ipa:

- ipatests: fix test_topology
  Resolves: RHBZ#2232351
- Installer: activate nss and pam services in sssd.conf
  Resolves: RHBZ#2216532

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

0012-ipatests-fix-test_topology_rhbz#2232351.patch

@@ -0,0 +1,58 @@
+From fdaad3a45f5674876fd3f6cc7ad1e916ebfc7080 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Aug 14 2023 13:02:20 +0000
+Subject: ipatests: fix test_topology
+
+
+The test TestTopologyOptions::test_add_remove_segment is
+randomly failing downstream. Test scenario:
+- create a line topology master <-> repl1 <-> repl2
+- create user on master
+- wait for repl success on master
+- check that the user is seen on repl2
+
+The test waits for replication to complete on the master but
+it should also wait for the replication to complete on repl1
+before checking the user presence on repl2.
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+
+---
+
+diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
+index 8a240fa..618c9d5 100644
+--- a/ipatests/test_integration/test_topology.py
++++ b/ipatests/test_integration/test_topology.py
+@@ -124,6 +124,9 @@ class TestTopologyOptions(IntegrationTest):
+                                             self.replicas[0],
+                                             self.replicas[1])
+         assert err == "", err
++        # At this point we have replicas[1] <-> master <-> replicas[0]
++        #                          ^--------------------------^
++
+         # Make sure the new segment is shown by `ipa topologysegment-find`
+         result1 = self.master.run_command(['ipa', 'topologysegment-find',
+                                            DOMAIN_SUFFIX_NAME]).stdout_text
+@@ -137,9 +140,12 @@ class TestTopologyOptions(IntegrationTest):
+         deleteme = find_segment(self.master, self.replicas[1])
+         returncode, error = tasks.destroy_segment(self.master, deleteme)
+         assert returncode == 0, error
++        # At this point we have master <-> replicas[0] <-> replicas[1]
++
+         # Wait till replication ends and make sure replica1 does not have
+         # segment that was deleted on master
+         master_ldap = self.master.ldap_connect()
++        repl_ldap = self.replicas[0].ldap_connect()
+         tasks.wait_for_replication(master_ldap)
+         result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
+                                                DOMAIN_SUFFIX_NAME]).stdout_text
+@@ -150,6 +156,7 @@ class TestTopologyOptions(IntegrationTest):
+                                  '--first', 'test',
+                                  '--last', 'user'])
+         tasks.wait_for_replication(master_ldap)
++        tasks.wait_for_replication(repl_ldap)
+         result4 = self.replicas[1].run_command(['ipa', 'user-find'])
+         assert('someuser' in result4.stdout_text), 'User not found: someuser'
+         # We end up having a line topology: master <-> replica1 <-> replica2
+

0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch

@@ -0,0 +1,40 @@
+From f38eefd9f7e54470de7c707782114b17aac8762a Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Aug 16 2023 15:25:34 +0000
+Subject: Installer: activate nss and pam services in sssd.conf
+
+
+If there is already a sssd.conf file before the installer is
+executed, the nss and pam services may not be enabled by the
+installer. This happens for instance if the machine is hardened
+for STIG and sssd.conf does not define services=... in the
+[sssd] section.
+
+The consequence is that trust cannot be established with an AD
+domain.
+
+The installer must enable nss and pam services even if there is
+a pre-existing sssd.conf file.
+
+Fixes: https://pagure.io/freeipa/issue/9427
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
+index ef29a2c..07d62a7 100644
+--- a/ipaclient/install/client.py
++++ b/ipaclient/install/client.py
+@@ -969,6 +969,9 @@ def configure_sssd_conf(
+         nss_service.set_option('memcache_timeout', 600)
+         sssdconfig.save_service(nss_service)
+ 
++    sssd_enable_service(sssdconfig, 'nss')
++    sssd_enable_service(sssdconfig, 'pam')
++
+     domain.set_option('ipa_domain', cli_domain)
+     domain.set_option('ipa_hostname', client_hostname)
+     if cli_domain.lower() != cli_realm.lower():
+

ipa.spec

@@ -189,7 +189,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        6%{?rc_version:.%rc_version}%{?dist}
+Release:        7%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -220,6 +220,8 @@ Patch0008:      0008-ipatests-enable-firewall-rule-for-http-service-on-acme-clie
 Patch0009:      0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch
 Patch0010:      0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch
 Patch0011:      0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch
+Patch0012:      0012-ipatests-fix-test_topology_rhbz#2232351.patch
+Patch0013:      0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 Patch1003:      1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
@@ -1734,6 +1736,12 @@ fi
 %endif
 
 %changelog
+* Wed Aug 16 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-7
+- ipatests: fix test_topology
+  Resolves: RHBZ#2232351
+- Installer: activate nss and pam services in sssd.conf
+  Resolves: RHBZ#2216532
+
 * Thu Aug 10 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.12-6
 - ipa-kdb: fix error handling of is_master_host()
   Resolves: RHBZ#2214638