- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
krb5 uses the negative part of krb5_timestamp to store time values
after 2038:
https://k5wiki.kerberos.org/wiki/Projects/Timestamps_after_2038
In other words, krb5 uses krb5_timestamp (signed int) with
unsigned arithmetic for expanding the timestamp's upper bound.
This commit:
- adds some helper functions for working with krb5_timestamp as
unsigned (actually copied from
https://github.com/krb5/krb5/blob/master/src/include/k5-int.h)
- replaces operations with krb5_timestamp's by these new functions
Fixes: https://pagure.io/freeipa/issue/8028
Signed-off-by: Slava Aseev <ptrnine@altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
'gpg2' is a convenience symlink on Debian, provided by a package that
will go away eventually. 'gpg' is available everywhere.
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
- order permissions alphabeticaly
- do not use semicollon after interfaces
- gen_require should only be used in interfaces
-- to resolve this issue, corresponding changes have to be made in
distribution policy instead of ipa module - disabling check
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Add test to ensure that strings with trailing or leading
whitespaces are allowed as valid passwords.
Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
kwargs is redefined to set the `noextrawhitespace` parameter
from the Str class to `False`.
Fixes: https://pagure.io/freeipa/issue/7599
Signed-off-by: Antonio Torres Moríñigo <atorresm@protonmail.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.
Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.
Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into /etc/krb5.conf realm entries.
Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.
Make sure dns_lookup_kdc is always set to true.
Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Convert configuredService to either enabledService or hiddenService
depending on the state of the server role. This is to fix situations
when deployment has happened before introduction of hidden replicas
as those services will stay as configuredService and will not get
started after upgrade, rendering the system non-functioning.
Fixes: https://pagure.io/freeipa/issue/8623
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
When there are no services in LDAP that have specified states, we don't
need to update their state.
Fixes: https://pagure.io/freeipa/issue/8623
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
In case we've got a principal name as '*', we don't need to specify
the principal itself, use pre-defined filter for a wild-card search.
Previously, we had to escape the '*' as specifying it with an explicit
matching rule would have violated RFC 4515 section 3. However, since we
don't really need to specify a different matching rule for a wild-card
search, we can remove this part completely.
Use this change as an opportunity to simplify the code and reduce
number of duplicated filter constants -- if extra filter is NULL, we can
simply pass "" and use _EXTRA filter constants to format the final
filter.
Fixes: https://pagure.io/freeipa/issue/8624
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Currently the TestIpaHealthCheckWithADtrust trust required
only one root AD Domain for testing.
Replaced the existing topology with adroot_adchild_adtree_master_1client
so that trust tests can be run with child/tree root AD domains.
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
This testcase checks that when external trust is configured
between IPA and AD subdomain, IPATrustDomainsCheck
doesnot display ERROR
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Python code does detection of the system encoding based on the locale
settings. On RHEL 8.4 development images we somehow get LANG=en_US which
defaults to iso8859-1 _inside_ the systemd-started service, even though
the whole environment defaults to LANG=en_US.UTF-8.
When instrumented with ExecStartPre=/usr/bin/locale, the following
output can be seen:
locale[45481]: LANG=en_US
locale[45481]: LC_CTYPE="en_US"
locale[45481]: LC_NUMERIC="en_US"
locale[45481]: LC_TIME="en_US"
locale[45481]: LC_COLLATE="en_US"
locale[45481]: LC_MONETARY="en_US"
locale[45481]: LC_MESSAGES="en_US"
locale[45481]: LC_PAPER="en_US"
locale[45481]: LC_NAME="en_US"
locale[45481]: LC_ADDRESS="en_US"
locale[45481]: LC_TELEPHONE="en_US"
locale[45481]: LC_MEASUREMENT="en_US"
locale[45481]: LC_IDENTIFICATION="en_US"
locale[45481]: LC_ALL=
ipactl[45483]: Unexpected error
ipactl[45483]: SystemEncodingError: System encoding must be UTF-8, 'iso8859-1' is not supported. Set LC_ALL="C.UTF-8", or LC_ALL="" and LC_CTYPE="C.UTF-8".
systemd[1]: ipa.service: Main process exited, code=exited, status=1/FAILURE
Set the environment to explicit LC_ALL=C.UTF-8 to please the Python
code. FreeIPA server side only cares about actual encoding, not the
language itself. We already use LC_ALL=C.UTF-8 in httpd service snippet.
