Re: [Freeipa-devel] [PATCHES] from Debian

2015-10-05 Thread Martin Basti



On 10/05/2015 04:44 PM, Timo Aaltonen wrote:

On 05.10.2015 16:08, Timo Aaltonen wrote:

Hi

   Here are a few prep patches to get off the list before getting to
discuss how to add Debian platform support..

Here's one more.






ACK

Pushed to master: 7c32ecaa0ebdfc879d6d2286974987b9fee7082e
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-05 Thread David Kupka

On 05/10/15 16:12, Simo Sorce wrote:

On 05/10/15 09:00, Martin Babinsky wrote:

These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.


LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes ? Is that bug
fixed in 389ds ?

Simo.




The issue is still there. Thierry investigated this in 389 DS and IIUC 
he is not sure if it's a bug or a completely missing feature. Therefore we 
still don't know how much time is needed there.


--
David Kupka



Re: [Freeipa-devel] [PATCH] 375 Added mechanism to copy vault secrets.

2015-10-05 Thread Jan Cholasta

On 2.10.2015 15:23, Martin Basti wrote:



On 08/27/2015 01:47 AM, Endi Sukma Dewata wrote:

On 8/20/2015 2:08 AM, Endi Sukma Dewata wrote:

On 8/19/2015 4:20 AM, Martin Basti wrote:

On 08/16/2015 05:29 PM, Endi Sukma Dewata wrote:

The vault-add and vault-archive commands have been modified to
optionally retrieve a secret from a source vault, then re-archive
the secret into the new/existing target vault.

https://fedorahosted.org/freeipa/ticket/5223




I cannot apply this patch.


Rebased. It depends on patch #371-2.


Rebased due to other changes in vault.



Code works for me, but wouldn't it be better to create a new command,
something like vault-copy, instead of adding new options to the existing
command?


+1

--
Jan Cholasta



Re: [Freeipa-devel] [PATCH 0054] Update FreeIPA package description

2015-10-05 Thread Petr Spacek
On 2.10.2015 14:32, Gabe Alford wrote:
> Bump for review.

Sorry for the delay. I like the new text, ACK.

Petr^2 Spacek

> On Mon, Sep 21, 2015 at 9:37 AM, Gabe Alford wrote:
> 
>> Hello,
>>
>> Fix for https://fedorahosted.org/freeipa/ticket/5284
>>
>> Thanks,
>>
>> Gabe



[Freeipa-devel] [patch 0021] Include ipatests/test_xmlrpc/data directory into distribution

2015-10-05 Thread Milan Kubík
Adds ipatests/test_xmlrpc/data directory and its content into package. 
The files are needed for certprofile (and CA ACL) tests.

Patch attached.

--
Milan Kubik

From 2e7e84f27590efd7b5097551104f723e018c722f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Milan=20Kub=C3=ADk?= 
Date: Thu, 1 Oct 2015 15:55:19 +0200
Subject: [PATCH 1/2] Include ipatests/test_xmlrpc/data directory into
 distribution.

---
 ipatests/setup.py.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ipatests/setup.py.in b/ipatests/setup.py.in
index 90390c06d191cfbc85c385af9b3af6768826703e..afc77ad564eca3e7ad5f488662d32c54d11ea189 100644
--- a/ipatests/setup.py.in
+++ b/ipatests/setup.py.in
@@ -84,6 +84,7 @@ def setup_package():
 'ipatests.test_integration': ['scripts/*'],
 'ipatests.test_pkcs10': ['*.csr'],
 "ipatests.test_ipaserver": ['data/*'],
+'ipatests.test_xmlrpc': ['data/*'],
 }
 )
 finally:
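Review bot: The new 'ipatests.test_xmlrpc': ['data/*'] entry only matches files that sit directly in data/. If the certprofile or CA ACL fixtures are ever placed in a subdirectory they will still be left out of the package, so please confirm the directory is flat or add a second glob for the nested level.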
-- 
2.6.0


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-05 Thread Jan Pazdziora
On Thu, Oct 01, 2015 at 04:33:28PM +0200, Oleg Fayans wrote:
> 
> 1.
> Having PTR sync enabled in global DNS configuration and installing client
> with --enable-dns-updates option, ipa master still does not create a PTR
> record for the client machine. As a result, ipa-replica-install throws the
> following error:
> 
> ipa : ERROR Reverse DNS resolution of address 192.168.122.171
> (f22replica1.pesen.net) failed. Clients may not function properly. Please
> check your DNS setup. (Note that this check queries IPA DNS directly and
> ignores /etc/hosts.)

I believe you also need to have the PTR sync enabled in the forward zone
(pesen.net).

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat



[Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-05 Thread Martin Babinsky
These patches implement the plumbing required to properly support 
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the scope 
of this patchset and should be done after these patches are pushed.


I will try to send some tests for the patches later this week.

Please review the hell out of them.

--
Martin^3 Babinsky
From 4832fa024a3083f6cce3c151ab29ae99a696fcf1 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Fri, 2 Oct 2015 18:05:03 +0200
Subject: [PATCH 09/09] account for added krbcanonicalname attribute during
 xmlrpc tests

https://fedorahosted.org/freeipa/ticket/3864
---
 ipatests/test_xmlrpc/objectclasses.py | 1 -
 ipatests/test_xmlrpc/test_host_plugin.py  | 4 +++-
 ipatests/test_xmlrpc/test_service_plugin.py   | 4 ++--
 ipatests/test_xmlrpc/test_stageuser_plugin.py | 5 -
 ipatests/test_xmlrpc/test_user_plugin.py  | 7 +--
 5 files changed, 14 insertions(+), 7 deletions(-)

diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
index 1cd77c7f885fe408d0d9d48fc6d8284900c91b7f..206cb3689a97623f5144686b23a9a3f56c113560 100644
--- a/ipatests/test_xmlrpc/objectclasses.py
+++ b/ipatests/test_xmlrpc/objectclasses.py
@@ -100,7 +100,6 @@ service = [
 u'ipaobject',
 u'ipaservice',
 u'pkiuser',
-u'ipakrbprincipal',
 u'top',
 ]
 
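Review bot: Dropping u'ipakrbprincipal' from the expected service object classes is not covered by the commit message, which only mentions the added krbcanonicalname attribute. Please state in the message why service entries no longer carry this object class, so the test change can be checked against the server-side patch it follows.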
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index bba86492e98d098d4c0bbd42de58e96b9b570e1d..efd9403f0028a7ae45261cabcb4f490b94d7db66 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -122,7 +122,8 @@ class HostTracker(Tracker):
 'ipaallowedtoperform_write_keys_hostgroup'}
 retrieve_all_keys = retrieve_keys | {
 u'cn', u'ipakrbokasdelegate', u'ipakrbrequirespreauth', u'ipauniqueid',
-u'managing_host', u'objectclass', u'serverhostname'}
+u'managing_host', u'objectclass', u'serverhostname',
+u'krbcanonicalname'}
 create_keys = retrieve_keys | {'objectclass', 'ipauniqueid',
'randompassword'}
 update_keys = retrieve_keys - {'dn'}
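Review bot: u'krbcanonicalname' is added to retrieve_all_keys only, while create_keys two lines below is built from retrieve_keys, so HostTracker will not expect the attribute in the output of a create unless retrieve_keys (not shown in this hunk) already has it. StageUserTracker in this same patch builds create_keys from retrieve_all_keys and therefore does expect it on create; please confirm the difference is intended or add the key to create_keys here.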
@@ -178,6 +179,7 @@ class HostTracker(Tracker):
 description=[self.description],
 l=[self.location],
 krbprincipalname=[u'host/%s@%s' % (self.fqdn, self.api.env.realm)],
+krbcanonicalname=[u'host/%s@%s' % (self.fqdn, self.api.env.realm)],
 objectclass=objectclasses.host,
 ipauniqueid=[fuzzy_uuid],
 managedby_host=[self.fqdn],
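Review bot: The added krbcanonicalname expectation repeats the u'host/%s@%s' % (self.fqdn, self.api.env.realm) expression from the krbprincipalname line directly above it. Building the principal once in a local variable and using it for both keys would keep the two expectations from drifting apart.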
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 78ba60a691a625d3fdce2ea0df0f2aef9ef3caac..6c399ed62b9ec52000ab155fbcd5a387c6135fc2 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -236,7 +236,7 @@ class test_service(Declarative):
 result=dict(
 dn=service1dn,
 krbprincipalname=[service1],
-ipakrbprincipalalias=[service1],
+krbcanonicalname=[service1],
 objectclass=objectclasses.service,
 ipauniqueid=[fuzzy_uuid],
 managedby_host=[fqdn1],
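Review bot: In this expected result krbcanonicalname=[service1] carries exactly the same value as krbprincipalname=[service1], so the test cannot tell whether the server filled the new attribute from the right source. That is acceptable for this patch, but the follow-up tests promised in the cover letter should include a case where the two values differ.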
@@ -278,7 +278,7 @@ class test_service(Declarative):
 dict(
 dn=service1dn,
 krbprincipalname=[service1],
-ipakrbprincipalalias=[service1],
+krbcanonicalname=[service1],
 objectclass=objectclasses.service,
 ipauniqueid=[fuzzy_uuid],
 has_keytab=False,
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index b09ef6e84cd95a32061b07d833c5a39f1750f80b..d19bbdf450085b55a02b68ac5ebbb091ae7dc227 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -103,7 +103,8 @@ class StageUserTracker(Tracker):
 u'st', u'mobile', u'pager', }
 retrieve_all_keys = retrieve_keys | {
 u'cn', u'ipauniqueid', u'objectclass', u'description',
-u'displayname', u'gecos', u'initials', u'krbprincipalname', u'manager'}
+u'displayname', u'gecos', u'initials', u'krbprincipalname',
+u'krbcanonicalname', u'manager'}
 
 create_keys = retrieve_all_keys | {
 u'objectclass', u'ipauniqueid', u'randompassword',
@@ -170,6 +171,7 @@ class StageUserTracker(Tracker):
 uidnumber=[u'-1'],
 gidnumber=[u'-1'],
 krbprincipalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
+krbcanonicalname=[u'%s@%s' % (self.uid, self.api.env.realm)],
 mail=[u'%s@%s' % (self.uid, self.api.env.domain)],
 

[Freeipa-devel] [PATCHES] from Debian

2015-10-05 Thread Timo Aaltonen

Hi

  Here are a few prep patches to get off the list before getting to
discuss how to add Debian platform support..
From 49f2158b4be10b3e82392eda55909f94ee581c1a Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Sat, 3 Oct 2015 11:40:15 +0300
Subject: [PATCH] paths: Add GENERATE_RNDC_KEY.

---
 ipaplatform/base/paths.py | 1 +
 ipaserver/install/bindinstance.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a272143d0053451c017c0df613951cc0e6d52c54..0d2c4c17769ef643ba2d6c9991d910cf6e00858d 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -210,6 +210,7 @@ class BasePathNamespace(object):
 DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"
 DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"
 IPA_SERVER_GUARD = "/usr/libexec/certmonger/ipa-server-guard"
+GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh"
 IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
 IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
 IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter"
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 771f13b00e37a6bf510ff46fe880240c84356761..9a9ef1af8a7b1cf438994489c895aec37102547b 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1002,7 +1002,7 @@ class BindInstance(service.Service):
 
 def __generate_rndc_key(self):
 installutils.check_entropy()
-ipautil.run(['/usr/libexec/generate-rndc-key.sh'])
+ipautil.run(paths.GENERATE_RNDC_KEY)
 
 def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name,
reverse_zones, ntp=False, ca_configured=None):
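Review bot: ipautil.run(paths.GENERATE_RNDC_KEY) in __generate_rndc_key passes a bare string, whereas the line it replaces passed a one-element list. Keep the argument-list form, ipautil.run([paths.GENERATE_RNDC_KEY]), so the call has the same shape as before the change.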
-- 
2.5.0

From 9fc6a372c37d5fa0c514de49d262d26130b6bb5c Mon Sep 17 00:00:00 2001
From: Benjamin Drung 
Date: Mon, 5 Oct 2015 15:41:30 +0300
Subject: [PATCH] Fix hyphen-used-as-minus-sign warning (found by lintian)

See https://lintian.debian.org/tags/hyphen-used-as-minus-sign.html for
an explanation.
---
 install/tools/man/ipa-adtrust-install.1   | 2 +-
 install/tools/man/ipa-replica-conncheck.1 | 6 +++---
 install/tools/man/ipa-server-install.1| 2 +-
 ipatests/man/ipa-test-config.1| 4 ++--
 ipatests/man/ipa-test-task.1  | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1
index 2658f1957d1161963bf6af75e5a086a01b95c52f..06378b5983e55bb6c34971b0f5129246f9f14fd3 100644
--- a/install/tools/man/ipa-adtrust-install.1
+++ b/install/tools/man/ipa-adtrust-install.1
@@ -117,7 +117,7 @@ The name of the user with administrative privileges for this IPA server. Default
 \fB\-a\fR, \fB\-\-admin\-password\fR=\fIpassword\fR
 The password of the user with administrative privileges for this IPA server. Will be asked interactively if \fB\-U\fR is not specified.
 .TP
-The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust-add --type=ad' command.
+The credentials of the admin user will be used to obtain Kerberos ticket before configuring cross-realm trusts support and afterwards, to ensure that the ticket contains MS-PAC information required to actually add a trust with Active Directory domain via 'ipa trust\-add \-\-type=ad' command.
 .TP
 \fB\-\-enable\-compat\fR
 Enables support for trusted domains users for old clients through Schema Compatibility plugin.
diff --git a/install/tools/man/ipa-replica-conncheck.1 b/install/tools/man/ipa-replica-conncheck.1
index 566322cf035bbb51d1ba8b14166a1b61375015da..e948d7919c772305ef2f0b5b7b50de2b908ff9e0 100644
--- a/install/tools/man/ipa-replica-conncheck.1
+++ b/install/tools/man/ipa-replica-conncheck.1
@@ -70,13 +70,13 @@ Output only errors
 
 .SH "EXAMPLES"
 .TP
-\fBipa-replica-conncheck -m master.example.com\fR
+\fBipa\-replica\-conncheck \-m master.example.com\fR
 Run a replica machine connection check against a remote master \fImaster.example.com\fR. If the connection to the remote master machine is successful the program will switch to listening mode and prompt for running the master machine part. The second part check the connection from master to replica.
 .TP
-\fBipa-replica-conncheck -R replica.example.com\fR
+\fBipa\-replica\-conncheck \-R replica.example.com\fR
 Run a master machine connection check part. This is either run automatically by replica part of the connection check program (when \fI-a\fR option is set) or manually by the user. A running ipa-replica-conncheck(1) in a listening mode must be already running on a replica 
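Review bot: The unchanged paragraph right after the second fixed example still contains unescaped hyphens, in \fI-a\fR and in ipa-replica-conncheck(1). Since the lines above it are being escaped for the same lintian tag, escape these as well (\fI\-a\fR, ipa\-replica\-conncheck(1)) so the page is consistent.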

[Freeipa-devel] FreeIPA CI tests in Vagrant

2015-10-05 Thread Martin Basti

Hello,

I would like to share my script that allows creating a topology for 
FreeIPA CI tests in Vagrant.
It is a very first "stupid" version and works only with the F22 box. It is useful 
for development.

Script creates Vagrant configuration and CI configuration for YAML.

Machines created by vagrant are named:
controller  (created by default)
master  (created by default)
replica1  (--replicas option)
.
.
replicaN
client1  (--client option)
.
.
clientM

The script is available here https://github.com/bastiak/ipa-devel-tools

Required packages: vagrant vagrant-libvirt PyYAML

Usage:
$ python3 ipa-vagrant-ci-topology-create.py ci-test --replicas 1 --clients 1

$ python3 ipa-vagrant-ci-topology-create.py -h
Use --help for more options

It creates a directory structure in the current location
.
├── ci-test
│   ├── controller_rsa  # generated private key for controller
│   ├── controller_rsa.pub  # generated public key for controller (needed by CI tests)
│   ├── ipa-test-config.yaml  # generated configuration for CI tests
│   ├── provisioning  # currently empty dir, but I have big plans with it :)
│   ├── rpms  # custom RPMs that will be installed on all machines
│   └── Vagrantfile  # generated configuration file for Vagrant

$ cd ci-test

$ vagrant up
$ vagrant ssh [controller|master|replica1|...]  (by default it opens a connection to the controller machine)
$ IPATEST_YAML_CONFIG=/vagrant/ipa-test-config.yaml ipa-run-tests test_integration/test_simple_replication.py  # configuration file is located in /vagrant directory

$ logout
$ vagrant destroy


Martin


Re: [Freeipa-devel] [PATCHES] from Debian

2015-10-05 Thread Timo Aaltonen
On 05.10.2015 16:37, Martin Basti wrote:
> 
> 
> On 10/05/2015 03:31 PM, Simo Sorce wrote:
>> On 05/10/15 09:08, Timo Aaltonen wrote:
>>>
>>> Hi
>>>
>>>Here are a few prep patches to get off the list before getting to
>>> discuss how to add Debian platform support..
>>>
>>
>> LGTM.
>>
>> Simo.
>>
>>
> 
> IMO this should be written in this way (I didn't test)
> 
> ipautil.run([paths.GENERATE_RNDC_KEY])

Yes you're right, here's an updated version.



-- 
t
From 49f2158b4be10b3e82392eda55909f94ee581c1a Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Sat, 3 Oct 2015 11:40:15 +0300
Subject: [PATCH] paths: Add GENERATE_RNDC_KEY.

---
 ipaplatform/base/paths.py | 1 +
 ipaserver/install/bindinstance.py | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index a272143d0053451c017c0df613951cc0e6d52c54..0d2c4c17769ef643ba2d6c9991d910cf6e00858d 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -210,6 +210,7 @@ class BasePathNamespace(object):
 DOGTAG_IPA_CA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"
 DOGTAG_IPA_RENEW_AGENT_SUBMIT = "/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit"
 IPA_SERVER_GUARD = "/usr/libexec/certmonger/ipa-server-guard"
+GENERATE_RNDC_KEY = "/usr/libexec/generate-rndc-key.sh"
 IPA_DNSKEYSYNCD_REPLICA = "/usr/libexec/ipa/ipa-dnskeysync-replica"
 IPA_DNSKEYSYNCD = "/usr/libexec/ipa/ipa-dnskeysyncd"
 IPA_ODS_EXPORTER = "/usr/libexec/ipa/ipa-ods-exporter"
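Review bot: GENERATE_RNDC_KEY is added to BasePathNamespace without a comment, and the commit message has a subject line but no body. A sentence in the message saying which platform needs to override this path, and why the hardcoded value in bindinstance.py was a problem, would make the change self-explanatory in the history.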
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 771f13b00e37a6bf510ff46fe880240c84356761..9a9ef1af8a7b1cf438994489c895aec37102547b 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -1002,7 +1002,7 @@ class BindInstance(service.Service):
 
 def __generate_rndc_key(self):
 installutils.check_entropy()
-ipautil.run(['/usr/libexec/generate-rndc-key.sh'])
+ipautil.run([paths.GENERATE_RNDC_KEY])
 
 def add_master_dns_records(self, fqdn, ip_addresses, realm_name, domain_name,
reverse_zones, ntp=False, ca_configured=None):
-- 
2.5.0


Re: [Freeipa-devel] [patch 0021] Include ipatests/test_xmlrpc/data directory into distribution

2015-10-05 Thread Martin Basti



On 10/05/2015 01:45 PM, Milan Kubík wrote:
Adds ipatests/test_xmlrpc/data directory and its content into package. 
The files are needed for certprofile (and CA ACL) tests.

Patch attached.




ACK

Pushed to:
master: dbfdc1d39b7917236270fe4dff6caf0ccb5cd04c
ipa-4-2: c99e0aa6fda2bbbfdd871f78ef246641dee3626c


Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-05 Thread Endi Sukma Dewata

On 10/5/2015 8:47 AM, Simo Sorce wrote:

2. The second attempt after re-enrolling client resulted in the error of
CA installation:

Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded

   [4/24]: creating installation admin user
   [5/24]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpHAJVFG'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more
information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA
configuration failed.


This is due to the known bug with authentication in Dogtag. Endy fixed
it upstream.

Endy,
do you know when the bug will be released in a package we can use for
testing ?


Here is the bug: https://fedorahosted.org/pki/ticket/1580

I don't think we're ready for a Dogtag 10.3 build, so we may need to 
cherry-pick it to 10.2.x. I'll check with Matt.


--
Endi S. Dewata



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-05 Thread Simo Sorce

On 05/10/15 09:42, Oleg Fayans wrote:

Hi Jan, Simo

On 10/05/2015 02:15 PM, Jan Pazdziora wrote:

On Thu, Oct 01, 2015 at 04:33:28PM +0200, Oleg Fayans wrote:


1.
Having PTR sync enabled in global DNS configuration and installing
client
with --enable-dns-updates option, ipa master still does not create a PTR
record for the client machine. As a result, ipa-replica-install
throws the
following error:

ipa : ERROR Reverse DNS resolution of address 192.168.122.171
(f22replica1.pesen.net) failed. Clients may not function properly.
Please
check your DNS setup. (Note that this check queries IPA DNS directly and
ignores /etc/hosts.)


I believe you also need to have the PTR sync enabled in the forward zone
(pesen.net).



Today I was unable to reproduce this issue with just PTR sync enabled in
global dns configuration. I wonder, what might have caused it. Anyway,
today I hit a number of other issues with replica promotion.

1. At one point ipa-replica-install on a configured client has thrown
the following error:

Configuring ipa-custodia
   [1/5]: Generating ipa-custodia config file
   [2/5]: Generating ipa-custodia keys
   [3/5]: Importing RA Key
   [error] HTTPError: 502 Server Error: Proxy Error
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR 502 Server
Error: Proxy Error

(corresponding part of the error log of dirsrv attached)


Seems like the peer server was unreachable?
Was there a networking problem?


2. The second attempt after re-enrolling client resulted in the error of
CA installation:

Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded

   [4/24]: creating installation admin user
   [5/24]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f'
'/tmp/tmpHAJVFG'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL
/var/log/pki/pki-tomcat
   [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA
configuration failed.


This is due to the known bug with authentication in Dogtag. Endy fixed 
it upstream.


Endy,
do you know when the bug will be released in a package we can use for 
testing ?



Weird thing is that mentioned log files were missing in the system.

3. This is probably not related to replica promotions, but anyway:
when I do `ipa host-del --updatedns %client_hostname%` on master, it
does delete the host, but *preserves* dns records (in both zones).
Is --updatedns option not aimed at automatic deletion of dns records?


I do not know that it does help, but I tend to use --force when deleting 
a failed replica.


Simo.

--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHES] from Debian

2015-10-05 Thread Simo Sorce

On 05/10/15 09:08, Timo Aaltonen wrote:


Hi

   Here are a few prep patches to get off the list before getting to
discuss how to add Debian platform support..



LGTM.

Simo.


--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHSET] Replica promotion patches

2015-10-05 Thread Oleg Fayans

Hi Jan, Simo

On 10/05/2015 02:15 PM, Jan Pazdziora wrote:

On Thu, Oct 01, 2015 at 04:33:28PM +0200, Oleg Fayans wrote:


1.
Having PTR sync enabled in global DNS configuration and installing client
with --enable-dns-updates option, ipa master still does not create a PTR
record for the client machine. As a result, ipa-replica-install throws the
following error:

ipa : ERROR Reverse DNS resolution of address 192.168.122.171
(f22replica1.pesen.net) failed. Clients may not function properly. Please
check your DNS setup. (Note that this check queries IPA DNS directly and
ignores /etc/hosts.)


I believe you also need to have the PTR sync enabled in the forward zone
(pesen.net).



Today I was unable to reproduce this issue with just PTR sync enabled in 
global dns configuration. I wonder, what might have caused it. Anyway, 
today I hit a number of other issues with replica promotion.


1. At one point ipa-replica-install on a configured client has thrown 
the following error:


Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Generating ipa-custodia keys
  [3/5]: Importing RA Key
  [error] HTTPError: 502 Server Error: Proxy Error
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR 502 Server 
Error: Proxy Error


(corresponding part of the error log of dirsrv attached)

2. The second attempt after re-enrolling client resulted in the error of 
CA installation:


Starting replication, please wait until this has completed.
Update in progress, 7 seconds elapsed
Update succeeded

  [4/24]: creating installation admin user
  [5/24]: setting up certificate server
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to 
configure CA instance: Command ''/usr/sbin/pkispawn' '-s' 'CA' '-f' 
'/tmp/tmpHAJVFG'' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the 
installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki-ca-install.log
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL 
/var/log/pki/pki-tomcat

  [error] RuntimeError: CA configuration failed.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR CA 
configuration failed.


Weird thing is that mentioned log files were missing in the system.

3. This is probably not related to replica promotions, but anyway:
when I do `ipa host-del --updatedns %client_hostname%` on master, it 
does delete the host, but *preserves* dns records (in both zones).

Is --updatedns option not aimed at automatic deletion of dns records?

--
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=computers,cn=compat,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=ng,cn=compat,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
ou=sudoers,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=users,cn=compat,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=vaults,cn=kra,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target 
cn=ad,cn=etc,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:45 -0400] NSACLPlugin - The ACL target cn=casigningcert 
cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=pesen,dc=net does not exist
[05/Oct/2015:04:08:46 -0400] NSACLPlugin - The ACL target cn=automember rebuild 
membership,cn=tasks,cn=config does not exist
[05/Oct/2015:04:08:46 

Re: [Freeipa-devel] [PATCHES 0069-0077] support for proper Kerberos principal canonicalization

2015-10-05 Thread Simo Sorce

On 05/10/15 09:00, Martin Babinsky wrote:

These patches implement the plumbing required to properly support
canonicalization of Kerberos principals (
https://fedorahosted.org/freeipa/ticket/3864).

Setting multiple principal aliases on hosts/services is beyond the scope
of this patchset and should be done after these patches are pushed.

I will try to send some tests for the patches later this week.

Please review the hell out of them.


LGTM, I do not see any issue at quick visual inspection.
What about the performance regression with the indexes ? Is that bug 
fixed in 389ds ?


Simo.


--
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-devel] [PATCHES] from Debian

2015-10-05 Thread Timo Aaltonen
On 05.10.2015 16:08, Timo Aaltonen wrote:
> 
>   Hi
> 
>   Here are a few prep patches to get off the list before getting to
> discuss how to add Debian platform support..

Here's one more.



-- 
t
From 65df37b7b31c0689e452112130236c3fe43971a2 Mon Sep 17 00:00:00 2001
From: Timo Aaltonen 
Date: Mon, 5 Oct 2015 17:37:49 +0300
Subject: [PATCH] httpinstance: Replace a hardcoded path to password.conf with
 HTTPD_PASSWORD_CONF

---
 ipaserver/install/httpinstance.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
index 4269d3697c1fb17ddb4b3c69a1b41c51c9daf713..ee4853a3f9a8a42bd050fd8b208fc2419c323512 100644
--- a/ipaserver/install/httpinstance.py
+++ b/ipaserver/install/httpinstance.py
@@ -244,7 +244,7 @@ class HTTPInstance(service.Service):
 installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False)
 
 def __set_mod_nss_passwordfile(self):
-installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:/etc/httpd/conf/password.conf')
+installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSPassPhraseDialog', 'file:' + paths.HTTPD_PASSWORD_CONF)
 
 def __add_include(self):
 """This should run after __set_mod_nss_port so is already backed up"""
-- 
2.5.0
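
Review bot: the new 'file:' + paths.HTTPD_PASSWORD_CONF argument in __set_mod_nss_passwordfile depends on a constant that this patch does not add (the diffstat lists only httpinstance.py), so please confirm that HTTPD_PASSWORD_CONF is already defined in the platform paths and resolves to /etc/httpd/conf/password.conf on the existing platforms, so that the NSSPassPhraseDialog value written to HTTPD_NSS_CONF stays the same there. The commit message also has no body; one sentence stating that the change is a no-op on current platforms and only lets other platforms override the path would make that intent reviewable.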


Re: [Freeipa-devel] [PATCHES] from Debian

2015-10-05 Thread Martin Basti



On 10/05/2015 03:31 PM, Simo Sorce wrote:
> On 05/10/15 09:08, Timo Aaltonen wrote:
> >
> > Hi
> >
> >    Here are a few prep patches to get off the list before getting to
> > discuss how to add Debian platform support..
>
> LGTM.
>
> Simo.

IMO this should be written in this way (I didn't test)

ipautil.run([paths.GENERATE_RNDC_KEY])

Martin




[Freeipa-devel] Remaining issues before adding Debian platform support

2015-10-05 Thread Timo Aaltonen

Hi

  I'm not sure if the goal is to be able to build IPA on Debian from
git/tarballs, but here's a list of what would need to be fixed first to
get there:

- places where usernames have been hardcoded need something like
ipaplatform/base/paths.py:
  apache -> www-data in:
  * ipaserver/install/httpinstance.py
  * ipaserver/install/ipa_server_certinstall.py
  * ipaserver/install/cainstance.py
  * ipaserver/install/certs.py
  named -> bind in:
  * ipaserver/install/bindinstance.py

- config/service files that use hardcoded paths in them need to be moved
to a template, and use paths.py macros:
  * install/conf/ipa.conf
  * init/systemd/ipa_memcached.service

- same but with hardcoded usernames
  * init/ipa_memcached.conf

- ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss"
because libapache2-mod-nss doesn't enable it on install (can't remember
why, but there was a good reason..)

- various places using Fedora-specific libpaths (/usr/lib vs.
/usr/lib64), whereas on Debian these are /usr/lib/, see
https://wiki.debian.org/Multiarch/Tuples
  * ipaserver/install/ldapupdate.py
  * ipapython/certmonger.py
  * ipaserver/install/certs.py
  * ipaserver/install/ipa_backup.py
  * ipaserver/install/ipa_restore.py

- ntp daemon defaults use a different variable name (OPTIONS vs
NTPD_OPTS), and quotes (" vs. ')
  * ipaserver/install/ntpinstance.py

- "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an
absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have
'conf.d' on Fedora and then conf-enabled on Debian

- install/share/bind.named.conf.template needs to drop the default zone
on Debian, since that's already configured via includes (-> bind fails
to start), so a template file with an exception for Debian would fix it

- Makefile needs to use --install-layout=deb for setup.py

- ipa-client/ipa-install/ipa-client-automount needs to check for
variable named 'NEED_GSSD' on Debian, so ipaplatform/base/vars.py? (same
for NTPD_OPTS)


There.. that should be all I think :) Oh, forgot that currently dnssec
needs to be disabled by some heavy patching, because 9.10.x isn't
packaged yet..


-- 
t



Re: [Freeipa-devel] [PATCH] 0197 client referral support for trusted domain principal

2015-10-05 Thread Sumit Bose
On Thu, Sep 03, 2015 at 06:22:05PM +0300, Alexander Bokovoy wrote:
> On Thu, 03 Sep 2015, Alexander Bokovoy wrote:
> >Hi,
> >
> >attached patch adds support for issuing client referrals when FreeIPA
> >KDC is asked to give a TGT for a principal from a trusted forest.
> >
> >We return a matching forest name as a realm and KDC then returns an
> >error pointing a client to a direction of that realm. You can see how it
> >looks with http://fpaste.org/263064/14412849/ -- it shows behavior for
> >both 'kinit -E -C' and 'kinit -E'.
> >
> >Note that current MIT Kerberos KDC has a bug that prevents us from
> >responding with a correct client referral. A patched version for Fedora
> >22 is available in COPR abbra/krb5-test, a fix to upstream krb5 is
> >https://github.com/krb5/krb5/pull/323/ and I'm working on filing bugs to
> >Fedora and RHEL versions.
> >
> >With the version in my abbra/krb5-test COPR you can test the patch with
> >the help of kinit like fpaste URL above shows.
> After discussing with Simo and Sumit, here is updated patch that
> operates directly on 'search_for' krb5_principal and avoids
> strchr()/strrchr() and additional memory allocations -- it uses
> memrchr() to find '@' in the last component of the search_for principal
> and considers the part of the component after '@' as an enterprise realm
> to check.

The patch looks good and works as advertised. I've tested in an IPA
domain which trusts two different forests. All requests to the forest
roots and child domains were properly redirected. I tested with your
krb5 test build and with MIT Kerberos 1.14 which contains the needed
fix.

Nevertheless there are a few points I want to discuss:

- missing support for AD's Alternative Domain Suffixes, this is
  important to allow AD users to log in with their "Email-Address"
  (which is the typical reference for a user name with an alternative
  domain suffix). I think this is not strictly related to the given
  ticket, so it can be solved in the context of a new ticket, do you
  agree?

- referrals from outside. If I call 'kinit -E admin@IPA.DOMAIN' from a
  client in a trusted AD forest I get a 'Client not found in database'
  error because AD tends to use lower case domain names in the referral
  response. The request is still properly sent to the IPA KDC because
  DNS does not care about the case. The IPA KDC processes the request
  with the principal 'user\@IPA.DOMAIN@ipa.domain' until
  ipadb_is_princ_from_trusted_realm() returns KRB5_KDB_NOENTRY because
  it detects that the principal is from the local realm. I think it
  would be good to enhance your patch to handle this case.

- S4U2Self. MIT Kerberos 1.14 can now properly handle S4U2Self across
  domain and forest boundaries (I tested this in a setup with 2 AD
  forests with request going from a child domain to a child domain in
  the other forest). Unfortunately it is currently not working with IPA
  in either direction (I guess the case issue from above might be the
  reason for the incoming request to fail). Here I think a new ticket
  would be good as well because some research might be needed and the
  issue might even be in the MIT code. (If you want to run some tests I
  can give you access to my test environment.)

Let me know if you prefer to handle the issues with other tickets, then
I would ACK the patch as it is.

bye,
Sumit

> 
> -- 
> / Alexander Bokovoy
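
The realm check discussed in this message and in the quoted patch description, as an added example that is not part of the thread and is not FreeIPA's code: it takes the last component of an enterprise principal as a length-counted buffer, finds the final '@' by scanning backwards (a portable stand-in for the GNU memrchr() call mentioned above), and compares the realm part case-insensitively against a local realm and a list of trusted realms, since the message notes that AD tends to send lower-case domain names. The realm names, the function names and the choice of case-insensitive matching are assumptions made for the example.

```c
#include <ctype.h>
#include <string.h>

enum realm_class { REALM_NONE, REALM_LOCAL, REALM_TRUSTED, REALM_UNKNOWN };

/* Constructed configuration for the example; not taken from FreeIPA. */
static const char *LOCAL_REALM = "IPA.DOMAIN";
static const char *TRUSTED_REALMS[] = { "AD.EXAMPLE", "CHILD.AD.EXAMPLE" };

/* Portable stand-in for GNU memrchr(buf, '@', len). */
static const char *last_at(const char *buf, size_t len) {
    while (len > 0)
        if (buf[--len] == '@')
            return buf + len;
    return NULL;
}

/* Case-insensitive match of a length-counted realm against a C string. */
static int realm_eq(const char *r, size_t rlen, const char *name) {
    if (strlen(name) != rlen)
        return 0;
    for (size_t i = 0; i < rlen; i++)
        if (tolower((unsigned char)r[i]) != tolower((unsigned char)name[i]))
            return 0;
    return 1;
}

/* Classify the text after the last '@' of the final principal component.
 * On a match, *canonical is set to the configured spelling of the realm. */
enum realm_class classify_enterprise_realm(const char *comp, size_t len,
                                           const char **canonical) {
    const char *at = last_at(comp, len);
    *canonical = NULL;
    if (at == NULL || at == comp || at == comp + len - 1)
        return REALM_NONE;               /* no '@', or an empty side */
    size_t rlen = len - (size_t)(at + 1 - comp);
    if (realm_eq(at + 1, rlen, LOCAL_REALM)) {
        *canonical = LOCAL_REALM;
        return REALM_LOCAL;              /* local lookup, no referral */
    }
    for (size_t i = 0; i < sizeof TRUSTED_REALMS / sizeof *TRUSTED_REALMS; i++)
        if (realm_eq(at + 1, rlen, TRUSTED_REALMS[i])) {
            *canonical = TRUSTED_REALMS[i];
            return REALM_TRUSTED;        /* candidate for a client referral */
        }
    return REALM_UNKNOWN;
}
```

Because the buffer is never treated as a C string, the function also works on components that are not NUL-terminated, which is how a length-counted principal component is normally handed around.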



Re: [Freeipa-devel] Remaining issues before adding Debian platform support

2015-10-05 Thread Martin Basti



On 10/05/2015 05:00 PM, Timo Aaltonen wrote:
> Hi
>
>    I'm not sure if the goal is to be able to build IPA on Debian from
> git/tarballs, but here's a list of what would need to be fixed first to
> get there:
>
> - places where usernames have been hardcoded need something like
> ipaplatform/base/paths.py:
>    apache -> www-data in:
>    * ipaserver/install/httpinstance.py
>    * ipaserver/install/ipa_server_certinstall.py
>    * ipaserver/install/cainstance.py
>    * ipaserver/install/certs.py

this can be extracted to ipaplatform/base/constants.py

>    named -> bind in:
>    * ipaserver/install/bindinstance.py

this is quite tricky,
for named_user the right location is ipaplatform/base/constants.py

for service, you can look in ipaplatform/redhat/services.py, there is
already a mapping of named to named.pkcs11, we can do something similar in
debian platform specification, debian_system_units['named'] = 'bind.service'
However if you want to replace named with bind completely, it requires
much more changes.

> - config/service files that use hardcoded paths in them need to be moved
> to a template, and use paths.py macros:
>    * install/conf/ipa.conf
>    * init/systemd/ipa_memcached.service
>
> - same but with hardcoded usernames
>    * init/ipa_memcached.conf

A discussion with other developers is needed on how to resolve these files

> - ipaserver/install/httpinstance.py needs to run "a2enmod/a2dismod nss"
> because libapache2-mod-nss doesn't enable it on install (can't remember
> why, but there was a good reason..)

We did installer changes, Honza may know if this is possible.

> - various places using Fedora-specific libpaths (/usr/lib vs.
> /usr/lib64), whereas on Debian these are /usr/lib/, see
> https://wiki.debian.org/Multiarch/Tuples

I might be wrong, but I found different issues:

>    * ipaserver/install/ldapupdate.py

this affects update files, and the same issue is for ldif files
We can replace path '/var/lib(64)' with substitute variable in those
files, and create a platform specific method to determine the correct
path, or just substitute with value from ipaplatform/base/paths

>    * ipapython/certmonger.py
>    * ipaserver/install/certs.py
>    * ipaserver/install/ipa_backup.py
>    * ipaserver/install/ipa_restore.py

Here for libpath we can use ipaplatform task.py or path.py if it is enough
The occurrences of /var/lib/ipa/backup should be in ipaplatform/paths

> - ntp daemon defaults use a different variable name (OPTIONS vs
> NTPD_OPTS), and quotes (" vs. ')
>    * ipaserver/install/ntpinstance.py

IMO here also default pools should be extracted to constants as a list of
ntp servers per platform.

OPTIONS can be extracted to ipaplatform/constants.py
Probably the " or ' issue can be handled in the same way

> - "Include conf.d/ipa-rewrite.conf" in httpinstance.py needs to use an
> absolute path with HTTPD_CONF_D, or HTTPD_CONF_D repurposed to only have
> 'conf.d' on Fedora and then conf-enabled on Debian

ok

> - install/share/bind.named.conf.template needs to drop the default zone
> on Debian, since that's already configured via includes (-> bind fails
> to start), so a template file with an exception for Debian would fix it

The solution here can be augeas, but I'm not sure if we will be able to
move to augeas soon enough.

This is the same issue as with ipa.conf

> - Makefile needs to use --install-layout=deb for setup.py
>
> - ipa-client/ipa-install/ipa-client-automount needs to check for
> variable named 'NEED_GSSD' on Debian, so ipaplatform/base/vars.py? (same
> for NTPD_OPTS)

Leaving this for others.

> There.. that should be all I think :) Oh, forgot that currently dnssec
> needs to be disabled by some heavy patching, because 9.10.x isn't
> packaged yet..

I'm willing to send a patch to disable DNSSEC installation if you want.
Is there a chance to get 9.10.x with pkcs11 support?
Can you please open a ticket?

Thank you for this investigation
Martin^2



Re: [Freeipa-devel] [PATCHES] from Debian

2015-10-05 Thread Martin Basti



On 10/05/2015 03:41 PM, Timo Aaltonen wrote:
> On 05.10.2015 16:37, Martin Basti wrote:
> > On 10/05/2015 03:31 PM, Simo Sorce wrote:
> > > On 05/10/15 09:08, Timo Aaltonen wrote:
> > > >  Hi
> > > >
> > > > Here are a few prep patches to get off the list before getting to
> > > > discuss how to add Debian platform support..
> > >
> > > LGTM.
> > >
> > > Simo.
> >
> > IMO this should be written in this way (I didn't test)
> >
> > ipautil.run([paths.GENERATE_RNDC_KEY])
>
> Yes you're right, here's an updated version.

ACK

Pushed to master: 7059117ec32bfad8ec802d472b0f7d2b6cb12d2a
