rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ipa-4.9.6-6.module+el8.5.0+12660+88e16a2c

Browse Source
This commit is contained in:
CentOS Sources 2021-11-09 04:57:57 -05:00 committed by Stepan Oksanichenko
parent aca3dbcb48
commit 32d9493df4
29 changed files with 1340 additions and 2257 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.9.2.tar.gz
SOURCES/freeipa-4.9.6.tar.gz

2
.ipa.metadata
View File

@ -1 +1 @@
c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz
b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz

381
SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
View File

@ -1,381 +0,0 @@
From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Fri, 11 Dec 2020 07:35:59 +0200
Subject: [PATCH] ipatests: add TestInstallWithoutSudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Test IPA servers and clients behavior when sudo is not installed.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../nightly_ipa-4-9_latest.yaml | 12 ++++
.../nightly_ipa-4-9_latest_selinux.yaml | 13 ++++
.../nightly_ipa-4-9_previous.yaml | 12 ++++
.../test_integration/test_installation.py | 66 +++++++++++++++++++
4 files changed, 103 insertions(+)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 3acd6a13c..d91b16cab 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -535,6 +535,18 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index c01192cf5..8adb06d0c 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -575,6 +575,19 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index a6ea24f6a..2b5d4fd5e 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -535,6 +535,18 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-previous-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-previous
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-previous-ipa-4-9/test_idviews:
requires: [fedora-previous-ipa-4-9/build]
priority: 50
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index eb6f7d78e..6e8af024c 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest):
self.replicas[0].hostname],
stdin_text=dirman_password)
assert self.replicas[0].hostname not in cmd.stdout_text
+
+
+class TestInstallWithoutSudo(IntegrationTest):
+
+ num_clients = 1
+ num_replicas = 1
+ no_sudo_str = "The sudo binary does not seem to be present on this"
+
+ @classmethod
+ def install(cls, mh):
+ pass
+
+ def test_sudo_removal(self):
+ # ipa-client makes sudo depend on libsss_sudo.
+
+ # --nodeps is mandatory because dogtag uses sudo at install
+ # time until commit 49585867207922479644a03078c29548de02cd03
+ # which is scheduled to land in 10.10.
+
+ # This also means sudo+libsss_sudo cannot be uninstalled on
+ # IPA servers with a CA.
+ assert tasks.is_package_installed(self.clients[0], 'sudo')
+ assert tasks.is_package_installed(self.clients[0], 'libsss_sudo')
+ tasks.uninstall_packages(
+ self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True
+ )
+
+ def test_ipa_installation_without_sudo(self):
+ # FixMe: When Dogtag 10.10 is out, test installation without sudo
+ tasks.install_master(self.master, setup_dns=True)
+
+ def test_replica_installation_without_sudo(self):
+ # FixMe: When Dogtag 10.10 is out, test replica installation
+ # without sudo and with CA
+ tasks.uninstall_packages(
+ self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True
+ )
+ # One-step install is needed.
+ # With promote=True, two-step install is done and that only captures
+ # the ipa-replica-install stdout/stderr, not ipa-client-install's.
+ result = tasks.install_replica(
+ self.master, self.replicas[0], promote=False,
+ setup_dns=True, setup_ca=False
+ )
+ assert self.no_sudo_str in result.stderr_text
+
+ def test_client_installation_without_sudo(self):
+ result = tasks.install_client(self.master, self.clients[0])
+ assert self.no_sudo_str in result.stderr_text
+
+ def test_remove_sudo_on_ipa(self):
+ tasks.uninstall_packages(
+ self.master, ['sudo', 'libsss_sudo'], nodeps=True
+ )
+ self.master.run_command(
+ ['ipactl', 'restart']
+ )
+
+ def test_install_sudo_on_client(self):
+ """ Check that installing sudo pulls libsss_sudo in"""
+ for pkg in ('sudo', 'libsss_sudo'):
+ assert tasks.is_package_installed(self.clients[0], pkg) is False
+ tasks.uninstall_client(self.clients[0])
+ tasks.install_packages(self.clients[0], ['sudo'])
+ for pkg in ('sudo', 'libsss_sudo'):
+ assert tasks.is_package_installed(self.clients[0], pkg)
--
2.29.2
From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 08:35:12 +0200
Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.
Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++-----
1 file changed, 41 insertions(+), 10 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index b91859816..2fe78367f 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -29,6 +29,7 @@ import re
import collections
import itertools
import shutil
+import shlex
import copy
import subprocess
import tempfile
@@ -2381,20 +2382,33 @@ def download_packages(host, pkgs):
return tmpdir
-def uninstall_packages(host, pkgs):
+def uninstall_packages(host, pkgs, nodeps=False):
"""Uninstall packages on a remote host.
- :param host: the host where the uninstallation takes place
- :param pkgs: packages to uninstall, provided as a list of strings
+ :param host: the host where the uninstallation takes place.
+ :param pkgs: packages to uninstall, provided as a list of strings.
+ :param nodeps: ignore dependencies (dangerous!).
"""
platform = get_platform(host)
- # Only supports RHEL 8+ and Fedora for now
- if platform in ('rhel', 'fedora'):
- install_cmd = ['/usr/bin/dnf', 'remove', '-y']
- elif platform in ('ubuntu'):
- install_cmd = ['apt-get', 'remove', '-y']
+ if platform not in ('rhel', 'fedora', 'ubuntu'):
+ raise ValueError('uninstall_packages: unknown platform %s' % platform)
+ if nodeps:
+ if platform in ('rhel', 'fedora'):
+ cmd = "rpm -e --nodeps"
+ elif platform in ('ubuntu'):
+ cmd = "dpkg -P --force-depends"
+ for package in pkgs:
+ uninstall_cmd = shlex.split(cmd)
+ uninstall_cmd.append(package)
+ # keep raiseonerr=True here. --fcami
+ host.run_command(uninstall_cmd)
else:
- raise ValueError('install_packages: unknown platform %s' % platform)
- host.run_command(install_cmd + pkgs, raiseonerr=False)
+ if platform in ('rhel', 'fedora'):
+ cmd = "/usr/bin/dnf remove -y"
+ elif platform in ('ubuntu'):
+ cmd = "apt-get remove -y"
+ uninstall_cmd = shlex.split(cmd)
+ uninstall_cmd.extend(pkgs)
+ host.run_command(uninstall_cmd, raiseonerr=False)
def wait_for_request(host, request_id, timeout=120):
@@ -2649,3 +2663,20 @@ def run_ssh_cmd(
assert "Authentication succeeded" not in stderr
assert "No more authentication methods to try." in stderr
return (return_code, stdout, stderr)
+
+
+def is_package_installed(host, pkg):
+ platform = get_platform(host)
+ if platform in ('rhel', 'fedora'):
+ result = host.run_command(
+ ['rpm', '-q', pkg], raiseonerr=False
+ )
+ elif platform in ['ubuntu']:
+ result = host.run_command(
+ ['dpkg', '-s', pkg], raiseonerr=False
+ )
+ else:
+ raise ValueError(
+ 'is_package_installed: unknown platform %s' % platform
+ )
+ return result.returncode == 0
--
2.29.2
From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 08:15:22 +0200
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaclient/install/client.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 8acfa0cd1..0e478fa26 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -24,6 +24,7 @@ import re
import SSSDConfig
import shutil
import socket
+import subprocess
import sys
import tempfile
import textwrap
@@ -2200,7 +2201,18 @@ def install_check(options):
"authentication resources",
rval=CLIENT_INSTALL_ERROR)
- # when installing with '--no-sssd' option, check whether nss-ldap is
+ # When installing without the "--no-sudo" option, check whether sudo is
+ # available.
+ if options.conf_sudo:
+ try:
+ subprocess.Popen(['sudo -V'])
+ except FileNotFoundError:
+ logger.info(
+ "The sudo binary does not seem to be present on this "
+ "system. Please consider installing sudo if required."
+ )
+
+ # when installing with the '--no-sssd' option, check whether nss-ldap is
# installed
if not options.sssd:
if not os.path.exists(paths.PAM_KRB5_SO):
--
2.29.2
From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 07:55:16 +0200
Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
freeipa.spec.in | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ba52a3834..93e473ac4 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -640,6 +640,11 @@ Requires: nfs-utils
Requires: sssd-tools >= %{sssd_version}
Requires(post): policycoreutils
+# https://pagure.io/freeipa/issue/8530
+Recommends: libsss_sudo
+Recommends: sudo
+Requires: (libsss_sudo if sudo)
+
Provides: %{alt_name}-client = %{version}
Conflicts: %{alt_name}-client
Obsoletes: %{alt_name}-client < %{version}
--
2.29.2

136
SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch Normal file
View File

@ -0,0 +1,136 @@
From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 22 Jun 2021 14:36:51 +0200
Subject: [PATCH] paths: add IPA_SERVER_CONF
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaplatform/base/paths.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 91423b332..de217d9ef 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -71,6 +71,7 @@ class BasePathNamespace:
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
+ IPA_SERVER_CONF = "/etc/ipa/server.conf"
DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
--
2.31.1
From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 22 Jun 2021 14:45:49 +0200
Subject: [PATCH] ipatests: smoke test for server debug mode.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a smoke test to make sure the server can be set in debug mode
without issue.
Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_integration/test_installation.py | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 301767b8d..0c96536f0 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
def test_install_master(self):
tasks.install_master(self.master, setup_dns=False)
+ @pytest.mark.skip_if_platform(
+ "debian", reason="This test hardcodes the httpd service name"
+ )
+ def test_smoke_test_for_debug_mode(self):
+ """Test if an IPA server works in debug mode.
+ Related: https://pagure.io/freeipa/issue/8891
+
+ Note: this test hardcodes the "httpd" service name.
+ """
+
+ target_fname = paths.IPA_SERVER_CONF
+ assert not self.master.transport.file_exists(target_fname)
+
+ # set the IPA server in debug mode
+ server_conf = "[global]\ndebug=True"
+ self.master.put_file_contents(target_fname, server_conf)
+ self.master.run_command(["systemctl", "restart", "httpd"])
+
+ # smoke test in debug mode
+ tasks.kdestroy_all(self.master)
+ tasks.kinit_admin(self.master)
+ self.master.run_command(["ipa", "user-show", "admin"])
+
+ # rollback
+ self.master.run_command(["rm", target_fname])
+ self.master.run_command(["systemctl", "restart", "httpd"])
+
def test_schema_compat_attribute_and_tree_disable(self):
"""Test if schema-compat-entry-attribute is set
--
2.31.1
From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 23 Jun 2021 06:35:19 +0200
Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.
Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/rpcserver.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index b121316bf..e612528e0 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -31,6 +31,7 @@ import os
import time
import traceback
from io import BytesIO
+from sys import version_info
from urllib.parse import parse_qs
from xmlrpc.client import Fault
@@ -72,6 +73,10 @@ from requests.auth import AuthBase
if six.PY3:
unicode = str
+# time.perf_counter_ns appeared in Python 3.7.
+if version_info < (3, 7):
+ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
+
logger = logging.getLogger(__name__)
HTTP_STATUS_SUCCESS = '200 Success'
--
2.31.1

