diff --git a/.gitignore b/.gitignore
index daedcd2..171cd00 100644
--- a/.gitignore
+++ b/.gitignore
@@ -74,3 +74,5 @@
/freeipa-4.7.2.tar.gz.asc
/freeipa-4.7.90.pre1.tar.gz
/freeipa-4.7.90.pre1.tar.gz.asc
+/freeipa-4.8.0.tar.gz
+/freeipa-4.8.0.tar.gz.asc
diff --git a/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch b/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
deleted file mode 100644
index 5d479d6..0000000
--- a/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001
-From: Adam Williamson <awilliam@redhat.com>
-Date: Wed, 1 May 2019 16:19:53 -0700
-Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5)
-
-On Fedora/RHEL, it does not have a dash in it. The changes in
-da2cf1c5 inadvertently added a dash to the path in the 'base'
-paths definition (used on Fedora/RHEL), so the font wasn't found.
-
-Signed-off-by: Adam Williamson <awilliam@redhat.com>
----
- ipaplatform/base/paths.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 1cd2591bc..e1d396690 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -249,7 +249,7 @@ class BasePathNamespace:
- USERADD = "/usr/sbin/useradd"
- FONTS_DIR = "/usr/share/fonts"
- FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans"
-- FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome"
-+ FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome"
- USR_SHARE_IPA_DIR = "/usr/share/ipa/"
- USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client"
- CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif"
---
-2.21.0
-
diff --git a/0001-revert-minssf-defaults.patch b/0001-revert-minssf-defaults.patch
deleted file mode 100644
index 777c13e..0000000
--- a/0001-revert-minssf-defaults.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 1 May 2019 21:25:31 +0300
-Subject: [PATCH] Revert "Require a minimum SASL security factor of 56"
-
-This reverts commit 350954589774499d99bf87cb5631c664bb0707c4.
----
- install/share/Makefile.am | 1 -
- install/share/min-ssf.ldif | 14 --------------
- ipalib/constants.py | 3 ---
- ipapython/ipaldap.py | 17 ++---------------
- ipaserver/install/dsinstance.py | 5 -----
- 5 files changed, 2 insertions(+), 38 deletions(-)
- delete mode 100644 install/share/min-ssf.ldif
-
-diff --git a/install/share/Makefile.am b/install/share/Makefile.am
-index be83bdf75..8d039d95c 100644
---- a/install/share/Makefile.am
-+++ b/install/share/Makefile.am
-@@ -94,7 +94,6 @@ dist_app_DATA = \
- ipa-kdc-proxy.conf.template \
- ipa-pki-proxy.conf.template \
- ipa-rewrite.conf.template \
-- min-ssf.ldif \
- ipaca_default.ini \
- ipaca_customize.ini \
- ipaca_softhsm2.ini \
-diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif
-deleted file mode 100644
-index 1c2566f84..000000000
---- a/install/share/min-ssf.ldif
-+++ /dev/null
-@@ -1,14 +0,0 @@
--# config
--# pretend SSF for LDAPI connections
--# nsslapd-localssf must be equal to or greater than nsslapd-minssf
--dn: cn=config
--changetype: modify
--replace: nsslapd-localssf
--nsslapd-localssf: 256
--
--# minimum security strength factor for SASL and TLS
--# 56 is considered weak, but some old clients announce wrong SSF.
--dn: cn=config
--changetype: modify
--replace: nsslapd-minssf
--nsslapd-minssf: 56
-diff --git a/ipalib/constants.py b/ipalib/constants.py
-index bcf6f3373..c22dd26ae 100644
---- a/ipalib/constants.py
-+++ b/ipalib/constants.py
-@@ -311,9 +311,6 @@ TLS_VERSIONS = [
- ]
- TLS_VERSION_MINIMAL = "tls1.0"
-
--# minimum SASL secure strength factor for LDAP connections
--# 56 provides backwards compatibility with old libraries.
--LDAP_SSF_MIN_THRESHOLD = 56
-
- # Use cache path
- USER_CACHE_PATH = (
-diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
-index d9d67be1d..9ff443fe4 100644
---- a/ipapython/ipaldap.py
-+++ b/ipapython/ipaldap.py
-@@ -43,9 +43,7 @@ import six
-
- # pylint: disable=ipa-forbidden-import
- from ipalib import errors, x509, _
--from ipalib.constants import (
-- LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD
--)
-+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT
- # pylint: enable=ipa-forbidden-import
- from ipaplatform.paths import paths
- from ipapython.ipautil import format_netloc, CIDict
-@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name):
- return 'ldapi://' + ldapurl.ldapUrlEscape(socketname)
-
-
--def ldap_initialize(uri, cacertfile=None,
-- ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD):
-+def ldap_initialize(uri, cacertfile=None):
- """Wrapper around ldap.initialize()
-
- The function undoes global and local ldap.conf settings that may cause
-@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None,
- locations, also known as system-wide trust store.
- * Cert validation is enforced.
- * SSLv2 and SSLv3 are disabled.
-- * Require a minimum SASL security factor of 56. That level ensures
-- data integrity and confidentiality. Although at least AES128 is
-- enforced pretty much everywhere, 56 is required for backwards
-- compatibility with systems that announce wrong SSF.
- """
- conn = ldap.initialize(uri)
-
-@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None,
- conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON)
-
- if not uri.startswith('ldapi://'):
-- # require a minimum SSF for TCP connections, but don't lower SSF_MIN
-- # if the current value is already larger.
-- cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN)
-- if cur_min_ssf < ssf_min_threshold:
-- conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold)
--
- if cacertfile:
- if not os.path.isfile(cacertfile):
- raise IOError(errno.ENOENT, cacertfile)
-diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
-index 8240e3043..9f05db1db 100644
---- a/ipaserver/install/dsinstance.py
-+++ b/ipaserver/install/dsinstance.py
-@@ -324,8 +324,6 @@ class DsInstance(service.Service):
- else:
- self.step("importing CA certificates from LDAP",
- self.__import_ca_certs)
-- # set min SSF after DS is configured for TLS
-- self.step("require minimal SSF", self.__min_ssf)
- self.step("restarting directory server", self.__restart_instance)
-
- self.start_creation()
-@@ -1243,9 +1241,6 @@ class DsInstance(service.Service):
- dm_password=self.dm_password
- )
-
-- def __min_ssf(self):
-- self._ldap_mod("min-ssf.ldif")
--
- def __add_sudo_binduser(self):
- self._ldap_mod("sudobind.ldif", self.sub_dict)
-
---
-2.21.0
-
diff --git a/0002-upgrade-adtrust-when-no-trusts.patch b/0002-upgrade-adtrust-when-no-trusts.patch
deleted file mode 100644
index b98c49f..0000000
--- a/0002-upgrade-adtrust-when-no-trusts.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sat, 11 May 2019 11:54:40 +0300
-Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of
- trusts
-
-Upgrade failure when ipa-server-upgrade is being run on a system with no
-trust established but trust configured
-
-Fixes: https://pagure.io/freeipa/issue/7939
----
- ipaserver/install/plugins/adtrust.py | 16 +++++++++++-----
- 1 file changed, 11 insertions(+), 5 deletions(-)
-
-diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
-index 6b4e2caa2..cdc3a8b04 100644
---- a/ipaserver/install/plugins/adtrust.py
-+++ b/ipaserver/install/plugins/adtrust.py
-@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater):
-
- trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn
-
-- trusts = ldap.get_entries(
-- base_dn=trusts_dn,
-- scope=ldap.SCOPE_ONELEVEL,
-- filter=self.trust_filter,
-- attrs_list=self.trust_attrs)
-+ # We might be in a situation when no trusts exist yet
-+ # In such case there is nothing to upgrade but we have to catch
-+ # an exception or it will abort the whole upgrade process
-+ try:
-+ trusts = ldap.get_entries(
-+ base_dn=trusts_dn,
-+ scope=ldap.SCOPE_ONELEVEL,
-+ filter=self.trust_filter,
-+ attrs_list=self.trust_attrs)
-+ except errors.EmptyResult:
-+ trusts = []
-
- # For every trust, retrieve its principals and convert
- for t_entry in trusts:
---
-2.21.0
-
diff --git a/freeipa.spec b/freeipa.spec
index 80dbb1e..ad7cdf3 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -101,7 +101,7 @@
# 10.6.7 fixes UpdateNumberRange clone installation issue
# https://pagure.io/freeipa/issue/7654 and empty token issue
# and https://pagure.io/dogtagpki/issue/3073
-%global pki_version 10.6.8-3
+%global pki_version 10.7.0-1
# https://pagure.io/certmonger/issue/90
%global certmonger_version 0.79.7-1
@@ -114,7 +114,7 @@
%global nss_version 3.41.0-1
%endif
-%global sssd_version 2.1.0-2
+%global sssd_version 2.2.0-1
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
@@ -126,7 +126,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.7.90.pre1
+%define IPA_VERSION 4.8.0
%define AT_SIGN @
# redefine IPA_VERSION only if its value matches the Autoconf placeholder
%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}"
@@ -135,18 +135,13 @@
Name: %{package_name}
Version: %{IPA_VERSION}
-Release: 6%{?dist}
+Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
URL: http://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc
-Patch0001: 0001-revert-minssf-defaults.patch
-# https://github.com/freeipa/freeipa/pull/3104
-# Fix an error in the path the webUI uses for fontawesome
-Patch0002: 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
-Patch0003: 0002-upgrade-adtrust-when-no-trusts.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@@ -535,6 +530,23 @@ If your network uses IPA for authentication, this package should be
installed on every client machine.
This package provides command-line tools for IPA administrators.
+%package client-samba
+Summary: Tools to configure Samba on IPA client
+Group: System Environment/Base
+Requires: %{name}-client = %{version}-%{release}
+Requires: python3-samba
+Requires: samba-client
+Requires: samba-winbind
+Requires: samba-common-tools
+Requires: samba
+Requires: sssd-winbind-idmap
+Requires: tdb-tools
+Requires: cifs-utils
+
+%description client-samba
+This package provides command-line tools to deploy Samba domain member
+on the machine enrolled into a FreeIPA environment
+
%package -n python3-ipaclient
Summary: Python libraries used by IPA client
BuildArch: noarch
@@ -1014,6 +1026,7 @@ fi
%{_sbindir}/ipa-winsync-migrate
%{_sbindir}/ipa-pkinit-manage
%{_sbindir}/ipa-crlgen-manage
+%{_sbindir}/ipa-cert-fix
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/certmonger/ipa-server-guard
%{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
@@ -1078,6 +1091,7 @@ fi
%{_mandir}/man1/ipa-winsync-migrate.1*
%{_mandir}/man1/ipa-pkinit-manage.1*
%{_mandir}/man1/ipa-crlgen-manage.1*
+%{_mandir}/man1/ipa-cert-fix.1*
%files -n python3-ipaserver
@@ -1211,6 +1225,7 @@ fi
%{_sbindir}/ipa-join
%{_bindir}/ipa
%config %{_sysconfdir}/bash_completion.d
+%config %{_sysconfdir}/sysconfig/certmonger
%{_mandir}/man1/ipa.1*
%{_mandir}/man1/ipa-getkeytab.1*
%{_mandir}/man1/ipa-rmkeytab.1*
@@ -1219,6 +1234,12 @@ fi
%{_mandir}/man1/ipa-certupdate.1*
%{_mandir}/man1/ipa-join.1*
+%files client-samba
+%doc README.md Contributors.txt
+%license COPYING
+%{_sbindir}/ipa-client-samba
+%{_mandir}/man1/ipa-client-samba.1*
+
%files -n python3-ipaclient
%doc README.md Contributors.txt
%license COPYING
@@ -1312,6 +1333,10 @@ fi
%changelog
+* Wed Jul 03 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.8.0-1
+- New upstream release 4.8.0
+- New subpackage: freeipa-client-samba
+
* Sat May 11 2019 Alexander Bokovoy <abokovoy@redhat.com> - 4.7.90.pre1-6
- Upgrade: handle situation when trusts were configured but not established yet
Fixed: rhbz#1708808
diff --git a/sources b/sources
index 1f78d2f..05bd694 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,2 @@
-SHA512 (freeipa-4.7.2.tar.gz) = 11d805fe0c085b285bace571912c3b541fc5aa9207c87ec31e22ac5fcfd2fa410e9a7ce4aafc88821e57c0be99a38d98d0c824e46bc85d968b4937f8599d9d5f
-SHA512 (freeipa-4.7.2.tar.gz.asc) = ab4215555eb6458ccefc0038976d39ed3f708eaa6bc7fe7eea3e72af285665501da6275c881897584d178f4a1ea290d23051a1591f1b14b30691fea1cc05b641
-SHA512 (freeipa-4.7.90.pre1.tar.gz) = 97c61d24f37b72aca838e6b67756af106329d8a933e6c8f7eaff362aae7943463b0efa5a6f99874513e95621666fc0a9adf58b44d5fa0be9b10e64c8ce2d9235
-SHA512 (freeipa-4.7.90.pre1.tar.gz.asc) = 0109dfa2846fbac79c7ef8b7427ce96d3d1a1aac8998d66616194fe30501e342bf6c1f251d460ddd4fd9d3f7d8ab100358adbd26c7bfc69e393a1a1c3ef1c016
+SHA512 (freeipa-4.8.0.tar.gz) = f1c0831d97adee4f951972b7a6096ba4458704514ac1ead4e6ed0072524ac320750d690315c0b8d3a51b2f51d66dea81cf224ce417bd5d2eeb65ffe0c45c9229
+SHA512 (freeipa-4.8.0.tar.gz.asc) = 8d8b3de2ea0eab4a2ce1a063b686927cb1e95b60d5da7c945633edc79252c113c2b44e98299be34efd32526c421335f4344b1a20b6483011c1319d4284af2934