Re: [Freeipa-devel] [PATCH] 114 Fix sudo help and summaries
On Thu, 2011-08-25 at 09:28 -0400, Rob Crittenden wrote:
> Martin Kosek wrote:
> > 1) Add sudorule docstring headline
> >
> > 2) Fix naming inconsistency in Sudo plugins help and summaries,
> > especially capitalization of Sudo objects - Sudo Rule, Sudo
> > Command and Sudo Command Group
> >
> > 3) Add missing summaries for sudorule-add-option and
> > sudorule-remove-option
> >
> > https://fedorahosted.org/freeipa/ticket/1595
> > https://fedorahosted.org/freeipa/ticket/1596
>
> This breaks compatibility with old clients:
>
> $ ipa sudorule-add-option test2
> Sudo Option: foo
> ipa: ERROR: non-public: ValueError:
> sudorule_add_option.validate_output(): unexpected keys ['summary'] in
> {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',),
> 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo
> Rule "test2"'}
> Traceback (most recent call last):
>File "/usr/lib/python2.7/site-packages/ipalib/backend.py", line 125,
> in execute
> result = self.Command[_name](*args, **options)
>File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 443,
> in __call__
> self.validate_output(ret)
>File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 895,
> in validate_output
> nice, extra, output)
> ValueError: sudorule_add_option.validate_output(): unexpected keys
> ['summary'] in {'result': {'ipasudoopt': (u'foo',), 'cn': (u'test2',),
> 'ipaenabledflag': (u'TRUE',)}, 'summary': u'Added option "foo" to Sudo
> Rule "test2"'}
> ipa: ERROR: an internal error has occurred
>
Thanks for catching this. I wonder if we should let output param
validation skip unexpected keys in order to be able to do the change in
Output + keep backwards compatibility in cases like this one.
I reworked the patch so that the summaries are printed via
output_for_cli() - this solves this problem.
Martin
>From 15d03bfa966f975df33b4cee478906b300abc756 Mon Sep 17 00:00:00 2001
From: Martin Kosek
Date: Thu, 25 Aug 2011 12:58:17 +0200
Subject: [PATCH] Fix sudo help and summaries
1) Add sudorule docstring headline
2) Fix naming inconsistency in Sudo plugins help and summaries,
especially capitalization of Sudo objects - Sudo Rule, Sudo
Command and Sudo Command Group
3) Add missing summaries for sudorule-add-option and
sudorule-remove-option. To keep backward compatibility with
older clients, just print the missing summary with
output_for_cli(), don't expand Output.
https://fedorahosted.org/freeipa/ticket/1595
https://fedorahosted.org/freeipa/ticket/1596
---
ipalib/plugins/sudocmd.py | 14
ipalib/plugins/sudocmdgroup.py| 40 +++---
ipalib/plugins/sudorule.py| 46 +++--
tests/test_xmlrpc/test_sudocmd_plugin.py |8 ++--
tests/test_xmlrpc/test_sudocmdgroup_plugin.py | 22 ++--
5 files changed, 70 insertions(+), 60 deletions(-)
diff --git a/ipalib/plugins/sudocmd.py b/ipalib/plugins/sudocmd.py
index da78f0ec52f8c3ebb684a4f746c48b5cb055d355..268e3c1bbe7573b4a219321a87b529cf5a5a 100644
--- a/ipalib/plugins/sudocmd.py
+++ b/ipalib/plugins/sudocmd.py
@@ -97,19 +97,19 @@ api.register(sudocmd)
class sudocmd_add(LDAPCreate):
"""
-Create new sudo command.
+Create new Sudo Command.
"""
-msg_summary = _('Added sudo command "%(value)s"')
+msg_summary = _('Added Sudo Command "%(value)s"')
api.register(sudocmd_add)
class sudocmd_del(LDAPDelete):
"""
-Delete sudo command.
+Delete Sudo Command.
"""
-msg_summary = _('Deleted sudo command "%(value)s"')
+msg_summary = _('Deleted Sudo Command "%(value)s"')
api.register(sudocmd_del)
@@ -118,7 +118,7 @@ class sudocmd_mod(LDAPUpdate):
Modify command.
"""
-msg_summary = _('Modified sudo command "%(value)s"')
+msg_summary = _('Modified Sudo Command "%(value)s"')
api.register(sudocmd_mod)
@@ -128,14 +128,14 @@ class sudocmd_find(LDAPSearch):
"""
msg_summary = ngettext(
-'%(count)d sudo command matched', '%(count)d sudo command matched', 0
+'%(count)d Sudo Command matched', '%(count)d Sudo Commands matched', 0
)
api.register(sudocmd_find)
class sudocmd_show(LDAPRetrieve):
"""
-Display sudo command.
+Display Sudo Command.
"""
api.register(sudocmd_show)
diff --git a/ipalib/plugins/sudocmdgroup.py b/ipalib/plugins/sudocmdgroup.py
index e613f465704bce579ecfba5edb591e0b138bbc7e..41d30fb2cd5edf037fd177a8d78e24a582650f5c 100644
--- a/ipalib/plugins/sudocmdgroup.py
+++ b/ipalib/plugins/sudocmdgroup.py
@@ -17,25 +17,25 @@
# You should have received a copy of the GNU General Public License
# along with this program. If not, see
[Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
Hi,
with this patch an initial samba configuration for the AD trust feature
can be created by calling ipa-adtrust-install. Please be aware that you
will need a samba/master build to start smbd with the created
configuration, because only here all the needed features are available.
Günther is working on a spec file so that we can include a samba package
in the IPA development repository
(https://fedorahosted.org/freeipa/ticket/1610).
I haven't used python for quite some time and since this is my first
contribution I'm happy to fix any violations to coding style and other
guidelines.
bye,
Sumit
From 6012f921ed4d0bb9359d70018881a8ebbdfde0f9 Mon Sep 17 00:00:00 2001
From: sbose
Date: Wed, 24 Aug 2011 11:18:56 +0200
Subject: [PATCH] Add ipa-adtrust-install utility
https://fedorahosted.org/freeipa/ticket/1619
---
freeipa.spec.in |2 +
install/po/Makefile.in |1 +
install/tools/Makefile.am |1 +
install/tools/ipa-adtrust-install | 198 +++
install/tools/man/Makefile.am |1 +
install/tools/man/ipa-adtrust-install.1 | 44 +
ipaserver/install/Makefile.am |1 +
ipaserver/install/service.py|3 +-
ipaserver/install/smbinstance.py| 261 +++
9 files changed, 511 insertions(+), 1 deletions(-)
create mode 100755 install/tools/ipa-adtrust-install
create mode 100644 install/tools/man/ipa-adtrust-install.1
create mode 100644 ipaserver/install/smbinstance.py
diff --git a/freeipa.spec.in b/freeipa.spec.in
index
1bf52b952177598bd24afc0560802f1883fa5a60..a67e9329f8230c05b0e9feeb321fb07e4f41a350
100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -370,6 +370,7 @@ fi
%doc COPYING README Contributors.txt
%{_sbindir}/ipa-ca-install
%{_sbindir}/ipa-dns-install
+%{_sbindir}/ipa-adtrust-install
%{_sbindir}/ipa-server-install
%{_sbindir}/ipa-replica-conncheck
%{_sbindir}/ipa-replica-install
@@ -448,6 +449,7 @@ fi
%{_mandir}/man1/ipa-server-certinstall.1.gz
%{_mandir}/man1/ipa-server-install.1.gz
%{_mandir}/man1/ipa-dns-install.1.gz
+%{_mandir}/man1/ipa-adtrust-install.1.gz
%{_mandir}/man1/ipa-ca-install.1.gz
%{_mandir}/man1/ipa-compat-manage.1.gz
%{_mandir}/man1/ipa-nis-manage.1.gz
diff --git a/install/po/Makefile.in b/install/po/Makefile.in
index
a5468752723636b005c1d0876f10326e5c970814..d20a5d9628cb119f7704fcdb2917f1c897194147
100644
--- a/install/po/Makefile.in
+++ b/install/po/Makefile.in
@@ -54,6 +54,7 @@ PY_EXPLICIT_FILES = \
install/tools/ipa-server-install \
install/tools/ipa-ldap-updater \
install/tools/ipa-dns-install \
+ install/tools/ipa-adtrust-install \
install/tools/ipa-ca-install \
ipa-client/ipa-install/ipa-client-install
diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
index
fc615ec04f324c2d9c98dc8cf674938e1064bec6..96da7531764598878f94b6abd54c27a74671c028
100644
--- a/install/tools/Makefile.am
+++ b/install/tools/Makefile.am
@@ -8,6 +8,7 @@ sbin_SCRIPTS = \
ipa-ca-install \
ipa-dns-install \
ipa-server-install \
+ ipa-adtrust-install \
ipa-replica-conncheck \
ipa-replica-install \
ipa-replica-prepare \
diff --git a/install/tools/ipa-adtrust-install
b/install/tools/ipa-adtrust-install
new file mode 100755
index
..3514690027cdbd25c0d5b8cbc56096051a5be809
--- /dev/null
+++ b/install/tools/ipa-adtrust-install
@@ -0,0 +1,198 @@
+#! /usr/bin/python
+#
+# Authors: Sumit Bose
+# Based on ipa-server-install by Karl MacMillan
+# and ipa-dns-install by Martin Nagy
+#
+# Copyright (C) 2011 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
Hi,
On 26.08.2011 12:39, Sumit Bose wrote:
> Hi,
>
> with this patch an initial samba configuration for the AD trust feature
> can be created by calling ipa-adtrust-install. Please be aware that you
> will need a samba/master build to start smbd with the created
> configuration, because only here all the needed features are available.
> Günther is working on a spec file so that we can include a samba package
> in the IPA development repository
> (https://fedorahosted.org/freeipa/ticket/1610).
> +def parse_options():
> +parser = IPAOptionParser(version=version.VERSION)
> +parser.add_option("-p", "--ds-password", dest="dm_password",
> + sensitive=True, help="admin password")
If this is the only password you need, then make it --password. And it
is Directory Manager's account password, right? Would be nice to change
help to be more explicit.
> +parser.add_option("--ip-address", dest="ip_address",
> + type="ip", ip_local=True, help="Master Server IP
> Address")
> +def main():
> +safe_options, options = parse_options()
> +
> +if os.getegid() != 0:
> +sys.exit("Must be root to setup AD trusts on server")
> +
> +installutils.check_server_configuration()
> +
> +standard_logging_setup("/var/log/ipaserver-install.log", options.debug,
> filemode='a')
> +print "\nThe log file for this installation can be found in
> /var/log/ipaserver-install.log"
> +
> +logging.debug('%s was invoked with options: %s' % (sys.argv[0],
> safe_options))
> +logging.debug("missing options might be asked for interactively later\n")
> +
> +global fstore
> +fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
> +
> +print
> "=="
> +print "This program will setup components neede to establish trust to AD
> domains for"
Typo: "neede_d_"
> +# Check we have a public IP that is associated with the hostname
> +if options.ip_address:
> +ip = options.ip_address
I would also run options.ip_address through ipautil.CheckedIPAddress()
to make sure it is correct and is one of local addresses.
> +else:
> +hostaddr = resolve_host(api.env.host)
> +try:
> +ip = hostaddr and ipautil.CheckedIPAddress(hostaddr,
> match_local=True)
> +except Exception, e:
> +print "Error: Invalid IP Address %s: %s" % (ip, e)
> +ip = None
> +
> +if not ip:
> +if options.unattended:
> +sys.exit("Unable to resolve IP address for host name")
> +else:
> +ip = read_ip_address(api.env.host, fstore)
> +ip_address = str(ip)
> +logging.debug("will use ip_address: %s\n", ip_address)
And same here. You don't really want to blindly believe into what's entered.
> +print "\tAdditionally you have to make sure the FreeIPA LDAP server
> cannot reached"
> +print "\tby any domain controller in the Active Directory domain by
> closing the"
> +print "\tfollowing ports for these servers:"
> +print "\t\tTCP Ports:"
> +print "\t\t * 389, 636: LDAP/LDAPS"
> +print "\t\tUDP Ports:"
> +print "\t\t * 389: (C)LDAP"
> +print "\tYou may want to choose to REJECT the packages instead of
> DROPing them to"
s/packages/network packets/
> diff --git a/ipaserver/install/smbinstance.py
> b/ipaserver/install/smbinstance.py
> new file mode 100644
The code in smbinstance.py assumes Samba has been compiled with
/etc/ipa/smb.conf as default configuration file location. Is that correct?
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling
Adam Young wrote: On 08/24/2011 11:38 AM, Rob Crittenden wrote: The upgrade process makes saves some information in the IPA sysrestore state. If any of this state remains after an uninstall then you will get an error during re-install. Theoretically all this state should be removed as part of the upgrade process but on the outside chance, lets remove the state at uninstall to prevent problems. I've had just one report of this, it may have been due to a blown upgrade, I'm not sure. I've been unable to reproduce it but at worst this is a noop and at best allows easy re-installation. This requires patch 852. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel So my latest patch changes .etc.httpd/nss.conf. Is this an appropriate approach for that file as well? No, we back up the entire file. It should get restored to its previous state on uninstall. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Fri, 2011-08-26 at 11:39 +0200, Sumit Bose wrote:
>
> +def check_inst(unattended):
> +has_smb = True
> +
> +if not os.path.exists('/usr/sbin/smbd'):
> +print "Samba was not found on this system"
> +print "Please install the 'samba' package and start the
> installation again"
> +has_smb = False
> +
> +#TODO: Add check for needed samba4 libraries
> +
> +return has_smb
> +
We should probably run smbd -b and parse the output to see if it has all
the options we need, perhaps check the version number too.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCHES] freeipa-v3
On Wed, 2011-08-24 at 17:21 +0300, Alexander Bokovoy wrote: > On 22.08.2011 18:17, Alexander Bokovoy wrote: > > On 22.08.2011 16:30, Simo Sorce wrote: > >> As we finally branched ipa-2-1 from master we are now open to put 3.0 > >> related material on the tree. > >> > >> Here is my rebased set of patches that apply on top of master: > >> http://fedorapeople.org/gitweb?p=simo/public_git/freeipa.git;a=summary > >> > >> They are in the freeipa-v3 branch. > >> > >> Please review and work with me to rebase/refactor any patch that would > >> get a nack. We will fix them until your liking and will finally emit > >> just a one, huge, ACK, or NACK :) > > I went through first 14 commits. ACK for 13 first. > > > > In 6385c80c6c71ae8c4d1f11230c8408bd4bf3f9e3 ipadb_realm_to_ldapi_uri() > > uses two string constants "ldapi://" and "%2fslapd-" four times each. It > > would be nice to #define them and use macros instead, purely for > > maintenance purposes. > > > > In the same function there is comment with typo (patch instead of path). > > > > These are minor and you probably can ignore them. > > > > I'll continue with remaining ones tomorrow. > Finally went through all patches. > > Simo did make squash-in commits to address found issues (which were > discussed on #freeipa over past few days). > > I don't have comments anymore. ACK. We did a smoke test and fixed 2 remaining issues. One introduced during the review phase One introduce by me with the latest schema patches. All has been fixed and I pushed the patches (after squashing in the squash-ins) to master. Master is now officially on the 3.0 track. Please note that until F15/F16 MIT Kerberos packages are updated you will need the packages in the ipa-devel repo to successfully install ipa due to an issue with the kadmin init scripts. Happy hacking! Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
More comments.
On Fri, 2011-08-26 at 11:39 +0200, Sumit Bose wrote:
[..]
> +if not options.unattended:
> +print ""
> +print "The following operations may take some minutes to
> complete."
> +print "Please wait until the prompt is returned."
> +print ""
> +
> +# Create a BIND instance
comment seem to be wrong here :)
> +if options.unattended and not options.dm_password:
> +sys.exit("\nIn unattended mode you need to provide at least
> the -p option")
> +
> +dm_password = options.dm_password or read_password("Directory
> Manager",
> + confirm=False,
> validate=False)
> +smb = smbinstance.SMBInstance(fstore, dm_password)
[..]
> diff --git a/ipaserver/install/service.py
> b/ipaserver/install/service.py
> index
> a7f6ff4eea1b67f714e18f882a082d4ad7d83026..7e0d2bd314f00ccf0b0ee37a9d572bdd5ee89414
> 100644
> --- a/ipaserver/install/service.py
> +++ b/ipaserver/install/service.py
> @@ -37,7 +37,8 @@ SERVICE_LIST = {
> 'KPASSWD':('kadmin', 20),
> 'DNS':('named', 30),
> 'HTTP':('httpd', 40),
> -'CA':('pki-cad', 50)
> +'CA':('pki-cad', 50),
> +'SMB':('smb', 60)
Please do not use SMB (in general I do not think SMB is the right
prefix). Use something like ADTRUST or MSRPC or WINCOMPAT.
> }
>
> def stop(service_name, instance_name="", capture_output=True):
> diff --git a/ipaserver/install/smbinstance.py
> b/ipaserver/install/smbinstance.py
> new file mode 100644
> index
> ..5988f1e056d29af6686d53237b82d460cdc719da
> --- /dev/null
> +++ b/ipaserver/install/smbinstance.py
> @@ -0,0 +1,261 @@
> +# Authors: Sumit Bose
> +#
> +# Copyright (C) 2011 Red Hat
> +# see file 'COPYING' for use and warranty information
> +#
> +# This program is free software; you can redistribute it and/or
> modify
> +# it under the terms of the GNU General Public License as published
> by
> +# the Free Software Foundation, either version 3 of the License, or
> +# (at your option) any later version.
> +#
> +# This program is distributed in the hope that it will be useful,
> +# but WITHOUT ANY WARRANTY; without even the implied warranty of
> +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
> +# GNU General Public License for more details.
> +#
> +# You should have received a copy of the GNU General Public License
> +# along with this program. If not, see
>
Re: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller
On 08/24/2011 10:58 AM, Rob Crittenden wrote: We were missing a few 389-ds files and directories. This removes everything but the logs. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. I am not convinced this is a 100% solution for the original problem. The files like the keytab are only deleted if a A DS instance is found, but if the ywere lying around from a previous installation that did not remove them, they will still be there after running uninstall. Probably a corner case, and should probably be OK in the longer term, unless having these files around prevent an install from getting to the point that the DS gets installed...we'd be in a situation where we can't move forward and can't move back. We'll keep an eye out for that, but I think it is unlikely. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling
On 08/24/2011 11:38 AM, Rob Crittenden wrote: The upgrade process makes saves some information in the IPA sysrestore state. If any of this state remains after an uninstall then you will get an error during re-install. Theoretically all this state should be removed as part of the upgrade process but on the outside chance, lets remove the state at uninstall to prevent problems. I've had just one report of this, it may have been due to a blown upgrade, I'm not sure. I've been unable to reproduce it but at worst this is a noop and at best allows easy re-installation. This requires patch 852. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 255 Fixed host OTP status.
On 08/25/2011 03:29 AM, Endi Sukma Dewata wrote: On 8/24/2011 5:58 PM, Endi Sukma Dewata wrote: The host details page has been modified to show the status of the OTP. Setting a new OTP is now done using a dialog box. Ticket #1710 Attached is a rebased version. Note: As mentioned in rcrit's patch #851, setting a new password will make has_keytab false. Currently the UI doesn't refresh the keytab's status. I'm still considering several options. This will be fixed in a separate patch. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK - didn't thoroughly check ipa_init.json. I assume it's valid because it's generated. -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 256 Fixed host keytab status after setting OTP.
On 08/26/2011 12:14 AM, Endi Sukma Dewata wrote: The host details page has been modified to update the keytab status based on the data returned by the host-mod command for setting OTP. Ticket #1710 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK -- Petr Vobornik ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 858 set SASL_NOCANON in client installer
If the IPA server's reverse DNS is broken, such as the PTR entry
pointing to a different name then enrollment will fail and ipa-getkeytab
won't work.
I tested with:
[rcrit@dane freeipa]$ getent hosts slinky
192.168.166.39 slinky.example.com
[rcrit@dane freeipa]$ getent hosts 192.168.166.39
192.168.166.39 lego.example.com
This relies on fixes in openldap and krb5 in Fedora-15. It is testable
in RHEL 6.2 though.
sssd has similar problems and they are making a change as well. Without
the sssd fix enrollment will succeed but nss won't work.
rob
>From 4fccaf6d5a373c18a53fe99326261e5e504e2020 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Fri, 26 Aug 2011 10:42:40 -0400
Subject: [PATCH] Disable reverse lookups in ipa-join and ipa-getkeytab
This prevents broken DNS from causing enrollment problems.
https://fedorahosted.org/freeipa/ticket/1693
---
ipa-client/ipa-getkeytab.c |7 +++
ipa-client/ipa-join.c |7 +++
2 files changed, 14 insertions(+), 0 deletions(-)
diff --git a/ipa-client/ipa-getkeytab.c b/ipa-client/ipa-getkeytab.c
index 166f46e..5a521d0 100644
--- a/ipa-client/ipa-getkeytab.c
+++ b/ipa-client/ipa-getkeytab.c
@@ -577,6 +577,13 @@ static int ldap_set_keytab(krb5_context krbctx,
goto error_out;
}
+/* Don't do DNS canonicalization */
+ ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+ if (ret != LDAP_SUCCESS) {
+ fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+ goto error_out;
+ }
+
version = LDAP_VERSION3;
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
diff --git a/ipa-client/ipa-join.c b/ipa-client/ipa-join.c
index f6ca693..aac8097 100644
--- a/ipa-client/ipa-join.c
+++ b/ipa-client/ipa-join.c
@@ -213,6 +213,13 @@ connect_ldap(const char *hostname, const char *binddn, const char *bindpw) {
goto fail;
}
+/* Don't do DNS canonicalization */
+ret = ldap_set_option(ld, LDAP_OPT_X_SASL_NOCANON, LDAP_OPT_ON);
+if (ret != LDAP_SUCCESS) {
+fprintf(stderr, _("Unable to set LDAP_OPT_X_SASL_NOCANON\n"));
+goto fail;
+}
+
ret = ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version);
if (ret != LDAP_SUCCESS) {
fprintf(stderr, _("Unable to set LDAP version\n"));
--
1.7.1
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 256 Fixed host keytab status after setting OTP.
On 8/26/2011 9:26 AM, Petr Vobornik wrote: On 08/26/2011 12:14 AM, Endi Sukma Dewata wrote: The host details page has been modified to update the keytab status based on the data returned by the host-mod command for setting OTP. Ticket #1710 ACK Pushed to master and ipa-2-1. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 255 Fixed host OTP status.
On 8/26/2011 9:26 AM, Petr Vobornik wrote: On 08/25/2011 03:29 AM, Endi Sukma Dewata wrote: The host details page has been modified to show the status of the OTP. Setting a new OTP is now done using a dialog box. Ticket #1710 Attached is a rebased version. Note: As mentioned in rcrit's patch #851, setting a new password will make has_keytab false. Currently the UI doesn't refresh the keytab's status. I'm still considering several options. This will be fixed in a separate patch. ACK - didn't thoroughly check ipa_init.json. I assume it's valid because it's generated. Yes, it's the actual server output captured using update_ipa_init.sh. Pushed to master and ipa-2-1. -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 858 set SASL_NOCANON in client installer
On Fri, 2011-08-26 at 11:06 -0400, Rob Crittenden wrote: > If the IPA server's reverse DNS is broken, such as the PTR entry > pointing to a different name then enrollment will fail and > ipa-getkeytab > won't work. > > I tested with: > > [rcrit@dane freeipa]$ getent hosts slinky > 192.168.166.39 slinky.example.com > [rcrit@dane freeipa]$ getent hosts 192.168.166.39 > 192.168.166.39 lego.example.com > > This relies on fixes in openldap and krb5 in Fedora-15. It is > testable > in RHEL 6.2 though. > > sssd has similar problems and they are making a change as well. > Without > the sssd fix enrollment will succeed but nss won't work. > ACK! Simo. > -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Fri, Aug 26, 2011 at 02:08:27PM +0300, Alexander Bokovoy wrote:
> Hi,
>
> On 26.08.2011 12:39, Sumit Bose wrote:
> > Hi,
> >
> > with this patch an initial samba configuration for the AD trust feature
> > can be created by calling ipa-adtrust-install. Please be aware that you
> > will need a samba/master build to start smbd with the created
> > configuration, because only here all the needed features are available.
> > Günther is working on a spec file so that we can include a samba package
> > in the IPA development repository
> > (https://fedorahosted.org/freeipa/ticket/1610).
>
> > +def parse_options():
> > +parser = IPAOptionParser(version=version.VERSION)
> > +parser.add_option("-p", "--ds-password", dest="dm_password",
> > + sensitive=True, help="admin password")
> If this is the only password you need, then make it --password. And it
> is Directory Manager's account password, right? Would be nice to change
> help to be more explicit.
ipa-server-install and ipa-dns-install use the same option for the same
purpose, so I thought it might be a good idea to use the same. But you
are right "admin password" is misleading here. Maybe the help should be
fixed in ipa-server-install and ipa-dns-install, too?
>
> > +parser.add_option("--ip-address", dest="ip_address",
> > + type="ip", ip_local=True, help="Master Server IP
> > Address")
>
> > +def main():
> > +safe_options, options = parse_options()
> > +
> > +if os.getegid() != 0:
> > +sys.exit("Must be root to setup AD trusts on server")
> > +
> > +installutils.check_server_configuration()
> > +
> > +standard_logging_setup("/var/log/ipaserver-install.log",
> > options.debug, filemode='a')
> > +print "\nThe log file for this installation can be found in
> > /var/log/ipaserver-install.log"
> > +
> > +logging.debug('%s was invoked with options: %s' % (sys.argv[0],
> > safe_options))
> > +logging.debug("missing options might be asked for interactively
> > later\n")
> > +
> > +global fstore
> > +fstore = sysrestore.FileStore('/var/lib/ipa/sysrestore')
> > +
> > +print
> > "=="
> > +print "This program will setup components neede to establish trust to
> > AD domains for"
> Typo: "neede_d_"
fixed
>
> > +# Check we have a public IP that is associated with the hostname
> > +if options.ip_address:
> > +ip = options.ip_address
> I would also run options.ip_address through ipautil.CheckedIPAddress()
> to make sure it is correct and is one of local addresses.
>
> > +else:
> > +hostaddr = resolve_host(api.env.host)
> > +try:
> > +ip = hostaddr and ipautil.CheckedIPAddress(hostaddr,
> > match_local=True)
> > +except Exception, e:
> > +print "Error: Invalid IP Address %s: %s" % (ip, e)
> > +ip = None
> > +
> > +if not ip:
> > +if options.unattended:
> > +sys.exit("Unable to resolve IP address for host name")
> > +else:
> > +ip = read_ip_address(api.env.host, fstore)
> > +ip_address = str(ip)
> > +logging.debug("will use ip_address: %s\n", ip_address)
> And same here. You don't really want to blindly believe into what's entered.
fixed
>
> > +print "\tAdditionally you have to make sure the FreeIPA LDAP server
> > cannot reached"
> > +print "\tby any domain controller in the Active Directory domain by
> > closing the"
> > +print "\tfollowing ports for these servers:"
> > +print "\t\tTCP Ports:"
> > +print "\t\t * 389, 636: LDAP/LDAPS"
> > +print "\t\tUDP Ports:"
> > +print "\t\t * 389: (C)LDAP"
> > +print "\tYou may want to choose to REJECT the packages instead of
> > DROPing them to"
> s/packages/network packets/
fixed
>
> > diff --git a/ipaserver/install/smbinstance.py
> > b/ipaserver/install/smbinstance.py
> > new file mode 100644
> The code in smbinstance.py assumes Samba has been compiled with
> /etc/ipa/smb.conf as default configuration file location. Is that correct?
