[Freeipa-devel] [freeipa PR#768][comment] Ticket#6854 caless

2017-05-09 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/768 Title: #768: Ticket#6854 caless abbra commented: """ PKINIT certificates are used by `krb5kdc` which uses OpenSSL. It means they cannot be placed in an NSSDB. """ See the full comment at https://githu

[Freeipa-devel] [freeipa PR#756][comment] Added plugins directory to paclient subpackages

2017-05-03 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/756 Title: #756: Added plugins directory to paclient subpackages abbra commented: """ Note that we want this fix in 4.4 branch as well -- it affects F25. """ See the full comment at https://github.com/freeipa/freeipa/p

[Freeipa-devel] [freeipa PR#751][+ack] ipa-client-install: remove extra space in pkinit_anchors definition

2017-05-02 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/751 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

[Freeipa-devel] [freeipa PR#751][comment] ipa-client-install: remove extra space in pkinit_anchors definition

2017-05-02 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/751 Title: #751: ipa-client-install: remove extra space in pkinit_anchors definition abbra commented: """ LGTM. For the record, this is broken since cf1c4e84e74ea15fe5cf7219872cf131bd53281e which is in 4.5.0 release. So we n

[Freeipa-devel] [freeipa PR#724][comment] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…

2017-04-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/724 Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… abbra commented: """ LGTM """ See the full comment at https://github.com/freeipa/freeipa/pull/724#issuecomment-29585549

[Freeipa-devel] [freeipa PR#724][+ack] upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is…

2017-04-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/724 Title: #724: upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is… Label: +ack

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install abbra commented: """ Yep. Then this PR can be merged once you removed distinction external/full. """ See the full comment at https://g

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install abbra commented: """ I agree that it is internal detail whether we use local pkinit or not. However, we need to know that it is existing as opposed

[Freeipa-devel] [freeipa PR#694][+ack] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install Label: +ack

[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install

2017-04-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/694 Title: #694: RFC: implement local PKINIT deployment in server/replica install abbra commented: """ I read through the code and I believe it addresses all use cases we have been discussing. LGTM. """ See the full

[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes

2017-04-19 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ Well, given that it is not officially supported yet, go ahead. """ See the full comment at https://github.com/freeipa/freeipa/p

[Freeipa-devel] [freeipa PR#716][comment] Fix minor typos

2017-04-16 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/716 Title: #716: Fix minor typos abbra commented: """ Thanks for this pull request. There are no tickets associated with these changes. The changes themselves are controversial. Do not change `--forwarder-*` to `--forward

[Freeipa-devel] [freeipa PR#709][+ack] Fix s4u2self with adtrust

2017-04-11 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/709 Title: #709: Fix s4u2self with adtrust Label: +ack -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#682][synchronized] ipaserver/dcerpc: unify error processing

2017-04-11 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipaserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 From

[Freeipa-devel] [freeipa PR#682][synchronized] ipaserver/dcerpc: unify error processing

2017-04-11 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipaserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 From

[Freeipa-devel] [freeipa PR#682][edited] ipaserver/dcerpc: unify error processing

2017-04-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipaserver/dcerpc: unify error processing Action: edited Changed field: title Original value: """ ipserver/dcerpc: unify error processing """

[Freeipa-devel] [freeipa PR#682][synchronized] ipserver/dcerpc: unify error processing

2017-04-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 From

[Freeipa-devel] [freeipa PR#682][synchronized] ipserver/dcerpc: unify error processing

2017-04-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682 From

[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes

2017-04-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ Ok, so far I cannot build a wheel from git repo on Mac OS X as we have a number of limitations ourselves -- we need to fix our configure to allow j

[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes

2017-04-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ I still need to test the whole set on Mac OS X myself as we have no way to test that in CI. Thus, this PR will depend on me (or someone else fro

[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes

2017-04-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ Note that we need something similar to https://github.com/untitaker/python-atomicwrites/commit/2bdd9dae62b7434c7b2383ce45fb515bdf70c3c3 to behave pro

[Freeipa-devel] [freeipa PR#699][comment] ipaclient/ipapython macOS compatibility fixes

2017-04-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes abbra commented: """ Please don't set ACK yet, I'm not finished with review. I do not want to replace fdatasync() with fsync(), this is not correct towards other platf

[Freeipa-devel] [freeipa PR#699][-ack] ipaclient/ipapython macOS compatibility fixes

2017-04-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: ipaclient/ipapython macOS compatibility fixes Label: -ack

[Freeipa-devel] [freeipa PR#682][edited] [WIP] ipserver/dcerpc: unify error processing

2017-04-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: [WIP] ipserver/dcerpc: unify error processing Action: edited Changed field: title Original value: """ [WIP] ipserver/dcerpc: unify error processing """

[Freeipa-devel] [freeipa PR#682][comment] [WIP] ipserver/dcerpc: unify error processing

2017-04-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Title: #682: [WIP] ipserver/dcerpc: unify error processing abbra commented: """ Updated patches and descriptions to include bug references. """ See the full comment at https://github.com/freeipa/freeipa/p

[Freeipa-devel] [freeipa PR#682][synchronized] [WIP] ipserver/dcerpc: unify error processing

2017-04-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: [WIP] ipserver/dcerpc: unify error processing Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/682/head:pr682 git checkout pr682

[Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS

2017-04-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: Fix libkrb5 filename for macOS abbra commented: """ There is a PEP8 error: PEP-8 errors: ./ipapython/session_storage.py:11:21: E225 missing whitespace around operator """ See the full comment

[Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS

2017-04-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: Fix libkrb5 filename for macOS abbra commented: """ Ok. Let me look at it next week when I'll have time. Could you please add a short step by step instruction how you configured IPA client on Mac OS X? ""

[Freeipa-devel] [freeipa PR#699][comment] Fix libkrb5 filename for macOS

2017-04-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/699 Title: #699: Fix libkrb5 filename for macOS abbra commented: """ Thanks. Do you have IPA client code working on Mac OS X? """ See the full comment at https://github.com/freeipa/freeipa/pull/699#issuecom

[Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry

2017-04-06 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry abbra commented: """ LGTM. `nltest /sc_verify:ipa.example.test` works thanks to this pull request: ``` C:\Users\Administrator>nltest /sc_quer

[Freeipa-devel] [freeipa PR#632][+ack] ipa-sam: create the gidNumber attribute in the trusted domain entry

2017-04-06 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry Label: +ack

[Freeipa-devel] [freeipa PR#632][comment] ipa-sam: create the gidNumber attribute in the trusted domain entry

2017-04-03 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/632 Title: #632: ipa-sam: create the gidNumber attribute in the trusted domain entry abbra commented: """ Thanks. I read through the code and it looks good to me. I'm going to test it together with my work on ipasam_update_sam_acc

[Freeipa-devel] [freeipa PR#682][comment] ipserver/dcerpc: unify error processing

2017-04-03 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Title: #682: ipserver/dcerpc: unify error processing abbra commented: """ Note: this is WIP, I'm waiting for Sudhir to provide a bug and logs that show the changes he encountered when running existing test suite against Samba

[Freeipa-devel] [freeipa PR#682][opened] ipserver/dcerpc: unify error processing

2017-04-03 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/682 Author: abbra Title: #682: ipserver/dcerpc: unify error processing Action: opened PR body: """ Samba error code reporting changes from version to version but we also did not provide proper input into DCE RPC error processing

[Freeipa-devel] [freeipa PR#672][comment] IPA-KDB: use relative path in ipa-certmap config snippet

2017-03-30 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/672 Title: #672: IPA-KDB: use relative path in ipa-certmap config snippet abbra commented: """ > @sumit-bose What happens when the shared library is missing? Does 32bit kinit > fail or work on a X86_64 system when 32bi

[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa

[Freeipa-devel] [freeipa PR#629][comment] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/629 Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration abbra commented: """ Removed backslashes and also moved the check to be the first step when creating an instance. ""

[Freeipa-devel] [freeipa PR#629][synchronized] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa

[Freeipa-devel] [freeipa PR#669][comment] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/669 Title: #669: server: make sure we test for sss_nss_getlistbycert abbra commented: """ On the systems where pkg-config is available, positive result from pkg-config check means headers are available because pkg-config

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires abbra commented: """ I submitted https://github.com/freeipa/freeipa/pull/669 for that """ See the full comment at https://github.com/freeipa

[Freeipa-devel] [freeipa PR#669][opened] server: make sure we test for sss_nss_getlistbycert

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/669 Author: abbra Title: #669: server: make sure we test for sss_nss_getlistbycert Action: opened PR body: """ Fixes https://pagure.io/freeipa/issue/6828 """ To pull the PR as Git branch: git remote add ghfreeipa http

[Freeipa-devel] [freeipa PR#668][comment] spec file: bump libsss_nss_idmap-devel BuildRequires

2017-03-29 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/668 Title: #668: spec file: bump libsss_nss_idmap-devel BuildRequires abbra commented: """ No, It will make downstream harder because RHEL downstream will only have 1.15.2 with patches on top of that version. I have a pull

