Disconnecting topology/removing last-role-host during server
uninstallation should raise error rather than just being logged
if the appropriate ignore settings are not present.
https://fedorahosted.org/freeipa/ticket/6168
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Read whole cache into memory and keep it there for lifetime of api
object. This removes the need to repetitively open/close the cache and
speeds up every access to it.
https://fedorahosted.org/freeipa/ticket/6048
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Since there is a new warning about only one CA server, the default facet
of topology facet group is set to servers list where the warning is.
So the warning will be shown right after clicking on Topology section.
Part of: https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
It is not safe to have only one CA server in topology. Therefore there is a check
and in case that there is only one CA server a warning is shown. The warning is
shown after each refreshing of servers facet.
https://fedorahosted.org/freeipa/ticket/5828
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Errors during DNS resolution might indicate that forwarder is the
necessary configuration which is missing. Now we disallow adding a
forwarder only if the zone is normally resolvable without the forwarder.
https://fedorahosted.org/freeipa/ticket/6062
Reviewed-By: Martin Basti <mbasti@redhat.com>
Previously, update_dnsforward_emptyzones failed with an exception if
DNS query failed for some reason. Now the error is logged and upgrade
continues.
I assume that this is okay because the DNS query is used as heuristics
of last resort in the upgrade logic and failure to do so should not have
catastrophic consequences: In the worst case, the admin needs to
manually change forwarding policy from 'first' to 'only'.
In the end I have decided not to auto-start BIND because BIND depends on
GSSAPI for authentication, which in turn depends on KDC ... Alternatives
like reconfiguring BIND to use LDAPI+EXTERNAL and reconfiguring DS to
accept LDAP external bind from named user are too complicated.
https://fedorahosted.org/freeipa/ticket/6205
Reviewed-By: Martin Basti <mbasti@redhat.com>
These are manual fixes for patches submitted upstream, and should be
picked up once a new asn1c is available.
They will be overridden if the code is regenerated before then.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Regenerate the code with asn1c 0.9.27, this allows us to pick up a few
fixes for problems identified by coverity as well as other general bugfixes.
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix for accidentally pushed commit c15ba1f9e8
During install we call sshd with no config file, sometimes leading to it
complaining about missing files or bad config options. Since we're just
looking for the return code to see if the options are correct, we can
discard these error messages.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Always run the client installation script with --no-ntp
option so that it does not show the message about --force-ntpd
option that does not exist in ipa-replica-install. The time
synchronization is done elsewhere anyway.
https://fedorahosted.org/freeipa/ticket/6046
Reviewed-By: Martin Basti <mbasti@redhat.com>
Whether a parameter is treated like password is determined by the
`password` class attribute defined in the Param class. Whether the CLI will
ask for confirmation of a password parameter depends on the value of the
`confirm` kwarg of the Password class.
Move the `confirm` kwarg from the Password class to the Param class, so
that it can be used by any Param subclass which has the `password` class
attribute set to True.
This fixes confirmation of the --key option of otptoken-add, which is a
Bytes subclass with `password` set to True.
https://fedorahosted.org/freeipa/ticket/6174
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: David Kupka <dkupka@redhat.com>
Topology graph didn't show plus icons correctly.
There is a problem with uglifying of JavaScript code. It does not leave unicode characters
written in hexadecimal format unchanged. Therefore this workaround inserts the
needed character using a JavaScript function, and uglifying does not affect it.
https://fedorahosted.org/freeipa/ticket/6175
Reviewed-By: Martin Basti <mbasti@redhat.com>
The man page for ipa-cacert-manage didn't mention that some
options are only applicable to the install and some to the renew
subcommand.
Also fixed a few missing articles.
https://fedorahosted.org/freeipa/ticket/6013
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
daemons/ipa-kdb/ipa_kdb_mspac.c: In function 'filter_logon_info':
daemons/ipa-kdb/ipa_kdb_mspac.c:1536:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_group_dom_sid'
if (info->info->res_group_dom_sid != NULL &&
^~
daemons/ipa-kdb/ipa_kdb_mspac.c:1537:19: error: 'struct PAC_LOGON_INFO'
has no member named 'res_groups'; did you mean 'resource_groups'?
info->info->res_groups.count != 0) {
^~
mv -f .deps/ipa_kdb_delegation.Tpo .deps/ipa_kdb_delegation.Plo
Makefile:806: recipe for target 'ipa_kdb_mspac.lo' failed
make[3]: *** [ipa_kdb_mspac.lo] Error 1
make[3]: *** Waiting for unfinished jobs....
Related change in samba
4406cf792a
Resolves:
https://fedorahosted.org/freeipa/ticket/6173
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Also put jsl into dependencies.
The patch also splits the lint target into more, smaller targets.
The purpose of this change is to add the possibility to run only
the fast jslint by using make jslint and not waste time with pylint,
which can take a lot of time.
https://fedorahosted.org/freeipa/ticket/6161
Reviewed-By: Martin Basti <mbasti@redhat.com>
Prevents sshd from producing warning messages on package upgrade because
not all of the default host key files (/etc/ssh/ssh_host_dsa_key,
/etc/ssh/ssh_host_ecdsa_key, /etc/ssh/ssh_host_ed25519_key and
/etc/ssh/ssh_host_rsa_key) are present.
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The Principal refactor causes service collections
('memberservice_service' attribute) to return Principal objects
where previously it returned strings, but the HBAC machinery used
for CA ACL enforcement only handles strings. Update the code to
stringify service Principal objects when adding them to HBAC rules.
Fixes: https://fedorahosted.org/freeipa/ticket/6146
Reviewed-By: Martin Basti <mbasti@redhat.com>