diff --git a/.gitignore b/.gitignore
index bed6ed2..34c1a4e 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.3.tar.gz
+SOURCES/freeipa-4.9.6.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index d9c3e7e..ab790ce 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-8e8da2d8eb9eae8e2d3561a69452e1b7a98455d8 SOURCES/freeipa-4.9.3.tar.gz
+b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
diff --git a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
new file mode 100644
index 0000000..22f37ad
--- /dev/null
+++ b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
@@ -0,0 +1,136 @@ +From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 22 Jun 2021 14:36:51 +0200 +Subject: [PATCH] paths: add IPA_SERVER_CONF +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Related: https://pagure.io/freeipa/issue/8891 +Signed-off-by: François Cami +Reviewed-By: Stanislav Levin +Reviewed-By: Rob Crittenden +--- + ipaplatform/base/paths.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py +index 91423b332..de217d9ef 100644 +--- a/ipaplatform/base/paths.py ++++ b/ipaplatform/base/paths.py +@@ -71,6 +71,7 @@ class BasePathNamespace: + IPA_DEFAULT_CONF = "/etc/ipa/default.conf" + IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab" + IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab" ++ IPA_SERVER_CONF = "/etc/ipa/server.conf" + DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf" + DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf" + DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so" +-- +2.31.1 + +From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Tue, 22 Jun 2021 14:45:49 +0200 +Subject: [PATCH] ipatests: smoke test for server debug mode. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Add a smoke test to make sure the server can be set in debug mode +without issue. 
+ +Related: https://pagure.io/freeipa/issue/8891 +Signed-off-by: François Cami +Reviewed-By: Stanislav Levin +Reviewed-By: Rob Crittenden +--- + .../test_integration/test_installation.py | 27 +++++++++++++++++++ + 1 file changed, 27 insertions(+) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 301767b8d..0c96536f0 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest): + def test_install_master(self): + tasks.install_master(self.master, setup_dns=False) + ++ @pytest.mark.skip_if_platform( ++ "debian", reason="This test hardcodes the httpd service name" ++ ) ++ def test_smoke_test_for_debug_mode(self): ++ """Test if an IPA server works in debug mode. ++ Related: https://pagure.io/freeipa/issue/8891 ++ ++ Note: this test hardcodes the "httpd" service name. ++ """ ++ ++ target_fname = paths.IPA_SERVER_CONF ++ assert not self.master.transport.file_exists(target_fname) ++ ++ # set the IPA server in debug mode ++ server_conf = "[global]\ndebug=True" ++ self.master.put_file_contents(target_fname, server_conf) ++ self.master.run_command(["systemctl", "restart", "httpd"]) ++ ++ # smoke test in debug mode ++ tasks.kdestroy_all(self.master) ++ tasks.kinit_admin(self.master) ++ self.master.run_command(["ipa", "user-show", "admin"]) ++ ++ # rollback ++ self.master.run_command(["rm", target_fname]) ++ self.master.run_command(["systemctl", "restart", "httpd"]) ++ + def test_schema_compat_attribute_and_tree_disable(self): + """Test if schema-compat-entry-attribute is set + +-- +2.31.1 + +From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= +Date: Wed, 23 Jun 2021 06:35:19 +0200 +Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+ +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + 
+perf_counter_ns is only available in Python 3.7 and later. +Define a lambda for 3.6 and lower. + +Fixes: https://pagure.io/freeipa/issue/8891 +Signed-off-by: François Cami +Reviewed-By: Stanislav Levin +Reviewed-By: Rob Crittenden +--- + ipaserver/rpcserver.py | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py +index b121316bf..e612528e0 100644 +--- a/ipaserver/rpcserver.py ++++ b/ipaserver/rpcserver.py +@@ -31,6 +31,7 @@ import os + import time + import traceback + from io import BytesIO ++from sys import version_info + from urllib.parse import parse_qs + from xmlrpc.client import Fault + +@@ -72,6 +73,10 @@ from requests.auth import AuthBase + if six.PY3: + unicode = str + ++# time.perf_counter_ns appeared in Python 3.7. ++if version_info < (3, 7): ++ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9) ++ + logger = logging.getLogger(__name__) + + HTTP_STATUS_SUCCESS = '200 Success' +-- +2.31.1 + diff --git a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch new file mode 100644 index 0000000..81b6c45 --- /dev/null +++ b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch 
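Review bot: The rollback in `test_smoke_test_for_debug_mode` only runs when every earlier command succeeds, so a failing `tasks.kinit_admin` or `ipa user-show admin` leaves `/etc/ipa/server.conf` with `debug=True` in place and httpd running in debug mode for the remaining tests of `TestInstallMaster`. Put the smoke-test commands under `try:` and move the `rm` and the second `systemctl restart httpd` under `finally:` so the server always returns to its normal logging level. The opening `assert not self.master.transport.file_exists(target_fname)` would then also stop tripping over a leftover file on a rerun against the same host. The enclosing test class starts outside the nested hunk.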
@@ -0,0 +1,272 @@ +From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001 +From: Antonio Torres +Date: Mon, 8 Mar 2021 18:15:50 +0100 +Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA + services + +Authentication indicators should not be enforced against internal +IPA services, since not all users of those services are able to produce +Kerberos tickets with all the auth indicator options. This includes +host, ldap, HTTP and cifs in IPA server and cifs in IPA clients. +If a client that is being promoted to replica has an auth indicator +in its host principal then the promotion is aborted. + +Fixes: https://pagure.io/freeipa/issue/8206 +Signed-off-by: Antonio Torres +--- + ipaserver/install/server/replicainstall.py | 13 ++++++++++++ + ipaserver/plugins/host.py | 5 ++++- + ipaserver/plugins/service.py | 24 ++++++++++++++++++++++ + 3 files changed, 41 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py +index 73967a224..f1fb91036 100644 +--- a/ipaserver/install/server/replicainstall.py ++++ b/ipaserver/install/server/replicainstall.py +@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn): + )) + + ++def promotion_check_host_principal_auth_ind(conn, hostdn): ++ entry = conn.get_entry(hostdn, ['krbprincipalauthind']) ++ if 'krbprincipalauthind' in entry: ++ raise RuntimeError( ++ "Client cannot be promoted to a replica if the host principal " ++ "has an authentication indicator set." 
++ ) ++ ++ + @common_cleanup + @preserve_enrollment_state + def promote_check(installer): +@@ -956,6 +965,10 @@ def promote_check(installer): + config.master_host_name, None) + + promotion_check_ipa_domain(conn, remote_api.env.basedn) ++ hostdn = DN(('fqdn', api.env.host), ++ api.env.container_host, ++ api.env.basedn) ++ promotion_check_host_principal_auth_ind(conn, hostdn) + + # Make sure that domain fulfills minimal domain level + # requirement +diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py +index eb1f8ef04..41fa933e2 100644 +--- a/ipaserver/plugins/host.py ++++ b/ipaserver/plugins/host.py +@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate, + LDAPAddAttributeViaOption, + LDAPRemoveAttributeViaOption) + from .service import ( +- validate_realm, normalize_principal, ++ validate_realm, validate_auth_indicator, normalize_principal, + set_certificate_attrs, ticket_flags_params, update_krbticketflags, + set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap, + rename_ipaallowedtoperform_to_ldap, revoke_certs) +@@ -735,6 +735,8 @@ class host_add(LDAPCreate): + update_krbticketflags(ldap, entry_attrs, attrs_list, options, False) + if 'krbticketflags' in entry_attrs: + entry_attrs['objectclass'].append('krbticketpolicyaux') ++ validate_auth_indicator(entry_attrs) ++ + return dn + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): +@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate): + if 'krbprincipalaux' not in (item.lower() for item in + entry_attrs['objectclass']): + entry_attrs['objectclass'].append('krbprincipalaux') ++ validate_auth_indicator(entry_attrs) + + add_sshpubkey_to_attrs_pre(self.context, attrs_list) + +diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py +index 1c9347804..cfbbff3c6 100644 +--- a/ipaserver/plugins/service.py ++++ b/ipaserver/plugins/service.py +@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal): + raise errors.RealmMismatch() + + ++def 
validate_auth_indicator(entry): ++ new_value = entry.get('krbprincipalauthind', None) ++ if not new_value: ++ return ++ # The following services are considered internal IPA services ++ # and shouldn't be allowed to have auth indicators. ++ # https://pagure.io/freeipa/issue/8206 ++ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn) ++ principal = kerberos.Principal(pkey) ++ server = api.Command.server_find(principal.hostname)['result'] ++ if server: ++ prefixes = ("host", "cifs", "ldap", "HTTP") ++ else: ++ prefixes = ("cifs",) ++ if principal.service_name in prefixes: ++ raise errors.ValidationError( ++ name='krbprincipalauthind', ++ error=_('authentication indicators not allowed ' ++ 'in service "%s"' % principal.service_name) ++ ) ++ ++ + def normalize_principal(value): + """ + Ensure that the name in the principal is lower-case. The realm is +@@ -652,6 +674,7 @@ class service_add(LDAPCreate): + hostname) + + self.obj.validate_ipakrbauthzdata(entry_attrs) ++ validate_auth_indicator(entry_attrs) + + if not options.get('force', False): + # We know the host exists if we've gotten this far but we +@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate): + assert isinstance(dn, DN) + + self.obj.validate_ipakrbauthzdata(entry_attrs) ++ validate_auth_indicator(entry_attrs) + + # verify certificates + certs = entry_attrs.get('usercertificate') or [] +-- +2.31.1 + +From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001 +From: Antonio Torres +Date: Mon, 8 Mar 2021 18:20:35 +0100 +Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal + IPA services + +Authentication indicators should not be added to internal IPA services, +since this can lead to a broken IPA setup. In case a client with +an auth indicator set in its host principal, promoting it to a replica +should fail. 
+ +Related: https://pagure.io/freeipa/issue/8206 +Signed-off-by: Antonio Torres +--- + .../test_replica_promotion.py | 38 +++++++++++++++++++ + ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++ + ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++ + 3 files changed, 69 insertions(+) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index 0a137dbdc..b9c56f775 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): + assert result.returncode == 1 + assert expected_err in result.stderr_text + ++ @replicas_cleanup ++ def test_install_with_host_auth_ind_set(self): ++ """ A client shouldn't be able to be promoted if it has ++ any auth indicator set in the host principal. ++ https://pagure.io/freeipa/issue/8206 ++ """ ++ ++ client = self.replicas[0] ++ # Configure firewall first ++ Firewall(client).enable_services(["freeipa-ldap", ++ "freeipa-ldaps"]) ++ ++ client.run_command(['ipa-client-install', '-U', ++ '--domain', self.master.domain.name, ++ '--realm', self.master.domain.realm, ++ '-p', 'admin', ++ '-w', self.master.config.admin_password, ++ '--server', self.master.hostname, ++ '--force-join']) ++ ++ tasks.kinit_admin(client) ++ ++ client.run_command(['ipa', 'host-mod', '--auth-ind=otp', ++ client.hostname]) ++ ++ res = client.run_command(['ipa-replica-install', '-U', '-w', ++ self.master.config.dirman_password], ++ raiseonerr=False) ++ ++ client.run_command(['ipa', 'host-mod', '--auth-ind=', ++ client.hostname]) ++ ++ expected_err = ("Client cannot be promoted to a replica if the host " ++ "principal has an authentication indicator set.") ++ assert res.returncode == 1 ++ assert expected_err in res.stderr_text ++ ++ + @replicas_cleanup + def test_one_command_installation(self): + """ +diff --git a/ipatests/test_xmlrpc/test_host_plugin.py 
b/ipatests/test_xmlrpc/test_host_plugin.py +index c66bbc865..9cfde3565 100644 +--- a/ipatests/test_xmlrpc/test_host_plugin.py ++++ b/ipatests/test_xmlrpc/test_host_plugin.py +@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test): + error=u'An IPA master host cannot be deleted or disabled')): + command() + ++ def test_try_add_auth_ind_master(self, this_host): ++ command = this_host.make_update_command({ ++ u'krbprincipalauthind': u'radius'}) ++ with raises_exact(errors.ValidationError( ++ name='krbprincipalauthind', ++ error=u'authentication indicators not allowed ' ++ 'in service "host"' ++ )): ++ command() ++ + + @pytest.mark.tier1 + class TestValidation(XMLRPC_test): +diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py +index 4c845938c..ed634a045 100644 +--- a/ipatests/test_xmlrpc/test_service_plugin.py ++++ b/ipatests/test_xmlrpc/test_service_plugin.py +@@ -25,6 +25,7 @@ from ipalib import api, errors + from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash + from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer + from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test ++from ipatests.test_xmlrpc.xmlrpc_test import raises_exact + from ipatests.test_xmlrpc import objectclasses + from ipatests.test_xmlrpc.testcert import get_testcert, subject_base + from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn +@@ -1552,6 +1553,15 @@ def indicators_host(request): + return tracker.make_fixture(request) + + ++@pytest.fixture(scope='function') ++def this_host(request): ++ """Fixture for the current master""" ++ tracker = HostTracker(name=api.env.host.partition('.')[0], ++ fqdn=api.env.host) ++ tracker.exists = True ++ return tracker ++ ++ + @pytest.fixture(scope='function') + def indicators_service(request): + tracker = ServiceTracker( +@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test): + 
expected_updates={u'krbprincipalauthind': [u'radius']} + ) + ++ def test_update_indicator_internal_service(self, this_host): ++ command = this_host.make_command('service_mod', ++ 'ldap/' + this_host.fqdn, ++ **dict(krbprincipalauthind='otp')) ++ with raises_exact(errors.ValidationError( ++ name='krbprincipalauthind', ++ error=u'authentication indicators not allowed ' ++ 'in service "ldap"' ++ )): ++ command() ++ + + @pytest.fixture(scope='function') + def managing_host(request): +-- +2.31.1 + diff --git a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch new file mode 100644 index 0000000..7934afd --- /dev/null +++ b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch 
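Review bot: In `validate_auth_indicator` the `%` interpolation sits inside the `_()` call, so the lookup key already contains the service name and cannot match a catalogue entry; close the call first, `error=_('authentication indicators not allowed in service "%s"') % principal.service_name`. The function also decides whether a principal is internal from `api.Command.server_find(principal.hostname)['result']`; if `server_find` treats its argument as a search term rather than an exact name (not visible here, worth confirming), a host whose FQDN matches part of a server name would be given the stricter prefix tuple. A short docstring on `validate_auth_indicator` and on `promotion_check_host_principal_auth_ind` stating what each raises would help the callers in `host_add`, `host_mod`, `service_add` and `service_mod`.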
@@ -0,0 +1,89 @@ +From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 5 Jul 2021 09:51:41 +0200 +Subject: [PATCH] stageuser: add ipauserauthtypeclass when required + +The command +ipa stageuser-add --user-auth-type=xxx +is currently failing because the objectclass ipauserauthtypeclass +is missing from the created entry. + +There is code adding the missing objectclass in the +pre_common_callback method of user_add, and this code should +be common to user_add and stageuser_add. In order to avoid code +duplication, it makes more sense to move the existing code to +pre_common_callback of baseuser_add, that is called by both +classes. + +Fixes: https://pagure.io/freeipa/issue/8909 +Reviewed-By: Rob Crittenden +Reviewed-By: Alexander Bokovoy +--- + ipaserver/plugins/baseuser.py | 3 +++ + ipaserver/plugins/user.py | 4 ---- + 2 files changed, 3 insertions(+), 4 deletions(-) + +diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py +index ae16a978a..6035228f1 100644 +--- a/ipaserver/plugins/baseuser.py ++++ b/ipaserver/plugins/baseuser.py +@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate): + if entry_attrs.get('ipatokenradiususername', None): + add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn, + entry_attrs, update=False) ++ if entry_attrs.get('ipauserauthtype', None): ++ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn, ++ entry_attrs, update=False) + + def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) +diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py +index 6f7facb53..e4ee572b2 100644 +--- a/ipaserver/plugins/user.py ++++ b/ipaserver/plugins/user.py +@@ -617,10 +617,6 @@ class user_add(baseuser_add): + 'ipauser' not in entry_attrs['objectclass']: + entry_attrs['objectclass'].append('ipauser') + +- if 'ipauserauthtype' in entry_attrs and \ +- 'ipauserauthtypeclass' not in entry_attrs['objectclass']: +- 
entry_attrs['objectclass'].append('ipauserauthtypeclass') +- + rcl = entry_attrs.get('ipatokenradiusconfiglink', None) + if rcl: + if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']: +-- +2.31.1 + +From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mon, 5 Jul 2021 10:22:31 +0200 +Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type + +Related: https://pagure.io/freeipa/issue/8909 +Reviewed-By: Rob Crittenden +Reviewed-By: Alexander Bokovoy +--- + ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py +index 5586fc607..bc606b093 100644 +--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py ++++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py +@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test): + result = command() + assert result['count'] == 1 + ++ def test_create_withuserauthtype(self, stageduser): ++ stageduser.ensure_missing() ++ command = stageduser.make_create_command( ++ options={u'ipauserauthtype': u'password'}) ++ command() ++ + + @pytest.mark.tier1 + class TestCreateInvalidAttributes(XMLRPC_test): +-- +2.31.1 + diff --git a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch new file mode 100644 index 0000000..83182ce --- /dev/null +++ b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch 
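Review bot: `test_create_withuserauthtype` passes as soon as `command()` does not raise, so it would not notice an entry created without `ipauserauthtype` or without the `ipauserauthtypeclass` object class that the `baseuser_add.pre_common_callback` change adds. Capture the result and check it, for example `result = command()` followed by an assertion on `result['result']['ipauserauthtype']`; the exact result shape is not visible in this hunk, so match it to the neighbouring tests. The moved check uses `entry_attrs.get('ipauserauthtype', None)` where the removed `user_add` code used `'ipauserauthtype' in entry_attrs`, so an attribute that is present but empty no longer adds the object class; that looks intended but deserves a one-line comment.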
@@ -0,0 +1,35 @@ +From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 7 Jul 2021 14:11:40 +0200 +Subject: [PATCH] man page: update ipa-server-upgrade.1 + +The man page needs to clarify in which case the command needs +to be run. + +Fixes: https://pagure.io/freeipa/issue/8913 +Reviewed-By: Francois Cami +--- + install/tools/man/ipa-server-upgrade.1 | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1 +index 3db19b0f1..f01e21c6b 100644 +--- a/install/tools/man/ipa-server-upgrade.1 ++++ b/install/tools/man/ipa-server-upgrade.1 +@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server + .SH "SYNOPSIS" + ipa\-server\-upgrade [options] + .SH "DESCRIPTION" +-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users. ++ipa\-server\-upgrade is executed automatically to upgrade IPA server when ++the IPA packages are being updated. It is not intended to be executed by ++end\-users, unless the automatic execution reports an error. In this case, ++the administrator needs to identify and fix the issue that is causing the ++upgrade failure (with the help of /var/log/ipaupgrade.log) ++and manually re\-run ipa\-server\-upgrade. + + ipa\-server\-upgrade will: + +-- +2.31.1 + diff --git a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch new file mode 100644 index 0000000..069d106 --- /dev/null +++ b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch 
@@ -0,0 +1,69 @@ +From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 12 Jul 2021 11:02:10 -0400 +Subject: [PATCH] Fall back to krbprincipalname when validating host auth + indicators + +When adding a new host the principal cannot be determined because it +relies on either: + +a) an entry to already exist +b) krbprincipalname be a component of the dn + +As a result the full dn is being passed into ipapython.Kerberos +which can't parse it. + +Look into the entry in validate_validate_auth_indicator() for +krbprincipalname in this case. + +https://pagure.io/freeipa/issue/8206 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/plugins/service.py | 5 +++++ + ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py +index cfbbff3c6..498f5e444 100644 +--- a/ipaserver/plugins/service.py ++++ b/ipaserver/plugins/service.py +@@ -209,6 +209,11 @@ def validate_auth_indicator(entry): + # and shouldn't be allowed to have auth indicators. 
+ # https://pagure.io/freeipa/issue/8206 + pkey = api.Object['service'].get_primary_key_from_dn(entry.dn) ++ if pkey == str(entry.dn): ++ # krbcanonicalname may not be set yet if this is a host entry, ++ # try krbprincipalname ++ if 'krbprincipalname' in entry: ++ pkey = entry['krbprincipalname'] + principal = kerberos.Principal(pkey) + server = api.Command.server_find(principal.hostname)['result'] + if server: +diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py +index 9cfde3565..ff50e796c 100644 +--- a/ipatests/test_xmlrpc/test_host_plugin.py ++++ b/ipatests/test_xmlrpc/test_host_plugin.py +@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test): + )): + command() + ++ def test_add_non_master_with_auth_ind(self, host5): ++ host5.ensure_missing() ++ command = host5.make_command( ++ 'host_add', host5.fqdn, krbprincipalauthind=['radius'], ++ force=True ++ ) ++ result = command() ++ # The fact that the command succeeds exercises the change but ++ # let's check the indicator as well. ++ assert result['result']['krbprincipalauthind'] == ('radius',) ++ + + @pytest.mark.tier1 + class TestValidation(XMLRPC_test): +-- +2.31.1 + diff --git a/SOURCES/freeipa-4.9.3.tar.gz.asc b/SOURCES/freeipa-4.9.3.tar.gz.asc deleted file mode 100644 index 9d5543d..0000000 --- a/SOURCES/freeipa-4.9.3.tar.gz.asc +++ /dev/null 
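Review bot: The new fallback in `validate_auth_indicator` only helps when `'krbprincipalname' in entry`; when the attribute is absent, `pkey` is still the full DN string and goes into `kerberos.Principal(pkey)`, which the commit message says cannot parse it, so the caller gets a parser error instead of a validation result. Handle that branch explicitly by raising an `errors.ValidationError` for `krbprincipalauthind` that says the principal could not be determined, so the check fails closed with a readable message. `entry['krbprincipalname']` may also be a list of values rather than a single string (not visible here); if so, pass one value so `kerberos.Principal` receives text. The function starts outside this hunk.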
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmBkFSoACgkQRxniuKu/ -Yhpz5Q//cbKbxQe2iIpCOyFnWtlwMGonj9OmeLP+dms8OnWvnpGBlLD0ftu+O9tf -JoCzURMvjfJGMlEbG7FxW9coz4Fe6caDyZ5KJiM15qie75K5nIF44WgVXhTXx7/0 -2H6Q1MIgE8lxr+h4xcYB04KXPwLUpFGttGHDlbl9205M9dJi+WYNWEbHwCNwbl2w -uXOFQm+AtAnUBuB0I0KJvgZMhtSV2FAx3NsPFO2DkMKB3KVS6cKEzxm8aBzCeNvP -ndWvo51QFU0AheMt/Cahl97dzTorW8pqjt1+QBil4KxWCf0KyOI3OeTvKZ1bYtUs -x32JDQP+UMkZ8y9NypK9TMcht3f8Wi7nvzg3kCuwltMr7spTVsqEP//WejdK5gmh -dyU3qYPWz41SJargYwb8ehj1DOHBsNXEL57I2zY13oM1dC9T2YAc+OhSCWtMyknD -vatLZSwVm27k79NADKF56RXUPur/m2UHnnYuk09AyDOIGZRM3Tn/10nRZgjs5eM8 -CLa4+5gn96BrkW1kP8mWPtWQqyv3buzj3xC7otmnjDgaxmXA/30wJ+2qebGTRAhf -qo2rbwJsSkv0sC8l1luZgzgnvrQpri3qS96zhoeusooTqx6dTwUBGV8ea/sqvk0K -Qu0q+iQk3CCgCfi/i6pc1UsB59tCy3KEZUc58Q6UUNewfcA3WW8= -=Wgf7 ------END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.9.6.tar.gz.asc b/SOURCES/freeipa-4.9.6.tar.gz.asc new file mode 100644 index 0000000..f71d351 --- /dev/null +++ b/SOURCES/freeipa-4.9.6.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/ +Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN +1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w +qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO +J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5 +Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX +liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1 +BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou +BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw +u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr +4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+ +RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY= +=TQFs +-----END PGP SIGNATURE----- diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 5be6747..9b6f2eb 100644 
--- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -2,7 +2,7 @@ %bcond_without ipatests # default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml # On RHEL 8 we should use --with ipa_join_xml -%bcond_without ipa_join_xml +%bcond_with ipa_join_xml # Linting is disabled by default, needed for upstream testing %bcond_with lint @@ -49,7 +49,7 @@ # lint is not executed during rpmbuild # %%global with_lint 1 %if %{with lint} - %global linter_options --enable-pylint --with-jslint --enable-rpmlint + %global linter_options --enable-pylint --without-jslint --enable-rpmlint %else %global linter_options --disable-pylint --without-jslint --disable-rpmlint %endif @@ -109,7 +109,7 @@ %if 0%{?fedora} < 34 %global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])} %else -%global ds_version 2.0.3-3 +%global ds_version 2.0.4-1 %endif # Fix for TLS 1.3 PHA, RHBZ#1775146 @@ -160,6 +160,16 @@ %global systemd_version 239 %endif +# augeas support for new chrony options +# see https://pagure.io/freeipa/issue/8676 +# Note: will need to be updated for RHEL9 when a fix is available for +# https://bugzilla.redhat.com/show_bug.cgi?id=1931787 +%if 0%{?fedora} >= 33 +%global augeas_version 1.12.0-6 +%else +%global augeas_version 1.12.0-3 +%endif + %global plugin_dir %{_libdir}/dirsrv/plugins %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa @@ -168,7 +178,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.9.3 +%define IPA_VERSION 4.9.6 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %%nil %define AT_SIGN @ @@ -181,7 +191,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 1%{?rc_version:.%rc_version}%{?dist} +Release: 3%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ 
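Review bot: The comment kept above the first changed line, `# On RHEL 8 we should use --with ipa_join_xml`, now contradicts the default, because `%bcond_with ipa_join_xml` leaves the XML-RPC join path off unless `--with ipa_join_xml` is passed at build time. If the switch is deliberate (the changelog in this commit lists the ipa-client move to the JSON API), reword the comment, for example `# XML-RPC join is off by default; build with --with ipa_join_xml to enable it`. In the `@@ -49,7 +49,7 @@` hunk both branches of `%if %{with lint}` now pass `--without-jslint`, which is worth a one-line comment pointing at the orphaned `jsl` package noted in the BuildRequires hunk.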
@@ -201,12 +211,16 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 +Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch +Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch +Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch +Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch +Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif # RHEL spec file only: END - # For the timestamp trick in patch application BuildRequires: diffstat @@ -310,7 +324,10 @@ BuildRequires: python3-m2r # %if %{with lint} BuildRequires: git +%if 0%{?fedora} < 34 +# jsl is orphaned in Fedora 34+ BuildRequires: jsl +%endif BuildRequires: nss-tools BuildRequires: rpmlint BuildRequires: softhsm @@ -342,12 +359,8 @@ BuildRequires: python3-polib BuildRequires: python3-pyasn1 BuildRequires: python3-pyasn1-modules BuildRequires: python3-pycodestyle -%if 0%{?fedora} || 0%{?rhel} > 8 -# https://bugzilla.redhat.com/show_bug.cgi?id=1648299 -BuildRequires: python3-pylint >= 2.1.1-2 -%else -BuildRequires: python3-pylint >= 1.7 -%endif +# .wheelconstraints.in limits pylint version in Azure and tox tests +BuildRequires: python3-pylint BuildRequires: python3-pytest-multihost BuildRequires: python3-pytest-sourceorder BuildRequires: python3-qrcode-core >= 5.0.0 @@ -434,7 +447,12 @@ Requires(pre): certmonger >= %{certmonger_version} Requires(pre): 389-ds-base >= %{ds_version} Requires: fontawesome-fonts Requires: open-sans-fonts +%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9 +# https://pagure.io/freeipa/issue/8632 +Requires: openssl > 1.1.1i +%else Requires: openssl +%endif Requires: softhsm >= 2.0.0rc1-1 Requires: p11-kit Requires: %{etc_systemd_dir} 
@@ -486,6 +504,7 @@ Requires: %{name}-common = %{version}-%{release} # we need pre-requires since earlier versions may break upgrade Requires(pre): python3-ldap >= %{python_ldap_version} Requires: python3-augeas +Requires: augeas-libs >= %{augeas_version} Requires: python3-custodia >= 0.3.1 Requires: python3-dbus Requires: python3-dns >= 1.15 @@ -521,8 +540,8 @@ Requires: %{name}-client-common = %{version}-%{release} Requires: httpd >= %{httpd_version} Requires: systemd-units >= %{systemd_version} Requires: custodia >= 0.3.1 -%if 0%{?rhel} >= 8 -Requires: redhat-logos-ipa >= 80.4 +%if 0%{?rhel} >= 8 && ! 0%{?eln} +Requires: system-logos-ipa >= 80.4 %endif Provides: %{alt_name}-server-common = %{version} @@ -576,6 +595,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: samba >= %{samba_version} Requires: samba-winbind +Requires: sssd-winbind-idmap Requires: libsss_idmap %if 0%{?rhel} Obsoletes: ipa-idoverride-memberof-plugin <= 0.1 @@ -709,6 +729,7 @@ Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Requires: python3-augeas +Requires: augeas-libs >= %{augeas_version} Requires: python3-dns >= 1.15 Requires: python3-jinja2 
@@ -1680,6 +1701,53 @@ fi %changelog +* Thu Jul 15 2021 Thomas Woerner - 4.9.6-3 +- man page: update ipa-server-upgrade.1 + Resolves: RHBZ#1973273 +- Fall back to krbprincipalname when validating host auth indicators + Resolves: RHBZ#1979625 +- Add dependency for sssd-winbind-idmap to server-trust-ad + Resolves: RHBZ#1982211 + +* Thu Jul 8 2021 Thomas Woerner - 4.9.6-2 +- IPA server in debug mode fails to run because time.perf_counter_ns is + Python 3.7+ + Resolves: RHBZ#1974822 +- Add checks to prevent assigning authentication indicators to internal IPA + services + Resolves: RHBZ#1979625 +- Unable to set ipaUserAuthType with stageuser-add + Resolves: RHBZ#1979605 + +* Thu Jul 1 2021 Thomas Woerner - 4.9.6-1 +- Upstream release FreeIPA 4.9.6 + Related: RHBZ#1945038 +- Revise PKINIT upgrade code + Resolves: RHBZ#1886837 +- ipa-cert-fix man page: add note about certmonger renewal + Resolves: RHBZ#1780317 +- Certificate Serial Number issue + Resolves: RHBZ#1919384 + +* Mon Jun 14 2021 Thomas Woerner - 4.9.5-1 +- Upstream release FreeIPA 4.9.5 + Related: RHBZ#1945038 +- IPA to allow setting a new range type + Resolves: RHBZ#1688267 +- ipa-server-install displays debug output when --debug output is not + specified. + Resolves: RHBZ#1943151 +- ACME fails to generate a cert on migrated RHEL8.4 server + Resolves: RHBZ#1934991 +- Switch ipa-client to use the JSON API + Resolves: RHBZ#1937856 +- IDM - Allow specifying permanent logging settings for BIND + Resolves: RHBZ#1951511 +- Cache LDAP data within a request + Resolves: RHBZ#1953656 +- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 + Resolves: RHBZ#1957768 + * Wed Mar 31 2021 Thomas Woerner - 4.9.3-1 - Upstream release FreeIPA 4.9.3 Resolves: RHBZ#1945038