ipa:

- Remove unused patches. - Handle new samba exception types. Resolves: RHEL-17623
2023-11-30 13:13:35 -03:00 · 2023-11-30 13:13:35 -03:00 · 2005990bae
commit 2005990bae
parent 4d6406a1a1
3 changed files with 79 additions and 99 deletions
--- a/0001-Handle-samba-exception-type-change_rhel#17623.patch
+++ b/0001-Handle-samba-exception-type-change_rhel#17623.patch
@ -0,0 +1,73 @@
 From 06b4c61b4484efe2093501caf21b03f1fc14093b Mon Sep 17 00:00:00 2001
 From: Florence Blanc-Renaud <flo@redhat.com>
 Date: Thu, 19 Oct 2023 12:47:03 +0200
 Subject: [PATCH] group-add-member fails with an external member
 The command ipa group-add-member --external aduser@addomain.test
 fails with an internal error when used with samba 4.19.
 The command internally calls samba.security.dom_sid(sid) which
 used to raise a TypeError but now raises a ValueError
 (commit 9abdd67 on https://github.com/samba-team/samba).
 IPA source code needs to handle properly both exception types.
 Fixes: https://pagure.io/freeipa/issue/9466
 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
 Reviewed-By: Rob Crittenden <rcritten@redhat.com>
 ---
 ipaserver/dcerpc.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
 index c1db2f9a499..ee0a229d1f0 100644
 --- a/ipaserver/dcerpc.py
 +++ b/ipaserver/dcerpc.py
@@ -303,7 +303,7 @@ def get_domain_by_sid(self, sid, exact_match=False):
         # Parse sid string to see if it is really in a SID format
         try:
             test_sid = security.dom_sid(sid)
 -        except TypeError:
 +        except (TypeError, ValueError):
             raise errors.ValidationError(name='sid',
                                          error=_('SID is not valid'))
 From aa3397378acf1a03fc8bbe34b9fae33e84588b34 Mon Sep 17 00:00:00 2001
 From: Florence Blanc-Renaud <flo@redhat.com>
 Date: Fri, 20 Oct 2023 10:20:57 +0200
 Subject: [PATCH] Handle samba changes in samba.security.dom_sid()
 samba.security.dom_sid() in 4.19 now raises ValueError instead of
 TypeError. Fix the expected exception.
 Related: https://pagure.io/freeipa/issue/9466
 Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 ipaserver/dcerpc.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
 index ee0a229d1f0..3e4c71d9976 100644
 --- a/ipaserver/dcerpc.py
 +++ b/ipaserver/dcerpc.py
@@ -97,7 +97,7 @@
 def is_sid_valid(sid):
     try:
         security.dom_sid(sid)
 -    except TypeError:
 +    except (TypeError, ValueError):
         return False
     else:
         return True
@@ -457,7 +457,7 @@ def get_trusted_domain_object_sid(self, object_name,
         try:
             test_sid = security.dom_sid(sid)
             return unicode(test_sid)
 -        except TypeError:
 +        except (TypeError, ValueError):
             raise errors.ValidationError(name=_('trusted domain object'),
                                          error=_('Trusted domain did not '
                                                  'return a valid SID for '
--- a/0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
+++ b/0014-ipa-kdb-Make-AD-SIGNEDPATH-optional-with-krb5-DAL-8.patch
@ -1,98 +0,0 @@
 From d394afc1210a21378c018d0ff93d400a57324289 Mon Sep 17 00:00:00 2001
 From: Julien Rische <jrische@redhat.com>
 Date: Mon, 25 Sep 2023 15:14:03 +0200
 Subject: [PATCH] ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and
 older
 Since krb5 1.20, the PAC is generated by default, and the AD-SIGNEDPATH
 authdata is no longer generated. However, on krb5 versions prior to
 1.20, the KDC still expects an AD-SIGNEDPATH when verifying a
 constrained delegation (S4U2Proxy) TGS-REQ. In IPA's case this
 requirement is not needed, because the PAC signatures are already
 fulfilling this role.
 CentOS and RHEL downstream releases of krb5 will include the
 "optional_ad_signedpath" KDB string attribute allowing to disable the
 AD-SIGNEDPATH requirement in case the PAC is present.
 This commit sets the "optional_ad_signedpath" string attribute to "true"
 systematically on the TGS principal if the database abstract layer (DAL)
 of krb5 is version 8 or older (prior to krb5 1.20).
 Fixes: https://pagure.io/freeipa/issue/9448
 Signed-off-by: Julien Rische <jrische@redhat.com>
 Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
 ---
 daemons/ipa-kdb/ipa_kdb_principals.c | 38 ++++++++++++++++++++++++++--
 1 file changed, 36 insertions(+), 2 deletions(-)
 diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
 index e95cb453c..fadb132ed 100644
 --- a/daemons/ipa-kdb/ipa_kdb_principals.c
 +++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -113,6 +113,10 @@ static char *std_principal_obj_classes[] = {
 #define DEFAULT_TL_DATA_CONTENT "\x00\x00\x00\x00principal@UNINITIALIZED"
 +#ifndef KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH
 +#define KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH "optional_ad_signedpath"
 +#endif
 +
 static int ipadb_ldap_attr_to_tl_data(LDAP *lcontext, LDAPMessage *le,
                                       char *attrname,
                                       krb5_tl_data **result, int *num)
@@ -178,6 +182,25 @@ done:
     return ret;
 }
 +static bool
 +is_tgs_princ(krb5_context kcontext, krb5_const_principal princ)
 +{
 +    krb5_data *primary;
 +    size_t l_tgs_name;
 +
 +    if (2 != krb5_princ_size(kcontext, princ))
 +        return false;
 +
 +    primary = krb5_princ_component(kcontext, princ, 0);
 +
 +    l_tgs_name = strlen(KRB5_TGS_NAME);
 +
 +    if (l_tgs_name != primary->length)
 +        return false;
 +
 +    return 0 == memcmp(primary->data, KRB5_TGS_NAME, l_tgs_name);
 +}
 +
 static krb5_error_code ipadb_set_tl_data(krb5_db_entry *entry,
                                          krb5_int16 type,
                                          krb5_ui_2 length,
@@ -1647,11 +1670,22 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext,
     /* Lookup local names and aliases first. */
     kerr = dbget_princ(kcontext, ipactx, search_for, flags, entry);
 -    if (kerr != KRB5_KDB_NOENTRY) {
 +    if (kerr == KRB5_KDB_NOENTRY) {
 +        kerr = dbget_alias(kcontext, ipactx, search_for, flags, entry);
 +    }
 +    if (kerr)
         return kerr;
 +
 +#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
 +    /* If TGS principal, some virtual attributes may be added */
 +    if (is_tgs_princ(kcontext, (*entry)->princ)) {
 +        kerr = krb5_dbe_set_string(kcontext, *entry,
 +                                   KRB5_KDB_SK_OPTIONAL_AD_SIGNEDPATH,
 +                                   "true");
     }
 +#endif
 -    return dbget_alias(kcontext, ipactx, search_for, flags, entry);
 +    return kerr;
 }
 void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
 -- 
 2.41.0
--- a/ipa.spec
+++ b/ipa.spec
@ -189,7 +189,7 @@
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}
+Release:        2%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 License:        GPLv3+
@ -208,6 +208,7 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 Patch0001:      0001-Handle-samba-exception-type-change_rhel#17623.patch
 %if 0%{?rhel} >= 8
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@ -1723,6 +1724,10 @@ fi
 %endif
 %changelog
 * Thu Nov 30 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-2
 - Handle new samba exception types.
  Resolves: RHEL-17623
 * Tue Nov 21 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-1
 - Rebase ipa to 4.9.13
  Resolves: RHEL-16936