From 958adc219340f7c4e70a5ecfc51d8e30818939a6 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Tue, 22 Apr 2025 08:07:52 +0000 Subject: [PATCH] Import from CS git --- ...-otp-auth-type-are-enabled_rhel#4874.patch | 25 +- ...uring-initial-replication_rhel#80995.patch | 245 ++++++++++++++++++ ...-is-close-to-being-expired_rhel#4941.patch | 82 ++++++ ...ipa.spec-depend-on-bind-dnssec-utils.patch | 3 +- SPECS/ipa.spec | 23 +- 5 files changed, 357 insertions(+), 21 deletions(-) create mode 100644 SOURCES/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch create mode 100644 SOURCES/0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch diff --git a/SOURCES/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch b/SOURCES/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch index e0d2386..a6e6388 100644 --- a/SOURCES/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch +++ b/SOURCES/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch @@ -40,12 +40,11 @@ index 06d511c76..dbb98dba6 100644 #include "ipa_krb5.h" #include "ipa_hostname.h" +#include - + #define IPADB_GLOBAL_CONFIG_CACHE_TIME 60 - -@@ -207,6 +208,19 @@ static const struct { + +@@ -207,5 +208,18 @@ static const struct { { "idp", IPADB_USER_AUTH_IDP }, - { "passkey", IPADB_USER_AUTH_PASSKEY }, { } +}, + objclass_table[] = { @@ -61,10 +60,10 @@ index 06d511c76..dbb98dba6 100644 + { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD }, + { } }; - + void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, @@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, - + *userauth = IPADB_USER_AUTH_NONE; vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE); - if (!vals) 
@@ -121,7 +120,7 @@ index 06d511c76..dbb98dba6 100644 /* If password auth is enabled, enable hardened policy too. */ if (*userauth & IPADB_USER_AUTH_PASSWORD) { *userauth |= IPADB_USER_AUTH_HARDENED; --- +-- 2.43.0 @@ -163,7 +162,7 @@ index 436ee0e62..2802221c7 100644 pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]); } else if (strcmp(auth_indicator, "hardened") == 0) { valid_auth_indicators++; --- +-- 2.43.0 @@ -188,14 +187,14 @@ index dbb98dba6..4e6cacf24 100644 @@ -195,6 +195,9 @@ done: return base; } - + +/* In this table all _AUTH_PASSWORD entries will be + * expanded to include _AUTH_HARDENED in ipadb_parse_user_auth() + * which means there is no need to explicitly add it here */ static const struct { const char *name; enum ipadb_user_auth flag; --- +-- 2.43.0 @@ -230,7 +229,7 @@ index caa0e6a34..5c2e7af02 100644 @@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest): def install(cls, mh): tasks.install_master(cls.master) - + + def enforce_password_and_otp(self): + """enforce otp by default and password for admin """ + self.master.run_command( @@ -255,7 +254,7 @@ index caa0e6a34..5c2e7af02 100644 @@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest): cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM) client.put_file_contents(self.tmpbundle, cabundle) - + + def test_restart_krb5kdc(self): + tasks.kinit_admin(self.master) + self.enforce_password_and_otp() @@ -267,6 +266,6 @@ index caa0e6a34..5c2e7af02 100644 def test_client_install_pkinit(self): tasks.kinit_admin(self.master) self.add_certmaperule() --- +-- 2.43.0 diff --git a/SOURCES/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch b/SOURCES/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch new file mode 100644 index 0000000..a62eebc --- /dev/null +++ b/SOURCES/0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch 
@@ -0,0 +1,245 @@ +From 19f22cf75ae768dd2b6c0d674cf55f8d6ffafb31 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Mar 07 2025 06:48:02 +0000 +Subject: Replica CA installation: ignore time skew during initial replication + + +During a replica CA installation, the initial replication step may fail +if there is too much time skew between the server and replica. + +The replica installer already takes care of this for the replication of +the domain suffix but the replica CA installer does not set +nssldapd-ignore-time-skew to on for o=ipaca suffix. + +During a replica CA installation, read the initial value of +nssldapd-ignore-time-skew, force it to on, start replication and +revert to the initial value. + +Apply the same logic to dsinstance and ipa-replica-manage force-sync. + +Fixes: https://pagure.io/freeipa/issue/9635 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Rob Crittenden + +--- + +diff --git a/install/share/Makefile.am b/install/share/Makefile.am +index e0fe4b7..4029297 100644 +--- a/install/share/Makefile.am ++++ b/install/share/Makefile.am +@@ -38,7 +38,6 @@ dist_app_DATA = \ + default-trust-view.ldif \ + delegation.ldif \ + replica-acis.ldif \ +- replica-prevent-time-skew.ldif \ + ds-nfiles.ldif \ + ds-ipa-env.conf.template \ + dns.ldif \ +diff --git a/install/share/replica-prevent-time-skew.ldif b/install/share/replica-prevent-time-skew.ldif +deleted file mode 100644 +index 5d301fe..0000000 +--- a/install/share/replica-prevent-time-skew.ldif ++++ /dev/null +@@ -1,4 +0,0 @@ +-dn: cn=config +-changetype: modify +-replace: nsslapd-ignore-time-skew +-nsslapd-ignore-time-skew: $SKEWVALUE +diff --git a/install/tools/ipa-replica-manage.in b/install/tools/ipa-replica-manage.in +index cebf73a..71851be 100644 +--- a/install/tools/ipa-replica-manage.in ++++ b/install/tools/ipa-replica-manage.in +@@ -1237,12 +1237,13 @@ def force_sync(realm, thishost, fromhost, dirman_passwd, nolookup=False): + repl.force_sync(repl.conn, 
fromhost) + else: + ds = dsinstance.DsInstance(realm_name=realm) +- ds.replica_manage_time_skew(prevent=False) ++ ds.replica_ignore_initial_time_skew() + repl = replication.ReplicationManager(realm, fromhost, dirman_passwd) + repl.force_sync(repl.conn, thishost) + agreement = repl.get_replication_agreement(thishost) + repl.wait_for_repl_update(repl.conn, agreement.dn) +- ds.replica_manage_time_skew(prevent=True) ++ ds.replica_revert_time_skew() ++ + + def show_DNA_ranges(hostname, master, realm, dirman_passwd, nextrange=False, + nolookup=False): +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 35cec89..e15e629 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -409,7 +409,11 @@ class CAInstance(DogtagInstance): + if promote: + # Setup Database + self.step("creating certificate server db", self.__create_ds_db) ++ self.step("ignore time skew for initial replication", ++ self.replica_ignore_initial_time_skew) + self.step("setting up initial replication", self.__setup_replication) ++ self.step("revert time skew after initial replication", ++ self.replica_revert_time_skew) + self.step("creating ACIs for admin", self.add_ipaca_aci) + self.step("creating installation admin user", self.setup_admin) + self.step("configuring certificate server instance", +diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py +index cbacfae..ba4bf8a 100644 +--- a/ipaserver/install/dsinstance.py ++++ b/ipaserver/install/dsinstance.py +@@ -385,11 +385,11 @@ class DsInstance(service.Service): + # This helps with initial replication or force-sync because + # the receiving side has no valuable changes itself yet. 
+ self.step("ignore time skew for initial replication", +- self.__replica_ignore_initial_time_skew) ++ self.replica_ignore_initial_time_skew) + + self.step("setting up initial replication", self.__setup_replica) + self.step("prevent time skew after initial replication", +- self.replica_manage_time_skew) ++ self.replica_revert_time_skew) + self.step("adding sasl mappings to the directory", self.__configure_sasl_mappings) + self.step("updating schema", self.__update_schema) + # See LDIFs for automember configuration during replica install +@@ -995,16 +995,6 @@ class DsInstance(service.Service): + def __add_replication_acis(self): + self._ldap_mod("replica-acis.ldif", self.sub_dict) + +- def __replica_ignore_initial_time_skew(self): +- self.replica_manage_time_skew(prevent=False) +- +- def replica_manage_time_skew(self, prevent=True): +- if prevent: +- self.sub_dict['SKEWVALUE'] = 'off' +- else: +- self.sub_dict['SKEWVALUE'] = 'on' +- self._ldap_mod("replica-prevent-time-skew.ldif", self.sub_dict) +- + def __setup_s4u2proxy(self): + + def __add_principal(last_cn, principal, self): +diff --git a/ipaserver/install/service.py b/ipaserver/install/service.py +index 13ae346..15ca70b 100644 +--- a/ipaserver/install/service.py ++++ b/ipaserver/install/service.py +@@ -811,6 +811,31 @@ class Service: + self.run_getkeytab(self.api.env.ldap_uri, self.keytab, self.principal) + self.set_keytab_owner() + ++ def replica_ignore_initial_time_skew(self): ++ """ ++ Set nsslapd-ignore-time-skew = on if not already set ++ and store the initial value in order to restore it later. ++ ++ The on value allows replica initialization even if there ++ are excessive time skews. 
++ """ ++ dn = DN(('cn', 'config')) ++ entry_attrs = api.Backend.ldap2.get_entry(dn) ++ self.original_time_skew = entry_attrs['nsslapd-ignore-time-skew'][0] ++ if self.original_time_skew != 'on': ++ entry_attrs['nsslapd-ignore-time-skew'] = 'on' ++ api.Backend.ldap2.update_entry(entry_attrs) ++ ++ def replica_revert_time_skew(self): ++ """ ++ Revert nsslapd-ignore-time-skew to its previous value. ++ """ ++ dn = DN(('cn', 'config')) ++ entry_attrs = api.Backend.ldap2.get_entry(dn) ++ if self.original_time_skew != 'on': ++ entry_attrs['nsslapd-ignore-time-skew'] = self.original_time_skew ++ api.Backend.ldap2.update_entry(entry_attrs) ++ + + class SimpleServiceInstance(Service): + def create_instance(self, gensvc_name=None, fqdn=None, ldap_suffix=None, + +From a6bb2fa4997dd7894dbf75d1c3fd1deaebd3e05c Mon Sep 17 00:00:00 2001 +From: Sudhir Menon +Date: Mar 07 2025 06:48:02 +0000 +Subject: ipatests: Test to check that the configured value for "nsslapd-ignore-time-skew" remains on even after a "force-sync" is done + + +Related: https://pagure.io/freeipa/issue/9635 + +Signed-off-by: Sudhir Menon +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden + +--- + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index ef0727e..3673f7f 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -2132,3 +2132,69 @@ class TestHostnameValidator(IntegrationTest): + assert result.returncode == 1 + assert 'hostname cannot be the same as the domain name' \ + in result.stderr_text ++ ++ ++class TestNsslapdIgnoreTimeSkew(IntegrationTest): ++ """ ++ Test to check nsslapd-ignore-time-skew is not disabled. 
++ """ ++ num_replicas = 1 ++ topology = 'line' ++ ++ @pytest.fixture ++ def update_time_skew(self): ++ """ ++ Fixture enables nsslapd-ignore-time-skew ++ parameter and reverts it back ++ """ ++ ldap = self.replicas[0].ldap_connect() ++ dn = DN( ++ ("cn", "config"), ++ ) ++ entry = ldap.get_entry(dn) ++ entry.single_value["nsslapd-ignore-time-skew"] = 'on' ++ ldap.update_entry(entry) ++ ++ yield ++ ++ entry = ldap.get_entry(dn) ++ entry.single_value["nsslapd-ignore-time-skew"] = 'off' ++ ldap.update_entry(entry) ++ ++ def test_check_nsslapd_ignore_time_skew(self): ++ """ ++ This testcase checks that the ignore time skew parameter ++ is set to on during the directory server replica ++ installation (replication of the suffix) and during ++ the CA replica (replication of o=ipaca). ++ It also checks that the time skew is reverted during ++ pki_tomcat setup stage. ++ """ ++ DIRSRV_LOG = ( ++ "ignore time skew for initial replication" ++ ) ++ PKI_TOMCAT_LOG = ( ++ "revert time skew after initial replication" ++ ) ++ install_msg = self.replicas[0].get_file_contents( ++ paths.IPAREPLICA_INSTALL_LOG, encoding="utf-8" ++ ) ++ dirsrv_msg = re.findall(DIRSRV_LOG, install_msg) ++ assert len(dirsrv_msg) == 2 ++ assert PKI_TOMCAT_LOG in install_msg ++ ++ def test_forcesync_does_not_overwrite_ignore_time_skew( ++ self, update_time_skew): ++ """ ++ This testcase checks that calling ipa-replica-manage ++ force-sync does not overwrite the value of ignore ++ time skew ++ """ ++ result = self.replicas[0].run_command( ++ ["ipa-replica-manage", "force-sync", ++ "--from", self.master.hostname, ++ "--no-lookup", "-v"]) ++ assert result.returncode == 0 ++ conn = self.replicas[0].ldap_connect() ++ ldap_entry = conn.get_entry(DN("cn=config")) ++ assert ldap_entry.single_value['nsslapd-ignore-time-skew'] == "on" + 
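Review bot: In the ipa-replica-manage.in part of the embedded patch, `ds.replica_revert_time_skew()` runs only if `repl.force_sync`, `get_replication_agreement` and `wait_for_repl_update` all succeed, so an exception anywhere in between leaves `nsslapd-ignore-time-skew` switched to on in cn=config with nothing restoring it; a try/finally would put the recorded value back on every path. The same ordering appears in the two `self.step(...)` registrations added to cainstance.py, though whether the step runner continues past a failed step is not visible here. Separately, `replica_revert_time_skew` in service.py reads `self.original_time_skew`, which exists only after `replica_ignore_initial_time_skew` has run on the same instance; reading it with `getattr(self, 'original_time_skew', None)` and returning early when it is None would make the revert safe to call on its own. Most of `force_sync` lies outside the embedded hunk.
```python
ds = dsinstance.DsInstance(realm_name=realm)
ds.replica_ignore_initial_time_skew()
try:
    repl = replication.ReplicationManager(realm, fromhost, dirman_passwd)
    repl.force_sync(repl.conn, thishost)
    agreement = repl.get_replication_agreement(thishost)
    repl.wait_for_repl_update(repl.conn, agreement.dn)
finally:
    # restore the skew check even when replication fails
    ds.replica_revert_time_skew()
```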
diff --git a/SOURCES/0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch b/SOURCES/0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch new file mode 100644 index 0000000..4d44971 --- /dev/null +++ b/SOURCES/0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch 
@@ -0,0 +1,82 @@ +From ac6eee670d8a753e66ba69a65eff55447fff2822 Mon Sep 17 00:00:00 2001 +From: Aleksandr Sharov +Date: Mar 25 2025 09:33:06 +0000 +Subject: Add a check into ipa-cert-fix tool to avoid updating certs if CA is close to being expired. + + +Fixes: https://pagure.io/freeipa/issue/9760 +Signed-off-by: Aleksandr Sharov +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py +index 8e02d1e..960d7b9 100644 +--- a/ipaserver/install/ipa_cert_fix.py ++++ b/ipaserver/install/ipa_cert_fix.py +@@ -69,6 +69,7 @@ logger = logging.getLogger(__name__) + + + cert_nicknames = { ++ 'ca_issuing': 'caSigningCert cert-pki-ca', + 'sslserver': 'Server-Cert cert-pki-ca', + 'subsystem': 'subsystemCert cert-pki-ca', + 'ca_ocsp_signing': 'ocspSigningCert cert-pki-ca', +@@ -137,6 +138,16 @@ class IPACertFix(AdminTool): + print("Nothing to do.") + return 0 + ++ if any(key == 'ca_issuing' for key, _ in certs): ++ logger.debug("CA signing cert is expired, exiting!") ++ print( ++ "The CA signing certificate is expired or will expire within " ++ "the next two weeks.\n\nipa-cert-fix cannot proceed, please " ++ "refer to the ipa-cacert-manage tool to renew the CA " ++ "certificate before proceeding." 
++ ) ++ return 1 ++ + print(msg) + + print_intentions(certs, extra_certs, non_renewed) + +From cdc03d7b6233f736c51c10aa07225aac9715e4c0 Mon Sep 17 00:00:00 2001 +From: Aleksandr Sharov +Date: Mar 25 2025 18:03:54 +0000 +Subject: Test fix for the update + + +Fixes: https://pagure.io/freeipa/issue/9760 +Signed-off-by: Aleksandr Sharov +Reviewed-By: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud + +--- + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index 15d8a81..d11fd3d 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -301,13 +301,18 @@ class TestIpaCertFix(IntegrationTest): + valid. If CA cert expired, ipa-cert-fix won't work. + + related: https://pagure.io/freeipa/issue/8721 ++ ++ If CA cert is close to expiry, there's no reason to issue new certs ++ with short validity period. So, ipa-cert-fix should fail in this case. ++ ++ related: https://pagure.io/freeipa/issue/9760 + """ + result = self.master.run_command(['ipa-cert-fix', '-v'], + stdin_text='yes\n', + raiseonerr=False) + # check that pki-server cert-fix command fails +- err_msg = ("ERROR: CalledProcessError(Command " +- "['pki-server', 'cert-fix'") ++ err_msg = ("CA signing cert is expired, exiting!") ++ assert result.returncode == 1 + assert err_msg in result.stderr_text + + + diff --git a/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch index e1a74ff..de96332 100644 --- a/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +++ b/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -32,7 +32,7 @@ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py index 7d21367ec..42a47f1df 100644 --- a/ipaplatform/base/paths.py 
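Review bot: The new `ca_issuing` branch in `IPACertFix.run` (the enclosing method starts outside the embedded hunk) tells the user about the condition via `print()` on stdout, while the only stderr signal is `logger.debug("CA signing cert is expired, exiting!")`, which is emitted only when the tool runs with `-v`; the updated test in test_ipa_cert_fix.py asserts on exactly that debug string, so it passes only because of the `-v` flag and would break if the default verbosity or the debug wording changed. Logging at error level with wording that matches the printed message, e.g. `logger.error("CA signing cert is expired or about to expire, exiting!")`, would make the refusal visible in normal runs, with the test's `err_msg` updated to the same string. The "next two weeks" window in the printed text is not established by anything in this hunk; if that threshold is computed elsewhere, a short comment above the `if any(...)` check naming where it comes from would keep the message and the code in step.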
+++ b/ipaplatform/base/paths.py -@@ -259,7 +259,6 @@ class BasePathNamespace: +@@ -258,8 +258,7 @@ class BasePathNamespace: IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" @@ -41,6 +41,7 @@ index 7d21367ec..42a47f1df 100644 - DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel" GETSEBOOL = "/usr/sbin/getsebool" GROUPADD = "/usr/sbin/groupadd" + USERMOD = "/usr/sbin/usermod" diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py index 4e993c063..92a948966 100644 --- a/ipaplatform/fedora/paths.py diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 49c15a8..f1620e7 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -190,7 +190,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 14%{?rc_version:.%rc_version}%{?dist} +Release: 16%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -245,6 +245,8 @@ Patch0033: 0033-PKINIT-certificate-fix-renewal-on-hidden-replica_rhel#4913. Patch0034: 0034-Add-ipa-idrange-fix_rhel#56920.patch Patch0035: 0035-Unconditionally-add-MS-PAC-to-global-config-on-update_rhel#49437.patch Patch0036: 0036-ipatests-Update-ipa-adtrust-install-test_rhel#40894.patch +Patch0037: 0037-Replica-CA-installation-ignore-skew-during-initial-replication_rhel#80995.patch +Patch0038: 0038-Add-a-check-into-ipa-cert-fix-tool-to-avoid-updating-certs-if-CA-is-close-to-being-expired_rhel#4941.patch %if 0%{?rhel} >= 8 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -1008,10 +1010,7 @@ for i in *.po ; do done popd -for p in %patches ; do - %__patch -p1 -i $p - UpdateTimestamps -p1 $p -done +%autopatch -p1 %build # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235 
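Review bot: The `%autopatch -p1` line replaces the `for p in %patches` loop and with it the `UpdateTimestamps -p1 $p` call that ran after every patch, so patched files no longer get their timestamps adjusted; if `UpdateTimestamps` is still defined earlier in %prep it is now dead code, and if the build depended on that pass (for instance to keep generated files from being rebuilt because their inputs became newer) the behavior is silently lost. If dropping it is intentional, a one-line comment above `%autopatch -p1` saying so and removal of the unused helper would document the decision; otherwise the timestamp pass needs to be re-added after `%autopatch`. The rest of the %prep section is outside the hunk.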
@@ -1762,6 +1761,16 @@ fi %endif %changelog +* Mon Mar 31 2025 Rafael Jeffman - 4.9.13-16 +- Add a- heck into ipa-cert-fix tool to avoid updating certs if CA is close to expire + Resolves: RHEL-4941 +- Fix rpminspect's 'patches' warnings + Resolves: RHEL-22497 + +* Mon Mar 10 2025 Rafael Jeffman - 4.9.13-15 +- Replica CA installation: ignore skew during initial replication + Resolves RHEL-80995 + * Wed Nov 27 2024 Rafael Jeffman - 4.9.13-14 - ipatests: Update ipa-adtrust-install test Resolves: RHEL-40894 @@ -1924,7 +1933,7 @@ fi * Thu May 25 2023 Rafael Jeffman - 4.9.12-2 - Use the OpenSSL certificate parser in cert-find - Resolves: RHBZ#2209947 + Resolves: RHBZ#2209947 * Wed May 24 2023 Rafael Jeffman - 4.9.12-1 - Rebase ipa to 4.9.12 @@ -1957,7 +1966,7 @@ fi Resolves: RHBZ#2129895 - Fix canonicalization issue in Web UI Resolves: RHBZ#2127035 -- Remove idnssoaserial argument from dns zone API. +- Remove idnssoaserial argument from dns zone API. Resolves: RHBZ#2108630 - Warn for permissions with read/write/search/compare and no attrs Resolves: RHBZ#2098187