Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Martin Babinsky
On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab wiil now remove it and destroy any associated credentials cache during its uninstall https://fedorahosted.org/freeipa/ticket/5243 BTW some time ago Simo proposed

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Petr Vobornik
On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm Showing it is correct and desired - both in CLI and Web UI. The end state should be that UIs will create new segments with direction=both

Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall

2015-10-13 Thread Jan Cholasta
Hi, I don't think this is the correct approach. We are aiming to have idempotent installers, which means that running uninstall on a system without IPA installed should be a no-op. This is the current behavior, so your patch is actually moving us back. The proper fix would be to *remove*

Re: [Freeipa-devel] [PATCH 0083] perform an unlimited search for reverse zones when adding DNS records

2015-10-13 Thread Petr Spacek
On 12.10.2015 16:35, Martin Babinsky wrote: > https://fedorahosted.org/freeipa/ticket/5200 > --- > ipalib/plugins/dns.py | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py > index >

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Petr Spacek
On 13.10.2015 09:34, Martin Babinsky wrote: > On 10/13/2015 09:17 AM, Petr Spacek wrote: >> On 12.10.2015 13:38, Martin Babinsky wrote: >>> >>> each service possessing Kerberos keytab wiil now remove it and destroy any >>> associated credentials cache during its uninstall >>> >>>

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Oleg Fayans
On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm Showing it is correct and desired - both in CLI and Web UI. Well, CLI does not show the

[Freeipa-devel] [PATCH 504] vault: fix service name normalization

2015-10-13 Thread Jan Cholasta
Hi, the attached patch fixes . Honza -- Jan Cholasta From b9a05d4123a419a56ffa6762b6a8f1a3a660a62e Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 13 Oct 2015 10:10:48 +0200 Subject: [PATCH] vault: fix service name

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-13 Thread Jan Cholasta
On 1.10.2015 15:22, Simo Sorce wrote: On 01/10/15 07:42, Jan Cholasta wrote: Hi, I have just imported python-jwcrypto, custodia and pki-core-10.2.7 into mkosek/freeipa-master as well, to (hopefully) make things easier. Simo, custodia failed to build F22, any idea why? See

Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall

2015-10-13 Thread Petr Spacek
Hello Gabe, I would like to apologize for the confusion regarding this patch and the repeated reworking. Unfortunately Honza's position is not mentioned in the ticket so you could not know what to do, but Honza is our "installer architect" so he has final say. Petr^2 Spacek On 13.10.2015

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Oleg Fayans
NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm CLI is OK, though On 10/12/2015 05:57 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5222 -- Oleg Fayans Quality Engineer FreeIPA team RedHat. -- Manage your

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Petr Spacek
On 12.10.2015 13:38, Martin Babinsky wrote: > > each service possessing Kerberos keytab wiil now remove it and destroy any > associated credentials cache during its uninstall > > https://fedorahosted.org/freeipa/ticket/5243 BTW some time ago Simo proposed that we should remove caches and old

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Oleg Fayans
Hi guys, On 10/13/2015 12:34 PM, Petr Vobornik wrote: On 10/13/2015 12:19 PM, Martin Babinsky wrote: On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at

Re: [Freeipa-devel] [PATCH 0059] ipa-adtrust-install: Print complete SRV record

2015-10-13 Thread Tomas Babej
On 10/09/2015 02:59 PM, Petr Spacek wrote: > Hello, > > I found this when reviewing DNS parts of IdM and AD integration guides. > > ipa-adtrust-install: Print complete SRV records. > https://fedorahosted.org/freeipa/ticket/5358 > > > ACK, generates correct output.

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Ludwig Krispenz
On 10/13/2015 12:43 PM, Oleg Fayans wrote: Hi guys, On 10/13/2015 12:34 PM, Petr Vobornik wrote: On 10/13/2015 12:19 PM, Martin Babinsky wrote: On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at

Re: [Freeipa-devel] [PATCH 0057] Warn in no installation found when running ipa-server-install --uninstall

2015-10-13 Thread Gabe Alford
No worries Petr. All a part of the review process. I have attached an updated patch that prints only a warning message. thanks, Gabe On Tue, Oct 13, 2015 at 12:39 AM, Petr Spacek wrote: > Hello Gabe, > > I would like to apologize for the confusion regarding this patch and

Re: [Freeipa-devel] [PATCH 373-374] idoverrides: Ignore SID conversion error and add coverage

2015-10-13 Thread Martin Babinsky
On 10/13/2015 12:21 PM, Tomas Babej wrote: Hi, this couple of patches fixes and improves the coverage for referential integrity of ID overrides. Note: Last test in the patch 374 is supposed to be failing (for now). https://fedorahosted.org/freeipa/ticket/5322 Hi Tomas, Patch 373: I

Re: [Freeipa-devel] [PATCH 0083] perform an unlimited search for reverse zones when adding DNS records

2015-10-13 Thread Petr Spacek
On 13.10.2015 13:37, Martin Babinsky wrote: > On 10/13/2015 09:36 AM, Petr Spacek wrote: >> On 12.10.2015 16:35, Martin Babinsky wrote: >>> https://fedorahosted.org/freeipa/ticket/5200 >>> --- >>> ipalib/plugins/dns.py | 3 ++- >>> 1 file changed, 2 insertions(+), 1 deletion(-) >>> >>> diff

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Rob Crittenden
Alexander Bokovoy wrote: > On Tue, 13 Oct 2015, Martin Basti wrote: >> >> >> On 13.10.2015 10:04, Petr Spacek wrote: >>> On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: > On 12.10.2015 13:38, Martin Babinsky wrote: >> each service possessing

[Freeipa-devel] Stageuser capability in UI

2015-10-13 Thread Lenka Doudova
Hi, I've been told to do some tests of stageuser UI capabilities ASAP. I think I covered most of the test cases from test plan (http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan) (will check that tomorrow morning, as I need to go soon). I haven't found any really serious bug,

Re: [Freeipa-devel] [PATCH 5] The delegation uris are not set, match message to code

2015-10-13 Thread Tomas Babej
On 10/13/2015 01:14 PM, Jan Pazdziora wrote: > > One-liner. > > > ACK, network.negotiate-auth.delegation-uris is indeed not being set. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

Re: [Freeipa-devel] [PATCH 0083] perform an unlimited search for reverse zones when adding DNS records

2015-10-13 Thread Martin Babinsky
On 10/13/2015 09:36 AM, Petr Spacek wrote: On 12.10.2015 16:35, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5200 --- ipalib/plugins/dns.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py index

Re: [Freeipa-devel] [PATCH 504] vault: fix service name normalization

2015-10-13 Thread Jan Cholasta
On 13.10.2015 14:18, Petr Vobornik wrote: On 10/13/2015 12:24 PM, Jan Cholasta wrote: On 13.10.2015 10:18, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Decided to use a slightly different approach, updated patch attached. Works

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Simo Sorce
On 13/10/15 04:04, Petr Spacek wrote: On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab wiil now remove it and destroy any associated credentials cache during its

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-13 Thread Simo Sorce
On 13/10/15 03:40, Jan Cholasta wrote: On 1.10.2015 15:22, Simo Sorce wrote: On 01/10/15 07:42, Jan Cholasta wrote: Hi, I have just imported python-jwcrypto, custodia and pki-core-10.2.7 into mkosek/freeipa-master as well, to (hopefully) make things easier. Simo, custodia failed to build

Re: [Freeipa-devel] [PATCH 5] The delegation uris are not set, match message to code

2015-10-13 Thread Tomas Babej
On 10/13/2015 01:18 PM, Tomas Babej wrote: > > > On 10/13/2015 01:14 PM, Jan Pazdziora wrote: >> >> One-liner. >> >> >> > > ACK, network.negotiate-auth.delegation-uris is indeed not being set. > > Tomas > Pushed to master: 9d7abfaf7a97f3ea0831d1870898c00b7e8d93e3 -- Manage your

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Oleg Fayans
Hi Ludwig, On 10/13/2015 12:55 PM, Ludwig Krispenz wrote: On 10/13/2015 12:43 PM, Oleg Fayans wrote: Hi guys, On 10/13/2015 12:34 PM, Petr Vobornik wrote: On 10/13/2015 12:19 PM, Martin Babinsky wrote: On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote:

Re: [Freeipa-devel] [PATCH 0066] ipactl: Do not start/stop/restart single service multiple times

2015-10-13 Thread Tomas Babej
On 08/27/2015 08:07 AM, David Kupka wrote: > On 26/08/15 17:49, Tomas Babej wrote: >> >> >> On 08/26/2015 03:16 PM, David Kupka wrote: >>> https://fedorahosted.org/freeipa/ticket/5248 >>> >>> >> >> +def deduplicate(lst): >> +new_lst = [] >> +s = set(lst) >> +for i in lst: >> +

Re: [Freeipa-devel] [PATCHES] More Python3 porting

2015-10-13 Thread Tomas Babej
On 10/08/2015 05:17 PM, Petr Viktorin wrote: > Hello, > Here is another batch of Python 3 porting patches. > I went through the patches both code-wise and functional-tests wise (xmlrpc, CI, manual). Looks fine. ACK, thanks for the patchset. Tomas -- Manage your subscription for the

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Alexander Bokovoy
On Tue, 13 Oct 2015, Martin Basti wrote: On 13.10.2015 10:04, Petr Spacek wrote: On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab wiil now remove it and destroy any

[Freeipa-devel] [PATCH 5] The delegation uris are not set, match message to code

2015-10-13 Thread Jan Pazdziora
One-liner. -- Jan Pazdziora Senior Principal Software Engineer, Identity Management Engineering, Red Hat >From 612495129cb84fca972c0331adc591ea59dafd21 Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Tue, 13 Oct 2015 13:07:24 +0200 Subject: [PATCH] The delegation uris

Re: [Freeipa-devel] [PATCH 0009] WebUI: Disappearing automember rule expressions

2015-10-13 Thread Tomas Babej
On 10/09/2015 01:46 PM, Stanislav Laznicka wrote: > Hi, > please see the patch attached. > > Standa L. > > ACK, works as desired. Tomas -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA:

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Martin Basti
On 13.10.2015 10:04, Petr Spacek wrote: On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab wiil now remove it and destroy any associated credentials cache during its

Re: [Freeipa-devel] [PATCHES] More Python3 porting

2015-10-13 Thread Tomas Babej
On 10/13/2015 02:15 PM, Tomas Babej wrote: > > > On 10/08/2015 05:17 PM, Petr Viktorin wrote: >> Hello, >> Here is another batch of Python 3 porting patches. >> > > I went through the patches both code-wise and functional-tests wise > (xmlrpc, CI, manual). Looks fine. > > ACK, thanks for the

Re: [Freeipa-devel] [PATCH 504] vault: fix service name normalization

2015-10-13 Thread Petr Vobornik
On 10/13/2015 12:24 PM, Jan Cholasta wrote: On 13.10.2015 10:18, Jan Cholasta wrote: Hi, the attached patch fixes . Honza Decided to use a slightly different approach, updated patch attached. Works for me, ACK -- Petr Vobornik -- Manage your

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Petr Spacek
On 13.10.2015 14:52, Simo Sorce wrote: > On 13/10/15 04:04, Petr Spacek wrote: >> On 13.10.2015 09:34, Martin Babinsky wrote: >>> On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: > > each service possessing Kerberos keytab wiil now remove it and

Re: [Freeipa-devel] [PATCH 0082] remove Kerberos authenticators after service uninstall

2015-10-13 Thread Simo Sorce
On 13/10/15 08:58, Petr Spacek wrote: On 13.10.2015 14:52, Simo Sorce wrote: On 13/10/15 04:04, Petr Spacek wrote: On 13.10.2015 09:34, Martin Babinsky wrote: On 10/13/2015 09:17 AM, Petr Spacek wrote: On 12.10.2015 13:38, Martin Babinsky wrote: each service possessing Kerberos keytab wiil

Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Martin Basti
On 09.10.2015 19:17, Gabe Alford wrote: Hello, This patch enables nsaccountlock in user.py cli. It is very handy to be able to search and find users with disabled/enabled accounts, etc. That said, I couldn't find why it was no_option in the first place, so I am not 100% sure if it breaks

