Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package

2015-07-15 Thread Alexander Bokovoy

On Thu, 16 Jul 2015, Jan Cholasta wrote:

Dne 15.7.2015 v 19:39 Simo Sorce napsal(a):

- Original Message -

From: "Petr Spacek" 
To: "Jan Cholasta" , freeipa-devel@redhat.com, "Alexander 
Bokovoy" 
Cc: "Simo Sorce" 
Sent: Tuesday, July 14, 2015 10:33:41 AM
Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package

On 14.7.2015 16:29, Jan Cholasta wrote:

Dne 14.7.2015 v 14:33 Petr Spacek napsal(a):

On 2.7.2015 09:56, Petr Spacek wrote:

On 2.7.2015 09:36, Alexander Bokovoy wrote:

On Thu, 02 Jul 2015, Jan Cholasta wrote:

Can this be done without adding server-core?

I'm not aware of such a method (except adding all DNS dependencies
as Requires straight into the freeipa-server package).


Because it's not server core,
it's the whole thing! Or maybe just rename it to server-common?


I'm fine with 'common'. Ticket 4058 calls for a sub-package for the CA too,
so my idea was to create a 'core' package which will be gradually reduced
more and more.


Well, I don't like the fact that in order to install IPA server
without DNS you have to install freeipa-server-core instead of just
freeipa-server. Fedora packaging guidelines [1] state that the
metapackage should be named freeipa-server-compat, so I guess
renaming
freeipa-server to freeipa-server-compat and freeipa-server-core to
freeipa-server is good enough.

I think you are misunderstanding what the guidelines say. A -compat
subpackage is something that only contains Requires: and Obsoletes:,
to help pull in the right packages. It is not supposed to be a
full-featured package with content.


With Petr's patch, freeipa-server is exactly that - a metapackage with
requires and obsoletes only - hence my suggestion to rename it
according to
the guidelines.

That's not good.


I think we are good enough with freeipa-server-dns. We have the same
situation with freeipa-server-trust-ad -- it is not required by the
main
package and pulls in Samba-related bits. We also don't have any
-compat
or metapackage for it.


freeipa-server-dns is fine; what is IMO not fine is that it *is*
required by the main freeipa-server package, *unlike* freeipa-server-trust-ad.

We don't have a compat metapackage for freeipa-server-trust-ad, because
there are no upgrade issues with it, which is what Petr is trying to
solve
with his patch.

So, the issue is that for an installed bind+bind-dyndb-ldap combination we
need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
modifying the main freeipa package we could modify the bind-dyndb-ldap package
to require bind-pkcs11 and the corresponding bits of the freeipa packages?


Unfortunately, no.
- bind-dyndb-ldap itself is used & supported even without FreeIPA.
- bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
provider)
=> upgrade could break non-FreeIPA installations.

I'm attempting to rework the patch now, stay tuned.


Apparently this thread was abandoned during my PTO, so I'm sending a new
patch here. It includes the -compat package and works with YUM and DNF.


I don't like that freeipa-server got renamed to freeipa-server-core, but I
won't push against it if Alexander and others (CCing Simo) are OK with it.


For the record, I was not able to make it work without the rename.


My opinion is that if we run dnf install freeipa-server, then we need to get
freeipa server packages.
If this is what happens I am ok with the patches, otherwise I am not.


Without the patch, "dnf install freeipa-server" installs freeipa 
server without DNS dependencies.


With the first version of the patch, "dnf install freeipa-server" 
installs freeipa server with all DNS dependencies. To install freeipa 
server without DNS dependencies, you need to run "dnf install 
freeipa-server-core". (Note that with this patch freeipa-server is a 
meta-package with no files.)


With the second version of the patch, "dnf install freeipa-server" 
fails, because there is no freeipa-server anymore. To install freeipa 
server without DNS dependencies, you need to run "dnf install 
freeipa-server-core".

Can we do
Provides: freeipa-server
in freeipa-server-compat?
--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
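The exchange above is about how a renamed package, a new -dns sub-package and a -compat metapackage fit together so that both upgrades and a plain "dnf install freeipa-server" behave. The fragment below is an added illustration of that layout written for this page; it is not FreeIPA's spec file. The package names are the ones used in the thread, the summaries and the placement of Provides/Obsoletes are this sketch's own.

```spec
# Added example, not the FreeIPA spec file: a sketch of the package layout the
# thread converges on. Package names are the ones discussed above; summaries
# and everything else here are illustrative.

%package server-core
Summary: IPA server without the integrated DNS server
# The real content (daemons, install scripts, %files) lives in this package.

%package server-dns
Summary: IPA integrated DNS server
Requires: %{name}-server-core = %{version}-%{release}
Requires: bind-dyndb-ldap
Requires: bind-pkcs11

# Pure metapackage as the Fedora guidelines describe it: only
# Requires/Obsoletes/Provides, no payload.
%package server-compat
Summary: Compatibility package that pulls in the IPA server together with DNS
Requires: %{name}-server-core = %{version}-%{release}
Requires: %{name}-server-dns = %{version}-%{release}
# Upgrades: hosts that have the old monolithic freeipa-server installed are
# moved onto this package and so keep receiving the DNS stack.
Obsoletes: %{name}-server < %{version}-%{release}
# New installs: "dnf install freeipa-server" still resolves, to this package.
Provides: %{name}-server = %{version}-%{release}

# An empty %files section is what makes rpmbuild emit the subpackage at all.
%files server-compat
```

With the versioned Provides in place, "dnf install freeipa-server" resolves to the compat metapackage and therefore brings the DNS stack (bind-pkcs11 and bind-dyndb-ldap) with it, which is the behaviour Simo asks for; a server without DNS has to be requested as freeipa-server-core explicitly, which is the trade-off Jan objects to. The fragment does not settle that question, it only shows how the Provides line Alexander proposes would slot into the -compat package.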


Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package

2015-07-15 Thread Jan Cholasta

Dne 15.7.2015 v 19:39 Simo Sorce napsal(a):

- Original Message -

From: "Petr Spacek" 
To: "Jan Cholasta" , freeipa-devel@redhat.com, "Alexander 
Bokovoy" 
Cc: "Simo Sorce" 
Sent: Tuesday, July 14, 2015 10:33:41 AM
Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package

On 14.7.2015 16:29, Jan Cholasta wrote:

Dne 14.7.2015 v 14:33 Petr Spacek napsal(a):

On 2.7.2015 09:56, Petr Spacek wrote:

On 2.7.2015 09:36, Alexander Bokovoy wrote:

On Thu, 02 Jul 2015, Jan Cholasta wrote:

Can this be done without adding server-core?

I'm not aware of such a method (except adding all DNS dependencies
as Requires straight into the freeipa-server package).


Because it's not server core,
it's the whole thing! Or maybe just rename it to server-common?


I'm fine with 'common'. Ticket 4058 calls for a sub-package for the CA too,
so my idea was to create a 'core' package which will be gradually reduced
more and more.


Well, I don't like the fact that in order to install IPA server
without DNS you have to install freeipa-server-core instead of just
freeipa-server. Fedora packaging guidelines [1] state that the
metapackage should be named freeipa-server-compat, so I guess
renaming
freeipa-server to freeipa-server-compat and freeipa-server-core to
freeipa-server is good enough.

I think you are misunderstanding what the guidelines say. A -compat
subpackage is something that only contains Requires: and Obsoletes:,
to help pull in the right packages. It is not supposed to be a
full-featured package with content.


With Petr's patch, freeipa-server is exactly that - a metapackage with
requires and obsoletes only - hence my suggestion to rename it
according to
the guidelines.

That's not good.


I think we are good enough with freeipa-server-dns. We have the same
situation with freeipa-server-trust-ad -- it is not required by the
main
package and pulls in Samba-related bits. We also don't have any
-compat
or metapackage for it.


freeipa-server-dns is fine; what is IMO not fine is that it *is*
required by the main freeipa-server package, *unlike* freeipa-server-trust-ad.

We don't have a compat metapackage for freeipa-server-trust-ad, because
there are no upgrade issues with it, which is what Petr is trying to
solve
with his patch.

So, the issue is that for an installed bind+bind-dyndb-ldap combination we
need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
modifying the main freeipa package we could modify the bind-dyndb-ldap package
to require bind-pkcs11 and the corresponding bits of the freeipa packages?


Unfortunately, no.
- bind-dyndb-ldap itself is used & supported even without FreeIPA.
- bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
provider)
=> upgrade could break non-FreeIPA installations.

I'm attempting to rework the patch now, stay tuned.


Apparently this thread was abandoned during my PTO, so I'm sending a new
patch here. It includes the -compat package and works with YUM and DNF.


I don't like that freeipa-server got renamed to freeipa-server-core, but I
won't push against it if Alexander and others (CCing Simo) are OK with it.


For the record, I was not able to make it work without the rename.


My opinion is that if we run dnf install freeipa-server, then we need to get
freeipa server packages.
If this is what happens I am ok with the patches, otherwise I am not.


Without the patch, "dnf install freeipa-server" installs freeipa server 
without DNS dependencies.


With the first version of the patch, "dnf install freeipa-server" 
installs freeipa server with all DNS dependencies. To install freeipa 
server without DNS dependencies, you need to run "dnf install 
freeipa-server-core". (Note that with this patch freeipa-server is a 
meta-package with no files.)


With the second version of the patch, "dnf install freeipa-server" 
fails, because there is no freeipa-server anymore. To install freeipa 
server without DNS dependencies, you need to run "dnf install 
freeipa-server-core".


--
Jan Cholasta



Re: [Freeipa-devel] Finishing the Community Portal

2015-07-15 Thread Drew Erny
Right now, I'm focusing on deployment of the application. I'm running 
out of time on my internship, so we'll see if I find time in the last 
couple of weeks to add that feature.


On 07/15/2015 04:37 PM, Gabe Alford wrote:
On Wed, Jul 15, 2015 at 2:32 PM, Nathaniel McCallum wrote:


I definitely see both models finding use.


+1

- Original Message -
> Yeah, user creation requires manual intervention; an admin has
to move
> the user from staging to the main user tree.
>
> It could be pretty easily modified to allow totally automated self
> sign-up though
>


Re: [Freeipa-devel] Finishing the Community Portal

2015-07-15 Thread Gabe Alford
On Wed, Jul 15, 2015 at 2:32 PM, Nathaniel McCallum 
wrote:

> I definitely see both models finding use.
>

+1


> - Original Message -
> > Yeah, user creation requires manual intervention; an admin has to move
> > the user from staging to the main user tree.
> >
> > It could be pretty easily modified to allow totally automated self
> > sign-up though
> >
>

Re: [Freeipa-devel] Finishing the Community Portal

2015-07-15 Thread Nathaniel McCallum
I definitely see both models finding use.

- Original Message -
> Yeah, user creation requires manual intervention; an admin has to move
> the user from staging to the main user tree.
> 
> It could be pretty easily modified to allow totally automated self
> sign-up though
> 



Re: [Freeipa-devel] Finishing the Community Portal

2015-07-15 Thread Drew Erny
Yeah, user creation requires manual intervention; an admin has to move 
the user from staging to the main user tree.


It could be pretty easily modified to allow totally automated self 
sign-up though


On 07/15/2015 01:42 PM, Nathaniel McCallum wrote:

I'm pretty excited about this.

As I see it right now user creation requires manual intervention. Is this 
correct?

Is it possible to have a fully automated process where a token is generated and 
mailed to the user to verify their email address?

- Original Message -

Hi, all,

I'm just about finished with the Community Portal, which I've said a
couple of times, but I really mean it this time. The Captcha was the
last technical detail that needed addressing. At this point, any further
programming is going to be dedicated to configuration of the application.

Right now, an organization could deploy the community portal in about a
day, if they had a programmer handy who pulled down my source, changed a
bunch of hard-coded configuration, and stuck it on a server.

This might be acceptable, especially in the first iteration of the
application, but it probably isn't. How do I go about packaging the web
app that I built so that it can be deployed quickly to a server?
Someone off-list, I think, mentioned making it deployable to OpenShift?

Basically, what do I have to do to call this application Finished?

The code is located at github.com/dperny/freeipa-communityportal

Thanks,

Drew Erny



Re: [Freeipa-devel] Finishing the Community Portal

2015-07-15 Thread Nathaniel McCallum
I'm pretty excited about this.

As I see it right now user creation requires manual intervention. Is this 
correct?

Is it possible to have a fully automated process where a token is generated and 
mailed to the user to verify their email address?

- Original Message -
> Hi, all,
> 
> I'm just about finished with the Community Portal, which I've said a
> couple of times, but I really mean it this time. The Captcha was the
> last technical detail that needed addressing. At this point, any further
> programming is going to be dedicated to configuration of the application.
> 
> Right now, an organization could deploy the community portal in about a
> day, if they had a programmer handy who pulled down my source, changed a
> bunch of hard-coded configuration, and stuck it on a server.
> 
> This might be acceptable, especially in the first iteration of the
> application, but it probably isn't. How do I go about packaging the web
> app that I built so that it can be deployed quickly to a server?
> Someone off-list, I think, mentioned making it deployable to OpenShift?
> 
> Basically, what do I have to do to call this application Finished?
> 
> The code is located at github.com/dperny/freeipa-communityportal
> 
> Thanks,
> 
> Drew Erny
> 
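Nathaniel's question above asks for a fully automated flow in which a token is generated and mailed to the user to prove control of the address. The block below is an added illustration of the stateless core of such a flow; it is not code from freeipa-communityportal, and the function names, token layout and the constructed signing key are this example's own choices. It issues an HMAC-signed token that binds an address to an expiry time, and verifies it when the mailed link is followed.

```python
"""Expiring, HMAC-signed e-mail verification tokens.

Added example for the self-sign-up flow discussed in the thread; it is not
code from freeipa-communityportal. Names and the token layout are this
example's own choices.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed for the example: a deployment loads its signing key from
# configuration and rotates it; it never ships a hard-coded key.
SIGNING_KEY = secrets.token_bytes(32)

TOKEN_TTL_SECONDS = 24 * 60 * 60   # how long the e-mailed link stays valid


def b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token survives being put in a URL."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64(text: str) -> bytes:
    """Inverse of b64(); restores the padding the encoder stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(email: str, *, key: bytes = SIGNING_KEY,
               ttl: int = TOKEN_TTL_SECONDS, now: Optional[float] = None) -> str:
    """Issue a token binding `email` to an expiry time; the server keeps no state."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{expires}|{email}".encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64(payload)}.{b64(mac)}"


def verify_token(token: str, *, key: bytes = SIGNING_KEY,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the verified e-mail address, or None for malformed, forged or expired tokens."""
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload, mac = unb64(payload_b64), unb64(mac_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        # Check the MAC before trusting anything inside the payload, and do it
        # in constant time so a mismatch does not leak where it happened.
        if not hmac.compare_digest(mac, expected):
            return None
        expires_text, sep, email = payload.decode("utf-8").partition("|")
        if not sep or not email:
            return None
        expires = int(expires_text)
    except ValueError:   # bad base64, bad UTF-8, missing '.', non-numeric expiry
        return None
    current = time.time() if now is None else now
    if current > expires:
        return None
    return email


if __name__ == "__main__":
    issued = make_token("alice@example.test")
    print("mail this link:", f"https://portal.example.test/verify?t={issued}")
    print("verifies as:", verify_token(issued))
```

A token of this shape needs no server-side table, but it is also not single-use: if the portal must stop a verification link from being replayed after the account is moved out of staging, it records the consumed token (or the account's verified state) and checks that before accepting. The signing key is the whole secret of the scheme; a deployment that rotates keys prefixes the token with a key id so older links can still be checked against the key they were issued under.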


Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package

2015-07-15 Thread Simo Sorce
- Original Message -
> From: "Petr Spacek" 
> To: "Jan Cholasta" , freeipa-devel@redhat.com, 
> "Alexander Bokovoy" 
> Cc: "Simo Sorce" 
> Sent: Tuesday, July 14, 2015 10:33:41 AM
> Subject: Re: [Freeipa-devel] [PATCH 0052] Create server-dns sub-package
> 
> On 14.7.2015 16:29, Jan Cholasta wrote:
> > Dne 14.7.2015 v 14:33 Petr Spacek napsal(a):
> >> On 2.7.2015 09:56, Petr Spacek wrote:
> >>> On 2.7.2015 09:36, Alexander Bokovoy wrote:
>  On Thu, 02 Jul 2015, Jan Cholasta wrote:
> > Can this be done without adding server-core?
>  I'm not aware of such a method (except adding all DNS dependencies
>  as Requires straight into the freeipa-server package).
> 
> > Because it's not server core,
> > it's the whole thing! Or maybe just rename it to server-common?
> 
>  I'm fine with 'common'. Ticket 4058 calls for a sub-package for the CA too,
>  so my idea was to create a 'core' package which will be gradually reduced
>  more and more.
> >>>
> >>> Well, I don't like the fact that in order to install IPA server
> >>> without DNS you have to install freeipa-server-core instead of just
> >>> freeipa-server. Fedora packaging guidelines [1] state that the
> >>> metapackage should be named freeipa-server-compat, so I guess
> >>> renaming
> >>> freeipa-server to freeipa-server-compat and freeipa-server-core to
> >>> freeipa-server is good enough.
> >> I think you are misunderstanding what the guidelines say. A -compat
> >> subpackage is something that only contains Requires: and Obsoletes:,
> >> to help pull in the right packages. It is not supposed to be a
> >> full-featured package with content.
> >
> > With Petr's patch, freeipa-server is exactly that - a metapackage with
> > requires and obsoletes only - hence my suggestion to rename it
> > according to
> > the guidelines.
>  That's not good.
> 
> >> I think we are good enough with freeipa-server-dns. We have the same
> >> situation with freeipa-server-trust-ad -- it is not required by the
> >> main
> >> package and pulls in Samba-related bits. We also don't have any
> >> -compat
> >> or metapackage for it.
> >
> > freeipa-server-dns is fine; what is IMO not fine is that it *is*
> > required by the main freeipa-server package, *unlike* freeipa-server-trust-ad.
> >
> > We don't have a compat metapackage for freeipa-server-trust-ad, because
> > there are no upgrade issues with it, which is what Petr is trying to
> > solve
> > with his patch.
>  So, the issue is that for an installed bind+bind-dyndb-ldap combination we
>  need to switch to bind-pkcs11+bind-dyndb-ldap. Maybe instead of
>  modifying the main freeipa package we could modify the bind-dyndb-ldap package
>  to require bind-pkcs11 and the corresponding bits of the freeipa packages?
> >>>
> >>> Unfortunately, no.
> >>> - bind-dyndb-ldap itself is used & supported even without FreeIPA.
> >>> - bind-pkcs11 depends on properly configured SoftHSM (or other PKCS#11
> >>> provider)
> >>> => upgrade could break non-FreeIPA installations.
> >>>
> >>> I'm attempting to rework the patch now, stay tuned.
> >>
> >> Apparently this thread was abandoned during my PTO, so I'm sending a new
> >> patch here. It includes the -compat package and works with YUM and DNF.
> > 
> > I don't like that freeipa-server got renamed to freeipa-server-core, but I
> > won't push against it if Alexander and others (CCing Simo) are OK with it.
> 
> For the record, I was not able to make it work without the rename.

My opinion is that if we run dnf install freeipa-server, then we need to get
freeipa server packages.
If this is what happens I am ok with the patches, otherwise I am not.

Simo.



Re: [Freeipa-devel] [PATCH 005] otptoken: use ipapython.nsslib instead of Python's ssl module

2015-07-15 Thread Christian Heimes
On 2015-07-07 18:40, Christian Heimes wrote:
> Hello,
> 
> the patch removes the dependency on Python's ssl module and
> python-backports-ssl_match_hostname.
> 
> https://fedorahosted.org/freeipa/ticket/5068
> 
> Open question
> -
> Is paths.IPA_NSSDB_DIR the correct NSSDB?

My patch hasn't been processed since last week. Can somebody have a
look, please?

Christian





Re: [Freeipa-devel] Sync useradd from IPA to AD

2015-07-15 Thread Rich Megginson

On 07/15/2015 09:42 AM, Email wrote:
Hi everyone, my name is Tony and this is my first post, so it's nice 
to meet all of you.  I've been tasked with creating an AD and FreeIPA 
environment, and I'm looking into the sync between the two.  It looks 
like creating a user in AD causes that user to be created in IPA, but 
not the other way around.  But if I create them in IPA they will not 
be auto created in AD.  I'm wondering why this is.


This is intentional.  If you are using FreeIPA and windows sync, it is 
assumed you want AD to be the provisioning system for new users, and not 
FreeIPA.


I would seriously consider using trusts instead of windows sync.

See section 8.1 of the fedora documentation as a reference. 


Link please?  We may need to clarify the language.


Thanks in advance!

~Tony






[Freeipa-devel] Sync useradd from IPA to AD

2015-07-15 Thread Email
Hi everyone, my name is Tony and this is my first post, so it's nice to
meet all of you.  I've been tasked with creating an AD and FreeIPA
environment, and I'm looking into the sync between the two.  It looks like
creating a user in AD causes that user to be created in IPA, but not the
other way around.  But if I create them in IPA they will not be auto
created in AD.  I'm wondering why this is.  See section 8.1 of the fedora
documentation as a reference.  Thanks in advance!

~Tony

Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues

2015-07-15 Thread Martin Basti

On 15/07/15 18:01, Alexander Bokovoy wrote:

On Wed, 15 Jul 2015, Martin Basti wrote:
Moved files temporarily exist without a proper SELinux context, which
causes issues when a running SSSD/ntpd tries to work with the files.


https://fedorahosted.org/freeipa/ticket/4923

Patch attached.

--
Martin Basti




From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 15 Jul 2015 16:20:59 +0200
Subject: [PATCH] sysrestore: copy files instead of moving them to avoid
SELinux issues

Copying files restores SELinux context.

https://fedorahosted.org/freeipa/ticket/4923
---
ipapython/sysrestore.py | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py
index 
c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 
100644

--- a/ipapython/sysrestore.py
+++ b/ipapython/sysrestore.py
@@ -186,12 +186,12 @@ class FileStore:
if new_path is not None:
path = new_path

-shutil.move(backup_path, path)
+shutil.copy(backup_path, path)  # SELinux needs copy
+os.remove(backup_path)
+
os.chown(path, int(uid), int(gid))
os.chmod(path, int(mode))

-tasks.restore_context(path)
-

Please keep the restorecon calls because we might have a case where the old label
was wrong in the backup.



del self.files[filename]
self.save()

@@ -217,12 +217,12 @@ class FileStore:
root_logger.debug("  -> Not restoring - '%s' doesn't 
exist", backup_path)

continue

-shutil.move(backup_path, path)
+shutil.copy(backup_path, path)  # SELinux needs copy
+os.remove(backup_path)
+
os.chown(path, int(uid), int(gid))
os.chmod(path, int(mode))

-tasks.restore_context(path)
-

Same here.



Sorry, I don't get it.
The label is not copied from backup_file.
I changed the SELinux context, then copied it to the original location, and the
context was restored when the file did not exist.


Do you mean the case when the target file has a different label than it should
have?


Martin^2



Re: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema

2015-07-15 Thread Petr Spacek
On 15.7.2015 17:39, Martin Basti wrote:
> On 15/07/15 17:38, Petr Spacek wrote:
>> On 15.7.2015 17:33, Martin Basti wrote:
>>> On 15/07/15 16:03, Martin Basti wrote:
 On 15/07/15 15:39, Petr Vobornik wrote:
> On 07/15/2015 02:42 PM, Martin Basti wrote:
>> Patch attached.
>>
>>   https://fedorahosted.org/freeipa/ticket/4934
>>   https://fedorahosted.org/freeipa/ticket/5055
>>
> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a 
> plan
> to use them? Can't we just not use unsupported records in LDAPSearch'?
> (which would fix #5055)
 I had a discussion with Petr2, and we decided to do it this way, because
 these records are valid.

 Removing unsupported records from search changes the behavior of the DNS
 commands. Now IPA shows even unsupported records which cannot be modified 
 by
 API. AFAIK we want to keep this behavior.

>>> Updated patch attached.
>>>
>>> I forgot to remove DNSKEY from object class definition.
>> Are you 100 % sure that it will not break on upgrade? Please double-check 
>> that
>> with Thierry.
>>
> It was my change before we decided that DNSKEY should not be there; it is not
> in the git repo.

I see, okay.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues

2015-07-15 Thread Alexander Bokovoy

On Wed, 15 Jul 2015, Martin Basti wrote:
Moved files temporarily exist without a proper SELinux context, which
causes issues when a running SSSD/ntpd tries to work with the files.


https://fedorahosted.org/freeipa/ticket/4923

Patch attached.

--
Martin Basti




From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 15 Jul 2015 16:20:59 +0200
Subject: [PATCH] sysrestore: copy files instead of moving them to avoid
SELinux issues

Copying files restores SELinux context.

https://fedorahosted.org/freeipa/ticket/4923
---
ipapython/sysrestore.py | 12 ++--
1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py
index 
c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899
 100644
--- a/ipapython/sysrestore.py
+++ b/ipapython/sysrestore.py
@@ -186,12 +186,12 @@ class FileStore:
if new_path is not None:
path = new_path

-shutil.move(backup_path, path)
+shutil.copy(backup_path, path)  # SELinux needs copy
+os.remove(backup_path)
+
os.chown(path, int(uid), int(gid))
os.chmod(path, int(mode))

-tasks.restore_context(path)
-

Please keep the restorecon calls because we might have a case where the old label
was wrong in the backup.



del self.files[filename]
self.save()

@@ -217,12 +217,12 @@ class FileStore:
root_logger.debug("  -> Not restoring - '%s' doesn't exist", 
backup_path)
continue

-shutil.move(backup_path, path)
+shutil.copy(backup_path, path)  # SELinux needs copy
+os.remove(backup_path)
+
os.chown(path, int(uid), int(gid))
os.chmod(path, int(mode))

-tasks.restore_context(path)
-

Same here.

--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH 0286] Sysrestore: copy files instead of moving them to avoid SELinux issues

2015-07-15 Thread Martin Basti
Moved files temporarily exist without a proper SELinux context, which
causes issues when a running SSSD/ntpd tries to work with the files.


https://fedorahosted.org/freeipa/ticket/4923

Patch attached.

--
Martin Basti

From a86424429eea3bede519284e2d986c4fad8755f8 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 15 Jul 2015 16:20:59 +0200
Subject: [PATCH] sysrestore: copy files instead of moving them to avoid
 SELinux issues

Copying files restores SELinux context.

https://fedorahosted.org/freeipa/ticket/4923
---
 ipapython/sysrestore.py | 12 ++--
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/ipapython/sysrestore.py b/ipapython/sysrestore.py
index c058ff7c04d4604ba96c2a4ece68d476b5b6491f..354897240b542c2671b662a4fdad1a089652f899 100644
--- a/ipapython/sysrestore.py
+++ b/ipapython/sysrestore.py
@@ -186,12 +186,12 @@ class FileStore:
 if new_path is not None:
 path = new_path
 
-shutil.move(backup_path, path)
+shutil.copy(backup_path, path)  # SELinux needs copy
+os.remove(backup_path)
+
 os.chown(path, int(uid), int(gid))
 os.chmod(path, int(mode))
 
-tasks.restore_context(path)
-
 del self.files[filename]
 self.save()
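Review bot: the two removed lines `-tasks.restore_context(path)` / `-` at the end of this hunk drop the relabel that the copy does not replace. `shutil.copy(backup_path, path)` opens an existing target for writing, so the target keeps its inode and with it whatever SELinux label it already carries; only when `path` does not exist does the new file get the parent directory's default label, and that default is not necessarily what the file_contexts policy says this particular path should have. The copy closes the window the commit message describes (a moved file briefly carrying the backup's label), but it cannot correct a target that was already mislabeled, so keep `tasks.restore_context(path)` after `os.chmod(path, int(mode))`.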
 
@@ -217,12 +217,12 @@ class FileStore:
 root_logger.debug("  -> Not restoring - '%s' doesn't exist", backup_path)
 continue
 
-shutil.move(backup_path, path)
+shutil.copy(backup_path, path)  # SELinux needs copy
+os.remove(backup_path)
+
 os.chown(path, int(uid), int(gid))
 os.chmod(path, int(mode))
 
-tasks.restore_context(path)
-
 	#force file to be deleted
 self.files = {}
 self.save()
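Review bot: this hunk repeats the copy/remove/chown/chmod sequence from `restore_file` inside the `restore_all_files` loop, with the same `-tasks.restore_context(path)` removal. Factor the restore steps into one helper used by both methods, with the relabel call inside it, so that the two restore paths cannot drift apart the way they would if only one of them later gets the relabel back.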
-- 
2.4.3

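The review exchange above comes down to what the copy does to the target file compared with the move it replaces. The block below is an added demonstration written for this page, not FreeIPA code; the file names are constructed and the functions are this example's own. It runs both restore strategies against a temporary target/backup pair and reports whether the target kept its inode, which on an SELinux system is what decides whether it also kept its label.

```python
"""Move vs. copy when restoring a backed-up file: what happens to the target inode.

Added example for the sysrestore discussion; not FreeIPA code. File names are
constructed for the demonstration.
"""
import os
import shutil
import tempfile
from typing import Callable, Optional


def restore_by_move(backup_path: str, path: str) -> None:
    """Pre-patch behaviour: rename the backup over the target (new inode at `path`)."""
    shutil.move(backup_path, path)


def restore_by_copy(backup_path: str, path: str) -> None:
    """Patched behaviour: write the backup's bytes into the target, then drop the backup."""
    shutil.copy(backup_path, path)   # truncates and rewrites the existing inode
    os.remove(backup_path)


def selinux_label(path: str) -> Optional[str]:
    """Return the file's SELinux label, or None where xattrs/SELinux are unavailable."""
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except OSError:
        return None


def target_inode_preserved(restore: Callable[[str, str], None]) -> bool:
    """Run `restore` on a constructed target/backup pair in a scratch directory
    and report whether the target kept its inode."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "krb5.conf")                # constructed target
        backup_path = os.path.join(tmp, "krb5.conf.ipabkp")  # constructed backup
        with open(path, "w") as f:
            f.write("current contents\n")
        with open(backup_path, "w") as f:
            f.write("backed-up contents\n")
        before = os.stat(path).st_ino
        restore(backup_path, path)
        after = os.stat(path).st_ino
        with open(path) as f:
            restored = f.read()
        # Both strategies must leave the backup's content in place and no backup file.
        if restored != "backed-up contents\n" or os.path.exists(backup_path):
            raise RuntimeError("restore did not produce the expected result")
        return before == after


if __name__ == "__main__":
    for name, fn in (("move", restore_by_move), ("copy", restore_by_copy)):
        print(f"{name}: target inode preserved = {target_inode_preserved(fn)}")
```

With the move, the file that ends up at the target path is the backup's inode, carrying whatever label the backup had until a relabel runs; that is the window Martin's report describes. With the copy, the target's inode and label survive, which removes the window but also means a target whose label was already wrong stays wrong, which is why a relabel step still belongs in the restore path. On an SELinux host, `selinux_label()` before and after each strategy shows the difference directly; elsewhere it returns None.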

Re: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema

2015-07-15 Thread Martin Basti

On 15/07/15 17:38, Petr Spacek wrote:

On 15.7.2015 17:33, Martin Basti wrote:

On 15/07/15 16:03, Martin Basti wrote:

On 15/07/15 15:39, Petr Vobornik wrote:

On 07/15/2015 02:42 PM, Martin Basti wrote:

Patch attached.

  https://fedorahosted.org/freeipa/ticket/4934
  https://fedorahosted.org/freeipa/ticket/5055


Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a plan
to use them? Can't we just not use unsupported records in LDAPSearch'?
(which would fix #5055)

I had a discussion with Petr2, and we decided to do it this way, because these
records are valid.

Removing unsupported records from search changes the behavior of the DNS
commands. Now IPA shows even unsupported records which cannot be modified by
API. AFAIK we want to keep this behavior.


Updated patch attached.

I forgot to remove DNSKEY from object class definition.

Are you 100 % sure that it will not break on upgrade? Please double-check that
with Thierry.

It was my change before we decided that DNSKEY should not be there; it
is not in the git repo.


--
Martin Basti



Re: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema

2015-07-15 Thread Petr Spacek
On 15.7.2015 17:33, Martin Basti wrote:
> On 15/07/15 16:03, Martin Basti wrote:
>> On 15/07/15 15:39, Petr Vobornik wrote:
>>> On 07/15/2015 02:42 PM, Martin Basti wrote:
 Patch attached.

  https://fedorahosted.org/freeipa/ticket/4934
  https://fedorahosted.org/freeipa/ticket/5055

>>>
>>> Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a plan
>>> to use them? Can't we just not use unsupported records in LDAPSearch'?
>>> (which would fix #5055)
>> I had a discussion with Petr2, and we decided to do it this way, because these
>> records are valid.
>>
>> Removing unsupported records from search changes the behavior of the DNS
>> commands. Now IPA shows even unsupported records which cannot be modified by
>> API. AFAIK we want to keep this behavior.
>>
> Updated patch attached.
> 
> I forgot to remove DNSKEY from object class definition.

Are you 100 % sure that it will not break on upgrade? Please double-check that
with Thierry.

-- 
Petr^2 Spacek



Re: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema

2015-07-15 Thread Martin Basti

On 15/07/15 16:03, Martin Basti wrote:

On 15/07/15 15:39, Petr Vobornik wrote:

On 07/15/2015 02:42 PM, Martin Basti wrote:

Patch attached.

 https://fedorahosted.org/freeipa/ticket/4934
 https://fedorahosted.org/freeipa/ticket/5055



Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there 
a plan to use them? Can't we just not use unsupported records in 
LDAPSearch'? (which would fix #5055)
I had a discussion with Petr2, and we decided to do it this way, because
these records are valid.


Removing unsupported records from search changes the behavior of the 
DNS commands. Now IPA shows even unsupported records which cannot be 
modified by API. AFAIK we want to keep this behavior.



Updated patch attached.

I forgot to remove DNSKEY from object class definition.

--
Martin Basti

From 77e3469cd08ea4fc8c1471c924964404ff9364a9 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 15 Jul 2015 09:44:07 +0200
Subject: [PATCH] DNS: Consolidate DNS RR types in API and schema

* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
These records never worked; they don't have attributes in the schema.
TSIG and TKEY are meta-RRs and should not be in LDAP.
TA is not supported by BIND.
NSEC3 and DNSKEY are DNSSEC records generated by BIND and should not be
in LDAP.
*! SIG and NSEC are already defined in the schema and must stay in the API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
These records are already defined in the LDAP schema.

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
These records were defined in the IPA API as unsupported, but the schema
definition was missing. Because of this, the ACI could not be created for
these records and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055
---
 ACI.txt   |   4 +-
 API.txt   |  28 ++--
 VERSION   |   4 +-
 install/share/60ipadns.ldif   |   8 +++-
 install/share/dns.ldif|   2 +-
 install/updates/40-dns.update |   4 +-
 ipalib/plugins/dns.py | 101 ++
 7 files changed, 71 insertions(+), 80 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 76a7ff70e27c032bdd8fa26e076271e02b23d3b3..60607b98deb74d0b7f45d24ee9359b0cf8162b0d 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -61,13 +61,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example";)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownr
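Review bot: only the "System: Read DNS Entries" change is reviewable in this hunk: the header counts two modified `aci:` lines but the `+aci:` line is cut off at `unknownr` and the second changed line never appears, so the write side of the change cannot be checked from this copy. The visible part adds aplrecord, dhcidrecord, hiprecord, ipseckeyrecord, rprecord and spfrecord to the read grant, which the commit message classes as "unsupported" by the API; please say explicitly in the commit message that these six types are intentionally readable but not manageable, and confirm ACI.txt was regenerated from the permission definitions in dns.py (the diffstat shows dns.py changing too) rather than edited by hand.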

Re: [Freeipa-devel] [PATCH 0048] separate module to handle installation of AD trust related functionality

2015-07-15 Thread Martin Babinsky

On 07/15/2015 04:19 PM, Martin Babinsky wrote:

On 07/15/2015 04:05 PM, Jan Cholasta wrote:

Dne 15.7.2015 v 16:02 Martin Babinsky napsal(a):

During investigation of https://fedorahosted.org/freeipa/ticket/3993 I
have realized that I can do some guerilla ref*ctoring and move the guts
of `ipa-adtrust-install` to a separate module, as we did with CA, KRA, DNS
and friends.


+1



I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the
commit message, is it OK even if we formally closed the ticket?



To quote the last comment in the ticket: "Please open tickets for
missing functionality that you depend on."



Attaching updated patch with the link to #4468 removed from commit message.

Git's copy/rename detection can confuse people. That's why I am 
attaching a patch generated without passing '-M' and '-C' options to 
'git format-patch'.


--
Martin^3 Babinsky
From 4177fd6b1ec692b40ab3f9a6b28f201d8f5e16e0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 15 Jul 2015 15:44:19 +0200
Subject: [PATCH] separate module to handle installation of AD trust related
 functionality

This patch is part of the installer rewrite effort. It also sets the stage for
implementing uninstallation logic into 'ipa-adtrust-install'.

https://fedorahosted.org/freeipa/ticket/3993
---
 install/tools/ipa-adtrust-install | 377 +--
 ipaserver/install/adtrust.py  | 399 ++
 2 files changed, 402 insertions(+), 374 deletions(-)
 create mode 100644 ipaserver/install/adtrust.py

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5340c31d16ed78da0cb39725d9ae93c76470b698..a33c0f6cfdcad91a94419918cf30b41c17088c0a 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -21,7 +21,7 @@
 # along with this program.  If not, see .
 #
 
-from ipaserver.install import adtrustinstance
+from ipaserver.install import adtrust
 from ipaserver.install.installutils import *
 from ipaserver.install import service
 from ipapython import version
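Review bot: the import switches from `adtrustinstance` to `adtrust`, but the code removed in the next hunk still calls `adtrustinstance.check_netbios_name`, so the new adtrust.py must import `adtrustinstance` itself (or wrap the check), otherwise NetBIOS validation silently disappears. The wildcard `from ipaserver.install.installutils import *` also stays and hides that `read_password`, used by the moved `read_admin_password`, comes from installutils; suggest explicit imports in the new module, e.g. `from ipaserver.install.installutils import read_password`.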
@@ -73,140 +73,6 @@ def parse_options():
 
 return safe_options, options
 
-def netbios_name_error(name):
-print "\nIllegal NetBIOS name [%s].\n" % name
-print "Up to 15 characters and only uppercase ASCII letter and digits are allowed."
-
-def read_netbios_name(netbios_default):
-netbios_name = ""
-
-print "Enter the NetBIOS name for the IPA domain."
-print "Only up to 15 uppercase ASCII letters and digits are allowed."
-print "Example: EXAMPLE."
-print ""
-print ""
-if not netbios_default:
-netbios_default = "EXAMPLE"
-while True:
-netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
-print ""
-if adtrustinstance.check_netbios_name(netbios_name):
-break
-
-netbios_name_error(netbios_name)
-
-return netbios_name
-
-def read_admin_password(admin_name):
-print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
-print "This user is a regular system account used for IPA server administration."
-print ""
-admin_password = read_password(admin_name, confirm=False, validate=None)
-return admin_password
-
-def set_and_check_netbios_name(netbios_name, unattended):
-"""
-Depending if trust in already configured or not a given NetBIOS domain
-name must be handled differently.
-
-If trust is not configured the given NetBIOS is used or the NetBIOS is
-generated if none was given on the command line.
-
-If trust is  already configured the given NetBIOS name is used to reset
-the stored NetBIOS name it it differs from the current one.
-"""
-
-flat_name_attr = 'ipantflatname'
-cur_netbios_name = None
-gen_netbios_name = None
-reset_netbios_name = False
-entry = None
-
-try:
-entry = api.Backend.ldap2.get_entry(
-DN(('cn', api.env.domain), api.env.container_cifsdomains,
-   ipautil.realm_to_suffix(api.env.realm)),
-[flat_name_attr])
-except errors.NotFound:
-# trust not configured
-pass
-else:
-cur_netbios_name = entry.get(flat_name_attr)[0]
-
-if cur_netbios_name and not netbios_name:
-# keep the current NetBIOS name
-netbios_name = cur_netbios_name
-reset_netbios_name = False
-elif cur_netbios_name and cur_netbios_name != netbios_name:
-# change the NetBIOS name
-print "Current NetBIOS domain name is %s, new name is %s.\n" % \
-  (cur_netbios_name, netbios_name)
-print "Please note that changing the NetBIOS name might " \
-  "break existing trust relationships."
-if unattended:
-reset_netbios_name = True
-print "NetBIOS domain name will be changed to %s.\n" % \
-  netbios_name
-   
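Review bot: in the removed `set_and_check_netbios_name`, the unattended branch sets `reset_netbios_name = True` and only prints "NetBIOS domain name will be changed to %s" right after the warning that the change "might break existing trust relationships"; when this lands in adtrust.py, emit that at warning level through the logger rather than a bare `print`, and state in the commit message that unattended mode renames the NetBIOS domain without confirmation. While moving the function, also drop `gen_netbios_name = None`, which is assigned but never read in the visible part of the body.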

Re: [Freeipa-devel] [PATCH 0048] separate module to handle installation of AD trust related functionality

2015-07-15 Thread Martin Babinsky

On 07/15/2015 04:05 PM, Jan Cholasta wrote:

Dne 15.7.2015 v 16:02 Martin Babinsky napsal(a):

During investigation of https://fedorahosted.org/freeipa/ticket/3993 I
have realized that I can do some guerilla ref*ctoring and move the guts
of `ipa-adtrust-install` to a separate module, as we did with CA, KRA, DNS
and friends.


+1



I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the
commit message, is it OK even if we formally closed the ticket?



To quote the last comment in the ticket: "Please open tickets for
missing functionality that you depend on."



Attaching updated patch with the link to #4468 removed from commit message.

--
Martin^3 Babinsky
From 71d58b685d7ba3050e6d390a9b2d2f94c866fc24 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 15 Jul 2015 15:44:19 +0200
Subject: [PATCH] separate module to handle installation of AD trust related
 functionality

This patch is part of the installer rewrite effort. It also sets the stage for
implementing uninstallation logic into 'ipa-adtrust-install'.

https://fedorahosted.org/freeipa/ticket/3993
---
 install/tools/ipa-adtrust-install  | 377 +
 .../install/adtrust.py | 109 +-
 2 files changed, 10 insertions(+), 476 deletions(-)
 copy install/tools/ipa-adtrust-install => ipaserver/install/adtrust.py (78%)
 mode change 100755 => 100644

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5340c31d16ed78da0cb39725d9ae93c76470b698..a33c0f6cfdcad91a94419918cf30b41c17088c0a 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -21,7 +21,7 @@
 # along with this program.  If not, see .
 #
 
-from ipaserver.install import adtrustinstance
+from ipaserver.install import adtrust
 from ipaserver.install.installutils import *
 from ipaserver.install import service
 from ipapython import version
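Review bot: `adtrustinstance` is dropped from the script here while the functions removed in the next hunk (`read_netbios_name`) still reference `adtrustinstance.check_netbios_name`; the diffstat reports a 78% copy into ipaserver/install/adtrust.py, so make sure that copy carries its own `adtrustinstance` import instead of inheriting it through `from ipaserver.install.installutils import *`, which should become an explicit import list in the module.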
@@ -73,140 +73,6 @@ def parse_options():
 
 return safe_options, options
 
-def netbios_name_error(name):
-print "\nIllegal NetBIOS name [%s].\n" % name
-print "Up to 15 characters and only uppercase ASCII letter and digits are allowed."
-
-def read_netbios_name(netbios_default):
-netbios_name = ""
-
-print "Enter the NetBIOS name for the IPA domain."
-print "Only up to 15 uppercase ASCII letters and digits are allowed."
-print "Example: EXAMPLE."
-print ""
-print ""
-if not netbios_default:
-netbios_default = "EXAMPLE"
-while True:
-netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
-print ""
-if adtrustinstance.check_netbios_name(netbios_name):
-break
-
-netbios_name_error(netbios_name)
-
-return netbios_name
-
-def read_admin_password(admin_name):
-print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
-print "This user is a regular system account used for IPA server administration."
-print ""
-admin_password = read_password(admin_name, confirm=False, validate=None)
-return admin_password
-
-def set_and_check_netbios_name(netbios_name, unattended):
-"""
-Depending if trust in already configured or not a given NetBIOS domain
-name must be handled differently.
-
-If trust is not configured the given NetBIOS is used or the NetBIOS is
-generated if none was given on the command line.
-
-If trust is  already configured the given NetBIOS name is used to reset
-the stored NetBIOS name it it differs from the current one.
-"""
-
-flat_name_attr = 'ipantflatname'
-cur_netbios_name = None
-gen_netbios_name = None
-reset_netbios_name = False
-entry = None
-
-try:
-entry = api.Backend.ldap2.get_entry(
-DN(('cn', api.env.domain), api.env.container_cifsdomains,
-   ipautil.realm_to_suffix(api.env.realm)),
-[flat_name_attr])
-except errors.NotFound:
-# trust not configured
-pass
-else:
-cur_netbios_name = entry.get(flat_name_attr)[0]
-
-if cur_netbios_name and not netbios_name:
-# keep the current NetBIOS name
-netbios_name = cur_netbios_name
-reset_netbios_name = False
-elif cur_netbios_name and cur_netbios_name != netbios_name:
-# change the NetBIOS name
-print "Current NetBIOS domain name is %s, new name is %s.\n" % \
-  (cur_netbios_name, netbios_name)
-print "Please note that changing the NetBIOS name might " \
-  "break existing trust relationships."
-if unattended:
-reset_netbios_name = True
-print "NetBIOS domain name will be changed to %s.\n" % \
-  netbios_name
-else:
-print "Say 'yes' if the NetBIOS shall be changed and " \
-  "'no' if the old one shall be kept."
-reset_netbios
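Review bot: the docstring of the removed `set_and_check_netbios_name` reads "Depending if trust in already configured" and "it it differs from the current one"; since the function is being moved into a library module, fix the typos on the way ("Depending on whether a trust is already configured", "if it differs"). Style: the keyword arguments `allow_empty = False` in `read_netbios_name` use spaces around `=`, against PEP 8, and the `print` statements mixed with `%` formatting would be easier to route through the installer's logger once they live in adtrust.py.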

Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-15 Thread David Kupka

On 15/07/15 15:34, Jan Cholasta wrote:

Dne 15.7.2015 v 15:21 David Kupka napsal(a):

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)



3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.

Without this patch you will get an error page.


NACK, you are calling do_bind with wrong arguments.


Updated patch attached.

--
David Kupka
From 43d8cc79283e9cbead102bd1415ad4107f65df11 Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 15 Jul 2015 14:55:28 +0200
Subject: [PATCH] Do not use anonymous bind in migration UI.

https://fedorahosted.org/freeipa/ticket/4953
---
 install/migration/migration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/migration/migration.py b/install/migration/migration.py
index b629b1c9ff7bd58f1ea64e4c2b2433428a939f28..4e92794e3bb386bbd9dd80e7123bfb63f2fa8dc4 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -51,7 +51,7 @@ def get_base_dn(ldap_uri):
 """
 try:
 conn = IPAdmin(ldap_uri=ldap_uri)
-conn.do_simple_bind(DN(), '')
+conn.do_bind()
 base_dn = get_ipa_basedn(conn)
 except Exception, e:
 root_logger.error('migration context search failed: %s' % e)
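Review bot: `conn.do_bind()` with no arguments leaves the bind identity entirely to IPAdmin's defaults, which are not visible here; the commit message should state which identity the migration web context binds as and why it may read the base DN, since the whole point of the change is to stop depending on anonymous bind. The `except Exception, e:` below still folds a bind failure into the generic "migration context search failed" message, so a missing or expired credential will look like a search problem; suggest binding outside that `try` or including `type(e).__name__` in the log line.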
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0048] separate module to handle installation of AD trust related functionality

2015-07-15 Thread Jan Cholasta

Dne 15.7.2015 v 16:02 Martin Babinsky napsal(a):

During investigation of https://fedorahosted.org/freeipa/ticket/3993 I
have realized that I can do some guerilla ref*ctoring and move the guts
of `ipa-adtrust-install` to a separate module, as we did with CA, KRA, DNS
and friends.


+1



I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the
commit message, is it OK even if we formally closed the ticket?



To quote the last comment in the ticket: "Please open tickets for 
missing functionality that you depend on."


--
Jan Cholasta



Re: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema

2015-07-15 Thread Martin Basti

On 15/07/15 15:39, Petr Vobornik wrote:

On 07/15/2015 02:42 PM, Martin Basti wrote:

Patch attached.

 https://fedorahosted.org/freeipa/ticket/4934
 https://fedorahosted.org/freeipa/ticket/5055



Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a 
plan to use them? Can't we just not use unsupported records in 
LDAPSearch'? (which would fix #5055)
I had a discussion with Petr2, and we decided to do it this way, because
these records are valid.


Removing unsupported records from search changes the behavior of the DNS 
commands. Now IPA shows even unsupported records which cannot be 
modified by API. AFAIK we want to keep this behavior.


--
Martin Basti



[Freeipa-devel] [PATCH 0048] separate module to handle installation of AD trust related functionality

2015-07-15 Thread Martin Babinsky
During investigation of https://fedorahosted.org/freeipa/ticket/3993 I 
have realized that I can do some guerilla ref*ctoring and move the guts 
of `ipa-adtrust-install` to a separate module, as we did with CA, KRA, DNS
and friends.


I have put a link to https://fedorahosted.org/freeipa/ticket/4468 to the 
commit message, is it OK even if we formally closed the ticket?


--
Martin^3 Babinsky
From 17b6098981d764d776c5ed19be5697cdb46620ba Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 15 Jul 2015 15:44:19 +0200
Subject: [PATCH] separate module to handle installation of AD trust related
 functionality

This patch is part of the installer rewrite effort. It also sets the stage for
implementing uninstallation logic into 'ipa-adtrust-install'.

https://fedorahosted.org/freeipa/ticket/4468
https://fedorahosted.org/freeipa/ticket/3993
---
 install/tools/ipa-adtrust-install  | 377 +
 .../install/adtrust.py | 109 +-
 2 files changed, 10 insertions(+), 476 deletions(-)
 copy install/tools/ipa-adtrust-install => ipaserver/install/adtrust.py (78%)
 mode change 100755 => 100644

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index 5340c31d16ed78da0cb39725d9ae93c76470b698..a33c0f6cfdcad91a94419918cf30b41c17088c0a 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -21,7 +21,7 @@
 # along with this program.  If not, see .
 #
 
-from ipaserver.install import adtrustinstance
+from ipaserver.install import adtrust
 from ipaserver.install.installutils import *
 from ipaserver.install import service
 from ipapython import version
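Review bot: with the script now importing `adtrust` only, check the rest of ipa-adtrust-install for `adtrustinstance.` references beyond the removed hunk; the diffstat reports 377 lines changed in this file, so there is more than the two visible hunks, and a leftover reference would only fail at runtime on that code path. The wildcard import from installutils on the next line should become explicit in the new module.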
@@ -73,140 +73,6 @@ def parse_options():
 
 return safe_options, options
 
-def netbios_name_error(name):
-print "\nIllegal NetBIOS name [%s].\n" % name
-print "Up to 15 characters and only uppercase ASCII letter and digits are allowed."
-
-def read_netbios_name(netbios_default):
-netbios_name = ""
-
-print "Enter the NetBIOS name for the IPA domain."
-print "Only up to 15 uppercase ASCII letters and digits are allowed."
-print "Example: EXAMPLE."
-print ""
-print ""
-if not netbios_default:
-netbios_default = "EXAMPLE"
-while True:
-netbios_name = ipautil.user_input("NetBIOS domain name", netbios_default, allow_empty = False)
-print ""
-if adtrustinstance.check_netbios_name(netbios_name):
-break
-
-netbios_name_error(netbios_name)
-
-return netbios_name
-
-def read_admin_password(admin_name):
-print "Configuring cross-realm trusts for IPA server requires password for user '%s'." % (admin_name)
-print "This user is a regular system account used for IPA server administration."
-print ""
-admin_password = read_password(admin_name, confirm=False, validate=None)
-return admin_password
-
-def set_and_check_netbios_name(netbios_name, unattended):
-"""
-Depending if trust in already configured or not a given NetBIOS domain
-name must be handled differently.
-
-If trust is not configured the given NetBIOS is used or the NetBIOS is
-generated if none was given on the command line.
-
-If trust is  already configured the given NetBIOS name is used to reset
-the stored NetBIOS name it it differs from the current one.
-"""
-
-flat_name_attr = 'ipantflatname'
-cur_netbios_name = None
-gen_netbios_name = None
-reset_netbios_name = False
-entry = None
-
-try:
-entry = api.Backend.ldap2.get_entry(
-DN(('cn', api.env.domain), api.env.container_cifsdomains,
-   ipautil.realm_to_suffix(api.env.realm)),
-[flat_name_attr])
-except errors.NotFound:
-# trust not configured
-pass
-else:
-cur_netbios_name = entry.get(flat_name_attr)[0]
-
-if cur_netbios_name and not netbios_name:
-# keep the current NetBIOS name
-netbios_name = cur_netbios_name
-reset_netbios_name = False
-elif cur_netbios_name and cur_netbios_name != netbios_name:
-# change the NetBIOS name
-print "Current NetBIOS domain name is %s, new name is %s.\n" % \
-  (cur_netbios_name, netbios_name)
-print "Please note that changing the NetBIOS name might " \
-  "break existing trust relationships."
-if unattended:
-reset_netbios_name = True
-print "NetBIOS domain name will be changed to %s.\n" % \
-  netbios_name
-else:
-print "Say 'yes' if the NetBIOS shall be changed and " \
-  "'no' if the old one shall be kept."
-reset_netbios_name = ipautil.user_input(
-'Do you want to reset the NetBIOS domain name?',
-default = False, allow_empty = False)
-if not reset_netbios_name:
-netbios_name = cur_ne
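Review bot: the interactive branch asks "Do you want to reset the NetBIOS domain name?" with `default = False`, so keeping the existing name is the safe default, but the unattended branch above it sets `reset_netbios_name = True` unconditionally after merely printing that the change "might break existing trust relationships". When this moves into adtrust.py, log that rename at warning level and document in the commit message that `--unattended` changes the NetBIOS name without confirmation. Also fix the docstring typos ("trust in already configured", "it it differs") and the `default = False, allow_empty = False` spacing while the code is being relocated.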

Re: [Freeipa-devel] DNS: consolidate RR types in API and LDAP schema

2015-07-15 Thread Petr Vobornik

On 07/15/2015 02:42 PM, Martin Basti wrote:

Patch attached.

 https://fedorahosted.org/freeipa/ticket/4934
 https://fedorahosted.org/freeipa/ticket/5055



Why are you adding RP, APL, IPSEC, DHCID, HIP, SPF records? Is there a 
plan to use them? Can't we just not use unsupported records in 
LDAPSearch'? (which would fix #5055)

--
Petr Vobornik



Re: [Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-15 Thread Jan Cholasta

Dne 15.7.2015 v 15:21 David Kupka napsal(a):

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server
(https://www.freeipa.org/page/Howto/Migration)

2. Disable anonymous bind to Directory Server
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)


3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and
enter name and password of one of the migrated users.

Without this patch you will get an error page.


NACK, you are calling do_bind with wrong arguments.

--
Jan Cholasta



[Freeipa-devel] [PATCH 0057] Do not use anonymous bind in migration UI.

2015-07-15 Thread David Kupka

https://fedorahosted.org/freeipa/ticket/4953

To test this patch:

1. Migrate users from LDAP or other FreeIPA server 
(https://www.freeipa.org/page/Howto/Migration)


2. Disable anonymous bind to Directory Server 
(https://docs.fedoraproject.org/en-US/Fedora/15/html/FreeIPA_Guide/disabling-anon-binds.html)


3. Go to FreeIPA migration page (ipa.example.com/ipa/migration/) and 
enter name and password of one of the migrated users.


Without this patch you will get an error page.

--
David Kupka
From a9c50987842a08eb6928bd662a1db57b85d4b3cd Mon Sep 17 00:00:00 2001
From: David Kupka 
Date: Wed, 15 Jul 2015 14:55:28 +0200
Subject: [PATCH] Do not use anonymous bind in migration UI.

https://fedorahosted.org/freeipa/ticket/4953
---
 install/migration/migration.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/install/migration/migration.py b/install/migration/migration.py
index b629b1c9ff7bd58f1ea64e4c2b2433428a939f28..ec660ba5329193675826cd8ce292034fd33744b5 100644
--- a/install/migration/migration.py
+++ b/install/migration/migration.py
@@ -51,7 +51,7 @@ def get_base_dn(ldap_uri):
 """
 try:
 conn = IPAdmin(ldap_uri=ldap_uri)
-conn.do_simple_bind(DN(), '')
+conn.do_bind(DN(), '')
 base_dn = get_ipa_basedn(conn)
 except Exception, e:
 root_logger.error('migration context search failed: %s' % e)
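Review bot: `conn.do_bind(DN(), '')` passes the same empty DN and empty password that made the old `do_simple_bind` call anonymous, so even if `do_bind` accepted them positionally the result would still be an anonymous bind and the test scenario (anonymous bind disabled on the Directory Server) would still fail; the replacement needs an actual identity. As posted the arguments also do not match `do_bind`'s parameters (see the NACK in this thread), so the call would raise inside the `try` and surface only as "migration context search failed".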
-- 
2.4.3


Re: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation

2015-07-15 Thread Ludwig Krispenz


On 07/15/2015 02:42 PM, Oleg Fayans wrote:

Hi Ludwig,

On 07/15/2015 01:52 PM, Ludwig Krispenz wrote:


On 07/15/2015 01:22 PM, Oleg Fayans wrote:

Hi Ludwig,

On 07/15/2015 12:20 PM, Ludwig Krispenz wrote:

looks like the initial replication is failing:
[15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not 
bind id [cn=replication manager,cn=config] authentication mechanism 
[SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin - 
agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind 
with SIMPLE auth failed: LDAP error 32 (No such object) ()


could you check the access log for ADD and DEL of "cn=replication 
manager,cn=config" on both master and replica,

Here are corresponding lines in access log of master:

[15/Jul/2015:04:45:00 -0400] conn=52 op=6 ADD dn="cn=replication 
manager,cn=config"
[15/Jul/2015:04:45:00 -0400] conn=52 op=6 RESULT err=68 tag=105 
nentries=0 etime=0

err=68 means "already exists", so is there another ADD, and a DEL?

did you install the replicas in parallel ?

Yes, I did.
Probably, this is the main reason

could be.
the procedure is to use a temporary repl manager, ADD/DEL cn=replication 
manager.

Done in parallel you could have
A ADD cn=repl
B ADD cn=repl ==> err=68 ==> ??? don't know how the failure is handled
A DEL cn=repl
B try to use cn=repl, but it no longer exists

Replica's access log does not contain any records about replication 
manager


error log on master has this interesting record:
[15/Jul/2015:04:47:30 -0400] repl_version_plugin_recv_acquire_cb - 
[file ipa_repl_version.c, line 119]: Incompatible IPA versions, 
pausing replication. This server: "2010061412" remote server: 
"(null)".


This is really weird, because both master and replica use the same 
version of packages:

freeipa-server-4.2.90.201507141138GIT3459607-0.fc22.x86_64


is there anything in the error log of the master ?

Ludwig

On 07/15/2015 11:07 AM, Oleg Fayans wrote:

Hi everybody,

The following error was encountered during installation of one of 
replicas using the packages built from the latest upstream code:
  [error] RuntimeError: One of the ldap service principals is 
missing. Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No 
such object


The second replica however was installed successfully.
Installation log and dirsrv errors log are attached



[Freeipa-devel] [PATCH 0047] ipa-ca-install: print more specific errors when CA is already installed

2015-07-15 Thread Martin Babinsky

Fixes https://fedorahosted.org/freeipa/ticket/4492

--
Martin^3 Babinsky
From 8c29064df3649db5784e96440bae3ae0ed19dcd3 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 15 Jul 2015 14:15:49 +0200
Subject: [PATCH] ipa-ca-install: print more specific errors when CA is already
 installed

This patch implements a more thorough check for already installed CAs
during standalone CA installation using ipa-ca-install. The installer now
differentiates between a CA that is already installed locally and a CA installed
on one or more masters in the topology, and prints an appropriate error message.

https://fedorahosted.org/freeipa/ticket/4492
---
 ipaserver/install/ca.py | 12 ++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index 498cc48a742d1b2d862eb9dfdb18743cfb211b78..39f4435e2d8f1b66b4b1acf2f2219c33120707dc 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -45,8 +45,16 @@ def install_check(standalone, replica_config, options):
 
 return
 
-if standalone and api.Command.ca_is_enabled()['result']:
-sys.exit("CA is already installed.\n")
+if standalone:
+if cainstance.is_ca_installed_locally():
+sys.exit("CA is already installed on this host.")
+elif api.Command.ca_is_enabled()['result']:
+sys.exit(
+"One or more CA masters are already present in IPA realm "
+"'%s'.\nIf you wish to replicate CA to this host, please "
+"re-run 'ipa-ca-install'\nwith a replica file generated on "
+"an existing CA master as argument." % realm_name
+)
 
 if options.external_cert_files:
 if not cainstance.is_step_one_done():
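Review bot: `realm_name` in the new error message is not among the parameters of `install_check(standalone, replica_config, options)` shown in the hunk header, so it must be a module-level name; if ca.py does not already define it, this branch raises NameError instead of printing the intended message. `api.env.realm` would avoid the implicit dependency. Minor: the first `sys.exit` dropped the trailing newline the old `"CA is already installed.\n"` had while the second message still embeds `\n`; pick one style. Checking the local CA before `ca_is_enabled()` is the right order, since the topology message would be misleading on a host that already runs a CA.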
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 0285] DNS: consolidate RR types in API and LDAP schema

2015-07-15 Thread Martin Basti

On 15/07/15 14:42, Martin Basti wrote:

Patch attached.

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

I forgot to add patch number in subject.

--
Martin Basti

From 6453116b130f090632c78c5c61d63e7bf5f815ef Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 15 Jul 2015 09:44:07 +0200
Subject: [PATCH] DNS: Consolidate DNS RR types in API and schema

* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
These records never worked; they don't have attributes in the schema.
TSIG and TKEY are meta-RRs and should not be in LDAP.
TA is not supported by BIND.
NSEC3 and DNSKEY are DNSSEC records generated by BIND and should not be
in LDAP.
*! SIG and NSEC are already defined in the schema and must stay in the API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
These records are already defined in the LDAP schema.

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
These records were defined in the IPA API as unsupported, but the schema
definition was missing. Because of this, the ACI could not be created for
these records and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055
---
 ACI.txt   |   4 +-
 API.txt   |  28 ++--
 VERSION   |   4 +-
 install/share/60ipadns.ldif   |   8 +++-
 install/share/dns.ldif|   2 +-
 install/updates/40-dns.update |   4 +-
 ipalib/plugins/dns.py | 101 ++
 7 files changed, 71 insertions(+), 80 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 76a7ff70e27c032bdd8fa26e076271e02b23d3b3..60607b98deb74d0b7f45d24ee9359b0cf8162b0d 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -61,13 +61,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example";)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example";)

Re: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation

2015-07-15 Thread Oleg Fayans

Hi Ludwig,

On 07/15/2015 01:52 PM, Ludwig Krispenz wrote:


On 07/15/2015 01:22 PM, Oleg Fayans wrote:

Hi Ludwig,

On 07/15/2015 12:20 PM, Ludwig Krispenz wrote:

looks like the initial replication is failing:
[15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not bind 
id [cn=replication manager,cn=config] authentication mechanism 
[SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin - 
agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind 
with SIMPLE auth failed: LDAP error 32 (No such object) ()


could you check the access log for ADD and DEL of "cn=replication 
manager,cn=config" on both master and replica,

Here are corresponding lines in access log of master:

[15/Jul/2015:04:45:00 -0400] conn=52 op=6 ADD dn="cn=replication 
manager,cn=config"
[15/Jul/2015:04:45:00 -0400] conn=52 op=6 RESULT err=68 tag=105 
nentries=0 etime=0

err=68 means "already exists", so is there another ADD, and a DEL?

did you install the replicas in parallel ?

Yes, I did.
Probably, this is the main reason



Replica's access log does not contain any records about replication 
manager


error log on master has this interesting record:
[15/Jul/2015:04:47:30 -0400] repl_version_plugin_recv_acquire_cb - 
[file ipa_repl_version.c, line 119]: Incompatible IPA versions, 
pausing replication. This server: "2010061412" remote server: 
"(null)".


This is really weird, because both master and replica use the same 
version of packages:

freeipa-server-4.2.90.201507141138GIT3459607-0.fc22.x86_64


is there anything in the error log of the master ?

Ludwig

On 07/15/2015 11:07 AM, Oleg Fayans wrote:

Hi everybody,

The following error was encountered during installation of one of 
replicas using the packages built from the latest upstream code:
  [error] RuntimeError: One of the ldap service principals is 
missing. Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No 
such object


The second replica however was installed successfully.
Installation log and dirsrv errors log are attached

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


[Freeipa-devel] DNS: consolidate RR types in API and LDAP schema

2015-07-15 Thread Martin Basti

Patch attached.

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

--
Martin Basti

From 6453116b130f090632c78c5c61d63e7bf5f815ef Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Wed, 15 Jul 2015 09:44:07 +0200
Subject: [PATCH] DNS: Consolidate DNS RR types in API and schema

* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
These records never worked; they don't have attributes in the schema.
TSIG and TKEY are meta-RRs and should not be in LDAP.
TA is not supported by BIND.
NSEC3 and DNSKEY are DNSSEC records generated by BIND and should not be
in LDAP.
*! SIG and NSEC are already defined in the schema and must stay in the API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records.
These records are already defined in the LDAP schema.

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records.
These records were defined in the IPA API as unsupported, but the schema
definition was missing. This meant that an ACI could not be created for
these records and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055
---
 ACI.txt   |   4 +-
 API.txt   |  28 ++--
 VERSION   |   4 +-
 install/share/60ipadns.ldif   |   8 +++-
 install/share/dns.ldif|   2 +-
 install/updates/40-dns.update |   4 +-
 ipalib/plugins/dns.py | 101 ++
 7 files changed, 71 insertions(+), 80 deletions(-)

diff --git a/ACI.txt b/ACI.txt
index 76a7ff70e27c032bdd8fa26e076271e02b23d3b3..60607b98deb74d0b7f45d24ee9359b0cf8162b0d 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -61,13 +61,13 @@ aci: (targetattr = "ipaprivatekey || ipapublickey || ipasecretkey || ipasecretke
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example";)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Manage DNSSEC metadata";allow (all) groupdn = "ldap:///cn=System: Manage DNSSEC metadata,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
-aci: (targetattr = "a6record || record || afsdbrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rrsigrecord || sigrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "a6record || record || afsdbrecord || aplrecord || arecord || certrecord || cn || cnamerecord || createtimestamp || dhcidrecord || dlvrecord || dnamerecord || dnsclass || dnsttl || dsrecord || entryusn || hinforecord || hiprecord || idnsallowdynupdate || idnsallowquery || idnsallowsyncptr || idnsallowtransfer || idnsforwarders || idnsforwardpolicy || idnsname || idnssecinlinesigning || idnssoaexpire || idnssoaminimum || idnssoamname || idnssoarefresh || idnssoaretry || idnssoarname || idnssoaserial || idnsupdatepolicy || idnszoneactive || ipseckeyrecord || keyrecord || kxrecord || locrecord || managedby || mdrecord || minforecord || modifytimestamp || mxrecord || naptrrecord || nsec3paramrecord || nsecrecord || nsrecord || nxtrecord || objectclass || ptrrecord || rprecord || rrsigrecord || sigrecord || spfrecord || srvrecord || sshfprecord || tlsarecord || txtrecord || unknownrecord")(target = "ldap:///idnsname=*,cn=dns,dc=ipa,dc=example";)(version 3.0;acl "permission:System: Read DNS Entries";allow (compare,read,search) groupdn = "ldap:///cn=System: Read DNS Entries,cn=permissions,cn=pbac,dc=ipa,dc=example";)
 dn: dc=ipa,dc=example
 aci: (targetattr = "cn || createtimestamp || entryusn || idnssecalgorithm || idnsseckeyactivate || idnsseckeycreated || idnsseckeydelete || idnsseckeyinactive || idnsseckeypublish || idnsseckeyref || idnsseckeyrevoke || idnsseckeysep || idnsseckeyzone || modifytimestamp || objectclass")(target = "ldap:///cn=dns,dc=ipa,dc=example";)(targetfilter = "(objectclass=idnsSecKey)")(version 3.0;acl "permission:System: Read D
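Review bot: in both the `-` and `+` `aci:` lines the targetattr list contains a bare `record` between `a6record` and `afsdbrecord`, which is not a plausible attribute type name and sits exactly where the AAAA record attribute would sort; check whether that name was damaged and regenerate ACI.txt from the plugin definition rather than hand-editing it. The six attributes added to "System: Read DNS Entries" (`aplrecord`, `dhcidrecord`, `hiprecord`, `ipseckeyrecord`, `rprecord`, `spfrecord`) line up with the RP, APL, IPSEC, DHCID, HIP and SPF schema additions named in the commit message; since that message says ACI creation failed precisely because these attribute types were missing from the schema, the `install/updates/40-dns.update` step that refreshes this permission has to run after `60ipadns.ldif` has been loaded on upgrade, or an upgraded server reproduces #5055.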

Re: [Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains

2015-07-15 Thread Tomas Babej


On 07/15/2015 02:31 PM, Alexander Bokovoy wrote:
> On Wed, 15 Jul 2015, Tomas Babej wrote:
>> Hi,
>>
>> Check for the presence of the forest root DNS domain of the AD realm
>> among the IPA realm domains prior to establishing the trust.
>>
>> This prevents creation of a failing setup, as trusts would not work
>> properly in this case.
>>
>> https://fedorahosted.org/freeipa/ticket/4799
> LGTM.
> 
> The only comment I have is for the error message text. Would it make
> sense to point to 'ipa realmdomains-mod --del-domain' command?
> 
> 

Sure, why not.

I actually abstained from generating the whole command (including the AD
domain argument), as I believe it's better the users are discouraged
from blindly copying commands around.

Updated patch attached.

Tomas
From 345abc73709bb20f2bb6f57b9109be86463fc8d2 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 15 Jul 2015 14:22:48 +0200
Subject: [PATCH] trusts: Check for AD root domain among our trusted domains

Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799
---
 ipalib/plugins/trust.py | 21 -
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 196df5926e7965dc1f0165f301bd5ac11528d1cd..6232e4fe9d3d5e957d22a3557cdcf4bb12cec0ea 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -640,6 +640,8 @@ sides.
self.params['realm_passwd'].label, confirm=False)
 
 def validate_options(self, *keys, **options):
+trusted_realm_domain = keys[-1]
+
 if not _bindings_installed:
 raise errors.NotFound(
 name=_('AD Trust setup'),
@@ -692,6 +694,23 @@ sides.
 )
 )
 
+# Obtain a list of IPA realm domains
+result = self.api.Command.realmdomains_show()['result']
+realm_domains = result['associateddomain']
+
+# Do not allow the AD's trusted realm domain in the list
+# of our realm domains
+if trusted_realm_domain.lower() in realm_domains:
+raise errors.ValidationError(
+name=_('AD Trust setup'),
+error=_(
+'Trusted domain %(domain)s is included among '
+'IPA realm domains. It needs to be removed '
+'prior to establishing the trust. See the '
+'"ipa realmdomains-mod --del-domain" command.'
+) % dict(domain=trusted_realm_domain)
+)
+
 self.realm_server = options.get('realm_server')
 self.realm_admin = options.get('realm_admin')
 self.realm_passwd = options.get('realm_passwd')
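Review bot: `trusted_realm_domain.lower() in realm_domains` lowercases only the left-hand side, so a domain stored with capital letters in `associateddomain` passes the check it is meant to fail; normalize both sides, e.g. `realm_domains = {d.lower() for d in result['associateddomain']}`, and strip a trailing dot if the AD domain may be given as an FQDN with one. `result['associateddomain']` also raises a bare KeyError on a realmdomains entry that lacks the attribute; `result.get('associateddomain', [])` keeps the failure path inside ValidationError.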
@@ -702,7 +721,7 @@ sides.
 if len(names) > 1:
 # realm admin name is in UPN format, user@realm, check that
 # realm is the same as the one that we are attempting to trust
-if keys[-1].lower() != names[-1].lower():
+if trusted_realm_domain.lower() != names[-1].lower():
 raise errors.ValidationError(
 name=_('AD Trust setup'),
 error=_(
-- 
2.1.0


Re: [Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains

2015-07-15 Thread Alexander Bokovoy

On Wed, 15 Jul 2015, Tomas Babej wrote:

Hi,

Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799

LGTM.

The only comment I have is for the error message text. Would it make
sense to point to 'ipa realmdomains-mod --del-domain' command?


--
/ Alexander Bokovoy



[Freeipa-devel] [PATCH 0339] trusts: Check for AD root domain among our trusted domains

2015-07-15 Thread Tomas Babej
Hi,

Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799

Tomas
From 03dabf99d538747051f1c898e6a58162425e7b28 Mon Sep 17 00:00:00 2001
From: Tomas Babej 
Date: Wed, 15 Jul 2015 14:22:48 +0200
Subject: [PATCH] trusts: Check for AD root domain among our trusted domains

Check for the presence of the forest root DNS domain of the AD realm
among the IPA realm domains prior to establishing the trust.

This prevents creation of a failing setup, as trusts would not work
properly in this case.

https://fedorahosted.org/freeipa/ticket/4799
---
 ipalib/plugins/trust.py | 20 +++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
index 196df5926e7965dc1f0165f301bd5ac11528d1cd..f28f2fdca9ef31b5b143f988616a75b25cc60016 100644
--- a/ipalib/plugins/trust.py
+++ b/ipalib/plugins/trust.py
@@ -640,6 +640,8 @@ sides.
self.params['realm_passwd'].label, confirm=False)
 
 def validate_options(self, *keys, **options):
+trusted_realm_domain = keys[-1]
+
 if not _bindings_installed:
 raise errors.NotFound(
 name=_('AD Trust setup'),
@@ -692,6 +694,22 @@ sides.
 )
 )
 
+# Obtain a list of IPA realm domains
+result = self.api.Command.realmdomains_show()['result']
+realm_domains = result['associateddomain']
+
+# Do not allow the AD's trusted realm domain in the list
+# of our realm domains
+if trusted_realm_domain.lower() in realm_domains:
+raise errors.ValidationError(
+name=_('AD Trust setup'),
+error=_(
+'Trusted domain %(domain)s is included among '
+'IPA realm domains. It needs to be removed '
+'prior to establishing the trust.'
+) % dict(domain=trusted_realm_domain)
+)
+
 self.realm_server = options.get('realm_server')
 self.realm_admin = options.get('realm_admin')
 self.realm_passwd = options.get('realm_passwd')
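Review bot: the ValidationError text in this hunk says the domain "needs to be removed prior to establishing the trust" but not how, and the admin has to run a second command before retrying, so name `ipa realmdomains-mod --del-domain` in the message (the same hunk in the updated patch earlier in this thread does this).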
@@ -702,7 +720,7 @@ sides.
 if len(names) > 1:
 # realm admin name is in UPN format, user@realm, check that
 # realm is the same as the one that we are attempting to trust
-if keys[-1].lower() != names[-1].lower():
+if trusted_realm_domain.lower() != names[-1].lower():
 raise errors.ValidationError(
 name=_('AD Trust setup'),
 error=_(
-- 
2.1.0


Re: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation

2015-07-15 Thread Ludwig Krispenz


On 07/15/2015 01:22 PM, Oleg Fayans wrote:

Hi Ludwig,

On 07/15/2015 12:20 PM, Ludwig Krispenz wrote:

looks like the initial replication is failing:
[15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not bind 
id [cn=replication manager,cn=config] authentication mechanism 
[SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin - 
agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind 
with SIMPLE auth failed: LDAP error 32 (No such object) ()


could you check the access log for ADD and DEL of "cn=replication 
manager,cn=config" on both master and replica,

Here are corresponding lines in access log of master:

[15/Jul/2015:04:45:00 -0400] conn=52 op=6 ADD dn="cn=replication 
manager,cn=config"
[15/Jul/2015:04:45:00 -0400] conn=52 op=6 RESULT err=68 tag=105 
nentries=0 etime=0

err=68 means "already exists", so is there another ADD, and a DEL?

did you install the replicas in parallel ?


Replica's access log does not contain any records about replication 
manager


error log on master has this interesting record:
[15/Jul/2015:04:47:30 -0400] repl_version_plugin_recv_acquire_cb - 
[file ipa_repl_version.c, line 119]: Incompatible IPA versions, 
pausing replication. This server: "2010061412" remote server: 
"(null)".


This is really weird, because both master and replica use the same 
version of packages:

freeipa-server-4.2.90.201507141138GIT3459607-0.fc22.x86_64


is there anything in the error log of the master ?

Ludwig

On 07/15/2015 11:07 AM, Oleg Fayans wrote:

Hi everybody,

The following error was encountered during installation of one of 
replicas using the packages built from the latest upstream code:
  [error] RuntimeError: One of the ldap service principals is 
missing. Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No 
such object


The second replica however was installed successfully.
Installation log and dirsrv errors log are attached

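An added example, not from this thread or from FreeIPA: a small Python scanner for 389-ds access log lines in the format quoted above. It pairs each operation on cn=replication manager,cn=config with its RESULT line so that a duplicate ADD (err=68), the DEL Ludwig asks about and a later failed bind as that DN (err=32) stand out; the sample log is constructed (only the conn=52 op=6 pair is taken from the thread) and all function names are mine.

```python
import re

# DN of the replication manager entry discussed in the thread.
REPL_MANAGER_DN = "cn=replication manager,cn=config"

# LDAP result codes that matter here (RFC 4511 numbering).
LDAP_NO_SUCH_OBJECT = 32
LDAP_ALREADY_EXISTS = 68

# Constructed sample in 389-ds access log format; only the conn=52 op=6 pair
# comes from the thread, the other lines are made up for illustration.
SAMPLE_ACCESS_LOG = """\
[15/Jul/2015:04:44:58 -0400] conn=51 op=4 ADD dn="cn=replication manager,cn=config"
[15/Jul/2015:04:44:58 -0400] conn=51 op=4 RESULT err=0 tag=105 nentries=0 etime=0
[15/Jul/2015:04:45:00 -0400] conn=52 op=6 ADD dn="cn=replication manager,cn=config"
[15/Jul/2015:04:45:00 -0400] conn=52 op=6 RESULT err=68 tag=105 nentries=0 etime=0
[15/Jul/2015:04:46:10 -0400] conn=51 op=9 DEL dn="cn=replication manager,cn=config"
[15/Jul/2015:04:46:10 -0400] conn=51 op=9 RESULT err=0 tag=107 nentries=0 etime=0
[15/Jul/2015:04:47:31 -0400] conn=53 op=0 BIND dn="cn=replication manager,cn=config" method=128 version=3
[15/Jul/2015:04:47:31 -0400] conn=53 op=0 RESULT err=32 tag=97 nentries=0 etime=0
"""

_OP_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>\d+) '
    r'(?P<kind>ADD|DEL|BIND|MOD|MODRDN) dn="(?P<dn>[^"]*)"')
_RESULT_RE = re.compile(
    r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+)')


def parse_operations(log_text, dn=REPL_MANAGER_DN):
    """Pair every ADD/DEL/BIND/MOD on `dn` with its RESULT line.

    Returns dicts in log order with keys ts, conn, op, kind and err; err is
    None when no RESULT was seen, e.g. because the log was cut off.
    """
    pending = {}  # (conn, op) -> event still waiting for its RESULT
    events = []
    for line in log_text.splitlines():
        m = _OP_RE.match(line)
        if m:
            if m.group("dn").lower() == dn.lower():
                ev = {"ts": m.group("ts"), "conn": int(m.group("conn")),
                      "op": int(m.group("op")), "kind": m.group("kind"),
                      "err": None}
                pending[(ev["conn"], ev["op"])] = ev
                events.append(ev)
            continue
        m = _RESULT_RE.match(line)
        if m:
            ev = pending.pop((int(m.group("conn")), int(m.group("op"))), None)
            if ev is not None:
                ev["err"] = int(m.group("err"))
    return events


def diagnose(events):
    """Answer the questions asked in the thread: was the entry ADDed more
    than once (parallel replica installs), did an ADD fail with err=68,
    and did a bind as that DN fail with err=32 after a successful DEL?"""
    findings = []
    adds = [e for e in events if e["kind"] == "ADD"]
    if len(adds) > 1:
        ok = sum(1 for e in adds if e["err"] == 0)
        dup = sum(1 for e in adds if e["err"] == LDAP_ALREADY_EXISTS)
        findings.append(
            "%d ADDs of %s: %d succeeded, %d failed with err=68 (already "
            "exists); this pattern fits replicas being installed in parallel"
            % (len(adds), REPL_MANAGER_DN, ok, dup))
    last_del = None
    for e in events:
        if e["kind"] == "DEL" and e["err"] == 0:
            last_del = e
        elif (e["kind"] == "BIND" and e["err"] == LDAP_NO_SUCH_OBJECT
              and last_del is not None):
            findings.append(
                "BIND as %s at conn=%d op=%d failed with err=32 after the "
                "entry was deleted at conn=%d op=%d"
                % (REPL_MANAGER_DN, e["conn"], e["op"],
                   last_del["conn"], last_del["op"]))
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_operations(SAMPLE_ACCESS_LOG)):
        print(finding)
```

Run it against the real access logs of both master and replica; the same err=68 on the second ADD on the master is what a parallel install of two replicas leaves behind.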


Re: [Freeipa-devel] [PATCH 0054] cermonger: Use private unix socket when DBus SystemBus is not, available.

2015-07-15 Thread Jan Cholasta

Dne 7.7.2015 v 16:51 David Kupka napsal(a):

On 03/07/15 08:46, Martin Kosek wrote:

On 07/03/2015 08:41 AM, Jan Cholasta wrote:

Dne 2.7.2015 v 14:34 David Kupka napsal(a):

On 01/07/15 16:31, David Kupka wrote:





Updated patch attached.


Client install works, but uninstall does not:

# ipa-client-install --uninstall -U
certmonger failed to start: Command ''/bin/systemctl' 'start'
'certmonger.service'' returned non-zero exit status 1
certmonger failed to stop tracking certificate: Failed to start
certmonger:
Timeouted
2015-07-03 02:38:15 [17242] Error reading PIN from
"/etc/ipa/nssdb/pwdfile.txt": No such file or directory.
Failed to start certmonger: Timeouted

The patch needs a rebase.



Also, "Timeouted" is not a word, try "Timed out" instead :-)


Updated patch attached. Also attaching patch that removes unneeded
certmonger (re)starting and DBus starting from ipa-client-install.



NACK.

When dbus is not available and ipa-client-install is run *without* 
--request-cert, certmonger tracks "Local IPA host" in /etc/ipa/nssdb.


When ipa-client-install is run *with* --request-cert, the certificate is 
not issued, but I guess this is not caused by your patch.


--
Jan Cholasta



Re: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation

2015-07-15 Thread Oleg Fayans

Hi Ludwig,

On 07/15/2015 12:20 PM, Ludwig Krispenz wrote:

looks like the initial replication is failing:
[15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not bind 
id [cn=replication manager,cn=config] authentication mechanism 
[SIMPLE]: error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin - 
agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind 
with SIMPLE auth failed: LDAP error 32 (No such object) ()


could you check the access log for ADD and DEL of "cn=replication 
manager,cn=config" on both master and replica,

Here are corresponding lines in access log of master:

[15/Jul/2015:04:45:00 -0400] conn=52 op=6 ADD dn="cn=replication 
manager,cn=config"
[15/Jul/2015:04:45:00 -0400] conn=52 op=6 RESULT err=68 tag=105 
nentries=0 etime=0


Replica's access log does not contain any records about replication manager

error log on master has this interesting record:
[15/Jul/2015:04:47:30 -0400] repl_version_plugin_recv_acquire_cb - [file 
ipa_repl_version.c, line 119]: Incompatible IPA versions, pausing 
replication. This server: "2010061412" remote server: "(null)".


This is really weird, because both master and replica use the same 
version of packages:

freeipa-server-4.2.90.201507141138GIT3459607-0.fc22.x86_64


is there anything in the error log of the master ?

Ludwig

On 07/15/2015 11:07 AM, Oleg Fayans wrote:

Hi everybody,

The following error was encountered during installation of one of 
replicas using the packages built from the latest upstream code:
  [error] RuntimeError: One of the ldap service principals is 
missing. Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No 
such object


The second replica however was installed successfully.
Installation log and dirsrv errors log are attached

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.



Re: [Freeipa-devel] [PATCH 465] spec file: Update minimum required version of krb5

2015-07-15 Thread Jan Cholasta

Hi,

Dne 15.7.2015 v 12:54 Alexander Bokovoy napsal(a):

On Wed, 15 Jul 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes .

ACK



Thanks for the review.

Pushed to:
master: d6e701a79333c0d732323a1f4250aa698625e889
ipa-4-2: 5678e211af604af5ed20df5d4282df8a0275aa14

Honza

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 465] spec file: Update minimum required version of krb5

2015-07-15 Thread Alexander Bokovoy

On Wed, 15 Jul 2015, Jan Cholasta wrote:

Hi,

the attached patch fixes .

ACK

--
/ Alexander Bokovoy



Re: [Freeipa-devel] [PATCH 0281] Validate adding a privilege to a permission

2015-07-15 Thread Martin Basti

On 10/07/15 10:43, Martin Basti wrote:

On 10/07/15 07:32, Jan Cholasta wrote:

Hi,

Dne 9.7.2015 v 16:55 Martin Basti napsal(a):

https://fedorahosted.org/freeipa/ticket/5075

Patch attached.


the check is very plugin-specific, so I don't think it should be in 
ipalib.util. You can keep it in privilege and import it from there in 
permission just fine.


Honza


Updated patch attached.




Updated patch attached.

--
Martin Basti

From bfb3f06a28163a7d63fc9f58fe15dab531d9 Mon Sep 17 00:00:00 2001
From: Martin Basti 
Date: Thu, 9 Jul 2015 16:48:36 +0200
Subject: [PATCH] Validate adding privilege to a permission

Adding a privilege to a permission via the web UI allowed the check to be bypassed
and a permission with an improper type to be added.

https://fedorahosted.org/freeipa/ticket/5075
---
 ipalib/plugins/permission.py |  7 ++
 ipalib/plugins/privilege.py  | 51 ++--
 2 files changed, 33 insertions(+), 25 deletions(-)

diff --git a/ipalib/plugins/permission.py b/ipalib/plugins/permission.py
index f2e896935cc777801ec3a70262372f296b1ea2b8..7d2a4dd156693d9d9b7d6f042488856274fb3f64 100644
--- a/ipalib/plugins/permission.py
+++ b/ipalib/plugins/permission.py
@@ -21,6 +21,7 @@ import re
 import traceback
 
 from ipalib.plugins import baseldap
+from ipalib.plugins.privilege import validate_permission_to_privilege
 from ipalib import errors
 from ipalib.parameters import Str, StrEnum, DNParam, Flag
 from ipalib import api, _, ngettext
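Review bot: `from ipalib.plugins.privilege import validate_permission_to_privilege` makes the permission plugin import the privilege plugin module at load time; that is fine only as long as privilege.py never imports anything from permission.py, otherwise plugin loading fails with a circular import, so a one-line comment at the import stating the dependency direction would save the next person the surprise.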
@@ -1377,6 +1378,12 @@ class permission_add_member(baseldap.LDAPAddMember):
 """Add members to a permission."""
 NO_CLI = True
 
+def pre_callback(self, ldap, dn, member_dns, failed, *keys, **options):
+# We can only add permissions with bind rule type set to
+# "permission" (or old-style permissions)
+validate_permission_to_privilege(self.api, keys[-1])
+return dn
+
 
 @register()
 class permission_remove_member(baseldap.LDAPRemoveMember):
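Review bot: the comment in the new `pre_callback` ("We can only add permissions with bind rule type set to 'permission'") was copied from `privilege_add_permission` and describes the other direction: this command adds members to the permission named by `keys[-1]`, so say that members can only be added to a permission whose bind rule type is "permission". The call is also unconditional, unlike the original which is guarded by `options.get('permission')`; if `permission_add_member` accepts any member type other than privileges, guard it on `options.get('privilege')`.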
diff --git a/ipalib/plugins/privilege.py b/ipalib/plugins/privilege.py
index 867544359f76fdcb44cd3015f7466a46ba492bec..ffb903e03dbfaafbe2bb7135038494ae49a7d8a8 100644
--- a/ipalib/plugins/privilege.py
+++ b/ipalib/plugins/privilege.py
@@ -45,6 +45,31 @@ See role and permission for additional information.
 register = Registry()
 
 
+def validate_permission_to_privilege(api, permission):
+ldap = api.Backend.ldap2
+ldapfilter = ldap.combine_filters(rules='&', filters=[
+'(objectClass=ipaPermissionV2)', '(!(ipaPermBindRuleType=permission))',
+ldap.make_filter_from_attr('cn', permission, rules='|')])
+try:
+entries, truncated = ldap.find_entries(
+filter=ldapfilter,
+attrs_list=['cn', 'ipapermbindruletype'],
+base_dn=DN(api.env.container_permission, api.env.basedn),
+size_limit=1)
+except errors.NotFound:
+pass
+else:
+entry = entries[0]
+message = _('cannot add permission "%(perm)s" with bindtype '
+'"%(bindtype)s" to a privilege')
+raise errors.ValidationError(
+name='permission',
+error=message % {
+'perm': entry.single_value['cn'],
+'bindtype': entry.single_value.get(
+'ipapermbindruletype', 'permission')})
+
+
 @register()
 class privilege(LDAPObject):
 """
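Review bot: `(!(ipaPermBindRuleType=permission))` also matches an `ipaPermissionV2` entry that carries no `ipaPermBindRuleType` at all, and for that entry the error message then reports bindtype "permission" via the `.get(..., 'permission')` default, contradicting itself; either exclude attribute-less entries in the filter (`(&(ipaPermBindRuleType=*)(!(ipaPermBindRuleType=permission)))`) or drop the default so the message shows what was actually found. A docstring should also record that `permission` may be a single name (from `permission_add_member`) or the multi-valued `options['permission']` (from `privilege_add_permission`), which is why `rules='|'` is passed to `make_filter_from_attr`.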
@@ -185,31 +210,7 @@ class privilege_add_permission(LDAPAddReverseMember):
 if options.get('permission'):
 # We can only add permissions with bind rule type set to
 # "permission" (or old-style permissions)
-ldapfilter = ldap.combine_filters(rules='&', filters=[
-'(objectClass=ipaPermissionV2)',
-'(!(ipaPermBindRuleType=permission))',
-ldap.make_filter_from_attr('cn', options['permission'],
-   rules='|'),
-])
-try:
-entries, truncated = ldap.find_entries(
-filter=ldapfilter,
-attrs_list=['cn', 'ipapermbindruletype'],
-base_dn=DN(self.api.env.container_permission,
-   self.api.env.basedn),
-size_limit=1)
-except errors.NotFound:
-pass
-else:
-entry = entries[0]
-message = _('cannot add permission "%(perm)s" with bindtype '
-'"%(bindtype)s" to a privilege')
-raise errors.ValidationError(
-name='permission',
-error=message % {
-'perm': entry.single_value['cn'],
-'bindtype': entry.single_value.get(
-'ipapermbindruletype', 'permission')})
+validate_permission_to_privilege(self.api, options['permission'])
 return dn
 
 
-- 
2.4.3


Re: [Freeipa-devel] [PATCH 464] spec file: Move /etc/ipa/kdcproxy to the server subpackage

2015-07-15 Thread Jan Cholasta

Dne 15.7.2015 v 12:42 Christian Heimes napsal(a):

On 2015-07-14 13:56, Jan Cholasta wrote:

Hi,

the attached patch fixes client-only builds.


LGTM.

I didn't know about the difference between server and client-only
builds. Thanks for the fix!


Pushed to:
master: ba31b415697b1e8e85f6d55e939ede36be9942e6
ipa-4-2: 3fa581afc2da962496edba09488c569ffa26cf8d

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 464] spec file: Move /etc/ipa/kdcproxy to the server subpackage

2015-07-15 Thread Christian Heimes
On 2015-07-14 13:56, Jan Cholasta wrote:
> Hi,
> 
> the attached patch fixes client-only builds.

LGTM.

I didn't know about the difference between server and client-only
builds. Thanks for the fix!





[Freeipa-devel] [PATCH 465] spec file: Update minimum required version of krb5

2015-07-15 Thread Jan Cholasta

Hi,

the attached patch fixes .

Honza

--
Jan Cholasta
From ee18849be68ca6705165c660b7138f694369e764 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Wed, 15 Jul 2015 08:45:53 +
Subject: [PATCH] spec file: Update minimum required version of krb5

Automatically require the krb5 version used at build time.

https://fedorahosted.org/freeipa/ticket/5132
---
 freeipa.spec.in | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/freeipa.spec.in b/freeipa.spec.in
index e9f97c3..ee6961e 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -11,6 +11,8 @@
 %global selinux_policy_version 3.12.1-179
 %endif
 
+%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
+
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
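Review bot: `%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo ...)` runs at every spec parse, including on a host where krb5-devel is not installed (building the SRPM, spec linting); there `rpm -q` prints "package krb5-devel is not installed", the grep matches nothing and the macro expands to an empty string, which silently turns the `Requires(post): krb5-server >= %{krb5_base_version}` line later in the patch into a malformed dependency. Fail loudly instead (`%if "%{krb5_base_version}" == ""` / `%{error:krb5-devel must be installed}` / `%endif`), take only the first line (`head -n1`) so two installed arches of krb5-devel do not yield two versions, and use `%global` like the surrounding definitions.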
@@ -52,7 +54,7 @@ BuildRequires:  nspr-devel
 BuildRequires:  nss-devel
 BuildRequires:  openssl-devel
 BuildRequires:  openldap-devel
-BuildRequires:  krb5-devel >= 1.11
+BuildRequires:  krb5-devel >= 1.13
 BuildRequires:  krb5-workstation
 BuildRequires:  libuuid-devel
 BuildRequires:  libcurl-devel >= 7.21.7-2
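Review bot: the `BuildRequires: krb5-devel` floor moves from 1.11 to 1.13 here, which is a separate change from the automatic runtime requirement the commit message describes; add a sentence saying why 1.13 is now required so the bump is traceable.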
@@ -119,7 +121,7 @@ Requires: 389-ds-base >= 1.3.4.0
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
-Requires: krb5-server >= 1.11.5-5
+Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
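Review bot: the old `Requires: krb5-server >= 1.11.5-5` is replaced with `Requires(post): ...`, and the commit message does not say why the dependency is being narrowed to the %post scriptlet; unless scriptlet ordering is the intent, keep a plain `Requires:` so the runtime dependency is unchanged. The upper bound `< %{krb5_base_version}.100` encodes an assumption that krb5 patch levels stay below 100; a comment next to the macro should say so.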
-- 
2.1.0


Re: [Freeipa-devel] Unable to acquire replicaLDAP during replica installation

2015-07-15 Thread Ludwig Krispenz

looks like the initial replication is failing:
[15/Jul/2015:04:47:31 -0400] slapi_ldap_bind - Error: could not bind id 
[cn=replication manager,cn=config] authentication mechanism [SIMPLE]: 
error 32 (No such object) errno 0 (Success)
[15/Jul/2015:04:47:31 -0400] NSMMReplicationPlugin - 
agmt="cn=meTof22master.pesen.net" (f22master:389): Replication bind with 
SIMPLE auth failed: LDAP error 32 (No such object) ()


could you check the access log for ADD and DEL of "cn=replication 
manager,cn=config" on both master and replica,

is there anything in the error log of the master ?

Ludwig

On 07/15/2015 11:07 AM, Oleg Fayans wrote:

Hi everybody,

The following error was encountered during installation of one of 
replicas using the packages built from the latest upstream code:
  [error] RuntimeError: One of the ldap service principals is missing. 
Replication agreement cannot be converted.
Replication error message: Unable to acquire replicaLDAP error: No 
such object


The second replica however was installed successfully.
Installation log and dirsrv errors log are attached






-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] ipa-devel repos on jdennis.fedorapeople.org

2015-07-15 Thread Jan Pazdziora
On Tue, Jul 14, 2015 at 12:49:23PM -0400, John Dennis wrote:
> On 07/14/2015 12:03 PM, Petr Spacek wrote:
> >Hello,
> >
> >Is anyone using repos
> >https://jdennis.fedorapeople.org/ipa-devel/
> >?
> >
> >AFAIK nobody in Brno is seriously using it but I'm not sure about people
> >outside Brno.
> >
> >Could we use COPR instead and get out of builder business? Upcoming lab
> >maintenance window could be a good time to do that.
> 
> I would love to get out of the builder business and I suspect Nalin would as
> well [1]. The question came up in our Monday meeting as well. Nobody seems to
> know if anyone was using these builds and why we weren't using COPR. The

The Fedora infra admins should be able to provide HTTP logs for the
repo, if you need some numbers about potential usage.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] [PATCH 0283] copy-schema-to-ca: allow to overwrite schema files

2015-07-15 Thread Jan Cholasta

Dne 14.7.2015 v 14:17 David Kupka napsal(a):

On 10/07/15 14:31, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5034

Patch attached.

Works for me, ACK.

Pushed to:
master: 8bc0e9693b4b8356859b00afecd150b5c75fed99
ipa-4-2: cbdeba7a73c20b60b748558e63cf8672387febda

--
Jan Cholasta

Re: [Freeipa-devel] [PATCH 0284] stageuser-activate: show user name in error message instead of DN

2015-07-15 Thread Jan Cholasta

Dne 13.7.2015 v 15:03 David Kupka napsal(a):

On 10/07/15 14:51, Martin Basti wrote:

https://fedorahosted.org/freeipa/ticket/5038

I reworded the error message to keep the same format as stageuser-add
and user-add.

Patch attached.

Works for me, ACK.

Pushed to:
master: c144ea6feff2a712e4862f4e3c2fa882309da5b8
ipa-4-2: 49802bff910bf9ba9eb6fda7e0f255e0a688611f

--
Jan Cholasta
