diff --git a/.gitignore b/.gitignore
index 86888a6..f881887 100644
--- a/.gitignore
+++ b/.gitignore
@@ -78,3 +78,5 @@
/freeipa-4.8.0.tar.gz.asc
/freeipa-4.8.1.tar.gz
/freeipa-4.8.1.tar.gz.asc
+/freeipa-4.8.2.tar.gz
+/freeipa-4.8.2.tar.gz.asc
diff --git a/0001-Don-t-install-a-preexec_fn-by-default.patch b/0001-Don-t-install-a-preexec_fn-by-default.patch
deleted file mode 100644
index f42779d..0000000
--- a/0001-Don-t-install-a-preexec_fn-by-default.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 7ee24413f0945b7d582a33795cdfc7c59471cb69 Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Mon, 7 Oct 2019 21:58:00 +0200
-Subject: [PATCH] Don't install a preexec_fn by default
-
-ipautil.run() now only installs a preexec_fn when it is actually needed.
-This addresses a compatibility issue with mod_wsgi subinterpreters under
-Python 3.8.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1759290
-See: https://bugs.python.org/issue37951
-Signed-off-by: Christian Heimes
----
- ipapython/ipautil.py | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
-index d87b9e3c1..e047324d3 100644
---- a/ipapython/ipautil.py
-+++ b/ipapython/ipautil.py
-@@ -515,14 +515,18 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
- for group, gid in zip(suplementary_groups, suplementary_gids):
- logger.debug('suplementary_group=%s (GID %d)', group, gid)
-
-- def preexec_fn():
-- if runas is not None:
-- os.setgroups(suplementary_gids)
-- os.setregid(pent.pw_gid, pent.pw_gid)
-- os.setreuid(pent.pw_uid, pent.pw_uid)
--
-- if umask:
-- os.umask(umask)
-+ if runas is not None or umask is not None:
-+ # preexec function is not supported in WSGI environment
-+ def preexec_fn():
-+ if runas is not None:
-+ os.setgroups(suplementary_gids)
-+ os.setregid(pent.pw_gid, pent.pw_gid)
-+ os.setreuid(pent.pw_uid, pent.pw_uid)
-+
-+ if umask is not None:
-+ os.umask(umask)
-+ else:
-+ preexec_fn = None
-
- try:
- # pylint: disable=subprocess-popen-preexec-fn
---
-2.20.1
-
diff --git a/0002-dont-create-log-files-from-help-scripts.patch b/0002-dont-create-log-files-from-help-scripts.patch
deleted file mode 100644
index ad6a29f..0000000
--- a/0002-dont-create-log-files-from-help-scripts.patch
+++ /dev/null
@@ -1,174 +0,0 @@
-From 90f72324549f2bceba3e051efb2a1b43c467ff8a Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Mon, 23 Sep 2019 18:23:04 +0200
-Subject: [PATCH] Don't create log files from help scripts
-
-Helper scripts now use api.bootstrap(log=None) to avoid the creation of
-log files. Helper scripts are typically executed from daemons which
-perform their own logging. The helpers still log to stderr/stdout.
-
-This also gets rid of some SELinux AVCs when the script tries to write
-to /root/.ipa/.
-
-Fixes: https://pagure.io/freeipa/issue/8075
-Signed-off-by: Christian Heimes
-Reviewed-By: Alexander Bokovoy
-Reviewed-By: Rob Crittenden
----
- install/certmonger/dogtag-ipa-ca-renew-agent-submit.in | 4 +++-
- install/restart_scripts/renew_ca_cert.in | 4 +++-
- install/restart_scripts/renew_ra_cert.in | 4 +++-
- install/restart_scripts/restart_dirsrv.in | 4 +++-
- install/restart_scripts/stop_pkicad.in | 4 +++-
- install/tools/ipa-custodia-check.in | 2 +-
- install/tools/ipa-httpd-kdcproxy.in | 6 ++++--
- install/tools/ipa-pki-wait-running.in | 2 +-
- ipaserver/secrets/handlers/dmldap.py | 6 +++---
- 9 files changed, 24 insertions(+), 12 deletions(-)
-
-diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
-index a9f17db3a..10efb4cf3 100644
---- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
-+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
-@@ -477,7 +477,9 @@ def main():
- if operation not in ('SUBMIT', 'POLL'):
- return OPERATION_NOT_SUPPORTED_BY_HELPER
-
-- api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
-+ api.bootstrap(
-+ in_server=True, context='renew', confdir=paths.ETC_IPA, log=None
-+ )
- api.finalize()
-
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
-diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in
-index 6d1ae6253..b265e62d5 100644
---- a/install/restart_scripts/renew_ca_cert.in
-+++ b/install/restart_scripts/renew_ca_cert.in
-@@ -43,7 +43,9 @@ from ipapython.certdb import TrustFlags
- def _main():
- nickname = sys.argv[1]
-
-- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-+ api.bootstrap(
-+ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
-+ )
- api.finalize()
-
- dogtag_service = services.knownservices['pki_tomcatd']
-diff --git a/install/restart_scripts/renew_ra_cert.in b/install/restart_scripts/renew_ra_cert.in
-index 2a0416d21..02f2f5e23 100644
---- a/install/restart_scripts/renew_ra_cert.in
-+++ b/install/restart_scripts/renew_ra_cert.in
-@@ -34,7 +34,9 @@ from ipaplatform.paths import paths
-
-
- def _main():
-- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-+ api.bootstrap(
-+ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
-+ )
- api.finalize()
-
- tmpdir = tempfile.mkdtemp(prefix="tmp-")
-diff --git a/install/restart_scripts/restart_dirsrv.in b/install/restart_scripts/restart_dirsrv.in
-index 77c2409a3..56cfa104f 100644
---- a/install/restart_scripts/restart_dirsrv.in
-+++ b/install/restart_scripts/restart_dirsrv.in
-@@ -34,7 +34,9 @@ def _main():
- except IndexError:
- instance = ""
-
-- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-+ api.bootstrap(
-+ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
-+ )
- api.finalize()
-
- syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
-diff --git a/install/restart_scripts/stop_pkicad.in b/install/restart_scripts/stop_pkicad.in
-index a51c31226..c1b1a0aca 100644
---- a/install/restart_scripts/stop_pkicad.in
-+++ b/install/restart_scripts/stop_pkicad.in
-@@ -28,7 +28,9 @@ from ipaserver.install import certs
-
-
- def main():
-- api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-+ api.bootstrap(
-+ in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
-+ )
- api.finalize()
-
- dogtag_service = services.knownservices['pki_tomcatd']
-diff --git a/install/tools/ipa-custodia-check.in b/install/tools/ipa-custodia-check.in
-index b496ef387..7fdfbff52 100644
---- a/install/tools/ipa-custodia-check.in
-+++ b/install/tools/ipa-custodia-check.in
-@@ -102,7 +102,7 @@ class IPACustodiaTester:
- self.args = args
- if not api.isdone('bootstrap'):
- # bootstrap to initialize api.env
-- api.bootstrap()
-+ api.bootstrap(log=None)
- self.debug("IPA API bootstrapped")
- self.realm = api.env.realm
- self.host = api.env.host
-diff --git a/install/tools/ipa-httpd-kdcproxy.in b/install/tools/ipa-httpd-kdcproxy.in
-index 49c473e2e..5988421d3 100644
---- a/install/tools/ipa-httpd-kdcproxy.in
-+++ b/install/tools/ipa-httpd-kdcproxy.in
-@@ -186,8 +186,10 @@ class KDCProxyConfig:
- def main(debug=DEBUG, time_limit=TIME_LIMIT):
- # initialize API without file logging
- if not api.isdone('bootstrap'):
-- api.bootstrap(context='server', confdir=paths.ETC_IPA,
-- log=None, debug=debug)
-+ api.bootstrap(
-+ context='server', confdir=paths.ETC_IPA, log=None,
-+ debug=debug
-+ )
- standard_logging_setup(verbose=True, debug=debug)
-
- try:
-diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
-index 7fab309f0..69f5ec296 100644
---- a/install/tools/ipa-pki-wait-running.in
-+++ b/install/tools/ipa-pki-wait-running.in
-@@ -88,7 +88,7 @@ def main():
- sys.exit(EXIT_SUCCESS)
-
- # bootstrap ipalib.api to parse config file
-- api.bootstrap(confdir=paths.ETC_IPA)
-+ api.bootstrap(confdir=paths.ETC_IPA, log=None)
- timeout = api.env.startup_timeout
-
- conn = get_conn(api.env.host, subsystem=SUBSYSTEM)
-diff --git a/ipaserver/secrets/handlers/dmldap.py b/ipaserver/secrets/handlers/dmldap.py
-index 876440f16..c45348cfe 100644
---- a/ipaserver/secrets/handlers/dmldap.py
-+++ b/ipaserver/secrets/handlers/dmldap.py
-@@ -8,9 +8,9 @@ import os
-
- from ipalib import api
- from ipalib import errors
-+from ipaplatform.paths import paths
- from ipapython.dn import DN
--from ipapython.ipaldap import LDAPClient
--from ipaserver.install.installutils import realm_to_ldapi_uri
-+from ipapython.ipaldap import LDAPClient, realm_to_ldapi_uri
- from . import common
-
- CN_CONFIG = DN(('cn', 'config'))
-@@ -46,7 +46,7 @@ def main():
-
- # create LDAP connection using LDAPI and EXTERNAL bind as root
- if not api.isdone('bootstrap'):
-- api.bootstrap()
-+ api.bootstrap(confdir=paths.ETC_IPA, log=None)
- realm = api.env.realm
- ldap_uri = realm_to_ldapi_uri(realm)
- conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True)
---
-2.21.0
-
diff --git a/freeipa-samba-4.11-unixid-fixes.patch b/freeipa-samba-4.11-unixid-fixes.patch
deleted file mode 100644
index a6d8e25..0000000
--- a/freeipa-samba-4.11-unixid-fixes.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From 28113991463f81ab960b47264a2949a0d0857826 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Mon, 30 Sep 2019 17:43:12 +0300
-Subject: [PATCH] Add local helpers to handle unixid structure
-
-Samba did remove unixid_from_*() helpers in the upstream commit
-c906153cc7af21abe508ddd30c447642327d6a5d (Samba 4.11). Since they are
-very simple, make a local copy instead.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1757089
-Signed-off-by: Alexander Bokovoy
----
- daemons/ipa-sam/ipa_sam.c | 27 +++++++++++++++++++++------
- 1 file changed, 21 insertions(+), 6 deletions(-)
-
-diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
-index ba1f7f148..89ba16ee6 100644
---- a/daemons/ipa-sam/ipa_sam.c
-+++ b/daemons/ipa-sam/ipa_sam.c
-@@ -498,9 +498,24 @@ done:
- return unix_dn;
- }
-
-+/* Samba removed unixid_* helpers in c906153cc7af21abe508ddd30c447642327d6a5d */
-+static void ipasam_unixid_from_uid(struct unixid *id, uint32_t some_uid)
-+{
-+ if (id) {
-+ id->id = some_uid;
-+ id->type = ID_TYPE_UID;
-+ }
-+}
-
-
-+static void ipasam_unixid_from_gid(struct unixid *id, uint32_t some_gid)
-+{
-+ if (id) {
-+ id->id = some_gid;
-+ id->type = ID_TYPE_GID;
-+ }
-+}
-
- static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
- LDAPMessage *entry,
-@@ -858,7 +873,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
- goto done;
- }
-
-- unixid_from_gid(id, strtoul(gid_str, NULL, 10));
-+ ipasam_unixid_from_gid(id, strtoul(gid_str, NULL, 10));
-
- idmap_cache_set_sid2unixid(sid, id);
-
-@@ -876,7 +891,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
- goto done;
- }
-
-- unixid_from_uid(id, strtoul(value, NULL, 10));
-+ ipasam_unixid_from_uid(id, strtoul(value, NULL, 10));
-
- idmap_cache_set_sid2unixid(sid, id);
-
-@@ -964,7 +979,7 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
-
- sid_copy(sid, user_sid);
-
-- unixid_from_uid(&id, uid);
-+ ipasam_unixid_from_uid(&id, uid);
-
- idmap_cache_set_sid2unixid(sid, &id);
-
-@@ -1080,7 +1095,7 @@ found:
-
- sid_copy(sid, group_sid);
-
-- unixid_from_gid(&id, gid);
-+ ipasam_unixid_from_gid(&id, gid);
-
- idmap_cache_set_sid2unixid(sid, &id);
-
-@@ -3260,7 +3275,7 @@ static int ipasam_get_sid_by_gid(struct ipasam_private *ipasam_state,
- }
- sid_copy(_sid, sid);
-
-- unixid_from_gid(&id, gid);
-+ ipasam_unixid_from_gid(&id, gid);
-
- idmap_cache_set_sid2unixid(sid, &id);
-
-@@ -3322,7 +3337,7 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
- }
- }
-
-- unixid_from_gid(&id, gid);
-+ ipasam_unixid_from_gid(&id, gid);
-
- idmap_cache_set_sid2unixid(group_sid, &id);
-
---
-2.21.0
-
diff --git a/freeipa.spec b/freeipa.spec
index c6d680b..4fbcd4a 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -97,11 +97,9 @@
%endif # Fedora
-# Require Dogtag PKI 10.6.8-3 (10.6.7 was never pushed to stable)
-# 10.6.7 fixes UpdateNumberRange clone installation issue
-# https://pagure.io/freeipa/issue/7654 and empty token issue
-# and https://pagure.io/dogtagpki/issue/3073
-%global pki_version 10.7.0-1
+# 10.7.3 supports LWCA key replication using AES
+# https://pagure.io/freeipa/issue/8020
+%global pki_version 10.7.3-1
# https://pagure.io/certmonger/issue/90
%global certmonger_version 0.79.7-1
@@ -126,25 +124,22 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.8.1
+%define IPA_VERSION 4.8.2
%define AT_SIGN @
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
- %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
+ %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
%endif
Name: %{package_name}
Version: %{IPA_VERSION}
-Release: 5%{?dist}
+Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
-Patch1: freeipa-samba-4.11-unixid-fixes.patch
-Patch2: 0001-Don-t-install-a-preexec_fn-by-default.patch
-Patch3: 0002-dont-create-log-files-from-help-scripts.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@@ -277,7 +272,7 @@ BuildRequires: python3-yubico
%if ! %{ONLY_CLIENT}
BuildRequires: libcmocka-devel
# Required by ipa_kdb_tests
-BuildRequires: %{_libdir}/krb5/plugins/kdb/db2.so
+BuildRequires: krb5-server >= %{krb5_version}
%endif # ONLY_CLIENT
%description
@@ -958,6 +953,8 @@ if [ $1 -gt 1 ] ; then
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
fi
+
+ %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
fi
if [ $restore -ge 2 ]; then
@@ -1121,6 +1118,7 @@ fi
%{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.template
+%{_usr}/share/ipa/bind.ipa-ext.conf
%dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy
%{_usr}/share/ipa/advise/legacy/*.template
@@ -1165,6 +1163,7 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
+%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
@@ -1336,6 +1335,16 @@ fi
%changelog
+* Tue Nov 12 2019 Rob Crittenden - 4.8.2-1
+- New upstream release 4.8.2
+- Replace %%{_libdir} macro in BuildRequires (#1746882)
+- Restore user-nsswitch.conf before calling authselect (#1746557)
+- ipa service-find does not list cifs service created by
+ ipa-client-samba (#1731433)
+- Occasional 'whoami.data is undefined' error in FreeIPA web UI
+ (#1699109)
+- ipa-kra-install fails due to fs.protected_regular=1 (#1698384)
+
* Sun Oct 20 2019 Alexander Bokovoy - 4.8.1-5
- Don't create log files from helper scripts
- Fixes: rhbz#1754189
diff --git a/sources b/sources
index bc374fa..c23c93a 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.8.1.tar.gz) = 9ab11cb03c6ea7d12c5ed9d555c3d7ffa5709850220a402f609f2ced3dee90a4a68239edb62cbc8a0122e56dc3e033740fb25076fa9a45e1de143e9662db363f
-SHA512 (freeipa-4.8.1.tar.gz.asc) = a3da8eadd5752d17d780eeb3a7677c4920a03f3b548e888083523c7bc1d6a21b5cb72b0e18343c55d187257825dbdacea72adfe5baf7f75c6c5bb271361ed157
+SHA512 (freeipa-4.8.2.tar.gz) = 4ca63cc63152a240c78d7b77f674831c557cad1a991c7ba8c5339f79f1f42fb72991c804bee4d5686c9d3eddb9b9fb5347fbfa1398d8397ec6cf9c075c7773f1
+SHA512 (freeipa-4.8.2.tar.gz.asc) = 4c82920bd78d59ee4143e96832af74c44274945240aac16b49180bca07bf521bb300124613f2de2501b53b48a4a11d60ac81a4398e55d1deeb190125e09bf5b1
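Review bot: The new `%{__python3} -c '... configure_krb5_snippet()'` line in the upgrade branch (`if [ $1 -gt 1 ]`) of the scriptlet in the @@ -958 hunk discards the command's exit status and sends both stdout and stderr to /var/log/ipaupgrade.log, so a failure to regenerate the krb5 snippet during an upgrade is invisible to rpm and to the administrator, and the host keeps running with whatever snippet it had before. Whether the helper itself checks that the host is enrolled before it writes is not visible here, and the enclosing scriptlet starts and ends outside the hunk. A short message on failure keeps the upgrade best-effort while making the problem diagnosable, e.g. `... >>/var/log/ipaupgrade.log 2>&1 || echo "ipa-client: configure_krb5_snippet failed, see /var/log/ipaupgrade.log" >&2`. A one-line comment above the call stating why the snippet must be regenerated on upgrade (which 4.8.2 change it tracks) would also help the next maintainer of this scriptlet.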