From 3e7d13e409bf7c8e4b2defbef2f23acfcdceddcd Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Sat, 28 Jan 2023 19:54:12 +0000 Subject: [PATCH] import ipa-4.9.11-3.module+el8.8.0+17609+6cfecbae --- .gitignore | 2 +- .ipa.metadata | 2 +- ...d-Fix-build-on-older-versions-of-gcc.patch | 33 -- ...-from-a-specified-group_rhbz#2056009.patch | 41 +++ ...x-the-confusing-summary_rhbz#2022028.patch | 131 ------- ...-grace-when-the-password_rhbz#782917.patch | 56 --- ...d-integration-tests-for-external-IdP.patch | 346 ------------------ ...w-empty-pagination-size_rhbz#2094672.patch | 67 ---- ...Allow-grace-login-limit_rhbz#2109243.patch | 56 --- ...n-progress-is-a-boolean_rhbz#2117303.patch | 35 -- ...-not-prevent-LDAP-binds_rhbz#2109236.patch | 125 ------- ...cy-on-group-pw-policies_rhbz#2115475.patch | 230 ------------ ...arrow-notation-due-to-uglify-js-lim.patch} | 0 ...er-Fix-use-of-nameservers-with-ports.patch | 114 ++++++ SOURCES/freeipa-4.9.10.tar.gz.asc | 16 - SOURCES/freeipa-4.9.11.tar.gz.asc | 16 + SPECS/ipa.spec | 74 +++- 17 files changed, 231 insertions(+), 1113 deletions(-) delete mode 100644 SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch create mode 100644 SOURCES/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch delete mode 100644 SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch delete mode 100644 SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch delete mode 100644 SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch delete mode 100644 SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch delete mode 100644 SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch delete mode 100644 SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch delete mode 100644 SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch delete mode 100644 SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch rename SOURCES/{0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch => 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch} (100%) create mode 100644 SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch delete mode 100644 SOURCES/freeipa-4.9.10.tar.gz.asc create mode 100644 SOURCES/freeipa-4.9.11.tar.gz.asc diff --git a/.gitignore b/.gitignore index 3912c13..a08d1d6 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/freeipa-4.9.10.tar.gz +SOURCES/freeipa-4.9.11.tar.gz diff --git a/.ipa.metadata b/.ipa.metadata index 81f398b..f1dac03 100644 --- a/.ipa.metadata +++ b/.ipa.metadata @@ -1 +1 @@ -8f2b6a7f52348421fa7c67048dd5ae454f2642fb SOURCES/freeipa-4.9.10.tar.gz +4ef188d43f5f2a09e214dd2bae68595a5977bb61 SOURCES/freeipa-4.9.11.tar.gz diff --git a/SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch b/SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch deleted file mode 100644 index 4852df8..0000000 --- a/SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch +++ /dev/null @@ -1,33 +0,0 @@ -From ff54fe2fdfbab11e08a138cdfd0da900ee865e3d Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Fri, 17 Jun 2022 11:22:32 -0300 -Subject: [PATCH] ipa-otpd: Fix build on older versions of gcc. - -Older versions of gcc do not support unnamed parameters. - -This patch fixes the build on older gcc by applying the same idiom for -unsued parameters as used by other functions in the same module. - -Signed-off-by: Rafael Guterres Jeffman ---- - daemons/ipa-otpd/oauth2.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c -index df1ffd50d..11d5c135f 100644 ---- a/daemons/ipa-otpd/oauth2.c -+++ b/daemons/ipa-otpd/oauth2.c -@@ -319,8 +319,9 @@ static int check_access_token_reply(struct child_ctx *child_ctx, - return ret; - } - --static void oauth2_on_child_readable(verto_ctx *, verto_ev *ev) -+static void oauth2_on_child_readable(verto_ctx *vctx, verto_ev *ev) - { -+ (void)vctx; /* Unused */ - static char buf[10240]; - ssize_t io = 0; - struct child_ctx *child_ctx = NULL; --- -2.36.1 - diff --git a/SOURCES/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch b/SOURCES/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch new file mode 100644 index 0000000..ecbb24f --- /dev/null +++ b/SOURCES/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch @@ -0,0 +1,41 @@ +From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Dec 02 2022 12:21:22 +0000 +Subject: updates: fix memberManager ACI to allow managers from a specified group + + +The original implementation of the member manager added support for both +user and group managers but left out upgrade scenario. This means when +upgrading existing installation a manager whose rights defined by the +group membership would not be able to add group members until the ACI is +fixed. + +Remove old ACI and add a full one during upgrade step. + +Fixes: https://pagure.io/freeipa/issue/9286 +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update +index a168bb9..4a7ba13 100644 +--- a/install/updates/20-aci.update ++++ b/install/updates/20-aci.update +@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can + + # Allow member managers to modify members of user groups + dn: cn=groups,cn=accounts,$SUFFIX +-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";) ++remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";) ++add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) + + # Allow member managers to modify members of host groups + dn: cn=hostgroups,cn=accounts,$SUFFIX +-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";) ++remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";) ++add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";) + + # Hosts can add and delete their own services + dn: cn=services,cn=accounts,$SUFFIX + diff --git a/SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch b/SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch deleted file mode 100644 index a7b9808..0000000 --- a/SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch +++ /dev/null @@ -1,131 +0,0 @@ -From ff4152539b96d309dcceaf854a3e0a49f435acff Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 20 Jun 2022 09:09:11 +0200 -Subject: [PATCH] Preserve user: fix the confusing summary - -When ipa user-del --preserve is called, the command output -prints a summary with: - Deleted user: user1 -although the user was preserved. -Replace the summary with - Preserved user: user1 -to reflect what was actually done. - -Fixes: https://pagure.io/freeipa/issue/9187 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Michal Polovka -Reviewed-By: Rob Crittenden ---- - ipaserver/plugins/user.py | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py -index 25d2bb6aa..fa8a67d3d 100644 ---- a/ipaserver/plugins/user.py -+++ b/ipaserver/plugins/user.py -@@ -56,6 +56,7 @@ from .idviews import remove_ipaobject_overrides - from ipalib.plugable import Registry - from .baseldap import ( - LDAPObject, -+ pkey_to_unicode, - pkey_to_value, - LDAPCreate, - LDAPSearch, -@@ -701,6 +702,7 @@ class