Commit Graph

13268 Commits

Author SHA1 Message Date
Robbie Harwood
179c8f4009 Add a skeleton kdcpolicy plugin
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Robbie Harwood
39e3704a06 Move certauth configuration into a server krb5.conf template
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Robbie Harwood
c7b938a1d5 Enable krb5 snippet updates on client update
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Changmin Teng
d0570404ef Extend the list of supported pre-auth mechanisms in IPA server API
As new authentication indicators implemented, we also modified server
API to support those new values. Also, "krbprincipalauthind" attribute
is modified to use a pre-defined set of values instead of arbitrary
strings.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Changmin Teng
9c0a35f1e7 Add new authentication indicators in kdc.conf.template
As of release 1.17, KDC can be configured to apply authentication
indicator for SPAKE, PKINIT, and encrypted challenge preauth via
FAST channel, which are not configured in current version of freeIPA.

Note that even though the value of encrypted_challenge_indicator is
attached only when encrypted challenge preauth is performed along
a FAST channel, it's possible to perform FAST without encrypted
challenge by using SPAKE. Since there is no reason to force clients
not to use SPAKE while using FAST, we made a design choice to merge
SPAKE and FAST in a new option called "Hardened Password", which
requires user to use at least one of SPAKE or FAST channel. Hence
same value attaching to both spake_preauth_indicator and
encrypted_challenge_indicator.

Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Changmin Teng <cteng@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-09-10 12:33:21 +03:00
Alexander Bokovoy
80e4c18b75 adtrust: avoid using timestamp in klist output
When parsing a keytab to copy keys to a different keytab, we don't need
the timestamp, so don't ask klist to output it. In some locales (en_IN,
for example), the timestamp is output in a single field without a space
between date and time. In other locales it can be represented with date
and time separated by a space.

Fixes: https://pagure.io/freeipa/issue/8066
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-09-10 12:25:07 +03:00
Michal Polovka
8ce0e6bf60
ipatests: add tests for ipa host-add with non-default maxhostnamelength
Implement test for ticket 2018: Change hostname length limit to 64.
The fix provides a new configuration parameter (maxhostname) that can be modified through ipa config-mod, and governs the max hostname len allowed through ipa host-add.
Add new tests:

    - check that maxhostname cannot be changed to a value < 64
    - check that ipa host-add is refused if the hostname length is > maxhostname
    - check that ipa host-add is OK if the hostname length is <= maxhostname

Related: https://pagure.io/freeipa/issue/2018
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-09 12:12:39 +02:00
Rob Crittenden
65d38af9e2 Skip lock and fork in ipa-server-guard on unsupported ops
On startup certmonger performs a number of options on the
configured CA (IPA, not to be confused with the real dogtag CA)
and the tracking requests.

Break early for operations that are not supported by ipa-submit.
This will save both a fork and a lock call.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-09-06 10:29:43 -04:00
Rob Crittenden
0770254ce3 Defer initializing the API in dogtag-ipa-ca-renew-agent-submit
Wait until we know a supported operation is being called
(SUBMIT and POLL) before initializing the API, which can be
an expensive operation.

https://bugzilla.redhat.com/show_bug.cgi?id=1656519

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-09-06 10:29:43 -04:00
Sergey Orlov
1d033b040d
ipatests: refactor and extend tests for IPA-Samba integration
Add tests for following scenarios:
* running `ipa-client-samba --uninstall` without prior installation
* mount and access Samba share by IPA user
* mount and access Samba share by AD user
* mount samba share by one IPA user and access it by another one
* try mount samba share without kerberos authentication
* uninstall and reinstall ipa-client-samba

Relates: https://pagure.io/freeipa/issue/3999
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-06 12:11:04 +02:00
Sergey Orlov
1fe69f352b
ipatests: modify run_command to allow specify successful return codes
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-06 12:11:04 +02:00
Sergey Orlov
3fa7865ff8
ipatests: add utility functions related to using and managing user accounts
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-06 12:11:04 +02:00
Sergey Orlov
074bf285f1
ipatests: allow to pass additional options for clients installation
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2019-09-06 12:11:04 +02:00
Florence Blanc-Renaud
c1af6aa27c ipatests: add nightly definition for DS integration tests
This commit is a first step in order to run nightly
integration tests with the 389-ds Directory Server.
It is updating the tests that should be run against
a nightly build of 389-ds.

The vagrant box freeipa/389ds-master-f30 version 0.0.1 has already
been created, available in vagrant cloud.
freeipa-pr-ci workspace also already contains the nightly scheduler
definition for this job (saturdays 00:10, using nightly_master_389ds.yaml)
but the cron job is not scheduled yet.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-09-06 09:05:52 +02:00
Robbie Harwood
45b4f5377b Fix NULL pointer dereference in maybe_require_preauth()
ipadb_get_global_config() is permitted to return NULL.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-05 14:53:55 -04:00
Robbie Harwood
9414b038e7 Log INFO message when LDAP connection fails on startup
Since krb5_klog_syslog() always needs parameters from syslog.h, move the
include into ipa_krb5.h.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-05 14:53:55 -04:00
Rob Crittenden
5db48f151b Add missing timeout option to logging statement
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-05 09:15:23 +02:00
Rob Crittenden
adf2eab263 Log dogtag auth timeout in install, provide hint to increase it
There is a loop which keeps trying to bind as the admin user
which will fail until it is replicated.

In the case where there is a lot to replicate the default
5 minute timeout may be insufficient. Provide a hint for
tuning.

Fixes: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-04 14:52:14 +02:00
Rob Crittenden
54035982e5 Log the replication wait timeout for debugging purposes
Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-04 14:52:14 +02:00
Rob Crittenden
faf34fcdfd Replace replication_wait_timeout with certmonger_wait_timeout
The variable is intended to control the timeout for replication
events. If someone had significantly reduced it via configuration
then it could have caused certmogner requests to fail due to timeouts.

Add replication_wait_timeout, certmonger_wait_timeout and
http_timeout to the default.conf man page.

Related: https://pagure.io/freeipa/issue/7971
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-04 14:52:14 +02:00
Christian Heimes
0d7eb0a972 Add new env vars to pylint plugin
The vars api.env.host_princ and smb_princ where introduced a while ago.
Sometimes parallel linting complain about the attributes. Add both to
the list of known members in pylint_plugins.py.

Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-04 10:30:07 +02:00
Christian Heimes
0fc4b8c25c Fix wrong use of identity operation
Strings should not be compared with the identity operation 'is' or
'is not'.

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-04 10:30:07 +02:00
Christian Heimes
8d2125f654 Enable literal-comparison linter again
The literal comparison linter checks for "value is 0" or "value is ''".

Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-04 10:30:07 +02:00
Florence Blanc-Renaud
4a437a3c42 config plugin: replace 'is 0' with '== 0'
Since python3.8, identity checks with literal produce syntax warnings.
Replace the check 'if .. is 0' with 'if .. == 0'

Related: https://pagure.io/freeipa/issue/8057
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-09-04 08:28:14 +02:00
François Cami
02262ac7cf ipapython/ipachangeconf.py: change "is not 0" for "!= 0"
Python 3.8 introduced a warning to check for usage of "is not"
when comparing literals. Any such usage will output:
SyntaxWarning: "is not" with a literal. Did you mean "!="?
See: https://bugs.python.org/issue34850

Fixes: https://pagure.io/freeipa/issue/8057
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-09-02 17:39:11 +02:00
Christian Heimes
51836c0594 Replace %{_libdir} macro in BuildRequires
The %{_libdir} macro is architecture dependend and therefore does not
correctly work across different platforms. In the past the SRPM was
created on a platform with /usr/lib64. Recent SRPMs have /usr/lib, which
breaks dnf builddep.

Depend on krb5-server directly rather than a file in krb5-server
package:

$ rpm -qf /usr/lib64/krb5/plugins/kdb/db2.so
krb5-server-1.16.1-25.fc29.x86_64

Fixes: https://pagure.io/freeipa/issue/8056
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
2019-08-31 00:48:35 +02:00
Michal Polovka
253779afc4
ipatests: fix topology for TestIpaNotConfigured in PR-CI nightly definitions
Topology for TestIpaNotConfigured is changed from ipaserver to
master_1repl in order to prevent aforementioned test suite runner from
configuring ipa-server, which is required by the test itself.

Resolves: https://pagure.io/freeipa/issue/8055
Related: https://pagure.io/freeipa/issue/6843
2019-08-30 12:20:21 +02:00
Florence Blanc-Renaud
b48fe19fe5 ipatests: fix wrong xfail in test_domain_resolution_order
The test is written for a SSSD fix delivered in 2.2.0, but has a xfail
based on fedora version < 30.
SSSD 2.2.0 was originally available only on fedora 30 but is now also
available on fedora 29, and recent runs on f29 started to succeed
(because the fix is now present) but with a strict xfail.

The fix completely removes the xfail as the current branch is supported on
fedora 29 and 30.

Fixes: https://pagure.io/freeipa/issue/8052
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-08-30 10:16:52 +02:00
Serhii Tsymbaliuk
b20ae34b48
WebUI tests: Fix login screen loading issue
test_webui/test_loginscreen fails because login screen is rendered with delays.
To solve the issue small pause added after login.

Ticket: https://pagure.io/freeipa/issue/8053

Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-08-29 20:16:43 +02:00
François Cami
73f049c75f authconfig.py: restore user-nsswitch.conf at uninstall time
Calling authselect at uninstall time before restoring user-nsswitch.conf
would result in a sudoers entry in nsswitch.conf which is not activated
in the default sssd authselect profile.
Make sure user-nsswitch.conf is restored before calling authselect.

Fixes: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-08-29 17:34:27 +02:00
François Cami
03a228aaf6 ipatests: remove xfail in TestIpaClientAutomountFileRestore
Remove xfail in TestIpaClientAutomountFileRestore to check the
associated bugfix.

Related-to: https://pagure.io/freeipa/issue/8054
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-08-29 17:34:27 +02:00
sumenon
b24359cafa Added testcase to check capitalization fix while running ipa user-mod
1. This testcase checks that when ipa user-mod command is run with capital letters
there is no error shown in the console, instead the modifications for first and last
name of  the user is applied.

2. Adding tasks.kinit_admin since the test was being executed as different user
leading to permission issue.
ipa: ERROR: Insufficient access: Could not read UPG Definition originfilter. Check your permissions

Issue: https://pagure.io/freeipa/issue/5879
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-08-29 10:07:32 +02:00
Rob Critenden
41ef8fba31 Use tasks to configure automount nsswitch settings
authselect doesn't allow one to directly write to
/etc/nsswitch.conf. It will complain bitterly if it
detects it and will refuse to work until reset.

Instead it wants the user to write to
/etc/authselect/user-nsswitch.conf and then it will handle
merging in any differences.

To complicate matters some databases are not user configurable
like passwd, group and of course, automount. There are some
undocumented options to allow one to override these though so
we utilize that.

tasks are used so that authselect-based installations can still
write directly to /etc/nsswitch.conf and operate as it used to.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
Rob Critenden
e5af8c19a9 Move ipachangeconf from ipaclient.install to ipapython
This will let us call it from ipaplatform.

Mark the original location as deprecated.

Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
François Cami
b27ad6e9f9 ipa-client-automount: always restore nsswitch.conf at uninstall time
ipa-client-automount used to only restore nsswitch.conf when sssd was not
used. However authselect's default profile is now sssd so always restore
nsswitch.conf's automount configuration to 'files sssd'.
Note that the behavior seen before commit:
a0e846f56c
would always restore nsswitch.conf to the previous state which in some cases
was wrong.

Fixes: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
François Cami
405dcc6bec ipatests: check that ipa-client-automount restores nsswitch.conf at uninstall time
Check that using ipa-client-install, ipa-client-automount --no-ssd, then uninstalling
both properly restores nsswitch.conf sequentially.

Related-to:: https://pagure.io/freeipa/issue/8038
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-28 22:15:50 -04:00
Michal Polovka
a71c59c7c8 ipatests: Test for ipa-backup with ipa not configured
Added test class for executing tests without ipa server being
configured. This is achieved by not providing topology attribute in the
test class. Subsequently implemented test for PG6843 - ipa-backup does not create
log file at /var/log/ - by invoking ipa-backup command with ipa server
not configured and checking for expected error code presence of /var/log
in the error message.

https://pagure.io/freeipa/issue/6843

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
2019-08-27 12:04:45 +02:00
Alexander Bokovoy
24c6ce27b2 Mark failing test as xfail for use of python-dns make_ds method
https://github.com/rthalley/dnspython/issues/343 documents broken use of
hashes in dns.dnssec.make_ds() and other python-dns methods. This is a
regression introduced with python-dns 1.16.

Mark the test as expecting to fail until python-dns is fixed in Fedora.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-22 09:43:51 -03:00
Armando Neto
481c540000 prci: update test definitions
Update boxes used in nightlies runs and add new ones.

Based on the changes made in freeipa/freeipa-pr-ci#304.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-22 09:43:51 -03:00
Christian Heimes
bebe09f3e4 Fix ca_initialize_hsm_state
Fixup for commit eb2313920e.
configparser's set() method does not convert boolean to string
automatically. Use string '"False"', which is then interpreted as
boolean 'False' by getboolean().

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-21 12:48:36 +03:00
François Cami
c709f13171 travis-ci: make dnf invocations more resilient
Travis-CI sometimes fails to download repository metadata or
packages. Change dnf configuration and invocation:
* activate dnf fastestmirror
* add more dnf retries
* invoke "dnf makecache" twice

Fixes: https://pagure.io/freeipa/issue/8048
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Scott Poore <spoore@redhat.com>
2019-08-21 11:00:04 +02:00
Alexander Bokovoy
c78cb9404e ipa-extdom-extop: test timed out getgrgid_r
Simulate getgrgid_r() timeout when packing list of groups user is a
member of in pack_ber_user().

Related: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-19 11:20:57 +03:00
Sumit Bose
9fe984fed7 extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exists otherwise the data of existing objects might be removed form
the cache of the clients causing unexpected behaviour like
authentication errors.

Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.

Fixes: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-08-19 11:20:57 +03:00
Christian Heimes
076d955b93 Store HSM token and state
The HSM state is stored in fstore, so that CA and KRA installer use the
correct token names for internal certificates. The default token is
"internal", meaning the keys are stored in a NSSDB as usual.

Related: https://pagure.io/freeipa/issue/5608
Co-authored-by: Magnus K Karlsson <magnus-ka.karlsson@polisen.se>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-08-19 09:56:08 +02:00
Florence Blanc-Renaud
41e5d4653a Nightly test definition: add missing tests
The following test was missing from all nightlies:
- test_integration/test_crlgen_manage.py

The following tests was missing from nightly_f29:
- test_integration/test_smb.py

The following test was missing from nightly_rawhide:
- test_integration/test_smb.py

Note: nightly_f28 not updated as we stopped testing on f28.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-14 14:21:31 +03:00
Alexander Bokovoy
ef80a0746f Update contributors
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-08-14 14:18:17 +03:00
Alexander Bokovoy
661804b748 Update translations
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-08-14 14:18:17 +03:00
Alexander Bokovoy
c9938e3d84 Add Theodor van Nahl to the Contributors.txt
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-08-13 16:45:53 -04:00
Christian Heimes
a36556e106 Allow insecure binds for migration
Commit 5be9341fba disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.

This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.

Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-08-13 18:43:58 +02:00
Christian Heimes
17c2e31fdc Don't move keys when key backup is disabled
The CA_BACKUP_KEYS_P12 file is not enabled when pki_backup_keys is
set to False. It's the case when FreeIPA is configured with HSM support.

Related: https://pagure.io/freeipa/issue/7677
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-08-13 11:30:18 +02:00