URL: https://github.com/freeipa/freeipa/pull/2461
Author: abbra
Title: #2461: net groupmap: force using empty config when mapping Guests
Action: opened
PR body:
"""
When we define a group mapping for BUILTIN\Guests to 'nobody' group in
we run 'net groupmap add ...' with a default /etc/samba/smb.conf which
is now configured to use ipasam passdb module. We authenticate to LDAP
with GSSAPI in ipasam passdb module initialization.
If GSSAPI authentication failed (KDC is offline, for example, during
server upgrade), 'net groupmap add' crashes after ~10 attempts to
re-authenticate. This is intended behavior in smbd/winbindd as they
cannot work anymore. However, for the command line tools there are
plenty of operations where passdb module is not needed.
Additionally, GSSAPI authentication uses the default ccache in the
environment and a key from /etc/samba/samba.keytab keytab. This means
that if you'd run 'net *' as root, it will replace whatever Kerberos
tickets you have with a TGT for cifs/`hostname` and a service ticket to
ldap/`hostname` of IPA master.
Apply a simple solution to avoid using /etc/samba/smb.conf when we
set up the group mapping by specifying '-s /dev/null' in 'net groupmap'
call.
For upgrade code this is enough as in
a678336b8b36cdbea2512e79c09e475fdc249569 we enforce use of empty
credentials cache during upgrade to prevent tripping on individual
ccaches from KEYRING: or KCM: cache collections.
Related: https://pagure.io/freeipa/issue/7705
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2461/head:pr2461
git checkout pr2461
URL: https://github.com/freeipa/freeipa/pull/2473
Author: flo-renaud
Title: #2473: [Backport][ipa-4-7] ipa-advise: update url of cacerdir_rehash tool
Action: opened
PR body:
"""
This PR was opened automatically because PR #2448 was pushed to master and backport to ipa-4-7 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2473/head:pr2473
git checkout pr2473
URL: https://github.com/freeipa/freeipa/pull/2472
Author: flo-renaud
Title: #2472: [Backport][ipa-4-6] ipa-advise: update url of cacerdir_rehash tool
Action: opened
PR body:
"""
This PR was opened automatically because PR #2448 was pushed to master and backport to ipa-4-6 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2472/head:pr2472
git checkout pr2472
URL: https://github.com/freeipa/freeipa/pull/2469
Author: t-woerner
Title: #2469: Fix C issues found by coverity and others
Action: opened
PR body:
"""
Two issues have been addressed:
Fix ressource leak in daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ipa_cldap_netlogon
The leak happens due to using strndup in a for loop to create a temporary
string without freeing it in all cases.
and
Fix ressource leak in client/config.c get_config_entry
The leak happens due to using strndup to create a temporary string without
freeing it afterwards.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2469/head:pr2469
git checkout pr2469
URL: https://github.com/freeipa/freeipa/pull/2448
Author: pvoborni
Title: #2448: ipa-advise: update url of cacerdir_rehash tool
Action: opened
PR body:
"""
On legacy systems which don't have cacerdir_rehash tool (provided by authconfig)
the generated advise script downloads this tool from project page and uses it.
After decommision of Fedorahosted and move of authconfig project to Pagure,
this url was not updated in FreeIPA project.
This patch updates the url.
https://pagure.io/freeipa/issue/7731
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2448/head:pr2448
git checkout pr2448
URL: https://github.com/freeipa/freeipa/pull/2467
Author: rcritten
Title: #2467: [Backport][ipa-4-7] Handle NTP configuration in a replica server installation
Action: opened
PR body:
"""
This PR was opened automatically because PR #2451 was pushed to master and backport to ipa-4-7 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2467/head:pr2467
git checkout pr2467
URL: https://github.com/freeipa/freeipa/pull/2451
Author: rcritten
Title: #2451: Handle NTP configuration in a replica server installation
Action: opened
PR body:
"""
There were two separate issues:
1. If not enrolling on a pre-configured client then the ntp-server and
ntp-pool options are not being passed down to the client installer
invocation.
2. If the client is already enrolled then the ntp options are ignored
altogether.
So basically reverse those. Detect the ntp options and add them to
the ipa-client-install invocation if the client is not pre-enrolled.
If it is pre-enrolled then call out to the time configuration
methods to setup the servers or pool. The changes will be recorded
in the client sysrestore.
https://pagure.io/freeipa/issue/7723
Signed-off-by: Rob Crittenden <rcritten(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/2451/head:pr2451
git checkout pr2451