From 105d30c14d12a0018518da0cdd08d9150965b6ed Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Thu, 12 Jan 2023 03:29:17 -0500
Subject: [PATCH] import ipa-4.9.10-9.module+el8.7.0+17437+cf46f77f
---
 ...ization-issue-in-Web-UI_rhbz#2133050.patch | 62 +++
 ...al-krb5-conf-on-clients_rhbz#2150246.patch | 473 ++++++++++++++++++
 ...with-older-RHEL-systems_rhbz#2148255.patch | 123 +++++
 SPECS/ipa.spec | 21 +-
 4 files changed, 677 insertions(+), 2 deletions(-)
 create mode 100644 SOURCES/0011-fix-canonicalization-issue-in-Web-UI_rhbz#2133050.patch
 create mode 100644 SOURCES/0012-Defer-creating-the-final-krb5-conf-on-clients_rhbz#2150246.patch
 create mode 100644 SOURCES/0013-Vault-fix-interoperability-issues-with-older-RHEL-systems_rhbz#2148255.patch
diff --git a/SOURCES/0011-fix-canonicalization-issue-in-Web-UI_rhbz#2133050.patch b/SOURCES/0011-fix-canonicalization-issue-in-Web-UI_rhbz#2133050.patch
new file mode 100644
index 0000000..4fa0b23
--- /dev/null
+++ b/SOURCES/0011-fix-canonicalization-issue-in-Web-UI_rhbz#2133050.patch
@@ -0,0 +1,62 @@
+From 109cd579e3b089b7fad4c92bf25594eba1af8a21 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 23 Aug 2022 16:58:07 +0300
+Subject: [PATCH] fix canonicalization issue in Web UI
+
+When Kerberos principal alias is used to login to a Web UI, we end up
+with a request that is authenticated by a ticket issued in the alias
+name but metadata processed for the canonical user name. This confuses
+RPC layer of Web UI code and causes infinite loop to reload the page.
+
+Fix it by doing two things:
+
+ - force use of canonicalization of an enterprise principal on server
+ side, not just specifying that the principal is an enterprise one;
+
+ - recognize that a principal in the whoami()-returned object can have
+ aliases and the principal returned by the server in the JSON response
+ may be one of those aliases.
+
+Fixes: https://pagure.io/freeipa/issue/9226
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Armando Neto
+---
+ install/ui/src/freeipa/ipa.js | 8 +++++++-
+ ipaserver/rpcserver.py | 1 +
+ 2 files changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
+index 758db1b00..a08d632e9 100644
+--- a/install/ui/src/freeipa/ipa.js
++++ b/install/ui/src/freeipa/ipa.js
+@@ -271,7 +271,13 @@ var IPA = function () {
+ var cn = that.whoami.data.krbcanonicalname;
+ if (cn) that.principal = cn[0];
+ if (!that.principal) {
+- that.principal = that.whoami.data.krbprincipalname[0];
++ var principal = data.principal;
++ var idx = that.whoami.data.krbprincipalname.indexOf(principal);
++ if (idx > -1) {
++ that.principal = principal;
++ } else {
++ that.principal = that.whoami.data.krbprincipalname[0];
++ }
+ }
+ } else if (entity === 'idoverrideuser') {
+ that.principal = that.whoami.data.ipaoriginaluid[0];
+diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
+index 1f85e9898..4e8a08b66 100644
+--- a/ipaserver/rpcserver.py
++++ b/ipaserver/rpcserver.py
+@@ -1109,6 +1109,7 @@ class login_password(Backend, KerberosSession):
+ ccache_name,
+ armor_ccache_name=armor_path,
+ enterprise=True,
++ canonicalize=True,
+ lifetime=self.api.env.kinit_lifetime)
+
+ if armor_path:
+--
+2.37.3
+
diff --git a/SOURCES/0012-Defer-creating-the-final-krb5-conf-on-clients_rhbz#2150246.patch b/SOURCES/0012-Defer-creating-the-final-krb5-conf-on-clients_rhbz#2150246.patch
new file mode 100644
index 0000000..30114a5
--- /dev/null
+++ b/SOURCES/0012-Defer-creating-the-final-krb5-conf-on-clients_rhbz#2150246.patch
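Review bot: The alias check added to ipa.js accepts `data.principal` whenever it appears anywhere in `whoami.data.krbprincipalname`, but nothing in the hunk says why an alias is trusted here, and the surrounding whoami handler starts and ends outside the hunk, so where `data` comes from is not visible. A one-line comment above `var principal = data.principal;` would save the next reader a trip to the commit message, e.g. `// With enterprise-principal login the ticket (and data.principal) may carry an alias; accept it only if whoami lists it among this user's krbprincipalname values.` The `indexOf(...) > -1` test reads more directly as `!== -1`, and the hunk does not show whether `krbprincipalname` can be absent from the whoami data, though the pre-existing `[0]` index on it suggests it is always present. The matching `canonicalize=True` added in rpcserver.py's `login_password` is what makes the server issue the ticket under the canonical name; a short comment there tying it to the Web UI alias handling would be worth adding too.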
@@ -0,0 +1,473 @@ +From 69413325158a3ea06d1491acd77ee6e0955ee89a Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Sep 26 2022 11:48:47 +0000 +Subject: Defer creating the final krb5.conf on clients + + +A temporary krb5.conf is created early during client enrollment +and was previously used only during the initial ipa-join call. +The final krb5.conf was written soon afterward. + +If there are multiple servers it is possible that the client +may then choose a different KDC to connect. If the client +is faster than replication then the client may not exist +on all servers and therefore enrollment will fail. + +This was seen in performance testing of how many simultaneous +client enrollments are possible. + +Use a decorator to wrap the _install() method to ensure the +temporary files created during installation are cleaned up. + +https://pagure.io/freeipa/issue/9228 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py +index 920c517..93bc740 100644 +--- a/ipaclient/install/client.py ++++ b/ipaclient/install/client.py +@@ -101,6 +101,37 @@ cli_basedn = None + # end of global variables + + ++def cleanup(func): ++ def inner(options, tdict): ++ # Add some additional options which contain the temporary files ++ # needed during installation. ++ fd, krb_name = tempfile.mkstemp() ++ os.close(fd) ++ ccache_dir = tempfile.mkdtemp(prefix='krbcc') ++ ++ tdict['krb_name'] = krb_name ++ tdict['ccache_dir'] = ccache_dir ++ ++ func(options, tdict) ++ ++ os.environ.pop('KRB5_CONFIG', None) ++ ++ try: ++ os.remove(krb_name) ++ except OSError: ++ logger.error("Could not remove %s", krb_name) ++ try: ++ os.rmdir(ccache_dir) ++ except OSError: ++ pass ++ try: ++ os.remove(krb_name + ".ipabkp") ++ except OSError: ++ logger.error("Could not remove %s.ipabkp", krb_name) ++ ++ return inner ++ ++ + def remove_file(filename): + """ + Deletes a file. 
If the file does not exist (OSError 2) does nothing. +@@ -2652,7 +2683,7 @@ def restore_time_sync(statestore, fstore): + + def install(options): + try: +- _install(options) ++ _install(options, dict()) + except ScriptError as e: + if e.rval == CLIENT_INSTALL_ERROR: + if options.force: +@@ -2679,7 +2710,8 @@ def install(options): + pass + + +-def _install(options): ++@cleanup ++def _install(options, tdict): + env = {'PATH': SECURE_PATH} + + fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) +@@ -2687,6 +2719,9 @@ def _install(options): + + statestore.backup_state('installation', 'complete', False) + ++ krb_name = tdict['krb_name'] ++ ccache_dir = tdict['ccache_dir'] ++ + if not options.on_master: + # Try removing old principals from the keytab + purge_host_keytab(cli_realm) +@@ -2719,182 +2754,162 @@ def _install(options): + host_principal = 'host/%s@%s' % (hostname, cli_realm) + if not options.on_master: + nolog = tuple() +- # First test out the kerberos configuration +- fd, krb_name = tempfile.mkstemp() +- os.close(fd) +- ccache_dir = tempfile.mkdtemp(prefix='krbcc') +- try: +- configure_krb5_conf( +- cli_realm=cli_realm, +- cli_domain=cli_domain, +- cli_server=cli_server, +- cli_kdc=cli_kdc, +- dnsok=False, +- filename=krb_name, +- client_domain=client_domain, +- client_hostname=hostname, +- configure_sssd=options.sssd, +- force=options.force) +- env['KRB5_CONFIG'] = krb_name +- ccache_name = os.path.join(ccache_dir, 'ccache') +- join_args = [ +- paths.SBIN_IPA_JOIN, +- "-s", cli_server[0], +- "-b", str(realm_to_suffix(cli_realm)), +- "-h", hostname, +- "-k", paths.KRB5_KEYTAB +- ] +- if options.debug: +- join_args.append("-d") +- env['XMLRPC_TRACE_CURL'] = 'yes' +- if options.force_join: +- join_args.append("-f") +- if options.principal is not None: +- stdin = None +- principal = options.principal +- if principal.find('@') == -1: +- principal = '%s@%s' % (principal, cli_realm) +- if options.password is not None: +- stdin = options.password ++ 
configure_krb5_conf( ++ cli_realm=cli_realm, ++ cli_domain=cli_domain, ++ cli_server=cli_server, ++ cli_kdc=cli_kdc, ++ dnsok=False, ++ filename=krb_name, ++ client_domain=client_domain, ++ client_hostname=hostname, ++ configure_sssd=options.sssd, ++ force=options.force) ++ env['KRB5_CONFIG'] = krb_name ++ ccache_name = os.path.join(ccache_dir, 'ccache') ++ join_args = [ ++ paths.SBIN_IPA_JOIN, ++ "-s", cli_server[0], ++ "-b", str(realm_to_suffix(cli_realm)), ++ "-h", hostname, ++ "-k", paths.KRB5_KEYTAB ++ ] ++ if options.debug: ++ join_args.append("-d") ++ env['XMLRPC_TRACE_CURL'] = 'yes' ++ if options.force_join: ++ join_args.append("-f") ++ if options.principal is not None: ++ stdin = None ++ principal = options.principal ++ if principal.find('@') == -1: ++ principal = '%s@%s' % (principal, cli_realm) ++ if options.password is not None: ++ stdin = options.password ++ else: ++ if not options.unattended: ++ try: ++ stdin = getpass.getpass( ++ "Password for %s: " % principal) ++ except EOFError: ++ stdin = None ++ if not stdin: ++ raise ScriptError( ++ "Password must be provided for {}.".format( ++ principal), ++ rval=CLIENT_INSTALL_ERROR) + else: +- if not options.unattended: +- try: +- stdin = getpass.getpass( +- "Password for %s: " % principal) +- except EOFError: +- stdin = None +- if not stdin: +- raise ScriptError( +- "Password must be provided for {}.".format( +- principal), +- rval=CLIENT_INSTALL_ERROR) ++ if sys.stdin.isatty(): ++ logger.error( ++ "Password must be provided in " ++ "non-interactive mode.") ++ logger.info( ++ "This can be done via " ++ "echo password | ipa-client-install ... " ++ "or with the -w option.") ++ raise ScriptError(rval=CLIENT_INSTALL_ERROR) + else: +- if sys.stdin.isatty(): +- logger.error( +- "Password must be provided in " +- "non-interactive mode.") +- logger.info( +- "This can be done via " +- "echo password | ipa-client-install ... 
" +- "or with the -w option.") +- raise ScriptError(rval=CLIENT_INSTALL_ERROR) +- else: +- stdin = sys.stdin.readline() ++ stdin = sys.stdin.readline() + ++ try: ++ kinit_password(principal, stdin, ccache_name, ++ config=krb_name) ++ except RuntimeError as e: ++ print_port_conf_info() ++ raise ScriptError( ++ "Kerberos authentication failed: {}".format(e), ++ rval=CLIENT_INSTALL_ERROR) ++ elif options.keytab: ++ join_args.append("-f") ++ if os.path.exists(options.keytab): + try: +- kinit_password(principal, stdin, ccache_name, +- config=krb_name) +- except RuntimeError as e: ++ kinit_keytab(host_principal, ++ options.keytab, ++ ccache_name, ++ config=krb_name, ++ attempts=options.kinit_attempts) ++ except gssapi.exceptions.GSSError as e: + print_port_conf_info() + raise ScriptError( + "Kerberos authentication failed: {}".format(e), + rval=CLIENT_INSTALL_ERROR) +- elif options.keytab: +- join_args.append("-f") +- if os.path.exists(options.keytab): +- try: +- kinit_keytab(host_principal, +- options.keytab, +- ccache_name, +- config=krb_name, +- attempts=options.kinit_attempts) +- except gssapi.exceptions.GSSError as e: +- print_port_conf_info() +- raise ScriptError( +- "Kerberos authentication failed: {}".format(e), +- rval=CLIENT_INSTALL_ERROR) +- else: +- raise ScriptError( +- "Keytab file could not be found: {}".format( +- options.keytab), +- rval=CLIENT_INSTALL_ERROR) +- elif options.password: +- nolog = (options.password,) +- join_args.append("-w") +- join_args.append(options.password) +- elif options.prompt_password: +- if options.unattended: +- raise ScriptError( +- "Password must be provided in non-interactive mode", +- rval=CLIENT_INSTALL_ERROR) +- try: +- password = getpass.getpass("Password: ") +- except EOFError: +- password = None +- if not password: +- raise ScriptError( +- "Password must be provided.", +- rval=CLIENT_INSTALL_ERROR) +- join_args.append("-w") +- join_args.append(password) +- nolog = (password,) +- +- env['KRB5CCNAME'] = 
os.environ['KRB5CCNAME'] = ccache_name +- # Get the CA certificate ++ else: ++ raise ScriptError( ++ "Keytab file could not be found: {}".format( ++ options.keytab), ++ rval=CLIENT_INSTALL_ERROR) ++ elif options.password: ++ nolog = (options.password,) ++ join_args.append("-w") ++ join_args.append(options.password) ++ elif options.prompt_password: ++ if options.unattended: ++ raise ScriptError( ++ "Password must be provided in non-interactive mode", ++ rval=CLIENT_INSTALL_ERROR) + try: +- os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG'] +- get_ca_certs(fstore, options, cli_server[0], cli_basedn, +- cli_realm) +- del os.environ['KRB5_CONFIG'] +- except errors.FileError as e: +- logger.error('%s', e) +- raise ScriptError(rval=CLIENT_INSTALL_ERROR) +- except Exception as e: +- logger.error("Cannot obtain CA certificate\n%s", e) +- raise ScriptError(rval=CLIENT_INSTALL_ERROR) +- +- # Now join the domain +- result = run( +- join_args, raiseonerr=False, env=env, nolog=nolog, +- capture_error=True) +- stderr = result.error_output ++ password = getpass.getpass("Password: ") ++ except EOFError: ++ password = None ++ if not password: ++ raise ScriptError( ++ "Password must be provided.", ++ rval=CLIENT_INSTALL_ERROR) ++ join_args.append("-w") ++ join_args.append(password) ++ nolog = (password,) + +- if result.returncode != 0: +- logger.error("Joining realm failed: %s", stderr) +- if not options.force: +- if result.returncode == 13: +- logger.info( +- "Use --force-join option to override the host " +- "entry on the server and force client enrollment.") +- raise ScriptError(rval=CLIENT_INSTALL_ERROR) +- logger.info( +- "Use ipa-getkeytab to obtain a host " +- "principal for this server.") +- else: +- logger.info("Enrolled in IPA realm %s", cli_realm) ++ env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name ++ # Get the CA certificate ++ try: ++ os.environ['KRB5_CONFIG'] = env['KRB5_CONFIG'] ++ get_ca_certs(fstore, options, cli_server[0], cli_basedn, ++ cli_realm) ++ except 
errors.FileError as e: ++ logger.error('%s', e) ++ raise ScriptError(rval=CLIENT_INSTALL_ERROR) ++ except Exception as e: ++ logger.error("Cannot obtain CA certificate\n%s", e) ++ raise ScriptError(rval=CLIENT_INSTALL_ERROR) + +- if options.principal is not None: +- run([paths.KDESTROY], raiseonerr=False, env=env) ++ # Now join the domain ++ result = run( ++ join_args, raiseonerr=False, env=env, nolog=nolog, ++ capture_error=True) ++ stderr = result.error_output + +- # Obtain the TGT. We do it with the temporary krb5.conf, so that +- # only the KDC we're installing under is contacted. +- # Other KDCs might not have replicated the principal yet. +- # Once we have the TGT, it's usable on any server. +- try: +- kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE, +- config=krb_name, +- attempts=options.kinit_attempts) +- env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE +- except gssapi.exceptions.GSSError as e: +- print_port_conf_info() +- logger.error("Failed to obtain host TGT: %s", e) +- # failure to get ticket makes it impossible to login and bind +- # from sssd to LDAP, abort installation and rollback changes ++ if result.returncode != 0: ++ logger.error("Joining realm failed: %s", stderr) ++ if not options.force: ++ if result.returncode == 13: ++ logger.info( ++ "Use --force-join option to override the host " ++ "entry on the server and force client enrollment.") + raise ScriptError(rval=CLIENT_INSTALL_ERROR) ++ logger.info( ++ "Use ipa-getkeytab to obtain a host " ++ "principal for this server.") ++ else: ++ logger.info("Enrolled in IPA realm %s", cli_realm) + +- finally: +- try: +- os.remove(krb_name) +- except OSError: +- logger.error("Could not remove %s", krb_name) +- try: +- os.rmdir(ccache_dir) +- except OSError: +- pass +- try: +- os.remove(krb_name + ".ipabkp") +- except OSError: +- logger.error("Could not remove %s.ipabkp", krb_name) ++ if options.principal is not None: ++ run([paths.KDESTROY], raiseonerr=False, env=env) ++ ++ # 
Obtain the TGT. We do it with the temporary krb5.conf, so that ++ # only the KDC we're installing under is contacted. ++ # Other KDCs might not have replicated the principal yet. ++ # Once we have the TGT, it's usable on any server. ++ try: ++ kinit_keytab(host_principal, paths.KRB5_KEYTAB, CCACHE_FILE, ++ config=krb_name, ++ attempts=options.kinit_attempts) ++ env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = CCACHE_FILE ++ except gssapi.exceptions.GSSError as e: ++ print_port_conf_info() ++ logger.error("Failed to obtain host TGT: %s", e) ++ # failure to get ticket makes it impossible to login and bind ++ # from sssd to LDAP, abort installation and rollback changes ++ raise ScriptError(rval=CLIENT_INSTALL_ERROR) + + # Configure ipa.conf + if not options.on_master: +@@ -2931,23 +2946,6 @@ def _install(options): + except gssapi.exceptions.GSSError as e: + logger.error("Failed to obtain host TGT: %s", e) + raise ScriptError(rval=CLIENT_INSTALL_ERROR) +- else: +- # Configure krb5.conf +- fstore.backup_file(paths.KRB5_CONF) +- configure_krb5_conf( +- cli_realm=cli_realm, +- cli_domain=cli_domain, +- cli_server=cli_server, +- cli_kdc=cli_kdc, +- dnsok=dnsok, +- filename=paths.KRB5_CONF, +- client_domain=client_domain, +- client_hostname=hostname, +- configure_sssd=options.sssd, +- force=options.force) +- +- logger.info( +- "Configured /etc/krb5.conf for IPA realm %s", cli_realm) + + # Clear out any current session keyring information + try: +@@ -3274,6 +3272,23 @@ def _install(options): + configure_nisdomain( + options=options, domain=cli_domain, statestore=statestore) + ++ # Configure the final krb5.conf ++ if not options.on_master: ++ fstore.backup_file(paths.KRB5_CONF) ++ configure_krb5_conf( ++ cli_realm=cli_realm, ++ cli_domain=cli_domain, ++ cli_server=cli_server, ++ cli_kdc=cli_kdc, ++ dnsok=dnsok, ++ filename=paths.KRB5_CONF, ++ client_domain=client_domain, ++ client_hostname=hostname, ++ configure_sssd=options.sssd, ++ force=options.force) ++ ++ 
logger.info("Configured /etc/krb5.conf for IPA realm %s", cli_realm) ++ + statestore.delete_state('installation', 'complete') + statestore.backup_state('installation', 'complete', True) + logger.info('Client configuration complete.') + diff --git a/SOURCES/0013-Vault-fix-interoperability-issues-with-older-RHEL-systems_rhbz#2148255.patch b/SOURCES/0013-Vault-fix-interoperability-issues-with-older-RHEL-systems_rhbz#2148255.patch new file mode 100644 index 0000000..f8c55fe --- /dev/null +++ b/SOURCES/0013-Vault-fix-interoperability-issues-with-older-RHEL-systems_rhbz#2148255.patch 
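Review bot: In the new `cleanup` decorator, `func(options, tdict)` is called outside any `try`, so when `_install` raises `ScriptError` (which `install()` catches a few lines above) the `os.environ.pop('KRB5_CONFIG', None)` and the removal of `krb_name`, `ccache_dir` and `krb_name + ".ipabkp"` are skipped, whereas the removed code ran them from a `finally:`. A failed enrollment thus leaves the temporary krb5.conf and the credential-cache directory used for the join on disk, and the hunk also drops the `del os.environ['KRB5_CONFIG']` that used to follow `get_ca_certs()`, so `KRB5_CONFIG` keeps pointing at that file for whatever `install()` does on the error path. Wrapping the call in `try/finally` restores the old guarantee; `functools.wraps(func)` on `inner` would additionally preserve `_install`'s name in tracebacks if `functools` is in scope. Separately, `os.rmdir(ccache_dir)` only succeeds on an empty directory and the hunk does not show the `ccache` file inside it being removed on every path, so it is worth confirming that cleanup actually empties it rather than silently hitting the `except OSError: pass`. `_install` continues beyond the hunk.
```python
def cleanup(func):
    def inner(options, tdict):
        # … unchanged: mkstemp()/mkdtemp() and storing krb_name/ccache_dir in tdict …
        try:
            func(options, tdict)
        finally:
            # Runs on ScriptError as well, so a failed join does not leave the
            # temporary krb5.conf, its .ipabkp or the ccache directory behind.
            os.environ.pop('KRB5_CONFIG', None)
            # … unchanged: os.remove(krb_name), os.rmdir(ccache_dir),
            # os.remove(krb_name + ".ipabkp") with their OSError handling …
    return inner
```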
@@ -0,0 +1,123 @@
+From c643e56e4c45b7cb61aa53989657143627c23e04 Mon Sep 17 00:00:00 2001
+From: Francisco Trivino
+Date: Nov 22 2022 06:56:00 +0000
+Subject: Vault: fix interoperability issues with older RHEL systems
+
+
+AES-128-CBC was recently enabled as default wrapping algorithm for transport of secrets.
+This change was done in favor of FIPS as crypto-policies disabled 3DES in RHEL9, but
+setting AES as default ended-up breaking backwards compatibility with older RHEL systems.
+
+This commit is tuning some defaults so that interoperability with older RHEL systems
+works again. The new logic reflects:
+
+- when an old client is calling a new server, it doesn't send any value for wrapping_algo
+ and the old value is used (3DES), so that the client can decrypt using 3DES.
+
+- when a new client is calling a new server, it sends wrapping_algo = AES128_CBC
+
+- when a new client is calling an old server, it doesn't send any value and the default is
+ to use 3DES.
+
+Finally, as this logic is able to handle overlapping wrapping algorithm between server and
+client, the Option "--wrapping-algo" is hidden from "ipa vault-archive --help" and "ipa
+vault-retrieve --help" commands.
+
+Fixes: https://pagure.io/freeipa/issue/9259
+Signed-off-by: Francisco Trivino
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+
+---
+
+diff --git a/API.txt b/API.txt
+index 9892211..2bd1cc2 100644
+--- a/API.txt
++++ b/API.txt
+@@ -6666,7 +6666,7 @@ option: Flag('shared?', autofill=True, default=False)
+ option: Str('username?', cli_name='user')
+ option: Bytes('vault_data')
+ option: Str('version?')
+-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
++option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+ output: Entry('result')
+ output: Output('summary', type=[, ])
+ output: PrimaryKey('value')
+@@ -6766,7 +6766,7 @@ option: Bytes('session_key')
+ option: Flag('shared?', autofill=True, default=False)
+ option: Str('username?', cli_name='user')
+ option: Str('version?')
+-option: StrEnum('wrapping_algo?', autofill=True, default=u'aes-128-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
++option: StrEnum('wrapping_algo?', autofill=True, default=u'des-ede3-cbc', values=[u'aes-128-cbc', u'des-ede3-cbc'])
+ output: Entry('result')
+ output: Output('summary', type=[, ])
+ output: PrimaryKey('value')
+diff --git a/VERSION.m4 b/VERSION.m4
+index 7d60b01..b4b1774 100644
+--- a/VERSION.m4
++++ b/VERSION.m4
+@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
+ # #
+ ########################################################
+ define(IPA_API_VERSION_MAJOR, 2)
+-# Last change: add graceperiodlimit
+-define(IPA_API_VERSION_MINOR, 248)
++# Last change: fix vault interoperability issues.
++define(IPA_API_VERSION_MINOR, 251) + + ######################################################## + # Following values are auto-generated from values above +diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py +index 115171c..d4c84eb 100644 +--- a/ipaclient/plugins/vault.py ++++ b/ipaclient/plugins/vault.py +@@ -687,7 +687,7 @@ class ModVaultData(Local): + default_algo = config.get('wrapping_default_algorithm') + if default_algo is None: + # old server +- wrapping_algo = constants.VAULT_WRAPPING_AES128_CBC ++ wrapping_algo = constants.VAULT_WRAPPING_3DES + elif default_algo in constants.VAULT_WRAPPING_SUPPORTED_ALGOS: + # try to use server default + wrapping_algo = default_algo +@@ -801,7 +801,8 @@ class vault_archive(ModVaultData): + if option.name not in ('nonce', + 'session_key', + 'vault_data', +- 'version'): ++ 'version', ++ 'wrapping_algo'): + yield option + for option in super(vault_archive, self).get_options(): + yield option +@@ -1053,7 +1054,7 @@ class vault_retrieve(ModVaultData): + + def get_options(self): + for option in self.api.Command.vault_retrieve_internal.options(): +- if option.name not in ('session_key', 'version'): ++ if option.name not in ('session_key', 'version', 'wrapping_algo'): + yield option + for option in super(vault_retrieve, self).get_options(): + yield option +diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py +index 4d40f66..574c83a 100644 +--- a/ipaserver/plugins/vault.py ++++ b/ipaserver/plugins/vault.py +@@ -1051,7 +1051,7 @@ class vault_archive_internal(PKQuery): + 'wrapping_algo?', + doc=_('Key wrapping algorithm'), + values=VAULT_WRAPPING_SUPPORTED_ALGOS, +- default=VAULT_WRAPPING_DEFAULT_ALGO, ++ default=VAULT_WRAPPING_3DES, + autofill=True, + ), + ) +@@ -1130,7 +1130,7 @@ class vault_retrieve_internal(PKQuery): + 'wrapping_algo?', + doc=_('Key wrapping algorithm'), + values=VAULT_WRAPPING_SUPPORTED_ALGOS, +- default=VAULT_WRAPPING_DEFAULT_ALGO, ++ default=VAULT_WRAPPING_3DES, + 
autofill=True, + ), + ) diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 924263b..83173c6 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -191,7 +191,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 6%{?rc_version:.%rc_version}%{?dist} +Release: 9%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -221,6 +221,9 @@ Patch0007: 0007-webui-Allow-grace-login-limit_rhbz#2109243.patch Patch0008: 0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch Patch0009: 0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch Patch0010: 0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch +Patch0011: 0011-fix-canonicalization-issue-in-Web-UI_rhbz#2133050.patch +Patch0012: 0012-Defer-creating-the-final-krb5-conf-on-clients_rhbz#2150246.patch +Patch0013: 0013-Vault-fix-interoperability-issues-with-older-RHEL-systems_rhbz#2148255.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch %endif 
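Review bot: The server-side defaults in `vault_archive_internal` and `vault_retrieve_internal` now read `default=VAULT_WRAPPING_3DES` while `VAULT_WRAPPING_DEFAULT_ALGO` is left in place (and presumably still names AES-128-CBC), so a reader will assume the two agree; a comment on each changed line would prevent that, e.g. `# 3DES only for clients that send no wrapping_algo (no wrapping_default_algorithm support); newer clients request AES-128-CBC explicitly`. On the client side, the `default_algo is None` branch in `ModVaultData` now falls back to 3DES against an old server, and the commit message itself notes that crypto-policies disable 3DES on RHEL 9, so that path can be expected to fail on such a client; a comment stating that this is a deliberate compatibility fallback which the local crypto policy may reject would help whoever hits the error. Dropping `wrapping_algo` from both `get_options()` generators also removes the operator's way to request AES against a server that still defaults to 3DES, which is a trade-off worth recording next to the change. The bodies of `ModVaultData` and both internal commands continue outside the hunk.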
@@ -1718,11 +1721,25 @@ fi
 %if %{with selinux}
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
-%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 # with selinux
 %endif
 %changelog
+* Mon Dec 5 2022 Rafael Jeffman - 4.9.10-9
+- Exclude installed policy module file from RPM verification
+ Resolves: RHBZ#2150243
+
+* Fri Dec 2 2022 Rafael Jeffman - 4.9.10-8
+- Defer creating the final krb5.conf on clients
+ Resolves: RHBZ#2150246
+- Vault: fix interoperability issues with older RHEL systems
+ Resolves: RHBZ#2148255
+
+* Thu Oct 13 2022 Rafael Jeffman - 4.9.10-7
+- Fix canonicalization issue in Web UI
+ Resolves: RHBZ#2133050
+
 * Mon Aug 22 2022 Rafael Jeffman - 4.9.10-6
 - webui: Allow grace login limit
 Resolves: RHBZ#2109243
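Review bot: The `%verify(not md5 size mode mtime)` added to the `%ghost` policy-module entry means `rpm -V` will no longer report content, size, mode or mtime differences for the active SELinux module under `%{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}`, and the spec gives no hint why that is acceptable. A comment above the line would record the rationale, e.g. `# The active module store is presumably rewritten by the SELinux tooling rather than by rpm, so its content cannot be verified against the package (RHBZ#2150243)`. Anyone relying on `rpm -V` to notice changes to the installed policy should know that the shipped `%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*` file remains verifiable while the active copy does not.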