import ipa-4.9.8-2.module+el8.6.0+13645+f14f0cc3

This commit is contained in:
CentOS Sources 2021-12-17 20:50:04 +00:00 committed by Stepan Oksanichenko
parent c083723f7d
commit 99dc8ae968
20 changed files with 256 additions and 1239 deletions

2
.gitignore vendored
View File

@ -1 +1 @@
SOURCES/freeipa-4.9.6.tar.gz
SOURCES/freeipa-4.9.8.tar.gz

View File

@ -1 +1 @@
b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz

View File

@ -0,0 +1,70 @@
From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
From: Rafael Guterres Jeffman <rjeffman@redhat.com>
Date: Fri, 10 Dec 2021 12:15:36 -0300
Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
---
freeipa.spec.in | 4 +---
ipaplatform/base/paths.py | 2 +-
ipaplatform/fedora/paths.py | 1 +
ipaserver/dnssec/bindmgr.py | 1 -
4 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 8f5c370e5..e20edb7bc 100755
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 11.2-2
Requires: bind >= %{bind_version}
Requires: bind-utils >= %{bind_version}
-# bind-dnssec-utils is required by the OpenDNSSec integration
-# https://pagure.io/freeipa/issue/9026
-Requires: bind-dnssec-utils >= %{bind_version}
%if %{with bind_pkcs11}
Requires: bind-pkcs11 >= %{bind_version}
+Requires: bind-pkcs11-utils >= %{bind_version}
%else
Requires: softhsm >= %{softhsm_version}
Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 7d21367ec..42a47f1df 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -259,7 +259,7 @@ class BasePathNamespace:
IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
GETSEBOOL = "/usr/sbin/getsebool"
GROUPADD = "/usr/sbin/groupadd"
USERMOD = "/usr/sbin/usermod"
diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
index 4e993c063..92a948966 100644
--- a/ipaplatform/fedora/paths.py
+++ b/ipaplatform/fedora/paths.py
@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
paths = FedoraPathNamespace()
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index 0c79cc03d..a15c0e601 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -127,7 +127,6 @@ class BINDMgr:
)
cmd = [
paths.DNSSEC_KEYFROMLABEL,
- '-E', 'pkcs11',
'-K', workdir,
'-a', attrs['idnsSecAlgorithm'][0],
'-l', uri
--
2.31.1

View File

@ -1,136 +0,0 @@
From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 22 Jun 2021 14:36:51 +0200
Subject: [PATCH] paths: add IPA_SERVER_CONF
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaplatform/base/paths.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index 91423b332..de217d9ef 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -71,6 +71,7 @@ class BasePathNamespace:
IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
+ IPA_SERVER_CONF = "/etc/ipa/server.conf"
DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
--
2.31.1
From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Tue, 22 Jun 2021 14:45:49 +0200
Subject: [PATCH] ipatests: smoke test for server debug mode.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add a smoke test to make sure the server can be set in debug mode
without issue.
Related: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../test_integration/test_installation.py | 27 +++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index 301767b8d..0c96536f0 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
def test_install_master(self):
tasks.install_master(self.master, setup_dns=False)
+ @pytest.mark.skip_if_platform(
+ "debian", reason="This test hardcodes the httpd service name"
+ )
+ def test_smoke_test_for_debug_mode(self):
+ """Test if an IPA server works in debug mode.
+ Related: https://pagure.io/freeipa/issue/8891
+
+ Note: this test hardcodes the "httpd" service name.
+ """
+
+ target_fname = paths.IPA_SERVER_CONF
+ assert not self.master.transport.file_exists(target_fname)
+
+ # set the IPA server in debug mode
+ server_conf = "[global]\ndebug=True"
+ self.master.put_file_contents(target_fname, server_conf)
+ self.master.run_command(["systemctl", "restart", "httpd"])
+
+ # smoke test in debug mode
+ tasks.kdestroy_all(self.master)
+ tasks.kinit_admin(self.master)
+ self.master.run_command(["ipa", "user-show", "admin"])
+
+ # rollback
+ self.master.run_command(["rm", target_fname])
+ self.master.run_command(["systemctl", "restart", "httpd"])
+
def test_schema_compat_attribute_and_tree_disable(self):
"""Test if schema-compat-entry-attribute is set
--
2.31.1
From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
Date: Wed, 23 Jun 2021 06:35:19 +0200
Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
perf_counter_ns is only available in Python 3.7 and later.
Define a lambda for 3.6 and lower.
Fixes: https://pagure.io/freeipa/issue/8891
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
ipaserver/rpcserver.py | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index b121316bf..e612528e0 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -31,6 +31,7 @@ import os
import time
import traceback
from io import BytesIO
+from sys import version_info
from urllib.parse import parse_qs
from xmlrpc.client import Fault
@@ -72,6 +73,10 @@ from requests.auth import AuthBase
if six.PY3:
unicode = str
+# time.perf_counter_ns appeared in Python 3.7.
+if version_info < (3, 7):
+ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
+
logger = logging.getLogger(__name__)
HTTP_STATUS_SUCCESS = '200 Success'
--
2.31.1

