rpms
/
ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

ipa release 4.9.13-4 

- Improve server affinity for CA-less deployments
  Resolves: RHEL-22283
- host: update system: Manage Host Keytab permission
  Resolves: RHEL-22286
- adtrustinstance: make sure NetBIOS name defaults are set properly
  Resolves: RHEL-21938
- ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off
  Resolves: RHEL-19672

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
Rafael Guterres Jeffman 2024-01-23 18:39:46 -03:00
parent a321f34b62
commit 3b5629ec63
5 changed files with 531 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

212
0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch Normal file
View File

@ -0,0 +1,212 @@
From 3add9ba03a0af913d03b1f5ecaa8e48e46a93f91 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 15 2024 13:42:08 +0000
Subject: Server affinity: Retain user-requested remote server
We want to avoid splitting a replica server installation between
two hosts where possible so if a CA or KRA is requested then
we only try to install against a remote server that also provides
those capabilities. This avoids race conditions.
If a CA or KRA is not requested and the user has provided a
server to install against then use that instead of overriding it.
Extend the logic of picking the remote Custodia mode
(KRA, CA, *MASTER*) to include considering whether the
CA and KRA services are requested. If the service(s) are
not requested the the associated hostname may not be
reliable.
Fixes: https://pagure.io/freeipa/issue/9491
Related: https://pagure.io/freeipa/issue/9289
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 27fbdef..8096b6a 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -782,6 +782,7 @@ def promotion_check_host_principal_auth_ind(conn, hostdn):
def remote_connection(config):
+ logger.debug("Creating LDAP connection to %s", config.master_host_name)
ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name)
xmlrpc_uri = 'https://{}/ipa/xml'.format(
ipautil.format_netloc(config.master_host_name))
@@ -1087,7 +1088,7 @@ def promote_check(installer):
'CA', conn, preferred_cas
)
if ca_host is not None:
- if config.master_host_name != ca_host:
+ if options.setup_ca and config.master_host_name != ca_host:
conn.disconnect()
del remote_api
config.master_host_name = ca_host
@@ -1096,8 +1097,7 @@ def promote_check(installer):
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
config.ca_host_name = ca_host
- config.master_host_name = ca_host
- ca_enabled = True
+ ca_enabled = True # There is a CA somewhere in the topology
if options.dirsrv_cert_files:
logger.error("Certificates could not be provided when "
"CA is present on some master.")
@@ -1135,7 +1135,7 @@ def promote_check(installer):
'KRA', conn, preferred_kras
)
if kra_host is not None:
- if config.master_host_name != kra_host:
+ if options.setup_kra and config.master_host_name != kra_host:
conn.disconnect()
del remote_api
config.master_host_name = kra_host
@@ -1143,10 +1143,9 @@ def promote_check(installer):
installer._remote_api = remote_api
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
- config.kra_host_name = kra_host
- config.ca_host_name = kra_host
- config.master_host_name = kra_host
- kra_enabled = True
+ config.kra_host_name = kra_host
+ config.ca_host_name = kra_host
+ kra_enabled = True # There is a KRA somewhere in the topology
if options.setup_kra and options.server and \
kra_host != options.server:
# Installer was provided with a specific master
@@ -1372,10 +1371,10 @@ def install(installer):
otpd.create_instance('OTPD', config.host_name,
ipautil.realm_to_suffix(config.realm_name))
- if kra_enabled:
+ if options.setup_kra and kra_enabled:
# A KRA peer always provides a CA, too.
mode = custodiainstance.CustodiaModes.KRA_PEER
- elif ca_enabled:
+ elif options.setup_ca and ca_enabled:
mode = custodiainstance.CustodiaModes.CA_PEER
else:
mode = custodiainstance.CustodiaModes.MASTER_PEER
From 701339d4fed539713eb1a13495992879f56a6daa Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 18 2024 14:53:28 +0000
Subject: Server affinity: Don't rely just on [ca|kra]_enabled for installs
ca_enable and kra_enabled are intended to be used to identify that
a CA or KRA is available in the topology. It was also being used
to determine whether a CA or KRA service is desired on a replica
install, rather than options.setup_[ca|kra]
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 8096b6a..191913d 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1143,7 +1143,8 @@ def promote_check(installer):
installer._remote_api = remote_api
conn = remote_api.Backend.ldap2
conn.connect(ccache=installer._ccache)
- config.kra_host_name = kra_host
+ config.kra_host_name = kra_host
+ if options.setup_kra: # only reset ca_host if KRA is requested
config.ca_host_name = kra_host
kra_enabled = True # There is a KRA somewhere in the topology
if options.setup_kra and options.server and \
@@ -1381,7 +1382,7 @@ def install(installer):
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
- if ca_enabled:
+ if options.setup_ca and ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
@@ -1397,7 +1398,7 @@ def install(installer):
service.print_msg("Finalize replication settings")
ds.finalize_replica_config()
- if kra_enabled:
+ if options.setup_kra and kra_enabled:
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")
From e6014a5c1996528b255480b67fe2937203bff81b Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 23 2024 15:32:58 +0000
Subject: Server affinity: call ca.install() if there is a CA in the topology
This should not have been gated on options.setup_ca because we need
the RA agent on all servers if there is a CA in the topology otherwise
the non-CA servers won't be able to communicate with the CA.
Fixes: https://pagure.io/freeipa/issue/9510
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py
index c93ae1f..187f803 100644
--- a/ipaserver/install/ca.py
+++ b/ipaserver/install/ca.py
@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia):
promote = False
else:
cafile = os.path.join(replica_config.dir, 'cacert.p12')
- custodia.get_ca_keys(
- cafile,
- replica_config.dirman_password)
+ if replica_config.setup_ca:
+ custodia.get_ca_keys(
+ cafile,
+ replica_config.dirman_password)
ca_signing_algorithm = None
ca_type = None
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index f8d4733..4c1c07c 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -1359,11 +1359,13 @@ def install(installer):
custodia = custodiainstance.get_custodia_instance(config, mode)
custodia.create_instance()
- if options.setup_ca and ca_enabled:
+ if ca_enabled:
options.realm_name = config.realm_name
options.domain_name = config.domain_name
options.host_name = config.host_name
options.dm_password = config.dirman_password
+ # Always call ca.install() if there is a CA in the topology
+ # to ensure the RA agent is present.
ca.install(False, config, options, custodia=custodia)
# configure PKINIT now that all required services are in place
@@ -1375,7 +1377,8 @@ def install(installer):
service.print_msg("Finalize replication settings")
ds.finalize_replica_config()
- if options.setup_kra and kra_enabled:
+ if kra_enabled:
+ # The KRA installer checks for itself the status of setup_kra
kra.install(api, config, options, custodia=custodia)
service.print_msg("Restarting the KDC")

