[Freeipa-devel] [freeipa PR#474][comment] Update man page of ipa-server-install

2017-02-16 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/474
Title: #474: Update man page of ipa-server-install

martbab commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/08b8bfa9b59b30e1bec1fa8c1cfce992dc80c49f
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/474#issuecomment-280580147
-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-16 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
I have one very important question: Without ipatests, how are you going to 
automatically test client-only builds?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280580037

[Freeipa-devel] [freeipa PR#474][closed] Update man page of ipa-server-install

2017-02-16 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/474
Author: Akasurde
 Title: #474: Update man page of ipa-server-install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/474/head:pr474
git checkout pr474

[Freeipa-devel] [freeipa PR#474][+pushed] Update man page of ipa-server-install

2017-02-16 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/474
Title: #474: Update man page of ipa-server-install

Label: +pushed

[Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

2017-02-16 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

martbab commented:
"""
I was thinking that instead of making up more options to the test runner we could 
reorganize the `ipatests/` directory to actually make sense from the consumer's 
POV, although I admit that it will take more time and also has the potential to 
break our incredibly... fragile test handling.

On the plus side, you would run the tests you want naturally by just specifying 
the path that interests you and let the test discovery do the rest.

A silly example:

```bash

$ ipa-run-tests test_ipaclient/test_units
test_ipaclient/test_units/test_util.py 
test_ipaclient/test_units/tutil.py ..
test_ipaclient/test_units/test_csrgen.py .....
...
```
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/475#issuecomment-280579653

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-16 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

martbab commented:
"""
Could we just keep the post command as "kdestroy -c {apache_ccache_path}"? 
Or is everything chrooted into a name-spaced /tmp so that we cannot access the 
ccache file from within the unit file? 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280578487

[Freeipa-devel] [freeipa PR#475][comment] Add options to run only ipaclient unittests

2017-02-16 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/475
Title: #475: Add options to run only ipaclient unittests

tiran commented:
"""
PS: I'm not attached to the name of the option. Please speak up if you can come 
up with a better name than `--ipaclient-unittests`.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/475#issuecomment-280578416

[Freeipa-devel] [freeipa PR#475][opened] Add options to run only ipaclient unittests

2017-02-16 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/475
Author: tiran
 Title: #475: Add options to run only ipaclient unittests
Action: opened

PR body:
"""
A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py 
util.py ..
test_ipaclient/test_csrgen.py .....
test_ipalib/test_aci.py ...
test_ipalib/test_backend.py 
test_ipalib/test_base.py ...
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...
test_ipalib/test_crud.py ...
test_ipalib/test_errors.py ...
test_ipalib/test_frontend.py 
test_ipalib/test_messages.py 
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py 
.
test_ipalib/test_plugable.py 
test_ipalib/test_rpc.py ..
test_ipalib/test_text.py .
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py 
test_ipapython/test_dn.py ...
test_ipapython/test_ipautil.py 
..
test_ipapython/test_ipavalidate.py ..
test_ipapython/test_kerberos.py ..
test_ipapython/test_keyring.py ..
test_ipapython/test_ssh.py ...
test_pkcs10/test_pkcs10.py .

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/475/head:pr475
git checkout pr475
From 95bffaca57427368e4c0ef1e608ffc17f27524d9 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Fri, 17 Feb 2017 08:39:54 +0100
Subject: [PATCH] Add options to run only ipaclient unittests

A new option for ipa-run-tests makes the test runner ignore
subdirectories or skips tests that depend on the ipaserver package or on
a running framework for RPC integration tests. The new option enables
testing of client-only builds.

$ ipatests/ipa-run-tests --ipaclient-unittests
...
platform linux2 -- Python 2.7.13, pytest-2.9.2, py-1.4.32, pluggy-0.3.1
rootdir: /home/heimes/redhat, inifile: tox.ini
plugins: sourceorder-0.5, cov-2.3.0, betamax-0.7.1, multihost-1.1
collected 451 items

test_util.py 
util.py ..
test_ipaclient/test_csrgen.py .....
test_ipalib/test_aci.py ...
test_ipalib/test_backend.py 
test_ipalib/test_base.py ...
test_ipalib/test_capabilities.py .
test_ipalib/test_cli.py ...
test_ipalib/test_config.py ...
test_ipalib/test_crud.py ...
test_ipalib/test_errors.py ...
test_ipalib/test_frontend.py 
test_ipalib/test_messages.py 
test_ipalib/test_output.py ...
test_ipalib/test_parameters.py .
test_ipalib/test_plugable.py 
test_ipalib/test_rpc.py ..
test_ipalib/test_text.py .
test_ipalib/test_x509.py ...
test_ipapython/test_cookie.py 
test_ipapython/test_dn.py ...
test_ipapython/test_ipautil.py ..
test_ipapython/test_ipavalidate.py ..
test_ipapython/test_kerberos.py ..
test_ipapython/test_keyring.py ..
test_ipapython/test_ssh.py ...
test_pkcs10/test_pkcs10.py .

https://fedorahosted.org/freeipa/ticket/6517

Signed-off-by: Christian Heimes 
---
 ipatests/conftest.py   | 62 +-
 ipatests/setup.py  |  1 -
 ipatests/test_ipaclient/test_csrgen.py |  1 +
 ipatests/test_ipalib/test_rpc.py   |  2 ++
 ipatests/util.py   | 15 ++--
 5 files changed, 77 insertions(+), 4 deletions(-)

diff --git a/ipatests/conftest.py b/ipatests/conftest.py
index 511d7b7..32f24cf 100644
--- a/ipatests/conftest.py
+++ b/ipatests/conftest.py
@@ -3,17 +3,26 @@
 #
 from __future__ import print_function
 
+import fnmatch
 import os
 import pprint
+import re
 import sys
 
+import pytest
+
 from ipalib import api
 from ipalib.cli import cli_plugins
 try:
+import ipaplatform
+except ImportError:
+ipaplatform = None
+try:
 import ipaserver
 except ImportError:
 ipaserver = None
 
+HERE = os.path.dirname(os.path.abspath(__file__))
 
 pytest_plugins = [
 'ipatests.pytest_plugins.additional_config',
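Review bot: `ipaplatform` is imported with an ImportError fallback to None and `HERE` is defined, but nothing in this hunk uses either; if later hunks rely on them to decide which directories to ignore, a one-line comment next to each saying so would help a reader of this file. The two identical `try: import X / except ImportError: X = None` blocks for `ipaplatform` and `ipaserver` could also be collapsed into a small helper (e.g. `_optional_import('ipaserver')`) so the pattern is not copied a third time.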
@
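The PR body above describes two mechanisms: ignoring whole server-only subdirectories at collection time, and skipping individual tests that need the `ipaserver` package or a running RPC server. The following is an added example, not FreeIPA's own `conftest.py`: it models both mechanisms as plain functions that can be exercised without pytest, and wires them into pytest hooks only when pytest is importable. The directory list in `SERVER_ONLY_DIRS`, the marker names `needs_ipaserver` and `needs_ipaapi`, and the sample tree are assumptions of this example; the option name `--ipaclient-unittests` is the one the PR introduces.

```python
"""Client-only test selection for an ipatests-style tree (added example)."""
import fnmatch
import importlib
import os

HERE = os.path.dirname(os.path.abspath(__file__))

# Assumed list of ipatests/ subdirectories that only work with the server
# package installed; glob patterns are allowed.
SERVER_ONLY_DIRS = (
    "test_integration",
    "test_install",
    "test_ipaserver",
    "test_webui",
    "test_xmlrpc",
)


def have_module(name):
    """True when `name` is importable; never raises."""
    try:
        importlib.import_module(name)
    except ImportError:
        return False
    return True


def ignore_path(relpath, client_only):
    """Collection-time filter: drop whole directories in client-only mode.

    `relpath` is relative to the ipatests/ root; only its first component
    is matched against SERVER_ONLY_DIRS.
    """
    if not client_only:
        return False
    first = relpath.replace(os.sep, "/").split("/", 1)[0]
    return any(fnmatch.fnmatch(first, pat) for pat in SERVER_ONLY_DIRS)


def skip_reason(markers, client_only, have_ipaserver):
    """Per-test filter: a skip reason string, or None to run the test.

    `markers` is the set of marker names attached to a test item
    (assumed marker names, see the lead-in).
    """
    if not client_only:
        return None
    if "needs_ipaserver" in markers and not have_ipaserver:
        return "needs the ipaserver package (client-only build)"
    if "needs_ipaapi" in markers:
        return "needs a running IPA API server (client-only build)"
    return None


def select(tree, client_only, have_ipaserver=None):
    """Apply both filters to {relpath: marker-set}; return runnable paths."""
    if have_ipaserver is None:
        have_ipaserver = have_module("ipaserver")
    return sorted(
        path for path, markers in tree.items()
        if not ignore_path(path, client_only)
        and skip_reason(markers, client_only, have_ipaserver) is None
    )


# Constructed sample collection, standing in for a real ipatests/ checkout.
SAMPLE_TREE = {
    "test_ipaclient/test_csrgen.py": set(),
    "test_ipalib/test_rpc.py": {"needs_ipaapi"},
    "test_ipapython/test_dn.py": set(),
    "test_ipaserver/test_ldap.py": {"needs_ipaserver"},
    "test_xmlrpc/test_user_plugin.py": {"needs_ipaapi"},
}

# pytest hooks wiring the pure functions into a conftest.py. They are only
# defined when pytest is importable so the module also runs without it.
# Hook/API shapes assumed here: `pytest_ignore_collect(path, config)` and
# `item.iter_markers()`; newer pytest renames `path` to `collection_path`.
try:
    import pytest
except ImportError:
    pytest = None

if pytest is not None:
    def pytest_addoption(parser):
        parser.addoption("--ipaclient-unittests", action="store_true",
                         default=False, help="run only client-side unit tests")

    def pytest_ignore_collect(path, config):
        rel = os.path.relpath(str(path), HERE)
        return ignore_path(rel, config.getoption("--ipaclient-unittests"))

    def pytest_collection_modifyitems(config, items):
        client_only = config.getoption("--ipaclient-unittests")
        have_server = have_module("ipaserver")
        for item in items:
            names = {m.name for m in item.iter_markers()}
            reason = skip_reason(names, client_only, have_server)
            if reason is not None:
                item.add_marker(pytest.mark.skip(reason=reason))


if __name__ == "__main__":
    print(select(SAMPLE_TREE, client_only=True, have_ipaserver=False))
```

Keeping the decision logic in `ignore_path()` and `skip_reason()` means the client-only selection itself can be unit-tested on a machine that has neither pytest plugins nor the server package, which is exactly the situation a client-only build is in.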

[Freeipa-devel] [freeipa PR#474][+ack] Update man page of ipa-server-install

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/474
Title: #474: Update man page of ipa-server-install

Label: +ack

[Freeipa-devel] [freeipa PR#474][opened] Update man page of ipa-server-install

2017-02-16 Thread Akasurde
   URL: https://github.com/freeipa/freeipa/pull/474
Author: Akasurde
 Title: #474: Update man page of ipa-server-install
Action: opened

PR body:
"""
This fix adds information about --ignore-last-of-role to the
ipa-server-install man page

Fixes https://fedorahosted.org/freeipa/ticket/6634

Signed-off-by: Abhijeet Kasurde 
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/474/head:pr474
git checkout pr474
From 555e78d7d5095a995da9611daed13a6847f3f01b Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde 
Date: Fri, 17 Feb 2017 10:05:22 +0530
Subject: [PATCH] Update man page of ipa-server-install

This fix adds information about --ignore-last-of-role to the
ipa-server-install man page

Fixes https://fedorahosted.org/freeipa/ticket/6634

Signed-off-by: Abhijeet Kasurde 
---
 install/tools/man/ipa-server-install.1 | 7 +--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
index 8bfbefb..a7c7f81 100644
--- a/install/tools/man/ipa-server-install.1
+++ b/install/tools/man/ipa-server-install.1
@@ -1,7 +1,7 @@
 .\" A man page for ipa-server-install
-.\" Copyright (C) 2008-2016  FreeIPA Contributors see COPYING for license
+.\" Copyright (C) 2008-2017  FreeIPA Contributors see COPYING for license
 .\"
-.TH "ipa-server-install" "1" "Dec 19 2016" "FreeIPA" "FreeIPA Manual Pages"
+.TH "ipa-server-install" "1" "Feb 17 2017" "FreeIPA" "FreeIPA Manual Pages"
 .SH "NAME"
 ipa\-server\-install \- Configure an IPA server
 .SH "SYNOPSIS"
@@ -57,6 +57,9 @@ Don't install allow_all HBAC rule. This rule lets any user from any host access
 \fB\-\-ignore-topology-disconnect\fR
 Ignore errors reported when IPA server uninstall would lead to disconnected topology. This option can be used only when domain level is 1 or more.
 .TP
+\fB\-\-ignore-last-of-role\fR
+Ignore errors reported when IPA server uninstall would lead to removal of last CA/DNS server or DNSSec master. This option can be used only when domain level is 1 or more.
+.TP
 \fB\-\-no\-ui\-redirect\fR
 Do not automatically redirect to the Web UI.
 .TP
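Review bot: the new entry spells the DNSSEC key master as "DNSSec"; use "DNSSEC" to match standard usage. The sentence "This option can be used only when domain level is 1 or more" is copied verbatim from the --ignore-topology-disconnect entry just above; please confirm that restriction really applies to --ignore-last-of-role before shipping it in the man page. Also, other options on this page escape every hyphen (`\fB\-\-no\-ui\-redirect\fR`) while the new `\fB\-\-ignore-last-of-role\fR` escapes only the leading pair; pick one convention.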

[Freeipa-devel] [freeipa PR#473][+ack] Fix session/cookie related issues introduced with the privilege separation patches

2017-02-16 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/473
Title: #473: Fix session/cookie related issues introduced with the privilege separation patches

Label: +ack

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-16 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (16/02/17 02:30), Christian Heimes wrote:
>Lukas, you are wasting both my and your precious time with a needless 
>bike-shedding discussion about semantics. The `--disable-server` option 
>skips all parts of the build process that are only relevant for server and not 
>relevant for client. `ipatests` is relevant for both, therefore it stays.
>

It's not bikeshedding. You are adding HACKs to the freeipa build system.

If this PR is pushed in its current state then I will need to send a PR
to fix the client-only build, and it will not install ipatests with
--disable-server.

I proposed a compromise to you a few times.
Thank you very much for ignoring it.

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280433054

[Freeipa-devel] [freeipa PR#473][comment] Fix session/cookie related issues introduced with the privilege separation patches

2017-02-16 Thread abbra
  URL: https://github.com/freeipa/freeipa/pull/473
Title: #473: Fix session/cookie related issues introduced with the privilege separation patches

abbra commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/473#issuecomment-280428547

[Freeipa-devel] [freeipa PR#473][synchronized] Fix session/cookie related issues introduced with the privilege separation patches

2017-02-16 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/473
Author: simo5
 Title: #473: Fix session/cookie related issues introduced with the privilege separation patches
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/473/head:pr473
git checkout pr473
From 3af883d10030a12980bbcc2383199d237ab5904d Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 16 Feb 2017 11:07:31 -0500
Subject: [PATCH 1/2] Change session logout to kill only the cookie

Removing the ccache goes too far as it will cause unrelated sessions to
fail as well, this is a problem for accounts used to do unattended
operations and that may operate in parallel.

Fixes https://fedorahosted.org/freeipa/ticket/6682

Signed-off-by: Simo Sorce 
---
 ipaserver/plugins/session.py |  5 +++--
 ipaserver/session.py | 34 --
 2 files changed, 3 insertions(+), 36 deletions(-)
 delete mode 100644 ipaserver/session.py

diff --git a/ipaserver/plugins/session.py b/ipaserver/plugins/session.py
index c700ab9..8e480ed 100644
--- a/ipaserver/plugins/session.py
+++ b/ipaserver/plugins/session.py
@@ -5,7 +5,6 @@
 from ipalib import Command
 from ipalib.request import context
 from ipalib.plugable import Registry
-from ipaserver.session import logout
 
 register = Registry()
 
@@ -21,7 +20,9 @@ def execute(self, *args, **options):
 ccache_name = getattr(context, 'ccache_name', None)
 if ccache_name is None:
 self.debug('session logout command: no ccache_name found')
+else:
+delattr(context, 'ccache_name')
 
-logout(ccache_name)
+setattr(context, 'logout_cookie', '')
 
 return dict(result=None)
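Review bot: `ccache_name` is read via `getattr` only to decide whether to `delattr` it, so the two statements can become `if hasattr(context, 'ccache_name'): delattr(context, 'ccache_name')` with the debug message in the else branch. More importantly, this hunk changes what "logout" means: the credential cache now stays on disk and only the cookie is invalidated. That is intentional per the commit message (parallel unattended sessions share the ccache), but a short code comment referencing ticket 6682 next to `setattr(context, 'logout_cookie', '')` would stop the next reader from "fixing" it back to unlinking the ccache.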
diff --git a/ipaserver/session.py b/ipaserver/session.py
deleted file mode 100644
index 6957feb..000
--- a/ipaserver/session.py
+++ /dev/null
@@ -1,34 +0,0 @@
-# Authors: John Dennis 
-#
-# Copyright (C) 2011  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see .
-
-import os
-
-from ipalib.request import context
-from ipalib.krb_utils import (
-krb5_parse_ccache,
-)
-
-
-def logout(ccache_name=None):
-if ccache_name is None:
-ccache_name = getattr(context, 'ccache_name', None)
-if ccache_name is not None:
-scheme, name = krb5_parse_ccache(ccache_name)
-if scheme == 'FILE':
-os.unlink(name)
-setattr(context, 'logout_cookie', '')
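Review bot: deleting ipaserver/session.py removes the only `logout()` implementation; the import in plugins/session.py is dropped in the first hunk, but grep the rest of the tree (including ipatests) for other `ipaserver.session` or `from ipaserver.session import` references before merging, since a stale import would only fail at plugin load time rather than in a unit test.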

From 1af969594ec1ce358c56bd15cd4a8fa88deeb22a Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 16 Feb 2017 13:29:10 -0500
Subject: [PATCH 2/2] Deduplicate session cookies in headers

This removes one of the 2 identical copies of the ipa_session cookie

Fixes https://fedorahosted.org/freeipa/ticket/6676

Signed-off-by: Simo Sorce 
---
 install/conf/ipa.conf | 5 +
 1 file changed, 5 insertions(+)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index f0330c5..635bfe5 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -79,6 +79,11 @@ WSGIScriptReloading Off
   WSGIApplicationGroup ipa
   Header always append X-Frame-Options DENY
   Header always append Content-Security-Policy "frame-ancestors 'none'"
+
+  # mod_session always sets two copies of the cookie, and this confuses our
+  # legacy clients, the unset here works because it ends up unsetting only one
+  # of the 2 header tables set by mod_session, leaving the other intact
+  Header unset Set-Cookie
 
 
 # Target for login with internal connections
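Review bot: the comment explains the symptom but not why `Header unset Set-Cookie` removes exactly one copy. Without the `always` condition, mod_headers acts only on the onsuccess (`headers_out`) table, while mod_session writes the cookie into both `headers_out` and `err_headers_out`, so the `err_headers_out` copy survives. Spell that out in the comment, and say explicitly that `Header always unset Set-Cookie` would remove both copies and break login. Since this depends on mod_session's internal behaviour, it deserves an integration test asserting that a login response carries exactly one `ipa_session` cookie.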
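The ipa.conf change in the message above works around mod_session emitting the `ipa_session` cookie twice. The following is an added example, not part of the FreeIPA patch: a small checker that parses a raw HTTP response header block and reports cookie names set more than once, distinguishing byte-identical repeats (the symptom the legacy clients tripped over) from repeats with differing values. The sample responses are constructed for this example; the cookie value and the domain `ipa.example.test` are placeholders.

```python
"""Report duplicated Set-Cookie headers in an HTTP response (added example)."""
from collections import OrderedDict


def parse_headers(raw):
    """Return [(name, value), ...] from a raw header block, keeping duplicates.

    Header names are lower-cased; the status line and the empty line that
    terminates the block are skipped.  Obsolete line folding is not handled.
    """
    headers = []
    for line in raw.split("\r\n"):
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_name(set_cookie_value):
    """Cookie name from a Set-Cookie value: the text before the first '='."""
    return set_cookie_value.split(";", 1)[0].split("=", 1)[0].strip()


def cookies_by_name(raw):
    """Group every Set-Cookie value by cookie name, preserving header order."""
    grouped = OrderedDict()
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            grouped.setdefault(cookie_name(value), []).append(value)
    return grouped


def duplicate_cookies(raw):
    """Cookie names set more than once, mapped to all their Set-Cookie values."""
    return {n: v for n, v in cookies_by_name(raw).items() if len(v) > 1}


def identical_duplicates(raw):
    """Names whose repeated Set-Cookie headers are byte-for-byte identical.

    This is the mod_session symptom: the same cookie emitted twice.  Repeats
    with differing values (e.g. a deletion followed by a new value) are
    reported by duplicate_cookies() but not here.
    """
    return sorted(n for n, v in duplicate_cookies(raw).items()
                  if len(set(v)) == 1)


# Constructed responses: the value and domain are placeholders, not real data.
_COOKIE = ("ipa_session=PLACEHOLDER-SESSION-VALUE; Domain=ipa.example.test; "
           "Path=/ipa; Secure; HttpOnly")

BEFORE_FIX = ("HTTP/1.1 200 OK\r\n"
              "Set-Cookie: " + _COOKIE + "\r\n"
              "Set-Cookie: " + _COOKIE + "\r\n"
              "Content-Type: application/json\r\n\r\n")

AFTER_FIX = ("HTTP/1.1 200 OK\r\n"
             "Set-Cookie: " + _COOKIE + "\r\n"
             "Content-Type: application/json\r\n\r\n")

# Same name twice with different values: a duplicate, but not the
# identical-copy symptom that the ipa.conf workaround targets.
DIFFERENT_VALUES = ("HTTP/1.1 200 OK\r\n"
                    "Set-Cookie: ipa_session=; Max-Age=0; Path=/ipa\r\n"
                    "Set-Cookie: " + _COOKIE + "\r\n\r\n")


if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label, identical_duplicates(raw))
```

Feeding the checker the raw header block of a real login response (for instance captured with `curl -i`) gives a quick regression check for the `Header unset Set-Cookie` line: the expected result after the fix is an empty list from `identical_duplicates()`.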

[Freeipa-devel] [freeipa PR#473][opened] Fix session/cookie related issues introduced with the privilege separation patches

2017-02-16 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/473
Author: simo5
 Title: #473: Fix session/cookie related issues introduced with the privilege separation patches
Action: opened

PR body:
"""
Fixes two bugs opened recently about double cookies being returned and ccache 
removal
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/473/head:pr473
git checkout pr473
From eae1b88a45329fceb385ab80ebf1beda6ab7f522 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 16 Feb 2017 11:07:31 -0500
Subject: [PATCH 1/2] Change session logout to kill only the cookie

Removing the ccache goes too far as it will cause unrelated sessions to
fail as well, this is a problem for accounts used to do unattended
operations and that may operate in parallel.

Fixes https://fedorahosted.org/freeipa/ticket/6682

Signed-off-by: Simo Sorce 
---
 ipaserver/plugins/session.py |  5 +++--
 ipaserver/session.py | 34 --
 2 files changed, 3 insertions(+), 36 deletions(-)
 delete mode 100644 ipaserver/session.py

diff --git a/ipaserver/plugins/session.py b/ipaserver/plugins/session.py
index c700ab9..8e480ed 100644
--- a/ipaserver/plugins/session.py
+++ b/ipaserver/plugins/session.py
@@ -5,7 +5,6 @@
 from ipalib import Command
 from ipalib.request import context
 from ipalib.plugable import Registry
-from ipaserver.session import logout
 
 register = Registry()
 
@@ -21,7 +20,9 @@ def execute(self, *args, **options):
 ccache_name = getattr(context, 'ccache_name', None)
 if ccache_name is None:
 self.debug('session logout command: no ccache_name found')
+else:
+delattr(context, 'ccache_name')
 
-logout(ccache_name)
+setattr(context, 'logout_cookie', '')
 
 return dict(result=None)
diff --git a/ipaserver/session.py b/ipaserver/session.py
deleted file mode 100644
index 6957feb..000
--- a/ipaserver/session.py
+++ /dev/null
@@ -1,34 +0,0 @@
-# Authors: John Dennis 
-#
-# Copyright (C) 2011  Red Hat
-# see file 'COPYING' for use and warranty information
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see .
-
-import os
-
-from ipalib.request import context
-from ipalib.krb_utils import (
-krb5_parse_ccache,
-)
-
-
-def logout(ccache_name=None):
-if ccache_name is None:
-ccache_name = getattr(context, 'ccache_name', None)
-if ccache_name is not None:
-scheme, name = krb5_parse_ccache(ccache_name)
-if scheme == 'FILE':
-os.unlink(name)
-setattr(context, 'logout_cookie', '')

From a40f8f8bd3597fe8748c523abeed5b554ab74920 Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Thu, 16 Feb 2017 13:29:10 -0500
Subject: [PATCH 2/2] Deduplicate session cookie in headers

This removes one of the 2 identical copies of the ipa_session cookie

Fixes https://fedorahosted.org/freeipa/ticket/6676

Signed-off-by: Simo Sorce 
---
 install/conf/ipa.conf | 5 +
 1 file changed, 5 insertions(+)

diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index f0330c5..635bfe5 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -79,6 +79,11 @@ WSGIScriptReloading Off
   WSGIApplicationGroup ipa
   Header always append X-Frame-Options DENY
   Header always append Content-Security-Policy "frame-ancestors 'none'"
+
+  # mod_session always sets two copies of the cookie, and this confuses our
+  # legacy clients, the unset here works because it ends up unsetting only one
+  # of the 2 header tables set by mod_session, leaving the other intact
+  Header unset Set-Cookie
 
 
 # Target for login with internal connections

[Freeipa-devel] [freeipa PR#446][synchronized] Add password file to certutil calls in ipapython.certdb module

2017-02-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: Add password file to certutil calls in ipapython.certdb module
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/446/head:pr446
git checkout pr446
From 301a98b12f6c0d61a7af1d5ff807520cff760f91 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Tue, 6 Dec 2016 09:14:54 +0100
Subject: [PATCH 1/2] Add password to certutil calls in NSSDatabase

NSSDatabases should call certutil with a password. Also, removed
`password_filename` argument from `.create_db()`.

https://fedorahosted.org/freeipa/ticket/5695
---
 install/tools/ipa-replica-conncheck|  9 +
 ipaclient/install/client.py| 17 +++--
 ipapython/certdb.py| 20 +++-
 ipaserver/install/cainstance.py| 23 +++
 ipaserver/install/ipa_cacert_manage.py |  6 ++
 ipaserver/install/server/upgrade.py|  6 ++
 6 files changed, 42 insertions(+), 39 deletions(-)

diff --git a/install/tools/ipa-replica-conncheck b/install/tools/ipa-replica-conncheck
index 04e23de..fdbd4f3 100755
--- a/install/tools/ipa-replica-conncheck
+++ b/install/tools/ipa-replica-conncheck
@@ -542,12 +542,7 @@ def main():
 
 with certdb.NSSDatabase(nss_dir) as nss_db:
 if options.ca_cert_file:
-nss_dir = nss_db.secdir
-
-password = ipautil.ipa_generate_password()
-password_file = ipautil.write_tmp_file(password)
-nss_db.create_db(password_file.name)
-
+nss_db.create_db()
 ca_certs = x509.load_certificate_list_from_file(
 options.ca_cert_file)
 for ca_cert in ca_certs:
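Review bot: the removed block generated a random password into a temporary file whose lifetime was tied to the `password_file` object; after this change `nss_db.create_db()` presumably writes the password into the database's own `pwd_file`, but nothing in this hunk shows that file being created with restrictive permissions or cleaned up together with the temporary NSS directory. Please confirm `create_db()` creates the password file mode 0600 and that the `with certdb.NSSDatabase(nss_dir)` exit removes it.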
@@ -555,8 +550,6 @@ def main():
 serialization.Encoding.DER)
 nss_db.add_cert(
 data, str(DN(ca_cert.subject)), 'C,,')
-else:
-nss_dir = None
 
 api.bootstrap(context='client',
   confdir=paths.ETC_IPA,
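Review bot: dropping `else: nss_dir = None` is a behaviour change, not just cleanup: previously `nss_dir` was reset to None when no --ca-cert-file was given, and the `api.bootstrap(...)` call right below presumably receives it. With the else branch gone, `nss_dir` keeps whatever value it had before the `with` block. Either keep the else branch or show that bootstrap no longer takes `nss_dir`.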
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 2b01b0d..e43ec7b 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2284,18 +2284,8 @@ def install_check(options):
 
 def create_ipa_nssdb():
 db = certdb.NSSDatabase(paths.IPA_NSSDB_DIR)
-pwdfile = os.path.join(db.secdir, 'pwdfile.txt')
-
-ipautil.backup_file(pwdfile)
-ipautil.backup_file(os.path.join(db.secdir, 'cert8.db'))
-ipautil.backup_file(os.path.join(db.secdir, 'key3.db'))
-ipautil.backup_file(os.path.join(db.secdir, 'secmod.db'))
-
-with open(pwdfile, 'w') as f:
-f.write(ipautil.ipa_generate_password())
-os.chmod(pwdfile, 0o600)
-
-db.create_db(pwdfile)
+db.create_db(backup=True)
+os.chmod(db.pwd_file, 0o600)
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
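Review bot: `os.chmod(db.pwd_file, 0o600)` after `create_db()` leaves a window in which the password file exists with umask-derived permissions; prefer creating it inside `create_db()` with `os.open(path, os.O_WRONLY | os.O_CREAT, 0o600)` so it is never readable by others, and drop the chmod here. Also, the explicit `ipautil.backup_file(pwdfile)` was removed; confirm that `backup=True` backs up `pwdfile.txt` as well, otherwise an existing password file is overwritten without a copy.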
@@ -2667,8 +2657,7 @@ def _install(options):
 for cert in ca_certs
 ]
 try:
-pwd_file = ipautil.write_tmp_file(ipautil.ipa_generate_password())
-tmp_db.create_db(pwd_file.name)
+tmp_db.create_db()
 
 for i, cert in enumerate(ca_certs):
 tmp_db.add_cert(cert, 'CA certificate %d' % (i + 1), 'C,,')
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index a6bfcbc..73387cf 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -17,7 +17,6 @@
 # along with this program.  If not, see .
 #
 
-import binascii
 import os
 import io
 import pwd
@@ -112,13 +111,12 @@ def __exit__(self, type, value, tb):
 def run_certutil(self, args, stdin=None, **kwargs):
 new_args = [CERTUTIL, "-d", self.secdir]
 new_args = new_args + args
+new_args.extend(['-f', self.pwd_file])
 return ipautil.run(new_args, stdin, **kwargs)
 
-def create_db(self, password_filename=None, user=None, group=None,
-  mode=None, backup=False):
+def create_db(self, user=None, group=None, mode=None, backup=False):
 """Create cert DB
 
-:param password_filename: Name of file containing the database password
 :param user: User owner the secdir
 :param group: Group owner of the secdir
 :param mode: Mode of the secdir
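Review bot: `new_args.extend(['-f', self.pwd_file])` appends the password file to every certutil invocation and so assumes the file exists for all operations; certutil will fail for anything run before `create_db()` has written it, or against a database created by other tooling without that file. Guard it with `os.path.exists(self.pwd_file)` or let callers opt out, and note in the `run_certutil` docstring that `-f` is implied. Removing `password_filename` from the `create_db` docstring is correct.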
@@ -145,19 +143,15 @@ def create_db(self, password_filename=None, user=None, group=None,
 if not os.path.exists(self.secdir):
 os.makedirs(self.secdir, dirmode)
 
-if password_filename is None:
-password_filename = self.pwd_file
-
-if not os.path.exists(password_filename):
+  

[Freeipa-devel] [freeipa PR#454][synchronized] Move AD trust installation code to a separate module

2017-02-16 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/454
Author: martbab
 Title: #454: Move AD trust installation code to a separate module
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/454/head:pr454
git checkout pr454
From ea2ba13a1c545259fcb69680f72ba2640894c335 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 8 Feb 2017 17:02:09 +0100
Subject: [PATCH] Move AD trust installation code to a separate module

This facilitates calling the necessary checks and configuration code as
a module from e.g. a composite installer. The code that checks for the
admin credentials stays in the standalone installer as the code inside
the adtrust module is expected to operate also without admin
credentials.

https://fedorahosted.org/freeipa/ticket/6629
---
 install/tools/ipa-adtrust-install | 349 +-
 ipaserver/install/adtrust.py  | 382 ++
 2 files changed, 389 insertions(+), 342 deletions(-)
 create mode 100644 ipaserver/install/adtrust.py

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index b504c08..443c3c4 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -25,27 +25,24 @@ from __future__ import print_function
 
 import os
 import sys
-import ldap
 
 import six
 
 from optparse import SUPPRESS_HELP  # pylint: disable=deprecated-module
 
 from ipalib.install import sysrestore
-from ipaserver.install import adtrustinstance
+from ipaserver.install import adtrust
 from ipaserver.install.installutils import (
 read_password,
 check_server_configuration,
 run_script)
-from ipaserver.install import service
 from ipapython.admintool import ScriptError
 from ipapython import version
-from ipapython import ipautil, ipaldap
+from ipapython import ipautil
 from ipalib import api, errors, krb_utils
 from ipapython.config import IPAOptionParser
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipapython.dn import DN
 
 if six.PY3:
 unicode = str
@@ -98,35 +95,6 @@ def parse_options():
 return safe_options, options
 
 
-def netbios_name_error(name):
-print("\nIllegal NetBIOS name [%s].\n" % name)
-print("Up to 15 characters and only uppercase ASCII letters, digits "
-  "and dashes are allowed. Empty string is not allowed.")
-
-
-def read_netbios_name(netbios_default):
-netbios_name = ""
-
-print("Enter the NetBIOS name for the IPA domain.")
-print("Only up to 15 uppercase ASCII letters, digits "
-  "and dashes are allowed.")
-print("Example: EXAMPLE.")
-print("")
-print("")
-if not netbios_default:
-netbios_default = "EXAMPLE"
-while True:
-netbios_name = ipautil.user_input(
-"NetBIOS domain name", netbios_default, allow_empty=False)
-print("")
-if adtrustinstance.check_netbios_name(netbios_name):
-break
-
-netbios_name_error(netbios_name)
-
-return netbios_name
-
-
 def read_admin_password(admin_name):
 print("Configuring cross-realm trusts for IPA server requires password "
   "for user '%s'." % (admin_name))
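Review bot: the removed helpers called `adtrustinstance.check_netbios_name`, and the first hunk drops the `adtrustinstance`, `service`, `ipaldap`, `ldap` and `DN` imports; grep the remainder of this script (the part not shown here) for leftover uses of those names, since a dangling reference would only fail at runtime when that code path is reached, not at import time.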
@@ -137,95 +105,6 @@ def read_admin_password(admin_name):
 return admin_password
 
 
-def set_and_check_netbios_name(netbios_name, unattended):
-"""
-Depending if trust in already configured or not a given NetBIOS domain
-name must be handled differently.
-
-If trust is not configured the given NetBIOS is used or the NetBIOS is
-generated if none was given on the command line.
-
-If trust is  already configured the given NetBIOS name is used to reset
-the stored NetBIOS name it it differs from the current one.
-"""
-
-flat_name_attr = 'ipantflatname'
-cur_netbios_name = None
-gen_netbios_name = None
-reset_netbios_name = False
-entry = None
-
-try:
-entry = api.Backend.ldap2.get_entry(
-DN(('cn', api.env.domain), api.env.container_cifsdomains,
-   ipautil.realm_to_suffix(api.env.realm)),
-[flat_name_attr])
-except errors.NotFound:
-# trust not configured
-pass
-else:
-cur_netbios_name = entry.get(flat_name_attr)[0]
-
-if cur_netbios_name and not netbios_name:
-# keep the current NetBIOS name
-netbios_name = cur_netbios_name
-reset_netbios_name = False
-elif cur_netbios_name and cur_netbios_name != netbios_name:
-# change the NetBIOS name
-print("Current NetBIOS domain name is %s, new name is %s.\n"
-  % (cur_netbios_name, netbios_name))
-print("Please note that changing the NetBIOS name might "
-  "break existing trust relationships.")
-if unattended:
-reset_netbios_name = True
-print("NetBIOS domain name will be changed to %s

[Freeipa-devel] [freeipa PR#396][+ack] Explicitly remove support of SSLv2

2017-02-16 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

Label: +ack

[Freeipa-devel] [freeipa PR#465][+ack] Tests: search for disabled users

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

Label: +ack

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-16 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
If you request a new keytab you should clean up the ccache?
If we have a way to run the post exec command as the right user and with the 
right /tmp (httpd unit file uses namespaced /tmp) we could keep this code in the 
unit file I guess, although it would be wasteful in most cases when ccache does 
not change...
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280377329

[Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users

2017-02-16 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

MartinBasti commented:
"""
@stlaz That means that any *-find command may work unexpectedly with a 
non-mandatory attribute. For this case you must get all active users by 
`user-find --disabled=false` + `user-find --disabled=`
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/465#issuecomment-280377270

[Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

stlaz commented:
"""
Does that mean that `user-find` no longer works?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/465#issuecomment-280374785

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-16 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

MartinBasti commented:
"""
how about @martbab's comment?

https://github.com/freeipa/freeipa/pull/468#issuecomment-280056786

> However the restore use-case is not the only one which can result into stale 
> ccache, I can also think about requesting new Apache keytab, restarting the 
> service and be left with a stale ccache and key mismatch again.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280372861

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-16 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
If this is about backup/restore, add a kdestroy ccache in the restore scripts, 
making sure it su - apache first
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280370010

[Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users

2017-02-16 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

MartinBasti commented:
"""
No, because according to @HonzaCholasta this is expected framework behavior
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/465#issuecomment-280366327

[Freeipa-devel] [freeipa PR#468][synchronized] Remove non-sensical kdestroy on https stop

2017-02-16 Thread simo5
   URL: https://github.com/freeipa/freeipa/pull/468
Author: simo5
 Title: #468: Remove non-sensical kdestroy on https stop
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/468/head:pr468
git checkout pr468
From fc6194388470b43a7eca11029d955b3a9c1e7c5c Mon Sep 17 00:00:00 2001
From: Simo Sorce 
Date: Wed, 15 Feb 2017 04:44:59 -0500
Subject: [PATCH] Remove non-sensical kdestroy on https stop

This kdestroy runs as root and wipes root's own ccaches ...
this is totally inappropriate.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce 
---
 install/share/ipa-httpd.conf.template | 1 -
 ipaplatform/redhat/tasks.py   | 1 -
 2 files changed, 2 deletions(-)

diff --git a/install/share/ipa-httpd.conf.template b/install/share/ipa-httpd.conf.template
index 8822066..d36ca81 100644
--- a/install/share/ipa-httpd.conf.template
+++ b/install/share/ipa-httpd.conf.template
@@ -4,4 +4,3 @@
 Environment=GSS_USE_PROXY=yes
 Environment=KDCPROXY_CONFIG=$KDCPROXY_CONFIG
 ExecStartPre=$IPA_HTTPD_KDCPROXY
-ExecStopPost=$POST
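Review bot: dropping `ExecStopPost=$POST` removes the only cleanup of the httpd credential cache on stop, so the stale-ccache-after-restore case raised in this thread (martbab's and MartinBasti's comments) becomes unhandled; pair this with a cleanup in the restore path that runs as the `apache` user, as simo5 suggests, otherwise the backup/restore CI will keep failing on a key mismatch unrelated to the change under test.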
diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py
index 5bddd14..a5f0077 100644
--- a/ipaplatform/redhat/tasks.py
+++ b/ipaplatform/redhat/tasks.py
@@ -458,7 +458,6 @@ def configure_httpd_service_ipa_conf(self):
 dict(
 KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
 IPA_HTTPD_KDCPROXY=paths.IPA_HTTPD_KDCPROXY,
-POST='-{kdestroy} -A'.format(kdestroy=paths.KDESTROY)
 )
 )
 
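Review bot: `POST='-{kdestroy} -A'` ran in the unit's root context and `-A` destroys every cache in the invoking user's collection rather than only the service's, which is the behaviour the commit message objects to; if a replacement cleanup is ever reintroduced, scope it to the httpd service user's own ccache instead of reviving this substitution.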

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-16 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

MartinBasti commented:
"""
@simo5 any ideas how this should be fixed? We cannot push this patch without 
additional fix of removing outdated ccache because it will cause permanent fail 
of CI for backup/restore and it will mask real issues.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280360540

[Freeipa-devel] [freeipa PR#396][synchronized] Explicitly remove support of SSLv2

2017-02-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/396
Author: stlaz
 Title: #396: Explicitly remove support of SSLv2
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/396/head:pr396
git checkout pr396
From 661ed55292dda18f1f09f89af883086f9b5a7ab0 Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Fri, 13 Jan 2017 12:31:29 +0100
Subject: [PATCH] Explicitly remove support of SSLv2/3

It was possible to set tls_version_min/max to 'ssl2' or 'ssl3',
even though newer versions of NSS will fail to set this as a valid
TLS version. This patch explicitly checks for deprecated TLS versions
prior to creating a TLS connection.

Also, we don't allow tls_version_min/max to be set to a random
string anymore.

https://fedorahosted.org/freeipa/ticket/6607
---
 ipalib/config.py| 27 ++--
 ipalib/constants.py | 10 +
 ipapython/nsslib.py | 61 +++--
 3 files changed, 94 insertions(+), 4 deletions(-)

diff --git a/ipalib/config.py b/ipalib/config.py
index 20591db..1a59879 100644
--- a/ipalib/config.py
+++ b/ipalib/config.py
@@ -41,8 +41,11 @@
 
 from ipapython.dn import DN
 from ipalib.base import check_name
-from ipalib.constants import CONFIG_SECTION
-from ipalib.constants import OVERRIDE_ERROR, SET_ERROR, DEL_ERROR
+from ipalib.constants import (
+CONFIG_SECTION,
+OVERRIDE_ERROR, SET_ERROR, DEL_ERROR,
+TLS_VERSIONS
+)
 from ipalib import errors
 
 if six.PY3:
@@ -578,6 +581,26 @@ def _finalize_core(self, **defaults):
 
 self._merge(**defaults)
 
+# set the best known TLS version if min/max versions are not set
+if 'tls_version_min' not in self:
+self.tls_version_min = TLS_VERSIONS[-1]
+elif self.tls_version_min not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_min."
+.format(ver=self.tls_version_min))
+
+if 'tls_version_max' not in self:
+self.tls_version_max = TLS_VERSIONS[-1]
+elif self.tls_version_max not in TLS_VERSIONS:
+raise errors.EnvironmentError(
+"Unknown TLS version '{ver}' set in tls_version_max."
+.format(ver=self.tls_version_max))
+
+if self.tls_version_max < self.tls_version_min:
+raise errors.EnvironmentError(
+"tls_version_min is set to a higher TLS version than "
+"tls_version_max.")
+
 def _finalize(self, **lastchance):
 """
 Finalize and lock environment.
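Review bot: `if self.tls_version_max < self.tls_version_min:` compares the version labels as strings, so the ordering only holds by the accident of spelling (`"ssl3" < "tls1.0"` because `'s' < 't'`); compare positions instead, e.g. `TLS_VERSIONS.index(self.tls_version_max) < TLS_VERSIONS.index(self.tls_version_min)`, which is also what the new `get_proper_tls_version_span` in `nsslib.py` does. Also, the comment says "best known" but both defaults are `TLS_VERSIONS[-1]`, so an unset min/max pins connections to a single version; if that is intended, state it in the comment.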
diff --git a/ipalib/constants.py b/ipalib/constants.py
index fa20624..e64324f 100644
--- a/ipalib/constants.py
+++ b/ipalib/constants.py
@@ -283,3 +283,13 @@
 # IPA API Framework user
 IPAAPI_USER = 'ipaapi'
 IPAAPI_GROUP = 'ipaapi'
+
+# TLS related constants
+TLS_VERSIONS = [
+"ssl2",
+"ssl3",
+"tls1.0",
+"tls1.1",
+"tls1.2"
+]
+TLS_VERSION_MINIMAL = "tls1.0"
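Review bot: the order of `TLS_VERSIONS` is load-bearing (the index comparisons against `TLS_VERSION_MINIMAL` in `nsslib.py` assume oldest-to-newest), so add a comment that the list must stay in protocol order, and note why `ssl2`/`ssl3` are listed at all: per the `get_proper_tls_version_span` docstring a configured value below `TLS_VERSION_MINIMAL` is recognised and raised rather than rejected as unknown.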
diff --git a/ipapython/nsslib.py b/ipapython/nsslib.py
index 08d05fc..97bbf64 100644
--- a/ipapython/nsslib.py
+++ b/ipapython/nsslib.py
@@ -23,6 +23,8 @@
 import getpass
 import socket
 from ipapython.ipa_log_manager import root_logger
+from ipapython.ipa_log_manager import log_mgr
+from ipalib.constants import TLS_VERSIONS, TLS_VERSION_MINIMAL
 
 from nss.error import NSPRError
 import nss.io as io
@@ -38,6 +40,9 @@
 # pylint: disable=import-error
 import http.client as httplib
 
+# get a logger for this module
+logger = log_mgr.get_logger(__name__)
+
 # NSS database currently open
 current_dbdir = None
 
@@ -129,6 +134,56 @@ def client_auth_data_callback(ca_names, chosen_nickname, password, certdb):
 socket.AF_UNSPEC: io.PR_AF_UNSPEC
 }
 
+
+def get_proper_tls_version_span(tls_version_min, tls_version_max):
+"""
+This function checks whether the given TLS versions are known in FreeIPA
+and that these versions fulfill the requirements for minimal TLS version
+(see `ipalib.constants: TLS_VERSIONS, TLS_VERSION_MINIMAL`).
+
+:param tls_version_min:
+the lower value in the TLS min-max span, raised to the lowest allowed
+value if too low
+:param tls_version_max:
+the higher value in the TLS min-max span, raised to tls_version_min
+if lower than TLS_VERSION_MINIMAL
+:raises: ValueError
+"""
+min_allowed_idx = TLS_VERSIONS.index(TLS_VERSION_MINIMAL)
+
+try:
+min_version_idx = TLS_VERSIONS.index(tls_version_min)
+except ValueError:
+raise ValueError("tls_version_min ('{val}') is not a known "
+ "TLS version.".format(val=tls_version_min))
+
+try:
+max_version_idx = TLS_VERSIONS.index(tls_version_max)
+except ValueError:
+raise ValueError("tls_version_max ('{val}') is not a known "
+ "TLS version.".format(val=tls_version_max))
+
+if min_version_idx > ma
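Review bot: the docstring promises that a too-low `tls_version_min` is silently raised to `TLS_VERSION_MINIMAL` and `tls_version_max` to `tls_version_min`; log each such adjustment through the module `logger` added above (warning level) so an operator who deliberately set a lower value can see it was overridden, and add unit tests for the cases the two `ValueError` branches and the span check cover (unknown min, unknown max, min below minimal, max below min, valid span).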

[Freeipa-devel] [freeipa PR#454][synchronized] Move AD trust installation code to a separate module

2017-02-16 Thread martbab
   URL: https://github.com/freeipa/freeipa/pull/454
Author: martbab
 Title: #454: Move AD trust installation code to a separate module
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/454/head:pr454
git checkout pr454
From ce9cdf7e78d3325095a94ce525354544869e5481 Mon Sep 17 00:00:00 2001
From: Martin Babinsky 
Date: Wed, 8 Feb 2017 17:02:09 +0100
Subject: [PATCH] Move AD trust installation code to a separate module

This facilitates calling the necessary checks and configuration code as
a module from e.g. a composite installer. The code that checks for the
admin credentials stays in the standalone installer as the code inside
the adtrust module is expected to operate also without admin
credentials.

https://fedorahosted.org/freeipa/ticket/6629
---
 install/tools/ipa-adtrust-install | 349 +--
 ipaserver/install/adtrust.py  | 371 ++
 2 files changed, 378 insertions(+), 342 deletions(-)
 create mode 100644 ipaserver/install/adtrust.py

diff --git a/install/tools/ipa-adtrust-install b/install/tools/ipa-adtrust-install
index b504c08..443c3c4 100755
--- a/install/tools/ipa-adtrust-install
+++ b/install/tools/ipa-adtrust-install
@@ -25,27 +25,24 @@ from __future__ import print_function
 
 import os
 import sys
-import ldap
 
 import six
 
 from optparse import SUPPRESS_HELP  # pylint: disable=deprecated-module
 
 from ipalib.install import sysrestore
-from ipaserver.install import adtrustinstance
+from ipaserver.install import adtrust
 from ipaserver.install.installutils import (
 read_password,
 check_server_configuration,
 run_script)
-from ipaserver.install import service
 from ipapython.admintool import ScriptError
 from ipapython import version
-from ipapython import ipautil, ipaldap
+from ipapython import ipautil
 from ipalib import api, errors, krb_utils
 from ipapython.config import IPAOptionParser
 from ipaplatform.paths import paths
 from ipapython.ipa_log_manager import root_logger, standard_logging_setup
-from ipapython.dn import DN
 
 if six.PY3:
 unicode = str
@@ -98,35 +95,6 @@ def parse_options():
 return safe_options, options
 
 
-def netbios_name_error(name):
-print("\nIllegal NetBIOS name [%s].\n" % name)
-print("Up to 15 characters and only uppercase ASCII letters, digits "
-  "and dashes are allowed. Empty string is not allowed.")
-
-
-def read_netbios_name(netbios_default):
-netbios_name = ""
-
-print("Enter the NetBIOS name for the IPA domain.")
-print("Only up to 15 uppercase ASCII letters, digits "
-  "and dashes are allowed.")
-print("Example: EXAMPLE.")
-print("")
-print("")
-if not netbios_default:
-netbios_default = "EXAMPLE"
-while True:
-netbios_name = ipautil.user_input(
-"NetBIOS domain name", netbios_default, allow_empty=False)
-print("")
-if adtrustinstance.check_netbios_name(netbios_name):
-break
-
-netbios_name_error(netbios_name)
-
-return netbios_name
-
-
 def read_admin_password(admin_name):
 print("Configuring cross-realm trusts for IPA server requires password "
   "for user '%s'." % (admin_name))
@@ -137,95 +105,6 @@ def read_admin_password(admin_name):
 return admin_password
 
 
-def set_and_check_netbios_name(netbios_name, unattended):
-"""
-Depending if trust in already configured or not a given NetBIOS domain
-name must be handled differently.
-
-If trust is not configured the given NetBIOS is used or the NetBIOS is
-generated if none was given on the command line.
-
-If trust is  already configured the given NetBIOS name is used to reset
-the stored NetBIOS name it it differs from the current one.
-"""
-
-flat_name_attr = 'ipantflatname'
-cur_netbios_name = None
-gen_netbios_name = None
-reset_netbios_name = False
-entry = None
-
-try:
-entry = api.Backend.ldap2.get_entry(
-DN(('cn', api.env.domain), api.env.container_cifsdomains,
-   ipautil.realm_to_suffix(api.env.realm)),
-[flat_name_attr])
-except errors.NotFound:
-# trust not configured
-pass
-else:
-cur_netbios_name = entry.get(flat_name_attr)[0]
-
-if cur_netbios_name and not netbios_name:
-# keep the current NetBIOS name
-netbios_name = cur_netbios_name
-reset_netbios_name = False
-elif cur_netbios_name and cur_netbios_name != netbios_name:
-# change the NetBIOS name
-print("Current NetBIOS domain name is %s, new name is %s.\n"
-  % (cur_netbios_name, netbios_name))
-print("Please note that changing the NetBIOS name might "
-  "break existing trust relationships.")
-if unattended:
-reset_netbios_name = True
-print("NetBIOS domain name will be changed to %

[Freeipa-devel] [freeipa PR#464][-ack] Bump required python-cryptography version

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

Label: -ack

[Freeipa-devel] [freeipa PR#464][-pushed] Bump required python-cryptography version

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

Label: -pushed

[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

stlaz commented:
"""
Didn't realize we need that as well now, patch is in this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/464#issuecomment-280358488

[Freeipa-devel] [freeipa PR#464][synchronized] Bump required python-cryptography version

2017-02-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
 Title: #464: Bump required python-cryptography version
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464
From eaed208591eaf587ef33c43e4df0f5b3ab92214b Mon Sep 17 00:00:00 2001
From: Stanislav Laznicka 
Date: Thu, 16 Feb 2017 16:14:24 +0100
Subject: [PATCH] Bump python-cryptography version in ipasetup.py.in

When bumping version of python-cryptography in freeipa.spec.in,
ipasetup.py.in was forgotten about.
---
 ipasetup.py.in | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ipasetup.py.in b/ipasetup.py.in
index c221e0d..915f0ed 100644
--- a/ipasetup.py.in
+++ b/ipasetup.py.in
@@ -63,7 +63,7 @@ if SETUPTOOLS_VERSION < (8, 0, 0):
 
 
 PACKAGE_VERSION = {
-'cryptography': 'cryptography >= 1.3.1',
+'cryptography': 'cryptography >= 1.4',
 'dnspython': 'dnspython >= 1.15',
 'gssapi': 'gssapi >= 1.2.0',
 'ipaclient': 'ipaclient == {}'.format(VERSION),
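Review bot: `'cryptography >= 1.4'` now has to match the requirement in `freeipa.spec.in`, which is exactly what the commit message says was forgotten; to keep the two from drifting again, add a comment in each file pointing at the other, or a small build-time check that fails when the two minimum versions differ.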

[Freeipa-devel] [freeipa PR#468][comment] Remove non-sensical kdestroy on https stop

2017-02-16 Thread simo5
  URL: https://github.com/freeipa/freeipa/pull/468
Title: #468: Remove non-sensical kdestroy on https stop

simo5 commented:
"""
@MartinBasti the unit files are the wrong place to destroy ccaches, especially 
given they run as a different user (root) and may not have access to destroy 
stuff when we start using KCM.
If we need clear ccaches then we need a different plan, please reopen the 
original bug, and push this PR to fix the impeding issue.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/468#issuecomment-280357949

[Freeipa-devel] [freeipa PR#448][synchronized] Tests: Basic coverage with tree root domain

2017-02-16 Thread gkaihorodova
   URL: https://github.com/freeipa/freeipa/pull/448
Author: gkaihorodova
 Title: #448: Tests: Basic coverage with tree root domain
Action: synchronized

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/448/head:pr448
git checkout pr448
From 9ec4a2d23e40e0949ac135519439a8b459455201 Mon Sep 17 00:00:00 2001
From: Ganna Kaihorodova 
Date: Wed, 8 Feb 2017 11:38:08 +0100
Subject: [PATCH] Tests: Basic coverage with tree root domain

Extend existing legacy client tests to cover test cases with tree root domain.

https://fedorahosted.org/freeipa/ticket/6489
---
 ipatests/test_integration/test_legacy_clients.py | 91 +++-
 1 file changed, 90 insertions(+), 1 deletion(-)

diff --git a/ipatests/test_integration/test_legacy_clients.py b/ipatests/test_integration/test_legacy_clients.py
index 8bd680a..3f33ac0 100644
--- a/ipatests/test_integration/test_legacy_clients.py
+++ b/ipatests/test_integration/test_legacy_clients.py
@@ -58,6 +58,8 @@ class BaseTestLegacyClient(object):
 testuser_gid_regex = None
 subdomain_testuser_uid_regex = None
 subdomain_testuser_gid_regex = None
+treedomain_testuser_uid_regex = None
+treedomain_testuser_gid_regex = None
 
 # To allow custom validation dependent on the trust type
 posix_trust = False
@@ -326,6 +328,81 @@ def test_login_disabled_subdomain_ad_user(self):
 
 assert result.returncode != 0
 
+def test_getent_treedomain_ad_user(self):
+if not self.ad_treedomain:
+raise nose.SkipTest('AD tree root domain is not available.')
+
+self.clear_sssd_caches()
+testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
+result = self.legacy_client.run_command(['getent', 'passwd', testuser])
+
+testuser_regex = ("treetestuser@{0}:\*:{1}:{2}:TreeTest User:"
+  "/home/{0}/treetestuser:/bin/sh".format(
+  re.escape(self.ad_treedomain),
+  self.treedomain_testuser_uid_regex,
+  self.treedomain_testuser_gid_regex))
+
+assert re.search(testuser_regex, result.stdout_text)
+
+def test_getent_treedomain_ad_group(self):
+if not self.ad_treedomain:
+raise nose.SkipTest('AD tree root domain is not available')
+
+self.clear_sssd_caches()
+testgroup = 'treetestgroup@{0}'.format(self.ad_treedomain)
+result = self.legacy_client.run_command(['getent', 'group', testgroup])
+
+testgroup_stdout = "{0}:\*:{1}:".format(
+   testgroup, self.treedomain_testuser_gid_regex)
+
+assert re.search(testgroup_stdout, result.stdout_text)
+
+def test_id_treedomain_ad_user(self):
+if not self.ad_treedomain:
+raise nose.SkipTest('AD tree root domain is not available')
+
+self.clear_sssd_caches()
+
+testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
+testgroup = 'treetestgroup@{0}'.format(self.ad_treedomain)
+
+result = self.legacy_client.run_command(['id', testuser])
+
+# Only for POSIX trust testing does the testuser belong to the
+# testgroup
+
+group_name = '\({}\)'.format(testgroup) if self.posix_trust else ''
+
+uid_regex = "uid={0}\({1}\)".format(
+self.treedomain_testuser_uid_regex, testuser)
+
+gid_regex = "gid={0}{1}".format(
+self.treedomain_testuser_gid_regex, group_name)
+
+group_regex = "groups={0}{1}".format(
+  self.treedomain_testuser_gid_regex, group_name)
+
+assert re.search(uid_regex, result.stdout_text)
+assert re.search(gid_regex, result.stdout_text)
+assert re.search(group_regex, result.stdout_text)
+
+def test_login_treedomain_ad_user(self):
+if not self.ad_treedomain:
+raise nose.SkipTest('AD tree root domain is not available.')
+
+if not self.master.transport.file_exists('/usr/bin/sshpass'):
+raise nose.SkipTest('Package sshpass not available on {}'.format(
+self.master.hostname))
+
+result = self.master.run_command(
+'sshpass -p {0} ssh -o StrictHostKeyChecking=no '
+'-l admin {1} "echo test"'.format(
+self.legacy_client.config.admin_password,
+self.legacy_client.external_hostname))
+
+assert "test" in result.stdout_text
+
+
 @classmethod
 def install(cls, mh):
 super(BaseTestLegacyClient, cls).install(mh)
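Review bot: `test_login_treedomain_ad_user` logs in as `admin` with `self.legacy_client.config.admin_password`, so it never exercises the tree-domain user its name and skip message refer to; either log in as `treetestuser@{ad_treedomain}` or rename the test, because as written it passes even when tree-domain logins are broken. Separately, regexes such as `"treetestuser@{0}:\*:{1}:{2}:TreeTest User:"` and `'\({}\)'` are non-raw strings containing `\*` and `\(`, which are invalid escape sequences; make them raw strings (`r"..."`). Passing the password via `sshpass -p` also exposes it on the command line to anyone running `ps` on the master for the duration of the call; `sshpass -e` with the password in the environment avoids that. Finally, the two blank lines before `@classmethod` inside the class body should be one.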
@@ -354,10 +431,18 @@ def install(cls, mh):
 try:
 child_ad = cls.host_by_role(cls.optional_extra_roles[0])
 cls.ad_subdomain = '.'.join(
-   child_ad.hostname.split('.')[1:])
+child_ad.hostname.split('.')[1:])
 except LookupError:
 cls.ad_subdomain = None
 
+# Determin

[Freeipa-devel] [freeipa PR#464][reopened] Bump required python-cryptography version

2017-02-16 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/464
Author: stlaz
 Title: #464: Bump required python-cryptography version
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/464/head:pr464
git checkout pr464

[Freeipa-devel] [freeipa PR#464][comment] Bump required python-cryptography version

2017-02-16 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/464
Title: #464: Bump required python-cryptography version

tiran commented:
"""
`ipasetup.py.in` hasn't been updated.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/464#issuecomment-280347773

[Freeipa-devel] [freeipa PR#472][opened] Packaging: Add placeholder packages

2017-02-16 Thread tiran
   URL: https://github.com/freeipa/freeipa/pull/472
Author: tiran
 Title: #472: Packaging: Add placeholder packages
Action: opened

PR body:
"""
The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes 

The new PR provides just the two placeholder packages from PR #379.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/472/head:pr472
git checkout pr472
From 12184517863aef5dd29ed4705d33ca1eedea3220 Mon Sep 17 00:00:00 2001
From: Christian Heimes 
Date: Thu, 16 Feb 2017 15:27:49 +0100
Subject: [PATCH] Packaging: Add placeholder packages

The ipa and freeipa packages are placeholders to prevent PyPI squashing
attacks and reserve the names for future use. `pip install ipa` installs
ipaclient.

Signed-off-by: Christian Heimes 
---
 Makefile.am   |  4 +++-
 Makefile.python.am| 21 +
 configure.ac  |  3 +++
 packaging/Makefile.am | 10 ++
 packaging/freeipa/Makefile.am |  3 +++
 packaging/freeipa/README.txt  |  2 ++
 packaging/freeipa/setup.cfg   |  6 ++
 packaging/freeipa/setup.py| 23 +++
 packaging/ipa/Makefile.am |  3 +++
 packaging/ipa/README.txt  |  2 ++
 packaging/ipa/setup.cfg   |  6 ++
 packaging/ipa/setup.py| 23 +++
 12 files changed, 97 insertions(+), 9 deletions(-)
 create mode 100644 packaging/Makefile.am
 create mode 100644 packaging/freeipa/Makefile.am
 create mode 100644 packaging/freeipa/README.txt
 create mode 100644 packaging/freeipa/setup.cfg
 create mode 100755 packaging/freeipa/setup.py
 create mode 100644 packaging/ipa/Makefile.am
 create mode 100644 packaging/ipa/README.txt
 create mode 100644 packaging/ipa/setup.cfg
 create mode 100755 packaging/ipa/setup.py

diff --git a/Makefile.am b/Makefile.am
index 30ad9bb..a6faa11 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,7 +1,7 @@
 ACLOCAL_AMFLAGS = -I m4
 
 IPACLIENT_SUBDIRS = ipaclient ipalib ipapython
-SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests po
+SUBDIRS = asn1 util client contrib daemons init install $(IPACLIENT_SUBDIRS) ipaplatform ipaserver ipatests packaging po
 
 MOSTLYCLEANFILES = ipasetup.pyc ipasetup.pyo \
 		   ignore_import_errors.pyc ignore_import_errors.pyo \
@@ -206,6 +206,8 @@ $(WHEELBUNDLEDIR):
 	mkdir -p $(WHEELBUNDLEDIR)
 
 bdist_wheel: $(WHEELDISTDIR)
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa bdist_wheel || exit 1;
+	$(MAKE) $(AM_MAKEFLAGS) -C packaging/freeipa bdist_wheel || exit 1;
 	for dir in $(IPACLIENT_SUBDIRS); do \
 	$(MAKE) $(AM_MAKEFLAGS) -C $${dir} $@ || exit 1; \
 	done
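Review bot: the two new `$(MAKE) $(AM_MAKEFLAGS) -C packaging/ipa` and `-C packaging/freeipa` lines duplicate the loop directly below them; put the two directories in a variable (e.g. `PLACEHOLDER_SUBDIRS`) and loop over it like `IPACLIENT_SUBDIRS`, so a future placeholder package is not forgotten in one of the two places.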
diff --git a/Makefile.python.am b/Makefile.python.am
index 665893f..9c34fe3 100644
--- a/Makefile.python.am
+++ b/Makefile.python.am
@@ -1,5 +1,6 @@
 pkgname = $(shell basename "$(abs_srcdir)")
 pkgpythondir = $(pythondir)/$(pkgname)
+pkginstall = true
 
 if VERBOSE_MAKE
 VERBOSITY="--verbose"
@@ -19,16 +20,20 @@ all-local: $(top_builddir)/ipasetup.py
 		--build-base "$(abs_builddir)/build"
 
 install-exec-local: $(top_builddir)/ipasetup.py
-	$(PYTHON) $(srcdir)/setup.py \
-		$(VERBOSITY) \
-		install \
-		--prefix "$(DESTDIR)$(prefix)" \
-		--single-version-externally-managed \
-		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
-		--optimize 1
+	if [ "x$(pkginstall)" = "xtrue" ]; then \
+	$(PYTHON) $(srcdir)/setup.py \
+		$(VERBOSITY) \
+		install \
+		--prefix "$(DESTDIR)$(prefix)" \
+		--single-version-externally-managed \
+		--record "$(DESTDIR)$(pkgpythondir)/install_files.txt" \
+		--optimize 1; \
+	fi
 
 uninstall-local:
-	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf
+	if [ -f "$(DESTDIR)$(pkgpythondir)/install_files.txt" ]; then \
+	cat "$(DESTDIR)$(pkgpythondir)/install_files.txt" | xargs rm -rf ; \
+	fi
 	rm -rf "$(DESTDIR)$(pkgpythondir)"
 
 clean-local: $(top_builddir)/ipasetup.py
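Review bot: `uninstall-local` still runs `rm -rf "$(DESTDIR)$(pkgpythondir)"` unconditionally, while `install-exec-local` now installs nothing when `pkginstall` is not `true`; guard the `rm -rf` with the same `pkginstall` check so uninstalling a placeholder package cannot remove a directory it never created. The `cat ... | xargs rm -rf` pattern also breaks on paths containing whitespace; a `while read` loop over `install_files.txt` is safer.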
diff --git a/configure.ac b/configure.ac
index 44dc11b..f48ba14 100644
--- a/configure.ac
+++ b/configure.ac
@@ -577,6 +577,9 @@ AC_CONFIG_FILES([
 ipaserver/Makefile
 ipatests/Makefile
 ipatests/man/Makefile
+packaging/Makefile
+packaging/freeipa/Makefile
+packaging/ipa/Makefile
 po/Makefile.in
 po/Makefile.hack
 util/Makefile
diff --git a/packaging/Makefile.am b/packaging/Makefile.am
new file mode 100644
index 000..5725ed9
--- /dev/null
+++ b/packaging/Makefile.am
@@ -0,0 +1,10 @@
+# This file will be processed with automake-1.7 to create Makefile.in
+#
+AUTOMAKE_OPTIONS = 1.7 subdir-objects
+
+NULL =
+
+SUBDIRS =			\
+	freeipa			\
+	ipa			\
+	$(NULL)
diff --git a/packaging/freeipa/Makefile.am b/packaging/freeipa/Makefile.am
new file mode 100644
index 000..15d86ce
--- /dev/null
+++ b/packaging/freeipa/Makefile.am
@@ -0,0 +1,3 @@
+incl

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

stlaz commented:
"""
Upgrade still fails when run for the first time during `dnf update`:
http://pastebin.com/H4kt6hVb
When I run it by hand after this failure, it gets a bit further, but 
NSSConnection fails in the `[Migrating certificate profiles to LDAP]` step:
http://pastebin.com/8tBjYjkU
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/471#issuecomment-280340971

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-16 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tomaskrizek commented:
"""
ACK, I'm fine with pushing this PR.

`make install` does install ipatests for client-only build, other 
server-related packages are omitted.

Server build works like before and isn't affected by this PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280326722

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-16 Thread pvoborni
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

pvoborni commented:
"""
I think it is OK to keep the behavior of the patch and go with it provided that 
the behavior is properly documented in the design page after push. 

The only reason to block it would be that it would be difficult to change it 
later or if it breaks any existing functionality. But AFAIK it is not the case 
here. 
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280324471

[Freeipa-devel] [freeipa PR#443][+rejected] Stronger check for DM password during server install

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

Label: +rejected

[Freeipa-devel] [freeipa PR#443][comment] Stronger check for DM password during server install

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/443
Title: #443: Stronger check for DM password during server install

stlaz commented:
"""
Closing as REJECTED, this will be sorted out in another way.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/443#issuecomment-280324266

[Freeipa-devel] [freeipa PR#443][closed] Stronger check for DM password during server install

2017-02-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/443
Author: stlaz
 Title: #443: Stronger check for DM password during server install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/443/head:pr443
git checkout pr443

[Freeipa-devel] [freeipa PR#396][comment] Explicitly remove support of SSLv2

2017-02-16 Thread tomaskrizek
  URL: https://github.com/freeipa/freeipa/pull/396
Title: #396: Explicitly remove support of SSLv2

tomaskrizek commented:
"""
Please update the commit title and description to make it clear that it also 
removes support of SSLv3.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/396#issuecomment-280306512

[Freeipa-devel] [freeipa PR#471][comment] Fix some privilege separation regressions

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/471
Title: #471: Fix some privilege separation regressions

stlaz commented:
"""
LGTM
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/471#issuecomment-280305500

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-16 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
Lukas, you are wasting both my and your precious time with a needless 
bike-shedding discussion about semantics. The `--disable-server` option 
skips all parts of the build process that are only relevant for server and not 
relevant for client. `ipatests` is relevant for both, therefore it stays.

I told you that I need `ipatests` to run tests as part of my build 
process. It is not yet part of the upstream FreeIPA build process. I also told 
you that I will provide another PR that will take care of it and add 
client-only tests. This PR acts as a foundation for both my container build 
processes and the future PR.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280293802

[Freeipa-devel] [freeipa PR#469][reopened] Ignore unlink error in ipa-otpd.socket

2017-02-16 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/469
Author: tiran
 Title: #469: Ignore unlink error in ipa-otpd.socket
Action: reopened

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/469/head:pr469
git checkout pr469

[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

2017-02-16 Thread HonzaCholasta
  URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

HonzaCholasta commented:
"""
This will ignore all errors, not just file does not exist. Are we OK with that?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/469#issuecomment-280291966

[Freeipa-devel] [freeipa PR#469][closed] Ignore unlink error in ipa-otpd.socket

2017-02-16 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/469
Author: tiran
 Title: #469: Ignore unlink error in ipa-otpd.socket
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/469/head:pr469
git checkout pr469

[Freeipa-devel] [freeipa PR#471][opened] Fix some privilege separation regressions

2017-02-16 Thread HonzaCholasta
   URL: https://github.com/freeipa/freeipa/pull/471
Author: HonzaCholasta
 Title: #471: Fix some privilege separation regressions
Action: opened

PR body:
"""
**client install: create /etc/ipa/nssdb with correct mode**

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

**server upgrade: fix upgrade in CA-less**

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from previous CA-ful
install, and is not necessary anyway.

**server upgrade: fix upgrade from pre-4.0**

update_ca_renewal_master uses ipaCert certmonger tracking information to
decide whether the local server is the CA renewal master or not. The
information is lost when migrating from /etc/httpd/alias to
/var/lib/ipa/radb in update_ra_cert_store.

Make sure update_ra_cert_store is executed after update_ca_renewal_master
so that correct information is used.

**server upgrade: always upgrade KRA agent PEM file**

Before the KRA agent PEM file is exported in server upgrade, the sysupgrade
state file is consulted. This causes the KRA agent PEM file not to be
exported to the new location if the upgrade was executed in the past.

Do not consult the sysupgrade state file to decide whether to upgrade the
KRA agent PEM file or not, the existence of the file is enough to make this
decision.

https://fedorahosted.org/freeipa/ticket/5959
https://fedorahosted.org/freeipa/ticket/6675
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/471/head:pr471
git checkout pr471
From cca67c28fbc17ae17e1b09fc2a9ff7a692000341 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 10:57:14 +0100
Subject: [PATCH 1/4] client install: create /etc/ipa/nssdb with correct mode

The NSS database directory is created with mode 640, which causes the IPA
client to fail to connect to any IPA server, because it is unable to read
trusted CA certificates from the NSS database.

Create the directory with mode 644 to fix the issue.

https://fedorahosted.org/freeipa/ticket/5959
---
 ipaclient/install/client.py |  2 +-
 ipapython/certdb.py | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 2b01b0d..396b43c 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2295,7 +2295,7 @@ def create_ipa_nssdb():
 f.write(ipautil.ipa_generate_password())
 os.chmod(pwdfile, 0o600)
 
-db.create_db(pwdfile)
+db.create_db(pwdfile, mode=0o755)
 os.chmod(os.path.join(db.secdir, 'cert8.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'key3.db'), 0o644)
 os.chmod(os.path.join(db.secdir, 'secmod.db'), 0o644)
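Review bot: the new `db.create_db(pwdfile, mode=0o755)` does not match the commit message, which says the directory is created with mode 644; 0o755 is the right choice for a directory (the search bit is what lets the unprivileged client read the files inside), so the message should say 755 for the directory and 644 for the database files. Note also that if `pwdfile` is the database's own `pwd_file`, the explicit `os.chmod(pwdfile, 0o600)` two lines above this change is overridden inside create_db, which re-chmods the password file to `mode & 0o660`, i.e. 0o640, widening it to group-readable; if owner-only was intended, chmod after create_db or pass the stricter mode through.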
diff --git a/ipapython/certdb.py b/ipapython/certdb.py
index a6bfcbc..c542cd9 100644
--- a/ipapython/certdb.py
+++ b/ipapython/certdb.py
@@ -126,9 +126,11 @@ def create_db(self, password_filename=None, user=None, group=None,
 """
 dirmode = 0o750
 filemode = 0o640
+pwdfilemode = 0o640
 if mode is not None:
 dirmode = mode
 filemode = mode & 0o666
+pwdfilemode = mode & 0o660
 
 uid = -1
 gid = -1
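Review bot: `pwdfilemode = mode & 0o660` keeps group read on the password file whenever the caller's mode has it; since this file unlocks the NSS key database, consider masking with 0o600 (owner-only) unless group access is a documented requirement. The default `pwdfilemode = 0o640` used when `mode` is None has the same property, so the two defaults should be reviewed together and the rule recorded in the create_db docstring above the hunk.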
@@ -153,7 +155,7 @@ def create_db(self, password_filename=None, user=None, group=None,
 hex_str = binascii.hexlify(os.urandom(10))
 with io.open(os.open(password_filename,
  os.O_CREAT | os.O_WRONLY,
- filemode), 'wb', closefd=True) as f:
+ pwdfilemode), 'wb', closefd=True) as f:
 f.write(hex_str)
 f.flush()
 
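Review bot: the password file is opened with `os.O_CREAT | os.O_WRONLY` and no `os.O_TRUNC`, so if `password_filename` already exists and is longer than the 20 hex characters written here, the stale tail remains and the stored password no longer matches the one the database is created with; add `os.O_TRUNC` (or `os.O_EXCL` to refuse to reuse an existing file). The mode argument to os.open is only applied on creation and is filtered by the umask, so the chmod loop later in this function is still needed to reach the effective `pwdfilemode`.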
@@ -168,7 +170,11 @@ def create_db(self, password_filename=None, user=None, group=None,
 if os.path.exists(path):
 if uid != -1 or gid != -1:
 os.chown(path, uid, gid)
-os.chmod(path, filemode)
+if path == os.path.abspath(self.pwd_file):
+new_mode = pwdfilemode
+else:
+new_mode = filemode
+os.chmod(path, new_mode)
 tasks.restore_context(path)
 
 def list_certs(self):
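Review bot: `path == os.path.abspath(self.pwd_file)` raises TypeError when `self.pwd_file` is None, which the `password_filename=None` default in the hunk header suggests is a reachable state; guard it with `if self.pwd_file is not None and ...`. The comparison also assumes `path` is already absolute; normalising both sides (or using `os.path.samefile` once both exist) avoids a silent miss that would leave the password file at the wider `filemode` instead of `pwdfilemode`.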

From 0ed14b1e46dd08a5b66cfedcb41cd04af1055398 Mon Sep 17 00:00:00 2001
From: Jan Cholasta 
Date: Thu, 16 Feb 2017 11:09:04 +0100
Subject: [PATCH 2/4] server upgrade: fix upgrade in CA-less

Use /etc/httpd/alias instead of /var/lib/ipa/radb in upload_cacrt, as
/var/lib/ipa/radb is not populated in CA-less.

Do not migrate ipaCert from /etc/httpd/alias to /var/lib/ipa/radb in
CA-less, as it might be an incorrect certificate from pre
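As an added example (not FreeIPA's own code) of the layout the first commit in the PR body above intends, the following Python audits an NSS database directory: it derives the directory, database-file and password-file modes from one mode value using the 0o666/0o660 masks shown in the certdb.py hunk, reports a directory that lacks the search bit for others (the failure described for ticket 5959), and flags a password file with permission bits beyond the expected ones. The password file name pwdfile.txt and the helper that builds an empty layout are constructed for the demonstration.

```python
import os, stat

# File names of a pre-SQLite NSS database; client.py chmods them to 0o644.
NSSDB_FILES = ("cert8.db", "key3.db", "secmod.db")
PWD_FILE_NAME = "pwdfile.txt"  # constructed name, not taken from the page

def derive_modes(mode=0o755):
    """Directory, database-file and password-file modes derived from one
    ``mode`` as the patched certdb.create_db does (assumed masks from the hunk)."""
    return {"dir": mode, "file": mode & 0o666, "pwdfile": mode & 0o660}

def _mode_of(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def audit_nssdb(secdir, pwd_file, mode=0o755):
    """Return findings where the layout under ``secdir`` differs from
    derive_modes(mode); an empty list means every local user can traverse the
    directory and read the trust store, and the password file carries no
    permission bits beyond the expected ones."""
    want = derive_modes(mode)
    findings = []
    dir_mode = _mode_of(secdir)
    if dir_mode != want["dir"]:
        findings.append("%s: mode %#o, expected %#o" % (secdir, dir_mode, want["dir"]))
    # Root cause of ticket 5959: without the search (x) bit for others, the
    # unprivileged client cannot even stat the files inside, so the CA
    # certificates are unreadable although cert8.db itself is 0o644.
    if not dir_mode & stat.S_IXOTH:
        findings.append("%s: missing search (x) bit for others" % secdir)
    for name in NSSDB_FILES:
        path = os.path.join(secdir, name)
        try:
            file_mode = _mode_of(path)
        except OSError as e:  # missing, or unreachable through the directory
            findings.append("%s: %s" % (path, e.strerror))
            continue
        if file_mode != want["file"]:
            findings.append("%s: mode %#o, expected %#o" % (path, file_mode, want["file"]))
    try:
        extra = _mode_of(pwd_file) & ~want["pwdfile"]
    except OSError:
        extra = 0  # already covered by the directory findings above
    if extra:
        findings.append("%s: unexpected permission bits %#o" % (pwd_file, extra))
    return findings

def make_layout(secdir, dir_mode, file_mode=0o644, pwd_mode=0o600):
    """Create a constructed, empty NSS-database layout for demonstration;
    chmod is applied explicitly so the process umask cannot interfere."""
    os.makedirs(secdir, exist_ok=True)
    for name in NSSDB_FILES + (PWD_FILE_NAME,):
        path = os.path.join(secdir, name)
        open(path, "wb").close()
        os.chmod(path, pwd_mode if name == PWD_FILE_NAME else file_mode)
    os.chmod(secdir, dir_mode)
    return os.path.join(secdir, PWD_FILE_NAME)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        secdir = os.path.join(tmp, "nssdb")
        pwd = make_layout(secdir, 0o640)  # the broken layout from the bug report
        print(audit_nssdb(secdir, pwd))
        os.chmod(secdir, 0o755)           # the fix: directory mode from the patch
        print(audit_nssdb(secdir, pwd))   # prints []
```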

[Freeipa-devel] [freeipa PR#469][comment] Ignore unlink error in ipa-otpd.socket

2017-02-16 Thread martbab
  URL: https://github.com/freeipa/freeipa/pull/469
Title: #469: Ignore unlink error in ipa-otpd.socket

martbab commented:
"""
LGTM, but do we require this fix also in 4-4 branch?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/469#issuecomment-280285004

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-16 Thread lslebodn
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

lslebodn commented:
"""
On (16/02/17 00:57), Christian Heimes wrote:
>You are missing the point. Obviously tests are an important part of building. 
>I can't test the client bits when ipatests is not available.
>

You missed that the name of this PR is
"Client-only builds with --disable-server"

So this PR *MUST* implement client-only build.

Your use-case is different and you need to realize that
freeIPA does not have a *unit* test for client bits.
All client parts are tested by integration tests
which require server.

>Let's do small, incremental improvements. I need the client-only builds ASAP 
>(EOW, next week tops) for some container stuff. Client-only RPMs can be 
>implemented later in beta phase for 4.5.
>

I have never requested anything related to "Client-only RPMs"
I always mentioned "make install"

Let's do the correct change from semantic POV.

If you want to install tests with client-only build
then please add new configure time option for this purpose
And do not misuse option "--disable-server"

Misusing options is a bad/hacky approach
and we need to clean hacks from freeIPA and not create new ones.

LS

"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280277782

[Freeipa-devel] [freeipa PR#465][comment] Tests: search for disabled users

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/465
Title: #465: Tests: search for disabled users

stlaz commented:
"""
Is there a ticket for the xfail scenario?
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/465#issuecomment-280275823

[Freeipa-devel] [freeipa PR#446][edited] Add password file to certutil calls in ipapython.certdb module

2017-02-16 Thread stlaz
   URL: https://github.com/freeipa/freeipa/pull/446
Author: stlaz
 Title: #446: Add password file to certutil calls in ipapython.certdb module
Action: edited

 Changed field: body
Original value:
"""
With this patchset, ipa-client-install should not ask for NSS database password.

Prerequisite:
https://github.com/freeipa/freeipa/pull/367

**edit:** This was a part of a bigger branch and might be missing some parts.
"""


[Freeipa-devel] [freeipa PR#367][comment] Remove nsslib from IPA

2017-02-16 Thread stlaz
  URL: https://github.com/freeipa/freeipa/pull/367
Title: #367: Remove nsslib from IPA

stlaz commented:
"""
In the last update I renamed the proposed config option `ca_certfile` to 
`cacert_store` and made a requirement for it to be an absolute path. This was done 
with possible future changes to it (thanks @HonzaCholasta for pointing that 
out).

If the tests pass then this should be ready for review.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/367#issuecomment-280272695

[Freeipa-devel] [freeipa PR#364][comment] Client-only builds with --disable-server

2017-02-16 Thread tiran
  URL: https://github.com/freeipa/freeipa/pull/364
Title: #364: Client-only builds with --disable-server

tiran commented:
"""
You are missing the point. Obviously tests are an important part of building. I 
can't test the client bits when ipatests is not available.

Let's do small, incremental improvements. I need the client-only builds ASAP 
(EOW, next week tops) for some container stuff. Client-only RPMs can be 
implemented later in beta phase for 4.5.
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/364#issuecomment-280271921

[Freeipa-devel] [freeipa PR#466][+pushed] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade

2017-02-16 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/466
Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance 
on upgrade

Label: +pushed

[Freeipa-devel] [freeipa PR#466][closed] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade

2017-02-16 Thread MartinBasti
   URL: https://github.com/freeipa/freeipa/pull/466
Author: abbra
 Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance 
on upgrade
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/466/head:pr466
git checkout pr466

[Freeipa-devel] [freeipa PR#466][comment] pkinit: make sure to have proper dictionary for Kerberos instance on upgrade

2017-02-16 Thread MartinBasti
  URL: https://github.com/freeipa/freeipa/pull/466
Title: #466: pkinit: make sure to have proper dictionary for Kerberos instance 
on upgrade

MartinBasti commented:
"""
Fixed upstream
master:
https://fedorahosted.org/freeipa/changeset/14d84daf29543978c6383da10f4f2d913346f013
"""

See the full comment at 
https://github.com/freeipa/freeipa/pull/466#issuecomment-280270827