freeipa.git/install/oddjob, branch fix_ber_scanf FreeIPA patches trust-fetch-domains: make sure we use right KDC when --server is specified 2019-06-28T11:30:59+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-06-27T12:17:07+00:00 6c9fcccfbcbb78b49b65c12bf05b2647f1522609 Since we are authenticating against AD DC before talking to it (by using trusted domain object's credentials), we need to override krb5.conf configuration in case --server option is specified. The context is a helper which is launched out of process with the help of oddjobd. The helper takes existing trusted domain object, uses its credentials to authenticate and then runs LSA RPC calls against that trusted domain's domain controller. Previous code directed Samba bindings to use the correct domain controller. However, if a DC visible to MIT Kerberos is not reachable, we would not be able to obtain TGT and the whole process will fail. trust_add.execute() was calling out to the D-Bus helper without passing the options (e.g. --server) so there was no chance to get that option visible by the oddjob helper. Also we need to make errors in the oddjob helper more visible to error_log. Thus, move error reporting for a normal communication up from the exception catching. Resolves: https://pagure.io/freeipa/issue/7895 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <flo@redhat.com> Reviewed-By: Sergey Orlov <sorlov@redhat.com> 
Since we are authenticating against AD DC before talking to it (by using
trusted domain object's credentials), we need to override krb5.conf
configuration in case --server option is specified.

The context is a helper which is launched out of process with the help
of oddjobd. The helper takes existing trusted domain object, uses its
credentials to authenticate and then runs LSA RPC calls against that
trusted domain's domain controller. Previous code directed Samba
bindings to use the correct domain controller. However, if a DC visible
to MIT Kerberos is not reachable, we would not be able to obtain TGT and
the whole process will fail.

trust_add.execute() was calling out to the D-Bus helper without passing
the options (e.g. --server) so there was no chance to get that option
visible by the oddjob helper.

Also we need to make errors in the oddjob helper more visible to
error_log. Thus, move error reporting for a normal communication up from
the exception catching.

Resolves: https://pagure.io/freeipa/issue/7895
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
Replace PYTHONSHEBANG with valid shebang 2019-06-24T07:35:57+00:00 Christian Heimes cheimes@redhat.com 2019-06-21T10:05:19+00:00 6d02eddd3ef7f65c1a922125371fcbb83e35d7f8 Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3 shebang. This turns Python .in files into valid Python files. The files can now be checked with pylint and IDEs recognize the files as Python files. The shebang is still replaced with "#!$(PYTHON) -E" to support platform-python. Related: https://pagure.io/freeipa/issue/7984 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Francois Cami <fcami@redhat.com> 
Replace the @PYTHONSHEBANG@ substitution with a valid #!/usr/bin/python3
shebang. This turns Python .in files into valid Python files. The files
can now be checked with pylint and IDEs recognize the files as Python
files.

The shebang is still replaced with "#!$(PYTHON) -E" to support
platform-python.

Related: https://pagure.io/freeipa/issue/7984
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Debian: auto-generate config files for oddjobd 2019-04-24T12:08:20+00:00 Christian Heimes cheimes@redhat.com 2019-04-23T07:21:37+00:00 81d0108afc8f08b0e424d8d1fdf83f1e0ccc7765 The oddjobd config files are now auto-generated with automake to have correct path to libexec on all platforms. Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Rob Crittenden <rcritten@redhat.com> 
The oddjobd config files are now auto-generated with automake to have
correct path to libexec on all platforms.

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Bypass D-BUS interface definition deficiences for trust-fetch-domains 2019-04-08T15:51:38+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-04-08T08:43:59+00:00 cb0f24bfe251c4d659354da520be65e999f2245b In oddjobd it is possible to pass arguments as command line or on the stdin. We use command line to pass them but the way oddjobd registers the D-BUS method signatures is by specifying all arguments as mandatory. Internally, oddjobd simply ignores if you passed less arguments than specified in the D-BUS defition. Unfortunately, it is not possible to specify less than maximum due to D-BUS seeing all arguments in the list (30 is defined for the trust-fetch-domains). To pass options, have to pad a list of arguments to maximum with empty strings and then filter out unneeded ones in the script. Option parser already removes all options from the list of arguments so all we need to do is to take our actual arguments. In case of trust-fetch-domains, it is the name of the domain so we can only care about args[0]. Fixes: https://pagure.io/freeipa/issue/7903 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com> 
In oddjobd it is possible to pass arguments as command line or on the
stdin. We use command line to pass them but the way oddjobd registers
the D-BUS method signatures is by specifying all arguments as mandatory.

Internally, oddjobd simply ignores if you passed less arguments than
specified in the D-BUS defition. Unfortunately, it is not possible to
specify less than maximum due to D-BUS seeing all arguments in the
list (30 is defined for the trust-fetch-domains).

To pass options, have to pad a list of arguments to maximum with empty
strings and then filter out unneeded ones in the script. Option parser
already removes all options from the list of arguments so all we need to
do is to take our actual arguments. In case of trust-fetch-domains, it
is the name of the domain so we can only care about args[0].

Fixes: https://pagure.io/freeipa/issue/7903
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
oddjob: allow to pass options to trust-fetch-domains 2019-04-01T11:27:41+00:00 Alexander Bokovoy abokovoy@redhat.com 2019-03-31T07:39:05+00:00 de4a9875d410c68ae4f9602b70c753a11034b31b Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow passing administrative credentials and a domain controller to talk to. This approach allows to avoid rediscovering a domain controller in case a user actually specified the domain controller when establishing trust. It also allows to pass through admin credentials if user decides to do so. The latter will be used later to allow updating trust topology in a similar oddjob helper. Resolves: https://pagure.io/freeipa/issue/7895 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
Refactor com.redhat.idm.trust-fetch.domains oddjob helper to allow
passing administrative credentials and a domain controller to talk to.

This approach allows to avoid rediscovering a domain controller in case
a user actually specified the domain controller when establishing trust.

It also allows to pass through admin credentials if user decides to do
so. The latter will be used later to allow updating trust topology in a
similar oddjob helper.

Resolves: https://pagure.io/freeipa/issue/7895
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Generate scripts from templates 2018-08-23T12:49:06+00:00 Christian Heimes cheimes@redhat.com 2018-08-22T15:15:55+00:00 c8da61b92ac08ab206df260765c531e70d0342f5 Python scripts are now generated from templates. The scripts are marked as nodist (no distribution) but install targets. The templates for the scripts are extra distribution data, no installation (noinst). Fixes: https://pagure.io/freeipa/issue/7680 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Python scripts are now generated from templates. The scripts are marked
as nodist (no distribution) but install targets. The templates for the
scripts are extra distribution data, no installation (noinst).

Fixes: https://pagure.io/freeipa/issue/7680
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Rename Python scripts and add dynamic shebang 2018-08-23T12:49:06+00:00 Christian Heimes cheimes@redhat.com 2018-08-22T13:55:17+00:00 a347c1165073e61572993a64c00b122cb49dabe1 All Python scripts are now generated from a template with a dynamic shebang. ipatests/i18n.py is no longer an executable script with shebang. The module is not executed as script directly, but rather as $(PYTHON) ipatests/i18n.py Fixes: https://pagure.io/freeipa/issue/7680 All Python scripts are now template files with a dynamic shebang line. Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
All Python scripts are now generated from a template with a dynamic
shebang.

ipatests/i18n.py is no longer an executable script with shebang. The
module is not executed as script directly, but rather as

    $(PYTHON) ipatests/i18n.py

Fixes: https://pagure.io/freeipa/issue/7680
All Python scripts are now template files with a dynamic shebang line.

Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Have all the scripts run in python 3 by default 2018-02-15T17:43:12+00:00 Stanislav Laznicka slaznick@redhat.com 2017-08-31T08:45:31+00:00 f31797c70ac6d1fe4a651def1f87350bec16d194 The Python 3 refactoring effort is finishing, it should be safe to turn all scripts to run in Python 3 by default. https://pagure.io/freeipa/issue/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> 
The Python 3 refactoring effort is finishing, it should be safe
to turn all scripts to run in Python 3 by default.

https://pagure.io/freeipa/issue/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
wsgi, oddjob: remove needless uses of Env 2017-07-14T13:55:59+00:00 Jan Cholasta jcholast@redhat.com 2016-10-04T12:50:09+00:00 0562359f3102357310fd385c9188ea14680e5302 Do not use custom Env instance to determine the debug level to use for the IPA API object - the IPA API object can properly determine the configured debug level on its own. Reviewed-By: Martin Basti <mbasti@redhat.com> 
Do not use custom Env instance to determine the debug level to use for the
IPA API object - the IPA API object can properly determine the configured
debug level on its own.

Reviewed-By: Martin Basti <mbasti@redhat.com>
Add a new user to run the framework code 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-08-16T13:03:19+00:00 4fd89833ee5421b05c10329d627d0e0fc8496046 Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>