Re: [Freeipa-devel] [PATCH] cleanup of pam_sss

2009-07-22 Thread Sumit Bose
On Wed, Jul 22, 2009 at 08:46:13AM -0400, Simo Sorce wrote: On Wed, 2009-07-22 at 12:52 +0200, Sumit Bose wrote: this patch should make pam_sss.c considerably more readable and should allow to use modules like pam_cracklib together with pam_sss. I hope I have caught all corner cases

Re: [Freeipa-devel] [PATCH] Fix race condition leading to segfaults

2009-07-24 Thread Sumit Bose
On Fri, Jul 24, 2009 at 10:15:25AM +0200, Sumit Bose wrote: On Thu, Jul 23, 2009 at 04:18:15PM -0400, Simo Sorce wrote: Sumit found out that ldap auth would segfault from time to time. The problem was the way ldap_result() works you don't know how many results are in the pipe so you

Re: [Freeipa-devel] [PATCH] Fix sasl mappings

2009-10-05 Thread Sumit Bose
On Tue, Sep 29, 2009 at 12:43:15PM -0400, Simo Sorce wrote: Sasl mappings never worked properly with full principal names. This patch fixes the problem. See bug#526284 Should probably commit this patch also against v1. Simo. this patch works for me with v1 and v2. ACK bye, Sumit

Re: [Freeipa-devel] [PATCH] 450 fixes for HBAC services

2010-05-26 Thread Sumit Bose
On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote: Add the ipqUniqueID object to HBAC services and make sure that they get the memberOf attribute if they are members of service groups. rob I think 30-hbacsvc.update is missing. bye, Sumit

Re: [Freeipa-devel] [PATCH] 450 fixes for HBAC services

2010-05-27 Thread Sumit Bose
On Wed, May 26, 2010 at 09:51:21AM -0400, Rob Crittenden wrote: Sumit Bose wrote: On Fri, May 21, 2010 at 04:30:12PM -0400, Rob Crittenden wrote: Add the ipqUniqueID object to HBAC services and make sure that they get the memberOf attribute if they are members of service groups. rob I

Re: [Freeipa-devel] Sudoers schema

2010-08-19 Thread Sumit Bose
On Thu, Aug 19, 2010 at 02:47:33PM -0400, Rob Crittenden wrote: Dmitri Pal wrote: Hello, It occurred to me that we can have a compromise. We can have two ways and let the admins decide which model to follow. So the schema will look like this: The sudo rule entry will have a string

Re: [Freeipa-devel] Sudo Schema Bug

2010-09-30 Thread Sumit Bose
On Thu, Sep 30, 2010 at 12:06:01AM -0400, Dmitri Pal wrote: JR Aquino wrote: I have encountered and troubleshot several instances recently where a user was present in more than 1 sudo rule. One that permitted the user, the host, and commands, and another that permitted the user, and host,

Re: [Freeipa-devel] Sudo Schema Bug/Feature

2010-09-30 Thread Sumit Bose
On Sep 30, 2010, at 6:17 AM, freeipa-devel-requ...@redhat.com wrote: I think this behaviour is a contradiction to 'paranoid behavior'. I think that instead of 'If there are

Re: [Freeipa-devel] Proposed changes to the HBAC grammar

2010-11-19 Thread Sumit Bose
On Thu, Nov 18, 2010 at 05:27:13PM -0500, Dmitri Pal wrote: Adam Young wrote: On 11/18/2010 04:02 PM, Stephen Gallagher wrote: On 11/18/2010 09:55 AM, Dmitri Pal wrote: Steve can you summarize where we are and what we agreed to, please, and identify the questions that we need to

Re: [Freeipa-devel] SUDO community changed SUDO schema!!!

2011-01-31 Thread Sumit Bose
On Sun, Jan 30, 2011 at 11:53:19PM -0500, Dmitri Pal wrote: On 01/30/2011 11:23 AM, JR Aquino wrote: On 1/29/11 3:40 PM, Dmitri Pal d...@redhat.com wrote: On 01/29/2011 12:37 PM, JR Aquino wrote: On 1/29/11 9:30 AM, JR Aquino jr.aqu...@citrix.com wrote: From: Dmitri Pal

Re: [Freeipa-devel] Adding client on RHEL 6 fails to get DNS entry

2011-02-25 Thread Sumit Bose
On Fri, Feb 25, 2011 at 12:47:03AM -0500, Simo Sorce wrote: On Thu, 24 Feb 2011 20:55:32 -0500 Adam Young ayo...@redhat.com wrote: I updated the resolv.conf of the client machine to point to the server and ran: [root@vm-060 ~]# ipa-client-install --domain idm.lab.bos.redhat.com

Re: [Freeipa-devel] Kerberos implementation issues

2011-06-22 Thread Sumit Bose
On Tue, Jun 21, 2011 at 04:48:08PM -0600, Pete Zaitcev wrote: On Tue, 21 Jun 2011 18:28:36 -0400 Dmitri Pal d...@redhat.com wrote: Dear Dmitri, thanks for the reply. I am reading curl source code now and I notice the distinction between Negotiate that comes from SPNEGO, and GSS-Negotiate.

[Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

2011-08-26 Thread Sumit Bose
+1,198 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose sb...@redhat.com +# Based on ipa-server-install by Karl MacMillan kmacmil...@mentalrootkit.com +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program

Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

2011-08-26 Thread Sumit Bose
On Fri, Aug 26, 2011 at 09:35:16PM +0300, Alexander Bokovoy wrote: diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py new file mode 100644 The code in smbinstance.py assumes Samba has been compiled with /etc/ipa/smb.conf as default configuration file

Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

2011-09-08 Thread Sumit Bose
On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote: On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote: I don't think that we should run winbind. I also changed the path to the smb.conf file from /etc/ipa to /etc/samba which makes the change to /etc/sysconfig/samba unnecessary

Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

2011-09-08 Thread Sumit Bose
On Thu, Sep 08, 2011 at 02:06:44PM +0200, Martin Kosek wrote: On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote: On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote: On Tue, 2011-08-30 at 16:40 +0200, Sumit Bose wrote: I don't think that we should run winbind. I also

Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

2011-09-12 Thread Sumit Bose
On Fri, Sep 09, 2011 at 07:06:47PM -0400, Simo Sorce wrote: On Thu, 2011-09-08 at 14:39 +0200, Sumit Bose wrote: On Thu, Sep 08, 2011 at 02:06:44PM +0200, Martin Kosek wrote: On Thu, 2011-09-08 at 13:52 +0200, Sumit Bose wrote: On Wed, Sep 07, 2011 at 06:10:50PM -0400, Simo Sorce wrote

[Freeipa-devel] [PATCH] 2 Call standard_logging_setup() before any logging is done

2011-09-13 Thread Sumit Bose
Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 13 Sep 2011 12:37:47 +0200 Subject: [PATCH] Call standard_logging_setup() before any logging is done --- install/tools/ipa-dns-install |4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diff --git a/install/tools/ipa-dns

Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility

2011-09-13 Thread Sumit Bose
On Mon, Sep 12, 2011 at 05:24:38PM -0400, Simo Sorce wrote: On Mon, 2011-09-12 at 17:53 +0200, Sumit Bose wrote: [..] I can now run 'smbclient -k -L' on my test system with the recent samba patch. Sorry a couple more nitpicks. Trying to reinstall ipa-adtrust-install it returned

[Freeipa-devel] [PATCH] 3 Fix ACIs in ipa-adtrust-install

2011-09-19 Thread Sumit Bose
Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 19 Sep 2011 11:48:05 +0200 Subject: [PATCH] Fix ACIs in ipa-adtrust-install --- ipaserver/install/adtrustinstance.py | 15 +-- 1 files changed, 13 insertions(+), 2 deletions(-) diff --git a/ipaserver/install

[Freeipa-devel] [PATCH] 4 Update samba LDAP schema

2011-09-19 Thread Sumit Bose
expects the old objectclasses for users, groups and trust objects. bye, Sumit From 08ba5beebf81be67f03ae384f2119ae81b3ebf9d Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 19 Sep 2011 15:45:30 +0200 Subject: [PATCH] Update samba LDAP schema The samba LDAP schema is updated

Re: [Freeipa-devel] [PATCH] #1728 New schema for IPAv3 required attributes

2011-09-20 Thread Sumit Bose
On Mon, Sep 19, 2011 at 12:34:36PM -0400, Simo Sorce wrote: Attached find a patch for new attributes and objectclasses for the IPA v3 goal of configuring trust relationships between freeipa and windows domains. I think everything is ok, I just started to wonder if it is maybe safer to always

Re: [Freeipa-devel] [PATCH] #1728 New schema for IPAv3 required attributes

2011-09-20 Thread Sumit Bose
On Tue, Sep 20, 2011 at 08:47:58AM -0400, Simo Sorce wrote: On Tue, 2011-09-20 at 12:36 +0200, Sumit Bose wrote: On Mon, Sep 19, 2011 at 12:34:36PM -0400, Simo Sorce wrote: Attached find a patch for new attributes and objectclasses for the IPA v3 goal of configuring trust relationships

Re: [Freeipa-devel] FreeIPA and per-machine views

2011-09-23 Thread Sumit Bose
On Fri, Sep 23, 2011 at 07:48:06AM -0400, Stephen Gallagher wrote: On Thu, 2011-09-22 at 21:55 -0400, Dmitri Pal wrote: On 09/21/2011 10:07 PM, Stephen Gallagher wrote: I've been working on the multiple search base feature in SSSD and I've had some thoughts that might be relevant to the

[Freeipa-devel] [PATCH] 6 Add admin SIDs

2011-09-23 Thread Sumit Bose
Hi, this patch extends the ipa-adtrust-install utility by adding SIDs to the IPA admin user and the admins group. bye, Sumit From 9d24a20c8d81440398f38e71efd024320b20577d Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 23 Sep 2011 15:11:23 +0200 Subject: [PATCH] Add admin

[Freeipa-devel] [PATCH] ipa-pwd-extop: allow password change on all connections with SSF1

2011-09-27 Thread Sumit Bose
check in ipa_enrollment.c. But I think enrollments via LDAPI does not make much sense so it does not need to be changed. This patch should fix https://fedorahosted.org/freeipa/ticket/1877. bye, Sumit From 8ed807a42982aabe958a4d0cac47d5f4511be11c Mon Sep 17 00:00:00 2001 From: Sumit Bose sb

