Re: [Freeipa-devel] [PATCH 0011] Make sure selinuxusermap behaves consistently to HBAC rule
On 09/11/2012 01:14 PM, Martin Kosek wrote:
On 09/06/2012 01:13 PM, Tomas Babej wrote:
On 09/05/2012 01:56 PM, Martin Kosek wrote:
On 09/03/2012 05:12 PM, Tomas Babej wrote:
Hi,

Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time. Also adds a bunch of unit tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983

Tomas

I found a few issues with this patch:

1) Patch needs a rebase

2) Patch does not expect attributes to be set to None, i.e. to be left empty or to be deleted, e.g.:

# ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set

# ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all
Added SELinux User Map foo
  Rule name: foo
  SELinux User: guest_u:s0
  User category: all
  Enabled: TRUE

# ipa selinuxusermap-mod foo --usercat= --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set

# ipa selinuxusermap-mod foo --usercat=
---
Modified SELinux User Map foo
---
  Rule name: foo
  SELinux User: guest_u:s0
  Enabled: TRUE

# ipa selinuxusermap-mod foo --hbacrule=foo
---
Modified SELinux User Map foo
---
  Rule name: foo
  SELinux User: guest_u:s0
  HBAC Rule: foo
  Enabled: TRUE

# ipa selinuxusermap-mod foo --hbacrule= --usercat=all
ipa: ERROR: HBAC rule and local members cannot both be set

All these validation failures are not valid.

3) Additionally, I think it would be more readable and less error prone if, instead of this blob:

+are_local_members_to_be_set = 'usercategory' in _entry_attrs or \
+ 'hostcategory' in _entry_attrs or \
+ 'memberuser' in _entry_attrs or \
+ 'memberhost' in _entry_attrs

you would use something like that:

are_local_members_to_be_set = any(attr in _entry_attrs for attr in ('usercategory', 'hostcategory', 'memberuser', 'memberhost'))

Martin

1.) Done.
2.) Corrected.
3.) Fixed.
Tomas

1) There are some (corner) cases where this approach still does not work:

# ipa selinuxusermap-show foo
  Rule name: foo
  SELinux User: guest_u:s0
  HBAC Rule: foo
  Enabled: TRUE

# ipa selinuxusermap-mod foo --usercat=all --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set

The HBAC rule attribute is being deleted and user category set, so this should not be rejected.

2) There are also some styling issues (you can use the pep8 tool present in Fedora to locate them on your own), e.g.:

ipalib/plugins/selinuxusermap.py:247:32: E203 whitespace before ':'
ipalib/plugins/selinuxusermap.py:247:70: E225 missing whitespace around operator
ipalib/plugins/selinuxusermap.py:249:36: E221 multiple spaces before operator
...

Martin

The corner case is fixed now and styling issues corrected as well.

Tomas

From 003e340bceb2bbae614f07edf1dd3d25d1f1ac23 Mon Sep 17 00:00:00 2001
From: Tomas Babej tba...@redhat.com
Date: Thu, 6 Sep 2012 07:03:42 -0400
Subject: [PATCH] Make sure selinuxusermap behaves consistently to HBAC rule

Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time. Also adds a bunch of unit tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983
---
 ipalib/plugins/selinuxusermap.py                | 76 +++---
 tests/test_xmlrpc/test_selinuxusermap_plugin.py | 179
 2 files changed, 237 insertions(+), 18 deletions(-)

diff --git a/ipalib/plugins/selinuxusermap.py b/ipalib/plugins/selinuxusermap.py
index 13bbb58ec0e6b7bd4275be17198c7452090a0781..32c55850b7d5b78f39cfae8960b8588a35b30251 100644
--- a/ipalib/plugins/selinuxusermap.py
+++ b/ipalib/plugins/selinuxusermap.py
@@ -70,6 +70,7 @@ SEEALSO: notboth_err = _('HBAC rule and local members cannot both be set') + def validate_selinuxuser(ugettext, user): An SELinux user has 3 components: user:MLS:MCS. user and MLS are required.
@@ -91,7 +92,7 @@ def validate_selinuxuser(ugettext, user): # If we add in ::: we don't have to check to see if some values are # empty -(name, mls, mcs, ignore) = (user + ':::').split(':',3) +(name, mls, mcs, ignore) = (user + ':::').split(':', 3) if not regex_name.match(name): return _('Invalid SELinux user name, only a-Z and _ are allowed') @@ -99,10 +100,12 @@ def validate_selinuxuser(ugettext, user):
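Review bot: the @@ -70,6 +70,7 @@ hunk only inserts a blank line before `def validate_selinuxuser`, a PEP 8 spacing fix unrelated to the HBAC-rule consistency change this patch is about; keep it, but mention it in the commit message (or move it to a separate cleanup commit) so the behavioural change stays easy to bisect.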
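Review bot: the @@ -99,10 +100,12 @@ hunk, where the actual validation change for selinuxusermap-add/-mod must live, has no body in this copy of the patch, so the fix for the corner case from the review (deleting the HBAC rule with --hbacrule= while setting --usercat=all) and the `any(attr in _entry_attrs for attr in (...))` rewrite cannot be checked here; please re-send the complete patch, and confirm the new unit tests cover the four --hbacrule= / --usercat= combinations listed in the review plus the show/mod corner case.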
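The rule the review above converges on, written out as an added example that is not Tomas's patch or FreeIPA code: decide on the entry as it would look after the update, treat an attribute passed as None or empty as a deletion (the CLI's `--usercat=` form), and reject only when both an HBAC rule and local members would remain. The dict-based entry, the key `hbacrule` standing in for the LDAP attribute behind `--hbacrule`, and the sample values are constructed for this example.

```python
# Added example, not FreeIPA's selinuxusermap plugin. Entries and updates are
# plain dicts: attribute -> value, where None, '' or an empty list means
# "attribute absent / to be deleted", matching the CLI's --usercat= form.

LOCAL_MEMBER_ATTRS = ('usercategory', 'hostcategory', 'memberuser', 'memberhost')
HBAC_RULE_ATTR = 'hbacrule'   # assumption: stands in for the attribute behind --hbacrule
NOTBOTH_ERR = 'HBAC rule and local members cannot both be set'


class ValidationError(ValueError):
    """Raised where the plugin would return an 'ipa: ERROR' to the client."""


def present(value):
    """True when a value really sets the attribute; None/''/[] delete it."""
    if value is None:
        return False
    if isinstance(value, (list, tuple)):
        return any(v not in (None, '') for v in value)
    return value != ''


def effective_entry(existing, update):
    """Apply an update to the current entry; deletions remove the key."""
    entry = {attr: val for attr, val in existing.items() if present(val)}
    for attr, val in update.items():
        if present(val):
            entry[attr] = val
        else:
            entry.pop(attr, None)
    return entry


def check_hbac_vs_local_members(existing, update):
    """Validate an add (existing == {}) or a mod against the resulting entry.

    Returns the effective entry, or raises ValidationError with the message
    the plugin uses. The any(...) form is the one suggested in the review.
    """
    entry = effective_entry(existing, update)
    has_rule = present(entry.get(HBAC_RULE_ATTR))
    has_local = any(present(entry.get(attr)) for attr in LOCAL_MEMBER_ATTRS)
    if has_rule and has_local:
        raise ValidationError(NOTBOTH_ERR)
    return entry


def is_rejected(existing, update):
    """Convenience wrapper: True if the update would be refused."""
    try:
        check_hbac_vs_local_members(existing, update)
    except ValidationError:
        return True
    return False


if __name__ == '__main__':
    # The four commands from the review that must be accepted, and the
    # show/mod corner case (rule present, rule deleted and category set).
    assert not is_rejected({}, {'usercategory': 'all', HBAC_RULE_ATTR: None})
    assert not is_rejected({'usercategory': 'all'}, {'usercategory': None, HBAC_RULE_ATTR: None})
    assert not is_rejected({}, {HBAC_RULE_ATTR: 'foo'})
    assert not is_rejected({HBAC_RULE_ATTR: 'foo'}, {HBAC_RULE_ATTR: None, 'usercategory': 'all'})
    # And the two that must still be refused.
    assert is_rejected({HBAC_RULE_ATTR: 'foo'}, {'usercategory': 'all'})
    assert is_rejected({'usercategory': 'all'}, {HBAC_RULE_ATTR: 'foo'})
    print('all cases behave as the review expects')
```

The check deliberately looks at the merged result rather than at which options were passed: that is what makes `--hbacrule= --usercat=all` on an entry that currently has a rule acceptable, while `--usercat=all` alone on that same entry is still refused.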
[Freeipa-devel] [PATCH 0057] Fix LDAP operation selection logic in ldap_modify_do()
Hello,

There is a fix for the LDAP operation selection logic in ldap_modify_do(). Each operation code in the LDAPMod structure can be ORed with LDAP_MOD_BVALUES.

Petr^2 Spacek

From ab11e62ec2496f2c7245c4d8d80c2fd189b68aa9 Mon Sep 17 00:00:00 2001
From: Petr Spacek pspa...@redhat.com
Date: Tue, 11 Sep 2012 16:23:18 +0200
Subject: [PATCH] Fix LDAP operation selection logic in ldap_modify_do().

Each operation code in the LDAPMod structure can be ORed with LDAP_MOD_BVALUES.

Signed-off-by: Petr Spacek pspa...@redhat.com
---
 src/ldap_helper.c | 29 +
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/src/ldap_helper.c b/src/ldap_helper.c
index 058048f41485999be0d8ffeadea02f2e25879370..d9c7ce5d84c3944a86ff1865ff6be073ddc294c8 100644
--- a/src/ldap_helper.c
+++ b/src/ldap_helper.c
@@ -2149,33 +2149,38 @@ ldap_modify_do(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn, CHECK(ldap_connect(ldap_inst, ldap_conn, ISC_FALSE)); } + /* Any mod_op can be ORed with LDAP_MOD_BVALUES. */ + if ((mods[0]-mod_op ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD) + operation_str = modifying(add); + else if ((mods[0]-mod_op ~LDAP_MOD_BVALUES) == LDAP_MOD_DELETE) + operation_str = modifying(del); + else if ((mods[0]-mod_op ~LDAP_MOD_BVALUES) == LDAP_MOD_REPLACE) + operation_str = modifying(replace); + else { + operation_str = modifying(unknown operation); + log_bug(%s: 0x%x, operation_str, mods[0]-mod_op); + CHECK(ISC_R_NOTIMPLEMENTED); + } + if (delete_node) { log_debug(2, deleting whole node: '%s', dn); ret = ldap_delete_ext_s(ldap_conn-handle, dn, NULL, NULL); } else { - log_debug(2, writing to '%s', dn); + log_debug(2, writing to '%s': %s, dn, operation_str); ret = ldap_modify_ext_s(ldap_conn-handle, dn, mods, NULL, NULL); } result = (ret == LDAP_SUCCESS) ? ISC_R_SUCCESS : ISC_R_FAILURE; if (ret == LDAP_SUCCESS) goto cleanup; - if (mods[0]-mod_op == LDAP_MOD_ADD) - operation_str = modifying(add); - else if (mods[0]-mod_op == LDAP_MOD_DELETE) - operation_str = modifying(del); - else { - operation_str = modifying(unknown operation); - CHECK(ISC_R_NOTIMPLEMENTED); - } - LDAP_OPT_CHECK(ldap_get_option(ldap_conn-handle, LDAP_OPT_RESULT_CODE, err_code), ldap_modify_do(%s) failed to obtain ldap error code, operation_str); /* If there is no object yet, create it with an ldap add operation. */ - if (mods[0]-mod_op == LDAP_MOD_ADD err_code == LDAP_NO_SUCH_OBJECT) { + if ((mods[0]-mod_op ~LDAP_MOD_BVALUES) == LDAP_MOD_ADD + err_code == LDAP_NO_SUCH_OBJECT) { int i; LDAPMod **new_mods; char *obj_str[] = { idnsRecord, NULL }; 
@@ -2211,7 +2216,7 @@ ldap_modify_do(ldap_instance_t *ldap_inst, ldap_connection_t *ldap_conn, /* do not error out if we are trying to delete an * unexisting attribute */ - if (mods[0]-mod_op != LDAP_MOD_DELETE || + if ((mods[0]-mod_op ~LDAP_MOD_BVALUES) != LDAP_MOD_DELETE || err_code != LDAP_NO_SUCH_ATTRIBUTE) { result = ISC_R_FAILURE; } -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
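Review bot: in the @@ -2149,33 +2149,38 @@ hunk the new operation-selection block dereferences `mods[0]->mod_op` before the `if (delete_node)` test, whereas the removed code only touched `mods` after a failed ldap_modify_ext_s; if any caller passes an empty or NULL `mods` together with `delete_node` (the delete branch never uses `mods`), this becomes a NULL dereference on the whole-node delete path. Either move the block into the `else` branch or guard it with `if (!delete_node)`. Classifying the operation up front and failing with `CHECK(ISC_R_NOTIMPLEMENTED)` before the server round trip, with `log_bug` reporting the raw `mod_op` value, is otherwise the right change.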
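Review bot: the @@ -2211,7 +2216,7 @@ hunk applies the `~LDAP_MOD_BVALUES` mask to the delete/LDAP_NO_SUCH_ATTRIBUTE check, consistent with the other sites; since `(mods[0]->mod_op & ~LDAP_MOD_BVALUES)` now appears four times in this function, a small `#define` or static inline helper would keep a future comparison from forgetting the mask again, which is exactly the bug this patch fixes.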
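The decision logic of the patched ldap_modify_do(), rewritten as an added example (not bind-dyndb-ldap code) so the before/after difference is visible: the operation code is compared only after the LDAP_MOD_BVALUES flag is stripped, and the same masked value drives the two recovery cases (create the entry on a failed add, ignore a delete of an attribute that is already gone). The constant values are the ones from the LDAP C API header ldap.h.

```python
# Added example, not bind-dyndb-ldap code. Constants follow ldap.h: the
# operation sits in the low bits and LDAP_MOD_BVALUES (0x80) is ORed in when
# mod_bvalues (struct berval **) is used instead of mod_values.

LDAP_MOD_ADD = 0x00
LDAP_MOD_DELETE = 0x01
LDAP_MOD_REPLACE = 0x02
LDAP_MOD_BVALUES = 0x80

LDAP_SUCCESS = 0x00
LDAP_NO_SUCH_ATTRIBUTE = 0x10
LDAP_NO_SUCH_OBJECT = 0x20

OPERATION_NAMES = {
    LDAP_MOD_ADD: 'add',
    LDAP_MOD_DELETE: 'del',
    LDAP_MOD_REPLACE: 'replace',
}


def base_operation(mod_op):
    """The operation with the BVALUES flag removed: what the patch compares."""
    return mod_op & ~LDAP_MOD_BVALUES


def is_supported(mod_op):
    """False for any operation the function does not implement (e.g. INCREMENT)."""
    return base_operation(mod_op) in OPERATION_NAMES


def operation_name(mod_op):
    """Patched behaviour: BVALUES no longer turns 'add' into 'unknown operation'."""
    return OPERATION_NAMES.get(base_operation(mod_op), 'unknown operation')


def operation_name_unmasked(mod_op):
    """Pre-patch behaviour, kept for contrast: mod_op compared as-is."""
    return OPERATION_NAMES.get(mod_op, 'unknown operation')


def outcome(mod_op, err_code):
    """What ldap_modify_do should do after a modify that returned err_code.

    Raises NotImplementedError for an unknown operation before anything is
    sent (the patch's CHECK(ISC_R_NOTIMPLEMENTED)); otherwise returns one of
    'success', 'create object' (ADD hit LDAP_NO_SUCH_OBJECT: retry as an
    ldap add), 'ignore' (DELETE of an attribute that is already absent) or
    'failure'.
    """
    if not is_supported(mod_op):
        raise NotImplementedError('%s: 0x%x' % (operation_name(mod_op), mod_op))
    if err_code == LDAP_SUCCESS:
        return 'success'
    op = base_operation(mod_op)
    if op == LDAP_MOD_ADD and err_code == LDAP_NO_SUCH_OBJECT:
        return 'create object'
    if op == LDAP_MOD_DELETE and err_code == LDAP_NO_SUCH_ATTRIBUTE:
        return 'ignore'
    return 'failure'


if __name__ == '__main__':
    flagged_add = LDAP_MOD_ADD | LDAP_MOD_BVALUES
    print('unmasked :', operation_name_unmasked(flagged_add))   # unknown operation
    print('masked   :', operation_name(flagged_add))            # add
    print('recovery :', outcome(flagged_add, LDAP_NO_SUCH_OBJECT))
```

The unmasked form is what made a BVALUES add of a record under a not-yet-existing DN fail outright instead of falling back to creating the object, which is the user-visible symptom the patch removes.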
[Freeipa-devel] [PATCH 0058] Improve persistent search logging
Hello, this patch adds result codes to error messages in persistent search code. Petr^2 Spacek From f6cb53278d8f39ac6da4fb8e26820f6ee02ae6e3 Mon Sep 17 00:00:00 2001 From: Petr Spacek pspa...@redhat.com Date: Wed, 12 Sep 2012 12:27:51 +0200 Subject: [PATCH] Improve persistent search logging. Signed-off-by: Petr Spacek pspa...@redhat.com --- src/ldap_helper.c | 14 +++--- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/ldap_helper.c b/src/ldap_helper.c index d9c7ce5d84c3944a86ff1865ff6be073ddc294c8..92edbe7159272772e1c993d46da7c93382cbc5d4 100644 --- a/src/ldap_helper.c +++ b/src/ldap_helper.c @@ -3069,9 +3069,9 @@ update_zone(isc_task_t *task, isc_event_t *event) cleanup: if (result != ISC_R_SUCCESS) - log_error(update_action (psearch) failed for '%s': %s. + log_error_r(update_zone (psearch) failed for '%s'. Zones can be outdated, run `rndc reload`, - pevent-dn, isc_result_totext(result)); + pevent-dn); ldap_query_free(ISC_FALSE, ldap_qresult_zone); ldap_query_free(ISC_FALSE, ldap_qresult_record); @@ -3125,7 +3125,7 @@ update_config(isc_task_t *task, isc_event_t *event) cleanup: if (result != ISC_R_SUCCESS) - log_error(update_config (psearch) failed for %s. + log_error_r(update_config (psearch) failed for '%s'. Configuration can be outdated, run `rndc reload`, pevent-dn); @@ -3221,9 +3221,9 @@ update_record(isc_task_t *task, isc_event_t *event) } cleanup: if (result != ISC_R_SUCCESS) - log_error(update_record (psearch) failed, dn '%s'. + log_error_r(update_record (psearch) failed, dn '%s' change type 0x%x. Records can be outdated, run `rndc reload`, - pevent-dn); + pevent-dn, pevent-chgtype); if (dns_name_dynamic(name)) dns_name_free(name, inst-mctx); @@ -3400,7 +3400,7 @@ cleanup: if (prevdn_ldap != NULL) ldap_memfree(prevdn); - log_error(psearch_update failed for %s zone. + log_error_r(psearch_update failed for '%s' zone. Zone can be outdated, run `rndc reload`, entry-dn); } 
@@ -3586,7 +3586,7 @@ restart: * Error means inconsistency of our zones * data. */ -log_error(ldap_psearch_watcher failed, zones +log_error_r(ldap_psearch_watcher failed, zones might be outdated. Run `rndc reload`); goto soft_err; } -- 1.7.11.4
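Review bot: the @@ -3069,9 +3069,9 @@ hunk swaps `log_error` for `log_error_r` and drops `isc_result_totext(result)` from the argument list, so the result code now only reaches the log if `log_error_r` picks up the local `result` by itself (it also corrects 'update_action' to 'update_zone' in the message). Please confirm `log_error_r` is a macro that references a variable literally named `result`, because the @@ -3400,7 +3400,7 @@ and @@ -3586,7 +3586,7 @@ hunks make the same substitution in contexts where no such variable is visible; if it is a function taking the result explicitly, those two calls are missing an argument.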
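Review bot: in the @@ -3221,9 +3221,9 @@ hunk the new `change type 0x%x` conversion and the added `pevent->chgtype` argument match in count and order, and recording the psearch change type next to the DN is what an operator needs to tell a missed add from a missed delete when records go stale; no change requested.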
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When installing the client, we need to take extra care to only contact the one server we're installing against. Otherwise, in the real world, we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that didn't have the host principal yet.

To reproduce:
- Install a master and replica
- Change the Kerberos DNS entries to only point to the replica:
for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
    ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec=0 100 88 $REPLICA_HOSTNAME
done
ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec=0 100 389 $MASTER_HOSTNAME
ipa dnsrecord-find $DOMAIN # check
- Sever communication between the hosts to disable replication:
(on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf, install client

This will fail without the patch.

Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob

The patch broke server installs. Please revert it if you're having trouble while I look into it.

-- 
Petr³
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When installing the client, we need to take extra care to only contact the one server we're installing against. Otherwise, in the real world, we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that didn't have the host principal yet.

To reproduce:
- Install a master and replica
- Change the Kerberos DNS entries to only point to the replica:
for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
    ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec=0 100 88 $REPLICA_HOSTNAME
done
ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec=0 100 389 $MASTER_HOSTNAME
ipa dnsrecord-find $DOMAIN # check
- Sever communication between the hosts to disable replication:
(on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf, install client

This will fail without the patch.

Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob

The patch broke server installs. Please revert it if you're having trouble while I look into it.

I messed up and removed the kinit call entirely when installing on master. Attaching a fix.

-- 
Petr³

From d8686e7063aa749cdd6c26721820cf30658e1c30 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 12 Sep 2012 07:31:15 -0400
Subject: [PATCH] Fix server installation

The fix to ticket #2982 removed a kinit call when the client was installed as part of a master. Re-add the kinit call in this case.
---
 ipa-client/ipa-install/ipa-client-install | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 06e07983956b87c75fbd59139ea5fcaa046d7980..392aa65a0503a2ff647a8f6b089f8dfcc3fec094 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -1569,8 +1569,16 @@ def install(options, env, fstore, statestore): root_logger.info(Failed to add CA to the default NSS database.) return CLIENT_INSTALL_ERROR -# If on master assume kerberos is already configured properly. -if not options.on_master: +if options.on_master: +# If on master assume kerberos is already configured properly. +# Get the host TGT. +try: +run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', +'host/%s@%s' % (hostname, cli_realm)], env=env) +except CalledProcessError, e: +root_logger.error(Failed to obtain host TGT.) +return CLIENT_INSTALL_ERROR +else: # Configure krb5.conf fstore.backup_file(/etc/krb5.conf) if configure_krb5_conf( -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
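Review bot: in the @@ -1569,8 +1569,16 @@ hunk, `except CalledProcessError, e:` binds `e` but the only thing logged is the fixed string 'Failed to obtain host TGT.'; include `e` (and kinit's stderr, if `run` captures it) in the error so a failing master install says why kinit failed. Two smaller points: `run([... kinit ...], env=env)` inherits whatever credential cache `env` selects, so unless `env` sets KRB5CCNAME to an installer-private cache the host TGT lands in the invoking root user's default cache; and the retained comment 'If on master assume kerberos is already configured properly.' now heads a branch that does call kinit, so reword it to say that krb5.conf is assumed configured but the host TGT is still obtained here.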
[Freeipa-devel] [PATCH] 305-308 Expand Referential Integrity checks
To test, add sudo commands, hosts or users to a sudo rule or hbac rule and then rename or delete the linked object. After the update, the links should be amended.

-

Many attributes in IPA (e.g. manager, memberuser, managedby, ...) are used to store DNs of linked objects in IPA (users, hosts, sudo commands, etc.). However, when the linked object is deleted or renamed, the attribute pointing to it stays with the objects and thus may create a dangling link causing issues in client software reading the data.

Directory Server has a plugin to enforce referential integrity (RI) by checking DEL and MODRDN operations and updating affected links. It was already used for manager and secretary attributes and should be expanded for the missing attributes to avoid dangling links.

As a prerequisite, all attributes checked for RI must have pres and eq indexes to avoid performance issues. The following indexes have been added:
* manager (pres index only)
* secretary (pres index only)
* memberHost
* memberUser
* sourcehost
* memberservice
* managedby
* memberallowcmd
* memberdenycmd
* ipasudorunas
* ipasudorunasgroup

The Referential Integrity plugin was updated to check all these attributes.

Note: this update will only fix RI on one master as the RI plugin does not check replicated operations.

https://fedorahosted.org/freeipa/ticket/2866

-- 
Martin Kosek mko...@redhat.com
Senior Software Engineer - Identity Management Team
Red Hat Inc.

From de4d160ba4a9bce33f227078ba00ee2d8cd04594 Mon Sep 17 00:00:00 2001
From: Martin Kosek mko...@redhat.com
Date: Wed, 12 Sep 2012 09:28:36 +0200
Subject: [PATCH 1/4] Add attributeTypes to safe schema updater

AttributeType updates are sensitive to case, whitespace or X-ORIGIN mismatch just like ObjectClass attribute which is already being normalized before an update value is compared with update instructions. Expand safe schema updater routine to cover both ObjectClasses and AttributeTypes updates.

https://fedorahosted.org/freeipa/ticket/2440
---
 ipaserver/install/ldapupdate.py | 68 +++--
 1 file changed, 39 insertions(+), 29 deletions(-)

diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index 111769ffee1d04f2036d3abe49190c715e13f99a..528e349d7975022005d2f91d70a5abed0ab42307 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -35,7 +35,7 @@ from ipalib import errors from ipalib import api from ipapython.dn import DN import ldap -from ldap.schema.models import ObjectClass +from ldap.schema.models import ObjectClass, AttributeType from ipapython.ipa_log_manager import * import krbV import platform
@@ -551,23 +551,32 @@ class LDAPUpdate: # Replacing objectClassess needs a special handling and # normalization of OC definitions to avoid update failures for # example when X-ORIGIN is the only difference -objectclass_replacement = False -if action == replace and entry.dn == DN(('cn', 'schema')) and \ -attr.lower() == objectclasses: -objectclass_replacement = True -oid_index = {} -# build the OID index for replacing -for objectclass in entry_values: -try: -objectclass_object = ObjectClass(str(objectclass)) -except Exception, e: -self.error('replace: cannot parse ObjectClass %s: %s', -objectclass, e) -continue -# In a corner case, there may be more representations of -# the same objectclass due to the previous updates -# We want to replace them all -oid_index.setdefault(objectclass_object.oid, []).append(objectclass) +schema_update = False +schema_elem_class = None +schema_elem_name = None +if action == replace and entry.dn == DN(('cn', 'schema')): +if attr.lower() == objectclasses: +schema_elem_class = ObjectClass +schema_elem_name = ObjectClass +elif attr.lower() == attributetypes: +schema_elem_class = AttributeType +schema_elem_name = AttributeType + +if schema_elem_class is not None: +schema_update = True +oid_index = {} +# build the OID index for replacing +for schema_elem in entry_values: +try: +schema_elem_object = schema_elem_class(str(schema_elem)) +except Exception, e: +self.error('replace: cannot parse %s %s: %s', +schema_elem_name, schema_elem, e) +
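Review bot: the @@ -551,23 +551,32 @@ hunk ends in this copy right after the `self.error('replace: cannot parse %s %s: %s', ...)` call, so the `continue` and the `oid_index.setdefault(...)` population that the removed lines had cannot be verified as carried over; please re-send the rest. Two points on what is visible: `schema_elem_name = ObjectClass` / `= AttributeType` read, with quoting lost in this copy, as assignments of the class objects rather than the display strings the `%s` in the error message expects, so confirm they are string literals; and the broad `except Exception, e:` around `schema_elem_class(str(schema_elem))` logs and skips a definition that fails to parse, which for a schema replace means proceeding with an incomplete OID index and possibly leaving the old variant of that element in place, so a parse failure may be better treated as an update error than as a warning.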
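The normalization step the commit message describes, as an added example that is not FreeIPA's ldapupdate.py: a schema "replace" must be keyed on the element's OID, because the same attributeType can be stored with different whitespace, case or X-ORIGIN and a textual comparison would miss it. A small regex stands in for python-ldap's `AttributeType`/`ObjectClass` parsers; the definitions below use a made-up OID arc and are constructed for the example.

```python
# Added example, not FreeIPA code. Builds the OID index a safe schema replace
# needs and plans the delete/add pair for one replacement. Definitions are
# RFC 4512 style strings; the OID arc 1.3.6.1.4.1.99999 is constructed.
import re

# A definition starts with "(" and its OID: numeric, or (in some deployments)
# a name-form OID macro such as "exampleAttr-oid"; both are accepted.
_OID_RE = re.compile(r'^\(\s*([0-9]+(?:\.[0-9]+)+|[A-Za-z][A-Za-z0-9_-]*)\b')

SAMPLE_V1 = ("( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' DESC 'constructed' "
             "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Example v1' )")
# Same element, different whitespace, NAME case and X-ORIGIN.
SAMPLE_V2 = ("(1.3.6.1.4.1.99999.1.1 NAME 'exampleattr'   DESC 'constructed' "
             "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15  X-ORIGIN 'Example v2')")
SAMPLE_V3 = ("( 1.3.6.1.4.1.99999.1.1 NAME 'exampleAttr' DESC 'constructed' "
             "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN 'Example v3' )")
SAMPLE_OTHER = ("( 1.3.6.1.4.1.99999.1.2 NAME 'otherAttr' "
                "SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )")


def schema_oid(definition):
    """Return the OID identifying a schema element definition."""
    match = _OID_RE.match(definition.strip())
    if not match:
        raise ValueError('cannot parse schema element: %r' % definition)
    return match.group(1)


def build_oid_index(definitions):
    """Map OID -> every textual representation currently stored for it.

    Unparsable entries are returned separately rather than dropped, so the
    caller can decide whether to abort the update.
    """
    index, bad = {}, []
    for definition in definitions:
        try:
            index.setdefault(schema_oid(definition), []).append(definition)
        except ValueError:
            bad.append(definition)
    return index, bad


def plan_replace(current_definitions, new_definition):
    """Compute (to_delete, to_add) for a safe replace of one element.

    Every stored variant sharing the new element's OID is deleted and the new
    text added; if the new text is already the only stored variant nothing
    needs to change and ([], None) is returned.
    """
    index, bad = build_oid_index(current_definitions)
    if bad:
        raise ValueError('refusing to replace: %d unparsable element(s)' % len(bad))
    oid = schema_oid(new_definition)
    old = index.get(oid, [])
    if old == [new_definition]:
        return [], None
    return list(old), new_definition


if __name__ == '__main__':
    to_delete, to_add = plan_replace([SAMPLE_V1, SAMPLE_V2, SAMPLE_OTHER], SAMPLE_V3)
    print('delete %d variant(s) of %s, add the new text' % (len(to_delete), schema_oid(to_add)))
```

Keeping every variant under one OID key is what lets the replace clean up duplicates left behind by earlier updates, the corner case the removed comment in the hunk mentions.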
Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18
On 09/12/2012 04:42 AM, Ade Lee wrote:
On Tue, 2012-09-11 at 14:45 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
On 09/11/2012 04:38 PM, Rob Crittenden wrote:
Ade Lee wrote:
On Tue, 2012-09-11 at 08:59 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
On 09/11/2012 04:04 AM, Ade Lee wrote:
On Mon, 2012-09-10 at 16:58 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
Attaching rebased and squashed patches. I've done some testing with them but please test some more.

Most of these aren't IPA issues, but dogtag issues. I'll try to split them out.

IPA:

For the configuration files in install/conf to be updated at rpm update time the VERSION needs to be incremented.

These files should stay the same since on upgrade we're still using a Dogtag 9 style instance. The Dogtag 10 ports are only used in new installs.

The ipa package lacks any updated dogtag dependencies, so I abused it. What should the updated dependencies be?

Since it should work with both dogtag 9 and 10, I don't see how they should change.

I don't know either, but we need to prevent people from installing incompatible package combinations.

Wouldn't the Conflicts: ipa 3.0 in pki-ca mentioned below satisfy this requirement? The main concern is that you must have ipa 3.0 if you have dogtag 10. Given that dogtag is consumed by IPA though, it makes more sense to put the relevant conflicts in IPA rather than in dogtag. So in this case, that would mean putting Conflicts: pki-ca = 10.0 in IPA 2.x. Recall that dogtag 10 will only be officially available in f18+.

That isn't enough. If a F-17 user with IPA 2.2 installed upgrades to F-18 they would be able to install dogtag 10 and blow up their IPA server.

We can add the Conflicts: freeipa-server 3.0 to the dogtag packages (likely in pki-base). But we should also add explicit dependencies to ipa.

For ipa 2.2, Conflicts: pki-ca = 10.0, Requires: pki-ca = 9.x
For ipa 3, Requires: pki-ca = 10.0

Unfortunately we need to support IPA 3.0 with Dogtag 9.

This of course assumes that ipa 3 is only officially released on f18 (which is what will happen for dogtag 10).

Just because we can support d9 on ipa 3 does not mean we should.

As it is, in this case, we will have to support IPA 3 + d10, IPA 3 + d10 + d9-style instance, IPA 2.x + d9. We also need to test replication between various combinations of these.

-- 
Petr³
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 12.9.2012 14:09, Petr Viktorin wrote:
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When installing the client, we need to take extra care to only contact the one server we're installing against. Otherwise, in the real world, we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that didn't have the host principal yet.

To reproduce:
- Install a master and replica
- Change the Kerberos DNS entries to only point to the replica:
for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
    ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec=0 100 88 $REPLICA_HOSTNAME
done
ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec=0 100 389 $MASTER_HOSTNAME
ipa dnsrecord-find $DOMAIN # check
- Sever communication between the hosts to disable replication:
(on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf, install client

This will fail without the patch.

Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob

The patch broke server installs. Please revert it if you're having trouble while I look into it.

I messed up and removed the kinit call entirely when installing on master. Attaching a fix.

Works for me, ACK.

Honza

-- 
Jan Cholasta
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
Jan Cholasta wrote:
On 12.9.2012 14:09, Petr Viktorin wrote:
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When installing the client, we need to take extra care to only contact the one server we're installing against. Otherwise, in the real world, we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that didn't have the host principal yet.

To reproduce:
- Install a master and replica
- Change the Kerberos DNS entries to only point to the replica:
for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
    ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec=0 100 88 $REPLICA_HOSTNAME
done
ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec=0 100 389 $MASTER_HOSTNAME
ipa dnsrecord-find $DOMAIN # check
- Sever communication between the hosts to disable replication:
(on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf, install client

This will fail without the patch.

Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob

The patch broke server installs. Please revert it if you're having trouble while I look into it.

I messed up and removed the kinit call entirely when installing on master. Attaching a fix.

Works for me, ACK.

Honza

pushed to master and ipa-3-0
[Freeipa-devel] [PATCH] 84 Add the SSH service to SSSD config file before trying to activate it
Hi,

this patch fixes https://fedorahosted.org/freeipa/ticket/3069. Users no longer have to configure SSH in sssd.conf manually if the file exists prior to running ipa-client-install.

Honza

-- 
Jan Cholasta

From 38fd87c7b9d941b76753c3f11eca0058a83b8954 Mon Sep 17 00:00:00 2001
From: Jan Cholasta jchol...@redhat.com
Date: Tue, 11 Sep 2012 04:43:57 -0400
Subject: [PATCH] Add the SSH service to SSSD config file before trying to activate it.

ticket 3069
---
 ipa-client/ipa-install/ipa-client-install | 8 ++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 06e0798..ccb2228 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -803,14 +803,18 @@ def configure_sssd_conf(fstore, cli_realm, cli_domain, cli_server, options, clie domain = sssdconfig.new_domain(cli_domain) try: -sssdconfig.activate_service('ssh') -except SSSDConfig.NoServiceError: +sssdconfig.new_service('ssh') +except SSSDConfig.ServiceAlreadyExists: +pass +except SSSDConfig.ServiceNotRecognizedError: root_logger.error(Unable to activate the SSH service in SSSD config.) root_logger.info( Please make sure you have SSSD built with SSH support installed.) root_logger.info( Configure SSH support manually in /etc/sssd/sssd.conf.) +sssdconfig.activate_service('ssh') + domain.add_provider('ipa', 'id') #add discovery domain if client domain different from server domain -- 1.7.11.4
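Review bot: in the @@ -803,14 +803,18 @@ hunk, indentation is lost in this copy, but the added `sssdconfig.activate_service('ssh')` appears to sit after the try/except at function level, so when `new_service('ssh')` raises `ServiceNotRecognizedError` the code logs "Unable to activate the SSH service" and then still calls `activate_service('ssh')`, which on an SSSD build without SSH support can raise the `NoServiceError` the removed `except` used to catch. Either skip the activation after the error branch (e.g. set a flag in the `ServiceNotRecognizedError` handler and activate only when it is unset) or keep `activate_service` inside the try with its own `except SSSDConfig.NoServiceError`.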
[Freeipa-devel] [PATCH] 85 Add --no-ssh option to ipa-client-install to disable OpenSSH client configuration
Hi, this patch fixes https://fedorahosted.org/freeipa/ticket/3070. If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD. Honza -- Jan Cholasta From 2a80c57305b099129b192e7ccf52b7f8cc982c41 Mon Sep 17 00:00:00 2001 From: Jan Cholasta jchol...@redhat.com Date: Wed, 12 Sep 2012 09:19:26 -0400 Subject: [PATCH] Add --no-ssh option to ipa-client-install to disable OpenSSH client configuration. If both --no-ssh and --no-sshd are specified, do not configure the SSH service in SSSD. ticket 3070 --- install/tools/ipa-replica-install | 4 ++ install/tools/ipa-server-install | 4 ++ install/tools/man/ipa-replica-install.1 | 3 ++ install/tools/man/ipa-server-install.1| 3 ++ ipa-client/ipa-install/ipa-client-install | 78 ++- ipa-client/man/ipa-client-install.1 | 3 ++ 6 files changed, 63 insertions(+), 32 deletions(-) diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install index 41e1ef5..267a70d 100755 --- a/install/tools/ipa-replica-install +++ b/install/tools/ipa-replica-install @@ -68,6 +68,8 @@ def parse_options(): default=True, help=Do not automatically redirect to the Web UI) basic_group.add_option(--ssh-trust-dns, dest=trust_sshfp, default=False, action=store_true, help=configure OpenSSH client to trust DNS SSHFP records) +basic_group.add_option(--no-ssh, dest=conf_ssh, default=True, action=store_false, + help=do not configure OpenSSH client) basic_group.add_option(--no-sshd, dest=conf_sshd, default=True, action=store_false, help=do not configure OpenSSH server) basic_group.add_option(--skip-conncheck, dest=skip_conncheck, action=store_true, @@ -500,6 +502,8 @@ def main(): args.append(--no-dns-sshfp) if options.trust_sshfp: args.append(--ssh-trust-dns) +if not options.conf_ssh: +args.append(--no-ssh) if not options.conf_sshd: args.append(--no-sshd) ipautil.run(args) diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install index ba056fd..f07aead 100755 --- a/install/tools/ipa-server-install 
+++ b/install/tools/ipa-server-install @@ -145,6 +145,8 @@ def parse_options(): default=True, help=Do not automatically redirect to the Web UI) basic_group.add_option(--ssh-trust-dns, dest=trust_sshfp, default=False, action=store_true, help=configure OpenSSH client to trust DNS SSHFP records) +basic_group.add_option(--no-ssh, dest=conf_ssh, default=True, action=store_false, + help=do not configure OpenSSH client) basic_group.add_option(--no-sshd, dest=conf_sshd, default=True, action=store_false, help=do not configure OpenSSH server) basic_group.add_option(-d, --debug, dest=debug, action=store_true, @@ -1071,6 +1073,8 @@ def main(): args.append(--no-dns-sshfp) if options.trust_sshfp: args.append(--ssh-trust-dns) +if not options.conf_ssh: +args.append(--no-ssh) if not options.conf_sshd: args.append(--no-sshd) run(args) diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 index 3f44597..084b454 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -56,6 +56,9 @@ Do not automatically redirect to the Web UI. \fB\-\-ssh\-trust\-dns\fR Configure OpenSSH client to trust DNS SSHFP records. .TP +\fB\-\-no\-ssh\fR +Do not configure OpenSSH client. +.TP \fB\-\-no\-sshd\fR Do not configure OpenSSH server. .TP diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1 index 61b7c66..75c6a78 100644 --- a/install/tools/man/ipa-server-install.1 +++ b/install/tools/man/ipa-server-install.1 @@ -66,6 +66,9 @@ Do not automatically redirect to the Web UI. \fB\-\-ssh\-trust\-dns\fR Configure OpenSSH client to trust DNS SSHFP records. .TP +\fB\-\-no\-ssh\fR +Do not configure OpenSSH client. +.TP \fB\-\-no\-sshd\fR Do not configure OpenSSH server. .TP diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 83f5268..1bd9dcb 100755 --- a/ipa-client/ipa-install/ipa-client-install 
+++ b/ipa-client/ipa-install/ipa-client-install @@ -89,6 +89,8 @@ def parse_options(): help=do not configure ntp, default=True, dest=conf_ntp) basic_group.add_option(--ssh-trust-dns, dest=trust_sshfp, default=False, action=store_true, help=configure OpenSSH client to trust DNS SSHFP records) +basic_group.add_option(--no-ssh, dest=conf_ssh, default=True, action=store_false, + help=do not configure OpenSSH client) basic_group.add_option(--no-sshd, dest=conf_sshd, default=True,
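Review bot: the option, forwarding and man-page hunks for ipa-replica-install and ipa-server-install mirror the existing --no-sshd handling and the new `args.append(--no-ssh)` lines sit correctly beside `--no-sshd` in both `main()` functions, but the ipa-client-install hunk in this copy stops inside `parse_options`, so the behaviour stated in the commit message (skip the SSSD ssh service only when both --no-ssh and --no-sshd are given) is not visible for review; please confirm the combined condition, and that a plain --no-ssh still leaves the SSSD ssh service configured since sshd needs it for key lookup. Minor: the new help strings 'do not configure OpenSSH client' follow the lowercase style of 'do not configure OpenSSH server' while the neighbouring 'Do not automatically redirect to the Web UI' is capitalized; pick one.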
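The two sssd.conf decisions from patches 84 and 85 above, as one added example that is not ipa-client-install code: create the `[ssh]` service section before activating it (activating a service with no section is the failure patch 84 works around), and skip the SSSD ssh service only when both `--no-ssh` and `--no-sshd` were given. Python's `configparser` stands in for the SSSDConfig API, the `NoServiceError` class is a local analogue of SSSDConfig's, and the sample sssd.conf is constructed; the `[sssd] services =` option name follows the real file format.

```python
# Added example, not ipa-client-install code. configparser stands in for the
# SSSDConfig API; the sample configuration is constructed.
import configparser
import io

SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = example.test

[nss]

[pam]

[domain/example.test]
id_provider = ipa
"""


class NoServiceError(Exception):
    """Analogue of SSSDConfig.NoServiceError: service has no section."""


def load(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def dump(parser):
    buf = io.StringIO()
    parser.write(buf)
    return buf.getvalue()


def active_services(parser):
    raw = parser.get('sssd', 'services', fallback='')
    return [s.strip() for s in raw.split(',') if s.strip()]


def activate_service(parser, name):
    """Fails like SSSDConfig.activate_service when [name] does not exist."""
    if not parser.has_section(name):
        raise NoServiceError(name)
    services = active_services(parser)
    if name not in services:
        services.append(name)
        parser.set('sssd', 'services', ', '.join(services))


def ensure_service(parser, name):
    """The order patch 84 establishes: create the section, then activate."""
    if not parser.has_section(name):
        parser.add_section(name)
    activate_service(parser, name)


def want_sssd_ssh_service(conf_ssh, conf_sshd):
    """Patch 85: only both --no-ssh and --no-sshd disable the SSSD ssh service."""
    return bool(conf_ssh or conf_sshd)


def configure_ssh(text, conf_ssh=True, conf_sshd=True):
    """Return the updated sssd.conf text (unchanged when ssh is not wanted)."""
    parser = load(text)
    if want_sssd_ssh_service(conf_ssh, conf_sshd):
        ensure_service(parser, 'ssh')
    return dump(parser)


def activation_fails(text, name):
    """True if activating `name` on `text` as-is raises NoServiceError."""
    try:
        activate_service(load(text), name)
    except NoServiceError:
        return True
    return False


def services_in(text):
    return active_services(load(text))


def has_section(text, name):
    return load(text).has_section(name)


if __name__ == '__main__':
    print(configure_ssh(SAMPLE_SSSD_CONF))
```

Running `configure_ssh` twice leaves a single `ssh` entry in the services list, so the helper is safe to apply to a file that was already configured by hand.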
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 02:58 PM, Jan Cholasta wrote:
On 12.9.2012 14:09, Petr Viktorin wrote:
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When installing the client, we need to take extra care to only contact the one server we're installing against. Otherwise, in the real world, we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that didn't have the host principal yet.

To reproduce:
- Install a master and replica
- Change the Kerberos DNS entries to only point to the replica:

  for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
      ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec=0 100 88 $REPLICA_HOSTNAME
  done
  ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec=0 100 389 $MASTER_HOSTNAME
  ipa dnsrecord-find $DOMAIN  # check

- Sever communication between the hosts to disable replication:
  (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf
- Install client

This will fail without the patch.

Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob

The patch broke server installs. Please revert it if you're having trouble while I look into it.

I messed up and removed the kinit call entirely when installing on master. Attaching a fix.

Works for me, ACK.

Honza

When the server installation is complete, I was surprised to see I have now host credentials in my CCACHE:

# ipa-server-install --setup-dns
...
==
Setup complete

Next steps:
  1. You must make sure these network ports are open:
      TCP Ports:
        * 80, 443: HTTP/HTTPS
        * 389, 636: LDAP/LDAPS
        * 88, 464: kerberos
        * 53: bind
      UDP Ports:
        * 88, 464: kerberos
        * 53: bind
        * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

I don't think this is an expected behavior, installer should use a CCACHE separate from user's default.

Martin

___
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
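The two points raised in this thread, pinning kinit to the one KDC the client is being enrolled against and keeping the host TGT out of the caller's default credential cache, as an added example. This is not ipa-client-install's code; it writes a throwaway krb5.conf that names a single KDC with DNS lookups disabled and hands kinit a private KRB5CCNAME through the child's environment instead of mutating os.environ. The realm, hostnames and directory names are made up; /usr/bin/kinit and /etc/krb5.keytab are only touched if run_kinit() is actually called.

```python
import os
import subprocess
import tempfile


def build_pinned_krb5_conf(realm, kdc_host):
    """Minimal krb5.conf that names exactly one KDC for `realm` and turns
    DNS lookups off, so libkrb5 cannot fall back to an SRV-discovered KDC
    that has not replicated the new host principal yet."""
    return "\n".join([
        "[libdefaults]",
        "  default_realm = %s" % realm,
        "  dns_lookup_kdc = false",
        "  dns_lookup_realm = false",
        "",
        "[realms]",
        "  %s = {" % realm,
        "    kdc = %s:88" % kdc_host,
        "    master_kdc = %s:88" % kdc_host,
        "    admin_server = %s:749" % kdc_host,
        "  }",
    ]) + "\n"


def kinit_environment(krb5_conf_path, ccache_path, base_env=None):
    """Environment for the kinit child only: point libkrb5 at the pinned
    config and at a private ccache. The caller's environment is copied,
    not modified, so later installer steps keep their own KRB5CCNAME."""
    env = dict(base_env if base_env is not None else os.environ)
    env["KRB5_CONFIG"] = krb5_conf_path
    env["KRB5CCNAME"] = "FILE:" + ccache_path
    return env


def kinit_argv(hostname, realm, keytab="/etc/krb5.keytab"):
    """kinit with the host keytab, same shape as the call in the patch."""
    return ["/usr/bin/kinit", "-k", "-t", keytab,
            "host/%s@%s" % (hostname, realm)]


def run_kinit(hostname, realm, kdc_host, workdir=None):
    """Write the pinned krb5.conf into a private (mode 0700) directory and
    obtain the host TGT from `kdc_host` alone. Returns the ccache path;
    the caller is responsible for deleting the directory when done."""
    workdir = workdir or tempfile.mkdtemp(prefix="ipa-install-krb-")
    os.chmod(workdir, 0o700)
    conf_path = os.path.join(workdir, "krb5.conf")
    ccache_path = os.path.join(workdir, "ccache")
    with open(conf_path, "w") as f:
        f.write(build_pinned_krb5_conf(realm, kdc_host))
    env = kinit_environment(conf_path, ccache_path)
    subprocess.check_call(kinit_argv(hostname, realm), env=env)
    return ccache_path


if __name__ == "__main__":
    # Assumed names; run on a real enrolled host only.
    print(build_pinned_krb5_conf("EXAMPLE.TEST", "master.example.test"))
```

Because the ccache lives under a directory the installer created with owner-only permissions, the host credentials are neither visible in `klist` for root's default cache nor left behind for other tools to pick up once the directory is removed.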
Re: [Freeipa-devel] [PATCH 0011] Make sure selinuxusemap behaves consistently to HBAC rule
On 09/12/2012 10:24 AM, Tomas Babej wrote:
On 09/11/2012 01:14 PM, Martin Kosek wrote:
On 09/06/2012 01:13 PM, Tomas Babej wrote:
On 09/05/2012 01:56 PM, Martin Kosek wrote:
On 09/03/2012 05:12 PM, Tomas Babej wrote:
Hi,

Both selinuxusermap-add and selinuxusermap-mod commands now behave consistently in not allowing user/host category or user/host members and HBAC rule being set at the same time.

Also adds a bunch of unit tests that check this behaviour.

https://fedorahosted.org/freeipa/ticket/2983

Tomas

I found few issues with this patch:

1) Patch needs a rebase

2) Patch does not expect attributes to be set to None, i.e. to be left empty or to be deleted, e.g.:

# ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set

# ipa selinuxusermap-add foo --selinuxuser=guest_u:s0 --usercat=all
Added SELinux User Map foo
  Rule name: foo
  SELinux User: guest_u:s0
  User category: all
  Enabled: TRUE

# ipa selinuxusermap-mod foo --usercat= --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set

# ipa selinuxusermap-mod foo --usercat=
---
Modified SELinux User Map foo
---
  Rule name: foo
  SELinux User: guest_u:s0
  Enabled: TRUE

# ipa selinuxusermap-mod foo --hbacrule=foo
---
Modified SELinux User Map foo
---
  Rule name: foo
  SELinux User: guest_u:s0
  HBAC Rule: foo
  Enabled: TRUE

# ipa selinuxusermap-mod foo --hbacrule= --usercat=all
ipa: ERROR: HBAC rule and local members cannot both be set

All these validation failures are not valid.

3) Additionally, I think it would be more readable and less error prone if, instead of this blob:

+are_local_members_to_be_set = 'usercategory' in _entry_attrs or \
+                              'hostcategory' in _entry_attrs or \
+                              'memberuser' in _entry_attrs or \
+                              'memberhost' in _entry_attrs

You would use something like that:

are_local_members_to_be_set = any(attr in _entry_attrs
                                  for attr in ('usercategory', 'hostcategory', 'memberuser', 'memberhost'))

Martin

1.) Done.
2.) Corrected.
3.) Fixed.

Tomas

1) There are some (corner) cases where this approach still does not work:

# ipa selinuxusermap-show foo
  Rule name: foo
  SELinux User: guest_u:s0
  HBAC Rule: foo
  Enabled: TRUE

# ipa selinuxusermap-mod foo --usercat=all --hbacrule=
ipa: ERROR: HBAC rule and local members cannot both be set

HBAC rule attribute is being deleted and user category set, so this should not be rejected.

2) There are also some styling issues (you can use the pep8 tool present in Fedora to locate them on your own), e.g.:

ipalib/plugins/selinuxusermap.py:247:32: E203 whitespace before ':'
ipalib/plugins/selinuxusermap.py:247:70: E225 missing whitespace around operator
ipalib/plugins/selinuxusermap.py:249:36: E221 multiple spaces before operator
...

Martin

The corner case is fixed now and styling issues corrected as well.

Tomas

Yup, works fine now. ACK.

Pushed to master, ipa-3-0.

Martin
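The validation this review converges on, as an added example and not the ipalib plugin code: an option passed as None or empty (the CLI's "--hbacrule=" form) is a deletion, and for a mod the check is run against what the entry will look like after the change rather than against the raw options. That is what makes "--usercat=all --hbacrule=" on an entry that currently carries an HBAC rule acceptable while "--usercat=all" alone on the same entry is still rejected. The local-member attribute names are the ones quoted in the review; the attribute holding the HBAC rule link is called seealso here as an assumption, and entries are plain dicts rather than LDAP entries.

```python
# Attribute names quoted in the review above.
LOCAL_MEMBER_ATTRS = ('usercategory', 'hostcategory', 'memberuser', 'memberhost')
# Assumption for this example: the attribute that links the map to an HBAC rule.
HBAC_ATTR = 'seealso'


class MutuallyExclusiveError(ValueError):
    """Raised with the same message the CLI prints."""


def _present(value):
    """An attribute counts as set only if it carries a real value.
    None, '' and an empty/blank list all mean 'absent' or 'delete me'."""
    if value is None:
        return False
    if isinstance(value, (list, tuple, set)):
        return any(v not in (None, '') for v in value)
    return value != ''


def resulting_state(current, changes):
    """Apply `changes` (attr -> new value, with None/empty meaning delete)
    to a copy of `current` and return the post-modification entry."""
    entry = dict(current)
    for attr, value in changes.items():
        if _present(value):
            entry[attr] = value
        else:
            entry.pop(attr, None)
    return entry


def check_exclusive(entry):
    """The rule itself: an HBAC rule and any local member attribute may
    not both be set on the resulting entry."""
    has_hbac = _present(entry.get(HBAC_ATTR))
    has_local = any(_present(entry.get(a)) for a in LOCAL_MEMBER_ATTRS)
    if has_hbac and has_local:
        raise MutuallyExclusiveError(
            'HBAC rule and local members cannot both be set')
    return entry


def selinuxusermap_add(options):
    """add: no existing entry, so the options alone describe the result."""
    return check_exclusive(resulting_state({}, options))


def selinuxusermap_mod(current, options):
    """mod: validate the entry as it will be after the change, so that
    deleting the HBAC rule and setting a category in one call passes."""
    return check_exclusive(resulting_state(current, options))


if __name__ == '__main__':
    existing = {'ipaselinuxuser': 'guest_u:s0', HBAC_ATTR: 'foo'}
    print(selinuxusermap_mod(existing, {'usercategory': 'all', HBAC_ATTR: None}))
```

Checking the post-change state rather than the presence of option keys is also what keeps the check honest when both sides are being cleared at once ("--usercat= --hbacrule="), which the review lists as a false positive.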
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On Wed, 2012-09-12 at 16:04 +0200, Martin Kosek wrote:
On 09/12/2012 02:58 PM, Jan Cholasta wrote:
On 12.9.2012 14:09, Petr Viktorin wrote:
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When installing the client, we need to take extra care to only contact the one server we're installing against. Otherwise, in the real world, we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that didn't have the host principal yet.

To reproduce:
- Install a master and replica
- Change the Kerberos DNS entries to only point to the replica:

  for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
      ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec=0 100 88 $REPLICA_HOSTNAME
  done
  ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec=0 100 389 $MASTER_HOSTNAME
  ipa dnsrecord-find $DOMAIN  # check

- Sever communication between the hosts to disable replication:
  (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf
- Install client

This will fail without the patch.

Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob

The patch broke server installs. Please revert it if you're having trouble while I look into it.

I messed up and removed the kinit call entirely when installing on master. Attaching a fix.

Works for me, ACK.

Honza

When the server installation is complete, I was surprised to see I have now host credentials in my CCACHE:

# ipa-server-install --setup-dns
...
==
Setup complete

Next steps:
  1. You must make sure these network ports are open:
      TCP Ports:
        * 80, 443: HTTP/HTTPS
        * 389, 636: LDAP/LDAPS
        * 88, 464: kerberos
        * 53: bind
      UDP Ports:
        * 88, 464: kerberos
        * 53: bind
        * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

I don't think this is an expected behavior, installer should use a CCACHE separate from user's default.

Definitely, a private install ccache should be used.
Please open a ticket.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 04:29 PM, Simo Sorce wrote:
On Wed, 2012-09-12 at 16:04 +0200, Martin Kosek wrote:
On 09/12/2012 02:58 PM, Jan Cholasta wrote:
On 12.9.2012 14:09, Petr Viktorin wrote:
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When installing the client, we need to take extra care to only contact the one server we're installing against. Otherwise, in the real world, we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that didn't have the host principal yet.

To reproduce:
- Install a master and replica
- Change the Kerberos DNS entries to only point to the replica:

  for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
      ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec=0 100 88 $REPLICA_HOSTNAME
  done
  ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec=0 100 389 $MASTER_HOSTNAME
  ipa dnsrecord-find $DOMAIN  # check

- Sever communication between the hosts to disable replication:
  (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf
- Install client

This will fail without the patch.

Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob

The patch broke server installs. Please revert it if you're having trouble while I look into it.

I messed up and removed the kinit call entirely when installing on master. Attaching a fix.

Works for me, ACK.

Honza

When the server installation is complete, I was surprised to see I have now host credentials in my CCACHE:

# ipa-server-install --setup-dns
...
==
Setup complete

Next steps:
  1. You must make sure these network ports are open:
      TCP Ports:
        * 80, 443: HTTP/HTTPS
        * 389, 636: LDAP/LDAPS
        * 88, 464: kerberos
        * 53: bind
      UDP Ports:
        * 88, 464: kerberos
        * 53: bind
        * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

I don't think this is an expected behavior, installer should use a CCACHE separate from user's default.

Definitely, a private install ccache should be used.
Please open a ticket.

Simo.

This is caused by a patch pushed today (in the scope of a fix for ticket 2982). Petr Viktorin is working on a fix which will be sent soon, so I think that a ticket is not necessary in this case.

Martin
Re: [Freeipa-devel] [PATCH 0006] Improves sssd.conf handling during ipa-client uninstall
On 08/29/2012 02:54 PM, Tomas Babej wrote:
On 08/27/2012 04:55 PM, Martin Kosek wrote:
On 08/27/2012 03:37 PM, Jakub Hrozek wrote:
On Mon, Aug 27, 2012 at 02:57:44PM +0200, Martin Kosek wrote:
I think that the right behavior of SSSD conf uninstall should be the following:

* sssd.conf existed before IPA install + non-IPA domains in sssd.conf found:
  - move backed-up conf to sssd.conf.bkp (and inform the user)
  - use SSSDConfig delete_domain function to remove ipa domain from sssd.conf
  - restart sssd afterwards

I'm confused here, which of the files is the original pre-ipa-client-install file?

This is the backed up sssd.conf. I thought that it may be useful for the user to still have access to it after uninstall.

How does the non-ipa domain end up in the sssd.conf file? Does it have to be configured manually or does ipa-client-install merge the list of domains on installation?

ipa-client-install merges the list of the domains. It overrides the old sssd.conf only when we cannot parse the sssd.conf and the --preserve-sssd option was not set.

Martin

Hi,

The sssd.conf file is no longer left behind in case sssd was not configured before the installation.

However, the patch goes beyond the scope of this ticket and improves the handling of sssd.conf during the ipa-client-install --uninstall in general. The current behaviour (well documented in source code) is as follows:

- In general, the IPA domain is simply removed from the sssd.conf file, instead of sssd.conf being rewritten from the backup. This preserves any domains added after installation.
- If sssd.conf existed before the installation, it is restored to sssd.conf.bkp. However, any IPA domains from the pre-installation sssd.conf should have been merged during the installation.
- If sssd.conf did not exist before the installation, and no other domains than the IPA domain exist in it, the patch makes sure that sssd.conf is moved to sssd.conf.deleted so the user experiences no crash during any next installation due to its existence.
https://fedorahosted.org/freeipa/ticket/2740 Tomas Good job, SSSD uninstall process now looks more consistent and better documented. I just found the following (mainly minor) issues. Comments in the patch: diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index 2e65921e8de2dfe68443f5b5875954d71dd48ed2..c5cef15e1fb3a3e1d7cfd070f4288d3839accfc8 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -183,6 +183,36 @@ def nssldap_exists(): return (retval, files_found) +# helper function for uninstall +# deletes IPA domain from sssd.conf +def delete_IPA_domain(): Function names should be lowercase - delete_ipa_domain +sssd = ipaservices.service('sssd') +try: +sssdconfig = SSSDConfig.SSSDConfig() +sssdconfig.import_config() +domains = sssdconfig.list_active_domains() + +IPA_domain_name = None Variables should be lowercase - ipa_domain_name + +for name in domains: +domain = sssdconfig.get_domain(name) +try: +provider = domain.get_option('id_provider') +if provider == ipa: +IPA_domain_name = name +break +except SSSDConfig.NoOptionError: +continue + +if IPA_domain_name != None: Do not use != with None, True, False - use is not None. +sssdconfig.delete_domain(IPA_domain_name) +sssdconfig.write() +else: +root_logger.warning(IPA domain could not be found in + +sssd.conf and therefore not deleted) +except IOError: +root_logger.warning(IPA domain could not be deleted. No access to the sssd.conf file.) There should be full path to sssd.conf in this error message. It is very useful sometimes. + def uninstall(options, env): if not fstore.has_files(): 
@@ -212,7 +242,12 @@ def uninstall(options, env): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() domains = sssdconfig.list_active_domains() -if len(domains) 1: +all_domains = sssdconfig.list_domains() + +# we consider all the domains, because handling sssd.conf +# during uninstall is dependant on was_sssd_configured flag +# so the user does not lose info about inactive domains +if len(all_domains) 1: # There was more than IPA domain configured was_sssd_configured = True for name in domains: @@ -349,6 +384,62 @@ def uninstall(options, env): Failed to remove krb5/LDAP configuration: %s, str(e)) return CLIENT_INSTALL_ERROR +# Next if-elif-elif construction deals with sssd.conf file. +# Old pre-IPA domains are preserved due merging the old sssd.conf +# during the installation of
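Review bot: in the delete_IPA_domain() hunk, `sssd = ipaservices.service('sssd')` is assigned but never used inside the function, so sssd is not restarted after `sssdconfig.write()` even though the agreed uninstall behaviour earlier in this thread was to restart it after removing the domain; either restart the service here or drop the unused variable. The `except IOError:` around `sssdconfig.import_config()` is also narrower than it looks: a malformed sssd.conf that fails to parse would raise something other than IOError and propagate out of uninstall instead of producing the warning, so consider catching SSSDConfig's parsing error as well, and include the full path of sssd.conf in both warnings as requested above.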
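Review bot: in the `@@ -212,7 +242,12 @@` hunk, `was_sssd_configured` is now decided from `all_domains = sssdconfig.list_domains()`, but the `for name in domains:` loop that follows still walks the `list_active_domains()` result; if the only non-IPA domain is an inactive one, the flag says sssd was configured while the loop never visits that domain. Use the same list in both places, or say in the comment why the two deliberately differ. Minor: `dependant` in the new comment should be `dependent`.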
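Review bot: in the `@@ -349,6 +384,62 @@` hunk the new comment reads "Old pre-IPA domains are preserved due merging the old sssd.conf"; "due merging" should be "due to merging".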
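The uninstall-time sssd.conf policy described in Tomas's message above (remove only the IPA domain, keep every other domain whether active or not, keep the pre-install backup as sssd.conf.bkp, and move a file that held nothing but the IPA domain aside as sssd.conf.deleted), as an added example. It is not the ipa-client-install code and uses the standard-library configparser on an in-memory string instead of SSSD's SSSDConfig module, so it runs offline; the sample configuration and the helper and path names are constructed for the example.

```python
import configparser

# Constructed sample, not taken from any host: one IPA domain plus a
# pre-existing LDAP domain that is configured but not listed as active.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
config_file_version = 2
domains = example.test

[domain/example.test]
id_provider = ipa
ipa_server = master.example.test

[domain/legacy.ldap]
id_provider = ldap
ldap_uri = ldap://ldap.example.test
"""


def parse(text):
    cp = configparser.RawConfigParser()
    cp.optionxform = str           # sssd option names are case-sensitive
    cp.read_string(text)
    return cp


def all_domains(cp):
    """Every [domain/...] section, active or not (the list_domains() analogue)."""
    return [s[len('domain/'):] for s in cp.sections() if s.startswith('domain/')]


def active_domains(cp):
    """Domains named in [sssd] domains= (the list_active_domains() analogue)."""
    raw = cp.get('sssd', 'domains', fallback='')
    return [d.strip() for d in raw.split(',') if d.strip()]


def find_ipa_domain(cp):
    """The IPA domain is the one whose id_provider is 'ipa', whatever its name."""
    for name in all_domains(cp):
        if cp.get('domain/' + name, 'id_provider', fallback=None) == 'ipa':
            return name
    return None


def delete_ipa_domain(cp):
    """Drop the IPA domain section and its entry in the active list; every
    other domain stays untouched. Returns the removed name, or None."""
    name = find_ipa_domain(cp)
    if name is None:
        return None
    cp.remove_section('domain/' + name)
    remaining = [d for d in active_domains(cp) if d != name]
    cp.set('sssd', 'domains', ', '.join(remaining))
    return name


def uninstall_action(cp, sssd_existed_before, conf='/etc/sssd/sssd.conf'):
    """Decide what happens to sssd.conf itself. Inactive domains count as
    configured, so the user does not lose them. Works before or after
    delete_ipa_domain(): the IPA domain is excluded either way."""
    ipa_name = find_ipa_domain(cp)
    others = [d for d in all_domains(cp) if d != ipa_name]
    if sssd_existed_before:
        # the pre-install file was backed up; that copy becomes sssd.conf.bkp
        return ('restore_backup_to', conf + '.bkp')
    if others:
        # no pre-install file, but domains were added since: keep the file
        return ('keep', conf)
    # nothing but the IPA domain: move it aside so the next install is clean
    return ('move_to', conf + '.deleted')


if __name__ == '__main__':
    cfg = parse(SAMPLE_SSSD_CONF)
    print(uninstall_action(cfg, sssd_existed_before=False))
    print(delete_ipa_domain(cfg), all_domains(cfg), active_domains(cfg))
```

Deciding on all_domains() rather than active_domains() is the point the patch's second hunk makes in its comment; the example keeps a single list for both the decision and the cleanup so the two cannot disagree.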
Re: [Freeipa-devel] [PATCH] 0077 Check direct/reverse hostname/address resolution in ipa-replica-install
On 09/11/2012 11:05 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
On 09/04/2012 07:44 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
https://fedorahosted.org/freeipa/ticket/2845

Shouldn't this also call verify_fqdn() on the local hostname and not just the master? I think this would eventually fail in the conncheck but what if that was skipped?

rob

A few lines above there is a call to get_host_name, which will call verify_fqdn.

I double-checked this, it fails in conncheck. Here are my steps:

# ipa-server-install --setup-dns
# ipa-replica-prepare replica.example.com --ip-address=192.168.100.2
# ipa host-del replica.example.com

On replica, set DNS to IPA master, with hostname in /etc/hosts.

# ipa-replica-install ...

The verify_fqdn() passes because the resolver uses /etc/hosts.

The conncheck fails:

Execute check on remote master
Check connection from master to remote replica 'replica.example.com':
Remote master check failed with following error message(s):
Could not chdir to home directory /home/admin: No such file or directory
Port check failed! Unable to resolve host name 'replica.example.com'

Connection check failed!
Please fix your network settings according to error messages above.
If the check results are not valid it can be skipped with --skip-conncheck parameter.

The DNS test happens much further after this, and I get why, I just don't see how useful it is unless the --skip-conncheck is used. For the record, it's because we need to check if the host has DNS installed. We need a LDAP connection to check this.

# ipa-replica-install ~rcrit/replica-info-replica.example.com.gpg --skip-conncheck
Directory Manager (existing master) password:

ipa : ERROR Could not resolve hostname replica.example.com using DNS. Clients may not function properly. Please check your DNS setup. (Note that this check queries IPA DNS directly and ignores /etc/hosts.)
Continue? [no]:

So I guess, what are the intentions here? It is certainly better than before.

rob

If the replica is in the master's /etc/hosts, but not in DNS, the conncheck will succeed. This check explicitly queries IPA records only and ignores /etc/hosts so it'll notice this case and warn.

-- 
Petr³
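The distinction Petr draws above, between a name that resolves through /etc/hosts and one that the IPA DNS server itself answers for, as an added example. This is not ipa-replica-install's check; it sends a raw A query over UDP to one nameserver using only the standard library, so neither nsswitch nor /etc/hosts can satisfy it, and it decodes the reply (including compressed names) to tell an answer from NXDOMAIN or an empty response. The function names are assumptions, make_response() exists only so the parser can be exercised offline on a constructed packet, and query_a() needs UDP/53 to the given server when actually run.

```python
import random
import socket
import struct


def build_query(name, qid=None):
    """DNS query for <name> IN A, recursion desired."""
    qid = random.randrange(0, 0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _read_name(pkt, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, jumped, end = [], False, None
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:            # compression pointer
            ptr = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                  # resume after the pointer
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_a_records(pkt, expected_qid=None):
    """Return (rcode, [IPv4 strings]) from a DNS response packet."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if expected_qid is not None and qid != expected_qid:
        raise ValueError("transaction id mismatch")
    if not (flags & 0x8000):
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                        # skip the question section
        _, off = _read_name(pkt, off)
        off += 4                               # qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = _read_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(pkt[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs


def make_response(query, addrs, rcode=0):
    """Build a reply to `query` (offline testing only, not a real server)."""
    qid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", qid, 0x8180 | rcode, 1, len(addrs), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) +
                       socket.inet_aton(a) for a in addrs)
    return header + query[12:] + answers


def query_a(name, nameserver, timeout=3.0):
    """Ask `nameserver` directly; /etc/hosts and nsswitch are never consulted."""
    qid = random.randrange(0, 0x10000)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (nameserver, 53))
        data, _ = sock.recvfrom(4096)
    finally:
        sock.close()
    return parse_a_records(data, qid)


def check_replica_resolvable(name, nameserver):
    """True only if the nameserver itself returns an A record; NXDOMAIN and
    an empty answer both count as 'not in DNS', which is the case the
    conncheck misses when the name is in the master's /etc/hosts."""
    rcode, addrs = query_a(name, nameserver)
    return rcode == 0 and bool(addrs)
```

Tying the check to the transaction id and to the answer's type and class keeps a stray or spoofed datagram from being mistaken for a positive result; for the installer's purpose a negative answer is the interesting one, and it is only trustworthy because it came from the IPA server the replica will depend on.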
Re: [Freeipa-devel] [PATCH] 0078 ipa-client-install: Obtain host TGT from one specific KDC
On 09/12/2012 04:04 PM, Martin Kosek wrote:
On 09/12/2012 02:58 PM, Jan Cholasta wrote:
On 12.9.2012 14:09, Petr Viktorin wrote:
On 09/12/2012 01:20 PM, Petr Viktorin wrote:
On 09/11/2012 10:39 PM, Rob Crittenden wrote:
Petr Viktorin wrote:
When installing the client, we need to take extra care to only contact the one server we're installing against. Otherwise, in the real world, we might hit a server that hasn't replicated info about the client yet.

This patch fixes a bug where kinit attempted to contact a KDC that didn't have the host principal yet.

To reproduce:
- Install a master and replica
- Change the Kerberos DNS entries to only point to the replica:

  for REC_NAME in '_kerberos-master._tcp' '_kerberos-master._udp' '_kerberos._tcp' '_kerberos._udp' '_kpasswd._tcp' '_kpasswd._udp'; do
      ipa dnsrecord-mod $DOMAIN $REC_NAME --srv-rec=0 100 88 $REPLICA_HOSTNAME
  done
  ipa dnsrecord-mod $DOMAIN _ldap._tcp --srv-rec=0 100 389 $MASTER_HOSTNAME
  ipa dnsrecord-find $DOMAIN  # check

- Sever communication between the hosts to disable replication:
  (on master) iptables -A INPUT -j DROP -p all --source $REPLICA_IP
- On client machine, put master as nameserver in /etc/resolv.conf
- Install client

This will fail without the patch.

Thanks to Petr Spacek, Simo, and Scott for helping to reproduce and explain the bug. I learned a lot.

https://fedorahosted.org/freeipa/ticket/2982

ACK, pushed to master and ipa-3-0

rob

The patch broke server installs. Please revert it if you're having trouble while I look into it.

I messed up and removed the kinit call entirely when installing on master. Attaching a fix.

Works for me, ACK.

Honza

When the server installation is complete, I was surprised to see I have now host credentials in my CCACHE:

# ipa-server-install --setup-dns
...
==
Setup complete

Next steps:
  1. You must make sure these network ports are open:
      TCP Ports:
        * 80, 443: HTTP/HTTPS
        * 389, 636: LDAP/LDAPS
        * 88, 464: kerberos
        * 53: bind
      UDP Ports:
        * 88, 464: kerberos
        * 53: bind
        * 123: ntp

  2. You can now obtain a kerberos ticket using the command: 'kinit admin'
     This ticket will allow you to use the IPA tools (e.g., ipa user-add)
     and the web user interface.

Be sure to back up the CA certificate stored in /root/cacert.p12
This file is required to create replicas. The password for this
file is the Directory Manager password

# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: host/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

Valid starting     Expires            Service principal
09/12/12 09:28:24  09/13/12 09:28:24  krbtgt/idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:24  09/13/12 09:28:24  HTTP/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com
09/12/12 09:28:26  09/13/12 09:28:24  DNS/vm-086.idm.lab.bos.redhat@idm.lab.bos.redhat.com

I don't think this is an expected behavior, installer should use a CCACHE separate from user's default.

Martin

I need to slow down. Thanks for the catch.
Attaching another fix.

-- 
Petr³

From c8499bed87d40c8b12e6f938d349a4a872180242 Mon Sep 17 00:00:00 2001
From: Petr Viktorin pvikt...@redhat.com
Date: Wed, 12 Sep 2012 10:30:31 -0400
Subject: [PATCH] Use temporary key cache for host key in server installation

This fixes an oversight in the earlier patch
---
 ipa-client/ipa-install/ipa-client-install | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index 392aa65a0503a2ff647a8f6b089f8dfcc3fec094..3b1fd1a4486ccb3e5ad7f1f42b69f8ee988d2350 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -1572,9 +1572,10 @@ def install(options, env, fstore, statestore): if options.on_master: # If on master assume kerberos is already configured properly. # Get the host TGT. +os.environ['KRB5CCNAME'] = CCACHE_FILE try: run(['/usr/bin/kinit', '-k', '-t', '/etc/krb5.keytab', -'host/%s@%s' % (hostname, cli_realm)], env=env) +'host/%s@%s' % (hostname, cli_realm)]) except CalledProcessError, e: root_logger.error(Failed to obtain host TGT.) return CLIENT_INSTALL_ERROR -- 1.7.11.4 ___ Freeipa-devel mailing list Freeipa-devel@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-devel
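Review bot: `os.environ['KRB5CCNAME'] = CCACHE_FILE` changes the installer's own process environment for everything that runs after this point and is not restored anywhere in this hunk, and with `env=env` dropped from `run()` the kinit child now inherits the whole modified os.environ rather than the environment the caller prepared. Passing the variable to the child only (for example `env=dict(env, KRB5CCNAME=CCACHE_FILE)`) would keep the host TGT out of the default ccache without redirecting later steps that may rely on the caller's KRB5CCNAME; if the process-wide setting is intended, a comment saying so and where it is reset would help the next reader. Please also confirm that CCACHE_FILE is created with owner-only permissions and removed when the install finishes, since it holds the host's credentials.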
Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18
On 09/11/2012 09:38 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Rob Crittenden wrote:
Petr Viktorin wrote:
On 09/11/2012 04:38 PM, Rob Crittenden wrote:
Ade Lee wrote:
On Tue, 2012-09-11 at 08:59 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
On 09/11/2012 04:04 AM, Ade Lee wrote:
On Mon, 2012-09-10 at 16:58 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
Attaching rebased and squashed patches. I've done some testing with them but please test some more.

Most of these aren't IPA issues, but dogtag issues. I'll try to split them out.

IPA:

For the configuration files in install/conf to be updated at rpm update time the VERSION needs to be incremented.

These files should stay the same since on upgrade we're still using a Dogtag 9 style instance. The Dogtag 10 ports are only used in new installs.

The ipa package lacks any updated dogtag dependencies, so I abused it. What should the updated dependencies be?

Since it should work with both dogtag 9 and 10, I don't see how they should change.

I don't know either, but we need to prevent people from installing incompatible package combinations.

Wouldn't the Conflicts: ipa 3.0 in pki-ca mentioned below satisfy this requirement? The main concern is that you must have ipa 3.0 if you have dogtag 10.

Given that dogtag is consumed by IPA though, it makes more sense to put the relevant conflicts in IPA rather than in dogtag. So in this case, that would mean putting Conflicts: pki-ca = 10.0 in IPA 2.x. Recall that dogtag 10 will only be officially available in f18+.

That isn't enough. If a F-17 user with IPA 2.2 installed upgrades to F-18 they would be able to install dogtag 10 and blow up their IPA server.

I installed IPA with dogtag 9 and created a replica. I updated the IPA bits, that worked fine. I updated to dogtag 10 and now the CA doesn't work on the master, including starting the dogtag instance. Note that the rpm update process worked, no notice that the CA service didn't restart.

Did you try to restart the CA with selinux in permissive mode? This is still required right now until I get the selinux policy all straightened out. There is also a separate dogtag ticket (which is currently being worked on) to restart existing dogtag instances when dogtag is upgraded from 9-10.

In permissive mode, this upgrade works for me.

I was in enforcing mode but saw no AVCs. What is the ETA on fixing this?

Within the next week or two, I need to finish the IPA merge database patch first, and then co-ordinate changes with the selinux guys.

Sometimes I do get this error intermittently:
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)

Usually, waiting a couple of minutes clears this up.

Perhaps we are not doing startup detection correctly. Ade mentioned that waiting for ports may not be ideal. How do we know if Dogtag is initialized? Years ago we had discussed with Andrew and Matt creating a URI that can be queried to determine dogtag status. I don't think that ever went anywhere.

Petr, this happens only on reboot, right? And not on regular service ipa restart?

I've now seen it happen right after a 9 → 10 upgrade.

Yeah, I remember this conversation - and even created a bug for it at some point. This went away because the mechanism you were using seemed to be working. The timing may be very different now with tomcat 7 and systemd. I'll open a dogtag trac ticket for this.

Ok.

Uninstalling failed because it tried to run pkidestroy and not pkiremove.

I was under the impression that pkidestroy was the correct command to remove an upgraded instance. I'll check with Ade.

I'll test this too.

The contents of the file passed to pkispawn should be logged so we can see exactly what was passed in.

It's a pretty big file. You might want to only log the modifications. Or save the file somewhere.

Our logs are pretty verbose, so that shouldn't be a problem. I'll put it in the next version of the patch.

The question to ask is: would you need the contents of this file if all you got were logs and needed to evaluate why installation failed? In most cases this is yes.

Up to you guys. There is a patch I am working on in which I will be logging the object that is being passed to the server from pkispawn. That - and the diffs to the standard config file as I mentioned above - will likely be sufficient to debug almost all cases.

Make sure not to log any passwords.

Thanks for the catch. Attaching updated patch that sanitizes the passwords.

DOGTAG:

When upgrading using the dogtag-devel repo I had to specify pki-tools.x86_64 otherwise it tried to install both 32 and 64-bit versions (and failed). I ended up running:
yum update pki-ca tomcatjss pki-tools.x86_64 --enablerepo=dogtag-devel --enablerepo=updates-testing

We'll look into this.

I think I know why this happens. What happens if someone manually upgrades pki-ca without first
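The two requests in the exchange above, log what was handed to pkispawn but only the parts that differ from the stock configuration, and never log a password, as an added example. This is neither the IPA patch nor Dogtag code: it redacts secret-looking values line by line so the logged file keeps its layout, and separately computes the options that differ from a template with the same redaction applied. The pki_* option names are taken from what a pkispawn deployment file looks like, but the two configurations and the "secret" key pattern are constructed for the example and are assumptions, not a complete or authoritative list.

```python
import configparser
import re

# Assumption: option names carrying secrets contain one of these words as a
# whole underscore-separated component ("pki_ds_password", "pki_token_password").
SECRET_KEY_PATTERN = re.compile(
    r"(?:^|_)(password|passwd|pin|token|secret)(?:_|$)", re.IGNORECASE)
REDACTED = "XXXXXXXX"

# Constructed template and "as passed" configuration; not real deployment files.
DEFAULT_CFG = """\
[DEFAULT]
pki_instance_name = pki-tomcat
pki_admin_password =
pki_ds_hostname = localhost
pki_token_password = internal

[CA]
pki_ds_base_dn = o=pki-tomcat-CA
"""

SAMPLE_PKISPAWN_CFG = """\
[DEFAULT]
pki_instance_name = pki-tomcat
pki_admin_password = Secret123
pki_security_domain_password = Secret123
pki_client_pkcs12_password = Secret123
pki_client_database_password = Secret123
pki_ds_password = Secret123
pki_token_password = internal
pki_ds_hostname = master.example.test

[CA]
pki_ds_base_dn = o=ipaca
pki_admin_nickname = ipa-ca-agent
"""

_KV = re.compile(r"^(\s*)([^#;=\s][^=]*?)(\s*=\s*)(.*)$")


def redact_config(text):
    """Return (redacted text, list of redacted keys). Layout, comments and
    ordering are preserved so the log still shows exactly what was passed."""
    out, redacted = [], []
    for line in text.splitlines():
        m = _KV.match(line)
        if m and SECRET_KEY_PATTERN.search(m.group(2)):
            out.append(m.group(1) + m.group(2) + m.group(3) + REDACTED)
            redacted.append(m.group(2).strip())
        else:
            out.append(line)
    return "\n".join(out) + "\n", redacted


def _load(text):
    # A non-default default_section makes [DEFAULT] an ordinary section,
    # so its options are not silently merged into every other section.
    cp = configparser.RawConfigParser(default_section="__none__")
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def changed_options(default_text, cfg_text):
    """Options whose value differs from the template, secrets redacted:
    the short form of the file worth putting in an install log."""
    base, cfg = _load(default_text), _load(cfg_text)
    changes = []
    for section, options in cfg.items():
        for key, value in options.items():
            if base.get(section, {}).get(key) != value:
                shown = REDACTED if SECRET_KEY_PATTERN.search(key) else value
                changes.append((section, key, shown))
    return changes


if __name__ == "__main__":
    text, keys = redact_config(SAMPLE_PKISPAWN_CFG)
    print(text)
    for section, key, value in changed_options(DEFAULT_CFG, SAMPLE_PKISPAWN_CFG):
        print("[%s] %s = %s" % (section, key, value))
```

Redacting by key name rather than by value is deliberate: a value-based filter has to know every secret up front, while the key pattern also catches a secret the installer did not set itself but passed through from the template.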
Re: [Freeipa-devel] [PATCH] Patch to allow IPA to work with dogtag 10 on f18
On Wed, 2012-09-12 at 18:43 +0200, Petr Viktorin wrote:
On 09/11/2012 09:38 PM, Rob Crittenden wrote:
Rob Crittenden wrote:
Rob Crittenden wrote:
Petr Viktorin wrote:
On 09/11/2012 04:38 PM, Rob Crittenden wrote:
Ade Lee wrote:
On Tue, 2012-09-11 at 08:59 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
On 09/11/2012 04:04 AM, Ade Lee wrote:
On Mon, 2012-09-10 at 16:58 -0400, Rob Crittenden wrote:
Petr Viktorin wrote:
Attaching rebased and squashed patches. I've done some testing with them but please test some more.

Most of these aren't IPA issues, but dogtag issues. I'll try to split them out.

IPA:

For the configuration files in install/conf to be updated at rpm update time the VERSION needs to be incremented.

These files should stay the same since on upgrade we're still using a Dogtag 9 style instance. The Dogtag 10 ports are only used in new installs.

The ipa package lacks any updated dogtag dependencies, so I abused it. What should the updated dependencies be?

Since it should work with both dogtag 9 and 10, I don't see how they should change.

I don't know either, but we need to prevent people from installing incompatible package combinations.

Wouldn't the Conflicts: ipa 3.0 in pki-ca mentioned below satisfy this requirement? The main concern is that you must have ipa 3.0 if you have dogtag 10.

Given that dogtag is consumed by IPA though, it makes more sense to put the relevant conflicts in IPA rather than in dogtag. So in this case, that would mean putting Conflicts: pki-ca = 10.0 in IPA 2.x. Recall that dogtag 10 will only be officially available in f18+.

That isn't enough. If a F-17 user with IPA 2.2 installed upgrades to F-18 they would be able to install dogtag 10 and blow up their IPA server.

I installed IPA with dogtag 9 and created a replica. I updated the IPA bits, that worked fine. I updated to dogtag 10 and now the CA doesn't work on the master, including starting the dogtag instance. Note that the rpm update process worked, no notice that the CA service didn't restart.

Did you try to restart the CA with selinux in permissive mode? This is still required right now until I get the selinux policy all straightened out. There is also a separate dogtag ticket (which is currently being worked on) to restart existing dogtag instances when dogtag is upgraded from 9-10.

In permissive mode, this upgrade works for me.

I was in enforcing mode but saw no AVCs. What is the ETA on fixing this?

Within the next week or two, I need to finish the IPA merge database patch first, and then co-ordinate changes with the selinux guys.

Sometimes I do get this error intermittently:
ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Service Temporarily Unavailable)

Usually, waiting a couple of minutes clears this up.

Perhaps we are not doing startup detection correctly. Ade mentioned that waiting for ports may not be ideal. How do we know if Dogtag is initialized? Years ago we had discussed with Andrew and Matt creating a URI that can be queried to determine dogtag status. I don't think that ever went anywhere.

Petr, this happens only on reboot, right? And not on regular service ipa restart?

I've now seen it happen right after a 9 → 10 upgrade.

Yeah, I remember this conversation - and even created a bug for it at some point. This went away because the mechanism you were using seemed to be working. The timing may be very different now with tomcat 7 and systemd. I'll open a dogtag trac ticket for this.

Ok.

Uninstalling failed because it tried to run pkidestroy and not pkiremove.

I was under the impression that pkidestroy was the correct command to remove an upgraded instance. I'll check with Ade.

I'll test this too.

The contents of the file passed to pkispawn should be logged so we can see exactly what was passed in.

It's a pretty big file. You might want to only log the modifications. Or save the file somewhere.

Our logs are pretty verbose, so that shouldn't be a problem. I'll put it in the next version of the patch.

The question to ask is: would you need the contents of this file if all you got were logs and needed to evaluate why installation failed? In most cases this is yes.

Up to you guys. There is a patch I am working on in which I will be logging the object that is being passed to the server from pkispawn. That - and the diffs to the standard config file as I mentioned above - will likely be sufficient to debug almost all cases.

Make sure not to log any passwords.

Thanks for the catch. Attaching updated patch that sanitizes the passwords.

DOGTAG:

When upgrading using the dogtag-devel repo I had to specify pki-tools.x86_64 otherwise it