From gitlab at salsa.debian.org Wed Jun 7 12:51:10 2023
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton))
Date: Wed, 07 Jun 2023 11:51:10 +0000
Subject: [Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 170 commits: Back to git snapshots
Message-ID: <64806f2e771f6_136f88472702450a0@godard.mail>

Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa

Commits:
657a7b25 by Antonio Torres at 2022-11-24T17:13:36+01:00
Back to git snapshots

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
42957f9e by Florence Blanc-Renaud at 2022-11-25T13:49:37+01:00
API reference: update vault doc

Update doc/api/vault_archive_internal.md and doc/api/vault_retrieve_internal.md after the change from commit 93548f2 (default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).

Related: https://pagure.io/freeipa/issue/9259

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
660da9ab by Florence Blanc-Renaud at 2022-11-25T13:49:37+01:00
API reference: update dnszone_add generated doc

Update doc/api/dnszone_add.md after commit c74c701 (Set 'idnssoaserial' to deprecated)

Related: https://pagure.io/freeipa/issue/9249

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
42be04fe by Alexander Bokovoy at 2022-11-28T18:53:51+01:00
updates: fix memberManager ACI to allow managers from a specified group

The original implementation of the member manager added support for both user and group managers but left out the upgrade scenario. This means that when upgrading an existing installation, a manager whose rights are defined by group membership would not be able to add group members until the ACI is fixed.

Remove the old ACI and add a full one during the upgrade step.

Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
aeb9cc9b by Florence Blanc-Renaud at 2022-12-02T10:18:16+01:00
PRCI: update memory reqs for each topology

The memory requirements are defined in the vagrant templates in https://github.com/freeipa/freeipa-pr-ci/tree/master/templates/vagrantfiles
They have been updated and the corresponding values must be kept consistent in the topologies for PRCI.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
c411c2e7 by Florence Blanc-Renaud at 2022-12-02T10:32:34+01:00
webui tests: fix assertion in test_subid.py

The test wants to check the error related to an exception obtained inside a "with pytest.raises" instruction. The object is an ExceptionInfo and offers a match method to check the content of the string representation.
Use this match() method instead of str(excinfo) which now returns '<ExceptionInfo NoSuchElementException() tblen=10>'

Fixes: https://pagure.io/freeipa/issue/9282

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
8e7d1ac4 by Christian Heimes at 2022-12-02T13:28:04+01:00
ipa-certupdate: Update client certs before KDC/HTTPd restart

Apache HTTPd uses `/etc/ipa/ca.crt` to validate client certs. `ipa-certupdate` now updates the file before it restarts HTTPd.

Fixes: https://pagure.io/freeipa/issue/9285

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a10627bd by Antonio Torres at 2022-12-02T14:24:05+01:00
API doc: add basic user management guide

Add basic user management guide that includes various examples on performing common tasks related to the user module, such as adding a user, modifying it, adding certificates for it, etc.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2d0a0cc4 by Florence Blanc-Renaud at 2022-12-02T15:27:22+01:00
Spec file: ipa-client depends on krb5-pkinit-openssl

Now that ipa-client-installs supports pkinit, the package depends on krb5-pkinit-openssl. Update the spec file, move the dependency from ipa-server to ipa-client subpackage.

Fixes: https://pagure.io/freeipa/issue/9290

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9599e975 by Florence Blanc-Renaud at 2022-12-14T15:44:46+01:00
ipatests: xfail on all fedora for test_ipa_login_with_sso_user

With the new fedora36 vagrant image, the test is also failing. Mark xfail for all fedora versions.

Related: https://pagure.io/freeipa/issue/9264

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Scott Poore <spoore at redhat.com>

- - - - -
65a14a36 by Sudhir Menon at 2022-12-19T11:53:10+01:00
Fixes: ipa-otpd@.service: deprecated syslog setting

This patch updates the deprecated syslog setting, i.e. StandardError=syslog, with StandardError=journal

Pagure: https://pagure.io/freeipa/issue/9279
Ref: https://github.com/systemd/systemd/pull/15812
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
68f6574c by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
ipatests: update the fake fips mode expected message

The test ipatests/test_integration/test_fips.py is faking FIPS mode and calls "openssl md5" to ensure the algo is not available in the fake FIPS mode. The error message has been updated with openssl-3.0.5-5. In the past the command used to return:

$ openssl md5 /dev/null
Error setting digest
140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147:

And now it returns:

$ openssl md5 /dev/null
Error setting digest
00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:

To be compatible with all versions, only check the common part:
Error setting digest

Mark the test as xfail since installation is currently not working.

Related: https://pagure.io/freeipa/issue/9002

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c853cfde by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
cert utilities: MAC verification is incompatible with FIPS mode

The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS algorithm and cannot be supported by the FIPS provider.
Do not require mac verification in FIPS mode: append the option --nomacver to the command openssl pkcs12 used to extract a pem file or a key from a p12 file.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dfba6ebf by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
FIPS setup: fix typo filtering camellia encryption

The config file /var/kerberos/krb5kdc/kdc.conf is customized during IPA server installation with a list of supported encryption types. In FIPS mode, camellia encryption is not supported and should be filtered out. Because of a typo in the filtering method, the camellia encryptions are appended while they should not.

Fix the typo (camelia vs camellia) in order to filter properly.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2904b15a by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
Spec file: bump krb5_kdb_version on rawhide

fedora 38 now uses krb5 1.20.1 which provides krb5_kdb_version 9.0 instead of 8.0

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
30497892 by Florence Blanc-Renaud at 2022-12-20T17:06:20+01:00
ipatests: update the xfail annotation for test_number_of_zones

The test is failing on fedora 36+, update and simplify the xfail condition.

Related: https://pagure.io/freeipa/issue/9135

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
782873a2 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
azure tests: move to fedora 37

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
fd212045 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove unneeded disable=unused-private-member

pylint fixed issue https://github.com/PyCQA/pylint/issues/4756 and we no longer need to disable this check.

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
51e0f751 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove useless suppression

The newer version of pylint has fixed false positives and no longer needs these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
240b46db by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable redefined-slots-in-subclass

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
081dd263 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable used-before-assignment

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
328fb642 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: replace deprecated distutils module

PEP 632 deprecates the distutils module. Replace
- distutils.spawn.find_executable with shutil.which
- distutils.log with logging

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
ac69ad4b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable modified-iterating-list

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
22f182ee by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove arguments-renamed warnings

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
5434c12b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable using-constant-test

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
3336236f by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable unnecessary-dunder-call message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
2b97c8ca by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: globally disable unnecessary-lambda-assignment message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
84c4792b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable missing-timeout message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
71496be7 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix implicit-str-concat

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b9ea3fcb by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix duplicate-value

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
433599fd by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix deprecated-class SafeConfigParser

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a95e11db by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable invalid-sequence-index

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
07111438 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable unhashable-member

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
4e998848 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: globally disable useless-object-inheritance

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
3d211b4f by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix consider-iterating-dictionary

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
015e25a5 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
62e2d111 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
85037db2 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable deprecated-module message

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
d673fdab by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Lint in single process mode

There are several known problems with multiprocess mode. For example, https://github.com/PyCQA/pylint/issues/3232. In other words the lint result depends on the number of jobs. The most correct report is expected for single process.

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
f9822697 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: More allowed C extensions

Fixes:
```
[E0611(no-name-in-module), ] No name 'parse' in module 'lxml.etree'
[E0611(no-name-in-module), ] No name 'murmurhash3' in module 'pysss_murmur'
```

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
68ab438f by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated extension-pkg-whitelist

`extension-pkg-whitelist` is deprecated in favour of `extension-pkg-allow-list` since Pylint 2.7.3:
https://pylint.pycqa.org/en/latest/whatsnew/2/2.7/full.html#what-s-new-in-pylint-2-7-3

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
c48c76e9 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix cyclic-import

Most of `cyclic-import` issues reported by Pylint are false-positive and they are already handled in the code, but several ones are the actual errors.

Fixes: https://pagure.io/freeipa/issue/9232
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
1261bbf0 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated pipes

`pipes` module is deprecated as of Python 3.11.

https://docs.python.org/3/library/pipes.html#module-pipes:
> Deprecated since version 3.11, will be removed in version 3.13: The pipes module is deprecated (see PEP 594 for details).

IPA code used only `quote` function from `pipes` that in turn is the alias for `shlex.quote` since Python 3.3:
https://github.com/python/cpython/commit/9bce311ea4f58ec04cab356a748e173ecfea381c

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b1237656 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix used-before-assignment

> Emitted when a local variable is accessed before its assignment took place. Assignments in try blocks are assumed not to have occurred when evaluating associated except/finally blocks. Assignments in except blocks are assumed not to have occurred when evaluating statements outside the block, except when the associated try block contains a return statement.

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
acc2daf2 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix modified-iterating-list

https://pylint.pycqa.org/en/latest/user_guide/messages/warning/modified-iterating-list.html:
> Emitted when items are added or removed to a list being iterated through. Doing so can result in unexpected behaviour, that is why it is preferred to use a copy of the list.

https://docs.python.org/3/tutorial/controlflow.html#for-statements:
> Code that modifies a collection while iterating over that same collection can be tricky to get right. Instead, it is usually more straight-forward to loop over a copy of the collection or to create a new collection

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
dc8c8a78 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix unnecessary-lambda-assignment

https://pylint.pycqa.org/en/latest/user_guide/messages/convention/unnecessary-lambda-assignment.html:
> Used when a lambda expression is assigned to variable rather than defining a standard function with the "def" keyword.

https://peps.python.org/pep-0008/#programming-recommendations:
> Always use a def statement instead of an assignment statement that binds a lambda expression directly to an identifier:
>
> def f(x): return 2*x
>
> f = lambda x: 2*x
>
> The first form means that the name of the resulting function object is specifically 'f' instead of the generic '<lambda>'. This is more useful for tracebacks and string representations in general. The use of the assignment statement eliminates the sole benefit a lambda expression can offer over an explicit def statement (i.e. that it can be embedded inside a larger expression)

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
bd7b5bf7 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix unhashable-member

https://pylint.pycqa.org/en/latest/user_guide/messages/error/unhashable-member.html:
> Emitted when a dict key or set member is not hashable (i.e. doesn't define __hash__ method).

https://docs.python.org/3/library/stdtypes.html#dict.update:
> Update the dictionary with the key/value pairs from other, overwriting existing keys. Return None. update() accepts either another dictionary object or an iterable of key/value pairs (as tuples or other iterables of length two). If keyword arguments are specified, the dictionary is then updated with those key/value pairs: d.update(red=1, blue=2).

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
bccd3c94 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix useless-object-inheritance

https://pylint.pycqa.org/en/latest/user_guide/messages/refactor/useless-object-inheritance.html:
> Used when a class inherit from object, which under python3 is implicit, hence can be safely removed from bases.

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
2009889d by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated cgi module

https://docs.python.org/3/library/cgi.html#module-cgi:
> Deprecated since version 3.11, will be removed in version 3.13: The cgi module is deprecated (see PEP 594 for details and alternatives).

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b5f2b0b1 by Florence Blanc-Renaud at 2023-01-11T12:55:04+01:00
ipatests: mark test_smb as xfail

Mark the test test_smb.py::TestSMB::test_smb_service_s4u2self as xfail.

Related: https://pagure.io/freeipa/issue/9124

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
894dca12 by Florence Blanc-Renaud at 2023-01-16T08:40:16+01:00
server install: remove error log about missing bkup file

The client installer code can be called in 3 different ways:
- from ipa-client-install CLI
- from ipa-replica-install CLI if the client is not already installed
- from ipa-server-install

In the last case, the client installer is called with options.on_master=True
As a result, it's skipping the part that is creating the krb5 configuration:

    if not options.on_master:
        nolog = tuple()
        configure_krb5_conf(...)

The configure_krb5_conf method is the place where the krb5.conf file is backed up with the extension ".ipabkp". For a master installation, this code is not called and the ipabkp file does not exist => delete raises an error.

When delete fails because the file does not exist, no need to log an error message.

Fixes: https://pagure.io/freeipa/issue/9306

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0fa95852 by Florence Blanc-Renaud at 2023-01-17T14:53:35+01:00
Tests: force key type in ACME tests

PKI can issue ACME certs only when the key type is rsa. With version 2.0.0, certbot defaults to ecdsa key type, and this causes test failures.
For now, force rsa when requesting an ACME certificate. This change can be reverted when PKI fixes the issue on their side (https://github.com/dogtagpki/pki/issues/4273)

Related: https://pagure.io/freeipa/issue/9298
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7d1a3585 by Florence Blanc-Renaud at 2023-01-17T22:42:25+01:00
Installer: create RID base before domain object

The installer is currently creating the samba domain object before it adds the RID base and secondary RID base. As a consequence, there is a window during which the sidgen plugin is active but unable to generate SIDs (it requires the samba domain object to find the domain SID and RID base to know where to start from).

There is no direct impact except the error log of 389ds that reports
ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.

This fix configures the RID base and secondary RID base before the domain object is created, thus removing this window.

Fixes: https://pagure.io/freeipa/issue/9309

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2520a7ad by Filip Dvorak at 2023-01-20T10:02:02+01:00
ipa tests: Add LANG before kinit command to fix issue with locale settings

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
364116c2 by Antonio Torres at 2023-01-24T14:54:37+01:00
API doc: validate generated reference

Extend 'makeapi --validate' to validate API Reference files too. If differences are found between the generated and stored docs the validation fails. This command is executed in our Azure pipelines, so every time a developer opens a PR but forgets to update the API Reference, the CI will fail.

Fixes: https://pagure.io/freeipa/issue/9287
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0e06786a by Florence Blanc-Renaud at 2023-01-24T19:07:52+01:00
Spec file: unify with RHEL9 spec

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
2a69d056 by Florence Blanc-Renaud at 2023-01-24T19:07:52+01:00
Spec file: use %autosetup instead of %setup

This change fixes rpminspect issues reported when building for RHEL, like the following one:

Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch) is missing a corresponding %patch1001 macro, usually in %prep.

Waiver Authorization: Anyone

Suggested Remedy: The named patch is defined in the source RPM header (this means it has a PatchN: definition in the spec file) but is not applied anywhere in the spec file. It is missing a corresponding %patch macro and the spec file lacks the %autosetup or %autopatch macros. You can fix this by adding the appropriate %patch macro in the spec file (usually in the %prep section). The number specified with the %patch macro corresponds to the number used to define the patch at the top of the spec file. So Patch47 is applied with a %patch47 macro.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
97fc368d by Florence Blanc-Renaud at 2023-01-25T13:45:53-05:00
trust-add: handle missing msSFU30MaxGidNumber

When ipa trust-add is executed with --range-type ad-trust-posix, the server tries to find the max uidnumber and max gidnumber from AD domain controller. The values are extracted from the entry
CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.

msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber. In case msSFU30MaxGidNumber is missing, the code is currently assigning a "None" value and later on evaluates the max between this value and msSFU30MaxUidNumber. The max function cannot compare None and a list of string and triggers an exception.

To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber is missing. This way, the comparison succeeds and max returns the value from msSFU30MaxUidNumber.

Fixes: https://pagure.io/freeipa/issue/9310

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
51b1c22d by Rob Crittenden at 2023-01-27T13:00:22+01:00
doc: Design for certificate pruning

This describes how the certificate pruning capability of PKI introduced in v11.3.0 will be integrated into IPA, primarily for ACME.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1be3188e by Stanislav Levin at 2023-01-31T11:21:34+01:00
ipatests: healthcheck: Handle missing fips-mode-setup

freeipa-healthcheck prechecks existence of `fips-mode-setup` and reports if it's missing:

> "fips": "missing /bin/fips-mode-setup"

Fixes: https://pagure.io/freeipa/issue/9315
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fb22c8e5 by Stanislav Levin at 2023-02-01T10:54:12+01:00
spec: Drop no longer used build dependency on paste

With ff6e701b0077d9c8e2aacdcaecf70f885018db92 it was replaced with `werkzeug`.

https://pypi.org/project/Paste/
> Paste is in maintenance mode and recently moved from bitbucket to github. Patches are accepted to keep it on life support, but for the most part, please consider using other options.

Fixes: https://pagure.io/freeipa/issue/9314

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ff31b0c4 by Rob Crittenden at 2023-02-01T17:47:26+01:00
tests: Add ipa_ca_name checking to DNS system records

freeipa-healthcheck 0.12 includes a SUCCESS message if the ipa-ca records are as expected so a user will know they were checked.

For that version and beyond test that it is included.

Related: https://pagure.io/freeipa/issue/9291

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6ca11968 by Rob Crittenden at 2023-02-01T17:47:26+01:00
tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck

freeipa-healthcheck changed some messages related to ipa-ca DNS record validation in IPADNSSystemRecordsCheck. Include support for it and retain backwards compatibility.

Fixes: https://pagure.io/freeipa/issue/9291
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d662b125 by Stanislav Levin at 2023-02-02T07:31:15+01:00
tests: Configure DNSResolver as platform agnostic resolver

Avoid reading platform specific `/etc/resolv.conf` in `TestDNSResolver` unit tests. Systems (e.g. sandboxes) may not have `/etc/resolv.conf` or this file may not contain any configured name servers. `TestDNSResolver` unit tests check only customized `nameservers` property and should not depend on existence of `/etc/resolv.conf`.

Resolver accepts `configure` option.
https://dnspython.readthedocs.io/en/latest/resolver-class.html :
> configure, a bool. If True (the default), the resolver instance is configured in the normal fashion for the operating system the resolver is running on. (I.e. by reading a /etc/resolv.conf file on POSIX systems and from the registry on Windows systems.)

Fixes: https://pagure.io/freeipa/issue/9319
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9246a8a0 by Rob Crittenden at 2023-02-02T13:42:57+01:00
ipa-acme-manage: add certificate/request pruning management

Configures PKI to remove expired certificates and non-resolved requests on a schedule.

This is geared towards ACME which can generate a lot of certificates over a short period of time but is general purpose. It lives in ipa-acme-manage because that is the primary reason for including it.

Random Serial Numbers v3 must be enabled for this to work.

Enabling pruning enables the job scheduler within CS and sets the job user as the IPA RA user which has full rights to certificates and requests.

Disabling pruning does not disable the job scheduler because the tool is stateless. Having the scheduler enabled should not be a problem.

A restart of PKI is required to apply any changes.

This tool forks out to pki-server which does direct writes to CS.cfg. It might be easier to use our own tooling for this but this makes the integration tighter so we pick up any improvements in PKI.

The "cron" setting is quite limited, taking only integer values and *. It does not accept ranges, either - or /. No error checking is done in PKI when setting a value, only when attempting to use it, so some rudimentary validation is done.

Fixes: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden rcritten at redhat.com
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f10d1a0f by Rob Crittenden at 2023-02-02T13:42:57+01:00
doc: add the --run command for manual job execution

A manual method was mentioned with no specificity. Include the --run command.

Also update the troubleshooting section to show what failure to restart the CA after configuration looks like.

Import the IPA CA chain for manual execution.

Also fix up some $ -> # to indicate root is needed.

Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 2857bc69 by Florence Blanc-Renaud at 2023-02-02T15:21:25+01:00 automember-rebuild: add a notice about high CPU usage The automember-rebuild task may require high CPU usage if many users/hosts/groups are processed. Add a note in the ipa automember-rebuild CLI output and in the WebUI confirmation message. Fixes: https://pagure.io/freeipa/issue/9320 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - 1a965a3a by David Pascual at 2023-02-04T17:14:08+01:00 ipatests: fix (prci_checker) duplicated check & error return code Fix 1: timeout field was being checked twice and did not return fail code on error Fix 2: Tool did not return error code on single file check unsuccessful run Signed-off-by: David Pascual <davherna at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - d24b6998 by Rob Crittenden at 2023-02-05T10:31:19+01:00 tests: add wrapper around ACME RSNv3 test This test is located outside of the TestACMEPrune because it enables RSNv3 while the server installed by TestACME doesn't. It still needs a wrapper to enforce a version of PKI that supports pruning because that is checked first in the tool. Re-ordering that wouldn't be a good user experience. https://pagure.io/freeipa/issue/9322 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - a20acb6f by Antonio Torres at 2023-02-08T11:44:01+01:00 API doc: add note about ipa show-mappings to usage guide As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list command arguments and options directly through the CLI. 
Signed-off-by: Antonio Torres <antorres at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - a786d3d5 by Chris Kelley at 2023-02-09T14:52:33-05:00 Check that CADogtagCertsConfigCheck can handle cert renewal Renewal causes two certs to have the same nickname. Dogtag is patched to allow for N certs with the same nickname, and this test is to verify that CADogtagCertsConfigCheck still passes. Related: https://github.com/dogtagpki/pki/pull/4285 Signed-off-by: Chris Kelley <ckelley at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - 649c35aa by Antonio Torres at 2023-02-09T16:12:56-05:00 API doc: add usage guides for groups, HBAC and sudo rules Include guides with examples for groups, HBAC and sudo rules management. These cover most of the available commands related to these topics. Signed-off-by: Antonio Torres <antorres at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 20ff7c16 by Rob Crittenden at 2023-02-09T21:46:16-05:00 Fix setting values of 0 in ACME pruning Replace comparisons of "if value" with "if value is not None" in order to handle 0. Add a short reference to the man page to indicate that a cert or request retention time of 0 means remove at the next execution. Also indicate that the search time limit is in seconds. Fixes: https://pagure.io/freeipa/issue/9325
Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - 4e0ad96f by Rob Crittenden at 2023-02-09T21:48:55-05:00 Wipe the ipa-ca DNS record when updating system records If a server with a CA has been marked as hidden and contains the last A or AAAA address then that address would remain in the ipa-ca entry. This is because update-dns-system-records did not delete values, it just re-computed them. So if no A or AAAA records were found then the existing value was left. Fixes: https://pagure.io/freeipa/issue/9195 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> Reviewed-By: Stanislav Levin <slev at altlinux.org> - - - - - 0206369e by Alexander Bokovoy at 2023-02-09T21:51:43-05:00 ipa-kdb: PAC consistency checker needs to handle child domains as well When the PAC check is performed, we might get a signing TGT instead of the client DB entry. This means it is a principal from a trusted domain but we don't know which one exactly because we only have a krbtgt for the forest root. This happens in MIT Kerberos 1.20 or later where KDB's issue_pac() callback never gets the original client principal directly. Look into known child domains as well and make the check pass if both NetBIOS name and SID correspond to one of the trusted domains under this forest root. Move the check for the SID before the NetBIOS name check because we can use the SID of the domain in the PAC to find out the right child domain in our trusted domains' topology list. Fixes: https://pagure.io/freeipa/issue/9316 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - a6cb905d by Anuja More at 2023-02-09T21:51:43-05:00 Add test for SSH with GSSAPI auth. Added test for aduser with GSSAPI authentication. Related: https://pagure.io/freeipa/issue/9316
Signed-off-by: Anuja More <amore at redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 0f77b359 by Mohammad Rizwan at 2023-02-13T17:33:14-05:00 ipatests: tests for certificate pruning 1. Test to prune the expired certificate by manual run 2. Test to prune expired certificate by cron job 3. Test to prune expired certificate with retention unit option 4. Test to prune expired certificate with search size limit option 5. Test to check config-show command shows set param 6. Test prune command shows proper status after disabling the pruning related: https://pagure.io/freeipa/issue/9294 
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 450e78f5 by Stanislav Levin at 2023-02-17T18:13:44+01:00 tests: webui: Allow file access from files in tests https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files > By default, file:// URIs cannot read other file:// URIs. This is an override for developers who need the old behavior for testing. Fixes webui tests on CI:

```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 425cad6f by Stanislav Levin at 2023-02-17T18:13:44+01:00 tests: webui: Load qunit only once webui unit tests fail with grunt-contrib-qunit:

```
Testing test/all_tests.html
>> Error: Error: QUnit has already been defined.
>>     at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2
>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>>     at <anonymous>:175:24
>>     at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>>     at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>>     at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>>     at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>>     at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>>     at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>>     at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```

Load `qunit` with `dojo.require` that among other useful things helps > Preventing loading Dojo packages twice. dojo.require will simply return if the package is already loaded. See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd Related: https://pagure.io/freeipa/issue/9329 Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 8fe8b262 by Stanislav Levin at 2023-02-17T18:13:44+01:00 AP: webui: List installed nodejs packages It's helpful for debugging regressions. Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 9b8e8edc by Stanislav Levin at 2023-02-17T18:13:44+01:00 tests: webui: Update vendored qunit Updated qunit to the latest supported version from https://code.jquery.com/qunit. See https://qunitjs.com/intro/#release-channels for details. Related: https://pagure.io/freeipa/issue/9329 Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 41c32174 by David Pascual at 2023-02-20T08:12:20+01:00 doc: Use case examples for PR-CI checker tool This document showcases common use cases for the user to interact with the PR-CI checker tool. Signed-off-by: David Pascual <davherna at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 88b9be29 by mbhalodi at 2023-02-20T08:17:08+01:00 ipatests: ensure that ipa automember-rebuild prints a warning ipa automember-rebuild now prints a warning about CPU usage. Ensure that the warning is properly displayed. Related: https://pagure.io/freeipa/issue/9320 Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 2a2132cc by Anuja More at 2023-02-20T16:42:29+01:00 PRCI: update test_trust.py for nightly pipelines. test_integration/test_trust.py is divided into two parts. 1: class TestTrust 2: class TestNonPosixAutoPrivateGroup, class TestPosixAutoPrivateGroup Fixes: https://pagure.io/freeipa/issue/9326 Signed-off-by: Anuja More <amore at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - fe13baa0 by Rob Crittenden at 2023-02-21T08:18:07+01:00 doc: Update pruning design with implemented enable/disable options Instead of passing TRUE/FALSE to a single --enable option use two flags instead, which IMHO is clearer. So --enable=TRUE to --enable and --enable=FALSE to --disable Fixes: https://pagure.io/freeipa/issue/9323
Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Mohammad Rizwan <myusuf at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - e7c642ba by Mohammad Rizwan at 2023-02-22T09:11:24+01:00 ipatests: fix tests in TestACMEPrune When cron_minute + 5 > 59, the cron job throws an error for it, i.e. 58 + 5 = 63, which is not an acceptable value for cron minute. The second fix is related to a mismatch between a config setting and the corresponding assert. The third fix is related to extending time by 60 minutes to properly expire the certs. related: https://pagure.io/freeipa/issue/9294 Signed-off-by: Mohammad Rizwan <myusuf at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - cd07413c by mbhalodi at 2023-02-22T15:43:23+01:00 ipatests: WebUI - ensure that ipa automember-rebuild prints a warning ipa automember-rebuild now prints a warning about CPU usage in the WebUI. Ensure that the warning is properly displayed. Related: https://pagure.io/freeipa/issue/9320 Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Michal Polovka <mpolovka at redhat.com> - - - - - 0a8a3922 by Florence Blanc-Renaud at 2023-02-23T07:43:05+01:00 ipatests: increase timeout for test_acme The test test_integration/test_acme.py times out frequently and has a current timeout set to 2h, which is roughly the average time for a successful run. Increase by 15 minutes, so that even the tests requiring package updates have enough time (for instance the rawhide run needs to update all the packages to the latest version). Also create a separate job for the new test TestACMEPrune. Fixes: https://pagure.io/freeipa/issue/9324
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Mohammad Rizwan <myusuf at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - a94f7bbf by Timo Aaltonen at 2023-02-27T12:09:25+02:00 copyright, watch: Filter prebuilt html documentation from the tarball. - - - - - b0af80ed by Timo Aaltonen at 2023-02-27T12:09:42+02:00 tests: Dump journalctl on fail - - - - - 7dbd5758 by Timo Aaltonen at 2023-02-27T12:10:28+02:00 fix-ldap-so-path.diff: Specify the path to ldap.so again, and use multiarch path. - - - - - 8ab6fd30 by Timo Aaltonen at 2023-02-27T12:10:40+02:00 tests: Dump journalctl for select services - - - - - 88039385 by Christian Heimes at 2023-03-01T04:58:45+01:00 Don't block when kinit_pkinit() fails Installation of ipa-client with PKINIT authentication can block when there is a problem with PKINIT, e.g. KDC does not accept the cert or the anchor chain is incomplete. `kinit` falls back to password authentication and asks the user to enter a password. `kinit` does not have an option to force non-interactive mode. Sending `\n` to stdin seems to be the only solution here. Fixes: https://pagure.io/freeipa/issue/9333 Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 6a4d34fb by Carla Martinez at 2023-03-03T04:55:48+01:00 Update 'Auth indicators' doc string The doc string located in the 'Authentication indicators' ('Services' settings page) was missing the usage explanation for the 'ipd' checkbox option. Fixes: https://pagure.io/freeipa/issue/9338 
Signed-off-by: Carla Martinez <carlmart at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - b152e8c3 by Stanislav Levin at 2023-03-03T05:01:33+01:00 dns: Fix support for dnspython 1.1x `nameservers` was transformed into the property in dnspython 2: https://github.com/rthalley/dnspython/commit/bbf0cfd239ffa6deeb67a4787bd292e9a972af74 This causes > AttributeError: type object 'Resolver' has no attribute 'nameservers' on the previous dnspython 1.1x. Fixes: https://pagure.io/freeipa/issue/9339 Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - e3507563 by Rafael Guterres Jeffman at 2023-03-03T05:04:31+01:00 Migrated to SPDX license. According to [1] all Fedora packages need to be updated to use a SPDX expression. This patch updates the freeipa spec template to comply with this change. [1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1 Fixes: https://pagure.io/freeipa/issue/9342 
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 9323bafb by Thorsten Scherf at 2023-03-07T13:19:54+01:00 external-idp: change idp server name to reference name When you run "ipa idp-show <idp reference>" the IdP reference is shown as "Identity Provider server name". This is confusing as we are pointing to the earlier created IdP reference rather than a server. Other files are updated as well to reflect this change. Additionally some typos are fixed with this patch too. Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 34d048ed by Florence Blanc-Renaud at 2023-03-14T17:50:25+01:00 ipatests: adapt for new automembership fixup behavior The automembership fixup task now needs to be called with the --cleanup argument when the user expects automember to remove users/hosts from automember groups. Update the test to create a cleanup task equivalent to dsconf plugin automember fixup --cleanup when it is needed. Fixes: https://pagure.io/freeipa/issue/9313 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 983a6516 by Anuja More at 2023-03-15T09:34:33+01:00 ipatests: Test ipa-advise is not failing with error. The ipa-advise command should not fail with an error. Related: https://pagure.io/freeipa/issue/6044
Signed-off-by: Anuja More <amore at redhat.com> Reviewed-By: Sudhir Menon <sumenon at redhat.com> - - - - - e1f4f655 by Erik Belko at 2023-03-15T18:30:08+01:00 ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario Testing if a manager whose rights are defined by group membership is able to add group members after upgrade of the ipa server. Using ACI modification to demonstrate the inability before upgrading the ipa server. Related: https://pagure.io/freeipa/issue/9286 Also added some generally helpful functions to tasks.py Signed-off-by: Erik Belko <ebelko at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com> Reviewed-By: Michal Polovka <mpolovka at redhat.com> - - - - - b93f6b52 by Alexander Bokovoy at 2023-03-22T13:59:40+01:00 Don't fail if optional RPM macros file is missing With the fix for https://pagure.io/freeipa/issue/7951 we started to modify RPM macros in the Azure CI environment. Don't fail if the file does not exist anymore, as happens now in Fedora. Fixes: https://pagure.io/freeipa/issue/9347 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - 84f5f87b by Alexander Bokovoy at 2023-03-22T13:59:40+01:00 Use system-wide chromium for webui tests Fixes: https://pagure.io/freeipa/issue/9347 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - aacaafce by Alexander Bokovoy at 2023-03-22T13:59:40+01:00 Fix tox in Azure CI Fixes: https://pagure.io/freeipa/issue/9347 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - 051bbe36 by Anuja More at 2023-03-23T09:08:06+01:00 ipatests: Test that non admin user can search hbac rule. Related: https://pagure.io/freeipa/issue/5130
Signed-off-by: Anuja More <amore at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - b1b7cbc0 by Antonio Torres at 2023-03-23T17:12:01+01:00 ipaserver: deepcopy objectclasses list from IPA config We need to deepcopy the list of default objectclasses from IPA config before assigning it to an entry, in order to avoid further modifications of the entry affecting the cached IPA config. Fixes: https://pagure.io/freeipa/issue/9349 Signed-off-by: Antonio Torres <antorres at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> Reviewed-By: Thomas Woerner <twoerner at redhat.com> - - - - - e07ead94 by Alexander Bokovoy at 2023-03-30T08:11:22+02:00 ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by Added in Python Cryptography 40.0 Thanks to @tiran for the code Fixes: https://pagure.io/freeipa/issue/9355 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Stanislav Levin <slev at altlinux.org> - - - - - ae014c6a by Florence Blanc-Renaud at 2023-03-30T14:57:57+02:00 ipatests: increase timeout for test_trust The timeout for test_trust is too short (6000s) and the nightly tests often fail. Increase to 7200s. Fixes: https://pagure.io/freeipa/issue/9326 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Anuja More <amore at redhat.com> - - - - - 3eed25e9 by Antonio Torres at 2023-03-30T15:49:45+02:00 doc: allow notes on Param API Reference pages The notes that Param pages will contain after #6733 are added manually, and because of this we need to add markers to differentiate between automated and manual content, as we do for class pages.
Signed-off-by: Antonio Torres <antorres at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 54026270 by Stanislav Levin at 2023-03-30T16:16:42+02:00 fastlint: Correct concatenation of file lists `printf` ignores excessive arguments unused in formatting. This resulted in only the first file from two file lists being linted/stylechecked if both Python template files and Python modules were changed. Make use of formatting instead: > The format is reused as necessary to consume all of the arguments Fixes: https://pagure.io/freeipa/issue/9318 Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - def07260 by Florence Blanc-Renaud at 2023-04-05T09:27:45+02:00 ipatests: fix test definition for test_trust The nightly test test_trust.py has been split into 2 jobs, one for test_trust.py::TestTrust (test_trust) and the other for the remaining test classes from the same file (test_trust_autoprivate). The backport forgot to narrow down the first job definition to the class test_trust.py::TestTrust in the 4-10_previous pipeline. Fix this omission. Related: https://pagure.io/freeipa/issue/9326 Reviewed-By: Anuja More <amore at redhat.com> - - - - - 6db9bbd8 by mbhalodi at 2023-04-05T09:40:25+02:00 ipatests: add missing automember-cli tests Revisit the bash tests and port the valid tests to upstream. Related: https://pagure.io/freeipa/issue/9332
Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Michal Polovka <mpolovka at redhat.com> - - - - - 03180bed by Jarl Gullberg at 2023-04-05T09:50:08+02:00 ipaplatform/debian: fix path to ldap.so bind-dyndb-ldap on Debian installs ldap.so in a subdirectory of /usr/lib to prevent unintentional usage of an unversioned .so. The default settings for FreeIPA on Debian used an incomplete path, resulting in a failure to find ldap.so when bind attempts to start with bind-dyndb-ldap configured. This fixes the default path to use the appropriate location in its multiarch-qualified path. Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com> Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com> - - - - - 1b38ab17 by Jarl Gullberg at 2023-04-05T09:52:52+02:00 install: Fix missing dyndb keytab directive bind-dyndb-ldap uses the krb5_keytab directive to set the path to the keytab to use. This directive was not being used in the configuration template, resulting in a failure to start named if the keytab path differed from the defaults. This issue was discovered when packaging FreeIPA for Debian, which is one of the platforms where the path is customized. Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com> Fixes: https://pagure.io/freeipa/issue/9344 Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - e7506403 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 Ignore empty modification error in case cifs/.. principal already added Constrained delegation target may already be configured by default. Related: https://pagure.io/freeipa/issue/9354 
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 52e6da90 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 test_xmlrpc: adopt to automember plugin message changes in 389-ds Another change in automember plugin messaging that breaks FreeIPA tests. Use a common substring to match. Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 7a7ba45c by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only Confine the search for S4U2Proxy access control lists to the subtree where they were created. This will allow using a similar method to describe RBCD access controls. Related: https://pagure.io/freeipa/issue/5444 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 18cd909b by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 doc: add design document for Kerberos constrained delegation The FreeIPA Kerberos implementation already supports delegation of credentials, both unconstrained and constrained. Constrained delegation is an extension developed by Microsoft and documented in the MS-SFU specification. The MS-SFU specification also includes resource-based constrained delegation (RBCD) which FreeIPA did not support. Microsoft has decided to force use of RBCD for forest trust. This means that certain use-cases will not be possible anymore. This design document outlines approaches used by FreeIPA for the constrained delegation implementation, including RBCD. Fixes: https://pagure.io/freeipa/issue/9354 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 5b6ad0e6 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 IPA API changes to support RBCD IPA API commands to manage RBCD access controls. Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 7ac6adfa by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 kdb: implement RBCD handling in KDB driver Resource-based constrained delegation (RBCD) is implemented with a new callback used by the KDC. This callback is called when a server asks for an S4U2Proxy TGS request and passes a ticket that contains RBCD PAC options. The callback is supposed to take the client and server principals, a PAC and a target service database entry. Using the target service database entry it then needs to decide whether the server principal is allowed to delegate the client credentials to the target service. The callback can also cross-check whether the client principal can be limited in delegating its own tickets but this is not implemented in the current version. Fixes: https://pagure.io/freeipa/issue/9354 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 7d68f4f0 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 RBCD: add basic test for RBCD handling Add a test that uses the IPA API to allow delegation of RBCD configuration to a host and then uses it to set up an RBCD rule for a service. Run the RBCD check when the rule exists and when the rule is removed. Since we only provide RBCD support on the KDC side with Kerberos 1.20, skip the test on Fedora versions prior to Fedora 38 and on RHEL versions prior to RHEL 9.2. Fixes: https://pagure.io/freeipa/issue/9354 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - b63e6a25 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 doc/designs/rbcd.md: add usage examples Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - cb18ca31 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 doc/designs/rbcd.md: document use of S-1-18-* SIDs Fixes: https://pagure.io/freeipa/issue/9354 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 9c6b4f44 by Antonio Torres at 2023-04-06T17:36:18+02:00 Extend API documentation This includes:

* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference

Signed-off-by: Antonio Torres <antorres at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 304fd550 by mbhalodi at 2023-04-13T10:51:52+02:00 ipatests: Test for sequence processing failures with server context 1 : Test to verify that groups have correct userclass when external is set to true or false with group-add. 2 : After creating a nonposix group verify that all following group_add calls to add posix groups are not failing with missing attribute. Related: https://pagure.io/freeipa/issue/9349
Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Michal Polovka <mpolovka at redhat.com> Reviewed-By: Anuja More <amore at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Antonio Torres <antorres at redhat.com> - - - - - e2b08433 by Florence Blanc-Renaud at 2023-04-17T15:17:00-04:00 ipatests: mark known failures for autoprivategroup Two tests have known issues in test_trust.py with sssd 2.8.2+: - TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group (when called with the "hybrid" parameter) - TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default (when called with the "true" parameter) Related: https://pagure.io/freeipa/issue/9295 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - d63756eb by Christian Heimes at 2023-04-18T12:12:47+02:00 Speed up installer by restarting DS after DNA plugin DS does not enable plugins unless nsslapd-dynamic-plugins is enabled or DS is restarted. The DNA plugin creates its configuration entries with some delay after the plugin is enabled. DS is now restarted after the DNA plugin is enabled so it can create the entries while Dogtag and the rest of the system is installing. The updater `update_dna_shared_config` no longer blocks and waits for two times 60 seconds for `posix-ids` and `subordinate-ids`. Fixes: https://pagure.io/freeipa/issue/9358
Signed-off-by: Christian Heimes <cheimes at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 3b64eaa1 by Todd Zullinger at 2023-04-18T15:24:43+02:00 spec: verify upstream source signature Per the Fedora packaging guidelines [1]. The GPG key was generated using details found on the wiki [2]. The following commands can be used to fetch the signing key via fingerprint and extract it:

```
fpr=0E63D716D76AC080A4A33513F40800B6298EB963
gpg --keyserver keys.openpgp.org --receive-keys $fpr
gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc
```

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
[2] https://www.freeipa.org/page/Verify_Release_Signature

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 90d0f049 by Todd Zullinger at 2023-04-18T15:24:43+02:00 spec: silence krb5 pkgconf errors in %krb5_base_version Send stderr of pkgconf to /dev/null rather than printing the following error text while parsing the spec file:

```
Package krb5 was not found in the pkg-config search path.
Perhaps you should add the directory containing `krb5.pc'
to the PKG_CONFIG_PATH environment variable
Package 'krb5', required by 'virtual:world', not found
```

`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running a real build. It simply avoids 4 lines of needless error output when running something like `fedpkg prep`. Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 1f10aebc by Michal Polovka at 2023-04-20T12:57:32+02:00 ipatest: loginscreen: do not use hardcoded password Use the admin password obtained from local config instead of a hardcoded value, as the password may differ in different testing environments. https://pagure.io/freeipa/issue/9226
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Erik Belko <ebelko at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e2576670 by Rob Crittenden at 2023-04-27T11:17:47-04:00
Enforce sizelimit in cert-find

The sizelimit option was not being passed into the dogtag ra_find() command so it always returned all available certificates.

A value of 0 will retain old behavior and return all certificates. The default value is the LDAP searchsizelimit.

Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
50dd79d1 by Rob Crittenden at 2023-04-27T11:17:47-04:00
Use the OpenSSL certificate parser in cert-find

cert-find is a rather complex beast because it not only looks for certificates in the optional CA but within the IPA LDAP database as well. It has a process to deduplicate the certificates since any PKI issued certificates will also be associated with an IPA record.

In order to obtain the data to deduplicate the certificates the cert from LDAP must be parsed for issuer and serial number.

ipaldap has automation to determine the datatype of an attribute and will use the python-cryptography engine to decode a certificate automatically if you access entry['usercertificate']. The downside is that this is comparatively slow. Here is the parse time in microseconds:

OpenSSL.crypto        175
pyasn1               1010
python-cryptography  3136

The python-cryptography time is fine if you're parsing one certificate but if the LDAP search returns a lot of certificates, say in the thousands, then those microseconds add up quickly. In testing it took ~17 seconds to parse 5k certificates.

It's hard to overstate just how much better the cryptography Python interface is. In the case of OpenSSL really the only certificate fields easily available are serial number, subject and issuer. And the subject/issuer are in the OpenSSL reverse format which doesn't compare nicely to the cryptography format. The DN module can correct this.

Fortunately for cert-find we only need serial number and issuer, so the OpenSSL module is fine. It takes ~2 seconds.

pyasn1 is also relatively faster but switching to it would require substantially more effort for less payback.

cert-find when there are a lot of certificates has been historically slow. It isn't related to the CA which returns large sets (well, 5k anyway) in a second or two.
It was the LDAP comparison adding tens of seconds to the runtime.

CLI times from before and after:

original:
-------------------------------
Number of entries returned 5011
-------------------------------
real 0m21.155s
user 0m0.835s
sys 0m0.159s

using OpenSSL:
real 0m5.747s
user 0m0.864s
sys 0m0.148s

OpenSSL is forcibly lazy-loaded so it doesn't conflict with python-requests. See ipaserver/wsgi.py for the gory details.

Fixes: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
bdb77a3d by Timo Aaltonen at 2023-04-28T09:51:56+02:00
Drop duplicate includedir from krb5.conf

SSSD already provides a config snippet which includes SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.

Add also a dependency on sssd-krb5 for freeipa-client.

https://pagure.io/freeipa/issue/9267

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
918b6e01 by Florence Blanc-Renaud at 2023-04-29T13:49:09+02:00
cert_find: fix call with --all

When ipa cert-find --all is called, the function prints the certificate public bytes. The code recently switched to OpenSSL.crypto and the objects OpenSSL.crypto.X509 do not have the method public_bytes().

Use to_cryptography() to transform into a cryptography.x509.Certificate before calling public_bytes().

Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3d787c21 by Stanislav Levin at 2023-04-29T13:50:44+02:00
ipasphinx: Correct import of progress_message for Sphinx 6.1.0+

Pylint reports false-negative result for Sphinx 6.1.0+:

```
************* Module ipasphinx.ipabase
ipasphinx/ipabase.py:10: [E0611(no-name-in-module), ] No name 'progress_message' in module 'sphinx.util')
```

Actually `sphinx.util.progress_message` is still available in Sphinx 6.1 but it's deprecated and will be removed in 8.0:
https://www.sphinx-doc.org/en/master/extdev/deprecated.html#deprecated-apis

Related change:
https://github.com/sphinx-doc/sphinx/commit/8c5e7013ea5f6a50e3cc3130b22205a85ba87fab

Fixes: https://pagure.io/freeipa/issue/9361

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8a7c0683 by Rafael Guterres Jeffman at 2023-04-29T13:52:12+02:00
Fix "no entry" condition when searching PAC info

Fix Covscan-discovered DEADCODE block when searching for PAC info, caused by a wrong condition being evaluated when entry is a trusted domain object.

Fixes: https://pagure.io/freeipa/issue/9368
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
76c78827 by Sudhir Menon at 2023-04-29T13:55:57+02:00
ipatests: ipa-adtrust-install command test scenarios

This patch includes additional test cases that can be run against the ipa-adtrust-install CLI tool.

test_adtrust_install_with_incorrect_netbios_name
test_adtrust_install_as_regular_ipa_user
test_adtrust_install_with_incorrect_admin_password
test_adtrust_install_with_invalid_rid_base_value
test_adtrust_install_with_invalid_secondary_rid_base
test_adtrust_reinstall_updates_ipaNTFlatName_attribute
test_adtrust_install_without_ipa_installed
test_samba_credential_cache_is_removed_post_uninstall
test_adtrust_install_without_integrated_dns
test_adtrust_install_with_debug_option
test_adtrust_install_cli_without_smbpasswd_file
test_adtrust_install_enable_compat
test_adtrust_install_invalid_ipaddress_option
test_syntax_error_in_ipachangeconf
test_unattended_adtrust_install_uses_default_netbios_name
test_smb_not_starting_post_adtrust_install

Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1c43d914 by Alexander Bokovoy at 2023-05-04T10:52:40+02:00
Change doc theme to 'book'

RTD theme is not compatible with Sphinx 7.0+
https://github.com/readthedocs/readthedocs.org/issues/10279

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
717228c9 by Florence Blanc-Renaud at 2023-05-04T14:31:59+02:00
Nightly test: add +15min for test_ipahealthcheck

The test test_ipahealthcheck.py::TestIpaHealthcheck frequently hits its 90min timeout. Extend by 15min to allow completion.

Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
846c267f by mbhalodi at 2023-05-04T16:12:25+02:00
ipatests: add remove automember condition tests

Related: https://pagure.io/freeipa/issue/9332

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d95c4cf1 by Florence Blanc-Renaud at 2023-05-04T18:18:26+02:00
spec file: force nodejs < 20 on fedora < 39

On fedora < 39, nodejs 20 is not the default version. As a consequence, the installation of nodejs20 adds the command /usr/bin/node-20 instead of /usr/bin/node. FreeIPA build is using the node command and fails if the command is missing.

Force nodejs < 20 on fedora < 39 to make sure the node command is installed.

Fixes: https://pagure.io/freeipa/issue/9374

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
16a81062 by s1341 at 2023-05-04T21:30:34+02:00
ipaplatform: add initial nixos support

Fixes: https://pagure.io/freeipa/issue/9299

Signed-off-by: Shmarya Rubenstein <github at shmarya.net>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3a9a5bda by Florence Blanc-Renaud at 2023-05-08T13:55:15-04:00
idview: improve performance of idview-show

The command ipa idview-show NAME has a post callback method that replaces the ID override anchor with the corresponding user name. For instance the anchor ipaanchoruuid=:SID:S-1-5-21-3951964782-819614989-3867706637-1114 is replaced with the name of the ad user aduser at ad.test.

The method loops on all the anchors and for each one performs the resolution, which can be a costly operation if the anchor is for a trusted user.

Instead of doing a search for each anchor, it is possible to read the 'ipaOriginalUid' value from the ID override entry.

Fixes: https://pagure.io/freeipa/issue/9372
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
12d1aafe by Florence Blanc-Renaud at 2023-05-11T13:47:46+02:00
Tests: test on f37 and f38

Fedora 38 is now available, move the testing pipelines to
- fedora 38 for the _latest definitions
- fedora 37 for the _previous definitions

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
bc394432 by Michal Polovka at 2023-05-16T17:32:14+02:00
ipatests: commands: Wait for the SSSD to become available

Previous test to test_ssh_key_connection is calling ipa-server-upgrade command, which restarts all the associated services. Especially on slower machine, SSSD is not yet online when the SSH connection is attempted. This results in only cached users being available.

Wait for SSSD to become available before the SSH connection is attempted.

Fixes: https://pagure.io/freeipa/issue/9377

Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
627c1101 by Florence Blanc-Renaud at 2023-05-16T14:37:21-04:00
azure tests: move to fedora 38
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
81a6b9ad by Rob Crittenden at 2023-05-16T16:23:47-04:00
Return the <Message> value of cert-find failures from the CA

If a cert-find fails on the CA side we get a Message tag containing a string describing the failure plus the java stack trace. Pull out the first part of the message as defined by the first colon and include that in the error message returned to the user.

The new message will appear as:

$ ipa cert-find
ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500)

vs the old generic message:

ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500)

This can be reproduced by setting nssizelimit to 100 on the pkidbuser. The internal PKI search returns err=4 but the CA tries to convert all values into certificates and it fails. The value needs to be high enough that the CA can start but low enough that you don't have to create hundreds of certificates to demonstrate the issue.

https://pagure.io/freeipa/issue/9369

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
edcdcf83 by Mohammad Rizwan at 2023-05-22T08:02:30+02:00
ipatests: wait for sssd-kcm to settle after date change

In order to expire the ACME cert, the system date is moved and, while issuing the kinit command, this results in failure. Hence run the kinit command repeatedly until things settle.

This patch removes the sleep and adds the tasks.run_repeatedly() method instead.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
7830ab96 by Florence Blanc-Renaud at 2023-05-23T20:59:03+02:00
user or group name: explain the supported format

The commands ipa user-add or ipa group-add validate the format of the user/group name and display the following message when it does not conform to the expectations:

invalid 'login': may only include letters, numbers, _, -, . and $

The format is more complex, for instance '1234567' is an invalid user name but the failure is inconsistent with the error message.

Modify the error message to point to ipa help user/group and add more details in the help message. Same change for idoverrideuser and idoverridegroup:

The user/group name must follow these rules:
- cannot contain only numbers
- must start with a letter, a number, _ or .
- may contain letters, numbers, _, ., or -
- may end with a letter, a number, _, ., - or $

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
58173c02 by Jerry James at 2023-05-24T14:08:45-04:00
Change fontawesome-fonts requires to match fontawesome 4.x

fontawesome 6.x is not entirely compatible with the 4.x version, but in Fedora the change was made to forward-port the 4.x bits FreeIPA depends on to the 6.x build. This also allows having a common dependency for all versions.

This patch switches to the common dependency using 'fonts(fontawesome)'. This works on all Fedora and RHEL versions.

Signed-off-by: Jerry James <loganjerry at gmail.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
abe71fe1 by Rob Crittenden at 2023-05-24T17:57:22-04:00
Mention in ipa-client-install that nscd is disabled

Also warn that similar services may also need to be disabled. An example is an nscd replacement named unscd.

Fixes: https://pagure.io/freeipa/issue/9086

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
a6f485fc by Florence Blanc-Renaud at 2023-05-25T08:32:59+02:00
ACME tests: fix issue_and_expire_acme_cert method

The fixture issue_and_expire_acme_cert is changing the date on master and client. It also resets the admin password as it gets expired after the date change.

Currently the code is resetting the password by performing kinit on the client, which leaves the master with an expired ticket in its cache. Reset the password on the master instead in order to have a valid ticket for the next operations.

Fixes: https://pagure.io/freeipa/issue/9383
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
630cda5c by Julien Rische at 2023-06-01T08:01:00+02:00
kdb: Use krb5_pac_full_sign_compat() when available

In November 2022, Microsoft introduced a new PAC signature type called "extended KDC signature" (or "full PAC checksum"). This new PAC signature will be required by default by Active Directory in July 2023 for S4U requests, and opt-out will no longer be possible after October 2023.

Support for this new signature type was added to MIT krb5, but it relies on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions, the code generating extended KDC signatures cannot be backported as it is without backporting the full new KDB API code too. This would have too much impact to be done.

As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL 8 will include a downstream-only update adding the krb5_pac_full_sign_compat() function, which can be used in combination with the pre-1.20 KDB API to generate PAC extended KDC signatures.

Fixes: https://pagure.io/freeipa/issue/9373
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
bbe545ff by Julien Rische at 2023-06-01T08:01:00+02:00
Tolerate absence of PAC ticket signature depending on server capabilities

Since November 2020, Active Directory KDC generates a new type of signature as part of the PAC. It is called "ticket signature", and is generated based on the encrypted part of the ticket. The presence of this signature is not mandatory in order for the PAC to be accepted for S4U requests.

However, the behavior is different for MIT krb5. Support was added as part of the 1.20 release, and this signature is required in order to process S4U requests.

Contrary to the PAC extended KDC signature, the code generating this signature cannot be isolated and backported to older krb5 versions because this version of the KDB API does not allow passing the content of the ticket's encrypted part to IPA.

This is an issue in gradual upgrade scenarios where some IPA servers rely on 1.19 and older versions of MIT krb5, while others use version 1.20 or newer. A service ticket that was provided by 1.19- IPA KDC will be rejected when used by a service against a 1.20+ IPA KDC for S4U requests.

On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or newer, it will include a downstream-only update adding the "optional_pac_tkt_chksum" KDB string attribute allowing to tolerate the absence of PAC ticket signatures, if necessary.

This commit adds an extra step during the installation and update processes where it adds a "pacTktSignSupported" ipaConfigString attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if the MIT krb5 version IPA was built with was 1.20 or newer.

This commit also sets "optional_pac_tkt_chksum" as a virtual KDB entry attribute.
This means the value of the attribute is not actually stored in the database (to avoid race conditions), but its value is determined at KDC starting time by searching for the "pacTktSignSupported" ipaConfigString in the server list. If this value is missing for at least one of them, enforcement of the PAC ticket signature is disabled by setting "optional_pac_tkt_chksum" to true for the local realm TGS KDB entry.

For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual string attribute is set to true systematically, because, at least for now, trusted AD domains can still have PAC ticket signature support disabled.

Given the fact the "pacTktSignSupported" ipaConfigString for a single server is added when this server is updated, and that the value of "optional_pac_tkt_chksum" is determined at KDC starting time based on the ipaConfigString attributes of all the KDCs in the domain, this requires restarting all the KDCs in the domain after all IPA servers were updated in order for PAC ticket signature enforcement to actually take effect.

Fixes: https://pagure.io/freeipa/issue/9371

Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
7ea3b866 by Julien Rische at 2023-06-01T08:01:00+02:00
Filter out constrained delegation ACL from KDB entry

Commit f78dc0b163 was missing an exception for the constrained delegation ACL TL data type during the principal entry update operation. This ACL is not meant to be stored as encoded data in krbExtraData.
Signed-off-by: Julien Rische <jrische at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
3d0decd9 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT

From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089
--------
The KDC uses the first local TGT key for the privsvr and full PAC checksums. If this key is of an aes-sha2 enctype in a cross-realm TGT, a Microsoft KDC in the target realm may reject the ticket because it has an unexpectedly large privsvr checksum buffer. This behavior is unnecessarily picky as the target realm KDC cannot and does not need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the checksum key to three specific enctypes.
--------

Use MIT Kerberos 1.21+ facility to hint about proper enctype for cross-realm TGT.

Fixes: https://pagure.io/freeipa/issue/9124

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
803a4477 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: protect against context corruption

Early in startup the LDAP server might not respond well yet and should_support_pac_tkt_sign() will bail out with KRB5_KDB_SERVER_INTERNAL_ERR. We should postpone this call but for the time being we should prevent a crash.

Crash happens because init_module() returns with an error and KDC then calls fini_module() which will free the DB context which is already corrupted for some reason. Do not call free() at all because the whole context is corrupted, as tests show.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
fefa0248 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: postpone ticket checksum configuration

Postpone ticket checksum configuration after KDB module was initialized. This, in practice, should now happen when a master key is retrieved.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
bd8fcd6f by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: process out of realm server lookup during S4U

Kerberos principal aliases lookup had a long-standing TODO item to support server referrals for host-based aliases. This commit implements server referrals for hosts belonging to trusted domains.

The use-case is a part of S4U processing in a two-way trust when an IPA service requests a ticket to a host in a trusted domain (e.g. service on AD DC). In such situation, the server principal in TGS request will be a normal principal in our domain and KDC needs to respond with a server referral.

This referral can be issued by a KDB driver or by the KDC itself, using 'domain_realms' section of krb5.conf. Since KDB knows all suffixes associated with the trusted domains, implement the logic there.

Fixes: https://pagure.io/freeipa/issue/9164

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
1b55e9b1 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipa-kdb: skip verification of PAC full checksum

MIT Kerberos KDC code will do verification of the PAC full checksum buffers, so we don't need to process them. This change only applies to newer MIT Kerberos versions which have this buffer type defined, hence using #ifdef to protect the use of the define.

This should have no functional difference.

Related: https://pagure.io/freeipa/issue/9371

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
11ce2b21 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00
ipalib/x509.py: Add signature_algorithm_parameters

Python-cryptography 41.0.0 new abstract method.

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Julien Rische <jrische at redhat.com>

- - - - -
325a1319 by Rob Crittenden at 2023-06-02T10:00:57+02:00
Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3

Only three remaining scripts used this form, two of which are for developers only and not shipped.

The shebang in ipa-ccache-sweeper will be converted to "#!$(PYTHON) -I" in the build process.

Fixes: https://pagure.io/freeipa/issue/8941

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>

- - - - -
f2b821ab by Alexander Bokovoy at 2023-06-02T16:01:41-04:00
ipa-kdb: be compatible with krb5 1.19 when checking for server referral

Related: https://pagure.io/freeipa/issue/9164

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
58017abe by Rob Crittenden at 2023-06-02T18:30:08-04:00
Don't allow a group to be converted to POSIX and external

This condition was checked in group-add but not in group-mod.

This evaluation is done later in the pre_callback so that all the other machinations about posix are already done to make it easier to tell whether this condition is true or not.

Fixes: https://pagure.io/freeipa/issue/8990

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
283f5463 by Florence Blanc-Renaud at 2023-06-05T14:00:17+02:00
ipatest: remove xfail from test_smb

test_smb is now successful because the windows server version has been updated to windows-server-2022 with
- KB5012170
- KB5025230
- KB5022507
- servicing stack 10.0.20348.1663
in freeipa-pr-ci commit 3ba4151.

Remove the xfail.

Fixes: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
e3797ca2 by Antonio Torres at 2023-06-06T09:40:38+02:00
Update translations to FreeIPA ipa-4-10 state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
03b92fb4 by Antonio Torres at 2023-06-06T09:43:34+02:00
Update list of contributors
Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
2fd9cbbe by Antonio Torres at 2023-06-06T10:01:01+02:00
Become IPA 4.10.2

- - - - -
1099db0f by Timo Aaltonen at 2023-06-07T14:46:19+03:00
Merge branch 'upstream'

- - - - -
f52e2b0a by Timo Aaltonen at 2023-06-07T14:46:39+03:00
version bump

- - - - -
78ec5308 by Timo Aaltonen at 2023-06-07T14:49:16+03:00
drop upstreamed patches

- - - - -

30 changed files:

- .wheelconstraints.in
- ACI.txt
- API.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/man/ipa-client-install.1
- configure.ac
- contrib/lite-server.py
- contrib/lite-setup.py
- daemons/dnssec/ipa-dnskeysyncd.in
- daemons/ipa-kdb/ipa_kdb.c
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_common.c
- daemons/ipa-kdb/ipa_kdb_delegation.c
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_mspac_v6.c
- daemons/ipa-kdb/ipa_kdb_principals.c
- daemons/ipa-otpd/ipa-otpd at .service.in
- debian/changelog
- debian/copyright
- − debian/patches/install-fix-missing-dyndb-keytab-directive.diff
- debian/patches/series
- debian/tests/server-install
- debian/watch
- doc/api/A6Record.md
- doc/api/AAAARecord.md
- doc/api/AFSDBRecord.md
- doc/api/APLRecord.md
- doc/api/ARecord.md

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/2da091cd0e848d5d533ff85334ed1976014b28c1...78ec530871875bf4a94c49df01a4a1e145fc006f

From gitlab at salsa.debian.org Wed Jun 7 12:51:14 2023
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton))
Date: Wed, 07 Jun 2023 11:51:14 +0000
Subject: [Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 163 commits: Back to git snapshots
Message-ID: <64806f327c817_136f88472e824528c@godard.mail>

Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa

Commits:

657a7b25 by Antonio Torres at 2022-11-24T17:13:36+01:00
Back to git snapshots

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
42957f9e by Florence Blanc-Renaud at 2022-11-25T13:49:37+01:00
API reference: update vault doc

Update doc/api/vault_archive_internal.md and doc/api/vault_retrieve_internal.md after the change from commit 93548f2 (default wrapping algo is now des-ede3-cbc instead of aes-128-cbc).

Related: https://pagure.io/freeipa/issue/9259

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
660da9ab by Florence Blanc-Renaud at 2022-11-25T13:49:37+01:00
API reference: update dnszone_add generated doc

Update doc/api/dnszone_add.md after commit c74c701 (Set 'idnssoaserial' to deprecated)

Related: https://pagure.io/freeipa/issue/9249

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
42be04fe by Alexander Bokovoy at 2022-11-28T18:53:51+01:00
updates: fix memberManager ACI to allow managers from a specified group

The original implementation of the member manager added support for both user and group managers but left out upgrade scenario. This means when upgrading existing installation a manager whose rights defined by the group membership would not be able to add group members until the ACI is fixed.

Remove old ACI and add a full one during upgrade step.

Fixes: https://pagure.io/freeipa/issue/9286
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
aeb9cc9b by Florence Blanc-Renaud at 2022-12-02T10:18:16+01:00
PRCI: update memory reqs for each topology

The memory requirements are defined in the vagrant templates in https://github.com/freeipa/freeipa-pr-ci/tree/master/templates/vagrantfiles
They have been updated and the corresponding values must be kept consistent in the topologies for PRCI.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>

- - - - -
c411c2e7 by Florence Blanc-Renaud at 2022-12-02T10:32:34+01:00
webui tests: fix assertion in test_subid.py

The test wants to check the error related to an exception obtained inside a "with pytest.raises" instruction. The object is an ExceptionInfo and offers a match method to check the content of the string representation.

Use this match() method instead of str(excinfo) which now returns '<ExceptionInfo NoSuchElementException() tblen=10>'

Fixes: https://pagure.io/freeipa/issue/9282

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
8e7d1ac4 by Christian Heimes at 2022-12-02T13:28:04+01:00
ipa-certupdate: Update client certs before KDC/HTTPd restart

Apache HTTPd uses `/etc/ipa/ca.crt` to validate client certs. `ipa-certupdate` now updates the file before it restarts HTTPd.

Fixes: https://pagure.io/freeipa/issue/9285

Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a10627bd by Antonio Torres at 2022-12-02T14:24:05+01:00
API doc: add basic user management guide

Add basic user management guide that includes various examples on performing common tasks related to the user module, such as adding an user, modifying it, adding certificates for it, etc.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2d0a0cc4 by Florence Blanc-Renaud at 2022-12-02T15:27:22+01:00
Spec file: ipa-client depends on krb5-pkinit-openssl

Now that ipa-client-installs supports pkinit, the package depends on krb5-pkinit-openssl. Update the spec file, move the dependency from ipa-server to ipa-client subpackage.

Fixes: https://pagure.io/freeipa/issue/9290

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9599e975 by Florence Blanc-Renaud at 2022-12-14T15:44:46+01:00
ipatests: xfail on all fedora for test_ipa_login_with_sso_user

With the new fedora36 vagrant image, the test is also failing. Mark xfail for all fedora versions.

Related: https://pagure.io/freeipa/issue/9264

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Scott Poore <spoore at redhat.com>

- - - - -
65a14a36 by Sudhir Menon at 2022-12-19T11:53:10+01:00
Fixes: ipa-otpd at .service: deprecated syslog setting

This patch updates the deprecated syslog setting i.e StandardError=syslog with StandardError=journal

Pagure: https://pagure.io/freeipa/issue/9279
Ref: https://github.com/systemd/systemd/pull/15812
Signed-off-by: Sudhir Menon <sumenon at redhat.com>
Reviewed-By: Peter Keresztes Schmidt <carbenium at outlook.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
68f6574c by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
ipatests: update the fake fips mode expected message

The test ipatests/test_integration/test_fips.py is faking FIPS mode and calls "openssl md5" to ensure the algo is not available in the fake FIPS mode. The error message has been updated with openssl-3.0.5-5.

In the past the command used to return:

    $ openssl md5 /dev/null
    Error setting digest
    140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147:

And now it returns:

    $ openssl md5 /dev/null
    Error setting digest
    00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties ()
    00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252:

To be compatible with all versions, only check the common part:

    Error setting digest

Mark the test as xfail since installation is currently not working.

Related: https://pagure.io/freeipa/issue/9002

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c853cfde by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
cert utilities: MAC verification is incompatible with FIPS mode

The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS algorithm and cannot be supported by the FIPS provider.

Do not require mac verification in FIPS mode: append the option --nomacver to the command openssl pkcs12 used to extract a pem file or a key from a p12 file.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
dfba6ebf by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
FIPS setup: fix typo filtering camellia encryption

The config file /var/kerberos/krb5kdc/kdc.conf is customized during IPA server installation with a list of supported encryption types. In FIPS mode, camellia encryption is not supported and should be filtered out. Because of a typo in the filtering method, the camellia encryptions are appended while they should not.

Fix the typo (camelia vs camellia) in order to filter properly.

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2904b15a by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00
Spec file: bump krb5_kdb_version on rawhide

fedora 38 now uses krb5 1.20.1 which provides krb5_kdb_version 9.0 instead of 8.0

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
30497892 by Florence Blanc-Renaud at 2022-12-20T17:06:20+01:00
ipatests: update the xfail annotation for test_number_of_zones

The test is failing on fedora 36+, update and simplify the xfail condition.

Related: https://pagure.io/freeipa/issue/9135

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
782873a2 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
azure tests: move to fedora 37

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
fd212045 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove unneeded disable=unused-private-member

pylint fixed issue https://github.com/PyCQA/pylint/issues/4756 and we no longer need to disable this check.

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
51e0f751 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove useless suppression

The newer version of pylint has fixed false positives and no longer needs these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
240b46db by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable redefined-slots-in-subclass

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
081dd263 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable used-before-assignment

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
328fb642 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: replace deprecated distutils module

PEP 632 deprecates the distutils module. Replace
- distutils.spawn.find_executable with shutil.which
- distutils.log with logging

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
ac69ad4b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable modified-iterating-list

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
22f182ee by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove arguments-renamed warnings

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
5434c12b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable using-constant-test

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
3336236f by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable unnecessary-dunder-call message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
2b97c8ca by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: globally disable unnecessary-lambda-assignment message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
84c4792b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable missing-timeout message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
71496be7 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix implicit-str-concat

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b9ea3fcb by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix duplicate-value

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
433599fd by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix deprecated-class SafeConfigParser

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
a95e11db by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable invalid-sequence-index

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
07111438 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable unhashable-member

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
4e998848 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: globally disable useless-object-inheritance

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
3d211b4f by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix consider-iterating-dictionary

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
015e25a5 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
62e2d111 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
85037db2 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable deprecated-module message

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
d673fdab by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Lint in single process mode

There are several known problems with multiprocess mode. For example, https://github.com/PyCQA/pylint/issues/3232. In other words, the lint result depends on the number of jobs. The most correct report is expected for single process.

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
f9822697 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: More allowed C extensions

Fixes:
```
[E0611(no-name-in-module), ] No name 'parse' in module 'lxml.etree'
[E0611(no-name-in-module), ] No name 'murmurhash3' in module 'pysss_murmur'
```

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
68ab438f by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated extension-pkg-whitelist

`extension-pkg-whitelist` is deprecated in favour of `extension-pkg-allow-list` since Pylint 2.7.3:
https://pylint.pycqa.org/en/latest/whatsnew/2/2.7/full.html#what-s-new-in-pylint-2-7-3

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
c48c76e9 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix cyclic-import

Most of the `cyclic-import` issues reported by Pylint are false positives and are already handled in the code, but several of them are actual errors.

Fixes: https://pagure.io/freeipa/issue/9232
Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
1261bbf0 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated pipes

The `pipes` module is deprecated as of Python 3.11.
https://docs.python.org/3/library/pipes.html#module-pipes:

> Deprecated since version 3.11, will be removed in version 3.13: The pipes module is deprecated (see PEP 594 for details).

IPA code used only the `quote` function from `pipes`, which in turn has been an alias for `shlex.quote` since Python 3.3:
https://github.com/python/cpython/commit/9bce311ea4f58ec04cab356a748e173ecfea381c

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b1237656 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix used-before-assignment

> Emitted when a local variable is accessed before its assignment took place. Assignments in try blocks are assumed not to have occurred when evaluating associated except/finally blocks. Assignments in except blocks are assumed not to have occurred when evaluating statements outside the block, except when the associated try block contains a return statement.

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
acc2daf2 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix modified-iterating-list

https://pylint.pycqa.org/en/latest/user_guide/messages/warning/modified-iterating-list.html:

> Emitted when items are added or removed to a list being iterated through. Doing so can result in unexpected behaviour, that is why it is preferred to use a copy of the list.

https://docs.python.org/3/tutorial/controlflow.html#for-statements:

> Code that modifies a collection while iterating over that same collection can be tricky to get right. Instead, it is usually more straight-forward to loop over a copy of the collection or to create a new collection

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
dc8c8a78 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix unnecessary-lambda-assignment

https://pylint.pycqa.org/en/latest/user_guide/messages/convention/unnecessary-lambda-assignment.html:

> Used when a lambda expression is assigned to variable rather than defining a standard function with the "def" keyword.

https://peps.python.org/pep-0008/#programming-recommendations:

> Always use a def statement instead of an assignment statement that binds a lambda expression directly to an identifier:
>
>     def f(x): return 2*x
>
>     f = lambda x: 2*x
>
> The first form means that the name of the resulting function object is specifically 'f' instead of the generic '<lambda>'. This is more useful for tracebacks and string representations in general. The use of the assignment statement eliminates the sole benefit a lambda expression can offer over an explicit def statement (i.e. that it can be embedded inside a larger expression)

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
bd7b5bf7 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix unhashable-member

https://pylint.pycqa.org/en/latest/user_guide/messages/error/unhashable-member.html:

> Emitted when a dict key or set member is not hashable (i.e. doesn't define __hash__ method).

https://docs.python.org/3/library/stdtypes.html#dict.update:

> Update the dictionary with the key/value pairs from other, overwriting existing keys. Return None. update() accepts either another dictionary object or an iterable of key/value pairs (as tuples or other iterables of length two). If keyword arguments are specified, the dictionary is then updated with those key/value pairs: d.update(red=1, blue=2).

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
bccd3c94 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix useless-object-inheritance

https://pylint.pycqa.org/en/latest/user_guide/messages/refactor/useless-object-inheritance.html:

> Used when a class inherit from object, which under python3 is implicit, hence can be safely removed from bases.

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
2009889d by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated cgi module

https://docs.python.org/3/library/cgi.html#module-cgi:

> Deprecated since version 3.11, will be removed in version 3.13: The cgi module is deprecated (see PEP 594 for details and alternatives).

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
b5f2b0b1 by Florence Blanc-Renaud at 2023-01-11T12:55:04+01:00
ipatests: mark test_smb as xfail

Mark the test test_smb.py::TestSMB::test_smb_service_s4u2self as xfail.

Related: https://pagure.io/freeipa/issue/9124

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
894dca12 by Florence Blanc-Renaud at 2023-01-16T08:40:16+01:00
server install: remove error log about missing bkup file

The client installer code can be called in 3 different ways:
- from ipa-client-install CLI
- from ipa-replica-install CLI if the client is not already installed
- from ipa-server-install

In the last case, the client installer is called with options.on_master=True
As a result, it's skipping the part that is creating the krb5 configuration:

    if not options.on_master:
        nolog = tuple()
        configure_krb5_conf(...)

The configure_krb5_conf method is the place where the krb5.conf file is backed up with the extension ".ipabkp". For a master installation, this code is not called and the ipabkp file does not exist => delete raises an error.

When delete fails because the file does not exist, no need to log an error message.

Fixes: https://pagure.io/freeipa/issue/9306

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0fa95852 by Florence Blanc-Renaud at 2023-01-17T14:53:35+01:00
Tests: force key type in ACME tests

PKI can issue ACME certs only when the key type is rsa. With version 2.0.0, certbot defaults to ecdsa key type, and this causes test failures.

For now, force rsa when requesting an ACME certificate. This change can be reverted when PKI fixes the issue on their side (https://github.com/dogtagpki/pki/issues/4273)

Related: https://pagure.io/freeipa/issue/9298
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7d1a3585 by Florence Blanc-Renaud at 2023-01-17T22:42:25+01:00
Installer: create RID base before domain object

The installer is currently creating the samba domain object before it adds the RID base and secondary RID base. As a consequence, there is a window during which the sidgen plugin is active but unable to generate SIDs (it requires the samba domain object to find the domain SID and RID base to know where to start from).

There is no direct impact except the error log of 389ds that reports

    ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.

This fix configures the RID base and secondary RID base before the domain object is created, thus removing this window.

Fixes: https://pagure.io/freeipa/issue/9309

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
2520a7ad by Filip Dvorak at 2023-01-20T10:02:02+01:00
ipa tests: Add LANG before kinit command to fix issue with locale settings

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
364116c2 by Antonio Torres at 2023-01-24T14:54:37+01:00
API doc: validate generated reference

Extend 'makeapi --validate' to validate API Reference files too. If differences are found between the generated and stored docs the validation fails.

This command is executed in our Azure pipelines, so every time a developer opens a PR but forgets to update the API Reference, the CI will fail.

Fixes: https://pagure.io/freeipa/issue/9287
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0e06786a by Florence Blanc-Renaud at 2023-01-24T19:07:52+01:00
Spec file: unify with RHEL9 spec

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
2a69d056 by Florence Blanc-Renaud at 2023-01-24T19:07:52+01:00
Spec file: use %autosetup instead of %setup

This change fixes rpminspect issues reported when building for RHEL, like the following one:

    Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch) is missing a corresponding %patch1001 macro, usually in %prep.

    Waiver Authorization: Anyone

    Suggested Remedy: The named patch is defined in the source RPM header (this means it has a PatchN: definition in the spec file) but is not applied anywhere in the spec file. It is missing a corresponding %patch macro and the spec file lacks the %autosetup or %autopatch macros. You can fix this by adding the appropriate %patch macro in the spec file (usually in the %prep section). The number specified with the %patch macro corresponds to the number used to define the patch at the top of the spec file. So Patch47 is applied with a %patch47 macro.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
97fc368d by Florence Blanc-Renaud at 2023-01-25T13:45:53-05:00
trust-add: handle missing msSFU30MaxGidNumber

When ipa trust-add is executed with --range-type ad-trust-posix, the server tries to find the max uidnumber and max gidnumber from AD domain controller. The values are extracted from the entry CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix> in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.

msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber. In case msSFU30MaxGidNumber is missing, the code is currently assigning a "None" value and later on evaluates the max between this value and msSFU30MaxUidNumber. The max function cannot compare None and a list of strings and triggers an exception.

To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber is missing. This way, the comparison succeeds and max returns the value from msSFU30MaxUidNumber.

Fixes: https://pagure.io/freeipa/issue/9310

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
51b1c22d by Rob Crittenden at 2023-01-27T13:00:22+01:00
doc: Design for certificate pruning

This describes how the certificate pruning capability of PKI introduced in v11.3.0 will be integrated into IPA, primarily for ACME.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1be3188e by Stanislav Levin at 2023-01-31T11:21:34+01:00
ipatests: healthcheck: Handle missing fips-mode-setup

freeipa-healthcheck prechecks existence of `fips-mode-setup` and reports if it's missing:

> "fips": "missing /bin/fips-mode-setup"

Fixes: https://pagure.io/freeipa/issue/9315
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
fb22c8e5 by Stanislav Levin at 2023-02-01T10:54:12+01:00
spec: Drop no longer used build dependency on paste

With ff6e701b0077d9c8e2aacdcaecf70f885018db92 it was replaced with `werkzeug`.

https://pypi.org/project/Paste/

> Paste is in maintenance mode and recently moved from bitbucket to github. Patches are accepted to keep it on life support, but for the most part, please consider using other options.

Fixes: https://pagure.io/freeipa/issue/9314

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
ff31b0c4 by Rob Crittenden at 2023-02-01T17:47:26+01:00
tests: Add ipa_ca_name checking to DNS system records

freeipa-healthcheck 0.12 includes a SUCCESS message if the ipa-ca records are as expected so a user will know they were checked.

For that version and beyond test that it is included.

Related: https://pagure.io/freeipa/issue/9291

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
6ca11968 by Rob Crittenden at 2023-02-01T17:47:26+01:00
tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck

freeipa-healthcheck changed some messages related to ipa-ca DNS record validation in IPADNSSystemRecordsCheck. Include support for it and retain backwards compatibility.

Fixes: https://pagure.io/freeipa/issue/9291
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
d662b125 by Stanislav Levin at 2023-02-02T07:31:15+01:00
tests: Configure DNSResolver as platform agnostic resolver

Avoid reading platform specific `/etc/resolv.conf` in `TestDNSResolver` unit tests. Systems (e.g. sandboxes) may not have `/etc/resolv.conf` or this file may not contain any configured name servers.

`TestDNSResolver` unit tests check only customized `nameservers` property and should not depend on existence of `/etc/resolv.conf`.

Resolver accepts `configure` option.
https://dnspython.readthedocs.io/en/latest/resolver-class.html :

> configure, a bool. If True (the default), the resolver instance is configured in the normal fashion for the operating system the resolver is running on. (I.e. by reading a /etc/resolv.conf file on POSIX systems and from the registry on Windows systems.)

Fixes: https://pagure.io/freeipa/issue/9319
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9246a8a0 by Rob Crittenden at 2023-02-02T13:42:57+01:00
ipa-acme-manage: add certificate/request pruning management

Configures PKI to remove expired certificates and non-resolved requests on a schedule.

This is geared towards ACME which can generate a lot of certificates over a short period of time but is general purpose. It lives in ipa-acme-manage because that is the primary reason for including it.

Random Serial Numbers v3 must be enabled for this to work.

Enabling pruning enables the job scheduler within CS and sets the job user as the IPA RA user which has full rights to certificates and requests.

Disabling pruning does not disable the job scheduler because the tool is stateless. Having the scheduler enabled should not be a problem.

A restart of PKI is required to apply any changes.

This tool forks out to pki-server which does direct writes to CS.cfg. It might be easier to use our own tooling for this but this makes the integration tighter so we pick up any improvements in PKI.

The "cron" setting is quite limited, taking only integer values and *. It does not accept ranges, either - or /. No error checking is done in PKI when setting a value, only when attempting to use it, so some rudimentary validation is done.

Fixes: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
f10d1a0f by Rob Crittenden at 2023-02-02T13:42:57+01:00
doc: add the --run command for manual job execution

A manual method was mentioned with no specificity. Include the --run command.

Also update the troubleshooting section to show what failure to restart the CA after configuration looks like.

Import the IPA CA chain for manual execution.

Also fix up some $ -> # to indicate root is needed.

Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2857bc69 by Florence Blanc-Renaud at 2023-02-02T15:21:25+01:00
automember-rebuild: add a notice about high CPU usage

The automember-rebuild task may require high CPU usage if many users/hosts/groups are processed. Add a note in the ipa automember-rebuild CLI output and in the WebUI confirmation message.

Fixes: https://pagure.io/freeipa/issue/9320

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
1a965a3a by David Pascual at 2023-02-04T17:14:08+01:00
ipatests: fix (prci_checker) duplicated check & error return code

Fix 1: timeout field was being checked twice and did not return fail code on error
Fix 2: Tool did not return error code on single file check unsuccessful run

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
d24b6998 by Rob Crittenden at 2023-02-05T10:31:19+01:00
tests: add wrapper around ACME RSNv3 test

This test is located outside of the TestACMEPrune because it enables RSNv3 while the server installed by TestACME doesn't.

It still needs a wrapper to enforce a version of PKI that supports pruning because that is checked first in the tool. Re-ordering that wouldn't be a good user experience.

https://pagure.io/freeipa/issue/9322

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a20acb6f by Antonio Torres at 2023-02-08T11:44:01+01:00
API doc: add note about ipa show-mappings to usage guide

As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list command arguments and options directly through the CLI.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a786d3d5 by Chris Kelley at 2023-02-09T14:52:33-05:00
Check that CADogtagCertsConfigCheck can handle cert renewal

Renewal causes two certs to have the same nickname. Dogtag is patched to allow for N certs with the same nickname, and this test is to verify that CADogtagCertsConfigCheck still passes.

Related: https://github.com/dogtagpki/pki/pull/4285

Signed-off-by: Chris Kelley <ckelley at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
649c35aa by Antonio Torres at 2023-02-09T16:12:56-05:00
API doc: add usage guides for groups, HBAC and sudo rules

Include guides with examples for groups, HBAC and sudo rules management. These cover most of the available commands related to these topics.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
20ff7c16 by Rob Crittenden at 2023-02-09T21:46:16-05:00
Fix setting values of 0 in ACME pruning

Replace comparisons of "if value" with "if value is not None" in order to handle 0.

Add a short reference to the man page to indicate that a cert or request retention time of 0 means remove at the next execution.

Also indicate that the search time limit is in seconds.

Fixes: https://pagure.io/freeipa/issue/9325
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
4e0ad96f by Rob Crittenden at 2023-02-09T21:48:55-05:00
Wipe the ipa-ca DNS record when updating system records

If a server with a CA has been marked as hidden and contains the last A or AAAA address then that address would remain in the ipa-ca entry.

This is because update-dns-system-records did not delete values, it just re-computed them. So if no A or AAAA records were found then the existing value was left.

Fixes: https://pagure.io/freeipa/issue/9195

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
0206369e by Alexander Bokovoy at 2023-02-09T21:51:43-05:00
ipa-kdb: PAC consistency checker needs to handle child domains as well

When PAC check is performed, we might get a signing TGT instead of the client DB entry. This means it is a principal from a trusted domain but we don't know which one exactly because we only have a krbtgt for the forest root. This happens in MIT Kerberos 1.20 or later where KDB's issue_pac() callback never gets the original client principal directly.

Look into known child domains as well and make the check pass if both NetBIOS name and SID correspond to one of the trusted domains under this forest root.

Move the check for the SID before the NetBIOS name check because we can use the SID of the domain in PAC to find out the right child domain in our trusted domains' topology list.

Fixes: https://pagure.io/freeipa/issue/9316

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a6cb905d by Anuja More at 2023-02-09T21:51:43-05:00
Add test for SSH with GSSAPI auth.

Added test for aduser with GSSAPI authentication.

Related: https://pagure.io/freeipa/issue/9316
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
0f77b359 by Mohammad Rizwan at 2023-02-13T17:33:14-05:00
ipatests: tests for certificate pruning

1. Test to prune the expired certificate by manual run
2. Test to prune expired certificate by cron job
3. Test to prune expired certificate with retention unit option
4. Test to prune expired certificate with search size limit option
5. Test to check config-show command shows set param
6. Test prune command shows proper status after disabling the pruning

related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
450e78f5 by Stanislav Levin at 2023-02-17T18:13:44+01:00
tests: webui: Allow file access from files in tests

https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files

> By default, file:// URIs cannot read other file:// URIs. This is an override for developers who need the old behavior for testing.

Fixes webui tests on CI:

```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
425cad6f by Stanislav Levin at 2023-02-17T18:13:44+01:00
tests: webui: Load qunit only once

webui unit tests fail with grunt-contrib-qunit:

```
Testing test/all_tests.html
>> Error: Error: QUnit has already been defined.
>>     at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2
>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>>     at <anonymous>:175:24
>>     at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>>     at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>>     at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>>     at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>>     at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>>     at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>>     at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```

Load `qunit` with `dojo.require` that among other useful things helps

> Preventing loading Dojo packages twice. dojo.require will simply return if the package is already loaded.

See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd

Related: https://pagure.io/freeipa/issue/9329

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
8fe8b262 by Stanislav Levin at 2023-02-17T18:13:44+01:00
AP: webui: List installed nodejs packages

It's helpful for debugging regressions.

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
9b8e8edc by Stanislav Levin at 2023-02-17T18:13:44+01:00
tests: webui: Update vendored qunit

Updated qunit to the latest supported version from https://code.jquery.com/qunit. See https://qunitjs.com/intro/#release-channels for details.

Related: https://pagure.io/freeipa/issue/9329

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
41c32174 by David Pascual at 2023-02-20T08:12:20+01:00
doc: Use case examples for PR-CI checker tool

This document showcases common use cases for the user to interact with the PR-CI checker tool.

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
88b9be29 by mbhalodi at 2023-02-20T08:17:08+01:00
ipatests: ensure that ipa automember-rebuild prints a warning

ipa automember-rebuild now prints a warning about CPU usage. Ensure that the warning is properly displayed.

Related: https://pagure.io/freeipa/issue/9320

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
2a2132cc by Anuja More at 2023-02-20T16:42:29+01:00
PRCI: update test_trust.py for nightly pipelines.

test_integration/test_trust.py is divided into two parts.
1: class TestTrust
2: class TestNonPosixAutoPrivateGroup, class TestPosixAutoPrivateGroup

Fixes: https://pagure.io/freeipa/issue/9326

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
fe13baa0 by Rob Crittenden at 2023-02-21T08:18:07+01:00
doc: Update pruning design with implemented enable/disable options

Instead of passing TRUE/FALSE to a single --enable option use two flags instead, which IMHO is clearer.

So --enable=TRUE to --enable and --enable=FALSE to --disable

Fixes: https://pagure.io/freeipa/issue/9323
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e7c642ba by Mohammad Rizwan at 2023-02-22T09:11:24+01:00
ipatests: fix tests in TestACMEPrune

When cron_minute + 5 > 59, the cron job throws an error for it, i.e. 58 + 5 = 63 which is not an acceptable value for a cron minute.

The second fix is related to a mismatch of a config setting and the corresponding assert.

The third fix is related to extending time by 60 minutes to properly expire the certs.

related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
cd07413c by mbhalodi at 2023-02-22T15:43:23+01:00
ipatests: WebUI - ensure that ipa automember-rebuild prints a warning

ipa automember-rebuild now prints a warning about CPU usage in the WebUI. Ensure that the warning is properly displayed.

Related: https://pagure.io/freeipa/issue/9320

Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
0a8a3922 by Florence Blanc-Renaud at 2023-02-23T07:43:05+01:00
ipatests: increase timeout for test_acme

The test test_integration/test_acme.py times out frequently and has a current timeout set to 2h, which is roughly the average time for a successful run. Increase by 15 minutes, so that even the tests requiring package updates have enough time (for instance the rawhide run needs to update all the packages to the latest version).

Also create a separate job for the new test TestACMEPrune.

Fixes: https://pagure.io/freeipa/issue/9324
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
88039385 by Christian Heimes at 2023-03-01T04:58:45+01:00
Don't block when kinit_pkinit() fails

Installation of ipa-client with PKINIT authentication can block when there is a problem with PKINIT, e.g. KDC does not accept the cert or the anchor chain is incomplete. `kinit` falls back to password authentication and asks the user to enter a password.

`kinit` does not have an option to force non-interactive mode. Sending `\n` to stdin seems to be the only solution here.

Fixes: https://pagure.io/freeipa/issue/9333

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6a4d34fb by Carla Martinez at 2023-03-03T04:55:48+01:00
Update 'Auth indicators' doc string

The doc string located in the 'Authentication indicators' ('Services' settings page) was missing the usage explanation for the 'ipd' checkbox option.

Fixes: https://pagure.io/freeipa/issue/9338

Signed-off-by: Carla Martinez <carlmart at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
b152e8c3 by Stanislav Levin at 2023-03-03T05:01:33+01:00
dns: Fix support for dnspython 1.1x

`nameservers` was transformed into the property in dnspython 2:
https://github.com/rthalley/dnspython/commit/bbf0cfd239ffa6deeb67a4787bd292e9a972af74

This causes

> AttributeError: type object 'Resolver' has no attribute 'nameservers'

on the previous dnspython 1.1x.

Fixes: https://pagure.io/freeipa/issue/9339
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e3507563 by Rafael Guterres Jeffman at 2023-03-03T05:04:31+01:00
Migrated to SPDX license.

According to [1] all Fedora packages need to be updated to use a SPDX expression. This patch updates the freeipa spec template to comply with this change.

[1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1

Fixes: https://pagure.io/freeipa/issue/9342

Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9323bafb by Thorsten Scherf at 2023-03-07T13:19:54+01:00
external-idp: change idp server name to reference name

When you run "ipa idp-show <idp reference>" the IdP reference is shown as "Identity Provider server name". This is confusing as we are pointing to the earlier created IdP reference rather than a server. Other files are updated as well to reflect this change. Additionally some typos are fixed with this patch too.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
34d048ed by Florence Blanc-Renaud at 2023-03-14T17:50:25+01:00
ipatests: adapt for new automembership fixup behavior

The automembership fixup task now needs to be called with the --cleanup argument when the user expects automember to remove users/hosts from automember groups.

Update the test to create a cleanup task equivalent to dsconf plugin automember fixup --cleanup when it is needed.

Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
983a6516 by Anuja More at 2023-03-15T09:34:33+01:00
ipatests: Test ipa-advise is not failing with error.

The ipa-advise command should not fail with an error in the command.

Related: https://pagure.io/freeipa/issue/6044

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Sudhir Menon <sumenon at redhat.com>

- - - - -
e1f4f655 by Erik Belko at 2023-03-15T18:30:08+01:00
ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario

Testing if a manager whose rights are defined by the group membership is able to add group members after upgrade of the ipa server. Using ACI modification to demonstrate the inability before upgrading the ipa server.

Related: https://pagure.io/freeipa/issue/9286

Also added some generally helpful functions to tasks.py

Signed-off-by: Erik Belko <ebelko at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
b93f6b52 by Alexander Bokovoy at 2023-03-22T13:59:40+01:00
Don't fail if optional RPM macros file is missing

With the fix for https://pagure.io/freeipa/issue/7951 we started to modify RPM macros in the Azure CI environment. Don't fail if the file does not exist anymore, like it happens now in Fedora.

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
84f5f87b by Alexander Bokovoy at 2023-03-22T13:59:40+01:00
Use system-wide chromium for webui tests

Fixes: https://pagure.io/freeipa/issue/9347
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
aacaafce by Alexander Bokovoy at 2023-03-22T13:59:40+01:00
Fix tox in Azure CI

Fixes: https://pagure.io/freeipa/issue/9347

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -
051bbe36 by Anuja More at 2023-03-23T09:08:06+01:00
ipatests: Test that non admin user can search hbac rule.

Related: https://pagure.io/freeipa/issue/5130

Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
b1b7cbc0 by Antonio Torres at 2023-03-23T17:12:01+01:00
ipaserver: deepcopy objectclasses list from IPA config

We need to deepcopy the list of default objectclasses from IPA config before assigning it to an entry, in order to avoid further modifications of the entry affecting the cached IPA config.

Fixes: https://pagure.io/freeipa/issue/9349

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Thomas Woerner <twoerner at redhat.com>

- - - - -
e07ead94 by Alexander Bokovoy at 2023-03-30T08:11:22+02:00
ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by

Added in Python Cryptography 40.0

Thanks to @tiran for the code

Fixes: https://pagure.io/freeipa/issue/9355

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -
ae014c6a by Florence Blanc-Renaud at 2023-03-30T14:57:57+02:00
ipatests: increase timeout for test_trust

The timeout for test_trust is too short (6000s) and the nightly tests often fail. Increase to 7200s.

Fixes: https://pagure.io/freeipa/issue/9326
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
3eed25e9 by Antonio Torres at 2023-03-30T15:49:45+02:00
doc: allow notes on Param API Reference pages

The notes that Param pages will contain after #6733 are added manually, and because of it we need to add markers to differentiate between automated and manual content, equal to what we do for class pages.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
54026270 by Stanislav Levin at 2023-03-30T16:16:42+02:00
fastlint: Correct concatenation of file lists

`printf` ignores excessive arguments unused in formatting. This resulted in only the first file from two file lists being linted/stylechecked if both Python template files and Python modules were changed.

Make use of formatting instead:

> The format is reused as necessary to consume all of the arguments

Fixes: https://pagure.io/freeipa/issue/9318

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
def07260 by Florence Blanc-Renaud at 2023-04-05T09:27:45+02:00
ipatests: fix test definition for test_trust

The nightly test test_trust.py has been split into 2 jobs, one for test_trust.py::TestTrust (test_trust) and the other for the remaining test classes from the same file (test_trust_autoprivate).

The backport forgot to narrow down the first job definition to the class test_trust.py::TestTrust in the 4-10_previous pipeline. Fix this omission.

Related: https://pagure.io/freeipa/issue/9326

Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
6db9bbd8 by mbhalodi at 2023-04-05T09:40:25+02:00
ipatests: add missing automember-cli tests

Revisit the bash tests and port the valid tests to upstream.

Related: https://pagure.io/freeipa/issue/9332
Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -
03180bed by Jarl Gullberg at 2023-04-05T09:50:08+02:00
ipaplatform/debian: fix path to ldap.so

bind-dyndb-ldap on Debian installs ldap.so in a subdirectory of /usr/lib to prevent unintentional usage of an unversioned .so. The default settings for FreeIPA on Debian used an incomplete path, resulting in a failure to find ldap.so when bind attempts to start with bind-dyndb-ldap configured.

This fixes the default path to use the appropriate location in its multiarch-qualified path.

Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com>
Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com>

- - - - -
1b38ab17 by Jarl Gullberg at 2023-04-05T09:52:52+02:00
install: Fix missing dyndb keytab directive

bind-dyndb-ldap uses the krb5_keytab directive to set the path to the keytab to use. This directive was not being used in the configuration template, resulting in a failure to start named if the keytab path differed from the defaults.

This issue was discovered when packaging FreeIPA for Debian, which is one of the platforms where the path is customized.

Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com>

Fixes: https://pagure.io/freeipa/issue/9344

Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
e7506403 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
Ignore empty modification error in case cifs/.. principal already added

Constrained delegation target may already be configured by default.

Related: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
52e6da90 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
test_xmlrpc: adapt to automember plugin message changes in 389-ds

Another change in automember plugin messaging that breaks FreeIPA tests. Use a common substring to match.

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7a7ba45c by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only

Confine the search for S4U2Proxy access control lists to the subtree where they are created. This will allow using a similar method to describe RBCD access controls.

Related: https://pagure.io/freeipa/issue/5444

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
18cd909b by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
doc: add design document for Kerberos constrained delegation

FreeIPA Kerberos implementation already supports delegation of credentials, both unconstrained and constrained. Constrained delegation is an extension developed by Microsoft and documented in the MS-SFU specification. The MS-SFU specification also includes resource-based constrained delegation (RBCD) which FreeIPA did not support.

Microsoft has decided to force use of RBCD for forest trust. This means that certain use-cases will not be possible anymore.

This design document outlines approaches used by FreeIPA for constrained delegation implementation, including RBCD.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5b6ad0e6 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
IPA API changes to support RBCD

IPA API commands to manage RBCD access controls.

Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7ac6adfa by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
kdb: implement RBCD handling in KDB driver

Resource-based constrained delegation (RBCD) is implemented with a new callback used by the KDC. This callback is called when a server asks for an S4U2Proxy TGS request and passes a ticket that contains RBCD PAC options.

The callback is supposed to take client and server principals, a PAC and a target service database entry. Using the target service database entry it then needs to decide whether a server principal is allowed to delegate the client credentials to the target service.

The callback can also cross-check whether the client principal can be limited in delegating its own tickets but this is not implemented in the current version.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
7d68f4f0 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
RBCD: add basic test for RBCD handling

Add a test that uses the IPA API to allow delegation of RBCD configuration to a host and then uses it to set up an RBCD rule for a service. Run the RBCD check when the rule exists and when the rule is removed.

Since we only provide RBCD support on the KDC side with Kerberos 1.20, skip the test on Fedora versions prior to Fedora 38 and on RHEL versions prior to RHEL 9.2.

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b63e6a25 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
doc/designs/rbcd.md: add usage examples

Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
cb18ca31 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00
doc/designs/rbcd.md: document use of S-1-18-* SIDs

Fixes: https://pagure.io/freeipa/issue/9354

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9c6b4f44 by Antonio Torres at 2023-04-06T17:36:18+02:00
Extend API documentation

This includes:

* Section about command/param info in usage guide
* Section about metadata retrieval in usage guide
* Guide about differences between CLI and API
* Access control guide (management of roles, privileges and permissions).
* Guide about API contexts
* JSON-RPC usage guide and JSON-to-Python conversion
* Notes about types in API Reference

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
304fd550 by mbhalodi at 2023-04-13T10:51:52+02:00
ipatests: Test for sequence processing failures with server context

1 : Test to verify that groups have correct userclass when external is set to true or false with group-add.
2 : After creating a nonposix group verify that all following group_add calls to add posix groups are not failing with missing attribute.

Related: https://pagure.io/freeipa/issue/9349
Signed-off-by: mbhalodi <mbhalodi at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
e2b08433 by Florence Blanc-Renaud at 2023-04-17T15:17:00-04:00
ipatests: mark known failures for autoprivategroup

Two tests have known issues in test_trust.py with sssd 2.8.2+:
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group (when called with the "hybrid" parameter)
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default (when called with the "true" parameter)

Related: https://pagure.io/freeipa/issue/9295

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d63756eb by Christian Heimes at 2023-04-18T12:12:47+02:00
Speed up installer by restarting DS after DNA plugin

DS does not enable plugins unless nsslapd-dynamic-plugins is enabled or DS is restarted. The DNA plugin creates its configuration entries with some delay after the plugin is enabled.

DS is now restarted after the DNA plugin is enabled so it can create the entries while Dogtag and the rest of the system is installing. The updater `update_dna_shared_config` no longer blocks and waits for two times 60 seconds for `posix-ids` and `subordinate-ids`.

Fixes: https://pagure.io/freeipa/issue/9358
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3b64eaa1 by Todd Zullinger at 2023-04-18T15:24:43+02:00
spec: verify upstream source signature

Per the Fedora packaging guidelines¹. The GPG key was generated using details found on the wiki². The following commands can be used to fetch the signing key via fingerprint and extract it:

    fpr=0E63D716D76AC080A4A33513F40800B6298EB963
    gpg --keyserver keys.openpgp.org --receive-keys $fpr
    gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc

¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures
² https://www.freeipa.org/page/Verify_Release_Signature

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
90d0f049 by Todd Zullinger at 2023-04-18T15:24:43+02:00
spec: silence krb5 pkgconf errors in %krb5_base_version

Send stderr of pkgconf to /dev/null rather than printing the following error text while parsing the spec file:

    Package krb5 was not found in the pkg-config search path.
    Perhaps you should add the directory containing `krb5.pc'
    to the PKG_CONFIG_PATH environment variable
    Package 'krb5', required by 'virtual:world', not found

`BuildRequires: pkgconfig(krb5)` ensures this won't happen when running a real build. It simply avoids 4 lines of needless error output when running something like `fedpkg prep`.

Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
1f10aebc by Michal Polovka at 2023-04-20T12:57:32+02:00
ipatest: loginscreen: do not use hardcoded password

Use admin password obtained from local config instead of hardcoded value, as the password may differ in different testing environments.

https://pagure.io/freeipa/issue/9226
Signed-off-by: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Erik Belko <ebelko at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e2576670 by Rob Crittenden at 2023-04-27T11:17:47-04:00
Enforce sizelimit in cert-find

The sizelimit option was not being passed into the dogtag ra_find() command so it always returned all available certificates.

A value of 0 will retain old behavior and return all certificates. The default value is the LDAP searchsizelimit.

Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
50dd79d1 by Rob Crittenden at 2023-04-27T11:17:47-04:00
Use the OpenSSL certificate parser in cert-find

cert-find is a rather complex beast because it not only looks for certificates in the optional CA but within the IPA LDAP database as well. It has a process to deduplicate the certificates since any PKI issued certificates will also be associated with an IPA record.

In order to obtain the data to deduplicate the certificates the cert from LDAP must be parsed for issuer and serial number.

ipaldap has automation to determine the datatype of an attribute and will use the python-cryptography engine to decode a certificate automatically if you access entry['usercertificate']. The downside is that this is comparatively slow. Here is the parse time in microseconds:

    OpenSSL.crypto          175
    pyasn1                 1010
    python-cryptography    3136

The python-cryptography time is fine if you're parsing one certificate but if the LDAP search returns a lot of certificates, say in the thousands, then those microseconds add up quickly. In testing it took ~17 seconds to parse 5k certificates.

It's hard to overstate just how much better the cryptography Python interface is. In the case of OpenSSL really the only certificate fields easily available are serial number, subject and issuer. And the subject/issuer are in the OpenSSL reverse format which doesn't compare nicely to the cryptography format. The DN module can correct this.

Fortunately for cert-find we only need serial number and issuer, so the OpenSSL module is fine. It takes ~2 seconds.

pyasn1 is also relatively faster but switching to it would require substantially more effort for less payback.

cert-find when there are a lot of certificates has been historically slow. It isn't related to the CA which returns large sets (well, 5k anyway) in a second or two. It was the LDAP comparison adding tens of seconds to the runtime.

CLI times from before and after:

original:

    -------------------------------
    Number of entries returned 5011
    -------------------------------

    real    0m21.155s
    user    0m0.835s
    sys     0m0.159s

using OpenSSL:

    real    0m5.747s
    user    0m0.864s
    sys     0m0.148s

OpenSSL is forcibly lazy-loaded so it doesn't conflict with python-requests. See ipaserver/wsgi.py for the gory details.

Fixes: https://pagure.io/freeipa/issue/9331

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
bdb77a3d by Timo Aaltonen at 2023-04-28T09:51:56+02:00
Drop duplicate includedir from krb5.conf

SSSD already provides a config snippet which includes SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java.

Add also a dependency on sssd-krb5 for freeipa-client.

https://pagure.io/freeipa/issue/9267

Signed-off-by: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
918b6e01 by Florence Blanc-Renaud at 2023-04-29T13:49:09+02:00
cert_find: fix call with --all

When ipa cert-find --all is called, the function prints the certificate public bytes. The code recently switched to OpenSSL.crypto and the objects OpenSSL.crypto.X509 do not have the method public_bytes().

Use to_cryptography() to transform into a cryptography.x509.Certificate before calling public_bytes().

Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3d787c21 by Stanislav Levin at 2023-04-29T13:50:44+02:00
ipasphinx: Correct import of progress_message for Sphinx 6.1.0+

Pylint reports false-negative result for Sphinx 6.1.0+:

```
************* Module ipasphinx.ipabase
ipasphinx/ipabase.py:10: [E0611(no-name-in-module), ] No name 'progress_message' in module 'sphinx.util')
```

Actually `sphinx.util.progress_message` is still available in Sphinx 6.1 but it's deprecated and will be removed in 8.0:
https://www.sphinx-doc.org/en/master/extdev/deprecated.html#deprecated-apis

Related change:
https://github.com/sphinx-doc/sphinx/commit/8c5e7013ea5f6a50e3cc3130b22205a85ba87fab

Fixes: https://pagure.io/freeipa/issue/9361

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8a7c0683 by Rafael Guterres Jeffman at 2023-04-29T13:52:12+02:00
Fix "no entry" condition when searching PAC info

Fix Covscan-discovered DEADCODE block when searching for PAC info, caused by a wrong condition being evaluated when entry is a trusted domain object.

Fixes: https://pagure.io/freeipa/issue/9368
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 76c78827 by Sudhir Menon at 2023-04-29T13:55:57+02:00 ipatests: ipa-adtrust-install command test scenarios This patch includes additional testcases that can be run against the ipa-adtrust-install CLI tool. test_adtrust_install_with_incorrect_netbios_name test_adtrust_install_as_regular_ipa_user test_adtrust_install_with_incorrect_admin_password test_adtrust_install_with_invalid_rid_base_value test_adtrust_install_with_invalid_secondary_rid_base test_adtrust_reinstall_updates_ipaNTFlatName_attribute test_adtrust_install_without_ipa_installed test_samba_credential_cache_is_removed_post_uninstall test_adtrust_install_without_integrated_dns test_adtrust_install_with_debug_option test_adtrust_install_cli_without_smbpasswd_file test_adtrust_install_enable_compat test_adtrust_install_invalid_ipaddress_option test_syntax_error_in_ipachangeconf test_unattended_adtrust_install_uses_default_netbios_name test_smb_not_starting_post_adtrust_install Signed-off-by: Sudhir Menon <sumenon at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 1c43d914 by Alexander Bokovoy at 2023-05-04T10:52:40+02:00 Change doc theme to 'book' RTD theme is not compatible with Sphinx 7.0+ https://github.com/readthedocs/readthedocs.org/issues/10279 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 717228c9 by Florence Blanc-Renaud at 2023-05-04T14:31:59+02:00 Nightly test: add +15min for test_ipahealthcheck The test test_ipahealthcheck.py::TestIpaHealthcheck frequently hits its 90min timeout. Extend by 15min to allow completion. Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Anuja More <amore at redhat.com> - - - - - 846c267f by mbhalodi at 2023-05-04T16:12:25+02:00 ipatests: add remove automember condition tests Related: https://pagure.io/freeipa/issue/9332 Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - d95c4cf1 by Florence Blanc-Renaud at 2023-05-04T18:18:26+02:00 spec file: force nodejs < 20 on fedora < 39 On fedora < 39, nodejs 20 is not the default version. As a consequence, the installation of nodejs20 adds the command /usr/bin/node-20 instead of /usr/bin/node. FreeIPA build is using the node command and fails if the command is missing. Force nodejs < 20 on fedora < 39 to make sure the node command is installed. Fixes: https://pagure.io/freeipa/issue/9374 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 16a81062 by s1341 at 2023-05-04T21:30:34+02:00 ipaplatform: add initial nixos support Fixes: https://pagure.io/freeipa/issue/9299 Signed-off-by: Shmarya Rubenstein <github at shmarya.net> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 3a9a5bda by Florence Blanc-Renaud at 2023-05-08T13:55:15-04:00 idview: improve performance of idview-show The command ipa idview-show NAME has a post callback method that replaces the ID override anchor with the corresponding user name. For instance the anchor ipaanchoruuid=:SID:S-1-5-21-3951964782-819614989-3867706637-1114 is replaced with the name of the ad user aduser at ad.test. The method loops on all the anchors and for each one performs the resolution, which can be a costly operation if the anchor is for a trusted user. Instead of doing a search for each anchor, it is possible to read the 'ipaOriginalUid' value from the ID override entry. Fixes: https://pagure.io/freeipa/issue/9372 
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 12d1aafe by Florence Blanc-Renaud at 2023-05-11T13:47:46+02:00 Tests: test on f37 and f38 Fedora 38 is now available, move the testing pipelines to - fedora 38 for the _latest definitions - fedora 37 for the _previous definitions Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - bc394432 by Michal Polovka at 2023-05-16T17:32:14+02:00 ipatests: commands: Wait for the SSSD to become available The previous test to test_ssh_key_connection is calling the ipa-server-upgrade command, which restarts all the associated services. Especially on slower machines, SSSD is not yet online when the SSH connection is attempted. This results in only cached users being available. Wait for SSSD to become available before the SSH connection is attempted. Fixes: https://pagure.io/freeipa/issue/9377 Signed-off-by: Michal Polovka <mpolovka at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 627c1101 by Florence Blanc-Renaud at 2023-05-16T14:37:21-04:00 azure tests: move to fedora 38
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 81a6b9ad by Rob Crittenden at 2023-05-16T16:23:47-04:00 Return the <Message> value for cert-find failures from the CA If a cert-find fails on the CA side we get a Message tag containing a string describing the failure plus the java stack trace. Pull out the first part of the message as defined by the first colon and include that in the error message returned to the user. The new message will appear as: $ ipa cert-find ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500) vs the old generic message: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500) This can be reproduced by setting nssizelimit to 100 on the pkidbuser. The internal PKI search returns err=4 but the CA tries to convert all values into certificates and it fails. The value needs to be high enough that the CA can start but low enough that you don't have to create hundreds of certificates to demonstrate the issue. https://pagure.io/freeipa/issue/9369 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - edcdcf83 by Mohammad Rizwan at 2023-05-22T08:02:30+02:00 ipatests: wait for sssd-kcm to settle after date change In order to expire the ACME cert, the system date is moved, and issuing the kinit command then results in failure. Hence run the kinit command repeatedly until things settle. This patch removes the sleep and adds the tasks.run_repeatedly() method instead.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 7830ab96 by Florence Blanc-Renaud at 2023-05-23T20:59:03+02:00 user or group name: explain the supported format The commands ipa user-add or ipa group-add validate the format of the user/group name and display the following message when it does not conform to the expectations: invalid 'login': may only include letters, numbers, _, -, . and $ The format is more complex, for instance '1234567' is an invalid user name but the failure is inconsistent with the error message. Modify the error message to point to ipa help user/group and add more details in the help message. Same change for idoverrideuser and idoverridegroup: The user/group name must follow these rules: - cannot contain only numbers - must start with a letter, a number, _ or . - may contain letters, numbers, _, ., or - - may end with a letter, a number, _, ., - or $ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com> Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 58173c02 by Jerry James at 2023-05-24T14:08:45-04:00 Change fontawesome-fonts requires to match fontawesome 4.x fontawesome 6.x is not entirely compatible with 4.x version but in Fedora the change was made to make 4.x bits FreeIPA depends on to be forward-ported to 6.x build. This also allows to have common dependency for all versions. This patch switches to the common dependency using 'fonts(fontawesome)'. This works on all Fedora and RHEL versions. Signed-off-by: Jerry James <loganjerry at gmail.com> 
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - abe71fe1 by Rob Crittenden at 2023-05-24T17:57:22-04:00 Mention in ipa-client-install that nscd is disabled Also warn that similar services may also need to be disabled. An example is an nscd replacement named unscd. Fixes: https://pagure.io/freeipa/issue/9086 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - a6f485fc by Florence Blanc-Renaud at 2023-05-25T08:32:59+02:00 ACME tests: fix issue_and_expire_acme_cert method The fixture issue_and_expire_acme_cert is changing the date on master and client. It also resets the admin password as it gets expired after the date change. Currently the code is resetting the password by performing kinit on the client, which leaves the master with an expired ticket in its cache. Reset the password on the master instead in order to have a valid ticket for the next operations. Fixes: https://pagure.io/freeipa/issue/9383 
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Mohammad Rizwan <myusuf at redhat.com> - - - - - 630cda5c by Julien Rische at 2023-06-01T08:01:00+02:00 kdb: Use krb5_pac_full_sign_compat() when available In November 2022, Microsoft introduced a new PAC signature type called "extended KDC signature" (or "full PAC checksum"). This new PAC signature will be required by default by Active Directory in July 2023 for S4U requests, and opt-out will no longer be possible after October 2023. Support for this new signature type was added to MIT krb5, but it relies on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions, the code generating extended KDC signatures cannot be backported as it is without backporting the full new KDB API code too. This would have too much impact to be done. As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL 8 will include a downstream-only update adding the krb5_pac_full_sign_compat() function, which can be used in combination with the prior to 1.20 KDB API to generate PAC extended KDC signatures. Fixes: https://pagure.io/freeipa/issue/9373 
Signed-off-by: Julien Rische <jrische at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - bbe545ff by Julien Rische at 2023-06-01T08:01:00+02:00 Tolerate absence of PAC ticket signature depending on server capabilities Since November 2020, the Active Directory KDC generates a new type of signature as part of the PAC. It is called "ticket signature", and is generated based on the encrypted part of the ticket. The presence of this signature is not mandatory in order for the PAC to be accepted for S4U requests. However, the behavior is different for MIT krb5. Support was added as part of the 1.20 release, and this signature is required in order to process S4U requests. Contrary to the PAC extended KDC signature, the code generating this signature cannot be isolated and backported to older krb5 versions because this version of the KDB API does not allow passing the content of the ticket's encrypted part to IPA. This is an issue in gradual upgrade scenarios where some IPA servers rely on 1.19 and older versions of MIT krb5, while others use version 1.20 or newer. A service ticket that was provided by a 1.19- IPA KDC will be rejected when used by a service against a 1.20+ IPA KDC for S4U requests. On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or newer, it will include a downstream-only update adding the "optional_pac_tkt_chksum" KDB string attribute allowing it to tolerate the absence of PAC ticket signatures, if necessary. This commit adds an extra step during the installation and update processes where it adds a "pacTktSignSupported" ipaConfigString attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if the MIT krb5 version IPA was built with was 1.20 or newer. This commit also sets "optional_pac_tkt_chksum" as a virtual KDB entry attribute.
This means the value of the attribute is not actually stored in the database (to avoid race conditions), but its value is determined at KDC starting time by searching for the "pacTktSignSupported" ipaConfigString in the server list. If this value is missing for at least one of them, enforcement of the PAC ticket signature is disabled by setting "optional_pac_tkt_chksum" to true for the local realm TGS KDB entry. For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual string attribute is set to true systematically, because, at least for now, trusted AD domains can still have PAC ticket signature support disabled. Given that the "pacTktSignSupported" ipaConfigString for a single server is added when this server is updated, and that the value of "optional_pac_tkt_chksum" is determined at KDC starting time based on the ipaConfigString attributes of all the KDCs in the domain, this requires restarting all the KDCs in the domain after all IPA servers were updated in order for PAC ticket signature enforcement to actually take effect. Fixes: https://pagure.io/freeipa/issue/9371 Signed-off-by: Julien Rische <jrische at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 7ea3b866 by Julien Rische at 2023-06-01T08:01:00+02:00 Filter out constrained delegation ACL from KDB entry Commit f78dc0b163 was missing an exception for the constrained delegation ACL TL data type during the principal entry update operation. This ACL is not meant to be stored as encoded data in krbExtraData.
Signed-off-by: Julien Rische <jrische at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 3d0decd9 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089 -------- The KDC uses the first local TGT key for the privsvr and full PAC checksums. If this key is of an aes-sha2 enctype in a cross-realm TGT, a Microsoft KDC in the target realm may reject the ticket because it has an unexpectedly large privsvr checksum buffer. This behavior is unnecessarily picky as the target realm KDC cannot and does not need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the checksum key to three specific enctypes. -------- Use the MIT Kerberos 1.21+ facility to hint about the proper enctype for the cross-realm TGT. Fixes: https://pagure.io/freeipa/issue/9124 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 803a4477 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: protect against context corruption Early in startup the LDAP server might not respond well yet and should_support_pac_tkt_sign() will bail out with KRB5_KDB_SERVER_INTERNAL_ERR. We should postpone this call but for the time being we should prevent a crash. The crash happens because init_module() returns with an error and the KDC then calls fini_module() which will free the DB context which is already corrupted for some reason. Do not call any free() call because the whole context is corrupted as tests do show. Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - fefa0248 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: postpone ticket checksum configuration Postpone ticket checksum configuration until after the KDB module was initialized. This, in practice, should now happen when a master key is retrieved.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - bd8fcd6f by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: process out of realm server lookup during S4U Kerberos principal aliases lookup had a long-standing TODO item to support server referrals for host-based aliases. This commit implements server referrals for hosts belonging to trusted domains. The use-case is a part of S4U processing in a two-way trust when an IPA service requests a ticket to a host in a trusted domain (e.g. service on AD DC). In such situation, the server principal in TGS request will be a normal principal in our domain and KDC needs to respond with a server referral. This referral can be issued by a KDB driver or by the KDC itself, using 'domain_realms' section of krb5.conf. Since KDB knows all suffixes associated with the trusted domains, implement the logic there. Fixes: https://pagure.io/freeipa/issue/9164 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 1b55e9b1 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: skip verification of PAC full checksum MIT Kerberos KDC code will do verification of the PAC full checksum buffers, we don't need to process them. This change only applies to newer MIT Kerberos version which have this buffer type defined, hence using #ifdef to protect the use of the define. This should have no functional difference. Related: https://pagure.io/freeipa/issue/9371 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 11ce2b21 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipalib/x509.py: Add signature_algorithm_parameters Python-cryptography 41.0.0 new abstract method. Signed-off-by: Christian Heimes <cheimes at redhat.com> 
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 325a1319 by Rob Crittenden at 2023-06-02T10:00:57+02:00 Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3 Only three remaining scripts used this form, two of which are for developers only and not shipped. The shebang in ipa-ccache-sweeper will be converted to "#!$(PYTHON) -I" in the build process. Fixes: https://pagure.io/freeipa/issue/8941 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com> - - - - - f2b821ab by Alexander Bokovoy at 2023-06-02T16:01:41-04:00 ipa-kdb: be compatible with krb5 1.19 when checking for server referral Related: https://pagure.io/freeipa/issue/9164 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - 58017abe by Rob Crittenden at 2023-06-02T18:30:08-04:00 Don't allow a group to be converted to POSIX and external This condition was checked in group-add but not in group-mod. This evaluation is done later in the pre_callback so that all the other machinations about posix are already done to make it easier to tell whether this condition is true or not. Fixes: https://pagure.io/freeipa/issue/8990 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - 283f5463 by Florence Blanc-Renaud at 2023-06-05T14:00:17+02:00 ipatest: remove xfail from test_smb test_smb is now successful because the windows server version has been updated to windows-server-2022 with - KB5012170 - KB5025230 - KB5022507 - servicing stack 10.0.20348.1663 in freeipa-pr-ci commit 3ba4151. Remove the xfail. Fixes: https://pagure.io/freeipa/issue/9124 
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Mohammad Rizwan <myusuf at redhat.com> - - - - - e3797ca2 by Antonio Torres at 2023-06-06T09:40:38+02:00 Update translations to FreeIPA ipa-4-10 state Signed-off-by: Antonio Torres <antorres at redhat.com> - - - - - 03b92fb4 by Antonio Torres at 2023-06-06T09:43:34+02:00 Update list of contributors Signed-off-by: Antonio Torres <antorres at redhat.com> - - - - - 2fd9cbbe by Antonio Torres at 2023-06-06T10:01:01+02:00 Become IPA 4.10.2 - - - - - 30 changed files: - .wheelconstraints.in - ACI.txt - API.txt - Contributors.txt - Makefile.am - VERSION.m4 - client/man/ipa-client-install.1 - configure.ac - contrib/lite-server.py - contrib/lite-setup.py - daemons/dnssec/ipa-dnskeysyncd.in - daemons/ipa-kdb/ipa_kdb.c - daemons/ipa-kdb/ipa_kdb.h - daemons/ipa-kdb/ipa_kdb_common.c - daemons/ipa-kdb/ipa_kdb_delegation.c - daemons/ipa-kdb/ipa_kdb_mspac.c - daemons/ipa-kdb/ipa_kdb_mspac_v6.c - daemons/ipa-kdb/ipa_kdb_principals.c - daemons/ipa-otpd/ipa-otpd at .service.in - doc/api/A6Record.md - doc/api/AAAARecord.md - doc/api/AFSDBRecord.md - doc/api/APLRecord.md - doc/api/ARecord.md - doc/api/AccessTime.md - doc/api/Any.md - doc/api/BinaryFile.md - doc/api/Bool.md - doc/api/Bytes.md - doc/api/BytesEnum.md The diff was not included because it is too large. View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/e5819bcae6779b89b6d11a144f293a4838344738...2fd9cbbe4492ec5dec06c36ce315c43120ef5fca -- View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/e5819bcae6779b89b6d11a144f293a4838344738...2fd9cbbe4492ec5dec06c36ce315c43120ef5fca You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Jun 7 13:11:58 2023 
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton)) Date: Wed, 07 Jun 2023 12:11:58 +0000 Subject: [Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 2 commits: source: Update extend-diff-ignore. Message-ID: <6480740e5320f_136f8847284249455@godard.mail> Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa Commits: 8a91716a by Timo Aaltonen at 2023-06-07T14:59:25+03:00 source: Update extend-diff-ignore. - - - - - 7f36ccfc by Timo Aaltonen at 2023-06-07T15:04:59+03:00 Revert "copyright, watch: Filter prebuilt html documentation from the tarball." This reverts commit a94f7bbf72c6f7a864f2e15b3fc9da1be52b1b58. - - - - - 4 changed files: - debian/changelog - debian/copyright - debian/source/local-options - debian/watch Changes: ===================================== debian/changelog ===================================== @@ -1,9 +1,8 @@ -freeipa (4.10.2+dfsg1-1) UNRELEASED; urgency=medium +freeipa (4.10.2-1) UNRELEASED; urgency=medium * New upstream release. * control: Bump sssd, bind9 depends. - * copyright, watch: Filter prebuilt html documentation from the - tarball. + * source: Update extend-diff-ignore. -- Timo Aaltonen Tue, 21 Feb 2023 10:13:42 +0200 ===================================== debian/copyright ===================================== @@ -1,7 +1,6 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ Upstream-name: freeipa Source: http://releases.pagure.org/freeipa -Files-Excluded: doc/_build Files: * Copyright: 1999-2011 Red Hat, Inc. ===================================== debian/source/local-options ===================================== @@ -20,3 +20,5 @@ extend-diff-ignore = .lgtm.yml extend-diff-ignore = install/updates/30-ipservices.update|install/updates/75-user-trust-attributes.update # github extend-diff-ignore = .github/stale.yml +# upstream signature verification +extend-diff-ignore = gpgkey-* ===================================== debian/watch ===================================== 
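Review bot: in the debian/source/local-options hunk, `extend-diff-ignore = gpgkey-*` is a Perl regular expression, not a shell glob: dpkg-source appends each extend-diff-ignore value to its default ignore regex with `|`, which is also why the existing `install/updates/30-ipservices.update|install/updates/75-user-trust-attributes.update` entry joins its two paths with `|`. In a regex, `-*` means zero or more hyphens, so this pattern matches any path that merely contains `gpgkey`, anywhere in the tree. It does the job for the key files it is meant for, but an anchored form such as `(?:^|/)gpgkey-` states the intent and cannot swallow an unrelated file later. Separately, the new comment labels these files "upstream signature verification", yet the debian/watch file that follows carries no `pgpsigurlmangle`/`pgpmode` option, so uscan will not actually verify the upstream tarball against them; if verification is the intent, the watch file needs that option too.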
@@ -1,3 +1,3 @@ version=3 -options=dversionmangle=s/\+dfsg\d*$//,oversionmangle=s/$/+dfsg1/,uversionmangle=s/rc/~rc/ \ +options=uversionmangle=s/rc/~rc/ \ https://releases.pagure.org/freeipa/freeipa-(.+).tar.gz View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/78ec530871875bf4a94c49df01a4a1e145fc006f...7f36ccfcaf54566ab8e8d46eb65bd9c49e0c6180 -- View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/78ec530871875bf4a94c49df01a4a1e145fc006f...7f36ccfcaf54566ab8e8d46eb65bd9c49e0c6180 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Jun 7 13:12:12 2023 From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton)) Date: Wed, 07 Jun 2023 12:12:12 +0000 Subject: [Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master-next] 169 commits: Back to git snapshots Message-ID: <6480741c9c1d1_136f8847270249649@godard.mail> Timo Aaltonen pushed to branch master-next at FreeIPA packaging / freeipa Commits: 657a7b25 by Antonio Torres at 2022-11-24T17:13:36+01:00 Back to git snapshots Signed-off-by: Antonio Torres <antorres at redhat.com> - - - - - 42957f9e by Florence Blanc-Renaud at 2022-11-25T13:49:37+01:00 API reference: update vault doc Update doc/api/vault_archive_internal.md and doc/api/vault_retrieve_internal.md after the change from commit 93548f2 (default wrapping algo is now des-ede3-cbc instead of aes-128-cbc). Related: https://pagure.io/freeipa/issue/9259 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 660da9ab by Florence Blanc-Renaud at 2022-11-25T13:49:37+01:00 API reference: update dnszone_add generated doc Update doc/api/dnszone_add.md after commit c74c701 (Set 'idnssoaserial' to deprecated) Related: https://pagure.io/freeipa/issue/9249 
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 42be04fe by Alexander Bokovoy at 2022-11-28T18:53:51+01:00 updates: fix memberManager ACI to allow managers from a specified group The original implementation of the member manager added support for both user and group managers but left out the upgrade scenario. This means when upgrading an existing installation a manager whose rights are defined by the group membership would not be able to add group members until the ACI is fixed. Remove the old ACI and add a full one during the upgrade step. Fixes: https://pagure.io/freeipa/issue/9286 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - aeb9cc9b by Florence Blanc-Renaud at 2022-12-02T10:18:16+01:00 PRCI: update memory reqs for each topology The memory requirements are defined in the vagrant templates in https://github.com/freeipa/freeipa-pr-ci/tree/master/templates/vagrantfiles They have been updated and the corresponding values must be kept consistent in the topologies for PRCI. Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Armando Neto <abiagion at redhat.com> - - - - - c411c2e7 by Florence Blanc-Renaud at 2022-12-02T10:32:34+01:00 webui tests: fix assertion in test_subid.py The test wants to check the error related to an exception obtained inside a "with pytest.raises" instruction. The object is an ExceptionInfo and offers a match method to check the content of the string representation. Use this match() method instead of str(excinfo) which now returns '<ExceptionInfo NoSuchElementException() tblen=10>' Fixes: https://pagure.io/freeipa/issue/9282
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com> - - - - - 8e7d1ac4 by Christian Heimes at 2022-12-02T13:28:04+01:00 ipa-certupdate: Update client certs before KDC/HTTPd restart Apache HTTPd uses `/etc/ipa/ca.crt` to validate client certs. `ipa-certupdate` now updates the file before it restarts HTTPd. Fixes: https://pagure.io/freeipa/issue/9285 Signed-off-by: Christian Heimes <cheimes at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - a10627bd by Antonio Torres at 2022-12-02T14:24:05+01:00 API doc: add basic user management guide Add a basic user management guide that includes various examples on performing common tasks related to the user module, such as adding a user, modifying it, adding certificates for it, etc. Signed-off-by: Antonio Torres <antorres at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 2d0a0cc4 by Florence Blanc-Renaud at 2022-12-02T15:27:22+01:00 Spec file: ipa-client depends on krb5-pkinit-openssl Now that ipa-client-install supports pkinit, the package depends on krb5-pkinit-openssl. Update the spec file, move the dependency from ipa-server to the ipa-client subpackage. Fixes: https://pagure.io/freeipa/issue/9290 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 9599e975 by Florence Blanc-Renaud at 2022-12-14T15:44:46+01:00 ipatests: xfail on all fedora for test_ipa_login_with_sso_user With the new fedora36 vagrant image, the test is also failing. Mark xfail for all fedora versions. Related: https://pagure.io/freeipa/issue/9264
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Scott Poore <spoore at redhat.com> - - - - - 65a14a36 by Sudhir Menon at 2022-12-19T11:53:10+01:00 Fixes: ipa-otpd at .service: deprecated syslog setting This patch updates the deprecated syslog setting, i.e. StandardError=syslog, with StandardError=journal. Pagure: https://pagure.io/freeipa/issue/9279 Ref: https://github.com/systemd/systemd/pull/15812 Signed-off-by: Sudhir Menon <sumenon at redhat.com> Reviewed-By: Peter Keresztes Schmidt <carbenium at outlook.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 68f6574c by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00 ipatests: update the fake fips mode expected message The test ipatests/test_integration/test_fips.py is faking FIPS mode and calls "openssl md5" to ensure the algo is not available in the fake FIPS mode. The error message has been updated with openssl-3.0.5-5. In the past the command used to return: $ openssl md5 /dev/null Error setting digest 140640350118336:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:147: And now it returns: $ openssl md5 /dev/null Error setting digest 00C224822E7F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto/evp/evp_fetch.c:349:Global default library context, Algorithm (MD5 : 97), Properties () 00C224822E7F0000:error:03000086:digital envelope routines:evp_md_init_internal:initialization error:crypto/evp/digest.c:252: To be compatible with all versions, only check the common part: Error setting digest Mark the test as xfail since installation is currently not working. Related: https://pagure.io/freeipa/issue/9002
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - c853cfde by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00 cert utilities: MAC verification is incompatible with FIPS mode The PKCS12 MAC requires PKCS12KDF which is not an approved FIPS algorithm and cannot be supported by the FIPS provider. Do not require mac verification in FIPS mode: append the option --nomacver to the command openssl pkcs12 used to extract a pem file or a key from a p12 file. Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - dfba6ebf by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00 FIPS setup: fix typo filtering camellia encryption The config file /var/kerberos/krb5kdc/kdc.conf is customized during IPA server installation with a list of supported encryption types. In FIPS mode, camellia encryption is not supported and should be filtered out. Because of a typo in the filtering method, the camellia encryptions are appended while they should not be. Fix the typo (camelia vs camellia) in order to filter properly. Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 2904b15a by Florence Blanc-Renaud at 2022-12-19T21:46:51+01:00 Spec file: bump krb5_kdb_version on rawhide fedora 38 now uses krb5 1.20.1 which provides krb5_kdb_version 9.0 instead of 8.0 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 30497892 by Florence Blanc-Renaud at 2022-12-20T17:06:20+01:00 ipatests: update the xfail annotation for test_number_of_zones The test is failing on fedora 36+, update and simplify the xfail condition. Related: https://pagure.io/freeipa/issue/9135
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -

782873a2 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
azure tests: move to fedora 37

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

fd212045 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove unneeded disable=unused-private-member

pylint fixed issue https://github.com/PyCQA/pylint/issues/4756 and we don't need anymore to disable this check.

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

51e0f751 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove useless suppression

The newer version of pylint has fixed false positives and does not need anymore these suppressions:
- global-variable-not-assigned
- invalid-sequence-index
- no-name-in-module
- not-callable
- unsupported-assignment-operation

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

240b46db by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable redefined-slots-in-subclass

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

081dd263 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable used-before-assignment

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

328fb642 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: replace deprecated distutils module

PEP 632 deprecates the distutils module. Replace
- distutils.spawn.find_executable with shutil.which
- distutils.log with logging

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

ac69ad4b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable modified-iterating-list

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

22f182ee by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: remove arguments-renamed warnings

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

5434c12b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable using-constant-test

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

3336236f by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable unnecessary-dunder-call message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

2b97c8ca by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: globally disable unnecessary-lambda-assignment message

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

84c4792b by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable missing-timeout message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

71496be7 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix implicit-str-concat

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

b9ea3fcb by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix duplicate-value

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

433599fd by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix deprecated-class SafeConfigParser

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

a95e11db by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable invalid-sequence-index

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

07111438 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable unhashable-member

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

4e998848 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: globally disable useless-object-inheritance

Related: https://pagure.io/freeipa/issue/9278
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

3d211b4f by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix consider-iterating-dictionary

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

015e25a5 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

62e2d111 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: fix comparison-of-constants

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

85037db2 by Florence Blanc-Renaud at 2023-01-10T10:11:45+01:00
pylint: disable deprecated-module message

Related: https://pagure.io/freeipa/issue/9278

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

d673fdab by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Lint in single process mode

There are several known problems with multiprocess mode. For example, https://github.com/PyCQA/pylint/issues/3232. In other words the lint result depends on the number of jobs. The most correct report is expected for single process.

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

f9822697 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: More allowed C extensions

Fixes:
```
[E0611(no-name-in-module), ] No name 'parse' in module 'lxml.etree'
[E0611(no-name-in-module), ] No name 'murmurhash3' in module 'pysss_murmur'
```

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

68ab438f by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated extension-pkg-whitelist

`extension-pkg-whitelist` is deprecated in favour of `extension-pkg-allow-list` since Pylint 2.7.3:
https://pylint.pycqa.org/en/latest/whatsnew/2/2.7/full.html#what-s-new-in-pylint-2-7-3

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

c48c76e9 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix cyclic-import

Most of `cyclic-import` issues reported by Pylint are false-positive and they are already handled in the code, but several ones are the actual errors.

Fixes: https://pagure.io/freeipa/issue/9232
Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

1261bbf0 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated pipes

`pipes` module is deprecated as of Python 3.11.

https://docs.python.org/3/library/pipes.html#module-pipes:
> Deprecated since version 3.11, will be removed in version 3.13: The pipes module is deprecated (see PEP 594 for details).

IPA code used only `quote` function from `pipes` that in turn is the alias for `shlex.quote` since Python 3.3:
https://github.com/python/cpython/commit/9bce311ea4f58ec04cab356a748e173ecfea381c

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

b1237656 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix used-before-assignment

> Emitted when a local variable is accessed before its assignment took place. Assignments in try blocks are assumed not to have occurred when evaluating associated except/finally blocks. Assignments in except blocks are assumed not to have occurred when evaluating statements outside the block, except when the associated try block contains a return statement.

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

acc2daf2 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix modified-iterating-list

https://pylint.pycqa.org/en/latest/user_guide/messages/warning/modified-iterating-list.html:
> Emitted when items are added or removed to a list being iterated through. Doing so can result in unexpected behaviour, that is why it is preferred to use a copy of the list.

https://docs.python.org/3/tutorial/controlflow.html#for-statements:
> Code that modifies a collection while iterating over that same collection can be tricky to get right. Instead, it is usually more straight-forward to loop over a copy of the collection or to create a new collection

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

dc8c8a78 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix unnecessary-lambda-assignment

https://pylint.pycqa.org/en/latest/user_guide/messages/convention/unnecessary-lambda-assignment.html:
> Used when a lambda expression is assigned to variable rather than defining a standard function with the "def" keyword.

https://peps.python.org/pep-0008/#programming-recommendations:
> Always use a def statement instead of an assignment statement that binds a lambda expression directly to an identifier:
>
>     def f(x): return 2*x
>
>     f = lambda x: 2*x
>
> The first form means that the name of the resulting function object is specifically 'f' instead of the generic '<lambda>'. This is more useful for tracebacks and string representations in general. The use of the assignment statement eliminates the sole benefit a lambda expression can offer over an explicit def statement (i.e. that it can be embedded inside a larger expression)

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

bd7b5bf7 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix unhashable-member

https://pylint.pycqa.org/en/latest/user_guide/messages/error/unhashable-member.html:
> Emitted when a dict key or set member is not hashable (i.e. doesn't define __hash__ method).

https://docs.python.org/3/library/stdtypes.html#dict.update:
> Update the dictionary with the key/value pairs from other, overwriting existing keys. Return None. update() accepts either another dictionary object or an iterable of key/value pairs (as tuples or other iterables of length two). If keyword arguments are specified, the dictionary is then updated with those key/value pairs: d.update(red=1, blue=2).

Fixes: https://pagure.io/freeipa/issue/9278
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

bccd3c94 by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Fix useless-object-inheritance

https://pylint.pycqa.org/en/latest/user_guide/messages/refactor/useless-object-inheritance.html:
> Used when a class inherit from object, which under python3 is implicit, hence can be safely removed from bases.

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

2009889d by Stanislav Levin at 2023-01-10T10:11:45+01:00
pylint: Replace deprecated cgi module

https://docs.python.org/3/library/cgi.html#module-cgi:
> Deprecated since version 3.11, will be removed in version 3.13: The cgi module is deprecated (see PEP 594 for details and alternatives).

Fixes: https://pagure.io/freeipa/issue/9278

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

b5f2b0b1 by Florence Blanc-Renaud at 2023-01-11T12:55:04+01:00
ipatests: mark test_smb as xfail

Mark the test test_smb.py::TestSMB::test_smb_service_s4u2self as xfail.

Related: https://pagure.io/freeipa/issue/9124
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -

894dca12 by Florence Blanc-Renaud at 2023-01-16T08:40:16+01:00
server install: remove error log about missing bkup file

The client installer code can be called in 3 different ways:
- from ipa-client-install CLI
- from ipa-replica-install CLI if the client is not already installed
- from ipa-server-install

In the last case, the client installer is called with options.on_master=True
As a result, it's skipping the part that is creating the krb5 configuration:

    if not options.on_master:
        nolog = tuple()
        configure_krb5_conf(...)

The configure_krb5_conf method is the place where the krb5.conf file is backed up with the extension ".ipabkp". For a master installation, this code is not called and the ipabkp file does not exist => delete raises an error.

When delete fails because the file does not exist, no need to log an error message.

Fixes: https://pagure.io/freeipa/issue/9306

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

0fa95852 by Florence Blanc-Renaud at 2023-01-17T14:53:35+01:00
Tests: force key type in ACME tests

PKI can issue ACME certs only when the key type is rsa. With version 2.0.0, certbot defaults to ecdsa key type, and this causes test failures.

For now, force rsa when requesting an ACME certificate. This change can be reverted when PKI fixes the issue on their side (https://github.com/dogtagpki/pki/issues/4273)

Related: https://pagure.io/freeipa/issue/9298
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

7d1a3585 by Florence Blanc-Renaud at 2023-01-17T22:42:25+01:00
Installer: create RID base before domain object

The installer is currently creating the samba domain object before it adds the RID base and secondary RID base. As a consequence, there is a window during which the sidgen plugin is active but unable to generate SIDs (it requires the samba domain object to find the domain SID and RID base to know where to start from).

There is no direct impact except the error log of 389ds that reports
ERR - get_ranges - [file ipa_sidgen_common.c, line 276]: Failed to convert LDAP entry to range struct.

This fix configures the RID base and secondary RID base before the domain object is created, thus removing this window.

Fixes: https://pagure.io/freeipa/issue/9309

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -

2520a7ad by Filip Dvorak at 2023-01-20T10:02:02+01:00
ipa tests: Add LANG before kinit command to fix issue with locale settings

Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>

- - - - -

364116c2 by Antonio Torres at 2023-01-24T14:54:37+01:00
API doc: validate generated reference

Extend 'makeapi --validate' to validate API Reference files too. If differences are found between the generated and stored docs the validation fails. This command is executed in our Azure pipelines, so every time a developer opens a PR but forgets to update the API Reference, the CI will fail.

Fixes: https://pagure.io/freeipa/issue/9287
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

0e06786a by Florence Blanc-Renaud at 2023-01-24T19:07:52+01:00
Spec file: unify with RHEL9 spec

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -

2a69d056 by Florence Blanc-Renaud at 2023-01-24T19:07:52+01:00
Spec file: use %autosetup instead of %setup

This change fixes rpminspect issues reported when building for RHEL, like the following one:

Patch number 1001 (1001-Change-branding-to-IPA-and-Identity-Management.patch) is missing a corresponding %patch1001 macro, usually in %prep.

Waiver Authorization: Anyone

Suggested Remedy: The named patch is defined in the source RPM header (this means it has a PatchN: definition in the spec file) but is not applied anywhere in the spec file. It is missing a corresponding %patch macro and the spec file lacks the %autosetup or %autopatch macros. You can fix this by adding the appropriate %patch macro in the spec file (usually in the %prep section). The number specified with the %patch macro corresponds to the number used to define the patch at the top of the spec file. So Patch47 is applied with a %patch47 macro.
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -

97fc368d by Florence Blanc-Renaud at 2023-01-25T13:45:53-05:00
trust-add: handle missing msSFU30MaxGidNumber

When ipa trust-add is executed with --range-type ad-trust-posix, the server tries to find the max uidnumber and max gidnumber from AD domain controller. The values are extracted from the entry
CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.

msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber. In case msSFU30MaxGidNumber is missing, the code is currently assigning a "None" value and later on evaluates the max between this value and msSFU30MaxUidNumber. The max function cannot compare None and a list of string and triggers an exception.

To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber is missing. This way, the comparison succeeds and max returns the value from msSFU30MaxUidNumber.

Fixes: https://pagure.io/freeipa/issue/9310

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

51b1c22d by Rob Crittenden at 2023-01-27T13:00:22+01:00
doc: Design for certificate pruning

This describes how the certificate pruning capability of PKI introduced in v11.3.0 will be integrated into IPA, primarily for ACME.

Related: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -

1be3188e by Stanislav Levin at 2023-01-31T11:21:34+01:00
ipatests: healthcheck: Handle missing fips-mode-setup

freeipa-healthcheck prechecks existence of `fips-mode-setup` and reports if it's missing:
> "fips": "missing /bin/fips-mode-setup"

Fixes: https://pagure.io/freeipa/issue/9315
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

fb22c8e5 by Stanislav Levin at 2023-02-01T10:54:12+01:00
spec: Drop no longer used build dependency on paste

With ff6e701b0077d9c8e2aacdcaecf70f885018db92 it was replaced with `werkzeug`.

https://pypi.org/project/Paste/
> Paste is in maintenance mode and recently moved from bitbucket to github. Patches are accepted to keep it on life support, but for the most part, please consider using other options.

Fixes: https://pagure.io/freeipa/issue/9314

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

ff31b0c4 by Rob Crittenden at 2023-02-01T17:47:26+01:00
tests: Add ipa_ca_name checking to DNS system records

freeipa-healthcheck 0.12 includes a SUCCESS message if the ipa-ca records are as expected so a user will know they were checked. For that version and beyond test that it is included.

Related: https://pagure.io/freeipa/issue/9291

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -

6ca11968 by Rob Crittenden at 2023-02-01T17:47:26+01:00
tests: Add new ipa-ca error messages to IPADNSSystemRecordsCheck

freeipa-healthcheck changed some messages related to ipa-ca DNS record validation in IPADNSSystemRecordsCheck. Include support for it and retain backwards compatibility.

Fixes: https://pagure.io/freeipa/issue/9291
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -

d662b125 by Stanislav Levin at 2023-02-02T07:31:15+01:00
tests: Configure DNSResolver as platform agnostic resolver

Avoid reading platform specific `/etc/resolv.conf` in `TestDNSResolver` unit tests. Systems (e.g. sandboxes) may not have `/etc/resolv.conf` or this file may not contain any configured name servers. `TestDNSResolver` unit tests check only customized `nameservers` property and should not depend on existence of `/etc/resolv.conf`.

Resolver accepts `configure` option.
https://dnspython.readthedocs.io/en/latest/resolver-class.html :
> configure, a bool. If True (the default), the resolver instance is configured in the normal fashion for the operating system the resolver is running on. (I.e. by reading a /etc/resolv.conf file on POSIX systems and from the registry on Windows systems.)

Fixes: https://pagure.io/freeipa/issue/9319
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -

9246a8a0 by Rob Crittenden at 2023-02-02T13:42:57+01:00
ipa-acme-manage: add certificate/request pruning management

Configures PKI to remove expired certificates and non-resolved requests on a schedule. This is geared towards ACME which can generate a lot of certificates over a short period of time but is general purpose. It lives in ipa-acme-manage because that is the primary reason for including it.

Random Serial Numbers v3 must be enabled for this to work.

Enabling pruning enables the job scheduler within CS and sets the job user as the IPA RA user which has full rights to certificates and requests.

Disabling pruning does not disable the job scheduler because the tool is stateless. Having the scheduler enabled should not be a problem.

A restart of PKI is required to apply any changes.

This tool forks out to pki-server which does direct writes to CS.cfg. It might be easier to use our own tooling for this but this makes the integration tighter so we pick up any improvements in PKI.

The "cron" setting is quite limited, taking only integer values and *. It does not accept ranges, either - or /. No error checking is done in PKI when setting a value, only when attempting to use it, so some rudimentary validation is done.

Fixes: https://pagure.io/freeipa/issue/9294

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -

f10d1a0f by Rob Crittenden at 2023-02-02T13:42:57+01:00
doc: add the --run command for manual job execution

A manual method was mentioned with no specificity. Include the --run command.

Also update the troubleshooting section to show what failure to restart the CA after configuration looks like.

Import the IPA CA chain for manual execution.

Also fix up some $ -> # to indicate root is needed.

Related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -

2857bc69 by Florence Blanc-Renaud at 2023-02-02T15:21:25+01:00
automember-rebuild: add a notice about high CPU usage

The automember-rebuild task may require high CPU usage if many users/hosts/groups are processed. Add a note in the ipa automember-rebuild CLI output and in the WebUI confirmation message.

Fixes: https://pagure.io/freeipa/issue/9320

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -

1a965a3a by David Pascual at 2023-02-04T17:14:08+01:00
ipatests: fix (prci_checker) duplicated check & error return code

Fix 1: timeout field was being checked twice and did not return fail code on error
Fix 2: Tool did not return error code on single file check unsuccessful run

Signed-off-by: David Pascual <davherna at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

d24b6998 by Rob Crittenden at 2023-02-05T10:31:19+01:00
tests: add wrapper around ACME RSNv3 test

This test is located outside of the TestACMEPrune because it enables RSNv3 while the server installed by TestACME doesn't.

It still needs a wrapper to enforce a version of PKI that supports pruning because that is checked first in the tool. Re-ordering that wouldn't be a good user experience.

https://pagure.io/freeipa/issue/9322

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

a20acb6f by Antonio Torres at 2023-02-08T11:44:01+01:00
API doc: add note about ipa show-mappings to usage guide

As discussed in PR #6664, `ipa show-mappings` can be used as a handy way to list command arguments and options directly through the CLI.
Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

a786d3d5 by Chris Kelley at 2023-02-09T14:52:33-05:00
Check that CADogtagCertsConfigCheck can handle cert renewal

Renewal causes two certs to have the same nickname. Dogtag is patched to allow for N certs with the same nickname, and this test is to verify that CADogtagCertsConfigCheck still passes.

Related: https://github.com/dogtagpki/pki/pull/4285

Signed-off-by: Chris Kelley <ckelley at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -

649c35aa by Antonio Torres at 2023-02-09T16:12:56-05:00
API doc: add usage guides for groups, HBAC and sudo rules

Include guides with examples for groups, HBAC and sudo rules management. These cover most of available commands related to these topics.

Signed-off-by: Antonio Torres <antorres at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

20ff7c16 by Rob Crittenden at 2023-02-09T21:46:16-05:00
Fix setting values of 0 in ACME pruning

Replace comparisons of "if value" with "if value is not None" in order to handle 0.

Add a short reference to the man page to indicate that a cert or request retention time of 0 means remove at the next execution.

Also indicate that the search time limit is in seconds.

Fixes: https://pagure.io/freeipa/issue/9325
Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>

- - - - -

4e0ad96f by Rob Crittenden at 2023-02-09T21:48:55-05:00
Wipe the ipa-ca DNS record when updating system records

If a server with a CA has been marked as hidden and contains the last A or AAAA address then that address would remain in the ipa-ca entry.

This is because update-dns-system-records did not delete values, it just re-computed them. So if no A or AAAA records were found then the existing value was left.

Fixes: https://pagure.io/freeipa/issue/9195

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francisco Trivino <ftrivino at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>

- - - - -

0206369e by Alexander Bokovoy at 2023-02-09T21:51:43-05:00
ipa-kdb: PAC consistency checker needs to handle child domains as well

When PAC check is performed, we might get a signing TGT instead of the client DB entry. This means it is a principal from a trusted domain but we don't know which one exactly because we only have a krbtgt for the forest root. This happens in MIT Kerberos 1.20 or later where KDB's issue_pac() callback never gets the original client principal directly.

Look into known child domains as well and make the check pass if both NetBIOS name and SID correspond to one of the trusted domains under this forest root.

Move check for the SID before NetBIOS name check because we can use SID of the domain in PAC to find out the right child domain in our trusted domains' topology list.

Fixes: https://pagure.io/freeipa/issue/9316

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

a6cb905d by Anuja More at 2023-02-09T21:51:43-05:00
Add test for SSH with GSSAPI auth.

Added test for aduser with GSSAPI authentication.

Related: https://pagure.io/freeipa/issue/9316
Signed-off-by: Anuja More <amore at redhat.com>
Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

0f77b359 by Mohammad Rizwan at 2023-02-13T17:33:14-05:00
ipatests: tests for certificate pruning

1. Test to prune the expired certificate by manual run
2. Test to prune expired certificate by cron job
3. Test to prune expired certificate with retention unit option
4. Test to prune expired certificate with search size limit option
5. Test to check config-show command shows set param
6. Test prune command shows proper status after disabling the pruning

related: https://pagure.io/freeipa/issue/9294
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -

450e78f5 by Stanislav Levin at 2023-02-17T18:13:44+01:00
tests: webui: Allow file access from files in tests

https://peter.sh/experiments/chromium-command-line-switches/#allow-file-access-from-files
> By default, file:// URIs cannot read other file:// URIs. This is an override for developers who need the old behavior for testing.

Fixes webui tests on CI:
```
Testing test/all_tests.html
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help, check https://xhr.spec.whatwg.org/.
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/qunit.js' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
Access to XMLHttpRequest at 'file:///__w/freeipa/freeipa/install/ui/test/data/i18n_messages.json' from origin 'null' has been blocked by CORS policy: Cross origin requests are only supported for protocol schemes: http, data, chrome, chrome-untrusted, https.
Failed to load resource: net::ERR_FAILED
>> Error: Error: Couldn't receive translations
```

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -

425cad6f by Stanislav Levin at 2023-02-17T18:13:44+01:00
tests: webui: Load qunit only once

webui unit tests fail with grunt-contrib-qunit:
```
Testing test/all_tests.html
>> Error: Error: QUnit has already been defined.
>>     at exportQUnit (file:///home/test/freeipa/install/ui/js/qunit.js:2475:12)
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:2946:3
>>     at file:///home/test/freeipa/install/ui/js/qunit.js:5061:2
>> Error: TypeError: Cannot set properties of undefined (setting 'reorder')
>>     at <anonymous>:175:24
>>     at runFactory (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:17157)
>>     at execModule (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19541)
>>     at file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:20002
>>     at guardCheckComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19707)
>>     at checkComplete (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:19854)
>>     at onLoadCallback (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:22296)
>>     at HTMLScriptElement.onLoad (file:///home/test/freeipa/install/ui/js/dojo/dojo.js:1:26209)
```

Load `qunit` with `dojo.require` that among other useful things helps
> Preventing loading Dojo packages twice. dojo.require will simply return if the package is already loaded.

See also https://github.com/gruntjs/grunt-contrib-qunit#loading-qunit-with-amd

Related: https://pagure.io/freeipa/issue/9329

Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -

8fe8b262 by Stanislav Levin at 2023-02-17T18:13:44+01:00
AP: webui: List installed nodejs packages

It's helpful for debugging regressions.

Related: https://pagure.io/freeipa/issue/9329
Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 9b8e8edc by Stanislav Levin at 2023-02-17T18:13:44+01:00 tests: webui: Update vendored qunit Updated qunit to the latest supported version from https://code.jquery.com/qunit. See https://qunitjs.com/intro/#release-channels for details. Related: https://pagure.io/freeipa/issue/9329 Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 41c32174 by David Pascual at 2023-02-20T08:12:20+01:00 doc: Use case examples for PR-CI checker tool This document showcases common use cases for the user to interact with the PR-CI checker tool. Signed-off-by: David Pascual <davherna at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 88b9be29 by mbhalodi at 2023-02-20T08:17:08+01:00 ipatests: ensure that ipa automember-rebuild prints a warning ipa automember-rebuild now prints a warning about CPU usage. Ensure that the warning is properly displayed. Related: https://pagure.io/freeipa/issue/9320 Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 2a2132cc by Anuja More at 2023-02-20T16:42:29+01:00 PRCI: update test_trust.py for nightly pipelines. test_integration/test_trust.py is divided into two parts. 1: class TestTrust 2: class TestNonPosixAutoPrivateGroup, class TestPosixAutoPrivateGroup Fixes: https://pagure.io/freeipa/issue/9326 Signed-off-by: Anuja More <amore at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - fe13baa0 by Rob Crittenden at 2023-02-21T08:18:07+01:00 doc: Update pruning design with implement enable/disable options Instead of passing TRUE/FALSE to a single --enable option use two flags instead, which IMHO is clearer. So --enable=TRUE to --enable and --enable=FALSE to --disable Fixes: https://pagure.io/freeipa/issue/9323
Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Mohammad Rizwan <myusuf at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - e7c642ba by Mohammad Rizwan at 2023-02-22T09:11:24+01:00 ipatests: fix tests in TestACMEPrune When cron_minute + 5 > 59, the cron job throws an error, i.e. 58 + 5 = 63, which is not an acceptable value for the cron minute. The second fix is related to a mismatch between the config setting and the corresponding assert. The third fix is related to extending the time by 60 minutes to properly expire the certs. related: https://pagure.io/freeipa/issue/9294 Signed-off-by: Mohammad Rizwan <myusuf at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - cd07413c by mbhalodi at 2023-02-22T15:43:23+01:00 ipatests: WebUI - ensure that ipa automember-rebuild prints a warning ipa automember-rebuild now prints a warning about CPU usage in the WebUI. Ensure that the warning is properly displayed. Related: https://pagure.io/freeipa/issue/9320 Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Michal Polovka <mpolovka at redhat.com> - - - - - 0a8a3922 by Florence Blanc-Renaud at 2023-02-23T07:43:05+01:00 ipatests: increase timeout for test_acme The test test_integration/test_acme.py times out frequently and has a current timeout set to 2h, which is roughly the average time for a successful run. Increase by 15 minutes, so that even the tests requiring packages update have enough time (for instance rawhide run needs to update all the packages to the latest version). Also create a separate job for the new test TestACMEPrune. Fixes: https://pagure.io/freeipa/issue/9324
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Mohammad Rizwan <myusuf at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 88039385 by Christian Heimes at 2023-03-01T04:58:45+01:00 Don't block when kinit_pkinit() fails Installation of ipa-client with PKINIT authentication can block when there is a problem with PKINIT, e.g. KDC does not accept the cert or the anchor chain is incomplete. `kinit` falls back to password authentication and asks the user to enter a password. `kinit` does not have an option to force non-interactive mode. Sending `\n` to stdin seems to be the only solution here. Fixes: https://pagure.io/freeipa/issue/9333 Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 6a4d34fb by Carla Martinez at 2023-03-03T04:55:48+01:00 Update 'Auth indicators' doc string The doc string located in the 'Authentication indicators' ('Services' settings page) was missing the usage explanation for the 'idp' checkbox option. Fixes: https://pagure.io/freeipa/issue/9338 Signed-off-by: Carla Martinez <carlmart at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - b152e8c3 by Stanislav Levin at 2023-03-03T05:01:33+01:00 dns: Fix support for dnspython 1.1x `nameservers` was transformed into a property in dnspython 2: https://github.com/rthalley/dnspython/commit/bbf0cfd239ffa6deeb67a4787bd292e9a972af74 This causes > AttributeError: type object 'Resolver' has no attribute 'nameservers' on the previous dnspython 1.1x. Fixes: https://pagure.io/freeipa/issue/9339
Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - e3507563 by Rafael Guterres Jeffman at 2023-03-03T05:04:31+01:00 Migrated to SPDX license. According to [1] all Fedora packages need to be updated to use a SPDX expression. This patch updates the freeipa spec template to comply with this change. [1] https://fedoraproject.org/wiki/Changes/SPDX_Licenses_Phase_1 Fixes: https://pagure.io/freeipa/issue/9342 Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 9323bafb by Thorsten Scherf at 2023-03-07T13:19:54+01:00 external-idp: change idp server name to reference name When you run "ipa idp-show <idp reference>" the IdP reference is shown as "Identity Provider server name". This is confusing as we are pointing to the earlier created IdP reference rather than a server. Other files are updated as well to reflect this change. Additionally, some typos are fixed with this patch. Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 34d048ed by Florence Blanc-Renaud at 2023-03-14T17:50:25+01:00 ipatests: adapt for new automembership fixup behavior The automembership fixup task now needs to be called with --cleanup argument when the user expects automember to remove user/hosts from automember groups. Update the test to create a cleanup task equivalent to dsconf plugin automember fixup --cleanup when it is needed. Fixes: https://pagure.io/freeipa/issue/9313
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 983a6516 by Anuja More at 2023-03-15T09:34:33+01:00 ipatests: Test ipa-advise is not failing with error. The ipa-advise command should not fail with error in command. Related: https://pagure.io/freeipa/issue/6044 Signed-off-by: Anuja More <amore at redhat.com> Reviewed-By: Sudhir Menon <sumenon at redhat.com> - - - - - e1f4f655 by Erik Belko at 2023-03-15T18:30:08+01:00 ipatests: Test MemberManager ACI to allow managers from a specified group after upgrade scenario Testing if a manager whose rights are defined by group membership is able to add group members after an upgrade of the ipa server. Using ACI modification to demonstrate the inability before upgrading the ipa server. Related: https://pagure.io/freeipa/issue/9286 Also added some generally helpful functions to tasks.py Signed-off-by: Erik Belko <ebelko at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com> Reviewed-By: Michal Polovka <mpolovka at redhat.com> - - - - - b93f6b52 by Alexander Bokovoy at 2023-03-22T13:59:40+01:00 Don't fail if optional RPM macros file is missing With fix for https://pagure.io/freeipa/issue/7951 we started to modify RPM macros in Azure CI environment. Don't fail if the file does not exist anymore, as happens now in Fedora. Fixes: https://pagure.io/freeipa/issue/9347 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - 84f5f87b by Alexander Bokovoy at 2023-03-22T13:59:40+01:00 Use system-wide chromium for webui tests Fixes: https://pagure.io/freeipa/issue/9347
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - aacaafce by Alexander Bokovoy at 2023-03-22T13:59:40+01:00 Fix tox in Azure CI Fixes: https://pagure.io/freeipa/issue/9347 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - 051bbe36 by Anuja More at 2023-03-23T09:08:06+01:00 ipatests: Test that non admin user can search hbac rule. Related : https://pagure.io/freeipa/issue/5130 Signed-off-by: Anuja More <amore at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - b1b7cbc0 by Antonio Torres at 2023-03-23T17:12:01+01:00 ipaserver: deepcopy objectclasses list from IPA config We need to deepcopy the list of default objectclasses from IPA config before assigning it to an entry, in order to avoid further modifications of the entry affecting the cached IPA config. Fixes: https://pagure.io/freeipa/issue/9349 Signed-off-by: Antonio Torres <antorres at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> Reviewed-By: Thomas Woerner <twoerner at redhat.com> - - - - - e07ead94 by Alexander Bokovoy at 2023-03-30T08:11:22+02:00 ipalib/x509: Implement abstract method Certificate.verify_directly_issued_by Added in Python Cryptography 40.0 Thanks to @tiran for the code Fixes: https://pagure.io/freeipa/issue/9355 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Stanislav Levin <slev at altlinux.org> - - - - - ae014c6a by Florence Blanc-Renaud at 2023-03-30T14:57:57+02:00 ipatests: increase timeout for test_trust The timeout for test_trust is too short (6000s) and the nightly tests often fail. Increase to 7200s. Fixes: https://pagure.io/freeipa/issue/9326
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Anuja More <amore at redhat.com> - - - - - 3eed25e9 by Antonio Torres at 2023-03-30T15:49:45+02:00 doc: allow notes on Param API Reference pages The notes that Param pages will contain after #6733 are added manually, and because of it we need to add markers to differentiate between automated and manual content, equal to what we do for class pages. Signed-off-by: Antonio Torres <antorres at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 54026270 by Stanislav Levin at 2023-03-30T16:16:42+02:00 fastlint: Correct concatenation of file lists `printf` ignores excessive arguments unused in formatting. This resulted in only the first file from the two file lists being linted/stylechecked if both Python template files and Python modules were changed. Make use of formatting instead: > The format is reused as necessary to consume all of the arguments Fixes: https://pagure.io/freeipa/issue/9318 Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - def07260 by Florence Blanc-Renaud at 2023-04-05T09:27:45+02:00 ipatests: fix test definition for test_trust The nightly test test_trust.py has been split into 2 jobs, one for test_trust.py::TestTrust (test_trust) and the other for the remaining test classes from the same file (test_trust_autoprivate). The backport forgot to narrow down the first job definition to the class test_trust.py::TestTrust in the 4-10_previous pipeline. Fix this omission. Related: https://pagure.io/freeipa/issue/9326 Reviewed-By: Anuja More <amore at redhat.com> - - - - - 6db9bbd8 by mbhalodi at 2023-04-05T09:40:25+02:00 ipatests: add missing automember-cli tests Revisit the bash tests and port the valid tests to upstream. Related: https://pagure.io/freeipa/issue/9332
Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Michal Polovka <mpolovka at redhat.com> - - - - - 03180bed by Jarl Gullberg at 2023-04-05T09:50:08+02:00 ipaplatform/debian: fix path to ldap.so bind-dyndb-ldap on Debian installs ldap.so in a subdirectory of /usr/lib to prevent unintentional usage of an unversioned .so. The default settings for FreeIPA on Debian used an incomplete path, resulting in a failure to find ldap.so when bind attempts to start with bind-dyndb-ldap configured. This fixes the default path to use the appropriate location in its multiarch-qualified path. Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com> Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com> - - - - - 1b38ab17 by Jarl Gullberg at 2023-04-05T09:52:52+02:00 install: Fix missing dyndb keytab directive bind-dyndb-ldap uses the krb5_keytab directive to set the path to the keytab to use. This directive was not being used in the configuration template, resulting in a failure to start named if the keytab path differed from the defaults. This issue was discovered when packaging FreeIPA for Debian, which is one of the platforms where the path is customized. Signed-off-by: Jarl Gullberg <jarl.gullberg at gmail.com> Fixes: https://pagure.io/freeipa/issue/9344 Reviewed-By: Timo Aaltonen <tjaalton at ubuntu.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - e7506403 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 Ignore empty modification error in case cifs/.. principal already added Constrained delegation target may already be configured by default. Related: https://pagure.io/freeipa/issue/9354 
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 52e6da90 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 test_xmlrpc: adapt to automember plugin message changes in 389-ds Another change in automember plugin messaging that breaks FreeIPA tests. Use common substring to match. Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 7a7ba45c by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 ipa-kdb: search S4U2Proxy ACLs in cn=s4u2proxy,cn=etc,$BASEDN subtree only Confine the search for S4U2Proxy access control lists to the subtree where they are created. This will allow using a similar method to describe RBCD access controls. Related: https://pagure.io/freeipa/issue/5444 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 18cd909b by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 doc: add design document for Kerberos constrained delegation FreeIPA Kerberos implementation already supports delegation of credentials, both unconstrained and constrained. Constrained delegation is an extension developed by Microsoft and documented in MS-SFU specification. MS-SFU specification also includes resource-based constrained delegation (RBCD) which FreeIPA did not support. Microsoft has decided to force use of RBCD for forest trust. This means that certain use-cases will not be possible anymore. This design document outlines approaches used by FreeIPA for constrained delegation implementation, including RBCD. Fixes: https://pagure.io/freeipa/issue/9354 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 5b6ad0e6 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 IPA API changes to support RBCD IPA API commands to manage RBCD access controls. Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 7ac6adfa by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 kdb: implement RBCD handling in KDB driver Resource-based constrained delegation (RBCD) is implemented with a new callback used by the KDC. This callback is called when a server asks for S4U2Proxy TGS request and passes a ticket that contains RBCD PAC options. The callback is supposed to take client and server principals, a PAC and a target service database entry. Using the target service database entry it then needs to decide whether a server principal is allowed to delegate the client credentials to the target service. The callback can also cross-check whether the client principal can be limited in delegating its own tickets but this is not implemented in the current version. Fixes: https://pagure.io/freeipa/issue/9354 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 7d68f4f0 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 RBCD: add basic test for RBCD handling Add a test that uses IPA API to allow delegation of RBCD configuration to a host and then use it to set up RBCD rule for a service. Run RBCD check when the rule exists and when the rule is removed. Since we only provide RBCD support on KDC side with Kerberos 1.20, skip the test on Fedora versions prior to Fedora 38 and on RHEL versions prior to RHEL 9.2. Fixes: https://pagure.io/freeipa/issue/9354 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - b63e6a25 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 doc/designs/rbcd.md: add usage examples Fixes: https://pagure.io/freeipa/issue/9354
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - cb18ca31 by Alexander Bokovoy at 2023-04-06T08:53:32+02:00 doc/designs/rbcd.md: document use of S-1-18-* SIDs Fixes: https://pagure.io/freeipa/issue/9354 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 9c6b4f44 by Antonio Torres at 2023-04-06T17:36:18+02:00 Extend API documentation This includes: * Section about command/param info in usage guide * Section about metadata retrieval in usage guide * Guide about differences between CLI and API * Access control guide (management of roles, privileges and permissions). * Guide about API contexts * JSON-RPC usage guide and JSON-to-Python conversion * Notes about types in API Reference Signed-off-by: Antonio Torres <antorres at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 304fd550 by mbhalodi at 2023-04-13T10:51:52+02:00 ipatests: Test for sequence processing failures with server context 1 : Test to verify that groups have correct userclass when external is set to true or false with group-add. 2 : After creating a nonposix group verify that all following group_add calls to add posix groups calls are not failing with missing attribute. Related: https://pagure.io/freeipa/issue/9349 
Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Michal Polovka <mpolovka at redhat.com> Reviewed-By: Anuja More <amore at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Antonio Torres <antorres at redhat.com> - - - - - e2b08433 by Florence Blanc-Renaud at 2023-04-17T15:17:00-04:00 ipatests: mark known failures for autoprivategroup Two tests have known issues in test_trust.py with sssd 2.8.2+: - TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group (when called with the "hybrid" parameter) - TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default (when called with the "true" parameter) Related: https://pagure.io/freeipa/issue/9295 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - d63756eb by Christian Heimes at 2023-04-18T12:12:47+02:00 Speed up installer by restarting DS after DNA plugin DS does not enable plugins unless nsslapd-dynamic-plugins is enabled or DS is restarted. The DNA plugin creates its configuration entries with some delay after the plugin is enabled. DS is now restarted after the DNA plugin is enabled so it can create the entries while Dogtag and the rest of the system is installing. The updater `update_dna_shared_config` no longer blocks and waits for two times 60 seconds for `posix-ids` and `subordinate-ids`. Fixes: https://pagure.io/freeipa/issue/9358
Signed-off-by: Christian Heimes <cheimes at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 3b64eaa1 by Todd Zullinger at 2023-04-18T15:24:43+02:00 spec: verify upstream source signature Per the Fedora packaging guidelines¹. The GPG key was generated using details found on the wiki². The following commands can be used to fetch the signing key via fingerprint and extract it: fpr=0E63D716D76AC080A4A33513F40800B6298EB963 gpg --keyserver keys.openpgp.org --receive-keys $fpr gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc ¹ https://docs.fedoraproject.org/en-US/packaging-guidelines/#_verifying_signatures ² https://www.freeipa.org/page/Verify_Release_Signature Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 90d0f049 by Todd Zullinger at 2023-04-18T15:24:43+02:00 spec: silence krb5 pkgconf errors in %krb5_base_version Send stderr of pkgconf to /dev/null rather than printing the following error text while parsing the spec file: Package krb5 was not found in the pkg-config search path. Perhaps you should add the directory containing `krb5.pc' to the PKG_CONFIG_PATH environment variable Package 'krb5', required by 'virtual:world', not found `BuildRequires: pkgconfig(krb5)` ensures this won't happen when running a real build. It simply avoids 4 lines of needless error output when running something like `fedpkg prep`. Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 1f10aebc by Michal Polovka at 2023-04-20T12:57:32+02:00 ipatest: loginscreen: do not use hardcoded password Use admin password obtained from local config instead of hardcoded value, as the password may differ in different testing environments. https://pagure.io/freeipa/issue/9226
Signed-off-by: Michal Polovka <mpolovka at redhat.com> Reviewed-By: Erik Belko <ebelko at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - e2576670 by Rob Crittenden at 2023-04-27T11:17:47-04:00 Enforce sizelimit in cert-find The sizelimit option was not being passed into the dogtag ra_find() command so it always returned all available certificates. A value of 0 will retain old behavior and return all certificates. The default value is the LDAP searchsizelimit. Related: https://pagure.io/freeipa/issue/9331 
Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> Reviewed-By: Antonio Torres <antorres at redhat.com> - - - - - 50dd79d1 by Rob Crittenden at 2023-04-27T11:17:47-04:00 Use the OpenSSL certificate parser in cert-find cert-find is a rather complex beast because it not only looks for certificates in the optional CA but within the IPA LDAP database as well. It has a process to deduplicate the certificates since any PKI issued certificates will also be associated with an IPA record. In order to obtain the data to deduplicate the certificates the cert from LDAP must be parsed for issuer and serial number. ipaldap has automation to determine the datatype of an attribute and will use the python-cryptography engine to decode a certificate automatically if you access entry['usercertificate']. The downside is that this is comparatively slow. Here is the parse time in microseconds: OpenSSL.crypto 175 pyasn1 1010 python-cryptography 3136 The python-cryptography time is fine if you're parsing one certificate but if the LDAP search returns a lot of certificates, say in the thousands, then those microseconds add up quickly. In testing it took ~17 seconds to parse 5k certificates. It's hard to overstate just how much better the cryptography Python interface is. In the case of OpenSSL really the only certificate fields easily available are serial number, subject and issuer. And the subject/issuer are in the OpenSSL reverse format which doesn't compare nicely to the cryptography format. The DN module can correct this. Fortunately for cert-find we only need serial number and issuer, so the OpenSSL module is fine. It takes ~2 seconds. pyasn1 is also relatively faster but switching to it would require substantially more effort for less payback. cert-find when there are a lot of certificates has been historically slow. It isn't related to the CA which returns large sets (well, 5k anyway) in a second or two.
It was the LDAP comparison adding tens of seconds to the runtime. CLI times from before and after: original: ------------------------------- Number of entries returned 5011 ------------------------------- real 0m21.155s user 0m0.835s sys 0m0.159s using OpenSSL: real 0m5.747s user 0m0.864s sys 0m0.148s OpenSSL is forcibly lazy-loaded so it doesn't conflict with python-requests. See ipaserver/wsgi.py for the gory details. Fixes: https://pagure.io/freeipa/issue/9331 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> Reviewed-By: Antonio Torres <antorres at redhat.com> - - - - - bdb77a3d by Timo Aaltonen at 2023-04-28T09:51:56+02:00 Drop duplicate includedir from krb5.conf SSSD already provides a config snippet which includes SSSD_PUBCONF_KRB5_INCLUDE_D_DIR, and having both breaks Java. Add also a dependency on sssd-krb5 for freeipa-client. https://pagure.io/freeipa/issue/9267 Signed-off-by: Timo Aaltonen <tjaalton at debian.org> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 918b6e01 by Florence Blanc-Renaud at 2023-04-29T13:49:09+02:00 cert_find: fix call with --all When ipa cert-find --all is called, the function prints the certificate public bytes. The code recently switched to OpenSSL.crypto and the OpenSSL.crypto.X509 objects do not have the method public_bytes(). Use to_cryptography() to transform into a cryptography.x509.Certificate before calling public_bytes(). Related: https://pagure.io/freeipa/issue/9331
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 3d787c21 by Stanislav Levin at 2023-04-29T13:50:44+02:00 ipasphinx: Correct import of progress_message for Sphinx 6.1.0+ Pylint reports false-negative result for Sphinx 6.1.0+: ``` ************* Module ipasphinx.ipabase ipasphinx/ipabase.py:10: [E0611(no-name-in-module), ] No name 'progress_message' in module 'sphinx.util') ``` Actually `sphinx.util.progress_message` is still available in Sphinx 6.1 but it's deprecated and will be removed in 8.0: https://www.sphinx-doc.org/en/master/extdev/deprecated.html#deprecated-apis Related change: https://github.com/sphinx-doc/sphinx/commit/8c5e7013ea5f6a50e3cc3130b22205a85ba87fab Fixes: https://pagure.io/freeipa/issue/9361 Signed-off-by: Stanislav Levin <slev at altlinux.org> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 8a7c0683 by Rafael Guterres Jeffman at 2023-04-29T13:52:12+02:00 Fix "no entry" condition when searching PAC info Fix Covscan-discovered DEADCODE block when searching for PAC info, caused by a wrong condition being evaluated when entry is a trusted domain object. Fixes: https://pagure.io/freeipa/issue/9368 
Signed-off-by: Rafael Guterres Jeffman <rjeffman at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 76c78827 by Sudhir Menon at 2023-04-29T13:55:57+02:00 ipatests: ipa-adtrust-install command test scenarios This patch includes additional test cases that can be run against the ipa-adtrust-install CLI tool. test_adtrust_install_with_incorrect_netbios_name test_adtrust_install_as_regular_ipa_user test_adtrust_install_with_incorrect_admin_password test_adtrust_install_with_invalid_rid_base_value test_adtrust_install_with_invalid_secondary_rid_base test_adtrust_reinstall_updates_ipaNTFlatName_attribute test_adtrust_install_without_ipa_installed test_samba_credential_cache_is_removed_post_uninstall test_adtrust_install_without_integrated_dns test_adtrust_install_with_debug_option test_adtrust_install_cli_without_smbpasswd_file test_adtrust_install_enable_compat test_adtrust_install_invalid_ipaddress_option test_syntax_error_in_ipachangeconf test_unattended_adtrust_install_uses_default_netbios_name test_smb_not_starting_post_adtrust_install Signed-off-by: Sudhir Menon <sumenon at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 1c43d914 by Alexander Bokovoy at 2023-05-04T10:52:40+02:00 Change doc theme to 'book' RTD theme is not compatible with Sphinx 7.0+ https://github.com/readthedocs/readthedocs.org/issues/10279 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 717228c9 by Florence Blanc-Renaud at 2023-05-04T14:31:59+02:00 Nightly test: add +15min for test_ipahealthcheck The test test_ipahealthcheck.py::TestIpaHealthcheck frequently hits its 90min timeout. Extend by 15min to allow completion. Fixes: https://pagure.io/freeipa/issue/9362
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Anuja More <amore at redhat.com> - - - - - 846c267f by mbhalodi at 2023-05-04T16:12:25+02:00 ipatests: add remove automember condition tests Related: https://pagure.io/freeipa/issue/9332 Signed-off-by: mbhalodi <mbhalodi at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - d95c4cf1 by Florence Blanc-Renaud at 2023-05-04T18:18:26+02:00 spec file: force nodejs < 20 on fedora < 39 On fedora < 39, nodejs 20 is not the default version. As a consequence, the installation of nodejs20 adds the command /usr/bin/node-20 instead of /usr/bin/node. FreeIPA build is using the node command and fails if the command is missing. Force nodejs < 20 on fedora < 39 to make sure the node command is installed. Fixes: https://pagure.io/freeipa/issue/9374 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 16a81062 by s1341 at 2023-05-04T21:30:34+02:00 ipaplatform: add initial nixos support Fixes: https://pagure.io/freeipa/issue/9299 Signed-off-by: Shmarya Rubenstein <github at shmarya.net> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 3a9a5bda by Florence Blanc-Renaud at 2023-05-08T13:55:15-04:00 idview: improve performance of idview-show The command ipa idview-show NAME has a post callback method that replaces the ID override anchor with the corresponding user name. For instance the anchor ipaanchoruuid=:SID:S-1-5-21-3951964782-819614989-3867706637-1114 is replaced with the name of the ad user aduser at ad.test. The method loops on all the anchors and for each one performs the resolution, which can be a costly operation if the anchor is for a trusted user. Instead of doing a search for each anchor, it is possible to read the 'ipaOriginalUid' value from the ID override entry. Fixes: https://pagure.io/freeipa/issue/9372 
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 12d1aafe by Florence Blanc-Renaud at 2023-05-11T13:47:46+02:00 Tests: test on f37 and f38 Fedora 38 is now available, move the testing pipelines to - fedora 38 for the _latest definitions - fedora 37 for the _previous definitions Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Francisco Trivino <ftrivino at redhat.com> - - - - - bc394432 by Michal Polovka at 2023-05-16T17:32:14+02:00 ipatests: commands: Wait for the SSSD to become available The test preceding test_ssh_key_connection calls the ipa-server-upgrade command, which restarts all the associated services. Especially on slower machines, SSSD is not yet online when the SSH connection is attempted. This results in only cached users being available. Wait for SSSD to become available before the SSH connection is attempted. Fixes: https://pagure.io/freeipa/issue/9377 Signed-off-by: Michal Polovka <mpolovka at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 627c1101 by Florence Blanc-Renaud at 2023-05-16T14:37:21-04:00 azure tests: move to fedora 38
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 81a6b9ad by Rob Crittenden at 2023-05-16T16:23:47-04:00 Return the <Message> value of cert-find failures from the CA If a cert-find fails on the CA side we get a Message tag containing a string describing the failure plus the java stack trace. Pull out the first part of the message as defined by the first colon and include that in the error message returned to the user. The new message will appear as: $ ipa cert-find ipa: ERROR: Certificate operation cannot be completed: Unable to search for certificates (500) vs the old generic message: ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (500) This can be reproduced by setting nssizelimit to 100 on the pkidbuser. The internal PKI search returns err=4 but the CA tries to convert all values into certificates and it fails. The value needs to be high enough that the CA can start but low enough that you don't have to create hundreds of certificates to demonstrate the issue. https://pagure.io/freeipa/issue/9369 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - edcdcf83 by Mohammad Rizwan at 2023-05-22T08:02:30+02:00 ipatests: wait for sssd-kcm to settle after date change In order to expire the ACME cert, the system date is moved, and issuing the kinit command then results in failure. Hence run the kinit command repeatedly until things settle. This patch removes the sleep and adds tasks.run_repeatedly() instead.
Signed-off-by: Mohammad Rizwan <myusuf at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <flo at redhat.com> - - - - - 7830ab96 by Florence Blanc-Renaud at 2023-05-23T20:59:03+02:00 user or group name: explain the supported format The commands ipa user-add or ipa group-add validate the format of the user/group name and display the following message when it does not conform to the expectations: invalid 'login': may only include letters, numbers, _, -, . and $ The format is more complex, for instance '1234567' is an invalid user name but the failure is inconsistent with the error message. Modify the error message to point to ipa help user/group and add more details in the help message. Same change for idoverrideuser and idoverridegroup: The user/group name must follow these rules: - cannot contain only numbers - must start with a letter, a number, _ or . - may contain letters, numbers, _, ., or - - may end with a letter, a number, _, ., - or $ Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2150217 Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com> Reviewed-By: Alexander Bokovoy <abbra at users.noreply.github.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - 58173c02 by Jerry James at 2023-05-24T14:08:45-04:00 Change fontawesome-fonts requires to match fontawesome 4.x fontawesome 6.x is not entirely compatible with 4.x version but in Fedora the change was made to make 4.x bits FreeIPA depends on to be forward-ported to 6.x build. This also allows to have common dependency for all versions. This patch switches to the common dependency using 'fonts(fontawesome)'. This works on all Fedora and RHEL versions. Signed-off-by: Jerry James <loganjerry at gmail.com> 
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> - - - - - abe71fe1 by Rob Crittenden at 2023-05-24T17:57:22-04:00 Mention in ipa-client-install that nscd is disabled Also warn that similar services may also need to be disabled. An example is an nscd replacement named unscd. Fixes: https://pagure.io/freeipa/issue/9086 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - a6f485fc by Florence Blanc-Renaud at 2023-05-25T08:32:59+02:00 ACME tests: fix issue_and_expire_acme_cert method The fixture issue_and_expire_acme_cert is changing the date on master and client. It also resets the admin password as it gets expired after the date change. Currently the code is resetting the password by performing kinit on the client, which leaves the master with an expired ticket in its cache. Reset the password on the master instead in order to have a valid ticket for the next operations. Fixes: https://pagure.io/freeipa/issue/9383 
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Mohammad Rizwan <myusuf at redhat.com> - - - - - 630cda5c by Julien Rische at 2023-06-01T08:01:00+02:00 kdb: Use krb5_pac_full_sign_compat() when available In November 2022, Microsoft introduced a new PAC signature type called "extended KDC signature" (or "full PAC checksum"). This new PAC signature will be required by default by Active Directory in July 2023 for S4U requests, and opt-out will no longer be possible after October 2023. Support for this new signature type was added to MIT krb5, but it relies on the new KDB API introduced in krb5 1.20. For older MIT krb5 versions, the code generating extended KDC signatures cannot be backported as it is without backporting the full new KDB API code too. This would have too much impact to be done. As a consequence, krb5 packages for Fedora 37, CentOS 8 Stream, and RHEL 8 will include a downstream-only update adding the krb5_pac_full_sign_compat() function, which can be used in combination with the prior to 1.20 KDB API to generate PAC extended KDC signatures. Fixes: https://pagure.io/freeipa/issue/9373 
Signed-off-by: Julien Rische <jrische at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - bbe545ff by Julien Rische at 2023-06-01T08:01:00+02:00 Tolerate absence of PAC ticket signature depending on server capabilities Since November 2020, the Active Directory KDC generates a new type of signature as part of the PAC. It is called "ticket signature", and is generated based on the encrypted part of the ticket. The presence of this signature is not mandatory in order for the PAC to be accepted for S4U requests. However, the behavior is different for MIT krb5. Support was added as part of the 1.20 release, and this signature is required in order to process S4U requests. Contrary to the PAC extended KDC signature, the code generating this signature cannot be isolated and backported to older krb5 versions because this version of the KDB API does not allow passing the content of the ticket's encrypted part to IPA. This is an issue in gradual upgrade scenarios where some IPA servers rely on 1.19 and older versions of MIT krb5, while others use version 1.20 or newer. A service ticket that was provided by a 1.19- IPA KDC will be rejected when used by a service against a 1.20+ IPA KDC for S4U requests. On Fedora, CentOS 9 Stream, and RHEL 9, when the krb5 version is 1.20 or newer, it will include a downstream-only update adding the "optional_pac_tkt_chksum" KDB string attribute allowing the absence of PAC ticket signatures to be tolerated, if necessary. This commit adds an extra step during the installation and update processes where it adds a "pacTktSignSupported" ipaConfigString attribute in "cn=KDC,cn=[server],cn=masters,cn=ipa,cn=etc,[basedn]" if the MIT krb5 version IPA was built with is 1.20 or newer. This commit also sets "optional_pac_tkt_chksum" as a virtual KDB entry attribute.
This means the value of the attribute is not actually stored in the database (to avoid race conditions), but its value is determined at KDC start time by searching for the "pacTktSignSupported" ipaConfigString in the server list. If this value is missing for at least one of them, enforcement of the PAC ticket signature is disabled by setting "optional_pac_tkt_chksum" to true for the local realm TGS KDB entry. For foreign realm TGS KDB entries, the "optional_pac_tkt_chksum" virtual string attribute is set to true systematically, because, at least for now, trusted AD domains can still have PAC ticket signature support disabled. Given that the "pacTktSignSupported" ipaConfigString for a single server is added when this server is updated, and that the value of "optional_pac_tkt_chksum" is determined at KDC start time based on the ipaConfigString attributes of all the KDCs in the domain, this requires restarting all the KDCs in the domain after all IPA servers were updated in order for PAC ticket signature enforcement to actually take effect. Fixes: https://pagure.io/freeipa/issue/9371 Signed-off-by: Julien Rische <jrische at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 7ea3b866 by Julien Rische at 2023-06-01T08:01:00+02:00 Filter out constrained delegation ACL from KDB entry Commit f78dc0b163 was missing an exception for the constrained delegation ACL TL data type during the principal entry update operation. This ACL is not meant to be stored as encoded data in krbExtraData.
Signed-off-by: Julien Rische <jrische at redhat.com> Reviewed-By: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com> - - - - - 3d0decd9 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: hint KDC to use aes256-sha1 for forest trust TGT From https://krbdev.mit.edu/rt/Ticket/Display.html?id=9089 -------- The KDC uses the first local TGT key for the privsvr and full PAC checksums. If this key is of an aes-sha2 enctype in a cross-realm TGT, a Microsoft KDC in the target realm may reject the ticket because it has an unexpectedly large privsvr checksum buffer. This behavior is unnecessarily picky as the target realm KDC cannot and does not need to verify the privsvr checksum, but [MS-PAC] 2.8.2 does limit the checksum key to three specific enctypes. -------- Use MIT Kerberos 1.21+ facility to hint about proper enctype for cross-realm TGT. Fixes: https://pagure.io/freeipa/issue/9124 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 803a4477 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: protect against context corruption Early in startup the LDAP server might not respond well yet and should_support_pac_tkt_sign() will bail out with KRB5_KDB_SERVER_INTERNAL_ERR. We should postpone this call but for the time being we should prevent a crash. The crash happens because init_module() returns with an error and KDC then calls fini_module() which will free the DB context which is already corrupted for some reason. Do not make any free() call because the whole context is corrupted as tests do show. Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - fefa0248 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: postpone ticket checksum configuration Postpone ticket checksum configuration after KDB module was initialized. This, in practice, should now happen when a master key is retrieved.
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - bd8fcd6f by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: process out of realm server lookup during S4U Kerberos principal aliases lookup had a long-standing TODO item to support server referrals for host-based aliases. This commit implements server referrals for hosts belonging to trusted domains. The use-case is a part of S4U processing in a two-way trust when an IPA service requests a ticket to a host in a trusted domain (e.g. service on AD DC). In such situation, the server principal in TGS request will be a normal principal in our domain and KDC needs to respond with a server referral. This referral can be issued by a KDB driver or by the KDC itself, using 'domain_realms' section of krb5.conf. Since KDB knows all suffixes associated with the trusted domains, implement the logic there. Fixes: https://pagure.io/freeipa/issue/9164 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 1b55e9b1 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipa-kdb: skip verification of PAC full checksum MIT Kerberos KDC code will do verification of the PAC full checksum buffers, we don't need to process them. This change only applies to newer MIT Kerberos version which have this buffer type defined, hence using #ifdef to protect the use of the define. This should have no functional difference. Related: https://pagure.io/freeipa/issue/9371 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 11ce2b21 by Alexander Bokovoy at 2023-06-01T15:48:45+02:00 ipalib/x509.py: Add signature_algorithm_parameters Python-cryptography 41.0.0 new abstract method. Signed-off-by: Christian Heimes <cheimes at redhat.com> 
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Julien Rische <jrische at redhat.com> - - - - - 325a1319 by Rob Crittenden at 2023-06-02T10:00:57+02:00 Replace usage of #!/usr/bin/env python3 with #!/usr/bin/python3 Only three remaining scripts used this form, two of which are for developers only and not shipped. The shebang in ipa-ccache-sweeper will be converted to "#!$(PYTHON) -I" in the build process. Fixes: https://pagure.io/freeipa/issue/8941 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Rafael Guterres Jeffman <rjeffman at redhat.com> - - - - - f2b821ab by Alexander Bokovoy at 2023-06-02T16:01:41-04:00 ipa-kdb: be compatible with krb5 1.19 when checking for server referral Related: https://pagure.io/freeipa/issue/9164 Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - 58017abe by Rob Crittenden at 2023-06-02T18:30:08-04:00 Don't allow a group to be converted to POSIX and external This condition was checked in group-add but not in group-mod. This evaluation is done later in the pre_callback so that all the other machinations about posix are already done to make it easier to tell whether this condition is true or not. Fixes: https://pagure.io/freeipa/issue/8990 Signed-off-by: Rob Crittenden <rcritten at redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com> - - - - - 283f5463 by Florence Blanc-Renaud at 2023-06-05T14:00:17+02:00 ipatest: remove xfail from test_smb test_smb is now successful because the windows server version has been updated to windows-server-2022 with - KB5012170 - KB5025230 - KB5022507 - servicing stack 10.0.20348.1663 in freeipa-pr-ci commit 3ba4151. Remove the xfail. Fixes: https://pagure.io/freeipa/issue/9124 
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com> Reviewed-By: Mohammad Rizwan <myusuf at redhat.com> - - - - - e3797ca2 by Antonio Torres at 2023-06-06T09:40:38+02:00 Update translations to FreeIPA ipa-4-10 state Signed-off-by: Antonio Torres <antorres at redhat.com> - - - - - 03b92fb4 by Antonio Torres at 2023-06-06T09:43:34+02:00 Update list of contributors 
Signed-off-by: Antonio Torres <antorres at redhat.com> - - - - - 2fd9cbbe by Antonio Torres at 2023-06-06T10:01:01+02:00 Become IPA 4.10.2 - - - - - 1099db0f by Timo Aaltonen at 2023-06-07T14:46:19+03:00 Merge branch 'upstream' - - - - - f52e2b0a by Timo Aaltonen at 2023-06-07T14:46:39+03:00 version bump - - - - - 78ec5308 by Timo Aaltonen at 2023-06-07T14:49:16+03:00 drop upstreamed patches - - - - - 8a91716a by Timo Aaltonen at 2023-06-07T14:59:25+03:00 source: Update extend-diff-ignore. - - - - - 7f36ccfc by Timo Aaltonen at 2023-06-07T15:04:59+03:00 Revert "copyright, watch: Filter prebuilt html documentation from the tarball." This reverts commit a94f7bbf72c6f7a864f2e15b3fc9da1be52b1b58. - - - - - 14f90712 by Timo Aaltonen at 2023-06-07T15:09:57+03:00 Upload to experimental, build the server and enable tests. - - - - - 30 changed files: - .wheelconstraints.in - ACI.txt - API.txt - Contributors.txt - Makefile.am - VERSION.m4 - client/man/ipa-client-install.1 - configure.ac - contrib/lite-server.py - contrib/lite-setup.py - daemons/dnssec/ipa-dnskeysyncd.in - daemons/ipa-kdb/ipa_kdb.c - daemons/ipa-kdb/ipa_kdb.h - daemons/ipa-kdb/ipa_kdb_common.c - daemons/ipa-kdb/ipa_kdb_delegation.c - daemons/ipa-kdb/ipa_kdb_mspac.c - daemons/ipa-kdb/ipa_kdb_mspac_v6.c - daemons/ipa-kdb/ipa_kdb_principals.c - daemons/ipa-otpd/ipa-otpd at .service.in - debian/changelog - debian/control - debian/copyright - − debian/patches/fix-ldap-so-path.diff - − debian/patches/install-fix-missing-dyndb-keytab-directive.diff - debian/patches/series - debian/rules - debian/source/local-options - debian/tests/control - debian/watch - doc/api/A6Record.md The diff was not included because it is too large.
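The user/group name rules spelled out in commit 7830ab96 above (cannot be all digits; must start with a letter, digit, _ or .; may contain -, and $ only as the last character) are easier to check than to read. The block below is an added example, not FreeIPA's own validator: the character sets and the regular expression are this editor's transcription of the four rules, "letter" is assumed to mean an ASCII letter, and the sample names are constructed.

```python
import re

# Name rules as listed in commit 7830ab96 (user, group, idoverrideuser and
# idoverridegroup names). Transcribed by the editor, not FreeIPA's own code;
# "letter" is assumed to mean an ASCII letter.
_LETTERS_DIGITS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789")
_FIRST = _LETTERS_DIGITS | set("_.")   # must start with a letter, a number, _ or .
_MIDDLE = _FIRST | {"-"}                # may contain letters, numbers, _, ., or -
_LAST = _MIDDLE | {"$"}                 # may end with a letter, a number, _, ., - or $

# The same rules as a single pattern, used to cross-check the rule-by-rule
# validator below. The all-digits exclusion is handled separately.
NAME_RE = re.compile(r"^[A-Za-z0-9_.](?:[A-Za-z0-9_.-]*[A-Za-z0-9_.$-])?$")


def _all_digits(name):
    return name.isascii() and name.isdigit()


def validate_name(name):
    """Return (ok, reason); reason names the rule that rejected the name."""
    if not name:
        return False, "name is empty"
    if _all_digits(name):
        return False, "cannot contain only numbers"
    if name[0] not in _FIRST:
        return False, "must start with a letter, a number, _ or ."
    if name[-1] not in _LAST:
        return False, "may end with a letter, a number, _, ., - or $"
    # Characters between the first and the last one (empty for names of one
    # or two characters). This is what rejects '$' anywhere but at the end.
    bad = [ch for ch in name[1:-1] if ch not in _MIDDLE]
    if bad:
        return False, "may contain letters, numbers, _, ., or - (found %r)" % bad[0]
    return True, ""


def matches_pattern(name):
    """Regex form of the same rules, including the all-digits exclusion."""
    return bool(NAME_RE.match(name)) and not _all_digits(name)


# Constructed sample names. '1234567' is the case the commit message calls
# out: rejected, although the old error text made it look acceptable.
SAMPLES = ["aduser", "1234567", "1a", ".hidden", "user$", "$user",
           "a$b", "-dash", "dash-", "na me", "user$$", ""]


def check_samples(samples=SAMPLES):
    """Map each sample to its verdict and insist both validators agree."""
    verdicts = {}
    for name in samples:
        ok, reason = validate_name(name)
        if ok != matches_pattern(name):
            raise AssertionError("rule check and regex disagree on %r" % name)
        verdicts[name] = (ok, reason)
    return verdicts


if __name__ == "__main__":
    for name, (ok, reason) in check_samples().items():
        print("%-10r %s %s" % (name, "ok  " if ok else "FAIL", reason))
```

Returning the violated rule rather than a generic "may only include ..." string is the point of the commit: a name like `1234567` or `a$b` fails one specific rule, and the error should say which.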
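Commit bbe545ff above describes how the KDB driver decides, once at KDC start-up, whether a missing PAC ticket signature is tolerated: the local realm's TGS entry gets `optional_pac_tkt_chksum=true` while any KDC in the domain lacks `pacTktSignSupported`, cross-realm TGS entries always get it, and nothing changes until every KDC is restarted. The following is an added model of that decision for planning an upgrade, not ipa-kdb's code: the function names are the editor's, and the `ipaConfigString` values are constructed.

```python
# Model of the optional_pac_tkt_chksum decision from commit bbe545ff.
# Editor's example, not ipa-kdb code; sample data below is constructed.

PAC_TKT_SIGN_SUPPORTED = "pacTktSignSupported"

# ipaConfigString values of cn=KDC,cn=<server>,cn=masters,cn=ipa,cn=etc,<basedn>
# for three servers of one domain mid-upgrade (constructed, not real data).
SAMPLE_KDC_ENTRIES = {
    "ipa1.ipa.test": ("enabledService", PAC_TKT_SIGN_SUPPORTED),
    "ipa2.ipa.test": ("enabledService", PAC_TKT_SIGN_SUPPORTED),
    "ipa3.ipa.test": ("enabledService",),   # not yet updated (krb5 < 1.20)
}


def parse_principal(principal):
    """Split 'service/instance@REALM' into (service, instance, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError("principal has no realm: %r" % principal)
    service, _, instance = name.partition("/")
    return service, instance, realm


def servers_missing_tkt_sign(kdc_entries):
    """Servers whose KDC entry lacks pacTktSignSupported. These still have to
    be updated, and every KDC restarted afterwards, before enforcement starts."""
    return sorted(server for server, cfg in kdc_entries.items()
                  if PAC_TKT_SIGN_SUPPORTED not in cfg)


def optional_pac_tkt_chksum(principal, local_realm, kdc_entries):
    """Value the driver would attach to a TGS entry at KDC start-up.

    True: absence of the PAC ticket signature is tolerated.
    False: signature enforced. None: not a TGS entry of this realm."""
    service, instance, realm = parse_principal(principal)
    if service != "krbtgt" or realm != local_realm:
        return None
    if instance != local_realm:
        # Cross-realm TGS (e.g. krbtgt/AD.TEST@IPA.TEST): always tolerated,
        # since trusted AD domains may still have ticket signatures disabled.
        return True
    # Local TGS: tolerated only while some KDC in the domain lacks support.
    # Evaluated once at start-up, so a change in LDAP needs a KDC restart.
    return bool(servers_missing_tkt_sign(kdc_entries))


def rollout_state(kdc_entries):
    """What an admin mid-upgrade wants to know before restarting KDCs."""
    missing = servers_missing_tkt_sign(kdc_entries)
    return {
        "enforced_after_restart": not missing,
        "servers_to_update": missing,
    }


if __name__ == "__main__":
    print(rollout_state(SAMPLE_KDC_ENTRIES))
    print(optional_pac_tkt_chksum("krbtgt/IPA.TEST@IPA.TEST", "IPA.TEST",
                                  SAMPLE_KDC_ENTRIES))
```

With `ipa3.ipa.test` still lacking the flag the local TGS stays tolerant; once all three entries carry it, enforcement turns on only for KDCs restarted after that point, which is why the commit asks for a restart of all KDCs once the last server is updated.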
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/e54a0f5416213b3b9e58bd6d3d29f7bf0d9288d2...14f907125212cc19b34f553ba248622f9f0cf50e You're receiving this email because of your account on salsa.debian.org. From gitlab at salsa.debian.org Wed Jun 7 17:07:57 2023 From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton)) Date: Wed, 07 Jun 2023 16:07:57 +0000 Subject: [Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master-next] 3 commits: copyright, source: Fix some lintian issues/overrides. Message-ID: <6480ab5d1149_136f88472ac31136a@godard.mail> Timo Aaltonen pushed to branch master-next at FreeIPA packaging / freeipa Commits: 7b87d73b by Timo Aaltonen at 2023-06-07T19:01:26+03:00 copyright, source: Fix some lintian issues/overrides. - - - - - bd5c1073 by Timo Aaltonen at 2023-06-07T19:07:15+03:00 server-trust-ad: Add a lintian override for the samba plugin rpath. - - - - - 617d19aa by Timo Aaltonen at 2023-06-07T19:07:23+03:00 Upload to experimental, build the server and enable tests. - - - - - 7 changed files: - debian/changelog - debian/control - debian/copyright - + debian/freeipa-server-trust-ad.lintian-overrides - debian/rules - debian/source/lintian-overrides - debian/tests/control Changes: ===================================== debian/changelog =====================================
@@ -1,8 +1,16 @@ +freeipa (4.10.2-1+exp1) UNRELEASED; urgency=medium + + * Upload to experimental, build the server and enable tests. + + -- Timo Aaltonen Tue, 28 Feb 2023 22:07:14 +0200 + freeipa (4.10.2-1) UNRELEASED; urgency=medium * New upstream release. * control: Bump sssd, bind9 depends. * source: Update extend-diff-ignore. + * copyright, source: Fix some lintian issues/overrides. + * server-trust-ad: Add a lintian override for the samba plugin rpath. -- Timo Aaltonen Tue, 21 Feb 2023 10:13:42 +0200 ===================================== debian/control ===================================== @@ -50,6 +50,20 @@ Build-Depends: python3-yubico, systemd, uuid-dev, + 389-ds-base-dev (>= 1.4.4.16), + libpwquality-dev, + libsss-idmap-dev, + libsss-certmap-dev, + libsss-nss-idmap-dev (>= 1.14.0), + libtevent-dev, + libunistring-dev, + libverto-dev, + nodejs [amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x], + pki-base (>= 10.10.6~), + python3-lesscpy, + python3-pkg-resources, + python3-rjsmin, + samba-dev, Package: freeipa-common Architecture: all 
@@ -201,3 +215,183 @@ Description: FreeIPA centralized identity framework -- shared Python3 modules . This Python3 module is used by other FreeIPA packages. + +Package: freeipa-server +Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x +Breaks: freeipa-server-trust-ad (<< 4.3.0-1) +Replaces: freeipa-server-trust-ad (<< 4.3.0-1) +Depends: + 389-ds-base (>= 1.4.4.16), + acl, + adduser, + apache2 (>= 2.4.41-4ubuntu2), + certmonger (>= 0.79.5-2), + chrony, + fonts-font-awesome, + fonts-open-sans, + freeipa-client (= ${binary:Version}), + freeipa-common (= ${source:Version}), + gssproxy (>= 0.8.2-2), + krb5-admin-server, + krb5-kdc (>= 1.18), + krb5-kdc-ldap, + krb5-otp, + krb5-pkinit, + ldap-utils, + libapache2-mod-auth-gssapi (>= 1.5.0), + libapache2-mod-lookup-identity (>= 1.0.0), + libapache2-mod-wsgi-py3, + libjs-dojo-core, + libjs-jquery, + libjs-scriptaculous, + libnss3-tools, + libsasl2-modules-gssapi-mit, + oddjob (>= 0.34.3-2), + p11-kit, + pki-ca (>= 10.10.6~), + pki-kra (>= 10.10.6~), + python3-dateutil, + python3-ipaserver (= ${source:Version}), + python3-gssapi, + python3-ldap (>= 2.4.22), + python3-systemd, + slapi-nis (>= 0.56.1), + ssl-cert, + sssd-dbus, + systemd-sysv, + ${misc:Depends}, + ${python3:Depends}, + ${shlibs:Depends} +Recommends: + freeipa-server-dns, +Description: FreeIPA centralized identity framework -- server + FreeIPA is an integrated solution to provide centrally managed Identity + (machine, user, virtual machines, groups, authentication credentials), Policy + (configuration settings, access control information) and Audit (events, + logs, analysis thereof). + . + This is the server package. 
+ +Package: freeipa-server-dns +Architecture: all +Breaks: freeipa-server (<< 4.3.0-1) +Replaces: freeipa-server (<< 4.3.0-1) +Depends: + freeipa-server (>= ${source:Version}), + bind9 (>= 1:9.18.7), + bind9-dyndb-ldap (>= 11.4), + libengine-pkcs11-openssl, + opendnssec (>= 1:2.1.5), + softhsm2, + ${misc:Depends}, + ${python3:Depends}, + ${shlibs:Depends} +Description: FreeIPA centralized identity framework -- IPA DNS integration + FreeIPA is an integrated solution to provide centrally managed Identity + (machine, user, virtual machines, groups, authentication credentials), Policy + (configuration settings, access control information) and Audit (events, + logs, analysis thereof). + . + This package adds DNS integration with BIND 9. + +Package: freeipa-server-trust-ad +Architecture: amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x +Depends: + freeipa-common (= ${source:Version}), + freeipa-server (= ${binary:Version}), + python3-ipaserver (= ${source:Version}), + python3-samba, + samba, + winbind, + ${misc:Depends}, + ${python3:Depends}, + ${shlibs:Depends} +Multi-Arch: same +Description: FreeIPA centralized identity framework -- AD trust installer + FreeIPA is an integrated solution to provide centrally managed Identity + (machine, user, virtual machines, groups, authentication credentials), Policy + (configuration settings, access control information) and Audit (events, + logs, analysis thereof). + . + Cross-realm trusts with Active Directory in IPA require working Samba 4 + installation. This package is provided for convenience to install all required + dependencies at once. 
+ +Package: freeipa-tests +Architecture: all +Depends: + python3-ipalib (>= ${source:Version}), + python3-ipatests (>= ${source:Version}), + python3-pytest, + ${misc:Depends}, + ${python3:Depends} +Recommends: python3-yaml +Description: FreeIPA centralized identity framework -- tests + FreeIPA is an integrated solution to provide centrally managed Identity + (machine, user, virtual machines, groups, authentication credentials), Policy + (configuration settings, access control information) and Audit (events, + logs, analysis thereof). + . + This package contains tests that verify IPA functionality. + +Package: python3-ipaserver +Architecture: all +Section: python +Breaks: freeipa-server (<< 4.3.0-1), + freeipa-server-trust-ad (<< 4.4.4-1), +Replaces: freeipa-server (<< 4.3.0-1), + freeipa-server-trust-ad (<< 4.4.4-1), +Depends: + freeipa-common (= ${binary:Version}), + pki-tools (>= 10.2.6-3), + python3-dbus, + python3-dnspython, + python3-gssapi, + python3-ipaclient (= ${binary:Version}), + python3-ipalib (>= ${source:Version}), + python3-jwcrypto, + python3-kdcproxy, + python3-ldap (>= 2.4.22), + python3-libsss-nss-idmap, + python3-pki-base, + python3-pyasn1, + python3-sss, + samba-common, + zip, + ${misc:Depends}, + ${python3:Depends}, +Description: FreeIPA centralized identity framework -- Python3 modules for server + FreeIPA is an integrated solution to provide centrally managed Identity + (machine, user, virtual machines, groups, authentication credentials), Policy + (configuration settings, access control information) and Audit (events, + logs, analysis thereof). + . + This Python3 module is used by FreeIPA server. 
+ +Package: python3-ipatests +Architecture: all +Section: python +Breaks: freeipa-tests (<< 4.3.0-1) +Replaces: freeipa-tests (<< 4.3.0-1) +Depends: + libnss3-tools, + python3-ipalib (>= ${source:Version}), + python3-mock, + python3-paramiko, + python3-paste, + python3-polib, + python3-pytest-multihost, + python3-pytest-sourceorder, + python3-sss, + xz-utils, + ${misc:Depends}, + ${python3:Depends} +Recommends: python3-yaml +Description: FreeIPA centralized identity framework -- Python3 modules for tests + FreeIPA is an integrated solution to provide centrally managed Identity + (machine, user, virtual machines, groups, authentication credentials), Policy + (configuration settings, access control information) and Audit (events, + logs, analysis thereof). + . + This Python3 module is used by FreeIPA tests. + ===================================== debian/copyright ===================================== @@ -6,6 +6,11 @@ Files: * Copyright: 1999-2011 Red Hat, Inc. License: GPL-3+ +Files: debian/* +Copyright: Michele Baldessari michele at pupazzo.org> + Timo Aaltonen +License: GPL-2+ + Files: daemons/ipa-slapi-plugins/*/*.c daemons/ipa-slapi-plugins/*/*.h Copyright: 2005-2010 Red Hat, Inc. @@ -81,9 +86,8 @@ Copyright: 2012-2013, Dave Gandy License: MIT Files: install/ui/util/build/build.js - install/ui/util/build/_base/configRhino.js install/ui/build/dojo/dojo.js - debian/missing-sources/dojo + debian/missing-sources/dojo/* Copyright: 2004-2012, The Dojo Foundation License: BSD-3-clause or AFL-2.1 
@@ -92,11 +96,6 @@ Copyright: 2009, John Resig, J?rn Zaefferer 2008, Ariel Flesler License: MIT or GPL-2 or BSD-2-clause -Files: debian/* -Copyright: Michele Baldessari michele at pupazzo.org> - Timo Aaltonen -License: GPL-2+ - License: GPL-2 On Debian machines the full text of the GNU General Public License version 2 can be found in the file /usr/share/common-licenses/GPL-2. ===================================== debian/freeipa-server-trust-ad.lintian-overrides ===================================== @@ -0,0 +1,2 @@ +# plugin +custom-library-search-path ===================================== debian/rules ===================================== @@ -9,11 +9,11 @@ include /usr/share/dpkg/pkg-info.mk CFLAGS += -D_FORTIFY_SOURCE=2 # build server only where nodejs is available -#ifneq (,$(filter $(DEB_HOST_ARCH), amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x)) -# ONLY_CLIENT=0 -#else +ifneq (,$(filter $(DEB_HOST_ARCH), amd64 arm64 armhf i386 mips mips64el mipsel ppc64 ppc64el s390x)) + ONLY_CLIENT=0 +else ONLY_CLIENT=1 -#endif +endif DESTDIR=$(CURDIR)/debian/tmp ===================================== debian/source/lintian-overrides ===================================== 
@@ -1,11 +1,8 @@ -# a few long lines, this is still the unminified one -freeipa source: source-is-missing debian/missing-sources/qrcode.js line length is 602 characters (>512) - # missing-sources/dojo/*, see install/ui/src/dojo.profile.js -freeipa source: source-is-missing install/ui/build/dojo/dojo.js line length is 31980 characters (>512) +freeipa source: source-is-missing [install/ui/build/dojo/dojo.js] # missing-sources/jquery-*.js -freeipa source: source-is-missing install/ui/src/libs/jquery.js line length is 32584 characters (>512) +freeipa source: source-is-missing [install/ui/src/libs/jquery.js] # missing-sources/build/*, see install/ui/src/build.profile.js -freeipa source: source-is-missing install/ui/util/build/build.js line length is 31954 characters (>512) +freeipa source: source-is-missing [install/ui/util/build/build.js] ===================================== debian/tests/control ===================================== @@ -1,8 +1,8 @@ -#Tests: server-install -#Depends: -# freeipa-server, freeipa-client, freeipa-server-dns, -# sudo, -#Restrictions: -# allow-stderr, -# isolation-container, -# needs-root, +Tests: server-install +Depends: + freeipa-server, freeipa-client, freeipa-server-dns, + sudo, +Restrictions: + allow-stderr, + isolation-container, + needs-root, View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/14f907125212cc19b34f553ba248622f9f0cf50e...617d19aa5295cb1d8bc8da86cb26b2692b37c9af
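Review bot: the debian/changelog hunk stacks a new 4.10.2-1+exp1 entry on top of a 4.10.2-1 entry that is itself still UNRELEASED, and the new entry also says UNRELEASED although its only bullet is "Upload to experimental, build the server and enable tests." If 4.10.2-1 was never uploaded, fold everything into one entry whose distribution is set to experimental at upload time; otherwise mark 4.10.2-1 as released, because the two bullets added to it in this same hunk ("copyright, source: Fix some lintian issues/overrides." and "server-trust-ad: Add a lintian override for the samba plugin rpath.") are recorded under an entry that is not the one being uploaded.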
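Review bot: in the debian/control Build-Depends hunk only nodejs carries the architecture list, while the server-only build dependencies added beside it (389-ds-base-dev, pki-base, samba-dev, the libsss-*-dev set, python3-lesscpy, python3-rjsmin) are unconditional, so on the architectures where debian/rules sets ONLY_CLIENT=1 they still have to be installable for the client-only build to start. Either qualify them with the same architecture list or put the server build behind a build profile so the list is defined once; as written it is repeated here, in the Architecture fields of the server packages and again in debian/rules.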
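Review bot: in the hunk adding the server package stanzas, freeipa-server depends on apache2 (>= 2.4.41-4ubuntu2); an Ubuntu revision in a Debian version constraint is misleading and is satisfied by any current Debian apache2 anyway, so either drop the version or use the Debian version that first shipped whatever is needed. In the same hunk freeipa-server-trust-ad is declared Multi-Arch: same although it is an installer package depending on python3-samba and on freeipa-server (= ${binary:Version}), which is not Multi-Arch: same; a package that cannot be co-installed for two architectures should not carry that field.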
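Review bot: moving the Files: debian/* stanza above the Dojo stanza in debian/copyright is the right fix, since in DEP-5 a later matching stanza takes precedence and the old order let debian/* claim debian/missing-sources/dojo for the packaging copyright; the changelog bullet should say so rather than "Fix some lintian issues/overrides". Dropping install/ui/util/build/_base/configRhino.js from the Dojo stanza makes that path fall under Files: * (Red Hat, GPL-3+), so confirm the file is gone from the 4.10.2 tarball rather than silently relicensed by omission.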
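Review bot: the new debian/freeipa-server-trust-ad.lintian-overrides contains an unqualified "custom-library-search-path", which silences the tag for every ELF object in the package, not only the Samba plugin the commit message refers to; add the plugin's path in brackets after the tag so a stray RPATH elsewhere is still reported. Also state why the RPATH is legitimate: if it points into Samba's private library directory the override is justified, but if it points at a standard search directory it should be stripped at build time (chrpath) instead of overridden.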
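Review bot: the debian/rules hunk re-enables the commented-out architecture switch for ONLY_CLIENT, which is fine, but its architecture list now lives in three places (here, the nodejs Build-Depends and the Architecture fields of freeipa-server and freeipa-server-trust-ad). Define it once or at least add a comment next to the ifneq pointing at the other copies, so a future port does not end up with the client built on an architecture the server packages still claim.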
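Review bot: the debian/source/lintian-overrides hunk drops the override for debian/missing-sources/qrcode.js without saying why source-is-missing no longer fires for it; if that file still has a 602-character line, the tag comes back on the next lintian run, so either keep the override or note that the file was removed. The remaining overrides are converted from the old free-text context to the bracketed [file] form, which only matches what a lintian new enough to print that form emits; worth a sentence in the changelog so that anyone backporting to a release with an older lintian knows why the overrides stop matching.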
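Review bot: the debian/tests/control hunk enables the server-install autopkgtest with isolation-container and needs-root, but debian/tests/server-install itself is not in the changed-files list for this push; confirm it exists and is executable, otherwise autopkgtest reports the test as broken rather than skipped. Since ipa-server-install reconfigures the testbed (creates a 389-ds instance and a KDC and rewrites system configuration), add breaks-testbed to Restrictions as well, so the runner never reuses the container for another test.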
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton)) Date: Wed, 07 Jun 2023 16:10:52 +0000 Subject: [Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] 2 commits: copyright, source: Fix some lintian issues/overrides. Message-ID: <6480ac0c206e2_136f88472e8311769@godard.mail> Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa Commits: 7b87d73b by Timo Aaltonen at 2023-06-07T19:01:26+03:00 copyright, source: Fix some lintian issues/overrides. - - - - - bd5c1073 by Timo Aaltonen at 2023-06-07T19:07:15+03:00 server-trust-ad: Add a lintian override for the samba plugin rpath. - - - - - 4 changed files: - debian/changelog - debian/copyright - + debian/freeipa-server-trust-ad.lintian-overrides - debian/source/lintian-overrides Changes: ===================================== debian/changelog ===================================== @@ -3,6 +3,8 @@ freeipa (4.10.2-1) UNRELEASED; urgency=medium * New upstream release. * control: Bump sssd, bind9 depends. * source: Update extend-diff-ignore. + * copyright, source: Fix some lintian issues/overrides. + * server-trust-ad: Add a lintian override for the samba plugin rpath. -- Timo Aaltonen Tue, 21 Feb 2023 10:13:42 +0200 ===================================== debian/copyright ===================================== @@ -6,6 +6,11 @@ Files: * Copyright: 1999-2011 Red Hat, Inc. License: GPL-3+ +Files: debian/* +Copyright: Michele Baldessari michele at pupazzo.org> + Timo Aaltonen +License: GPL-2+ + Files: daemons/ipa-slapi-plugins/*/*.c daemons/ipa-slapi-plugins/*/*.h Copyright: 2005-2010 Red Hat, Inc. @@ -81,9 +86,8 @@ Copyright: 2012-2013, Dave Gandy License: MIT Files: install/ui/util/build/build.js - install/ui/util/build/_base/configRhino.js install/ui/build/dojo/dojo.js - debian/missing-sources/dojo + debian/missing-sources/dojo/* Copyright: 2004-2012, The Dojo Foundation License: BSD-3-clause or AFL-2.1 
@@ -92,11 +96,6 @@ Copyright: 2009, John Resig, J?rn Zaefferer 2008, Ariel Flesler License: MIT or GPL-2 or BSD-2-clause -Files: debian/* -Copyright: Michele Baldessari michele at pupazzo.org> - Timo Aaltonen -License: GPL-2+ - License: GPL-2 On Debian machines the full text of the GNU General Public License version 2 can be found in the file /usr/share/common-licenses/GPL-2. ===================================== debian/freeipa-server-trust-ad.lintian-overrides ===================================== @@ -0,0 +1,2 @@ +# plugin +custom-library-search-path ===================================== debian/source/lintian-overrides ===================================== 
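Review bot: the new `debian/freeipa-server-trust-ad.lintian-overrides` entry `custom-library-search-path` carries no context, so it silences the tag for every shared object in the package rather than only the samba plugin; the source overrides in this same push already use the bracketed form (`[install/ui/build/dojo/dojo.js]`), so restricting this override to the plugin's path in the same way keeps the check alive for anything else the package ships later. The `# plugin` comment should also say which plugin and why the rpath is legitimate (a loadable module resolving a private library directory), since that justification is what a later maintainer needs in order to decide whether the override can be dropped.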
@@ -1,11 +1,8 @@ -# a few long lines, this is still the unminified one -freeipa source: source-is-missing debian/missing-sources/qrcode.js line length is 602 characters (>512) - # missing-sources/dojo/*, see install/ui/src/dojo.profile.js -freeipa source: source-is-missing install/ui/build/dojo/dojo.js line length is 31980 characters (>512) +freeipa source: source-is-missing [install/ui/build/dojo/dojo.js] # missing-sources/jquery-*.js -freeipa source: source-is-missing install/ui/src/libs/jquery.js line length is 32584 characters (>512) +freeipa source: source-is-missing [install/ui/src/libs/jquery.js] # missing-sources/build/*, see install/ui/src/build.profile.js -freeipa source: source-is-missing install/ui/util/build/build.js line length is 31954 characters (>512) +freeipa source: source-is-missing [install/ui/util/build/build.js] View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/7f36ccfcaf54566ab8e8d46eb65bd9c49e0c6180...bd5c1073f0236f31df91b2293045f434a2d775b0 -- View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/7f36ccfcaf54566ab8e8d46eb65bd9c49e0c6180...bd5c1073f0236f31df91b2293045f434a2d775b0 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Wed Jun 7 17:31:35 2023 
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton)) Date: Wed, 07 Jun 2023 16:31:35 +0000 Subject: [Pkg-freeipa-devel] [Git][freeipa-team/freeipa][master] source: Add a lintian override for client-only build; empty-debian- tests-control. Message-ID: <6480b0e7e0257_136f88472983132c4@godard.mail> Timo Aaltonen pushed to branch master at FreeIPA packaging / freeipa Commits: b75a9df8 by Timo Aaltonen at 2023-06-07T19:31:14+03:00 source: Add a lintian override for client-only build; empty-debian- tests-control. - - - - - 2 changed files: - debian/changelog - debian/source/lintian-overrides Changes: ===================================== debian/changelog ===================================== @@ -5,6 +5,8 @@ freeipa (4.10.2-1) UNRELEASED; urgency=medium * source: Update extend-diff-ignore. * copyright, source: Fix some lintian issues/overrides. * server-trust-ad: Add a lintian override for the samba plugin rpath. + * source: Add a lintian override for client-only build; empty-debian- + tests-control. -- Timo Aaltonen Tue, 21 Feb 2023 10:13:42 +0200 ===================================== debian/source/lintian-overrides ===================================== @@ -6,3 +6,6 @@ freeipa source: source-is-missing [install/ui/src/libs/jquery.js] # missing-sources/build/*, see install/ui/src/build.profile.js freeipa source: source-is-missing [install/ui/util/build/build.js] + +# client doesn't run autopkgtests +freeipa source: empty-debian-tests-control View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/commit/b75a9df8d4eb779afed8b0c33d8507b6f3685a63 -- View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/commit/b75a9df8d4eb779afed8b0c33d8507b6f3685a63 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From plugwash-urgent at p10link.net Sun Jun 11 20:29:48 2023 
From: plugwash-urgent at p10link.net (plugwash) Date: Sun, 11 Jun 2023 20:29:48 +0100 Subject: [Pkg-freeipa-devel] Bug#1037345: 389-ds-base: ftbfs with rust-base64 0.21 Message-ID: Package: 389-ds-base Version: 2.3.1+dfsg1-1 Tags: trixie, sid, ftbfs 389-ds-base FTBFS with the new version of rust-base64. I attach a patch which makes the package build, and also fixes some packaging annoyances. I have not tested it beyond that. I may or may not NMU this later. -------------- next part -------------- diff -Nru 389-ds-base-2.3.1+dfsg1/debian/changelog 389-ds-base-2.3.1+dfsg1/debian/changelog --- 389-ds-base-2.3.1+dfsg1/debian/changelog 2023-01-24 11:21:19.000000000 +0000 +++ 389-ds-base-2.3.1+dfsg1/debian/changelog 2023-06-11 13:22:07.000000000 +0000 @@ -1,3 +1,13 @@ +389-ds-base (2.3.1+dfsg1-1.1) UNRELEASED; urgency=medium + + * Non-maintainer upload. + * Add patch for base64 0.21 + * Make Debian dependency on base64 match cargo dependency. + * Improve clean target. + * Use ln -fs instead of ln -s to allow resuming build after fixing errors. + + -- Peter Michael Green Sun, 11 Jun 2023 13:22:07 +0000 + 389-ds-base (2.3.1+dfsg1-1) unstable; urgency=medium * Repackage the source, filter vendored crates and allow building with diff -Nru 389-ds-base-2.3.1+dfsg1/debian/control 389-ds-base-2.3.1+dfsg1/debian/control --- 389-ds-base-2.3.1+dfsg1/debian/control 2023-01-24 11:21:16.000000000 +0000 +++ 389-ds-base-2.3.1+dfsg1/debian/control 2023-06-11 13:22:07.000000000 +0000 @@ -27,7 +27,7 @@ libpci-dev, libpcre2-dev, libperl-dev, - librust-base64-dev, + librust-base64-0.21-dev, librust-cbindgen-dev, librust-cc-dev, librust-crossbeam-dev, diff -Nru 389-ds-base-2.3.1+dfsg1/debian/patches/base64-0.21.diff 389-ds-base-2.3.1+dfsg1/debian/patches/base64-0.21.diff --- 389-ds-base-2.3.1+dfsg1/debian/patches/base64-0.21.diff 1970-01-01 00:00:00.000000000 +0000 +++ 389-ds-base-2.3.1+dfsg1/debian/patches/base64-0.21.diff 2023-06-11 13:22:07.000000000 +0000 
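Review bot: the control hunk's switch from `librust-base64-dev` to `librust-base64-0.21-dev` is the right way to keep Build-Depends in step with the `base64 = "0.21"` requirement in the patched Cargo.toml, but the changelog hunk should record the fix as closing the FTBFS report (`Closes: #1037345`) next to `Add patch for base64 0.21`, otherwise the bug stays open after the upload. Note also that the provided name now pins the semver-major crate, so the next base64 bump has to touch debian/control and the patch together.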
@@ -0,0 +1,65 @@ +Description: update for base64 0.21 +Author: Peter Michael Green + +Index: 389-ds-base-2.3.1+dfsg1.new/src/plugins/pwdchan/src/lib.rs +=================================================================== +--- 389-ds-base-2.3.1+dfsg1.new.orig/src/plugins/pwdchan/src/lib.rs ++++ 389-ds-base-2.3.1+dfsg1.new/src/plugins/pwdchan/src/lib.rs +@@ -42,6 +42,12 @@ macro_rules! ab64_to_b64 { + }}; + } + ++use base64::engine::GeneralPurpose; ++use base64::engine::GeneralPurposeConfig; ++use base64::Engine; ++use base64::alphabet; ++static BASE64CONFIG: GeneralPurposeConfig = GeneralPurposeConfig::new().with_decode_allow_trailing_bits(true); ++static BASE64ENGINE: GeneralPurpose = GeneralPurpose::new(&alphabet::STANDARD,BASE64CONFIG); + impl PwdChanCrypto { + #[inline(always)] + fn pbkdf2_decompose(encrypted: &str) -> Result<(usize, Vec, Vec), PluginError> { +@@ -62,7 +68,7 @@ impl PwdChanCrypto { + .ok_or(PluginError::MissingValue) + .and_then(|ab64| { + let s = ab64_to_b64!(ab64); +- base64::decode_config(&s, base64::STANDARD.decode_allow_trailing_bits(true)) ++ BASE64ENGINE.decode(&s) + .map_err(|e| { + log_error!(ErrorLevel::Error, "Invalid Base 64 {} -> {:?}", s, e); + PluginError::InvalidBase64 +@@ -74,7 +80,7 @@ impl PwdChanCrypto { + .ok_or(PluginError::MissingValue) + .and_then(|ab64| { + let s = ab64_to_b64!(ab64); +- base64::decode_config(&s, base64::STANDARD.decode_allow_trailing_bits(true)) ++ BASE64ENGINE.decode(&s) + .map_err(|e| { + log_error!(ErrorLevel::Error, "Invalid Base 64 {} -> {:?}", s, e); + PluginError::InvalidBase64 +@@ -152,11 +158,11 @@ impl PwdChanCrypto { + PluginError::Format + })?; + // the base64 salt +- base64::encode_config_buf(&salt, base64::STANDARD, &mut output); ++ BASE64ENGINE.encode_string(&salt, &mut output); + // Push the delim + output.push_str("$"); + // Finally the base64 hash +- base64::encode_config_buf(&hash_input, base64::STANDARD, &mut output); ++ BASE64ENGINE.encode_string(&hash_input, &mut output); + // 
Return it + Ok(output) + } +Index: 389-ds-base-2.3.1+dfsg1.new/src/plugins/pwdchan/Cargo.toml +=================================================================== +--- 389-ds-base-2.3.1+dfsg1.new.orig/src/plugins/pwdchan/Cargo.toml ++++ 389-ds-base-2.3.1+dfsg1.new/src/plugins/pwdchan/Cargo.toml +@@ -17,7 +17,7 @@ paste = "1.*" + slapi_r_plugin = { path="../../slapi_r_plugin" } + uuid = { version = "0.8", features = [ "v4" ] } + openssl = { version = "0.10" } +-base64 = "0.13" ++base64 = "0.21" + + [build-dependencies] + cc = { version = "1.0", features = ["parallel"] } diff -Nru 389-ds-base-2.3.1+dfsg1/debian/patches/series 389-ds-base-2.3.1+dfsg1/debian/patches/series --- 389-ds-base-2.3.1+dfsg1/debian/patches/series 2023-01-24 11:21:16.000000000 +0000 +++ 389-ds-base-2.3.1+dfsg1/debian/patches/series 2023-06-11 13:22:07.000000000 +0000 @@ -3,3 +3,4 @@ dont-run-rpm.diff use-packaged-rust-registry.diff allow-newer-crates.diff +base64-0.21.diff diff -Nru 389-ds-base-2.3.1+dfsg1/debian/rules 389-ds-base-2.3.1+dfsg1/debian/rules --- 389-ds-base-2.3.1+dfsg1/debian/rules 2023-01-24 11:21:16.000000000 +0000 +++ 389-ds-base-2.3.1+dfsg1/debian/rules 2023-06-11 13:22:07.000000000 +0000 @@ -24,6 +24,10 @@ rm -rf src/lib389/build src/lib389/lib389.egg-info find src/lib389/ -name '__pycache__' -exec rm -rf '{}' ';' rm -f src/lib389/man/*.8 + rm -f ldap/admin/src/*.inf rust-nsslapd-private.h src/Cargo.lock + rm -f wrappers/dirsrv-snmp.service wrappers/dirsrv.target wrappers/dirsrv at .service wrappers/dirsrv at .service.d/custom.conf wrappers/ds_selinux_restorecon.sh wrappers/ds_systemd_ask_password_acl + rm -f debian/vendor/*-* + rm -f config.sub config.guess override_dh_auto_configure: dh_auto_configure -- \ 
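Review bot: the engine built in the lib.rs hunk only carries over `decode_allow_trailing_bits(true)`; base64 0.21's `GeneralPurposeConfig::new()` defaults to `DecodePaddingMode::RequireCanonical`, which is stricter about missing `=` padding than the 0.13 `decode_config` call it replaces. The decoded values come out of `ab64_to_b64!`, so if that macro does not restore padding, stored PBKDF2 hashes will start failing with `PluginError::InvalidBase64` after the upgrade; either confirm the macro pads or add `.with_decode_padding_mode(DecodePaddingMode::Indifferent)` to `BASE64CONFIG` so the port is behaviour-preserving. Minor: the new `use base64::...` lines sit after the `ab64_to_b64!` macro rather than with the file's other imports. In the debian/rules clean hunk, `rm -f debian/vendor/*-*` is what pairs with the `ln -fs` symlinks created in the configure override, so a short comment saying so would help the next person reading the clean target.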
@@ -41,7 +45,7 @@ --enable-rust-offline (cd debian/vendor && for i in `ls /usr/share/cargo/registry`; do \ - ln -s /usr/share/cargo/registry/$$i .; done) + ln -fs /usr/share/cargo/registry/$$i .; done) override_dh_auto_build: (cd src/lib389 && python3 setup.py build) From owner at bugs.debian.org Mon Jun 12 01:42:05 2023 From: owner at bugs.debian.org (Debian Bug Tracking System) Date: Mon, 12 Jun 2023 00:42:05 +0000 Subject: [Pkg-freeipa-devel] Processed: fix severity References: Message-ID: Processing commands for control at bugs.debian.org: > severity 1037345 serious Bug #1037345 [389-ds-base] 389-ds-base: ftbfs with rust-base64 0.21 Severity set to 'serious' from 'normal' > severity 1037351 serious Bug #1037351 [hippotat] hippotat: ftbfs with rust-base64 0.21 Severity set to 'serious' from 'normal' > thanks Stopping processing here. Please contact me if you need assistance. -- 1037345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037345 1037351: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037351 Debian Bug Tracking System Contact owner at bugs.debian.org with problems From gitlab at salsa.debian.org Mon Jun 12 08:52:29 2023 
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton))
Date: Mon, 12 Jun 2023 07:52:29 +0000
Subject: [Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master] 115 commits: Bump version to 2.3.1
Message-ID: <6486cebd98b23_136f88c06540811418a0@godard.mail>

Timo Aaltonen pushed to branch master at FreeIPA packaging / 389-ds-base

Commits:

6ad8f075 by Mark Reynolds at 2022-11-18T08:54:06-05:00
Bump version to 2.3.1

- - - - -

06e96874 by Simon Pichugin at 2022-11-18T07:02:12-08:00
Issue 5534 - Add copyright text to the repository files

Description: We need to have copyright texts around our files and some of them are missing. This commit adds the copyright to tests and lib389. Also, add an automatic generator in the create_test.py script.

Fixes: https://github.com/389ds/389-ds-base/issues/5534
Reviewed by: @mreynolds389, @progier389 (Thanks!)

- - - - -

83949f6d by Simon Pichugin at 2022-11-18T09:21:32-08:00
Issue 5534 - Fix a rebase typo (#5537)

Description: Fix a minor typo in config/compact_test.py.

Related: https://github.com/389ds/389-ds-base/issues/5534
Reviewed by: @mreynolds389 (Thanks!)

- - - - -

ba9d8b3b by tbordaz at 2022-11-21T11:41:15+01:00
Issue 3729 - (cont) RFE Extend log of operations statistics in access log (#5538)

Bug description: This is a continuation of #3729. The previous fix did not manage internal SRCH, so statistics of internal SRCH were not logged.

Fix description: For internal operations log_op_stat uses connid/op_id/op_internal_id/op_nested_count that have been computed in log_result. For direct operations log_op_stat uses info from the operation itself (o_connid and o_opid). log_op_stat relies on operation_type rather than o_tag, which is not available for internal operations.

relates: #3729
Reviewed by: Pierre Rogier

- - - - -

3e814cfb by Stanislav Levin at 2022-11-22T15:21:11+01:00
Issue 5541 - Fix typo in `lib389.cli_conf.backend._get_backend` (#5542)

Fix Description: Replace `name` with `be_name`.
relates: https://github.com/389ds/389-ds-base/issues/5541
Reviewed by: progier (Thanks)

- - - - -

b0f8c322 by Stanislav Levin at 2022-11-22T15:22:46+01:00
Issue 5539 - Make logger's parameter name unified (#5540)

Description: Some of the functions of `lib389.cli_conf.security` used `log` as the logger's parameter name while others used `logs`. This led to regressions like #5539.

Fix Description: Replace `logs` with `log`.

relates: https://github.com/389ds/389-ds-base/issues/5539
Reviewed by: mreynolds (Thanks)

- - - - -

89160f7a by Firstyear at 2022-11-24T09:55:46+10:00
Issue 5526 - RFE - Improve saslauthd migration options (#5528)

Bug Description: We should improve our migration paths from openldap to allow the commonly used saslauthd plugin.

Fix Description: This adds the import transform to convert users to use the nsSaslauthId field. This also adds a helper in migration to enable the plugins as needed. Finally this also adds some hardening to pam_pta.

fixes: https://github.com/389ds/389-ds-base/issues/5526
Author: William Brown <william at blackhats.net.au>
Review by: @progier389

- - - - -

08c21134 by Mark Reynolds at 2022-11-28T10:34:31-05:00
Issue 5544 - Increase default task TTL

Description: Increase the Time To Live of tasks from 1 hour to 12 hours

relates: https://github.com/389ds/389-ds-base/issues/5544
Reviewed by: progier(Thanks!)

- - - - -

8e32e5f4 by William Brown at 2022-12-06T10:53:26+10:00
Issue 5521 - BUG - Pam PTA multiple issues

Bug Description: Pam PTA and the lib389 cli had numerous issues that were affecting administration and configuration.

Fix Description: This fixes many issues:
* add pam-[enable,disable,show] separate from pta enable. We can't combine these into one because they are separate plugins. They also still need ways to enable them outside of the direct config attribute manipulation.
* Make pamMissingSuffix return a default of IGNORE on NONE.
This is because many of the current tools don't actually set this value and it can block server restarts.
* pamSecure would not warn properly on lack of TLS connections, which can trick users into thinking the plugin is not working.

fixes: https://github.com/389ds/389-ds-base/issues/5521
Author: William Brown <william at blackhats.net.au>
Review by: @mreynolds389 @droideck (Thanks!)

- - - - -

a8ae3421 by William Brown at 2022-12-06T10:53:26+10:00
Issue 5521 - RFE - split pass through auth cli

Bug Description: The pass through auth cli previously was a "merge" of both ldap pass through and pam pass through. These two do not share any commonality, and actually conflict with each other. This caused a lot of confusion, especially in documentation where it wasn't clear how to use either feature as a result.

Fix Description: Split the cli into two separate plugins with their own config domains. This clarifies the situation for users, and makes it far easier to configure the various pass through layers.

fixes: https://github.com/389ds/389-ds-base/issues/5521
Author: William Brown <william at blackhats.net.au>
Review by: @mreynolds389 @droideck (Thanks!)

- - - - -

b329cc48 by Viktor Ashirov at 2022-12-12T19:05:30+01:00
Issue 5561 - Nightly tests are failing

Bug Description: We use ubuntu-latest as our runner image for testing in containers. Recently there was a switch from 20.04 to 22.04 that caused test failures.

Fix Description:
* Pin runner image to 22.04
* Remove cgroups mount from docker cmd since ubuntu-22.04 now supports cgroupsv2

Fixes: https://github.com/389ds/389-ds-base/issues/5561
Reviewed-by: @droideck (Thanks!)

- - - - -

861d032e by Simon Pichugin at 2022-12-12T16:39:46-08:00
Issue 5554 - Add more tests to security_basic_test suite (#5555)

Description: Add tests for ANONYMOUS_BIND and TLSCLIENTAUTH cases (including CERT_MAP_FAILED). Fix minor test structure issues.
Fixes: https://github.com/389ds/389-ds-base/issues/5554
Reviewed by: @mreynolds389, @Firstyear (Thanks!)

- - - - -

6aa7a6d5 by Mark Reynolds at 2022-12-13T12:08:35-05:00
Issue 5413 - Allow multiple MemberOf fixup tasks with different bases/filters

Description: A change was made to only allow a single fixup task at a time, but there are cases where you would want to run multiple tasks but on different branches/filters. Now we maintain a linked list of bases/filters of the currently running tasks to monitor this.

relates: https://github.com/389ds/389-ds-base/issues/5413
Reviewed by: tbordaz(Thanks!)

- - - - -

3ba81948 by Mark Reynolds at 2022-12-15T13:17:00-05:00
Update specfile and rust crates

Reviewed by: spichugi(Thanks!)

- - - - -

5a12552b by Mark Reynolds at 2022-12-15T17:48:44-05:00
Issue 3615 - CLI - prevent virtual attribute indexing

Description: Do not allow virtual attributes to be indexed because it breaks search results

relates: https://github.com/389ds/389-ds-base/issues/3615
Reviewed by: spichugi(Thanks!)

- - - - -

bb5df9d4 by progier389 at 2022-12-16T16:18:40+01:00
Issue 5545 - A random crash in import over lmdb (#5546)

* Issue 5545 - A random crash in import over lmdb
* Issue 5545 - Fix reviews remarks

Random crash due to an accelerator that bypasses the lock while dequeuing a worker thread entry, but that causes a synchronization issue around the hardware memory cache.
Solution: lock systematically to perform a membar that ensures proper synchronization. (It does not impact the performance because the provider -> worker queue is not the performance bottleneck)
(that is, the writer thread database operation limits the throughput).

Also added 2 improvements:
Use MDB_NOSYNC flags during off-line import (Anyway if the process is interrupted the import must be rerun)
Log regularly some statistics about the import writer thread (to help determine if the import bottleneck is because the thread is waiting for input data or waiting for the lmdb operation to complete)

- - - - -

84e8fdd3 by progier389 at 2022-12-16T17:35:19+01:00
Issue 5558 - non-root instance fails to start on creation (#5559)

issue: non root installation fails to start after the default storage scheme change.
The solution is to avoid removing the RUST storage scheme from dse.ldif templates while preparing the non root user installation.

- - - - -

a94ae27a by Mark Reynolds at 2022-12-16T11:46:26-05:00
Issue 5425 - CLI - add confirmation arg when deleting backend

Description: Add "--do-it" CLI argument when deleting a backend and its subsuffixes

fixes: https://github.com/389ds/389-ds-base/issues/5425
Reviewed by: tbordaz & progier(Thanks!!)

- - - - -

f60e479a by Mark Reynolds at 2022-12-16T11:48:46-05:00
Issue 5531 - CI - use universal_lines in capture_output

Description: Use backwards compatible universal_lines in capture_output()

relates: https://github.com/389ds/389-ds-base/issues/5531
Reviewed by: progier(Thanks!)

- - - - -

ed231df0 by Mark Reynolds at 2022-12-16T13:30:08-05:00
Issue 5278 - CLI - dsidm asks for the old password on password reset

Description: If we are changing a password as Root DN we don't need the old password

relates: https://github.com/389ds/389-ds-base/issues/5278
Reviewed by: progier(Thanks!)

- - - - -

145f48d2 by progier389 at 2022-12-21T19:36:07+01:00
Issue 5550 - dsconf monitor crashes with Error math domain error (#5553)

* Issue 5550 - dsconf monitor crashes with Error math domain error

Problem: db computes negative db cache free space when db cache use is above 50% because the wrong page size is used for computation.
Solution: provide the mempool page size in monitor query and use it in dbmon
Also fixing an issue around the changelog db page size.

- - - - -

af128776 by Mark Reynolds at 2023-01-03T08:37:44-05:00
Issue 5236 - UI add specialized group edit modal

Description: Added a modal for handling groups: viewing, adding and removing members

Revised overall project:
- "Search Base" handling using a label button was not intuitive. Changed it to a more recognizable href.
- Made table "trash Can" icons visibly clickable
- Edit/add entry wizard, the big red "Empty Value!" label is no longer displayed while you edit the value

relates: https://github.com/389ds/389-ds-base/issues/5236
Reviewed by: spichugi(Thanks!)

- - - - -

81c34adc by dependabot[bot] at 2023-01-03T10:21:30-05:00
Bump json5 from 2.2.1 to 2.2.3 in /src/cockpit/389-console

Bumps [json5](https://github.com/json5/json5) from 2.2.1 to 2.2.3.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](https://github.com/json5/json5/compare/v2.2.1...v2.2.3)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support at github.com>

- - - - -

95d83df8 by Mark Reynolds at 2023-01-05T08:56:58-05:00
Issue 5521 - UI - Update plugins for new split PAM and LDAP pass thru auth

Description: Previously PAM and LDAP pass thru auth plugins were merged. This change separates them into their own plugins in the UI. Also improved memory reporting in monitor tab.

relates: https://github.com/389ds/389-ds-base/issues/5521
Reviewed by: spichugi(Thanks!)

- - - - -

bafacd27 by Simon Pichugin at 2023-01-05T08:10:04-08:00
Issue 5585 - lib389 password policy DN handling is incorrect (#5587)

Description: After a migration between major DS versions, it can happen that already existing password policies will have 'cn' that contains a valid DN in double quotes "". We need to strip the quotes before processing the DN with python-ldap.

Fixes: https://github.com/389ds/389-ds-base/issues/5585
Reviewed by: @tbordaz, @mreynolds389 (Thanks!)

- - - - -

2c28c895 by Mark Reynolds at 2023-01-05T15:36:25-05:00
Issue 5588 - Fix CI tests

Description:
Fix ACL tests that no longer return IndexError but instead return an empty list
Fix db_home tests when in container and regular db dir is used instead
Fix repl monitor test where args_instance was not declared before treating it as a dict

relates: https://github.com/389ds/389-ds-base/issues/5588
Reviewed by: ?

- - - - -

7def4959 by Mark Reynolds at 2023-01-06T19:18:47-05:00
Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries

Description: dsidm account allows doing bulk updates to a bunch of entries. Add options for setting a filter, scope, and base, and whether to continue on error.

relates: https://github.com/389ds/389-ds-base/issues/5348
Reviewed by: spichugi(Thanks!)

- - - - -

acfc4d7a by Mark Reynolds at 2023-01-09T13:28:29-05:00
Issue 5599 - CI - webui tests randomly fail

Description: Add sleeps to deal with slow machines

relates: https://github.com/389ds/389-ds-base/issues/5599
Reviewed by: progier389(Thanks!)
- - - - -

3baaa042 by Mark Reynolds at 2023-01-09T13:37:30-05:00
Fix latest npm audit failures

Reviewed by: spichugi(Thanks!)

- - - - -

6a4b49a8 by Firstyear at 2023-01-10T13:40:47+10:00
Issue 5591 - BUG - Segfault in cl5configtrim with invalid config (#5592)

Bug Description: When an invalid replication config exists, replica_get_cl_info can return null. The lack of a null check in cl5configtrim can lead to a SIGSEGV

Fix Description: Check for the NULL case.

fixes: https://github.com/389ds/389-ds-base/issues/5591
Author: William Brown <william at blackhats.net.au>
Review by: @mreynolds389

- - - - -

9e8d42c1 by Mark Reynolds at 2023-01-10T08:57:05-05:00
Issue 5593 - CLI - dsidm account subtree-status fails with TypeError

Description: There was a problem with the function parameters being passed to the filter method, and we were missing a parameter for the print entry function.

relates: https://github.com/389ds/389-ds-base/issues/5593
Reviewed by: spichugi(Thanks!)

- - - - -

ea5daa5d by Mark Reynolds at 2023-01-11T09:42:23-05:00
Issue 5581 - UI - Support cockpit dark theme

Description: We were previously overriding the background color which caused issues with the dark theme.
Also changed database tree to add a "Create Suffix" icon in the tree instead of the button below the tree
Fixed browser crash in "edit entry" when changing read only variable

relates: https://github.com/389ds/389-ds-base/issues/5581
Reviewed by: spichugi(Thanks!)

- - - - -

aeebd5a0 by Mark Reynolds at 2023-01-12T10:39:02-05:00
Issue 5602 - UI - browser crash when trying to modify read-only variable

Description: Existing code that used to work (incorrectly) is now causing issues. Need to use "let" instead of "const".

relates: https://github.com/389ds/389-ds-base/issues/5602
Reviewed by: spichugi(Thanks!)
- - - - -

10b3110d by progier389 at 2023-01-16T15:08:54+01:00
Issue 5605 - Adding a slapi_log_backtrace function in libslapd (#5606)

Moving log_stack out of db-mdb code to libslapd and renaming it as slapi_log_backtrace.

- - - - -

b8c90a5a by James Chapman at 2023-01-17T11:42:56+00:00
Issue 3604 - Create a private key/CSR with dsconf/Cockpit (#5584)

RFE description: There's no way to create a private key and a CSR with dsconf/Cockpit. However, features for importing a certificate exist, but DS also requires the private key in the NSS database to use the certificate

Fix Description: Modify dsconf/UI to allow creation of a CSR.

relates: https://github.com/389ds/389-ds-base/issues/3604
Reviewed by: @mreynolds389, @droideck (Thank you)

- - - - -

010ac612 by progier389 at 2023-01-18T16:57:03+01:00
Issue 5560 - dscreate run by non superuser set defaults requiring superuser privilege (#5579)

When run by a non root user, some of dscreate's default values for the template options require superuser privileges.
Solution: Changing the default value for port, secure_port, selinux, systemd when uid is not 0

- - - - -

aa2f8435 by Mark Reynolds at 2023-01-19T20:01:36-05:00
Issue 5608 - UI - need to replace some "const" with "let"

Description: Browsers are becoming more strict about JavaScript and there were places where a const variable was being modified. This is now crashing the server. So to be overly cautious a lot of consts were changed just to be safe.

relates: https://github.com/389ds/389-ds-base/issues/5608
Reviewed by: spichugi(Thanks!)

- - - - -

b09b069f by Viktor Ashirov at 2023-01-21T13:20:10+01:00
Issue #5610 - Build failure on Debian

Bug Description: On Debian libslapd.so is not getting linked with libcrypto.so, which results in `undefined reference` link errors.

Fix Description: Move -lssl and -lcrypto for libslapd.so from LDFLAGS to LIBADD.

Fixes: https://github.com/389ds/389-ds-base/issues/5610
Reviewed by: @mreynolds389 (Thanks!)
- - - - -

6d73cc23 by Mark Reynolds at 2023-01-23T07:47:36-05:00
Issue 5607, 5351, 5611 - UI/CLI - fix various issues

Description:
5607 - Ldap Editor failed to decode base64 values
5351 - CLI - Cockpit enable check for cockpit package was not portable (just removed this check)
5611 - Security page had a lot of issues when trying to change the Server Certificate. Save didn't work, and "Security Enable" modal would crash

relates: https://github.com/389ds/389-ds-base/issues/5607
relates: https://github.com/389ds/389-ds-base/issues/5351
relates: https://github.com/389ds/389-ds-base/issues/5611
Reviewed by: spichugi(Thanks!)

- - - - -

14943d56 by Mark Reynolds at 2023-01-23T08:30:34-05:00
Issue 5547 - automember plugin improvements

Description: Rebuild task has the following improvements:
- Only one task allowed at a time
- Do not cleanup previous members by default. Add new CLI option to intentionally cleanup memberships before rebuilding from scratch.
- Add better task logging to show fixup progress

To prevent automember from being called in a nested be_txn loop, thread storage is used to check and skip these loops.

relates: https://github.com/389ds/389-ds-base/issues/5547
Reviewed by: spichugi(Thanks!)

- - - - -

e5375101 by Mark Reynolds at 2023-01-23T10:38:35-05:00
Bump version to 2.3.2

- - - - -

70ab219a by Mark Reynolds at 2023-01-26T13:50:52-05:00
Issue 5497 - boolean attributes should be case insensitive

Description: Boolean values are supposed to be case insensitive, but in our code it is sensitive even though the code is in the "cis" file.

relates: https://github.com/389ds/389-ds-base/issues/5497
Reviewed by: spichugi(Thanks!)

- - - - -

ddc6e777 by progier389 at 2023-01-27T15:43:08+01:00
Issue 5578 - dscreate ds-root does not normalize paths (#5613)

Problem: dscreate ds-root or a subsequent dscreate from-root command fails if either the root prefix or the optional bin path are not normalized.
Solution: both the root prefix and the bin directory are now normalized.

- - - - -

3813f799 by Florian Schmaus at 2023-01-30T08:28:39-05:00
Remove stale libevent(-devel) dependency

It appears that the last user of libevent disappeared with 44e92dc8b900 ("Ticket 50669 - remove nunc-stans").

- - - - -

69978d13 by Mark Reynolds at 2023-02-02T08:13:22-05:00
Issue 4293 - RFE - CLI - add dsrc options for setting user and group subtrees

Description: There are customers who do not use "ou=groups" or "ou=people" for their users and groups. This RFE allows the user/group RDN to be customized in the .dsrc file

relates: https://github.com/389ds/389-ds-base/issues/4293
Reviewed by: spichugi(Thanks!)

- - - - -

9a5402d0 by Timo Aaltonen at 2023-02-03T20:58:21+02:00
Merge tag '389-ds-base-2.3.1' into m

- - - - -

124b9cad by Timo Aaltonen at 2023-02-03T20:58:43+02:00
Merge branch 'master' into m

- - - - -

fdc33a4b by Timo Aaltonen at 2023-02-03T21:01:12+02:00
version bump

- - - - -

546a1282 by Timo Aaltonen at 2023-02-03T21:06:01+02:00
patches: Drop upstreamed or obsolete patches.

- - - - -

a9a72616 by progier389 at 2023-02-06T16:33:02+01:00
Issue 4577 - Add LMDB pytest github action (#5627)

Duplicate the pytest workflow and it seems to work nicely (The github limit of 20 concurrent jobs prevents too many tests from running at the same time). Furthermore, as the bdb and lmdb tests run on different containers, it ensures proper test separation.
Note: There is a discussion whether we should refactor these actions or not, but if we ever decide to do it, we could do it later on.

- - - - -

5cbcd502 by dependabot[bot] at 2023-02-07T16:30:56+01:00
Bump tokio from 1.24.1 to 1.25.0 in /src (#5629)

Update cargo.lock to upgrade "tokio" rust component to 1.25

Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.24.1 to 1.25.0.
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.24.1...tokio-1.25.0)

---
updated-dependencies:
- dependency-name: tokio
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support at github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

- - - - -

b3bb074c by Mark Reynolds at 2023-02-07T13:27:13-05:00
Issue 5624 - RFE - UI - export certificates, and import text base64 encoded certificates

Description: Allow exporting CA and server certificates
Allow importing a certificate by pasting the base64 encoded certificate text into a form, choosing a certificate from the server's cert dir, or uploading a PEM file from the client system.

relates: https://github.com/389ds/389-ds-base/issues/5624
Reviewed by: spichugi(Thanks!)

- - - - -

f195c9de by progier389 at 2023-02-08T15:23:06+01:00
Issue 5637 - Covscan - fix Buffer Overflows (#5638)

Covscan reports:
. 389-ds-base-2.2.4/ldap/servers/slapd/conntable.c:138: suspicious_sizeof: Passing argument "table_size * 16UL /* sizeof (struct PRPollDesc) */" to function "slapi_ch_calloc" and then casting the return value to "struct PRPollDesc **" is suspicious.
And indeed memory space is wasted because a buffer larger than the expected one is allocated in connection table code: it should be: ct->list_num * sizeof(struct PRPollDesc*).

Issue: 5637
Reviewed by: @mreynolds389, @jchapma. Thanks !

- - - - -

6d3009f3 by progier389 at 2023-02-08T17:16:09+01:00
Issue 5634 - Deprecated warning related to github action workflow code (#5635)

Problem: github action pytest reports deprecated warnings about actions/upload-artifact@v2 and set-output
Fix: replaced actions/upload-artifact@v2 by actions/upload-artifact@v3
replaced run: echo "::set-output name=varName::value" by run: echo "varName=value" >> $GITHUB_OUTPUT

Issue: 5634
Reviewed by: @vashirov, Thanks !

- - - - -

856d7f0d by progier389 at 2023-02-08T19:07:18+01:00
Issue 5517 - Replication conflict CI test sometimes fails (#5518)

fix a Modrdn conflict resolution issue because the wrong dn is used to rename the subtree in entryrdn index.
- - - - -
cee276d3 by Mark Reynolds at 2023-02-08T17:53:52-05:00
Issue 5632 - CLI - improve error handling with db2ldif

Description: Have the CLI check if the ldif location exists. This also prevents the database from getting trashed by skipping the export attempt.

relates: https://github.com/389ds/389-ds-base/issues/5632
Reviewed by: progier & spichugi(Thanks!)

- - - - -
66438b4d by Firstyear at 2023-02-09T11:29:03+10:00
Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)

Bug Description: The IDL scan limit existed as a naive attempt at query optimisation to force longer IDLs to be skipped in favour of short IDLs. However, since we now have a true query optimiser that can handle this correctly, the IDL scan limit is redundant and not functional. The only condition the IDL scan limit can now impact is making queries slower by rejecting the use of longer IDLs when shortcut conditions are not possible.

Fix Description: Raise the IDL Scan Limit to INT_MAX to observe the results. In the future we can remove the code entirely.

fixes: https://github.com/389ds/389-ds-base/issues/2435
Author: William Brown <william at blackhats.net.au>
Review by: @progier389 @mreynolds389

- - - - -
1b4f5a5b by Mark Reynolds at 2023-02-10T07:52:45-05:00
Issue 5630 - CLI - error messages should goto stderr

Description: Previously all CLI output (error or not) was sent to stdout when it should really go to stderr. Add new handle/filter for stdout messages.

relates: https://github.com/389ds/389-ds-base/issues/5630
Reviewed by: spichugi & progier (Thanks!!)

- - - - -
a5b15583 by James Chapman at 2023-02-13T11:55:23+00:00
Issue 5648 - Covscan - Compiler warnings (#5651)

Description: A covscan report on 389-ds-base-2.2.4 reported two compiler warnings.
Defect type: COMPILER_WARNING
389-ds-base-2.2.4/ldap/servers/plugins/retrocl/retrocl_trim.c:458:27: warning[-Wmaybe-uninitialized]: 'trim_interval' may be used uninitialized in this function

Defect type: COMPILER_WARNING
389-ds-base-2.2.4/ldap/servers/plugins/retrocl/retrocl_trim.c:26:40: warning[-Wint-conversion]: initialization of 'int' from 'void *' makes integer from pointer without a cast

One has since been fixed, this is for the remaining one.

relates: https://github.com/389ds/389-ds-base/issues/5648
Reviewed by: @mreynolds389 (Thanks)

- - - - -
e4ed5a8a by progier389 at 2023-02-13T16:59:00+01:00
Issue 5628 - Handle graceful timeout in CI tests (#5657)

Issue: Sometimes a CI test fails because the github workflow timeout of 6 hours is triggered and in this case there is no data to help troubleshooting except that a timeout occurred.

Solution: Implement a 5 hour timeout in the topologies fixture so that test result artefacts get collected before the github timeout. When the timeout occurs: the pytest test fails because of a TimeoutError exception and ns-slapd gets killed first with SIGTERM then with SIGQUIT (to get the core file in case of deadlock). Specific test modules may configure their own timeout by adding an autouse fixture (see dirsrvtests/tests/suites/lib389/timeout_test.py)

Issue: 5628
Reviewed by: @mreynolds389

- - - - -
9710cf1c by progier389 at 2023-02-13T17:05:45+01:00
Issue 5652 - Libasan crash in replication/cascading_test (#5659)

Got a crash when running replication/cascading_test with an asan build, at repl_extop.c:486. And review shows that the code is suspicious.

Issue: [5652](https://github.com/389ds/389-ds-base/issues/5652)
Reviewed by: @mreynolds389

- - - - -
0235b062 by Mark Reynolds at 2023-02-13T11:46:02-05:00
Issue 5653 - covscan - fix invalid dereference

Description:
389-ds-base-2.2.4/ldap/servers/slapd/tools/dbscan.c:1111: var_deref_model: Passing null pointer "dump" to "fclose", which dereferences it.
389-ds-base-2.2.4/ldap/servers/slapd/result.c:2022: check_after_deref: Null-checking "op" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
389-ds-base-2.2.4/ldap/servers/slapd/result.c:2019: var_deref_model: Passing null pointer "op" to "operation_is_flag_set", which dereferences it.

relates: https://github.com/389ds/389-ds-base/issues/5653
Reviewed by: jchapman(Thanks!)

- - - - -
8a14402f by Mark Reynolds at 2023-02-13T11:50:12-05:00
Issue 5658 - CLI - unable to add attribute with matching rule

Description: dsconf incorrectly allows for multiple matching rules of the same type (equality, substr, etc). This causes python-ldap to get upset and error out. Change arguments to only allow one matching rule per type.

relates: https://github.com/389ds/389-ds-base/issues/5658
Reviewed by: progier(Thanks!)

- - - - -
db7be9fb by progier389 at 2023-02-14T13:34:10+01:00
issue 5647 - covscan: memory leak in audit log when adding entries (#5650)

covscan reported an issue about the "vals" variable in auditlog.c:231 and indeed a charray_free is missing.

Issue: 5647
Reviewed by: @mreynolds389, @droideck

- - - - -
4a9bd39f by Mark Reynolds at 2023-02-14T08:10:47-05:00
Issue 5640 - Update logconv for new logging format

Description: Some of the "closed" messages in the access log are now a mixed case, and logconv should be able to process it.

relates: https://github.com/389ds/389-ds-base/issues/5640
Reviewed by: jchapman & tbordaz (Thanks!!)

- - - - -
4caf70ca by Mark Reynolds at 2023-02-14T13:51:23-05:00
Issue 5646 - CLI/UI - do not hardcode password storage schemes

Description: Previously all the password storage schemes were hardcoded in the UI. Now dsconf can list all the current schemes the server supports.

relates: https://github.com/389ds/389-ds-base/issues/5636
Reviewed by: spichugi(Thanks!)
- - - - -
901316e5 by Mark Reynolds at 2023-02-14T13:55:12-05:00
Issue 5630 - CLI - need to add logging filter for stdout

Description: A logging filter was added for stderr, and we now need one for stdout, otherwise we are getting duplicate output from cli tools.

relates: https://github.com/389ds/389-ds-base/issues/5630
Reviewed by: spichugi(Thanks!)

- - - - -
c0e2f684 by Viktor Ashirov at 2023-02-14T20:57:10+01:00
Issue 5642 - Build fails against setuptools 67.0.0

Bug Description: `setuptools` 67.0.0 vendors `packaging` 23.0 which dropped `LegacyVersion`.

Fix Description: Replace `LegacyVersion` with `DSVersion` to compare version strings that are not compatible with PEP 440 and PEP 508.

Reviewed by: @mreynolds389, @progier389
Fixes: https://github.com/389ds/389-ds-base/issues/5642

- - - - -
c69f2691 by Mark Reynolds at 2023-02-16T20:04:12-05:00
Issue 5162 - Lib389 - verify certificate type before adding

Description: Verify that when importing a certificate it is the correct type. Also clean up temporary certs that are created when processing a bundle of certs in a PEM file.

relates: https://github.com/389ds/389-ds-base/issues/5162
Reviewed by: spichugi(Thanks!)

- - - - -
fd6b417f by progier389 at 2023-02-20T16:14:05+01:00
Issue 5647 - Fix unused variable warning from previous commit (#5670)

* issue 5647 - memory leak in audit log when adding entries
* Issue 5647 - Fix unused variable warning from previous commit

- - - - -
11c5a0e5 by Mark Reynolds at 2023-02-20T10:24:37-05:00
Issue 5567 - CLI - make ldifgen use the same default ldif name for all options

Description: For consistency just use the server's ldif directory for all the default ldif locations.

relates: https://github.com/389ds/389-ds-base/issues/5667
Reviewed by: vashirov(Thanks!)
- - - - -
79214f5b by Mark Reynolds at 2023-02-20T10:46:26-05:00
Issue 5666 - CLI - Add timeout parameter for tasks

Description: Add a timeout argument for all dsconf tasks.

relates: https://github.com/389ds/389-ds-base/issues/5666
Reviewed by: spichugi & jchapman(Thanks!!)

- - - - -
c70918d1 by Mark Reynolds at 2023-02-20T13:21:13-05:00
Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn

Description: Fix CI test to properly set the nsslapd-return-original-entrydn and to restart the server after changing the config setting.

relates: https://github.com/389ds/389-ds-base/issues/5267
Reviewed by: vashirov(Thanks!)

- - - - -
d7e64128 by James Chapman at 2023-02-21T15:14:08+00:00
Issue 5671 - covscan - clang warning (#5672)

Description: covscan reported CLANG_WARNING

relates: https://github.com/389ds/389-ds-base/issues/5671
Reviewed by: @progier389 (Thank you)

- - - - -
a4c4e4ec by tbordaz at 2023-02-22T15:06:52+01:00
Issue 5598 - In 2.x, SRCH throughput drops by 10% because of handling of referral (#5604)

Bug description: A part of the fix #5170 appends '(objectclass=referral)' to the original filter (in subtree scope) in order to conform to smart referral support https://www.ietf.org/rfc/rfc3296.txt. This triggers a drop in SRCH throughput (10%). #5598 limits the case when '(objectclass=referral)' is added:
- Most of the time a server does not contain smart referrals. So most of the time it is useless to add that subfilter
- It should not be added for internal searches

Fix description: A mechanism periodically (each 30s) checks if there are smart referral entries (referral_check) under each backend. Note that if a smart referral is present in a subsuffix, the parent suffix inherits the referral flag. When a smart referral is detected, or no more smart referrals are detected, it logs an information message. During a direct subtree search, 'objectclass=referral' is appended on the condition that at least one referral exists under the backend.
relates: #5598
Reviewed by: Mark Reynolds, Pierre Rogier, William Brown (Thanks)

- - - - -
e97cb61d by Mark Reynolds at 2023-02-22T12:03:21-05:00
Issue 5162 - CI - fix error message for invalid pem file

Description: With recent changes to certificate validation the error message has changed and the CI needs to be updated.

relates: https://github.com/389ds/389-ds-base/issues/5162
Reviewed by: spichugi(Thanks!)

- - - - -
b110f3bf by Mark Reynolds at 2023-02-23T14:29:33-05:00
Issue 5640 - Update logconv for new logging format

Description: Some of the "closed" messages have been replaced by "disconnect". The tool needs to handle these changes.

relates: https://github.com/389ds/389-ds-base/issues/5640
Reviewed by: spichugi(Thanks!)

- - - - -
bff3167c by Mark Reynolds at 2023-02-27T11:12:00-05:00
Issue 5600 - buffer overflow when enabling sync repl plugin when dynamic plugins is enabled

Description: Our factory extension code was not designed to work with dynamic plugins. It assumes all extensions are registered at startup. If extensions are added after startup (when dynamic plugins is enabled) then this breaks. The fix is to keep track of how many extensions were allocated per object, instead of relying on the global extension count.

Patch written by Pierre Rogier - thanks!

relates: https://github.com/389ds/389-ds-base/issues/5600
Reviewed by: jachapman (Thanks!)

- - - - -
ae003cdb by Mark Reynolds at 2023-02-27T16:38:22-05:00
Issue 3604 - UI - Add support for Subject Alternative Names in CSR

Description: Add support for SAN in the UI. Update CLI to also provide SAN info when listing CSR. Updated UI to list SAN in CSR Table.

relates: https://github.com/389ds/389-ds-base/issues/3604
Reviewed by: spichugi(Thanks!)

- - - - -
5d26020e by Vladimir Cech at 2023-03-01T09:55:00+01:00
Issue 4758 - Add tests for WebUI

Description: Added WebUI test for replication tab.
Relates: https://github.com/389ds/389-ds-base/issues/4758
Reviewed by: @bsimonova

- - - - -
a511f018 by Mark Reynolds at 2023-03-01T14:10:39-05:00
Issue 4583 - Update specfile to skip checks of ASAN builds

Description: Need to skip check for ASAN builds otherwise builds never complete.

relates: https://github.com/389ds/389-ds-base/issues/5683
Reviewed by: spichugi(Thanks!)

- - - - -
9000a256 by Barbora Simonova at 2023-03-02T10:28:25+01:00
Issue 5554 - Add more tests to security_basic_test suite

Description: Add test for TCP_ERROR maxbersize B2 scenario.

Relates: https://github.com/389ds/389-ds-base/issues/5554
Reviewed by: @droideck, @mreynolds389, @vashirov (Thanks!)

- - - - -
5a755180 by progier389 at 2023-03-02T17:34:21+01:00
Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV (#5676)

* Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV
* Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV - Use readonly iteration on bdb should be txn less
* Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV - Added a comment

Problem: Tests that:
- rebuild the changelog RUV
- perform changelog trimming (i.e. any test that is long enough)
- purge a Replica ID in the changelog (i.e. demote a supplier / cleanruv)
are hanging on lmdb until killed by the timeout because the changelog iterator loops on the first entry.

Reason: It is due to a difference in the way bdb and lmdb cursor get works when it is the first cursor operation and no key is provided (bdb returns the first key while lmdb fails). Because of that db-mdb layers use MDB_FIRST when no key is provided.
Solution: Add a new dbimpl function that iterates over a cursor calling a callback with key and value for all the records (until either the end of the database or the callback says to stop). This is more efficient than the current code that walks the cursor through the dbimpl API at the replication plugin level because it avoids the dbimpl API overhead (especially in the lmdb case); furthermore it allows easily handling the dbs' specificity.

Fixed the changelog RUVs rebuild to walk the changelog (using the new dbimpl function) only once instead of twice (collecting min and max for all replica ids then building both standard and purge ruv from these data).

Fixed the changelog trimming code to use the new changelog iterator, also fixed the way the purge ruv gets updated (using now the first csn in the changelog (for the replicas whose csn get removed) instead of the last removed csn).

Fixed the changelog rid purge code to use the new changelog iterator.

Note: The changelog replication replay iterator is not impacted by this bug and is not changed.

Also fixed a regression related to the addition of timeout in the test topology (m1h1c1 topology is slightly different from the older version and is having a hub->supplier agreement which is making some test fail. Fixed that topology to remove that agreement.)

Issue: [5661](#5661)
Reviewed by: @tbordaz ( Thanks! )

- - - - -
8483d60d by Mark Reynolds at 2023-03-06T07:29:55-05:00
Issue 5687 - UI - sensitive information disclosure

Bug Description: In several places either the clear text password or the password hash can be read by unprivileged users.

Fix Description: When processing user entries do not attempt to decode userpassword. When setting the password for chaining or replication agreements/repl manager write the password to a temporary file that can be passed to the CLI.

Also, improved user add wizard allowing to search attributes.

relates: https://github.com/389ds/389-ds-base/issues/5687
Reviewed by: spichugi & vashirov (Thanks!!)
- - - - -
8654301b by tbordaz at 2023-03-08T15:40:29+01:00
Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5691)

Bug description: The first fix for 5598 introduces/reveals a leak. My initial understanding of SLAPI_SEARCH_FILTER and SLAPI_SEARCH_FILTER_INTENDED was wrong. Without referral, they are identical (referring to the same filter). In case of referral, SLAPI_SEARCH_FILTER is a crafted one that *includes* the original (SLAPI_SEARCH_FILTER_INTENDED).

Fix description: If there is no referral, SLAPI_SEARCH_FILTER_INTENDED and SLAPI_SEARCH_FILTER are just identical.

relates: #5598
Reviewed by: Mark Reynolds, Pierre Rogier(thanks)

- - - - -
dc565fda by tbordaz at 2023-03-09T16:50:34+01:00
Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5692)

Bug description: The first fix for 5598 logs a single and useless message (INFO) when configuring a backend/mapping tree:
"INFO - slapd_daemon - New referral entries are detected under dc=example,dc=com (returned to SRCH req)"
The reason is that it checks referral (internal search) at the backend level. This is called at startup and config. Upon config it should not be called because backend/mapping tree are not ready for internal search.

Fix description: Moving the test from ldbm_instance_start (backend) to startup ldbm_instance_startall (after slapi_mtn_be_started).

relates: #5598
Reviewed by: Mark Reynolds (thanks)

- - - - -
c18a14d9 by dependabot[bot] at 2023-03-15T16:58:03-07:00
Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)

Bumps [webpack](https://github.com/webpack/webpack) from 5.75.0 to 5.76.0.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0)

---
updated-dependencies:
- dependency-name: webpack
  dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support at github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

- - - - -
13a0ffd7 by James Chapman at 2023-03-20T10:27:39+00:00
Issue 4812 - Listener thread does not scale with a high num of established connections (#5681)

Description: Adding num listeners config option, some tidy up.

relates: https://github.com/389ds/389-ds-base/issues/4812
Reviewed by: tbordaz, Firstyear, progier389, mreynolds389, droideck (Thank you)

- - - - -
5e4551e9 by James Chapman at 2023-03-20T23:19:08+00:00
Issue 4812 - Listener thread does not scale with a high num of established connections (#5706)

Bug description: Latest commit introduced a zero alloc bug.

Fix description: A memory allocation is attempted before the required size is known. Introduced during rework.

relates: https://github.com/389ds/389-ds-base/issues/4812
Reviewed by: @mreynolds389 (Thank you)

- - - - -
5f1dc41e by Mark Reynolds at 2023-03-22T09:04:01-04:00
Issue 1081 - Stop schema replication from overwriting x-origin

Bug Description: During schema replication all attributes/objectclasses were rewritten as "user defined" on the consumer. This was happening because we treated all schema updates, regardless of the origin, as new "custom" schema.

Fix Description: If a schema update is a replicated operation do not check/adjust x_origin value.

relates: https://github.com/389ds/389-ds-base/issues/1081
Reviewed by: progier(Thanks!)

- - - - -
7c36748c by Simon Pichugin at 2023-03-22T18:28:37-07:00
Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698)

Description: LDAPI code uses nsslapd-ldapimaprootdn to map Unix root entry to a Root DN entry. It usually has the same value as nsslapd-rootdn. Changing one attribute but not changing the other leads to a non-functional autobind configuration that breaks dsconf and WebUI. LDAPI code should use nsslapd-rootdn value instead of having two separate entries that should be kept in sync.
This should make changing Root DN simpler and without fear that it will break dsconf or WebUI access.

Fixes: https://github.com/389ds/389-ds-base/issues/5697
Reviewed by: @mreynolds389 (Thanks!)

- - - - -
eab4eefb by tbordaz at 2023-03-28T10:27:01+02:00
Issue 5710 - subtree search statistics for index lookup does not report ancestorid/entryrdn lookups (#5711)

Bug description: The RFE #3729 allows collecting index lookups per search operation. For subtree searches the server looks up ancestorid and those lookups are not recorded.

Fix description: if statistics are enabled, record ancestorid lookup.

relates: #5710
Reviewed by: Mark Reynolds (thanks)

- - - - -
a5617fcd by dependabot[bot] at 2023-03-29T16:52:57-07:00
Bump openssl from 0.10.45 to 0.10.48 in /src (#5709)

Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.45 to 0.10.48.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.48)

---
updated-dependencies:
- dependency-name: openssl
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support at github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

- - - - -
ad0ec0cd by Simon Pichugin at 2023-03-30T19:57:18-07:00
Issue 5701 - CLI - Fix referral mode setting (#5708)

Bug Description: Referral mode not working and failing with error:
ERROR: Error: 103 - 10 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral
It happens because in CLI, we set nsslapd-referral to the backend when it should be set to "cn=mapping tree".

Fix description: Set the attribute to the correct object. Add get_state and set_state custom functions to BackendSuffixView. Fix minor typos.

Fixes: https://github.com/389ds/389-ds-base/issues/5701
Reviewed by: @tbordaz, @mreynolds389, @progier389 (Thanks!)

- - - - -
fc34eec5 by Mark Reynolds at 2023-03-31T11:12:34-04:00
Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations

Description:
- DB settings "Look Through Limit" was misspelled, and the "+" increment button was not working
- Configuring logs would not correctly enable/disable the save button
- LDAP Browser - Pagination was not working correctly when you search for attributes/objectclasses. We were also missing some "search" inputs for attributes in some of the forms.

relates: https://github.com/389ds/389-ds-base/issues/5714
Reviewed by: spichugi(Thanks!)

- - - - -
7743b386 by James Chapman at 2023-04-11T11:41:17+00:00
Issue 5705 - Add config parameter to close client conns on failed bind (#5712)

Description: Malformed applications that ignore BIND return code can load the server with unnecessary requests.

Fix description: Add a config option that will allow the closure of a client connection from server side when a BIND is failing.
relates: https://github.com/389ds/389-ds-base/issues/5707
Reviewed by: @droideck (Thank you)

- - - - -
85ab1bc4 by James Chapman at 2023-04-11T11:52:01+00:00
Issue 5718 - Memory leak in connection table (#5719)

Bug description: duplicate multiple mem allocation causes a leak

Fix description: remove duplicate allocation

Fixes: https://github.com/389ds/389-ds-base/issues/5718
Reviewed by: @Firstyear (Thank you)

- - - - -
f0c804b0 by tbordaz at 2023-04-17T15:32:34+02:00
Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)

Bug description: With LDBM / BDB separation, LDBM functions like upgradednformat need to initialize ldbminfo.

Fix description: call dblayer_setup in upgradednformat.

relates: #5726
Reviewed by: Simon Pichugin (Thanks)

- - - - -
c4b939b6 by Mark Reynolds at 2023-04-25T15:10:29-04:00
Bump version to 2.3.3

- - - - -
27d38991 by Mark Reynolds at 2023-04-28T08:22:01-04:00
Issue - Copy config files into backup directory

Description: Copy dse.ldif, schema files, certmap.conf, slapd-collations, and NSS files into the backup. These files are not restored during a bak2db, so they must be manually restored (if needed).

relates: https://github.com/389ds/389-ds-base/issues/2562
Reviewed by: firstyear, spichugi, progier, and tbordaz (Thanks!!!!)

- - - - -
c0382a44 by Mark Reynolds at 2023-05-04T14:58:01-04:00
Issue 5749 - RFE - Allow Account Policy Plugin to handle inactivity and expiration at the same time

Description: Currently Account Policy Plugin has a state attribute and an alternate state attribute. If the main state attribute is NOT present in the entry then it falls back to the alternate state attribute. This RFE adds a new setting that tells the plugin to check both state attributes. The purpose of this is for expiration and inactivity, so this is meant to be used when the alternate state attribute is 'passwordExpirationtime'. So if the main state attribute is OK, it will then check the alternate state attribute for inactivity.
relates: https://github.com/389ds/389-ds-base/issues/5749
Reviewed by: tbordaz & spichugi(Thanks!!)

- - - - -
882a27da by Mark Reynolds at 2023-05-08T08:30:34-04:00
Issue 5738 - RFE - UI - Read/write replication monitor info to .dsrc file

Description: Allow UI to use the .dsrc replication monitor info, and also allow the UI to write new report configurations. This prevents an admin from having to enter this information every time they want to run a report.

relates: https://github.com/389ds/389-ds-base/issues/5738
Reviewed by: spichugi(Thanks!)

- - - - -
148ad351 by tbordaz at 2023-05-09T08:53:40+02:00
Issue 5704 - crash in sync_refresh_initial_content (#5720)

Bug description: If the last record of the changelog is not accessible then the session record is NULL. It crashes the server when it is dereferenced. I failed to reproduce it, including disabling/removing 'cn=changelog' backend/mapping tree. So I guess it happens during rare dynamic.

Fix description: Return a failure when the session cookie is not initialized.

relates: #5704
Reviewed by: Mark Reynolds (Thanks)

- - - - -
13e66bfa by Firstyear at 2023-05-10T16:26:34+02:00
Issue 5052 - BUG - Custom filters prevented entry deletion (#5060)

Bug Description: When a custom filter was provided, entries which were deleted in AD did not have that event correctly reflected in 389-ds. This was due to the behaviour that when an entry in AD is deleted, it is marked with a "deleted" flag which the objectClass=* filter would (accidentally) collect when it did a search. However, a custom user filter being specified would in some cases (such as a memberOf filter) NOT show up the deletion since the entry was considered to have moved out of scope rather than being a full delete.

Fix Description: In the case that we have a userfilter, we wrap it in an OR condition that always requests isDeleted flags so that we can correctly reflect the delete status.
fixes: https://github.com/389ds/389-ds-base/issues/5052
Author: William Brown <william at blackhats.net.au>
Review by: @mreynolds389 @tbordaz

- - - - -
9c05f2e4 by Mark Reynolds at 2023-05-11T08:18:05-04:00
Issue 152 - RFE - Add support for LDAP alias entries

Description: Per RFC rfc4512#section-2.6 add support for Alias Entries. Currently this is only designed to work with "base" searches.

Thanks to @anilech for the code contribution!!!

relates: https://github.com/389ds/389-ds-base/issues/152
Reviewed by: spichugi, tbordaz, and progier(Thanks!!!)

- - - - -
2a27121f by James Chapman at 2023-05-11T16:05:33-04:00
Issue 5643 - Memory leak in entryrdn during delete (#5717)

Bug description: Failure to delete temp key buffer

Fix description: Delete temp key buffer on exit

Fixes: https://github.com/389ds/389-ds-base/issues/5643
Reviewed by: @mreynolds389 (Thank you)

- - - - -
dfa4e810 by Mark Reynolds at 2023-05-16T11:28:34-04:00
Issue 5765 - Improve installer selinux handling

Description: When labeling ports we retry on error, and we should do the same when labeling files.

relates: https://github.com/389ds/389-ds-base/issues/5765
Reviewed by: ?

- - - - -
c0076d02 by Mark Reynolds at 2023-05-18T09:11:46-04:00
Issue 5768 - CLI/UI - cert checks are too strict, and other issues

Description: The certificate type checks for CA/server break if there are no certificate extensions set (use openssl in that case to gather the info instead). dscontainer needed to be updated for new cert checks, and UI adding certs improvements.

relates: https://github.com/389ds/389-ds-base/issues/5768
Reviewed by: spichugi(Thanks!)

- - - - -
71d5fbec by Mark Reynolds at 2023-05-18T09:17:23-04:00
Issue 5770 - RFE - Extend Password Administrators to allow skipping password info updates

Description: Add new config setting to state that password admin updates should not update entry's password state attributes.
relates: https://github.com/389ds/389-ds-base/issues/5770
Reviewed by: progier, tbordaz, spichugi (Thanks!)

- - - - -
c7d4f688 by James Chapman at 2023-05-18T10:40:23-04:00
Issue 5752 - RFE - Provide a history for LastLoginTime (#5753)

Description: When a user did a successful bind, the "LastLoginTime" attribute is updated. We now have a request from our security department to display the user's last successful bind before the current one. When we just read out this attribute the value is already updated, so that the user does not see his real last successful login; in fact he sees the current login date and time.

Fix description: Create a new Account Policy attribute to store the login time stamps for a successful bind.

relates: https://github.com/389ds/389-ds-base/issues/5752
Reviewed by: @droideck (Thank you)

- - - - -
aa50e5bb by Mark Reynolds at 2023-05-18T10:43:07-04:00
Bump version to 2.3.4

- - - - -
badf373d by Timo Aaltonen at 2023-06-12T10:13:00+03:00
Improve clean target.

* Improve clean target.
* Use ln -fs instead of ln -s to allow resuming build after fixing errors.

- - - - -
f35a5957 by Timo Aaltonen at 2023-06-12T10:13:57+03:00
Fix build with base64 0.21.

- - - - -
7957d2ee by Timo Aaltonen at 2023-06-12T10:19:59+03:00
Merge branch 'upstream'

- - - - -
4baa45ac by Timo Aaltonen at 2023-06-12T10:20:18+03:00
version bump

- - - - -

30 changed files:

- .github/workflows/compile.yml
- + .github/workflows/lmdbpytest.yml
- .github/workflows/pytest.yml
- .github/workflows/release.yml
- Makefile.am
- VERSION.sh
- configure.ac
- debian/changelog
- debian/control
- − debian/patches/5610-fix-linking.diff
- + debian/patches/base64-0.21.diff
- − debian/patches/dont-run-rpm.diff
- debian/patches/series
- debian/rules
- dirsrvtests/check_for_duplicate_ids.py
- dirsrvtests/conftest.py
- dirsrvtests/create_test.py
- dirsrvtests/testimony.yaml
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=module{0}.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={0}core.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={2}inetorgperson.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={3}rfc2307bis.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={4}yast.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={0}config.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={1}mdb.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={0}memberof.ldif

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/5a682490caf1ab9582424433ded96375747d4502...4baa45ac432a4d8748bd9fac0f6e1ec3d20187aa

From gitlab at salsa.debian.org Mon Jun 12 08:53:05 2023
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton))
Date: Mon, 12 Jun 2023 07:53:05 +0000
Subject: [Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][upstream] 107 commits: Bump version to 2.3.1
Message-ID: <6486cee1652d1_136f886505108114224a@godard.mail>

Timo Aaltonen pushed to branch upstream at FreeIPA packaging / 389-ds-base

Commits:
6ad8f075 by Mark Reynolds at 2022-11-18T08:54:06-05:00
Bump version to 2.3.1

- - - - -
06e96874 by Simon Pichugin at 2022-11-18T07:02:12-08:00
Issue 5534 - Add copyright text to the repository files

Description: We need to have copyright texts around our files and some of it is missing. This commit adds the copyright to tests and lib389. Also, add an automatic generator in the create_test.py script.

Fixes: https://github.com/389ds/389-ds-base/issues/5534
Reviewed by: @mreynolds389, @progier389 (Thanks!)

- - - - -
83949f6d by Simon Pichugin at 2022-11-18T09:21:32-08:00
Issue 5534 - Fix a rebase typo (#5537)

Description: Fix a minor typo in config/compact_test.py.

Related: https://github.com/389ds/389-ds-base/issues/5534
Reviewed by: @mreynolds389 (Thanks!)

- - - - -
ba9d8b3b by tbordaz at 2022-11-21T11:41:15+01:00
Issue 3729 - (cont) RFE Extend log of operations statistics in access log (#5538)

Bug description: This is a continuation of the #3729. The previous fix did not manage internal SRCH, so statistics of internal SRCH were not logged.

Fix description:
For internal operation log_op_stat uses connid/op_id/op_internal_id/op_nested_count that have been computed in log_result.
For direct operation log_op_stat uses info from the operation itself (o_connid and o_opid).
log_op_stat relies on operation_type rather than o_tag that is not available for internal operation.

relates: #3729
Reviewed by: Pierre Rogier

- - - - -
3e814cfb by Stanislav Levin at 2022-11-22T15:21:11+01:00
Issue 5541 - Fix typo in `lib389.cli_conf.backend._get_backend` (#5542)

Fix Description: Replace `name` with `be_name`.
relates: https://github.com/389ds/389-ds-base/issues/5541 Reviewed by: progier (Thanks) - - - - - b0f8c322 by Stanislav Levin at 2022-11-22T15:22:46+01:00 Issue 5539 - Make logger's parameter name unified (#5540) Description: Some of the functions of `lib389.cli_conf.security` used `log` as logger's parameter name while another ones - `logs`. This lead to regression like #5539. Fix Description: Replace `logs` with `log`. relates: https://github.com/389ds/389-ds-base/issues/5539 Reviewed by: mreynolds (Thanks) - - - - - 89160f7a by Firstyear at 2022-11-24T09:55:46+10:00 Issue 5526 - RFE - Improve saslauthd migration options (#5528) Bug Description: We should improve our migration paths from openldap to allow the commonly used saslauthd plugin. Fix Description: This adds the import transform to convert users to use the nsSaslauthId field. This also adds a helper in migration to enable the plugins as needed. Finally this also adds some hardening to pam_pta. fixes: https://github.com/389ds/389-ds-base/issues/5526 Author: William Brown <william at blackhats.net.au> Review by: @progier389 - - - - - 08c21134 by Mark Reynolds at 2022-11-28T10:34:31-05:00 Issue 5544 - Increase default task TTL Description: Increase the Time To Live of tasks from 1 hour to 12 hours relates: https://github.com/389ds/389-ds-base/issues/5544 Reviewed by: progier(Thanks!) - - - - - 8e32e5f4 by William Brown at 2022-12-06T10:53:26+10:00 Issue 5521 - BUG - Pam PTA multiple issues Bug Description: Pam PTA and the lib389 cli had numerous issues that were affecting administration and configuration. Fix Description: This fixes many issues: * add pam-[enable,disable,show] seperate to pta enable. We can't combine these into one because they are seperate plugins. They also still needs ways to enable them outside of the direct config attribute manipulation. * Make pamMissingSuffix return a default of IGNORE on NONE. 
This is because many of the current tools don't actually set this value and it can block server restarts.
* pamSecure would not warn properly on lack of TLS connections, which can trick users into thinking the plugin is not working.

fixes: https://github.com/389ds/389-ds-base/issues/5521
Author: William Brown <william at blackhats.net.au>
Review by: @mreynolds389 @droideck (Thanks!)

- - - - -

a8ae3421 by William Brown at 2022-12-06T10:53:26+10:00
Issue 5521 - RFE - split pass through auth cli

Bug Description: The pass through auth cli previously was a "merge" of both ldap pass through and pam pass through. These two do not share any commonality, and actually conflict with each other. This caused a lot of confusion, especially in documentation where it wasn't clear how to use either feature as a result.

Fix Description: Split the cli into two separate plugins with their own config domains. This clarifies the situation for users, and makes it far easier to configure the various pass through layers.

fixes: https://github.com/389ds/389-ds-base/issues/5521
Author: William Brown <william at blackhats.net.au>
Review by: @mreynolds389 @droideck (Thanks!)

- - - - -

b329cc48 by Viktor Ashirov at 2022-12-12T19:05:30+01:00
Issue 5561 - Nightly tests are failing

Bug Description: We use ubuntu-latest as our runner image for testing in containers. Recently there was a switch from 20.04 to 22.04 that caused test failures.

Fix Description:
* Pin runner image to 22.04
* Remove cgroups mount from docker cmd since ubuntu-22.04 now supports cgroupsv2

Fixes: https://github.com/389ds/389-ds-base/issues/5561
Reviewed-by: @droideck (Thanks!)

- - - - -

861d032e by Simon Pichugin at 2022-12-12T16:39:46-08:00
Issue 5554 - Add more tests to security_basic_test suite (#5555)

Description: Add tests for ANONYMOUS_BIND and TLSCLIENTAUTH cases (including CERT_MAP_FAILED). Fix minor test structure issues.

Fixes: https://github.com/389ds/389-ds-base/issues/5554
Reviewed by: @mreynolds389, @Firstyear (Thanks!)

- - - - -

6aa7a6d5 by Mark Reynolds at 2022-12-13T12:08:35-05:00
Issue 5413 - Allow multiple MemberOf fixup tasks with different bases/filters

Description: A change was made to only allow a single fixup task at a time, but there are cases where you would want to run multiple tasks but on different branches/filters. Now we maintain a linked list of bases/filters of the currently running tasks to monitor this.

relates: https://github.com/389ds/389-ds-base/issues/5413
Reviewed by: tbordaz(Thanks!)

- - - - -

3ba81948 by Mark Reynolds at 2022-12-15T13:17:00-05:00
Update specfile and rust crates

Reviewed by: spichugi(Thanks!)

- - - - -

5a12552b by Mark Reynolds at 2022-12-15T17:48:44-05:00
Issue 3615 - CLI - prevent virtual attribute indexing

Description: Do not allow virtual attributes to be indexed because it breaks search results

relates: https://github.com/389ds/389-ds-base/issues/3615
Reviewed by: spichugi(Thanks!)

- - - - -

bb5df9d4 by progier389 at 2022-12-16T16:18:40+01:00
Issue 5545 - A random crash in import over lmdb (#5546)

* Issue 5545 - A random crash in import over lmdb
* Issue 5545 - Fix reviews remarks

Random crash due to an accelerator that bypasses the lock while dequeueing a worker thread entry, which causes a synchronization issue around the hardware memory cache.

Solution: lock systematically to perform a membar that ensures proper synchronization. (It does not impact the performances because the provider -> worker queue is not the performance bottleneck.
(that is the writer thread database operation that limits the throughput)

Also added 2 improvements:
Use MDB_NOSYNC flags during off-line import (Anyway if the process is interrupted the import must be rerun)
Log regularly some statistics about the import writer thread (to help determine if the import bottleneck is because the thread is waiting for input data or waiting for the lmdb operation to complete)

- - - - -

84e8fdd3 by progier389 at 2022-12-16T17:35:19+01:00
Issue 5558 - non-root instance fails to start on creation (#5559)

issue: non root installation fails to start after the default storage scheme change.
The solution is to avoid removing the RUST storage scheme from dse.ldif templates while preparing the non root user installation.

- - - - -

a94ae27a by Mark Reynolds at 2022-12-16T11:46:26-05:00
Issue 5425 - CLI - add confirmation arg when deleting backend

Description: Add "--do-it" CLI argument when deleting a backend and its subsuffixes

fixes: https://github.com/389ds/389-ds-base/issues/5425
Reviewed by: tbordaz & progier(Thanks!!)

- - - - -

f60e479a by Mark Reynolds at 2022-12-16T11:48:46-05:00
Issue 5531 - CI - use universal_lines in capture_output

Description: Use backwards compatible universal_lines in capture_output()

relates: https://github.com/389ds/389-ds-base/issues/5531
Reviewed by: progier(Thanks!)

- - - - -

ed231df0 by Mark Reynolds at 2022-12-16T13:30:08-05:00
Issue 5278 - CLI - dsidm asks for the old password on password reset

Description: If we are changing a password as Root DN we don't need the old password

relates: https://github.com/389ds/389-ds-base/issues/5278
Reviewed by: progier(Thanks!)

- - - - -

145f48d2 by progier389 at 2022-12-21T19:36:07+01:00
Issue 5550 - dsconf monitor crashes with Error math domain error (#5553)

* Issue 5550 - dsconf monitor crashes with Error math domain error

Problem: db computes negative db cache free space when db cache use is above 50% because the wrong page size is used for the computation.
Solution: provide the mempool page size in the monitor query and use it in dbmon
Also fixing an issue around the changelog db page size.

- - - - -

af128776 by Mark Reynolds at 2023-01-03T08:37:44-05:00
Issue 5236 - UI add specialized group edit modal

Description: Added a modal for handling groups: viewing, adding and removing members

Revised overall project:
- "Search Base" handling using a label button was not intuitive. Changed it to a more recognizable href.
- Made table "trash Can" icons visibly clickable
- Edit/add entry wizard, the big red "Empty Value!" label is no longer displayed while you edit the value

relates: https://github.com/389ds/389-ds-base/issues/5236
Reviewed by: spichugi(Thanks!)

- - - - -

81c34adc by dependabot[bot] at 2023-01-03T10:21:30-05:00
Bump json5 from 2.2.1 to 2.2.3 in /src/cockpit/389-console

Bumps [json5](https://github.com/json5/json5) from 2.2.1 to 2.2.3.
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](https://github.com/json5/json5/compare/v2.2.1...v2.2.3)

---
updated-dependencies:
- dependency-name: json5
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support at github.com>

- - - - -

95d83df8 by Mark Reynolds at 2023-01-05T08:56:58-05:00
Issue 5521 - UI - Update plugins for new split PAM and LDAP pass thru auth

Description: Previously PAM and LDAP pass thru auth plugins were merged. This change separates them into their own plugins in the UI. Also improved memory reporting in monitor tab.

relates: https://github.com/389ds/389-ds-base/issues/5521
Reviewed by: spichugi(Thanks!)

- - - - -

bafacd27 by Simon Pichugin at 2023-01-05T08:10:04-08:00
Issue 5585 - lib389 password policy DN handling is incorrect (#5587)

Description: After a migration between major DS versions, it can happen that already existing password policies will have a 'cn' that contains a valid DN in double quotes "". We need to strip the quotes before processing the DN with python-ldap.

Fixes: https://github.com/389ds/389-ds-base/issues/5585
Reviewed by: @tbordaz, @mreynolds389 (Thanks!)

- - - - -

2c28c895 by Mark Reynolds at 2023-01-05T15:36:25-05:00
Issue 5588 - Fix CI tests

Description:
Fix ACL tests that no longer return IndexError but instead return an empty list
Fix db_home tests when in a container and the regular db dir is used instead
Fix repl monitor test where args_instance was not declared before treating it as a dict

relates: https://github.com/389ds/389-ds-base/issues/5588
Reviewed by: ?

- - - - -

7def4959 by Mark Reynolds at 2023-01-06T19:18:47-05:00
Issue 5348 - RFE - CLI - add functionality to do bulk updates to entries

description: dsidm account allows doing bulk updates to a bunch of entries. Add options for setting a filter, scope, and base, and whether to continue on error.

relates: https://github.com/389ds/389-ds-base/issues/5348
Reviewed by: spichugi(Thanks!)

- - - - -

acfc4d7a by Mark Reynolds at 2023-01-09T13:28:29-05:00
Issue 5599 - CI - webui tests randomly fail

Description: Add sleeps to deal with slow machines

relates: https://github.com/389ds/389-ds-base/issues/5599
Reviewed by: progier389(Thanks!)

- - - - -

3baaa042 by Mark Reynolds at 2023-01-09T13:37:30-05:00
Fix latest npm audit failures

Reviewed by: spichugi(Thanks!)

- - - - -

6a4b49a8 by Firstyear at 2023-01-10T13:40:47+10:00
Issue 5591 - BUG - Segfault in cl5configtrim with invalid config (#5592)

Bug Description: When an invalid replication config exists, replica_get_cl_info can return null. The lack of a null check in cl5configtrim can lead to a SIGSEGV

Fix Description: Check for the NULL case.

fixes: https://github.com/389ds/389-ds-base/issues/5591
Author: William Brown <william at blackhats.net.au>
Review by: @mreynolds389

- - - - -

9e8d42c1 by Mark Reynolds at 2023-01-10T08:57:05-05:00
Issue 5593 - CLI - dsidm account subtree-status fails with TypeError

Description: There was a problem with the function parameters being passed to the filter method, and we were missing a parameter for the print entry function.

relates: https://github.com/389ds/389-ds-base/issues/5593
Reviewed by: spichugi(Thanks!)

- - - - -

ea5daa5d by Mark Reynolds at 2023-01-11T09:42:23-05:00
Issue 5581 - UI - Support cockpit dark theme

Description: We were previously overriding the background color which caused issues with the dark theme.
Also changed database tree to add a "Create Suffix" Icon in the tree instead of the button below the tree
Fixed browser crash in "edit entry" when changing a read only variable

relates: https://github.com/389ds/389-ds-base/issues/5581
Reviewed by: spichugi(Thanks!)

- - - - -

aeebd5a0 by Mark Reynolds at 2023-01-12T10:39:02-05:00
Issue 5602 - UI - browser crash when trying to modify read-only variable

Description: Existing code that used to work (incorrectly) is now causing issues. Need to use "let" instead of "const".

relates: https://github.com/389ds/389-ds-base/issues/5602
Reviewed by: spichugi(Thanks!)
- - - - -

10b3110d by progier389 at 2023-01-16T15:08:54+01:00
Issue 5605 - Adding a slapi_log_backtrace function in libslapd (#5606)

Moving log_stack out of db-mdb code to libslapd and renaming it as slapi_log_backtrace.

- - - - -

b8c90a5a by James Chapman at 2023-01-17T11:42:56+00:00
Issue 3604 - Create a private key/CSR with dsconf/Cockpit (#5584)

RFE description: There's no way to create a private key and a CSR with dsconf/Cockpit. However, features for importing a certificate exist, but DS also requires the private key in the NSS database to use the certificate

Fix Description: Modify dsconf/UI to allow creation of a CSR.

relates: https://github.com/389ds/389-ds-base/issues/3604
Reviewed by: @mreynolds389, @droideck (Thank you)

- - - - -

010ac612 by progier389 at 2023-01-18T16:57:03+01:00
Issue 5560 - dscreate run by non superuser set defaults requiring superuser privilege (#5579)

when run by a non root user some of dscreate default values of the template options require superuser privileges.
Solution: Changing the default value for port, secure_port, selinux, systemd when uid is not 0

- - - - -

aa2f8435 by Mark Reynolds at 2023-01-19T20:01:36-05:00
Issue 5608 - UI - need to replace some "const" with "let"

Description: Browsers are becoming more strict about javascript and there were places where a const variable was being modified. This is now crashing the server. So to be overly cautious a lot of consts were changed just to be safe.

relates: https://github.com/389ds/389-ds-base/issues/5608
Reviewed by: spichugi(Thanks!)

- - - - -

b09b069f by Viktor Ashirov at 2023-01-21T13:20:10+01:00
Issue #5610 - Build failure on Debian

Bug Description: On Debian libslapd.so is not getting linked with libcrypto.so, which results in `undefined reference` link errors.

Fix Description: Move -lssl and -lcrypto for libslapd.so from LDFLAGS to LIBADD.

Fixes: https://github.com/389ds/389-ds-base/issues/5610
Reviewed by: @mreynolds389 (Thanks!)

- - - - -

6d73cc23 by Mark Reynolds at 2023-01-23T07:47:36-05:00
Issue 5607, 5351, 5611 - UI/CLI - fix various issues

Description:
5607 - Ldap Editor failed to decode base64 values
5351 - CLI - Cockpit enable check for cockpit package was not portable (just removed this check)
5611 - Security page had a lot of issues when trying to change the Server Certificate. Save didn't work, and "Security Enable" modal would crash

relates: https://github.com/389ds/389-ds-base/issues/5607
relates: https://github.com/389ds/389-ds-base/issues/5351
relates: https://github.com/389ds/389-ds-base/issues/5611
Reviewed by: spichugi(Thanks!)

- - - - -

14943d56 by Mark Reynolds at 2023-01-23T08:30:34-05:00
Issue 5547 - automember plugin improvements

Description: Rebuild task has the following improvements:
- Only one task allowed at a time
- Do not cleanup previous members by default. Add new CLI option to intentionally cleanup memberships before rebuilding from scratch.
- Add better task logging to show fixup progress

To prevent automember from being called in a nested be_txn loop, thread storage is used to check and skip these loops.

relates: https://github.com/389ds/389-ds-base/issues/5547
Reviewed by: spichugi(Thanks!)

- - - - -

e5375101 by Mark Reynolds at 2023-01-23T10:38:35-05:00
Bump version to 2.3.2

- - - - -

70ab219a by Mark Reynolds at 2023-01-26T13:50:52-05:00
Issue 5497 - boolean attributes should be case insensitive

Description: Boolean values are supposed to be case insensitive, but in our code it is sensitive even though the code is in the "cis" file.

relates: https://github.com/389ds/389-ds-base/issues/5497
Reviewed by: spichugi(Thanks!)

- - - - -

ddc6e777 by progier389 at 2023-01-27T15:43:08+01:00
Issue 5578 - dscreate ds-root does not normalize paths (#5613)

Problem: dscreate ds-root or subsequent dscreate from-root command fails if either the root prefix or the optional bin path are not normalized.
Solution: both the root prefix and the bin directory are now normalized.

- - - - -

3813f799 by Florian Schmaus at 2023-01-30T08:28:39-05:00
Remove stale libevent(-devel) dependency

It appears that the last user of libevent disappeared with 44e92dc8b900 ("Ticket 50669 - remove nunc-stans").

- - - - -

69978d13 by Mark Reynolds at 2023-02-02T08:13:22-05:00
Issue 4293 - RFE - CLI - add dsrc options for setting user and group subtrees

Description: There are customers who do not use "ou=groups" or "ou=people" for their users and groups. This RFE allows the user/group RDN to be customized in the .dsrc file

relates: https://github.com/389ds/389-ds-base/issues/4293
Reviewed by: spichugi(Thanks!)

- - - - -

a9a72616 by progier389 at 2023-02-06T16:33:02+01:00
Issue 4577 - Add LMDB pytest github action (#5627)

Duplicate the pytest workflow and it seems to work nicely (The github limit of 20 concurrent jobs prevents too many tests running at the same time)
Furthermore as the bdb and lmdb tests run on different containers it ensures a proper test separation.
Note: There is a discussion whether we should refactor or not these actions but if we ever decide to do it, we could do it later on.

- - - - -

5cbcd502 by dependabot[bot] at 2023-02-07T16:30:56+01:00
Bump tokio from 1.24.1 to 1.25.0 in /src (#5629)

Update cargo.lock to upgrade "tokio" rust component to 1.25

Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.24.1 to 1.25.0.
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](https://github.com/tokio-rs/tokio/compare/tokio-1.24.1...tokio-1.25.0)

---
updated-dependencies:
- dependency-name: tokio
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support at github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

- - - - -

b3bb074c by Mark Reynolds at 2023-02-07T13:27:13-05:00
Issue 5624 - RFE - UI - export certificates, and import text base64 encoded certificates

Description: Allow exporting CA and server certificates
Allow importing a certificate by pasting the base64 encoded certificate text into a form, choosing a certificate from the server's cert dir, or uploading a PEM file from the client system.

relates: https://github.com/389ds/389-ds-base/issues/5624
Reviewed by: spichugi(Thanks!)

- - - - -

f195c9de by progier389 at 2023-02-08T15:23:06+01:00
Issue 5637 - Covscan - fix Buffer Overflows (#5638)

Covscan reports:
. 389-ds-base-2.2.4/ldap/servers/slapd/conntable.c:138: suspicious_sizeof: Passing argument "table_size * 16UL /* sizeof (struct PRPollDesc) */" to function "slapi_ch_calloc" and then casting the return value to "struct PRPollDesc **" is suspicious.

And indeed memory space is wasted because a buffer larger than the expected one is allocated in connection table code: it should be: ct->list_num *sizeof(struct PRPollDesc*).

Issue: 5637
Reviewed by: @mreynolds389, @jchapma. Thanks !

- - - - -

6d3009f3 by progier389 at 2023-02-08T17:16:09+01:00
Issue 5634 - Deprecated warning related to github action workflow code (#5635)

Problem: github action pytest reports deprecated warnings about actions/upload-artifact at v2 and set-output
Fix: replaced actions/upload-artifact at v2 by actions/upload-artifact at v3
replaced run: echo "::set-output name=varName::value" by run: echo "varName=value" >> $GITHUB_OUTPUT

Issue: 5634
Reviewed by: @vashirov, Thanks !

- - - - -

856d7f0d by progier389 at 2023-02-08T19:07:18+01:00
Issue 5517 - Replication conflict CI test sometime fails (#5518)

fix a Modrdn conflict resolution issue because the wrong dn is used to rename the subtree in the entryrdn index.
- - - - -

cee276d3 by Mark Reynolds at 2023-02-08T17:53:52-05:00
Issue 5632 - CLI - improve error handling with db2ldif

Description: Have the CLI check if the ldif location exists. This also prevents the database from getting trashed by skipping the export attempt.

relates: https://github.com/389ds/389-ds-base/issues/5632
Reviewed by: progier & spichugi(Thanks!)

- - - - -

66438b4d by Firstyear at 2023-02-09T11:29:03+10:00
Issue 2435 - RFE - Raise IDL Scan Limit to INT_MAX (#5639)

Bug Description: The IDL scan limit existed as a naive attempt at query optimisation to force longer IDLs to be skipped in favour of short IDLs. However, since we now have a true query optimiser that can handle this correctly, the IDL scan limit is redundant and not functional. The only condition the IDL scan limit can now impact is making queries slower by rejecting the use of longer IDLs when shortcut conditions are not possible.

Fix Description: Raise the IDL Scan Limit to INT_MAX to observe the results. In the future we can remove the code entirely.

fixes: https://github.com/389ds/389-ds-base/issues/2435
Author: William Brown <william at blackhats.net.au>
Review by: @progier389 @mreynolds389

- - - - -

1b4f5a5b by Mark Reynolds at 2023-02-10T07:52:45-05:00
Issue 5630 - CLI - error messages should go to stderr

Description: Previously all CLI output (error or not) was sent to stdout when it should really go to stderr. Add new handle/filter for stdout messages

relates: https://github.com/389ds/389-ds-base/issues/5630
Reviewed by: spichugi & progier (Thanks!!)

- - - - -

a5b15583 by James Chapman at 2023-02-13T11:55:23+00:00
Issue 5648 - Covscan - Compiler warnings (#5651)

Description: A covscan report on 389-ds-base-2.2.4 reported two compiler warnings.

Defect type: COMPILER_WARNING
389-ds-base-2.2.4/ldap/servers/plugins/retrocl/retrocl_trim.c:458:27: warning[-Wmaybe-uninitialized]: 'trim_interval' may be used uninitialized in this function

Defect type: COMPILER_WARNING
389-ds-base-2.2.4/ldap/servers/plugins/retrocl/retrocl_trim.c:26:40: warning[-Wint-conversion]: initialization of 'int' from 'void *' makes integer from pointer without a cast

One has since been fixed, this is for the remaining one.

relates: https://github.com/389ds/389-ds-base/issues/5648
Reviewed by: @mreynolds389 (Thanks)

- - - - -

e4ed5a8a by progier389 at 2023-02-13T16:59:00+01:00
Issue 5628 - Handle graceful timeout in CI tests (#5657)

Issue: Sometimes a CI test fails because the github workflow timeout of 6 hours is triggered and in this case there is no data to help troubleshooting except that the timeout occurred.

Solution: Implement a 5 hour timeout in the topologies fixture so that test result artefacts get collected before the github timeout.
When the timeout occurs: the pytest test fails because of a TimeoutError exception and ns-slapd gets killed first with SIGTERM then with SIGQUIT (to get the core file in case of deadlock)
Specific test modules may configure their own timeout by adding an autouse fixture (see dirsrvtests/tests/suites/lib389/timeout_test.py)

Issue: 5628
Reviewed by: @mreynolds389

- - - - -

9710cf1c by progier389 at 2023-02-13T17:05:45+01:00
Issue 5652 - Libasan crash in replication/cascading_test (#5659)

got a crash when running replication/cascading_test with an asan build, at repl_extop.c:486
And review shows that the code is suspicious.

Issue: [5652](https://github.com/389ds/389-ds-base/issues/5652)
Reviewed by: @mreynolds389

- - - - -

0235b062 by Mark Reynolds at 2023-02-13T11:46:02-05:00
Issue 5653 - covscan - fix invalid dereference

Description:
389-ds-base-2.2.4/ldap/servers/slapd/tools/dbscan.c:1111: var_deref_model: Passing null pointer "dump" to "fclose", which dereferences it.
389-ds-base-2.2.4/ldap/servers/slapd/result.c:2022: check_after_deref: Null-checking "op" suggests that it may be null, but it has already been dereferenced on all paths leading to the check.
389-ds-base-2.2.4/ldap/servers/slapd/result.c:2019: var_deref_model: Passing null pointer "op" to "operation_is_flag_set", which dereferences it.

relates: https://github.com/389ds/389-ds-base/issues/5653
Reviewed by: jchapman(Thanks!)

- - - - -

8a14402f by Mark Reynolds at 2023-02-13T11:50:12-05:00
Issue 5658 - CLI - unable to add attribute with matching rule

Description: dsconf incorrectly allows for multiple matching rules of the same type (equality, substr, etc). This causes python-ldap to get upset and error out. Change arguments to only allow one matching rule per type.

relates: https://github.com/389ds/389-ds-base/issues/5658
Reviewed by: progier(Thanks!)

- - - - -

db7be9fb by progier389 at 2023-02-14T13:34:10+01:00
issue 5647 - covscan: memory leak in audit log when adding entries (#5650)

covscan reported an issue about the "vals" variable in auditlog.c:231 and indeed a charray_free is missing.

Issue: 5647
Reviewed by: @mreynolds389, @droideck

- - - - -

4a9bd39f by Mark Reynolds at 2023-02-14T08:10:47-05:00
Issue 5640 - Update logconv for new logging format

Description: Some of the "closed" messages in the access log are now mixed case, and logconv should be able to process them.

relates: https://github.com/389ds/389-ds-base/issues/5640
Reviewed by: jchapman & tbordaz (Thanks!!)

- - - - -

4caf70ca by Mark Reynolds at 2023-02-14T13:51:23-05:00
Issue 5646 - CLI/UI - do not hardcode password storage schemes

Description: Previously all the password storage schemes were hardcoded in the UI. Now dsconf can list all the current schemes the server supports

relates: https://github.com/389ds/389-ds-base/issues/5636
Reviewed by: spichugi(Thanks!)

- - - - -

901316e5 by Mark Reynolds at 2023-02-14T13:55:12-05:00
Issue 5630 - CLI - need to add logging filter for stdout

Description: A logging filter was added for stderr, and we now need one for stdout, otherwise we are getting duplicate output from cli tools

relates: https://github.com/389ds/389-ds-base/issues/5630
Reviewed by: spichugi(Thanks!)

- - - - -

c0e2f684 by Viktor Ashirov at 2023-02-14T20:57:10+01:00
Issue 5642 - Build fails against setuptools 67.0.0

Bug Description: `setuptools` 67.0.0 vendors `packaging` 23.0 which dropped `LegacyVersion`.

Fix Description: Replace `LegacyVersion` with `DSVersion` to compare version strings that are not compatible with PEP 440 and PEP 508.

Reviewed by: @mreynolds389, @progier389
Fixes: https://github.com/389ds/389-ds-base/issues/5642

- - - - -

c69f2691 by Mark Reynolds at 2023-02-16T20:04:12-05:00
Issue 5162 - Lib389 - verify certificate type before adding

Description: Verify that when importing a certificate it is the correct type. Also cleanup temporary certs that are created when processing a bundle of certs in a PEM file.

relates: https://github.com/389ds/389-ds-base/issues/5162
Reviewed by: spichugi(Thanks!)

- - - - -

fd6b417f by progier389 at 2023-02-20T16:14:05+01:00
Issue 5647 - Fix unused variable warning from previous commit (#5670)

* issue 5647 - memory leak in audit log when adding entries
* Issue 5647 - Fix unused variable warning from previous commit

- - - - -

11c5a0e5 by Mark Reynolds at 2023-02-20T10:24:37-05:00
Issue 5567 - CLI - make ldifgen use the same default ldif name for all options

Description: For consistency just use the server's ldif directory for all the default ldif locations

relates: https://github.com/389ds/389-ds-base/issues/5667
Reviewed by: vashirov(Thanks!)
- - - - -

79214f5b by Mark Reynolds at 2023-02-20T10:46:26-05:00
Issue 5666 - CLI - Add timeout parameter for tasks

Description: Add a timeout argument for all dsconf tasks

relates: https://github.com/389ds/389-ds-base/issues/5666
Reviewed by: spichugi & jchapman(Thanks!!)

- - - - -

c70918d1 by Mark Reynolds at 2023-02-20T13:21:13-05:00
Issue 5267 - CI - Fix issues with nsslapd-return-original-entrydn

Description: Fix CI test to properly set nsslapd-return-original-entrydn and to restart the server after changing the config setting.

relates: https://github.com/389ds/389-ds-base/issues/5267
Reviewed by: vashirov(Thanks!)

- - - - -

d7e64128 by James Chapman at 2023-02-21T15:14:08+00:00
Issue 5671 - covscan - clang warning (#5672)

Description: covscan reported CLANG_WARNING

relates: https://github.com/389ds/389-ds-base/issues/5671
Reviewed by: @progier389 (Thank you)

- - - - -

a4c4e4ec by tbordaz at 2023-02-22T15:06:52+01:00
Issue 5598 - In 2.x, SRCH throughput drops by 10% because of handling of referral (#5604)

Bug description: A part of the fix #5170 appends '(objectclass=referral)' to the original filter (in subtree scope) in order to conform to smart referral support https://www.ietf.org/rfc/rfc3296.txt
This triggers a drop on SRCH throughput (10%).
#5598 limits the cases when '(objectclass=referral)' is added
- Most of the time a server does not contain smart referrals. So most of the time it is useless to add that subfilter
- It should not be added for internal searches

Fix description: A mechanism periodically (each 30s) checks if there are smart referral entries (referral_check) under each backend. Note that if a smart referral is present in a subsuffix, the parent suffix inherits the referral flag.
When a smart referral is detected or no more smart referral is detected it logs an information message.
During a direct subtree search, 'objectclass=referral' is appended on the condition that at least one referral exists under the backend.

relates: #5598
Reviewed by: Mark Reynolds, Pierre Rogier, William Brown (Thanks)

- - - - -

e97cb61d by Mark Reynolds at 2023-02-22T12:03:21-05:00
Issue 5162 - CI - fix error message for invalid pem file

Description: With recent changes to certificate validation the error message has changed and the CI needs to be updated.

relates: https://github.com/389ds/389-ds-base/issues/5162
Reviewed by: spichugi(Thanks!)

- - - - -

b110f3bf by Mark Reynolds at 2023-02-23T14:29:33-05:00
Issue 5640 - Update logconv for new logging format

Description: Some of the "closed" messages have been replaced by "disconnect". The tool needs to handle these changes

relates: https://github.com/389ds/389-ds-base/issues/5640
Reviewed by: spichugi(Thanks!)

- - - - -

bff3167c by Mark Reynolds at 2023-02-27T11:12:00-05:00
Issue 5600 - buffer overflow when enabling sync repl plugin when dynamic plugins is enabled

Description: Our factory extension code was not designed to work with dynamic plugins. It assumes all extensions are registered at startup. If extensions are added after startup (when dynamic plugins is enabled) then this breaks. The fix is to keep track of how many extensions were allocated per object, instead of relying on the global extension count.

Patch written by Pierre Rogier - thanks!

relates: https://github.com/389ds/389-ds-base/issues/5600
Reviewed by: jachapman (Thanks!)

- - - - -

ae003cdb by Mark Reynolds at 2023-02-27T16:38:22-05:00
Issue 3604 - UI - Add support for Subject Alternative Names in CSR

Description: Add support for SAN in the UI. Update CLI to also provide SAN info when listing CSR. Updated UI to list SAN in CSR Table

relates: https://github.com/389ds/389-ds-base/issues/3604
Reviewed by: spichugi(Thanks!)

- - - - -

5d26020e by Vladimir Cech at 2023-03-01T09:55:00+01:00
Issue 4758 - Add tests for WebUI

Description: Added WebUI test for replication tab.
Relates: https://github.com/389ds/389-ds-base/issues/4758 Reviewed by: @bsimonova - - - - - a511f018 by Mark Reynolds at 2023-03-01T14:10:39-05:00 Issue 4583 - Update specfile to skip checks of ASAN builds Description: Need to skip check for ASAN builds otherwise builds never complete relates: https://github.com/389ds/389-ds-base/issues/5683 Reviewed by: spichugi(Thanks!) - - - - - 9000a256 by Barbora Simonova at 2023-03-02T10:28:25+01:00 Issue 5554 - Add more tests to security_basic_test suite Description: Add test for TCP_ERROR maxbersize B2 scenario. Relates: https://github.com/389ds/389-ds-base/issues/5554 Reviewed by: @droideck, @mreynolds389, @vashirov (Thanks!) - - - - - 5a755180 by progier389 at 2023-03-02T17:34:21+01:00 Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV (#5676) * Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV * Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV - Use readonly iteration on bdb should be txn less * Issue 5661 - LMDB hangs while Rebuilding the replication changelog RUV - Added a comment Problem: Tests that: rebuilding the changelog RUV perform changelog trimming (i.e any test that are long enough) purge a Replica ID in the changelog (i.e demote a supplier/ cleanruv) Are hanging on lmdb until killed by the timeout because the changelog iterator loops on first entry. Reason: It is due to a difference in the way bdb and lmdb cusor get works when it is the first cursor operation and no key is provided. (bdb returns first key while lmdb fails). Because of that db-mdb layers use MDB_FIRST when no key is provided. 
Solution: Add a new dbimpl function that iterates over a cursor, calling a callback with key and value for all the records (until either the end of the database or the callback says to stop). This is more efficient than the current code that walks the cursor through the dbimpl API at the replication plugin level, because it avoids the dbimpl API overhead (especially in the lmdb case); furthermore it allows to easily handle the db's specificity.

Fixed the changelog RUVs rebuild to walk the changelog (using the new dbimpl function) only once instead of twice (collecting min and max for all replica ids, then building both standard and purge ruv from these data).

Fixed the changelog trimming code to use the new changelog iterator; also fixed the way the purge ruv gets updated (using now the first csn in the changelog (for the replicas whose csn get removed) instead of the last removed csn).

Fixed the changelog rid purge code to use the new changelog iterator.

Note: The changelog replication replay iterator is not impacted by this bug and is not changed.

Also fixed a regression related to the addition of timeout in the test topology (m1h1c1 topology is slightly different from the older version and is having a hub->supplier agreement which is making some test fail. Fixed that topology to remove that agreement.)

Issue: #5661
Reviewed by: @tbordaz (Thanks!)

- - - - -

8483d60d by Mark Reynolds at 2023-03-06T07:29:55-05:00
Issue 5687 - UI - sensitive information disclosure
Bug Description: In several places either the clear text password or the password hash can be read by unprivileged users.
Fix Description: When processing user entries do not attempt to decode userpassword. When setting the password for chaining or replication agreements/repl manager, write the password to a temporary file that can be passed to the CLI. Also, improved user add wizard allowing to search attributes.
relates: https://github.com/389ds/389-ds-base/issues/5687
Reviewed by: spichugi & vashirov (Thanks!!)
- - - - -

8654301b by tbordaz at 2023-03-08T15:40:29+01:00
Issue 5598 - (2nd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5691)
Bug description: The first fix 5598 introduces/reveals a leak. My initial understanding of SLAPI_SEARCH_FILTER and SLAPI_SEARCH_FILTER_INTENDED was wrong. Without referral, they are identical (referring to the same filter). In case of referral, SLAPI_SEARCH_FILTER is a crafted one that *includes* the original (SLAPI_SEARCH_FILTER_INTENDED).
Fix description: If there is no referral, SLAPI_SEARCH_FILTER_INTENDED and SLAPI_SEARCH_FILTER are just identical.
relates: #5598
Reviewed by: Mark Reynolds, Pierre Rogier(thanks)

- - - - -

dc565fda by tbordaz at 2023-03-09T16:50:34+01:00
Issue 5598 - (3rd) In 2.x, SRCH throughput drops by 10% because of handling of referral (#5692)
Bug description: The first fix 5598 logs a single and useless message (INFO) when configuring a backend/mapping tree:
"INFO - slapd_daemon - New referral entries are detected under dc=example,dc=com (returned to SRCH req)"
The reason is that it checks referral (internal search) at the backend level. This is called at startup and config. Upon config it should not be called because backend/mapping tree are not ready for internal search.
Fix description: Moving the test from ldbm_instance_start(backend) to startup ldbm_instance_startall (after slapi_mtn_be_started)
relates: #5598
Reviewed by: Mark Reynolds (thanks)

- - - - -

c18a14d9 by dependabot[bot] at 2023-03-15T16:58:03-07:00
Bump webpack from 5.75.0 to 5.76.0 in /src/cockpit/389-console (#5699)
Bumps [webpack](https://github.com/webpack/webpack) from 5.75.0 to 5.76.0.
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](https://github.com/webpack/webpack/compare/v5.75.0...v5.76.0)

---
updated-dependencies:
- dependency-name: webpack
  dependency-type: direct:development
...
Signed-off-by: dependabot[bot] <support at github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

- - - - -

13a0ffd7 by James Chapman at 2023-03-20T10:27:39+00:00
Issue 4812 - Listener thread does not scale with a high num of established connections (#5681)
Description: Adding num listeners config option, some tidy up
relates: https://github.com/389ds/389-ds-base/issues/4812
Reviewed by: tbordaz, Firstyear, progier389, mreynolds389, droideck (Thank you)

- - - - -

5e4551e9 by James Chapman at 2023-03-20T23:19:08+00:00
Issue 4812 - Listener thread does not scale with a high num of established connections (#5706)
Bug description: Latest commit introduced zero alloc bug.
Fix description: A memory allocation is attempted before the required size is known. Introduced during rework.
relates: https://github.com/389ds/389-ds-base/issues/4812
Reviewed by: @mreynolds389 (Thank you)

- - - - -

5f1dc41e by Mark Reynolds at 2023-03-22T09:04:01-04:00
Issue 1081 - Stop schema replication from overwriting x-origin
Bug Description: During schema replication all attributes/objectclasses were rewritten as "user defined" on the consumer. This was happening because we treated all schema updates, regardless of the origin, as new "custom" schema.
Fix Description: If a schema update is a replicated operation do not check/adjust x_origin value.
relates: https://github.com/389ds/389-ds-base/issues/1081
Reviewed by: progier(Thanks!)

- - - - -

7c36748c by Simon Pichugin at 2023-03-22T18:28:37-07:00
Issue 5697 - Obsolete nsslapd-ldapimaprootdn attribute (#5698)
Description: LDAPI code uses nsslapd-ldapimaprootdn to map Unix root entry to a Root DN entry. It usually has the same value as nsslapd-rootdn. Changing one attribute but not changing the other leads to a non-functional autobind configuration that breaks dsconf and WebUI. LDAPI code should use nsslapd-rootdn value instead of having two separate entries that should be kept in sync.
This should make changing Root DN simpler and without fear that it will break dsconf or WebUI access.
Fixes: https://github.com/389ds/389-ds-base/issues/5697
Reviewed by: @mreynolds389 (Thanks!)

- - - - -

eab4eefb by tbordaz at 2023-03-28T10:27:01+02:00
Issue 5710 - subtree search statistics for index lookup does not report ancestorid/entryrdn lookups (#5711)
Bug description: The RFE #3729 allows to collect index lookups per search operation. For subtree searches the server looks up ancestorid and those lookups are not recorded.
Fix description: if statistics are enabled, record ancestorid lookup
relates: #5710
Reviewed by: Mark Reynolds (thanks)

- - - - -

a5617fcd by dependabot[bot] at 2023-03-29T16:52:57-07:00
Bump openssl from 0.10.45 to 0.10.48 in /src (#5709)
Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.45 to 0.10.48.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](https://github.com/sfackler/rust-openssl/compare/openssl-v0.10.45...openssl-v0.10.48)

---
updated-dependencies:
- dependency-name: openssl
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support at github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

- - - - -

ad0ec0cd by Simon Pichugin at 2023-03-30T19:57:18-07:00
Issue 5701 - CLI - Fix referral mode setting (#5708)
Bug Description: Referral mode not working and failing with error:
ERROR: Error: 103 - 10 - 53 - Server is unwilling to perform - [] - need to set nsslapd-referral
It happens because in CLI, we set nsslapd-referral to the backend when it should be set to "cn=mapping tree".
Fix description: Set the attribute to the correct object. Add get_state and set_state custom functions to BackendSuffixView. Fix minor typos.
Fixes: https://github.com/389ds/389-ds-base/issues/5701
Reviewed by: @tbordaz, @mreynolds389, @progier389 (Thanks!)

- - - - -

fc34eec5 by Mark Reynolds at 2023-03-31T11:12:34-04:00
Issue 5714 - UI - fix typo, db settings, log settings, and LDAP editor paginations
Description:
- DB settings "Look Through Limit" was misspelled, and the "+" increment button was not working
- Configuring logs would not correctly enable/disable the save button
- LDAP Browser - Pagination was not working correctly when you search for attributes/objectclasses. We were also missing some "search" inputs for attributes in some of the forms.
relates: https://github.com/389ds/389-ds-base/issues/5714
Reviewed by: spichugi(Thanks!)

- - - - -

7743b386 by James Chapman at 2023-04-11T11:41:17+00:00
Issue 5705 - Add config parameter to close client conns on failed bind (#5712)
Description: Malformed applications that ignore BIND return code can load the server with unnecessary requests
Fix description: Add a config option that will allow the closure of a client connection from server side when a BIND is failing.
relates: https://github.com/389ds/389-ds-base/issues/5707
Reviewed by: @droideck (Thank you)

- - - - -

85ab1bc4 by James Chapman at 2023-04-11T11:52:01+00:00
Issue 5718 - Memory leak in connection table (#5719)
Bug description: duplicate multiple mem allocation cause leak
Fix description: remove duplicate allocation
Fixes: https://github.com/389ds/389-ds-base/issues/5718
Reviewed by: @Firstyear (Thank you)

- - - - -

f0c804b0 by tbordaz at 2023-04-17T15:32:34+02:00
Issue 5726 - ns-slapd crashing in ldbm_back_upgradednformat (#5727)
Bug description: With LDBM / BDB separation, LDBM functions like upgradednformat need to initialize ldbminfo
Fix description: call dblayer_setup in upgradednformat
relates: #5726
Reviewed by: Simon Pichugin (Thanks)

- - - - -

c4b939b6 by Mark Reynolds at 2023-04-25T15:10:29-04:00
Bump version to 2.3.3

- - - - -

27d38991 by Mark Reynolds at 2023-04-28T08:22:01-04:00
Issue - Copy config files into backup directory
Description: Copy dse.ldif, schema files, certmap.conf, slapd-collations, and NSS files into the backup. These files are not restored during a bak2db, so they must be manually restored (if needed)
relates: https://github.com/389ds/389-ds-base/issues/2562
Reviewed by: firstyear, spichugi, progier, and tbordaz (Thanks!!!!)

- - - - -

c0382a44 by Mark Reynolds at 2023-05-04T14:58:01-04:00
Issue 5749 - RFE - Allow Account Policy Plugin to handle inactivity and expiration at the same time
Description: Currently Account Policy Plugin has a state attribute and alternate state attribute. If the main state attribute is NOT present in the entry then it falls back to the alternate state attribute. This RFE adds a new setting that tells the plugin to check both state attributes. The purpose of this is for expiration and inactivity, so this is meant to be used when the alternate state attribute is 'passwordExpirationtime'. So if the main state attribute is OK, it will then check the alternate state attribute for inactivity.
relates: https://github.com/389ds/389-ds-base/issues/5749
Reviewed by: tbordaz & spichugi(Thanks!!)

- - - - -

882a27da by Mark Reynolds at 2023-05-08T08:30:34-04:00
Issue 5738 - RFE - UI - Read/write replication monitor info to .dsrc file
Description: Allow UI to use the .dsrc replication monitor info, and also allow the UI to write new report configurations. This prevents an admin from having to enter this information every time they want to run a report
relates: https://github.com/389ds/389-ds-base/issues/5738
Reviewed by: spichugi(Thanks!)

- - - - -

148ad351 by tbordaz at 2023-05-09T08:53:40+02:00
Issue 5704 - crash in sync_refresh_initial_content (#5720)
Bug description: If the last record of the changelog is not accessible then the session record is NULL. It crashes the server when it is dereferenced. I failed to reproduce it, including disabling/removing 'cn=changelog' backend/mapping tree. So I guess it happens during rare dynamic.
Fix description: Return a failure when the session cookie is not initialized
relates: #5704
Reviewed by: Mark Reynolds (Thanks)

- - - - -

13e66bfa by Firstyear at 2023-05-10T16:26:34+02:00
Issue 5052 - BUG - Custom filters prevented entry deletion (#5060)
Bug Description: When a custom filter was provided, entries which were deleted in AD did not have that event correctly reflected in 389-ds. This was due to the behaviour that when an entry in AD is deleted, it is marked with a "deleted" flag which the objectClass=* filter would (accidentally) collect when it did a search. However, a custom user filter being specified would in some cases (such as a memberOf filter) NOT show up the deletion since the entry was considered to have moved out of scope rather than being a full delete.
Fix Description: In the case that we have a userfilter, we wrap it in an OR condition that always requests isDeleted flags so that we can correctly reflect the delete status.
fixes: https://github.com/389ds/389-ds-base/issues/5052
Author: William Brown <william at blackhats.net.au>
Review by: @mreynolds389 @tbordaz

- - - - -

9c05f2e4 by Mark Reynolds at 2023-05-11T08:18:05-04:00
Issue 152 - RFE - Add support for LDAP alias entries
Description: Per RFC rfc4512#section-2.6 add support for Alias Entries. Currently this is only designed to work with "base" searches. Thanks to @anilech for the code contribution!!!
relates: https://github.com/389ds/389-ds-base/issues/152
Reviewed by: spichugi, tbordaz, and progier(Thanks!!!)

- - - - -

2a27121f by James Chapman at 2023-05-11T16:05:33-04:00
Issue 5643 - Memory leak in entryrdn during delete (#5717)
Bug description: Failure to delete temp key buffer
Fix description: Delete temp key buffer on exit
Fixes: https://github.com/389ds/389-ds-base/issues/5643
Reviewed by: @mreynolds389 (Thank you)

- - - - -

dfa4e810 by Mark Reynolds at 2023-05-16T11:28:34-04:00
Issue 5765 - Improve installer selinux handling
Description: When labeling ports we retry on error, and we should do the same when labeling files
relates: https://github.com/389ds/389-ds-base/issues/5765
Reviewed by: ?

- - - - -

c0076d02 by Mark Reynolds at 2023-05-18T09:11:46-04:00
Issue 5768 - CLI/UI - cert checks are too strict, and other issues
Description: The certificate type checks for CA/server break if there are no certificate extensions set (use openssl in that case to gather the info instead). dscontainer needed to be updated for new cert checks, and UI adding certs improvements.
relates: https://github.com/389ds/389-ds-base/issues/5768
Reviewed by: spichugi(Thanks!)

- - - - -

71d5fbec by Mark Reynolds at 2023-05-18T09:17:23-04:00
Issue 5770 - RFE - Extend Password Administrators to allow skipping password info updates
Description: Add new config setting to state that password admin updates should not update entry's password state attributes.
relates: https://github.com/389ds/389-ds-base/issues/5770
Reviewed by: progier, tbordaz, spichugi (Thanks!)

- - - - -

c7d4f688 by James Chapman at 2023-05-18T10:40:23-04:00
Issue 5752 - RFE - Provide a history for LastLoginTime (#5753)
Description: When a user did a successful bind, the "LastLoginTime" attribute is updated. We have now a request from our security department to display the user's last successful bind before the current one. When we just read out this attribute the value is already updated, so that the user did not see his real last successful login; in fact he sees the current login date and time.
Fix description: Create a new Account Policy attribute to store the login time stamps for a successful bind.
relates: https://github.com/389ds/389-ds-base/issues/5752
Reviewed by: @droideck (Thank you)

- - - - -

aa50e5bb by Mark Reynolds at 2023-05-18T10:43:07-04:00
Bump version to 2.3.4

- - - - -

30 changed files:

- .github/workflows/compile.yml
- + .github/workflows/lmdbpytest.yml
- .github/workflows/pytest.yml
- .github/workflows/release.yml
- Makefile.am
- VERSION.sh
- configure.ac
- dirsrvtests/check_for_duplicate_ids.py
- dirsrvtests/conftest.py
- dirsrvtests/create_test.py
- dirsrvtests/testimony.yaml
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=module{0}.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={0}core.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={2}inetorgperson.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={3}rfc2307bis.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/cn=schema/cn={4}yast.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={-1}frontend.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={0}config.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={1}mdb.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={0}memberof.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={1}unique.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/slapd.d/cn=config/olcDatabase={1}mdb/olcOverlay={2}refint.ldif
- + dirsrvtests/tests/data/openldap_2_389/saslauthd/suffix.ldif
- dirsrvtests/tests/stress/reliabilty/reliab_conn_test.py
- dirsrvtests/tests/stress/replication/mmr_01_4m-2h-4c_test.py
- dirsrvtests/tests/stress/replication/mmr_01_4m_test.py
- dirsrvtests/tests/suites/acl/globalgroup_test.py

The diff was not included because it is too large.

View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/d20b91b26a782222074c3d0b0757be6b79e06d26...aa50e5bbf1fde22bcf6cad5a192edad306ef1f40

-- 
You're receiving this email because of your account on salsa.debian.org.

From tjaalton at debian.org Mon Jun 12 08:55:37 2023
From: tjaalton at debian.org (Timo Aaltonen)
Date: Mon, 12 Jun 2023 10:55:37 +0300
Subject: [Pkg-freeipa-devel] Bug#1037345: Bug#1037345: 389-ds-base: ftbfs with rust-base64 0.21
Message-ID: <9496d9e5-f3ca-0077-d554-528f7563808f@debian.org>

plugwash wrote on 11.6.2023 at 22.29:
> Package: 389-ds-base
> Version: 2.3.1+dfsg1-1
> Tags: trixie, sid, ftbfs
>
> 389-ds-base FTBFS with the new version of rust-base64.
>
> I attach a patch which makes the package build, and also fixes some
> packaging annoyances. I have not tested it beyond that. I may or may not
> NMU this later.

merged thanks, but not uploaded as there seem to be other issues now with the dependencies being unable to install at least on my sbuilder

-- 
t

From noreply at release.debian.org Tue Jun 13 05:39:17 2023
From: noreply at release.debian.org (Debian testing autoremoval watch)
Date: Tue, 13 Jun 2023 04:39:17 +0000
Subject: [Pkg-freeipa-devel] 389-ds-base is marked for autoremoval from testing

389-ds-base 2.3.1+dfsg1-1 is marked for autoremoval from testing on 2023-07-11

It (build-)depends on packages with these RC bugs:
1034369: libcereal: autopkgtest regression on non x86: cc1plus: all warnings being treated as errors
https://bugs.debian.org/1034369

This mail is generated by: https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl
Autoremoval data is generated by: https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl

From noreply at release.debian.org Tue Jun 13 05:39:19 2023
From: noreply at release.debian.org (Debian testing watch)
Date: Tue, 13 Jun 2023 04:39:19 +0000
Subject: [Pkg-freeipa-devel] freeipa 4.9.11-2 MIGRATED to testing

FYI: The status of the freeipa source package in Debian's testing distribution has changed.

Previous version: 4.9.11-1
Current version: 4.9.11-2

-- 
This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See https://release.debian.org/testing-watch/ for more information.

From noreply at release.debian.org Tue Jun 13 05:39:20 2023
From: noreply at release.debian.org (Debian testing autoremoval watch)
Date: Tue, 13 Jun 2023 04:39:20 +0000
Subject: [Pkg-freeipa-devel] slapi-nis is marked for autoremoval from testing

slapi-nis 0.60.0-1 is marked for autoremoval from testing on 2023-07-11

It (build-)depends on packages with these RC bugs:
1034369: libcereal: autopkgtest regression on non x86: cc1plus: all warnings being treated as errors
https://bugs.debian.org/1034369

This mail is generated by: https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl
Autoremoval data is generated by: https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl

From doko at debian.org Wed Jun 14 10:29:09 2023
From: doko at debian.org (Matthias Klose)
Date: Wed, 14 Jun 2023 09:29:09 +0000
Subject: [Pkg-freeipa-devel] Bug#1037792: nss-pem: ftbfs with GCC-13

Package: src:nss-pem
Version: 1.0.8+1-1
Severity: normal
Tags: sid trixie
User: debian-gcc at lists.debian.org
Usertags: ftbfs-gcc-13

[This bug is targeted to the upcoming trixie release]

Please keep this issue open in the bug tracker for the package it was filed for. If a fix in another package is required, please file a bug for the other package (or clone), and add a block in this package. Please keep the issue open until the package can be built in a follow-up test rebuild.

The package fails to build in a test rebuild on at least amd64 with gcc-13/g++-13, but succeeds to build with gcc-12/g++-12. The severity of this report will be raised before the trixie release.

The full build log can be found at:
http://qa-logs.debian.net/2023/05/22/logs/nss-pem_1.0.8+1-1_unstable_gccexp.log
The last lines of the build log are at the end of this report.

To build with GCC 13, either set CC=gcc-13 CXX=g++-13 explicitly, or install the gcc, g++, gfortran, ... packages from experimental.

  apt-get -t=experimental install g++

Common build failures are new warnings resulting in build failures with -Werror turned on, or new/dropped symbols in Debian symbols files. For other C/C++ related build failures see the porting guide at http://gcc.gnu.org/gcc-13/porting_to.html

[...]
make[7]: Leaving directory '/<>/nss/nss/lib/pkcs7'
make[7]: Entering directory '/<>/nss/nss/lib/smime'
-fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss cmsutil.c cc -o OBJS/smimemessage.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. -fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss smimemessage.c cc -o OBJS/smimeutil.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. 
-fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss smimeutil.c cc -o OBJS/smimever.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. -fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss smimever.c rm -f OBJS/libsmime.a ar cr OBJS/libsmime.a OBJS/cmsarray.o OBJS/cmsasn1.o OBJS/cmsattr.o OBJS/cmscinfo.o OBJS/cmscipher.o OBJS/cmsdecode.o OBJS/cmsdigdata.o OBJS/cmsdigest.o OBJS/cmsencdata.o OBJS/cmsencode.o OBJS/cmsenvdata.o OBJS/cmsmessage.o OBJS/cmspubkey.o OBJS/cmsrecinfo.o OBJS/cmsreclist.o OBJS/cmssigdata.o OBJS/cmssiginfo.o OBJS/cmsudf.o OBJS/cmsutil.o OBJS/smimemessage.o OBJS/smimeutil.o OBJS/smimever.o echo OBJS/libsmime.a OBJS/libsmime.a grep -v ';-' smime.def | sed -e 's,;+,,' -e 's; DATA ;;' -e 
's,;;,,' -e 's,;.*,;,' > OBJS/smime.def rm -f OBJS/libsmime3.so cc -shared -Wl,-z,relro -Wl,-z,now -L../nss/dist/lib/ -L../nss/dist/lib/ -m64 -Wl,-z,defs -Wl,-soname -Wl,libsmime3.so -Wl,--version-script,OBJS/smime.def -o OBJS/libsmime3.so OBJS/cmsarray.o OBJS/cmsasn1.o OBJS/cmsattr.o OBJS/cmscinfo.o OBJS/cmscipher.o OBJS/cmsdecode.o OBJS/cmsdigdata.o OBJS/cmsdigest.o OBJS/cmsencdata.o OBJS/cmsencode.o OBJS/cmsenvdata.o OBJS/cmsmessage.o OBJS/cmspubkey.o OBJS/cmsrecinfo.o OBJS/cmsreclist.o OBJS/cmssigdata.o OBJS/cmssiginfo.o OBJS/cmsudf.o OBJS/cmsutil.o OBJS/smimemessage.o OBJS/smimeutil.o OBJS/smimever.o ../pkcs12/OBJS/p12local.o ../pkcs12/OBJS/p12creat.o ../pkcs12/OBJS/p12dec.o ../pkcs12/OBJS/p12plcy.o ../pkcs12/OBJS/p12tmpl.o ../pkcs12/OBJS/p12e.o ../pkcs12/OBJS/p12d.o ../pkcs7/OBJS/certread.o ../pkcs7/OBJS/p7common.o ../pkcs7/OBJS/p7create.o ../pkcs7/OBJS/p7decode.o ../pkcs7/OBJS/p7encode.o ../pkcs7/OBJS/p7local.o ../pkcs7/OBJS/secmime.o -L/<>/nss/dist/lib -lnss3 -L/<>/nss/dist/lib -lnssutil3 -L/usr/lib/x86_64-linux-gnu -lplc4 -lplds4 -lnspr4 -lpthread -ldl -lc chmod +x OBJS/libsmime3.so ../../coreconf/nsinstall/OBJS/nsinstall -R -m 664 OBJS/libsmime.a /<>/nss/dist/lib ../../coreconf/nsinstall/OBJS/nsinstall -R -m 775 OBJS/libsmime3.so /<>/nss/dist/lib make[7]: Leaving directory '/<>/nss/nss/lib/smime' make[7]: Entering directory '/<>/nss/nss/lib/ssl' cc -o OBJS/authcert.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. 
-fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss authcert.c cc -o OBJS/cmpcert.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. -fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss cmpcert.c cc -o OBJS/dtls13con.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. 
-fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss dtls13con.c cc -o OBJS/dtlscon.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. -fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss dtlscon.c cc -o OBJS/prelib.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. 
-fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss prelib.c cc -o OBJS/selfencrypt.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. -fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss selfencrypt.c cc -o OBJS/ssl3con.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. 
-fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss ssl3con.c cc -o OBJS/ssl3ecc.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. -fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss ssl3ecc.c cc -o OBJS/ssl3ext.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. 
-fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss ssl3ext.c
cc -o OBJS/ssl3exthandle.o -c -std=c99 -g -O2 -ffile-prefix-map=/<>/nss=. -fstack-protector-strong -Wformat -Werror=format-security -I../nss/dist/private/nss -I../nss/dist/private/nss -Wall -pipe -Wdate-time -D_FORTIFY_SOURCE=2 -fPIC -m64 -pipe -ffunction-sections -fdata-sections -DHAVE_STRERROR -DLINUX -Dlinux -Wall -Wshadow -Werror -DXP_UNIX -DXP_UNIX -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -UDEBUG -DNDEBUG -D_DEFAULT_SOURCE -D_BSD_SOURCE -D_POSIX_SOURCE -DSDB_MEASURE_USE_TEMP_DIR -D_REENTRANT -DNSS_NO_INIT_SUPPORT -DUSE_UTIL_DIRECTLY -DNO_NSPR_10_SUPPORT -DSSL_DISABLE_DEPRECATED_CIPHER_SUITE_NAMES -I/usr/include/nspr -I/<>/nss/dist/include -I/<>/nss/dist/public/nss -I/<>/nss/dist/private/nss ssl3exthandle.c
ssl3exthandle.c:205:1: error: conflicting types for ‘ssl3_ClientSendSessionTicketXtn’ due to enum/integer mismatch; have ‘PRInt32(const sslSocket *, TLSExtensionData *, sslBuffer *, PRBool *)’ {aka ‘int(const struct sslSocketStr *, struct TLSExtensionDataStr *, struct sslBufferStr *, int *)’} [-Werror=enum-int-mismatch]
  205 | ssl3_ClientSendSessionTicketXtn(const sslSocket *ss, TLSExtensionData *xtnData,
      | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ssl3exthandle.c:17:
ssl3exthandle.h:116:11: note: previous declaration of ‘ssl3_ClientSendSessionTicketXtn’ with type ‘SECStatus(const sslSocket *, TLSExtensionData *, sslBuffer *, PRBool *)’ {aka ‘enum _SECStatus(const struct sslSocketStr *, struct TLSExtensionDataStr *, struct sslBufferStr *, int *)’}
  116 | SECStatus ssl3_ClientSendSessionTicketXtn(const sslSocket *ss,
      |           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
make[7]: *** [../../coreconf/rules.mk:292: OBJS/ssl3exthandle.o] Error 1
make[7]: Leaving directory '/<>/nss/nss/lib/ssl'
make[6]: *** [../coreconf/rules.mk:44: ssl] Error 2
make[6]: Leaving directory '/<>/nss/nss/lib'
make[5]: *** [coreconf/rules.mk:44: lib] Error 2
make[5]: Leaving directory '/<>/nss/nss'
make[4]: *** [manifest.mn:21: all] Error 2
make[4]: Leaving directory '/<>/nss/nss'
make[3]: *** [debian/rules:112: override_dh_auto_build] Error 2
make[3]: Leaving directory '/<>/nss'
make[2]: *** [debian/rules:197: build] Error 2
make[2]: Leaving directory '/<>/nss'
make[1]: *** [debian/rules:21: override_dh_auto_build] Error 2
make[1]: Leaving directory '/<>'
make: *** [debian/rules:12: build] Error 2
dpkg-buildpackage: error: debian/rules build subprocess returned exit status 2
From gitlab at salsa.debian.org Mon Jun 19 17:14:41 2023
From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton)) Date: Mon, 19 Jun 2023 16:14:41 +0000 Subject: [Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base][master] 3 commits: close a bug Message-ID: <64907ef150c0a_136f88112eb0742974274@godard.mail> Timo Aaltonen pushed to branch master at FreeIPA packaging / 389-ds-base Commits: f134e575 by Timo Aaltonen at 2023-06-12T10:52:37+03:00 close a bug - - - - - 8461655b by Timo Aaltonen at 2023-06-19T19:11:50+03:00 control: Add dependency on python3-cryptography. - - - - - bdc80aa4 by Timo Aaltonen at 2023-06-19T19:13:52+03:00 releasing package 389-ds-base version 2.3.4+dfsg1-1 - - - - - 2 changed files: - debian/changelog - debian/control Changes: ===================================== debian/changelog ===================================== @@ -1,15 +1,16 @@ -389-ds-base (2.3.4+dfsg1-1) UNRELEASED; urgency=medium +389-ds-base (2.3.4+dfsg1-1) unstable; urgency=medium [ Timo Aaltonen ] * New upstream release. * patches: Drop upstreamed or obsolete patches. + * control: Add dependency on python3-cryptography. [ Peter Michael Green ] * Improve clean target. * Use ln -fs instead of ln -s to allow resuming build after fixing errors. - * Fix build with base64 0.21. + * Fix build with base64 0.21. (Closes: #1037345) - -- Timo Aaltonen Fri, 03 Feb 2023 20:59:10 +0200 + -- Timo Aaltonen Mon, 19 Jun 2023 19:13:30 +0300 389-ds-base (2.3.1+dfsg1-1) unstable; urgency=medium ===================================== debian/control ===================================== @@ -48,6 +48,7 @@ Build-Depends: python3-all-dev, python3-argcomplete, python3-argparse-manpage, + python3-cryptography, python3-dateutil, python3-ldap, python3-packaging, 
@@ -165,6 +166,7 @@ Depends: ${misc:Depends}, ${python3:Depends}, libnss3-tools, openssl, python3-argcomplete, + python3-cryptography, python3-dateutil, python3-ldap, python3-packaging, View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/4baa45ac432a4d8748bd9fac0f6e1ec3d20187aa...bdc80aa4d5937f9cff6d6bb92a5ad71eac8d3229 -- View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/compare/4baa45ac432a4d8748bd9fac0f6e1ec3d20187aa...bdc80aa4d5937f9cff6d6bb92a5ad71eac8d3229 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From gitlab at salsa.debian.org Mon Jun 19 17:14:44 2023 From: gitlab at salsa.debian.org (Timo Aaltonen (@tjaalton)) Date: Mon, 19 Jun 2023 16:14:44 +0000 Subject: [Pkg-freeipa-devel] [Git][freeipa-team/389-ds-base] Pushed new tag debian/2.3.4+dfsg1-1 Message-ID: <64907ef48bb96_136f882b37f4f82974427@godard.mail> Timo Aaltonen pushed new tag debian/2.3.4+dfsg1-1 at FreeIPA packaging / 389-ds-base -- View it on GitLab: https://salsa.debian.org/freeipa-team/389-ds-base/-/tree/debian/2.3.4+dfsg1-1 You're receiving this email because of your account on salsa.debian.org. -------------- next part -------------- An HTML attachment was scrubbed... URL: From ftpmaster at ftp-master.debian.org Mon Jun 19 17:22:34 2023 From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Mon, 19 Jun 2023 16:22:34 +0000 Subject: [Pkg-freeipa-devel] Processing of 389-ds-base_2.3.4+dfsg1-1_source.changes Message-ID: 389-ds-base_2.3.4+dfsg1-1_source.changes uploaded successfully to localhost along with the files: 389-ds-base_2.3.4+dfsg1-1.dsc 389-ds-base_2.3.4+dfsg1.orig.tar.xz 389-ds-base_2.3.4+dfsg1-1.debian.tar.xz 389-ds-base_2.3.4+dfsg1-1_source.buildinfo Greetings, Your Debian queue daemon (running on host usper.debian.org) From ftpmaster at ftp-master.debian.org Mon Jun 19 17:49:17 2023 
From: ftpmaster at ftp-master.debian.org (Debian FTP Masters) Date: Mon, 19 Jun 2023 16:49:17 +0000 Subject: [Pkg-freeipa-devel] 389-ds-base_2.3.4+dfsg1-1_source.changes ACCEPTED into unstable Message-ID: Thank you for your contribution to Debian. Accepted: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Mon, 19 Jun 2023 19:13:30 +0300 Source: 389-ds-base Built-For-Profiles: noudeb Architecture: source Version: 2.3.4+dfsg1-1 Distribution: unstable Urgency: medium Maintainer: Debian FreeIPA Team Changed-By: Timo Aaltonen Closes: 1037345 Changes: 389-ds-base (2.3.4+dfsg1-1) unstable; urgency=medium . [ Timo Aaltonen ] * New upstream release. * patches: Drop upstreamed or obsolete patches. * control: Add dependency on python3-cryptography. . [ Peter Michael Green ] * Improve clean target. * Use ln -fs instead of ln -s to allow resuming build after fixing errors. * Fix build with base64 0.21. (Closes: #1037345) Checksums-Sha1: 9cf65f327ab75ff73af7a52371c0a38a5a803700 3140 389-ds-base_2.3.4+dfsg1-1.dsc 58c15d8dacf468bbd811215f62205088e4b3ecff 4692832 389-ds-base_2.3.4+dfsg1.orig.tar.xz a693311f50280b315b1d5548ea1c4207195e238a 802996 389-ds-base_2.3.4+dfsg1-1.debian.tar.xz aaa1647022e9e455605e88e6269d354583f28936 9501 389-ds-base_2.3.4+dfsg1-1_source.buildinfo Checksums-Sha256: bb5ce91ba6cb1dc244722f72a9795f65f2aa7ab97b2646a0812aba9c6470cf3c 3140 389-ds-base_2.3.4+dfsg1-1.dsc b1cd2278e34630d5dc55f5db8f1ca9acce08df31f9d78399daa5c5942bb7b630 4692832 389-ds-base_2.3.4+dfsg1.orig.tar.xz 4d6596a8f3e61c9d7e56d8a48fe2787bb88a54103ef64d3eb8760fedd1d9a8bf 802996 389-ds-base_2.3.4+dfsg1-1.debian.tar.xz 44e9908de7cbf07430662a650b1338df1b986ab17733583de47772119be510f7 9501 389-ds-base_2.3.4+dfsg1-1_source.buildinfo Files: 7fd496383becc12aa6643bbe9a8c32d5 3140 net optional 389-ds-base_2.3.4+dfsg1-1.dsc e6e2e580aac753277baf914bdecb71fd 4692832 net optional 389-ds-base_2.3.4+dfsg1.orig.tar.xz e346be0514cdf40c12bae3f18c8f0cc3 802996 net optional 
389-ds-base_2.3.4+dfsg1-1.debian.tar.xz 02a4ed1c33d55b2975d480774c9cec90 9501 net optional 389-ds-base_2.3.4+dfsg1-1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEdS3ifE3rFwGbS2Yjy3AxZaiJhNwFAmSQfsUACgkQy3AxZaiJ hNyDvBAAit9enbl4h+6kjz/67zZdOwJCbc/cto9SANhZXUE3TC+IQJ/y3IOQBsYe rtEcmh7lQQeVeBX8rH3oSpaWKp3Wxp/Rdt4TgOSpIrnzLMsD9xOnjX6zDr1hXY4C /Q000e8kuGjBxlaaA5D0UVmjrRFZn4HMOMShQ5IrTSg7+0MWSXYTI48+xAuR4A+v 0f329K90pYrLCpVsi/SxhPXnrfXnDUmsQP8Mr8/p0d9+XIqtpExCdAHREN7PJUuo YGrSmv1aELrBCEPKAUbnAbv9gjTg3sNSVRQ8jK4uJLdQ3wOcFxsm9fKsd9j31SYU q7nqFgitBo8+7/Ecxmc9s9jxY3bdeomprd1GXDBO0c6G16KfSaUKQZ7H3yYV3QPv bUqUf/ldpKaqQM4naSIlOtY/jzCussQjpnK+tIUid/bEvmz59uaeLP0afKWBg5ym L+487saT3ObEkd3mOD0GVIaHyKezhZ79FYcwDH8XbK4qkHK7pLlSqYWGhR4cS5wR KDEPyotta2Idc7NLEHgCSBxkqfb5N4bI4/6QKd4NuqCU07ZGSXQ1r16wG0B78Jet vYpQdUN3WKebh73r6dyuT6XN9xUg+2Rv++l25EsvFn2eXTCVPp7k5GehkxGos6Ko mbSp0y57ryMq8W37ETCzZEw+qdvrG/N78jSxBZAfdh1quAIm9Sw= =xIOG -----END PGP SIGNATURE----- From owner at bugs.debian.org Mon Jun 19 17:51:03 2023 
From: owner at bugs.debian.org (Debian Bug Tracking System) Date: Mon, 19 Jun 2023 16:51:03 +0000 Subject: [Pkg-freeipa-devel] Bug#1037345: marked as done (389-ds-base: ftbfs with rust-base64 0.21) References: Message-ID: Your message dated Mon, 19 Jun 2023 16:49:17 +0000 with message-id and subject line Bug#1037345: fixed in 389-ds-base 2.3.4+dfsg1-1 has caused the Debian Bug report #1037345, regarding 389-ds-base: ftbfs with rust-base64 0.21 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.) -- 1037345: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1037345 Debian Bug Tracking System Contact owner at bugs.debian.org with problems -------------- next part -------------- An embedded message was scrubbed... From: plugwash Subject: 389-ds-base: ftbfs with rust-base64 0.21 Date: Sun, 11 Jun 2023 20:29:48 +0100 Size: 10516 URL: -------------- next part -------------- An embedded message was scrubbed... From: Debian FTP Masters Subject: Bug#1037345: fixed in 389-ds-base 2.3.4+dfsg1-1 Date: Mon, 19 Jun 2023 16:49:17 +0000 Size: 7025 URL: From mpitt at debian.org Fri Jun 23 08:34:27 2023 
From: mpitt at debian.org (Martin Pitt)
Date: Fri, 23 Jun 2023 09:34:27 +0200
Subject: [Pkg-freeipa-devel] Bug#1038925: Leaving IPA domain fails: Some installation state for ntp has not been restored
Message-ID:

Package: freeipa-client
Version: 4.9.11-2

I have freeipa-server listening in my local network, providing a "COCKPIT.LAN" realm (all of these are test VMs). [1]

Initially, on the unjoined machine, chrony is running:

| # systemctl --all|grep -E 'ntp|chrony'
| chrony.service loaded active running chrony, an NTP client/server
| initrd-parse-etc.service loaded inactive dead Mountpoints Configured in the Real Root
| ● ntp.service not-found inactive dead ntp.service
| ● ntpsec.service not-found inactive dead ntpsec.service
| ● openntpd.service not-found inactive dead openntpd.service

This isn't my preference (timesyncd), but FreeIPA only really works with chronyd, and Recommends: it, so there isn't really much choice.

Joining the domain with

| echo admin-password | ipa-client-install --unattended --principal admin -W

works fine [2], even though it shows a warning about NTP, which is a bit weird, as there is no running ntpd (just chrony). After joining, chrony/ntp status is still the same as above.

However, leaving the domain again with `ipa-client-install --uninstall --unattended` fails:

| Unenrolling client from IPA server
| Removing Kerberos service principals from /etc/krb5.keytab
| Disabling client Kerberos and LDAP configurations
| Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
| Restoring client configuration files
| Unconfiguring the NIS domain.
| nscd daemon is not installed, skip configuration
| nslcd daemon is not installed, skip configuration
| Some installation state for ntp has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state
| Some installation state has not been restored.
| This may cause re-installation to fail.
| It should be safe to remove /var/lib/ipa-client/sysrestore.state but it may
| mean your system hasn't been restored to its pre-installation state.
| Systemwide CA database updated.
| Client uninstall complete.
| The ipa-client-install command failed. See /var/log/ipaclient-uninstall.log for more information

That log says:

2023-06-23T07:21:19Z ERROR Some installation state for ntp has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state

/var/lib/ipa/sysrestore/sysrestore.state does not actually exist, but this does:

| # cat /var/lib/ipa-client/sysrestore/sysrestore.state
| [ntp]
| enabled = True
| running = False

So somehow this gets confused by some imagined "NTP service"?

This fails in the same way when I disable chronyd before joining:

| systemctl disable --now chronyd
| systemctl disable --now chrony

(I don't know which one is right, they both seem to do half of the job. chrony is really weird..)

Incidentally, it's possible to remove the chrony package, but then ipa-client-install fails immediately, on

CalledProcessError(Command ['/bin/systemctl', 'restart', 'chrony.service'] returned non-zero exit status 5: 'Failed to restart chrony.service: Unit chrony.service not found.\n')

So "Recommends:" is really too weak. I didn't find a workaround for this so far.

[1] # realm discover cockpit.lan
type: kerberos
realm-name: COCKPIT.LAN
domain-name: cockpit.lan
configured: no
server-software: ipa
client-software: sssd
required-package: freeipa-client
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss

[2] This program will set up IPA client.
Version 4.9.11
WARNING: conflicting time&date synchronization service 'ntp' will be disabled in favor of chronyd
Discovery was successful!
Client hostname: x0.cockpit.lan
Realm: COCKPIT.LAN
DNS Domain: cockpit.lan
IPA Server: f0.cockpit.lan
BaseDN: dc=cockpit,dc=lan

Synchronizing time
No SRV records of NTP servers found and no NTP server or pool address was provided.
Using default chrony configuration.
Attempting to sync time with chronyc.
Process chronyc waitsync failed to sync time!
Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=COCKPIT.LAN
    Issuer:      CN=Certificate Authority,O=COCKPIT.LAN
    Valid From:  2023-05-07 22:42:23
    Valid Until: 2043-05-07 22:42:23

Enrolled in IPA realm COCKPIT.LAN
Created /etc/ipa/default.conf
Configured /etc/sssd/sssd.conf
Systemwide CA database updated.
Hostname (x0.cockpit.lan) does not have A/AAAA record.
Missing reverse record(s) for address(es): 10.111.113.1.
Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
SSSD enabled
/etc/ldap/ldap.conf does not exist.
Failed to configure /etc/openldap/ldap.conf
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config.d/04-ipa.conf
Configuring cockpit.lan as NIS domain.
Configured /etc/krb5.conf for IPA realm COCKPIT.LAN
Client configuration complete.
The ipa-client-install command was successful
-------------- next part --------------
2023-06-23T07:08:33Z DEBUG Logging to /var/log/ipaclient-install.log
2023-06-23T07:08:33Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': True, 'principal': 'admin', 'prompt_password': True, 'on_master': False, 'ca_cert_files': None, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': False, 'force_join': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'subid': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'pkinit_identity': None, 'pkinit_anchors': None, 'automount_location': None, 'domain_name': None, 'servers': None, 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': False}
2023-06-23T07:08:33Z DEBUG IPA version 4.9.11
2023-06-23T07:08:33Z DEBUG IPA platform debian
2023-06-23T07:08:33Z DEBUG IPA os-release Debian GNU/Linux
2023-06-23T07:08:33Z DEBUG Starting external process
2023-06-23T07:08:33Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:33Z DEBUG Process finished, return code=1
2023-06-23T07:08:33Z DEBUG stdout=
2023-06-23T07:08:33Z DEBUG stderr=
2023-06-23T07:08:33Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-06-23T07:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:33Z DEBUG Starting external process
2023-06-23T07:08:33Z DEBUG args=['sudo', '-V']
2023-06-23T07:08:33Z DEBUG Process finished, return code=0
2023-06-23T07:08:33Z DEBUG stdout=Sudo version 1.9.13p3
Configure options: --build=x86_64-linux-gnu --prefix=/usr --includedir=${prefix}/include --mandir=${prefix}/share/man --infodir=${prefix}/share/info --sysconfdir=/etc --localstatedir=/var --disable-option-checking --disable-silent-rules --libdir=${prefix}/lib/x86_64-linux-gnu --runstatedir=/run --disable-maintainer-mode --disable-dependency-tracking --with-all-insults --with-pam --with-pam-login --with-fqdn --with-logging=syslog --with-logfac=authpriv --with-env-editor --with-editor=/usr/bin/editor --with-timeout=15 --with-password-timeout=0 --with-passprompt=[sudo] password for %p: --with-tty-tickets --without-lecture --disable-root-mailer --with-sendmail=/usr/sbin/sendmail --with-rundir=/run/sudo --with-sssd --with-sssd-lib=/usr/lib/x86_64-linux-gnu --enable-zlib=system --enable-admin-flag --with-selinux --with-linux-audit --enable-tmpfiles.d=/usr/lib/tmpfiles.d MVPROG=/bin/mv --with-exampledir=/usr/share/doc/sudo/examples
Sudoers policy plugin version 1.9.13p3
Sudoers file grammar version 50
Sudoers path: /etc/sudoers
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Send mail if user authentication fails
Send mail if the user is not in sudoers
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Require fully-qualified hostnames in the sudoers file
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 15.0 minutes
Password prompt timeout: 0.0 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to lecture status dir: /var/lib/sudo/lectured
Path to authentication timestamp dir: /run/sudo/ts
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Value to override user's $PATH with: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Path to the editor for use by visudo: /usr/bin/editor
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for safety: TZ TERM LINGUAS LC_* LANGUAGE LANG COLORTERM
Environment variables to remove: *=()* RUBYOPT RUBYLIB PYTHONUSERBASE PYTHONINSPECT PYTHONPATH PYTHONHOME TMPPREFIX ZDOTDIR READNULLCMD NULLCMD FPATH PERL5DB PERL5OPT PERL5LIB PERLLIB PERLIO_DEBUG JAVA_TOOL_OPTIONS SHELLOPTS BASHOPTS GLOBIGNORE PS4 BASH_ENV ENV TERMCAP TERMPATH TERMINFO_DIRS TERMINFO _RLD* LD_* PATH_LOCALE NLSPATH HOSTALIASES RES_OPTIONS LOCALDOMAIN CDPATH IFS
Environment variables to preserve: XDG_CURRENT_DESKTOP XAUTHORIZATION XAUTHORITY PS2 PS1 PATH LS_COLORS KRB5CCNAME HOSTNAME DPKG_COLORS DISPLAY COLORS
Locale to use while parsing sudoers: C
Compress I/O logs using zlib
Always run commands in a pseudo-tty
Directory in which to store input/output logs: /var/log/sudo-io
File in which to store the input/output log: %{seq}
Add an entry to the utmp/utmpx file when allocating a pty
PAM service name to use: sudo
PAM service name to use for login shells: sudo-i
Attempt to establish PAM credentials for the target user
Create a new PAM session for the command to run in
Perform PAM account validation management
Enable sudoers netgroup support
Check parent directories for writability when editing files with sudoedit
Allow commands to be run even if sudo cannot write to the audit log
Allow commands to be run even if sudo cannot write to the log file
Log entries larger than this value will be split into multiple syslog messages: 960
File mode to use for the I/O log files: 0600
Execute commands by file descriptor instead of by path: digest_only
Type of authentication timestamp record: tty
Ignore case when matching user names
Ignore case when matching group names
Log when a command is allowed by sudoers
Log when a command is denied by sudoers
Sudo log server timeout in seconds: 30
Enable SO_KEEPALIVE socket option on the socket connected to the logserver
Verify that the log server's certificate is valid
Set the pam remote user to the user running sudo
The format of logs to produce: sudo
Enable SELinux RBAC support
Path to the file that is created the first time sudo is run: ~/.sudo_as_admin_successful
Allow an intercepted command to run set setuid or setgid programs
The largest size core dump file that may be created (in bytes): 0,0
Store plaintext passwords in I/O log input
List of regular expressions to use when matching a password prompt: [Pp]assword[: ]*
The mechanism used by the intercept and log_subcmds options: trace
Attempt to verify the command and arguments after execution
Local IP address and netmask pairs: 172.27.0.15/255.255.255.0 10.111.113.1/255.255.240.0 192.168.122.1/255.255.255.0 fec0::5054:ff:fe12:3456/ffff:ffff:ffff:ffff:: fe80::5054:ff:fe12:3456/ffff:ffff:ffff:ffff:: fe80::eb62:1683:beac:72a9/ffff:ffff:ffff:ffff::
Sudoers I/O plugin version 1.9.13p3
Sudoers audit plugin version 1.9.13p3
2023-06-23T07:08:33Z DEBUG stderr=
2023-06-23T07:08:33Z DEBUG Deleting invalid keytab: '/etc/krb5.keytab'.
2023-06-23T07:08:33Z DEBUG [IPA Discovery]
2023-06-23T07:08:33Z DEBUG Starting IPA discovery with domain=None, servers=None, hostname=x0.cockpit.lan
2023-06-23T07:08:33Z DEBUG Start searching for LDAP SRV record in "cockpit.lan" (domain of the hostname) and its sub-domains
2023-06-23T07:08:33Z DEBUG Search DNS for SRV record of _ldap._tcp.cockpit.lan
2023-06-23T07:08:33Z DEBUG DNS record found: 0 100 389 f0.cockpit.lan.
2023-06-23T07:08:33Z DEBUG [Kerberos realm search]
2023-06-23T07:08:33Z DEBUG Search DNS for TXT record of _kerberos.cockpit.lan
2023-06-23T07:08:33Z DEBUG DNS record found: "COCKPIT.LAN"
2023-06-23T07:08:33Z DEBUG Search DNS for SRV record of _kerberos._udp.cockpit.lan
2023-06-23T07:08:33Z DEBUG DNS record found: 0 100 88 f0.cockpit.lan.
2023-06-23T07:08:33Z DEBUG [LDAP server check]
2023-06-23T07:08:33Z DEBUG Verifying that f0.cockpit.lan (realm COCKPIT.LAN) is an IPA server
2023-06-23T07:08:33Z DEBUG Init LDAP connection to: ldap://f0.cockpit.lan:389
2023-06-23T07:08:33Z DEBUG Search LDAP server for IPA base DN
2023-06-23T07:08:33Z DEBUG Check if naming context 'dc=cockpit,dc=lan' is for IPA
2023-06-23T07:08:33Z DEBUG Naming context 'dc=cockpit,dc=lan' is a valid IPA context
2023-06-23T07:08:33Z DEBUG Search for (objectClass=krbRealmContainer) in dc=cockpit,dc=lan (sub)
2023-06-23T07:08:33Z DEBUG Found: cn=COCKPIT.LAN,cn=kerberos,dc=cockpit,dc=lan
2023-06-23T07:08:33Z DEBUG Discovery result: Success; server=f0.cockpit.lan, domain=cockpit.lan, kdc=f0.cockpit.lan, basedn=dc=cockpit,dc=lan
2023-06-23T07:08:33Z DEBUG Validated servers: f0.cockpit.lan
2023-06-23T07:08:33Z DEBUG will use discovered domain: cockpit.lan
2023-06-23T07:08:33Z DEBUG Start searching for LDAP SRV record in "cockpit.lan" (Validating DNS Discovery) and its sub-domains
2023-06-23T07:08:33Z DEBUG Search DNS for SRV record of _ldap._tcp.cockpit.lan
2023-06-23T07:08:33Z DEBUG DNS record found: 0 100 389 f0.cockpit.lan.
2023-06-23T07:08:33Z DEBUG DNS validated, enabling discovery
2023-06-23T07:08:33Z DEBUG will use discovered server: f0.cockpit.lan
2023-06-23T07:08:33Z INFO Discovery was successful!
2023-06-23T07:08:33Z DEBUG will use discovered realm: COCKPIT.LAN
2023-06-23T07:08:33Z DEBUG will use discovered basedn: dc=cockpit,dc=lan
2023-06-23T07:08:33Z INFO Client hostname: x0.cockpit.lan
2023-06-23T07:08:33Z DEBUG Hostname source: Machine's FQDN
2023-06-23T07:08:33Z INFO Realm: COCKPIT.LAN
2023-06-23T07:08:33Z DEBUG Realm source: Discovered from LDAP DNS records in f0.cockpit.lan
2023-06-23T07:08:33Z INFO DNS Domain: cockpit.lan
2023-06-23T07:08:33Z DEBUG DNS Domain source: Discovered LDAP SRV records from cockpit.lan (domain of the hostname)
2023-06-23T07:08:33Z INFO IPA Server: f0.cockpit.lan
2023-06-23T07:08:33Z DEBUG IPA Server source: Discovered from LDAP DNS records in f0.cockpit.lan
2023-06-23T07:08:33Z INFO BaseDN: dc=cockpit,dc=lan
2023-06-23T07:08:33Z DEBUG BaseDN source: From IPA server ldap://f0.cockpit.lan:389
2023-06-23T07:08:33Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-06-23T07:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:33Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:33Z DEBUG Starting external process
2023-06-23T07:08:33Z DEBUG args=['/usr/sbin/ipa-rmkeytab', '-k', '/etc/krb5.keytab', '-r', 'COCKPIT.LAN']
2023-06-23T07:08:33Z DEBUG Process finished, return code=7
2023-06-23T07:08:33Z DEBUG stdout=
2023-06-23T07:08:33Z DEBUG stderr=Failed to set cursor 'No such file or directory'
2023-06-23T07:08:33Z DEBUG Starting external process
2023-06-23T07:08:33Z DEBUG args=['/usr/sbin/service', 'ntp', 'status', '']
2023-06-23T07:08:33Z DEBUG Process finished, return code=4
2023-06-23T07:08:33Z DEBUG stdout=
2023-06-23T07:08:33Z DEBUG stderr=Unit ntp.service could not be found.
2023-06-23T07:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:33Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:33Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:33Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:33Z DEBUG Starting external process
2023-06-23T07:08:33Z DEBUG args=['/bin/systemctl', 'is-enabled', 'systemd-timesyncd.service']
2023-06-23T07:08:33Z DEBUG Process finished, return code=1
2023-06-23T07:08:33Z DEBUG stdout=
2023-06-23T07:08:33Z DEBUG stderr=Failed to get unit file state for systemd-timesyncd.service: No such file or directory
2023-06-23T07:08:33Z DEBUG Starting external process
2023-06-23T07:08:33Z DEBUG args=['/bin/systemctl', 'is-active', 'systemd-timesyncd.service']
2023-06-23T07:08:33Z DEBUG Process finished, return code=3
2023-06-23T07:08:33Z DEBUG stdout=inactive
2023-06-23T07:08:33Z DEBUG stderr=
2023-06-23T07:08:33Z DEBUG Search DNS for SRV record of _ntp._udp.cockpit.lan
2023-06-23T07:08:33Z DEBUG DNS record not found: NXDOMAIN
2023-06-23T07:08:33Z INFO Synchronizing time
2023-06-23T07:08:33Z WARNING No SRV records of NTP servers found and no NTP server or pool address was provided.
2023-06-23T07:08:33Z DEBUG Starting external process
2023-06-23T07:08:33Z DEBUG args=['/bin/systemctl', 'enable', 'chrony.service']
2023-06-23T07:08:34Z DEBUG Process finished, return code=0
2023-06-23T07:08:34Z DEBUG stdout=
2023-06-23T07:08:34Z DEBUG stderr=Synchronizing state of chrony.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable chrony
2023-06-23T07:08:34Z DEBUG Starting external process
2023-06-23T07:08:34Z DEBUG args=['/bin/systemctl', 'restart', 'chrony.service']
2023-06-23T07:08:34Z DEBUG Process finished, return code=0
2023-06-23T07:08:34Z DEBUG stdout=
2023-06-23T07:08:34Z DEBUG stderr=
2023-06-23T07:08:34Z DEBUG Starting external process
2023-06-23T07:08:34Z DEBUG args=['/bin/systemctl', 'is-active', 'chrony.service']
2023-06-23T07:08:34Z DEBUG Process finished, return code=0
2023-06-23T07:08:34Z DEBUG stdout=active
2023-06-23T07:08:34Z DEBUG stderr=
2023-06-23T07:08:34Z DEBUG Restart of chrony.service complete
2023-06-23T07:08:34Z INFO Attempting to sync time with chronyc.
2023-06-23T07:08:34Z DEBUG Starting external process
2023-06-23T07:08:34Z DEBUG args=['/usr/bin/chronyc', '-d', 'waitsync', '4', '0', '0', '3']
2023-06-23T07:08:43Z DEBUG Process finished, return code=1
2023-06-23T07:08:43Z DEBUG stdout=try: 1, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 2, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 3, refid: 00000000, correction: 0.000000000, skew: 0.000
try: 4, refid: 00000000, correction: 0.000000000, skew: 0.000
2023-06-23T07:08:43Z DEBUG stderr=
2023-06-23T07:08:43Z WARNING Process chronyc waitsync failed to sync time!
2023-06-23T07:08:43Z WARNING Unable to sync time with chrony server, assuming the time is in sync. Please check that 123 UDP port is opened, and any time server is on network.
2023-06-23T07:08:43Z DEBUG Starting external process
2023-06-23T07:08:43Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:43Z DEBUG Process finished, return code=1
2023-06-23T07:08:43Z DEBUG stdout=
2023-06-23T07:08:43Z DEBUG stderr=
2023-06-23T07:08:43Z DEBUG Starting external process
2023-06-23T07:08:43Z DEBUG args=['/bin/keyctl', 'get_persistent', '@s', '0']
2023-06-23T07:08:43Z DEBUG Process finished, return code=0
2023-06-23T07:08:43Z DEBUG stdout=188828386
2023-06-23T07:08:43Z DEBUG stderr=
2023-06-23T07:08:43Z DEBUG Enabling persistent keyring CCACHE
2023-06-23T07:08:43Z DEBUG Writing Kerberos configuration to /tmp/tmpwkl5rfiw:
2023-06-23T07:08:43Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
[libdefaults]
  default_realm = COCKPIT.LAN
  dns_lookup_realm = false
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  COCKPIT.LAN = {
    kdc = f0.cockpit.lan:88
    master_kdc = f0.cockpit.lan:88
    admin_server = f0.cockpit.lan:749
    kpasswd_server = f0.cockpit.lan:464
    default_domain = cockpit.lan
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
[domain_realm]
  .cockpit.lan = COCKPIT.LAN
  cockpit.lan = COCKPIT.LAN
  x0.cockpit.lan = COCKPIT.LAN
2023-06-23T07:08:43Z DEBUG Writing configuration file /tmp/tmpwkl5rfiw
2023-06-23T07:08:43Z DEBUG #File modified by ipa-client-install
includedir /etc/krb5.conf.d/
[libdefaults]
  default_realm = COCKPIT.LAN
  dns_lookup_realm = false
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}
[realms]
  COCKPIT.LAN = {
    kdc = f0.cockpit.lan:88
    master_kdc = f0.cockpit.lan:88
    admin_server = f0.cockpit.lan:749
    kpasswd_server = f0.cockpit.lan:464
    default_domain = cockpit.lan
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
[domain_realm]
  .cockpit.lan = COCKPIT.LAN
  cockpit.lan = COCKPIT.LAN
  x0.cockpit.lan = COCKPIT.LAN
2023-06-23T07:08:43Z DEBUG Initializing principal admin at COCKPIT.LAN using password
2023-06-23T07:08:43Z DEBUG Starting external process
2023-06-23T07:08:43Z DEBUG args=['/usr/bin/kinit', 'admin at COCKPIT.LAN', '-c', '/tmp/krbccd7v8a2s2/ccache']
2023-06-23T07:08:43Z DEBUG Process finished, return code=0
2023-06-23T07:08:43Z DEBUG stdout=Password for admin at COCKPIT.LAN:
2023-06-23T07:08:43Z DEBUG stderr=
2023-06-23T07:08:43Z DEBUG trying to retrieve CA cert via LDAP from f0.cockpit.lan
2023-06-23T07:08:43Z DEBUG retrieving schema for SchemaCache url=ldap://f0.cockpit.lan:389 conn=
2023-06-23T07:08:43Z INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=COCKPIT.LAN
    Issuer:      CN=Certificate Authority,O=COCKPIT.LAN
    Valid From:  2023-05-07 22:42:23
    Valid Until: 2043-05-07 22:42:23

2023-06-23T07:08:43Z DEBUG Starting external process
2023-06-23T07:08:43Z DEBUG args=['/usr/sbin/ipa-join', '-s', 'f0.cockpit.lan', '-b', 'dc=cockpit,dc=lan', '-h', 'x0.cockpit.lan', '-k', '/etc/krb5.keytab']
2023-06-23T07:08:43Z DEBUG Process finished, return code=0
2023-06-23T07:08:43Z DEBUG stdout=
2023-06-23T07:08:43Z DEBUG stderr=Keytab successfully retrieved and stored in: /etc/krb5.keytab
2023-06-23T07:08:43Z INFO Enrolled in IPA realm COCKPIT.LAN
2023-06-23T07:08:43Z DEBUG Starting external process
2023-06-23T07:08:43Z DEBUG args=['/usr/bin/kdestroy']
2023-06-23T07:08:43Z DEBUG Process finished, return code=0
2023-06-23T07:08:43Z DEBUG stdout=
2023-06-23T07:08:43Z DEBUG stderr=
2023-06-23T07:08:43Z DEBUG Initializing principal host/x0.cockpit.lan at COCKPIT.LAN using keytab /etc/krb5.keytab
2023-06-23T07:08:43Z DEBUG using ccache /etc/ipa/.dns_ccache
2023-06-23T07:08:44Z DEBUG Attempt 1/5: success
2023-06-23T07:08:44Z DEBUG Backing up system configuration file '/etc/ipa/default.conf'
2023-06-23T07:08:44Z DEBUG   -> Not backing up - '/etc/ipa/default.conf' doesn't exist
2023-06-23T07:08:44Z DEBUG Writing configuration file /etc/ipa/default.conf
2023-06-23T07:08:44Z DEBUG #File modified by ipa-client-install
[global]
  basedn = dc=cockpit,dc=lan
  realm = COCKPIT.LAN
  domain = cockpit.lan
  server = f0.cockpit.lan
  host = x0.cockpit.lan
  xmlrpc_uri = https://f0.cockpit.lan/ipa/xml
  enable_ra = True
2023-06-23T07:08:44Z INFO Created /etc/ipa/default.conf
2023-06-23T07:08:44Z DEBUG Backing up system configuration file '/etc/sssd/sssd.conf'
2023-06-23T07:08:44Z DEBUG   -> Not backing up - '/etc/sssd/sssd.conf' doesn't exist
2023-06-23T07:08:44Z DEBUG New SSSD config will be created
2023-06-23T07:08:44Z INFO Configured /etc/sssd/sssd.conf
2023-06-23T07:08:44Z DEBUG Starting external process
2023-06-23T07:08:44Z DEBUG args=['/usr/bin/certutil', '-d', '/tmp/tmpy89spgbd', '-N', '-f', '/tmp/tmpy89spgbd/pwdfile.txt', '-@', '/tmp/tmpy89spgbd/pwdfile.txt']
2023-06-23T07:08:44Z DEBUG Process finished, return code=0
2023-06-23T07:08:44Z DEBUG stdout=
2023-06-23T07:08:44Z DEBUG stderr=
2023-06-23T07:08:44Z DEBUG Starting external process
2023-06-23T07:08:44Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:44Z DEBUG Process finished, return code=1
2023-06-23T07:08:44Z DEBUG stdout=
2023-06-23T07:08:44Z DEBUG stderr=
2023-06-23T07:08:44Z DEBUG Starting external process
2023-06-23T07:08:44Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:44Z DEBUG Process finished, return code=1
2023-06-23T07:08:44Z DEBUG stdout=
2023-06-23T07:08:44Z DEBUG stderr=
2023-06-23T07:08:44Z DEBUG Starting external process
2023-06-23T07:08:44Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:44Z DEBUG Process finished, return code=1
2023-06-23T07:08:44Z DEBUG stdout=
2023-06-23T07:08:44Z DEBUG stderr=
2023-06-23T07:08:44Z DEBUG Starting external process
2023-06-23T07:08:44Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:44Z DEBUG Process finished, return code=1
2023-06-23T07:08:44Z DEBUG stdout=
2023-06-23T07:08:44Z DEBUG stderr=
2023-06-23T07:08:44Z DEBUG Starting external process
2023-06-23T07:08:44Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:44Z DEBUG Process finished, return code=1
2023-06-23T07:08:44Z DEBUG stdout=
2023-06-23T07:08:44Z DEBUG stderr=
2023-06-23T07:08:44Z DEBUG Starting external process
2023-06-23T07:08:44Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/tmp/tmpy89spgbd', '-A', '-n', 'CA certificate 1', '-t', 'C,,', '-a', '-f', '/tmp/tmpy89spgbd/pwdfile.txt']
2023-06-23T07:08:44Z DEBUG Process finished, return code=0
2023-06-23T07:08:44Z DEBUG stdout=
2023-06-23T07:08:44Z DEBUG stderr=
2023-06-23T07:08:44Z DEBUG failed to find session_cookie in persistent storage for principal 'host/x0.cockpit.lan at COCKPIT.LAN'
2023-06-23T07:08:44Z DEBUG trying https://f0.cockpit.lan/ipa/json
2023-06-23T07:08:44Z DEBUG Created connection context.rpcclient_139622869669584
2023-06-23T07:08:44Z DEBUG [try 1]: Forwarding 'schema' to json server 'https://f0.cockpit.lan/ipa/json'
2023-06-23T07:08:44Z DEBUG New HTTP connection (f0.cockpit.lan)
2023-06-23T07:08:44Z DEBUG received Set-Cookie ()'['ipa_session=MagBearerToken=nvEN%2fgwkpz2oX6F7DqHiznYTnqdhsyqsjMjopMuGEbG6zsOneRXhlaF1JNxxeUV1%2b6eL5IhyT4qDXA4wUdXuLv7XQVhf8xONPyzzJzVGY8pDVIFKoi4BRFlTMwOsaJydT0YlmPZWJPzUEElUY%2fRDv2p7kbh3SqPXgJFCb8flZmOXW5CKgLgIHiyBTCwVFgR8rZ2tPGWvyR6PAJngyj1ZJoHGFmSpHHqPllHJUHJX0n3d4IssNcfaW%2f0AuEqKMemx;path=/ipa;httponly;secure;']'
2023-06-23T07:08:44Z DEBUG storing cookie 'ipa_session=MagBearerToken=nvEN%2fgwkpz2oX6F7DqHiznYTnqdhsyqsjMjopMuGEbG6zsOneRXhlaF1JNxxeUV1%2b6eL5IhyT4qDXA4wUdXuLv7XQVhf8xONPyzzJzVGY8pDVIFKoi4BRFlTMwOsaJydT0YlmPZWJPzUEElUY%2fRDv2p7kbh3SqPXgJFCb8flZmOXW5CKgLgIHiyBTCwVFgR8rZ2tPGWvyR6PAJngyj1ZJoHGFmSpHHqPllHJUHJX0n3d4IssNcfaW%2f0AuEqKMemx;' for principal host/x0.cockpit.lan at COCKPIT.LAN
2023-06-23T07:08:44Z DEBUG Destroyed connection context.rpcclient_139622869669584
2023-06-23T07:08:44Z DEBUG importing all plugin modules in ipaclient.remote_plugins.schema$d65c094d...
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.remote_plugins.schema$d65c094d.plugins
2023-06-23T07:08:44Z DEBUG importing all plugin modules in ipaclient.plugins...
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.automember
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.automount
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.ca
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.cert
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.certmap
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.certprofile
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.dns
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.hbacrule
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.hbactest
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.host
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.idrange
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.internal
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.location
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.migration
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.misc
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.otptoken
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.otptoken_yubikey
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.passwd
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.permission
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.rpcclient
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.server
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.service
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.sudorule
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.topology
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.trust
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.user
2023-06-23T07:08:44Z DEBUG importing plugin module ipaclient.plugins.vault
2023-06-23T07:08:44Z DEBUG found session_cookie in persistent storage for principal 'host/x0.cockpit.lan at COCKPIT.LAN', cookie: 'ipa_session=MagBearerToken=nvEN%2fgwkpz2oX6F7DqHiznYTnqdhsyqsjMjopMuGEbG6zsOneRXhlaF1JNxxeUV1%2b6eL5IhyT4qDXA4wUdXuLv7XQVhf8xONPyzzJzVGY8pDVIFKoi4BRFlTMwOsaJydT0YlmPZWJPzUEElUY%2fRDv2p7kbh3SqPXgJFCb8flZmOXW5CKgLgIHiyBTCwVFgR8rZ2tPGWvyR6PAJngyj1ZJoHGFmSpHHqPllHJUHJX0n3d4IssNcfaW%2f0AuEqKMemx'
2023-06-23T07:08:44Z DEBUG setting session_cookie into context 'ipa_session=MagBearerToken=nvEN%2fgwkpz2oX6F7DqHiznYTnqdhsyqsjMjopMuGEbG6zsOneRXhlaF1JNxxeUV1%2b6eL5IhyT4qDXA4wUdXuLv7XQVhf8xONPyzzJzVGY8pDVIFKoi4BRFlTMwOsaJydT0YlmPZWJPzUEElUY%2fRDv2p7kbh3SqPXgJFCb8flZmOXW5CKgLgIHiyBTCwVFgR8rZ2tPGWvyR6PAJngyj1ZJoHGFmSpHHqPllHJUHJX0n3d4IssNcfaW%2f0AuEqKMemx;'
2023-06-23T07:08:44Z DEBUG trying https://f0.cockpit.lan/ipa/session/json
2023-06-23T07:08:44Z DEBUG Created connection context.rpcclient_139622815111376
2023-06-23T07:08:44Z DEBUG Try RPC connection
2023-06-23T07:08:44Z DEBUG [try 1]: Forwarding 'ping' to json server 'https://f0.cockpit.lan/ipa/session/json'
2023-06-23T07:08:44Z DEBUG New HTTP connection (f0.cockpit.lan)
2023-06-23T07:08:44Z DEBUG [try 1]: Forwarding 'ca_is_enabled' to json server 'https://f0.cockpit.lan/ipa/session/json'
2023-06-23T07:08:44Z DEBUG HTTP connection keep-alive (f0.cockpit.lan)
2023-06-23T07:08:44Z DEBUG [try 1]: Forwarding 'config_show' to json server 'https://f0.cockpit.lan/ipa/session/json'
2023-06-23T07:08:44Z DEBUG HTTP connection keep-alive (f0.cockpit.lan)
2023-06-23T07:08:44Z DEBUG Starting external process
2023-06-23T07:08:44Z DEBUG args=['/usr/bin/certutil', '-d', '/etc/ipa/nssdb', '-N', '-f', '/etc/ipa/nssdb/pwdfile.txt', '-@', '/etc/ipa/nssdb/pwdfile.txt']
2023-06-23T07:08:45Z DEBUG Process finished, return code=0
2023-06-23T07:08:45Z DEBUG stdout=
2023-06-23T07:08:45Z DEBUG stderr=
2023-06-23T07:08:45Z DEBUG Starting external process
2023-06-23T07:08:45Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:45Z DEBUG Process finished, return code=1
2023-06-23T07:08:45Z DEBUG stdout=
2023-06-23T07:08:45Z DEBUG stderr=
2023-06-23T07:08:45Z DEBUG Starting external process
2023-06-23T07:08:45Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:45Z DEBUG Process finished, return code=1
2023-06-23T07:08:45Z DEBUG stdout=
2023-06-23T07:08:45Z DEBUG stderr=
2023-06-23T07:08:45Z DEBUG Starting external process
2023-06-23T07:08:45Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:45Z DEBUG Process finished, return code=1
2023-06-23T07:08:45Z DEBUG stdout=
2023-06-23T07:08:45Z DEBUG stderr=
2023-06-23T07:08:45Z DEBUG Starting external process
2023-06-23T07:08:45Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:45Z DEBUG Process finished, return code=1
2023-06-23T07:08:45Z DEBUG stdout=
2023-06-23T07:08:45Z DEBUG stderr=
2023-06-23T07:08:45Z DEBUG Starting external process
2023-06-23T07:08:45Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:45Z DEBUG Process finished, return code=1
2023-06-23T07:08:45Z DEBUG stdout=
2023-06-23T07:08:45Z DEBUG stderr=
2023-06-23T07:08:45Z DEBUG Adding CA certificates to the IPA NSS database.
2023-06-23T07:08:45Z DEBUG Starting external process
2023-06-23T07:08:45Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/ipa/nssdb', '-A', '-n', 'COCKPIT.LAN IPA CA', '-t', 'CT,C,C', '-a', '-f', '/etc/ipa/nssdb/pwdfile.txt']
2023-06-23T07:08:45Z DEBUG Process finished, return code=0
2023-06-23T07:08:45Z DEBUG stdout=
2023-06-23T07:08:45Z DEBUG stderr=
2023-06-23T07:08:45Z DEBUG Starting external process
2023-06-23T07:08:45Z DEBUG args=['/usr/sbin/update-ca-certificates']
2023-06-23T07:08:45Z DEBUG Process finished, return code=0
2023-06-23T07:08:45Z DEBUG stdout=Updating certificates in /etc/ssl/certs...
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
2023-06-23T07:08:45Z DEBUG stderr=rehash: warning: skipping ca-certificates.crt,it does not contain exactly one certificate or CRL
2023-06-23T07:08:45Z INFO Systemwide CA database updated.
2023-06-23T07:08:45Z DEBUG The DNS query name does not exist: x0.cockpit.lan.
2023-06-23T07:08:45Z WARNING Hostname (x0.cockpit.lan) does not have A/AAAA record.
2023-06-23T07:08:45Z DEBUG IP check failed: cannot use loopback IP address 127.0.0.1
2023-06-23T07:08:45Z DEBUG IP check failed: cannot use loopback IP address ::1
2023-06-23T07:08:45Z DEBUG IP check successful: 172.27.0.15
2023-06-23T07:08:45Z DEBUG IP check successful: fec0::5054:ff:fe12:3456
2023-06-23T07:08:45Z DEBUG IP check failed: cannot use link-local IP address fe80::5054:ff:fe12:3456%eth0
2023-06-23T07:08:45Z DEBUG IP check successful: 10.111.113.1
2023-06-23T07:08:45Z DEBUG IP check failed: cannot use link-local IP address fe80::eb62:1683:beac:72a9%eth1
2023-06-23T07:08:45Z DEBUG IP check successful: 192.168.122.1
2023-06-23T07:08:45Z DEBUG IP check successful: 10.111.113.1
2023-06-23T07:08:45Z DEBUG IP check failed: cannot use link-local IP address fe80::eb62:1683:beac:72a9%eth1
2023-06-23T07:08:45Z DEBUG Searching for an interface of IP address: 10.111.113.1
2023-06-23T07:08:45Z DEBUG Testing local IP address: 127.0.0.1/255.0.0.0 (interface: lo)
2023-06-23T07:08:45Z DEBUG Testing local IP address: 172.27.0.15/255.255.255.0 (interface: eth0)
2023-06-23T07:08:45Z DEBUG Testing local IP address: 10.111.113.1/255.255.240.0 (interface: eth1)
2023-06-23T07:08:45Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2023-06-23T07:08:45Z DEBUG debug
update delete x0.cockpit.lan. IN A
show
send
update delete x0.cockpit.lan. IN AAAA
show
send
update add x0.cockpit.lan. 1200 IN A 10.111.113.1
show
send
2023-06-23T07:08:45Z DEBUG Starting external process
2023-06-23T07:08:45Z DEBUG args=['/usr/bin/nsupdate', '-g', '/etc/ipa/.dns_update.txt']
2023-06-23T07:08:45Z DEBUG Process finished, return code=0
2023-06-23T07:08:45Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
x0.cockpit.lan. 0 ANY A

Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44024
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;426952339.sig-f0.cockpit.lan. ANY TKEY
;; ADDITIONAL SECTION:
426952339.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig. 1687504125 1687504125 3 NOERROR 1753 [base64 GSS-TSIG TKEY token omitted] 0

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 59544
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
x0.cockpit.lan. 0 ANY A
;; TSIG PSEUDOSECTION:
426952339.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504125 300 28 BAQE//////8AAAAALzeI5AGWoCZfprz7OuSSPQ== 59544 NOERROR 0

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
x0.cockpit.lan. 0 ANY AAAA

Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3847
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;4181638371.sig-f0.cockpit.lan. ANY TKEY
;; ADDITIONAL SECTION:
4181638371.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig. 1687504125 1687504125 3 NOERROR 1753 [base64 GSS-TSIG TKEY token omitted] 0

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 1740
;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1
;; UPDATE SECTION:
x0.cockpit.lan. 0 ANY AAAA
;; TSIG PSEUDOSECTION:
4181638371.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504125 300 28 BAQE//////8AAAAAGEyBFinSxgh1UUSw907Njg== 1740 NOERROR 0

Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
x0.cockpit.lan. 1200 IN A 10.111.113.1

Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2833
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3181930200.sig-f0.cockpit.lan. ANY TKEY
;; ADDITIONAL SECTION:
3181930200.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig.
1687504125 1687504125 3 NOERROR 1753 YIIG1QYGKwYBBQUCoIIGyTCCBsWgDTALBgkqhkiG9xIBAgKiggayBIIG rmCCBqoGCSqGSIb3EgECAgEAboIGmTCCBpWgAwIBBaEDAgEOogcDBQAg AAAAo4IFnmGCBZowggWWoAMCAQWhDRsLQ09DS1BJVC5MQU6iIDAeoAMC AQGhFzAVGwNETlMbDmYwLmNvY2twaXQubGFuo4IFXDCCBVigAwIBEqED AgECooIFSgSCBUaynGOa7RdsMQFoXBNXU8LMuvQzj0YdcrDoN4MzuTmd U6jihv0B84Hat1G2MuW2HH6ZD14BAD9tcaceWGPxd1GKc8YBJgEa9+bq Mkw/+x7nga7cuzPLJIZcUnCoUcASdYlyZp5Owc3+/lx2JjfpiWcoX1P8 bza4BsokHeg8cooBp6OrRDQbiT3kYAEkm/OfT6bYzJI9mj2vY2/dABvA xIJBOkYPkNkCqU4LSgQgHq31mI9u6ii6w4vLroOwy9ZOg5Zg04pfxBdE iF558GE00YYhmaY49P0z782ac1oj5gRzrAQWd6fR0p56oDew1ulaLWoR /La7xfZowqTVShlcncd75vw+73Jlp17VmKT1BTY4gym20CnHddKPoR+4 2kOVuxTy+xUfKvZO9MbxRIurth3VTqdi0axCpv1P45SAyMXzPDSdixU1 I5VftRkQ1P90RXVk/s5t0i5M0rUkZhXKj/hWmQV5rC0h9+OXii1pxEW/ 3qkdmH+E+SM83ZXgnz3l6U+o3d4iB8zPlBdLPb9QAjz9AP6w+MXTxkjd kOc1fxGoEe8W17e45h4TsRtFHHBXHM9fl/0aYQe+47k2IiLXyo11xauP ogCxURlGbqaNPoa587hq/ZTP39CZdp+e7UOQ4SY0tmUWVWbBecZf5clC NHLY4gDcvM+eQlR7rtsNdQsy5QPqHnvnLUkIJGxvF/xCYqU3aN2bx/4r qgXISxH+6FfGD+f30ZMZK18N29JyzCjZHxTrIXm5bPl1+4pzcUn3x8M0 /7pt3lfb8cLVa9I/pIGx2WdI2rlxtG+bKm3A2MimlyRmGvmPC0A90QRu YK0bB7t9zwTUTJ8T0gyD0ZtBIfBV0vjrmDT5BkhsJSSvoVNQzxd5Gjo3 0708O7625Cehdd2Mk6Ouq6i64wpyDx1kI5OhOwSZ5ClUIPjBZlk96wkK k89hLBcq2Y9hg4783C3jdjTelf2ZzOJfe835LdwjIglViVDb5A4irOn3 uUbeHF5Lhai05Y9f3aZkDnolRMZrfj0DJIfGGns2LLFi24h9akyyRvXb LyGcbhOpH89ERYDkA6q5oaARnq/ii6R0Fef7Dl/+C8H6mxkg+AZlR2gq p5ZQMPKmRXjI59xdWzHO+lT98R6tcHmdKCpAIVWMCBqRXOMX+vpHMxHx B0fpLFcnnx4tMjxSqaX9CQl608uX5HimSRzBLqJwKaJIHfzn+GMgI3BB 9IR8BlmtV0OcsH6ue3+LZmfNMAKmtfbe5sEmgPNsHMBs1ruUvW82oL1/ +zExIuiQsg2XFmsIkevovabEzLXZKKzpHXnDHzq2NBrElNGU0KXPnV7F Ug0n7GP7CP12hICVSlC2OJQp/YH2c9W4iY/zrJFC+tZJqToYq/hSQ6+S 0rrZNAP4mRi0+X52ewdwSGh2B/ACvAtBfGf8k1KfKh+teIR0pNnhOU9T zIGB9yBdt/C46Wbqeb5mr9yHD6U6q7Ag2qih18UQtrSx+p/N0fE7lIkB ogF19FhieNQf/fxfCexZm/tGoZ3NDUgtMXup68u8v4CS+OAPtzo1KwIh TMdhvNl5jwefbyiivV/jn+TuGwSSvOxwtVU27O9dLVEZxQcEhWd8x4/b nqU/mCPkBBURda9yushq6rq1Zxf7HaOZW+bWFs1QKCU5QvXwg7ivG9oF 
gSC8oreprTSu4zG76pCzgdh6GLVltxw8WLhcvGm6g6hFA4YM1MPrm2H0 HmqHmBQpn/eEPdQb13cuz3gAHTLOcj0nntctoCmB1FFBpjontfcpNkUn KNQ980KNEw1znj6f+trNeYCkgd0wgdqgAwIBEqKB0gSBz+eb5xZRCk4V X7D3tTAhwSwxFNPOo7KN1GRThDnmq+Txq+i4L0lHyc85+Q/WiTt1chis 2jkEJmRe8alK3+F+WKCKdIZ4itLLyDMEY9M8T6DQVOnHFPph1VPDwm9f S+/T3Qj6k9kv0PdQXP3whOfol1x0uC0LBpmYHecggBN/arRPPRvqd7Qe yBK9zjrEr3f7xfOmt8xfMOAx30YFR2H8knHNOct50eSyXShOSsSXlcyp vIRguWDc7d4ymr5Jj00hxqGLd3oZZTnH8AXxvxxRyg== 0 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 15996 ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1 ;; UPDATE SECTION: x0.cockpit.lan. 1200 IN A 10.111.113.1 ;; TSIG PSEUDOSECTION: 3181930200.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504125 300 28 BAQE//////8AAAAALMoXJJRWMK+VVWzSn+5e9w== 15996 NOERROR 0 2023-06-23T07:08:45Z DEBUG stderr=Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1010 ;; flags: qr aa rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;x0.cockpit.lan. IN SOA ;; AUTHORITY SECTION: cockpit.lan. 0 IN SOA f0.cockpit.lan. hostmaster.cockpit.lan. 1687503916 3600 900 1209600 3600 Found zone name: cockpit.lan The primary is: f0.cockpit.lan start_gssrequest Found realm from ticket: COCKPIT.LAN send_gssrequest recvmsg reply from GSS-TSIG query ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 44024 ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;426952339.sig-f0.cockpit.lan. ANY TKEY ;; ANSWER SECTION: 426952339.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig. 1687504126 1687507726 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvPqsexejUgiyY d8gxuCNGFc3g/DpEhkHtTahecRGCUWzXj7Tx+6ooqmkvfDGnYm0djhFi RiUyOWm+O4i3t0Pt4egz+Ri0eWg7r+BEGNEa9KEYYgP8QFL2roUmhS+q QUJDsIGEPTy5gc8SkfKKhc1o 0 ;; TSIG PSEUDOSECTION: 426952339.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 
1687504126 300 28 BAQF//////8AAAAAIgagwtHcKCXKon+YvndV7Q== 44024 NOERROR 0 Sending update to 10.111.112.100#53 Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 59544 ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;cockpit.lan. IN SOA ;; TSIG PSEUDOSECTION: 426952339.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504126 300 28 BAQF//////8AAAAAIgagwyqmG2rX/PbGaC0+AA== 59544 NOERROR 0 Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52977 ;; flags: qr aa rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;x0.cockpit.lan. IN SOA ;; AUTHORITY SECTION: cockpit.lan. 0 IN SOA f0.cockpit.lan. hostmaster.cockpit.lan. 1687503916 3600 900 1209600 3600 Found zone name: cockpit.lan The primary is: f0.cockpit.lan start_gssrequest send_gssrequest recvmsg reply from GSS-TSIG query ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3847 ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;4181638371.sig-f0.cockpit.lan. ANY TKEY ;; ANSWER SECTION: 4181638371.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig. 1687504126 1687507726 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvdpwNTZ1iS/Cc SQKOzfFYK2ZEx4ob5tKeUbvZOVmWov83oe0kvblRQVBysGEsuL576nwv 29gVtRxvHdzmJHRI/046AVZ7pT9Gnb6Ms+iM0opf8GSIp5dzPrkNHKPr 1LlXgPuArIsMtMUIV6rB1UmC 0 ;; TSIG PSEUDOSECTION: 4181638371.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504126 300 28 BAQF//////8AAAAAKsHfpVZo4ij/6gfIexfTZg== 3847 NOERROR 0 Sending update to 10.111.112.100#53 Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 1740 ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;cockpit.lan. IN SOA ;; TSIG PSEUDOSECTION: 4181638371.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 
1687504126 300 28 BAQF//////8AAAAAKsHfps4juYlqF4DaeodXbg== 1740 NOERROR 0

Reply from SOA query:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 47698
;; flags: qr aa rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;x0.cockpit.lan. IN SOA

;; AUTHORITY SECTION:
cockpit.lan. 0 IN SOA f0.cockpit.lan. hostmaster.cockpit.lan. 1687503916 3600 900 1209600 3600

Found zone name: cockpit.lan
The primary is: f0.cockpit.lan
start_gssrequest
send_gssrequest
recvmsg reply from GSS-TSIG query
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2833
;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3181930200.sig-f0.cockpit.lan. ANY TKEY

;; ANSWER SECTION:
3181930200.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig. 1687504126 1687507726 3 NOERROR 186
 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB
 AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvxDbTt26ncL/Q
 YdbEM1BMYiTnDJrQ2xWagTfOOxefbscryr12zmbsW6tdkefXsW7T83XH
 d3E8Wz1vMACEiaEKWt3tYFKgqoKOKBgoXRW3XmKJK7VEUdOGGznrrM0o
 b6xl/hbSHMVoJsyEs1rg5Ezl 0

;; TSIG PSEUDOSECTION:
3181930200.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504126 300 28 BAQF//////8AAAAALi8GP16yfX3HSQUU4i/7FQ== 2833 NOERROR 0

Sending update to 10.111.112.100#53

Reply from update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 15996
;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1
;; ZONE SECTION:
;cockpit.lan. IN SOA

;; TSIG PSEUDOSECTION:
3181930200.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504126 300 28 BAQF//////8AAAAALi8GQEZ9krYTf4oPv8AVpg== 15996 NOERROR 0

2023-06-23T07:08:45Z DEBUG DNS resolver: Query: x0.cockpit.lan IN A
2023-06-23T07:08:45Z DEBUG DNS resolver: Query: x0.cockpit.lan IN AAAA
2023-06-23T07:08:45Z DEBUG DNS resolver: No record.
2023-06-23T07:08:45Z DEBUG DNS resolver: Query: 10.111.113.1 IN PTR
2023-06-23T07:08:45Z DEBUG DNS resolver: No record.
2023-06-23T07:08:45Z WARNING Missing reverse record(s) for address(es): 10.111.113.1.
2023-06-23T07:08:45Z INFO Adding SSH public key from /etc/ssh/ssh_host_ecdsa_key.pub
2023-06-23T07:08:45Z INFO Adding SSH public key from /etc/ssh/ssh_host_ed25519_key.pub
2023-06-23T07:08:45Z INFO Adding SSH public key from /etc/ssh/ssh_host_rsa_key.pub
2023-06-23T07:08:45Z DEBUG [try 1]: Forwarding 'host_mod' to json server 'https://f0.cockpit.lan/ipa/session/json'
2023-06-23T07:08:45Z DEBUG HTTP connection keep-alive (f0.cockpit.lan)
2023-06-23T07:08:45Z DEBUG Writing nsupdate commands to /etc/ipa/.dns_update.txt:
2023-06-23T07:08:45Z DEBUG debug
update delete x0.cockpit.lan. IN SSHFP
show
send
update add x0.cockpit.lan. 1200 IN SSHFP 3 1 17A7250887AE6A9F62D97B1BF6837214C1088F24
update add x0.cockpit.lan. 1200 IN SSHFP 3 2 5F4276F0EB8E3652F3BE9DE0ED441432C5B380D1E794E3ECF524B6FF5C0B81B8
update add x0.cockpit.lan. 1200 IN SSHFP 4 1 9507857A2FBBA15EDB45A865442055C3D10CE3AD
update add x0.cockpit.lan. 1200 IN SSHFP 4 2 8C1DF0B89A7F15D5339CFA0C65DE020376C4DEA2BC6ACF1068598B794B359D8C
update add x0.cockpit.lan. 1200 IN SSHFP 1 1 E880FA7CDCFA316B28FC840D1C92CBCC0B79F475
update add x0.cockpit.lan. 1200 IN SSHFP 1 2 B114E3E8BCABF2CA9A2161A634417F0572FC973FE18385E19F48B5E5ADFCA218
show
send
2023-06-23T07:08:45Z DEBUG Starting external process
2023-06-23T07:08:45Z DEBUG args=['/usr/bin/nsupdate', '-g', '/etc/ipa/.dns_update.txt']
2023-06-23T07:08:45Z DEBUG Process finished, return code=0
2023-06-23T07:08:45Z DEBUG stdout=Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
x0.cockpit.lan. 0 ANY SSHFP

Outgoing update query:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6601
;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;3773226076.sig-f0.cockpit.lan. ANY TKEY

;; ADDITIONAL SECTION:
3773226076.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig.
1687504125 1687504125 3 NOERROR 1753 YIIG1QYGKwYBBQUCoIIGyTCCBsWgDTALBgkqhkiG9xIBAgKiggayBIIG rmCCBqoGCSqGSIb3EgECAgEAboIGmTCCBpWgAwIBBaEDAgEOogcDBQAg AAAAo4IFnmGCBZowggWWoAMCAQWhDRsLQ09DS1BJVC5MQU6iIDAeoAMC AQGhFzAVGwNETlMbDmYwLmNvY2twaXQubGFuo4IFXDCCBVigAwIBEqED AgECooIFSgSCBUaynGOa7RdsMQFoXBNXU8LMuvQzj0YdcrDoN4MzuTmd U6jihv0B84Hat1G2MuW2HH6ZD14BAD9tcaceWGPxd1GKc8YBJgEa9+bq Mkw/+x7nga7cuzPLJIZcUnCoUcASdYlyZp5Owc3+/lx2JjfpiWcoX1P8 bza4BsokHeg8cooBp6OrRDQbiT3kYAEkm/OfT6bYzJI9mj2vY2/dABvA xIJBOkYPkNkCqU4LSgQgHq31mI9u6ii6w4vLroOwy9ZOg5Zg04pfxBdE iF558GE00YYhmaY49P0z782ac1oj5gRzrAQWd6fR0p56oDew1ulaLWoR /La7xfZowqTVShlcncd75vw+73Jlp17VmKT1BTY4gym20CnHddKPoR+4 2kOVuxTy+xUfKvZO9MbxRIurth3VTqdi0axCpv1P45SAyMXzPDSdixU1 I5VftRkQ1P90RXVk/s5t0i5M0rUkZhXKj/hWmQV5rC0h9+OXii1pxEW/ 3qkdmH+E+SM83ZXgnz3l6U+o3d4iB8zPlBdLPb9QAjz9AP6w+MXTxkjd kOc1fxGoEe8W17e45h4TsRtFHHBXHM9fl/0aYQe+47k2IiLXyo11xauP ogCxURlGbqaNPoa587hq/ZTP39CZdp+e7UOQ4SY0tmUWVWbBecZf5clC NHLY4gDcvM+eQlR7rtsNdQsy5QPqHnvnLUkIJGxvF/xCYqU3aN2bx/4r qgXISxH+6FfGD+f30ZMZK18N29JyzCjZHxTrIXm5bPl1+4pzcUn3x8M0 /7pt3lfb8cLVa9I/pIGx2WdI2rlxtG+bKm3A2MimlyRmGvmPC0A90QRu YK0bB7t9zwTUTJ8T0gyD0ZtBIfBV0vjrmDT5BkhsJSSvoVNQzxd5Gjo3 0708O7625Cehdd2Mk6Ouq6i64wpyDx1kI5OhOwSZ5ClUIPjBZlk96wkK k89hLBcq2Y9hg4783C3jdjTelf2ZzOJfe835LdwjIglViVDb5A4irOn3 uUbeHF5Lhai05Y9f3aZkDnolRMZrfj0DJIfGGns2LLFi24h9akyyRvXb LyGcbhOpH89ERYDkA6q5oaARnq/ii6R0Fef7Dl/+C8H6mxkg+AZlR2gq p5ZQMPKmRXjI59xdWzHO+lT98R6tcHmdKCpAIVWMCBqRXOMX+vpHMxHx B0fpLFcnnx4tMjxSqaX9CQl608uX5HimSRzBLqJwKaJIHfzn+GMgI3BB 9IR8BlmtV0OcsH6ue3+LZmfNMAKmtfbe5sEmgPNsHMBs1ruUvW82oL1/ +zExIuiQsg2XFmsIkevovabEzLXZKKzpHXnDHzq2NBrElNGU0KXPnV7F Ug0n7GP7CP12hICVSlC2OJQp/YH2c9W4iY/zrJFC+tZJqToYq/hSQ6+S 0rrZNAP4mRi0+X52ewdwSGh2B/ACvAtBfGf8k1KfKh+teIR0pNnhOU9T zIGB9yBdt/C46Wbqeb5mr9yHD6U6q7Ag2qih18UQtrSx+p/N0fE7lIkB ogF19FhieNQf/fxfCexZm/tGoZ3NDUgtMXup68u8v4CS+OAPtzo1KwIh TMdhvNl5jwefbyiivV/jn+TuGwSSvOxwtVU27O9dLVEZxQcEhWd8x4/b nqU/mCPkBBURda9yushq6rq1Zxf7HaOZW+bWFs1QKCU5QvXwg7ivG9oF 
gSC8oreprTSu4zG76pCzgdh6GLVltxw8WLhcvGm6g6hFA4YM1MPrm2H0 HmqHmBQpn/eEPdQb13cuz3gAHTLOcj0nntctoCmB1FFBpjontfcpNkUn KNQ980KNEw1znj6f+trNeYCkgd0wgdqgAwIBEqKB0gSBz5EkwDA1i94C Ik0g4YlNXKSUnKETIuCbDtbjGdw9T7rmYwr6gorKENXlwA+aaCiR64iu uR6nTb+R30kCKuQXG11EuIUQLZYrK5Xw6OIUk5Qcxx9vYOWRLsW1+BPs TRAnzNWgxfrrlX22ud/IDNTP54V+BZCKiUaWyPLuYAPJ0zOlV5vx0jeN /8n5WRxD5XPl9AOk7ccO7x7EE2WpaOzQCv9NFLZ7kOA9n+HyNrj0/Kkw k/Fw/dAiikOanWuB9APcX0yt0afhcmrVCwd0EP025g== 0 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42576 ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 1, ADDITIONAL: 1 ;; UPDATE SECTION: x0.cockpit.lan. 0 ANY SSHFP ;; TSIG PSEUDOSECTION: 3773226076.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504125 300 28 BAQE//////8AAAAAFme3eBet0+OwEeDKeetmTg== 42576 NOERROR 0 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0 ;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0 ;; UPDATE SECTION: x0.cockpit.lan. 1200 IN SSHFP 3 1 17A7250887AE6A9F62D97B1BF6837214C1088F24 x0.cockpit.lan. 1200 IN SSHFP 3 2 5F4276F0EB8E3652F3BE9DE0ED441432C5B380D1E794E3ECF524B6FF 5C0B81B8 x0.cockpit.lan. 1200 IN SSHFP 4 1 9507857A2FBBA15EDB45A865442055C3D10CE3AD x0.cockpit.lan. 1200 IN SSHFP 4 2 8C1DF0B89A7F15D5339CFA0C65DE020376C4DEA2BC6ACF1068598B79 4B359D8C x0.cockpit.lan. 1200 IN SSHFP 1 1 E880FA7CDCFA316B28FC840D1C92CBCC0B79F475 x0.cockpit.lan. 1200 IN SSHFP 1 2 B114E3E8BCABF2CA9A2161A634417F0572FC973FE18385E19F48B5E5 ADFCA218 Outgoing update query: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56014 ;; flags:; QUESTION: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;739408490.sig-f0.cockpit.lan. ANY TKEY ;; ADDITIONAL SECTION: 739408490.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig. 
1687504125 1687504125 3 NOERROR 1753 YIIG1QYGKwYBBQUCoIIGyTCCBsWgDTALBgkqhkiG9xIBAgKiggayBIIG rmCCBqoGCSqGSIb3EgECAgEAboIGmTCCBpWgAwIBBaEDAgEOogcDBQAg AAAAo4IFnmGCBZowggWWoAMCAQWhDRsLQ09DS1BJVC5MQU6iIDAeoAMC AQGhFzAVGwNETlMbDmYwLmNvY2twaXQubGFuo4IFXDCCBVigAwIBEqED AgECooIFSgSCBUaynGOa7RdsMQFoXBNXU8LMuvQzj0YdcrDoN4MzuTmd U6jihv0B84Hat1G2MuW2HH6ZD14BAD9tcaceWGPxd1GKc8YBJgEa9+bq Mkw/+x7nga7cuzPLJIZcUnCoUcASdYlyZp5Owc3+/lx2JjfpiWcoX1P8 bza4BsokHeg8cooBp6OrRDQbiT3kYAEkm/OfT6bYzJI9mj2vY2/dABvA xIJBOkYPkNkCqU4LSgQgHq31mI9u6ii6w4vLroOwy9ZOg5Zg04pfxBdE iF558GE00YYhmaY49P0z782ac1oj5gRzrAQWd6fR0p56oDew1ulaLWoR /La7xfZowqTVShlcncd75vw+73Jlp17VmKT1BTY4gym20CnHddKPoR+4 2kOVuxTy+xUfKvZO9MbxRIurth3VTqdi0axCpv1P45SAyMXzPDSdixU1 I5VftRkQ1P90RXVk/s5t0i5M0rUkZhXKj/hWmQV5rC0h9+OXii1pxEW/ 3qkdmH+E+SM83ZXgnz3l6U+o3d4iB8zPlBdLPb9QAjz9AP6w+MXTxkjd kOc1fxGoEe8W17e45h4TsRtFHHBXHM9fl/0aYQe+47k2IiLXyo11xauP ogCxURlGbqaNPoa587hq/ZTP39CZdp+e7UOQ4SY0tmUWVWbBecZf5clC NHLY4gDcvM+eQlR7rtsNdQsy5QPqHnvnLUkIJGxvF/xCYqU3aN2bx/4r qgXISxH+6FfGD+f30ZMZK18N29JyzCjZHxTrIXm5bPl1+4pzcUn3x8M0 /7pt3lfb8cLVa9I/pIGx2WdI2rlxtG+bKm3A2MimlyRmGvmPC0A90QRu YK0bB7t9zwTUTJ8T0gyD0ZtBIfBV0vjrmDT5BkhsJSSvoVNQzxd5Gjo3 0708O7625Cehdd2Mk6Ouq6i64wpyDx1kI5OhOwSZ5ClUIPjBZlk96wkK k89hLBcq2Y9hg4783C3jdjTelf2ZzOJfe835LdwjIglViVDb5A4irOn3 uUbeHF5Lhai05Y9f3aZkDnolRMZrfj0DJIfGGns2LLFi24h9akyyRvXb LyGcbhOpH89ERYDkA6q5oaARnq/ii6R0Fef7Dl/+C8H6mxkg+AZlR2gq p5ZQMPKmRXjI59xdWzHO+lT98R6tcHmdKCpAIVWMCBqRXOMX+vpHMxHx B0fpLFcnnx4tMjxSqaX9CQl608uX5HimSRzBLqJwKaJIHfzn+GMgI3BB 9IR8BlmtV0OcsH6ue3+LZmfNMAKmtfbe5sEmgPNsHMBs1ruUvW82oL1/ +zExIuiQsg2XFmsIkevovabEzLXZKKzpHXnDHzq2NBrElNGU0KXPnV7F Ug0n7GP7CP12hICVSlC2OJQp/YH2c9W4iY/zrJFC+tZJqToYq/hSQ6+S 0rrZNAP4mRi0+X52ewdwSGh2B/ACvAtBfGf8k1KfKh+teIR0pNnhOU9T zIGB9yBdt/C46Wbqeb5mr9yHD6U6q7Ag2qih18UQtrSx+p/N0fE7lIkB ogF19FhieNQf/fxfCexZm/tGoZ3NDUgtMXup68u8v4CS+OAPtzo1KwIh TMdhvNl5jwefbyiivV/jn+TuGwSSvOxwtVU27O9dLVEZxQcEhWd8x4/b nqU/mCPkBBURda9yushq6rq1Zxf7HaOZW+bWFs1QKCU5QvXwg7ivG9oF 
gSC8oreprTSu4zG76pCzgdh6GLVltxw8WLhcvGm6g6hFA4YM1MPrm2H0 HmqHmBQpn/eEPdQb13cuz3gAHTLOcj0nntctoCmB1FFBpjontfcpNkUn KNQ980KNEw1znj6f+trNeYCkgd0wgdqgAwIBEqKB0gSBz2CiUaFkhWxw oP5CjQV8n0WFcNIEwOTEsy1eAZ7f6V/FeuBOdP5ErUzqTzcxyj2OtSqY p/SYhCeb/MJaO5iCIoG72yzw77wcqFMmVup/ff/+Mo40OC9YrTAjEpz6 cWRHObGSVg1iB/dpp4sCd2eoyguhXaUQ3vOY9EqZhRUAEwShBYohFhAv r1GmvBDmRLk9CYHGEiur1bxERr8zLpqRjVDORzC+xXVCwbqI5Ol6JtzO VRRfnj1XkSZMNLEoSkbf9NDX74hBrol/PqmiYqL/5w== 0 Outgoing update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 50673 ;; flags:; ZONE: 1, PREREQ: 0, UPDATE: 6, ADDITIONAL: 1 ;; UPDATE SECTION: x0.cockpit.lan. 1200 IN SSHFP 3 1 17A7250887AE6A9F62D97B1BF6837214C1088F24 x0.cockpit.lan. 1200 IN SSHFP 3 2 5F4276F0EB8E3652F3BE9DE0ED441432C5B380D1E794E3ECF524B6FF 5C0B81B8 x0.cockpit.lan. 1200 IN SSHFP 4 1 9507857A2FBBA15EDB45A865442055C3D10CE3AD x0.cockpit.lan. 1200 IN SSHFP 4 2 8C1DF0B89A7F15D5339CFA0C65DE020376C4DEA2BC6ACF1068598B79 4B359D8C x0.cockpit.lan. 1200 IN SSHFP 1 1 E880FA7CDCFA316B28FC840D1C92CBCC0B79F475 x0.cockpit.lan. 1200 IN SSHFP 1 2 B114E3E8BCABF2CA9A2161A634417F0572FC973FE18385E19F48B5E5 ADFCA218 ;; TSIG PSEUDOSECTION: 739408490.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504125 300 28 BAQE//////8AAAAAGlmEsK4x+vBByXtwdx0ViQ== 50673 NOERROR 0 2023-06-23T07:08:45Z DEBUG stderr=Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29443 ;; flags: qr aa rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;x0.cockpit.lan. IN SOA ;; AUTHORITY SECTION: cockpit.lan. 3600 IN SOA f0.cockpit.lan. hostmaster.cockpit.lan. 1687503917 3600 900 1209600 3600 Found zone name: cockpit.lan The primary is: f0.cockpit.lan start_gssrequest Found realm from ticket: COCKPIT.LAN send_gssrequest recvmsg reply from GSS-TSIG query ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6601 ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;3773226076.sig-f0.cockpit.lan. 
ANY TKEY ;; ANSWER SECTION: 3773226076.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig. 1687504126 1687507726 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvp4VB/Y5UvHE4 ckbfIDj7g2H9JtDj21h7yvtgtp4auEg1/yWbur8qFEaVGNUni9Nk2Hxb V3+O9yWy+q8jSavc+JRwC7cvvnNZrCuCWAbUM1snRj5GuLsLhsoN3biH tbDvnQ4zuoZwV9jsEATvCGF5 0 ;; TSIG PSEUDOSECTION: 3773226076.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504126 300 28 BAQF//////8AAAAAFcqosTYWQJzc0dQMDVU2rg== 6601 NOERROR 0 Sending update to 10.111.112.100#53 Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 42576 ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;cockpit.lan. IN SOA ;; TSIG PSEUDOSECTION: 3773226076.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504126 300 28 BAQF//////8AAAAAFcqosrTDW6lp3HrWPUA0yw== 42576 NOERROR 0 Reply from SOA query: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50240 ;; flags: qr aa rd; QUESTION: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;x0.cockpit.lan. IN SOA ;; AUTHORITY SECTION: cockpit.lan. 3600 IN SOA f0.cockpit.lan. hostmaster.cockpit.lan. 1687503917 3600 900 1209600 3600 Found zone name: cockpit.lan The primary is: f0.cockpit.lan start_gssrequest send_gssrequest recvmsg reply from GSS-TSIG query ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56014 ;; flags: qr; QUESTION: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; QUESTION SECTION: ;739408490.sig-f0.cockpit.lan. ANY TKEY ;; ANSWER SECTION: 739408490.sig-f0.cockpit.lan. 0 ANY TKEY gss-tsig. 1687504126 1687507726 3 NOERROR 186 oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIB AgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvUNtdDi9AfifR viycWxBHroz8Ksp2+Nn+FW6EVrHk2jkhkPwn82gm9hr5zchtkGeOD5Fh UPB1Y82w7w60aAvQGTUybaMgmcaZiypaOivvmtXwdd+CfNQ6QHOeAf8L opvpGG+5brNdUCvj+nzYHqwI 0 ;; TSIG PSEUDOSECTION: 739408490.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 
1687504126 300 28 BAQF//////8AAAAAD+rPFCF1bXSwwKIuqWTamQ== 56014 NOERROR 0 Sending update to 10.111.112.100#53 Reply from update query: ;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 50673 ;; flags: qr; ZONE: 1, PREREQ: 0, UPDATE: 0, ADDITIONAL: 1 ;; ZONE SECTION: ;cockpit.lan. IN SOA ;; TSIG PSEUDOSECTION: 739408490.sig-f0.cockpit.lan. 0 ANY TSIG gss-tsig. 1687504126 300 28 BAQF//////8AAAAAD+rPFUab6aC8+ULpJgM1EQ== 50673 NOERROR 0 2023-06-23T07:08:45Z DEBUG Starting external process 2023-06-23T07:08:45Z DEBUG args=['/bin/systemctl', 'list-unit-files', '--full'] 2023-06-23T07:08:46Z DEBUG Process finished, return code=0 2023-06-23T07:08:46Z DEBUG stdout=UNIT FILE STATE PRESET proc-sys-fs-binfmt_misc.automount static - -.mount generated - boot-efi.mount generated - dev-hugepages.mount static - dev-mqueue.mount static - proc-fs-nfsd.mount static - proc-sys-fs-binfmt_misc.mount disabled disabled run-qemu.mount disabled enabled run-rpc_pipefs.mount generated - sys-fs-fuse-connections.mount static - sys-kernel-config.mount static - sys-kernel-debug.mount static - sys-kernel-tracing.mount static - var-lib-machines.mount static - var-lib-nfs-rpc_pipefs.mount static - systemd-ask-password-console.path static - systemd-ask-password-wall.path static - session-3.scope transient - session-4.scope transient - apparmor.service enabled enabled apt-daily-upgrade.service static - apt-daily.service static - auth-rpcgss-module.service static - autovt at .service alias - blk-availability.service enabled enabled certmonger.service disabled enabled chrony-dnssrv at .service static - chrony-wait.service disabled enabled chrony.service enabled enabled chronyd.service alias - cni-dhcp.service disabled enabled cockpit-motd.service static - cockpit-session at .service static - cockpit-wsinstance-http.service static - cockpit-wsinstance-https-factory at .service static - cockpit-wsinstance-https at .service static - cockpit.service static - console-getty.service disabled disabled 
container-getty at .service static - cryptdisks-early.service masked enabled cryptdisks.service masked enabled dbus-fi.w1.wpa_supplicant1.service alias - dbus-org.fedoraproject.FirewallD1.service alias - dbus-org.freedesktop.hostname1.service alias - dbus-org.freedesktop.import1.service alias - dbus-org.freedesktop.locale1.service alias - dbus-org.freedesktop.login1.service alias - dbus-org.freedesktop.machine1.service alias - dbus-org.freedesktop.ModemManager1.service alias - dbus-org.freedesktop.network1.service alias - dbus-org.freedesktop.nm-dispatcher.service alias - dbus-org.freedesktop.portable1.service alias - dbus-org.freedesktop.resolve1.service alias - dbus-org.freedesktop.timedate1.service alias - dbus-org.freedesktop.timesync1.service bad enabled dbus.service static - debug-shell.service disabled disabled dm-event.service static - dpkg-db-backup.service static - e2scrub at .service static - e2scrub_all.service static - e2scrub_fail at .service static - e2scrub_reap.service enabled enabled emergency.service static - firewalld.service enabled enabled fstrim.service static - getty-static.service static - getty at .service enabled enabled hwclock.service masked enabled initrd-cleanup.service static - initrd-parse-etc.service static - initrd-switch-root.service static - initrd-udevadm-cleanup-db.service static - iscsi.service alias - iscsid.service disabled enabled kmod-static-nodes.service static - kmod.service alias - libvirt-guests.service enabled enabled libvirtd.service enabled enabled logrotate.service static - lvm2-lvmpolld.service static - lvm2-monitor.service enabled enabled man-db.service static - mdadm-grow-continue at .service static - mdadm-last-resort at .service static - mdcheck_continue.service static - mdcheck_start.service static - mdmon at .service static - mdmonitor-oneshot.service static - mdmonitor.service static - ModemManager.service enabled enabled modprobe at .service static - netplan-ovs-cleanup.service enabled-runtime enabled 
NetworkManager-dispatcher.service enabled enabled NetworkManager-wait-online.service enabled enabled NetworkManager.service enabled enabled nfs-blkmap.service enabled enabled nfs-common.service masked enabled nfs-idmapd.service static - nfs-kernel-server.service alias - nfs-mountd.service static - nfs-server.service enabled enabled nfs-utils.service static - nfsdcld.service static - nm-priv-helper.service static - oddjobd.service disabled enabled open-iscsi.service enabled enabled packagekit-offline-update.service static - packagekit.service static - pam_namespace.service static - pcp.service generated - pmcd.service enabled enabled pmfind.service disabled enabled pmie.service enabled enabled pmie_check.service static - pmie_daily.service static - pmie_farm.service disabled enabled pmie_farm_check.service static - pmlogger.service enabled enabled pmlogger_check.service static - pmlogger_daily.service static - pmlogger_farm.service disabled enabled pmlogger_farm_check.service static - pmproxy.service enabled enabled podman-auto-update.service enabled enabled podman-kube at .service disabled enabled podman-restart.service enabled enabled podman.service enabled enabled polkit.service static - portmap.service alias - powertop.service disabled enabled procps.service alias - quotaon.service static - rc-local.service static - rc.service masked enabled rcS.service masked enabled realmd.service static - redis-server.service disabled enabled redis-server at .service disabled enabled rescue.service static - rpc-gssd.service static - rpc-statd-notify.service static - rpc-statd.service static - rpc-svcgssd.service static - rpcbind.service enabled enabled rsync.service disabled enabled rtslib-fb-targetctl.service disabled enabled screen-cleanup.service masked enabled selinux-autorelabel-mark.service static - selinux-autorelabel.service static - serial-getty at .service indirect enabled ssh.service enabled enabled sshd.service alias - sssd-autofs.service indirect enabled 
sssd-ifp.service static - sssd-nss.service indirect enabled sssd-pac.service indirect enabled sssd-pam.service indirect enabled sssd-ssh.service indirect enabled sssd-sudo.service indirect enabled sssd.service enabled enabled sudo.service masked enabled system-update-cleanup.service static - systemd-ask-password-console.service static - systemd-ask-password-wall.service static - systemd-backlight at .service static - systemd-binfmt.service static - systemd-boot-check-no-failures.service disabled disabled systemd-coredump at .service static - systemd-exit.service static - systemd-firstboot.service static - systemd-fsck-root.service enabled-runtime enabled systemd-fsck at .service static - systemd-fsckd.service static - systemd-growfs at -.service generated - systemd-halt.service static - systemd-hibernate-resume at .service static - systemd-hibernate.service static - systemd-hostnamed.service static - systemd-hybrid-sleep.service static - systemd-importd.service static - systemd-initctl.service static - systemd-journal-flush.service static - systemd-journald.service static - systemd-journald at .service static - systemd-kexec.service static - systemd-localed.service static - systemd-logind.service static - systemd-machine-id-commit.service static - systemd-machined.service static - systemd-modules-load.service static - systemd-network-generator.service enabled enabled systemd-networkd-wait-online.service disabled disabled systemd-networkd-wait-online at .service disabled enabled systemd-networkd.service enabled enabled systemd-nspawn at .service disabled enabled systemd-pcrphase-initrd.service static - systemd-pcrphase-sysinit.service static - systemd-pcrphase.service static - systemd-portabled.service static - systemd-poweroff.service static - systemd-pstore.service enabled enabled systemd-quotacheck.service static - systemd-random-seed.service static - systemd-reboot.service static - systemd-remount-fs.service enabled-runtime enabled systemd-repart.service static 
392 unit files listed.
2023-06-23T07:08:46Z DEBUG stderr=
2023-06-23T07:08:46Z DEBUG Starting external process
2023-06-23T07:08:46Z DEBUG args=['/bin/systemctl', 'list-unit-files', '--full']
2023-06-23T07:08:47Z DEBUG Process finished, return code=0
2023-06-23T07:08:47Z DEBUG stdout=UNIT FILE STATE PRESET
392 unit files listed.
2023-06-23T07:08:47Z DEBUG stderr=
2023-06-23T07:08:47Z INFO SSSD enabled
2023-06-23T07:08:47Z DEBUG Starting external process
2023-06-23T07:08:47Z DEBUG args=['/bin/systemctl', 'restart', 'sssd.service']
2023-06-23T07:08:47Z DEBUG Process finished, return code=0
2023-06-23T07:08:47Z DEBUG stdout=
2023-06-23T07:08:47Z DEBUG stderr=
2023-06-23T07:08:47Z DEBUG Starting external process
2023-06-23T07:08:47Z DEBUG args=['/bin/systemctl', 'is-active', 'sssd.service']
2023-06-23T07:08:47Z DEBUG Process finished, return code=0
2023-06-23T07:08:47Z DEBUG stdout=active
2023-06-23T07:08:47Z DEBUG stderr=
2023-06-23T07:08:47Z DEBUG Restart of sssd.service complete
2023-06-23T07:08:47Z DEBUG Starting external process
2023-06-23T07:08:47Z DEBUG args=['/bin/systemctl', 'enable', 'sssd.service']
2023-06-23T07:08:48Z DEBUG Process finished, return code=0
2023-06-23T07:08:48Z DEBUG stdout=
2023-06-23T07:08:48Z DEBUG stderr=Synchronizing state of sssd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install enable sssd
2023-06-23T07:08:48Z DEBUG Backing up system configuration file '/etc/ldap/ldap.conf'
2023-06-23T07:08:48Z DEBUG -> Not backing up - '/etc/ldap/ldap.conf' doesn't exist
2023-06-23T07:08:48Z INFO /etc/ldap/ldap.conf does not exist.
2023-06-23T07:08:48Z DEBUG Configuring /etc/ldap/ldap.conf failed with: [Errno 2] No such file or directory: '/etc/ldap/ldap.conf'
2023-06-23T07:08:48Z INFO Failed to configure /etc/openldap/ldap.conf
2023-06-23T07:08:48Z DEBUG Starting external process
2023-06-23T07:08:48Z DEBUG args=['/usr/bin/getent', 'passwd', 'admin@cockpit.lan']
2023-06-23T07:08:48Z DEBUG Process finished, return code=0
2023-06-23T07:08:48Z DEBUG stdout=admin:*:424600000:424600000:Administrator:/home/admin:/bin/bash
2023-06-23T07:08:48Z DEBUG stderr=
2023-06-23T07:08:48Z DEBUG Backing up system configuration file '/etc/ssh/ssh_config'
2023-06-23T07:08:48Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-06-23T07:08:48Z INFO Configured /etc/ssh/ssh_config
2023-06-23T07:08:48Z DEBUG Backing up system configuration file '/etc/ssh/sshd_config'
2023-06-23T07:08:48Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-06-23T07:08:48Z INFO Configured /etc/ssh/sshd_config.d/04-ipa.conf
2023-06-23T07:08:48Z DEBUG Starting external process
2023-06-23T07:08:48Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
2023-06-23T07:08:48Z DEBUG Process finished, return code=0
2023-06-23T07:08:48Z DEBUG stdout=active
2023-06-23T07:08:48Z DEBUG stderr=
2023-06-23T07:08:48Z DEBUG Starting external process
2023-06-23T07:08:48Z DEBUG args=['/bin/systemctl', 'restart', 'sshd.service']
2023-06-23T07:08:48Z DEBUG Process finished, return code=0
2023-06-23T07:08:48Z DEBUG stdout=
2023-06-23T07:08:48Z DEBUG stderr=
2023-06-23T07:08:48Z DEBUG Starting external process
2023-06-23T07:08:48Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
2023-06-23T07:08:48Z DEBUG Process finished, return code=0
2023-06-23T07:08:48Z DEBUG stdout=active
2023-06-23T07:08:48Z DEBUG stderr=
2023-06-23T07:08:48Z DEBUG Restart of sshd.service complete
2023-06-23T07:08:48Z INFO Configuring cockpit.lan as NIS domain.
2023-06-23T07:08:48Z DEBUG Starting external process
2023-06-23T07:08:48Z DEBUG args=['/usr/bin/nisdomainname']
2023-06-23T07:08:48Z DEBUG Process finished, return code=1
2023-06-23T07:08:48Z DEBUG stdout=nisdomainname: Local domain name not set
2023-06-23T07:08:48Z DEBUG stderr=
2023-06-23T07:08:48Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:48Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:48Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:48Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:48Z DEBUG Backing up system configuration file '/etc/krb5.conf'
2023-06-23T07:08:48Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-06-23T07:08:48Z DEBUG Starting external process
2023-06-23T07:08:48Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:48Z DEBUG Process finished, return code=1
2023-06-23T07:08:48Z DEBUG stdout=
2023-06-23T07:08:48Z DEBUG stderr=
2023-06-23T07:08:48Z DEBUG Starting external process
2023-06-23T07:08:48Z DEBUG args=['/bin/keyctl', 'get_persistent', '@s', '0']
2023-06-23T07:08:48Z DEBUG Process finished, return code=0
2023-06-23T07:08:48Z DEBUG stdout=188828386
2023-06-23T07:08:48Z DEBUG stderr=
2023-06-23T07:08:48Z DEBUG Enabling persistent keyring CCACHE
2023-06-23T07:08:48Z DEBUG Writing Kerberos configuration to /etc/krb5.conf:
2023-06-23T07:08:48Z DEBUG #File modified by ipa-client-install

includedir /etc/krb5.conf.d/

[libdefaults]
  default_realm = COCKPIT.LAN
  dns_lookup_realm = true
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  COCKPIT.LAN = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .cockpit.lan = COCKPIT.LAN
  cockpit.lan = COCKPIT.LAN
  x0.cockpit.lan = COCKPIT.LAN

2023-06-23T07:08:48Z DEBUG Writing configuration file /etc/krb5.conf
2023-06-23T07:08:48Z DEBUG #File modified by ipa-client-install

includedir /etc/krb5.conf.d/

[libdefaults]
  default_realm = COCKPIT.LAN
  dns_lookup_realm = true
  rdns = false
  dns_canonicalize_hostname = false
  dns_lookup_kdc = true
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  COCKPIT.LAN = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .cockpit.lan = COCKPIT.LAN
  cockpit.lan = COCKPIT.LAN
  x0.cockpit.lan = COCKPIT.LAN

2023-06-23T07:08:48Z INFO Configured /etc/krb5.conf for IPA realm COCKPIT.LAN
2023-06-23T07:08:48Z DEBUG Starting external process
2023-06-23T07:08:48Z DEBUG args=['/bin/systemctl', 'try-restart', 'certmonger.service']
2023-06-23T07:08:48Z DEBUG Process finished, return code=0
2023-06-23T07:08:48Z DEBUG stdout=
2023-06-23T07:08:48Z DEBUG stderr=
2023-06-23T07:08:48Z DEBUG Starting external process
2023-06-23T07:08:48Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service']
2023-06-23T07:08:48Z DEBUG Process finished, return code=3
2023-06-23T07:08:48Z DEBUG stdout=inactive
2023-06-23T07:08:48Z DEBUG stderr=
2023-06-23T07:08:48Z DEBUG Restart of certmonger.service complete
2023-06-23T07:08:48Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:48Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:48Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:48Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:48Z INFO Client configuration complete.
2023-06-23T07:08:48Z INFO The ipa-client-install command was successful
2023-06-23T07:08:56Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:56Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:56Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
-------------- next part --------------
2023-06-23T07:08:55Z DEBUG Logging to /var/log/ipaclient-uninstall.log
2023-06-23T07:08:55Z DEBUG ipa-client-install was invoked with arguments [] and options: {'unattended': False, 'principal': None, 'prompt_password': False, 'on_master': False, 'ca_cert_files': None, 'force': False, 'configure_firefox': False, 'firefox_dir': None, 'keytab': None, 'mkhomedir': False, 'force_join': False, 'ntp_servers': None, 'ntp_pool': None, 'no_ntp': False, 'force_ntpd': False, 'nisdomain': None, 'no_nisdomain': False, 'ssh_trust_dns': False, 'no_ssh': False, 'no_sshd': False, 'no_sudo': False, 'subid': False, 'no_dns_sshfp': False, 'kinit_attempts': None, 'request_cert': False, 'ip_addresses': None, 'all_ip_addresses': False, 'fixed_primary': False, 'permit': False, 'enable_dns_updates': False, 'no_krb5_offline_passwords': False, 'preserve_sssd': False, 'pkinit_identity': None, 'pkinit_anchors': None, 'automount_location': None, 'domain_name': None, 'servers': None, 'realm_name': None, 'host_name': None, 'verbose': False, 'quiet': False, 'log_file': None, 'uninstall': True}
2023-06-23T07:08:55Z DEBUG IPA version 4.9.11
2023-06-23T07:08:55Z DEBUG IPA platform debian
2023-06-23T07:08:55Z DEBUG IPA os-release Debian GNU/Linux
2023-06-23T07:08:55Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-06-23T07:08:55Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:55Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:55Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2023-06-23T07:08:55Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2023-06-23T07:08:55Z DEBUG httpd is not configured
2023-06-23T07:08:55Z DEBUG kadmin is not configured
2023-06-23T07:08:55Z DEBUG dirsrv is not configured
2023-06-23T07:08:55Z DEBUG pki-tomcatd is not configured
2023-06-23T07:08:55Z DEBUG install is not configured
2023-06-23T07:08:55Z DEBUG krb5kdc is not configured
2023-06-23T07:08:55Z DEBUG named is not configured
2023-06-23T07:08:55Z DEBUG filestore is tracking no files
2023-06-23T07:08:55Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-06-23T07:08:55Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:55Z DEBUG Starting external process
2023-06-23T07:08:55Z DEBUG args=['/usr/sbin/ipa-client-automount', '--uninstall', '--debug']
2023-06-23T07:08:56Z DEBUG Process finished, return code=0
2023-06-23T07:08:56Z DEBUG stdout=IPA automount is not configured on this system
2023-06-23T07:08:56Z DEBUG stderr=Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:56Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-06-23T07:08:56Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:56Z DEBUG Starting external process
2023-06-23T07:08:56Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/ipa/nssdb', '-L', '-n', 'Local IPA host', '-a', '-f', '/etc/ipa/nssdb/pwdfile.txt']
2023-06-23T07:08:56Z DEBUG Process finished, return code=255
2023-06-23T07:08:56Z DEBUG stdout=
2023-06-23T07:08:56Z DEBUG stderr=certutil: Could not find cert: Local IPA host : PR_FILE_NOT_FOUND_ERROR: File not found
2023-06-23T07:08:56Z DEBUG Starting external process
2023-06-23T07:08:56Z DEBUG args=['/bin/systemctl', 'start', 'certmonger.service']
2023-06-23T07:08:56Z DEBUG Process finished, return code=0
2023-06-23T07:08:56Z DEBUG stdout=
2023-06-23T07:08:56Z DEBUG stderr=
2023-06-23T07:08:56Z DEBUG Starting external process
2023-06-23T07:08:56Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service']
2023-06-23T07:08:56Z DEBUG Process finished, return code=0
2023-06-23T07:08:56Z DEBUG stdout=active
2023-06-23T07:08:56Z DEBUG stderr=
2023-06-23T07:08:56Z DEBUG Start of certmonger.service complete
2023-06-23T07:08:56Z DEBUG Starting external process
2023-06-23T07:08:56Z DEBUG args=['/bin/systemctl', 'stop', 'certmonger.service']
2023-06-23T07:08:56Z DEBUG Process finished, return code=0
2023-06-23T07:08:56Z DEBUG stdout=
2023-06-23T07:08:56Z DEBUG stderr=
2023-06-23T07:08:56Z DEBUG Stop of certmonger.service complete
2023-06-23T07:08:56Z DEBUG Starting external process
2023-06-23T07:08:56Z DEBUG args=['/bin/systemctl', 'disable', 'certmonger.service']
2023-06-23T07:08:57Z DEBUG Process finished, return code=0
2023-06-23T07:08:57Z DEBUG stdout=
2023-06-23T07:08:57Z DEBUG stderr=Synchronizing state of certmonger.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable certmonger
2023-06-23T07:08:57Z INFO Unenrolling client from IPA server
2023-06-23T07:08:57Z DEBUG Starting external process
2023-06-23T07:08:57Z DEBUG args=['/usr/sbin/ipa-join', '--unenroll', '-h', 'x0.cockpit.lan', '-k', '/etc/krb5.keytab']
2023-06-23T07:08:58Z DEBUG Process finished, return code=0
2023-06-23T07:08:58Z DEBUG stdout=
2023-06-23T07:08:58Z DEBUG stderr=Unenrollment successful.
2023-06-23T07:08:58Z INFO Removing Kerberos service principals from /etc/krb5.keytab
2023-06-23T07:08:58Z DEBUG Starting external process
2023-06-23T07:08:58Z DEBUG args=['/usr/sbin/ipa-rmkeytab', '-k', '/etc/krb5.keytab', '-r', 'COCKPIT.LAN']
2023-06-23T07:08:58Z DEBUG Process finished, return code=0
2023-06-23T07:08:58Z DEBUG stdout=
2023-06-23T07:08:58Z DEBUG stderr=Removing principal host/x0.cockpit.lan@COCKPIT.LAN
2023-06-23T07:08:58Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:58Z DEBUG Starting external process
2023-06-23T07:08:58Z DEBUG args=['/bin/systemctl', 'stop', 'oddjobd.service']
2023-06-23T07:08:58Z DEBUG Process finished, return code=0
2023-06-23T07:08:58Z DEBUG stdout=
2023-06-23T07:08:58Z DEBUG stderr=
2023-06-23T07:08:58Z DEBUG Stop of oddjobd.service complete
2023-06-23T07:08:58Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:58Z DEBUG Starting external process
2023-06-23T07:08:58Z DEBUG args=['/bin/systemctl', 'disable', 'oddjobd.service']
2023-06-23T07:08:58Z DEBUG Process finished, return code=0
2023-06-23T07:08:58Z DEBUG stdout=
2023-06-23T07:08:58Z DEBUG stderr=
2023-06-23T07:08:58Z INFO Disabling client Kerberos and LDAP configurations
2023-06-23T07:08:58Z DEBUG Starting external process
2023-06-23T07:08:58Z DEBUG args=['pam-auth-update', '--package', '--remove', 'mkhomedir']
2023-06-23T07:08:58Z DEBUG Process finished, return code=0
2023-06-23T07:08:58Z DEBUG stdout=
2023-06-23T07:08:58Z DEBUG stderr=
2023-06-23T07:08:58Z INFO Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
2023-06-23T07:08:58Z DEBUG Starting external process
2023-06-23T07:08:58Z DEBUG args=['/bin/systemctl', 'stop', 'sssd.service']
2023-06-23T07:08:58Z DEBUG Process finished, return code=0
2023-06-23T07:08:58Z DEBUG stdout=
2023-06-23T07:08:58Z DEBUG stderr=
2023-06-23T07:08:58Z DEBUG Stop of sssd.service complete
2023-06-23T07:08:58Z DEBUG Starting external process
2023-06-23T07:08:58Z DEBUG args=['/bin/systemctl', 'disable', 'sssd.service']
2023-06-23T07:08:59Z DEBUG Process finished, return code=0
2023-06-23T07:08:59Z DEBUG stdout=
2023-06-23T07:08:59Z DEBUG stderr=Synchronizing state of sssd.service with SysV service script with /lib/systemd/systemd-sysv-install.
Executing: /lib/systemd/systemd-sysv-install disable sssd
Removed "/etc/systemd/system/multi-user.target.wants/sssd.service".
2023-06-23T07:08:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:59Z INFO Restoring client configuration files
2023-06-23T07:08:59Z DEBUG Starting external process
2023-06-23T07:08:59Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:59Z DEBUG Process finished, return code=1
2023-06-23T07:08:59Z DEBUG stdout=
2023-06-23T07:08:59Z DEBUG stderr=
2023-06-23T07:08:59Z DEBUG Starting external process
2023-06-23T07:08:59Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:59Z DEBUG Process finished, return code=1
2023-06-23T07:08:59Z DEBUG stdout=
2023-06-23T07:08:59Z DEBUG stderr=
2023-06-23T07:08:59Z DEBUG Starting external process
2023-06-23T07:08:59Z DEBUG args=['/usr/sbin/selinuxenabled']
2023-06-23T07:08:59Z DEBUG Process finished, return code=1
2023-06-23T07:08:59Z DEBUG stdout=
2023-06-23T07:08:59Z DEBUG stderr=
2023-06-23T07:08:59Z DEBUG Saving Index File to '/var/lib/ipa-client/sysrestore/sysrestore.index'
2023-06-23T07:08:59Z DEBUG -> no files, removing file
2023-06-23T07:08:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:59Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:08:59Z INFO Unconfiguring the NIS domain.
2023-06-23T07:08:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-06-23T07:08:59Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-06-23T07:08:59Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state' 2023-06-23T07:08:59Z DEBUG Starting external process 2023-06-23T07:08:59Z DEBUG args=['/bin/systemctl', 'list-unit-files', '--full'] 2023-06-23T07:09:00Z DEBUG Process finished, return code=0 2023-06-23T07:09:00Z DEBUG stdout=UNIT FILE STATE PRESET proc-sys-fs-binfmt_misc.automount static - -.mount generated - boot-efi.mount generated - dev-hugepages.mount static - dev-mqueue.mount static - proc-fs-nfsd.mount static - proc-sys-fs-binfmt_misc.mount disabled disabled run-qemu.mount disabled enabled run-rpc_pipefs.mount generated - sys-fs-fuse-connections.mount static - sys-kernel-config.mount static - sys-kernel-debug.mount static - sys-kernel-tracing.mount static - var-lib-machines.mount static - var-lib-nfs-rpc_pipefs.mount static - systemd-ask-password-console.path static - systemd-ask-password-wall.path static - session-3.scope transient - session-4.scope transient - apparmor.service enabled enabled apt-daily-upgrade.service static - apt-daily.service static - auth-rpcgss-module.service static - autovt at .service alias - blk-availability.service enabled enabled certmonger.service disabled enabled chrony-dnssrv at .service static - chrony-wait.service disabled enabled chrony.service enabled enabled chronyd.service alias - cni-dhcp.service disabled enabled cockpit-motd.service static - cockpit-session at .service static - cockpit-wsinstance-http.service static - cockpit-wsinstance-https-factory at .service static - cockpit-wsinstance-https at .service static - cockpit.service static - console-getty.service disabled disabled container-getty at .service static - cryptdisks-early.service masked enabled cryptdisks.service masked enabled dbus-fi.w1.wpa_supplicant1.service alias 
- dbus-org.fedoraproject.FirewallD1.service alias - dbus-org.freedesktop.hostname1.service alias - dbus-org.freedesktop.import1.service alias - dbus-org.freedesktop.locale1.service alias - dbus-org.freedesktop.login1.service alias - dbus-org.freedesktop.machine1.service alias - dbus-org.freedesktop.ModemManager1.service alias - dbus-org.freedesktop.network1.service alias - dbus-org.freedesktop.nm-dispatcher.service alias - dbus-org.freedesktop.portable1.service alias - dbus-org.freedesktop.resolve1.service alias - dbus-org.freedesktop.timedate1.service alias - dbus-org.freedesktop.timesync1.service bad enabled dbus.service static - debug-shell.service disabled disabled dm-event.service static - dpkg-db-backup.service static - e2scrub at .service static - e2scrub_all.service static - e2scrub_fail at .service static - e2scrub_reap.service enabled enabled emergency.service static - firewalld.service enabled enabled fstrim.service static - getty-static.service static - getty at .service enabled enabled hwclock.service masked enabled initrd-cleanup.service static - initrd-parse-etc.service static - initrd-switch-root.service static - initrd-udevadm-cleanup-db.service static - iscsi.service alias - iscsid.service disabled enabled kmod-static-nodes.service static - kmod.service alias - libvirt-guests.service enabled enabled libvirtd.service enabled enabled logrotate.service static - lvm2-lvmpolld.service static - lvm2-monitor.service enabled enabled man-db.service static - mdadm-grow-continue at .service static - mdadm-last-resort at .service static - mdcheck_continue.service static - mdcheck_start.service static - mdmon at .service static - mdmonitor-oneshot.service static - mdmonitor.service static - ModemManager.service enabled enabled modprobe at .service static - netplan-ovs-cleanup.service enabled-runtime enabled NetworkManager-dispatcher.service enabled enabled NetworkManager-wait-online.service enabled enabled NetworkManager.service enabled enabled 
nfs-blkmap.service enabled enabled nfs-common.service masked enabled nfs-idmapd.service static - nfs-kernel-server.service alias - nfs-mountd.service static - nfs-server.service enabled enabled nfs-utils.service static - nfsdcld.service static - nm-priv-helper.service static - oddjobd.service disabled enabled open-iscsi.service enabled enabled packagekit-offline-update.service static - packagekit.service static - pam_namespace.service static - pcp.service generated - pmcd.service enabled enabled pmfind.service disabled enabled pmie.service enabled enabled pmie_check.service static - pmie_daily.service static - pmie_farm.service disabled enabled pmie_farm_check.service static - pmlogger.service enabled enabled pmlogger_check.service static - pmlogger_daily.service static - pmlogger_farm.service disabled enabled pmlogger_farm_check.service static - pmproxy.service enabled enabled podman-auto-update.service enabled enabled podman-kube at .service disabled enabled podman-restart.service enabled enabled podman.service enabled enabled polkit.service static - portmap.service alias - powertop.service disabled enabled procps.service alias - quotaon.service static - rc-local.service static - rc.service masked enabled rcS.service masked enabled realmd.service static - redis-server.service disabled enabled redis-server at .service disabled enabled rescue.service static - rpc-gssd.service static - rpc-statd-notify.service static - rpc-statd.service static - rpc-svcgssd.service static - rpcbind.service enabled enabled rsync.service disabled enabled rtslib-fb-targetctl.service disabled enabled screen-cleanup.service masked enabled selinux-autorelabel-mark.service static - selinux-autorelabel.service static - serial-getty at .service indirect enabled ssh.service enabled enabled sshd.service alias - sssd-autofs.service indirect enabled sssd-ifp.service static - sssd-nss.service indirect enabled sssd-pac.service indirect enabled sssd-pam.service indirect enabled sssd-ssh.service 
indirect enabled sssd-sudo.service indirect enabled sssd.service disabled enabled sudo.service masked enabled system-update-cleanup.service static - systemd-ask-password-console.service static - systemd-ask-password-wall.service static - systemd-backlight at .service static - systemd-binfmt.service static - systemd-boot-check-no-failures.service disabled disabled systemd-coredump at .service static - systemd-exit.service static - systemd-firstboot.service static - systemd-fsck-root.service enabled-runtime enabled systemd-fsck at .service static - systemd-fsckd.service static - systemd-growfs at -.service generated - systemd-halt.service static - systemd-hibernate-resume at .service static - systemd-hibernate.service static - systemd-hostnamed.service static - systemd-hybrid-sleep.service static - systemd-importd.service static - systemd-initctl.service static - systemd-journal-flush.service static - systemd-journald.service static - systemd-journald at .service static - systemd-kexec.service static - systemd-localed.service static - systemd-logind.service static - systemd-machine-id-commit.service static - systemd-machined.service static - systemd-modules-load.service static - systemd-network-generator.service enabled enabled systemd-networkd-wait-online.service disabled disabled systemd-networkd-wait-online at .service disabled enabled systemd-networkd.service enabled enabled systemd-nspawn at .service disabled enabled systemd-pcrphase-initrd.service static - systemd-pcrphase-sysinit.service static - systemd-pcrphase.service static - systemd-portabled.service static - systemd-poweroff.service static - systemd-pstore.service enabled enabled systemd-quotacheck.service static - systemd-random-seed.service static - systemd-reboot.service static - systemd-remount-fs.service enabled-runtime enabled systemd-repart.service static - systemd-resolved.service enabled enabled systemd-rfkill.service static - systemd-suspend-then-hibernate.service static - 
systemd-suspend.service static - systemd-sysctl.service static - systemd-sysext.service disabled enabled systemd-sysusers.service static - systemd-time-wait-sync.service disabled disabled systemd-timedated.service static - systemd-tmpfiles-clean.service static - systemd-tmpfiles-setup-dev.service static - systemd-tmpfiles-setup.service static - systemd-udev-settle.service static - systemd-udev-trigger.service static - systemd-udevd.service static - systemd-update-utmp-runlevel.service static - systemd-update-utmp.service static - systemd-user-sessions.service static - systemd-volatile-root.service static - tangd at .service static - targetclid.service disabled enabled tuned.service disabled enabled udev.service alias - udisks2.service enabled enabled unattended-upgrades.service enabled enabled usb_modeswitch at .service static - user-runtime-dir at .service static - user at .service static - uuidd.service indirect enabled virtlockd.service indirect enabled virtlogd.service indirect enabled wpa_supplicant-nl80211 at .service disabled enabled wpa_supplicant-wired at .service disabled enabled wpa_supplicant.service enabled enabled wpa_supplicant at .service disabled enabled x11-common.service masked enabled machine.slice static - system-cockpithttps.slice static - system-systemd\x2dcryptsetup.slice static - user.slice static - cni-dhcp.socket disabled enabled cockpit-session.socket static - cockpit-wsinstance-http.socket static - cockpit-wsinstance-https-factory.socket static - cockpit-wsinstance-https at .socket static - cockpit.socket disabled enabled dbus.socket static - dm-event.socket enabled enabled iscsid.socket enabled enabled libvirtd-admin.socket enabled enabled libvirtd-ro.socket enabled enabled libvirtd-tcp.socket disabled enabled libvirtd-tls.socket disabled enabled libvirtd.socket enabled enabled lvm2-lvmpolld.socket enabled enabled podman.socket enabled enabled rpcbind.socket enabled enabled ssh.socket disabled enabled sssd-autofs.socket enabled enabled 
sssd-nss.socket enabled enabled sssd-pac.socket enabled enabled sssd-pam-priv.socket enabled enabled sssd-pam.socket enabled enabled sssd-ssh.socket enabled enabled sssd-sudo.socket enabled enabled syslog.socket static - systemd-coredump.socket static - systemd-fsckd.socket static - systemd-initctl.socket static - systemd-journald-audit.socket static - systemd-journald-dev-log.socket static - systemd-journald-varlink at .socket static - systemd-journald.socket static - systemd-journald at .socket static - systemd-networkd.socket enabled enabled systemd-rfkill.socket static - systemd-udevd-control.socket static - systemd-udevd-kernel.socket static - tangd.socket enabled enabled targetclid.socket disabled enabled uuidd.socket enabled enabled virtlockd-admin.socket enabled enabled virtlockd.socket enabled enabled virtlogd-admin.socket enabled enabled virtlogd.socket enabled enabled basic.target static - blockdev at .target static - bluetooth.target static - boot-complete.target static - cryptsetup-pre.target static - cryptsetup.target static - ctrl-alt-del.target alias - default.target alias - emergency.target static - exit.target disabled disabled factory-reset.target static - final.target static - first-boot-complete.target static - getty-pre.target static - getty.target static - graphical.target static - halt.target disabled disabled hibernate.target static - hybrid-sleep.target static - initrd-fs.target static - initrd-root-device.target static - initrd-root-fs.target static - initrd-switch-root.target static - initrd-usr-fs.target static - initrd.target static - integritysetup-pre.target static - integritysetup.target static - kexec.target disabled disabled local-fs-pre.target static - local-fs.target static - machines.target enabled enabled multi-user.target static - network-online.target static - network-pre.target static - network.target static - nfs-client.target enabled enabled nss-lookup.target static - nss-user-lookup.target static - paths.target static - 
poweroff.target disabled disabled printer.target static - reboot.target disabled enabled remote-cryptsetup.target disabled enabled remote-fs-pre.target static - remote-fs.target enabled enabled remote-veritysetup.target disabled enabled rescue-ssh.target static - rescue.target static - rpc_pipefs.target generated - rpcbind.target static - runlevel0.target alias - runlevel1.target alias - runlevel2.target alias - runlevel3.target alias - runlevel4.target alias - runlevel5.target alias - runlevel6.target alias - selinux-autorelabel.target static - shutdown.target static - sigpwr.target static - sleep.target static - slices.target static - smartcard.target static - sockets.target static - sound.target static - suspend-then-hibernate.target static - suspend.target static - swap.target static - sysinit.target static - system-update-pre.target static - system-update.target static - time-set.target static - time-sync.target static - timers.target static - umount.target static - usb-gadget.target static - veritysetup-pre.target static - veritysetup.target static - virt-guest-shutdown.target static - apt-daily-upgrade.timer disabled enabled apt-daily.timer disabled enabled chrony-dnssrv at .timer disabled enabled dpkg-db-backup.timer enabled enabled e2scrub_all.timer enabled enabled fstrim.timer disabled enabled logrotate.timer enabled enabled man-db.timer disabled enabled mdadm-last-resort at .timer static - mdcheck_continue.timer enabled enabled mdcheck_start.timer enabled enabled mdmonitor-oneshot.timer enabled enabled pmfind.timer disabled enabled pmie_check.timer disabled enabled pmie_daily.timer disabled enabled pmie_farm_check.timer disabled enabled pmlogger_check.timer disabled enabled pmlogger_daily.timer disabled enabled pmlogger_farm_check.timer disabled enabled podman-auto-update.timer enabled enabled systemd-tmpfiles-clean.timer static - 392 unit files listed. 
2023-06-23T07:09:00Z DEBUG stderr= 2023-06-23T07:09:00Z INFO nscd daemon is not installed, skip configuration 2023-06-23T07:09:00Z DEBUG Starting external process 2023-06-23T07:09:00Z DEBUG args=['/bin/systemctl', 'list-unit-files', '--full'] 2023-06-23T07:09:00Z DEBUG Process finished, return code=0 2023-06-23T07:09:00Z DEBUG stdout=UNIT FILE STATE PRESET proc-sys-fs-binfmt_misc.automount static - -.mount generated - boot-efi.mount generated - dev-hugepages.mount static - dev-mqueue.mount static - proc-fs-nfsd.mount static - proc-sys-fs-binfmt_misc.mount disabled disabled run-qemu.mount disabled enabled run-rpc_pipefs.mount generated - sys-fs-fuse-connections.mount static - sys-kernel-config.mount static - sys-kernel-debug.mount static - sys-kernel-tracing.mount static - var-lib-machines.mount static - var-lib-nfs-rpc_pipefs.mount static - systemd-ask-password-console.path static - systemd-ask-password-wall.path static - session-3.scope transient - session-4.scope transient - apparmor.service enabled enabled apt-daily-upgrade.service static - apt-daily.service static - auth-rpcgss-module.service static - autovt at .service alias - blk-availability.service enabled enabled certmonger.service disabled enabled chrony-dnssrv at .service static - chrony-wait.service disabled enabled chrony.service enabled enabled chronyd.service alias - cni-dhcp.service disabled enabled cockpit-motd.service static - cockpit-session at .service static - cockpit-wsinstance-http.service static - cockpit-wsinstance-https-factory at .service static - cockpit-wsinstance-https at .service static - cockpit.service static - console-getty.service disabled disabled container-getty at .service static - cryptdisks-early.service masked enabled cryptdisks.service masked enabled dbus-fi.w1.wpa_supplicant1.service alias - dbus-org.fedoraproject.FirewallD1.service alias - dbus-org.freedesktop.hostname1.service alias - dbus-org.freedesktop.import1.service alias - dbus-org.freedesktop.locale1.service alias 
- dbus-org.freedesktop.login1.service alias - dbus-org.freedesktop.machine1.service alias - dbus-org.freedesktop.ModemManager1.service alias - dbus-org.freedesktop.network1.service alias - dbus-org.freedesktop.nm-dispatcher.service alias - dbus-org.freedesktop.portable1.service alias - dbus-org.freedesktop.resolve1.service alias - dbus-org.freedesktop.timedate1.service alias - dbus-org.freedesktop.timesync1.service bad enabled dbus.service static - debug-shell.service disabled disabled dm-event.service static - dpkg-db-backup.service static - e2scrub at .service static - e2scrub_all.service static - e2scrub_fail at .service static - e2scrub_reap.service enabled enabled emergency.service static - firewalld.service enabled enabled fstrim.service static - getty-static.service static - getty at .service enabled enabled hwclock.service masked enabled initrd-cleanup.service static - initrd-parse-etc.service static - initrd-switch-root.service static - initrd-udevadm-cleanup-db.service static - iscsi.service alias - iscsid.service disabled enabled kmod-static-nodes.service static - kmod.service alias - libvirt-guests.service enabled enabled libvirtd.service enabled enabled logrotate.service static - lvm2-lvmpolld.service static - lvm2-monitor.service enabled enabled man-db.service static - mdadm-grow-continue at .service static - mdadm-last-resort at .service static - mdcheck_continue.service static - mdcheck_start.service static - mdmon at .service static - mdmonitor-oneshot.service static - mdmonitor.service static - ModemManager.service enabled enabled modprobe at .service static - netplan-ovs-cleanup.service enabled-runtime enabled NetworkManager-dispatcher.service enabled enabled NetworkManager-wait-online.service enabled enabled NetworkManager.service enabled enabled nfs-blkmap.service enabled enabled nfs-common.service masked enabled nfs-idmapd.service static - nfs-kernel-server.service alias - nfs-mountd.service static - nfs-server.service enabled enabled 
nfs-utils.service static - nfsdcld.service static - nm-priv-helper.service static - oddjobd.service disabled enabled open-iscsi.service enabled enabled packagekit-offline-update.service static - packagekit.service static - pam_namespace.service static - pcp.service generated - pmcd.service enabled enabled pmfind.service disabled enabled pmie.service enabled enabled pmie_check.service static - pmie_daily.service static - pmie_farm.service disabled enabled pmie_farm_check.service static - pmlogger.service enabled enabled pmlogger_check.service static - pmlogger_daily.service static - pmlogger_farm.service disabled enabled pmlogger_farm_check.service static - pmproxy.service enabled enabled podman-auto-update.service enabled enabled podman-kube at .service disabled enabled podman-restart.service enabled enabled podman.service enabled enabled polkit.service static - portmap.service alias - powertop.service disabled enabled procps.service alias - quotaon.service static - rc-local.service static - rc.service masked enabled rcS.service masked enabled realmd.service static - redis-server.service disabled enabled redis-server at .service disabled enabled rescue.service static - rpc-gssd.service static - rpc-statd-notify.service static - rpc-statd.service static - rpc-svcgssd.service static - rpcbind.service enabled enabled rsync.service disabled enabled rtslib-fb-targetctl.service disabled enabled screen-cleanup.service masked enabled selinux-autorelabel-mark.service static - selinux-autorelabel.service static - serial-getty at .service indirect enabled ssh.service enabled enabled sshd.service alias - sssd-autofs.service indirect enabled sssd-ifp.service static - sssd-nss.service indirect enabled sssd-pac.service indirect enabled sssd-pam.service indirect enabled sssd-ssh.service indirect enabled sssd-sudo.service indirect enabled sssd.service disabled enabled sudo.service masked enabled system-update-cleanup.service static - systemd-ask-password-console.service static - 
systemd-ask-password-wall.service static - systemd-backlight at .service static - systemd-binfmt.service static - systemd-boot-check-no-failures.service disabled disabled systemd-coredump at .service static - systemd-exit.service static - systemd-firstboot.service static - systemd-fsck-root.service enabled-runtime enabled systemd-fsck at .service static - systemd-fsckd.service static - systemd-growfs at -.service generated - systemd-halt.service static - systemd-hibernate-resume at .service static - systemd-hibernate.service static - systemd-hostnamed.service static - systemd-hybrid-sleep.service static - systemd-importd.service static - systemd-initctl.service static - systemd-journal-flush.service static - systemd-journald.service static - systemd-journald at .service static - systemd-kexec.service static - systemd-localed.service static - systemd-logind.service static - systemd-machine-id-commit.service static - systemd-machined.service static - systemd-modules-load.service static - systemd-network-generator.service enabled enabled systemd-networkd-wait-online.service disabled disabled systemd-networkd-wait-online at .service disabled enabled systemd-networkd.service enabled enabled systemd-nspawn at .service disabled enabled systemd-pcrphase-initrd.service static - systemd-pcrphase-sysinit.service static - systemd-pcrphase.service static - systemd-portabled.service static - systemd-poweroff.service static - systemd-pstore.service enabled enabled systemd-quotacheck.service static - systemd-random-seed.service static - systemd-reboot.service static - systemd-remount-fs.service enabled-runtime enabled systemd-repart.service static - systemd-resolved.service enabled enabled systemd-rfkill.service static - systemd-suspend-then-hibernate.service static - systemd-suspend.service static - systemd-sysctl.service static - systemd-sysext.service disabled enabled systemd-sysusers.service static - systemd-time-wait-sync.service disabled disabled systemd-timedated.service 
static - systemd-tmpfiles-clean.service static - systemd-tmpfiles-setup-dev.service static - systemd-tmpfiles-setup.service static - systemd-udev-settle.service static - systemd-udev-trigger.service static - systemd-udevd.service static - systemd-update-utmp-runlevel.service static - systemd-update-utmp.service static - systemd-user-sessions.service static - systemd-volatile-root.service static - tangd at .service static - targetclid.service disabled enabled tuned.service disabled enabled udev.service alias - udisks2.service enabled enabled unattended-upgrades.service enabled enabled usb_modeswitch at .service static - user-runtime-dir at .service static - user at .service static - uuidd.service indirect enabled virtlockd.service indirect enabled virtlogd.service indirect enabled wpa_supplicant-nl80211 at .service disabled enabled wpa_supplicant-wired at .service disabled enabled wpa_supplicant.service enabled enabled wpa_supplicant at .service disabled enabled x11-common.service masked enabled machine.slice static - system-cockpithttps.slice static - system-systemd\x2dcryptsetup.slice static - user.slice static - cni-dhcp.socket disabled enabled cockpit-session.socket static - cockpit-wsinstance-http.socket static - cockpit-wsinstance-https-factory.socket static - cockpit-wsinstance-https at .socket static - cockpit.socket disabled enabled dbus.socket static - dm-event.socket enabled enabled iscsid.socket enabled enabled libvirtd-admin.socket enabled enabled libvirtd-ro.socket enabled enabled libvirtd-tcp.socket disabled enabled libvirtd-tls.socket disabled enabled libvirtd.socket enabled enabled lvm2-lvmpolld.socket enabled enabled podman.socket enabled enabled rpcbind.socket enabled enabled ssh.socket disabled enabled sssd-autofs.socket enabled enabled sssd-nss.socket enabled enabled sssd-pac.socket enabled enabled sssd-pam-priv.socket enabled enabled sssd-pam.socket enabled enabled sssd-ssh.socket enabled enabled sssd-sudo.socket enabled enabled syslog.socket 
static - systemd-coredump.socket static - systemd-fsckd.socket static - systemd-initctl.socket static - systemd-journald-audit.socket static - systemd-journald-dev-log.socket static - systemd-journald-varlink at .socket static - systemd-journald.socket static - systemd-journald at .socket static - systemd-networkd.socket enabled enabled systemd-rfkill.socket static - systemd-udevd-control.socket static - systemd-udevd-kernel.socket static - tangd.socket enabled enabled targetclid.socket disabled enabled uuidd.socket enabled enabled virtlockd-admin.socket enabled enabled virtlockd.socket enabled enabled virtlogd-admin.socket enabled enabled virtlogd.socket enabled enabled basic.target static - blockdev at .target static - bluetooth.target static - boot-complete.target static - cryptsetup-pre.target static - cryptsetup.target static - ctrl-alt-del.target alias - default.target alias - emergency.target static - exit.target disabled disabled factory-reset.target static - final.target static - first-boot-complete.target static - getty-pre.target static - getty.target static - graphical.target static - halt.target disabled disabled hibernate.target static - hybrid-sleep.target static - initrd-fs.target static - initrd-root-device.target static - initrd-root-fs.target static - initrd-switch-root.target static - initrd-usr-fs.target static - initrd.target static - integritysetup-pre.target static - integritysetup.target static - kexec.target disabled disabled local-fs-pre.target static - local-fs.target static - machines.target enabled enabled multi-user.target static - network-online.target static - network-pre.target static - network.target static - nfs-client.target enabled enabled nss-lookup.target static - nss-user-lookup.target static - paths.target static - poweroff.target disabled disabled printer.target static - reboot.target disabled enabled remote-cryptsetup.target disabled enabled remote-fs-pre.target static - remote-fs.target enabled enabled 
remote-veritysetup.target disabled enabled rescue-ssh.target static - rescue.target static - rpc_pipefs.target generated - rpcbind.target static - runlevel0.target alias - runlevel1.target alias - runlevel2.target alias - runlevel3.target alias - runlevel4.target alias - runlevel5.target alias - runlevel6.target alias - selinux-autorelabel.target static - shutdown.target static - sigpwr.target static - sleep.target static - slices.target static - smartcard.target static - sockets.target static - sound.target static - suspend-then-hibernate.target static - suspend.target static - swap.target static - sysinit.target static - system-update-pre.target static - system-update.target static - time-set.target static - time-sync.target static - timers.target static - umount.target static - usb-gadget.target static - veritysetup-pre.target static - veritysetup.target static - virt-guest-shutdown.target static - apt-daily-upgrade.timer disabled enabled apt-daily.timer disabled enabled chrony-dnssrv at .timer disabled enabled dpkg-db-backup.timer enabled enabled e2scrub_all.timer enabled enabled fstrim.timer disabled enabled logrotate.timer enabled enabled man-db.timer disabled enabled mdadm-last-resort at .timer static - mdcheck_continue.timer enabled enabled mdcheck_start.timer enabled enabled mdmonitor-oneshot.timer enabled enabled pmfind.timer disabled enabled pmie_check.timer disabled enabled pmie_daily.timer disabled enabled pmie_farm_check.timer disabled enabled pmlogger_check.timer disabled enabled pmlogger_daily.timer disabled enabled pmlogger_farm_check.timer disabled enabled podman-auto-update.timer enabled enabled systemd-tmpfiles-clean.timer static - 392 unit files listed. 
2023-06-23T07:09:00Z DEBUG stderr=
2023-06-23T07:09:00Z INFO nslcd daemon is not installed, skip configuration
2023-06-23T07:09:00Z DEBUG Starting external process
2023-06-23T07:09:00Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
2023-06-23T07:09:00Z DEBUG Process finished, return code=0
2023-06-23T07:09:00Z DEBUG stdout=active
2023-06-23T07:09:00Z DEBUG stderr=
2023-06-23T07:09:00Z DEBUG Starting external process
2023-06-23T07:09:00Z DEBUG args=['/bin/systemctl', 'restart', 'sshd.service']
2023-06-23T07:09:00Z DEBUG Process finished, return code=0
2023-06-23T07:09:00Z DEBUG stdout=
2023-06-23T07:09:00Z DEBUG stderr=
2023-06-23T07:09:00Z DEBUG Starting external process
2023-06-23T07:09:00Z DEBUG args=['/bin/systemctl', 'is-active', 'sshd.service']
2023-06-23T07:09:00Z DEBUG Process finished, return code=0
2023-06-23T07:09:00Z DEBUG stdout=active
2023-06-23T07:09:00Z DEBUG stderr=
2023-06-23T07:09:00Z DEBUG Restart of sshd.service complete
2023-06-23T07:09:00Z DEBUG Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:09:00Z DEBUG Saving StateFile to '/var/lib/ipa-client/sysrestore/sysrestore.state'
2023-06-23T07:09:00Z ERROR Some installation state for ntp has not been restored, see /var/lib/ipa/sysrestore/sysrestore.state
2023-06-23T07:09:00Z WARNING Some installation state has not been restored. This may cause re-installation to fail. It should be safe to remove /var/lib/ipa-client/sysrestore.state but it may mean your system hasn't been restored to its pre-installation state.
2023-06-23T07:09:00Z DEBUG Starting external process
2023-06-23T07:09:00Z DEBUG args=['/usr/sbin/update-ca-certificates']
2023-06-23T07:09:01Z DEBUG Process finished, return code=0
2023-06-23T07:09:01Z DEBUG stdout=Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
2023-06-23T07:09:01Z DEBUG stderr=
2023-06-23T07:09:01Z INFO Systemwide CA database updated.
2023-06-23T07:09:01Z INFO Client uninstall complete.
2023-06-23T07:09:01Z INFO The original nsswitch.conf configuration has been restored.
2023-06-23T07:09:01Z INFO You may need to restart services or reboot the machine.
2023-06-23T07:09:05Z DEBUG   File "/usr/lib/python3/dist-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
                   ^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ipapython/install/cli.py", line 344, in run
    return cfgr.run()
           ^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 360, in run
    return self.execute()
           ^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 386, in execute
    for rval in self._executor():
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
                   ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 655, in _configure
    next(executor)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 431, in __runner
    exc_handler(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 460, in _handle_execute_exception
    self._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 518, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 515, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 450, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 421, in __runner
    step()
  File "/usr/lib/python3/dist-packages/ipapython/install/core.py", line 418, in <lambda>
    step = lambda: next(self.__gen)
                   ^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python3/dist-packages/six.py", line 719, in reraise
    raise value
  File "/usr/lib/python3/dist-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
            ^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/ipapython/install/common.py", line 73, in _uninstall
    for unused in self._uninstaller(self.parent):
  File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 4068, in main
    uninstall(self)
  File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 3706, in uninstall
    raise ScriptError(rval=rv)
2023-06-23T07:09:05Z DEBUG The ipa-client-install command failed, exception: ScriptError:
2023-06-23T07:09:05Z ERROR The ipa-client-install command failed.
See /var/log/ipaclient-uninstall.log for more information

From mpitt at debian.org Fri Jun 23 09:01:08 2023
From: mpitt at debian.org (Martin Pitt)
Date: Fri, 23 Jun 2023 10:01:08 +0200
Subject: [Pkg-freeipa-devel] Bug#1038925: Acknowledgement (Leaving IPA domain fails: Some installation state for ntp has not been restored)
In-Reply-To:
References:
Message-ID:

One workaround that I found is to delete the [ntp] section from /var/lib/ipa-client/sysrestore/sysrestore.state after joining.

sed -i '/\[ntp\]/,/^$/ d' /var/lib/ipa-client/sysrestore/sysrestore.state
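The workaround in the message above removes the [ntp] section with a sed range that ends at the next blank line. The script below is an added example, not code from the bug report or from FreeIPA: it removes a named section from an INI-style state file by stopping at the next section header instead, keeps a .bak copy of the original (the uninstaller's own warning says dropped state may mean the system was not fully restored), and provides a check function. The sample state file content is constructed for the demo; its key names are assumptions, not captured from a real sysrestore.state.

```shell
#!/bin/sh
# Added example, not FreeIPA code: drop one [section] from an INI-style
# sysrestore.state file while keeping a backup of the original.
set -eu

# Delete the named section header and every line up to the next "[...]"
# header. Because it keys on headers rather than on a blank line, it also
# works when sections are not separated by blank lines.
remove_state_section() {
    state_file=$1
    section=$2
    cp -p "$state_file" "$state_file.bak"
    awk -v sect="[$section]" '
        # A header line turns skipping on for the target section, off otherwise
        /^\[[^]]*\]$/ { skip = ($0 == sect); if (skip) next }
        !skip { print }
    ' "$state_file.bak" > "$state_file"
}

# Exit 0 if the file still contains the named section header.
has_section() {
    grep -q "^\[$2\]\$" "$1"
}

# Constructed sample in the state file's layout; keys are assumptions.
# [ntp] and [sshd] deliberately share no blank line between them.
write_sample_state() {
    cat > "$1" <<'EOF'
[ntp]
enabled = True
step-tickers = False
[sshd]
hardening = True

[sssd]
running = True
EOF
}

# Demo: build the sample, drop [ntp], show what survives.
demo() {
    tmp=$(mktemp)
    write_sample_state "$tmp"
    remove_state_section "$tmp" ntp
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it as `sh remove_section.sh demo` to see the remaining sections printed; to apply it to a real file, source the script and call `remove_state_section /var/lib/ipa-client/sysrestore/sysrestore.state ntp`, then review the `.bak` copy before discarding it.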