View File

@ -1,272 +0,0 @@
From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:15:50 +0100
Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
services
Authentication indicators should not be enforced against internal
IPA services, since not all users of those services are able to produce
Kerberos tickets with all the auth indicator options. This includes
host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
If a client that is being promoted to replica has an auth indicator
in its host principal then the promotion is aborted.
Fixes: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
ipaserver/install/server/replicainstall.py | 13 ++++++++++++
ipaserver/plugins/host.py | 5 ++++-
ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
3 files changed, 41 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
index 73967a224..f1fb91036 100644
--- a/ipaserver/install/server/replicainstall.py
+++ b/ipaserver/install/server/replicainstall.py
@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
))
+def promotion_check_host_principal_auth_ind(conn, hostdn):
+ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
+ if 'krbprincipalauthind' in entry:
+ raise RuntimeError(
+ "Client cannot be promoted to a replica if the host principal "
+ "has an authentication indicator set."
+ )
+
+
@common_cleanup
@preserve_enrollment_state
def promote_check(installer):
@@ -956,6 +965,10 @@ def promote_check(installer):
config.master_host_name, None)
promotion_check_ipa_domain(conn, remote_api.env.basedn)
+ hostdn = DN(('fqdn', api.env.host),
+ api.env.container_host,
+ api.env.basedn)
+ promotion_check_host_principal_auth_ind(conn, hostdn)
# Make sure that domain fulfills minimal domain level
# requirement
diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
index eb1f8ef04..41fa933e2 100644
--- a/ipaserver/plugins/host.py
+++ b/ipaserver/plugins/host.py
@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
LDAPAddAttributeViaOption,
LDAPRemoveAttributeViaOption)
from .service import (
- validate_realm, normalize_principal,
+ validate_realm, validate_auth_indicator, normalize_principal,
set_certificate_attrs, ticket_flags_params, update_krbticketflags,
set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
rename_ipaallowedtoperform_to_ldap, revoke_certs)
@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
if 'krbticketflags' in entry_attrs:
entry_attrs['objectclass'].append('krbticketpolicyaux')
+ validate_auth_indicator(entry_attrs)
+
return dn
def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
if 'krbprincipalaux' not in (item.lower() for item in
entry_attrs['objectclass']):
entry_attrs['objectclass'].append('krbprincipalaux')
+ validate_auth_indicator(entry_attrs)
add_sshpubkey_to_attrs_pre(self.context, attrs_list)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index 1c9347804..cfbbff3c6 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
raise errors.RealmMismatch()
+def validate_auth_indicator(entry):
+ new_value = entry.get('krbprincipalauthind', None)
+ if not new_value:
+ return
+ # The following services are considered internal IPA services
+ # and shouldn't be allowed to have auth indicators.
+ # https://pagure.io/freeipa/issue/8206
+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ principal = kerberos.Principal(pkey)
+ server = api.Command.server_find(principal.hostname)['result']
+ if server:
+ prefixes = ("host", "cifs", "ldap", "HTTP")
+ else:
+ prefixes = ("cifs",)
+ if principal.service_name in prefixes:
+ raise errors.ValidationError(
+ name='krbprincipalauthind',
+ error=_('authentication indicators not allowed '
+ 'in service "%s"' % principal.service_name)
+ )
+
+
def normalize_principal(value):
"""
Ensure that the name in the principal is lower-case. The realm is
@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
hostname)
self.obj.validate_ipakrbauthzdata(entry_attrs)
+ validate_auth_indicator(entry_attrs)
if not options.get('force', False):
# We know the host exists if we've gotten this far but we
@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
assert isinstance(dn, DN)
self.obj.validate_ipakrbauthzdata(entry_attrs)
+ validate_auth_indicator(entry_attrs)
# verify certificates
certs = entry_attrs.get('usercertificate') or []
--
2.31.1
From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
From: Antonio Torres <antorres@redhat.com>
Date: Mon, 8 Mar 2021 18:20:35 +0100
Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
IPA services
Authentication indicators should not be added to internal IPA services,
since this can lead to a broken IPA setup. In case a client with
an auth indicator set in its host principal, promoting it to a replica
should fail.
Related: https://pagure.io/freeipa/issue/8206
Signed-off-by: Antonio Torres <antorres@redhat.com>
---
.../test_replica_promotion.py | 38 +++++++++++++++++++
ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
3 files changed, 69 insertions(+)
diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
index 0a137dbdc..b9c56f775 100644
--- a/ipatests/test_integration/test_replica_promotion.py
+++ b/ipatests/test_integration/test_replica_promotion.py
@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
assert result.returncode == 1
assert expected_err in result.stderr_text
+ @replicas_cleanup
+ def test_install_with_host_auth_ind_set(self):
+ """ A client shouldn't be able to be promoted if it has
+ any auth indicator set in the host principal.
+ https://pagure.io/freeipa/issue/8206
+ """
+
+ client = self.replicas[0]
+ # Configure firewall first
+ Firewall(client).enable_services(["freeipa-ldap",
+ "freeipa-ldaps"])
+
+ client.run_command(['ipa-client-install', '-U',
+ '--domain', self.master.domain.name,
+ '--realm', self.master.domain.realm,
+ '-p', 'admin',
+ '-w', self.master.config.admin_password,
+ '--server', self.master.hostname,
+ '--force-join'])
+
+ tasks.kinit_admin(client)
+
+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
+ client.hostname])
+
+ res = client.run_command(['ipa-replica-install', '-U', '-w',
+ self.master.config.dirman_password],
+ raiseonerr=False)
+
+ client.run_command(['ipa', 'host-mod', '--auth-ind=',
+ client.hostname])
+
+ expected_err = ("Client cannot be promoted to a replica if the host "
+ "principal has an authentication indicator set.")
+ assert res.returncode == 1
+ assert expected_err in res.stderr_text
+
+
@replicas_cleanup
def test_one_command_installation(self):
"""
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index c66bbc865..9cfde3565 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
error=u'An IPA master host cannot be deleted or disabled')):
command()
+ def test_try_add_auth_ind_master(self, this_host):
+ command = this_host.make_update_command({
+ u'krbprincipalauthind': u'radius'})
+ with raises_exact(errors.ValidationError(
+ name='krbprincipalauthind',
+ error=u'authentication indicators not allowed '
+ 'in service "host"'
+ )):
+ command()
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
index 4c845938c..ed634a045 100644
--- a/ipatests/test_xmlrpc/test_service_plugin.py
+++ b/ipatests/test_xmlrpc/test_service_plugin.py
@@ -25,6 +25,7 @@ from ipalib import api, errors
from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
from ipatests.test_xmlrpc import objectclasses
from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
@@ -1552,6 +1553,15 @@ def indicators_host(request):
return tracker.make_fixture(request)
+@pytest.fixture(scope='function')
+def this_host(request):
+ """Fixture for the current master"""
+ tracker = HostTracker(name=api.env.host.partition('.')[0],
+ fqdn=api.env.host)
+ tracker.exists = True
+ return tracker
+
+
@pytest.fixture(scope='function')
def indicators_service(request):
tracker = ServiceTracker(
@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
expected_updates={u'krbprincipalauthind': [u'radius']}
)
+ def test_update_indicator_internal_service(self, this_host):
+ command = this_host.make_command('service_mod',
+ 'ldap/' + this_host.fqdn,
+ **dict(krbprincipalauthind='otp'))
+ with raises_exact(errors.ValidationError(
+ name='krbprincipalauthind',
+ error=u'authentication indicators not allowed '
+ 'in service "ldap"'
+ )):
+ command()
+
@pytest.fixture(scope='function')
def managing_host(request):
--
2.31.1

View File

@ -1,89 +0,0 @@
From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 5 Jul 2021 09:51:41 +0200
Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
The command
ipa stageuser-add --user-auth-type=xxx
is currently failing because the objectclass ipauserauthtypeclass
is missing from the created entry.
There is code adding the missing objectclass in the
pre_common_callback method of user_add, and this code should
be common to user_add and stageuser_add. In order to avoid code
duplication, it makes more sense to move the existing code to
pre_common_callback of baseuser_add, that is called by both
classes.
Fixes: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/baseuser.py | 3 +++
ipaserver/plugins/user.py | 4 ----
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
index ae16a978a..6035228f1 100644
--- a/ipaserver/plugins/baseuser.py
+++ b/ipaserver/plugins/baseuser.py
@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
if entry_attrs.get('ipatokenradiususername', None):
add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
entry_attrs, update=False)
+ if entry_attrs.get('ipauserauthtype', None):
+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
+ entry_attrs, update=False)
def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
assert isinstance(dn, DN)
diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
index 6f7facb53..e4ee572b2 100644
--- a/ipaserver/plugins/user.py
+++ b/ipaserver/plugins/user.py
@@ -617,10 +617,6 @@ class user_add(baseuser_add):
'ipauser' not in entry_attrs['objectclass']:
entry_attrs['objectclass'].append('ipauser')
- if 'ipauserauthtype' in entry_attrs and \
- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
- entry_attrs['objectclass'].append('ipauserauthtypeclass')
-
rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
if rcl:
if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
--
2.31.1
From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 5 Jul 2021 10:22:31 +0200
Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
Related: https://pagure.io/freeipa/issue/8909
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
index 5586fc607..bc606b093 100644
--- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
result = command()
assert result['count'] == 1
+ def test_create_withuserauthtype(self, stageduser):
+ stageduser.ensure_missing()
+ command = stageduser.make_create_command(
+ options={u'ipauserauthtype': u'password'})
+ command()
+
@pytest.mark.tier1
class TestCreateInvalidAttributes(XMLRPC_test):
--
2.31.1

View File

@ -1,35 +0,0 @@
From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 7 Jul 2021 14:11:40 +0200
Subject: [PATCH] man page: update ipa-server-upgrade.1
The man page needs to clarify in which case the command needs
to be run.
Fixes: https://pagure.io/freeipa/issue/8913
Reviewed-By: Francois Cami <fcami@redhat.com>
---
install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
index 3db19b0f1..f01e21c6b 100644
--- a/install/tools/man/ipa-server-upgrade.1
+++ b/install/tools/man/ipa-server-upgrade.1
@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
.SH "SYNOPSIS"
ipa\-server\-upgrade [options]
.SH "DESCRIPTION"
-ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
+the IPA packages are being updated. It is not intended to be executed by
+end\-users, unless the automatic execution reports an error. In this case,
+the administrator needs to identify and fix the issue that is causing the
+upgrade failure (with the help of /var/log/ipaupgrade.log)
+and manually re\-run ipa\-server\-upgrade.
ipa\-server\-upgrade will:
--
2.31.1

View File

@ -1,69 +0,0 @@
From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 12 Jul 2021 11:02:10 -0400
Subject: [PATCH] Fall back to krbprincipalname when validating host auth
indicators
When adding a new host the principal cannot be determined because it
relies on either:
a) an entry to already exist
b) krbprincipalname be a component of the dn
As a result the full dn is being passed into ipapython.Kerberos
which can't parse it.
Look into the entry in validate_validate_auth_indicator() for
krbprincipalname in this case.
https://pagure.io/freeipa/issue/8206
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/plugins/service.py | 5 +++++
ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
2 files changed, 16 insertions(+)
diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
index cfbbff3c6..498f5e444 100644
--- a/ipaserver/plugins/service.py
+++ b/ipaserver/plugins/service.py
@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
# and shouldn't be allowed to have auth indicators.
# https://pagure.io/freeipa/issue/8206
pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
+ if pkey == str(entry.dn):
+ # krbcanonicalname may not be set yet if this is a host entry,
+ # try krbprincipalname
+ if 'krbprincipalname' in entry:
+ pkey = entry['krbprincipalname']
principal = kerberos.Principal(pkey)
server = api.Command.server_find(principal.hostname)['result']
if server:
diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
index 9cfde3565..ff50e796c 100644
--- a/ipatests/test_xmlrpc/test_host_plugin.py
+++ b/ipatests/test_xmlrpc/test_host_plugin.py
@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
)):
command()
+ def test_add_non_master_with_auth_ind(self, host5):
+ host5.ensure_missing()
+ command = host5.make_command(
+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
+ force=True
+ )
+ result = command()
+ # The fact that the command succeeds exercises the change but
+ # let's check the indicator as well.
+ assert result['result']['krbprincipalauthind'] == ('radius',)
+
@pytest.mark.tier1
class TestValidation(XMLRPC_test):
--
2.31.1

View File

@ -1,30 +0,0 @@
From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 16 Jul 2021 09:20:33 +0300
Subject: [PATCH] rhel platform: add a named crypto-policy support
RHEL 8+ provides bind system-wide crypto policy support, enable it.
Fixes: https://pagure.io/freeipa/issue/8925
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Anuja More <amore@redhat.com>
---
ipaplatform/rhel/paths.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
index c081ada32..3631550eb 100644
--- a/ipaplatform/rhel/paths.py
+++ b/ipaplatform/rhel/paths.py
@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
class RHELPathNamespace(RedHatPathNamespace):
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
if HAS_NFS_CONF:
SYSCONFIG_NFS = '/etc/nfs.conf'
--
2.31.1

View File

@ -1,53 +0,0 @@
From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Mon, 30 Aug 2021 16:44:47 -0400
Subject: [PATCH] Catch and log errors when adding CA profiles
Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.
It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.
Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.
https://pagure.io/freeipa/issue/8974
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/install/cainstance.py | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index 9e842b33e..8c8bf1b3a 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1973,8 +1973,17 @@ def import_included_profiles():
# Create the profile, replacing any existing profile of same name
profile_data = __get_profile_config(profile_id)
- _create_dogtag_profile(profile_id, profile_data, overwrite=True)
- logger.debug("Imported profile '%s'", profile_id)
+ try:
+ _create_dogtag_profile(profile_id, profile_data,
+ overwrite=True)
+ except errors.HTTPRequestError as e:
+ logger.warning("Failed to import profile '%s': %s. Running "
+ "ipa-server-upgrade when installation is "
+ "completed may resolve this issue.",
+ profile_id, e)
+ conn.delete_entry(entry)
+ else:
+ logger.debug("Imported profile '%s'", profile_id)
else:
logger.debug(
"Profile '%s' is already in LDAP; skipping", profile_id
--
2.31.1

