More backports

remove CA affinity patch, not ready for backport yet. Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2024-01-30 18:09:49 +02:00 · 2024-01-30 18:09:49 +02:00 · 7365e8a23f
commit 7365e8a23f
parent f19c883a04
3 changed files with 143 additions and 5 deletions
--- a/0008-netbios-defaults.patch
+++ b/0008-netbios-defaults.patch
@ -0,0 +1,35 @@
+From eab52d3cda9bbec716008c040551bd11facd0e11 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 17 Jan 2024 12:27:26 +0200
+Subject: [PATCH] adtrustinstance: make sure NetBIOS name defaults are set
+ properly
+
+Some tools may pass None as NetBIOS name if not put explicitly by a
+user. This meant to use default NetBIOS name generator based on the
+domain (realm) name. However, this wasn't done properly, so None is
+passed later to python-ldap and it rejects such LDAP entry.
+
+Fixes: https://pagure.io/freeipa/issue/9514
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaserver/install/adtrustinstance.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index d55ba8491..2ff68dfb4 100644
+--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
+@@ -189,6 +189,8 @@ class ADTRUSTInstance(service.Service):
+         self.fqdn = self.fqdn or api.env.host
+         self.host_netbios_name = make_netbios_name(self.fqdn)
+         self.realm = self.realm or api.env.realm
+        if not self.netbios_name:
+            self.netbios_name = make_netbios_name(self.realm)
+ 
+         self.suffix = ipautil.realm_to_suffix(self.realm)
+         self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \
+-- 
+2.43.0
+
--- a/0009-host-keytab-permission.patch
+++ b/0009-host-keytab-permission.patch
@ -0,0 +1,101 @@
+From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 21 Dec 2023 09:38:57 +0200
+Subject: [PATCH] host: update System: Manage Host Keytab permission
+
+Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended
+operation to get a keytab is supposed to be used. This keytab
+setting/retrieval extended operation checks access rights of the bound
+DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'.
+
+If the write isn't allowed, the operation is rejected and ipa-getkeytab
+tool falls back to an older code that generates the keytab on the client
+and forcibly sets to the LDAP entry. For the latter, a check is done to
+make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute.
+
+This fallback should never happen for newer deployments. When enrollemnt
+operation is delegated to non-administrative user with the help of 'Host
+Enrollment' role, a host can be pre-created or created at enrollment
+time, if this non-administrative user has 'Host Administrators' role. In
+the latter case a system permission 'System: Manage Host Keytab' grants
+write access to 'krbPrincipalKey' attribute but lacks any access to the
+virtual attributes expected by the new extended operation.
+
+There is a second virtual attribute, 'ipaProtectedOperation;read_keys',
+that allows to retrieve existing keys for a host. However, during
+initial enrollment we do not allow to retrieve and reuse existing
+Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve
+the existing key, 'ipa-join' has no way to trigger that operation.
+Hence, permission 'System: Manage Host Keytab' will not grant the right
+to read the Kerberos key via extended operation used by 'ipa-getkeytab
+-r'. Such operation can be done later by utilizing 'ipa
+service/host-allow-retrieve-keytab' commands.
+
+Fix 'System: Manage Host Keytab' permission and extend a permission test
+to see that we do not fallback to the old extended operation.
+
+Fixes: https://pagure.io/freeipa/issue/9496
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ACI.txt                                            | 2 +-
+ ipaserver/plugins/host.py                          | 3 ++-
+ ipatests/test_integration/test_user_permissions.py | 7 +++++++
+ 3 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/ACI.txt b/ACI.txt
+index e6d6e3d15..236bb4367 100644
+--- a/ACI.txt
+++ b/ACI.txt
+@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve
+ dn: cn=computers,cn=accounts,dc=ipa,dc=example
+ aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: cn=computers,cn=accounts,dc=ipa,dc=example
+-aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+aci: (targetattr = "ipaprotectedoperation;write_keys || krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: cn=computers,cn=accounts,dc=ipa,dc=example
+ aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";)
+ dn: cn=computers,cn=accounts,dc=ipa,dc=example
+diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
+index 3ef510edc..b02c8b55f 100644
+--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
+@@ -409,7 +409,8 @@ class host(LDAPObject):
+                                         api.env.container_hostgroup,
+                                         api.env.basedn),
+             ],
+-            'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'},
+            'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey',
+                                   'ipaprotectedoperation;write_keys'},
+             'replaces': [
+                 '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)',
+             ],
+diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py
+index 3333a4f6b..cd1096ff3 100644
+--- a/ipatests/test_integration/test_user_permissions.py
+++ b/ipatests/test_integration/test_user_permissions.py
+@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest):
+         self.master.run_command(['ipa', 'privilege-add-permission',
+                                  '--permissions', 'System: Add Hosts',
+                                  'Add Hosts'])
+        self.master.run_command(['ipa', 'privilege-add-permission',
+                                 '--permissions', 'System: Manage Host Keytab',
+                                 'Add Hosts'])
+ 
+         self.master.run_command(['ipa', 'role-add-privilege', 'useradmin',
+                                  '--privileges', 'Host Enrollment'])
+@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest):
+                                                encoding='utf-8')
+         assert msg in install_log
+ 
+        # Make sure we do not fallback to an old keytab retrieval method anymore
+        msg = "Retrying with pre-4.0 keytab retrieval method..."
+        assert msg not in install_log
+
+         # check that user is able to request a host cert, too
+         result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR)
+         assert 'Local IPA host' in result.stdout_text
+-- 
+2.43.0
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -223,10 +223,11 @@ Patch0001:      freeipa-4.11-samba-changes.patch
 Patch0002:      freeipa-4.11-pki-revocation-changes.patch
 Patch0003:      freeipa-4.11-py3.12-timezone-changes.patch
 Patch0004:      freeipa-4.11-pwpolicy-minlength.patch
-Patch0005:      0003-kdb-memory-leak.patch
-Patch0006:      0004-ipa-cli-krb5-crash.patch
-Patch0007:      0005-pyca-42.0.0-support.patch
-Patch0008:      0006-ca-affinity-fix.patch
+Patch0005:      0009-host-keytab-permission.patch
+Patch0006:      0008-netbios-defaults.patch
+Patch0009:      0005-pyca-42.0.0-support.patch
+Patch0010:      0004-ipa-cli-krb5-crash.patch
+Patch0011:      0003-kdb-memory-leak.patch

 # RHEL spec file only: START: Change branding to IPA and Identity Management
 # Moved branding logos and background to redhat-logos-ipa-80.4:
@ -1752,7 +1753,8 @@ fi
 - Fix memory leak in Kerberos KDC driver
 - Fix possible crash in IPA command line tool when accessing Kerberos credentials
 - Compatibility fix for Python Cryptography 42.0.0
- Fix CA affinity when installing replica
+- NetBIOS defaults fix
+- Fix default host keytab retrieval permissions

 * Wed Jan 24 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.11.1-1.2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild