[Freeipa-devel] [freeipa PR#897][opened] install: replica: Show message about key synchronization

2017-06-27 Thread dkupka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/897
Author: dkupka
 Title: #897: install: replica: Show message about key synchronization
Action: opened

PR body:
"""
https://pagure.io/freeipa/issue/6940
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/897/head:pr897
git checkout pr897
From 228f6a100e5fa5d2b26815dffc8e62494e48e751 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Tue, 27 Jun 2017 15:09:01 +0200
Subject: [PATCH] install: replica: Show message about key synchronization

https://pagure.io/freeipa/issue/6940
---
 ipaserver/install/custodiainstance.py | 4 
 1 file changed, 4 insertions(+)

diff --git a/ipaserver/install/custodiainstance.py b/ipaserver/install/custodiainstance.py
index 390576bc0c..a5afa14461 100644
--- a/ipaserver/install/custodiainstance.py
+++ b/ipaserver/install/custodiainstance.py
@@ -128,6 +128,10 @@ def __wait_keys(self, host, timeout=300):
 deadline = int(time.time()) + timeout
 root_logger.info("Waiting up to {} seconds to see our keys "
  "appear on host: {}".format(timeout, host))
+# FIXME: Change once there's better way to show this mesage
+# in installer output
+print("Waiting for keys, to appear on host: {}, "
+  "please wait until this has completed.".format(host))
 
 konn = KEMLdap(ldap_uri)
 saved_e = None
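Review bot: the added FIXME comment misspells "message" as "mesage", and the printed string has a stray comma ("Waiting for keys, to appear on host: ..."); please fix both before merging. More substantively, a bare print() next to the existing root_logger.info call means the notice reaches the console but never the install log, and it cannot be suppressed in unattended or quiet runs; since the FIXME already concedes this, consider at least routing it through the installer's logging so the two outputs stay consistent.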
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org


[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

dkupka commented:
"""
@MartinBasti please rebase for ipa-4-5
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/875#issuecomment-309698530


[Freeipa-devel] [freeipa PR#875][closed] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/875
Author: MartinBasti
 Title: #875: Fix ip address checks
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/875/head:pr875
git checkout pr875


[Freeipa-devel] [freeipa PR#875][-pushed] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

Label: -pushed


[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

dkupka commented:
"""
master:

* 82ad586f6cbf6e707add3c866ed4e37ade69b045 Fix local IP address validation
* cb48a49c80f4a11d2d16511e0f1366867320f153 ipa-dns-install: remove check for local ip address
* 0b69e44f16fbba6ab7ddef5a3e55bdabcfd6a8a6 refactor CheckedIPAddress class
* 6024165101677c844dc3bbb337e290df2e66eaf1 CheckedIPAddress: remove match_local param
* f9cba7d161f788c32336b66ff7c641f4a1ed2754 Remove ip_netmask from option parser
* 1b8dc1131c9ca7218efb8fe16dcce97f9f960be9 replica install: add missing check for non-local IP address
* f3537297bee2890c6b839750bb7a0a2cf904cdf9 Remove network and broadcast address warnings
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/875#issuecomment-309698183


[Freeipa-devel] [freeipa PR#875][+pushed] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

Label: +pushed


[Freeipa-devel] [freeipa PR#875][+ack] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

Label: +ack


[Freeipa-devel] [freeipa PR#875][comment] Fix ip address checks

2017-06-20 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/875
Title: #875: Fix ip address checks

dkupka commented:
"""
Changes look good to me. But it uncovers another unwanted behaviour: With 
--setup-dns the installer adds IP and FQDN into /etc/hosts. This results in all 
traffic from the local system towards its FQDN being routed over the external IP.
I believe this is not a good idea but don't have a strong opinion about fixing it 
in this PR or a separate one. It's time to stop touching /etc/hosts.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/875#issuecomment-309665085


[Freeipa-devel] [freeipa PR#873][synchronized] kra: promote: Get ticket before attempting to get KRA keys with custodia

2017-06-15 Thread dkupka via FreeIPA-devel
   URL: https://github.com/freeipa/freeipa/pull/873
Author: dkupka
 Title: #873: kra: promote: Get ticket before attempting to get KRA keys with custodia
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/873/head:pr873
git checkout pr873
From 3a653419ded76b16cd7df150e6fc37c2d1651389 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 14 Jun 2017 15:39:58 +0200
Subject: [PATCH] kra: promote: Get ticket before calling custodia

When installing second (or consequent) KRA instance keys are retrieved
using custodia. Custodia checks that the keys are synchronized in
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.

https://pagure.io/freeipa/issue/7020
---
 ipaserver/install/kra.py | 21 ++---
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/ipaserver/install/kra.py b/ipaserver/install/kra.py
index f345406128..3545b301a9 100644
--- a/ipaserver/install/kra.py
+++ b/ipaserver/install/kra.py
@@ -10,6 +10,7 @@
 import shutil
 
 from ipalib import api
+from ipalib.install.kinit import kinit_keytab
 from ipaplatform import services
 from ipaplatform.paths import paths
 from ipapython import certdb
@@ -84,13 +85,19 @@ def install(api, replica_config, options):
 return
 krafile = os.path.join(replica_config.dir, 'kracert.p12')
 if options.promote:
-custodia = custodiainstance.CustodiaInstance(
-replica_config.host_name,
-replica_config.realm_name)
-custodia.get_kra_keys(
-replica_config.kra_host_name,
-krafile,
-replica_config.dirman_password)
+with ipautil.private_ccache():
+ccache = os.environ['KRB5CCNAME']
+kinit_keytab(
+'host/{env.host}@{env.realm}'.format(env=api.env),
+paths.KRB5_KEYTAB,
+ccache)
+custodia = custodiainstance.CustodiaInstance(
+replica_config.host_name,
+replica_config.realm_name)
+custodia.get_kra_keys(
+replica_config.kra_host_name,
+krafile,
+replica_config.dirman_password)
 else:
 cafile = os.path.join(replica_config.dir, 'cacert.p12')
 if not ipautil.file_exists(cafile):
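Review bot: the kinit_keytab call on the added lines has no error handling, so if the host keytab at paths.KRB5_KEYTAB is missing or the host principal cannot obtain a ticket, the exception propagates out of install() with no indication that it was the pre-custodia kinit that failed rather than the key retrieval itself; consider catching it and raising an install error that names the principal and keytab path. Scoping the ticket to the `with ipautil.private_ccache():` block is the right call, since the ccache is discarded once get_kra_keys returns.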


[Freeipa-devel] [freeipa PR#841][+ack] ipa-kdb: use canonical principal in certauth plugin

2017-06-07 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/841
Title: #841: ipa-kdb: use canonical principal in certauth plugin

Label: +ack


[Freeipa-devel] [freeipa PR#841][comment] ipa-kdb: use canonical principal in certauth plugin

2017-06-07 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/841
Title: #841: ipa-kdb: use canonical principal in certauth plugin

dkupka commented:
"""
Works for me.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/841#issuecomment-306743729


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose You're right but then there's a ~6-hour gap where no reload 
happened. I would expect that there would be one attempt to reload every 5 
minutes. Or do I understand it wrong?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305518700


[Freeipa-devel] [freeipa PR#823][comment] ipa-kdb: reload certificate mapping rules periodically

2017-06-01 Thread dkupka via FreeIPA-devel
  URL: https://github.com/freeipa/freeipa/pull/823
Title: #823: ipa-kdb: reload certificate mapping rules periodically

dkupka commented:
"""
@sumit-bose Yes, I added a rule that should allow the user to kinit with a 
certificate. I tried and it worked. Then I modified the rule so it no longer 
matched the user and immediately pkinit failed. I see the message with each kinit, 
not in the interval:

```
$ sudo grep "Initializing IPA certauth plugin" /var/log/krb5kdc.log
Jun 01 08:44:45 vm-150.example.com krb5kdc[3908](info): Initializing IPA 
certauth plugin.
Jun 01 08:45:07 vm-150.example.com krb5kdc[3910](info): Initializing IPA 
certauth plugin.
Jun 01 08:52:54 vm-150.example.com krb5kdc[3907](info): Initializing IPA 
certauth plugin.
Jun 01 08:52:57 vm-150.example.com krb5kdc[3911](info): Initializing IPA 
certauth plugin.
Jun 01 08:53:22 vm-150.example.com krb5kdc[3908](info): Initializing IPA 
certauth plugin.
Jun 01 08:56:50 vm-150.example.com krb5kdc[3909](info): Initializing IPA 
certauth plugin.
Jun 01 09:02:14 vm-150.example.com krb5kdc[3912](info): Initializing IPA 
certauth plugin.
Jun 01 09:02:33 vm-150.example.com krb5kdc[3907](info): Initializing IPA 
certauth plugin.
Jun 01 14:55:21 vm-150.example.com krb5kdc[3908](info): Initializing IPA 
certauth plugin.
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/823#issuecomment-305485079