Re: [Freeipa-devel] Kerberos over HTTPS (KDC proxy)

2015-05-29 Thread Adam Young
On 05/28/2015 01:29 AM, Jan Cholasta wrote: On 27.5.2015 at 15:51, Nathaniel McCallum wrote: On Wed, 2015-05-27 at 15:47 +0200, Jan Cholasta wrote: On 27.5.2015 at 15:43, Simo Sorce wrote: On Wed, 2015-05-27 at 13:57 +0200, Jan Cholasta wrote: ipa config-mod --enable-kdcproxy=TRUE

Re: [Freeipa-devel] [PATCH] Fixup fix for 4914

2015-05-29 Thread Milan Kubik
On 05/29/2015 06:03 PM, Simo Sorce wrote: New patch attached. Simo. Hi, thanks for the quick fix. With the patch applied, the server was able to install. ACK Thanks, Milan -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-d

Re: [Freeipa-devel] [PATCH] Fixup fix for 4914

2015-05-29 Thread Simo Sorce
New patch attached. Simo. -- Simo Sorce * Red Hat, Inc * New York From 90ea121ae8f82a1b6e754e17b38b272ec36cd148 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 29 May 2015 11:18:17 -0400 Subject: [PATCH] Add compatibility function for older libkrb5 Before krb5 1.13 the krb5_salttype_to_

Re: [Freeipa-devel] [PATCH] Fixup fix for 4914

2015-05-29 Thread Simo Sorce
On Fri, 2015-05-29 at 18:59 +0300, Alexander Bokovoy wrote: > On Fri, 29 May 2015, Simo Sorce wrote: > >The patches for ticket 4914 worked fine on Fedora 22 (and in general any > >system that was updated to krb5 1.13) however they fail in Fedora 21 and > >similar because of a bug in one of the libk

Re: [Freeipa-devel] [PATCH] Fixup fix for 4914

2015-05-29 Thread Alexander Bokovoy
On Fri, 29 May 2015, Simo Sorce wrote: The patches for ticket 4914 worked fine on Fedora 22 (and in general any system that was updated to krb5 1.13) however they fail in Fedora 21 and similar because of a bug in one of the libkrb5 functions used in the new code. The bug is fixed in 1.13 but not

[Freeipa-devel] [PATCH] Fixup fix for 4914

2015-05-29 Thread Simo Sorce
The patches for ticket 4914 worked fine on Fedora 22 (and in general any system that was updated to krb5 1.13) however they fail in Fedora 21 and similar because of a bug in one of the libkrb5 functions used in the new code. The bug is fixed in 1.13 but not in older versions as it causes side effec

Re: [Freeipa-devel] [PATCH] 0001 Provide Kerberos over HTTP (MS-KKDCP)

2015-05-29 Thread Christian Heimes
Changes since patch 1: - Further simplify krb ticket code Simo has pointed out that KRB5_CLIENT_KTNAME and MEMORY ccache are sufficient for the GSSAPI. http://k5wiki.kerberos.org/wiki/Projects/Keytab_initiation - switch is now in ipaConfigString=kdcProxyEnabled of cn=KDC,cn=$FQDN,cn=masters

[Freeipa-devel] [PATCH 0007] replica install fails with domain level 1

2015-05-29 Thread Ludwig Krispenz
This is a patch for the two issues reported in ticket #5035 https://fedorahosted.org/freeipa/ticket/5035 From 7039d965919a631ac12ac366848c5dfaab475fe1 Mon Sep 17 00:00:00 2001 From: Ludwig Krispenz Date: Fri, 29 May 2015 16:12:44 +0200 Subject: [PATCH] replica install fails with domain level 1

Re: [Freeipa-devel] Fix password changes via kadmin

2015-05-29 Thread Simo Sorce
On Fri, 2015-05-29 at 14:20 +0200, Milan Kubik wrote: > On 05/27/2015 04:50 PM, Martin Babinsky wrote: > > On 05/27/2015 04:33 PM, Martin Kosek wrote: > >> On 05/27/2015 03:55 PM, Alexander Bokovoy wrote: > >>> On Wed, 27 May 2015, Simo Sorce wrote: > On Wed, 2015-05-27 at 15:25 +0200, Martin

Re: [Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)

2015-05-29 Thread Sumit Bose
On Fri, May 29, 2015 at 12:54:13PM +0200, Martin Kosek wrote: > On 05/29/2015 12:33 PM, Sumit Bose wrote: > >On Fri, May 29, 2015 at 12:10:24PM +0200, Martin Kosek wrote: > >>On 05/29/2015 11:26 AM, Sumit Bose wrote: > >>>On Fri, May 29, 2015 at 10:38:41AM +0200, Martin Kosek wrote: > Hello all

Re: [Freeipa-devel] Fix password changes via kadmin

2015-05-29 Thread Milan Kubik
On 05/27/2015 04:50 PM, Martin Babinsky wrote: On 05/27/2015 04:33 PM, Martin Kosek wrote: On 05/27/2015 03:55 PM, Alexander Bokovoy wrote: On Wed, 27 May 2015, Simo Sorce wrote: On Wed, 2015-05-27 at 15:25 +0200, Martin Babinsky wrote: On 05/25/2015 10:48 AM, Martin Babinsky wrote: On 04/06

Re: [Freeipa-devel] [PATCH 429] replica-install: Allow install on top of already configured client

2015-05-29 Thread Martin Kosek
On 05/28/2015 03:35 PM, Jan Cholasta wrote: On 26.5.2015 at 17:49, Jan Cholasta wrote: On 20.5.2015 at 17:27, Jan Cholasta wrote: Hi, the attached patch implements the initial bits for . Test by running ipa-client-install and then ipa-replic

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-29 Thread Martin Kosek
On 05/29/2015 11:21 AM, Martin Basti wrote: On 29/05/15 06:17, Fraser Tweedale wrote: On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: On 28/05/15 11:48, Martin Basti wrote: On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: -

Re: [Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)

2015-05-29 Thread Martin Kosek
On 05/29/2015 12:33 PM, Sumit Bose wrote: On Fri, May 29, 2015 at 12:10:24PM +0200, Martin Kosek wrote: On 05/29/2015 11:26 AM, Sumit Bose wrote: On Fri, May 29, 2015 at 10:38:41AM +0200, Martin Kosek wrote: Hello all, I would like to discuss the scope needed for ticket 4905 [1]. This is most

Re: [Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)

2015-05-29 Thread Sumit Bose
On Fri, May 29, 2015 at 12:10:24PM +0200, Martin Kosek wrote: > On 05/29/2015 11:26 AM, Sumit Bose wrote: > >On Fri, May 29, 2015 at 10:38:41AM +0200, Martin Kosek wrote: > >>Hello all, > >> > >>I would like to discuss the scope needed for ticket 4905 [1]. This is mostly > >>a question for Sumit as h

Re: [Freeipa-devel] topology + domainlevels + testing

2015-05-29 Thread Oleg Fayans
Thank you! On 05/29/2015 12:20 PM, Martin Kosek wrote: > Done - I updated the template - there is a new "test_plan" attribute. > > On 05/29/2015 12:06 PM, Oleg Fayans wrote: >> Examples are >> 1. >> http://www.freeipa.org/page/V4/Manage_replication_topology >> http://www.freeipa.org/page/Www.freeipa

Re: [Freeipa-devel] topology + domainlevels + testing

2015-05-29 Thread Martin Kosek
Done - I updated the template - there is a new "test_plan" attribute. On 05/29/2015 12:06 PM, Oleg Fayans wrote: Examples are 1. http://www.freeipa.org/page/V4/Manage_replication_topology http://www.freeipa.org/page/Www.freeipa.org/page/V4/replication_topology/Test_plan I had to move that page t

Re: [Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)

2015-05-29 Thread Martin Kosek
On 05/29/2015 11:26 AM, Sumit Bose wrote: On Fri, May 29, 2015 at 10:38:41AM +0200, Martin Kosek wrote: Hello all, I would like to discuss the scope needed for ticket 4905 [1]. This is mostly a question for Sumit as he is working on the SSSD SC support. The main minimal target is to allow SSSD to ge

Re: [Freeipa-devel] topology* commands not exported through ipalib.api.Command

2015-05-29 Thread Martin Kosek
On 05/29/2015 12:06 PM, Oleg Fayans wrote: Hi Martin, Thanks for the clarification! On 05/29/2015 12:05 PM, Martin Kosek wrote: On 05/29/2015 12:01 PM, Oleg Fayans wrote: Hi Ludwig, Should topology plugin export its commands through ipalib.api? Currently when I import ipalib.api and inspect

Re: [Freeipa-devel] topology* commands not exported through ipalib.api.Command

2015-05-29 Thread Oleg Fayans
Hi Martin, Thanks for the clarification! On 05/29/2015 12:05 PM, Martin Kosek wrote: > On 05/29/2015 12:01 PM, Oleg Fayans wrote: >> Hi Ludwig, >> >> Should topology plugin export its commands through ipalib.api? >> Currently when I import ipalib.api and inspect available commands in >> api.Comm

Re: [Freeipa-devel] topology + domainlevels + testing

2015-05-29 Thread Oleg Fayans
Examples are 1. http://www.freeipa.org/page/V4/Manage_replication_topology http://www.freeipa.org/page/Www.freeipa.org/page/V4/replication_topology/Test_plan 2. http://www.freeipa.org/page/V4/User_Life-Cycle_Management http://www.freeipa.org/page/V4/User_Life-Cycle_Management/Test_Plan On 05/29/

Re: [Freeipa-devel] topology* commands not exported through ipalib.api.Command

2015-05-29 Thread Martin Kosek
On 05/29/2015 12:01 PM, Oleg Fayans wrote: Hi Ludwig, Should topology plugin export its commands through ipalib.api? Currently when I import ipalib.api and inspect available commands in api.Command, there are no topology-specific commands. The full list of commands currently exported through th

Re: [Freeipa-devel] topology + domainlevels + testing

2015-05-29 Thread Martin Kosek
On 05/29/2015 11:28 AM, Oleg Fayans wrote: Hi all, Is there already a separate testplan for Domain Levels feature? If not, should I probably take care of domainlevel-specific testcases in the scope of the Topology testplan, since these features are closely correlated right now? Another question

[Freeipa-devel] topology* commands not exported through ipalib.api.Command

2015-05-29 Thread Oleg Fayans
Hi Ludwig, Should topology plugin export its commands through ipalib.api? Currently when I import ipalib.api and inspect available commands in api.Command, there are no topology-specific commands. The full list of commands currently exported through the API is attached -- Oleg Fayans Quality En

Re: [Freeipa-devel] [PATCH 02261] Revert 389 DS BuildRequires version

2015-05-29 Thread Lukas Slebodnik
On (29/05/15 10:56), Ludwig Krispenz wrote: >Hi, > >the topology plugin relies on a change in DS to be able to mark replication >agreements, this fix is in master and will be in 1.3.3.11 (but I think it is >not yet out) Do you mean a built time dependency or run time dependency? Because I didn't ha

[Freeipa-devel] topology + domainlevels + testing

2015-05-29 Thread Oleg Fayans
Hi all, Is there already a separate testplan for Domain Levels feature? If not, should I probably take care of domainlevel-specific testcases in the scope of the Topology testplan, since these features are closely correlated right now? Another question: I think it could be a nice idea to have a s

Re: [Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)

2015-05-29 Thread Sumit Bose
On Fri, May 29, 2015 at 10:38:41AM +0200, Martin Kosek wrote: > Hello all, > > I would like to discuss the scope needed for ticket 4905 [1]. This is mostly > a question for Sumit as he is working on the SSSD SC support. The main minimal > target is to allow SSSD to get a ticket for a user once he authe

Re: [Freeipa-devel] [PATCHES 0001-0013 v5] Profiles and CA ACLs

2015-05-29 Thread Martin Basti
On 29/05/15 06:17, Fraser Tweedale wrote: On Thu, May 28, 2015 at 02:42:53PM +0200, Martin Basti wrote: On 28/05/15 11:48, Martin Basti wrote: On 27/05/15 16:04, Fraser Tweedale wrote: Hello all, Fresh certificate management patchset; Changelog: - Now depends on patch freeipa-ftweedal-0014 f

Re: [Freeipa-devel] Testing Migration

2015-05-29 Thread Martin Basti
On 28/05/15 21:47, Drew Erny wrote: Hi, freeipa-devel, More newbie questions. I have what I believe to be a fix for Ticket #2547 (https://fedorahosted.org/freeipa/ticket/2547) written, but I need to test this fix. I need to migrate an LDAP database that is in the previously expected for (all

Re: [Freeipa-devel] KDC proxy implementation specs

2015-05-29 Thread Christian Heimes
On 2015-05-29 08:07, Nathaniel McCallum wrote: > On Fri, 2015-05-29 at 08:02 +0200, Jan Cholasta wrote: >> On 28.5.2015 at 16:48, Nathaniel McCallum wrote: >>> On Thu, 2015-05-28 at 16:34 +0200, Christian Heimes wrote: Jan has suggested to ipaConfigString=kdcProxyEnabled in cn=KDC,cn=$

Re: [Freeipa-devel] [PATCH 02261] Revert 389 DS BuildRequires version

2015-05-29 Thread Ludwig Krispenz
Hi, the topology plugin relies on a change in DS to be able to mark replication agreements, this fix is in master and will be in 1.3.3.11 (but I think it is not yet out) Ludwig On 05/29/2015 10:33 AM, Martin Basti wrote: On 29/05/15 09:23, Lukas Slebodnik wrote: On (12/05/15 21:03), Martin

Re: [Freeipa-devel] [PATCH 02261] Revert 389 DS BuildRequires version

2015-05-29 Thread Lukas Slebodnik
On (29/05/15 10:33), Martin Basti wrote: >On 29/05/15 09:23, Lukas Slebodnik wrote: >>On (12/05/15 21:03), Martin Basti wrote: >>>On 12/05/15 18:23, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4921 To test this, the mkosek/freeipa-master copr repo with 389-ds-base 1.3.4

[Freeipa-devel] #4905: [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)

2015-05-29 Thread Martin Kosek
Hello all, I would like to discuss the scope needed for ticket 4905 [1]. This is mostly a question for Sumit as he is working on the SSSD SC support. The main minimal target is to allow SSSD to get a ticket for a user once he authenticates with his SC with certificates tracked in FreeIPA as agreed

Re: [Freeipa-devel] [PATCH 02261] Revert 389 DS BuildRequires version

2015-05-29 Thread Martin Basti
On 29/05/15 09:23, Lukas Slebodnik wrote: On (12/05/15 21:03), Martin Basti wrote: On 12/05/15 18:23, Martin Basti wrote: https://fedorahosted.org/freeipa/ticket/4921 To test this, the mkosek/freeipa-master copr repo with 389-ds-base 1.3.4.0 is needed. All previous changes to uniqueness plugi

[Freeipa-devel] Attention: ipa-server-install, ipa-replica-install and ipa-upgradeconfig code was moved

2015-05-29 Thread Jan Cholasta
Hi, the code of ipa-server-install, ipa-replica-install and ipa-upgradeconfig was moved to modules in ipaserver in these commits: * 027515230a93a7a60983d3eca26a97a0d9c3610e Server Upgrade: Move code from ipa-upgradeconfig to separate module * 5a7b153ad238ebdf8aa3c85fdf5c308640d8457b ins

Re: [Freeipa-devel] [PATCH 430-433] Move ipa-server-* into modules

2015-05-29 Thread Jan Cholasta
On 29.5.2015 at 09:52, Martin Basti wrote: On 28/05/15 16:28, Jan Cholasta wrote: Hi, the attached patches move ipa-server-install, ipa-replica-install and ipa-server-upgrade into modules. This is part of . Honza ACK Thanks. Pushed to maste

Re: [Freeipa-devel] [PATCH 430-433] Move ipa-server-* into modules

2015-05-29 Thread Martin Basti
On 28/05/15 16:28, Jan Cholasta wrote: Hi, the attached patches move ipa-server-install, ipa-replica-install and ipa-server-upgrade into modules. This is part of . Honza ACK -- Martin Basti

Re: [Freeipa-devel] Testing Migration

2015-05-29 Thread Martin Kosek
On 05/28/2015 09:47 PM, Drew Erny wrote: Hi, freeipa-devel, More newbie questions. I have what I believe to be a fix for Ticket #2547 (https://fedorahosted.org/freeipa/ticket/2547) written, but I need to test this fix. I need to migrate an LDAP database that is in the previously expected for (al

Re: [Freeipa-devel] [PATCH 0245] Fix uniqueness plugins vol. 2

2015-05-29 Thread Lukas Slebodnik
On (12/05/15 21:03), Martin Basti wrote: >On 12/05/15 18:23, Martin Basti wrote: >>https://fedorahosted.org/freeipa/ticket/4921 >> >>To test this, the mkosek/freeipa-master copr repo with 389-ds-base 1.3.4.0 >>is needed. >> >>All previous changes to uniqueness plugins were made just in master branc