From 00abb6c62bbc61931a8756833d87aea010f1917c Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Mon, 13 Feb 2023 16:22:35 +0100 Subject: [PATCH] ipa-4.10.1-5 - Resolves: rhbz#2162656 Passwordless (GSSAPI) SSH not working for subdomain - Resolves: rhbz#2166326 Removing the last DNS type for ipa-ca does not work - Resolves: rhbz#2167473 RFE - Add a warning note about possible performance impact of the Auto Member rebuild task - Resolves: rhbz#2168244 requestsearchtimelimit=0 doesn't seems to be work with ipa-acme-manage pruning command Signed-off-by: Florence Blanc-Renaud --- ...ld-add-a-notice-about-high-CPU-usage.patch | 68 ++++++++ ...-setting-values-of-0-in-ACME-pruning.patch | 158 ++++++++++++++++++ ...DNS-record-when-updating-system-reco.patch | 69 ++++++++ ...istency-checker-needs-to-handle-chil.patch | 111 ++++++++++++ 0014-Add-test-for-SSH-with-GSSAPI-auth.patch | 83 +++++++++ freeipa.spec | 13 +- 6 files changed, 501 insertions(+), 1 deletion(-) create mode 100644 0010-automember-rebuild-add-a-notice-about-high-CPU-usage.patch create mode 100644 0011-Fix-setting-values-of-0-in-ACME-pruning.patch create mode 100644 0012-Wipe-the-ipa-ca-DNS-record-when-updating-system-reco.patch create mode 100644 0013-ipa-kdb-PAC-consistency-checker-needs-to-handle-chil.patch create mode 100644 0014-Add-test-for-SSH-with-GSSAPI-auth.patch diff --git a/0010-automember-rebuild-add-a-notice-about-high-CPU-usage.patch b/0010-automember-rebuild-add-a-notice-about-high-CPU-usage.patch new file mode 100644 index 0000000..f3891fd --- /dev/null +++ b/0010-automember-rebuild-add-a-notice-about-high-CPU-usage.patch 
@@ -0,0 +1,68 @@
+From 2857bc69957bde7e59fff1c66c5a83c7f560616b Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Tue, 31 Jan 2023 15:53:08 +0100
+Subject: [PATCH] automember-rebuild: add a notice about high CPU usage
+
+The automember-rebuild task may require high CPU usage
+if many users/hosts/groups are processed.
+Add a note in the ipa automember-rebuild CLI output
+and in the WebUI confirmation message.
+
+Fixes: https://pagure.io/freeipa/issue/9320
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Francisco Trivino
+---
+ install/ui/test/data/i18n_messages.json | 2 +-
+ ipaclient/plugins/automember.py | 8 ++++++++
+ ipaserver/plugins/internal.py | 6 +++++-
+ 3 files changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/install/ui/test/data/i18n_messages.json b/install/ui/test/data/i18n_messages.json
+index 49d288326d8cea192a16e93a274599805b0ea666..5b735487bf33805e8f0534d378d1497f05a11be8 100644
+--- a/install/ui/test/data/i18n_messages.json
++++ b/install/ui/test/data/i18n_messages.json
+@@ -7,7 +7,7 @@
+ "actions": {
+ "apply": "Apply",
+ "automember_rebuild": "Rebuild auto membership",
+- "automember_rebuild_confirm": "Are you sure you want to rebuild auto membership?",
++ "automember_rebuild_confirm": "Are you sure you want to rebuild auto membership? In case of a high number of users, hosts or groups, the operation may require high CPU usage.",
+ "automember_rebuild_success": "Automember rebuild membership task completed",
+ "confirm": "Are you sure you want to proceed with the action?",
+ "delete_confirm": "Are you sure you want to delete ${object}?",
+diff --git a/ipaclient/plugins/automember.py b/ipaclient/plugins/automember.py
+index df4a2e5a01744e0ff22c74180e13c2e7dc33fbaa..7108dc948753b9f6a4439842bd75e7c5e064bda6 100644
+--- a/ipaclient/plugins/automember.py
++++ b/ipaclient/plugins/automember.py
+@@ -34,3 +34,11 @@ class automember_add_condition(MethodOverride):
+ flags=['suppress_empty'],
+ ),
+ )
++
++
++@register(override=True, no_fail=True)
++class automember_rebuild(MethodOverride):
++ def interactive_prompt_callback(self, kw):
++ msg = _('IMPORTANT: In case of a high number of users, hosts or '
++ 'groups, the operation may require high CPU usage.')
++ self.Backend.textui.print_plain(msg)
+diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
+index 5ffa7a281548a0658386f8740dbddd96fd0bc7d6..e1e920f8bb49dd8ba8f30b727111bb1316f6a918 100644
+--- a/ipaserver/plugins/internal.py
++++ b/ipaserver/plugins/internal.py
+@@ -160,7 +160,11 @@ class i18n_messages(Command):
+ "actions": {
+ "apply": _("Apply"),
+ "automember_rebuild": _("Rebuild auto membership"),
+- "automember_rebuild_confirm": _("Are you sure you want to rebuild auto membership?"),
++ "automember_rebuild_confirm": _(
++ "Are you sure you want to rebuild auto membership? In case of "
++ "a high number of users, hosts or groups, the operation "
++ "may require high CPU usage."
++ ),
+ "automember_rebuild_success": _("Automember rebuild membership task completed"),
+ "confirm": _("Are you sure you want to proceed with the action?"),
+ "delete_confirm": _("Are you sure you want to delete ${object}?"),
+-- 
+2.39.1
+
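Review bot: The new `automember_rebuild` override and its `interactive_prompt_callback` in the ipaclient/plugins/automember.py hunk carry no docstring, so the reason for overriding the command (the CPU-cost notice described in the commit message) is invisible to the next reader of the plugin. I would add `"""Print a CPU-usage notice before the rebuild task is launched."""` as the method's first line. As far as the hunk shows, the notice is emitted only from the interactive prompt callback, so a non-interactive invocation presumably never sees it; if that is intended, the docstring is the place to say so. The other two hunks only change the confirmation string.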
diff --git a/0011-Fix-setting-values-of-0-in-ACME-pruning.patch b/0011-Fix-setting-values-of-0-in-ACME-pruning.patch
new file mode 100644
index 0000000..55f2f0d
--- /dev/null
+++ b/0011-Fix-setting-values-of-0-in-ACME-pruning.patch
@@ -0,0 +1,158 @@
+From 20ff7c16022793c707f6c2b8fb38a801870bc0e2 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Wed, 8 Feb 2023 10:42:58 -0500
+Subject: [PATCH] Fix setting values of 0 in ACME pruning
+
+Replace comparisons of "if value" with "if value is not None"
+in order to handle 0.
+
+Add a short reference to the man page to indicat that a cert
+or request retention time of 0 means remove at the next
+execution.
+
+Also indicate that the search time limit is in seconds.
+
+Fixes: https://pagure.io/freeipa/issue/9325
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Francisco Trivino
+---
+ doc/designs/expired_certificate_pruning.md | 4 ++--
+ install/tools/man/ipa-acme-manage.1 | 8 +++----
+ ipaserver/install/ipa_acme_manage.py | 28 +++++++++++-----------
+ 3 files changed, 20 insertions(+), 20 deletions(-)
+
+diff --git a/doc/designs/expired_certificate_pruning.md b/doc/designs/expired_certificate_pruning.md
+index a23e452696ba2a150c4ad5a3e57360ae0a16a338..35ead7b00145b5df44caf542cba277f0e6e08b6a 100644
+--- a/doc/designs/expired_certificate_pruning.md
++++ b/doc/designs/expired_certificate_pruning.md
+@@ -67,11 +67,11 @@ There are four values each that can be managed for pruning certificates and requ
+ * expired cert/incomplete request time
+ * time unit
+ * LDAP search size limit
+-* LDAP search time limit
++* LDAP search time limit (in seconds)
+ 
+ The first two configure when an expired certificate or incomplete request will be deleted. The unit can be one of: minute, hour, day, year. By default it is 30 days.
+ 
+-The LDAP limits control how many entries are returned and how long the search can take. By default it is 1000 entries and unlimited time.
++The LDAP limits control how many entries are returned and how long the search can take. By default it is 1000 entries and unlimited time (0 == unlimited, unit is seconds).
+ 
+ ### Configuration settings
+ 
+diff --git a/install/tools/man/ipa-acme-manage.1 b/install/tools/man/ipa-acme-manage.1
+index e6cec4e4a7fd460c514a72456a2dc9a2e3682ebd..b8383c14f482698d2bcc8b08f0c0bf5882c3c298 100644
+--- a/install/tools/man/ipa-acme-manage.1
++++ b/install/tools/man/ipa-acme-manage.1
+@@ -79,7 +79,7 @@ For example, "0 0 1 * *" schedules the job to run at 12:00am on the first
+ day of each month.
+ .TP
+ \fB\-\-certretention=CERTRETENTION\fR
+-Certificate retention time. The default is 30.
++Certificate retention time. The default is 30. A value of 0 will remove expired certificates with no delay.
+ .TP
+ \fB\-\-certretentionunit=CERTRETENTIONUNIT\fR
+ Certificate retention units. Valid units are: minute, hour, day, year.
+@@ -89,10 +89,10 @@ The default is days.
+ LDAP search size limit searching for expired certificates. The default is 1000. This is a client-side limit. There may be additional server-side limitations.
+ .TP
+ \fB\-\-certsearchtimelimit=CERTSEARCHTIMELIMIT\fR
+-LDAP search time limit searching for expired certificates. The default is 0, no limit. This is a client-side limit. There may be additional server-side limitations.
++LDAP search time limit (seconds) searching for expired certificates. The default is 0, no limit. This is a client-side limit. There may be additional server-side limitations.
+ .TP
+ \fB\-\-requestretention=REQUESTRETENTION\fR
+-Request retention time. The default is 30.
++Request retention time. The default is 30. A value of 0 will remove expired requests with no delay.
+ .TP
+ \fB\-\-requestretentionunit=REQUESTRETENTIONUNIT\fR
+ Request retention units. Valid units are: minute, hour, day, year.
+@@ -102,7 +102,7 @@ The default is days.
+ LDAP search size limit searching for unfulfilled requests. The default is 1000. There may be additional server-side limitations.
+ .TP
+ \fB\-\-requestsearchtimelimit=REQUESTSEARCHTIMELIMIT\fR
+-LDAP search time limit searching for unfulfilled requests. The default is 0, no limit. There may be additional server-side limitations.
++LDAP search time limit (seconds) searching for unfulfilled requests. The default is 0, no limit. There may be additional server-side limitations.
+ .TP
+ \fB\-\-config\-show\fR
+ Show the current pruning configuration
+diff --git a/ipaserver/install/ipa_acme_manage.py b/ipaserver/install/ipa_acme_manage.py
+index b7b2111d9edcec2580aa4a485d7a7340146ff065..e7c35ff6fb5b7a30ac9e2c0c18f8db805cf06ee9 100644
+--- a/ipaserver/install/ipa_acme_manage.py
++++ b/ipaserver/install/ipa_acme_manage.py
+@@ -207,14 +207,14 @@ class IPAACMEManage(AdminTool):
+ self.options.enable,
+ self.options.disable,
+ self.options.cron,
+- self.options.certretention,
++ self.options.certretention is not None,
+ self.options.certretentionunit,
+- self.options.requestretention,
++ self.options.requestretention is not None,
+ self.options.requestretentionunit,
+- self.options.certsearchsizelimit,
+- self.options.certsearchtimelimit,
+- self.options.requestsearchsizelimit,
+- self.options.requestsearchtimelimit,
++ self.options.certsearchsizelimit is not None,
++ self.options.certsearchtimelimit is not None,
++ self.options.requestsearchsizelimit is not None,
++ self.options.requestsearchtimelimit is not None,
+ ]
+ )
+ and (self.options.config_show or self.options.run)
+@@ -226,7 +226,7 @@ class IPAACMEManage(AdminTool):
+ elif self.options.cron:
+ if len(self.options.cron.split()) != 5:
+ self.option_parser.error("Invalid format for --cron")
+- # dogtag does no validation when setting an option so
++ # dogtag does no validation when setting this option so
+ # do the minimum. The dogtag cron is limited compared to
+ # crontab(5).
+ opt = self.options.cron.split()
+@@ -255,7 +255,7 @@ class IPAACMEManage(AdminTool):
+ 'pki-server', command,
+ f'{prefix}.{directive}'
+ ]
+- if value:
++ if value is not None:
+ args.extend([str(value)])
+ logger.debug(args)
+ result = run(args, raiseonerr=False, capture_output=True,
+@@ -350,28 +350,28 @@ class IPAACMEManage(AdminTool):
+ 
+ # pki-server ca-config-set can only set one option at a time so
+ # loop through all the options and set what is there.
+- if self.options.certretention:
++ if self.options.certretention is not None:
+ ca_config_set('certRetentionTime',
+ self.options.certretention)
+ if self.options.certretentionunit:
+ ca_config_set('certRetentionUnit',
+ self.options.certretentionunit)
+- if self.options.certsearchtimelimit:
++ if self.options.certsearchtimelimit is not None:
+ ca_config_set('certSearchTimeLimit',
+ self.options.certsearchtimelimit)
+- if self.options.certsearchsizelimit:
++ if self.options.certsearchsizelimit is not None:
+ ca_config_set('certSearchSizeLimit',
+ self.options.certsearchsizelimit)
+- if self.options.requestretention:
++ if self.options.requestretention is not None:
+ ca_config_set('requestRetentionTime',
+ self.options.requestretention)
+ if self.options.requestretentionunit:
+ ca_config_set('requestRetentionUnit',
+ self.options.requestretentionunit)
+- if self.options.requestsearchsizelimit:
++ if self.options.requestsearchsizelimit is not None:
+ ca_config_set('requestSearchSizeLimit',
+ self.options.requestsearchsizelimit)
+- if self.options.requestsearchtimelimit:
++ if self.options.requestsearchtimelimit is not None:
+ ca_config_set('requestSearchTimeLimit',
+ self.options.requestsearchtimelimit)
+ if self.options.cron:
+-- 
+2.39.1
+
diff --git a/0012-Wipe-the-ipa-ca-DNS-record-when-updating-system-reco.patch b/0012-Wipe-the-ipa-ca-DNS-record-when-updating-system-reco.patch
new file mode 100644
index 0000000..ea70bca
--- /dev/null
+++ b/0012-Wipe-the-ipa-ca-DNS-record-when-updating-system-reco.patch
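Review bot: In the `@@ -255,7 +255,7 @@` hunk `ca_config_set` now forwards every non-None value to `pki-server ca-config-set`, so a negative retention time or search limit reaches dogtag unchanged unless the option parser already bounds it, which these hunks do not show, and the comment kept in the `--cron` branch says dogtag does no validation of its own. Since the commit gives `0` an explicit meaning, I would reject the other edge at the same spot, assuming the options are parsed as ints: `if value is not None and value < 0: self.option_parser.error(f"{directive} must be 0 or greater")` ahead of the existing `if value is not None:`. `args.extend([str(value)])` is a one-element extend and reads more plainly as `args.append(str(value))`. The enclosing function begins outside the hunk.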
@@ -0,0 +1,69 @@
+From 4e0ad96fbd9f438c884eeeaa60c2fb0c910a2b61 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Mon, 11 Jul 2022 14:20:32 -0400
+Subject: [PATCH] Wipe the ipa-ca DNS record when updating system records
+
+If a server with a CA has been marked as hidden and
+contains the last A or AAAA address then that address
+would remain in the ipa-ca entry.
+
+This is because update-dns-system-records did not delete
+values, it just re-computed them. So if no A or AAAA
+records were found then the existing value was left.
+
+Fixes: https://pagure.io/freeipa/issue/9195
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Francisco Trivino
+Reviewed-By: Stanislav Levin
+---
+ ipaserver/dns_data_management.py | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
+index e2bc530ee8a8d7ade853652680c524ccd229205c..aaae5446856aba5e39ca9bb9c03decd434e4f71a 100644
+--- a/ipaserver/dns_data_management.py
++++ b/ipaserver/dns_data_management.py
+@@ -19,6 +19,7 @@ from dns import (
+ from time import sleep, time
+ 
+ from ipalib import errors
++from ipalib.constants import IPA_CA_RECORD
+ from ipalib.dns import record_name_format
+ from ipapython.dnsutil import DNSName
+ from ipaserver.install import installutils
+@@ -187,7 +188,7 @@ class IPASystemRecords:
+ 
+ def __add_ca_records_from_hostname(self, zone_obj, hostname):
+ assert isinstance(hostname, DNSName) and hostname.is_absolute()
+- r_name = DNSName('ipa-ca') + self.domain_abs
++ r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
+ rrsets = None
+ end_time = time() + CA_RECORDS_DNS_TIMEOUT
+ while True:
+@@ -210,6 +211,7 @@ class IPASystemRecords:
+ 
+ for rrset in rrsets:
+ for rd in rrset:
++ logger.debug("Adding CA IP %s for %s", rd.to_text(), hostname)
+ rdataset = zone_obj.get_rdataset(
+ r_name, rd.rdtype, create=True)
+ rdataset.add(rd, ttl=self.TTL)
+@@ -461,6 +463,14 @@ class IPASystemRecords:
+ )
+ )
+ 
++ # Remove the ipa-ca record(s). They will be reconstructed in
++ # get_base_records().
++ r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
++ try:
++ self.api_instance.Command.dnsrecord_del(
++ self.domain_abs, r_name, del_all=True)
++ except errors.NotFound:
++ pass
+ base_zone = self.get_base_records()
+ for record_name, node in base_zone.items():
+ set_cname_template = record_name in names_requiring_cname_templates
+-- 
+2.39.1
+
diff --git a/0013-ipa-kdb-PAC-consistency-checker-needs-to-handle-chil.patch b/0013-ipa-kdb-PAC-consistency-checker-needs-to-handle-chil.patch
new file mode 100644
index 0000000..95d8ad1
--- /dev/null
+++ b/0013-ipa-kdb-PAC-consistency-checker-needs-to-handle-chil.patch
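Review bot: In the `@@ -461,6 +463,14 @@` hunk the ipa-ca name is deleted with `del_all=True` before `get_base_records()` is called, so if that call fails the zone is left with no ipa-ca record at all until a later run succeeds; a failure there is plausible, since `__add_ca_records_from_hostname` in the second hunk resolves each CA host under a `CA_RECORDS_DNS_TIMEOUT` deadline, and the name is also unresolvable for the whole of that wait. As far as the hunks show, `get_base_records()` derives the addresses from the CA hosts' own names rather than from the existing ipa-ca entry, so computing first and deleting second is safe: move `base_zone = self.get_base_records()` above the `try:` block and keep the delete immediately before the loop that re-adds the records. If the remaining delete/re-add gap is accepted, a comment saying so would help, e.g. `# ipa-ca briefly has no records between the delete and the re-add below`. The enclosing method starts before the hunk, so its name is not visible here.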
@@ -0,0 +1,111 @@
+From 0206369eec8530e96c66986c4ca501d8962193ce Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 30 Jan 2023 14:22:30 +0200
+Subject: [PATCH] ipa-kdb: PAC consistency checker needs to handle child
+ domains as well
+
+When PAC check is performed, we might get a signing TGT instead of the
+client DB entry. This means it is a principal from a trusted domain but
+we don't know which one exactly because we only have a krbtgt for the
+forest root. This happens in MIT Kerberos 1.20 or later where KDB's
+issue_pac() callback never gets the original client principal directly.
+
+Look into known child domains as well and make pass the check if both
+NetBIOS name and SID correspond to one of the trusted domains under this
+forest root. Move check for the SID before NetBIOS name check because we
+can use SID of the domain in PAC to find out the right child domain in
+our trusted domains' topology list.
+
+Fixes: https://pagure.io/freeipa/issue/9316
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Rafael Guterres Jeffman
+Reviewed-By: Rob Crittenden
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 51 +++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 19 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index a15050e2166f95c227d2e3c7d238e1ea2fe01235..476d1cb558a53420821ccfb1b794cb6bedce7794 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1827,11 +1827,43 @@ krb5_error_code filter_logon_info(krb5_context context,
+ bool result;
+ char *domstr = NULL;
+ 
++ ipactx = ipadb_get_context(context);
++ if (!ipactx || !ipactx->mspac) {
++ return KRB5_KDB_DBNOTINITED;
++ }
++
+ domain = get_domain_from_realm_update(context, realm);
+ if (!domain) {
+ return EINVAL;
+ }
+ 
++ /* check exact sid */
++ result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true);
++ if (!result) {
++ struct ipadb_mspac *mspac_ctx = ipactx->mspac;
++ result = FALSE;
++ /* Didn't match but perhaps the original PAC was issued by a child domain's DC? */
++ for (k = 0; k < mspac_ctx->num_trusts; k++) {
++ result = dom_sid_check(&mspac_ctx->trusts[k].domsid,
++ info->info->info3.base.domain_sid, true);
++ if (result) {
++ domain = &mspac_ctx->trusts[k];
++ break;
++ }
++ }
++ if (!result) {
++ domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid);
++ krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, "
++ "expected domain SID = %s, "
++ "found domain SID = %s",
++ domain->domain_name, domain->domain_sid,
++ domstr ? domstr : "");
++ talloc_free(domstr);
++ return EINVAL;
++ }
++ }
++
++ /* At this point we may have changed the domain we look at, */
+ /* check netbios/flat name */
+ if (strcasecmp(info->info->info3.base.logon_domain.string,
+ domain->flat_name) != 0) {
+@@ -1843,21 +1875,6 @@ krb5_error_code filter_logon_info(krb5_context context,
+ return EINVAL;
+ }
+ 
+- /* check exact sid */
+- result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true);
+- if (!result) {
+- domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid);
+- if (!domstr) {
+- return EINVAL;
+- }
+- krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, "
+- "expected domain SID = %s, "
+- "found domain SID = %s",
+- domain->domain_name, domain->domain_sid, domstr);
+- talloc_free(domstr);
+- return EINVAL;
+- }
+-
+ /* Check if this domain has been filtered out by the trust itself*/
+ if (domain->parent != NULL) {
+ for(k = 0; k < domain->parent->len_sid_blocklist_incoming; k++) {
+@@ -1944,10 +1961,6 @@ krb5_error_code filter_logon_info(krb5_context context,
+ * should include different possibilities into account
+ * */
+ if (info->info->info3.sidcount != 0) {
+- ipactx = ipadb_get_context(context);
+- if (!ipactx || !ipactx->mspac) {
+- return KRB5_KDB_DBNOTINITED;
+- }
+ count = info->info->info3.sidcount;
+ i = 0;
+ j = 0;
+-- 
+2.39.1
+
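Review bot: The fallback loop in the `@@ -1827,11 +1827,43 @@` hunk accepts a PAC whose domain SID matches any entry of `mspac_ctx->trusts`, not only a child of the forest root that `get_domain_from_realm_update(context, realm)` returned, although the commit message scopes the check to domains "under this forest root". If more than one forest is trusted, a PAC that arrives under forest A's krbtgt but names a domain of forest B would pass the SID check, and the NetBIOS check that follows only has to agree with that same entry. Restricting the search to the realm's own root, `if (mspac_ctx->trusts[k].parent != domain) continue;` as the first statement of the loop body, would match the stated intent, assuming `parent` links a child to its forest root as the `domain->parent` blocklist check further down suggests. `result = FALSE;` directly inside `if (!result)` is redundant, and the `At this point we may have changed the domain we look at,` comment ends in a comma as if a second line were intended. `filter_logon_info` continues outside the hunk.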
diff --git a/0014-Add-test-for-SSH-with-GSSAPI-auth.patch b/0014-Add-test-for-SSH-with-GSSAPI-auth.patch
new file mode 100644
index 0000000..00630b5
--- /dev/null
+++ b/0014-Add-test-for-SSH-with-GSSAPI-auth.patch
@@ -0,0 +1,83 @@
+From a6cb905de74da38d62f9c3bd7957018924282521 Mon Sep 17 00:00:00 2001
+From: Anuja More
+Date: Mon, 30 Jan 2023 19:27:49 +0530
+Subject: [PATCH] Add test for SSH with GSSAPI auth.
+
+Added test for aduser with GSSAPI authentication.
+
+Related : https://pagure.io/freeipa/issue/9316
+
+Signed-off-by: Anuja More
+Reviewed-By: Rafael Guterres Jeffman
+Reviewed-By: Rob Crittenden
+---
+ ipatests/test_integration/test_trust.py | 46 +++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index c4b3b99ce1abbc16817b6530939fd9bae3f9500a..0d5b71cb0277a79eed7c34eb7e3d7eb6c09faa5e 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -527,6 +527,35 @@ class TestTrust(BaseTestTrust):
+ .format(self.ad_domain, subordinate_suffix))
+ self.ad.run_command(['powershell', '-c', cmd])
+ 
++ def test_ssh_aduser(self):
++ """Test ssh with GSSAPI is working with aduser
++
++ When kerberos ticket is obtained for child domain user
++ and ssh with this ticket should be successful
++ with no password prompt.
++
++ Related : https://pagure.io/freeipa/issue/9316
++ """
++ testuser = 'testuser@{0}'.format(self.ad_domain)
++ testusersub = 'subdomaintestuser@{0}'.format(self.ad_subdomain)
++
++ def sshuser(host, user):
++ tasks.kdestroy_all(host)
++ try:
++ tasks.kinit_as_user(host, user,
++ host.config.ad_admin_password
++ )
++ ssh_cmd = "ssh -q -K -l {user} {host} hostname"
++ valid_ssh = host.run_command(
++ ssh_cmd.format(user=user, host=host.hostname)
++ )
++ assert host.hostname in valid_ssh.stdout_text
++ finally:
++ tasks.kdestroy_all(host)
++
++ sshuser(self.master, testuser)
++ sshuser(self.master, testusersub)
++
+ def test_remove_nonposix_trust(self):
+ self.remove_trust(self.ad)
+ tasks.unconfigure_dns_for_trust(self.master, self.ad)
+@@ -785,6 +814,23 @@ class TestTrust(BaseTestTrust):
+ assert re.search(
+ testuser_regex, result.stdout_text), result.stdout_text
+ 
++ def test_ssh_adtreeuser(self):
++ testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
++ self.master.run_command(["id", testuser])
++ tasks.clear_sssd_cache(self.master)
++ tasks.kdestroy_all(self.master)
++ try:
++ tasks.kinit_as_user(self.master, testuser,
++ password="Secret123456"
++ )
++ ssh_cmd = "ssh -q -K -l {user} {host} hostname"
++ valid_ssh = self.master.run_command(
++ ssh_cmd.format(user=testuser, host=self.master.hostname)
++ )
++ assert self.master.hostname in valid_ssh.stdout_text
++ finally:
++ tasks.kdestroy_all(self.master)
++
+ def test_remove_external_treedomain_trust(self):
+ self.remove_trust(self.tree_ad)
+ tasks.unconfigure_dns_for_trust(self.master, self.ad, self.tree_ad)
+-- 
+2.39.1
+
diff --git a/freeipa.spec b/freeipa.spec
index 8b83e54..a543043 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -223,7 +223,7 @@ Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 4%{?rc_version:.%rc_version}%{?dist}
+Release: 5%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
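Review bot: `test_ssh_adtreeuser` in the `@@ -785,6 +814,23 @@` hunk hard-codes `password="Secret123456"` while `test_ssh_aduser` in the first hunk reads `host.config.ad_admin_password`, so if the tree-domain user's password is an environment setting the literal will silently diverge from it; reading it from the test config as the sibling does would keep the two in step. Both tests also repeat the kdestroy/kinit/ssh/assert sequence, and lifting the nested `sshuser` helper to module level with a `password` parameter would leave one copy. `ssh -K` enables GSSAPI credential delegation as well as authentication, so the tests forward the user's ticket to the server although only authentication is under test; `-o GSSAPIAuthentication=yes` would exercise just the path the referenced issue is about. `test_ssh_adtreeuser` has no docstring; `"""Test ssh with GSSAPI works for a user of the external tree domain."""` would match its sibling.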
@@ -256,6 +256,11 @@ Patch0006: 0006-doc-Design-for-certificate-pruning.patch
 Patch0007: 0007-ipa-acme-manage-add-certificate-request-pruning-mana.patch
 Patch0008: 0008-doc-add-the-run-command-for-manual-job-execution.patch
 Patch0009: 0009-tests-add-wrapper-around-ACME-RSNv3-test.patch
+Patch0010: 0010-automember-rebuild-add-a-notice-about-high-CPU-usage.patch
+Patch0011: 0011-Fix-setting-values-of-0-in-ACME-pruning.patch
+Patch0012: 0012-Wipe-the-ipa-ca-DNS-record-when-updating-system-reco.patch
+Patch0013: 0013-ipa-kdb-PAC-consistency-checker-needs-to-handle-chil.patch
+Patch0014: 0014-Add-test-for-SSH-with-GSSAPI-auth.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1743,6 +1748,12 @@ fi
 %endif
 %changelog
+* Mon Feb 13 2023 Florence Blanc-Renaud - 4.10.1-5
+- Resolves: rhbz#2162656 Passwordless (GSSAPI) SSH not working for subdomain
+- Resolves: rhbz#2166326 Removing the last DNS type for ipa-ca does not work
+- Resolves: rhbz#2167473 RFE - Add a warning note about possible performance impact of the Auto Member rebuild task
+- Resolves: rhbz#2168244 requestsearchtimelimit=0 doesn't seems to be work with ipa-acme-manage pruning command
+
 * Mon Feb 06 2023 Florence Blanc-Renaud - 4.10.1-4
 - Resolves: rhbz#2161284 'ERROR Could not remove /tmp/tmpbkw6hawo.ipabkp' can be seen prior to 'ipa-client-install' command was successful
 - Resolves: rhbz#2164403 ipa-trust-add with --range-type=ipa-ad-trust-posix fails while creating an ID range