URL: https://github.com/freeipa/freeipa/pull/5216
Author: menonsudhir
Title: #5216: ipatests: ipa-healthcheck test for DS RIPluginCheck
Action: opened
PR body:
"""
This testcase modifies the update value set on the RI Plugin to -1 and, as a result, checks
that RIPluginCheck reports a warning message
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5216/head:pr5216
git checkout pr5216
URL: https://github.com/freeipa/freeipa/pull/5219
Author: rcritten
Title: #5219: [Backport][ipa-4-8] ipatests: ipa-healthcheck test for DS BackendsCheck
Action: opened
PR body:
"""
This PR was opened automatically because PR #5214 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5219/head:pr5219
git checkout pr5219
URL: https://github.com/freeipa/freeipa/pull/5218
Author: rcritten
Title: #5218: [Backport][ipa-4-8] ipatests: ipa-healthcheck fixes for tests running on RHEL
Action: opened
PR body:
"""
This PR was opened automatically because PR #5210 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5218/head:pr5218
git checkout pr5218
URL: https://github.com/freeipa/freeipa/pull/5217
Author: rcritten
Title: #5217: [Backport][ipa-4-8] rpcserver: fallback to non-armored kinit in case of trusted domains
Action: opened
PR body:
"""
This PR was opened automatically because PR #5213 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5217/head:pr5217
git checkout pr5217
URL: https://github.com/freeipa/freeipa/pull/5215
Author: menonsudhir
Title: #5215: ipatests: ipa-healthcheck test for DS EncryptionCheck
Action: opened
PR body:
"""
This testcase checks that EncryptionCheck reports ERROR status when DS tls version is modified to TLS1.0.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5215/head:pr5215
git checkout pr5215
URL: https://github.com/freeipa/freeipa/pull/5214
Author: menonsudhir
Title: #5214: ipatests: ipa-healthcheck test for DS BackendsCheck
Action: opened
PR body:
"""
This testcase checks that the BackendsCheck reports the CRITICAL status when dse.ldif present in the
DS instance directory is renamed/moved.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5214/head:pr5214
git checkout pr5214
URL: https://github.com/freeipa/freeipa/pull/5210
Author: menonsudhir
Title: #5210: ipatests: ipa-healthcheck fixes for tests running on RHEL
Action: opened
PR body:
"""
The tests below have been failing in RHEL version 0.4 and hence the tests have been
modified:
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_owner
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_group
TestIpaHealthCheckFileCheck::test_ipa_filecheck_bad_too_restrictive
TestIpaHealthCheckFileCheck::test_ipa_filecheck_too_permissive
TestIpaHealthCheckFileCheck::test_nssdb_filecheck_bad_owner
TestIpaHealthCheckWithExternalCA::test_opensslchainvalidation_ipa_ca_cert
TestIpaHealthCheckWithExternalCA::test_nsschainvalidation_ipa_invalid_chain
TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_iparaagent
TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_iparaagent_bad_serial
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5210/head:pr5210
git checkout pr5210
URL: https://github.com/freeipa/freeipa/pull/5213
Author: abbra
Title: #5213: rpcserver: fallback to non-armored kinit in case of trusted domains
Action: opened
PR body:
"""
MIT Kerberos implements FAST negotiation as specified in RFC 6806
section 11. The implementation relies on the caller to provide a hint
whether FAST armoring must be used.
FAST armor can only be used when both client and KDC have a shared
secret. When KDC is from a trusted domain, there is no way to have a
shared secret between a generic Kerberos client and that KDC.
[MS-KILE] section 3.2.5.4 'Using FAST When the Realm Supports FAST'
allows KILE clients (Kerberos clients) to have local settings that
direct it to enforce use of FAST. This is equal to the current
implementation of 'kinit' utility in MIT Kerberos requiring to use FAST
if armor cache (option '-T') is provided.
[MS-KILE] section 3.3.5.7.4 defines a way for a computer from a
different realm to use compound identity TGS-REQ to create FAST TGS-REQ
explicitly armored with the computer's TGT. However, this method is not
available to IPA framework as we don't have access to the IPA server's
host key. In addition, 'kinit' utility does not support this method.
Active Directory has a policy to force use of FAST when client
advertises its use. Since we cannot know in advance whether a principal
to obtain initial credentials for belongs to our realm or to a trusted
one due to enterprise principal canonicalization, we have to try to
kinit. Right now we fail unconditionally if FAST couldn't be used and
libkrb5 communication with a KDC from the user realm (e.g. from a
trusted forest) causes enforcement of a FAST.
In the latter case, as we cannot use FAST anyway, try to kinit again
without advertising FAST. This works even in the situations when FAST
enforcement is enabled on Active Directory side: if client doesn't
advertise FAST capability, it is not required. Additionally, FAST cannot
be used for any practical need for a trusted domain's users yet.
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5213/head:pr5213
git checkout pr5213
URL: https://github.com/freeipa/freeipa/pull/5209
Author: abbra
Title: #5209: [Backport][ipa-4-8] ipa-kdb: support subordinate/superior UPN suffixes
Action: opened
PR body:
"""
[MS-ADTS] 6.1.6.9.3.2 requires msDS-TrustForestTrustInfo attribute of
trusted domain information in Active Directory to conform to certain rules.
One side-effect of those rules is that the list of UPN suffixes reported
through the netr_DsRGetForestTrustInformation function is dynamically
filtered to deduplicate subordinate suffixes.
It means that if list of UPN suffixes contains the following top level
names (TLNs):
  fabrikam.com
  sub.fabrikam.com
then netr_DsRGetForestTrustInformation would only return 'fabrikam.com'
as the TLN, fully filtering 'sub.fabrikam.com'.
IPA KDB driver used exact comparison of the UPN suffixes so any
subordinate had to be specified exactly.
Modify logic so that if exact check does not succeed, we validate a
realm to test being a subordinate of the known UPN suffixes. The
subordinate check is done by making sure UPN suffix is at the end of the
test realm and is immediately preceded with a dot.
Because the function to check suffixes is potentially called for every
Kerberos principal, precalculate and cache length for each UPN suffix at
the time we retrieve the list of them.
Fixes: https://pagure.io/freeipa/issue/8554
Signed-off-by: Alexander Bokovoy <abokovoy(a)redhat.com>
Reviewed-By: Rob Crittenden <rcritten(a)redhat.com>
Reviewed-By: Robbie Harwood <rharwood(a)redhat.com>
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5209/head:pr5209
git checkout pr5209
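The matching rule described in the #5209 message above, as an added example that is not the ipa-kdb code from the PR: an exact comparison first, then a subordinate check that requires the known suffix at the end of the realm immediately preceded by a dot, using lengths cached when the list is loaded. The names `upn_suffix`, `upn_suffixes_init` and `realm_matches_upn_suffix`, the case-insensitive comparison and the rejection of an empty leading label are assumptions made for this sketch.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical type: one known UPN suffix plus its cached length. */
struct upn_suffix {
    const char *name;
    size_t len;
};

/* Cache each length once, so per-principal checks never call strlen() on it. */
static void upn_suffixes_init(struct upn_suffix *s, const char **names, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        s[i].name = names[i];
        s[i].len = strlen(names[i]);
    }
}

/* True if realm equals a known suffix or is a subordinate of one. */
static bool realm_matches_upn_suffix(const char *realm,
                                     const struct upn_suffix *s, size_t n)
{
    size_t rlen = strlen(realm);

    for (size_t i = 0; i < n; i++)          /* pass 1: exact match */
        if (rlen == s[i].len && strcasecmp(realm, s[i].name) == 0)
            return true;

    for (size_t i = 0; i < n; i++) {        /* pass 2: subordinate match */
        /* Need at least one label character plus the dot before the suffix. */
        if (s[i].len == 0 || rlen <= s[i].len + 1)
            continue;
        const char *tail = realm + (rlen - s[i].len);
        /* The dot check keeps "evilfabrikam.com" from matching "fabrikam.com". */
        if (tail[-1] == '.' && strcasecmp(tail, s[i].name) == 0)
            return true;
    }
    return false;
}

int main(void)
{
    const char *names[] = { "fabrikam.com" };   /* constructed sample list */
    struct upn_suffix s[1];
    upn_suffixes_init(s, names, 1);
    printf("%d\n", realm_matches_upn_suffix("sub.fabrikam.com", s, 1));
    printf("%d\n", realm_matches_upn_suffix("evilfabrikam.com", s, 1));
    return 0;
}
```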
URL: https://github.com/freeipa/freeipa/pull/5211
Author: rcritten
Title: #5211: [Backport][ipa-4-8] Use a state to determine if a 389-ds upgrade is in progress
Action: opened
PR body:
"""
This PR was opened automatically because PR #5207 was pushed to master and backport to ipa-4-8 is required.
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5211/head:pr5211
git checkout pr5211