Re: [Freeipa-devel] [PATCH] 114 Fix sudo help and summaries
On Thu, 2011-08-25 at 09:28 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > 1) Add sudorule docstring headline
> > 2) Fix naming inconsistency in Sudo plugins help and summaries, especially capitalization of Sudo objects - Sudo Rule, Sudo Command and Sudo Command Group
> > 3) Add missing summaries for sudorule-add-option and sudorule-remove-option
> >
> > https://fedorahosted.org/freeipa/ticket/1595
> > https://fedorahosted.org/freeipa/ticket/1596
>
> This breaks compatibility with old clients:
>
> $ ipa sudorule-add-option test2
> Sudo Option: foo
> ipa: ERROR: non-public: ValueError: sudorule_add_option.validate_output(): unexpected keys ['summary'] in {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',), 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option foo to Sudo Rule test2'}
> Traceback (most recent call last):
>   File /usr/lib/python2.7/site-packages/ipalib/backend.py, line 125, in execute
>     result = self.Command[_name](*args, **options)
>   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 443, in __call__
>     self.validate_output(ret)
>   File /usr/lib/python2.7/site-packages/ipalib/frontend.py, line 895, in validate_output
>     nice, extra, output)
> ValueError: sudorule_add_option.validate_output(): unexpected keys ['summary'] in {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',), 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option foo to Sudo Rule test2'}
> ipa: ERROR: an internal error has occurred

Thanks for catching this. I wonder if we should let output param validation skip unexpected keys in order to be able to do the change in Output + keep backwards compatibility in cases like this one.

I reworked the patch so that the summaries are printed via output_for_cli() - this solves this problem.

Martin

From 15d03bfa966f975df33b4cee478906b300abc756 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com Date: Thu, 25 Aug 2011 12:58:17 +0200 Subject: [PATCH] Fix sudo help and summaries 1) Add sudorule docstring headline 2) Fix naming inconsistency in Sudo plugins help and summaries, especially capitalization of Sudo objects - Sudo Rule, Sudo Command and Sudo Command Group 3) Add missing summaries for sudorule-add-option and sudorule-remove-option. To keep backward compatibility with older clients, just print the missing summary with output_for_cli(), don't expand Output. https://fedorahosted.org/freeipa/ticket/1595 https://fedorahosted.org/freeipa/ticket/1596 --- ipalib/plugins/sudocmd.py | 14 ipalib/plugins/sudocmdgroup.py| 40 +++--- ipalib/plugins/sudorule.py| 46 +++-- tests/test_xmlrpc/test_sudocmd_plugin.py |8 ++-- tests/test_xmlrpc/test_sudocmdgroup_plugin.py | 22 ++-- 5 files changed, 70 insertions(+), 60 deletions(-) diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py index da78f0ec52f8c3ebb684a4f746c48b5cb055d355..268e3c1bbe7573b4a219321a87b529cf5a5a 100644 --- a/ipalib/plugins/sudocmd.py +++ b/ipalib/plugins/sudocmd.py @@ -97,19 +97,19 @@ api.register(sudocmd) class sudocmd_add(LDAPCreate): -Create new sudo command. +Create new Sudo Command. -msg_summary = _('Added sudo command %(value)s') +msg_summary = _('Added Sudo Command %(value)s') api.register(sudocmd_add) class sudocmd_del(LDAPDelete): -Delete sudo command. +Delete Sudo Command. -msg_summary = _('Deleted sudo command %(value)s') +msg_summary = _('Deleted Sudo Command %(value)s') api.register(sudocmd_del) @@ -118,7 +118,7 @@ class sudocmd_mod(LDAPUpdate): Modify command. -msg_summary = _('Modified sudo command %(value)s') +msg_summary = _('Modified Sudo Command %(value)s') api.register(sudocmd_mod) 
@@ -128,14 +128,14 @@ class sudocmd_find(LDAPSearch): msg_summary = ngettext( -'%(count)d sudo command matched', '%(count)d sudo command matched', 0 +'%(count)d Sudo Command matched', '%(count)d Sudo Commands matched', 0 ) api.register(sudocmd_find) class sudocmd_show(LDAPRetrieve): -Display sudo command. +Display Sudo Command. api.register(sudocmd_show) diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py index e613f465704bce579ecfba5edb591e0b138bbc7e..41d30fb2cd5edf037fd177a8d78e24a582650f5c 100644 --- a/ipalib/plugins/sudocmdgroup.py +++ b/ipalib/plugins/sudocmdgroup.py @@ -17,25 +17,25 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see http://www.gnu.org/licenses/. -Groups of Sudo commands +Groups of Sudo Commands -Manage groups of Sudo commands. +Manage groups of Sudo Commands. EXAMPLES: - Add a new Sudo command group: + Add a new Sudo Command Group: ipa sudocmdgroup-add --desc='administrators commands' admincmds - Remove a
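Review bot: in the sudocmd_mod hunk (@@ -118,7 +118,7 @@) the class docstring is left as `Modify command.` while its msg_summary is changed to `Modified Sudo Command %(value)s`; since this patch exists to make the Sudo object naming consistent across help and summaries, change that docstring to `Modify Sudo Command.` in the same pass so sudocmd_mod does not stay the one odd entry next to sudocmd_add, sudocmd_del and sudocmd_show.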
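The traceback Rob posted shows why the first version of the patch failed: the client checks the server's reply against the Output spec it was built with and rejects keys it does not know, so a server that starts sending `summary` breaks every older client. The following is an added example (not code from the patch or from ipalib) that models that check in simplified form, shows the lenient variant Martin wonders about, and shows the reworked approach of keeping the wire format unchanged and producing the summary only at CLI rendering time. `CommandSpec`, `validate_output(strict=...)`, `old_client_accepts` and `cli_summary` are this example's own names; the reply dicts are samples built from the traceback above.

```python
"""Why one extra top-level key in a command reply breaks older clients.

Added example, not code from the FreeIPA patch in the thread above. It models,
in simplified form, the client-side check seen in the traceback: the client
validates the server's reply against the Output spec it was built with and
rejects keys it does not know. CommandSpec, validate_output(strict=...) and
cli_summary are this example's own names, not ipalib's API.
"""


class CommandSpec:
    """The declared output of one command, as an older client knows it."""

    def __init__(self, name, output_keys):
        self.name = name
        self.output_keys = frozenset(output_keys)

    def validate_output(self, reply, strict=True):
        """Check a reply against the declared keys and return the accepted part.

        strict=True mirrors the behaviour in the traceback: any undeclared
        key is an error. strict=False is the relaxation Martin wonders about:
        unknown keys are dropped instead, so the client keeps working when the
        server learns to send more. Missing keys are always an error.
        """
        reply_keys = set(reply)
        missing = sorted(self.output_keys - reply_keys)
        if missing:
            raise ValueError("%s.validate_output(): missing keys %r in %r"
                             % (self.name, missing, reply))
        extra = sorted(reply_keys - self.output_keys)
        if extra and strict:
            raise ValueError("%s.validate_output(): unexpected keys %r in %r"
                             % (self.name, extra, reply))
        return {k: v for k, v in reply.items() if k in self.output_keys}


# What an older client declares for sudorule-add-option: 'result' only
# (constructed to match the traceback, which reports 'summary' as unexpected).
OLD_CLIENT = CommandSpec("sudorule_add_option", ["result"])

# The reply the first version of the patch produced (sample built from the
# traceback in the thread): 'summary' was added to the wire format.
REPLY_WITH_SUMMARY = {
    "result": {"ipasudoopt": ("foo",), "cn": ("test2",),
               "ipaenabledflag": ("TRUE",)},
    "summary": "Added option foo to Sudo Rule test2",
}

# The reply after the rework: the wire format is unchanged.
REPLY_UNCHANGED = {"result": REPLY_WITH_SUMMARY["result"]}


def old_client_accepts(reply, strict=True):
    """True if an older client's output validation lets the reply through."""
    try:
        OLD_CLIENT.validate_output(reply, strict=strict)
    except ValueError:
        return False
    return True


def cli_summary(reply):
    """The reworked approach: build the summary from 'result' when rendering
    for the CLI (the role output_for_cli() plays in the patch) instead of
    adding a key to the reply. The reply dict is left untouched."""
    result = reply["result"]
    return "Added option %s to Sudo Rule %s" % (result["ipasudoopt"][0],
                                                result["cn"][0])


if __name__ == "__main__":
    print("old client, new wire format:", old_client_accepts(REPLY_WITH_SUMMARY))
    print("old client, lenient check:  ", old_client_accepts(REPLY_WITH_SUMMARY, strict=False))
    print("old client, reworked patch: ", old_client_accepts(REPLY_UNCHANGED))
    print(cli_summary(REPLY_UNCHANGED))
```

The trade-off the two approaches make is visible in `validate_output`: the strict check catches a server that sends something the client never agreed to, the lenient check trades that guarantee for forward compatibility. Rendering the summary client-side keeps the strict check and still gives the user the message.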
[Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
Hi,

with this patch an initial samba configuration for the AD trust feature can be created by calling ipa-adtrust-install. Please be aware that you will need a samba/master build to start smbd with the created configuration, because only here all the needed features are available. Günther is working on a spec file so that we can include a samba package in the IPA development repository (https://fedorahosted.org/freeipa/ticket/1610).

I haven't used python for quite some time and since this is my first contribution I'm happy to fix any violations of coding style and other guidelines.

bye,
Sumit

From 6012f921ed4d0bb9359d70018881a8ebbdfde0f9 Mon Sep 17 00:00:00 2001 From: sbose sb...@ipa-devel.ipa.devel Date: Wed, 24 Aug 2011 11:18:56 +0200 Subject: [PATCH] Add ipa-adtrust-install utility https://fedorahosted.org/freeipa/ticket/1619 --- freeipa.spec.in |2 + install/po/Makefile.in |1 + install/tools/Makefile.am |1 + install/tools/ipa-adtrust-install | 198 +++ install/tools/man/Makefile.am |1 + install/tools/man/ipa-adtrust-install.1 | 44 + ipaserver/install/Makefile.am |1 + ipaserver/install/service.py|3 +- ipaserver/install/smbinstance.py| 261 +++ 9 files changed, 511 insertions(+), 1 deletions(-) create mode 100755 install/tools/ipa-adtrust-install create mode 100644 install/tools/man/ipa-adtrust-install.1 create mode 100644 ipaserver/install/smbinstance.py diff --git a/freeipa.spec.in b/freeipa.spec.in index 1bf52b952177598bd24afc0560802f1883fa5a60..a67e9329f8230c05b0e9feeb321fb07e4f41a350 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -370,6 +370,7 @@ fi %doc COPYING README Contributors.txt %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install 
@@ -448,6 +449,7 @@ fi %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz diff --git a/install/po/Makefile.in b/install/po/Makefile.in index a5468752723636b005c1d0876f10326e5c970814..d20a5d9628cb119f7704fcdb2917f1c897194147 100644 --- a/install/po/Makefile.in +++ b/install/po/Makefile.in @@ -54,6 +54,7 @@ PY_EXPLICIT_FILES = \ install/tools/ipa-server-install \ install/tools/ipa-ldap-updater \ install/tools/ipa-dns-install \ + install/tools/ipa-adtrust-install \ install/tools/ipa-ca-install \ ipa-client/ipa-install/ipa-client-install diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am index fc615ec04f324c2d9c98dc8cf674938e1064bec6..96da7531764598878f94b6abd54c27a74671c028 100644 --- a/install/tools/Makefile.am +++ b/install/tools/Makefile.am @@ -8,6 +8,7 @@ sbin_SCRIPTS = \ ipa-ca-install \ ipa-dns-install \ ipa-server-install \ + ipa-adtrust-install \ ipa-replica-conncheck \ ipa-replica-install \ ipa-replica-prepare \ diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install new file mode 100755 index ..3514690027cdbd25c0d5b8cbc56096051a5be809 --- /dev/null +++ b/install/tools/ipa-adtrust-install 
@@ -0,0 +1,198 @@ +#! /usr/bin/python +# +# Authors: Sumit Bose sb...@redhat.com +# Based on ipa-server-install by Karl MacMillan kmacmil...@mentalrootkit.com +# and ipa-dns-install by Martin Nagy +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# + +import traceback + +from ipaserver.plugins.ldap2 import ldap2 +from ipaserver.install import smbinstance +from ipaserver.install.installutils import * +from ipaserver.install import installutils +from ipapython import version +from ipapython import ipautil, sysrestore +from ipalib import api, errors, util +from ipapython.config import IPAOptionParser +import krbV +import ldap + +def parse_options(): +parser = IPAOptionParser(version=version.VERSION) +
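Review bot: the new ipa-adtrust-install does `from ipaserver.install.installutils import *` immediately before `from ipaserver.install import installutils`; the wildcard import pulls every public name of that module (and of whatever it imports) into the script namespace, which hides where helpers come from and can shadow names from the other imports. Drop the wildcard line and call the helpers as `installutils.<name>`, which the second import already makes possible.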
Re: [Freeipa-devel] [PATCHES] freeipa-v3
On Wed, 2011-08-24 at 17:21 +0300, Alexander Bokovoy wrote:
> On 22.08.2011 18:17, Alexander Bokovoy wrote:
> > On 22.08.2011 16:30, Simo Sorce wrote:
> > > As we finally branched ipa-2-1 from master we are now open to put 3.0 related material on the tree.
> > > Here is my rebased set of patches that apply on top of master:
> > > http://fedorapeople.org/gitweb?p=simo/public_git/freeipa.git;a=summary
> > > They are in the freeipa-v3 branch.
> > > Please review and work with me to rebase/refactor any patch that would get a nack. We will fix them until your liking and will finally emit just one, huge, ACK, or NACK :)
> >
> > I went through the first 14 commits. ACK for the first 13.
> >
> > In 6385c80c6c71ae8c4d1f11230c8408bd4bf3f9e3 ipadb_realm_to_ldapi_uri() uses two string constants ldapi:// and %2fslapd- four times each. It would be nice to #define them and use macros instead, purely for maintenance purposes.
> > In the same function there is a comment with a typo (patch instead of path).
> > These are minor and you probably can ignore them.
> > I'll continue with the remaining ones tomorrow.
>
> Finally went through all patches. Simo did make squash-in commits to address found issues (which were discussed on #freeipa over the past few days).
> I don't have comments anymore. ACK.

We did a smoke test and fixed 2 remaining issues.
One introduced during the review phase, one introduced by me with the latest schema patches.

All has been fixed and I pushed the patches (after squashing in the squash-ins) to master.

Master is now officially on the 3.0 track.

Please note that until F15/F16 MIT Kerberos packages are updated you will need the packages in the ipa-devel repo to successfully install ipa due to an issue with the kadmin init scripts.

Happy hacking!

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
More comments. On Fri, 2011-08-26 at 11:39 +0200, Sumit Bose wrote: [..] +if not options.unattended: +print +print The following operations may take some minutes to complete. +print Please wait until the prompt is returned. +print + +# Create a BIND instance comment seem to be wrong here :) +if options.unattended and not options.dm_password: +sys.exit(\nIn unattended mode you need to provide at least the -p option) + +dm_password = options.dm_password or read_password(Directory Manager, + confirm=False, validate=False) +smb = smbinstance.SMBInstance(fstore, dm_password) [..] diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index a7f6ff4eea1b67f714e18f882a082d4ad7d83026..7e0d2bd314f00ccf0b0ee37a9d572bdd5ee89414 100644 --- a/ipaserver/install/service.py +++ b/ipaserver/install/service.py @@ -37,7 +37,8 @@ SERVICE_LIST = { 'KPASSWD':('kadmin', 20), 'DNS':('named', 30), 'HTTP':('httpd', 40), -'CA':('pki-cad', 50) +'CA':('pki-cad', 50), +'SMB':('smb', 60) Please do not use SMB (in general I do not think SMB is the right prefix). Use something like ADTRUST or MSRPC or WINCOMPAT. } def stop(service_name, instance_name=, capture_output=True): diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py new file mode 100644 index ..5988f1e056d29af6686d53237b82d460cdc719da --- /dev/null +++ b/ipaserver/install/smbinstance.py 
@@ -0,0 +1,261 @@ +# Authors: Sumit Bose sb...@redhat.com +# +# Copyright (C) 2011 Red Hat +# see file 'COPYING' for use and warranty information +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see http://www.gnu.org/licenses/. +# + +import logging + +import os +import ldap +import service +import tempfile +from ipaserver import ipaldap +from ipalib import errors +from ipapython import sysrestore +from ipapython import ipautil + +import random +import string +import struct + +def check_inst(unattended): +has_smb = True + +if not os.path.exists('/usr/sbin/smbd'): +print Samba was not found on this system +print Please install the 'samba' package and start the installation again +has_smb = False + +#TODO: Add check for needed samba4 libraries + +return has_smb + +def ipa_smb_conf_exists(): +if os.path.exists('/etc/ipa/smb.conf'): +print Samba is already configured for this IPA server. + return True + +return False + +def random_password(length=16): +myrg = random.SystemRandom() +alphabet = string.letters[0:52] + string.digits + string.punctuation +pw = str().join(myrg.choice(alphabet) for _ in range(length)) +return pw We have a utility function to generate a proper random password IIRC. 
+class SMBInstance(service.Service): +def __init__(self, fstore=None, dm_password=None): +service.Service.__init__(self, smb, dm_password=dm_password) + +if fstore: +self.fstore = fstore +else: +self.fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore') + +def __create_samba_user(self): +print The user for Samba is %s % self.smb_dn +try: +self.admin_conn.getEntry(self.smb_dn, ldap.SCOPE_BASE) +print Samba user entry exists, not resetting password +return +except errors.NotFound: +pass + +# The user doesn't exist, add it +entry = ipaldap.Entry(self.smb_dn) +entry.setValues(objectclass, [account, simplesecurityobject]) +entry.setValues(uid, samba) +entry.setValues(userPassword, self.smb_dn_pwd) +self.admin_conn.add_s(entry) + +# And finally grant it permission to read NT passwords, we do not want +# to support LM passwords so there is no need to allow access to them +mod = [(ldap.MOD_ADD, 'aci', +str(['(targetattr = sambaNTPassword)(version 3.0; acl Samba user can read NT passwords; allow (read) userdn=ldap:///% s;)' % self.smb_dn]))] +try: +self.admin_conn.modify_s(self.suffix, mod) +except ldap.TYPE_OR_VALUE_EXISTS: +logging.debug(samba user aci already exists
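Review bot: in the smbinstance.py hunk, `check_inst(unattended)` never reads its `unattended` argument, so either the function is meant to behave differently in unattended mode (for example not printing and just returning False) and that branch is missing, or the parameter should be removed from the signature and the caller. Two smaller points in the same hunk: the ACI format string `userdn=ldap:///% s` only works because `% s` happens to be a valid conversion with a space flag, so write it `%s` to avoid it being read as a typo; and the ACI grants the new Samba bind DN read access to `sambaNTPassword` across the whole suffix, which is the intent stated in the comment, so a sentence in the commit message saying that this is the only attribute exposed and why LM hashes are deliberately excluded would help future reviewers of the ACI set.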
Re: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller
On 08/24/2011 10:58 AM, Rob Crittenden wrote:
> We were missing a few 389-ds files and directories. This removes everything but the logs.
>
> rob

ACK.

I am not convinced this is a 100% solution for the original problem. The files like the keytab are only deleted if a DS instance is found, but if they were lying around from a previous installation that did not remove them, they will still be there after running uninstall. Probably a corner case, and should probably be OK in the longer term, unless having these files around prevents an install from getting to the point that the DS gets installed...we'd be in a situation where we can't move forward and can't move back. We'll keep an eye out for that, but I think it is unlikely.
Re: [Freeipa-devel] [PATCH] 256 Fixed host keytab status after setting OTP.
On 08/26/2011 12:14 AM, Endi Sukma Dewata wrote:
> The host details page has been modified to update the keytab status based on the data returned by the host-mod command for setting OTP.
>
> Ticket #1710

ACK

-- 
Petr Vobornik
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> On 08/25/2011 05:24 PM, Adam Young wrote:
> > Uses the updated version of pkicreate which makes an ipa specific proxy config file.
>
> The test for the proxy file in /etc/httpd/conf.d was isfile but since the file is actually a symlink, it needs to be islink. This one checks for either.

Nack, install fails after configuring the http service.

Restart bails out using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output) I get a permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf

That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user).

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling
Adam Young wrote:
> On 08/24/2011 11:38 AM, Rob Crittenden wrote:
> > The upgrade process saves some information in the IPA sysrestore state. If any of this state remains after an uninstall then you will get an error during re-install.
> >
> > Theoretically all this state should be removed as part of the upgrade process but on the outside chance, let's remove the state at uninstall to prevent problems.
> >
> > I've had just one report of this, it may have been due to a blown upgrade, I'm not sure. I've been unable to reproduce it but at worst this is a noop and at best allows easy re-installation.
> >
> > This requires patch 852.
> >
> > rob
>
> ACK

pushed to master
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> > On 08/25/2011 05:24 PM, Adam Young wrote:
> > > Uses the updated version of pkicreate which makes an ipa specific proxy config file.
> >
> > The test for the proxy file in /etc/httpd/conf.d was isfile but since the file is actually a symlink, it needs to be islink. This one checks for either.
>
> Nack, install fails after configuring the http service.
>
> Restart bails out using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output) I get a permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf
>
> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user).

Ok it turns out permissions are not the real issue as the file is read while apache is still root, it's a selinux issue.
Apache starts if I setenforce 0

Still a NAck of course, it needs to work with selinux in enforcing mode

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
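The two findings in this thread, a conf.d entry that is a symlink into /etc/pki-ca and a target file whose ownership and mode looked like the cause before SELinux turned out to be the real blocker, are the kind of thing an installer can check before it restarts the service. The following is an added example (not code from the patch or from the FreeIPA installers) that rebuilds the situation in a temporary directory: it shows that `os.path.isfile()` follows symlinks and is therefore True for a symlink to a regular file (only `islink()` tells the two apart), and it evaluates whether the resolved target is readable by an account that is neither owner nor group member, judged from mode bits alone. SELinux labelling is a separate layer and is not modelled. `readable_by` and `probe` are this example's own names; the file content and the stand-in uid/gid are constructed.

```python
"""Pre-flight check for a service config file that may be a symlink.

Added example, not code from the patch under review. It shows two things the
thread touches: os.path.isfile() follows symlinks, so it is True for a symlink
that points at a regular file (only islink() tells the two apart), and a
check that the file the link resolves to is readable by the service account
under plain Unix ownership and mode bits. SELinux labelling, which the thread
identifies as the real blocker, is a separate layer and is not modelled here.
readable_by() and probe() are this example's own names; the scenario is
constructed in a temporary directory.
"""
import os
import stat
import tempfile


def readable_by(path, uid, gids):
    """True if the file reached through path (symlinks resolved, as open()
    would resolve them) grants read to a process with this uid and these
    gids, judged from ownership and mode bits only (no ACLs, no SELinux)."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def probe():
    """Rebuild the situation from the thread: conf.d/proxy-ipa.conf is a
    symlink to a mode 0660 file owned by another account. Returns findings."""
    with tempfile.TemporaryDirectory() as workdir:
        target = os.path.join(workdir, "pki-ca-proxy-ipa.conf")
        link = os.path.join(workdir, "proxy-ipa.conf")
        with open(target, "w") as fh:
            fh.write("ProxyRequests Off\n")   # constructed content
        os.chmod(target, 0o660)
        os.symlink(target, link)

        owner = os.stat(target)
        owner_gids = {owner.st_gid}
        # An account that is neither the owner nor in the owner's group,
        # standing in for 'apache' when the file belongs to pkiuser.
        other_uid = owner.st_uid + 1
        other_gids = {owner.st_gid + 1}

        return {
            "link_isfile": os.path.isfile(link),   # True: the target is regular
            "link_islink": os.path.islink(link),   # True: the path is a symlink
            "owner_can_read": readable_by(link, owner.st_uid, owner_gids),
            "other_can_read": readable_by(link, other_uid, other_gids),
        }


if __name__ == "__main__":
    for key, value in sorted(probe().items()):
        print("%-15s %s" % (key, value))
```

Because `readable_by` reasons from `stat` data instead of calling `os.access()`, it gives the same answer whether the installer runs as root or not, which is the point of a pre-flight check: root can open anything, the service account after privilege drop cannot. A check that passes here and still fails at runtime, as in Simo's second message, points at a layer this code does not cover, such as SELinux.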
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On 26.08.2011 18:59, Sumit Bose wrote:
> > +def parse_options():
> > +parser = IPAOptionParser(version=version.VERSION)
> > +parser.add_option(-p, --ds-password, dest=dm_password,
> > + sensitive=True, help=admin password)
> >
> > If this is the only password you need, then make it --password. And it is Directory Manager's account password, right? Would be nice to change help to be more explicit.
>
> ipa-server-install and ipa-dns-install use the same option for the same purpose, so I thought it might be a good idea to use the same. But you are right admin password is misleading here. Maybe the help should be fixed in ipa-server-install and ipa-dns-install, too?

Please file a ticket for that.

> > diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py
> > new file mode 100644
> >
> > The code in smbinstance.py assumes Samba has been compiled with /etc/ipa/smb.conf as default configuration file location. Is that correct?
>
> no, __write_sysconfig_samba() adds -s /etc/ipa/smb.conf to SMBDOPTIONS in /etc/sysconfig/samba.

But then net utility will not be able to use it. Same for nmbd and winbindd. If for the last two you could use /etc/sysconfig/samba to direct them to a proper configuration, you can't do so for /usr/bin/net.

-- 
/ Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Fri, Aug 26, 2011 at 09:35:16PM +0300, Alexander Bokovoy wrote:
> > > diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py
> > > new file mode 100644
> > >
> > > The code in smbinstance.py assumes Samba has been compiled with /etc/ipa/smb.conf as default configuration file location. Is that correct?
> >
> > no, __write_sysconfig_samba() adds -s /etc/ipa/smb.conf to SMBDOPTIONS in /etc/sysconfig/samba.
>
> But then net utility will not be able to use it. Same for nmbd and winbindd. If for the last two you could use /etc/sysconfig/samba to direct them to a proper configuration, you can't do so for /usr/bin/net.

Currently we plan not to use nmbd or winbind. But you are right about net or other utilities. Maybe we should just use the default samba config file, otherwise we would have to add some paragraphs to the documentation explaining how to use the samba utilities. Simo, what do you think?

bye,
Sumit

> -- 
> / Alexander Bokovoy
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Fri, 2011-08-26 at 20:52 +0200, Sumit Bose wrote:
> On Fri, Aug 26, 2011 at 09:35:16PM +0300, Alexander Bokovoy wrote:
> > > > diff --git a/ipaserver/install/smbinstance.py b/ipaserver/install/smbinstance.py
> > > > new file mode 100644
> > > >
> > > > The code in smbinstance.py assumes Samba has been compiled with /etc/ipa/smb.conf as default configuration file location. Is that correct?
> > >
> > > no, __write_sysconfig_samba() adds -s /etc/ipa/smb.conf to SMBDOPTIONS in /etc/sysconfig/samba.
> >
> > But then net utility will not be able to use it. Same for nmbd and winbindd. If for the last two you could use /etc/sysconfig/samba to direct them to a proper configuration, you can't do so for /usr/bin/net.
>
> Currently we plan not to use nmbd or winbind. But you are right about net or other utilities. Maybe we should just use the default samba config file, otherwise we would have to add some paragraphs to the documentation explaining how to use the samba utilities. Simo, what do you think?

I guess we should use the standard /etc/samba/smb.conf

After all we are only setting one line in there and then using the standard registry tdbs to hold configuration, so it's not like we are not going to stomp all over the default samba tdbs anyway.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 009 Modifying sudo options refreshes the whole page
On 8/26/2011 11:41 AM, Petr Vobornik wrote:
> https://fedorahosted.org/freeipa/ticket/1689
>
> Currently adding or deleting sudo options will refresh the entire page. It's not a problem but the code could be optimized to refresh only the sudo options table

We have several scenarios for sudo options:

1. Add succeeded: The command returns the new record, so we can use it to load the table. No problem here.

2. Add failed: We may be able to assume the data on the server didn't change, so we don't have to update the table. (Yes, the old code does a refresh, but I don't think it's necessary.)

3. Delete batch failed: I think we can assume nothing was executed, same as #2.

4. Delete batch succeeded: It could contain a mix of successes and failures. Like you said, we should use the last successful result. But instead of checking only the last result and doing a load() or update(), we could iterate through the results and find the last successful one (the one with a non-empty result). If we find one, then we can use it to load the table. If there isn't any, it means all failed, so we don't do anything, same as #2.

What do you think?

-- 
Endi S. Dewata
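Endi's four scenarios reduce to one rule: reload the table from the last successful result in the batch, and leave it alone when nothing succeeded. The following is an added example, not code from the FreeIPA web UI, that implements that rule over a batch reply. The reply shape it assumes (a `results` list whose items carry `result` on success and `error` on failure) and the sample replies are constructed for this example; `last_successful_result` and `refresh_options` are its own names. It goes slightly beyond the thread by treating the "all failed" batch and the "add failed" case identically, which is what scenarios 2 and 3 describe.

```python
"""Deciding how to refresh the sudo options table after a batch command.

Added example, not code from the FreeIPA web UI. It implements the rule Endi
proposes: walk the batch results, keep the last one that carries a non-empty
'result', reload the table from that record, and do nothing when every call
failed (the same as the 'add failed' case). The batch reply shape used here
(a 'results' list whose items carry 'result' on success and 'error' on
failure) and the sample replies are constructed for this example.
"""


def last_successful_result(batch_reply):
    """Return the 'result' of the last successful call in the batch, or None."""
    chosen = None
    for item in batch_reply.get("results", []):
        if item.get("error"):
            continue
        result = item.get("result")
        if result:
            chosen = result
    return chosen


def refresh_options(current_options, batch_reply):
    """Return the option list the table should show after the batch.

    If some call succeeded, the server's latest record is authoritative; if
    none did, the data on the server is assumed unchanged and the current
    table content is kept as is."""
    record = last_successful_result(batch_reply)
    if record is None:
        return list(current_options)
    return list(record.get("ipasudoopt", ()))


# Constructed sample: three sudorule-remove-option calls in one batch, the
# second one failing. Each successful call returns the rule as it is after
# that call, so the last success holds the newest option list.
SAMPLE_BATCH = {
    "count": 3,
    "results": [
        {"result": {"cn": ("test2",), "ipasudoopt": ("bar", "baz")}, "error": None},
        {"result": None, "error": "option does not exist"},
        {"result": {"cn": ("test2",), "ipasudoopt": ("baz",)}, "error": None},
    ],
}

# Constructed sample: every call in the batch failed.
ALL_FAILED_BATCH = {
    "count": 2,
    "results": [
        {"result": None, "error": "option does not exist"},
        {"result": None, "error": "option does not exist"},
    ],
}


if __name__ == "__main__":
    before = ["foo", "bar", "baz"]
    print("after mixed batch:", refresh_options(before, SAMPLE_BATCH))
    print("after all failed: ", refresh_options(before, ALL_FAILED_BATCH))
```

Taking the last success rather than the last entry matters in the mixed case: if the final call in the batch is the one that failed, its empty result would otherwise wipe the table even though earlier removals did go through.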
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/26/2011 02:34 PM, Simo Sorce wrote:
> On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
> > On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> > > On 08/25/2011 05:24 PM, Adam Young wrote:
> > > > Uses the updated version of pkicreate which makes an ipa specific proxy config file.
> > >
> > > The test for the proxy file in /etc/httpd/conf.d was isfile but since the file is actually a symlink, it needs to be islink. This one checks for either.
> >
> > Nack, install fails after configuring the http service.
> >
> > Restart bails out using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output) I get a permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf
> >
> > That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user).
>
> Ok it turns out permissions are not the real issue as the file is read while apache is still root, it's a selinux issue.
> Apache starts if I setenforce 0
>
> Still a NAck of course, it needs to work with selinux in enforcing mode
>
> Simo.

This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive-nack. But I will be gone for a week, so if someone wants to pick this up and run with it, start from here.

From 00b43e83864f9a27b20b1d2e90010c7cee007d19 Mon Sep 17 00:00:00 2001
From: Adam Young ayo...@redhat.com Date: Wed, 17 Aug 2011 15:36:18 -0400 Subject: [PATCH] enable proxy for dogtag Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL connection. This patch enables renegotiate in the nss configuration file during apache configuration, as well as modifies libnss to set the appropriate options on the ssl connection in order to renegotiate. The IPA install uses the internal ports instead of proxying through httpd since httpd is not set up yet. IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed to /ca/ee/ca just for this purpose. https://fedorahosted.org/freeipa/ticket/1334 add flag to pkicreate in order to enable using proxy. add the proxy file in /etc/http/conf.d/ --- freeipa.spec.in |3 +++ install/conf/Makefile.am |1 + install/conf/proxy-ipa.conf | 25 + ipalib/constants.py | 10 +++--- ipapython/dogtag.py |2 +- ipapython/nsslib.py | 15 ++- ipaserver/install/cainstance.py |6 -- ipaserver/install/certs.py|4 ++-- ipaserver/install/httpinstance.py |5 + ipaserver/plugins/dogtag.py |2 +- 10 files changed, 63 insertions(+), 10 deletions(-) create mode 100644 install/conf/proxy-ipa.conf diff --git a/freeipa.spec.in b/freeipa.spec.in index d25aee693591243da2adf01319869c60919d2dd0..c8a125a834a159401c295a0080f371a968435c21 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -304,6 +304,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/proxy-ipa.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf mkdir -p %{buildroot}%{_initrddir} install -m755 ipa.init %{buildroot}%{_initrddir}/ipa 
@@ -449,8 +450,10 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/proxy-ipa.conf %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf +%{_usr}/share/ipa/proxy-ipa.conf %dir %{_usr}/share/ipa/updates/ %{_usr}/share/ipa/updates/* %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am index e00ad618f47b704d3fb6451545fe3fbfaa1b31a9..2055f4e93bf7b884f318315eced8da1208d13a65 100644 --- a/install/conf/Makefile.am +++ b/install/conf/Makefile.am @@ -3,6 +3,7 @@ NULL = appdir = $(IPA_DATA_DIR) app_DATA = \ ipa.conf \ + proxy-ipa.conf \ ipa-rewrite.conf \ $(NULL) diff --git a/install/conf/proxy-ipa.conf b/install/conf/proxy-ipa.conf new file mode 100644 index ..af949209f897c274fce6137e8a4ac6a19da263db --- /dev/null +++ b/install/conf/proxy-ipa.conf @@ -0,0 +1,25 @@ +ProxyRequests Off + +# matches for ee port +LocationMatch
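Review bot: the spec hunk @@ -449,8 +450,10 @@ ghosts /etc/httpd/conf.d/proxy-ipa.conf as `%attr(0644,root,apache) %config(noreplace)`, the same way ipa.conf and ipa-rewrite.conf are handled, which does take care of the readability problem reported earlier in the thread (the symlink into a 660 pkiuser:pkiuser file). It does nothing for the SELinux denial that Simo identified as the actual blocker, and Adam's own cover note says the patch still fails in enforcing mode; the file context for the new conf.d path, and for /etc/pki-ca/proxy-ipa.conf if pkicreate still writes it there, needs to be resolved (policy change or a documented label) before this can be merged, and the commit message should say which of the two files httpd is expected to read.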
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
> On 08/26/2011 02:34 PM, Simo Sorce wrote:
> > On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
> > > On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> > > > On 08/25/2011 05:24 PM, Adam Young wrote:
> > > > > Uses the updated version of pkicreate which makes an ipa specific proxy config file.
> > > >
> > > > The test for the proxy file in /etc/httpd/conf.d was isfile but since the file is actually a symlink, it needs to be islink. This one checks for either.
> > >
> > > Nack, install fails after configuring the http service.
> > >
> > > Restart bails out using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output) I get a permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf
> > >
> > > That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user).
> >
> > Ok it turns out permissions are not the real issue as the file is read while apache is still root, it's a selinux issue.
> > Apache starts if I setenforce 0
> >
> > Still a NAck of course, it needs to work with selinux in enforcing mode
> >
> > Simo.
>
> This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive-nack. But I will be gone for a week, so if someone wants to pick this up and run with it, start from here.

The previous patch with the corrected isfile vs islink issue works fine as long as the SELinux policy is fixed to allow access to /etc/pki-ca/proxy-ipa.conf

I have tested a master and then replica install with no issues after I loaded a custom SELinux policy that allows that.

So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and will push to master once that is solved.

Simo.
-- Simo Sorce * Red Hat, Inc * New York
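As an added illustration of the two points in the exchange above (it is not FreeIPA code and not what either version of the patch does): os.path.isfile() follows symlinks, so it is only False for a dangling link, and a plain owner/group/other permission check can pass while SELinux still denies the read, which is exactly the split Simo describes. The directory layout, the 0660 target and the uid/gid stand-ins for pkiuser and apache are constructed in a temporary directory; nothing here touches /etc/httpd or /etc/pki-ca.

```python
import os
import stat
import tempfile


def classify(path):
    """Return (isfile, islink, lexists) for a path.

    isfile() follows symlinks: True for a symlink to a regular file, False for
    a dangling one. islink() is True for both. lexists() is True for anything
    that has a directory entry, dangling links included.
    """
    return (os.path.isfile(path), os.path.islink(path), os.path.lexists(path))


def conf_present(path):
    """Accept a regular file, or a symlink whose target is a regular file."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode):
        try:
            return stat.S_ISREG(os.stat(path).st_mode)
        except OSError:  # dangling link
            return False
    return stat.S_ISREG(st.st_mode)


def dac_readable_by(path, uid, gids):
    """Classic Unix read check on the symlink *target*, for a given uid/gids.

    This models only the DAC layer. SELinux is evaluated separately and can
    still deny a read that passes here, which is what the thread ran into.
    """
    st = os.stat(path)
    mode = st.st_mode
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def demo():
    """Build the layout from the thread in a temp dir and run the checks.

    conf.d/proxy-ipa.conf is a symlink to a 0660 file elsewhere (stand-in for
    /etc/pki-ca/proxy-ipa.conf); a second link is left dangling.
    """
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "pki-ca", "proxy-ipa.conf")
        link = os.path.join(root, "conf.d", "proxy-ipa.conf")
        dangling = os.path.join(root, "conf.d", "missing.conf")
        os.makedirs(os.path.dirname(target))
        os.makedirs(os.path.dirname(link))
        with open(target, "w") as f:
            f.write("ProxyRequests Off\n")
        os.chmod(target, 0o660)
        os.symlink(target, link)
        os.symlink(os.path.join(root, "pki-ca", "nope.conf"), dangling)
        owner = os.stat(target)
        # The file's owner stands in for pkiuser; an unrelated uid/gid stands
        # in for the apache user, which is not in the pkiuser group.
        return {
            "link": classify(link),
            "dangling": classify(dangling),
            "present_link": conf_present(link),
            "present_dangling": conf_present(dangling),
            "owner_reads": dac_readable_by(link, owner.st_uid, [owner.st_gid]),
            "other_reads": dac_readable_by(link, owner.st_uid + 1, [owner.st_gid + 1]),
        }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The symlink classifies as (True, True, True), so an isfile() test alone would not have rejected it; what it cannot tell you is whether the process that later opens it is allowed to, and dac_readable_by() shows the 0660 target is readable by its owner but not by an unrelated uid, before SELinux is even consulted.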
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/26/2011 06:30 PM, Simo Sorce wrote:
> On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
> > On 08/26/2011 02:34 PM, Simo Sorce wrote:
> > > On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
> > > > On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> > > > > On 08/25/2011 05:24 PM, Adam Young wrote:
> > > > > > Uses the updated version of pkicreate which makes an ipa specific proxy config file.
> > > > >
> > > > > The test for the proxy file in /etc/httpd/conf.d was isfile, but since the file is actually a symlink, it needs to be islink. This one checks for either.
> > > >
> > > > Nack, install fails after configuring the http service. Restart bails out; using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output), I get a permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf. That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user).
> > >
> > > Ok, it turns out permissions are not the real issue, as the file is read while apache is still root; it's an SELinux issue. Apache starts if I setenforce 0. Still a NACK of course, it needs to work with SELinux in enforcing mode.
> > >
> > > Simo.
> >
> > This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive NACK. But I will be gone for a week, so if someone wants to pick this up and run with it, start from here.
>
> The previous patch with the corrected isfile vs islink issue works fine as long as the SELinux policy is fixed to allow access to /etc/pki-ca/proxy-ipa.conf. I have tested a master and then replica install with no issues after I loaded a custom SELinux policy that allows that. So tentative ACK to the former patch. I will discuss with Ade how to resolve the SELinux issue and will push to master once that is solved.
>
> Simo.

Previous patch is based on a change for PKI-CA that we are not going to push, so we can't go with that. The file /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.

Whatever the issue is with this patch, it has to be fairly minor. The difference in approach is that this one includes the conf file and places it in /etc/httpd/conf.d. The problem is possibly the fact that this one uses localhost instead of the FQDN, although I did test it both ways prior to adding it to the RPM, and it worked with localhost and SELinux in enforcing mode.
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/26/2011 08:57 PM, Adam Young wrote:
> On 08/26/2011 06:30 PM, Simo Sorce wrote:
> > On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
> > > On 08/26/2011 02:34 PM, Simo Sorce wrote:
> > > > On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
> > > > > On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
> > > > > > On 08/25/2011 05:24 PM, Adam Young wrote:
> > > > > > > Uses the updated version of pkicreate which makes an ipa specific proxy config file.
> > > > > >
> > > > > > The test for the proxy file in /etc/httpd/conf.d was isfile, but since the file is actually a symlink, it needs to be islink. This one checks for either.
> > > > >
> > > > > Nack, install fails after configuring the http service. Restart bails out; using export SYSTEMCTL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output), I get a permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf. That's a symlink into /etc/pki-ca/proxy-ipa.conf, which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user).
> > > >
> > > > Ok, it turns out permissions are not the real issue, as the file is read while apache is still root; it's an SELinux issue. Apache starts if I setenforce 0. Still a NACK of course, it needs to work with SELinux in enforcing mode.
> > > >
> > > > Simo.
> > >
> > > This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive NACK. But I will be gone for a week, so if someone wants to pick this up and run with it, start from here.
> >
> > The previous patch with the corrected isfile vs islink issue works fine as long as the SELinux policy is fixed to allow access to /etc/pki-ca/proxy-ipa.conf. I have tested a master and then replica install with no issues after I loaded a custom SELinux policy that allows that. So tentative ACK to the former patch. I will discuss with Ade how to resolve the SELinux issue and will push to master once that is solved.
> >
> > Simo.
>
> Previous patch is based on a change for PKI-CA that we are not going to push, so we can't go with that. The file /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
>
> Whatever the issue is with this patch, it has to be fairly minor. The difference in approach is that this one includes the conf file and places it in /etc/httpd/conf.d. The problem is possibly the fact that this one uses localhost instead of the FQDN, although I did test it both ways prior to adding it to the RPM, and it worked with localhost and SELinux in enforcing mode.

Failure seems to be from this step in the install log:

After configuration, the server can be operated by the command:
/sbin/service pki-cad restart pki-ca
2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED run_command(/sbin/service pki-cad restart pki-ca), exit status=126 output=Stopping pki-ca: [ OK ]
/usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied

And in the audit log:

type=AVC msg=audit(1314409907.089:2397): avc: denied { transition } for pid=21040 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc: denied { transition } for pid=21124 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
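An added example, not code from FreeIPA or from the SELinux tooling, that parses the two AVC records quoted in the message above (copied into the block as a constructed sample) and reduces them to the (source type, target type, class, permission) tuple an allow rule would name, which is the reduction audit2allow performs. The regexes assume the standard kernel AVC record layout visible in those two lines; the field names are the ones that appear there.

```python
import re
from collections import Counter

# Constructed sample: the two AVC records quoted in the message above.
AUDIT_SAMPLE = """\
type=AVC msg=audit(1314409907.089:2397): avc: denied { transition } for pid=21040 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc: denied { transition } for pid=21124 comm=runcon path=/etc/rc.d/init.d/tomcat6 dev=dm-0 ino=35449 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
"""

# Header of an AVC record: timestamp:serial, result, the permission set in
# braces, then the free-form key=value tail.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): "
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs in the tail; values may be quoted (e.g. comm="...") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """user:role:type[:level] -> type (the part policy rules are written in)."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def parse_avc(line):
    """Parse one AVC record into a dict, or return None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "path": fields.get("path"),
        "stype": type_of(fields.get("scontext", "")),
        "ttype": type_of(fields.get("tcontext", "")),
        "tclass": fields.get("tclass"),
    }


def summarise(text):
    """Count denials by (source type, target type, class, permission).

    That tuple is exactly what an allow rule names, so grouping on it collapses
    repeated denials (here two restarts of the same service) into one line.
    """
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied":
            for perm in rec["perms"]:
                counts[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return dict(counts)


def allow_rule(key):
    """Render one summary key as the policy rule that would silence it."""
    stype, ttype, tclass, perm = key
    return f"allow {stype} {ttype}:{tclass} {perm};"


if __name__ == "__main__":
    for key, n in summarise(AUDIT_SAMPLE).items():
        print(f"{n}x  {allow_rule(key)}")
```

Both records reduce to a single tuple, kernel_t to pki_ca_script_t on class process, permission transition, raised twice by runcon executing /etc/rc.d/init.d/tomcat6. Before turning that tuple into an allow rule, the thing to question is why the source domain is kernel_t at all; a blanket allow makes the denial disappear, but it is the kind of hand-loaded custom policy Simo mentions needing above rather than a fix.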