freeipa.git/ipaplatform/redhat, branch clisesshandling FreeIPA patches tasks: run `systemctl daemon-reload` after httpd.service.d updates 2017-03-21T15:38:06+00:00 Jan Cholasta jcholast@redhat.com 2017-03-16T12:51:29+00:00 3de09709cc33f1d26f2d605bac82110fe73dde03 Run `systemctl daemon-reload` after `/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted, otherwise systemd will not merge the file into httpd.service and therefore required environment variables will not be set for httpd. This fixes authentication failures ("No valid Negotiate header in server response") due to missing `GSS_USE_PROXY=yes` in httpd environment. https://pagure.io/freeipa/issue/6773 Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> 
Run `systemctl daemon-reload` after
`/etc/systemd/system/httpd.service.d/ipa.conf` is created or deleted,
otherwise systemd will not merge the file into httpd.service and therefore
required environment variables will not be set for httpd.

This fixes authentication failures ("No valid Negotiate header in server
response") due to missing `GSS_USE_PROXY=yes` in httpd environment.

https://pagure.io/freeipa/issue/6773

Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
pylint_plugins: add forbidden import checker 2017-03-10T12:04:59+00:00 Jan Cholasta jcholast@redhat.com 2017-02-14T08:58:44+00:00 5d489ac5604ca959cfe439c0594b8739073f3cea Add new pylint AST checker plugin which implements a check for imports forbidden in IPA. Which imports are forbidden is configurable in pylintrc. Provide default forbidden import configuration and disable the check for existing forbidden imports in our code base. Reviewed-By: Martin Basti <mbasti@redhat.com> 
Add new pylint AST checker plugin which implements a check for imports
forbidden in IPA. Which imports are forbidden is configurable in pylintrc.

Provide default forbidden import configuration and disable the check for
existing forbidden imports in our code base.

Reviewed-By: Martin Basti <mbasti@redhat.com>
server install: require IPv6 stack to be enabled 2017-03-09T15:50:21+00:00 Tomas Krizek tkrizek@redhat.com 2017-03-07T12:54:41+00:00 ecb450308d0a49afffb31dda1e405ad40552e70e Add checks to install and replica install to verify IPv6 stack is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...). https://pagure.io/freeipa/issue/6608 Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com> 
Add checks to install and replica install to verify IPv6 stack
is enabled. IPv6 is required by some IPA parts (AD, conncheck, ...).

https://pagure.io/freeipa/issue/6608

Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Remove NSPRError exception from platform tasks 2017-03-01T14:58:59+00:00 Christian Heimes cheimes@redhat.com 2017-03-01T10:19:08+00:00 88fd936a761dfce099c4b03529d679256c9860d6 ipalib.x509 no longer raises NSPRError. PyCA cryptography raises ValueError for invalid certs. https://fedorahosted.org/freeipa/ticket/5695 Signed-off-by: Christian Heimes <cheimes@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
ipalib.x509 no longer raises NSPRError. PyCA cryptography raises
ValueError for invalid certs.

https://fedorahosted.org/freeipa/ticket/5695

Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
Remove non-sensical kdestroy on https stop 2017-02-22T14:50:48+00:00 Simo Sorce simo@redhat.com 2017-02-15T09:44:59+00:00 b8f304c66994ae82ea484a4e8bd057d4ccf1e6bd This kdestroy runs as root and wipes root's own ccachs ... this is totally inappropriate. Use a file ccache that ends up in the private tmp, so that if the service is restarted the file is automatically removed. https://fedorahosted.org/freeipa/ticket/6673 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Martin Babinsky <mbabinsk@redhat.com> Reviewed-By: Martin Basti <mbasti@redhat.com> Reviewed-By: Christian Heimes <cheimes@redhat.com> 
This kdestroy runs as root and wipes root's own ccachs ...
this is totally inappropriate.
Use a file ccache that ends up in the private tmp, so that if the
service is restarted the file is automatically removed.

