rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import ipa-4.9.6-12.module+el8.5.0+14526+983b221b

Browse Source
This commit is contained in:
CentOS Sources 2022-04-26 09:53:02 -04:00 committed by Stepan Oksanichenko
parent f1a4d6e9a8
commit 99d99f81c9
6 changed files with 4504 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
SOURCES/0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch Normal file
View File

@ -0,0 +1,45 @@
From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
From: Francisco Trivino <ftrivino@redhat.com>
Date: Feb 01 2022 07:57:24 +0000
Subject: Custodia: use a stronger encryption algo when exporting keys
The Custodia key export handler is using the default's OpenSSL encryption
scheme for PKCS#12.
This represents an issue when performing a migration from CentOS Stream 8 (C8S)
to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
replica talks to the Custodia server on C8S source server. The later creates an
encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
default encryption scheme, which is no longer supported on C9S.
This commit enforces a stronger encryption algorigthm by adding following
arguments to the Custodia server handler:
-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
Fixes: https://pagure.io/freeipa/issue/9101
Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
---
diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
index 4e8eff0..ad36bd0 100644
--- a/ipaserver/secrets/handlers/pemfile.py
+++ b/ipaserver/secrets/handlers/pemfile.py
@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
'-out', pk12file,
'-inkey', args.keyfile,
'-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
+ '-keypbe', 'AES-256-CBC',
+ '-certpbe', 'AES-256-CBC',
+ '-macalg', 'sha384',
])
with open(pk12file, 'rb') as f:

95
SOURCES/0015-uninstall-remove-tdb-files_rhbz#2065719.patch Normal file
View File

@ -0,0 +1,95 @@
From 6302769b83af75f267c76fe6f854d5b42b6b80f5 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Oct 21 2021 19:58:19 +0000
Subject: ipa-server-install uninstall: remove tdb files
ipa-server-install uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.
Related: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
index 24e90f3..e034fab 100644
--- a/ipaserver/install/adtrustinstance.py
+++ b/ipaserver/install/adtrustinstance.py
@@ -918,11 +918,18 @@ class ADTRUSTInstance(service.Service):
ipautil.remove_file(self.smb_conf)
# Remove samba's persistent and temporary tdb files
- if os.path.isdir(paths.SAMBA_DIR):
- tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
- if tdb_file.endswith(".tdb")]
- for tdb_file in tdb_files:
- ipautil.remove_file(tdb_file)
+ # in /var/lib/samba and /var/lib/samba/private
+ for smbpath in (paths.SAMBA_DIR,
+ os.path.join(paths.SAMBA_DIR, "private"),
+ os.path.join(paths.SAMBA_DIR, "lock")):
+ if os.path.isdir(smbpath):
+ tdb_files = [
+ os.path.join(smbpath, tdb_file)
+ for tdb_file in os.listdir(smbpath)
+ if tdb_file.endswith(".tdb")
+ ]
+ for tdb_file in tdb_files:
+ ipautil.remove_file(tdb_file)
# Remove our keys from samba's keytab
self.clean_samba_keytab()
From 82eaa2eac454aed75a498d2c6ccd9e921f9c8a89 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Oct 21 2021 19:58:19 +0000
Subject: ipa-client-samba uninstall: remove tdb files
ipa-client-samba uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.
Fixes: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py
index fd89e59..222ff31 100755
--- a/ipaclient/install/ipa_client_samba.py
+++ b/ipaclient/install/ipa_client_samba.py
@@ -446,13 +446,17 @@ def uninstall(fstore, statestore, options):
fstore.restore_file(paths.SMB_CONF)
# Remove samba's persistent and temporary tdb files
- tdb_files = [
- tdb_file
- for tdb_file in os.listdir(paths.SAMBA_DIR)
- if tdb_file.endswith(".tdb")
- ]
- for tdb_file in tdb_files:
- ipautil.remove_file(tdb_file)
+ # in /var/lib/samba and /var/lib/samba/private
+ for smbpath in (paths.SAMBA_DIR,
+ os.path.join(paths.SAMBA_DIR, "private"),
+ os.path.join(paths.SAMBA_DIR, "lock")):
+ tdb_files = [
+ os.path.join(smbpath, tdb_file)
+ for tdb_file in os.listdir(smbpath)
+ if tdb_file.endswith(".tdb")
+ ]
+ for tdb_file in tdb_files:
+ ipautil.remove_file(tdb_file)
# Remove our keys from samba's keytab
if os.path.exists(paths.SAMBA_KEYTAB):

222
SOURCES/freeipa-4.9.6-bf-2.patch Normal file
View File

@ -0,0 +1,222 @@
From fe59e6a0b06926a3d71c6b6f361714d1422d5b0f Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 11 Nov 2021 09:58:09 +0200
Subject: [PATCH 1/2] ipa-kdb: honor SID from the host or service entry
If the SID was explicitly set for the host or service entry, honor it
when issuing PAC. For normal services and hosts we don't allocate
individual SIDs but for cifs/... principals on domain members we do as
they need to login to Samba domain controller.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 46 ++++++++++++++++++++-------------
1 file changed, 28 insertions(+), 18 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 0e0ee3616..6f272f9fe 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -653,6 +653,28 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
* clear it after detecting the changes */
info3->base.acct_flags = ACB_USE_AES_KEYS;
+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
+ "ipaNTSecurityIdentifier", &strres);
+ if (ret) {
+ /* SID is mandatory for all but host/services */
+ if (!(is_host || is_service)) {
+ return ret;
+ }
+ info3->base.rid = 0;
+ } else {
+ ret = ipadb_string_to_sid(strres, &sid);
+ free(strres);
+ if (ret) {
+ return ret;
+ }
+ ret = sid_split_rid(&sid, &info3->base.rid);
+ if (ret) {
+ return ret;
+ }
+ }
+
+ /* If SID was present prefer using it even for hosts and services
+ * but we still need to set the account flags correctly */
if ((is_host || is_service)) {
/* it is either host or service, so get the hostname first */
char *sep = strchr(info3->base.account_name.string, '/');
@@ -661,29 +683,17 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
sep ? sep + 1 : info3->base.account_name.string);
if (is_master) {
/* Well known RID of domain controllers group */
- info3->base.rid = 516;
+ if (info3->base.rid == 0) {
+ info3->base.rid = 516;
+ }
info3->base.acct_flags |= ACB_SVRTRUST;
} else {
/* Well known RID of domain computers group */
- info3->base.rid = 515;
+ if (info3->base.rid == 0) {
+ info3->base.rid = 515;
+ }
info3->base.acct_flags |= ACB_WSTRUST;
}
- } else {
- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
- "ipaNTSecurityIdentifier", &strres);
- if (ret) {
- /* SID is mandatory */
- return ret;
- }
- ret = ipadb_string_to_sid(strres, &sid);
- free(strres);
- if (ret) {
- return ret;
- }
- ret = sid_split_rid(&sid, &info3->base.rid);
- if (ret) {
- return ret;
- }
}
ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
--
2.33.1
From 21af43550aa0a31e1ec5240578bd64fcbdd4ee24 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Thu, 11 Nov 2021 10:16:47 +0200
Subject: [PATCH 2/2] ipa-kdb: validate domain SID in incoming PAC for trusted
domains for S4U
Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.
In such case, validate the SID of the domain in PAC against our realm
and any trusted doman but skip an additional check of the DB entry in
the S4U2Proxy case.
Related: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 54 ++++++++++++++++++++++++++-------
1 file changed, 43 insertions(+), 11 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 6f272f9fe..6f7d1ac15 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1637,11 +1637,13 @@ static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
static krb5_error_code check_logon_info_consistent(krb5_context context,
TALLOC_CTX *memctx,
krb5_const_principal client_princ,
+ krb5_boolean is_s4u,
struct PAC_LOGON_INFO_CTR *info)
{
krb5_error_code kerr = 0;
struct ipadb_context *ipactx;
bool result;
+ bool is_from_trusted_domain = false;
krb5_db_entry *client_actual = NULL;
struct ipadb_e_data *ied = NULL;
int flags = 0;
@@ -1671,14 +1673,36 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
result = dom_sid_check(&ipactx->mspac->domsid,
info->info->info3.base.domain_sid, true);
if (!result) {
- /* memctx is freed by the caller */
- char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
- char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
- "to local domain SID: local [%s], PAC [%s]",
- dom ? dom : "<failed to display>",
- sid ? sid : "<failed to display>");
- return KRB5KDC_ERR_POLICY;
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
+ /* Iterate through list of trusts and check if this SID belongs to
+ * one of the domains we trust */
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
+ info->info->info3.base.domain_sid, true);
+ if (result) {
+ is_from_trusted_domain = true;
+ break;
+ }
+ }
+ }
+
+ if (!result) {
+ /* memctx is freed by the caller */
+ char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
+ char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
+ "to local domain SID or any trusted domain SID: "
+ "local [%s], PAC [%s]",
+ dom ? dom : "<failed to display>",
+ sid ? sid : "<failed to display>");
+ return KRB5KDC_ERR_POLICY;
+ }
+ }
+
+ if (is_s4u && is_from_trusted_domain) {
+ /* If the PAC belongs to a user from the trusted domain, we cannot compare SIDs */
+ return 0;
}
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
@@ -1703,6 +1727,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
goto done;
}
+
kerr = ipadb_get_sid_from_pac(memctx, info->info, &client_sid);
if (kerr) {
goto done;
@@ -1956,6 +1981,7 @@ krb5_error_code filter_logon_info(krb5_context context,
static krb5_error_code ipadb_check_logon_info(krb5_context context,
krb5_const_principal client_princ,
krb5_boolean is_cross_realm,
+ krb5_boolean is_s4u,
krb5_data *pac_blob,
struct dom_sid *requester_sid)
{
@@ -1999,8 +2025,11 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
if (!is_cross_realm) {
/* For local realm case we need to check whether the PAC is for our user
- * but we don't need to process further */
- kerr = check_logon_info_consistent(context, tmpctx, client_princ, &info);
+ * but we don't need to process further. In S4U2Proxy case when the client
+ * is ours but operates on behalf of the cross-realm principal, we will
+ * search through the trusted domains but otherwise skip the exact SID check
+ * as we are not responsible for the principal from the trusted domain */
+ kerr = check_logon_info_consistent(context, tmpctx, client_princ, is_s4u, &info);
goto done;
}
@@ -2251,7 +2280,10 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
#endif
kerr = ipadb_check_logon_info(context,
- client_princ, is_cross_realm, &pac_blob,
+ client_princ,
+ is_cross_realm,
+ (flags & KRB5_KDB_FLAGS_S4U),
+ &pac_blob,
requester_sid);
if (kerr != 0) {
goto done;
--
2.33.1