>
no, __write_sysconfig_samba() adds "-s /etc/ipa/smb.conf" to
SMBDOPTIONS in /etc/sysconfig/samba.
Thanks for the review. I will send a new patch when I've fixed the
issues Simo found.
bye,
Sumit
> --
> / Alexander Bokovoy
>
> ___
> Freeipa-devel mailing list
> Freeipa-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
[Freeipa-devel] [PATCH] 009 Modifying sudo options refreshes the whole page
https://fedorahosted.org/freeipa/ticket/1689
Currently adding or deleting sudo options will refresh the entire page.
It's not a problem but the code could be optimized to refresh only the
sudo options table
--
Petr Vobornik
From 05bfd5e1fa5126ee581273d1adfcf995da4d4dcd Mon Sep 17 00:00:00 2001
From: Petr Vobornik
Date: Fri, 26 Aug 2011 18:36:54 +0200
Subject: [PATCH] Modifying sudo options refreshes the whole page
https://fedorahosted.org/freeipa/ticket/1689
Currently adding or deleting sudo options will refresh the entire page. It's not a problem but the code could be optimized to refresh only the sudo options table
---
install/ui/sudo.js | 36
install/ui/widget.js | 10 +-
2 files changed, 33 insertions(+), 13 deletions(-)
diff --git a/install/ui/sudo.js b/install/ui/sudo.js
index 8d33550c0d7c25bc8f882084cb8a04662a54ebd7..4b0a2e12350dda47c6ee918a595609e57ebcd7bb 100644
--- a/install/ui/sudo.js
+++ b/install/ui/sudo.js
@@ -574,12 +574,12 @@ IPA.sudo.options_section = function(spec) {
options: {
ipasudoopt: value
},
-on_success: function() {
-that.facet.refresh();
+on_success: function(data) {
+that.load(data.result.result);
dialog.close();
},
-on_error: function() {
-that.facet.refresh();
+on_error: function(data) {
+that.update();
dialog.close();
}
});
@@ -618,12 +618,19 @@ IPA.sudo.options_section = function(spec) {
dialog.execute = function() {
var batch = IPA.batch_command({
-on_success: function() {
-that.facet.refresh();
+on_success: function(data) {
+//last successful result of batch results contains valid data
+var result = data.result.results[data.result.results.length - 1].result;
+if(result) {
+that.load(result);
+} else {
+that.update();
+}
+
dialog.close();
},
-on_error: function() {
-that.facet.refresh();
+on_error: function(data) {
+that.update();
dialog.close();
}
});
@@ -646,6 +653,19 @@ IPA.sudo.options_section = function(spec) {
dialog.open(that.container);
};
+that.update = function() {
+var command = IPA.command({
+entity: that.facet.entity.name,
+method: 'show',
+args: that.facet.get_primary_key(true),
+on_success: function(data) {
+that.load(data.result.result);
+}
+});
+
+command.execute();
+};
+
/*initialization*/
setup_table();
diff --git a/install/ui/widget.js b/install/ui/widget.js
index 62af6c16d10aac65e51191f2da955b8f1ebb3bed..83cb4dcb23c6a296739bf7e8604ef3f7a6a5b3e7 100644
--- a/install/ui/widget.js
+++ b/install/ui/widget.js
@@ -1471,11 +1471,11 @@ IPA.table_widget = function (spec) {
that.empty();
that.values = result[that.name];
-if (!that.values) return;
-
-for (var i=0; i___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/25/2011 05:24 PM, Adam Young wrote:
Uses the updated version of pkicreate which makes an ipa specific
proxy config file.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
The test for the proxy file in /etc/httpd/conf.d was "isfile' but
since the file is actually a symlink, it needs to be "islink". This
one checks for either.
From 15dac1a0ff7288cf9f2e6296e90d76facc6c497f Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Wed, 17 Aug 2011 15:36:18 -0400
Subject: [PATCH] enable proxy for dogtag
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
adding /etc/http/conf.d/ symlink to /etc/pki-ca/proxy.conf, and cleans it up on uninstall
---
ipalib/constants.py | 10 +++---
ipapython/dogtag.py |2 +-
ipapython/nsslib.py | 15 ++-
ipaserver/install/cainstance.py | 15 +--
ipaserver/install/certs.py|4 ++--
ipaserver/install/httpinstance.py |5 +
ipaserver/plugins/dogtag.py |2 +-
7 files changed, 43 insertions(+), 10 deletions(-)
diff --git a/ipalib/constants.py b/ipalib/constants.py
index 026e0735441eabf8dbe63fffa85da69aa151c5d7..51cf566e1cb5631593f005af5a940cbd5b66f444 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -136,9 +136,13 @@ DEFAULT_CONFIG = (
# CA plugin:
('ca_host', FQDN), # Set in Env._finalize_core()
-('ca_port', 9180),
-('ca_agent_port', 9443),
-('ca_ee_port', 9444),
+('ca_port', 80),
+('ca_agent_port', 443),
+('ca_ee_port', 443),
+('ca_install_port', 9180),
+('ca_agent_install_port', 9443),
+('ca_ee_install_port', 9444),
+
# Special CLI:
('prompt_all', False),
diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
index 969535e4b95d3fc7f7f5202000bb29deef558e32..02f981974e1047a880ed05e428a86b4a4d4a6c21 100644
--- a/ipapython/dogtag.py
+++ b/ipapython/dogtag.py
@@ -34,7 +34,7 @@ def get_ca_certchain(ca_host=None):
if ca_host is None:
ca_host = api.env.ca_host
chain = None
-conn = httplib.HTTPConnection(ca_host, api.env.ca_port)
+conn = httplib.HTTPConnection(ca_host, api.env.ca_install_port)
conn.request("GET", "/ca/ee/ca/getCertChain")
res = conn.getresponse()
doc = None
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index e347d217992a4a549413f3e33d9248a403ee68cd..c4d8cdcf60704c0002663f1abb6aff84022c2c55 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -208,12 +208,25 @@ class NSSConnection(httplib.HTTPConnection, NSSAddressFamilyFallback):
self._create_socket()
def _create_socket(self):
+
+#TODO remove the try block once python-nss is guaranteed to
+ #contain these values
+try :
+ssl_enable_renegotiation = SSL_ENABLE_RENEGOTIATION #pylint: disable=E0602
+ssl_require_safe_negotiation = SSL_REQUIRE_SAFE_NEGOTIATION #pylint: disable=E0602
+ssl_renegotiate_requires_xtn = SSL_RENEGOTIATE_REQUIRES_XTN #pylint: disable=E0602
+except :
+ssl_enable_renegotiation = 20
+ssl_require_safe_negotiation = 21
+ssl_renegotiate_requires_xtn = 2
+
# Create the socket here so we can do things like let the caller
# override the NSS callbacks
self.sock = ssl.SSLSocket(family=self.family)
self.sock.set_ssl_option(ssl.SSL_SECURITY, True)
self.sock.set_ssl_option(ssl.SSL_HANDSHAKE_AS_CLIENT, True)
-
+self.sock.set_ssl_option(ssl_require_safe_negotiation, False)
+self.sock.set_ssl_option(ssl_enable_renegotiation, ssl_renegotiate_requires_xtn)
# Provide a callback which notifies us when the SSL handshake is complete
self.sock.set_handshake_callback(self.handshake_callback)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 5c6c49e4b1780e5b64815cad2c39c7994d981cd4..b82a29daf8568aa8f88f041d54f89f835261072e 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -69,6 +69,8 @@ ADMIN_SECURE_PORT=9445
EE_CLIENT_AUTH_PORT=9446
UNSECURE_PORT=9180
TOMCAT_SERVER_PORT=9701
+PKI_PROXY_FILE="/etc/pki-ca/proxy-ip
Re: [Freeipa-devel] [PATCH] 858 set SASL_NOCANON in client installer
Simo Sorce wrote: On Fri, 2011-08-26 at 11:06 -0400, Rob Crittenden wrote: If the IPA server's reverse DNS is broken, such as the PTR entry pointing to a different name then enrollment will fail and ipa-getkeytab won't work. I tested with: [rcrit@dane freeipa]$ getent hosts slinky 192.168.166.39 slinky.example.com [rcrit@dane freeipa]$ getent hosts 192.168.166.39 192.168.166.39 lego.example.com This relies on fixes in openldap and krb5 in Fedora-15. It is testable in RHEL 6.2 though. sssd has similar problems and they are making a change as well. Without the sssd fix enrollment will succeed but nss won't work. ACK! Simo. pushed to master and ipa-2-1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 852 remove more files in uninstaller
Adam Young wrote: On 08/24/2011 10:58 AM, Rob Crittenden wrote: We were missing a few 389-ds files and directories. This removes everything but the logs. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK. I am not convinced this is a 100% solution for the original problem. The files like the keytab are only deleted if a A DS instance is found, but if the ywere lying around from a previous installation that did not remove them, they will still be there after running uninstall. Probably a corner case, and should probably be OK in the longer term, unless having these files around prevent an install from getting to the point that the DS gets installed...we'd be in a situation where we can't move forward and can't move back. We'll keep an eye out for that, but I think it is unlikely. pushed to master and ipa-2-1 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: > On 08/25/2011 05:24 PM, Adam Young wrote: > > Uses the updated version of pkicreate which makes an ipa specific > > proxy config file. > > > > > > ___ > > Freeipa-devel mailing list > > Freeipa-devel@redhat.com > > https://www.redhat.com/mailman/listinfo/freeipa-devel > The test for the proxy file in /etc/httpd/conf.d was "isfile' but > since the file is actually a symlink, it needs to be "islink". This > one checks for either. Nack, install fails after configuring the http service. Restart bails out using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output) I get an permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user). Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 853 remove upgrade state when uninstalling
Adam Young wrote: On 08/24/2011 11:38 AM, Rob Crittenden wrote: The upgrade process makes saves some information in the IPA sysrestore state. If any of this state remains after an uninstall then you will get an error during re-install. Theoretically all this state should be removed as part of the upgrade process but on the outside chance, lets remove the state at uninstall to prevent problems. I've had just one report of this, it may have been due to a blown upgrade, I'm not sure. I've been unable to reproduce it but at worst this is a noop and at best allows easy re-installation. This requires patch 852. rob ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel ACK pushed to master ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: > On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: > > On 08/25/2011 05:24 PM, Adam Young wrote: > > > Uses the updated version of pkicreate which makes an ipa specific > > > proxy config file. > > > > > > > > > ___ > > > Freeipa-devel mailing list > > > Freeipa-devel@redhat.com > > > https://www.redhat.com/mailman/listinfo/freeipa-devel > > The test for the proxy file in /etc/httpd/conf.d was "isfile' but > > since the file is actually a symlink, it needs to be "islink". This > > one checks for either. > > Nack, install fails after configuring the http service. > Restart bails out > > using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it > was suppressing the error output) I get an permission denied error > trying to open /etc/httpd/conf.d/proxy-ipa.conf > That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned > by pkiuser:pkiuser with permission 660 (therefore not readable by the > apache user). Ok it turns out permissions are not the real issue as the file is read while apache is till root, it's a selinux issue. Apache starts if I setenforce 0 Still a NAck of course, it needs to work with selinux in enforcing mode Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On 26.08.2011 18:59, Sumit Bose wrote:
>>> +def parse_options():
>>> +parser = IPAOptionParser(version=version.VERSION)
>>> +parser.add_option("-p", "--ds-password", dest="dm_password",
>>> + sensitive=True, help="admin password")
>> If this is the only password you need, then make it --password. And it
>> is Directory Manager's account password, right? Would be nice to change
>> help to be more explicit.
>
> ipa-server-install and ipa-dns-install use the same option for the same
> purpose, so I thought it might be a good idea to use the same. But you
> are right "admin password" is misleading here. Maybe the help should be
> fixed in ipa-server-install and ipa-dns-install, too?
Please file a ticket for that.
>>> diff --git a/ipaserver/install/smbinstance.py
>>> b/ipaserver/install/smbinstance.py
>>> new file mode 100644
>> The code in smbinstance.py assumes Samba has been compiled with
>> /etc/ipa/smb.conf as default configuration file location. Is that correct?
>>
>
> no, __write_sysconfig_samba() adds "-s /etc/ipa/smb.conf" to
> SMBDOPTIONS in /etc/sysconfig/samba.
But then net utility will not be able to use it. Same for nmbd and
winbindd. If for last two you could use /etc/sysconfig/samba to direct
them to a proper configuration, you can't do so for /usr/bin/net.
