ipa-4.12.0-7

- Resolves: RHEL-53500 adtrustinstance only prints issues in check_inst() and does not log them
- Resolves: RHEL-52306 Unconditionally add MS-PAC to global config
- Resolves: RHEL-52300 RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync"
- Resolves: RHEL-52222 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure
- Resolves: RHEL-51944 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-50804 ipa-migrate -Z with invalid cert options fails with 'ValueError: option error'
- Resolves: RHEL-49602 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w
- Resolves: RHEL-27856 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Florence Blanc-Renaud 2024-08-08 16:12:28 +02:00
parent 8b6d847e67
commit 3979c73861
13 changed files with 879 additions and 1 deletions

View File

@ -0,0 +1,50 @@
From de940802bb6631fbbc97afd11869d87cba18f47f Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 17 Jul 2024 18:32:37 +0200
Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_version_option
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1::
test_ipa_migrate_version_option is now passing, issue has been fixed.
The -V option has been removed.
Related: https://pagure.io/freeipa/issue/9620
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
---
ipatests/test_integration/test_ipa_ipa_migration.py | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index 7e2d4a34216f6cf168f15dda10ce10538a3c3cb9..9aa8a9f32071f122ebb247ba8a1aff041e4fd49a 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -846,20 +846,18 @@ class TestIPAMigrateScenario1(IntegrationTest):
assert DNS_LOG2 in install_msg
assert DNS_LOG3 in install_msg
- @pytest.mark.xfail(reason="https://issues.redhat.com/browse/RHEL-46003",
- strict=True)
def test_ipa_migrate_version_option(self):
"""
- This testcase checks the version of
- the ipa-migrate tool using -v option
+ The -V option has been removed.
"""
CONSOLE_LOG = (
"ipa-migrate: error: the following arguments are "
"required: mode, hostname"
)
- result = self.master.run_command(["ipa-migrate", "-V"])
- assert result.returncode == 0
- assert CONSOLE_LOG not in result.stderr_text
+ result = self.master.run_command(["ipa-migrate", "-V"],
+ raiseonerr=False)
+ assert result.returncode == 2
+ assert CONSOLE_LOG in result.stderr_text
def test_ipa_migrate_with_log_file_option(self):
"""
--
2.45.2

View File

@ -0,0 +1,33 @@
From 6eb6a929308c2916df9aed2da9ee6ef9d98e2438 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 17 Jul 2024 18:36:24 +0200
Subject: [PATCH] ipatests: remove xfail for test_ipa_migrate_stage_mode
The test test_ipa_ipa_migration.py::TestIPAMigrateScenario1
::test_ipa_migrate_stage_mode is now passing, the issue has been fixed.
Related: https://pagure.io/freeipa/issue/9621
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Sudhir Menon <sumenon@redhat.com>
---
ipatests/test_integration/test_ipa_ipa_migration.py | 3 ---
1 file changed, 3 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index 9aa8a9f32071f122ebb247ba8a1aff041e4fd49a..a516941047315e07407b8063a7010526d384ab3b 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -600,9 +600,6 @@ class TestIPAMigrateScenario1(IntegrationTest):
)
assert SCHEMA_OVERRIDE_LOG in install_msg
- @pytest.mark.xfail(
- reason="https://issues.redhat.com/browse/RHEL-45463", strict=True
- )
def test_ipa_migrate_stage_mode(self, empty_log_file):
"""
This test checks that ipa-migrate is successful
--
2.45.2

View File

@ -0,0 +1,26 @@
From d1a485a435ea9dba7587d1998451a09d3aa4077b Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 17 Jul 2024 15:45:06 +0200
Subject: [PATCH] Unconditionally add MS-PAC to global config on update
Fixes: https://pagure.io/freeipa/issue/9632
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
install/updates/60-trusts.update | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
index 56e392044a2fae97ab2f26d8afcffa6a872d41c8..b2fdccae74accf934c9f9e7d83fe63459c1e48b4 100644
--- a/install/updates/60-trusts.update
+++ b/install/updates/60-trusts.update
@@ -54,4 +54,4 @@ add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$
# Add the default PAC type to configuration
dn: cn=ipaConfig,cn=etc,$SUFFIX
-addifnew: ipaKrbAuthzData: MS-PAC
+add: ipaKrbAuthzData: MS-PAC
--
2.45.2

View File

@ -0,0 +1,26 @@
From 9f88188204e443dd5d1d22ebe65b947452558f66 Mon Sep 17 00:00:00 2001
From: Julien Rische <jrische@redhat.com>
Date: Wed, 17 Jul 2024 15:47:33 +0200
Subject: [PATCH] Remove RC4 and 3DES default encryption types on update
Fixes: https://pagure.io/freeipa/issue/9633
Signed-off-by: Julien Rische <jrische@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
install/updates/50-krbenctypes.update | 2 ++
1 file changed, 2 insertions(+)
diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update
index 1058a92d8f5a4971e9ecab52506981b8e470ff77..1bf2bf33a6566586639767771dff501d91a03508 100644
--- a/install/updates/50-krbenctypes.update
+++ b/install/updates/50-krbenctypes.update
@@ -7,3 +7,5 @@ add: krbSupportedEncSaltTypes: aes128-sha2:normal
add: krbSupportedEncSaltTypes: aes128-sha2:special
add: krbSupportedEncSaltTypes: aes256-sha2:normal
add: krbSupportedEncSaltTypes: aes256-sha2:special
+remove: krbDefaultEncSaltTypes: des3-hmac-sha1:special
+remove: krbDefaultEncSaltTypes: arcfour-hmac:special
--
2.45.2

View File

@ -0,0 +1,33 @@
From fdd471d55c73503456683b1dea55769700730b16 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 18 Jul 2024 13:40:28 -0400
Subject: [PATCH] Fix a copy/paste issue when detecting the HSM SELinux
subpackage
I made a mistake when trying to detect which HSM is being used
to ensure that the appropriate SELinux subpackage is installed.
Fixes: https://pagure.io/freeipa/issue/9636
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/ca.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index b8155d9965712dbce4076e9d73d6712135309ce2..e57dc47587fa0e0a6dbbe7511784af065560d782 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -265,7 +265,7 @@ def hsm_validator(token_name, token_library, token_password):
if 'nfast' in token_library:
module = 'ipa-selinux-nfast'
elif 'luna' in token_library:
- module = 'ipa-selinux-nfast'
+ module = 'ipa-selinux-luna'
else:
module = None
if module:
--
2.45.2

View File

@ -0,0 +1,36 @@
From 0e4fbc3b0d15fd219d831b0b49f5312894448206 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Mon, 29 Jul 2024 09:58:30 -0400
Subject: [PATCH] ipa-migrate - properly handle invalid certificates
A ValueError is raised when an invalid certificate is used, so the tool
should handle this properly and not produce a stack trace.
Fixes: https://pagure.io/freeipa/issue/9642
Signed-off-by: Mark Reynolds <mreynolds@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/install/ipa_migrate.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
index 20f59f84db21022b66c0aa1ffd696d99aef85a44..e21937401b3463335d8297b41a403405071d3795 100644
--- a/ipaserver/install/ipa_migrate.py
+++ b/ipaserver/install/ipa_migrate.py
@@ -761,6 +761,12 @@ class IPAMigrate():
try:
ds_conn = LDAPClient(ldapuri, cacert=self.args.cacertfile,
start_tls=True)
+ except ValueError:
+ # Most likely invalid certificate
+ self.handle_error(
+ "Failed to connect to remote server: "
+ "CA certificate is invalid"
+ )
except (
ldap.LDAPError,
errors.NetworkError,
--
2.45.2

View File

@ -0,0 +1,73 @@
From f03a96a7b914eb5130552cea626fd28e26b2108d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 15 Jul 2024 10:21:28 -0400
Subject: [PATCH] ipatests: Fix usage of token_password_file
There were a few hardcoded places where it was set to
/tmp/token_passwd instead of using the class variable.
Don't rely on previous running tests installing the token
password file so they can be run individually.
Fixes: https://pagure.io/freeipa/issue/9603
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_hsm.py | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py
index 3a33c3bda6d072aa16e361b04ac2d668902bb0e9..64305460a5150dfc28a4ab378ac72cd38987184c 100644
--- a/ipatests/test_integration/test_hsm.py
+++ b/ipatests/test_integration/test_hsm.py
@@ -173,6 +173,9 @@ class BaseHSMTest(IntegrationTest):
cls.master.run_command(['usermod', 'pkiuser', '-a', '-G', 'ods'])
cls.token_name, cls.token_password = get_hsm_token(cls.master)
+ cls.master.put_file_contents(
+ cls.token_password_file, cls.token_password
+ )
tasks.install_master(
cls.master, setup_dns=cls.master_with_dns,
setup_kra=cls.master_with_kra,
@@ -220,10 +223,6 @@ class TestHSMInstall(BaseHSMTest):
def test_hsm_install_replica0_ca_less_install(self):
check_version(self.master)
-
- self.master.put_file_contents(
- self.token_password_file, self.token_password
- )
tasks.install_replica(
self.master, self.replicas[0], setup_ca=False,
setup_dns=True,
@@ -412,7 +411,7 @@ class TestHSMcertRenewal(BaseHSMTest):
cert = tasks.certutil_fetch_cert(
self.master,
paths.PKI_TOMCAT_ALIAS_DIR,
- '/tmp/token_passwd',
+ self.token_password_file,
nickname,
token_name=self.token_name,
)
@@ -428,13 +427,14 @@ class TestHSMcertRenewal(BaseHSMTest):
status = tasks.wait_for_request(self.master, request_id[0], 120)
assert status == "MONITORING"
- args = ['-L', '-h', self.token_name, '-f', '/tmp/token_passwd']
+ args = ['-L', '-h', self.token_name, '-f',
+ self.token_password_file,]
tasks.run_certutil(self.master, args, paths.PKI_TOMCAT_ALIAS_DIR)
cert = tasks.certutil_fetch_cert(
self.master,
paths.PKI_TOMCAT_ALIAS_DIR,
- '/tmp/token_passwd',
+ self.token_password_file,
nickname,
token_name=self.token_name,
)
--
2.45.2

View File

@ -0,0 +1,175 @@
From 38b83c2b9329b8b16096d63e83f186c91d578ce8 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 10 Jul 2024 16:14:46 -0400
Subject: [PATCH] Run HSM validation as pkiuser to verify token permissions
Run all commands as pkiuser when validating that the HSM token
is available, that the token library path is correct and that
the password can read keys. This will avoid issues where the
initial validation is ok but the pkiuser is not granted read
access to some part of the token. This is very possible
when using softhsm2.
Fixes: https://pagure.io/freeipa/issue/9626
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/ca.py | 20 ++++++++--
ipatests/test_integration/test_hsm.py | 57 +++++++++++++++++++++++++++
2 files changed, 74 insertions(+), 3 deletions(-)
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index e57dc47587fa0e0a6dbbe7511784af065560d782..9ff91b9cc42673138eee6fa8e0eb46b323be8b1d 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -18,6 +18,7 @@ import six
from ipalib.constants import IPA_CA_CN
from ipalib.install import certstore
from ipalib.install.service import enroll_only, master_install_only, replica_install_only
+from ipaplatform.constants import constants
from ipaserver.install import sysupgrade
from ipapython.install import typing
from ipapython.install.core import group, knob, extend_knob
@@ -208,8 +209,15 @@ def hsm_validator(token_name, token_library, token_password):
raise ValueError(
"Token library path '%s' does not exist" % token_library
)
+ pkiuser = constants.PKI_USER
+ pkigroup = constants.PKI_GROUP
+ if 'libsofthsm' in token_library:
+ import grp
+ group = grp.getgrnam(constants.ODS_GROUP)
+ if str(constants.PKI_USER) in group.gr_mem:
+ pkigroup = constants.ODS_GROUP
with certdb.NSSDatabase() as tempnssdb:
- tempnssdb.create_db()
+ tempnssdb.create_db(user=str(pkiuser), group=str(pkigroup))
# Try adding the token library to the temporary database in
# case it isn't already available. Ignore all errors.
command = [
@@ -223,6 +231,7 @@ def hsm_validator(token_name, token_library, token_password):
# It may fail if p11-kit has already registered the library, that's
# ok.
ipautil.run(command, stdin='\n', cwd=tempnssdb.secdir,
+ runas=pkiuser, suplementary_groups=[pkigroup],
raiseonerr=False)
command = [
@@ -232,7 +241,8 @@ def hsm_validator(token_name, token_library, token_password):
'-force'
]
lines = ipautil.run(
- command, cwd=tempnssdb.secdir, capture_output=True).output
+ command, cwd=tempnssdb.secdir, capture_output=True,
+ runas=pkiuser, suplementary_groups=[pkigroup]).output
found = False
token_line = f'token: {token_name}'
for line in lines.split('\n'):
@@ -241,9 +251,11 @@ def hsm_validator(token_name, token_library, token_password):
break
if not found:
raise ValueError(
- "Token named '%s' was not found" % token_name
+ "Token named '%s' was not found. Check permissions"
+ % token_name
)
pwdfile = ipautil.write_tmp_file(token_password)
+ os.fchown(pwdfile.fileno(), pkiuser.uid, pkigroup.gid)
args = [
paths.CERTUTIL,
"-d", '{}:{}'.format(tempnssdb.dbtype, tempnssdb.secdir),
@@ -252,6 +264,8 @@ def hsm_validator(token_name, token_library, token_password):
"-f", pwdfile.name,
]
result = ipautil.run(args, cwd=tempnssdb.secdir,
+ runas=pkiuser,
+ suplementary_groups=[pkigroup],
capture_error=True, raiseonerr=False)
if result.returncode != 0 and len(result.error_output):
if 'SEC_ERROR_BAD_PASSWORD' in result.error_output:
diff --git a/ipatests/test_integration/test_hsm.py b/ipatests/test_integration/test_hsm.py
index 64305460a5150dfc28a4ab378ac72cd38987184c..974820fc7363b77fd5fdecc7cf0efca412f3af42 100644
--- a/ipatests/test_integration/test_hsm.py
+++ b/ipatests/test_integration/test_hsm.py
@@ -833,6 +833,13 @@ class TestHSMNegative(IntegrationTest):
cls.token_name, cls.token_password = get_hsm_token(cls.master)
+ @classmethod
+ def uninstall(cls, mh):
+ cls.master.run_command(
+ ['softhsm2-util', '--delete-token', '--token', cls.token_name],
+ raiseonerr=False
+ )
+
def test_hsm_negative_wrong_token_details(self):
check_version(self.master)
# wrong token name
@@ -868,6 +875,51 @@ class TestHSMNegative(IntegrationTest):
)
assert result.returncode != 0
+ def test_hsm_negative_bad_token_dir_permissions(self):
+ """Create an unreadable softhsm2 token and install should fail.
+
+ This is most often seen on replicas where the pkiuser is not
+ a member of the ods group.
+ """
+ check_version(self.master)
+ token_name = 'bad_perms'
+ token_passwd = 'Secret123'
+ self.master.run_command(
+ ['softhsm2-util', '--delete-token', '--token', token_name],
+ raiseonerr=False
+ )
+ self.master.run_command(
+ ['usermod', 'pkiuser', '-a', '-G', 'ods']
+ )
+ self.master.run_command(
+ ['softhsm2-util', '--init-token',
+ '--free', '--pin', token_passwd, '--so-pin', token_passwd,
+ '--label', token_name]
+ )
+ self.master.run_command(
+ ['usermod', 'pkiuser', '-r', '-G', 'ods']
+ )
+ result = tasks.install_master(
+ self.master, raiseonerr=False,
+ extra_args=(
+ '--token-name', token_name,
+ '--token-library-path', hsm_lib_path,
+ '--token-password', token_passwd
+ )
+ )
+ self.master.run_command(
+ ['usermod', 'pkiuser', '-a', '-G', 'ods']
+ )
+ self.master.run_command(
+ ['softhsm2-util', '--delete-token', '--token', token_name],
+ raiseonerr=False
+ )
+ assert result.returncode != 0
+ assert (
+ f"Token named '{token_name}' was not found"
+ in result.stderr_text
+ )
+
def test_hsm_negative_special_char_token_name(self):
check_version(self.master)
token_name = 'hsm:token'
@@ -912,6 +964,11 @@ class TestHSMNegative(IntegrationTest):
'--token-password-file', self.token_password_file
)
)
+ self.master.run_command(
+ ['softhsm2-util', '--delete-token', '--token', self.token_name],
+ raiseonerr=False
+ )
+ # assert 'error message non existing token lib' in result.stderr_text
assert result.returncode != 0
--
2.45.2

