freeipa.git/ipaclient, branch pwdpolicy FreeIPA patches py3: decode bytes for json.loads() 2017-01-24T12:25:47+00:00 Martin Basti mbasti@redhat.com 2017-01-12T15:20:43+00:00 18337bf7f7c31a47fe0c7280f82fca043b548bd5 In py 3.5 json.loads requires to have string as input, all bytes must be decoded. Note: python 3.6 supports bytes for json.loads() https://fedorahosted.org/freeipa/ticket/4985 Reviewed-By: Christian Heimes <cheimes@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
In py 3.5 json.loads requires to have string as input, all bytes must be
decoded.

Note: python 3.6 supports bytes for json.loads()

https://fedorahosted.org/freeipa/ticket/4985

Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
client install: correctly report all failures 2017-01-20T16:34:07+00:00 Jan Cholasta jcholast@redhat.com 2017-01-03T06:43:12+00:00 26630db9d0fb1d9c8a02840b71b3fb3e8bdf3e0d In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code was converted to use exception handling instead of return codes. However, some return statements were not converted to raise statements and as a result, ipa-client-install will report success in some error conditions. Convert the return statements to raise statements to fix the issue. https://fedorahosted.org/freeipa/ticket/6392 Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
In commit 5249eb817efbb5708d097173a8d5f1e322fb201e, the client install code
was converted to use exception handling instead of return codes. However,
some return statements were not converted to raise statements and as a
result, ipa-client-install will report success in some error conditions.

Convert the return statements to raise statements to fix the issue.

https://fedorahosted.org/freeipa/ticket/6392

Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
disable hostname canonicalization by Kerberos library 2017-01-11T15:18:24+00:00 Martin Babinsky mbabinsk@redhat.com 2017-01-09T13:36:33+00:00 566c86a782bfd7d50938866e9f89faf56cea773f By default, Kerberos client library attempts to canonicalize service hostname in TGS requests. This can fail e.g. if hosts file on the client machine references short names before FQDNs. In this case the short name is used in TGS_REQ which KDC fails to resolve. Since we do not (yet) support referencing hosts by their short names it is safe to just disable this behavior in krb5.conf and use supplied FQDNs. https://fedorahosted.org/freeipa/ticket/6584 Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Simo Sorce <ssorce@redhat.com> 
By default, Kerberos client library attempts to canonicalize service
hostname in TGS requests. This can fail e.g. if hosts file on the client
machine references short names before FQDNs. In this case the short name
is used in TGS_REQ which KDC fails to resolve.

Since we do not (yet) support referencing hosts by their short names it
is safe to just disable this behavior in krb5.conf and use supplied
FQDNs.

https://fedorahosted.org/freeipa/ticket/6584

Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Simo Sorce <ssorce@redhat.com>
ipaclient: schema cache: Handle malformed server info data gracefully 2017-01-09T08:13:36+00:00 David Kupka dkupka@redhat.com 2017-01-03T07:57:21+00:00 d15ccde20fcc97a597180255ee9f5eb38caa206c As a part of CLI schema cache some data about each previously contacted server are stored in simple JSON file. The file may get corrupted and became undecodable for various reasons (parallel access, file system error, tampering). Since the data are not necessary we should just warn an continue. https://fedorahosted.org/freeipa/ticket/6578 Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
As a part of CLI schema cache some data about each previously contacted server
are stored in simple JSON file. The file may get corrupted and became
undecodable for various reasons (parallel access, file system error,
tampering). Since the data are not necessary we should just warn an continue.

https://fedorahosted.org/freeipa/ticket/6578

Reviewed-By: Jan Cholasta <jcholast@redhat.com>
ipa_generate_password algorithm change 2017-01-06T08:26:56+00:00 Petr Spacek pspacek@redhat.com 2016-12-21T14:07:34+00:00 fb7c111ac13510609e2cba14ecf88cd2ed291a4b A change to the algorithm that generates random passwords for multiple purposes throught IPA. This spells out the need to assess password strength by the entropy it contains rather than its length. This new password generation should also be compatible with the NSS implementation of password requirements in FIPS environment so that newly created databases won't fail with wrong authentication. https://fedorahosted.org/freeipa/ticket/5695 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Petr Spacek <pspacek@redhat.com> 
A change to the algorithm that generates random passwords
for multiple purposes throught IPA. This spells out the need
to assess password strength by the entropy it contains rather
than its length.

