Commit Graph

13015 Commits

Author SHA1 Message Date
Alexander Bokovoy
98b4c710d9 upgrade: adtrust - catch empty result when retrieving list of trusts
Upgrade failure when ipa-server-upgrade is being run on a system with no
trust established but trust configured

Fixes: https://pagure.io/freeipa/issue/7939
Reviewed-By: François Cami <fcami@redhat.com>
2019-05-11 21:15:37 +02:00
François Cami
5331510eab ipa_backup.py: replace /var/lib/ipa/backup with paths.IPA_BACKUP_DIR
/var/lib/ipa/backup is defined in ipaplatform.paths as paths.IPA_BACKUP_DIR
Remove all instances of /var/lib/ipa/backup/ in ipa_backup.py.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
2019-05-07 09:08:40 +02:00
François Cami
e6415ec321 ipa-backup: better error message if ENOSPC
When the destination directory cannot store the complete backup
ipa-backup fails but does not explain why.
This commit adds error-checking to db2ldif(), db2bak() and
finalize_backup() and enhances the error message.

Fixes: https://pagure.io/freeipa/issue/7647
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-05-07 09:00:42 +02:00
François Cami
d76737e4c6 ipatests: add tests for the new NFSv4 domain option of ipa-client-automount
This commit tests the--idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter

Related to: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-06 17:46:19 +02:00
François Cami
660c4984c6 ipa-client-automount: add knob to configure NFSv4 Domain (idmapd.conf)
ipa-client-automount assumes the NFS domain to be the same as the IPA domain.
This is not always the case.
This commit adds a --idmap-domain knob with the following behavior:
- if not present, default to IDM domain (current behavior)
- if equal to DNS (magic value), set nothing and let idmapd autodetect domain
- otherwise set Domain in idmap.conf to the value passed by this parameter

Fixes: https://pagure.io/freeipa/issue/7918
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-05-06 17:46:19 +02:00
Adam Williamson
78652a52f0 Correct default fontawesome path (broken by da2cf1c5)
On Fedora/RHEL, it does not have a dash in it. The changes in
da2cf1c5 inadvertently added a dash to the path in the 'base'
paths definition (used on Fedora/RHEL), so the font wasn't found.

Signed-off-by: Adam Williamson <awilliam@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-05-02 09:36:54 -04:00
Alexander Bokovoy
294aa3a333 Revert "Require a minimum SASL security factor of 56"
This reverts commit 3509545897.

We cannot force increase in minimum SASL security factor until our
consumers are ready to deal with it. Unfortunately, realmd uses
anonymous connection for discovery and validation of IPA LDAP server.

The way it is done is fragile (it doesn't take into account an
advertised IPA version, only checks that 'IPA' string exists in the info
field) but since bumping of minimum SSF prevents reading IPA info field
using anonymous connection, client enrollment fails.

We should get back to bumping minimum SSF after realmd and other
potential consumers are fixed.

Reviewed-By: François Cami <fcami@redhat.com>
2019-05-02 11:39:23 +02:00
Christian Heimes
e73fdcf8ba Import urllib submodules
otpclient only imported the urllib parent package, not urllib.request
and urllib.parse subpackages. This may or may not work depending on the
import order of other plugins.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-30 10:32:43 -04:00
Alexander Bokovoy
dc113a0a31 Turn master branch back after pre-release tagging 2019-04-29 17:58:14 +03:00
Alexander Bokovoy
628ec088b6 Become FreeIPA 4.7.90.pre1 2019-04-29 17:55:04 +03:00
Christian Heimes
3c98187988 Consider configured servers as valid
Under some conditions, ipa config-show and several other commands were
failing with error message:

  ERROR: invalid 'PKINIT enabled server': all masters must have IPA master role enabled

Amongst others the issue can be caused by a broken installation, when
some services are left in state 'configuredServices'. The problem even
block uninstallation or removal of replicas. Now configured servers are
also consider valid providers for associated roles.

A new test verifies that config-show works with hidden and configured HTTP
service.

Remark: The original intent of the sanity check is no longer clear to me. I
think it was used to very that all services can be started by ipactl.
Since ipactl starts hidden, configured, and enabled services, the new
logic reflect the fact, too.

Fixes: https://pagure.io/freeipa/issue/7929
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-29 16:51:40 +02:00
Florence Blanc-Renaud
161008d5ca ipactl restart: fix wrong logic when checking service list
ipactl is building a list of currently running services from
the content of /var/run/ipa/services.list, and a list of expected services
from the services configured in LDAP.

