From 99dc8ae9689eaa163acb2e63cfe906f5461a8177 Mon Sep 17 00:00:00 2001 
From: CentOS Sources Date: Fri, 17 Dec 2021 20:50:04 +0000 Subject: [PATCH] import ipa-4.9.8-2.module+el8.6.0+13645+f14f0cc3 --- .gitignore | 2 +- .ipa.metadata | 2 +- ...ipa.spec-depend-on-bind-dnssec-utils.patch | 70 +++++ ...ounter_ns-is-Python-3.7_rhbz#1974822.patch | 136 --------- ...auth-indicators-to-inte_rhbz#1979625.patch | 272 ------------------ ...typeclass-when-required_rhbz#1979605.patch | 89 ------ ...te-ipa-server-upgrade.1_rhbz#1973273.patch | 35 --- ...-when-validating-host-a_rhbz#1979625.patch | 69 ----- ...d-crypto-policy-support_rhbz#1982956.patch | 30 -- ...when-adding-CA-profiles_rhbz#1999142.patch | 53 ---- ...-to-access-proc-cpuinfo_rhbz#1998129.patch | 41 --- ...BJECT-if-domains-differ_rhbz#2000263.patch | 46 --- ...d-to-detect-compat-tree_rhbz#1999992.patch | 37 --- ...-base-scope-works-with-_rhbz#2000553.patch | 89 ------ ...-Test-unsecure-nsupdate_rhbz#2000553.patch | 162 ----------- ...ercertificate-in-the-LD_rhbz#1999893.patch | 128 --------- ...C-processing-of-PAC-buffers-20211130.patch | 122 ++++++++ SOURCES/freeipa-4.9.6.tar.gz.asc | 16 -- SOURCES/freeipa-4.9.8.tar.gz.asc | 16 ++ SPECS/ipa.spec | 80 +++--- 20 files changed, 256 insertions(+), 1239 deletions(-) create mode 100644 SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch delete mode 100644 SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch delete mode 100644 SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch delete mode 100644 SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch delete mode 100644 SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch delete mode 100644 SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch delete mode 100644 SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch delete mode 100644 SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch delete mode 
100644 SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
delete mode 100644 SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
delete mode 100644 SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
delete mode 100644 SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
delete mode 100644 SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
delete mode 100644 SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
create mode 100644 SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
delete mode 100644 SOURCES/freeipa-4.9.6.tar.gz.asc
create mode 100644 SOURCES/freeipa-4.9.8.tar.gz.asc
diff --git a/.gitignore b/.gitignore
index 34c1a4e..d9c893f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.6.tar.gz
+SOURCES/freeipa-4.9.8.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index ab790ce..15ef586 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
+38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz
diff --git a/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
new file mode 100644
index 0000000..943e986
--- /dev/null
+++ b/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@@ -0,0 +1,70 @@ +From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Fri, 10 Dec 2021 12:15:36 -0300 +Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils" + +This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda. +--- + freeipa.spec.in | 4 +--- + ipaplatform/base/paths.py | 2 +- + ipaplatform/fedora/paths.py | 1 + + ipaserver/dnssec/bindmgr.py | 1 - + 4 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 8f5c370e5..e20edb7bc 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release} + Requires: bind-dyndb-ldap >= 11.2-2 + Requires: bind >= %{bind_version} + Requires: bind-utils >= %{bind_version} +-# bind-dnssec-utils is required by the OpenDNSSec integration +-# https://pagure.io/freeipa/issue/9026 +-Requires: bind-dnssec-utils >= %{bind_version} + %if %{with bind_pkcs11} + Requires: bind-pkcs11 >= %{bind_version} ++Requires: bind-pkcs11-utils >= %{bind_version} + %else + Requires: softhsm >= %{softhsm_version} + Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} +diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py +index 7d21367ec..42a47f1df 100644 +--- a/ipaplatform/base/paths.py ++++ b/ipaplatform/base/paths.py +@@ -259,7 +259,7 @@ class BasePathNamespace: + IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" + IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" + IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" +- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" ++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" + GETSEBOOL = "/usr/sbin/getsebool" + GROUPADD = "/usr/sbin/groupadd" + USERMOD = "/usr/sbin/usermod" +diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py +index 4e993c063..92a948966 100644 +--- a/ipaplatform/fedora/paths.py ++++ b/ipaplatform/fedora/paths.py +@@ 
-36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace): + NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config" + if HAS_NFS_CONF: + SYSCONFIG_NFS = '/etc/nfs.conf' ++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" + + + paths = FedoraPathNamespace() +diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py +index 0c79cc03d..a15c0e601 100644 +--- a/ipaserver/dnssec/bindmgr.py ++++ b/ipaserver/dnssec/bindmgr.py +@@ -127,7 +127,6 @@ class BINDMgr: + ) + cmd = [ + paths.DNSSEC_KEYFROMLABEL, +- '-E', 'pkcs11', + '-K', workdir, + '-a', attrs['idnsSecAlgorithm'][0], + '-l', uri +-- +2.31.1 + diff --git a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch deleted file mode 100644 index 22f37ad..0000000 --- a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch +++ /dev/null 
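Review bot: In the freeipa.spec.in part of this hunk the only package that plausibly provides `/usr/sbin/dnssec-keyfromlabel-pkcs11` — the new value of `BasePathNamespace.DNSSEC_KEYFROMLABEL` in ipaplatform/base/paths.py — is `bind-pkcs11-utils`, and it is required only inside `%if %{with bind_pkcs11}`; nothing visible in the `%else` branch (softhsm, openssl-pkcs11) ships that binary, so unless the rhel platform namespace overrides the path the way ipaplatform/fedora/paths.py now does (outside this patch), a build without bind_pkcs11 would invoke a missing binary when BINDMgr generates DNSSEC keys. The bindmgr.py part also drops `'-E', 'pkcs11'` from the command, so engine selection now rests entirely on which binary the path names, which deserves a comment next to the constant: `# dnssec-keyfromlabel-pkcs11 is shipped by bind-pkcs11-utils; platforms without bind-pkcs11 override this (see ipaplatform/fedora/paths.py)`. The embedded revert's message states only the reverted hash; a sentence on why el8 keeps the pkcs11-enabled bind tooling would help the next rebase. The BINDMgr method holding the cmd list starts and ends outside the hunk.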
@@ -1,136 +0,0 @@ -From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Tue, 22 Jun 2021 14:36:51 +0200 -Subject: [PATCH] paths: add IPA_SERVER_CONF -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Related: https://pagure.io/freeipa/issue/8891 -Signed-off-by: François Cami -Reviewed-By: Stanislav Levin -Reviewed-By: Rob Crittenden ---- - ipaplatform/base/paths.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index 91423b332..de217d9ef 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -71,6 +71,7 @@ class BasePathNamespace: - IPA_DEFAULT_CONF = "/etc/ipa/default.conf" - IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab" - IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab" -+ IPA_SERVER_CONF = "/etc/ipa/server.conf" - DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf" - DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf" - DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so" --- -2.31.1 - -From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Tue, 22 Jun 2021 14:45:49 +0200 -Subject: [PATCH] ipatests: smoke test for server debug mode. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add a smoke test to make sure the server can be set in debug mode -without issue. 
- -Related: https://pagure.io/freeipa/issue/8891 -Signed-off-by: François Cami -Reviewed-By: Stanislav Levin -Reviewed-By: Rob Crittenden ---- - .../test_integration/test_installation.py | 27 +++++++++++++++++++ - 1 file changed, 27 insertions(+) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index 301767b8d..0c96536f0 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest): - def test_install_master(self): - tasks.install_master(self.master, setup_dns=False) - -+ @pytest.mark.skip_if_platform( -+ "debian", reason="This test hardcodes the httpd service name" -+ ) -+ def test_smoke_test_for_debug_mode(self): -+ """Test if an IPA server works in debug mode. -+ Related: https://pagure.io/freeipa/issue/8891 -+ -+ Note: this test hardcodes the "httpd" service name. -+ """ -+ -+ target_fname = paths.IPA_SERVER_CONF -+ assert not self.master.transport.file_exists(target_fname) -+ -+ # set the IPA server in debug mode -+ server_conf = "[global]\ndebug=True" -+ self.master.put_file_contents(target_fname, server_conf) -+ self.master.run_command(["systemctl", "restart", "httpd"]) -+ -+ # smoke test in debug mode -+ tasks.kdestroy_all(self.master) -+ tasks.kinit_admin(self.master) -+ self.master.run_command(["ipa", "user-show", "admin"]) -+ -+ # rollback -+ self.master.run_command(["rm", target_fname]) -+ self.master.run_command(["systemctl", "restart", "httpd"]) -+ - def test_schema_compat_attribute_and_tree_disable(self): - """Test if schema-compat-entry-attribute is set - --- -2.31.1 - -From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Wed, 23 Jun 2021 06:35:19 +0200 -Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+ -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - 
-perf_counter_ns is only available in Python 3.7 and later. -Define a lambda for 3.6 and lower. - -Fixes: https://pagure.io/freeipa/issue/8891 -Signed-off-by: François Cami -Reviewed-By: Stanislav Levin -Reviewed-By: Rob Crittenden ---- - ipaserver/rpcserver.py | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py -index b121316bf..e612528e0 100644 ---- a/ipaserver/rpcserver.py -+++ b/ipaserver/rpcserver.py -@@ -31,6 +31,7 @@ import os - import time - import traceback - from io import BytesIO -+from sys import version_info - from urllib.parse import parse_qs - from xmlrpc.client import Fault - -@@ -72,6 +73,10 @@ from requests.auth import AuthBase - if six.PY3: - unicode = str - -+# time.perf_counter_ns appeared in Python 3.7. -+if version_info < (3, 7): -+ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9) -+ - logger = logging.getLogger(__name__) - - HTTP_STATUS_SUCCESS = '200 Success' --- -2.31.1 - diff --git a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch deleted file mode 100644 index 81b6c45..0000000 --- a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch +++ /dev/null 
@@ -1,272 +0,0 @@ -From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001 -From: Antonio Torres -Date: Mon, 8 Mar 2021 18:15:50 +0100 -Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA - services - -Authentication indicators should not be enforced against internal -IPA services, since not all users of those services are able to produce -Kerberos tickets with all the auth indicator options. This includes -host, ldap, HTTP and cifs in IPA server and cifs in IPA clients. -If a client that is being promoted to replica has an auth indicator -in its host principal then the promotion is aborted. - -Fixes: https://pagure.io/freeipa/issue/8206 -Signed-off-by: Antonio Torres ---- - ipaserver/install/server/replicainstall.py | 13 ++++++++++++ - ipaserver/plugins/host.py | 5 ++++- - ipaserver/plugins/service.py | 24 ++++++++++++++++++++++ - 3 files changed, 41 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 73967a224..f1fb91036 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn): - )) - - -+def promotion_check_host_principal_auth_ind(conn, hostdn): -+ entry = conn.get_entry(hostdn, ['krbprincipalauthind']) -+ if 'krbprincipalauthind' in entry: -+ raise RuntimeError( -+ "Client cannot be promoted to a replica if the host principal " -+ "has an authentication indicator set." 
-+ ) -+ -+ - @common_cleanup - @preserve_enrollment_state - def promote_check(installer): -@@ -956,6 +965,10 @@ def promote_check(installer): - config.master_host_name, None) - - promotion_check_ipa_domain(conn, remote_api.env.basedn) -+ hostdn = DN(('fqdn', api.env.host), -+ api.env.container_host, -+ api.env.basedn) -+ promotion_check_host_principal_auth_ind(conn, hostdn) - - # Make sure that domain fulfills minimal domain level - # requirement -diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py -index eb1f8ef04..41fa933e2 100644 ---- a/ipaserver/plugins/host.py -+++ b/ipaserver/plugins/host.py -@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate, - LDAPAddAttributeViaOption, - LDAPRemoveAttributeViaOption) - from .service import ( -- validate_realm, normalize_principal, -+ validate_realm, validate_auth_indicator, normalize_principal, - set_certificate_attrs, ticket_flags_params, update_krbticketflags, - set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap, - rename_ipaallowedtoperform_to_ldap, revoke_certs) -@@ -735,6 +735,8 @@ class host_add(LDAPCreate): - update_krbticketflags(ldap, entry_attrs, attrs_list, options, False) - if 'krbticketflags' in entry_attrs: - entry_attrs['objectclass'].append('krbticketpolicyaux') -+ validate_auth_indicator(entry_attrs) -+ - return dn - - def post_callback(self, ldap, dn, entry_attrs, *keys, **options): -@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate): - if 'krbprincipalaux' not in (item.lower() for item in - entry_attrs['objectclass']): - entry_attrs['objectclass'].append('krbprincipalaux') -+ validate_auth_indicator(entry_attrs) - - add_sshpubkey_to_attrs_pre(self.context, attrs_list) - -diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py -index 1c9347804..cfbbff3c6 100644 ---- a/ipaserver/plugins/service.py -+++ b/ipaserver/plugins/service.py -@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal): - raise errors.RealmMismatch() - - -+def 
validate_auth_indicator(entry): -+ new_value = entry.get('krbprincipalauthind', None) -+ if not new_value: -+ return -+ # The following services are considered internal IPA services -+ # and shouldn't be allowed to have auth indicators. -+ # https://pagure.io/freeipa/issue/8206 -+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn) -+ principal = kerberos.Principal(pkey) -+ server = api.Command.server_find(principal.hostname)['result'] -+ if server: -+ prefixes = ("host", "cifs", "ldap", "HTTP") -+ else: -+ prefixes = ("cifs",) -+ if principal.service_name in prefixes: -+ raise errors.ValidationError( -+ name='krbprincipalauthind', -+ error=_('authentication indicators not allowed ' -+ 'in service "%s"' % principal.service_name) -+ ) -+ -+ - def normalize_principal(value): - """ - Ensure that the name in the principal is lower-case. The realm is -@@ -652,6 +674,7 @@ class service_add(LDAPCreate): - hostname) - - self.obj.validate_ipakrbauthzdata(entry_attrs) -+ validate_auth_indicator(entry_attrs) - - if not options.get('force', False): - # We know the host exists if we've gotten this far but we -@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate): - assert isinstance(dn, DN) - - self.obj.validate_ipakrbauthzdata(entry_attrs) -+ validate_auth_indicator(entry_attrs) - - # verify certificates - certs = entry_attrs.get('usercertificate') or [] --- -2.31.1 - -From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001 -From: Antonio Torres -Date: Mon, 8 Mar 2021 18:20:35 +0100 -Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal - IPA services - -Authentication indicators should not be added to internal IPA services, -since this can lead to a broken IPA setup. In case a client with -an auth indicator set in its host principal, promoting it to a replica -should fail. 
- -Related: https://pagure.io/freeipa/issue/8206 -Signed-off-by: Antonio Torres ---- - .../test_replica_promotion.py | 38 +++++++++++++++++++ - ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++ - ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++ - 3 files changed, 69 insertions(+) - -diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py -index 0a137dbdc..b9c56f775 100644 ---- a/ipatests/test_integration/test_replica_promotion.py -+++ b/ipatests/test_integration/test_replica_promotion.py -@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): - assert result.returncode == 1 - assert expected_err in result.stderr_text - -+ @replicas_cleanup -+ def test_install_with_host_auth_ind_set(self): -+ """ A client shouldn't be able to be promoted if it has -+ any auth indicator set in the host principal. -+ https://pagure.io/freeipa/issue/8206 -+ """ -+ -+ client = self.replicas[0] -+ # Configure firewall first -+ Firewall(client).enable_services(["freeipa-ldap", -+ "freeipa-ldaps"]) -+ -+ client.run_command(['ipa-client-install', '-U', -+ '--domain', self.master.domain.name, -+ '--realm', self.master.domain.realm, -+ '-p', 'admin', -+ '-w', self.master.config.admin_password, -+ '--server', self.master.hostname, -+ '--force-join']) -+ -+ tasks.kinit_admin(client) -+ -+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp', -+ client.hostname]) -+ -+ res = client.run_command(['ipa-replica-install', '-U', '-w', -+ self.master.config.dirman_password], -+ raiseonerr=False) -+ -+ client.run_command(['ipa', 'host-mod', '--auth-ind=', -+ client.hostname]) -+ -+ expected_err = ("Client cannot be promoted to a replica if the host " -+ "principal has an authentication indicator set.") -+ assert res.returncode == 1 -+ assert expected_err in res.stderr_text -+ -+ - @replicas_cleanup - def test_one_command_installation(self): - """ -diff --git a/ipatests/test_xmlrpc/test_host_plugin.py 
b/ipatests/test_xmlrpc/test_host_plugin.py -index c66bbc865..9cfde3565 100644 ---- a/ipatests/test_xmlrpc/test_host_plugin.py -+++ b/ipatests/test_xmlrpc/test_host_plugin.py -@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test): - error=u'An IPA master host cannot be deleted or disabled')): - command() - -+ def test_try_add_auth_ind_master(self, this_host): -+ command = this_host.make_update_command({ -+ u'krbprincipalauthind': u'radius'}) -+ with raises_exact(errors.ValidationError( -+ name='krbprincipalauthind', -+ error=u'authentication indicators not allowed ' -+ 'in service "host"' -+ )): -+ command() -+ - - @pytest.mark.tier1 - class TestValidation(XMLRPC_test): -diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py -index 4c845938c..ed634a045 100644 ---- a/ipatests/test_xmlrpc/test_service_plugin.py -+++ b/ipatests/test_xmlrpc/test_service_plugin.py -@@ -25,6 +25,7 @@ from ipalib import api, errors - from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash - from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer - from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test -+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact - from ipatests.test_xmlrpc import objectclasses - from ipatests.test_xmlrpc.testcert import get_testcert, subject_base - from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn -@@ -1552,6 +1553,15 @@ def indicators_host(request): - return tracker.make_fixture(request) - - -+@pytest.fixture(scope='function') -+def this_host(request): -+ """Fixture for the current master""" -+ tracker = HostTracker(name=api.env.host.partition('.')[0], -+ fqdn=api.env.host) -+ tracker.exists = True -+ return tracker -+ -+ - @pytest.fixture(scope='function') - def indicators_service(request): - tracker = ServiceTracker( -@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test): - 
expected_updates={u'krbprincipalauthind': [u'radius']} - ) - -+ def test_update_indicator_internal_service(self, this_host): -+ command = this_host.make_command('service_mod', -+ 'ldap/' + this_host.fqdn, -+ **dict(krbprincipalauthind='otp')) -+ with raises_exact(errors.ValidationError( -+ name='krbprincipalauthind', -+ error=u'authentication indicators not allowed ' -+ 'in service "ldap"' -+ )): -+ command() -+ - - @pytest.fixture(scope='function') - def managing_host(request): --- -2.31.1 - diff --git a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch deleted file mode 100644 index 7934afd..0000000 --- a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 5 Jul 2021 09:51:41 +0200 -Subject: [PATCH] stageuser: add ipauserauthtypeclass when required - -The command -ipa stageuser-add --user-auth-type=xxx -is currently failing because the objectclass ipauserauthtypeclass -is missing from the created entry. - -There is code adding the missing objectclass in the -pre_common_callback method of user_add, and this code should -be common to user_add and stageuser_add. In order to avoid code -duplication, it makes more sense to move the existing code to -pre_common_callback of baseuser_add, that is called by both -classes. - -Fixes: https://pagure.io/freeipa/issue/8909 -Reviewed-By: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipaserver/plugins/baseuser.py | 3 +++ - ipaserver/plugins/user.py | 4 ---- - 2 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py -index ae16a978a..6035228f1 100644 ---- a/ipaserver/plugins/baseuser.py -+++ b/ipaserver/plugins/baseuser.py -@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate): - if entry_attrs.get('ipatokenradiususername', None): - add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn, - entry_attrs, update=False) -+ if entry_attrs.get('ipauserauthtype', None): -+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn, -+ entry_attrs, update=False) - - def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options): - assert isinstance(dn, DN) -diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py -index 6f7facb53..e4ee572b2 100644 ---- a/ipaserver/plugins/user.py -+++ b/ipaserver/plugins/user.py -@@ -617,10 +617,6 @@ class user_add(baseuser_add): - 'ipauser' not in entry_attrs['objectclass']: - entry_attrs['objectclass'].append('ipauser') - -- if 'ipauserauthtype' in entry_attrs and \ -- 'ipauserauthtypeclass' not in entry_attrs['objectclass']: -- 
entry_attrs['objectclass'].append('ipauserauthtypeclass') -- - rcl = entry_attrs.get('ipatokenradiusconfiglink', None) - if rcl: - if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']: --- -2.31.1 - -From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 5 Jul 2021 10:22:31 +0200 -Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type - -Related: https://pagure.io/freeipa/issue/8909 -Reviewed-By: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py -index 5586fc607..bc606b093 100644 ---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py -+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py -@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test): - result = command() - assert result['count'] == 1 - -+ def test_create_withuserauthtype(self, stageduser): -+ stageduser.ensure_missing() -+ command = stageduser.make_create_command( -+ options={u'ipauserauthtype': u'password'}) -+ command() -+ - - @pytest.mark.tier1 - class TestCreateInvalidAttributes(XMLRPC_test): --- -2.31.1 - diff --git a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch deleted file mode 100644 index 83182ce..0000000 --- a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Wed, 7 Jul 2021 14:11:40 +0200 -Subject: [PATCH] man page: update ipa-server-upgrade.1 - -The man page needs to clarify in which case the command needs -to be run. - -Fixes: https://pagure.io/freeipa/issue/8913 -Reviewed-By: Francois Cami ---- - install/tools/man/ipa-server-upgrade.1 | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1 -index 3db19b0f1..f01e21c6b 100644 ---- a/install/tools/man/ipa-server-upgrade.1 -+++ b/install/tools/man/ipa-server-upgrade.1 -@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server - .SH "SYNOPSIS" - ipa\-server\-upgrade [options] - .SH "DESCRIPTION" --ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users. -+ipa\-server\-upgrade is executed automatically to upgrade IPA server when -+the IPA packages are being updated. It is not intended to be executed by -+end\-users, unless the automatic execution reports an error. In this case, -+the administrator needs to identify and fix the issue that is causing the -+upgrade failure (with the help of /var/log/ipaupgrade.log) -+and manually re\-run ipa\-server\-upgrade. - - ipa\-server\-upgrade will: - --- -2.31.1 - diff --git a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch deleted file mode 100644 index 069d106..0000000 --- a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 12 Jul 2021 11:02:10 -0400 -Subject: [PATCH] Fall back to krbprincipalname when validating host auth - indicators - -When adding a new host the principal cannot be determined because it -relies on either: - -a) an entry to already exist -b) krbprincipalname be a component of the dn - -As a result the full dn is being passed into ipapython.Kerberos -which can't parse it. - -Look into the entry in validate_validate_auth_indicator() for -krbprincipalname in this case. - -https://pagure.io/freeipa/issue/8206 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/plugins/service.py | 5 +++++ - ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++ - 2 files changed, 16 insertions(+) - -diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py -index cfbbff3c6..498f5e444 100644 ---- a/ipaserver/plugins/service.py -+++ b/ipaserver/plugins/service.py -@@ -209,6 +209,11 @@ def validate_auth_indicator(entry): - # and shouldn't be allowed to have auth indicators. 
- # https://pagure.io/freeipa/issue/8206 - pkey = api.Object['service'].get_primary_key_from_dn(entry.dn) -+ if pkey == str(entry.dn): -+ # krbcanonicalname may not be set yet if this is a host entry, -+ # try krbprincipalname -+ if 'krbprincipalname' in entry: -+ pkey = entry['krbprincipalname'] - principal = kerberos.Principal(pkey) - server = api.Command.server_find(principal.hostname)['result'] - if server: -diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py -index 9cfde3565..ff50e796c 100644 ---- a/ipatests/test_xmlrpc/test_host_plugin.py -+++ b/ipatests/test_xmlrpc/test_host_plugin.py -@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test): - )): - command() - -+ def test_add_non_master_with_auth_ind(self, host5): -+ host5.ensure_missing() -+ command = host5.make_command( -+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'], -+ force=True -+ ) -+ result = command() -+ # The fact that the command succeeds exercises the change but -+ # let's check the indicator as well. -+ assert result['result']['krbprincipalauthind'] == ('radius',) -+ - - @pytest.mark.tier1 - class TestValidation(XMLRPC_test): --- -2.31.1 - diff --git a/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch b/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch deleted file mode 100644 index 3f83c40..0000000 --- a/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 16 Jul 2021 09:20:33 +0300 -Subject: [PATCH] rhel platform: add a named crypto-policy support - -RHEL 8+ provides bind system-wide crypto policy support, enable it. - -Fixes: https://pagure.io/freeipa/issue/8925 -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipaplatform/rhel/paths.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py -index c081ada32..3631550eb 100644 ---- a/ipaplatform/rhel/paths.py -+++ b/ipaplatform/rhel/paths.py -@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF - - - class RHELPathNamespace(RedHatPathNamespace): -+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config" - if HAS_NFS_CONF: - SYSCONFIG_NFS = '/etc/nfs.conf' - --- -2.31.1 - diff --git a/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch b/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch deleted file mode 100644 index 34b33c7..0000000 --- a/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 30 Aug 2021 16:44:47 -0400 -Subject: [PATCH] Catch and log errors when adding CA profiles - -Rather than stopping the installer entirely, catch and report -errors adding new certificate profiles, and remove the -broken profile entry from LDAP so it may be re-added later. - -It was discovered that installing a newer IPA that has the -ACME profile which requires sanToCNDefault will fail when -installing a new server against a very old one that lacks -this class. - -Running ipa-server-upgrade post-install will add the profile -and generate the missing ipa-ca SAN record so that ACME -can work. - -https://pagure.io/freeipa/issue/8974 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/cainstance.py | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 9e842b33e..8c8bf1b3a 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -1973,8 +1973,17 @@ def import_included_profiles(): - - # Create the profile, replacing any existing profile of same name - profile_data = __get_profile_config(profile_id) -- _create_dogtag_profile(profile_id, profile_data, overwrite=True) -- logger.debug("Imported profile '%s'", profile_id) -+ try: -+ _create_dogtag_profile(profile_id, profile_data, -+ overwrite=True) -+ except errors.HTTPRequestError as e: -+ logger.warning("Failed to import profile '%s': %s. Running " -+ "ipa-server-upgrade when installation is " -+ "completed may resolve this issue.", -+ profile_id, e) -+ conn.delete_entry(entry) -+ else: -+ logger.debug("Imported profile '%s'", profile_id) - else: - logger.debug( - "Profile '%s' is already in LDAP; skipping", profile_id --- -2.31.1 - 
diff --git a/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch b/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch deleted file mode 100644 index 14a8b03..0000000 --- a/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 30 Aug 2021 18:40:24 +0200 -Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo - -On aarch64, custodia creates AVC when accessing /proc/cpuinfo. - -According to gcrypt manual -(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html), -/proc/cpuinfo is used on ARM architecture to read the hardware -capabilities of the CPU. This explains why the issue happens only -on aarch64. - -audit2allow suggests to add the following: -allow ipa_custodia_t proc_t:file { getattr open read }; - -but this policy would be too broad. Instead, the patch is using -the interface kernel_read_system_state. - -Fixes: https://pagure.io/freeipa/issue/8972 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Christian Heimes ---- - selinux/ipa.te | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/selinux/ipa.te b/selinux/ipa.te -index 68e109419..7492fca04 100644 ---- a/selinux/ipa.te -+++ b/selinux/ipa.te -@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file }) - - kernel_dgram_send(ipa_custodia_t) - kernel_read_network_state(ipa_custodia_t) -+kernel_read_system_state(ipa_custodia_t) - - auth_read_passwd(ipa_custodia_t) - --- -2.31.1 - diff --git a/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch b/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch deleted file mode 100644 index e88902d..0000000 --- a/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Wed, 25 Aug 2021 17:10:29 +0200 -Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ - -If a client sends a request to lookup an object from a given trusted -domain by UID or GID and an object with matching ID is only found in a -different domain the extdom should return LDAP_NO_SUCH_OBJECT to -indicate to the client that the requested ID does not exists in the -given domain. - -Resolves: https://pagure.io/freeipa/issue/8965 -Reviewed-By: Rob Crittenden ---- - .../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c -index 5d97ff613..6f646b9f4 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c -@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, - if (strcasecmp(locat+1, domain_name) == 0 ) { - locat[0] = '\0'; - } else { -- ret = LDAP_INVALID_SYNTAX; -+ /* The found object is from a different domain than requested, -+ * that means it does not exist in the requested domain */ -+ ret = LDAP_NO_SUCH_OBJECT; - goto done; - } - } -@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type, - if (strcasecmp(locat+1, domain_name) == 0 ) { - locat[0] = '\0'; - } else { -- ret = LDAP_INVALID_SYNTAX; -+ /* The found object is from a different domain than requested, -+ * that means it does not exist in the requested domain */ -+ ret = LDAP_NO_SUCH_OBJECT; - goto done; - } - } --- -2.31.1 - diff --git a/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch b/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch deleted file mode 100644 index 8ea12a5..0000000 
--- a/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 7 Sep 2021 17:06:53 +0200 -Subject: [PATCH] migrate-ds: workaround to detect compat tree - -Migrate-ds needs to check if compat tree is enabled before -migrating users and groups. The check is doing a base -search on cn=compat,$SUFFIX and considers the compat tree -enabled when the entry exists. - -Due to a bug in slapi-nis, the base search may return NotFound -even though the compat tree is enabled. The workaround is to -perform a base search on cn=users,cn=compat,$SUFFIX instead. - -Fixes: https://pagure.io/freeipa/issue/8984 -Reviewed-By: Alexander Bokovoy ---- - ipaserver/plugins/migration.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py -index db5241915..6ee205fc8 100644 ---- a/ipaserver/plugins/migration.py -+++ b/ipaserver/plugins/migration.py -@@ -922,7 +922,8 @@ migration process might be incomplete\n''') - # check whether the compat plugin is enabled - if not options.get('compat'): - try: -- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn))) -+ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'), -+ (api.env.basedn))) - return dict(result={}, failed={}, enabled=True, compat=False) - except errors.NotFound: - pass --- -2.31.1 - diff --git a/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch b/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch deleted file mode 100644 index 450a75e..0000000 --- a/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Thu, 5 Aug 2021 20:03:21 +0530 -Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat - tree. - -Added test to verify that ldapsearch for compat tree -with scope base and sub is not failing. - -Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909 - -Signed-off-by: Anuja More -Reviewed-By: Mohammad Rizwan -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_commands.py | 13 +++++++++++++ - 1 file changed, 13 insertions(+) - -diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py -index 2035ced56..e3a0d867e 100644 ---- a/ipatests/test_integration/test_commands.py -+++ b/ipatests/test_integration/test_commands.py -@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest): - # Run the command again after cache is removed - self.master.run_command(['ipa', 'user-show', 'ipauser1']) - -+ def test_basesearch_compat_tree(self): -+ """Test ldapsearch against compat tree is working -+ -+ This to ensure that ldapsearch with base scope is not failing. -+ -+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909 -+ """ -+ tasks.kinit_admin(self.master) -+ base_dn = str(self.master.domain.basedn) -+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn) -+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub') -+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base') -+ - - class TestIPAautomount(IntegrationTest): - @classmethod --- -2.31.1 - -From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Thu, 5 Aug 2021 20:23:15 +0530 -Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora. - -slapi-nis with fix is not part of fedora yet. -test requires with fix: -https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177? 
- -Signed-off-by: Anuja More -Reviewed-By: Mohammad Rizwan -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_commands.py | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py -index e3a0d867e..4d9a81652 100644 ---- a/ipatests/test_integration/test_commands.py -+++ b/ipatests/test_integration/test_commands.py -@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA - from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert - from ipapython.ipautil import realm_to_suffix, ipa_generate_password - from ipaserver.install.installutils import realm_to_serverid -+from pkg_resources import parse_version - - logger = logging.getLogger(__name__) - -@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest): - - related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909 - """ -+ version = self.master.run_command( -+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"] -+ ) -+ if tasks.get_platform(self.master) == "fedora" and parse_version( -+ version.stdout_text) <= parse_version("0.56.7"): -+ pytest.skip("Test requires slapi-nis with fix on fedora") - tasks.kinit_admin(self.master) - base_dn = str(self.master.domain.basedn) - base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn) --- -2.31.1 - diff --git a/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch b/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch deleted file mode 100644 index a223c94..0000000 --- a/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch +++ /dev/null 
@@ -1,162 +0,0 @@ -From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001 -From: Anuja More -Date: Mon, 9 Aug 2021 20:57:22 +0530 -Subject: [PATCH] ipatests: Test unsecure nsupdate. - -The test configures an external bind server on the ipa-server -(not the IPA-embedded DNS server) that allows unauthenticated nsupdates. - -When the IPA client is registered using ipa-client-install, -DNS records are added for the client in the bind server using nsupdate. -The first try is using GSS-TIG but fails as expected, and the client -installer then tries with unauthenticated nsupdate. - -Related : https://pagure.io/freeipa/issue/8402 - -Signed-off-by: Anuja More -Reviewed-By: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - .../test_installation_client.py | 118 ++++++++++++++++++ - 1 file changed, 118 insertions(+) - -diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py -index fa59a5255..014b0f6ab 100644 ---- a/ipatests/test_integration/test_installation_client.py -+++ b/ipatests/test_integration/test_installation_client.py -@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install. 
- - from __future__ import absolute_import - -+import pytest -+import re - import shlex -+import textwrap - -+from ipaplatform.paths import paths - from ipatests.test_integration.base import IntegrationTest - from ipatests.pytest_ipa.integration import tasks -+from ipatests.pytest_ipa.integration.firewall import Firewall - - - class TestInstallClient(IntegrationTest): -@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest): - extra_args=['--ssh-trust-dns']) - result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config']) - assert 'HostKeyAlgorithms' not in result.stdout_text -+ -+ -+class TestClientInstallBind(IntegrationTest): -+ """ -+ The test configures an external bind server on the ipa-server -+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates. -+ When the IPA client is registered using ipa-client-install, -+ DNS records are added for the client in the bind server using nsupdate. -+ The first try is using GSS-TIG but fails as expected, and the client -+ installer then tries with unauthenticated nsupdate. 
-+ """ -+ -+ num_clients = 1 -+ -+ @classmethod -+ def install(cls, mh): -+ cls.client = cls.clients[0] -+ -+ @pytest.fixture -+ def setup_bindserver(self): -+ bindserver = self.master -+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF) -+ # create a zone in the BIND server that is identical to the IPA -+ add_zone = textwrap.dedent(""" -+ zone "{domain}" IN {{ type master; -+ file "{domain}.db"; allow-query {{ any; }}; -+ allow-update {{ any; }}; }}; -+ """).format(domain=bindserver.domain.name) -+ -+ namedcfg = bindserver.get_file_contents( -+ paths.NAMED_CONF, encoding='utf-8') -+ namedcfg += '\n' + add_zone -+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg) -+ -+ def update_contents(path, pattern, replace): -+ contents = bindserver.get_file_contents(path, encoding='utf-8') -+ namedcfg_query = re.sub(pattern, replace, contents) -+ bindserver.put_file_contents(path, namedcfg_query) -+ -+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;') -+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };", -+ "#listen-on port 53 { 127.0.0.1; };") -+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };", -+ "#listen-on-v6 port 53 { ::1; };") -+ -+ add_records = textwrap.dedent(""" -+ @ IN SOA {fqdn}. root.{domain}. ( -+ 1001 ;Serial -+ 3H ;Refresh -+ 15M ;Retry -+ 1W ;Expire -+ 1D ;Minimum 1D -+ ) -+ @ IN NS {fqdn}. -+ ns1 IN A {bindserverip} -+ _kerberos.{domain}. IN TXT {zoneupper} -+ {fqdn}. IN A {bindserverip} -+ ipa-ca.{domain}. IN A {bindserverip} -+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}. -+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}. -+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}. -+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}. -+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}. -+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}. -+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}. 
-+ """).format( -+ fqdn=bindserver.hostname, -+ domain=bindserver.domain.name, -+ bindserverip=bindserver.ip, -+ zoneupper=bindserver.domain.name.upper() -+ ) -+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name) -+ bindserver.put_file_contents(bindserverdb, add_records) -+ bindserver.run_command(['systemctl', 'start', 'named']) -+ Firewall(bindserver).enable_services(["dns"]) -+ yield -+ named_conf_backup.restore() -+ bindserver.run_command(['rm', '-rf', bindserverdb]) -+ -+ def test_client_nsupdate(self, setup_bindserver): -+ """Test secure nsupdate failed, then try unsecure nsupdate.. -+ -+ Test to verify when bind is configured with dynamic update policy, -+ and during client-install 'nsupdate -g' fails then it should run with -+ second call using unauthenticated nsupdate. -+ -+ Related : https://pagure.io/freeipa/issue/8402 -+ """ -+ # with pre-configured bind server, install ipa-server without dns. -+ tasks.install_master(self.master, setup_dns=False) -+ self.client.resolver.backup() -+ self.client.resolver.setup_resolver( -+ self.master.ip, self.master.domain.name) -+ try: -+ self.client.run_command(['ipa-client-install', '-U', -+ '--domain', self.client.domain.name, -+ '--realm', self.client.domain.realm, -+ '-p', self.client.config.admin_name, -+ '-w', self.client.config.admin_password, -+ '--server', self.master.hostname]) -+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed. -+ str1 = "nsupdate (GSS-TSIG) failed" -+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'" -+ client_log = self.client.get_file_contents( -+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8' -+ ) -+ assert str1 in client_log and str2 in client_log -+ dig_after = self.client.run_command( -+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname, -+ '-t', 'SSHFP']) -+ assert "ANSWER: 0" not in dig_after.stdout_text.strip() -+ finally: -+ self.client.resolver.restore() --- -2.31.1 - 
diff --git a/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch b/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch deleted file mode 100644 index 739e7c3..0000000 --- a/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 9 Sep 2021 15:26:55 -0400 -Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache - -usercertificate often has a subclass and both the plain and -subclassed (binary) values are queried. I'm concerned that -they are used more or less interchangably in places so not -caching these entries is the safest path forward for now until -we can dedicate the time to find all usages, determine their -safety and/or perhaps handle this gracefully within the cache -now. - -What we see in this bug is that usercertificate;binary holds the -first certificate value but a user-mod is done with -setattr usercertificate=. Since there is no -usercertificate value (remember, it's usercertificate;binary) -a replace is done and 389-ds wipes the existing value as we've -asked it to. - -I'm not comfortable with simply treating them the same because -in LDAP they are not. - -https://pagure.io/freeipa/issue/8986 - -Signed-off-by: Rob Crittenden -Reviewed-By: Francois Cami -Reviewed-By: Fraser Tweedale ---- - ipapython/ipaldap.py | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py -index f94b784d6..ced8f1bd6 100644 ---- a/ipapython/ipaldap.py -+++ b/ipapython/ipaldap.py -@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient): - entry=None, exception=None): - # idnsname - caching prevents delete when mod value to None - # cospriority - in a Class of Service object, uncacheable -- # TODO - usercertificate was banned at one point and I don't remember -- # why... 
-- BANNED_ATTRS = {'idnsname', 'cospriority'} -+ # usercertificate* - caching subtypes is tricky, trade less -+ # complexity for performance -+ # -+ # TODO: teach the cache about subtypes -+ -+ BANNED_ATTRS = { -+ 'idnsname', -+ 'cospriority', -+ 'usercertificate', -+ 'usercertificate;binary' -+ } - if not self._enable_cache: - return - --- -2.31.1 - -From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 10 Sep 2021 09:01:48 -0400 -Subject: [PATCH] ipatests: Test that a user can be issued multiple - certificates - -Prevent regressions in the LDAP cache layer that caused newly -issued certificates to overwrite existing ones. - -https://pagure.io/freeipa/issue/8986 - -Signed-off-by: Rob Crittenden -Reviewed-By: Francois Cami -Reviewed-By: Fraser Tweedale ---- - ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py -index 7d51b76ee..b4e85eadc 100644 ---- a/ipatests/test_integration/test_cert.py -+++ b/ipatests/test_integration/test_cert.py -@@ -16,6 +16,7 @@ import string - import time - - from ipaplatform.paths import paths -+from ipapython.dn import DN - from cryptography import x509 - from cryptography.x509.oid import ExtensionOID - from cryptography.hazmat.backends import default_backend -@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest): - ) - assert "profile: caServerCert" in result.stdout_text - -+ def test_multiple_user_certificates(self): -+ """Test that a user may be issued multiple certificates""" -+ ldap = self.master.ldap_connect() -+ -+ user = 'user1' -+ -+ tasks.kinit_admin(self.master) -+ tasks.user_add(self.master, user) -+ -+ for id in (0,1): -+ csr_file = f'{id}.csr' -+ key_file = f'{id}.key' -+ cert_file = f'{id}.crt' -+ openssl_cmd = [ -+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file, -+ '-nodes', '-out', csr_file, 
'-subj', '/CN=' + user] -+ self.master.run_command(openssl_cmd) -+ -+ cmd_args = ['ipa', 'cert-request', '--principal', user, -+ '--certificate-out', cert_file, csr_file] -+ self.master.run_command(cmd_args) -+ -+ # easier to count by pulling the LDAP entry -+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'), -+ ('cn', 'accounts'), self.master.domain.basedn)) -+ -+ assert len(entry.get('usercertificate')) == 2 -+ - @pytest.fixture - def test_subca_certs(self): - """ --- -2.31.1 - diff --git a/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch new file mode 100644 index 0000000..48bb8e0 --- /dev/null +++ b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch 
@@ -0,0 +1,122 @@
+From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Fri, 26 Nov 2021 11:13:51 +0200
+Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
+ MS-SFU updates
+
+New versions of MS-KILE and MS-SFU after Windows Server November 2021
+security updates add PAC_REQUESTER_SID buffer check behavior:
+
+ - PAC_REQUESTER_SID should only be added for TGT requests
+
+ - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
+ the ticket resolves to the account with the same SID as the
+ PAC_REQUESTER_SID. If it doesn't KDC must respond with
+ KDC_ERR_TKT_REVOKED
+
+Change requester SID check to skip exact check for non-local
+PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
+we know about.
+
+If requester SID is the same as in PAC, we already do cname vs PAC SID
+verification.
+
+With these changes FreeIPA works against Windows Server 2019 with
+November 2021 security fixes in cross-realm S4U2Self operations.
+
+Fixes: https://pagure.io/freeipa/issue/9031
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-By: Rob Crittenden
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 538cfbba9..1b972c167 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+ "local [%s], PAC [%s]",
+ dom ? dom : "",
+ sid ? 
 sid : "");
+- return KRB5KDC_ERR_POLICY;
++ return KRB5KDC_ERR_TGT_REVOKED;
+ }
+ }
+
+@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+ kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
+ if (kerr != 0) {
+ krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
+- return KRB5KDC_ERR_POLICY;
++ return KRB5KDC_ERR_TGT_REVOKED;
+ }
+
+ ied = (struct ipadb_e_data *)client_actual->e_data;
+@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+ "local [%s] vs PAC [%s]",
+ local_sid ? local_sid : "",
+ pac_sid ? pac_sid : "");
+- kerr = KRB5KDC_ERR_POLICY;
++ kerr = KRB5KDC_ERR_TGT_REVOKED;
+ goto done;
+ }
+
+@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
+ /* Check that requester SID is the same as in the PAC entry */
+ if (requester_sid != NULL) {
+ struct dom_sid client_sid;
++ bool is_from_trusted_domain = false;
+ kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
+ if (kerr) {
+ goto done;
+ }
+ result = dom_sid_check(&client_sid, requester_sid, true);
+ if (!result) {
+- /* memctx is freed by the caller */
+- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
+- char *req_sid = dom_sid_string(tmpctx, requester_sid);
+- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
+- "different from what PAC requester claims. "
+- "PAC [%s] vs PAC requester [%s]",
+- pac_sid ? pac_sid : "",
+- req_sid ? 
 req_sid : "");
+- kerr = KRB5KDC_ERR_POLICY;
+- goto done;
++ struct ipadb_context *ipactx = ipadb_get_context(context);
++ if (!ipactx || !ipactx->mspac) {
++ return KRB5_KDB_DBNOTINITED;
++ }
++ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
++ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
++ /* Iterate through list of trusts and check if this SID belongs to
++ * one of the domains we trust */
++ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
++ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
++ requester_sid, false);
++ if (result) {
++ is_from_trusted_domain = true;
++ break;
++ }
++ }
++ }
++
++ if (!is_from_trusted_domain) {
++ /* memctx is freed by the caller */
++ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
++ char *req_sid = dom_sid_string(tmpctx, requester_sid);
++ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
++ "different from what PAC requester claims. "
++ "PAC [%s] vs PAC requester [%s]",
++ pac_sid ? pac_sid : "",
++ req_sid ? req_sid : "");
++ kerr = KRB5KDC_ERR_TGT_REVOKED;
++ goto done;
++ }
+ }
+ }
+
+--
+2.31.1
+
diff --git a/SOURCES/freeipa-4.9.6.tar.gz.asc b/SOURCES/freeipa-4.9.6.tar.gz.asc
deleted file mode 100644
index f71d351..0000000
--- a/SOURCES/freeipa-4.9.6.tar.gz.asc
+++ /dev/null
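Review bot: The `return KRB5_KDB_DBNOTINITED;` added under the `!ipactx || !ipactx->mspac` guard leaves ipadb_check_logon_info through a bare return, whereas every other error exit in this hunk sets `kerr` and jumps to `done`, and `tmpctx` is in use on both sides of the guard; if the `done:` label releases tmpctx or other per-call state (not visible here), this path skips it. Writing it as `kerr = KRB5_KDB_DBNOTINITED; goto done;` keeps the exit path uniform with the surrounding code. The trust loop compares requester_sid against each entry's top-level `domsid` only; a short comment stating whether child domains of a forest trust are expected to appear in `mspac->trusts` would tell the next reader that this is deliberate rather than an oversight. ipadb_check_logon_info begins and ends outside the inner hunk.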
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/ -Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN -1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w -qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO -J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5 -Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX -liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1 -BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou -BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw -u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr -4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+ -RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY= -=TQFs ------END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.9.8.tar.gz.asc b/SOURCES/freeipa-4.9.8.tar.gz.asc new file mode 100644 index 0000000..c14420c --- /dev/null +++ b/SOURCES/freeipa-4.9.8.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi +00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe +MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM +XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q +E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp +q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6 +BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA +CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C +UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi +q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy +urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo +w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg= +=t9up +-----END PGP SIGNATURE----- diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index d45b5f0..a237a9b 100644 
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -68,8 +68,8 @@
 %global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
-# Require 4.7.0 which brings Python 3 bindings
-%global samba_version 4.12.3-12
+# Require 4.14.5-13 which brings CVE-2020-25717 fixes
+%global samba_version 4.14.5-13
 %global selinux_policy_version 3.14.3-52
 %global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
@@ -92,9 +92,9 @@
 %global krb5_version 1.18.2-29
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
-# Require 4.7.0 which brings Python 3 bindings
-# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
-%global samba_version 2:4.12.10
+
+# Require 4.14.6 which brings CVE-2020-25717 fixes
+%global samba_version 2:4.14.6
 # 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
 %global selinux_policy_version 3.14.5-45
@@ -178,7 +178,7 @@
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.6
+%define IPA_VERSION 4.9.8
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@@ -191,7 +191,7 @@
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 6%{?rc_version:.%rc_version}%{?dist}
+Release: 2%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 License: GPLv3+
@@ -211,23 +211,12 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
-Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
-Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
-Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
-Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
-Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
-Patch0006: 0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
-Patch0007: 0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
-Patch0008: 0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
-Patch0009: 0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
-Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
-Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
-Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
-Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
+Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
 # RHEL spec file only: END
+Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
 # For the timestamp trick in patch application
 BuildRequires: diffstat
@@ -471,6 +460,8 @@ Requires: gssproxy >= 0.7.0-2
 Requires: sssd-dbus >= %{sssd_version}
 Requires: libpwquality
 Requires: cracklib-dicts
+# NDR libraries are internal in Samba and change with version without changing SONAME
+Requires: samba-client-libs >= %{samba_version}
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
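Review bot: `Patch1101` is declared after `# RHEL spec file only: END`, outside the `%if %{NON_DEVELOPER_BUILD}` / `%if 0%{?rhel} >= 8` guard that wraps Patch0001 and Patch1001, so unlike those it is applied in every build configuration, including developer builds from a source tree that may already contain the upstream fix. If that is intended, a one-line comment above it such as `# Applied to all builds: KDC PAC requester-SID hardening backport` would make the asymmetry deliberate; otherwise it belongs inside the guard.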
@@ -1370,6 +1361,7 @@ fi
 %{_libexecdir}/ipa/ipa-pki-wait-running
 %{_libexecdir}/ipa/ipa-otpd
 %{_libexecdir}/ipa/ipa-print-pac
+%{_libexecdir}/ipa/ipa-subids
 %dir %{_libexecdir}/ipa/custodia
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
@@ -1377,6 +1369,7 @@ fi
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
 %dir %{_libexecdir}/ipa/oddjob
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
+%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
 %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
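Review bot: The new helper `%{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid` is packaged 0755 root and will be run by oddjobd with root privileges on a D-Bus request, yet the two files that decide who may trigger it, `%{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf` and `%{_sysconfdir}/oddjobd.conf.d/ipa-server.conf`, are `%config(noreplace)` three lines below. On a host where an administrator has edited either file, the upgrade writes the new helper's D-Bus policy and oddjob definition to `.rpmnew` (assuming they live in those files, which this hunk does not show), so the helper is not callable until the admin merges them and the access rule for a new root-executing action goes unreviewed. A changelog line or a `%post` message pointing at the `.rpmnew`, or shipping the per-helper definition in a separate file that is not `noreplace`, would close that gap. The `%files` list this hunk belongs to starts and ends outside the hunk.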
@@ -1709,21 +1702,40 @@ fi
 %changelog
-* Fri Sep 17 2021 Thomas Woerner - 4.9.6-6
-- Don't store entries with a usercertificate in the LDAP cache
- Resolves: RHBZ#1999893
+* Fri Dec 10 2021 Rafael Jeffman - 4.9.8-2
+- Revert bind-pkcs11-utils configuration in freeipa.spec. Resolves: RHBZ#2026732
-* Mon Sep 13 2021 Thomas Woerner - 4.9.6-5
-- Catch and log errors when adding CA profiles
- Resolves: RHBZ#1999142
-- selinux policy: allow custodia to access /proc/cpuinfo
- Resolves: RHBZ#1998129
-- extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
- Resolves: RHBZ#2000263
-- ipa migrate-ds command fails to warn when compat plugin is enabled
- Resolves: RHBZ#1999992
-- Backport latest test fixes in python3-ipatests
- Resolves: RHBZ#2000553
+* Tue Nov 30 2021 Rafael Jeffman - 4.9.8-1
+- Upstream release FreeIPA 4.9.8
+ Related: RHBZ#2015607
+- Hardening for CVE-2020-25717
+
+* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-9.1
+- Fix S4U2Self regression for cross-realm requester SID buffer
+- Related: RHBZ#2021443
+
+* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-9
+- Require samba 4.14.5-13 with IPA DC server role fixes
+- Related: RHBZ#2021443
+
+* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-8
+- Add versioned dependency of samba-client-libs to ipa-server
+- Related: RHBZ#2021443
+
+* Thu Nov 11 2021 Alexander Bokovoy - 4.9.6-7
+- Hardening for CVE-2020-25717
+- Harden processing of trusted domains' users in S4U operations
+- Resolves: RHBZ#2021443
+
+* Wed Nov 10 2021 Alexander Bokovoy - 4.9.6-6
+- Hardening for CVE-2020-25717
+- Rebuild against samba-4.14.5-11.el8
+- Resolves: RHBZ#2021443
+
+* Sun Nov 07 2021 Alexander Bokovoy - 4.9.6-5
+- Hardening for CVE-2020-25717
+- Related: RHBZ#2019668
 * Thu Jul 22 2021 Thomas Woerner - 4.9.6-4
 - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
