When creating ipa-client-samba tool, few common routines from the server
installer code became useful for the client code as well.
Move them to ipapython.ipautil and update references as well.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Document general design for Samba file server running on IPA client as a
domain member in IPA domain.
Fixes: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Added test which validates that POSIX attributes, such
as shell or home directory, are no longer overwritten or missing.
Related Ticket : https://pagure.io/SSSD/sssd/issue/2474
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.
The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.
trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.
Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.
Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Now that ipa-client-automount and ipactl main logic has been
moved into modules, introduce minimal executables.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Updating ipa_client_automount.py and ipactl.py's codestyle is
mandatory to make pylint pass as these are considered new files.
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Fixes: https://pagure.io/freeipa/issue/7984
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Second part of the trust principals upgrade
For existing LOCAL-FLAT$@REMOTE object, convert it to
krbtgt/LOCAL-FLAT@REMOTE and add LOCAL-FLAT$@REMOTE as an alias. To do
so we need to modify an entry content a bit so it is better to remove
the old entry and create a new one instead of renaming.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Disable link to user page from user ID override in case it is in 'Default Trust View'
Ticket: https://pagure.io/freeipa/issue/7139
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
By default, the `last` exit code returned from Azure script will be
checked and, if non-zero, treated as a step failure. Luckily,
for Linux script is a shortcut for Bash. Hence errexit/e option
could be applied. But Azure pipelines doesn't set it by default:
https://github.com/microsoft/azure-pipelines-agent/issues/1803
For multiline script this is a problem, unless otherwise designed.
Some of benefits of checking the result of each subcommand:
- preventing subsequent issues (broken packages, container images, etc.)
- time saving (next steps will not run)
- good diagnostics (tells which part of script fails)
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Previously '--idmap-domain DNS' would assume the Domain
parameter of idmapd.conf was already absent. With this
fix, the Domain parameter is always removed and the
configuration file is always backuped.
Related-to: https://pagure.io/freeipa/issue/7918
Fixes: https://pagure.io/freeipa/issue/7988
Signed-off-by: François Cami fcami@redhat.com
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Upgrade code had Kerberos principal names mixed up: instead of creating
krbtgt/LOCAL-FLAT@REMOTE and marking LOCAL-FLAT$@REMOTE as an alias to
it, it created LOCAL-FLAT$@REMOTE Kerberos principal and marked
krbtgt/LOCAL-FLAT@REMOTE as an alias.
This differs from what Active Directory expects and what is created by
ipasam plugin when trust is established. When upgrading such deployment,
an upgrade code then unexpectedly failed.
Resolves: https://pagure.io/freeipa/issue/7992
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Add a new XMLRPC test with the following scenario:
- ldapadd a user without the posixaccount objectclass
- call ipa stageuser-find <user>
- check that 1 entry is returned
Related: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa stageuser-find fails to return a staged user if it does not
contain the posixaccount objectclass.
The code is replacing the search filter (objectclass=posixaccount)
with (|(objectclass=posixaccount)(objectclass=inetorgperson)) so it
should work in theory.
The issue is that on python2 the filter has been hexlified before
reaching the stageuser plugin, hence filter.replace does not recognize
the pattern (objectclass=posixaccount).
The fix consists in creating the filter with a call to
ldap.make_filter_from_attr()
that will hexlify too, if needed.
Fixes: https://pagure.io/freeipa/issue/7983
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The systemd unit name of `named`(which is actually used) is platform-dependent:
debian - bind9-pkcs11.service
fedora - named-pkcs11.service
redhat - named-pkcs11.service
Other systems may have their own name of `bind` service.
But the default one (`named-pkcs11`) is assumed in many tests.
Of course, these tests fail on such platforms.
This can be easily fixed.
All platforms define well-knownservice `named`, which is linked to
the actually utilized one.
Fixes: https://pagure.io/freeipa/issue/7990
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The check can fail for a lot of other reasons than there is
overlap so the error should be logged.