[Freeipa-devel] [PATCH] 8 Add DNS service records for Windows

2011-10-14 Thread Sumit Bose
Hi, this patch adds DNS service records for Windows systems during the setup of trust support. Fixes https://fedorahosted.org/freeipa/ticket/1939. bye, Sumit From 098f835edf3baedf2e69392909c9e725fde378f0 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 13 Oct 2011 12:01

Re: [Freeipa-devel] [PATCH] 8 Add DNS service records for Windows

2011-10-14 Thread Sumit Bose
On Fri, Oct 14, 2011 at 12:15:57PM +0200, Sumit Bose wrote: Hi, this patch adds DNS service records for Windows systems during the setup of trust support. Fixes https://fedorahosted.org/freeipa/ticket/1939. bye, Sumit Alexander made some comments on irc which I tried to integrate

Re: [Freeipa-devel] [PATCH] 8 Add DNS service records for Windows

2011-10-14 Thread Sumit Bose
On Fri, Oct 14, 2011 at 08:21:51PM +0300, Alexander Bokovoy wrote: On Fri, 14 Oct 2011, Sumit Bose wrote: On Fri, Oct 14, 2011 at 12:15:57PM +0200, Sumit Bose wrote: Hi, this patch adds DNS service records for Windows systems during the setup of trust support. Fixes

Re: [Freeipa-devel] [PATCHES] #1791 Tust Effort: Add support for generating MS-PAC

2011-11-04 Thread Sumit Bose
On Fri, Nov 04, 2011 at 10:49:40AM -0400, Simo Sorce wrote: The attached patches are for master and concern the effort of creating trust relationships between IPA and AD domains. With these patches if you have run ipa-adtrust-install the IPA kdc will be able to create a MS-PAC if the user

Re: [Freeipa-devel] [PATCHES] #1950 Implement CLDAP server for AD trust introperability

2011-11-18 Thread Sumit Bose
On Fri, Nov 18, 2011 at 11:50:47AM -0500, Simo Sorce wrote: On Fri, 2011-11-18 at 16:07 +0100, Sumit Bose wrote: On Thu, Nov 17, 2011 at 05:00:51PM -0500, Simo Sorce wrote: Attached find a series of patches that implement a CLDAP server as a dirsrv plugin. The server right now

Re: [Freeipa-devel] [PATCH] #2122 Fix PAC re-signing

2011-11-23 Thread Sumit Bose
On Tue, Nov 22, 2011 at 07:10:54PM -0500, Simo Sorce wrote: In some cases the KDC will decide to use a different checksum type when re-signing a PAC to include it in a service ticket. This is common in a cross-realm trust with AD as most AD DCs will use a HMAC-MD5-RC4 checksum while IPA's

Re: [Freeipa-devel] [PATCH] #2122 Fix PAC re-signing

2011-11-24 Thread Sumit Bose
On Wed, Nov 23, 2011 at 11:53:11AM +0100, Sumit Bose wrote: On Tue, Nov 22, 2011 at 07:10:54PM -0500, Simo Sorce wrote: In some cases the KDC will decide to use a different checksum type when re-signing a PAC to include it in a service ticket. This is common in a cross-realm trust

[Freeipa-devel] [PATCH] Make pwd-extop aware of new ipaNTHash attribute

2011-11-28 Thread Sumit Bose
68d66eba4e31a314242322471dbfe698f4493737 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Thu, 24 Nov 2011 18:38:38 +0100 Subject: [PATCH] Make pwd-extop aware of new ipaNTHash attribute --- .../ipa-pwd-extop/ipa_pwd_extop.c |4 +- daemons/ipa-slapi-plugins/ipa

Re: [Freeipa-devel] [PATCH] #2122 Fix PAC re-signing

2011-11-29 Thread Sumit Bose
On Mon, Nov 28, 2011 at 07:43:57PM -0500, Simo Sorce wrote: On Thu, 2011-11-24 at 13:54 +0100, Sumit Bose wrote: I think I found two issues which should be fixed by the following patch: - krb5_pac_add_buffer() expects krb5_pac and not krb5_pac * as a second argument good catch

Re: [Freeipa-devel] [PATCH] Add ipasam samba passdb backend

2011-11-30 Thread Sumit Bose
On Tue, Nov 29, 2011 at 11:25:41PM +0200, Alexander Bokovoy wrote: On Tue, 29 Nov 2011, Sumit Bose wrote: @@ -199,10 +216,11 @@ class ADTRUSTInstance(service.Service): self.admin_conn.addEntry(entry) entry = ipaldap.Entry(self.smb_dom_dn

[Freeipa-devel] Samba package name change samba-4.0 - samba4

2011-11-30 Thread Sumit Bose
Hi, we recently changed the name of the samba packages in the ipa-devel repository. The packages are now called samba4-* and libsmbclient4-* instead of samba-4.0-* and libsmbclient-4.0-* . The name was changed because the samba packages will update the samba4 packages which are currently

Re: [Freeipa-devel] Samba package name change samba-4.0 - samba4

2011-11-30 Thread Sumit Bose
On Wed, Nov 30, 2011 at 08:46:04AM -0500, Stephen Gallagher wrote: On Wed, 2011-11-30 at 14:40 +0100, Sumit Bose wrote: Hi, we recently changed the name of the samba packages in the ipa-devel repository. The packages are now called samba4-* and libsmbclient4-* instead of samba-4.0

