Invocation of the ipa dnsserver-find command failed with
internal server error when there is no DNS server in topology.
Fixes: https://pagure.io/freeipa/issue/6571
Reviewed-By: Martin Basti <mbasti@redhat.com>
The ID range comparison was comparing numbers to a string or possibly
to `None` and was tailored in such a way that the check would always
pass although it went directly against the definition of the absolute
value of a substitution.
https://pagure.io/freeipa/issue/7002
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
We don't have a use for realm as a bytes instance, return it as a
string, otherwise there's a use of str() on bytes in py3.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
When installing second (or consequent) KRA instance keys are retrieved
using custodia. Custodia checks that the keys are synchronized in
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.
https://pagure.io/freeipa/issue/7020
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
It is now possible to change UPN suffixes in WebUI. This change
allows another way to changing UPN suffixes for AD users.
https://pagure.io/freeipa/issue/7015
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
- associate UPN suffixes with the forest root and then allow for each
user account to choose UPN suffix for logon
- directly modify userPrincipalName attribute in LDAP
Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.
The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.
This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.
Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.
As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:
ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}
Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
The advise printing code was augmented by methods that simplify
generating bash snippets that report errors or failed commands.
https://pagure.io/freeipa/issue/6982
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
In session_storage.py, store_data() stores data as the bytes data
type but get_data() is returning a string. Have get_data() return
bytes as well.
https://pagure.io/freeipa/issue/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
User with the 'Enrollment Administrator' role assigned is able to
enroll client with ipa-client-install command.
Resolves: https://pagure.io/freeipa/issue/6852
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
In future default package names can start to pointing to py3 instead of
py2. We have to explicitly ask for python2-* and python3-* packages.
This commit changes only dependencies that are available in both F25 and
F26
https://pagure.io/freeipa/issue/4985
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.
Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
Older clients have issues properly parsing cookies and the sessionMaxAge
setting is one of those that breaks them.
Comment out the setting and add a comment that explains why it is not
set by default.
https://pagure.io/freeipa/issue/7001
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This is done by setting the kinit_lifetime option in default.conf
to a value that can be passed in with the -l option syntax of kinit.
https://pagure.io/freeipa/issue/7001
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Currently the certauth plugin use the unmodified principal from the
request to lookup the user. This might fail if e.g. enterprise
principals are use. With this patch the canonical principal form the kdc
entry is used.
Resolves https://pagure.io/freeipa/issue/6993
Reviewed-By: David Kupka <dkupka@redhat.com>
Complete fixing of the bug requires fix on python-gssapi side.
That fix is included in version 1.2.0-5.
Fixes: https://pagure.io/freeipa/issue/6796
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
The OCSP check was previously turned on but it introduced several
issues. Therefore the check will be turned off by default.
For turning on should be used ipa advise command with correct recipe.
The solution is tracked here: https://pagure.io/freeipa/issue/6982
Fixes: https://pagure.io/freeipa/issue/6981
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Enabling PKINIT often fails during server upgrade when requesting the KDC
certificate.
Now that PKINIT can be enabled post-install using ipa-pkinit-manage, avoid
the upgrade failure by not enabling PKINIT by default.
https://pagure.io/freeipa/issue/7000
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Add the ipa-pkinit-manage tool to allow enabling / disabling PKINIT after
the initial server install.
https://pagure.io/freeipa/issue/7000
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
After the KDC certificate is installed, add the PKINIT enabled flag to the
KDC master entry.
https://pagure.io/freeipa/issue/7000
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
When trying to delete a partially removed master entry lacking
'iparepltopomanagedsuffix' attribute, the code that tries to retrieve
tha value for further computations passes None and causes unhandled
internal errors.
If the attribute is empty or not present, we should return empty list
instead as to not break calling cod attribute, the code that tries to
retrieve tha value for further computations passes None and causes
unhandled internal errors. We should return empty list instead.
https://pagure.io/freeipa/issue/6965
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
We automatically add 'otp' and 'radius' authentication indicators when
pre-authentication with OTP or RADIUS did succeed. Do the same for
certauth-based pre-authentication (PKINIT).
