From bfd62d7855528519192ebe0d385fc86d9107c096 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Tue, 15 Nov 2022 01:37:31 -0500
Subject: [PATCH] import ansible-freeipa-1.8.3-1.el9

---
.ansible-freeipa.metadata | 2 +-
.gitignore | 2 +-
...ated-attributes_3c8d6c7_RHBZ#2132997.patch | 361 ------------------
...-fails-while-upda_PR877_RHBZ#2132971.patch | 38 --
...g-idstart-check_de8911a_RHBZ#2132977.patch | 54 ---
...od-to-AnsibleMod_707777_RHBZ#2132991.patch | 55 ---
...ays-generate-SIDs_PR866_RHBZ#2132971.patch | 259 -------------
...es-for-trust_type_PR808_RHBZ#2132968.patch | 79 ----
...-test-enhancement_PR810_RHBZ#2132968.patch | 298 ---------------
SPECS/ansible-freeipa.spec | 86 +++--
10 files changed, 61 insertions(+), 1173 deletions(-)
delete mode 100644 SOURCES/ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132997.patch
delete mode 100644 SOURCES/ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132971.patch
delete mode 100644 SOURCES/ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132977.patch
delete mode 100644 SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132991.patch
delete mode 100644 SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132971.patch
delete mode 100644 SOURCES/ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132968.patch
delete mode 100644 SOURCES/ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132968.patch

diff --git a/.ansible-freeipa.metadata b/.ansible-freeipa.metadata
index 5601de3..035cfbf 100644
--- a/.ansible-freeipa.metadata
+++ b/.ansible-freeipa.metadata
@@ -1 +1 @@
-7f143f7b2263b6de41c41bba9aea905d17242efb SOURCES/ansible-freeipa-1.6.3.tar.gz
+c4d984a5760e18c642703728f847fd9a8e4d2d7a SOURCES/ansible-freeipa-1.8.3.tar.gz
diff --git a/.gitignore b/.gitignore
index 408ad4f..b89a6c4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/ansible-freeipa-1.6.3.tar.gz
+SOURCES/ansible-freeipa-1.8.3.tar.gz
diff --git a/SOURCES/ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132997.patch b/SOURCES/ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132997.patch
deleted file mode 100644
index 93e7520..0000000
--- a/SOURCES/ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132997.patch
+++ /dev/null
@@ -1,361 +0,0 @@ -diff -up ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml ---- ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200 -+++ ansible-freeipa-1.6.3/playbooks/config/change-ipa-domain-netbios-name.yml 2022-10-07 17:12:51.172335899 +0200 -@@ -0,0 +1,12 @@ -+--- -+- name: Playbook to change IPA domain netbios name -+ hosts: ipaserver -+ become: no -+ gather_facts: no -+ -+ tasks: -+ - name: Set IPA domain netbios name -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ netbios_name: IPADOM -diff -up ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml ---- ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200 -+++ ansible-freeipa-1.6.3/playbooks/config/generate-users-groups-sids.yml 2022-10-07 17:12:51.172335899 +0200 -@@ -0,0 +1,12 @@ -+--- -+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs -+ hosts: ipaserver -+ become: no -+ gather_facts: no -+ -+ tasks: -+ - name: Enable SID and generate users and groups SIDS -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ add_sids: yes -diff -up ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py ---- ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/plugins/modules/ipaconfig.py 2022-10-07 17:18:43.193785596 +0200 -@@ -148,6 +148,24 @@ options: - required: false - type: list - aliases: ["ipadomainresolutionorder"] -+ enable_sid: -+ description: > -+ New users and groups automatically get a SID assigned. -+ Requires IPA 4.9.8+. 
-+ required: false -+ type: bool -+ netbios_name: -+ description: > -+ NetBIOS name of the IPA domain. -+ Requires IPA 4.9.8+ and 'enable_sid: yes'. -+ required: false -+ type: string -+ add_sids: -+ description: > -+ Add SIDs for existing users and groups. -+ Requires IPA 4.9.8+ and 'enable_sid: yes'. -+ required: false -+ type: bool - ''' - - EXAMPLES = ''' -@@ -169,6 +187,24 @@ EXAMPLES = ''' - ipaadmin_password: SomeADMINpassword - defaultshell: /bin/bash - maxusername: 64 -+ -+- name: Playbook to enable SID and generate users and groups SIDs -+ hosts: ipaserver -+ tasks: -+ - name: Enable SID and generate users and groups SIDS -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ add_sids: yes -+ -+- name: Playbook to change IPA domain netbios name -+ hosts: ipaserver -+ tasks: -+ - name: Enable SID and generate users and groups SIDS -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ netbios_name: IPADOM - ''' - - RETURN = ''' -@@ -247,6 +283,14 @@ config: - domain_resolution_order: - description: list of domains used for short name qualification - returned: always -+ enable_sid: -+ description: > -+ new users and groups automatically get a SID assigned. -+ Requires IPA 4.9.8+. -+ returned: always -+ netbios_name: -+ description: NetBIOS name of the IPA domain. Requires IPA 4.9.8+. 
-+ returned: if enable_sid is True - ''' - - -@@ -260,6 +304,28 @@ def config_show(module): - return _result["result"] - - -+def get_netbios_name(module): -+ try: -+ _result = module.ipa_command_no_name("trustconfig_show", {"all": True}) -+ except Exception: # pylint: disable=broad-except -+ return None -+ else: -+ return _result["result"]["ipantflatname"][0] -+ -+ -+def is_enable_sid(module): -+ """When 'enable-sid' is true admin user and admins group have SID set.""" -+ _result = module.ipa_command("user_show", "admin", {"all": True}) -+ sid = _result["result"].get("ipantsecurityidentifier", [""]) -+ if not sid[0].endswith("-500"): -+ return False -+ _result = module.ipa_command("group_show", "admins", {"all": True}) -+ sid = _result["result"].get("ipantsecurityidentifier", [""]) -+ if not sid[0].endswith("-512"): -+ return False -+ return True -+ -+ - def main(): - ansible_module = IPAAnsibleModule( - argument_spec=dict( -@@ -313,7 +379,10 @@ def main(): - aliases=["ipauserauthtype"]), - ca_renewal_master_server=dict(type="str", required=False), - domain_resolution_order=dict(type="list", required=False, -- aliases=["ipadomainresolutionorder"]) -+ aliases=["ipadomainresolutionorder"]), -+ enable_sid=dict(type="bool", required=False), -+ add_sids=dict(type="bool", required=False), -+ netbios_name=dict(type="str", required=False), - ), - supports_check_mode=True, - ) -@@ -344,7 +413,10 @@ def main(): - "pac_type": "ipakrbauthzdata", - "user_auth_type": "ipauserauthtype", - "ca_renewal_master_server": "ca_renewal_master_server", -- "domain_resolution_order": "ipadomainresolutionorder" -+ "domain_resolution_order": "ipadomainresolutionorder", -+ "enable_sid": "enable_sid", -+ "netbios_name": "netbios_name", -+ "add_sids": "add_sids", - } - reverse_field_map = {v: k for k, v in field_map.items()} - -@@ -392,11 +464,47 @@ def main(): - changed = False - exit_args = {} - -- # Connect to IPA API -- with ansible_module.ipa_connect(): -+ # Connect to IPA API (enable-sid 
requires context == 'client') -+ with ansible_module.ipa_connect(context="client"): -+ has_enable_sid = ansible_module.ipa_command_param_exists( -+ "config_mod", "enable_sid") - - result = config_show(ansible_module) -+ - if params: -+ netbios_name = params.get("netbios_name") -+ if netbios_name: -+ netbios_name = netbios_name.upper() -+ add_sids = params.get("add_sids") -+ enable_sid = params.get("enable_sid") -+ required_sid = any([netbios_name, add_sids]) -+ if required_sid and not enable_sid: -+ ansible_module.fail_json( -+ "'enable-sid: yes' required for 'netbios_name' " -+ "and 'add-sids'." -+ ) -+ if enable_sid: -+ if not has_enable_sid: -+ ansible_module.fail_json( -+ "This version of IPA does not support 'enable-sid'.") -+ if ( -+ netbios_name -+ and netbios_name == get_netbios_name(ansible_module) -+ ): -+ del params["netbios_name"] -+ netbios_name = None -+ if not add_sids and "add_sids" in params: -+ del params["add_sids"] -+ if ( -+ not any([netbios_name, add_sids]) -+ and is_enable_sid(ansible_module) -+ ): -+ del params["enable_sid"] -+ else: -+ for param in ["enable_sid", "netbios_name", "add_sids"]: -+ if param in params: -+ del params[params] -+ - params = { - k: v for k, v in params.items() - if k not in result or result[k] != v -@@ -441,6 +549,10 @@ def main(): - raise ValueError( - "Unexpected attribute type: %s" % arg_type) - exit_args[k] = type_map[arg_type](value) -+ # Set enable_sid -+ if has_enable_sid: -+ exit_args["enable_sid"] = is_enable_sid(ansible_module) -+ exit_args["netbios_name"] = get_netbios_name(ansible_module) - - # Done - ansible_module.exit_json(changed=changed, config=exit_args) -diff -up ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid ansible-freeipa-1.6.3/README-config.md ---- ansible-freeipa-1.6.3/README-config.md.ipaconfig_sid 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/README-config.md 2022-10-07 17:12:51.172335899 +0200 -@@ -65,6 +65,9 @@ Example playbook to read config options: - maxusername: 
64 - ``` - -+ -+Example playbook to set global configuration options: -+ - ```yaml - --- - - name: Playbook to ensure some config options are set -@@ -79,6 +82,40 @@ Example playbook to read config options: - ``` - - -+Example playbook to enable SID and generate users and groups SIDs: -+ -+```yaml -+--- -+- name: Playbook to ensure SIDs are enabled and users and groups have SIDs -+ hosts: ipaserver -+ become: no -+ gather_facts: no -+ -+ tasks: -+ - name: Enable SID and generate users and groups SIDS -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ add_sids: yes -+``` -+ -+Example playbook to change IPA domain NetBIOS name: -+ -+```yaml -+--- -+- name: Playbook to change IPA domain netbios name -+ hosts: ipaserver -+ become: no -+ gather_facts: no -+ -+ tasks: -+ - name: Set IPA domain netbios name -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ enable_sid: yes -+ netbios_name: IPADOM -+``` -+ - Variables - ========= - -@@ -111,6 +148,9 @@ Variable | Description | Required - `user_auth_type` \| `ipauserauthtype` | set default types of supported user authentication (choices: `password`, `radius`, `otp`, `disabled`). Use `""` to clear this variable. | no - `domain_resolution_order` \| `ipadomainresolutionorder` | Set list of domains used for short name qualification | no - `ca_renewal_master_server` \| `ipacarenewalmasterserver`| Renewal master for IPA certificate authority. | no -+`enable_sid` | New users and groups automatically get a SID assigned. Requires IPA 4.9.8+. (bool) | no -+`netbios_name` | NetBIOS name of the IPA domain. Requires IPA 4.9.8+ and 'enable_sid: yes'. | no -+`add_sids` | Add SIDs for existing users and groups. Requires IPA 4.9.8+ and 'enable_sid: yes'. 
(bool) | no - - - Return Values -@@ -140,6 +180,8 @@ Variable | Description | Returned When -   | `user_auth_type` |   -   | `domain_resolution_order` |   -   | `ca_renewal_master_server` |   -+  | `enable_sid` |   -+  | `netbios_name` |   - - All returned fields take the same form as their namesake input parameters - -diff -up ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid ansible-freeipa-1.6.3/tests/config/test_config_sid.yml ---- ansible-freeipa-1.6.3/tests/config/test_config_sid.yml.ipaconfig_sid 2022-10-07 17:12:51.172335899 +0200 -+++ ansible-freeipa-1.6.3/tests/config/test_config_sid.yml 2022-10-07 17:12:51.172335899 +0200 -@@ -0,0 +1,70 @@ -+--- -+- name: Test config -+ hosts: "{{ ipa_test_host | default('ipaserver') }}" -+ become: no -+ gather_facts: no -+ -+ tasks: -+ -+ # GET CURRENT CONFIG -+ -+ - name: Return current values of the global configuration options -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ register: previous -+ -+ # TESTS -+ - block: -+ - name: Ensure SID is enabled. -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ register: result -+ failed_when: result.failed or previous.config.enable_sid == result.changed -+ -+ - name: Ensure SID is enabled, again. 
-+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ register: result -+ failed_when: result.failed or result.changed -+ -+ - name: Ensure netbios_name is "IPATESTPLAY" -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ netbios_name: IPATESTPLAY -+ register: result -+ failed_when: result.failed or not result.changed -+ -+ - name: Ensure netbios_name is "IPATESTPLAY", again -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ netbios_name: IPATESTPLAY -+ register: result -+ failed_when: result.failed or result.changed -+ -+ # add_sids is not idempotent as it always tries to generate the missing -+ # SIDs for users and groups. -+ - name: Add SIDs to users and groups. -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ enable_sid: yes -+ add_sids: yes -+ -+ # REVERT TO PREVIOUS CONFIG -+ always: -+ # Once SID is enabled, it cannot be reverted. -+ - name: Revert netbios_name to original configuration -+ ipaconfig: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ netbios_name: "{{ previous.config.netbios_name | default(omit) }}" -+ enable_sid: yes diff --git a/SOURCES/ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132971.patch b/SOURCES/ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132971.patch deleted file mode 100644 index 96e323f..0000000 --- a/SOURCES/ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132971.patch +++ /dev/null 
@@ -1,38 +0,0 @@
-From 641c550cc3650c6d0aa95f52b422089f64e7fb6a Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Mon, 15 Aug 2022 16:00:06 +0200
-Subject: [PATCH] ipareplica: ipareplica_setup_adtrust fails while updating
- ipaNTFlatName
-
-The internal parameter sid_generation_always is generated in
-ipareplica_test to enable SID generation if ipareplica_setup_adtrust is
-not enabled.
-
-This parameter was not used for ipareplica_prepare though, therefore
-adtrust.install_check was not executed and did not set the attribute
-adtrust.netbios_name. As a result adtrust.netbios_name was None and the
-try to use this as the new NetBIOS domain name failed with an
-INVALID_SYNTAX error in adtrustinstance while executing
-ipareplica_setup_adtrust.
-
-This issue only occurs if SIDs are not enabled in the domain yet for
-example with an old deployment.
----
- roles/ipareplica/tasks/install.yml | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/roles/ipareplica/tasks/install.yml b/roles/ipareplica/tasks/install.yml
-index 0e5f840..7413884 100644
---- a/roles/ipareplica/tasks/install.yml
-+++ b/roles/ipareplica/tasks/install.yml
-@@ -201,6 +201,7 @@
- ### additional ###
- server: "{{ result_ipareplica_test.server }}"
- skip_conncheck: "{{ ipareplica_skip_conncheck }}"
-+ sid_generation_always: "{{ result_ipareplica_test.sid_generation_always }}"
- register: result_ipareplica_prepare
-
- - name: Install - Add to ipaservers
---
-2.37.3
-
diff --git a/SOURCES/ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132977.patch b/SOURCES/ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132977.patch
deleted file mode 100644
index 329e338..0000000
--- a/SOURCES/ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132977.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.idstart_heck ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py
---- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.idstart_heck 2022-10-07 17:06:41.915918624 +0200
-+++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py 2022-10-07 17:09:55.228613556 +0200
-@@ -226,7 +226,8 @@ from ansible.module_utils.ansible_ipa_se
- read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance,
- check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError,
- validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION,
-- encode_certificate, check_available_memory, adtrustinstance
-+ encode_certificate, check_available_memory, adtrustinstance,
-+ get_min_idstart
- )
- from ansible.module_utils import six
-
-@@ -580,6 +581,16 @@ def main():
- "'--ignore-topology-disconnect/--ignore-last-of-role' "
- "options can be used only during uninstallation")
-
-+ if get_min_idstart is not None:
-+ min_idstart = get_min_idstart()
-+ if self.idstart < min_idstart:
-+ raise RuntimeError(
-+ "idstart (%i) must be larger than UID_MAX/GID_MAX "
-+ "(%i) setting in /etc/login.defs." % (
-+ self.idstart, min_idstart
-+ )
-+ )
-+
- if self.idmax < self.idstart:
- raise RuntimeError(
- "idmax (%s) cannot be smaller than idstart (%s)" %
-diff -up ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py.idstart_heck ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py
---- ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py.idstart_heck 2022-01-27 14:05:04.000000000 +0100
-+++ ansible-freeipa-1.6.3/roles/ipaserver/module_utils/ansible_ipa_server.py 2022-10-07 17:07:35.907833419 +0200
-@@ -41,7 +41,7 @@ __all__ = ["IPAChangeConf", "certmonger"
- "adtrustinstance", "IPAAPI_USER", "sync_time", "PKIIniLoader",
- "default_subject_base", "default_ca_subject_dn",
- "check_ldap_conf", "encode_certificate", "decode_certificate",
-- "check_available_memory"]
-+ "check_available_memory", "get_min_idstart"]
-
- import sys
-
-@@ -178,6 +178,11 @@ else:
- from ipalib.x509 import load_certificate
- load_pem_x509_certificate = None
-
-+ try:
-+ from ipaserver.install.server.install import get_min_idstart
-+ except ImportError:
-+ get_min_idstart = None
-+
- else:
- # IPA version < 4.5
-
diff --git a/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132991.patch b/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132991.patch
deleted file mode 100644
index c951d94..0000000
--- a/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132991.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From 7077776de3432a321298df13076ea0cc59bc35b1 Mon Sep 17 00:00:00 2001
-From: Thomas Woerner
-Date: Mon, 5 Sep 2022 13:16:26 +0200
-Subject: [PATCH] ipaserver/ipareplica: Add isatty method to AnsibleModuleLog
-
-In some cases ipa code is using sys.stdout.isatty. As stdout is mapped
-to AnsibleModuleLog this call will lead in a traceback as it was not
-defined.
-
-The staticmethod isatty has been added to AnsibleModuleLog in ipaserver
-role module_utils/ansible_ipa_server.py and in ipareplica role
-module_utils/ansible_ipa_repica.py.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2120415
- ansible-freeipa Replica Install Setup DNS fails
-Fixes: #251 - 'AnsibleModuleLog' object has no attribute 'isatty'
-Fixes: #117 - 'AnsibleModuleLog' object has no attribute 'isatty'
----
- roles/ipareplica/module_utils/ansible_ipa_replica.py | 4 ++++
- roles/ipaserver/module_utils/ansible_ipa_server.py | 4 ++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/roles/ipareplica/module_utils/ansible_ipa_replica.py b/roles/ipareplica/module_utils/ansible_ipa_replica.py
-index 0e4e738..27ee13d 100644
---- a/roles/ipareplica/module_utils/ansible_ipa_replica.py
-+++ b/roles/ipareplica/module_utils/ansible_ipa_replica.py
-@@ -222,6 +222,10 @@ else:
- def info(self, msg):
- self.module.debug(msg)
-
-+ @staticmethod
-+ def isatty():
-+ return False
-+
- def write(self, msg):
- self.module.debug(msg)
- # self.module.warn(msg)
-diff --git a/roles/ipaserver/module_utils/ansible_ipa_server.py b/roles/ipaserver/module_utils/ansible_ipa_server.py
-index 5b1c4e5..8e7be0b 100644
---- a/roles/ipaserver/module_utils/ansible_ipa_server.py
-+++ b/roles/ipaserver/module_utils/ansible_ipa_server.py
-@@ -255,6 +255,10 @@ else:
- def info(self, msg):
- self.module.debug(msg)
-
-+ @staticmethod
-+ def isatty():
-+ return False
-+
- def write(self, msg):
- self.module.debug(msg)
- # self.module.warn(msg)
---
-2.37.3
-
diff --git a/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132971.patch b/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132971.patch
deleted file mode 100644
index 50f7fbc..0000000
--- a/SOURCES/ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132971.patch
+++ /dev/null
@@ -1,259 +0,0 @@ -diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py ---- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_prepare.py 2022-10-07 16:51:35.750411448 +0200 -@@ -182,6 +182,9 @@ options: - skip_conncheck: - description: Skip connection check to remote master - required: yes -+ sid_generation_always: -+ description: Enable SID generation always -+ required: yes - author: - - Thomas Woerner - ''' -@@ -275,6 +278,8 @@ def main(): - # additional - server=dict(required=True), - skip_conncheck=dict(required=False, type='bool'), -+ sid_generation_always=dict(required=False, type='bool', -+ default=False), - ), - supports_check_mode=True, - ) -@@ -350,6 +355,7 @@ def main(): - # '_hostname_overridden') - options.server = ansible_module.params.get('server') - options.skip_conncheck = ansible_module.params.get('skip_conncheck') -+ sid_generation_always = ansible_module.params.get('sid_generation_always') - - # init # - -@@ -755,7 +761,7 @@ def main(): - - ansible_log.debug("-- CHECK ADTRUST --") - -- if options.setup_adtrust: -+ if options.setup_adtrust or sid_generation_always: - adtrust.install_check(False, options, remote_api) - - except errors.ACIError: -diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py ---- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py.always_sids 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_setup_adtrust.py 2022-10-07 16:44:59.008094369 +0200 -@@ -71,6 +71,9 @@ options: - setup_ca: - description: Configure a dogtag CA - required: no -+ setup_adtrust: -+ description: Configure AD trust capability -+ 
required: yes - config_master_host_name: - description: The config master_host_name setting - required: no -@@ -112,6 +115,7 @@ def main(): - ccache=dict(required=True), - _top_dir=dict(required=True), - setup_ca=dict(required=True, type='bool'), -+ setup_adtrust=dict(required=True, type='bool'), - config_master_host_name=dict(required=True), - ), - supports_check_mode=True, -@@ -140,6 +144,7 @@ def main(): - os.environ['KRB5CCNAME'] = ccache - options._top_dir = ansible_module.params.get('_top_dir') - options.setup_ca = ansible_module.params.get('setup_ca') -+ options.setup_adtrust = ansible_module.params.get('setup_adtrust') - config_master_host_name = ansible_module.params.get( - 'config_master_host_name') - adtrust.netbios_name = ansible_module.params.get('adtrust_netbios_name') -diff -up ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py ---- ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/roles/ipareplica/library/ipareplica_test.py 2022-10-07 16:50:45.621497736 +0200 -@@ -144,7 +144,7 @@ from ansible.module_utils.ansible_ipa_re - ansible_module_get_parsed_ip_addresses, service, - redirect_stdout, create_ipa_conf, ipautil, - x509, validate_domain_name, common_check, -- IPA_PYTHON_VERSION -+ IPA_PYTHON_VERSION, adtrustinstance - ) - - -@@ -271,6 +271,14 @@ def main(): - # # options.setup_adtrust = False - # # ansible_module.warn(msg="adtrust is not supported, disabling") - -+ sid_generation_always = False -+ if not options.setup_adtrust: -+ # pylint: disable=deprecated-method -+ argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__) -+ # pylint: enable=deprecated-method -+ if "fulltrust" in argspec.args: -+ sid_generation_always = True -+ - # if options.setup_kra and not kra_imported: - # # if "kra" not in options._allow_missing: - # 
ansible_module.fail_json(msg="kra can not be imported") -@@ -472,6 +480,7 @@ def main(): - # additional - client_enrolled=client_enrolled, - change_master_for_certmonger=change_master_for_certmonger, -+ sid_generation_always=sid_generation_always - ) - - -diff -up ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py ---- ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py.always_sids 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/roles/ipareplica/module_utils/ansible_ipa_replica.py 2022-10-07 16:54:27.707115487 +0200 -@@ -46,7 +46,8 @@ __all__ = ["contextlib", "dnsexception", - "common_check", "current_domain_level", - "check_domain_level_is_supported", "promotion_check_ipa_domain", - "SSSDConfig", "CalledProcessError", "timeconf", "ntpinstance", -- "dnsname", "kernel_keyring", "krbinstance"] -+ "dnsname", "kernel_keyring", "krbinstance", -+ "adtrustinstance"] - - import sys - -@@ -105,6 +106,7 @@ else: - adtrust, bindinstance, ca, certs, dns, dsinstance, httpinstance, - installutils, kra, krbinstance, - otpdinstance, custodiainstance, service, upgradeinstance) -+ from ipaserver.install import adtrustinstance - try: - from ipaserver.masters import ( - find_providing_servers, find_providing_server) -diff -up ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml ---- ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/roles/ipareplica/tasks/install.yml 2022-10-07 16:44:59.008094369 +0200 -@@ -748,13 +748,15 @@ - ccache: "{{ result_ipareplica_prepare.ccache }}" - _top_dir: "{{ result_ipareplica_prepare._top_dir }}" - setup_ca: "{{ result_ipareplica_prepare.config_setup_ca }}" -+ setup_adtrust: "{{ result_ipareplica_test.setup_adtrust }}" - config_master_host_name: - "{{ 
result_ipareplica_prepare.config_master_host_name }}" - adtrust_netbios_name: - "{{ result_ipareplica_prepare.adtrust_netbios_name }}" - adtrust_reset_netbios_name: - "{{ result_ipareplica_prepare.adtrust_reset_netbios_name }}" -- when: result_ipareplica_test.setup_adtrust -+ when: result_ipareplica_test.setup_adtrust or -+ result_ipareplica_test.sid_generation_always - - - name: Install - Enable IPA - ipareplica_enable_ipa: -diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py ---- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py.always_sids 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_prepare.py 2022-10-07 16:47:45.005808635 +0200 -@@ -141,6 +141,9 @@ options: - setup_ca: - description: Configure a dogtag CA - required: yes -+ sid_generation_always: -+ description: Enable SID generation always -+ required: yes - _hostname_overridden: - description: The installer _hostname_overridden setting - required: yes -@@ -213,6 +216,8 @@ def main(): - - # additional - setup_ca=dict(required=False, type='bool', default=False), -+ sid_generation_always=dict(required=False, type='bool', -+ default=False), - _hostname_overridden=dict(required=False, type='bool', - default=False), - ), -@@ -279,6 +284,7 @@ def main(): - options.setup_ca = ansible_module.params.get('setup_ca') - options._host_name_overridden = ansible_module.params.get( - '_hostname_overridden') -+ sid_generation_always = ansible_module.params.get('sid_generation_always') - options.kasp_db_file = None - - # init ################################################################## -@@ -371,7 +377,7 @@ def main(): - logger.debug('Starting Directory Server') - services.knownservices.dirsrv.start(instance_name) - -- if options.setup_adtrust: -+ if options.setup_adtrust or sid_generation_always: - with redirect_stdout(ansible_log): - 
adtrust.install_check(False, options, api) - -diff -up ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py ---- ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py.always_sids 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/roles/ipaserver/library/ipaserver_test.py 2022-10-07 16:46:12.413968014 +0200 -@@ -226,7 +226,7 @@ from ansible.module_utils.ansible_ipa_se - read_cache, ca, tasks, check_ldap_conf, timeconf, httpinstance, - check_dirsrv, ScriptError, get_fqdn, verify_fqdn, BadHostError, - validate_domain_name, load_pkcs12, IPA_PYTHON_VERSION, -- encode_certificate, check_available_memory -+ encode_certificate, check_available_memory, adtrustinstance - ) - from ansible.module_utils import six - -@@ -395,12 +395,16 @@ def main(): - - # version specific ###################################################### - -- if options.setup_adtrust and not adtrust_imported: -- # if "adtrust" not in options._allow_missing: -- ansible_module.fail_json(msg="adtrust can not be imported") -- # else: -- # options.setup_adtrust = False -- # ansible_module.warn(msg="adtrust is not supported, disabling") -+ sid_generation_always = False -+ if not options.setup_adtrust: -+ # pylint: disable=deprecated-method -+ argspec = inspect.getargspec(adtrustinstance.ADTRUSTInstance.__init__) -+ # pylint: enable=deprecated-method -+ if "fulltrust" in argspec.args: -+ sid_generation_always = True -+ else: -+ if not adtrust_imported: -+ ansible_module.fail_json(msg="adtrust can not be imported") - - if options.setup_kra and not kra_imported: - # if "kra" not in options._allow_missing: -@@ -522,7 +526,8 @@ def main(): - "You cannot specify an --enable-compat option without the " - "--setup-adtrust option") - -- if self.netbios_name: -+ # Deactivate test for new IPA SID generation -+ if self.netbios_name and not sid_generation_always: - raise RuntimeError( - "You cannot specify a 
--netbios-name option without the " - "--setup-adtrust option") -@@ -1079,7 +1084,8 @@ def main(): - ntp_pool=options.ntp_pool, - # additional - _installation_cleanup=_installation_cleanup, -- domainlevel=options.domainlevel) -+ domainlevel=options.domainlevel, -+ sid_generation_always=sid_generation_always) - - - if __name__ == '__main__': -diff -up ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml ---- ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml.always_sids 2022-01-27 14:05:04.000000000 +0100 -+++ ansible-freeipa-1.6.3/roles/ipaserver/tasks/install.yml 2022-10-07 16:48:36.946719227 +0200 -@@ -191,6 +191,7 @@ - secondary_rid_base: "{{ ipaserver_secondary_rid_base | default(omit) }}" - ### additional ### - setup_ca: "{{ result_ipaserver_test.setup_ca }}" -+ sid_generation_always: "{{ result_ipaserver_test.sid_generation_always }}" - _hostname_overridden: "{{ result_ipaserver_test._hostname_overridden }}" - register: result_ipaserver_prepare - -@@ -392,7 +393,8 @@ - adtrust_netbios_name: "{{ result_ipaserver_prepare.adtrust_netbios_name }}" - adtrust_reset_netbios_name: - "{{ result_ipaserver_prepare.adtrust_reset_netbios_name }}" -- when: result_ipaserver_test.setup_adtrust -+ when: result_ipaserver_test.setup_adtrust or -+ result_ipaserver_test.sid_generation_always - - - name: Install - Set DS password - ipaserver_set_ds_password: diff --git a/SOURCES/ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132968.patch b/SOURCES/ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132968.patch deleted file mode 100644 index 76f4e0f..0000000 --- a/SOURCES/ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132968.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -From 6124dc0cf1a7653f11e88d80290aeb231e486cab Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Tue, 26 Apr 2022 11:11:12 -0300 -Subject: [PATCH] ipatrust: Updated ipatrust documentation. - -This patch updates the ipatrust documentation about the 'trust_type' -parameter, and changes one password to be similar to the standard -passwords used in other modules. ---- - README-trust.md | 1 + - plugins/modules/ipatrust.py | 5 +++-- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/README-trust.md b/README-trust.md -index ef04f6c..efa69c7 100644 ---- a/README-trust.md -+++ b/README-trust.md -@@ -105,6 +105,7 @@ Variable | Description | Required - `password` | Active Directory domain administrator's password string. | no - `server` | Domain controller for the Active Directory domain string. | no - `trust_secret` | Shared secret for the trust string. | no -+`trust_type` | Trust type. Currently, only 'ad' for Active Directory is supported. | no - `base_id` | First posix id for the trusted domain integer. | no - `range_size` | Size of the ID range reserved for the trusted domain integer. | no - `range_type` | Type of trusted domain ID range, It can be one of `ipa-ad-trust` or `ipa-ad-trust-posix`and defaults to `ipa-ad-trust`. | no -diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py -index 0c7aac5..d94ec94 100644 ---- a/plugins/modules/ipatrust.py -+++ b/plugins/modules/ipatrust.py -@@ -44,7 +44,8 @@ options: - description: - - Trust type (ad for Active Directory, default) - default: ad -- required: true -+ required: false -+ choices: ["ad"] - admin: - description: - - Active Directory domain administrator -@@ -103,7 +104,7 @@ EXAMPLES = """ - realm: ad.example.test - trust_type: ad - admin: Administrator -- password: Welcome2020! 
-+ password: SomeW1Npassword - state: present - - # delete ad-trust --- -2.37.3 - -From 423a6b0e12e87adb86cd76095a7b260d19ab4959 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Tue, 12 Apr 2022 18:47:20 -0300 -Subject: [PATCH] ipatrust: Set valid choices for trust_type. - -Ensure only valid choices for trust_type ('ad') are available for the -module parameter. ---- - plugins/modules/ipatrust.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py -index 6251ecc..0c7aac5 100644 ---- a/plugins/modules/ipatrust.py -+++ b/plugins/modules/ipatrust.py -@@ -190,7 +190,8 @@ def main(): - state=dict(type="str", default="present", - choices=["present", "absent"]), - # present -- trust_type=dict(type="str", default="ad", required=False), -+ trust_type=dict(type="str", default="ad", required=False, -+ choices=["ad"]), - admin=dict(type="str", default=None, required=False), - password=dict(type="str", default=None, - required=False, no_log=True), --- -2.37.3 - diff --git a/SOURCES/ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132968.patch b/SOURCES/ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132968.patch deleted file mode 100644 index b7d804d..0000000 --- a/SOURCES/ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132968.patch +++ /dev/null 
@@ -1,298 +0,0 @@ -From 766cf5a285aa24d1ca8058a90605ca03d04f14f5 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Wed, 13 Apr 2022 08:12:26 -0300 -Subject: [PATCH] ipatrust: Fix support for `range_type`. - -The ipatrust module was ignoring the value of `range_type`, which is -required to allow for different types of idranges. ---- - plugins/modules/ipatrust.py | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/plugins/modules/ipatrust.py b/plugins/modules/ipatrust.py -index 6251ecc..40b61b5 100644 ---- a/plugins/modules/ipatrust.py -+++ b/plugins/modules/ipatrust.py -@@ -157,7 +157,7 @@ def add_trust(module, realm, args): - - - def gen_args(trust_type, admin, password, server, trust_secret, base_id, -- range_size, _range_type, two_way, external): -+ range_size, range_type, two_way, external): - _args = {} - if trust_type is not None: - _args["trust_type"] = trust_type -@@ -173,6 +173,8 @@ def gen_args(trust_type, admin, password, server, trust_secret, base_id, - _args["base_id"] = base_id - if range_size is not None: - _args["range_size"] = range_size -+ if range_type is not None: -+ _args["range_type"] = range_type - if two_way is not None: - _args["bidirectional"] = two_way - if external is not None: --- -2.37.3 - -From 3ea452ef6fa25798211623806a862aa4b9e70815 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Wed, 30 Mar 2022 14:22:15 -0300 -Subject: [PATCH] tests/trust: Improved test coverage and execution. - -This patch applies several changes to the ipatrust test playbook: - -* Add externally defined parameters so execution in local trust - environments can be configured. 
The available parameters are: - * winserver_admin_password: the Administrator password for the AD - server (default: 'SomeW1Npassword') - * winserver_domain: the AD server domain (default: 'windows.local') - * winserver realm: the AD server realm (by default, the uppercase - version of winserver_domain) - * ipaserver_domain: the FreeIPA server domain (default: 'ipa.test') - * ipaserver_realm: the FreeIPA server realm (by default, the - uppercase version of ipaserver_domain - -* Modify trust verification to check for the existence of the trust as - it the output of `ipa trust-find`, instead of cheking for the number - of items returned, as the number might vary. - -* Add idempotency tests by re-executing tasks and verifying that no - change was performed. - -* Added tests to verify creation of trusts with different 'range_type'. - -* Use a Kerberos cache for shell scripts, and destroy it on exit. - -* Properly remove all `idrange` that might be created upon setting up a - trust. ---- - tests/trust/test_trust.yml | 161 +++++++++++++++++++++++++++++++------ - 1 file changed, 137 insertions(+), 24 deletions(-) - -diff --git a/tests/trust/test_trust.yml b/tests/trust/test_trust.yml -index e4ecdf5..5d1280d 100644 ---- a/tests/trust/test_trust.yml -+++ b/tests/trust/test_trust.yml -@@ -1,55 +1,168 @@ - --- --- name: find trust -+- name: Test ipatrust - hosts: "{{ ipa_test_host | default('ipaserver') }}" - become: true - gather_facts: false - -+ vars: -+ adserver: -+ domain: "{{ winserver_domain | default('windows.local')}}" -+ realm: "{{ winserver_realm | default(winserver_domain) | default('windows.local') | upper }}" -+ password: "{{ winserver_admin_password | default('SomeW1Npassword') }}" -+ ipaserver: -+ domain: "{{ ipaserver_domain | default('ipa.test')}}" -+ realm: "{{ ipaserver_realm | default(ipaserver_domain) | default('ipa.test') | upper }}" -+ trust_exists: 'Realm name: {{ adserver.domain }}' -+ ad_range_exists: 'Range name: {{ adserver.realm }}_id_range' -+ 
ipa_range_exists: 'Range name: {{ ipaserver.realm }}_subid_range' -+ - tasks: - - - block: - -- - name: delete trust -+ - name: Delete test trust - ipatrust: - ipaadmin_password: SomeADMINpassword - ipaapi_context: "{{ ipa_context | default(omit) }}" -- realm: windows.local -+ realm: "{{ adserver.domain }}" - state: absent -- register: del_trust - -- - name: check for trust -+ - name: Clear test idranges - shell: | -- echo 'SomeADMINpassword' | kinit admin -- ipa trust-find windows.local -- register: check_find_trust -- failed_when: "'0 trusts matched' not in check_find_trust.stdout" -+ kinit -c test_krb5_cache admin <<< SomeADMINpassword -+ ipa idrange-del {{ adserver.realm }}_id_range || true -+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true -+ kdestroy -c test_krb5_cache -q -A - -- - name: delete id range -+ - name: Add trust with range_type 'ipa-ad-trust' -+ ipatrust: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ realm: "{{ adserver.domain }}" -+ admin: Administrator -+ trust_type: ad -+ range_type: ipa-ad-trust -+ password: "{{ adserver.password }}" -+ state: present -+ register: result -+ failed_when: result.failed or not result.changed -+ -+ - name: check if 'ipa-ad-trust' trust exists - shell: | - echo 'SomeADMINpassword' | kinit admin -- ipa idrange-del WINDOWS.LOCAL_id_range -- when: del_trust['changed'] | bool -+ ipa trust-find -+ kdestroy -c test_krb5_cache -q -A -+ register: check_add_trust -+ failed_when: "trust_exists not in check_add_trust.stdout" - -- - name: check for range -+ - name: Add trust with range_type 'ipa-ad-trust', again -+ ipatrust: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ realm: "{{ adserver.domain }}" -+ admin: Administrator -+ range_type: ipa-ad-trust -+ password: "{{ adserver.password }}" -+ state: present -+ register: result -+ failed_when: result.failed or result.changed -+ -+ - name: Delete 'ipa-ad-trust' trust 
-+ ipatrust: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ realm: "{{ adserver.domain }}" -+ state: absent -+ register: result -+ failed_when: result.failed or not result.changed -+ -+ - name: Check if 'ipa-ad-trust' trust was removed - shell: | -- echo 'SomeADMINpassword' | kinit admin -- ipa idrange-find WINDOWS.LOCAL_id_range -- register: check_del_idrange -- failed_when: "'0 ranges matched' not in check_del_idrange.stdout" -+ kinit -c test_krb5_cache admin <<< SomeADMINpassword -+ ipa trust-find -+ kdestroy -c test_krb5_cache -q -A -+ register: check_add_trust -+ failed_when: "trust_exists in check_add_trust.stdout" -+ -+ - name: Delete 'ipa-ad-trust' trust, again -+ ipatrust: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ realm: "{{ adserver.domain }}" -+ state: absent -+ register: result -+ failed_when: result.failed or result.changed -+ -+ - name: Clear test idranges -+ shell: | -+ kinit -c test_krb5_cache admin <<< SomeADMINpassword -+ ipa idrange-del {{ adserver.realm }}_id_range || true -+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true -+ kdestroy -c test_krb5_cache -q -A - -- - name: add trust -+ - name: Add trust with range_type 'ipa-ad-trust-posix' - ipatrust: - ipaadmin_password: SomeADMINpassword - ipaapi_context: "{{ ipa_context | default(omit) }}" -- realm: windows.local -+ realm: "{{ adserver.domain }}" - admin: Administrator -- password: secret_ad_pw -+ range_type: ipa-ad-trust-posix -+ password: "{{ adserver.password }}" - state: present -+ register: result -+ failed_when: result.failed or not result.changed - -- - name: check for trust -+ - name: Check if 'ipa-ad-trust-posix' trust exists - shell: | -- echo 'SomeADMINpassword' | kinit admin -- ipa trust-find windows.local -+ kinit -c test_krb5_cache admin <<< SomeADMINpassword -+ ipa trust-find -+ kdestroy -c test_krb5_cache -q -A - register: check_add_trust -- failed_when: "'1 
trust matched' not in check_add_trust.stdout" -+ failed_when: "trust_exists not in check_add_trust.stdout" -+ -+ - name: Add trust with range_type 'ipa-ad-trust-posix', again -+ ipatrust: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ realm: "{{ adserver.domain }}" -+ admin: Administrator -+ range_type: ipa-ad-trust-posix -+ password: "{{ adserver.password }}" -+ state: present -+ register: result -+ failed_when: result.failed or result.changed -+ -+ - name: Delete 'ipa-ad-trust-posix' trust -+ ipatrust: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ realm: "{{ adserver.domain }}" -+ state: absent -+ register: result -+ failed_when: result.failed or not result.changed -+ -+ - name: Check if trust 'ipa-ad-trust-posix' was removed -+ shell: | -+ kinit -c test_krb5_cache admin <<< SomeADMINpassword -+ ipa trust-find -+ kdestroy -c test_krb5_cache -q -A -+ register: check_del_trust -+ failed_when: "trust_exists in check_del_trust.stdout" -+ -+ - name: Delete 'ipa-ad-trust-posix' trust, again -+ ipatrust: -+ ipaadmin_password: SomeADMINpassword -+ ipaapi_context: "{{ ipa_context | default(omit) }}" -+ realm: "{{ adserver.domain }}" -+ state: absent -+ register: result -+ failed_when: result.failed or result.changed -+ -+ - name: Clear test idranges -+ shell: | -+ kinit -c test_krb5_cache admin <<< SomeADMINpassword -+ ipa idrange-del {{ adserver.realm }}_id_range || true -+ ipa idrange-del {{ ipaserver.realm }}_subid_range || true -+ kdestroy -c test_krb5_cache -q -A - - when: trust_test_is_supported | default(false) --- -2.37.3 - -From 50b16cb33ff80f479825228b54349ba93b7c2ad5 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Wed, 30 Mar 2022 14:42:12 -0300 -Subject: [PATCH] tests/ipatrust: Modify AD realm name to an invalid name. - -As the task is expected to fail, the AD realm name was modified to show -the expected behavior more clearly. 
---- - tests/trust/test_trust_client_context.yml | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tests/trust/test_trust_client_context.yml b/tests/trust/test_trust_client_context.yml -index 2ea3853..6f4ff06 100644 ---- a/tests/trust/test_trust_client_context.yml -+++ b/tests/trust/test_trust_client_context.yml -@@ -13,7 +13,7 @@ - ipatrust: - ipaadmin_password: SomeADMINpassword - ipaapi_context: server -- realm: windows.local -+ realm: this.test.should.fail - register: result - failed_when: not (result.failed and result.msg is regex("No module named '*ipaserver'*")) - when: ipa_host_is_client --- -2.37.3 - diff --git a/SPECS/ansible-freeipa.spec b/SPECS/ansible-freeipa.spec index 298d1c6..0a708ed 100644 --- a/SPECS/ansible-freeipa.spec +++ b/SPECS/ansible-freeipa.spec @@ -7,18 +7,11 @@ Summary: Roles and playbooks to deploy FreeIPA servers, replicas and clients Name: ansible-freeipa -Version: 1.6.3 -Release: 2%{?dist} +Version: 1.8.3 +Release: 1%{?dist} URL: https://github.com/freeipa/ansible-freeipa License: GPLv3+ Source: https://github.com/freeipa/ansible-freeipa/archive/v%{version}.tar.gz#/%{name}-%{version}.tar.gz -Patch1: ansible-freeipa-1.6.3-ipatrust-Set-valid-choices-for-trust_type_PR808_RHBZ#2132968.patch -Patch2: ansible-freeipa-1.6.3-ipatrust-fix-range_type-and-test-enhancement_PR810_RHBZ#2132968.patch -Patch3: ansible-freeipa-1.6.3-ipaserver-ipareplica-Always-generate-SIDs_PR866_RHBZ#2132971.patch -Patch4: ansible-freeipa-1.6.3-ipareplica-ipareplica_setup_adtrust-fails-while-upda_PR877_RHBZ#2132971.patch -Patch5: ansible-freeipa-1.6.3-ipaserver-Add-missing-idstart-check_de8911a_RHBZ#2132977.patch -Patch6: ansible-freeipa-1.6.3-ipaserver-ipareplica-Add-isatty-method-to-AnsibleMod_707777_RHBZ#2132991.patch -Patch7: ansible-freeipa-1.6.3-ipaconfig-Add-support-for-SID-related-attributes_3c8d6c7_RHBZ#2132997.patch BuildArch: noarch %if 0%{?fedora} >= 35 || 0%{?rhel} >= 9 Requires: ansible-core 
@@ -39,6 +32,7 @@ Features - One-time-password (OTP) support for client installation - Repair mode for clients - Backup and restore, also to and from controller +- Smartcard setup for servers and clients - Modules for automembership rule management - Modules for automount key management - Modules for automount location management @@ -55,6 +49,7 @@ Features - Modules for hbacsvcgroup management - Modules for host management - Modules for hostgroup management +- Modules for idrange management - Modules for location management - Modules for permission management - Modules for privilege management @@ -63,6 +58,8 @@ Features - Modules for self service management - Modules for server management - Modules for service management +- Modules for service delegation rule management +- Modules for service delegation target management - Modules for sudocmd management - Modules for sudocmdgroup management - Modules for sudorule management @@ -119,13 +116,6 @@ to get the needed requrements to run the tests. %prep %setup -q # Do not create backup files with patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 # Fix python modules and module utils: # - Remove shebang @@ -154,6 +144,10 @@ cp -rp roles/ipaclient %{buildroot}%{_datadir}/ansible/roles/ cp -rp roles/ipaclient/README.md README-client.md cp -rp roles/ipabackup %{buildroot}%{_datadir}/ansible/roles/ cp -rp roles/ipabackup/README.md README-backup.md +cp -rp roles/ipasmartcard_server %{buildroot}%{_datadir}/ansible/roles/ +cp -rp roles/ipasmartcard_server/README.md README-smartcard_server.md +cp -rp roles/ipasmartcard_client %{buildroot}%{_datadir}/ansible/roles/ +cp -rp roles/ipasmartcard_client/README.md README-smartcard_client.md install -m 755 -d %{buildroot}%{_datadir}/ansible/plugins/ cp -rp plugins/* %{buildroot}%{_datadir}/ansible/plugins/ 
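Review bot: The `# Do not create backup files with patches` comment left after `%setup -q` in the %prep hunk no longer refers to anything, because this hunk removes all seven `%patchN -p1` lines and the header hunk drops the matching `Patch1`–`Patch7` declarations, so the spec applies no patches at all. A stale instruction in %prep is exactly the line a later contributor re-reads and acts on, so either delete it or make it conditional, e.g. `# Patches (if any are re-added) must be applied without backup files, i.e. no -b`. If the intent is that 1.8.3 is consumed unpatched from the upstream tarball, a short note next to `Source:` says that more directly than an orphaned %prep comment.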
@@ -169,6 +163,8 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/
 %{_datadir}/ansible/roles/ipareplica
 %{_datadir}/ansible/roles/ipaclient
 %{_datadir}/ansible/roles/ipabackup
+%{_datadir}/ansible/roles/ipasmartcard_server
+%{_datadir}/ansible/roles/ipasmartcard_client
 %{_datadir}/ansible/plugins/doc_fragments
 %{_datadir}/ansible/plugins/module_utils
 %{_datadir}/ansible/plugins/modules
@@ -183,17 +179,53 @@ cp -rp tests %{buildroot}%{_datadir}/ansible-freeipa/ %{_datadir}/ansible-freeipa/requirements-tests.txt %changelog -* Mon Oct 10 2022 Thomas Woerner - 1.6.3-2 -- ipatrust: fix range_type and set valid choices for trust_type - Resolves: RHBZ#2132968 -- ipaserver/ipareplica: Always generate SIDs - Resolves: RHBZ#2132971 -- ipaserver: Add missing idstart check - Resolves: RHBZ#2132977 -- ansible-freeipa Replica Install Setup DNS fails - Resolves: RHBZ#2132991 -- ipaconfig does not support SID and netbios attributes - Resolves: RHBZ#2132997 +* Tue Aug 16 2022 Thomas Woerner - 1.8.3-1 +- Update to version 1.8.3 + https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.3 + Related: RHBZ#2080322 +- Fixes replica deployment issue for domains without SID support. + Related: RHBZ#2110478 + +* Thu Jul 28 2022 Thomas Woerner - 1.8.2-1 +- Update to version 1.8.2 + https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.2 + Related: RHBZ#2080322 +- SIDs are always generated for server and replica deployments + Resolves: RHBZ#2110478 +- Random Serial Numbers are not enabled by default any more + Resolves: RHBZ#2110523 +- Fixes comparison of bool values in IPA 4.9.10+ for ipadnsconfig + Resolves: RHBZ#2110538 + +* Thu Jul 7 2022 Thomas Woerner - 1.8.1-1 +- Update to version 1.8.1 + https://github.com/freeipa/ansible-freeipa/releases/tag/v1.8.1 + Related: RHBZ#2080322 +- ipa server deploys failing with latest IPA compose + Resolves: RHBZ#2103924 +- ipaserver_external_cert_files failes to copy with ansible 2.13 + Resolves: RHBZ#2104142 + +* Fri Jun 24 2022 Thomas Woerner - 1.8.0-1 +- idrange: Fix usage of dom_name when idrange doesn't exist. + Resolves: RHBZ#2086994 +- smartcard roles for ansible-freeipa + Resolves: RHBZ#2076567 + +* Fri Apr 29 2022 Thomas Woerner - 1.7.0-1 +- Update to version 1.7.0 + https://github.com/freeipa/ansible-freeipa/releases/tag/v1.7.0 + Resolves: RHBZ#2080322 +- New idrange management module. 
+ Resolves: RHBZ#2069188 +- Not able to update empty descriptions in automount maps.a + Resolves: RHBZ#2050179 +- New servicedelegationrule management module. + Resolves: RHBZ#2069179 +- New servicedelegationtarget management module. + Resolves: RHBZ#2069180 +- Add support for managing idoverrideusers in ipagroup. + Resolves: RHBZ#2069183 * Thu Jan 27 2022 Thomas Woerner - 1.6.3-1 - Update to version 1.6.3