Commit Graph

13601 Commits

Author SHA1 Message Date
Rob Crittenden
6cb4f4bd50 ipa-certupdate removes all CA certs from db before adding new ones
This will allow for CA certificates to be dropped from the list
of certificates. It also allows for the trust flags to be
updated when an existing cert is dropped and re-added.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-28 13:05:31 -05:00
Rob Crittenden
acfb6191a1 Add delete option to ipa-cacert-manage to remove CA certificates
Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.

https://pagure.io/freeipa/issue/8124

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-28 13:05:31 -05:00
Gaurav Talreja
4a1f56ecdc Normalize test definations titles
Rename job titles to match their test suites and how they are defined in nightly yamls.

Issue : https://github.com/freeipa/freeipa-pr-ci/issues/336

Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-27 09:38:20 -03:00
Christian Heimes
e9ae7c4b89 lite-setup: configure lite-server test env
Introduce a script that configures a local testing environment
with ipa default.conf, krb5.conf, and ca.crt from a server hostname.

The lite server configuration allows easy and convenient testing of
IPA server and client code. It uses an existing 389-DS and KRB5 KDC
server on another machine:

    $ contrib/lite-setup.py master.ipa.example
    $ source ~/.ipa/activate.sh
    (ipaenv) $ kinit username
    (ipaenv) $ make lite-server

IPA server UI is available on http://localhost:8888/ipa/

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-24 08:35:47 -05:00
Christian Heimes
0a55e82d91 Add tracemalloc support to profile memory usage
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-24 08:35:47 -05:00
Sergey Orlov
0ad4f4c86a
ipatests: add test_winsyncmigrate suite to nightly runs
The test suite test_winsyncmigrate was missing in nightly definitions
because CI was lacking configuration needed for establishing winsync
agreement: the Certificate Authority needs to be configured on
Windows AD instance. Now that PR-CI is updated to include said changes, we
can start executing this test suite. It is not reasonable to add it to
gating as this suite is time consuming just like other tests requiring
provisioning of AD instances.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-23 16:38:56 +01:00
Christian Heimes
10b62ad6bc Make assert_error compatible with Python 3.6
The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.

Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2020-01-22 13:15:19 -05:00
Christian Heimes
e107b8e4fe Print LDAP diagnostic messages on error
ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join
and ipa-getkeytab now print LDAP error string and LDAP diagonstic messages
to stderr.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-17 15:47:00 +01:00
Robbie Harwood
df6a89be51 Fix several leaks in ipadb_find_principal
`vals` is often leaked during early exit.  Refactor function to use a
single exit path to prevent this.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-15 10:00:08 +01:00
Robbie Harwood
ab4e910c52 Use separate variable for client fetch in kdcpolicy
`client` is not intended to be modified as a parameter of the AS check
function.  Fixes an "incompatible pointer type" compiler warning.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-15 10:00:08 +01:00
Robbie Harwood
3ccf73bfd6 Make the coding style explicit
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-15 10:00:08 +01:00
Florence Blanc-Renaud
ae140ae406 ipatests: fix backup and restore
The tests for backup_and_restore check that the ipa-backup command
compresses the tar file AFTER restarting IPA services by reading the
output and looking for a pattern with "gzip" before "Starting IPA service."

As the tar file name is randomly created, it sometimes happen that the
name contains gzip and in this case the test wrongly assumes that
the gzip cmd was called.

The fix makes a stricter comparison, looking for /bin/gzip.

Fixes: https://pagure.io/freeipa/issue/8170
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2020-01-14 16:27:50 -05:00
Rob Crittenden
b5b9efeb57 Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.

This CA helper can do a number of things:

- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
  LDAP

A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.

There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
   certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
   URL to be passed to dogtag.

For the purposes of clarity "cookie" here is the value within
the JSON.

The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.

This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.

The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.

Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).

There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.

An example of a cookie when retrieving a new RA Agent certificate
is:

{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}

This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857

For a renewal, the reconstructed cookie will consist of:

{"profile": "caServerCert", "cookie": ""}

https://pagure.io/freeipa/issue/8164

Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-13 10:08:38 -05:00
Anuja More
f35738ef22 Add xmlrpc test with input validation check for kerberos ticket policy.
This checks that valid/invalid inputs for subtypes of
authentication indicator kerberos ticket policy options.

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2020-01-13 13:05:47 +01:00
Florence Blanc-Renaud
e2d69380fb AD user without override receive InternalServerError with API
When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error

The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:

$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized

with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access:  Invalid credentials

Fixes: https://pagure.io/freeipa/issue/8163
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
2020-01-10 17:07:57 +01:00
François Cami
5fe8fc6298 ipatests: expect "Dynamic Update" and "Bind update policy" in default dnszone* output
Fix XMLRPC tests so that "Dynamic Update" and "Bind update policy"
can be displayed by default in many DNS commands' output.

Related to: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-06 09:42:21 -05:00
François Cami
5b95d4cc50 ipaserver/plugins/dns.py: add "Dynamic Update" and "Bind update policy" to default dnszone* output
Displaying "Dynamic Update" and "Bind update policy" by default
when 'ipa dnszone-show/find' are used would make client dns update
failures easier to diagnose, so display them.

Fixes: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2020-01-06 09:42:21 -05:00
Armando Neto
a22e873480 prci: update packages for rawhide nightly runs
This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2020-01-03 09:43:40 -03:00
Jayesh Garg
fb3c2c1402 Nightly definations commit
Signed-off-by: Jayesh Garg <jgarg@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-12-23 12:56:30 +01:00
Jayesh
ad3bf5042d Test for ipa-ca-install on replica
Test on replica for ipa-ca-install with options
--no-host-dns,--skip-schema-check,done changes in
ipatests/pytest_ipa/integration/tasks.py because
wants to pass few arguments to install_ca method

Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2019-12-23 12:56:30 +01:00
Anuja More
bfc998eae2 Fix fedora version for xfail for sssd test
Test was failing in nightly_PR for ipa-4.7
As https://pagure.io/SSSD/sssd/issue/3978 is not available on
fedora-29

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-12-23 10:21:25 +01:00
Anuja More
83ec9296a9 Add integration test for otp kerberos ticket policy.
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a otp indicator type.

Related: https://pagure.io/freeipa/issue/8001

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-20 16:29:30 +02:00
Jayesh
09a5192f25 Test ipa-getkeytab quiet mode, encryptons
This will first check ipa-getkeytab quiet mode,
then it will check ipa-getkeytab server name,
then it will check different type of encryptions

Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-20 16:17:42 +02:00
Fraser Tweedale
2a2cc96166 ipatests: add test for certinstall with notBefore in the future
Part of: https://pagure.io/freeipa/issue/8142

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-12-19 15:50:44 +01:00
Jayesh Garg
d7b3aafc63 Test if ipactl starts services stopped by systemctl
This will first check if all services are running then it will stop
few service. After that it will restart all services and then check
the status and pid of services.It will also compare pid after ipactl
start and restart in case of start it will remain unchanged on the
other hand in case of restart it will change.

Signed-off-by: Jayesh Garg <jgarg@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
2019-12-18 18:48:36 +01:00
Alexander Bokovoy
2ed5eca762 Reset per-indicator Kerberos policy
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.

Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.

Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.

Fixes: https://pagure.io/freeipa/issue/8153

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-18 14:16:33 +01:00
Gaurav Talreja
775bbb919a prci: bump template version for nightly_rawhide
New template is based on Fedora-Cloud-Base-Vagrant-Rawhide-20191201.n.0.x86_64.vagrant-libvirt.box

Template used : https://app.vagrantup.com/freeipa/boxes/ci-master-frawhide/versions/0.0.10

Tested at : https://github.com/freeipa-pr-ci2/freeipa/pull/94

Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-12-17 15:53:31 -03:00
Fraser Tweedale
c4b0cf4d63 Fix test regressions caused by certificate validation changes
Some integration tests (that were enabled in nightly CI but not
PR-CI) are failing due to changes in the error messages.  Update the
error message assertions to get these tests going again.

Part of: https://pagure.io/freeipa/issue/8142

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-12-17 09:20:43 +01:00
Fraser Tweedale
3d779b492d ipatests: assert_error: allow regexp match
Enhance the assert_error subroutine to provide regular expression
matching against the command's stderr output, in additional to
substring match.

Part of: https://pagure.io/freeipa/issue/8142

Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-12-17 09:20:43 +01:00
Fraser Tweedale
aa9340cfdb removed unused function export_pem_p12
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-12-17 09:18:37 +01:00
Anuja More
0162f3aafd ipatests: filter_users should be applied correctly.
Added test which checks that no look up should
be added in data provider when users are added in
filter_users for doamin provider.

Related Ticket:
https://pagure.io/SSSD/sssd/issue/3978

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-12-17 08:29:49 +01:00
Armando Neto
ef1b8d0f49 ipatests: Skip test_sss_ssh_authorizedkeys method
Temporarily skipping test due to unknown time-outs happening regularly.

Issue: https://pagure.io/freeipa/issue/8151

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
2019-12-16 17:17:37 -03:00
Thomas Woerner
f80a6548ad DNS install check: Fix overlapping DNS zone from the master itself
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.

Both issues have been fixed and the deployment with existing name servers
is properly working again.

Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2019-12-16 18:02:22 +01:00
Dinesh Prasanth M K
df59f09eed Adding auto COPR builds
Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-14 14:20:34 +02:00
Armando Neto
0926cb87da ipatests: Improve test_commands reliability
Sometimes ssh command gets stuck, running manually without passing a command
to be executed this is returned:

```
$ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \
  -o StrictHostKeyChecking=no -l testsshuser \
  -i /tmp/tmp.rQIT3KYScX master.ipa.test
Could not chdir to home directory /home/testsshuser: No such file or directory
```

This commit forces the homedir creation and adds a timeout to ssh.

Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-14 14:19:21 +02:00
Florence Blanc-Renaud
8a522bed6b ipa-cacert-manage man page: fix indentation
Fix the indentation of the SYNPOSIS section

Fixes: https://pagure.io/freeipa/issue/8138
Reviewed-By: Francois Cami <fcami@redhat.com>
2019-12-13 17:49:22 +02:00
Alexander Bokovoy
3d402b69eb ipa-client-samba: map domain sid of trust domain properly for display
Trusted domain object in LDAP uses ipaNTTrustedDomainSID attribute to
store SID of the trusted domain while IPA domain itself uses
ipaNTSecurityIdentifier. When mapping the values for printing out a
summary table, use the right mapping according to the object.

Fixes: https://pagure.io/freeipa/issue/8149
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-12-13 17:33:33 +02:00
François Cami
c8f1ed1213 ipatests/test_nfs.py: wait before umount
umount calls including in cleanup do not wait.
The test failed once with:
"umount.nfs4: /home: device is busy"
which looks like a leftover open file descriptor.
Add wait periods before umount.

Fixes: https://pagure.io/freeipa/issue/8144
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-13 04:47:52 +02:00
Sumit Bose
f0d12b7f1b ipa-kdb: Remove keys if password auth is disabled
With commit 15ff9c8 a check was removed and as a result Kerberos keys
are unconditionally added to the user entry struct if they are
available. As a result the password related pre-authentication methods
PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH
reply to an AS_REQ.

With respect to the KDC policies this does not matter much because if
password authentication is disabled for the given principal the policy
will reject the AS_REQ if the user tries password authentication. This
is possible because with commit 15ff9c8 kinit will ask for a password if
called without any additional options (e.g. armor ticket or PKINIT
identity). Before 15ff9c8 was committed it just failed with 'kinit:
Pre-authentication failed: Invalid argument while getting initial
credentials' because no suitable pre-authentication method was
available. This is the same behavior as if no password was set for the
given principal.

But with this change SSSD fails to detect the available authentication
types for the given principal properly. As described in
https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
SSSD uses the MIT Kerberos responder interface to determine the
available authentication methods for the principal and does not check
the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp)
authentication configured, which implies that a password is set as the
first factor, the responder interface will always indicate that password
authentication is available even if only opt is enabled for the user.

In this case SSSD will use a prompting which indicates that the second
factor might be optional. Additionally if prompting the user directly is
not possible (e.g. ssh with ChallengeResponseAuthentication /
KbdInteractiveAuthentication disabled) the single string entered by the
user will always be assumed as a password and not as a combination of
password and otp-token value. As a consequence authentication will
always fail because password authentication is disabled for the user and
since SSSD does not do try-and-error 2FA is not tried.

This patch add back the check so that if password authentication is not
available for the principal the Kerberos will not be added to the entry
struct and the KDC will not advertise PA-ENC-TIMESTAMP or
PA-ETYPE-INFO2. If you think this is wrong and the behavior added by
15ff9c8 should be preferred SSSD handing of the available authentication
types must be extended to read ipaUserAuthType as well to restore the
user experience with respect to 2FA prompting and ssh behavior.

Related to https://pagure.io/freeipa/issue/8001

Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-13 03:49:47 +02:00
Thomas Woerner
a2820bbbc3 Enable TestInstallMasterDNSRepeatedly in prci_definitions
For fedora-latest, pki-fedora, fedora-previous and fedora-rawhide

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-12 18:24:44 +01:00
Thomas Woerner
d070c59577 Test repeated installation of the primary with DNS enabled and domain set
Test that a repeated installation of the primary with DNS enabled
will lead to a already installed message and not in "DNS zone X
already exists in DNS" in check_zone_overlap.

The error is only occuring if domain is set explicitly in the command
line installer as check_zone_overlap is used in the domain_name validator.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-12 18:24:44 +01:00
Alexander Bokovoy
dd7fdaa77d DNS install check: allow overlapping zone to be from the master itself
When re-running `ipa-server-install --setup-dns` on already installed
server, we do not get to the check of being already installed because
DNS zone overlap forces us to fail earlier.

Change exception returned for this case from check_zone_overlap() to
return structured information that allows to understand whether we are
finding a conflict with ourselves.

Use the returned information to only fail DNS check at this point if DNS
zone overlap is generated by a different name server than ourselves.

Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-12-12 18:24:44 +01:00
François Cami
6462cc0f3a ipatests: fix pr-ci templates' indentation
temp_commit.yaml among others have wrong indentation:
expected 4 but found 3.
Fix indentation.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
2019-12-12 10:01:25 +01:00
Christian Heimes
c30a0c2268 Fix get_trusted_domain_object_from_sid()
DomainValidator.get_trusted_domain_object_from_sid() was using
escape_filter_chars() with bytes. The function only works with text.
This caused idview to fail under some circumstances. Reimplement
backslash hex quoting for bytes.

Fixes: https://pagure.io/freeipa/issue/7958
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-12 09:58:16 +01:00
François Cami
d5dad53e70 adtrust.py: mention restarting sssd when adding trust agents
After adding a replica to AD trust agent, the warning
message does not mention that restarting sssd is mantatory
for the trust agent to work. Fix the string.

Fixes: https://pagure.io/freeipa/issue/8148
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-11 16:57:03 -05:00
Christian Heimes
d30dd52920 Check valid before/after of external certs
verify_server_cert_validity() and verify_ca_cert_validity() now check
the validity time range of external certificates. The check fails if the
certificate is not valid yet or will expire in less than an hour.

Fixes: https://pagure.io/freeipa/issue/8142
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-10 16:23:31 +01:00
Christian Heimes
3cae7f4ee6 Fix service ldap_disable()
Fix comparison bug that prevents ldap_disable to actually disable a
service.

Fixes: https://pagure.io/freeipa/issue/8143
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-10 16:22:48 +01:00
Christian Heimes
44b3791bc3 Require idstart to be larger than UID_MAX
ipa-server-install fails if idstart is set to 0. There might be
additional issues when idstart overlaps with local users. Ensure that
idstart is larger than UID_MAX or GID_MAX from /etc/login.defs.

Fixes: https://pagure.io/freeipa/issue/8137
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-12-10 16:22:11 +01:00
MIZUTA Takeshi
650db3b80d Add config that maintains existing content to ipa-client-install manpage
If --no-ssh and --no-sshd are not specified in ipa-client-install,
/etc/ssh/{ssh, sshd}_config is updated and existing content is maintained.

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-12-10 16:20:24 +01:00
Anuja More
836b90f652 ipatests : Login via ssh using private-key for ipa-user should work.
Added test for : https://pagure.io/SSSD/sssd/issue/3937

Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
2019-12-06 15:41:09 +01:00