[Freeipa-devel] [PATCH] 1055 update audit cert renewal time

2012-09-12 Thread Rob Crittenden
The CA audit certificate is initially valid for two years but its 
profile has it renewing at six months. This bumps the value up to two 
years to match the other certificates.


This relies on Petr's and Ade's dogtag 10 patches.

rob
From 7d5f799c1abb302d8b90cb50d5e1191fbf4c5edb Mon Sep 17 00:00:00 2001
From: Rob Crittenden 
Date: Wed, 12 Sep 2012 16:22:44 -0400
Subject: [PATCH] Set renewal time for the CA audit certificate to 720 days.

The initial certificate is issued for two years but renewals are
for six months for some reason. This fixes it for new and updated
IPA installs.

https://fedorahosted.org/freeipa/ticket/2951
---
 install/tools/ipa-upgradeconfig | 15 ++-
 ipaserver/install/cainstance.py | 26 ++
 2 files changed, 36 insertions(+), 5 deletions(-)

diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
index 6c0437180c2b47f4d88154741c96648975b30d34..c1fccf9ca1f9994aa987c3c0138f79a528e9e6ed 100644
--- a/install/tools/ipa-upgradeconfig
+++ b/install/tools/ipa-upgradeconfig
@@ -210,14 +210,15 @@ def upgrade_pki(fstore):
 
 This requires enabling SSL renegotiation.
 """
+configured_constants = dogtag.configured_constants()
 root_logger.info('[Verifying that CA proxy configuration is correct]')
-if not os.path.exists('/etc/pki-ca/CS.cfg'):
+if not os.path.exists(configured_constants.CS_CFG_PATH):
 root_logger.debug('No CA detected in /etc/pki-ca')
 return
 
 http = httpinstance.HTTPInstance(fstore)
 http.enable_mod_nss_renegotiate()
-if not installutils.get_directive('/etc/pki-ca/CS.cfg',
+if not installutils.get_directive(configured_constants.CS_CFG_PATH,
   'proxy.securePort', '=') and \
 os.path.exists('/usr/bin/pki-setup-proxy'):
 ipautil.run(['/usr/bin/pki-setup-proxy', '-pki_instance_root=/var/lib'
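Review bot: the debug message `root_logger.debug('No CA detected in /etc/pki-ca')` still hard-codes the Dogtag 9 path although the check right above it now uses `configured_constants.CS_CFG_PATH`; on a Dogtag 10 layout the log line sends an operator to the wrong directory. Suggest interpolating the constant, e.g. `root_logger.debug('No CA detected at %s', configured_constants.CS_CFG_PATH)`.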
@@ -288,11 +289,15 @@ def upgrade_ipa_profile(realm):
 root_logger.info('[Verifying that CA service certificate profile is updated]')
 ca = cainstance.CAInstance(realm, certs.NSS_DIR)
 if ca.is_configured():
-if ca.enable_subject_key_identifier():
-root_logger.debug('Subject Key Identifier updated, restarting CA')
-ca.restart()
+ski = ca.enable_subject_key_identifier()
+if ski:
+root_logger.debug('Subject Key Identifier updated.')
 else:
 root_logger.debug('Subject Key Identifier already set.')
+audit = ca.set_audit_renewal()
+if audit or ski:
+root_logger.debug('Restarting CA.')
+ca.restart()
 else:
 root_logger.debug('CA is not configured')
 
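Review bot: `audit = ca.set_audit_renewal()` runs unconditionally after `enable_subject_key_identifier()`, and the CA restart that `ski` needs is only reached afterwards; if `set_audit_renewal()` raises (the profile file it reads may be missing on an unusual install), `upgrade_ipa_profile` aborts with the Subject Key Identifier change applied but the CA never restarted. Consider wrapping the audit step in its own try/except that logs and sets `audit = False`, so the `if audit or ski:` restart still happens.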
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index ccadd1cf8e0967eab20ae382b10f58d104764610..d8900b13ee9412cd77ca8a95d7fdbd7e2261623e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -551,6 +551,7 @@ class CAInstance(service.Service):
 self.step("set up CRL publishing", self.__enable_crl_publish)
 self.step("set certificate subject base", self.__set_subject_in_config)
 self.step("enabling Subject Key Identifier", self.enable_subject_key_identifier)
+self.step("setting audit signing renewal to 2 years", self.set_audit_renewal)
 self.step("configuring certificate server to start on boot", self.__enable)
 if not self.clone:
 self.step("restarting certificate server", self.__restart_instance)
@@ -1386,6 +1387,31 @@ class CAInstance(service.Service):
 # No update was done
 return False
 
+def set_audit_renewal(self):
+"""
+The default renewal time for the audit signing certificate is
+six months rather than two years. Fix it. This is BZ 843979.
+"""
+# Check the default validity period of the audit signing cert
+# and set it to 2 years if it is 6 months.
+range = installutils.get_directive(
+'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+'policyset.caLogSigningSet.2.default.params.range',
+separator='='
+)
+root_logger.debug('caSignedLogCert.cfg profile validity range is %s' % range)
+if range == "180":
+installutils.set_directive(
+'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR,
+'policyset.caLogSigningSet.2.default.params.range',
+'720',
+quotes=False,
+separator='='
+)
+root_logger.debug('updated caSignedLogCert.cfg profile validity range to 720')
+return True
+return False
+
 def is_master(self):
 """
 There are some tasks that are only done on a single dogtag master.
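Review bot: `range = installutils.get_directive(` shadows the Python builtin `range`; rename it to something like `validity_range`. The `'%s/caSignedLogCert.cfg' % self.dogtag_constants.SERVICE_PROFILE_DIR` path is built twice in the method and should be hoisted into a local. The `== "180"` test is an exact string comparison, so a value with surrounding whitespace or any admin-customised value is silently left as it is; that is probably the intended behaviour for customised profiles, but a short comment saying so would help the next reader. Finally, the value written is 720 days (as the commit subject says) while the docstring and step label say "two years"; wording them consistently avoids a later "why not 730?" question.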
-- 
1.7.11.4

___
Freeipa-devel mailing list
Free
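The following is an added example, not FreeIPA's own code: it models what the `set_audit_renewal()` method in the patch above does to the Dogtag profile `caSignedLogCert.cfg`, with the `installutils.get_directive`/`set_directive` helpers reimplemented over an in-memory string so it runs offline. The key name and the 180 to 720 values come from the patch; the sample profile text is constructed.

```python
# Added example (not FreeIPA's code): a stand-alone model of set_audit_renewal()
# from the patch above. The profile is a simple key=value file; only the shipped
# 180-day default is rewritten to 720 days, anything else is left alone.

AUDIT_RANGE_KEY = 'policyset.caLogSigningSet.2.default.params.range'
DEFAULT_RANGE = '180'   # six-month renewal the stock profile ships with
WANTED_RANGE = '720'    # what the patch sets (720 days)

# Constructed sample of the relevant lines of caSignedLogCert.cfg.
SAMPLE_PROFILE = """\
desc=This certificate profile is for enrolling audit log signing certificates.
visible=false
policyset.caLogSigningSet.2.constraint.class_id=validityConstraintImpl
policyset.caLogSigningSet.2.default.class_id=validityDefaultImpl
policyset.caLogSigningSet.2.default.name=Validity Default
policyset.caLogSigningSet.2.default.params.range=180
policyset.caLogSigningSet.2.default.params.startTime=0
"""


def get_directive(text, key, separator='='):
    """Return the value of the first 'key<separator>value' line, or None."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith('#'):
            continue
        name, sep, value = stripped.partition(separator)
        if sep and name.strip() == key:
            return value.strip()
    return None


def set_directive(text, key, value, separator='='):
    """Replace the value of 'key' in place; append the line if it is absent."""
    out = []
    found = False
    for line in text.splitlines():
        name, sep, _ = line.partition(separator)
        if sep and name.strip() == key and not found:
            out.append('%s%s%s' % (name, separator, value))
            found = True
        else:
            out.append(line)
    if not found:
        out.append('%s%s%s' % (key, separator, value))
    return '\n'.join(out) + '\n'


def set_audit_renewal(profile_text):
    """Mirror of the patch's logic: only the shipped 180-day default is
    changed to 720 days; any other value (an admin customisation) stays.
    Returns (new_text, changed) so a caller can decide on a CA restart."""
    current = get_directive(profile_text, AUDIT_RANGE_KEY)
    if current == DEFAULT_RANGE:
        return set_directive(profile_text, AUDIT_RANGE_KEY, WANTED_RANGE), True
    return profile_text, False


if __name__ == '__main__':
    updated, changed = set_audit_renewal(SAMPLE_PROFILE)
    print('changed: %s, range now %s' % (changed,
                                         get_directive(updated, AUDIT_RANGE_KEY)))
```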

Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

2012-09-12 Thread Ade Lee
On Wed, 2012-09-12 at 18:43 +0200, Petr Viktorin wrote:
> On 09/11/2012 09:38 PM, Rob Crittenden wrote:
> > Rob Crittenden wrote:
> >> Rob Crittenden wrote:
> >>> Petr Viktorin wrote:
>  On 09/11/2012 04:38 PM, Rob Crittenden wrote:
> > Ade Lee wrote:
> >> On Tue, 2012-09-11 at 08:59 -0400, Rob Crittenden wrote:
> >>> Petr Viktorin wrote:
>  On 09/11/2012 04:04 AM, Ade Lee wrote:
> > On Mon, 2012-09-10 at 16:58 -0400, Rob Crittenden wrote:
> >> Petr Viktorin wrote:
> >>> Attaching rebased and squashed patches. I've done some testing
> >>> with
> >>> them
> >>> but please test some more.
> >>>
> >>
> >> Most of these aren't IPA issues, but dogtag issues. I'll try to
> >> split
> >> them out.
> >>
> >> IPA:
> >>
> >> For the configuration files in install/conf to be updated at rpm
> >> update
> >> time the VERSION needs to be incremented.
> 
>  These files should stay the same since on upgrade we're still
>  using a
>  Dogtag 9 style instance. The Dogtag 10 ports are only used in new
>  installs.
> 
> >> The ipa package lacks any updated dogtag dependencies, so I
> >> abused
> >> it.
> 
>  What should the updated dependencies be? Since it should work with
>  both
>  dogtag 9 and 10, I don't see how they should change.
> >>>
> >>> I don't know either, but we need to prevent people from installing
> >>> incompatible package combinations.
> >>>
> >> Wouldn't the Conflicts: ipa < 3.0 in pki-ca mentioned below satisfy
> >> this
> >> requirement?  The main concern is that you must have ipa 3.0 if you
> >> have
> >> dogtag 10.
> >>
> >> Given that dogtag is consumed by IPA though, it makes more sense to
> >> put
> >> the relevant conflicts in IPA rather than in dogtag.  So in this
> >> case,
> >> that would mean putting Conflicts: pki-ca >= 10.0 in IPA 2.x.
> >> Recall that dogtag 10 will only be officially available in f18+.
> >
> > That isn't enough. If a F-17 user with IPA 2.2 installed upgrades to
> > F-18 they would be able to install dogtag 10 and blow up their IPA
> > server.
> >
> >>
> >> I installed IPA with dogtag 9 and created a replica.
> >>
> >> I updated the IPA bits, that worked fine.
> >>
> >> I updated to dogtag 10 and now the CA doesn't work on the master,
> >> including starting the dogtag instance. Note that the rpm update
> >> process
> >> worked, no notice that the CA service didn't restart.
> >>
> > Did you try to restart the CA with selinux in permissive mode?
> > This is
> > still required right now until I get the selinux policy all
> > straightened
> > out.
> >
> > There is also a separate dogtag ticket (which is currently being
> > worked
> > on) to restart existing dogtag instances when dogtag is upgraded
> > from
> > 9->10.
> 
>  In permissive mode, this upgrade works for me.
> >>>
> >>> I was in enforcing mode but saw no AVCs. What is the ETA on fixing
> >>> this?
> >>>
> >>
> >> Within the next week or two, I need to finish the IPA merge database
> >> patch first, and then co-ordinate changes with the selinux guys.
> >>
> 
> 
>  Sometimes I do get this error intermittently:
> 
>  ipa: ERROR: Certificate operation cannot be completed: Unable to
>  communicate with CMS (Service Temporarily Unavailable)
> 
>  Usually, waiting a couple of minutes clears this up. Perhaps we are
>  not
>  doing startup detection correctly. Ade mentioned that waiting for
>  ports
>  may not be ideal. How do we know if Dogtag is initialized?
> >>>
> >>> Years ago we had discussed with Andrew and Matt creating a URI that
> >>> can
> >>> be queried to determine dogtag status. I don't think that ever went
> >>> anywhere.
> >>>
> >> Petr, this happens only on reboot, right?  And not on regular
> >> "service
> >> ipa restart"?
> 
>  I've now seen it happen right after a 9 → 10 upgrade.
> 
> >> Yeah, I remember this conversation - and even created a bug for it at
> >> some point.  This went away because the mechanism you were using
> >> seemed
> >> to be working.  The timing may be very different now with tomcat 7
> >> and
> >> systemd.  I'll open a dogtag trac ticket for this.
> >
> > Ok.
> >
> >>
> 
> >> Uninstalling failed because it tried to run pkidestroy and not
> >> pkiremove.
> 
>  I was under the impression that pkidestroy was the corre

Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

2012-09-12 Thread Petr Viktorin

On 09/11/2012 09:38 PM, Rob Crittenden wrote:

Rob Crittenden wrote:

Rob Crittenden wrote:

Petr Viktorin wrote:

On 09/11/2012 04:38 PM, Rob Crittenden wrote:

Ade Lee wrote:

On Tue, 2012-09-11 at 08:59 -0400, Rob Crittenden wrote:

Petr Viktorin wrote:

On 09/11/2012 04:04 AM, Ade Lee wrote:

On Mon, 2012-09-10 at 16:58 -0400, Rob Crittenden wrote:

Petr Viktorin wrote:

Attaching rebased and squashed patches. I've done some testing
with
them
but please test some more.



Most of these aren't IPA issues, but dogtag issues. I'll try to
split
them out.

IPA:

For the configuration files in install/conf to be updated at rpm
update
time the VERSION needs to be incremented.


These files should stay the same since on upgrade we're still
using a
Dogtag 9 style instance. The Dogtag 10 ports are only used in new
installs.


The ipa package lacks any updated dogtag dependencies, so I
abused
it.


What should the updated dependencies be? Since it should work with
both
dogtag 9 and 10, I don't see how they should change.


I don't know either, but we need to prevent people from installing
incompatible package combinations.


Wouldn't the Conflicts: ipa < 3.0 in pki-ca mentioned below satisfy
this
requirement?  The main concern is that you must have ipa 3.0 if you
have
dogtag 10.

Given that dogtag is consumed by IPA though, it makes more sense to
put
the relevant conflicts in IPA rather than in dogtag.  So in this
case,
that would mean putting Conflicts: pki-ca >= 10.0 in IPA 2.x.
Recall that dogtag 10 will only be officially available in f18+.


That isn't enough. If a F-17 user with IPA 2.2 installed upgrades to
F-18 they would be able to install dogtag 10 and blow up their IPA
server.




I installed IPA with dogtag 9 and created a replica.

I updated the IPA bits, that worked fine.

I updated to dogtag 10 and now the CA doesn't work on the master,
including starting the dogtag instance. Note that the rpm update
process
worked, no notice that the CA service didn't restart.


Did you try to restart the CA with selinux in permissive mode?
This is
still required right now until I get the selinux policy all
straightened
out.

There is also a separate dogtag ticket (which is currently being
worked
on) to restart existing dogtag instances when dogtag is upgraded
from
9->10.


In permissive mode, this upgrade works for me.


I was in enforcing mode but saw no AVCs. What is the ETA on fixing
this?



Within the next week or two, I need to finish the IPA merge database
patch first, and then co-ordinate changes with the selinux guys.




Sometimes I do get this error intermittently:

ipa: ERROR: Certificate operation cannot be completed: Unable to
communicate with CMS (Service Temporarily Unavailable)

Usually, waiting a couple of minutes clears this up. Perhaps we are
not
doing startup detection correctly. Ade mentioned that waiting for
ports
may not be ideal. How do we know if Dogtag is initialized?


Years ago we had discussed with Andrew and Matt creating a URI that
can
be queried to determine dogtag status. I don't think that ever went
anywhere.


Petr, this happens only on reboot, right?  And not on regular
"service
ipa restart"?


I've now seen it happen right after a 9 → 10 upgrade.


Yeah, I remember this conversation - and even created a bug for it at
some point.  This went away because the mechanism you were using
seemed
to be working.  The timing may be very different now with tomcat 7
and
systemd.  I'll open a dogtag trac ticket for this.


Ok.






Uninstalling failed because it tried to run pkidestroy and not
pkiremove.


I was under the impression that pkidestroy was the correct
command to
remove an upgraded instance. I'll check with Ade.


I'll test this too.


The contents of the file passed to pkispawn should be logged
so we
can
see exactly what was passed in.


It's a pretty big file.  You might want to only log the
modifications.
Or save the file somewhere.


Our logs are pretty verbose, so that shouldn't be a problem. I'll
put it
in the next version of the patch.


The question to ask is: would you need the contents of this file if
all
you got were logs and needed to evaluate why installation failed? In
most cases this is yes.


Up to you guys.  There is a patch I am working on in which I will be
logging the object that is being passed to the server from pkispawn.
That - and the diffs to the standard config file as I mentioned
above -
will likely be sufficient to debug almost all cases.

Make sure not to log any passwords.



Thanks for the catch. Attaching updated patch that sanitizes the
passwords.


DOGTAG:

When upgrading using the dogtag-devel repo I had to specify
pki-tools.x86_64 otherwise it tried to install both 32 and 64-bit
versions (and failed).

I ended up running: yum update pki-ca tomcatjss pki-tools.x86_64
--enablerepo=dogtag-devel --enablerepo=updates-testing


We'll look into this.  I think I know why this happens.


What happens if someone manually upgrades pki-ca without first

Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

2012-09-12 Thread Petr Viktorin

On 09/12/2012 04:04 PM, Martin Kosek wrote:

On 09/12/2012 02:58 PM, Jan Cholasta wrote:

Dne 12.9.2012 14:09, Petr Viktorin napsal(a):

On 09/12/2012 01:20 PM, Petr Viktorin wrote:

On 09/11/2012 10:39 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

When installing the client, we need to take extra care to only contact
the one server we're installing against. Otherwise, in the real world,
we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that
didn't have the host principal yet.


To reproduce:

- Install a "master" and "replica"
- Change the Kerberos DNS entries to only point to the replica:
  for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
      ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
  done
  ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
  ipa dnsrecord-find $DOMAIN  # check
- Sever communication between the hosts to disable replication:
  (on master)
  iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf &
install client

This will fail without the patch.


Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982


ACK, pushed to master and ipa-3-0

rob



The patch broke server installs. Please revert it if you're having
trouble while I look into it.




I messed up and removed the kinit call entirely when installing on
master. Attaching a fix.



Works for me, ACK.

Honza



When the server installation is complete, I was surprised to see I have now
host credentials in my CCACHE:

# ipa-server-install --setup-dns
...
==
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
  * 53: bind
UDP Ports:
  * 88, 464: kerberos
  * 53: bind
  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com


I don't think this is expected behavior; the installer should use a CCACHE
separate from the user's default.

Martin


I need to slow down.
Thanks for the catch. Attaching another fix.


--
Petr³
From c8499bed87d40c8b12e6f938d349a4a872180242 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Wed, 12 Sep 2012 10:30:31 -0400
Subject: [PATCH] Use temporary key cache for host key in server installation

This fixes an oversight in the earlier patch
---
 ipa-client/ipa-install/ipa-client-install | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 392aa65a0503a2ff647a8f6b089f8dfcc3fec094..3b1fd1a4486ccb3e5ad7f1f42b69f8ee988d2350 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1572,9 +1572,10 @@ def install(options, env, fstore, statestore):
 if options.on_master:
 # If on master assume kerberos is already configured properly.
 # Get the host TGT.
+os.environ['KRB5CCNAME'] = CCACHE_FILE
 try:
 run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab',
-'host/%s@%s' % (hostname, cli_realm)], env=env)
+'host/%s@%s' % (hostname, cli_realm)])
 except CalledProcessError, e:
 root_logger.error("Failed to obtain host TGT.")
 return CLIENT_INSTALL_ERROR
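Review bot: `os.environ['KRB5CCNAME'] = CCACHE_FILE` changes the environment of the whole installer process rather than of this one kinit, and `env=env` is dropped from the `run()` call at the same time, so every later subprocess inherits the private cache as well; nothing in the hunk restores the previous `KRB5CCNAME` or removes `CCACHE_FILE` when the install finishes or fails. Prefer passing a copy of `env` with `KRB5CCNAME` set to the `run()` calls that need the host TGT, and delete the temporary cache on the way out.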
-- 
1.7.11.4

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
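An added example, not the patch's code, of the alternative the fix above points at: a private credential cache that is scoped to the subprocess calls needing the host TGT and removed afterwards, with `os.environ` never touched. kinit is not executed here; the invocation from the patch is only built and handed to an injected runner, so the flow runs offline. The hostname, realm and function names are mine.

```python
# Added example (not FreeIPA's code): a private Kerberos credential cache
# for the installer's host TGT. Instead of assigning os.environ['KRB5CCNAME']
# for the whole process, the cache lives in a copied environment that is
# passed only to the subprocesses that need it and is deleted afterwards.
import contextlib
import os
import shutil
import tempfile

# Constructed values for the demonstration; not from the page.
DEMO_HOST = 'client.example.test'
DEMO_REALM = 'EXAMPLE.TEST'


def host_kinit_argv(hostname, realm, keytab='/etc/krb5.keytab'):
    """The kinit invocation from the patch: host principal from the keytab."""
    return ['/usr/bin/kinit', '-k', '-t', keytab,
            'host/%s@%s' % (hostname, realm)]


@contextlib.contextmanager
def private_ccache(base_env=None):
    """Yield (env, cache_path): a copy of the environment whose KRB5CCNAME
    points at a fresh FILE: cache in a private directory. os.environ is
    never modified, and the directory is removed when the block exits,
    also on error, so host credentials do not outlive the installer run."""
    env = dict(os.environ if base_env is None else base_env)
    tmpdir = tempfile.mkdtemp(prefix='ipa-install-ccache-')
    cache_path = os.path.join(tmpdir, 'ccache')
    env['KRB5CCNAME'] = 'FILE:' + cache_path
    try:
        yield env, cache_path
    finally:
        shutil.rmtree(tmpdir, ignore_errors=True)


def obtain_host_tgt(hostname, realm, runner, base_env=None):
    """Run the kinit command under a private cache. runner(argv, env) is
    injected (it would be subprocess.check_call in real code) so the logic
    can be exercised without a KDC. Returns (runner_result, cache_path)."""
    with private_ccache(base_env) as (env, cache_path):
        result = runner(host_kinit_argv(hostname, realm), env)
    return result, cache_path


def selfcheck():
    """Exercise the flow with a fake kinit and report what was observed."""
    observed = {}
    environ_before = dict(os.environ)

    def fake_kinit(argv, env):
        path = env['KRB5CCNAME'][len('FILE:'):]
        with open(path, 'w') as f:          # pretend kinit wrote the cache
            f.write('fake ccache')
        observed['argv'] = argv
        observed['ccname_seen_by_kinit'] = env['KRB5CCNAME']
        observed['cache_existed_during_run'] = os.path.exists(path)
        return 0

    rc, cache_path = obtain_host_tgt(DEMO_HOST, DEMO_REALM, fake_kinit,
                                     base_env={'PATH': '/usr/bin'})
    observed['rc'] = rc
    observed['cache_path'] = cache_path
    observed['cache_exists_after'] = os.path.exists(cache_path)
    observed['environ_untouched'] = dict(os.environ) == environ_before
    return observed


if __name__ == '__main__':
    for key, value in sorted(selfcheck().items()):
        print('%s: %s' % (key, value))
```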

Re: [Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install

2012-09-12 Thread Petr Viktorin

On 09/11/2012 11:05 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

On 09/04/2012 07:44 PM, Rob Crittenden wrote:

Petr Viktorin wrote:


https://fedorahosted.org/freeipa/ticket/2845


Shouldn't this also call verify_fqdn() on the local hostname and not
just the master? I think this would eventually fail in the conncheck but
what if that was skipped?

rob


A few lines above there is a call to get_host_name, which will call
verify_fqdn.



I double-checked this, it fails in conncheck. Here are my steps:

# ipa-server-install --setup-dns
# ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
# ipa host-del replica.example.com

On replica, set DNS to IPA master, with hostname in /etc/hosts.

# ipa-replica-install ...

The verify_fqdn() passes because the resolver uses /etc/hosts.

The conncheck fails:

Execute check on remote master
Check connection from master to remote replica 'replica.example.com':

Remote master check failed with following error message(s):
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Unable to resolve host name 'replica.example.com'

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with
--skip-conncheck parameter.

The DNS test happens much further after this, and I get why, I just
don't see how useful it is unless the --skip-conncheck is used.


For the record, it's because we need to check if the host has DNS 
installed. We need a LDAP connection to check this.



ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg
--skip-conncheck
Directory Manager (existing master) password:

ipa : ERRORCould not resolve hostname replica.example.com
using DNS. Clients may not function properly. Please check your DNS
setup. (Note that this check queries IPA DNS directly and ignores
/etc/hosts.)
Continue? [no]:

So I guess, what are the intentions here? It is certainly better than
before.

rob


If the replica is in the master's /etc/hosts, but not in DNS, the 
conncheck will succeed. This check explicitly queries IPA records only 
and ignores /etc/hosts so it'll notice this case and warn.


--
Petr³



Re: [Freeipa-devel] [PATCH 0006] Improves sssd.conf handling during ipa-client uninstall

2012-09-12 Thread Martin Kosek
On 08/29/2012 02:54 PM, Tomas Babej wrote:
> On 08/27/2012 04:55 PM, Martin Kosek wrote:
>> On 08/27/2012 03:37 PM, Jakub Hrozek wrote:
>>> On Mon, Aug 27, 2012 at 02:57:44PM +0200, Martin Kosek wrote:
 I think that the right behavior of SSSD conf uninstall should be the
 following:

 * sssd.conf existed before IPA install + non-IPA domains in sssd.conf 
 found:
- move backed conf up sssd.conf.bkp (and inform the user)
- use SSSDConfig delete_domain function to remove ipa domain from 
 sssd.conf
- restart sssd afterwards
>>> I'm confused here, which of the files is the original
>>> pre-ipa-client-install file?
>> This is the "backed up sssd.conf". I thought that it may be useful for user 
>> to
>> still have an access to it after uninstall.
>>
>>> How does the non-ipa domain end up in the sssd.conf file? Does it have
>>> to be configured manually or does ipa-client-install merge the list of
>>> domains on installation?
> >> ipa-client-install merges the list of the domains. It overrides the old
>> sssd.conf only when we cannot parse the sssd.conf and --preserve-sssd option
>> was not set.
>>
>> Martin
> Hi,
> 
> The sssd.conf file is no longer left behind in case sssd was not
> configured before the installation. However, the patch goes behind
> the scope of this ticket and improves the handling of sssd.conf
> during the ipa-client-install --uninstall in general.
> 
> The current behaviour (well documented in source code) is as follows:
>   - In general, the IPA domain is simply removed from the sssd.conf
> file, instead of sssd.conf being rewritten from the backup. This
> preserves any domains added after installation.
> 
>   - If sssd.conf existed before the installation, it is restored to
> sssd.conf.bkp. However, any IPA domains from pre-installation
> sssd.conf should have been merged during the installation.
> 
>   - If sssd.conf did not exist before the installation, and no other
> domains than IPA domain exist in it, the patch makes sure that
> sssd.conf is moved to sssd.conf.deleted so user experiences no
> crash during any next installation due to its existence.
> 
> https://fedorahosted.org/freeipa/ticket/2740
> 
> Tomas
> 

Good job, SSSD uninstall process now looks more consistent and better
documented. I just found the following (mainly minor) issues. Comments in the
patch:

diff --git a/ipa-client/ipa-install/ipa-client-install
b/ipa-client/ipa-install/ipa-client-install
index
2e65921e8de2dfe68443f5b5875954d71dd48ed2..c5cef15e1fb3a3e1d7cfd070f4288d3839accfc8
100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -183,6 +183,36 @@ def nssldap_exists():

 return (retval, files_found)

+# helper function for uninstall
+# deletes IPA domain from sssd.conf
+def delete_IPA_domain():

Function names should be lowercase -> delete_ipa_domain

+sssd = ipaservices.service('sssd')
+try:
+sssdconfig = SSSDConfig.SSSDConfig()
+sssdconfig.import_config()
+domains = sssdconfig.list_active_domains()
+
+IPA_domain_name = None

Variables should be lowercase -> ipa_domain_name

+
+for name in domains:
+domain = sssdconfig.get_domain(name)
+try:
+provider = domain.get_option('id_provider')
+if provider == "ipa":
+IPA_domain_name = name
+break
+except SSSDConfig.NoOptionError:
+continue
+
+if IPA_domain_name != None:

Do not use != with None, True, False - use "is not None".

+sssdconfig.delete_domain(IPA_domain_name)
+sssdconfig.write()
+else:
+root_logger.warning("IPA domain could not be found in " +
+"sssd.conf and therefore not deleted")
+except IOError:
+root_logger.warning("IPA domain could not be deleted. No access to the
sssd.conf file.")

There should be full path to sssd.conf in this error message. It is very useful
sometimes.

+
 def uninstall(options, env):

 if not fstore.has_files():
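Review bot: `sssd = ipaservices.service('sssd')` at the top of `delete_IPA_domain` is never used in the function, so the IPA domain is removed from sssd.conf but the running sssd is never told about it; either restart the service after `sssdconfig.write()` or drop the assignment. The single `except IOError` also covers both `import_config()` and `write()`, so when the write fails the warning "IPA domain could not be deleted. No access to the sssd.conf file." is misleading about which step failed; a separate message for the write path would make the log usable.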
@@ -212,7 +242,12 @@ def uninstall(options, env):
 sssdconfig = SSSDConfig.SSSDConfig()
 sssdconfig.import_config()
 domains = sssdconfig.list_active_domains()
-if len(domains) > 1:
+all_domains = sssdconfig.list_domains()
+
+# we consider all the domains, because handling sssd.conf
+# during uninstall is dependant on was_sssd_configured flag
+# so the user does not lose info about inactive domains
+if len(all_domains) > 1:
 # There was more than IPA domain configured
 was_sssd_configured = True
 for name in domains:
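Review bot: `if len(all_domains) > 1:` now counts inactive domains, but the loop directly below it still iterates `domains` (the active ones only), so an inactive IPA domain can set `was_sssd_configured` without ever being inspected; use the same list in both places or state in the comment why they differ. Also "dependant" in the added comment should read "dependent".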
@@ -349,6 +384,62 @@ def uninstall(options, env):
 "Failed to remove krb5/LDAP configuration: %s", str(e))
 return CLIENT_INSTALL_ERROR

+# Next if-elif-elif construction deals with sssd.c
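An added example, not the patch's code, modelling the three sssd.conf uninstall rules Tomas lists above (remove only the IPA domain, restore a pre-existing file to sssd.conf.bkp, move a file that held nothing but the IPA domain to sssd.conf.deleted) and the "count all domains, inactive ones included" rule from the hunk. It uses Python 3's configparser on an in-memory file instead of SSSDConfig so it runs offline; the sample configuration and the function names are mine.

```python
# Added example (not the patch's code): sssd.conf handling on
# ipa-client-install --uninstall, as described in the thread above.
import configparser
import io

# Constructed sssd.conf for the demonstration (not from the page): an IPA
# domain, a second active LDAP domain and one inactive domain.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ldap.example.test, example.test

[domain/example.test]
id_provider = ipa
ipa_server = master.example.test

[domain/ldap.example.test]
id_provider = ldap
ldap_uri = ldap://ldap.example.test

[domain/inactive.example.test]
id_provider = ldap
"""


def load(text):
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    return cp


def dump(cp):
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def list_domains(cp):
    """Every [domain/...] section, active or not (like SSSDConfig.list_domains)."""
    return [s[len('domain/'):] for s in cp.sections() if s.startswith('domain/')]


def list_active_domains(cp):
    """Domains named in [sssd] domains= (like SSSDConfig.list_active_domains)."""
    if not cp.has_option('sssd', 'domains'):
        return []
    return [d.strip() for d in cp.get('sssd', 'domains').split(',') if d.strip()]


def find_ipa_domain(cp):
    """First active domain whose id_provider is 'ipa', or None."""
    for name in list_active_domains(cp):
        section = 'domain/' + name
        if (cp.has_section(section) and cp.has_option(section, 'id_provider')
                and cp.get(section, 'id_provider') == 'ipa'):
            return name
    return None


def delete_ipa_domain(cp):
    """Drop the IPA domain section and its domains= entry; every other
    domain, inactive ones included, is left untouched. Returns the name."""
    name = find_ipa_domain(cp)
    if name is None:
        return None
    cp.remove_section('domain/' + name)
    remaining = [d for d in list_active_domains(cp) if d != name]
    cp.set('sssd', 'domains', ', '.join(remaining))
    return name


def plan_uninstall(text, existed_before_install):
    """Apply the rules from the thread and return (actions, new_text).
    was_sssd_configured is True for a pre-existing sssd.conf or when more
    than one domain exists, counting inactive ones as the hunk does."""
    cp = load(text)
    actions = []
    was_sssd_configured = existed_before_install or len(list_domains(cp)) > 1
    if existed_before_install:
        actions.append('restore backup to sssd.conf.bkp')
    if was_sssd_configured:
        name = delete_ipa_domain(cp)
        if name is None:
            actions.append('warn: IPA domain not found in sssd.conf')
        else:
            actions.append('delete IPA domain %s from sssd.conf' % name)
            actions.append('restart sssd')
    else:
        # Nothing but the IPA domain and no file before install: leave no
        # stale sssd.conf that would trip the next installation.
        actions.append('move sssd.conf to sssd.conf.deleted')
    return actions, dump(cp)


if __name__ == '__main__':
    plan, _ = plan_uninstall(SAMPLE_SSSD_CONF, existed_before_install=False)
    print('\n'.join(plan))
```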

Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

2012-09-12 Thread Martin Kosek
On 09/12/2012 04:29 PM, Simo Sorce wrote:
> On Wed, 2012-09-12 at 16:04 +0200, Martin Kosek wrote:
>> On 09/12/2012 02:58 PM, Jan Cholasta wrote:
>>> Dne 12.9.2012 14:09, Petr Viktorin napsal(a):
 On 09/12/2012 01:20 PM, Petr Viktorin wrote:
> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>> Petr Viktorin wrote:
> >>> When installing the client, we need to take extra care to only contact
>>> the one server we're installing against. Otherwise, in the real world,
>>> we might hit a server that hasn't replicated info about the client yet.
>>>
>>> This patch fixes a bug where kinit attempted to contact a KDC that
>>> didn't have the host principal yet.
>>>
>>>
>>> To reproduce:
>>>
>>> - Install a "master" and "replica"
>>> - Change the Kerberos DNS entries to only point to the replica:
> >>>  for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
> >>>      ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
> >>>  done
> >>>  ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
> >>>  ipa dnsrecord-find $DOMAIN  # check
>>> - Sever communication between the hosts to disable replication:
>>>  (on master)
>>>  iptables -A INPUT -j DROP -p all --source $REPLICA_IP
>>> - On client machine, put master as nameserver in /etc/resolv.conf &
>>> install client
>>>
>>> This will fail without the patch.
>>>
>>>
>>> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
>>> explain the bug. I learned a lot.
>>>
>>> https://fedorahosted.org/freeipa/ticket/2982
>>
>> ACK, pushed to master and ipa-3-0
>>
>> rob
>>
>
> The patch broke server installs. Please revert it if you're having
> trouble while I look into it.
>
>

 I messed up and removed the kinit call entirely when installing on
 master. Attaching a fix.

>>>
>>> Works for me, ACK.
>>>
>>> Honza
>>>
>>
>> When the server installation is complete, I was surprised to see I have now
>> host credentials in my CCACHE:
>>
>> # ipa-server-install --setup-dns
>> ...
>> ==
>> Setup complete
>>
>> Next steps:
>>  1. You must make sure these network ports are open:
>>  TCP Ports:
>>* 80, 443: HTTP/HTTPS
>>* 389, 636: LDAP/LDAPS
>>* 88, 464: kerberos
>>* 53: bind
>>  UDP Ports:
>>* 88, 464: kerberos
>>* 53: bind
>>* 123: ntp
>>
>>  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
>> This ticket will allow you to use the IPA tools (e.g., ipa user-add)
>> and the web user interface.
>>
>> Be sure to back up the CA certificate stored in /root/cacert.p12
>> This file is required to create replicas. The password for this
>> file is the Directory Manager password
>>
>> # klist
>> Ticket cache: FILE:/tmp/krb5cc_0
>> Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>>
> >> Valid starting     Expires            Service principal
> >> 09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
> >> 09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
> >> 09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
>>
>>
> >> I don't think this is expected behavior; the installer should use a CCACHE
> >> separate from the user's default.
> 
> Definitely,
> a private install ccache should be used.
> Please open a ticket.
> 
> Simo.
> 

This is caused by a patch pushed today (in the scope of a fix for ticket 2982).
Petr Viktorin is working on a fix which will be sent soon, so I think that
ticket is not necessary in this case.

Martin



Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

2012-09-12 Thread Simo Sorce
On Wed, 2012-09-12 at 16:04 +0200, Martin Kosek wrote:
> On 09/12/2012 02:58 PM, Jan Cholasta wrote:
> > Dne 12.9.2012 14:09, Petr Viktorin napsal(a):
> >> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
> >>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
>  Petr Viktorin wrote:
> > When installing the client, we need to take extra care to only contact
> > the one server we're installing against. Otherwise, in the real world,
> > we might hit a server that hasn't replicated info about the client yet.
> >
> > This patch fixes a bug where kinit attempted to contact a KDC that
> > didn't have the host principal yet.
> >
> >
> > To reproduce:
> >
> > - Install a "master" and "replica"
> > - Change the Kerberos DNS entries to only point to the replica:
> >  for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
> >      ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88 $REPLICA_HOSTNAME"
> >  done
> >  ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389 $MASTER_HOSTNAME"
> >  ipa dnsrecord-find $DOMAIN  # check
> > - Sever communication between the hosts to disable replication:
> >  (on master)
> >  iptables -A INPUT -j DROP -p all --source $REPLICA_IP
> > - On client machine, put master as nameserver in /etc/resolv.conf &
> > install client
> >
> > This will fail without the patch.
> >
> >
> > Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
> > explain the bug. I learned a lot.
> >
> > https://fedorahosted.org/freeipa/ticket/2982
> 
>  ACK, pushed to master and ipa-3-0
> 
>  rob
> 
> >>>
> >>> The patch broke server installs. Please revert it if you're having
> >>> trouble while I look into it.
> >>>
> >>>
> >>
> >> I messed up and removed the kinit call entirely when installing on
> >> master. Attaching a fix.
> >>
> > 
> > Works for me, ACK.
> > 
> > Honza
> > 
> 
> When the server installation is complete, I was surprised to see I have now
> host credentials in my CCACHE:
> 
> # ipa-server-install --setup-dns
> ...
> ==
> Setup complete
> 
> Next steps:
>   1. You must make sure these network ports are open:
>   TCP Ports:
> * 80, 443: HTTP/HTTPS
> * 389, 636: LDAP/LDAPS
> * 88, 464: kerberos
> * 53: bind
>   UDP Ports:
> * 88, 464: kerberos
> * 53: bind
> * 123: ntp
> 
>   2. You can now obtain a kerberos ticket using the command: 'kinit admin'
>  This ticket will allow you to use the IPA tools (e.g., ipa user-add)
>  and the web user interface.
> 
> Be sure to back up the CA certificate stored in /root/cacert.p12
> This file is required to create replicas. The password for this
> file is the Directory Manager password
> 
> # klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
> 
> Valid starting ExpiresService principal
> 09/12/12 09:28:24  09/13/12 09:28:24
> krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
> 09/12/12 09:28:24  09/13/12 09:28:24
> HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
> 09/12/12 09:28:26  09/13/12 09:28:24
> DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
> 
> 
> I don't think this is expected behavior; the installer should use a CCACHE
> separate from the user's default.

Definitely,
a private install ccache should be used.
Please open a ticket.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel


Re: [Freeipa-devel] [PATCH 0011] Make sure selinuxusemap behaves consistently to HBAC rule

2012-09-12 Thread Martin Kosek
On 09/12/2012 10:24 AM, Tomas Babej wrote:
> On 09/11/2012 01:14 PM, Martin Kosek wrote:
>> On 09/06/2012 01:13 PM, Tomas Babej wrote:
>>> On 09/05/2012 01:56 PM, Martin Kosek wrote:
 On 09/03/2012 05:12 PM, Tomas Babej wrote:
> Hi,
>
> Both selinuxusermap-add and selinuxusermap-mod commands now behave
> consistently in not allowing user/host category or user/host members
> and HBAC rule being set at the same time. Also adds a bunch of unit
> tests that check this behaviour.
>
> https://fedorahosted.org/freeipa/ticket/2983
>
> Tomas
>
 I found a few issues with this patch:

 1) Patch needs a rebase

 2) Patch does not expect attributes to be set to None, i.e. to be left empty or
 to be deleted, e.g.:

 # ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all
 --hbacrule=
 ipa: ERROR: HBAC rule and local members cannot both be set

 # ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all
 
 Added SELinux User Map "foo"
 
 Rule name: foo
 SELinux User: guest_u:s0
 User category: all
 Enabled: TRUE

 # ipa selinuxusermap-mod foo --usercat= --hbacrule=
 ipa: ERROR: HBAC rule and local members cannot both be set

 # ipa selinuxusermap-mod foo --usercat=
 ---
 Modified SELinux User Map "foo"
 ---
 Rule name: foo
 SELinux User: guest_u:s0
 Enabled: TRUE

 # ipa selinuxusermap-mod foo --hbacrule=foo
 ---
 Modified SELinux User Map "foo"
 ---
 Rule name: foo
 SELinux User: guest_u:s0
 HBAC Rule: foo
 Enabled: TRUE

 # ipa selinuxusermap-mod foo --hbacrule= --usercat=all
 ipa: ERROR: HBAC rule and local members cannot both be set

 All these validation failures are not valid.

 3) Additionally, I think it would be more readable and less error prone if,
 instead of this blob:

 +are_local_members_to_be_set  = 'usercategory' in _entry_attrs or \
 +   'hostcategory' in _entry_attrs or \
 +   'memberuser' in _entry_attrs or \
 +   'memberhost' in _entry_attrs

 you used something like this:

 are_local_members_to_be_set  = any(attr in _entry_attrs
  for attr in ('usercategory',
   'hostcategory',
   'memberuser',
   'memberhost'))

 Martin
>>> 1.) Done.
>>> 2.) Corrected.
>>> 3.) Fixed.
>>>
>>> Tomas
>> 1) There are some (corner) cases where this approach still does not work:
>>
>> # ipa selinuxusermap-show foo
>>Rule name: foo
>>SELinux User: guest_u:s0
>>HBAC Rule: foo
>>Enabled: TRUE
>> # ipa selinuxusermap-mod foo --usercat=all --hbacrule=
>> ipa: ERROR: HBAC rule and local members cannot both be set
>>
>> HBAC rule attribute is being deleted and user category set, so this should
>> not be rejected.
>>
>> 2) There are also some styling issues (you can use the pep8 tool present in
>> Fedora to locate them on your own), e.g.:
>>
>> ipalib/plugins/selinuxusermap.py:247:32: E203 whitespace before ':'
>> ipalib/plugins/selinuxusermap.py:247:70: E225 missing whitespace around operator
>> ipalib/plugins/selinuxusermap.py:249:36: E221 multiple spaces before operator
>> ...
>>
>> Martin
> The corner case is fixed now and styling issues corrected as well.
> 
> Tomas

Yup, works fine now.

ACK. Pushed to master, ipa-3-0.

Martin
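As an added example (not the FreeIPA plugin code), here is the validation rule discussed in this thread written so that an attribute arriving as None, which is how an empty CLI value such as `--hbacrule=` is passed to the plugin, counts as a deletion rather than a set, so the corner cases from the review pass. The attribute names `usercategory`, `hostcategory`, `memberuser` and `memberhost` come from the patch; `seealso` as the attribute that stores the linked HBAC rule is an assumption about the plugin's storage.

```python
# Added example, not the FreeIPA plugin code: the "HBAC rule vs. local members"
# validation for selinuxusermap-add/-mod, treating None (an empty CLI value such
# as "--hbacrule=") as a deletion so that deleting one side while setting the
# other is accepted.

# Local-member attributes are taken from the patch; 'seealso' as the attribute
# holding the linked HBAC rule is an assumption about how the plugin stores it.
LOCAL_MEMBER_ATTRS = ('usercategory', 'hostcategory', 'memberuser', 'memberhost')
HBAC_RULE_ATTR = 'seealso'


class ConflictError(Exception):
    """Raised when an HBAC rule and local members would both end up set."""


def _is_set(value):
    """None or an empty value means 'delete / leave empty', not 'set'."""
    if value is None:
        return False
    if isinstance(value, (list, tuple)):
        return any(v not in (None, '') for v in value)
    return value != ''


def resulting_entry(entry_attrs, existing=None):
    """Merge the attributes of an -add (existing=None) or -mod command into the
    entry's current state. A None/empty value removes the attribute."""
    merged = {k.lower(): v for k, v in (existing or {}).items() if _is_set(v)}
    for attr, value in entry_attrs.items():
        key = attr.lower()
        if _is_set(value):
            merged[key] = value
        else:
            merged.pop(key, None)      # deletion, or left empty on -add
    return merged


def check_hbac_vs_local_members(entry_attrs, existing=None):
    """Validate the state the command would leave behind, not merely the
    options given: only the final entry decides whether both sides are set."""
    merged = resulting_entry(entry_attrs, existing)
    hbac_set = _is_set(merged.get(HBAC_RULE_ATTR))
    local_set = any(_is_set(merged.get(a)) for a in LOCAL_MEMBER_ATTRS)
    if hbac_set and local_set:
        raise ConflictError('HBAC rule and local members cannot both be set')
    return merged


def conflicts(entry_attrs, existing=None):
    """True if the command would be rejected."""
    try:
        check_hbac_vs_local_members(entry_attrs, existing)
    except ConflictError:
        return True
    return False


if __name__ == '__main__':
    # The cases from the review, in order: add with an empty --hbacrule=,
    # mod clearing both, mod setting the rule, the corner case, a real conflict.
    print(conflicts({'usercategory': 'all', HBAC_RULE_ATTR: None}))              # False
    print(conflicts({'usercategory': None, HBAC_RULE_ATTR: None},
                    {'usercategory': 'all'}))                                    # False
    print(conflicts({HBAC_RULE_ATTR: 'foo'}, {}))                                # False
    print(conflicts({'usercategory': 'all', HBAC_RULE_ATTR: None},
                    {HBAC_RULE_ATTR: 'foo'}))                                    # False
    print(conflicts({'usercategory': 'all', HBAC_RULE_ATTR: 'foo'}))             # True
```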



Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

2012-09-12 Thread Martin Kosek
On 09/12/2012 02:58 PM, Jan Cholasta wrote:
> Dne 12.9.2012 14:09, Petr Viktorin napsal(a):
>> On 09/12/2012 01:20 PM, Petr Viktorin wrote:
>>> On 09/11/2012 10:39 PM, Rob Crittenden wrote:
 Petr Viktorin wrote:
> When installing the client, we need to take extra care to only contact
> the one server we're installing against. Otherwise, in the real world,
> we might hit a server that hasn't replicated info about the client yet.
>
> This patch fixes a bug where kinit attempted to contact a KDC that
> didn't have the host principal yet.
>
>
> To reproduce:
>
> - Install a "master" and "replica"
> - Change the Kerberos DNS entries to only point to the replica:
>  for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp'
> '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
>  ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88
> $REPLICA_HOSTNAME"
>  done
>  ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389
> $MASTER_HOSTNAME"
>  ipa dnsrecord-find $DOMAIN  # check
> - Sever communication between the hosts to disable replication:
>  (on master)
>  iptables -A INPUT -j DROP -p all --source $REPLICA_IP
> - On client machine, put master as nameserver in /etc/resolv.conf &
> install client
>
> This will fail without the patch.
>
>
> Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
> explain the bug. I learned a lot.
>
> https://fedorahosted.org/freeipa/ticket/2982

 ACK, pushed to master and ipa-3-0

 rob

>>>
>>> The patch broke server installs. Please revert it if you're having
>>> trouble while I look into it.
>>>
>>>
>>
>> I messed up and removed the kinit call entirely when installing on
>> master. Attaching a fix.
>>
> 
> Works for me, ACK.
> 
> Honza
> 

When the server installation is complete, I was surprised to see that I now have
host credentials in my CCACHE:

# ipa-server-install --setup-dns
...
==
Setup complete

Next steps:
1. You must make sure these network ports are open:
TCP Ports:
  * 80, 443: HTTP/HTTPS
  * 389, 636: LDAP/LDAPS
  * 88, 464: kerberos
  * 53: bind
UDP Ports:
  * 88, 464: kerberos
  * 53: bind
  * 123: ntp

2. You can now obtain a kerberos ticket using the command: 'kinit admin'
   This ticket will allow you to use the IPA tools (e.g., ipa user-add)
   and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

Valid starting ExpiresService principal
09/12/12 09:28:24  09/13/12 09:28:24
krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24
HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24
DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com


I don't think this is expected behavior; the installer should use a CCACHE
separate from the user's default.

Martin



[Freeipa-devel] [PATCH] 85 Add --no-ssh option to ipa-client-install to disable OpenSSH client configuration

2012-09-12 Thread Jan Cholasta

Hi,

this patch fixes .

If both --no-ssh and --no-sshd are specified, do not configure the SSH 
service in SSSD.


Honza

--
Jan Cholasta
>From 2a80c57305b099129b192e7ccf52b7f8cc982c41 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 12 Sep 2012 09:19:26 -0400
Subject: [PATCH] Add --no-ssh option to ipa-client-install to disable OpenSSH
 client configuration.

If both --no-ssh and --no-sshd are specified, do not configure the SSH service
in SSSD.

ticket 3070
---
 install/tools/ipa-replica-install |  4 ++
 install/tools/ipa-server-install  |  4 ++
 install/tools/man/ipa-replica-install.1   |  3 ++
 install/tools/man/ipa-server-install.1|  3 ++
 ipa-client/ipa-install/ipa-client-install | 78 ++-
 ipa-client/man/ipa-client-install.1   |  3 ++
 6 files changed, 63 insertions(+), 32 deletions(-)

diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
index 41e1ef5..267a70d 100755
--- a/install/tools/ipa-replica-install
+++ b/install/tools/ipa-replica-install
@@ -68,6 +68,8 @@ def parse_options():
   default=True, help="Do not automatically redirect to the Web UI")
 basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
   help="configure OpenSSH client to trust DNS SSHFP records")
+basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
+  help="do not configure OpenSSH client")
 basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
   help="do not configure OpenSSH server")
 basic_group.add_option("--skip-conncheck", dest="skip_conncheck", action="store_true",
@@ -500,6 +502,8 @@ def main():
 args.append("--no-dns-sshfp")
 if options.trust_sshfp:
 args.append("--ssh-trust-dns")
+if not options.conf_ssh:
+args.append("--no-ssh")
 if not options.conf_sshd:
 args.append("--no-sshd")
 ipautil.run(args)
diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
index ba056fd..f07aead 100755
--- a/install/tools/ipa-server-install
+++ b/install/tools/ipa-server-install
@@ -145,6 +145,8 @@ def parse_options():
   default=True, help="Do not automatically redirect to the Web UI")
 basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
   help="configure OpenSSH client to trust DNS SSHFP records")
+basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
+  help="do not configure OpenSSH client")
 basic_group.add_option("--no-sshd", dest="conf_sshd", default=True, action="store_false",
   help="do not configure OpenSSH server")
 basic_group.add_option("-d", "--debug", dest="debug", action="store_true",
@@ -1071,6 +1073,8 @@ def main():
 args.append("--no-dns-sshfp")
 if options.trust_sshfp:
 args.append("--ssh-trust-dns")
+if not options.conf_ssh:
+args.append("--no-ssh")
 if not options.conf_sshd:
 args.append("--no-sshd")
 run(args)
diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
index 3f44597..084b454 100644
--- a/install/tools/man/ipa-replica-install.1
+++ b/install/tools/man/ipa-replica-install.1
@@ -56,6 +56,9 @@ Do not automatically redirect to the Web UI.
 \fB\-\-ssh\-trust\-dns\fR
 Configure OpenSSH client to trust DNS SSHFP records.
 .TP
+\fB\-\-no\-ssh\fR
+Do not configure OpenSSH client.
+.TP
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
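Review bot: the new `--no-ssh` entry documents only "Do not configure OpenSSH client.", while the commit message states that giving both `--no-ssh` and `--no-sshd` also leaves the SSH service in SSSD unconfigured; add that sentence to the man page so the combined behaviour is visible to admins.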
diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 61b7c66..75c6a78 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -66,6 +66,9 @@ Do not automatically redirect to the Web UI.
 \fB\-\-ssh\-trust\-dns\fR
 Configure OpenSSH client to trust DNS SSHFP records.
 .TP
+\fB\-\-no\-ssh\fR
+Do not configure OpenSSH client.
+.TP
 \fB\-\-no\-sshd\fR
 Do not configure OpenSSH server.
 .TP
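Review bot: same documentation gap as in ipa-replica-install.1: the `--no-ssh` entry should mention that together with `--no-sshd` the SSH service in SSSD is not configured either, as the commit message describes.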
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 83f5268..1bd9dcb 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -89,6 +89,8 @@ def parse_options():
   help="do not configure ntp", default=True, dest="conf_ntp")
 basic_group.add_option("--ssh-trust-dns", dest="trust_sshfp", default=False, action="store_true",
   help="configure OpenSSH client to trust DNS SSHFP records")
+basic_group.add_option("--no-ssh", dest="conf_ssh", default=True, action="store_false",
+  help="do not configure Op

[Freeipa-devel] [PATCH] 84 Add the SSH service to SSSD config file before trying to activate it

2012-09-12 Thread Jan Cholasta

Hi,

this patch fixes .

Users no longer have to configure SSH in sssd.conf manually if the file 
exists prior to running ipa-client-install.


Honza

--
Jan Cholasta
>From 38fd87c7b9d941b76753c3f11eca0058a83b8954 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Tue, 11 Sep 2012 04:43:57 -0400
Subject: [PATCH] Add the SSH service to SSSD config file before trying to
 activate it.

ticket 3069
---
 ipa-client/ipa-install/ipa-client-install | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 06e0798..ccb2228 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -803,14 +803,18 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie
 domain = sssdconfig.new_domain(cli_domain)
 
 try:
-sssdconfig.activate_service('ssh')
-except SSSDConfig.NoServiceError:
+sssdconfig.new_service('ssh')
+except SSSDConfig.ServiceAlreadyExists:
+pass
+except SSSDConfig.ServiceNotRecognizedError:
 root_logger.error("Unable to activate the SSH service in SSSD config.")
 root_logger.info(
 "Please make sure you have SSSD built with SSH support installed.")
 root_logger.info(
 "Configure SSH support manually in /etc/sssd/sssd.conf.")
 
+sssdconfig.activate_service('ssh')
+
 domain.add_provider('ipa', 'id')
 
 #add discovery domain if client domain different from server domain
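Review bot: `sssdconfig.activate_service('ssh')` at the end of the hunk now runs unconditionally, including after `new_service('ssh')` raised `ServiceNotRecognizedError`; the old code caught `NoServiceError` around the activation, so in that branch the user is told to configure SSH manually and the installer then dies on an uncaught exception from `activate_service`. Either return from the function or skip the activation when `ServiceNotRecognizedError` was caught, e.g. by setting a flag in that `except` block and guarding the `activate_service` call with it.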
-- 
1.7.11.4


Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

2012-09-12 Thread Rob Crittenden

Jan Cholasta wrote:

Dne 12.9.2012 14:09, Petr Viktorin napsal(a):

On 09/12/2012 01:20 PM, Petr Viktorin wrote:

On 09/11/2012 10:39 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

When installing the client, we need to take extra care to only contact
the one server we're installing against. Otherwise, in the real world,
we might hit a server that hasn't replicated info about the client
yet.

This patch fixes a bug where kinit attempted to contact a KDC that
didn't have the host principal yet.


To reproduce:

- Install a "master" and "replica"
- Change the Kerberos DNS entries to only point to the replica:
 for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp'
'_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
 ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88
$REPLICA_HOSTNAME"
 done
 ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389
$MASTER_HOSTNAME"
 ipa dnsrecord-find $DOMAIN  # check
- Sever communication between the hosts to disable replication:
 (on master)
 iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf &
install client

This will fail without the patch.


Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982


ACK, pushed to master and ipa-3-0

rob



The patch broke server installs. Please revert it if you're having
trouble while I look into it.




I messed up and removed the kinit call entirely when installing on
master. Attaching a fix.



Works for me, ACK.

Honza



pushed to master and ipa-3-0



Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

2012-09-12 Thread Jan Cholasta

Dne 12.9.2012 14:09, Petr Viktorin napsal(a):

On 09/12/2012 01:20 PM, Petr Viktorin wrote:

On 09/11/2012 10:39 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

When installing the client, we need to take extra care to only contact
the one server we're installing against. Otherwise, in the real world,
we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that
didn't have the host principal yet.


To reproduce:

- Install a "master" and "replica"
- Change the Kerberos DNS entries to only point to the replica:
 for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp'
'_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
 ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88
$REPLICA_HOSTNAME"
 done
 ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389
$MASTER_HOSTNAME"
 ipa dnsrecord-find $DOMAIN  # check
- Sever communication between the hosts to disable replication:
 (on master)
 iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf &
install client

This will fail without the patch.


Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982


ACK, pushed to master and ipa-3-0

rob



The patch broke server installs. Please revert it if you're having
trouble while I look into it.




I messed up and removed the kinit call entirely when installing on
master. Attaching a fix.



Works for me, ACK.

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18

2012-09-12 Thread Petr Viktorin

On 09/12/2012 04:42 AM, Ade Lee wrote:

On Tue, 2012-09-11 at 14:45 -0400, Rob Crittenden wrote:

Petr Viktorin wrote:

On 09/11/2012 04:38 PM, Rob Crittenden wrote:

Ade Lee wrote:

On Tue, 2012-09-11 at 08:59 -0400, Rob Crittenden wrote:

Petr Viktorin wrote:

On 09/11/2012 04:04 AM, Ade Lee wrote:

On Mon, 2012-09-10 at 16:58 -0400, Rob Crittenden wrote:

Petr Viktorin wrote:

Attaching rebased and squashed patches. I've done some testing with them
but please test some more.



Most of these aren't IPA issues, but dogtag issues. I'll try to split
them out.

IPA:

For the configuration files in install/conf to be updated at rpm update
time the VERSION needs to be incremented.


These files should stay the same since on upgrade we're still using a
Dogtag 9 style instance. The Dogtag 10 ports are only used in new
installs.


The ipa package lacks any updated dogtag dependencies, so I abused it.


What should the updated dependencies be? Since it should work with both
dogtag 9 and 10, I don't see how they should change.


I don't know either, but we need to prevent people from installing
incompatible package combinations.


Wouldn't the Conflicts: ipa < 3.0 in pki-ca mentioned below satisfy this
requirement?  The main concern is that you must have ipa 3.0 if you have
dogtag 10.

Given that dogtag is consumed by IPA though, it makes more sense to put
the relevant conflicts in IPA rather than in dogtag.  So in this case,
that would mean putting Conflicts: pki-ca >= 10.0 in IPA 2.x.
Recall that dogtag 10 will only be officially available in f18+.


That isn't enough. If a F-17 user with IPA 2.2 installed upgrades to
F-18 they would be able to install dogtag 10 and blow up their IPA
server.


We can add the Conflicts: freeipa-server < 3.0 to the dogtag packages
(likely in pki-base).

But we should also add explicit dependencies to ipa.

For ipa 2.2, Conflicts: pki-ca >= 10.0, Requires: pki-ca >= 9.x
For ipa 3,   Requires: pki-ca >= 10.0


Unfortunately we need to support IPA 3.0 with Dogtag 9.


This of course assumes that ipa 3 is only officially released on f18
(which is what will happen for dogtag 10).  Just because we can support
d9 on ipa 3 does not mean we should.

As it is, in this case, we will have to support IPA 3 + d10, IPA 3 + d10
+ d9-style instance, IPA 2.x + d9.


We also need to test replication between various combinations of these.


--
Petr³


[Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks

2012-09-12 Thread Martin Kosek
To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then
rename or delete the linked object. After the update, the links should be 
amended.

-

Many attributes in IPA (e.g. manager, memberuser, managedby, ...)
are used to store DNs of linked objects in IPA (users, hosts, sudo
commands, etc.). However, when the linked object is deleted or
renamed, the attribute pointing to it stays with the objects and
thus may create a dangling link causing issues in client software
reading the data.

Directory Server has a plugin to enforce referential integrity (RI)
by checking DEL and MODRDN operations and updating affected links.
It was already used for manager and secretary attributes and
should be expanded for the missing attributes to avoid dangling
links.

As a prerequisite, all attributes checked for RI must have pres
and eq indexes to avoid performance issues. The following indexes
have been added:
  * manager (pres index only)
  * secretary (pres index only)
  * memberHost
  * memberUser
  * sourcehost
  * memberservice
  * managedby
  * memberallowcmd
  * memberdenycmd
  * ipasudorunas
  * ipasudorunasgroup

Referential Integrity plugin was updated to check all these
attributes.

Note: this update will only fix RI on one master as RI plugin does
not check replicated operations.

https://fedorahosted.org/freeipa/ticket/2866

-- 
Martin Kosek 
Senior Software Engineer - Identity Management Team
Red Hat Inc.
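An added example (not the patch's own code, which is Directory Server index and plugin configuration): an offline check for the dangling links this update is meant to prevent, run over a constructed directory snapshot, together with the DEL and MODRDN fix-ups the referential-integrity plugin performs, so the same attribute list can be verified on a master that only received the change through replication (which, as the note above says, the plugin does not check). The sample DNs and entries are constructed; DN comparison here is a simplification that lowercases and strips whitespace and assumes no escaped commas inside RDN values.

```python
# Added example, not FreeIPA's own code: an offline check for dangling DN links in
# the attributes the referential-integrity (RI) plugin is being extended to cover,
# plus the DEL/MODRDN fix-ups the plugin performs. The entries below are a
# constructed snapshot; a real check would read them with an LDAP search.

# Attribute list from the patch description above.
RI_ATTRS = ('manager', 'secretary', 'memberhost', 'memberuser', 'sourcehost',
            'memberservice', 'managedby', 'memberallowcmd', 'memberdenycmd',
            'ipasudorunas', 'ipasudorunasgroup')

SUFFIX = 'dc=example,dc=test'                      # constructed sample suffix
USER_ALICE = 'uid=alice,cn=users,cn=accounts,' + SUFFIX
USER_BOB = 'uid=bob,cn=users,cn=accounts,' + SUFFIX
HOST_WEB1 = 'fqdn=web1.example.test,cn=computers,cn=accounts,' + SUFFIX
HBAC_RULE = 'ipauniqueid=sample-hbac-1,cn=hbac,' + SUFFIX
SUDO_RULE = 'ipauniqueid=sample-sudo-1,cn=sudorules,cn=sudo,' + SUFFIX
# A sudo command deleted while memberallowcmd was not yet RI-checked.
SUDO_CMD_GONE = 'sudocmd=/usr/bin/systemctl,cn=sudocmds,cn=sudo,' + SUFFIX


def sample_entries():
    """Constructed directory snapshot: {dn: {attribute: [values]}}."""
    return {
        # manager link written with different case and spacing than bob's DN
        USER_ALICE: {'manager': ['UID=Bob, cn=users,cn=accounts,' + SUFFIX]},
        USER_BOB: {},
        HOST_WEB1: {},
        HBAC_RULE: {'memberuser': [USER_ALICE], 'memberhost': [HOST_WEB1]},
        SUDO_RULE: {'memberallowcmd': [SUDO_CMD_GONE], 'ipasudorunas': [USER_BOB]},
    }


def normalize_dn(dn):
    """Case- and whitespace-insensitive key for comparing DNs. Simplification:
    assumes no escaped commas inside RDN values (true for the IPA DNs above)."""
    return ','.join(part.strip().lower() for part in dn.split(','))


def find_dangling_links(entries):
    """Return (dn, attribute, target) for every RI-attribute value that points
    at a DN not present in entries."""
    known = {normalize_dn(dn) for dn in entries}
    dangling = []
    for dn, attrs in entries.items():
        for attr, values in attrs.items():
            if attr.lower() not in RI_ATTRS:
                continue
            for target in values:
                if normalize_dn(target) not in known:
                    dangling.append((dn, attr, target))
    return dangling


def _rewrite_links(entries, key, replacement):
    """Replace (or, with replacement=None, drop) every RI link to the DN key."""
    for attrs in entries.values():
        for attr in list(attrs):
            if attr.lower() not in RI_ATTRS:
                continue
            kept = []
            for value in attrs[attr]:
                if normalize_dn(value) != key:
                    kept.append(value)
                elif replacement is not None:
                    kept.append(replacement)
            if kept:
                attrs[attr] = kept
            else:
                del attrs[attr]          # attribute left empty after the fix-up
    return entries


def apply_delete(entries, dn):
    """What the RI plugin does on DEL: remove the entry, strip links to it."""
    key = normalize_dn(dn)
    copy = {d: dict(a) for d, a in entries.items() if normalize_dn(d) != key}
    return _rewrite_links(copy, key, None)


def apply_modrdn(entries, old_dn, new_dn):
    """What the RI plugin does on MODRDN (leaf entries only): move the entry
    and point every link at the new DN."""
    key = normalize_dn(old_dn)
    copy = {(new_dn if normalize_dn(d) == key else d): dict(a)
            for d, a in entries.items()}
    return _rewrite_links(copy, key, new_dn)


if __name__ == '__main__':
    entries = sample_entries()
    print('dangling before:', find_dangling_links(entries))
    entries = apply_delete(entries, USER_ALICE)
    entries = apply_modrdn(entries, USER_BOB,
                           'uid=robert,cn=users,cn=accounts,' + SUFFIX)
    print('dangling after:', find_dangling_links(entries))
```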
From de4d160ba4a9bce33f227078ba00ee2d8cd04594 Mon Sep 17 00:00:00 2001
From: Martin Kosek 
Date: Wed, 12 Sep 2012 09:28:36 +0200
Subject: [PATCH 1/4] Add attributeTypes to safe schema updater

AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch
just like ObjectClass attribute which is already being normalized before
an update value is compared with update instructions.

Expand safe schema updater routine to cover both ObjectClasses and
AttributeTypes updates.

https://fedorahosted.org/freeipa/ticket/2440
---
 ipaserver/install/ldapupdate.py | 68 +++--
 1 file changed, 39 insertions(+), 29 deletions(-)

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 111769ffee1d04f2036d3abe49190c715e13f99a..528e349d7975022005d2f91d70a5abed0ab42307 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -35,7 +35,7 @@ from ipalib import errors
 from ipalib import api
 from ipapython.dn import DN
 import ldap
-from ldap.schema.models import ObjectClass
+from ldap.schema.models import ObjectClass, AttributeType
 from ipapython.ipa_log_manager import *
 import krbV
 import platform
@@ -551,23 +551,32 @@ class LDAPUpdate:
 # Replacing objectClassess needs a special handling and
 # normalization of OC definitions to avoid update failures for
 # example when X-ORIGIN is the only difference
-objectclass_replacement = False
-if action == "replace" and entry.dn == DN(('cn', 'schema')) and \
-attr.lower() == "objectclasses":
-objectclass_replacement = True
-oid_index = {}
-# build the OID index for replacing
-for objectclass in entry_values:
-try:
-objectclass_object = ObjectClass(str(objectclass))
-except Exception, e:
-self.error('replace: cannot parse ObjectClass "%s": %s',
-objectclass, e)
-continue
-# In a corner case, there may be more representations of
-# the same objectclass due to the previous updates
-# We want to replace them all
-oid_index.setdefault(objectclass_object.oid, []).append(objectclass)
+schema_update = False
+schema_elem_class = None
+schema_elem_name = None
+if action == "replace" and entry.dn == DN(('cn', 'schema')):
+if attr.lower() == "objectclasses":
+schema_elem_class = ObjectClass
+schema_elem_name = "ObjectClass"
+elif attr.lower() == "attributetypes":
+schema_elem_class = AttributeType
+schema_elem_name = "AttributeType"
+
+if schema_elem_class is not None:
+schema_update = True
+oid_index = {}
+# build the OID index for replacing
+for schema_elem in entry_values:
+try:
+schema_elem_object = schema_elem_class(str(schema_elem))
+except Exception, e:
+self.error('replace: cannot parse %s "%s": %s',
+schema_elem_name, schema_elem, e)
+continue
+

Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

2012-09-12 Thread Petr Viktorin

On 09/12/2012 01:20 PM, Petr Viktorin wrote:

On 09/11/2012 10:39 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

When installing the client, we need to take extra care to only contact
the one server we're installing against. Otherwise, in the real world,
we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that
didn't have the host principal yet.


To reproduce:

- Install a "master" and "replica"
- Change the Kerberos DNS entries to only point to the replica:
 for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp'
'_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
 ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88
$REPLICA_HOSTNAME"
 done
 ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389
$MASTER_HOSTNAME"
 ipa dnsrecord-find $DOMAIN  # check
- Sever communication between the hosts to disable replication:
 (on master)
 iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf &
install client

This will fail without the patch.


Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982


ACK, pushed to master and ipa-3-0

rob



The patch broke server installs. Please revert it if you're having
trouble while I look into it.




I messed up and removed the kinit call entirely when installing on 
master. Attaching a fix.


--
Petr³
From d8686e7063aa749cdd6c26721820cf30658e1c30 Mon Sep 17 00:00:00 2001
From: Petr Viktorin 
Date: Wed, 12 Sep 2012 07:31:15 -0400
Subject: [PATCH] Fix server installation

The fix to ticket #2982 removed a kinit call when the client was installed
as part of a master. Re-add the kinit call in this case.
---
 ipa-client/ipa-install/ipa-client-install | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 06e07983956b87c75fbd59139ea5fcaa046d7980..392aa65a0503a2ff647a8f6b089f8dfcc3fec094 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1569,8 +1569,16 @@ def install(options, env, fstore, statestore):
 root_logger.info("Failed to add CA to the default NSS database.")
 return CLIENT_INSTALL_ERROR
 
-# If on master assume kerberos is already configured properly.
-if not options.on_master:
+if options.on_master:
+# If on master assume kerberos is already configured properly.
+# Get the host TGT.
+try:
+run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab',
+'host/%s@%s' % (hostname, cli_realm)], env=env)
+except CalledProcessError, e:
+root_logger.error("Failed to obtain host TGT.")
+return CLIENT_INSTALL_ERROR
+else:
 # Configure krb5.conf
 fstore.backup_file("/etc/krb5.conf")
 if configure_krb5_conf(
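Review bot: in the new `except CalledProcessError, e:` branch the exception is bound to `e` but never used, so a failing `kinit -k` is reported only as "Failed to obtain host TGT." with no indication of why; log it, e.g. `root_logger.error("Failed to obtain host TGT: %s", e)`, or drop the binding. This kinit is also the call that leaves `host/...` credentials in root's default ccache, as observed later in this thread; pointing `KRB5CCNAME` in `env` at a private cache for the install would keep them separate from the user's.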
-- 
1.7.11.4


Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC

2012-09-12 Thread Petr Viktorin

On 09/11/2012 10:39 PM, Rob Crittenden wrote:

Petr Viktorin wrote:

When installing the client, we need to take extra care to only contact
the one server we're installing against. Otherwise, in the real world,
we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that
didn't have the host principal yet.


To reproduce:

- Install a "master" and "replica"
- Change the Kerberos DNS entries to only point to the replica:
 for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp'
'_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
 ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec="0 100 88
$REPLICA_HOSTNAME"
 done
 ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec="0 100 389
$MASTER_HOSTNAME"
 ipa dnsrecord-find $DOMAIN  # check
- Sever communication between the hosts to disable replication:
 (on master)
 iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf &
install client

This will fail without the patch.


Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and
explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982


ACK, pushed to master and ipa-3-0

rob



The patch broke server installs. Please revert it if you're having 
trouble while I look into it.



--
Petr³



[Freeipa-devel] [PATCH 0059] Fix potential crash after free(uninitialized variable)

2012-09-12 Thread Petr Spacek

Hello,

This patch fixes a potential crash after free(uninitialized variable) in
persistent search code.


Coverity CID 13088.

Petr^2 Spacek
From 3197b4ace3e852495bf4f9fdc32192459160027c Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 12 Sep 2012 13:04:39 +0200
Subject: [PATCH] Fix potential crash after free(uninitialized variable) in
 persistent search code.

Coverity CID 13088.

Signed-off-by: Petr Spacek 
---
 src/ldap_helper.c | 15 +++
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 92edbe7159272772e1c993d46da7c93382cbc5d4..67a64b79159983c83cb1bfc73c4b02a9bce986a7 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2878,8 +2878,8 @@ cleanup:
 static isc_result_t
 ldap_pscontrol_create(LDAPControl **ctrlp)
 {
-	BerElement *ber;
-	struct berval *berval;
+	BerElement *ber = NULL;
+	struct berval *berval = NULL;
 	isc_result_t result = ISC_R_FAILURE;
 
 	REQUIRE(ctrlp != NULL && *ctrlp == NULL);
@@ -2905,14 +2905,13 @@ ldap_pscontrol_create(LDAPControl **ctrlp)
 			!= LDAP_SUCCESS)
 		goto cleanup;
 
-	ber_free(ber, 1);
-	ber_bvfree(berval);
-
-	return ISC_R_SUCCESS;
+	result = ISC_R_SUCCESS;
 
 cleanup:
-	ber_free(ber, 1);
-	ber_bvfree(berval);
+	if (ber != NULL)
+		ber_free(ber, 1);
+	if (berval != NULL)
+		ber_bvfree(berval);
 
 	return result;
 }
-- 
1.7.11.4


[Freeipa-devel] [PATCH 0058] Improve persistent search logging

2012-09-12 Thread Petr Spacek

Hello,

this patch adds "result" codes to error messages in persistent search code.

Petr^2 Spacek
From f6cb53278d8f39ac6da4fb8e26820f6ee02ae6e3 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Wed, 12 Sep 2012 12:27:51 +0200
Subject: [PATCH] Improve persistent search logging.

Signed-off-by: Petr Spacek 
---
 src/ldap_helper.c | 14 +++---
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index d9c7ce5d84c3944a86ff1865ff6be073ddc294c8..92edbe7159272772e1c993d46da7c93382cbc5d4 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -3069,9 +3069,9 @@ update_zone(isc_task_t *task, isc_event_t *event)
 
 cleanup:
 	if (result != ISC_R_SUCCESS)
-		log_error("update_action (psearch) failed for '%s': %s. "
+		log_error_r("update_zone (psearch) failed for '%s'. "
 			  "Zones can be outdated, run `rndc reload`",
-			  pevent->dn, isc_result_totext(result));
+			  pevent->dn);
 
 	ldap_query_free(ISC_FALSE, &ldap_qresult_zone);
 	ldap_query_free(ISC_FALSE, &ldap_qresult_record);
@@ -3125,7 +3125,7 @@ update_config(isc_task_t *task, isc_event_t *event)
 
 cleanup:
 	if (result != ISC_R_SUCCESS)
-		log_error("update_config (psearch) failed for %s. "
+		log_error_r("update_config (psearch) failed for '%s'. "
 			  "Configuration can be outdated, run `rndc reload`",
 			  pevent->dn);
 
@@ -3221,9 +3221,9 @@ update_record(isc_task_t *task, isc_event_t *event)
 	}
 cleanup:
 	if (result != ISC_R_SUCCESS)
-		log_error("update_record (psearch) failed, dn '%s'. "
+		log_error_r("update_record (psearch) failed, dn '%s' change type 0x%x. "
 			  "Records can be outdated, run `rndc reload`",
-			  pevent->dn);
+			  pevent->dn, pevent->chgtype);
 
 	if (dns_name_dynamic(&name))
 		dns_name_free(&name, inst->mctx);
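Review bot: `pevent->chgtype` is printed with `0x%x`, which expects an unsigned int; if chgtype is declared with a wider or signed type this is a format mismatch that `-Wformat` will flag, so please check the declaration. Since the message tells the admin to run `rndc reload`, a symbolic name for the change type would be more useful to them than a raw hex value.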
@@ -3400,7 +3400,7 @@ cleanup:
 		if (prevdn_ldap != NULL)
 			ldap_memfree(prevdn);
 
-		log_error("psearch_update failed for %s zone. "
+		log_error_r("psearch_update failed for '%s' zone. "
 			  "Zone can be outdated, run `rndc reload`",
 			  entry->dn);
 	}
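Review bot: unrelated to the logging change but visible in the context lines just above it, `if (prevdn_ldap != NULL) ldap_memfree(prevdn);` tests one variable and frees another. If `prevdn` and `prevdn_ldap` are distinct pointers this either leaks or frees the wrong buffer; worth verifying while this block is being touched.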
@@ -3586,7 +3586,7 @@ restart:
  * Error means inconsistency of our zones
  * data.
  */
-log_error("ldap_psearch_watcher failed, zones "
+log_error_r("ldap_psearch_watcher failed, zones "
 	  "might be outdated. Run `rndc reload`");
 goto soft_err;
 			}
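Review bot: this `log_error_r` call relies on a local `result` that is not visible in the hunk; please confirm that `result` holds the code of the operation that just failed here and not a stale value from an earlier step, since the message text itself no longer names which call failed.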
-- 
1.7.11.4


[Freeipa-devel] [PATCH 0057] Fix LDAP operation selection logic in ldap_modify_do()

2012-09-12 Thread Petr Spacek

Hello,

There is a fix for LDAP operation selection logic in ldap_modify_do().

Each operation code in the LDAPMod structure can be ORed
with LDAP_MOD_BVALUES.

Petr^2 Spacek
From ab11e62ec2496f2c7245c4d8d80c2fd189b68aa9 Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Tue, 11 Sep 2012 16:23:18 +0200
Subject: [PATCH] Fix LDAP operation selection logic in ldap_modify_do().

Each operation code in the LDAPMod structure can be ORed
with LDAP_MOD_BVALUES.

Signed-off-by: Petr Spacek 
---
 src/ldap_helper.c | 29 +
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 058048f41485999be0d8ffeadea02f2e25879370..d9c7ce5d84c3944a86ff1865ff6be073ddc294c8 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2149,33 +2149,38 @@ ldap_modify_do(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn,
 		CHECK(ldap_connect(ldap_inst, ldap_conn, ISC_FALSE));
 	}
 
+	/* Any mod_op can be ORed with LDAP_MOD_BVALUES. */
+	if ((mods[0]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD)
+		operation_str = "modifying(add)";
+	else if ((mods[0]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE)
+		operation_str = "modifying(del)";
+	else if ((mods[0]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_REPLACE)
+		operation_str = "modifying(replace)";
+	else {
+		operation_str = "modifying(unknown operation)";
+		log_bug("%s: 0x%x", operation_str, mods[0]->mod_op);
+		CHECK(ISC_R_NOTIMPLEMENTED);
+	}
+
 	if (delete_node) {
 		log_debug(2, "deleting whole node: '%s'", dn);
 		ret = ldap_delete_ext_s(ldap_conn->handle, dn, NULL, NULL);
 	} else {
-		log_debug(2, "writing to '%s'", dn);
+		log_debug(2, "writing to '%s': %s", dn, operation_str);
 		ret = ldap_modify_ext_s(ldap_conn->handle, dn, mods, NULL, NULL);
 	}
 
 	result = (ret == LDAP_SUCCESS) ? ISC_R_SUCCESS : ISC_R_FAILURE;
 	if (ret == LDAP_SUCCESS)
 		goto cleanup;
 
-	if (mods[0]->mod_op == LDAP_MOD_ADD)
-		operation_str = "modifying(add)";
-	else if (mods[0]->mod_op == LDAP_MOD_DELETE)
-		operation_str = "modifying(del)";
-	else {
-		operation_str = "modifying(unknown operation)";
-		CHECK(ISC_R_NOTIMPLEMENTED);
-	}
-
 	LDAP_OPT_CHECK(ldap_get_option(ldap_conn->handle, LDAP_OPT_RESULT_CODE,
 			&err_code), "ldap_modify_do(%s) failed to obtain ldap error code",
 			operation_str);
 
 	/* If there is no object yet, create it with an ldap add operation. */
-	if (mods[0]->mod_op == LDAP_MOD_ADD && err_code == LDAP_NO_SUCH_OBJECT) {
+	if ((mods[0]->mod_op & ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD &&
+	 err_code == LDAP_NO_SUCH_OBJECT) {
 		int i;
 		LDAPMod **new_mods;
 		char *obj_str[] = { "idnsRecord", NULL };
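Review bot: the new operation check dereferences `mods[0]` before the `if (delete_node)` branch, while the delete path itself never touches `mods`; if any caller passes NULL or an empty array together with `delete_node`, this introduces a NULL dereference that the old code (which checked `mods` only after the modify failed) did not have. Either move the block into the `else` branch or add `REQUIRE(mods != NULL && mods[0] != NULL)` at the top of the function. The mask `mods[0]->mod_op & ~LDAP_MOD_BVALUES` is also repeated five times; a local `int mod_op = mods[0]->mod_op & ~LDAP_MOD_BVALUES;` would read better and stop a future copy from forgetting the mask. Routing the unknown-operation case through `log_bug` with the raw value is a good addition.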
@@ -2211,7 +2216,7 @@ ldap_modify_do(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn,
 
 	/* do not error out if we are trying to delete an
 	 * unexisting attribute */
-	if (mods[0]->mod_op != LDAP_MOD_DELETE ||
+	if ((mods[0]->mod_op & ~LDAP_MOD_BVALUES) != LDAP_MOD_DELETE ||
 	err_code != LDAP_NO_SUCH_ATTRIBUTE) {
 		result = ISC_R_FAILURE;
 	}
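Review bot: the mask is applied consistently here as well, so a delete of a missing attribute is still treated as success when `LDAP_MOD_BVALUES` is set, which is what the comment intends. Minor: "unexisting" in the comment should be "nonexistent".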
-- 
1.7.11.4


[Freeipa-devel] [PATCH 0056] Fix crash caused by zone deletion vs. SOA serial increment race condition

2012-09-12 Thread Petr Spacek

Hello,

The patch fixes a crash caused by a stupid bug in the logging code.

Petr^2 Spacek
From 01aa00f9ba4feac9f97b34b81c3697b2b7f8122f Mon Sep 17 00:00:00 2001
From: Petr Spacek 
Date: Fri, 7 Sep 2012 16:21:27 +0200
Subject: [PATCH] Fix crash caused by zone deletion vs. SOA serial increment
 race condition.

Signed-off-by: Petr Spacek 
---
 src/ldap_helper.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index e636a84b35d0bcdc8573c6e7146f38ee21a42076..058048f41485999be0d8ffeadea02f2e25879370 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2931,6 +2931,7 @@ soa_serial_increment(isc_mem_t *mctx, ldap_instance_t *inst,
 		dns_name_t *zone_name) {
 	isc_result_t result = ISC_R_FAILURE;
 	ld_string_t *zone_dn = NULL;
+	const char *zone_dn_char = "INACTIVE/UNKNOWN";
 	ldapdb_rdatalist_t rdatalist;
 	dns_rdatalist_t *rdlist = NULL;
 	dns_rdata_t *soa_rdata = NULL;
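Review bot: the `"INACTIVE/UNKNOWN"` default is what makes the cleanup path safe when `dnsname_to_dn` fails, for example because the zone was already removed from the register (the race the subject describes); a one-line comment on the declaration saying that the fallback exists for the failed-lookup case would make the intent clear to the next reader.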
@@ -2944,6 +2945,7 @@ soa_serial_increment(isc_mem_t *mctx, ldap_instance_t *inst,
 	INIT_LIST(rdatalist);
 	CHECK(str_new(mctx, &zone_dn));
 	CHECK(dnsname_to_dn(inst->zone_register, zone_name, zone_dn));
+	zone_dn_char = str_buf(zone_dn);
 	log_debug(5, "incrementing SOA serial number in zone '%s'",
 str_buf(zone_dn));
 
@@ -2978,7 +2980,7 @@ cleanup:
 	if (result != ISC_R_SUCCESS ||
 	isc_serial_gt(new_serial, old_serial) != ISC_TRUE)
 		log_error("SOA serial number incrementation failed in zone '%s'",
-	str_buf(zone_dn));
+zone_dn_char);
 
 	str_destroy(&zone_dn);
 	ldapdb_rdatalist_destroy(mctx, &rdatalist);
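Review bot: `zone_dn_char` aliases the buffer owned by `zone_dn`, so the `log_error` that prints it must stay above `str_destroy(&zone_dn)`, as it does here; a short comment noting that ordering constraint would prevent someone reordering the cleanup later and reintroducing a use-after-free. The change itself is correct: the old code called `str_buf(zone_dn)` in the error path even when the `CHECK(dnsname_to_dn(...))` above had already jumped to cleanup without filling the string.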
-- 
1.7.11.4


Re: [Freeipa-devel] [PATCH 0011] Make sure selinuxusemap behaves consistently to HBAC rule

2012-09-12 Thread Tomas Babej

On 09/11/2012 01:14 PM, Martin Kosek wrote:

On 09/06/2012 01:13 PM, Tomas Babej wrote:

On 09/05/2012 01:56 PM, Martin Kosek wrote:

On 09/03/2012 05:12 PM, Tomas Babej wrote:

Hi,

Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983

Tomas


I found few issues with this patch:

1) Patch needs a rebase

2) Patch does not expect attributes to be set to None, i.e. to be left empty or
to be deleted, e.g.:

# ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set

# ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all

Added SELinux User Map "foo"

Rule name: foo
SELinux User: guest_u:s0
User category: all
Enabled: TRUE

# ipa selinuxusermap-mod foo --usercat= --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set

# ipa selinuxusermap-mod foo --usercat=
---
Modified SELinux User Map "foo"
---
Rule name: foo
SELinux User: guest_u:s0
Enabled: TRUE

# ipa selinuxusermap-mod foo --hbacrule=foo
---
Modified SELinux User Map "foo"
---
Rule name: foo
SELinux User: guest_u:s0
HBAC Rule: foo
Enabled: TRUE

# ipa selinuxusermap-mod foo --hbacrule= --usercat=all
ipa: ERROR: HBAC rule and local members cannot both be set

All these validation failures are not valid.

3) Additionally, I think it would be more readable and less error prone if,
instead of this blob:

+are_local_members_to_be_set  = 'usercategory' in _entry_attrs or \
+   'hostcategory' in _entry_attrs or \
+   'memberuser' in _entry_attrs or \
+   'memberhost' in _entry_attrs

you would use something like this:

are_local_members_to_be_set  = any(attr in _entry_attrs
 for attr in ('usercategory',
  'hostcategory',
  'memberuser',
  'memberhost'))

Martin

1.) Done.
2.) Corrected.
3.) Fixed.

Tomas

1) There are some (corner) cases where this approach still does not work:

# ipa selinuxusermap-show foo
   Rule name: foo
   SELinux User: guest_u:s0
   HBAC Rule: foo
   Enabled: TRUE
# ipa selinuxusermap-mod foo --usercat=all --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set

HBAC rule attribute is being deleted and user category set, so this should not
be rejected.

2) There are also some styling issues (you can use the pep8 tool present in Fedora
to locate them on your own), e.g.:

ipalib/plugins/selinuxusermap.py:247:32: E203 whitespace before ':'
ipalib/plugins/selinuxusermap.py:247:70: E225 missing whitespace around operator
ipalib/plugins/selinuxusermap.py:249:36: E221 multiple spaces before operator
...

Martin

The corner case is fixed now and styling issues corrected as well.

Tomas
From 003e340bceb2bbae614f07edf1dd3d25d1f1ac23 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Thu, 6 Sep 2012 07:03:42 -0400
Subject: [PATCH] Make sure selinuxusemap behaves consistently to HBAC rule

Both selinuxusermap-add and selinuxusermap-mod commands now behave
consistently in not allowing user/host category or user/host members
and HBAC rule being set at the same time. Also adds a bunch of unit
tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983
---
 ipalib/plugins/selinuxusermap.py|  76 +++---
 tests/test_xmlrpc/test_selinuxusermap_plugin.py | 179 
 2 files changed, 237 insertions(+), 18 deletions(-)

diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 13bbb58ec0e6b7bd4275be17198c7452090a0781..32c55850b7d5b78f39cfae8960b8588a35b30251 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -70,6 +70,7 @@ SEEALSO:
 
 notboth_err = _('HBAC rule and local members cannot both be set')
 
+
 def validate_selinuxuser(ugettext, user):
 """
 An SELinux user has 3 components: user:MLS:MCS. user and MLS are required.
@@ -91,7 +92,7 @@ def validate_selinuxuser(ugettext, user):
 
 # If we add in ::: we don't have to check to see if some values are
 # empty
-(name, mls, mcs, ignore) = (user + ':::').split(':',3)
+(name, mls, mcs, ignore) = (user + ':::').split(':', 3)
 
 if not regex_name.match(name):
 return _('Invalid SELinux user name, only a-Z and _ are allowed')
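Review bot: the whitespace fix is fine. The context line just below reads "only a-Z and _ are allowed", which looks like a typo for "a-z, A-Z and _"; since this hunk already touches the validator, it would be worth correcting the user-facing message in the same patch.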
@@ -99,10 +100,12 @@ def validate_selinuxuser(ugettext, user):
 return _('Inv

Re: [Freeipa-devel] [PATCH] 211 Prevent opening of multiple dirty dialogs on navigation

2012-09-12 Thread Petr Vobornik

On 09/10/2012 09:12 PM, Endi Sukma Dewata wrote:

On 9/7/2012 7:37 AM, Petr Vobornik wrote:

Facets which perform an AJAX call after update refresh (clear dirty state)
after calling the dirty dialog's callback. It might lead to multiple
openings of the dirty dialog.

Assuming that calling the dirty dialog's callback can be evaluated as "dirty
state is gone", we can call reset in the callback to prevent the issue.
There will be an incorrect state in the facet for a moment. It will be
fixed soon on execution of the refresh AJAX call's callback. It is not an
issue because it will happen in the background. The user will be looking at a
different facet.

https://fedorahosted.org/freeipa/ticket/2667


ACK.


Pushed to master, ipa-3-0.

--
Petr Vobornik
