From 99f783444df31585a7b613b1a04bb9b0b7519a4f Mon Sep 17 00:00:00 2001 From: Tomas Krizek Date: Wed, 15 Feb 2017 15:48:51 +0100 Subject: [PATCH] Add support for KRB DAL 6.1 and bind-dyndb-ldap 11.0 --- 0003-bind-dyndb-ldap-DNS-fixes.patch | 359 ++++++++++++++++++ ...-ipa-kdb-support-KDB-DAL-version-6.1.patch | 233 ++++++++++++ freeipa.spec | 34 +- 3 files changed, 613 insertions(+), 13 deletions(-) create mode 100644 0003-bind-dyndb-ldap-DNS-fixes.patch create mode 100644 0004-ipa-kdb-support-KDB-DAL-version-6.1.patch diff --git a/0003-bind-dyndb-ldap-DNS-fixes.patch b/0003-bind-dyndb-ldap-DNS-fixes.patch new file mode 100644 index 0000000..c3d1782 --- /dev/null +++ b/0003-bind-dyndb-ldap-DNS-fixes.patch 
@@ -0,0 +1,359 @@ +From 8ccf7266c6c37cc1e402f9a3fa4c0f15462a2e15 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Mon, 16 Jan 2017 13:48:54 +0100 +Subject: [PATCH 1/6] Remove obsolete serial_autoincrement from named.conf + parsing + +Option serial_autoincrement is no longer supported. Remove it from +the named.conf parser and add it to deprecated options to be removed. + +https://fedorahosted.org/freeipa/ticket/6565 + +Reviewed-By: Martin Basti +--- + ipaserver/install/server/upgrade.py | 56 +++---------------------------------- + 1 file changed, 4 insertions(+), 52 deletions(-) + +diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py +index eb4950d394a6297c13159c9d2de91d17f97a8943..b4c15ba7600bcdadd7a6cc50c9aac2805548dbd5 100644 +--- a/ipaserver/install/server/upgrade.py ++++ b/ipaserver/install/server/upgrade.py +@@ -420,8 +420,8 @@ def named_remove_deprecated_options(): + From IPA 3.3, persistent search is a default mechanism for new DNS zone + detection. + +- Remove psearch, zone_refresh and cache_ttl options, as they have been +- deprecated in bind-dyndb-ldap configuration file. ++ Remove psearch, zone_refresh cache_ttl and serial_autoincrement options, ++ as they have been deprecated in bind-dyndb-ldap configuration file. + + When some change in named.conf is done, this functions returns True. + """ +@@ -433,7 +433,8 @@ def named_remove_deprecated_options(): + root_logger.info('DNS is not configured') + return False + +- deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl'] ++ deprecated_options = ['zone_refresh', 'psearch', 'cache_ttl', ++ 'serial_autoincrement'] + removed_options = [] + + try: +@@ -510,54 +511,6 @@ def named_set_minimum_connections(): + return changed + + +-def named_enable_serial_autoincrement(): +- """ +- Serial autoincrement is a requirement for zone transfers or DNSSEC. It +- should be enabled both for new installs and upgraded servers. 
+- +- When some change in named.conf is done, this functions returns True +- """ +- changed = False +- +- root_logger.info('[Enabling serial autoincrement in DNS]') +- +- if not bindinstance.named_conf_exists(): +- # DNS service may not be configured +- root_logger.info('DNS is not configured') +- return changed +- +- try: +- serial_autoincrement = bindinstance.named_conf_get_directive( +- 'serial_autoincrement') +- except IOError as e: +- root_logger.debug('Cannot retrieve psearch option from %s: %s', +- bindinstance.NAMED_CONF, e) +- return changed +- else: +- serial_autoincrement = None if serial_autoincrement is None \ +- else serial_autoincrement.lower() +- +- # enable SOA serial autoincrement +- if not sysupgrade.get_upgrade_state('named.conf', 'autoincrement_enabled'): +- if serial_autoincrement != 'yes': +- try: +- bindinstance.named_conf_set_directive('serial_autoincrement', +- 'yes') +- except IOError as e: +- root_logger.error('Cannot enable serial_autoincrement in %s: %s', +- bindinstance.NAMED_CONF, e) +- return changed +- else: +- root_logger.debug('Serial autoincrement enabled') +- changed = True +- else: +- root_logger.debug('Serial autoincrement is alredy enabled') +- sysupgrade.set_upgrade_state('named.conf', 'autoincrement_enabled', True) +- else: +- root_logger.debug('Skip serial autoincrement check') +- +- return changed +- + def named_update_gssapi_configuration(): + """ + Update GSSAPI configuration in named.conf to a recent API. 
+@@ -1755,7 +1708,6 @@ def upgrade_configuration(): + named_conf_changes = ( + named_remove_deprecated_options(), + named_set_minimum_connections(), +- named_enable_serial_autoincrement(), + named_update_gssapi_configuration(), + named_update_pid_file(), + named_enable_dnssec(), +-- +2.9.3 + + +From 465c2a8df87a555162b91a9e34280b3d208ad8b3 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Mon, 19 Dec 2016 13:12:19 +0100 +Subject: [PATCH 2/6] named.conf template: update API for bind 9.11 + +Use the new API for bind 9.11. Removed deprecated "serial_autoincrement" +and updated the rest of configuration to conform to the new format. + +This only fixes new IPA installations. For existing installations, +named.conf will be transformed when the new version of bind-dyndb-ldap +is installed. + +https://fedorahosted.org/freeipa/ticket/6565 + +Reviewed-By: Martin Basti +--- + install/share/bind.named.conf.template | 16 +++++++--------- + ipaplatform/redhat/paths.py | 1 + + ipaserver/install/bindinstance.py | 1 + + 3 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/install/share/bind.named.conf.template b/install/share/bind.named.conf.template +index e8ea8fba022c4f539fb84a64875b0c5ca46c761b..b7c3a0b78e23f9b5ac2d221dad24a039af201035 100644 +--- a/install/share/bind.named.conf.template ++++ b/install/share/bind.named.conf.template +@@ -43,13 +43,11 @@ zone "." 
IN { + include "$RFC1912_ZONES"; + include "$ROOT_KEY"; + +-dynamic-db "ipa" { +- library "ldap.so"; +- arg "uri ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket"; +- arg "base cn=dns, $SUFFIX"; +- arg "server_id $FQDN"; +- arg "auth_method sasl"; +- arg "sasl_mech GSSAPI"; +- arg "sasl_user DNS/$FQDN"; +- arg "serial_autoincrement yes"; ++dyndb "ipa" "$BIND_LDAP_SO" { ++ uri "ldapi://%2fvar%2frun%2fslapd-$SERVER_ID.socket"; ++ base "cn=dns, $SUFFIX"; ++ server_id "$FQDN"; ++ auth_method "sasl"; ++ sasl_mech "GSSAPI"; ++ sasl_user "DNS/$FQDN"; + }; +diff --git a/ipaplatform/redhat/paths.py b/ipaplatform/redhat/paths.py +index b27b065ad52c49852231039a66c47c2b80df3a62..8212f40cf8afcbd9017018ed538befdaceeb2d9d 100644 +--- a/ipaplatform/redhat/paths.py ++++ b/ipaplatform/redhat/paths.py +@@ -33,6 +33,7 @@ class RedHatPathNamespace(BasePathNamespace): + if sys.maxsize > 2**32: + LIBSOFTHSM2_SO = BasePathNamespace.LIBSOFTHSM2_SO_64 + PAM_KRB5_SO = BasePathNamespace.PAM_KRB5_SO_64 ++ BIND_LDAP_SO = BasePathNamespace.BIND_LDAP_SO_64 + + + paths = RedHatPathNamespace() +diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py +index 7aa9ed4f4baedc686b929e758d72bf992a68a967..478ec4a168667affe6bb00cdac965e39e1858ebb 100644 +--- a/ipaserver/install/bindinstance.py ++++ b/ipaserver/install/bindinstance.py +@@ -798,6 +798,7 @@ class BindInstance(service.Service): + RFC1912_ZONES=paths.NAMED_RFC1912_ZONES, + NAMED_PID=paths.NAMED_PID, + NAMED_VAR_DIR=paths.NAMED_VAR_DIR, ++ BIND_LDAP_SO=paths.BIND_LDAP_SO, + ) + + def __setup_dns_container(self): +-- +2.9.3 + + +From 8cba2c137bd7de298f41f001ab8b27687691fc44 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Mon, 19 Dec 2016 16:52:08 +0100 +Subject: [PATCH 3/6] bump required version of BIND, bind-dyndb-ldap + +bynd-dyndb-ldap used a custom configuration file format. Since BIND 9.11, +an API was accepted upstream. 
This caused backward incompatible changes +to the named.conf configuration file used to configure the +bind-dyndb-ldap BIND plugin. Version 11.0 of bind-dyndb-ldap plugin and +BIND 9.11 are required to use with the new config file format. + +https://fedorahosted.org/freeipa/ticket/6565 + +Reviewed-By: Martin Basti +--- + freeipa.spec.in | 17 +++++------------ + 1 file changed, 5 insertions(+), 12 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 8a8e3a592cc0e414dc71202dc8c1f7d9b0526d5c..8b9fa591947a9a5b2bc84eba9b54ef750a9d68e8 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -257,18 +257,11 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing + Group: System Environment/Base + BuildArch: noarch + Requires: %{name}-server = %{version}-%{release} +-Requires: bind-dyndb-ldap >= 10.0 +-%if 0%{?fedora} >= 21 +-Requires: bind >= 9.9.6-3 +-Requires: bind-utils >= 9.9.6-3 +-Requires: bind-pkcs11 >= 9.9.6-3 +-Requires: bind-pkcs11-utils >= 9.9.6-3 +-%else +-Requires: bind >= 9.9.4-21 +-Requires: bind-utils >= 9.9.4-21 +-Requires: bind-pkcs11 >= 9.9.4-21 +-Requires: bind-pkcs11-utils >= 9.9.4-21 +-%endif ++Requires: bind-dyndb-ldap >= 11.0 ++Requires: bind >= 9.11.0-6.P2 ++Requires: bind-utils >= 9.11.0-6.P2 ++Requires: bind-pkcs11 >= 9.11.0-6.P2 ++Requires: bind-pkcs11-utils >= 9.11.0-6.P2 + Requires: opendnssec >= 1.4.6-4 + + Provides: %{alt_name}-server-dns = %{version} +-- +2.9.3 + + +From b6eb03369a7546077f28ff45db27c76c5bc44584 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Fri, 10 Feb 2017 11:30:40 +0100 +Subject: [PATCH 4/6] PEP8: fix line length for regexs in bindinstance + +Reviewed-By: Martin Basti +--- + ipaserver/install/bindinstance.py | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py +index 478ec4a168667affe6bb00cdac965e39e1858ebb..9c10ac98175e0dd5ea98c54eeadcb3452aac04e5 100644 +--- 
a/ipaserver/install/bindinstance.py ++++ b/ipaserver/install/bindinstance.py +@@ -69,12 +69,15 @@ RESOLV_CONF = paths.RESOLV_CONF + named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{') + named_conf_section_options_start_re = re.compile('\s*options\s+{') + named_conf_section_end_re = re.compile('};') +-named_conf_arg_ipa_re = re.compile(r'(?P\s*)arg\s+"(?P\S+)\s(?P[^"]+)";') +-named_conf_arg_options_re = re.compile(r'(?P\s*)(?P\S+)\s+"(?P[^"]+)"\s*;') ++named_conf_arg_ipa_re = re.compile( ++ r'(?P\s*)arg\s+"(?P\S+)\s(?P[^"]+)";') ++named_conf_arg_options_re = re.compile( ++ r'(?P\s*)(?P\S+)\s+"(?P[^"]+)"\s*;') + named_conf_arg_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n" + named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n" + # non string args for options section +-named_conf_arg_options_re_nonstr = re.compile(r'(?P\s*)(?P\S+)\s+(?P[^"]+)\s*;') ++named_conf_arg_options_re_nonstr = re.compile( ++ r'(?P\s*)(?P\S+)\s+(?P[^"]+)\s*;') + named_conf_arg_options_template_nonstr = "%(indent)s%(name)s %(value)s;\n" + # include directive + named_conf_include_re = re.compile(r'\s*include\s+"(?P)"\s*;') +-- +2.9.3 + + +From 06fd56b4f5f57a0cf9258ecede8af8ab40433364 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Fri, 10 Feb 2017 11:16:56 +0100 +Subject: [PATCH 5/6] bindinstance: fix named.conf parsing regexs + +Since named.conf API for bind-dyndb-ldap was updated, our parsing +regexes have to change. 
+ +https://fedorahosted.org/freeipa/ticket/6565 + +Reviewed-By: Martin Basti +--- + ipaserver/install/bindinstance.py | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py +index 9c10ac98175e0dd5ea98c54eeadcb3452aac04e5..30123b74065c7a209c95baedec35ed25d3e112fd 100644 +--- a/ipaserver/install/bindinstance.py ++++ b/ipaserver/install/bindinstance.py +@@ -66,14 +66,14 @@ if six.PY3: + NAMED_CONF = paths.NAMED_CONF + RESOLV_CONF = paths.RESOLV_CONF + +-named_conf_section_ipa_start_re = re.compile('\s*dynamic-db\s+"ipa"\s+{') ++named_conf_section_ipa_start_re = re.compile('\s*dyndb\s+"ipa"\s+"[^"]+"\s+{') + named_conf_section_options_start_re = re.compile('\s*options\s+{') + named_conf_section_end_re = re.compile('};') + named_conf_arg_ipa_re = re.compile( +- r'(?P\s*)arg\s+"(?P\S+)\s(?P[^"]+)";') ++ r'(?P\s*)(?P\S+)\s"(?P[^"]+)";') + named_conf_arg_options_re = re.compile( + r'(?P\s*)(?P\S+)\s+"(?P[^"]+)"\s*;') +-named_conf_arg_ipa_template = "%(indent)sarg \"%(name)s %(value)s\";\n" ++named_conf_arg_ipa_template = "%(indent)s%(name)s \"%(value)s\";\n" + named_conf_arg_options_template = "%(indent)s%(name)s \"%(value)s\";\n" + # non string args for options section + named_conf_arg_options_re_nonstr = re.compile( +@@ -92,13 +92,12 @@ def create_reverse(): + + def named_conf_exists(): + try: +- named_fd = open(NAMED_CONF, 'r') ++ with open(NAMED_CONF, 'r') as named_fd: ++ lines = named_fd.readlines() + except IOError: + return False +- lines = named_fd.readlines() +- named_fd.close() + for line in lines: +- if line.startswith('dynamic-db "ipa"'): ++ if named_conf_section_ipa_start_re.match(line): + return True + return False + +-- +2.9.3 + + +From 7d425b90ebb66f9c3e2f18e78709215b59e4a985 Mon Sep 17 00:00:00 2001 +From: Tomas Krizek +Date: Mon, 13 Feb 2017 18:36:12 +0100 +Subject: [PATCH 6/6] Bump required version of bind-dyndb-ldap to 11.0-2 + +Fedora release 
bind-dyndb-ldap 11.0-2 transforms existing named.conf +old style API to the new style API. This package version is required +to enable upgrade of existing IPA installations to new version. + +https://fedorahosted.org/freeipa/ticket/6565 + +Reviewed-By: Pavel Vomacka +--- + freeipa.spec.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 8b9fa591947a9a5b2bc84eba9b54ef750a9d68e8..1dd8d0c60cacfc79554bb3c61fa8297e89b7b192 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -257,7 +257,7 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing + Group: System Environment/Base + BuildArch: noarch + Requires: %{name}-server = %{version}-%{release} +-Requires: bind-dyndb-ldap >= 11.0 ++Requires: bind-dyndb-ldap >= 11.0-2 + Requires: bind >= 9.11.0-6.P2 + Requires: bind-utils >= 9.11.0-6.P2 + Requires: bind-pkcs11 >= 9.11.0-6.P2 +-- +2.9.3 + diff --git a/0004-ipa-kdb-support-KDB-DAL-version-6.1.patch b/0004-ipa-kdb-support-KDB-DAL-version-6.1.patch new file mode 100644 index 0000000..f5afcd9 --- /dev/null +++ b/0004-ipa-kdb-support-KDB-DAL-version-6.1.patch 
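Review bot: The new `named_conf_section_ipa_start_re` in patch 5/6 is still a plain string literal, `re.compile('\s*dyndb\s+"ipa"\s+"[^"]+"\s+{')`, while the `named_conf_arg_*` patterns in the same hunk were moved to raw strings; `\s` only works here because unknown escapes are passed through, which newer interpreters warn about, so `re.compile(r'\s*dyndb\s+"ipa"\s+"[^"]+"\s+{')` keeps the module consistent. A second consequence deserves a comment in `named_conf_exists()`: it now recognises only the `dyndb "ipa" "…" {` form, so a named.conf still carrying the old `dynamic-db "ipa"` section makes the upgrade code log "DNS is not configured" and skip every named.conf fixup; patch 6/6 relies on bind-dyndb-ldap 11.0-2 rewriting the file first. Something like `# the legacy dynamic-db section is not matched; bind-dyndb-ldap >= 11.0-2 converts it on upgrade` next to the regex would record that assumption for the next maintainer.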
@@ -0,0 +1,233 @@ +From 985549be991c73c7455ed3b1393bd464ef4d197a Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 24 Jan 2017 11:02:30 +0200 +Subject: [PATCH 1/1] ipa-kdb: support KDB DAL version 6.1 + +DAL version 6.0 removed support for a callback to free principal. +This broke KDB drivers which had complex e_data structure within +the principal structure. As result, FreeIPA KDB driver was leaking +memory with DAL version 6.0 (krb5 1.15). + +DAL version 6.1 added a special callback for freeing e_data structure. +See details at krb5/krb5#596 + +Restructure KDB driver code to provide this callback in case +we are built against DAL version that supports it. For DAL version +prior to 6.0 use this callback in the free_principal callback to +tidy the code. + +Use explicit KDB version dependency in Fedora 26+ via BuildRequires. + +With new DAL version, freeipa package will fail to build and +we'll have to add a support for new DAL version explicitly. + +https://fedorahosted.org/freeipa/ticket/6619 +--- + daemons/configure.ac | 21 ++++++++++++++++++ + daemons/ipa-kdb/ipa_kdb.c | 42 ++++++++++++++++++++++++++++++++++-- + daemons/ipa-kdb/ipa_kdb.h | 2 ++ + daemons/ipa-kdb/ipa_kdb_principals.c | 42 ++++++++++++++++++++---------------- + freeipa.spec.in | 9 ++++++++ + 5 files changed, 96 insertions(+), 20 deletions(-) + +diff --git a/daemons/configure.ac b/daemons/configure.ac +index 5c5a1046397aa97ba18cafc1b81dc2a6fb2dfd34..77a3be0397fac0364d364f2e4ac3f917cca7fff3 100644 +--- a/daemons/configure.ac ++++ b/daemons/configure.ac +@@ -66,6 +66,27 @@ AC_SUBST(KRB5_LIBS) + AC_SUBST(KRAD_LIBS) + AC_SUBST(krb5rundir) + ++AC_CHECK_HEADER(kdb.h, [], [AC_MSG_ERROR([kdb.h not found])]) ++AC_CHECK_MEMBER( ++ [kdb_vftabl.free_principal], ++ [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL], [1], ++ [KDB driver API has free_principal callback])], ++ [AC_MSG_NOTICE([KDB driver API has no free_principal callback])], ++ [[#include ]]) ++AC_CHECK_MEMBER( ++ [kdb_vftabl.free_principal_e_data], 
++ [AC_DEFINE([HAVE_KDB_FREEPRINCIPAL_EDATA], [1], ++ [KDB driver API has free_principal_e_data callback])], ++ [AC_MSG_NOTICE([KDB driver API has no free_principal_e_data callback])], ++ [[#include ]]) ++ ++if test "x$ac_cv_member_kdb_vftabl_free_principal" = "xno" \ ++ -a "x$ac_cv_member_kdb_vftable_free_principal_e_data" = "xno" ; then ++ AC_MSG_WARN([KDB driver API does not allow to free Kerberos principal data.]) ++ AC_MSG_WARN([KDB driver will leak memory on Kerberos principal use]) ++ AC_MSG_WARN([See https://github.com/krb5/krb5/pull/596 for details]) ++fi ++ + dnl --------------------------------------------------------------------------- + dnl - Check for Mozilla LDAP and OpenLDAP SDK + dnl --------------------------------------------------------------------------- +diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c +index e96353fe2602652dbf12f68745080b64665ffed2..e74ab56270500c2d3753d76754b8a5f1c28200a0 100644 +--- a/daemons/ipa-kdb/ipa_kdb.c ++++ b/daemons/ipa-kdb/ipa_kdb.c +@@ -625,6 +625,9 @@ static void ipadb_free(krb5_context context, void *ptr) + + /* KDB Virtual Table */ + ++/* We explicitly want to keep different ABI tables below separate. */ ++/* Do not merge them together. 
Older ABI does not need to be updated */ ++ + #if KRB5_KDB_DAL_MAJOR_VERSION == 5 + kdb_vftabl kdb_function_table = { + .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, +@@ -657,8 +660,9 @@ kdb_vftabl kdb_function_table = { + .audit_as_req = ipadb_audit_as_req, + .check_allowed_to_delegate = ipadb_check_allowed_to_delegate + }; ++#endif + +-#elif KRB5_KDB_DAL_MAJOR_VERSION == 6 ++#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && !defined(HAVE_KDB_FREEPRINCIPAL_EDATA) + kdb_vftabl kdb_function_table = { + .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, + .min_ver = 0, +@@ -686,8 +690,42 @@ kdb_vftabl kdb_function_table = { + .audit_as_req = ipadb_audit_as_req, + .check_allowed_to_delegate = ipadb_check_allowed_to_delegate + }; ++#endif + +-#else ++#if (KRB5_KDB_DAL_MAJOR_VERSION == 6) && defined(HAVE_KDB_FREEPRINCIPAL_EDATA) ++kdb_vftabl kdb_function_table = { ++ .maj_ver = KRB5_KDB_DAL_MAJOR_VERSION, ++ .min_ver = 1, ++ .init_library = ipadb_init_library, ++ .fini_library = ipadb_fini_library, ++ .init_module = ipadb_init_module, ++ .fini_module = ipadb_fini_module, ++ .create = ipadb_create, ++ .get_age = ipadb_get_age, ++ .get_principal = ipadb_get_principal, ++ .put_principal = ipadb_put_principal, ++ .delete_principal = ipadb_delete_principal, ++ .iterate = ipadb_iterate, ++ .create_policy = ipadb_create_pwd_policy, ++ .get_policy = ipadb_get_pwd_policy, ++ .put_policy = ipadb_put_pwd_policy, ++ .iter_policy = ipadb_iterate_pwd_policy, ++ .delete_policy = ipadb_delete_pwd_policy, ++ .fetch_master_key = ipadb_fetch_master_key, ++ .store_master_key_list = ipadb_store_master_key_list, ++ .change_pwd = ipadb_change_pwd, ++ .sign_authdata = ipadb_sign_authdata, ++ .check_transited_realms = ipadb_check_transited_realms, ++ .check_policy_as = ipadb_check_policy_as, ++ .audit_as_req = ipadb_audit_as_req, ++ .check_allowed_to_delegate = ipadb_check_allowed_to_delegate, ++ /* The order is important, DAL version 6.1 added ++ * the free_principal_e_data callback */ ++ .free_principal_e_data = 
ipadb_free_principal_e_data, ++}; ++#endif ++ ++#if (KRB5_KDB_DAL_MAJOR_VERSION != 5) && (KRB5_KDB_DAL_MAJOR_VERSION != 6) + #error unsupported DAL major version + #endif + +diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h +index 1fdb409df92f1f8d9a82af3423e6e73313c62ab7..d5a343345562062b309d14c2e493f8d3028a6780 100644 +--- a/daemons/ipa-kdb/ipa_kdb.h ++++ b/daemons/ipa-kdb/ipa_kdb.h +@@ -180,6 +180,8 @@ krb5_error_code ipadb_get_principal(krb5_context kcontext, + unsigned int flags, + krb5_db_entry **entry); + void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry); ++/* Helper function for DAL API 6.1 or later */ ++void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data); + krb5_error_code ipadb_put_principal(krb5_context kcontext, + krb5_db_entry *entry, + char **db_args); +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 5b80909475565d6bb4fa8cba67629094daf51eb3..3bd8fb8c70c61b056a714bc0a8149bd8524beb1d 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -1274,11 +1274,32 @@ done: + return kerr; + } + ++void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data) ++{ ++ struct ipadb_e_data *ied; ++ int i; ++ ++ ied = (struct ipadb_e_data *)e_data; ++ if (ied->magic == IPA_E_DATA_MAGIC) { ++ ldap_memfree(ied->entry_dn); ++ free(ied->passwd); ++ free(ied->pw_policy_dn); ++ for (i = 0; ied->pw_history && ied->pw_history[i]; i++) { ++ free(ied->pw_history[i]); ++ } ++ free(ied->pw_history); ++ for (i = 0; ied->authz_data && ied->authz_data[i]; i++) { ++ free(ied->authz_data[i]); ++ } ++ free(ied->authz_data); ++ free(ied->pol); ++ free(ied); ++ } ++} ++ + void ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry) + { +- struct ipadb_e_data *ied; + krb5_tl_data *prev, *next; +- int i; + + if (entry) { + krb5_free_principal(kcontext, entry->princ); +@@ -1292,22 +1313,7 @@ void 
ipadb_free_principal(krb5_context kcontext, krb5_db_entry *entry) + ipa_krb5_free_key_data(entry->key_data, entry->n_key_data); + + if (entry->e_data) { +- ied = (struct ipadb_e_data *)entry->e_data; +- if (ied->magic == IPA_E_DATA_MAGIC) { +- ldap_memfree(ied->entry_dn); +- free(ied->passwd); +- free(ied->pw_policy_dn); +- for (i = 0; ied->pw_history && ied->pw_history[i]; i++) { +- free(ied->pw_history[i]); +- } +- free(ied->pw_history); +- for (i = 0; ied->authz_data && ied->authz_data[i]; i++) { +- free(ied->authz_data[i]); +- } +- free(ied->authz_data); +- free(ied->pol); +- free(ied); +- } ++ ipadb_free_principal_e_data(kcontext, entry->e_data); + } + + free(entry); +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 1dd8d0c60cacfc79554bb3c61fa8297e89b7b192..52ad0d4c1f1cec95821e17401e709f05ea9d97f6 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -57,7 +57,16 @@ BuildRequires: nspr-devel + BuildRequires: nss-devel + BuildRequires: openssl-devel + BuildRequires: openldap-devel ++# For KDB DAL version, make explicit dependency so that increase of version ++# will cause the build to fail due to unsatisfied dependencies. ++# DAL version change may cause code crash or memory leaks, it is better to fail early. ++%if 0%{?fedora} > 25 ++BuildRequires: krb5-devel >= 1.15-5 ++BuildRequires: krb5-kdb-version = 6.1 ++%else ++# 1.12+: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678) + BuildRequires: krb5-devel >= 1.13 ++%endif + BuildRequires: krb5-workstation + BuildRequires: libuuid-devel + BuildRequires: libcurl-devel >= 7.21.7-2 +-- +2.9.3 + diff --git a/freeipa.spec b/freeipa.spec index 04bb2b5..e98f51f 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -38,7 +38,7 @@ Name: freeipa Version: %{VERSION} -Release: 4%{?dist} +Release: 5%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base 
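Review bot: The fallback warning in the new configure.ac block never fires because the second cache variable is misspelled: `AC_CHECK_MEMBER([kdb_vftabl.free_principal_e_data], ...)` sets `ac_cv_member_kdb_vftabl_free_principal_e_data`, but the test reads `$ac_cv_member_kdb_vftable_free_principal_e_data` (`vftable`), which is unset and so never equals `xno`; the fix is `-a "x$ac_cv_member_kdb_vftabl_free_principal_e_data" = "xno" ; then`. Only the diagnostic is lost, the `HAVE_KDB_FREEPRINCIPAL_EDATA` define and the vtable selection in ipa_kdb.c are unaffected. Separately, the new `ipadb_free_principal_e_data()` in ipa_kdb_principals.c dereferences `e_data` for the magic check before anything else; the in-tree caller guards with `if (entry->e_data)`, but when libkdb5 invokes the DAL 6.1 callback directly it is worth either confirming the library skips NULL or adding `if (e_data == NULL) return;` as the first statement.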
@@ -49,6 +49,8 @@ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch Patch0002: 0002-Support-DAL-version-5-and-version-6.patch +Patch0003: 0003-bind-dyndb-ldap-DNS-fixes.patch +Patch0004: 0004-ipa-kdb-support-KDB-DAL-version-6.1.patch %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.5.6 @@ -64,7 +66,16 @@ BuildRequires: nspr-devel BuildRequires: nss-devel BuildRequires: openssl-devel BuildRequires: openldap-devel +# For KDB DAL version, make explicit dependency so that increase of version +# will cause the build to fail due to unsatisfied dependencies. +# DAL version change may cause code crash or memory leaks, it is better to fail early. +%if 0%{?fedora} > 25 +BuildRequires: krb5-devel >= 1.15-5 +BuildRequires: krb5-kdb-version = 6.1 +%else +# 1.12+: libkrad (http://krbdev.mit.edu/rt/Ticket/Display.html?id=7678) BuildRequires: krb5-devel >= 1.13 +%endif BuildRequires: krb5-workstation BuildRequires: libuuid-devel BuildRequires: libcurl-devel >= 7.21.7-2 @@ -265,18 +276,11 @@ Summary: IPA integrated DNS server with support for automatic DNSSEC signing Group: System Environment/Base BuildArch: noarch Requires: %{name}-server = %{version}-%{release} -Requires: bind-dyndb-ldap >= 10.0 -%if 0%{?fedora} >= 21 -Requires: bind >= 9.9.6-3 -Requires: bind-utils >= 9.9.6-3 -Requires: bind-pkcs11 >= 9.9.6-3 -Requires: bind-pkcs11-utils >= 9.9.6-3 -%else -Requires: bind >= 9.9.4-21 -Requires: bind-utils >= 9.9.4-21 -Requires: bind-pkcs11 >= 9.9.4-21 -Requires: bind-pkcs11-utils >= 9.9.4-21 -%endif +Requires: bind-dyndb-ldap >= 11.0-2 +Requires: bind >= 9.11.0-6.P2 +Requires: bind-utils >= 9.11.0-6.P2 +Requires: bind-pkcs11 >= 9.11.0-6.P2 +Requires: bind-pkcs11-utils >= 9.11.0-6.P2 Requires: opendnssec >= 1.4.6-4 Provides: %{alt_name}-server-dns = %{version} 
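Review bot: `Patch0003` and `Patch0004` are declared in the `@@ -49,6 +49,8 @@` hunk, but the `%prep` section is outside this diff; if it applies patches with explicit `%patch` lines rather than `%autosetup`, matching `%patch0003 -p1` and `%patch0004 -p1` entries are needed or the new patches are silently never applied. Worth confirming before the build is taken as evidence that the DAL 6.1 and bind 9.11 changes are in.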
@@ -1476,6 +1480,10 @@ fi %endif # ONLY_CLIENT %changelog +* Wed Feb 15 2017 Tomas Krizek - 4.4.3-5 +- Fixes #1403352 - bind-dyndb-ldap: support new named.conf API in BIND 9.11 +- Fixes #1412739 - ipa-kdb: support DAL version 6.1 + * Fri Feb 10 2017 Fedora Release Engineering - 4.4.3-4 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild