Update to 4.8.2

- Replace %%{_libdir} macro in BuildRequires (#1746882)
- Restore user-nsswitch.conf before calling authselect (#1746557)
- ipa service-find does not list cifs service created by
  ipa-client-samba (#1731433)
- Occasional 'whoami.data is undefined' error in FreeIPA web UI
  (#1699109)
- ipa-kra-install fails due to fs.protected_regular=1 (#1698384)

.gitignore

@@ -78,3 +78,5 @@
 /freeipa-4.8.0.tar.gz.asc
 /freeipa-4.8.1.tar.gz
 /freeipa-4.8.1.tar.gz.asc
+/freeipa-4.8.2.tar.gz
+/freeipa-4.8.2.tar.gz.asc

0001-Don-t-install-a-preexec_fn-by-default.patch

@@ -1,50 +0,0 @@
-From 7ee24413f0945b7d582a33795cdfc7c59471cb69 Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Mon, 7 Oct 2019 21:58:00 +0200
-Subject: [PATCH] Don't install a preexec_fn by default
-
-ipautil.run() now only installs a preexec_fn when it is actually needed.
-This addresses a compatibility issue with mod_wsgi subinterpreters under
-Python 3.8.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1759290
-See: https://bugs.python.org/issue37951
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
----
- ipapython/ipautil.py | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py
-index d87b9e3c1..e047324d3 100644
---- a/ipapython/ipautil.py
-+++ b/ipapython/ipautil.py
-@@ -515,14 +515,18 @@ def run(args, stdin=None, raiseonerr=True, nolog=(), env=None,
-             for group, gid in zip(suplementary_groups, suplementary_gids):
-                 logger.debug('suplementary_group=%s (GID %d)', group, gid)
- 
--    def preexec_fn():
--        if runas is not None:
--            os.setgroups(suplementary_gids)
--            os.setregid(pent.pw_gid, pent.pw_gid)
--            os.setreuid(pent.pw_uid, pent.pw_uid)
--
--        if umask:
--            os.umask(umask)
-+    if runas is not None or umask is not None:
-+        # preexec function is not supported in WSGI environment
-+        def preexec_fn():
-+            if runas is not None:
-+                os.setgroups(suplementary_gids)
-+                os.setregid(pent.pw_gid, pent.pw_gid)
-+                os.setreuid(pent.pw_uid, pent.pw_uid)
-+
-+            if umask is not None:
-+                os.umask(umask)
-+    else:
-+        preexec_fn = None
- 
-     try:
-         # pylint: disable=subprocess-popen-preexec-fn
--- 
-2.20.1
-

0002-dont-create-log-files-from-help-scripts.patch

@@ -1,174 +0,0 @@
-From 90f72324549f2bceba3e051efb2a1b43c467ff8a Mon Sep 17 00:00:00 2001
-From: Christian Heimes <cheimes@redhat.com>
-Date: Mon, 23 Sep 2019 18:23:04 +0200
-Subject: [PATCH] Don't create log files from help scripts
-
-Helper scripts now use api.bootstrap(log=None) to avoid the creation of
-log files. Helper scripts are typically executed from daemons which
-perform their own logging. The helpers still log to stderr/stdout.
-
-This also gets rid of some SELinux AVCs when the script tries to write
-to /root/.ipa/.
-
-Fixes: https://pagure.io/freeipa/issue/8075
-Signed-off-by: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- install/certmonger/dogtag-ipa-ca-renew-agent-submit.in | 4 +++-
- install/restart_scripts/renew_ca_cert.in               | 4 +++-
- install/restart_scripts/renew_ra_cert.in               | 4 +++-
- install/restart_scripts/restart_dirsrv.in              | 4 +++-
- install/restart_scripts/stop_pkicad.in                 | 4 +++-
- install/tools/ipa-custodia-check.in                    | 2 +-
- install/tools/ipa-httpd-kdcproxy.in                    | 6 ++++--
- install/tools/ipa-pki-wait-running.in                  | 2 +-
- ipaserver/secrets/handlers/dmldap.py                   | 6 +++---
- 9 files changed, 24 insertions(+), 12 deletions(-)
-
-diff --git a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
-index a9f17db3a..10efb4cf3 100644
---- a/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
-+++ b/install/certmonger/dogtag-ipa-ca-renew-agent-submit.in
-@@ -477,7 +477,9 @@ def main():
-     if operation not in ('SUBMIT', 'POLL'):
-         return OPERATION_NOT_SUPPORTED_BY_HELPER
- 
--    api.bootstrap(in_server=True, context='renew', confdir=paths.ETC_IPA)
-+    api.bootstrap(
-+        in_server=True, context='renew', confdir=paths.ETC_IPA, log=None
-+    )
-     api.finalize()
- 
-     tmpdir = tempfile.mkdtemp(prefix="tmp-")
-diff --git a/install/restart_scripts/renew_ca_cert.in b/install/restart_scripts/renew_ca_cert.in
-index 6d1ae6253..b265e62d5 100644
---- a/install/restart_scripts/renew_ca_cert.in
-+++ b/install/restart_scripts/renew_ca_cert.in
-@@ -43,7 +43,9 @@ from ipapython.certdb import TrustFlags
- def _main():
-     nickname = sys.argv[1]
- 
--    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-+    api.bootstrap(
-+        in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
-+    )
-     api.finalize()
- 
-     dogtag_service = services.knownservices['pki_tomcatd']
-diff --git a/install/restart_scripts/renew_ra_cert.in b/install/restart_scripts/renew_ra_cert.in
-index 2a0416d21..02f2f5e23 100644
---- a/install/restart_scripts/renew_ra_cert.in
-+++ b/install/restart_scripts/renew_ra_cert.in
-@@ -34,7 +34,9 @@ from ipaplatform.paths import paths
- 
- 
- def _main():
--    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-+    api.bootstrap(
-+        in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
-+    )
-     api.finalize()
- 
-     tmpdir = tempfile.mkdtemp(prefix="tmp-")
-diff --git a/install/restart_scripts/restart_dirsrv.in b/install/restart_scripts/restart_dirsrv.in
-index 77c2409a3..56cfa104f 100644
---- a/install/restart_scripts/restart_dirsrv.in
-+++ b/install/restart_scripts/restart_dirsrv.in
-@@ -34,7 +34,9 @@ def _main():
-     except IndexError:
-         instance = ""
- 
--    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-+    api.bootstrap(
-+        in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
-+    )
-     api.finalize()
- 
-     syslog.syslog(syslog.LOG_NOTICE, "certmonger restarted dirsrv instance '%s'" % instance)
-diff --git a/install/restart_scripts/stop_pkicad.in b/install/restart_scripts/stop_pkicad.in
-index a51c31226..c1b1a0aca 100644
---- a/install/restart_scripts/stop_pkicad.in
-+++ b/install/restart_scripts/stop_pkicad.in
-@@ -28,7 +28,9 @@ from ipaserver.install import certs
- 
- 
- def main():
--    api.bootstrap(in_server=True, context='restart', confdir=paths.ETC_IPA)
-+    api.bootstrap(
-+        in_server=True, context='restart', confdir=paths.ETC_IPA, log=None
-+    )
-     api.finalize()
- 
-     dogtag_service = services.knownservices['pki_tomcatd']
-diff --git a/install/tools/ipa-custodia-check.in b/install/tools/ipa-custodia-check.in
-index b496ef387..7fdfbff52 100644
---- a/install/tools/ipa-custodia-check.in
-+++ b/install/tools/ipa-custodia-check.in
-@@ -102,7 +102,7 @@ class IPACustodiaTester:
-         self.args = args
-         if not api.isdone('bootstrap'):
-             # bootstrap to initialize api.env
--            api.bootstrap()
-+            api.bootstrap(log=None)
-             self.debug("IPA API bootstrapped")
-         self.realm = api.env.realm
-         self.host = api.env.host
-diff --git a/install/tools/ipa-httpd-kdcproxy.in b/install/tools/ipa-httpd-kdcproxy.in
-index 49c473e2e..5988421d3 100644
---- a/install/tools/ipa-httpd-kdcproxy.in
-+++ b/install/tools/ipa-httpd-kdcproxy.in
-@@ -186,8 +186,10 @@ class KDCProxyConfig:
- def main(debug=DEBUG, time_limit=TIME_LIMIT):
-     # initialize API without file logging
-     if not api.isdone('bootstrap'):
--        api.bootstrap(context='server', confdir=paths.ETC_IPA,
--                      log=None, debug=debug)
-+        api.bootstrap(
-+            context='server', confdir=paths.ETC_IPA, log=None,
-+            debug=debug
-+        )
-         standard_logging_setup(verbose=True, debug=debug)
- 
-     try:
-diff --git a/install/tools/ipa-pki-wait-running.in b/install/tools/ipa-pki-wait-running.in
-index 7fab309f0..69f5ec296 100644
---- a/install/tools/ipa-pki-wait-running.in
-+++ b/install/tools/ipa-pki-wait-running.in
-@@ -88,7 +88,7 @@ def main():
-         sys.exit(EXIT_SUCCESS)
- 
-     # bootstrap ipalib.api to parse config file
--    api.bootstrap(confdir=paths.ETC_IPA)
-+    api.bootstrap(confdir=paths.ETC_IPA, log=None)
-     timeout = api.env.startup_timeout
- 
-     conn = get_conn(api.env.host, subsystem=SUBSYSTEM)
-diff --git a/ipaserver/secrets/handlers/dmldap.py b/ipaserver/secrets/handlers/dmldap.py
-index 876440f16..c45348cfe 100644
---- a/ipaserver/secrets/handlers/dmldap.py
-+++ b/ipaserver/secrets/handlers/dmldap.py
-@@ -8,9 +8,9 @@ import os
- 
- from ipalib import api
- from ipalib import errors
-+from ipaplatform.paths import paths
- from ipapython.dn import DN
--from ipapython.ipaldap import LDAPClient
--from ipaserver.install.installutils import realm_to_ldapi_uri
-+from ipapython.ipaldap import LDAPClient, realm_to_ldapi_uri
- from . import common
- 
- CN_CONFIG = DN(('cn', 'config'))
-@@ -46,7 +46,7 @@ def main():
- 
-     # create LDAP connection using LDAPI and EXTERNAL bind as root
-     if not api.isdone('bootstrap'):
--        api.bootstrap()
-+        api.bootstrap(confdir=paths.ETC_IPA, log=None)
-     realm = api.env.realm
-     ldap_uri = realm_to_ldapi_uri(realm)
-     conn = LDAPClient(ldap_uri=ldap_uri, no_schema=True)
--- 
-2.21.0
-

