diff --git a/0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch b/0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch new file mode 100644 index 0000000..5bd2477 --- /dev/null +++ b/0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch 
@@ -0,0 +1,50 @@ +From 656a11ae961f8d1afad54567cfe8ccb53e084a67 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mar 20 2024 10:06:07 +0000 +Subject: dcerpc: invalidate forest trust info cache when filtering out realm domains + + +When get_realmdomains() method is called, it will filter out subdomains +of the IPA primary domain. This is required because Active Directory +domain controllers are assuming subdomains already covered by the main +domain namespace. + +[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the +method of validating the forest trust information. They are the same as +rules in [MS-ADTS] section 6.1.6. Specifically, + + - A top-level name must not be superior to an enabled top-level name + for another trusted domain object, unless the current trusted domain + object has a corresponding exclusion record. + +In practice, we filtered those subdomains already but the code wasn't +invalidating a previously retrieved forest trust information. + +Fixes: https://pagure.io/freeipa/issue/9551 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index b6139db..7ee553d 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -1103,6 +1103,7 @@ class TrustDomainInstance: + + info.count = len(ftinfo_records) + info.entries = ftinfo_records ++ another_domain.ftinfo_data = info + return info + + def clear_ftinfo_conflict(self, another_domain, cinfo): +@@ -1778,6 +1779,7 @@ class TrustDomainJoins: + return + + self.local_domain.ftinfo_records = [] ++ self.local_domain.ftinfo_data = None + + realm_domains = self.api.Command.realmdomains_show()['result'] + # Use realmdomains' modification timestamp + diff --git a/0026-backport-test-fixes_rhel#29908.patch b/0026-backport-test-fixes_rhel#29908.patch new file mode 100644 index 0000000..20aacdd --- /dev/null +++ b/0026-backport-test-fixes_rhel#29908.patch 
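Review bot: The added `self.local_domain.ftinfo_data = None` in the TrustDomainJoins hunk carries no comment, yet the fix relies on `ftinfo_records` and `ftinfo_data` being reset together, and this is the only place that does so; I would document it at the assignment, e.g. `# ftinfo_data caches the forest trust info built from ftinfo_records; drop it with the records so a stale copy is not sent to AD after realm subdomains are filtered out`. Whether any other path rebuilds `ftinfo_records` without the same reset cannot be checked here, since both enclosing methods start outside the hunk. In the first nested hunk, `another_domain.ftinfo_data = info` just before `return info` turns that method into a cache writer as an undocumented side effect; a one-line note such as `# cached on the domain object; cleared by callers that refilter realm domains` would make the pairing visible to the next maintainer.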
@@ -0,0 +1,335 @@ +From 3bba254ccdcf9b62fdd8a6d71baecf37c97c300c Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 3 Apr 2023 08:37:28 +0200 +Subject: [PATCH] ipatests: mark known failures for autoprivategroup + +Two tests have known issues in test_trust.py with sssd 2.8.2+: +- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group +(when called with the "hybrid" parameter) +- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default +(when called with the "true" parameter) + +Related: https://pagure.io/freeipa/issue/9295 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Alexander Bokovoy +--- + ipatests/test_integration/test_trust.py | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py +index 0d5b71cb0..12f000c1a 100644 +--- a/ipatests/test_integration/test_trust.py ++++ b/ipatests/test_integration/test_trust.py +@@ -1154,11 +1154,15 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): + self.gid_override + ): + self.mod_idrange_auto_private_group(type) +- (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) +- assert (uid == self.uid_override and gid == self.gid_override) ++ sssd_version = tasks.get_sssd_version(self.clients[0]) ++ bad_version = sssd_version >= tasks.parse_version("2.8.2") ++ cond = (type == 'hybrid') and bad_version ++ with xfail_context(condition=cond, ++ reason="https://pagure.io/freeipa/issue/9295"): ++ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) ++ assert (uid == self.uid_override and gid == self.gid_override) + test_group = self.clients[0].run_command( + ["id", nonposixuser]).stdout_text +- # version = tasks.get_sssd_version(self.clients[0]) + with xfail_context(type == "hybrid", + 'https://github.com/SSSD/sssd/issues/5989'): + assert "domain users@{0}".format(self.ad_domain) in test_group +@@ -1232,8 +1236,11 @@ class 
TestPosixAutoPrivateGroup(BaseTestTrust): + posixuser = "testuser1@%s" % self.ad_domain + self.mod_idrange_auto_private_group(type) + if type == "true": +- (uid, gid) = self.get_user_id(self.clients[0], posixuser) +- assert uid == gid ++ sssd_version = tasks.get_sssd_version(self.clients[0]) ++ with xfail_context(sssd_version >= tasks.parse_version("2.8.2"), ++ "https://pagure.io/freeipa/issue/9295"): ++ (uid, gid) = self.get_user_id(self.clients[0], posixuser) ++ assert uid == gid + else: + for host in [self.master, self.clients[0]]: + result = host.run_command(['id', posixuser], raiseonerr=False) +-- +2.44.0 + +From ed2a8eb0cefadfe0544074114facfef381349ae0 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Feb 12 2024 10:43:39 +0000 +Subject: ipatests: add xfail for autoprivate group test with override + + +Because of SSSD issue 7169, secondary groups are not +retrieved when autoprivate group is set and an idoverride +replaces the user's primary group. +Mark the known issues as xfail. 
+ +Related: https://github.com/SSSD/sssd/issues/7169 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Anuja More + +--- + +diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py +index 3b9f0fb..2b94514 100644 +--- a/ipatests/test_integration/test_trust.py ++++ b/ipatests/test_integration/test_trust.py +@@ -1164,8 +1164,12 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): + assert (uid == self.uid_override and gid == self.gid_override) + test_group = self.clients[0].run_command( + ["id", nonposixuser]).stdout_text +- with xfail_context(type == "hybrid", +- 'https://github.com/SSSD/sssd/issues/5989'): ++ cond2 = ((type == 'false' ++ and sssd_version >= tasks.parse_version("2.9.4")) ++ or type == 'hybrid') ++ with xfail_context(cond2, ++ 'https://github.com/SSSD/sssd/issues/5989 ' ++ 'and 7169'): + assert "domain users@{0}".format(self.ad_domain) in test_group + + @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) +@@ -1287,5 +1291,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust): + assert(uid == self.uid_override + and gid == self.gid_override) + result = self.clients[0].run_command(['id', posixuser]) +- assert "10047(testgroup@{0})".format( +- self.ad_domain) in result.stdout_text ++ sssd_version = tasks.get_sssd_version(self.clients[0]) ++ bad_version = sssd_version >= tasks.parse_version("2.9.4") ++ with xfail_context(bad_version and type in ('false', 'hybrid'), ++ "https://github.com/SSSD/sssd/issues/7169"): ++ assert "10047(testgroup@{0})".format( ++ self.ad_domain) in result.stdout_text + +From d5392300d77170ea3202ee80690ada8bf81b60b5 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Feb 12 2024 10:44:47 +0000 +Subject: ipatests: remove xfail thanks to sssd 2.9.4 + + +SSSD 2.9.4 fixes some issues related to auto-private-group + +Related: https://pagure.io/freeipa/issue/9295 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Anuja More + +--- + +diff --git 
a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py +index 12f000c..3b9f0fb 100644 +--- a/ipatests/test_integration/test_trust.py ++++ b/ipatests/test_integration/test_trust.py +@@ -1155,7 +1155,8 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): + ): + self.mod_idrange_auto_private_group(type) + sssd_version = tasks.get_sssd_version(self.clients[0]) +- bad_version = sssd_version >= tasks.parse_version("2.8.2") ++ bad_version = (tasks.parse_version("2.8.2") <= sssd_version ++ < tasks.parse_version("2.9.4")) + cond = (type == 'hybrid') and bad_version + with xfail_context(condition=cond, + reason="https://pagure.io/freeipa/issue/9295"): +@@ -1237,7 +1238,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust): + self.mod_idrange_auto_private_group(type) + if type == "true": + sssd_version = tasks.get_sssd_version(self.clients[0]) +- with xfail_context(sssd_version >= tasks.parse_version("2.8.2"), ++ bad_version = (tasks.parse_version("2.8.2") <= sssd_version ++ < tasks.parse_version("2.9.4")) ++ with xfail_context(bad_version, + "https://pagure.io/freeipa/issue/9295"): + (uid, gid) = self.get_user_id(self.clients[0], posixuser) + assert uid == gid + +From 34d048ede0c439b3a53e02f8ace96ff91aa1609d Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mar 14 2023 16:50:25 +0000 +Subject: ipatests: adapt for new automembership fixup behavior + + +The automembership fixup task now needs to be called +with --cleanup argument when the user expects automember +to remove user/hosts from automember groups. +Update the test to call create a cleanup task equivalent to +dsconf plugin automember fixup --cleanup +when it is needed. 
+ +Fixes: https://pagure.io/freeipa/issue/9313 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +Reviewed-By: Rob Crittenden + +--- + +diff --git a/ipatests/test_integration/test_automember.py b/ipatests/test_integration/test_automember.py +index 7acd0d7..8b27f4d 100644 +--- a/ipatests/test_integration/test_automember.py ++++ b/ipatests/test_integration/test_automember.py +@@ -4,6 +4,7 @@ + """This covers tests for automemberfeature.""" + + from __future__ import absolute_import ++import uuid + + from ipapython.dn import DN + +@@ -211,11 +212,27 @@ class TestAutounmembership(IntegrationTest): + # Running automember-build so that user is part of correct group + result = self.master.run_command(['ipa', 'automember-rebuild', + '--users=%s' % user2]) ++ assert msg in result.stdout_text ++ ++ # The additional --cleanup argument is required ++ cleanup_ldif = ( ++ "dn: cn={cn},cn=automember rebuild membership," ++ "cn=tasks,cn=config\n" ++ "changetype: add\n" ++ "objectclass: top\n" ++ "objectclass: extensibleObject\n" ++ "basedn: cn=users,cn=accounts,{suffix}\n" ++ "filter: (uid={user})\n" ++ "cleanup: yes\n" ++ "scope: sub" ++ ).format(cn=str(uuid.uuid4()), ++ suffix=str(self.master.domain.basedn), ++ user=user2) ++ tasks.ldapmodify_dm(self.master, cleanup_ldif) ++ + assert self.is_user_member_of_group(user2, group2) + assert not self.is_user_member_of_group(user2, group1) + +- assert msg in result.stdout_text +- + finally: + # testcase cleanup + self.remove_user_automember(user2, raiseonerr=False) +@@ -248,11 +265,27 @@ class TestAutounmembership(IntegrationTest): + result = self.master.run_command( + ['ipa', 'automember-rebuild', '--hosts=%s' % host2] + ) ++ assert msg in result.stdout_text ++ ++ # The additional --cleanup argument is required ++ cleanup_ldif = ( ++ "dn: cn={cn},cn=automember rebuild membership," ++ "cn=tasks,cn=config\n" ++ "changetype: add\n" ++ "objectclass: top\n" ++ "objectclass: extensibleObject\n" ++ "basedn: 
cn=computers,cn=accounts,{suffix}\n" ++ "filter: (fqdn={fqdn})\n" ++ "cleanup: yes\n" ++ "scope: sub" ++ ).format(cn=str(uuid.uuid4()), ++ suffix=str(self.master.domain.basedn), ++ fqdn=host2) ++ tasks.ldapmodify_dm(self.master, cleanup_ldif) ++ + assert self.is_host_member_of_hostgroup(host2, hostgroup2) + assert not self.is_host_member_of_hostgroup(host2, hostgroup1) + +- assert msg in result.stdout_text +- + finally: + # testcase cleanup + self.remove_host_automember(host2, raiseonerr=False) + +From 9b777390fbb6d4c683bf7d3e5f74d5443209b1d5 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 24 Mar 2023 08:15:00 +0200 +Subject: [PATCH] test_xmlrpc: adopt to automember plugin message changes in + 389-ds + +Another change in automember plugin messaging that breaks FreeIPA tests. +Use common substring to match. + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + ipatests/test_xmlrpc/xmlrpc_test.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py +index cf11721bfca..5fe1245dc65 100644 +--- a/ipatests/test_xmlrpc/xmlrpc_test.py ++++ b/ipatests/test_xmlrpc/xmlrpc_test.py +@@ -64,7 +64,7 @@ def test(xs): + + # Matches an automember task finish message + fuzzy_automember_message = Fuzzy( +- r'^Automember rebuild task finished\. Processed \(\d+\) entries\.$' ++ r'^Automember rebuild task finished\. Processed \(\d+\) entries' + ) + + # Matches trusted domain GUID, like u'463bf2be-3456-4a57-979e-120304f2a0eb' +From 8e8b97a2251329aec9633a5c7c644bc5034bc8c2 Mon Sep 17 00:00:00 2001 +From: Sudhir Menon +Date: Wed, 20 Mar 2024 14:29:46 +0530 +Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation + testcases. + +Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt +which causes error in STIG mode. + +[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . 
-f /etc/ipa/nssdb/pwdfile.txt +Incorrect password/PIN entered. + +Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt. + +Signed-off-by: Sudhir Menon +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py +index 8aae9fad776..a96de7088aa 100644 +--- a/ipatests/test_integration/test_ipahealthcheck.py ++++ b/ipatests/test_integration/test_ipahealthcheck.py +@@ -2731,17 +2731,18 @@ def remove_server_cert(self): + Fixture to remove Server cert and revert the change. + """ + instance = realm_to_serverid(self.master.domain.realm) ++ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance + self.master.run_command( + [ + "certutil", + "-L", + "-d", +- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, ++ instance_dir, + "-n", + "Server-Cert", + "-a", + "-o", +- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance ++ instance_dir + + "/Server-Cert.pem", + ] + ) +@@ -2760,15 +2761,15 @@ def remove_server_cert(self): + [ + "certutil", + "-d", +- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, ++ instance_dir, + "-A", + "-i", +- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance ++ instance_dir + + "/Server-Cert.pem", + "-t", + "u,u,u", + "-f", +- paths.IPA_NSSDB_PWDFILE_TXT, ++ "%s/pwdfile.txt" % instance_dir, + "-n", + "Server-Cert", + ] diff --git a/ipa.spec b/ipa.spec index 0dab3be..a7f2e9f 100644 --- a/ipa.spec +++ b/ipa.spec @@ -81,7 +81,8 @@ # Fix for TLS 1.3 PHA, RHBZ#1775158 %global httpd_version 2.4.37-21 -%global bind_version 9.11.20-6 +# Fix for RHEL-25649 +%global bind_version 9.11.36-14 %else # Fedora 
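Review bot: The embedded commits in this patch file are out of order: the "add xfail for autoprivate group test with override" commit (index 3b9f0fb..2b94514) is placed before the "remove xfail thanks to sssd 2.9.4" commit (index 12f000c..3b9f0fb) that produces its parent blob, so it only applies because the hunks touch disjoint lines and patch(1) tolerates the offset; reordering the two commits would make the file apply cleanly at exact line numbers. The test_ipahealthcheck commit message says `pwd.txt` while the code uses `"%s/pwdfile.txt" % instance_dir`; the message should match the code. The cleanup LDIF in the two TestAutounmembership hunks is duplicated verbatim with only the basedn container and filter differing, and would be clearer as one helper, sketched below; the enclosing test methods start and end outside the hunks.
```python
def _automember_cleanup_ldif(self, container, filter_expr):
    """LDIF for an automember rebuild task with cleanup enabled.

    Equivalent to `dsconf ... plugin automember fixup --cleanup`.
    filter_expr is an LDAP filter built from fixed test fixtures.
    """
    return (
        "dn: cn={cn},cn=automember rebuild membership,"
        "cn=tasks,cn=config\n"
        "changetype: add\n"
        "objectclass: top\n"
        "objectclass: extensibleObject\n"
        "basedn: cn={container},cn=accounts,{suffix}\n"
        "filter: {filter_expr}\n"
        "cleanup: yes\n"
        "scope: sub"
    ).format(cn=str(uuid.uuid4()),
             container=container,
             suffix=str(self.master.domain.basedn),
             filter_expr=filter_expr)

# … unchanged: automember-rebuild command and assertion on msg …
tasks.ldapmodify_dm(
    self.master,
    self._automember_cleanup_ldif("users", "(uid=%s)" % user2))
```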
@@ -189,7 +190,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 8%{?rc_version:.%rc_version}%{?dist} +Release: 9%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -232,6 +233,8 @@ Patch0021: 0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch Patch0022: 0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch Patch0023: 0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch Patch0024: 0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch +Patch0025: 0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch +Patch0026: 0026-backport-test-fixes_rhel#29908.patch %if 0%{?rhel} >= 8 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -1747,6 +1750,17 @@ fi %endif %changelog +* Fri Apr 12 2024 Rafael Jeffman - 9.4.13-9 +- dcerpc: invalidate forest trust intfo cache when filtering out realm domains + Resolves: RHEL-28559 +- Backport latests test fixes in python3-tests + ipatests: add xfail for autoprivate group test with override + ipatests: remove xfail thanks to sssd 2.9.4 + ipatests: adapt for new automembership fixup behavior + ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases + test_xmlrpc: adopt to automember plugin message changes in 389-ds + Resolves: RHEL-29908 + * Thu Mar 07 2024 Rafael Jeffman - 4.9.13-8 - rpcserver: validate Kerberos principal name before running kinit Resolves: RHEL-26153
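Review bot: The new %changelog entry records the version as `9.4.13-9`, which contradicts the `Release: 9` bump on an `%{IPA_VERSION}` that the previous entry gives as `4.9.13-8`; it should read `- 4.9.13-9`, otherwise rpmlint reports incoherent-version-in-changelog and the package history is misleading. The same entry has the typo "latests" in `- Backport latests test fixes in python3-tests`. The new patch filename, and therefore the `Patch0025:` line and the first changelog bullet, spell "intfo" where "info" is meant; if the file is renamed before merge, the spec line must be renamed with it.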