Replace the "import default_encoding_utf8" in ipalib/cli.py with equivalent
Python code.
https://fedorahosted.org/freeipa/ticket/5596
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Stop using rpm-python to compare package versions since the implicit NSS
initialization upon the module import breaks NSS handling in IPA code. Call
rpm-libs C-API function via CFFI instead.
Big thanks to Martin Kosek <mkosek@redhat.com> for sharing the code snippet
that spurred this patch.
https://fedorahosted.org/freeipa/ticket/5572
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The combination of a bug in Dogtag's sslget command and a new feature
in mod_nss causes an incomplete uninstallation of KRA. The bug has been
fixed in Dogtag 10.2.6-13.
https://fedorahosted.org/freeipa/ticket/5469https://fedorahosted.org/pki/ticket/1704
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Running make with PYTHON=/usr/bin/python3 will build/install the
bits for Python 3.
Executable scripts in ipatests have symlinks Python version suffixes
as per Fedora guidelines. Suffix-less names point to the Python 2 versions.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add server_conncheck command which calls ipa-replica-conncheck --replica
over oddjob.
https://fedorahosted.org/freeipa/ticket/5497
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Make the following changes in packaging:
* freeipa-server - split off python2-ipaserver and freeipa-server-common,
* freeipa-server-dns - build as noarch,
* freeipa-client - split off python2-ipaclient and freeipa-client-common,
* freeipa-admintools - build as noarch,
* freeipa-python - split into python2-ipalib and freeipa-common, provide
freeipa-python-compat for upgrades,
* freeipa-tests - rename to python2-ipatests and build as noarch.
Bump version to 4.2.91.
https://fedorahosted.org/freeipa/ticket/3197
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
/etc/ipa/dnssec is now owned by freeipa-server. The remaining files are now
owned by freeipa-client.
https://fedorahosted.org/freeipa/ticket/3197
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Use ding-libs to parse /etc/ipa/default.conf to find the IPA server
to contact by default.
Signed-off-by: Simo Sorce <simo@redhat.com>
Ticket: https://fedorahosted.org/freeipa/ticket/2203
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
By default mod_auth_gssapi allows all locally available mechanisms. If
the gssntlmssp package is installed, it also offers ntlmssp. This has
the annoying side effect that some browser will pop up a
username/password request dialog if no Krb5 credentials are available.
The patch restricts the mechanism to krb5 and removes ntlmssp and
iakerb support from Apache's ipa.conf.
The new feature was added to mod_auth_gssapi 1.3.0.
https://fedorahosted.org/freeipa/ticket/5114
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Configure.jar used to be used with firefox version < 10 which is not
supported anymore, thus this can be removed.
https://fedorahosted.org/freeipa/ticket/5144
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Packaging of sssd was changed and more sub-packages are build
from sssd.src.rpm. Especially python bindings and development packages
are already in sub-packages. As a result of this change the meta package
sssd can be removed from BuildRequires without any problem.
FreeIPA spec file contained build requirement for latest version of
sssd even though the latest sssd was not required for building
FreeIPA rpms. In many cases, it was sufficient just to change requirements
for FreeIPA packages instead of build requirements.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Dogtag 10.2.6-12 includes automatic upgrade from Tomcat 7 to Tomcat 8.
Otherwise FreeIPA is broken after upgrades. This affects Fedora 22 to
Fedora 23 upgrades.
https://bugzilla.redhat.com/show_bug.cgi?id=1274915
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Configure IPA so that topology plugin will manage also CA replication
agreements.
upgrades if CA is congigured:
- ipaca suffix is added to cn=topology,cn=ipa,cn=etc,$SUFFIX
- ipaReplTopoManagedSuffix: o=ipaca is added to master entry
- binddngroup is added to o=ipaca replica entry
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
The DNA plugin needed to be fixed to deal with replica binddn groups.
Version 1.3.4.4 is needed for that.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Add a customized Custodia daemon and enable it after installation.
Generates server keys and loads them in LDAP autonomously on install
or update.
Provides client code classes too.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
This change makes kdcproxy user creation consistent with DS and CA user
creation. Before, the user was created in the spec file, in %pre scriptlet
of freeipa-server.
https://fedorahosted.org/freeipa/ticket/5314
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Certain subcomponents of IPA, such as Dogtag, cannot function if
non-critical directories (such as log directories) have not been
stored in the backup.
This patch implements storage of selected empty directories,
while preserving attributes and SELinux context.
https://fedorahosted.org/freeipa/ticket/5297
Reviewed-By: Martin Basti <mbasti@redhat.com>
python-krbV library is deprecated and doesn't work with python 3. Replacing all
it's usages with python-gssapi.
- Removed Backend.krb and KRB5_CCache classes
They were wrappers around krbV classes that cannot really work without them
- Added few utility functions for querying GSSAPI credentials
in krb_utils module. They provide replacements for KRB5_CCache.
- Merged two kinit_keytab functions
- Changed ldap plugin connection defaults to match ipaldap
- Unified getting default realm
Using api.env.realm instead of krbV call
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This prevents ipa-server-upgrade failures on SELinux AVCs because of old
selinux-policy version.
https://fedorahosted.org/freeipa/ticket/5256
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Kosek <mkosek@redhat.com>
python-gssapi had a bug in exception handling that caused exceptions to be
shadowed by LookupError. The new version should fix the problem.
Reviewed-By: Simo Sorce <ssorce@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
kerberos library doesn't support Python 3 and probably never will.
python-gssapi library is Python 3 compatible.
https://fedorahosted.org/freeipa/ticket/5147
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
This patch removes the dependency on M2Crypto in favor for cryptography.
Cryptography is more strict about the key size and doesn't support
non-standard key sizes:
>>> from M2Crypto import RC4
>>> from ipaserver.dcerpc import arcfour_encrypt
>>> RC4.RC4(b'key').update(b'data')
'o\r@\x8c'
>>> arcfour_encrypt(b'key', b'data')
Traceback (most recent call last):
...
ValueError: Invalid key size (24) for RC4.
Standard key sizes 40, 56, 64, 80, 128, 192 and 256 are supported:
>>> arcfour_encrypt(b'key12', b'data')
'\xcd\xf80d'
>>> RC4.RC4(b'key12').update(b'data')
'\xcd\xf80d'
http://cryptography.readthedocs.org/en/latest/hazmat/primitives/symmetric-encryption/#cryptography.hazmat.primitives.ciphers.algorithms.ARC4https://fedorahosted.org/freeipa/ticket/5148
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
There might be AVC denial between moving file and restoring context.
Using 'mv -Z' will solve this issue.
https://fedorahosted.org/freeipa/ticket/4923
Reviewed-By: David Kupka <dkupka@redhat.com>
The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required.
https://fedorahosted.org/freeipa/ticket/5068
Reviewed-By: Martin Basti <mbasti@redhat.com>
Introduce a ipaplatform/constants.py file to store platform related
constants, which are not paths.
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
This allows us to automatically pull in package bind-pkcs11
and thus create upgrade path for on CentOS 7.1 -> 7.2.
IPA previously had no requires on BIND packages and these had to be
installed manually before first ipa-dns-install run.
We need to pull additional bind-pkcs11 package during RPM upgrade
so ipa-dns-install cannot help with this.
https://fedorahosted.org/freeipa/ticket/4058
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The home directory of the kdcproxy user is now properly owned by the
package and no longer created by useradd.
https://fedorahosted.org/freeipa/ticket/5135
Reviewed-By: Tomas Babej <tbabej@redhat.com>
A new SELinux policy allows communication between IPA framework running
under Apache with oddjobd-based services via DBus.
This communication is crucial for one-way trust support and also is required
for any out of band tools which may be executed by IPA framework.
Details of out of band communication and SELinux policy can be found in a bug
https://bugzilla.redhat.com/show_bug.cgi?id=1238165
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The directory was in the python subpackage, but that broke client-only
build. We don't want the directory to be installed on clients anyway,
since it is part of a server-side feature.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
One-way trust is the default now, use 'trust add --two-way ' to
force bidirectional trust
https://fedorahosted.org/freeipa/ticket/4959
In case of one-way trust we cannot authenticate using cross-realm TGT
against an AD DC. We have to use trusted domain object from within AD
domain and access to this object is limited to avoid compromising the whole
trust configuration.
Instead, IPA framework can call out to oddjob daemon and ask it to
run the script which can have access to the TDO object. This script
(com.redhat.idm.trust-fetch-domains) is using cifs/ipa.master principal
to retrieve TDO object credentials from IPA LDAP if needed and then
authenticate against AD DCs using the TDO object credentials.
The script pulls the trust topology out of AD DCs and updates IPA LDAP
store. Then IPA framework can pick the updated data from the IPA LDAP
under normal access conditions.
Part of https://fedorahosted.org/freeipa/ticket/4546
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The vault plugin has been modified to support symmetric and asymmetric
vaults to provide additional security over the standard vault by
encrypting the data before it's sent to the server. The encryption
functionality is implemented using the python-cryptography library.
https://fedorahosted.org/freeipa/ticket/3872
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