freeipa-samba-4.11-unixid-fixes.patch

@@ -1,101 +0,0 @@
-From 28113991463f81ab960b47264a2949a0d0857826 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Mon, 30 Sep 2019 17:43:12 +0300
-Subject: [PATCH] Add local helpers to handle unixid structure
-
-Samba did remove unixid_from_*() helpers in the upstream commit
-c906153cc7af21abe508ddd30c447642327d6a5d (Samba 4.11). Since they are
-very simple, make a local copy instead.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1757089
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- daemons/ipa-sam/ipa_sam.c | 27 +++++++++++++++++++++------
- 1 file changed, 21 insertions(+), 6 deletions(-)
-
-diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
-index ba1f7f148..89ba16ee6 100644
---- a/daemons/ipa-sam/ipa_sam.c
-+++ b/daemons/ipa-sam/ipa_sam.c
-@@ -498,9 +498,24 @@ done:
- 	return unix_dn;
- }
- 
-+/* Samba removed unixid_* helpers in c906153cc7af21abe508ddd30c447642327d6a5d */
-+static void ipasam_unixid_from_uid(struct unixid *id, uint32_t some_uid)
-+{
-+       if (id) {
-+               id->id = some_uid;
-+               id->type = ID_TYPE_UID;
-+       }
-+}
- 
- 
- 
-+static void ipasam_unixid_from_gid(struct unixid *id, uint32_t some_gid)
-+{
-+       if (id) {
-+               id->id = some_gid;
-+               id->type = ID_TYPE_GID;
-+       }
-+}
- 
- static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct,
- 					   LDAPMessage *entry,
-@@ -858,7 +873,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
- 			goto done;
- 		}
- 
--		unixid_from_gid(id, strtoul(gid_str, NULL, 10));
-+		ipasam_unixid_from_gid(id, strtoul(gid_str, NULL, 10));
- 
- 		idmap_cache_set_sid2unixid(sid, id);
- 
-@@ -876,7 +891,7 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
- 		goto done;
- 	}
- 
--	unixid_from_uid(id, strtoul(value, NULL, 10));
-+	ipasam_unixid_from_uid(id, strtoul(value, NULL, 10));
- 
- 	idmap_cache_set_sid2unixid(sid, id);
- 
-@@ -964,7 +979,7 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
- 
- 	sid_copy(sid, user_sid);
- 
--	unixid_from_uid(&id, uid);
-+	ipasam_unixid_from_uid(&id, uid);
- 
- 	idmap_cache_set_sid2unixid(sid, &id);
- 
-@@ -1080,7 +1095,7 @@ found:
- 
- 	sid_copy(sid, group_sid);
- 
--	unixid_from_gid(&id, gid);
-+	ipasam_unixid_from_gid(&id, gid);
- 
- 	idmap_cache_set_sid2unixid(sid, &id);
- 
-@@ -3260,7 +3275,7 @@ static int ipasam_get_sid_by_gid(struct ipasam_private *ipasam_state,
- 	}
- 	sid_copy(_sid, sid);
- 
--	unixid_from_gid(&id, gid);
-+	ipasam_unixid_from_gid(&id, gid);
- 
- 	idmap_cache_set_sid2unixid(sid, &id);
- 
-@@ -3322,7 +3337,7 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
- 		}
- 	}
- 
--	unixid_from_gid(&id, gid);
-+	ipasam_unixid_from_gid(&id, gid);
- 
- 	idmap_cache_set_sid2unixid(group_sid, &id);
- 
--- 
-2.21.0
-

freeipa.spec

@@ -97,11 +97,9 @@
 
 %endif  # Fedora
 
-# Require Dogtag PKI 10.6.8-3 (10.6.7 was never pushed to stable)
+# 10.7.3 supports LWCA key replication using AES
-# 10.6.7 fixes UpdateNumberRange clone installation issue
+# https://pagure.io/freeipa/issue/8020
-# https://pagure.io/freeipa/issue/7654 and empty token issue
+%global pki_version 10.7.3-1
-# and https://pagure.io/dogtagpki/issue/3073
-%global pki_version 10.7.0-1
 
 # https://pagure.io/certmonger/issue/90
 %global certmonger_version 0.79.7-1
@@ -126,25 +124,22 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.8.1
+%define IPA_VERSION 4.8.2
 %define AT_SIGN @
 # redefine IPA_VERSION only if its value matches the Autoconf placeholder
 %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
-     %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
+    %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser
 %endif
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        5%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
-Patch1:         freeipa-samba-4.11-unixid-fixes.patch
-Patch2:         0001-Don-t-install-a-preexec_fn-by-default.patch
-Patch3:         0002-dont-create-log-files-from-help-scripts.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -277,7 +272,7 @@ BuildRequires:  python3-yubico
 %if ! %{ONLY_CLIENT}
 BuildRequires:  libcmocka-devel
 # Required by ipa_kdb_tests
-BuildRequires:  %{_libdir}/krb5/plugins/kdb/db2.so
+BuildRequires:  krb5-server >= %{krb5_version}
 %endif # ONLY_CLIENT
 
 %description
@@ -958,6 +953,8 @@ if [ $1 -gt 1 ] ; then
             cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
             cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
         fi
+
+        %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
     fi
 
     if [ $restore -ge 2 ]; then
@@ -1121,6 +1118,7 @@ fi
 %{_usr}/share/ipa/*.ldif
 %{_usr}/share/ipa/*.uldif
 %{_usr}/share/ipa/*.template
+%{_usr}/share/ipa/bind.ipa-ext.conf
 %dir %{_usr}/share/ipa/advise
 %dir %{_usr}/share/ipa/advise/legacy
 %{_usr}/share/ipa/advise/legacy/*.template
@@ -1165,6 +1163,7 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
+%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
@@ -1336,6 +1335,16 @@ fi
 
 
 %changelog
+* Tue Nov 12 2019 Rob Crittenden <rcritten@redhat.com> - 4.8.2-1
+- New upstream release 4.8.2
+- Replace %%{_libdir} macro in BuildRequires (#1746882)
+- Restore user-nsswitch.conf before calling authselect (#1746557)
+- ipa service-find does not list cifs service created by
+  ipa-client-samba (#1731433)
+- Occasional 'whoami.data is undefined' error in FreeIPA web UI
+  (#1699109)
+- ipa-kra-install fails due to fs.protected_regular=1 (#1698384)
+
 * Sun Oct 20 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.1-5
 - Don't create log files from helper scripts
 - Fixes: rhbz#1754189

sources

@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.8.1.tar.gz) = 9ab11cb03c6ea7d12c5ed9d555c3d7ffa5709850220a402f609f2ced3dee90a4a68239edb62cbc8a0122e56dc3e033740fb25076fa9a45e1de143e9662db363f
+SHA512 (freeipa-4.8.2.tar.gz) = 4ca63cc63152a240c78d7b77f674831c557cad1a991c7ba8c5339f79f1f42fb72991c804bee4d5686c9d3eddb9b9fb5347fbfa1398d8397ec6cf9c075c7773f1
-SHA512 (freeipa-4.8.1.tar.gz.asc) = a3da8eadd5752d17d780eeb3a7677c4920a03f3b548e888083523c7bc1d6a21b5cb72b0e18343c55d187257825dbdacea72adfe5baf7f75c6c5bb271361ed157
+SHA512 (freeipa-4.8.2.tar.gz.asc) = 4c82920bd78d59ee4143e96832af74c44274945240aac16b49180bca07bf521bb300124613f2de2501b53b48a4a11d60ac81a4398e55d1deeb190125e09bf5b1