[Freeipa-devel] [PATCH] 16 Add a second module init call for newer samba versions

2011-12-08 Thread Sumit Bose
Hi, the samba team decided to rename the symbol to initialize a new module (again). This patch adds the new name and keeps the old one. bye, Sumit From a9036112ca47f14d9f17f665fd6bd3efba9dc7b3 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Wed, 7 Dec 2011 17:23:53 +0100 Subject

Re: [Freeipa-devel] WIP: ipa trust command

2011-12-12 Thread Sumit Bose
On Mon, Dec 12, 2011 at 07:49:04PM +0200, Alexander Bokovoy wrote: Hi, I'm working on ticket #1821 to introduce FreeIPA 3.0 AD trusts management CLI and GUI. It is quite apparent that most of management commands will be similar to all future trust types (AD, IPA, etc), thus, it makes

Re: [Freeipa-devel] WIP: ipa trust command

2011-12-14 Thread Sumit Bose
On Tue, Dec 13, 2011 at 07:08:24PM +0200, Alexander Bokovoy wrote: On Tue, 13 Dec 2011, Simo Sorce wrote: On Mon, 2011-12-12 at 22:27 +0200, Alexander Bokovoy wrote: On Mon, 12 Dec 2011, Sumit Bose wrote: --password Value [type-specific parameters] Creates a trust between

Re: [Freeipa-devel] WIP: ipa trust command

2011-12-14 Thread Sumit Bose
On Wed, Dec 14, 2011 at 07:45:53AM -0500, Simo Sorce wrote: On Wed, 2011-12-14 at 10:23 +0100, Sumit Bose wrote: On Tue, Dec 13, 2011 at 07:08:24PM +0200, Alexander Bokovoy wrote: On Tue, 13 Dec 2011, Simo Sorce wrote: On Mon, 2011-12-12 at 22:27 +0200, Alexander Bokovoy wrote

Re: [Freeipa-devel] WIP: ipa trust command

2011-12-14 Thread Sumit Bose
On Wed, Dec 14, 2011 at 08:31:57AM -0500, Simo Sorce wrote: On Wed, 2011-12-14 at 14:12 +0100, Sumit Bose wrote: On Wed, Dec 14, 2011 at 07:45:53AM -0500, Simo Sorce wrote: On Wed, 2011-12-14 at 10:23 +0100, Sumit Bose wrote: On Tue, Dec 13, 2011 at 07:08:24PM +0200, Alexander Bokovoy

[Freeipa-devel] Adding a new DNA plugin configuration in IPAv3

2012-01-31 Thread Sumit Bose
Hi, for the IPAv3 trust feature we have to add the objectclass ipaNTUserAttrs/ipaNTGroupAttrs to every user/group which should be visible on the Windows side of the trust. The only MUST attribute of both objectclasses is ipaNTSecurityIdentifier the SID or the user or group. We would like to

Re: [Freeipa-devel] Adding a new DNA plugin configuration in IPAv3

2012-02-02 Thread Sumit Bose
On Wed, Feb 01, 2012 at 01:59:15PM -0500, Simo Sorce wrote: On Wed, 2012-02-01 at 12:00 -0500, Dmitri Pal wrote: On 01/31/2012 06:45 AM, Sumit Bose wrote: Hi, for the IPAv3 trust feature we have to add the objectclass ipaNTUserAttrs/ipaNTGroupAttrs to every user/group which should

Re: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin

2012-03-23 Thread Sumit Bose
On Fri, Mar 23, 2012 at 09:35:47AM -0400, Dmitri Pal wrote: On 03/23/2012 08:52 AM, Sumit Bose wrote: Hi, these two patches introduce a new extended operation to the IPA server which can be used by clients in the IPA domain to obtain information about users and groups from trusted

Re: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin

2012-03-23 Thread Sumit Bose
On Fri, Mar 23, 2012 at 12:08:22PM -0400, Dmitri Pal wrote: On 03/23/2012 11:57 AM, Sumit Bose wrote: On Fri, Mar 23, 2012 at 09:35:47AM -0400, Dmitri Pal wrote: On 03/23/2012 08:52 AM, Sumit Bose wrote: Hi, these two patches introduce a new extended operation to the IPA server which

Re: [Freeipa-devel] [PATCH] 490 Fix s4u2proxy handling when a MS-PAC is available

2012-03-28 Thread Sumit Bose
On Tue, Mar 27, 2012 at 03:17:06PM -0400, Simo Sorce wrote: This patch fixes #2504, the logic to choose the client principal to use was basically reversed, and we ended up using the wrong principal to verify the PAC owner. This patch fixes it. Tested and s4u2proxy keeps working both with and

Re: [Freeipa-devel] [PATCH] (master) Support case-insensitive searches for principals during TGS request processing

2012-04-02 Thread Sumit Bose
On Thu, Mar 29, 2012 at 05:02:31PM -0400, Simo Sorce wrote: On Thu, 2012-03-29 at 16:30 +0300, Alexander Bokovoy wrote: This is due to some krbtgt/realm@REALM searches performed in KDC without allowing for principal aliases and therefore no chance to our case-insensitive searches to kick

Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

2012-04-03 Thread Sumit Bose
On Tue, Apr 03, 2012 at 01:41:35PM +0300, Alexander Bokovoy wrote: Hi! Attached are the current patches for adding support for Active Directory trusts for FreeIPA v3 (master). These are tested and working with samba4 build available in ipa-devel@ repo. You have to use --delegate until

Re: [Freeipa-devel] samba4 woes

2012-04-20 Thread Sumit Bose
On Fri, Apr 20, 2012 at 12:37:08PM -0400, John Dennis wrote: We're supposed to be working on master now, not 2.2. But master has dependencies on samba4. Those dependencies can only be resolved on F17, an unreleased platform. I think it's reasonable for IPA developers to work on the current

Re: [Freeipa-devel] samba4 woes

2012-04-21 Thread Sumit Bose
On Fri, Apr 20, 2012 at 07:20:32PM -0400, John Dennis wrote: On 04/20/2012 05:49 PM, Sumit Bose wrote: I take samba4 and libldb from the ipa-devel repo. There are even versions for my very old F15 devel system. Yup, one of the first things I tried. But those conflict with the libsmbclient

Re: [Freeipa-devel] have you been running master?

2012-04-23 Thread Sumit Bose
On Mon, Apr 23, 2012 at 11:51:09AM -0400, John Dennis wrote: Just curious, some changes went into master that modified how we call into ldap (for both the installer and normal server operation). But those changes occurred when many of us were working on 2.2 almost exclusively. So has anybody

Re: [Freeipa-devel] [PATCH] 0042-0048 AD trusts support (master)

2012-06-05 Thread Sumit Bose
On Mon, Jun 04, 2012 at 03:32:36PM +0300, Alexander Bokovoy wrote: On Mon, 04 Jun 2012, Martin Kosek wrote: I did another round of testing and this is what I found so far: 1) freeipa.spec.in was missing python-crypto BuildRequires (you fixed that) 2) Unit tests need to be updated,

Re: [Freeipa-devel] [PATCH] 19-21 Use exop instead of kadmin.local

2012-06-08 Thread Sumit Bose
On Thu, Jun 07, 2012 at 12:09:32PM +0200, Sumit Bose wrote: now with patches :-) On Thu, Jun 07, 2012 at 12:07:13PM +0200, Sumit Bose wrote: Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/2513 and as a consequence makes https://fedorahosted.org/freeipa/ticket/2516 obsolete

Re: [Freeipa-devel] [PATCH] move samba4-specific python code to a subpackage

2012-06-13 Thread Sumit Bose
On Tue, Jun 12, 2012 at 04:08:12PM +0300, Alexander Bokovoy wrote: DCERPC code in AD trusts implementation depends on Samba 4 Python bindings. Make this dependency optional for main freeipa-server package by moving the dependency to freeipa-server-trust-ad subpackage. Main interface to AD

[Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

2012-06-13 Thread Sumit Bose
0024: add primary and secondary RID base to the local range object during ipa-adtrust-install bye, Sumit From f9dbf28c52feabeae801d41bd4f69d2eb898a8b0 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 11 Jun 2012 18:31:36 +0200 Subject: [PATCH] Extend LDAP schema

Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

2012-06-14 Thread Sumit Bose
On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote: On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote: to keep track of the different ranges we use for UIDs/GIDs for local users/groups and users from trusted domains new range objects are introduced which are stored below cn

Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

2012-06-14 Thread Sumit Bose
On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote: On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote: On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote: On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote: to keep track of the different ranges we use for UIDs

Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

2012-06-17 Thread Sumit Bose
On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote: On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote: On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote: On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce wrote: On Wed, 2012-06-13 at 21:17 +0200, Sumit Bose wrote

Re: [Freeipa-devel] [PATCH] External group membership for trusted domains

2012-06-25 Thread Sumit Bose
Hi Alexander, On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: Hi! Attached is the patch to support external group membership for trusted domains. This is needed to get proper group membership with the work Sumit and Jan are doing on both IPA and SSSD sides. We already

[Freeipa-devel] [PATCH] Filter groups in the PAC

2012-06-26 Thread Sumit Bose
the user from the PAC is added to the local groups on the client. bye, Sumit From 2e1415e17b811f76d2611a70560ab024765ab3ad Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 30 Apr 2012 15:30:01 +0200 Subject: [PATCH] Filter groups in the PAC If one or more of the external

[Freeipa-devel] [PATCH] Fix typo

2012-06-26 Thread Sumit Bose
: Sumit Bose sb...@redhat.com Date: Tue, 26 Jun 2012 09:58:01 +0200 Subject: [PATCH] Fix typo --- daemons/ipa-kdb/ipa_kdb_mspac.c |2 +- 1 Datei geändert, 1 Zeile hinzugefügt(+), 1 Zeile entfernt(-) diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c index

Re: [Freeipa-devel] [PATCHES] 22-24 Add initial support for ID ranges

2012-06-26 Thread Sumit Bose
On Sun, Jun 17, 2012 at 09:47:20PM +0200, Sumit Bose wrote: On Thu, Jun 14, 2012 at 02:25:01PM +0200, Sumit Bose wrote: On Thu, Jun 14, 2012 at 07:54:40AM -0400, Simo Sorce wrote: On Thu, 2012-06-14 at 12:35 +0200, Sumit Bose wrote: On Wed, Jun 13, 2012 at 08:38:23PM -0400, Simo Sorce

Re: [Freeipa-devel] [PATCH] External group membership for trusted domains

2012-06-27 Thread Sumit Bose
On Wed, Jun 27, 2012 at 12:56:56PM +0300, Alexander Bokovoy wrote: On Mon, 25 Jun 2012, Alexander Bokovoy wrote: On Mon, 25 Jun 2012, Sumit Bose wrote: Hi Alexander, On Thu, Jun 21, 2012 at 06:26:02PM +0300, Alexander Bokovoy wrote: Hi! Attached is the patch to support external group

Re: [Freeipa-devel] [PATCH] 0055 Add error condition handling to SASL bind callback in ipasam module

2012-06-27 Thread Sumit Bose
On Wed, Jun 27, 2012 at 05:29:07PM +0300, Alexander Bokovoy wrote: Hi, attached patch adds comprehensive error condition handling to SASL bind callback in ipasam module. The callback is doing keytab-based auth against FreeIPA LDAP server and original version lacked error checks on purpose.

Re: [Freeipa-devel] [PATCH] 0056 Support requests for DOMAIN$ account for trusted domain in ipasam module

2012-06-27 Thread Sumit Bose
On Wed, Jun 27, 2012 at 05:36:51PM +0300, Alexander Bokovoy wrote: Hi, Windows 2008R2 attempts to authenticate as DOMAIN$ with trust password when trust is established. Change ipasam module to consider DOMAIN$ when checking for trusted domain accounts as current code only checks for DOMAIN.

Re: [Freeipa-devel] [PATCH] 0055 Add error condition handling to SASL bind callback in ipasam module

2012-06-27 Thread Sumit Bose
On Wed, Jun 27, 2012 at 07:09:03PM +0300, Alexander Bokovoy wrote: On Wed, 27 Jun 2012, Sumit Bose wrote: On Wed, Jun 27, 2012 at 05:29:07PM +0300, Alexander Bokovoy wrote: Hi, attached patch adds comprehensive error condition handling to SASL bind callback in ipasam module. The callback

Re: [Freeipa-devel] [PATCH] 18 Add external domain extop DS plugin

2012-06-28 Thread Sumit Bose
On Thu, Jun 28, 2012 at 01:51:28PM +0200, Martin Kosek wrote: On 06/28/2012 01:09 PM, Martin Kosek wrote: On 06/28/2012 12:19 PM, Sumit Bose wrote: On Thu, Jun 28, 2012 at 09:52:14AM +0200, Martin Kosek wrote: On 06/27/2012 06:38 PM, Alexander Bokovoy wrote: On Wed, 27 Jun 2012, Sumit

Re: [Freeipa-devel] [PATCH] Filter groups in the PAC

2012-06-28 Thread Sumit Bose
On Wed, Jun 27, 2012 at 07:28:11PM +0300, Alexander Bokovoy wrote: On Tue, 26 Jun 2012, Sumit Bose wrote: Hi, this patch contains the KDC part of the external groups handling. If group SIDs from the PAC can be found in the ipaExternalGroup objects and the external groups are member of local

[Freeipa-devel] [PATCH] Use lower case names in LDAP to meet freeIPA convention

2012-06-29 Thread Sumit Bose
: Sumit Bose sb...@redhat.com Date: Fri, 29 Jun 2012 10:58:04 +0200 Subject: [PATCH] Use lower case names in LDAP to meet freeIPA convention --- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 22 ++--- 1 Datei geändert, 11 Zeilen hinzugefügt(+), 11 Zeilen entfernt(-) diff --git

Re: [Freeipa-devel] please use DN objects

2012-06-29 Thread Sumit Bose
On Fri, Jun 29, 2012 at 05:27:41PM -0400, John Dennis wrote: I just saw a commit that had things like this in it: admin_conn.search_s(cn=ranges,cn=etc,+self.suffix, Please don't form DN's using string formatting! We've had DN objects in the code for a long time now, please use them,

[Freeipa-devel] [PATCH] 31 Use DN objects instead of strings in adtrustinstance

2012-07-02 Thread Sumit Bose
Hi, as pointed out by John adtrustinstance.py does not use the DN objects but strings to define LDAP DNs. This patch fixes it. bye, Sumit From e91540c323791f06791c973754e7773eaccaf08e Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 2 Jul 2012 12:20:23 +0200 Subject: [PATCH

Re: [Freeipa-devel] [PATCH] ipasam SASL bind callback fixes

2012-07-04 Thread Sumit Bose
On Wed, Jul 04, 2012 at 08:57:44PM +0300, Alexander Bokovoy wrote: Hi, when chasing what looked like ccache corruption with Sumit, I've found yet another issue: use of local stack variable in long-time living code. This local stack use was absent in the original patch version and was

[Freeipa-devel] [PATCH] 32 Only check local ID range during ipa-adtrust-install

2012-07-04 Thread Sumit Bose
Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 2 Jul 2012 18:19:38 +0200 Subject: [PATCH] Only check local ID range during ipa-adtrust-install Since the local ID range is now added during the update process it does not have to be created during ipa-adtrust-install

[Freeipa-devel] [PATCH] 33 Allow silent build if available

2012-07-04 Thread Sumit Bose
00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Wed, 4 Jul 2012 12:15:05 +0200 Subject: [PATCH] Allow silent build if available --- daemons/configure.ac |1 + 1 Datei geändert, 1 Zeile hinzugefügt(+) diff --git a/daemons/configure.ac b/daemons/configure.ac index

[Freeipa-devel] [PATCH] 34-35 ipasam fixes

2012-07-04 Thread Sumit Bose
Hi, the following two patches contain fixes for ipa_sam.c. The first fixes several issues which were found by clang and the second removes some testing stuff I forgot to change. bye, Sumit From 116631a3fd2a50e3c2b5a44ed4cff44fe4f0ab99 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com

Re: [Freeipa-devel] [PATCH] use 'dedicated keytab file' parameter value instead of hard-coded string

2012-07-06 Thread Sumit Bose
On Fri, Jul 06, 2012 at 12:47:12PM +0300, Alexander Bokovoy wrote: Hi, another small two-line cleanup. We already set 'dedicated keytab file' in smb.conf when installing trusts via ipa-adtrust-install. ACK bye, Sumit -- / Alexander Bokovoy

Re: [Freeipa-devel] [PATCH] reduce redundant checks in ldapsam_search_users()

2012-07-06 Thread Sumit Bose
On Fri, Jul 06, 2012 at 01:18:28PM +0300, Alexander Bokovoy wrote: On Fri, 06 Jul 2012, Alexander Bokovoy wrote: Hi, Obvious clean up in ldapsam_search_users(): every branch is setting the same base dn and nothing else. Merged the line with talloc_strdup() call few lines after that. ACK

Re: [Freeipa-devel] [PATCH] Fix typo

2012-07-09 Thread Sumit Bose
On Tue, Jun 26, 2012 at 10:29:00AM +0200, Sumit Bose wrote: Hi, this patch fixes a small typo and silences a compiler warning. I think it is right to use authdata instead of authdata here, but I have to admit that I cannot say why we have not seen any issues before. bye, Sumit I think I

[Freeipa-devel] [PATCH] Improve performance of get_group_sids()

2012-07-10 Thread Sumit Bose
will finish this after my PTO. But I haven't started to work on this. So if you think it should be fixed earlier feel free to take the ticket. bye, Sumit From a70dd5049943ae88aba46ef3e95b06a944efcf60 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 6 Jul 2012 12:24:01 +0200 Subject

Re: [Freeipa-devel] [PATCHSET] 496 add some PAC verification

2012-08-02 Thread Sumit Bose
On Mon, Jul 16, 2012 at 06:54:26PM -0400, Simo Sorce wrote: This patchset is about Ticket #2849 The point is to verify that the PAC information we are getting from a trusted realm is actually consistent with the information we know about that trust relationship. The patchset adds a way to

Re: [Freeipa-devel] [PATCH] 193 Range Web UI

2012-08-14 Thread Sumit Bose
On Mon, Aug 13, 2012 at 07:41:01PM -0500, Endi Sukma Dewata wrote: On 8/6/2012 2:08 AM, Petr Vobornik wrote: Range web UI was implemented. It consists of: * new menu item - 'ranges' in 'IPA Server' tab * new search page * new details page

[Freeipa-devel] [PATCH] trust CLI: add ID range for new trusted domain

2012-08-14 Thread Sumit Bose
independently of the SSSD patch. bye, Sumit From f9515cb32526a078a01604c072a7bc6e9b265b19 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Mon, 6 Aug 2012 14:30:38 +0200 Subject: [PATCH 1/2] extdom: read ranges from LDAP --- .../ipa-extdom-extop/ipa_extdom_common.c | 72

Re: [Freeipa-devel] [PATCH] 193 Range Web UI

2012-08-21 Thread Sumit Bose
On Mon, Aug 20, 2012 at 04:53:50PM -0500, Endi Sukma Dewata wrote: On 8/20/2012 10:49 AM, Petr Vobornik wrote: Updated patch attached. Preview can be seen at: http://pvoborni.fedorapeople.org/ranges/#ipaserver=rangenavigation=ipaserverrange-facet=search ACK. I agree, all options should

[Freeipa-devel] [PATCH] ipadb_iterate(): handle match_entry == NULL

2012-08-21 Thread Sumit Bose
From: Sumit Bose sb...@redhat.com Date: Tue, 21 Aug 2012 12:48:29 +0200 Subject: [PATCH] ipadb_iterate(): handle match_entry == NULL If match_entry == NULL all principals should be iterated. Additionally this patch adds a check in ipadb_filter_escape() to make sure that the input is not NULL

Re: [Freeipa-devel] [PATCH] ipadb_iterate(): handle match_entry == NULL

2012-08-21 Thread Sumit Bose
On Tue, Aug 21, 2012 at 08:53:50AM -0400, Simo Sorce wrote: - Original Message - Hi, there was an issue reported yesterday on #freeipa (https://fedorahosted.org/freeipa/ticket/3011). It is easy to reproduce 'kdb5_util dump' just core dumps. The attached patch adds a parameter

Re: [Freeipa-devel] [PATCH] 303 Add range safety check for range_mod and range_del