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-13 Thread Jan Orel
> The restriction was there so that hosts had limited visibility. This > applies that limitation to all users. I think the host check needs to be > re-added. I am confused, correct me if I am wrong, but the "if hostname:" check seems always redundat because it would raise exception before either

[Freeipa-devel] [PATCHES 0324 - 0325] DNSSEC: warn user if DNSSEC key master is not installed on any replica

2015-10-13 Thread Martin Basti
https://fedorahosted.org/freeipa/ticket/5290 Patches attached. From a8ee0440a363e11b82878609a4a0204039ce5b7e Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Tue, 13 Oct 2015 14:08:35 +0200 Subject: [PATCH 1/2] DNSSEC: Remove service containers from LDAP after uninstalling

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Martin Babinsky
On 10/13/2015 10:15 AM, Petr Vobornik wrote: On 10/13/2015 10:02 AM, Oleg Fayans wrote: NACK UI still shows the connectivity information at http:///ipa/ui/#/e/topologysuffix/topologysegment/realm Showing it is correct and desired - both in CLI and Web UI. The end state should be that UIs

Re: [Freeipa-devel] [PATCH 0058] Remove bind configuration detected question

2015-10-13 Thread Martin Basti
On 09.10.2015 19:17, Gabe Alford wrote: Hello, Fix for https://fedorahosted.org/freeipa/ticket/5351 Thanks, Gabe ACK Pushed to: master: d0bdc37679ef6807d16f2f3b216366834f9d6de0 ipa-4-2: 1d78cbb036760261f8d8e57fc0b7109e9e1c7568 -- Manage your subscription for the Freeipa-devel mailing

Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Martin Basti
On 13.10.2015 18:53, Gabe Alford wrote: Thanks Martin, What about adding no_create and no_update flags? Gabe Yes, that may work, also please increment minor version of API and add ticket into commit message (https://fedorahosted.org/freeipa/ticket/5366)

Re: [Freeipa-devel] [PATCH 0084] hide topology segment direction in topology command CLI and webui interface

2015-10-13 Thread Martin Babinsky
On 10/13/2015 06:55 PM, Martin Babinsky wrote: mbabinsk - hide segment direction from topology commands Ooops forgot to regenerate API.txt. Attaching updated patch. -- Martin^3 Babinsky From 2964ac74100ec2ded3acf15b1bc1ab327c6cd00f Mon Sep 17 00:00:00 2001 From: Martin Babinsky

Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Gabe Alford
Thanks Martin, What about adding no_create and no_update flags? Gabe On Tue, Oct 13, 2015 at 9:54 AM, Martin Basti wrote: > > > On 09.10.2015 19:17, Gabe Alford wrote: > > Hello, > > This patch enables nsaccountlock in user.py cli. It is very handy to be > able to search

Re: [Freeipa-devel] [PATCHES 0318 - 0320, 0323] installer: allow to modify dse.ldif during installation

2015-10-13 Thread Martin Basti
On 12.10.2015 12:30, Martin Babinsky wrote: On 10/08/2015 05:58 PM, Martin Basti wrote: The attached patches fix following tickets: https://fedorahosted.org/freeipa/ticket/4949 https://fedorahosted.org/freeipa/ticket/4048 https://fedorahosted.org/freeipa/ticket/1930 With these

Re: [Freeipa-devel] [PATCH 0056] Enable nsaccountlock in user.py cli

2015-10-13 Thread Gabe Alford
Updated patch attached. On Tue, Oct 13, 2015 at 10:59 AM, Martin Basti wrote: > > > On 13.10.2015 18:53, Gabe Alford wrote: > > Thanks Martin, > > What about adding no_create and no_update flags? > > Gabe > > Yes, that may work, also please increment minor version of API and

Re: [Freeipa-devel] [PATCH] 0001 cert-show: Remove check if hostname != CN

2015-10-13 Thread Rob Crittenden
Jan Orel wrote: >> The restriction was there so that hosts had limited visibility. This >> applies that limitation to all users. I think the host check needs to be >> re-added. > > I am confused, correct me if I am wrong, but the "if hostname:" check > seems always redundat because it would raise