Commit Graph

11502 Commits

Author SHA1 Message Date
Martin Basti
3f59721c55 py3: vault: data must be bytes
Use bytes for vault data

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
10d4fb7ea8 py3: test_location_plugin: fix iteration over changed dict
In py3 dict.items() doesn't return list so we must create a list to
avoid changing dictionary over iteration.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
8116a7b450 py3: test_kerberos_principal_aliases: fix code scope
In py3 the variable is valid only in the block where it is defined. We
must move test definition to global scope.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
c422206cc7 py3: dogtag.py: fix bytes warnings
/usr/lib/python3.5/site-packages/ipaserver/plugins/dogtag.py:1438: BytesWarning: str() on a bytes instance
   "parse_result:\\n%s" % (parse_func.__name__, xml_text, result))

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
b35db9152c py3: travis: enable tests for plugins that are aleready working
These tests just works now

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:45:05 +02:00
Martin Basti
b0e5168841 py3: secrets: remove iteritems usage
https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 14:44:25 +02:00
Simo Sorce
0537ab07ba Make sure we check ccaches in all rpcserver paths
We need to verify the ccache is avcailable in all cases or finalize
will cause us to acquire creds with the keytab which is not what we
want.

Ticket #7037

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-23 10:27:04 +02:00
Martin Basti
b43dab8388 Travis: check for BytesWarnings in httpd error_log
This check should prevent regressions in already py3 ported server plugins.
Later it may be extened to multiple logs.

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-22 13:43:44 +02:00
Stanislav Laznicka
8311069d18 adtrustinstance: write the conf as a string
Since ipautil.template_file() returns a string, we should not try
to write it as bytes.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-21 16:34:05 +02:00
Stanislav Laznicka
a83b2583ab adtrustinstance: pep8 fix
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-21 16:34:05 +02:00
Martin Basti
0487f993fd py3: ipaldap: fix encoding of datetime objects
datetime objects were converted to string instead fo bytes.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-21 10:24:39 +02:00
Martin Basti
db01767acf py3: LDAPClient: remove __del__ method
in py3 we are receiving ugly tracebacks due __del__ method that
should be used very carefully or never. Due tracebacks, this doesn't
work and context manager should be used for reliable connection
termination.

Exception ignored in: <bound method LDAPClient.__del__ of ipaserver.plugins.ldap2.ldap2()>
Traceback (most recent call last):
  File "/usr/lib/python3.5/site-packages/ipapython/ipaldap.py", line 1057, in __del__
  File "/usr/lib/python3.5/site-packages/ipaserver/plugins/ldap2.py", line 123, in close
  File "/usr/lib/python3.5/site-packages/ipalib/backend.py", line 94, in isconnected
NameError: name 'hasattr' is not defined
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-21 10:24:39 +02:00
Martin Basti
7c163c90b8 LDAPEntry: rename _orig to _orig_raw
It was hard to detect what is supposed to be in self._orig variable.
Renaming to _orig_raw makes clear for future generations that it
contains bytes.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-21 10:24:39 +02:00
Sumit Bose
1f0ca6aafd ipa_pwd_extop: do not generate NT hashes in FIPS mode
In FIPS mode NT hashes (aka md4) are not allowed. If FIPS more is
detected we disable NT hashes even is the are allowed by IPA
configuration.

Resolves https://pagure.io/freeipa/issue/7026

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-21 10:16:41 +02:00
Sumit Bose
f169481b55 ipa-sam: replace encode_nt_key() with E_md4hash()
Since ipa-sam is running as part of smbd is it safe to use the
E_md4hash() from Samba. This way ipa-sam does not depend on other crypto
libraries which might depend on other rules like e.g. FIPS mode.

Resolves https://pagure.io/freeipa/issue/7026

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-21 10:16:41 +02:00
Martin Basti
52b43c7168 python-netifaces: update to reflect upstream changes
python-netifaces now provides IPv6 netmask in format mask/prefix. It
breaks freeipa as it is unexpected format for python-netaddr. We must
split netmask and provide only prefix for netaddr.

https://pagure.io/freeipa/issue/7021

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
2017-06-20 13:52:10 +02:00
Martin Basti
172a2e7456 Travis: enable temporary Py3 testing
This testconfig is temporary until all plugins are migrated into py3.
After that this temporal config file will be removed and used only the
previous one again

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-20 12:36:29 +02:00
Martin Basti
5fdd0a3f60 Travis: build only py2 packages for py2 testing
We will testing both py2 and py3 packages, first step is use only py2
builds for testing py2 packages

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-20 12:36:29 +02:00
Martin Basti
4eec2f5e57 Build: allow to build only py2 rpms for fedora
This is more or less for testing purposes of py2/py3 compatibility

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-20 12:36:29 +02:00
Martin Basti
f3537297be Remove network and broadcast address warnings
We cannot reliably determine when an IP Address is network or broadcast.
We allowed to use non-local IP addresses due container use cases, we
don't know subnets of used IP addresses.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Martin Basti
1b8dc1131c replica install: add missing check for non-local IP address
Add missing warning for used non-local IP address.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Martin Basti
f9cba7d161 Remove ip_netmask from option parser
ipa-dns-install uses ip_netmask=False --> parse_netmask=False, other installers uses default (parse_netmask=True).
Use this consistent accross all installers.

Also this option is unused (and shouldn't be used).

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Martin Basti
6024165101 CheckedIPAddress: remove match_local param
This parameter is unused in code. We are no longer testing if IP address
matches an interface in constructor.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Martin Basti
0b69e44f16 refactor CheckedIPAddress class
Make methods without side effects (setting mask)

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Martin Basti
cb48a49c80 ipa-dns-install: remove check for local ip address
This check was forgotten and will be removed now.

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Martin Basti
82ad586f6c Fix local IP address validation
Previously bf9886a84393d1d1546db7e49b102e08a16a83e7 match_local has
undesirable side effect that CheckedIPAddress object has set self._net
from local interface.

However with the recent changes, match_local is usually set to False,
thus this side effect stops happening and default mask per address class
is used. This causes validation error because mask on interface and mask
used for provided IP addresses differ (reporducible only with classless
masks).

FreeIPA should compare only IP addresses with local addresses without masks

https://pagure.io/freeipa/issue/4317

Reviewed-By: David Kupka <dkupka@redhat.com>
2017-06-20 11:29:41 +02:00
Stanislav Laznicka
bee3c1eccd More verbose error message on kdc cert validation
KDC cert validation was added but provides rather non-descriptive
error should there be something wrong with a certificate. Pass
the error message from the `openssl` tool in such cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-16 16:04:00 +02:00
Stanislav Laznicka
f827fe0f19 cert-validate: keep all messages in cert validation
Previous attempt to improve error messages during certificate
validation would only work in English locale so we're keeping
the whole NSS messages for all cases.

https://pagure.io/freeipa/issue/6945

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-16 16:04:00 +02:00
Felipe Volpone
36532031cf
Changing cert-find to go through the proxy instead of using the port 8080
The cert-find command now uses the proxy to reach Dogtag, instead of using
the port 8080. In order to accomplish that, it's necessary to change the
proxy configuration including the URL called.

https://pagure.io/freeipa/issue/6966

Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
2017-06-16 08:56:53 +02:00
Tibor Dudlák
7fd2102a78 Add --force-join into ipa-replica-install manpage
Resolves: https://pagure.io/freeipa/issue/7011
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-15 13:56:53 +02:00
Fraser Tweedale
d7e1ab8438 Add a README to certificate profile templates directory
There have been several instances of people using the profile
configuration template files as actual profile configurations,
resulting in failures and support load.  Add a README to the profile
template directory to explain that these files should not be used
and advise of the recommend procedure.

Fixes: https://pagure.io/freeipa/issue/7014
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:55:09 +02:00
Tomas Krizek
44e3496bd1 ipatests: do not collect systemd journal when logfile_dir is missing
If logs aren't collected to logfile_dir, skip collection of systemd
journal.

Related https://pagure.io/freeipa/issue/6971

Signed-off-by: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-15 13:52:50 +02:00
Tibor Dudlák
74d36a8af6 dnsserver.py: dnsserver-find no longer returns internal server error
Invocation of the ipa dnsserver-find command failed with
internal server error when there is no DNS server in topology.

Fixes: https://pagure.io/freeipa/issue/6571
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:51:06 +02:00
Stanislav Laznicka
440c61dc40 adtrustinstance: fix ID range comparison
The ID range comparison was comparing numbers to a string or possibly
to `None` and was tailored in such a way that the check would always
pass although it went directly against the definition of the absolute
value of a substitution.

https://pagure.io/freeipa/issue/7002

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-15 13:49:05 +02:00
Stanislav Laznicka
c8cc62564b Docstring+refactor of IPADiscovery.ipadnssearchkrbrealm()
Added a docstring and made a tiny miny refactor to
IPADiscovery.ipadnssearchkrbrealm()

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:42:52 +02:00
Stanislav Laznicka
1cab1e980c ipadiscovery: Return realm as a string
We don't have a use for realm as a bytes instance, return it as a
string, otherwise there's a use of str() on bytes in py3.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 13:42:52 +02:00
Thorsten Scherf
e8358eaea9 Changed ownership of ldiffile to DS_USER
Resolves:
https://pagure.io/freeipa/issue/7010

