rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ipa-4.8.4-7.module+el8.2.0+6047+59605870

Browse Source
This commit is contained in:
CentOS Sources 2020-04-28 04:56:16 -04:00 committed by Andrew Lukoshko
parent 0a4aede6a1
commit 1406ae40eb
24 changed files with 1238 additions and 4702 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.8.0.tar.gz
SOURCES/freeipa-4.8.4.tar.gz

2
.ipa.metadata
View File

@ -1 +1 @@
4cbc1d041eef6d9f5381bdfcfebf9a96d40b94cb SOURCES/freeipa-4.8.0.tar.gz
72c91f01b2039795223417dc6761edf8ee0f36ee SOURCES/freeipa-4.8.4.tar.gz

47
SOURCES/0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch Normal file
View File

@ -0,0 +1,47 @@
From 2c2cef7063315766d893b275185b422be3f3c019 Mon Sep 17 00:00:00 2001
From: Thomas Woerner <twoerner@redhat.com>
Date: Dec 16 2019 20:37:17 +0000
Subject: DNS install check: Fix overlapping DNS zone from the master itself
The change to allow overlapping zone to be from the master itself has
introduced two issues: The check for the master itself should only executed
if options.force and options.allow_zone_overlap are both false and the
reverse zone check later on was still handling ValueError instead of
dnsutil.DNSZoneAlreadyExists.
Both issues have been fixed and the deployment with existing name servers
is properly working again.
Fixes: https://pagure.io/freeipa/issue/8150
Signed-off-by: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/ipaserver/install/dns.py b/ipaserver/install/dns.py
index 36ba6f8..9f08e86 100644
--- a/ipaserver/install/dns.py
+++ b/ipaserver/install/dns.py
@@ -135,15 +135,15 @@ def install_check(standalone, api, replica, options, hostname):
logger.warning("%s Please make sure that the domain is "
"properly delegated to this IPA server.",
e)
-
- hst = dnsutil.DNSName(hostname).make_absolute().to_text()
- if hst not in e.kwargs['ns']:
- raise ValueError(str(e))
+ else:
+ hst = dnsutil.DNSName(hostname).make_absolute().to_text()
+ if hst not in e.kwargs['ns']:
+ raise ValueError(str(e))
for reverse_zone in options.reverse_zones:
try:
dnsutil.check_zone_overlap(reverse_zone)
- except ValueError as e:
+ except dnsutil.DNSZoneAlreadyExists as e:
if options.force or options.allow_zone_overlap:
logger.warning('%s', str(e))
else:

32
SOURCES/0001-No-need-to-call-rhel-specific-domainname-service.patch
View File

@ -1,32 +0,0 @@
From b3378c32603e83ea3d4651cee3af99e644a30457 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 20 Jul 2018 11:06:55 -0400
Subject: [PATCH] No need to call rhel-specific domainname service
It was moved upstream into hostname package which named it
nis-domainname. When it was in the initscripts package there were
separate fedora-domainname and rhel-domainname services.
From F29+ it will be nis-domainname. We can use that as well in
RHEL 8.
---
ipaplatform/rhel/services.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/ipaplatform/rhel/services.py b/ipaplatform/rhel/services.py
index 1403d08..06fa633 100644
--- a/ipaplatform/rhel/services.py
+++ b/ipaplatform/rhel/services.py
@@ -30,9 +30,6 @@ from ipaplatform.redhat import services as redhat_services
# to their actual systemd service names
rhel_system_units = redhat_services.redhat_system_units
-# Service that sets domainname on RHEL is called rhel-domainname.service
-rhel_system_units['domainname'] = 'rhel-domainname.service'
-
# Service classes that implement RHEL-specific behaviour
--
2.13.6

124
SOURCES/0002-Fix-test_webui.test_selinuxusermap.patch
View File

@ -1,124 +0,0 @@
From 96af5394c210e637a5ab81d6925be3b0a429fc08 Mon Sep 17 00:00:00 2001
From: Stanislav Levin <slev@altlinux.org>
Date: Fri, 5 Jul 2019 14:39:17 +0300
Subject: [PATCH] Fix `test_webui.test_selinuxusermap`
A previous refactoring of SELinux tests has have a wrong
assumption about the user field separator within
ipaSELinuxUserMapOrder. That was '$$', but should be just '$'.
Actually, '.ldif' and '.update' files are passed through
Python template string substitution:
> $$ is an escape; it is replaced with a single $.
> $identifier names a substitution placeholder matching
> a mapping key of "identifier"
This means that the text to be substituted on should not be escaped.
The wrong ipaSELinuxUserMapOrder previously set will be replaced on
upgrade.
Fixes: https://pagure.io/freeipa/issue/7996
Fixes: https://pagure.io/freeipa/issue/8005
Signed-off-by: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
install/updates/50-ipaconfig.update | 1 +
ipaplatform/base/constants.py | 10 +++++-----
ipaserver/install/ldapupdate.py | 3 +++
ipatests/test_integration/test_winsyncmigrate.py | 2 +-
ipatests/test_webui/data_selinuxusermap.py | 4 ++--
ipatests/test_xmlrpc/test_selinuxusermap_plugin.py | 4 ++--
6 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/install/updates/50-ipaconfig.update b/install/updates/50-ipaconfig.update
index 2e1c5c357..35e154b4e 100644
--- a/install/updates/50-ipaconfig.update
+++ b/install/updates/50-ipaconfig.update
@@ -1,4 +1,5 @@
dn: cn=ipaConfig,cn=etc,$SUFFIX
+replace: ipaSELinuxUserMapOrder: guest_u:s0$$$$xguest_u:s0$$$$user_u:s0$$$$staff_u:s0-s0:c0.c1023$$$$sysadm_u:s0-s0:c0.c1023$$$$unconfined_u:s0-s0:c0.c1023::$SELINUX_USERMAP_ORDER
replace: ipaSELinuxUserMapOrder: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
replace: ipaSELinuxUserMapOrder: guest_u:s0$$xguest_u:s0$$user_u:s0-s0:c0.c1023$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023::guest_u:s0$$xguest_u:s0$$user_u:s0$$staff_u:s0-s0:c0.c1023$$unconfined_u:s0-s0:c0.c1023
add:ipaSELinuxUserMapDefault: $SELINUX_USERMAP_DEFAULT
diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index cdb72e74a..eac60cac3 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -62,11 +62,11 @@ class BaseConstantsNamespace:
SELINUX_USERMAP_DEFAULT = "unconfined_u:s0-s0:c0.c1023"
SELINUX_USERMAP_ORDER = (
"guest_u:s0"
- "$$xguest_u:s0"
- "$$user_u:s0"
- "$$staff_u:s0-s0:c0.c1023"
- "$$sysadm_u:s0-s0:c0.c1023"
- "$$unconfined_u:s0-s0:c0.c1023"
+ "$xguest_u:s0"
+ "$user_u:s0"
+ "$staff_u:s0-s0:c0.c1023"
+ "$sysadm_u:s0-s0:c0.c1023"
+ "$unconfined_u:s0-s0:c0.c1023"
)
SSSD_USER = "sssd"
# WSGI module override, only used on Fedora
diff --git a/ipaserver/install/ldapupdate.py b/ipaserver/install/ldapupdate.py
index d9e47dcc0..0cdea6a82 100644
--- a/ipaserver/install/ldapupdate.py
+++ b/ipaserver/install/ldapupdate.py
@@ -322,6 +322,9 @@ class LDAPUpdate:
if not self.sub_dict.get("SELINUX_USERMAP_DEFAULT"):
self.sub_dict["SELINUX_USERMAP_DEFAULT"] = \
platformconstants.SELINUX_USERMAP_DEFAULT
+ if not self.sub_dict.get("SELINUX_USERMAP_ORDER"):
+ self.sub_dict["SELINUX_USERMAP_ORDER"] = \
+ platformconstants.SELINUX_USERMAP_ORDER
self.api = create_api(mode=None)
self.api.bootstrap(in_server=True,
context='updates',
diff --git a/ipatests/test_integration/test_winsyncmigrate.py b/ipatests/test_integration/test_winsyncmigrate.py
index 593fc2065..be9f44072 100644
--- a/ipatests/test_integration/test_winsyncmigrate.py
+++ b/ipatests/test_integration/test_winsyncmigrate.py
@@ -59,7 +59,7 @@ class TestWinsyncMigrate(IntegrationTest):
ipa_group = 'ipa_group'
ad_user = 'testuser'
default_shell = platformconstants.DEFAULT_SHELL
- selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
+ selinuxuser = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
test_role = 'test_role'
test_hbac_rule = 'test_hbac_rule'
test_selinux_map = 'test_selinux_map'
diff --git a/ipatests/test_webui/data_selinuxusermap.py b/ipatests/test_webui/data_selinuxusermap.py
index ca7b1dcdd..312e7592f 100644
--- a/ipatests/test_webui/data_selinuxusermap.py
+++ b/ipatests/test_webui/data_selinuxusermap.py
@@ -5,8 +5,8 @@
from ipaplatform.constants import constants as platformconstants
# for example, user_u:s0
-selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
-selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
selinux_mcs_max = platformconstants.SELINUX_MCS_MAX
selinux_mls_max = platformconstants.SELINUX_MLS_MAX
diff --git a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
index 0b73992aa..e5b23bd4d 100644
--- a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
+++ b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
@@ -32,8 +32,8 @@ from ipatests.test_xmlrpc.test_user_plugin import get_user_result
import pytest
rule1 = u'selinuxrule1'
-selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[0]
-selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$$")[1]
+selinuxuser1 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[0]
+selinuxuser2 = platformconstants.SELINUX_USERMAP_ORDER.split("$")[1]
INVALID_MCS = "Invalid MCS value, must match {}, where max category {}".format(
platformconstants.SELINUX_MCS_REGEX,
--
2.21.0

90
SOURCES/0002-krbtktpolicy-reset.patch Normal file
View File

@ -0,0 +1,90 @@
From a8b52eaf3cf56c90e3d94fdef0b9e426052634ea Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 18 Dec 2019 12:08:59 +0200
Subject: [PATCH] Reset per-indicator Kerberos policy
When 'ipa krbtpolicy-reset' is called, we need to reset all policy
settings, including per-indicator ones. Per-indicator policy uses
subtyped attributes (foo;bar), the current krbtpolicy-reset code does
not deal with those.
Add support for per-indicator policy reset. It is a bit tricky, as we
need to drop the values to defaults but avoid adding non-per-indicator
variants of the same attributes.
Add test to check that policy has been resetted by observing a new
Kerberos TGT for the user after its policy reset.
Fixes: https://pagure.io/freeipa/issue/8153
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/krbtpolicy.py | 21 +++++++++++++++++++-
ipatests/test_integration/test_krbtpolicy.py | 13 ++++++++++++
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/krbtpolicy.py b/ipaserver/plugins/krbtpolicy.py
index 997fe7e81..b01c44e93 100644
--- a/ipaserver/plugins/krbtpolicy.py
+++ b/ipaserver/plugins/krbtpolicy.py
@@ -68,6 +68,8 @@ register = Registry()
_default_values = {
'krbmaxticketlife': 86400,
'krbmaxrenewableage': 604800,
+ 'krbauthindmaxticketlife': 86400,
+ 'krbauthindmaxrenewableage': 604800,
}
# These attributes never have non-optional values, so they should be
@@ -311,9 +313,26 @@ class krbtpolicy_reset(baseldap.LDAPQuery):
def_values[a] = None
# if reseting global policy - set values to default
else:
- def_values = _default_values
+ def_values = _default_values.copy()
entry = ldap.get_entry(dn, list(def_values))
+
+ # For per-indicator policies, drop them to defaults
+ for subtype in _supported_options:
+ for attr in _option_based_attrs:
+ name = '{};{}'.format(attr, subtype)
+ if name in entry:
+ if uid is not None:
+ def_values[name] = None
+ else:
+ def_values[name] = _default_values[attr]
+
+ # Remove non-subtyped attrs variants,
+ # they should never be used directly.
+ for attr in _option_based_attrs:
+ if attr in def_values:
+ del def_values[attr]
+
entry.update(def_values)
try:
ldap.update_entry(entry)
diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
index b2264de7a..08e332096 100644
--- a/ipatests/test_integration/test_krbtpolicy.py
+++ b/ipatests/test_integration/test_krbtpolicy.py
@@ -112,3 +112,16 @@ class TestPWPolicy(IntegrationTest):
assert maxlife_within_policy(result.stdout_text, 1200) is True
tasks.kdestroy_all(master)
+
+ def test_krbtpolicy_reset(self):
+ """Test a hardened kerberos ticket policy reset"""
+ master = self.master
+
+ tasks.kinit_admin(master)
+ master.run_command(['ipa', 'krbtpolicy-reset', USER2])
+ master.run_command(['kinit', USER2],
+ stdin_text=PASSWORD + '\n')
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
+ tasks.kdestroy_all(master)
--
2.24.1

33
SOURCES/0003-Remove-posixAccount-from-service_find-search-filter-2f9cbff_rhbz#1731437.patch
View File

@ -1,33 +0,0 @@
From 2f9cbffb6e57ded2d0107f457241f33b17869a96 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jul 19 2019 19:16:16 +0000
Subject: Remove posixAccount from service_find search filter
This will allow cifs principals to be found. They were suppressed
because they include objectclass=posixAccount.
This is a bit of a historical anomaly. This was included in the
filter from the initial commit (though it was person, not
posixAccount). I believe it was a mistake from the beginning but
it wasn't noticed because it didn't cause any obvious issues.
https://pagure.io/freeipa/issue/8013
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index f58fe4b..c118b80 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -889,7 +889,6 @@ class service_find(LDAPSearch):
assert isinstance(base_dn, DN)
# lisp style!
custom_filter = '(&(objectclass=ipaService)' \
- '(!(objectClass=posixAccount))' \
'(!(|(krbprincipalname=kadmin/*)' \
'(krbprincipalname=K/M@*)' \
'(krbprincipalname=krbtgt/*))' \

193
SOURCES/0003-adtrust-print-DNS-records-for-external-DNS-case-after-role-is-enabled_936e27f_rhbz#1665051.patch Normal file
View File

@ -0,0 +1,193 @@
From 936e27f75961c67e619ecfa641e256ce80662d68 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Feb 14 2020 07:24:58 +0000
Subject: adtrust: print DNS records for external DNS case after role is enabled
We cannot gather information about required DNS records before "ADTrust
Controller" role is enabled on this server. As result, we need to call
the step to add DNS records after the role was enabled.
Fixes: https://pagure.io/freeipa/issue/8192
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in
index 1abfea9..7d94b71 100644
--- a/install/tools/ipa-adtrust-install.in
+++ b/install/tools/ipa-adtrust-install.in
@@ -214,7 +214,13 @@ def main():
# Enable configured services and update DNS SRV records
service.sync_services_state(api.env.host)
- api.Command.dns_update_system_records()
+
+ dns_help = adtrust.generate_dns_service_records_help(api)
+ if dns_help:
+ for line in dns_help:
+ service.print_msg(line, sys.stdout)
+ else:
+ api.Command.dns_update_system_records()
print("""
=============================================================================
diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
index 70c4359..6c14e84 100644
--- a/ipaserver/install/adtrust.py
+++ b/ipaserver/install/adtrust.py
@@ -26,6 +26,8 @@ from ipaserver.install import installutils
from ipaserver.install import adtrustinstance
from ipaserver.install import service
from ipaserver.install.plugins.adtrust import update_host_cifs_keytabs
+from ipaserver.install.bindinstance import dns_zone_exists
+from ipaserver.dns_data_management import IPASystemRecords
if six.PY3:
@@ -436,6 +438,41 @@ def install(standalone, options, fstore, api):
add_new_adtrust_agents(api, options)
+def generate_dns_service_records_help(api):
+ """
+ Return list of instructions to create DNS service records for Windows
+ if in case DNS is not enabled and the DNS zone is not managed by IPA.
+ In case IPA manages the DNS zone, nothing is returned.
+ """
+
+ zone = api.env.domain
+
+ err_msg = []
+
+ ret = api.Command['dns_is_enabled']()
+ if not ret['result']:
+ err_msg.append("DNS management was not enabled at install time.")
+ else:
+ if not dns_zone_exists(zone):
+ err_msg.append(
+ "DNS zone %s cannot be managed as it is not defined in "
+ "IPA" % zone)
+
+ if err_msg:
+ err_msg.append("Add the following service records to your DNS "
+ "server for DNS zone %s: " % zone)
+ system_records = IPASystemRecords(api, all_servers=True)
+ adtrust_records = system_records.get_base_records(
+ [api.env.host], ["AD trust controller"],
+ include_master_role=False, include_kerberos_realm=False)
+ for r_name, node in adtrust_records.items():
+ for rec in IPASystemRecords.records_list_from_node(r_name, node):
+ err_msg.append(rec)
+ return err_msg
+
+ return None
+
+
@group
class ADTrustInstallInterface(ServiceAdminInstallInterface):
"""
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 8699d53..a59e85d 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -32,10 +32,8 @@ import socket
import six
-from ipaserver.dns_data_management import IPASystemRecords
from ipaserver.install import service
from ipaserver.install import installutils
-from ipaserver.install.bindinstance import dns_zone_exists
from ipaserver.install.replication import wait_for_task
from ipalib import errors, api
from ipalib.util import normalize_zone
@@ -586,43 +584,6 @@ class ADTRUSTInstance(service.Service):
logger.critical("Failed to remove old key for %s",
self.principal)
- def srv_rec(self, host, port, prio):
- return "%(prio)d 100 %(port)d %(host)s" % dict(host=host,prio=prio,port=port)
-
- def __add_dns_service_records(self):
- """
- Add DNS service records for Windows if DNS is enabled and the DNS zone
- is managed. If there are already service records for LDAP and Kerberos
- their values are used. Otherwise default values are used.
- """
-
- zone = api.env.domain
-
- err_msg = None
-
- ret = api.Command['dns_is_enabled']()
- if not ret['result']:
- err_msg = "DNS management was not enabled at install time."
- else:
- if not dns_zone_exists(zone):
- err_msg = (
- "DNS zone %s cannot be managed as it is not defined in "
- "IPA" % zone)
-
- if err_msg:
- self.print_msg(err_msg)
- self.print_msg("Add the following service records to your DNS " \
- "server for DNS zone %s: " % zone)
- system_records = IPASystemRecords(api, all_servers=True)
- adtrust_records = system_records.get_base_records(
- [self.fqdn], ["AD trust controller"],
- include_master_role=False, include_kerberos_realm=False)
- for r_name, node in adtrust_records.items():
- for rec in IPASystemRecords.records_list_from_node(r_name, node):
- self.print_msg(rec)
- else:
- api.Command.dns_update_system_records()
-
def __configure_selinux_for_smbd(self):
try:
tasks.set_selinux_booleans(constants.SELINUX_BOOLEAN_ADTRUST,
@@ -876,8 +837,6 @@ class ADTRUSTInstance(service.Service):
self.step("map BUILTIN\\Guests to nobody group",
self.__map_Guests_to_nobody)
self.step("configuring smbd to start on boot", self.__enable)
- self.step("adding special DNS service records", \
- self.__add_dns_service_records)
if self.enable_compat:
self.step("enabling trusted domains support for older clients via Schema Compatibility plugin",
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index 6b08b70..afce0d7 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -984,6 +984,12 @@ def install(installer):
service.enable_services(host_name)
api.Command.dns_update_system_records()
+ if options.setup_adtrust:
+ dns_help = adtrust.generate_dns_service_records_help(api)
+ if dns_help:
+ for line in dns_help:
+ service.print_msg(line, sys.stdout)
+
if not options.setup_dns:
# After DNS and AD trust are configured and services are
# enabled, create a dummy instance to dump DNS configuration.
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 536f0db..71ea091 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1351,6 +1351,12 @@ def install(installer):
# enabled-service case, also perform update in hidden replica case.
api.Command.dns_update_system_records()
+ if options.setup_adtrust:
+ dns_help = adtrust.generate_dns_service_records_help(api)
+ if dns_help:
+ for line in dns_help:
+ service.print_msg(line, sys.stdout)
+
ca_servers = find_providing_servers('CA', api.Backend.ldap2, api=api)
api.Backend.ldap2.disconnect()

41
SOURCES/0004-AD-user-without-override-receive-InternalServerError-with-API_4db18be_rhbz#1782572.patch Normal file
View File

@ -0,0 +1,41 @@
From 4db18be5467c0b8f7633b281c724f469f907e573 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Jan 13 2020 12:08:19 +0000
Subject: AD user without override receive InternalServerError with API
When ipa commands are used by an Active Directory user that
does not have any idoverride-user set, they return the
following error message which can be misleading:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Internal Server Error
The fix properly handles ACIError exception received when
creating the context, and now the following message can be seen:
$ kinit aduser@ADDOMAIN.COM
$ ipa ping
ipa: ERROR: cannot connect to 'https://master.ipa.com/ipa/json': Unauthorized
with the following log in /var/log/httpd/error_log:
ipa: INFO: 401 Unauthorized: Insufficient access: Invalid credentials
Fixes: https://pagure.io/freeipa/issue/8163
---
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index 0495557..194cbbc 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -694,7 +694,7 @@ class KerberosWSGIExecutioner(WSGIExecutioner, KerberosSession):
status = HTTP_STATUS_SUCCESS
response = status.encode('utf-8')
start_response(status, self.headers)
- return self.marshal(None, e)
+ return [self.marshal(None, e)]
finally:
destroy_context()
return response

146
SOURCES/0004-Repeated-uninstallation-of-ipa-client-samba-crashes_rhbz#1732529.patch
View File

@ -1,146 +0,0 @@
From b9b98097a47f27b56500edc972c438597e6609b1 Mon Sep 17 00:00:00 2001
From: François Cami <fcami@redhat.com>
Date: Jul 26 2019 13:09:42 +0000
Subject: ipatests: test multiple invocations of ipa-client-samba --uninstall
Related-to: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
---
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 4e295c0..26d70b3 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -150,3 +150,6 @@ class TestSMB(IntegrationTest):
smbsrv = self.replicas[0]
smbsrv.run_command(['ipa-client-samba', '--uninstall', '-U'])
+ # test for https://pagure.io/freeipa/issue/8019
+ # try another uninstall after the first one:
+ smbsrv.run_command(['ipa-client-samba', '--uninstall', '-U'])
From 256a6a879061d2b97c11e9cd97b2427579610fa1 Mon Sep 17 00:00:00 2001
From: François Cami <fcami@redhat.com>
Date: Jul 26 2019 13:09:42 +0000
Subject: ipa-client-samba: remove and restore smb.conf only on first uninstall
Fixes: https://pagure.io/freeipa/issue/8019
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
---
diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py
index e2be67d..6a3c3bd 100755
--- a/ipaclient/install/ipa_client_samba.py
+++ b/ipaclient/install/ipa_client_samba.py
@@ -433,8 +433,9 @@ def uninstall(fstore, statestore, options):
ipautil.remove_ccache(ccache_path=paths.KRB5CC_SAMBA)
# Remove samba's configuration file
- ipautil.remove_file(paths.SMB_CONF)
- fstore.restore_file(paths.SMB_CONF)
+ if fstore.has_file(paths.SMB_CONF):
+ ipautil.remove_file(paths.SMB_CONF)
+ fstore.restore_file(paths.SMB_CONF)
# Remove samba's persistent and temporary tdb files
tdb_files = [
@@ -624,7 +625,7 @@ def run():
api.Command.service_del(api.env.smb_princ)
except AttributeError:
logger.error(
- "Chosen IPA master %s does not have support to"
+ "Chosen IPA master %s does not have support to "
"set up Samba domain members", server,
)
return 1
From 00ba2ae6681dafa92d3f00f2a4e11adaa477ea0e Mon Sep 17 00:00:00 2001
From: François Cami <fcami@redhat.com>
Date: Jul 26 2019 13:09:42 +0000
Subject: ipatests: test ipa-client-samba after --uninstall
Related-to: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
---
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 26d70b3..933d468 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -153,3 +153,8 @@ class TestSMB(IntegrationTest):
# test for https://pagure.io/freeipa/issue/8019
# try another uninstall after the first one:
smbsrv.run_command(['ipa-client-samba', '--uninstall', '-U'])
+ # test for https://pagure.io/freeipa/issue/8021
+ # try to install again:
+ smbsrv.run_command(["ipa-client-samba", "-U"])
+ # cleanup:
+ smbsrv.run_command(['ipa-client-samba', '--uninstall', '-U'])
From 551cd68d0959b1ee761ead6338dc06c544c0c5da Mon Sep 17 00:00:00 2001
From: François Cami <fcami@redhat.com>
Date: Jul 26 2019 13:09:42 +0000
Subject: ipa-client-samba: remove state on uninstall
The "domain_member" state was not removed at uninstall time.
Remove it so that future invocations of ipa-client-samba work.
Fixes: https://pagure.io/freeipa/issue/8021
Signed-off-by: François Cami <fcami@redhat.com>
https://pagure.io/freeipa/issue/8021
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
---
diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py
index 6a3c3bd..126ef32 100755
--- a/ipaclient/install/ipa_client_samba.py
+++ b/ipaclient/install/ipa_client_samba.py
@@ -523,11 +523,25 @@ def run():
if options.uninstall:
if statestore.has_state("domain_member"):
uninstall(fstore, statestore, options)
- print(
- "Samba configuration is reverted. "
- "However, Samba databases were fully cleaned and "
- "old configuration file will not be usable anymore."
- )
+ try:
+ keys = (
+ "configured", "hardening", "groupmap", "tdb",
+ "service.principal", "smb.conf"
+ )
+ for key in keys:
+ statestore.delete_state("domain_member", key)
+ except Exception as e:
+ print(
+ "Error: Failed to remove the domain_member statestores: "
+ "%s" % e
+ )
+ return 1
+ else:
+ print(
+ "Samba configuration is reverted. "
+ "However, Samba databases were fully cleaned and "
+ "old configuration file will not be usable anymore."
+ )
else:
print("Samba domain member is not configured yet")
return 0

72
SOURCES/0005-WebUI-Add-PKINIT-status-field-to-Configuration-page-a46383f_rhbz#1518153.patch
View File

@ -1,72 +0,0 @@
From a46383ffe414f703264f8a81450f44abbd95d78e Mon Sep 17 00:00:00 2001
From: Serhii Tsymbaliuk <stsymbal@redhat.com>
Date: Jul 26 2019 20:36:58 +0000
Subject: WebUI: Add PKINIT status field to 'Configuration' page
- Add 'Server Options' section to the page
- Add 'IPA master capable of PKINIT' field to the 'Server Options'
Ticket: https://pagure.io/freeipa/issue/7305
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/install/ui/src/freeipa/serverconfig.js b/install/ui/src/freeipa/serverconfig.js
index 25f484a..6c82b40 100644
--- a/install/ui/src/freeipa/serverconfig.js
+++ b/install/ui/src/freeipa/serverconfig.js
@@ -50,6 +50,24 @@ return {
]
},
{
+ name: 'server',
+ label: '@i18n:objects.config.server',
+ fields: [
+ {
+ $type: 'entity_select',
+ name: 'ca_renewal_master_server',
+ other_entity: 'server',
+ other_field: 'cn',
+ flags: ['w_if_no_aci']
+ },
+ {
+ $type: 'multivalued',
+ name: 'pkinit_server_server',
+ read_only: true
+ }
+ ]
+ },
+ {
name: 'user',
label: '@i18n:objects.config.user',
fields: [
@@ -99,13 +117,6 @@ return {
{
$type: 'multivalued',
name: 'ipauserobjectclasses'
- },
- {
- $type: 'entity_select',
- name: 'ca_renewal_master_server',
- other_entity: 'server',
- other_field: 'cn',
- flags: ['w_if_no_aci']
}
]
},
diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
index 0f0ad3a..19957d7 100644
--- a/ipaserver/plugins/internal.py
+++ b/ipaserver/plugins/internal.py
@@ -726,6 +726,7 @@ class i18n_messages(Command):
"group": _("Group Options"),
"search": _("Search Options"),
"selinux": _("SELinux Options"),
+ "server": _("Server Options"),
"service": _("Service Options"),
"user": _("User Options"),
},

82
SOURCES/0005-ipa-client-automount-fails-after-repeated-installation-uninstallation_rhbz#1790886.patch Normal file
View File

@ -0,0 +1,82 @@
From 6332aed9ba67e2ee759a9d988ba92139486469d4 Mon Sep 17 00:00:00 2001
From: François Cami <fcami@redhat.com>
Date: Feb 14 2020 16:38:19 +0000
Subject: ipa-client-automount: call save_domain() for each change
Call sssdconfig.save_domain(domain) after each configuration
change during ipa-client-automount --uninstall.
Previously, sssdconfig.save_domain(domain) was called only
outside of the domain detection loop which changed the domain
configuration. This introduced issues as this method's behavior
is only consistent when configuration items are removed in a
certain order: https://pagure.io/SSSD/sssd/issue/4149
Plus, it is more correct to save the configuration from within
the loop if ever we support multiple domains.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py
index 3ef257a..fdf974d 100644
--- a/ipaclient/install/ipa_client_automount.py
+++ b/ipaclient/install/ipa_client_automount.py
@@ -355,9 +355,10 @@ def uninstall(fstore, statestore):
continue
if provider == "ipa":
domain.remove_option('ipa_automount_location')
+ sssdconfig.save_domain(domain)
domain.remove_provider('autofs')
+ sssdconfig.save_domain(domain)
break
- sssdconfig.save_domain(domain)
sssdconfig.write(paths.SSSD_CONF)
sssd = services.service('sssd', api)
sssd.restart()
From 7ae804c726970ae467a7f76efa21bae40405551d Mon Sep 17 00:00:00 2001
From: François Cami <fcami@redhat.com>
Date: Feb 14 2020 16:38:19 +0000
Subject: ipatests: make sure ipa-client-automount reverts sssd.conf
Due to https://pagure.io/SSSD/sssd/issue/4149 ipa-client-automount
fails to remove the ipa_automount_location entry from sssd.conf.
Test that autofs_provider and ipa_automount_location are removed.
Fixes: https://pagure.io/freeipa/issue/8190
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipatests/test_integration/test_nfs.py b/ipatests/test_integration/test_nfs.py
index 7d29836..532dd61 100644
--- a/ipatests/test_integration/test_nfs.py
+++ b/ipatests/test_integration/test_nfs.py
@@ -332,6 +332,20 @@ class TestIpaClientAutomountFileRestore(IntegrationTest):
"ipa-client-automount", "--uninstall", "-U"
])
+ if not no_sssd:
+ # https://pagure.io/freeipa/issue/8190
+ # check that no ipa_automount_location is left in sssd.conf
+ # also check for autofs_provider for good measure
+ grep_automount_in_sssdconf_cmd = \
+ "egrep ipa_automount_location\\|autofs_provider " \
+ "/etc/sssd/sssd.conf"
+ cmd = self.clients[0].run_command(
+ grep_automount_in_sssdconf_cmd, raiseonerr=False
+ )
+ assert cmd.returncode == 1, \
+ "PG8190 regression found: ipa_automount_location still " \
+ "present in sssd.conf"
+
cmd = self.clients[0].run_command(grep_automount_command)
assert cmd.stdout_text.split() == after_ipa_client_install

1339
SOURCES/0006-external-ca-profile-fix_rhbz#1731813.patch
View File

File diff suppressed because it is too large Load Diff

62
SOURCES/0006-install-updates-move-external-members-past-schema-compat-update_14dbf04_rhbz#1803165.patch Normal file
View File

@ -0,0 +1,62 @@
From 14dbf04148c6284b176eca34aa70df4bef09b857 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Feb 12 2020 14:16:42 +0000
Subject: install/updates: move external members past schema compat update
There is an ordering discrepancy because the base compat tree
configuration is in install/updates/80-schema_compat.update so it is ran
after 50-externalmembers.update. And since at that point
cn=groups,cn=Schema ... does not exist yet, external members
configuration is not applied.
Move it around to make sure it is applied after Schema Compatibility
plugin configuration is created.
Fixes: https://pagure.io/freeipa/issue/8193
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/install/updates/50-externalmembers.update b/install/updates/50-externalmembers.update
deleted file mode 100644
index 6b9c5dd..0000000
--- a/install/updates/50-externalmembers.update
+++ /dev/null
@@ -1,3 +0,0 @@
-dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
-addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
-addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
diff --git a/install/updates/81-externalmembers.update b/install/updates/81-externalmembers.update
new file mode 100644
index 0000000..6b9c5dd
--- /dev/null
+++ b/install/updates/81-externalmembers.update
@@ -0,0 +1,3 @@
+dn: cn=groups,cn=Schema Compatibility,cn=plugins,cn=config
+addifexist: schema-compat-entry-attribute: ipaexternalmember=%deref_r("member","ipaexternalmember")
+addifexist: schema-compat-entry-attribute: objectclass=ipaexternalgroup
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index 68facba..8a4d9cc 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -52,7 +52,6 @@ app_DATA = \
50-krbenctypes.update \
50-nis.update \
50-ipaconfig.update \
- 50-externalmembers.update \
55-pbacmemberof.update \
59-trusts-sysacount.update \
60-trusts.update \
@@ -65,7 +64,8 @@ app_DATA = \
73-winsync.update \
73-certmap.update \
75-user-trust-attributes.update \
- 80-schema_compat.update \
+ 80-schema_compat.update \
+ 81-externalmembers.update \
90-post_upgrade_plugins.update \
$(NULL)

72
SOURCES/0007-Allow-insecure-binds-for-migration-8e207fd3_rhbz#1731963.patch
View File

@ -1,72 +0,0 @@
From 8e207fd33d524f5cde2dfd8a41a08926a328a92b Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 13 Aug 2019 17:22:01 +0200
Subject: [PATCH] Allow insecure binds for migration
Commit 5be9341fbabaf7bcb396a2ce40f17e1ccfa54b77 disallowed simple bind
over an insecure connection. Password logins were only allowed over LDAPS
or LDAP+STARTTLS. The restriction broke 'ipa migrate-ds' in some cases.
This commit lifts the restriction and permits insecure binds over plain
LDAP. It also makes the migrate-ds plugin use STARTTLS when a CA
certificate is configured with a plain LDAP connection.
Fixes: https://pagure.io/freeipa/issue/8040
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
---
ipapython/ipaldap.py | 8 +++++---
ipaserver/plugins/migration.py | 9 ++++-----
2 files changed, 9 insertions(+), 8 deletions(-)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index 9ff443fe4f..f40858e27f 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1206,12 +1206,14 @@ def _connect(self):
return conn
def simple_bind(self, bind_dn, bind_password, server_controls=None,
- client_controls=None):
+ client_controls=None, insecure_bind=False):
"""
Perform simple bind operation.
"""
- if self.protocol == 'ldap' and not self._start_tls and bind_password:
- # non-empty bind must use a secure connection
+ if (self.protocol == 'ldap' and not self._start_tls and
+ bind_password and not insecure_bind):
+ # non-empty bind must use a secure connection unless
+ # insecure bind is explicitly enabled
raise ValueError('simple_bind over insecure LDAP connection')
with self.error_handler():
self._flush_schema()
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index d0ca8369ae..b025c46cc5 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -901,20 +901,19 @@ def execute(self, ldapuri, bindpw, **options):
return dict(result={}, failed={}, enabled=False, compat=True)
# connect to DS
- cacert = None
if options.get('cacertfile') is not None:
# store CA cert into file
tmp_ca_cert_f = write_tmp_file(options['cacertfile'])
cacert = tmp_ca_cert_f.name
- # start TLS connection
- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
+ # start TLS connection or STARTTLS
+ ds_ldap = LDAPClient(ldapuri, cacert=cacert, start_tls=True)
ds_ldap.simple_bind(options['binddn'], bindpw)
tmp_ca_cert_f.close()
else:
- ds_ldap = LDAPClient(ldapuri, cacert=cacert)
- ds_ldap.simple_bind(options['binddn'], bindpw)
+ ds_ldap = LDAPClient(ldapuri)
+ ds_ldap.simple_bind(options['binddn'], bindpw, insecure_bind=True)
# check whether the compat plugin is enabled
if not options.get('compat'):

67
SOURCES/0007-kdb-make-sure-audit_as_req-callback-signature-change-is-preserved_rhbz#1803786.patch Normal file
View File

@ -0,0 +1,67 @@
From 30b8c8b9985a5eb41e700b80fd03f95548e45fba Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 17 Feb 2020 13:58:51 +0200
Subject: [PATCH] kdb: make sure audit_as_req callback signature change is
preserved
audit_as_req() callback has changed its signature with MIT krb5 commit
20991d55efbe1f987c1dbc1065f2d58c8f34031b in 2017, we should preserve the
change for any newer DAL versions. Otherwise audit_as_req() callback
would reference wrong data and we might crash.
Fixes: https://pagure.io/freeipa/issue/8200
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.h | 2 +-
daemons/ipa-kdb/ipa_kdb_audit_as.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
index 7519f26e26..ae37a5a033 100644
--- a/daemons/ipa-kdb/ipa_kdb.h
+++ b/daemons/ipa-kdb/ipa_kdb.h
@@ -345,7 +345,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
+#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index 77748a75d6..a60bc82b6d 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -25,7 +25,7 @@
void ipadb_audit_as_req(krb5_context kcontext,
krb5_kdc_req *request,
-#if (KRB5_KDB_DAL_MAJOR_VERSION == 7)
+#if (KRB5_KDB_DAL_MAJOR_VERSION >= 7)
const krb5_address *local_addr,
const krb5_address *remote_addr,
#endif
#From 4eb48492b354ecc30ffe1dd9654dcc0e0e833d64 Mon Sep 17 00:00:00 2001
#From: Alexander Bokovoy <abokovoy@redhat.com>
#Date: Mon, 17 Feb 2020 14:21:10 +0200
#Subject: [PATCH] Azure Pipelines: re-enable nodejs:12 stream for Fedora 31+
#
#Reviewed-By: Christian Heimes <cheimes@redhat.com>
#---
# ipatests/azure/templates/prepare-build.yml | 1 +
# 1 file changed, 1 insertion(+)
#
#diff --git a/ipatests/azure/templates/prepare-build.yml b/ipatests/azure/templates/prepare-build.yml
#index 0528efe129..643910f085 100644
#--- a/ipatests/azure/templates/prepare-build.yml
#+++ b/ipatests/azure/templates/prepare-build.yml
#@@ -13,6 +13,7 @@ steps:
# for metalink in $(sudo dnf repolist -v |grep Repo-metalink | awk '{print $2}' ) ; do echo '###############' ; echo '####' ; echo $metalink ; echo '####' ; curl $metalink ; done
# echo "Fastestmirror results:"
# sudo cat /var/cache/dnf/fastestmirror.cache
#+ sudo dnf -y module enable nodejs:12
# sudo dnf makecache || :
# echo "Installing base development environment"
# sudo dnf install -y \

120
SOURCES/0008-Allow-an-empty-cookie-in-dogtag-ipa-ca-renew-agent-submit_3d7d58d_rhbz#1790663.patch Normal file
View File

@ -0,0 +1,120 @@
From 3d7d58d8214f3c899c0afd1a3a6a6678f38b7b39 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 13 2020 18:41:53 +0000
Subject: Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
A "cookie" is used with certmonger to track the state of a
request across multiple requests to a CA (in ca-cookie). This
is used with the certmonger POLL operation to submit a request
to the CA for the status of a certificate request. This, along
with the profile, are passed to the certmonger CA helper
scripts via environment variables when a request is made. It is
cleared from the certmonger request once the certificate is
issued.
This CA helper can do a number of things:
- SUBMIT new certicate requests (including the CA)
- POLL for status of an existing certificate request
- For non renewal masters, POLL to see if an updated cert is in
LDAP
A POLL operation requires a cookie so that the state about the
request can be passed to the CA. For the case of retrieving an
updated cert from LDAP there is no state to maintain. It just
checks LDAP and returns either a cert or WAIT_WITH_DELAY if one
is not yet available.
There are two kinds of cookies in operation here:
1. The CERTMONGER_CA_COOKIE environment variable passed via
certmonger to this helper which is a JSON object.
2. The cookie value within the JSON object which contains the
URL to be passed to dogtag.
For the purposes of clarity "cookie" here is the value within
the JSON.
The CERTMONGER_CA_COOKIE is deconstructed and reconstructed as
the request is processed, doing double duty. It initially comes
in as a JSON dict object with two keys: profile and cookie.
In call_handler the CERTMONGER_CA_COOKIE is decomposed into a
python object and the profile compared to the requested profile
(and request rejected if they don't match) and the cookie key
overrides the CERTMONGER_CA_COOKIE environment variable. This is
then reversed at the end of the request when it again becomes a
JSON object containing the profile and cookie.
This script was previously enforcing that a cookie be available on
all POLL requests, whether it is actually required or not. This
patch relaxes that requirement.
The first request of a non-renewal master for an updated certicate
from LDAP is a SUBMIT operation. This is significant because it
doesn't require a cookie: there is no state on a new request. If
there is no updated cert in LDAP then the tracking request goes
into the CA_WORKING state and certmonger will wait 8 hours (as
returned by this script) and try again.
Subsequent requests are done using POLL. This required a cookie
so all such requests would fail with the ca-error
Invalid cookie: u'' as it was empty (because there is no state).
There is no need to fail early on a missing cookie. Enforcement
will be done later if needed (and it isn't always needed). So
if CERTMONGER_CA_COOKIE is an empty string then generate a new
CERTMONGER_CA_COOKIE containing the requested profile and an empty
cookie. It still will fail if certmonger doesn't set a cookie at
all.
An example of a cookie when retrieving a new RA Agent certificate
is:
{"profile": "caServerCert", "cookie": "state=retrieve&requestId=20"}
This will result in this request to the CA:
[09/Jan/2020:14:29:54 -0500] "GET
/ca/ee/ca/displayCertFromRequest?requestId=20&importCert=true&xml=true
HTTP/1.1" 200 9857
For a renewal, the reconstructed cookie will consist of:
{"profile": "caServerCert", "cookie": ""}
https://pagure.io/freeipa/issue/8164
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
index 10efb4c..95ad080 100644
--- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
@@ -123,7 +123,9 @@ def call_handler(_handler, *args, **kwargs):
operation = os.environ['CERTMONGER_OPERATION']
if operation == 'POLL':
cookie = os.environ.pop('CERTMONGER_CA_COOKIE', None)
- if cookie is not None:
+ if cookie is None:
+ return (UNCONFIGURED, "Cookie not provided")
+ if len(cookie) > 0:
try:
context = json.loads(cookie)
if not isinstance(context, dict):
@@ -131,7 +133,13 @@ def call_handler(_handler, *args, **kwargs):
except (TypeError, ValueError):
return (UNCONFIGURED, "Invalid cookie: %r" % cookie)
else:
- return (UNCONFIGURED, "Cookie not provided")
+ # Reconstruct the data for the missing cookie. Sanity checking
+ # is done elsewhere, when needed.
+ context = dict(cookie=u'')
+ profile = os.environ.get('CERTMONGER_CA_PROFILE')
+ if profile is not None:
+ profile = profile.encode('ascii').decode('raw_unicode_escape')
+ context['profile'] = profile
if 'profile' in context:
profile = context.pop('profile')

104
SOURCES/0008-install-Add-missing-scripts-to-app_DATA_rhbz#1741170.patch
View File

@ -1,104 +0,0 @@
install/updates/30-ipservices.update from 39eaf2fa as it is not part of the
release tarball of 4.8.0 but needed for 27586cb7:
commit 39eaf2fab5e27bd12edfb2a24c439a8ea5fb26f0
Author: Christian Heimes <cheimes@redhat.com>
Date: Fri Dec 7 13:08:49 2018 +0100
Add index and container for RFC 2307 IP services
IPA doesn't officially support RFC 2307 IP services. However SSSD has a
nsswitch plugin to provide service lookups. The subtree search for
(&(ipserviceport=$PORT)(ipserviceprotocol=$SRV)(objectclass=ipservice)) in
cn=accounts,$SUFFIX has caused performance issues on large
installations.
This patch introduced a dedicated container
cn=ipservices,cn=accounts,$SUFFIX for IP services for future use or 3rd
party extensions. SSSD will be change its search base in an upcoming
release, too.
A new ipServicePort index is added to optimize searches for an IP
service by port. There is no index on ipServiceProtocol because the index
would have poor selectivity. An ipService entry has either 'tcp' or 'udp'
as protocol.
Fixes: https://pagure.io/freeipa/issue/7797
See: https://pagure.io/freeipa/issue/7786
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
diff --git a/install/updates/30-ipservices.update b/install/updates/30-ipservices.update
new file mode 100644
index 000000000..01a6d52f8
--- /dev/null
+++ b/install/updates/30-ipservices.update
@@ -0,0 +1,6 @@
+# container for RFC 2307 IP services
+
+dn: cn=ipservices,cn=accounts,$SUFFIX
+default: objectClass: top
+default: objectClass: nsContainer
+default: cn: ipservices
install/updates/75-user-trust-attributes.update from c18ee9b6 as it is not
part of the release tarball of 4.8.0 but needed for 27586cb7:
commit c18ee9b641ddc1e6b52d0413caa1fb98ac13785d
Author: Tibor Dudlák <tdudlak@redhat.com>
Date: Tue Apr 2 16:23:09 2019 +0200
Add SMB attributes for users
SMB attributes are used by Samba domain controller when reporting
details about IPA users via LSA DCE RPC calls.
Based on the initial work from the external plugin:
https://github.com/abbra/freeipa-user-trust-attributes
Related: https://pagure.io/freeipa/issue/3999
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Tibor Dudlák <tdudlak@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Tibor Dudlak <tdudlak@redhat.com>
diff --git a/install/updates/75-user-trust-attributes.update b/install/updates/75-user-trust-attributes.update
new file mode 100644
index 000000000..43bb40c7d
--- /dev/null
+++ b/install/updates/75-user-trust-attributes.update
@@ -0,0 +1,5 @@
+# Add an explicit self-service ACI to allow writing to manage trust attributes
+# for the owner of the object
+dn: cn=users,cn=accounts,$SUFFIX
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "system:Allow trust agents to read user SMB attributes";allow (read) groupdn = "ldap:///cn=adtrust agents,cn=sysaccounts,cn=etc,$SUFFIX";)
+add:aci:(targetattr = "ipantlogonscript || ipantprofilepath || ipanthomedirectory || ipanthomedirectorydrive")(version 3.0;acl "selfservice:Users can manage their SMB attributes";allow (write) userdn = "ldap:///self";)
commit 27586cb7ae32af191cb8a3c36fc8856957300f08
Author: Timo Aaltonen <tjaalton@debian.org>
Date: Fri Aug 9 23:03:25 2019 +0300
install: Add missing scripts to app_DATA.
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
index bce8a56b1..68facbaf2 100644
--- a/install/updates/Makefile.am
+++ b/install/updates/Makefile.am
@@ -30,6 +30,7 @@ app_DATA = \
21-ca_renewal_container.update \
21-certstore_container.update \
25-referint.update \
+ 30-ipservices.update \
30-provisioning.update \
30-s4u2proxy.update \
37-locations.update \
@@ -63,6 +64,7 @@ app_DATA = \
73-custodia.update \
73-winsync.update \
73-certmap.update \
+ 75-user-trust-attributes.update \
80-schema_compat.update \
90-post_upgrade_plugins.update \
$(NULL)

345
SOURCES/0009-extdom-unify-error-code-handling-especially-LDAP_NO_SUCH_OBJECT_rhbz#1741530.patch
View File

@ -1,345 +0,0 @@
From 3bb72545fc337564e0843b0c72906a9a1e3f6a06 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 14 Jun 2019 11:13:54 +0200
Subject: [PATCH] extdom: unify error code handling especially
LDAP_NO_SUCH_OBJECT
A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to
remove the searched object from the cache. As a consequence
LDAP_NO_SUCH_OBJECT should only be returned if the object really does
not exists otherwise the data of existing objects might be removed form
the cache of the clients causing unexpected behaviour like
authentication errors.
Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code.
With this patch LDAP_NO_SUCH_OBJECT is only returned if the related
lookup functions return ENOENT. Timeout related error code will lead to
LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default
error code.
Fixes: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa-extdom-extop/back_extdom_sss_idmap.c | 4 +-
.../ipa-extdom-extop/ipa_extdom_common.c | 77 ++++++++++++++-----
.../ipa-extdom-extop/ipa_extdom_extop.c | 2 +
3 files changed, 61 insertions(+), 22 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c
index ef552a9a37..163e8e1371 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c
@@ -62,10 +62,10 @@ static enum nss_status __convert_sss_nss2nss_status(int errcode) {
return NSS_STATUS_SUCCESS;
case ENOENT:
return NSS_STATUS_NOTFOUND;
- case ETIME:
- /* fall-through */
case ERANGE:
return NSS_STATUS_TRYAGAIN;
+ case ETIME:
+ /* fall-through */
case ETIMEDOUT:
/* fall-through */
default:
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 525487c9e4..65c723ce65 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -523,7 +523,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_NO_SUCH_OBJECT;
+ ret = LDAP_INVALID_SYNTAX;
goto done;
}
}
@@ -568,10 +568,12 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
ret = getgrgid_r_wrapper(ctx,
groups[c], &grp, &buf, &buf_len);
if (ret != 0) {
- if (ret == ENOMEM || ret == ERANGE) {
- ret = LDAP_OPERATIONS_ERROR;
- } else {
+ if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
+ } else {
+ ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
@@ -634,7 +636,7 @@ int pack_ber_group(enum response_types response_type,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_NO_SUCH_OBJECT;
+ ret = LDAP_INVALID_SYNTAX;
goto done;
}
}
@@ -836,6 +838,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
|| id_type == SSS_ID_TYPE_BOTH)) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to lookup SID by UID");
ret = LDAP_OPERATIONS_ERROR;
@@ -847,10 +851,12 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
} else {
ret = getpwuid_r_wrapper(ctx, uid, &pwd, &buf, &buf_len);
if (ret != 0) {
- if (ret == ENOMEM || ret == ERANGE) {
- ret = LDAP_OPERATIONS_ERROR;
- } else {
+ if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
+ } else {
+ ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
@@ -862,6 +868,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
@@ -907,6 +915,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
if (ret != 0 || id_type != SSS_ID_TYPE_GID) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to lookup SID by GID");
ret = LDAP_OPERATIONS_ERROR;
@@ -918,10 +928,12 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
} else {
ret = getgrgid_r_wrapper(ctx, gid, &grp, &buf, &buf_len);
if (ret != 0) {
- if (ret == ENOMEM || ret == ERANGE) {
- ret = LDAP_OPERATIONS_ERROR;
- } else {
+ if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
+ } else {
+ ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
@@ -933,6 +945,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
@@ -976,6 +990,8 @@ static int handle_cert_request(struct ipa_extdom_ctx *ctx,
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to lookup name by certificate");
ret = LDAP_OPERATIONS_ERROR;
@@ -1020,6 +1036,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to lookup name by SID");
ret = LDAP_OPERATIONS_ERROR;
@@ -1057,10 +1075,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
case SSS_ID_TYPE_BOTH:
ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len);
if (ret != 0) {
- if (ret == ENOMEM || ret == ERANGE) {
- ret = LDAP_OPERATIONS_ERROR;
- } else {
+ if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
+ } else {
+ ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
@@ -1072,6 +1092,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
@@ -1089,10 +1111,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
case SSS_ID_TYPE_GID:
ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len);
if (ret != 0) {
- if (ret == ENOMEM || ret == ERANGE) {
- ret = LDAP_OPERATIONS_ERROR;
- } else {
+ if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
+ } else {
+ ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
@@ -1104,6 +1128,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
@@ -1167,6 +1193,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
if (ret != 0) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to lookup SID by name");
ret = LDAP_OPERATIONS_ERROR;
@@ -1190,6 +1218,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
set_err_msg(req, "Failed to read original data");
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
ret = LDAP_OPERATIONS_ERROR;
}
@@ -1205,6 +1235,9 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
} else if (ret == ENOMEM || ret == ERANGE) {
ret = LDAP_OPERATIONS_ERROR;
goto done;
+ } else if (ret == ETIMEDOUT) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
+ goto done;
} else { /* no user entry found */
/* according to the getpwnam() man page there are a couple of
* error codes which can indicate that the user was not found. To
@@ -1212,10 +1245,12 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
* errors. */
ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len);
if (ret != 0) {
- if (ret == ENOMEM || ret == ERANGE) {
- ret = LDAP_OPERATIONS_ERROR;
- } else {
+ if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
+ } else {
+ ret = LDAP_OPERATIONS_ERROR;
}
goto done;
}
@@ -1226,6 +1261,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx,
|| id_type == SSS_ID_TYPE_BOTH)) {
if (ret == ENOENT) {
ret = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == ETIMEDOUT || ret == ETIME) {
+ ret = LDAP_TIMELIMIT_EXCEEDED;
} else {
set_err_msg(req, "Failed to read original data");
ret = LDAP_OPERATIONS_ERROR;
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
index 10d3f86eba..48fcecc1ee 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c
@@ -242,6 +242,8 @@ static int ipa_extdom_extop(Slapi_PBlock *pb)
if (ret != LDAP_SUCCESS) {
if (ret == LDAP_NO_SUCH_OBJECT) {
rc = LDAP_NO_SUCH_OBJECT;
+ } else if (ret == LDAP_TIMELIMIT_EXCEEDED) {
+ rc = LDAP_TIMELIMIT_EXCEEDED;
} else {
rc = LDAP_OPERATIONS_ERROR;
err_msg = "Failed to handle the request.\n";
From 0ead6f59732e8b3370c5d8d05acd29f2d56c52bb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 19 Aug 2019 10:15:50 +0300
Subject: [PATCH] ipa-extdom-extop: test timed out getgrgid_r
Simulate getgrgid_r() timeout when packing list of groups user is a
member of in pack_ber_user().
Related: https://pagure.io/freeipa/issue/8044
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
.../ipa_extdom_cmocka_tests.c | 29 +++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
index 29699cfa39..1fa4c6af82 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c
@@ -493,6 +493,34 @@ void test_set_err_msg(void **state)
#define TEST_SID "S-1-2-3-4"
#define TEST_DOMAIN_NAME "DOMAIN"
+/* Always time out for test */
+static
+enum nss_status getgrgid_r_timeout(gid_t gid, struct group *result,
+ char *buffer, size_t buflen, int *errnop) {
+ return NSS_STATUS_UNAVAIL;
+}
+
+void test_pack_ber_user_timeout(void **state)
+{
+ int ret;
+ struct berval *resp_val = NULL;
+ struct test_data *test_data;
+ enum nss_status (*oldgetgrgid_r)(gid_t gid, struct group *result,
+ char *buffer, size_t buflen, int *errnop);
+
+ test_data = (struct test_data *) *state;
+
+ oldgetgrgid_r = test_data->ctx->nss_ctx->getgrgid_r;
+ test_data->ctx->nss_ctx->getgrgid_r = getgrgid_r_timeout;
+
+ ret = pack_ber_user(test_data->ctx, RESP_USER_GROUPLIST,
+ TEST_DOMAIN_NAME, "member001", 12345, 54321,
+ "gecos", "homedir", "shell", NULL, &resp_val);
+ test_data->ctx->nss_ctx->getgrgid_r = oldgetgrgid_r;
+ assert_int_equal(ret, LDAP_TIMELIMIT_EXCEEDED);
+ ber_bvfree(resp_val);
+}
+
char res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 0x53, 0x2d, 0x31, \
0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34};
char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \
@@ -614,6 +642,7 @@ void test_decode(void **state)
int main(int argc, const char *argv[])
{
const struct CMUnitTest tests[] = {
+ cmocka_unit_test(test_pack_ber_user_timeout),
cmocka_unit_test(test_getpwnam_r_wrapper),
cmocka_unit_test(test_getpwuid_r_wrapper),
cmocka_unit_test(test_getgrnam_r_wrapper),

2004
SOURCES/0010-Fix-automount-behavior-with-authselect_rhbz#1740167.patch
View File

File diff suppressed because it is too large Load Diff

789
SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
View File

File diff suppressed because one or more lines are too long

16
SOURCES/freeipa-4.8.0.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl0cTrUACgkQRxniuKu/
YhoehQ//YuCG+Rq2wbkSDiooP8/0K5HvO/atz4Ke8iaKsOKS8gdmaJTyMnsOOoTc
hlx925TIOc4/Xp1+qeIn7T8xZp3rYtGcMcxIyKlUrHCU1Jxc07zf+ZlSwCZTCjLU
YGAh9ReC9+//1oJqnr/C+Rp3veZbYn3DIG261GMqOlHCUfF91hF78XctzklcZNpV
D38a+gfXdWivejezA/GWyiY3foIcLI98zpBd2v0PXEzaKO2BqrVlOl2nDC7BGapS
PvpB4GPwuwo8qxASFbu8I6uxyp2oDZtrM/Tb1HM31cuslieH5p/XRwJ8zoewHvgo
jSKXfcBHmRvjMjSL07R3b7JjZ+1jmj/C5VNXQcPfp2qdhDhmywDArfC3uIBJ2otx
oxKbtAhAzeGIaoyfgjrxk0ZOubnIbmk/M8nan2F9ChJV/NoKVjDVAfUDDM2h6wXg
IRBg6uIOkJAKuOr7i0zaxBkBi/8NpUE214JvJnNfWa1gpoYu1S5tzuja6dSeteRM
JTPPzpkKD2sgK/laRmZQo2si1qFOGEYnLTO0dWJV4/ScZCCy9+rCQ0C6NwKYC7xy
8c1Juu/YqJF/14VbYAWQIABIK/0z0TiVI0r0v75rzSFpMiThrgC6wXo1zFEADiK0
GSoYwkcygn0ne21jQxLizGAPRYvdQ5RkpiE2/J4nVSTyuSM/cM4=
=Q29c
-----END PGP SIGNATURE-----

16
SOURCES/freeipa-4.8.4.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAl302dsACgkQRxniuKu/
Yhrd0RAAvUv30O5rSlww30kxqV3oQb5CIJYSGb/jpWMAhj1Nr+1Ye1P3rCyJLP4R
+fVu23bgIywv8qkWPZdQxohkYCuiTZa8ogl3gXWJDRCp5f5oKWALzwU+Zlu8HlVj
z8UAOFXEO1fYwvwpOPdr+gGiTS5pLq39EIBZSVjvuviXR0adwVcVvw0R2YXYmiLE
x5uaM289YQ4hKY/V0rgqNn0nYiogFcFvSlhkM9oi4+JiKypocPqKTjM4n8EcdXv4
rSJ6Zv6FgnyoREBITCZjKaTn8OTkhqhhzMOgMzWr8QSmNl44UKA9aq5ZIEJgEnMR
N3vW6Br1f4TDJ3JyWeMoizQcNeTFyuoxN9HhGpvDotx+6g+j2yNfAK7ZZAtjULhm
m13zb1svCbGtvRxB8QfIQe62l3drooimWRf5o9fgPVU0MIxgL7x7AulxrZekik6J
NdwXiz75SKfbFZZWVdf9FjJkaBZ3CpJMJnDQiQyCs+xBWOpXYGYkz9a1NRoFgCdC
y8bY9ErfzhLdcgjbZ3EE24FkWMBeUdW+BC4AYSChZlqUZ9CMTQIdyqPVSG/u5sc9
2Rn1YasAfu0P3DJgRCI0BUcxkxFet5M8hfB0iuLE4OJTKnyhmmOUKmO2wUSw0QIr
ogzzN9DF84wwXD1P4X6WFEzOOthCdLPUHyDo3u5fVIy4QWZZDlQ=
=TTzs
-----END PGP SIGNATURE-----

142
SPECS/ipa.spec
View File

@ -55,19 +55,20 @@
%if 0%{?rhel}
%global package_name ipa
%global alt_name freeipa
%global krb5_version 1.17-7
%global krb5_version 1.17-12
%global krb5_kdb_version 7.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
%global python_netaddr_version 0.7.19
# Require 4.7.0 which brings Python 3 bindings
%global samba_version 4.7.0
%global selinux_policy_version 3.14.1-14
%global samba_version 4.11.2-11
# Require 3.14.3-24 - Allow ipa_ods_exporter_t domain to read krb5_keytab files
%global selinux_policy_version 3.14.3-24
%global slapi_nis_version 0.56.1-4
%global python_ldap_version 3.1.0-1
# python3-lib389
# Fix for "Installation fails: Replica Busy"
# https://pagure.io/389-ds-base/issue/49818
%global ds_version 1.4.0.16
%global ds_version 1.4.2.4-6
%else
# Fedora
@ -101,7 +102,7 @@
# 10.6.7 fixes UpdateNumberRange clone installation issue
# https://pagure.io/freeipa/issue/7654 and empty token issue
# and https://pagure.io/dogtagpki/issue/3073
%global pki_version 10.7.1-2
%global pki_version 10.8.0
# https://pagure.io/certmonger/issue/90
%global certmonger_version 0.79.7-3
@ -111,10 +112,10 @@
%if 0%{?fedora} == 28
%global nss_version 3.41.0-3
%else
%global nss_version 3.41.0-1
%global nss_version 3.44.0-4
%endif
%global sssd_version 2.2.0-1
%global sssd_version 2.2.3-11
%global kdcproxy_version 0.4-3
@ -126,16 +127,16 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.8.0
%define IPA_VERSION 4.8.4
%define AT_SIGN @
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
%define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
%define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
%endif
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 10%{?dist}
Release: 7%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -150,16 +151,14 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.as
# RHEL spec file only: END: Change branding to IPA and Identity Management
# RHEL spec file only: START
Patch0001: 0001-No-need-to-call-rhel-specific-domainname-service.patch
Patch0002: 0002-Fix-test_webui.test_selinuxusermap.patch
Patch0003: 0003-Remove-posixAccount-from-service_find-search-filter-2f9cbff_rhbz#1731437.patch
Patch0004: 0004-Repeated-uninstallation-of-ipa-client-samba-crashes_rhbz#1732529.patch
Patch0005: 0005-WebUI-Add-PKINIT-status-field-to-Configuration-page-a46383f_rhbz#1518153.patch
Patch0006: 0006-external-ca-profile-fix_rhbz#1731813.patch
Patch0007: 0007-Allow-insecure-binds-for-migration-8e207fd3_rhbz#1731963.patch
Patch0008: 0008-install-Add-missing-scripts-to-app_DATA_rhbz#1741170.patch
Patch0009: 0009-extdom-unify-error-code-handling-especially-LDAP_NO_SUCH_OBJECT_rhbz#1741530.patch
Patch0010: 0010-Fix-automount-behavior-with-authselect_rhbz#1740167.patch
Patch0001: 0001-DNS-install-check-Fix-overlapping-DNS-zone-from-the-master-itself_2c2cef7_rhbz#1784003.patch
Patch0002: 0002-krbtktpolicy-reset.patch
Patch0003: 0003-adtrust-print-DNS-records-for-external-DNS-case-after-role-is-enabled_936e27f_rhbz#1665051.patch
Patch0004: 0004-AD-user-without-override-receive-InternalServerError-with-API_4db18be_rhbz#1782572.patch
Patch0005: 0005-ipa-client-automount-fails-after-repeated-installation-uninstallation_rhbz#1790886.patch
Patch0006: 0006-install-updates-move-external-members-past-schema-compat-update_14dbf04_rhbz#1803165.patch
Patch0007: 0007-kdb-make-sure-audit_as_req-callback-signature-change-is-preserved_rhbz#1803786.patch
Patch0008: 0008-Allow-an-empty-cookie-in-dogtag-ipa-ca-renew-agent-submit_3d7d58d_rhbz#1790663.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-4.8.0-Remove-csrgen.patch
# RHEL spec file only: END
@ -172,7 +171,7 @@ BuildRequires: openldap-devel
# will cause the build to fail due to unsatisfied dependencies.
# DAL version change may cause code crash or memory leaks, it is better to fail early.
BuildRequires: krb5-kdb-version = %{krb5_kdb_version}
BuildRequires: krb5-devel >= %{krb5_version}
BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version}
# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
BuildRequires: xmlrpc-c-devel >= 1.27.4
BuildRequires: popt-devel
@ -317,7 +316,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: python3-ipaserver = %{version}-%{release}
Requires: python3-ldap >= %{python_ldap_version}
Requires: 389-ds-base >= %{ds_version}
Requires: openldap-clients > 2.4.35-4
Requires: openldap-clients >= 2.4.46-11
Requires: nss >= %{nss_version}
Requires: nss-tools >= %{nss_version}
Requires(post): krb5-server >= %{krb5_version}
@ -451,7 +450,7 @@ If you are installing an IPA server, you need to install this package.
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
BuildArch: noarch
Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.0-2
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= 9.11.0-6.P2
Requires: bind-utils >= 9.11.0-6.P2
Requires: bind-pkcs11 >= 9.11.0-6.P2
@ -1014,11 +1013,17 @@ if [ $1 -gt 1 ] ; then
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
fi
%{python} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
fi
if [ $restore -ge 2 ]; then
%{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
fi
if [ $restore -ge 2 ]; then
sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config
fi
fi
@ -1177,6 +1182,7 @@ fi
%{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.template
%{_usr}/share/ipa/bind.ipa-ext.conf
%dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy
%{_usr}/share/ipa/advise/legacy/*.template
@ -1223,6 +1229,7 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
@ -1391,6 +1398,93 @@ fi
%changelog
* Wed Mar 18 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-7
- Update dependencies for openldap-client
Resolves: RHBZ#1781799
* Mon Feb 17 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-6
- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit
Resolves: RHBZ#1790663
* Mon Feb 17 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-5
- Fixed weekday in 4.8.4-2 changelog date
Related: RHBZ#1784003
- adtrust: print DNS records for external DNS case after role is enabled
Resolves: RHBZ#1665051
- AD user without override receive InternalServerError with API
Resolves: RHBZ#1782572
- ipa-client-automount fails after repeated installation/uninstallation
Resolves: RHBZ#1790886
- install/updates: move external members past schema compat update
Resolves: RHBZ#1803165
- kdb: make sure audit_as_req callback signature change is preserved
Resolves: RHBZ#1803786
* Wed Jan 29 2020 Thomas Woerner <twoerner@redhat.com> - 4.8.4-4
- Update dependencies for samba, 389-ds and sssd
Resolves: RHBZ#1792848
* Fri Jan 17 2020 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.4-3
- Depend on krb5-kdb-version-devel for BuildRequires
- Update nss dependency to 3.44.0-4
- Reset per-indicator Kebreros policy
Resolves: RHBZ#1784761
* Sat Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-2
- DNS install check: Fix overlapping DNS zone from the master itself
Resolves: RHBZ#1784003
* Sat Dec 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.4-1
- Rebase to upstream release 4.8.4
- Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3
Resolves: RHBZ#1782658
Resolves: RHBZ#1782169
Resolves: RHBZ#1783046
Related: RHBZ#1748987
* Mon Dec 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-3
- Fix otptoken_sync plugin
Resolves: RHBZ#1777811
* Mon Dec 2 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.3-2
- Use default crypto policy for TLS and enable TLS 1.3 support
Resolves: RHBZ#1777809
- Covscan fixes
Resolves: RHBZ#1777920
- Change pki_version to 10.8.0
Related: RHBZ#1748987
* Thu Nov 28 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.3-1
- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195)
Resolves: RHBZ#1767304
Resolves: RHBZ#1776939
- Support KDC ticket policies for authentication indicators
Resolves: RHBZ#1777564
* Tue Nov 26 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.2-4
- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf()
Resolves: RHBZ#1767304
- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
Resolves: RHBZ#1776939
* Fri Nov 22 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-3
- Use default ssh host key algorithms
Resolves: RHBZ#1756432
- Do not run trust upgrade code if master lacks Samba bindings
Resolves: RHBZ#1757064
- Finish group membership management UI
Resolves: RHBZ#1773528
* Mon Nov 18 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-2
- Update dependency for bind-dndb-ldap to 11.2-2
Related: RHBZ#1762813
* Thu Nov 14 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.2-1
- Rebase to upstream release 4.8.2
- Removed upstream patches 0001 to 0010 that are part of version 4.8.2
- Updated branding patch
Resolves: RHBZ#1748987
* Thu Aug 29 2019 Thomas Woerner <twoerner@redhat.com> - 4.8.0-10
- Fix automount behavior with authselect
Resolves: RHBZ#1740167