diff --git a/0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch b/0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch
new file mode 100644
index 0000000..000591c
--- /dev/null
+++ b/0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch
@@ -0,0 +1,212 @@ +From 3add9ba03a0af913d03b1f5ecaa8e48e46a93f91 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Jan 15 2024 13:42:08 +0000 +Subject: Server affinity: Retain user-requested remote server + + +We want to avoid splitting a replica server installation between +two hosts where possible so if a CA or KRA is requested then +we only try to install against a remote server that also provides +those capabilities. This avoids race conditions. + +If a CA or KRA is not requested and the user has provided a +server to install against then use that instead of overriding it. + +Extend the logic of picking the remote Custodia mode +(KRA, CA, *MASTER*) to include considering whether the +CA and KRA services are requested. If the service(s) are +not requested the the associated hostname may not be +reliable. + +Fixes: https://pagure.io/freeipa/issue/9491 +Related: https://pagure.io/freeipa/issue/9289 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 27fbdef..8096b6a 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -782,6 +782,7 @@ def promotion_check_host_principal_auth_ind(conn, hostdn): + + + def remote_connection(config): ++ logger.debug("Creating LDAP connection to %s", config.master_host_name) + ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name) + xmlrpc_uri = 'https://{}/ipa/xml'.format( + ipautil.format_netloc(config.master_host_name)) +@@ -1087,7 +1088,7 @@ def promote_check(installer): + 'CA', conn, preferred_cas + ) + if ca_host is not None: +- if config.master_host_name != ca_host: ++ if options.setup_ca and config.master_host_name != ca_host: + conn.disconnect() + del remote_api + config.master_host_name = ca_host +@@ -1096,8 +1097,7 @@ def promote_check(installer): + conn = remote_api.Backend.ldap2 + 
conn.connect(ccache=installer._ccache) + config.ca_host_name = ca_host +- config.master_host_name = ca_host +- ca_enabled = True ++ ca_enabled = True # There is a CA somewhere in the topology + if options.dirsrv_cert_files: + logger.error("Certificates could not be provided when " + "CA is present on some master.") +@@ -1135,7 +1135,7 @@ def promote_check(installer): + 'KRA', conn, preferred_kras + ) + if kra_host is not None: +- if config.master_host_name != kra_host: ++ if options.setup_kra and config.master_host_name != kra_host: + conn.disconnect() + del remote_api + config.master_host_name = kra_host +@@ -1143,10 +1143,9 @@ def promote_check(installer): + installer._remote_api = remote_api + conn = remote_api.Backend.ldap2 + conn.connect(ccache=installer._ccache) +- config.kra_host_name = kra_host +- config.ca_host_name = kra_host +- config.master_host_name = kra_host +- kra_enabled = True ++ config.kra_host_name = kra_host ++ config.ca_host_name = kra_host ++ kra_enabled = True # There is a KRA somewhere in the topology + if options.setup_kra and options.server and \ + kra_host != options.server: + # Installer was provided with a specific master +@@ -1372,10 +1371,10 @@ def install(installer): + otpd.create_instance('OTPD', config.host_name, + ipautil.realm_to_suffix(config.realm_name)) + +- if kra_enabled: ++ if options.setup_kra and kra_enabled: + # A KRA peer always provides a CA, too. + mode = custodiainstance.CustodiaModes.KRA_PEER +- elif ca_enabled: ++ elif options.setup_ca and ca_enabled: + mode = custodiainstance.CustodiaModes.CA_PEER + else: + mode = custodiainstance.CustodiaModes.MASTER_PEER + +From 701339d4fed539713eb1a13495992879f56a6daa Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Jan 18 2024 14:53:28 +0000 +Subject: Server affinity: Don't rely just on [ca|kra]_enabled for installs + + +ca_enable and kra_enabled are intended to be used to identify that +a CA or KRA is available in the topology. 
It was also being used +to determine whether a CA or KRA service is desired on a replica +install, rather than options.setup_[ca|kra] + +Fixes: https://pagure.io/freeipa/issue/9510 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 8096b6a..191913d 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -1143,7 +1143,8 @@ def promote_check(installer): + installer._remote_api = remote_api + conn = remote_api.Backend.ldap2 + conn.connect(ccache=installer._ccache) +- config.kra_host_name = kra_host ++ config.kra_host_name = kra_host ++ if options.setup_kra: # only reset ca_host if KRA is requested + config.ca_host_name = kra_host + kra_enabled = True # There is a KRA somewhere in the topology + if options.setup_kra and options.server and \ +@@ -1381,7 +1382,7 @@ def install(installer): + custodia = custodiainstance.get_custodia_instance(config, mode) + custodia.create_instance() + +- if ca_enabled: ++ if options.setup_ca and ca_enabled: + options.realm_name = config.realm_name + options.domain_name = config.domain_name + options.host_name = config.host_name +@@ -1397,7 +1398,7 @@ def install(installer): + service.print_msg("Finalize replication settings") + ds.finalize_replica_config() + +- if kra_enabled: ++ if options.setup_kra and kra_enabled: + kra.install(api, config, options, custodia=custodia) + + service.print_msg("Restarting the KDC") + +From e6014a5c1996528b255480b67fe2937203bff81b Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Jan 23 2024 15:32:58 +0000 +Subject: Server affinity: call ca.install() if there is a CA in the topology + + +This should not have been gated on options.setup_ca because we need +the RA agent on all servers if there is a CA in the topology otherwise +the non-CA servers won't be able to communicate with the CA. 
+ +Fixes: https://pagure.io/freeipa/issue/9510 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py +index c93ae1f..187f803 100644 +--- a/ipaserver/install/ca.py ++++ b/ipaserver/install/ca.py +@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia): + promote = False + else: + cafile = os.path.join(replica_config.dir, 'cacert.p12') +- custodia.get_ca_keys( +- cafile, +- replica_config.dirman_password) ++ if replica_config.setup_ca: ++ custodia.get_ca_keys( ++ cafile, ++ replica_config.dirman_password) + + ca_signing_algorithm = None + ca_type = None +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index f8d4733..4c1c07c 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -1359,11 +1359,13 @@ def install(installer): + custodia = custodiainstance.get_custodia_instance(config, mode) + custodia.create_instance() + +- if options.setup_ca and ca_enabled: ++ if ca_enabled: + options.realm_name = config.realm_name + options.domain_name = config.domain_name + options.host_name = config.host_name + options.dm_password = config.dirman_password ++ # Always call ca.install() if there is a CA in the topology ++ # to ensure the RA agent is present. + ca.install(False, config, options, custodia=custodia) + + # configure PKINIT now that all required services are in place +@@ -1375,7 +1377,8 @@ def install(installer): + service.print_msg("Finalize replication settings") + ds.finalize_replica_config() + +- if options.setup_kra and kra_enabled: ++ if kra_enabled: ++ # The KRA installer checks for itself the status of setup_kra + kra.install(api, config, options, custodia=custodia) + + service.print_msg("Restarting the KDC") + 
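Review bot: The third commit makes `ca.install(False, config, options, custodia=custodia)` run whenever a CA exists in the topology, while the Custodia `mode` selected just above it is `MASTER_PEER` for a replica installed without `--setup-ca`; the only guard added for that case is around `custodia.get_ca_keys`, and whether the rest of `install_step_0` (it continues past the hunk) and the RA-agent retrieval succeed against a non-CA master in MASTER_PEER mode is not visible here and deserves an explicit CA-less-replica-against-non-CA-server test. The new comment says why `ca.install()` always runs but not what it must not do for that case; I would extend it to `# setup_ca False: only the RA agent is configured; CA key material is never fetched from Custodia`. In the first commit, `config.ca_host_name = ca_host` is still assigned even when `options.setup_ca` is false and the admin pinned `--server`, so RA-agent traffic may later go to a host other than the one the admin chose; a debug line like the one added to `remote_connection` (`logger.debug("Using %s as CA host", ca_host)`) would make that visible in the install log. Both `promote_check` and `install` start and end outside these hunks.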
diff --git a/0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch b/0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch
new file mode 100644
index 0000000..05b6a46
--- /dev/null
+++ b/0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch
@@ -0,0 +1,97 @@ +From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Jan 15 2024 13:50:10 +0000 +Subject: host: update System: Manage Host Keytab permission + + +Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended +operation to get a keytab is supposed to be used. This keytab +setting/retrieval extended operation checks access rights of the bound +DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'. + +If the write isn't allowed, the operation is rejected and ipa-getkeytab +tool falls back to an older code that generates the keytab on the client +and forcibly sets to the LDAP entry. For the latter, a check is done to +make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute. + +This fallback should never happen for newer deployments. When enrollemnt +operation is delegated to non-administrative user with the help of 'Host +Enrollment' role, a host can be pre-created or created at enrollment +time, if this non-administrative user has 'Host Administrators' role. In +the latter case a system permission 'System: Manage Host Keytab' grants +write access to 'krbPrincipalKey' attribute but lacks any access to the +virtual attributes expected by the new extended operation. + +There is a second virtual attribute, 'ipaProtectedOperation;read_keys', +that allows to retrieve existing keys for a host. However, during +initial enrollment we do not allow to retrieve and reuse existing +Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve +the existing key, 'ipa-join' has no way to trigger that operation. +Hence, permission 'System: Manage Host Keytab' will not grant the right +to read the Kerberos key via extended operation used by 'ipa-getkeytab +-r'. Such operation can be done later by utilizing 'ipa +service/host-allow-retrieve-keytab' commands. 
+ +Fix 'System: Manage Host Keytab' permission and extend a permission test +to see that we do not fallback to the old extended operation. + +Fixes: https://pagure.io/freeipa/issue/9496 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Rob Crittenden + +--- + +diff --git a/ACI.txt b/ACI.txt +index e6d6e3d..236bb43 100644 +--- a/ACI.txt ++++ b/ACI.txt +@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve + dn: cn=computers,cn=accounts,dc=ipa,dc=example + aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";) + dn: cn=computers,cn=accounts,dc=ipa,dc=example +-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";) ++aci: (targetattr = "ipaprotectedoperation;write_keys || krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";) + dn: cn=computers,cn=accounts,dc=ipa,dc=example + aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";) + dn: 
cn=computers,cn=accounts,dc=ipa,dc=example +diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py +index 3ef510e..b02c8b5 100644 +--- a/ipaserver/plugins/host.py ++++ b/ipaserver/plugins/host.py +@@ -409,7 +409,8 @@ class host(LDAPObject): + api.env.container_hostgroup, + api.env.basedn), + ], +- 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'}, ++ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey', ++ 'ipaprotectedoperation;write_keys'}, + 'replaces': [ + '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)', + ], +diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py +index 3333a4f..cd1096f 100644 +--- a/ipatests/test_integration/test_user_permissions.py ++++ b/ipatests/test_integration/test_user_permissions.py +@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest): + self.master.run_command(['ipa', 'privilege-add-permission', + '--permissions', 'System: Add Hosts', + 'Add Hosts']) ++ self.master.run_command(['ipa', 'privilege-add-permission', ++ '--permissions', 'System: Manage Host Keytab', ++ 'Add Hosts']) + + self.master.run_command(['ipa', 'role-add-privilege', 'useradmin', + '--privileges', 'Host Enrollment']) +@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest): + encoding='utf-8') + assert msg in install_log + ++ # Make sure we do not fallback to an old keytab retrieval method anymore ++ msg = "Retrying with pre-4.0 keytab retrieval method..." ++ assert msg not in install_log ++ + # check that user is able to request a host cert, too + result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR) + assert 'Local IPA host' in result.stdout_text + 
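Review bot: The ACI now grants `ipaprotectedoperation;write_keys` to every holder of System: Manage Host Keytab on any ipahost outside `cn=ipaservers`, so a Host Administrators member can re-key an already-enrolled host through the extended operation; that is the same power the existing `krbprincipalkey` write already carried through the fallback path, so the effective privilege is unchanged, but nothing in host.py records that reasoning or that `read_keys` is deliberately withheld. I would add above `'ipapermdefaultattr'`: `# write_keys is required by the keytab-set extended op used by ipa-getkeytab; read_keys is intentionally not granted (see host-allow-retrieve-keytab)`. The test's negative assertion on `"Retrying with pre-4.0 keytab retrieval method..."` is tied to that exact client log wording; a positive assertion that the new extended operation set the key would be more robust, though the install log format is not visible here to propose one. The enclosing `host` class and the test method both extend outside the hunks.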
diff --git a/0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch b/0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch new file mode 100644 index 0000000..09b62e0 --- /dev/null +++ b/0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch @@ -0,0 +1,32 @@ +From 2f17319df6147832dceff7c06154363f8d58b194 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Jan 18 2024 09:07:31 +0000 +Subject: adtrustinstance: make sure NetBIOS name defaults are set properly + + +Some tools may pass None as NetBIOS name if not put explicitly by a +user. This meant to use default NetBIOS name generator based on the +domain (realm) name. However, this wasn't done properly, so None is +passed later to python-ldap and it rejects such LDAP entry. + +Fixes: https://pagure.io/freeipa/issue/9514 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py +index bf0cc3b..bb5b61a 100644 +--- a/ipaserver/install/adtrustinstance.py ++++ b/ipaserver/install/adtrustinstance.py +@@ -189,6 +189,8 @@ class ADTRUSTInstance(service.Service): + self.fqdn = self.fqdn or api.env.host + self.host_netbios_name = make_netbios_name(self.fqdn) + self.realm = self.realm or api.env.realm ++ if not self.netbios_name: ++ self.netbios_name = make_netbios_name(self.realm) + + self.suffix = ipautil.realm_to_suffix(self.realm) + self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \ + diff --git a/0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch b/0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch new file mode 100644 index 0000000..f47a11f --- /dev/null +++ b/0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch 
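Review bot: The new default silently replaces a `None` or empty `netbios_name` with a value derived from the realm, but the hunk does not validate the result (NetBIOS length and character limits) and `make_netbios_name` is defined outside the hunk, so presumably it applies those rules — confirm, and record it: `# Derive the domain NetBIOS name from the realm when callers pass None/''; make_netbios_name is expected to enforce the length/charset limits`. Note that `host_netbios_name` two lines up is still derived from `self.fqdn` unconditionally; if callers can supply an explicit host NetBIOS name the same fallback pattern belongs there, otherwise the asymmetry deserves a comment. The enclosing method starts and ends outside the hunk.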
@@ -0,0 +1,175 @@ +From 5afda72afc6fd626359411b55f092989fdd7d82d Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Jan 15 2024 13:39:21 +0000 +Subject: ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck + + +Log buffering is disabled in the integration tests so we can have all +the logs at the end. This is causing a warning to show in the 389-ds +checks and causing tests to fail that expect all SUCCESS. + +Add an exclude for this specific key so tests will pass again. + +We may eventually want a more sophisiticated mechanism to handle +excludes, or updating the config in general, but this is fine for now. + +Fixes: https://pagure.io/freeipa/issue/9400 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Michal Polovka +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Michal Polovka + +--- + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 7fb8e40..14fba26 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -9,6 +9,7 @@ from __future__ import absolute_import + + from configparser import RawConfigParser, NoOptionError + from datetime import datetime, timedelta ++import io + import json + import os + import re +@@ -208,6 +209,28 @@ def run_healthcheck(host, source=None, check=None, output_type="json", + return result.returncode, data + + ++def set_excludes(host, option, value, ++ config_file='/etc/ipahealthcheck/ipahealthcheck.conf'): ++ """Mark checks that should be excluded from the results ++ ++ This will set in the [excludes] section on host: ++ option=value ++ """ ++ EXCLUDES = "excludes" ++ ++ conf = host.get_file_contents(config_file, encoding='utf-8') ++ cfg = RawConfigParser() ++ cfg.read_string(conf) ++ if not cfg.has_section(EXCLUDES): ++ cfg.add_section(EXCLUDES) ++ if not cfg.has_option(EXCLUDES, option): ++ cfg.set(EXCLUDES, option, value) ++ out = io.StringIO() 
++ cfg.write(out) ++ out.seek(0) ++ host.put_file_contents(config_file, out.read()) ++ ++ + @pytest.fixture + def restart_service(): + """Shut down and restart a service as a fixture""" +@@ -265,6 +288,7 @@ class TestIpaHealthCheck(IntegrationTest): + setup_dns=True, + extra_args=['--no-dnssec-validation'] + ) ++ set_excludes(cls.master, "key", "DSCLE0004") + + def test_ipa_healthcheck_install_on_master(self): + """ +@@ -552,6 +576,7 @@ class TestIpaHealthCheck(IntegrationTest): + setup_dns=True, + extra_args=['--no-dnssec-validation'] + ) ++ set_excludes(self.replicas[0], "key", "DSCLE0004") + + # Init a user on replica to assign a DNA range + tasks.kinit_admin(self.replicas[0]) +@@ -692,6 +717,7 @@ class TestIpaHealthCheck(IntegrationTest): + 'output_type=human' + ]) + ) ++ set_excludes(self.master, "key", "DSCLE0004", config_file) + returncode, output = run_healthcheck( + self.master, failures_only=True, config=config_file + ) +@@ -707,6 +733,7 @@ class TestIpaHealthCheck(IntegrationTest): + 'output_file=%s' % HC_LOG, + ]) + ) ++ set_excludes(self.master, "key", "DSCLE0004") + returncode, _unused = run_healthcheck( + self.master, config=config_file + ) +@@ -2396,6 +2423,7 @@ class TestIpaHealthCLI(IntegrationTest): + cls.master, setup_dns=True, extra_args=['--no-dnssec-validation'] + ) + tasks.install_packages(cls.master, HEALTHCHECK_PKG) ++ set_excludes(cls.master, "key", "DSCLE0004") + + def test_indent(self): + """ +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index d477c3a..b71f2d5 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -13,7 +13,7 @@ import pytest + + from ipatests.test_integration.base import IntegrationTest + from ipatests.test_integration.test_ipahealthcheck import ( +- run_healthcheck, HEALTHCHECK_PKG ++ run_healthcheck, set_excludes, HEALTHCHECK_PKG + ) + from 
ipatests.pytest_ipa.integration import tasks + from ipatests.pytest_ipa.integration.tasks import ( +@@ -983,6 +983,9 @@ class TestHiddenReplicaPromotion(IntegrationTest): + # manually install KRA to verify that hidden state is synced + tasks.install_kra(cls.replicas[0]) + ++ set_excludes(cls.master, "key", "DSCLE0004") ++ set_excludes(cls.replicas[0], "key", "DSCLE0004") ++ + def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()): + domain = DNSName(self.master.domain.name).make_absolute() + rset = [ + +From f1cfe7d9ff2489dbb6cad70999b0e1bd433c0537 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Jan 15 2024 13:39:21 +0000 +Subject: ipatests: fix expected output for ipahealthcheck.ipa.host + + +ipa-healthcheck commit e69589d5 changed the output when a service +keytab is missing to not report the GSSAPI error but to report +that the keytab doesn't exist at all. This distinguishes from real +Kerberos issues like kvno. + +Fixes: https://pagure.io/freeipa/issue/9482 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Michal Polovka +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Michal Polovka + +--- + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 14fba26..8aae9fa 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -629,9 +629,15 @@ class TestIpaHealthCheck(IntegrationTest): + ipahealthcheck.ipa.host when GSSAPI credentials cannot be obtained + from host's keytab. + """ +- msg = ( +- "Minor (2529639107): No credentials cache found" +- ) ++ version = tasks.get_healthcheck_version(self.master) ++ if parse_version(version) >= parse_version("0.15"): ++ msg = ( ++ "Service {service} keytab {path} does not exist." 
++ ) ++ else: ++ msg = ( ++ "Minor (2529639107): No credentials cache found" ++ ) + + with tasks.FileBackup(self.master, paths.KRB5_KEYTAB): + self.master.run_command(["rm", "-f", paths.KRB5_KEYTAB]) + diff --git a/ipa.spec b/ipa.spec index d7fdc93..c148dca 100644 --- a/ipa.spec +++ b/ipa.spec @@ -189,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 3%{?rc_version:.%rc_version}%{?dist} +Release: 4%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -212,6 +212,10 @@ Patch0001: 0001-Handle-samba-exception-type-change_rhel#17623.patch Patch0002: 0002-Check-the-HTTP-Referer-header-on-all-requests.patch Patch0003: 0003-Integration-tests-for-verifying-Referer-header-in-th.patch Patch0004: 0004-ipa-kdb-Detect-and-block-Bronze-Bit-attacks.patch +Patch0005: 0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch +Patch0006: 0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch +Patch0007: 0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch +Patch0008: 0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch %if 0%{?rhel} >= 8 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -1727,6 +1731,16 @@ fi %endif %changelog +* Tue Jan 23 2024 Rafael Jeffman - 4.9.13-4 +- Improve server affinity for CA-less deployments + Resolves: RHEL-22283 +- host: update system: Manage Host Keytab permission + Resolves: RHEL-22286 +- adtrustinstance: make sure NetBIOS name defaults are set properly + Resolves: RHEL-21938 +- ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off + Resolves: RHEL-19672 + * Wed Jan 10 2024 Julien Rische - 4.9.13-3 - ipa-kdb: Detect and block Bronze-Bit attacks Resolves: RHEL-9984
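Review bot: In the `@@ -707` hunk, `set_excludes(self.master, "key", "DSCLE0004")` writes the exclude to the default `/etc/ipahealthcheck/ipahealthcheck.conf`, while the immediately following `run_healthcheck(self.master, config=config_file)` runs against a custom config; unless ipa-healthcheck also reads the default file when `--config` is given, that exclude has no effect on this run, and the preceding `@@ -692` hunk, which passes `config_file` explicitly, looks like the intended form: `set_excludes(self.master, "key", "DSCLE0004", config_file)`. Separately, `set_excludes` skips the write when the option already exists, so a later call with a different value is a silent no-op, and `RawConfigParser()` is strict by default and raises `DuplicateOptionError` when the target file already contains several `key=` lines in `[excludes]`; a short caveat in its docstring covering both cases would help the next test author. The test methods touched by these hunks start and end outside them.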