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-15 10:40:18 +02:00
David Kupka
342f72140f kra: promote: Get ticket before calling custodia
When installing second (or consequent) KRA instance keys are retrieved
using custodia. Custodia checks that the keys are synchronized in
master's directory server and the check uses GSSAPI and therefore fails
if there's no ticket in ccache.

https://pagure.io/freeipa/issue/7020

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-15 10:10:27 +02:00
David Kreitschmann
bf0ba9b36e Disable pylint in get_help function because of type confusion.
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-15 09:12:19 +02:00
David Kreitschmann
d5bb541061 Store help in Schema before writing to disk
Signed-off-by: David Kreitschmann <david@kreitschmann.de>
Reviewed-By: David Kupka <dkupka@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-15 09:12:19 +02:00
Pavel Vomacka
b25412f988 WebUI: add support for changing trust UPN suffixes
It is now possible to change UPN suffixes in WebUI. This change
allows another way to changing UPN suffixes for AD users.

https://pagure.io/freeipa/issue/7015

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
2017-06-14 16:55:15 +02:00
Alexander Bokovoy
abb6384875 trust-mod: allow modifying list of UPNs of a trusted forest
There are two ways for maintaining user principal names (UPNs) in Active
Directory:
 - associate UPN suffixes with the forest root and then allow for each
   user account to choose UPN suffix for logon
 - directly modify userPrincipalName attribute in LDAP

Both approaches lead to the same result: AD DC accepts user@UPN-Suffix
as a proper principal in AS-REQ and TGS-REQ.

The latter (directly modify userPrincipalName) case has a consequence
that this UPN suffix is not visible via netr_DsRGetForestTrustInformation
DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN
suffix does belong to a trusted Active Directory forest. As result, SSSD
will not be able to authenticate and validate this user from a trusted
Active Directory forest.

This is especially true for one-word UPNs which otherwise wouldn't work
properly on Kerberos level for both FreeIPA and Active Directory.

Administrators are responsible for amending the list of UPNs associated
with the forest in this case. With this commit, an option is added to
'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a
trusted forest root.

As with all '-mod' commands, the change replaces existing UPNs when
applied, so administrators are responsible to specify all of them:

  ipa trust-mod ad.test --upn-suffixes={existing.upn,another_upn,new}

Fixes: https://pagure.io/freeipa/issue/7015
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
2017-06-14 16:38:12 +02:00
Martin Babinsky
e418e9a4ca Prepare advise plugin for smart card auth configuration
The plugin contains recipes for configuring Smart Card authentication
on FreeIPA server and enrolled client.

https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes
https://pagure.io/freeipa/issue/6982

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-14 12:24:20 +02:00
Martin Babinsky
0569c02f17 Extend the advice printing code by some useful abstractions
The advise printing code was augmented by methods that simplify
generating bash snippets that report errors or failed commands.

https://pagure.io/freeipa/issue/6982

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-14 12:24:20 +02:00
Stanislav Laznicka
d665224a85 session_storage: Correctly handle string/byte types
In session_storage.py, store_data() stores data as the bytes data
type but get_data() is returning a string. Have get_data() return
bytes as well.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-09 16:59:53 +02:00
Tibor Dudlák
468eb3c712 Add Role 'Enrollment Administrator'
User with the 'Enrollment Administrator' role assigned is able to
enroll client with ipa-client-install command.

Resolves: https://pagure.io/freeipa/issue/6852
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-09 16:37:40 +02:00
Martin Basti
a2147de6e2 Explicitly ask for py2 dependencies in py2 packages
In future default package names can start to pointing to py3 instead of
py2. We have to explicitly ask for python2-* and python3-* packages.

This commit changes only dependencies that are available in both F25 and
F26

https://pagure.io/freeipa/issue/4985

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
2017-06-09 16:34:15 +02:00
Tibor Dudlák
063211d665 server.py: Removes dns-server configuration from ldap
After invocation of the ipa server-del <hostname>
command there was still record in ldap if DNS
was installed on the <hostname> server.

Fixes: https://pagure.io/freeipa/issue/6572
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-08 16:54:04 +02:00
Tibor Dudlák
dfc271fdf4 sssd.py: Deprecating no-sssd option.
Resolves: https://pagure.io/freeipa/issue/5860
Reviewed-By: Martin Basti <mbasti@redhat.com>
2017-06-08 15:47:16 +02:00
Tibor Dudlák
eae8714026 client.py: Replace hardcoded 'admin' with options.principal
Fixes: https://pagure.io/freeipa/issue/5406
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
2017-06-08 15:45:29 +02:00