272
SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch Normal file
View File

@ -0,0 +1,272 @@
From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:15:50 +0100
Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
services
Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.
Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
ipaserver/install/server/replicainstall.py | 13 ++++++++++++
ipaserver/plugins/host.py | 5 ++++-
ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 73967a224..f1fb91036 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
))
+def promotion_check_host_principal_auth_ind(conn, hostdn):
+ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
+ if 'krbprincipalauthind' in entry:
+ raise RuntimeError(
+ "Client cannot be promoted to a replica if the host principal "
+ "has an authentication indicator set."
+ )
+
+
@common_cleanup
@preserve_enrollment_state
def promote_check(installer):
@@ -956,6 +965,10 @@ def promote_check(installer):
config.master_host_name, None)
promotion_check_ipa_domain(conn, remote_api.env.basedn)
+ hostdn = DN(('fqdn', api.env.host),
+ api.env.container_host,
+ api.env.basedn)
+ promotion_check_host_principal_auth_ind(conn, hostdn)
# Make sure that domain fulfills minimal domain level
# requirement
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index eb1f8ef04..41fa933e2 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
LDAPAddAttributeViaOption,
LDAPRemoveAttributeViaOption)
from .service import (
- validate_realm, normalize_principal,
+ validate_realm, validate_auth_indicator, normalize_principal,
set_certificate_attrs, ticket_flags_params, update_krbticketflags,
set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
rename_ipaallowedtoperform_to_ldap, revoke_certs)
@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
if 'krbticketflags' in entry_attrs:
entry_attrs['objectclass'].append('krbticketpolicyaux')
+ validate_auth_indicator(entry_attrs)
+
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
if 'krbprincipalaux' not in (item.lower() for item in
entry_attrs['objectclass']):
entry_attrs['objectclass'].append('krbprincipalaux')
+ validate_auth_indicator(entry_attrs)
add_sshpubkey_to_attrs_pre(self.context, attrs_list)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 1c9347804..cfbbff3c6 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
raise errors.RealmMismatch()
+def validate_auth_indicator(entry):
+ new_value = entry.get('krbprincipalauthind', None)
+ if not new_value:
+ return
+ # The following services are considered internal IPA services
+ # and shouldn't be allowed to have auth indicators.
+ # https://pagure.io/freeipa/issue/8206
+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ principal = kerberos.Principal(pkey)
+ server = api.Command.server_find(principal.hostname)['result']
+ if server:
+ prefixes = ("host", "cifs", "ldap", "HTTP")
+ else:
+ prefixes = ("cifs",)
+ if principal.service_name in prefixes:
+ raise errors.ValidationError(
+ name='krbprincipalauthind',
+ error=_('authentication indicators not allowed '
+ 'in service "%s"' % principal.service_name)
+ )
+
+
def normalize_principal(value):
"""
Ensure that the name in the principal is lower-case. The realm is
@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
hostname)
self.obj.validate_ipakrbauthzdata(entry_attrs)
+ validate_auth_indicator(entry_attrs)
if not options.get('force', False):
# We know the host exists if we've gotten this far but we
@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
assert isinstance(dn, DN)
self.obj.validate_ipakrbauthzdata(entry_attrs)
+ validate_auth_indicator(entry_attrs)
# verify certificates
certs = entry_attrs.get('usercertificate') or []
--
2.31.1
From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:20:35 +0100
Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
IPA services
Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.
Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
.../test_replica_promotion.py | 38 +++++++++++++++++++
ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
3 files changed, 69 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 0a137dbdc..b9c56f775 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
assert result.returncode == 1
assert expected_err in result.stderr_text
+ @replicas_cleanup
+ def test_install_with_host_auth_ind_set(self):
+ """ A client shouldn't be able to be promoted if it has
+ any auth indicator set in the host principal.
+ https://pagure.io/freeipa/issue/8206
+ """
+
+ client = self.replicas[0]
+ # Configure firewall first
+ Firewall(client).enable_services(["freeipa-ldap",
+ "freeipa-ldaps"])
+
+ client.run_command(['ipa-client-install', '-U',
+ '--domain', self.master.domain.name,
+ '--realm', self.master.domain.realm,
+ '-p', 'admin',
+ '-w', self.master.config.admin_password,
+ '--server', self.master.hostname,
+ '--force-join'])
+
+ tasks.kinit_admin(client)
+
+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
+ client.hostname])
+
+ res = client.run_command(['ipa-replica-install', '-U', '-w',
+ self.master.config.dirman_password],
+ raiseonerr=False)
+
+ client.run_command(['ipa', 'host-mod', '--auth-ind=',
+ client.hostname])
+
+ expected_err = ("Client cannot be promoted to a replica if the host "
+ "principal has an authentication indicator set.")
+ assert res.returncode == 1
+ assert expected_err in res.stderr_text
+
+
@replicas_cleanup
def test_one_command_installation(self):
"""
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index c66bbc865..9cfde3565 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
error=u'An IPA master host cannot be deleted or disabled')):
command()
+ def test_try_add_auth_ind_master(self, this_host):
+ command = this_host.make_update_command({
+ u'krbprincipalauthind': u'radius'})
+ with raises_exact(errors.ValidationError(
+ name='krbprincipalauthind',
+ error=u'authentication indicators not allowed '
+ 'in service "host"'
+ )):
+ command()
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 4c845938c..ed634a045 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -25,6 +25,7 @@ from ipalib import api, errors
from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
from ipatests.test_xmlrpc import objectclasses
from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
@@ -1552,6 +1553,15 @@ def indicators_host(request):
return tracker.make_fixture(request)
+@pytest.fixture(scope='function')
+def this_host(request):
+ """Fixture for the current master"""
+ tracker = HostTracker(name=api.env.host.partition('.')[0],
+ fqdn=api.env.host)
+ tracker.exists = True
+ return tracker
+
+
@pytest.fixture(scope='function')
def indicators_service(request):
tracker = ServiceTracker(
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
expected_updates={u'krbprincipalauthind': [u'radius']}
)
+ def test_update_indicator_internal_service(self, this_host):
+ command = this_host.make_command('service_mod',
+ 'ldap/' + this_host.fqdn,
+ **dict(krbprincipalauthind='otp'))
+ with raises_exact(errors.ValidationError(
+ name='krbprincipalauthind',
+ error=u'authentication indicators not allowed '
+ 'in service "ldap"'
+ )):
+ command()
+
@pytest.fixture(scope='function')
def managing_host(request):
--
2.31.1

60
SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
View File

@ -1,60 +0,0 @@
From 6b25cd3241a5609b4d903d5697b8947fab403c90 Mon Sep 17 00:00:00 2001
From: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Date: Wed, 17 Feb 2021 19:43:00 +0530
Subject: [PATCH] ipatests: error message check in uninstall log for KRA
This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.
related: https://pagure.io/freeipa/issue/8550
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_backup_and_restore.py | 22 ++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index f13dfb5cb..6890ef201 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -451,9 +451,11 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest):
backup_path = tasks.get_backup_dir(self.master)
- self.master.run_command(['ipa-server-install',
- '--uninstall',
- '-U'])
+ # check that no error message in uninstall log for KRA instance
+ cmd = self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+ assert "failed to uninstall KRA" not in cmd.stderr_text
if reinstall:
tasks.install_master(self.master, setup_dns=True)
@@ -482,6 +484,20 @@ class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA):
"""backup, uninstall, reinstall, restore"""
self._full_backup_restore_with_vault(reinstall=True)
+ def test_no_error_message_with_uninstall_ipa_with_kra(self):
+ """Test there is no error message in uninstall log for KRA instance
+
+ There was error message in uninstall log when IPA with KRA was
+ uninstalled. This test check that there is no error message in
+ uninstall log for kra instance.
+
+ related: https://pagure.io/freeipa/issue/8550
+ """
+ cmd = self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+ assert "failed to uninstall KRA" not in cmd.stderr_text
+
class TestBackupAndRestoreWithReplica(IntegrationTest):
"""Regression tests for issues 7234 and 7455
--
2.29.2

119
SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
View File

@ -1,119 +0,0 @@
From 6d7b2d7d1b4711255ea72d62d27b5c5f4ec7c6e1 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sorlov@redhat.com>
Date: Tue, 16 Feb 2021 12:32:55 +0100
Subject: [PATCH] ipatests: skip tests for AD trust with shared secret in FIPS
mode
Related to https://pagure.io/freeipa/issue/8715
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_trust.py | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 3e522617d..c8a348212 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -5,6 +5,7 @@ from __future__ import absolute_import
import re
import textwrap
import time
+import functools
import pytest
@@ -13,6 +14,7 @@ from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration import fips
from ipapython.dn import DN
from collections import namedtuple
from contextlib import contextmanager
@@ -20,6 +22,18 @@ from contextlib import contextmanager
TestDataRule = namedtuple('TestDataRule',
['name', 'ruletype', 'user', 'subject'])
+
+def skip_in_fips_mode_due_to_issue_8715(test_method):
+ @functools.wraps(test_method)
+ def wrapper(instance):
+ if fips.is_fips_enabled(instance.master):
+ pytest.skip('Skipping in FIPS mode due to '
+ 'https://pagure.io/freeipa/issue/8715')
+ else:
+ test_method(instance)
+ return wrapper
+
+
class BaseTestTrust(IntegrationTest):
num_clients = 1
topology = 'line'
@@ -751,6 +765,7 @@ class TestTrust(BaseTestTrust):
# Test for one-way forest trust with shared secret
+ @skip_in_fips_mode_due_to_issue_8715
def test_establish_forest_trust_with_shared_secret(self):
tasks.configure_dns_for_trust(self.master, self.ad)
tasks.configure_windows_dns_for_trust(self.ad, self.master)
@@ -775,6 +790,7 @@ class TestTrust(BaseTestTrust):
tasks.establish_trust_with_ad(
self.master, self.ad_domain, shared_secret=self.shared_secret)
+ @skip_in_fips_mode_due_to_issue_8715
def test_trustdomains_found_in_forest_trust_with_shared_secret(self):
result = self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad.domain.name],
@@ -783,6 +799,7 @@ class TestTrust(BaseTestTrust):
self.check_trustdomains(
self.ad_domain, [self.ad_domain, self.ad_subdomain])
+ @skip_in_fips_mode_due_to_issue_8715
def test_user_gid_uid_resolution_in_forest_trust_with_shared_secret(self):
"""Check that user has SID-generated UID"""
# Using domain name since it is lowercased realm name for AD domains
@@ -801,6 +818,7 @@ class TestTrust(BaseTestTrust):
assert re.search(
testuser_regex, result.stdout_text), result.stdout_text
+ @skip_in_fips_mode_due_to_issue_8715
def test_remove_forest_trust_with_shared_secret(self):
ps_cmd = (
'[System.DirectoryServices.ActiveDirectory.Forest]'
@@ -823,6 +841,7 @@ class TestTrust(BaseTestTrust):
# Test for one-way external trust with shared secret
+ @skip_in_fips_mode_due_to_issue_8715
def test_establish_external_trust_with_shared_secret(self):
tasks.configure_dns_for_trust(self.master, self.ad)
tasks.configure_windows_dns_for_trust(self.ad, self.master)
@@ -838,6 +857,7 @@ class TestTrust(BaseTestTrust):
self.master, self.ad_domain, shared_secret=self.shared_secret,
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
+ @skip_in_fips_mode_due_to_issue_8715
def test_trustdomains_found_in_external_trust_with_shared_secret(self):
result = self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad.domain.name],
@@ -846,6 +866,7 @@ class TestTrust(BaseTestTrust):
self.check_trustdomains(
self.ad_domain, [self.ad_domain])
+ @skip_in_fips_mode_due_to_issue_8715
def test_user_uid_resolution_in_external_trust_with_shared_secret(self):
"""Check that user has SID-generated UID"""
# Using domain name since it is lowercased realm name for AD domains
@@ -864,6 +885,7 @@ class TestTrust(BaseTestTrust):
assert re.search(
testuser_regex, result.stdout_text), result.stdout_text
+ @skip_in_fips_mode_due_to_issue_8715
def test_remove_external_trust_with_shared_secret(self):
self.ad.run_command(
['netdom.exe', 'trust', self.master.domain.name,
--
2.29.2

