The CA tracking request was modified to drop the profile which
was caught by ipa-healthcheck. Run ipa-certupdate then
ipa-healthcheck to confirm that no problems are introduced.
https://pagure.io/freeipa/issue/8644
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The CA tracking request is modified (it calls renew but it doesn't
actually do a renewal) as part of ipa-certupdate and it dropped
the profile. ipa-healthcheck discovered this condition.
https://pagure.io/freeipa/issue/8644
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
dns_lookup was set to false during ipa client installation which prevented
searches for SRV records for Kerberos servers.
Since https://pagure.io/freeipa/issue/6523 is fixed, dns_lookup is always True
now and the fixture is not needed anymore.
Reviewed-By: Francois Cami <fcami@redhat.com>
The tasks module provides a method to clear sssd cache,
but the method does not remove the file /var/lib/sss/mc/initgroups.
Update the method to also remove this file.
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
TestIpaHealthCLI::test_input_file test was skipped due to
bz1866558. Removed the below statement so that the test can
now run as the bug is fixed.
@pytest.mark.xfail(reason='BZ 1866558', strict=False)
Also changed the assert statement to search text in
stdout_text rather than sdterr_text
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This testcase checks when trust between IPA-AD is established
successfully, IPATrustControllerPrincipalCheck displays
result as SUCCESS
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When using a fixture, we get a temporary directory created and then
removed by pytest. Pytest uses `shutil.rmtree` call which collects all
files in the directory being removed and then removes them one by one.
At the point of removal of our GNUPGHOME directory, gpg daemon is being
shut down and there might still be an agent UNIX domain socket. The
removal actually overlaps in time with shut down of the gpg daemon, thus
causing `shutil.rmtree()` to fail when an agent UNIX domain socket is
removed by the daemon.
Change the way how we run the gpg agent to use a temporary systemd
service. Stop the service in the finalizer method so that systemd would
send SIGTERM signal and the gpg agent would clean itself up.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
389ds does not return any more additional information
about a failing bind (to avoid leaking information).
As a consequence, when ipa-nis-manage is provided a
wrong password, the error message contains less info
as in the past and needs to be fixed.
Fixes: https://pagure.io/freeipa/issue/8631
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
test_acme is not stable and often needs to be
launched multiple times. Remove the test from gating
until the issue is fixed
Related: https://pagure.io/freeipa/issue/8602
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Move actual resolution of UID/GID values for 'ods' entities to the code
that needs them. This prevents failures when uninstalling IPA server set
up without DNS feature. In particular, 'ods' user and group are created
when 'opendnssec' package is installed and if 'opendnssec' package is
not installed, uninstall fails in OpenDNSSEC Exporter instance
constructor.
We use common pattern of checking the service during uninstall:
svc = SVCClass()
if svc.is_configured():
svc.uninstall()
Thus, service class constructor must not do UID/GID resolution
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.
We use common pattern for all services during uninstall:
svc = SVCClass(..)
if svc.is_configured()
svc.uninstall()
This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Move actual resolution of UID/GID values for 'ods' and 'named' entities
to the code that needs them. This prevents failures when uninstalling
IPA server set up without DNS feature. In particular, 'named' group is
created when 'bind' package is installed and if 'bind' package is not
installed, uninstall fails in OpenDNSSEC instance constructor.
We use common pattern for all services during uninstall:
svc = SVCClass(..)
if svc.is_configured()
svc.uninstall()
This requires that the class constructor should not rely on artifacts
that only exist when the service is configured.
Fixes: https://pagure.io/freeipa/issue/8630
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
User name for trail space key was using the name for lead space key.
As a result, when both tests were transformed, second one was
unsuccessful as the original user was already created.
Fix the user name data according to the test.
Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
With commit 809d9cb80f we now allow
leading and trailing space in passwords. Fix Web UI tests to follow this
change.
Fixes: https://pagure.io/freeipa/issue/8629
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Only checking for ID to equal "rhel" causes build failures on CentOS
Stream. Instead check both ID and ID_LIKE. This should also work later
on when rebuilds like CentOS Linux get this update.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.
This commit:
- adds some helper functions for working with krb5_timestamp as
unsigned (actually copied from
https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
- replaces operations with krb5_timestamp's by these new functions
Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
'gpg2' is a convenience symlink on Debian, provided by a package that
will go away eventually. 'gpg' is available everywhere.
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