View File

@ -1,41 +0,0 @@
From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 30 Aug 2021 18:40:24 +0200
Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.
audit2allow suggests to add the following:
allow ipa_custodia_t proc_t:file { getattr open read };
but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.
Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index 68e109419..7492fca04 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
kernel_dgram_send(ipa_custodia_t)
kernel_read_network_state(ipa_custodia_t)
+kernel_read_system_state(ipa_custodia_t)
auth_read_passwd(ipa_custodia_t)
--
2.31.1

View File

@ -1,46 +0,0 @@
From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 25 Aug 2021 17:10:29 +0200
Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exists in the
given domain.
Resolves: https://pagure.io/freeipa/issue/8965
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
index 5d97ff613..6f646b9f4 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_INVALID_SYNTAX;
+ /* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
if (strcasecmp(locat+1, domain_name) == 0 ) {
locat[0] = '\0';
} else {
- ret = LDAP_INVALID_SYNTAX;
+ /* The found object is from a different domain than requested,
+ * that means it does not exist in the requested domain */
+ ret = LDAP_NO_SUCH_OBJECT;
goto done;
}
}
--
2.31.1

View File

@ -1,37 +0,0 @@
From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Tue, 7 Sep 2021 17:06:53 +0200
Subject: [PATCH] migrate-ds: workaround to detect compat tree
Migrate-ds needs to check if compat tree is enabled before
migrating users and groups. The check is doing a base
search on cn=compat,$SUFFIX and considers the compat tree
enabled when the entry exists.
Due to a bug in slapi-nis, the base search may return NotFound
even though the compat tree is enabled. The workaround is to
perform a base search on cn=users,cn=compat,$SUFFIX instead.
Fixes: https://pagure.io/freeipa/issue/8984
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/migration.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
index db5241915..6ee205fc8 100644
--- a/ipaserver/plugins/migration.py
+++ b/ipaserver/plugins/migration.py
@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
# check whether the compat plugin is enabled
if not options.get('compat'):
try:
- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
+ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
+ (api.env.basedn)))
return dict(result={}, failed={}, enabled=True, compat=False)
except errors.NotFound:
pass
--
2.31.1

View File

@ -1,89 +0,0 @@
From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:03:21 +0530
Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
tree.
Added test to verify that ldapsearch for compat tree
with scope base and sub is not failing.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index 2035ced56..e3a0d867e 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
# Run the command again after cache is removed
self.master.run_command(['ipa', 'user-show', 'ipauser1'])
+ def test_basesearch_compat_tree(self):
+ """Test ldapsearch against compat tree is working
+
+ This to ensure that ldapsearch with base scope is not failing.
+
+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
+ """
+ tasks.kinit_admin(self.master)
+ base_dn = str(self.master.domain.basedn)
+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
+
class TestIPAautomount(IntegrationTest):
@classmethod
--
2.31.1
From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Thu, 5 Aug 2021 20:23:15 +0530
Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
slapi-nis with fix is not part of fedora yet.
test requires with fix:
https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipatests/test_integration/test_commands.py | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
index e3a0d867e..4d9a81652 100644
--- a/ipatests/test_integration/test_commands.py
+++ b/ipatests/test_integration/test_commands.py
@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
from ipapython.ipautil import realm_to_suffix, ipa_generate_password
from ipaserver.install.installutils import realm_to_serverid
+from pkg_resources import parse_version
logger = logging.getLogger(__name__)
@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
"""
+ version = self.master.run_command(
+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
+ )
+ if tasks.get_platform(self.master) == "fedora" and parse_version(
+ version.stdout_text) <= parse_version("0.56.7"):
+ pytest.skip("Test requires slapi-nis with fix on fedora")
tasks.kinit_admin(self.master)
base_dn = str(self.master.domain.basedn)
base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
--
2.31.1

