Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-27 Thread Petr Vobornik

On 10/27/2015 04:23 PM, Martin Babinsky wrote:

On 10/22/2015 01:06 PM, Petr Vobornik wrote:

On 10/16/2015 06:41 PM, Endi Sukma Dewata wrote:

On 10/15/2015 9:54 AM, Simo Sorce wrote:

3) ipa-ca-install fails with:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 445, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 435, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 631, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 185, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 448, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

I guess I'm hitting the authentication bug in Dogtag. It is supposed to
be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2?
We might need a new 10.2.7 build.


I am not sure which version has it fixed, Endi ?


PKI ticket #1580 was fixed in pki-core-10.2.6-10 for F23 and F24. We
never released a pki-core-10.2.7. I suppose that is a custom build?



Yes it is a custom build[4].

It was advertised that #1414[1] would be in PKI 10.2.7 but it was
later included in 10.2.6-5. I don't know what the plan is for 10.2.7.

Required patch for the discussed issue #1580[2] is included in 10.2.6-10

So I propose to change the requires - patch attached, remove the 10.2.7 custom
build from the mkosek/freeipa-master repo and add a new build (for f22) based
on pki-core-10.2.6-10.fc23 from koji[3].


[1] https://fedorahosted.org/pki/ticket/1414
[2] https://fedorahosted.org/pki/ticket/1580
[3] http://koji.fedoraproject.org/koji/buildinfo?buildID=689985
[4] https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/build/121544/



ACK



Pushed to master: 3f0707a199dae98d55d8e1f69b750f2d1ed4dcab

pki-core-10.2.6-11 was built for f22 and f23 in the mkosek/freeipa-master
copr [1]


pki-core-10.2.7-0.2 was removed from the copr

[1] https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/build/130759/
--
Petr Vobornik

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-22 Thread Martin Basti



On 22.10.2015 13:30, Martin Babinsky wrote:

On 10/21/2015 09:27 PM, Simo Sorce wrote:

On 21/10/15 15:24, Simo Sorce wrote:

On 21/10/15 11:46, Martin Babinsky wrote:

On 10/20/2015 07:24 PM, Simo Sorce wrote:

On 20/10/15 06:32, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for
details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.




NACK, in patch 551 you add a test for a non-existent CLI option into the main
method:

@@ -198,10 +251,20 @@ def main():
  if os.geteuid() != 0:
  sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 
'created_ccache_file',

None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass

I guess you wanted to add a '--replica' option to the CA installer but
since it was not added to the option parser the installer explodes.

# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for 
details:

AttributeError: Values instance has no attribute 'replica'



The attached patch should address this problem now.

Simo.



Thanks, the patch enables CA install on promoted replica.

I have one minor nitpick though:

When running ipa-ca-install on a domain level 0 replica w/o replica file,
the installer issues the following error:

# ipa-ca-install
Replica file None does not exist

I guess you should separately handle the case when no replica file is
specified and issue a corresponding error message like "A replica file
is required".


Done.
Simo.


Scratch this, it contains a typo, see attached.

Simo.




Thanks, ACK for patch 551-6.

I will continue the review of patch 552 when we'll have a dogtag build 
with fix for https://fedorahosted.org/pki/ticket/1580 in copr repo.



Pushed to master: 958996b9cc55b6e9ecdc23981e79599ec6826b4c



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-22 Thread Petr Vobornik

On 10/22/2015 01:30 PM, Martin Babinsky wrote:

On 10/21/2015 09:27 PM, Simo Sorce wrote:


snip





Thanks, ACK for patch 551-6.

I will continue the review of patch 552 when we'll have a dogtag build
with fix for https://fedorahosted.org/pki/ticket/1580 in copr repo.



Martin, could you try it with the plan outlined in
http://www.redhat.com/archives/freeipa-devel/2015-October/msg00342.html

with a copr build:

https://copr.fedoraproject.org/coprs/pvoborni/freeipa-test/build/129440/
--
Petr Vobornik



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-22 Thread Petr Vobornik

On 10/16/2015 06:41 PM, Endi Sukma Dewata wrote:

On 10/15/2015 9:54 AM, Simo Sorce wrote:

3) ipa-ca-install fails with:

Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 445, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 435, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 631, in __spawn_instance
    DogtagInstance.spawn_instance(self, cfg_file)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 185, in spawn_instance
    self.handle_setup_error(e)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py", line 448, in handle_setup_error
    raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

I guess I'm hitting the authentication bug in Dogtag. It is supposed to
be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2?
We might need a new 10.2.7 build.


I am not sure which version has it fixed, Endi ?


PKI ticket #1580 was fixed in pki-core-10.2.6-10 for F23 and F24. We
never released a pki-core-10.2.7. I suppose that is a custom build?



Yes it is a custom build[4].

It was advertised that #1414[1] would be in PKI 10.2.7 but it was
later included in 10.2.6-5. I don't know what the plan is for 10.2.7.


Required patch for the discussed issue #1580[2] is included in 10.2.6-10

So I propose to change the requires - patch attached, remove the 10.2.7 custom
build from the mkosek/freeipa-master repo and add a new build (for f22) based
on pki-core-10.2.6-10.fc23 from koji[3].



[1] https://fedorahosted.org/pki/ticket/1414
[2] https://fedorahosted.org/pki/ticket/1580
[3] http://koji.fedoraproject.org/koji/buildinfo?buildID=689985
[4] https://copr.fedoraproject.org/coprs/mkosek/freeipa-master/build/121544/
--
Petr Vobornik
From 2be7d8462fcebe4685288be8f8f5575bec108ed3 Mon Sep 17 00:00:00 2001
From: Petr Vobornik 
Date: Thu, 22 Oct 2015 12:55:54 +0200
Subject: [PATCH] change pki-core required version for replica promotion

Required PKI changes, namely:
  https://fedorahosted.org/pki/ticket/1414
  https://fedorahosted.org/pki/ticket/1580

are included in pki-core 10.2.6-5 resp. 10.2.6-10.

10.2.7 does not exist yet.
---
 freeipa.spec.in | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index 6e8b74a70fe678ec53da0fb03196846093910720..6a993088b16d6af9cb967775e145b712e9414b75 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -141,8 +141,8 @@ Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= 0.54.2-1
-Requires: pki-ca >= 10.2.7
-Requires: pki-kra >= 10.2.7
+Requires: pki-ca >= 10.2.6-10
+Requires: pki-kra >= 10.2.6-10
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1
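Review bot: the new floors `Requires: pki-ca >= 10.2.6-10` and `Requires: pki-kra >= 10.2.6-10` pin a Fedora release number rather than an upstream version, and the spec carries no comment saying why; add a short comment next to these two lines naming the tickets that force the floor (PKI #1414, fixed in 10.2.6-5, and #1580, fixed in 10.2.6-10) so the requirement can be relaxed to a plain upstream version once 10.2.7 exists. As written the change is correct: RPM compares the release part, so 10.2.6-10.fc22 and 10.2.6-10.fc23 both satisfy it and the non-existent 10.2.7 is no longer demanded.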
-- 
2.4.3


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-22 Thread Martin Babinsky

On 10/22/2015 02:01 PM, Petr Vobornik wrote:

On 10/22/2015 01:30 PM, Martin Babinsky wrote:

On 10/21/2015 09:27 PM, Simo Sorce wrote:


snip





Thanks, ACK for patch 551-6.

I will continue the review of patch 552 when we'll have a dogtag build
with fix for https://fedorahosted.org/pki/ticket/1580 in copr repo.



Martin, could you try it with the plan outlined in
http://www.redhat.com/archives/freeipa-devel/2015-October/msg00342.html

with a copr build:

https://copr.fedoraproject.org/coprs/pvoborni/freeipa-test/build/129440/


I'm on it.

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-22 Thread Martin Babinsky

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.





Patch 552-1 ACK.

BTW our combined reviewer/patch splitter skills broke master build today 
(see https://fedorahosted.org/freeipa/ticket/5393) so this patch should 
probably be pushed ASAP.


--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-22 Thread Martin Basti



On 22.10.2015 17:51, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.





Patch 552-1 ACK.

BTW our combined reviewer/patch splitter skills broke master build 
today (see https://fedorahosted.org/freeipa/ticket/5393) so this patch 
should probably be pushed ASAP.



Pushed to master: bc39cc9f813c35ba603b45c7dc5e9c5ba2be5743



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-22 Thread Simo Sorce

On 22/10/15 11:54, Martin Basti wrote:



On 22.10.2015 17:51, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.





Patch 552-1 ACK.

BTW our combined reviewer/patch splitter skills broke master build
today (see https://fedorahosted.org/freeipa/ticket/5393) so this patch
should probably be pushed ASAP.


Pushed to master: bc39cc9f813c35ba603b45c7dc5e9c5ba2be5743



Thanks a lot to all involved in this review and in helping me produce 
and test this work.
It was a sizeable amount of work and I am happy we were able to get it 
in relatively smoothly.


Thanks all.
Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-21 Thread Martin Babinsky

On 10/20/2015 07:24 PM, Simo Sorce wrote:

On 20/10/15 06:32, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.




NACK, in patch 551 you add a test for a non-existent CLI option into the main
method:

@@ -198,10 +251,20 @@ def main():
  if os.geteuid() != 0:
  sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 'created_ccache_file',
None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass

I guess you wanted to add a '--replica' option to the CA installer but
since it was not added to the option parser the installer explodes.

# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'replica'



The attached patch should address this problem now.

Simo.



Thanks, the patch enables CA install on promoted replica.

I have one minor nitpick though:

When running ipa-ca-install on a domain level 0 replica w/o replica file,
the installer issues the following error:


# ipa-ca-install
Replica file None does not exist

I guess you should separately handle the case when no replica file is 
specified and issue a corresponding error message like "A replica file 
is required".


--
Martin^3 Babinsky

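As an added illustration (not FreeIPA's own code; the names `parse_args`, `select_mode`, `run_install`, `ccache_present` and `ReplicaFileRequired` are hypothetical), a minimal Python model of the three points raised in the exchange above: only options registered with the parser exist as attributes of optparse's Values object, a missing replica file on domain level 0 gets its own explicit error instead of "Replica file None does not exist", and a temporary credential cache is removed in `finally` even when the install step fails.

```python
import optparse
import os
import tempfile


class ReplicaFileRequired(Exception):
    """Raised when a domain level 0 replica install has no usable replica file."""


def parse_args(argv):
    """Parse the installer command line (hypothetical, modelled on the thread).

    Only options registered with add_option() become attributes of the
    returned Values object; testing an unregistered one, as the quoted
    main() hunk did with options.replica, raises AttributeError.
    """
    parser = optparse.OptionParser(usage="%prog [options] [REPLICA_FILE]")
    # The one option the reviewed patch actually registers.
    parser.add_option("-P", "--principal", dest="principal", default=None,
                      help="User allowed to manage replicas")
    options, args = parser.parse_args(argv)
    filename = args[0] if args else None
    return options, filename


def select_mode(domain_level, filename):
    """Return 'promote' or 'replica-file', or raise ReplicaFileRequired.

    At domain level > 0 the CA is installed on an already promoted replica
    and no replica file is needed. At level 0 the file is mandatory, and a
    missing file is reported separately from a file that does not exist.
    """
    if domain_level > 0:
        return "promote"
    if filename is None:
        raise ReplicaFileRequired("A replica file is required")
    if not os.path.isfile(filename):
        raise ReplicaFileRequired("Replica file %s does not exist" % filename)
    return "replica-file"


def ccache_present(path):
    """Helper for callers to check whether a credential cache file still exists."""
    return os.path.isfile(path)


def run_install(domain_level, filename, install):
    """Create a temporary credential cache, call install(mode, ccache_path)
    and always remove the cache afterwards, like the finally: block in the
    reviewed hunk. Returns (install_result, ccache_path)."""
    fd, ccache = tempfile.mkstemp(prefix="ipa-ca-install-ccache-")
    os.close(fd)
    try:
        mode = select_mode(domain_level, filename)
        return install(mode, ccache), ccache
    finally:
        try:
            os.unlink(ccache)
        except OSError:
            # Already gone: cleanup must never mask the installer's own error.
            pass


if __name__ == "__main__":
    opts, replica_file = parse_args(["-P", "admin"])
    result, cache = run_install(1, replica_file, lambda mode, cc: mode)
    print("mode=%s ccache_removed=%s" % (result, not ccache_present(cache)))
```

The two error messages in `select_mode` are the ones discussed in the thread; the point of the `filename is None` check is that it runs before the existence check, so the level 0 path never formats `None` into a path message.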


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-21 Thread Simo Sorce

On 21/10/15 11:46, Martin Babinsky wrote:

On 10/20/2015 07:24 PM, Simo Sorce wrote:

On 20/10/15 06:32, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.




NACK, in patch 551 you add a test for a non-existent CLI option into the main
method:

@@ -198,10 +251,20 @@ def main():
  if os.geteuid() != 0:
  sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 'created_ccache_file',
None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass

I guess you wanted to add a '--replica' option to the CA installer but
since it was not added to the option parser the installer explodes.

# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'replica'



The attached patch should address this problem now.

Simo.



Thanks, the patch enables CA install on promoted replica.

I have one minor nitpick though:

When running ipa-ca-install on a domain level 0 replica w/o replica file,
the installer issues the following error:

# ipa-ca-install
Replica file None does not exist

I guess you should separately handle the case when no replica file is
specified and issue a corresponding error message like "A replica file
is required".


Done.
Simo.


--
Simo Sorce * Red Hat, Inc * New York
From eedaa293c242807ef0e8b5d7135df51ecd1cdbe9 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 20 Aug 2015 17:10:23 -0400
Subject: [PATCH] Allow ipa-ca-install to use the new promotion code

This makes it possible to install a CA after-the-fact on a server
that has been promoted (and has no replica file available).

Signed-off-by: Simo Sorce 
---
 install/tools/ipa-ca-install | 134 ++-
 ipaserver/install/ca.py  |   2 -
 2 files changed, 94 insertions(+), 42 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d0304d4e189b133c495b75f200b04e2988..4130b0220aec6d27fcb7cb6ba74d21ee11ec3190 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -21,12 +21,16 @@
 import sys
 import os
 import shutil
+import tempfile
 from ipapython import ipautil
 
 from ipaserver.install import installutils
 from ipaserver.install import certs
 from ipaserver.install.installutils import create_replica_config
+from ipaserver.install.installutils import check_creds, ReplicaConfig
 from ipaserver.install import dsinstance, ca
+from ipaserver.install import cainstance, custodiainstance
+from ipapython import dogtag
 from ipapython import version
 from ipalib import api
 from ipapython.dn import DN
@@ -67,6 +71,8 @@ def parse_options():
   type="choice",
   choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
   help="Signing algorithm of the IPA CA certificate")
+parser.add_option("-P", "--principal", dest="principal", sensitive=True,
+  default=None, help="User allowed to manage replicas")
 
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
@@ -101,20 +107,18 @@ def get_dirman_password():
 
 
 def install_replica(safe_options, options, filename):
-standard_logging_setup(log_file_name, debug=options.debug)
-
-root_logger.debug('%s was invoked with argument "%s" and options: %s',
-sys.argv[0], filename, safe_options)
-root_logger.debug('IPA version %s', version.VENDOR_VERSION)
-
-if not ipautil.file_exists(filename):
-sys.exit("Replica file %s does not exist" % filename)
-
-if not dsinstance.DsInstance().is_configured():
-sys.exit("IPA server is not configured on this system.\n")
-
-api.bootstrap(in_server=True)
-api.finalize()
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > 0:
+options.promote = True
+else:
+options.promote = False
+if filenmae is None:
+sys.exit("A replica file is required")
+if not ipautil.file_exists(filename):
+
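Review bot: `if filenmae is None:` misspells `filename`, so on a domain level 0 install without a replica file this branch raises NameError instead of exiting with the intended "A replica file is required" message; rename it to `filename`. The ordering itself is right: the None check now precedes `ipautil.file_exists(filename)`, which is what prevents the "Replica file None does not exist" output reported earlier in the thread.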

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-21 Thread Simo Sorce

On 21/10/15 15:24, Simo Sorce wrote:

On 21/10/15 11:46, Martin Babinsky wrote:

On 10/20/2015 07:24 PM, Simo Sorce wrote:

On 20/10/15 06:32, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for
details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.




NACK, in patch 551 you add a test for a non-existent CLI option into the main
method:

@@ -198,10 +251,20 @@ def main():
  if os.geteuid() != 0:
  sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 'created_ccache_file',
None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass

I guess you wanted to add a '--replica' option to the CA installer but
since it was not added to the option parser the installer explodes.

# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'replica'



The attached patch should address this problem now.

Simo.



Thanks, the patch enables CA install on promoted replica.

I have one minor nitpick though:

When running ipa-ca-install on a domain level 0 replica w/o replica file,
the installer issues the following error:

# ipa-ca-install
Replica file None does not exist

I guess you should separately handle the case when no replica file is
specified and issue a corresponding error message like "A replica file
is required".


Done.
Simo.


Scratch this, it contains a typo, see attached.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From 85cb09df61ace1f663f7ca4ee18f149c7f70601d Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 20 Aug 2015 17:10:23 -0400
Subject: [PATCH] Allow ipa-ca-install to use the new promotion code

This makes it possible to install a CA after-the-fact on a server
that has been promoted (and has no replica file available).

Signed-off-by: Simo Sorce 
---
 install/tools/ipa-ca-install | 134 ++-
 ipaserver/install/ca.py  |   2 -
 2 files changed, 94 insertions(+), 42 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d0304d4e189b133c495b75f200b04e2988..192e3a6e1f635af64bd80af4a4ec616956b0a5e9 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -21,12 +21,16 @@
 import sys
 import os
 import shutil
+import tempfile
 from ipapython import ipautil
 
 from ipaserver.install import installutils
 from ipaserver.install import certs
 from ipaserver.install.installutils import create_replica_config
+from ipaserver.install.installutils import check_creds, ReplicaConfig
 from ipaserver.install import dsinstance, ca
+from ipaserver.install import cainstance, custodiainstance
+from ipapython import dogtag
 from ipapython import version
 from ipalib import api
 from ipapython.dn import DN
@@ -67,6 +71,8 @@ def parse_options():
   type="choice",
   choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
   help="Signing algorithm of the IPA CA certificate")
+parser.add_option("-P", "--principal", dest="principal", sensitive=True,
+  default=None, help="User allowed to manage replicas")
 
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
@@ -101,20 +107,18 @@ def get_dirman_password():
 
 
 def install_replica(safe_options, options, filename):
-standard_logging_setup(log_file_name, debug=options.debug)
-
-root_logger.debug('%s was invoked with argument "%s" and options: %s',
-sys.argv[0], filename, safe_options)
-root_logger.debug('IPA version %s', version.VENDOR_VERSION)
-
-if not ipautil.file_exists(filename):
-sys.exit("Replica file %s does not exist" % filename)
-
-if not dsinstance.DsInstance().is_configured():
-sys.exit("IPA server is not configured on this system.\n")
-
-api.bootstrap(in_server=True)
-api.finalize()
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > 0:
+options.promote = True
+else:
+options.promote = False
+if filename is None:
+
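Review bot: `standard_logging_setup(log_file_name, debug=options.debug)` and the two `root_logger.debug` lines are removed from `install_replica()` and nothing in this hunk re-adds them; the diffstat (+94/-42 on ipa-ca-install) suggests they moved to `main()` below the visible part of the diff, which is worth confirming so the replica path still writes /var/log/ipareplica-ca-install.log, the file every "Unexpected error" message in this thread points users to. The same applies to the dropped `dsinstance.DsInstance().is_configured()` guard and `api.bootstrap(in_server=True)`/`api.finalize()` calls, since `dsinstance.get_domain_level(api)` on the first added line needs a finalized api.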

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-20 Thread Martin Babinsky

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.



NACK, in patch 551 you add a test for a non-existent CLI option into the main
method:


@@ -198,10 +251,20 @@ def main():
 if os.geteuid() != 0:
 sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 'created_ccache_file', None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass
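Review bot: `options.replica` on the `if options.replica or filename is not None:` line is read from optparse's Values object, but no `--replica` option is registered in `parse_options()` by this patch, so `main()` fails with `AttributeError: Values instance has no attribute 'replica'` before any install code runs; either register the option or derive the replica/master decision from the server's own state. The `finally` block is sound as written: `getattr(options, 'created_ccache_file', None)` tolerates the attribute being absent, and swallowing `OSError` on `os.unlink` keeps cleanup from masking the installer's own error.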

I guess you wanted to add a '--replica' option to the CA installer but
since it was not added to the option parser the installer explodes.


# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'replica'

--
Martin^3 Babinsky



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-20 Thread Simo Sorce

On 20/10/15 06:32, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.




NACK, in patch 551 you add a test for a non-existent CLI option into the main
method:

@@ -198,10 +251,20 @@ def main():
  if os.geteuid() != 0:
  sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 'created_ccache_file',
None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass

I guess you wanted to add a '--replica' option to the CA installer but
since it was not added to the option parser the installer explodes.

# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'replica'


Argh! Sorry,
this use was exactly one of the reasons I had to introduce the --replica
switch. I will have to rework a bunch of code to detect if we are a
replica or a master; I will hopefully have a revised patch in a few hours.


Simo.


--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-20 Thread Simo Sorce

On 20/10/15 06:32, Martin Babinsky wrote:

On 10/15/2015 08:14 PM, Simo Sorce wrote:

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.




NACK, in patch 551 you add a test for a non-existent CLI option into the main
method:

@@ -198,10 +251,20 @@ def main():
  if os.geteuid() != 0:
  sys.exit("\nYou must be root to run this script.\n")

-if filename is not None:
-install_replica(safe_options, options, filename)
-else:
-install_master(safe_options, options)
+try:
+if options.replica or filename is not None:
+install_replica(safe_options, options, filename)
+else:
+install_master(safe_options, options)
+
+finally:
+# Clean up if we created custom credentials
+created_ccache_file = getattr(options, 'created_ccache_file',
None)
+if created_ccache_file is not None:
+try:
+os.unlink(created_ccache_file)
+except OSError:
+pass

I guess you wanted to add a '--replica' option to the CA installer but
since it was not added to the option parser the installer explodes.

# ipa-ca-install

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'replica'



The attached patch should address this problem now.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
From 5d5de8c3e1c6d5ce24dd9860e112547bb8705612 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 20 Aug 2015 17:10:23 -0400
Subject: [PATCH] Allow ipa-ca-install to use the new promotion code

This makes it possible to install a CA after-the-fact on a server
that has been promoted (and has no replica file available).

Signed-off-by: Simo Sorce 
---
 install/tools/ipa-ca-install | 132 ++-
 ipaserver/install/ca.py  |   2 -
 2 files changed, 92 insertions(+), 42 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d0304d4e189b133c495b75f200b04e2988..0a76b3dd32a7673a2bbe81c1659d38a700be13da 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -21,12 +21,16 @@
 import sys
 import os
 import shutil
+import tempfile
 from ipapython import ipautil
 
 from ipaserver.install import installutils
 from ipaserver.install import certs
 from ipaserver.install.installutils import create_replica_config
+from ipaserver.install.installutils import check_creds, ReplicaConfig
 from ipaserver.install import dsinstance, ca
+from ipaserver.install import cainstance, custodiainstance
+from ipapython import dogtag
 from ipapython import version
 from ipalib import api
 from ipapython.dn import DN
@@ -67,6 +71,8 @@ def parse_options():
   type="choice",
   choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
   help="Signing algorithm of the IPA CA certificate")
+parser.add_option("-P", "--principal", dest="principal", sensitive=True,
+  default=None, help="User allowed to manage replicas")
 
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
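Review bot: `sensitive=True` on the new `-P/--principal` option masks the principal in `safe_options`, and therefore in the invocation line the installer logs; unlike a password, the principal name is not a secret, and having it in the log is what lets an admin see which identity a failed credential acquisition used, so consider registering it without `sensitive=True`.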
@@ -101,20 +107,16 @@ def get_dirman_password():
 
 
 def install_replica(safe_options, options, filename):
-standard_logging_setup(log_file_name, debug=options.debug)
-
-root_logger.debug('%s was invoked with argument "%s" and options: %s',
-sys.argv[0], filename, safe_options)
-root_logger.debug('IPA version %s', version.VENDOR_VERSION)
-
-if not ipautil.file_exists(filename):
-sys.exit("Replica file %s does not exist" % filename)
-
-if not dsinstance.DsInstance().is_configured():
-sys.exit("IPA server is not configured on this system.\n")
-
-api.bootstrap(in_server=True)
-api.finalize()
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > 0:
+options.promote = True
+else:
+options.promote = False
+if not ipautil.file_exists(filename):
+sys.exit("Replica file %s does not exist" % filename)
+
+# Check if we have admin creds already, otherwise acquire them
+check_creds(options, api.env.realm)
 
 # get the directory manager password
 dirman_password = options.password
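Review bot: `dsinstance.get_domain_level(api)` is now the first statement of `install_replica()`, yet the same hunk removes `api.bootstrap(in_server=True)` and `api.finalize()` (together with the `DsInstance().is_configured()` guard and `standard_logging_setup()`) from the function, so the call only works if the caller performs that setup before invoking `install_replica()`; nothing in this patch shows where those calls moved, so please confirm, and keep the removed `root_logger.debug(...)` line that records the invocation arguments somewhere, since it is what makes `/var/log/ipareplica-ca-install.log` useful afterwards. Separately, when `domain_level > 0` a `filename` passed on the command line is silently ignored instead of being rejected the way ipa-replica-install now rejects it (`Can't install replica from a replica file at domain level > 0`).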
@@ -132,13 +134,36 @@ def install_replica(safe_options, options, filename):
 options.unattended:
 sys.exit('admin password required')
 
-config = create_replica_config(dirman_password, filename, options)
+if options.promote:
+config = ReplicaConfig()
+config.master_host_name = None
+

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-16 Thread Endi Sukma Dewata

On 10/15/2015 9:54 AM, Simo Sorce wrote:

3) ipa-ca-install fails with:

Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 445, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 435, in run_step
 method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
631, in __spawn_instance
 DogtagInstance.spawn_instance(self, cfg_file)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 185, in spawn_instance
 self.handle_setup_error(e)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 448, in handle_setup_error
 raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

I guess I'm hitting the authentication bug in Dogtag. It is supposed to
be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2?
We might need a new 10.2.7 build.


I am not sure which version has it fixed, Endi ?


PKI ticket #1580 was fixed in pki-core-10.2.6-10 for F23 and F24. We 
never released a pki-core-10.2.7. I suppose that is a custom build?


--
Endi S. Dewata

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-15 Thread Jan Cholasta

On 15.10.2015 12:00, Petr Vobornik wrote:

On 10/15/2015 10:45 AM, Jan Cholasta wrote:

On 23.9.2015 19:47, Simo Sorce wrote:

On Wed, 2015-09-23 at 08:35 +0200, Jan Cholasta wrote:

What I mean is that installing a replica using an already existing
replica file should be prevented at level 1 as well:

root@ipa1# ipa-server-install --domain-level=0
root@ipa1# ipa-replica-prepare ipa2.example.com
root@ipa1# ipa domainlevel-set 1

root@ipa2# ipa-replica-install replica-info-ipa2.example.com.gpg
ERROR: Can't install replica from a replica file at domain level > 0


Ok I rebased the patchset with a modification to assume promotion if no
file was provided, and then raise appropriate RuntimeErrors if
conditions about the domain level are not met.

This change also prevents installing with a replica file if domain level
is currently at 1.

They are in the usual custodia-review branch.


"Add ipa-custodia service": functional ACK

1) freeipa-python is still missing BuildRequires and Requires on
python-jwcrypto:

On 23.9.2015 08:35, Jan Cholasta wrote:

On 23.9.2015 02:47, Simo Sorce wrote:

On Tue, 2015-09-22 at 10:57 -0400, Simo Sorce wrote:

On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:

1) python-jwcrypto dependency is missing in the spec file.


It shouldn't be necessary as custodia already depends on it.


IMO it is a good practice to require all direct dependencies, because
you can't control indirect dependencies. For example, if one day
custodia switched from jwcrypto to something different, ipa would lose
the jwcrypto dependency without us knowing.



"Require a DS version that has working DNA plugin": ACK


"Implement replica promotion functionality":

1) You should handle NotFound for the find_entries() call in
cainstance.find_ca_server().

2) You can remove ReplicaCA and ReplicaDNS classes as they are unused.

3) I'm getting this on domain level 0 client:

# ipa-replica-install
Password for ad...@abc.idm.lab.eng.brq.redhat.com:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968):
Unspecified GSS failure. Minor code may provide more information, Minor
(2529639053): No Kerberos credentials available

It comes from the "Try out authentication" conn.connect() in
promote_check(), because it is missing the ccache kwarg.


"Change DNS installer code to use passed in api": ACK


"Allow ipa-replica-conncheck to use default creds":

1) ipa-replica-install prompts for admin password twice during
connection check:

 Get credentials to log in to remote master
 Check SSH connection to remote master
 ad...@vm-137.abc.idm.lab.eng.brq.redhat.com's password:
 Execute check on remote master
 ad...@vm-137.abc.idm.lab.eng.brq.redhat.com's password:


"Add function to extract CA certs for install": ACK


"topology: manage ca replication agreements": functional ACK

1) This 20-replication.update bit does not seem to be related to the
patch:

# add IPA realm managed suffix to master entry
dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
add: objectclass: ipaReplTopoManagedServer
add: ipaReplTopoManagedSuffix: $SUFFIX

Why is it included? (Petr?)


I believe this could be sent as a separate patch. It was included during
tuning of update and is not related to replica promotion nor managing of
CA agreements.


(reference: 
)






2) In update_ca_topology, call CAInstance.__update_topology() instead of
copy & pasting the code.


"enable topology plugin on upgrade": ACK


"topology plugin configuration workaround": ACK


"handle multiple managed suffixes": ACK


"prevent operation on tombstones": ACK


"Allow to setup the CA when promoting a replica": ACK


"Make checks for existing credentials reusable": ACK


"Add low level helper to get domain level": ACK


To speed things up, I fixed the issues I found in the patches above, to 
be able to push them.


Pushed to master: 6a0087aea176d1e1154b359fa262066896d663e3




"Allow ipa-ca-install to use the new promotion code":

1) The --replica option was not removed:

On 22.9.2015 10:45, Jan Cholasta wrote:

1) The --replica option is redundant. You can safely decide whether this
is the first CA master or not based on information in cn=masters.


2) ipa-ca-install prompts for both admin and DM password:

# ipa-ca-install -r
Password for ad...@abc.idm.lab.eng.brq.redhat.com:
Directory Manager (existing master) password:

DM password should not be required, right?

3) ipa-ca-install fails with:

Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 445, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 435, in run_step
 method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
631, in __spawn_instance
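The domain-level rule discussed at the top of this message (assume promotion when no replica file is given, reject a replica file once the domain level is above 0, insist on an existing file at level 0), as an added example that is not FreeIPA's code; `select_install_mode`, `rejection_reason` and `InstallModeError` are hypothetical names.

```python
"""Choose between a replica-file install and promotion from the domain level.

Added example, not FreeIPA's own code: it models the rule discussed in the
thread (promotion is assumed when no replica file is given; a replica file
at domain level > 0 is rejected; at level 0 the file is mandatory and must
exist).  select_install_mode and InstallModeError are hypothetical names.
"""
import os


class InstallModeError(RuntimeError):
    """The requested install mode conflicts with the domain level."""


def select_install_mode(domain_level, replica_file=None,
                        file_exists=os.path.exists):
    """Return 'promote' or 'replica-file', or raise InstallModeError.

    domain_level -- integer read from the existing master: 0 means the
                    legacy ipa-replica-prepare flow, >0 means promotion
                    with admin credentials.
    replica_file -- path given on the command line, or None.
    file_exists  -- injectable so the check can be exercised without files.
    """
    if domain_level < 0:
        raise ValueError("domain level must be >= 0, got %r" % domain_level)

    if replica_file is None:
        # No file: assume promotion, which needs domain level >= 1.
        if domain_level == 0:
            raise InstallModeError(
                "Domain level 0 requires a replica file; run "
                "ipa-replica-prepare on an existing master first")
        return "promote"

    # A file was supplied: under the rule Jan asks for above it is only
    # accepted while the domain is still at level 0.
    if domain_level > 0:
        raise InstallModeError(
            "Can't install replica from a replica file at domain level > 0")
    if not file_exists(replica_file):
        raise InstallModeError("Replica file %s does not exist" % replica_file)
    return "replica-file"


def rejection_reason(domain_level, replica_file=None,
                     file_exists=os.path.exists):
    """Helper for checks: the error message, or None when the mode is accepted."""
    try:
        select_install_mode(domain_level, replica_file, file_exists)
    except InstallModeError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Reproduces the transcript above: file prepared at level 0, then the
    # level raised to 1 before the replica was installed from that file.
    print(rejection_reason(1, "replica-info-ipa2.example.com.gpg",
                           file_exists=lambda _path: True))
```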
 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-15 Thread Simo Sorce
Commenting only on the 2 remaining patches that need to be committed, 
inline.


On 15/10/15 04:45, Jan Cholasta wrote:

On 23.9.2015 19:47, Simo Sorce wrote:



"Allow ipa-ca-install to use the new promotion code":

1) The --replica option was not removed:


Will do, thanks for spotting.


On 22.9.2015 10:45, Jan Cholasta wrote:

1) The --replica option is redundant. You can safely decide whether this
is the first CA master or not based on information in cn=masters.


2) ipa-ca-install prompts for both admin and DM password:

# ipa-ca-install -r
Password for ad...@abc.idm.lab.eng.brq.redhat.com:
Directory Manager (existing master) password:

DM password should not be required, right?


Unfortunately, if you install the CA in a separate step we still need to 
ask for the DM password, because dogtag uses simple binds over ldaps:// 
and not ldapi://. We do not need that if you pass --setup-ca, because we 
generate a random DM password and replace it with the hash obtained from 
the existing master only after all components are installed.



3) ipa-ca-install fails with:

Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 445, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 435, in run_step
 method()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line
631, in __spawn_instance
 DogtagInstance.spawn_instance(self, cfg_file)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 185, in spawn_instance
 self.handle_setup_error(e)
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/dogtaginstance.py",
line 448, in handle_setup_error
 raise RuntimeError("%s configuration failed." % self.subsystem)
RuntimeError: CA configuration failed.

I guess I'm hitting the authentication bug in Dogtag. It is supposed to
be fixed in pki-core-10.2.6-10, but is it fixed in pki-core-10.2.7-0.2?
We might need a new 10.2.7 build.


I am not sure which version has it fixed, Endi ?



1) ipa-kra-install fails with:

Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line
171, in execute
 return_value = self.run()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
line 220, in run
 self._run()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_kra_install.py",
line 200, in _run
 if config.subject_base is None:
AttributeError: 'NoneType' object has no attribute 'subject_base'



I need to find out why this stopped working, will post a patch asap.

Simo.

--
Simo Sorce * Red Hat, Inc * New York




Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-15 Thread Martin Basti



On 15.10.2015 14:29, Jan Cholasta wrote:

On 15.10.2015 12:00, Petr Vobornik wrote:

On 10/15/2015 10:45 AM, Jan Cholasta wrote:

On 23.9.2015 19:47, Simo Sorce wrote:

On Wed, 2015-09-23 at 08:35 +0200, Jan Cholasta wrote:

What I mean is that installing a replica using an already existing
replica file should be prevented at level 1 as well:

root@ipa1# ipa-server-install --domain-level=0
root@ipa1# ipa-replica-prepare ipa2.example.com
root@ipa1# ipa domainlevel-set 1

root@ipa2# ipa-replica-install replica-info-ipa2.example.com.gpg
ERROR: Can't install replica from a replica file at domain level > 0


Ok I rebased the patchset with a modification to assume promotion if no
file was provided, and then raise appropriate RuntimeErrors if
conditions about the domain level are not met.

This change also prevents installing with a replica file if domain level
is currently at 1.

They are in the usual custodia-review branch.


"Add ipa-custodia service": functional ACK

1) freeipa-python is still missing BuildRequires and Requires on
python-jwcrypto:

On 23.9.2015 08:35, Jan Cholasta wrote:

On 23.9.2015 02:47, Simo Sorce wrote:

On Tue, 2015-09-22 at 10:57 -0400, Simo Sorce wrote:

On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:

1) python-jwcrypto dependency is missing in the spec file.


It shouldn't be necessary as custodia already depends on it.


IMO it is a good practice to require all direct dependencies, because
you can't control indirect dependencies. For example, if one day
custodia switched from jwcrypto to something different, ipa would lose
the jwcrypto dependency without us knowing.



"Require a DS version that has working DNA plugin": ACK


"Implement replica promotion functionality":

1) You should handle NotFound for the find_entries() call in
cainstance.find_ca_server().

2) You can remove ReplicaCA and ReplicaDNS classes as they are unused.

3) I'm getting this on domain level 0 client:

# ipa-replica-install
Password for ad...@abc.idm.lab.eng.brq.redhat.com:
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR Major (851968):
Unspecified GSS failure. Minor code may provide more information, Minor
(2529639053): No Kerberos credentials available

It comes from the "Try out authentication" conn.connect() in
promote_check(), because it is missing the ccache kwarg.


"Change DNS installer code to use passed in api": ACK


"Allow ipa-replica-conncheck to use default creds":

1) ipa-replica-install prompts for admin password twice during
connection check:

 Get credentials to log in to remote master
 Check SSH connection to remote master
 ad...@vm-137.abc.idm.lab.eng.brq.redhat.com's password:
 Execute check on remote master
 ad...@vm-137.abc.idm.lab.eng.brq.redhat.com's password:


"Add function to extract CA certs for install": ACK


"topology: manage ca replication agreements": functional ACK

1) This 20-replication.update bit does not seem to be related to the
patch:

# add IPA realm managed suffix to master entry
dn: cn=$FQDN,cn=masters,cn=ipa,cn=etc,$SUFFIX
add: objectclass: ipaReplTopoManagedServer
add: ipaReplTopoManagedSuffix: $SUFFIX

Why is it included? (Petr?)


I believe this could be sent as a separate patch. It was included during
tuning of update and is not related to replica promotion nor managing of
CA agreements.


(reference: 
)






2) In update_ca_topology, call CAInstance.__update_topology() instead of
copy & pasting the code.


"enable topology plugin on upgrade": ACK


"topology plugin configuration workaround": ACK


"handle multiple managed suffixes": ACK


"prevent operation on tombstones": ACK


"Allow to setup the CA when promoting a replica": ACK


"Make checks for existing credentials reusable": ACK


"Add low level helper to get domain level": ACK


To speed things up, I fixed the issues I found in the patches above, 
to be able to push them.


Pushed to master: 6a0087aea176d1e1154b359fa262066896d663e3


Upgrade does not work:

https://fedorahosted.org/freeipa/ticket/5374

Martin





"Allow ipa-ca-install to use the new promotion code":

1) The --replica option was not removed:

On 22.9.2015 10:45, Jan Cholasta wrote:
1) The --replica option is redundant. You can safely decide whether this
is the first CA master or not based on information in cn=masters.


2) ipa-ca-install prompts for both admin and DM password:

# ipa-ca-install -r
Password for ad...@abc.idm.lab.eng.brq.redhat.com:
Directory Manager (existing master) password:

DM password should not be required, right?

3) ipa-ca-install fails with:

Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 445, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py",
line 435, 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-15 Thread Simo Sorce

On 15/10/15 11:39, Martin Basti wrote:

Without this patch the ipa-ca-install is broken in current master.
Unexpected error - see /var/log/ipareplica-ca-install.log for details:
AttributeError: Values instance has no attribute 'promote'


Should be fixed with the attached patches.

--
Simo Sorce * Red Hat, Inc * New York
From 78ddd9c8866713de182e65595fbf9e428ba67880 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 20 Aug 2015 17:10:23 -0400
Subject: [PATCH 1/2] Allow ipa-ca-install to use the new promotion code

This makes it possible to install a CA after-the-fact on a server
that has been promoted (and has no replica file available).

Signed-off-by: Simo Sorce 
---
 install/tools/ipa-ca-install | 92 
 ipaserver/install/ca.py  |  2 -
 2 files changed, 77 insertions(+), 17 deletions(-)

diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
index 6564e4d0304d4e189b133c495b75f200b04e2988..e59f016e43c76d4bd40ad4535596a37b5edaeb6e 100755
--- a/install/tools/ipa-ca-install
+++ b/install/tools/ipa-ca-install
@@ -21,12 +21,16 @@
 import sys
 import os
 import shutil
+import tempfile
 from ipapython import ipautil
 
 from ipaserver.install import installutils
 from ipaserver.install import certs
 from ipaserver.install.installutils import create_replica_config
+from ipaserver.install.installutils import check_creds, ReplicaConfig
 from ipaserver.install import dsinstance, ca
+from ipaserver.install import cainstance, custodiainstance
+from ipapython import dogtag
 from ipapython import version
 from ipalib import api
 from ipapython.dn import DN
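Review bot: the new `from ipaserver.install.installutils import check_creds, ReplicaConfig` duplicates the import form of the `create_replica_config` line directly above it; fold both into a single `from ipaserver.install.installutils import (check_creds, create_replica_config, ReplicaConfig)` or, since `installutils` is already imported as a module two lines earlier, reference them as `installutils.check_creds` and so on. Style only.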
@@ -67,6 +71,8 @@ def parse_options():
   type="choice",
   choices=('SHA1withRSA', 'SHA256withRSA', 'SHA512withRSA'),
   help="Signing algorithm of the IPA CA certificate")
+parser.add_option("-P", "--principal", dest="principal", sensitive=True,
+  default=None, help="User allowed to manage replicas")
 
 options, args = parser.parse_args()
 safe_options = parser.get_safe_opts(options)
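Review bot: `sensitive=True` on `--principal` strips the principal from `safe_options`, which is what `root_logger.debug()` writes to the install log, but a principal name is not a secret (unlike the admin or Directory Manager password), and knowing which principal `check_creds()` tried is the first thing needed when credential acquisition fails; suggest dropping `sensitive=True` here.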
@@ -107,15 +113,24 @@ def install_replica(safe_options, options, filename):
 sys.argv[0], filename, safe_options)
 root_logger.debug('IPA version %s', version.VENDOR_VERSION)
 
-if not ipautil.file_exists(filename):
-sys.exit("Replica file %s does not exist" % filename)
-
 if not dsinstance.DsInstance().is_configured():
 sys.exit("IPA server is not configured on this system.\n")
 
 api.bootstrap(in_server=True)
 api.finalize()
 
+domain_level = dsinstance.get_domain_level(api)
+if domain_level > 0:
+options.promote = True
+else:
+options.promote = False
+if not ipautil.file_exists(filename):
+sys.exit("Replica file %s does not exist" % filename)
+
+
+# Check if we have admin creds already, otherwise acquire them
+check_creds(options, api.env.realm)
+
 # get the directory manager password
 dirman_password = options.password
 if not dirman_password:
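Review bot: in the `domain_level > 0` branch a replica file passed as `filename` is accepted and then silently ignored, whereas ipa-replica-install (per the rest of this thread) refuses a replica file at domain level > 0 with an error; to keep the two tools consistent, fail with a message when `options.promote` is true and a file was given, so an operator does not believe the file was used. Also, the hunk leaves two consecutive blank lines after `sys.exit(...)` inside the function where one is enough.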
@@ -132,13 +147,36 @@ def install_replica(safe_options, options, filename):
 options.unattended:
 sys.exit('admin password required')
 
-config = create_replica_config(dirman_password, filename, options)
+if options.promote:
+config = ReplicaConfig()
+config.master_host_name = None
+config.realm_name = api.env.realm
+config.host_name = api.env.host
+config.domain_name = api.env.domain
+config.dirman_password = dirman_password
+config.ca_ds_port = dogtag.install_constants.DS_PORT
+config.top_dir = tempfile.mkdtemp("ipa")
+config.dir = config.top_dir
+else:
+config = create_replica_config(dirman_password, filename, options)
+
 global REPLICA_INFO_TOP_DIR
 REPLICA_INFO_TOP_DIR = config.top_dir
 config.setup_ca = True
 
-api.Backend.ldap2.connect(bind_dn=DN(('cn', 'Directory Manager')),
-  bind_pw=dirman_password)
+conn = api.Backend.ldap2
+conn.connect(bind_dn=DN(('cn', 'Directory Manager')),
+bind_pw=dirman_password)
+
+if config.subject_base is None:
+attrs = conn.get_ipa_config()
+config.subject_base = attrs.get('ipacertificatesubjectbase')[0]
+
+if config.master_host_name is None:
+config.ca_host_name = cainstance.find_ca_server(api.env.ca_host, conn)
+config.master_host_name = config.ca_host_name
+else:
+config.ca_host_name = config.master_host_name
 
 options.realm_name = config.realm_name
 options.domain_name = config.domain_name
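Review bot: `tempfile.mkdtemp("ipa")` passes "ipa" as the `suffix` argument (the first positional parameter of `mkdtemp`), so the directory comes out as `/tmp/tmpXXXXXXipa`; if an `ipa`-prefixed name was intended, use `tempfile.mkdtemp(prefix="ipa")`. In the same hunk, `attrs.get('ipacertificatesubjectbase')[0]` raises a bare `TypeError` when the IPA config entry lacks the attribute (`get()` returns None), so check the value or fail with a descriptive error; and the promote branch builds an empty `ReplicaConfig()` and then relies on `config.subject_base` already existing for the `is None` test, which holds only if the class initialises it, so set `config.subject_base = None` alongside the other fields (or confirm the default) to avoid an `AttributeError` there.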
@@ -147,7 +185,22 @@ def install_replica(safe_options, options, filename):
 options.subject = config.subject_base
 
 ca.install_check(True, config, options)
-ca.install(True, config, options)
+if options.promote:
+ca_data = 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-13 Thread Jan Cholasta

On 1.10.2015 15:22, Simo Sorce wrote:

On 01/10/15 07:42, Jan Cholasta wrote:

Hi,

I have just imported python-jwcrypto, custodia and pki-core-10.2.7 into
mkosek/freeipa-master as well, to (hopefully) make things easier.

Simo, custodia failed to build F22, any idea why? See
.



On the surface it looks like a missing dependency on cffi, though I am
not sure why we'd need it, maybe the tests are downloading cryptography
to build it for non-system python versions ?


The issue is that the %autosetup macro does not apply patches on F22. I 
verified this on a F22 VM with "rpmspec -P custodia.spec". I fixed this 
by replacing "%autosetup" with "%setup -q" and "%patch -P 01 -p 1".


--
Jan Cholasta



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-13 Thread Simo Sorce

On 13/10/15 03:40, Jan Cholasta wrote:

On 1.10.2015 15:22, Simo Sorce wrote:

On 01/10/15 07:42, Jan Cholasta wrote:

Hi,

I have just imported python-jwcrypto, custodia and pki-core-10.2.7 into
mkosek/freeipa-master as well, to (hopefully) make things easier.

Simo, custodia failed to build F22, any idea why? See
.




On the surface it looks like a missing dependency on cffi, though I am
not sure why we'd need it, maybe the tests are downloading cryptography
to build it for non-system python versions ?


The issue is that the %autosetup macro does not apply patches on F22. I
verified this on a F22 VM with "rpmspec -P custodia.spec". I fixed this
by replacing "%autosetup" with "%setup -q" and "%patch -P 01 -p 1".


Ah great, thanks!

Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-07 Thread Endi Sukma Dewata

On 10/5/2015 9:33 AM, Endi Sukma Dewata wrote:

On 10/5/2015 8:47 AM, Simo Sorce wrote:

2. The second attempt after re-enrolling client resulted in the error of
CA installation:


This is due to the known bug with authentication in Dogtag. Endi fixed
it upstream.

Endi,
do you know when the bug will be released in a package we can use for
testing ?


Here is the bug: https://fedorahosted.org/pki/ticket/1580

I don't think we're ready for a Dogtag 10.3 build, so we may need to
cherry-pick it to 10.2.x. I'll check with Matt.



The fix is now available in the following build:
http://koji.fedoraproject.org/koji/buildinfo?buildID=689985

Please also provide feedback:
https://bodhi.fedoraproject.org/updates/FEDORA-2015-cea85c052a

Thanks!

--
Endi S. Dewata



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-06 Thread Jan Pazdziora
On Mon, Oct 05, 2015 at 09:47:14AM -0400, Simo Sorce wrote:
> On 05/10/15 09:42, Oleg Fayans wrote:
> >1. At one point ipa-replica-install on a configured client has thrown
> >the following error:
> >
> >Configuring ipa-custodia
> >   [1/5]: Generating ipa-custodia config file
> >   [2/5]: Generating ipa-custodia keys
> >   [3/5]: Importing RA Key
> >   [error] HTTPError: 502 Server Error: Proxy Error
> >Your system may be partly configured.
> >Run /usr/sbin/ipa-server-install --uninstall to clean up.
> >
> >ipa.ipapython.install.cli.install_tool(Replica): ERROR502 Server
> >Error: Proxy Error
> >
> >(corresponding part of the error log of dirsrv attached)
> 
> Seems like the peer server was unreachable?
> Was there a networking problem ?

I've hit the same issue, during demo today, on a third replica I was
creating. I was using four VMs on my laptop so no networking issue
should have caused that.

On the replica (being promoted), /var/log/ipareplica-install.log ends with

On the master, in the error_log, I see

[Tue Oct 06 13:22:33.196769 2015] [wsgi:error] [pid 10789] ipa: INFO: 
[jsonserver_session] ad...@example.test: 
service_add(u'HTTP/ipa-4.example.t...@example.test', version=u'2.112'): SUCCESS
[Tue Oct 06 13:22:39.231882 2015] [wsgi:error] [pid 10788] ipa: INFO: 
[xmlserver] host/ipa-4.example.t...@example.test: 
cert_request(u'[base64 certificate request elided]', 
 principal=u'HTTP/ipa-4.example.t...@example.test', add=True, version=u'2.51'): 
SUCCESS
[Tue Oct 06 13:22:47.652434 2015] [proxy_http:error] [pid 1394] (20014)Internal 
error: [client 192.168.100.229:49031] AH01102: error reading status line from 
remote server httpd-UDS:0
[Tue Oct 06 13:22:47.652476 2015] [proxy:error] [pid 1394] [client 
192.168.100.229:49031] AH00898: Error reading from remote server returned by 
/ipa/keys/ra/ipaCert
[Tue Oct 06 13:24:31.017069 2015] [wsgi:error] [pid 10789] ipa: INFO: 
[jsonserver_kerb] ad...@example.test: ping(): SUCCESS

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
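Reading the error_log lines above programmatically, as an added example that is neither the poster's nor FreeIPA's code: it parses the httpd error_log format, groups the mod_proxy AH01102/AH00898 errors by client and recovers the silent backend and the proxied path, which separates a Custodia backend that never answered from a network failure between replica and master. `SAMPLE_LOG` is constructed from the lines quoted in this message; all function names are hypothetical.

```python
"""Locate the Custodia proxy failure in an Apache error_log.

Added example, not part of the original message or of FreeIPA.  It parses
httpd error_log lines in the format quoted above, groups the mod_proxy
AH01102/AH00898 errors by client, and recovers which backend stayed silent
and which proxied path was requested.  SAMPLE_LOG is constructed from the
lines quoted in this message; all function names are hypothetical.
"""
import re
from collections import defaultdict

# "[timestamp] [module:level] [pid N] rest"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\]"
    r" \[pid (?P<pid>\d+)\] (?P<rest>.*)$")
# mod_proxy prefixes APR failures with "(errno)Internal error: "
ERRNO_RE = re.compile(r"^\((?P<errno>\d+)\)[^:]*: ")
CLIENT_RE = re.compile(r"\[client (?P<client>[^\]]+)\] ")
CODE_RE = re.compile(r"(?P<code>AH\d{5}): (?P<msg>.*)$")

# Constructed from the error_log excerpt quoted in the message above.
SAMPLE_LOG = """\
[Tue Oct 06 13:22:33.196769 2015] [wsgi:error] [pid 10789] ipa: INFO: [jsonserver_session] ad...@example.test: service_add(u'HTTP/ipa-4.example.t...@example.test', version=u'2.112'): SUCCESS
[Tue Oct 06 13:22:47.652434 2015] [proxy_http:error] [pid 1394] (20014)Internal error: [client 192.168.100.229:49031] AH01102: error reading status line from remote server httpd-UDS:0
[Tue Oct 06 13:22:47.652476 2015] [proxy:error] [pid 1394] [client 192.168.100.229:49031] AH00898: Error reading from remote server returned by /ipa/keys/ra/ipaCert
[Tue Oct 06 13:24:31.017069 2015] [wsgi:error] [pid 10789] ipa: INFO: [jsonserver_kerb] ad...@example.test: ping(): SUCCESS
"""


def parse_line(line):
    """Split one error_log line into fields; None if it is not a log line."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    rest = rec.pop("rest")
    em = ERRNO_RE.match(rest)
    rec["errno"] = int(em.group("errno")) if em else None
    cm = CLIENT_RE.search(rest)
    rec["client"] = cm.group("client") if cm else None
    km = CODE_RE.search(rest)
    rec["code"] = km.group("code") if km else None
    rec["message"] = km.group("msg") if km else rest
    return rec


def proxy_failures(log_text):
    """Group mod_proxy errors per client address.

    Returns {client: {"codes": [...], "backend": str|None, "path": str|None}}.
    mod_wsgi reports everything the IPA application writes to stderr under
    [wsgi:error], INFO lines included, so the module, not the level, is the
    filter that isolates the proxy layer.
    """
    failures = defaultdict(lambda: {"codes": [], "backend": None, "path": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["module"].startswith("proxy"):
            continue
        if rec["level"] != "error" or rec["code"] is None:
            continue
        entry = failures[rec["client"]]
        entry["codes"].append(rec["code"])
        if rec["code"] == "AH01102":
            # "... error reading status line from remote server <backend>"
            entry["backend"] = rec["message"].rsplit(" ", 1)[-1]
        elif rec["code"] == "AH00898":
            # "... Error reading from remote server returned by <path>"
            entry["path"] = rec["message"].rsplit(" ", 1)[-1]
    return dict(failures)


def custodia_backend_silent(entry):
    """True when httpd forwarded a /ipa/keys/ request and the backend sent
    no status line at all: the 502 then comes from a dead or hung
    ipa-custodia behind the UDS, not from the network to the master."""
    return ("AH01102" in entry["codes"]
            and entry["path"] is not None
            and entry["path"].startswith("/ipa/keys/"))


if __name__ == "__main__":
    for client, entry in proxy_failures(SAMPLE_LOG).items():
        verdict = "custodia backend silent" if custodia_backend_silent(entry) else ""
        print(client, entry, verdict)
```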



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-06 Thread Jan Pazdziora
On Tue, Oct 06, 2015 at 12:26:14PM -0400, Simo Sorce wrote:
> 
> Was custodia running ?
> Can you check its log file ?

/etc/ipa/custodia/custodia.conf suggests

auditlog = /var/log/ipa-custodia.audit.log

but that file does not exist at all. So either it was not running,
or it failed to create that log file.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-06 Thread Simo Sorce

On 06/10/15 11:06, Jan Pazdziora wrote:

On Mon, Oct 05, 2015 at 09:47:14AM -0400, Simo Sorce wrote:

On 05/10/15 09:42, Oleg Fayans wrote:

1. At one point ipa-replica-install on a configured client has thrown
the following error:

Configuring ipa-custodia
   [1/5]: Generating ipa-custodia config file
   [2/5]: Generating ipa-custodia keys
   [3/5]: Importing RA Key
   [error] HTTPError: 502 Server Error: Proxy Error
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR502 Server
Error: Proxy Error

(corresponding part of the error log of dirsrv attached)


Seems like the peer server was unreachable ?
Was there a networking problem ?


I've hit the same issue, during demo today, on a third replica I was
creating. I was using four VMs on my laptop so no networking issue
should have caused that.

On the replica (being promoted), /var/log/ipareplica-install.log ends with

On the master, in the error_log, I see

[Tue Oct 06 13:22:33.196769 2015] [wsgi:error] [pid 10789] ipa: INFO: 
[jsonserver_session] ad...@example.test: 
service_add(u'HTTP/ipa-4.example.t...@example.test', version=u'2.112'): SUCCESS
[Tue Oct 06 13:22:39.231882 2015] [wsgi:error] [pid 10788] ipa: INFO: 
[xmlserver] host/ipa-4.example.t...@example.test: 
cert_request(u'[...]
SDpbS6CSXm
5X9Asvlo8iu0iRFrj/CUJAyPu+M7v+lfr3VwrKErycrczt5O4xgGPGfs0XODSlwQOG57SUyQyLXdyLPJtks/ah/LkfbCevew0cjhSnjEN7RpbV6Azh05vMyzF6J7NXlRLFzDDcz099Tug4Siuwsi/Y3AD0b+IR6I1ZOfLKzzzSEu+sC32JzaVythN3TbPqjeyGy/on3JsQTlznzn2LEVVoPioyF1oHyI7hG1OheTNjCoZXgfJUp1Ftct6YhsfhzglORcbmqDL00DdCU/789G5IworCCYo=',
 principal=u'HTTP/ipa-4.example.t...@example.test', add=True, version=u'2.51'): 
SUCCESS

[Tue Oct 06 13:22:47.652434 2015] [proxy_http:error] [pid 1394] (20014)Internal 
error: [client 192.168.100.229:49031] AH01102: error reading status line from 
remote server httpd-UDS:0
[Tue Oct 06 13:22:47.652476 2015] [proxy:error] [pid 1394] [client 
192.168.100.229:49031] AH00898: Error reading from remote server returned by 
/ipa/keys/ra/ipaCert
[Tue Oct 06 13:24:31.017069 2015] [wsgi:error] [pid 10789] ipa: INFO: 
[jsonserver_kerb] ad...@example.test: ping(): SUCCESS


Was custodia running ?
Can you check its log file ?

Simo.

--
Simo Sorce * Red Hat, Inc * New York
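
The error_log excerpt quoted above pairs a proxy_http AH01102 line (the backend named httpd-UDS:0 returned no HTTP status line) with a proxy AH00898 line naming the proxied URL /ipa/keys/ra/ipaCert, and per Jan's excerpt that is the request behind the 502 the replica reports at "[3/5]: Importing RA Key". As an added example, not code from this thread or from FreeIPA, the Python below reads httpd 2.4 error_log lines and joins the two proxy lines from the same worker pid and client so the failing path and backend are reported together. The sample lines are constructed from the excerpt (e-mail wrapping removed, the obfuscated principals replaced with placeholders), and the hint in `describe()` rests on the assumption that FreeIPA's httpd proxies the /ipa/keys/ prefix to ipa-custodia over a UNIX socket.

```python
"""Pair Apache proxy error lines so a 502 can be traced to the backend path.

Added example for the freeipa-devel thread; it is not code from the thread
or from FreeIPA.  The sample log lines are constructed from Jan's error_log
excerpt (principals replaced with placeholders).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample, condensed from the thread's excerpt.
SAMPLE_LOG = """\
[Tue Oct 06 13:22:39.231882 2015] [wsgi:error] [pid 10788] ipa: INFO: [xmlserver] host/replica.example.test@EXAMPLE.TEST: cert_request(...): SUCCESS
[Tue Oct 06 13:22:47.652434 2015] [proxy_http:error] [pid 1394] (20014)Internal error: [client 192.168.100.229:49031] AH01102: error reading status line from remote server httpd-UDS:0
[Tue Oct 06 13:22:47.652476 2015] [proxy:error] [pid 1394] [client 192.168.100.229:49031] AH00898: Error reading from remote server returned by /ipa/keys/ra/ipaCert
[Tue Oct 06 13:24:31.017069 2015] [wsgi:error] [pid 10789] ipa: INFO: [jsonserver_kerb] admin@EXAMPLE.TEST: ping(): SUCCESS
"""

# httpd 2.4 error_log layout: [timestamp] [module:level] [pid N] [client A:P] msg.
# proxy_http may insert an "(errno)text:" fragment between the pid and the client.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] "
    r"\[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] "
    r"\[pid (?P<pid>\d+)\]"
    r"(?: \(\d+\)[^\[:]*:)?"
    r"\s*(?:\[client (?P<client>[^\]]+)\])?"
    r"\s*(?P<msg>.*)$"
)
AH_RE = re.compile(r"\b(AH\d{5}):")
BACKEND_RE = re.compile(r"from remote server (\S+)$")
PATH_RE = re.compile(r"returned by (\S+)$")


@dataclass
class ProxyFailure:
    timestamp: str
    client: str
    backend: str = ""            # remote server named by AH01102 (e.g. httpd-UDS:0)
    path: str = ""               # frontend URL named by AH00898
    codes: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[dict]:
    """Split one error_log line into its fields, or return None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["codes"] = AH_RE.findall(rec["msg"])
    return rec


def find_proxy_failures(log_text: str) -> List[ProxyFailure]:
    """Join each AH01102 line with the AH00898 line from the same worker and client."""
    pending: Dict[Tuple[str, str], ProxyFailure] = {}
    failures: List[ProxyFailure] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["module"] not in ("proxy", "proxy_http"):
            continue
        key = (rec["pid"], rec["client"] or "")
        if "AH01102" in rec["codes"]:
            # The backend accepted the connection but sent no HTTP status line.
            bm = BACKEND_RE.search(rec["msg"])
            pending[key] = ProxyFailure(rec["ts"], key[1],
                                        backend=bm.group(1) if bm else "",
                                        codes=["AH01102"])
        elif "AH00898" in rec["codes"]:
            # Generic proxy error naming the frontend URL that was being proxied.
            pm = PATH_RE.search(rec["msg"])
            fail = pending.pop(key, None) or ProxyFailure(rec["ts"], key[1])
            fail.path = pm.group(1) if pm else ""
            fail.codes.append("AH00898")
            failures.append(fail)
    failures.extend(pending.values())   # AH01102 with no AH00898 partner still counts
    return failures


def describe(fail: ProxyFailure) -> str:
    """One-line summary.  The /ipa/keys/ hint assumes (as stated in the lead-in)
    that FreeIPA proxies that prefix to ipa-custodia over a UNIX socket."""
    text = f"{fail.timestamp}: client {fail.client} got a proxy error for {fail.path or '?'}"
    if fail.backend:
        text += f" (backend {fail.backend} sent no status line)"
    if fail.path.startswith("/ipa/keys/"):
        text += "; check whether ipa-custodia is running and look at its audit log"
    return text


if __name__ == "__main__":
    for failure in find_proxy_failures(SAMPLE_LOG):
        print(describe(failure))
```

Run against a real error_log, the pairing keyed on (pid, client) matters because a busy master interleaves lines from several worker processes; a lone AH01102 without its AH00898 partner is still reported so it is not lost.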



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-05 Thread Jan Pazdziora
On Thu, Oct 01, 2015 at 04:33:28PM +0200, Oleg Fayans wrote:
> 
> 1.
> Having PTR sync enabled in global DNS configuration and installing client
> with --enable-dns-updates option, ipa master still does not create a PTR
> record for the client machine. As a result, ipa-replica-install throws the
> following error:
> 
> ipa : ERROR    Reverse DNS resolution of address 192.168.122.171
> (f22replica1.pesen.net) failed. Clients may not function properly. Please
> check your DNS setup. (Note that this check queries IPA DNS directly and
> ignores /etc/hosts.)

I believe you also need to have the PTR sync enabled in the forward zone
(pesen.net).

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-05 Thread Endi Sukma Dewata

On 10/5/2015 8:47 AM, Simo Sorce wrote:

2. The second attempt after re-enrolling client resulted in the error of
CA installation:

Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded

   [4/24]: creating installation admin user
   [5/24]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpHAJVFG'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more
information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
configuration failed.


This is due to the known bug with authentication in Dogtag. Endi fixed
it upstream.

Endi,
do you know when the bug will be released in a package we can use for
testing ?


Here is the bug: https://fedorahosted.org/pki/ticket/1580

I don't think we're ready for a Dogtag 10.3 build, so we may need to 
cherry-pick it to 10.2.x. I'll check with Matt.


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-05 Thread Simo Sorce

On 05/10/15 09:42, Oleg Fayans wrote:

Hi Jan, Simo

On 10/05/2015 02:15 PM, Jan Pazdziora wrote:

On Thu, Oct 01, 2015 at 04:33:28PM +0200, Oleg Fayans wrote:


1.
Having PTR sync enabled in global DNS configuration and installing
client
with --enable-dns-updates option, ipa master still does not create a PTR
record for the client machine. As a result, ipa-replica-install
throws the
following error:

ipa : ERROR    Reverse DNS resolution of address 192.168.122.171
(f22replica1.pesen.net) failed. Clients may not function properly.
Please
check your DNS setup. (Note that this check queries IPA DNS directly and
ignores /etc/hosts.)


I believe you also need to have the PTR sync enabled in the forward zone
(pesen.net).



Today I was unable to reproduce this issue with just PTR sync enabled in
global dns configuration. I wonder, what might have caused it. Anyway,
today I hit a number of other issues with replica promotion.

1. At one point ipa-replica-install on a configured client has thrown
the following error:

Configuring ipa-custodia
   [1/5]: Generating ipa-custodia config file
   [2/5]: Generating ipa-custodia keys
   [3/5]: Importing RA Key
   [error] HTTPError: 502 Server Error: Proxy Error
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    502 Server
Error: Proxy Error

(corresponding part of the error log of dirsrv attached)


Seems like the peer server was unreachable ?
Was there a networking problem ?


2. The second attempt after re-enrolling client resulted in the error of
CA installation:

Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded

   [4/24]: creating installation admin user
   [5/24]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpHAJVFG'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
configuration failed.


This is due to the known bug with authentication in Dogtag. Endi fixed
it upstream.


Endi,
do you know when the bug will be released in a package we can use for 
testing ?



Weird thing is that mentioned log files were missing in the system.

3. This is probably not related to replica promotions, but anyway:
when I do `ipa host-del --updatedns %client_hostname%` on master, it
does delete the host, but *preserves* dns records (in both zones).
Is --updatedns option not aimed at automatic deletion of dns records?


I do not know that it does help, but I tend to use --force when deleting 
a failed replica.


Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-05 Thread Oleg Fayans

Hi Jan, Simo

On 10/05/2015 02:15 PM, Jan Pazdziora wrote:

On Thu, Oct 01, 2015 at 04:33:28PM +0200, Oleg Fayans wrote:


1.
Having PTR sync enabled in global DNS configuration and installing client
with --enable-dns-updates option, ipa master still does not create a PTR
record for the client machine. As a result, ipa-replica-install throws the
following error:

ipa : ERROR    Reverse DNS resolution of address 192.168.122.171
(f22replica1.pesen.net) failed. Clients may not function properly. Please
check your DNS setup. (Note that this check queries IPA DNS directly and
ignores /etc/hosts.)


I believe you also need to have the PTR sync enabled in the forward zone
(pesen.net).



Today I was unable to reproduce this issue with just PTR sync enabled in 
global dns configuration. I wonder, what might have caused it. Anyway, 
today I hit a number of other issues with replica promotion.


1. At one point ipa-replica-install on a configured client has thrown 
the following error:


Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Generating ipa-custodia keys
  [3/5]: Importing RA Key
  [error] HTTPError: 502 Server Error: Proxy Error
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    502 Server
Error: Proxy Error


(corresponding part of the error log of dirsrv attached)

2. The second attempt after re-enrolling client resulted in the error of 
CA installation:


Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded

  [4/24]: creating installation admin user
  [5/24]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpHAJVFG'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki/pki-tomcat

  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA
configuration failed.


Weird thing is that mentioned log files were missing in the system.

3. This is probably not related to replica promotions, but anyway:
when I do `ipa host-del --updatedns %client_hostname%` on master, it 
does delete the host, but *preserves* dns records (in both zones).

Is --updatedns option not aimed at automatic deletion of dns records?

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=computers,cn=compat,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=ng,cn=compat,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
ou=sudoers,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=users,cn=compat,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=ad,cn=etc,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:46 -0400] NSACLPlugin - The ACL target cn=automember rebuild 
membership,cn=tasks,cn=config does not exist
[05/Oct/2015:04:08:46 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Oleg Fayans

Hi Ludwig,

Thank you! vakwetu/dogtag_10.2.7_test_builds was the bit that was missing

On 10/01/2015 12:29 PM, Ludwig Krispenz wrote:


On 10/01/2015 12:06 PM, Oleg Fayans wrote:

Hi Simo,

I was able to build the packages based on your git repo. However, my
attempt to install the resulting bits failed due to lack of dependencies:

pki-ca >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64
pki-kra >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64

My system has version 10.2.6 of the above packages provided by
mkosek/freeipa-master copr repo.

What is the correct repo to get 10.2.7 from?

When Simo first submitted the patches for review he also listed the
repos used:

simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

I'm not sure if all of them are still needed, e.g. for 389-ds the private
repo is no longer needed, but you can use this for missing rpms




On 09/29/2015 09:31 PM, Simo Sorce wrote:

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails
due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


This happens if you do not have custodia installed.
I guess I should make it also a BuildRequires ?


I think so, yes.


Turns out it is already there.

Simo.


Simo.


On 09/29/2015 04:54 PM, Simo Sorce wrote:

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from this
code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on
the
same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

[2] https://paste.fedoraproject.org/272672/53685114/

On 09/29/2015 03:55 PM, Simo Sorce wrote:

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this
patchset are
applied, that is why that patch was not on top of the list but
rather
down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier,
spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Oleg Fayans

Hi Simo,

I was able to build the packages based on your git repo. However, my 
attempt to install the resulting bits failed due to lack of dependencies:


pki-ca >= 10.2.7 is needed by 
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64
pki-kra >= 10.2.7 is needed by 
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64


My system has version 10.2.6 of the above packages provided by 
mkosek/freeipa-master copr repo.


What is the correct repo to get 10.2.7 from?

On 09/29/2015 09:31 PM, Simo Sorce wrote:

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails
due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


This happens if you do not have custodia installed.
I guess I should make it also a BuildRequires ?


I think so, yes.


Turns out it is already there.

Simo.


Simo.


On 09/29/2015 04:54 PM, Simo Sorce wrote:

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from this
code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on the
same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

[2] https://paste.fedoraproject.org/272672/53685114/

On 09/29/2015 03:55 PM, Simo Sorce wrote:

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this
patchset are
applied, that is why that patch was not on top of the list but
rather
down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier,
spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Ludwig Krispenz


On 10/01/2015 12:06 PM, Oleg Fayans wrote:

Hi Simo,

I was able to build the packages based on your git repo. However, my 
attempt to install the resulting bits failed due to lack of dependencies:


pki-ca >= 10.2.7 is needed by 
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64
pki-kra >= 10.2.7 is needed by 
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64


My system has version 10.2.6 of the above packages provided by 
mkosek/freeipa-master copr repo.


What is the correct repo to get 10.2.7 from?

When Simo first submitted the patches for review he also listed the 
repos used:


simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

I'm not sure if all of them are still needed, e.g. for 389-ds the private repo is 
no longer needed, but you can use this for missing rpms




On 09/29/2015 09:31 PM, Simo Sorce wrote:

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails
due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


This happens if you do not have custodia installed.
I guess I should make it also a BuildRequires ?


I think so, yes.


Turns out it is already there.

Simo.


Simo.


On 09/29/2015 04:54 PM, Simo Sorce wrote:

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from this
code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on 
the

same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review 

[2] https://paste.fedoraproject.org/272672/53685114/

On 09/29/2015 03:55 PM, Simo Sorce wrote:

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this
patchset are
applied, that is why that patch was not on top of the list but
rather
down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier,
spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Simo Sorce

On 01/10/15 07:42, Jan Cholasta wrote:

Hi,

I have just imported python-jwcrypto, custodia and pki-core-10.2.7 into
mkosek/freeipa-master as well, to (hopefully) make things easier.

Simo, custodia failed to build F22, any idea why? See
.


On the surface it looks like a missing dependency on cffi, though I am 
not sure why we'd need it, maybe the tests are downloading cryptography 
to build it for non-system python versions ?


Simo.



On 1.10.2015 12:39, Oleg Fayans wrote:

Hi Ludwig,

Thank you! vakwetu/dogtag_10.2.7_test_builds was the bit that was missing

On 10/01/2015 12:29 PM, Ludwig Krispenz wrote:


On 10/01/2015 12:06 PM, Oleg Fayans wrote:

Hi Simo,

I was able to build the packages based on your git repo. However, my
attempt to install the resulting bits failed due to lack of
dependencies:

pki-ca >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64
pki-kra >= 10.2.7 is needed by
freeipa-server-4.2.90.201510010815GITb726fa9-0.fc22.x86_64

My system has version 10.2.6 of the above packages provided by
mkosek/freeipa-master copr repo.

What is the correct repo to get 10.2.7 from?

When Simo first submitted the patches for review he also listed the
repos used:

simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

I'm not sure if all of them are still needed, e.g. for 389-ds the private
repo is no longer needed, but you can use this for missing rpms




On 09/29/2015 09:31 PM, Simo Sorce wrote:

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build
fails
due
to lint complaints:
https://paste.fedoraproject.org/272714/54174014/


This happens if you do not have custodia installed.
I guess I should make it also a BuildRequires ?


I think so, yes.


Turns out it is already there.

Simo.


Simo.


On 09/29/2015 04:54 PM, Simo Sorce wrote:

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from
this
code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on
the
same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

[2] https://paste.fedoraproject.org/272672/53685114/

On 09/29/2015 03:55 PM, Simo Sorce wrote:

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this
patchset are
applied, that is why that patch was not on top of the list but
rather
down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier,
spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Oleg Fayans
First glance at the packages built from today's tree reveals the 
following problems:


1.
Having PTR sync enabled in global DNS configuration and installing 
client with --enable-dns-updates option, ipa master still does not 
create a PTR record for the client machine. As a result, 
ipa-replica-install throws the following error:


ipa : ERROR    Reverse DNS resolution of address 192.168.122.171 
(f22replica1.pesen.net) failed. Clients may not function properly. 
Please check your DNS setup. (Note that this check queries IPA DNS 
directly and ignores /etc/hosts.)


2.
When corresponding PTR record is created manually, ipa-replica-install 
still fails:


Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    no matching 
entry found


The same error was caught by Jan Pazdziora (current discussion in #ipa 
channel)




On 08/26/2015 11:27 PM, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.

However it is massive enough that it warrants review and pushing; the rest
of the changes can be applied later as this work should not disrupt the
classic install methods.

In order to build my previous patches (530-533) are needed as well as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

Simo.





--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-01 Thread Simo Sorce

On 01/10/15 10:33, Oleg Fayans wrote:

First glance at the packages built from today's tree reveals the
following problems:

1.
Having PTR sync enabled in global DNS configuration and installing
client with --enable-dns-updates option, ipa master still does not
create a PTR record for the client machine. As a result,
ipa-replica-install throws the following error:

ipa : ERROR    Reverse DNS resolution of address 192.168.122.171
(f22replica1.pesen.net) failed. Clients may not function properly.
Please check your DNS setup. (Note that this check queries IPA DNS
directly and ignores /etc/hosts.)


I work around this by passing in --no-host-dns for now


2.
When corresponding PTR record is created manually, ipa-replica-install
still fails:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    no matching
entry found

The same error was caught by Jan Pazdziora (current discussion in #ipa
channel)


I pushed a rebased patchset on top of current master that includes a 
small patch that should deal with the kra detection bug properly.



HTH,
Simo.




On 08/26/2015 11:27 PM, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.

However it is massive enough that it warrants review and pushing; the rest
of the changes can be applied later as this work should not disrupt the
classic install methods.

In order to build my previous patches (530-533) are needed as well as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review


Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-30 Thread Jan Cholasta

On 24.9.2015 15:10, Simo Sorce wrote:

On 24/09/15 04:43, Martin Basti wrote:



On 09/24/2015 02:25 AM, Martin Basti wrote:



On 09/22/2015 10:45 AM, Jan Cholasta wrote:

Hi,

On 9.9.2015 20:25, Simo Sorce wrote:

On Wed, 2015-08-26 at 17:27 -0400, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to
achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to
install
kra instances and the ability to install a CA (via ipa-ca-install)
with
externally signed certs.

However it is massive enough that it warrants review and pushing; the
rest
of the changes can be applied later as this work should not disrupt
the
classic install methods.

In order to build, my previous patches (530-533) are needed as well
as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in
replicas;
eventually his patches should be committed in 389-ds-base 1.3.4.4
when
it is released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica
promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review




FYI: I rebased this branch on top of master and applied minor
changes to
one of the DNS patches. I also added the missing support to install
KRA.

DS 1.3.4.4 is also in Fedora updates testing, so Ludwig's copr is not
needed anymore.

Dogtag's ticket is not fixed yet so running both --setup-ca and
--setup-kra at the same time will still yield an error and install
will
fail.

Please let me know if there are any major issues with this patchset,
I'd
like to push it to master and attack the remaining issues as add ons
(install with external certs not supported yet for example)


So far I have only read through the code without running it (mostly).


"Remove unused arguments": ACK


"Simplify the install_replica_ca function": ACK


"IPA Custodia Daemon":

1) Instead of putting the code in "ipakeys" package, could you put it
in "ipapython.keys"? This way it would be consistent with DNSSEC,
which has binaries in daemons/dnssec/ and modules in ipapython/dnssec/.

2) Is it safe to create cn=custodia in update file only? Updates are
executed late in ipa-server-install. Is it guaranteed that nothing
will try to access cn=custodia before the updates are run?

(Nevermind, it is added to bootstrap-template.ldif 2 commits below.)

3) Shouldn't cn=custodia be created only when domain level >= 1?

4) pylint fails with:

daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class),
IPAKEMKeys.__init__] Use of super on an old style class)
daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member),
IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no
'config' member)
daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member),
IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config'
member)

5) There are some PEP8 transgressions:

./daemons/ipa-custodia/ipakeys/kem.py:202:80: E501 line too long (82
> 79 characters)
./daemons/ipa-custodia/ipakeys/kem.py:203:80: E501 line too long (82
> 79 characters)
./daemons/ipa-custodia/ipakeys/store.py:33:1: E302 expected 2 blank
lines, found 1
./daemons/ipa-custodia/setup.py:8:9: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:8:11: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:9:12: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:9:14: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:10:12: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:10:14: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:11:15: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:11:17: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:12:21: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:12:23: E251 unexpected spaces around
keyword / parameter equals

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-30 Thread Simo Sorce

On 30/09/15 08:32, Jan Cholasta wrote:


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-30 Thread Jan Cholasta

On 30.9.2015 15:15, Simo Sorce wrote:


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-30 Thread Jan Pazdziora
On Tue, Sep 29, 2015 at 03:31:23PM -0400, Simo Sorce wrote:
> On 29/09/15 14:56, Oleg Fayans wrote:
> >
> >
> >On 09/29/2015 06:47 PM, Simo Sorce wrote:
> >>On 29/09/15 11:50, Oleg Fayans wrote:
> >>>Hi Simo,
> >>>
> >>>It seems to have resolved the initial issue, but now the build fails due
> >>>to lint complaints: https://paste.fedoraproject.org/272714/54174014/
> >>
> >>This happens if you do not have custodia installed.
> >>I guess I should make it also a BuildRequires ?
> >
> >I think so, yes.
> 
> Turns out it is already there.

Oleg, were you able to build from the branch now?

Simo, could you maybe make a copr repo from your branch?

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-29 Thread Jan Pazdziora
On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:
> 
> I think the problem is that the patch was pushed prematurely.
> The option should become unused once the other patches in this patchset are
> applied, that is why that patch was not on top of the list but rather down
> close to the bottom.

Simo,

could you please add the

How To Test 

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier, spelling
out how the workflow is supposed to work.

Thank you,

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-29 Thread Simo Sorce

On 29/09/15 09:28, Jan Pazdziora wrote:

On Thu, Sep 24, 2015 at 09:10:30AM -0400, Simo Sorce wrote:


I think the problem is that the patch was pushed prematurely.
The option should become unused once the other patches in this patchset are
applied, that is why that patch was not on top of the list but rather down
close to the bottom.


Simo,

could you please add the

How To Test

steps to http://www.freeipa.org/page/V4/Replica_Promotion?

It would make the functional check of this patchset easier, spelling
out how the workflow is supposed to work.


Done.

HTH,
Simo.


--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-29 Thread Simo Sorce

On 29/09/15 10:39, Oleg Fayans wrote:

Hi Simo,

Is this [1] the correct link to the repo containing all latest
replica-promotion patches? I tried to build the packages from this code
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on the
same machine.



I rebased it on top of current master, let me know if this helps.

Simo.



[1]
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

[2] https://paste.fedoraproject.org/272672/53685114/

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-29 Thread Oleg Fayans

Hi Simo,

Is this [1] the correct link to the repo containing all latest 
replica-promotion patches? I tried to build the packages from this code 
and the build failed due to libpdb not having make_pdb_method [2]
I was able to successfully build from the clean upstream tree on the 
same machine.



[1] 
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

[2] https://paste.fedoraproject.org/272672/53685114/

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-29 Thread Oleg Fayans

Hi Simo,

It seems to have resolved the initial issue, but now the build fails due 
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-29 Thread Simo Sorce

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


This happens if you do not have custodia installed.
I guess I should make it also a BuildRequires?

Simo.


--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-29 Thread Oleg Fayans



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


This happens if you do not have custodia installed.
I guess I should make it also a BuildRequires?


I think so, yes.



--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-29 Thread Simo Sorce

On 29/09/15 14:56, Oleg Fayans wrote:



On 09/29/2015 06:47 PM, Simo Sorce wrote:

On 29/09/15 11:50, Oleg Fayans wrote:

Hi Simo,

It seems to have resolved the initial issue, but now the build fails due
to lint complaints: https://paste.fedoraproject.org/272714/54174014/


This happens if you do not have custodia installed.
I guess I should make it also a BuildRequires?


I think so, yes.


Turns out it is already there.

Simo.


--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-24 Thread Martin Basti




Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-24 Thread Simo Sorce

On 24/09/15 04:43, Martin Basti wrote:



On 09/24/2015 02:25 AM, Martin Basti wrote:



On 09/22/2015 10:45 AM, Jan Cholasta wrote:

Hi,

On 9.9.2015 20:25, Simo Sorce wrote:

On Wed, 2015-08-26 at 17:27 -0400, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to
achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install)
with
externally signed certs.

However it is massive enough that it warrants review and pushing, the
rest
of the changes can be applied later as this work should not disrupt
the
classic install methods.

In order to build my previous patches (530-533) are needed as well
as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in
replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica
promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review



FYI: I rebased this branch on top of master and applied minor
changes to
one of the DNS patches. I also added the missing support to install
KRA.

DS 1.3.4.4 is also in Fedora updates testing, so ludwig's copr is not
needed anymore.

Dogtag's ticket is not fixed yet so running both --setup-ca and
--setup-kra at the same time will still yield an error and install will
fail.

Please let me know if there are any major issues with this patchset,
I'd
like to push it to master and attack the remaining issues as add ons
(install with external certs not supported yet for example)


So far I have only read through the code without running it (mostly).


"Remove unused arguments": ACK


"Simplify the install_replica_ca function": ACK


"IPA Custodia Daemon":

1) Instead of putting the code in "ipakeys" package, could you put it
in "ipapython.keys"? This way it would be consistent with DNSSEC,
which has binaries in daemons/dnssec/ and modules in ipapython/dnssec/.

2) Is it safe to create cn=custodia in update file only? Updates are
executed late in ipa-server-install. Is it guaranteed that nothing
will try to access cn=custodia before the updates are run?

(Nevermind, it is added to bootstrap-template.ldif 2 commits below.)

3) Shouldn't cn=custodia be created only when domain level >= 1?

4) pylint fails with:

daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class),
IPAKEMKeys.__init__] Use of super on an old style class)
daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member),
IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no
'config' member)
daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member),
IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config' member)

5) There are some PEP8 transgressions:

./daemons/ipa-custodia/ipakeys/kem.py:202:80: E501 line too long (82
> 79 characters)
./daemons/ipa-custodia/ipakeys/kem.py:203:80: E501 line too long (82
> 79 characters)
./daemons/ipa-custodia/ipakeys/store.py:33:1: E302 expected 2 blank
lines, found 1
./daemons/ipa-custodia/setup.py:8:9: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:8:11: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:9:12: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:9:14: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:10:12: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:10:14: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:11:15: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:11:17: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:12:21: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:12:23: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:14:13: E251 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-23 Thread Simo Sorce
On Wed, 2015-09-23 at 08:35 +0200, Jan Cholasta wrote:
> What I mean is that installing a replica using an already existing 
> replica file should be prevented at level 1 as well:
> 
> root@ipa1# ipa-server-install --domain-level=0
> root@ipa1# ipa-replica-prepare ipa2.example.com
> root@ipa1# ipa domainlevel-set 1
> 
> root@ipa2# ipa-replica-install replica-info-ipa2.example.com.gpg
> ERROR: Can't install replica from a replica file at domain level > 0

Ok I rebased the patchset with a modification to assume promotion if no
file was provided, and then raise appropriate RuntimeErrors if
conditions about the domain level are not met.

This change also prevents installing with a replica file if domain level
is currently at 1.

They are in the usual custodia-review branch.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
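The two rules Simo describes above (no replica file means promotion, which needs domain level 1 or higher; a replica file is refused once the level is above 0), as an added illustration that is not FreeIPA's own installer code: a small Python front end that mirrors the `ipa-replica-install [replica_file]` invocation used in this thread and raises RuntimeError when the requested mode does not match the domain level. The domain level is passed in as an integer that the caller has already read; how it is fetched from LDAP is outside this example, and the option names are only the ones that appear in the thread.

```python
import argparse
from enum import Enum


class InstallMode(Enum):
    # Domain level 0: classic flow, replica file produced by ipa-replica-prepare.
    REPLICA_FILE = "replica-file"
    # Domain level >= 1: promote a host that is already enrolled as a client.
    PROMOTION = "promotion"


def select_install_mode(replica_file, domain_level):
    """Decide how the replica will be installed and refuse invalid combinations.

    Promotion is assumed whenever no replica file is given; a replica file is
    only accepted while the domain is still at level 0.  Both mismatches are
    reported as RuntimeError, mirroring the behaviour described in the thread.
    """
    if not isinstance(domain_level, int) or domain_level < 0:
        raise ValueError("domain level must be a non-negative integer")

    if replica_file is None:
        # No file: the only remaining way to install is promotion, which is
        # a level >= 1 feature.
        if domain_level < 1:
            raise RuntimeError(
                "Replica promotion requires domain level 1 or higher "
                "(current level %d); use a replica file instead" % domain_level
            )
        return InstallMode.PROMOTION

    # A replica file prepared at level 0 must not be usable after the raise.
    if domain_level > 0:
        raise RuntimeError(
            "Can't install replica from a replica file at domain level > 0 "
            "(current level %d)" % domain_level
        )
    return InstallMode.REPLICA_FILE


def plan_install(argv, domain_level):
    """Parse an ipa-replica-install style command line and return the plan.

    argv is the argument list without the program name (hypothetical
    front end, not the real installer's option parser).
    """
    parser = argparse.ArgumentParser(prog="ipa-replica-install", add_help=False)
    parser.add_argument("replica_file", nargs="?", default=None,
                        help="replica file from ipa-replica-prepare (level 0 only)")
    parser.add_argument("--setup-ca", action="store_true", dest="setup_ca")
    parser.add_argument("--setup-kra", action="store_true", dest="setup_kra")
    args = parser.parse_args(argv)

    mode = select_install_mode(args.replica_file, domain_level)
    return {
        "mode": mode,
        "replica_file": args.replica_file,
        "setup_ca": args.setup_ca,
        "setup_kra": args.setup_kra,
    }


if __name__ == "__main__":
    # Constructed scenarios matching the thread: level 0 with a file,
    # level 1 without one, and the refused file-at-level-1 case.
    print(plan_install(["replica-info-ipa2.example.com.gpg"], domain_level=0))
    print(plan_install(["--setup-ca"], domain_level=1))
    try:
        plan_install(["replica-info-ipa2.example.com.gpg"], domain_level=1)
    except RuntimeError as err:
        print("ERROR:", err)
```

The check is deliberately done before anything touches the directory server or Dogtag, so a stale replica file cannot be used to bring up a level-0 style replica after the domain has moved on.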


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-23 Thread Jan Cholasta

On 23.9.2015 02:47, Simo Sorce wrote:

On Tue, 2015-09-22 at 10:57 -0400, Simo Sorce wrote:

On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:

Hi,

On 9.9.2015 20:25, Simo Sorce wrote:

On Wed, 2015-08-26 at 17:27 -0400, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.

However it is massive enough that it warrants review and pushing, the rest
of the changes can be applied later as this work should not disrupt the
classic install methods.

In order to build my previous patches (530-533) are needed as well as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review


FYI: I rebased this branch on top of master and applied minor changes to
one of the DNS patches. I also added the missing support to install KRA.

DS 1.3.4.4 is also in Fedora updates testing, so ludwig's copr is not
needed anymore.

Dogtag's ticket is not fixed yet so running both --setup-ca and
--setup-kra at the same time will still yield an error and install will
fail.

Please let me know if there are any major issues with this patchset, I'd
like to push it to master and attack the remaining issues as add ons
(install with external certs not supported yet for example)


So far I have only read through the code without running it (mostly).


"Remove unused arguments": ACK


"Simplify the install_replica_ca function": ACK


Thanks for pushing these.



"IPA Custodia Daemon":

1) Instead of putting the code in "ipakeys" package, could you put it in
"ipapython.keys"? This way it would be consistent with DNSSEC, which has
binaries in daemons/dnssec/ and modules in ipapython/dnssec/.


I think I can do this, it was originally all in daemon because that's
where I had the custodia submodules, but we do not carry a copy anymore.


2) Is it safe to create cn=custodia in update file only? Updates are
executed late in ipa-server-install. Is it guaranteed that nothing will
try to access cn=custodia before the updates are run?

(Nevermind, it is added to bootstrap-template.ldif 2 commits below.)

3) Shouldn't cn=custodia be created only when domain level >= 1?


It is used only at >= 1 level, but we have to create it when we update
the code, otherwise you cannot switch to level 1.
Switching a level in LDAP cannot cause an update script to be run so
you would have incomplete servers publicizing level 1 but not offering a
critical service for level 1.


Makes sense, thanks.




4) pylint fails with:

daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class),
IPAKEMKeys.__init__] Use of super on an old style class)
daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member),
IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no
'config' member)
daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member),
IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config' member)


On what pylint version ?
I had to disable pylint for a while but it currently runs and doesn't
complain to me ...


pylint looks fine for everything I touched now.


As I said in the other thread, this is without custodia installed, so 
just ignore it.





5) There are some PEP8 transgressions:

./daemons/ipa-custodia/ipakeys/kem.py:202:80: E501 line too long (82 >
79 characters)
./daemons/ipa-custodia/ipakeys/kem.py:203:80: E501 line too long (82 >
79 characters)
./daemons/ipa-custodia/ipakeys/store.py:33:1: E302 expected 2 blank
lines, found 1
./daemons/ipa-custodia/setup.py:8:9: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:8:11: E251 unexpected spaces around
keyword / parameter equals
./daemons/ipa-custodia/setup.py:9:12: E251 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-23 Thread Martin Basti



On 09/22/2015 10:45 AM, Jan Cholasta wrote:

Hi,

On 9.9.2015 20:25, Simo Sorce wrote:

On Wed, 2015-08-26 at 17:27 -0400, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to 
achieve

this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.

However it is massive enough that it warrants review and pushing, the 
rest

of the changes can be applied later as this work should not disrupt the
classic install methods.

In order to build my previous patches (530-533) are needed as well as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review 



FYI: I rebased this branch on top of master and applied minor changes to
one of the DNS patches. I also added the missing support to install KRA.

DS 1.3.4.4 is also in Fedora updates testing, so ludwig's copr is not
needed anymore.

Dogtag's ticket is not fixed yet so running both --setup-ca and
--setup-kra at the same time will still yield an error and install will
fail.

Please let me know if there are any major issues with this patchset, I'd
like to push it to master and attack the remaining issues as add ons
(install with external certs not supported yet for example)


So far I have only read through the code without running it (mostly).


"Remove unused arguments": ACK


"Simplify the install_replica_ca function": ACK


"IPA Custodia Daemon":

1) Instead of putting the code in "ipakeys" package, could you put it 
in "ipapython.keys"? This way it would be consistent with DNSSEC, 
which has binaries in daemons/dnssec/ and modules in ipapython/dnssec/.


2) Is it safe to create cn=custodia in update file only? Updates are 
executed late in ipa-server-install. Is it guaranteed that nothing 
will try to access cn=custodia before the updates are run?


(Nevermind, it is added to bootstrap-template.ldif 2 commits below.)

3) Shouldn't cn=custodia be created only when domain level >= 1?

4) pylint fails with:

daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class), 
IPAKEMKeys.__init__] Use of super on an old style class)
daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member), 
IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no 
'config' member)
daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member), 
IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config' member)


5) There are some PEP8 transgressions:

./daemons/ipa-custodia/ipakeys/kem.py:202:80: E501 line too long (82 > 
79 characters)
./daemons/ipa-custodia/ipakeys/kem.py:203:80: E501 line too long (82 > 
79 characters)
./daemons/ipa-custodia/ipakeys/store.py:33:1: E302 expected 2 blank 
lines, found 1
./daemons/ipa-custodia/setup.py:8:9: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:8:11: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:9:12: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:9:14: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:10:12: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:10:14: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:11:15: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:11:17: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:12:21: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:12:23: E251 unexpected spaces around 
keyword / parameter equals
./daemons/ipa-custodia/setup.py:14:13: E251 unexpected spaces around 
keyword / parameter equals

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-22 Thread Jan Cholasta

On 22.9.2015 17:23, Simo Sorce wrote:

On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:

4) pylint fails with:

daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class),
IPAKEMKeys.__init__] Use of super on an old style class)
daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member),
IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no
'config' member)
daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member),
IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config'
member)


I do not know why pylint gives you these errors.
The top level class for IPAKEMKeys is ultimately the custodia class
called HTTPAuthorizer which is defined as a new-style class (derives
from object), that class also unconditionally inits config.
Maybe you ran pylint w/o custodia installed ?


Yes, that was it. Sorry.

--
Jan Cholasta



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-22 Thread Simo Sorce
On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:
> Hi,
> 
> On 9.9.2015 20:25, Simo Sorce wrote:
> > On Wed, 2015-08-26 at 17:27 -0400, Simo Sorce wrote:
> >> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> >> and introduces a number of required changes and dependencies to achieve
> >> this goal.
> >> This work requires the custodia project to securely transfer keys
> >> between ipa servers.
> >>
> >> This work is not 100% complete, it still misses the ability to install
> >> kra instances and the ability to install a CA (via ipa-ca-install) with
> >> externally signed certs.
> >>
> >> However it is massive enough that it warrants review and pushing, the rest
> >> of the changes can be applied later as this work should not disrupt the
> >> classic install methods.
> >>
> >> In order to build my previous patches (530-533) are needed as well as a
> >> number of updated components.
> >>
> >> I used the following coprs for testing:
> >> simo/jwcrypto
> >> simo/custodia
> >> abbra/sssd-kkdcproxy (for sssd 1.13.1)
> >> lkrispen/389-ds-current (for 389 > 1.3.4.4)
> >> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> >> mkosek/freeipa-4.2-fedora-22 (misc)
> >> fedora/updates-testing (python-gssapi 1.1.2)
> >>
> >> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> >> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> >> it will be released.
> >>
> >> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> >> that may cause installation issues in some cases (re-install of a
> >> replica).
> >>
> >> The domain must be raised to level 1 in order to use replica promotion.
> >>
> >> In order to promote a replica the server must be first joined as a
> >> regular client to the domain.
> >>
> >> This is the flow I usually use for testing:
> >>
> >> # ipa-client-install
> >> # kinit admin
> >> # ipa-replica-install --promote --setup-ca
> >>  >> etc...>
> >>
> >> These patches are also available in this git tree rebased on current
> >> master:
> >> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
> >
> > FYI: I rebased this branch on top of master and applied minor changes to
> > one of the DNS patches. I also added the missing support to install KRA.
> >
> > DS 1.3.4.4 is also in Fedora updates testing, so ludwig's copr is not
> > needed anymore.
> >
> > Dogtag's ticket is not fixed yet so running both --setup-ca and
> > --setup-kra at the same time will still yield an error and install will
> > fail.
> >
> > Please let me know if there are any major issues with this patchset, I'd
> > like to push it to master and attack the remaining issues as add ons
> > (install with external certs not supported yet for example)
> 
> So far I have only read through the code without running it (mostly).
> 
> 
> "Remove unused arguments": ACK
> 
> 
> "Simplify the install_replica_ca function": ACK

Thanks for pushing these.

> 
> "IPA Custodia Daemon":
> 
> 1) Instead of putting the code in "ipakeys" package, could you put it in 
> "ipapython.keys"? This way it would be consistent with DNSSEC, which has 
> binaries in daemons/dnssec/ and modules in ipapython/dnssec/.

I think I can do this, it was originally all in daemon because that's
where I had the custodia submodules, but we do not carry a copy anymore.

> 2) Is it safe to create cn=custodia in update file only? Updates are 
> executed late in ipa-server-install. Is it guaranteed that nothing will 
> try to access cn=custodia before the updates are run?
> 
> (Nevermind, it is added to bootstrap-template.ldif 2 commits below.)
> 
> 3) Shouldn't cn=custodia be created only when domain level >= 1?

It is used only at >= 1 level, but we have to create it when we update
the code, otherwise you cannot switch to level 1.
Switching a level in LDAP cannot cause an update script to be run so
you would have incomplete servers publicizing level 1 but not offering a
critical service for level 1.

> 4) pylint fails with:
> 
> daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class), 
> IPAKEMKeys.__init__] Use of super on an old style class)
> daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member), 
> IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no 
> 'config' member)
> daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member), 
> IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config' member)

On what pylint version ?
I had to disable pylint for a while but it currently runs and doesn't
complain to me ...

> 5) There are some PEP8 transgressions:
> 
> ./daemons/ipa-custodia/ipakeys/kem.py:202:80: E501 line too long (82 > 
> 79 characters)
> ./daemons/ipa-custodia/ipakeys/kem.py:203:80: E501 line too long (82 > 
> 79 characters)
> ./daemons/ipa-custodia/ipakeys/store.py:33:1: E302 expected 2 blank 
> lines, found 1
> ./daemons/ipa-custodia/setup.py:8:9: E251 unexpected spaces around 
> keyword / parameter equals
> 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-22 Thread Simo Sorce
On Tue, 2015-09-22 at 10:45 +0200, Jan Cholasta wrote:
> 4) pylint fails with:
> 
> daemons/ipa-custodia/ipakeys/kem.py:156: [E1002(super-on-old-class), 
> IPAKEMKeys.__init__] Use of super on an old style class)
> daemons/ipa-custodia/ipakeys/kem.py:178: [E1101(no-member), 
> IPAKEMKeys.generate_server_keys] Instance of 'IPAKEMKeys' has no 
> 'config' member)
> daemons/ipa-custodia/ipakeys/kem.py:187: [E1101(no-member), 
> IPAKEMKeys.server_keys] Instance of 'IPAKEMKeys' has no 'config'
> member)

I do not know why pylint gives you these errors.
The top level class for IPAKEMKeys is ultimately the custodia class
called HTTPAuthorizer which is defined as a new-style class (derives
from object), that class also unconditionally inits config.
Maybe you ran pylint w/o custodia installed ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-09 Thread Simo Sorce
On Wed, 2015-08-26 at 17:27 -0400, Simo Sorce wrote:
> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> and introduces a number of required changes and dependencies to achieve
> this goal.
> This work requires the custodia project to securely transfer keys
> between ipa servers.
> 
> This work is not 100% complete, it still misses the ability to install
> kra instances and the ability to install a CA (via ipa-ca-install) with
> externally signed certs.
> 
> However it is massive enough that it warrants review and pushing, the rest
> of the changes can be applied later as this work should not disrupt the
> classic install methods.
> 
> In order to build my previous patches (530-533) are needed as well as a
> number of updated components.
> 
> I used the following coprs for testing:
> simo/jwcrypto
> simo/custodia
> abbra/sssd-kkdcproxy (for sssd 1.13.1)
> lkrispen/389-ds-current (for 389 > 1.3.4.4)
> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> mkosek/freeipa-4.2-fedora-22 (misc)
> fedora/updates-testing (python-gssapi 1.1.2)
> 
> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> it will be released.
> 
> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> that may cause installation issues in some cases (re-install of a
> replica).
> 
> The domain must be raised to level 1 in order to use replica promotion.
> 
> In order to promote a replica the server must be first joined as a
> regular client to the domain.
> 
> This is the flow I usually use for testing:
> 
> # ipa-client-install
> # kinit admin
> # ipa-replica-install --promote --setup-ca
>  etc...>
> 
> These patches are also available in this git tree rebased on current
> master:
> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

FYI: I rebased this branch on top of master and applied minor changes to
one of the DNS patches. I also added the missing support to install KRA.

DS 1.3.4.4 is also in Fedora updates testing, so ludwig's copr is not
needed anymore.

Dogtag's ticket is not fixed yet so running both --setup-ca and
--setup-kra at the same time will still yield an error and install will
fail.

Please let me know if there are any major issues with this patchset, I'd
like to push it to master and attack the remaining issues as add ons
(install with external certs not supported yet for example)

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-03 Thread Martin Basti



On 09/02/2015 10:37 PM, Simo Sorce wrote:

On Wed, 2015-09-02 at 15:22 -0400, Simo Sorce wrote:

On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:

On 08/26/2015 11:27 PM, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.

However it is massive enough that it warrants review and pushing, the rest
of the changes can be applied later as this work should not disrupt the
classic install methods.

In order to build my previous patches (530-533) are needed as well as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

Simo.




I'm running into an issue when upgrading RPMs:

2015-08-31T10:53:32Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
 return_value = self.run()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 48, in run
 server.upgrade()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1596, in upgrade
 upgrade_configuration()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1508, in upgrade_configuration
 custodia.upgrade_instance()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
57, in upgrade_instance
 self.__gen_keys()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
51, in __gen_keys
 KeyStore.generate_server_keys()
   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
generate_server_keys
 ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
set_key
 conn.modify_s(dn, mods)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
364, in modify_s
 return self.result(msgid,all=1,timeout=self.timeout)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
465, in result
 resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
469, in result2
 resp_type, resp_data, resp_msgid, resp_ctrls =
self.result3(msgid,all,timeout)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
476, in result3
 resp_ctrl_classes=resp_ctrl_classes
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
483, in result4
 ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
106, in _ldap_call
 result = func(*args,**kwargs)

2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
No such object

Have you found out what this was about ?

I just found a different problem affecting ipa-server-upgrade on my
master, it tracebacks trying to update the schema, which is odd:

2015-09-02T19:06:39Z DEBUG   [5/8]: updating schema
2015-09-02T19:06:39Z DEBUG flushing 
ldapi://%2fvar%2frun%2fslapd-PROMO-LAN.socket from SchemaCache
2015-09-02T19:06:39Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-PROMO-LAN.socket 
conn=
2015-09-02T19:06:40Z DEBUG Processing schema LDIF file 
/usr/share/ipa/60kerberos.ldif
2015-09-02T19:06:40Z DEBUG Traceback (most recent call last):
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 
417, in start_creation
 run_step(full_msg, method)
   File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-03 Thread Oleg Fayans

I've encountered this today too. Filed a ticket about it:

https://fedorahosted.org/freeipa/ticket/5283

On 09/03/2015 10:57 AM, Martin Basti wrote:



On 09/02/2015 10:37 PM, Simo Sorce wrote:

On Wed, 2015-09-02 at 15:22 -0400, Simo Sorce wrote:

On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:

On 08/26/2015 11:27 PM, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to
achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install)
with
externally signed certs.

However it is massive enough that it warrants review and pushing; the rest
of the changes can be applied later as this work should not disrupt
the
classic install methods.

In order to build my previous patches (530-533) are needed as well
as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in
replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica
promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review


Simo.




I'm running into an issue when upgrading RPMs:

2015-08-31T10:53:32Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
 return_value = self.run()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",

line 48, in run
 server.upgrade()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1596, in upgrade
 upgrade_configuration()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1508, in upgrade_configuration
 custodia.upgrade_instance()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py",
line
57, in upgrade_instance
 self.__gen_keys()
   File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py",
line
51, in __gen_keys
 KeyStore.generate_server_keys()
   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
generate_server_keys
 ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
set_key
 conn.modify_s(dn, mods)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
364, in modify_s
 return self.result(msgid,all=1,timeout=self.timeout)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
465, in result
 resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
469, in result2
 resp_type, resp_data, resp_msgid, resp_ctrls =
self.result3(msgid,all,timeout)
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
476, in result3
 resp_ctrl_classes=resp_ctrl_classes
   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
483, in result4
 ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)

   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
106, in _ldap_call
 result = func(*args,**kwargs)

2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
No such object

Have you found out what this was about ?

I just found a different problem affecting ipa-server-upgrade on my
master, it tracebacks trying to update the schema, which is odd:

2015-09-02T19:06:39Z DEBUG   [5/8]: updating schema
2015-09-02T19:06:39Z DEBUG flushing
ldapi://%2fvar%2frun%2fslapd-PROMO-LAN.socket from SchemaCache
2015-09-02T19:06:39Z DEBUG retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-PROMO-LAN.socket
conn=
2015-09-02T19:06:40Z DEBUG Processing schema LDIF file
/usr/share/ipa/60kerberos.ldif
2015-09-02T19:06:40Z DEBUG Traceback (most recent call last):
   File
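An added log-triage helper for the ipa-server-upgrade traceback quoted above (example code written for this page, not FreeIPA's own code). It parses the traceback frames, separates IPA's own frames from the python-ldap frames beneath them, and reports the innermost IPA frame together with the python-ldap entry point and the LDAP result. The reason for that split: LDAP noSuchObject (result code 32) on a modify means the target DN does not exist, so the frame that built the DN (set_key in ipakeys/kem.py in this log) is the one to inspect, not the python-ldap stack below it. The sample log is constructed from the quoted traceback with the archive's line wrapping undone; the frame format is CPython's standard traceback layout and the `exception: NAME: {'desc': ...}` line is the one the quoted log prints.

```python
import re

# Constructed sample: the ipa-server-upgrade traceback quoted in this thread,
# with each frame re-joined onto one line (the mail archive wrapped them).
SAMPLE_LOG = """\
2015-08-31T10:53:32Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 48, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1596, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1508, in upgrade_configuration
    custodia.upgrade_instance()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 57, in upgrade_instance
    self.__gen_keys()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 51, in __gen_keys
    KeyStore.generate_server_keys()
  File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in generate_server_keys
    ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
  File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in set_key
    conn.modify_s(dn, mods)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 364, in modify_s
    return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 465, in result
    resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 469, in result2
    resp_type, resp_data, resp_msgid, resp_ctrls = self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 476, in result3
    resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 483, in result4
    ldap_result = self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line 106, in _ldap_call
    result = func(*args,**kwargs)

2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed, exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
No such object
"""

# Standard CPython frame: 'File "<path>", line <n>, in <func>' then the source line.
FRAME_RE = re.compile(r'File "([^"]+)", line (\d+), in (\w+)\n[ \t]*([^\n]+)')
# The summary line ipa-server-upgrade writes for a python-ldap exception.
EXC_RE = re.compile(r"exception: (\w+): \{'desc': '([^']*)'\}")
# Path fragment that marks a frame as python-ldap rather than IPA code.
LDAP_LIB = "site-packages/ldap/"


def parse_frames(log_text):
    """Return traceback frames as dicts, outermost first."""
    return [
        {"file": path, "line": int(num), "func": func, "code": code.strip()}
        for path, num, func, code in FRAME_RE.findall(log_text)
    ]


def parse_exception(log_text):
    """Return (exception name, LDAP 'desc' text), or (None, None)."""
    m = EXC_RE.search(log_text)
    return (m.group(1), m.group(2)) if m else (None, None)


def innermost_ipa_frame(frames):
    """Deepest frame that is IPA's own code, skipping the python-ldap stack."""
    for frame in reversed(frames):
        if LDAP_LIB not in frame["file"]:
            return frame
    return None


def ldap_operation(frames):
    """Name of the python-ldap entry point IPA called (e.g. modify_s), or None."""
    for frame in frames:
        if LDAP_LIB in frame["file"]:
            return frame["func"]
    return None


def triage(log_text):
    """Summarise one failed-upgrade log excerpt into the facts worth reading first."""
    frames = parse_frames(log_text)
    exc, desc = parse_exception(log_text)
    return {
        "exception": exc,
        "desc": desc,
        "ldap_op": ldap_operation(frames),
        "ipa_frame": innermost_ipa_frame(frames),
        "depth": len(frames),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    frame = report["ipa_frame"]
    print("%s (%s) raised by %s, called from %s:%d in %s: %s" % (
        report["exception"], report["desc"], report["ldap_op"],
        frame["file"], frame["line"], frame["func"], frame["code"]))
```

Run against a real /var/log/ipaupgrade.log excerpt, the `ipa_frame` entry is the DN-building code to read next; `ldap_op` tells you whether the server rejected an add, a modify or a search, which changes what "no such object" means (target entry missing for modify, parent missing for add).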

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-03 Thread Martin Basti



On 09/03/2015 02:57 PM, Simo Sorce wrote:

On Thu, 2015-09-03 at 10:57 +0200, Martin Basti wrote:

On 09/02/2015 10:37 PM, Simo Sorce wrote:

On Wed, 2015-09-02 at 15:22 -0400, Simo Sorce wrote:

On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:

On 08/26/2015 11:27 PM, Simo Sorce wrote:

This patchset implements https://fedorahosted.org/freeipa/ticket/2888
and introduces a number of required changes and dependencies to achieve
this goal.
This work requires the custodia project to securely transfer keys
between ipa servers.

This work is not 100% complete, it still misses the ability to install
kra instances and the ability to install a CA (via ipa-ca-install) with
externally signed certs.

However it is massive enough that it warrants review and pushing; the rest
of the changes can be applied later as this work should not disrupt the
classic install methods.

In order to build my previous patches (530-533) are needed as well as a
number of updated components.

I used the following coprs for testing:
simo/jwcrypto
simo/custodia
abbra/sssd-kkdcproxy (for sssd 1.13.1)
lkrispen/389-ds-current (for 389 > 1.3.4.4)
vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
mkosek/freeipa-4.2-fedora-22 (misc)
fedora/updates-testing (python-gssapi 1.1.2)

Ludwig's copr is necessary to have a functional DNA plugin in replicas,
eventually his patches should be committed in 389-ds-base 1.3.4.4 when
it will be released.

We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
that may cause installation issues in some cases (re-install of a
replica).

The domain must be raised to level 1 in order to use replica promotion.

In order to promote a replica the server must be first joined as a
regular client to the domain.

This is the flow I usually use for testing:

# ipa-client-install
# kinit admin
# ipa-replica-install --promote --setup-ca


These patches are also available in this git tree rebased on current
master:
https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review

Simo.




I'm running into an issue when upgrading RPMs:

2015-08-31T10:53:32Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
  return_value = self.run()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 48, in run
  server.upgrade()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1596, in upgrade
  upgrade_configuration()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1508, in upgrade_configuration
  custodia.upgrade_instance()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
57, in upgrade_instance
  self.__gen_keys()
File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
51, in __gen_keys
  KeyStore.generate_server_keys()
File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
generate_server_keys
  ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
set_key
  conn.modify_s(dn, mods)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
364, in modify_s
  return self.result(msgid,all=1,timeout=self.timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
465, in result
  resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
469, in result2
  resp_type, resp_data, resp_msgid, resp_ctrls =
self.result3(msgid,all,timeout)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
476, in result3
  resp_ctrl_classes=resp_ctrl_classes
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
483, in result4
  ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
106, in _ldap_call
  result = func(*args,**kwargs)

2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
No such object

Have you found out what this was about ?

I just found a different problem affecting ipa-server-upgrade on my
master, it tracebacks trying to update the schema, which is odd:

2015-09-02T19:06:39Z DEBUG   [5/8]: updating schema
2015-09-02T19:06:39Z DEBUG flushing 
ldapi://%2fvar%2frun%2fslapd-PROMO-LAN.socket from SchemaCache
2015-09-02T19:06:39Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-PROMO-LAN.socket 
conn=
2015-09-02T19:06:40Z DEBUG Processing schema LDIF file 
/usr/share/ipa/60kerberos.ldif
2015-09-02T19:06:40Z DEBUG Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-03 Thread Simo Sorce
On Thu, 2015-09-03 at 15:21 +0200, Martin Basti wrote:
> 
> On 09/03/2015 02:57 PM, Simo Sorce wrote:
> > On Thu, 2015-09-03 at 10:57 +0200, Martin Basti wrote:
> >> On 09/02/2015 10:37 PM, Simo Sorce wrote:
> >>> On Wed, 2015-09-02 at 15:22 -0400, Simo Sorce wrote:
>  On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:
> > On 08/26/2015 11:27 PM, Simo Sorce wrote:
> >> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> >> and introduces a number of required changes and dependencies to
> >> achieve
> >> this goal.
> >> This work requires the custodia project to securely transfer keys
> >> between ipa servers.
> >>
> >> This work is not 100% complete, it still misses the ability to install
> >> kra instances and the ability to install a CA (via ipa-ca-install) with
> >> externally signed certs.
> >>
> >> However it is massive enough that it warrants review and pushing; the rest
> >> of the changes can be applied later as this work should not disrupt the
> >> classic install methods.
> >>
> >> In order to build my previous patches (530-533) are needed as well as a
> >> number of updated components.
> >>
> >> I used the following coprs for testing:
> >> simo/jwcrypto
> >> simo/custodia
> >> abbra/sssd-kkdcproxy (for sssd 1.13.1)
> >> lkrispen/389-ds-current (for 389 > 1.3.4.4)
> >> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> >> mkosek/freeipa-4.2-fedora-22 (misc)
> >> fedora/updates-testing (python-gssapi 1.1.2)
> >>
> >> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> >> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> >> it will be released.
> >>
> >> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> >> that may cause installation issues in some cases (re-install of a
> >> replica).
> >>
> >> The domain must be raised to level 1 in order to use replica promotion.
> >>
> >> In order to promote a replica the server must be first joined as a
> >> regular client to the domain.
> >>
> >> This is the flow I usually use for testing:
> >>
> >> # ipa-client-install
> >> # kinit admin
> >> # ipa-replica-install --promote --setup-ca
> >>  >> etc...>
> >>
> >> These patches are also available in this git tree rebased on current
> >> master:
> >> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
> >>
> >> Simo.
> >>
> >>
> >>
> > I'm running into an issue when upgrading RPMs:
> >
> > 2015-08-31T10:53:32Z DEBUG   File
> > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> > execute
> >   return_value = self.run()
> > File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> > line 48, in run
> >   server.upgrade()
> > File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> > line 1596, in upgrade
> >   upgrade_configuration()
> > File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> > line 1508, in upgrade_configuration
> >   custodia.upgrade_instance()
> > File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py",
> >  line
> > 57, in upgrade_instance
> >   self.__gen_keys()
> > File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py",
> >  line
> > 51, in __gen_keys
> >   KeyStore.generate_server_keys()
> > File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
> > generate_server_keys
> >   ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
> > File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
> > set_key
> >   conn.modify_s(dn, mods)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 364, in modify_s
> >   return self.result(msgid,all=1,timeout=self.timeout)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 465, in result
> >   resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 469, in result2
> >   resp_type, resp_data, resp_msgid, resp_ctrls =
> > self.result3(msgid,all,timeout)
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 476, in result3
> >   resp_ctrl_classes=resp_ctrl_classes
> > File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 483, in result4
> >   ldap_result =
> > self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-03 Thread Simo Sorce
On Thu, 2015-09-03 at 10:57 +0200, Martin Basti wrote:
> 
> On 09/02/2015 10:37 PM, Simo Sorce wrote:
> > On Wed, 2015-09-02 at 15:22 -0400, Simo Sorce wrote:
> >> On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:
> >>> On 08/26/2015 11:27 PM, Simo Sorce wrote:
>  This patchset implements https://fedorahosted.org/freeipa/ticket/2888
>  and introduces a number of required changes and dependencies to achieve
>  this goal.
>  This work requires the custodia project to securely transfer keys
>  between ipa servers.
> 
>  This work is not 100% complete, it still misses the ability to install
>  kra instances and the ability to install a CA (via ipa-ca-install) with
>  externally signed certs.
> 
>  However it is massive enough that it warrants review and pushing; the rest
>  of the changes can be applied later as this work should not disrupt the
>  classic install methods.
> 
>  In order to build my previous patches (530-533) are needed as well as a
>  number of updated components.
> 
>  I used the following coprs for testing:
>  simo/jwcrypto
>  simo/custodia
>  abbra/sssd-kkdcproxy (for sssd 1.13.1)
>  lkrispen/389-ds-current (for 389 > 1.3.4.4)
>  vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
>  mkosek/freeipa-4.2-fedora-22 (misc)
>  fedora/updates-testing (python-gssapi 1.1.2)
> 
>  Ludwig's copr is necessary to have a functional DNA plugin in replicas,
>  eventually his patches should be committed in 389-ds-base 1.3.4.4 when
>  it will be released.
> 
>  We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
>  that may cause installation issues in some cases (re-install of a
>  replica).
> 
>  The domain must be raised to level 1 in order to use replica promotion.
> 
>  In order to promote a replica the server must be first joined as a
>  regular client to the domain.
> 
>  This is the flow I usually use for testing:
> 
>  # ipa-client-install
>  # kinit admin
>  # ipa-replica-install --promote --setup-ca
>    etc...>
> 
>  These patches are also available in this git tree rebased on current
>  master:
>  https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
> 
>  Simo.
> 
> 
> 
> >>> I'm running into an issue when upgrading RPMs:
> >>>
> >>> 2015-08-31T10:53:32Z DEBUG   File
> >>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> >>> execute
> >>>  return_value = self.run()
> >>>File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> >>> line 48, in run
> >>>  server.upgrade()
> >>>File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> >>> line 1596, in upgrade
> >>>  upgrade_configuration()
> >>>File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> >>> line 1508, in upgrade_configuration
> >>>  custodia.upgrade_instance()
> >>>File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", 
> >>> line
> >>> 57, in upgrade_instance
> >>>  self.__gen_keys()
> >>>File
> >>> "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", 
> >>> line
> >>> 51, in __gen_keys
> >>>  KeyStore.generate_server_keys()
> >>>File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
> >>> generate_server_keys
> >>>  ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
> >>>File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
> >>> set_key
> >>>  conn.modify_s(dn, mods)
> >>>File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> >>> 364, in modify_s
> >>>  return self.result(msgid,all=1,timeout=self.timeout)
> >>>File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> >>> 465, in result
> >>>  resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
> >>>File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> >>> 469, in result2
> >>>  resp_type, resp_data, resp_msgid, resp_ctrls =
> >>> self.result3(msgid,all,timeout)
> >>>File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> >>> 476, in result3
> >>>  resp_ctrl_classes=resp_ctrl_classes
> >>>File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> >>> 483, in result4
> >>>  ldap_result =
> >>> self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
> >>>File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> >>> 106, in _ldap_call
> >>>  result = func(*args,**kwargs)
> >>>
> >>> 2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
> >>> exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
> >>> 2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
> >>> No such object
> >> 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-02 Thread Simo Sorce
On Wed, 2015-09-02 at 15:22 -0400, Simo Sorce wrote:
> On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:
> > 
> > On 08/26/2015 11:27 PM, Simo Sorce wrote:
> > > This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> > > and introduces a number of required changes and dependencies to achieve
> > > this goal.
> > > This work requires the custodia project to securely transfer keys
> > > between ipa servers.
> > > 
> > > This work is not 100% complete, it still misses the ability to install
> > > kra instances and the ability to install a CA (via ipa-ca-install) with
> > > externally signed certs.
> > > 
> > > However it is massive enough that it warrants review and pushing; the rest
> > > of the changes can be applied later as this work should not disrupt the
> > > classic install methods.
> > > 
> > > In order to build my previous patches (530-533) are needed as well as a
> > > number of updated components.
> > > 
> > > I used the following coprs for testing:
> > > simo/jwcrypto
> > > simo/custodia
> > > abbra/sssd-kkdcproxy (for sssd 1.13.1)
> > > lkrispen/389-ds-current (for 389 > 1.3.4.4)
> > > vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> > > mkosek/freeipa-4.2-fedora-22 (misc)
> > > fedora/updates-testing (python-gssapi 1.1.2)
> > > 
> > > Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> > > eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> > > it will be released.
> > > 
> > > We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> > > that may cause installation issues in some cases (re-install of a
> > > replica).
> > > 
> > > The domain must be raised to level 1 in order to use replica promotion.
> > > 
> > > In order to promote a replica the server must be first joined as a
> > > regular client to the domain.
> > > 
> > > This is the flow I usually use for testing:
> > > 
> > > # ipa-client-install
> > > # kinit admin
> > > # ipa-replica-install --promote --setup-ca
> > >  > > etc...>
> > > 
> > > These patches are also available in this git tree rebased on current
> > > master:
> > > https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
> > > 
> > > Simo.
> > > 
> > > 
> > > 
> > 
> > I'm running into an issue when upgrading RPMs:
> > 
> > 2015-08-31T10:53:32Z DEBUG   File
> > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> > execute
> > return_value = self.run()
> >   File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> > line 48, in run
> > server.upgrade()
> >   File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> > line 1596, in upgrade
> > upgrade_configuration()
> >   File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> > line 1508, in upgrade_configuration
> > custodia.upgrade_instance()
> >   File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", 
> > line
> > 57, in upgrade_instance
> > self.__gen_keys()
> >   File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", 
> > line
> > 51, in __gen_keys
> > KeyStore.generate_server_keys()
> >   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
> > generate_server_keys
> > ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
> >   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
> > set_key
> > conn.modify_s(dn, mods)
> >   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 364, in modify_s
> > return self.result(msgid,all=1,timeout=self.timeout)
> >   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 465, in result
> > resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
> >   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 469, in result2
> > resp_type, resp_data, resp_msgid, resp_ctrls =
> > self.result3(msgid,all,timeout)
> >   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 476, in result3
> > resp_ctrl_classes=resp_ctrl_classes
> >   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 483, in result4
> > ldap_result =
> > self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
> >   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> > 106, in _ldap_call
> > result = func(*args,**kwargs)
> > 
> > 2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
> > exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
> > 2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
> > No such object
> 
> Have you found out what this was about ?
> 
> I just found a different problem affecting ipa-server-upgrade on my
> master, it tracebacks trying to update the schema, which is odd:
> 
> 2015-09-02T19:06:39Z DEBUG   [5/8]: updating schema
> 2015-09-02T19:06:39Z DEBUG flushing 
> 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-09-02 Thread Simo Sorce
On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:
> 
> On 08/26/2015 11:27 PM, Simo Sorce wrote:
> > This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> > and introduces a number of required changes and dependencies to achieve
> > this goal.
> > This work requires the custodia project to securely transfer keys
> > between ipa servers.
> > 
> > This work is not 100% complete, it still misses the ability to install
> > kra instances and the ability to install a CA (via ipa-ca-install) with
> > externally signed certs.
> > 
> > However it is massive enough that it warrants review and pushing; the rest
> > of the changes can be applied later as this work should not disrupt the
> > classic install methods.
> > 
> > In order to build my previous patches (530-533) are needed as well as a
> > number of updated components.
> > 
> > I used the following coprs for testing:
> > simo/jwcrypto
> > simo/custodia
> > abbra/sssd-kkdcproxy (for sssd 1.13.1)
> > lkrispen/389-ds-current (for 389 > 1.3.4.4)
> > vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> > mkosek/freeipa-4.2-fedora-22 (misc)
> > fedora/updates-testing (python-gssapi 1.1.2)
> > 
> > Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> > eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> > it will be released.
> > 
> > We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> > that may cause installation issues in some cases (re-install of a
> > replica).
> > 
> > The domain must be raised to level 1 in order to use replica promotion.
> > 
> > In order to promote a replica the server must be first joined as a
> > regular client to the domain.
> > 
> > This is the flow I usually use for testing:
> > 
> > # ipa-client-install
> > # kinit admin
> > # ipa-replica-install --promote --setup-ca
> >  > etc...>
> > 
> > These patches are also available in this git tree rebased on current
> > master:
> > https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
> > 
> > Simo.
> > 
> > 
> > 
> 
> I'm running into an issue when upgrading RPMs:
> 
> 2015-08-31T10:53:32Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
> return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 48, in run
> server.upgrade()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1596, in upgrade
> upgrade_configuration()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1508, in upgrade_configuration
> custodia.upgrade_instance()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
> 57, in upgrade_instance
> self.__gen_keys()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
> 51, in __gen_keys
> KeyStore.generate_server_keys()
>   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
> generate_server_keys
> ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
>   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
> set_key
> conn.modify_s(dn, mods)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 364, in modify_s
> return self.result(msgid,all=1,timeout=self.timeout)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 465, in result
> resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 469, in result2
> resp_type, resp_data, resp_msgid, resp_ctrls =
> self.result3(msgid,all,timeout)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 476, in result3
> resp_ctrl_classes=resp_ctrl_classes
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 483, in result4
> ldap_result =
> self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 106, in _ldap_call
> result = func(*args,**kwargs)
> 
> 2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
> exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
> 2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
> No such object

Have you found out what this was about ?

I just found a different problem affecting ipa-server-upgrade on my
master, it tracebacks trying to update the schema, which is odd:

2015-09-02T19:06:39Z DEBUG   [5/8]: updating schema
2015-09-02T19:06:39Z DEBUG flushing 
ldapi://%2fvar%2frun%2fslapd-PROMO-LAN.socket from SchemaCache
2015-09-02T19:06:39Z DEBUG retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-PROMO-LAN.socket 
conn=
2015-09-02T19:06:40Z DEBUG Processing schema LDIF file 
/usr/share/ipa/60kerberos.ldif
2015-09-02T19:06:40Z DEBUG Traceback (most recent 

Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-08-31 Thread Tomas Babej


On 08/26/2015 11:27 PM, Simo Sorce wrote:
> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> and introduces a number of required changes and dependencies to achieve
> this goal.
> This work requires the custodia project to securely transfer keys
> between ipa servers.
> 
> This work is not 100% complete, it still misses the ability to install
> kra instances and the ability to install a CA (via ipa-ca-install) with
> externally signed certs.
> 
> However it is massive enough that it warrants review and pushing; the rest
> of the changes can be applied later as this work should not disrupt the
> classic install methods.
> 
> In order to build my previous patches (530-533) are needed as well as a
> number of updated components.
> 
> I used the following coprs for testing:
> simo/jwcrypto
> simo/custodia
> abbra/sssd-kkdcproxy (for sssd 1.13.1)
> lkrispen/389-ds-current (for 389 > 1.3.4.4)
> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> mkosek/freeipa-4.2-fedora-22 (misc)
> fedora/updates-testing (python-gssapi 1.1.2)
> 
> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> it will be released.
> 
> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> that may cause installation issues in some cases (re-install of a
> replica).
> 
> The domain must be raised to level 1 in order to use replica promotion.
> 
> In order to promote a replica the server must be first joined as a
> regular client to the domain.
> 
> This is the flow I usually use for testing:
> 
> # ipa-client-install
> # kinit admin
> # ipa-replica-install --promote --setup-ca
>  etc...>
> 
> These patches are also available in this git tree rebased on current
> master:
> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
> 
> Simo.
> 
> 
> 

I'm running into an issue when upgrading RPMs:

2015-08-31T10:53:32Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
execute
return_value = self.run()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
line 48, in run
server.upgrade()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1596, in upgrade
upgrade_configuration()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1508, in upgrade_configuration
custodia.upgrade_instance()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
57, in upgrade_instance
self.__gen_keys()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
51, in __gen_keys
KeyStore.generate_server_keys()
  File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
generate_server_keys
ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
  File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
set_key
conn.modify_s(dn, mods)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
364, in modify_s
return self.result(msgid,all=1,timeout=self.timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
465, in result
resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
469, in result2
resp_type, resp_data, resp_msgid, resp_ctrls =
self.result3(msgid,all,timeout)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
476, in result3
resp_ctrl_classes=resp_ctrl_classes
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
483, in result4
ldap_result =
self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
106, in _ldap_call
result = func(*args,**kwargs)

2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
No such object

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
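A small triage helper for the traceback in the message above, added here as an example (it is not FreeIPA code and not part of the patchset): it re-joins the lines the log writer wrapped, then reports which upgrade step was running, the innermost FreeIPA frame, and the final LDAP result code, so a failure like this one reduces to "custodia key generation hit NO_SUCH_OBJECT in set_key" without reading the whole stack. It assumes only the line layout shown in the log excerpt.

```python
import ast
import re

# Traceback as logged in the message above, trimmed to the frames that matter.
SAMPLE_LOG = '''2015-08-31T10:53:32Z DEBUG   File
"/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
line 1508, in upgrade_configuration
custodia.upgrade_instance()
  File
"/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
57, in upgrade_instance
self.__gen_keys()
  File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
set_key
conn.modify_s(dn, mods)
  File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
364, in modify_s
return self.result(msgid,all=1,timeout=self.timeout)

2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
'''

FRAME_RE = re.compile(r'File "([^"]+)", line (\d+), in (\w+)')
ERROR_RE = re.compile(r"exception: ([A-Z_]+): (\{[^}]*\})")

def unwrap(text):
    """Re-join the lines the log writer wrapped so each frame is one line."""
    return re.sub(r"\s*\n\s*", " ", text)

def parse_frames(text):
    """Return (path, line, function) for every frame in the traceback."""
    return [(p, int(n), f) for p, n, f in FRAME_RE.findall(unwrap(text))]

def triage(text):
    """Name the upgrade step, innermost FreeIPA frame and final LDAP error."""
    frames = parse_frames(text)
    ipa_frames = [fr for fr in frames if "/site-packages/ipa" in fr[0]]
    # The failing step is whatever upgrade_configuration() called next.
    step = None
    for prev, cur in zip(frames, frames[1:]):
        if prev[2] == "upgrade_configuration":
            step = cur[0].rsplit("/", 1)[-1] + ":" + cur[2]
            break
    m = ERROR_RE.search(unwrap(text))
    code, info = (m.group(1), ast.literal_eval(m.group(2))) if m else (None, {})
    return {"step": step, "ipa_frame": ipa_frames[-1] if ipa_frames else None,
            "ldap_error": code, "desc": info.get("desc")}
```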


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-08-31 Thread Simo Sorce
On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:
> 
> On 08/26/2015 11:27 PM, Simo Sorce wrote:
> > This patchset implements https://fedorahosted.org/freeipa/ticket/2888
> > and introduces a number of required  changes and dependencies to achieve
> > this goal.
> > This work requires the custodia project to securely transfer keys
> > between ipa servers.
> > 
> > This work is not 100% complete, it still misses the ability to install
> > kra instances and the ability to install a CA (via ipa-ca-install) with
> > externally signed certs.
> > 
> > However it is massive enough that it warrants review and pushing, the rest
> > of the changes can be applied later as this work should not disrupt the
> > classic install methods.
> > 
> > In order to build my previous patches (530-533) are needed as well as a
> > number of updated components.
> > 
> > I used the following coprs for testing:
> > simo/jwcrypto
> > simo/custodia
> > abbra/sssd-kkdcproxy (for sssd 1.13.1)
> > lkrispen/389-ds-current (for 389 > 1.3.4.4)
> > vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
> > mkosek/freeipa-4.2-fedora-22 (misc)
> > fedora/updates-testing (python-gssapi 1.1.2)
> > 
> > Ludwig's copr is necessary to have a functional DNA plugin in replicas,
> > eventually his patches should be committed in 389-ds-base 1.3.4.4 when
> > it will be released.
> > 
> > We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
> > that may cause installation issues in some case (re-install of a
> > replica).
> > 
> > The domain must be raised to level 1 in order to use replica promotion.
> > 
> > In order to promote a replica the server must be first joined as a
> > regular client to the domain.
> > 
> > This is the flow I usually use for testing:
> > 
> > # ipa-client-install
> > # kinit admin
> > # ipa-replica-install --promote --setup-ca
> >  > etc...>
> > 
> > These patches are also available in this git tree rebased on current
> > master:
> > https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
> > 
> > Simo.
> > 
> > 
> > 
> 
> I'm running into an issue when upgrading RPMs:

What version are you upgrading from?

Also do you have logs telling which update is failing? I can guess it
is the topology stuff but that would be surprising.

Simo.

> 2015-08-31T10:53:32Z DEBUG   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in
> execute
> return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
> line 48, in run
> server.upgrade()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1596, in upgrade
> upgrade_configuration()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
> line 1508, in upgrade_configuration
> custodia.upgrade_instance()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
> 57, in upgrade_instance
> self.__gen_keys()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line
> 51, in __gen_keys
> KeyStore.generate_server_keys()
>   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 181, in
> generate_server_keys
> ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
>   File "/usr/lib/python2.7/site-packages/ipakeys/kem.py", line 127, in
> set_key
> conn.modify_s(dn, mods)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 364, in modify_s
> return self.result(msgid,all=1,timeout=self.timeout)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 465, in result
> resp_type, resp_data, resp_msgid = self.result2(msgid,all,timeout)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 469, in result2
> resp_type, resp_data, resp_msgid, resp_ctrls =
> self.result3(msgid,all,timeout)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 476, in result3
> resp_ctrl_classes=resp_ctrl_classes
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 483, in result4
> ldap_result =
> self._ldap_call(self._l.result4,msgid,all,timeout,add_ctrls,add_intermediates,add_extop)
>   File "/usr/lib64/python2.7/site-packages/ldap/ldapobject.py", line
> 106, in _ldap_call
> result = func(*args,**kwargs)
> 
> 2015-08-31T10:53:32Z DEBUG The ipa-server-upgrade command failed,
> exception: NO_SUCH_OBJECT: {'desc': 'No such object'}
> 2015-08-31T10:53:32Z ERROR LDAP error: NO_SUCH_OBJECT
> No such object


-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-08-31 Thread Tomas Babej


On 08/31/2015 02:56 PM, Simo Sorce wrote:
> On Mon, 2015-08-31 at 14:45 +0200, Tomas Babej wrote:
>>
>> On 08/26/2015 11:27 PM, Simo Sorce wrote:
>>> This patchset implements https://fedorahosted.org/freeipa/ticket/2888
>>> and introduces a number of required  changes and dependencies to achieve
>>> this goal.
>>> This work requires the custodia project to securely transfer keys
>>> between ipa servers.
>>>
>>> This work is not 100% complete, it still misses the ability to install
>>> kra instances and the ability to install a CA (via ipa-ca-install) with
>>> externally signed certs.
>>>
>>> However it is massive enough that it warrants review and pushing, the rest
>>> of the changes can be applied later as this work should not disrupt the
>>> classic install methods.
>>>
>>> In order to build my previous patches (530-533) are needed as well as a
>>> number of updated components.
>>>
>>> I used the following coprs for testing:
>>> simo/jwcrypto
>>> simo/custodia
>>> abbra/sssd-kkdcproxy (for sssd 1.13.1)
>>> lkrispen/389-ds-current (for 389 > 1.3.4.4)
>>> vakwetu/dogtag_10.2.7_test_builds (for dogtag 10.2.7)
>>> mkosek/freeipa-4.2-fedora-22 (misc)
>>> fedora/updates-testing (python-gssapi 1.1.2)
>>>
>>> Ludwig's copr is necessary to have a functional DNA plugin in replicas,
>>> eventually his patches should be committed in 389-ds-base 1.3.4.4 when
>>> it will be released.
>>>
>>> We are aware of a dogtag bug https://fedorahosted.org/pki/ticket/1580
>>> that may cause installation issues in some case (re-install of a
>>> replica).
>>>
>>> The domain must be raised to level 1 in order to use replica promotion.
>>>
>>> In order to promote a replica the server must be first joined as a
>>> regular client to the domain.
>>>
>>> This is the flow I usually use for testing:
>>>
>>> # ipa-client-install
>>> # kinit admin
>>> # ipa-replica-install --promote --setup-ca
>>> >> etc...>
>>>
>>> These patches are also available in this git tree rebased on current
>>> master:
>>> https://fedorapeople.org/cgit/simo/public_git/freeipa.git/log/?h=custodia-review
>>>
>>> Simo.
>>>
>>>
>>>
>>
>> I'm running into an issue when upgrading RPMs:
> 
> What version are you upgrading from ?
> 
> Also do you have logs telling which update is failing ? I can guess it
> is the topology stuff but that would be surprising.
> 
> Simo.
> 

It was a master devel machine with some wear on it; a clean 4.2
install does not blow up on upgrade for me.

Will investigate further.