--
/ Alexander Bokovoy
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Fri, Aug 26, 2011 at 09:35:16PM +0300, Alexander Bokovoy wrote: > >>> diff --git a/ipaserver/install/smbinstance.py > >>> b/ipaserver/install/smbinstance.py > >>> new file mode 100644 > >> The code in smbinstance.py assumes Samba has been compiled with > >> /etc/ipa/smb.conf as default configuration file location. Is that correct? > >> > > > > no, __write_sysconfig_samba() adds "-s /etc/ipa/smb.conf" to > > SMBDOPTIONS in /etc/sysconfig/samba. > But then net utility will not be able to use it. Same for nmbd and > winbindd. If for last two you could use /etc/sysconfig/samba to direct > them to a proper configuration, you can't do so for /usr/bin/net. Currently we plan not to use nmbd or winbind. But you are right about net or other utilities. Maybe we should just use the default samba config file, otherwise we would have to add some paragraphs to the documentation explaining how to use the samba utilities. Simo, what do you think? bye, Sumit > > -- > / Alexander Bokovoy > > ___ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 1 Add ipa-adtrust-install utility
On Fri, 2011-08-26 at 20:52 +0200, Sumit Bose wrote: > On Fri, Aug 26, 2011 at 09:35:16PM +0300, Alexander Bokovoy wrote: > > >>> diff --git a/ipaserver/install/smbinstance.py > > >>> b/ipaserver/install/smbinstance.py > > >>> new file mode 100644 > > >> The code in smbinstance.py assumes Samba has been compiled with > > >> /etc/ipa/smb.conf as default configuration file location. Is that > > >> correct? > > >> > > > > > > no, __write_sysconfig_samba() adds "-s /etc/ipa/smb.conf" to > > > SMBDOPTIONS in /etc/sysconfig/samba. > > But then net utility will not be able to use it. Same for nmbd and > > winbindd. If for last two you could use /etc/sysconfig/samba to direct > > them to a proper configuration, you can't do so for /usr/bin/net. > > Currently we plan not to use nmbd or winbind. But you are right about > net or other utilities. Maybe we should just use the default samba > config file, otherwise we would have to add some paragraphs to the > documentation explaining how to use the samba utilities. > > Simo, what do you think? I guess we should use the standard /etc/samba/smb.conf After all we are only setting one line in there and then using the standard registry tdbs to hold configuration, so it's not like we are not going to stomp all over the default samba tdbs anyway. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 009 Modifying sudo options refreshes the whole page
On 8/26/2011 11:41 AM, Petr Vobornik wrote: https://fedorahosted.org/freeipa/ticket/1689 Currently adding or deleting sudo options will refresh the entire page. It's not a problem but the code could be optimized to refresh only the sudo options table We have several scenarios for sudo options: 1. Add succeeded: The command returns the new record, so we can use it to load the table. No problem here. 2. Add failed: We may be able to assume the data on the server didn't change, so we don't have to update the table. (Yes, the old code does a refresh, but I don't think it's necessary.) 3. Delete batch failed: I think we can assume nothing was executed, same as #2. 4. Delete batch succeeded: It could contain a mix of successes and failures. Like you said, we should use the last successful result. But instead of checking only the last result and do a load() or update(), we could iterate through the results and find the last successful one (the one with non-empty result). If we find one, then we can use it to load the table. If there isn't any, it means all failed, so we don't do anything, same as #2. What do you think? -- Endi S. Dewata ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/26/2011 02:34 PM, Simo Sorce wrote:
On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
On 08/25/2011 05:24 PM, Adam Young wrote:
Uses the updated version of pkicreate which makes an ipa specific
proxy config file.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
The test for the proxy file in /etc/httpd/conf.d was "isfile' but
since the file is actually a symlink, it needs to be "islink". This
one checks for either.
Nack, install fails after configuring the http service.
Restart bails out
using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it
was suppressing the error output) I get an permission denied error
trying to open /etc/httpd/conf.d/proxy-ipa.conf
That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned
by pkiuser:pkiuser with permission 660 (therefore not readable by the
apache user).
Ok it turns out permissions are not the real issue as the file is read
while apache is till root, it's a selinux issue.
Apache starts if I setenforce 0
Still a NAck of course, it needs to work with selinux in enforcing mode
Simo.
This version owns the proxy config file. It works with setenforce 0,
but does not work with SELinux, so, preemptive-nack. But I will be gone
for a week, so if someone wants to pick this up and run with it, start
from here.
From 00b43e83864f9a27b20b1d2e90010c7cee007d19 Mon Sep 17 00:00:00 2001
From: Adam Young
Date: Wed, 17 Aug 2011 15:36:18 -0400
Subject: [PATCH] enable proxy for dogtag
Dogtag is going to be proxied through httpd. To make this work, it has to support renegotiation of the SSL
connection. This patch enables renegotiate in the nss configuration file during during apache configuration,
as well as modifies libnss to set the appropriate optins on the ssl connection in order to renegotiate.
The IPA install uses the internal ports instead of proxying through
httpd since httpd is not set up yet.
IPA needs to Request the certificate through a port that uses authentication. On the Dogtag side, they provide an additional mapping for this: /ca/eeca/ca as opposed tp /ca/ee/ca just for this purpose.
https://fedorahosted.org/freeipa/ticket/1334
add flag to pkicreate in order to enable using proxy.
add the proxy file in /etc/http/conf.d/
---
freeipa.spec.in |3 +++
install/conf/Makefile.am |1 +
install/conf/proxy-ipa.conf | 25 +
ipalib/constants.py | 10 +++---
ipapython/dogtag.py |2 +-
ipapython/nsslib.py | 15 ++-
ipaserver/install/cainstance.py |6 --
ipaserver/install/certs.py|4 ++--
ipaserver/install/httpinstance.py |5 +
ipaserver/plugins/dogtag.py |2 +-
10 files changed, 63 insertions(+), 10 deletions(-)
create mode 100644 install/conf/proxy-ipa.conf
diff --git a/freeipa.spec.in b/freeipa.spec.in
index d25aee693591243da2adf01319869c60919d2dd0..c8a125a834a159401c295a0080f371a968435c21 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -304,6 +304,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/ipa_error.css \
# So we can own our Apache configuration
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/proxy-ipa.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
mkdir -p %{buildroot}%{_initrddir}
install -m755 ipa.init %{buildroot}%{_initrddir}/ipa
@@ -449,8 +450,10 @@ fi
%config(noreplace) %{_sysconfdir}/ipa/html/hbac-deny-remove.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/proxy-ipa.conf
%{_usr}/share/ipa/ipa.conf
%{_usr}/share/ipa/ipa-rewrite.conf
+%{_usr}/share/ipa/proxy-ipa.conf
%dir %{_usr}/share/ipa/updates/
%{_usr}/share/ipa/updates/*
%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
diff --git a/install/conf/Makefile.am b/install/conf/Makefile.am
index e00ad618f47b704d3fb6451545fe3fbfaa1b31a9..2055f4e93bf7b884f318315eced8da1208d13a65 100644
--- a/install/conf/Makefile.am
+++ b/install/conf/Makefile.am
@@ -3,6 +3,7 @@ NULL =
appdir = $(IPA_DATA_DIR)
app_DATA = \
ipa.conf \
+ proxy-ipa.conf \
ipa-rewrite.conf \
$(NULL)
diff --git a/install/conf/proxy-ipa.conf b/install/conf/proxy-ipa.conf
new file mode 100644
index ..af949209f897c274fce6137e8a4ac6a19da263db
--- /dev/null
+++ b/install/conf/proxy-ipa.conf
@@ -0,0 +1,25 @@
+ProxyRequests Off
+
+# matches for ee port
+
+NSSOptions +StdEnvVars +ExportCertData +StrictRequire
