diff --git a/0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch b/0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch
new file mode 100644
index 0000000..61926ae
--- /dev/null
+++ b/0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch
@@ -0,0 +1,42 @@
+From 3b2f3d41e4de0bcb78bfaecb32e06cbd22b809c2 Mon Sep 17 00:00:00 2001
+From: Masahiro Matsuya
+Date: Tue, 9 Jan 2024 23:12:11 +0900
+Subject: [PATCH] ipatests: wait for replica update in test_dns_locations
+
+test_ipa_ca_records and test_adtrust_system_records can fail with
+NXDOMAIN, because it doesn't wait enough for the update on replica.
+It can be resolved by waiting for the update with wait_for_replication.
+
+Fixes: https://pagure.io/freeipa/issue/9504
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipatests/test_integration/test_dns_locations.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipatests/test_integration/test_dns_locations.py b/ipatests/test_integration/test_dns_locations.py
+index 44900af8015ff62728f64bc626eedfcead41e214..89a310892954cbee88d1cf38683e80a2e47122ef 100644
+--- a/ipatests/test_integration/test_dns_locations.py
++++ b/ipatests/test_integration/test_dns_locations.py
+@@ -534,6 +534,9 @@ class TestDNSLocations(IntegrationTest):
+
+ expected_servers = (self.master.ip, self.replicas[1].ip)
+
++ ldap = self.master.ldap_connect()
++ tasks.wait_for_replication(ldap)
++
+ for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip):
+ self._test_A_rec_against_server(ip, self.domain, expected_servers)
+
+@@ -557,6 +560,9 @@ class TestDNSLocations(IntegrationTest):
+ (self.PRIO_HIGH, self.WEIGHT, DNSName(self.master.hostname)),
+ )
+
++ ldap = self.master.ldap_connect()
++ tasks.wait_for_replication(ldap)
++
+ for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip):
+ self._test_SRV_rec_against_server(
+ ip, self.domain, expected_servers,
+--
+2.43.0
+
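Review bot: The two added blocks in test_ipa_ca_records and test_adtrust_system_records are identical, and each opens a fresh Directory Manager connection via `self.master.ldap_connect()` that is used for nothing but the wait and never reused; a small class helper keeps that in one place, e.g. `def _wait_for_master_replication(self):` / `tasks.wait_for_replication(self.master.ldap_connect())`. The wait is taken from the master's side, which presumably covers its agreements with both replicas queried afterwards; if the records under test are written on a replica instead, the writer's connection would be the right one to wait on — worth confirming. Both enclosing test methods begin outside the hunk.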
diff --git a/0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch b/0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch
new file mode 100644
index 0000000..2d463e6
--- /dev/null
+++ b/0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch
@@ -0,0 +1,69 @@ +From 5dbb3101cee7a96ec8eef40be8e802d456c0d06c Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 22 Jan 2024 08:36:27 -0500 +Subject: [PATCH] Server affinity: call ca.install() if there is a CA in the + topology + +This should not have been gated on options.setup_ca because we need +the RA agent on all servers if there is a CA in the topology otherwise +the non-CA servers won't be able to communicate with the CA. + +Fixes: https://pagure.io/freeipa/issue/9510 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/ca.py | 7 ++++--- + ipaserver/install/server/replicainstall.py | 7 +++++-- + 2 files changed, 9 insertions(+), 5 deletions(-) + +diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py +index c93ae1fce4c8848d493677eafee7952740e51631..187f8032b6190799027135d5d3932dbdee4dea8a 100644 +--- a/ipaserver/install/ca.py ++++ b/ipaserver/install/ca.py +@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia): + promote = False + else: + cafile = os.path.join(replica_config.dir, 'cacert.p12') +- custodia.get_ca_keys( +- cafile, +- replica_config.dirman_password) ++ if replica_config.setup_ca: ++ custodia.get_ca_keys( ++ cafile, ++ replica_config.dirman_password) + + ca_signing_algorithm = None + ca_type = None +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 191913ddb973b94bcd8ad920570edcee27349ffd..b3fd27e6a15db298f9a97d514d24662c83141013 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -1382,11 +1382,13 @@ def install(installer): + custodia = custodiainstance.get_custodia_instance(config, mode) + custodia.create_instance() + +- if options.setup_ca and ca_enabled: ++ if ca_enabled: + options.realm_name = config.realm_name + options.domain_name = config.domain_name + options.host_name = config.host_name + options.dm_password = 
config.dirman_password ++ # Always call ca.install() if there is a CA in the topology ++ # to ensure the RA agent is present. + ca.install(False, config, options, custodia=custodia) + + # configure PKINIT now that all required services are in place +@@ -1398,7 +1400,8 @@ def install(installer): + service.print_msg("Finalize replication settings") + ds.finalize_replica_config() + +- if options.setup_kra and kra_enabled: ++ if kra_enabled: ++ # The KRA installer checks for itself the status of setup_kra + kra.install(api, config, options, custodia=custodia) + + service.print_msg("Restarting the KDC") +-- +2.43.0 + diff --git a/0044-ipapython-Clean-up-krb5_error.patch b/0044-ipapython-Clean-up-krb5_error.patch new file mode 100644 index 0000000..a022956 --- /dev/null +++ b/0044-ipapython-Clean-up-krb5_error.patch 
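Review bot: With `if ca_enabled:` replacing `if options.setup_ca and ca_enabled:`, ca.install() now runs on replicas that will not host a CA, and the only thing keeping such a replica from pulling the CA keys out of custodia is the new `if replica_config.setup_ca:` guard in install_step_0; that dependency is stated at neither site. The comment added in replicainstall.py could say so, e.g. `# ca.install() fetches the CA keys only when replica_config.setup_ca is set; other replicas just get the RA agent.`, so that later additions to ca.install() that assume a local CA are also checked against setup_ca. The parallel `if kra_enabled:` change gets a comment delegating to the KRA installer, but the CA branch gives the reader nothing equivalent. install_step_0 and install both begin and end outside the hunk.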
@@ -0,0 +1,144 @@ +From 33638de180a8157e369ad6c61f9e3406d9e85404 Mon Sep 17 00:00:00 2001 +From: Stanislav Levin +Date: Tue, 23 Jan 2024 19:12:53 +0300 +Subject: [PATCH] ipapython: Clean up krb5_error + +`krb5_error` has different definition in MIT krb. +https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html + +> Error message structure. +> +> Declaration: +> typedef struct _krb5_error krb5_error + +While `krb5_error_code` +https://web.mit.edu/kerberos/www/krb5-latest/doc/appdev/refs/types/krb5_error_code.html#c.krb5_error_code + +> krb5_error_code +> Used to convey an operation status. +> +> The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error. +> +> Declaration +> typedef krb5_int32 krb5_error_code + +And this is what was actually used. + +To prevent confusion of types `krb5_error` was replaced with +`krb5_error_code`. + +Fixes: https://pagure.io/freeipa/issue/9519 +Signed-off-by: Stanislav Levin +Reviewed-By: Alexander Bokovoy +--- + ipapython/session_storage.py | 25 ++++++++++++------------- + 1 file changed, 12 insertions(+), 13 deletions(-) + +diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py +index c43ef7d4e8ef5931f6d74d360be131fe46159dc7..371cf152472d54c9a59b60bece9559323ede78b7 100644 +--- a/ipapython/session_storage.py ++++ b/ipapython/session_storage.py +@@ -111,7 +111,7 @@ class KRB5Error(Exception): + + + def krb5_errcheck(result, func, arguments): +- """Error checker for krb5_error return value""" ++ """Error checker for krb5_error_code return value""" + if result != 0: + raise KRB5Error(result, func.__name__, arguments) + +@@ -119,14 +119,13 @@ def krb5_errcheck(result, func, arguments): + krb5_context = ctypes.POINTER(_krb5_context) + krb5_ccache = ctypes.POINTER(_krb5_ccache) + krb5_data_p = ctypes.POINTER(_krb5_data) +-krb5_error = ctypes.c_int32 + krb5_creds = _krb5_creds + krb5_pointer = ctypes.c_void_p + 
krb5_cc_cursor = krb5_pointer + + krb5_init_context = LIBKRB5.krb5_init_context + krb5_init_context.argtypes = (ctypes.POINTER(krb5_context), ) +-krb5_init_context.restype = krb5_error ++krb5_init_context.restype = krb5_error_code + krb5_init_context.errcheck = krb5_errcheck + + krb5_free_context = LIBKRB5.krb5_free_context +@@ -143,30 +142,30 @@ krb5_free_data_contents.restype = None + + krb5_cc_default = LIBKRB5.krb5_cc_default + krb5_cc_default.argtypes = (krb5_context, ctypes.POINTER(krb5_ccache), ) +-krb5_cc_default.restype = krb5_error ++krb5_cc_default.restype = krb5_error_code + krb5_cc_default.errcheck = krb5_errcheck + + krb5_cc_close = LIBKRB5.krb5_cc_close + krb5_cc_close.argtypes = (krb5_context, krb5_ccache, ) +-krb5_cc_close.restype = krb5_error ++krb5_cc_close.restype = krb5_error_code + krb5_cc_close.errcheck = krb5_errcheck + + krb5_parse_name = LIBKRB5.krb5_parse_name + krb5_parse_name.argtypes = (krb5_context, ctypes.c_char_p, + ctypes.POINTER(krb5_principal), ) +-krb5_parse_name.restype = krb5_error ++krb5_parse_name.restype = krb5_error_code + krb5_parse_name.errcheck = krb5_errcheck + + krb5_cc_set_config = LIBKRB5.krb5_cc_set_config + krb5_cc_set_config.argtypes = (krb5_context, krb5_ccache, krb5_principal, + ctypes.c_char_p, krb5_data_p, ) +-krb5_cc_set_config.restype = krb5_error ++krb5_cc_set_config.restype = krb5_error_code + krb5_cc_set_config.errcheck = krb5_errcheck + + krb5_cc_get_principal = LIBKRB5.krb5_cc_get_principal + krb5_cc_get_principal.argtypes = (krb5_context, krb5_ccache, + ctypes.POINTER(krb5_principal), ) +-krb5_cc_get_principal.restype = krb5_error ++krb5_cc_get_principal.restype = krb5_error_code + krb5_cc_get_principal.errcheck = krb5_errcheck + + # krb5_build_principal is a variadic function but that can't be expressed +@@ -177,26 +176,26 @@ krb5_build_principal.argtypes = (krb5_context, ctypes.POINTER(krb5_principal), + ctypes.c_uint, ctypes.c_char_p, + ctypes.c_char_p, ctypes.c_char_p, + ctypes.c_char_p, 
ctypes.c_char_p, ) +-krb5_build_principal.restype = krb5_error ++krb5_build_principal.restype = krb5_error_code + krb5_build_principal.errcheck = krb5_errcheck + + krb5_cc_start_seq_get = LIBKRB5.krb5_cc_start_seq_get + krb5_cc_start_seq_get.argtypes = (krb5_context, krb5_ccache, + ctypes.POINTER(krb5_cc_cursor), ) +-krb5_cc_start_seq_get.restype = krb5_error ++krb5_cc_start_seq_get.restype = krb5_error_code + krb5_cc_start_seq_get.errcheck = krb5_errcheck + + krb5_cc_next_cred = LIBKRB5.krb5_cc_next_cred + krb5_cc_next_cred.argtypes = (krb5_context, krb5_ccache, + ctypes.POINTER(krb5_cc_cursor), + ctypes.POINTER(krb5_creds), ) +-krb5_cc_next_cred.restype = krb5_error ++krb5_cc_next_cred.restype = krb5_error_code + krb5_cc_next_cred.errcheck = krb5_errcheck + + krb5_cc_end_seq_get = LIBKRB5.krb5_cc_end_seq_get + krb5_cc_end_seq_get.argtypes = (krb5_context, krb5_ccache, + ctypes.POINTER(krb5_cc_cursor), ) +-krb5_cc_end_seq_get.restype = krb5_error ++krb5_cc_end_seq_get.restype = krb5_error_code + krb5_cc_end_seq_get.errcheck = krb5_errcheck + + krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents +@@ -212,7 +211,7 @@ krb5_principal_compare.restype = krb5_boolean + krb5_unparse_name = LIBKRB5.krb5_unparse_name + krb5_unparse_name.argtypes = (krb5_context, krb5_principal, + ctypes.POINTER(ctypes.c_char_p), ) +-krb5_unparse_name.restype = krb5_error ++krb5_unparse_name.restype = krb5_error_code + krb5_unparse_name.errcheck = krb5_errcheck + + krb5_free_unparsed_name = LIBKRB5.krb5_free_unparsed_name +-- +2.43.0 + diff --git a/0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch b/0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch new file mode 100644 index 0000000..ed6743d --- /dev/null +++ b/0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch 
@@ -0,0 +1,47 @@
+From f8a616dc6196324145372713da772fe9b2352e53 Mon Sep 17 00:00:00 2001
+From: Stanislav Levin
+Date: Tue, 23 Jan 2024 19:19:43 +0300
+Subject: [PATCH] ipapython: Correct return type of krb5_free_cred_contents
+
+According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html
+
+> krb5_free_cred_contents - Free the contents of a krb5_creds structure.
+>
+> void krb5_free_cred_contents(krb5_context context, krb5_creds * val)
+> param:
+> [in] context - Library context
+>
+> [in] val - Credential structure to free contents of
+>
+> This function frees the contents of val , but not the structure itself.
+
+https://github.com/krb5/krb5/blob/5b00197227231943bd2305328c8260dd0b0dbcf0/src/lib/krb5/krb/kfree.c#L166
+
+This leads to undefined behavior and `krb5_free_cred_contents` can
+raise KRB5Error (because of garbage data) while actually its foreign
+function doesn't.
+
+Fixes: https://pagure.io/freeipa/issue/9519
+Signed-off-by: Stanislav Levin
+Reviewed-By: Alexander Bokovoy
+---
+ ipapython/session_storage.py | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
+index 371cf152472d54c9a59b60bece9559323ede78b7..dc36f54939a838bcb933dfb0089410d9b00f9e4d 100644
+--- a/ipapython/session_storage.py
++++ b/ipapython/session_storage.py
+@@ -200,8 +200,7 @@ krb5_cc_end_seq_get.errcheck = krb5_errcheck
+
+ krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents
+ krb5_free_cred_contents.argtypes = (krb5_context, ctypes.POINTER(krb5_creds))
+-krb5_free_cred_contents.restype = krb5_error
+-krb5_free_cred_contents.errcheck = krb5_errcheck
++krb5_free_cred_contents.restype = None
+
+ krb5_principal_compare = LIBKRB5.krb5_principal_compare
+ krb5_principal_compare.argtypes = (krb5_context, krb5_principal,
+--
+2.43.0
+
diff --git a/0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch b/0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch
new file mode 100644
index 0000000..1043528
--- /dev/null
+++ b/0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch
@@ -0,0 +1,53 @@
+From 59b8a9fb7169561c7ba9168fe84f47ae94e5ce23 Mon Sep 17 00:00:00 2001
+From: Stanislav Levin
+Date: Tue, 23 Jan 2024 19:52:34 +0300
+Subject: [PATCH] ipapython: Propagate KRB5Error exceptions on iterating ccache
+
+`ipapython.session_storage.get_data` iterates over
+credentials in a credential cache till `krb5_cc_next_cred` returns
+an error. This function doesn't expect any error on calling
+other kerberos foreign functions during iteration. But that can
+actually happen and KRB5Error exceptions stop an iteration while
+they should be propagated.
+
+With this change iteration will exactly stop on `krb5_cc_next_cred`
+error as it was supposed to be.
+
+Fixes: https://pagure.io/freeipa/issue/9519
+Signed-off-by: Stanislav Levin
+Reviewed-By: Alexander Bokovoy
+---
+ ipapython/session_storage.py | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
+index dc36f54939a838bcb933dfb0089410d9b00f9e4d..e890dc9b11475cc26d212ccbe040df3cfbfba6e8 100644
+--- a/ipapython/session_storage.py
++++ b/ipapython/session_storage.py
+@@ -312,8 +312,12 @@ def get_data(princ_name, key):
+ checkcreds = krb5_creds()
+ # the next function will throw an error and break out of the
+ # while loop when we try to access past the last cred
+- krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
+- ctypes.byref(checkcreds))
++ try:
++ krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
++ ctypes.byref(checkcreds))
++ except KRB5Error:
++ break
++
+ if (krb5_principal_compare(context, principal,
+ checkcreds.client) == 1 and
+ krb5_principal_compare(context, srv_princ,
+@@ -328,8 +332,6 @@ def get_data(princ_name, key):
+ else:
+ krb5_free_cred_contents(context,
+ ctypes.byref(checkcreds))
+- except KRB5Error:
+- pass
+ finally:
+ krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))
+
+--
+2.43.0
+
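Review bot: `except KRB5Error: break` around `krb5_cc_next_cred` treats every failure as end-of-cache, so a genuine read error on the credential cache now ends the loop silently and get_data reports "not found" instead of propagating, which is the very behaviour this patch removes for the other calls. MIT krb5 signals the end of iteration with the KRB5_CC_END code and `KRB5Error` carries the code as its first argument (see `raise KRB5Error(result, func.__name__, arguments)` in krb5_errcheck), so the handler can distinguish the two: `except KRB5Error as exc:` / `if exc.args[0] != KRB5_CC_END: raise` / `break` — the constant is not defined in this hunk and would need adding next to the other krb5 bindings. The comment above the call, "the next function will throw an error and break out of the while loop", should then say that only the end-of-cache error is swallowed. get_data begins and ends outside the hunk.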
diff --git a/0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch b/0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch
new file mode 100644
index 0000000..71bfd51
--- /dev/null
+++ b/0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch
@@ -0,0 +1,91 @@ +From 34b58d8ee93ab385c1f3ba1166377fc1008a9c17 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Wed, 24 Jan 2024 15:50:17 +0100 +Subject: [PATCH] ipa-kdb: Fix memory leak during PAC verification + +Commit 0022bd70d93708d325855d5271516d6cd894d6e8 introduced a memory leak +during the copy of some PAC buffers, because of an unfreed memory +allocation context. + +Fixes: https://pagure.io/freeipa/issue/9520 + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 28 +++++++++++++--------------- + 1 file changed, 13 insertions(+), 15 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 1558e2bead288d9d00014e9b3b059934e80b54e4..2866304e1e374fb6a8dc3400dd1f56583d9d9197 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -2316,6 +2316,7 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context, + size_t i; + struct dom_sid *requester_sid = NULL; + struct dom_sid req_sid; ++ TALLOC_CTX *tmpctx = NULL; + + if (signing_krbtgt != NULL && + ipadb_is_cross_realm_krbtgt(signing_krbtgt->princ)) { +@@ -2371,6 +2372,12 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context, + goto done; + } + ++ tmpctx = talloc_new(NULL); ++ if (tmpctx == NULL) { ++ kerr = ENOMEM; ++ goto done; ++ } ++ + for (i = 0; i < num_buffers; i++) { + if (types[i] == KRB5_PAC_SERVER_CHECKSUM || + types[i] == KRB5_PAC_PRIVSVR_CHECKSUM || +@@ -2398,32 +2405,21 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context, + DATA_BLOB pac_attrs_data; + krb5_boolean pac_requested; + +- TALLOC_CTX *tmpctx = talloc_new(NULL); +- if (tmpctx == NULL) { +- kerr = ENOMEM; +- goto done; +- } +- + kerr = ipadb_client_requested_pac(context, old_pac, tmpctx, &pac_requested); +- if (kerr != 0) { +- talloc_free(tmpctx); ++ if (kerr) + goto done; +- } + + kerr = ipadb_get_pac_attrs_blob(tmpctx, &pac_requested, &pac_attrs_data); +- if (kerr) { +- 
talloc_free(tmpctx); ++ if (kerr) + goto done; +- } ++ + data.magic = KV5M_DATA; + data.data = (char *)pac_attrs_data.data; + data.length = pac_attrs_data.length; + + kerr = krb5_pac_add_buffer(context, new_pac, PAC_TYPE_ATTRIBUTES_INFO, &data); +- if (kerr) { +- talloc_free(tmpctx); ++ if (kerr) + goto done; +- } + + continue; + } +@@ -2470,6 +2466,8 @@ done: + if (kerr != 0 && (new_pac != *pac)) { + krb5_pac_free(context, new_pac); + } ++ if (tmpctx) ++ talloc_free(tmpctx); + krb5_free_data_contents(context, &pac_blob); + free(types); + return kerr; +-- +2.43.0 + diff --git a/0048-sidgen-ignore-staged-users-when-generating-SIDs.patch b/0048-sidgen-ignore-staged-users-when-generating-SIDs.patch new file mode 100644 index 0000000..9621b29 --- /dev/null +++ b/0048-sidgen-ignore-staged-users-when-generating-SIDs.patch 
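Review bot: The three error exits inside the loop were rewritten as brace-less `if (kerr) goto done;`, while the conditionals the same hunk adds or keeps (`if (tmpctx == NULL) { ... }`, `if (kerr != 0 && (new_pac != *pac)) { ... }`) use braces; keeping the braces avoids the style mismatch and the classic trap of a later statement being added next to an unbraced goto. The lifetime change itself is sound — one `tmpctx` allocated before the loop and released at `done:` — but nothing at the allocation says so; a comment such as `/* owns the PAC attribute buffers copied in the loop below; freed at done: */` on the `talloc_new` line would make the single free point explicit. ipadb_common_verify_pac begins and ends outside the hunk.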
@@ -0,0 +1,83 @@ +From 37dfe80132d665b1fced67540457362c3ee00a7b Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 23 Jan 2024 14:47:50 +0200 +Subject: [PATCH] sidgen: ignore staged users when generating SIDs + +Staged users have + + uidNumber: -1 + gidNumber: -1 + ipaUniqueID: autogenerate + +We cannot generate ipaSecurityIdentifier based on those UID/GID numbers. +However, '-1' value will trigger an error + + find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large. + +And that, in turn, will cause stopping SID generation for all users. + +Detect 'ipaUniqueID: autogenerate' situation and ignore these entries. + +Fixes: https://pagure.io/freeipa/issue/9517 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Thierry Bordaz +--- + daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 2 ++ + .../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 12 ++++++++++++ + 2 files changed, 14 insertions(+) + +diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h +index 0feff7eec9999a76bf950b8b9fc9fa25b3a2fa88..bd46982d06b3272874f256a8b0c2293fa4829f5b 100644 +--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h ++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h +@@ -45,6 +45,8 @@ + #define UID_NUMBER "uidnumber" + #define GID_NUMBER "gidnumber" + #define IPA_SID "ipantsecurityidentifier" ++#define IPA_UNIQUEID "ipauniqueid" ++#define IPA_UNIQUEID_AUTOGENERATE "autogenerate" + #define DOM_ATTRS_FILTER OBJECTCLASS"=ipantdomainattrs" + #define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipadomainidrange" + #define POSIX_ACCOUNT "posixaccount" +diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c +index 6f784804cd39acdf88ceceb0e21b272a04fa13fc..cb763ebf8c733e50483c23856a248eb536c796f1 100644 +--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c ++++ 
b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c +@@ -454,6 +454,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, + uint32_t id; + char *sid = NULL; + char **objectclasses = NULL; ++ char *uniqueid = NULL; + Slapi_PBlock *mod_pb = NULL; + Slapi_Mods *smods = NULL; + int result; +@@ -479,6 +480,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, + goto done; + } + ++ uniqueid = slapi_entry_attr_get_charptr(entry, IPA_UNIQUEID); ++ if (uniqueid != NULL && ++ strncmp(IPA_UNIQUEID_AUTOGENERATE, uniqueid, ++ sizeof(IPA_UNIQUEID_AUTOGENERATE)) == 0) { ++ LOG("Staged entry [%s] does not have Posix IDs, nothing to do.\n", ++ dn_str); ++ ret = 0; ++ goto done; ++ } ++ + if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) { + LOG_FATAL("ID value too large.\n"); + ret = LDAP_CONSTRAINT_VIOLATION; +@@ -554,6 +565,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, + } + + done: ++ slapi_ch_free_string(&uniqueid); + slapi_ch_free_string(&sid); + slapi_pblock_destroy(mod_pb); + slapi_mods_free(&smods); +-- +2.43.0 + diff --git a/0049-sidgen-fix-missing-prototypes.patch b/0049-sidgen-fix-missing-prototypes.patch new file mode 100644 index 0000000..4430148 --- /dev/null +++ b/0049-sidgen-fix-missing-prototypes.patch 
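Review bot: The staged-entry test uses `strncmp(IPA_UNIQUEID_AUTOGENERATE, uniqueid, sizeof(IPA_UNIQUEID_AUTOGENERATE))`, and because `sizeof` of the string literal counts the terminating NUL this is an exact, case-sensitive equality; `strcmp(uniqueid, IPA_UNIQUEID_AUTOGENERATE) == 0` states the same thing without the reader having to work out the length. If the attribute's LDAP syntax is case-insensitive (not visible here), a value such as "Autogenerate" would slip past this check and still hit the "ID value too large" path the commit is trying to avoid, so `strcasecmp` may be the safer match — worth confirming against the schema. A one-line comment tying the check to its rationale, e.g. `/* staged entries carry ipaUniqueID=autogenerate and uidNumber/gidNumber of -1: no SID can be derived */`, would help the next reader. find_sid_for_ldap_entry begins and ends outside the hunk.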
@@ -0,0 +1,26 @@
+From a1f42f0258d9e84928a112e4c39419aad0cebb3b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Tue, 23 Jan 2024 14:53:39 +0200
+Subject: [PATCH] sidgen: fix missing prototypes
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Thierry Bordaz
+---
+ daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+index bd46982d06b3272874f256a8b0c2293fa4829f5b..aec862796a8364de84e26fbca96a270a8fb508fc 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
+@@ -106,3 +106,6 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
+ const char *base_dn,
+ const char *dom_sid,
+ struct range_info **ranges);
++
++int sidgen_task_init(Slapi_PBlock *pb);
++int ipa_sidgen_init(Slapi_PBlock *pb);
+--
+2.43.0
+
diff --git a/0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch b/0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch
new file mode 100644
index 0000000..415ae95
--- /dev/null
+++ b/0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch
@@ -0,0 +1,48 @@
+From d09acb5869c5d0faa35b8784c1fea1c1be3f014f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Fri, 26 Jan 2024 20:53:39 +0200
+Subject: [PATCH] kdb: PAC generator: do not fail if canonical principal is
+ missing
+
+krbCanonicalName is mandatory for services but IPA services created
+before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done
+to set krbCanonicalName; services created after that version were
+upgraded to do have krbCanonicalName.
+
+Accept krbPrincipalName alone since they have no alias either */
+
+Fixes: https://pagure.io/freeipa/issue/9465
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Thierry Bordaz
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 2866304e1e374fb6a8dc3400dd1f56583d9d9197..16374a59468975ebaea5ce18ac6445ec577e5e6a 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -496,8 +496,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "krbCanonicalName", &strres);
+ if (ret) {
+- /* krbCanonicalName is mandatory for services */
+- return ret;
++ /* krbCanonicalName is mandatory for services but IPA services
++ * created before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no
++ * normalization to set krbCanonicalName; services created after
++ * that version were upgraded to do have krbCanonicalName.
++ *
++ * Accept krbPrincipalName alone since they have no alias either */
++ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
++ "krbPrincipalName", &strres);
++ if (ret)
++ return ret;
+ }
+
+ ret = krb5_parse_name(ipactx->kcontext, strres, &princ);
+--
+2.43.0
+
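Review bot: The new fallback to krbPrincipalName is silent, so a service entry that still lacks krbCanonicalName is indistinguishable in the KDC log from a normalized one and nothing prompts an operator to repair it; logging once where the first lookup fails, with whatever logging helper this file already uses, would keep the fix while leaving a trace. The comment assumes such pre-4.4.0 services carry a single krbPrincipalName value; what `ipadb_ldap_attr_to_str` returns for a multi-valued attribute is not visible here, and an entry that later gained aliases is worth confirming against. Style-wise the added `if (ret) return ret;` drops the braces the enclosing `if (ret) {` uses, and the commit message carries a stray `*/` copied from the code comment. ipadb_fill_info3 begins and ends outside the hunk.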
diff --git a/0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch b/0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch
new file mode 100644
index 0000000..85ae84f
--- /dev/null
+++ b/0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch
@@ -0,0 +1,65 @@ +From 8c1f56dbab5de1c06fc424f3c58d366274d70688 Mon Sep 17 00:00:00 2001 +From: Sudhir Menon +Date: Mon, 29 Jan 2024 22:07:43 +0530 +Subject: [PATCH] ipatests: Skip tests for ipahealtcheck tests for specific pki + version + +CADogtagCertsConfigCheck is no more available on RHEL9, hence the +respective tests are skipped. + +Check 'CADogtagCertsConfigCheck' not found in Source 'pki.server.healthcheck.meta.csconfig' + +Ref: https://issues.redhat.com/browse/RHEL-21367 + +Signed-off-by: Sudhir Menon +Reviewed-By: Florence Blanc-Renaud +--- + .../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++---- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 28200e0961a23996935c7b1c2b76f2b4b127e066..7323b073273bd95d7b62d19fd5afe03edb2a21da 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -507,6 +507,11 @@ class TestIpaHealthCheck(IntegrationTest): + Testcase checks behaviour of check DogtagCertsConfigCheck in + ipahealthcheck.dogtag.ca when tomcat config file is removed + """ ++ version = tasks.get_pki_version(self.master) ++ if version >= parse_version("11.5"): ++ pytest.skip("Skipping test for 11.5 pki version, since the " ++ "check CADogtagCertsConfigCheck itself is skipped " ++ "See ipa-healthcheck ticket 317") + returncode, data = run_healthcheck( + self.master, + "ipahealthcheck.dogtag.ca", +@@ -1453,13 +1458,21 @@ class TestIpaHealthCheck(IntegrationTest): + This testcase checks that CADogtagCertsConfigCheck can handle + cert renewal, when there can be two certs with the same nickname + """ +- if (tasks.get_pki_version(self.master) < tasks.parse_version('11.4.0')): ++ if (tasks.get_pki_version( ++ self.master) < tasks.parse_version('11.4.0')): + raise pytest.skip("PKI known issue #2022561") +- self.master.run_command(['ipa-cacert-manage', 'renew', 
'--self-signed']) ++ elif (tasks.get_pki_version( ++ self.master) >= tasks.parse_version('11.5.0')): ++ raise pytest.skip("Skipping test for 11.5 pki version, since " ++ "check CADogtagCertsConfigCheck is " ++ "not present in source " ++ "pki.server.healthcheck.meta.csconfig") ++ self.master.run_command( ++ ['ipa-cacert-manage', 'renew', '--self-signed'] ++ ) + returncode, data = run_healthcheck( +- self.master, +- "pki.server.healthcheck.meta.csconfig", +- "CADogtagCertsConfigCheck", ++ self.master, "pki.server.healthcheck.meta.csconfig", ++ "CADogtagCertsConfigCheck" + ) + assert returncode == 0 + for check in data: +-- +2.43.0 + diff --git a/freeipa.spec b/freeipa.spec index c85aca9..423a46b 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -223,7 +223,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 5%{?rc_version:.%rc_version}%{?dist} +Release: 6%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later 
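Review bot: The first skip calls `parse_version("11.5")` unqualified while the second uses `tasks.parse_version('11.5.0')`, so the first site depends on a module-level import that is not visible in this hunk and the same cut-off is spelled two ways; `if version >= tasks.parse_version("11.5.0"):` in both places removes the extra dependency and the inconsistency. The first site also calls `pytest.skip(...)` where the second does `raise pytest.skip(...)`; either works, but one form should be picked for the file. In the second site `tasks.get_pki_version(self.master)` is evaluated and line-wrapped twice where a local like the `version` introduced in the first hunk would read better. Both test methods begin outside the hunk.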
@@ -288,6 +288,16 @@ Patch0038: 0038-get_directive-don-t-error-out-on-substring-mismatch.patch
 Patch0039: 0039-host-update-System-Manage-Host-Keytab-permission.patch
 Patch0040: 0040-adtrustinstance-make-sure-NetBIOS-name-defaults-are-.patch
 Patch0041: 0041-Server-affinity-Don-t-rely-just-on-ca-kra-_enabled-f.patch
+Patch0042: 0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch
+Patch0043: 0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch
+Patch0044: 0044-ipapython-Clean-up-krb5_error.patch
+Patch0045: 0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch
+Patch0046: 0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch
+Patch0047: 0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch
+Patch0048: 0048-sidgen-ignore-staged-users-when-generating-SIDs.patch
+Patch0049: 0049-sidgen-fix-missing-prototypes.patch
+Patch0050: 0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch
+Patch0051: 0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1780,7 +1790,15 @@ fi
 %endif
 %changelog
-* Thu Jan 18 2024 Florence Blanc-Renaud - 4.11.0-4
+* Fri Feb 09 2024 2024 Florence Blanc-Renaud - 4.11.0-6
+- Resolves: RHEL-23627 IPA stops working if HTTP/... service principal was created before FreeIPA 4.4.0 and never modified
+- Resolves: RHEL-23625 sidgen plugin does not ignore staged users
+- Resolves: RHEL-23621 session cookie can't be read
+- Resolves: RHEL-22372 Gating-DL1 test failure in test_integration/test_dns_locations.py::TestDNSLocations::()::test_ipa_ca_records
+- Resolves: RHEL-21809 CA less servers are failing to be added in topology segment for domain suffix
+- Resolves: RHEL-17996 Memory leak in IdM's KDC
+
+* Thu Jan 18 2024 Florence Blanc-Renaud - 4.11.0-5
+- Resolves: RHEL-12589 ipa: Invalid CSRF protection
+- Resolves: RHEL-19748 ipa hbac-test did not report that it hit an arbitrary search limit
+- Resolves: RHEL-21059 'DogtagCertsConfigCheck' fails, displaying the error message 'Malformed directive: ca.signing.certnickname=caSigningCert cert-pki-ca'