Fixes: https://pagure.io/freeipa/issue/8617
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
in the dictionary. Regression was introduced with
e731b2725a.
Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
With commit c6644b8566 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.
The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.
Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.
Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
do so, mod_auth_gssapi will do redirects and fail.
Fixes: https://pagure.io/freeipa/issue/8613
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
The test test_user_plugin is using a hardcoded date for
password expiration and started failed since we passed this date.
Replace the hardcoded date with now + 1 year.
Fixes: https://pagure.io/freeipa/issue/8616
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Add a new upgrade test. Scenario:
- create an empty /var/lib/pki/pki-tomcat/kra directory
- call ipa-server-upgrade
With issue 8596, the upgrade fails because it assumes KRA is
installed. With the fix, ipa-server-upgrade completes successfully.
Related: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The dogtaginstance.is_installed() method currently relies on
the presence of the directory /var/lib/pki/pki-tomcat/{ca|kra},
even if it is empty.
An unwanted consequence is ipa-server-upgrade wrongly assuming the KRA
is installed and crashing when trying to upgrade a not-installed
component.
The fix relies on the command "pki-server subsystem-show {ca|kra}" to
detect if a subsystem is installed. The command does not require PKI
to be running (hence can be called anytime) and is delivered by
the pki-server package which is already required by ipa server pkg.
Fixes: https://pagure.io/freeipa/issue/8596
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
freeipa-selinux subpackage is used by both client and server but
requires freeipa-server subpackage unconditionally. This needs to be
removed.
Originally, upstream spec file did not have this bug. It was brought
in with unification of the specfiles.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1883005
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
mod_md requires its own SELinux policy which is only available
in the upstream github. It is beyond the scope of this test to
maintain SELinux policy only for the scenario so skip it
if the client is in enforcing.
Note that no check needs to be done on OS because that is
already handled by the outer skipif for skip_mod_md_tests.
https://pagure.io/freeipa/issue/8514
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
The addition of test_ccache_sweep includes a number of sleeps
to force cache expiration.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
The associated service doesn't need to be enabled. Enabling the
timer is suffient for it to execute. It requires the timers
service so will be ready automatically to run on the configured
period.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
- Force wipe all existing ccaches
- Set the ticket policy to a short value, 30 seconds.
- Do a series of kinit, ipa command, kdestroy to generate ccaches
- sleep(30)
- Run the sweeper
- Verify that all ccaches are gone
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Rather than having a shared ccache per user, configure
mod_auth_gssapi to create a unique one. This requires cleanup
to remove expired caches. A new script is added,
ipa-ccache-sweeper to do this. It will be invoked by a
new service, ipa-ccache-sweep, which will be executed every
12 hours by an equally-named timer.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
This ensures that the ticket policy will be reset even on
failure.
https://pagure.io/freeipa/issue/8589
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
In order to reduce maintenance burden and to be able to use automatic
build tools, bring up the differences between RPM spec files in
upstream, RHEL, and Fedora to a minimum.
This gives us an opportunity to:
- start using proper conditional macros (%bcond_with/%bcond_without)
- remove old cruft where Fedora 31+ and RHEL8+ are already the same
- remove Group lines which already deprecated in Fedora packaging
policy
- remove buildroot cleanup
- support release candidate designations: mostly affects downstreams but
it is better to have macro support in the common spec file.
There is also a special handling of the %SOURCE1 (detached tarball
signature). In developer builds we wouldn't have the signature generated
but RPM needs all files mentioned as sources and patches to exist. The
solution is to filter out detached signature if the final component of
the IPA_VERSION starts with 'dev'. This should cover both in-source
builds (also used in Azure CI and COPR) and PR CI.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