[Freeipa-devel] [freeipa PR#649][+ack] Session cookie storage and handling fixes

2017-03-27 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes Label: +ack

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-27 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes abbra commented: """ LGTM to me. @simo5 explained that `expiry=...` substring is part of the actual cookie `mod_session` adds (it is timestamp in nanoseconds) -- Cookie clas

[Freeipa-devel] [freeipa PR#640][comment] Remove pkinit options from master/replica on DL0

2017-03-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/640 Title: #640: Remove pkinit options from master/replica on DL0 abbra commented: """ Good question. I think we should remove all mentioning of PKINIT options for DL0 and explicitly configure local CA there. On DL1 we already requ

[Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules

2017-03-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules abbra commented: """ I haven't seen any custom plugin that used `rdn_is_private_key`. We can document the change in release notes. """ See the full comment

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes abbra commented: """ @simo5, I think I found why it happened -- I actually had krbMaxTicketLife set for HTTP/... principal to 300 seconds. So I think your patches are goo

[Freeipa-devel] [freeipa PR#639][comment] WebUI: Login for AD Users

2017-03-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/639 Title: #639: WebUI: Login for AD Users abbra commented: """ LGTM and works just fine: ![](https://vda.li/images/freeipa-web-ui-login-ad-user.png) """ See the full comment at https://github.com/freeipa/freeipa/p

[Freeipa-devel] [freeipa PR#649][comment] Session cookie storage and handling fixes

2017-03-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/649 Title: #649: Session cookie storage and handling fixes abbra commented: """ I tested the whole patchset. It worked for me first time I've got cookie expired. However, it broke in ~10 minutes afterwards -- apparently, keyring c

[Freeipa-devel] [freeipa PR#575][comment] IPA certauth plugin

2017-03-23 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/575 Title: #575: IPA certauth plugin abbra commented: """ The code LGTM. Once updated SSSD is added to freeipa-master copr, let's see what CI says. Authentication indicators' handling would need to be added in a separate PR onc

[Freeipa-devel] [freeipa PR#644][comment] extdom: improve certificate request

2017-03-23 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/644 Title: #644: extdom: improve certificate request abbra commented: """ LGTM. I read the code but since SSSD counterpart is currently on review, travis fails the build. """ See the full comment at https://githu

[Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/638 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches abbra commented: """ Yes, KCM will work. However, I wonder if we could use a different approach by storing cookie in a fake ticket with a proper lifetime se

[Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo and HBAC rules

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo and HBAC rules abbra commented: """ I like the idea but please address @HonzaCholasta comments. """ See the full comment at https://github.com/freeipa/freeipa/pull/617#issuecom

[Freeipa-devel] [freeipa PR#637][synchronized] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/637 Author: abbra Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/637

[Freeipa-devel] [freeipa PR#637][comment] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/637 Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection abbra commented: """ Removed try: finally: block, I agree that it is better to propagate error up the stack. """

[Freeipa-devel] [freeipa PR#638][comment] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/638 Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches abbra commented: """ Note: this is WIP, please test it against KEYRING: ccaches. """ See the full comment at https://github.com/freeipa

[Freeipa-devel] [freeipa PR#638][opened] ipalib/rpc.py: Fix session handling for KEYRING: ccaches

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/638 Author: abbra Title: #638: ipalib/rpc.py: Fix session handling for KEYRING: ccaches Action: opened PR body: """ MIT Kerberos allows to store configuration entries in the ccache. Unfortunately, there are big differences betwe

[Freeipa-devel] [freeipa PR#637][opened] ldap2: use LDAP whoami operation to retrieve bind DN for current connection

2017-03-22 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/637 Author: abbra Title: #637: ldap2: use LDAP whoami operation to retrieve bind DN for current connection Action: opened PR body: """ For external users which are mapped to some DN in LDAP server, we wouldn't necessarily be able to

[Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py

2017-03-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py abbra commented: """ Ok, let's go with `user-mod` as original request goes, based on the fact that we are not changing the password, we are changing its properties.

[Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py

2017-03-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py abbra commented: """ Hm. `ipa user-mod` has --random and also supports specifying --password, so yes, both interfaces should be provided. """

[Freeipa-devel] [freeipa PR#629][opened] adtrust: make sure that runtime hostname result is consistent with the configuration

2017-03-20 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/629 Author: abbra Title: #629: adtrust: make sure that runtime hostname result is consistent with the configuration Action: opened PR body: """ FreeIPA's `ipasam` module to Samba uses gethostname() call to identify own ser

[Freeipa-devel] [freeipa PR#621][comment] Add --force-password-reset to user_mod in user.py

2017-03-18 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/621 Title: #621: Add --force-password-reset to user_mod in user.py abbra commented: """ I would prefer this to be an option in `ipa passwd`, e.g. `ipa passwd --force-reset` which instead of modifying a user passwo

[Freeipa-devel] [freeipa PR#617][comment] Allow renaming of sudo rules

2017-03-17 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/617 Title: #617: Allow renaming of sudo rules abbra commented: """ I don't like that it is done on the client side. This will not work for Web UI, for example. Additionally, no validation of cn={newname} is here to be a single value

[Freeipa-devel] [freeipa PR#600][comment] CONFIGURE: Improve detection of xmlrpc_c flags

2017-03-15 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/600 Title: #600: CONFIGURE: Improve detection of xmlrpc_c flags abbra commented: """ LGTM. Falling back to a standard check is fine. """ See the full comment at https://github.com/freeipa/freeipa/pull/600#issuecom

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-14 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution abbra commented: """ Yes, it is expected too. Remember that 'Default Trust View' is a view that applies globally. You have already global setting to

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/582 Title: #582: Remove pkinit from ipa-replica-prepare abbra commented: """ They were in DL0 in `ipa-server-install` for a very long time and never worked. We left them there to make sure we can get them back to work sometime

[Freeipa-devel] [freeipa PR#582][comment] Remove pkinit from ipa-replica-prepare

2017-03-14 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/582 Title: #582: Remove pkinit from ipa-replica-prepare abbra commented: """ LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/582#issuecomment-286447734

[Freeipa-devel] [freeipa PR#573][comment] Provide centralized management of user short name resolution

2017-03-13 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/573 Title: #573: Provide centralized management of user short name resolution abbra commented: """ I don't see ACI.txt regenerated. """ See the full comment at https://github.com/freeipa/freeipa/pull/573#issuecom

[Freeipa-devel] [freeipa PR#570][opened] ipaserver/dcerpc.py: use arcfour_encrypt from samba

2017-03-10 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/570 Author: abbra Title: #570: ipaserver/dcerpc.py: use arcfour_encrypt from samba Action: opened PR body: """ Samba Python bindings provide samba.arcfour_encrypt(key, data). Instead of implementing own wrapper, use Samba's.

[Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install

2017-03-09 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install abbra commented: """ @simo5 KDC starts just fine with missing certs. It disables PKINIT if certs aren't reachable. However, if KDC is not running at

[Freeipa-devel] [freeipa PR#564][comment] Reconfigure Kerberos library config as the last step of KDC install

2017-03-09 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/564 Title: #564: Reconfigure Kerberos library config as the last step of KDC install abbra commented: """ LGTM. """ See the full comment at https://github.com/freeipa/freeipa/pull/564#issuecomment-28541839

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-09 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command abbra commented: """ Done. I've also updated the design page to reflect the changes. """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-28534046

[Freeipa-devel] [freeipa PR#535][synchronized] add whoami command

2017-03-09 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/535 Author: abbra Title: #535: add whoami command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/535/head:pr535 git checkout pr535 From

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-09 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command abbra commented: """ Updated. """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285310604

[Freeipa-devel] [freeipa PR#535][synchronized] add whoami command

2017-03-09 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/535 Author: abbra Title: #535: add whoami command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/535/head:pr535 git checkout pr535 From

[Freeipa-devel] [freeipa PR#535][synchronized] add whoami command

2017-03-09 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/535 Author: abbra Title: #535: add whoami command Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/535/head:pr535 git checkout pr535 From

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-08 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command abbra commented: """ We can disable it for CLI, that's not a problem. """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-285085254

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-08 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command abbra commented: """ Uhm, no, I don't want that. It makes the command behave differently depending on a context and that would be broken. For client-side plugin that would also be an abuse of int

[Freeipa-devel] [freeipa PR#420][comment] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-03-08 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/420 Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals abbra commented: """ Thanks. LGTM and works for me with IPA user, IPA host principal, and AD user. The latter cannot yet actually use Web UI but that i

[Freeipa-devel] [freeipa PR#420][+ack] Allow login to WebUI using Kerberos aliases/enterprise principals

2017-03-08 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/420 Title: #420: Allow login to WebUI using Kerberos aliases/enterprise principals Label: +ack

[Freeipa-devel] [freeipa PR#547][comment] Use GSS-SPNEGO if connecting locally

2017-03-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/547 Title: #547: Use GSS-SPNEGO if connecting locally abbra commented: """ LGTM but I think we should also update Requires: in the spec file to use cyrus-sasl-2.1.26-29.fc26 or later. """ See the full comment at http

[Freeipa-devel] [freeipa PR#545][comment] install_check: require IPv6 stack to be enabled

2017-03-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/545 Title: #545: install_check: require IPv6 stack to be enabled abbra commented: """ How is the /proc check going to play with containers? """ See the full comment at https://github.com/freeipa/freeipa/pull/545#issuecom

[Freeipa-devel] [freeipa PR#543][comment] Add options to allow ticket caching

2017-03-07 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/543 Title: #543: Add options to allow ticket caching abbra commented: """ LGTM. Here I'd also like to bump gssproxy and krb5 dependencies in the spec file. We need to ensure gssproxy is actually updated. """

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-03-06 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands abbra commented: """ You are correct in the fact that the search filter needs to be modified to allow matching entries without the nsAccountLock attribute set. "

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-03-05 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands abbra commented: """ The nsaccountlock *is* a virtual attribute in 389-ds: attributeTypes: ( 2.16.840.1.113730.3.1.610 NAME 'nsAccountLock' DE

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-03-02 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands abbra commented: """ Yes, you can add nsaccountlock attribute retrieval in the `pre_callback` and process it in the `post_callback`. nsaccountlock is an operat

[Freeipa-devel] [freeipa PR#535][comment] add whoami command

2017-03-02 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/535 Title: #535: add whoami command abbra commented: """ Design page: http://www.freeipa.org/page/V4/Who_Am_I_Command """ See the full comment at https://github.com/freeipa/freeipa/pull/535#issuecomment-28371655

[Freeipa-devel] [freeipa PR#535][opened] add whoami command

2017-03-02 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/535 Author: abbra Title: #535: add whoami command Action: opened PR body: """ `ipa whoami` command allows querying details about the currently authenticated identity. The command returns the following information: * object class na

[Freeipa-devel] [freeipa PR#526][comment] server install: do not attempt to issue PKINIT cert in CA-less

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: do not attempt to issue PKINIT cert in CA-less abbra commented: """ ACK for the patch. However, I'm not claiming that CA does not need to be trusted. What I'm saying is that for Anonymous PKINIT's u

[Freeipa-devel] [freeipa PR#526][+ack] server install: do not attempt to issue PKINIT cert in CA-less

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: do not attempt to issue PKINIT cert in CA-less Label: +ack

[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ This PR does not handle the upgrade case which is what Local CA considers. We don't need other systems to trust the certificate and we don't need

[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ No, you are wrong. Certmonger has its own local self-signed CA in all installs: # getcert list-cas CA 'local':

[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ This was, perhaps, missed in the original commit, though. The idea was that in CA-less mode we change request to use Local CA. ""

[Freeipa-devel] [freeipa PR#526][comment] server install: properly handle PKINIT-related options

2017-03-01 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/526 Title: #526: server install: properly handle PKINIT-related options abbra commented: """ An idea behind the original solution was to always produce a PKINIT certificate by certmonger in case of CA-less install to be able to have a

[Freeipa-devel] [freeipa PR#444][comment] Allow nsaccountlock to be searched in user-find commands

2017-02-28 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/444 Title: #444: Allow nsaccountlock to be searched in user-find commands abbra commented: """ nsaccountlock is an operational attribute, not a normal one. I don't like it being created all the time. You have to request it explici

[Freeipa-devel] [freeipa PR#516][comment] IdM Server: list all Employees with matching Smart Card

2017-02-28 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/516 Title: #516: IdM Server: list all Employees with matching Smart Card abbra commented: """ One thing I don't like is that SELinux policy requirements aren't mentioned. To allow the ipaapi user to talk to SSSD dbus interface, you have t

[Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

2017-02-27 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones abbra commented: """ Unless you specified --add-sids to ipa-adtrust-install (or `add_sids=True` in ADTrustInstance.setup() call), no task would be run. 'Activating sidgen t

[Freeipa-devel] [freeipa PR#508][comment] Fix ipa.service unit re. gssproxy

2017-02-27 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy abbra commented: """ Good point. I think we shouldn't restart ourselves as we anyway are listening on all interfaces with 0.0.0.0. """ See the full comment at http

[Freeipa-devel] [freeipa PR#479][comment] Merge AD trust installer into composite ones

2017-02-27 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/479 Title: #479: Merge AD trust installer into composite ones abbra commented: """ If you can differentiate how the installer is being run, then for composite installer always run add_sids. """ See the full comment

[Freeipa-devel] [freeipa PR#508][+ack] Fix ipa.service unit re. gssproxy

2017-02-24 Thread abbra
URL: https://github.com/freeipa/freeipa/pull/508 Title: #508: Fix ipa.service unit re. gssproxy Label: +ack