Commit Graph

15043 Commits

Author SHA1 Message Date
Alexander Bokovoy
637653a533 ipa-kdb: enforce SID checks when generating PAC
Check that a domain SID and a user SID in the PAC passed to us are what
they should be for the local realm's principal.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Robert Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Alexander Bokovoy
6cfb9b7193 ipa-kdb: store SID in the principal entry
If the principal entry in LDAP has SID associated with it, store it to
be able to quickly assess the SID when processing PAC.

Also rename string_to_sid to IPA-specific version as it uses different
prototype than Samba version.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Robert Crittenden <rcritten@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-10 15:00:27 -05:00
Florence Blanc-Renaud
2e7396b0e2 ipatests: fix get_user_result method
Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the get_user_result method to work in all the cases.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-10 14:05:53 +01:00
Rob Crittenden
b842b825ab Make the schema cache TTL user-configurable
The API schema is not checked for changes until after a TTL
is expired. A one-hour TTL was hardcoded which makes development
tedious because the only way to force a schema update is to
remember to remove files between invocations.

This adds a new environment variable, schema_ttl, to configure
the TTL returned by the server to schema() calls. This can be
set low to ensure a frequent refresh during development.

If the client is in compat mode, that is if client is working
against a server that doesn't support the schema() command,
then use the client's schema_ttl instead so that the user still
has control.

Re-check validity before writing the cache. This saves us both
a disk write and the possibility of updating the expiration
with a ttl of 0. This can happen if the fingerprint is still
valid (not expired, no language change) the schema check is
skipped so we have no server-provided ttl.

https://pagure.io/freeipa/issue/8492

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-03 10:59:10 +01:00
Mohammad Rizwan
6b544c4362 ipatests: remove redundant kinit from test
Fixture issue_and_expire_cert() kinit after moving the date to
expire certs. This fix is to rely on kinit from fixture.

Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-11-03 10:55:49 +01:00
Alexander Bokovoy
3d809c7061 doc/designs: fix formatting in LDAPI autobind design
Even though specifying 'raw' format is allowed, this breaks Read The
Docs which is not able to complete the full build of documentation and,
therefore, doesn't publish an updated documentation.

Pushed under one-liner rule.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 15:38:05 +02:00
Florence Blanc-Renaud
4b665ccf22 ipatests: revert wrong commit on gating definition
Commit ebe838c overwrote the PRCI definition with temp commit
and needs to be reverted.

Reviewed-By: Francois Cami <fcami@redhat.com>
2021-11-02 11:40:25 +01:00
Florence Blanc-Renaud
cc8a0bc24c ipatests: update the expected output of user-add cmd
The SID is not expected to be returned by ipa user-add.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
bede62bf19 User plugin: do not return the SID on user creation
The SID is not part of the default user attributes and does not
need to be returned in the user-add output.

Related: https://pagure.io/freeipa/issue/8995
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
02b4241e19 Webui tests: new idrange now requires base RID
Now that SID are always generated, the creation of a new
local idrange is refused if baserid is missing.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
c99b8bb4ab ipatests: backup-reinstall-restore needs to clear sssd cache
The integration tests that check backup-reinstall-restore
scenario need to clear sssd cache before checking the uid
of the admin user. For instance:
backup: saves the original admin uid
reinstall: creates a new admin uid, potentially cached by SSSD
restore: restores the original admin uid

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
fd53ed14b0 User lifecycle: ignore SID when moving from preserved to staged
When a preserved user entry is moved to staged state, the SID
attribute must not be provided to user-stage command (the option
does not exist and the SID will be re-generated anyway).

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
fdfde9ce52 ipatests: adapt expected output with SID
From now on, new users/groups automatically get a SID.
Update the expect test outputs.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
2d468fa49f ipatests: interactive install prompts for netbios name
The interactive server installation now prompts for netbios
name confirmation.
Add expected prompt and send response to the installer.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
8dc064c2e3 ipatests: add test ensuring SIDs are generated for new installs
The standard installer now configures all the items needed
for SID generation. Add a new test with the following scenario:
- install IPA server
- create an active user
- ensure the user's entry has an attribute ipantsecurityidentifier
- ensure that the kerberos ticket for the user contains PAC data
by using the utility ipa-print-pac

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
ed001c97ee ipa config: add --enable-sid option
Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME

The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.

--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.

This command can be run multiple times.

Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
b054532658 adtrust install: define constants for rid bases
Define constants for DEFAULT_PRIMARY_RID_BASE = 1000 and
DEFAULT_SECONDARY_RID_BASE = 100000000

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
5541b9d69f Installers: configure sid generation in server/replica installer
ADTRUSTInstance performs only sid configuration when it is
called without --setup-adtrust.

Update man pages for ipa-server-install and ipa-replica-install
with the SID-related options.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Florence Blanc-Renaud
f9e95ce51e SID generation: define SIDInstallInterface
Move the SID-related options into a separate InstallInterface
(--add-sids, --netbios-name, --rid-base and --secondary-rid-base),
make ADTrustInstallInterface inherit from SIDInstallInterface.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-11-02 10:11:28 +01:00
Sumedh Sidhaye
ebe838cb86 Test to verify if the case of a request for /ca/rest/authority/{id}/cert (or .../chain) where {id} is an unknown authority ID.
Test Steps:
1. Setup a freeipa server and a replica
2. Stop ipa-custodia service on replica
3. Create a LWCA on the replica
4. Verify LWCA is recognized on the server
5. Run `ipa ca-show <LWCA>`

BZ Link: https://bugzilla.redhat.com/show_bug.cgi?id=1958788

Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2021-11-01 11:27:53 -04:00
Sergey Orlov
f1922fe501
ipatests: use AD domain name from config instead of hardcoded value
The test fails when test config contains AD domain value other than one
hardcoded in the test code.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-11-01 13:57:18 +01:00
Armando Neto
d6d413628b
ipatests: bump rawhide template for PR-CI
New PR-CI template based on compose `Fedora-Rawhide-20211021.n.0`,
future Fedora 36.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-10-31 20:44:27 -03:00
Stanislav Levin
18456e71a1 ipatests: TestMultipleExternalCA: Create tempfiles on remote host
Previously, `test_master_install_ca1` and `test_master_install_ca2`
attempt to create tempdirs on local host and later write some
content into the returned paths on remote host. This fails if
a remote host is a local one.

The existent `create_temp_file` function has been extended to
support `suffix` option of `mktemp`.

Fixes: https://pagure.io/freeipa/issue/9013
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-10-28 16:29:01 -04:00
Rob Crittenden
5856f10733 On redhat-based platforms rely on authselect to enable sudo
The default platform task enable_sssd_sudo() writes directly
to nsswitch.conf to enable sudo. This isn't necessary to do on
systems with authselect where we already pass in with-sudo as a
profile option.

Override the default function with does a direct write with a no-op.

https://pagure.io/freeipa/issue/8755

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-10-28 16:24:06 -04:00
Florence Blanc-Renaud
bacddb8288 Design: Integrate SID configuration into base IPA installers
Add design doc for the feature.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-10-28 16:22:26 -04:00
Florence Blanc-Renaud
bbe554acf4 ipa-server-install uninstall: remove tdb files
ipa-server-install uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.

Related: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-10-21 18:58:16 +02:00
Florence Blanc-Renaud
91334b271a ipa-client-samba uninstall: remove tdb files
ipa-client-samba uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.

Fixes: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-10-21 18:58:16 +02:00
Michal Polovka
f11a4c3df5
ipatests: webui: Specify configuration loader
Default YAML loader has been deprecated in PyYAML-6.0, specify loader explicitly.

Fixes: https://pagure.io/freeipa/issue/9009

Signed-off-by: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-10-21 10:36:27 +02:00
Stanislav Levin
ade5b9dee2 azure: Don't customize pip's builddir
As of 21.3 pip:

> Remove the --build-dir option and aliases, one last time. (pypa/pip#10485)

https://pip.pypa.io/en/stable/news/#v21-3

Previous versions warn about deprecation.

The builddir is provided to pip via env variable PIP_BUILD in Tox task.
The purpose of changing of default builddir was noexec mount option for
/tmp in Travis (see 17d571c961). Since Travis is no longer used and
Azure lacks this issue the PIP_BUILD can be safely removed.

Note: pip 21.3 just ignores this env variable, which is more than can be
said for the command line option. It's better to clean it up, since the
behaviour may be changed in future.

This is effectively the revert of 17d571c961.

Fixes: https://pagure.io/freeipa/issue/9011
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-10-21 08:03:03 +02:00
Stanislav Levin
8f1dda6404 seccomp profile: Default to ENOSYS instead of EPERM
This allows application to detect whether the kernel supports
syscall or not. Previously, an error was unconditionally EPERM.
There are many issues about glibc failed with new syscalls in containerized
environments if their host run on old kernel.

More about motivation for ENOSYS over EPERM:
https://github.com/opencontainers/runc/issues/2151
https://github.com/opencontainers/runc/pull/2750

See about defaultErrnoRet introduction:
https://github.com/opencontainers/runtime-spec/pull/1087

Previously, FreeIPA profile was vendored from
https://github.com/containers/podman/blob/main/vendor/github.com/containers/common/pkg/seccomp/seccomp.json

Now it is merged directly from
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json

Fixes: https://pagure.io/freeipa/issue/9008
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-10-18 12:08:56 +02:00
Rob Crittenden
47fbe05f7f Improve sudooption docs, make the option multi-value
I don't know why this wasn't always multi-value but if one wanted
to set multiple options they needed to call add-option multiple
times. The LDAP attribute is already multi-value.

This shouldn't cause API issues as it understood the attribute as
multi-value just didn't expose it. Client output on the CLI will
look a bit different:

Added option "('one', 'two')" to Sudo Rule "test"

or

Added option "(u'one', u'Two')" to Sudo Rule "test"

instead of with this change:

Added option "one,two" to Sudo Rule "test"

Removing an option works in a similar way.

The value is normalized on the client side in order to ensure that
the option value is always a tuple.

https://pagure.io/freeipa/issue/2278

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-10-08 10:47:58 +02:00
Florence Blanc-Renaud
575074daf0 ipatests: Update the subca used in TestIPACommand::test_cacert_manage
The above test is installing 2 Let's Encrypt certificates:
the root ISRG Root X1 and a subca. The subca expired Oct 6 and needs to
be replaced with a valid one, otherwise ipa-cacert-manage install
refuses to install it.

Fixes: https://pagure.io/freeipa/issue/9006
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-10-08 10:39:05 +02:00
Sergey Orlov
2a7285c8dd
ipatests: check for message in sssd log only during actual test action
Get size of the log file immediately before main test action to avoid
capturing messages written to log during environment preparation.

Fixes https://pagure.io/freeipa/issue/8987

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-10-05 10:23:31 +02:00
Florence Blanc-Renaud
563077c935 webui test: close notification after selinux user map update
The test test_undo_refresh_reset_update_cancel is sometimes
failing because a notification obscures the selinuxmap record.

After saving the modification on the record, close any notification
to make sure the test succeeds.

Fixes: https://pagure.io/freeipa/issue/8846
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
2021-10-04 09:14:24 -04:00
Florence Blanc-Renaud
2d534662c4 ipatests: update expected error message for openssl verify
The test TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation
needs to be adapted with the new error message returned by
openssl verify when the provided certificate file does not exist.
The message changed with openssl3.

Fixes: https://pagure.io/freeipa/issue/8999
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-29 15:52:45 +02:00
Florence Blanc-Renaud
a6b3993d92 ipatests: increase sosreport verbosity
With the new version sos-4.2-1, sos report -v prints the
debug messages into sos.log only. In order to see the debug
messages in the console, -vv is needed.
For more info refer to sos report commit
1d0729a9dc

Since the test is looking for messages in stdout, use -vv to
make sure the expected messages are printed in the console.

Fixes: https://pagure.io/freeipa/issue/9000
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2021-09-29 15:50:31 +02:00
Vit Mojzis
cd85b729d3 selinux: Fix file context definition for /var/run
There is a file context equivalence rule assigning /run the same
contexts as /var/run. Because of it it's necessary to use /var/run
instead of /run in file context definitions.

See:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#File_contexts_and_equivalency_rules

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-09-27 09:53:38 -04:00
Pavel Březina
7a9301c5f9 kdb: fix typo in ipa_kdcpolicy_check_as
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-09-22 09:36:39 +02:00
Stanislav Levin
c0a2b37791 test_schema_plugin: Add missing tests for command, class and topic commands
Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-09-20 17:53:53 +02:00
Stanislav Levin
d4a3ed9dd4 test_schema_plugin: Drop dependency on Tracker
Tracker is the best for testing plugins dealing with LDAP.
The tests in test_schema_plugin are not used LDAP at all.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-09-20 17:53:53 +02:00
Stanislav Levin
210739c0ed command_defaults: Don't crash on nonexistent command
It's common for ipa commands to raise NotFound in such a case.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-09-20 17:53:53 +02:00
Stanislav Levin
7706dfaf09 schema plugin: Fix commands without metaobject arg
Previously, all the commands of schema plugin derived from
BaseMetaSearch require metaobject as their argument
(by implementation), but the spec for some of them only optionally
asks for search criteria arg. This patch fixes this inconsistency.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2021-09-20 17:53:53 +02:00
Rob Crittenden
540b01bc6e ipatests: Test that a user can be issued multiple certificates
Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2021-09-16 13:16:17 -04:00
Rob Crittenden
ba526c5cb0 Don't store entries with a usercertificate in the LDAP cache
usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.

What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.

I'm not comfortable with simply treating them the same because
in LDAP they are not.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2021-09-16 13:16:17 -04:00
Stanislav Levin
4fa6afa922 ipatests: Log debug messages for locator plugin
SSSD provides Kerberos plugin
> to tell the Kerberos libraries what Realm and which KDC to use.

It's useful to see what is happening during kinit in case of any
issues.

Related: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-15 10:16:54 +02:00
Stanislav Levin
93126e01a5 krb5: Pin kpasswd server to a primary one
There are time gaps in which kinit requests may fail due to
offlined SSSD's locator and replication delays.

Since `IPA` provider or SSSD offline the locator plugin for libkrb5
(man 8 sssd_krb5_locator_plugin) can do nothing about this and kinit
fallbacks to the standard libkrb5 algorithm described in `man 5 krb5.conf`.
`krb5.conf` on IPA server doesn't include `kpasswd_server` and kinit
fallbacks to DNS way. DNS (URI or SRV) RRs don't preserve any order
and kinit may contact either master or replica kpasswd servers.
This may result in a password was changed on a replica but was not
replicated to master:
master(kinit)->master(initial)->replica(kpasswd)->master(can't
obtain initial creds with new password)

So, `kpasswd_server` serves as fallback for the offlined locator.

Note: primary_kdc(the former master_kdc) doesn't help here because
it is only used if the initial credentials obtaining fails (see
`krb5_get_init_creds_password` in libkrb5) and not a password change.

Fixes: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-15 10:16:54 +02:00
Stanislav Levin
a941e8f602 azure: Ignore tar errors
Sometimes tar fails on changed in process files:
```
[2021-09-07 11:03:33] + tar --ignore-failed-read -czf ipaserver_install_logs.tar.gz --warning=no-failed-read /var/log/dirsrv /var/log/httpd2 /var/log/ipa /var/log/ipaclient-install.log /var/log/ipa-custodia.audit.log /var/log/ipaserver-install.log /var/log/krb5kdc.log /var/log/pki /var/log/samba /var/lib/bind/data systemd_journal.log
[2021-09-07 11:03:33] tar: Removing leading `/' from member names
[2021-09-07 11:03:33] tar: Removing leading `/' from hard link targets
[2021-09-07 11:03:33] tar: /var/log/dirsrv/slapd-IPA-TEST/access: file changed as we read it
[2021-09-07 11:03:33] + tests_result=1
```

This is expected failure since processes are not stopped during logs
collection and can flush their logs.

Fixes: https://pagure.io/freeipa/issue/8983
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2021-09-15 08:48:13 +02:00
Florence Blanc-Renaud
5edf144a7e Doc: add a design template
Add a template for new features in doc/designs/template.md
The template is excluded from automatic doc generation.

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-09-14 14:58:33 -04:00
Florence Blanc-Renaud
a2e06c385e ipatests: fix expected msg in tasks.run_ssh_cmd
OpenSSH 8.7p1 changed the message logged on successful
authentication (see commit 9e1882ef6489a7dd16b6d7794af96629cae61a53).

As a result, the method run_ssh_cmd is failing and needs to be
adapted in order to be compatible with old and new openssh versions.

Fixes: https://pagure.io/freeipa/issue/8989
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2021-09-14 14:56:42 -04:00
Chris Kelley
d43b513927 Make Dogtag return XML for ipa cert-find
Using JSON by default within Dogtag appears to cause ipa cert-find to
return JSON, when the request was made with XML. We can request that XML
is returned as before by specifying so in the request header.

Fixes: https://pagure.io/freeipa/issue/8980
Signed-off-by: Chris Kelley <ckelley@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
2021-09-10 13:56:46 -04:00