89
SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch Normal file
View File

@ -0,0 +1,89 @@
From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 5 Jul 2021 09:51:41 +0200
Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.
There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.
Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/baseuser.py | 3 +++
ipaserver/plugins/user.py | 4 ----
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index ae16a978a..6035228f1 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
if entry_attrs.get('ipatokenradiususername', None):
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
entry_attrs, update=False)
+ if entry_attrs.get('ipauserauthtype', None):
+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
+ entry_attrs, update=False)
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 6f7facb53..e4ee572b2 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -617,10 +617,6 @@ class user_add(baseuser_add):
'ipauser' not in entry_attrs['objectclass']:
entry_attrs['objectclass'].append('ipauser')
- if 'ipauserauthtype' in entry_attrs and \
- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
- entry_attrs['objectclass'].append('ipauserauthtypeclass')
-
rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
if rcl:
if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
--
2.31.1
From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 5 Jul 2021 10:22:31 +0200
Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 5586fc607..bc606b093 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
result = command()
assert result['count'] == 1
+ def test_create_withuserauthtype(self, stageduser):
+ stageduser.ensure_missing()
+ command = stageduser.make_create_command(
+ options={u'ipauserauthtype': u'password'})
+ command()
+
@pytest.mark.tier1
class TestCreateInvalidAttributes(XMLRPC_test):
--
2.31.1

347
SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
View File

@ -1,347 +0,0 @@
From a0626e09b3eaf5d030982e2ff03e95841ad1b4b9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 3 Feb 2021 15:52:05 -0500
Subject: [PATCH] ipa-cert-fix: Don't hardcode the NSS certificate nickname
The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.
Instead pull the nickname from the DS configuration and
retrieve it based on that.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 2f2c15613..29af89cd5 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -203,9 +203,12 @@ def expired_ipa_certs(now):
certs.append((IPACertType.HTTPS, cert))
# LDAPS
- ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
+ serverid = realm_to_serverid(api.env.realm)
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
+ ds_dbdir = dsinstance.config_dirname(serverid)
+ ds_nickname = ds.get_server_cert_nickname(serverid)
db = NSSDatabase(nssdir=ds_dbdir)
- cert = db.get_cert('Server-Cert')
+ cert = db.get_cert(ds_nickname)
if cert.not_valid_after <= now:
certs.append((IPACertType.LDAPS, cert))
@@ -344,11 +347,13 @@ def install_ipa_certs(subject_base, ca_subject_dn, certs):
elif certtype is IPACertType.HTTPS:
shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
elif certtype is IPACertType.LDAPS:
- ds_dbdir = dsinstance.config_dirname(
- realm_to_serverid(api.env.realm))
+ serverid = realm_to_serverid(api.env.realm)
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
+ ds_dbdir = dsinstance.config_dirname(serverid)
db = NSSDatabase(nssdir=ds_dbdir)
- db.delete_cert('Server-Cert')
- db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path)
+ ds_nickname = ds.get_server_cert_nickname(serverid)
+ db.delete_cert(ds_nickname)
+ db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path)
elif certtype is IPACertType.KDC:
shutil.copyfile(cert_path, paths.KDC_CERT)
--
2.29.2
From 660507fda2394b17d709c47a05ce5df548a47990 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Feb 2021 08:25:48 -0500
Subject: [PATCH] ipatests: test third-party 389-ds cert with ipa-cert-fix
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 57 +++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 2f7de5526..f9e5fe6e2 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -11,6 +11,17 @@ import time
from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+
+
+def server_install_teardown(func):
+ def wrapped(*args):
+ master = args[0].master
+ try:
+ func(*args)
+ finally:
+ ipa_certs_cleanup(master)
+ return wrapped
class TestIpaCertFix(IntegrationTest):
@@ -94,3 +105,49 @@ class TestIpaCertFix(IntegrationTest):
else:
# timeout
raise AssertionError('Timeout: Failed to renew all the certs')
+
+
+class TestIpaCertFixThirdParty(CALessBase):
+ """
+ Test that ipa-cert-fix works with an installation with custom certs.
+ """
+
+ @classmethod
+ def install(cls, mh):
+ cls.nickname = 'ca1/server'
+
+ super(TestIpaCertFixThirdParty, cls).install(mh)
+ tasks.install_master(cls.master, setup_dns=True)
+
+ @server_install_teardown
+ def test_third_party_certs(self):
+ self.create_pkcs12(self.nickname,
+ password=self.cert_password,
+ filename='server.p12')
+ self.prepare_cacert('ca1')
+
+ # We have a chain length of one. If this is extended then the
+ # additional cert names will need to be calculated.
+ nick_chain = self.nickname.split('/')
+ ca_cert = '%s.crt' % nick_chain[0]
+
+ # Add the CA to the IPA store
+ self.copy_cert(self.master, ca_cert)
+ self.master.run_command(['ipa-cacert-manage', 'install', ca_cert])
+
+ # Apply the new cert chain otherwise ipa-server-certinstall will fail
+ self.master.run_command(['ipa-certupdate'])
+
+ # Install the updated certs and restart the world
+ self.copy_cert(self.master, 'server.p12')
+ args = ['ipa-server-certinstall',
+ '-p', self.master.config.dirman_password,
+ '--pin', self.master.config.admin_password,
+ '-d', 'server.p12']
+ self.master.run_command(args)
+ self.master.run_command(['ipactl', 'restart',])
+
+ # Run ipa-cert-fix. This is basically a no-op but tests that
+ # the DS nickname is used and not a hardcoded value.
+ result = self.master.run_command(['ipa-cert-fix', '-v'],)
+ assert self.nickname in result.stderr_text
--
2.29.2
From 4cb6f0ba0df928eea60b20892a6fc85373627946 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 5 Feb 2021 09:00:54 -0500
Subject: [PATCH] Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
freeipa.spec.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 93e473ac4..0e261285b 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -128,11 +128,11 @@
%if 0%{?rhel} == 8
# PKIConnection has been modified to always validate certs.
# https://pagure.io/freeipa/issue/8379
-%global pki_version 10.9.0-0.4
+%global pki_version 10.10.4-1
%else
# New KRA profile, ACME support
# https://pagure.io/freeipa/issue/8545
-%global pki_version 10.10.0-2
+%global pki_version 10.10.3-1
%endif
# RHEL 8.3+, F32+ has 0.79.13
--
2.29.2
From f3463728f2196589d36e14cedccb26c03730a7c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 10 Feb 2021 16:07:13 -0500
Subject: [PATCH] Don't renew non-IPA issued certs in ipa-cert-fix
If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.
Report which certificates will not be renewed so the
admin can manually do do (likely in the event of a
third-party certificate).
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 53 +++++++++++++++++++++++++------
1 file changed, 43 insertions(+), 10 deletions(-)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 29af89cd5..210cf80f1 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -43,6 +43,7 @@ from ipapython.certdb import NSSDatabase, EMPTY_TRUST_FLAGS
from ipapython.dn import DN
from ipapython.ipaldap import realm_to_serverid
from ipaserver.install import ca, cainstance, dsinstance
+from ipaserver.install.certs import is_ipa_issued_cert
from ipapython import directivesetter
from ipapython import ipautil
@@ -104,6 +105,13 @@ class IPACertFix(AdminTool):
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
+
+ if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
+ print(
+ "The LDAP server is not running; cannot proceed."
+ )
+ return 1
+
api.Backend.ldap2.connect() # ensure DS is up
subject_base = dsinstance.DsInstance().find_subject_base()
@@ -113,7 +121,7 @@ class IPACertFix(AdminTool):
ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
now = datetime.datetime.now() + datetime.timedelta(weeks=2)
- certs, extra_certs = expired_certs(now)
+ certs, extra_certs, non_renewed = expired_certs(now)
if not certs and not extra_certs:
print("Nothing to do.")
@@ -121,7 +129,7 @@ class IPACertFix(AdminTool):
print(msg)
- print_intentions(certs, extra_certs)
+ print_intentions(certs, extra_certs, non_renewed)
response = ipautil.user_input('Enter "yes" to proceed')
if response.lower() != 'yes':
@@ -133,7 +141,10 @@ class IPACertFix(AdminTool):
fix_certreq_directives(certs)
run_cert_fix(certs, extra_certs)
except ipautil.CalledProcessError:
- if any(x[0] is IPACertType.LDAPS for x in extra_certs):
+ if any(
+ x[0] is IPACertType.LDAPS
+ for x in extra_certs + non_renewed
+ ):
# The DS cert was expired. This will cause
# 'pki-server cert-fix' to fail at the final
# restart. Therefore ignore the CalledProcessError
@@ -152,13 +163,15 @@ class IPACertFix(AdminTool):
print("Becoming renewal master.")
cainstance.CAInstance().set_renewal_master()
+ print("Restarting IPA")
ipautil.run(['ipactl', 'restart'], raiseonerr=True)
return 0
def expired_certs(now):
- return expired_dogtag_certs(now), expired_ipa_certs(now)
+ expired_ipa, non_renew_ipa = expired_ipa_certs(now)
+ return expired_dogtag_certs(now), expired_ipa, non_renew_ipa
def expired_dogtag_certs(now):
@@ -191,6 +204,7 @@ def expired_ipa_certs(now):
"""
certs = []
+ non_renewed = []
# IPA RA
cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
@@ -200,7 +214,10 @@ def expired_ipa_certs(now):
# Apache HTTPD
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
if cert.not_valid_after <= now:
- certs.append((IPACertType.HTTPS, cert))
+ if not is_ipa_issued_cert(api, cert):
+ non_renewed.append((IPACertType.HTTPS, cert))
+ else:
+ certs.append((IPACertType.HTTPS, cert))
# LDAPS
serverid = realm_to_serverid(api.env.realm)
@@ -210,18 +227,24 @@ def expired_ipa_certs(now):
db = NSSDatabase(nssdir=ds_dbdir)
cert = db.get_cert(ds_nickname)
if cert.not_valid_after <= now:
- certs.append((IPACertType.LDAPS, cert))
+ if not is_ipa_issued_cert(api, cert):
+ non_renewed.append((IPACertType.LDAPS, cert))
+ else:
+ certs.append((IPACertType.LDAPS, cert))
# KDC
cert = x509.load_certificate_from_file(paths.KDC_CERT)
if cert.not_valid_after <= now:
- certs.append((IPACertType.KDC, cert))
+ if not is_ipa_issued_cert(api, cert):
+ non_renewed.append((IPACertType.HTTPS, cert))
+ else:
+ certs.append((IPACertType.KDC, cert))
- return certs
+ return certs, non_renewed
-def print_intentions(dogtag_certs, ipa_certs):
- print("The following certificates will be renewed: ")
+def print_intentions(dogtag_certs, ipa_certs, non_renewed):
+ print("The following certificates will be renewed:")
print()
for certid, cert in dogtag_certs:
@@ -230,6 +253,16 @@ def print_intentions(dogtag_certs, ipa_certs):
for certtype, cert in ipa_certs:
print_cert_info("IPA", certtype.value, cert)
+ if non_renewed:
+ print(
+ "The following certificates will NOT be renewed because "
+ "they were not issued by the IPA CA:"
+ )
+ print()
+
+ for certtype, cert in non_renewed:
+ print_cert_info("IPA", certtype.value, cert)
+
def print_cert_info(context, desc, cert):
print("{} {} certificate:".format(context, desc))
--
2.29.2