97
0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch Normal file
View File

@ -0,0 +1,97 @@
From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Jan 15 2024 13:50:10 +0000
Subject: host: update System: Manage Host Keytab permission
Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended
operation to get a keytab is supposed to be used. This keytab
setting/retrieval extended operation checks access rights of the bound
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.
If the write isn't allowed, the operation is rejected and ipa-getkeytab
tool falls back to an older code that generates the keytab on the client
and forcibly sets to the LDAP entry. For the latter, a check is done to
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.
This fallback should never happen for newer deployments. When enrollemnt
operation is delegated to non-administrative user with the help of 'Host
Enrollment' role, a host can be pre-created or created at enrollment
time, if this non-administrative user has 'Host Administrators' role. In
the latter case a system permission 'System: Manage Host Keytab' grants
write access to 'krbPrincipalKey' attribute but lacks any access to the
virtual attributes expected by the new extended operation.
There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
that allows to retrieve existing keys for a host. However, during
initial enrollment we do not allow to retrieve and reuse existing
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
the existing key, 'ipa-join' has no way to trigger that operation.
Hence, permission 'System: Manage Host Keytab' will not grant the right
to read the Kerberos key via extended operation used by 'ipa-getkeytab
-r'. Such operation can be done later by utilizing 'ipa
service/host-allow-retrieve-keytab' commands.
Fix 'System: Manage Host Keytab' permission and extend a permission test
to see that we do not fallback to the old extended operation.
Fixes: https://pagure.io/freeipa/issue/9496
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
diff --git a/ACI.txt b/ACI.txt
index e6d6e3d..236bb43 100644
--- a/ACI.txt
+++ b/ACI.txt
@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "ipaprotectedoperation;write_keys || krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
dn: cn=computers,cn=accounts,dc=ipa,dc=example
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index 3ef510e..b02c8b5 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -409,7 +409,8 @@ class host(LDAPObject):
api.env.container_hostgroup,
api.env.basedn),
],
- 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey',
+ 'ipaprotectedoperation;write_keys'},
'replaces': [
'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
],
diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py
index 3333a4f..cd1096f 100644
--- a/ipatests/test_integration/test_user_permissions.py
+++ b/ipatests/test_integration/test_user_permissions.py
@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest):
self.master.run_command(['ipa', 'privilege-add-permission',
'--permissions', 'System: Add Hosts',
'Add Hosts'])
+ self.master.run_command(['ipa', 'privilege-add-permission',
+ '--permissions', 'System: Manage Host Keytab',
+ 'Add Hosts'])
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
'--privileges', 'Host Enrollment'])
@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest):
encoding='utf-8')
assert msg in install_log
+ # Make sure we do not fallback to an old keytab retrieval method anymore
+ msg = "Retrying with pre-4.0 keytab retrieval method..."
+ assert msg not in install_log
+
# check that user is able to request a host cert, too
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
assert 'Local IPA host' in result.stdout_text

32
0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch Normal file
View File

@ -0,0 +1,32 @@
From 2f17319df6147832dceff7c06154363f8d58b194 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Jan 18 2024 09:07:31 +0000
Subject: adtrustinstance: make sure NetBIOS name defaults are set properly
Some tools may pass None as NetBIOS name if not put explicitly by a
user. This meant to use default NetBIOS name generator based on the
domain (realm) name. However, this wasn't done properly, so None is
passed later to python-ldap and it rejects such LDAP entry.
Fixes: https://pagure.io/freeipa/issue/9514
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index bf0cc3b..bb5b61a 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -189,6 +189,8 @@ class ADTRUSTInstance(service.Service):
self.fqdn = self.fqdn or api.env.host
self.host_netbios_name = make_netbios_name(self.fqdn)
self.realm = self.realm or api.env.realm
+ if not self.netbios_name:
+ self.netbios_name = make_netbios_name(self.realm)
self.suffix = ipautil.realm_to_suffix(self.realm)
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \

175
0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch Normal file
View File

@ -0,0 +1,175 @@
From 5afda72afc6fd626359411b55f092989fdd7d82d Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 15 2024 13:39:21 +0000
Subject: ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck
Log buffering is disabled in the integration tests so we can have all
the logs at the end. This is causing a warning to show in the 389-ds
checks and causing tests to fail that expect all SUCCESS.
Add an exclude for this specific key so tests will pass again.
We may eventually want a more sophisiticated mechanism to handle
excludes, or updating the config in general, but this is fine for now.
Fixes: https://pagure.io/freeipa/issue/9400
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 7fb8e40..14fba26 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -9,6 +9,7 @@ from __future__ import absolute_import
from configparser import RawConfigParser, NoOptionError
from datetime import datetime, timedelta
+import io
import json
import os
import re
@@ -208,6 +209,28 @@ def run_healthcheck(host, source=None, check=None, output_type="json",
return result.returncode, data
+def set_excludes(host, option, value,
+ config_file='/etc/ipahealthcheck/ipahealthcheck.conf'):
+ """Mark checks that should be excluded from the results
+
+ This will set in the [excludes] section on host:
+ option=value
+ """
+ EXCLUDES = "excludes"
+
+ conf = host.get_file_contents(config_file, encoding='utf-8')
+ cfg = RawConfigParser()
+ cfg.read_string(conf)
+ if not cfg.has_section(EXCLUDES):
+ cfg.add_section(EXCLUDES)
+ if not cfg.has_option(EXCLUDES, option):
+ cfg.set(EXCLUDES, option, value)
+ out = io.StringIO()
+ cfg.write(out)
+ out.seek(0)
+ host.put_file_contents(config_file, out.read())
+
+
@pytest.fixture
def restart_service():
"""Shut down and restart a service as a fixture"""
@@ -265,6 +288,7 @@ class TestIpaHealthCheck(IntegrationTest):
setup_dns=True,
extra_args=['--no-dnssec-validation']
)
+ set_excludes(cls.master, "key", "DSCLE0004")
def test_ipa_healthcheck_install_on_master(self):
"""
@@ -552,6 +576,7 @@ class TestIpaHealthCheck(IntegrationTest):
setup_dns=True,
extra_args=['--no-dnssec-validation']
)
+ set_excludes(self.replicas[0], "key", "DSCLE0004")
# Init a user on replica to assign a DNA range
tasks.kinit_admin(self.replicas[0])
@@ -692,6 +717,7 @@ class TestIpaHealthCheck(IntegrationTest):
'output_type=human'
])
)
+ set_excludes(self.master, "key", "DSCLE0004", config_file)
returncode, output = run_healthcheck(
self.master, failures_only=True, config=config_file
)
@@ -707,6 +733,7 @@ class TestIpaHealthCheck(IntegrationTest):
'output_file=%s' % HC_LOG,
])
)
+ set_excludes(self.master, "key", "DSCLE0004")
returncode, _unused = run_healthcheck(
self.master, config=config_file
)
@@ -2396,6 +2423,7 @@ class TestIpaHealthCLI(IntegrationTest):
cls.master, setup_dns=True, extra_args=['--no-dnssec-validation']
)
tasks.install_packages(cls.master, HEALTHCHECK_PKG)
+ set_excludes(cls.master, "key", "DSCLE0004")
def test_indent(self):
"""
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index d477c3a..b71f2d5 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -13,7 +13,7 @@ import pytest
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_ipahealthcheck import (
- run_healthcheck, HEALTHCHECK_PKG
+ run_healthcheck, set_excludes, HEALTHCHECK_PKG
)
from ipatests.pytest_ipa.integration import tasks
from ipatests.pytest_ipa.integration.tasks import (
@@ -983,6 +983,9 @@ class TestHiddenReplicaPromotion(IntegrationTest):
# manually install KRA to verify that hidden state is synced
tasks.install_kra(cls.replicas[0])
+ set_excludes(cls.master, "key", "DSCLE0004")
+ set_excludes(cls.replicas[0], "key", "DSCLE0004")
+
def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()):
domain = DNSName(self.master.domain.name).make_absolute()
rset = [
From f1cfe7d9ff2489dbb6cad70999b0e1bd433c0537 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Jan 15 2024 13:39:21 +0000
Subject: ipatests: fix expected output for ipahealthcheck.ipa.host
ipa-healthcheck commit e69589d5 changed the output when a service
keytab is missing to not report the GSSAPI error but to report
that the keytab doesn't exist at all. This distinguishes from real
Kerberos issues like kvno.
Fixes: https://pagure.io/freeipa/issue/9482
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
---
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
index 14fba26..8aae9fa 100644
--- a/ipatests/test_integration/test_ipahealthcheck.py
+++ b/ipatests/test_integration/test_ipahealthcheck.py
@@ -629,9 +629,15 @@ class TestIpaHealthCheck(IntegrationTest):
ipahealthcheck.ipa.host when GSSAPI credentials cannot be obtained
from host's keytab.
"""
- msg = (
- "Minor (2529639107): No credentials cache found"
- )
+ version = tasks.get_healthcheck_version(self.master)
+ if parse_version(version) >= parse_version("0.15"):
+ msg = (
+ "Service {service} keytab {path} does not exist."
+ )
+ else:
+ msg = (
+ "Minor (2529639107): No credentials cache found"
+ )
with tasks.FileBackup(self.master, paths.KRB5_KEYTAB):
self.master.run_command(["rm", "-f", paths.KRB5_KEYTAB])

16
ipa.spec
View File

@ -189,7 +189,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 3%{?rc_version:.%rc_version}%{?dist}
Release: 4%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -212,6 +212,10 @@ Patch0001: 0001-Handle-samba-exception-type-change_rhel#17623.patch
Patch0002: 0002-Check-the-HTTP-Referer-header-on-all-requests.patch
Patch0003: 0003-Integration-tests-for-verifying-Referer-header-in-th.patch
Patch0004: 0004-ipa-kdb-Detect-and-block-Bronze-Bit-attacks.patch
Patch0005: 0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch
Patch0006: 0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch
Patch0007: 0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch
Patch0008: 0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch
%if 0%{?rhel} >= 8
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@ -1727,6 +1731,16 @@ fi
%endif
%changelog
* Tue Jan 23 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-4
- Improve server affinity for CA-less deployments
Resolves: RHEL-22283
- host: update system: Manage Host Keytab permission
Resolves: RHEL-22286
- adtrustinstance: make sure NetBIOS name defaults are set properly
Resolves: RHEL-21938
- ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off
Resolves: RHEL-19672
* Wed Jan 10 2024 Julien Rische <jrische@redhat.com> - 4.9.13-3
- ipa-kdb: Detect and block Bronze-Bit attacks
Resolves: RHEL-9984