From 5eefa180c14427c6b5031866e0aa1a440f25474b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy
Date: Wed, 3 Jul 2019 10:26:16 +0300
Subject: [PATCH] FreeIPA 4.8.0 release
---
.gitignore | 2 +
...-fontawesome-path-broken-by-da2cf1c5.patch | 30 ----
0001-revert-minssf-defaults.patch | 136 ------------------
0002-upgrade-adtrust-when-no-trusts.patch | 44 ------
freeipa.spec | 43 ++++--
sources | 6 +-
6 files changed, 38 insertions(+), 223 deletions(-)
delete mode 100644 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
delete mode 100644 0001-revert-minssf-defaults.patch
delete mode 100644 0002-upgrade-adtrust-when-no-trusts.patch
diff --git a/.gitignore b/.gitignore
index daedcd2..171cd00 100644
--- a/.gitignore
+++ b/.gitignore
@@ -74,3 +74,5 @@
 /freeipa-4.7.2.tar.gz.asc
 /freeipa-4.7.90.pre1.tar.gz
 /freeipa-4.7.90.pre1.tar.gz.asc
+/freeipa-4.8.0.tar.gz
+/freeipa-4.8.0.tar.gz.asc
diff --git a/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch b/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
deleted file mode 100644
index 5d479d6..0000000
--- a/0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch
+++ /dev/null
@@ -1,30 +0,0 @@ -From 486ba017ceab1fb240f2fc48fea6169bc8c97319 Mon Sep 17 00:00:00 2001 -From: Adam Williamson -Date: Wed, 1 May 2019 16:19:53 -0700 -Subject: [PATCH] Correct default fontawesome path (broken by da2cf1c5) - -On Fedora/RHEL, it does not have a dash in it. The changes in -da2cf1c5 inadvertently added a dash to the path in the 'base' -paths definition (used on Fedora/RHEL), so the font wasn't found. - -Signed-off-by: Adam Williamson ---- - ipaplatform/base/paths.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index 1cd2591bc..e1d396690 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -249,7 +249,7 @@ class BasePathNamespace: - USERADD = "/usr/sbin/useradd" - FONTS_DIR = "/usr/share/fonts" - FONTS_OPENSANS_DIR = "/usr/share/fonts/open-sans" -- FONTS_FONTAWESOME_DIR = "/usr/share/fonts/font-awesome" -+ FONTS_FONTAWESOME_DIR = "/usr/share/fonts/fontawesome" - USR_SHARE_IPA_DIR = "/usr/share/ipa/" - USR_SHARE_IPA_CLIENT_DIR = "/usr/share/ipa/client" - CA_TOPOLOGY_ULDIF = "/usr/share/ipa/ca-topology.uldif" --- -2.21.0 - diff --git a/0001-revert-minssf-defaults.patch b/0001-revert-minssf-defaults.patch deleted file mode 100644 index 777c13e..0000000 --- a/0001-revert-minssf-defaults.patch +++ /dev/null 
@@ -1,136 +0,0 @@ -From 8177734d3b6c141c251c74ee29d223a7d414ab13 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 1 May 2019 21:25:31 +0300 -Subject: [PATCH] Revert "Require a minimum SASL security factor of 56" - -This reverts commit 350954589774499d99bf87cb5631c664bb0707c4. ---- - install/share/Makefile.am | 1 - - install/share/min-ssf.ldif | 14 -------------- - ipalib/constants.py | 3 --- - ipapython/ipaldap.py | 17 ++--------------- - ipaserver/install/dsinstance.py | 5 ----- - 5 files changed, 2 insertions(+), 38 deletions(-) - delete mode 100644 install/share/min-ssf.ldif - -diff --git a/install/share/Makefile.am b/install/share/Makefile.am -index be83bdf75..8d039d95c 100644 ---- a/install/share/Makefile.am -+++ b/install/share/Makefile.am -@@ -94,7 +94,6 @@ dist_app_DATA = \ - ipa-kdc-proxy.conf.template \ - ipa-pki-proxy.conf.template \ - ipa-rewrite.conf.template \ -- min-ssf.ldif \ - ipaca_default.ini \ - ipaca_customize.ini \ - ipaca_softhsm2.ini \ -diff --git a/install/share/min-ssf.ldif b/install/share/min-ssf.ldif -deleted file mode 100644 -index 1c2566f84..000000000 ---- a/install/share/min-ssf.ldif -+++ /dev/null -@@ -1,14 +0,0 @@ --# config --# pretend SSF for LDAPI connections --# nsslapd-localssf must be equal to or greater than nsslapd-minssf --dn: cn=config --changetype: modify --replace: nsslapd-localssf --nsslapd-localssf: 256 -- --# minimum security strength factor for SASL and TLS --# 56 is considered weak, but some old clients announce wrong SSF. --dn: cn=config --changetype: modify --replace: nsslapd-minssf --nsslapd-minssf: 56 -diff --git a/ipalib/constants.py b/ipalib/constants.py -index bcf6f3373..c22dd26ae 100644 ---- a/ipalib/constants.py -+++ b/ipalib/constants.py -@@ -311,9 +311,6 @@ TLS_VERSIONS = [ - ] - TLS_VERSION_MINIMAL = "tls1.0" - --# minimum SASL secure strength factor for LDAP connections --# 56 provides backwards compatibility with old libraries. 
--LDAP_SSF_MIN_THRESHOLD = 56 - - # Use cache path - USER_CACHE_PATH = ( -diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py -index d9d67be1d..9ff443fe4 100644 ---- a/ipapython/ipaldap.py -+++ b/ipapython/ipaldap.py -@@ -43,9 +43,7 @@ import six - - # pylint: disable=ipa-forbidden-import - from ipalib import errors, x509, _ --from ipalib.constants import ( -- LDAP_GENERALIZED_TIME_FORMAT, LDAP_SSF_MIN_THRESHOLD --) -+from ipalib.constants import LDAP_GENERALIZED_TIME_FORMAT - # pylint: enable=ipa-forbidden-import - from ipaplatform.paths import paths - from ipapython.ipautil import format_netloc, CIDict -@@ -105,8 +103,7 @@ def realm_to_ldapi_uri(realm_name): - return 'ldapi://' + ldapurl.ldapUrlEscape(socketname) - - --def ldap_initialize(uri, cacertfile=None, -- ssf_min_threshold=LDAP_SSF_MIN_THRESHOLD): -+def ldap_initialize(uri, cacertfile=None): - """Wrapper around ldap.initialize() - - The function undoes global and local ldap.conf settings that may cause -@@ -117,10 +114,6 @@ def ldap_initialize(uri, cacertfile=None, - locations, also known as system-wide trust store. - * Cert validation is enforced. - * SSLv2 and SSLv3 are disabled. -- * Require a minimum SASL security factor of 56. That level ensures -- data integrity and confidentiality. Although at least AES128 is -- enforced pretty much everywhere, 56 is required for backwards -- compatibility with systems that announce wrong SSF. - """ - conn = ldap.initialize(uri) - -@@ -128,12 +121,6 @@ def ldap_initialize(uri, cacertfile=None, - conn.set_option(ldap.OPT_X_SASL_NOCANON, ldap.OPT_ON) - - if not uri.startswith('ldapi://'): -- # require a minimum SSF for TCP connections, but don't lower SSF_MIN -- # if the current value is already larger. 
-- cur_min_ssf = conn.get_option(ldap.OPT_X_SASL_SSF_MIN) -- if cur_min_ssf < ssf_min_threshold: -- conn.set_option(ldap.OPT_X_SASL_SSF_MIN, ssf_min_threshold) -- - if cacertfile: - if not os.path.isfile(cacertfile): - raise IOError(errno.ENOENT, cacertfile) -diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py -index 8240e3043..9f05db1db 100644 ---- a/ipaserver/install/dsinstance.py -+++ b/ipaserver/install/dsinstance.py -@@ -324,8 +324,6 @@ class DsInstance(service.Service): - else: - self.step("importing CA certificates from LDAP", - self.__import_ca_certs) -- # set min SSF after DS is configured for TLS -- self.step("require minimal SSF", self.__min_ssf) - self.step("restarting directory server", self.__restart_instance) - - self.start_creation() -@@ -1243,9 +1241,6 @@ class DsInstance(service.Service): - dm_password=self.dm_password - ) - -- def __min_ssf(self): -- self._ldap_mod("min-ssf.ldif") -- - def __add_sudo_binduser(self): - self._ldap_mod("sudobind.ldif", self.sub_dict) - --- -2.21.0 - diff --git a/0002-upgrade-adtrust-when-no-trusts.patch b/0002-upgrade-adtrust-when-no-trusts.patch deleted file mode 100644 index b98c49f..0000000 --- a/0002-upgrade-adtrust-when-no-trusts.patch +++ /dev/null 
@@ -1,44 +0,0 @@ -From 528a21996734467be193673e4f987e7e3acc3ad9 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Sat, 11 May 2019 11:54:40 +0300 -Subject: [PATCH] upgrade: adtrust - catch empty result when retrieving list of - trusts - -Upgrade failure when ipa-server-upgrade is being run on a system with no -trust established but trust configured - -Fixes: https://pagure.io/freeipa/issue/7939 ---- - ipaserver/install/plugins/adtrust.py | 16 +++++++++++----- - 1 file changed, 11 insertions(+), 5 deletions(-) - -diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py -index 6b4e2caa2..cdc3a8b04 100644 ---- a/ipaserver/install/plugins/adtrust.py -+++ b/ipaserver/install/plugins/adtrust.py -@@ -609,11 +609,17 @@ class update_tdo_to_new_layout(Updater): - - trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn - -- trusts = ldap.get_entries( -- base_dn=trusts_dn, -- scope=ldap.SCOPE_ONELEVEL, -- filter=self.trust_filter, -- attrs_list=self.trust_attrs) -+ # We might be in a situation when no trusts exist yet -+ # In such case there is nothing to upgrade but we have to catch -+ # an exception or it will abort the whole upgrade process -+ try: -+ trusts = ldap.get_entries( -+ base_dn=trusts_dn, -+ scope=ldap.SCOPE_ONELEVEL, -+ filter=self.trust_filter, -+ attrs_list=self.trust_attrs) -+ except errors.EmptyResult: -+ trusts = [] - - # For every trust, retrieve its principals and convert - for t_entry in trusts: --- -2.21.0 - diff --git a/freeipa.spec b/freeipa.spec index 80dbb1e..ad7cdf3 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -101,7 +101,7 @@ # 10.6.7 fixes UpdateNumberRange clone installation issue # https://pagure.io/freeipa/issue/7654 and empty token issue # and https://pagure.io/dogtagpki/issue/3073 -%global pki_version 10.6.8-3 +%global pki_version 10.7.0-1 # https://pagure.io/certmonger/issue/90 %global certmonger_version 0.79.7-1 
@@ -114,7 +114,7 @@ %global nss_version 3.41.0-1 %endif -%global sssd_version 2.1.0-2 +%global sssd_version 2.2.0-1 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+') @@ -126,7 +126,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.7.90.pre1 +%define IPA_VERSION 4.8.0 %define AT_SIGN @ # redefine IPA_VERSION only if its value matches the Autoconf placeholder %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" @@ -135,18 +135,13 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 6%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz.asc -Patch0001: 0001-revert-minssf-defaults.patch -# https://github.com/freeipa/freeipa/pull/3104 -# Fix an error in the path the webUI uses for fontawesome -Patch0002: 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch -Patch0003: 0002-upgrade-adtrust-when-no-trusts.patch # For the timestamp trick in patch application BuildRequires: diffstat 
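Review bot: In the `@@ -135,18 +135,13 @@` hunk, `Patch0001: 0001-revert-minssf-defaults.patch` is dropped with no record of whether the 4.8.0 tarball still carries that revert. The deleted patch removed the `nsslapd-minssf: 56` setting and the `OPT_X_SASL_SSF_MIN` floor in `ldap_initialize()`. If 4.8.0 does not include the revert (not visible here), this update changes the minimum SASL/TLS strength that the directory server and LDAP clients enforce, which can lock out older clients. Once that is confirmed against the 4.8.0 sources, the `%changelog` entry should state it, for example `- Drop downstream patches merged upstream (minssf revert, fontawesome path, adtrust upgrade)`.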
@@ -535,6 +530,23 @@ If your network uses IPA for authentication, this package should be installed on every client machine. This package provides command-line tools for IPA administrators. +%package client-samba +Summary: Tools to configure Samba on IPA client +Group: System Environment/Base +Requires: %{name}-client = %{version}-%{release} +Requires: python3-samba +Requires: samba-client +Requires: samba-winbind +Requires: samba-common-tools +Requires: samba +Requires: sssd-winbind-idmap +Requires: tdb-tools +Requires: cifs-utils + +%description client-samba +This package provides command-line tools to deploy Samba domain member +on the machine enrolled into a FreeIPA environment + %package -n python3-ipaclient Summary: Python libraries used by IPA client BuildArch: noarch @@ -1014,6 +1026,7 @@ fi %{_sbindir}/ipa-winsync-migrate %{_sbindir}/ipa-pkinit-manage %{_sbindir}/ipa-crlgen-manage +%{_sbindir}/ipa-cert-fix %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap @@ -1078,6 +1091,7 @@ fi %{_mandir}/man1/ipa-winsync-migrate.1* %{_mandir}/man1/ipa-pkinit-manage.1* %{_mandir}/man1/ipa-crlgen-manage.1* +%{_mandir}/man1/ipa-cert-fix.1* %files -n python3-ipaserver @@ -1211,6 +1225,7 @@ fi %{_sbindir}/ipa-join %{_bindir}/ipa %config %{_sysconfdir}/bash_completion.d +%config %{_sysconfdir}/sysconfig/certmonger %{_mandir}/man1/ipa.1* %{_mandir}/man1/ipa-getkeytab.1* %{_mandir}/man1/ipa-rmkeytab.1* @@ -1219,6 +1234,12 @@ fi %{_mandir}/man1/ipa-certupdate.1* %{_mandir}/man1/ipa-join.1* +%files client-samba +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-client-samba +%{_mandir}/man1/ipa-client-samba.1* + %files -n python3-ipaclient %doc README.md Contributors.txt %license COPYING 
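Review bot: The new `%package client-samba` block in the `@@ -535,6 +530,23 @@` hunk lists eight dependencies with unversioned `Requires:`, although this spec defines version globals such as `sssd_version` for exactly this purpose. `sssd-winbind-idmap` presumably has to match the SSSD the client was built against, so `Requires: sssd-winbind-idmap >= %{sssd_version}` would keep the pair in step; confirm this against how the other sssd packages are required outside this hunk. The `Group:` tag is no longer used in Fedora specs and can be dropped, and the `%description` text lacks its final period.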
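Review bot: In the `@@ -1211,6 +1225,7 @@` hunk, `%config %{_sysconfdir}/sysconfig/certmonger` is added without `(noreplace)`, so a package update replaces an administrator's edited copy and keeps the edit only as `.rpmsave`. If local changes to this file are meant to survive upgrades, use `%config(noreplace) %{_sysconfdir}/sysconfig/certmonger`. The path also looks like one the certmonger package itself could own; check that the two packages do not both claim it, since that cannot be seen from this hunk. The `%files` section this line belongs to starts outside the hunk.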
@@ -1312,6 +1333,10 @@ fi %changelog +* Wed Jul 03 2019 Alexander Bokovoy - 4.8.0-1 +- New upstream release 4.8.0 +- New subpackage: freeipa-client-samba + * Sat May 11 2019 Alexander Bokovoy - 4.7.90.pre1-6 - Upgrade: handle situation when trusts were configured but not established yet Fixed: rhbz#1708808 diff --git a/sources b/sources index 1f78d2f..05bd694 100644 --- a/sources +++ b/sources @@ -1,4 +1,2 @@ -SHA512 (freeipa-4.7.2.tar.gz) = 11d805fe0c085b285bace571912c3b541fc5aa9207c87ec31e22ac5fcfd2fa410e9a7ce4aafc88821e57c0be99a38d98d0c824e46bc85d968b4937f8599d9d5f -SHA512 (freeipa-4.7.2.tar.gz.asc) = ab4215555eb6458ccefc0038976d39ed3f708eaa6bc7fe7eea3e72af285665501da6275c881897584d178f4a1ea290d23051a1591f1b14b30691fea1cc05b641 -SHA512 (freeipa-4.7.90.pre1.tar.gz) = 97c61d24f37b72aca838e6b67756af106329d8a933e6c8f7eaff362aae7943463b0efa5a6f99874513e95621666fc0a9adf58b44d5fa0be9b10e64c8ce2d9235 -SHA512 (freeipa-4.7.90.pre1.tar.gz.asc) = 0109dfa2846fbac79c7ef8b7427ce96d3d1a1aac8998d66616194fe30501e342bf6c1f251d460ddd4fd9d3f7d8ab100358adbd26c7bfc69e393a1a1c3ef1c016 +SHA512 (freeipa-4.8.0.tar.gz) = f1c0831d97adee4f951972b7a6096ba4458704514ac1ead4e6ed0072524ac320750d690315c0b8d3a51b2f51d66dea81cf224ce417bd5d2eeb65ffe0c45c9229 +SHA512 (freeipa-4.8.0.tar.gz.asc) = 8d8b3de2ea0eab4a2ce1a063b686927cb1e95b60d5da7c945633edc79252c113c2b44e98299be34efd32526c421335f4344b1a20b6483011c1319d4284af2934