Re: [Freeipa-devel] Design Review Keytab Retrieval

2014-06-17 Thread Martin Kosek
On 06/16/2014 05:34 PM, Simo Sorce wrote: Although the code is all done it would be nice to have a review of the feature, to see if it has all been captured: http://www.freeipa.org/page/V4/Keytab_Retrieval Simo. Thanks! I was not deeply involved in the review, but from the high level it

Re: [Freeipa-devel] [PATCH 0257] Fix race condition during zone loading

2014-06-17 Thread Tomas Hozza
- Original Message - On 28.5.2014 13:26, Tomas Hozza wrote: On 05/27/2014 03:59 PM, Petr Spacek wrote: On 27.5.2014 15:54, Petr Spacek wrote: Fix race condition during zone loading. DNS zone has to be added to DNS view before dns_zone_load() is called. It is necessary to

Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring

2014-06-17 Thread Martin Kosek
On 06/16/2014 07:50 PM, Petr Viktorin wrote: On 06/16/2014 02:53 PM, Tomas Babej wrote: On 06/10/2014 05:07 PM, Petr Viktorin wrote: On 06/10/2014 10:13 AM, Tomas Babej wrote: On 06/06/2014 01:04 PM, Petr Viktorin wrote: On 06/05/2014 03:14 PM, Petr Viktorin wrote: On 06/04/2014 11:42 AM,

[Freeipa-devel] [PATCH 0266] (aka 257.5) Fix zone reloading for in-line signed zones

2014-06-17 Thread Petr Spacek
Hello, I forgot to send one patch between no. 257 and 258, so here it is :-) Fix zone reloading for in-line signed zones. An invalid secure zone (e.g. without NS records) is now automatically reloaded when data inside the zone are changed. https://fedorahosted.org/bind-dyndb-ldap/ticket/56 --

Re: [Freeipa-devel] [PATCH 0266] (aka 257.5) Fix zone reloading for in-line signed zones

2014-06-17 Thread Tomas Hozza
- Original Message - Hello, I forgot to send one patch between no. 257 and 258, so here it is :-) Fix zone reloading for in-line signed zones. An invalid secure zone (e.g. without NS records) is now automatically reloaded when data inside the zone are changed.

Re: [Freeipa-devel] [PATCH 0258] Fix run-time zone addition for secure zones

2014-06-17 Thread Tomas Hozza
- Original Message - Subject: Re: [Freeipa-devel] [PATCH 0258] Fix run-time zone addition for secure zones Date: Wed, 04 Jun 2014 17:34:29 +0200 From: Petr Spacek pspa...@redhat.com Organization: Red Hat To: freeipa-devel@redhat.com On 3.6.2014 10:53, Petr Spacek wrote: Hello,

Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring

2014-06-17 Thread Timo Aaltonen
On 17.06.2014 11:16, Martin Kosek wrote: On 06/16/2014 07:50 PM, Petr Viktorin wrote: On 06/16/2014 02:53 PM, Tomas Babej wrote: On 06/10/2014 05:07 PM, Petr Viktorin wrote: On 06/10/2014 10:13 AM, Tomas Babej wrote: On 06/06/2014 01:04 PM, Petr Viktorin wrote: On 06/05/2014 03:14 PM, Petr

[Freeipa-devel] [PATCH 0227] sudorule: Allow unsetting sudoorder

2014-06-17 Thread Tomas Babej
Hi, After setting sudoorder, you are unable to unset it, since the check for uniqueness of order of sudorules is applied incorrectly. Fix the behaviour and cover it in the test suite. https://fedorahosted.org/freeipa/ticket/4360 -- Tomas Babej Associate Software Engineer | Red Hat | Identity

Re: [Freeipa-devel] [RFC] Sending group-memberships to SSSD clients

2014-06-17 Thread Jakub Hrozek
On Mon, Jun 02, 2014 at 03:03:19PM +0200, Sumit Bose wrote: Hi, I'm preparing a design page for https://fedorahosted.org/freeipa/ticket/4031 [RFE] Support initgroups for unauthenticated AD users. Since we are using SSSD in ipa-server-mode in the server, the IPA server is able to resolve

Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring

2014-06-17 Thread Petr Spacek
On 17.6.2014 14:15, Tomas Babej wrote: On 06/17/2014 12:03 PM, Timo Aaltonen wrote: On 17.06.2014 11:16, Martin Kosek wrote: On 06/16/2014 07:50 PM, Petr Viktorin wrote: On 06/16/2014 02:53 PM, Tomas Babej wrote: On 06/10/2014 05:07 PM, Petr Viktorin wrote: On 06/10/2014 10:13 AM, Tomas

Re: [Freeipa-devel] [RFC] Extdom plugin enhancement: grouplist

2014-06-17 Thread Jakub Hrozek
On Fri, Jun 06, 2014 at 07:24:14PM +0200, Sumit Bose wrote: Hi, I've created a design page about enhancing the extdom plugin to send the list of groups of a user together with the POSIX data to IPA clients with SSSD at http://www.freeipa.org/page/V4/Extdom_plugin_enhancement_grouplist

Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring

2014-06-17 Thread Tomas Babej
On 06/17/2014 02:44 PM, Petr Spacek wrote: On 17.6.2014 14:15, Tomas Babej wrote: On 06/17/2014 12:03 PM, Timo Aaltonen wrote: On 17.06.2014 11:16, Martin Kosek wrote: On 06/16/2014 07:50 PM, Petr Viktorin wrote: On 06/16/2014 02:53 PM, Tomas Babej wrote: On 06/10/2014 05:07 PM, Petr

Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring

2014-06-17 Thread Timo Aaltonen
On 17.06.2014 15:15, Tomas Babej wrote: On 06/17/2014 12:03 PM, Timo Aaltonen wrote: On 17.06.2014 11:16, Martin Kosek wrote: On 06/16/2014 07:50 PM, Petr Viktorin wrote: On 06/16/2014 02:53 PM, Tomas Babej wrote: On 06/10/2014 05:07 PM, Petr Viktorin wrote: On 06/10/2014 10:13 AM, Tomas

Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring

2014-06-17 Thread Petr Spacek
On 17.6.2014 14:50, Tomas Babej wrote: On 06/17/2014 02:44 PM, Petr Spacek wrote: On 17.6.2014 14:15, Tomas Babej wrote: On 06/17/2014 12:03 PM, Timo Aaltonen wrote: On 17.06.2014 11:16, Martin Kosek wrote: On 06/16/2014 07:50 PM, Petr Viktorin wrote: On 06/16/2014 02:53 PM, Tomas Babej

Re: [Freeipa-devel] [PATCHES 202-222] Ipaplatform refactoring

2014-06-17 Thread Tomas Babej
On 06/17/2014 03:12 PM, Petr Spacek wrote: On 17.6.2014 14:50, Tomas Babej wrote: On 06/17/2014 02:44 PM, Petr Spacek wrote: On 17.6.2014 14:15, Tomas Babej wrote: On 06/17/2014 12:03 PM, Timo Aaltonen wrote: On 17.06.2014 11:16, Martin Kosek wrote: On 06/16/2014 07:50 PM, Petr Viktorin

Re: [Freeipa-devel] Design Review Keytab Retrieval

2014-06-17 Thread Simo Sorce
On Tue, 2014-06-17 at 09:18 +0200, Martin Kosek wrote: On 06/16/2014 05:34 PM, Simo Sorce wrote: Although the code is all done it would be nice to have a review of the feature, to see if it has all been captured: http://www.freeipa.org/page/V4/Keytab_Retrieval Simo. Thanks! I was

[Freeipa-devel] [PATCH 0068] Fix ipa.service restart

2014-06-17 Thread Martin Basti
Patch attached. Ticket: https://fedorahosted.org/freeipa/ticket/4243 -- Martin^2 Basti From 548b78dab657d9eced4a924ec16e7108e1bd9d2b Mon Sep 17 00:00:00 2001 From: Martin Basti mba...@redhat.com Date: Tue, 17 Jun 2014 16:12:47 +0200 Subject: [PATCH] Fix ipa.service restart Ticket:

Re: [Freeipa-devel] [PATCH 0260] Add wrappers for isc_task_*exclusive()

2014-06-17 Thread Tomas Hozza
- Original Message - Hello, Add wrappers for isc_task_*exclusive(). This patch replaces scattered isc_task_* calls and associated locking to one place. It helps with debugging sometimes. -- Petr^2 Spacek Looks good. ACK. Regards, -- Tomas Hozza Software Engineer - EMEA

Re: [Freeipa-devel] [PATCH 0261-0262] Support run-time changes in idnsSecInlineSigning attribute

2014-06-17 Thread Tomas Hozza
- Original Message - Hello, This patch set allows you to change DNSSEC zone configuration at run-time. -- Petr^2 Spacek Looks good. ACK. Regards, -- Tomas Hozza Software Engineer - EMEA ENG Developer Experience PGP: 1D9F3C2D Red Hat Inc.

Re: [Freeipa-devel] [PATCH 0259] Fix run-time zone addition for invalid secure zones

2014-06-17 Thread Tomas Hozza
- Original Message - Hello, Fix run-time zone addition for invalid secure zones. It is important *not* to delete invalid zones to prevent ldap_parse_master_zoneentry() from entering an infinite cycle. Zone addition in ldap_parse_master_zoneentry() enforces serial write-back to

Re: [Freeipa-devel] [PATCH 0263-0265] Support root master zone in LDAP Follow BIND semantics for forwarders

2014-06-17 Thread Tomas Hozza
- Original Message - Hello, This patch set contains necessary changes for supporting root master zone in LDAP. I had to remove one hack so now we follow BIND semantics for forwarders. Please see commit messages. https://fedorahosted.org/bind-dyndb-ldap/ticket/122 -- Petr^2

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/16/2014 03:04 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, When a stage user is activated (ipa stageuse-activate), the UUID plugin (DS) checks that the ipaUniqueID value of the new active user is 'autogenerate'. This is useful to prevent a provisioning system

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread Rob Crittenden
thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, When a stage user is activated (ipa stageuse-activate), the UUID plugin (DS) checks that the ipaUniqueID value of the new active user is 'autogenerate'. This is useful to prevent a

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/17/2014 07:35 PM, Rob Crittenden wrote: thierry bordaz wrote: On 06/16/2014 03:04 PM, Rob Crittenden wrote: thierry bordaz wrote: Hello, When a stage user is activated (ipa stageuse-activate), the UUID plugin (DS) checks that the ipaUniqueID value of the new active user is

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread Simo Sorce
On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add login --from-delete It moves a deleted entry to the staging container where uidNumber: unchanged, so it is preserved from the previous active account

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/17/2014 08:39 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add login --from-delete It moves a deleted entry to the staging container where uidNumber: unchanged, so it is preserved from the

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread Rob Crittenden
Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add login --from-delete It moves a deleted entry to the staging container where uidNumber: unchanged, so it is preserved from the previous active

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread Simo Sorce
On Tue, 2014-06-17 at 20:43 +0200, thierry bordaz wrote: On 06/17/2014 08:39 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add login --from-delete It moves a deleted entry to the staging container where

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread Simo Sorce
On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add login --from-delete It moves a deleted entry to the staging container where uidNumber: unchanged,

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-17 Thread Rob Crittenden
Simo Sorce wrote: On Mon, 2014-06-16 at 09:53 +0200, Petr Viktorin wrote: On 06/13/2014 10:20 PM, Simo Sorce wrote: [...] 2) and I think this is a MUCH bigger issue, the Admin users are unbounded and pass any Access Control Check and this means they can now retrieve any key for users or

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-17 Thread Simo Sorce
On Tue, 2014-06-17 at 15:30 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Mon, 2014-06-16 at 09:53 +0200, Petr Viktorin wrote: On 06/13/2014 10:20 PM, Simo Sorce wrote: [...] 2) and I think this is a MUCH bigger issue, the Admin users are unbounded and pass any Access Control Check

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread thierry bordaz
On 06/17/2014 09:29 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add login --from-delete It moves a deleted entry to the staging container where

Re: [Freeipa-devel] User Life Cycle: enforce ipaUniqueID generation by the server

2014-06-17 Thread Simo Sorce
On Tue, 2014-06-17 at 21:36 +0200, thierry bordaz wrote: On 06/17/2014 09:29 PM, Simo Sorce wrote: On Tue, 2014-06-17 at 15:23 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2014-06-17 at 17:59 +0200, thierry bordaz wrote: * ipa stageuser-add login --from-delete

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-17 Thread Rob Crittenden
Simo Sorce wrote: On Tue, 2014-06-17 at 15:30 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Mon, 2014-06-16 at 09:53 +0200, Petr Viktorin wrote: On 06/13/2014 10:20 PM, Simo Sorce wrote: [...] 2) and I think this is a MUCH bigger issue, the Admin users are unbounded and pass any Access

Re: [Freeipa-devel] [PATCH] #3859: Better mechanism to retrieve keytabs

2014-06-17 Thread Simo Sorce
On Tue, 2014-06-17 at 15:49 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2014-06-17 at 15:30 -0400, Rob Crittenden wrote: Simo Sorce wrote: On Mon, 2014-06-16 at 09:53 +0200, Petr Viktorin wrote: On 06/13/2014 10:20 PM, Simo Sorce wrote: [...] 2) and I think this is a MUCH