Errors related to establishing trust can occur if samba service is not
restarted after ipa-adtrust-install has been run. Restart the service at
the end of the installer to avoid such issues.
https://fedorahosted.org/freeipa/ticket/5134
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
As part of hardening of adtrust installer, we should wait until
the sidgen task is completed before continuing, as it can take
considerable amount of time for a larger deployment.
https://fedorahosted.org/freeipa/ticket/5134
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Relative name "record.zone" is being added into zone "zone.",
which is probably a mistake. User probably wanted to either specify
relative name "record" or use FQDN "record.zone.".
Reviewed-By: Martin Basti <mbasti@redhat.com>
Web UI tests were marked as tier1 tests.
The tier system is intended to be used together with CI system
to make sure the more complicated tests are being run only
when all of the basic functionality is working.
The system is using pytest's marker system. E.g. an invocation of
all tier1 tests with listing will look like:
$ py.test -v -m tier1 ipatests
or in case of out of tree tests:
$ ipa-run-tests -m tier1
Reviewed-By: Ales 'alich' Marecek <amarecek@redhat.com>
ipa-replica-prepare command is disabled in non-zero domain-level. Instead of
raising and exception with the whole message instructing the user to promote
replicas from enrolled clients in level 1+ topologies, the exception itself
contains only a brief informative message and the rest is logged at error
level.
https://fedorahosted.org/freeipa/ticket/5175
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Packaging of sssd was changed and more sub-packages are build
from sssd.src.rpm. Especially python bindings and development packages
are already in sub-packages. As a result of this change the meta package
sssd can be removed from BuildRequires without any problem.
FreeIPA spec file contained build requirement for latest version of
sssd even though the latest sssd was not required for building
FreeIPA rpms. In many cases, it was sufficient just to change requirements
for FreeIPA packages instead of build requirements.
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
- Add subsection to ipa-adtrust-install man page
- Update port information in ipa-adtrust-install
https://fedorahosted.org/freeipa/ticket/5414
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
When creating an A record we used to provide full hostname as a record name,
while we should have provided only the first part of the hostname
https://fedorahosted.org/freeipa/ticket/5419
Reviewed-By: Martin Basti <mbasti@redhat.com>
As of 4.3 the replica installation is performed without preparing a gpg file on
master, but rather enrolling a future replica as a client with subsequent
promotion of the client. This required the corresponding change in the
integration tests
https://fedorahosted.org/freeipa/ticket/5379
Reviewed-By: Martin Basti <mbasti@redhat.com>
Dogtag 10.2.6-12 includes automatic upgrade from Tomcat 7 to Tomcat 8.
Otherwise FreeIPA is broken after upgrades. This affects Fedora 22 to
Fedora 23 upgrades.
https://bugzilla.redhat.com/show_bug.cgi?id=1274915
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
* ipa-csreplica-manage {connect|disconnect} - a user should use 'ipa
topologysegment-*' commands
* ipa-csreplica-manage del - a user should use ipa-replica-manage del
https://fedorahosted.org/freeipa/ticket/5405
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Remove lockout policy update file because all currently supported versions
have krbPwdMaxFailure defaulting to 6 and krbPwdLockoutDuration defaulting to 600.
Keeping lockout policy update file prevents from creating a more scrict policy in
environments subject to regulatory compliance
https://fedorahosted.org/freeipa/ticket/5418
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
when a suffix becomes managed for a host, the host needs to
be added to the managed servers, otherwise connectivity check would fail
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
the creation or deletion of a replication agreemet is rejected if the
servers are managed for the suffix. But bot endpoints need to checked
Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
Added try-except block in dns plugin in order to provide user
friendly message to end user.
https://fedorahosted.org/freeipa/ticket/4811
Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
There is no reason to proceed if a CA is already installed, and the
check does not involve a lot of setup, so do it early on.
Ticket: https://fedorahosted.org/freeipa/ticket/5397
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
The client XML-RPC implementation is tied to rpclib internals,
so with a change in Python it needs to be updated. And rpclib
changed in Python 3.
Reviewed-By: Tomas Babej <tbabej@redhat.com>
StringIO was renamed in Python 3. The import was was unused,
so remove it.
Files need to be opened in binary mode if bytes are written to them.
(For Python 2: on Linux, there's no practical difference between
text and binary mode)
Reviewed-By: Tomas Babej <tbabej@redhat.com>
Added constants for domain levels
DOMAIN_LEVEL_0 = 0
DOMAIN_LEVEL_1 = 1
This allows to search for domain level easier in code.
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Reviewed-By: Tomas Babej <tbabej@redhat.com>
The unlock_principal_password unlocks the (new) user by running
ldappasswd as the user.
change_principal is an context manager that changes identity
for the supplied api object by disconnecting and reconnecting
the rpcclient in and outside of requested kerberos context.
This context manager allows to run tests that cannot be
executed as an admin user which can for example override
an CA ACL.
https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
Also includes basic ACL manipulation and adding
and removing members to/from the acl.
https://fedorahosted.org/freeipa/ticket/57
Reviewed-By: Martin Basti <mbasti@redhat.com>
