fix build with Samba 4.4

- Fix build with Samba 4.4
- Update SELinux requires to fix connection check during installation

0002-IPA-SAM-Fix-build-with-samba-4.4.patch

@@ -0,0 +1,54 @@
+>From f9057ca98557094a4db84ac072ee9efd02a4ff79 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn@redhat.com>
+Date: Fri, 29 Jan 2016 10:40:18 +0100
+Subject: [PATCH 1/3] IPA-SAM: Fix build with samba 4.4
+
+samba_util.h is not shipped with samba-4.4
+and it was indirectly included by "ndr.h"
+
+Some functions have prototypes in different header file
+"util/talloc_stack.h" and other does not have declarations
+in other header file. But they are still part of libsamba-util.so
+
+sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup"
+0000000000022200 g    DF .text  000000000000001f  SAMBA_UTIL_0.0.1 smb_xstrdup
+00000000000223b0 g    DF .text  000000000000019d  SAMBA_UTIL_0.0.1 trim_string
+
+ipa_sam.c: In function 'ldapsam_uid_to_sid':
+ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe'
+                  [-Wimplicit-function-declaration]
+  TALLOC_CTX *tmp_ctx = talloc_stackframe();
+                        ^
+ipa_sam.c: In function 'pdb_init_ipasam':
+ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string'
+                  [-Wimplicit-function-declaration]
+  trim_string( uri, "\"", "\"" );
+  ^
+ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup'
+                   [-Wimplicit-function-declaration]
+  ldap_state->domain_dn = smb_xstrdup(dn);
+                          ^
+---
+ daemons/ipa-sam/ipa_sam.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 7274d600b532f1066661e8a614a47eea7632ed70..871775b0a19e9c273652ff7a0b497d86bb866aa6 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -19,6 +19,12 @@
+ #include <util/data_blob.h>
+ #include <util/time.h>
+ #include <util/debug.h>
++#include <util/talloc_stack.h>
++
++#ifndef _SAMBA_UTIL_H_
++bool trim_string(char *s, const char *front, const char *back);
++char *smb_xstrdup(const char *s);
++#endif
+ 
+ #include <core/ntstatus.h>
+ #include <gen_ndr/security.h>
+-- 
+2.5.0
+

0003-replica-promotion-fix-AVC-denials-in-remote-connecti.patch

@@ -0,0 +1,61 @@
+From af50dbca408aa83be2356f81b0e531f5cf8ca4b2 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Fri, 15 Jan 2016 08:07:21 +0100
+Subject: [PATCH] replica promotion: fix AVC denials in remote connection check
+
+Also move com.redhat.idm.trust-fetch-domains to /usr/libexec/ipa/oddjob.
+
+https://fedorahosted.org/freeipa/ticket/5550
+---
+ freeipa.spec.in                                          | 7 ++-----
+ install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 2 +-
+ 2 files changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index c8a5216..54a11bf 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -14,7 +14,7 @@
+ %global selinux_policy_version 3.12.1-153
+ %else
+ %global samba_version 2:4.0.5-1
+-%global selinux_policy_version 3.13.1-128.6
++%global selinux_policy_version 3.13.1-158.4
+ %endif
+ 
+ %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
+@@ -698,9 +698,6 @@ make client-install DESTDIR=%{buildroot}
+ mkdir -p %{buildroot}%{_usr}/share/ipa
+ 
+ %if ! %{ONLY_CLIENT}
+-# FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1289930
+-mv %{buildroot}%{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains %{buildroot}%{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
+-
+ # Remove .la files from libtool - we don't want to package
+ # these files
+ rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
+@@ -1224,7 +1221,7 @@ fi
+ %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+ %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
+ %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
+-%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
++%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
+ 
+ %endif # ONLY_CLIENT
+ 
+diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+index 17817de..bc2e8d1 100644
+--- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
++++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
+@@ -10,7 +10,7 @@
+       </interface>
+       <interface name="com.redhat.idm.trust">
+         <method name="fetch_domains">
+-          <helper exec="/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains"
++          <helper exec="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains"
+ 		  arguments="1"
+                   argument_passing_method="cmdline"
+ 		  prepend_user_name="no"/>
+-- 
+2.5.0
+

freeipa.spec

@@ -16,7 +16,7 @@
 %else
 %global samba_version 2:4.3.1-1
 %global samba_build_version 2:4.2.1
-%global selinux_policy_version 3.13.1-128.6
+%global selinux_policy_version 3.13.1-158.4
 %endif
 
 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
@@ -36,7 +36,7 @@
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -46,6 +46,8 @@ Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
+Patch0002:      0002-IPA-SAM-Fix-build-with-samba-4.4.patch
+Patch0003:      0003-replica-promotion-fix-AVC-denials-in-remote-connecti.patch
 
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.4.4
@@ -619,7 +621,29 @@ This package contains tests that verify IPA functionality under Python 3.
 
 
 %prep
-%setup -n freeipa-%{version} -q
+# Fedora spec file only: START
+# Update timestamps on the files touched by a patch, to avoid non-equal
+# .pyc/.pyo files across the multilib peers within a build, where "Level"
+# is the patch prefix option (e.g. -p1)
+# Taken from specfile for sssd and python-simplejson
+UpdateTimestamps() {
+  Level=$1
+  PatchFile=$2
+
+  # Locate the affected files:
+  for f in $(diffstat $Level -l $PatchFile); do
+    # Set the files to have the same timestamp as that of the patch:
+    touch -r $PatchFile $f
+  done
+}
+
+%setup -n freeipa-%{VERSION} -q
+
+for p in %patches ; do
+    %__patch -p1 -i $p
+    UpdateTimestamps -p1 $p
+done
+# Fedora spec file only: END
 
 
 %build
@@ -709,9 +733,6 @@ make client-install DESTDIR=%{buildroot}
 mkdir -p %{buildroot}%{_usr}/share/ipa
 
 %if ! %{ONLY_CLIENT}
-# FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1289930
-mv %{buildroot}%{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains %{buildroot}%{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
-
 # Remove .la files from libtool - we don't want to package
 # these files
 rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
@@ -1235,7 +1256,7 @@ fi
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
 %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
-%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
+%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
 
 %endif # ONLY_CLIENT
 
@@ -1403,6 +1424,10 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Thu Feb 04 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.0-3
+- Fix build with Samba 4.4
+- Update SELinux requires to fix connection check during installation
+
 * Wed Feb 03 2016 Fedora Release Engineering <releng@fedoraproject.org> - 4.3.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild