TestExternalTrustWithRootDomain was inherited from ADTrustSubdomainBase
This caused that external trust was checked two times with subdomain
and was not checked with root domain.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Before establishing trust with AD it is recommended in documentation
(and for many setups necessary) to create add DNS forwarder for AD domain.
Bind config supplied by ipa server has dnssec validation enabled.
If Windows server DNS does not have DNSSEC enabled with valid certificate,
then bind will not be able to use it as forwarder and trust will not be
established.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
It was changed in f487233df0
for unknown reason. It did not influence test runs as
configure_dns_for_trust was made no-op in previous commit
1d9e1521c5. As now this commit is reverted,
configure_dns_for_trust is restored, invocation parameters also need to
be changed to initial values.
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This reverts commit 1d9e1521c5.
The reverted commit message states:
"Since DNS configuration is no longer needed for running trust tests,
this method's contents are removed."
In fact tests can run without DNS configuration only in case if test setup
has a DNS server with DNSSEC support and there are A records for Windows
machines and SRV records Windows AD services and this DNS server is used
as forwarder by bind. If one of these in not true
then tests fail when trying to establish trust (ipa trust-add) as --server
option is not used and ipa can not find the AD machine. If we specify
--server option and add Windows hosts to /etc/hosts, then trust will be
established, but then sssd will fail to find the host to talk for getting users
from AD. So for general case we should setup DNS forwarders prior to
establishing trust, as stated in
https://www.freeipa.org/page/Active_Directory_trust_setup
Related to https://pagure.io/freeipa/issue/7889
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The test case for hidden replica restore is flaky and sometimes fails.
The general issues is covered by upstream bug 7894.
See: https://pagure.io/freeipa/issue/7894
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: François Cami <fcami@redhat.com>
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.
This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.
It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.
Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-setup-kra is failing in python2 with
invalid 'role_servrole': must be Unicode text
because of a unicode conversion error.
The method api.Command.server_role_find is called with the parameter
role_servrole='IPA master' but it should rather be
role_servrole=u'IPA master'
Fixes: https://pagure.io/freeipa/issue/7897
Reviewed-By: Christian Heimes <cheimes@redhat.com>
During upgrade, the method add_systemd_user_hbac is creating
a hbacsvc and a hbacrule, but fails in python2 because of
unicode conversion errors.
The arguments should be defined as u'value'.
Fixes: https://pagure.io/freeipa/issue/7896
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Samba 4.10 moved away to private libraries two functions we used to
convert a binary SID structre to strings:
- sid_talloc_string()
- sid_string_dbg()
We already used libsss_idmap to convert textual representation of SIDs
to a binary one, use the reverse function too.
libsss_idmap code operates on talloc structures, so we need to adopt a
bit a place where sid_string_dbg() was used because it assumed a static
buffer was provided by sid_string_dbg().
Finally, sid_talloc_string()'s replacement moves allocated memory to the
right context so that a memory will be freed earlier. Our SSSD idmap
context is a long-living one while in all cases where we were using
sid_talloc_string() we free the context much earlier.
Resolves: https://pagure.io/freeipa/issue/7893
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use methods:
- tasks.replica_install()
- tasks.client_install()
instead of custom methods.
Move ntp_pool/server to class scope.
Using teardown_method for cleanup.
Edit tasks.client_install to return result of installation.
Refactor install_replica task:
Add promote parameter to install_replica task.
Add ntp_args to install_client call and remove from
replica installation from tasks.install_replica while promoting.
Use case while not promoting has to have user allowed to enroll
a replica and server to contact in case autodiscovery does not work.
Related: https://pagure.io/freeipa/issue/7719
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If the `ipa idrange-mod` command has been used show a notification that sssd.service needs restarting. It's needed for applying changes. E.g. after setup AD trust with a domain with more than 200000 objects (the highest RID > idm's default value, 200000) users with RIDs > 200000 are not able to login, the size needs to be increased via idrange-mod, but it makes an effect only after sssd restarting.
Implementation:
Notification was implemented via passing `ipalib.messages.ServiceRestartRequired` to `add_message` method in `ipaserver.plugins.idrange.idrange_mod.post_callback`.
Tests:
Added `messages` with sssd restart required (`ipalib.messages.ServiceRestartRequired`) to cases with idrange_mod where output is expected in `ipatests.test_xmlrpc.test_range_plugin.test_range'.
Fixes: https://pagure.io/freeipa/issue/7708
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
There were several bugs across several projects preventing
installation when the CA subject DN contains characters that need
escaping in the string representation, e.g.
CN=Certificate Authority,O=Acme\, Inc.,ST=Massachusetts,C=US
The package versions containing relevant fixes are:
- 389-ds-base 1.4.0.20 (we already require >= 1.4.0.21)
- pki-core 10.5.5 (we already require >= 10.6.8)
- certmonger 0.79.7 (this commit bumps the dependency)
With this change, installation will now work. Integration tests are
left for a subsequent commit.
Fixes: https://pagure.io/freeipa/issue/7347
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The test was not executing ipa automember-rebuild --type hostgroup.
The test has been extended to execute it twice: Once when it needs to fail
because there is an orphan automember rule. Also after this orphan
automember rule has been removed. Here the test needs to succeed.
Fixes: https://pagure.io/freeipa/issue/7891
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When uninstalling a cluster and only hidden servers are left,
config-show can return a result set without ipa_master_server entry.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
The design draft explains implementation details, limitations, and API
changes for the new feature.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Exercise ipa-replica-install with a hidden replica as source server and
creation of replication agreements between a hidden and an enabled
replica.
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
ipa-{adtrust|ca|dns|kra}-install on a hidden replica also installs the
new service as hidden service.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
DNSSec key master and CA renewal master can't be hidden. There must be
at least one enabled server available for each role, too.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
config-show only used to show enabled servers. Now also show hidden
servers on separate lines. Additionally include information about
KRA and DNS servers.
The augmented config-show output makes it easier to diagnose a cluster
and simplifies sanity checks.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Hidden services are now considered as associated role providers, too. This
fixes the issue of:
invalid 'PKINIT enabled server': all masters must have IPA
master role enabled
and similar issues with CA and DNS.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
server-state modified the hidden / enabled flags of all configured
services of a server. Since the command does not directly modify the
server LDAP entry, the command has to be implemented as a dedicated plugin.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Move tests for DNS and roles into helper methods to make them reusable.
Fixes: https://pagure.io/freeipa/issue/7892
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami@redhat.com>
Signed-off-by: Francois Cami <fcami@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
A hidden replica is a replica that does not advertise its services via
DNS SRV records, ipa-ca DNS entry, or LDAP. Clients do not auto-select a
hidden replica, but are still free to explicitly connect to it.
Fixes: https://pagure.io/freeipa/issue/7892
Co-authored-by: Francois Cami <fcami@redhat.com>:
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Existing trust agreements will lack required Kerberos principals and
POSIX attributes expected to allow Active Directory domain controllers
to query IPA master over LSA and NETLOGON RPC pipes.
Upgrade code is split into two parts:
- upgrade trusted domain object to have proper POSIX attributes
- generate required Kerberos principals for AD DC communication
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Refactor ipa-sam code to generate principals with additional POSIX
information so that FreeIPA is capable to establish trust when using a
shared secret from Active Directory domain controller side.
Trust verification process from Samba AD DC or Microsoft Windows AD DC
side requires us to have a working local TDO object with POSIX
attributes so that smbd would be able to map incoming authenticated
Kerberos principal for the TDO to a local POSIX account.
Note that FreeIPA stores TDO objects in a subtree of cn=trusts,$SUFFIX
and thus SSSD is not able to see these POSIX accounts unless
specifically instructed to do so via multiple search bases. The support
for automatically enabling cn=trusts,$SUFFIX search base in IPA server
mode was added to SSSD 1.16.3 and 2.1.0 with the commit
14faec9cd9
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes@redhat.com>
SSSD and Samba on IPA masters need to be able to look up POSIX
attributes of trusted domain objects in order to allow Active Directory
domain controllers from trusted forests to connect to LSA and NETLOGON
pipes.
We only have access to read POSIX attributes in cn=accounts,$SUFFIX
subtree rather than whole $SUFFIX. Thus, add an ACI to trusts subtree.
Fixes: https://pagure.io/freeipa/issue/6077
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Replace manual queries of container_masters with new APIs get_masters()
and is_service_enabled().
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Replace occurences of ('cn', 'masters'), ('cn', 'ipa'), ('cn', 'etc')
with api.env.container_masters.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fixup for commit c0fd5e39c7. Only set
ca_host to source master hostname if ca_host points to the local host.
This permits users to override ca_host in /etc/ipa/default.conf when
installing a replica.
Related: https://pagure.io/freeipa/issue/7744
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Commit 53e0b2255d introduced a minor bug.
Instead of comparing errno to ENOENT, the check assigned ENOENT to
errno.
Coverity: CID 337082
See: https://pagure.io/freeipa/issue/4607
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This directory has been already dropped in @6d66e826c,
but not entirely.
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use proper filter that is caught up by the ACI for 'permission:System:
Read Domain Level' to allow any authenticated user to see the domain
level.
If the server doesn't have domain level set, callers in replica
installer expect errors.NotFound but never get it.
Return the right exception here and change the other caller to follow
the same convention.
Inability to retrieve ipaDomainLevel attribute due to a filter mismatch
casues ipa-replica-install to fail if run as a replica host principal.
Use DOMAIN_LEVEL_0 constant instead of 0 as used by the rest of the code.
Fixes: https://pagure.io/freeipa/issue/7876
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-replica-manage force-sync --from <server> is performing a wrong check
that may result in the tool looping on "No status yet".
force-sync is adding a nsds5replicaupdateschedule attribute to the
replication agreement in order to force replication to wake up. Note that
this is not a re-initialization (re init drops the current db and reloads
the entire db).
In a second step, force-sync is checking the replication agreement by reading
nsds5BeginReplicaRefresh, nsds5ReplicaLastInitStatus,
nsds5ReplicaLastInitStart and nsds5ReplicaLastInitEnd. This is a wrong
test as force-sync is not an init operation and does not touch these
attributes.
The tool should call wait_for_repl_update rather than wait_for_repl_init.
This way, the check is done on the replication agreement attributes
nsds5replicaUpdateInProgress, nsds5ReplicaLastUpdateStatus,
nsds5ReplicaLastUpdateStart and nsds5ReplicaLastUpdateEnd.
Fixes: https://pagure.io/freeipa/issue/7886
Reviewed-By: Christian Heimes <cheimes@redhat.com>
It allows to avoid confusion with identical short hostnames.
There are two cases implemented:
- no common DNS zone: graph shows FQDN for all nodes
- all nodes have one common DNS zone: graph shows DN relatively to the common zone
https://pagure.io/freeipa/issue/7206
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Coverity found the following issue:
Error: BAD_COMPARE (CWE-697): [#def1]
freeipa-4.6.5/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c:121: null_misuse: Comparing pointer "threadnumber" against "NULL" using anything besides "==" or "!=" is likely to be incorrect.
The comparison is using the pointer while it should use the pointed value.
Fixes: https://pagure.io/freeipa/issue/7884
Reviewed-By: Christian Heimes <cheimes@redhat.com>
With 389-DS 1.4.0.21, automember plugin also gets triggered on modify ops
by default. This means that a member manually removed gets automatically
re-added by the plugin.
This behavior can be disabled by setting autoMemberProcessModifyOps=off in
the entry cn=Auto Membership Plugin,cn=plugins,cn=config.
Before 389-DS 1.4.0.21, it was possible to remove a member and the member
did not get re-added (unless automember-rebuild was called). This former
behavior can be forced by setting autoMemberProcessModifyOps=off.
This commit fixes the test and checks the behavior when
autoMemberProcessModifyOps=off and when autoMemberProcessModifyOps=on.
Fixes: https://pagure.io/freeipa/issue/7855
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Sending the full uri was causing httplib to send requests as:
POST http://ipa.example.com/ca/admin/ca/getStatus HTTP/1.1
From what I can tell tomcat changed its URL handling due to a CVE
(BZ 1552375). This has been wrong in freeipa since the CA status
checking was added, d6fbbd5 , but tomcat handled it fine so we
didn't notice.
https://pagure.io/freeipa/issue/7883
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The user and group lookups done by the extdom plugin might need some
time depending on the state of the service (typically SSSD) handling the
requests.
To avoid that all worker threads are busy waiting on a connect or a
reply from SSSD and no other request can be handled this patch adds an
instance counter and an instance limit for the extdom plugin.
By default the limit will be around 80% of the number of worker threads.
It can be tuned further with the plugin option ipaExtdomMaxInstances
which must in set in ipaextdommaxinstances and should have an integer
value larger than 0 and lesser than the number of worker threads.
If the instance limit is reached the extdom plugin will return LDAP_BUSY
for every new request until the number of instance is again below the
limit.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If ipa-server-install --uninstall is called on a server that
is CRL generation master, refuse uninstallation unless
--ignore-last-of-role is specified or (in interactive mode)
the admin is OK to force uninstallation.
Related to https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Add new integration tests for the new command ipa-crlgen-manage,
and test_cmdline tests.
Related to: https://pagure.io/freeipa/issue/5803
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
If the mask used during the installation is "too restrictive", ie.0027,
installing FreeIPA results in a broken server or replica.
Check for too-restrictive mask at install time and error out.
Fixes: https://pagure.io/freeipa/issue/7193
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