A default PKINIT configuration does not add any authentication
indicators unless 'pkinit_indicator = pkinit' is set in kdc.conf.
Unfortunately, modifying kdc.conf automatically is a bit more
complicated than modifying krb5.conf. Given that we have 'otp' and
'radius' authentication indicators also defined in the code not in the
kdc.conf, this change is following an established trend.
SSSD certauth interface does not provide additional information about
which rule(s) succeeded in matching the incoming certificate. Thus,
there is not much information we can automatically provide in the
indicator. It would be good to generate indicators that include some
information from the certmapping rules in future but for now a single
'pkinit' indicator is enough.
Fixes https://pagure.io/freeipa/issue/6736
Reviewed-By: Simo Sorce <ssorce@redhat.com>
In service.py the primary key is krbCanonicalName, which we
don't want to use to do searchs. Now, cert-find uses primary
key or a specified attribute to do searches in LDAP, instead
of using only a primary key.
https://pagure.io/freeipa/issue/6948
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
There was a recursion in RPCClient.create_connection() which under rare
circumstances would not have an ending condition. This commit removes
it and cleans up the code a bit as well.
https://pagure.io/freeipa/issue/6796
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Made several improvements to coding style:
- same use of KerberosError throughout the module
- removed some unused variables
- moved code from try-except blocks if it didn't have to be there
- preparations for putting most of RPCClient.create_connection()
to loop
https://pagure.io/freeipa/issue/6796
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This commit removes recursion in RPCClient.forward() which may lack
end condition.
https://pagure.io/freeipa/issue/6796
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
With this patch the certificate mapping rules are reloaded every 5
minutes.
Resolves https://pagure.io/freeipa/issue/6963
Reviewed-By: David Kupka <dkupka@redhat.com>
The python-ldap classes that process schema definitions require a
unicode string, not a byte string. A recent py3 compatibility fix
(d89de4219d) changed the constructor
argument to a unicode string to dispel a warning, but this broke
schema update. Change it back to a bytestring.
Part of: https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Martin Basti <mbasti@redhat.com>
Some messages are only logged in journal. Collection of journal
makes debugging failed tests from logs easier.
Fixes: https://pagure.io/freeipa/issue/6971
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove brackets from the paths in naming pattern of directories
for multihost logs. Brackets in filenames require special handling
in markdown URLs, bash paths etc.
Related: https://pagure.io/freeipa/issue/6971
Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
F26 defaults to python3 with pylint package, we have to explicitly ask
for python2 version of pylint
https://pagure.io/freeipa/issue/6986
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
If the Subject DN is syntactically valid but contains unrecognised
name attributes, FreeIPA accepts it but Dogtag rejects it, returning
status 400 and causing the framework to raise RemoteRetrieveError.
Update the ca-add command to perform some additional validation on
the user-supplied Subject DN, making sure that we recognise all the
attributes.
Fixes: https://pagure.io/freeipa/issue/6987
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Reviewed-By: Felipe Volpone <felipevolpone@gmail.com>
Py3 doesn't support ordering with None value
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
with py3 urlopen used internally with pyldap doesn't work with raw
filepaths without specifying "file://" prefix. This works on both
py2/py3
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Functions mix unicode and bytes, use only bytes.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
softhsm works with bytes, so key_id must be byte otherwise we get errors
from bytes and string comparison
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
ConfigParser.readfd() is deprecated in py3, we can use .read() which is
compatible with py2
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
DeprecationWarning: The SafeConfigParser class has been renamed
to ConfigParser in Python 3.2. This alias will be removed in
future versions. Use ConfigParser directly instead.
https://fedorahosted.org/freeipa/ticket/4985
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
While the world certainly is interested in our privates, we
should not just go ahead and show it to them.
https://pagure.io/freeipa/issue/6973
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Subdirectories of remote plugins were forgotten in previous fix
d22ac59828cc4339d509804ddb3e2e1da9cfaa20 .
https://pagure.io/freeipa/issue/6927
Reviewed-By: Pavel Vomacka <pvomacka@redhat.com>