Before removing a CA re-verify all the other CAs to ensure that
the chain is not broken. Provide a force option to handle cases
where the CA is expired or verification fails for some other
reason, or you really just want them gone.
https://pagure.io/freeipa/issue/8124
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Rename job titles to match their test suites and how they are defined in nightly yamls.
Issue : https://github.com/freeipa/freeipa-pr-ci/issues/336
Signed-off-by: Gaurav Talreja <gtalreja@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Introduce a script that configures a local testing environment
with ipa default.conf, krb5.conf, and ca.crt from a server hostname.
The lite server configuration allows easy and convenient testing of
IPA server and client code. It uses an existing 389-DS and KRB5 KDC
server on another machine:
$ contrib/lite-setup.py master.ipa.example
$ source ~/.ipa/activate.sh
(ipaenv) $ kinit username
(ipaenv) $ make lite-server
IPA server UI is available on http://localhost:8888/ipa/
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test suite test_winsyncmigrate was missing in nightly definitions
because CI was lacking configuration needed for establishing winsync
agreement: the Certificate Authority needs to be configured on
Windows AD instance. Now that PR-CI is updated to include said changes, we
can start executing this test suite. It is not reasonable to add it to
gating as this suite is time consuming just like other tests requiring
provisioning of AD instances.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The re.Pattern class was introduced in Python 3.7. Use duck-typing to
distinguish between str and re pattern object.
Fixes: https://pagure.io/freeipa/issue/8179
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
ipa_ldap_init(), ipa_tls_ssl_init(), and the bind operations of ipa-join
and ipa-getkeytab now print LDAP error string and LDAP diagonstic messages
to stderr.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
`vals` is often leaked during early exit. Refactor function to use a
single exit path to prevent this.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
`client` is not intended to be modified as a parameter of the AS check
function. Fixes an "incompatible pointer type" compiler warning.
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The tests for backup_and_restore check that the ipa-backup command
compresses the tar file AFTER restarting IPA services by reading the
output and looking for a pattern with "gzip" before "Starting IPA service."
As the tar file name is randomly created, it sometimes happen that the
name contains gzip and in this case the test wrongly assumes that
the gzip cmd was called.
The fix makes a stricter comparison, looking for /bin/gzip.
Fixes: https://pagure.io/freeipa/issue/8170
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.
This CA helper can do a number of things:
- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
LDAP
A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.
There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
URL to be passed to dogtag.
For the purposes of clarity "cookie" here is the value within
the JSON.
The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.
This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.
The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.
Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).
There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.
An example of a cookie when retrieving a new RA Agent certificate
is:
{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}
This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857
For a renewal, the reconstructed cookie will consist of:
{"profile": "caServerCert", "cookie": ""}
https://pagure.io/freeipa/issue/8164
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
This checks that valid/invalid inputs for subtypes of
authentication indicator kerberos ticket policy options.
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error
The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized
with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
Fixes: https://pagure.io/freeipa/issue/8163
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Fix XMLRPC tests so that "Dynamic Update" and "Bind update policy"
can be displayed by default in many DNS commands' output.
Related to: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Displaying "Dynamic Update" and "Bind update policy" by default
when 'ipa dnszone-show/find' are used would make client dns update
failures easier to diagnose, so display them.
Fixes: https://pagure.io/freeipa/issue/7938
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This forces PR-CI to update the packages instead of using the versions
already included in the vagrant image.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Test on replica for ipa-ca-install with options
--no-host-dns,--skip-schema-check,done changes in
ipatests/pytest_ipa/integration/tasks.py because
wants to pass few arguments to install_ca method
Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Test was failing in nightly_PR for ipa-4.7
As https://pagure.io/SSSD/sssd/issue/3978 is not available on
fedora-29
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a otp indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This will first check ipa-getkeytab quiet mode,
then it will check ipa-getkeytab server name,
then it will check different type of encryptions
Signed-off-by: Jayesh <jgarg@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This will first check if all services are running then it will stop
few service. After that it will restart all services and then check
the status and pid of services.It will also compare pid after ipactl
start and restart in case of start it will remain unchanged on the
other hand in case of restart it will change.
Signed-off-by: Jayesh Garg <jgarg@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf@redhat.com>
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.
Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.
Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.
Fixes: https://pagure.io/freeipa/issue/8153
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Some integration tests (that were enabled in nightly CI but not
PR-CI) are failing due to changes in the error messages. Update the
error message assertions to get these tests going again.
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Enhance the assert_error subroutine to provide regular expression
matching against the command's stderr output, in additional to
substring match.
Part of: https://pagure.io/freeipa/issue/8142
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Added test which checks that no look up should
be added in data provider when users are added in
filter_users for doamin provider.
Related Ticket:
https://pagure.io/SSSD/sssd/issue/3978
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Temporarily skipping test due to unknown time-outs happening regularly.
Issue: https://pagure.io/freeipa/issue/8151
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.
Both issues have been fixed and the deployment with existing name servers
is properly working again.
Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Sometimes ssh command gets stuck, running manually without passing a command
to be executed this is returned:
```
$ ssh -o PasswordAuthentication=no -o IdentitiesOnly=yes \
-o StrictHostKeyChecking=no -l testsshuser \
-i /tmp/tmp.rQIT3KYScX master.ipa.test
Could not chdir to home directory /home/testsshuser: No such file or directory
```
This commit forces the homedir creation and adds a timeout to ssh.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Trusted domain object in LDAP uses ipaNTTrustedDomainSID attribute to
store SID of the trusted domain while IPA domain itself uses
ipaNTSecurityIdentifier. When mapping the values for printing out a
summary table, use the right mapping according to the object.
Fixes: https://pagure.io/freeipa/issue/8149
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
umount calls including in cleanup do not wait.
The test failed once with:
"umount.nfs4: /home: device is busy"
which looks like a leftover open file descriptor.
Add wait periods before umount.
Fixes: https://pagure.io/freeipa/issue/8144
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
With commit 15ff9c8 a check was removed and as a result Kerberos keys
are unconditionally added to the user entry struct if they are
available. As a result the password related pre-authentication methods
PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH
reply to an AS_REQ.
With respect to the KDC policies this does not matter much because if
password authentication is disabled for the given principal the policy
will reject the AS_REQ if the user tries password authentication. This
is possible because with commit 15ff9c8 kinit will ask for a password if
called without any additional options (e.g. armor ticket or PKINIT
identity). Before 15ff9c8 was committed it just failed with 'kinit:
Pre-authentication failed: Invalid argument while getting initial
credentials' because no suitable pre-authentication method was
available. This is the same behavior as if no password was set for the
given principal.
But with this change SSSD fails to detect the available authentication
types for the given principal properly. As described in
https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
SSSD uses the MIT Kerberos responder interface to determine the
available authentication methods for the principal and does not check
the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp)
authentication configured, which implies that a password is set as the
first factor, the responder interface will always indicate that password
authentication is available even if only opt is enabled for the user.
In this case SSSD will use a prompting which indicates that the second
factor might be optional. Additionally if prompting the user directly is
not possible (e.g. ssh with ChallengeResponseAuthentication /
KbdInteractiveAuthentication disabled) the single string entered by the
user will always be assumed as a password and not as a combination of
password and otp-token value. As a consequence authentication will
always fail because password authentication is disabled for the user and
since SSSD does not do try-and-error 2FA is not tried.
This patch add back the check so that if password authentication is not
available for the principal the Kerberos will not be added to the entry
struct and the KDC will not advertise PA-ENC-TIMESTAMP or
PA-ETYPE-INFO2. If you think this is wrong and the behavior added by
15ff9c8 should be preferred SSSD handing of the available authentication
types must be extended to read ipaUserAuthType as well to restore the
user experience with respect to 2FA prompting and ssh behavior.
Related to https://pagure.io/freeipa/issue/8001
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Test that a repeated installation of the primary with DNS enabled
will lead to a already installed message and not in "DNS zone X
already exists in DNS" in check_zone_overlap.
The error is only occuring if domain is set explicitly in the command
line installer as check_zone_overlap is used in the domain_name validator.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When re-running `ipa-server-install --setup-dns` on already installed
server, we do not get to the check of being already installed because
DNS zone overlap forces us to fail earlier.
Change exception returned for this case from check_zone_overlap() to
return structured information that allows to understand whether we are
finding a conflict with ourselves.
Use the returned information to only fail DNS check at this point if DNS
zone overlap is generated by a different name server than ourselves.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
temp_commit.yaml among others have wrong indentation:
expected 4 but found 3.
Fix indentation.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
DomainValidator.get_trusted_domain_object_from_sid() was using
escape_filter_chars() with bytes. The function only works with text.
This caused idview to fail under some circumstances. Reimplement
backslash hex quoting for bytes.
Fixes: https://pagure.io/freeipa/issue/7958
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
After adding a replica to AD trust agent, the warning
message does not mention that restarting sssd is mantatory
for the trust agent to work. Fix the string.
Fixes: https://pagure.io/freeipa/issue/8148
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
verify_server_cert_validity() and verify_ca_cert_validity() now check
the validity time range of external certificates. The check fails if the
certificate is not valid yet or will expire in less than an hour.
Fixes: https://pagure.io/freeipa/issue/8142
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix comparison bug that prevents ldap_disable to actually disable a
service.
Fixes: https://pagure.io/freeipa/issue/8143
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-server-install fails if idstart is set to 0. There might be
additional issues when idstart overlaps with local users. Ensure that
idstart is larger than UID_MAX or GID_MAX from /etc/login.defs.
Fixes: https://pagure.io/freeipa/issue/8137
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If --no-ssh and --no-sshd are not specified in ipa-client-install,
/etc/ssh/{ssh, sshd}_config is updated and existing content is maintained.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The lite-server does no longer work correctly since rpcserver is also
using GSS_NAME. Set up GSS_NAME from ccache.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>