More backports
remove CA affinity patch, not ready for backport yet. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
This commit is contained in:
parent
f19c883a04
commit
7365e8a23f
35
0008-netbios-defaults.patch
Normal file
35
0008-netbios-defaults.patch
Normal file
@ -0,0 +1,35 @@
|
||||
From eab52d3cda9bbec716008c040551bd11facd0e11 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Wed, 17 Jan 2024 12:27:26 +0200
|
||||
Subject: [PATCH] adtrustinstance: make sure NetBIOS name defaults are set
|
||||
properly
|
||||
|
||||
Some tools may pass None as NetBIOS name if not put explicitly by a
|
||||
user. This meant to use default NetBIOS name generator based on the
|
||||
domain (realm) name. However, this wasn't done properly, so None is
|
||||
passed later to python-ldap and it rejects such LDAP entry.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9514
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
||||
---
|
||||
ipaserver/install/adtrustinstance.py | 2 ++
|
||||
1 file changed, 2 insertions(+)
|
||||
|
||||
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
|
||||
index d55ba8491..2ff68dfb4 100644
|
||||
--- a/ipaserver/install/adtrustinstance.py
|
||||
+++ b/ipaserver/install/adtrustinstance.py
|
||||
@@ -189,6 +189,8 @@ class ADTRUSTInstance(service.Service):
|
||||
self.fqdn = self.fqdn or api.env.host
|
||||
self.host_netbios_name = make_netbios_name(self.fqdn)
|
||||
self.realm = self.realm or api.env.realm
|
||||
+ if not self.netbios_name:
|
||||
+ self.netbios_name = make_netbios_name(self.realm)
|
||||
|
||||
self.suffix = ipautil.realm_to_suffix(self.realm)
|
||||
self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
|
||||
--
|
||||
2.43.0
|
||||
|
101
0009-host-keytab-permission.patch
Normal file
101
0009-host-keytab-permission.patch
Normal file
@ -0,0 +1,101 @@
|
||||
From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Thu, 21 Dec 2023 09:38:57 +0200
|
||||
Subject: [PATCH] host: update System: Manage Host Keytab permission
|
||||
|
||||
Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended
|
||||
operation to get a keytab is supposed to be used. This keytab
|
||||
setting/retrieval extended operation checks access rights of the bound
|
||||
DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.
|
||||
|
||||
If the write isn't allowed, the operation is rejected and ipa-getkeytab
|
||||
tool falls back to an older code that generates the keytab on the client
|
||||
and forcibly sets to the LDAP entry. For the latter, a check is done to
|
||||
make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.
|
||||
|
||||
This fallback should never happen for newer deployments. When enrollemnt
|
||||
operation is delegated to non-administrative user with the help of 'Host
|
||||
Enrollment' role, a host can be pre-created or created at enrollment
|
||||
time, if this non-administrative user has 'Host Administrators' role. In
|
||||
the latter case a system permission 'System: Manage Host Keytab' grants
|
||||
write access to 'krbPrincipalKey' attribute but lacks any access to the
|
||||
virtual attributes expected by the new extended operation.
|
||||
|
||||
There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
|
||||
that allows to retrieve existing keys for a host. However, during
|
||||
initial enrollment we do not allow to retrieve and reuse existing
|
||||
Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
|
||||
the existing key, 'ipa-join' has no way to trigger that operation.
|
||||
Hence, permission 'System: Manage Host Keytab' will not grant the right
|
||||
to read the Kerberos key via extended operation used by 'ipa-getkeytab
|
||||
-r'. Such operation can be done later by utilizing 'ipa
|
||||
service/host-allow-retrieve-keytab' commands.
|
||||
|
||||
Fix 'System: Manage Host Keytab' permission and extend a permission test
|
||||
to see that we do not fallback to the old extended operation.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9496
|
||||
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
||||
---
|
||||
ACI.txt | 2 +-
|
||||
ipaserver/plugins/host.py | 3 ++-
|
||||
ipatests/test_integration/test_user_permissions.py | 7 +++++++
|
||||
3 files changed, 10 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/ACI.txt b/ACI.txt
|
||||
index e6d6e3d15..236bb4367 100644
|
||||
--- a/ACI.txt
|
||||
+++ b/ACI.txt
|
||||
@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
|
||||
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
||||
-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
+aci: (targetattr = "ipaprotectedoperation;write_keys || krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
||||
aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
|
||||
dn: cn=computers,cn=accounts,dc=ipa,dc=example
|
||||
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
|
||||
index 3ef510edc..b02c8b55f 100644
|
||||
--- a/ipaserver/plugins/host.py
|
||||
+++ b/ipaserver/plugins/host.py
|
||||
@@ -409,7 +409,8 @@ class host(LDAPObject):
|
||||
api.env.container_hostgroup,
|
||||
api.env.basedn),
|
||||
],
|
||||
- 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
|
||||
+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey',
|
||||
+ 'ipaprotectedoperation;write_keys'},
|
||||
'replaces': [
|
||||
'(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
|
||||
],
|
||||
diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py
|
||||
index 3333a4f6b..cd1096ff3 100644
|
||||
--- a/ipatests/test_integration/test_user_permissions.py
|
||||
+++ b/ipatests/test_integration/test_user_permissions.py
|
||||
@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest):
|
||||
self.master.run_command(['ipa', 'privilege-add-permission',
|
||||
'--permissions', 'System: Add Hosts',
|
||||
'Add Hosts'])
|
||||
+ self.master.run_command(['ipa', 'privilege-add-permission',
|
||||
+ '--permissions', 'System: Manage Host Keytab',
|
||||
+ 'Add Hosts'])
|
||||
|
||||
self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
|
||||
'--privileges', 'Host Enrollment'])
|
||||
@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest):
|
||||
encoding='utf-8')
|
||||
assert msg in install_log
|
||||
|
||||
+ # Make sure we do not fallback to an old keytab retrieval method anymore
|
||||
+ msg = "Retrying with pre-4.0 keytab retrieval method..."
|
||||
+ assert msg not in install_log
|
||||
+
|
||||
# check that user is able to request a host cert, too
|
||||
result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
|
||||
assert 'Local IPA host' in result.stdout_text
|
||||
--
|
||||
2.43.0
|
||||
|
12
freeipa.spec
12
freeipa.spec
@ -223,10 +223,11 @@ Patch0001: freeipa-4.11-samba-changes.patch
|
||||
Patch0002: freeipa-4.11-pki-revocation-changes.patch
|
||||
Patch0003: freeipa-4.11-py3.12-timezone-changes.patch
|
||||
Patch0004: freeipa-4.11-pwpolicy-minlength.patch
|
||||
Patch0005: 0003-kdb-memory-leak.patch
|
||||
Patch0006: 0004-ipa-cli-krb5-crash.patch
|
||||
Patch0007: 0005-pyca-42.0.0-support.patch
|
||||
Patch0008: 0006-ca-affinity-fix.patch
|
||||
Patch0005: 0009-host-keytab-permission.patch
|
||||
Patch0006: 0008-netbios-defaults.patch
|
||||
Patch0009: 0005-pyca-42.0.0-support.patch
|
||||
Patch0010: 0004-ipa-cli-krb5-crash.patch
|
||||
Patch0011: 0003-kdb-memory-leak.patch
|
||||
|
||||
# RHEL spec file only: START: Change branding to IPA and Identity Management
|
||||
# Moved branding logos and background to redhat-logos-ipa-80.4:
|
||||
@ -1752,7 +1753,8 @@ fi
|
||||
- Fix memory leak in Kerberos KDC driver
|
||||
- Fix possible crash in IPA command line tool when accessing Kerberos credentials
|
||||
- Compatibility fix for Python Cryptography 42.0.0
|
||||
- Fix CA affinity when installing replica
|
||||
- NetBIOS defaults fix
|
||||
- Fix default host keytab retrieval permissions
|
||||
|
||||
* Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.11.1-1.2
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
|
||||
|
Loading…
Reference in New Issue
Block a user