35
SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch Normal file
View File

@ -0,0 +1,35 @@
From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 7 Jul 2021 14:11:40 +0200
Subject: [PATCH] man page: update ipa-server-upgrade.1
The man page needs to clarify in which case the command needs
to be run.
Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami@redhat.com>
---
install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
index 3db19b0f1..f01e21c6b 100644
--- a/install/tools/man/ipa-server-upgrade.1
+++ b/install/tools/man/ipa-server-upgrade.1
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
.SH "SYNOPSIS"
ipa\-server\-upgrade [options]
.SH "DESCRIPTION"
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
+the IPA packages are being updated. It is not intended to be executed by
+end\-users, unless the automatic execution reports an error. In this case,
+the administrator needs to identify and fix the issue that is causing the
+upgrade failure (with the help of /var/log/ipaupgrade.log)
+and manually re\-run ipa\-server\-upgrade.
ipa\-server\-upgrade will:
--
2.31.1

69
SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch Normal file
View File

@ -0,0 +1,69 @@
From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 12 Jul 2021 11:02:10 -0400
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
indicators
When adding a new host the principal cannot be determined because it
relies on either:
a) an entry to already exist
b) krbprincipalname be a component of the dn
As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.
Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.
https://pagure.io/freeipa/issue/8206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/plugins/service.py | 5 +++++
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
2 files changed, 16 insertions(+)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index cfbbff3c6..498f5e444 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
# and shouldn't be allowed to have auth indicators.
# https://pagure.io/freeipa/issue/8206
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ if pkey == str(entry.dn):
+ # krbcanonicalname may not be set yet if this is a host entry,
+ # try krbprincipalname
+ if 'krbprincipalname' in entry:
+ pkey = entry['krbprincipalname']
principal = kerberos.Principal(pkey)
server = api.Command.server_find(principal.hostname)['result']
if server:
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 9cfde3565..ff50e796c 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
)):
command()
+ def test_add_non_master_with_auth_ind(self, host5):
+ host5.ensure_missing()
+ command = host5.make_command(
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
+ force=True
+ )
+ result = command()
+ # The fact that the command succeeds exercises the change but
+ # let's check the indicator as well.
+ assert result['result']['krbprincipalauthind'] == ('radius',)
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
--
2.31.1

135
SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
View File

@ -1,135 +0,0 @@
From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sorlov@redhat.com>
Date: Wed, 17 Feb 2021 16:48:33 +0100
Subject: [PATCH] ipatests: test Samba mount with NTLM authentication
Related to https://pagure.io/freeipa/issue/8636
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/pytest_ipa/integration/__init__.py | 17 ++++++
ipatests/test_integration/test_smb.py | 63 +++++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py
index 55291ae8b..f62b667bd 100644
--- a/ipatests/pytest_ipa/integration/__init__.py
+++ b/ipatests/pytest_ipa/integration/__init__.py
@@ -28,12 +28,14 @@ import os
import tempfile
import shutil
import re
+import functools
import pytest
from pytest_multihost import make_multihost_fixture
from ipapython import ipautil
from ipaplatform.paths import paths
+from . import fips
from .config import Config
from .env_config import get_global_config
from . import tasks
@@ -478,3 +480,18 @@ def del_compat_attrs(cls):
del cls.ad_subdomains
del cls.ad_treedomains
del cls.ad_domains
+
+
+def skip_if_fips(reason='Not supported in FIPS mode', host='master'):
+ if callable(reason):
+ raise TypeError('Invalid decorator usage, add "()"')
+
+ def decorator(test_method):
+ @functools.wraps(test_method)
+ def wrapper(instance, *args, **kwargs):
+ if fips.is_fips_enabled(getattr(instance, host)):
+ pytest.skip(reason)
+ else:
+ test_method(instance, *args, **kwargs)
+ return wrapper
+ return decorator
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 37725ab15..749a96325 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipaplatform.osinfo import osinfo
from ipaplatform.paths import paths
+from ipatests.pytest_ipa.integration import skip_if_fips
def wait_smbd_functional(host):
@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest):
finally:
self.cleanup_mount(mountpoint)
+ def check_repeated_smb_mount(self, options):
+ mountpoint = '/mnt/smb'
+ unc = '//{}/homes'.format(self.smbserver.hostname)
+ test_file = 'ntlm_test'
+ test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file)
+ test_file_client_path = '{}/{}'.format(mountpoint, test_file)
+
+ self.smbclient.run_command(['mkdir', '-p', mountpoint])
+ self.smbserver.put_file_contents(test_file_server_path, '')
+ try:
+ for i in [1, 2]:
+ res = self.smbclient.run_command([
+ 'mount', '-t', 'cifs', unc, mountpoint, '-o', options],
+ raiseonerr=False)
+ assert res.returncode == 0, (
+ 'Mount failed at iteration {}. Output: {}'
+ .format(i, res.stdout_text + res.stderr_text))
+ assert self.smbclient.transport.file_exists(
+ test_file_client_path)
+ self.smbclient.run_command(['umount', mountpoint])
+ finally:
+ self.cleanup_mount(mountpoint)
+ self.smbserver.run_command(['rm', '-f', test_file_server_path])
+
+ @skip_if_fips()
+ def test_ntlm_authentication_with_auto_domain(self):
+ """Repeatedly try to authenticate with username and password with
+ automatic domain discovery.
+
+ This is a regression test for https://pagure.io/freeipa/issue/8636
+ """
+ tasks.kdestroy_all(self.smbclient)
+
+ mount_options = 'user={user},pass={password},domainauto'.format(
+ user=self.ipa_user1,
+ password=self.ipa_user1_password
+ )
+
+ self.check_repeated_smb_mount(mount_options)
+
+ @skip_if_fips()
+ def test_ntlm_authentication_with_upn_with_lowercase_domain(self):
+ tasks.kdestroy_all(self.smbclient)
+
+ mount_options = 'user={user}@{domain},pass={password}'.format(
+ user=self.ipa_user1,
+ password=self.ipa_user1_password,
+ domain=self.master.domain.name.lower()
+ )
+ self.check_repeated_smb_mount(mount_options)
+
+ @skip_if_fips()
+ def test_ntlm_authentication_with_upn_with_uppercase_domain(self):
+ tasks.kdestroy_all(self.smbclient)
+
+ mount_options = 'user={user}@{domain},pass={password}'.format(
+ user=self.ipa_user1,
+ password=self.ipa_user1_password,
+ domain=self.master.domain.name.upper()
+ )
+ self.check_repeated_smb_mount(mount_options)
+
def test_uninstall_samba(self):
self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U'])
res = self.smbserver.run_command(
--
2.29.2

79
SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
View File

@ -1,79 +0,0 @@
From 20bb855a57080145d0d5555294381c890ef605bb Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Tue, 16 Feb 2021 16:53:24 +0100
Subject: [PATCH] ipaserver: don't ignore zonemgr option on install
Fix zonemgr option in ipaserver install being
ignored because of an incorrect condition.
Fixes: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/bindinstance.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 3b446ce76..19941cd00 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -355,7 +355,7 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None,
else:
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
- if zonemgr is None:
+ if not zonemgr:
zonemgr = 'hostmaster.%s' % name
if ns_hostname:
@@ -682,7 +682,7 @@ class BindInstance(service.Service):
self.forward_policy = forward_policy
self.reverse_zones = reverse_zones
- if zonemgr is not None:
+ if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
--
2.29.2
From 82043e1fd052618608d3b7786473a632478795ee Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Tue, 16 Feb 2021 18:24:26 +0100
Subject: [PATCH] ipatests: check that zonemgr is set correctly during server
install
Add test to check that zonemgr is correctly
set when installing IPA server.
Related: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_installation.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 6e8af024c..18c5bd243 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1171,6 +1171,13 @@ class TestInstallMasterDNS(IntegrationTest):
extra_args=['--zonemgr', 'me@example.org'],
)
+ tasks.kinit_admin(self.master)
+ result = self.master.run_command(
+ ['ipa', 'dnszone-show', self.master.domain.name]
+ ).stdout_text
+
+ assert "Administrator e-mail address: me.example.org" in result
+
def test_server_install_lock_bind_recursion(self):
"""Test if server installer lock Bind9 recursion
--
2.29.2

30
SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch Normal file
View File

@ -0,0 +1,30 @@
From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 16 Jul 2021 09:20:33 +0300
Subject: [PATCH] rhel platform: add a named crypto-policy support
RHEL 8+ provides bind system-wide crypto policy support, enable it.
Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipaplatform/rhel/paths.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
index c081ada32..3631550eb 100644
--- a/ipaplatform/rhel/paths.py
+++ b/ipaplatform/rhel/paths.py
@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
class RHELPathNamespace(RedHatPathNamespace):
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
--
2.31.1

53
SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch Normal file
View File

@ -0,0 +1,53 @@
From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 30 Aug 2021 16:44:47 -0400
Subject: [PATCH] Catch and log errors when adding CA profiles
Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.
It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.
Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.
https://pagure.io/freeipa/issue/8974
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/cainstance.py | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 9e842b33e..8c8bf1b3a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1973,8 +1973,17 @@ def import_included_profiles():
# Create the profile, replacing any existing profile of same name
profile_data = __get_profile_config(profile_id)
- _create_dogtag_profile(profile_id, profile_data, overwrite=True)
- logger.debug("Imported profile '%s'", profile_id)
+ try:
+ _create_dogtag_profile(profile_id, profile_data,
+ overwrite=True)
+ except errors.HTTPRequestError as e:
+ logger.warning("Failed to import profile '%s': %s. Running "
+ "ipa-server-upgrade when installation is "
+ "completed may resolve this issue.",
+ profile_id, e)
+ conn.delete_entry(entry)
+ else:
+ logger.debug("Imported profile '%s'", profile_id)
else:
logger.debug(
"Profile '%s' is already in LDAP; skipping", profile_id
--
2.31.1

318
SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
View File

@ -1,318 +0,0 @@
From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Tue, 2 Feb 2021 17:33:57 +0530
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs
Test moves system date to expire certs. Then calls ipa-cert-fix
to renew them. This certs include subsystem, audit-signing,
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index f9e5fe6e2..da68af573 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI.
import pytest
import time
+import logging
from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+logger = logging.getLogger(__name__)
+
+
def server_install_teardown(func):
def wrapped(*args):
master = args[0].master
@@ -24,6 +28,26 @@ def server_install_teardown(func):
return wrapped
+def check_status(host, cert_count, state, timeout=600):
+ """Helper method to check that if all the certs are in given state
+ :param host: the host
+ :param cert_count: no of cert to look for
+ :param state: state to check for
+ :param timeout: max time in seconds to wait for the state
+ """
+ for _i in range(0, timeout, 10):
+ result = host.run_command(['getcert', 'list'])
+ count = result.stdout_text.count(f"status: {state}")
+ logger.info("cert count in %s state : %s", state, count)
+ if int(count) == cert_count:
+ break
+ time.sleep(10)
+ else:
+ raise RuntimeError("request timed out")
+
+ return count
+
+
class TestIpaCertFix(IntegrationTest):
@classmethod
def uninstall(cls, mh):
@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest):
# timeout
raise AssertionError('Timeout: Failed to renew all the certs')
+ def test_renew_expired_cert_on_master(self, expire_cert_critical):
+ """Test if ipa-cert-fix renews expired certs
+
+ Test moves system date to expire certs. Then calls ipa-cert-fix
+ to renew them. This certs include subsystem, audit-signing,
+ OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ # wait for cert expiry
+ check_status(self.master, 8, "CA_UNREACHABLE")
+
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+ check_status(self.master, 9, "MONITORING")
+
+ # second iteration of ipa-cert-fix
+ result = self.master.run_command(
+ ['ipa-cert-fix', '-v'],
+ stdin_text='yes\n'
+ )
+ assert "Nothing to do" in result.stdout_text
+ check_status(self.master, 9, "MONITORING")
+
+ def test_ipa_cert_fix_non_ipa(self):
+ """Test ipa-cert-fix doesn't work on non ipa system
+
+ ipa-cert-fix tool should not work on non ipa system.
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
+ stdin_text='yes\n',
+ raiseonerr=False)
+ assert result.returncode == 2
+
class TestIpaCertFixThirdParty(CALessBase):
"""
--
2.29.2
From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 11 Feb 2021 16:54:22 +0530
Subject: [PATCH] Move fixture outside the class and add setup_kra capability
Moved fixture to use across multiple classes. Added capability
to install the KRA to the fixture
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 46 ++++++++++++-------
1 file changed, 30 insertions(+), 16 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index da68af573..591dc5031 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600):
return count
+@pytest.fixture
+def expire_cert_critical():
+ """
+ Fixture to expire the certs by moving the system date using
+ date -s command and revert it back
+ """
+
+ hosts = dict()
+
+ def _expire_cert_critical(host, setup_kra=False):
+ hosts['host'] = host
+ # Do not install NTP as the test plays with the date
+ tasks.install_master(host, setup_dns=False,
+ extra_args=['--no-ntp'])
+ if setup_kra:
+ tasks.install_kra(host)
+ host.run_command(['systemctl', 'stop', 'chronyd'])
+ host.run_command(['date', '-s', '+3Years+1day'])
+
+ yield _expire_cert_critical
+
+ host = hosts.pop('host')
+ tasks.uninstall_master(host)
+ host.run_command(['date', '-s', '-3Years-1day'])
+ host.run_command(['systemctl', 'start', 'chronyd'])
+
+
class TestIpaCertFix(IntegrationTest):
@classmethod
def uninstall(cls, mh):
@@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest):
# the fixture
pass
- @pytest.fixture
- def expire_cert_critical(self):
- """
- Fixture to expire the certs by moving the system date using
- date -s command and revert it back
- """
- # Do not install NTP as the test plays with the date
- tasks.install_master(self.master, setup_dns=False,
- extra_args=['--no-ntp'])
- self.master.run_command(['systemctl', 'stop', 'chronyd'])
- self.master.run_command(['date','-s', '+3Years+1day'])
- yield
- tasks.uninstall_master(self.master)
- self.master.run_command(['date','-s', '-3Years-1day'])
- self.master.run_command(['systemctl', 'start', 'chronyd'])
-
def test_missing_csr(self, expire_cert_critical):
"""
Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest):
- call getcert resubmit in order to create the CSR in certmonger file
- use ipa-cert-fix, no issue should be seen
"""
+ expire_cert_critical(self.master)
# pki must be stopped in order to edit CS.cfg
self.master.run_command(['ipactl', 'stop'])
self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d',
@@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest):
related: https://pagure.io/freeipa/issue/7885
"""
+ expire_cert_critical(self.master)
+
# wait for cert expiry
check_status(self.master, 8, "CA_UNREACHABLE")
--
2.29.2
From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 11 Feb 2021 16:59:53 +0530
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra
installed
This test check if ipa-cert-fix renews certs with kra
certificate installed.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 591dc5031..b2e92d4dc 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase):
# the DS nickname is used and not a hardcoded value.
result = self.master.run_command(['ipa-cert-fix', '-v'],)
assert self.nickname in result.stderr_text
+
+
+class TestCertFixKRA(IntegrationTest):
+ @classmethod
+ def uninstall(cls, mh):
+ # Uninstall method is empty as the uninstallation is done in
+ # the fixture
+ pass
+
+ def test_renew_expired_cert_with_kra(self, expire_cert_critical):
+ """Test if ipa-cert-fix renews expired certs with kra installed
+
+ This test check if ipa-cert-fix renews certs with kra
+ certificate installed.
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ expire_cert_critical(self.master, setup_kra=True)
+
+ # check if all subsystem cert expired
+ check_status(self.master, 11, "CA_UNREACHABLE")
+
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+ check_status(self.master, 12, "MONITORING")
--
2.29.2
From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Tue, 2 Mar 2021 11:42:36 +0530
Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml | 2 +-
ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +-
ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index ebd539246..8a88698eb 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -1687,5 +1687,5 @@ jobs:
build_url: '{fedora-latest-ipa-4-9/build_url}'
test_suite: test_integration/test_ipa_cert_fix.py
template: *ci-ipa-4-9-latest
- timeout: 3600
+ timeout: 7200
topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index d4b597d6e..14f0c4292 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -1821,5 +1821,5 @@ jobs:
selinux_enforcing: True
test_suite: test_integration/test_ipa_cert_fix.py
template: *ci-ipa-4-9-latest
- timeout: 3600
+ timeout: 7200
topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index 1fd589e6a..b7f8d2b3e 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -1687,5 +1687,5 @@ jobs:
build_url: '{fedora-previous-ipa-4-9/build_url}'
test_suite: test_integration/test_ipa_cert_fix.py
template: *ci-ipa-4-9-previous
- timeout: 3600
+ timeout: 7200
topology: *master_1repl
--
2.29.2

37
SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
View File

@ -1,37 +0,0 @@
From caf748860860293e010e695d72f6b3b3d8509f8a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 2 Mar 2021 08:44:35 +0100
Subject: [PATCH] ipatests: use whole date when calling journalctl --since
The test test_commands.py::TestIPACommand::test_ssh_key_connection
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
The fix provides a complete date with year-month-day hours:min:sec.
Fixes: https://pagure.io/freeipa/issue/8728
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipatests/test_integration/test_commands.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 45f642bf2..b7ffb926f 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -642,7 +642,8 @@ class TestIPACommand(IntegrationTest):
# start to look at logs a bit before "now"
# https://pagure.io/freeipa/issue/8432
since = time.strftime(
- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
+ '%Y-%m-%d %H:%M:%S',
+ (datetime.now() - timedelta(seconds=10)).timetuple()
)
tasks.run_ssh_cmd(
--
2.29.2

41
SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch Normal file
View File

@ -0,0 +1,41 @@
From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 30 Aug 2021 18:40:24 +0200
Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.
audit2allow suggests to add the following:
allow ipa_custodia_t proc_t:file { getattr open read };
but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.
Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 68e109419..7492fca04 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
kernel_dgram_send(ipa_custodia_t)
kernel_read_network_state(ipa_custodia_t)
+kernel_read_system_state(ipa_custodia_t)
auth_read_passwd(ipa_custodia_t)
--
2.31.1

46
SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch Normal file
View File

@ -0,0 +1,46 @@
From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Aug 2021 17:10:29 +0200
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exists in the
given domain.
Resolves: https://pagure.io/freeipa/issue/8965
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 5d97ff613..6f646b9f4 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_INVALID_SYNTAX;
+ /* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_INVALID_SYNTAX;
+ /* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
--
2.31.1

594
SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
View File

@ -1,594 +0,0 @@
From 2832810891acfaca68142df7271d6f0a50a588eb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 19 Feb 2021 15:37:47 +0200
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
Calling to ipadb_get_connection() will remove LDAP context if any error
happens. This means upper layers must always verify that LDAP context
exists after such calls.
ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.
Fixes: https://pagure.io/freeipa/issue/8681
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 1 +
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
3 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 43ba955ac..6e1e3e351 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -57,6 +57,7 @@ static void ipadb_context_free(krb5_context kcontext,
/* ldap free lcontext */
if ((*ctx)->lcontext) {
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
+ (*ctx)->lcontext = NULL;
}
free((*ctx)->supp_encs);
free((*ctx)->def_encs);
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 31f617129..81a8fd483 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -418,7 +418,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
krb5_timestamp authtime,
struct netr_SamInfo3 *info3)
{
- LDAP *lcontext = ipactx->lcontext;
LDAPDerefRes *deref_results = NULL;
struct dom_sid sid;
gid_t prigid = -1;
@@ -435,7 +434,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
bool is_idobject = false;
krb5_principal princ;
- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
&objectclasses);
if (ret == 0 && objectclasses != NULL) {
for (c = 0; objectclasses[c] != NULL; c++) {
@@ -472,13 +471,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
if (is_host) {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
if (ret) {
/* fqdn is mandatory for hosts */
return ret;
}
} else if (is_service) {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "krbCanonicalName", &strres);
if (ret) {
/* krbCanonicalName is mandatory for services */
return ret;
@@ -498,7 +498,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ENOENT;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
if (ret) {
/* uid is mandatory */
return ret;
@@ -511,7 +511,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
if (is_host || is_service) {
prigid = 515; /* Well known RID for domain computers group */
} else {
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
+ "gidNumber", &intres);
if (ret) {
/* gidNumber is mandatory */
return ret;
@@ -544,7 +545,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.kickoff_time = INT64_MAX;
#endif
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
"krbLastPwdChange", &timeres);
switch (ret) {
case 0:
@@ -562,7 +563,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.allow_password_change = info3->base.last_password_change;
info3->base.force_password_change = INT64_MAX;
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
switch (ret) {
case 0:
info3->base.full_name.string = talloc_strdup(memctx, strres);
@@ -575,7 +576,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTLogonScript", &strres);
switch (ret) {
case 0:
@@ -589,7 +590,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTProfilePath", &strres);
switch (ret) {
case 0:
@@ -603,7 +604,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectory", &strres);
switch (ret) {
case 0:
@@ -617,7 +618,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectoryDrive", &strres);
switch (ret) {
case 0:
@@ -648,7 +649,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.rid = 515;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTSecurityIdentifier", &strres);
if (ret) {
/* SID is mandatory */
@@ -665,7 +666,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
}
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
switch (ret) {
LDAPDerefRes *dres;
LDAPDerefVal *dval;
@@ -2511,7 +2512,7 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{
struct ipadb_adtrusts *t;
- LDAP *lc = ipactx->lcontext;
+ LDAP *lc = NULL;
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
@@ -2545,6 +2546,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
goto done;
}
+ lc = ipactx->lcontext;
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
dnstr = ldap_get_dn(lc, le);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d1fa51578..cf1b4f53e 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -333,6 +333,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
if (gcfg != NULL)
gua = gcfg->user_auth;
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
+ * global config and cleared the ipactx */
+ if (ipactx->lcontext == NULL)
+ return IPADB_USER_AUTH_NONE;
+
/* Get the user's user_auth settings if not disabled. */
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
@@ -607,8 +612,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
free(entry);
return KRB5_KDB_DBNOTINITED;
}
- lcontext = ipactx->lcontext;
- if (!lcontext) {
+
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
+
+ /* Get User Auth configuration. */
+ ua = ipadb_get_user_auth(ipactx, lentry);
+
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
+ * and that might fail, causing lcontext to become NULL */
+ if (!ipactx->lcontext) {
krb5_klog_syslog(LOG_INFO,
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
ret = ipadb_get_connection(ipactx);
@@ -620,11 +633,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
}
}
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
-
- /* Get User Auth configuration. */
- ua = ipadb_get_user_auth(ipactx, lentry);
+ /* If any code below would result in invalidating ipactx->lcontext,
+ * lcontext must be updated with the new ipactx->lcontext value.
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
+ lcontext = ipactx->lcontext;
/* ignore mask for now */
--
2.29.2
From 0da9de495ca41a1bf0926aef7c9c75c3e53dcd63 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Feb 2021 10:06:25 +0200
Subject: [PATCH] ipa-kdb: fix compiler warnings
There are few fields in KDB structures that have 'conflicting' types but
need to be compared. They come from MIT Kerberos and we have no choice
here.
In the same way, SID structures have own requirements.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++---
daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index ed48ea758..ec2046bfe 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -112,13 +112,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
if (krb5_ts_after(krb5_ts_incr(client->last_failed,
ied->pol->lockout_duration), authtime) &&
- (client->fail_auth_count >= ied->pol->max_fail &&
+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
ied->pol->max_fail != 0)) {
/* client already locked, nothing more to do */
break;
}
if (ied->pol->max_fail == 0 ||
- client->fail_auth_count < ied->pol->max_fail) {
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
/* let's increase the fail counter */
client->fail_auth_count++;
client->mask |= KMASK_FAIL_AUTH_COUNT;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 81a8fd483..9691b14f6 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -148,9 +148,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
{
- size_t c;
+ int8_t c;
size_t len;
- int ofs;
+ size_t ofs;
uint32_t ia;
char *buf;
@@ -2612,7 +2612,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
t[n].upn_suffixes_len = NULL;
if (t[n].upn_suffixes != NULL) {
- size_t len = 0;
+ int len = 0;
for (; t[n].upn_suffixes[len] != NULL; len++);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index cf1b4f53e..0a98ff054 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -494,7 +494,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
l = len;
for (i = 0; i < count; i++) {
ret = snprintf(ap, l, "%s ", authinds[i]);
- if (ret <= 0 || ret > l) {
+ if (ret <= 0 || ret > (int) l) {
ret = ENOMEM;
goto cleanup;
}
@@ -2086,7 +2086,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
char *s = NULL;
size_t ai_size = 0;
int cnt = 0;
- int i = 0;
+ size_t i = 0;
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
if (ret) {
@@ -2467,7 +2467,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
{
krb5_error_code kerr;
LDAPMod *m = NULL;
- int i;
+ size_t i;
kerr = ipadb_mods_new(imods, &m);
if (kerr) {
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 4965e6d7f..6f21ef867 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -361,7 +361,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
}
if (ied->pol->max_fail == 0 ||
- client->fail_auth_count < ied->pol->max_fail) {
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
/* still within allowed failures range */
return 0;
}
--
2.29.2
From c7ce801b590e29263e9b1904995c603735007771 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:51:40 +0200
Subject: [PATCH] ipa-kdb: add missing prototypes
On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
about function prototypes missing. If -Werror is specified, this breaks
compilation.
We also default to -Werror=implicit-function-declaration
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++
daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++
3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index a89f8bbda..aa61a2d1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -14,6 +14,10 @@
#define ONE_DAY_SECONDS (24 * 60 * 60)
#define JITTER_WINDOW_SECONDS (1 * 60 * 60)
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
+ int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
static void
jitter(krb5_deltat baseline, krb5_deltat *lifetime_out)
{
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 9691b14f6..47b12a16f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2408,9 +2408,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
*mspac = NULL;
}
-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
- struct dom_sid **result_sids,
- int *result_length)
+static krb5_error_code
+ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+ struct dom_sid **result_sids,
+ int *result_length)
{
int len, i;
char **source;
@@ -2441,9 +2442,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
return 0;
}
-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
- char **sid_blocklist_incoming,
- char **sid_blocklist_outgoing)
+static krb5_error_code
+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+ char **sid_blocklist_incoming,
+ char **sid_blocklist_outgoing)
{
krb5_error_code kerr;
@@ -2464,7 +2466,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
return 0;
}
-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+static krb5_error_code
+ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
{
char *attrs[] = { NULL };
char *filter = "(objectclass=ipaNTTrustedDomain)";
@@ -2509,7 +2512,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
}
}
-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+static krb5_error_code
+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{
struct ipadb_adtrusts *t;
LDAP *lc = NULL;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
index d23a14a0b..8c8a3a001 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
int string_to_sid(const char *str, struct dom_sid *sid);
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
+krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
+ krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
+void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
+ bool *_with_pac, bool *_with_pad);
\ No newline at end of file
--
2.29.2
From f340baa4283c76957d9e0a85896c7fa3a994bba6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:52:15 +0200
Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
Add prototype to the exported function
Replace few tabs by spaces and mark static code as static.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index bc6b26578..3a3060c92 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
time_t valid_until;
};
-void ipa_certmap_debug(void *private,
- const char *file, long line,
- const char *function,
- const char *format, ...)
+krb5_error_code certauth_ipakdb_initvt(krb5_context context,
+ int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
+static void ipa_certmap_debug(void *private, const char *file, long line,
+ const char *function,
+ const char *format, ...)
{
va_list ap;
char str[255] = { 0 };
@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
* so there is nothing more to add here. */
auth_inds = calloc(2, sizeof(char *));
if (auth_inds != NULL) {
- ret = asprintf(&auth_inds[0], "pkinit");
- if (ret != -1) {
+ ret = asprintf(&auth_inds[0], "pkinit");
+ if (ret != -1) {
auth_inds[1] = NULL;
*authinds_out = auth_inds;
- } else {
- free(auth_inds);
+ } else {
+ free(auth_inds);
}
}
@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
size_t i = 0;
if ((authinds == NULL) || (moddata == NULL)) {
- return;
+ return;
}
for(i=0; authinds[i]; i++) {
- free(authinds[i]);
- authinds[i] = NULL;
+ free(authinds[i]);
+ authinds[i] = NULL;
}
free(authinds);
--
2.29.2
From 2968609fd9f8f91b704dc8167d39ecc67beb8ddd Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:55:41 +0200
Subject: [PATCH] ipa-kdb: mark test functions as static
No need to define missing prototypes to single use test functions.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 2a174ce6b..0b51ffb96 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -181,7 +181,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
krb5_data realm,
struct PAC_LOGON_INFO_CTR *info);
-void test_filter_logon_info(void **state)
+static void test_filter_logon_info(void **state)
{
krb5_error_code kerr;
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
@@ -316,10 +316,7 @@ void test_filter_logon_info(void **state)
}
-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
- bool *with_pac, bool *with_pad);
-
-void test_get_authz_data_types(void **state)
+static void test_get_authz_data_types(void **state)
{
bool with_pac;
bool with_pad;
@@ -437,7 +434,7 @@ void test_get_authz_data_types(void **state)
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
}
-void test_string_to_sid(void **state)
+static void test_string_to_sid(void **state)
{
int ret;
struct dom_sid sid;
@@ -469,7 +466,7 @@ void test_string_to_sid(void **state)
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
}
-void test_dom_sid_string(void **state)
+static void test_dom_sid_string(void **state)
{
struct test_ctx *test_ctx;
char *str_sid;
@@ -495,7 +492,7 @@ void test_dom_sid_string(void **state)
}
-void test_check_trusted_realms(void **state)
+static void test_check_trusted_realms(void **state)
{
struct test_ctx *test_ctx;
krb5_error_code kerr = 0;
--
2.29.2

64
SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
View File

@ -1,64 +0,0 @@
From 061e0b63ef3a72ba3261b42ec5f2ce290070c613 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 15 Mar 2021 16:55:08 +0100
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
(2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
ipaclient/install/client.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 0e478fa26..9bdfbddaf 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2205,7 +2205,7 @@ def install_check(options):
# available.
if options.conf_sudo:
try:
- subprocess.Popen(['sudo -V'])
+ subprocess.Popen(['sudo', '-V'])
except FileNotFoundError:
logger.info(
"The sudo binary does not seem to be present on this "
--
2.30.2
From 4b917833fdd62cce2fd72809fd5c963194efba3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 15 Mar 2021 17:00:05 +0100
Subject: [PATCH] ipatests: check for the "no sudo present" string absence
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
ipatests/test_integration/test_installation.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index a50a59f1a..a5ff17a0d 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1620,3 +1620,5 @@ class TestInstallWithoutSudo(IntegrationTest):
tasks.install_packages(self.clients[0], ['sudo'])
for pkg in ('sudo', 'libsss_sudo'):
assert tasks.is_package_installed(self.clients[0], pkg)
+ result = tasks.install_client(self.master, self.clients[0])
+ assert self.no_sudo_str not in result.stderr_text
--
2.30.2

37
SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch Normal file
View File

@ -0,0 +1,37 @@
From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 7 Sep 2021 17:06:53 +0200
Subject: [PATCH] migrate-ds: workaround to detect compat tree
Migrate-ds needs to check if compat tree is enabled before
migrating users and groups. The check is doing a base
search on cn=compat,$SUFFIX and considers the compat tree
enabled when the entry exists.
Due to a bug in slapi-nis, the base search may return NotFound
even though the compat tree is enabled. The workaround is to
perform a base search on cn=users,cn=compat,$SUFFIX instead.
Fixes: https://pagure.io/freeipa/issue/8984
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/migration.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index db5241915..6ee205fc8 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
# check whether the compat plugin is enabled
if not options.get('compat'):
try:
- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
+ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
+ (api.env.basedn)))
return dict(result={}, failed={}, enabled=True, compat=False)
except errors.NotFound:
pass
--
2.31.1

54
SOURCES/0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch
View File

@ -1,54 +0,0 @@
From 1aa3f7a7fd24c651aafde150351328148fd517be Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 6 May 2021 14:10:44 -0400
Subject: [PATCH] Only attempt to upgrade ACME configuration files if deployed
This can happen on upgrades from older deployments that lack
an ACME installation and don't meet the minimum requirements
to deploy one automatically.
Also don't consider missing ACME schema a total failure, just
log and skip it.
https://pagure.io/freeipa/issue/8832
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/server/upgrade.py | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index e60524084..75bf26b8e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1122,7 +1122,8 @@ def ca_upgrade_schema(ca):
acme_schema_ldif = path
break
else:
- raise RuntimeError('ACME schema file not found')
+ logger.info('ACME schema is not available')
+ return False
schema_files=[
'/usr/share/pki/server/conf/schema-certProfile.ldif',
@@ -1530,6 +1531,16 @@ def ca_update_acme_configuration(ca, fqdn):
"""
Re-apply the templates in case anyting has been updated.
"""
+ logger.info('[Updating ACME configuration]')
+ if not os.path.isdir(os.path.join(paths.PKI_TOMCAT, 'acme')):
+ logger.info('ACME is not deployed, skipping')
+ return
+
+ if not os.path.exists(paths.PKI_ACME_ISSUER_CONF):
+ logger.info('ACME configuration file %s is missing',
+ paths.PKI_ACME_ISSUER_CONF)
+ return
+
password = directivesetter.get_directive(
paths.PKI_ACME_ISSUER_CONF,
'password',
--
2.31.1

89
SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch Normal file
View File

@ -0,0 +1,89 @@
From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:03:21 +0530
Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
tree.
Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 2035ced56..e3a0d867e 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
# Run the command again after cache is removed
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
+ def test_basesearch_compat_tree(self):
+ """Test ldapsearch against compat tree is working
+
+ This to ensure that ldapsearch with base scope is not failing.
+
+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
+ """
+ tasks.kinit_admin(self.master)
+ base_dn = str(self.master.domain.basedn)
+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.31.1
From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:23:15 +0530
Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index e3a0d867e..4d9a81652 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
from ipaserver.install.installutils import realm_to_serverid
+from pkg_resources import parse_version
logger = logging.getLogger(__name__)
@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
"""
+ version = self.master.run_command(
+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
+ )
+ if tasks.get_platform(self.master) == "fedora" and parse_version(
+ version.stdout_text) <= parse_version("0.56.7"):
+ pytest.skip("Test requires slapi-nis with fix on fedora")
tasks.kinit_admin(self.master)
base_dn = str(self.master.domain.basedn)
base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
--
2.31.1

162
SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch Normal file
View File

@ -0,0 +1,162 @@
From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 9 Aug 2021 20:57:22 +0530
Subject: [PATCH] ipatests: Test unsecure nsupdate.
The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.
Related : https://pagure.io/freeipa/issue/8402
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../test_installation_client.py | 118 ++++++++++++++++++
1 file changed, 118 insertions(+)
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
index fa59a5255..014b0f6ab 100644
--- a/ipatests/test_integration/test_installation_client.py
+++ b/ipatests/test_integration/test_installation_client.py
@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
from __future__ import absolute_import
+import pytest
+import re
import shlex
+import textwrap
+from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration.firewall import Firewall
class TestInstallClient(IntegrationTest):
@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
extra_args=['--ssh-trust-dns'])
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
assert 'HostKeyAlgorithms' not in result.stdout_text
+
+
+class TestClientInstallBind(IntegrationTest):
+ """
+ The test configures an external bind server on the ipa-server
+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
+ When the IPA client is registered using ipa-client-install,
+ DNS records are added for the client in the bind server using nsupdate.
+ The first try is using GSS-TIG but fails as expected, and the client
+ installer then tries with unauthenticated nsupdate.
+ """
+
+ num_clients = 1
+
+ @classmethod
+ def install(cls, mh):
+ cls.client = cls.clients[0]
+
+ @pytest.fixture
+ def setup_bindserver(self):
+ bindserver = self.master
+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
+ # create a zone in the BIND server that is identical to the IPA
+ add_zone = textwrap.dedent("""
+ zone "{domain}" IN {{ type master;
+ file "{domain}.db"; allow-query {{ any; }};
+ allow-update {{ any; }}; }};
+ """).format(domain=bindserver.domain.name)
+
+ namedcfg = bindserver.get_file_contents(
+ paths.NAMED_CONF, encoding='utf-8')
+ namedcfg += '\n' + add_zone
+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
+
+ def update_contents(path, pattern, replace):
+ contents = bindserver.get_file_contents(path, encoding='utf-8')
+ namedcfg_query = re.sub(pattern, replace, contents)
+ bindserver.put_file_contents(path, namedcfg_query)
+
+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
+ "#listen-on port 53 { 127.0.0.1; };")
+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
+ "#listen-on-v6 port 53 { ::1; };")
+
+ add_records = textwrap.dedent("""
+ @ IN SOA {fqdn}. root.{domain}. (
+ 1001 ;Serial
+ 3H ;Refresh
+ 15M ;Retry
+ 1W ;Expire
+ 1D ;Minimum 1D
+ )
+ @ IN NS {fqdn}.
+ ns1 IN A {bindserverip}
+ _kerberos.{domain}. IN TXT {zoneupper}
+ {fqdn}. IN A {bindserverip}
+ ipa-ca.{domain}. IN A {bindserverip}
+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
+ """).format(
+ fqdn=bindserver.hostname,
+ domain=bindserver.domain.name,
+ bindserverip=bindserver.ip,
+ zoneupper=bindserver.domain.name.upper()
+ )
+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
+ bindserver.put_file_contents(bindserverdb, add_records)
+ bindserver.run_command(['systemctl', 'start', 'named'])
+ Firewall(bindserver).enable_services(["dns"])
+ yield
+ named_conf_backup.restore()
+ bindserver.run_command(['rm', '-rf', bindserverdb])
+
+ def test_client_nsupdate(self, setup_bindserver):
+ """Test secure nsupdate failed, then try unsecure nsupdate..
+
+ Test to verify when bind is configured with dynamic update policy,
+ and during client-install 'nsupdate -g' fails then it should run with
+ second call using unauthenticated nsupdate.
+
+ Related : https://pagure.io/freeipa/issue/8402
+ """
+ # with pre-configured bind server, install ipa-server without dns.
+ tasks.install_master(self.master, setup_dns=False)
+ self.client.resolver.backup()
+ self.client.resolver.setup_resolver(
+ self.master.ip, self.master.domain.name)
+ try:
+ self.client.run_command(['ipa-client-install', '-U',
+ '--domain', self.client.domain.name,
+ '--realm', self.client.domain.realm,
+ '-p', self.client.config.admin_name,
+ '-w', self.client.config.admin_password,
+ '--server', self.master.hostname])
+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
+ str1 = "nsupdate (GSS-TSIG) failed"
+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
+ client_log = self.client.get_file_contents(
+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
+ )
+ assert str1 in client_log and str2 in client_log
+ dig_after = self.client.run_command(
+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
+ '-t', 'SSHFP'])
+ assert "ANSWER: 0" not in dig_after.stdout_text.strip()
+ finally:
+ self.client.resolver.restore()
--
2.31.1

128
SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch Normal file
View File

@ -0,0 +1,128 @@
From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 9 Sep 2021 15:26:55 -0400
Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.
What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.
I'm not comfortable with simply treating them the same because
in LDAP they are not.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
ipapython/ipaldap.py | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index f94b784d6..ced8f1bd6 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
entry=None, exception=None):
# idnsname - caching prevents delete when mod value to None
# cospriority - in a Class of Service object, uncacheable
- # TODO - usercertificate was banned at one point and I don't remember
- # why...
- BANNED_ATTRS = {'idnsname', 'cospriority'}
+ # usercertificate* - caching subtypes is tricky, trade less
+ # complexity for performance
+ #
+ # TODO: teach the cache about subtypes
+
+ BANNED_ATTRS = {
+ 'idnsname',
+ 'cospriority',
+ 'usercertificate',
+ 'usercertificate;binary'
+ }
if not self._enable_cache:
return
--
2.31.1
From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 10 Sep 2021 09:01:48 -0400
Subject: [PATCH] ipatests: Test that a user can be issued multiple
certificates
Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 7d51b76ee..b4e85eadc 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -16,6 +16,7 @@ import string
import time
from ipaplatform.paths import paths
+from ipapython.dn import DN
from cryptography import x509
from cryptography.x509.oid import ExtensionOID
from cryptography.hazmat.backends import default_backend
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
)
assert "profile: caServerCert" in result.stdout_text
+ def test_multiple_user_certificates(self):
+ """Test that a user may be issued multiple certificates"""
+ ldap = self.master.ldap_connect()
+
+ user = 'user1'
+
+ tasks.kinit_admin(self.master)
+ tasks.user_add(self.master, user)
+
+ for id in (0,1):
+ csr_file = f'{id}.csr'
+ key_file = f'{id}.key'
+ cert_file = f'{id}.crt'
+ openssl_cmd = [
+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
+ self.master.run_command(openssl_cmd)
+
+ cmd_args = ['ipa', 'cert-request', '--principal', user,
+ '--certificate-out', cert_file, csr_file]
+ self.master.run_command(cmd_args)
+
+ # easier to count by pulling the LDAP entry
+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
+ ('cn', 'accounts'), self.master.domain.basedn))
+
+ assert len(entry.get('usercertificate')) == 2
+
@pytest.fixture
def test_subca_certs(self):
"""
--
2.31.1

16
SOURCES/freeipa-4.9.2.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmAqwW4ACgkQRxniuKu/
YhoqEw/+J2+fMEF4qYDnb6LPs0h/xbiMU+WG5SI0Ybcy6FUrCp2utFqO6N8r7K3J
k9WTcAXweqwEO5aP1fjvbQiIc55lQgN1rlJc+GtnBbPPKabrJB0xgx2VpP2MI8Jl
JRSAdSNvSghaR1v0MYL3ly7GPRLUrb1+Avln+eJIHRfAuUjf9j4MWh7VNDsSp7pQ
vMqz8OHEvSSRQYGKyJ5vQlcHRQNot2pZoWHVfEcRXMD6qn2N7yUU4o9wNOYvJMw8
YEyInE24D13UV33F9K5QrLEaJ7lpIwJ9lmhAFuZoDUC81s5aAmLtNzUWcdwlOSzk
tY4T+ucpq+0eH1gUiDm6bME7Uw87nc9KuNS3+Q+P2Y7RdUrrbLj8BIsz30VSk8n1
rH2DZo/1NOFwQ5qDN92QjTeGotqCjwK/j+uRB12HkRgOHkouoZjqwcYRfdxmBhKd
wk6BdDtvSP4voqqoeuZNCbeOKCYsqE2HlGZE9YiLbBAQs081Ir9Tajpn8sgMVURi
7kQN7Xq9/jEl7sQ14VkRMQP8A+rRkmLM1sW3vqhMFDSOyi+qQNnzAnR28qxDBXC3
4gG/yFGgqX7mSXsfvTVrjhcVEO6IsqkkPAcFR3Xivpy146LoONSlIGgtA8mGMIeO
Zd3awH4T8kAt3d9RBI+R34sZm//uKQgOKDrAx0VjekFkK0tj2qU=
=XC/f
-----END PGP SIGNATURE-----

16
SOURCES/freeipa-4.9.6.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
=TQFs
-----END PGP SIGNATURE-----

186
SPECS/ipa.spec
View File

@ -2,7 +2,7 @@
%bcond_without ipatests
# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml
# On RHEL 8 we should use --with ipa_join_xml
%bcond_without ipa_join_xml
%bcond_with ipa_join_xml
# Linting is disabled by default, needed for upstream testing
%bcond_with lint
@ -49,9 +49,9 @@
# lint is not executed during rpmbuild
# %%global with_lint 1
%if %{with lint}
%global linter_options --enable-pylint --with-jslint
%global linter_options --enable-pylint --without-jslint --enable-rpmlint
%else
%global linter_options --disable-pylint --without-jslint
%global linter_options --disable-pylint --without-jslint --disable-rpmlint
%endif
# Include SELinux subpackage
@ -73,10 +73,13 @@
%global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1
# python3-lib389
# Fix for "Installation fails: Replica Busy"
# https://pagure.io/389-ds-base/issue/49818
%global ds_version 1.4.2.4-6
%if 0%{?rhel} < 9
# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
%global ds_version 1.4.3.16-12
%else
%global ds_version 2.0.3-3
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775158
%global httpd_version 2.4.37-21
%global bind_version 9.11.20-6
@ -101,9 +104,13 @@
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
%global python_ldap_version 3.1.0-1
# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
# https://pagure.io/freeipa/issue/8515
%global ds_version 1.4.3
# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609
%if 0%{?fedora} < 34
%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])}
%else
%global ds_version 2.0.4-1
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775146
%global httpd_version 2.4.41-9
@ -126,13 +133,11 @@
%endif
%if 0%{?rhel} == 8
# PKIConnection has been modified to always validate certs.
# https://pagure.io/freeipa/issue/8379
%global pki_version 10.10.5-2
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
%global pki_version 10.10.5
%else
# New KRA profile, ACME support
# https://pagure.io/freeipa/issue/8545
%global pki_version 10.10.0-2
# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
%global pki_version 10.10.5
%endif
# RHEL 8.3+, F32+ has 0.79.13
@ -155,6 +160,16 @@
%global systemd_version 239
%endif
# augeas support for new chrony options
# see https://pagure.io/freeipa/issue/8676
# Note: will need to be updated for RHEL9 when a fix is available for
# https://bugzilla.redhat.com/show_bug.cgi?id=1931787
%if 0%{?fedora} >= 33
%global augeas_version 1.12.0-6
%else
%global augeas_version 1.12.0-3
%endif
%global plugin_dir %{_libdir}/dirsrv/plugins
%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa
@ -163,7 +178,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.2
%define IPA_VERSION 4.9.6
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
@ -176,7 +191,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 4%{?rc_version:.%rc_version}%{?dist}
Release: 6%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -196,23 +211,24 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8
Patch0001: 0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
Patch0002: 0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
Patch0003: 0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
Patch0004: 0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
Patch0005: 0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
Patch0006: 0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
Patch0007: 0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
Patch0008: 0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
Patch0009: 0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
Patch0010: 0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
Patch0011: 0011-Only-attempt-to-upgrade-ACME-configuration-files-if-_rhbz#1959984.patch
Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
Patch0006: 0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
Patch0007: 0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
Patch0008: 0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
Patch0009: 0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
# RHEL spec file only: END
# For the timestamp trick in patch application
BuildRequires: diffstat
@ -316,7 +332,10 @@ BuildRequires: python3-m2r
#
%if %{with lint}
BuildRequires: git
%if 0%{?fedora} < 34
# jsl is orphaned in Fedora 34+
BuildRequires: jsl
%endif
BuildRequires: nss-tools
BuildRequires: rpmlint
BuildRequires: softhsm
@ -348,12 +367,8 @@ BuildRequires: python3-polib
BuildRequires: python3-pyasn1
BuildRequires: python3-pyasn1-modules
BuildRequires: python3-pycodestyle
%if 0%{?fedora} || 0%{?rhel} > 8
# https://bugzilla.redhat.com/show_bug.cgi?id=1648299
BuildRequires: python3-pylint >= 2.1.1-2
%else
BuildRequires: python3-pylint >= 1.7
%endif
# .wheelconstraints.in limits pylint version in Azure and tox tests
BuildRequires: python3-pylint
BuildRequires: python3-pytest-multihost
BuildRequires: python3-pytest-sourceorder
BuildRequires: python3-qrcode-core >= 5.0.0
@ -440,7 +455,12 @@ Requires(pre): certmonger >= %{certmonger_version}
Requires(pre): 389-ds-base >= %{ds_version}
Requires: fontawesome-fonts
Requires: open-sans-fonts
%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
# https://pagure.io/freeipa/issue/8632
Requires: openssl > 1.1.1i
%else
Requires: openssl
%endif
Requires: softhsm >= 2.0.0rc1-1
Requires: p11-kit
Requires: %{etc_systemd_dir}
@ -492,6 +512,7 @@ Requires: %{name}-common = %{version}-%{release}
# we need pre-requires since earlier versions may break upgrade
Requires(pre): python3-ldap >= %{python_ldap_version}
Requires: python3-augeas
Requires: augeas-libs >= %{augeas_version}
Requires: python3-custodia >= 0.3.1
Requires: python3-dbus
Requires: python3-dns >= 1.15
@ -527,8 +548,8 @@ Requires: %{name}-client-common = %{version}-%{release}
Requires: httpd >= %{httpd_version}
Requires: systemd-units >= %{systemd_version}
Requires: custodia >= 0.3.1
%if 0%{?rhel} >= 8
Requires: redhat-logos-ipa >= 80.4
%if 0%{?rhel} >= 8 && ! 0%{?eln}
Requires: system-logos-ipa >= 80.4
%endif
Provides: %{alt_name}-server-common = %{version}
@ -582,6 +603,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: samba >= %{samba_version}
Requires: samba-winbind
Requires: sssd-winbind-idmap
Requires: libsss_idmap
%if 0%{?rhel}
Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
@ -646,6 +668,11 @@ Requires: nfs-utils
Requires: sssd-tools >= %{sssd_version}
Requires(post): policycoreutils
# https://pagure.io/freeipa/issue/8530
Recommends: libsss_sudo
Recommends: sudo
Requires: (libsss_sudo if sudo)
Provides: %{alt_name}-client = %{version}
Conflicts: %{alt_name}-client
Obsoletes: %{alt_name}-client < %{version}
@ -710,6 +737,7 @@ Requires: %{name}-client-common = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
Requires: python3-ipalib = %{version}-%{release}
Requires: python3-augeas
Requires: augeas-libs >= %{augeas_version}
Requires: python3-dns >= 1.15
Requires: python3-jinja2
@ -804,7 +832,7 @@ Requires: python3-requests
Requires: python3-six
Requires: python3-sss-murmur
Requires: python3-yubico >= 1.3.2-7
%if 0%{?rhel} && 0%{?rhel} >= 8
%if 0%{?rhel} && 0%{?rhel} == 8
Requires: platform-python-setuptools
%else
Requires: python3-setuptools
@ -1681,20 +1709,76 @@ fi
%changelog
* Wed May 26 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-4
- Only attempt to upgrade ACME configuration files if deployed
Resolves: RHBZ#1959984
* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
- Don't store entries with a usercertificate in the LDAP cache
Resolves: RHBZ#1999893
* Fri Mar 19 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-3
- ipa-client-install displays false message
'sudo binary does not seem to be present on this system'
Resolves: RHBZ#1939371
* Mon Sep 13 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-5
- Catch and log errors when adding CA profiles
Resolves: RHBZ#1999142
- selinux policy: allow custodia to access /proc/cpuinfo
Resolves: RHBZ#1998129
- extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
Resolves: RHBZ#2000263
- ipa migrate-ds command fails to warn when compat plugin is enabled
Resolves: RHBZ#1999992
- Backport latest test fixes in python3-ipatests
Resolves: RHBZ#2000553
* Thu Mar 4 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-2
- Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch
Resolves: RHBZ#1932289
- Fix krb5kdc is crashing intermittently on IPA server
Resolves: RHBZ#1932784
* Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
Resolves: RHBZ#1982956
* Thu Jul 15 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-3
- man page: update ipa-server-upgrade.1
Resolves: RHBZ#1973273
- Fall back to krbprincipalname when validating host auth indicators
Resolves: RHBZ#1979625
- Add dependency for sssd-winbind-idmap to server-trust-ad
Resolves: RHBZ#1982211
* Thu Jul 8 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-2
- IPA server in debug mode fails to run because time.perf_counter_ns is
Python 3.7+
Resolves: RHBZ#1974822
- Add checks to prevent assigning authentication indicators to internal IPA
services
Resolves: RHBZ#1979625
- Unable to set ipaUserAuthType with stageuser-add
Resolves: RHBZ#1979605
* Thu Jul 1 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-1
- Upstream release FreeIPA 4.9.6
Related: RHBZ#1945038
- Revise PKINIT upgrade code
Resolves: RHBZ#1886837
- ipa-cert-fix man page: add note about certmonger renewal
Resolves: RHBZ#1780317
- Certificate Serial Number issue
Resolves: RHBZ#1919384
* Mon Jun 14 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.5-1
- Upstream release FreeIPA 4.9.5
Related: RHBZ#1945038
- IPA to allow setting a new range type
Resolves: RHBZ#1688267
- ipa-server-install displays debug output when --debug output is not
specified.
Resolves: RHBZ#1943151
- ACME fails to generate a cert on migrated RHEL8.4 server
Resolves: RHBZ#1934991
- Switch ipa-client to use the JSON API
Resolves: RHBZ#1937856
- IDM - Allow specifying permanent logging settings for BIND
Resolves: RHBZ#1951511
- Cache LDAP data within a request
Resolves: RHBZ#1953656
- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4
Resolves: RHBZ#1957768
* Wed Mar 31 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.3-1
- Upstream release FreeIPA 4.9.3
Resolves: RHBZ#1945038
* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
- Upstream release FreeIPA 4.9.2