freeipa.git/install, branch kdc-fixes FreeIPA patches Modernize number literals 2015-07-31T13:22:19+00:00 Petr Viktorin pviktori@redhat.com 2015-07-15T14:38:06+00:00 b8c46f2a32d0d8c2dc6ef0867f85f63cf076a004 Use Python-3 compatible syntax, without breaking compatibility with py 2.7 - Octals literals start with 0o to prevent confusion - The "L" at the end of large int literals is not required as they use long on Python 2 automatically. - Using 'int' instead of 'long' for small numbers is OK in all cases except strict type checking checking, e.g. type(0). https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Use Python-3 compatible syntax, without breaking compatibility with py 2.7

- Octals literals start with 0o to prevent confusion
- The "L" at the end of large int literals is not required as they use
  long on Python 2 automatically.
- Using 'int' instead of 'long' for small numbers is OK in all cases except
  strict type checking checking, e.g. type(0).

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
webui: fix regressions failed auth messages 2015-07-29T15:13:31+00:00 Petr Vobornik pvoborni@redhat.com 2015-07-28T12:01:34+00:00 66bd2094f97f277cc480d5887b79bb7b8c237b72 1. after logout, krb auth no longer shows "session expired" but correct "Authentication with Kerberos failed". 2. "The password or username you entered is incorrect." is showed on failed forms-based auth. https://fedorahosted.org/freeipa/ticket/5163 Reviewed-By: Martin Basti <mbasti@redhat.com> 
1. after logout, krb auth no longer shows "session expired" but correct
"Authentication with Kerberos failed".

2. "The password or username you entered is incorrect." is showed on
failed forms-based auth.

https://fedorahosted.org/freeipa/ticket/5163

Reviewed-By: Martin Basti <mbasti@redhat.com>
Remove ico files from Makefile 2015-07-27T14:19:49+00:00 Martin Basti mbasti@redhat.com 2015-07-27T14:06:39+00:00 2427b2c2429a0b4098ba7015eabb4a3b2c1e756e Icons were removed in a4be844809179ff0a05286606df1487d81a70022 but still persist in Makefile. This patch fixes Makefile. https://fedorahosted.org/freeipa/ticket/823 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Icons were removed in a4be844809179ff0a05286606df1487d81a70022 but still
persist in Makefile. This patch fixes Makefile.

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
webui: add Kerberos configuration instructions for Chrome 2015-07-27T11:50:49+00:00 Petr Vobornik pvoborni@redhat.com 2015-07-17T13:57:30+00:00 a4be844809179ff0a05286606df1487d81a70022 * IE section moved at the end * Chrome section added * FF and IE icons removed https://fedorahosted.org/freeipa/ticket/823 Reviewed-By: Martin Basti <mbasti@redhat.com> 
* IE section moved at the end
* Chrome section added
* FF and IE icons removed

https://fedorahosted.org/freeipa/ticket/823

Reviewed-By: Martin Basti <mbasti@redhat.com>
DNS: Consolidate DNS RR types in API and schema 2015-07-21T15:18:29+00:00 Martin Basti mbasti@redhat.com 2015-07-15T07:44:07+00:00 5ea41abe9836c94579115f9b220a8205b15d520d * Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API: These records never worked, they dont have attributes in schema. TSIG and TKEY are meta-RR should not be in LDAP TA is not supported by BIND NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be in LDAP. *! SIG, NSEC are already defined in schema, must stay in API. * Add HINFO, MINFO, MD, NXT records to API as unsupported records These records are already defined in LDAP schema * Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records These records were defined in IPA API as unsupported, but schema definition was missing. This causes that ACI cannot be created for these records and dnszone-find failed. (#5055) https://fedorahosted.org/freeipa/ticket/4934 https://fedorahosted.org/freeipa/ticket/5055 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 
* Remove NSEC3, DNSKEY, TSIG, TKEY, TA records from API:
    These records never worked, they dont have attributes in schema.
    TSIG and TKEY are meta-RR should not be in LDAP
    TA is not supported by BIND
    NSEC3, DNSKEY are DNSSEC records generated by BIND, should not be
    in LDAP.
    *! SIG, NSEC are already defined in schema, must stay in API.

