Re: [Freeipa-devel] bind-dyndb-ldap: [PATCH] Handle termination of SyncRepl watcher thread

2016-12-19 Thread Petr Spacek
On 19.12.2016 13:04, Tomas Krizek wrote: > Hi Thierry, > > could you please take a look at this bind-dyndb-ldap patch? I was trying > to fix https://fedorahosted.org/bind-dyndb-ldap/ticket/149 > > I wasn't able to reproduce the issue, but I think the problem is fixed

[Freeipa-devel] using Reviewer field on Github instead of Trac

2016-12-09 Thread Petr Spacek
Dear FreeIPA developers, I just noticed that Github PRs now have Reviewers field. Can we replace reviewed-by field in Trac with Reviewers field on Github? It is easier to set myself as Reviewer on Github as it does not force me to edit ticket. Assuming the Github workflow works, the ipatool

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-29 Thread Petr Spacek
On 29.11.2016 16:02, Rob Crittenden wrote: > Petr Spacek wrote: >> On 29.11.2016 09:11, Jan Cholasta wrote: >>> On 28.11.2016 20:57, Rob Crittenden wrote: >>>> David Kupka wrote: >>>>> On 22/11/16 23:15, Gabe Alford wrote: >>>>>>

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-29 Thread Petr Spacek
On 29.11.2016 09:11, Jan Cholasta wrote: > On 28.11.2016 20:57, Rob Crittenden wrote: >> David Kupka wrote: >>> On 22/11/16 23:15, Gabe Alford wrote: I would say that it is worth keeping in FreeIPA. I know myself and some customers use its functionality by having the clients sync to the

Re: [Freeipa-devel] NTP in FreeIPA

2016-11-24 Thread Petr Spacek
On 24.11.2016 17:14, Martin Basti wrote: > If NTP is still configured on the IPA server, this may be less of an issue. > Not everyone has/is/will be using ansible. Also in secure environments, DHCP > is not allowed/used at all. If DHCP is not good enough for your environment then you *must not*

Re: [Freeipa-devel] client-only FreeIPA build

2016-11-24 Thread Petr Spacek
On 23.11.2016 13:53, Lukas Slebodnik wrote: > On (22/11/16 11:25), Rob Crittenden wrote: >> Lukas Slebodnik wrote: >>> On (22/11/16 16:29), Petr Spacek wrote: >>>> On 22.11.2016 16:27, Jan Cholasta wrote: >>>>> Hi, >>>>>

Re: [Freeipa-devel] client-only FreeIPA build

2016-11-22 Thread Petr Spacek
On 22.11.2016 16:14, Lukas Slebodnik wrote: > On (22/11/16 16:04), Petr Spacek wrote: >> Hello, >> >> the recent changes with regard to >> http://www.freeipa.org/page/V4/Integration_Improvements >> beg a question whether we should invest into supporting clien

[Freeipa-devel] client-only FreeIPA build

2016-11-22 Thread Petr Spacek
Hello, the recent changes with regard to http://www.freeipa.org/page/V4/Integration_Improvements beg a question whether we should invest into supporting client-only builds in FreeIPA build system. Right now, FreeIPA can be built on all architectures we care about so there is no incentive to

Re: [Freeipa-devel] Design document: Integration Improvements

2016-11-21 Thread Petr Spacek
On 21.11.2016 14:15, Christian Heimes wrote: > On 2016-11-21 13:31, Jan Cholasta wrote: >> Hi, >> >> On 11.11.2016 15:25, Christian Heimes wrote: >>> Hello, >>> >>> I have released the first version of a new design document. It describes >>> how I'm going to improve integration of FreeIPA's client

Re: [Freeipa-devel] Design document: Integration Improvements: ipaplatform

2016-11-16 Thread Petr Spacek
On 11.11.2016 15:25, Christian Heimes wrote: > Hello, > > I have released the first version of a new design document. It describes > how I'm going to improve integration of FreeIPA's client libraries > (ipalib, ipapython, ipaclient, ipaplatform) for third party developers. > >

[Freeipa-devel] Build system refactoring was pushed to master

2016-11-09 Thread Petr Spacek
Hi FreeIPA gang, we just pushed Build system refactoring to master. Most visible change is that you need to use command "./makerpms.sh" instead of "make rpms" when building FreeIPA from clean Git tree. "make rpms" will work as usual after initial autoreconf -i && ./configure combo so this

[Freeipa-devel] Is checks/check-ra.py still useful?

2016-11-02 Thread Petr Spacek
Hi, when working on build system refactoring, I've noticed file checks/check-ra.py. README follows: > This directory is for integration tests that require a live backend (LDAP, > Certificate Server, etc.). It's named "checks" so nose won't discover tests > here. Is it still useful? As far as I

Re: [Freeipa-devel] What would break if loopback addresses were allowed for IPA server?

2016-10-18 Thread Petr Spacek
On 17.10.2016 17:55, Simo Sorce wrote: > On Mon, 2016-10-17 at 09:02 +0200, Petr Spacek wrote: >> On 27.9.2016 14:31, Jan Pazdziora wrote: >>> On Wed, Sep 21, 2016 at 12:01:44PM +0200, Jan Pazdziora wrote: >>>> >>>> I've recently hit again the situa

Re: [Freeipa-devel] What would break if loopback addresses were allowed for IPA server?

2016-10-17 Thread Petr Spacek
On 27.9.2016 14:31, Jan Pazdziora wrote: > On Wed, Sep 21, 2016 at 12:01:44PM +0200, Jan Pazdziora wrote: >> >> I've recently hit again the situation of IPA installer not happy >> about the provided IP address not being local to it, this time in >> containerized environment: >> >>

Re: [Freeipa-devel] Heimdal Kerberos support for client

2016-10-13 Thread Petr Spacek
On 12.10.2016 20:22, Rob Crittenden wrote: > Petr Spacek wrote: >> Hello list, >> >> I just noticed that client/configure.ac contains some checks to detect and >> support Heimdal Kerberos libraries. >> >> Was it tested? Does it work? Can I drop it? :-) >

Re: [Freeipa-devel] links to docs in the messages from code

2016-10-13 Thread Petr Spacek
On 13.10.2016 08:54, Martin Basti wrote: > > > On 12.10.2016 19:56, Petr Spacek wrote: >> Hello FreeIPA developers, >> >> looking at freeipa-users mailing list, a lot of questions could be answered >> by >> just quick glance to the docs. >>

[Freeipa-devel] Heimdal Kerberos support for client

2016-10-12 Thread Petr Spacek
Hello list, I just noticed that client/configure.ac contains some checks to detect and support Heimdal Kerberos libraries. Was it tested? Does it work? Can I drop it? :-) -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list:

[Freeipa-devel] links to docs in the messages from code

2016-10-12 Thread Petr Spacek
Hello FreeIPA developers, looking at freeipa-users mailing list, a lot of questions could be answered by just quick glance to the docs. I wonder if we should add links HTML version of docs on access.redhat.com to the messages generated by the code. If we really want, we can make these

Re: [Freeipa-devel] Broken IPA installation caused by new python-dns package

2016-10-12 Thread Petr Spacek
On 10.10.2016 10:28, Martin Basti wrote: > https://bodhi.fedoraproject.org/updates/FEDORA-2016-1857421df6 > > > Please set karma accordingly > > > Traceback: > > ... > > File "/usr/lib/python2.7/site-packages/ipaserver/dns_data_management.py", > line 426, in update_dns_records >

Re: [Freeipa-devel] Build system refactoring - design document

2016-10-11 Thread Petr Spacek
On 11.10.2016 15:47, Petr Vobornik wrote: > On 10/07/2016 11:56 AM, Petr Spacek wrote: >> Dear FreeIPA developers and packagers, >> >> you can find first version of the Build system refactoring design document >> on: >> http://www.freeipa.org/page/V4/Build_s

Re: [Freeipa-devel] Build system refactoring - design document

2016-10-11 Thread Petr Spacek
On 11.10.2016 10:04, Jan Cholasta wrote: > On 11.10.2016 09:36, Petr Spacek wrote: >> On 11.10.2016 09:00, Jan Cholasta wrote: >>> Hi, >>> >>> On 7.10.2016 11:56, Petr Spacek wrote: >>>> Dear FreeIPA developers and packagers, >>>> >

Re: [Freeipa-devel] Build system refactoring - design document

2016-10-11 Thread Petr Spacek
On 11.10.2016 09:00, Jan Cholasta wrote: > Hi, > > On 7.10.2016 11:56, Petr Spacek wrote: >> Dear FreeIPA developers and packagers, >> >> you can find first version of the Build system refactoring design document >> on: >> http://www.freeipa.org/page/V4/B

Re: [Freeipa-devel] kinit: Cannot contact any KDC for realm... from Freeipa clinet (Active Directory trust setup)

2016-10-10 Thread Petr Spacek
On 10.10.2016 05:23, rajat gupta wrote: > Hi, > > I am trying to setup the freeipa Active Directory trust setup and I am > following > the http://www.freeipa.org/page/Active_Directory_trust_setup documentation. > > I am able to login on freeipa Server with AD users. > > But when I am trying to

Re: [Freeipa-devel] Build system refactoring - design document

2016-10-07 Thread Petr Spacek
On 7.10.2016 12:59, Martin Basti wrote: > > > On 07.10.2016 11:56, Petr Spacek wrote: >> Dear FreeIPA developers and packagers, >> >> you can find first version of the Build system refactoring design document >> on: >> http://www.freeipa.org/page/V4/B

Re: [Freeipa-devel] Build system refactoring - design document

2016-10-07 Thread Petr Spacek
On 7.10.2016 11:56, Petr Spacek wrote: > Dear FreeIPA developers and packagers, > > you can find first version of the Build system refactoring design document on: > http://www.freeipa.org/page/V4/Build_system_refactoring > > If you do not care about implementation details,

[Freeipa-devel] Build system refactoring - design document

2016-10-07 Thread Petr Spacek
Dear FreeIPA developers and packagers, you can find first version of the Build system refactoring design document on: http://www.freeipa.org/page/V4/Build_system_refactoring If you do not care about implementation details, please be so kind and quickly scan through chapter

Re: [Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode

2016-09-27 Thread Petr Spacek
On 18.7.2016 08:22, Jan Cholasta wrote: > On 8.7.2016 15:59, Rob Crittenden wrote: >> Petr Spacek wrote: >>> On 8.7.2016 15:31, Rob Crittenden wrote: >>>> Petr Spacek wrote: >>>>> Hi, >>>>> >>>>> our docs >>>

Re: [Freeipa-devel] pylint: remove unused variables

2016-09-23 Thread Petr Spacek
On 23.9.2016 07:28, Jan Cholasta wrote: > On 22.9.2016 16:39, Martin Basti wrote: >> Hello all, >> >> In 4.5, I would like to remove all unused variables from code and enable >> pylint check. Due to big amount of unused variables in the code this >> will be longterm effort. >> >> Why this?: >> >>

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-09-02 Thread Petr Spacek
On 2.9.2016 04:19, Ben Lipton wrote: > On 07/27/2016 02:42 PM, Ben Lipton wrote: >> On 07/21/2016 11:43 AM, Petr Spacek wrote: >>> Besides this nit, >>> http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation/Mapping_Rules#Planned_implementation >

Re: [Freeipa-devel] [PATCH] 0014

2016-09-02 Thread Petr Spacek
On 2.9.2016 05:22, Fraser Tweedale wrote: > On Thu, Sep 01, 2016 at 07:37:53PM +0200, Tomas Krizek wrote: >> On 09/01/2016 03:58 PM, Florence Blanc-Renaud wrote: >>> Hi, >>> >>> please find attached a patch for ipa-certupdate in CA-less deployment. >>> https://fedorahosted.org/freeipa/ticket/6288

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-09-01 Thread Petr Spacek
On 1.9.2016 14:09, Standa Laznicka wrote: > On 09/01/2016 01:26 PM, Standa Laznicka wrote: >> On 08/31/2016 12:57 PM, Petr Spacek wrote: >>> On 31.8.2016 12:42, Standa Laznicka wrote: >>>> On 08/30/2016 03:34 PM, Simo Sorce wrote: >>>>> On Tue, 201

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-31 Thread Petr Spacek
On 31.8.2016 12:42, Standa Laznicka wrote: > On 08/30/2016 03:34 PM, Simo Sorce wrote: >> On Tue, 2016-08-30 at 08:47 +0200, Standa Laznicka wrote: >>> On 08/26/2016 05:37 PM, Simo Sorce wrote: On Fri, 2016-08-26 at 11:26 -0400, Simo Sorce wrote: > On Fri, 2016-08-26 at 18:09 +0300,

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Petr Spacek
On 29.8.2016 16:34, Simo Sorce wrote: > On Mon, 2016-08-29 at 09:13 +0200, Petr Spacek wrote: >> On 26.8.2016 17:40, Simo Sorce wrote: >>> On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: >>>> Ie we could set both "allow" and "allow_with_time"

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-29 Thread Petr Spacek
On 26.8.2016 17:40, Simo Sorce wrote: > On Fri, 2016-08-26 at 11:37 -0400, Simo Sorce wrote: >> Ie we could set both "allow" and "allow_with_time" on an object for >> cases where the admin wants to enforce the time part only on newer >> client >> but otherwise apply the rule to any client. > > I

Re: [Freeipa-devel] FreeIPA wiki - fighting the spammers

2016-08-19 Thread Petr Spacek
On 18.8.2016 16:25, Martin Kosek wrote: > Hello everyone, > > As some of you noticed, we had lately an increasing number of spam attacks > against FreeIPA.org wiki. Even though we did not accept user registration > through the standard Mediawiki User Creation form (which is often misused by >

Re: [Freeipa-devel] [PATCH 689] tests: fix test_ipalib.test_frontend.test_Object

2016-08-18 Thread Petr Spacek
On 18.8.2016 10:08, Jan Cholasta wrote: > SSIA Could you add one sentence or a link to a ticket which forced this change? When reading the patch, I have no way to say why the change is necessary - so it is impossible to verify correctness. (Sure, the test will pass, but I have no way to

[Freeipa-devel] Announcing bind-dyndb-ldap version 10.1

2016-08-17 Thread Petr Spacek
The FreeIPA team is proud to announce bind-dyndb-ldap version 10.1. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/ The new version has also been built for Fedora 24+: https://bodhi.fedoraproject.org/updates/FEDORA-2016-ea30aafae1 Latest news: 10.1 [1]

Re: [Freeipa-devel] [PATCH] 0207, 0218-0219 Solving trust conflicts and external trust topology fixes

2016-08-17 Thread Petr Spacek
On 17.8.2016 12:41, Alexander Bokovoy wrote: > On Wed, 17 Aug 2016, Martin Babinsky wrote: >> On 08/15/2016 06:06 PM, Alexander Bokovoy wrote: >>> On Mon, 15 Aug 2016, Alexander Bokovoy wrote: Hi! Attached are trust-related patches. 0207 is a pre-requisite. I did send it

[Freeipa-devel] [PATCH 0435-0436] Preparation for bind-dyndb-ldap 10.1 release

2016-08-17 Thread Petr Spacek
Hello, Pushed to master: d7ae9e2e0206f770dd252c81abdc8b1be3fd30e2 Bump NVR to 10.1. fddb67672e458c8cbb0fd7997e42f94adb288181 Update NEWS for upcoming 10.1 release. Tagged as v10.1. -- Petr^2 Spacek From fddb67672e458c8cbb0fd7997e42f94adb288181 Mon Sep 17 00:00:00 2001 From: Petr Spacek <p

Re: [Freeipa-devel] [PATCH 0433-0434] Fix zone removal to respect forward configuration inheritance + Remove preserve_forwarding parameter from ldap_delete_zone2()

