Commits
local-user-data
Commits on Apr 16, 2017
-
csrgen: Run user prompts through gettext before displaying
Currently doesn't change anything because the strings are not translated. Need to find a way to include them in the translation files. https://fedorahosted.org/freeipa/ticket/4899
-
csrgen: Implement fields that prompt user for data
Allows some data to be user-specified rather than coming out of the database. The provided data can be formatted with jinja2 rules just as database values can. https://fedorahosted.org/freeipa/ticket/4899
Commits on Apr 12, 2017
-
added krb5kdc.log to pytest logging
KRB5KDC_LOG = '/var/log/krb5kdc.log' added to paths
host.collect_log(paths.KRB5KDC_LOG) added to tasks.py
Signed-off-by: Michal Reznik <mreznik@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
-
tox testing support for client wheel packages
Add tox infrastructure to test client wheel packages workflow:
* build client packages
* install client packages
* ipa-run-tests --ipaclient-unittests under Python 2 and 3
* pylint of client packages under Python 2 and 3
* placeholder packages work as expected
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
-
Fix CA-less to CA-full upgrade
CertDB would have always created a directory on initialization. This behavior changes here by replacing the truncate argument with create which will only create the database when really required. https://pagure.io/freeipa/issue/6853 Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
-
ipa-otpd.socket.in: Use a platform specific value for KDC service file
https://pagure.io/freeipa/issue/6845 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
-
replicainstall: better client install exception handling
The exception handling of client install inside replica installation was rather promiscuous, hungrily eating any possible exception thrown at it. Scoped down the try-except block and reduced its promiscuity. This change should improve the future development experience debugging this part of the code. https://pagure.io/freeipa/issue/6183 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-
Add the force-join option to replica install
When installing client from inside replica installation on DL1, it's possible that the client installation would fail and recommend using --force-join option which is not available in replica installer. Add the option there. https://pagure.io/freeipa/issue/6183 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>
-
Parallel make or flags like IPA_OMIT_INSTALL and IPA_SERVER_WHEELS could lead to bad packages for PyPI. Only build the packages we want with correct flags. Placeholder packages from 'make pypi_package' conflict with 'make wheel_bundle' packages. Use a separate destination directory for PyPI packages. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
-
Fixes https://pagure.io/freeipa/issue/6865 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-
Fixes: https://pagure.io/freeipa/issue/6863 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-
Replace hard-coded kdcproxy path with WSGI script
mod_wsgi has no way to import a WSGI module by dotted module name. A new kdcproxy.wsgi script is used to import kdcproxy from whatever Python version mod_wsgi is compiled against. This will simplify moving FreeIPA to Python 3 and solves an import problem on Debian. Resolves: https://pagure.io/freeipa/issue/6834 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com>
-
server-install: remove broken no-pkinit check
Don't check for the no-pkinit option in case a pkinit cert file was provided. Setting no-pkinit is prohibited in this case, so without this fix we have an impossible option check if we want to provide our own pkinit certificate and private key. https://pagure.io/freeipa/issue/6807 Reviewed-By: Martin Basti <mbasti@redhat.com>
-
Slots in HSM are not assigned statically, we have to choose the proper slot from the token label. SoftHSM 2.2.0 changed this behavior and now slots can change over time (it is allowed by the PKCS#11 standard).
Changelog:
* created method get_slot() that returns slot number from used label
* replaces usage of slot in __init__ method of P11_Helper with label
* slot is dynamically detected from token label before session is opened
* pkcs11-util --init-token now uses '--free' instead of '--slot', which uses the first free slot (we don't care about slot numbers anymore)
https://pagure.io/freeipa/issue/6692
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
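The lookup the commit describes, as an added example that is not FreeIPA's P11_Helper code: a slot is resolved from the token label every time a session is opened, so a renumbering between calls is handled, and a missing or duplicated label is reported instead of silently picking a wrong slot. `Pkcs11Lib` is a constructed stand-in for a real PKCS#11 wrapper (its two methods correspond to the C_GetSlotList and C_GetTokenInfo calls); the slot numbers and the label "ipaDNSSEC" are made up for the example.

```python
# Added example, not FreeIPA code. Pkcs11Lib is a constructed fake of the two
# PKCS#11 calls needed for the lookup; slot ids and labels are invented.


class Pkcs11Lib:
    """Fake library whose slot numbering may change between calls, which is
    what SoftHSM 2.2.0 does and what the PKCS#11 standard permits."""

    LABEL_LEN = 32  # C_GetTokenInfo returns a fixed-width, space-padded label

    def __init__(self, tokens):
        # tokens: {slot_id: token_label_or_None}; None means an empty slot
        self._tokens = dict(tokens)

    def get_slot_list(self, token_present=True):
        """Like C_GetSlotList: slot ids, optionally only those with a token."""
        return [s for s, lbl in sorted(self._tokens.items())
                if lbl is not None or not token_present]

    def get_token_info(self, slot):
        """Like C_GetTokenInfo: returns the space-padded label for a slot."""
        label = self._tokens.get(slot)
        if label is None:
            raise KeyError("no token in slot %d" % slot)
        return {"label": label.ljust(self.LABEL_LEN)}

    def renumber(self, tokens):
        """Simulate the HSM reassigning slot numbers (e.g. after a restart)."""
        self._tokens = dict(tokens)


class SlotNotFound(Exception):
    pass


class AmbiguousLabel(Exception):
    pass


def get_slot(lib, label):
    """Return the slot id whose token label equals `label`.

    The slot list is queried fresh on every call rather than cached, so a
    slot renumbering since the last lookup is picked up. Exact match on the
    stripped label: a prefix match could select a foreign token.
    """
    matches = []
    for slot in lib.get_slot_list(token_present=True):
        info = lib.get_token_info(slot)
        if info["label"].rstrip() == label:
            matches.append(slot)
    if not matches:
        raise SlotNotFound("no token with label %r" % label)
    if len(matches) > 1:
        raise AmbiguousLabel("label %r present in slots %r" % (label, matches))
    return matches[0]


def open_session(lib, label):
    """Resolve the slot by label immediately before opening the session."""
    slot = get_slot(lib, label)
    return {"slot": slot, "label": label}


if __name__ == "__main__":
    hsm = Pkcs11Lib({0: "ipaDNSSEC", 1: None})
    print(open_session(hsm, "ipaDNSSEC"))
    hsm.renumber({0: None, 5: "ipaDNSSEC"})  # hard-coded slot 0 would now be empty
    print(open_session(hsm, "ipaDNSSEC"))
```

With a real wrapper the fake's two methods are replaced by the library's slot-list and token-info calls; the rest of `get_slot` is unchanged.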
-
When ADtrust is installed we add a PAC to all tickets, during protocol transition we need to generate a new PAC for the requested user ticket, not check the existing PAC on the requestor ticket. https://pagure.io/freeipa/issue/6862 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Commits on Apr 11, 2017
-
Create system users for FreeIPA services during package installation
Previously system users needed by FreeIPA server services were created during ipa-server-install. This led to a problem when the DBus policy was configured during package installation but the user specified in the policy didn't exist yet (and potentially similar ones). Now the users will be created in the package %pre section so all users the freeipa-server package needs exist before any installation or configuration begins. Another possibility would be using systemd-sysusers(8) for this purpose but given that systemd is not available during container build the traditional approach is superior. Also dirsrv and pkiuser users are no longer created by FreeIPA; instead it depends on 389ds and dogtag to create those users. https://pagure.io/freeipa/issue/6743 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
David Kupka authored and Pavel Vomacka committed Apr 11, 2017
-
WebUI: cert login: Configure name of parameter used to pass username
Directive LookupUserByCertificateParamName tells mod_lookup_identity module the name of GET parameter that is used to provide username in case certificate is mapped to multiple user accounts. Without this directive login with certificate that's mapped to multiple users doesn't work. https://pagure.io/freeipa/issue/6860 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
David Kupka authored and Pavel Vomacka committed Apr 11, 2017
-
trust: always use oddjobd helper for fetching trust information
Since the introduction of privilege separation in the IPA framework none of the operations that require direct access to the framework's credentials can be done. All authentication has to be performed with GSSAPI. As a result, we cannot obtain a TGT for the HTTP/.. principal with kinit anymore, so it is better to re-route all types of trust to the oddjobd helper and get rid of casing out two-way trust. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366 Reviewed-By: Martin Basti <mbasti@redhat.com>
-
ipaserver/dcerpc: unify error processing
Samba error code reporting changes from version to version but we also did not provide proper input into the DCE RPC error processing method we have. Unify error processing and add a few more fallback entries. With Samba 4.7 we'll have to change it again because error code processing for Samba Python modules will change with the introduction of the samba.ntstatus and samba.werror modules. Note that this commit also changes the message returned for error code -1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is a more general one. Fixes https://pagure.io/freeipa/issue/6859 Reviewed-By: Martin Basti <mbasti@redhat.com>
-
Fix problem with hard-coded shebang in ipa command line tool by using a proper setuptools entry point for the console script. ipaclient is now an executable Python package, too.

```
$ python -m ipaclient ping
```

is equivalent to

```
$ ipa ping
```

Related: https://pagure.io/freeipa/issue/6653
Closes: https://pagure.io/freeipa/issue/6850
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
-
Remove surplus 'the' in output of ipa-adtrust-install
Fixing the typo https://pagure.io/freeipa/issue/6864 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Commits on Apr 7, 2017
-
renew agent, restart scripts: connect to LDAP after kinit
Connect to LDAP after kinit is done, otherwise GSSAPI authentication will fail. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Jan Cholasta authored and Martin Babinsky committed Apr 7, 2017
-
renew agent: revert to host keytab authentication
Fixes an issue where the renew agent uses GSSAPI for LDAP connection but fails because it is not authenticated. This reverts commit 7462ade. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Jan Cholasta authored and Martin Babinsky committed Apr 7, 2017
-
install: request service certs after host keytab is set up
The certmonger renew agent and restart scripts use host keytab for authentication. When they are executed during a certmonger request before the host keytab is set up, the authentication will fail. Make sure all certmonger requests in the installer are done after the host keytab is set up. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Jan Cholasta authored and Martin Babinsky committed Apr 7, 2017
-
dsinstance, httpinstance: consolidate certificate request code
A different code path is used for DS and httpd certificate requests in replica promotion. This is rather unnecessary and makes the certificate request code not easy to follow. Consolidate the non-promotion and promotion code paths into one. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Jan Cholasta authored and Martin Babinsky committed Apr 7, 2017
-
httpinstance: avoid httpd restart during certificate request
httpd is restarted by certmonger in the restart_httpd script after the httpd certificate is saved if it was previously running. The restart will fail because httpd is not properly configured at this point. Stop httpd at the beginning of httpd install to avoid the restart. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Jan Cholasta authored and Martin Babinsky committed Apr 7, 2017
-
dsinstance: reconnect ldap2 after DS is restarted by certmonger
DS is restarted by certmonger in the restart_dirsrv script after the DS certificate is saved. This breaks the ldap2 backend and makes any operation fail with NetworkError until it is reconnected. Reconnect ldap2 after the DS certificate request is finished to fix the issue. Make sure restart_dirsrv waits for the ldapi socket so that the reconnect does not fail. https://pagure.io/freeipa/issue/6757 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Jan Cholasta authored and Martin Babinsky committed Apr 7, 2017
-
tests: add non-reg for idrange-add
Add a non-regression test for issue 6404: when idrange-add is called with an empty dom-name, the command returns ipa: ERROR: an internal error has occurred https://pagure.io/freeipa/issue/6404 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
-
Upgrade: add gidnumber to trusted domain entry
The trusted domain entries created in earlier versions are missing gidnumber. During upgrade, a new plugin will read the gidnumber of the fallback group cn=Default SMB Group and add this value to trusted domain entries which do not have a gidNumber. https://pagure.io/freeipa/issue/6827 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-
ipa-sam: create the gidNumber attribute in the trusted domain entry
When a trusted domain entry is created, the uidNumber attribute is created but not the gidNumber attribute. This causes samba to log Failed to find a Unix account for DOM-AD$ because the samu structure does not contain a group_sid and is not put in the cache. The fix creates the gidNumber attribute in the trusted domain entry, and initialises the group_sid field in the samu structure returned by ldapsam_getsampwnam. This ensures that the entry is put in the cache. Note that this is only a partial fix for 6660 as it does not prevent _netr_ServerAuthenticate3 from failing with the log _netr_ServerAuthenticate3: netlogon_creds_server_check failed. Rejecting auth request from client VM-AD machine account dom-ad.example.com. https://pagure.io/freeipa/issue/6827 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Commits on Apr 6, 2017
-
collect audit.log for easier selinux investigation
The audit log contains useful information about SELinux issues. Reviewed-By: Milan Kubik <mkubik@redhat.com>
Commits on Apr 5, 2017
-
idrange-add: properly handle empty --dom-name option
When idrange-add is called with --dom-name=, the CLI exits with ipa: ERROR: an internal error has occurred. This happens because the code checks if the option is provided but does not check if the value is None. We need to handle an empty dom-name as if the option was not specified. https://pagure.io/freeipa/issue/6404 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
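The failure mode this commit describes, as an added example that is not FreeIPA's idrange code: a command handler that tests only whether an option key is present dereferences a `None` value when the option is given empty, the framework turns the uncaught exception into the generic internal error, and the corrected handler treats an empty value exactly like an absent option. `parse_args`, `add_idrange_buggy`, `add_idrange_fixed` and `run_command` are hypothetical stand-ins for the real option parser and the `idrange-add` command; the domain name in the usage lines is invented.

```python
# Added example, not FreeIPA code. The function names and the option parser
# are hypothetical stand-ins for the real command framework.


def parse_args(argv):
    """Tiny option parser: '--dom-name=AD' -> {'dom_name': 'AD'};
    '--dom-name=' -> {'dom_name': None}, mirroring a framework that
    normalises an empty option value to None but still records the key."""
    options = {}
    for arg in argv:
        key, sep, value = arg.partition("=")
        name = key.lstrip("-").replace("-", "_")
        options[name] = value if sep and value else None
    return options


def add_idrange_buggy(options):
    """Only checks that the key was supplied, then uses the value."""
    if "dom_name" in options:
        # options['dom_name'] is None for '--dom-name=' -> AttributeError
        return "trust-range:" + options["dom_name"].lower()
    return "local-range"


def add_idrange_fixed(options):
    """Checks the value: an empty or missing --dom-name means a local range."""
    dom_name = options.get("dom_name")
    if not dom_name:
        return "local-range"
    return "trust-range:" + dom_name.lower()


def run_command(handler, argv):
    """Framework-level wrapper: an unexpected exception in a command is
    reported to the user as the generic internal error, which is the symptom
    the commit message quotes."""
    try:
        return handler(parse_args(argv))
    except Exception:
        return "ipa: ERROR: an internal error has occurred"


if __name__ == "__main__":
    for argv in (["--dom-name=AD.EXAMPLE.TEST"], ["--dom-name="], []):
        print(argv, "buggy:", run_command(add_idrange_buggy, argv),
              "| fixed:", run_command(add_idrange_fixed, argv))
```

The general rule the fix applies: validate the value of an optional parameter, not the presence of its key, because CLI frameworks commonly pass an explicitly empty option through as `None`.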
-
If both the pki-tomcat NSS database and its password.conf have been created, don't try to override the password.conf file. https://pagure.io/freeipa/issue/6839 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
IPA-KDB: use relative path in ipa-certmap config snippet
Architecture-specific paths should be avoided in the global Kerberos configuration because it is read e.g. by 32-bit and 64-bit libraries that are installed in parallel. Resolves https://pagure.io/freeipa/issue/6833 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com>