Because CA and KRA both correspond to the same pki-tomcatd service, the
lists may contain duplicates. The code handling these duplicates is called
at the wrong place, and may result in a wrong list of services to
stop / restart / start.
The fix removes the duplicates before returning the lists, hence making sure
that there is no error when building the list of services to stop / restart
/ start.

Fixes: https://pagure.io/freeipa/issue/7927
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-26 17:26:00 +02:00
Christian Heimes
bdce9164a1 Make ipaclient.discovery usable from command line
For debugging and testing make it possible to run a simple domain
discovery from the command line

```
$ python3 -m ipaclient.discovery demo1.freeipa.org
realm    DEMO1.FREEIPA.ORG                      (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
domain   demo1.freeipa.org                      (Discovered LDAP SRV records from demo1.freeipa.org)
basedn   dc=demo1,dc=freeipa,dc=org             (From IPA server ldap://ipa.demo1.freeipa.org:389)
server   ipa.demo1.freeipa.org                  (Discovered from LDAP DNS records in ipa.demo1.freeipa.org)
servers  ['ipa.demo1.freeipa.org']
Success
$ python3 -m ipaclient.discovery freeipa.org
realm    None
domain   None
basedn   None
server   None
servers  []
NO_LDAP_SERVER
```

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:53:23 +02:00
Christian Heimes
d59f155e52 Make IPADiscovery work without ldap
ipaclient.discover.IPADiscovery skips LDAP discovery when python-ldap is
not present.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:53:23 +02:00
Christian Heimes
2a459ce0f2 Make python-ldap optional for PyPI packages
python-ldap is a Python package with heavy C extensions. In order to
build python-ldap, not only OpenLDAP development headers are necessary,
but also OpenSSL, Cyrus SASL, and MIT KRB5 development headers.

A fully functional ipaclient doesn't need an LDAP driver. It talks JSON
RPC over HTTPS to a server. python-ldap is only used by ipapython.dn.DN
to convert a string to a DN with ldap_str2dn(). The function is simple
and can be wrapped with ctypes in a bunch of lines.

Related: https://pagure.io/freeipa/issue/6468
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:53:23 +02:00
Christian Heimes
c314411130 Correct path to systemd-detect-virt
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:47:51 +02:00
Christian Heimes
5d4a8017f4 Add helper to look for missing binaries
Fedora has merged /usr/bin and /bin while Debian uses distinct
directories for /usr/bin and /bin. Debian also uses different directory
for libexec files.

A new paths.check_paths() helper makes it easier to detect missing or
wrong paths.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:47:51 +02:00
Christian Heimes
4f3c4f87a1 Guard dbus.start() with dbus.is_running()
Some platforms like Debian protect the dbus.service with
RefuseManualStart=True. "systemctl start dbus" fails with operation
refused (it is configured to refuse manual start/stop). On Fedora
"systemctl start dbus" is a no-op when dbus is already running.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:47:51 +02:00
Christian Heimes
beffa7bcda Move Custodia secrets handler to scripts
Implement the import and export handlers for Custodia keys as external
scripts. It's a prerequisite to drop DAC override permission and proper
SELinux rules for ipa-custodia.

Except for DMLDAP,  handlers no longer run as root but as handler
specific users with reduced privileges. The Dogtag-related handlers run
as pkiuser, which also help with HSM support.

The export and import handles are designed to be executed by sudo, too.
In the future, ipa-custodia could be executed as an unprivileged process
that runs the minimal helper scripts with higher privileges.

Fixes: https://pagure.io/freeipa/issue/6888
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 12:09:22 +02:00
François Cami
d2c5ce1a82 ipaplatform: add more services
Healthcheck needs to check more services than currently defined
in ipaplatform. Add these services.

Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-26 10:25:00 +02:00
Christian Heimes
a22b4a35f2 chmod SYSTEMD_PKI_TOMCAT_IPA_CONF
Change the permission of the new config file
/etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf to 644.
This fixes the systemd warning

Configuration file /etc/systemd/system/pki-tomcatd@pki-tomcat.service.d/ipa.conf is marked world-inaccessible. This has no effect as configuration data is accessible via APIs without restrictions. Proceeding anyway.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 09:56:44 +02:00
Christian Heimes
d7e17655c7 Check for SELinux AVCs after installation
Look for SELinux violation after installing a master with CA, KRA, and
DNS with DNSSEC. The test does not fail yet, because there are known
SELinux violations.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 09:50:23 +02:00
Christian Heimes
dcd488b3d9 Refactor tasks to include is_selinux_enabled()
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-26 09:50:23 +02:00
Oleg Kozlov
23d5c05232 Check have packages for extra features been installed before restoring backup
`iparestore --full` should check that packages for extra features such as dns and adtrust are installed in the system before restoring a backup in case the backup includes content for these features. If the packages are not installed full backup should be refused and an error message with suggestions should be showed.

If corresponding packages for these features are not installed before the backup restoring, it may cause a situation when the packages are going to be installed after the restoring. In that case configuration files restored by `ipa-restore` will be replaced by default configuration files if the files are tracked by `rpm`. E.g. if `freeipa-server-trust-ad` is not installed before `ipa-restore --full` running, when the package will be installed it also will bring `samba` package according to the dependencies. At `samba` installation step exist correct `/etc/samba/smb.conf` is going to be replaced by the default one from the `samba` package.

Fixes: https://pagure.io/freeipa/issue/7630
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-25 14:47:09 +02:00
Sergey Orlov
f5912d0099 ipatests: new tests for ipa-winsync-migrate utility
Fixes https://pagure.io/freeipa/issue/7857

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-25 14:46:11 +02:00
Christian Heimes
74e09087ed Globally disable softhsm2 in p11-kit-proxy
The p11-kit configuration injects p11-kit-proxy into all NSS databases.
Amongst other p11-kit loads SoftHSM2 PKCS#11 provider. This interferes
with 389-DS, certmonger, Dogtag and other services. For example certmonger
tries to open OpenDNSSEC's SoftHSM2 token, although it doesn't use it at
all. It also breaks Dogtag HSM support testing with SoftHSM2.

IPA server does neither need nor use SoftHSM2 proxied by p11-kit.

Related: https://pagure.io/freeipa/issue/7810
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-25 12:53:08 +02:00
Christian Heimes
8686cd3b4b Pass token_name to certmonger
For HSM support, IPA has to pass the token name for CA and subsystem
certificates to certmonger. For now, only the default 'internal' token is
supported.

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-25 08:57:58 +02:00
Alexander Bokovoy
b2c5691e73 Enforce SMBLoris attack protection in default Samba configuration
See https://access.redhat.com/security/vulnerabilities/smbloris for
details.

There is no recommended value but for IPA DC we can limit with 1000
concurrent connections from unrelated clients.

Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 15:47:19 -04:00
Alexander Bokovoy
4ba888694b Set idmap config for Samba to follow IPA ranges and use SSSD
Implicit idmap configuration in Samba was changed in Samba 4.7 to always
require range definition. A default ('*') idmap configuration lacks any
range and thus is marked by testparm utility as invalid one.

Since we do not expect Samba allocating any IDs, idmap configuration
needs to be set in a such way that it is correct from Samba side and is
effectively disabling any allocation on those domains that we don't need
to handle.

Note that 'idmap config <domain> : range' parameter accepts range in a
special format with spaces 'begin - end', so we have to keep the
formatting of the range exact.

Related: https://pagure.io/freeipa/issue/6951
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 15:47:19 -04:00
Christian Heimes
dd58a705e5 Fix and extend pki config override test
* override ipa_ca_key_size
* test with SHA512withRSA

Related: https://pagure.io/freeipa/issue/5608
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-24 17:08:24 +02:00
Christian Heimes
411e6c37fb Deprecate ipa-client-install --request-cert
Mark the --request-cert option for ipa-client-install as deprecated.
Users are encouraged to request a PEM certificate with certmonger
instead. The option and /etc/ipa/nssdb will be removed in a future
version.

Related: https://pagure.io/freeipa/issue/7492
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 16:23:17 +02:00
Christian Heimes
0fa692a526 Debian: Use RedHatCAService for pki-tomcatd
The RedHatCAService service class contains extra logic to wait for CA
service to be up and running. Debian now correctly waits for Dogtag before
proceeding with the installation process.

Fixes: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
81d0108afc Debian: auto-generate config files for oddjobd
The oddjobd config files are now auto-generated with automake to have
correct path to libexec on all platforms.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
d703f3dbcb Debian: Fix replicatio of light weight sub CAs
The path to ipa-pki-retrieve-key was hard-coded, which broke replication
of light weight sub CA keys.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
edaea8865f Add ODS manager abstraction to ipaplatform
OpenDNSSEC 1.4 and 2.x use different commands to initialize kasp.db and
manage zones. ipaplatform.tasks abstracts the commands.

