3.3.4-3

- Move ipa-otpd socket directory to /var/run/krb5kdc - Require krb5-server 1.11.5-3 supporting the new directory - ipa_lockout plugin did not work with users's without krbPwdPolicyReference
2014-02-11 18:05:03 +01:00 · 2014-02-11 18:05:03 +01:00 · 9ea7eb2ddf
commit 9ea7eb2ddf
parent 5b79ddb067
4 changed files with 268 additions and 2 deletions
--- a/0010-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
+++ b/0010-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
@ -0,0 +1,108 @@
+From 11ebbe3f27fdf18e2578b533eb2560e9f88eeede Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Thu, 30 Jan 2014 16:58:25 +0100
+Subject: [PATCH 10/11] Fallback to global policy in ipa-lockout plugin
+
+krbPwdPolicyReference is no longer filled default users. Instead, plugins
+fallback to hardcoded global policy reference.
+
+Fix ipa-lockout plugin to fallback to it instead of failing to apply
+the policy.
+
+https://fedorahosted.org/freeipa/ticket/4085
+---
+ .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c    | 34 ++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5a24359d319aaea28773daa01d268d2d46583270 100644
+--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+@@ -49,6 +49,7 @@
+ #include <time.h>
+ #include "slapi-plugin.h"
+ #include "nspr.h"
+#include <krb5.h>
+ 
+ #include "util.h"
+ 
+@@ -81,6 +82,8 @@ static int g_plugin_started = 0;
+ 
+ static struct ipa_context *global_ipactx = NULL;
+ 
+static char *ipa_global_policy = NULL;
+
+ #define GENERALIZED_TIME_LENGTH 15
+ 
+ /**
+@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+     Slapi_Attr *attr = NULL;
+     char *dn = NULL;
+     char *basedn = NULL;
+    char *realm = NULL;
+     Slapi_DN *sdn;
+     Slapi_Entry *config_entry;
+    krb5_context krbctx = NULL;
+    krb5_error_code krberr;
+     int ret;
+ 
+     /* Get cn=config so we can get the default naming context */
+@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+         goto done;
+     }
+ 
+    krberr = krb5_init_context(&krbctx);
+    if (krberr) {
+        LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
+    krberr = krb5_get_default_realm(krbctx, &realm);
+    if (krberr) {
+        LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
+    ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+                                          realm, basedn);
+    if (!ipa_global_policy) {
+        LOG_OOM();
+        ret = LDAP_OPERATIONS_ERROR;
+        goto done;
+    }
+
+     ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
+     if (ret == -1) {
+         LOG_OOM();
+@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+ done:
+     if (config_entry)
+         slapi_entry_free(config_entry);
+    free(realm);
+    krb5_free_context(krbctx);
+     free(dn);
+     free(basedn);
+     return ret;
+@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry,
+             slapi_valueset_first_value(*values, &sv);
+             *policy_dn = slapi_value_get_string(sv);
+         }
+    } else {
+        *policy_dn = ipa_global_policy;
+     }
+ 
+     if (*policy_dn == NULL) {
+@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb)
+ {
+     LOG_TRACE( "--in-->\n");
+ 
+    slapi_ch_free_string(&ipa_global_policy);
+
+     LOG_TRACE("<--out--\n");
+ 
+     return EOK;
+-- 
+1.8.5.3
+
--- a/0011-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
+++ b/0011-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
@ -0,0 +1,66 @@
+From 43070359eb267c3eb3b290f5f601e9509a63389f Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Tue, 4 Feb 2014 11:02:34 +0100
+Subject: [PATCH 11/11] ipa-lockout: do not fail when default realm cannot be
+ read
+
+When ipa-lockout plugin is started during FreeIPA server installation,
+the default realm may not be available and plugin should then not end
+with failure.
+
+Similarly to other plugins, start in degraded mode in this situation.
+Operation is fully restored during the final services restart.
+
+https://fedorahosted.org/freeipa/ticket/4085
+---
+ .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c    | 34 +++++++++++-----------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+index 5a24359d319aaea28773daa01d268d2d46583270..265c2701c36fe78486a2bdd4a66366b0b05472a0 100644
+--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+@@ -176,23 +176,23 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+     krberr = krb5_init_context(&krbctx);
+     if (krberr) {
+         LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
+-        ret = LDAP_OPERATIONS_ERROR;
+-        goto done;
+-    }
+-
+-    krberr = krb5_get_default_realm(krbctx, &realm);
+-    if (krberr) {
+-        LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+-        ret = LDAP_OPERATIONS_ERROR;
+-        goto done;
+-    }
+-
+-    ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+-                                          realm, basedn);
+-    if (!ipa_global_policy) {
+-        LOG_OOM();
+-        ret = LDAP_OPERATIONS_ERROR;
+-        goto done;
+        /* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
+         * or is misconfigured. Start up in a degraded mode.
+         */
+    } else {
+        krberr = krb5_get_default_realm(krbctx, &realm);
+        if (krberr) {
+            LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+        } else {
+            ipa_global_policy =
+                slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+                                  realm, basedn);
+            if (!ipa_global_policy) {
+                LOG_OOM();
+                ret = LDAP_OPERATIONS_ERROR;
+                goto done;
+            }
+        }
+     }
+ 
+     ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
+-- 
+1.8.5.3
+
--- a/0012-Move-ipa-otpd-socket-directory.patch
+++ b/0012-Move-ipa-otpd-socket-directory.patch
@ -0,0 +1,84 @@
+From 6c500ccf05103566ca888bc8d67187ab81621328 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Fri, 7 Feb 2014 11:56:33 -0500
+Subject: [PATCH] Move ipa-otpd socket directory
+
+https://fedorahosted.org/freeipa/ticket/4167
+Reviewed-By: Martin Kosek <mkosek@redhat.com>
+---
+ daemons/configure.ac                | 6 +++---
+ daemons/ipa-otpd/Makefile.am        | 2 +-
+ daemons/ipa-otpd/ipa-otpd.socket.in | 4 ++--
+ freeipa.spec.in                     | 2 +-
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index e57dad27614f268d3e5bbafc99b739a5cfa2589b..5646c3873beee996999e4f1d87aea653f4b5dd1b 100644
+--- a/daemons/configure.ac
+++ b/daemons/configure.ac
+@@ -60,10 +60,10 @@ AC_CHECK_LIB(k5crypto, main, [krb5crypto=k5crypto], [krb5crypto=crypto])
+ AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
+ KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"
+ KRAD_LIBS="-lkrad"
+-krb5kdcdir="${localstatedir}/kerberos/krb5kdc"
+krb5rundir="${localstatedir}/run/krb5kdc"
+ AC_SUBST(KRB5_LIBS)
+ AC_SUBST(KRAD_LIBS)
+-AC_SUBST(krb5kdcdir)
+AC_SUBST(krb5rundir)
+ 
+ dnl ---------------------------------------------------------------------------
+ dnl - Check for Mozilla LDAP and OpenLDAP SDK
+@@ -337,7 +337,7 @@ echo "
+         sysconfdir:               ${sysconfdir}
+         localstatedir:            ${localstatedir}
+         datadir:                  ${datadir}
+-        krb5kdcdir:               ${krb5kdcdir}
+        krb5rundir:               ${krb5rundir}
+         systemdsystemunitdir:     ${systemdsystemunitdir}
+         source code location:     ${srcdir}
+         compiler:                 ${CC}
+diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
+index af82a5fe08856573d2d245608ba1dbaad171c7fe..83921748426d801e1edeec23f956689be5fe98b5 100644
+--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
+@@ -9,7 +9,7 @@ systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service
+ ipa_otpd_SOURCES = bind.c forward.c main.c parse.c query.c queue.c stdio.c
+ 
+ %.socket: %.socket.in
+-	@sed -e 's|@krb5kdcdir[@]|$(krb5kdcdir)|g' \
+	@sed -e 's|@krb5rundir[@]|$(krb5rundir)|g' \
+ 	     -e 's|@UNLINK[@]|@UNLINK@|g' \
+ 	     $< > $@
+ 
+diff --git a/daemons/ipa-otpd/ipa-otpd.socket.in b/daemons/ipa-otpd/ipa-otpd.socket.in
+index b968beaa7b9e68c43b2c5386b62c096fa8b97764..ce3596d9f01b26e3e8bd63f447f85a486c8e0dff 100644
+--- a/daemons/ipa-otpd/ipa-otpd.socket.in
+++ b/daemons/ipa-otpd/ipa-otpd.socket.in
+@@ -2,8 +2,8 @@
+ Description=ipa-otpd socket
+ 
+ [Socket]
+-ListenStream=@krb5kdcdir@/DEFAULT.socket
+-ExecStopPre=@UNLINK@ @krb5kdcdir@/DEFAULT.socket
+ListenStream=@krb5rundir@/DEFAULT.socket
+ExecStopPre=@UNLINK@ @krb5rundir@/DEFAULT.socket
+ SocketMode=0600
+ Accept=true
+ 
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index c28928c1c5c2d20e2dfe6112750c70bfb0b55894..a908adfc2b2f1bef90c051c86dcd1fdecb61daa4 100644
+--- a/freeipa.spec.in
+++ b/freeipa.spec.in
+@@ -107,7 +107,7 @@ Requires: nss >= 3.14.3-12.0
+ Requires: nss-tools >= 3.14.3-12.0
+ %endif
+ %if 0%{?krb5_dal_version} >= 4
+-Requires: krb5-server >= 1.11.2-1
+Requires: krb5-server >= 1.11.5-3
+ %else
+ %if 0%{krb5_dal_version} == 3
+ # krb5 1.11 bumped DAL interface major version, a rebuild is needed
+-- 
+1.8.5.3
+
--- a/freeipa.spec
+++ b/freeipa.spec
@ -12,7 +12,7 @@

 Name:           freeipa
 Version:        3.3.4
-Release:        2%{?dist}
+Release:        3%{?dist}
 Summary:        The Identity, Policy and Audit system

 Group:          System Environment/Base
@ -30,6 +30,9 @@ Patch0006:      0006-Enable-Retro-Changelog-and-Content-Synchronization-D.patch
 Patch0007:      0007-Limit-memberOf-and-refInt-DS-plugins-to-main-IPA-suf.patch
 Patch0008:      0008-Remove-working-directory-for-bind-dyndb-ldap-plugin.patch
 Patch0009:      0009-Remove-mod_ssl-port-workaround.patch
+Patch0010:      0010-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
+Patch0011:      0011-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
+Patch0012:      0012-Move-ipa-otpd-socket-directory.patch

 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.1.3
@ -116,7 +119,7 @@ Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
 %endif
 %if 0%{?krb5_dal_version} >= 4
-Requires: krb5-server >= 1.11.2-1
+Requires: krb5-server >= 1.11.5-3
 %else
 %if 0%{krb5_dal_version} == 3
 # krb5 1.11 bumped DAL interface major version, a rebuild is needed
@ -925,6 +928,11 @@ fi
 %endif # ONLY_CLIENT

 %changelog
+* Tue Feb 11 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-3
+- Move ipa-otpd socket directory to /var/run/krb5kdc
+- Require krb5-server 1.11.5-3 supporting the new directory
+- ipa_lockout plugin did not work with users's without krbPwdPolicyReference
+
 * Wed Jan 29 2014 Martin Kosek <mkosek@redhat.com> - 3.3.4-2
 - Fix hardened build