FreeIPA 4.9.0 release candidate 1

- Update to new upstream release
- Unify most of Fedora/RHEL/Upstream spec files

.gitignore

@@ -94,3 +94,5 @@
 /freeipa-4.8.9.tar.gz.asc
 /freeipa-4.8.10.tar.gz
 /freeipa-4.8.10.tar.gz.asc
+/freeipa-4.9.0rc1.tar.gz
+/freeipa-4.9.0rc1.tar.gz.asc

freeipa.spec

@@ -1,3 +1,18 @@
+# ipatests enabled by default, can be disabled with --without ipatests
+%bcond_without ipatests
+# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
+# On RHEL 8 we should use --with ipa_join_xml
+%bcond_with ipa_join_xml
+
+# Linting is disabled by default, needed for upstream testing
+%bcond_with lint
+
+# Build documentation with sphinx
+%bcond_with doc
+
+# Build Python wheels
+%bcond_with wheels
+
 # 389-ds-base 1.4 no longer supports i686 platform, build only client
 # packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386
 %if 0%{?fedora} >= 28 || 0%{?rhel} > 7
@@ -6,7 +21,6 @@
     %endif
 %endif
 
-
 # Define ONLY_CLIENT to only make the ipa-client and ipa-python
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
@@ -16,37 +30,19 @@
     %global enable_server_option --enable-server
 %endif
 
-# Build ipatests
-%if 0%{?rhel}
+%if %{ONLY_CLIENT}
     %global with_ipatests 0
 %endif
-%if ! %{ONLY_CLIENT}
-    %{!?with_ipatests:%global with_ipatests 1}
-%endif
-%if 0%{?with_ipatests}
-    %global with_ipatests_option --with-ipatests
-%else
-    %global with_ipatests_option --without-ipatests
-%endif
 
-# Python 2/3 packages and default Python interpreter
-%if 0%{?rhel} > 7
-    %global with_default_python 3
-%endif
+# Whether to build ipatests
+%global with_ipatests_option %{?_with_ipatests}
 
-%if 0%{?fedora} >= 29
-    # F29 only supports Python 3 as default Python
-    %global with_default_python 3
-%endif
-
-%{!?with_default_python:%global with_default_python 3}
-
-%global with_python3 1
-%global python %{__python3}
+# Whether to use XML-RPC with ipa-join
+%global with_ipa_join_xml_option %{?_with_ipa_join_xml}
 
 # lint is not executed during rpmbuild
 # %%global with_lint 1
-%if 0%{?with_lint}
+%if %{with lint}
     %global linter_options --enable-pylint --with-jslint
 %else
     %global linter_options --disable-pylint --without-jslint
@@ -62,18 +58,19 @@
 %if 0%{?rhel}
 %global package_name ipa
 %global alt_name freeipa
-%global krb5_version 1.18
+%global krb5_version 1.18.2
+%global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
-%global python_netaddr_version 0.7.16
+%global python_netaddr_version 0.7.19
 # Require 4.7.0 which brings Python 3 bindings
-%global samba_version 4.7.0
-%global selinux_policy_version 3.14.3-21
-%global slapi_nis_version 0.56.1-4
+%global samba_version 4.12.3-12
+%global selinux_policy_version 3.14.3-52
+%global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
 # python3-lib389
 # Fix for "Installation fails: Replica Busy"
 # https://pagure.io/389-ds-base/issue/49818
-%global ds_version 1.4.0.16
+%global ds_version 1.4.2.4-6
 # Fix for TLS 1.3 PHA, RHBZ#1775158
 %global httpd_version 2.4.37-21
 
@@ -97,6 +94,8 @@
 %endif
 %global slapi_nis_version 0.56.5
 
+%global krb5_kdb_version 8.0
+
 # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
 %global python_ldap_version 3.1.0-1
 # 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
@@ -110,6 +109,16 @@
 %global httpd_version 2.4.41-6.1
 %endif
 
+# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11
+# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9)
+%if 0%{?fedora} || 0%{?rhel} > 8
+    %global with_bind_pkcs11 0
+    %global openssl_pkcs11_version 0.4.10-6
+    %global softhsm_version 2.5.0-4
+%else
+    %global with_bind_pkcs11 1
+%endif
+
 # Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet.
 # Some packages don't provide new dist aliases.
 # https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/
@@ -118,13 +127,6 @@
 # Fedora
 %endif
 
-# krb5 can only provide one KDB at a time
-%if 0%{?fedora} >= 32 || 0%{?rhel} >= 8
-%global krb5_kdb_version 8.0
-%else
-%global krb5_kdb_version 7.0
-%endif
-
 # PKIConnection has been modified to always validate certs.
 # https://pagure.io/freeipa/issue/8379
 %global pki_version 10.9.0-0.4
@@ -132,18 +134,22 @@
 # https://pagure.io/certmonger/issue/90
 %global certmonger_version 0.79.7-1
 
-# NSS release with fix for p11-kit-proxy issue, affects F28
-# https://pagure.io/freeipa/issue/7810
-%if 0%{?fedora} == 28
-%global nss_version 3.41.0-3
-%else
 %global nss_version 3.41.0-1
+
+# One-Way Trust authenticated by trust secret
+# https://bugzilla.redhat.com/show_bug.cgi?id=1345975#c20
+%global sssd_version 1.16.3-2
+
+%define krb5_base_version %(LC_ALL=C pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version)
+
+%if 0%{?fedora} >= 33
+# systemd with resolved enabled
+# see https://pagure.io/freeipa/issue/8275
+%global systemd_version 246.6-3
+%else
+%global systemd_version 245
 %endif
 
-%global sssd_version 2.2.0-1
-
-%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
-
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
@@ -152,7 +158,9 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.8.10
+%define IPA_VERSION 4.9.0
+# Release candidate version -- set to %%nil (one percent sign) for a release
+%define rc_version rc1
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@@ -161,19 +169,16 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        7%{?dist}
+Release:        0%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
 URL:            http://www.freeipa.org/
-Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
-Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
+Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz
+Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc
 Patch0:         freeipa-4.8.10-systemd-resolved.patch
 Patch1:         freeipa-4.8.10-systemd-resolved-configuration.patch
 Patch2:         freeipa-4.8.10-systemd-resolved-selinux-fixes.patch
-# https://github.com/freeipa/freeipa/pull/5212
-# Fix deployment errors with 389-ds-base 1.4.4.6+
-Patch3:         5212.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -184,12 +189,20 @@ BuildRequires:  openldap-devel
 # DAL version change may cause code crash or memory leaks, it is better to fail early.
 BuildRequires:  krb5-kdb-version = %{krb5_kdb_version}
 BuildRequires:  krb5-kdb-devel-version = %{krb5_kdb_version}
+BuildRequires:  krb5-devel >= %{krb5_version}
+BuildRequires:  pkgconfig(krb5)
+%if %{with ipa_join_xml}
 # 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
 BuildRequires:  xmlrpc-c-devel >= 1.27.4
+%else
+BuildRequires:  libcurl-devel
+BuildRequires:  jansson-devel
+%endif
 BuildRequires:  popt-devel
 BuildRequires:  gcc
 BuildRequires:  make
 BuildRequires:  pkgconfig
+BuildRequires:  pkgconf
 BuildRequires:  autoconf
 BuildRequires:  automake
 BuildRequires:  libtool
@@ -197,7 +210,7 @@ BuildRequires:  gettext
 BuildRequires:  gettext-devel
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
-BuildRequires:  systemd
+BuildRequires:  systemd >= %{systemd_version}
 # systemd-tmpfiles which is executed from make install requires apache user
 BuildRequires:  httpd
 BuildRequires:  nspr-devel
@@ -210,6 +223,7 @@ BuildRequires:  samba-devel >= %{samba_version}
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 BuildRequires:  libuuid-devel
+BuildRequires:  libpwquality-devel
 BuildRequires:  libsss_idmap-devel
 BuildRequires:  libsss_certmap-devel
 BuildRequires:  libsss_nss_idmap-devel >= %{sssd_version}
@@ -225,9 +239,9 @@ BuildRequires:  libunistring-devel
 # 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
 # 0.13.0-2: fix for missing dependency on python-six
 BuildRequires:  python3-lesscpy >= 0.13.0-2
-
+BuildRequires:  cracklib-dicts
 # ONLY_CLIENT
-%endif 
+%endif
 
 #
 # Build dependencies for makeapi/makeaci
@@ -245,7 +259,7 @@ BuildRequires:  python3-psutil
 #
 # Build dependencies for wheel packaging and PyPI upload
 #
-%if 0%{?with_wheels}
+%if %{with wheels}
 BuildRequires:  dbus-glib-devel
 BuildRequires:  libffi-devel
 BuildRequires:  python3-tox
@@ -258,10 +272,15 @@ BuildRequires:  python3-wheel
 # with_wheels
 %endif
 
+%if %{with doc}
+BuildRequires: python3-sphinx
+BuildRequires: python3-m2r
+%endif
+
 #
 # Build dependencies for lint and fastcheck
 #
-%if 0%{?with_lint}
+%if 0%{with lint}
 BuildRequires:  git
 BuildRequires:  jsl
 BuildRequires:  nss-tools
@@ -293,7 +312,7 @@ BuildRequires:  python3-polib
 BuildRequires:  python3-pyasn1
 BuildRequires:  python3-pyasn1-modules
 BuildRequires:  python3-pycodestyle
-%if 0%{?fedora} >= 29
+%if 0%{?fedora} || %{?rhel} > 8
 # https://bugzilla.redhat.com/show_bug.cgi?id=1648299
 BuildRequires:  python3-pylint >= 2.1.1-2
 %else
@@ -369,17 +388,19 @@ Requires: mod_session >= %{httpd_version}
 # 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
 Requires: mod_lookup_identity >= 0.9.9
 Requires: acl
-Requires: systemd-units >= 38
+Requires: systemd-units >= %{systemd_version}
+Requires(pre): systemd-units >= %{systemd_version}
+Requires(post): systemd-units >= %{systemd_version}
+Requires(preun): systemd-units >= %{systemd_version}
+Requires(postun): systemd-units >= %{systemd_version}
 Requires(pre): shadow-utils
-Requires(pre): systemd-units
-Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
 Requires: slapi-nis >= %{slapi_nis_version}
 Requires: pki-ca >= %{pki_version}
 Requires: pki-kra >= %{pki_version}
-Requires(preun): systemd-units
-Requires(postun): systemd-units
+# pki-acme package was split out in pki-10.10.0
+Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0)
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= %{certmonger_version}
@@ -395,6 +416,8 @@ Requires: oddjob
 # 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
 Requires: gssproxy >= 0.7.0-2
 Requires: sssd-dbus >= %{sssd_version}
+Requires: libpwquality
+Requires: cracklib-dicts
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@@ -463,7 +486,7 @@ Summary: Common files used by IPA server
 BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= %{httpd_version}
-Requires: systemd-units >= 38
+Requires: systemd-units >= %{systemd_version}
 
 Provides: %{alt_name}-server-common = %{version}
 Conflicts: %{alt_name}-server-common
@@ -482,12 +505,22 @@ If you are installing an IPA server, you need to install this package.
 Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 11.3-1
-Requires: bind >= 9.11.19
-Requires: bind-utils >= 9.11.19
-Requires: bind-pkcs11 >= 9.11.19
-Requires: bind-pkcs11-utils >= 9.11.19
-Requires: opendnssec >= 2.1.6-3
+Requires: bind-dyndb-ldap >= 11.0-2
+Requires: bind >= 9.11.0-6.P2
+Requires: bind-utils >= 9.11.0-6.P2
+%if %{with bind_pkcs11}
+Requires: bind-pkcs11 >= 9.11.0-6.P2
+Requires: bind-pkcs11-utils >= 9.11.0-6.P2
+%else
+Requires: softhsm >= %{softhsm_version}
+Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+%endif
+%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
+Requires: opendnssec >= 2.1.6-5
+%else
+Requires: opendnssec >= 1.4.6-4
+%endif
 %{?systemd_requires}
 
 Provides: %{alt_name}-server-dns = %{version}
@@ -551,13 +584,14 @@ Requires: krb5-workstation >= %{krb5_version}
 Requires: authselect >= 0.4-2
 Requires: curl
 # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
-%if 0%{?fedora} >= 29
+# All Fedora 28+ and RHEL8+ contain the service in hostname package
 Requires: hostname
-%else
-Requires: initscripts
-%endif
 Requires: libcurl >= 7.21.7-2
+%if %{with ipa_join_xml}
 Requires: xmlrpc-c >= 1.27.4
+%else
+Requires: jansson
+%endif
 Requires: sssd-ipa >= %{sssd_version}
 Requires: certmonger >= %{certmonger_version}
 Requires: nss-tools >= %{nss_version}
@@ -612,9 +646,10 @@ on the machine enrolled into a FreeIPA environment
 Summary: Tools to configure Expiring Password Notification in IPA
 Group: System Environment/Base
 Requires: systemd-units
-Requires(post): systemd-units
-Requires(preun): systemd-units
-Requires(postun): systemd-units
+Requires: systemd-units >= %{systemd_version}
+Requires(post): systemd-units >= %{systemd_version}
+Requires(preun): systemd-units >= %{systemd_version}
+Requires(postun): systemd-units >= %{systemd_version}
 Requires: %{name}-client = %{version}-%{release}
 
 %description client-epn
@@ -649,6 +684,12 @@ BuildArch: noarch
 Provides: %{alt_name}-client-common = %{version}
 Conflicts: %{alt_name}-client-common
 Obsoletes: %{alt_name}-client-common < %{version}
+# python2-ipa* packages are no longer available in 4.8.
+Obsoletes: python2-ipaclient < 4.8.0-1
+Obsoletes: python2-ipalib < 4.8.0-1
+Obsoletes: python2-ipaserver < 4.8.0-1
+Obsoletes: python2-ipatests < 4.8.0-1
+
 
 %description client-common
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -740,11 +781,11 @@ Obsoletes: %{alt_name}-common < %{version}
 
 Conflicts: %{alt_name}-python < %{version}
 
-%if 0%{?with_selinux}
+%if %{with selinux}
 # This ensures that the *-selinux package and all it’s dependencies are not
 # pulled into containers and other systems that do not use SELinux. The
 # policy defines types and file contexts for client and server.
-Requires:       (%{name}-selinux = %{version}-%{release} if selinux-policy-%{selinuxtype})
+Requires:       (%{name}-selinux if selinux-policy-%{selinuxtype})
 %endif
 
 %description common
@@ -756,7 +797,7 @@ and integration with Active Directory based infrastructures (Trusts).
 If you are using IPA, you need to install this package.
 
 
-%if 0%{?with_ipatests}
+%if %{with ipatests}
 
 %package -n python3-ipatests
 Summary: IPA tests and test tools
@@ -789,11 +830,12 @@ This package contains tests that verify IPA functionality under Python 3.
 # with_ipatests
 %endif
 
-%if 0%{?with_selinux}
+%if %{with selinux}
 # SELinux subpackage
 %package selinux
 Summary:             FreeIPA SELinux policy
 BuildArch:           noarch
+Requires:            %{name}-server = %{version}-%{release}
 Requires:            selinux-policy-%{selinuxtype}
 Requires(post):      selinux-policy-%{selinuxtype}
 %{?selinux_requires}
@@ -805,7 +847,6 @@ Custom SELinux policy module for FreeIPA
 
 
 %prep
-# Fedora spec file only: START
 # Update timestamps on the files touched by a patch, to avoid non-equal
 # .pyc/.pyo files across the multilib peers within a build, where "Level"
 # is the patch prefix option (e.g. -p1)
@@ -817,17 +858,24 @@ UpdateTimestamps() {
   # Locate the affected files:
   for f in $(diffstat $Level -l $PatchFile); do
     # Set the files to have the same timestamp as that of the patch:
-    touch -r $PatchFile $f
+    touch -c -r $PatchFile $f
   done
 }
 
 %setup -n freeipa-%{version} -q
 
+# To allow proper application patches to the stripped po files, strip originals
+pushd po
+for i in *.po ; do
+    msgattrib --translated --no-fuzzy --no-location -s $i > $i.tmp || exit 1
+    mv $i.tmp $i || exit 1
+done
+popd
+
 for p in %patches ; do
     %__patch -p1 -i $p
     UpdateTimestamps -p1 $p
 done
-# Fedora spec file only: END
 
 %build
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
@@ -838,6 +886,7 @@ autoreconf -ivf
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
+           %{with_ipa_join_xml_option} \
            %{linter_options}
 
 # run build in default dir
@@ -858,11 +907,13 @@ make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
 # All files and directories created by spec install should be marked as ghost.
 # (These are typically configuration files created by IPA installer.)
 # All other artifacts should be created by make install.
-#
 
-%{__make} python_install DESTDIR=%{?buildroot} INSTALL="%{__install} -p"
+%make_install
 
-%if 0%{?with_ipatests}
+# don't package ipasphinx for now
+rm -rf %{buildroot}%{python3_sitelib}/ipasphinx*
+
+%if %{with ipatests}
 mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
 mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
 mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
@@ -875,11 +926,6 @@ ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_b
 # with_ipatests
 %endif
 
-# default installation
-# This installs all Python packages twice and overrides the ipa-test
-# commands. We'll fix the command links later with ln --force.
-%make_install
-
 # remove files which are useful only for make uninstall
 find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
 
@@ -948,7 +994,7 @@ fi
 
 %posttrans server
 # don't execute upgrade and restart of IPA when server is not installed
-%{__python3} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
 
 if [  $? -eq 0 ]; then
     # This is necessary for Fedora system upgrades which by default
@@ -1027,7 +1073,7 @@ fi
 
 
 %posttrans server-trust-ad
-%{__python3} -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
+%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
 if [  $? -eq 0 ]; then
 # NOTE: systemd specific section
     /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
@@ -1080,6 +1126,7 @@ if [ $1 -gt 1 ] ; then
         fi
 
         %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
+        %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
         SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
         if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
             sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
@@ -1088,7 +1135,7 @@ if [ $1 -gt 1 ] ; then
 fi
 
 
-%if 0%{?with_selinux}
+%if %{with selinux}
 # SELinux contexts are saved so that only affected files can be
 # relabeled after the policy module installation
 %pre selinux
@@ -1205,6 +1252,7 @@ fi
 %{_sbindir}/ipa-pkinit-manage
 %{_sbindir}/ipa-crlgen-manage
 %{_sbindir}/ipa-cert-fix
+%{_sbindir}/ipa-acme-manage
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
 %dir %{_libexecdir}/ipa
@@ -1272,7 +1320,7 @@ fi
 %{_mandir}/man1/ipa-pkinit-manage.1*
 %{_mandir}/man1/ipa-crlgen-manage.1*
 %{_mandir}/man1/ipa-cert-fix.1*
-
+%{_mandir}/man1/ipa-acme-manage.1*
 
 %files -n python3-ipaserver
 %doc README.md Contributors.txt
@@ -1419,6 +1467,8 @@ fi
 %{_mandir}/man1/ipa-client-automount.1*
 %{_mandir}/man1/ipa-certupdate.1*
 %{_mandir}/man1/ipa-join.1*
+%dir %{_libexecdir}/ipa/acme
+%{_libexecdir}/ipa/acme/certbot-dns-ipa
 
 %files client-samba
 %doc README.md Contributors.txt
@@ -1500,7 +1550,7 @@ fi
 %doc README.md Contributors.txt
 %license COPYING
 %dir %{_usr}/share/ipa
-
+%dir %{_libexecdir}/ipa
 
 %files -n python3-ipalib
 %doc README.md Contributors.txt
@@ -1514,7 +1564,7 @@ fi
 %{python3_sitelib}/ipaplatform-*.egg-info
 
 
-%if 0%{?with_ipatests}
+%if %{with ipatests}
 
 %files -n python3-ipatests
 %doc README.md Contributors.txt
@@ -1537,7 +1587,7 @@ fi
 # with_ipatests
 %endif
 
-%if 0%{?with_selinux}
+%if %{with selinux}
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
 %ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
@@ -1545,6 +1595,10 @@ fi
 %endif
 
 %changelog
+* Wed Nov 18 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.0-0.rc1
+- FreeIPA 4.9.0 release candidate 1
+- Synchronize spec file with upstream and RHEL
+
 * Wed Oct 28 2020 Adam Williamson <awilliam@redhat.com> - 4.8.10-7
 - Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+
 

sources

@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.8.10.tar.gz) = a14608cd2f8b50f1404df4761f1f72f1c250ea54257e8f072f488c1684a5f01dba060c67d17e11ab1237f65e041d9fca0eb4d0b9d1804cedb33a957c9ecfd954
-SHA512 (freeipa-4.8.10.tar.gz.asc) = 7d188fd8ce742e4900c8b359e23406efda955578930d7d800fca96f03b461162bd2799e3915db7968c325c9c24712cfc108064e93dc3d6dd97b77968390e0e04
+SHA512 (freeipa-4.9.0rc1.tar.gz) = 384ac0163f3977311ef523a6ed71ac8ceb33347d44f89763583e97e8e50eed2f9ec94e32f23dc8d9514c8e7e26d03ae859d045e9a1dd17b3f0cdd0fced82d464
+SHA512 (freeipa-4.9.0rc1.tar.gz.asc) = 2be55c28456c07104bb45984d2c6d804730e90172e9288b21ae45dc5542fceddbb621b96c3e3e5e2b613ebfa55c792727adfb43b349d2069d150f42067c91bf2