* Add HINFO, MINFO, MD, NXT records to API as unsupported records
    These records are already defined in LDAP schema

* Add schema for RP, APL, IPSEC, DHCID, HIP, SPF records
    These records were defined in IPA API as unsupported, but schema definition was
    missing. This causes that ACI cannot be created for these records
    and dnszone-find failed. (#5055)

https://fedorahosted.org/freeipa/ticket/4934
https://fedorahosted.org/freeipa/ticket/5055

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand 2015-07-17T14:47:18+00:00 Martin Basti mbasti@redhat.com 2015-07-16T14:26:55+00:00 82aaa1e6d07a13429381b94ffe4b5fc562427213 --force option set replica-certify-all to 'no' during abort-clean-ruv subcommand https://fedorahosted.org/freeipa/ticket/4988 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> 
--force option set replica-certify-all to 'no' during abort-clean-ruv
subcommand

https://fedorahosted.org/freeipa/ticket/4988

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Fix minor typos 2015-07-17T12:33:30+00:00 Yuri Chornoivan yurchor@ukr.net 2015-07-03T16:14:42+00:00 75fde43491872d3e2f52e8a523af9e60486fd0e0 <ame> -> <name> overriden -> overridden ablity -> ability enties -> entries the the -> the https://fedorahosted.org/freeipa/ticket/5109 Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
<ame> -> <name>
overriden -> overridden
ablity -> ability
enties -> entries
the the -> the

https://fedorahosted.org/freeipa/ticket/5109

Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
migration: Use api.env variables. 2015-07-17T08:30:42+00:00 David Kupka dkupka@redhat.com 2015-07-16T08:15:36+00:00 e5d179b5b96bba5048a05135693acc5507d38163 Use api.env.basedn instead of anonymously accessing LDAP to get base DN. Use api.env.basedn instead of searching filesystem for ldapi socket. https://fedorahosted.org/freeipa/ticket/4953 Reviewed-By: Jan Cholasta <jcholast@redhat.com> Reviewed-By: Petr Vobornik <pvoborni@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Use api.env.basedn instead of anonymously accessing LDAP to get base DN.
Use api.env.basedn instead of searching filesystem for ldapi socket.

https://fedorahosted.org/freeipa/ticket/4953

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
webui: fix user reset password dialog 2015-07-16T13:28:38+00:00 Petr Vobornik pvoborni@redhat.com 2015-07-14T15:55:48+00:00 9083c528f75a958df062a9521729f30b65e5e551 Could not open user password dialog. regression introduced in ed78dcfa3acde7aeb1f381f49988c6911c5277ee https://fedorahosted.org/freeipa/ticket/5131 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Could not open user password dialog.

regression introduced in ed78dcfa3acde7aeb1f381f49988c6911c5277ee

https://fedorahosted.org/freeipa/ticket/5131

Reviewed-By: Martin Basti <mbasti@redhat.com>
oddjob: avoid chown keytab to sssd if sssd user does not exist 2015-07-16T11:41:08+00:00 Alexander Bokovoy abokovoy@redhat.com 2015-07-16T11:11:26+00:00 c6a1bd591e81cd82c0715c01bcc82f2947adf3bb If sssd user does not exist, it means SSSD does not run as sssd user. Currently SSSD has too tight check for keytab permissions and ownership. It assumes the keytab has to be owned by the same user it runs under and has to have 0600 permissions. ipa-getkeytab creates the file with right permissions and 'root:root' ownership. Jakub Hrozek promised to enhance SSSD keytab permissions check so that both sssd:sssd and root:root ownership is possible and then when SSSD switches to 'sssd' user, the former becomes the default. Since right now SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd' user in Fedora 22 / RHEL 7 environments, we can use its presence as a version trigger. https://fedorahosted.org/freeipa/ticket/5136 Reviewed-By: Tomas Babej <tbabej@redhat.com> 
If sssd user does not exist, it means SSSD does not run as sssd user.

Currently SSSD has too tight check for keytab permissions and ownership.
It assumes the keytab has to be owned by the same user it runs under
and has to have 0600 permissions. ipa-getkeytab creates the file with
right permissions and 'root:root' ownership.

Jakub Hrozek promised to enhance SSSD keytab permissions check so that
both sssd:sssd and root:root ownership is possible and then when SSSD
switches to 'sssd' user, the former becomes the default. Since right now
SSSD 1.13 is capable to run as 'sssd' user but doesn't create 'sssd'
user in Fedora 22 / RHEL 7 environments, we can use its presence as a
version trigger.

https://fedorahosted.org/freeipa/ticket/5136

Reviewed-By: Tomas Babej <tbabej@redhat.com>