Commit Graph

2692 Commits

Author SHA1 Message Date
Martin Babinsky
4d57aef7a5 smart card advises: use a wrapper around Bash for loops
Replace the raw `command` calls constructing the for loops in some
methods by a wrapper hiding this detail.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
a9fec090f7 Use the compound statement formatting API for configuring PKINIT
Use `if_branch` and `else_branch` context managers instead of raw
`command` calls in the method that generates Bash snippet that
configures PKINIT on the master.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
85a79b5ccd Fix indentation of statements in Smart card advises
https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
9808395c17 delegate formatting of compound Bash statements to dedicated classes
this simplifies handling compound statements using _AdviceOutput class.
The necessary statements are exposed as context managers and API for
most common constructs is provided.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
dea4b4ca1b advise: add an infrastructure for formatting Bash compound statements
A series of context managers simplify formatting of common compound
statements such as `if`, `else if`, `else` blocks.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
0181334c4c delegate the indentation handling in advises to dedicated class
Indentation levels are now handled transparently by a dedicated class
and should not pollute the statement printing logic.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
36e0d2d65c add a class that tracks the indentation in the generated advises
https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
e0c2e0f26c Allow to pass in multiple CA cert paths to the smart card advises
If the user has a series of CA certificates required to verify smart
card certs (e.g. intermediary CAs and root CA) it is convenient to allow
for passing them to the advise scripts as a series of PEM files.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
584abe5b68 smart-card advises: add steps to store smart card signing CA cert
On master, upload the CA certificate to IPA LDAP and NSS databases. On
both master and client run ipa-certupdate to update client-side CA
certificate bundles used as PKINIT anchors.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Babinsky
69ba5f9422 smart-card advises: configure systemwide NSS DB also on master
Previously the Smart card signing CA cert was uploaded to systemwide NSS
DB only on the client, but it need to be added also to the server.
Modify the advise plugins to allow for common configuration steps to
occur in both cases.

https://pagure.io/freeipa/issue/7036

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-07-04 09:48:04 +02:00
Martin Basti
e53674e741 py3: ipa_otptoken_import: fix calling unicode on bytes
.decode() must be used instead

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-28 16:26:50 +02:00
Martin Basti
24eadd3a39 py3: ipa_otptoken_import: fix lamba code inspection
lambda in py3 has '__code__' attribute instead of 'func_code'

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-28 16:26:50 +02:00
Martin Basti
8416d5772d py3: Remove comparison >=2 of debnug log level
We have only one debug log level and it causes issues with py3.
...
  File "/usr/lib/python3.5/site-packages/ipaserver/rpcserver.py", line 490, in marshal
    response, version, pretty_print=self.api.env.debug >= 2
TypeError: unorderable types: str() >= int()

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-28 16:26:50 +02:00
Jan Cholasta
d5fc0ddd87 install: do not assume /etc/krb5.conf.d exists
Add `includedir /etc/krb5.conf.d` to /etc/krb5.conf only if
/etc/krb5.conf.d exists.

Do not rely on /etc/krb5.conf.d to enable the certauth plugin.

This fixes install on platforms which do not have /etc/krb5.conf.d.

https://pagure.io/freeipa/issue/6589

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Lukas Slebodnik <lslebodn@redhat.com>
2017-06-28 15:44:51 +02:00
Stanislav Laznicka
d308abac2e rpcserver: remove addition of str and bytes
base64 encoding returns bytes but these can't be added together with
a string.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-27 16:48:21 +02:00
Stanislav Laznicka
db4d0998fd wsgi plugins: mod_wsgi expects bytes as an output
python3-mod_wsgi expects that the application() method returns
bytes otherwise it breaks.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-27 16:48:21 +02:00
Martin Basti
c422206cc7 py3: dogtag.py: fix bytes warnings
/usr/lib/python3.5/site-packages/ipaserver/plugins/dogtag.py:1438: BytesWarning: str() on a bytes instance
   "parse_result:\\n%s" % (parse_func.__name__, xml_text, result))

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
b0e5168841 py3: secrets: remove iteritems usage
https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:44:25 +02:00
Simo Sorce
0537ab07ba Make sure we check ccaches in all rpcserver paths
We need to verify the ccache is avcailable in all cases or finalize
will cause us to acquire creds with the keytab which is not what we
want.

Ticket #7037

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 10:27:04 +02:00
Stanislav Laznicka
8311069d18 adtrustinstance: write the conf as a string
Since ipautil.template_file() returns a string, we should not try
to write it as bytes.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-21 16:34:05 +02:00
Stanislav Laznicka
a83b2583ab adtrustinstance: pep8 fix
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-21 16:34:05 +02:00
Martin Basti
f3537297be Remove network and broadcast address warnings
We cannot reliably determine when an IP Address is network or broadcast.
We allowed to use non-local IP addresses due container use cases, we
don't know subnets of used IP addresses.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Martin Basti
1b8dc1131c replica install: add missing check for non-local IP address
Add missing warning for used non-local IP address.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Martin Basti
6024165101 CheckedIPAddress: remove match_local param
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Felipe Volpone
36532031cf
Changing cert-find to go through the proxy instead of using the port 8080
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.

https://pagure.io/freeipa/issue/6966

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-16 08:56:53 +02:00
Tibor Dudlák
74d36a8af6 dnsserver.py: dnsserver-find no longer returns internal server error
Invocation of the ipa dnsserver-find command failed with
internal server error when there is no DNS server in topology.

Fixes: https://pagure.io/freeipa/issue/6571
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:51:06 +02:00
Stanislav Laznicka
440c61dc40 adtrustinstance: fix ID range comparison
The ID range comparison was comparing numbers to a string or possibly
to `None` and was tailored in such a way that the check would always
pass although it went directly against the definition of the absolute
value of a substitution.

https://pagure.io/freeipa/issue/7002

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-15 13:49:05 +02:00
Thorsten Scherf
e8358eaea9 Changed ownership of ldiffile to DS_USER
Resolves:
https://pagure.io/freeipa/issue/7010

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 10:40:18 +02:00
David Kupka
342f72140f kra: promote: Get ticket before calling custodia
When installing second (or consequent) KRA instance keys are retrieved
using custodia. Custodia checks that the keys are synchronized in
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.

https://pagure.io/freeipa/issue/7020

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-15 10:10:27 +02:00
Alexander Bokovoy
abb6384875 trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:

  ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-14 16:38:12 +02:00
Martin Babinsky
e418e9a4ca Prepare advise plugin for smart card auth configuration
The plugin contains recipes for configuring Smart Card authentication
on FreeIPA server and enrolled client.

https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes
https://pagure.io/freeipa/issue/6982

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-14 12:24:20 +02:00
Martin Babinsky
0569c02f17 Extend the advice printing code by some useful abstractions
The advise printing code was augmented by methods that simplify
generating bash snippets that report errors or failed commands.

https://pagure.io/freeipa/issue/6982

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-14 12:24:20 +02:00
Tibor Dudlák
063211d665 server.py: Removes dns-server configuration from ldap
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.

Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-08 16:54:04 +02:00
Simo Sorce
77db574cca Add code to be able to set default kinit lifetime
This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-07 15:36:26 +02:00
Martin Basti
6637980af6 Only warn when specified server IP addresses don't match intf
In containers local addresses differ from public addresses and we need
a way to provide only public address to installers.

https://pagure.io/freeipa/issue/2715
https://pagure.io/freeipa/issue/4317

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-06-06 18:10:33 +02:00
Pavel Vomacka
566361e63d Turn off OCSP check
The OCSP check was previously turned on but it introduced several
issues. Therefore the check will be turned off by default.

For turning on should be used ipa advise command with correct recipe.
The solution is tracked here: https://pagure.io/freeipa/issue/6982

Fixes: https://pagure.io/freeipa/issue/6981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:33:54 +02:00
Jan Cholasta
0772ef20b3 server upgrade: do not enable PKINIT by default
Enabling PKINIT often fails during server upgrade when requesting the KDC
certificate.

Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid
the upgrade failure by not enabling PKINIT by default.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Jan Cholasta
92276c1e88 pkinit manage: introduce ipa-pkinit-manage
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Jan Cholasta
e131905f3e server certinstall: update KDC master entry
After the KDC certificate is installed, add the PKINIT enabled flag to the
KDC master entry.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Martin Babinsky
8ef4888af7 fix incorrect suffix handling in topology checks
When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
tha value for further computations passes None and causes unhandled
internal errors.

If the attribute is empty or not present, we should return empty list
instead as to not break calling cod attribute, the code that tries to
retrieve tha value for further computations passes None and causes
unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-06-05 18:37:37 +02:00
Felipe Volpone
44bd5e358b Changing cert-find to do not use only primary key to search in LDAP.
In service.py the primary key is krbCanonicalName, which we
don't want to use to do searchs. Now, cert-find uses primary
key or a specified attribute to do searches in LDAP, instead
of using only a primary key.

https://pagure.io/freeipa/issue/6948

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-02 16:45:43 +02:00
Fraser Tweedale
89eb162fcd py3: fix regression in schemaupdate
The python-ldap classes that process schema definitions require a
unicode string, not a byte string.  A recent py3 compatibility fix
(d89de4219d) changed the constructor
argument to a unicode string to dispel a warning, but this broke
schema update.  Change it back to a bytestring.

Part of: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-02 09:55:13 +02:00
Fraser Tweedale
5f0e13ce9c ca-add: validate Subject DN name attributes
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.

Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.

Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-06-01 09:28:36 +02:00
Martin Basti
99771ceb9f py3: update_mod_nss_cipher_suite: ordering doesn't work with None
Py3 doesn't support ordering with None value

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
c6a57d8091 py3: urlfetch: use "file://" prefix with filenames
with py3 urlopen used internally with pyldap doesn't work with raw
filepaths without specifying "file://" prefix. This works on both
py2/py3

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
b09a941f34 py3: cainstance: fix BytesWarning
https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
d89de4219d py3: schemaupdate: fix BytesWarning
str() was called on bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
bc9addac30 py3: LDAP updates: use only bytes/raw values
Functions mix unicode and bytes, use only bytes.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
d7a9e81fbd py3: softhsm key_id must be bytes
softhsm works with bytes, so key_id must be byte otherwise we get errors
from bytes and string comparison

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
6e7071d6ad py3: ConfigParser: replace deprecated readfd with read
ConfigParser.readfd() is deprecated in py3, we can use .read() which is
compatible with py2

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
2e63ec42d0 py3: use ConfigParser instead of SafeConfigParser
DeprecationWarning: The SafeConfigParser class has been renamed
to ConfigParser in Python 3.2. This alias will be removed in
future versions. Use ConfigParser directly instead.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Jan Cholasta
ab71cd5a16 httpinstance: wait until the service entry is replicated
Wait until the local HTTP service entry is replicated to the remote master
before requesting the server certificate.

This prevents a replication conflict between the service entry added
locally and service entry added remotely when requesting the certificate.

https://pagure.io/freeipa/issue/6867

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-30 12:53:27 +02:00
Tibor Dudlák
d73ec06cb3 user.py: replace user_mod with ldap.update_entry()
Refactoring user_add class to use 'ldap.update_entry()' call
instead of api call 'user_mod' when --noprivate option is used.

https://pagure.io/freeipa/issue/5788

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-30 12:35:41 +02:00
Stanislav Laznicka
35675ca2bb Change ConfigParser to RawConfigParser
In case ipa_generate_password() generates a sequence containing
'%', ConfigParser.set() will fail because it would think it is a
string that should be interpolated.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-26 17:04:11 +02:00
Martin Babinsky
8b6f8ed7d4 only stop/disable simple service if it is installed
The SimpleServiceInstance uninstaller assument that the service to
uninstall was always present on the system. This may not be valid in
some cases (e.g. containerized deployments) and thus we need to change
the service state only when we know that the unit file exists.

https://pagure.io/freeipa/issue/6977

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-26 16:15:53 +02:00
Martin Babinsky
99352731b4 Add pkinit-status command
This command is a more streamlined reporting tool for PKINIT feature
status in the FreeIPA topology. It prints out whether PKINIT is enabled
or disabled on individual masters in a topology. If a`--server` is
specified, it reports status for an individual server. If `--status` is
specified, it searches for all servers that have PKINIT enabled or
disabled.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
f80553208e Add the list of PKINIT servers as a virtual attribute to global config
https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
d8bb23ac38 Add an attribute reporting client PKINIT-capable servers
A new multi-valued server attribute `pkinit_server` was added which
reports IPA masters that have PKINIT configuration usable by clients.

The existing tests were modified to allow for testing the new attribute.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
cac7e49daa Refactor the role/attribute member reporting code
The `config` object now hosts a generic method for updating the config
entry for desired server role configuration (if not empty). The
duplicated code in dns/trust/vaultconfig commands was replaced by a call
to a common method.

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Babinsky
bddb90f38a Allow for multivalued server attributes
In order to achieve the task, the following changes were required:

* vectorize the base class for server attributes
* add a child class that enforces single-value attributes. It still
  accepts/returns single-value lists in order to not break Liskov
  substitution principle
* Existing attributes inherit from the child class

https://pagure.io/freeipa/issue/6937

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-26 16:11:40 +02:00
Martin Basti
663f227a5c adtrust: move SELinux settings to constants
SELinux is platform dependend, moving boolean setting to platform module.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-26 08:32:05 +02:00
Martin Basti
1a6de32c9e httpd: move SELinux settings to constants
SELinux is platform dependend, moving boolean setting to platform module.

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-26 08:32:05 +02:00
Alexander Bokovoy
9c3fad9cef krb5: make sure KDC certificate is readable
When requesting certificate for KDC profile, make sure its public part
is actually readable to others.

Fixes https://pagure.io/freeipa/issue/6973

Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-05-25 14:25:01 +02:00
Simo Sorce
83619e804b Fix rare race condition with missing ccache file
In some circumstances the ccache file may disappear while
mod_auth_gssapi still has a valid cookie and the client is performing a
json server call.

This may lead to credentials getting sourced from the keytab.
Make sure we enforce what GSS NAME we want to resolve so HTTP creds are
never mistakenly sourced.