This causes confusion when --auto-reverse is requested and
some lookup fails causing the reverse to not be created.
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
By default certmonger does not log operations. With debug level 2,
certmonger logs errors and operations to journald. An increased debug
level makes it easier to investigate problems.
Fixes: https://pagure.io/freeipa/issue/7986
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.
The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.
Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
For now all the default shells of users and admin are hardcoded in
different parts of the project. This makes it impossible to run the
test suite against the setup, which has the default shell differed
from '/bin/sh'.
The single configuration point for the shell of users and admin is
added to overcome this limitation.
Fixes: https://pagure.io/freeipa/issue/7978
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
"message" parameter of pytest.raises is deprecated since Pytest4.1:
```
It is a common mistake to think this parameter will match the
exception message, while in fact it only serves to provide a custom
message in case the pytest.raises check fails.
```
That was the truth for test_unrecognised_attr_type_raises, which has
wrongly checked an exception message.
Fixes: https://pagure.io/freeipa/issue/7981
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
nfs.py calls "ipa user-add" without inputting the password twice
leading to a timeout. Input password twice then.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
A CustodiaClient object has to the process environment a bit, e.g. set
up GSSAPI credentials. To reuse the credentials in libldap connections,
it is also necessary to set up a custom ccache store and to set the
environment variable KRBCCNAME temporarily.
Fixes: https://pagure.io/freeipa/issue/7964
Co-Authored-By: Fraser Tweedale <ftweedal@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
If lightweight CA key replication has not completed, requests for
the certificate or chain will return 404**. This can occur in
normal operation, and should be a temporary condition. Detect this
case and handle it by simply omitting the 'certificate' and/or
'certificate_out' fields in the response, and add a warning message
to the response.
Also update the client-side plugin that handles the
--certificate-out option. Because the CLI will automatically print
the warning message, if the expected field is missing from the
response, just ignore it and continue processing.
** after the Dogtag NullPointerException gets fixed!
Part of: https://pagure.io/freeipa/issue/7964
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
rpm sorts pre1 release after dev releases. To have dev releases override
pre releases in upstream, the patch level must be bumped after every pre
release.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
Since tox-3.8.0 the substituted virtualenv-paths of tox
(like {envpython} or {envsitepackagesdir}) have become relative.
The documentation says nothing about this. Thus, these paths
should always be resolved as absolute.
https://github.com/tox-dev/tox/issues/1339
Fixes: https://pagure.io/freeipa/issue/7977
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
This test requires SELinux and fails if selinux is disabled
(because it's calling semanage login -l).
The vagrant images currently in use in the nightly tests
are configured with selinux disabled. Add skipif marker when
selinux is disabled.
Fixes: https://pagure.io/freeipa/issue/7974
Reviewed-By: François Cami <fcami@redhat.com>
The hidden replica documentation mentioned using
$ ipa server-state <hostname> --state=enable
whereas the right command is
$ ipa server-state <hostname> --state=enabled
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The test test_backup_and_restore.py::TestBackupAndRestore
test_full_backup_and_restore_with_selinux_booleans_off
requires SELinux to be enabled because it's using
getsebool command.
Skip the test if SELinux is disabled.
Fixes: https://pagure.io/freeipa/issue/7970
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The admintool will display the message when something goes wrong:
See %s for more information" % self.log_file_name
This is handy except when finally logging setup is not done
yet so the log file doesn't actually get written to.
This can happen if validation catches and raises an exception.
Fixes: https://pagure.io/freeipa/issue/7952
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
The behavior of automember changed with the design
https://www.port389.org/docs/389ds/design/automember-postop-modify-design.html
such that members are "cleaned up" first then re-added. This has
the effect of removing members that no longer apply to a rule.
This was breaking the automember rebuild tests because sometimes
the tests were faster than 389-ds causing memberships to be missed.