Note: I added the logic to the base task instead of having different
implementations for Red Hat and Debian platforms. Eventually Fedora is
going to move to OpenDNSSEC 2.x, too. The design will make it easier to
support OpenDNSSEC 2.x on Fedora.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
8592603ea3 Debian: Use different paths for KDC cert and key
Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
750e658dba Debian: Add fixes for OpenDNSSEC 2.0
Debian/Ubuntu use OpenDNSSEC 2.0, which has different commands to manage
zones and keys.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
da2cf1c513 Debian: Add paths for open-sans and font-awesome
Debian has different paths and path suffix for font-awesome. Let's have
explicit paths for all our fonts.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
ff41a09e36 Debian doesn't have authselect
Skip authselect configuration and migration on Debian/Ubuntu.

Co-authored-by: Timo Aaltonen <tjaalton@debian.org>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Christian Heimes
d796c37f17 Debian: use -m lesscpy instead of hard-coded name
python3 -m lesscpy now works correctly. The make-css.sh script is
replaced with a simpler make call and ipa.css now depends on all less
files.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-24 14:08:20 +02:00
Alexander Bokovoy
993fd4d7fc Update list of contributors and sort them alphabetically
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-24 09:47:31 +02:00
Alexander Bokovoy
e05008d104 Update mailmap
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-24 09:47:31 +02:00
Alexander Bokovoy
6c361d74c5 Update translations from Zanata
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-24 09:47:31 +02:00
Christian Heimes
5452eb6e77 Reduce startup_timeout to 120sec as documented
man(5) default.conf says that startup_timeout has a default value of 120
seconds. Even 120 seconds are not effective unless systemd is also
reconfigured to have a larger DefaultTimeoutStartSec.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-24 09:09:28 +02:00
Christian Heimes
3f9e23f125 Add ExecStartPost hook to wait for Dogtag PKI
Dogtag PKI typically takes around 10 seconds to start and respond to
requests. Dogtag uses a simple systemd service, which means systemd is
unable to detect when Dogtag is ready. Commands like ``systemctl start``
and ``systemctl restart`` don't block and wait until the CA is up. There
have been various workarounds in Dogtag and IPA.

Systemd has an ExecStartPost hook to run programs after the main service
is started. The post hook blocks systemctl start and restart until all
post hooks report ready, too. The new ipa-pki-wait-running script polls
on port 8080 and waits until the CA subsystem returns ``running``.

Related: https://pagure.io/freeipa/issue/7916
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2019-04-24 09:09:28 +02:00
Stanislav Levin
edd53d8c50 Fix inconsistent-return-statements in ipa-dnskeysync-replica
This problem was discovered by pylint.

Fixes: https://pagure.io/freeipa/issue/7921
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-24 08:10:45 +02:00
Stanislav Levin
921d803d15 Add missing deps for make pylint
The make target `pylint` hasn't a full list of its dependencies.
This leads to problems like:
- different build results
- PR tests just do not run pylint over some Python scripts.

The new build target (`python_scripts`) was implemented.
It's intended for building all Python scripts (files, containing
@PYTHONSHEBANG@ as a shebang placeholder).

The make `pylint` should require it.

Fixes: https://pagure.io/freeipa/issue/7921
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-24 08:10:45 +02:00
Christian Heimes
36c65c4aaa Remove deprecated object logger
The object logger methods been deprecated for about two years since release
4.6.0. The log manager used to moneky-patch additional log methods like
info(), warning(), and error() into API plugin objects. The methods have
been replaced by calls to module logger objects in 4.6.0.

Remove monkey-patch logger methods, log manager, and its root logger from
ipapython.ipa_log_manager.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
2019-04-23 12:55:35 +02:00
Robbie Harwood
5ecede781b Fix unnecessary usrmerge assumptions
On non-usrmerge systems (e.g., Debian), bash, mv, cp, cat, tail,
keyctl, and gzip live in /bin, not /usr/bin.

On usrmerge systems, /bin is a symlink to /usr/bin (or vice versa), so
this has no effect.

Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2019-04-17 13:56:05 +02:00
François Cami
0ba25c7e68 ipatests: add nfs tests
With the latest NFS changes:
* systemd NFS-related unit files
* configuration from /etc/sysconfig/nfs to /etc/nfs.conf
testing NFS client {manual, ipa-client-automount} configuration
has become paramount.

This extends the existing automount location test and must be
run nightly.

Fixes: https://pagure.io/freeipa/issue/7805
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Peter Cech <pcech@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
2019-04-16 16:58:54 +02:00