Ticket: #6972

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-05-24 17:55:53 +02:00
Stanislav Laznicka
24099d0f80 Remove pkinit-anonymous command
Ever since from v4.5, FreeIPA expects at least some kind of
anonymous PKINIT to work. The pkinit-anonymous command was supposed
to enable/disable anonymous pkinit by locking/unlocking the
anonymous principal. We can't allow this for FreeIPA to work
so we are removing the command as it was never supported anyway.

https://pagure.io/freeipa/issue/6936

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-05-23 18:05:22 +02:00
Florence Blanc-Renaud
d932642475 ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
ipa-ca-install currently overwrites /etc/ipa/ca.crt with the CA chain
retrieved from Dogtag. It should instead append the new certs, otherwise
the CA that signed dirsrv and httpd certificates is removed and ipa tools
fail.
A consequence is that ipa-kra-install fails.
This is a regression introduced by 5ab85b36.

https://pagure.io/freeipa/issue/6925

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-22 13:28:40 +02:00
Florence Blanc-Renaud
319a079f6d ipa-replica-manage del (dl 0): remove server from defaultServerList
ipa-replica-manage del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6946

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 19:00:48 +02:00
Florence Blanc-Renaud
a02a0a95f2 server-del: update defaultServerList in cn=default,ou=profile,$BASE
ipa server-del should remove the server from the entry
cn=default,ou=profile,$BASE
The entry contains an attribute
defaultServerList: srv1.domain.com srv2.domain.com srv3.domain.com

The code calls srvlist = ret.single_value.get('defaultServerList') which means
that srvlist contains a single value (string) containing all the servers
separated by a space, and not a list of attribute values. Because of that,
srvlist[0] corresponds to the first character of the value.
The fix splits srvlist and not srvlist[0].

https://pagure.io/freeipa/issue/6943

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 18:45:52 +02:00
Stanislav Laznicka
df8205b55c Make a doctext more clear
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-19 16:49:04 +02:00
Jan Cholasta
96ca62f81d server certinstall: support PKINIT
Allow replacing the KDC certificate.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
9ea764ecf5 cacert manage: support PKINIT
Allow installing 3rd party CA certificates trusted to issue PKINIT KDC
and/or client certificates.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
b3855704f4 replica install: respect --pkinit-cert-file
When --pkinit-cert-file is used, make sure the certificate and key is
actually passed to `KrbInstance`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
3b5dbf7cdb server install: fix KDC certificate validation in CA-less
Verify that the provided certificate has the extended key usage and subject
alternative name required for KDC.

https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
cc572378a6 certs: do not export CA certs in install_pem_from_p12
This fixes `kdc.crt` containing the full chain rather than just the KDC
certificate in CA-less server install.

https://pagure.io/freeipa/issue/6831
https://pagure.io/freeipa/issue/6869

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
0c5b2c42bf certs: do not export keys world-readable in install_key_from_p12
Make sure the exported private key files are readable only by the owner.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
f769045f0a server install: fix KDC PKINIT configuration
Set `pkinit_pool` in `kdc.conf` to a CA certificate bundle of all CAs known
to IPA.

Make sure `cacert.pem` is exported in all installation code paths.

Use the KDC certificate itself as a PKINIT anchor in `login_password`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
11b8a34346 client install: fix client PKINIT configuration
Set `pkinit_anchors` in `krb5.conf` to a CA certificate bundle of CAs
trusted to issue KDC certificates rather than `/etc/ipa/ca.crt`.

Set `pkinit_pool` in `krb5.conf` to a CA certificate bundle of all CAs
known to IPA.

Make sure both bundles are exported in all installation code paths.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
01a7416d30 install: trust IPA CA for PKINIT
Trust IPA CA to issue PKINIT KDC and client authentication certificates in
the IPA certificate store.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
52730c786f certdb: use custom object for trust flags
Replace trust flag strings with `TrustFlags` objects. The `TrustFlags`
class encapsulates `certstore` key policy and has an additional flag
indicating the presence of a private key.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
f0442a2d0e certdb, certs: make trust flags argument mandatory
Make the trust flags argument mandatory in all functions in `certdb` and
`certs`.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
Jan Cholasta
235265a5f5 certdb: add named trust flag constants
Add named constants for common trust flag combinations.

Use the named constants instead of trust flags strings in the code.

https://pagure.io/freeipa/issue/6831

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-19 12:31:24 +02:00
René Genz
a0566ed9ce fix minor spelling mistakes
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
René Genz
bdd88a3eab fix spelling mistake; minor rewording
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-19 09:52:46 +02:00
Florence Blanc-Renaud
c26038d24c ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
During ipa-kra-install, the installer prepares a configuration file
provided to pkispawn. This configuration file defines
pki_security_domain_hostname=(first master)

but when we are installing a clone, it should be set to the local hostname
instead, see man page pki_default.cfg:
      pki_security_domain_hostname, pki_security_domain_https_port
              Location  of  the security domain.  Required for KRA, OCSP, TKS,
              and TPS subsystems and for  CA  subsystems  joining  a  security
              domain.  Defaults to the location of the CA subsystem within the
              same instance.

When pki_security_domain_hostname points to the 1st master, and this first
master is decommissioned, ipa-kra-install fails on new replicas because pkispawn
tries to connect to this (non-existing) host.

https://pagure.io/freeipa/issue/6895

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-18 17:01:38 +02:00
Tomas Krizek
1b1bace750 ca, kra install: validate DM password
Before proceeding with installation, validate DM password. If the
provided DM password is invalid, abort the installation.

Fixes https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:50:42 +02:00
Tomas Krizek
7a4a368c53 installutils: add DM password validator
Add a validator that checks whether provided Directory Manager
is valid by attempting to connect to LDAP.

Related https://pagure.io/freeipa/issue/6892

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-17 12:50:42 +02:00
Florence Blanc-Renaud
d9ed2573fd ipa-server-install: fix uninstall
ipa-server-install --uninstall fails to stop tracking the certificates
because it assigns a tuple to the variable nicknames, then tries to
call nicknames.append(). This is a regression introduced by 21f4cbf8.

Assignment should be done using nicknames = list(self.tracking_reqs) instead.

https://pagure.io/freeipa/issue/6950

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-05-16 11:44:08 +00:00
Felipe Volpone
d51af28bdb Fixing adding authenticator indicators to host
The check for krbprincipalaux in the entries is now made
case-insensitively.

https://pagure.io/freeipa/issue/6911

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-05-16 10:29:00 +02:00
Felipe Volpone
d973168e89 Fixing the cert-request comparing whole email address case-sensitively.
Now, the cert-request command compares the domain part of the
email case-insensitively.

https://pagure.io/freeipa/issue/5919

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-05-16 09:50:22 +02:00
Jan Cholasta
b03ede8796 ipa-cacert-manage: add --external-ca-type
Add the `--external-ca-type`, as known from `ipa-server-install` and
`ipa-ca-install`, to `ipa-cacert-manage`.

This allows creating IPA CA CSRs suitable for use with Microsoft CS using
`ipa-cacert-manage`:

```
ipa-cacert-manage renew --external-ca --external-ca-type=ms-cs
```

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
21f4cbf8da renew agent: get rid of virtual profiles
Replace all uses of virtual profiles with `dogtag-ipa-ca-renew-agent-reuse`
and remove profile from the IPA CA certificate tracking request.

This prevents virtual profiles from making their way into CSRs and in turn
being rejected by certain CAs. This affected the IPA CA CSR with Microsoft
CS in particular.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
25aeeaf46d renew agent: allow reusing existing certs
Add a switch which makes `dogtag-ipa-ca-renew-agent-submit` reuse the
existing certificate rather than request a new one from the CA while
maintaining LDAP replication of the certificate.

Make this available as a new `dogtag-ipa-ca-renew-agent-reuse` certmonger
CA.

This allows redoing the LDAP replication and reexecuting pre- and post-save
commands of a tracking request without reissuing the certificate.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
09a49ad458 cainstance: use correct profile for lightweight CA certificates
Use Dogtag's `caCACert` CA certificate profile rather than the
`ipaCACertRenewal` virtual profile for lightweight CA certificates.

The `ipaCACertRenewal` virtual profile adds special handling of externally
signed CA certificates and LDAP replication of issued certificates on top
of `caCACert`, neither of which is relevant for lightweight CA
certificates.

Remove all of the special casing of lightweight CA certificates from
dogtag-ipa-ca-renew-agent-submit.

Make sure existing lightweight CA certmonger tracking requests are updated
on server upgrade.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
5abd9bb996 server upgrade: always fix certmonger tracking request
Fix certmonger tracking requests on every run of ipa-server-upgrade rather
than only when the tracking configuration has changed and the requests have
not yet been updated.

This allows fixing broken tracking requests just by re-running
ipa-server-upgrade.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Jan Cholasta
ce9eefe53b renew agent: respect CA renewal master setting
Do not bypass the renewal master check when a non-virtual profile is used
in dogtag-ipa-ca-renew-agent-submit.

This fixes dogtag-ipa-ca-renew-agent not respecting the CA renewal master
setting for certificates tracked with a real profile. (Note that there
currently aren't any such certificates tracked by us.)

Request the RA certificate using dogtag-submit rather than
dogtag-ipa-ca-renew-agent-submit as the CA renewal master setting is not
available so early in the install process.

https://pagure.io/freeipa/issue/5799

Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-05-15 12:14:28 +02:00
Pavel Vomacka
e0b32dac54
Turn on NSSOCSP check in mod_nss conf
Turn on NSSOCSP directive during install/replica install/upgrade.
That check whether the certificate which is used for login is
revoked or not using OSCP.

Marks the server cert in httpd NSS DB as trusted peer ('P,,')
to avoid chicken and egg problem when it is needed to contact
the OCSP responder when httpd is starting.

https://pagure.io/freeipa/issue/6370

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-10 09:08:34 +02:00
Florence Blanc-Renaud
8983ce53e3 ipa-kra-install: fix check_host_keys
ipa-kra-install on a replica checks that the keys are available before
going further to avoid race condition due to replication. The issue is
that the check_host_keys method expects to find exactly one key for
cn=env/host but 2 may exist: one below cn=custodia and one below
cn=dogtag,cn=custodia.
The fix is to check that at least one key exist (not exactly one key).

https://pagure.io/freeipa/issue/6934

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-09 14:28:13 +02:00
Tomas Krizek
ebefb28177 upgrade: add missing suffix to http instance
During an upgrade, http.suffix is used to identify ldap entry when
configuring kdc proxy. When the suffix is missing, the script crashed
when enabling KDC proxy, because it used invalid DN.

Fixes https://pagure.io/freeipa/issue/6920

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-05 18:55:41 +02:00
Tomas Krizek
4b8ab77dd4 installer service: fix typo in service entry
The typo would result in incorrect resolution of existing keys and
their existence wasn't properly logged as intended.

Related https://pagure.io/freeipa/issue/6920

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-05 18:55:41 +02:00
Stanislav Laznicka
aba384ddb5 Fix wrong message on Dogtag instances stop
https://pagure.io/freeipa/issue/6766

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-05 18:50:43 +02:00
Stanislav Laznicka
1a7a1f955e Make CA/KRA fail when they don't start
Since all the services throw exceptions when we're unable to
start/restart them, CA/KRA should not be an exception to it.

https://pagure.io/freeipa/issue/6766

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-05 18:50:43 +02:00
Martin Basti
7f4c2fbd97 Use proper SELinux context with http.keytab
During upgrade keytab is moved to a new location using "move" operation.
This commit replaces move operation with "copy" and "remove" that
ensures a proper selinux context.

https://pagure.io/freeipa/issue/6924

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-05-03 17:42:50 +02:00
Simo Sorce
1f9f84a66d
Make sure remote hosts have our keys
In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6838

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-03 16:37:21 +02:00
Tomas Krizek
0fa6c4d96e
kra install: update installation failure message
When installation fails, do not advise the user to use the
obsoleted --uninstall option.

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Fixes https://pagure.io/freeipa/issue/6923

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-03 16:32:05 +02:00
Florence Blanc-Renaud
a24923066d
ipa-server-install with external CA: fix pkinit cert issuance
ipa-server-install with external CA fails to issue pkinit certs.
This happens because the installer calls
krb = krbinstance.KrbInstance(fstore)
then
krb.enable_ssl()
and in this code path self.config_pkinit is set to None, leading to a wrong
code path.

The fix initializes the required fields of the krbinstance before calling
krb.enable_ssl.

https://pagure.io/freeipa/issue/6921

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
2017-05-03 16:29:01 +02:00
Stanislav Laznicka
0d406fcb78 Refresh Dogtag RestClient.ca_host property
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.

This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-05-02 17:33:25 +02:00
Petr Vobornik
c19196a0d3 kerberos session: use CA cert with full cert chain for obtaining cookie
Http request performed in finalize_kerberos_acquisition doesn't use
CA certificate/certificate store with full certificate chain of IPA server.
So it might happen that in case that IPA is installed with externally signed
CA certificate, the call can fail because of certificate validation
and e.g. prevent session acquisition.

If it will fail for sure is not known - the use case was not discovered,
but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-05-02 13:42:52 +02:00
Petr Vobornik
3a4c8e39c3
restore: restart/reload gssproxy after restore
So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server works

https://pagure.io/freeipa/issue/6902

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-28 14:56:02 +02:00
Martin Babinsky
960e361f68 Do not test anonymous PKINIT after install/upgrade
Local FAST armoring will now work regardless of PKINIT status so there
is no need to explicitly test for working PKINIT. If there is, there
should be a test case for that.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Martin Babinsky
a194055c92 Upgrade: configure local/full PKINIT depending on the master status
The upgrader has been modified to configure either local or full PKINIT
depending on the CA status. Additionally, the new PKINIT configuration
will be written to the master's KDC entry.

https://pagure.io/freeipa/issue/6830
http://www.freeipa.org/page/V4/Kerberos_PKINIT

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Martin Babinsky
2374b648d0 Use local anchor when armoring password requests
https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Martin Babinsky
68c6a4d4e1 Stop requesting anonymous keytab and purge all references of it
anonymous kinit using keytab never worked so we may safely remove all
code that requests/uses it.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Martin Babinsky
86972299d9 API for retrieval of master's PKINIT status and publishing it in LDAP
An API was provided to report whether PKINIT is enabled for clients or
not. If yes, the pkinitEnabled value will be added to the
ipaConfigString attribute of master's KDC entry.

See http://www.freeipa.org/page/V4/Kerberos_PKINIT#Configuration for
more details.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Martin Babinsky
fb52f7a1f3 Allow for configuration of all three PKINIT variants when deploying KDC
The PKINIT setup code now can configure PKINIT using IPA CA signed
certificate, 3rd party certificate and local PKINIT with self-signed
keypair. The local PKINIT is also selected as a fallback mechanism if
the CSR is rejected by CA master or `--no-pkinit` is used.

http://www.freeipa.org/page/V4/Kerberos_PKINIT
https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Martin Babinsky
b1a1e10439 separate function to set ipaConfigString values on service entry
There is some code duplication regarding setting ipaConfigString values
when:
   * LDAP-enabling a service entry
   * advertising enabled KDCProxy in LDAP

We can delegate the common work to a single re-usable function and thus
expose it to future use-cases (like PKINIT advertising).

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-04-28 08:38:12 +00:00
Christian Heimes
5197422ef6 Vault: Explicitly default to 3DES CBC
The server-side plugin for IPA Vault relied on the fact that the default
oid for encryption algorithm is 3DES in CBC mode (DES-EDE3-CBC). Dogtag
10.4 has changed the default from 3DES to AES. Pass the correct
algorithm OID to KeyClient.archive_encrypted_data().

Closes: https://pagure.io/freeipa/issue/6899
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-04-28 08:25:03 +02:00
Christian Heimes
26ab51ddf4 Correct PyPI package dependencies
* Remove unused install requires from ipapython
* Add missing requirements to ipaserver
* Correct dependencies for yubico otptoken
* Add explicit dependency on cffi for csrgen
* Python 2 uses python-ldap, Python 3 pyldap

https://pagure.io/freeipa/issue/6875

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-26 12:31:11 +02:00
Gabe
38276d3473 Update get_attr_filter in LDAPSearch to handle nsaccountlock user searches
- Update get_attr_filter in LDAPSearch to handle nsaccountlock by setting the default value for
  nsaccountlock to false as well as update the filter to check for the default value
- Remove pytest xfail for test_find_enabled_user

https://pagure.io/freeipa/issue/6896

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-26 10:20:42 +00:00
Stanislav Laznicka
ddbbb1c58e Move the compat plugin setup at the end of install
The compat plugin was causing deadlocks with the topology plugin. Move
its setup at the end of the installation and remove the
cn=topology,cn=ipa,cn=etc subtree from its scope.

https://pagure.io/freeipa/issue/6821

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-24 17:11:51 +02:00
Florence Blanc-Renaud
434d9e539d upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is installed
During upgrade, the plugin update_tdo_gidnumber is launched in order to
add a gidnumber to the Trusted Domain Object.
This plugin should not be run when ad trust is not installed, otherwise an
error message is displayed.

https://pagure.io/freeipa/issue/6881

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-04-24 12:51:37 +02:00
Stanislav Laznicka
b38750eaa8 Fix CAInstance.import_ra_cert for empty passwords
OpenSSL can't cope with empty files, add a newline after each password

https://pagure.io/freeipa/issue/6878

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-20 10:20:27 +00:00
Stanislav Laznicka
6f0a622d83 Fix RA cert import during DL0 replication
Previous versions of FreeIPA add password to the ra.p12 file
contained in the password-protected tarball. This was forgotten
about in the recent changes and fixed now.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-19 12:36:01 +00:00
Stanislav Laznicka
7b8503173b ext. CA: correctly write the cert chain
The cert file would have been rewritten all over again with
any of the cert in the CA cert chain without this patch.

https://pagure.io/freeipa/issue/6872

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-19 12:00:38 +00:00
Stanislav Laznicka
25a33ce8b1 server-install: No double Kerberos install
When we're installing server with an external CA, the installation
would have failed in the second step where it's passed the required
CA cert file because it would have tried to perform the Kerberos
installation for the second time.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-19 12:00:38 +00:00
Jan Cholasta
eb6d4c3037 cert: defer cert-find result post-processing
Rather than post-processing the results of each internal search,
post-process the combined result.

This avoids expensive per-certificate searches when cert-find is executed
with the --all option on certificates which won't even be included in the
combined result.

https://pagure.io/freeipa/issue/6808

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-19 11:28:27 +00:00
Stanislav Laznicka
9ac56e47d7
Fix CA-less to CA-full upgrade
CertDB would have always created a directory on initialization. This
behavior changes here by replacing the truncate argument with create
which will only create the database when really required.

https://pagure.io/freeipa/issue/6853

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-04-12 16:21:46 +02:00
Stanislav Laznicka
db84516d23
replicainstall: better client install exception handling
The exception handling of client install inside replica installation
was rather promiscuous, hungrily eating any possible exception thrown
at it. Scoped down the try-except block and reduced its promiscuity.
This change should improve the future development experience debugging
this part of the code.

https://pagure.io/freeipa/issue/6183

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-12 15:52:41 +02:00
Stanislav Laznicka
87051f51c6
Add the force-join option to replica install
When installing client from inside replica installation on DL1,
it's possible that the client installation would fail and recommend
using --force-join option which is not available in replica installer.
Add the option there.

https://pagure.io/freeipa/issue/6183

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-12 15:52:41 +02:00
Stanislav Laznicka
1160dc5d8b server-install: remove broken no-pkinit check
Don't check for no-pkinit option in case pkinit cert file was
provided. Setting no-pkinit is prohibited in this case, so without
this fix we have an impossible option-check if we want to provide
an own pkinit certificate and private key.

https://pagure.io/freeipa/issue/6807

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-12 13:02:47 +02:00
Martin Basti
e8f2a415b3 Fix PKCS11 helper
Slots in HSM are not assigned statically, we have to chose proper
slot from token label.

Softhsm i2.2.0 changed this behavior and now slots can change over
time (it is allowed by pkcs11 standard).

Changelog:
* created method get_slot() that returns slot number from
  used label
* replaces usage of slot in __init__ method of P11_Helper
  with label
* slot is dynamically detected from token label before
  session is opened
* pkcs11-util --init-token now uses '--free' instead '--slot'
  which uses first free slot (we don't care about slot numbers
  anymore)

https://pagure.io/freeipa/issue/6692

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-12 09:54:10 +02:00
David Kupka
a726e98f03 Create system users for FreeIPA services during package installation
Previously system users needed by FreeIPA server services was created during
ipa-server-install. This led to problem when DBus policy was configured during
package installation but the user specified in the policy didn't exist yet
(and potentionally similar ones). Now the users will be created in package %pre
section so all users freeipa-server package needs exist before any installation
or configuration begins.
Another possibility would be using systemd-sysusers(8) for this purpose but
given that systemd is not available during container build the traditional
approach is superior.
Also dirsrv and pkiuser users are no longer created by FreeIPA instead it
depends on 389ds and dogtag to create those users.

https://pagure.io/freeipa/issue/6743

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-11 17:51:49 +02:00
Alexander Bokovoy
e560899cce trust: always use oddjobd helper for fetching trust information
Since introduction of privilege separation in IPA framework none of the
operations that require direct access to the framework's credentials can
be done. All authentication has to be performed with GSSAPI.

As result, we cannot obtain TGT for HTTP/.. principal with kinit
anymore, so it is better to re-route all types of trust to oddjobd
helper and get rid of casing out two-way trust.

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1438366

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-11 14:16:39 +02:00
Alexander Bokovoy
aef77b3529 ipaserver/dcerpc: unify error processing
Samba error code reporting changes from version to version but we also
did not provide proper input into DCE RPC error processing method we
have.

Unify error processing and add few more fallback entries.

With Samba 4.7 we'll have to change it again because error code
processing for Samba Python modules will change with introduction of
samba.ntstatus and samba.werror modules.

Note that this commit also changes a message returned for error code
-1073741772 (NT_STATUS_OBJECT_NOT_FOUND) because it is more general one.

Fixes https://pagure.io/freeipa/issue/6859

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-04-11 14:16:39 +02:00
Martin Basti
bad0f608c4 Remove surplus 'the' in output of ipa-adtrust-install
Fixing the typo

https://pagure.io/freeipa/issue/6864

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-11 13:06:13 +02:00
Jan Cholasta
181cb94e74 install: request service certs after host keytab is set up
The certmonger renew agent and restart scripts use host keytab for
authentication. When they are executed during a certmonger request before
the host keytab is set up, the authentication will fail.

Make sure all certmonger requests in the installer are done after the host
keytab is set up.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 18:53:15 +02:00
Jan Cholasta
ec52332229 dsinstance, httpinstance: consolidate certificate request code
A different code path is used for DS and httpd certificate requests in
replica promotion. This is rather unnecessary and makes the certificate
request code not easy to follow.

Consolidate the non-promotion and promotion code paths into one.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 18:53:15 +02:00
Jan Cholasta
8a85586379 httpinstance: avoid httpd restart during certificate request
httpd is restarted by certmonger in the restart_httpd script after the
httpd certificate is saved if it was previously running. The restart will
fail because httpd is not properly configured at this point.

Stop httpd at the beginning of httpd install to avoid the restart.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 18:53:15 +02:00
Jan Cholasta
b189be12ec dsinstance: reconnect ldap2 after DS is restarted by certmonger
DS is restarted by certmonger in the restart_dirsrv script after the DS
certificate is saved. This breaks the ldap2 backend and makes any operation
fail with NetworkError until it is reconnected.

Reconnect ldap2 after the DS certificate request is finished to fix the
issue. Make sure restart_dirsrv waits for the ldapi socket so that the
reconnect does not fail.

https://pagure.io/freeipa/issue/6757

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-04-07 18:53:15 +02:00
Florence Blanc-Renaud
5405de5bc1 Upgrade: add gidnumber to trusted domain entry
The trusted domain entries created in earlier versions are missing gidnumber.
During upgrade, a new plugin will read the gidnumber of the fallback group
cn=Default SMB Group and add this value to trusted domain entries which do
not have a gidNumber.

https://pagure.io/freeipa/issue/6827

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-04-07 12:38:35 +02:00
Florence Blanc-Renaud
70743c8c48
idrange-add: properly handle empty --dom-name option
When idrange-add is called with --dom-name=, the CLI exits with
ipa: ERROR: an internal error has occurred
This happens because the code checks if the option is provided but does not
check if the value is None.

We need to handle empty dom-name as if the option was not specified.

https://pagure.io/freeipa/issue/6404

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-05 10:15:51 +02:00
Stanislav Laznicka
1aa77fe389
Add pki_pin only when needed
If both the pki-tomcat NSS database and its password.conf have been
created, don't try to override the password.conf file.

https://pagure.io/freeipa/issue/6839

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-04-05 10:12:53 +02:00
Jan Cholasta
5f5a3b29db httpinstance: make sure NSS database is backed up
The NSS database at /etc/httpd/alias is not properly initialized and backed
up in CA-less replica promotion. This might cause the install to fail after
previous install and uninstall.

Make sure the NSS database is initialized and backed up even in CA-less
replica promotion to fix the issue.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-04-04 08:21:50 +00:00
Stanislav Laznicka
aae9a918b6 Remove publish_ca_cert() method from NSSDatabase
NSSDatabase.publish_ca_cert() is not used anymore, remove it.

https://pagure.io/freeipa/issue/6806

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:06:29 +00:00
Stanislav Laznicka
8c87014e19 Get correct CA cert nickname in CA-less
During CA-less installation, we initialize the HTTPD alias
database from a pkcs12 file. This means there's going to
be different nicknames to the added certificates. Store
the CA certificate nickname in HTTPInstance__setup_ssl()
to be able to correctly export it later.

https://pagure.io/freeipa/issue/6806

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:06:29 +00:00
Christian Heimes
ae1c2086db Add an option to build ipaserver wheels
To create a wheel bundle with ipaserver and its dependencies:

    make wheel_bundle IPA_SERVER_WHEELS=1

To include additional dependencies:

    make wheel_bundle IPA_EXTRA_WHEELS=ipatests[webui]

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:08:52 +02:00
Christian Heimes
7c9df35d3d Add extra_requires for additional dependencies
ipaserver did not have extra_requires to state additional dependencies.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:08:52 +02:00
Christian Heimes
3064b890e2 Conditionally import pyhbac
The pyhbac module is part of SSSD. It's not available as stand-alone
PyPI package. It would take a lot of effort to package it because the
code is deeply tight into SSSD.

Let's follow the example of other SSSD Python packages and make the
import of pyhbac conditionally. It's only necessary for caacl and
hbactest plugins.

I renamed convert_to_ipa_rule() to _convert_to_ipa_rule() because it
does not check for presence of pyhbac package itself. The check is
performed earlier in execute(). The prefix indicates that it is an
internal function and developers have to think twice before using it
in another place.

This makes it much easier to install ipaserver with instrumented build
of Python with a different ABI or in isolated virtual envs to profile
and debug the server.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-04-03 13:08:52 +02:00
Abhijeet Kasurde
a1bb442054 Hide request_type doc string in cert-request help
Fix hides description of request_type argument in cert-request
command help

Fixes https://pagure.io/freeipa/issue/6494
Fixes https://pagure.io/freeipa/issue/5734

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-03-31 12:32:51 +02:00
Gabe
274b0bcf5f Add --password-expiration to allow admin to force user password expiration
- Allows an admin to easily force a user to expire their password forcing the user to change it immediately or at a specified time in the future

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-31 12:19:40 +02:00
Stanislav Laznicka
fe7cf1e854 Remove redundant option check for cert files
There was a redundant check for CA-less install certificate files
for replicas but the same check is done for all installers before
that.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Stanislav Laznicka
9e3ae785ac Don't allow setting pkinit-related options on DL0
pkinit is not supported on DL0, remove options that allow to set it
from ipa-{server,replica}-install.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Stanislav Laznicka
6cda1509a6 Fix the order of cert-files check
Without this patch, if either of dirsrv_cert_files, http_cert_files
or pkinit_cert_files is set along with no-pkinit, the user is first
requested to add the remaining options and when they do that,
they are told that they are using 'no-pkinit' along with
'pkinit-cert-file'.

https://pagure.io/freeipa/issue/6801

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 15:41:35 +02:00
Martin Babinsky
2eabb0dab7 Remove duplicate functionality in upgrade
Since krbinstance code can now handle all operations of the
`enabled_anonymous_principal` function from upgrade we can remove
extraneous function altogether.

https://pagure.io/freeipa/issue/6799

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 15:30:56 +02:00
Martin Babinsky
191668e85b Always check and create anonymous principal during KDC install
The anonymous principal will now be checked for presence and created on
both server and replica install. This fixes errors caused during replica
installation against older master that do not have anonymous principal
present.

https://pagure.io/freeipa/issue/6799

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 15:30:56 +02:00
Abhijeet Kasurde
7fddc1df57 Hide PKI Client database password in log file
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:20:57 +02:00
Fabiano Fidêncio
e03056cf34 Allow erasing ipaDomainResolutionOrder attribute
Currently when trying to erase the ipaDomainResolutionOrder attribute we
hit an internal error as the split() method is called on a None object.

By returning early in case of empty string we now allow removing the
ipaDomainResolutionOrder attribute by both calling delattr or setting
its value to an empty string.

https://pagure.io/freeipa/issue/6825

Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 13:19:11 +02:00
Alexander Bokovoy
0d817ae63a adtrust: make sure that runtime hostname result is consistent with the configuration
FreeIPA's `ipasam` module to Samba uses gethostname() call to identify
own server's host name. This value is then used in multiple places,
including construction of cifs/host.name principal. `ipasam` module
always uses GSSAPI authentication when talking to LDAP, so Kerberos
keys must be available in the /etc/samba/samba.keytab. However, if
the principal was created using non-FQDN name but system reports
FQDN name, `ipasam` will fail to acquire Kerberos credentials.
Same with FQDN principal and non-FQDN hostname.

Also host name and principal name must have the same case.

Report an error when configuring ADTrust instance with inconsistent
runtime hostname and configuration. This prevents errors like this:

    [20/21]: starting CIFS services
    ipa         : CRITICAL CIFS services failed to start

    where samba logs have this:

    [2017/03/20 06:34:27.385307,  0] ipa_sam.c:4193(bind_callback_cleanup)
      kerberos error: code=-1765328203, message=Keytab contains no suitable keys for cifs/ipatrust@EXAMPLE.COM
    [2017/03/20 06:34:27.385476,  1] ../source3/lib/smbldap.c:1206(get_cached_ldap_connect)
      Connection to LDAP server failed for the 16 try!

