[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
stlaz commented:
"""
I would put broken KRA cert migration to lowest priority since https://github.com/freeipa/freeipa/pull/367 moves the original KRA cert anyway.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-280078231
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
tiran commented:
"""
Cookie parsing bug with FreeIPA 4.4 client: https://fedorahosted.org/freeipa/ticket/6676
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-280012485
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
tiran commented:
"""
FYI, KRA and vault are broken because KRA cert is not migrated: https://fedorahosted.org/freeipa/ticket/6675
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-280008032
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
Fixed upstream master:
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279925508
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
Thank you.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279925390
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
Done
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279859272
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
I would personally go with:

* Change session handling: 5959
* Generate tmpfiles config at install time: 5959
* Drop use of kinit_as_http from trust code: 5959
* Use Anonymous user to obtain FAST armor ccache: 5959
* Configure HTTPD to work via Gss-Proxy: 4189, 5959
* Separate RA cert store from the HTTP cert store: 5959
* Simplify NSSDatabase password file handling: 5959
* Always use /etc/ipa/ca.crt as CA cert file: 5959
* Add a new user to run the framework code: 5959
* Rationalize creation of RA and HTTPD NSS databases: 5959
* Fix uninstall stopping ipa.service: 5959
* Allow rpc callers to pass ccache and service names: 6543
* Explicitly pass down ccache names for connections: 6543
* Insure removal of session on identity change: 6543
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279729055
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
@simo5, is there an umbrella ticket? 5959 perhaps?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279716045
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
For some commits I was sure what ticket to use, for some I was not, so I elected not to put a specific ticket in there.
If you have a good idea of what ticket (of the External Authentication project) to apply to specific commits let me know and I can amend commit messages.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279709846
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
@simo5, most of the commits do not have a ticket link, is this intentional?
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279708615
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
Ok split the last stuff in 3 commits.
I remove the use of private ccache for a few reasons:

1. touches environment variables.
2. will unconditionally remove a ccache even when passed in, so it may end up removing the wrong thing
3. private_ccache is used in dcerpc code and I do not want to change semantics and risk breaking that code path
4. This fix is much smaller and removes one more yield, which is not a bad thing as it makes the code easier to read.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279700179
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
@simo5, I don't agree, the changes in `ipalib/rpc.py` are a pre-requisite for the changes in `ipatests/util.py`, but that doesn't mean they should be in the same commit, as they affect every use of `RPCClient`, not just the one in the tests. Following your logic, the whole PR should be just a single commit, which would be equally wrong.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279695377
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
We actually record the principal, change the patch to destroy session_cookie in create_connection if the principal is different.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279692958
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
The changes in ipalib/rpc.py are connected to the changes in ipatest/util.py, it makes no sense to keep them separate as in each patch I add respectively to connect() and disconnect() arguments that are used in ipatest/util.py

As for resetting session_cookie, when principal changes, I am all for it, except we do not record the principal in the rpc context ...
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279691469
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
@simo5, I don't think this is the correct approach. Rather than deleting `context.session_cookie` in `RPCClient.destroy_connection()` when requested, it should be done automatically in `RPCClient.create_connection()` when the principal name in the ccache is different from the principal name of the cookie.

Also, IMHO it would be preferable to keep the changes in `ipatest/util.py` in a separate commit and not mix them with the generic changes not related only to tests in `ipalib/rpc.py`.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279675537
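An added illustration of the behaviour proposed in this comment, not code from FreeIPA or from the PR: a client that records which principal a cached session cookie was issued for and drops the cookie in `create_connection` when the ccache principal differs, shown beside the unchecked variant. `FakeServer`, `Client`, `Context`, `run` and the `EXAMPLE.TEST` principals are constructed for the example.

```python
# Added example, not FreeIPA code: every name here is hypothetical.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


class FakeServer:
    """Stands in for the HTTP server: issues session cookies and resolves them."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}
        self.logins = 0

    def login(self, principal: str) -> str:
        # Models a full Negotiate login with the credentials in the ccache.
        self.logins += 1
        cookie = secrets.token_hex(16)
        self._sessions[cookie] = principal
        return cookie

    def whoami(self, cookie: str) -> str:
        # The server trusts the cookie alone; it never sees the client's ccache.
        return self._sessions[cookie]


@dataclass
class Context:
    """Client-side state that outlives a single connection."""
    session_cookie: Optional[str] = None
    cookie_principal: Optional[str] = None


class Client:
    def __init__(self, server: FakeServer, check_principal: bool) -> None:
        self.server = server
        self.check_principal = check_principal
        self.context = Context()

    def create_connection(self, ccache_principal: str) -> str:
        """Connect and return the principal the server will act as."""
        ctx = self.context
        if (self.check_principal
                and ctx.session_cookie is not None
                and ctx.cookie_principal != ccache_principal):
            # The identity in the ccache changed since the cookie was issued:
            # the cached session belongs to someone else, so discard it.
            ctx.session_cookie = None
            ctx.cookie_principal = None
        if ctx.session_cookie is None:
            ctx.session_cookie = self.server.login(ccache_principal)
            ctx.cookie_principal = ccache_principal
        return self.server.whoami(ctx.session_cookie)


def run(check_principal: bool) -> Tuple[List[str], int]:
    """Connect twice as admin, then twice as alice, reusing one client context."""
    server = FakeServer()
    client = Client(server, check_principal)
    sequence = ["admin@EXAMPLE.TEST", "admin@EXAMPLE.TEST",
                "alice@EXAMPLE.TEST", "alice@EXAMPLE.TEST"]
    seen = [client.create_connection(p) for p in sequence]
    return seen, server.logins


if __name__ == "__main__":
    for check in (False, True):
        seen, logins = run(check)
        print(f"check_principal={check}: server saw {seen} after {logins} login(s)")
```

Without the check, the server keeps acting as the first principal after the ccache has switched to another one; with it, the session is reused only while the identity is unchanged.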
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
@HonzaCholasta push it before we break it again! :-)
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-279538680
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
So I am not sure what is going on here, after fiddling with the failing tests to print out what was going on, they suddenly started working (and 3 others started failing).
It is not clear to me what is going on, but it may be unclean environment too.. after running tests a few times for example I found out my user KRB5CCNAME environment variable had been changed (this is not ok it's a bug in the tests and will make things unreliable).
Anyway after a full rebuild and reinstall I was not able to go back to a state where I could reproduce the issues in caacl tests.
I rebased the patchset on latest master and pushed it, let's see what CI says.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278981716
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
My last push fixes the deadlock and another problem in ipalib/krb_utils.py

I haven't figured out exactly what happens in change_password, I see from logs sent from @martbab that the kinit as the user alice is performed, but apache sees only admin connections. I suspect that the issue is in ipalib/rpc.py in create_connection, where apply_session_cookie() is called, but can't be sure. I need a way to repro these tests locally to confirm.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278704831
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
I think I know what is going on here, can you add an actual test to the testsuite that checks this?
I will fix my PR to not cause this deadlock, I've reproduced it here.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278635045
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
While investigating the CI test failures, I stumbled upon another issue - two simultaneous login requests will deadlock httpd until it is restarted. This is how I did it:

```bash
(
    export KRB5CCNAME=$(mktemp)
    echo password | kinit admin
    curl https://$HOSTNAME/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt --negotiate -u : -e https://$HOSTNAME/ipa/session/json -D -
) &
(
    export KRB5CCNAME=$(mktemp)
    echo password | kinit notadmin
    curl https://$HOSTNAME/ipa/session/login_kerberos --cacert /etc/ipa/ca.crt --negotiate -u : -e https://$HOSTNAME/ipa/session/json -D -
)
```

It is not reproducible on the master branch.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278611793
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
I added 1.5.0 as a dep in freeipa.spec.in and rebased the PR
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-278008429
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
martbab commented:
"""
I have figured out that the previous Travis failures were caused by missing version in mod_auth_gssapi Requires. If I downgrade the package to mod_auth_gssapi-1.4.1-1.fc25.x86_64 apache crashes on unknown directive:

```
Feb 07 13:32:41 master1.ipa.test httpd[45040]: Invalid command 'GssapiDelegCcachePerms', perhaps misspelled or defined by a module not included in the server configuration
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Feb 07 13:32:41 master1.ipa.test systemd[1]: Failed to start The Apache HTTP Server.
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Unit entered failed state.
Feb 07 13:32:41 master1.ipa.test systemd[1]: httpd.service: Failed with result 'exit-code'.
```

We will need to bump requires to mod_auth_gssapi-1.5.0-1.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-277991477
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
martbab commented:
"""
I have disabled updates-testing in the CI because of a multitude of unrelated breakages (recent openldap-client vs. nss breakage comes to mind), but we may take the SRPMS from koji and stick them to copr.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-276348713
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
The correct packages are now in updates-testing in Fedora 25, pick from there.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-276340645
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
pvoborni commented:
"""
Could we rather add the mod_auth_gssapi and gssproxy packages into @freeipa/freeipa-master copr repo?

Without the rpms in master copr repo, other people's automation will be broken after merging the PR.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-276106097
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314 Title: #314: RFC: privilege separation for ipa framework code martbab commented: """ @simo5 the simplest way to fix CI is to add WIP commit that enables your COPR repos during 'builddep' step like this (untested): ```diff diff --git a/.test_runner_config.yaml b/.test_runner_config.yaml index dc08d79..da64631 100644 --- a/.test_runner_config.yaml +++ b/.test_runner_config.yaml @@ -27,6 +27,8 @@ steps: - make V=0 ${make_target} builddep: - rm -rf /var/cache/dnf/* + - dnf copr enable -y simo/mod_auth_gssapi + - dnf copr enable -y simo/gssproxy - "dnf makecache fast || :" - dnf builddep -y ${builddep_opts} --spec freeipa.spec.in --best --allowerasing cleanup: ``` """ See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-276055855 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
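Review bot: The two added `dnf copr enable -y simo/...` lines in the `builddep` step carry no comment marking them as temporary, and they run ahead of `dnf builddep ... --best --allowerasing`, so every CI build can pull in, and replace installed packages with, whatever those personal COPR repositories serve. Add a YAML comment above them naming the packages they are needed for (mod_auth_gssapi, gssproxy) and the condition for dropping the lines, and keep the change in a WIP commit as proposed so it is not merged as a permanent CI dependency.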
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
Both replica install and CA-less install now work, but:

* `ipa-replica-install` creates `/var/lib/ipa/radb` owned by `root` rather than `ipaapi`.
* `/var/lib/ipa/radb` should not be created in CA-less install.
* Upgrade from 4.4 fails in various ways:
  * on the first master: https://transfer.sh/JgKTV/ipaupgrade.log
  * on a replica: https://transfer.sh/LTMvO/ipaupgrade.log
* Could you please add a command to enable your COPR repositories to `.test_runner_config.yaml` so that CI starts working properly? @martbab can advise.

@MartinBasti: we agreed to document all new functions last week, this PR was first submitted months ago, so IMO the rule does not apply here.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-276032900
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
With this last rebase I can install again both ca and ca-less without issues.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-275168299
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
Ok reproduced, it is not clear to me how yet, but at some point ca.crt gets zeroed out and that's why the ldap command fails, investigating
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-275101642
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
@simo5, it turns out the request fails not on the replica, but on the initial master, so it's actually `ipa-server-install` which is broken - if you install server from current master and replica from this PR it works fine.

Steps to reproduce:

```
server# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
server# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
server# ipa-server-install -n abc.idm.lab.eng.brq.redhat.com -r ABC.IDM.LAB.ENG.BRQ.REDHAT.COM -p blablabla -a blablabla -U
...
replica# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
replica# rm -rf /etc/ipa/ca.crt /etc/httpd/alias/kra-agent.pem /var/lib/ipa/radb
replica# ipa-replica-install -n abc.idm.lab.eng.brq.redhat.com --server vm-226.abc.idm.lab.eng.brq.redhat.com -P admin -p blablabla
```

Note that you won't actually be able to do the above, as the `ipa-server-install` step will fail with:

```
Restarting the KDC
Please add records in this file to your DNS system: /tmp/ipa.system.records.xLK2pI.db
Unable to set admin password Command '/usr/bin/ldappasswd -h vm-226.abc.idm.lab.eng.brq.redhat.com -ZZ -x -D cn=Directory Manager -y /var/lib/ipa/tmpKyxwZX -T /var/lib/ipa/tmpMY13CP uid=admin,cn=users,cn=accounts,dc=abc,dc=idm,dc=lab,dc=eng,dc=brq,dc=redhat,dc=com' returned non-zero exit status 1
Configuring client side components
Using existing certificate '/etc/ipa/ca.crt'.
Skip vm-226.abc.idm.lab.eng.brq.redhat.com: cannot verify if this is an IPA server
Failed to verify that vm-226.abc.idm.lab.eng.brq.redhat.com is an IPA Server.
This may mean that the remote server is not up or is not reachable due to network or firewall settings.
Please make sure the following ports are opened in the firewall settings:
     TCP: 80, 88, 389
     UDP: 88 (at least one of TCP/UDP ports 88 has to be open)
Also note that following ports are necessary for ipa-client working properly after enrollment:
     TCP: 464
     UDP: 464, 123 (if NTP enabled)
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

This does not happen with current master.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-275044170
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
Ok, with this latest push I can install servers and replicas both with CA and CA-less.
I cannot reproduce the failure @HonzaCholasta sees, so from my side I am done.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-274832504
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
@simo5, replica install still fails for me in the same way as before.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-274741477
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
simo5 commented:
"""
The latest rebase installs a replica correctly here, haven't got to fix ca-less yet, but everything else should be ready to go.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-274577459
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code
HonzaCholasta commented:
"""
Here's what I did

```
# certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
# rm -rf /var/lib/ipa/radb
# ipa-replica-install --domain abc.idm.lab.eng.brq.redhat.com --server vm-226.abc.idm.lab.eng.brq.redhat.com --principal admin --password blablabla
...
  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Certificate issuance failed (CA_UNREACHABLE)
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
# getcert list
Number of certificates and requests being tracked: 1.
Request ID '20170120063423':
	status: CA_UNREACHABLE
	ca-error: Server at https://vm-226.abc.idm.lab.eng.brq.redhat.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://vm-226.abc.idm.lab.eng.brq.redhat.com:443/ca/rest/account/login': (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM',nickname='Server-Cert'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
# certutil -d /var/lib/ipa/radb -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
# stat /var/lib/ipa/radb
stat: cannot stat '/var/lib/ipa/radb': No such file or directory
```

Here's the full replica install log: http://pastebin.com/kwj8nFcC
"""
See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-273991634
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I cannot get a replica install to fail like yours did, can you post some logs?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-273891819
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I can confirm that the ldapi error occurs every other install. I can also confirm that it does not occur during the initial server install on a clean machine, so I agree it can be fixed later.

* CA-less install is still broken. To reproduce the bug, make sure to delete all certificates from `/etc/httpd/alias` before running the install, otherwise [ticket 4639](https://fedorahosted.org/freeipa/ticket/4639) will hide the bug. I use:

```bash
certutil -d /etc/httpd/alias -L | tail -n +5 | sed -r 's/ +[^ ]+ *$//' | xargs -I nickname -r sh -c "certutil -d /etc/httpd/alias -D -n 'nickname'"
```

* Replica install fails when `/var/lib/ipa/radb` does not exist prior to running the install:

```
  [28/45]: retrieving DS Certificate
  [error] RuntimeError: Certificate issuance failed (CA_UNREACHABLE)
```

* `/var/lib/ipa/radb` should be removed on uninstall.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-273737162
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Thanks @HonzaCholasta, I already fixed the service thing but didn't push as I started getting another error on install, but before I fix that I am working on releasing gssproxy where we are hitting another heisenbug just in the testing suite (works as expected when installed).

On the ldapi error, I have seen it too during development; for a period I was getting it every time once on install, i.e.: install, play, uninstall, install, Error!, uninstall, install, play ... So I had to install - uninstall - reinstall for each test, but it had disappeared for a while. It seems like some uninstall snag to me; if I can find some info on why it occurs I'll open a bug (or fix it if it is due to my code changes).
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-272171891
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
Not sure if it's this PR or not, but `ipa-server-install` *sometimes* fails with:

```
  [11/22]: setting up ssl
  [error] NetworkError: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket':
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR cannot connect to 'ldapi://%2fvar%2frun%2fslapd-ABC-IDM-LAB-ENG-BRQ-REDHAT-COM.socket':
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-272106420
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I can't reproduce the bug anymore with the latest update.

Pylint found one trivial issue:

```
ipaserver/install/server/upgrade.py:83: [E0602(undefined-variable), uninstall_ipa_memcached] Undefined variable 'SimpleServiceInstance')
```

(It should be `service.SimpleServiceInstance`.)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-272100308
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I switched all endpoints to use GSSAPI (and transparently use a session cookie once one transaction is successful), so there may be some parts of the code a bit surprised about it. Do you have apache logs to share that show the problem? (Enabling ipa debug would probably help too.)
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270654342
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
@simo5, I might have fixed the certmonger issue, see HonzaCholasta@907ef3cff2045edd4625d4c422d1d0ae473fe51c, however I'm hitting the "No valid Negotiate header in server response" error again. Any idea what might be causing it?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270606660
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Rebased on master and fixed a couple minor lint issues
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270394337
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

rcritten commented:
"""
You can specify the nickname using -n/--nickname. You'll probably also want to set --cafile=/etc/ipa/ca.crt, --dbdir=/etc/httpd/alias and sslpinfile=/etc/httpd/alias/pwdfile.txt to maintain current behavior.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270165993
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Why is dogtag-ipa-renew-agent-submit part of the certmonger package? And how do we fix it now?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270163719
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

HonzaCholasta commented:
"""
* Dogtag certificates and RA certificate renewal is broken:

```
ca-error: Server at "https://vm-226.abc.idm.lab.eng.brq.redhat.com:8443/ca/agent/ca/profileProcess" replied: 1: You did not provide a valid certificate for this operation
```

This is because certmonger's `/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit` expects an `ipaCert` in `/etc/httpd/alias`.

* CA-less server install fails:

```
  [13/21]: publish CA cert
  [error] CalledProcessError: Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Command '/usr/bin/certutil -d /etc/httpd/alias -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a' returned non-zero exit status 255
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```

```
2017-01-03T05:21:43Z DEBUG Starting external process
2017-01-03T05:21:43Z DEBUG args=/usr/bin/certutil -d /var/lib/ipa/radb -L -n ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA -a
2017-01-03T05:21:43Z DEBUG Process finished, return code=255
2017-01-03T05:21:43Z DEBUG stdout=
2017-01-03T05:21:43Z DEBUG stderr=certutil: Could not find cert: ABC.IDM.LAB.ENG.BRQ.REDHAT.COM IPA CA
: PR_FILE_NOT_FOUND_ERROR: File not found
```

If I work around the above, it fails further down with:

```
trying https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json
Forwarding 'schema' to json server 'https://vm-058-236.abc.idm.lab.eng.brq.redhat.com/ipa/json'
No valid Negotiate header in server response
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR Configuration of client side components failed!
ipa.ipapython.install.cli.install_tool(CompatServerMasterInstall): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-270059781
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
I think this code is ready to be included. I am still playing with a minor change in mod_auth_gssapi, but that can also go in later.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-267997245
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
@pspacek I added workflows to the Design page, please verify
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265734321
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Note: this PR also depends on and includes commits from #206
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265432380
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

pspacek commented:
"""
@simo5 Please extend the design page with image description which explains each of the steps. There are numbers and letters in the image which are not explained anywhere.

A detailed end-to-end example of interaction could be useful for detailed review.

Thank you!
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265424963
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Updated branch, hopefully lint will be happy.

While there I discovered dcerpc.py was using the HTTP keytab. After discussing with @abbra we decided to just remove such use for now and see later if we need any changes. The use was rare and in the important cases we already have a better option in the code.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265410793
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

simo5 commented:
"""
Yeah going through those right now
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265234514
[Freeipa-devel] [freeipa PR#314][comment] RFC: privilege separation for ipa framework code
URL: https://github.com/freeipa/freeipa/pull/314
Title: #314: RFC: privilege separation for ipa framework code

tiran commented:
"""
@simo5 TravisCI's pep8 checker is complaining about some PEP8 violations:

```
./ipalib/install/kinit.py:64:1: E302 expected 2 blank lines, found 1
./ipalib/rpc.py:702:80: E501 line too long (93 > 79 characters)
./ipaplatform/redhat/tasks.py:437:13: E128 continuation line under-indented for visual indent
./ipaserver/install/httpinstance.py:117:1: E302 expected 2 blank lines, found 1
./ipaserver/install/httpinstance.py:127:1: E302 expected 2 blank lines, found 1
./ipaserver/rpcserver.py:428:80: E501 line too long (83 > 79 characters)
./ipaserver/rpcserver.py:625:80: E501 line too long (82 > 79 characters)
./ipaserver/rpcserver.py:932:80: E501 line too long (111 > 79 characters)
./ipaserver/rpcserver.py:941:80: E501 line too long (80 > 79 characters)
```
"""

See the full comment at https://github.com/freeipa/freeipa/pull/314#issuecomment-265221871