URL: https://github.com/freeipa/freeipa/pull/903
Author: felipevolpone
Title: #903: Warning the user when using a loopback IP as forwarder
Action: opened
PR body:
"""
Now, the user can pass a loopback IP in the --forwarder option.
Previously, an error would be raised; now we just show a warning message.
Fixes: https://pagure.io/freeipa/issue/5801
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/903/head:pr903
git checkout pr903
URL: https://github.com/freeipa/freeipa/pull/1027
Author: tomaskrizek
Title: #1027: prci: add external_ca test
Action: opened
PR body:
"""
Add external_ca to the PR CI test suite.
Signed-off-by: Tomas Krizek <tkrizek(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1027/head:pr1027
git checkout pr1027
URL: https://github.com/freeipa/freeipa/pull/930
Author: frasertweedale
Title: #930: install: allow specifying external CA template
Action: opened
PR body:
"""
This PR allows an admin to specify an AD-CS target certificate template
by name or OID, via the new option --external-ca-profile.
The profile may be specified by name (string) or OID + version + optional minor version.
https://pagure.io/freeipa/issue/6858
The approach is:
1. preliminary refactor to the IPAOptionParser to allow easily specifying a custom
data constructor (this is used for the data type that holds the template specifier).
2. refactor to reduce duplication of external CA type enum values.
3. the main thing:
- add data type for template specifier
- add ipa-server-install `--external-ca-profile` CLI option
- update CA installation to add the appropriate *pkispawn* config based on the template
specifier
- update *ipa-server-install* man page
4. add the `external-ca-profile` option to *ipa-ca-install* and update man page.
**NOTE FOR TESTERS**
*python-cryptography* has a bug parsing long OIDs. It is fixed as of v1.9 (f27).
AD-CS creates and uses OIDs long enough to trigger the bug as a matter of course.
Apply the following small diff to your *python-cryptography* lib to avoid the bug:
https://github.com/frasertweedale/cryptography/blob/effeb600057a93f7cb95df1…
**HOW TO TEST**
1. Install AD-CS in a Windows machine and create a custom profile by copying the *SubCA*
profile.
2. Two-step external CA ipa-server-install:
```
$ ipa-server-install \
--external-ca --external-ca-type=ms-cs \
--external-ca-profile=1.3.6.1.4.1.311.21.8.8950086.10656446.2706058.12775672.480128.147.7130143.4405632:1
```
(Use the actual OID of the custom profile). If everything works, hooray!
3. Start over with ca-less deployment. Then add CA via ``ipa-ca-install --external-ca-... # as before``.
If everything works, hooray.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/930/head:pr930
git checkout pr930
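
An added example, not FreeIPA's own code: a strict parser for the `--external-ca-profile` value that PR #930 describes (a name, or OID + version + optional minor version). The `:` separator follows the PR's sample command; the names `parse_profile_spec`, `TemplateName` and `TemplateOID`, the 32-bit bound on version numbers, and the control-character check on names are assumptions.

```python
import re
from typing import NamedTuple, Optional, Union

# Dotted-decimal OID: at least two arcs, no leading zeros, first arc 0-2.
OID_RE = re.compile(r"[0-2](\.(0|[1-9][0-9]*))+")
UINT32_MAX = 2**32 - 1  # assumed bound for template version numbers


class TemplateName(NamedTuple):
    name: str


class TemplateOID(NamedTuple):
    oid: str
    major: int
    minor: Optional[int]


def _version(text: str) -> int:
    # isdigit() alone accepts non-ASCII digits, so require ASCII as well.
    if not (text.isascii() and text.isdigit()):
        raise ValueError("version must be a decimal integer: %r" % text)
    value = int(text)
    if value > UINT32_MAX:
        raise ValueError("version out of range: %r" % text)
    return value


def parse_profile_spec(spec: str) -> Union[TemplateName, TemplateOID]:
    head, *rest = spec.split(":")
    if re.fullmatch(r"[0-9.]+", head):
        # Looks numeric: must be a complete OID:major[:minor] specifier.
        if not OID_RE.fullmatch(head):
            raise ValueError("malformed OID: %r" % head)
        if len(rest) not in (1, 2):
            raise ValueError("OID needs a major version, e.g. OID:1")
        major = _version(rest[0])
        minor = _version(rest[1]) if len(rest) == 2 else None
        return TemplateOID(head, major, minor)
    # Otherwise a template name. It ends up in installer configuration,
    # so refuse empty values and control characters such as newlines.
    if not spec or any(ord(c) < 0x20 or ord(c) == 0x7F for c in spec):
        raise ValueError("invalid template name: %r" % spec)
    return TemplateName(spec)
```

Rejecting a bare OID without a version, instead of silently treating it as a template name, keeps a mistyped specifier from being passed on to the CA installation step.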
URL: https://github.com/freeipa/freeipa/pull/894
Author: felipevolpone
Title: #894: Fixing ipa-replica-install --setup-kra if it's the first KRA in topology
Action: opened
PR body:
"""
I'm trying to fix the ticket, but I'm not quite sure of how to do it. Until now, I removed the exception and called the api in kra to install it. However, I'm getting an exception:
```
bash-4.3$ sudo python /usr/sbin/ipa-replica-install -r DOM-116.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM --setup-kra --setup-ca
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd
IPA client is already configured on this system, ignoring the --domain, --server, --realm, --hostname, --password and --keytab options.
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR Timed out trying to obtain keys.
ipa.ipapython.install.cli.install_tool(CompatServerReplicaInstall): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```
From /var/log/ipareplica-install.log:
```
2017-06-23T18:38:44Z DEBUG stderr=
2017-06-23T18:38:44Z DEBUG Destroyed connection context.ldap2_140135237350736
2017-06-23T18:38:44Z DEBUG Created connection context.ldap2_140135237350736
2017-06-23T18:38:44Z DEBUG raw: hostgroup_show(u'ipaservers', rights=True, all=True, version=u'2.228')
2017-06-23T18:38:44Z DEBUG hostgroup_show(u'ipaservers', rights=True, all=True, raw=False, version=u'2.228', no_members=False)
2017-06-23T18:38:44Z DEBUG flushing ldaps://vm-116.abc.idm.lab.eng.brq.redhat.com from SchemaCache
2017-06-23T18:38:44Z DEBUG retrieving schema for SchemaCache url=ldaps://vm-116.abc.idm.lab.eng.brq.redhat.com conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f73c6769f38>
2017-06-23T18:38:44Z DEBUG Destroyed connection context.ldap2_140135237350736
2017-06-23T18:38:44Z DEBUG Created connection context.ldap2_140135237350736
2017-06-23T18:38:44Z DEBUG flushing ldaps://vm-116.abc.idm.lab.eng.brq.redhat.com from SchemaCache
2017-06-23T18:38:44Z DEBUG retrieving schema for SchemaCache url=ldaps://vm-116.abc.idm.lab.eng.brq.redhat.com conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f73c6769c20>
2017-06-23T18:38:44Z DEBUG No IPA DNS servers, skipping forward/reverse resolution check
2017-06-23T18:38:44Z DEBUG Initializing principal host/vm-058-064.abc.idm.lab.eng.brq.redhat.com(a)DOM-116.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM using keytab /etc/krb5.keytab
2017-06-23T18:38:44Z DEBUG using ccache /tmp/krbcc9omA2g/ccache
2017-06-23T18:38:44Z DEBUG Attempt 1/1: success
2017-06-23T18:38:44Z DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2017-06-23T18:38:44Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2017-06-23T18:38:44Z INFO Waiting up to 300 seconds to see our keys appear on host: None
2017-06-23T18:38:45Z DEBUG Transient error getting keys: '{'desc': "Can't contact LDAP server"}'
2017-06-23T18:43:45Z DEBUG Destroyed connection context.ldap2_140135237350736
2017-06-23T18:43:45Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 172, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 333, in run
cfgr.run()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 366, in run
self.validate()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 375, in validate
for _nothing in self._validator():
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 636, in _configure
next(validator)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 434, in __runner
exc_handler(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 458, in _handle_validate_exception
self._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 521, in _handle_exception
self.__parent._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 518, in _handle_exception
super(ComponentBase, self)._handle_exception(exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 453, in _handle_exception
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 424, in __runner
step()
File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 421, in <lambda>
step = lambda: next(self.__gen)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
six.reraise(*exc_info)
File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
value = gen.send(prev_value)
File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
for _nothing in self._installer(self.parent):
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/__init__.py", line 613, in main
replica_promote_check(self)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 386, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 408, in decorated
func(installer)
File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1270, in promote_check
raise ScriptError(e)
2017-06-23T18:43:45Z DEBUG The ipa-replica-install command failed, exception: ScriptError: Timed out trying to obtain keys.
2017-06-23T18:43:45Z ERROR Timed out trying to obtain keys.
2017-06-23T18:43:45Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
```
There is a high chance that I'm getting the wrong path here, so if there is someone able to help me (pointing to some docs or explaining more details of it), it would be great.
Ticket https://pagure.io/freeipa/issue/7008
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/894/head:pr894
git checkout pr894
URL: https://github.com/freeipa/freeipa/pull/937
Author: felipevolpone
Title: #937: Configuring log handlers during the input parameters validation phase
Action: opened
PR body:
"""
Previously, a log handler would be configured only after all the input parameters were validated, as can be checked in `ipapython/admintool.py::AdminTool::main`. So, any call to `logger.[warning,info,error,debug]`, during that phase, doesn't work and it also raises an exception.
Now, log handlers are set up before the input parameters validation phase.
Fixes: https://pagure.io/freeipa/issue/7071
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/937/head:pr937
git checkout pr937
URL: https://github.com/freeipa/freeipa/pull/933
Author: felipevolpone
Title: #933: Checks if Directory Server is installed and running before installation
Action: opened
PR body:
"""
In cases when IPA is installed in two steps (external CA), it's necessary to check (in the second step) if Directory Server is running and if it's installed before continuing with the IPA installation.
Fixes: https://pagure.io/freeipa/issue/6611
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/933/head:pr933
git checkout pr933
URL: https://github.com/freeipa/freeipa/pull/1018
Author: flo-renaud
Title: #1018: Python3: Fix winsync replication agreement
Action: opened
PR body:
"""
When configuring a winsync replication agreement, the tool performs a search
on AD for defaultNamingContext. The entry contains the value as bytes; it
needs to be decoded otherwise subsequent calls to
DN(WIN_USER_CONTAINER, self.ad_suffix) will fail.
https://pagure.io/freeipa/issue/4985
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/1018/head:pr1018
git checkout pr1018
URL: https://github.com/freeipa/freeipa/pull/996
Author: frasertweedale
Title: #996: ipa-pki-retrieve-key: ensure we do not crash
Action: opened
PR body:
"""
If ipa-pki-retrieve-key fails for some reason (which may be a
"legitimate" reason, e.g. the server it is attempting to contact
being offline), the program terminates with an uncaught exception,
resulting in a crash report.
Catch all exceptions; if an exception gets raised, report the
traceback and exit with nonzero status.
Fixes: https://pagure.io/freeipa/issue/7115
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/996/head:pr996
git checkout pr996