diff --git a/0002-Make-lint-work-on-Fedora-22.patch b/0002-Make-lint-work-on-Fedora-22.patch new file mode 100644 index 0000000..c91ddbc --- /dev/null +++ b/0002-Make-lint-work-on-Fedora-22.patch 
@@ -0,0 +1,78 @@ +From a0ffcd6f8ba610c20808a2f863d384b7631c64ac Mon Sep 17 00:00:00 2001 +From: David Kupka +Date: Fri, 27 Mar 2015 07:14:27 -0400 +Subject: [PATCH] Make lint work on Fedora 22. + +pylint added 'confidence' parameter to 'add_message' method of PyLinter. +To be compatible with both, pre- and post- 1.4 IPALinter must accept +the parameter but not pass it over. +Also python3 checker was added and enabled by default. FreeIPA is still +not ready for python3. +Additionally few false-positives was marked. +--- + ipalib/plugins/otptoken.py | 1 + + ipapython/dnssec/ldapkeydb.py | 1 + + ipaserver/install/ipa_otptoken_import.py | 1 + + make-lint | 3 ++- + 4 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py +index b87145df80a3be9b16d596dd4072129c2290f40a..867659ec2a867b2dba79922a4e98b7b6254e81bf 100644 +--- a/ipalib/plugins/otptoken.py ++++ b/ipalib/plugins/otptoken.py +@@ -547,6 +547,7 @@ class otptoken_sync(Local): + query = urllib.urlencode(query) + + # Sync the token. 
++ # pylint: disable=E1101 + handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'), + cert_reqs=ssl.CERT_REQUIRED, + ssl_version=ssl.PROTOCOL_TLSv1) +diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py +index 71c0a95a39b1b460178d0b853ed26bf2cfe5bda1..520b510707d432d2e432c55ca25f2a872d832348 100644 +--- a/ipapython/dnssec/ldapkeydb.py ++++ b/ipapython/dnssec/ldapkeydb.py +@@ -23,6 +23,7 @@ def uri_escape(val): + assert len(val) > 0, "zero-length URI component detected" + hexval = hexlify(val) + out = '%' ++ # pylint: disable=E1127 + out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) + return out + +diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py +index b78aba93a2edc987450d921c87ea4f61b014b419..c6a69c9975cc113c10d0dee669f9db619422a9d3 100644 +--- a/ipaserver/install/ipa_otptoken_import.py ++++ b/ipaserver/install/ipa_otptoken_import.py +@@ -60,6 +60,7 @@ def convertDate(value): + + dt = dateutil.parser.parse(value) + ++ # pylint: disable=E1101 + if dt.tzinfo is None: + dt = datetime.datetime(*dt.timetuple()[0:6], + tzinfo=dateutil.tz.tzlocal()) +diff --git a/make-lint b/make-lint +index bd0eb4d75c50c794dbd40444ab035df5a5153d6c..8016d1c3554944d7799aefe0242f4f844e76e32c 100755 +--- a/make-lint ++++ b/make-lint +@@ -143,7 +143,7 @@ class IPALinter(PyLinter): + return + super(IPALinter, self).register_checker(checker) + +- def add_message(self, msg_id, line=None, node=None, args=None): ++ def add_message(self, msg_id, line=None, node=None, args=None, confidence=None): + if line is None and node is not None: + line = node.fromlineno + +@@ -235,6 +235,7 @@ def main(): + '{path}:{line}: [{msg_id}({symbol}), {obj}] {msg})') + linter.set_option('reports', False) + linter.set_option('persistent', False) ++ linter.set_option('disable', 'python3') + + linter.check(files) + +-- +2.1.0 + 
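Review bot: The three new `# pylint: disable=E1101` / `# pylint: disable=E1127` pragmas are placed on lines of their own, which in pylint suppresses the message from that line to the end of the enclosing scope rather than for the single statement that triggers it, so later genuine no-member findings in `otptoken_sync`, `uri_escape` and `convertDate` would be hidden as well. Putting the pragma as a trailing comment on the offending statement, e.g. `handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'),  # pylint: disable=E1101`, limits the suppression to that line. The `add_message` override now accepts `confidence` and deliberately drops it, as the commit message explains, but nothing in the code says so; a comment such as `# 'confidence' exists for pylint >= 1.4 compatibility and is intentionally not forwarded` would stop the next reader from "fixing" it. All three patched function bodies continue outside their inner hunks.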
diff --git a/0002-Timeout-when-performing-time-sync-during-client-inst.patch b/0002-Timeout-when-performing-time-sync-during-client-inst.patch deleted file mode 100644 index 82fa470..0000000 --- a/0002-Timeout-when-performing-time-sync-during-client-inst.patch +++ /dev/null 
@@ -1,105 +0,0 @@ ->From 8c6aaa8a9b2829f9cfff402dc65f2b5a9a93813b Mon Sep 17 00:00:00 2001 -From: Nathan Kinder -Date: Wed, 25 Feb 2015 15:19:47 -0800 -Subject: [PATCH 2/2] Timeout when performing time sync during client install - -We use ntpd now to sync time before fetching a TGT during client -install. Unfortuantely, ntpd will hang forever if it is unable to -reach the NTP server. - -This patch adds the ability for commands run via ipautil.run() to -have an optional timeout. This capability is used by the NTP sync -code that is run during ipa-client-install. - -Ticket: https://fedorahosted.org/freeipa/ticket/4842 ---- - ipa-client/ipaclient/ntpconf.py | 8 +++++++- - ipaplatform/base/paths.py | 1 + - ipapython/ipautil.py | 12 +++++++++++- - 3 files changed, 19 insertions(+), 2 deletions(-) - -diff --git a/ipa-client/ipaclient/ntpconf.py b/ipa-client/ipaclient/ntpconf.py -index e1ac55a..99e43a6 100644 ---- a/ipa-client/ipaclient/ntpconf.py -+++ b/ipa-client/ipaclient/ntpconf.py -@@ -18,6 +18,7 @@ - # - - from ipapython import ipautil -+from ipapython.ipa_log_manager import root_logger - import shutil - import os - from ipaplatform.tasks import tasks -@@ -149,7 +150,12 @@ def synconce_ntp(server_fqdn): - - tmp_ntp_conf = ipautil.write_tmp_file('server %s' % server_fqdn) - try: -- ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name]) -+ # The ntpd command will never exit if it is unable to reach the -+ # server, so timeout after 15 seconds. -+ timeout = 15 -+ root_logger.info('Attempting to sync time using ntpd. 
' -+ 'Will timeout after %s seconds' % timeout) -+ ipautil.run([ntpd, '-qgc', tmp_ntp_conf.name], timeout=timeout) - return True - except ipautil.CalledProcessError: - return False -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index 7922e3b..11c7e92 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -186,6 +186,7 @@ class BasePathNamespace(object): - SSLGET = "/usr/bin/sslget" - SSS_SSH_AUTHORIZEDKEYS = "/usr/bin/sss_ssh_authorizedkeys" - SSS_SSH_KNOWNHOSTSPROXY = "/usr/bin/sss_ssh_knownhostsproxy" -+ BIN_TIMEOUT = "/usr/bin/timeout" - UPDATE_CA_TRUST = "/usr/bin/update-ca-trust" - BIN_WGET = "/usr/bin/wget" - ZIP = "/usr/bin/zip" -diff --git a/ipapython/ipautil.py b/ipapython/ipautil.py -index 4116d97..6a06a8e 100644 ---- a/ipapython/ipautil.py -+++ b/ipapython/ipautil.py -@@ -249,7 +249,7 @@ def shell_quote(string): - - def run(args, stdin=None, raiseonerr=True, - nolog=(), env=None, capture_output=True, skip_output=False, cwd=None, -- runas=None): -+ runas=None, timeout=None): - """ - Execute a command and return stdin, stdout and the process return code. - -@@ -277,6 +277,8 @@ def run(args, stdin=None, raiseonerr=True, - :param cwd: Current working directory - :param runas: Name of a user that the command shold be run as. The spawned - process will have both real and effective UID and GID set. -+ :param timeout: Timeout if the command hasn't returned within the specified -+ number of seconds. - """ - p_in = None - p_out = None -@@ -302,6 +304,11 @@ def run(args, stdin=None, raiseonerr=True, - p_out = subprocess.PIPE - p_err = subprocess.PIPE - -+ if timeout: -+ # If a timeout was provided, use the timeout command -+ # to execute the requested command. 
-+ args[0:0] = [paths.BIN_TIMEOUT, str(timeout)] -+ - arg_string = nolog_replace(' '.join(shell_quote(a) for a in args), nolog) - root_logger.debug('Starting external process') - root_logger.debug('args=%s' % arg_string) -@@ -332,6 +339,9 @@ def run(args, stdin=None, raiseonerr=True, - if skip_output: - p_out.close() # pylint: disable=E1103 - -+ if timeout and p.returncode == 124: -+ root_logger.debug('Process did not complete before timeout') -+ - root_logger.debug('Process finished, return code=%s', p.returncode) - - # The command and its output may include passwords that we don't want --- -1.9.3 - diff --git a/0003-Remove-unused-part-of-ipa.conf.patch b/0003-Remove-unused-part-of-ipa.conf.patch new file mode 100644 index 0000000..89d10f2 --- /dev/null +++ b/0003-Remove-unused-part-of-ipa.conf.patch @@ -0,0 +1,40 @@ +From 206de2b2b8f46f4c41f7df39c952e445329b9170 Mon Sep 17 00:00:00 2001 +From: David Kupka +Date: Mon, 30 Mar 2015 04:11:19 -0400 +Subject: [PATCH 1/3] Remove unused part of ipa.conf. + +Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from +IPA 1.0. +--- + install/conf/ipa.conf | 15 --------------- + 1 file changed, 15 deletions(-) + +diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf +index 7eede73efc559967925d2bbfeee54e1e2efd3e21..62ee955ecfe0be78a3bd377e5aa35a335681621f 100644 +--- a/install/conf/ipa.conf ++++ b/install/conf/ipa.conf +@@ -174,21 +174,6 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi" + AddHandler wsgi-script .py + + +-# Protect our CGIs +- +- AuthType Kerberos +- AuthName "Kerberos Login" +- KrbMethodNegotiate on +- KrbMethodK5Passwd off +- KrbServiceName HTTP +- KrbAuthRealms $REALM +- Krb5KeyTab /etc/httpd/conf/ipa.keytab +- KrbSaveCredentials on +- Require valid-user +- ErrorDocument 401 /ipa/errors/unauthorized.html +- +- +- + # migration related pages + Alias /ipa/migration "/usr/share/ipa/migration" + +-- +2.3.4 + 
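Review bot: Removing the `Protect our CGIs` block drops the `Require valid-user` Kerberos guard from /var/www/cgi-bin, and nothing in this patch shows that the path no longer receives IPA scripts; if any CGI is still shipped or left behind by an older install, it becomes reachable under whatever default policy Apache applies to cgi-bin. The commit message calls the section legacy from IPA 1.0, which is plausible, but the removal is only safe if the package also stops installing into that directory, so this is worth confirming against the spec's %files list before merging. A sentence in the commit message naming what established the directory as unused would document that decision for the next reader.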
diff --git a/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch b/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch new file mode 100644 index 0000000..dc9e998 --- /dev/null +++ b/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch 
@@ -0,0 +1,184 @@ +From d7a856097039b37e77a59aad66d6cdedc3eb6aee Mon Sep 17 00:00:00 2001 +From: David Kupka +Date: Mon, 30 Mar 2015 04:17:55 -0400 +Subject: [PATCH 2/3] Use mod_auth_gssapi instead of mod_auth_kerb. + +https://fedorahosted.org/freeipa/ticket/4190 +--- + freeipa.spec.in | 4 +++- + init/systemd/ipa.conf.tmpfiles | 1 + + install/conf/ipa.conf | 16 +++++----------- + ipalib/session.py | 20 ++++++++++---------- + ipaserver/rpcserver.py | 2 +- + 5 files changed, 20 insertions(+), 23 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} + Requires: ntp + Requires: httpd >= 2.4.6-6 + Requires: mod_wsgi +-Requires: mod_auth_kerb >= 5.4-16 ++Requires: mod_auth_gssapi >= 1.1.0-2 + Requires: mod_nss >= 1.0.8-26 + Requires: python-ldap >= 2.4.15 + Requires: python-krbV +@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam + mkdir -p %{buildroot}%{_localstatedir}/run/ + install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ + install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ ++install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches + + mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 + touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so +@@ -680,6 +681,7 @@ fi + %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter + %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ + %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ ++%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/ + # NOTE: systemd specific section + %{_tmpfilesdir}/%{name}.conf + %attr(644,root,root) %{_unitdir}/ipa.service +diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles +index 
1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644 +--- a/init/systemd/ipa.conf.tmpfiles ++++ b/init/systemd/ipa.conf.tmpfiles +@@ -1,2 +1,3 @@ + d /var/run/ipa_memcached 0700 apache apache + d /var/run/ipa 0700 root root ++d /var/run/httpd/clientcaches 0700 apache apache +diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf +index 62ee955ecfe0be78a3bd377e5aa35a335681621f..871fab8248fcc1c3793ce71bdcb86720a7e31c61 100644 +--- a/install/conf/ipa.conf ++++ b/install/conf/ipa.conf +@@ -3,7 +3,6 @@ + # + # This file may be overwritten on upgrades. + # +-# LoadModule auth_kerb_module modules/mod_auth_kerb.so + + ProxyRequests Off + +@@ -61,19 +60,14 @@ WSGIScriptReloading Off + SetHandler None + + +-KrbConstrainedDelegationLock ipa +- + # Protect /ipa and everything below it in webspace with Apache Kerberos auth + +- AuthType Kerberos ++ AuthType GSSAPI + AuthName "Kerberos Login" +- KrbMethodNegotiate on +- KrbMethodK5Passwd off +- KrbServiceName HTTP +- KrbAuthRealms $REALM +- Krb5KeyTab /etc/httpd/conf/ipa.keytab +- KrbSaveCredentials on +- KrbConstrainedDelegation on ++ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab ++ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab ++ GssapiDelegCcacheDir /var/run/httpd/clientcaches ++ GssapiUseS4U2Proxy on + Require valid-user + ErrorDocument 401 /ipa/errors/unauthorized.html + +diff --git a/ipalib/session.py b/ipalib/session.py +index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644 +--- a/ipalib/session.py ++++ b/ipalib/session.py +@@ -484,7 +484,7 @@ improve authentication performance. First some definitions. + There are 4 major players: + + 1. client +- 2. mod_auth_kerb (in Apache process) ++ 2. mod_auth_gssapi (in Apache process) + 3. wsgi handler (in IPA wsgi python process) + 4. ds (directory server) + +@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI. + + 2. 
Client sends post to /ipa/json. + +- 3. mod_auth_kerb is configured to protect /ipa/json, replies 401 ++ 3. mod_auth_gssapi is configured to protect /ipa/json, replies 401 + authenticate negotiate. + + 4. Client resends with credentials + +- 5. mod_auth_kerb validates credentials ++ 5. mod_auth_gssapi validates credentials + + a. if invalid replies 403 access denied (stops here) + +@@ -550,7 +550,7 @@ A few notes about the session implementation. + Changes to Apache's resource protection + --------------------------------------- + +- * /ipa/json is no longer protected by mod_auth_kerb. This is ++ * /ipa/json is no longer protected by mod_auth_gssapi. This is + necessary to avoid the negotiate expense in steps 3,4,5 + above. Instead the /ipa/json resource will be protected in our wsgi + handler via the session cookie. +@@ -583,15 +583,15 @@ The new sequence is: + + 5. client sends request to /ipa/login to obtain session credentials + +- 6. mod_auth_kerb replies 401 negotiate on /ipa/login ++ 6. mod_auth_gssapi replies 401 negotiate on /ipa/login + + 7. client sends credentials to /ipa/login + +- 8. mod_auth_kerb validates credentials ++ 8. mod_auth_gssapi validates credentials + + a. if valid + +- - mod_auth_kerb permits access to /ipa/login. wsgi handler is ++ - mod_auth_gssapi permits access to /ipa/login. wsgi handler is + invoked and does the following: + + * establishes session for client +@@ -600,7 +600,7 @@ The new sequence is: + + a. if invalid + +- - mod_auth_kerb sends 403 access denied (processing stops) ++ - mod_auth_gssapi sends 403 access denied (processing stops) + + 9. client now posts the same data again to /ipa/json including + session cookie. Processing repeats starting at step 2 and since +@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure + calls are marshalled and unmarshalled. + + Under the new scheme /ipa/xml will continue to be Kerberos protected +-at all times. 
Apache's mod_auth_kerb will continue to require the ++at all times. Apache's mod_auth_gssapi will continue to require the + client provides valid Kerberos credentials. + + When the WSGI handler routes to /ipa/xml the Kerberos credentials will + be extracted from the KRB5CCNAME environment variable as provided by +-mod_auth_kerb. Everything else remains the same. ++mod_auth_gssapi. Everything else remains the same. + + ''' + +diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py +index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644 +--- a/ipaserver/rpcserver.py ++++ b/ipaserver/rpcserver.py +@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status): + def __call__(self, environ, start_response): + self.debug('WSGI login_kerberos.__call__:') + +- # Get the ccache created by mod_auth_kerb ++ # Get the ccache created by mod_auth_gssapi + user_ccache_name=environ.get('KRB5CCNAME') + if user_ccache_name is None: + return self.internal_error(environ, start_response, +-- +2.3.4 + diff --git a/0005-Bump-ipa.conf-version-to-17.patch b/0005-Bump-ipa.conf-version-to-17.patch new file mode 100644 index 0000000..7329417 --- /dev/null +++ b/0005-Bump-ipa.conf-version-to-17.patch @@ -0,0 +1,23 @@ +From 12f1eaf7feeb2ee3f50c2e90cffd0849a42a2c81 Mon Sep 17 00:00:00 2001 +From: David Kupka +Date: Mon, 30 Mar 2015 04:18:11 -0400 +Subject: [PATCH 3/3] Bump ipa.conf version to 17. + +--- + install/conf/ipa.conf | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf +index 871fab8248fcc1c3793ce71bdcb86720a7e31c61..92637c04d4f961a0b7f016fe125341c63f400285 100644 +--- a/install/conf/ipa.conf ++++ b/install/conf/ipa.conf +@@ -1,5 +1,5 @@ + # +-# VERSION 16 - DO NOT REMOVE THIS LINE ++# VERSION 17 - DO NOT REMOVE THIS LINE + # + # This file may be overwritten on upgrades. + # +-- +2.3.4 + diff --git a/freeipa.spec b/freeipa.spec index ac2e9ae..e1e21e9 100644 
--- a/freeipa.spec +++ b/freeipa.spec @@ -25,7 +25,7 @@ Name: freeipa Version: %{VERSION} -Release: 1%{?dist} +Release: 2%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -35,6 +35,10 @@ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch0001: 0001-Skip-time-sync-during-client-install-when-using-no-n.patch +Patch0002: 0002-Make-lint-work-on-Fedora-22.patch +Patch0003: 0003-Remove-unused-part-of-ipa.conf.patch +Patch0004: 0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch +Patch0005: 0005-Bump-ipa.conf-version-to-17.patch %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.3.8 @@ -120,7 +124,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp Requires: httpd >= 2.4.6-6 Requires: mod_wsgi -Requires: mod_auth_kerb >= 5.4-16 +Requires: mod_auth_gssapi >= 1.1.0-2 Requires: mod_nss >= 1.0.8-26 Requires: python-ldap >= 2.4.15 Requires: python-krbV @@ -492,6 +496,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so @@ -708,6 +713,7 @@ fi %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/ # NOTE: systemd specific section %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa.service 
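Review bot: The four new `Patch000N:` declarations in the `@@ -35,6 +35,10 @@` hunk have no matching application visible in these hunks; if `%prep` in this spec applies patches with explicit `%patch` lines rather than `%autosetup` or `%autopatch`, the patches are declared but never applied and the build would silently ship without the mod_auth_gssapi change the changelog announces. The `%prep` section lies outside the visible hunks, so this needs checking there. The `Requires: mod_auth_gssapi >= 1.1.0-2` line matches the one patch 0004 adds to freeipa.spec.in, which keeps the two in sync.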
@@ -941,6 +947,9 @@ fi %endif # ONLY_CLIENT %changelog +* Mon Mar 30 2015 Petr Vobornik - 4.1.4-2 +- Replace mod_auth_kerb usage with mod_auth_gssapi + * Thu Mar 26 2015 Alexander Bokovoy - 4.1.4-1 - Update to upstream 4.1.4 - see http://www.freeipa.org/page/Releases/4.1.4 - fix CVE-2015-1827 (#1206047)
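Review bot: The 4.1.4-2 changelog entry names only the mod_auth_gssapi switch, while the release also adds the Fedora 22 lint fix (Patch0002) and the ipa.conf cgi-bin cleanup (Patch0003); one line per change, e.g. `- Make lint work on Fedora 22` and `- Remove unused cgi-bin section from ipa.conf`, keeps the package history complete. The deleted 0002-Timeout patch file does not appear in the spec's Patch list before or after this change, so its removal looks like orphan cleanup; a short changelog mention would stop a reader from assuming the client-install timeout feature was dropped from the build.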