This new password generation should also be compatible with the
NSS implementation of password requirements in FIPS environment
so that newly created databases won't fail with wrong authentication.

https://fedorahosted.org/freeipa/ticket/5695

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Petr Spacek <pspacek@redhat.com>
schema_cache: Make handling of string compatible with python3 2017-01-05T17:30:00+00:00 David Kupka dkupka@redhat.com 2016-12-14T16:19:52+00:00 388ed93935de56adbf1db976e9df276327c9a1e4 https://fedorahosted.org/freeipa/ticket/6559 Reviewed-By: Martin Basti <mbasti@redhat.com> 
https://fedorahosted.org/freeipa/ticket/6559

Reviewed-By: Martin Basti <mbasti@redhat.com>
client, platform: Use paths.SSH* instead of get_config_dir(). 2017-01-05T16:50:03+00:00 Timo Aaltonen tjaalton@debian.org 2016-12-01T12:08:58+00:00 0ff12de338a8db32bb10e1b41f32255e7b971b6f Reviewed-By: Martin Basti <mbasti@redhat.com> 
Reviewed-By: Martin Basti <mbasti@redhat.com>
Silence pylint import errors of ipaserver in ipalib and ipaclient 2017-01-05T08:50:28+00:00 Christian Heimes cheimes@redhat.com 2017-01-03T14:16:26+00:00 987d24f784e05e911bf4e87bd1156abb1dd56210 In client-only installations the ipaserver package is not available. Additional guards prevent pylint to complain about missing ipaserver package. https://fedorahosted.org/freeipa/ticket/6468 Reviewed-By: Martin Basti <mbasti@redhat.com> 
In client-only installations the ipaserver package is not available.
Additional guards prevent pylint to complain about missing ipaserver
package.

https://fedorahosted.org/freeipa/ticket/6468

Reviewed-By: Martin Basti <mbasti@redhat.com>
ipaclient.plugins: Use api_version from internally called commands 2016-12-14T10:50:35+00:00 David Kupka dkupka@redhat.com 2016-12-06T11:35:23+00:00 d841a79dc104521f736469eff7154c2f4266082b In client plugins make sure the api_version is 'inherited' from server command that is internally called. Otherwise the api_version is obtained from client API instance. When calling server command from client command 'version' is passed in options and it overrides the right one. Server then refuses to handle such call. https://fedorahosted.org/freeipa/ticket/6539 Reviewed-By: Martin Basti <mbasti@redhat.com> 
In client plugins make sure the api_version is 'inherited' from server command
that is internally called. Otherwise the api_version is obtained from client
API instance. When calling server command from client command 'version' is
passed in options and it overrides the right one. Server then refuses to handle
such call.

https://fedorahosted.org/freeipa/ticket/6539

Reviewed-By: Martin Basti <mbasti@redhat.com>
Configure Anonymous PKINIT on server install 2016-12-12T12:39:44+00:00 Simo Sorce simo@redhat.com 2016-07-26T15:19:01+00:00 ca4e6c1fdfac9b545b26f885dc4865f22ca36ae6 Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST authentication (necessary for 2FA for example) using an anonymous krbtgt obtained via Pkinit. https://fedorahosted.org/freeipa/ticket/5678 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Allow anonymous pkinit to be used so that unenrolled hosts can perform FAST
authentication (necessary for 2FA for example) using an anonymous krbtgt
obtained via Pkinit.

https://fedorahosted.org/freeipa/ticket/5678

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>