diff --git a/0012-ipatests-fix-test_topology_rhbz#2232351.patch b/0012-ipatests-fix-test_topology_rhbz#2232351.patch
new file mode 100644
index 0000000..e5533c3
--- /dev/null
+++ b/0012-ipatests-fix-test_topology_rhbz#2232351.patch
@@ -0,0 +1,58 @@
+From fdaad3a45f5674876fd3f6cc7ad1e916ebfc7080 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Aug 14 2023 13:02:20 +0000
+Subject: ipatests: fix test_topology
+
+
+The test TestTopologyOptions::test_add_remove_segment is
+randomly failing downstream. Test scenario:
+- create a line topology master <-> repl1 <-> repl2
+- create user on master
+- wait for repl success on master
+- check that the user is seen on repl2
+
+The test waits for replication to complete on the master but
+it should also wait for the replication to complete on repl1
+before checking the user presence on repl2.
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Anuja More
+
+---
+
+diff --git a/ipatests/test_integration/test_topology.py b/ipatests/test_integration/test_topology.py
+index 8a240fa..618c9d5 100644
+--- a/ipatests/test_integration/test_topology.py
++++ b/ipatests/test_integration/test_topology.py
+@@ -124,6 +124,9 @@ class TestTopologyOptions(IntegrationTest):
+ self.replicas[0],
+ self.replicas[1])
+ assert err == "", err
++ # At this point we have replicas[1] <-> master <-> replicas[0]
++ # ^--------------------------^
++
+ # Make sure the new segment is shown by `ipa topologysegment-find`
+ result1 = self.master.run_command(['ipa', 'topologysegment-find',
+ DOMAIN_SUFFIX_NAME]).stdout_text
+@@ -137,9 +140,12 @@ class TestTopologyOptions(IntegrationTest):
+ deleteme = find_segment(self.master, self.replicas[1])
+ returncode, error = tasks.destroy_segment(self.master, deleteme)
+ assert returncode == 0, error
++ # At this point we have master <-> replicas[0] <-> replicas[1]
++
+ # Wait till replication ends and make sure replica1 does not have
+ # segment that was deleted on master
+ master_ldap = self.master.ldap_connect()
++ repl_ldap = self.replicas[0].ldap_connect()
+ tasks.wait_for_replication(master_ldap)
+ result3 = self.replicas[0].run_command(['ipa', 'topologysegment-find',
+ DOMAIN_SUFFIX_NAME]).stdout_text
+@@ -150,6 +156,7 @@ class TestTopologyOptions(IntegrationTest):
+ '--first', 'test',
+ '--last', 'user'])
+ tasks.wait_for_replication(master_ldap)
++ tasks.wait_for_replication(repl_ldap)
+ result4 = self.replicas[1].run_command(['ipa', 'user-find'])
+ assert('someuser' in result4.stdout_text), 'User not found: someuser'
+ # We end up having a line topology: master <-> replica1 <-> replica2
+
diff --git a/0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch b/0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch
new file mode 100644
index 0000000..64a634c
--- /dev/null
+++ b/0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch
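Review bot: The added `tasks.wait_for_replication(repl_ldap)` in the last inner hunk (`@@ -150,6 +156,7 @@`) carries no comment saying why a second wait is needed, so the reasoning lives only in the commit message. A line such as `# the user reaches replicas[1] through replicas[0], so wait for that hop as well` above it would keep a later reader from removing the call as redundant. Neither `master_ldap` nor the new `repl_ldap` connection is closed in the visible lines; the test body continues outside the hunks, so that may be handled elsewhere.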
@@ -0,0 +1,40 @@
+From f38eefd9f7e54470de7c707782114b17aac8762a Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Aug 16 2023 15:25:34 +0000
+Subject: Installer: activate nss and pam services in sssd.conf
+
+
+If there is already a sssd.conf file before the installer is
+executed, the nss and pam services may not be enabled by the
+installer. This happens for instance if the machine is hardened
+for STIG and sssd.conf does not define services=... in the
+[sssd] section.
+
+The consequence is that trust cannot be established with an AD
+domain.
+
+The installer must enable nss and pam services even if there is
+a pre-existing sssd.conf file.
+
+Fixes: https://pagure.io/freeipa/issue/9427
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Alexander Bokovoy
+
+---
+
+diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
+index ef29a2c..07d62a7 100644
+--- a/ipaclient/install/client.py
++++ b/ipaclient/install/client.py
+@@ -969,6 +969,9 @@ def configure_sssd_conf(
+ nss_service.set_option('memcache_timeout', 600)
+ sssdconfig.save_service(nss_service)
+
++ sssd_enable_service(sssdconfig, 'nss')
++ sssd_enable_service(sssdconfig, 'pam')
++
+ domain.set_option('ipa_domain', cli_domain)
+ domain.set_option('ipa_hostname', client_hostname)
+ if cli_domain.lower() != cli_realm.lower():
+
diff --git a/ipa.spec b/ipa.spec
index 3816810..7c66e58 100644
--- a/ipa.spec
+++ b/ipa.spec
@@ -189,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 6%{?rc_version:.%rc_version}%{?dist} +Release: 7%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+
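Review bot: The two added calls `sssd_enable_service(sssdconfig, 'nss')` and `sssd_enable_service(sssdconfig, 'pam')` in configure_sssd_conf discard whatever the helper returns, so if enabling a service fails the installer would presumably carry on and leave the host in the state this patch is meant to fix. The helper's body is not visible here, so confirm how it reports failure and check that at the call site. Because these calls change the `services` list of a pre-existing, possibly STIG-hardened sssd.conf, a call-site comment such as `# a pre-existing sssd.conf may not list nss/pam under [sssd] services; enable both explicitly` would help anyone auditing the change against a baseline. The patch adds no test for the pre-existing-file case, and configure_sssd_conf continues outside the hunk.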
@@ -220,6 +220,8 @@ Patch0008: 0008-ipatests-enable-firewall-rule-for-http-service-on-acme-clie Patch0009: 0009-User-plugin-improve-error-related-to-non-existing-idp_rhbz#2224572.patch Patch0010: 0010-Prevent-admin-user-from-being-deleted_rhbz#1921181.patch Patch0011: 0011-Fix-memory-leak-in-the-OTP-last-token-plugin_rhbz#2227783.patch +Patch0012: 0012-ipatests-fix-test_topology_rhbz#2232351.patch +Patch0013: 0013-Installer-activate-nss-and-pam-services-in-sssd.conf_rhbz#2216532.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch @@ -1734,6 +1736,12 @@ fi %endif %changelog +* Wed Aug 16 2023 Rafael Jeffman - 4.9.12-7 +- ipatests: fix test_topology + Resolves: RHBZ#2232351 +- Installer: activate nss and pam services in sssd.conf + Resolves: RHBZ#2216532 + * Thu Aug 10 2023 Rafael Jeffman - 4.9.12-6 - ipa-kdb: fix error handling of is_master_host() Resolves: RHBZ#2214638