[Freeipa-devel] [PATCH] support AES for cross-realm TGTs

2012-09-26 Thread Simo Sorce
This patch allows Windows to send us TGTs using AES. Simo. -- Simo Sorce * Red Hat, Inc. * New York From 6397e6acbe29a7b54539f307d30976deb68b1465 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Wed, 26 Sep 2012 18:34:57 -0400 Subject: [PATCH] Add support for using AES for cross-realm TGTs ---

Re: [Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

2012-09-26 Thread Rob Crittenden
Tomas Babej wrote: Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. I think we should list all ports that are required for cli

Re: [Freeipa-devel] [PATCH] 314-315 Limit unindexed searches

2012-09-26 Thread Rob Crittenden
Martin Kosek wrote: These 2 patches significantly limit the number of unindexed LDAP searches we do in IPA. I used our unit test suite as a good source of different LDAP searches run by our command suite. Most of the remaining unindexed searches are produced either by our general term search ("i

Re: [Freeipa-devel] Announcing FreeIPA v3.0.0 release candidate 1

2012-09-26 Thread Alexander Bokovoy
Hi, small addition -- in order to get trusts created properly on new installs you'll need to apply my patch 0080 https://www.redhat.com/archives/freeipa-devel/2012-September/msg00426.html this is one fix that we missed in RC1. :( -- / Alexander Bokovoy - Original Message - > From: "Rob

Re: [Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod

2012-09-26 Thread Rob Crittenden
Martin Kosek wrote: On 09/26/2012 12:32 PM, Petr Viktorin wrote: On 09/26/2012 12:25 PM, Petr Viktorin wrote: I found strange behavior in validate_selinuxuser. Perhaps it's material for another ticket. This command passes validation: $ ./ipa config_mod --ipaselinuxusermapdefault=unconfined_u:

[Freeipa-devel] Announcing FreeIPA v3.0.0 release candidate 1

2012-09-26 Thread Rob Crittenden
The FreeIPA team is proud to announce version FreeIPA v3.0.0 rc 1. It can be downloaded from http://www.freeipa.org/page/Downloads. A build is available in the Fedora 18 and rawhide repositories or for Fedora 17 via the freeipa-devel repo on www.freeipa.org: http://freeipa.org/downloads/freeip

Re: [Freeipa-devel] [PATCH 0015] Restrict admins group modifications

2012-09-26 Thread Martin Kosek
On 09/25/2012 02:59 PM, Tomas Babej wrote: > On 09/25/2012 02:31 PM, Martin Kosek wrote: >> On 09/25/2012 02:22 PM, Tomas Babej wrote: >>> Hi, >>> >>> Group-mod command no longer allows --rename and/or --external >>> changes made to the admins group. In such cases, ProtectedEntryError >>> is being

Re: [Freeipa-devel] [PATCH 0070] Fix zone register locking in zr_set_zone_serial_digest()

2012-09-26 Thread Petr Spacek
On 09/26/2012 04:01 PM, Adam Tkac wrote: On Wed, Sep 26, 2012 at 12:57:33PM +0200, Petr Spacek wrote: Hello, Fix zone register locking in zr_set_zone_serial_digest(). Zone register has to be locked against simultaneous writes. Ack Pushed to master: 09bdbfc807a63c19d171af5fe3b1337

Re: [Freeipa-devel] [PATCH 0014] Improve user addition to default group in host-add

2012-09-26 Thread Martin Kosek
On 09/26/2012 03:23 PM, Tomas Babej wrote: > On 09/25/2012 12:37 PM, Tomas Babej wrote: >> Hi, >> >> On adding new user, host-add tries to make it a member of default >> user group. This, however, can raise AlreadyGroupMember when the >> user is already member of this group due to automember rule o

Re: [Freeipa-devel] [PATCH 0070] Fix zone register locking in zr_set_zone_serial_digest()

2012-09-26 Thread Adam Tkac
On Wed, Sep 26, 2012 at 12:57:33PM +0200, Petr Spacek wrote: > Hello, > > Fix zone register locking in zr_set_zone_serial_digest(). > > Zone register has to be locked against simultaneous writes. Ack > From ad51025a35efe47542f4379049c8e23d1054726c Mon Sep 17 00:00:00 2001 > From: Petr S

Re: [Freeipa-devel] [PATCH 0014] Improve user addition to default group in host-add

2012-09-26 Thread Tomas Babej
On 09/25/2012 12:37 PM, Tomas Babej wrote: Hi, On adding new user, host-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of this group due to automember rule or default group configured. This patch makes sure Already

[Freeipa-devel] [PATCH 0016] Adds port to connection error message in ipa-client-install

2012-09-26 Thread Tomas Babej
Hi, Connection error message in ipa-client-install now warns the user about the need of opening 389 port for directory server. https://fedorahosted.org/freeipa/ticket/2816 I think this can be pushed as a one-liner. Tomas From 0f4ad3917ecf8a9d290923c7fae0a55f4f8d2448 Mon Sep 17 00:00:00 2001 F

Re: [Freeipa-devel] [PATCH] 312 Use custom zonemgr for reverse zones

2012-09-26 Thread Martin Kosek
On 09/26/2012 01:38 PM, Petr Viktorin wrote: > On 09/25/2012 10:42 AM, Martin Kosek wrote: >> When DNS is being installed during ipa-{server,dns,replica}-install, >> forward and reverse zone is created. However, reverse zone was always >> created with default zonemgr even when a custom zonemgr was

Re: [Freeipa-devel] [PATCH] 312 Use custom zonemgr for reverse zones

2012-09-26 Thread Petr Viktorin
On 09/25/2012 10:42 AM, Martin Kosek wrote: When DNS is being installed during ipa-{server,dns,replica}-install, forward and reverse zone is created. However, reverse zone was always created with default zonemgr even when a custom zonemgr was passed to the installer as this functionality was miss

[Freeipa-devel] [PATCH 0070] Fix zone register locking in zr_set_zone_serial_digest()

2012-09-26 Thread Petr Spacek
Hello, Fix zone register locking in zr_set_zone_serial_digest(). Zone register has to be locked against simultaneous writes. -- Petr^2 Spacek From ad51025a35efe47542f4379049c8e23d1054726c Mon Sep 17 00:00:00 2001 From: Petr Spacek Date: Wed, 26 Sep 2012 12:51:06 +0200 Subject: [PATCH]

Re: [Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod

2012-09-26 Thread Martin Kosek
On 09/26/2012 12:32 PM, Petr Viktorin wrote: > On 09/26/2012 12:25 PM, Petr Viktorin wrote: >> >> I found strange behavior in validate_selinuxuser. Perhaps it's material >> for another ticket. This command passes validation: >> >> $ ./ipa config_mod >> --ipaselinuxusermapdefault=unconfined_u:s0-s0:

Re: [Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod

2012-09-26 Thread Petr Viktorin
On 09/26/2012 12:25 PM, Petr Viktorin wrote: I found strange behavior in validate_selinuxuser. Perhaps it's material for another ticket. This command passes validation: $ ./ipa config_mod --ipaselinuxusermapdefault=unconfined_u:s0-s0:c0.c1023 --ipaselinuxusermaporder='unconfined_u:s0-s0:c0.c102

Re: [Freeipa-devel] [PATCH] 313 Validate SELinux users in config-mod

2012-09-26 Thread Petr Viktorin
On 09/25/2012 01:54 PM, Martin Kosek wrote: config-mod is capable of changing default SELinux user map order and a default SELinux user. Validate the new config values to prevent bogus default SELinux users to be assigned to IPA users. https://fedorahosted.org/freeipa/ticket/2993 --- Note: I re

Re: [Freeipa-devel] [PATCH 0014] Improve user addition to default group in host-add

2012-09-26 Thread Petr Viktorin
On 09/25/2012 12:37 PM, Tomas Babej wrote: Hi, On adding new user, host-add tries to make it a member of default user group. This, however, can raise AlreadyGroupMember when the user is already member of this group due to automember rule or default group configured. This patch makes sure Already