[freeipa PR#5341][opened] ipa-client-install: unilaterally set dns_lookup_kdc to True
by fcami
URL: https://github.com/freeipa/freeipa/pull/5341
Author: fcami
Title: #5341: ipa-client-install: unilaterally set dns_lookup_kdc to True
Action: opened
PR body:
"""
Previously, dns_lookup_kdc was only set to True if DNS
discovery worked or if the KDC was not specified on the
command-line.
Setting dns_lookup_kdc to False would result in a hardcoded
configuration which is less reliable in the long run.
For instance, adding a trust to an Active Directory forest
after clients are enrolled would result in clients not being
able to authenticate AD users. Recycling FreeIPA servers
could prove problematic if the original hostnames are not
reused too.
Change summary:
Always set dns_lookup_kdc to True on client enrollment.
With this change, DNS SRV search will always be performed
before looking into /etc/krb5.conf realm entries.
Fixes: https://pagure.io/freeipa/issue/6523
Signed-off-by: François Cami <fcami(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5341/head:pr5341
git checkout pr5341
3 years, 4 months
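An added example, not part of the PR or of the FreeIPA code base: a small Python audit of a client's krb5.conf that flags the hardcoded configuration the PR body above describes. The sample file, realm and host names are constructed, audit_krb5_conf is a hypothetical helper, and the parser assumes the simple "key = value" and "REALM = { ... }" layout only.

```python
import re

# Constructed sample (realm and host names are made up): a client enrolled
# with the KDC pinned, i.e. the pre-change behaviour described in the PR body.
SAMPLE_KRB5_CONF = """\
[libdefaults]
  default_realm = IPA.EXAMPLE.TEST
  dns_lookup_kdc = false

[realms]
  IPA.EXAMPLE.TEST = {
    kdc = ipa1.ipa.example.test:88
    admin_server = ipa1.ipa.example.test:749
  }
"""

TRUE_VALUES = {"true", "yes", "on", "y", "t", "1"}

def audit_krb5_conf(text):
    """Hypothetical helper: return (dns_lookup_kdc, {realm: [kdc]}, findings)."""
    section = realm = None
    dns_lookup_kdc = None          # None: option not present in [libdefaults]
    kdcs = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif line == "}":
            realm = None
        else:
            key, _, value = (part.strip() for part in line.partition("="))
            if section == "libdefaults" and key == "dns_lookup_kdc":
                dns_lookup_kdc = value.lower() in TRUE_VALUES
            elif section == "realms" and value == "{":
                realm = key
                kdcs[realm] = []
            elif section == "realms" and realm and key == "kdc":
                kdcs[realm].append(value)
    findings = []
    if dns_lookup_kdc is False:
        findings.append("dns_lookup_kdc is false: no DNS SRV discovery of KDCs")
        for name, hosts in kdcs.items():
            findings.append(f"{name} depends only on hardcoded KDCs: {hosts}")
    return dns_lookup_kdc, kdcs, findings

if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE_KRB5_CONF)[2]:
        print(finding)
```

A realm that has no entry under [realms], such as a trusted Active Directory realm added after enrollment, does not appear in the returned mapping at all.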
Preparing for FreeIPA 4.9.0 release candidate
by Alexander Bokovoy
Hi,
we are close to getting the FreeIPA 4.9.0 release candidate out.
Draft release notes: https://vda.li/drafts/freeipa-4.9.0-release-notes.html
They include the differences between 4.8.10 and the current git master. Note that
since many things were backported to 4.8 in separate commits that
referenced the same FreeIPA tickets, they appear in the release notes
too even though you might have seen them in release notes for FreeIPA
4.8 releases.
Currently, in nightly tests
https://github.com/freeipa-pr-ci2/freeipa/pull/525 we have 126
successful testsuites and 6 failures, out of which four have known
failures:
- test_adtrust_install, test_cert, test_ipahealthcheck_nodns_extca_file
failure already reported in FreeIPA#8533
- test_installation_TestInstallWithCA2 failure already reported in
FreeIPA#8477
- test_webui_general failure already reported in FreeIPA#8570
- test_webui_users failure already reported in FreeIPA#8569
The latter two issues will most likely be irrelevant for the FreeIPA release
as they track a behavior change in the Fedora FAS plugin and we simply need to
install that plugin in a confined environment, to avoid overlapping with
our tests. FAS behavior is specific to the Fedora/CentOS AAA deployment and
should not be a problem for anything else; it is simply a design choice
in the FAS plugin.
This brings us down to two known and two not-yet-investigated failures.
On top of that we have a worrying behavior of the Azure CI with regard
to DNSSEC that awaits investigation.
One major part not exercised in the nightlies is the upgrade code.
My plan is to do the FreeIPA 4.9.0 release candidate this week -- I planned
to do it last week but things slipped due to various failures and
load on other projects. I think for a release candidate this state is
quite good.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
3 years, 4 months