user_del(baseuser_del): - __doc__ = _('Delete a user.') - - msg_summary = _('Deleted user "%(value)s"') -+ msg_summary_preserved = _('Preserved user "%(value)s"') - - takes_options = baseuser_del.takes_options + ( - Bool('preserve?', -@@ -831,6 +833,8 @@ class user_del(baseuser_del): - failed.append(pkey_to_value(pkey, options)) - - val = dict(result=dict(failed=failed), value=preserved) -+ val['summary'] = self.msg_summary_preserved % dict( -+ value=pkey_to_unicode(preserved)) - return val - else: - return super(user_del, self).execute(*keys, **options) --- -2.36.1 - -From 4984ff210a169129e4e56b10e54e9c795520855c Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 20 Jun 2022 09:12:14 +0200 -Subject: [PATCH] xmlrpc tests: updated expected output for preserved user - -Update the expected summary for the command -ipa user-del --preserve - -The command now displays: Preserved user: user1 -instead of Deleted user: user1 - -Related: https://pagure.io/freeipa/issue/9187 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Michal Polovka -Reviewed-By: Rob Crittenden ---- - ipatests/test_xmlrpc/test_stageuser_plugin.py | 5 ++++- - ipatests/test_xmlrpc/tracker/user_plugin.py | 7 ++++++- - 2 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py -index bc606b093..fd146876c 100644 ---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py -+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py -@@ -479,11 +479,12 @@ class TestActive(XMLRPC_test): - - def test_delete_preserve(self, user): - user.ensure_exists() -- user.track_delete() -+ user.track_delete(preserve=True) - command = user.make_delete_command(no_preserve=False, preserve=True) - result = command() - user.check_delete(result) - -+ user.track_delete(preserve=False) - command = user.make_delete_command() - result = command() - user.check_delete(result) -@@ -622,6 +623,7 @@ class TestCustomAttr(XMLRPC_test): - assert 'BusinessCat' in result['result'][u'businesscategory'] - - # delete the user with --preserve -+ user_customattr.track_delete(preserve=True) - command = user_customattr.make_delete_command(no_preserve=False, - preserve=True) - result = command() -@@ -763,6 +765,7 @@ class TestGroups(XMLRPC_test): - result = command() - group.check_retrieve(result) - -+ user.track_delete(preserve=True) - command = user.make_delete_command(no_preserve=False, preserve=True) - result = command() - user.check_delete(result) -diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py -index 03c106250..b04be4c19 100644 ---- a/ipatests/test_xmlrpc/tracker/user_plugin.py -+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py -@@ -273,9 +273,14 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker): - - def check_delete(self, result): - """ Check 'user-del' command result """ -+ if u'preserved' in self.attrs and self.attrs[u'preserved']: -+ summary = u'Preserved user "%s"' % self.uid -+ else: -+ summary = u'Deleted user "%s"' % self.uid -+ - assert_deepequal(dict( - value=[self.uid], -- summary=u'Deleted user "%s"' % self.uid, -+ summary=summary, - result=dict(failed=[]), - ), result) - --- -2.36.1 - diff --git a/SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch b/SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch deleted file mode 100644 index 54da08a..0000000 --- a/SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch +++ /dev/null @@ -1,56 +0,0 @@ -From 3675bd1d7aca443832bb9bb2f521cc4d3a088aec Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 29 Jun 2022 13:25:55 +0000 -Subject: [PATCH] Only calculate LDAP password grace when the password is - expired - -The user's pwd expiration was retrieved but inadvertently was never -compared to current time. So any LDAP bind, including from the -IPA API, counted against the grace period. There is no need to go -through the graceperiod code for non-expired passwords. - -https://pagure.io/freeipa/issue/1539 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - .../ipa-graceperiod/ipa_graceperiod.c | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -index 0860b5c20..a3f57cb4b 100644 ---- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) - Slapi_ValueSet *values = NULL; - long grace_limit = 0; - int grace_user_time; -- char *pwd_expiration = NULL; -+ char *tmpstr = NULL; -+ time_t pwd_expiration; - int pwresponse_requested = 0; - Slapi_PBlock *pbtm = NULL; - Slapi_Mods *smods = NULL; -@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) - } - slapi_value_free(&objectclass); - -- pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); -- if (pwd_expiration == NULL) { -+ tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration"); -+ if (tmpstr == NULL) { - /* No expiration means nothing to do */ - LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn); - goto done; - } -+ pwd_expiration = ipapwd_gentime_to_time_t(tmpstr); -+ if (pwd_expiration > time(NULL)) { -+ /* Not expired, nothing to see here */ -+ goto done; -+ } - - ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry, - &values, &actual_type_name, --- -2.36.1 - diff --git a/SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch b/SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch deleted file mode 100644 index 700df13..0000000 --- a/SOURCES/0005-Add-end-to-end-integration-tests-for-external-IdP.patch +++ /dev/null @@ -1,346 +0,0 @@ -From 857713c5a9c8e0b62c06dd92e69c09eeb34b2e99 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Mon, 23 May 2022 12:26:34 +0530 -Subject: [PATCH] Add end to end integration tests for external IdP - -Added tests for HBAC and SUDO rule and other -test scenarios. - -Related : https://pagure.io/freeipa/issue/8805 -Related: https://pagure.io/freeipa/issue/8803 -Related: https://pagure.io/freeipa/issue/8804 - -Signed-off-by: Anuja More -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_idp.py | 260 ++++++++++++++++++++++---- - 1 file changed, 226 insertions(+), 34 deletions(-) - -diff --git a/ipatests/test_integration/test_idp.py b/ipatests/test_integration/test_idp.py -index 8f9e92e6a..2ffe6a208 100644 ---- a/ipatests/test_integration/test_idp.py -+++ b/ipatests/test_integration/test_idp.py -@@ -1,6 +1,8 @@ - from __future__ import absolute_import - - import time -+import pytest -+import re - - import textwrap - from ipaplatform.paths import paths -@@ -22,12 +24,12 @@ driver.get(verification_uri) - try: - element = WebDriverWait(driver, 90).until( - EC.presence_of_element_located((By.ID, "username"))) -- driver.find_element_by_id("username").send_keys("testuser1") -- driver.find_element_by_id("password").send_keys("{passwd}") -- driver.find_element_by_id("kc-login").click() -+ driver.find_element(By.ID, "username").send_keys("testuser1") -+ driver.find_element(By.ID, "password").send_keys("{passwd}") -+ driver.find_element(By.ID, "kc-login").click() - element = WebDriverWait(driver, 90).until( - EC.presence_of_element_located((By.ID, "kc-login"))) -- driver.find_element_by_id("kc-login").click() -+ driver.find_element(By.ID, "kc-login").click() - assert "Device Login Successful" in driver.page_source - finally: - now = datetime.now().strftime("%M-%S") -@@ -39,18 +41,12 @@ finally: - def add_user_code(host, verification_uri): - contents = user_code_script.format(uri=verification_uri, - passwd=host.config.admin_password) -- host.put_file_contents("/tmp/add_user_code.py", contents) -- tasks.run_repeatedly( -- host, ['python3', '/tmp/add_user_code.py']) -- -- --def get_verification_uri(host, since, keycloak_server_name): -- command = textwrap.dedent(""" -- journalctl -u ipa-otpd\\* --since="%s" | grep "user_code:" | awk '{ print substr($7,2,9) }'""" % since) # noqa: E501 -- user_code = host.run_command(command).stdout_text.rstrip("\r\n") -- uri = ("https://{0}:8443/auth/realms/master/device?user_code={1}".format( -- keycloak_server_name, user_code)) -- return uri -+ try: -+ host.put_file_contents("/tmp/add_user_code.py", contents) -+ tasks.run_repeatedly( -+ host, ['python3', '/tmp/add_user_code.py']) -+ finally: -+ host.run_command(["rm", "-f", "/tmp/add_user_code.py"]) - - - def kinit_idp(host, user, keycloak_server): -@@ -58,11 +54,14 @@ def kinit_idp(host, user, keycloak_server): - tasks.kdestroy_all(host) - # create armor for FAST - host.run_command(["kinit", "-n", "-c", ARMOR]) -- since = time.strftime('%Y-%m-%d %H:%M:%S') - cmd = ["kinit", "-T", ARMOR, user] -+ - with host.spawn_expect(cmd, default_timeout=100) as e: -- e.expect('Authenticate at .+: ') -- uri = get_verification_uri(host, since, keycloak_server.hostname) -+ e.expect('Authenticate at (.+) and press ENTER.:') -+ prompt = e.get_last_output() -+ uri = re.search(r'Authenticate at (.*?) and press ENTER.:', prompt -+ ).group(1) -+ time.sleep(15) - if uri: - add_user_code(keycloak_server, uri) - e.sendline('\n') -@@ -74,21 +73,27 @@ def kinit_idp(host, user, keycloak_server): - - class TestIDPKeycloak(IntegrationTest): - -- num_replicas = 1 -+ num_replicas = 2 - topology = 'line' - - @classmethod - def install(cls, mh): -- tasks.install_master(cls.master, setup_dns=True) -- tasks.install_client(cls.master, cls.replicas[0]) -- content = cls.master.get_file_contents(paths.IPA_DEFAULT_CONF, -- encoding='utf-8') -- new_content = content + "\noidc_child_debug_level = 10" -- cls.master.put_file_contents(paths.IPA_DEFAULT_CONF, new_content) -+ cls.client = cls.replicas[0] -+ cls.replica = cls.replicas[1] -+ tasks.install_master(cls.master) -+ tasks.install_client(cls.master, cls.replicas[0], -+ extra_args=["--mkhomedir"]) -+ tasks.install_replica(cls.master, cls.replicas[1]) -+ for host in [cls.master, cls.replicas[0], cls.replicas[1]]: -+ content = host.get_file_contents(paths.IPA_DEFAULT_CONF, -+ encoding='utf-8') -+ new_content = content + "\noidc_child_debug_level = 10" -+ host.put_file_contents(paths.IPA_DEFAULT_CONF, new_content) - with tasks.remote_sssd_config(cls.master) as sssd_config: - sssd_config.edit_domain( - cls.master.domain, 'krb5_auth_timeout', 1100) - tasks.clear_sssd_cache(cls.master) -+ tasks.clear_sssd_cache(cls.replicas[0]) - tasks.kinit_admin(cls.master) - cls.master.run_command(["ipa", "config-mod", "--user-auth-type=idp", - "--user-auth-type=password"]) -@@ -97,20 +102,207 @@ class TestIDPKeycloak(IntegrationTest): - cls.replicas[0].run_command(xvfb) - - def test_auth_keycloak_idp(self): -- keycloak_srv = self.replicas[0] -- create_quarkus.setup_keycloakserver(keycloak_srv) -+ """ -+ Test case to check that OAuth 2.0 Device -+ Authorization Grant is working as -+ expected for user configured with external idp. -+ """ -+ create_quarkus.setup_keycloakserver(self.client) - time.sleep(60) -- create_quarkus.setup_keycloak_client(keycloak_srv) -+ create_quarkus.setup_keycloak_client(self.client) - tasks.kinit_admin(self.master) -- cmd = ["ipa", "idp-add", "keycloak", "--provider=keycloak", -+ cmd = ["ipa", "idp-add", "keycloakidp", "--provider=keycloak", - "--client-id=ipa_oidc_client", "--org=master", -- "--base-url={0}:8443/auth".format(keycloak_srv.hostname)] -+ "--base-url={0}:8443/auth".format(self.client.hostname)] - self.master.run_command(cmd, stdin_text="{0}\n{0}".format( -- keycloak_srv.config.admin_password)) -+ self.client.config.admin_password)) - tasks.user_add(self.master, 'keycloakuser', - extra_args=["--user-auth-type=idp", - "--idp-user-id=testuser1@ipa.test", -- "--idp=keycloak"] -+ "--idp=keycloakidp"] - ) -+ list_user = self.master.run_command( -+ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test"] -+ ) -+ assert "keycloakuser" in list_user.stdout_text -+ list_by_idp = self.master.run_command(["ipa", "user-find", -+ "--idp=keycloakidp"] -+ ) -+ assert "keycloakuser" in list_by_idp.stdout_text -+ list_by_user = self.master.run_command( -+ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test", "--all"] -+ ) -+ assert "keycloakidp" in list_by_user.stdout_text -+ tasks.clear_sssd_cache(self.master) -+ kinit_idp(self.master, 'keycloakuser', keycloak_server=self.client) -+ -+ @pytest.fixture -+ def hbac_setup_teardown(self): -+ # allow sshd only on given host -+ tasks.kinit_admin(self.master) -+ self.master.run_command(["ipa", "hbacrule-disable", "allow_all"]) -+ self.master.run_command(["ipa", "hbacrule-add", "rule1"]) -+ self.master.run_command(["ipa", "hbacrule-add-user", "rule1", -+ "--users=keycloakuser"] -+ ) -+ self.master.run_command(["ipa", "hbacrule-add-host", "rule1", -+ "--hosts", self.replica.hostname]) -+ self.master.run_command(["ipa", "hbacrule-add-service", "rule1", -+ "--hbacsvcs=sshd"] -+ ) -+ tasks.clear_sssd_cache(self.master) -+ tasks.clear_sssd_cache(self.replica) -+ yield -+ -+ # cleanup -+ tasks.kinit_admin(self.master) -+ self.master.run_command(["ipa", "hbacrule-enable", "allow_all"]) -+ self.master.run_command(["ipa", "hbacrule-del", "rule1"]) -+ -+ def test_auth_hbac(self, hbac_setup_teardown): -+ """ -+ Test case to check that hbacrule is working as -+ expected for user configured with external idp. -+ """ -+ kinit_idp(self.master, 'keycloakuser', keycloak_server=self.client) -+ ssh_cmd = "ssh -q -K -l keycloakuser {0} whoami" -+ valid_ssh = self.master.run_command( -+ ssh_cmd.format(self.replica.hostname)) -+ assert "keycloakuser" in valid_ssh.stdout_text -+ negative_ssh = self.master.run_command( -+ ssh_cmd.format(self.master.hostname), raiseonerr=False -+ ) -+ assert negative_ssh.returncode == 255 -+ -+ def test_auth_sudo_idp(self): -+ """ -+ Test case to check that sudorule is working as -+ expected for user configured with external idp. -+ """ -+ tasks.kdestroy_all(self.master) -+ tasks.kinit_admin(self.master) -+ # rule: keycloakuser are allowed to execute yum on -+ # the client machine as root. -+ cmdlist = [ -+ ["ipa", "sudocmd-add", "/usr/bin/yum"], -+ ["ipa", "sudorule-add", "sudorule"], -+ ['ipa', 'sudorule-add-user', '--users=keycloakuser', -+ 'sudorule'], -+ ['ipa', 'sudorule-add-host', '--hosts', -+ self.client.hostname, 'sudorule'], -+ ['ipa', 'sudorule-add-runasuser', -+ '--users=root', 'sudorule'], -+ ['ipa', 'sudorule-add-allow-command', -+ '--sudocmds=/usr/bin/yum', 'sudorule'], -+ ['ipa', 'sudorule-show', 'sudorule', '--all'], -+ ['ipa', 'sudorule-add-option', -+ 'sudorule', '--sudooption', "!authenticate"] -+ ] -+ for cmd in cmdlist: -+ self.master.run_command(cmd) -+ tasks.clear_sssd_cache(self.master) -+ tasks.clear_sssd_cache(self.client) -+ try: -+ cmd = 'sudo -ll -U keycloakuser' -+ test = self.client.run_command(cmd).stdout_text -+ assert "User keycloakuser may run the following commands" in test -+ assert "/usr/bin/yum" in test -+ kinit_idp(self.client, 'keycloakuser', self.client) -+ test_sudo = 'su -c "sudo yum list wget" keycloakuser' -+ self.client.run_command(test_sudo) -+ list_fail = self.master.run_command(cmd).stdout_text -+ assert "User keycloakuser is not allowed to run sudo" in list_fail -+ finally: -+ tasks.kinit_admin(self.master) -+ self.master.run_command(['ipa', 'sudorule-del', 'sudorule']) -+ self.master.run_command(["ipa", "sudocmd-del", "/usr/bin/yum"]) -+ -+ def test_auth_replica(self): -+ """ -+ Test case to check that OAuth 2.0 Device -+ Authorization is working as expected on replica. -+ """ -+ tasks.clear_sssd_cache(self.master) -+ tasks.clear_sssd_cache(self.replica) -+ tasks.kinit_admin(self.replica) -+ list_user = self.master.run_command( -+ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test"] -+ ) -+ assert "keycloakuser" in list_user.stdout_text -+ list_by_idp = self.replica.run_command(["ipa", "user-find", -+ "--idp=keycloakidp"] -+ ) -+ assert "keycloakuser" in list_by_idp.stdout_text -+ list_by_user = self.replica.run_command( -+ ["ipa", "user-find", "--idp-user-id=testuser1@ipa.test", "--all"] -+ ) -+ assert "keycloakidp" in list_by_user.stdout_text -+ kinit_idp(self.replica, 'keycloakuser', keycloak_server=self.client) -+ -+ def test_idp_with_services(self): -+ """ -+ Test case to check that services can be configured -+ auth indicator as idp. -+ """ - tasks.clear_sssd_cache(self.master) -- kinit_idp(self.master, 'keycloakuser', keycloak_srv) -+ tasks.kinit_admin(self.master) -+ domain = self.master.domain.name.upper() -+ services = [ -+ "DNS/{0}@{1}".format(self.master.hostname, domain), -+ "HTTP/{0}@{1}".format(self.client.hostname, domain), -+ "dogtag/{0}@{1}".format(self.master.hostname, domain), -+ "ipa-dnskeysyncd/{0}@{1}".format(self.master.hostname, domain) -+ ] -+ try: -+ for service in services: -+ test = self.master.run_command(["ipa", "service-mod", service, -+ "--auth-ind=idp"] -+ ) -+ assert "Authentication Indicators: idp" in test.stdout_text -+ finally: -+ for service in services: -+ self.master.run_command(["ipa", "service-mod", service, -+ "--auth-ind="]) -+ -+ def test_idp_backup_restore(self): -+ """ -+ Test case to check that after restore data is retrieved -+ with related idp configuration. -+ """ -+ tasks.kinit_admin(self.master) -+ user = "backupuser" -+ cmd = ["ipa", "idp-add", "testidp", "--provider=keycloak", -+ "--client-id=ipa_oidc_client", "--org=master", -+ "--base-url={0}:8443/auth".format(self.client.hostname)] -+ self.master.run_command(cmd, stdin_text="{0}\n{0}".format( -+ self.client.config.admin_password)) -+ -+ tasks.user_add(self.master, user, -+ extra_args=["--user-auth-type=idp", -+ "--idp-user-id=testuser1@ipa.test", -+ "--idp=testidp"] -+ ) -+ -+ backup_path = tasks.get_backup_dir(self.master) -+ # change data after backup -+ self.master.run_command(['ipa', 'user-del', user]) -+ self.master.run_command(['ipa', 'idp-del', 'testidp']) -+ dirman_password = self.master.config.dirman_password -+ self.master.run_command(['ipa-restore', backup_path], -+ stdin_text=dirman_password + '\nyes') -+ try: -+ list_user = self.master.run_command( -+ ['ipa', 'user-show', 'backupuser', '--all'] -+ ).stdout_text -+ assert "External IdP configuration: testidp" in list_user -+ assert "User authentication types: idp" in list_user -+ assert ("External IdP user identifier: " -+ "testuser1@ipa.test") in list_user -+ list_idp = self.master.run_command(['ipa', 'idp-find', 'testidp']) -+ assert "testidp" in list_idp.stdout_text -+ kinit_idp(self.master, user, self.client) -+ finally: -+ tasks.kdestroy_all(self.master) -+ tasks.kinit_admin(self.master) -+ self.master.run_command(["rm", "-rf", backup_path]) -+ self.master.run_command(["ipa", "idp-del", "testidp"]) --- -2.36.1 - diff --git a/SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch b/SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch deleted file mode 100644 index 25e9f72..0000000 --- a/SOURCES/0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 991849cf58fa990ad4540a61214b5ab4fcd4baa1 Mon Sep 17 00:00:00 2001 -From: Armando Neto -Date: Fri, 8 Jul 2022 15:56:31 -0300 -Subject: [PATCH] webui: Do not allow empty pagination size - -Pagination size must be required, the current validators are triggered after -form is submitted, thus the only way for check if data is not empty is by making -the field required. - -Fixes: https://pagure.io/freeipa/issue/9192 - -Signed-off-by: Armando Neto -Reviewed-By: Florence Blanc-Renaud ---- - .../ui/src/freeipa/Application_controller.js | 1 + - ipatests/test_webui/test_misc_cases.py | 19 +++++++++++++++++++ - 2 files changed, 20 insertions(+) - -diff --git a/install/ui/src/freeipa/Application_controller.js b/install/ui/src/freeipa/Application_controller.js -index 46aabc9c4..140ee8fe0 100644 ---- a/install/ui/src/freeipa/Application_controller.js -+++ b/install/ui/src/freeipa/Application_controller.js -@@ -318,6 +318,7 @@ define([ - $type: 'text', - name: 'pagination_size', - label: '@i18n:customization.table_pagination', -+ required: true, - validators: ['positive_integer'] - } - ] -diff --git a/ipatests/test_webui/test_misc_cases.py b/ipatests/test_webui/test_misc_cases.py -index 5f7ffb54e..aca9e1a99 100644 ---- a/ipatests/test_webui/test_misc_cases.py -+++ b/ipatests/test_webui/test_misc_cases.py -@@ -11,6 +11,11 @@ from ipatests.test_webui.ui_driver import screenshot - import pytest - import re - -+try: -+ from selenium.webdriver.common.by import By -+except ImportError: -+ pass -+ - - @pytest.mark.tier1 - class TestMiscCases(UI_driver): -@@ -26,3 +31,17 @@ class TestMiscCases(UI_driver): - ver_re = re.compile('version: .