[Freeipa-devel] Automated Fedora update testing
Hi folks! I thought this might be of interest to the FreeIPA community, so I thought I'd write it up here in case anyone missed it elsewhere.

I work on the Fedora QA team, and we have been using the openQA automated test system (developed by our friends at SUSE) to run various functional tests on Fedora composes for the last couple of years. As FreeIPA is considered a critical part of Fedora Server, we run a few tests that exercise FreeIPA. The tests set up a FreeIPA server, run some basic checks on it, and also enrol two systems as clients of the domain, one using the 'realm join' command directly, one using Cockpit. The client tests do some basic client functionality testing (getent, logging in as a domain user, changing passwords, etc.) and also test the web UI to some extent.

Until recently we ran these tests only on Fedora's nightly development release distribution composes. Recently, though, we deployed some enhancements to our openQA setup that let us run tests on Fedora distribution updates as well, and have the results made visible through the Fedora update system (Bodhi). The tests are automatically run on any critical path package, and as of today, they are also run on any update containing any of a manually-tended list of FreeIPA-related packages:

389-ds
389-ds-base
bind
bind-dyndb-ldap
certmonger
ding-libs
freeipa
krb5-server
pki-core
sssd
tomcat
cockpit

This means that for any Fedora update containing one of these or any critical path package, Fedora's openQA FreeIPA tests should run, and you should see the results in the Fedora update system (Bodhi). You can see the results in Bodhi by clicking the Automated Updates tab for any update.

For instance, here's a recent 389-ds-base update for Fedora 26:

https://bodhi.fedoraproject.org/updates/FEDORA-2017-15e2a038b2

If you look at the Automated Tests tab, you can see passes for:

update.server_role_deploy_domain_controller
update.realmd_join_cockpit
update.realmd_join_sssd

indicating that this update didn't cause any problems for FreeIPA. Clicking on any test result will take you to the openQA page for the test, where you can diagnose failures and so on (explaining how to do this is a bit beyond the scope of this mail, please do ask me if you're interested!)

I hope this stuff will help us avoid shipping updates that break FreeIPA (and other key components). If you have any questions, concerns, comments, or suggestions, please do ask!

To anticipate one question: you can cause *all* the tests for an update to be re-run by editing the update in any way (you don't have to change the package loadout, just changing a single character in the description or something will do). If you think just one test result is bogus and want it re-run, currently, you'll have to ask someone with the necessary power - either me or Jan Sedlak (garretraziel on IRC). I'm in North America and he's in Europe, so we should have most timezones covered between us. We're hoping to set up a better mechanism for this in future.

Note, if you're interested in the results for the nightly Fedora distribution composes, an email summary of the results for those is sent each time they're run to the Fedora test@ and devel@ lists; look for mails with "compose check report" in the subject. Any time any of the FreeIPA tests fails, the failure will be listed in the mail (passed tests are not specifically listed, just a count of them). I usually keep an eye on those results and analyze failures and file bugs, though.

--
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Blog post: Debugging FreeIPA 4.5 privilege separation code
Hi,

Simo and I wrote an article on how to debug FreeIPA 4.5 privilege separation code. It is not about debugging, in fact, but on where to look for various types of logs and how to interpret them. The article also provides a high level explanation of how privilege separation in FreeIPA works and what it allows us to achieve.

You can read the article here: https://vda.li/en/docs/freeipa-debug-privsep/

--
/ Alexander Bokovoy
[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
We can probably defer.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298087667
[Freeipa-devel] [freeipa PR#746][edited] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: edited
Changed field: body

Original value:
"""
Automatic creation of KDC proxy URI records

Enables creation of following KDC proxy URL records per each replica:
```
_kerberos.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy";
_kpasswd.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy";
```

Records are created for each replica in topology as KDC proxy is enabled by default. (If KDC proxy is manually disabled this record will be created anyway)

URI records for kadmin discovery are not created because FreeIPA doesn't support kadmin.

See:
https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
https://pagure.io/freeipa/issue/6337

### TODO
- [x] Add URI records for 88/UDP, 88/TCP with higher priority to keep client asking directly KDC first
- [ ] Add URI records for HTTPS only when kdc proxy is enabled on server (requires to update server roles with role attribute KDC proxy)
- [ ] Update release notes
- `Postponed`: Fix https://pagure.io/freeipa/issue/6906 to allow enroll FreeIPA clients using HTTPS KDC proxy
"""
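To make the record scheme in this PR concrete, here is an added example (not FreeIPA's or the PR's own code) that generates the direct-KDC and KDC-proxy URI records for a set of replicas, renders them in zone-file form with the explicit priority and weight fields, and checks the ordering constraint the PR relies on. It assumes the record names, targets and the +10 priority penalty quoted in the PR description and commit message; the domain, replica names and helper names are constructed for the example.

```python
"""Build and check the Kerberos URI discovery records described in PR#746.

Added example for this digest; it is not FreeIPA's own code. It assumes the
record names, targets and the +10 proxy priority penalty quoted in the PR
description and commit message; the domain and replica names are constructed.
"""
from collections import namedtuple

UriRecord = namedtuple("UriRecord", "name priority weight target")

# Direct KDC targets (tcp and udp) for ticket and password-change discovery
KDC_TARGETS = (
    ("_kerberos", "krb5srv:M:tcp:{server}"),
    ("_kerberos", "krb5srv:M:udp:{server}"),
    ("_kpasswd", "krb5srv:M:tcp:{server}"),
    ("_kpasswd", "krb5srv:M:udp:{server}"),
)
# KDC proxy (MS-KKDCP over HTTPS) targets; must be less preferred than direct KDC
KDCPROXY_TARGETS = (
    ("_kerberos", "krb5srv:M:kkdcp:https://{server}/KdcProxy"),
    ("_kpasswd", "krb5srv:M:kkdcp:https://{server}/KdcProxy"),
)
# Added to the proxy records' priority: a larger value is tried later (RFC 7553)
KDCPROXY_PRIORITY_PENALTY = 10


def build_uri_records(domain, replicas, weight=100, priority=0,
                      penalty=KDCPROXY_PRIORITY_PENALTY):
    """Return the URI records for every replica of `domain`.

    Direct KDC records carry `priority`; proxy records carry
    `priority + penalty`, so a client tries the direct KDC first.
    """
    records = []
    for server in replicas:
        for name, target in KDC_TARGETS:
            records.append(UriRecord("%s.%s." % (name, domain), priority,
                                     weight, target.format(server=server)))
        for name, target in KDCPROXY_TARGETS:
            records.append(UriRecord("%s.%s." % (name, domain),
                                     priority + penalty, weight,
                                     target.format(server=server)))
    return records


def to_zone_lines(records, ttl=86400):
    """Render records in zone-file form with explicit priority and weight."""
    return ['%s %d IN URI %d %d "%s"' % (r.name, ttl, r.priority, r.weight,
                                          r.target) for r in records]


def client_order(records, name):
    """Targets for `name` in the order a client tries them: lowest priority
    value first, then highest weight; ties keep zone order."""
    chosen = [r for r in records if r.name == name]
    chosen.sort(key=lambda r: (r.priority, -r.weight))
    return [r.target for r in chosen]


def check_records(records):
    """Checks a reviewer would want before publishing the zone: proxy targets
    must be https, and no proxy record may be tried before a direct KDC record
    of the same name. Returns a list of problem descriptions (empty is good)."""
    problems = []
    by_name = {}
    for r in records:
        by_name.setdefault(r.name, []).append(r)
    for name, recs in by_name.items():
        direct = [r for r in recs if ":kkdcp:" not in r.target]
        proxy = [r for r in recs if ":kkdcp:" in r.target]
        for p in proxy:
            if not p.target.startswith("krb5srv:M:kkdcp:https://"):
                problems.append("%s: proxy target is not https: %s"
                                % (name, p.target))
        if direct and proxy and (min(p.priority for p in proxy)
                                 <= max(d.priority for d in direct)):
            problems.append("%s: a KDC proxy record would be tried before "
                            "a direct KDC record" % name)
    return problems


if __name__ == "__main__":
    # Constructed topology: two replicas in example.com
    recs = build_uri_records("example.com",
                             ["ipa1.example.com", "ipa2.example.com"])
    for line in to_zone_lines(recs):
        print(line)
    print("problems:", check_records(recs))
```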
[Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746 Author: MartinBasti Title: #746: KDC proxy URI records Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/746/head:pr746 git checkout pr746 From 0c6e1bf34b92cfe5ff29b29843826181970bcff2 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 26 Apr 2017 18:49:47 +0200 Subject: [PATCH] Automatic creation of KDC URI records Enables creation of following records per each replica: KDC URI records: _kerberos.example.com. IN URI "krb5srv:M:tcp:ipaserver.example.com" _kpasswd.example.com. IN URI "krb5srv:M:tcp:ipaserver.example.com" _kerberos.example.com. IN URI "krb5srv:M:udp:ipaserver.example.com" _kpasswd.example.com. IN URI "krb5srv:M:udp:ipaserver.example.com" KDC proxy URI records: _kerberos.example.com. IN URI +10 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"; _kpasswd.example.com. IN URI +10 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"; URI records for kadmin discovery are not created because FreeIPA doesn't support kadmin. KDC URI records (tcp, udp) must have higher priority than KDC proxy (https) to prefer direct communication with KDC. Also there is a bug that prevents ipa-client-install to enroll client with using only KDC proxy in some cases (see https://pagure.io/freeipa/issue/6906). All records are created for each replica in topology as KDC proxy is enabled by default. (Please note if KDC proxy is manually disabled KDC Proxy records will be created anyway) See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery https://pagure.io/freeipa/issue/6337 --- ipaserver/dns_data_management.py| 88 - ipatests/test_integration/test_dns_locations.py | 52 +++ 2 files changed, 138 insertions(+), 2 deletions(-) diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py index d4dc42e..0dbedde 100644 --- a/ipaserver/dns_data_management.py +++ b/ipaserver/dns_data_management.py 
@@ -37,6 +37,23 @@ (DNSName(u'_kpasswd._udp'), 464), ) +IPA_DEFAULT_KDC_URI_REC = ( +# URI record name, target +(DNSName(u'_kpasswd'), u'krb5srv:M:tcp:{server}'), +(DNSName(u'_kpasswd'), u'krb5srv:M:udp:{server}'), +(DNSName(u'_kerberos'), u'krb5srv:M:tcp:{server}'), +(DNSName(u'_kerberos'), u'krb5srv:M:udp:{server}'), +) + +# URI records for KDCProxy must have lower priority than for KDC, clients must +# prefer to connect directly to KDC +IPA_KDCPROXY_PRIORITY_PENALIZATION = 10 +IPA_DEFAULT_KDCPROXY_URI_REC = ( +# URI record name, target +(DNSName(u'_kpasswd'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'), +(DNSName(u'_kerberos'), u'krb5srv:M:kkdcp:https://{server}/KdcProxy'), +) + IPA_DEFAULT_ADTRUST_SRV_REC = ( # srv record name, port (DNSName(u'_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs'), 389), @@ -127,6 +144,34 @@ def __add_srv_records( r_name, rdatatype.SRV, create=True) rdataset.add(rd, ttl=86400) # FIXME: use TTL from config +def __add_kdc_uri_records( +self, zone_obj, hostname, rname_target_map, +weight=100, priority=0, location=None +): +assert isinstance(hostname, DNSName) +assert isinstance(priority, int) +assert isinstance(weight, int) + +if location: +suffix = self.__get_location_suffix(location) +else: +suffix = self.domain_abs + +for name, target in rname_target_map: +rd = rdata.from_text( +rdataclass.IN, rdatatype.URI, +'{0} {1} {2}'.format( +priority, weight, +target.format(server=hostname.ToASCII()) +) +) + +r_name = name.derelativize(suffix) + +rdataset = zone_obj.get_rdataset( +r_name, rdatatype.URI, create=True) +rdataset.add(rd, ttl=86400) # FIXME: use TTL from config + def __add_ca_records_from_hostname(self, zone_obj, hostname): assert isinstance(hostname, DNSName) and hostname.is_absolute() r_name = DNSName('ipa-ca') + self.domain_abs 
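Review bot: in the `@@ -37` hunk the comment above `IPA_KDCPROXY_PRIORITY_PENALIZATION` says the KDC proxy records "must have lower priority", while the commit message says the tcp/udp records "must have higher priority"; both mean the same thing, because for URI rdata the smaller priority number is tried first, but the two wordings read as opposites. Suggest stating it in terms of the number, e.g. `# proxy records get a larger priority value, so clients try the direct KDC first`. The `_kpasswd` targets also carry no port in the residual; worth confirming that clients apply the kpasswd default port when only a host name is given.

Review bot: in `__add_kdc_uri_records` (`@@ -127` hunk) the rdata text is built as `'{0} {1} {2}'.format(priority, weight, ...)`, leaving the target unquoted; the presentation format for URI rdata quotes the target, and an unquoted token only works while the templates contain no character the tokenizer treats as a delimiter. `'{0} {1} "{2}"'` matches the zone-file form shown in the commit message and is safer if the templates change. The `ttl=86400  # FIXME: use TTL from config` line is copied from `__add_srv_records`, so the same FIXME now lives in two places.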
@@ -173,6 +218,7 @@ def _add_base_dns_records_for_server( else: eff_roles = server['roles'] hostname_abs = DNSName(hostname).make_absolute() +hostname_rel = DNSName(hostname) if include_kerberos_realm: self.__add_kerberos_txt_rec(zone_obj) @@ -185,6 +231,21 @@ def _add_base_dns_records_for_server( IPA_DEFAULT_MASTER_SRV_REC, weight=server['weight'] ) +self.__add_kdc_uri_records( +zone_obj, +hostname_rel, +IPA_DEFAULT_KDC_URI_REC, +weight=server['weight'] +) + +# FIXME: create KDC Proxy records only when KDC proxy is enabled +self.__add_kdc
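Review bot: `hostname_rel = DNSName(hostname)` (`@@ -173` hunk) sits next to the existing `hostname_abs`, and the reason for needing both is only visible inside the helper (`hostname.ToASCII()` of a relative name yields the trailing-dot-free form shown in the commit message's URI targets). A one-line comment at the assignment saying that URI residuals are built from the relative name would save the next reader a trip to `__add_kdc_uri_records`.

Review bot: the `@@ -185` hunk ends with `# FIXME: create KDC Proxy records only when KDC proxy is enabled` and then calls the proxy variant unconditionally (the call is cut off in this mail). This function already derives `eff_roles` from `server['roles']` for the SRV records, so gating the proxy records on a role there would keep the decision consistent with the other per-server records and is what the PR's TODO proposes; if the records are deliberately created regardless, the FIXME should say so and the behaviour described in the commit message (records still published when the proxy is disabled) belongs in the release notes.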
[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

MartinBasti commented:
"""
@simo5 not really a 4.5 material then
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298039065
[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
@MartinBasti In this case we need a way to tell the system what are the priorities and which protocols are enabled, priorities are important too, admins need to be able to change them as they see fit.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298037434
[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

MartinBasti commented:
"""
@simo5 we don't support manual changes of IPA system records, it is regenerated automatically, so any manual changes are overwritten when: new replica is added/replica is removed/user executes manually `ipa dns-update-system-records`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298034002
[Freeipa-devel] [freeipa PR#746][comment] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746
Title: #746: KDC proxy URI records

simo5 commented:
"""
I am not entirely sure we want to care for the case where an admin disables KDC Proxy in an automatic fashion; otherwise we would also need to check if TCP or UDP are disabled and change that too.

FreeIPA as a product enables TCP/UDP and proxy and an admin that wants to change this by manually changing configurations should also take care of manually changing the URI records in DNS I think. Just like they would need to change records in DNS if either TCP or UDP protocols were disabled.

However if it is overly simple to detect and update records based on enabled protocols I am not against doing so.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/746#issuecomment-298032999
[Freeipa-devel] [freeipa PR#746][edited] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746
Author: MartinBasti
Title: #746: KDC proxy URI records
Action: edited
Changed field: body

Original value:
"""
Automatic creation of KDC proxy URI records

Enables creation of following KDC proxy URL records per each replica:
```
_kerberos.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy";
_kpasswd.example.com. IN URI "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy";
```

Records are created for each replica in topology as KDC proxy is enabled by default. (If KDC proxy is manually disabled this record will be created anyway)

URI records for kadmin discovery are not created because FreeIPA doesn't support kadmin.

See:
https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery
https://pagure.io/freeipa/issue/6337

### TODO
- [ ] Add URI records for 88/UDP, 88/TCP with higher priority to keep client asking directly KDC first
- [ ] Add URI records for HTTPS only when kdc proxy is enabled on server (requires to update server roles with role attribute KDC proxy)
- [ ] Fix https://pagure.io/freeipa/issue/6906 to allow enroll FreeIPA clients using HTTPS KDC proxy
"""
[Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746 Author: MartinBasti Title: #746: KDC proxy URI records Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/746/head:pr746 git checkout pr746 From d79bc35de7315c9a49605c4acb0798441ce67997 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 26 Apr 2017 18:49:47 +0200 Subject: [PATCH] Automatic creation of KDC URI records Enables creation of following records per each replica: KDC URI records: _kerberos.example.com. IN URI "krb5srv:M:tcp:ipaserver.example.com" _kpasswd.example.com. IN URI "krb5srv:M:tcp:ipaserver.example.com" _kerberos.example.com. IN URI "krb5srv:M:udp:ipaserver.example.com" _kpasswd.example.com. IN URI "krb5srv:M:udp:ipaserver.example.com" KDC proxy URI records: _kerberos.example.com. IN URI +10 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"; _kpasswd.example.com. IN URI +10 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"; URI records for kadmin discovery are not created because FreeIPA doesn't support kadmin. KDC URI records (tcp, udp) must have higher priority than KDC proxy (https) to prefer direct communication with KDC. Also there is a bug that prevents ipa-client-install to enroll client with using only KDC proxy in some cases (see https://pagure.io/freeipa/issue/6906). All records are created for each replica in topology as KDC proxy is enabled by default. (Please note if KDC proxy is manually disabled KDC Proxy records will be created anyway) See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery https://pagure.io/freeipa/issue/6337 --- ipaserver/dns_data_management.py| 88 - ipatests/test_integration/test_dns_locations.py | 47 + 2 files changed, 133 insertions(+), 2 deletions(-) diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py index d4dc42e..0dbedde 100644 --- a/ipaserver/dns_data_management.py +++ b/ipaserver/dns_data_management.py 
[Freeipa-devel] [freeipa PR#746][synchronized] KDC proxy URI records
URL: https://github.com/freeipa/freeipa/pull/746 Author: MartinBasti Title: #746: KDC proxy URI records Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/746/head:pr746 git checkout pr746 From 342158b9f427057c08b9a115b68825f918554ee1 Mon Sep 17 00:00:00 2001 From: Martin Basti Date: Wed, 26 Apr 2017 18:49:47 +0200 Subject: [PATCH] Automatic creation of KDC URI records Enables creation of following records per each replica: KDC URI records: _kerberos.example.com. IN URI "krb5srv:M:tcp:ipaserver.example.com" _kpasswd.example.com. IN URI "krb5srv:M:tcp:ipaserver.example.com" _kerberos.example.com. IN URI "krb5srv:M:udp:ipaserver.example.com" _kpasswd.example.com. IN URI "krb5srv:M:udp:ipaserver.example.com" KDC proxy URI records: _kerberos.example.com. IN URI +10 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"; _kpasswd.example.com. IN URI +10 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"; URI records for kadmin discovery are not created because FreeIPA doesn't support kadmin. KDC URI records (tcp, udp) must have higher priority than KDC proxy (https) to prefer direct communication with KDC. Also there is a bug that prevents ipa-client-install to enroll client with using only KDC proxy in some cases (see https://pagure.io/freeipa/issue/6906). All records are created for each replica in topology as KDC proxy is enabled by default. (Please note if KDC proxy is manually disabled KDC Proxy records will be created anyway) See: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery https://pagure.io/freeipa/issue/6337 --- ipaserver/dns_data_management.py| 88 - ipatests/test_integration/test_dns_locations.py | 47 + 2 files changed, 133 insertions(+), 2 deletions(-) diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py index d4dc42e..0dbedde 100644 --- a/ipaserver/dns_data_management.py +++ b/ipaserver/dns_data_management.py 
[Freeipa-devel] [freeipa PR#750][+ack] Fixed typo in ipa-client-install help output
URL: https://github.com/freeipa/freeipa/pull/750
Title: #750: Fixed typo in ipa-client-install help output
Label: +ack
[Freeipa-devel] [freeipa PR#750][opened] Fixed typo in ipa-client-install help output
URL: https://github.com/freeipa/freeipa/pull/750 Author: tscherf Title: #750: Fixed typo in ipa-client-install help output Action: opened PR body: """ Fixed typo in option "--all-ip-addresses" from "ipa-client-install". """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/750/head:pr750 git checkout pr750 From 74025761b44b7e3456a10f0c6d4b74f4296e577a Mon Sep 17 00:00:00 2001 From: Thorsten Scherf Date: Fri, 28 Apr 2017 16:40:17 +0200 Subject: [PATCH] Fixed typo in ipa-client-install output --- ipalib/install/hostname.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ipalib/install/hostname.py b/ipalib/install/hostname.py index 74c569d..ecc2963 100644 --- a/ipalib/install/hostname.py +++ b/ipalib/install/hostname.py @@ -41,7 +41,7 @@ def ip_addresses(self, values): all_ip_addresses = knob( None, -description="All routable IP addresses configured on any inteface " +description="All routable IP addresses configured on any interface " "will be added to DNS", ) all_ip_addresses = prepare_only(all_ip_addresses) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] [freeipa PR#749][opened] Added plugins directory to python2-ipaclient subpackage
URL: https://github.com/freeipa/freeipa/pull/749 Author: olivergs Title: #749: Added plugins directory to python2-ipaclient subpackage Action: opened PR body: """ Subpackage does not own that directory and could create conflicts if a plugin creates it on its onwn """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/749/head:pr749 git checkout pr749 From 90e8eba2f1f3f40f3ffc1a557f6278d2dfe0f4e7 Mon Sep 17 00:00:00 2001 From: Oliver Gutierrez Date: Fri, 28 Apr 2017 15:21:49 +0100 Subject: [PATCH] Added plugins directory to python2-ipaclient subpackage\n\nSubpackage does not own that directory and could create conflicts if a plugin creates it on its onwn --- freeipa.spec.in | 1 + 1 file changed, 1 insertion(+) diff --git a/freeipa.spec.in b/freeipa.spec.in index ee9a36b..ada60d4 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -1402,6 +1402,7 @@ fi %doc README.md Contributors.txt %license COPYING %dir %{python_sitelib}/ipaclient +%dir %{python_sitelib}/ipaclient/plugins %{python_sitelib}/ipaclient/*.py* %{python_sitelib}/ipaclient/install/*.py* %{python_sitelib}/ipaclient/plugins/*.py* -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
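Review bot: the same ownership gap the hunk closes for `plugins` seems to apply to `install`: the listing right below the added `%dir %{python_sitelib}/ipaclient/plugins` also ships `%{python_sitelib}/ipaclient/install/*.py*`, and no `%dir` for `%{python_sitelib}/ipaclient/install` appears in the visible context. Worth checking whether that directory is owned elsewhere in the spec and, if not, adding it in the same change so both subdirectories are handled consistently.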
[Freeipa-devel] [freeipa PR#744][+pushed] [4.5] Correct PyPI package dependencies
URL: https://github.com/freeipa/freeipa/pull/744
Title: #744: [4.5] Correct PyPI package dependencies
Label: +pushed
[Freeipa-devel] [freeipa PR#744][comment] [4.5] Correct PyPI package dependencies
URL: https://github.com/freeipa/freeipa/pull/744
Title: #744: [4.5] Correct PyPI package dependencies

tomaskrizek commented:
"""
ipa-4-5:

* b91ee1294bb3139f3d9df62c75dd429a5821bf40 Correct PyPI package dependencies
"""

See the full comment at https://github.com/freeipa/freeipa/pull/744#issuecomment-297991379
[Freeipa-devel] [freeipa PR#744][closed] [4.5] Correct PyPI package dependencies
URL: https://github.com/freeipa/freeipa/pull/744
Author: tiran
Title: #744: [4.5] Correct PyPI package dependencies
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/744/head:pr744
git checkout pr744
[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

tomaskrizek commented:
"""
master:

* 3a4c8e39c3e38ec651cfcbb3cac59e0e92e04fe0 restore: restart/reload gssproxy after restore

ipa-4-5:

* 04ed1fa3acdf002ecc37dde4f5d226c0fbe5aa30 restore: restart/reload gssproxy after restore
"""

See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297990747
[Freeipa-devel] [freeipa PR#748][closed] restore: restart/reload gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/748
Author: pvoborni
Title: #748: restore: restart/reload gssproxy after restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/748/head:pr748
git checkout pr748
[Freeipa-devel] [freeipa PR#748][+pushed] restore: restart/reload gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore
Label: +pushed
[Freeipa-devel] [freeipa PR#748][+ack] restore: restart/reload gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore
Label: +ack
[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

tomaskrizek commented:
"""
Ok, everything looks good then.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297990127
[Freeipa-devel] [freeipa PR#744][+ack] [4.5] Correct PyPI package dependencies
URL: https://github.com/freeipa/freeipa/pull/744
Title: #744: [4.5] Correct PyPI package dependencies
Label: +ack
[Freeipa-devel] [freeipa PR#732][comment] ipa-custodia: use Dogtag's alias/pwdfile.txt
URL: https://github.com/freeipa/freeipa/pull/732
Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt

MartinBasti commented:
"""
Postponing, ticket milestone is 4.7
"""

See the full comment at https://github.com/freeipa/freeipa/pull/732#issuecomment-297988800
[Freeipa-devel] [freeipa PR#732][+postponed] ipa-custodia: use Dogtag's alias/pwdfile.txt
URL: https://github.com/freeipa/freeipa/pull/732
Title: #732: ipa-custodia: use Dogtag's alias/pwdfile.txt
Label: +postponed
Re: [Freeipa-devel] "blocker" tag for pull request
On 28.04.2017 14:17, Tomas Krizek wrote:
> On 04/28/2017 10:15 AM, Petr Vobornik wrote:
>> Hi all,
>>
>> I created "blocker" tag for FreeIPA GitHub PRs.
>>
>> It should be used to mark PRs which solve test blocker or other
>> functional blockers - e.g. blocks creation of demo. I.e. should be
>> used rather rarely.
>>
>> I don't like the tag name, but I couldn't find better.
>
> I think we could use the name "high-priority". It could have other uses
> besides marking a blocker, e.g. requesting prompt execution of tests in
> PR CI.

Sounds good, or maybe "prioritized"; IMHO the "blocker" word is overused.

>> Note: blocker priority in pagure doesn't imply blocker tag in PR. But
>> testblocker tag in pagure does. Actually I'm thinking about changing
>> Pagure priority names to: "highest, high, medium, low, patchwelcome"
>
> +1, but I'd prefer "critical" instead of "highest"

+1 for critical

pyldap uses "help wanted" instead of "patchwelcome", it sounds better to me. I'd use it as a separate tag instead of a priority. Even high prioritized issues can be made by contributors in early phase of development if they are easy enough.

Martin^2

--
Martin Bašti
Software Engineer
Red Hat Czech
[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

pvoborni commented:
"""
Should work:

```python
def debian_service_class_factory(name, api=None):
    if name == 'dirsrv':
        return redhat_services.RedHatDirectoryService(name, api)
    if name == 'domainname':
        return DebianNoService(name, api)
    if name == 'ipa':
        return redhat_services.RedHatIPAService(name, api)
    if name == 'messagebus':
        return DebianNoService(name, api)
    if name == 'ntpd':
        return DebianSysvService("ntp", api)
    return DebianService(name, api)
```

so it's `DebianService`

```python
class DebianService(redhat_services.RedHatService):
    system_units = debian_system_units
```

then

```python
class RedHatService(base_services.SystemdService):
```

I.e. it is not `DebianSysvService`
"""

See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297987349
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 2da6692288d276e199f3d4d92a69fd59f31ff138 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 30 ++ ipaserver/install/server/upgrade.py | 24 4 files changed, 68 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..f291580 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +from augeas import Augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,31 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lens') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +ocsp_comment = aug.get( +'{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path)) +ocsp_dir = aug.get('{}/directive[.="NSSOCSP"]'.format(path)) + +if ocsp_dir is None and ocsp_comment is not None: +# Directive is missing, comment is present +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), +'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +elif ocsp_dir is None: +# Directive is missing and comment is missing +aug.set('{}/directive[last()+1]'.format(path), "NSSOCSP") + +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +396,7 @@ def __setup_ssl(self): create=True) self.disable_syst
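Review bot: in the freeipa.spec.in hunk, `+Requires: python-augeas` carries no minimum version, unlike the neighbouring `Requires: gssproxy >= 0.7.0-2` and `Requires: sssd-dbus >= 1.15.2`; the httpinstance.py hunk depends on `aug.rename(...)` and on the `Augeas.NO_MODL_AUTOLOAD` flag, so pin the python-augeas (and thereby augeas) release known to provide them, or the package will install on a host where `enable_mod_nss_ocsp` fails at runtime.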
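Review bot: in the install/restart_scripts/restart_httpd hunk, the new `api.bootstrap(...)`, `installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname")` and `db.trust_root_cert(nickname, "P,,")` calls are placed at the top of `_main()`, before the existing `syslog.syslog(...)` line and the `try:` block, so any failure there (missing directive, NSS DB error) aborts the certmonger restart script before httpd is restarted and without the traceback handling that follows. Move them inside the `try:` so a failed trust-flag update is logged and the restart still proceeds. The comment `# Add trust flag which set certificate trusted for SSL connections.` should also state why the flag is set: the server certificate is marked trusted peer so mod_nss does not have to reach the OCSP responder (served by this same httpd) to validate its own certificate at startup, which is the chicken-and-egg case the commit message describes.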
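Review bot: in the `enable_mod_nss_ocsp` hunk, `path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost')` assumes nss.conf contains exactly one `VirtualHost`; if it ever contains more, the `aug.get(...)` calls fail on a multi-node match and `aug.set('{}/directive[last()+1]'...)` becomes ambiguous, so select `VirtualHost[1]` explicitly or assert the count. The regexp `"NSSOCSP .*"` only matches a comment with a space after the keyword, so a bare `#NSSOCSP` line falls through to the append branch and is left in place; harmless, but worth a comment. Also confirm that `os` is imported in httpinstance.py (this patch adds only `from augeas import Augeas`), add a docstring saying the function is also the upgrade path, and wrap `aug.save()` so a failure is reported with the file name rather than a bare augeas exception.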
Re: [Freeipa-devel] "blocker" tag for pull request
On 04/28/2017 10:15 AM, Petr Vobornik wrote:
> Hi all,
>
> I created "blocker" tag for FreeIPA GitHub PRs.
>
> It should be used to mark PRs which solve test blocker or other
> functional blockers - e.g. blocks creation of demo. I.e. should be
> used rather rarely.
>
> I don't like the tag name, but I couldn't find better.

I think we could use the name "high-priority". It could have other uses besides marking a blocker, e.g. requesting prompt execution of tests in PR CI.

> Note: blocker priority in pagure doesn't imply blocker tag in PR. But
> testblocker tag in pagure does. Actually I'm thinking about changing
> Pagure priority names to: "highest, high, medium, low, patchwelcome"

+1, but I'd prefer "critical" instead of "highest"

--
Tomas Krizek
PGP: 4A8B A48C 2AED 933B D495 C509 A1FB A5F7 EF8C 4869
[Freeipa-devel] [freeipa PR#733][comment] [4.5] Fix CA/server cert validation in FIPS
URL: https://github.com/freeipa/freeipa/pull/733
Title: #733: [4.5] Fix CA/server cert validation in FIPS

MartinBasti commented:
"""
ipa-4-5:

* 651d132b701b773b2bbeb41496d6c5ddbf6d19b3 Fix CA/server cert validation in FIPS
"""

See the full comment at https://github.com/freeipa/freeipa/pull/733#issuecomment-297982146
[Freeipa-devel] [freeipa PR#733][closed] [4.5] Fix CA/server cert validation in FIPS
URL: https://github.com/freeipa/freeipa/pull/733
Author: stlaz
Title: #733: [4.5] Fix CA/server cert validation in FIPS
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/733/head:pr733
git checkout pr733
[Freeipa-devel] [freeipa PR#733][+pushed] [4.5] Fix CA/server cert validation in FIPS
URL: https://github.com/freeipa/freeipa/pull/733
Title: #733: [4.5] Fix CA/server cert validation in FIPS
Label: +pushed
[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

tomaskrizek commented:
"""
How is this patch going to work for Debian? Shouldn't we also implement `reload_or_restart` for `DebianSysvService`?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297980381
[Freeipa-devel] [freeipa PR#735][comment] automount install: do not wait for sssd restart on uninstallation
URL: https://github.com/freeipa/freeipa/pull/735
Title: #735: automount install: do not wait for sssd restart on uninstallation

MartinBasti commented:
"""
master:

* b4e447fa6fc7d659ae6a3b6285d4ddda0baa0be4 automount install: fix checking of SSSD functionality on uninstall

ipa-4-5:

* ff513d6b20ee0a2ca90b06b8c114386f1e5751d9 automount install: fix checking of SSSD functionality on uninstall
"""

See the full comment at https://github.com/freeipa/freeipa/pull/735#issuecomment-297977040
[Freeipa-devel] [freeipa PR#735][+pushed] automount install: do not wait for sssd restart on uninstallation
URL: https://github.com/freeipa/freeipa/pull/735
Title: #735: automount install: do not wait for sssd restart on uninstallation
Label: +pushed
[Freeipa-devel] [freeipa PR#735][closed] automount install: do not wait for sssd restart on uninstallation
URL: https://github.com/freeipa/freeipa/pull/735
Author: pvoborni
Title: #735: automount install: do not wait for sssd restart on uninstallation
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/735/head:pr735
git checkout pr735
[Freeipa-devel] [freeipa PR#733][synchronized] [4.5] Fix CA/server cert validation in FIPS
URL: https://github.com/freeipa/freeipa/pull/733 Author: stlaz Title: #733: [4.5] Fix CA/server cert validation in FIPS Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/733/head:pr733 git checkout pr733 From 906c2010d594cc7a0e74f7ef80f41ed00581979f Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Wed, 26 Apr 2017 08:19:27 +0200 Subject: [PATCH] Fix CA/server cert validation in FIPS In FIPS, the NSS library needs to be passed passwords to perform certificate validation. Should we not have passed it and the NSS guys have not fixed this yet, we would get SEC_ERROR_BAD_SIGNATURE which is completely different error than one would expect but that's just how things are with NSS right now. https://pagure.io/freeipa/issue/6897 --- ipapython/certdb.py | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/ipapython/certdb.py b/ipapython/certdb.py index 0665f94..ea73ec1 100644 --- a/ipapython/certdb.py +++ b/ipapython/certdb.py @@ -77,6 +77,11 @@ def find_cert_from_txt(cert, start=0): return (cert, e) +def get_file_cont(slot, token, filename): +with open(filename) as f: +return f.read() + + class NSSDatabase(object): """A general-purpose wrapper around a NSS cert database @@ -547,12 +552,14 @@ def verify_server_cert_validity(self, nickname, hostname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) +nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) intended_usage = nss.certificateUsageSSLServer try: -approved_usage = cert.verify_now(certdb, True, intended_usage) +approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102: raise ValueError(e.strerror) 
@@ -572,6 +579,7 @@ def verify_ca_cert_validity(self, nickname): if nss.nss_is_initialized(): nss.nss_shutdown() nss.nss_init(self.secdir) +nss.set_password_callback(get_file_cont) try: certdb = nss.get_default_certdb() cert = nss.find_cert_from_nickname(nickname) @@ -586,7 +594,8 @@ def verify_ca_cert_validity(self, nickname): raise ValueError("not a CA certificate") intended_usage = nss.certificateUsageSSLCA try: -approved_usage = cert.verify_now(certdb, True, intended_usage) +approved_usage = cert.verify_now(certdb, True, intended_usage, + self.pwd_file) except NSPRError as e: if e.errno != -8102:# SEC_ERROR_INADEQUATE_KEY_USAGE raise ValueError(e.strerror) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
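Review bot: `get_file_cont` in the first ipapython/certdb.py hunk returns the raw file content, so if the password file ever ends with a newline (as files written by most tools do), NSS is handed a password with the newline attached and validation fails with an unrelated-looking error; strip trailing line ends before returning. The name also gives no hint that this is the NSS password callback, which is why `slot` and `token` are unused; a docstring saying so would save the next reader a trip to the python-nss documentation.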
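Review bot: in the `verify_server_cert_validity` hunk, `nss.set_password_callback(get_file_cont)` installs a process-global callback that stays registered after the function returns, and `cert.verify_now(certdb, True, intended_usage, self.pwd_file)` passes `self.pwd_file` through as the callback's user data; for a database opened without a password file (`pwd_file` is None) the callback then fails inside NSS on `open(None)` instead of with a clear error. Guard for `self.pwd_file is None` before registering the callback, and clear it alongside the `nss.nss_shutdown()` cleanup so later NSS users in the same process do not inherit it.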
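Review bot: the `verify_ca_cert_validity` hunk repeats the `set_password_callback` plus `verify_now(..., self.pwd_file)` sequence from `verify_server_cert_validity`, and the magic `-8102` is annotated `# SEC_ERROR_INADEQUATE_KEY_USAGE` here but not in the server variant. Factor the shared NSS init, callback registration and verify steps into one helper so the FIPS-specific password plumbing lives in a single place, and give the error code a named constant used by both callers.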
[Freeipa-devel] [freeipa PR#735][+ack] automount install: do not wait for sssd restart on uninstallation
URL: https://github.com/freeipa/freeipa/pull/735
Title: #735: automount install: do not wait for sssd restart on uninstallation
Label: +ack
[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

MartinBasti commented:
"""
master:

* d5c41ed4ad370c7d74296a830993a5bd3fd32e5f vault: piped input for ipa vault-add fails

ipa-4-5:

* c8ca0f89a68b5d57c56344fdeb12fd436976c726 vault: piped input for ipa vault-add fails
"""

See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297973494
[Freeipa-devel] [freeipa PR#747][closed] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747
Author: flo-renaud
Title: #747: vault: piped input for ipa vault-add fails
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/747/head:pr747
git checkout pr747
[Freeipa-devel] [freeipa PR#747][+pushed] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails
Label: +pushed
[Freeipa-devel] [freeipa PR#741][comment] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes

stlaz commented:
"""
For the record - the tests are passing on my machine, something is not right here.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/741#issuecomment-297969953
[Freeipa-devel] [freeipa PR#729][synchronized] Turn on NSSOCSP check in mod_nss conf
URL: https://github.com/freeipa/freeipa/pull/729 Author: pvomacka Title: #729: Turn on NSSOCSP check in mod_nss conf Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/729/head:pr729 git checkout pr729 From 96447296da8dd4ee565d9b5dcf5991e160e87091 Mon Sep 17 00:00:00 2001 From: Pavel Vomacka Date: Thu, 6 Apr 2017 16:15:47 +0200 Subject: [PATCH 1/2] Turn on NSSOCSP check in mod_nss conf Turn on NSSOCSP directive during install/replica install/upgrade. That check whether the certificate which is used for login is revoked or not using OSCP. Marks the server cert in httpd NSS DB as trusted peer ('P,,') to avoid chicken and egg problem when it is needed to contact the OCSP responder when httpd is starting. https://pagure.io/freeipa/issue/6370 --- freeipa.spec.in | 1 + install/restart_scripts/restart_httpd | 14 +- ipaserver/install/httpinstance.py | 19 +++ ipaserver/install/server/upgrade.py | 24 4 files changed, 57 insertions(+), 1 deletion(-) diff --git a/freeipa.spec.in b/freeipa.spec.in index fbc67cb..9077734 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -306,6 +306,7 @@ Requires: oddjob Requires: gssproxy >= 0.7.0-2 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050) Requires: sssd-dbus >= 1.15.2 +Requires: python-augeas Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server diff --git a/install/restart_scripts/restart_httpd b/install/restart_scripts/restart_httpd index d168481..b661b82 100644 --- a/install/restart_scripts/restart_httpd +++ b/install/restart_scripts/restart_httpd 
@@ -21,11 +21,23 @@ import syslog import traceback +from ipalib import api from ipaplatform import services -from ipaserver.install import certs +from ipaplatform.paths import paths +from ipaserver.install import certs, installutils def _main(): + +api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA) +api.finalize() + +db = certs.CertDB(api.env.realm, nssdir=paths.HTTPD_ALIAS_DIR) +nickname = installutils.get_directive(paths.HTTPD_NSS_CONF, "NSSNickname") + +# Add trust flag which set certificate trusted for SSL connections. +db.trust_root_cert(nickname, "P,,") + syslog.syslog(syslog.LOG_NOTICE, 'certmonger restarted httpd') try: diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py index aeb5c5e..90f918b 100644 --- a/ipaserver/install/httpinstance.py +++ b/ipaserver/install/httpinstance.py @@ -29,6 +29,7 @@ import locale import six +import augeas from ipalib.constants import IPAAPI_USER from ipalib.install import certmonger @@ -156,6 +157,7 @@ def create_instance(self, realm, fqdn, domain_name, pkcs12_info=None, self.set_mod_nss_protocol) self.step("setting mod_nss password file", self.__set_mod_nss_passwordfile) self.step("enabling mod_nss renegotiate", self.enable_mod_nss_renegotiate) +self.step("enabling mod_nss OCSP", self.enable_mod_nss_ocsp) self.step("adding URL rewriting rules", self.__add_include) self.step("configuring httpd", self.__configure_http) self.step("setting up httpd keytab", self.request_service_keytab) 
@@ -263,6 +265,20 @@ def enable_mod_nss_renegotiate(self): installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRenegotiation', 'on', False) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSRequireSafeNegotiation', 'on', False) +def enable_mod_nss_ocsp(self): +aug = augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD) + +aug.set('/augeas/load/Httpd/lens', 'Httpd.lens') +aug.set('/augeas/load/Httpd/incl', paths.HTTPD_NSS_CONF) +aug.load() + +path = os.path.join('/files', paths.HTTPD_NSS_CONF[1:], 'VirtualHost') + +aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'.format(path), 'NSSOCSP') +aug.rename('{}/#comment[.="NSSOCSP"]'.format(path), 'directive') +aug.set('{}/directive[. = "NSSOCSP"]/arg'.format(path), 'on') +aug.save() + def set_mod_nss_cipher_suite(self): ciphers = ','.join(NSS_CIPHER_SUITE) installutils.set_directive(paths.HTTPD_NSS_CONF, 'NSSCipherSuite', ciphers, False) @@ -369,6 +385,7 @@ def __setup_ssl(self): create=True) self.disable_system_trust() self.create_password_conf() + if self.pkcs12_info: if self.ca_is_configured: trust_flags = 'CT,C,C' @@ -393,6 +410,8 @@ def __setup_ssl(self): self.__set_mod_nss_nickname(nickname) self.add_cert_to_service() +db.trust_root_cert(nickname, "P,,") + else: if not self.promote: ca_args = [ diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upg
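Review bot: in the `enable_mod_nss_ocsp` hunk, `aug = augeas.Augeas(flags=Augeas.NO_LOAD | Augeas.NO_MODL_AUTOLOAD)` references the bare name `Augeas`, but the import hunk above adds only `+import augeas`, so the first install step that calls this function raises NameError; use `augeas.Augeas.NO_LOAD | augeas.Augeas.NO_MODL_AUTOLOAD` or switch the import to `from augeas import Augeas`. The `aug.set('{}/#comment[.=~regexp("NSSOCSP .*")]'...)` / `aug.rename(...)` pair is also unconditional: once the comment has been turned into a directive (a second run of the upgrade, or a hand-edited nss.conf with `NSSOCSP` already active) there is no matching comment to rewrite, so check for an existing `directive[.="NSSOCSP"]` first and only rename or append when it is absent, otherwise the step is not idempotent.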
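Review bot: in the `__setup_ssl` hunk, `+db.trust_root_cert(nickname, "P,,")` is added only in the `if self.pkcs12_info:` branch after `self.add_cert_to_service()`; the `else:` branch (certificate requested from the IPA CA, the common deployment) is cut off in this excerpt, so verify it also sets the trusted-peer flag, because a fresh CA-backed install would otherwise start httpd with `NSSOCSP on` and no way to validate its own certificate without the OCSP responder that httpd itself serves, exactly the chicken-and-egg case the commit message describes. The empty `+` line inserted after `self.create_password_conf()` is a stray whitespace change and should be dropped.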
[Freeipa-devel] [freeipa PR#738][+rejected] restore: restart gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/738
Title: #738: restore: restart gssproxy after restore
Label: +rejected
[Freeipa-devel] [freeipa PR#738][closed] restore: restart gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/738
Author: pvoborni
Title: #738: restore: restart gssproxy after restore
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/738/head:pr738
git checkout pr738
[Freeipa-devel] [freeipa PR#738][comment] restore: restart gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/738
Title: #738: restore: restart gssproxy after restore

pvoborni commented:
"""
PR #748 obsoletes this one - this PR was created badly and so I cannot force update it. New one uses reload-or-restart
"""

See the full comment at https://github.com/freeipa/freeipa/pull/738#issuecomment-297962651
[Freeipa-devel] [freeipa PR#748][comment] restore: restart/reload gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/748
Title: #748: restore: restart/reload gssproxy after restore

pvoborni commented:
"""
Obsoletes PR #738
"""

See the full comment at https://github.com/freeipa/freeipa/pull/748#issuecomment-297962322
[Freeipa-devel] [freeipa PR#748][opened] restore: restart/reload gssproxy after restore
URL: https://github.com/freeipa/freeipa/pull/748 Author: pvoborni Title: #748: restore: restart/reload gssproxy after restore Action: opened PR body: """ So that gssproxy picks up new configuration and therefore related usages like authentication of CLI against server works https://pagure.io/freeipa/issue/6902 """ To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/748/head:pr748 git checkout pr748 From d49d50c8af896425f5c63950edde08bd88dbb46f Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Wed, 26 Apr 2017 18:47:53 +0200 Subject: [PATCH] restore: restart/reload gssproxy after restore So that gssproxy picks up new configuration and therefore related usages like authentication of CLI against server works https://pagure.io/freeipa/issue/6902 --- ipaplatform/base/services.py | 21 ++--- ipaserver/install/ipa_restore.py | 3 +++ 2 files changed, 21 insertions(+), 3 deletions(-) diff --git a/ipaplatform/base/services.py b/ipaplatform/base/services.py index 068b972..fca6298 100644 --- a/ipaplatform/base/services.py +++ b/ipaplatform/base/services.py @@ -154,6 +154,10 @@ def stop(self, instance_name="", capture_output=True, return +def reload_or_restart(self, instance_name="", capture_output=True, + wait=True): +return + def restart(self, instance_name="", capture_output=True, wait=True): return 
@@ -298,14 +302,25 @@ def start(self, instance_name="", capture_output=True, wait=True): instance_name, update_service_list=update_service_list) -def restart(self, instance_name="", capture_output=True, wait=True): -ipautil.run([paths.SYSTEMCTL, "restart", - self.service_instance(instance_name)], +def _restart_base(self, instance_name, operation, capture_output=True, + wait=False): + +ipautil.run([paths.SYSTEMCTL, operation, +self.service_instance(instance_name)], skip_output=not capture_output) if wait and self.is_running(instance_name): self.wait_for_open_ports(self.service_instance(instance_name)) +def reload_or_restart(self, instance_name="", capture_output=True, + wait=True): +self._restart_base(instance_name, "reload-or-restart", + capture_output, wait) + +def restart(self, instance_name="", capture_output=True, wait=True): +self._restart_base(instance_name, "restart", + capture_output, wait) + def is_running(self, instance_name="", wait=True): instance = self.service_instance(instance_name, 'is-active') diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py index 378c013..96fc493 100644 --- a/ipaserver/install/ipa_restore.py +++ b/ipaserver/install/ipa_restore.py @@ -401,6 +401,9 @@ def run(self): services.knownservices.pki_tomcatd.enable() services.knownservices.pki_tomcatd.disable() +self.log.info('Restarting GSS-proxy') +gssproxy = services.service('gssproxy', api) +gssproxy.reload_or_restart() self.log.info('Starting IPA services') run(['ipactl', 'start']) self.log.info('Restarting SSSD') -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
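Review bot: in the `_restart_base` hunk, the helper defaults to `wait=False` while both public wrappers, `reload_or_restart` and `restart`, default to `wait=True`; the wrappers always pass `wait` explicitly so behaviour is unchanged, but the mismatched default is a trap for the next caller. Give `_restart_base` the same `wait=True` default (or none at all), and add a docstring to `reload_or_restart` noting that it maps to `systemctl reload-or-restart`, i.e. a reload when the unit supports one and a full restart otherwise, so callers know the service may briefly go down.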
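Review bot: in the ipa_restore.py hunk, `services.service('gssproxy', api)` goes through the platform service factory while the lines just above use `services.knownservices.pki_tomcatd`; on a platform whose factory maps gssproxy to a class that does not override `reload_or_restart`, the base implementation added in this patch simply `return`s, so the restore silently skips the reload that the commit message says is needed for CLI authentication to work. Either log the outcome after the call (the `self.log.info('Restarting GSS-proxy')` line only announces the attempt) or make the base-class method emit a warning rather than a silent no-op.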
[Freeipa-devel] [freeipa PR#694][closed] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Author: martbab
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Action: closed

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/694/head:pr694
git checkout pr694
[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
master:

* b1a1e104391c84cb9af7b0a7c8748c8652442ddb separate function to set ipaConfigString values on service entry
* fb52f7a1f328b126626525179d5250692daca2cd Allow for configuration of all three PKINIT variants when deploying KDC
* 86972299d937960bcb713fc73b447cddb4ea44bd API for retrieval of master's PKINIT status and publishing it in LDAP
* 3adb9ca875f8eb99e99a29e17a471a2b6f408a4a Use only anonymous PKINIT to fetch armor ccache
* 68c6a4d4e1340ce01bdc7ec5dd394604a3da7688 Stop requesting anonymous keytab and purge all references of it
* 2374b648d0dfd08ec4cfbcc35f7987fa8b8a6ffa Use local anchor when armoring password requests
* a194055c92c7ca4eba29323f990ec3b92026221b Upgrade: configure local/full PKINIT depending on the master status
* 960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Do not test anonymous PKINIT after install/upgrade

ipa-4-5:

* 31a24436592304db6e84270e4a95df34d1e0af46 separate function to set ipaConfigString values on service entry
* b49e075c90a7ab43e82f422aa11dc7540e2fb2c0 Allow for configuration of all three PKINIT variants when deploying KDC
* a0e2a09292ffa2adbf97c2e7e4facc9693dbc311 API for retrieval of master's PKINIT status and publishing it in LDAP
* fca378c9a65f582ac3dcda4b6201e8847ed9e512 Use only anonymous PKINIT to fetch armor ccache
* 9fcc794dac6ffb1f1cc6c92a588ea0911be5ba14 Stop requesting anonymous keytab and purge all references of it
* 5031929b6d710336f6308d7f46779c9e8e98103a Use local anchor when armoring password requests
* 2452e6e5f3a7e7a25eadf5243a28da75a47f9d2c Upgrade: configure local/full PKINIT depending on the master status
* d497c4589cc7506ef9a88b691b8b1d97ad1f1009 Do not test anonymous PKINIT after install/upgrade
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297941980
[Freeipa-devel] [freeipa PR#694][+pushed] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Label: +pushed
[Freeipa-devel] [freeipa PR#694][+ack] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Label: +ack
Re: [Freeipa-devel] KDC proxy URI records
On 2017-04-27 14:00, Martin Bašti wrote: > > > On 26.04.2017 20:41, Simo Sorce wrote: >> On Wed, 2017-04-26 at 12:57 +0200, Martin Bašti wrote: >>> On 25.04.2017 16:57, Martin Bašti wrote: Hello all, I'm going to implement automatic URI records for kdc proxy and I'd like to clarify if following URI records are the right one. _kerberos-adm.example.com. IN URI 0 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"; _krb5kdc.example.com. IN URI 0 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"; _kpasswd.example.com. IN URI 0 "krb5srv:M:kkdcp:https://ipaserver.example.com/KdcProxy"; I assume we want to use "kkdcp" and "https", and "M" flag as all IPA servers are masters, please confirm. Sources: https://k5wiki.kerberos.org/wiki/Projects/KDC_Discovery https://tools.ietf.org/id/draft-mccallum-kitten-krb-service-discovery-02.txt Thank you >>> I found out that wiki page differs from the RFC draft and from the >>> source in git >>> >>> There is "_kerberos.REALM" record instead of "_krb5kdc.REALM" >>> >>> >>> And I'm not sure if _kerberos-adm should be included as we don't really >>> support kadmin. >> We shouldn't. >> >> Simo. >> > > I would like to discuss consequences of adding kdc URI records: > > 1. basically all ipa clients enrolled using autodiscovery will use > kdcproxy instead of KDC on port 88, because URI takes precedence over > SRV in KRB5 client implementation. Are we ok with such a big change? Update: It's correct that URI records have a higher priority than SRV records. A client with URI discovery support will never check SRV records when it is able to retrieve URI records. For newer clients we have to include TCP and UDP URI records, too. I did some testing. MIT KRB5 prefers UDP/TCP over MSKKDP for records with same priority. That fact is not stated in the RFC. I'm writing a mail to Nathaniel and Simo to discuss the matter. 
Christian

-- 
Christian Heimes
Senior Software Engineer, Identity Management and Platform Security
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Michael Cunningham, Michael O'Neill, Eric Shander
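As an added example of the record layout the thread above discusses (not FreeIPA code and not from the mail), this builds krb5srv URI records for a realm with the plain UDP/TCP KDC at a better priority than the KDC proxy, parses them back with the weight field RFC 7553 requires, and returns the order a priority-following client would try them. The realm, hostnames and proxy URL are constructed placeholders.

```python
"""Build and parse krb5srv URI records for Kerberos service discovery.

Added example, not FreeIPA code. Target syntax follows
draft-mccallum-kitten-krb-service-discovery, "krb5srv:[flags]:[transport]:[residual]",
published at _kerberos.REALM (KDC) and _kpasswd.REALM (password change).
"""
import re
from collections import namedtuple

Krb5Uri = namedtuple("Krb5Uri", "owner priority weight flags transport residual")

# RFC 7553 URI RDATA is: priority weight "target" (TTL optional in zone files).
_RR_RE = re.compile(
    r'^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+URI\s+(?P<prio>\d+)\s+(?P<weight>\d+)\s+'
    r'"(?P<target>[^"]+)"\s*;?\s*$')


def parse_uri_record(line):
    """Parse one zone-file line into a Krb5Uri, rejecting malformed targets."""
    m = _RR_RE.match(line.strip())
    if not m:
        raise ValueError("not a URI record: %r" % line)
    parts = m.group("target").split(":", 3)
    if len(parts) != 4 or parts[0] != "krb5srv":
        raise ValueError("target is not a krb5srv URI: %r" % m.group("target"))
    _, flags, transport, residual = parts
    if transport not in ("udp", "tcp", "kkdcp"):
        raise ValueError("unknown transport %r" % transport)
    # The thread assumes the proxy is only ever reached over TLS; refuse plaintext.
    if transport == "kkdcp" and not residual.startswith("https://"):
        raise ValueError("kkdcp residual must be an https:// URL")
    return Krb5Uri(m.group("owner"), int(m.group("prio")),
                   int(m.group("weight")), flags, transport, residual)


def build_kdc_records(realm, kdc_hosts, proxy_urls, proxy_priority=10):
    """Emit URI records for a realm: plain KDC first, KDC proxy as fallback.

    Every host is an IPA master, hence the "M" flag. UDP/TCP get priority 0
    and the kkdcp records a larger (less preferred) number, so the ordering
    does not depend on how a client breaks ties between transports.
    """
    lines = []
    for owner, port in (("_kerberos.%s." % realm, 88), ("_kpasswd.%s." % realm, 464)):
        for host in kdc_hosts:
            for transport in ("udp", "tcp"):
                lines.append('%s IN URI 0 100 "krb5srv:M:%s:%s:%d"'
                             % (owner, transport, host, port))
        for url in proxy_urls:
            lines.append('%s IN URI %d 100 "krb5srv:M:kkdcp:%s"'
                         % (owner, proxy_priority, url))
    return lines


def contact_order(lines, owner):
    """(transport, residual) pairs for one owner: lower priority number first,
    higher weight first within a priority; equal weights keep zone order here."""
    recs = [r for r in map(parse_uri_record, lines) if r.owner == owner]
    recs.sort(key=lambda r: (r.priority, -r.weight))
    return [(r.transport, r.residual) for r in recs]
```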
[Freeipa-devel] [freeipa PR#694][comment] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install

HonzaCholasta commented:
"""
Works for me, ACK.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/694#issuecomment-297940885
[Freeipa-devel] "blocker" tag for pull request
Hi all,

I created a "blocker" tag for FreeIPA GitHub PRs. It should be used to mark PRs which solve a test blocker or other functional blockers - e.g. something that blocks creation of a demo. I.e. it should be used rather rarely.

I don't like the tag name, but I couldn't find a better one.

Note: blocker priority in pagure doesn't imply the blocker tag in a PR. But the testblocker tag in pagure does.

Actually I'm thinking about changing Pagure priority names to: "highest, high, medium, low, patchwelcome"

-- 
Petr Vobornik
[Freeipa-devel] [freeipa PR#723][-ack] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd
Label: -ack
[Freeipa-devel] [freeipa PR#723][-pushed] Store GSSAPI session key in /var/run/httpd
URL: https://github.com/freeipa/freeipa/pull/723
Title: #723: Store GSSAPI session key in /var/run/httpd
Label: -pushed
[Freeipa-devel] [freeipa PR#747][+ack] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails
Label: +ack
[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

stlaz commented:
"""
Thank you for the brief action taken. Re-adding the ACK label.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297935390
[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

flo-renaud commented:
"""
@stlaz Thank you for the reminder. Commit msg updated with issue 6907
"""

See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297935155
[Freeipa-devel] [freeipa PR#747][synchronized] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747 Author: flo-renaud Title: #747: vault: piped input for ipa vault-add fails Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/747/head:pr747 git checkout pr747 From 4b11def7359308d43bda011a622339156a4b0b43 Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Thu, 27 Apr 2017 18:20:06 +0200 Subject: [PATCH] vault: piped input for ipa vault-add fails An exception is raised when using echo "Secret123\n" | ipa vault-add myvault This happens because the code is using (string).decode(sys.stdin.encoding) and sys.stdin.encoding is None when the input is read from a pipe. The fix is using the prompt_password method defined by Backend.textui, which gracefully handles this issue. https://pagure.io/freeipa/issue/6907 --- ipaclient/plugins/vault.py | 37 - 1 file changed, 8 insertions(+), 29 deletions(-) diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py index 3fb4900..f21dc4d 100644 --- a/ipaclient/plugins/vault.py +++ b/ipaclient/plugins/vault.py @@ -21,11 +21,9 @@ import base64 import errno -import getpass import io import json import os -import sys import tempfile from cryptography.fernet import Fernet, InvalidToken @@ -84,29 +82,6 @@ def validated_read(argname, filename, mode='r', encoding=None): MAX_VAULT_DATA_SIZE = 2**20 # = 1 MB -def get_new_password(): -""" -Gets new password from user and verify it. -""" -while True: -password = getpass.getpass('New password: ').decode( -sys.stdin.encoding) -password2 = getpass.getpass('Verify password: ').decode( -sys.stdin.encoding) - -if password == password2: -return password - -print(' ** Passwords do not match! **') - - -def get_existing_password(): -""" -Gets existing password from user. -""" -return getpass.getpass('Password: ').decode(sys.stdin.encoding) - - def generate_symmetric_key(password, salt): """ Generates symmetric key from password and salt. 
@@ -304,7 +279,8 @@ def forward(self, *args, **options): password = password.rstrip('\n') else: -password = get_new_password() +password = self.api.Backend.textui.prompt_password( +'New password') # generate vault salt options['ipavaultsalt'] = os.urandom(16) @@ -887,9 +863,11 @@ def forward(self, *args, **options): else: if override_password: -password = get_new_password() +password = self.api.Backend.textui.prompt_password( +'New password') else: -password = get_existing_password() +password = self.api.Backend.textui.prompt_password( +'Password', confirm=False) if not override_password: # verify password by retrieving existing data @@ -1112,7 +1090,8 @@ def forward(self, *args, **options): password = password.rstrip('\n') else: -password = get_existing_password() +password = self.api.Backend.textui.prompt_password( +'Password', confirm=False) # generate encryption key from password encryption_key = generate_symmetric_key(password, salt) -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
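Review bot: the first hunk drops `import sys` together with `import getpass`, but the only uses shown are in the two helpers removed in the next hunk (`.decode(sys.stdin.encoding)`); please confirm no other reference to `sys` survives in ipaclient/plugins/vault.py, since a leftover one would surface as a NameError at call time rather than when the module is imported.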
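Review bot: the removed `get_new_password` and `get_existing_password` relied on `getpass.getpass`, which reads the password without echoing it; the replacement `self.api.Backend.textui.prompt_password` is not in this diff, so please confirm it also suppresses echo on a terminal and, when stdin is a pipe (the commit message's `echo "Secret123\n" | ipa vault-add myvault` case), reads the line without calling `.decode(sys.stdin.encoding)` on it, which is the failure being fixed.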
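Review bot: `prompt_password('New password')` in the vault_add hunk is called without `confirm=False`, while the vault_mod and vault_retrieve hunks pass `confirm=False` for existing passwords, so the new-password path presumably asks to verify the password; for the piped invocation in the commit message that means a second line is consumed (or EOF is hit) by the verify prompt. Either state the expected piped behaviour in the commit message or pass `confirm=False` when stdin is not a tty.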
[Freeipa-devel] [freeipa PR#741][+blocker] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741
Title: #741: 6.9 -> 7.4 migration fixes
Label: +blocker
[Freeipa-devel] [freeipa PR#747][comment] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails

stlaz commented:
"""
@Akasurde: Don't add ACK label when the PR is not OK!
@flo-renaud: You will need to specify a ticket for this PR.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/747#issuecomment-297933288
[Freeipa-devel] [freeipa PR#747][-ack] vault: piped input for ipa vault-add fails
URL: https://github.com/freeipa/freeipa/pull/747
Title: #747: vault: piped input for ipa vault-add fails
Label: -ack
[Freeipa-devel] [freeipa PR#694][+blocker] RFC: implement local PKINIT deployment in server/replica install
URL: https://github.com/freeipa/freeipa/pull/694
Title: #694: RFC: implement local PKINIT deployment in server/replica install
Label: +blocker
[Freeipa-devel] [freeipa PR#741][synchronized] 6.9 -> 7.4 migration fixes
URL: https://github.com/freeipa/freeipa/pull/741 Author: stlaz Title: #741: 6.9 -> 7.4 migration fixes Action: synchronized To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/741/head:pr741 git checkout pr741 From fddf366557e23806a5e05ba06c8471828c8daa7b Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Thu, 27 Apr 2017 12:51:30 +0200 Subject: [PATCH 1/2] Refresh Dogtag RestClient.ca_host property Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA against an old master which does not have port 8443 accessible. The setup tries to update the cert profiles via this port but fail. This operation should be performed against the local instance anyway. https://pagure.io/freeipa/issue/6878 --- ipaserver/plugins/dogtag.py | 34 ++ 1 file changed, 22 insertions(+), 12 deletions(-) diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py index 3997531..2ac4674 100644 --- a/ipaserver/plugins/dogtag.py +++ b/ipaserver/plugins/dogtag.py @@ -1202,7 +1202,6 @@ def select_any_master(ldap2, service='CA'): import random from ipaserver.plugins import rabase from ipalib.constants import TYPE_ERROR -from ipalib.util import cachedproperty from ipalib import _ from ipaplatform.paths import paths 
@@ -1250,34 +1249,45 @@ def __init__(self, api): self.client_keyfile = paths.RA_AGENT_KEY super(RestClient, self).__init__(api) +self._ca_host = None # session cookie self.override_port = None self.cookie = None -@cachedproperty +@property def ca_host(self): """ -:return: host - as str +:returns: FQDN of a host hopefully providing a CA service -Select our CA host. +Select our CA host, cache it for the first time. """ +if self._ca_host is not None: +return self._ca_host + ldap2 = self.api.Backend.ldap2 if host_has_service(api.env.ca_host, ldap2, "CA"): -return api.env.ca_host -if api.env.host != api.env.ca_host: +self._ca_host = api.env.ca_host +elif api.env.host != api.env.ca_host: if host_has_service(api.env.host, ldap2, "CA"): -return api.env.host -host = select_any_master(ldap2) -if host: -return host +self._ca_host = api.env.host else: -return api.env.ca_host +self._ca_host = select_any_master(ldap2) +if self._ca_host is None: +self._ca_host = api.env.ca_host +return self._ca_host + +@ca_host.setter +def ca_host(self, value): +self._ca_host = value def __enter__(self): """Log into the REST API""" if self.cookie is not None: return + +# Refresh the ca_host property +self._ca_host = None + status, resp_headers, _resp_body = dogtag.https_request( self.ca_host, self.override_port or self.env.ca_agent_port, url='/ca/rest/account/login', From 6d7589e8654d11a7d73256d862ecad8168a5e4da Mon Sep 17 00:00:00 2001 From: Stanislav Laznicka Date: Fri, 28 Apr 2017 09:31:45 +0200 Subject: [PATCH 2/2] Remove the cachedproperty class The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it. https://pagure.io/freeipa/issue/6878 --- ipalib/util.py | 34 -- 1 file changed, 34 deletions(-) diff --git a/ipalib/util.py b/ipalib/util.py index e9d4105..8973a19 100644 --- a/ipalib/util.py +++ b/ipalib/util.py 
@@ -34,7 +34,6 @@ import encodings import sys import ssl -from weakref import WeakKeyDictionary import netaddr from dns import resolver, rdatatype @@ -492,39 +491,6 @@ def remove_sshpubkey_from_output_list_post(context, entries): delattr(context, 'ipasshpubkey_added') -class cachedproperty(object): -""" -A property-like attribute that caches the return value of a method call. - -When the attribute is first read, the method is called and its return -value is saved and returned. On subsequent reads, the saved value is -returned. - -Typical usage: -class C(object): -@cachedproperty -def attr(self): -return 'value' -""" -__slots__ = ('getter', 'store') - -def __init__(self, getter): -self.getter = getter -self.store = WeakKeyDictionary() - -def __get__(self, obj, cls): -if obj is None: -return None -if obj not in self.store: -self.store[obj] = self.getter(obj) -return self.store[obj] - -def __set__(self, obj, value): -raise AttributeError("can't set attribute") - -def __delete__(self, obj): -ra
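Review bot: the rewritten `ca_host` getter in the dogtag.py hunk no longer falls back to `select_any_master(ldap2)` when `api.env.host == api.env.ca_host` and that host has no CA service: the old code reached `select_any_master` on that path, while the new `elif` skips it and the trailing `if self._ca_host is None` returns `api.env.ca_host`, a host just found not to run a CA. Add an outer `else: self._ca_host = select_any_master(ldap2)` or document in the docstring that returning the local host is intended on DL0. In the same hunk, `__enter__` unconditionally sets `self._ca_host = None` before the first login, so any value assigned through the new `ca_host.setter` before entering the context manager is discarded; if the setter is meant for callers, only reset a value the getter filled in.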
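Review bot: the `class cachedproperty` removal hunk in ipalib/util.py is cut off in this message after `def __delete__(self, obj):`, so the rest of the deletion cannot be reviewed here; also, patch 1 removes only the dogtag.py import, so please grep the tree for any remaining `cachedproperty` users before dropping the class, since the commit message's "one special use-case" claim is not verified by the diff.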
Re: [Freeipa-devel] KDC proxy URI records
On 28.04.2017 09:32, Martin Kosek wrote:
> On 04/27/2017 04:16 PM, Simo Sorce wrote:
>> On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote:
>>> On 04/27/2017 02:19 PM, Christian Heimes wrote:
>>>> On 2017-04-27 14:00, Martin Bašti wrote:
>>>>> I would like to discuss consequences of adding kdc URI records:
>>>>>
>>>>> 1. basically all ipa clients enrolled using autodiscovery will use kdcproxy instead of KDC on port 88, because URI takes precedence over SRV in the KRB5 client implementation. Are we ok with such a big change?
>>>>
>>>> Does the client also prefer KKDCP if you give the Kerberos 88/UDP and 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
>>>>
>>>>> 2. probably client installer must be updated because currently with CA-full installation it is not working. ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE below that it refuses self signed certificate
>>>>
>>>> Actually it is not a self-signed EE certificate. The validation message is bogus because FreeIPA TLS configuration is slightly buggy. We send the trust anchor (root CA) although a server should not include its trust anchor in its ServerHello message. OpenSSL detects an untrusted root CA in the ServerHello peer chain and emits the message.
>>>>
>>>> If I read the 600 lines (!) function ipaclient.install.client._install correctly, then ipa-client-install first attempts to negotiate a TGT and then installs the trust anchor in the global trust store. It should be enough to reverse the order and inject the trust anchor first.
>>>>
>>>> Christian
>>>
>>> By reading this, even if we do the change in client install, I'd rather not generate the DNS records in the 4.5.1 release and rather make sure that everything works during 4.6 development.
>
> I agree. My original assumption why I suggested this RFE was that it would be a very contained change and only used by clients that do not have classic Kerberos ports available. Given how much it influences the rest of the framework, we indeed should not push on it in a bugfix release.
>
>>> The reason is that there might also be something else not working and it is better to time test it + the fix would not fix older clients.
>>>
>>> If anybody wants to use/try it, then the records can be created manually.
>>
>> We need to fix clients regardless, so someone enabling it will find the same issues.
>
> Right. Can someone please file the ticket so that it can be triaged later?

ticket is here https://pagure.io/freeipa/issue/6906

Thanks,
Martin

-- 
Martin Bašti
Software Engineer
Red Hat Czech
Re: [Freeipa-devel] KDC proxy URI records
On 04/27/2017 04:16 PM, Simo Sorce wrote:
> On Thu, 2017-04-27 at 15:56 +0200, Petr Vobornik wrote:
>> On 04/27/2017 02:19 PM, Christian Heimes wrote:
>>> On 2017-04-27 14:00, Martin Bašti wrote:
>>>> I would like to discuss consequences of adding kdc URI records:
>>>>
>>>> 1. basically all ipa clients enrolled using autodiscovery will use kdcproxy instead of KDC on port 88, because URI takes precedence over SRV in the KRB5 client implementation. Are we ok with such a big change?
>>>
>>> Does the client also prefer KKDCP if you give the Kerberos 88/UDP and 88/TCP URIs a higher priority than the KKDCP HTTPS URIs?
>>>
>>>> 2. probably client installer must be updated because currently with CA-full installation it is not working. ipa-client-install (with autodiscovery) failed on kinit, see KRB5_TRACE below that it refuses self signed certificate
>>>
>>> Actually it is not a self-signed EE certificate. The validation message is bogus because FreeIPA TLS configuration is slightly buggy. We send the trust anchor (root CA) although a server should not include its trust anchor in its ServerHello message. OpenSSL detects an untrusted root CA in the ServerHello peer chain and emits the message.
>>>
>>> If I read the 600 lines (!) function ipaclient.install.client._install correctly, then ipa-client-install first attempts to negotiate a TGT and then installs the trust anchor in the global trust store. It should be enough to reverse the order and inject the trust anchor first.
>>>
>>> Christian
>>
>> By reading this, even if we do the change in client install, I'd rather not generate the DNS records in the 4.5.1 release and rather make sure that everything works during 4.6 development.

I agree. My original assumption why I suggested this RFE was that it would be a very contained change and only used by clients that do not have classic Kerberos ports available. Given how much it influences the rest of the framework, we indeed should not push on it in a bugfix release.

>> The reason is that there might also be something else not working and it is better to time test it + the fix would not fix older clients.
>>
>> If anybody wants to use/try it, then the records can be created manually.
>
> We need to fix clients regardless, so someone enabling it will find the same issues.

Right. Can someone please file the ticket so that it can be triaged later?

Thanks,
Martin