freeipa.git, branch cakeysfix FreeIPA patches Make sure remote hosts have our keys 2017-05-03T11:35:53+00:00 Simo Sorce simo@redhat.com 2017-03-31T15:22:45+00:00 06e65f8859164bc7e12a2c42d64b9f7c381a3219 In complex replication setups a replica may try to obtain CA keys from a host that is not the master we initially create the keys against. In this case race conditions may happen due to replication. So we need to make sure the server we are contacting to get the CA keys has our keys in LDAP. We do this by waiting to positively fetch our encryption public key (the last one we create) from the target host LDAP server. Fixes: https://pagure.io/freeipa/issue/6838 Signed-off-by: Simo Sorce <simo@redhat.com> 
In complex replication setups a replica may try to obtain CA keys from a
host that is not the master we initially create the keys against.
In this case race conditions may happen due to replication. So we need
to make sure the server we are contacting to get the CA keys has our
keys in LDAP. We do this by waiting to positively fetch our encryption
public key (the last one we create) from the target host LDAP server.

Fixes: https://pagure.io/freeipa/issue/6838

Signed-off-by: Simo Sorce <simo@redhat.com>
Remove the cachedproperty class 2017-05-02T15:33:25+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-28T07:31:45+00:00 92313c9e9d37733feb79d1b1c825178f48d6c69c The cachedproperty class was used in one special use-case where it only caused issues. Let's get rid of it. https://pagure.io/freeipa/issue/6878 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
The cachedproperty class was used in one special use-case where it only
caused issues. Let's get rid of it.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Refresh Dogtag RestClient.ca_host property 2017-05-02T15:33:25+00:00 Stanislav Laznicka slaznick@redhat.com 2017-04-27T10:51:30+00:00 0d406fcb784924bfe685729f3156efb8c902b947 Refresh the ca_host property of the Dogtag's RestClient class when it's requested as a context manager. This solves the problem which would occur on DL0 when installing CA which needs to perform a set of steps against itself accessing 8443 port. This port should however only be available locally so trying to connect to remote master would fail. We need to make sure the right CA host is accessed. https://pagure.io/freeipa/issue/6878 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Refresh the ca_host property of the Dogtag's RestClient class when
it's requested as a context manager.

This solves the problem which would occur on DL0 when installing
CA which needs to perform a set of steps against itself accessing
8443 port. This port should however only be available locally so
trying to connect to remote master would fail. We need to make
sure the right CA host is accessed.

https://pagure.io/freeipa/issue/6878

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
ipa-client-install: remove extra space in pkinit_anchors definition 2017-05-02T11:46:55+00:00 Florence Blanc-Renaud flo@redhat.com 2017-05-02T08:22:22+00:00 26dbab1fd4384b8f3999b153c2d94220cf541ad2 ipa-client-install modifies /etc/krb5.conf and defines the following line: pkinit_anchors = FILE: /etc/ipa/ca.crt The extra space between FILE: and /etc/ipa/ca.crt break pkinit. https://pagure.io/freeipa/issue/6916 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
ipa-client-install modifies /etc/krb5.conf and defines the following line:
    pkinit_anchors = FILE: /etc/ipa/ca.crt

The extra space between FILE: and /etc/ipa/ca.crt break pkinit.

https://pagure.io/freeipa/issue/6916

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
kerberos session: use CA cert with full cert chain for obtaining cookie 2017-05-02T11:42:52+00:00 Petr Vobornik pvoborni@redhat.com 2017-04-25T15:19:36+00:00 c19196a0d3fc0a38c4c83cb8a7fde56e6bc310af Http request performed in finalize_kerberos_acquisition doesn't use CA certificate/certificate store with full certificate chain of IPA server. So it might happen that in case that IPA is installed with externally signed CA certificate, the call can fail because of certificate validation and e.g. prevent session acquisition. If it will fail for sure is not known - the use case was not discovered, but it is faster and safer to fix preemptively. https://pagure.io/freeipa/issue/6876 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Http request performed in finalize_kerberos_acquisition doesn't use
CA certificate/certificate store with full certificate chain of IPA server.
So it might happen that in case that IPA is installed with externally signed
CA certificate, the call can fail because of certificate validation
and e.g. prevent session acquisition.

If it will fail for sure is not known - the use case was not discovered,
but it is faster and safer to fix preemptively.

https://pagure.io/freeipa/issue/6876

Reviewed-By: Martin Basti <mbasti@redhat.com>
Fixed typo in ipa-client-install output 2017-05-02T11:41:20+00:00 Thorsten Scherf tscherf@redhat.com 2017-04-28T14:40:17+00:00 e3f849d541e8d054b0932d8ec1bd4c836e53c6f0 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
restore: restart/reload gssproxy after restore 2017-04-28T12:56:02+00:00 Petr Vobornik pvoborni@redhat.com 2017-04-26T16:47:53+00:00 3a4c8e39c3e38ec651cfcbb3cac59e0e92e04fe0 So that gssproxy picks up new configuration and therefore related usages like authentication of CLI against server works https://pagure.io/freeipa/issue/6902 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
So that gssproxy picks up new configuration and therefore related
usages like authentication of CLI against server works

https://pagure.io/freeipa/issue/6902

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
automount install: fix checking of SSSD functionality on uninstall 2017-04-28T11:41:56+00:00 Petr Vobornik pvoborni@redhat.com 2017-04-25T16:19:21+00:00 b4e447fa6fc7d659ae6a3b6285d4ddda0baa0be4 Change in 2d4d1a9dc0ef2bbe86751768d6e6b009a52c0dc9 no longer initializes api in `ipa-client-automount --uninstallation` Which caused error in wait_for_sssd which gets realm from initialized API. This patch initializes the API in a way that it doesn't download schema on uninstallation and on installation it uses host keytab for it so it no longer requires user's Kerberos credentials. Also fix call of xxx_service_class_factory which requires api as param. https://pagure.io/freeipa/issue/6861 Reviewed-By: Rob Crittenden <rcritten@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> 
Change in 2d4d1a9dc0ef2bbe86751768d6e6b009a52c0dc9 no longer initializes
api in `ipa-client-automount --uninstallation` Which caused error in
wait_for_sssd which gets realm from initialized API.

This patch initializes the API in a way that it doesn't download schema
on uninstallation and on installation it uses host keytab for it so it
no longer requires user's Kerberos credentials.

Also fix call of xxx_service_class_factory which requires api as param.

https://pagure.io/freeipa/issue/6861

Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
vault: piped input for ipa vault-add fails 2017-04-28T11:19:51+00:00 Florence Blanc-Renaud flo@redhat.com 2017-04-27T16:20:06+00:00 d5c41ed4ad370c7d74296a830993a5bd3fd32e5f An exception is raised when using echo "Secret123\n" | ipa vault-add myvault This happens because the code is using (string).decode(sys.stdin.encoding) and sys.stdin.encoding is None when the input is read from a pipe. The fix is using the prompt_password method defined by Backend.textui, which gracefully handles this issue. https://pagure.io/freeipa/issue/6907 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
An exception is raised when using echo "Secret123\n" | ipa vault-add myvault

This happens because the code is using (string).decode(sys.stdin.encoding)
and sys.stdin.encoding is None when the input is read from a pipe.
The fix is using the prompt_password method defined by Backend.textui,
which gracefully handles this issue.

https://pagure.io/freeipa/issue/6907

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Do not test anonymous PKINIT after install/upgrade 2017-04-28T08:38:12+00:00 Martin Babinsky mbabinsk@redhat.com 2017-04-25T17:12:51+00:00 960e361f68a3d7acd9bcf16ec6fe8f6d5376c4ae Local FAST armoring will now work regardless of PKINIT status so there is no need to explicitly test for working PKINIT. If there is, there should be a test case for that. https://pagure.io/freeipa/issue/6830 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
Local FAST armoring will now work regardless of PKINIT status so there
is no need to explicitly test for working PKINIT. If there is, there
should be a test case for that.

https://pagure.io/freeipa/issue/6830

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>