgi:error] [pid 15186] ipa: ERROR:
 non-public: ValueError: non-generic 'InvalidDomainLevelError' needs
 format=None; got format=Gettext('Domain Level cannot be lowered.',
 domain='ipa', localedir=None)
 [Mon Jul 20 06:41:09.540118 2015] [wsgi:error] [pid 15186] Traceback
 (most recent call last):
 [Mon Jul 20 06:41:09.540121 2015] [wsgi:error] [pid 15186]   File
 /usr/lib/python2.7/site-packages/ipaserver/rpcserver.py, line 347,
 in wsgi_execute
 [Mon Jul 20 06:41:09.540122 2015] [wsgi:error] [pid 15186] result =
 self.Command[name](*args, **options)
 [Mon Jul 20 06:41:09.540124 2015] [wsgi:error] [pid 15186]   File
 /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in
 __call__
 [Mon Jul 20 06:41:09.540125 2015] [wsgi:error] [pid 15186] ret =
 self.run(*args, **options)
 [Mon Jul 20 06:41:09.540127 2015] [wsgi:error] [pid 15186]   File
 /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 760, in run
 [Mon Jul 20 06:41:09.540128 2015] [wsgi:error] [pid 15186] return
 self.execute(*args, **options)
 [Mon Jul 20 06:41:09.540129 2015] [wsgi:error] [pid 15186]   File
 /usr/lib/python2.7/site-packages/ipalib/plugins/domainlevel.py, line
 123, in execute
 [Mon Jul 20 06:41:09.540131 2015] [wsgi:error] [pid 15186] raise
 errors.InvalidDomainLevelError(message)
 [Mon Jul 20 06:41:09.540132 2015] [wsgi:error] [pid 15186]   File
 /usr/lib/python2.7/site-packages/ipalib/errors.py, line 248, in
 __init__
 [Mon Jul 20 06:41:09.540133 2015] [wsgi:error] [pid 15186]
 messages.process_message_arguments(self, format, message, **kw)
 [Mon Jul 20 06:41:09.540135 2015] [wsgi:error] [pid 15186]   File
 /usr/lib/python2.7/site-packages/ipalib/messages.py, line 52, in
 process_message_arguments
 [Mon Jul 20 06:41:09.540136 2015] [wsgi:error] [pid 15186] name, format)

 Can you please file this as a bug?
 We need to fix it in 4.3
 
 Thank you.

 On 07/20/2015 01:04 PM, Martin Basti wrote:
 On 20/07/15 12:47, Oleg Fayans wrote:
 Hi everybody,

 I keep receiving the same non-specific error message during attempts
 to set domain level to 0:
 $ ipa domainlevel-set 0
 ipa: ERROR: an internal error has occurred

 This error does not get recorded in the directory server errors log.
 Real-time observations on the access log show that only the
 following lines get added:

 [20/Jul/2015:06:45:07 -0400] conn=151 op=0 BIND dn= method=sasl
 version=3 mech=GSSAPI
 [20/Jul/2015:06:45:07 -0400] conn=2 op=984 RESULT err=0 tag=101
 nentries=1 etime=0
 [20/Jul/2015:06:45:07 -0400] conn=151 op=0 RESULT err=14 tag=97
 nentries=0 etime=0, SASL bind in progress
 [20/Jul/2015:06:45:08 -0400] conn=151 op=1 BIND dn= method=sasl
 version=3 mech=GSSAPI
 [20/Jul/2015:06:45:08 -0400] conn=151 op=2 BIND dn= method=sasl
 version=3 mech=GSSAPI
 [20/Jul/2015:06:45:08 -0400] conn=151 op=3 SRCH
 base=cn=ipaconfig,cn=etc,dc=pesen,dc=net scope=0
 filter=(objectClass=*) attrs=ALL
 [20/Jul/2015:06:45:08 -0400] conn=151 op=2 RESULT err=0 tag=97
 nentries=0 etime=0 dn=uid=admin,cn=users,cn=accounts,dc=pesen,dc=net
 [20/Jul/2015:06:45:08 -0400] conn=151 op=3 RESULT err=0 tag=101
 nentries=1 etime=0
 [20/Jul/2015:06:45:08 -0400] conn=151 op=4 SRCH base=cn=Domain
 Level,cn=ipa,cn=etc,dc=pesen,dc=net scope=0
 filter=(objectClass=*) attrs=ALL
 [20/Jul/2015:06:45:08 -0400] conn=151 op=4 RESULT err=0 tag=101
 nentries=1 etime=0
 [20/Jul/2015:06:45:08 -0400] conn=151 op=1 RESULT err=14 tag=97
 nentries=0 etime=0, SASL bind in progress
 [20/Jul/2015:06:45:08 -0400] conn=151 op=5 UNBIND
 [20/Jul/2015:06:45:08 -0400] conn=151 op=5 fd=102 closed - U1

 According to Ludwig, decreasing of the domain level is not
 supported, so we should provide some meaningful error message in
 this case

 P. S.
 $ rpm -q freeipa-server
 freeipa-server-4.2.90.201507171036GITf1f3ef4-0.fc22.x86_64
 The packages were built on Friday from the upstream master.

 Can you paste apache error log here please?


 
 

This is just an incorrect initialization of the InvalidDomainLevelError.

Pushed to master: 37b1af9a7cea72f41ac468ab80259f39b0a7b3db
From 711f4cc96215e9aeb9b5896ce70f71e64e422a6c Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Mon, 20 Jul 2015 13:49:41 +0200
Subject: [PATCH] domainlevel: Fix incorrect initializations of
 InvalidDomainLevelError exceptions

---
 ipalib/plugins/domainlevel.py | 4 ++--
 ipalib/plugins/topology.py| 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ipalib/plugins/domainlevel.py b/ipalib/plugins/domainlevel.py
index 64e383006722fb2f32f5300d627b18b6daf051d4..838a518e7727ede34958add47c0c24845d6e3f07 100644
--- a/ipalib/plugins/domainlevel.py
+++ b/ipalib/plugins/domainlevel.py
@@ -120,7 +120,7 @@ class domainlevel_set(Command):
 # Domain level cannot be lowered
 if int(desired_value)  int(current_value):
 message = _(Domain Level cannot be lowered

Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package

2015-07-17 Thread Tomas Babej


On 07/17/2015 05:46 AM, Jan Cholasta wrote:
 Dne 16.7.2015 v 16:50 Alexander Bokovoy napsal(a):
 On Thu, 16 Jul 2015, Petr Spacek wrote:
 Third version of the patch is attached, please view.

 Behavior:
 - freeipa-server package continues to exist and does not include DNS
 dependencies
 - freeipa-server-dns package is new and requires all DNS dependencies
 - install freeipa-server will not pull DNS dependencies
 - upgrade from freeipa-server  4.2.0 will pull freeipa-server-dns
 package

 It turns out that nobody noticed missing Obsoletes in freeipa-server
 package.

 Please review.
 I like this. Looks clean and does keep previous behavior. I think we can
 live with upgrade pulling freeipa-server-dns even in the environments
 where DNS wasn't really used.


 Note: Condition Obsoletes: %{name}-server  4.2.0
 should be amended per-distro/per-repo so it contains latest version
 number
 which was available in form of RPM packages for that distro/repo (COPR).

 May be just add the comment above into commit message? This and we'll
 need to add an entry into RPM changelog in the actual Fedora package
 that upgrade from pre-4.2.0 will pull freeipa-server-dns even if
 integrated DNS server is not used and recommend people to remove the
 package if they are not interested.

 ACK.
 
 +1
 

 From c8486993b0b624ab7aa7b118e8ee7e420dd97891 Mon Sep 17 00:00:00 2001
 From: Petr Spacek pspa...@redhat.com
 Date: Thu, 16 Jul 2015 15:09:45 +0200
 Subject: [PATCH] Create server-dns sub-package.

 This allows us to automatically pull in package bind-pkcs11
 and thus create an upgrade path for CentOS 7.1 - 7.2.

 IPA previously had no requires on BIND packages and these had to be
 installed manually before first ipa-dns-install run.
 We need to pull additional bind-pkcs11 package during RPM upgrade
 so ipa-dns-install cannot help with this.

 https://fedorahosted.org/freeipa/ticket/4058
 ---
 freeipa.spec.in | 51 +++
 1 file changed, 35 insertions(+), 16 deletions(-)

 diff --git a/freeipa.spec.in b/freeipa.spec.in
 index
 fabfaee619d4cf0203b2f87d7fe804c2e72026f3..60c28fd5d8b4c14f5fd583735db469a65cdb5331

 100644
 --- a/freeipa.spec.in
 +++ b/freeipa.spec.in
 @@ -165,25 +165,13 @@ Requires: %{etc_systemd_dir}

 Conflicts: %{alt_name}-server
 Obsoletes: %{alt_name}-server  %{version}
 +# upgrade path from monolithic -server to -server + -server-dns
 +Obsoletes: %{name}-server  4.2.0
 
 Nitpick: I'd like to keep this visually separate from the alt_name
 business, please move it below the Obsoletes: freeipa-server-selinux 
 3.3.0 line and separate them with an empty line.
 

 # With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
 # entire SELinux policy is stored in the system policy
 Obsoletes: freeipa-server-selinux  3.3.0

 -# We have a soft-requires on bind. It is an optional part of
 -# IPA but if it is configured we need a way to require versions
 -# that work for us.
 -Conflicts: bind-dyndb-ldap  6.0-4
 -%if 0%{?fedora} = 21
 -Conflicts: bind  9.9.6-3
 -Conflicts: bind-utils  9.9.6-3
 -%else
 -Conflicts: bind  9.9.4-21
 -Conflicts: bind-utils  9.9.4-21
 -%endif
 -# DNSSEC
 -Conflicts: opendnssec  1.4.6-4
 -
 # Versions of nss-pam-ldapd  0.8.4 require a mapping from
 uniqueMember to
 # member.
 Conflicts: nss-pam-ldapd  0.8.4
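Review bot: the new `Obsoletes: %{name}-server  4.2.0` hard-codes a version that, per Petr's note in this thread, has to be amended per distro/repo to the last version actually shipped as RPM; put that caveat into the inline comment itself rather than only the list discussion, so whoever bumps the spec next knows why the value is there and that it must track the repo. Separately, the comparison operators (`<`) appear to have been stripped from this quoted copy of the hunk (note the double spaces before the versions), so verify the operator direction against the attached patch rather than this rendering.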
 @@ -197,6 +185,35 @@ to install this package (in other words, most
 people should NOT install
 this package).


 +%package server-dns
 +Summary: IPA integrated DNS server with support for automatic DNSSEC
 signing
 +Group: System Environment/Base
 +Requires: %{name}-server = %{version}-%{release}
 +Requires: bind-dyndb-ldap = 6.0-4
 +%if 0%{?fedora} = 21
 +Requires: bind = 9.9.6-3
 +Requires: bind-utils = 9.9.6-3
 +Requires: bind-pkcs11 = 9.9.6-3
 +Requires: bind-pkcs11-utils = 9.9.6-3
 +%else
 +Requires: bind = 9.9.4-21
 +Requires: bind-utils = 9.9.4-21
 +Requires: bind-pkcs11 = 9.9.4-21
 +Requires: bind-pkcs11-utils = 9.9.4-21
 +%endif
 +Requires: opendnssec = 1.4.6-4
 +
 +Conflicts: %{alt_name}-server-dns
 +Obsoletes: %{alt_name}-server-dns  %{version}
 +
 +# upgrade path from monolithic -server to -server + -server-dns
 +Obsoletes: %{name}-server  4.2.0
 +
 +%description server-dns
 +IPA integrated DNS server with support for automatic DNSSEC signing.
 +Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
 +
 +
 %package server-trust-ad
 Summary: Virtual package to install packages required for Active
 Directory trusts
 Group: System Environment/Base
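Review bot: `server-dns` carries the same `Obsoletes: %{name}-server  4.2.0` as the `server` package in the previous hunk; that is what makes an upgrade from a pre-4.2.0 monolithic package pull both in, as the commit message says, but it also means there is no upgrade path that leaves DNS out, which is exactly what Alexander asks to be called out in the Fedora changelog. The two `%if 0%{?fedora} = 21` branches also repeat four versioned `Requires` each; a single macro for the bind version would keep the bind, bind-utils, bind-pkcs11 and bind-pkcs11-utils pins from drifting apart.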
 @@ -683,7 +700,6 @@ fi
 %{_sbindir}/ipa-backup
 %{_sbindir}/ipa-restore
 %{_sbindir}/ipa-ca-install
 -%{_sbindir}/ipa-dns-install
 %{_sbindir}/ipa-kra-install
 %{_sbindir}/ipa-server-install
 %{_sbindir}/ipa-replica-conncheck
 @@ -857,7 +873,6 @@ fi
 %{_mandir}/man1/ipa-server-certinstall.1.gz
 %{_mandir}/man1/ipa-server-install.1.gz
 %{_mandir}/man1/ipa-server-upgrade.1.gz
 -%{_mandir}/man1/ipa-dns-install.1.gz
 %{_mandir}/man1/ipa-ca-install.1.gz
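Review bot: these two hunks remove `ipa-dns-install` and its man page from the `server` file list, but no `%files server-dns` section appears anywhere in the quoted patch; confirm both entries are added to a `%files server-dns` list, otherwise the build fails on unpackaged files (or, if they are intentionally dropped, the commit message should say so).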
 

Re: [Freeipa-devel] [PATCH] 904 do not import memcache on client

2015-07-16 Thread Tomas Babej


On 07/16/2015 10:25 AM, Petr Vobornik wrote:
 Fixes regression caused by cd3ca94ff2ef738cb3a9eae502193413058f976d.
 
 Which caused:
 * client installation failure (missing memcache)
 * invalid warning in CLI on server
 
 https://fedorahosted.org/freeipa/ticket/5133
 
 

Thanks for fixing this one!

ACK.


Pushed to:
master: 9d69ad24282d19575295f1b2dd756ad9dd865c63
ipa-4-2: 6275d94df30c0c17d2317ad0fba3b28d433efa06

Tomas



Re: [Freeipa-devel] [PATCH] 0191 Add SELinux boolean for oddjobd-activated services

2015-07-16 Thread Tomas Babej


On 07/14/2015 01:31 PM, Alexander Bokovoy wrote:
 Hi!
 
 An SELinux policy we need for one-way trust is now in Fedora
 updates-testing repository.
 Attached patch adds support for 'httpd_run_ipa' SELinux boolean.
 
 Below is how one-way trust is using the communication with oddjobd (it
 is a slightly fixed copy of the description of bug
 https://bugzilla.redhat.com/show_bug.cgi?id=1238165 for SELinux policy):
 
 ---
 In FreeIPA 4.2 we added support to establish one-way trust to Active
 Directory. As a consequence of this, we need to change how certain
 operations against AD LDAP are performed. Right now we are using a
 feature of bi-directional cross-realm Kerberos trust: we authenticate as
 HTTP/ipa.master@IPA.REALM from within Apache process and then talk to
 ldap/ad.dc@AD.REALM or to cifs/ad.dc@AD.REALM services in AD.
 
 With one-way trust we cannot use this approach anymore because there is
 no cross-realm Kerberos trust from IPA to AD, only the other way around.
 Instead, there is an object in AD LDAP which represents IPA and we have
 to authenticate as this object.
 
 Access to this object is highly regulated (by us) because possession of
 the trust domain object (TDO) credentials impersonates whole trust link.
 Thus, we want to avoid authenticating as TDO within Apache process.
 
 To achieve this I've implemented a scheme similar to oddjob-mkhomedir,
 by providing a helper script which is executed by oddjobd on request
 from Apache:
 
 Apache process sends DBus request to oddjobd daemon. Oddjobd daemon
 executes an IPA helper. IPA helper accesses /etc/samba/samba.keytab and
 authenticates as cifs/ipa.master@IPA.REALM. It then fetches TDO
 credentials from IPA LDAP and authenticates with them to AD DC. Once
 operation is performed, it connects again to IPA LDAP and updates it.
 
 Now, there are several moving parts here:
 
 1. /etc/samba/samba.keytab is root:root, 0600,
 unconfined_u:object_r:samba_etc_t:s0
It is created by /usr/sbin/ipa-adtrust-install
 
 2. /var/lib/sss/keytabs/ad.test.keytab is sssd:sssd, 0600,
 unconfined_u:object_r:sssd_var_lib_t:s0
It can be created by IPA helper or by SSSD, whoever runs into need
of the keytab first. The name is dependent on the AD forest root
name (ad.test in my case).
 
 3. /usr/libexec/ipa/com.redhat.idm.trust-fetch-domains is root:root, 0755,
system_u:object_r:ipa_helper_exec_t:s0 label.
It is the IPA helper oddjobd daemon will be calling in response to
 Apache request.
The helper is written in Python.
 
 4. /var/run/ipa/krb5cc_oddjob_trusts{,_fetch} -- credential caches used
 by the helper.
They are root:root, 0600, system_u:object_r:ipa_var_run_t:s0 label.
 
 5. oddjobd daemon runs under system_u:system_r:oddjob_t:s0-s0:c0.c1023
 context.
 -
 
 
 
 

ACK.

Pushed to:
master: 706c00361544a8255c4c05b253e5e9969187a68c
ipa-4-2: 5b9ea329cef4d976694794f1b1b91714f6ac07c2



[Freeipa-devel] [PATCH 0340] dcerpc: Expand explanation for WERR_ACCESS_DENIED

2015-07-16 Thread Tomas Babej
Hi,

It's possible for AD to contact a wrong IPA server in case the DNS
SRV records on the AD sides are not properly configured.

Mention this case in the error message as well.

https://fedorahosted.org/freeipa/ticket/5013
From fee75ea269d70ca700a83037a1db9b07ea6e49bf Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 15 Jul 2015 15:38:50 +0200
Subject: [PATCH] dcerpc: Expand explanation for WERR_ACCESS_DENIED

It's possible for AD to contact a wrong IPA server in case the DNS
SRV records on the AD sides are not properly configured.

Mention this case in the error message as well.

https://fedorahosted.org/freeipa/ticket/5013
---
 ipaserver/dcerpc.py | 36 +---
 1 file changed, 29 insertions(+), 7 deletions(-)

diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index 4de5afb540e880e8948749c2cfa9a019eb807c47..b7fa57fd00b277d404d42499db9bbb01c1851f08 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -1090,22 +1090,44 @@ class TrustDomainInstance(object):
 result = retrieve_netlogon_info_2(None, self,
   netlogon.NETLOGON_CONTROL_TC_VERIFY,
   another_domain.info['dns_domain'])
-if (result and (result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED)):
-if (result.pdc_connection_status[0] != 0) and (result.tc_connection_status[0] != 0):
+
+if result and result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED:
+if result.pdc_connection_status[0] != 0 and result.tc_connection_status[0] != 0:
 if result.pdc_connection_status[1] == WERR_ACCESS_DENIED:
 # Most likely AD DC hit another IPA replica which yet has no trust secret replicated
+
 # Sleep and repeat again
 self.validation_attempts += 1
 if self.validation_attempts  10:
 sleep(5)
 return self.verify_trust(another_domain)
-raise errors.ACIError(
-info=_('IPA master denied trust validation requests from AD DC '
-   '%(count)d times. Most likely AD DC contacted a replica '
-   'that has no trust information replicated yet.')
-   % dict(count=self.validation_attempts))
+
+# If we get here, we already failed 10 times
+srv_record_templates = (
+'_ldap._tcp.%s',
+'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.%s'
+)
+
+srv_records = ', '.join(
+[srv_record % api.env.domain
+ for srv_record in srv_record_templates]
+)
+
+error_message = _(
+'IPA master denied trust validation requests from AD '
+'DC %(count)d times. Most likely AD DC contacted a '
+'replica that has no trust information replicated '
+'yet. Additionally, please check that AD DNS is able '
+'to resolve %(records)s SRV records to the correct '
+'IPA server.') % dict(count=self.validation_attempts,
+  records=srv_records)
+
+raise errors.ACIError(info=error_message)
+
 raise assess_dcerpc_exception(*result.pdc_connection_status)
+
 return True
+
 return False
 
 
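Review bot: `if result and result.flags and netlogon.NETLOGON_VERIFY_STATUS_RETURNED:` uses boolean `and` where a bitmask test is intended; `flags and CONSTANT` is true whenever both values are non-zero, so the branch is entered regardless of whether the STATUS_RETURNED bit is actually set. Since the patch already rewrites this line, change it to `result.flags & netlogon.NETLOGON_VERIFY_STATUS_RETURNED`. Two smaller points: the new error text uses `api.env.domain`, so confirm `api` is imported in dcerpc.py; and `self.validation_attempts` is incremented on every retry but never reset, so a second `verify_trust` on the same instance starts already at the limit and raises immediately.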
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation

2015-07-16 Thread Tomas Babej


On 07/16/2015 12:51 PM, Christian Heimes wrote:
 Hi,
 
 the patch fixes the SELinux denial for kdcproxy's home directory. I have
 successfully tested a migration from FreeIPA 4.1. The user, group and
 home directory are successfully created with the correct permissions.
 
 https://fedorahosted.org/freeipa/ticket/5135
 
 Christian
 
 
 

This appears to be an incorrect patch :)

Tomas



Re: [Freeipa-devel] 4.3 Branch?

2015-07-16 Thread Tomas Babej


On 07/16/2015 01:13 PM, Petr Vobornik wrote:
 On 07/14/2015 03:23 PM, Nathaniel McCallum wrote:
 4.3 is going to be a very narrow feature release. Should we branch
 4.3 early so that we can still land new features on master during
 4.3?

 
 I did not like it at first but we should do it.

We will have some little maintenance burden, as we will need to push to
two branches concurrently.

However, I find rebasing patches that do not apply cleanly painful..
when we release 4.3 and decide to land ~50-100 patches of fixes that
didn't belong there, it might turn out to be a huge pain.

I'd much rather go with the separate branch approach, as Nathaniel suggests.

Tomas



Re: [Freeipa-devel] [PATCH] 0192 oddjob: avoid chown keytab to sssd if sssd user does not exist

2015-07-16 Thread Tomas Babej


On 07/16/2015 01:19 PM, Alexander Bokovoy wrote:
 Hi,
 
 a simple optimisation to allow FreeIPA 4.2 to work with SSSD 1.13
 running as root instead of sssd user. Details in the commit message.
 
 This also fixes a simple exception in current Fedora 22 +
 mkosek/freeipa-4.2 repo because user 'sssd' does not exist.
 
 Fixes ticket  https://fedorahosted.org/freeipa/ticket/5136
 
 
 

ACK!

Pushed to:
master: c6a1bd591e81cd82c0715c01bcc82f2947adf3bb
ipa-4-2: d7f91dce493efc4e505ea758b073040716249561

Tomas



Re: [Freeipa-devel] [PATCH 012] Fix selinux denial during kdcproxy user creation

2015-07-16 Thread Tomas Babej


On 07/16/2015 01:35 PM, Christian Heimes wrote:
 On 2015-07-16 12:51, Christian Heimes wrote:
 Hi,

 the patch fixes the SELinux denial for kdcproxy's home directory. I have
 successfully tested a migration from FreeIPA 4.1. The user, group and
 home directory are successfully created with the correct permissions.

 https://fedorahosted.org/freeipa/ticket/5135
 
 I accidentally pushed the spec file fix for PKI. Here is the correct
 patch for FreeIPA.
 
 
 

ACK! Thanks for fixing this issue, actually it was haunting me for some
time as I was unable to pinpoint the issue.

Pushed to:
master: 0700d340c7c88c295a62dd5d1a7d6866650d9de3
ipa-4-2: 9c3368a3eb091acab10b65ff3fc33d41d0d4c556

Tomas



Re: [Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains

2015-07-15 Thread Tomas Babej


On 07/15/2015 02:31 PM, Alexander Bokovoy wrote:
 On Wed, 15 Jul 2015, Tomas Babej wrote:
 Hi,

 Check for the presence of the forest root DNS domain of the AD realm
 among the IPA realm domains prior to establishing the trust.

 This prevents creation of a failing setup, as trusts would not work
 properly in this case.

 https://fedorahosted.org/freeipa/ticket/4799
 LGTM.
 
 The only comment I have is for the error message text. Would it make
 sense to point to 'ipa realmdomains-mod --del-domain' command?
 
 

Sure, why not.

I actually abstained from generating the whole command (including the AD
domain argument), as I believe it's better the users are discouraged
from blindly copying commands around.

Updated patch attached.

Tomas
From 345abc73709bb20f2bb6f57b9109be86463fc8d2 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 15 Jul 2015 14:22:48 +0200
Subject: [PATCH] trusts: Check for AD root domain among our trusted domains

Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799
---
 ipalib/plugins/trust.py | 21 -
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 196df5926e7965dc1f0165f301bd5ac11528d1cd..6232e4fe9d3d5e957d22a3557cdcf4bb12cec0ea 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -640,6 +640,8 @@ sides.
self.params['realm_passwd'].label, confirm=False)
 
 def validate_options(self, *keys, **options):
+trusted_realm_domain = keys[-1]
+
 if not _bindings_installed:
 raise errors.NotFound(
 name=_('AD Trust setup'),
@@ -692,6 +694,23 @@ sides.
 )
 )
 
+# Obtain a list of IPA realm domains
+result = self.api.Command.realmdomains_show()['result']
+realm_domains = result['associateddomain']
+
+# Do not allow the AD's trusted realm domain in the list
+# of our realm domains
+if trusted_realm_domain.lower() in realm_domains:
+raise errors.ValidationError(
+name=_('AD Trust setup'),
+error=_(
+'Trusted domain %(domain)s is included among '
+'IPA realm domains. It needs to be removed '
+'prior to establishing the trust. See the '
+'ipa realmdomains-mod --del-domain command.'
+) % dict(domain=trusted_realm_domain)
+)
+
 self.realm_server = options.get('realm_server')
 self.realm_admin = options.get('realm_admin')
 self.realm_passwd = options.get('realm_passwd')
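Review bot: the membership test `if trusted_realm_domain.lower() in realm_domains:` lower-cases only one side, so a realm domain stored with mixed case in `associateddomain` would slip past the check even though DNS names are case-insensitive. Normalise both sides before comparing, e.g. `realm_domains = {d.lower() for d in result['associateddomain']}`, so the validation cannot be bypassed by capitalisation alone.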
@@ -702,7 +721,7 @@ sides.
 if len(names)  1:
 # realm admin name is in UPN format, user@realm, check that
 # realm is the same as the one that we are attempting to trust
-if keys[-1].lower() != names[-1].lower():
+if trusted_realm_domain.lower() != names[-1].lower():
 raise errors.ValidationError(
 name=_('AD Trust setup'),
 error=_(
-- 
2.1.0


[Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains

2015-07-15 Thread Tomas Babej
Hi,

 Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799

Tomas
From 03dabf99d538747051f1c898e6a58162425e7b28 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 15 Jul 2015 14:22:48 +0200
Subject: [PATCH] trusts: Check for AD root domain among our trusted domains

Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799
---
 ipalib/plugins/trust.py | 20 +++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 196df5926e7965dc1f0165f301bd5ac11528d1cd..f28f2fdca9ef31b5b143f988616a75b25cc60016 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -640,6 +640,8 @@ sides.
self.params['realm_passwd'].label, confirm=False)
 
 def validate_options(self, *keys, **options):
+trusted_realm_domain = keys[-1]
+
 if not _bindings_installed:
 raise errors.NotFound(
 name=_('AD Trust setup'),
@@ -692,6 +694,22 @@ sides.
 )
 )
 
+# Obtain a list of IPA realm domains
+result = self.api.Command.realmdomains_show()['result']
+realm_domains = result['associateddomain']
+
+# Do not allow the AD's trusted realm domain in the list
+# of our realm domains
+if trusted_realm_domain.lower() in realm_domains:
+raise errors.ValidationError(
+name=_('AD Trust setup'),
+error=_(
+'Trusted domain %(domain)s is included among '
+'IPA realm domains. It needs to be removed '
+'prior to establishing the trust.'
+) % dict(domain=trusted_realm_domain)
+)
+
 self.realm_server = options.get('realm_server')
 self.realm_admin = options.get('realm_admin')
 self.realm_passwd = options.get('realm_passwd')
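Review bot: the ValidationError text tells the admin that the domain "needs to be removed" but not how; naming the `ipa realmdomains-mod --del-domain` command in the message would save a trip to the documentation, and the `%(domain)s` substitution already gives them the value to pass to it.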
@@ -702,7 +720,7 @@ sides.
 if len(names)  1:
 # realm admin name is in UPN format, user@realm, check that
 # realm is the same as the one that we are attempting to trust
-if keys[-1].lower() != names[-1].lower():
+if trusted_realm_domain.lower() != names[-1].lower():
 raise errors.ValidationError(
 name=_('AD Trust setup'),
 error=_(
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 011] [py3] Replace file() with open()

2015-07-14 Thread Tomas Babej


On 07/14/2015 01:29 PM, Christian Heimes wrote:
 On 2015-07-14 13:24, Christian Heimes wrote:
 The patch replaces file() with open() and a proper with statement.

 The patch is related to https://fedorahosted.org/freeipa/ticket/5127

 Christian
 
 The first patch has a typo.
 
 Note to self: save file first, then commit
 
 Christian
 
 
 

ACK.

Pushed to master: 18d417e981045830f5dd359cf912caf3b0b9e6d3



Re: [Freeipa-devel] [PATCH 007-010] Remove tuple unpacking from except clause

2015-07-14 Thread Tomas Babej


On 07/14/2015 12:45 PM, Alexander Bokovoy wrote:
 On Tue, 14 Jul 2015, Christian Heimes wrote:
 On 2015-07-13 16:29, Alexander Bokovoy wrote:
 I will pushmark the commit there.
 Please do not push this specific version of the patch yet. Christian
 will do the changes with four separate commits as discussed on the IRC,
 to avoid future problems with maintenance and backports.

 Alex,

 please have a look at the patches. I have split the patch into four
 files, one for every file. Is that right?
 Yes, perfect!
 
 ACK for all four patches.
 

Pushed to master: 35e219f996b933c8f9a5e5624bbffd6174f4c55c



Re: [Freeipa-devel] [PATCH 007] Remove tuple unpacking from except clause

2015-07-13 Thread Tomas Babej


On 07/13/2015 02:59 PM, Rob Crittenden wrote:
 Christian Heimes wrote:
 The patch replaces implicit tuple unpacking from except clauses with
 explicit unpacking of the exception objects' args attribute.

 Example:

 e = RuntimeError('num', 'messages')
 num, message = e
 num, message
 ('num', 'messages')
 e.args
 ('num', 'messages')
 num, message = e.args
 num, message
 ('num', 'messages')

 
 Not related to this patch directly but I think it would be a good idea
 to create a Python 3 tracking ticket to make it easy to find python
 3-specific changes.
 
 Then create tickets to fix particular issues and link those with the
 tracking ticket.
 
 rob
 

ACK

Otherwise, I agree with Rob. Can you create an umbrella ticket?

I will pushmark the commit there.

Tomas



Re: [Freeipa-devel] [PATCH] 0001 Enhance the DNSNotARecordError message

2015-07-10 Thread Tomas Babej


On 07/09/2015 01:49 PM, Veronika Kabatova wrote:
 The attached patch solves the https://fedorahosted.org/freeipa/ticket/3959 
 ticket.
 
 Veronika Kabatova
 
 
 

Hello,

thanks for the patch.

Actually, the doctest does not pass:

$ ipa-run-tests /usr/lib/python2.7/site-packages/ipalib/errors.py
--doctest-modules
=
test session starts
=
platform linux2 -- Python 2.7.10 -- py-1.4.28 -- pytest-2.6.4
plugins: multihost, sourceorder
collected 85 items

../ipalib/errors.py
...F..F..

==
FAILURES
===
_
[doctest] ipalib.errors.DNSNotARecordError
__
1137 
1138 **4019** Raised when a hostname is not a DNS A/ record
1139
1140 For example:
1141
1142  raise DNSNotARecordError()
Differences (unified diff with -expected +actual):
@@ -1,4 +1,6 @@
 Traceback (most recent call last):
-  ...
-DNSNotARecordError: Host does not have corresponding DNS A/ record,
-use --force to continue anyway
+  File /usr/lib64/python2.7/doctest.py, line 1315, in __run
+compileflags, 1) in test.globs
+  File doctest ipalib.errors.DNSNotARecordError[0], line 1, in
module
+raise DNSNotARecordError()
+DNSNotARecordError: Host does not have corresponding DNS A/
record, use --force to continue anyway

/usr/lib/python2.7/site-packages/ipalib/errors.py:1142: DocTestFailure

The reason for the mismatch here is that you wrapped the line. In this
case, we need to violate PEP8 and allow the length of the line to
exceed 80 characters.

HTH,

Tomas
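The mismatch described above, reproduced as an added example (not code from the FreeIPA thread): a stand-in `DNSNotARecordError` whose message text is constructed to mirror the one in the thread, the wrapped and unwrapped expected output, and a small runner that reports how doctest judges each; it also shows `NORMALIZE_WHITESPACE` as the option that makes the wrapped form pass.

```python
"""Why a wrapped expected line fails a doctest (added example, not FreeIPA code)."""
import doctest


class DNSNotARecordError(Exception):
    """Stand-in for ipalib.errors.DNSNotARecordError (constructed here)."""

    def __init__(self):
        super().__init__(
            "Host does not have corresponding DNS A/AAAA record, "
            "use --force to continue anyway"
        )


# Print the traceback line as "DNSNotARecordError: ..." without a module
# prefix, matching what the thread's Python 2 run shows and what the
# docstring below expects.
DNSNotARecordError.__module__ = "__main__"

# Expected output wrapped at 80 columns, as in the rejected patch.
WRAPPED = """
>>> raise DNSNotARecordError()
Traceback (most recent call last):
  ...
DNSNotARecordError: Host does not have corresponding DNS A/AAAA record,
use --force to continue anyway
"""

# The same expectation kept on one line, longer than PEP8 allows.
UNWRAPPED = """
>>> raise DNSNotARecordError()
Traceback (most recent call last):
  ...
DNSNotARecordError: Host does not have corresponding DNS A/AAAA record, use --force to continue anyway
"""


def run_doctest(docstring, normalize_whitespace=False):
    """Run one docstring's examples and return (failed, attempted).

    doctest compares the expected exception text with the text the
    interpreter produced character for character, so a line break inside
    the docstring is a real difference unless NORMALIZE_WHITESPACE is set.
    """
    flags = doctest.NORMALIZE_WHITESPACE if normalize_whitespace else 0
    parser = doctest.DocTestParser()
    test = parser.get_doctest(
        docstring, {"DNSNotARecordError": DNSNotARecordError},
        "dns_a_record", None, 0,
    )
    runner = doctest.DocTestRunner(optionflags=flags, verbose=False)
    result = runner.run(test, out=lambda _text: None)  # silence the report
    return result.failed, result.attempted


if __name__ == "__main__":
    print("wrapped:", run_doctest(WRAPPED))                       # (1, 1)
    print("unwrapped:", run_doctest(UNWRAPPED))                   # (0, 1)
    print("wrapped + NORMALIZE_WHITESPACE:",
          run_doctest(WRAPPED, normalize_whitespace=True))        # (0, 1)
```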



Re: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features

2015-07-10 Thread Tomas Babej


On 07/10/2015 03:07 PM, Simo Sorce wrote:
 On Wed, 2015-07-08 at 00:09 +0200, Tomas Babej wrote:

 On 07/07/2015 07:16 PM, Martin Basti wrote:
 On 07/07/15 10:33, Tomas Babej wrote:
 Hi,

 * Hide topology and domainlevel commands in the CLI
 * Hide topology and domainlevel in the WebUI
 * Set maximum allowed domain level to 0
 * Do not configure and enable the topology plugin

 https://fedorahosted.org/freeipa/ticket/5097


 ACK

 -- 
 Martin Basti


 Pushed to master: 62e8002bc43ddd890c3db35a123cb7daf35e3121

 
 Can we revert the Max Domain Level change in master ?
 It should have been changed only in the 4.2 branch!
 
 Simo.
 

This was pushed prior to the branching of the ipa-4-2 branch.

I will prepare a patch.

Tomas



Re: [Freeipa-devel] [patch 0006] ipalib: pass api instance into textui in doctest snippets

2015-07-10 Thread Tomas Babej


On 07/10/2015 02:15 PM, Milan Kubik wrote:
 On 07/10/2015 01:57 PM, Milan Kubik wrote:
 Hi,

 the recent set of patches that modified api broke the tests that are
 included in ipalib/cli.py

 This patch fixes the problems by passing api instance to textui() calls.

 Milan


 This may not be the complete solution. Similar problems arise in the
 rest of the tests in ipalib modules.
 I guess the code examples (doctest test cases) are all affected by the
 changes to the api object.
 
 

ACK for this patch.

Pushed to:
master: 61f41df9493acfbfd1cda017b40cf6786afd8815
ipa-4-2: c210b3d2843326e5bc934d397831d4d128c1b603

As far as the other modules go, I see most failures in the frontend:

../ipalib/__init__.py F
../ipalib/base.py .
../ipalib/cli.py 
../ipalib/config.py .
../ipalib/crud.py F
../ipalib/errors.py
.
../ipalib/frontend.py .FFF
../ipalib/messages.py .
../ipalib/output.py .
../ipalib/parameters.py ...
../ipalib/text.py ..



[Freeipa-devel] [PATCH 0337] ipalib: Fix missing format for InvalidDomainLevelError

2015-07-10 Thread Tomas Babej
Hi,

this patch fixes missing format for the InvalidDomainLevelError exception.

Pushed to, under oneliner rule:
master: 8a4e79c9e6ebb92e5bcc3c53e3f0073c10333227
ipa-4-2: fe69b2cbe48c9874ac0ee1d34cce1cdb244abadc

Tomas
From 6d099e3a24c530f894d94b118e20baa1424e7f9c Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Fri, 10 Jul 2015 14:59:21 +0200
Subject: [PATCH] ipalib: Fix missing format for InvalidDomainLevelError

---
 ipalib/errors.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipalib/errors.py b/ipalib/errors.py
index d874e68829e1a5491dec402d5976c3adfa556e84..74a29f40472ab19352b668e791e76a7d58ce74e6 100644
--- a/ipalib/errors.py
+++ b/ipalib/errors.py
@@ -1361,6 +1361,7 @@ class InvalidDomainLevelError(ExecutionError):
 
 
 errno = 4032
+format = _('%(reason)s')
 
 class BuiltinError(ExecutionError):
 
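Review bot: with `format = _('%(reason)s')` the message is built from a `reason` keyword, so every existing `raise InvalidDomainLevelError(...)` site must pass `reason=...` rather than a positional message, or formatting fails with a KeyError at the moment the error is raised; worth grepping the call sites before pushing under the one-liner rule.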
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0338] Revert Hide topology and domainlevel features

2015-07-10 Thread Tomas Babej


On 07/10/2015 03:25 PM, Simo Sorce wrote:
 On Fri, 2015-07-10 at 15:18 +0200, Tomas Babej wrote:
 Hi,

 This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121.

 Hiding of the topology and domainlevel features was necessary
 for the 4.2 branch only.

 Tomas
 
 ACK
 
 Simo,
 

Pushed to master: 510642196184e588b3014db1d1fdd7bc4aa2f5dd



[Freeipa-devel] [PATCH 0338] Revert Hide topology and domainlevel features

2015-07-10 Thread Tomas Babej
Hi,

This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121.

Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.

Tomas
From 89e55240b3e3820b42e85b63cd1849816690321a Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Fri, 10 Jul 2015 15:16:31 +0200
Subject: [PATCH] Revert Hide topology and domainlevel features

This reverts commit 62e8002bc43ddd890c3db35a123cb7daf35e3121.

Hiding of the topology and domainlevel features was necessary
for the 4.2 branch only.
---
 install/ui/src/freeipa/app.js  |  3 +--
 install/ui/src/freeipa/navigation/menu_spec.js |  4 ++--
 ipalib/constants.py|  2 +-
 ipalib/plugins/domainlevel.py  |  2 --
 ipalib/plugins/topology.py | 11 ---
 ipaserver/install/dsinstance.py|  3 +--
 6 files changed, 5 insertions(+), 20 deletions(-)

diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js
index 1057120c02c000e5c21ad62c1517ccb59115f0cc..daf17b7ba021d3db8288f2de89a8ae4814172a70 100644
--- a/install/ui/src/freeipa/app.js
+++ b/install/ui/src/freeipa/app.js
@@ -50,8 +50,7 @@ define([
 './service',
 './sudo',
 './trust',
-// Hide topology for now
-// './topology',
+'./topology',
 './user',
 './stageuser',
 'dojo/domReady!'
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 32bbd6aaab9e47854e74d26b7f23b89d8bfe7410..8140ddf252e87cf8c51c3f786974ba6a1f2eb390 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -205,7 +205,7 @@ var nav = {};
 { entity: 'trustconfig' }
 ]
 },
-/*  {
+{
 entity: 'topologysuffix',
 label: '@i18n:tabs.topology',
 facet: 'search',
@@ -226,7 +226,7 @@ var nav = {};
 hidden: true
 }
 ]
-},*/
+},
 {
 name: 'apibrowser',
 label: 'API browser',
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 1509151bac7e0abca081cbba033701db410fc54c..53c3106cdd16fef0eba42a70518f7633b3fd95d1 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -238,4 +238,4 @@ IPA_ANCHOR_PREFIX = ':IPA:'
 SID_ANCHOR_PREFIX = ':SID:'
 
 MIN_DOMAIN_LEVEL = 0
-MAX_DOMAIN_LEVEL = 0
+MAX_DOMAIN_LEVEL = 1
diff --git a/ipalib/plugins/domainlevel.py b/ipalib/plugins/domainlevel.py
index 9012a3203323f381c2b927f76371d2b1df4b32a0..64e383006722fb2f32f5300d627b18b6daf051d4 100644
--- a/ipalib/plugins/domainlevel.py
+++ b/ipalib/plugins/domainlevel.py
@@ -74,7 +74,6 @@ def get_master_entries(ldap, api):
 @register()
 class domainlevel_get(Command):
 __doc__ = _('Query current Domain Level.')
-NO_CLI = True
 
 has_output = domainlevel_output
 
@@ -91,7 +90,6 @@ class domainlevel_get(Command):
 @register()
 class domainlevel_set(Command):
 __doc__ = _('Change current Domain Level.')
-NO_CLI = True
 
 has_output = domainlevel_output
 
diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py
index 574e0d7ed42386f62a805272b6ec106bb946116c..de5ceb97583c9a40b4fe3783ec0fa40e6c325d0f 100644
--- a/ipalib/plugins/topology.py
+++ b/ipalib/plugins/topology.py
@@ -41,7 +41,6 @@ class topologysegment(LDAPObject):
 
 Topology segment.
 
-NO_CLI = True
 parent_object = 'topologysuffix'
 container_dn = api.env.container_topology
 object_name = _('segment')
@@ -196,7 +195,6 @@ class topologysegment(LDAPObject):
 class topologysegment_find(LDAPSearch):
 __doc__ = _('Search for topology segments.')
 
-NO_CLI = True
 msg_summary = ngettext(
 '%(count)d segment matched',
 '%(count)d segments matched', 0
@@ -207,7 +205,6 @@ class topologysegment_find(LDAPSearch):
 class topologysegment_add(LDAPCreate):
 __doc__ = _('Add a new segment.')
 
-NO_CLI = True
 msg_summary = _('Added segment %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
@@ -221,7 +218,6 @@ class topologysegment_add(LDAPCreate):
 class topologysegment_del(LDAPDelete):
 __doc__ = _('Delete a segment.')
 
-NO_CLI = True
 msg_summary = _('Deleted segment %(value)s')
 
 def pre_callback(self, ldap, dn, *keys, **options):
@@ -234,7 +230,6 @@ class topologysegment_del(LDAPDelete):
 class topologysegment_mod(LDAPUpdate):
 __doc__ = _('Modify a segment.')
 
-NO_CLI = True
 msg_summary = _('Modified segment %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
@@ -249,7 +244,6 @@ class topologysegment_reinitialize(LDAPQuery):
 __doc__ = _('Request a full re-initialization of the node

Re: [Freeipa-devel] [PATCH] 901 Bump 4.3 development version to 4.2.90

2015-07-09 Thread Tomas Babej


On 07/09/2015 12:36 PM, Petr Vobornik wrote:
 
 
 

ACK, pushed to master: 0569910fead3b33a0806b216823738cf17283108



Re: [Freeipa-devel] [PATCH 463] spec file: Update minimal versions of required packages

2015-07-08 Thread Tomas Babej


On 07/08/2015 01:28 PM, Alexander Bokovoy wrote:
 On Wed, 08 Jul 2015, Jan Cholasta wrote:
 Hi,

 the attached patch fixes https://fedorahosted.org/freeipa/ticket/5103.
 ACK.
 

Pushed to master: 7c0e7f7e3ca3a971d4db64f80f02d4f79e5f5c4d



Re: [Freeipa-devel] [PATCH] 0026..0027 #5096 enforce caacl for SAN principals

2015-07-08 Thread Tomas Babej


On 07/08/2015 04:30 PM, David Kupka wrote:
 On 03/07/15 16:26, Fraser Tweedale wrote:
 The attached patches fix:

 - a bug that caused caacl false negatives for hosts principals
 - #5096 cert-request: enforce caacl for subjectAltName principals

 Thanks,
 Fraser



 Works for me, ACK.
 

Pushed to master: ec7e5e0cac4d93f4a0bb62c1de28be46f362740b



Re: [Freeipa-devel] [PATCH 0278] Fix API logging

2015-07-08 Thread Tomas Babej


On 07/08/2015 02:18 PM, Martin Basti wrote:
 log must be initialized before first usage in API, otherwise traceback is
 shown:
 
 # ipa -e random-nonexistent-key=1 user-find
 Traceback (most recent call last):
   File /bin/ipa, line 32, in module
 cli.run(api)
   File /usr/lib/python2.7/site-packages/ipalib/cli.py, line 1346, in run
 api.log.exception('%s: %s', e.__class__.__name__, str(e))
 AttributeError: 'API' object has no attribute 'log'
 
 Patch attached.
 
 
 

ACK.

Pushed to master: e51bb1bc668bf3008c8cca1dcbb0ebda7fa5c703



Re: [Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd

2015-07-08 Thread Tomas Babej


On 07/08/2015 05:12 PM, Alexander Bokovoy wrote:
 On Wed, 08 Jul 2015, Tomas Babej wrote:
 From 66d39f12a77d23e8d8ac2c11650258ed9f3eb200 Mon Sep 17 00:00:00 2001
 From: Tomas Babej tba...@redhat.com
 Date: Wed, 8 Jul 2015 15:44:13 +0200
 Subject: [PATCH] adtrustinstance: Enable and start oddjobd

 Enable and start the oddjobd service as part of the
 ipa-adtrust-install for the new IPA installations.
 ACK
 

Pushed to master: 9c5df3cf76c921d268e7892ef9d9e7a7d2ad89f9



[Freeipa-devel] [PATCHES 0335-0336] adtrustinstance: Enable and start oddjobd

2015-07-08 Thread Tomas Babej
Hi,

Enable and start the oddjobd service as part of the
ipa-adtrust-install for the new IPA installations and upgraded ones.

Tomas
From 66d39f12a77d23e8d8ac2c11650258ed9f3eb200 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 8 Jul 2015 15:44:13 +0200
Subject: [PATCH] adtrustinstance: Enable and start oddjobd

Enable and start the oddjobd service as part of the
ipa-adtrust-install for the new IPA installations.
---
 ipaserver/install/adtrustinstance.py | 19 +++
 ipaserver/install/installutils.py| 11 +++
 2 files changed, 30 insertions(+)

diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 8343f81826b661e0ab5a34073b0df9b477589ffa..ff0e8cc3e6dd7a78bd5a6ab06918757ca343970c 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -706,6 +706,9 @@ class ADTRUSTInstance(service.Service):
 except Exception, e:
 root_logger.critical(Enabling nsswitch support in slapi-nis failed with error '%s' % e)
 
+def  __enable_and_start_oddjobd(self):
+installutils.enable_and_start_oddjobd(self.sstore)
+
 def __start(self):
 try:
 self.start()
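Review bot: style nit in `def  __enable_and_start_oddjobd(self):`, there are two spaces after `def`. The wrapper only forwards to `installutils.enable_and_start_oddjobd(self.sstore)`, which is fine for symmetry with the other `__`-prefixed steps, but the extra space will trip pep8 checks.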
@@ -852,6 +855,7 @@ class ADTRUSTInstance(service.Service):
 self.step(adding Default Trust View, self.__add_default_trust_view)
 self.step(setting SELinux booleans, \
   self.__configure_selinux_for_smbd)
+self.step(enabling oddjobd, self.__enable_and_start_oddjobd)
 self.step(starting CIFS services, self.__start)
 
 if self.add_sids:
@@ -880,6 +884,21 @@ class ADTRUSTInstance(service.Service):
 except Exception:
 pass
 
+# Restore oddjobd to its original state
+oddjobd = services.service('oddjobd')
+
+if not self.sstore.restore_state('oddjobd', 'running'):
+try:
+oddjobd.stop()
+except Exception:
+pass
+
+if not self.sstore.restore_state('oddjobd', 'enabled'):
+try:
+oddjobd.disable()
+except Exception:
+pass
+
 # Since we do not guarantee restoring back to working samba state,
 # we should not restore smb.conf
 
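Review bot: `if not self.sstore.restore_state('oddjobd', 'running'):` treats "no state recorded" the same as "was not running". On a server where ipa-adtrust-install ran before this change nothing was ever backed up for oddjobd, so if `restore_state` returns None for a missing key, uninstall would stop and disable oddjobd even though other consumers may rely on it. Read the value first and only act when it is an explicit False, e.g. `running = self.sstore.restore_state('oddjobd', 'running')` followed by `if running is not None and not running:`; the same applies to the `'enabled'` branch.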
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 08620c472b9478511d7d08a0d174e7da3f732207..02e8526317dbab909ed48a1823000922ce6e6b7a 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -1081,3 +1081,14 @@ def check_version():
 
 def realm_to_serverid(realm_name):
 return -.join(realm_name.split(.))
+
+def enable_and_start_oddjobd(sstore):
+oddjobd = services.service('oddjobd')
+sstore.backup_state('oddjobd', 'running', oddjobd.is_running())
+sstore.backup_state('oddjobd', 'enabled', oddjobd.is_enabled())
+
+try:
+oddjobd.enable()
+oddjobd.start()
+except Exception as e:
+root_logger.critical(Unable to start oddjobd: {0}.format(str(e)))
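Review bot: PEP8 expects two blank lines before a new top-level function, and the hunk inserts only one between `realm_to_serverid` and `def enable_and_start_oddjobd(sstore):`. More importantly, the `except Exception as e:` branch logs `Unable to start oddjobd` and returns normally, so the install step reports success while oddjobd is neither enabled nor running; consider re-raising or returning a status the caller can act on. Also confirm that `services` and `root_logger` are already imported in installutils, since the hunk adds no import for them.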
-- 
2.1.0

From c6135d634cbccbdbb30ab3906c32cd3720bca95e Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Wed, 8 Jul 2015 15:45:18 +0200
Subject: [PATCH] upgrade: Enable and start oddjobd if adtrust is available

If ipa-adtrust-install has already been run on the system,
enable and start the oddjobd service.
---
 install/updates/90-post_upgrade_plugins.update |  1 +
 ipaserver/install/plugins/adtrust.py   | 24 
 2 files changed, 25 insertions(+)

diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update
index 8e8fe09414eac57d2e8c15dcfc4aed64b6e35cd5..3df3a4574705dbd8df8f25149c13877898afb66b 100644
--- a/install/updates/90-post_upgrade_plugins.update
+++ b/install/updates/90-post_upgrade_plugins.update
@@ -18,3 +18,4 @@ plugin: update_managed_post
 plugin: update_managed_permissions
 plugin: update_idrange_baserid
 plugin: update_passync_privilege_update
+plugin: update_oddjobd_for_adtrust
diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
index d96bfe83e3b9d1d3e64b9fde385fbf520ed20a3a..45bcc5f2fe532446342300ff0c5e1e7149cf023b 100644
--- a/ipaserver/install/plugins/adtrust.py
+++ b/ipaserver/install/plugins/adtrust.py
@@ -19,8 +19,11 @@
 
 from ipalib import api, errors
 from ipalib import Updater
+from ipaplatform.paths import paths
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import *
+from ipapython import sysrestore
+from ipaserver.install import installutils
 
 DEFAULT_ID_RANGE_SIZE = 20
 
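Review bot: this hunk adds imports for `paths` and `sysrestore`; make sure both are actually used in the new updater body, otherwise they are dead imports. While touching the import block, the pre-existing `from ipapython.ipa_log_manager import *` could be narrowed to the names the plugin needs (`root_logger`), which keeps the module namespace predictable.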
@@ -161,5 +164,26 @@ class update_default_trust_view(Updater):
 
 return False, [update]
 
+
+class update_oddjobd_for_adtrust(Updater):
+
+Enables and starts oddjobd daemon if ipa-adtrust-install has been run
+on this system.
+
+
+def execute(self, **options):
+adtrust_is_enabled = self.api.Command['adtrust_is_enabled

Re: [Freeipa-devel] [PATCH] 894-896 webui: certificate profiles and acls

2015-07-08 Thread Tomas Babej


On 07/08/2015 04:54 PM, Martin Basti wrote:
 On 08/07/15 15:11, Petr Vobornik wrote:
 On 07/08/2015 02:24 PM, Petr Vobornik wrote:
 add Web UI for new certificate objects

 [PATCH] 894 webui: certificate profiles
 [PATCH] 895 webui: caacl
 [PATCH] 896 webui: hide facet tab in certificate details facet



 Fixed bug (adding profiles to caacl) in patch 895.


 ACK
 
 -- 
 Martin Basti
 
 
 

Pushed to master: f13cce2d9c7d0b31b366fd7b5af518fbccb10ee8



Re: [Freeipa-devel] [PATCH] 893 move session_logout command to ipalib/plugins directory

2015-07-08 Thread Tomas Babej


On 07/08/2015 02:33 PM, Martin Basti wrote:
 On 08/07/15 13:46, Petr Vobornik wrote:
 On 07/08/2015 01:20 PM, Martin Basti wrote:
 On 08/07/15 12:51, Martin Basti wrote:
 On 08/07/15 12:20, Petr Vobornik wrote:
 On 07/08/2015 10:37 AM, Petr Vobornik wrote:
 API refactoring caused that session_logout command was not
 registered.

 Commands in ipalib/plugins directory are automatically registered.



 Added NO_CLI = True to hide the command in CLI.


 Works for me.

 -- 
 Martin Basti


 NACK, It works but you should update API.txt

 Command session_logout in ipalib, not in API

 There are one or more new commands defined.
 Update API.txt and increment the minor version in VERSION.


 updated patch attached.
 
 ACK
 

Pushed to master: cd3ca94ff2ef738cb3a9eae502193413058f976d



Re: [Freeipa-devel] [MAN] [PATCH] 0004 Fix phrasing in man page for stageuser.py

2015-07-07 Thread Tomas Babej


On 07/04/2015 02:03 PM, Jérôme Fenal wrote:
 Hi all,
 
 A quick patch to the man page part of stageuser to avoid ambiguity in
 the phrasing, spotted while translating the page.
 
 Regards,
 
 J.
 
 
 

Thanks, ACK.

I will not push this patch to master until we branch off 4.2 development
branch as it would disrupt already translated strings in the other
languages.

Tomas



Re: [Freeipa-devel] [PATCHES 0252-0253, 268, 50 - 51] DNSSEC: allow to move DNSSEC key master to another IPA server

2015-07-07 Thread Tomas Babej


On 07/01/2015 12:47 PM, Petr Spacek wrote:
 On 1.7.2015 12:35, Martin Basti wrote:
 On 30/06/15 22:09, Petr Spacek wrote:
 On 30.6.2015 16:04, Martin Basti wrote:
 On 30/06/15 10:25, Martin Basti wrote:
 On 29/06/15 15:16, Martin Basti wrote:
 On 25/06/15 13:46, Petr Spacek wrote:
 On 17.6.2015 13:37, Martin Basti wrote:
 On 17/06/15 13:26, Petr Spacek wrote:
 On 16.6.2015 15:40, Martin Basti wrote:
 On 05/06/15 12:54, Petr Spacek wrote:
 On 20.5.2015 18:00, Martin Basti wrote:
 This patch allows to disable DNSSEC key master on IPA server, or
 replace
 current DNSSEC key master with another IPA server.

 Only for master branch.

 https://fedorahosted.org/freeipa/ticket/4657

 Patches attached.
 NACK. This happens on DNSSEC key master:
 $ ipa-dns-install --disable-dnssec-master

 Do you want to disable current DNSSEC key master? [no]: yes
 Unexpected error - see /var/log/ipaserver-install.log for details:
 TypeError: sequence item 0: expected string, DNSName found
2015-06-05T10:52:35Z DEBUG   File
 /usr/lib/python2.7/site-packages/ipaserver/install/installutils.py,
 line
 733, in run_script
 return_value = main_function()

   File /sbin/ipa-dns-install, line 128, in main
 dns_installer.disable_dnssec_master(options.unattended)

   File 
 /usr/lib/python2.7/site-packages/ipaserver/install/dns.py,
 line
 112,
 in disable_dnssec_master
 , .join(dnssec_zones))

 2015-06-05T10:52:35Z DEBUG The ipa-dns-install command failed,
 exception:
 TypeError: sequence item 0: expected string, DNSName found

 Updated patches attached.

 Due to the new installers, more changes were required.
 Sorry, NACK, I'm not able to apply this patch set to current master
 (69607250b9762a6c9b657dd31653b03d54a7b411).

 Rebased patches attached.
 NACK.


 0) ipa-dns-install --replace-dnssec-master always puts file into
 /root/ipa-kasp.db.

 It would be better to put it into local working directory or
 /var/lib/ipa (as
 with replica files).


 1) I installed DNSSEC key master role on the vm-134 but DNSSEC services
 were
 not stopped by ipactl stop:

 [root@vm-134 review]# ipactl stop
 Stopping ipa-otpd Service
 Stopping httpd Service
 Stopping ipa_memcached Service
 Stopping kadmin Service
 Stopping krb5kdc Service
 Stopping Directory Service
 ipa: INFO: The ipactl command was successful

 [root@vm-134 review]# ipactl start
 Starting Directory Service
 Starting krb5kdc Service
 Starting kadmin Service
 Starting named Service
 Starting ipa_memcached Service
 Starting httpd Service
 Starting ipa-otpd Service
 Starting ipa-ods-exporter Service
 Starting ods-enforcerd Service
 Starting ipa-dnskeysyncd Service

 Subsequent ipactl stop worked fine, only the first one is affected.


 2a) vm-134 was the original master. I ran this:

 [root@vm-134 review]# ipa-dns-install
 --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

 ... and then attempted to install master to vm-059:
 [root@vm-059 review]# ipa-dns-install --dnssec-master

 This command was accepted despite the missing --kasp-db option and wrong
 replica name.

 It should error out and tell the user to run the command with --kasp-db
 option.

 Even better, we could get rid of explicit replica name specification in
 --replace-dnssec-master option and allow to run installation with
 --kasp-db on
 any replica as long as the kasp.db file is provided.



 2b) Attempt to move DNSSEC key master from vm-134 to vm-090 *without*
 specifying --kasp-db option was accepted.

 [root@vm-090 review]# ipa-dns-install --dnssec-master

 As in case (2a), it should print what the user is supposed to do.

 I propose following text:

 Current DNSSEC key master vm-134.abc.idm.lab.eng.brq.redhat.com is 
 being
 moved to different server.

 You need to copy kasp.db file from 
 vm-134.abc.idm.lab.eng.brq.redhat.com
 and
 run following command to complete the transition:

 # ipa-dns-install --dnssec-master --kasp-db=/path/to/the/copied/kasp.db



 3) [root@vm-134 review]# ipa-dns-install
 --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com
 does not remove ISMASTER option from file 
 /etc/sysconfig/ipa-dnskeysyncd .


 4) [root@vm-134 review]# ipa-dns-install
 --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

 it is possible to run

 [root@vm-134 review]# ipa-dns-install --dnssec-master

 again without --kasp-db and it is accepted.

 Moreover, in this case ipaConfigString NEW_DNSSEC_MASTER is not 
 properly
 removed from
 cn=DNSKeySync,cn=vm-090.abc.idm.lab.eng.brq.redhat.com,cn=masters,cn=ipa,cn=etc,dc=ipa,dc=example.





 5) Sequence of commands
 [root@vm-134 review]# ipa-dns-install
 --replace-dnssec-master=vm-090.abc.idm.lab.eng.brq.redhat.com

 [root@vm-090 review]# ipa-replica-manage del
 vm-134.abc.idm.lab.eng.brq.redhat.com

 allows me to run
 [root@vm-090 review]# ipa-dns-install --dnssec-master

 without --kasp-db option, it does not throw an error, and the 
 information
 that
 some other master existed somewhere is lost.

 It would be probably better 

Re: [Freeipa-devel] [PATCH] 892 webui: add mangedby tab to otptoken

2015-07-07 Thread Tomas Babej


On 07/03/2015 02:49 PM, Martin Babinsky wrote:
 On 07/01/2015 06:59 PM, Petr Vobornik wrote:
 Added managedby_user tab to manage users who can manage the token.

 https://fedorahosted.org/freeipa/ticket/5003

 Nathaniel, I could not reproduce the following part of the ticket:
 
 Careful interaction is required here. In the current code, this also
 creates a bug since all UI created tokens are owned but not managed.
 When users of these tokens are deleted, their self-created tokens are
 orphaned rather than deleted.

 Self-created tokens MUST be both self-owned AND self-managed.
 

 The self-created tokens which I created in Web UI as admin or normal
 user were in both cases managed by the same user who created them.


 (Once again, this time also reply to the list)
 
 The patch itself does what it is supposed to.
 
 So ACK from me.
 
 However, I have found out that the token's manager is correctly set
 *only* when it is directly created by the user that should own it. In
 this case when the manager is not specified, the code works as expected
 and fills in the logged-in user as manager.
 
 However, if e.g. admin creates a token for another user and does not set
 him as the manager explicitly, the 'managedBy' attribute is not set.
 

Pushed to:
master: b258bcee8337063259aa38b4387b9bb5721fb380
ipa-4-1: 5439e7a8fa46a8eab0d23689807a4894f20ecea7



[Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features

2015-07-07 Thread Tomas Babej
Hi,

* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin

https://fedorahosted.org/freeipa/ticket/5097
From 8cdc723d334540258fdc408933b3f47ccebf5b53 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Tue, 7 Jul 2015 09:36:32 +0200
Subject: [PATCH] Hide topology and domainlevel features

* Hide topology and domainlevel commands in the CLI
* Hide topology and domainlevel in the WebUI
* Set maximum allowed domain level to 0
* Do not configure and enable the topology plugin

https://fedorahosted.org/freeipa/ticket/5097
---
 install/ui/src/freeipa/app.js  |  3 ++-
 install/ui/src/freeipa/navigation/menu_spec.js |  4 ++--
 ipalib/constants.py|  2 +-
 ipalib/plugins/domainlevel.py  |  2 ++
 ipalib/plugins/topology.py | 11 +++
 ipaserver/install/dsinstance.py|  3 ++-
 6 files changed, 20 insertions(+), 5 deletions(-)

diff --git a/install/ui/src/freeipa/app.js b/install/ui/src/freeipa/app.js
index f05e8213c0b17e21515fdfce5ab496516a02692e..92613b4a4cec1487a6bde1bdc0049b16d3321418 100644
--- a/install/ui/src/freeipa/app.js
+++ b/install/ui/src/freeipa/app.js
@@ -48,7 +48,8 @@ define([
 './service',
 './sudo',
 './trust',
-'./topology',
+// Hide topology for now
+// './topology',
 './user',
 './stageuser',
 'dojo/domReady!'
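Review bot: leaving `// './topology'` commented out in the define() dependency list keeps dead code in app.js; either drop the entry or extend the "Hide topology for now" comment with the ticket number (5097) so a future reader knows when it is safe to restore, since a bare "for now" gives no way to track the re-enable.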
diff --git a/install/ui/src/freeipa/navigation/menu_spec.js b/install/ui/src/freeipa/navigation/menu_spec.js
index 120cba37dca7aa355bdb94b1ef16615b95afeb28..4265e98710cdaff0d2ea77ab1e62be1071b19c33 100644
--- a/install/ui/src/freeipa/navigation/menu_spec.js
+++ b/install/ui/src/freeipa/navigation/menu_spec.js
@@ -184,7 +184,7 @@ var nav = {};
 { entity: 'trustconfig' }
 ]
 },
-{
+/*  {
 entity: 'topologysuffix',
 label: '@i18n:tabs.topology',
 facet: 'search',
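Review bot: the `/*  {` opening the topologysuffix entry starts a block comment that is closed only in the following hunk, so the commented region spans lines not visible here; any `/* ... */` already inside that region would terminate the comment early and break menu_spec.js at load time. Marking the entry with `hidden: true`, as the spec already does for sub-entries, or deleting it outright, is safer than a block comment that straddles two hunks.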
@@ -205,7 +205,7 @@ var nav = {};
 hidden: true
 }
 ]
-},
+},*/
 {
 name: 'apibrowser',
 label: 'API browser',
diff --git a/ipalib/constants.py b/ipalib/constants.py
index a062505c349436332d430af4fd29c76d20c85343..fac937b5dc4900b5988c1b1d937c0061430c5e1d 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -234,4 +234,4 @@ IPA_ANCHOR_PREFIX = ':IPA:'
 SID_ANCHOR_PREFIX = ':SID:'
 
 MIN_DOMAIN_LEVEL = 0
-MAX_DOMAIN_LEVEL = 1
+MAX_DOMAIN_LEVEL = 0
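Review bot: with `MAX_DOMAIN_LEVEL = 0` now equal to `MIN_DOMAIN_LEVEL = 0`, this constant is the only server-side guard against raising the domain level; the `NO_CLI = True` additions elsewhere in the patch hide commands from the CLI but do not unregister them from the API. A short comment tying the value to ticket 5097 would make clear it is a temporary cap rather than the real maximum, so it gets restored together with the topology plugin.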
diff --git a/ipalib/plugins/domainlevel.py b/ipalib/plugins/domainlevel.py
index 64e383006722fb2f32f5300d627b18b6daf051d4..9012a3203323f381c2b927f76371d2b1df4b32a0 100644
--- a/ipalib/plugins/domainlevel.py
+++ b/ipalib/plugins/domainlevel.py
@@ -74,6 +74,7 @@ def get_master_entries(ldap, api):
 @register()
 class domainlevel_get(Command):
 __doc__ = _('Query current Domain Level.')
+NO_CLI = True
 
 has_output = domainlevel_output
 
@@ -90,6 +91,7 @@ class domainlevel_get(Command):
 @register()
 class domainlevel_set(Command):
 __doc__ = _('Change current Domain Level.')
+NO_CLI = True
 
 has_output = domainlevel_output
 
diff --git a/ipalib/plugins/topology.py b/ipalib/plugins/topology.py
index de5ceb97583c9a40b4fe3783ec0fa40e6c325d0f..574e0d7ed42386f62a805272b6ec106bb946116c 100644
--- a/ipalib/plugins/topology.py
+++ b/ipalib/plugins/topology.py
@@ -41,6 +41,7 @@ class topologysegment(LDAPObject):
 
 Topology segment.
 
+NO_CLI = True
 parent_object = 'topologysuffix'
 container_dn = api.env.container_topology
 object_name = _('segment')
@@ -195,6 +196,7 @@ class topologysegment(LDAPObject):
 class topologysegment_find(LDAPSearch):
 __doc__ = _('Search for topology segments.')
 
+NO_CLI = True
 msg_summary = ngettext(
 '%(count)d segment matched',
 '%(count)d segments matched', 0
@@ -205,6 +207,7 @@ class topologysegment_find(LDAPSearch):
 class topologysegment_add(LDAPCreate):
 __doc__ = _('Add a new segment.')
 
+NO_CLI = True
 msg_summary = _('Added segment %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
@@ -218,6 +221,7 @@ class topologysegment_add(LDAPCreate):
 class topologysegment_del(LDAPDelete):
 __doc__ = _('Delete a segment.')
 
+NO_CLI = True
 msg_summary = _('Deleted segment %(value)s')
 
 def pre_callback(self, ldap, dn, *keys, **options):
@@ -230,6 +234,7 @@ class topologysegment_del(LDAPDelete):
 class topologysegment_mod(LDAPUpdate):
 __doc__ = _('Modify a segment.')
 
+NO_CLI = True
 msg_summary = _('Modified segment %(value)s')
 
 def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options
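Review bot: the topology.py hunks are cut off mid-line at `**options` and the dsinstance.py change is absent entirely, although the diffstat lists 11 insertions in topology.py and 3 in dsinstance.py; only five `NO_CLI = True` lines are visible here, none of them for the topologysuffix object or its commands. The part that actually stops configuring and enabling the topology plugin cannot be reviewed from this message, so the full patch should be attached.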

Re: [Freeipa-devel] [PATCHES 330-331] Update translations and introduce Zanata configuration

2015-07-07 Thread Tomas Babej


On 07/07/2015 09:09 AM, Tomas Babej wrote:
 
 
 On 06/24/2015 04:33 PM, Tomas Babej wrote:
 On 06/24/2015 04:29 PM, Martin Basti wrote:
 On 24/06/15 14:39, Tomas Babej wrote:
 +msgid Automount location name.
 +msgstr Job Title
 +

 in german po file

 +msgid Automount location name.
 +msgstr Job Title
 +


 AFAIK, this is not german language.


 Nice catch!

 You can show off your German language skills by entering the correct
 translation here:

 https://fedora.zanata.org/webtrans/Application.seam?project=freeipaiteration=masterlocaleId=delocale=en#view:doc;doc:install/po/ipa;search:Automount%20location%20name

 So far, I removed the wrong translation string in Zanata.

 Tomas

 
 Attaching updated patches, with fresh translations.
 
 Thanks to all the translators!
 
 Tomas
 
 
 

There is a small error in the UK translation, line 491 should read:

На сервері DNS %(server)s не...

instead of:

На сервері DNS (server)s не...

Fixed. I am not sending an updated version of the patch to the list,
given its size.

Tomas


Re: [Freeipa-devel] [PATCH 0276] Fix: ipa-dns-install will add CA records if CA is installed

2015-07-07 Thread Tomas Babej


On 07/07/2015 07:36 PM, Martin Basti wrote:
 https://fedorahosted.org/freeipa/ticket/5101
 
 Patch attached.
 
 
 

ACK.

Pushed to master: 1d9bdb240943527e1e19704acd183eae254267ae



Re: [Freeipa-devel] [PATCH 0046] add option to skip client API version check and proceed at user's own risk

2015-07-07 Thread Tomas Babej


On 07/07/2015 07:49 PM, Martin Basti wrote:
 On 03/07/15 16:41, Martin Babinsky wrote:
 On 07/02/2015 01:58 PM, Martin Babinsky wrote:
 First attempt at https://fedorahosted.org/freeipa/ticket/4768



 Attaching reworked patch.



 ACK
 
 -- 
 Martin Basti
 
 
 

Pushed to master: ea7f392bb98c1f1c4558ec5d6e84ee7a7c613474



Re: [Freeipa-devel] [PATCH 0334] Hide topology and domainlevel features

2015-07-07 Thread Tomas Babej


On 07/07/2015 07:16 PM, Martin Basti wrote:
 On 07/07/15 10:33, Tomas Babej wrote:
 Hi,

 * Hide topology and domainlevel commands in the CLI
 * Hide topology and domainlevel in the WebUI
 * Set maximum allowed domain level to 0
 * Do not configure and enable the topology plugin

 https://fedorahosted.org/freeipa/ticket/5097


 ACK
 
 -- 
 Martin Basti
 

Pushed to master: 62e8002bc43ddd890c3db35a123cb7daf35e3121



Re: [Freeipa-devel] [PATCHES 145-148] ipa-kdb: add unit-test for filter_logon_info()

2015-07-07 Thread Tomas Babej


On 07/07/2015 03:49 PM, Sumit Bose wrote:
 On Tue, May 26, 2015 at 01:36:35PM +0200, Martin Kosek wrote:
 On 05/26/2015 01:33 PM, Sumit Bose wrote:
 Hi,

 these patches add some unit tests and some additional improvements
 related to the issues described in
 https://bugzilla.redhat.com/show_bug.cgi?id=1222475 . The original issue
 is fixed by a patch from Alexander attached to the ticket.

 The first patch converts the existing check-based test to cmocka. If I
 see it correctly, all check-based tests are converted now.

 Cool! Before pushing, we should also reference ticket
 https://fedorahosted.org/freeipa/ticket/4922
 in the patch (no need to rebase right now).


 The second adds tests for filter_logon_info() where the original issue
 occurred. The wrong behavior in filter_logon_info() caused a crash in
 dom_sid_string() which is made a bit more robust together with
 string_to_sid() in the 3rd patch. The last patch adds unit tests for
 those two calls as well.
 
 New version rebased on one-way trust patches attached.
 
 Please note that the unit-test will fail with the initial version of the
 one-way trust patches which does not allow an empty group list in the
 PAC.
 
 bye,
 Sumit
 
 
 

ACK.

Pushed to master: 5017726ebaf6eea3dedb1325efe00c0d6c4b6187

Tomas



Re: [Freeipa-devel] [PATCH 144] extdom: add unit-test for get_user_grouplist()

2015-07-07 Thread Tomas Babej


On 07/07/2015 03:47 PM, Sumit Bose wrote:
 On Tue, May 26, 2015 at 02:47:02PM +0300, Alexander Bokovoy wrote:
 On Tue, 26 May 2015, Sumit Bose wrote:
 On Tue, May 26, 2015 at 01:24:30PM +0200, Petr Vobornik wrote:
 On 05/26/2015 01:21 PM, Sumit Bose wrote:
 Hi,

 these tests should have gone together with
 c1114ef82516002de08e004a930b5ba4a1791b25 but got lost somehow during the
 bugzilla processing.

 bye,
 Sumit


 So it has been acked? And we can push it?

 I have to admit that I'm not sure, there were just too many related
 tickets. Alexander, do you remember seeing this patch? If not, I think
 it would be good if someone can review it. Since it is only a
 unit-test, it is not urgent.
 I've seen this patch and I thought I've acked it by the time...
 
 New version rebased on one-way trust patches is attached.
 
 bye,
 Sumit
 
 -- 
 / Alexander Bokovoy



ACK.

Pushed to master: 7b524e783515a16102aeffdb69fa9ed5fca07c1b


