From 4bae5f4bc8a28fa6255249e2a274700373f2a55f Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 21 Mar 2018 10:45:19 +0200 Subject: [PATCH] More fixes to Fedora 28 beta --- ...rver-roles-should-ignore-errors.Empt.patch | 5 +- ...te-dictionary-has-WSGI_PREFIX_DIR-wh.patch | 31 ------- ...directory-with-new-variables-when-up.patch | 41 +++++++++ ...iguration-upgrade-under-file-based-c.patch | 88 +++++++++++++++++++ ...i-command-when-creating-an-OTP-token.patch | 49 +++++++++++ freeipa.spec | 11 ++- 6 files changed, 190 insertions(+), 35 deletions(-) delete mode 100644 0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch create mode 100644 0002-Update-template-directory-with-new-variables-when-up.patch create mode 100644 0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch create mode 100644 0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch diff --git a/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch b/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch index 3bd5e6f..20f176e 100644 --- a/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch +++ b/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch @@ -1,7 +1,8 @@ -From 782d74463226039647ec0b5caaa1a967d86cc930 Mon Sep 17 00:00:00 2001 +From e161bce61819fbc8fd1b2a0bdfb01ecf9947b733 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Mon, 19 Mar 2018 21:48:04 +0200 -Subject: [PATCH] Processing of server roles should ignore errors.EmptyResult +Subject: [PATCH 1/2] Processing of server roles should ignore + errors.EmptyResult When non-admin user issues a command that utilizes api.Object.config.show_servroles_attributes(), some server roles might diff --git a/0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch b/0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch deleted file mode 100644 index af3d72f..0000000 --- a/0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From ffa274fc72e0d56bca3389d3ba973459053c25f3 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 20 Mar 2018 09:35:51 +0200 -Subject: [PATCH 2/2] Make sure template dictionary has WSGI_PREFIX_DIR when - upgrading ipa.conf.template - -Fixes https://pagure.io/freeipa/issue/7454 -Signed-off-by: Alexander Bokovoy ---- - ipaserver/install/server/upgrade.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index a38f4115c..807d674d7 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -1651,6 +1651,11 @@ def upgrade_configuration(): - - ds_dirname = dsinstance.config_dirname(ds_serverid) - -+ sub_dict['WSGI_PREFIX_DIR'] = paths.WSGI_PREFIX_DIR -+ sub_dict['GSSAPI_SESSION_KEY'] = paths.GSSAPI_SESSION_KEY -+ sub_dict['FONTS_DIR'] = paths.FONTS_DIR -+ sub_dict['IPA_CCACHES'] = paths.IPA_CCACHES -+ sub_dict['IPA_CUSTODIA_SOCKET'] = paths.IPA_CUSTODIA_SOCKET - upgrade_file(sub_dict, paths.HTTPD_IPA_CONF, - os.path.join(paths.USR_SHARE_IPA_DIR, - "ipa.conf.template")) --- -2.14.3 - diff --git a/0002-Update-template-directory-with-new-variables-when-up.patch b/0002-Update-template-directory-with-new-variables-when-up.patch new file mode 100644 index 0000000..8026a76 --- /dev/null +++ b/0002-Update-template-directory-with-new-variables-when-up.patch 
@@ -0,0 +1,41 @@ +From ae35587582f0e4ae1e9fac3270d2f6942f4f7a31 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 20 Mar 2018 09:35:51 +0200 +Subject: [PATCH 2/2] Update template directory with new variables when + upgrading ipa.conf.template + +With e6c707b168067ebb3705c21efc377acd29b23fff we changed httpd +configuration to use abstracted out variables in the template. +However, during upgrade we haven't resolved these variables so an +upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will +fail. + +Add all missing variables to the upgrade code. + +Fixes https://pagure.io/freeipa/issue/7454 +Signed-off-by: Alexander Bokovoy +--- + ipaserver/install/server/upgrade.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index a38f4115c..5654cc32d 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -1617,7 +1617,12 @@ def upgrade_configuration(): + AUTOREDIR='' if auto_redirect else '#', + CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR, + DOGTAG_PORT=8009, +- CLONE='#' ++ CLONE='#', ++ WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR, ++ GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY, ++ FONTS_DIR=paths.FONTS_DIR, ++ IPA_CCACHES=paths.IPA_CCACHES, ++ IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET + ) + + subject_base = find_subject_base() +-- +2.14.3 + diff --git a/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch b/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch new file mode 100644 index 0000000..b5dfe11 --- /dev/null +++ b/0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch 
@@ -0,0 +1,88 @@ +From c25c5c1c85d4ee3aaea7c62a32134c0af56b9004 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 21 Mar 2018 10:33:32 +0200 +Subject: [PATCH] upgrade: Run configuration upgrade under file-based ccache + +Use anonymous file-based ccache to prevent upgrade failures +in case KCM: or KEYRING: ccache type is used by default +in krb5.conf and is not available. We don't need any user +credentials during upgrade procedure but kadmin.local +would attempt to resolve default ccache and if that's not +available, kadmin.local will fail. + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818 +Signed-off-by: Alexander Bokovoy +--- + ipaserver/install/server/upgrade.py | 39 +++++++++++++++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index a38f4115c..00389a914 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -11,10 +11,11 @@ import shutil + import pwd + import fileinput + import sys ++from contextlib import contextmanager + from augeas import Augeas + import dns.exception + from ipalib import api, x509 +-from ipalib.install import certmonger, sysrestore ++from ipalib.install import certmonger, sysrestore, kinit + import SSSDConfig + import ipalib.util + import ipalib.errors +@@ -1926,6 +1927,32 @@ def upgrade_check(options): + logger.warning("Upgrade without version check may break your system") + + ++@contextmanager ++def anonymous_ccache(): ++ kpath = os.path.join(paths.IPA_CCACHES, ++ "upgrade_ccache_{}".format(os.getpid())) ++ ++ try: ++ logger.debug('Obtaining anonymous creds in ccache %s', kpath) ++ kinit.kinit_armor( ++ kpath, ++ pkinit_anchors=[paths.KDC_CERT, paths.KDC_CA_BUNDLE_PEM], ++ ) ++ kdestroy = True ++ except RuntimeError: ++ logger.error("Failed to obtain anonymous creds cache") ++ kdestroy = False ++ old_path = os.getenv('KRB5CCNAME') ++ try: ++ 
os.environ['KRB5CCNAME'] = kpath ++ yield ++ finally: ++ if old_path: ++ os.environ['KRB5CCNAME'] = old_path ++ if kdestroy: ++ installutils.remove_ccache(kpath) ++ ++ + def upgrade(): + realm = api.env.realm + schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f +@@ -1950,7 +1977,15 @@ def upgrade(): + + print('Upgrading IPA services') + logger.info('Upgrading the configuration of the IPA services') +- upgrade_configuration() ++ # Use anonymous file-based ccache to prevent upgrade failures ++ # in case KCM: or KEYRING: ccache type is used by default ++ # in krb5.conf and is not available. We don't need any user ++ # credentials during upgrade procedure but kadmin.local ++ # would attempt to resolve default ccache and if that's not ++ # available, kadmin.local will fail. ++ # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818 ++ with anonymous_ccache(): ++ upgrade_configuration() + logger.info('The IPA services were upgraded') + + # store new data version after upgrade +-- +2.14.3 + diff --git a/0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch b/0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch new file mode 100644 index 0000000..8fddf24 --- /dev/null +++ b/0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch 
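Review bot: In the `finally` of `anonymous_ccache`, `if old_path:` restores KRB5CCNAME only when it was set before, so when the upgrade runs with no KRB5CCNAME in the environment the variable is left pointing at `kpath`, a file `installutils.remove_ccache` has just deleted, and the rest of `upgrade()` (which continues past this hunk) runs with a dangling ccache path. Distinguish "unset" from "empty" and remove the variable again: `if old_path is None: os.environ.pop('KRB5CCNAME', None)` / `else: os.environ['KRB5CCNAME'] = old_path`. The `except RuntimeError` also deserves a check: `kinit.kinit_armor` is not visible here, and if it surfaces a failed anonymous PKINIT as ipautil's CalledProcessError rather than RuntimeError, the exception is not caught and the upgrade aborts in exactly the case the commit message wants to survive. Finally, `upgrade_ccache_<pid>` is a predictable name inside `paths.IPA_CCACHES`; if that directory is writable by the web-server user it is worth confirming that kinit creates the file exclusively, or using a `tempfile`-based name instead.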
@@ -0,0 +1,49 @@ +From 585250368a8841e69176006acb6876abc54843cb Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 20 Mar 2018 16:40:24 +0200 +Subject: [PATCH] use LDAP Whoami command when creating an OTP token + +ipa user-find --whoami is used by ipa otptoken-add to populate +ipaTokenOwner and managedBy attributes. These attributes, in turn are +checked by the self-service ACI which allows to create OTP tokens +assigned to the creator. + +With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in +searches with scope 'one' that result in ipa user-find --whoami +returning 0 results. + +Because ipa user-find --whoami does not work, non-admin user cannot +create a token. This is a regression that can be fixed by using LDAP +Whoami command. + +Fixes: https://pagure.io/freeipa/issue/7456 +Signed-off-by: Alexander Bokovoy +--- + ipaserver/plugins/otptoken.py | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py +index d94ae49ff..17b32094d 100644 +--- a/ipaserver/plugins/otptoken.py ++++ b/ipaserver/plugins/otptoken.py +@@ -311,13 +311,12 @@ class otptoken_add(LDAPCreate): + # If owner was not specified, default to the person adding this token. + # If managedby was not specified, attempt a sensible default. + if 'ipatokenowner' not in entry_attrs or 'managedby' not in entry_attrs: +- result = self.api.Command.user_find( +- whoami=True, no_members=False)['result'] +- if result: +- cur_uid = result[0]['uid'][0] ++ cur_dn = DN(self.api.Backend.ldap2.conn.whoami_s()[4:]) ++ if cur_dn: ++ cur_uid = cur_dn[0].value + prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid) + if cur_uid == prev_uid: +- entry_attrs.setdefault('managedby', result[0]['dn']) ++ entry_attrs.setdefault('managedby', cur_dn.ldap_text()) + + # Resolve the owner's dn + _normalize_owner(self.api.Object.user, entry_attrs) +-- +2.14.3 + 
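Review bot: `self.api.Backend.ldap2.conn.whoami_s()[4:]` assumes the server always answers the Who Am I? request with a `dn: ` authzid; for an anonymous bind the result is an empty string and for a `u:`-style authzid the fixed slice yields a mangled value, which `DN()` may reject with a traceback instead of a clear error. Because this value feeds `ipatokenowner` and `managedby`, the attributes the self-service ACI is keyed on, it should be checked rather than sliced: `authzid = self.api.Backend.ldap2.conn.whoami_s()` / `if not authzid.startswith('dn:'): raise <the error class this module already uses>` and then build the DN from `authzid[3:].strip()`. `cur_dn[0].value` also takes the first RDN regardless of its attribute type, so a bind that is not a user entry (a host or service principal, or cn=Directory Manager) would silently become a bogus uid unless `_normalize_owner` rejects it, whereas the replaced `user_find --whoami` only ever matched user entries. The enclosing method starts and ends outside the hunk.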
diff --git a/freeipa.spec b/freeipa.spec index 801d5b6..2c7d13d 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -100,7 +100,7 @@ Name: freeipa Version: %{VERSION} -Release: 4%{?dist} +Release: 5%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -109,7 +109,9 @@ URL: https://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc Patch0001: 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch -Patch0002: 0002-Make-sure-template-dictionary-has-WSGI_PREFIX_DIR-wh.patch +Patch0002: 0002-Update-template-directory-with-new-variables-when-up.patch +Patch0003: 0003-upgrade-Run-configuration-upgrade-under-file-based-c.patch +Patch0004: 0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -1718,6 +1720,11 @@ fi %endif # with_ipatests %changelog +* Tue Mar 20 2018 Alexander Bokovoy - 4.6.90.pre1-5 +- Apply upstream fix for #1558354 +- Run upgrade under file-based ccache (#1558818) +- Fix OTP token issuance due to regression in https://pagure.io/389-ds-base/issue/49617 + * Tue Mar 20 2018 Adam Williamson - 4.6.90.pre1-4 - Fix upgrades harder (extension of -3 patch) (#1558354)