2016-08-17 Thread Petr Spacek
rom ldap_delete_zone2(). Petr^2 Spacek > > Martin > > On 08/12/2016 12:37 PM, Petr Spacek wrote: >> Hello, >> >> please review attached patch set. It fixes >> https://fedorahosted.org/bind-dyndb-ldap/ticket/167 >> >> The code is also available on Github:

Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-08-16 Thread Petr Spacek
On 16.8.2016 02:07, Fraser Tweedale wrote: > On Mon, Aug 15, 2016 at 03:58:40PM +0200, Petr Spacek wrote: >> On 15.8.2016 15:54, Fraser Tweedale wrote: >>> On Mon, Aug 15, 2016 at 03:31:20PM +0200, Petr Spacek wrote: >>>> On 15.8.2016 15:16, Fraser Tweedale wrote:

Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-08-15 Thread Petr Spacek
On 15.8.2016 15:54, Fraser Tweedale wrote: > On Mon, Aug 15, 2016 at 03:31:20PM +0200, Petr Spacek wrote: >> On 15.8.2016 15:16, Fraser Tweedale wrote: >>> On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote: >>>> On 2.8.2016 05:57, Fraser Tweedale wrote:

Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-08-15 Thread Petr Spacek
On 15.8.2016 15:16, Fraser Tweedale wrote: > On Mon, Aug 15, 2016 at 02:52:46PM +0200, Petr Spacek wrote: >> On 2.8.2016 05:57, Fraser Tweedale wrote: >>>>> Hah! This is what I get for thinking I know what the output has to look >>>>> like, and not te

Re: [Freeipa-devel] [PATCH] 0090, 0092..0094 cert-show: show subject alternative names

2016-08-15 Thread Petr Spacek
On 15.8.2016 15:07, Fraser Tweedale wrote: > On Mon, Aug 15, 2016 at 07:48:22AM +0200, Jan Cholasta wrote: >> On 12.8.2016 18:57, Petr Spacek wrote: >>> On 12.8.2016 11:33, Jan Cholasta wrote: >>>> On 4.8.2016 18:18, Petr Vobornik wrote: >>>>>

Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-08-15 Thread Petr Spacek
On 2.8.2016 05:57, Fraser Tweedale wrote: >> > Hah! This is what I get for thinking I know what the output has to look >> > like, and not testing all the way through to requesting the cert. I'll >> > change the profile to generate a subject with CN= instead of UID=. Updated >> > patch is attached.

[Freeipa-devel] [PATCH 0159] Tests: fix test_forward_zones in test_xmlrpc/test_dns_plugin

2016-08-12 Thread Petr Spacek
-zones/locally-served-dns-zones.xhtml To fix this I simply removed the warning from set of expected results. https://fedorahosted.org/freeipa/ticket/6213 -- Petr^2 Spacek From 663178e3f305d25cd9ad53bbb85b80a89181b5b9 Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Dat

Re: [Freeipa-devel] [PATCH 0003][Tests] Fix for integration tests replication layouts

2016-08-12 Thread Petr Spacek
On 9.8.2016 16:55, Ganna Kaihorodova wrote: > Hello! > > Domain level 0 doesn't allow to create replica file on CA master, testcase > was skipped with Domain level 0 You mean on CA-less master, right? Petr^2 Spacek > https://fedorahosted.org/freeipa/ticket/6134

Re: [Freeipa-devel] [PATCH] 0090, 0092..0094 cert-show: show subject alternative names

2016-08-12 Thread Petr Spacek
On 12.8.2016 11:33, Jan Cholasta wrote: > On 4.8.2016 18:18, Petr Vobornik wrote: >> On 07/22/2016 07:13 AM, Fraser Tweedale wrote: >>> On Tue, Jul 19, 2016 at 08:50:34AM +0200, Jan Cholasta wrote: Hi, On 14.7.2016 13:44, Fraser Tweedale wrote: > Hi all, > > The attached

Re: [Freeipa-devel] [DESIGN][UPDATE] Time-Based HBAC Policies

2016-08-12 Thread Petr Spacek
On 11.8.2016 12:34, Stanislav Laznicka wrote: > Hello, > > I updated the design of the Time-Based HBAC Policies according to the > discussion we led here earlier. Please check the design page > http://www.freeipa.org/page/V4/Time-Based_Account_Policies. The biggest > changes are in the

[Freeipa-devel] [PATCH 0158] DNS: allow to add forward zone to already broken sub-domain

2016-08-12 Thread Petr Spacek
://fedorahosted.org/freeipa/ticket/6062 -- Petr^2 Spacek From cf6e9499db8b23d8f55e9caa32ee97c7ca1533e5 Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Fri, 12 Aug 2016 17:08:30 +0200 Subject: [PATCH] DNS: allow to add forward zone to already broken sub-domain Errors during DNS reso

[Freeipa-devel] [PATCH 0433-0434] Fix zone removal to respect forward configuration inheritance + Remove preserve_forwarding parameter from ldap_delete_zone2()

2016-08-12 Thread Petr Spacek
From: Petr Spacek <pspa...@redhat.com> Date: Thu, 11 Aug 2016 12:40:39 +0200 Subject: [PATCH] Remove preserve_forwarding parameter from ldap_delete_zone2(). The parameter was TRUE only when called from zone_security_change(). zone_security_change() is calling ldap_delete_zone2() in exclusiv

Re: [Freeipa-devel] [PATCH 0155] DNS server upgrade: do not fail when DNS server did not respond

2016-08-11 Thread Petr Spacek
On 11.8.2016 15:08, Petr Spacek wrote: > Hello, > > DNS server upgrade: do not fail when DNS server did not respond > > Previously, update_dnsforward_emptyzones failed with an exception if > DNS query failed for some reason. Now the error is logged and upgrade > con

Re: [Freeipa-devel] [PATCH 0156] server upgrade: do not start BIND if it was not running before the upgrad

2016-08-11 Thread Petr Spacek
On 11.8.2016 15:17, Petr Spacek wrote: > On 11.8.2016 15:10, Petr Spacek wrote: >> Hello, >> >> server upgrade: do not start BIND if it was not running before the upgrade >> >> https://fedorahosted.org/freeipa/ticket/6206 > > Here is variant for master branc

Re: [Freeipa-devel] [PATCH 0156] server upgrade: do not start BIND if it was not running before the upgrad

2016-08-11 Thread Petr Spacek
On 11.8.2016 15:10, Petr Spacek wrote: > Hello, > > server upgrade: do not start BIND if it was not running before the upgrade > > https://fedorahosted.org/freeipa/ticket/6206 Here is variant for master branch. -- Petr^2 Spacek From 4816abee9150db26b330fa4ce99b4fb8f51597a1 Mon

[Freeipa-devel] [PATCH 0156] server upgrade: do not start BIND if it was not running before the upgrad

2016-08-11 Thread Petr Spacek
Hello, server upgrade: do not start BIND if it was not running before the upgrade https://fedorahosted.org/freeipa/ticket/6206 -- Petr^2 Spacek From a01799ca093cc5572c11d9f73c90b8ee71a48d70 Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Thu, 11 Aug 2016 15:10:04

[Freeipa-devel] [PATCH 0155] DNS server upgrade: do not fail when DNS server did not respond

2016-08-11 Thread Petr Spacek
:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Thu, 11 Aug 2016 13:44:29 +0200 Subject: [PATCH] DNS server upgrade: do not fail when DNS server did not respond Previously, update_dnsforward_emptyzones failed with an exception if DNS query failed for some reason. Now the error is

Re: [Freeipa-devel] [PATCH 0013-0015] Automatic CSR generation - usability improvements

2016-08-10 Thread Petr Spacek
On 9.8.2016 22:07, Ben Lipton wrote: > Aaand there's a typo in patch 15. Updated version attached. Ben, it would be great if you can always send whole patch set, including the patches which were not changed from the previous iteration. It is getting quite hard to follow and mix-and-match

Re: [Freeipa-devel] [PATCH 0151-0152] install: Call hostnamectl set-hostname only if --hostname option is use server-install: Fix --hostname option to always override api.env value

2016-08-10 Thread Petr Spacek
On 10.8.2016 08:21, Jan Cholasta wrote: > On 1.8.2016 17:42, Petr Spacek wrote: >> On 1.8.2016 08:27, Jan Cholasta wrote: >>> On 28.7.2016 16:55, Petr Spacek wrote: >>>> On 28.7.2016 16:44, Jan Cholasta wrote: >>>>> On 28.7.2016 16:37, Petr Spacek w

Re: [Freeipa-devel] [PATCH 0561] backup: backup /etc/tmpfiles.d/dirsrv-instance-*

2016-08-09 Thread Petr Spacek
On 9.8.2016 12:37, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/6165 ACK -- Petr^2 Spacek -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCH 0002] Fix ipa-caacl-add-service error message

2016-08-09 Thread Petr Spacek
On 9.8.2016 16:16, Tomas Krizek wrote: > Hi, > > please review the attached patch. ACK -- Petr^2 Spacek

Re: [Freeipa-devel] [PATCH 686] Revert "spec: add conflict with bind-chroot to freeipa-server-dns"

2016-08-09 Thread Petr Spacek
On 9.8.2016 14:16, Jan Cholasta wrote: > Hi, > > the attached patch fixes . ACK For historians: Further discussion can be found in https://bugzilla.redhat.com/show_bug.cgi?id=1309700. -- Petr^2 Spacek

Re: [Freeipa-devel] [PATCH 0154] client: RPM require initscripts to get *-domainname.service

2016-08-08 Thread Petr Spacek
On 8.8.2016 13:37, Jan Cholasta wrote: > Hi, > > On 8.8.2016 13:22, Petr Spacek wrote: >> Hello, >> >> client: RPM require initscripts to get *-domainname.service >> >> https://fedorahosted.org/freeipa/ticket/4831 > > IIRC there was a t

[Freeipa-devel] [PATCH 0154] client: RPM require initscripts to get *-domainname.service

2016-08-08 Thread Petr Spacek
Hello, client: RPM require initscripts to get *-domainname.service https://fedorahosted.org/freeipa/ticket/4831 -- Petr^2 Spacek From b542e09b6d52b7ce22e47b6c08eb692b9f3b91b7 Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Mon, 8 Aug 2016 13:13:18 +0200 Subject:

Re: [Freeipa-devel] [PATCH 0214] Support schema files for external plugins

2016-08-08 Thread Petr Spacek
On 8.8.2016 11:34, Alexander Bokovoy wrote: > Hi! > > Attached patch is what is needed to allow external plugins for FreeIPA > framework to be functional if they need to extend a schema. > > The idea is that we would have a separate directory as > /usr/share/ipa/schema.d and will allow to use

Re: [Freeipa-devel] [PATCH 0153] Fix ipa-replica-prepare's error message about missing local CA instanc

2016-08-04 Thread Petr Spacek
On 3.8.2016 22:56, Ben Lipton wrote: > > On 08/01/2016 11:38 AM, Petr Spacek wrote: >> Hello, >> >> Fix ipa-replica-prepare's error message about missing local CA instance >> >> ipa-replica-prepare must be run on a replica with CA or all the certs >

Re: [Freeipa-devel] [PATCH]: 0098-99 : Split make lint to more targets and add jslint

2016-08-02 Thread Petr Spacek
On 2.8.2016 17:12, Rob Crittenden wrote: > Pavel Vomacka wrote: >> Hello, >> >> please review attached patches which Split make lint to more targets and >> add jslint > > What's the driver to split the checks out into separate targets? > > You are moving the makeapi and makeaci from

Re: [Freeipa-devel] [PATCH]: 0098-99 : Split make lint to more targets and add jslint

2016-08-02 Thread Petr Spacek
On 2.8.2016 17:12, Rob Crittenden wrote: > Pavel Vomacka wrote: >> Hello, >> >> please review attached patches which Split make lint to more targets and >> add jslint > > What's the driver to split the checks out into separate targets? Most importantly, makeapi and makeaci do not need to be

Re: [Freeipa-devel] [PATCH] 0001 six.u function instead of the decode

2016-08-01 Thread Petr Spacek
On 1.8.2016 18:31, Martin Basti wrote: > > > On 28.07.2016 18:29, Ariel Barria wrote: >> 2016-07-28 7:10 GMT-05:00 Petr Spacek <pspa...@redhat.com>: >>> On 27.7.2016 18:26, Ariel Barria wrote: >>>> 2016-07-26 9:39 GMT-05:00 Petr Spacek <pspa...@redhat

[Freeipa-devel] [PATCH 0153] Fix ipa-replica-prepare's error message about missing local CA instanc

2016-08-01 Thread Petr Spacek
CA instance into one text. https://fedorahosted.org/freeipa/ticket/6134 -- Petr^2 Spacek From c47c6966107f7d913137667cb9164f5f43c5daaa Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Mon, 1 Aug 2016 17:32:04 +0200 Subject: [PATCH] Fix ipa-replica-prepare's error message

Re: [Freeipa-devel] [PATCH 0151-0152] install: Call hostnamectl set-hostname only if --hostname option is use server-install: Fix --hostname option to always override api.env value

2016-08-01 Thread Petr Spacek
On 1.8.2016 08:27, Jan Cholasta wrote: > On 28.7.2016 16:55, Petr Spacek wrote: >> On 28.7.2016 16:44, Jan Cholasta wrote: >>> On 28.7.2016 16:37, Petr Spacek wrote: >>>> On 28.7.2016 16:35, Jan Cholasta wrote: >>>>> On 28.7.2016 16:20, Petr Spacek wro

Re: [Freeipa-devel] [PATCH 0004-0012] Automatic CSR generation

2016-07-29 Thread Petr Spacek
On 27.7.2016 19:06, Ben Lipton wrote: > Hi all, > > I think the automatic CSR generation feature > (https://fedorahosted.org/freeipa/ticket/4899, > http://www.freeipa.org/page/V4/Automatic_Certificate_Request_Generation) is > stable enough to review now. The following are summaries of the

Re: [Freeipa-devel] [PATCH 0151-0152] install: Call hostnamectl set-hostname only if --hostname option is use server-install: Fix --hostname option to always override api.env value

2016-07-28 Thread Petr Spacek
On 28.7.2016 16:44, Jan Cholasta wrote: > On 28.7.2016 16:37, Petr Spacek wrote: >> On 28.7.2016 16:35, Jan Cholasta wrote: >>> On 28.7.2016 16:20, Petr Spacek wrote: >>>> Hello, >>>> >>>> install: Call hostnamectl set-hostname only if --hos

Re: [Freeipa-devel] [PATCH 0151-0152] install: Call hostnamectl set-hostname only if --hostname option is use server-install: Fix --hostname option to always override api.env value

2016-07-28 Thread Petr Spacek
On 28.7.2016 16:35, Jan Cholasta wrote: > On 28.7.2016 16:20, Petr Spacek wrote: >> Hello, >> >> install: Call hostnamectl set-hostname only if --hostname option is used >> >> This commit also splits hostname backup and configuration into two separate >

[Freeipa-devel] [PATCH 0151-0152] install: Call hostnamectl set-hostname only if --hostname option is use server-install: Fix --hostname option to always override api.env value

2016-07-28 Thread Petr Spacek
set should fix problems you have seen in containers. -- Petr^2 Spacek From 39a514f6818811d45e495da9bff7411df199a3fb Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Tue, 12 Jul 2016 17:42:40 +0200 Subject: [PATCH] server-install: Fix --hostname option to always ov

Re: [Freeipa-devel] [PATCH] 0001 six.u function instead of the decode

2016-07-28 Thread Petr Spacek
On 27.7.2016 18:26, Ariel Barria wrote: > 2016-07-26 9:39 GMT-05:00 Petr Spacek <pspa...@redhat.com>: >> On 26.7.2016 16:28, Jan Cholasta wrote: >>> Hi, >>> >>> On 26.7.2016 16:09, Martin Basti wrote: >>>> >>>> >>>> On

Re: [Freeipa-devel] [PATCH] 0002 Add client install option to set ipa_backup_server