View File

@ -0,0 +1,163 @@
From aadb8051d4a3172aac3790f47ff4d241a245bab4 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Thu, 18 Jul 2024 12:57:36 +0200
Subject: [PATCH] Replica CA installation: ignore time skew during initial
replication
During a replica CA installation, the initial replication step may fail
if there is too much time skew between the server and replica.
The replica installer already takes care of this for the replication of
the domain suffix but the replica CA installer does not set
nssldapd-ignore-time-skew to on for o=ipaca suffix.
During a replica CA installation, read the initial value of
nssldapd-ignore-time-skew, force it to on, start replication and
revert to the initial value.
Apply the same logic to dsinstance and ipa-replica-manage force-sync.
Fixes: https://pagure.io/freeipa/issue/9635
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
install/share/Makefile.am | 1 -
install/share/replica-prevent-time-skew.ldif | 4 ----
install/tools/ipa-replica-manage.in | 4 ++--
ipaserver/install/cainstance.py | 4 ++++
ipaserver/install/dsinstance.py | 14 ++---------
ipaserver/install/service.py | 25 ++++++++++++++++++++
6 files changed, 33 insertions(+), 19 deletions(-)
delete mode 100644 install/share/replica-prevent-time-skew.ldif
diff --git a/install/share/Makefile.am b/install/share/Makefile.am
index e0fe4b7d1756bd05f060a92ab52f910b4bd3adc8..4029297b76cc2f30dc9eab606e5670667978dd27 100644
--- a/install/share/Makefile.am
+++ b/install/share/Makefile.am
@@ -38,7 +38,6 @@ dist_app_DATA = \
default-trust-view.ldif \
delegation.ldif \
replica-acis.ldif \
- replica-prevent-time-skew.ldif \
ds-nfiles.ldif \
ds-ipa-env.conf.template \
dns.ldif \
diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif
deleted file mode 100644
index 5d301feddb56347f3b35be89edaae1a7d91e07de..0000000000000000000000000000000000000000
--- a/install/share/replica-prevent-time-skew.ldif
+++ /dev/null
@@ -1,4 +0,0 @@
-dn: cn=config
-changetype: modify
-replace: nsslapd-ignore-time-skew
-nsslapd-ignore-time-skew: $SKEWVALUE
diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in
index 56145cb8a2249f8c5279d9baec4f34f274990bcf..d6e6ef57c39af70f164d41662227af3dc2535f9c 100644
--- a/install/tools/ipa-replica-manage.in
+++ b/install/tools/ipa-replica-manage.in
@@ -1262,12 +1262,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False):
repl.force_sync(repl.conn, fromhost)
else:
ds = dsinstance.DsInstance(realm_name=realm)
- ds.replica_manage_time_skew(prevent=False)
+ ds.replica_ignore_initial_time_skew()
repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
repl.force_sync(repl.conn, thishost)
agreement = repl.get_replication_agreement(thishost)
repl.wait_for_repl_update(repl.conn, agreement.dn)
- ds.replica_manage_time_skew(prevent=True)
+ ds.replica_revert_time_skew()
def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False,
nolookup=False):
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index b4b86024899bc6532f1123503cec63be9435f55b..5dac2c0441752e7bb569cde1fc93bc17c3128cdf 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -416,7 +416,11 @@ class CAInstance(DogtagInstance):
if promote:
# Setup Database
self.step("creating certificate server db", self.__create_ds_db)
+ self.step("ignore time skew for initial replication",
+ self.replica_ignore_initial_time_skew)
self.step("setting up initial replication", self.__setup_replication)
+ self.step("revert time skew after initial replication",
+ self.replica_revert_time_skew)
self.step("creating ACIs for admin", self.add_ipaca_aci)
self.step("creating installation admin user", self.setup_admin)
self.step("configuring certificate server instance",
diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
index 88984d0219033717cefd28d6170535b6c859330f..dab58e42661f500e7aca0e8311e93d421567b8c8 100644
--- a/ipaserver/install/dsinstance.py
+++ b/ipaserver/install/dsinstance.py
@@ -387,11 +387,11 @@ class DsInstance(service.Service):
# This helps with initial replication or force-sync because
# the receiving side has no valuable changes itself yet.
self.step("ignore time skew for initial replication",
- self.__replica_ignore_initial_time_skew)
+ self.replica_ignore_initial_time_skew)
self.step("setting up initial replication", self.__setup_replica)
self.step("prevent time skew after initial replication",
- self.replica_manage_time_skew)
+ self.replica_revert_time_skew)
self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings)
self.step("updating schema", self.__update_schema)
# See LDIFs for automember configuration during replica install
@@ -997,16 +997,6 @@ class DsInstance(service.Service):
def __add_replication_acis(self):
self._ldap_mod("replica-acis.ldif", self.sub_dict)
- def __replica_ignore_initial_time_skew(self):
- self.replica_manage_time_skew(prevent=False)
-
- def replica_manage_time_skew(self, prevent=True):
- if prevent:
- self.sub_dict['SKEWVALUE'] = 'off'
- else:
- self.sub_dict['SKEWVALUE'] = 'on'
- self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict)
-
def __setup_s4u2proxy(self):
def __add_principal(last_cn, principal, self):
diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py
index 4c366a184ffdc26aaf7b546af9e4de8b43b7be41..cf0f64ab9794111761adf735bc488269bd1814fc 100644
--- a/ipaserver/install/service.py
+++ b/ipaserver/install/service.py
@@ -862,6 +862,31 @@ class Service:
self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal)
self.set_keytab_owner()
+ def replica_ignore_initial_time_skew(self):
+ """
+ Set nsslapd-ignore-time-skew = on if not already set
+ and store the initial value in order to restore it later.
+
+ The on value allows replica initialization even if there
+ are excessive time skews.
+ """
+ dn = DN(('cn', 'config'))
+ entry_attrs = api.Backend.ldap2.get_entry(dn)
+ self.original_time_skew = entry_attrs['nsslapd-ignore-time-skew'][0]
+ if self.original_time_skew != 'on':
+ entry_attrs['nsslapd-ignore-time-skew'] = 'on'
+ api.Backend.ldap2.update_entry(entry_attrs)
+
+ def replica_revert_time_skew(self):
+ """
+ Revert nsslapd-ignore-time-skew to its previous value.
+ """
+ dn = DN(('cn', 'config'))
+ entry_attrs = api.Backend.ldap2.get_entry(dn)
+ if self.original_time_skew != 'on':
+ entry_attrs['nsslapd-ignore-time-skew'] = self.original_time_skew
+ api.Backend.ldap2.update_entry(entry_attrs)
+
class SimpleServiceInstance(Service):
def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None,
--
2.45.2

View File

@ -0,0 +1,49 @@
From e83d949c7f1734dff70379e360e9bbf626149c61 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 19 Jul 2024 14:24:15 -0400
Subject: [PATCH] Log errors reported by adtrustinstance.check_inst() using
logger
It previously only printed the issue which made troubleshooting
after the fact difficult. Using logger.error() provides the same
visual functionality but also logs to the server install log.
Fixes: https://pagure.io/freeipa/issue/9637
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/adtrustinstance.py | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 2ff68dfb46371a6118eb67515347eb762a37e1ec..fd5a5a282fa2a222de85c6b29d8d9621b53c95d2 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -65,8 +65,8 @@ and re-run ipa-adtrust-instal again afterwards.
def check_inst():
for smbfile in [paths.SMBD, paths.NET]:
if not os.path.exists(smbfile):
- print("%s was not found on this system" % smbfile)
- print("Please install the 'samba' packages and " \
+ logger.error("%s was not found on this system", smbfile)
+ logger.error("Please install the 'samba' packages and "
"start the installation again")
return False
@@ -74,9 +74,10 @@ def check_inst():
# by looking for the file /usr/share/ipa/smb.conf.empty
if not os.path.exists(os.path.join(paths.USR_SHARE_IPA_DIR,
"smb.conf.empty")):
- print("AD Trust requires the '%s' package" %
+ logger.error("AD Trust requires the '%s' package",
constants.IPA_ADTRUST_PACKAGE_NAME)
- print("Please install the package and start the installation again")
+ logger.error(
+ "Please install the package and start the installation again")
return False
#TODO: Add check for needed samba4 libraries
--
2.45.2

View File

@ -0,0 +1,116 @@
From ee96c129a6034d02245a41c58fa3398c12c9ee75 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 11 Jul 2024 18:14:52 +0530
Subject: [PATCH] ipatests: Verify that SIDgen task continue even if it fails
to assign sid
related: https://pagure.io/freeipa/issue/9618
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_commands.py | 73 +++++++++++++++++++++-
1 file changed, 71 insertions(+), 2 deletions(-)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index f6f1c979a751a300f09358c044fbfb34539d188e..fd34defe5b12f06ed7c16350cb90933ce9bcd72e 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1267,7 +1267,7 @@ class TestIPACommand(IntegrationTest):
def get_dirsrv_id(self):
serverid = realm_to_serverid(self.master.domain.realm)
- return("dirsrv@%s.service" % serverid)
+ return ("dirsrv@%s.service" % serverid)
def test_ipa_nis_manage_enable(self):
"""
@@ -1769,7 +1769,7 @@ class TestIPACommandWithoutReplica(IntegrationTest):
api.bootstrap_with_global_options(context='server')
api.finalize()
api.Backend.ldap2.connect()
-
+
api.Command["group_add"]("testgroup1", external=True)
api.Command["group_add"]("testgroup2", external=False)
result1 = api.Command["group_show"]("testgroup1", all=True)["result"] # noqa: E501
@@ -1814,6 +1814,75 @@ class TestIPACommandWithoutReplica(IntegrationTest):
'/tmp/reproducer2_code.py'])
assert "missing attribute" not in result.stdout_text
+ def test_sidgen_task_continue_on_error(self):
+ """Verify that SIDgen task continue even if it fails to assign sid
+ scenario:
+ - add a user with no uid (it will be auto-assigned inside
+ the range)
+ - add a user with uid 2000
+ - add a user with no uid (it will be auto-assigned inside
+ the range)
+ - edit the first and 3rd users, remove the objectclass
+ ipaNTUserAttrs and the attribute ipaNTSecurityIdentifier
+ - run the sidgen task
+ - verify that user1 and user3 have a ipaNTSecurityIdentifier
+ - verify that old error message is not seen in dirsrv error log
+ - verify that new error message is seen in dirsrv error log
+
+ related: https://pagure.io/freeipa/issue/9618
+ """
+ test_user1 = 'test_user1'
+ test_user2 = 'test_user2'
+ test_user2000 = 'test_user2000'
+ base_dn = str(self.master.domain.basedn)
+ old_err_msg = 'Cannot add SID to existing entry'
+ new_err_msg = r'Finished with [0-9]+ failures, please check the log'
+
+ tasks.kinit_admin(self.master)
+ tasks.user_add(self.master, test_user1)
+ self.master.run_command(
+ ['ipa', 'user-add', test_user2000,
+ '--first', 'test', '--last', 'user',
+ '--uid', '2000']
+ )
+ tasks.user_add(self.master, test_user2)
+
+ for user in (test_user1, test_user2):
+ entry_ldif = textwrap.dedent("""
+ dn: uid={user},cn=users,cn=accounts,{base_dn}
+ changetype: modify
+ delete: ipaNTSecurityIdentifier
+ -
+ delete: objectclass
+ objectclass: ipaNTUserAttrs
+ """).format(
+ user=user,
+ base_dn=base_dn)
+ tasks.ldapmodify_dm(self.master, entry_ldif)
+
+ # run sidgen task
+ self.master.run_command(
+ ['ipa', 'config-mod', '--add-sids', '--enable-sid']
+ )
+
+ # ensure that sidgen have added the attr removed above
+ for user in (test_user1, test_user2):
+ result = tasks.ldapsearch_dm(
+ self.master,
+ 'uid={user},cn=users,cn=accounts,{base_dn}'.format(
+ user=user, base_dn=base_dn),
+ ['ipaNTSecurityIdentifier']
+ )
+ assert 'ipaNTSecurityIdentifier' in result.stdout_text
+
+ dashed_domain = self.master.domain.realm.replace(".", '-')
+ dirsrv_error_log = self.master.get_file_contents(
+ paths.SLAPD_INSTANCE_ERROR_LOG_TEMPLATE % (dashed_domain),
+ encoding='utf-8'
+ )
+ assert old_err_msg not in dirsrv_error_log
+ assert re.search(new_err_msg, dirsrv_error_log)
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.45.2

View File

@ -0,0 +1,76 @@
From 8046023fc46c628c099d84b026ab866f7c6e16d6 Mon Sep 17 00:00:00 2001
From: Sudhir Menon <sumenon@redhat.com>
Date: Thu, 25 Jul 2024 18:32:21 +0530
Subject: [PATCH] ipatests: ipa-migrate tool with -Z option (CACERTFILE)
This patch add tests to check the scenarios associated with
pagure tickets
https://pagure.io/freeipa/issue/9642 - ipa-migrate - properly handle invalid certificates
https://pagure.io/freeipa/issue/9619 - ipa-migrate starttls does not work
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_ipa_ipa_migration.py | 48 +++++++++++++++++++
1 file changed, 48 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_ipa_migration.py b/ipatests/test_integration/test_ipa_ipa_migration.py
index a516941047315e07407b8063a7010526d384ab3b..f697bbfbfc6169309274db689501c99fe148cc70 100644
--- a/ipatests/test_integration/test_ipa_ipa_migration.py
+++ b/ipatests/test_integration/test_ipa_ipa_migration.py
@@ -872,3 +872,51 @@ class TestIPAMigrateScenario1(IntegrationTest):
extra_args=params,
)
assert self.replicas[0].transport.file_exists(custom_log_file)
+
+ def test_ipa_migrate_stage_mode_with_cert(self):
+ """
+ This testcase checks that ipa-migrate command
+ works without the 'ValuerError'
+ when -Z <cert> option is used with valid cert
+ """
+ cert_file = '/tmp/ipa.crt'
+ remote_server_cert = self.master.get_file_contents(
+ paths.IPA_CA_CRT, encoding="utf-8"
+ )
+ self.replicas[0].put_file_contents(cert_file, remote_server_cert)
+ params = ['-x', '-n', '-Z', cert_file]
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=params,
+ )
+ assert result.returncode == 0
+
+ def test_ipa_migrate_stage_mode_with_invalid_cert(self):
+ """
+ This test checks ipa-migrate tool throws
+ error when invalid cert is specified with
+ -Z option
+ """
+ cert_file = '/tmp/invaid_cert.crt'
+ invalid_cert = (
+ b'-----BEGIN CERTIFICATE-----\n'
+ b'MIIFazCCDQYJKoZIhvcNAQELBQAw\n'
+ b'-----END CERTIFICATE-----\n'
+ )
+ ERR_MSG = "Failed to connect to remote server: "
+ params = ['-x', '-n', '-Z', cert_file]
+ self.replicas[0].put_file_contents(cert_file, invalid_cert)
+ result = run_migrate(
+ self.replicas[0],
+ "stage-mode",
+ self.master.hostname,
+ "cn=Directory Manager",
+ self.master.config.admin_password,
+ extra_args=params,
+ )
+ assert result.returncode == 1
+ assert ERR_MSG in result.stderr_text
--
2.45.2

View File

@ -224,7 +224,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 6%{?rc_version:.%rc_version}%{?dist} Release: 7%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later License: GPL-3.0-or-later
@ -270,6 +270,18 @@ Patch0019: 0019-ipa-migrate-starttls-does-not-work.patch
Patch0020: 0020-ipa-pwd-extop-differentiate-OTP-requirements-in-LDAP.patch Patch0020: 0020-ipa-pwd-extop-differentiate-OTP-requirements-in-LDAP.patch
Patch0021: 0021-ipatests-Test-replica-installation-using-AD-admin.patch Patch0021: 0021-ipatests-Test-replica-installation-using-AD-admin.patch
Patch0022: 0022-Issue-9621-ipa-migrate-should-not-update-mapped-attr.patch Patch0022: 0022-Issue-9621-ipa-migrate-should-not-update-mapped-attr.patch
Patch0023: 0023-ipatests-remove-xfail-for-test_ipa_migrate_version_o.patch
Patch0024: 0024-ipatests-remove-xfail-for-test_ipa_migrate_stage_mod.patch
Patch0025: 0025-Unconditionally-add-MS-PAC-to-global-config-on-updat.patch
Patch0026: 0026-Remove-RC4-and-3DES-default-encryption-types-on-upda.patch
Patch0027: 0027-Fix-a-copy-paste-issue-when-detecting-the-HSM-SELinu.patch
Patch0028: 0028-ipa-migrate-properly-handle-invalid-certificates.patch
Patch0029: 0029-ipatests-Fix-usage-of-token_password_file.patch
Patch0030: 0030-Run-HSM-validation-as-pkiuser-to-verify-token-permis.patch
Patch0031: 0031-Replica-CA-installation-ignore-time-skew-during-init.patch
Patch0032: 0032-Log-errors-reported-by-adtrustinstance.check_inst-us.patch
Patch0033: 0033-ipatests-Verify-that-SIDgen-task-continue-even-if-it.patch
Patch0034: 0034-ipatests-ipa-migrate-tool-with-Z-option-CACERTFILE.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif %endif
%endif %endif
@ -1883,6 +1895,16 @@ fi
%endif %endif
%changelog %changelog
* Thu Aug 8 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.0-7
- Resolves: RHEL-53500 adtrustinstance only prints issues in check_inst() and does not log them
- Resolves: RHEL-52306 Unconditionally add MS-PAC to global config
- Resolves: RHEL-52300 RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync"
- Resolves: RHEL-52222 ipa-replica/server-install with softhsm needs to check permission/ownership of /var/lib/softhsm/tokens to avoid install failure
- Resolves: RHEL-51944 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-50804 ipa-migrate -Z with invalid cert options fails with 'ValueError: option error'
- Resolves: RHEL-49602 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w
- Resolves: RHEL-27856 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install
* Thu Jul 18 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.0-6 * Thu Jul 18 2024 Florence Blanc-Renaud <flo@redhat.com> - 4.12.0-6
- Resolves: RHEL-47292 Include latest fixes in python3-ipatests packages - Resolves: RHEL-47292 Include latest fixes in python3-ipatests packages
- Resolves: RHEL-47146 Syntax error uninstalling the selinux-luna subpackage - Resolves: RHEL-47146 Syntax error uninstalling the selinux-luna subpackage