When re-running `ipa-server-install --setup-dns` on already installed
server, we do not get to the check of being already installed because
DNS zone overlap forces us to fail earlier.
Change exception returned for this case from check_zone_overlap() to
return structured information that allows to understand whether we are
finding a conflict with ourselves.
Use the returned information to only fail DNS check at this point if DNS
zone overlap is generated by a different name server than ourselves.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
temp_commit.yaml among others have wrong indentation:
expected 4 but found 3.
Fix indentation.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
DomainValidator.get_trusted_domain_object_from_sid() was using
escape_filter_chars() with bytes. The function only works with text.
This caused idview to fail under some circumstances. Reimplement
backslash hex quoting for bytes.
Fixes: https://pagure.io/freeipa/issue/7958
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
After adding a replica to AD trust agent, the warning
message does not mention that restarting sssd is mantatory
for the trust agent to work. Fix the string.
Fixes: https://pagure.io/freeipa/issue/8148
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
verify_server_cert_validity() and verify_ca_cert_validity() now check
the validity time range of external certificates. The check fails if the
certificate is not valid yet or will expire in less than an hour.
Fixes: https://pagure.io/freeipa/issue/8142
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Fix comparison bug that prevents ldap_disable to actually disable a
service.
Fixes: https://pagure.io/freeipa/issue/8143
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
ipa-server-install fails if idstart is set to 0. There might be
additional issues when idstart overlaps with local users. Ensure that
idstart is larger than UID_MAX or GID_MAX from /etc/login.defs.
Fixes: https://pagure.io/freeipa/issue/8137
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
If --no-ssh and --no-sshd are not specified in ipa-client-install,
/etc/ssh/{ssh, sshd}_config is updated and existing content is maintained.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The lite-server does no longer work correctly since rpcserver is also
using GSS_NAME. Set up GSS_NAME from ccache.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The test is installing master +DNSSEC, then replica and migrates the DNSSEC
to the replica.
During teardown, the replica is removed with ipa server-del. This operation
deletes the entries cn=DNS and cn=DNSSEC on the master, but if the
replication is stopped before the operations are replicated on the replica,
the replica may end up with a dangling cn=DNSSEC entry and no cn=DNS entry.
In this case ipa-server-install --uninstall on the replica will fail.
The fix: uninstall the DNSSec master as the last step of teardown
Related: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The helper function ipalib.util.check_client_configuration() now
considers a client configured when either:
* confdir is overridden (e.g. with IPA_CONFDIR) and the conf_default
file exists.
* confdir is /etc/ipa, /etc/ipa/default.conf exists and client
sysrestore state exists.
The check for sysrestore state is faster than checking for the presence
of the directory and presence of files in the directory. The sysrestore
state is always presence. sysrestore.index may be missing if no files
were backed up.
Fixes: https://pagure.io/freeipa/issue/8133
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
The method has_upg returns if user private groups are enabled or
disabled. has_upg() is called three times by user-add. The setting is
now cached on the request local variable context to speed up batch
processing of user imports.
context is cleared after every request.
Related: https://pagure.io/freeipa/issue/8134
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
test_smb slows down gating and PR turnover. The test takes between 45 and
50 minutes to execute while the other gating tests finish in about or less
than half the time.
The Samba / AD integration tests are still executed in nightly tests.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
After an upgrade, the group cn=adtrust agents may be missing some members.
Each ad trust controller must appear twice as member:
- krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn
- fqdn=hostname,cn=computers,cn=accounts,basedn
Add an upgrade plugin that builds a list of hostnames from the cifs
principals and adds if needed fqdn=hostname...
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Removing Travis CI in favour of Azure Pipelines.
All tests previously tested by Travis are also configured in Azure.
Repos [1] and [2] were used to build Docker images for Travis, thus
they are no longer required for branches master and ipa-4-8.
Branches ipa-4-7 and ipa-4-6 don't have Azure pipelines configured,
so Travis will continue to be used by them.
1 - https://github.com/freeipa/ipa-docker-test-runner
2 - https://github.com/freeipa/freeipa-builder
Related: https://pagure.io/freeipa/issue/7323
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
Client connections no longer override TLS version range and ciphers by
default. Instead clients use the default settings from the system's
crypto policy.
Minimum TLS version is now TLS 1.2. The default crypto policy on
RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as
minimum version. The minimum version is configured with OpenSSL 1.1.1
APIs. Python 3.6 lacks the setters to override the system policy.
The effective minimum version is always TLS 1.2, because FreeIPA
reconfigures Apache HTTPd on Fedora.
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
urllib3 now supports post-handshake authentication with TLS 1.3. Enable
TLS 1.3 support for Apache HTTPd.
The update depends on bug fixes for TLS 1.3 PHA support in urllib3 and
Apache HTTPd. New builds are available in freeipa-master COPR and in
F30/F31.
Overwrite crypto-policy on Fedora only. Fedora 31 and earlier have TLS
1.0 and 1.1 still enabled by default.
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Paramiko is not compatible with FIPS mode. It uses MD5 on the client
side and does not support rsa-sha2 connections for RSA auth.
See: https://pagure.io/freeipa/issue/8129
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
When a system is in FIPS mode, SSHd can prints some noise to stderr:
FIPS mode initialized\r\n
This noise causes interference and breakage of some tests. Remove the
noise from stderr_bytes, which automatically fixes stderr_text, too.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
The goal of the last test in test_crlgen_manage is to ensure that
ipa-server-install --uninstall can proceed if the server is the last one
in the topology, even if it is the CRL generation master.
The current code is wrong because it tries to uninstall the master
(which has already been uninstalled in the prev test), It should rather
uninstall replicas[0].
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The uninstall method of some tests can be skipped as the cleanup is
already done before.
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
At the end of any integration test, the method uninstall is called and
uninstalls master, replicas and clients.
Usually the master is the CA renewal master and DNSSec master, and
uninstallation may fail.
This commits modifies the uninstall method in order to:
- call 'ipa server-del replica' before running uninstall on a replica
- uninstall the replicas before uninstalling the master
Fixes: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
On successful code path we leak internal copy of the ucs2-encoded
password.
Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Even when a number of translated encryption types is zero, the array
might still be allocated. Call free() in any case as free(NULL) does
nothing.
Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The plugin had two bugs:
For one it did not work under Python 3 because urlencode() returns a string
but HTTPSHandler expects bytes as data argument.
The primary key field name is not available in client plugins. Just pass
the token name and let server code convert the name to DN.
Fixes: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Add integration tests to verify HOTP, TOTP, service with OTP auth
indicator, and OTP token sync.
Related: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
A raw batch request was fully logged which could expose parameters
we don't want logged, like passwords.
Override _repr_iter to use the individual commands to log the
values so that values are properly obscured.
In case of errors log the full value on when the server is in
debug mode.
Reported by Jamison Bennett from Cloudera
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Florence Blanc-Renaud <frenaud@redhat.com>
ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be store in whatever
memory location is pointed by the stack at that time causeing a crash.
Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is te kdb_driver
itself and we never encode these s2kparam data.
But we need to handle this for future proofing.
Fixes#8071
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
The ipaserver template triggers the installation of IPA server
before the tests are launched and should not be used for
test_integration tests
Switch to master_1repl template.
Related: https://pagure.io/freeipa/issue/8001
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add disable-stale-users.md: feature document for the upcoming DSU feature.
Fixes: https://pagure.io/freeipa/issue/8104
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a specific indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.
The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
LDAP attribute options aren't enforced in the LDAP schema. They
represent server- and client-side treatment of attribute values but the
schema definition knows nothing about them.
When we check attribute presence in the entry, we should strip options
before comparing attribute names with the schema.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The fix prevents blocking elements in the right side near notification area.
Notification area now has fixed width and it isn't offset.
Also notification icon is aligned to notification text.
Ticket: https://pagure.io/freeipa/issue/8120
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Since 6c27104467 we need a new selinux
policy in order to ensure /etc/named directory content has the correct
selinux flags.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
Commands like ipa group-add-member-manager now show permission
errors on failed operations.
Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
If a replica has no Samba bindings but there are trust agreements
configured on some trust controller, skip trust upgrade code on this
replica.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
A single-valued DNParam parameter must not accept multivalues. Add test
checking the behavior for single valued and multivalued DNParam.
Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
ipa user-add-certmapdata defines --issuer and --subject as single valued.
Add a test checking that this is enforced.
Related: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
When ipa user-add-certmapdata is called with multiple --subject or
multiple --issuer, the DNParam's _convert_scalar method is called with
a tuple containing all the params and should raise an exception as the
--subject and --issuer are single-value params.
The DNParam _convert_scalar method internally calls the DN init method,
and the DN init method is able to create a DN from a tuple of RDNs.
As such, it won't raise exception if a tuple/list is provided.
Check that _convert_scalar is only provided a single element.
Fixes: https://pagure.io/freeipa/issue/8097
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
- fix API method call for adding member manager
- fix regressions in host group associated tables
Ticket: https://pagure.io/freeipa/issue/8123
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Commit cd887a48b5 did that for gating,
this commit bumps the version for the remaining definitions.
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Based on userspace FIPS mode by Ondrej Moris.
Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.
Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Template used: https://app.vagrantup.com/freeipa/boxes/ci-master-f31/versions/0.0.2
with installed packages updated.
This commit also replaces `fedora-30` with `fedora-latest` for test_smb gating definition
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>