[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 132 commits: Store HSM token and state

Timo Aaltonen gitlab at salsa.debian.org
Wed Nov 20 18:12:36 GMT 2019



Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa


Commits:
eb231392 by Christian Heimes at 2019-08-19T08:50:07Z
Store HSM token and state

The HSM state is stored in fstore, so that the CA and KRA installers use the
correct token names for internal certificates. The default token is
"internal", meaning the keys are stored in an NSSDB as usual.

Related: https://pagure.io/freeipa/issue/5608
Co-authored-by: Magnus K Karlsson <magnus-ka.karlsson at polisen.se>
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
3bb72545 by Sumit Bose at 2019-08-19T10:01:56Z
extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT

A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence,
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exist; otherwise the data of existing objects might be removed from
the cache of the clients, causing unexpected behaviour like
authentication errors.

Currently some code paths use LDAP_NO_SUCH_OBJECT as the default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout-related error codes will lead to
LDAP_TIMELIMIT_EXCEEDED, and LDAP_OPERATIONS_ERROR is used as the default
error code.

Fixes: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0ead6f59 by Alexander Bokovoy at 2019-08-19T10:01:56Z
ipa-extdom-extop: test timed out getgrgid_r

Simulate a getgrgid_r() timeout when packing the list of groups a user is a
member of in pack_ber_user().

Related: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d7f5e7b7 by Armando Neto at 2019-08-22T12:44:36Z
prci: Update box used in branch ipa-4-8

Replace the template box used, from ci-master-f30 to ci-ipa-4-8-f30.

This affects the cached packages since it's using the ipa-4-8 .spec file.

Based on the changes made in freeipa/freeipa-pr-ci#304.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bd181e34 by Alexander Bokovoy at 2019-08-22T12:44:36Z
Mark failing test as xfail for use of python-dns make_ds method

https://github.com/rthalley/dnspython/issues/343 documents broken use of
hashes in dns.dnssec.make_ds() and other python-dns methods. This is a
regression introduced with python-dns 1.16.

Mark the test as expecting to fail until python-dns is fixed in Fedora.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0010d07c by Michal Polovka at 2019-08-27T14:08:04Z
ipatests: Test for ipa-backup with ipa not configured

Added a test class for executing tests without the ipa server being
configured. This is achieved by not providing the topology attribute in the
test class. Subsequently implemented a test for PG6843 (ipa-backup does not
create a log file at /var/log/) by invoking the ipa-backup command with the
ipa server not configured and checking for the expected error code and the
presence of /var/log in the error message.

https://pagure.io/freeipa/issue/6843

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
abea98a9 by François Cami at 2019-08-29T06:45:12Z
ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time

Check that using ipa-client-install, ipa-client-automount --no-ssd, then uninstalling
both properly restores nsswitch.conf sequentially.

Related-to: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Critenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
2f0afeda by François Cami at 2019-08-29T06:45:12Z
ipa-client-automount: always restore nsswitch.conf at uninstall time

ipa-client-automount used to only restore nsswitch.conf when sssd was not
used. However, authselect's default profile is now sssd, so always restore
nsswitch.conf's automount configuration to 'files sssd'.
Note that the behavior seen before commit
a0e846f56c8de3b549d1d284087131da13135e34
would always restore nsswitch.conf to the previous state, which in some cases
was wrong.

Fixes: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Critenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
6e92776b by Rob Critenden at 2019-08-29T06:45:12Z
Move ipachangeconf from ipaclient.install to ipapython

This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Critenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
2da90887 by Rob Critenden at 2019-08-29T06:45:12Z
Use tasks to configure automount nsswitch settings

authselect doesn't allow one to directly write to
/etc/nsswitch.conf. It will complain bitterly if it
detects it and will refuse to work until reset.

Instead it wants the user to write to
/etc/authselect/user-nsswitch.conf and then it will handle
merging in any differences.

To complicate matters, some databases are not user configurable,
like passwd, group and, of course, automount. There are some
undocumented options to allow one to override these though, so
we utilize that.

Tasks are used so that authselect-based installations can still
write directly to /etc/nsswitch.conf and operate as they used to.

Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Critenden <rcritten at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
24b2d589 by sumenon at 2019-08-29T15:21:05Z
Added testcase to check capitalization fix while running ipa user-mod

1. This testcase checks that when the ipa user-mod command is run with capital letters,
there is no error shown in the console; instead the modifications for the first and last
name of the user are applied.

2. Adding tasks.kinit_admin since the test was being executed as a different user,
leading to a permission issue:
ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions

Issue: https://pagure.io/freeipa/issue/5879
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
26de3107 by Serhii Tsymbaliuk at 2019-08-29T20:21:02Z
WebUI tests: Fix login screen loading issue

test_webui/test_loginscreen fails because the login screen is rendered with delays.
To solve the issue, a small pause is added after login.

Ticket: https://pagure.io/freeipa/issue/8053

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
ffe9871e by François Cami at 2019-08-29T21:00:38Z
ipatests: remove xfail in TestIpaClientAutomountFileRestore

Remove xfail in TestIpaClientAutomountFileRestore to check the
associated bugfix.

Related-to: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
7343504f by François Cami at 2019-08-29T21:00:38Z
authconfig.py: restore user-nsswitch.conf at uninstall time

Calling authselect at uninstall time before restoring user-nsswitch.conf
would result in a sudoers entry in nsswitch.conf, which is not activated
in the default sssd authselect profile.
Make sure user-nsswitch.conf is restored before calling authselect.

Fixes: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
d1d0eb63 by François Cami at 2019-08-30T09:59:40Z
travis-ci: make dnf invocations more resilient

Travis-CI sometimes fails to download repository metadata or
packages. Change dnf configuration and invocation:
* activate dnf fastestmirror
* add more dnf retries
* invoke "dnf makecache" twice

Fixes: https://pagure.io/freeipa/issue/8048
Signed-off-by: François Cami <fcami at redhat.com>

- - - - -
11c720d6 by Florence Blanc-Renaud at 2019-08-30T10:31:33Z
ipatests: fix wrong xfail in test_domain_resolution_order

The test is written for an SSSD fix delivered in 2.2.0, but has an xfail
based on fedora version < 30.
SSSD 2.2.0 was originally available only on fedora 30 but is now also
available on fedora 29, and recent runs on f29 started to succeed
(because the fix is now present) but with a strict xfail.

The fix completely removes the xfail as the current branch is supported on
fedora 29 and 30.

Fixes: https://pagure.io/freeipa/issue/8052
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
3aca6548 by Michal Polovka at 2019-08-30T16:13:18Z
ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions

Topology for TestIpaNotConfigured is changed from ipaserver to
master_1repl in order to prevent the aforementioned test suite runner from
configuring ipa-server, which is required by the test itself.

Resolves: https://pagure.io/freeipa/issue/8055
Related: https://pagure.io/freeipa/issue/6843

- - - - -
5de091bd by Christian Heimes at 2019-09-02T15:39:25Z
Replace %{_libdir} macro in BuildRequires

The %{_libdir} macro is architecture dependent and therefore does not
work correctly across different platforms. In the past the SRPM was
created on a platform with /usr/lib64. Recent SRPMs have /usr/lib, which
breaks dnf builddep.

Depend on krb5-server directly rather than a file in krb5-server
package:

$ rpm -qf /usr/lib64/krb5/plugins/kdb/db2.so
krb5-server-1.16.1-25.fc29.x86_64

Fixes: https://pagure.io/freeipa/issue/8056
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
79b9d596 by François Cami at 2019-09-03T09:40:46Z
ipapython/ipachangeconf.py: change "is not 0" for "!= 0"

Python 3.8 introduced a warning to check for usage of "is not"
when comparing literals. Any such usage will output:
SyntaxWarning: "is not" with a literal. Did you mean "!="?
See: https://bugs.python.org/issue34850

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
129adb40 by Florence Blanc-Renaud at 2019-09-04T08:35:01Z
config plugin: replace 'is 0' with '== 0'

Since python3.8, identity checks with a literal produce syntax warnings.
Replace the check 'if .. is 0' with 'if .. == 0'.

Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
70302ab6 by Christian Heimes at 2019-09-04T12:41:55Z
Enable literal-comparison linter again

The literal comparison linter checks for "value is 0" or "value is ''".

Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4c17a9b9 by Christian Heimes at 2019-09-04T12:41:55Z
Fix wrong use of identity operation

Strings should not be compared with the identity operation 'is' or
'is not'.

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
576e2ce8 by Christian Heimes at 2019-09-04T12:41:55Z
Add new env vars to pylint plugin

The vars api.env.host_princ and smb_princ were introduced a while ago.
Sometimes parallel linting complains about the attributes. Add both to
the list of known members in pylint_plugins.py.

Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bb7025fd by Robbie Harwood at 2019-09-06T14:28:17Z
Log INFO message when LDAP connection fails on startup

Since krb5_klog_syslog() always needs parameters from syslog.h, move the
include into ipa_krb5.h.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
d9c2edb0 by Robbie Harwood at 2019-09-06T14:28:17Z
Fix NULL pointer dereference in maybe_require_preauth()

ipadb_get_global_config() is permitted to return NULL.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
5c5f5374 by Rob Crittenden at 2019-09-06T20:39:39Z
Defer initializing the API in dogtag-ipa-ca-renew-agent-submit

Wait until we know a supported operation is being called
(SUBMIT and POLL) before initializing the API, which can be
an expensive operation.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
a6286e60 by Rob Crittenden at 2019-09-06T20:39:39Z
Skip lock and fork in ipa-server-guard on unsupported ops

On startup certmonger performs a number of operations on the
configured CA (IPA, not to be confused with the real dogtag CA)
and the tracking requests.

Break early for operations that are not supported by ipa-submit.
This will save both a fork and a lock call.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
c14aa5d4 by Sergey Orlov at 2019-09-06T21:51:16Z
ipatests: allow passing additional options for client installation

Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
0b62616c by Sergey Orlov at 2019-09-06T21:51:16Z
ipatests: add utility functions related to using and managing user accounts

Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a45662ae by Sergey Orlov at 2019-09-06T21:51:16Z
ipatests: modify run_command to allow specifying successful return codes

Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a4839f67 by Sergey Orlov at 2019-09-06T21:51:16Z
ipatests: refactor and extend tests for IPA-Samba integration

Add tests for the following scenarios:
* running `ipa-client-samba --uninstall` without prior installation
* mount and access a Samba share by an IPA user
* mount and access a Samba share by an AD user
* mount a samba share by one IPA user and access it by another one
* try to mount a samba share without kerberos authentication
* uninstall and reinstall ipa-client-samba

Relates: https://pagure.io/freeipa/issue/3999
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4dcd1128 by Michal Polovka at 2019-09-10T11:28:33Z
ipatests: add tests for ipa host-add with non-default maxhostnamelength

Implement a test for ticket 2018: Change hostname length limit to 64.
The fix provides a new configuration parameter (maxhostname) that can be modified through ipa config-mod, and governs the max hostname length allowed through ipa host-add.
Add new tests:

    - check that maxhostname cannot be changed to a value < 64
    - check that ipa host-add is refused if the hostname length is > maxhostname
    - check that ipa host-add is OK if the hostname length is <= maxhostname

Related: https://pagure.io/freeipa/issue/2018

- - - - -
ed1c1626 by Alexander Bokovoy at 2019-09-11T09:21:59Z
adtrust: avoid using timestamp in klist output

When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.

Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
e1dad72f by Changmin Teng at 2019-09-11T09:23:47Z
Add new authentication indicators in kdc.conf.template

As of release 1.17, the KDC can be configured to apply authentication
indicators for SPAKE, PKINIT, and encrypted challenge preauth via a
FAST channel, which are not configured in the current version of freeIPA.

Note that even though the value of encrypted_challenge_indicator is
attached only when encrypted challenge preauth is performed along
a FAST channel, it's possible to perform FAST without encrypted
challenge by using SPAKE. Since there is no reason to force clients
not to use SPAKE while using FAST, we made a design choice to merge
SPAKE and FAST in a new option called "Hardened Password", which
requires the user to use at least one of SPAKE or a FAST channel. Hence
the same value is attached to both spake_preauth_indicator and
encrypted_challenge_indicator.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
67467f4f by Changmin Teng at 2019-09-11T09:23:47Z
Extend the list of supported pre-auth mechanisms in IPA server API

As new authentication indicators are implemented, we also modified the server
API to support those new values. Also, the "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
b2e540cb by Robbie Harwood at 2019-09-11T09:23:47Z
Enable krb5 snippet updates on client update

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
80be759f by Robbie Harwood at 2019-09-11T09:23:47Z
Move certauth configuration into a server krb5.conf template

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
3a8980f2 by Robbie Harwood at 2019-09-11T09:23:47Z
Add a skeleton kdcpolicy plugin

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
76d1f944 by Changmin Teng at 2019-09-11T09:23:47Z
Implement user pre-authentication control with kdcpolicy plugin

We created a Kerberos kdcpolicy plugin to enforce user
pre-authentication policy for the newly added pkinit and hardened policies.

In past versions of freeIPA, password enforcement existed but was done
by removing key data for a principal while parsing the LDAP entry for it.
This hack is also removed and is now enforced by the kdcpolicy plugin
instead.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
3e42d747 by Changmin Teng at 2019-09-11T09:23:47Z
Modify webUI to adhere to new IPA server API

Given the changes in the IPA server API, the WebUI is modified to
utilize the new authentication indicators, and custom indicators are
disabled for the services' white list.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
027e30db by Changmin Teng at 2019-09-11T09:23:47Z
Add design document

This document details authentication indicators and Kerberos ticket
policies implemented in IPA.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Robbie Harwood <rharwood at redhat.com>

- - - - -
f98c9f2d by Christian Heimes at 2019-09-11T16:22:43Z
Fix ca_initialize_hsm_state

Fixup for commit eb2313920e20bb4a74fc0abc52c496ccf2822dab.
configparser's set() method does not convert boolean to string
automatically. Use string '"False"', which is then interpreted as
boolean 'False' by getboolean().

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a8703cd4 by Serhii Tsymbaliuk at 2019-09-12T08:30:53Z
WebUI: Make 'Unlock' option available only on locked user page

The implementation includes checking the password policy for the selected user.
The 'Unlock' option is available only in case the user has reached the limit of login failures.

Ticket: https://pagure.io/freeipa/issue/5062
Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
51723c73 by Tomas Halman at 2019-09-12T09:15:44Z
extdom: plugin doesn't allow @ in group name

The old implementation handles usernames and group names with
one common call. The character @ is used in the call to detect a UPN.

A group name can legally contain this character and therefore the
common approach doesn't work in such a case.

Also, the original call is less efficient because it always tries to resolve
the username first and then falls back to group resolution.

Here we implement two new separate calls for resolving users and
groups.

Fixes: https://bugzilla.redhat.com/1746951
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9253c18b by Tomas Halman at 2019-09-12T09:15:44Z
extdom: plugin doesn't use timeout in blocking call

Expose the nss timeout parameter. Use sss_nss_getorigbyname_timeout
instead of sss_nss_getorigbyname.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d8a6b21d by Tomas Halman at 2019-09-12T09:15:44Z
extdom: use sss_nss_*_timeout calls

Use nss calls with a timeout in the extdom plugin.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
13a37fb4 by Tomas Halman at 2019-09-12T09:15:44Z
extdom: add extdom protocol documentation

Add the description of the extdom protocol and its versions.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
79458ee6 by Francisco Trivino at 2019-09-13T07:29:34Z
prci: increase gating tasks priority

Sometimes the gating tasks (build and jobs) are blocked because remaining
nightly regression tasks are in progress. The reason is that nightly
regressions are not finished or they are re-triggered during daytime.
Gating tasks are blocked because they have the same priority as nightly tasks.

This commit increases the gating tasks' priority so the testing of pull requests
will not be blocked anymore.

Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
0deea83e by Alexander Bokovoy at 2019-09-13T07:34:35Z
add default access control when migrating trust objects

It looks like in some cases we do not have properly set up keytab
retrieval configuration in the old trusted domain object. This mostly
affects two-way trust cases. In such cases, create the default configuration
as ipasam would have created when the trust was established.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b32510d6 by Alexander Bokovoy at 2019-09-13T07:34:35Z
adtrust: add default read_keys permission for TDO objects

If a trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys
attribute values, it cannot be used by SSSD to retrieve TDO keys and the
whole communication with Active Directory domain controllers will not be
possible.

This seems to affect trusts which were created before
ipaAllowedToPerform;read_keys permission granting was introduced
(FreeIPA 4.2). Add back the default setting for the permissions, which
grants access to trust agents and trust admins.

Resolves: https://pagure.io/freeipa/issue/8067

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f2fb2208 by ndehadra at 2019-09-13T16:13:32Z
Hidden Replica: Add a test for Automatic CRL configuration

Added a test to check whether a hidden replica can be configured
as the CRL generation master.

Related Tickets:
https://pagure.io/freeipa/issue/7307

Signed-off-by: ndehadra <ndehadra at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0b2ed9c4 by Tibor Dudlák at 2019-09-16T14:07:31Z
Add container environment check to replicainstall

Inside the container environment the master's IP address
does not resolve to its name.

Resolves: https://pagure.io/freeipa/issue/6210
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
919240bc by Serhii Tsymbaliuk at 2019-09-17T11:28:18Z
WebUI: Fix changing category on HBAC/Sudo/etc Rule pages

No object can be added to a rule when the object category is 'all'.
So while editing a rule, the actual category value needs to be saved
before adding related objects.

Ticket: https://pagure.io/freeipa/issue/7961

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
850500c9 by Serhii Tsymbaliuk at 2019-09-17T23:43:13Z
WebUI: Fix new test initialization on "HBAC Test" page

"New Test" action cleared only information about selected options but kept
radio buttons checked. It confused users and caused an error on the validation step.

New behaviour is:
- tables forget all selected values after "New Test" click;
- the first table record is checked initially in case the option is mandatory;
- all records are unchecked initially in case the option is not mandatory.

Ticket: https://pagure.io/freeipa/issue/8031

Signed-off-by: Serhii Tsymbaliuk <stsymbal at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
a2da6652 by Sergey Orlov at 2019-09-19T11:53:55Z
ipatests: add new utilities for file management

Added utilities for working with remote hosts
* backup and restore files
* modify .ini files
* check if selinux is enabled

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9431c642 by Sergey Orlov at 2019-09-19T11:53:55Z
ipatests: refactoring: use library function to check if selinux is enabled

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5a1ad735 by Sergey Orlov at 2019-09-19T11:53:55Z
ipatests: add tests for cached_auth_timeout in sssd.conf

The tests check that auth cache
* is disabled by default
* is working when enabled
* expires after specified time
* is inherited by trusted domain

Related to: https://bugzilla.redhat.com/1685581

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f2627629 by Rob Crittenden at 2019-09-19T19:16:35Z
Don't log host passwords when they are set/modified

The host password was defined as a Str type so would be
logged in cleartext in the Apache log.

A new class, HostPassword, was defined to only override
safe_value() so it always returns an obfuscated value.

The Password class cannot be used because it has special treatment
in the frontend to manage prompting and specifically doesn't
allow a value to be passed into it. This breaks backwards
compatibility with older clients. Since this class is derived
from Str old clients treat it as a plain string value.

This also removes the search option from passwords.

https://pagure.io/freeipa/issue/8017

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8e87e654 by Rob Crittenden at 2019-09-19T19:18:30Z
Re-order tasks.restore_pkcs11_modules() to run earlier

It was executed after restore_all_files(), so PKCS11_MODULES was
already restored and that part was a no-op, but the redhat
restore_pkcs11_modules() also calls unlink() on each restored
file, so basically the file would be restored, unlinked, and then,
since it was already restored, skipped.

By moving the call to restore_pkcs11_modules() earlier it can
do the expected restoration properly.

https://pagure.io/freeipa/issue/8034

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
f3814e61 by Alexandre Mulatinho at 2019-09-19T19:20:08Z
ipa-scripts: fix all ipa command line scripts to operate with -I

Replacing the -E flag with -I on all ipa python scripts except tests.

Signed-off-by: Alexandre Mulatinho <alex at mulatinho.net>
Related: https://pagure.io/freeipa/issue/7987
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
1b1e7196 by Anuja More at 2019-09-20T08:48:48Z
Extdom plugin should not return error (32)/'No such object'

Regression test for https://pagure.io/freeipa/issue/8044

If there is a timeout during a request to SSSD the extdom plugin
should not return error 'No such object' and the existing
user should not be added to negative cache on the client.

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
c4fca825 by Rob Crittenden at 2019-09-20T17:11:46Z
Report if a certmonger CA is missing

If a certmonger CA is not defined but is referenced within
a request (so was removed sometime after a request was
created) then anything that pulls all certmonger requests would
fail with the cryptic error:

"Failed to get request: bus, object_path and dbus_interface
must not be None."

This was often seen during upgrades.

Catch this specific condition and report a more specific error
so the user will have some bread crumb to know how to address
the issue.

https://pagure.io/freeipa/issue/7870

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
3323913d by Rafael Guterres Jeffman at 2019-09-20T17:13:43Z
Re-add function façades removed by commit 2da9088.

ansible-freeipa breaks if these functions do not exist, so they will be
added back and marked as deprecated.

Related Tickets:
https://pagure.io/freeipa/issue/8062

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8b3d5b05 by Robbie Harwood at 2019-09-23T07:03:56Z
Fix segfault in ipadb_parse_ldap_entry()

lcontext may be NULL here, probably due to a restarted 389ds.  Based on
a patch by Rob Crittenden.

Signed-off-by: Robbie Harwood <rharwood at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ebec637a by Florence Blanc-Renaud at 2019-09-23T07:06:05Z
ipa-backup: backup the PKCS module config files setup by IPA

ipa installer creates /etc/pkcs11/modules/softhsm2.module in order
to disable global p11-kit configuration for NSS.
This file was not included in the backups, and not restored.

The fix adds the file to the list of files to include in a backup.

Fixes: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
71c09ad5 by Florence Blanc-Renaud at 2019-09-23T07:06:05Z
ipatests: ensure that backup/restore restores pkcs 11 modules config file

In the test_backup_and_restore, add a new test:
- before backup, save the content of /etc/pkcs11/modules/softhsm2.module
- after restore, ensure the file is present with the same content.

Related: https://pagure.io/freeipa/issue/8073
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
966e0b8c by Rob Crittenden at 2019-09-23T17:32:08Z
ipa-restore: Restore ownership and perms on 389-ds log directory

Previously it would end up being owned by root:root mode 0755
instead of dirsrv:dirsrv mode 0770.

https://pagure.io/freeipa/issue/7725

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
c845ef07 by Florence Blanc-Renaud at 2019-09-23T17:50:05Z
replica install: enforce --server arg

When the --server option is provided to ipa-replica-install (1-step
install), make sure that the server offers all the required roles
(CA, KRA). If it's not the case, refuse the installation.

Note that the --server option is ignored when promoting from client to
replica (2-step install with ipa-client-install and ipa-replica-install),
meaning that the existing behavior is not changed in this use case:
by default the host specified in default.conf as server is used for
enrollment, but if it does not provide a required role, another host can
be picked for CA or KRA setup.

Fixes: https://pagure.io/freeipa/issue/7566
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
a733fec3 by Stanislav Levin at 2019-09-25T12:23:10Z
Fixed errors newly exposed by pylint 2.4.0

Newest Pylint introduced additional checks [1]:

- import-outside-toplevel [2]

> This check warns when modules are imported from places other
than a module toplevel, e.g. inside a function or a class.

- no-else-continue [3]

> These checks highlight unnecessary else and elif blocks after
break and continue statements.

- unnecessary-comprehension [4]

> This check is emitted when pylint finds list-, set- or
dict-comprehensions, that are unnecessary and can be rewritten
with the list-, set- or dict-constructors.

[1] https://github.com/PyCQA/pylint/blob/pylint-2.4.0/doc/whatsnew/2.4.rst
[2] https://github.com/PyCQA/pylint/issues/3067
[3] https://github.com/PyCQA/pylint/issues/2327
[4] https://github.com/PyCQA/pylint/issues/2905

Fixes: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
7f5b826e by Stanislav Levin at 2019-09-25T12:23:10Z
Setup DNS for AP Docker container

Docker utilizes its own way to provide DNS (hostname, hosts, NS).
By default, they are almost the same as the host's ones.
For instance, below is from AP container:
```
cat /etc/hosts

127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.2	ipa.example.test ipa

cat /etc/resolv.conf
nameserver 168.63.129.16
search hqdv2iuiph0ufpcrhp4amkgzwf.fx.internal.cloudapp.net
```

As a result FreeIPA uses 168.63.129.16 (AP DNS NS [1]) as a DNS forwarder.
It's not desirable to rely on this.
Let's clear test environment.

[1] https://docs.microsoft.com/en-us/azure/virtual-network/what-is-ip-address-168-63-129-16

Related: https://pagure.io/freeipa/issue/8077
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f709ca97 by Rob Crittenden at 2019-09-25T17:37:58Z
Disable dogtag cert publishing

Dogtag had only one switch, ca.publish.enable, for both CRLs and certs.

Since cert publishing is not used in IPA it should be disabled to
avoid false positives in the logs.

https://pagure.io/freeipa/issue/7522

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3098b67c by Christian Heimes at 2019-09-25T17:44:48Z
Don't create log files from help scripts

Helper scripts now use api.bootstrap(log=None) to avoid the creation of
log files. Helper scripts are typically executed from daemons which
perform their own logging. The helpers still log to stderr/stdout.

This also gets rid of some SELinux AVCs when the script tries to write
to /root/.ipa/.

Fixes: https://pagure.io/freeipa/issue/8075
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a305f674 by Fraser Tweedale at 2019-09-26T02:47:54Z
IPASecStore: support extra key arguments

To support lightweight CA key replication using AES, while retaining
backwards compatibility with old servers, it is necessary to signal
support for AES.  Whereas we currently request a key with the path:

  /keys/ca_wrapped/<nickname>

and whereas paths with > 3 components are unsupported, add support
for handlers to signal that they support extra arguments (defaulting
to False), those arguments being conveyed as additional path
components, e.g.:

  # 2.16.840.1.101.3.4.1.2 = aes128-cbc
  /keys/ca_wrapped/<nickname>/2.16.840.1.101.3.4.1.2

This commit only adds the Custodia support for extra handler
arguments.  Work to support LWCA key replication with AES wrapping
will continue in subsequent commits.

Part of: https://pagure.io/freeipa/issue/8020

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
979f25c5 by Fraser Tweedale at 2019-09-26T02:47:54Z
NSSWrappedCertDB: accept optional symmetric algorithm

Add support for Custodia ca_wrapped clients to specify the desired
symmetric encryption algorithm for exporting the wrapped signing key
(this mechanism is used for LWCA key replication).  If not
specified, we must assume that the client has an older Dogtag
version that can only import keys wrapped with DES-EDE3-CBC
encryption.

The selected algorithm gets passed to the 'nsswrappedcert' handler,
which in turn passes it to the 'pki ca-authority-key-export' command
(which is part of Dogtag).

Client-side changes will occur in a subsequent commit.

Part of: https://pagure.io/freeipa/issue/8020

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
abc28bec by Fraser Tweedale at 2019-09-26T02:47:54Z
ipa-pki-retrieve-key: request AES encryption (with fallback)

Update the ipa-pki-retrieve-key client to issue a request that
specifies that AES encryption should be used.  If the server
responds 404, fall back to a request *without* an algorithm
parameter.  This handles both of the possible 404 scenarios:

a) It is an old server that does not support extra Custodia key
   parameters;

b) The server supports extra parameters but the key does not exist,
   in which case the fallback request will also fail with 404.

Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
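The request-then-fallback flow described in the three Custodia commits above, as an added example that is not FreeIPA's ipa-pki-retrieve-key code. The `fetch(path) -> (status, body)` callable, the fake servers and the key nickname are constructed assumptions; the path layout and the aes128-cbc OID are the ones the commit messages give.

```python
"""Wrapped-key retrieval with AES request and legacy fallback on 404.

Added example, not FreeIPA's own client. It models the two 404 cases
from the commit: an old server that rejects paths with more than three
components, and a new server where the key simply does not exist.
"""

AES128_CBC_OID = "2.16.840.1.101.3.4.1.2"  # aes128-cbc, from the commit text
LEGACY_ALG = "DES-EDE3-CBC"                # what an old Dogtag can import


class KeyNotFound(Exception):
    """Raised when both the AES and the fallback request return 404."""


def retrieve_wrapped_key(fetch, nickname):
    """Ask for an AES-wrapped key first; on 404 retry without the
    algorithm component. Returns (algorithm, body).

    fetch(path) -> (status, body) is an assumed transport callable.
    """
    status, body = fetch(f"/keys/ca_wrapped/{nickname}/{AES128_CBC_OID}")
    if status == 200:
        return AES128_CBC_OID, body
    if status != 404:
        raise RuntimeError(f"unexpected status {status} for AES request")
    # Either an old server (no extra key arguments) or a missing key:
    # both look the same from here, so fall back to the plain path.
    status, body = fetch(f"/keys/ca_wrapped/{nickname}")
    if status == 200:
        return LEGACY_ALG, body
    if status == 404:
        raise KeyNotFound(nickname)
    raise RuntimeError(f"unexpected status {status} for fallback request")


def make_server(keys, extra_args_supported):
    """Constructed fake of the server side (not Custodia itself).

    keys: mapping nickname -> wrapped key material (constructed strings).
    extra_args_supported: False models an old server where any path with
    more than three components is unknown and answered with 404.
    """
    def fetch(path):
        parts = path.strip("/").split("/")
        if len(parts) > 3 and not extra_args_supported:
            return 404, None
        if parts[:2] != ["keys", "ca_wrapped"] or len(parts) > 4:
            return 404, None
        nickname = parts[2]
        if nickname not in keys:
            return 404, None
        # A fourth component selects the symmetric algorithm; without it
        # the server must assume the legacy DES-EDE3-CBC wrapping.
        alg = parts[3] if len(parts) == 4 else LEGACY_ALG
        return 200, f"{alg}:{keys[nickname]}"
    return fetch
```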
af5f2b84 by Fraser Tweedale at 2019-09-26T02:47:54Z
Bump Dogtag min version to 10.7.3

Dogtag 10.7.3 adds AES support for key export, enabling lightweight
CA key replication to use AES.  Bump the Requires min version.

Fixes: https://pagure.io/freeipa/issue/8020
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
624144de by Florence Blanc-Renaud at 2019-10-01T14:32:46Z
ipa user_add: do not check group if UPG is disabled

The UPG plugin is used to create a user private group when a new
IPA user is created, with the same name as the user. When this plugin
is enabled, the user creation must ensure that no group exists with
the same name.

When the UPG plugin is disabled, or when the user is created with the
--noprivate option, there is no need to perform this check as the
private group will not get created.

Currently, the --noprivate option correctly skips the test, but a
disabled UPG plugin does not skip the test. The fix ensures that
UPG plugin status is checked.

Fixes: https://pagure.io/freeipa/issue/4972
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
482ee74d by Florence Blanc-Renaud at 2019-10-01T14:32:46Z
ipatests: add XMLRPC test for user-add when UPG plugin is disabled

Add a new XMLRPC test in test_user_plugin:
- disable the UPG plugin
- create a user without the --gid parameter
  as the default group for new users is not POSIX (ipausers), the
  command is expected to fail
- create a user with the --gid parameter
  The provided gid is used and command is expected to succeed
- create a user with the same name as an existing group
  As the UPG plugin is disabled, the user creation will not trigger
  the creation of a group with the same name, and command is
  expected to succeed
- re-enable the UPG plugin for other tests

Related to: https://pagure.io/freeipa/issue/4972

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ebb6e5df by Rafael Guterres Jeffman at 2019-10-01T14:36:28Z
Removes rpmlint warning on freeipa.spec.

This patch removes a warning due to mixed usage of spaces and tabs
in freeipa.spec.in file.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
07d318d0 by Rafael Guterres Jeffman at 2019-10-01T14:36:28Z
Removes several pylint warnings.

This patch removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9d75f829 by Rafael Guterres Jeffman at 2019-10-01T14:36:28Z
Removed unnecessary imports after code review.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
f022674f by Rafael Guterres Jeffman at 2019-10-01T14:36:28Z
Removes several pylint warnings.

This patch removes 93 pylint deprecation warnings due to invalid escape
sequences (mostly 'invalid escape sequence \d') on unicode strings.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
56b736b8 by Rafael Guterres Jeffman at 2019-10-01T14:36:28Z
Removed unnecessary imports after code review.

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
c793c681 by Rafael Guterres Jeffman at 2019-10-01T14:36:28Z
Fixes pylint errors introduced by version 2.4.0.

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
3f98406b by Alexander Bokovoy at 2019-10-01T20:58:47Z
Add local helpers to handle unixid structure

Samba did remove unixid_from_*() helpers in the upstream commit
c906153cc7af21abe508ddd30c447642327d6a5d (Samba 4.11). Since they are
very simple, make a local copy instead.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1757089
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b24feb41 by Florence Blanc-Renaud at 2019-10-02T13:22:15Z
ipatests: fix test_replica_promotion.py::TestHiddenReplicaPromotion

The test test_replica_promotion.py::TestHiddenReplicaPromotion randomly
fails in nightly_f29.

The test is checking that a given IP address is not in the DNS records
for the domain. When we are unlucky, we may come up with the following
situation:
- IP address that is unexpected: 192.168.121.25
- IP address that is found for the DNS record: 192.168.121.254

As 192.168.121.25 is a substring of 192.168.121.254, the test wrongly considers that the unexpected address was found.
Extract of the log:
    for host in hosts_unexpected:
        value = host.hostname if rtype == 'SRV' else host.ip
>       assert value not in txt
E       AssertionError: assert '192.168.121.25' not in 'ipa-ca.ipa.test. 1 IN A 192.168.121.254'
E         '192.168.121.25' is contained here:
E           ipa-ca.ipa.test. 1 IN A 192.168.121.254
E         ?                         ++++++++++++++

This happens because the test is comparing the content of the output as a
string. The fix is extracting the exact hostname/IP address from the
record instead.

Fixes: https://pagure.io/freeipa/issue/8070
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
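The substring pitfall from the commit above, as an added example that is not FreeIPA's test code: the record lines are constructed to reproduce the failure (192.168.121.25 is a prefix of 192.168.121.254), and the parsed comparison is the kind of exact check the fix describes.

```python
"""Naive substring check vs. exact match on parsed DNS records.

Added example, not FreeIPA's test_replica_promotion.py. DIG_OUTPUT is a
constructed sample in the "name ttl IN type rdata" layout shown in the
commit's log extract.
"""
import re

# Constructed sample output; the first A record is the one that fooled
# the substring check, the SRV record shows the hostname case.
DIG_OUTPUT = """\
ipa-ca.ipa.test. 1 IN A 192.168.121.254
ipa-ca.ipa.test. 1 IN A 192.168.121.26
_kerberos._tcp.ipa.test. 86400 IN SRV 0 100 88 replica1.ipa.test.
"""

# name, ttl, class, type, rdata
_RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(A|AAAA|SRV)\s+(.*)$")


def parse_records(text):
    """Return [(rtype, value)] where value is the address for A/AAAA
    records and the target hostname for SRV records."""
    records = []
    for line in text.splitlines():
        m = _RECORD_RE.match(line.strip())
        if not m:
            continue  # blank line, comment, or a type we do not track
        rtype, rdata = m.group(3), m.group(4).split()
        if rtype == "SRV":
            # SRV rdata is: priority weight port target
            value = rdata[3]
        else:
            value = rdata[0]
        records.append((rtype, value))
    return records


def naive_found(text, value):
    """The buggy check: a plain substring test on the raw output."""
    return value in text


def exact_found(text, rtype, value):
    """The corrected check: compare against whole parsed record values."""
    return any(t == rtype and v == value for t, v in parse_records(text))
```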
940e2ef9 by Mohammad Rizwan Yusuf at 2019-10-02T13:27:08Z
Check file ownership and permission for dirsrv log instance

Check if file ownership and permission is set to dirsrv:dirsrv
and 770 on /var/log/dirsrv/slapd-<instance> after ipa-restore.

related ticket: https://pagure.io/freeipa/issue/7725

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
2c7ad3c3 by Armando Neto at 2019-10-03T12:02:04Z
prci: increase timeout for jobs that required AD

Vagrant retries provisioning hosts if something happens; this was introduced
in PR-CI after https://github.com/freeipa/freeipa-pr-ci/commit/380c8b8c78a1ce277b7c1a327bda9d123c117c4d.

This takes time, some jobs are killed during test execution, so this
increases the time-out parameter from 1 hour and 20 minutes to 2 hours.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
8704fb0f by Rob Crittenden at 2019-10-07T06:15:57Z
Replace replication_wait_timeout with certmonger_wait_timeout

The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmonger requests to fail due to timeouts.

Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
c61a3277 by Rob Crittenden at 2019-10-07T06:15:57Z
Log the replication wait timeout for debugging purposes

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
02ff41dc by Rob Crittenden at 2019-10-07T06:15:57Z
Log dogtag auth timeout in install, provide hint to increase it

There is a loop which keeps trying to bind as the admin user
which will fail until it is replicated.

In the case where there is a lot to replicate the default
5 minute timeout may be insufficient. Provide a hint for
tuning.

Fixes: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e10c8968 by Rob Crittenden at 2019-10-07T06:15:57Z
Add missing timeout option to logging statement

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3067632f by Sergey Orlov at 2019-10-14T08:00:33Z
ipatests: fix DNS forwarders setup for AD trust tests with non-root domains

The tests are failing to establish trust with AD subdomain and tree domain
controllers. This happens because IPA server needs to contact root domain
controller to fetch domain-wide UPN suffixes but can not do it because we
set up DNS forwarding only for the domains with which we try to establish
trust.
To establish trust with an AD subdomain we now set up a forwarder for the root AD
domain, and to establish trust with an AD tree domain -- two forwarders:
one for the root domain and another one for the tree domain.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b6134e86 by Mohammad Rizwan Yusuf at 2019-10-14T08:50:01Z
Installation of replica against a specific server

Test to check replica install against a specific server. It uses master and
replica1 without CA and with the custodia service stopped. It then tries to
install replica2 from replica1 and expects it to fail, as the specified server
is not providing all the services.

related ticket: https://pagure.io/freeipa/issue/7566

Signed-off-by: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b585e58b by Mohammad Rizwan Yusuf at 2019-10-14T08:50:01Z
Add test to nightly yamls.

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

Conflicts:
	ipatests/prci_definitions/nightly_f29.yaml
	ipatests/prci_definitions/nightly_master_testing.yaml
	ipatests/prci_definitions/nightly_rawhide.yaml

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8f8e4508 by François Cami at 2019-10-16T10:17:46Z
ipa_client_automount.py: fix typo (idmap.conf => idmapd.conf)

660c49 introduced --idmap-domain which sets the Domain option in
idmapd.conf. However the help message for that knob mentioned
idmap.conf which is wrong. Fix that.
Reported by Marc Muehlfeld <mmuehlfe at redhat.com>.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
c73000e0 by François Cami at 2019-10-17T06:32:33Z
ipatests: temporarily remove test_smb from gating

test_smb is now failing in a repeatable way due to CI infrastructure
issues. Temporarily remove it until this is fixed.

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
94b4c25b by Florence Blanc-Renaud at 2019-10-17T10:15:20Z
ipa-server-certinstall manpage: add missing options

Some options were not documented in the man page:
--version
-h, --help
-p DIRMAN_PASSWD (but the long name --dirman-password is in the man page)
-v, --verbose
-q, --quiet
--log-file=FILE

Fixes: https://pagure.io/freeipa/issue/8086
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4c24d013 by Florence Blanc-Renaud at 2019-10-17T10:20:47Z
ipa-backup: fix python2 issue with os.mkdir

Python2 and python3 have different interfaces for os.mkdir:
python2: os.mkdir(path[, mode])
python3: os.mkdir(path, mode=0o777, *, dir_fd=None)

ipa-backup is using the python3 format, which breaks deployments using
python2. The fix consists of using os.mkdir(path, 0o700) instead of
os.mkdir(path, mode=0o700).

Fixes: https://pagure.io/freeipa/issue/8099
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>

- - - - -
57545821 by Stanislav Levin at 2019-10-17T11:43:41Z
Restore running of 'test_ipaserver' tests on Azure

`test_ipaserver` was lost on refactoring in #c8ef093e56.
Let's run that again.

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b3857c71 by Stanislav Levin at 2019-10-17T11:43:41Z
Install language packs for tests

* 'fr_FR' locale is utilized in
test_ipaserver/test_i18n_messages.py::test_i18n_messages::test_i18n_consequence_receive

* 'en_US' is a commonly used locale
AP warns regularly:

```
/bin/bash: warning: setlocale: LC_ALL: cannot change locale
(en_US.utf8): No such file or directory
```

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
09c6db75 by Fraser Tweedale at 2019-10-18T01:51:32Z
krainstance: set correct issuer DN in uid=ipakra entry

If IPA CA has custom subject DN (not "CN=Certificate
Authority,{subject_base}"), the uid=ipakra people entry gets an
incorrect 'description' attribute.  The issuer DN in the
'description' attribute is based on the aforementioned pattern,
instead of the actual IPA CA subject DN.

Update KRAInstance.configure_instance() to require the CA subject DN
argument.  Update ipaserver.install.kra.install() to pass the CA
subject DN.

Fixes: https://pagure.io/freeipa/issue/8084
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
23f4e003 by Fraser Tweedale at 2019-10-18T01:51:32Z
upgrade: fix ipakra people entry 'description' attribute

Add an upgrade script to detect when ipakra people entry has
incorrect 'description' attribute and fix it.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
5d68d04c by Fraser Tweedale at 2019-10-18T01:51:32Z
test_integration: add tests for custom CA subject DN

Define integration test for custom CA subject DN and subject base
scenarios.  Add to nightly CI runs.

Part of: https://pagure.io/freeipa/issue/8084

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
3fbd0abf by Christian Heimes at 2019-10-18T13:57:42Z
Don't install a preexec_fn by default

ipautil.run() now only installs a preexec_fn when it is actually needed.
This addresses a compatibility issue with mod_wsgi subinterpreters under
Python 3.8.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1759290
See: https://bugs.python.org/issue37951
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
40da0cef by Armando Neto at 2019-10-18T14:28:56Z
prci: increase timeout argument for test_sssd.py

Follow-up for commit a4ca34261a55af96e3428822f08f8b2292e6234a.

Vagrant retries provisioning hosts if something happens; this was introduced
in PR-CI after freeipa/freeipa-pr-ci at 380c8b8.

This takes time, some jobs are killed during test execution, so this
adds 20 minutes more to `test_sssd.py` test suite.

This also adds a missing but available topology to `temp_commit.yaml`.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
7d0fbbf4 by Stanislav Levin at 2019-11-04T19:24:00Z
Fix errors found by Pylint-2.4.3

New Pylint (2.4.3) catches several new 'true problems'. At the same
time, it warns about things that are massively and reasonably
employed in FreeIPA.

list of fixed:
- no-else-continue
- redeclared-assigned-name
- no-else-break
- unnecessary-comprehension
- using-constant-test (false positive)

list of ignored (responsibility of contributors and reviewers):
- import-outside-toplevel

Fixes: https://pagure.io/freeipa/issue/8102
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
e5c9c751 by Rob Crittenden at 2019-11-05T14:45:19Z
Enable AES SHA 256 and 384-bit enctypes in Kerberos

https://pagure.io/freeipa/issue/8110

Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
686b85b1 by Sergey Orlov at 2019-11-05T16:30:59Z
ipatests: add test to check that only TLS 1.2 is enabled in Apache

Related to: https://pagure.io/freeipa/issue/7995

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
42482636 by Spencer E. Olson at 2019-11-05T19:55:32Z
Fixes debian path for IPA_CUSTODIA_HANDLER

Debian installs into a different directory for libexec files.  This patch
fixes the path to the custodia files for debian.

Signed-off-by: Spencer E. Olson <olsonse at umich.edu>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
9f93c658 by Sergey Orlov at 2019-11-05T19:57:09Z
ipatests: strip newline character when getting name of temp file

Function create_temp_file was returning unprocessed output of mktemp
command, which contains a trailing newline. Callers which tried to write
to the temp file were creating a new one instead.

Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
66ff6114 by Sergey Orlov at 2019-11-05T19:57:09Z
ipatests: in DNS zone file add A record for name server

Testcase test_server_option_with_unreachable_ad creates a zone file
for the AD domain. This file had a hard-coded A record for the host specified in
the NS record. Some versions of BIND consider this zone invalid and refuse
to start with message:
```
zone ad.test/IN: NS 'root-dc.ad.test' has no address records (A or AAAA)
```

Fixed by replacing hard-coded value with short name of the AD instance.

Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
9023033e by Christian Heimes at 2019-11-05T21:54:56Z
Block camellia in krbenctypes update in FIPS

Add FIPS conditional to updates to prevent updater from adding camellia
encsalttypes.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
6ab306a2 by Christian Heimes at 2019-11-05T21:54:56Z
Skip commented lines after substitution

LDAP updater now ignores commented out lines after substitution.

Fixes: https://pagure.io/freeipa/issue/8111
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0142a3bc by Robbie Harwood at 2019-11-07T18:03:18Z
Provide modern example enctypes in ipa-getkeytab(1)

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
24e882f1 by Rob Crittenden at 2019-11-07T19:45:45Z
Add conditional restart (try-restart) capability to services

This will conditionally restart a service if it is active.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Ade Lee <alee at redhat.com>

- - - - -
6bac58ca by Rob Crittenden at 2019-11-07T19:45:45Z
Conditionally restart certmonger after client installation

If certmonger is running prior to client installation then its
IPA CA configuration will be incomplete and missing the CA chain.

If a certificate is subsequently requested with -F to store the
CA chain in a file or NSS db it may not be available yet. A
conditional restart of certmonger will pick up the new IPA
configuration and complete the IPA CA configuration in certmonger.

A pure restart and service activation is not done since certmonger
is not required unless --request-cert was passed ipa-client-install.

https://pagure.io/freeipa/issue/8105

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Ade Lee <alee at redhat.com>

- - - - -
d9d9abba by Florence Blanc-Renaud at 2019-11-11T11:53:37Z
smartcard: make the ipa-advise script compatible with authselect/authconfig

"ipa-advise config-client-for-smart-card-auth" is run on a server and
creates a script that needs to be copied and executed on a client.
The client may be of a different version and use authconfig instead of
authselect. The generated script must be able to handle both cases
(client using authselect or client using authconfig).

The patch checks whether authselect is available and calls the proper
configuration command (authselect or authconfig) depending on its
availability on the client.

Fixes: https://pagure.io/freeipa/issue/8113
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3d548970 by Christian Heimes at 2019-11-11T12:31:21Z
Add group membership management

A group membership manager is a user or a group that can add members to
a group or remove members from a group or host group.

Fixes: https://pagure.io/freeipa/issue/8114
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
fd10eaaa by Christian Heimes at 2019-11-11T12:31:21Z
Add tests for member management

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Simo Sorce <ssorce at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
11ec42a9 by Sergey Orlov at 2019-11-11T15:49:06Z
ipatests: refactor FileBackup helper

* `cp` now preserves all attributes of original file, there is no reason
  to select only some of them
* backup is now restored with `mv` instead of `cp` to avoid leaving junk

Related to: https://pagure.io/freeipa/issue/8115

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
48a53527 by Sergey Orlov at 2019-11-11T15:49:06Z
ipatests: replace ad hoc backup with FileBackup helper

Test test_smb_mount_and_access_by_different_users was failing with message
```
kdestroy: Permission denied while initializing krb5
```

This happened because the previous test
`test_smb_access_for_ad_user_at_ipa_client` was calling the fixture
`enable_smb_client_dns_lookup_kdc` which was doing backup of krb5.conf
in a wrong way:
- mktemp (to create a temp file)
- cp /etc/krb5.conf to the temp file
- ...
- mv tempfile /etc/krb5.conf

This flow loses the file permissions, because mktemp creates a file
using the default umask, which results in -rw------- permissions.
The copy does not modify the permissions, and the mv keeps the
permissions from the source => /etc/krb5.conf now has -rw-------.

Fixes: https://pagure.io/freeipa/issue/8115
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
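The permission-losing backup flow from the two FileBackup commits above, reproduced as an added example that is not FreeIPA's helper: the buggy flow (temp file, plain copy, move) and the attribute-preserving flow (the Python analogue of `cp -a`) are run on a constructed config file in a temporary directory, so the real /etc/krb5.conf is never touched.

```python
"""Why "mktemp + cp + mv" drops a config file's mode, and the fix.

Added example, not FreeIPA's FileBackup helper. Python equivalents are
used: tempfile.mkstemp for mktemp(1), shutil.copyfile for a plain cp,
shutil.copy2 for an attribute-preserving cp, os.replace for mv.
"""
import os
import shutil
import stat
import tempfile


def _mode(path):
    """Permission bits of path, e.g. 0o644."""
    return stat.S_IMODE(os.stat(path).st_mode)


def buggy_backup_restore(original):
    """The flow from the commit: the temp file is created 0600, a plain
    copy only writes content (the temp file keeps 0600), and the move
    carries the temp file's mode onto the original path."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(original))
    os.close(fd)
    shutil.copyfile(original, tmp)  # content only, like `cp` without -p
    os.replace(tmp, original)       # like `mv`: tmp's 0600 now wins
    return _mode(original)


def fixed_backup_restore(original):
    """Same flow, but the copy preserves mode bits and timestamps, so the
    mode that the move carries over is the original one."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(original))
    os.close(fd)
    shutil.copy2(original, tmp)     # content plus mode, like `cp -a`
    os.replace(tmp, original)
    return _mode(original)


def demo():
    """Run both flows on a constructed world-readable krb5.conf copy.
    Returns (mode after buggy flow, mode after fixed flow)."""
    results = []
    with tempfile.TemporaryDirectory() as workdir:
        for flow in (buggy_backup_restore, fixed_backup_restore):
            cfg = os.path.join(workdir, "krb5.conf")
            with open(cfg, "w") as fh:
                fh.write("[libdefaults]\n dns_lookup_kdc = true\n")
            os.chmod(cfg, 0o644)  # the mode a system krb5.conf normally has
            results.append(flow(cfg))
    return tuple(results)
```

The buggy flow leaves the file at 0600, which is exactly the state that made `kdestroy` fail for non-root users in the commit.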
98f2f8c6 by Sergey Orlov at 2019-11-11T15:49:06Z
ipatests: enable test_smb.py in gating.yaml

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
965ce521 by Armando Neto at 2019-11-12T12:17:20Z
prci: bump template version

Template used: https://app.vagrantup.com/freeipa/boxes/ci-ipa-4-8-f30/versions/0.0.2

Installed packages updated, no other major change.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
bbe24723 by Cédric Jeanneret at 2019-11-12T13:52:03Z
Prevents DNS Amplification Attack and allows customizing named

While [1] did open recursion, it also opened up a security flaw.

This patch intends to close it back, while allowing operators to easily
add their open configuration within Bind9.

In order to allow operators to still open Bind recursion, a new file is
introduced, "ipa-ext.conf" (path might change according to the OS). This
file is not managed by the installer, meaning changes to it won't be
overridden.
Since it's included at the very end of the main configuration file, it
also allows overriding some defaults - of course, operators have to be
careful with that.

Related-Bug: https://bugzilla.redhat.com/show_bug.cgi?id=1754530
Fixes: https://pagure.io/freeipa/issue/8079

[1] https://github.com/freeipa/freeipa/commit/5f4c75eb28b3d50a35fbf3a86a6d842bce8e72f9

Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
0bda6f95 by Alexander Bokovoy at 2019-11-12T18:25:44Z
Update translations

Add Portuguese translation

Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
3674a5c7 by Alexander Bokovoy at 2019-11-12T18:46:27Z
Update list of contributors

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9dfce7a6 by Alexander Bokovoy at 2019-11-12T18:46:35Z
Become FreeIPA 4.8.2

- - - - -
f9b5bbb6 by Timo Aaltonen at 2019-11-20T16:26:24Z
Merge branch 'upstream'

- - - - -
4b3db701 by Timo Aaltonen at 2019-11-20T16:27:35Z
bump the version

- - - - -
bb64919d by Timo Aaltonen at 2019-11-20T16:52:30Z
server.install: Updated.

- - - - -
64281e75 by Timo Aaltonen at 2019-11-20T17:59:01Z
releasing package freeipa version 4.8.2-1

- - - - -


30 changed files:

- .test_runner_config.yaml
- ACI.txt
- API.txt
- Contributors.txt
- Makefile.pythonscripts.am
- VERSION.m4
- client/man/default.conf.5
- client/man/ipa-getkeytab.1
- configure.ac
- daemons/ipa-kdb/Makefile.am
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb.exports
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_audit_as.c
- daemons/ipa-kdb/ipa_kdb_certauth.c
- + daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_principals.c
- daemons/ipa-sam/ipa_sam.c
- daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom.h
- daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_nss_sss.c
- daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c
- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom.h
- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
- debian/changelog
- debian/freeipa-server.install
- + doc/designs/extdom-plugin-protocol.md
- + doc/designs/krb-ticket-policy.md


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/compare/4800fc1eb9ec85bf03ab6b5b9a24ac350704af7e...64281e75be25a9e3d56db4cb99466be41695d2a3


