diff --git a/0023-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch b/0023-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch
new file mode 100644
index 0000000..e739ecc
--- /dev/null
+++ b/0023-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch
@@ -0,0 +1,50 @@
+From de940802bb6631fbbc97afd11869d87cba18f47f Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 17 Jul 2024 18:32:37 +0200
+Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_version_option
+
+The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::
+test_ipa_migrate_version_option is now passing, issue has been fixed.
+The -V option has been removed.
+
+Related: https://pagure.io/freeipa/issue/9620
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Sudhir Menon
+---
+ ipatests/test_integration/test_ipa_ipa_migration.py | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
+index 7e2d4a34216f6cf168f15dda10ce10538a3c3cb9..9aa8a9f32071f122ebb247ba8a1aff041e4fd49a 100644
+--- a/ipatests/test_integration/test_ipa_ipa_migration.py
++++ b/ipatests/test_integration/test_ipa_ipa_migration.py
+@@ -846,20 +846,18 @@ class TestIPAMigrateScenario1(IntegrationTest):
+ assert DNS_LOG2 in install_msg
+ assert DNS_LOG3 in install_msg
+
+- @pytest.mark.xfail(reason="https://issues.redhat.com/browse/RHEL-46003",
+- strict=True)
+ def test_ipa_migrate_version_option(self):
+ """
+- This testcase checks the version of
+- the ipa-migrate tool using -v option
++ The -V option has been removed.
+ """
+ CONSOLE_LOG = (
+ "ipa-migrate: error: the following arguments are "
+ "required: mode, hostname"
+ )
+- result = self.master.run_command(["ipa-migrate", "-V"])
+- assert result.returncode == 0
+- assert CONSOLE_LOG not in result.stderr_text
++ result = self.master.run_command(["ipa-migrate", "-V"],
++ raiseonerr=False)
++ assert result.returncode == 2
++ assert CONSOLE_LOG in result.stderr_text
+
+ def test_ipa_migrate_with_log_file_option(self):
+ """
+--
+2.45.2
+
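Review bot: The rewritten docstring `The -V option has been removed.` describes history rather than what `test_ipa_migrate_version_option` now asserts, which is that `ipa-migrate -V` exits with returncode 2 and the argparse missing-arguments text held in `CONSOLE_LOG`. Suggest `"""Check that ipa-migrate rejects the removed -V option with a usage error (exit 2)."""`, plus a one-line comment on `CONSOLE_LOG` noting that it pins argparse's wording for missing positionals, so a future argparse change is recognised as the cause rather than read as a regression in the tool. The test name can stay to preserve its history. The enclosing class `TestIPAMigrateScenario1` continues outside the hunk.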
diff --git a/0024-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch b/0024-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch
new file mode 100644
index 0000000..6fcb38f
--- /dev/null
+++ b/0024-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch
@@ -0,0 +1,33 @@
+From 6eb6a929308c2916df9aed2da9ee6ef9d98e2438 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 17 Jul 2024 18:36:24 +0200
+Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_stage_mode
+
+The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1
+::test_ipa_migrate_stage_mode is now passing, the issue has been fixed.
+
+Related: https://pagure.io/freeipa/issue/9621
+
+Signed-off-by: Florence Blanc-Renaud
+Reviewed-By: Sudhir Menon
+---
+ ipatests/test_integration/test_ipa_ipa_migration.py | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
+index 9aa8a9f32071f122ebb247ba8a1aff041e4fd49a..a516941047315e07407b8063a7010526d384ab3b 100644
+--- a/ipatests/test_integration/test_ipa_ipa_migration.py
++++ b/ipatests/test_integration/test_ipa_ipa_migration.py
+@@ -600,9 +600,6 @@ class TestIPAMigrateScenario1(IntegrationTest):
+ )
+ assert SCHEMA_OVERRIDE_LOG in install_msg
+
+- @pytest.mark.xfail(
+- reason="https://issues.redhat.com/browse/RHEL-45463", strict=True
+- )
+ def test_ipa_migrate_stage_mode(self, empty_log_file):
+ """
+ This test checks that ipa-migrate is successful
+--
+2.45.2
+
diff --git a/0025-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch b/0025-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch
new file mode 100644
index 0000000..df99768
--- /dev/null
+++ b/0025-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch
@@ -0,0 +1,26 @@
+From d1a485a435ea9dba7587d1998451a09d3aa4077b Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 17 Jul 2024 15:45:06 +0200
+Subject: [PATCH] Unconditionally add MS-PAC to global config on update
+
+Fixes: https://pagure.io/freeipa/issue/9632
+
+Signed-off-by: Julien Rische
+Reviewed-By: Florence Blanc-Renaud
+---
+ install/updates/60-trusts.update | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
+index 56e392044a2fae97ab2f26d8afcffa6a872d41c8..b2fdccae74accf934c9f9e7d83fe63459c1e48b4 100644
+--- a/install/updates/60-trusts.update
++++ b/install/updates/60-trusts.update
+@@ -54,4 +54,4 @@ add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$
+
+ # Add the default PAC type to configuration
+ dn: cn=ipaConfig,cn=etc,$SUFFIX
+-addifnew: ipaKrbAuthzData: MS-PAC
++add: ipaKrbAuthzData: MS-PAC
+--
+2.45.2
+
diff --git a/0026-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch b/0026-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch
new file mode 100644
index 0000000..2779117
--- /dev/null
+++ b/0026-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch
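Review bot: The switch from `addifnew` to `add` on `ipaKrbAuthzData: MS-PAC` is not explained in 60-trusts.update, and the surviving comment `# Add the default PAC type to configuration` no longer says why the add must be unconditional, so the next editor may "fix" it back for idempotence. Suggest replacing the comment with `# Always add MS-PAC to ipaKrbAuthzData, even when the attribute already holds other values (https://pagure.io/freeipa/issue/9632)`, assuming that is the case the change is for. Whether `add` tolerates an already-present value on a second `ipa-server-upgrade` run depends on the update framework and is not visible here; worth confirming, since this file runs on every upgrade.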
@@ -0,0 +1,26 @@
+From 9f88188204e443dd5d1d22ebe65b947452558f66 Mon Sep 17 00:00:00 2001
+From: Julien Rische
+Date: Wed, 17 Jul 2024 15:47:33 +0200
+Subject: [PATCH] Remove RC4 and 3DES default encryption types on update
+
+Fixes: https://pagure.io/freeipa/issue/9633
+
+Signed-off-by: Julien Rische
+Reviewed-By: Florence Blanc-Renaud
+---
+ install/updates/50-krbenctypes.update | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update
+index 1058a92d8f5a4971e9ecab52506981b8e470ff77..1bf2bf33a6566586639767771dff501d91a03508 100644
+--- a/install/updates/50-krbenctypes.update
++++ b/install/updates/50-krbenctypes.update
+@@ -7,3 +7,5 @@ add: krbSupportedEncSaltTypes: aes128-sha2:normal
+ add: krbSupportedEncSaltTypes: aes128-sha2:special
+ add: krbSupportedEncSaltTypes: aes256-sha2:normal
+ add: krbSupportedEncSaltTypes: aes256-sha2:special
++remove: krbDefaultEncSaltTypes: des3-hmac-sha1:special
++remove: krbDefaultEncSaltTypes: arcfour-hmac:special
+--
+2.45.2
+
diff --git a/0027-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch b/0027-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch
new file mode 100644
index 0000000..b01086d
--- /dev/null
+++ b/0027-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch
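Review bot: The two new `remove: krbDefaultEncSaltTypes` lines drop des3-hmac-sha1 and arcfour-hmac from the default key types, but 50-krbenctypes.update gives no rationale, and `krbSupportedEncSaltTypes` is untouched in the hunk, so principals that already hold 3DES or RC4 keys presumably keep using them until they are rekeyed — an operator reading this file could easily conclude the weak enctypes are now disabled. Suggest a comment above the new lines: `# Drop 3DES and RC4 from the defaults used for newly created keys; existing keys are not rekeyed by this update (https://pagure.io/freeipa/issue/9633)`. If the intent is also to stop accepting these enctypes, a matching `remove` on krbSupportedEncSaltTypes would be needed, which is outside this change.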
@@ -0,0 +1,33 @@
+From fdd471d55c73503456683b1dea55769700730b16 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Thu, 18 Jul 2024 13:40:28 -0400
+Subject: [PATCH] Fix a copy/paste issue when detecting the HSM SELinux
+ subpackage
+
+I made a mistake when trying to detect which HSM is being used
+to ensure that the appropriate SELinux subpackage is installed.
+
+Fixes: https://pagure.io/freeipa/issue/9636
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/ca.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
+index b8155d9965712dbce4076e9d73d6712135309ce2..e57dc47587fa0e0a6dbbe7511784af065560d782 100644
+--- a/ipaserver/install/ca.py
++++ b/ipaserver/install/ca.py
+@@ -265,7 +265,7 @@ def hsm_validator(token_name, token_library, token_password):
+ if 'nfast' in token_library:
+ module = 'ipa-selinux-nfast'
+ elif 'luna' in token_library:
+- module = 'ipa-selinux-nfast'
++ module = 'ipa-selinux-luna'
+ else:
+ module = None
+ if module:
+--
+2.45.2
+
diff --git a/0028-ipa-migrate-properly-handle-invalid-certificates.patch b/0028-ipa-migrate-properly-handle-invalid-certificates.patch
new file mode 100644
index 0000000..79ac9d3
--- /dev/null
+++ b/0028-ipa-migrate-properly-handle-invalid-certificates.patch
@@ -0,0 +1,36 @@
+From 0e4fbc3b0d15fd219d831b0b49f5312894448206 Mon Sep 17 00:00:00 2001
+From: Mark Reynolds
+Date: Mon, 29 Jul 2024 09:58:30 -0400
+Subject: [PATCH] ipa-migrate - properly handle invalid certificates
+
+A ValueError is raised when an invalid certificate is used, so the tool
+should handle this properly and not produce a stack trace.
+
+Fixes: https://pagure.io/freeipa/issue/9642
+
+Signed-off-by: Mark Reynolds
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/install/ipa_migrate.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
+index 20f59f84db21022b66c0aa1ffd696d99aef85a44..e21937401b3463335d8297b41a403405071d3795 100644
+--- a/ipaserver/install/ipa_migrate.py
++++ b/ipaserver/install/ipa_migrate.py
+@@ -761,6 +761,12 @@ class IPAMigrate():
+ try:
+ ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
+ start_tls=True)
++ except ValueError:
++ # Most likely invalid certificate
++ self.handle_error(
++ "Failed to connect to remote server: "
++ "CA certificate is invalid"
++ )
+ except (
+ ldap.LDAPError,
+ errors.NetworkError,
+--
+2.45.2
+
diff --git a/0029-ipatests-Fix-usage-of-token_password_file.patch b/0029-ipatests-Fix-usage-of-token_password_file.patch
new file mode 100644
index 0000000..1c5762c
--- /dev/null
+++ b/0029-ipatests-Fix-usage-of-token_password_file.patch
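Review bot: The new `except ValueError:` branch in `IPAMigrate` maps every ValueError raised by the `LDAPClient(...)` constructor to `CA certificate is invalid`, but the exception text is discarded, so a ValueError with a different cause (a malformed `ldapuri`, for example) yields the same message and nothing in the output to tell the cases apart — the comment `# Most likely invalid certificate` already concedes the guess. Suggest `except ValueError as e:` and `"Failed to connect to remote server: CA certificate is invalid (%s)" % e`, which keeps the shared prefix for anything matching on it and preserves the underlying reason. What `self.handle_error` does afterwards is not visible here; if it returns instead of exiting, `ds_conn` is unbound for the code after the hunk. The enclosing method continues outside the hunk.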
@@ -0,0 +1,73 @@ +From f03a96a7b914eb5130552cea626fd28e26b2108d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 15 Jul 2024 10:21:28 -0400 +Subject: [PATCH] ipatests: Fix usage of token_password_file + +There were a few hardcoded places where it was set to +/tmp/token_passwd instead of using the class variable. + +Don't rely on previous running tests installing the token +password file so they can be run individually. + +Fixes: https://pagure.io/freeipa/issue/9603 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_hsm.py | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py +index 3a33c3bda6d072aa16e361b04ac2d668902bb0e9..64305460a5150dfc28a4ab378ac72cd38987184c 100644 +--- a/ipatests/test_integration/test_hsm.py ++++ b/ipatests/test_integration/test_hsm.py +@@ -173,6 +173,9 @@ class BaseHSMTest(IntegrationTest): + cls.master.run_command(['usermod', 'pkiuser', '-a', '-G', 'ods']) + + cls.token_name, cls.token_password = get_hsm_token(cls.master) ++ cls.master.put_file_contents( ++ cls.token_password_file, cls.token_password ++ ) + tasks.install_master( + cls.master, setup_dns=cls.master_with_dns, + setup_kra=cls.master_with_kra, +@@ -220,10 +223,6 @@ class TestHSMInstall(BaseHSMTest): + + def test_hsm_install_replica0_ca_less_install(self): + check_version(self.master) +- +- self.master.put_file_contents( +- self.token_password_file, self.token_password +- ) + tasks.install_replica( + self.master, self.replicas[0], setup_ca=False, + setup_dns=True, +@@ -412,7 +411,7 @@ class TestHSMcertRenewal(BaseHSMTest): + cert = tasks.certutil_fetch_cert( + self.master, + paths.PKI_TOMCAT_ALIAS_DIR, +- '/tmp/token_passwd', ++ self.token_password_file, + nickname, + token_name=self.token_name, + ) +@@ -428,13 +427,14 @@ class TestHSMcertRenewal(BaseHSMTest): + status = tasks.wait_for_request(self.master, 
request_id[0], 120) + assert status == "MONITORING" + +- args = ['-L', '-h', self.token_name, '-f', '/tmp/token_passwd'] ++ args = ['-L', '-h', self.token_name, '-f', ++ self.token_password_file,] + tasks.run_certutil(self.master, args, paths.PKI_TOMCAT_ALIAS_DIR) + + cert = tasks.certutil_fetch_cert( + self.master, + paths.PKI_TOMCAT_ALIAS_DIR, +- '/tmp/token_passwd', ++ self.token_password_file, + nickname, + token_name=self.token_name, + ) +-- +2.45.2 + diff --git a/0030-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch b/0030-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch new file mode 100644 index 0000000..596f784 --- /dev/null +++ b/0030-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch 
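Review bot: `BaseHSMTest.install` now writes the token password with `cls.master.put_file_contents(cls.token_password_file, cls.token_password)`, but no matching removal appears in the hunk, so the cleartext token PIN stays on the master after the class finishes; whether `put_file_contents` restricts the file mode is not visible here, so confirm it is not world-readable and delete it in the class teardown. Minor style: the new `args = ['-L', '-h', self.token_name, '-f', self.token_password_file,]` carries a stray trailing comma before `]`; `self.token_password_file]` reads cleaner. The `install` classmethod starts outside the hunk.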
@@ -0,0 +1,175 @@ +From 38b83c2b9329b8b16096d63e83f186c91d578ce8 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Wed, 10 Jul 2024 16:14:46 -0400 +Subject: [PATCH] Run HSM validation as pkiuser to verify token permissions + +Run all commands as pkiuser when validating that the HSM token +is available, that the token library path is correct and that +the password can read keys. This will avoid issues where the +initial validation is ok but the pkiuser is not granted read +access to some part of the token. This is very possible +when using softhsm2. + +Fixes: https://pagure.io/freeipa/issue/9626 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/ca.py | 20 ++++++++-- + ipatests/test_integration/test_hsm.py | 57 +++++++++++++++++++++++++++ + 2 files changed, 74 insertions(+), 3 deletions(-) + +diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py +index e57dc47587fa0e0a6dbbe7511784af065560d782..9ff91b9cc42673138eee6fa8e0eb46b323be8b1d 100644 +--- a/ipaserver/install/ca.py ++++ b/ipaserver/install/ca.py +@@ -18,6 +18,7 @@ import six + from ipalib.constants import IPA_CA_CN + from ipalib.install import certstore + from ipalib.install.service import enroll_only, master_install_only, replica_install_only ++from ipaplatform.constants import constants + from ipaserver.install import sysupgrade + from ipapython.install import typing + from ipapython.install.core import group, knob, extend_knob +@@ -208,8 +209,15 @@ def hsm_validator(token_name, token_library, token_password): + raise ValueError( + "Token library path '%s' does not exist" % token_library + ) ++ pkiuser = constants.PKI_USER ++ pkigroup = constants.PKI_GROUP ++ if 'libsofthsm' in token_library: ++ import grp ++ group = grp.getgrnam(constants.ODS_GROUP) ++ if str(constants.PKI_USER) in group.gr_mem: ++ pkigroup = constants.ODS_GROUP + with certdb.NSSDatabase() as tempnssdb: +- tempnssdb.create_db() ++ tempnssdb.create_db(user=str(pkiuser), 
group=str(pkigroup)) + # Try adding the token library to the temporary database in + # case it isn't already available. Ignore all errors. + command = [ +@@ -223,6 +231,7 @@ def hsm_validator(token_name, token_library, token_password): + # It may fail if p11-kit has already registered the library, that's + # ok. + ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir, ++ runas=pkiuser, suplementary_groups=[pkigroup], + raiseonerr=False) + + command = [ +@@ -232,7 +241,8 @@ def hsm_validator(token_name, token_library, token_password): + '-force' + ] + lines = ipautil.run( +- command, cwd=tempnssdb.secdir, capture_output=True).output ++ command, cwd=tempnssdb.secdir, capture_output=True, ++ runas=pkiuser, suplementary_groups=[pkigroup]).output + found = False + token_line = f'token: {token_name}' + for line in lines.split('\n'): +@@ -241,9 +251,11 @@ def hsm_validator(token_name, token_library, token_password): + break + if not found: + raise ValueError( +- "Token named '%s' was not found" % token_name ++ "Token named '%s' was not found. 
Check permissions" ++ % token_name + ) + pwdfile = ipautil.write_tmp_file(token_password) ++ os.fchown(pwdfile.fileno(), pkiuser.uid, pkigroup.gid) + args = [ + paths.CERTUTIL, + "-d", '{}:{}'.format(tempnssdb.dbtype, tempnssdb.secdir), +@@ -252,6 +264,8 @@ def hsm_validator(token_name, token_library, token_password): + "-f", pwdfile.name, + ] + result = ipautil.run(args, cwd=tempnssdb.secdir, ++ runas=pkiuser, ++ suplementary_groups=[pkigroup], + capture_error=True, raiseonerr=False) + if result.returncode != 0 and len(result.error_output): + if 'SEC_ERROR_BAD_PASSWORD' in result.error_output: +diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py +index 64305460a5150dfc28a4ab378ac72cd38987184c..974820fc7363b77fd5fdecc7cf0efca412f3af42 100644 +--- a/ipatests/test_integration/test_hsm.py ++++ b/ipatests/test_integration/test_hsm.py +@@ -833,6 +833,13 @@ class TestHSMNegative(IntegrationTest): + + cls.token_name, cls.token_password = get_hsm_token(cls.master) + ++ @classmethod ++ def uninstall(cls, mh): ++ cls.master.run_command( ++ ['softhsm2-util', '--delete-token', '--token', cls.token_name], ++ raiseonerr=False ++ ) ++ + def test_hsm_negative_wrong_token_details(self): + check_version(self.master) + # wrong token name +@@ -868,6 +875,51 @@ class TestHSMNegative(IntegrationTest): + ) + assert result.returncode != 0 + ++ def test_hsm_negative_bad_token_dir_permissions(self): ++ """Create an unreadable softhsm2 token and install should fail. ++ ++ This is most often seen on replicas where the pkiuser is not ++ a member of the ods group. 
++ """ ++ check_version(self.master) ++ token_name = 'bad_perms' ++ token_passwd = 'Secret123' ++ self.master.run_command( ++ ['softhsm2-util', '--delete-token', '--token', token_name], ++ raiseonerr=False ++ ) ++ self.master.run_command( ++ ['usermod', 'pkiuser', '-a', '-G', 'ods'] ++ ) ++ self.master.run_command( ++ ['softhsm2-util', '--init-token', ++ '--free', '--pin', token_passwd, '--so-pin', token_passwd, ++ '--label', token_name] ++ ) ++ self.master.run_command( ++ ['usermod', 'pkiuser', '-r', '-G', 'ods'] ++ ) ++ result = tasks.install_master( ++ self.master, raiseonerr=False, ++ extra_args=( ++ '--token-name', token_name, ++ '--token-library-path', hsm_lib_path, ++ '--token-password', token_passwd ++ ) ++ ) ++ self.master.run_command( ++ ['usermod', 'pkiuser', '-a', '-G', 'ods'] ++ ) ++ self.master.run_command( ++ ['softhsm2-util', '--delete-token', '--token', token_name], ++ raiseonerr=False ++ ) ++ assert result.returncode != 0 ++ assert ( ++ f"Token named '{token_name}' was not found" ++ in result.stderr_text ++ ) ++ + def test_hsm_negative_special_char_token_name(self): + check_version(self.master) + token_name = 'hsm:token' +@@ -912,6 +964,11 @@ class TestHSMNegative(IntegrationTest): + '--token-password-file', self.token_password_file + ) + ) ++ self.master.run_command( ++ ['softhsm2-util', '--delete-token', '--token', self.token_name], ++ raiseonerr=False ++ ) ++ # assert 'error message non existing token lib' in result.stderr_text + assert result.returncode != 0 + + +-- +2.45.2 + diff --git a/0031-Replica-CA-installation-ignore-time-skew-during-init.patch b/0031-Replica-CA-installation-ignore-time-skew-during-init.patch new file mode 100644 index 0000000..9786576 --- /dev/null +++ b/0031-Replica-CA-installation-ignore-time-skew-during-init.patch 
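Review bot: In `hsm_validator`, the new `group = grp.getgrnam(constants.ODS_GROUP)` shadows the `group` decorator imported from `ipapython.install.core` in the same file (visible in the first hunk's context), and `grp.getgrnam` raises KeyError when the ods group does not exist on the host, which would surface as an uncaught KeyError instead of the ValueError the rest of the validator raises. Suggest a local name such as `ods_members`, catching KeyError and keeping PKI_GROUP so the later token lookup reports the problem as `Token named '…' was not found. Check permissions`, and passing `str(constants.ODS_GROUP)` for consistency with the `str(constants.PKI_USER)` comparison on the next line. The `os.fchown` of `pwdfile` hands the cleartext token password to pkiuser, which is fine as long as `write_tmp_file` keeps the file at mode 0600 — not visible here, worth a comment. In the test hunk, the commented-out `# assert 'error message non existing token lib' in result.stderr_text` in `TestHSMNegative` is dead code (assert on the real message or drop it), and the `usermod ... -r -G ods` / re-add sequence in `test_hsm_negative_bad_token_dir_permissions` is not in a `try/finally`, so a failure mid-test leaves pkiuser outside the ods group for later tests. `hsm_validator` starts and ends outside the hunk.
```python
    pkiuser = constants.PKI_USER
    pkigroup = constants.PKI_GROUP
    if 'libsofthsm' in token_library:
        import grp
        try:
            ods_members = grp.getgrnam(str(constants.ODS_GROUP)).gr_mem
        except KeyError:
            # no ods group on this host: keep PKI_GROUP and let the
            # token lookup below report the permission problem
            ods_members = []
        if str(constants.PKI_USER) in ods_members:
            pkigroup = constants.ODS_GROUP
    # … unchanged: NSSDatabase setup and token checks …
```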
@@ -0,0 +1,163 @@ +From aadb8051d4a3172aac3790f47ff4d241a245bab4 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 18 Jul 2024 12:57:36 +0200 +Subject: [PATCH] Replica CA installation: ignore time skew during initial + replication + +During a replica CA installation, the initial replication step may fail +if there is too much time skew between the server and replica. + +The replica installer already takes care of this for the replication of +the domain suffix but the replica CA installer does not set +nssldapd-ignore-time-skew to on for o=ipaca suffix. + +During a replica CA installation, read the initial value of +nssldapd-ignore-time-skew, force it to on, start replication and +revert to the initial value. + +Apply the same logic to dsinstance and ipa-replica-manage force-sync. + +Fixes: https://pagure.io/freeipa/issue/9635 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + install/share/Makefile.am | 1 - + install/share/replica-prevent-time-skew.ldif | 4 ---- + install/tools/ipa-replica-manage.in | 4 ++-- + ipaserver/install/cainstance.py | 4 ++++ + ipaserver/install/dsinstance.py | 14 ++--------- + ipaserver/install/service.py | 25 ++++++++++++++++++++ + 6 files changed, 33 insertions(+), 19 deletions(-) + delete mode 100644 install/share/replica-prevent-time-skew.ldif + +diff --git a/install/share/Makefile.am b/install/share/Makefile.am +index e0fe4b7d1756bd05f060a92ab52f910b4bd3adc8..4029297b76cc2f30dc9eab606e5670667978dd27 100644 +--- a/install/share/Makefile.am ++++ b/install/share/Makefile.am +@@ -38,7 +38,6 @@ dist_app_DATA = \ + default-trust-view.ldif \ + delegation.ldif \ + replica-acis.ldif \ +- replica-prevent-time-skew.ldif \ + ds-nfiles.ldif \ + ds-ipa-env.conf.template \ + dns.ldif \ +diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif +deleted file mode 100644 +index 5d301feddb56347f3b35be89edaae1a7d91e07de..0000000000000000000000000000000000000000 +--- 
a/install/share/replica-prevent-time-skew.ldif ++++ /dev/null +@@ -1,4 +0,0 @@ +-dn: cn=config +-changetype: modify +-replace: nsslapd-ignore-time-skew +-nsslapd-ignore-time-skew: $SKEWVALUE +diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in +index 56145cb8a2249f8c5279d9baec4f34f274990bcf..d6e6ef57c39af70f164d41662227af3dc2535f9c 100644 +--- a/install/tools/ipa-replica-manage.in ++++ b/install/tools/ipa-replica-manage.in +@@ -1262,12 +1262,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False): + repl.force_sync(repl.conn, fromhost) + else: + ds = dsinstance.DsInstance(realm_name=realm) +- ds.replica_manage_time_skew(prevent=False) ++ ds.replica_ignore_initial_time_skew() + repl = replication.ReplicationManager(realm, fromhost, dirman_passwd) + repl.force_sync(repl.conn, thishost) + agreement = repl.get_replication_agreement(thishost) + repl.wait_for_repl_update(repl.conn, agreement.dn) +- ds.replica_manage_time_skew(prevent=True) ++ ds.replica_revert_time_skew() + + def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False, + nolookup=False): +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index b4b86024899bc6532f1123503cec63be9435f55b..5dac2c0441752e7bb569cde1fc93bc17c3128cdf 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -416,7 +416,11 @@ class CAInstance(DogtagInstance): + if promote: + # Setup Database + self.step("creating certificate server db", self.__create_ds_db) ++ self.step("ignore time skew for initial replication", ++ self.replica_ignore_initial_time_skew) + self.step("setting up initial replication", self.__setup_replication) ++ self.step("revert time skew after initial replication", ++ self.replica_revert_time_skew) + self.step("creating ACIs for admin", self.add_ipaca_aci) + self.step("creating installation admin user", self.setup_admin) + self.step("configuring certificate server instance", +diff 
--git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index 88984d0219033717cefd28d6170535b6c859330f..dab58e42661f500e7aca0e8311e93d421567b8c8 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -387,11 +387,11 @@ class DsInstance(service.Service): + # This helps with initial replication or force-sync because + # the receiving side has no valuable changes itself yet. + self.step("ignore time skew for initial replication", +- self.__replica_ignore_initial_time_skew) ++ self.replica_ignore_initial_time_skew) + + self.step("setting up initial replication", self.__setup_replica) + self.step("prevent time skew after initial replication", +- self.replica_manage_time_skew) ++ self.replica_revert_time_skew) + self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) + self.step("updating schema", self.__update_schema) + # See LDIFs for automember configuration during replica install +@@ -997,16 +997,6 @@ class DsInstance(service.Service): + def __add_replication_acis(self): + self._ldap_mod("replica-acis.ldif", self.sub_dict) + +- def __replica_ignore_initial_time_skew(self): +- self.replica_manage_time_skew(prevent=False) +- +- def replica_manage_time_skew(self, prevent=True): +- if prevent: +- self.sub_dict['SKEWVALUE'] = 'off' +- else: +- self.sub_dict['SKEWVALUE'] = 'on' +- self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict) +- + def __setup_s4u2proxy(self): + + def __add_principal(last_cn, principal, self): +diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py +index 4c366a184ffdc26aaf7b546af9e4de8b43b7be41..cf0f64ab9794111761adf735bc488269bd1814fc 100644 +--- a/ipaserver/install/service.py ++++ b/ipaserver/install/service.py +@@ -862,6 +862,31 @@ class Service: + self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) + self.set_keytab_owner() + ++ def replica_ignore_initial_time_skew(self): ++ """ ++ Set nsslapd-ignore-time-skew = on if 
not already set ++ and store the initial value in order to restore it later. ++ ++ The on value allows replica initialization even if there ++ are excessive time skews. ++ """ ++ dn = DN(('cn', 'config')) ++ entry_attrs = api.Backend.ldap2.get_entry(dn) ++ self.original_time_skew = entry_attrs['nsslapd-ignore-time-skew'][0] ++ if self.original_time_skew != 'on': ++ entry_attrs['nsslapd-ignore-time-skew'] = 'on' ++ api.Backend.ldap2.update_entry(entry_attrs) ++ ++ def replica_revert_time_skew(self): ++ """ ++ Revert nsslapd-ignore-time-skew to its previous value. ++ """ ++ dn = DN(('cn', 'config')) ++ entry_attrs = api.Backend.ldap2.get_entry(dn) ++ if self.original_time_skew != 'on': ++ entry_attrs['nsslapd-ignore-time-skew'] = self.original_time_skew ++ api.Backend.ldap2.update_entry(entry_attrs) ++ + + class SimpleServiceInstance(Service): + def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None, +-- +2.45.2 + diff --git a/0032-Log-errors-reported-by-adtrustinstance.check_inst-us.patch b/0032-Log-errors-reported-by-adtrustinstance.check_inst-us.patch new file mode 100644 index 0000000..8ba28b4 --- /dev/null +++ b/0032-Log-errors-reported-by-adtrustinstance.check_inst-us.patch 
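Review bot: In `force_sync` the new `ds.replica_ignore_initial_time_skew()` / `ds.replica_revert_time_skew()` pair is not protected by `try/finally`, so if `repl.force_sync` or `repl.wait_for_repl_update` raises, nsslapd-ignore-time-skew stays at `on` on the directory server — a relaxed replication check that should not outlive the sync; the step lists in `CAInstance` and `DsInstance` have the same exposure if the step runner stops at the first failing step, which is not visible here. `Service.replica_revert_time_skew` also reads `self.original_time_skew`, which only `replica_ignore_initial_time_skew` sets, so calling revert on its own raises AttributeError; `original = getattr(self, 'original_time_skew', None)` with `if original is not None and original != 'on':` makes it safe, and `entry_attrs['nsslapd-ignore-time-skew'][0]` raises KeyError if the attribute is absent, which presumably never happens on 389-ds but deserves a comment. Both new methods should document that `original_time_skew` is instance state shared between them. `force_sync` starts outside the hunk.
```python
        ds = dsinstance.DsInstance(realm_name=realm)
        ds.replica_ignore_initial_time_skew()
        try:
            repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
            repl.force_sync(repl.conn, thishost)
            agreement = repl.get_replication_agreement(thishost)
            repl.wait_for_repl_update(repl.conn, agreement.dn)
        finally:
            # restore the original value even if the sync failed
            ds.replica_revert_time_skew()
```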
@@ -0,0 +1,49 @@
+From e83d949c7f1734dff70379e360e9bbf626149c61 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Fri, 19 Jul 2024 14:24:15 -0400
+Subject: [PATCH] Log errors reported by adtrustinstance.check_inst() using
+ logger
+
+It previously only printed the issue which made troubleshooting
+after the fact difficult. Using logger.error() provides the same
+visual functionality but also logs to the server install log.
+
+Fixes: https://pagure.io/freeipa/issue/9637
+
+Signed-off-by: Rob Crittenden
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipaserver/install/adtrustinstance.py | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index 2ff68dfb46371a6118eb67515347eb762a37e1ec..fd5a5a282fa2a222de85c6b29d8d9621b53c95d2 100644
+--- a/ipaserver/install/adtrustinstance.py
++++ b/ipaserver/install/adtrustinstance.py
+@@ -65,8 +65,8 @@ and re-run ipa-adtrust-instal again afterwards.
+ def check_inst():
+ for smbfile in [paths.SMBD, paths.NET]:
+ if not os.path.exists(smbfile):
+- print("%s was not found on this system" % smbfile)
+- print("Please install the 'samba' packages and " \
++ logger.error("%s was not found on this system", smbfile)
++ logger.error("Please install the 'samba' packages and "
+ "start the installation again")
+ return False
+
+@@ -74,9 +74,10 @@ def check_inst():
+ # by looking for the file /usr/share/ipa/smb.conf.empty
+ if not os.path.exists(os.path.join(paths.USR_SHARE_IPA_DIR,
+ "smb.conf.empty")):
+- print("AD Trust requires the '%s' package" %
++ logger.error("AD Trust requires the '%s' package",
+ constants.IPA_ADTRUST_PACKAGE_NAME)
+- print("Please install the package and start the installation again")
++ logger.error(
++ "Please install the package and start the installation again")
+ return False
+
+ #TODO: Add check for needed samba4 libraries
+--
+2.45.2
+
diff --git a/0033-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch b/0033-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
new file mode 100644
index 0000000..10977fe
--- /dev/null
+++ b/0033-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
@@ -0,0 +1,116 @@ +From ee96c129a6034d02245a41c58fa3398c12c9ee75 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 11 Jul 2024 18:14:52 +0530 +Subject: [PATCH] ipatests: Verify that SIDgen task continue even if it fails + to assign sid + +related: https://pagure.io/freeipa/issue/9618 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_commands.py | 73 +++++++++++++++++++++- + 1 file changed, 71 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py +index f6f1c979a751a300f09358c044fbfb34539d188e..fd34defe5b12f06ed7c16350cb90933ce9bcd72e 100644 +--- a/ipatests/test_integration/test_commands.py ++++ b/ipatests/test_integration/test_commands.py +@@ -1267,7 +1267,7 @@ class TestIPACommand(IntegrationTest): + + def get_dirsrv_id(self): + serverid = realm_to_serverid(self.master.domain.realm) +- return("dirsrv@%s.service" % serverid) ++ return ("dirsrv@%s.service" % serverid) + + def test_ipa_nis_manage_enable(self): + """ +@@ -1769,7 +1769,7 @@ class TestIPACommandWithoutReplica(IntegrationTest): + api.bootstrap_with_global_options(context='server') + api.finalize() + api.Backend.ldap2.connect() +- ++ + api.Command["group_add"]("testgroup1", external=True) + api.Command["group_add"]("testgroup2", external=False) + result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501 +@@ -1814,6 +1814,75 @@ class TestIPACommandWithoutReplica(IntegrationTest): + '/tmp/reproducer2_code.py']) + assert "missing attribute" not in result.stdout_text + ++ def test_sidgen_task_continue_on_error(self): ++ """Verify that SIDgen task continue even if it fails to assign sid ++ scenario: ++ - add a user with no uid (it will be auto-assigned inside ++ the range) ++ - add a user with uid 2000 ++ - add a user with no uid (it will be auto-assigned inside ++ the range) ++ - edit the first and 3rd users, 
remove the objectclass ++ ipaNTUserAttrs and the attribute ipaNTSecurityIdentifier ++ - run the sidgen task ++ - verify that user1 and user3 have a ipaNTSecurityIdentifier ++ - verify that old error message is not seen in dirsrv error log ++ - verify that new error message is seen in dirsrv error log ++ ++ related: https://pagure.io/freeipa/issue/9618 ++ """ ++ test_user1 = 'test_user1' ++ test_user2 = 'test_user2' ++ test_user2000 = 'test_user2000' ++ base_dn = str(self.master.domain.basedn) ++ old_err_msg = 'Cannot add SID to existing entry' ++ new_err_msg = r'Finished with [0-9]+ failures, please check the log' ++ ++ tasks.kinit_admin(self.master) ++ tasks.user_add(self.master, test_user1) ++ self.master.run_command( ++ ['ipa', 'user-add', test_user2000, ++ '--first', 'test', '--last', 'user', ++ '--uid', '2000'] ++ ) ++ tasks.user_add(self.master, test_user2) ++ ++ for user in (test_user1, test_user2): ++ entry_ldif = textwrap.dedent(""" ++ dn: uid={user},cn=users,cn=accounts,{base_dn} ++ changetype: modify ++ delete: ipaNTSecurityIdentifier ++ - ++ delete: objectclass ++ objectclass: ipaNTUserAttrs ++ """).format( ++ user=user, ++ base_dn=base_dn) ++ tasks.ldapmodify_dm(self.master, entry_ldif) ++ ++ # run sidgen task ++ self.master.run_command( ++ ['ipa', 'config-mod', '--add-sids', '--enable-sid'] ++ ) ++ ++ # ensure that sidgen have added the attr removed above ++ for user in (test_user1, test_user2): ++ result = tasks.ldapsearch_dm( ++ self.master, ++ 'uid={user},cn=users,cn=accounts,{base_dn}'.format( ++ user=user, base_dn=base_dn), ++ ['ipaNTSecurityIdentifier'] ++ ) ++ assert 'ipaNTSecurityIdentifier' in result.stdout_text ++ ++ dashed_domain = self.master.domain.realm.replace(".", '-') ++ dirsrv_error_log = self.master.get_file_contents( ++ paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % (dashed_domain), ++ encoding='utf-8' ++ ) ++ assert old_err_msg not in dirsrv_error_log ++ assert re.search(new_err_msg, dirsrv_error_log) ++ + + class 
TestIPAautomount(IntegrationTest): + @classmethod +-- +2.45.2 + diff --git a/0034-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch b/0034-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch new file mode 100644 index 0000000..efbd47e --- /dev/null +++ b/0034-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch 
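Review bot: `test_sidgen_task_continue_on_error` creates `test_user1`, `test_user2` and `test_user2000` and never removes them, and its `ipa config-mod --add-sids --enable-sid` changes global config that persists after the test, so later tests in `TestIPACommandWithoutReplica` that count users or inspect SIDs may see this state; a `finally:` with `ipa user-del` for the three users, and a docstring line saying SID generation is left enabled if it was not already, would contain it. The docstring also numbers the users differently from the code: it speaks of `the first and 3rd users` and `user1 and user3`, while the loop edits `test_user1` and `test_user2`; aligning the wording with the variable names avoids confusion. Unrelated whitespace-only edits (`return(...)` → `return (...)`, a trailing-space removal) are bundled into the same hunk; separate commits keep bisecting clean. The class continues outside the hunk, and `TestIPAautomount` begins right after the new test.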
@@ -0,0 +1,76 @@ +From 8046023fc46c628c099d84b026ab866f7c6e16d6 Mon Sep 17 00:00:00 2001 +From: Sudhir Menon +Date: Thu, 25 Jul 2024 18:32:21 +0530 +Subject: [PATCH] ipatests: ipa-migrate tool with -Z option (CACERTFILE) + +This patch add tests to check the scenarios associated with +pagure tickets + +https://pagure.io/freeipa/issue/9642 - ipa-migrate - properly handle invalid certificates +https://pagure.io/freeipa/issue/9619 - ipa-migrate starttls does not work + +Signed-off-by: Sudhir Menon +Reviewed-By: Rob Crittenden +--- + .../test_ipa_ipa_migration.py | 48 +++++++++++++++++++ + 1 file changed, 48 insertions(+) + +diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py +index a516941047315e07407b8063a7010526d384ab3b..f697bbfbfc6169309274db689501c99fe148cc70 100644 +--- a/ipatests/test_integration/test_ipa_ipa_migration.py ++++ b/ipatests/test_integration/test_ipa_ipa_migration.py +@@ -872,3 +872,51 @@ class TestIPAMigrateScenario1(IntegrationTest): + extra_args=params, + ) + assert self.replicas[0].transport.file_exists(custom_log_file) ++ ++ def test_ipa_migrate_stage_mode_with_cert(self): ++ """ ++ This testcase checks that ipa-migrate command ++ works without the 'ValuerError' ++ when -Z option is used with valid cert ++ """ ++ cert_file = '/tmp/ipa.crt' ++ remote_server_cert = self.master.get_file_contents( ++ paths.IPA_CA_CRT, encoding="utf-8" ++ ) ++ self.replicas[0].put_file_contents(cert_file, remote_server_cert) ++ params = ['-x', '-n', '-Z', cert_file] ++ result = run_migrate( ++ self.replicas[0], ++ "stage-mode", ++ self.master.hostname, ++ "cn=Directory Manager", ++ self.master.config.admin_password, ++ extra_args=params, ++ ) ++ assert result.returncode == 0 ++ ++ def test_ipa_migrate_stage_mode_with_invalid_cert(self): ++ """ ++ This test checks ipa-migrate tool throws ++ error when invalid cert is specified with ++ -Z option ++ """ ++ cert_file = '/tmp/invaid_cert.crt' ++ 
invalid_cert = ( ++ b'-----BEGIN CERTIFICATE-----\n' ++ b'MIIFazCCDQYJKoZIhvcNAQELBQAw\n' ++ b'-----END CERTIFICATE-----\n' ++ ) ++ ERR_MSG = "Failed to connect to remote server: " ++ params = ['-x', '-n', '-Z', cert_file] ++ self.replicas[0].put_file_contents(cert_file, invalid_cert) ++ result = run_migrate( ++ self.replicas[0], ++ "stage-mode", ++ self.master.hostname, ++ "cn=Directory Manager", ++ self.master.config.admin_password, ++ extra_args=params, ++ ) ++ assert result.returncode == 1 ++ assert ERR_MSG in result.stderr_text +-- +2.45.2 + diff --git a/freeipa.spec b/freeipa.spec index f76151e..7af7204 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -224,7 +224,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 6%{?rc_version:.%rc_version}%{?dist} +Release: 7%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later 
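Review bot: In test_ipa_migrate_stage_mode_with_invalid_cert the only stderr check is `assert ERR_MSG in result.stderr_text` with the generic prefix "Failed to connect to remote server: ", so the test also passes when the connection fails for a reason unrelated to the certificate, which is exactly the distinction the referenced fix (issue 9642, the 'ValueError: option error' failure) is meant to establish; pin the regression in both new tests with `assert 'ValueError' not in result.stderr_text` and, if the tool reports the certificate problem specifically, match that part of the message as well. Both tests also write the certificate to fixed paths on the replica (`/tmp/ipa.crt`, `/tmp/invaid_cert.crt` — note the typo) and never remove them; a fixed name in a shared world-writable directory collides across reruns and is the usual symlink-following hazard, so prefer a unique per-test path and delete it at the end of the test. The first test's docstring reads 'ValuerError'; `works without the 'ValueError'`. Both methods sit inside TestIPAMigrateScenario1, whose class header is outside the hunk.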
@@ -270,6 +270,18 @@ Patch0019: 0019-ipa-migrate-starttls-does-not-work.patch
 Patch0020: 0020-ipa-pwd-extop-differentiate-OTP-requirements-in-LDAP.patch
 Patch0021: 0021-ipatests-Test-replica-installation-using-AD-admin.patch
 Patch0022: 0022-Issue-9621-ipa-migrate-should-not-update-mapped-attr.patch
+Patch0023: 0023-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch
+Patch0024: 0024-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch
+Patch0025: 0025-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch
+Patch0026: 0026-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch
+Patch0027: 0027-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch
+Patch0028: 0028-ipa-migrate-properly-handle-invalid-certificates.patch
+Patch0029: 0029-ipatests-Fix-usage-of-token_password_file.patch
+Patch0030: 0030-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch
+Patch0031: 0031-Replica-CA-installation-ignore-time-skew-during-init.patch
+Patch0032: 0032-Log-errors-reported-by-adtrustinstance.check_inst-us.patch
+Patch0033: 0033-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
+Patch0034: 0034-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -1883,6 +1895,16 @@ fi %endif %changelog +* Thu Aug 8 2024 Florence Blanc-Renaud - 4.12.0-7 +- Resolves: RHEL-53500 adtrustinstance only prints issues in check_inst() and does not log them +- Resolves: RHEL-52306 Unconditionally add MS-PAC to global config +- Resolves: RHEL-52300 RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync" +- Resolves: RHEL-52222 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure +- Resolves: RHEL-51944 Include latest fixes in python3-ipatests packages +- Resolves: RHEL-50804 ipa-migrate -Z with invalid cert options fails with 'ValueError: option error' +- Resolves: RHEL-49602 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w +- Resolves: RHEL-27856 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install + * Thu Jul 18 2024 Florence Blanc-Renaud - 4.12.0-6 - Resolves: RHEL-47292 Include latest fixes in python3-ipatests packages - Resolves: RHEL-47146 Syntax error uninstalling the selinux-luna subpackage