*') - assert re.search(ver_re, about_text), 'Version not found' - self.dialog_button_click('ok') -+ -+ @screenshot -+ def test_customization_pagination_input_required(self): -+ """Test if 'pagination size' is required when submitting the form.""" -+ self.init_app() -+ -+ self.profile_menu_action('configuration') -+ self.fill_input('pagination_size', '') -+ self.dialog_button_click('save') -+ -+ pagination_size_elem = self.find( -+ ".widget[name='pagination_size']", By.CSS_SELECTOR) -+ -+ self.assert_field_validation_required(parent=pagination_size_elem) --- -2.36.1 - diff --git a/SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch b/SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch deleted file mode 100644 index 93cfab9..0000000 --- a/SOURCES/0007-webui-Allow-grace-login-limit_rhbz#2109243.patch +++ /dev/null @@ -1,56 +0,0 @@ -From ade5093b08f92b279c200f341e96972a74f644d8 Mon Sep 17 00:00:00 2001 -From: Carla Martinez -Date: Fri, 29 Jul 2022 13:16:16 +0200 -Subject: [PATCH] webui: Allow grace login limit - -There was no support for setting the grace login limit on the WebUI. The -only way to so was only via CLI: - - `ipa pwpolicy-mod --gracelimit=2 global_policy` - -Thus, the grace login limit must be updated from the policy section and -this will reflect also on the user settings (under the 'Password Policy' -section) - -Fixes: https://pagure.io/freeipa/issue/9211 - -Signed-off-by: Carla Martinez -Reviewed-By: Florence Blanc-Renaud ---- - install/ui/src/freeipa/policy.js | 3 +++ - install/ui/src/freeipa/user.js | 5 +++++ - 2 files changed, 8 insertions(+) - -diff --git a/install/ui/src/freeipa/policy.js b/install/ui/src/freeipa/policy.js -index fa2028a52..7ec103636 100644 ---- a/install/ui/src/freeipa/policy.js -+++ b/install/ui/src/freeipa/policy.js -@@ -72,6 +72,9 @@ return { - { - name: 'cospriority', - required: true -+ }, -+ { -+ name: 'passwordgracelimit' - } - ] - }] -diff --git a/install/ui/src/freeipa/user.js b/install/ui/src/freeipa/user.js -index a580db035..b47c97f72 100644 ---- a/install/ui/src/freeipa/user.js -+++ b/install/ui/src/freeipa/user.js -@@ -318,6 +318,11 @@ return { - label: '@mo-param:pwpolicy:krbpwdlockoutduration:label', - read_only: true, - measurement_unit: 'seconds' -+ }, -+ { -+ name: 'passwordgracelimit', -+ label: '@mo-param:pwpolicy:passwordgracelimit:label', -+ read_only: true - } - ] - }, --- -2.37.2 - diff --git a/SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch b/SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch deleted file mode 100644 index 36629da..0000000 --- a/SOURCES/0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 05a298f56485222583cb7dd4f6a3a4c5c77fc8cf Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Sun, 7 Aug 2022 12:44:47 +0200 -Subject: [PATCH] check_repl_update: in progress is a boolean - -With the fix for https://pagure.io/freeipa/issue/9171, -nsds5replicaUpdateInProgress is now handled as a boolean. -One remaining occurrence was still handling it as a string -and calling lower() on its value. - -Replace with direct boolean comparison. - -Fixes: https://pagure.io/freeipa/issue/9218 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy ---- - ipaserver/install/replication.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py -index 16be3760c..9d9aa1c4b 100644 ---- a/ipaserver/install/replication.py -+++ b/ipaserver/install/replication.py -@@ -1152,7 +1152,7 @@ class ReplicationManager: - except (ValueError, TypeError, KeyError): - end = 0 - # incremental update is done if inprogress is false and end >= start -- done = inprogress and inprogress.lower() == 'false' and start <= end -+ done = inprogress is not None and not inprogress and start <= end - logger.info("Replication Update in progress: %s: status: %s: " - "start: %d: end: %d", - inprogress, status, start, end) --- -2.37.2 - diff --git a/SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch b/SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch deleted file mode 100644 index 17088cf..0000000 --- a/SOURCES/0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch +++ /dev/null @@ -1,125 +0,0 @@ -From 1316cd8b2252c2543cf2ef2186956a8833037b1e Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 21 Jul 2022 09:28:46 -0400 -Subject: [PATCH] Disabling gracelimit does not prevent LDAP binds - -Originally the code treated 0 as disabled. This was -changed during the review process to -1 but one remnant -was missed effetively allowing gracelimit 0 to also mean -disabled. - -Add explicit tests for testing with gracelimit = 0 and -gracelimit = -1. - -Also remove some extranous "str(self.master.domain.basedn)" -lines from some of the tests. - -Fixes: https://pagure.io/freeipa/issue/9206 - -Signed-off-by: Rob Crittenden -Reviewed-By: Francisco Trivino ---- - .../ipa-graceperiod/ipa_graceperiod.c | 2 +- - ipatests/test_integration/test_pwpolicy.py | 55 ++++++++++++++++++- - 2 files changed, 53 insertions(+), 4 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -index a3f57cb4b..345e1dee7 100644 ---- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -@@ -479,7 +479,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) - if (pwresponse_requested) { - slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1); - } -- } else if ((grace_limit > 0) && (grace_user_time >= grace_limit)) { -+ } else if (grace_user_time >= grace_limit) { - LOG_TRACE("%s password is expired and out of grace limit\n", dn); - errstr = "Password is expired.\n"; - ret = LDAP_INVALID_CREDENTIALS; -diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py -index 6d6698284..41d6e9070 100644 ---- a/ipatests/test_integration/test_pwpolicy.py -+++ b/ipatests/test_integration/test_pwpolicy.py -@@ -36,7 +36,7 @@ class TestPWPolicy(IntegrationTest): - cls.master.run_command(['ipa', 'group-add-member', POLICY, - '--users', USER]) - cls.master.run_command(['ipa', 'pwpolicy-add', POLICY, -- '--priority', '1']) -+ '--priority', '1', '--gracelimit', '-1']) - cls.master.run_command(['ipa', 'passwd', USER], - stdin_text='{password}\n{password}\n'.format( - password=PASSWORD -@@ -265,7 +265,6 @@ class TestPWPolicy(IntegrationTest): - - def test_graceperiod_expired(self): - """Test the LDAP bind grace period""" -- str(self.master.domain.basedn) - dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( - user=USER, base_dn=str(self.master.domain.basedn)) - -@@ -308,7 +307,6 @@ class TestPWPolicy(IntegrationTest): - - def test_graceperiod_not_replicated(self): - """Test that the grace period is reset on password reset""" -- str(self.master.domain.basedn) - dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( - user=USER, base_dn=str(self.master.domain.basedn)) - -@@ -341,3 +339,54 @@ class TestPWPolicy(IntegrationTest): - ) - assert 'passwordgraceusertime: 0' in result.stdout_text.lower() - self.reset_password(self.master) -+ -+ def test_graceperiod_zero(self): -+ """Test the LDAP bind with zero grace period""" -+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( -+ user=USER, base_dn=str(self.master.domain.basedn)) -+ -+ self.master.run_command( -+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "0", ], -+ ) -+ -+ # Resetting the password will mark it as expired -+ self.reset_password(self.master) -+ -+ # Now grace is done and binds should fail. -+ result = self.master.run_command( -+ ["ldapsearch", "-e", "ppolicy", "-D", dn, -+ "-w", PASSWORD, "-b", dn], raiseonerr=False -+ ) -+ assert result.returncode == 49 -+ -+ assert 'Password