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: > On 08/26/2011 02:34 PM, Simo Sorce wrote: > > On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: > >> On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: > >>> On 08/25/2011 05:24 PM, Adam Young wrote: > Uses the updated version of pkicreate which makes an ipa specific > proxy config file. > > > ___ > Freeipa-devel mailing list > Freeipa-devel@redhat.com > https://www.redhat.com/mailman/listinfo/freeipa-devel > >>> The test for the proxy file in /etc/httpd/conf.d was "isfile' but > >>> since the file is actually a symlink, it needs to be "islink". This > >>> one checks for either. > >> Nack, install fails after configuring the http service. > >> Restart bails out > >> > >> using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it > >> was suppressing the error output) I get an permission denied error > >> trying to open /etc/httpd/conf.d/proxy-ipa.conf > >> That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned > >> by pkiuser:pkiuser with permission 660 (therefore not readable by the > >> apache user). > > Ok it turns out permissions are not the real issue as the file is read > > while apache is till root, it's a selinux issue. > > Apache starts if I setenforce 0 > > > > Still a NAck of course, it needs to work with selinux in enforcing mode > > > > Simo. > > > This version owns the proxy config file. It works with setenforce 0, > but does not work with SELinux, so, preemptive-nack. But I will be gone > for a week, so if someone wants to pick this up and run with it, start > from here. The previous patch with the corrected isfile vs islink issue works fine as long as the SELinux policy is fixed to allow access to /etc/pki-ca/proxy-ipa.conf I have tested a mastyer and then replica install with no issues after I loaded a custom SeLinux policy that allow that. So tentative ACK to the former patch. I will discuss with Ade how to resolve the SELinux issue and willpush to master once that is solved. Simo. -- Simo Sorce * Red Hat, Inc * New York ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/26/2011 06:30 PM, Simo Sorce wrote: On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote: On 08/26/2011 02:34 PM, Simo Sorce wrote: On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote: On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote: On 08/25/2011 05:24 PM, Adam Young wrote: Uses the updated version of pkicreate which makes an ipa specific proxy config file. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel The test for the proxy file in /etc/httpd/conf.d was "isfile' but since the file is actually a symlink, it needs to be "islink". This one checks for either. Nack, install fails after configuring the http service. Restart bails out using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the way (it was suppressing the error output) I get an permission denied error trying to open /etc/httpd/conf.d/proxy-ipa.conf That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file owned by pkiuser:pkiuser with permission 660 (therefore not readable by the apache user). Ok it turns out permissions are not the real issue as the file is read while apache is till root, it's a selinux issue. Apache starts if I setenforce 0 Still a NAck of course, it needs to work with selinux in enforcing mode Simo. This version owns the proxy config file. It works with setenforce 0, but does not work with SELinux, so, preemptive-nack. But I will be gone for a week, so if someone wants to pick this up and run with it, start from here. The previous patch with the corrected isfile vs islink issue works fine as long as the SELinux policy is fixed to allow access to /etc/pki-ca/proxy-ipa.conf I have tested a mastyer and then replica install with no issues after I loaded a custom SeLinux policy that allow that. So tentative ACK to the former patch. I will discuss with Ade how to resolve the SELinux issue and willpush to master once that is solved. Simo. Previous patch is based on a change for PKI-CA that we are not going to push, so we can't go with that. The file /etc/pki-ca/proxy-ipa.conf will not be available for IPA to use. Whatever the issue is with this patch it has to be fairly minor. The difference in approach is that this one includes the conf file and places it in /etc/httpd/conf.d. The problem is possibly the fact that this one uses localhost instead of the FQDN, although I did test it both ways prior to adding it to the RPM, and it worked with localhost and SELinux in enforcing mode. ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
Re: [Freeipa-devel] [PATCH] 0283-enable-proxy-for-dogtag
On 08/26/2011 08:57 PM, Adam Young wrote:
On 08/26/2011 06:30 PM, Simo Sorce wrote:
On Fri, 2011-08-26 at 17:41 -0400, Adam Young wrote:
On 08/26/2011 02:34 PM, Simo Sorce wrote:
On Fri, 2011-08-26 at 14:03 -0400, Simo Sorce wrote:
On Fri, 2011-08-26 at 12:45 -0400, Adam Young wrote:
On 08/25/2011 05:24 PM, Adam Young wrote:
Uses the updated version of pkicreate which makes an ipa specific
proxy config file.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
The test for the proxy file in /etc/httpd/conf.d was "isfile' but
since the file is actually a symlink, it needs to be "islink".
This
one checks for either.
Nack, install fails after configuring the http service.
Restart bails out
using export SYSTEMCL_SKIP_REDIRECT=1 to get systemd out of the
way (it
was suppressing the error output) I get an permission denied error
trying to open /etc/httpd/conf.d/proxy-ipa.conf
That's a symlink into /etc/pki-ca/proxy-ipa.conf which is a file
owned
by pkiuser:pkiuser with permission 660 (therefore not readable by the
apache user).
Ok it turns out permissions are not the real issue as the file is read
while apache is till root, it's a selinux issue.
Apache starts if I setenforce 0
Still a NAck of course, it needs to work with selinux in enforcing
mode
Simo.
This version owns the proxy config file. It works with setenforce 0,
but does not work with SELinux, so, preemptive-nack. But I will be gone
for a week, so if someone wants to pick this up and run with it, start
from here.
The previous patch with the corrected isfile vs islink issue works fine
as long as the SELinux policy is fixed to allow access
to /etc/pki-ca/proxy-ipa.conf
I have tested a mastyer and then replica install with no issues after I
loaded a custom SeLinux policy that allow that.
So tentative ACK to the former patch.
I will discuss with Ade how to resolve the SELinux issue and willpush to
master once that is solved.
Simo.
Previous patch is based on a change for PKI-CA that we are not going
to push, so we can't go with that. The file
/etc/pki-ca/proxy-ipa.conf will not be available for IPA to use.
Whatever the issue is with this patch it has to be fairly minor. The
difference in approach is that this one includes the conf file and
places it in /etc/httpd/conf.d. The problem is possibly the fact that
this one uses localhost instead of the FQDN, although I did test it
both ways prior to adding it to the RPM, and it worked with localhost
and SELinux in enforcing mode.
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
Failure seems to be from this step in the install log:
After configuration, the server can be operated by the command:
/sbin/service pki-cad restart pki-ca
2011-08-26 21:51:47,114 DEBUG stderr=[error] FAILED
run_command("/sbin/service p
ki-cad restart pki-ca"), exit status=126 output="Stopping pki-ca: [ OK ]
/usr/bin/runcon: /var/lib/pki-ca/pki-ca: Permission denied"
And in the Audit log:
type=AVC msg=audit(1314409907.089:2397): avc: denied { transition }
for pid=21040 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0
ino=35449 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
type=AVC msg=audit(1314410048.272:2398): avc: denied { transition }
for pid=21124 comm="runcon" path="/etc/rc.d/init.d/tomcat6" dev=dm-0
ino=35449 scontext=system_u:system_r:kernel_t:s0
tcontext=system_u:system_r:pki_ca_script_t:s0 tclass=process
___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
