Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Petr Spacek
On 23.6.2015 15:16, Christian Heimes wrote: On 2015-06-23 15:14, Nathaniel McCallum wrote: On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote: On 2015-06-23 14:58, Nathaniel McCallum wrote: I agree. One other small nitpick is that the python-kdcproxy dependency is still wrong. Please

[Freeipa-devel] Announcing bind-dyndb-ldap version 8.0

2015-06-23 Thread Petr Spacek
The FreeIPA team is proud to announce bind-dyndb-ldap version 8.0. It can be downloaded from https://fedorahosted.org/released/bind-dyndb-ldap/ The new version has also been built for Fedora 23+ (rawhide). This version is also available from FreeIPA 4.2 COPR repo:

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 16:55, Nathaniel McCallum wrote: - Original Message - Ah, got it! What's the simplest way to download and test the new package on my VM? Download the package from koji. http://koji.fedoraproject.org/koji/packageinfo?packageID=19292 Ah, that's much simpler than

[Freeipa-devel] [PATCH 0037] Hide traceback in ipa-dnskeysyncd if kinit failed

2015-06-23 Thread Petr Spacek
Hello, Hide traceback in ipa-dnskeysyncd if kinit failed. https://fedorahosted.org/freeipa/ticket/4657 -- Petr^2 Spacek From 1b27dc0c667569f4bbe653b350e0f95a43b6b341 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 23 Jun 2015 14:14:33 +0200 Subject: [PATCH] Hide

Re: [Freeipa-devel] topology-related issues

2015-06-23 Thread Ludwig Krispenz
On 06/23/2015 11:44 AM, Oleg Fayans wrote: It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the segment: [11:38:39]ofayans@vm-069:~]$ ipa

Re: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter

2015-06-23 Thread Petr Spacek
On 23.6.2015 14:18, Tomas Hozza wrote: On 23.06.2015 11:32, Petr Spacek wrote: On 10.6.2015 19:07, Petr Spacek wrote: Hello, Replace isc_atomic_* in MetaLDAP with reference counter abstraction. + Replace isc_atomic_* in instance tainting with reference counter abstraction. Reference

[Freeipa-devel] [PATCH 0036] Bump minimal BIND version for CentOS

2015-06-23 Thread Petr Spacek
Hello, Bump minimal BIND version for CentOS. DNSSEC support added dependency on bind-pkcs11 sub-package. https://fedorahosted.org/freeipa/ticket/4657 -- Petr^2 Spacek From 3c2b78b46870d3692b502db4468e70a190d6958f Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Tue, 23 Jun

Re: [Freeipa-devel] topology-related issues

2015-06-23 Thread Ludwig Krispenz
On 06/23/2015 02:27 PM, Ludwig Krispenz wrote: On 06/23/2015 11:44 AM, Oleg Fayans wrote: It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 11:37, Christian Heimes wrote: Hi, I've created a new patch that implements the KDC switch as an ExecStartPre hook in httpd.service. My patch has a bug. Apache's SetEnv doesn't set an operating system env var. The information is only available as WSGI env var. I'm going to set

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
This is hopefully the final patch. I've tested a fresh installation and upgrade from 4.2 alpha 1. Christian From f503bb15304edea863ba1bad91657b1f880f0e4b Mon Sep 17 00:00:00 2001 From: Christian Heimes chei...@redhat.com Date: Tue, 23 Jun 2015 17:01:00 +0200 Subject: [PATCH] Provide Kerberos over

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
typo: is_kdcprox_configured You need to update the commit message (don't do changes since last patch). Also, I'm pretty sure this is the case, but the code in ipaserver/install/httpinstance.py only executes during initial installation, right? - Original Message - This is hopefully

Re: [Freeipa-devel] [PATCH 0037] Hide traceback in ipa-dnskeysyncd if kinit failed

2015-06-23 Thread Martin Babinsky
On 06/23/2015 02:15 PM, Petr Spacek wrote: Hello, Hide traceback in ipa-dnskeysyncd if kinit failed. https://fedorahosted.org/freeipa/ticket/4657 ACK -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
- Original Message - Ah, got it! What's the simplest way to download and test the new package on my VM? Download the package from koji. http://koji.fedoraproject.org/koji/packageinfo?packageID=19292

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
On Tue, 2015-06-23 at 08:56 -0400, Simo Sorce wrote: On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote: Hi, I've created a new patch that implements the KDC switch as an ExecStartPre hook in httpd.service. Testing: If you are doing an upgrade of an existing installation,

Re: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter

2015-06-23 Thread Tomas Hozza
On 23.06.2015 11:32, Petr Spacek wrote: On 10.6.2015 19:07, Petr Spacek wrote: Hello, Replace isc_atomic_* in MetaLDAP with reference counter abstraction. + Replace isc_atomic_* in instance tainting with reference counter abstraction. Reference counters are used as abstraction

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 14:58, Nathaniel McCallum wrote: I agree. One other small nitpick is that the python-kdcproxy dependency is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL and Fedora. The only remaining step here is to push python-kdcproxy in the same update as the next FreeIPA

Re: [Freeipa-devel] topology-related issues

2015-06-23 Thread Oleg Fayans
On 06/23/2015 02:27 PM, Ludwig Krispenz wrote: On 06/23/2015 11:44 AM, Oleg Fayans wrote: It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Simo Sorce
On Tue, 2015-06-23 at 11:37 +0200, Christian Heimes wrote: Hi, I've created a new patch that implements the KDC switch as an ExecStartPre hook in httpd.service. Testing: If you are doing an upgrade of an existing installation, then you have to run ipa-server-update first. The update

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 14:56, Simo Sorce wrote: Why are you using #!/usr/bin/env python2.7 ? We do not use this idiom, as it breaks in some cases, at most in some sources that are v2 only we use #!/usr/bin/python2, please change it. Force of habit. I'm used to using /usr/bin/env in my own packages.

[Freeipa-devel] [PATCH 0386-0389] Release 8.0

2015-06-23 Thread Petr Spacek
Hello, Pushed to master: 5c59bb14e4ec2f66b16062f83edc04b9df59b744 Update URL pointing to dyndb API repo. 1cf4d03cee4452d67bdf409ac2fe8d201c19c922 Update NEWS for upcoming 8.0 release. c0be113f6365abb7c77541129ffd086c80ea9fc3 releng/bumpver: Always create signed commits.

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 15:14, Nathaniel McCallum wrote: On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote: On 2015-06-23 14:58, Nathaniel McCallum wrote: I agree. One other small nitpick is that the python-kdcproxy dependency is still wrong. Please make it depend on 0.3. 0.3 is already in

Re: [Freeipa-devel] topology-related issues

2015-06-23 Thread Ludwig Krispenz
On 06/23/2015 03:43 PM, Oleg Fayans wrote: On 06/23/2015 02:27 PM, Ludwig Krispenz wrote: On 06/23/2015 11:44 AM, Oleg Fayans wrote: It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
On Tue, 2015-06-23 at 15:11 +0200, Christian Heimes wrote: On 2015-06-23 14:58, Nathaniel McCallum wrote: I agree. One other small nitpick is that the python-kdcproxy dependency is still wrong. Please make it depend on 0.3. 0.3 is already in RHEL and Fedora. The only remaining step

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 17:35, Nathaniel McCallum wrote: typo: is_kdcprox_configured You need to update the commit message (don't do changes since last patch). Also, I'm pretty sure this is the case, but the code in ipaserver/install/httpinstance.py only executes during initial installation,

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
The behavior I'm worried about here is this: 1. Admin installs or updates FreeIPA (w/ kdcproxy) 2. Admin disables kdcproxy 3. Admin updates to the next version After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to this (or at least I'm not seeing it). Other than this,

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
On Jun 23, 2015, at 2:55 PM, Simo Sorce s...@redhat.com wrote: On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote: +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ + process-group=kdcproxy application-group=kdcproxy +WSGIScriptAlias /KdcProxy

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
On 2015-06-23 19:55, Nathaniel McCallum wrote: The behavior I'm worried about here is this: 1. Admin installs or updates FreeIPA (w/ kdcproxy) 2. Admin disables kdcproxy 3. Admin updates to the next version After step #3, is kdcproxy enabled or disabled? I don't have a clear answer to

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Nathaniel McCallum
I’m sold. ACK Simo, speak now or forever hold your peace (or patch it later). On Jun 23, 2015, at 2:20 PM, Christian Heimes chei...@redhat.com wrote: On 2015-06-23 19:55, Nathaniel McCallum wrote: The behavior I'm worried about here is this: 1. Admin installs or updates FreeIPA (w/

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Simo Sorce
On Tue, 2015-06-23 at 18:51 +0200, Christian Heimes wrote: +WSGIImportScript /usr/lib/python2.7/site-packages/kdcproxy/__init__.py \ + process-group=kdcproxy application-group=kdcproxy +WSGIScriptAlias /KdcProxy /usr/lib/python2.7/site-packages/kdcproxy/__init__.py I find sticking an
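Review bot: both the WSGIImportScript and the WSGIScriptAlias line hard-code /usr/lib/python2.7/site-packages/kdcproxy/__init__.py, so the KdcProxy endpoint depends on that exact interpreter version and library directory. Consider substituting the kdcproxy module path when the config file is generated instead of writing it literally, and check that the same value is used in both directives so the imported script and the aliased script cannot drift apart.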

[Freeipa-devel] [PATCH] 528 Remove option added by mistake

2015-06-23 Thread Simo Sorce
An option was added by mistake to ipa-replica-install during the refactoring. Simo. -- Simo Sorce * Red Hat, Inc * New York From 8665d4c9122db296855d82d200dc8df811f57427 Mon Sep 17 00:00:00 2001 From: Simo Sorce s...@redhat.com Date: Tue, 23 Jun 2015 16:33:34 -0400 Subject: [PATCH] Replicas

Re: [Freeipa-devel] IPA Python API

2015-06-23 Thread Drew Erny
Resurrecting this thread, because the problem is getting me again. If I go through the python interpreter and import the code that calls the ipalib, and then manually call it myself the way the webserver does, the code works. If the same code is run in the course of the web server process, I

[Freeipa-devel] [PATCHES 0042-45] new commands for adding/removing certificates from entries

2015-06-23 Thread Martin Babinsky
This patchset implements new API commands for manipulating user/host/service userCertificate attribute alongside some underlying plumbing. PATCH 0045 is a small test suite that I slapped together since manual testing of this stuff is very cumbersome. It requires my PATCH 0040 to apply and

Re: [Freeipa-devel] [PATCH] 528 Remove option added by mistake

2015-06-23 Thread Jan Cholasta
Hi, Dne 23.6.2015 v 22:37 Simo Sorce napsal(a): An option was added by mistake to ipa-replica-install during the refactoring. ACK. Pushed to master: 49d708f00fd13903dbd96193aac2c608e3512398 -- Jan Cholasta

[Freeipa-devel] topology-related issues

2015-06-23 Thread Oleg Fayans
Hi Ludwig, team, I have a couple of issues with the topology plugin. 1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment. I had master - replica1 - replica2 - replica3 - replica4 I removed replica2 with a standard `ipa-replica-manage del` And

Re: [Freeipa-devel] [PATCH 0384-0385] Replace isc_atomic_* in with reference counter

2015-06-23 Thread Petr Spacek
On 10.6.2015 19:07, Petr Spacek wrote: Hello, Replace isc_atomic_* in MetaLDAP with reference counter abstraction. + Replace isc_atomic_* in instance tainting with reference counter abstraction. Reference counters are used as abstraction which hides missing isc_atomic_*() functions on

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-06-23 Thread Christian Heimes
Hi, I've created a new patch that implements the KDC switch as an ExecStartPre hook in httpd.service. Testing: If you are doing an upgrade of an existing installation, then you have to run ipa-server-update first. The update creates the config file /etc/ipa/kdcproxy/ipa-kdc-proxy.conf from a

Re: [Freeipa-devel] [PATCH 0383] Fix metadb_iterator_destroy() to accept NULL iterators

2015-06-23 Thread Petr Spacek
On 23.6.2015 10:43, Tomas Hozza wrote: On 08.06.2015 14:08, Petr Spacek wrote: Hello, Fix metadb_iterator_destroy() to accept NULL iterators. This prevents potential crash in error handling, e.g. if memory allocation failed. Hi. I did formal review. The patch looks good. ACK.

Re: [Freeipa-devel] topology-related issues

2015-06-23 Thread Oleg Fayans
It looks like the second issue was caused by not running ipa service on vm-244.idm.lab.eng.brq.redhat.com. However, after manual start of the ipa service on this node, I was still unable to set up the segment: [11:38:39]ofayans@vm-069:~]$ ipa topologysegment-add realm Left node:

Re: [Freeipa-devel] [PATCH 0040] generalize certificate creation during testing

2015-06-23 Thread Petr Vobornik
On 06/16/2015 10:35 AM, Milan Kubik wrote: On 06/09/2015 01:14 PM, Martin Babinsky wrote: A slight hack to ipatests/test_xmlrpc/testcert.py module in order to enable generation of multiple host/service/user certificates. It should make writing tests for new CA profile/sub-CA/user certificate

Re: [Freeipa-devel] [PATCH 0383] Fix metadb_iterator_destroy() to accept NULL iterators

2015-06-23 Thread Tomas Hozza
On 08.06.2015 14:08, Petr Spacek wrote: Hello, Fix metadb_iterator_destroy() to accept NULL iterators. This prevents potential crash in error handling, e.g. if memory allocation failed. Hi. I did formal review. The patch looks good. ACK. Regards, -- Tomas Hozza Software Engineer - EMEA

Re: [Freeipa-devel] [PATCH 0003] Fix for a typo in certprofile mod command.

2015-06-23 Thread Petr Vobornik
On 06/19/2015 12:27 PM, Fraser Tweedale wrote: On Fri, Jun 19, 2015 at 12:04:43PM +0200, Milan Kubik wrote: Patch attached. Milan ACK Pushed to master: b3c7805e881c250db061c44a3b5061f3f7030c5f -- Petr Vobornik

Re: [Freeipa-devel] topology-related issues

2015-06-23 Thread Petr Vobornik
On 06/23/2015 11:27 AM, Oleg Fayans wrote: Hi Ludwig, team, I have a couple of issues with the topology plugin. 1. I was able to remove the middle node in a line topology, which resulted in disconnecting a segment. I had master - replica1 - replica2 - replica3 - replica4 I removed replica2