Fixes https://pagure.io/freeipa/issue/6786

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-30 13:17:21 +02:00
Martin Babinsky
5c22f905d4 Ensure KDC is propery configured after upgrade
https://pagure.io/freeipa/issue/6792

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:09:42 +02:00
Martin Babinsky
17aa51ef02 Split out anonymous PKINIT test to a separate method
This allows for more flexibility in the whole PKINIT setup process.

https://pagure.io/freeipa/issue/6792

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:09:42 +02:00
Martin Babinsky
1fc48cd0af Remove unused variable from failed anonymous PKINIT handling
https://pagure.io/freeipa/issue/6792

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:09:42 +02:00
Martin Babinsky
c2d95d3962 Upgrade: configure PKINIT after adding anonymous principal
In order to set up PKINIT, the anonymous principal must already be
created, otherwise the upgrade with fail when trying out anonymous
PKINIT. Switch the order of steps so that this issue does not occur.

https://pagure.io/freeipa/issue/6792

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-30 13:09:42 +02:00
David Kupka
0128e805e5
httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not available
Server installation failed when attmpting to disable module 'Root Certs' and
the module was not available in HTTP_ALIAS_DIR. When the module is not
available there's no need to disable it and the error may be treated as
success.

https://pagure.io/freeipa/issue/6803

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-28 17:10:54 +02:00
Stanislav Laznicka
e204d030fc
Generate PIN for PKI to help Dogtag in FIPS
Dogtag is currently unable to generate a PIN it could use for
an NSS database creation in FIPS. Generate it for them so that
we don't fail.

https://pagure.io/freeipa/issue/6824

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-03-28 17:07:20 +02:00
Christian Heimes
f5bf5466ed Use Custodia 0.3.1 features
* Use sd-notify in ipa-custodia.service
* Introduce libexec/ipa/ipa-custodia script. It comes with correct
  default setting for IPA's config file. The new file also makes it
  simpler to run IPA's custodia instance with its own SELinux context.
* ipapython no longer depends on custodia

The patch addresses three issues:

* https://bugzilla.redhat.com/show_bug.cgi?id=1430247
  Forward compatibility with Custodia 0.3 in Fedora rawhide
* https://pagure.io/freeipa/issue/5825
  Use sd-notify
* https://pagure.io/freeipa/issue/6788
  Prepare for separate SELinux context

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-28 15:02:06 +02:00
Stanislav Laznicka
dc13703e75
Backup CA cert from kerberos folder
https://pagure.io/freeipa/issue/6748

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-28 13:16:35 +02:00
David Kupka
7e1fdd2c58 rpcserver.login_x509: Actually return reply from __call__ method
__call__ didn't return causing internal error in wsgi application. Previously
this bug was hidden by some other error and the code worked even though it
shouldn't.

https://pagure.io/freeipa/issue/6819

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-28 13:04:39 +02:00
David Kupka
3dcd342631 Create temporaty directories at the begining of uninstall
Since commit 38c6689 temporary directories are no longer created at package
install time. Instead they're created at server install time.
Some steps in uninstall also assume that temporary direcories exist. Creating
the directories in the begining of server uninstall ensure that the uninstall
will go through.

https://pagure.io/freeipa/issue/6715

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-28 08:45:56 +02:00
Stanislav Laznicka
8c1409155e Allow renaming of the sudorule objects
The recent changes allow the sudorule objects to be renamed.

https://pagure.io/freeipa/issue/2466

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Stanislav Laznicka
55424c8677 Allow renaming of the HBAC rule objects
The recent changes allow HBAC rule objects to be renamed.

https://pagure.io/freeipa/issue/6784

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Stanislav Laznicka
8e4408e678 Reworked the renaming mechanism
The rename operation on *_mod commands was only allowed when
the primary key of an entry was also its RDN. With these changes,
it should be possible to rename the rest of the entries as well.

An attribute to the base LDAPObject was added to whitelist the
objects we want to allow to be renamed. It replaced an old
attribute rdn_is_primary_key which was used for the very same
purpose but the name was confusing because it was not set
correctly for certain objects.

https://pagure.io/freeipa/issue/2466
https://pagure.io/freeipa/issue/6784

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-27 19:08:26 +02:00
Jan Cholasta
6de507c2ca cert: do not limit internal searches in cert-find
Instead, apply the limits on the combined result.

This fixes (absence of) `--sizelimit` leading to strange behavior, such as
`cert-find --users user` returning a non-empty result only with
`--sizelimit 0`.

https://pagure.io/freeipa/issue/6716

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-27 09:02:31 +02:00
Pavel Vomacka
ceedc3f7ec WebUI: Add support for login for AD users
After login, method user-find --whoami was called which cannot be
called for AD users. That method was replaced by ipa whoami command
and sequential command according to result of ipa whoami. AD user
can now be logged in.

AD users have new menu definition which contains only list of IPA
users and profile page of AD user - "User ID Override".

This commit also fixes several places where IPA.whoami object was
used, because its structure was also changed. It now contains two
objects. First one is stored in 'metadata' property and stores
result from ipa whoami (type of object, command which should be
called for showing detailed data about currently logged entity, etc).
The second one is stored in 'data' property which stores result of
_show command for currently logged entity.

https://pagure.io/freeipa/issue/3242

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-27 08:55:41 +02:00
Stanislav Laznicka
2612c092dd
Backup ipa-specific httpd unit-file
On backup-restore, the ipa unit file for httpd was not backed up.
This file however contains setting for httpd to communicate with
gssproxy so not backing it up will result in httpd not knowing
how to get credentials.

https://pagure.io/freeipa/issue/6748

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-23 10:12:44 +01:00
Alexander Bokovoy
7324451834 ldap2: use LDAP whoami operation to retrieve bind DN for current connection
For external users which are mapped to some DN in LDAP server, we
wouldn't neccesary be able to find a kerberos data in their LDAP entry.
Instead of searching for Kerberos principal use actual DN we are bound
to because for get_effective_rights LDAP control we only need the DN
itself.

Fixes https://pagure.io/freeipa/issue/6797

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-03-22 17:19:22 +01:00
Jan Cholasta
9939aa5363 replica prepare: fix wrong IPA CA nickname in replica file
Lookup IPA CA subject and pass it to CertDB when creating dscert.p12 and
httpcert.p12, otherwise a generic nickname will be used for the IPA CA
certificate instead of "$REALM IPA CA".

This fixes replica install on domain level 0 from a replica file created
using ipa-replica-install on IPA 4.5.

https://pagure.io/freeipa/issue/6777

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-22 15:56:54 +01:00
felipe
772d4e3d4e
Fixing replica install: fix ldap connection in domlvl 0
Now, at the domain level 0, the replica install always uses
Directory Manager credentials to create the LDAP connection.
Since ACIs permitting hosts to manage their own services were
added in 4.2 release,  the old master denies this operations.

https://pagure.io/freeipa/issue/6549

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-22 15:31:40 +01:00
Jan Cholasta
e263cb46cb httpinstance: clean up /etc/httpd/alias on uninstall
Restore cert8.db, key3.db, pwdfile.txt and secmod.db in /etc/httpd/alias
from backup on uninstall.

Files modified by IPA are kept with .ipasave suffix.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-22 14:58:18 +01:00
Jan Cholasta
bbd18cf10f certs: do not implicitly create DS pin.txt
Do not implicitly create DS pin.txt in `CertDB.init_from_pkcs12()`, create
it explicitly in `DSInstance.__enable_ssl()`.

This stops the file from being created in /etc/httpd/alias during classic
replica install.

https://pagure.io/freeipa/issue/4639

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-03-22 14:58:18 +01:00
Christian Heimes
602b395cf1 Fix Python 3 pylint errors
************* Module ipaserver.install.ipa_kra_install
ipaserver/install/ipa_kra_install.py:25: [W0402(deprecated-module), ] Uses of a deprecated module 'optparse')
************* Module ipapython.install.core
ipapython/install/core.py:163: [E1101(no-member), _knob] Module 'types' has no 'TypeType' member)
************* Module ipatests.test_ipapython.test_dn
ipatests/test_ipapython/test_dn.py:1205: [W1505(deprecated-method), TestDN.test_x500_text] Using deprecated method assertEquals())
************* Module ipa-ca-install
install/tools/ipa-ca-install:228: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)
install/tools/ipa-ca-install:232: [E1101(no-member), install_master] Instance of 'ValueError' has no 'message' member)

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-15 19:11:32 +01:00
Martin Babinsky
a1686a90c0 Try out anonymous PKINIT after it is configured
After PKINIT certificate is requested and everything is set up, we
should attempt to perform anonymous PKINIT and fail hard if it does not
work for some reason.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
b45629fc48 check for replica's KDC entry on master before requesting PKINIT cert
This prevents replication-based race conditions to break PKINIT
certificate requests on replica installation.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
8f4abf7bc1 check that the master requesting PKINIT cert has KDC enabled
https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
069948466e Make wait_for_entry raise exceptions
Instead of only logging errors when timeout is reached or query for the
entry fails for other reasons, `wait_for_entry` should raise exceptions
so that we can handle them in caller or let them propagate and fail
early.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
bd18b5f91e Move PKINIT configuration to a later stage of server/replica install
This is to ensure that we can request PKINIT certs once all the
following requirements are in place:

    * CA is configured or PKCS#12 file is provided
    * LDAP, KDC and Apache are configured and the master role is thus
      completed and enabled

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
b5b23e073e Request PKINIT cert directly from Dogtag API on first master
On the first master the framework may not be fully functional to server
certificate requests. It is safer to configure helper that contacts
Dogtag REST API directly.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Martin Babinsky
95768de06f Make PKINIT certificate request logic consistent with other installers
The certmonger request handling code during pkinit setup actually never
correctly handled situations when certificate request was rejected by
the CA or CA was unreachable. This led to subtle errors caused by broken
anonymous pkinit (e.g. failing WebUI logins) which are hard to debug.

The code should behave as other service installers, e. g. use
`request_and_wait_for_cert` method which raises hard error when request
times out or is not granted by CA. On master contact Dogtag CA endpoint
directly as is done in DS installation.

https://pagure.io/freeipa/issue/6739

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:39:39 +01:00
Stanislav Laznicka
46d4d534c0 Remove pkinit from ipa-replica-prepare
The PKINIT feature is not available on domain level 0 so any
options about pkinit are false.

https://pagure.io/freeipa/issue/6759

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-03-15 16:23:21 +01:00
David Kupka
70889d4d5e rpcserver: x509_login: Handle unsuccessful certificate login gracefully
When mod_lookup_identity is unable to match user by certificate (and username)
it unsets http request's user. mod_auth_gssapi is then unable to get Kerberos
ticket and doesn't set KRB5CCNAME environment variable.
x509_login.__call__ now returns 401 in such case to indicate that request was
not authenticated.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-03-15 10:34:44 +01:00
Martin Babinsky
1cdd5dee00 idviews: correctly handle modification of non-existent view
the pre-callback in `idview-mod` did not correctly handle non-existent
object during objectclass check. It will now correctly report that the
object was not found instead on generic 'no such entry'.

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-15 09:48:12 +01:00
Martin Babinsky
4e5e3eebb2 Re-use trust domain retrieval code in certmap validators
https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Martin Babinsky
544d66b710 idview: add domain_resolution_order attribute
`idview-add` and `idview-mod` can now set and validate the attribute.
The required objectclass is added on-demand after modification

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Martin Babinsky
1b5f56d154 ipaconfig: add the ability to manipulate domain resolution order
optional attribute was added to config object along with validator that
check for valid domain names and also checks whether the specified
domains exist in FreeIPA or in trusted forests and, in case of trusted
domains, are not disabled.

Part of http://www.freeipa.org/page/V4/AD_User_Short_Names

https://pagure.io/freeipa/issue/6372

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
2017-03-14 18:37:10 +01:00
Jan Cholasta
f037bfa483 httpinstance: disable system trust module in /etc/httpd/alias
Currently the NSS database in /etc/httpd/alias is installed with the system
trust module enabled. This is problematic for a number of reasons:

* IPA has its own trust store, which is effectively bypassed when the
  system trust module is enabled in the database. This may cause IPA
  unrelated CAs to be trusted by httpd, or even IPA related CAs not to be
  trusted by httpd.

* On client install, the IPA trust configuration is copied to the system
  trust store for third parties. When this configuration is removed, it may
  cause loss of trust information in /etc/httpd/alias
  (https://bugzilla.redhat.com/show_bug.cgi?id=1427897).

* When a CA certificate provided by the user in CA-less install conflicts
  with a CA certificate in the system trust store, the latter may be used
  by httpd, leading to broken https
  (https://www.redhat.com/archives/freeipa-users/2016-July/msg00360.html).

Disable the system trust module on install and upgrade to prevent the
system trust store to be used in /etc/httpd/alias and fix all of the above
issues.

https://pagure.io/freeipa/issue/6132

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2017-03-14 17:12:19 +01:00
Stanislav Laznicka
ee6d031a6a Backup KDC certificate pair
KDC certificate pair was added but is not included in backup which
might cause issues when restoring the IPA service.

https://pagure.io/freeipa/issue/6748

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 17:09:47 +01:00
Martin Basti
f4c7f1dd8a Remove copy-schema-to-ca.py from master branch
This script is used only for IPA <3.1, so it must be compatible with
ipa-3-0 branch, so it should be placed there

https://pagure.io/freeipa/issue/6540

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-03-14 15:16:20 +01:00
Pavel Vomacka
75c592d3b9 Support certificate login after installation and upgrade
Add necessary steps which set SSSD and set SELinux boolean during
installation or upgrade. Also create new endpoint in apache for
login using certificates.

https://pagure.io/freeipa/issue/6225

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 15:13:43 +01:00
Stanislav Laznicka
8980f4098e Don't fail more if cert req/cert creation failed
This should help debugging issues that could happen during server
certificate creation.

https://pagure.io/freeipa/issue/6755

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 15:02:42 +01:00
Stanislav Laznicka
992e6ecd1f Fix ipa-replica-prepare server-cert creation
Fixes an issue introduced in 0a54fac0, we need to specify the current
master's hostname so that we know to which CA we need to connect to
create the other's server Server-Cert.

https://pagure.io/freeipa/issue/6755

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-03-14 15:02:42 +01:00
Jan Cholasta
8ed891cb61 cert: include certificate chain in cert command output
Include the full certificate chain in the output of cert-request, cert-show
and cert-find if --chain or --all is specified.

If output file is specified in the CLI together with --chain, the full
certificate chain is written to the file.

https://pagure.io/freeipa/issue/6547

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-03-14 12:58:45 +01:00
Pavel Vomacka
39d7ef3de4 WebUI: add vault management
Add vault management into WebUI, there are some constraints:
- There is no crypto library so Symmetric and Assymetric vaults
  are not supported in WebUI. Also retrieving or archiving data
  is not supported.
- There aren't any container support right now

Supported is:
- Browsing vaults
- Adding Standard vaults (users, service, shared)
- Removing vaults
- Adding and removing owners
- Adding and removing members

https://fedorahosted.org/freeipa/ticket/5426

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-03-14 10:40:10 +01:00