2016-07-28 Thread Petr Spacek
On 27.7.2016 20:03, Martin Basti wrote: > > > On 26.07.2016 17:01, Ariel Barria wrote: >> Hello everyone. >> >> I send patch for review. >> >> Regards, >> >> > Hello, thank you for the patch, but I have a few comments: > > 1) > can you please use option --backup-server instead of

[Freeipa-devel] documentation: Manually Configuring a Linux Client & host-add-managedby

2016-07-27 Thread Petr Spacek
Hello list, question from users led me to reading about host-add-managedby. While doing so I found out procedure listed on https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html-single/Linux_Domain_Identity_Authentication_and_Policy_Guide/#host-setup-proc and I wonder if it

Re: [Freeipa-devel] [PATCH] 0001 six.u function instead of the decode

2016-07-26 Thread Petr Spacek
On 26.7.2016 16:28, Jan Cholasta wrote: > Hi, > > On 26.7.2016 16:09, Martin Basti wrote: >> >> >> On 22.07.2016 00:14, Ariel Barria wrote: >>> Hello everyone. >>> >>> I send patch for review. > > NACK, six.u() is supposed to be used on string literals *only* [1]. > > A proper fix would be

Re: [Freeipa-devel] [PATCH 0003] Fix several small typos

2016-07-26 Thread Petr Spacek
On 25.7.2016 17:00, Ben Lipton wrote: > On 07/18/2016 04:54 PM, Lukas Slebodnik wrote: >> On (18/07/16 16:38), Petr Spacek wrote: >>> On 14.7.2016 16:11, Ben Lipton wrote: >>>> On 07/14/2016 04:09 AM, Alexander Bokovoy wrote: >>>>> On Wed, 13 Jul 2016,

Re: [Freeipa-devel] [PATCH 0150] replica-install: Fix --domain

2016-07-25 Thread Petr Spacek
On 25.7.2016 16:16, Jan Cholasta wrote: > On 25.7.2016 15:55, Petr Spacek wrote: >> Hello, >> >> replica-install: Fix --domain >> >> Replica installation must not check existence of --domain - the domain >> must (logically) exist. >> >> htt

[Freeipa-devel] [PATCH 0150] replica-install: Fix --domain

2016-07-25 Thread Petr Spacek
Hello, replica-install: Fix --domain Replica installation must not check existence of --domain - the domain must (logically) exist. https://fedorahosted.org/freeipa/ticket/6130 -- Petr^2 Spacek From 2a038b63f0ad6bc1e68ca62821efa8ced4f32a59 Mon Sep 17 00:00:00 2001 From: Petr Spacek <p

[Freeipa-devel] [PATCH 0432] Prevent crash while reloading an invalid DNS zone

2016-07-22 Thread Petr Spacek
record to ns.test. -> CRASH! https://fedorahosted.org/bind-dyndb-ldap/ticket/166 -- Petr^2 Spacek From 97897d97c68f34d35b95aaf05bb0d2e2da727932 Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Fri, 22 Jul 2016 16:44:17 +0200 Subject: [PATCH] Prevent crash while

Re: [Freeipa-devel] [PATCH] 0012 Fix session cookies

2016-07-22 Thread Petr Spacek
On 22.7.2016 10:08, Florence Blanc-Renaud wrote: > Hi, > > please find attached a patch related to session cookies used by IPA API. > > https://fedorahosted.org/freeipa/ticket/5984 ACK -- Petr^2 Spacek

Re: [Freeipa-devel] [PATCH 0555] AVC: use copy during instalation to keep SELinux context valid

2016-07-22 Thread Petr Spacek
On 21.7.2016 19:49, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/6111 > > I was able to reproduce this locally with vagrant, but I haven't been able to > reproduce this in LAB, I don't know where differences are (cloud vs desktop > fedora?) > > > Patch attached. ACK --

Re: [Freeipa-devel] [PATCH 0556] host-del: fix behavior of --updatedns and PTR records

2016-07-22 Thread Petr Spacek
On 21.7.2016 20:01, Martin Basti wrote: > https://fedorahosted.org/freeipa/ticket/6060 > > > Patch attached. ACK -- Petr^2 Spacek

Re: [Freeipa-devel] [PATCH 0149] help: Add dnsserver commands to help topic 'dns'

2016-07-22 Thread Petr Spacek
On 15.7.2016 12:05, David Kupka wrote: > On 12/07/16 12:54, Petr Spacek wrote: >> Hello, >> >> help: Add dnsserver commands to help topic 'dns' >> >> https://bugzilla.redhat.com/show_bug.cgi?id=1353888 >> > Hi! > > Your patch turns dnsserver to

Re: [Freeipa-devel] [DESIGN] Text-based rules for CSR autogeneration using Jinja2

2016-07-21 Thread Petr Spacek
On 20.7.2016 19:25, Ben Lipton wrote: > On 07/20/2016 12:21 PM, Simo Sorce wrote: >> On Wed, 2016-07-20 at 12:14 -0400, Ben Lipton wrote: >>> On 07/20/2016 10:37 AM, Simo Sorce wrote: On Wed, 2016-07-20 at 10:17 -0400, Ben Lipton wrote: > On 07/20/2016 06:27 AM, Simo Sorce wrote: >>

Re: [Freeipa-devel] Using RPZ to overcome multi Kerberos domains and multiple DNS authorities.

2016-07-19 Thread Petr Spacek
On 18.7.2016 19:44, Jim Glenz wrote: > IPA DNS configuration using Response Policy Zone (RPZ). > > IPA utilizes DNS extensively to locate service records (SRV) and text > records (TXT) associated with the Kerberos realm. > IPA also heavily require DNS A records and PTR records to function >

Re: [Freeipa-devel] [PATCH 0003] Fix several small typos

2016-07-18 Thread Petr Spacek
On 14.7.2016 16:11, Ben Lipton wrote: > On 07/14/2016 04:09 AM, Alexander Bokovoy wrote: >> On Wed, 13 Jul 2016, Ben Lipton wrote: >>> Nothing too exciting, just fixes a few typos I've noticed in comments. >> ACK. However, please file a ticket and mention it in the commit message. Is it worth the

Re: [Freeipa-devel] CI DNS locations: basic test for SRV records

2016-07-18 Thread Petr Spacek
On 8.7.2016 14:01, Martin Basti wrote: > See commit message for details. Patch attached. > > > This test does not cover: > > * NTP service records > > * ipa-ca A/ records > > * ADTrust records > > Should I open tickets to cover cases above? ACK -- Petr^2 Spacek

Re: [Freeipa-devel] [PATCH] spec: require Dogtag >= 10.3.3-3

2016-07-12 Thread Petr Spacek
On 8.7.2016 06:52, Fraser Tweedale wrote: > On Thu, Jul 07, 2016 at 01:16:04PM +0200, Petr Spacek wrote: >> Hello, >> >> IPA 4.4.0 requires Dogtag >= 10.3.4. Is this version going to be built for >> Fedora any time soon? >> >> Or should I update my script

[Freeipa-devel] [PATCH 0149] help: Add dnsserver commands to help topic 'dns'

2016-07-12 Thread Petr Spacek
Hello, help: Add dnsserver commands to help topic 'dns' https://bugzilla.redhat.com/show_bug.cgi?id=1353888 -- Petr^2 Spacek From 28e5f4d195c891a2eba2970c8a915469a2b0447f Mon Sep 17 00:00:00 2001 From: Petr Spacek <pspa...@redhat.com> Date: Tue, 12 Jul 2016 12:53:52 +0200 Subject: [PATCH

Re: [Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode

2016-07-08 Thread Petr Spacek
On 8.7.2016 15:31, Rob Crittenden wrote: > Petr Spacek wrote: >> Hi, >> >> our docs >> >> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#in

[Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode

2016-07-08 Thread Petr Spacek
Hi, our docs https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca claim this: "The certmonger service is not used to track certificates. Therefore, it does not warn you of

Re: [Freeipa-devel] Proposed patch to resolve #828866 [RFE] enhance --subject option for ipa-server-install

2016-07-08 Thread Petr Spacek
On 8.7.2016 05:42, Fraser Tweedale wrote: > > 2. If argument contains CN but it is not the "most specific" > RDN, move it to the front (to satisfy requirement of Dogtag > profile). I wonder if we can relax the requirement in Dogtag so no reordering is needed. After all, DN is

[Freeipa-devel] IPA clients in AD DNS domain & Kerberos referrals

2016-07-07 Thread Petr Spacek
Hello, this is probably a silly idea ... I wonder if there is some way to use Kerberos referrals on AD side in a way which would return cross-realm referral to IPA realm. Maybe it could be used in Frankenstein setup where IPA client belongs to a DNS domain managed by AD ... I do not know, just

Re: [Freeipa-devel] [PATCH] kdb: check for local realm in enterprise principals

2016-07-07 Thread Petr Spacek
On 7.7.2016 13:52, Sumit Bose wrote: > On Thu, Jul 07, 2016 at 01:31:03PM +0200, Petr Vobornik wrote: >> On 07/06/2016 07:01 PM, Sumit Bose wrote: >>> Hi, >>> >>> although enterprise principals for trusted domains now are working as >>> expected they do not work for the local domain: >>> >>> #

[Freeipa-devel] Dogtag 10.3.4 in Fedora 24?

2016-07-07 Thread Petr Spacek
Hello, IPA 4.4.0 requires Dogtag >= 10.3.4. Is this version going to be built for Fedora any time soon? Or should I update my scripts to automatically enable COPR @freeipa/freeipa-master in my testing VMs? Thanks. Petr^2 Spacek > commit 45daffa22fcc6c481a8302f1947a5e0ded0b3eb8 > CommitDate:

Re: [Freeipa-devel] [PATCH 0548] Fix replica install with CA

2016-07-01 Thread Petr Spacek
On 30.6.2016 18:05, Martin Basti wrote: > > > On 30.06.2016 13:20, Martin Basti wrote: >> >> >> On 30.06.2016 13:18, Petr Spacek wrote: >>> On 30.6.2016 13:04, Martin Basti wrote: >>>> https://fedorahosted.org/freeipa/ticket/5966 &g

Re: [Freeipa-devel] [PATCH] 0046 Create server certs with DNS altname

2016-07-01 Thread Petr Spacek
On 20.1.2016 05:04, Fraser Tweedale wrote: > On Tue, Dec 08, 2015 at 07:06:39PM +1000, Fraser Tweedale wrote: >> On Mon, Dec 07, 2015 at 05:50:05PM -0500, Rob Crittenden wrote: >>> Fraser Tweedale wrote: On Mon, Dec 07, 2015 at 01:53:15PM +0100, Martin Kosek wrote: > On 12/07/2015 06:26
