Update to upstream 4.4.1 release

2016-09-01 16:47:48 +03:00 · 2016-09-01 16:47:48 +03:00 · 47a0c67ac7
commit 47a0c67ac7
parent 6b7ae28924
1 changed files with 75 additions and 73 deletions
--- a/freeipa.spec
+++ b/freeipa.spec
@ -1,4 +1,4 @@
-# Define ONLY_CLIENT to only make the ipa-admintools, ipa-client and ipa-python
+# Define ONLY_CLIENT to only make the ipa-client and ipa-python
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}

@ -13,10 +13,12 @@
 %global samba_version 4.0.5-1
 %global samba_build_version %{samba_version}
 %global selinux_policy_version 3.12.1-153
+%global slapi_nis_version 0.56.0-4
 %else
 %global samba_version 2:4.3.1-1
 %global samba_build_version 2:4.2.1
 %global selinux_policy_version 3.13.1-158.4
+%global slapi_nis_version 0.56.1
 %endif

 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
@ -30,13 +32,13 @@
 %global platform_module fedora
 %endif

-%global VERSION 4.3.2
+%global VERSION 4.4.1

 %define _hardened_build 1

 Name:           freeipa
 Version:        %{VERSION}
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system

 Group:          System Environment/Base
@ -46,18 +48,14 @@ Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)

 Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
-Patch0002:      0002-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
-Patch0003:      0003-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
-Patch0004:      0004-ipa-kdb-Allow-to-build-with-samba-4.5.patch

 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.5
+BuildRequires:  389-ds-base-devel >= 1.3.5.6
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= 2.1.12-5
 BuildRequires:  systemd-units
 BuildRequires:  samba-devel >= %{samba_build_version}
 BuildRequires:  samba-python
-BuildRequires:  libwbclient-devel
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 %endif # ONLY_CLIENT
@ -87,7 +85,8 @@ BuildRequires:  python-gssapi >= 1.1.2
 BuildRequires:  python-rhsm
 BuildRequires:  pyOpenSSL
 BuildRequires:  pylint >= 1.0
-BuildRequires:  python-polib
+# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
+BuildRequires:  python2-polib
 BuildRequires:  python-libipa_hbac
 BuildRequires:  python-memcached
 BuildRequires:  python-lxml
@ -95,8 +94,9 @@ BuildRequires:  python-pyasn1 >= 0.0.9a
 BuildRequires:  python-qrcode-core >= 5.0.0
 BuildRequires:  python-dns >= 1.11.1
 BuildRequires:  libsss_idmap-devel
-BuildRequires:  libsss_nss_idmap-devel >= 1.12.2
+BuildRequires:  libsss_nss_idmap-devel >= 1.14.0
 BuildRequires:  java-headless
+BuildRequires:  jsl
 BuildRequires:  rhino
 BuildRequires:  libverto-devel
 BuildRequires:  systemd
@ -104,7 +104,7 @@ BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico >= 1.2.3
 BuildRequires:  openssl-devel
-BuildRequires:  pki-base >= 10.2.6
+BuildRequires:  pki-base >= 10.3.3-3
 BuildRequires:  python-pytest-multihost >= 0.5
 BuildRequires:  python-pytest-sourceorder
 BuildRequires:  python-kdcproxy >= 0.3
@ -113,6 +113,9 @@ BuildRequires:  python-jwcrypto
 BuildRequires:  custodia
 BuildRequires:  libini_config-devel >= 1.2.0
 BuildRequires:  dbus-python
+BuildRequires:  python-netifaces >= 0.10.4
+BuildRequires:  python-libsss_nss_idmap
+BuildRequires:  python-sss

 # Build dependencies for unit tests
 BuildRequires:  libcmocka-devel
@ -139,10 +142,9 @@ Summary: The IPA authentication server
 Group: System Environment/Base
 Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
-Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaserver = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.5
+Requires: 389-ds-base >= 1.3.5.6
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@ -150,7 +152,7 @@ Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_v
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
-Requires: httpd >= 2.4.6-6
+Requires: httpd >= 2.4.6-31
 Requires: mod_wsgi
 Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
@ -165,16 +167,16 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.55-1
-Requires: pki-ca >= 10.2.6-19
-Requires: pki-kra >= 10.2.6-19
+Requires: slapi-nis >= %{slapi_nis_version}
+Requires: pki-ca >= 10.3.3-3
+Requires: pki-kra >= 10.3.3-3
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.78
-Requires(pre): 389-ds-base >= 1.3.5
+Requires(pre): 389-ds-base >= 1.3.5.6
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
@ -240,7 +242,7 @@ Summary: Common files used by IPA server
 Group: System Environment/Base
 BuildArch: noarch
 Requires: %{name}-client-common = %{version}-%{release}
-Requires: httpd >= 2.4.6-6
+Requires: httpd >= 2.4.6-31
 Requires: systemd-units >= 38
 Requires: custodia

@ -262,7 +264,7 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 Group: System Environment/Base
 BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 6.0-4
+Requires: bind-dyndb-ldap >= 10.0
 %if 0%{?fedora} >= 21
 Requires: bind >= 9.9.6-3
 Requires: bind-utils >= 9.9.6-3
@ -283,9 +285,6 @@ Obsoletes: %{alt_name}-server-dns < %{version}
 # upgrade path from monolithic -server to -server + -server-dns
 Obsoletes: %{name}-server <= 4.2.0

-# FreeIPA does not support running integrated BIND in chroot jail
-Conflicts: bind-chroot
-
 %description server-dns
 IPA integrated DNS server with support for automatic DNSSEC signing.
 Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
@ -336,9 +335,11 @@ Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
 Requires: curl
+# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
+Requires: initscripts
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
-Requires: sssd >= 1.13.3-5
+Requires: sssd >= 1.14.0
 Requires: python-sssdconfig
 Requires: certmonger >= 0.78
 Requires: nss-tools
@ -355,6 +356,13 @@ Provides: %{alt_name}-client = %{version}
 Conflicts: %{alt_name}-client
 Obsoletes: %{alt_name}-client < %{version}

+Provides: %{alt_name}-admintools = %{version}
+Conflicts: %{alt_name}-admintools
+Obsoletes: %{alt_name}-admintools < 4.4.1
+
+Obsoletes: %{name}-admintools < 4.4.1
+Provides: %{name}-admintools = %{version}-%{release}
+
 %description client
 IPA is an integrated solution to provide centrally managed Identity (users,
 hosts, services), Authentication (SSO, 2FA), and Authorization
@ -363,6 +371,7 @@ features for further integration with Linux based clients (SUDO, automount)
 and integration with Active Directory based infrastructures (Trusts).
 If your network uses IPA for authentication, this package should be
 installed on every client machine.
+This package provides command-line tools for IPA administrators.


 %package -n python2-ipaclient
@ -374,7 +383,6 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
 Requires: python-dns >= 1.11.1
-Requires: pyusb

 %description -n python2-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@ -397,7 +405,6 @@ Requires: %{name}-client-common = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-dns >= 1.11.1
-Requires: python3-pyusb

 %description -n python3-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@ -430,27 +437,6 @@ If your network uses IPA for authentication, this package should be
 installed on every client machine.


-%package admintools
-Summary: IPA administrative tools
-Group: System Environment/Base
-BuildArch: noarch
-Requires: %{name}-client-common = %{version}-%{release}
-Requires: python2-ipalib = %{version}-%{release}
-Requires: python-ldap
-
-Provides: %{alt_name}-admintools = %{version}
-Conflicts: %{alt_name}-admintools
-Obsoletes: %{alt_name}-admintools < %{version}
-
-%description admintools
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-This package provides command-line tools for IPA administrators.
-
-
 %package python-compat
 Summary: Compatiblity package for Python libraries used by IPA
 Group: System Environment/Libraries
@ -483,7 +469,7 @@ python2-ipalib and %{name}-common. Packages still depending on
 Summary: Python libraries used by IPA
 Group: System Environment/Libraries
 BuildArch: noarch
-Conflicts: %{name}-python < %{version}-%{release}
+Conflicts: %{name}-python < 4.2.91
 %{?python_provide:%python_provide python2-ipalib}
 Provides: python2-ipapython = %{version}-%{release}
 %{?python_provide:%python_provide python2-ipapython}
@ -492,7 +478,6 @@ Provides: python2-ipaplatform = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python-gssapi >= 1.1.2
 Requires: gnupg
-Requires: iproute
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
@ -506,12 +491,17 @@ Requires: python-pyasn1
 Requires: python-dateutil
 Requires: python-yubico >= 1.2.3
 Requires: python-sss-murmur
-Requires: curl
 Requires: dbus-python
 Requires: python-setuptools
 Requires: python-six
 Requires: python-jwcrypto
 Requires: python-cffi
+Requires: python-ldap >= 2.4.15
+Requires: python-requests
+Requires: python-custodia
+Requires: python-dns >= 1.11.1
+Requires: python-netifaces >= 0.10.4
+Requires: pyusb

 Conflicts: %{alt_name}-python < %{version}

@ -538,7 +528,6 @@ Provides: python3-ipaplatform = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python3-gssapi >= 1.1.2
 Requires: gnupg
-Requires: iproute
 Requires: keyutils
 Requires: python3-pyOpenSSL
 Requires: python3-nss >= 0.16
@ -551,12 +540,17 @@ Requires: python3-pyasn1
 Requires: python3-dateutil
 Requires: python3-yubico >= 1.2.3
 Requires: python3-sss-murmur
-Requires: curl
 Requires: python3-dbus
 Requires: python3-setuptools
 Requires: python3-six
 Requires: python3-jwcrypto
 Requires: python3-cffi
+Requires: python3-pyldap >= 2.4.15
+Requires: python3-custodia
+Requires: python3-requests
+Requires: python3-dns >= 1.11.1
+Requires: python3-netifaces >= 0.10.4
+Requires: python3-pyusb

 %description -n python3-ipalib
 IPA is an integrated solution to provide centrally managed Identity (users,
@ -573,7 +567,7 @@ If you are using IPA with Python 3, you need to install this package.
 Summary: Common files used by IPA
 Group: System Environment/Libraries
 BuildArch: noarch
-Conflicts: %{name}-python < %{version}-%{release}
+Conflicts: %{name}-python < 4.2.91

 Provides: %{alt_name}-common = %{version}
 Conflicts: %{alt_name}-common
@ -598,15 +592,16 @@ BuildArch: noarch
 Obsoletes: %{name}-tests < 4.2.91
 Provides: %{name}-tests = %{version}-%{release}
 %{?python_provide:%python_provide python2-ipatests}
-Requires: %{name}-client-common = %{version}-%{release}
-Requires: python2-ipalib = %{version}-%{release}
+Requires: python2-ipaclient = %{version}-%{release}
+Requires: python2-ipaserver = %{version}-%{release}
 Requires: tar
 Requires: xz
 Requires: python-nose
 Requires: pytest >= 2.6
 Requires: python-paste
 Requires: python-coverage
-Requires: python-polib
+# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
+Requires: python2-polib
 Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
 Requires: ldns-utils
@ -631,8 +626,9 @@ This package contains tests that verify IPA functionality.
 Summary: IPA tests and test tools
 BuildArch: noarch
 %{?python_provide:%python_provide python3-ipatests}
-Requires: %{name}-client-common = %{version}-%{release}
-Requires: python3-ipalib = %{version}-%{release}
+Requires: python3-ipaclient = %{version}-%{release}
+# FIXME: uncomment once there's python3-ipaserver
+#Requires: python3-ipaserver = %{version}-%{release}
 Requires: tar
 Requires: xz
 Requires: python3-nose
@ -872,7 +868,6 @@ mkdir -p %{buildroot}%{_unitdir}
 mkdir -p %{buildroot}%{etc_systemd_dir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
 install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
@ -899,6 +894,8 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d

 mkdir -p %{buildroot}%{_sysconfdir}/ipa/custodia

+mkdir -p %{buildroot}%{_usr}/share/ipa/schema.d
+
 %endif # ONLY_CLIENT


@ -1035,17 +1032,17 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
            /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d
        ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew

-        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody'; then
+        if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then
            sed -ri '
                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/
            ' /etc/ssh/sshd_config.ipanew
-        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody'; then
+        elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then
            sed -ri '
                s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/
                s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/
            ' /etc/ssh/sshd_config.ipanew
-        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody'; then
+        elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then
            sed -ri '
                s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/
                s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/
@ -1096,6 +1093,7 @@ fi
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%{_libexecdir}/ipa/ipa-pki-retrieve-key
 %dir %{_libexecdir}/ipa/oddjob
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
@ -1184,7 +1182,7 @@ fi
 %{_tmpfilesdir}/%{name}.conf
 %attr(644,root,root) %{_unitdir}/ipa_memcached.service
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
@ -1275,7 +1273,8 @@ fi
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
 %ghost %{_localstatedir}/named/dyndb-ldap/ipa
 %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
-
+%dir %{_usr}/share/ipa/schema.d
+%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README

 %files server-dns
 %defattr(-,root,root,-)
@ -1311,6 +1310,9 @@ fi
 %{_sbindir}/ipa-getkeytab
 %{_sbindir}/ipa-rmkeytab
 %{_sbindir}/ipa-join
+%{_bindir}/ipa
+%config %{_sysconfdir}/bash_completion.d
+%{_mandir}/man1/ipa.1.gz
 %{_mandir}/man1/ipa-getkeytab.1.gz
 %{_mandir}/man1/ipa-rmkeytab.1.gz
 %{_mandir}/man1/ipa-client-install.1.gz
@ -1325,6 +1327,9 @@ fi
 %license COPYING
 %dir %{python_sitelib}/ipaclient
 %{python_sitelib}/ipaclient/*.py*
+%{python_sitelib}/ipaclient/plugins/*.py*
+%{python_sitelib}/ipaclient/remote_plugins/*.py*
+%{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*
 %{python_sitelib}/ipaclient-*.egg-info


@ -1337,6 +1342,12 @@ fi
 %dir %{python3_sitelib}/ipaclient
 %{python3_sitelib}/ipaclient/*.py
 %{python3_sitelib}/ipaclient/__pycache__/*.py*
+%{python3_sitelib}/ipaclient/plugins/*.py
+%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
+%{python3_sitelib}/ipaclient/remote_plugins/*.py
+%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
 %{python3_sitelib}/ipaclient-*.egg-info

 %endif # with_python3
@ -1361,15 +1372,6 @@ fi
 %{_mandir}/man5/default.conf.5.gz


-%files admintools
-%defattr(-,root,root,-)
-%doc README Contributors.txt
-%license COPYING
-%{_bindir}/ipa
-%config %{_sysconfdir}/bash_completion.d
-%{_mandir}/man1/ipa.1.gz
-
-
 %files python-compat
 %defattr(-,root,root,-)
 %doc README Contributors.txt