This does a client-side wait for the task to finish up so still
exercises the rebuild code.
https://pagure.io/freeipa/issue/7972
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Equal DNs with multi-valued RDNs can compare inequal if one (or
both) is constructed from a cryptography.x509.Name, because the AVAs
in the multi-valued RDNs are not being sorted.
Sort the AVAs when constructing from Name and add test cases for
equality checks on multi-valued RDNs constructed from inputs with
permuted AVA order.
Part of: https://pagure.io/freeipa/issue/7963
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Commit e3f3584 introduced an additional prompt in ipa-server-install
"Do you want to configure chrony with NTP server or pool address?".
The test is building a string passed to stdin in interactive mode
but this string has not been updated with the additional answer for
this new question.
This commit answers 'no' to the question and allows to proceed with
the ipa server installation.
Fixes: https://pagure.io/freeipa/issue/7969
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
It is likely that these were fixed by the original change
b96906156b but was uncaught because
these tests are not executed in CI because the server is configured.
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This is to suppress the spurious error message:
The ipa-client-install command failed.
when the client is not configured.
This is managed by allowing a ScriptError to return SUCCESS (0)
and have this ignored in log_failure().
https://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This was an attempt to suppress client uninstallation failure
messages in the server uninstallation script. This method
inadvertently also suppressed client uninstallation messages and
was generally confusing.
This reverts part of b96906156bhttps://pagure.io/freeipa/issue/7836
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
New feature of autounmembership added in 389-ds-base
https://pagure.io/389-ds-base/issue/50077
Tests for autounmembership feature has been added in
this PR
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
The code was attempting to strip off any trailing newline and then
calling lstrip() on the rest.
This assumes that the key has a trailing newline. At best this
can cause the last character of the comment to be lost. If there
is no comment it will fail to load the key because it is invalid.
Patch by Félix-Antoine Fortin <felix-antoine.fortin@calculquebec.ca>
https://pagure.io/freeipa/issue/7959
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Use dsctl instead, the modern replacement for ldif2db, db2ldif,
bak2db and db2bak.
https://pagure.io/freeipa/issue/7965
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The Host.ldap_connect() method uses LDAPClient from ipapython package.
In a3934a21 we started to use secure connection from tests controller to
ipa server. And also 5be9341f changed the LDAPClient.simple_bind method
to forbid password based authentiction over insecure connection.
This makes it imposible to establish ldap connection in some test
configurations where hostnames known to ipa server do not match ones known
to tests controller (i.e. when host.hostname != host.external_hostname)
because TLS certificate is issued for host.hostname and test controller
tries to verify it against host.external_hostname.
A sublass of LDAPClient is provided which allows to skip certificate check.
Fixes: https://pagure.io/freeipa/issue/7960
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Azure tests fail because we couldn't configure docker for IPv6 anymore.
This happened because we weren't able to copy our configuration file to
/etc/docker -- looks like the docker directory does not exist.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Tests added for two scenarios:
1) adding one-way external trust, trust on Windows side is created using
netdom utility.
2) adding one-way forest trust, trust on Windows side is created using
powershell bindings to .Net functions
Tests verify that specified trusts can be established, trust domains can
be fetched and AD user data can be queried by IPA client.
Relates: https://pagure.io/freeipa/issue/6077
Reviewed-By: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
ipaserver.installutils.realm_to_serverid was deprecated. Use
ipapython.ipaldap.realm_to_serverid instead.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
We only want to become the renewal master if we actually renewed a
shared certificate. But there is a bug in the logic; even if the
only Dogtag certificate to be renewed is the 'sslserver' (a
non-shared certificate), the renewal master will be reset. Fix the
bug.
A static type system would have excluded this bug.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
When DS cert is expired, 'pki-server cert-fix' will fail at the
final step (restart). When this case arises, ignore the
CalledProcessError and continue.
We can't know for sure if the error was due to failure of final
restart, or something going wrong earlier. But if it was a more
serious failure, the next step (installing the renewed IPA-specific
certificates) will fail.
Part of: https://pagure.io/freeipa/issue/7885
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