is expired' in result.stderr_text -+ assert 'Password expired, 0 grace logins remain' in result.stderr_text -+ -+ def test_graceperiod_disabled(self): -+ """Test the LDAP bind with grace period disabled (-1)""" -+ str(self.master.domain.basedn) -+ dn = "uid={user},cn=users,cn=accounts,{base_dn}".format( -+ user=USER, base_dn=str(self.master.domain.basedn)) -+ -+ # This can fail if gracelimit is already -1 so ignore it -+ self.master.run_command( -+ ["ipa", "pwpolicy-mod", POLICY, "--gracelimit", "-1",], -+ raiseonerr=False, -+ ) -+ -+ # Ensure the password is expired -+ self.reset_password(self.master) -+ -+ result = self.kinit_as_user(self.master, PASSWORD, PASSWORD) -+ -+ for _i in range(0, 10): -+ result = self.master.run_command( -+ ["ldapsearch", "-e", "ppolicy", "-D", dn, -+ "-w", PASSWORD, "-b", dn] -+ ) -+ -+ # With graceperiod disabled it should not increment -+ result = tasks.ldapsearch_dm( -+ self.master, dn, ['passwordgraceusertime',], -+ ) -+ assert 'passwordgraceusertime: 0' in result.stdout_text.lower() --- -2.37.2 - diff --git a/SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch b/SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch deleted file mode 100644 index 952e49b..0000000 --- a/SOURCES/0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch +++ /dev/null @@ -1,230 +0,0 @@ -From 434620ee342ac4767beccec647a318bfa7743dfa Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 18 Aug 2022 08:21:58 -0400 -Subject: [PATCH] doc: Update LDAP grace period design with default values - -New group password policies will get -1 (unlimited) on creation -by default. - -Existing group password policies will remain untouched and -those created prior will be treated as no BIND allowed. - -Fixes: https://pagure.io/freeipa/issue/9212 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - doc/designs/ldap_grace_period.md | 17 ++++++++++++++++- - 1 file changed, 16 insertions(+), 1 deletion(-) - -diff --git a/doc/designs/ldap_grace_period.md b/doc/designs/ldap_grace_period.md -index 4b9db3424..e26aedda9 100644 ---- a/doc/designs/ldap_grace_period.md -+++ b/doc/designs/ldap_grace_period.md -@@ -51,7 +51,22 @@ The basic flow is: - - On successful password reset (by anyone) reset the user's passwordGraceUserTime to 0. - --The default value on install/upgrade will be -1 to retail existing behavior. -+Range values for passwordgracelimit are: -+ -+-1 : password grace checking is disabled -+ 0 : no grace BIND are allowed at all post-expiration -+ 1..MAXINT: the number of BIND allowed post-expiration -+ -+The default value for the global policy on install/upgrade will be -1 to -+retain existing behavior. -+ -+New group password policies will default to -1 to retain previous -+behavior. -+ -+Existing group policies with no grace limit set are updated to use -+the default unlimited value, -1. This is done because lack of value in -+LDAP is treated as 0 so any existing group policies would not allow -+post-expiration BIND so this will avoid confusion. - - The per-user attempts will not be replicated. - --- -2.37.2 - -From 497a57e7a6872fa30d1855a1d91a455bfdbf9300 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 4 Aug 2022 12:04:22 -0400 -Subject: [PATCH] Set default gracelimit on group password policies to -1 - -This will retain previous behavior of unlimited LDAP BIND -post-expiration. - -Fixes: https://pagure.io/freeipa/issue/9212 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - API.txt | 2 +- - ipaserver/plugins/pwpolicy.py | 2 ++ - ipatests/test_xmlrpc/test_pwpolicy_plugin.py | 2 ++ - 3 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/API.txt b/API.txt -index 5ba9add13..d7ea74f08 100644 ---- a/API.txt -+++ b/API.txt -@@ -4075,7 +4075,7 @@ option: Int('krbpwdlockoutduration?', cli_name='lockouttime') - option: Int('krbpwdmaxfailure?', cli_name='maxfail') - option: Int('krbpwdmindiffchars?', cli_name='minclasses') - option: Int('krbpwdminlength?', cli_name='minlength') --option: Int('passwordgracelimit?', cli_name='gracelimit', default=-1) -+option: Int('passwordgracelimit?', autofill=True, cli_name='gracelimit', default=-1) - option: Flag('raw', autofill=True, cli_name='raw', default=False) - option: Str('setattr*', cli_name='setattr') - option: Str('version?') -diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py -index 4428aede2..f4ebffd5c 100644 ---- a/ipaserver/plugins/pwpolicy.py -+++ b/ipaserver/plugins/pwpolicy.py -@@ -408,6 +408,7 @@ class pwpolicy(LDAPObject): - minvalue=-1, - maxvalue=Int.MAX_UINT32, - default=-1, -+ autofill=True, - ), - ) - -@@ -539,6 +540,7 @@ class pwpolicy_add(LDAPCreate): - keys[-1], krbpwdpolicyreference=dn, - cospriority=options.get('cospriority') - ) -+ - return dn - - def post_callback(self, ldap, dn, entry_attrs, *keys, **options): -diff --git a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py -index 8eee69c18..fc785223b 100644 ---- a/ipatests/test_xmlrpc/test_pwpolicy_plugin.py -+++ b/ipatests/test_xmlrpc/test_pwpolicy_plugin.py -@@ -387,6 +387,7 @@ class test_pwpolicy_mod_cospriority(Declarative): - krbpwdhistorylength=[u'10'], - krbpwdmindiffchars=[u'3'], - krbpwdminlength=[u'8'], -+ passwordgracelimit=[u'-1'], - objectclass=objectclasses.pwpolicy, - ), - summary=None, -@@ -417,6 +418,7 @@ class test_pwpolicy_mod_cospriority(Declarative): - krbpwdhistorylength=[u'10'], - krbpwdmindiffchars=[u'3'], - krbpwdminlength=[u'8'], -+ passwordgracelimit=[u'-1'], - ), - summary=None, - value=u'ipausers', --- -2.37.2 - -From a4ddaaf3048c4e8d78a1807af7266ee40ab3a30b Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 4 Aug 2022 12:04:41 -0400 -Subject: [PATCH] Set default on group pwpolicy with no grace limit in upgrade - -If an existing group policy lacks a password grace limit -update it to -1 on upgrade. - -Fixes: https://pagure.io/freeipa/issue/9212 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - .../updates/90-post_upgrade_plugins.update | 1 + - ipaserver/install/plugins/update_pwpolicy.py | 66 +++++++++++++++++++ - 2 files changed, 67 insertions(+) - -diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update -index c7ec71d49..6fe91aa6c 100644 ---- a/install/updates/90-post_upgrade_plugins.update -+++ b/install/updates/90-post_upgrade_plugins.update -@@ -26,6 +26,7 @@ plugin: update_ra_cert_store - plugin: update_mapping_Guests_to_nobody - plugin: fix_kra_people_entry - plugin: update_pwpolicy -+plugin: update_pwpolicy_grace - - # last - # DNS version 1 -diff --git a/ipaserver/install/plugins/update_pwpolicy.py b/ipaserver/install/plugins/update_pwpolicy.py -index dca44ce43..4185f0343 100644 ---- a/ipaserver/install/plugins/update_pwpolicy.py -+++ b/ipaserver/install/plugins/update_pwpolicy.py -@@ -78,3 +78,69 @@ class update_pwpolicy(Updater): - return False, [] - - return False, [] -+ -+ -+@register() -+class update_pwpolicy_grace(Updater): -+ """ -+ Ensure all group policies have a grace period set. -+ """ -+ -+ def execute(self, **options): -+ ldap = self.api.Backend.ldap2 -+ -+ base_dn = DN(('cn', self.api.env.realm), ('cn', 'kerberos'), -+ self.api.env.basedn) -+ search_filter = ( -+ "(&(objectClass=krbpwdpolicy)(!(passwordgracelimit=*)))" -+ ) -+ -+ while True: -+ # Run the search in loop to avoid issues when LDAP limits are hit -+ # during update -+ -+ try: -+ (entries, truncated) = ldap.find_entries( -+ search_filter, ['objectclass'], base_dn, time_limit=0, -+ size_limit=0) -+ -+ except errors.EmptyResult: -+ logger.debug("update_pwpolicy: no policies without " -+ "passwordgracelimit set") -+ return False, [] -+ -+ except errors.ExecutionError as e: -+ logger.error("update_pwpolicy: cannot retrieve list " -+ "of policies missing passwordgracelimit: %s", e) -+ return False, [] -+ -+ logger.debug("update_pwpolicy: found %d " -+ "policies to update, truncated: %s", -+ len(entries), truncated) -+ -+ error = False -+ -+ for entry in entries: -+ # Set unlimited BIND by default -+ entry['passwordgracelimit'] = -1 -+ try: -+ ldap.update_entry(entry) -+ except (errors.EmptyModlist, errors.NotFound): -+ pass -+ except errors.ExecutionError as e: -+ logger.debug("update_pwpolicy: cannot " -+ "update policy: %s", e) -+ error = True -+ -+ if error: -+ # Exit loop to avoid infinite cycles -+ logger.error("update_pwpolicy: error(s) " -+ "detected during pwpolicy update") -+ return False, [] -+ -+ elif not truncated: -+ # All affected entries updated, exit the loop -+ logger.debug("update_pwpolicy: all policies updated") -+ return False, [] -+ -+ return False, [] --- -2.37.2 - diff --git a/SOURCES/0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch b/SOURCES/1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch similarity index 100% rename from SOURCES/0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch rename to SOURCES/1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch diff --git a/SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch b/SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch new file mode 100644 index 0000000..d5fe2d3 --- /dev/null +++ b/SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch @@ -0,0 +1,114 @@ +From 9a33838407f244e481523fe643bc0626874e8b1a Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Mon, 19 Dec 2022 14:57:03 -0300 +Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports" + +This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a. +--- + ipapython/dnsutil.py | 41 ------------------------- + ipatests/test_ipapython/test_dnsutil.py | 40 ------------------------ + 2 files changed, 81 deletions(-) + +diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py +index 58de365ab..4baeaf8cc 100644 +--- a/ipapython/dnsutil.py ++++ b/ipapython/dnsutil.py +@@ -144,47 +144,6 @@ class DNSResolver(dns.resolver.Resolver): + nameservers.remove(ipv4_loopback) + self.nameservers = nameservers + +- @dns.resolver.Resolver.nameservers.setter +- def nameservers(self, nameservers): +- """ +- *nameservers*, a ``list`` of nameservers with optional ports: +- "SERVER_IP port PORT_NUMBER". +- +- Overloads dns.resolver.Resolver.nameservers setter to split off ports +- into nameserver_ports after setting nameservers successfully with the +- setter in dns.resolver.Resolver. +- """ +- # Get nameserver_ports if it is already set +- if hasattr(self, "nameserver_ports"): +- nameserver_ports = self.nameserver_ports +- else: +- nameserver_ports = {} +- +- # Check nameserver items in list and split out converted port number +- # into nameserver_ports: { nameserver: port } +- if isinstance(nameservers, list): +- _nameservers = [] +- for nameserver in nameservers: +- splits = nameserver.split() +- if len(splits) == 3 and splits[1] == "port": +- nameserver = splits[0] +- try: +- port = int(splits[2]) +- if port < 0 or port > 65535: +- raise ValueError() +- except ValueError: +- raise ValueError( +- "invalid nameserver: %s is not a valid port" % +- splits[2]) +- nameserver_ports[nameserver] = port +- _nameservers.append(nameserver) +- nameservers = _nameservers +- +- # Call dns.resolver.Resolver.nameservers setter +- dns.resolver.Resolver.nameservers.__set__(self, nameservers) +- # Set nameserver_ports after successfull call to setter +- self.nameserver_ports = nameserver_ports +- + + class DNSZoneAlreadyExists(dns.exception.DNSException): + supp_kwargs = {'zone', 'ns'} +diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py +index 09463c69d..5e7a46197 100644 +--- a/ipatests/test_ipapython/test_dnsutil.py ++++ b/ipatests/test_ipapython/test_dnsutil.py +@@ -101,43 +101,3 @@ class TestSortURI: + assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3] + assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3] + assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2] +- +- +-class TestDNSResolver: +- def test_nameservers(self): +- res = dnsutil.DNSResolver() +- res.nameservers = ["4.4.4.4", "8.8.8.8"] +- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] +- +- def test_nameservers_with_ports(self): +- res = dnsutil.DNSResolver() +- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"] +- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] +- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053} +- +- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"] +- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] +- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053} +- +- def test_nameservers_with_bad_ports(self): +- res = dnsutil.DNSResolver() +- try: +- res.nameservers = ["4.4.4.4 port a"] +- except ValueError: +- pass +- else: +- pytest.fail("No fail on bad port a") +- +- try: +- res.nameservers = ["4.4.4.4 port -1"] +- except ValueError: +- pass +- else: +- pytest.fail("No fail on bad port -1") +- +- try: +- res.nameservers = ["4.4.4.4 port 65536"] +- except ValueError: +- pass +- else: +- pytest.fail("No fail on bad port 65536") +-- +2.38.1 + diff --git a/SOURCES/freeipa-4.9.10.tar.gz.asc b/SOURCES/freeipa-4.9.10.tar.gz.asc deleted file mode 100644 index 2804c24..0000000 --- a/SOURCES/freeipa-4.9.10.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmKp71wACgkQaYdvcqbi -008rbg/9G5w7KXgJcrhwBx5qqd4fqzSnwJdyN5oaBIEKNsAigMD7LIYawqgnO3g/ -/3FmJTbeCrOj9EoakvE1YNRT+75oxAO+rMFcRvFHlJyfMCa3r3lrS4LrlQiiyNwZ -IHovcXr0Q3fizhp/V3acyZqx2pbnSh24CK4q5a1CNUs8SPkEFcOfpAJIMQCHeH6t -ScfxuWOp8R1FnaNQc/9x3vy3ySQbHMxIWLSfJy7pk7FhLGAvgVNQBAz70Bg7BfR1 -R1V6syGeaPmqLOQw0jV05YMxyKwkbnSK/h2DlCg/iNQ/S71rXhOpuk01dDf73CI4 -Fu1H9TX50Indq31+4qbOlKZqDshhNzRRpn2m2qVvzeTfObHlZMbYNyVamovP9fEZ -pfJcppI8aNDURjqpf/sVy4G8mhI5FQS+Q7bKvv9C04iE3XpTutg8q5mLMXGwWekY -yeklBAmdygOKsY1uWb7BCH9eoWCVWKIwi4m5uYteZNxBt4aqsa/VFsxCE1P2T7/S -+yc1Jo7hXWW8v3wm+dIGJj+Lz9YlJxC9SAiC72a6kTwIe2gnKlxoYbqe/18hEWm6 -0jESl2LiXfBhXz0YQlv2HjcPWZMMrNuhSCGTMgzP8KfZB258mtxpbBTk5/e9Wgsk -29GCfaMWFUqZsrteG10HT/P6cotre6EVffQl9lNlPNQpX+DUKy4= -=azus ------END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.9.11.tar.gz.asc b/SOURCES/freeipa-4.9.11.tar.gz.asc new file mode 100644 index 0000000..47ddb7d --- /dev/null +++ b/SOURCES/freeipa-4.9.11.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmOA8kcACgkQaYdvcqbi +00887g/9GTvueJCypiuTqxKsbkTbWamOyH3W+AqtHw9Ff+wM/hnkSloGizhQ4EZZ +4Zs1e6bfM1pGXT7DXU9WbiYtcVtUhY5l9SnT9moCMaG1z4aB7z9UCxsqsSCuy3bG +KQq6AO2z4DaqHiz6ez3QXi+MUCNnPziWmS3bLdDCrTK0PNxqiMPIotlXMgVFgDL7 +go/TAUvUL27zH4ELvG4parSGEKVEqe//RzXklOwGrInyj/4u42x7lUdO2ugOolCI +wNod8v+NWQWVgxNyhfTjP5VBZzO9wkGx4xruF2cAjVdjnIUGcG0FR3hI/bpi7Lyv +EmIozbQMK92MLel63E7Z/d5Jxfmuw/n1t5NrgSth+9hhWnBEpiaKkD2zAmUATqHf ++y4mbrtajmjzewEnfUnQfCvSLDPyTpnQKkRY8hUvk7u/J+/ZFWMQl9RdGNw3M0Zr +WrsqkKLK/n5IOHYHb/lBRaUidssKjQYFIvyNfHDP/lu6iiyLOpi5MIdk9BakO5wc +oDMk3w9xY7tPPmoesW40BThnAdOR9U4aad8zVvOxhMfzAYRwu95HGQoHnk7/rNut +IfzMZVjVTLQ8gyApcBlWzu/buiOoEXTKaMyzs0S9RMptknj5Xf0CGRz3bVrZRfJd +umyhD6/rNk3eZW/yEIv3IqFev0h1txTBPSTlczYUIz6uc7nx82E= +=8YVm +-----END PGP SIGNATURE----- diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index af97919..0c47ee0 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -176,7 +176,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.9.10 +%define IPA_VERSION 4.9.11 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %%nil %define AT_SIGN @ @@ -189,7 +189,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 7%{?rc_version:.%rc_version}%{?dist} +Release: 3%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -209,18 +209,16 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 -Patch0001: 0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch -Patch0002: 0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch -Patch0003: 0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch -Patch0004: 0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch -Patch0005: 0005-Add-end-to-end-integration-tests-for-external-IdP.patch -Patch0006: 0006-webui-Do-not-allow-empty-pagination-size_rhbz#2094672.patch -Patch0007: 0007-webui-Allow-grace-login-limit_rhbz#2109243.patch -Patch0008: 0008-check_repl_update-in-progress-is-a-boolean_rhbz#2117303.patch -Patch0009: 0009-Disabling-gracelimit-does-not-prevent-LDAP-binds_rhbz#2109236.patch -Patch0010: 0010-Set-passwordgracelimit-to-match-global-policy-on-group-pw-policies_rhbz#2115475.patch +Patch0001: 0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch +# Due to behavior changes in python3-dns 2.2.0, IPA overrides the setting of the +# nameserver property inherited from dns.resolver.Resolver class to allow the +# setting of nameservers with custom ports. The method used is only needed, and +# only works, on version 2.2.0, or later, of python3-dns. For RHEL 8, which uses +# series 1.xx, the method override is not needed to provide the same behavior. +Patch1004: 1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch %endif %endif # RHEL spec file only: END @@ -293,6 +291,7 @@ BuildRequires: cracklib-dicts # Build dependencies for makeapi/makeaci # BuildRequires: python3-cffi +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. BuildRequires: python3-dns BuildRequires: python3-ldap >= %{python_ldap_version} BuildRequires: python3-libsss_nss_idmap @@ -345,6 +344,7 @@ BuildRequires: python3-cryptography >= 1.6 BuildRequires: python3-custodia >= 0.3.1 BuildRequires: python3-dateutil BuildRequires: python3-dbus +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. BuildRequires: python3-dns >= 1.15 BuildRequires: python3-docker BuildRequires: python3-gssapi >= 1.2.0 @@ -419,7 +419,6 @@ Requires: nss-tools >= %{nss_version} Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version} Requires: krb5-kdb-version = %{krb5_kdb_version} -Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony Requires: httpd >= %{httpd_version} @@ -517,6 +516,7 @@ Requires: python3-augeas Requires: augeas-libs >= %{augeas_version} Requires: python3-custodia >= 0.3.1 Requires: python3-dbus +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. Requires: python3-dns >= 1.15 Requires: python3-gssapi >= 1.2.0 Requires: python3-ipaclient = %{version}-%{release} @@ -647,6 +647,8 @@ Requires: python3-sssdconfig >= %{sssd_version} Requires: cyrus-sasl-gssapi%{?_isa} Requires: chrony Requires: krb5-workstation >= %{krb5_version} +# Support pkinit with client install +Requires: krb5-pkinit-openssl >= %{krb5_version} # authselect: sssd profile with-subid %if 0%{?fedora} >= 36 Requires: authselect >= 1.4.0 @@ -746,6 +748,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Requires: python3-augeas Requires: augeas-libs >= %{augeas_version} +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. Requires: python3-dns >= 1.15 Requires: python3-jinja2 @@ -826,6 +829,7 @@ Requires: python3-cffi Requires: python3-cryptography >= 1.6 Requires: python3-dateutil Requires: python3-dbus +# RHEL 8 packages will not work with python3-dns 2.2.0 or newer. Requires: python3-dns >= 1.15 Requires: python3-gssapi >= 1.2.0 Requires: python3-jwcrypto >= 0.4.2 @@ -1240,7 +1244,7 @@ if [ $1 -gt 1 ] ; then %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 - chmod 0600 /var/log/ipaupgrade.lo + chmod 0600 /var/log/ipaupgrade.log SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" @@ -1716,12 +1720,50 @@ fi %if %{with selinux} %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* -%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} # with selinux %endif %changelog -* Tue Nov 1 2022 Rafael Jeffman - 4.9.10-7 +* Mon Dec 19 2022 Rafael Jeffman - 4.9.11-3 +- Revert DNSResolver Fix use of nameservers with ports. + Related: RHBZ#2141316 + +* Fri Dec 16 2022 Rafael Jeffman - 4.9.11-2 +- webui IdP: Remove arrow notation due to uglify-js limitation + Related: RHBZ#2141316 + +* Wed Dec 14 2022 Rafael Jeffman - 4.9.11-1 +- Rebase ipa to 4.9.11 + Resolves: RHBZ#2141316 +- updates: fix memberManager ACI to allow managers from a specified group + Resolves: RHBZ#2056009 +- Defer creating the final krb5.conf on clients + Resolves: RHBZ#2148259 +- Exclude installed policy module file from RPM verification + Resolves: RHBZ#2149567 +- Spec file: ipa-client depends on krb5-pkinit-openssl + Resolves: RHBZ#2149889 + +* Thu Nov 24 2022 Rafael Jeffman - 4.9.10-8 +- ipa man page format the EXAMPLES section + Resolves: RHBZ#2129895 +- Fix canonicalization issue in Web UI + Resolves: RHBZ#2127035 +- Remove idnssoaserial argument from dns zone API. + Resolves: RHBZ#2108630 +- Warn for permissions with read/write/search/compare and no attrs + Resolves: RHBZ#2098187 +- Add PKINIT support to ipa-client-install + Resolves: RHBZ#2075452 +- Generate CNAMEs for TXT+URI location krb records + Resolves: RHBZ#2104185 +- Vault: fix interoperability issues with older RHEL systems + Resolves: RHBZ#2144737 +- Fix typo on ipaupgrade.log chmod during RPM %post snipppet + Resolves: RHBZ#2140994 + +* Tue Nov 1 2022 Rafael Jeffman - 4.9.10-7 - Rebuild to samba 4.17.2. Related: RHBZ#2132051