https://fedorahosted.org/freeipa/ticket/6673

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Martin Babinsky <mbabinsk@redhat.com>
Reviewed-By: Martin Basti <mbasti@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Add a new user to run the framework code 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-08-16T13:03:19+00:00 4fd89833ee5421b05c10329d627d0e0fc8496046 Add the apache user the ipawebui group. Make the ccaches directory owned by the ipawebui group and make mod_auth_gssapi write the ccache files as r/w by the apache user and the ipawebui group. Fix tmpfiles creation ownership and permissions to allow the user to access ccaches files. The webui framework now works as a separate user than apache, so the certs used to access the dogtag instance need to be usable by this new user as well. Both apache and the webui user are in the ipawebui group, so use that. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
Add the apache user the ipawebui group.
Make the ccaches directory owned by the ipawebui group and make
mod_auth_gssapi write the ccache files as r/w by the apache user and
the ipawebui group.
Fix tmpfiles creation ownership and permissions to allow the user to
access ccaches files.
The webui framework now works as a separate user than apache, so the certs
used to access the dogtag instance need to be usable by this new user as well.
Both apache and the webui user are in the ipawebui group, so use that.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Configure HTTPD to work via Gss-Proxy 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-11-29T16:10:22+00:00 d2f5fc304f1938d23171ae330fa20b213ceed54e https://fedorahosted.org/freeipa/ticket/4189 https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
https://fedorahosted.org/freeipa/ticket/4189
https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
Generate tmpfiles config at install time 2017-02-15T06:13:37+00:00 Simo Sorce simo@redhat.com 2016-12-01T16:37:20+00:00 38c66896de1769077cd5b057133606ec5eeaf62b We do not want to generate runtime directories just because the packages are installed, but only if the server is actually setup and run. Also this will be needed later because we will create a user at install time and some tmpfiles will need to be owned by this user. As we are changing this code also rationalize the directory structure and move it from the http rundir to the ipa specific rundir. https://fedorahosted.org/freeipa/ticket/5959 Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-By: Jan Cholasta <jcholast@redhat.com> 
We do not want to generate runtime directories just because the packages
are installed, but only if the server is actually setup and run. Also this
will be needed later because we will create a user at install time and some
tmpfiles will need to be owned by this user.
As we are changing this code also rationalize the directory structure and
move it from the http rundir to the ipa specific rundir.

https://fedorahosted.org/freeipa/ticket/5959

Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Jan Cholasta <jcholast@redhat.com>
named.conf template: update API for bind 9.11 2017-02-09T15:34:53+00:00 Tomas Krizek tkrizek@redhat.com 2016-12-19T12:12:19+00:00 e8a2abd548b594e6f22f38445ee32bcaa7f27303 Use the new API for bind 9.11. Removed deprecated "serial_autoincrement" and updated the rest of configuration to conform to the new format. This only fixes new IPA installations. For existing installations, named.conf will be transformed when the new version of bind-dyndb-ldap is installed. https://fedorahosted.org/freeipa/ticket/6565 Reviewed-By: Martin Basti <mbasti@redhat.com> 
Use the new API for bind 9.11. Removed deprecated "serial_autoincrement"
and updated the rest of configuration to conform to the new format.

This only fixes new IPA installations. For existing installations,
named.conf will be transformed when the new version of bind-dyndb-ldap
is installed.

https://fedorahosted.org/freeipa/ticket/6565

Reviewed-By: Martin Basti <mbasti@redhat.com>
Fix for handling CalledProcessError in authconfig 2017-01-18T07:51:38+00:00 Abhijeet Kasurde akasurde@redhat.com 2016-10-24T05:20:03+00:00 6d52c0fe6acb09f3b8525840dfacc3f0885eac37 NIS configuration error should be hidden from user while running ipa-client-install Fixes https://fedorahosted.org/freeipa/ticket/5244 Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com> Reviewed-By: Tomas Krizek <tkrizek@redhat.com> Reviewed-By: Stanislav Laznicka <slaznick@redhat.com> 
NIS configuration error should be hidden from user
while running ipa-client-install

Fixes https://fedorahosted.org/freeipa/ticket/5244

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
Reviewed-By: Tomas Krizek <tkrizek@redhat.com>
Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>