import ipa-4.9.3-1.module+el8.5.0+10565+ae980a94

CentOS Sources 2021-06-14 19:47:31 +00:00 committed by Andrew Lukoshko
parent 1f7d41d375
commit 7cb3bafb7e
15 changed files with 49 additions and 2190 deletions

.gitignore vendored

@ -1 +1 @@
SOURCES/freeipa-4.9.2.tar.gz SOURCES/freeipa-4.9.3.tar.gz


@ -1 +1 @@
c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz 8e8da2d8eb9eae8e2d3561a69452e1b7a98455d8 SOURCES/freeipa-4.9.3.tar.gz


@ -1,381 +0,0 @@
From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Fri, 11 Dec 2020 07:35:59 +0200
Subject: [PATCH] ipatests: add TestInstallWithoutSudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Test IPA servers and clients behavior when sudo is not installed.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../nightly_ipa-4-9_latest.yaml | 12 ++++
.../nightly_ipa-4-9_latest_selinux.yaml | 13 ++++
.../nightly_ipa-4-9_previous.yaml | 12 ++++
.../test_integration/test_installation.py | 66 +++++++++++++++++++
4 files changed, 103 insertions(+)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index 3acd6a13c..d91b16cab 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -535,6 +535,18 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index c01192cf5..8adb06d0c 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -575,6 +575,19 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-latest-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
+ selinux_enforcing: True
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-latest
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-latest-ipa-4-9/test_idviews:
requires: [fedora-latest-ipa-4-9/build]
priority: 50
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index a6ea24f6a..2b5d4fd5e 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -535,6 +535,18 @@ jobs:
timeout: 10800
topology: *master_1repl
+ fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo:
+ requires: [fedora-previous-ipa-4-9/build]
+ priority: 50
+ job:
+ class: RunPytest
+ args:
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
+ test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
+ template: *ci-ipa-4-9-previous
+ timeout: 4800
+ topology: *master_1repl_1client
+
fedora-previous-ipa-4-9/test_idviews:
requires: [fedora-previous-ipa-4-9/build]
priority: 50
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index eb6f7d78e..6e8af024c 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest):
self.replicas[0].hostname],
stdin_text=dirman_password)
assert self.replicas[0].hostname not in cmd.stdout_text
+
+
+class TestInstallWithoutSudo(IntegrationTest):
+
+ num_clients = 1
+ num_replicas = 1
+ no_sudo_str = "The sudo binary does not seem to be present on this"
+
+ @classmethod
+ def install(cls, mh):
+ pass
+
+ def test_sudo_removal(self):
+ # ipa-client makes sudo depend on libsss_sudo.
+
+ # --nodeps is mandatory because dogtag uses sudo at install
+ # time until commit 49585867207922479644a03078c29548de02cd03
+ # which is scheduled to land in 10.10.
+
+ # This also means sudo+libsss_sudo cannot be uninstalled on
+ # IPA servers with a CA.
+ assert tasks.is_package_installed(self.clients[0], 'sudo')
+ assert tasks.is_package_installed(self.clients[0], 'libsss_sudo')
+ tasks.uninstall_packages(
+ self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True
+ )
+
+ def test_ipa_installation_without_sudo(self):
+ # FixMe: When Dogtag 10.10 is out, test installation without sudo
+ tasks.install_master(self.master, setup_dns=True)
+
+ def test_replica_installation_without_sudo(self):
+ # FixMe: When Dogtag 10.10 is out, test replica installation
+ # without sudo and with CA
+ tasks.uninstall_packages(
+ self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True
+ )
+ # One-step install is needed.
+ # With promote=True, two-step install is done and that only captures
+ # the ipa-replica-install stdout/stderr, not ipa-client-install's.
+ result = tasks.install_replica(
+ self.master, self.replicas[0], promote=False,
+ setup_dns=True, setup_ca=False
+ )
+ assert self.no_sudo_str in result.stderr_text
+
+ def test_client_installation_without_sudo(self):
+ result = tasks.install_client(self.master, self.clients[0])
+ assert self.no_sudo_str in result.stderr_text
+
+ def test_remove_sudo_on_ipa(self):
+ tasks.uninstall_packages(
+ self.master, ['sudo', 'libsss_sudo'], nodeps=True
+ )
+ self.master.run_command(
+ ['ipactl', 'restart']
+ )
+
+ def test_install_sudo_on_client(self):
+ """ Check that installing sudo pulls libsss_sudo in"""
+ for pkg in ('sudo', 'libsss_sudo'):
+ assert tasks.is_package_installed(self.clients[0], pkg) is False
+ tasks.uninstall_client(self.clients[0])
+ tasks.install_packages(self.clients[0], ['sudo'])
+ for pkg in ('sudo', 'libsss_sudo'):
+ assert tasks.is_package_installed(self.clients[0], pkg)
--
2.29.2
From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 08:35:12 +0200
Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Handle package removal without taking dependencies into account.
E.g. add frontends for rpm -e --nodeps.
Related: ipatests/pytest_ipa/integration/tasks.py
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++-----
1 file changed, 41 insertions(+), 10 deletions(-)
diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
index b91859816..2fe78367f 100755
--- a/ipatests/pytest_ipa/integration/tasks.py
+++ b/ipatests/pytest_ipa/integration/tasks.py
@@ -29,6 +29,7 @@ import re
import collections
import itertools
import shutil
+import shlex
import copy
import subprocess
import tempfile
@@ -2381,20 +2382,33 @@ def download_packages(host, pkgs):
return tmpdir
-def uninstall_packages(host, pkgs):
+def uninstall_packages(host, pkgs, nodeps=False):
"""Uninstall packages on a remote host.
- :param host: the host where the uninstallation takes place
- :param pkgs: packages to uninstall, provided as a list of strings
+ :param host: the host where the uninstallation takes place.
+ :param pkgs: packages to uninstall, provided as a list of strings.
+ :param nodeps: ignore dependencies (dangerous!).
"""
platform = get_platform(host)
- # Only supports RHEL 8+ and Fedora for now
- if platform in ('rhel', 'fedora'):
- install_cmd = ['/usr/bin/dnf', 'remove', '-y']
- elif platform in ('ubuntu'):
- install_cmd = ['apt-get', 'remove', '-y']
+ if platform not in ('rhel', 'fedora', 'ubuntu'):
+ raise ValueError('uninstall_packages: unknown platform %s' % platform)
+ if nodeps:
+ if platform in ('rhel', 'fedora'):
+ cmd = "rpm -e --nodeps"
+ elif platform in ('ubuntu'):
+ cmd = "dpkg -P --force-depends"
+ for package in pkgs:
+ uninstall_cmd = shlex.split(cmd)
+ uninstall_cmd.append(package)
+ # keep raiseonerr=True here. --fcami
+ host.run_command(uninstall_cmd)
else:
- raise ValueError('install_packages: unknown platform %s' % platform)
- host.run_command(install_cmd + pkgs, raiseonerr=False)
+ if platform in ('rhel', 'fedora'):
+ cmd = "/usr/bin/dnf remove -y"
+ elif platform in ('ubuntu'):
+ cmd = "apt-get remove -y"
+ uninstall_cmd = shlex.split(cmd)
+ uninstall_cmd.extend(pkgs)
+ host.run_command(uninstall_cmd, raiseonerr=False)
def wait_for_request(host, request_id, timeout=120):
@@ -2649,3 +2663,20 @@ def run_ssh_cmd(
assert "Authentication succeeded" not in stderr
assert "No more authentication methods to try." in stderr
return (return_code, stdout, stderr)
+
+
+def is_package_installed(host, pkg):
+ platform = get_platform(host)
+ if platform in ('rhel', 'fedora'):
+ result = host.run_command(
+ ['rpm', '-q', pkg], raiseonerr=False
+ )
+ elif platform in ['ubuntu']:
+ result = host.run_command(
+ ['dpkg', '-s', pkg], raiseonerr=False
+ )
+ else:
+ raise ValueError(
+ 'is_package_installed: unknown platform %s' % platform
+ )
+ return result.returncode == 0
--
2.29.2
From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 08:15:22 +0200
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaclient/install/client.py | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 8acfa0cd1..0e478fa26 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -24,6 +24,7 @@ import re
import SSSDConfig
import shutil
import socket
+import subprocess
import sys
import tempfile
import textwrap
@@ -2200,7 +2201,18 @@ def install_check(options):
"authentication resources",
rval=CLIENT_INSTALL_ERROR)
- # when installing with '--no-sssd' option, check whether nss-ldap is
+ # When installing without the "--no-sudo" option, check whether sudo is
+ # available.
+ if options.conf_sudo:
+ try:
+ subprocess.Popen(['sudo -V'])
+ except FileNotFoundError:
+ logger.info(
+ "The sudo binary does not seem to be present on this "
+ "system. Please consider installing sudo if required."
+ )
+
+ # when installing with the '--no-sssd' option, check whether nss-ldap is
# installed
if not options.sssd:
if not os.path.exists(paths.PAM_KRB5_SO):
--
2.29.2
From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Thu, 10 Dec 2020 07:55:16 +0200
Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
On 10.10+ releases of Dogtag, the PKI installer will not depend
on sudo anymore. This opens the possibility of creating IPA servers
without a properly configured sudo.
In fact, even IPA clients should have sudo and libsss_sudo installed
in most cases, so add a weak dependency on both of them to the client
subpackage.
Also make sure libsss_sudo is installed if sudo is present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Michal Polovka <mpolovka@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
freeipa.spec.in | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index ba52a3834..93e473ac4 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -640,6 +640,11 @@ Requires: nfs-utils
Requires: sssd-tools >= %{sssd_version}
Requires(post): policycoreutils
+# https://pagure.io/freeipa/issue/8530
+Recommends: libsss_sudo
+Recommends: sudo
+Requires: (libsss_sudo if sudo)
+
Provides: %{alt_name}-client = %{version}
Conflicts: %{alt_name}-client
Obsoletes: %{alt_name}-client < %{version}
--
2.29.2


@ -1,60 +0,0 @@
From 6b25cd3241a5609b4d903d5697b8947fab403c90 Mon Sep 17 00:00:00 2001
From: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Date: Wed, 17 Feb 2021 19:43:00 +0530
Subject: [PATCH] ipatests: error message check in uninstall log for KRA
This test checks that there is no error message in uninstall
log for KRA instance when IPA was installed with KRA.
related: https://pagure.io/freeipa/issue/8550
Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_backup_and_restore.py | 22 ++++++++++++++++---
1 file changed, 19 insertions(+), 3 deletions(-)
diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
index f13dfb5cb..6890ef201 100644
--- a/ipatests/test_integration/test_backup_and_restore.py
+++ b/ipatests/test_integration/test_backup_and_restore.py
@@ -451,9 +451,11 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest):
backup_path = tasks.get_backup_dir(self.master)
- self.master.run_command(['ipa-server-install',
- '--uninstall',
- '-U'])
+ # check that no error message in uninstall log for KRA instance
+ cmd = self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+ assert "failed to uninstall KRA" not in cmd.stderr_text
if reinstall:
tasks.install_master(self.master, setup_dns=True)
@@ -482,6 +484,20 @@ class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA):
"""backup, uninstall, reinstall, restore"""
self._full_backup_restore_with_vault(reinstall=True)
+ def test_no_error_message_with_uninstall_ipa_with_kra(self):
+ """Test there is no error message in uninstall log for KRA instance
+
+ There was error message in uninstall log when IPA with KRA was
+ uninstalled. This test check that there is no error message in
+ uninstall log for kra instance.
+
+ related: https://pagure.io/freeipa/issue/8550
+ """
+ cmd = self.master.run_command(['ipa-server-install',
+ '--uninstall',
+ '-U'])
+ assert "failed to uninstall KRA" not in cmd.stderr_text
+
class TestBackupAndRestoreWithReplica(IntegrationTest):
"""Regression tests for issues 7234 and 7455
--
2.29.2


@ -1,119 +0,0 @@
From 6d7b2d7d1b4711255ea72d62d27b5c5f4ec7c6e1 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sorlov@redhat.com>
Date: Tue, 16 Feb 2021 12:32:55 +0100
Subject: [PATCH] ipatests: skip tests for AD trust with shared secret in FIPS
mode
Related to https://pagure.io/freeipa/issue/8715
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_integration/test_trust.py | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
index 3e522617d..c8a348212 100644
--- a/ipatests/test_integration/test_trust.py
+++ b/ipatests/test_integration/test_trust.py
@@ -5,6 +5,7 @@ from __future__ import absolute_import
import re
import textwrap
import time
+import functools
import pytest
@@ -13,6 +14,7 @@ from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration import fips
from ipapython.dn import DN
from collections import namedtuple
from contextlib import contextmanager
@@ -20,6 +22,18 @@ from contextlib import contextmanager
TestDataRule = namedtuple('TestDataRule',
['name', 'ruletype', 'user', 'subject'])
+
+def skip_in_fips_mode_due_to_issue_8715(test_method):
+ @functools.wraps(test_method)
+ def wrapper(instance):
+ if fips.is_fips_enabled(instance.master):
+ pytest.skip('Skipping in FIPS mode due to '
+ 'https://pagure.io/freeipa/issue/8715')
+ else:
+ test_method(instance)
+ return wrapper
+
+
class BaseTestTrust(IntegrationTest):
num_clients = 1
topology = 'line'
@@ -751,6 +765,7 @@ class TestTrust(BaseTestTrust):
# Test for one-way forest trust with shared secret
+ @skip_in_fips_mode_due_to_issue_8715
def test_establish_forest_trust_with_shared_secret(self):
tasks.configure_dns_for_trust(self.master, self.ad)
tasks.configure_windows_dns_for_trust(self.ad, self.master)
@@ -775,6 +790,7 @@ class TestTrust(BaseTestTrust):
tasks.establish_trust_with_ad(
self.master, self.ad_domain, shared_secret=self.shared_secret)
+ @skip_in_fips_mode_due_to_issue_8715
def test_trustdomains_found_in_forest_trust_with_shared_secret(self):
result = self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad.domain.name],
@@ -783,6 +799,7 @@ class TestTrust(BaseTestTrust):
self.check_trustdomains(
self.ad_domain, [self.ad_domain, self.ad_subdomain])
+ @skip_in_fips_mode_due_to_issue_8715
def test_user_gid_uid_resolution_in_forest_trust_with_shared_secret(self):
"""Check that user has SID-generated UID"""
# Using domain name since it is lowercased realm name for AD domains
@@ -801,6 +818,7 @@ class TestTrust(BaseTestTrust):
assert re.search(
testuser_regex, result.stdout_text), result.stdout_text
+ @skip_in_fips_mode_due_to_issue_8715
def test_remove_forest_trust_with_shared_secret(self):
ps_cmd = (
'[System.DirectoryServices.ActiveDirectory.Forest]'
@@ -823,6 +841,7 @@ class TestTrust(BaseTestTrust):
# Test for one-way external trust with shared secret
+ @skip_in_fips_mode_due_to_issue_8715
def test_establish_external_trust_with_shared_secret(self):
tasks.configure_dns_for_trust(self.master, self.ad)
tasks.configure_windows_dns_for_trust(self.ad, self.master)
@@ -838,6 +857,7 @@ class TestTrust(BaseTestTrust):
self.master, self.ad_domain, shared_secret=self.shared_secret,
extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
+ @skip_in_fips_mode_due_to_issue_8715
def test_trustdomains_found_in_external_trust_with_shared_secret(self):
result = self.master.run_command(
['ipa', 'trust-fetch-domains', self.ad.domain.name],
@@ -846,6 +866,7 @@ class TestTrust(BaseTestTrust):
self.check_trustdomains(
self.ad_domain, [self.ad_domain])
+ @skip_in_fips_mode_due_to_issue_8715
def test_user_uid_resolution_in_external_trust_with_shared_secret(self):
"""Check that user has SID-generated UID"""
# Using domain name since it is lowercased realm name for AD domains
@@ -864,6 +885,7 @@ class TestTrust(BaseTestTrust):
assert re.search(
testuser_regex, result.stdout_text), result.stdout_text
+ @skip_in_fips_mode_due_to_issue_8715
def test_remove_external_trust_with_shared_secret(self):
self.ad.run_command(
['netdom.exe', 'trust', self.master.domain.name,
--
2.29.2


@ -1,347 +0,0 @@
From a0626e09b3eaf5d030982e2ff03e95841ad1b4b9 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 3 Feb 2021 15:52:05 -0500
Subject: [PATCH] ipa-cert-fix: Don't hardcode the NSS certificate nickname
The nickname of the 389-ds certificate was hardcoded as
Server-Cert which failed if the user had installed a
third-party certificate using ipa-server-certinstall.
Instead pull the nickname from the DS configuration and
retrieve it based on that.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 2f2c15613..29af89cd5 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -203,9 +203,12 @@ def expired_ipa_certs(now):
certs.append((IPACertType.HTTPS, cert))
# LDAPS
- ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
+ serverid = realm_to_serverid(api.env.realm)
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
+ ds_dbdir = dsinstance.config_dirname(serverid)
+ ds_nickname = ds.get_server_cert_nickname(serverid)
db = NSSDatabase(nssdir=ds_dbdir)
- cert = db.get_cert('Server-Cert')
+ cert = db.get_cert(ds_nickname)
if cert.not_valid_after <= now:
certs.append((IPACertType.LDAPS, cert))
@@ -344,11 +347,13 @@ def install_ipa_certs(subject_base, ca_subject_dn, certs):
elif certtype is IPACertType.HTTPS:
shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
elif certtype is IPACertType.LDAPS:
- ds_dbdir = dsinstance.config_dirname(
- realm_to_serverid(api.env.realm))
+ serverid = realm_to_serverid(api.env.realm)
+ ds = dsinstance.DsInstance(realm_name=api.env.realm)
+ ds_dbdir = dsinstance.config_dirname(serverid)
db = NSSDatabase(nssdir=ds_dbdir)
- db.delete_cert('Server-Cert')
- db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path)
+ ds_nickname = ds.get_server_cert_nickname(serverid)
+ db.delete_cert(ds_nickname)
+ db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path)
elif certtype is IPACertType.KDC:
shutil.copyfile(cert_path, paths.KDC_CERT)
--
2.29.2
From 660507fda2394b17d709c47a05ce5df548a47990 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 4 Feb 2021 08:25:48 -0500
Subject: [PATCH] ipatests: test third-party 389-ds cert with ipa-cert-fix
ipa-cert-fix was hardcoded to use Server-Cert as the nickname
so would fail if a third-party certificate was installed for DS.
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 57 +++++++++++++++++++
1 file changed, 57 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 2f7de5526..f9e5fe6e2 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -11,6 +11,17 @@ import time
from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
+from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+
+
+def server_install_teardown(func):
+ def wrapped(*args):
+ master = args[0].master
+ try:
+ func(*args)
+ finally:
+ ipa_certs_cleanup(master)
+ return wrapped
class TestIpaCertFix(IntegrationTest):
@@ -94,3 +105,49 @@ class TestIpaCertFix(IntegrationTest):
else:
# timeout
raise AssertionError('Timeout: Failed to renew all the certs')
+
+
+class TestIpaCertFixThirdParty(CALessBase):
+ """
+ Test that ipa-cert-fix works with an installation with custom certs.
+ """
+
+ @classmethod
+ def install(cls, mh):
+ cls.nickname = 'ca1/server'
+
+ super(TestIpaCertFixThirdParty, cls).install(mh)
+ tasks.install_master(cls.master, setup_dns=True)
+
+ @server_install_teardown
+ def test_third_party_certs(self):
+ self.create_pkcs12(self.nickname,
+ password=self.cert_password,
+ filename='server.p12')
+ self.prepare_cacert('ca1')
+
+ # We have a chain length of one. If this is extended then the
+ # additional cert names will need to be calculated.
+ nick_chain = self.nickname.split('/')
+ ca_cert = '%s.crt' % nick_chain[0]
+
+ # Add the CA to the IPA store
+ self.copy_cert(self.master, ca_cert)
+ self.master.run_command(['ipa-cacert-manage', 'install', ca_cert])
+
+ # Apply the new cert chain otherwise ipa-server-certinstall will fail
+ self.master.run_command(['ipa-certupdate'])
+
+ # Install the updated certs and restart the world
+ self.copy_cert(self.master, 'server.p12')
+ args = ['ipa-server-certinstall',
+ '-p', self.master.config.dirman_password,
+ '--pin', self.master.config.admin_password,
+ '-d', 'server.p12']
+ self.master.run_command(args)
+ self.master.run_command(['ipactl', 'restart',])
+
+ # Run ipa-cert-fix. This is basically a no-op but tests that
+ # the DS nickname is used and not a hardcoded value.
+ result = self.master.run_command(['ipa-cert-fix', '-v'],)
+ assert self.nickname in result.stderr_text
--
2.29.2
From 4cb6f0ba0df928eea60b20892a6fc85373627946 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 5 Feb 2021 09:00:54 -0500
Subject: [PATCH] Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
Related: https://github.com/dogtagpki/pki/issues/3387
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
freeipa.spec.in | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 93e473ac4..0e261285b 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -128,11 +128,11 @@
%if 0%{?rhel} == 8
# PKIConnection has been modified to always validate certs.
# https://pagure.io/freeipa/issue/8379
-%global pki_version 10.9.0-0.4
+%global pki_version 10.10.4-1
%else
# New KRA profile, ACME support
# https://pagure.io/freeipa/issue/8545
-%global pki_version 10.10.0-2
+%global pki_version 10.10.3-1
%endif
# RHEL 8.3+, F32+ has 0.79.13
--
2.29.2
From f3463728f2196589d36e14cedccb26c03730a7c0 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Wed, 10 Feb 2021 16:07:13 -0500
Subject: [PATCH] Don't renew non-IPA issued certs in ipa-cert-fix
If the Apache, 389-ds or KDC certificate was issued by
a third party there is nothing we can do, regardless of
whether it is expired or not.
Report which certificates will not be renewed so the
admin can manually do do (likely in the event of a
third-party certificate).
https://pagure.io/freeipa/issue/8600
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/ipa_cert_fix.py | 53 +++++++++++++++++++++++++------
1 file changed, 43 insertions(+), 10 deletions(-)
diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
index 29af89cd5..210cf80f1 100644
--- a/ipaserver/install/ipa_cert_fix.py
+++ b/ipaserver/install/ipa_cert_fix.py
@@ -43,6 +43,7 @@ from ipapython.certdb import NSSDatabase, EMPTY_TRUST_FLAGS
from ipapython.dn import DN
from ipapython.ipaldap import realm_to_serverid
from ipaserver.install import ca, cainstance, dsinstance
+from ipaserver.install.certs import is_ipa_issued_cert
from ipapython import directivesetter
from ipapython import ipautil
@@ -104,6 +105,13 @@ class IPACertFix(AdminTool):
api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
api.finalize()
+
+ if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
+ print(
+ "The LDAP server is not running; cannot proceed."
+ )
+ return 1
+
api.Backend.ldap2.connect() # ensure DS is up
subject_base = dsinstance.DsInstance().find_subject_base()
@@ -113,7 +121,7 @@ class IPACertFix(AdminTool):
ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
now = datetime.datetime.now() + datetime.timedelta(weeks=2)
- certs, extra_certs = expired_certs(now)
+ certs, extra_certs, non_renewed = expired_certs(now)
if not certs and not extra_certs:
print("Nothing to do.")
@@ -121,7 +129,7 @@ class IPACertFix(AdminTool):
print(msg)
- print_intentions(certs, extra_certs)
+ print_intentions(certs, extra_certs, non_renewed)
response = ipautil.user_input('Enter "yes" to proceed')
if response.lower() != 'yes':
@@ -133,7 +141,10 @@ class IPACertFix(AdminTool):
fix_certreq_directives(certs)
run_cert_fix(certs, extra_certs)
except ipautil.CalledProcessError:
- if any(x[0] is IPACertType.LDAPS for x in extra_certs):
+ if any(
+ x[0] is IPACertType.LDAPS
+ for x in extra_certs + non_renewed
+ ):
# The DS cert was expired. This will cause
# 'pki-server cert-fix' to fail at the final
# restart. Therefore ignore the CalledProcessError
@@ -152,13 +163,15 @@ class IPACertFix(AdminTool):
print("Becoming renewal master.")
cainstance.CAInstance().set_renewal_master()
+ print("Restarting IPA")
ipautil.run(['ipactl', 'restart'], raiseonerr=True)
return 0
def expired_certs(now):
- return expired_dogtag_certs(now), expired_ipa_certs(now)
+ expired_ipa, non_renew_ipa = expired_ipa_certs(now)
+ return expired_dogtag_certs(now), expired_ipa, non_renew_ipa
def expired_dogtag_certs(now):
@@ -191,6 +204,7 @@ def expired_ipa_certs(now):
"""
certs = []
+ non_renewed = []
# IPA RA
cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
@@ -200,7 +214,10 @@ def expired_ipa_certs(now):
# Apache HTTPD
cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
if cert.not_valid_after <= now:
- certs.append((IPACertType.HTTPS, cert))
+ if not is_ipa_issued_cert(api, cert):
+ non_renewed.append((IPACertType.HTTPS, cert))
+ else:
+ certs.append((IPACertType.HTTPS, cert))
# LDAPS
serverid = realm_to_serverid(api.env.realm)
@@ -210,18 +227,24 @@ def expired_ipa_certs(now):
db = NSSDatabase(nssdir=ds_dbdir)
cert = db.get_cert(ds_nickname)
if cert.not_valid_after <= now:
- certs.append((IPACertType.LDAPS, cert))
+ if not is_ipa_issued_cert(api, cert):
+ non_renewed.append((IPACertType.LDAPS, cert))
+ else:
+ certs.append((IPACertType.LDAPS, cert))
# KDC
cert = x509.load_certificate_from_file(paths.KDC_CERT)
if cert.not_valid_after <= now:
- certs.append((IPACertType.KDC, cert))
+ if not is_ipa_issued_cert(api, cert):
+ non_renewed.append((IPACertType.HTTPS, cert))
+ else:
+ certs.append((IPACertType.KDC, cert))
- return certs
+ return certs, non_renewed
-def print_intentions(dogtag_certs, ipa_certs):
- print("The following certificates will be renewed: ")
+def print_intentions(dogtag_certs, ipa_certs, non_renewed):
+ print("The following certificates will be renewed:")
print()
for certid, cert in dogtag_certs:
@@ -230,6 +253,16 @@ def print_intentions(dogtag_certs, ipa_certs):
for certtype, cert in ipa_certs:
print_cert_info("IPA", certtype.value, cert)
+ if non_renewed:
+ print(
+ "The following certificates will NOT be renewed because "
+ "they were not issued by the IPA CA:"
+ )
+ print()
+
+ for certtype, cert in non_renewed:
+ print_cert_info("IPA", certtype.value, cert)
+
def print_cert_info(context, desc, cert):
print("{} {} certificate:".format(context, desc))
--
2.29.2


@ -1,135 +0,0 @@
From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001
From: Sergey Orlov <sorlov@redhat.com>
Date: Wed, 17 Feb 2021 16:48:33 +0100
Subject: [PATCH] ipatests: test Samba mount with NTLM authentication
Related to https://pagure.io/freeipa/issue/8636
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/pytest_ipa/integration/__init__.py | 17 ++++++
ipatests/test_integration/test_smb.py | 63 +++++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py
index 55291ae8b..f62b667bd 100644
--- a/ipatests/pytest_ipa/integration/__init__.py
+++ b/ipatests/pytest_ipa/integration/__init__.py
@@ -28,12 +28,14 @@ import os
import tempfile
import shutil
import re
+import functools
import pytest
from pytest_multihost import make_multihost_fixture
from ipapython import ipautil
from ipaplatform.paths import paths
+from . import fips
from .config import Config
from .env_config import get_global_config
from . import tasks
@@ -478,3 +480,18 @@ def del_compat_attrs(cls):
del cls.ad_subdomains
del cls.ad_treedomains
del cls.ad_domains
+
+
+def skip_if_fips(reason='Not supported in FIPS mode', host='master'):
+ if callable(reason):
+ raise TypeError('Invalid decorator usage, add "()"')
+
+ def decorator(test_method):
+ @functools.wraps(test_method)
+ def wrapper(instance, *args, **kwargs):
+ if fips.is_fips_enabled(getattr(instance, host)):
+ pytest.skip(reason)
+ else:
+ test_method(instance, *args, **kwargs)
+ return wrapper
+ return decorator
diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
index 37725ab15..749a96325 100644
--- a/ipatests/test_integration/test_smb.py
+++ b/ipatests/test_integration/test_smb.py
@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
from ipaplatform.osinfo import osinfo
from ipaplatform.paths import paths
+from ipatests.pytest_ipa.integration import skip_if_fips
def wait_smbd_functional(host):
@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest):
finally:
self.cleanup_mount(mountpoint)
+ def check_repeated_smb_mount(self, options):
+ mountpoint = '/mnt/smb'
+ unc = '//{}/homes'.format(self.smbserver.hostname)
+ test_file = 'ntlm_test'
+ test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file)
+ test_file_client_path = '{}/{}'.format(mountpoint, test_file)
+
+ self.smbclient.run_command(['mkdir', '-p', mountpoint])
+ self.smbserver.put_file_contents(test_file_server_path, '')
+ try:
+ for i in [1, 2]:
+ res = self.smbclient.run_command([
+ 'mount', '-t', 'cifs', unc, mountpoint, '-o', options],
+ raiseonerr=False)
+ assert res.returncode == 0, (
+ 'Mount failed at iteration {}. Output: {}'
+ .format(i, res.stdout_text + res.stderr_text))
+ assert self.smbclient.transport.file_exists(
+ test_file_client_path)
+ self.smbclient.run_command(['umount', mountpoint])
+ finally:
+ self.cleanup_mount(mountpoint)
+ self.smbserver.run_command(['rm', '-f', test_file_server_path])
+
+ @skip_if_fips()
+ def test_ntlm_authentication_with_auto_domain(self):
+ """Repeatedly try to authenticate with username and password with
+ automatic domain discovery.
+
+ This is a regression test for https://pagure.io/freeipa/issue/8636
+ """
+ tasks.kdestroy_all(self.smbclient)
+
+ mount_options = 'user={user},pass={password},domainauto'.format(
+ user=self.ipa_user1,
+ password=self.ipa_user1_password
+ )
+
+ self.check_repeated_smb_mount(mount_options)
+
+ @skip_if_fips()
+ def test_ntlm_authentication_with_upn_with_lowercase_domain(self):
+ tasks.kdestroy_all(self.smbclient)
+
+ mount_options = 'user={user}@{domain},pass={password}'.format(
+ user=self.ipa_user1,
+ password=self.ipa_user1_password,
+ domain=self.master.domain.name.lower()
+ )
+ self.check_repeated_smb_mount(mount_options)
+
+ @skip_if_fips()
+ def test_ntlm_authentication_with_upn_with_uppercase_domain(self):
+ tasks.kdestroy_all(self.smbclient)
+
+ mount_options = 'user={user}@{domain},pass={password}'.format(
+ user=self.ipa_user1,
+ password=self.ipa_user1_password,
+ domain=self.master.domain.name.upper()
+ )
+ self.check_repeated_smb_mount(mount_options)
+
def test_uninstall_samba(self):
self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U'])
res = self.smbserver.run_command(
--
2.29.2


@ -1,79 +0,0 @@
From 20bb855a57080145d0d5555294381c890ef605bb Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Tue, 16 Feb 2021 16:53:24 +0100
Subject: [PATCH] ipaserver: don't ignore zonemgr option on install
Fix zonemgr option in ipaserver install being
ignored because of an incorrect condition.
Fixes: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipaserver/install/bindinstance.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 3b446ce76..19941cd00 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -355,7 +355,7 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None,
else:
update_policy = get_dns_forward_zone_update_policy(api.env.realm)
- if zonemgr is None:
+ if not zonemgr:
zonemgr = 'hostmaster.%s' % name
if ns_hostname:
@@ -682,7 +682,7 @@ class BindInstance(service.Service):
self.forward_policy = forward_policy
self.reverse_zones = reverse_zones
- if zonemgr is not None:
+ if not zonemgr:
self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
else:
self.zonemgr = normalize_zonemgr(zonemgr)
--
2.29.2
From 82043e1fd052618608d3b7786473a632478795ee Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Tue, 16 Feb 2021 18:24:26 +0100
Subject: [PATCH] ipatests: check that zonemgr is set correctly during server
install
Add test to check that zonemgr is correctly
set when installing IPA server.
Related: https://pagure.io/freeipa/issue/8718
Signed-off-by: Antonio Torres <antorres@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
ipatests/test_integration/test_installation.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 6e8af024c..18c5bd243 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1171,6 +1171,13 @@ class TestInstallMasterDNS(IntegrationTest):
extra_args=['--zonemgr', 'me@example.org'],
)
+ tasks.kinit_admin(self.master)
+ result = self.master.run_command(
+ ['ipa', 'dnszone-show', self.master.domain.name]
+ ).stdout_text
+
+ assert "Administrator e-mail address: me.example.org" in result
+
def test_server_install_lock_bind_recursion(self):
"""Test if server installer lock Bind9 recursion
--
2.29.2


@ -1,318 +0,0 @@
From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Tue, 2 Feb 2021 17:33:57 +0530
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs
Test moves system date to expire certs. Then calls ipa-cert-fix
to renew them. This certs include subsystem, audit-signing,
OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 60 +++++++++++++++++++
1 file changed, 60 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index f9e5fe6e2..da68af573 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI.
import pytest
import time
+import logging
from ipaplatform.paths import paths
from ipatests.pytest_ipa.integration import tasks
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
+logger = logging.getLogger(__name__)
+
+
def server_install_teardown(func):
def wrapped(*args):
master = args[0].master
@@ -24,6 +28,26 @@ def server_install_teardown(func):
return wrapped
+def check_status(host, cert_count, state, timeout=600):
+ """Helper method to check that if all the certs are in given state
+ :param host: the host
+ :param cert_count: no of cert to look for
+ :param state: state to check for
+ :param timeout: max time in seconds to wait for the state
+ """
+ for _i in range(0, timeout, 10):
+ result = host.run_command(['getcert', 'list'])
+ count = result.stdout_text.count(f"status: {state}")
+ logger.info("cert count in %s state : %s", state, count)
+ if int(count) == cert_count:
+ break
+ time.sleep(10)
+ else:
+ raise RuntimeError("request timed out")
+
+ return count
+
+
class TestIpaCertFix(IntegrationTest):
@classmethod
def uninstall(cls, mh):
@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest):
# timeout
raise AssertionError('Timeout: Failed to renew all the certs')
+ def test_renew_expired_cert_on_master(self, expire_cert_critical):
+ """Test if ipa-cert-fix renews expired certs
+
+ Test moves system date to expire certs. Then calls ipa-cert-fix
+ to renew them. This certs include subsystem, audit-signing,
+ OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ # wait for cert expiry
+ check_status(self.master, 8, "CA_UNREACHABLE")
+
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+ check_status(self.master, 9, "MONITORING")
+
+ # second iteration of ipa-cert-fix
+ result = self.master.run_command(
+ ['ipa-cert-fix', '-v'],
+ stdin_text='yes\n'
+ )
+ assert "Nothing to do" in result.stdout_text
+ check_status(self.master, 9, "MONITORING")
+
+ def test_ipa_cert_fix_non_ipa(self):
+ """Test ipa-cert-fix doesn't work on non ipa system
+
+ ipa-cert-fix tool should not work on non ipa system.
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ result = self.master.run_command(['ipa-cert-fix', '-v'],
+ stdin_text='yes\n',
+ raiseonerr=False)
+ assert result.returncode == 2
+
class TestIpaCertFixThirdParty(CALessBase):
"""
--
2.29.2
From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 11 Feb 2021 16:54:22 +0530
Subject: [PATCH] Move fixture outside the class and add setup_kra capability
Moved fixture to use across multiple classes. Added capability
to install the KRA to the fixture
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 46 ++++++++++++-------
1 file changed, 30 insertions(+), 16 deletions(-)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index da68af573..591dc5031 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600):
return count
+@pytest.fixture
+def expire_cert_critical():
+ """
+ Fixture to expire the certs by moving the system date using
+ date -s command and revert it back
+ """
+
+ hosts = dict()
+
+ def _expire_cert_critical(host, setup_kra=False):
+ hosts['host'] = host
+ # Do not install NTP as the test plays with the date
+ tasks.install_master(host, setup_dns=False,
+ extra_args=['--no-ntp'])
+ if setup_kra:
+ tasks.install_kra(host)
+ host.run_command(['systemctl', 'stop', 'chronyd'])
+ host.run_command(['date', '-s', '+3Years+1day'])
+
+ yield _expire_cert_critical
+
+ host = hosts.pop('host')
+ tasks.uninstall_master(host)
+ host.run_command(['date', '-s', '-3Years-1day'])
+ host.run_command(['systemctl', 'start', 'chronyd'])
+
+
class TestIpaCertFix(IntegrationTest):
@classmethod
def uninstall(cls, mh):
@@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest):
# the fixture
pass
- @pytest.fixture
- def expire_cert_critical(self):
- """
- Fixture to expire the certs by moving the system date using
- date -s command and revert it back
- """
- # Do not install NTP as the test plays with the date
- tasks.install_master(self.master, setup_dns=False,
- extra_args=['--no-ntp'])
- self.master.run_command(['systemctl', 'stop', 'chronyd'])
- self.master.run_command(['date','-s', '+3Years+1day'])
- yield
- tasks.uninstall_master(self.master)
- self.master.run_command(['date','-s', '-3Years-1day'])
- self.master.run_command(['systemctl', 'start', 'chronyd'])
-
def test_missing_csr(self, expire_cert_critical):
"""
Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest):
- call getcert resubmit in order to create the CSR in certmonger file
- use ipa-cert-fix, no issue should be seen
"""
+ expire_cert_critical(self.master)
# pki must be stopped in order to edit CS.cfg
self.master.run_command(['ipactl', 'stop'])
self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d',
@@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest):
related: https://pagure.io/freeipa/issue/7885
"""
+ expire_cert_critical(self.master)
+
# wait for cert expiry
check_status(self.master, 8, "CA_UNREACHABLE")
--
2.29.2
From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Thu, 11 Feb 2021 16:59:53 +0530
Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra
installed
This test check if ipa-cert-fix renews certs with kra
certificate installed.
related: https://pagure.io/freeipa/issue/7885
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
.../test_integration/test_ipa_cert_fix.py | 25 +++++++++++++++++++
1 file changed, 25 insertions(+)
diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
index 591dc5031..b2e92d4dc 100644
--- a/ipatests/test_integration/test_ipa_cert_fix.py
+++ b/ipatests/test_integration/test_ipa_cert_fix.py
@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase):
# the DS nickname is used and not a hardcoded value.
result = self.master.run_command(['ipa-cert-fix', '-v'],)
assert self.nickname in result.stderr_text
+
+
+class TestCertFixKRA(IntegrationTest):
+ @classmethod
+ def uninstall(cls, mh):
+ # Uninstall method is empty as the uninstallation is done in
+ # the fixture
+ pass
+
+ def test_renew_expired_cert_with_kra(self, expire_cert_critical):
+ """Test if ipa-cert-fix renews expired certs with kra installed
+
+ This test check if ipa-cert-fix renews certs with kra
+ certificate installed.
+
+ related: https://pagure.io/freeipa/issue/7885
+ """
+ expire_cert_critical(self.master, setup_kra=True)
+
+ # check if all subsystem cert expired
+ check_status(self.master, 11, "CA_UNREACHABLE")
+
+ self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
+
+ check_status(self.master, 12, "MONITORING")
--
2.29.2
From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001
From: Mohammad Rizwan <myusuf@redhat.com>
Date: Tue, 2 Mar 2021 11:42:36 +0530
Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite
Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml | 2 +-
ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +-
ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
index ebd539246..8a88698eb 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
@@ -1687,5 +1687,5 @@ jobs:
build_url: '{fedora-latest-ipa-4-9/build_url}'
test_suite: test_integration/test_ipa_cert_fix.py
template: *ci-ipa-4-9-latest
- timeout: 3600
+ timeout: 7200
topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
index d4b597d6e..14f0c4292 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
@@ -1821,5 +1821,5 @@ jobs:
selinux_enforcing: True
test_suite: test_integration/test_ipa_cert_fix.py
template: *ci-ipa-4-9-latest
- timeout: 3600
+ timeout: 7200
topology: *master_1repl
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
index 1fd589e6a..b7f8d2b3e 100644
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
@@ -1687,5 +1687,5 @@ jobs:
build_url: '{fedora-previous-ipa-4-9/build_url}'
test_suite: test_integration/test_ipa_cert_fix.py
template: *ci-ipa-4-9-previous
- timeout: 3600
+ timeout: 7200
topology: *master_1repl
--
2.29.2


@ -1,37 +0,0 @@
From caf748860860293e010e695d72f6b3b3d8509f8a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 2 Mar 2021 08:44:35 +0100
Subject: [PATCH] ipatests: use whole date when calling journalctl --since
The test test_commands.py::TestIPACommand::test_ssh_key_connection
is checking the content of the journal using journalctl --since ...
but provides only the time, not the whole date with year-month-day.
As a consequence, if the test is executed around midnight it may
find nothing in the journal because it's looking for logs after 11:50PM,
which is a date in the future.
The fix provides a complete date with year-month-day hours:min:sec.
Fixes: https://pagure.io/freeipa/issue/8728
Reviewed-By: Francois Cami <fcami@redhat.com>
---
ipatests/test_integration/test_commands.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 45f642bf2..b7ffb926f 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -642,7 +642,8 @@ class TestIPACommand(IntegrationTest):
# start to look at logs a bit before "now"
# https://pagure.io/freeipa/issue/8432
since = time.strftime(
- '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
+ '%Y-%m-%d %H:%M:%S',
+ (datetime.now() - timedelta(seconds=10)).timetuple()
)
tasks.run_ssh_cmd(
--
2.29.2


@ -1,594 +0,0 @@
From 2832810891acfaca68142df7271d6f0a50a588eb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 19 Feb 2021 15:37:47 +0200
Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
Calling to ipadb_get_connection() will remove LDAP context if any error
happens. This means upper layers must always verify that LDAP context
exists after such calls.
ipadb_get_user_auth() may re-read global configuration and that may fail
and cause IPA context to have NULL LDAP context.
Fixes: https://pagure.io/freeipa/issue/8681
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb.c | 1 +
daemons/ipa-kdb/ipa_kdb_mspac.c | 32 +++++++++++++++-------------
daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
3 files changed, 37 insertions(+), 22 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
index 43ba955ac..6e1e3e351 100644
--- a/daemons/ipa-kdb/ipa_kdb.c
+++ b/daemons/ipa-kdb/ipa_kdb.c
@@ -57,6 +57,7 @@ static void ipadb_context_free(krb5_context kcontext,
/* ldap free lcontext */
if ((*ctx)->lcontext) {
ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
+ (*ctx)->lcontext = NULL;
}
free((*ctx)->supp_encs);
free((*ctx)->def_encs);
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 31f617129..81a8fd483 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -418,7 +418,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
krb5_timestamp authtime,
struct netr_SamInfo3 *info3)
{
- LDAP *lcontext = ipactx->lcontext;
LDAPDerefRes *deref_results = NULL;
struct dom_sid sid;
gid_t prigid = -1;
@@ -435,7 +434,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
bool is_idobject = false;
krb5_principal princ;
- ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
+ ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
&objectclasses);
if (ret == 0 && objectclasses != NULL) {
for (c = 0; objectclasses[c] != NULL; c++) {
@@ -472,13 +471,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
if (is_host) {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
if (ret) {
/* fqdn is mandatory for hosts */
return ret;
}
} else if (is_service) {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "krbCanonicalName", &strres);
if (ret) {
/* krbCanonicalName is mandatory for services */
return ret;
@@ -498,7 +498,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ENOENT;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
if (ret) {
/* uid is mandatory */
return ret;
@@ -511,7 +511,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
if (is_host || is_service) {
prigid = 515; /* Well known RID for domain computers group */
} else {
- ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
+ "gidNumber", &intres);
if (ret) {
/* gidNumber is mandatory */
return ret;
@@ -544,7 +545,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.kickoff_time = INT64_MAX;
#endif
- ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
"krbLastPwdChange", &timeres);
switch (ret) {
case 0:
@@ -562,7 +563,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.allow_password_change = info3->base.last_password_change;
info3->base.force_password_change = INT64_MAX;
- ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
switch (ret) {
case 0:
info3->base.full_name.string = talloc_strdup(memctx, strres);
@@ -575,7 +576,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTLogonScript", &strres);
switch (ret) {
case 0:
@@ -589,7 +590,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTProfilePath", &strres);
switch (ret) {
case 0:
@@ -603,7 +604,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectory", &strres);
switch (ret) {
case 0:
@@ -617,7 +618,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
return ret;
}
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTHomeDirectoryDrive", &strres);
switch (ret) {
case 0:
@@ -648,7 +649,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
info3->base.rid = 515;
}
} else {
- ret = ipadb_ldap_attr_to_str(lcontext, lentry,
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
"ipaNTSecurityIdentifier", &strres);
if (ret) {
/* SID is mandatory */
@@ -665,7 +666,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
}
}
- ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
+ ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
switch (ret) {
LDAPDerefRes *dres;
LDAPDerefVal *dval;
@@ -2511,7 +2512,7 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{
struct ipadb_adtrusts *t;
- LDAP *lc = ipactx->lcontext;
+ LDAP *lc = NULL;
char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
"ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
"ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
@@ -2545,6 +2546,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
goto done;
}
+ lc = ipactx->lcontext;
for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
dnstr = ldap_get_dn(lc, le);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index d1fa51578..cf1b4f53e 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -333,6 +333,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
if (gcfg != NULL)
gua = gcfg->user_auth;
+ /* lcontext == NULL means ipadb_get_global_config() failed to load
+ * global config and cleared the ipactx */
+ if (ipactx->lcontext == NULL)
+ return IPADB_USER_AUTH_NONE;
+
/* Get the user's user_auth settings if not disabled. */
if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
@@ -607,8 +612,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
free(entry);
return KRB5_KDB_DBNOTINITED;
}
- lcontext = ipactx->lcontext;
- if (!lcontext) {
+
+ entry->magic = KRB5_KDB_MAGIC_NUMBER;
+ entry->len = KRB5_KDB_V1_BASE_LENGTH;
+
+ /* Get User Auth configuration. */
+ ua = ipadb_get_user_auth(ipactx, lentry);
+
+ /* ipadb_get_user_auth() calls into ipadb_get_global_config()
+ * and that might fail, causing lcontext to become NULL */
+ if (!ipactx->lcontext) {
krb5_klog_syslog(LOG_INFO,
"No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
ret = ipadb_get_connection(ipactx);
@@ -620,11 +633,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
}
}
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
-
- /* Get User Auth configuration. */
- ua = ipadb_get_user_auth(ipactx, lentry);
+ /* If any code below would result in invalidating ipactx->lcontext,
+ * lcontext must be updated with the new ipactx->lcontext value.
+ * We rely on the fact that none of LDAP-parsing helpers does it. */
+ lcontext = ipactx->lcontext;
/* ignore mask for now */
--
2.29.2
From 0da9de495ca41a1bf0926aef7c9c75c3e53dcd63 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 23 Feb 2021 10:06:25 +0200
Subject: [PATCH] ipa-kdb: fix compiler warnings
There are few fields in KDB structures that have 'conflicting' types but
need to be compared. They come from MIT Kerberos and we have no choice
here.
In the same way, SID structures have own requirements.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_audit_as.c | 4 ++--
daemons/ipa-kdb/ipa_kdb_mspac.c | 6 +++---
daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
daemons/ipa-kdb/ipa_kdb_pwdpolicy.c | 2 +-
4 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
index ed48ea758..ec2046bfe 100644
--- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
@@ -112,13 +112,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
if (krb5_ts_after(krb5_ts_incr(client->last_failed,
ied->pol->lockout_duration), authtime) &&
- (client->fail_auth_count >= ied->pol->max_fail &&
+ (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
ied->pol->max_fail != 0)) {
/* client already locked, nothing more to do */
break;
}
if (ied->pol->max_fail == 0 ||
- client->fail_auth_count < ied->pol->max_fail) {
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
/* let's increase the fail counter */
client->fail_auth_count++;
client->mask |= KMASK_FAIL_AUTH_COUNT;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 81a8fd483..9691b14f6 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -148,9 +148,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
{
- size_t c;
+ int8_t c;
size_t len;
- int ofs;
+ size_t ofs;
uint32_t ia;
char *buf;
@@ -2612,7 +2612,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
t[n].upn_suffixes_len = NULL;
if (t[n].upn_suffixes != NULL) {
- size_t len = 0;
+ int len = 0;
for (; t[n].upn_suffixes[len] != NULL; len++);
diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
index cf1b4f53e..0a98ff054 100644
--- a/daemons/ipa-kdb/ipa_kdb_principals.c
+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
@@ -494,7 +494,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
l = len;
for (i = 0; i < count; i++) {
ret = snprintf(ap, l, "%s ", authinds[i]);
- if (ret <= 0 || ret > l) {
+ if (ret <= 0 || ret > (int) l) {
ret = ENOMEM;
goto cleanup;
}
@@ -2086,7 +2086,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
char *s = NULL;
size_t ai_size = 0;
int cnt = 0;
- int i = 0;
+ size_t i = 0;
ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
if (ret) {
@@ -2467,7 +2467,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
{
krb5_error_code kerr;
LDAPMod *m = NULL;
- int i;
+ size_t i;
kerr = ipadb_mods_new(imods, &m);
if (kerr) {
diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
index 4965e6d7f..6f21ef867 100644
--- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
@@ -361,7 +361,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
}
if (ied->pol->max_fail == 0 ||
- client->fail_auth_count < ied->pol->max_fail) {
+ client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
/* still within allowed failures range */
return 0;
}
--
2.29.2
From c7ce801b590e29263e9b1904995c603735007771 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:51:40 +0200
Subject: [PATCH] ipa-kdb: add missing prototypes
On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
about function prototypes missing. If -Werror is specified, this breaks
compilation.
We also default to -Werror=implicit-function-declaration
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 4 ++++
daemons/ipa-kdb/ipa_kdb_mspac.c | 20 ++++++++++++--------
daemons/ipa-kdb/ipa_kdb_mspac_private.h | 4 ++++
3 files changed, 20 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
index a89f8bbda..aa61a2d1b 100644
--- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
@@ -14,6 +14,10 @@
#define ONE_DAY_SECONDS (24 * 60 * 60)
#define JITTER_WINDOW_SECONDS (1 * 60 * 60)
+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
+ int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
static void
jitter(krb5_deltat baseline, krb5_deltat *lifetime_out)
{
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 9691b14f6..47b12a16f 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -2408,9 +2408,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
*mspac = NULL;
}
-krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
- struct dom_sid **result_sids,
- int *result_length)
+static krb5_error_code
+ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
+ struct dom_sid **result_sids,
+ int *result_length)
{
int len, i;
char **source;
@@ -2441,9 +2442,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
return 0;
}
-krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
- char **sid_blocklist_incoming,
- char **sid_blocklist_outgoing)
+static krb5_error_code
+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
+ char **sid_blocklist_incoming,
+ char **sid_blocklist_outgoing)
{
krb5_error_code kerr;
@@ -2464,7 +2466,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
return 0;
}
-krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
+static krb5_error_code
+ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
{
char *attrs[] = { NULL };
char *filter = "(objectclass=ipaNTTrustedDomain)";
@@ -2509,7 +2512,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
}
}
-krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
+static krb5_error_code
+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
{
struct ipadb_adtrusts *t;
LDAP *lc = NULL;
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
index d23a14a0b..8c8a3a001 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
int string_to_sid(const char *str, struct dom_sid *sid);
char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
+krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
+ krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
+void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
+ bool *_with_pac, bool *_with_pad);
\ No newline at end of file
--
2.29.2
From f340baa4283c76957d9e0a85896c7fa3a994bba6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:52:15 +0200
Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
Add prototype to the exported function
Replace few tabs by spaces and mark static code as static.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
index bc6b26578..3a3060c92 100644
--- a/daemons/ipa-kdb/ipa_kdb_certauth.c
+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
time_t valid_until;
};
-void ipa_certmap_debug(void *private,
- const char *file, long line,
- const char *function,
- const char *format, ...)
+krb5_error_code certauth_ipakdb_initvt(krb5_context context,
+ int maj_ver, int min_ver,
+ krb5_plugin_vtable vtable);
+
+static void ipa_certmap_debug(void *private, const char *file, long line,
+ const char *function,
+ const char *format, ...)
{
va_list ap;
char str[255] = { 0 };
@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
* so there is nothing more to add here. */
auth_inds = calloc(2, sizeof(char *));
if (auth_inds != NULL) {
- ret = asprintf(&auth_inds[0], "pkinit");
- if (ret != -1) {
+ ret = asprintf(&auth_inds[0], "pkinit");
+ if (ret != -1) {
auth_inds[1] = NULL;
*authinds_out = auth_inds;
- } else {
- free(auth_inds);
+ } else {
+ free(auth_inds);
}
}
@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
size_t i = 0;
if ((authinds == NULL) || (moddata == NULL)) {
- return;
+ return;
}
for(i=0; authinds[i]; i++) {
- free(authinds[i]);
- authinds[i] = NULL;
+ free(authinds[i]);
+ authinds[i] = NULL;
}
free(authinds);
--
2.29.2
From 2968609fd9f8f91b704dc8167d39ecc67beb8ddd Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 24 Feb 2021 20:55:41 +0200
Subject: [PATCH] ipa-kdb: mark test functions as static
No need to define missing prototypes to single use test functions.
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
index 2a174ce6b..0b51ffb96 100644
--- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
@@ -181,7 +181,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
krb5_data realm,
struct PAC_LOGON_INFO_CTR *info);
-void test_filter_logon_info(void **state)
+static void test_filter_logon_info(void **state)
{
krb5_error_code kerr;
krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
@@ -316,10 +316,7 @@ void test_filter_logon_info(void **state)
}
-extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
- bool *with_pac, bool *with_pad);
-
-void test_get_authz_data_types(void **state)
+static void test_get_authz_data_types(void **state)
{
bool with_pac;
bool with_pad;
@@ -437,7 +434,7 @@ void test_get_authz_data_types(void **state)
krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
}
-void test_string_to_sid(void **state)
+static void test_string_to_sid(void **state)
{
int ret;
struct dom_sid sid;
@@ -469,7 +466,7 @@ void test_string_to_sid(void **state)
assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
}
-void test_dom_sid_string(void **state)
+static void test_dom_sid_string(void **state)
{
struct test_ctx *test_ctx;
char *str_sid;
@@ -495,7 +492,7 @@ void test_dom_sid_string(void **state)
}
-void test_check_trusted_realms(void **state)
+static void test_check_trusted_realms(void **state)
{
struct test_ctx *test_ctx;
krb5_error_code kerr = 0;
--
2.29.2


@ -1,64 +0,0 @@
From 061e0b63ef3a72ba3261b42ec5f2ce290070c613 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 15 Mar 2021 16:55:08 +0100
Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
(2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
ipaclient/install/client.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
index 0e478fa26..9bdfbddaf 100644
--- a/ipaclient/install/client.py
+++ b/ipaclient/install/client.py
@@ -2205,7 +2205,7 @@ def install_check(options):
# available.
if options.conf_sudo:
try:
- subprocess.Popen(['sudo -V'])
+ subprocess.Popen(['sudo', '-V'])
except FileNotFoundError:
logger.info(
"The sudo binary does not seem to be present on this "
--
2.30.2
From 4b917833fdd62cce2fd72809fd5c963194efba3e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Mon, 15 Mar 2021 17:00:05 +0100
Subject: [PATCH] ipatests: check for the "no sudo present" string absence
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When sudo is installed, no warning should be output about sudo not
being available (obviously). Check that the relevant string is
not present.
Fixes: https://pagure.io/freeipa/issue/8530
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
---
ipatests/test_integration/test_installation.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index a50a59f1a..a5ff17a0d 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -1620,3 +1620,5 @@ class TestInstallWithoutSudo(IntegrationTest):
tasks.install_packages(self.clients[0], ['sudo'])
for pkg in ('sudo', 'libsss_sudo'):
assert tasks.is_package_installed(self.clients[0], pkg)
+ result = tasks.install_client(self.master, self.clients[0])
+ assert self.no_sudo_str not in result.stderr_text
--
2.30.2


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=XC/f
-----END PGP SIGNATURE-----


@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmBkFSoACgkQRxniuKu/
Yhpz5Q//cbKbxQe2iIpCOyFnWtlwMGonj9OmeLP+dms8OnWvnpGBlLD0ftu+O9tf
JoCzURMvjfJGMlEbG7FxW9coz4Fe6caDyZ5KJiM15qie75K5nIF44WgVXhTXx7/0
2H6Q1MIgE8lxr+h4xcYB04KXPwLUpFGttGHDlbl9205M9dJi+WYNWEbHwCNwbl2w
uXOFQm+AtAnUBuB0I0KJvgZMhtSV2FAx3NsPFO2DkMKB3KVS6cKEzxm8aBzCeNvP
ndWvo51QFU0AheMt/Cahl97dzTorW8pqjt1+QBil4KxWCf0KyOI3OeTvKZ1bYtUs
x32JDQP+UMkZ8y9NypK9TMcht3f8Wi7nvzg3kCuwltMr7spTVsqEP//WejdK5gmh
dyU3qYPWz41SJargYwb8ehj1DOHBsNXEL57I2zY13oM1dC9T2YAc+OhSCWtMyknD
vatLZSwVm27k79NADKF56RXUPur/m2UHnnYuk09AyDOIGZRM3Tn/10nRZgjs5eM8
CLa4+5gn96BrkW1kP8mWPtWQqyv3buzj3xC7otmnjDgaxmXA/30wJ+2qebGTRAhf
qo2rbwJsSkv0sC8l1luZgzgnvrQpri3qS96zhoeusooTqx6dTwUBGV8ea/sqvk0K
Qu0q+iQk3CCgCfi/i6pc1UsB59tCy3KEZUc58Q6UUNewfcA3WW8=
=Wgf7
-----END PGP SIGNATURE-----


@ -49,9 +49,9 @@
# lint is not executed during rpmbuild # lint is not executed during rpmbuild
# %%global with_lint 1 # %%global with_lint 1
%if %{with lint} %if %{with lint}
%global linter_options --enable-pylint --with-jslint %global linter_options --enable-pylint --with-jslint --enable-rpmlint
%else %else
%global linter_options --disable-pylint --without-jslint %global linter_options --disable-pylint --without-jslint --disable-rpmlint
%endif %endif
# Include SELinux subpackage # Include SELinux subpackage
@ -73,10 +73,13 @@
%global selinux_policy_version 3.14.3-52 %global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4 %global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1 %global python_ldap_version 3.1.0-1
# python3-lib389 %if 0%{?rhel} < 9
# Fix for "Installation fails: Replica Busy" # Bug 1929067 - PKI instance creation failed with new 389-ds-base build
# https://pagure.io/389-ds-base/issue/49818 %global ds_version 1.4.3.16-12
%global ds_version 1.4.2.4-6 %else
%global ds_version 2.0.3-3
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775158 # Fix for TLS 1.3 PHA, RHBZ#1775158
%global httpd_version 2.4.37-21 %global httpd_version 2.4.37-21
%global bind_version 9.11.20-6 %global bind_version 9.11.20-6
@ -101,9 +104,13 @@
# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
%global python_ldap_version 3.1.0-1 %global python_ldap_version 3.1.0-1
# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
# https://pagure.io/freeipa/issue/8515 # Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609
%global ds_version 1.4.3 %if 0%{?fedora} < 34
%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])}
%else
%global ds_version 2.0.3-3
%endif
# Fix for TLS 1.3 PHA, RHBZ#1775146 # Fix for TLS 1.3 PHA, RHBZ#1775146
%global httpd_version 2.4.41-9 %global httpd_version 2.4.41-9
@ -126,13 +133,11 @@
%endif %endif
%if 0%{?rhel} == 8 %if 0%{?rhel} == 8
# PKIConnection has been modified to always validate certs. # Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
# https://pagure.io/freeipa/issue/8379 %global pki_version 10.10.5
%global pki_version 10.9.0-0.4
%else %else
# New KRA profile, ACME support # Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
# https://pagure.io/freeipa/issue/8545 %global pki_version 10.10.5
%global pki_version 10.10.0-2
%endif %endif
# RHEL 8.3+, F32+ has 0.79.13 # RHEL 8.3+, F32+ has 0.79.13
@ -163,7 +168,7 @@
# Work-around fact that RPM SPEC parser does not accept # Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.2 %define IPA_VERSION 4.9.3
# Release candidate version -- uncomment with one percent for RC versions # Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil #%%global rc_version %%nil
%define AT_SIGN @ %define AT_SIGN @
@ -176,7 +181,7 @@
Name: %{package_name} Name: %{package_name}
Version: %{IPA_VERSION} Version: %{IPA_VERSION}
Release: 3%{?rc_version:.%rc_version}%{?dist} Release: 1%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
License: GPLv3+ License: GPLv3+
@ -196,16 +201,6 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START # RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD} %if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8 %if 0%{?rhel} >= 8
Patch0001: 0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
Patch0002: 0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
Patch0003: 0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
Patch0004: 0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
Patch0005: 0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
Patch0006: 0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
Patch0007: 0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
Patch0008: 0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
Patch0009: 0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
Patch0010: 0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif %endif
%endif %endif
@ -645,6 +640,11 @@ Requires: nfs-utils
Requires: sssd-tools >= %{sssd_version} Requires: sssd-tools >= %{sssd_version}
Requires(post): policycoreutils Requires(post): policycoreutils
# https://pagure.io/freeipa/issue/8530
Recommends: libsss_sudo
Recommends: sudo
Requires: (libsss_sudo if sudo)
Provides: %{alt_name}-client = %{version} Provides: %{alt_name}-client = %{version}
Conflicts: %{alt_name}-client Conflicts: %{alt_name}-client
Obsoletes: %{alt_name}-client < %{version} Obsoletes: %{alt_name}-client < %{version}
@ -803,7 +803,7 @@ Requires: python3-requests
Requires: python3-six Requires: python3-six
Requires: python3-sss-murmur Requires: python3-sss-murmur
Requires: python3-yubico >= 1.3.2-7 Requires: python3-yubico >= 1.3.2-7
%if 0%{?rhel} && 0%{?rhel} >= 8 %if 0%{?rhel} && 0%{?rhel} == 8
Requires: platform-python-setuptools Requires: platform-python-setuptools
%else %else
Requires: python3-setuptools Requires: python3-setuptools
@ -1680,16 +1680,9 @@ fi
%changelog %changelog
* Fri Mar 19 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-3 * Wed Mar 31 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.3-1
- ipa-client-install displays false message - Upstream release FreeIPA 4.9.3
'sudo binary does not seem to be present on this system' Resolves: RHBZ#1945038
Resolves: RHBZ#1939371
* Thu Mar 4 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-2
- Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch
Resolves: RHBZ#1932289
- Fix krb5kdc is crashing intermittently on IPA server
Resolves: RHBZ#1932784
* Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1 * Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
- Upstream release FreeIPA 4.9.2 - Upstream release FreeIPA 4.9.2
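Review bot: The Lua lookup under `%if 0%{?fedora} < 34` only has table entries for Fedora 32 and 33, so any other value that reaches this branch (an older Fedora, or a build where `%{fedora}` is undefined) makes `v[...]` nil and `ds_version` expands to an empty string or the literal text `nil`; wherever `%{ds_version}` is then consumed, the minimum the comment above it ties to the 389-ds-base issue 4609 fix silently stops being enforced instead of failing the build. The conditional that selects this Fedora block is outside the hunk, so on RHEL builds this path may be unreachable, but a guard makes the intent explicit: `%if 0%{?fedora} >= 32 && 0%{?fedora} < 34`. Alternatively, give the lookup a fallback so a missing key degrades to a known pin rather than an unparsable version, e.g. `print(v[rpm.expand('%{fedora}')] or '1.4.3.20-2')`. As a style point, the change at `%if 0%{?rhel} && 0%{?rhel} == 8` no longer needs the leading `0%{?rhel} &&` once the comparison is `== 8`, since an undefined `%{rhel}` already evaluates to 0 there.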