Commit Graph

11470 Commits

Author SHA1 Message Date
Tibor Dudlák
74d36a8af6 dnsserver.py: dnsserver-find no longer returns internal server error
Invocation of the ipa dnsserver-find command failed with
internal server error when there is no DNS server in topology.

Fixes: https://pagure.io/freeipa/issue/6571
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:51:06 +02:00
Stanislav Laznicka
440c61dc40 adtrustinstance: fix ID range comparison
The ID range comparison was comparing numbers to a string or possibly
to `None` and was tailored in such a way that the check would always
pass although it went directly against the definition of the absolute
value of a substitution.

https://pagure.io/freeipa/issue/7002

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-15 13:49:05 +02:00
Stanislav Laznicka
c8cc62564b Docstring+refactor of IPADiscovery.ipadnssearchkrbrealm()
Added a docstring and made a tiny miny refactor to
IPADiscovery.ipadnssearchkrbrealm()

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:42:52 +02:00
Stanislav Laznicka
1cab1e980c ipadiscovery: Return realm as a string
We don't have a use for realm as a bytes instance, return it as a
string, otherwise there's a use of str() on bytes in py3.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:42:52 +02:00
Thorsten Scherf
e8358eaea9 Changed ownership of ldiffile to DS_USER
Resolves:
https://pagure.io/freeipa/issue/7010

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 10:40:18 +02:00
David Kupka
342f72140f kra: promote: Get ticket before calling custodia
When installing second (or consequent) KRA instance keys are retrieved
using custodia. Custodia checks that the keys are synchronized in
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.

https://pagure.io/freeipa/issue/7020

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-15 10:10:27 +02:00
David Kreitschmann
bf0ba9b36e Disable pylint in get_help function because of type confusion.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-15 09:12:19 +02:00
David Kreitschmann
d5bb541061 Store help in Schema before writing to disk
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-15 09:12:19 +02:00
Pavel Vomacka
b25412f988 WebUI: add support for changing trust UPN suffixes
It is now possible to change UPN suffixes in WebUI. This change
allows another way to changing UPN suffixes for AD users.

https://pagure.io/freeipa/issue/7015

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-14 16:55:15 +02:00
Alexander Bokovoy
abb6384875 trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:

  ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-14 16:38:12 +02:00
Martin Babinsky
e418e9a4ca Prepare advise plugin for smart card auth configuration
The plugin contains recipes for configuring Smart Card authentication
on FreeIPA server and enrolled client.

https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes
https://pagure.io/freeipa/issue/6982

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-14 12:24:20 +02:00
Martin Babinsky
0569c02f17 Extend the advice printing code by some useful abstractions
The advise printing code was augmented by methods that simplify
generating bash snippets that report errors or failed commands.

https://pagure.io/freeipa/issue/6982

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-14 12:24:20 +02:00
Stanislav Laznicka
d665224a85 session_storage: Correctly handle string/byte types
In session_storage.py, store_data() stores data as the bytes data
type but get_data() is returning a string. Have get_data() return
bytes as well.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-09 16:59:53 +02:00
Tibor Dudlák
468eb3c712 Add Role 'Enrollment Administrator'
User with the 'Enrollment Administrator' role assigned is able to
enroll client with ipa-client-install command.

Resolves: https://pagure.io/freeipa/issue/6852
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-09 16:37:40 +02:00
Martin Basti
a2147de6e2 Explicitly ask for py2 dependencies in py2 packages
In future default package names can start to pointing to py3 instead of
py2. We have to explicitly ask for python2-* and python3-* packages.

This commit changes only dependencies that are available in both F25 and
F26

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-09 16:34:15 +02:00
Tibor Dudlák
063211d665 server.py: Removes dns-server configuration from ldap
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.

Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-08 16:54:04 +02:00
Tibor Dudlák
dfc271fdf4 sssd.py: Deprecating no-sssd option.
Resolves: https://pagure.io/freeipa/issue/5860
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-08 15:47:16 +02:00
Tibor Dudlák
eae8714026 client.py: Replace hardcoded 'admin' with options.principal
Fixes: https://pagure.io/freeipa/issue/5406
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-08 15:45:29 +02:00
Simo Sorce
c52ca92cda Revert setting sessionMaxAge for old clients
Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-07 15:36:26 +02:00
Simo Sorce
77db574cca Add code to be able to set default kinit lifetime
This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.

https://pagure.io/freeipa/issue/7001

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-07 15:36:26 +02:00
Sumit Bose
117d6e9be0 ipa-kdb: use canonical principal in certauth plugin
Currently the certauth plugin use the unmodified principal from the
request to lookup the user. This might fail if e.g. enterprise
principals are use. With this patch the canonical principal form the kdc
entry is used.

Resolves https://pagure.io/freeipa/issue/6993

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-07 14:00:06 +02:00
Pavel Vomacka
2485c3377a Bump version of python-gssapi
Complete fixing of the bug requires fix on python-gssapi side.
That fix is included in version 1.2.0-5.

Fixes: https://pagure.io/freeipa/issue/6796
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-07 13:58:17 +02:00
Martin Basti
6637980af6 Only warn when specified server IP addresses don't match intf
In containers local addresses differ from public addresses and we need
a way to provide only public address to installers.

https://pagure.io/freeipa/issue/2715
https://pagure.io/freeipa/issue/4317

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
2017-06-06 18:10:33 +02:00
Pavel Vomacka
566361e63d Turn off OCSP check
The OCSP check was previously turned on but it introduced several
issues. Therefore the check will be turned off by default.

For turning on should be used ipa advise command with correct recipe.
The solution is tracked here: https://pagure.io/freeipa/issue/6982

Fixes: https://pagure.io/freeipa/issue/6981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:33:54 +02:00
Jan Cholasta
0772ef20b3 server upgrade: do not enable PKINIT by default
Enabling PKINIT often fails during server upgrade when requesting the KDC
certificate.

Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid
the upgrade failure by not enabling PKINIT by default.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Jan Cholasta
92276c1e88 pkinit manage: introduce ipa-pkinit-manage
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Jan Cholasta
e131905f3e server certinstall: update KDC master entry
After the KDC certificate is installed, add the PKINIT enabled flag to the
KDC master entry.

https://pagure.io/freeipa/issue/7000

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-06 13:27:44 +02:00
Martin Babinsky
8ef4888af7 fix incorrect suffix handling in topology checks
When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
tha value for further computations passes None and causes unhandled
internal errors.

If the attribute is empty or not present, we should return empty list
instead as to not break calling cod attribute, the code that tries to
retrieve tha value for further computations passes None and causes
unhandled internal errors. We should return empty list instead.

https://pagure.io/freeipa/issue/6965

Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-06-05 18:37:37 +02:00
Alexander Bokovoy
e8a7e2e38a ipa-kdb: add pkinit authentication indicator in case of a successful certauth
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).

A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.

SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.

Fixes https://pagure.io/freeipa/issue/6736

Reviewed-By: Simo Sorce <ssorce@redhat.com>
2017-06-05 18:35:27 +02:00
Felipe Volpone
44bd5e358b Changing cert-find to do not use only primary key to search in LDAP.
In service.py the primary key is krbCanonicalName, which we
don't want to use to do searchs. Now, cert-find uses primary
key or a specified attribute to do searches in LDAP, instead
of using only a primary key.

https://pagure.io/freeipa/issue/6948

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-02 16:45:43 +02:00
Stanislav Laznicka
e1f8684e85 rpc: avoid possible recursion in create_connection
There was a recursion in RPCClient.create_connection() which under rare
circumstances would not have an ending condition. This commit removes
it and cleans up the code a bit as well.

https://pagure.io/freeipa/issue/6796

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-02 16:43:02 +02:00
Stanislav Laznicka
79d1752577 rpc: preparations for recursion fix
Made several improvements to coding style:
 - same use of KerberosError throughout the module
 - removed some unused variables
 - moved code from try-except blocks if it didn't have to be there
 - preparations for putting most of RPCClient.create_connection()
   to loop

https://pagure.io/freeipa/issue/6796

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-02 16:43:02 +02:00
Stanislav Laznicka
81a808caeb Avoid possible endless recursion in RPC call
This commit removes recursion in RPCClient.forward() which may lack
end condition.

https://pagure.io/freeipa/issue/6796

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-02 16:43:02 +02:00
Sumit Bose
e8aed25248 ipa-kdb: reload certificate mapping rules periodically
With this patch the certificate mapping rules are reloaded every 5
minutes.

Resolves https://pagure.io/freeipa/issue/6963

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-02 16:40:24 +02:00
Fraser Tweedale
89eb162fcd py3: fix regression in schemaupdate
The python-ldap classes that process schema definitions require a
unicode string, not a byte string.  A recent py3 compatibility fix
(d89de4219d) changed the constructor
argument to a unicode string to dispel a warning, but this broke
schema update.  Change it back to a bytestring.

Part of: https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-02 09:55:13 +02:00
Tomas Krizek
48b7e83511 ipatests: add systemd journal collection for multihost tests
Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.

Fixes: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-01 11:50:44 +02:00
Tomas Krizek
906c4c9459 ipatests: change logdir naming pattern for multihost tests
Remove brackets from the paths in naming pattern of directories
for multihost logs. Brackets in filenames require special handling
in markdown URLs, bash paths etc.

Related: https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-01 11:50:44 +02:00
Martin Basti
be1415b6cc pylint: explicitly depends on python2-pylint
F26 defaults to python3 with pylint package, we have to explicitly ask
for python2 version of pylint

https://pagure.io/freeipa/issue/6986

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:51:52 +02:00
Fraser Tweedale
5f0e13ce9c ca-add: validate Subject DN name attributes
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.

Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.

Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
2017-06-01 09:28:36 +02:00
Martin Basti
99771ceb9f py3: update_mod_nss_cipher_suite: ordering doesn't work with None
Py3 doesn't support ordering with None value

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
c6a57d8091 py3: urlfetch: use "file://" prefix with filenames
with py3 urlopen used internally with pyldap doesn't work with raw
filepaths without specifying "file://" prefix. This works on both
py2/py3

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
b09a941f34 py3: cainstance: fix BytesWarning
https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
d89de4219d py3: schemaupdate: fix BytesWarning
str() was called on bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
bc9addac30 py3: LDAP updates: use only bytes/raw values
Functions mix unicode and bytes, use only bytes.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
d7a9e81fbd py3: softhsm key_id must be bytes
softhsm works with bytes, so key_id must be byte otherwise we get errors
from bytes and string comparison

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
27f8f9f03d py3: ipaldap: encode Boolean as bytes
Python LDAP requires bytes

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
6e7071d6ad py3: ConfigParser: replace deprecated readfd with read
ConfigParser.readfd() is deprecated in py3, we can use .read() which is
compatible with py2

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Martin Basti
2e63ec42d0 py3: use ConfigParser instead of SafeConfigParser
DeprecationWarning: The SafeConfigParser class has been renamed
to ConfigParser in Python 3.2. This alias will be removed in
future versions. Use ConfigParser directly instead.

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-01 09:24:24 +02:00
Stanislav Laznicka
3b6892783e kdc.key should not be visible to all
While the world certainly is interested in our privates, we
should not just go ahead and show it to them.

https://pagure.io/freeipa/issue/6973

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-05-31 18:18:47 +02:00
Martin Basti
71adc8cd3f Add remote_plugins subdirectories to RPM
Subdirectories of remote plugins were forgotten in previous fix
d22ac59828cc4339d509804ddb3e2e1da9cfaa20 .

https://pagure.io/freeipa/issue/6927

Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
2017-05-31 10:32:57 +02:00