2012-09-06 Thread Sumit Bose
On Wed, Sep 05, 2012 at 05:13:41PM +0200, Martin Kosek wrote: range_mod and range_del command could easily create objects with ID which is suddenly out of specified range. This could cause issues in trust scenarios where range objects are used for computation of remote IDs. Add validator

[Freeipa-devel] [PATCH] ipasam: Fixes build with samba4 rc1

2012-09-14 Thread Sumit Bose
Hi, in samba4 rc1 there is an API change which we have to adopt in ipasam. This patch updates ipasam and unbreaks the build with samba4 rc1. bye, Sumit From 4e39eb306da08b29f694b9ff44ccb53865e33d92 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Fri, 14 Sep 2012 14:14:23 +0200

Re: [Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true

2012-09-15 Thread Sumit Bose
On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote: Sumit Bose wrote: Hi, those two patches should fix https://fedorahosted.org/freeipa/ticket/2515 . The first makes the needed change for fresh installations. The second adds the changes during ipa-adtrust-install if needed. I

Re: [Freeipa-devel] [PATCH] Set master_kdc and dns_lookup_kdc to true

2012-09-17 Thread Sumit Bose
On Sat, Sep 15, 2012 at 06:14:56PM -0400, Simo Sorce wrote: On Sat, 2012-09-15 at 22:02 +0200, Sumit Bose wrote: On Fri, Sep 14, 2012 at 05:57:23PM -0400, Rob Crittenden wrote: Sumit Bose wrote: Hi, those two patches should fix https://fedorahosted.org/freeipa/ticket/2515

Re: [Freeipa-devel] IPA server resolv.conf

2012-09-17 Thread Sumit Bose
On Mon, Sep 17, 2012 at 11:18:53AM +0200, Petr Spacek wrote: On 09/17/2012 09:15 AM, Martin Kosek wrote: On 09/17/2012 09:06 AM, Petr Spacek wrote: Discussion about patch Set master_kdc and dns_lookup_kdc to true) reminds one related problem: Our server installer puts line nameserver

Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code

2012-09-18 Thread Sumit Bose
On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote: Hi, Following patch adds trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials. As we found out, in order to validate/verify trust, one has to have administrative

Re: [Freeipa-devel] [PATCH] 0073 Add trust verification code

2012-09-18 Thread Sumit Bose
On Tue, Sep 18, 2012 at 12:42:49PM +0200, Sumit Bose wrote: On Mon, Sep 17, 2012 at 06:44:36PM +0300, Alexander Bokovoy wrote: Hi, Following patch adds trust verification sequence to the case when we establish trust with knowledge of AD administrative credentials. As we found out

Re: [Freeipa-devel] [PATCH] 0078 ipa group-show external group does not list its members

2012-09-24 Thread Sumit Bose
On Mon, Sep 24, 2012 at 05:01:25PM +0300, Alexander Bokovoy wrote: Hi, small patch, to make sure external members are listed when 'ipa group-show' is called. https://fedorahosted.org/freeipa/ticket/2975 ACK bye, Sumit -- / Alexander Bokovoy

Re: [Freeipa-devel] [PATCH] Simplify get_group_sids

2012-09-24 Thread Sumit Bose
On Mon, Sep 24, 2012 at 02:40:45PM -0400, Simo Sorce wrote: This should also give us a slight performance boost as we do not convert the whole SID to a string many times over. I was digging up the archive URL of my patch related to this posted to the list on July

Re: [Freeipa-devel] [PATCH] 0080 rewrite SID comparison to take into account different SID forms

2012-09-27 Thread Sumit Bose
On Tue, Sep 25, 2012 at 05:40:57PM +0300, Alexander Bokovoy wrote: Hi, Domain validator code in ipaserver/dcerpc.py verifies that a SID belongs to one of our trusted domains. This verification was expecting that SID is for some resource within trusted domain and ignored the case when it is

[Freeipa-devel] [PATCHES] 3 enhancements for the ipa-adtrust-install page

2012-10-02 Thread Sumit Bose
Hi, the following three patches should fix https://fedorahosted.org/freeipa/ticket/2967 https://fedorahosted.org/freeipa/ticket/2972 https://fedorahosted.org/freeipa/ticket/3038 respectively. bye, Sumit From bab787a651773ec9bead34cfaaec05991ebc74c4 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb

[Freeipa-devel] [PATCH] Fix various issues found by Coverity

2012-10-02 Thread Sumit Bose
Hi, this patch fixes a couple of resource leaks and unchecked return and an uninitialised value found by Coverity. bye, Sumit From b39269b5adf5d2ae6076d5aa4394e68924027ce6 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 2 Oct 2012 11:25:04 +0200 Subject: [PATCH] Fix various

[Freeipa-devel] [PATCH] 75-78 Add fallback group

2012-10-02 Thread Sumit Bose
9cb3514cd7c73810ce4b5dceb82d36b739124854 Mon Sep 17 00:00:00 2001 From: Sumit Bose sb...@redhat.com Date: Tue, 18 Sep 2012 11:32:10 +0200 Subject: [PATCH 75/78] ipa-adtrust-install: Add fallback group --- ipaserver/install/adtrustinstance.py | 79 ++-- 1 Datei geändert, 67 Zeilen hinzugefügt(+), 12