View File

@ -1,162 +0,0 @@
From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
From: Anuja More <amore@redhat.com>
Date: Mon, 9 Aug 2021 20:57:22 +0530
Subject: [PATCH] ipatests: Test unsecure nsupdate.
The test configures an external bind server on the ipa-server
(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
When the IPA client is registered using ipa-client-install,
DNS records are added for the client in the bind server using nsupdate.
The first try is using GSS-TIG but fails as expected, and the client
installer then tries with unauthenticated nsupdate.
Related : https://pagure.io/freeipa/issue/8402
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
.../test_installation_client.py | 118 ++++++++++++++++++
1 file changed, 118 insertions(+)
diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
index fa59a5255..014b0f6ab 100644
--- a/ipatests/test_integration/test_installation_client.py
+++ b/ipatests/test_integration/test_installation_client.py
@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
from __future__ import absolute_import
+import pytest
+import re
import shlex
+import textwrap
+from ipaplatform.paths import paths
from ipatests.test_integration.base import IntegrationTest
from ipatests.pytest_ipa.integration import tasks
+from ipatests.pytest_ipa.integration.firewall import Firewall
class TestInstallClient(IntegrationTest):
@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
extra_args=['--ssh-trust-dns'])
result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
assert 'HostKeyAlgorithms' not in result.stdout_text
+
+
+class TestClientInstallBind(IntegrationTest):
+ """
+ The test configures an external bind server on the ipa-server
+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
+ When the IPA client is registered using ipa-client-install,
+ DNS records are added for the client in the bind server using nsupdate.
+ The first try is using GSS-TIG but fails as expected, and the client
+ installer then tries with unauthenticated nsupdate.
+ """
+
+ num_clients = 1
+
+ @classmethod
+ def install(cls, mh):
+ cls.client = cls.clients[0]
+
+ @pytest.fixture
+ def setup_bindserver(self):
+ bindserver = self.master
+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
+ # create a zone in the BIND server that is identical to the IPA
+ add_zone = textwrap.dedent("""
+ zone "{domain}" IN {{ type master;
+ file "{domain}.db"; allow-query {{ any; }};
+ allow-update {{ any; }}; }};
+ """).format(domain=bindserver.domain.name)
+
+ namedcfg = bindserver.get_file_contents(
+ paths.NAMED_CONF, encoding='utf-8')
+ namedcfg += '\n' + add_zone
+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
+
+ def update_contents(path, pattern, replace):
+ contents = bindserver.get_file_contents(path, encoding='utf-8')
+ namedcfg_query = re.sub(pattern, replace, contents)
+ bindserver.put_file_contents(path, namedcfg_query)
+
+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
+ "#listen-on port 53 { 127.0.0.1; };")
+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
+ "#listen-on-v6 port 53 { ::1; };")
+
+ add_records = textwrap.dedent("""
+ @ IN SOA {fqdn}. root.{domain}. (
+ 1001 ;Serial
+ 3H ;Refresh
+ 15M ;Retry
+ 1W ;Expire
+ 1D ;Minimum 1D
+ )
+ @ IN NS {fqdn}.
+ ns1 IN A {bindserverip}
+ _kerberos.{domain}. IN TXT {zoneupper}
+ {fqdn}. IN A {bindserverip}
+ ipa-ca.{domain}. IN A {bindserverip}
+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
+ """).format(
+ fqdn=bindserver.hostname,
+ domain=bindserver.domain.name,
+ bindserverip=bindserver.ip,
+ zoneupper=bindserver.domain.name.upper()
+ )
+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
+ bindserver.put_file_contents(bindserverdb, add_records)
+ bindserver.run_command(['systemctl', 'start', 'named'])
+ Firewall(bindserver).enable_services(["dns"])
+ yield
+ named_conf_backup.restore()
+ bindserver.run_command(['rm', '-rf', bindserverdb])
+
+ def test_client_nsupdate(self, setup_bindserver):
+ """Test secure nsupdate failed, then try unsecure nsupdate..
+
+ Test to verify when bind is configured with dynamic update policy,
+ and during client-install 'nsupdate -g' fails then it should run with
+ second call using unauthenticated nsupdate.
+
+ Related : https://pagure.io/freeipa/issue/8402
+ """
+ # with pre-configured bind server, install ipa-server without dns.
+ tasks.install_master(self.master, setup_dns=False)
+ self.client.resolver.backup()
+ self.client.resolver.setup_resolver(
+ self.master.ip, self.master.domain.name)
+ try:
+ self.client.run_command(['ipa-client-install', '-U',
+ '--domain', self.client.domain.name,
+ '--realm', self.client.domain.realm,
+ '-p', self.client.config.admin_name,
+ '-w', self.client.config.admin_password,
+ '--server', self.master.hostname])
+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
+ str1 = "nsupdate (GSS-TSIG) failed"
+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
+ client_log = self.client.get_file_contents(
+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
+ )
+ assert str1 in client_log and str2 in client_log
+ dig_after = self.client.run_command(
+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
+ '-t', 'SSHFP'])
+ assert "ANSWER: 0" not in dig_after.stdout_text.strip()
+ finally:
+ self.client.resolver.restore()
--
2.31.1

View File

@ -1,128 +0,0 @@
From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Thu, 9 Sep 2021 15:26:55 -0400
Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.
What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.
I'm not comfortable with simply treating them the same because
in LDAP they are not.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
ipapython/ipaldap.py | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
index f94b784d6..ced8f1bd6 100644
--- a/ipapython/ipaldap.py
+++ b/ipapython/ipaldap.py
@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
entry=None, exception=None):
# idnsname - caching prevents delete when mod value to None
# cospriority - in a Class of Service object, uncacheable
- # TODO - usercertificate was banned at one point and I don't remember
- # why...
- BANNED_ATTRS = {'idnsname', 'cospriority'}
+ # usercertificate* - caching subtypes is tricky, trade less
+ # complexity for performance
+ #
+ # TODO: teach the cache about subtypes
+
+ BANNED_ATTRS = {
+ 'idnsname',
+ 'cospriority',
+ 'usercertificate',
+ 'usercertificate;binary'
+ }
if not self._enable_cache:
return
--
2.31.1
From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Fri, 10 Sep 2021 09:01:48 -0400
Subject: [PATCH] ipatests: Test that a user can be issued multiple
certificates
Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.
https://pagure.io/freeipa/issue/8986
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Francois Cami <fcami@redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
---
ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
index 7d51b76ee..b4e85eadc 100644
--- a/ipatests/test_integration/test_cert.py
+++ b/ipatests/test_integration/test_cert.py
@@ -16,6 +16,7 @@ import string
import time
from ipaplatform.paths import paths
+from ipapython.dn import DN
from cryptography import x509
from cryptography.x509.oid import ExtensionOID
from cryptography.hazmat.backends import default_backend
@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
)
assert "profile: caServerCert" in result.stdout_text
+ def test_multiple_user_certificates(self):
+ """Test that a user may be issued multiple certificates"""
+ ldap = self.master.ldap_connect()
+
+ user = 'user1'
+
+ tasks.kinit_admin(self.master)
+ tasks.user_add(self.master, user)
+
+ for id in (0,1):
+ csr_file = f'{id}.csr'
+ key_file = f'{id}.key'
+ cert_file = f'{id}.crt'
+ openssl_cmd = [
+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
+ self.master.run_command(openssl_cmd)
+
+ cmd_args = ['ipa', 'cert-request', '--principal', user,
+ '--certificate-out', cert_file, csr_file]
+ self.master.run_command(cmd_args)
+
+ # easier to count by pulling the LDAP entry
+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
+ ('cn', 'accounts'), self.master.domain.basedn))
+
+ assert len(entry.get('usercertificate')) == 2
+
@pytest.fixture
def test_subca_certs(self):
"""
--
2.31.1

View File

@ -0,0 +1,122 @@
From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 26 Nov 2021 11:13:51 +0200
Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
MS-SFU updates
New versions of MS-KILE and MS-SFU after Windows Server November 2021
security updates add PAC_REQUESTER_SID buffer check behavior:
- PAC_REQUESTER_SID should only be added for TGT requests
- if PAC_REQUESTER_SID is present, KDC must verify that the cname on
the ticket resolves to the account with the same SID as the
PAC_REQUESTER_SID. If it doesn't KDC must respond with
KDC_ERR_TKT_REVOKED
Change requester SID check to skip exact check for non-local
PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
we know about.
If requester SID is the same as in PAC, we already do cname vs PAC SID
verification.
With these changes FreeIPA works against Windows Server 2019 with
November 2021 security fixes in cross-realm S4U2Self operations.
Fixes: https://pagure.io/freeipa/issue/9031
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
1 file changed, 34 insertions(+), 13 deletions(-)
diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
index 538cfbba9..1b972c167 100644
--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
"local [%s], PAC [%s]",
dom ? dom : "<failed to display>",
sid ? sid : "<failed to display>");
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
}
@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
if (kerr != 0) {
krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
- return KRB5KDC_ERR_POLICY;
+ return KRB5KDC_ERR_TGT_REVOKED;
}
ied = (struct ipadb_e_data *)client_actual->e_data;
@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
"local [%s] vs PAC [%s]",
local_sid ? local_sid : "<failed to display>",
pac_sid ? pac_sid : "<failed to display>");
- kerr = KRB5KDC_ERR_POLICY;
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
goto done;
}
@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
/* Check that requester SID is the same as in the PAC entry */
if (requester_sid != NULL) {
struct dom_sid client_sid;
+ bool is_from_trusted_domain = false;
kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
if (kerr) {
goto done;
}
result = dom_sid_check(&client_sid, requester_sid, true);
if (!result) {
- /* memctx is freed by the caller */
- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
- char *req_sid = dom_sid_string(tmpctx, requester_sid);
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
- "different from what PAC requester claims. "
- "PAC [%s] vs PAC requester [%s]",
- pac_sid ? pac_sid : "<failed to display>",
- req_sid ? req_sid : "<failed to display>");
- kerr = KRB5KDC_ERR_POLICY;
- goto done;
+ struct ipadb_context *ipactx = ipadb_get_context(context);
+ if (!ipactx || !ipactx->mspac) {
+ return KRB5_KDB_DBNOTINITED;
+ }
+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
+ /* Iterate through list of trusts and check if this SID belongs to
+ * one of the domains we trust */
+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
+ requester_sid, false);
+ if (result) {
+ is_from_trusted_domain = true;
+ break;
+ }
+ }
+ }
+
+ if (!is_from_trusted_domain) {
+ /* memctx is freed by the caller */
+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
+ "different from what PAC requester claims. "
+ "PAC [%s] vs PAC requester [%s]",
+ pac_sid ? pac_sid : "<failed to display>",
+ req_sid ? req_sid : "<failed to display>");
+ kerr = KRB5KDC_ERR_TGT_REVOKED;
+ goto done;
+ }
}
}
--
2.31.1