122
SOURCES/freeipa-4.9.6-bf-3.patch Normal file
View File

@ -0,0 +1,122 @@
From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 26 Nov 2021 11:13:51 +0200
Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
MS-SFU updates
New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:
- PAC_REQUESTER_SID should only be added for TGT requests
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
the ticket resolves to the account with the same SID as the
PAC_REQUESTER_SID. If it doesn't KDC must respond with
KDC_ERR_TKT_REVOKED
Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.
If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.
With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
1 file changed, 34 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 538cfbba9..1b972c167 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
"local [%s], PAC [%s]",
dom ? dom : "<failed to display>",
sid ? sid : "<failed to display>");
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
}
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
ied = (struct ipadb_e_data *)client_actual->e_data;
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
"local [%s] vs PAC [%s]",
local_sid ? local_sid : "<failed to display>",
pac_sid ? pac_sid : "<failed to display>");
- kerr = KRB5KDC_ERR_POLICY;
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
goto done;
}
@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
/* Check that requester SID is the same as in the PAC entry */
if (requester_sid != NULL) {
struct dom_sid client_sid;
+ bool is_from_trusted_domain = false;
kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
if (kerr) {
goto done;
}
result = dom_sid_check(&client_sid, requester_sid, true);
if (!result) {
- /* memctx is freed by the caller */
- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
- char *req_sid = dom_sid_string(tmpctx, requester_sid);
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
- "different from what PAC requester claims. "
- "PAC [%s] vs PAC requester [%s]",
- pac_sid ? pac_sid : "<failed to display>",
- req_sid ? req_sid : "<failed to display>");
- kerr = KRB5KDC_ERR_POLICY;
- goto done;
+ struct ipadb_context *ipactx = ipadb_get_context(context);
+ if (!ipactx || !ipactx->mspac) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
+ /* Iterate through list of trusts and check if this SID belongs to
+ * one of the domains we trust */
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
+ requester_sid, false);
+ if (result) {
+ is_from_trusted_domain = true;
+ break;
+ }
+ }
+ }
+
+ if (!is_from_trusted_domain) {
+ /* memctx is freed by the caller */
+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
+ "different from what PAC requester claims. "
+ "PAC [%s] vs PAC requester [%s]",
+ pac_sid ? pac_sid : "<failed to display>",
+ req_sid ? req_sid : "<failed to display>");
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
+ goto done;
+ }
}
}
--
2.31.1

3979
SOURCES/freeipa-4.9.6-bf.patch Normal file
View File

File diff suppressed because it is too large Load Diff

47
SPECS/ipa.spec
View File

@ -68,8 +68,8 @@
%global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
# Require 4.7.0 which brings Python 3 bindings
%global samba_version 4.12.3-12
# Require 4.14.5-6 which brings CVE-2020-25717 fixes in RHEL 8.5.z
%global samba_version 4.14.5-6
%global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1
@ -92,9 +92,9 @@
%global krb5_version 1.18.2-29
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
# Require 4.7.0 which brings Python 3 bindings
# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
%global samba_version 2:4.12.10
# Require 4.14.6 which brings CVE-2020-25717 fixes
%global samba_version 2:4.14.6
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
%global selinux_policy_version 3.14.5-45
@ -191,7 +191,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 6%{?rc_version:.%rc_version}%{?dist}
Release: 12%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -224,10 +224,17 @@ Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.pa
Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
Patch0014: 0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
Patch0015: 0015-uninstall-remove-tdb-files_rhbz#2065719.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
# RHEL spec file only: END
# SID hardening patches
Patch1100: freeipa-4.9.6-bf.patch
Patch1101: freeipa-4.9.6-bf-2.patch
Patch1102: freeipa-4.9.6-bf-3.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@ -471,6 +478,8 @@ Requires: gssproxy >= 0.7.0-2
Requires: sssd-dbus >= %{sssd_version}
Requires: libpwquality
Requires: cracklib-dicts
# NDR libraries are internal in Samba and change with version without changing SONAME
Requires: samba-client-libs >= %{samba_version}
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@ -1377,6 +1386,7 @@ fi
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%dir %{_libexecdir}/ipa/oddjob
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
@ -1709,6 +1719,31 @@ fi
%changelog
* Fri Mar 18 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-12
- ipa-server-install uninstall: remove tdb files
- ipa-client-samba uninstall: remove tdb files
Resolves: RHBZ#2065719
* Tue Mar 15 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-11
- Custodia use a stronger encryption algo when exporting keys
Resolves: RHBZ#2062404
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10
- Bump realease version due to build issue.
Related: RHBZ#2021489
* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-9
- Hardening for CVE-2020-25717, part 3
Related: RHBZ#2021489
* Thu Nov 18 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
- Hardening for CVE-2020-25717, part 2
- Related: RHBZ#2021171
* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
- Hardening for CVE-2020-25717
- Related: RHBZ#2021171
* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
- Don't store entries with a usercertificate in the LDAP cache
Resolves: RHBZ#1999893