Re: [Freeipa-devel] [PATCH 562-563] Fix ipa-sam to use the getkeytab control instead of the setkeytab control
On Thu, 03 Dec 2015, Simo Sorce wrote:
> The first patch is preparatory and is needed in general now that we want to allow alias and use krbCanonicalName as the canonical name when multiple values are available in krbPrincipalName.
>
> The second patch changes slightly how the interdomain trust account is created so that the getkeytab control can generate the proper key (with the right salt) for interop reasons with AD.
>
> The change should be upgrade safe because keys are generated at account creation so older accounts lacking the alias won't be a problem.
>
> Fixes #5495

This patchset seems to fall through cracks -- it was ACKed but not committed.

--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Should we split up ipa-client?
Hi,

On 13.1.2016 13:03, Martin Babinsky wrote:
> On 01/13/2016 11:34 AM, Petr Viktorin wrote:
>> Hello,
>>
>> I'm planning to port the ipa-client to Python 3, and I'm likely to end up shaking out some dusty corners of the codebase, rather than doing the minimal amount of work :) So I'd like to get your opinions before I commit significant time to this.
>>
>> I think it would be beneficial to split ipa-client to better match both how it's put in the RPMs these days, and how the rest of IPA is organized. (And, to stop using autotools to "build" Python libraries...)
>>
>> The resulting structure could look like this:
>>
>> ipaclient/
>> - *.py
>> - setup.py

+1

>> client-tools/
>> - man/*
>> - *.c
>> - *.h
>> - all the automake stuff
>> - current contents of ipa-install (Python scripts that go in /usr/sbin)

I would rather s/client-tools/client/, as this stuff goes into the freeipa-*client* subpackage.

I'm not sure if this is what you are suggesting or not, but I would like the man page files to be in the same directory as the corresponding source code files.

>> Removed:
>> - ipa-client.spec.in (included in freeipa.spec.in)
>> - NEWS (empty)
>> - README (entirely outdated)

+1

>> Does this look like a reasonable direction to explore?
>
> Makes sense to me, this kind of work would be needed during client installer refactoring anyway (also, using autotools for python module installation hurts my brain a lot).

Honza

--
Jan Cholasta
Re: [Freeipa-devel] [TEST] Workaround for ticket N 5559
On 13.1.2016 18:13, Martin Basti wrote:
>
> On 08.01.2016 10:12, Oleg Fayans wrote:
>> Passes lint, fixes an issue with replica installation failures due to
>> absence of corresponding reverse zone on master.
>
> NACK
>
> [ipa.ipatests.test_integration.host.Host.master.ParamikoTransport] RUN ['ipa', 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101', '--ptr-hostname=master.ipa.test.']
> [ipa.ipatests.test_integration.host.Host.master.cmd21] RUN ['ipa', 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101', '--ptr-hostname=master.ipa.test.']
> [ipa.ipatests.test_integration.host.Host.master.cmd21] ipa: ERROR: DNS is not configured
> [ipa.ipatests.test_integration.host.Host.master.cmd21] Exit code: 2

Also, we did not manage to reproduce the problem described in ticket #5559 with latest master for IPA and bind-dyndb-ldap devel branch, so it might not be necessary to spend more time on this.

--
Petr^2 Spacek
[Freeipa-devel] [PATCH 0402] Warn user about possibility to loss CA, KRA, DNSSEC master during uninstall
https://fedorahosted.org/freeipa/ticket/5544 Patch attached. From a882c48058cca2564265546e557e9d7d542a9553 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 13 Jan 2016 17:27:06 +0100 Subject: [PATCH] Warn about potential loss of CA, KRA, DNSSEC during uninstall If connection do LDAP failed (or LDAP server is down) we cannot verify if there is any additonal instance of CA, KRA, DNSSEC master. In this case a user is warned and promted to confirm uninstallation. https://fedorahosted.org/freeipa/ticket/5544 --- ipaserver/install/server/install.py | 12 +++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 8a57886cd91bc4dbb06d30b457844499d3ff6cec..49e97eb667a322898acc3a064f4eae5381ded918 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -1078,8 +1078,18 @@ def uninstall_check(installer): msg = ("\nWARNING: Failed to connect to Directory Server to find " "information about replication agreements. Uninstallation " "will continue despite the possible existing replication " - "agreements.\n\n") + "agreements.\n\n" + "If this server is the last instance of CA, KRA, or DNSSEC " + "master, uninstallation may result in data loss.\n\n" +) print(textwrap.fill(msg, width=80, replace_whitespace=False)) + +if (installer.interactive and not user_input( +"Are you sure you want to continue with the uninstall " +"procedure?", False)): +print("") +print("Aborting uninstall operation.") +sys.exit(1) else: dns.uninstall_check(options) -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
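Review bot: the new confirmation in the `except` branch only fires when `installer.interactive` is true, so an unattended uninstall still proceeds past the data-loss warning with nothing but the printed text; if that is intended, the commit message should say so, otherwise the non-interactive path needs its own explicit acknowledgement. The warning that precedes the prompt also still reads "Uninstallation will continue despite the possible existing replication agreements", which contradicts the "Are you sure you want to continue with the uninstall procedure?" question that now follows it in interactive mode; rewording the first sentence to say the agreements could not be verified keeps both consistent. Finally, the hunk calls `sys.exit(1)` and `user_input(...)` but shows no import context, so verify both names are already available in install.py.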
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 13.01.2016 17:59, Rob Crittenden wrote:
> Martin Babinsky wrote:
>> fixes https://fedorahosted.org/freeipa/ticket/5584
>>
>> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>>
>> If you think this approach is not optimal please propose an alternative solution.
>
> You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.
>
> If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to dereference the ticket).
>
> rob

NACK

Traceback (most recent call last):
  File "./makeapi", line 459, in <module>
    sys.exit(main())
  File "./makeapi", line 430, in main
    api.finalize()
  File "/root/freeipa/ipalib/plugable.py", line 658, in finalize
    self.__do_if_not_done('load_plugins')
  File "/root/freeipa/ipalib/plugable.py", line 372, in __do_if_not_done
    getattr(self, name)()
  File "/root/freeipa/ipalib/plugable.py", line 536, in load_plugins
    self.import_plugins(module)
  File "/root/freeipa/ipalib/plugable.py", line 574, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib64/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/root/freeipa/ipalib/plugins/baseuser.py", line 33, in <module>
    from ipapython.ipautil import ipa_generate_password
  File "/root/freeipa/ipapython/ipautil.py", line 49, in <module>
    from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Traceback (most recent call last):
  File "./makeaci", line 35, in <module>
    from ipapython.ipaldap import LDAPClient
  File "/root/freeipa/ipapython/ipaldap.py", line 41, in <module>
    from ipapython.ipautil import (
  File "/root/freeipa/ipapython/ipautil.py", line 49, in <module>
    from ipaclient.ipachangeconf import IPAChangeConf
ImportError: No module named ipaclient.ipachangeconf
Makefile:138: recipe for target 'version-update' failed
Re: [Freeipa-devel] [TEST] Workaround for ticket N 5559
On 08.01.2016 10:12, Oleg Fayans wrote:
> Passes lint, fixes an issue with replica installation failures due to absence of corresponding reverse zone on master.

NACK

[ipa.ipatests.test_integration.host.Host.master.ParamikoTransport] RUN ['ipa', 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101', '--ptr-hostname=master.ipa.test.']
[ipa.ipatests.test_integration.host.Host.master.cmd21] RUN ['ipa', 'dnsrecord-add', '129.168.192.in-addr.arpa.', '101', '--ptr-hostname=master.ipa.test.']
[ipa.ipatests.test_integration.host.Host.master.cmd21] ipa: ERROR: DNS is not configured
[ipa.ipatests.test_integration.host.Host.master.cmd21] Exit code: 2
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
Martin Babinsky wrote:
> fixes https://fedorahosted.org/freeipa/ticket/5584
>
> In order to ensure consistent behavior with ipa-client-install, I opted
> to reuse the configure_openldap_conf() function and restoring the config
> from client sysrestore before modifying it.
>
> If you think this approach is not optimal please propose an alternative
> solution.

You could also just do an action set on URI to change the value, right? It would need a new function but it would be very small.

If you do end up keeping this I'd want a new commit message for moving the code to include why you're moving it (to avoid the need to dereference the ticket).

rob
Re: [Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
On 01/13/2016 05:42 PM, Martin Babinsky wrote:
> fixes https://fedorahosted.org/freeipa/ticket/5584
>
> In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it.
>
> If you think this approach is not optimal please propose an alternative solution.

messed up the mail again oh well. This is the correct ticket URL: https://fedorahosted.org/freeipa/ticket/5488

--
Martin^3 Babinsky
[Freeipa-devel] [PATCH 0126-0127] reset openldap client config to point to freshly promote replica
fixes https://fedorahosted.org/freeipa/ticket/5584 In order to ensure consistent behavior with ipa-client-install, I opted to reuse the configure_openldap_conf() function and restoring the config from client sysrestore before modifying it. If you think this approach is not optimal please propose an alternative solution. -- Martin^3 Babinsky From 7850644ce33c213d362b0ba61b866e1c240a6fb1 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 13 Jan 2016 17:11:05 +0100 Subject: [PATCH 2/2] reset ldap.conf to point to newly installer replica after promotion When promoting a client to replica reset openldap client config so that it no longer uses remote master as default LDAP hosts but uses local connection to replica. Also make sure that the behavior regarding editing of user-customized config is consistent with the client installer. https://fedorahosted.org/freeipa/ticket/5488 --- ipaserver/install/server/replicainstall.py | 22 ++ 1 file changed, 22 insertions(+) diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py index 7edee88e101ff59b516c97934e201bed69671cdb..adeae8ee2026b707ad64ec91f236ad1bd5fc4840 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py 
@@ -412,6 +412,27 @@ def uninstall_client(): print() +def promote_openldap_conf(basedn, hostname): +""" +set ldap.conf file so that URI directive points to the replica being +promoted. Restore the original file first so that any user settings are +not touched. + +:param basedn: LDAP base DN +:param hostname: hostname of replica being promoted +""" + +client_fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE, + paths.SYSRESTORE_INDEX) +ldap_conf = paths.OPENLDAP_LDAP_CONF +root_logger.debug("Configuring {}".format(ldap_conf)) + +if client_fstore.has_file(ldap_conf): +client_fstore.restore_file(ldap_conf) + +ipautil.configure_openldap_conf(client_fstore, basedn, [hostname]) + + def promote_sssd(host_name): sssdconfig = SSSDConfig.SSSDConfig() sssdconfig.import_config() @@ -1373,6 +1394,7 @@ def promote(installer): custodia.import_dm_password(config.master_host_name) promote_sssd(config.host_name) +promote_openldap_conf(api.env.basedn, config.host_name) # Switch API so that it uses the new servr configuration server_api = create_api(mode=None) -- 2.5.0 From e308f22601f78da14e9486da4c7cc63c906a5df7 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Wed, 13 Jan 2016 17:10:18 +0100 Subject: [PATCH 1/2] ipa client: move configure_openldap_conf to ipapython.ipautil https://fedorahosted.org/freeipa/ticket/5488 --- ipa-client/ipa-install/ipa-client-install | 59 +- ipapython/ipautil.py | 61 +++ 2 files changed, 62 insertions(+), 58 deletions(-) diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install index af8d27bd0da9b847fef917d3bcc2ebd1837c5fb0..b774e14e8a672b8bd426aa4c46c4f9db79fea559 100755 --- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install 
@@ -980,63 +980,6 @@ def configure_nslcd_conf(fstore, cli_basedn, cli_realm, cli_domain, cli_server, return (0, 'NSLCD', ', '.join(files)) -def configure_openldap_conf(fstore, cli_basedn, cli_server): -ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer") -ldapconf.setOptionAssignment((" ", "\t")) - -opts = [{'name':'comment', 'type':'comment', -'value':' File modified by ipa-client-install'}, -{'name':'empty', 'type':'empty'}, -{'name':'comment', 'type':'comment', -'value':' We do not want to break your existing configuration, ' -'hence:'}, -# this needs to be kept updated if we change more options -{'name':'comment', 'type':'comment', -'value':' URI, BASE and TLS_CACERT have been added if they ' -'were not set.'}, -{'name':'comment', 'type':'comment', -'value':' In case any of them were set, a comment with ' - 'trailing note'}, -{'name':'comment', 'type':'comment', -'value':' "# modified by IPA" note has been inserted.'}, -{'name':'comment', 'type':'comment', -'value':' To use IPA server with openLDAP tools, please comment ' -'out your'}, -{'name':'comment', 'type':'comment', -'value':' existing configuration for these options and ' -'uncomment the'}, -{'name':'comment', 'type':'comment', -'value':' corresponding lines generated by IPA.'}, -{'name':'empty', 'type':'empty'}
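Review bot: moving `configure_openldap_conf` into `ipapython/ipautil.py` carries its first line `ldapconf = ipaclient.ipachangeconf.IPAChangeConf("IPA Installer")` along with it, so ipapython now imports from ipaclient, the package that itself builds on ipapython; the `ImportError: No module named ipaclient.ipachangeconf` reported when running makeapi and makeaci is this circular dependency surfacing. Either move IPAChangeConf down to ipapython together with the function, or leave the function in ipaclient and import it from there in replicainstall.py. As Rob asked, the commit message for this move should also state why the code is being moved rather than pointing only at the ticket.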
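Review bot: in the `promote_openldap_conf` hunk the docstring says the original file is restored "so that any user settings are not touched", but `client_fstore.restore_file(ldap_conf)` puts back the copy saved before ipa-client-install ran, so any edits the administrator made to ldap.conf after enrolment are discarded before `configure_openldap_conf` rewrites it; either document that the file is reset to its pre-enrolment state, or take Rob's suggestion and change only the URI value in place. Two wording points in the same hunk: the subject line's "newly installer replica" should be "newly installed replica", and the docstring's "set ldap.conf file" reads better as "Set up ldap.conf".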
Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails
On 01/13/2016 10:31 AM, Martin Babinsky wrote: On 01/07/2016 05:38 PM, Martin Babinsky wrote: On 01/07/2016 05:37 PM, Martin Babinsky wrote: https://fedorahosted.org/freeipa/ticket/5584 And the patch is here. self-NACK, there may be a better way to handle this. I will do some investigation and send updated patch. Attaching updated patch. -- Martin^3 Babinsky From 0fe8f5e989f62c716f1de8159ca4d8c498106784 Mon Sep 17 00:00:00 2001 From: Martin Babinsky Date: Thu, 7 Jan 2016 16:48:11 +0100 Subject: [PATCH 1/3] uninstallation: more robust check for master removal from topology When uninstalling IPA master in domain level 1 topology, the code that checks for correct removal from topology will now consider failures to lookup host entry in local LDAP and to obtain host TGT as a sign that the master entry was already removed. https://fedorahosted.org/freeipa/ticket/5584 --- ipaserver/install/server/install.py | 37 +++-- 1 file changed, 31 insertions(+), 6 deletions(-) diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py index 8a57886cd91bc4dbb06d30b457844499d3ff6cec..aa048cc6d05490ec38e4f2808e7874cd8312704b 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -4,6 +4,7 @@ from __future__ import print_function +import gssapi import os import pickle import pwd 
@@ -291,26 +292,50 @@ def common_cleanup(func): def check_master_deleted(api, masters, interactive): +""" +Determine whether the IPA master was removed from the domain level 1 +topology. The function first tries to locally lookup the master host entry +and fetches host prinicipal from DS. Then we attempt to acquire host TGT, +contact the other masters one at a time and query for the existence of the +host entry for our IPA master. + +:param api: instance of API object +:param masters: list of masters to contact +:param interactive: whether run in interactive mode. The user will be +prompted for action if the removal status cannot be determined +:return: True if the master is not part of the topology anymore as +determined by the following conditions: +* the host entry does not exist in local DS +* we fail to get host TGT +* GSSAPI connection to remote DS fails on invalid authentication +* if we are the only master +False otherwise +""" try: host_princ = api.Command.host_show( api.env.host)['result']['krbprincipalname'][0] -except Exception as e: -root_logger.warning( -"Failed to get host principal name: {0}".format(e) +except errors.NotFound: +root_logger.debug( +"Host entry for {} already deleted".format(api.env.host) ) +return True +except Exception as e: +root_logger.warning("Failed to get host principal name: {0}".format(e)) return False ccache_path = os.path.join('/', 'tmp', 'krb5cc_host') with ipautil.private_ccache(ccache_path): +# attempt to get host TGT. 
Failure to do this indicates that the +# master was removed from topology try: ipautil.kinit_keytab(host_princ, paths.KRB5_KEYTAB, ccache_path) -except Exception as e: -root_logger.error( +except gssapi.exceptions.GSSError as e: +root_logger.debug( "Kerberos authentication as '{0}' failed: {1}".format( host_princ, e ) ) -return False +return True last_server = True for master in masters: -- 2.5.0 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
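Review bot: in the `kinit_keytab` block, every `gssapi.exceptions.GSSError` now returns True, yet that exception also covers a KDC that is unreachable, clock skew, or a stale keytab, none of which mean the master entry was removed; with this change such a transient failure makes `check_master_deleted` report the master as already gone and the uninstall carries on, which works against the "more robust" check the subject promises. Suggest inspecting the error (a missing client principal versus a failure to contact the KDC) before returning True, and otherwise falling back to the interactive prompt that the docstring already describes for the case where removal status cannot be determined. Minor: the docstring spells "prinicipal".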
Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
On 13.01.2016 16:03, Simo Sorce wrote:
> On Wed, 2016-01-13 at 15:49 +0100, Martin Basti wrote:
>> On 13.01.2016 15:31, Martin Babinsky wrote:
>>> On 01/13/2016 03:30 PM, Simo Sorce wrote:
>>>> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
>>>>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>>>>>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>>>>>>> The LDAP context was not checked on the first api call and a context may be null on some error conditions (LDAP server unreachable).
>>>>>>>
>>>>>>> Always check that we have a valid context before calling the ldap API.
>>>>>>>
>>>>>>> Builds but it is untested.
>>>>>>
>>>>>> Forgot to mention that this bug affects all 4.x versions and should probably be backported on all maintained branches.
>>>>>>
>>>>>> I opened a bug to track it too:
>>>>>> https://fedorahosted.org/freeipa/ticket/5577
>>>>>>
>>>>>> Simo.
>>>>>
>>>>> ACK. Please include the ticket URL in the commit message.
>>>>
>>>> Could you add it when pushing ?
>>>>
>>>> Unless you need some other change in the patch it will be less churn that way.
>>>>
>>>> Simo.
>>>
>>> Yes we could. I didn't realize that, sorry for the noise.
>>
>> I do not know where to push it, ticket is still in needs triage, it has not been decided where it should go.
>
> It definitely goes in master. You can push elsewhere as well later.
>
> Simo.

Pushed to master: 2144b1eeb789639b8a3df287b580aeb6196188a8
Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
On Wed, 2016-01-13 at 15:49 +0100, Martin Basti wrote:
> On 13.01.2016 15:31, Martin Babinsky wrote:
>> On 01/13/2016 03:30 PM, Simo Sorce wrote:
>>> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
>>>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>>>>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>>>>>> The LDAP context was not checked on the first api call and a context may be null on some error conditions (LDAP server unreachable).
>>>>>>
>>>>>> Always check that we have a valid context before calling the ldap API.
>>>>>>
>>>>>> Builds but it is untested.
>>>>>
>>>>> Forgot to mention that this bug affects all 4.x versions and should probably be backported on all maintained branches.
>>>>>
>>>>> I opened a bug to track it too:
>>>>> https://fedorahosted.org/freeipa/ticket/5577
>>>>>
>>>>> Simo.
>>>>
>>>> ACK. Please include the ticket URL in the commit message.
>>>
>>> Could you add it when pushing ?
>>>
>>> Unless you need some other change in the patch it will be less churn that way.
>>>
>>> Simo.
>>
>> Yes we could. I didn't realize that, sorry for the noise.
>
> I do not know where to push it, ticket is still in needs triage, it has not been decided where it should go.

It definitely goes in master. You can push elsewhere as well later.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
On 13.01.2016 15:31, Martin Babinsky wrote:
> On 01/13/2016 03:30 PM, Simo Sorce wrote:
>> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
>>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>>>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>>>>> The LDAP context was not checked on the first api call and a context may be null on some error conditions (LDAP server unreachable).
>>>>>
>>>>> Always check that we have a valid context before calling the ldap API.
>>>>>
>>>>> Builds but it is untested.
>>>>
>>>> Forgot to mention that this bug affects all 4.x versions and should probably be backported on all maintained branches.
>>>>
>>>> I opened a bug to track it too:
>>>> https://fedorahosted.org/freeipa/ticket/5577
>>>>
>>>> Simo.
>>>
>>> ACK. Please include the ticket URL in the commit message.
>>
>> Could you add it when pushing ?
>>
>> Unless you need some other change in the patch it will be less churn that way.
>>
>> Simo.
>
> Yes we could. I didn't realize that, sorry for the noise.

I do not know where to push it, ticket is still in needs triage, it has not been decided where it should go.
Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
On 01/13/2016 03:30 PM, Simo Sorce wrote:
> On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
>> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>>>> The LDAP context was not checked on the first api call and a context may be null on some error conditions (LDAP server unreachable).
>>>>
>>>> Always check that we have a valid context before calling the ldap API.
>>>>
>>>> Builds but it is untested.
>>>
>>> Forgot to mention that this bug affects all 4.x versions and should probably be backported on all maintained branches.
>>>
>>> I opened a bug to track it too:
>>> https://fedorahosted.org/freeipa/ticket/5577
>>>
>>> Simo.
>>
>> ACK. Please include the ticket URL in the commit message.
>
> Could you add it when pushing ?
>
> Unless you need some other change in the patch it will be less churn that way.
>
> Simo.

Yes we could. I didn't realize that, sorry for the noise.

--
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
On Wed, 2016-01-13 at 14:02 +0100, Martin Babinsky wrote:
> On 01/05/2016 11:19 PM, Simo Sorce wrote:
>> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>>> The LDAP context was not checked on the first api call and a context may
>>> be null on some error conditions (LDAP server unreachable).
>>>
>>> Always check that we have a valid context before calling the ldap API.
>>>
>>> Builds but it is untested.
>>
>> Forgot to mention that this bug affects all 4.x versions and should
>> probably be backported on all maintained branches.
>>
>> I opened a bug to track it too:
>> https://fedorahosted.org/freeipa/ticket/5577
>>
>> Simo.
>
> ACK. Please include the ticket URL in the commit message.

Could you add it when pushing ?

Unless you need some other change in the patch it will be less churn that way.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes
On 13.01.2016 15:06, Alexander Bokovoy wrote: On Mon, 23 Nov 2015, Simo Sorce wrote: Note, this does not touch the trust code because apparently we use only arcfour there. CCing Alexander to give me a comment about that, probably worth opening a ticket specific to trusts. Otherwise addresses #4740 Simo. -- Simo Sorce * Red Hat, Inc * New York From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 23 Nov 2015 13:40:42 -0500 Subject: [PATCH] Use only AES enctypes by default Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce Ticket: https://fedorahosted.org/freeipa/ticket/4740 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++--- install/share/kerberos.ldif | 2 -- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index 1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -55,18 +55,10 @@ extern const char *ipa_realm_dn; extern const char *ipa_etc_config_dn; extern const char *ipa_pwd_config_dn; -/* These are the default enc:salt types if nothing is defined. - * TODO: retrieve the configure set of ecntypes either from the - * kfc.conf file or by synchronizing the file content into - * the directory */ +/* These are the default enc:salt types if nothing is defined in LDAP */ static const char *ipapwd_def_encsalts[] = { -"des3-hmac-sha1:normal", -/*"arcfour-hmac:normal", -"des-hmac-sha1:normal", -"des-cbc-md5:normal", */ -"des-cbc-crc:normal", -/*"des-cbc-crc:v4", -"des-cbc-crc:afs3", */ +"aes256-cts:special", +"aes128-cts:special", NULL }; 
diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif index 41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d 100644 --- a/install/share/kerberos.ldif +++ b/install/share/kerberos.ldif @@ -30,8 +30,6 @@ krbMaxTicketLife: 86400 krbMaxRenewableAge: 604800 krbDefaultEncSaltTypes: aes256-cts:special krbDefaultEncSaltTypes: aes128-cts:special -krbDefaultEncSaltTypes: des3-hmac-sha1:special -krbDefaultEncSaltTypes: arcfour-hmac:special # Default password Policy dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX -- 2.5.0 ACK. Pushed to: master: 58ab032f1ae20454d4b9d760c7601fd8b44045f5 ipa-4-3: bad5b0247984635fe402283aee259f35a048df6b -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
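Review bot: besides dropping des3-hmac-sha1 and des-cbc-crc, the `ipapwd_def_encsalts` hunk changes the fallback salt type from `normal` to `special` for the AES entries that replace them; that matches kerberos.ldif but is not mentioned in the commit message, and since this table is only consulted when nothing is defined in LDAP, the message should say that key generation for that case changes salt type too. Note also that the kerberos.ldif change applies only to new installs (as the message says), so existing realms keep des3-hmac-sha1 and arcfour-hmac in their stored krbDefaultEncSaltTypes until the realm entry is updated; an upgrade step or at least a release note would cover that.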
Re: [Freeipa-devel] [PATCH] Remove des3/arcfour from default enctypes
On Mon, 23 Nov 2015, Simo Sorce wrote: Note, this does not touch the trust code because apparently we use only arcfour there. CCing Alexander to give me a comment about that, probably worth opening a ticket specific to trusts. Otherwise addresses #4740 Simo. -- Simo Sorce * Red Hat, Inc * New York From 70b4c8971ca623aa51e8e7d1f0e5d245a05c7396 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Mon, 23 Nov 2015 13:40:42 -0500 Subject: [PATCH] Use only AES enctypes by default Remove des3 and arcfour from the defaults for new installs. NOTE: the ipasam/dcerpc code sill uses arcfour Signed-off-by: Simo Sorce Ticket: https://fedorahosted.org/freeipa/ticket/4740 --- daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 14 +++--- install/share/kerberos.ldif | 2 -- 2 files changed, 3 insertions(+), 13 deletions(-) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c index 1a8ef47b0fc6a932a4115dfa05ecf1a39c8e762f..5dc606d22305cf63a16feca30aab2728bb20b80d 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c @@ -55,18 +55,10 @@ extern const char *ipa_realm_dn; extern const char *ipa_etc_config_dn; extern const char *ipa_pwd_config_dn; -/* These are the default enc:salt types if nothing is defined. - * TODO: retrieve the configure set of ecntypes either from the - * kfc.conf file or by synchronizing the file content into - * the directory */ +/* These are the default enc:salt types if nothing is defined in LDAP */ static const char *ipapwd_def_encsalts[] = { -"des3-hmac-sha1:normal", -/*"arcfour-hmac:normal", -"des-hmac-sha1:normal", -"des-cbc-md5:normal", */ -"des-cbc-crc:normal", -/*"des-cbc-crc:v4", -"des-cbc-crc:afs3", */ +"aes256-cts:special", +"aes128-cts:special", NULL }; diff --git a/install/share/kerberos.ldif b/install/share/kerberos.ldif index 41e77952adafaf28bfaa96b4c1f1a81ef96348be..1f556382e262ec1b71eb0f4267de0a987952d84d 100644 
--- a/install/share/kerberos.ldif +++ b/install/share/kerberos.ldif @@ -30,8 +30,6 @@ krbMaxTicketLife: 86400 krbMaxRenewableAge: 604800 krbDefaultEncSaltTypes: aes256-cts:special krbDefaultEncSaltTypes: aes128-cts:special -krbDefaultEncSaltTypes: des3-hmac-sha1:special -krbDefaultEncSaltTypes: arcfour-hmac:special # Default password Policy dn: cn=global_policy,cn=$REALM,cn=kerberos,$SUFFIX -- 2.5.0 ACK. -- / Alexander Bokovoy -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
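Review bot: removing `krbDefaultEncSaltTypes: arcfour-hmac:special` from the realm template while the commit message itself notes that the ipasam/dcerpc code still uses arcfour means the principals used for trusts must get their arcfour keys from an explicit per-principal enctype list rather than from the realm default; the separate trust ticket Simo suggests should be referenced from this commit so the two changes stay tied together, and a fresh install with a trust should be exercised to confirm the arcfour key is still generated where that code expects it.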
Re: [Freeipa-devel] [PATCH 565] Fix potential aborts in KDB driver
On 01/05/2016 11:19 PM, Simo Sorce wrote:
> On Tue, 2016-01-05 at 16:15 -0500, Simo Sorce wrote:
>> The LDAP context was not checked on the first api call and a context may be null on some error conditions (LDAP server unreachable).
>>
>> Always check that we have a valid context before calling the ldap API.
>>
>> Builds but it is untested.
>
> Forgot to mention that this bug affects all 4.x versions and should probably be backported on all maintained branches.
>
> I opened a bug to track it too:
> https://fedorahosted.org/freeipa/ticket/5577
>
> Simo.

ACK. Please include the ticket URL in the commit message.

--
Martin^3 Babinsky
Re: [Freeipa-devel] [PATCH 0011-0012][RFE] ipa-replica-manage: automatically clean dangling RUVs
On 18.12.2015 12:46, Stanislav Laznicka wrote:
> Hi,
>
> Attached are the patches for auto-find and clean of dangling (cs)ruvs. Currently, the cleaning of an RUV waits for all replicas to be online, even on --force. If that were an issue, I can make the command fail before trying to clean any of RUVs. However, the user is shown a replica is offline and is prompted to confirm the cleaning so the possible wait should not be a problem I believe.
>
> Standa L.

Hello,

patches need rebase, I cannot apply them.
Re: [Freeipa-devel] Should we split up ipa-client?
On 01/13/2016 11:34 AM, Petr Viktorin wrote:
> Hello,
>
> I'm planning to port the ipa-client to Python 3, and I'm likely to end up shaking out some dusty corners of the codebase, rather than doing the minimal amount of work :) So I'd like to get your opinions before I commit significant time to this.
>
> I think it would be beneficial to split ipa-client to better match both how it's put in the RPMs these days, and how the rest of IPA is organized. (And, to stop using autotools to "build" Python libraries...)
>
> The resulting structure could look like this:
>
> ipaclient/
> - *.py
> - setup.py
>
> client-tools/
> - man/*
> - *.c
> - *.h
> - all the automake stuff
> - current contents of ipa-install (Python scripts that go in /usr/sbin)
>
> Removed:
> - ipa-client.spec.in (included in freeipa.spec.in)
> - NEWS (empty)
> - README (entirely outdated)
>
> Does this look like a reasonable direction to explore?

Makes sense to me, this kind of work would be needed during client installer refactoring anyway (also, using autotools for python module installation hurts my brain a lot).

--
Martin^3 Babinsky
[Freeipa-devel] Should we split up ipa-client?
Hello,

I'm planning to port the ipa-client to Python 3, and I'm likely to end up shaking out some dusty corners of the codebase, rather than doing the minimal amount of work :) So I'd like to get your opinions before I commit significant time to this.

I think it would be beneficial to split ipa-client to better match both how it's put in the RPMs these days, and how the rest of IPA is organized. (And, to stop using autotools to "build" Python libraries...)

The resulting structure could look like this:

ipaclient/
- *.py
- setup.py

client-tools/
- man/*
- *.c
- *.h
- all the automake stuff
- current contents of ipa-install (Python scripts that go in /usr/sbin)

Removed:
- ipa-client.spec.in (included in freeipa.spec.in)
- NEWS (empty)
- README (entirely outdated)

Does this look like a reasonable direction to explore?

--
Petr Viktorin
Re: [Freeipa-devel] [PATCH 0121] consider IPA master removed from topology when request for host TGT fails
On 01/07/2016 05:38 PM, Martin Babinsky wrote:
> On 01/07/2016 05:37 PM, Martin Babinsky wrote:
> > https://fedorahosted.org/freeipa/ticket/5584
>
> And the patch is here.

self-NACK, there may be a better way to handle this. I will do some investigation and send updated patch.

--
Martin^3 Babinsky
Re: [Freeipa-devel] [patch 0029, 0030] fixes for install tasks in integration tests
On 11.01.2016 11:59, Milan Kubík wrote:
> On 01/07/2016 09:36 AM, Milan Kubík wrote:
> > 0029: Add 10.in-addr.arpa. zone to ipa
> > 0030: If the IP addresses in the topology are resolvable, do not add them to master.
>
> Hi.
>
> I'm dropping 0029 for now. 0030 gets an update.
>
> --
> Milan Kubik

ACK

Pushed to:
master: c0133778ae6ea207aa3b184af54fea5803e2ac23
ipa-4-3: 850ea4cc8fa25c85c5a6869481c311b1f10611cc
Re: [Freeipa-devel] [PATCH 0124] ipa-csreplica-manage: remove extraneous ldap2 connection
On 11.01.2016 16:47, Martin Basti wrote:
> On 11.01.2016 12:34, Martin Kosek wrote:
> > On 01/08/2016 06:31 PM, Martin Babinsky wrote:
> > > On 01/08/2016 06:17 PM, Martin Basti wrote:
> > > > On 08.01.2016 17:18, Martin Babinsky wrote:
> > > > > fixes ipa-csreplica-manage del blowing up due to https://fedorahosted.org/freeipa/ticket/5583
> > > > >
> > > > > for master and ipa-4-3 only.
> > > >
> > > > Give me patch please!! Auto-attach plugin would be most welcome..
> > >
> > > here's the patch.
> >
> > Back in my developer days, I used this script for sending patches :-)
> > https://github.com/freeipa/freeipa-tools/blob/master/sendpatch.py
> >
> > This let me (almost never) forget attaching the file(s) in the right format.
>
> ACK

Pushed to:
master: a81e69a796fee2405252838d512e5b950f3be5d8
ipa-4-3: 6ef4bfb7b422af4e487043cdfec88845c3644d6a
Re: [Freeipa-devel] [PATCH 0118] fix Py3 incompatible exception instantiation in replica install code
On 11.01.2016 13:30, Martin Babinsky wrote:
> On 01/08/2016 06:26 PM, Tomas Babej wrote:
> > On 01/07/2016 05:56 PM, Martin Babinsky wrote:
> > > On 01/04/2016 09:02 AM, Martin Babinsky wrote:
> > >
> > > I have created a ticket for the patch and added it to the commit message: https://fedorahosted.org/freeipa/ticket/5585
> >
> > ACK for these changes, however, there are additional occurrences in the code base, attaching a patch.
> >
> > Tomas
>
> ACK

Pushed to:
master: 50627004b83fe155767fb02b51099eba612a5855
ipa-4-3: 1181926c970e71cec728bed9ac4b16a2664ef97d
Re: [Freeipa-devel] [PATCH 0125] IPA upgrade: move replication ACIs to the mapping tree entry
On 01/13/2016 07:18 AM, Jan Cholasta wrote:
> On 12.1.2016 19:13, Martin Babinsky wrote:
> > commit 6ea868e172738bdd6a8fae34e65126cdd134bbbe broke replica install and management on IPA servers upgraded from pre-4.3 version. The attached patch fixes this.
> >
> > https://fedorahosted.org/freeipa/ticket/5575
>
> Any reason to repeat the DN 3 times?
>
> Besides that LGTM.

No other reason than not using brain during copy-pasting ACIs. Attaching updated patch.

--
Martin^3 Babinsky

From fbb09447ee9de307e78ace3dfb70f01d57694be0 Mon Sep 17 00:00:00 2001
From: Martin Babinsky
Date: Tue, 12 Jan 2016 18:59:11 +0100
Subject: [PATCH] IPA upgrade: move replication ACIs to the mapping tree entry

During IPA server upgrade from pre-4.3 versions, the ACIs permitting manipulation of replication agreements are removed from the 'cn="$SUFFIX",cn=mapping tree,cn=config' and 'cn=o\3Dipaca,cn=mapping tree,cn=config'. However they are never re-added, breaking management and installation of replicas.

This patch modifies the update process so that the ACIs are first added to the 'cn=mapping tree,cn=config' and then removed from the child entries.

https://fedorahosted.org/freeipa/ticket/5575
---
 install/updates/20-aci.update | 4
 1 file changed, 4 insertions(+)

diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
index cef842bbdf291762ef91d6be63c435b2f2161897..5526efa152340f14f17f833e32cbf8231693534f 100644
--- a/install/updates/20-aci.update
+++ b/install/updates/20-aci.update
@@ -63,8 +63,12 @@ dn: cn=tasks,cn=config add:aci:(targetattr="*")(version 3.0; acl "Admin can read all tasks"; allow (read, compare, search) groupdn = "ldap:///cn=admins,cn=groups,cn=accounts,$SUFFIX";;) # Allow hosts to read their replication agreements +# replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes dn: cn=mapping tree,cn=config add:aci: (target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";) +add: aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) +add: aci: (targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) dn: cn="$SUFFIX",cn=mapping tree,cn=config remove:aci: (targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";) -- 2.5.0
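Review bot: the "permission:Add Replication Agreements" ACI is the only one of the three added to cn=mapping tree,cn=config without a targetfilter; with (targetattr=*) and allow (add) it now lets members of that permission group add entries of any kind anywhere under cn=mapping tree,cn=config, for both suffixes, where it previously sat on the per-suffix child entry, whereas the Modify and Remove ACIs beside it are limited to nsds5replicationagreement/nsDSWindowsReplicationAgreement entries. Consider giving it a matching filter, e.g. (targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))"), so the move does not widen the grant. A style point: the three new lines spell the operation "add: aci:" while the existing line above uses "add:aci:"; keep one form within the file.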
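The ACIs quoted in the patch above can be checked mechanically for the scoping question a reviewer asks of them (which ones grant a write-type right with no targetfilter narrowing the entries they cover), and the add-then-remove ordering the commit message describes can be replayed on the update-file lines. The following Python is an added example written for this page, not FreeIPA project code: its ACI parser covers only the keywords the quoted ACIs use (target, targetattr, targetfilter, the acl name, allow rights and userdn/groupdn bind rules), its `apply_update` handles only the `add:aci:`/`remove:aci:` lines of the update-file syntax, and the pre-upgrade layout it starts from (the Add ACI sitting on the `cn="$SUFFIX"` child entry) is constructed for the illustration; `$SUFFIX` and `$$dn` are kept as the literal placeholders the template uses.

```python
"""Lint 389-ds ACIs and replay the add/remove steps of an IPA update file.

Added example for this thread, not FreeIPA project code. The ACI strings are
the ones quoted in the patch; "$SUFFIX" (install-template placeholder) and
"$$dn" (ACI macro) are kept literally.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# ACIs copied from the quoted hunk of install/updates/20-aci.update.
MAPPING_TREE_ACIS = [
    '(target = "ldap:///cn=meTo($$dn),cn=*,cn=mapping tree,cn=config")(targetattr = "objectclass || cn")(version 3.0; acl "Allow hosts to read their replication agreements"; allow(read, search, compare) userdn = "ldap:///fqdn=($$dn),cn=computers,cn=accounts,$SUFFIX";)',
    '(targetattr=*)(version 3.0;acl "permission:Add Replication Agreements";allow (add) groupdn = "ldap:///cn=Add Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)',
    '(targetattr=*)(targetfilter="(|(objectclass=nsds5Replica)(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement)(objectClass=nsMappingTree))")(version 3.0; acl "permission:Modify Replication Agreements"; allow (read, write, search) groupdn = "ldap:///cn=Modify Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)',
    '(targetattr=*)(targetfilter="(|(objectclass=nsds5replicationagreement)(objectclass=nsDSWindowsReplicationAgreement))")(version 3.0;acl "permission:Remove Replication Agreements";allow (delete) groupdn = "ldap:///cn=Remove Replication Agreements,cn=permissions,cn=pbac,$SUFFIX";)',
]

# Constructed from the post-patch hunk: add on the parent, then remove on the child.
UPDATE_LINES = [
    "# replication ACIs should reside in cn=mapping tree,cn=config and be common for both suffixes",
    "dn: cn=mapping tree,cn=config",
    "add:aci: " + MAPPING_TREE_ACIS[0],
    "add: aci: " + MAPPING_TREE_ACIS[1],
    "add: aci: " + MAPPING_TREE_ACIS[2],
    "add: aci: " + MAPPING_TREE_ACIS[3],
    "",
    'dn: cn="$SUFFIX",cn=mapping tree,cn=config',
    "remove:aci: " + MAPPING_TREE_ACIS[1],
]

# Target clauses may be quoted ("...") or bare (targetattr=*).
_TARGET_RE = re.compile(r'\(\s*(target|targetattr|targetfilter)\s*=\s*(?:"([^"]*)"|([^)"]*))\s*\)')
_ACL_RE = re.compile(r'acl\s+"([^"]*)"')
_ALLOW_RE = re.compile(r'allow\s*\(([^)]*)\)')
_BIND_RE = re.compile(r'\b(userdn|groupdn)\s*=\s*"([^"]*)"')
_UPDATE_RE = re.compile(r'^(add|remove):\s*aci:\s*(.*)$')
WRITE_RIGHTS = frozenset({"add", "write", "delete"})


@dataclass
class Aci:
    name: str
    target: Optional[str] = None
    targetattr: Optional[str] = None
    targetfilter: Optional[str] = None
    rights: frozenset = frozenset()
    bind_rules: list = field(default_factory=list)


def parse_aci(text: str) -> Aci:
    """Extract the target clauses, granted rights and bind rules of one ACI."""
    m = _ACL_RE.search(text)
    if m is None:
        raise ValueError("ACI without acl name: %r" % text)
    aci = Aci(name=m.group(1))
    for t in _TARGET_RE.finditer(text):
        keyword, quoted, bare = t.groups()
        setattr(aci, keyword, quoted if quoted is not None else bare.strip())
    allow = _ALLOW_RE.search(text)
    if allow:
        aci.rights = frozenset(r.strip() for r in allow.group(1).split(","))
    aci.bind_rules = _BIND_RE.findall(text)
    return aci


def is_unscoped_write(aci: Aci) -> bool:
    """True when a write-type right is granted over all attributes of every
    entry in the subtree: no target, no targetfilter, targetattr '*' or absent."""
    grants_write = bool(aci.rights & WRITE_RIGHTS)
    all_attrs = aci.targetattr in (None, "*")
    return grants_write and all_attrs and aci.target is None and aci.targetfilter is None


def lint(aci_strings):
    """Names of the ACIs a reviewer should look at for over-broad write grants."""
    return [a.name for a in map(parse_aci, aci_strings) if is_unscoped_write(a)]


def apply_update(lines, acis):
    """Replay the add:aci:/remove:aci: subset of the *.update syntax, in file
    order, on a {dn: [aci string, ...]} map and return it. Order matters: the
    parent entry gains the ACIs before the child entry loses them."""
    dn = None
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("dn:"):
            dn = line[3:].strip()
            acis.setdefault(dn, [])
            continue
        m = _UPDATE_RE.match(line)
        if m is None or dn is None:
            raise ValueError("unsupported update line: %r" % line)
        op, value = m.group(1), m.group(2).strip()
        bucket = acis[dn]
        if op == "add" and value not in bucket:
            bucket.append(value)
        elif op == "remove" and value in bucket:
            bucket.remove(value)
    return acis


def pre_upgrade_state():
    """Constructed pre-4.3 layout: the Add ACI lives on the suffix child entry."""
    return {
        "cn=mapping tree,cn=config": [],
        'cn="$SUFFIX",cn=mapping tree,cn=config': [MAPPING_TREE_ACIS[1]],
    }


def aci_names(acis):
    """Map each DN to the acl names of its ACIs, for readable output."""
    return {dn: [parse_aci(a).name for a in values] for dn, values in acis.items()}


if __name__ == "__main__":
    for name in lint(MAPPING_TREE_ACIS):
        print("write grant without targetfilter:", name)
    for dn, names in aci_names(apply_update(UPDATE_LINES, pre_upgrade_state())).items():
        print(dn, "->", names)
```

Running the block flags only the Add ACI, and the replay shows the parent entry holding all four ACIs while the child entry is left empty, which is the ordering the commit message relies on to avoid the window in which no entry carries the ACI.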