View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
=TQFs
-----END PGP SIGNATURE-----

View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi
00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe
MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM
XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q
E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp
q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6
BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA
CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C
UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi
q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy
urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo
w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg=
=t9up
-----END PGP SIGNATURE-----

View File

@ -68,8 +68,8 @@
%global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
# Require 4.7.0 which brings Python 3 bindings
%global samba_version 4.12.3-12
# Require 4.14.5-13 which brings CVE-2020-25717 fixes
%global samba_version 4.14.5-13
%global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1
@ -92,9 +92,9 @@
%global krb5_version 1.18.2-29
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
# Require 4.7.0 which brings Python 3 bindings
# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
%global samba_version 2:4.12.10
# Require 4.14.6 which brings CVE-2020-25717 fixes
%global samba_version 2:4.14.6
# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
%global selinux_policy_version 3.14.5-45
@ -178,7 +178,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
%define IPA_VERSION 4.9.6
%define IPA_VERSION 4.9.8
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
@ -191,7 +191,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 6%{?rc_version:.%rc_version}%{?dist}
Release: 2%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@ -211,23 +211,12 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8
Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
Patch0006: 0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
Patch0007: 0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
Patch0008: 0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
Patch0009: 0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
# RHEL spec file only: END
Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@ -471,6 +460,8 @@ Requires: gssproxy >= 0.7.0-2
Requires: sssd-dbus >= %{sssd_version}
Requires: libpwquality
Requires: cracklib-dicts
# NDR libraries are internal in Samba and change with version without changing SONAME
Requires: samba-client-libs >= %{samba_version}
Provides: %{alt_name}-server = %{version}
Conflicts: %{alt_name}-server
@ -1370,6 +1361,7 @@ fi
%{_libexecdir}/ipa/ipa-pki-wait-running
%{_libexecdir}/ipa/ipa-otpd
%{_libexecdir}/ipa/ipa-print-pac
%{_libexecdir}/ipa/ipa-subids
%dir %{_libexecdir}/ipa/custodia
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
@ -1377,6 +1369,7 @@ fi
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
%dir %{_libexecdir}/ipa/oddjob
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
@ -1709,21 +1702,40 @@ fi
%changelog
* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
- Don't store entries with a usercertificate in the LDAP cache
Resolves: RHBZ#1999893
* Fri Dec 10 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-2
- Revert bind-pkcs11-utils configuration in freeipa.spec.
Resolves: RHBZ#2026732
* Mon Sep 13 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-5
- Catch and log errors when adding CA profiles
Resolves: RHBZ#1999142
- selinux policy: allow custodia to access /proc/cpuinfo
Resolves: RHBZ#1998129
- extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
Resolves: RHBZ#2000263
- ipa migrate-ds command fails to warn when compat plugin is enabled
Resolves: RHBZ#1999992
- Backport latest test fixes in python3-ipatests
Resolves: RHBZ#2000553
* Tue Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-1
- Upstream release FreeIPA 4.9.8
Related: RHBZ#2015607
- Hardening for CVE-2020-25717
* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9.1
- Fix S4U2Self regression for cross-realm requester SID buffer
- Related: RHBZ#2021443
* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9
- Require samba 4.14.5-13 with IPA DC server role fixes
- Related: RHBZ#2021443
* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
- Add versioned dependency of samba-client-libs to ipa-server
- Related: RHBZ#2021443
* Thu Nov 11 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
- Hardening for CVE-2020-25717
- Harden processing of trusted domains' users in S4U operations
- Resolves: RHBZ#2021443
* Wed Nov 10 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-6
- Hardening for CVE-2020-25717
- Rebuild against samba-4.14.5-11.el8
- Resolves: RHBZ#2021443
* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-5
- Hardening for CVE-2020-25717
- Related: RHBZ#2019668
* Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL