import ipa-4.9.6-4.module+el8.5.0+11912+1b4496cf

2021-09-07 14:26:15 +00:00 · 2021-09-07 14:26:15 +00:00 · 13629a2c74
commit 13629a2c74
parent 7cb3bafb7e
11 changed files with 736 additions and 32 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/freeipa-4.9.3.tar.gz
+SOURCES/freeipa-4.9.6.tar.gz
--- a/.ipa.metadata
+++ b/.ipa.metadata
@ -1 +1 @@
-8e8da2d8eb9eae8e2d3561a69452e1b7a98455d8 SOURCES/freeipa-4.9.3.tar.gz
+b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
--- a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
+++ b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
@ -0,0 +1,136 @@
 From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
 Date: Tue, 22 Jun 2021 14:36:51 +0200
 Subject: [PATCH] paths: add IPA_SERVER_CONF
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Related: https://pagure.io/freeipa/issue/8891
 Signed-off-by: François Cami <fcami@redhat.com>
 Reviewed-By: Stanislav Levin <slev@altlinux.org>
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 ---
 ipaplatform/base/paths.py | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
 index 91423b332..de217d9ef 100644
 --- a/ipaplatform/base/paths.py
 +++ b/ipaplatform/base/paths.py
@@ -71,6 +71,7 @@ class BasePathNamespace:
     IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
     IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
     IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
 +    IPA_SERVER_CONF = "/etc/ipa/server.conf"
     DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
     DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
     DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
 -- 
 2.31.1
 From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
 Date: Tue, 22 Jun 2021 14:45:49 +0200
 Subject: [PATCH] ipatests: smoke test for server debug mode.
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 Add a smoke test to make sure the server can be set in debug mode
 without issue.
 Related: https://pagure.io/freeipa/issue/8891
 Signed-off-by: François Cami <fcami@redhat.com>
 Reviewed-By: Stanislav Levin <slev@altlinux.org>
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 ---
 .../test_integration/test_installation.py     | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
 diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
 index 301767b8d..0c96536f0 100644
 --- a/ipatests/test_integration/test_installation.py
 +++ b/ipatests/test_integration/test_installation.py
@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
     def test_install_master(self):
         tasks.install_master(self.master, setup_dns=False)
 +    @pytest.mark.skip_if_platform(
 +        "debian", reason="This test hardcodes the httpd service name"
 +    )
 +    def test_smoke_test_for_debug_mode(self):
 +        """Test if an IPA server works in debug mode.
 +        Related: https://pagure.io/freeipa/issue/8891
 +
 +        Note: this test hardcodes the "httpd" service name.
 +        """
 +
 +        target_fname = paths.IPA_SERVER_CONF
 +        assert not self.master.transport.file_exists(target_fname)
 +
 +        # set the IPA server in debug mode
 +        server_conf = "[global]\ndebug=True"
 +        self.master.put_file_contents(target_fname, server_conf)
 +        self.master.run_command(["systemctl", "restart", "httpd"])
 +
 +        # smoke test in debug mode
 +        tasks.kdestroy_all(self.master)
 +        tasks.kinit_admin(self.master)
 +        self.master.run_command(["ipa", "user-show", "admin"])
 +
 +        # rollback
 +        self.master.run_command(["rm", target_fname])
 +        self.master.run_command(["systemctl", "restart", "httpd"])
 +
     def test_schema_compat_attribute_and_tree_disable(self):
         """Test if schema-compat-entry-attribute is set
 -- 
 2.31.1
 From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
 Date: Wed, 23 Jun 2021 06:35:19 +0200
 Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 perf_counter_ns is only available in Python 3.7 and later.
 Define a lambda for 3.6 and lower.
 Fixes: https://pagure.io/freeipa/issue/8891
 Signed-off-by: François Cami <fcami@redhat.com>
 Reviewed-By: Stanislav Levin <slev@altlinux.org>
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 ---
 ipaserver/rpcserver.py | 5 +++++
 1 file changed, 5 insertions(+)
 diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
 index b121316bf..e612528e0 100644
 --- a/ipaserver/rpcserver.py
 +++ b/ipaserver/rpcserver.py
@@ -31,6 +31,7 @@ import os
 import time
 import traceback
 from io import BytesIO
 +from sys import version_info
 from urllib.parse import parse_qs
 from xmlrpc.client import Fault
@@ -72,6 +73,10 @@ from requests.auth import AuthBase
 if six.PY3:
     unicode = str
 +# time.perf_counter_ns appeared in Python 3.7.
 +if version_info < (3, 7):
 +    time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
 +
 logger = logging.getLogger(__name__)
 HTTP_STATUS_SUCCESS = '200 Success'
 -- 
 2.31.1
--- a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
+++ b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
@ -0,0 +1,272 @@
 From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
 From: Antonio Torres <antorres@redhat.com>
 Date: Mon, 8 Mar 2021 18:15:50 +0100
 Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
 services
 Authentication indicators should not be enforced against internal
 IPA services, since not all users of those services are able to produce
 Kerberos tickets with all the auth indicator options. This includes
 host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
 If a client that is being promoted to replica has an auth indicator
 in its host principal then the promotion is aborted.
 Fixes: https://pagure.io/freeipa/issue/8206
 Signed-off-by: Antonio Torres <antorres@redhat.com>
 ---
 ipaserver/install/server/replicainstall.py | 13 ++++++++++++
 ipaserver/plugins/host.py                  |  5 ++++-
 ipaserver/plugins/service.py               | 24 ++++++++++++++++++++++
 3 files changed, 41 insertions(+), 1 deletion(-)
 diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
 index 73967a224..f1fb91036 100644
 --- a/ipaserver/install/server/replicainstall.py
 +++ b/ipaserver/install/server/replicainstall.py
@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
         ))
 +def promotion_check_host_principal_auth_ind(conn, hostdn):
 +    entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
 +    if 'krbprincipalauthind' in entry:
 +        raise RuntimeError(
 +            "Client cannot be promoted to a replica if the host principal "
 +            "has an authentication indicator set."
 +        )
 +
 +
 @common_cleanup
 @preserve_enrollment_state
 def promote_check(installer):
@@ -956,6 +965,10 @@ def promote_check(installer):
                                      config.master_host_name, None)
         promotion_check_ipa_domain(conn, remote_api.env.basedn)
 +        hostdn = DN(('fqdn', api.env.host),
 +                    api.env.container_host,
 +                    api.env.basedn)
 +        promotion_check_host_principal_auth_ind(conn, hostdn)
         # Make sure that domain fulfills minimal domain level
         # requirement
 diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
 index eb1f8ef04..41fa933e2 100644
 --- a/ipaserver/plugins/host.py
 +++ b/ipaserver/plugins/host.py
@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
                                      LDAPAddAttributeViaOption,
                                      LDAPRemoveAttributeViaOption)
 from .service import (
 -    validate_realm, normalize_principal,
 +    validate_realm, validate_auth_indicator, normalize_principal,
     set_certificate_attrs, ticket_flags_params, update_krbticketflags,
     set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
     rename_ipaallowedtoperform_to_ldap, revoke_certs)
@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
         if 'krbticketflags' in entry_attrs:
             entry_attrs['objectclass'].append('krbticketpolicyaux')
 +        validate_auth_indicator(entry_attrs)
 +
         return dn
     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
             if 'krbprincipalaux' not in (item.lower() for item in
                                          entry_attrs['objectclass']):
                 entry_attrs['objectclass'].append('krbprincipalaux')
 +            validate_auth_indicator(entry_attrs)
         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
 diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
 index 1c9347804..cfbbff3c6 100644
 --- a/ipaserver/plugins/service.py
 +++ b/ipaserver/plugins/service.py
@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
         raise errors.RealmMismatch()
 +def validate_auth_indicator(entry):
 +    new_value = entry.get('krbprincipalauthind', None)
 +    if not new_value:
 +        return
 +    # The following services are considered internal IPA services
 +    # and shouldn't be allowed to have auth indicators.
 +    # https://pagure.io/freeipa/issue/8206
 +    pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
 +    principal = kerberos.Principal(pkey)
 +    server = api.Command.server_find(principal.hostname)['result']
 +    if server:
 +        prefixes = ("host", "cifs", "ldap", "HTTP")
 +    else:
 +        prefixes = ("cifs",)
 +    if principal.service_name in prefixes:
 +        raise errors.ValidationError(
 +            name='krbprincipalauthind',
 +            error=_('authentication indicators not allowed '
 +                    'in service "%s"' % principal.service_name)
 +        )
 +
 +
 def normalize_principal(value):
     """
     Ensure that the name in the principal is lower-case. The realm is
@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
                     hostname)
         self.obj.validate_ipakrbauthzdata(entry_attrs)
 +        validate_auth_indicator(entry_attrs)
         if not options.get('force', False):
             # We know the host exists if we've gotten this far but we
@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
         assert isinstance(dn, DN)
         self.obj.validate_ipakrbauthzdata(entry_attrs)
 +        validate_auth_indicator(entry_attrs)
         # verify certificates
         certs = entry_attrs.get('usercertificate') or []
 -- 
 2.31.1
 From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
 From: Antonio Torres <antorres@redhat.com>
 Date: Mon, 8 Mar 2021 18:20:35 +0100
 Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
 IPA services
 Authentication indicators should not be added to internal IPA services,
 since this can lead to a broken IPA setup. In case a client with
 an auth indicator set in its host principal, promoting it to a replica
 should fail.
 Related: https://pagure.io/freeipa/issue/8206
 Signed-off-by: Antonio Torres <antorres@redhat.com>
 ---
 .../test_replica_promotion.py                 | 38 +++++++++++++++++++
 ipatests/test_xmlrpc/test_host_plugin.py      | 10 +++++
 ipatests/test_xmlrpc/test_service_plugin.py   | 21 ++++++++++
 3 files changed, 69 insertions(+)
 diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
 index 0a137dbdc..b9c56f775 100644
 --- a/ipatests/test_integration/test_replica_promotion.py
 +++ b/ipatests/test_integration/test_replica_promotion.py
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
         assert result.returncode == 1
         assert expected_err in result.stderr_text
 +    @replicas_cleanup
 +    def test_install_with_host_auth_ind_set(self):
 +        """ A client shouldn't be able to be promoted if it has
 +        any auth indicator set in the host principal.
 +        https://pagure.io/freeipa/issue/8206
 +        """
 +
 +        client = self.replicas[0]
 +        # Configure firewall first
 +        Firewall(client).enable_services(["freeipa-ldap",
 +                                          "freeipa-ldaps"])
 +
 +        client.run_command(['ipa-client-install', '-U',
 +                            '--domain', self.master.domain.name,
 +                            '--realm', self.master.domain.realm,
 +                            '-p', 'admin',
 +                            '-w', self.master.config.admin_password,
 +                            '--server', self.master.hostname,
 +                            '--force-join'])
 +
 +        tasks.kinit_admin(client)
 +
 +        client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
 +                            client.hostname])
 +
 +        res = client.run_command(['ipa-replica-install', '-U', '-w',
 +                                  self.master.config.dirman_password],
 +                                 raiseonerr=False)
 +
 +        client.run_command(['ipa', 'host-mod', '--auth-ind=',
 +                            client.hostname])
 +
 +        expected_err = ("Client cannot be promoted to a replica if the host "
 +                        "principal has an authentication indicator set.")
 +        assert res.returncode == 1
 +        assert expected_err in res.stderr_text
 +
 +
     @replicas_cleanup
     def test_one_command_installation(self):
         """
 diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
 index c66bbc865..9cfde3565 100644
 --- a/ipatests/test_xmlrpc/test_host_plugin.py
 +++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
                 error=u'An IPA master host cannot be deleted or disabled')):
             command()
 +    def test_try_add_auth_ind_master(self, this_host):
 +        command = this_host.make_update_command({
 +            u'krbprincipalauthind': u'radius'})
 +        with raises_exact(errors.ValidationError(
 +            name='krbprincipalauthind',
 +            error=u'authentication indicators not allowed '
 +                'in service "host"'
 +        )):
 +            command()
 +
 @pytest.mark.tier1
 class TestValidation(XMLRPC_test):
 diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
 index 4c845938c..ed634a045 100644
 --- a/ipatests/test_xmlrpc/test_service_plugin.py
 +++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -25,6 +25,7 @@ from ipalib import api, errors
 from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
 from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
 +from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
 from ipatests.test_xmlrpc import objectclasses
 from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
 from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
@@ -1552,6 +1553,15 @@ def indicators_host(request):
     return tracker.make_fixture(request)
 +@pytest.fixture(scope='function')
 +def this_host(request):
 +    """Fixture for the current master"""
 +    tracker = HostTracker(name=api.env.host.partition('.')[0],
 +                          fqdn=api.env.host)
 +    tracker.exists = True
 +    return tracker
 +
 +
 @pytest.fixture(scope='function')
 def indicators_service(request):
     tracker = ServiceTracker(
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
             expected_updates={u'krbprincipalauthind': [u'radius']}
         )
 +    def test_update_indicator_internal_service(self, this_host):
 +        command = this_host.make_command('service_mod',
 +                                         'ldap/' + this_host.fqdn,
 +                                         **dict(krbprincipalauthind='otp'))
 +        with raises_exact(errors.ValidationError(
 +            name='krbprincipalauthind',
 +            error=u'authentication indicators not allowed '
 +                 'in service "ldap"'
 +        )):
 +            command()
 +
 @pytest.fixture(scope='function')
 def managing_host(request):
 -- 
 2.31.1
--- a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
+++ b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
@ -0,0 +1,89 @@
 From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
 From: Florence Blanc-Renaud <flo@redhat.com>
 Date: Mon, 5 Jul 2021 09:51:41 +0200
 Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
 The command
 ipa stageuser-add --user-auth-type=xxx
 is currently failing because the objectclass ipauserauthtypeclass
 is missing from the created entry.
 There is code adding the missing objectclass in the
 pre_common_callback method of user_add, and this code should
 be common to user_add and stageuser_add. In order to avoid code
 duplication, it makes more sense to move the existing code to
 pre_common_callback of baseuser_add, that is called by both
 classes.
 Fixes: https://pagure.io/freeipa/issue/8909
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 ipaserver/plugins/baseuser.py | 3 +++
 ipaserver/plugins/user.py     | 4 ----
 2 files changed, 3 insertions(+), 4 deletions(-)
 diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
 index ae16a978a..6035228f1 100644
 --- a/ipaserver/plugins/baseuser.py
 +++ b/ipaserver/plugins/baseuser.py
@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
         if entry_attrs.get('ipatokenradiususername', None):
             add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
                                      entry_attrs, update=False)
 +        if entry_attrs.get('ipauserauthtype', None):
 +            add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
 +                                     entry_attrs, update=False)
     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
         assert isinstance(dn, DN)
 diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
 index 6f7facb53..e4ee572b2 100644
 --- a/ipaserver/plugins/user.py
 +++ b/ipaserver/plugins/user.py
@@ -617,10 +617,6 @@ class user_add(baseuser_add):
            'ipauser' not in entry_attrs['objectclass']:
             entry_attrs['objectclass'].append('ipauser')
 -        if 'ipauserauthtype' in entry_attrs and \
 -           'ipauserauthtypeclass' not in entry_attrs['objectclass']:
 -            entry_attrs['objectclass'].append('ipauserauthtypeclass')
 -
         rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
         if rcl:
             if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
 -- 
 2.31.1
 From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
 From: Florence Blanc-Renaud <flo@redhat.com>
 Date: Mon, 5 Jul 2021 10:22:31 +0200
 Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
 Related: https://pagure.io/freeipa/issue/8909
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
 index 5586fc607..bc606b093 100644
 --- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
 +++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
         result = command()
         assert result['count'] == 1
 +    def test_create_withuserauthtype(self, stageduser):
 +        stageduser.ensure_missing()
 +        command = stageduser.make_create_command(
 +            options={u'ipauserauthtype': u'password'})
 +        command()
 +
 @pytest.mark.tier1
 class TestCreateInvalidAttributes(XMLRPC_test):
 -- 
 2.31.1
--- a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
+++ b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
@ -0,0 +1,35 @@
 From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
 From: Florence Blanc-Renaud <flo@redhat.com>
 Date: Wed, 7 Jul 2021 14:11:40 +0200
 Subject: [PATCH] man page: update ipa-server-upgrade.1
 The man page needs to clarify in which case the command needs
 to be run.
 Fixes: https://pagure.io/freeipa/issue/8913
 Reviewed-By: Francois Cami <fcami@redhat.com>
 ---
 install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
 diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
 index 3db19b0f1..f01e21c6b 100644
 --- a/install/tools/man/ipa-server-upgrade.1
 +++ b/install/tools/man/ipa-server-upgrade.1
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
 .SH "SYNOPSIS"
 ipa\-server\-upgrade [options]
 .SH "DESCRIPTION"
 -ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
 +ipa\-server\-upgrade is executed automatically to upgrade IPA server when
 +the IPA packages are being updated. It is not intended to be executed by
 +end\-users, unless the automatic execution reports an error. In this case,
 +the administrator needs to identify and fix the issue that is causing the
 +upgrade failure (with the help of /var/log/ipaupgrade.log)
 +and manually re\-run ipa\-server\-upgrade.
 ipa\-server\-upgrade will:
 -- 
 2.31.1
--- a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
+++ b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
@ -0,0 +1,69 @@
 From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
 From: Rob Crittenden <rcritten@redhat.com>
 Date: Mon, 12 Jul 2021 11:02:10 -0400
 Subject: [PATCH] Fall back to krbprincipalname when validating host auth
 indicators
 When adding a new host the principal cannot be determined because it
 relies on either:
 a) an entry to already exist
 b) krbprincipalname be a component of the dn
 As a result the full dn is being passed into ipapython.Kerberos
 which can't parse it.
 Look into the entry in validate_validate_auth_indicator() for
 krbprincipalname in this case.
 https://pagure.io/freeipa/issue/8206
 Signed-off-by: Rob Crittenden <rcritten@redhat.com>
 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
 ---
 ipaserver/plugins/service.py             |  5 +++++
 ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
 2 files changed, 16 insertions(+)
 diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
 index cfbbff3c6..498f5e444 100644
 --- a/ipaserver/plugins/service.py
 +++ b/ipaserver/plugins/service.py
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
     # and shouldn't be allowed to have auth indicators.
     # https://pagure.io/freeipa/issue/8206
     pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
 +    if pkey == str(entry.dn):
 +        # krbcanonicalname may not be set yet if this is a host entry,
 +        # try krbprincipalname
 +        if 'krbprincipalname' in entry:
 +            pkey = entry['krbprincipalname']
     principal = kerberos.Principal(pkey)
     server = api.Command.server_find(principal.hostname)['result']
     if server:
 diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
 index 9cfde3565..ff50e796c 100644
 --- a/ipatests/test_xmlrpc/test_host_plugin.py
 +++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
         )):
             command()
 +    def test_add_non_master_with_auth_ind(self, host5):
 +        host5.ensure_missing()
 +        command = host5.make_command(
 +            'host_add', host5.fqdn, krbprincipalauthind=['radius'],
 +            force=True
 +        )
 +        result = command()
 +        # The fact that the command succeeds exercises the change but
 +        # let's check the indicator as well.
 +        assert result['result']['krbprincipalauthind'] == ('radius',)
 +
 @pytest.mark.tier1
 class TestValidation(XMLRPC_test):
 -- 
 2.31.1
--- a/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
+++ b/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
@ -0,0 +1,30 @@
 From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
 From: Alexander Bokovoy <abokovoy@redhat.com>
 Date: Fri, 16 Jul 2021 09:20:33 +0300
 Subject: [PATCH] rhel platform: add a named crypto-policy support
 RHEL 8+ provides bind system-wide crypto policy support, enable it.
 Fixes: https://pagure.io/freeipa/issue/8925
 Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
 Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
 Reviewed-By: Anuja More <amore@redhat.com>
 ---
 ipaplatform/rhel/paths.py | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
 index c081ada32..3631550eb 100644
 --- a/ipaplatform/rhel/paths.py
 +++ b/ipaplatform/rhel/paths.py
@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
 class RHELPathNamespace(RedHatPathNamespace):
 +    NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
     if HAS_NFS_CONF:
         SYSCONFIG_NFS = '/etc/nfs.conf'
 -- 
 2.31.1
--- a/SOURCES/freeipa-4.9.3.tar.gz.asc
+++ b/SOURCES/freeipa-4.9.3.tar.gz.asc
@ -1,16 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmBkFSoACgkQRxniuKu/
 Yhpz5Q//cbKbxQe2iIpCOyFnWtlwMGonj9OmeLP+dms8OnWvnpGBlLD0ftu+O9tf
 JoCzURMvjfJGMlEbG7FxW9coz4Fe6caDyZ5KJiM15qie75K5nIF44WgVXhTXx7/0
 2H6Q1MIgE8lxr+h4xcYB04KXPwLUpFGttGHDlbl9205M9dJi+WYNWEbHwCNwbl2w
 uXOFQm+AtAnUBuB0I0KJvgZMhtSV2FAx3NsPFO2DkMKB3KVS6cKEzxm8aBzCeNvP
 ndWvo51QFU0AheMt/Cahl97dzTorW8pqjt1+QBil4KxWCf0KyOI3OeTvKZ1bYtUs
 x32JDQP+UMkZ8y9NypK9TMcht3f8Wi7nvzg3kCuwltMr7spTVsqEP//WejdK5gmh
 dyU3qYPWz41SJargYwb8ehj1DOHBsNXEL57I2zY13oM1dC9T2YAc+OhSCWtMyknD
 vatLZSwVm27k79NADKF56RXUPur/m2UHnnYuk09AyDOIGZRM3Tn/10nRZgjs5eM8
 CLa4+5gn96BrkW1kP8mWPtWQqyv3buzj3xC7otmnjDgaxmXA/30wJ+2qebGTRAhf
 qo2rbwJsSkv0sC8l1luZgzgnvrQpri3qS96zhoeusooTqx6dTwUBGV8ea/sqvk0K
 Qu0q+iQk3CCgCfi/i6pc1UsB59tCy3KEZUc58Q6UUNewfcA3WW8=
 =Wgf7
 -----END PGP SIGNATURE-----
--- a/SOURCES/freeipa-4.9.6.tar.gz.asc
+++ b/SOURCES/freeipa-4.9.6.tar.gz.asc
@ -0,0 +1,16 @@
 -----BEGIN PGP SIGNATURE-----
 iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
 Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
 1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
 qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
 J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
 Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
 liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
 BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
 BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
 u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
 4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
 RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
 =TQFs
 -----END PGP SIGNATURE-----
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@ -2,7 +2,7 @@
 %bcond_without ipatests
 # default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
 # On RHEL 8 we should use --with ipa_join_xml
-%bcond_without ipa_join_xml
+%bcond_with ipa_join_xml
 # Linting is disabled by default, needed for upstream testing
 %bcond_with lint
@ -49,7 +49,7 @@
 # lint is not executed during rpmbuild
 # %%global with_lint 1
 %if %{with lint}
-    %global linter_options --enable-pylint --with-jslint --enable-rpmlint
+    %global linter_options --enable-pylint --without-jslint --enable-rpmlint
 %else
    %global linter_options --disable-pylint --without-jslint --disable-rpmlint
 %endif
@ -109,7 +109,7 @@
 %if 0%{?fedora} < 34
 %global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])}
 %else
-%global ds_version 2.0.3-3
+%global ds_version 2.0.4-1
 %endif
 # Fix for TLS 1.3 PHA, RHBZ#1775146
@ -160,6 +160,16 @@
 %global systemd_version 239
 %endif
 # augeas support for new chrony options
 # see https://pagure.io/freeipa/issue/8676
 # Note: will need to be updated for RHEL9 when a fix is available for
 # https://bugzilla.redhat.com/show_bug.cgi?id=1931787
 %if 0%{?fedora} >= 33
 %global augeas_version 1.12.0-6
 %else
 %global augeas_version 1.12.0-3
 %endif
 %global plugin_dir %{_libdir}/dirsrv/plugins
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
@ -168,7 +178,7 @@
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.3
+%define IPA_VERSION 4.9.6
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@ -181,7 +191,7 @@
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}
+Release:        4%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 License:        GPLv3+
@ -201,12 +211,17 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
 Patch0001:      0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
 Patch0002:      0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
 Patch0003:      0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
 Patch0004:      0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
 Patch0005:      0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
 Patch0006:      0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
 # RHEL spec file only: END
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@ -310,7 +325,10 @@ BuildRequires: python3-m2r
 #
 %if %{with lint}
 BuildRequires:  git
 %if 0%{?fedora} < 34
 # jsl is orphaned in Fedora 34+
 BuildRequires:  jsl
 %endif
 BuildRequires:  nss-tools
 BuildRequires:  rpmlint
 BuildRequires:  softhsm
@ -342,12 +360,8 @@ BuildRequires:  python3-polib
 BuildRequires:  python3-pyasn1
 BuildRequires:  python3-pyasn1-modules
 BuildRequires:  python3-pycodestyle
-%if 0%{?fedora} || 0%{?rhel} > 8
+# .wheelconstraints.in limits pylint version in Azure and tox tests
-# https://bugzilla.redhat.com/show_bug.cgi?id=1648299
+BuildRequires:  python3-pylint
 BuildRequires:  python3-pylint >= 2.1.1-2
 %else
 BuildRequires:  python3-pylint >= 1.7
 %endif
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 BuildRequires:  python3-qrcode-core >= 5.0.0
@ -434,7 +448,12 @@ Requires(pre): certmonger >= %{certmonger_version}
 Requires(pre): 389-ds-base >= %{ds_version}
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 %if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
 # https://pagure.io/freeipa/issue/8632
 Requires: openssl > 1.1.1i
 %else
 Requires: openssl
 %endif
 Requires: softhsm >= 2.0.0rc1-1
 Requires: p11-kit
 Requires: %{etc_systemd_dir}
@ -486,6 +505,7 @@ Requires: %{name}-common = %{version}-%{release}
 # we need pre-requires since earlier versions may break upgrade
 Requires(pre): python3-ldap >= %{python_ldap_version}
 Requires: python3-augeas
 Requires: augeas-libs >= %{augeas_version}
 Requires: python3-custodia >= 0.3.1
 Requires: python3-dbus
 Requires: python3-dns >= 1.15
@ -521,8 +541,8 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: httpd >= %{httpd_version}
 Requires: systemd-units >= %{systemd_version}
 Requires: custodia >= 0.3.1
-%if 0%{?rhel} >= 8
+%if 0%{?rhel} >= 8 && ! 0%{?eln}
-Requires: redhat-logos-ipa >= 80.4
+Requires: system-logos-ipa >= 80.4
 %endif
 Provides: %{alt_name}-server-common = %{version}
@ -576,6 +596,7 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: samba >= %{samba_version}
 Requires: samba-winbind
 Requires: sssd-winbind-idmap
 Requires: libsss_idmap
 %if 0%{?rhel}
 Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
@ -709,6 +730,7 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-augeas
 Requires: augeas-libs >= %{augeas_version}
 Requires: python3-dns >= 1.15
 Requires: python3-jinja2
@ -1680,6 +1702,57 @@ fi
 %changelog
 * Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
 - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
  Resolves: RHBZ#1982956
 * Thu Jul 15 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-3
 - man page: update ipa-server-upgrade.1
  Resolves: RHBZ#1973273
 - Fall back to krbprincipalname when validating host auth indicators
  Resolves: RHBZ#1979625
 - Add dependency for sssd-winbind-idmap to server-trust-ad
  Resolves: RHBZ#1982211
 * Thu Jul  8 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-2
 - IPA server in debug mode fails to run because time.perf_counter_ns is
  Python 3.7+
  Resolves: RHBZ#1974822
 - Add checks to prevent assigning authentication indicators to internal IPA
  services
  Resolves: RHBZ#1979625
 - Unable to set ipaUserAuthType with stageuser-add
  Resolves: RHBZ#1979605
 * Thu Jul  1 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-1
 - Upstream release FreeIPA 4.9.6
  Related: RHBZ#1945038
 - Revise PKINIT upgrade code
  Resolves: RHBZ#1886837
 - ipa-cert-fix man page: add note about certmonger renewal
  Resolves: RHBZ#1780317
 - Certificate Serial Number issue
  Resolves: RHBZ#1919384
 * Mon Jun 14 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.5-1
 - Upstream release FreeIPA 4.9.5
  Related: RHBZ#1945038
 - IPA to allow setting a new range type
  Resolves: RHBZ#1688267
 - ipa-server-install displays debug output when --debug output is not
  specified.
  Resolves: RHBZ#1943151
 - ACME fails to generate a cert on migrated RHEL8.4 server
  Resolves: RHBZ#1934991
 - Switch ipa-client to use the JSON API
  Resolves: RHBZ#1937856
 - IDM - Allow specifying permanent logging settings for BIND
  Resolves: RHBZ#1951511
 - Cache LDAP data within a request
  Resolves: RHBZ#1953656
 - ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
  Resolves: RHBZ#1957768
 * Wed Mar 31 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.3-1
 - Upstream release FreeIPA 4.9.3
  Resolves: RHBZ#1945038
`@ -1 +1 @@`
	`SOURCES/freeipa-4.9.3.tar.gz`	`SOURCES/freeipa-4.9.6.tar.gz`
`@ -1 +1 @@`
	`8e8da2d8eb9eae8e2d3561a69452e1b7a98455d8 SOURCES/freeipa-4.9.3.tar.gz`	`b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz`