diff --git a/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch b/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch index e0d2386..a6e6388 100644 --- a/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch +++ b/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch @@ -40,12 +40,11 @@ index 06d511c76..dbb98dba6 100644 #include "ipa_krb5.h" #include "ipa_hostname.h" +#include - + #define IPADB_GLOBAL_CONFIG_CACHE_TIME 60 - -@@ -207,6 +208,19 @@ static const struct { + +@@ -207,5 +208,18 @@ static const struct { { "idp", IPADB_USER_AUTH_IDP }, - { "passkey", IPADB_USER_AUTH_PASSKEY }, { } +}, + objclass_table[] = { @@ -61,10 +60,10 @@ index 06d511c76..dbb98dba6 100644 + { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD }, + { } }; - + void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, @@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, - + *userauth = IPADB_USER_AUTH_NONE; vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE); - if (!vals) @@ -121,7 +120,7 @@ index 06d511c76..dbb98dba6 100644 /* If password auth is enabled, enable hardened policy too. */ if (*userauth & IPADB_USER_AUTH_PASSWORD) { *userauth |= IPADB_USER_AUTH_HARDENED; --- +-- 2.43.0 @@ -163,7 +162,7 @@ index 436ee0e62..2802221c7 100644 pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]); } else if (strcmp(auth_indicator, "hardened") == 0) { valid_auth_indicators++; --- +-- 2.43.0 @@ -188,14 +187,14 @@ index dbb98dba6..4e6cacf24 100644 @@ -195,6 +195,9 @@ done: return base; } - + +/* In this table all _AUTH_PASSWORD entries will be + * expanded to include _AUTH_HARDENED in ipadb_parse_user_auth() + * which means there is no need to explicitly add it here */ static const struct { const char *name; enum ipadb_user_auth flag; --- +-- 2.43.0 @@ -230,7 +229,7 @@ index caa0e6a34..5c2e7af02 100644 @@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest): def install(cls, mh): tasks.install_master(cls.master) - + + def enforce_password_and_otp(self): + """enforce otp by default and password for admin """ + self.master.run_command( @@ -255,7 +254,7 @@ index caa0e6a34..5c2e7af02 100644 @@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest): cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM) client.put_file_contents(self.tmpbundle, cabundle) - + + def test_restart_krb5kdc(self): + tasks.kinit_admin(self.master) + self.enforce_password_and_otp() @@ -267,6 +266,6 @@ index caa0e6a34..5c2e7af02 100644 def test_client_install_pkinit(self): tasks.kinit_admin(self.master) self.add_certmaperule() --- +-- 2.43.0 diff --git a/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch b/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch index c90a4e7..a62eebc 100644 --- a/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch +++ b/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch @@ -50,7 +50,7 @@ diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-man index cebf73a..71851be 100644 --- a/install/tools/ipa-replica-manage.in +++ b/install/tools/ipa-replica-manage.in -@@ -1269,12 +1269,12 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False): +@@ -1237,12 +1237,13 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False): repl.force_sync(repl.conn, fromhost) else: ds = dsinstance.DsInstance(realm_name=realm) @@ -62,9 +62,10 @@ index cebf73a..71851be 100644 repl.wait_for_repl_update(repl.conn, agreement.dn) - ds.replica_manage_time_skew(prevent=True) + ds.replica_revert_time_skew() - - ++ + def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False, + nolookup=False): diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py index 35cec89..e15e629 100644 --- a/ipaserver/install/cainstance.py @@ -91,7 +92,7 @@ index cbacfae..ba4bf8a 100644 self.step("ignore time skew for initial replication", - self.__replica_ignore_initial_time_skew) + self.replica_ignore_initial_time_skew) - + self.step("setting up initial replication", self.__setup_replica) self.step("prevent time skew after initial replication", - self.replica_manage_time_skew) @@ -102,7 +103,7 @@ index cbacfae..ba4bf8a 100644 @@ -995,16 +995,6 @@ class DsInstance(service.Service): def __add_replication_acis(self): self._ldap_mod("replica-acis.ldif", self.sub_dict) - + - def __replica_ignore_initial_time_skew(self): - self.replica_manage_time_skew(prevent=False) - @@ -114,7 +115,7 @@ index cbacfae..ba4bf8a 100644 - self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict) - def __setup_s4u2proxy(self): - + def __add_principal(last_cn, principal, self): diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py index 13ae346..15ca70b 100644 @@ -123,7 +124,7 @@ index 13ae346..15ca70b 100644 @@ -811,6 +811,31 @@ class Service: self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) self.set_keytab_owner() - + + def replica_ignore_initial_time_skew(self): + """ + Set nsslapd-ignore-time-skew = on if not already set @@ -149,7 +150,7 @@ index 13ae346..15ca70b 100644 + entry_attrs['nsslapd-ignore-time-skew'] = self.original_time_skew + api.Backend.ldap2.update_entry(entry_attrs) + - + class SimpleServiceInstance(Service): def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None, diff --git a/0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch b/0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch new file mode 100644 index 0000000..4d44971 --- /dev/null +++ b/0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch @@ -0,0 +1,82 @@ +From ac6eee670d8a753e66ba69a65eff55447fff2822 Mon Sep 17 00:00:00 2001 +From: Aleksandr Sharov +Date: Mar 25 2025 09:33:06 +0000 +Subject: Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to being expired. + + +Fixes: https://pagure.io/freeipa/issue/9760 +Signed-off-by: Aleksandr Sharov +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py +index 8e02d1e..960d7b9 100644 +--- a/ipaserver/install/ipa_cert_fix.py ++++ b/ipaserver/install/ipa_cert_fix.py +@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__) + + + cert_nicknames = { ++ 'ca_issuing': 'caSigningCert cert-pki-ca', + 'sslserver': 'Server-Cert cert-pki-ca', + 'subsystem': 'subsystemCert cert-pki-ca', + 'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca', +@@ -137,6 +138,16 @@ class IPACertFix(AdminTool): + print("Nothing to do.") + return 0 + ++ if any(key == 'ca_issuing' for key, _ in certs): ++ logger.debug("CA signing cert is expired, exiting!") ++ print( ++ "The CA signing certificate is expired or will expire within " ++ "the next two weeks.\n\nipa-cert-fix cannot proceed, please " ++ "refer to the ipa-cacert-manage tool to renew the CA " ++ "certificate before proceeding." ++ ) ++ return 1 ++ + print(msg) + + print_intentions(certs, extra_certs, non_renewed) + +From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001 +From: Aleksandr Sharov +Date: Mar 25 2025 18:03:54 +0000 +Subject: Test fix for the update + + +Fixes: https://pagure.io/freeipa/issue/9760 +Signed-off-by: Aleksandr Sharov +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index 15d8a81..d11fd3d 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest): + valid. If CA cert expired, ipa-cert-fix won't work. + + related: https://pagure.io/freeipa/issue/8721 ++ ++ If CA cert is close to expiry, there's no reason to issue new certs ++ with short validity period. So, ipa-cert-fix should fail in this case. ++ ++ related: https://pagure.io/freeipa/issue/9760 + """ + result = self.master.run_command(['ipa-cert-fix', '-v'], + stdin_text='yes\n', + raiseonerr=False) + # check that pki-server cert-fix command fails +- err_msg = ("ERROR: CalledProcessError(Command " +- "['pki-server', 'cert-fix'") ++ err_msg = ("CA signing cert is expired, exiting!") ++ assert result.returncode == 1 + assert err_msg in result.stderr_text + + + diff --git a/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch index e1a74ff..de96332 100644 --- a/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +++ b/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -32,7 +32,7 @@ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 7d21367ec..42a47f1df 100644 --- a/ipaplatform/base/paths.py +++ b/ipaplatform/base/paths.py -@@ -259,7 +259,6 @@ class BasePathNamespace: +@@ -258,8 +258,7 @@ class BasePathNamespace: IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" @@ -41,6 +41,7 @@ index 7d21367ec..42a47f1df 100644 - DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel" GETSEBOOL = "/usr/sbin/getsebool" GROUPADD = "/usr/sbin/groupadd" + USERMOD = "/usr/sbin/usermod" diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py index 4e993c063..92a948966 100644 --- a/ipaplatform/fedora/paths.py diff --git a/ipa.spec b/ipa.spec index eb6fabd..0d7691d 100644 --- a/ipa.spec +++ b/ipa.spec @@ -190,7 +190,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 15%{?rc_version:.%rc_version}%{?dist} +Release: 16%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -246,6 +246,7 @@ Patch0034: 0034-Add-ipa-idrange-fix_rhel#56920.patch Patch0035: 0035-Unconditionally-add-MS-PAC-to-global-config-on-update_rhel#49437.patch Patch0036: 0036-ipatests-Update-ipa-adtrust-install-test_rhel#40894.patch Patch0037: 0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch +Patch0038: 0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch %if 0%{?rhel} >= 8 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -1009,10 +1010,7 @@ for i in *.po ; do done popd -for p in %patches ; do - %__patch -p1 -i $p - UpdateTimestamps -p1 $p -done +%autopatch -p1 -q %build # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 @@ -1763,6 +1761,12 @@ fi %endif %changelog +* Mon Mar 31 2025 Rafael Jeffman - 4.9.13-16 +- Add a- heck into ipa-cert-fix tool to avoid updating certs if CA is close to expire + Resolves: RHEL-4941 +- Fix rpminspect's 'patches' warnings + Resolves: RHEL-22497 + * Mon Mar 10 2025 Rafael Jeffman - 4.9.13-15 - Replica CA installation: ignore skew during initial replication Resolves RHEL-80995 @@ -1929,7 +1933,7 @@ fi * Thu May 25 2023 Rafael Jeffman - 4.9.12-2 - Use the OpenSSL certificate parser in cert-find - Resolves: RHBZ#2209947 + Resolves: RHBZ#2209947 * Wed May 24 2023 Rafael Jeffman - 4.9.12-1 - Rebase ipa to 4.9.12 @@ -1962,7 +1966,7 @@ fi Resolves: RHBZ#2129895 - Fix canonicalization issue in Web UI Resolves: RHBZ#2127035 -- Remove idnssoaserial argument from dns zone API. +- Remove idnssoaserial argument from dns zone API. Resolves: RHBZ#2108630 - Warn for permissions with read/write/search/compare and no attrs Resolves: RHBZ#2098187