From b4517960e4f4a35bd57d61476878f947de71d51b Mon Sep 17 00:00:00 2001 From: Florence Blanc-Renaud Date: Wed, 29 May 2024 19:24:35 +0200 Subject: [PATCH] ipa-4.12.0-1 - Resolves: RHEL-39140 Rebase ipa to the latest 4.12 version for RHEL 9.5 - Resolves: RHEL-34757 The change for preventing deletion of the admin user caused a regression in disable - Resolves: RHEL-30553 Depend on nfsv4-client-utils or nfs-utils - Resolves: RHEL-29762 IPA sidgen fails to create SID for manually set ID for a new range [rhel-9.5.0] - Resolves: RHEL-26261 Fix replica connection check for use with AD administrator - Resolves: RHEL-18062 ipa ca-show NAME --certificate-out=file creates empty file when NAME does not exist - Resolves: RHEL-12149 traceback in ipaserver/dcerpc.py - Resolves: RHEL-4810 [RFE] FreeIPA-to-FreeIPA migration - Resolves: RHEL-4807 [RFE] Support in IPA for HSM boxes 
Signed-off-by: Florence Blanc-Renaud --- .gitignore | 2 + ...sts-fix-healthcheck-test-without-DNS.patch | 44 - ...x-healthcheck-test-for-indent-option.patch | 47 -- ...tests-fix-test_ipactl_scenario_check.patch | 35 - ...ix-the-IPACertificate-validity-dates.patch | 88 -- ...olicy-minlength-to-be-removed-like-o.patch | 135 --- ...-the-test-failing-due-to-FIPS-policy.patch | 70 -- ...-the-revocation-reason-key-may-be-ca.patch | 50 -- ...version-from-the-remote-to-determine.patch | 102 --- ...ected-output-for-ipahealthcheck.meta.patch | 48 -- ...nsslapd-accesslog-logbuffering-WARN-.patch | 132 --- ...ected-output-for-ipahealthcheck.ipa..patch | 45 - ...member-fails-with-an-external-member.patch | 38 - ...ba-changes-in-samba.security.dom_sid.patch | 41 - ...l-restart-services-after-date-change.patch | 43 - ...new-password-policy-logging-function.patch | 40 - ...497-Update-logging-in-ipa_enrollment.patch | 68 -- ...ate-debug-logging-in-ipa_graceperiod.patch | 47 -- ...-update-debug-logging-in-ipa_lockout.patch | 46 -- ...7-update-debug-logging-in-ipa_modrdn.patch | 56 -- ...ate-debug-logging-in-ipa_otp_counter.patch | 82 -- ...e-debug-logging-in-ipa_otp_lasttoken.patch | 96 --- ...pdate-debug-logging-in-ipa-pwd-extop.patch | 766 ------------------ ...497-update-debug-logging-in-ipa_uuid.patch | 47 -- ...not-collecting-or-returning-messages.patch | 82 -- ...y-that-hbactest-will-return-messages.patch | 56 -- ...er-detection-of-allowed-user-auth-ty.patch | 126 --- ...lying-ticket-policy-do-not-deny-PKIN.patch | 41 - ...user-auth-table-mapping-use-of-_AUTH.patch | 31 - ...re-PKINIT-enrollment-works-with-a-st.patch | 71 -- ...-HTTP-Referer-header-on-all-requests.patch | 121 --- ...s-for-verifying-Referer-header-in-th.patch | 359 -------- ...kip-ds_encryption-tests-on-RHEL9-SUT.patch | 46 -- ...-pki-server-ca-config-show-failures-.patch | 61 -- ...utomount-install-uninstall-with-new-.patch | 125 --- ...ient-install-uninstall-with-automoun.patch | 73 -- 
...ount-Don-t-use-deprecated-ipadiscove.patch | 66 -- ...-Retain-user-requested-remote-server.patch | 98 --- ...on-t-error-out-on-substring-mismatch.patch | 120 --- ...System-Manage-Host-Keytab-permission.patch | 101 --- ...make-sure-NetBIOS-name-defaults-are-.patch | 35 - ...Don-t-rely-just-on-ca-kra-_enabled-f.patch | 54 -- ...r-replica-update-in-test_dns_locatio.patch | 42 - ...call-ca.install-if-there-is-a-CA-in-.patch | 69 -- 0044-ipapython-Clean-up-krb5_error.patch | 144 ---- ...t-return-type-of-krb5_free_cred_cont.patch | 47 -- ...ate-KRB5Error-exceptions-on-iteratin.patch | 53 -- ...-memory-leak-during-PAC-verification.patch | 91 --- ...re-staged-users-when-generating-SIDs.patch | 83 -- 0049-sidgen-fix-missing-prototypes.patch | 26 - ...r-do-not-fail-if-canonical-principal.patch | 48 -- ...sts-for-ipahealtcheck-tests-for-spec.patch | 65 -- ...ts-remove-xfail-thanks-to-sssd-2.9.4.patch | 42 - ...il-for-autoprivate-group-test-with-o.patch | 52 -- ...ix-tasks.wait_for_replication-method.patch | 36 - 0055-ipa-kdb-Rework-ipadb_reinit_mspac.patch | 707 ---------------- ...d-support-for-RSA-OAEP-wrapping-algo.patch | 126 --- ...ult-server-archival-retrieval-calls-.patch | 87 -- ...-as-default-wrapping-algo-when-FIPS-.patch | 97 --- ...ix-double-free-in-ipadb_reinit_mspac.patch | 28 - ...te-Kerberos-principal-name-before-ru.patch | 233 ------ ...al-Don-t-try-to-verify-that-the-real.patch | 89 -- ...onal-fallback-to-RSA-OAEP-wrapping-a.patch | 45 - ...low-enforcing-2FA-only-over-LDAP-bin.patch | 294 ------- ...d-MFA-note-in-case-of-a-successful-L.patch | 63 -- ...clare-operation-notes-support-from-3.patch | 42 - ...e-forest-trust-info-cache-when-filte.patch | 53 -- ...or-test_ipahealthcheck_ipansschainva.patch | 68 -- ...support-Samba-4.20-private-libraries.patch | 51 -- freeipa.spec | 218 +++-- sources | 4 +- 71 files changed, 144 insertions(+), 6693 deletions(-) delete mode 100644 0001-ipatests-fix-healthcheck-test-without-DNS.patch delete mode 100644 
0002-ipatests-fix-healthcheck-test-for-indent-option.patch delete mode 100644 0003-ipatests-fix-test_ipactl_scenario_check.patch delete mode 100644 0004-ipalib-fix-the-IPACertificate-validity-dates.patch delete mode 100644 0005-Allow-password-policy-minlength-to-be-removed-like-o.patch delete mode 100644 0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch delete mode 100644 0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch delete mode 100644 0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch delete mode 100644 0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch delete mode 100644 0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch delete mode 100644 0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch delete mode 100644 0012-group-add-member-fails-with-an-external-member.patch delete mode 100644 0013-Handle-samba-changes-in-samba.security.dom_sid.patch delete mode 100644 0014-test_install-restart-services-after-date-change.patch delete mode 100644 0015-Issue-9497-Add-new-password-policy-logging-function.patch delete mode 100644 0016-Issue-9497-Update-logging-in-ipa_enrollment.patch delete mode 100644 0017-Issue-9497-update-debug-logging-in-ipa_graceperiod.patch delete mode 100644 0018-Issue-9497-update-debug-logging-in-ipa_lockout.patch delete mode 100644 0019-Issue-9497-update-debug-logging-in-ipa_modrdn.patch delete mode 100644 0020-Issue-9497-update-debug-logging-in-ipa_otp_counter.patch delete mode 100644 0021-Issue-9497-update-debug-logging-in-ipa_otp_lasttoken.patch delete mode 100644 0022-Issue-9497-update-debug-logging-in-ipa-pwd-extop.patch delete mode 100644 0023-Issue-9497-update-debug-logging-in-ipa_uuid.patch delete mode 100644 0024-hbactest-was-not-collecting-or-returning-messages.patch delete mode 100644 0025-ipatests-Verify-that-hbactest-will-return-messages.patch delete mode 100644 0026-ipa-kdb-add-better-detection-of-allowed-user-auth-ty.patch delete mode 100644 
0027-ipa-kdb-when-applying-ticket-policy-do-not-deny-PKIN.patch delete mode 100644 0028-ipa-kdb-clarify-user-auth-table-mapping-use-of-_AUTH.patch delete mode 100644 0029-ipatests-make-sure-PKINIT-enrollment-works-with-a-st.patch delete mode 100644 0030-Check-the-HTTP-Referer-header-on-all-requests.patch delete mode 100644 0031-Integration-tests-for-verifying-Referer-header-in-th.patch delete mode 100644 0032-ipatests-Skip-ds_encryption-tests-on-RHEL9-SUT.patch delete mode 100644 0033-ACME-Don-t-treat-pki-server-ca-config-show-failures-.patch delete mode 100644 0034-Fix-ipa-client-automount-install-uninstall-with-new-.patch delete mode 100644 0035-ipatests-Test-client-install-uninstall-with-automoun.patch delete mode 100644 0036-ipa-client-automount-Don-t-use-deprecated-ipadiscove.patch delete mode 100644 0037-Server-affinity-Retain-user-requested-remote-server.patch delete mode 100644 0038-get_directive-don-t-error-out-on-substring-mismatch.patch delete mode 100644 0039-host-update-System-Manage-Host-Keytab-permission.patch delete mode 100644 0040-adtrustinstance-make-sure-NetBIOS-name-defaults-are-.patch delete mode 100644 0041-Server-affinity-Don-t-rely-just-on-ca-kra-_enabled-f.patch delete mode 100644 0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch delete mode 100644 0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch delete mode 100644 0044-ipapython-Clean-up-krb5_error.patch delete mode 100644 0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch delete mode 100644 0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch delete mode 100644 0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch delete mode 100644 0048-sidgen-ignore-staged-users-when-generating-SIDs.patch delete mode 100644 0049-sidgen-fix-missing-prototypes.patch delete mode 100644 0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch delete mode 100644 0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch delete mode 100644 
0052-ipatests-remove-xfail-thanks-to-sssd-2.9.4.patch
 delete mode 100644 0053-ipatests-add-xfail-for-autoprivate-group-test-with-o.patch
 delete mode 100644 0054-ipatests-fix-tasks.wait_for_replication-method.patch
 delete mode 100644 0055-ipa-kdb-Rework-ipadb_reinit_mspac.patch
 delete mode 100644 0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
 delete mode 100644 0057-Vault-improve-vault-server-archival-retrieval-calls-.patch
 delete mode 100644 0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch
 delete mode 100644 0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
 delete mode 100644 0060-rpcserver-validate-Kerberos-principal-name-before-ru.patch
 delete mode 100644 0061-validate_principal-Don-t-try-to-verify-that-the-real.patch
 delete mode 100644 0062-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-a.patch
 delete mode 100644 0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch
 delete mode 100644 0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch
 delete mode 100644 0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch
 delete mode 100644 0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch
 delete mode 100644 0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch
 delete mode 100644 0068-ipa-kdb-support-Samba-4.20-private-libraries.patch
diff --git a/.gitignore b/.gitignore
index 3b3628b..d658d28 100644
--- a/.gitignore
+++ b/.gitignore
@@ -122,3 +122,5 @@
 /freeipa-4.10.2.tar.gz.asc
 /freeipa-4.11.0.tar.gz
 /freeipa-4.11.0.tar.gz.asc
+/freeipa-4.12.0.tar.gz
+/freeipa-4.12.0.tar.gz.asc
diff --git a/0001-ipatests-fix-healthcheck-test-without-DNS.patch b/0001-ipatests-fix-healthcheck-test-without-DNS.patch
deleted file mode 100644
index 730cc64..0000000
--- a/0001-ipatests-fix-healthcheck-test-without-DNS.patch
+++ /dev/null
@@ -1,44 +0,0 @@ -From 4c8512168f6a9f224277a4db055f5432af37a552 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 28 Sep 2023 17:39:32 +0200 -Subject: [PATCH] ipatests: fix healthcheck test without DNS - -ipa-healthcheck has added a new check for ipa-ca record -missing. The test needs to be adapted to handle the new check. - -Fixes: https://pagure.io/freeipa/issue/9459 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_ipahealthcheck.py | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 6e01642f36a3d39ac7b3c2721664b21356bf424b..822f550d2ee241a9dd14c99d75199e6207b78e9c 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -1640,13 +1640,19 @@ class TestIpaHealthCheckWithoutDNS(IntegrationTest): - "Got {count} ipa-ca AAAA records, expected {expected}", - "Expected URI record missing", - } -- else: -+ elif (parse_version(version) < parse_version('0.13')): - expected_msgs = { - "Expected SRV record missing", - "Unexpected ipa-ca address {ipaddr}", - "expected ipa-ca to contain {ipaddr} for {server}", - "Expected URI record missing", - } -+ else: -+ expected_msgs = { -+ "Expected SRV record missing", -+ "Expected URI record missing", -+ "missing IP address for ipa-ca server {server}", -+ } - - tasks.install_packages(self.master, HEALTHCHECK_PKG) - returncode, data = run_healthcheck( --- -2.41.0 - diff --git a/0002-ipatests-fix-healthcheck-test-for-indent-option.patch b/0002-ipatests-fix-healthcheck-test-for-indent-option.patch deleted file mode 100644 index 174bc62..0000000 --- a/0002-ipatests-fix-healthcheck-test-for-indent-option.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From ca4ac6c06dd37deab5ba7c4df8789acf9e45d03e Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 28 Sep 2023 12:48:37 +0200 -Subject: [PATCH] ipatests: fix healthcheck test for --indent option - -ipa-healthcheck --indent option expects an integer. The error -message changed with ipa-healthcheck 0.13. -Recent versions also check that the value is in the range 0-32. - -The test must be compatible with old and new versions. - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_ipahealthcheck.py | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 822f550d2ee241a9dd14c99d75199e6207b78e9c..35fcfe10508589ded021207a4eba4fb0143495b4 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -2412,12 +2412,19 @@ class TestIpaHealthCLI(IntegrationTest): - cmd = self.base_cmd + ["--indent", option] - result = self.master.run_command(cmd, raiseonerr=False) - assert result.returncode == 2 -- assert 'invalid int value' in result.stderr_text -+ assert ('invalid int value' in result.stderr_text -+ or 'is not an integer' in result.stderr_text) - -- # unusual success, arguably odd but not invalid :-) -+ version = tasks.get_healthcheck_version(self.master) - for option in ('-1', '5000'): - cmd = self.base_cmd + ["--indent", option] -- result = self.master.run_command(cmd) -+ result = self.master.run_command(cmd, raiseonerr=False) -+ if parse_version(version) >= parse_version('0.13'): -+ assert result.returncode == 2 -+ assert 'is not in the range 0-32' in result.stderr_text -+ else: -+ # Older versions did not check for a given allowed range -+ assert result.returncode == 0 - - def test_severity(self): - """ --- -2.41.0 - 
diff --git a/0003-ipatests-fix-test_ipactl_scenario_check.patch b/0003-ipatests-fix-test_ipactl_scenario_check.patch deleted file mode 100644 index c6ac0b8..0000000 --- a/0003-ipatests-fix-test_ipactl_scenario_check.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 8ffcce91c694d83f6698a0539b970f41ea056e2d Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 21 Sep 2023 10:32:41 +0200 -Subject: [PATCH] ipatests: fix test_ipactl_scenario_check - -The test is comparing the PID of services before and after -calling ipactl start, expecting to have the same value. -It should not compare the pid for ipa-dnskeysyncd as this service -is automatically restarted upon failure. - -Fixes: https://pagure.io/freeipa/issue/9415 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_installation.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index 39fbff2b674296b0696defa7bac3efe35c89e0b7..68a442a9cd7746eec728ee38fda34dbc5361c59b 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -695,7 +695,7 @@ def get_pki_tomcatd_pid(host): - def get_ipa_services_pids(host): - ipa_services_name = [ - "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia", -- "pki_tomcatd", "ipa-dnskeysyncd" -+ "pki_tomcatd" - ] - pids_of_ipa_services = {} - for name in ipa_services_name: --- -2.41.0 - diff --git a/0004-ipalib-fix-the-IPACertificate-validity-dates.patch b/0004-ipalib-fix-the-IPACertificate-validity-dates.patch deleted file mode 100644 index 6b04dab..0000000 --- a/0004-ipalib-fix-the-IPACertificate-validity-dates.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From d9ad56155e76f97ad9326d5c1bcc6e19eea3a0da Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 9 Oct 2023 13:54:17 +0200 -Subject: [PATCH] ipalib: fix the IPACertificate validity dates - -The class IPACertificate builds objects from x509 Certificate -objects and creates the not_valid_before and not_valid_after values -by converting to a timestamp + applying timezone delta to UTC + reading -from the timestamp. This results in applying twice the delta. - -Use a simpler method that replaces the timezone info with UTC in the -datetime object. - -Fixes: https://pagure.io/freeipa/issue/9462 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipalib/x509.py | 6 ++---- - ipatests/test_ipalib/test_x509.py | 25 +++++++++++++++++++++++++ - 2 files changed, 27 insertions(+), 4 deletions(-) - -diff --git a/ipalib/x509.py b/ipalib/x509.py -index 7396688ae60cff76069c7325bab69441babfb8a7..769d480077e0d167646424627f252c336336f531 100644 ---- a/ipalib/x509.py -+++ b/ipalib/x509.py -@@ -266,13 +266,11 @@ class IPACertificate(crypto_x509.Certificate): - - @property - def not_valid_before(self): -- return datetime.datetime.fromtimestamp( -- self._cert.not_valid_before.timestamp(), tz=datetime.timezone.utc) -+ return self._cert.not_valid_before.replace(tzinfo=datetime.timezone.utc) - - @property - def not_valid_after(self): -- return datetime.datetime.fromtimestamp( -- self._cert.not_valid_after.timestamp(), tz=datetime.timezone.utc) -+ return self._cert.not_valid_after.replace(tzinfo=datetime.timezone.utc) - - @property - def tbs_certificate_bytes(self): -diff --git a/ipatests/test_ipalib/test_x509.py b/ipatests/test_ipalib/test_x509.py -index c25e8a0b5b6b918e50b155890fe20cfdd4d747c4..74287c84a581a800fa1c2700ad749fcacbc9d249 100644 ---- a/ipatests/test_ipalib/test_x509.py -+++ b/ipatests/test_ipalib/test_x509.py -@@ -26,6 +26,7 @@ from binascii import hexlify - from configparser import RawConfigParser - import datetime - from 
io import StringIO -+import os - import pickle - - import pytest -@@ -253,6 +254,30 @@ class test_x509: - b'+\x06\x01\x05\x05\x07\x03\x01' - ) - -+ def test_cert_with_timezone(self): -+ """ -+ Test the not_before and not_after values in a diffent timezone -+ -+ Test for https://pagure.io/freeipa/issue/9462 -+ """ -+ # Store initial timezone, then set to New York -+ tz = os.environ.get('TZ', None) -+ os.environ['TZ'] = 'America/New_York' -+ # Load the cert, extract not before and not after -+ cert = x509.load_pem_x509_certificate(goodcert_headers) -+ not_before = datetime.datetime(2010, 6, 25, 13, 0, 42, 0, -+ datetime.timezone.utc) -+ not_after = datetime.datetime(2015, 6, 25, 13, 0, 42, 0, -+ datetime.timezone.utc) -+ # Reset timezone to previous value -+ if tz: -+ os.environ['TZ'] = tz -+ else: -+ del os.environ['TZ'] -+ # ensure the timezone doesn't mess with not_before and not_after -+ assert cert.not_valid_before == not_before -+ assert cert.not_valid_after == not_after -+ - def test_load_pkcs7_pem(self): - certlist = x509.pkcs7_to_certs(good_pkcs7, datatype=x509.PEM) - assert len(certlist) == 1 --- -2.41.0 - diff --git a/0005-Allow-password-policy-minlength-to-be-removed-like-o.patch b/0005-Allow-password-policy-minlength-to-be-removed-like-o.patch deleted file mode 100644 index af3c80d..0000000 --- a/0005-Allow-password-policy-minlength-to-be-removed-like-o.patch +++ /dev/null 
@@ -1,135 +0,0 @@ -From 9b0b723a0e62f18d41be53900ab8a3e710708563 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 18 May 2023 09:23:32 -0400 -Subject: [PATCH] Allow password policy minlength to be removed like other - values - -This is a side-effect of adding the libpwquality options. It -imposes its own hardcoded minimum password length so some care -was needed to ensure that it isn't set too low. - -So if there are no libpwquality options used then it's fine to -have no minlength in the policy. - -Fixes: https://pagure.io/freeipa/issue/9297 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/plugins/pwpolicy.py | 10 +++-- - ipatests/test_integration/test_pwpolicy.py | 45 +++++++++++++++++++++- - 2 files changed, 50 insertions(+), 5 deletions(-) - -diff --git a/ipaserver/plugins/pwpolicy.py b/ipaserver/plugins/pwpolicy.py -index 5ea3e6b78c9ee98d204b8382fbed9e21edf51d10..15cfef45b69743c852e43d58b7428976b9e55681 100644 ---- a/ipaserver/plugins/pwpolicy.py -+++ b/ipaserver/plugins/pwpolicy.py -@@ -462,6 +462,7 @@ class pwpolicy(LDAPObject): - return False - - has_pwquality_value = False -+ min_length = 0 - if not add: - if len(keys) > 0: - existing_entry = self.api.Command.pwpolicy_show( -@@ -470,14 +471,15 @@ class pwpolicy(LDAPObject): - existing_entry = self.api.Command.pwpolicy_show( - all=True,)['result'] - existing_entry.update(entry_attrs) -- min_length = int(get_val(existing_entry, 'krbpwdminlength')) -- -+ if existing_entry.get('krbpwdminlength'): -+ min_length = int(get_val(existing_entry, 'krbpwdminlength')) - has_pwquality_value = has_pwquality_set(existing_entry) - else: -- min_length = int(get_val(entry_attrs, 'krbpwdminlength')) -+ if entry_attrs.get('krbpwdminlength'): -+ min_length = int(get_val(entry_attrs, 'krbpwdminlength')) - has_pwquality_value = has_pwquality_set(entry_attrs) - -- if min_length and min_length < 6 and has_pwquality_value: -+ if min_length < 6 and 
has_pwquality_value: - raise errors.ValidationError( - name='minlength', - error=_('Minimum length must be >= 6 if maxrepeat, ' -diff --git a/ipatests/test_integration/test_pwpolicy.py b/ipatests/test_integration/test_pwpolicy.py -index 41d6e9070a90c2bde7b3182ad6ecf1a923bba203..652c95e47bdab8bbe137f660d0b2ea2c0496c53e 100644 ---- a/ipatests/test_integration/test_pwpolicy.py -+++ b/ipatests/test_integration/test_pwpolicy.py -@@ -36,7 +36,9 @@ class TestPWPolicy(IntegrationTest): - cls.master.run_command(['ipa', 'group-add-member', POLICY, - '--users', USER]) - cls.master.run_command(['ipa', 'pwpolicy-add', POLICY, -- '--priority', '1', '--gracelimit', '-1']) -+ '--priority', '1', -+ '--gracelimit', '-1', -+ '--minlength', '6']) - cls.master.run_command(['ipa', 'passwd', USER], - stdin_text='{password}\n{password}\n'.format( - password=PASSWORD -@@ -92,6 +94,12 @@ class TestPWPolicy(IntegrationTest): - "--minlength", "0", - "--minclasses", "0",], - ) -+ # minlength => 6 is required for any of the libpwquality settings -+ self.master.run_command( -+ ["ipa", "pwpolicy-mod", POLICY, -+ "--minlength", "6"], -+ raiseonerr=False, -+ ) - - @pytest.fixture - def reset_pwpolicy(self): -@@ -212,6 +220,7 @@ class TestPWPolicy(IntegrationTest): - assert 'Password is too simple' in \ - result.stdout_text - -+ self.reset_password(self.master) - # test with valid password - for valid in ('Passw0rd', 'password1!', 'Password!'): - self.kinit_as_user(self.master, PASSWORD, valid) -@@ -252,6 +261,40 @@ class TestPWPolicy(IntegrationTest): - assert result.returncode != 0 - assert 'minlength' in result.stderr_text - -+ def test_minlength_empty(self, reset_pwpolicy): -+ """Test that the pwpolicy minlength can be blank -+ """ -+ # Ensure it is set to a non-zero value to avoid EmptyModlist -+ self.master.run_command( -+ ["ipa", "pwpolicy-mod", POLICY, -+ "--minlength", "10",] -+ ) -+ # Enable one of the libpwquality options, removing minlength -+ # should fail. 
-+ self.master.run_command( -+ ["ipa", "pwpolicy-mod", POLICY, -+ "--maxrepeat", "4",] -+ ) -+ result = self.master.run_command( -+ ["ipa", "pwpolicy-mod", POLICY, -+ "--minlength", "",], raiseonerr=False -+ ) -+ assert result.returncode != 0 -+ -+ # Remove the blocking value -+ self.master.run_command( -+ ["ipa", "pwpolicy-mod", POLICY, -+ "--maxrepeat", "",] -+ ) -+ -+ # Now erase it -+ result = self.master.run_command( -+ ["ipa", "pwpolicy-mod", POLICY, -+ "--minlength", "",] -+ ) -+ assert result.returncode == 0 -+ assert 'minlength' not in result.stderr_text -+ - def test_minlength_add(self): - """Test that adding a new policy with minlength is caught. - """ --- -2.41.0 - diff --git a/0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch b/0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch deleted file mode 100644 index 5d809a2..0000000 --- a/0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch +++ /dev/null 
@@ -1,70 +0,0 @@ -From cfb8748b23e93f84c2a6b03cc55d1116d7d1332e Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Tue, 10 Oct 2023 15:22:27 +0530 -Subject: [PATCH] ipatests: Skip the test failing due to FIPS policy - -1. test_certmonger_reads_token_HSM test in test_installaton.py -is failing in FIPS/STIG mode with the below error. - -SEC_ERROR_PKCS12_UNABLE_TO_IMPORT_KEY: Unable to import. -Error attempting to import private key in STIG mode - -2. Adding the posfix config change, because there was a crash -seen in smtpd in FIPS mode. - -ie. postconf -e smtpd_tls_fingerprint_digest=sha256 - -KCS: https://access.redhat.com/solutions/6958957 - -Signed-off-by: Sudhir Menon -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_epn.py | 4 +++- - ipatests/test_integration/test_installation.py | 2 ++ - 2 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_epn.py b/ipatests/test_integration/test_epn.py -index 8ea79cefbdd067b148ef0b7050c9fc803339371a..b391e32219bb0a799c8d75c113af5da24aa58b46 100644 ---- a/ipatests/test_integration/test_epn.py -+++ b/ipatests/test_integration/test_epn.py -@@ -180,7 +180,6 @@ def configure_starttls(host): - postconf(host, 'smtpd_tls_session_cache_timeout = 3600s') - # announce STARTTLS support to remote SMTP clients, not require - postconf(host, 'smtpd_tls_security_level = may') -- - host.run_command(["systemctl", "restart", "postfix"]) - - -@@ -208,6 +207,9 @@ def configure_ssl_client_cert(host): - # CA certificates of root CAs trusted to sign remote SMTP client cert - postconf(host, f"smtpd_tls_CAfile = {paths.IPA_CA_CRT}") - -+ if host.is_fips_mode: -+ postconf(host, 'smtpd_tls_fingerprint_digest = sha256') -+ - host.run_command(["systemctl", "restart", "postfix"]) - - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index 68a442a9cd7746eec728ee38fda34dbc5361c59b..bf4163abc0f138ed42c639eee3e95df52da43a71 100644 ---- 
a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -35,6 +35,7 @@ from ipatests.pytest_ipa.integration.env_config import get_global_config - from ipatests.test_integration.base import IntegrationTest - from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup - from ipatests.test_integration.test_cert import get_certmonger_fs_id -+from ipatests.pytest_ipa.integration import skip_if_fips - from ipaplatform import services - - -@@ -298,6 +299,7 @@ class TestInstallCA(IntegrationTest): - tasks.install_replica(self.master, self.replicas[1], setup_ca=False) - tasks.install_ca(self.replicas[1], extra_args=["--skip-schema-check"]) - -+ @skip_if_fips() - def test_certmonger_reads_token_HSM(self): - """Test if certmonger reads the token in HSM - --- -2.41.0 - diff --git a/0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch b/0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch deleted file mode 100644 index 66d6c63..0000000 --- a/0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From d4271391adc45c781092db0fb89b802743a9dda8 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 11 Sep 2023 21:37:05 +0000 -Subject: [PATCH] The PKI JSON API the revocation reason key may be - case-sensitive - -PKI 11.4.0 changed the reason keyword in the REST API from lower-case -to camel-case in https://github.com/dogtagpki/pki/commit/926eb221ce6 - -Use Reason instead of reason as the keyword for revocations -for PKI 11.4.0+ - -Related: https://pagure.io/freeipa/issue/9345 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Thomas Woerner ---- - ipaserver/plugins/dogtag.py | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py -index 1c2c51824eecb71cfa8146ceb30435c5ad5d79c7..0036803c86652b557ebeb3cd048877bc01a6b71a 100644 ---- a/ipaserver/plugins/dogtag.py -+++ b/ipaserver/plugins/dogtag.py -@@ -274,6 +274,8 @@ if six.PY3: - - logger = logging.getLogger(__name__) - -+pki_version = pki.util.Version(pki.specification_version()) -+ - # These are general status return values used when - # CMSServlet.outputError() is invoked. - CMS_SUCCESS = 0 -@@ -1130,7 +1132,11 @@ class ra(rabase.rabase, RestClient): - serial_number = int(serial_number, 0) - - path = 'agent/certs/{}/revoke'.format(serial_number) -- data = '{{"reason":"{}"}}'.format(reasons[revocation_reason]) -+ if pki_version < pki.util.Version("11.4.0"): -+ keyword = "reason" -+ else: -+ keyword = "Reason" -+ data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason]) - - http_status, _http_headers, http_body = self._ssldo( - 'POST', path, --- -2.41.0 - diff --git a/0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch b/0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch deleted file mode 100644 index 2f85e4f..0000000 --- a/0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch +++ /dev/null 
@@ -1,102 +0,0 @@ -From 0539d97f3e9d2b7d80549ff08d78fe55afcc2dbb Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 26 Oct 2023 13:59:21 -0400 -Subject: [PATCH] WIP: Get the PKI version from the remote to determine the - argument - -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Thomas Woerner ---- - ipaserver/plugins/dogtag.py | 55 ++++++++++++++++++++++++++++++++----- - 1 file changed, 48 insertions(+), 7 deletions(-) - -diff --git a/ipaserver/plugins/dogtag.py b/ipaserver/plugins/dogtag.py -index 0036803c86652b557ebeb3cd048877bc01a6b71a..7cd51ae58ae0edfe69f0ac7fa190290e2669b0d2 100644 ---- a/ipaserver/plugins/dogtag.py -+++ b/ipaserver/plugins/dogtag.py -@@ -274,8 +274,6 @@ if six.PY3: - - logger = logging.getLogger(__name__) - --pki_version = pki.util.Version(pki.specification_version()) -- - # These are general status return values used when - # CMSServlet.outputError() is invoked. - CMS_SUCCESS = 0 -@@ -1059,6 +1057,39 @@ class ra(rabase.rabase, RestClient): - - return cmd_result - -+ def get_pki_version(self): -+ """ -+ Retrieve the version of a remote PKI server. 
-+ -+ The REST API request is a GET to the info URI: -+ GET /pki/rest/info HTTP/1.1 -+ -+ The response is: {"Version":"11.5.0","Attributes":{"Attribute":[]}} -+ """ -+ path = "/pki/rest/info" -+ logger.debug('%s.get_pki_version()', type(self).__name__) -+ http_status, _http_headers, http_body = self._ssldo( -+ 'GET', path, -+ headers={ -+ 'Content-Type': 'application/json', -+ 'Accept': 'application/json', -+ }, -+ use_session=False, -+ ) -+ if http_status != 200: -+ self.raise_certificate_operation_error('get_pki_version', -+ detail=http_status) -+ -+ try: -+ response = json.loads(ipautil.decode_json(http_body)) -+ except ValueError as e: -+ logger.debug("Response from CA was not valid JSON: %s", e) -+ raise errors.RemoteRetrieveError( -+ reason=_("Response from CA was not valid JSON") -+ ) -+ -+ return response.get('Version') -+ - - def revoke_certificate(self, serial_number, revocation_reason=0): - """ -@@ -1125,6 +1156,20 @@ class ra(rabase.rabase, RestClient): - detail='7 is not a valid revocation reason' - ) - -+ # dogtag changed the argument case for revocation from -+ # "reason" to "Reason" in PKI 11.4.0. Detect that change -+ # based on the remote version and pass the expected value -+ # in. -+ pki_version = pki.util.Version(self.get_pki_version()) -+ if pki_version is None: -+ self.raise_certificate_operation_error('revoke_certificate', -+ detail="Remove version not " -+ "detected") -+ if pki_version < pki.util.Version("11.4.0"): -+ reason = "reason" -+ else: -+ reason = "Reason" -+ - # Convert serial number to integral type from string to properly handle - # radix issues. 
Note: the int object constructor will properly handle - # large magnitude integral values by returning a Python long type -@@ -1132,11 +1177,7 @@ class ra(rabase.rabase, RestClient): - serial_number = int(serial_number, 0) - - path = 'agent/certs/{}/revoke'.format(serial_number) -- if pki_version < pki.util.Version("11.4.0"): -- keyword = "reason" -- else: -- keyword = "Reason" -- data = '{{"{}":"{}"}}'.format(keyword, reasons[revocation_reason]) -+ data = '{{"{}":"{}"}}'.format(reason, reasons[revocation_reason]) - - http_status, _http_headers, http_body = self._ssldo( - 'POST', path, --- -2.41.0 - diff --git a/0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch b/0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch deleted file mode 100644 index eba1717..0000000 --- a/0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From 411107e1d1fa64b15978b7c69522613fbf3aa827 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 29 Sep 2023 10:31:00 +0200 -Subject: [PATCH] ipatests: fix expected output for - ipahealthcheck.meta.services - -ipa-healthcheck commit 31be12b introduced a change in the output -message when pki-tomcatd is not running. -With versions <= 0.12, the service name is displayed as -pki_tomcatd (with an underscore), but with 0.13+ it is -pki-tomcatd (with a dash). - -Fixes: https://pagure.io/freeipa/issue/9460 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_ipahealthcheck.py | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 35fcfe10508589ded021207a4eba4fb0143495b4..5d79f2b529e819a291228776c4cc278463f02e59 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -454,6 +454,11 @@ class TestIpaHealthCheck(IntegrationTest): - assert data[0]["result"] == "SUCCESS" - assert data[0]["kw"]["status"] is True - -+ version = tasks.get_healthcheck_version(self.master) -+ # With healthcheck newer versions, the error msg for PKI tomcat -+ # contains the string pki-tomcatd instead of pki_tomcatd -+ always_replace = parse_version(version) >= parse_version("0.13") -+ - for service in svc_list: - restart_service(self.master, service) - returncode, data = run_healthcheck( -@@ -466,7 +471,7 @@ class TestIpaHealthCheck(IntegrationTest): - for check in data: - if check["check"] != service: - continue -- if service != 'pki_tomcatd': -+ if service != 'pki_tomcatd' or always_replace: - service = service.replace('_', '-') - assert check["result"] == "ERROR" - assert check["kw"]["msg"] == "%s: not running" % service --- -2.41.0 - 
diff --git a/0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch b/0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch
deleted file mode 100644
index 553c2cc..0000000
--- a/0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch
+++ /dev/null
@@ -1,132 +0,0 @@ -From 7e76329f76b7605ac6ec255c53b3c15d368a63f7 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 13 Nov 2023 09:48:09 -0500 -Subject: [PATCH] ipatests: ignore nsslapd-accesslog-logbuffering WARN in - healthcheck - -Log buffering is disabled in the integration tests so we can have all -the logs at the end. This is causing a warning to show in the 389-ds -checks and causing tests to fail that expect all SUCCESS. - -Add an exclude for this specific key so tests will pass again. - -We may eventually want a more sophisiticated mechanism to handle -excludes, or updating the config in general, but this is fine for now. - -Fixes: https://pagure.io/freeipa/issue/9400 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Michal Polovka ---- - .../test_integration/test_ipahealthcheck.py | 28 +++++++++++++++++++ - .../test_replica_promotion.py | 5 +++- - 2 files changed, 32 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 5d79f2b529e819a291228776c4cc278463f02e59..278f75abdd772a59178a61e2ab63e3178fef2518 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -10,6 +10,7 @@ from __future__ import absolute_import - from configparser import RawConfigParser, NoOptionError - from datetime import datetime, timedelta, timezone - UTC = timezone.utc -+import io - import json - import os - import re -@@ -209,6 +210,28 @@ def run_healthcheck(host, source=None, check=None, output_type="json", - return result.returncode, data - - -+def set_excludes(host, option, value, -+ config_file='/etc/ipahealthcheck/ipahealthcheck.conf'): -+ """Mark checks that should be excluded from the results -+ -+ This will set in the [excludes] section on host: -+ option=value -+ """ -+ EXCLUDES = "excludes" -+ -+ conf = host.get_file_contents(config_file, encoding='utf-8') -+ cfg = 
RawConfigParser() -+ cfg.read_string(conf) -+ if not cfg.has_section(EXCLUDES): -+ cfg.add_section(EXCLUDES) -+ if not cfg.has_option(EXCLUDES, option): -+ cfg.set(EXCLUDES, option, value) -+ out = io.StringIO() -+ cfg.write(out) -+ out.seek(0) -+ host.put_file_contents(config_file, out.read()) -+ -+ - @pytest.fixture - def restart_service(): - """Shut down and restart a service as a fixture""" -@@ -266,6 +289,7 @@ class TestIpaHealthCheck(IntegrationTest): - setup_dns=True, - extra_args=['--no-dnssec-validation'] - ) -+ set_excludes(cls.master, "key", "DSCLE0004") - - def test_ipa_healthcheck_install_on_master(self): - """ -@@ -558,6 +582,7 @@ class TestIpaHealthCheck(IntegrationTest): - setup_dns=True, - extra_args=['--no-dnssec-validation'] - ) -+ set_excludes(self.replicas[0], "key", "DSCLE0004") - - # Init a user on replica to assign a DNA range - tasks.kinit_admin(self.replicas[0]) -@@ -698,6 +723,7 @@ class TestIpaHealthCheck(IntegrationTest): - 'output_type=human' - ]) - ) -+ set_excludes(self.master, "key", "DSCLE0004", config_file) - returncode, output = run_healthcheck( - self.master, failures_only=True, config=config_file - ) -@@ -713,6 +739,7 @@ class TestIpaHealthCheck(IntegrationTest): - 'output_file=%s' % HC_LOG, - ]) - ) -+ set_excludes(self.master, "key", "DSCLE0004") - returncode, _unused = run_healthcheck( - self.master, config=config_file - ) -@@ -2408,6 +2435,7 @@ class TestIpaHealthCLI(IntegrationTest): - cls.master, setup_dns=True, extra_args=['--no-dnssec-validation'] - ) - tasks.install_packages(cls.master, HEALTHCHECK_PKG) -+ set_excludes(cls.master, "key", "DSCLE0004") - - def test_indent(self): - """ -diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py -index d477c3a20df80f16d47a55c9359ce165049dd907..b71f2d5d7e1517ab73d79b62477a3377839b0b7a 100644 ---- a/ipatests/test_integration/test_replica_promotion.py -+++ b/ipatests/test_integration/test_replica_promotion.py -@@ 
-13,7 +13,7 @@ import pytest - - from ipatests.test_integration.base import IntegrationTest - from ipatests.test_integration.test_ipahealthcheck import ( -- run_healthcheck, HEALTHCHECK_PKG -+ run_healthcheck, set_excludes, HEALTHCHECK_PKG - ) - from ipatests.pytest_ipa.integration import tasks - from ipatests.pytest_ipa.integration.tasks import ( -@@ -983,6 +983,9 @@ class TestHiddenReplicaPromotion(IntegrationTest): - # manually install KRA to verify that hidden state is synced - tasks.install_kra(cls.replicas[0]) - -+ set_excludes(cls.master, "key", "DSCLE0004") -+ set_excludes(cls.replicas[0], "key", "DSCLE0004") -+ - def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()): - domain = DNSName(self.master.domain.name).make_absolute() - rset = [ --- -2.41.0 - diff --git a/0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch b/0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch deleted file mode 100644 index bd27617..0000000 --- a/0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From faf8be455a6ab4f5b1bed00a611e655535ed31e7 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 14 Nov 2023 13:21:30 -0500 -Subject: [PATCH] ipatests: fix expected output for ipahealthcheck.ipa.host - -ipa-healthcheck commit e69589d5 changed the output when a service -keytab is missing to not report the GSSAPI error but to report -that the keytab doesn't exist at all. This distinguishes from real -Kerberos issues like kvno. - -Fixes: https://pagure.io/freeipa/issue/9482 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Michal Polovka ---- - ipatests/test_integration/test_ipahealthcheck.py | 12 +++++++++--- - 1 file changed, 9 insertions(+), 3 deletions(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 278f75abdd772a59178a61e2ab63e3178fef2518..785e9abbae3b807f100a3d875e0c0b23f868be83 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -635,9 +635,15 @@ class TestIpaHealthCheck(IntegrationTest): - ipahealthcheck.ipa.host when GSSAPI credentials cannot be obtained - from host's keytab. - """ -- msg = ( -- "Minor (2529639107): No credentials cache found" -- ) -+ version = tasks.get_healthcheck_version(self.master) -+ if parse_version(version) >= parse_version("0.15"): -+ msg = ( -+ "Service {service} keytab {path} does not exist." -+ ) -+ else: -+ msg = ( -+ "Minor (2529639107): No credentials cache found" -+ ) - - with tasks.FileBackup(self.master, paths.KRB5_KEYTAB): - self.master.run_command(["rm", "-f", paths.KRB5_KEYTAB]) --- -2.41.0 - diff --git a/0012-group-add-member-fails-with-an-external-member.patch b/0012-group-add-member-fails-with-an-external-member.patch deleted file mode 100644 index 61339da..0000000 --- a/0012-group-add-member-fails-with-an-external-member.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From bc69177ef80d1873026ad91a6e449b9cf20028b9 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 19 Oct 2023 12:47:03 +0200 -Subject: [PATCH] group-add-member fails with an external member - -The command ipa group-add-member --external aduser@addomain.test -fails with an internal error when used with samba 4.19. - -The command internally calls samba.security.dom_sid(sid) which -used to raise a TypeError but now raises a ValueError -(commit 9abdd67 on https://github.com/samba-team/samba). - -IPA source code needs to handle properly both exception types. - -Fixes: https://pagure.io/freeipa/issue/9466 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipaserver/dcerpc.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py -index 741f0608f93449f5a3959a47734f965ab484a1e5..7e585c87639db093222fe2cebca5c9094a22d7ce 100644 ---- a/ipaserver/dcerpc.py -+++ b/ipaserver/dcerpc.py -@@ -303,7 +303,7 @@ class DomainValidator: - # Parse sid string to see if it is really in a SID format - try: - test_sid = security.dom_sid(sid) -- except TypeError: -+ except (TypeError, ValueError): - raise errors.ValidationError(name='sid', - error=_('SID is not valid')) - --- -2.43.0 - diff --git a/0013-Handle-samba-changes-in-samba.security.dom_sid.patch b/0013-Handle-samba-changes-in-samba.security.dom_sid.patch deleted file mode 100644 index 07196a0..0000000 --- a/0013-Handle-samba-changes-in-samba.security.dom_sid.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From c6623f9ce4e1bde729ed6f729da5981c9f26c728 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 20 Oct 2023 10:20:57 +0200 -Subject: [PATCH] Handle samba changes in samba.security.dom_sid() - -samba.security.dom_sid() in 4.19 now raises ValueError instead of -TypeError. Fix the expected exception. - -Related: https://pagure.io/freeipa/issue/9466 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy ---- - ipaserver/dcerpc.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py -index 7e585c87639db093222fe2cebca5c9094a22d7ce..675572c036e4ea5434d2c6808dd301b425229b38 100644 ---- a/ipaserver/dcerpc.py -+++ b/ipaserver/dcerpc.py -@@ -97,7 +97,7 @@ logger = logging.getLogger(__name__) - def is_sid_valid(sid): - try: - security.dom_sid(sid) -- except TypeError: -+ except (TypeError, ValueError): - return False - else: - return True -@@ -457,7 +457,7 @@ class DomainValidator: - try: - test_sid = security.dom_sid(sid) - return unicode(test_sid) -- except TypeError: -+ except (TypeError, ValueError): - raise errors.ValidationError(name=_('trusted domain object'), - error=_('Trusted domain did not ' - 'return a valid SID for ' --- -2.43.0 - diff --git a/0014-test_install-restart-services-after-date-change.patch b/0014-test_install-restart-services-after-date-change.patch deleted file mode 100644 index cd4bcd7..0000000 --- a/0014-test_install-restart-services-after-date-change.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From c7f999599efe9f3f237f8ad3b7c739714051e3e9 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 7 Dec 2023 08:35:45 +0100 -Subject: [PATCH] test_install: restart services after date change - -The test TestKRAinstallAfterCertRenew is moving the -date in the future in order to reach the grace period where -certmonger detects some certificates need to be renewed. -Restart the services after the date change. - -Fixes: https://pagure.io/freeipa/issue/9405 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Michal Polovka ---- - ipatests/test_integration/test_installation.py | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index bf4163abc0f138ed42c639eee3e95df52da43a71..02fa5bc56d63421c28a5dd1fa02f9f75d305e7bf 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -1569,6 +1569,8 @@ class TestKRAinstallAfterCertRenew(IntegrationTest): - grace_date = cert_expiry - timedelta(days=10) - grace_date = datetime.strftime(grace_date, "%Y-%m-%d %H:%M:%S") - self.master.run_command(['date', '-s', grace_date]) -+ # restart service after date change -+ self.master.run_command(['ipactl', 'restart']) - - # get the count of certs track by certmonger - cmd = self.master.run_command(['getcert', 'list']) -@@ -1591,6 +1593,8 @@ class TestKRAinstallAfterCertRenew(IntegrationTest): - cert_expiry = cert_expiry + timedelta(days=3) - cert_expiry = datetime.strftime(cert_expiry, "%Y-%m-%d %H:%M:%S") - self.master.run_command(['date', '-s', cert_expiry]) -+ # restart service after date change -+ self.master.run_command(['ipactl', 'restart']) - - passwd = "{passwd}\n{passwd}\n{passwd}".format(passwd=admin_pass) - self.master.run_command(['kinit', 'admin'], stdin_text=passwd) --- -2.43.0 - 
diff --git a/0015-Issue-9497-Add-new-password-policy-logging-function.patch b/0015-Issue-9497-Add-new-password-policy-logging-function.patch deleted file mode 100644 index 1512cfc..0000000 --- a/0015-Issue-9497-Add-new-password-policy-logging-function.patch +++ /dev/null @@ -1,40 +0,0 @@ -From eabdbbc00613963deffe42ea17dfb0a690c62e3f Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 12 Dec 2023 08:34:44 -0500 -Subject: [PATCH] Issue 9497 - Add new password policy logging function - -Fixes: https://pagure.io/freeipa/issue/9497 - -Signed-off-by: Mark Reynolds -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-slapi-plugins/common/util.h | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/daemons/ipa-slapi-plugins/common/util.h b/daemons/ipa-slapi-plugins/common/util.h -index 1eaf47facb717fe6a95d89fe02311205eabc3e96..db7cf7181ceaf710a5a082c4e80eb66567180be5 100644 ---- a/daemons/ipa-slapi-plugins/common/util.h -+++ b/daemons/ipa-slapi-plugins/common/util.h -@@ -30,7 +30,7 @@ - * Program may make changes or additions to the list of Approved - * Interfaces. - * -- * Copyright (C) 2010 Red Hat, Inc. -+ * Copyright (C) 2010-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -67,6 +67,10 @@ - "[file %s, line %d]: " fmt, \ - __FILE__, __LINE__, ##__VA_ARGS__) - -+#define LOG_PWDPOLICY(fmt, ...) \ -+ slapi_log_error(SLAPI_LOG_PWDPOLICY, log_func, fmt, ##__VA_ARGS__) -+ -+/* "Trace" logging is very expensive and should be avoided/replaced. TBD */ - #define LOG_TRACE(fmt, ...) \ - slapi_log_error(SLAPI_LOG_TRACE, log_func, fmt, ##__VA_ARGS__) - --- -2.43.0 - diff --git a/0016-Issue-9497-Update-logging-in-ipa_enrollment.patch b/0016-Issue-9497-Update-logging-in-ipa_enrollment.patch deleted file mode 100644 index ae5ef17..0000000 --- a/0016-Issue-9497-Update-logging-in-ipa_enrollment.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From 7e31f111c83bed966157b0660e9640e18450b1a2 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 12 Dec 2023 08:36:49 -0500 -Subject: [PATCH] Issue 9497 - Update logging in ipa_enrollment - -Fixes: https://pagure.io/freeipa/issue/9497 - -Signed-off-by: Mark Reynolds -Reviewed-By: Alexander Bokovoy ---- - .../ipa-enrollment/ipa_enrollment.c | 13 +++++++------ - 1 file changed, 7 insertions(+), 6 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c -index 26cbb69d713767909fd62fb77e7defdd323ec7ac..b72ad5ef1c81997d89b2f94528da516b5df3d285 100644 ---- a/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c -+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/ipa_enrollment.c -@@ -30,7 +30,7 @@ - * Program may make changes or additions to the list of Approved - * Interfaces. - * -- * Copyright (C) 2005 Red Hat, Inc. -+ * Copyright (C) 2005-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -132,7 +132,8 @@ ipa_join(Slapi_PBlock *pb) - Slapi_DN *sdn; - Slapi_Backend *be; - Slapi_Entry **es = NULL; -- int rc=0, ret=0, res, i; -+ int rc=0, ret=0, res; -+ size_t i; - int is_root=0; - char *krbLastPwdChange = NULL; - char *fqdn = NULL; -@@ -204,7 +205,7 @@ ipa_join(Slapi_PBlock *pb) - - /* if there is none or more than one, freak out */ - if (i != 1) { -- LOG_TRACE("Too many entries, or entry no found (%d)", i); -+ LOG_TRACE("Too many entries, or entry no found (%lu)\n", i); - if (i == 0) - errMesg = "Host not found.\n"; - else -@@ -217,7 +218,7 @@ ipa_join(Slapi_PBlock *pb) - /* Is this host already enrolled? 
*/ - krbLastPwdChange = slapi_entry_attr_get_charptr(targetEntry, "krbLastPwdChange"); - if (NULL != krbLastPwdChange) { -- LOG_TRACE("Host already enrolled"); -+ LOG_TRACE("Host already enrolled\n"); - errMesg = "Host already enrolled.\n"; - rc = LDAP_OPERATIONS_ERROR; - goto free_and_return; -@@ -313,8 +314,8 @@ done: - ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_OID, JOIN_OID); - if (!ret) ret = slapi_pblock_set(pb, SLAPI_EXT_OP_RET_VALUE, &retbval); - if (ret) { -- errMesg = "Could not set return values"; -- LOG("%s\n", errMesg); -+ errMesg = "Could not set return values\n"; -+ LOG("%s", errMesg); - rc = SLAPI_PLUGIN_EXTENDED_SENT_RESULT; - } - --- -2.43.0 - diff --git a/0017-Issue-9497-update-debug-logging-in-ipa_graceperiod.patch b/0017-Issue-9497-update-debug-logging-in-ipa_graceperiod.patch deleted file mode 100644 index e375136..0000000 --- a/0017-Issue-9497-update-debug-logging-in-ipa_graceperiod.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From e4aebc121c9242390da86fe6bda3e8c28edfb746 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 12 Dec 2023 08:37:41 -0500 -Subject: [PATCH] Issue 9497 - update debug logging in ipa_graceperiod - -Fixes: https://pagure.io/freeipa/issue/9497 - -Signed-off-by: Mark Reynolds -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -index 345e1dee7d163167373ca82dedb1e827f0e1bc8c..7a2d4f2aaea677d1fb3553fe49e6aa17c3e7a38c 100644 ---- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c -@@ -30,7 +30,7 @@ - * Program may make changes or additions to the list of Approved - * Interfaces. - * -- * Copyright (C) 2022 Red Hat, Inc. -+ * Copyright (C) 2022-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -447,7 +447,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) - LOG_TRACE("grace limit disabled, skipping\n"); - goto done; - } else if (grace_limit < -1) { -- LOG_FATAL("Invalid passwordGraceLimit value %d\n", grace_limit); -+ LOG_FATAL("Invalid passwordGraceLimit value %ld\n", grace_limit); - return LDAP_OPERATIONS_ERROR; - } - -@@ -480,7 +480,7 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb) - slapi_pwpolicy_make_response_control(pb, -1, grace_limit - grace_user_time , -1); - } - } else if (grace_user_time >= grace_limit) { -- LOG_TRACE("%s password is expired and out of grace limit\n", dn); -+ LOG_PWDPOLICY("%s password is expired and out of grace limit\n", dn); - errstr = "Password is expired.\n"; - ret = LDAP_INVALID_CREDENTIALS; - --- -2.43.0 - 
diff --git a/0018-Issue-9497-update-debug-logging-in-ipa_lockout.patch b/0018-Issue-9497-update-debug-logging-in-ipa_lockout.patch deleted file mode 100644 index ae8554f..0000000 --- a/0018-Issue-9497-update-debug-logging-in-ipa_lockout.patch +++ /dev/null @@ -1,46 +0,0 @@ -From be805c1150fd0c2e6ac2276f8535b14d57557aad Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 12 Dec 2023 08:38:47 -0500 -Subject: [PATCH] Issue 9497 - update debug logging in ipa_lockout - -Fixes: https://pagure.io/freeipa/issue/9497 - -Signed-off-by: Mark Reynolds -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c -index a8095ccd371bfd29e3148ab2ad8c982a08f0b7e0..366018094bdc42c914d7743a89519ba1e1a6e124 100644 ---- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c -+++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c -@@ -30,7 +30,7 @@ - * Program may make changes or additions to the list of Approved - * Interfaces. - * -- * Copyright (C) 2010 Red Hat, Inc. -+ * Copyright (C) 2010-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -823,13 +823,15 @@ static int ipalockout_preop(Slapi_PBlock *pb) - if (failedcount >= max_fail) { - if (lockout_duration == 0) { - errstr = "Entry permanently locked.\n"; -+ LOG_PWDPOLICY("Entry '%s' is permanently locked.\n", dn); - ret = LDAP_UNWILLING_TO_PERFORM; - goto done; - } - - if (time_now < last_failed + lockout_duration) { - /* Too many failures */ -- LOG_TRACE("Too many failed logins. %lu out of %d\n", failedcount, max_fail); -+ LOG_PWDPOLICY("Too many failed logins for '%s'. %lu out of %d\n", -+ dn, failedcount, max_fail); - errstr = "Too many failed logins.\n"; - ret = LDAP_UNWILLING_TO_PERFORM; - } --- -2.43.0 - 
diff --git a/0019-Issue-9497-update-debug-logging-in-ipa_modrdn.patch b/0019-Issue-9497-update-debug-logging-in-ipa_modrdn.patch
deleted file mode 100644
index df1c28a..0000000
--- a/0019-Issue-9497-update-debug-logging-in-ipa_modrdn.patch
+++ /dev/null
@@ -1,56 +0,0 @@ -From 473b1e465ba93ec313bc7cea62bb8d545f37e8bd Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 12 Dec 2023 08:39:14 -0500 -Subject: [PATCH] Issue 9497 - update debug logging in ipa_modrdn - -Fixes: https://pagure.io/freeipa/issue/9497 - -Signed-off-by: Mark Reynolds -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c -index 6cec5f242b7d23d3752e5bc30c67e034abc96abb..8be192a5e94211f94a7f3a8a62409250b723ddb5 100644 ---- a/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c -+++ b/daemons/ipa-slapi-plugins/ipa-modrdn/ipa_modrdn.c -@@ -30,7 +30,7 @@ - * Program may make changes or additions to the list of Approved - * Interfaces. - * -- * Copyright (C) 2010 Red Hat, Inc. -+ * Copyright (C) 2010-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -350,7 +350,6 @@ ipamodrdn_load_plugin_config(void) - { - int status = EOK; - int result; -- int i; - Slapi_PBlock *search_pb; - Slapi_Entry **entries = NULL; - -@@ -379,7 +378,7 @@ ipamodrdn_load_plugin_config(void) - goto cleanup; - } - -- for (i = 0; (entries[i] != NULL); i++) { -+ for (size_t i = 0; (entries[i] != NULL); i++) { - /* We don't care about the status here because we may have - * some invalid config entries, but we just want to continue - * looking for valid ones. */ -@@ -680,7 +679,8 @@ ipamodrdn_change_attr(struct configEntry *cfgentry, - slapi_modify_internal_pb(mod_pb); - slapi_pblock_get(mod_pb, SLAPI_PLUGIN_INTOP_RESULT, &ret); - if (ret != LDAP_SUCCESS) { -- LOG_FATAL("Failed to change attribute with error %d\n", ret); -+ LOG_FATAL("Failed to change attribute '%s' in '%s' with error %d\n", -+ cfgentry->tattr, targetdn, ret); - ret = EFAIL; - } - ret = EOK; --- -2.43.0 - 
diff --git a/0020-Issue-9497-update-debug-logging-in-ipa_otp_counter.patch b/0020-Issue-9497-update-debug-logging-in-ipa_otp_counter.patch
deleted file mode 100644
index 5713c8a..0000000
--- a/0020-Issue-9497-update-debug-logging-in-ipa_otp_counter.patch
+++ /dev/null
@@ -1,82 +0,0 @@ -From 0f78feeca51a7abe49fbabf22991bf89eba7b12a Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 12 Dec 2023 08:39:47 -0500 -Subject: [PATCH] Issue 9497 - update debug logging in ipa_otp_counter - -Fixes: https://pagure.io/freeipa/issue/9497 - -Signed-off-by: Mark Reynolds -Reviewed-By: Alexander Bokovoy ---- - .../ipa-otp-counter/ipa_otp_counter.c | 13 +++++++++---- - daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h | 4 +++- - 2 files changed, 12 insertions(+), 5 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c b/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c -index da047d7dc58e27b37ad29c39bde44e33602ab4c5..5e03450c5164ee450736fc61b40ef769bc4572dd 100644 ---- a/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c -+++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/ipa_otp_counter.c -@@ -33,7 +33,7 @@ - * Authors: - * Nathaniel McCallum - * -- * Copyright (C) 2014 Red Hat, Inc. -+ * Copyright (C) 2014-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -295,14 +295,16 @@ preop_mod(Slapi_PBlock *pb) - } - - if (!simulate(mods, attr, cpre, &cpost) && repl == 0) { -- msg = slapi_ch_smprintf("Invalid operation sequence on %s", attr); -+ msg = slapi_ch_smprintf("Invalid operation sequence on %s (%s)", -+ attr, slapi_entry_get_dn_const(epre)); - goto error; - } - - if (cpost < cpre) { - if (repl == 0) { -- msg = slapi_ch_smprintf("Will not %s %s", -- cpost == COUNTER_UNSET ? "delete" : "decrement", attr); -+ msg = slapi_ch_smprintf("Will not %s %s (%s)", -+ cpost == COUNTER_UNSET ? 
"delete" : "decrement", -+ attr, slapi_entry_get_dn_const(epre)); - goto error; - } - -@@ -321,6 +323,9 @@ preop_mod(Slapi_PBlock *pb) - - error: - rc = LDAP_UNWILLING_TO_PERFORM; -+ if (msg) { -+ LOG("%s - error %d\n", msg, rc); -+ } - slapi_send_ldap_result(pb, rc, NULL, msg, 0, NULL); - if (slapi_pblock_set(pb, SLAPI_RESULT_CODE, &rc)) { - LOG_FATAL("slapi_pblock_set failed!\n"); -diff --git a/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h b/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h -index 45f43904b2288a97802ad2d698a30be972e2d8b7..324107c487f53e11774c51f248b00043e44b0bcc 100644 ---- a/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h -+++ b/daemons/ipa-slapi-plugins/ipa-otp-counter/ldapmod.h -@@ -33,7 +33,7 @@ - * Authors: - * Nathaniel McCallum - * -- * Copyright (C) 2014 Red Hat, Inc. -+ * Copyright (C) 2014-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -41,6 +41,8 @@ - - #include - -+#define IPA_PLUGIN_NAME "ipa-otp-counter" -+ - long long - ldapmod_get_value(const LDAPMod *mod, long long def); - --- -2.43.0 - diff --git a/0021-Issue-9497-update-debug-logging-in-ipa_otp_lasttoken.patch b/0021-Issue-9497-update-debug-logging-in-ipa_otp_lasttoken.patch deleted file mode 100644 index 1d82729..0000000 --- a/0021-Issue-9497-update-debug-logging-in-ipa_otp_lasttoken.patch +++ /dev/null 
@@ -1,96 +0,0 @@ -From 5eb6af01873d0f70ff5b02c972867877da8e7c50 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 12 Dec 2023 08:40:13 -0500 -Subject: [PATCH] Issue 9497 - update debug logging in ipa_otp_lasttoken - -Fixes: https://pagure.io/freeipa/issue/9497 - -Signed-off-by: Mark Reynolds -Reviewed-By: Alexander Bokovoy ---- - .../ipa-otp-lasttoken/ipa_otp_lasttoken.c | 25 ++++++++++++------- - 1 file changed, 16 insertions(+), 9 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c -index 11106b239f9de9074125979cfae7c02e434936e1..c1318f8eb19a5ff7da016eb145eece2f56925235 100644 ---- a/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c -+++ b/daemons/ipa-slapi-plugins/ipa-otp-lasttoken/ipa_otp_lasttoken.c -@@ -33,7 +33,7 @@ - * Authors: - * Nathaniel McCallum - * -- * Copyright (C) 2013 Red Hat, Inc. -+ * Copyright (C) 2013-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -46,7 +46,7 @@ - - #include "util.h" - --#define PLUGIN_NAME "ipa-otp-lasttoken" -+#define IPA_PLUGIN_NAME "ipa-otp-lasttoken" - #define OTP_CONTAINER "cn=otp,%s" - - static struct otp_config *otp_config; -@@ -191,9 +191,14 @@ static inline int send_error(Slapi_PBlock *pb, int rc, const char *errstr) - - static int preop_del(Slapi_PBlock *pb) - { -+ char *dn = NULL; -+ - if (is_allowed(pb, NULL)) - return 0; - -+ slapi_pblock_get(pb, SLAPI_TARGET_DN, &dn); -+ LOG("Can't delete last active token (%s)", dn); -+ - return send_error(pb, LDAP_UNWILLING_TO_PERFORM, - "Can't delete last active token"); - } -@@ -221,10 +226,12 @@ static int preop_mod(Slapi_PBlock *pb) - return 0; - - /* If a protected attribute is modified, deny. 
*/ -- for (int i = 0; mods != NULL && mods[i] != NULL; i++) { -- for (int j = 0; errors[j].attr != NULL; j++) { -- if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0) -+ for (size_t i = 0; mods != NULL && mods[i] != NULL; i++) { -+ for (size_t j = 0; errors[j].attr != NULL; j++) { -+ if (strcasecmp(mods[i]->mod_type, errors[j].attr) == 0) { -+ LOG("%s (%s)", errors[j].msg, slapi_entry_get_dn_const(entry)); - return send_error(pb, LDAP_UNWILLING_TO_PERFORM, errors[j].msg); -+ } - } - } - -@@ -284,7 +291,7 @@ static int ipa_otp_lasttoken_start(Slapi_PBlock *pb) - int ipa_otp_lasttoken_init(Slapi_PBlock *pb) - { - static const Slapi_PluginDesc preop_desc = { -- PLUGIN_NAME, -+ IPA_PLUGIN_NAME, - "FreeIPA", - "FreeIPA/1.0", - "Protect the user's last active token" -@@ -297,14 +304,14 @@ int ipa_otp_lasttoken_init(Slapi_PBlock *pb) - ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_VERSION, SLAPI_PLUGIN_VERSION_01); - ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_DESCRIPTION, (void *) &preop_desc); - ret |= slapi_register_plugin("betxnpreoperation", 1, __func__, preop_init, -- PLUGIN_NAME " betxnpreoperation", NULL, -+ IPA_PLUGIN_NAME " betxnpreoperation", NULL, - ipa_otp_lasttoken_plugin_id); - ret |= slapi_register_plugin("postoperation", 1, __func__, postop_init, -- PLUGIN_NAME " postoperation", NULL, -+ IPA_PLUGIN_NAME " postoperation", NULL, - ipa_otp_lasttoken_plugin_id); - ret |= slapi_register_plugin("internalpostoperation", 1, __func__, - intpostop_init, -- PLUGIN_NAME " internalpostoperation", NULL, -+ IPA_PLUGIN_NAME " internalpostoperation", NULL, - ipa_otp_lasttoken_plugin_id); - ret |= slapi_pblock_set(pb, SLAPI_PLUGIN_START_FN, - (void *)ipa_otp_lasttoken_start); --- -2.43.0 - diff --git a/0022-Issue-9497-update-debug-logging-in-ipa-pwd-extop.patch b/0022-Issue-9497-update-debug-logging-in-ipa-pwd-extop.patch deleted file mode 100644 index 602b81c..0000000 --- a/0022-Issue-9497-update-debug-logging-in-ipa-pwd-extop.patch +++ /dev/null 
@@ -1,766 +0,0 @@ -From 3a8fe8c3a9de8d0e17ab4064ac689bce2b4b5042 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 12 Dec 2023 08:41:10 -0500 -Subject: [PATCH] Issue 9497 - update debug logging in ipa-pwd-extop - -Fixes: https://pagure.io/freeipa/issue/9497 - -Signed-off-by: Mark Reynolds -Reviewed-By: Alexander Bokovoy ---- - .../ipa-slapi-plugins/ipa-pwd-extop/common.c | 25 +++-- - .../ipa-pwd-extop/encoding.c | 5 +- - .../ipa-pwd-extop/ipa_pwd_extop.c | 106 ++++++++++-------- - .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 59 +++++----- - 4 files changed, 105 insertions(+), 90 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c -index 5251713c68855e10b0980af71696d944e683ae90..d30764bb2a05c7ca4a33ea114a2dc19af39e216f 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c -@@ -33,7 +33,7 @@ - * Authors: - * Simo Sorce - * -- * Copyright (C) 2007-2010 Red Hat, Inc. -+ * Copyright (C) 2007-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -81,7 +81,8 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) - char **encsalts; - char **tmparray; - char *tmpstr; -- int i, ret; -+ int ret; -+ size_t i; - - config = calloc(1, sizeof(struct ipapwd_krbcfg)); - if (!config) { -@@ -327,7 +328,8 @@ int ipapwd_getPolicy(const char *dn, - "ipaPwdUserCheck", NULL}; - Slapi_Entry **es = NULL; - Slapi_Entry *pe = NULL; -- int ret, res, scope, i; -+ int ret, res, scope; -+ size_t i; - int buffer_flags=0; - Slapi_ValueSet* results = NULL; - char *actual_type_name = NULL; -@@ -545,7 +547,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, - } - sdn = slapi_sdn_new_dn_byref(dn); - if (!sdn) { -- LOG_FATAL("Unable to convert dn to sdn %s", dn ? dn : ""); -+ LOG_FATAL("Unable to convert dn to sdn %s\n", dn ? 
dn : ""); - *errMesg = "Internal Error"; - rc = LDAP_OPERATIONS_ERROR; - goto done; -@@ -564,7 +566,7 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, - /* get the kerberos context and master key */ - *config = ipapwd_getConfig(); - if (NULL == *config) { -- LOG_FATAL("Error Retrieving Master Key"); -+ LOG_FATAL("Error Retrieving Master Key\n"); - *errMesg = "Fatal Internal Error"; - rc = LDAP_OPERATIONS_ERROR; - } -@@ -594,7 +596,7 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) - /* Find the entry with the password policy */ - ret = ipapwd_getPolicy(data->dn, data->target, &pol); - if (ret) { -- LOG_TRACE("No password policy, use defaults"); -+ LOG_TRACE("No password policy, use defaults\n"); - } - break; - case IPA_CHANGETYPE_ADMIN: -@@ -620,14 +622,14 @@ int ipapwd_CheckPolicy(struct ipapwd_data *data) - */ - ret = ipapwd_getPolicy(data->dn, data->target, &tmppol); - if (ret) { -- LOG_TRACE("No password policy, use defaults"); -+ LOG_TRACE("No password policy, use defaults\n"); - } else { - pol.max_pwd_life = tmppol.max_pwd_life; - pol.history_length = tmppol.history_length; - } - break; - default: -- LOG_TRACE("Unknown password change type, use defaults"); -+ LOG_TRACE("Unknown password change type, use defaults\n"); - break; - } - -@@ -860,7 +862,7 @@ int ipapwd_SetPassword(struct ipapwd_krbcfg *krbcfg, - case IPA_CHANGETYPE_DSMGR: - case IPA_CHANGETYPE_ADMIN: - /* Mark as administratively reset which will unlock acct */ -- ret = ipapwd_setdate(data->target, smods, -+ ret = ipapwd_setdate(data->target, smods, - "krbLastAdminUnlock", - data->timeNow, false); - if (ret != LDAP_SUCCESS) -@@ -951,7 +953,7 @@ Slapi_Value **ipapwd_setPasswordHistory(Slapi_Mods *smods, - char **new_pwd_history = NULL; - int n = 0; - int ret; -- int i; -+ size_t i; - - pwd_history = slapi_entry_attr_get_charray(data->target, - "passwordHistory"); -@@ -1083,10 +1085,9 @@ int ipapwd_set_extradata(const char *dn, - void ipapwd_free_slapi_value_array(Slapi_Value ***svals) - 
{ - Slapi_Value **sv = *svals; -- int i; - - if (sv) { -- for (i = 0; sv[i]; i++) { -+ for (size_t i = 0; sv[i]; i++) { - slapi_value_free(&sv[i]); - } - } -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c -index 7b2f341229b4f3bf48105c3856c0d6778da154a5..43ae6f0a645c8f3ff0fa2d147891f93efff0eb20 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/encoding.c -@@ -33,7 +33,7 @@ - * Authors: - * Simo Sorce - * -- * Copyright (C) 2007-2010 Red Hat, Inc. -+ * Copyright (C) 2007-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -231,7 +231,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, - - if (!*svals) { - /* errMesg should have been set in encrypt_encode_key() */ -- LOG_FATAL("key encryption/encoding failed\n"); -+ LOG_FATAL("key encryption/encoding failed (%s)\n", *errMesg); - rc = LDAP_OPERATIONS_ERROR; - goto done; - } -@@ -267,6 +267,7 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg, - } - (*ntvals)[0] = slapi_value_new(); - if (slapi_value_set((*ntvals)[0], nt_key, 16) == NULL) { -+ LOG("Failed to set value for nt_key"); - rc = LDAP_OPERATIONS_ERROR; - goto done; - } -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c -index 0d630ca04c38b739bb0d8bf22c162af9d3e15566..43c31becae45c1c91c7c2adf498aedbd05af9a69 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c -@@ -33,7 +33,7 @@ - * Authors: - * Simo Sorce - * -- * Copyright (C) 2007-2010 Red Hat, Inc. -+ * Copyright (C) 2007-2023 Red Hat, Inc. - * All rights reserved. 
- * END COPYRIGHT BLOCK **/ - -@@ -108,7 +108,7 @@ static void filter_keys(struct ipapwd_krbcfg *krbcfg, - struct ipapwd_keyset *kset, - bool allow_nthash) - { -- int i, j; -+ size_t i, j; - - for (i = 0; i < kset->num_keys; i++) { - for (j = 0; j < krbcfg->num_supp_encsalts; j++) { -@@ -151,11 +151,11 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg, - bool allow_nthash) - { - /* first filter for duplicates */ -- for (int i = 0; i + 1 < *num_kenctypes; i++) { -- for (int j = i + 1; j < *num_kenctypes; j++) { -+ for (size_t i = 0; i + 1 < *num_kenctypes; i++) { -+ for (size_t j = i + 1; j < *num_kenctypes; j++) { - if (kenctypes[i].ks_enctype == kenctypes[j].ks_enctype) { - /* duplicate, filter out */ -- for (int k = j; k + 1 < *num_kenctypes; k++) { -+ for (size_t k = j; k + 1 < *num_kenctypes; k++) { - kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype; - kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype; - } -@@ -166,8 +166,8 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg, - } - - /* then filter for supported */ -- for (int i = 0; i < *num_kenctypes; i++) { -- int j; -+ for (size_t i = 0; i < *num_kenctypes; i++) { -+ size_t j; - - /* Check if supported */ - for (j = 0; j < krbcfg->num_supp_encsalts; j++) { -@@ -184,7 +184,7 @@ static void filter_enctypes(struct ipapwd_krbcfg *krbcfg, - } - if (j == krbcfg->num_supp_encsalts) { - /* Unsupported, filter out */ -- for (int k = i; k + 1 < *num_kenctypes; k++) { -+ for (size_t k = i; k + 1 < *num_kenctypes; k++) { - kenctypes[k].ks_enctype = kenctypes[k + 1].ks_enctype; - kenctypes[k].ks_salttype = kenctypes[k + 1].ks_salttype; - } -@@ -344,6 +344,8 @@ parse_req_done: - - rc = ipapwd_check_max_pwd_len(strlen(newPasswd), &errMesg); - if (rc) { -+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", -+ bindDN, errMesg); - goto free_and_return; - } - -@@ -456,7 +458,7 @@ parse_req_done: - char *cur_pw; - - if (oldPasswd == NULL || *oldPasswd == '\0') { -- LOG_FATAL("Old 
password was not provided!\n"); -+ LOG_FATAL("Old password was not provided for '%s'!\n", dn); - rc = LDAP_INVALID_CREDENTIALS; - goto free_and_return; - } -@@ -466,7 +468,7 @@ parse_req_done: - cur_pw = slapi_entry_attr_get_charptr(targetEntry, - "userPassword"); - if (!cur_pw) { -- LOG_FATAL("User has no current password?\n"); -+ LOG_FATAL("User '%s' does not have a current password?\n", dn); - rc = LDAP_UNWILLING_TO_PERFORM; - goto free_and_return; - } -@@ -485,7 +487,7 @@ parse_req_done: - slapi_value_free(&pw); - - if (ret != 0) { -- LOG_TRACE("Invalid password!\n"); -+ LOG_TRACE("Invalid password for '%s'!\n", dn); - rc = LDAP_INVALID_CREDENTIALS; - goto free_and_return; - } -@@ -579,11 +581,9 @@ parse_req_done: - /* special cases */ - if ((strcasecmp(dn, bindDN) != 0) && - (strcasecmp(ipa_changepw_principal_dn, bindDN) != 0)) { -- int i; -- - pwdata.changetype = IPA_CHANGETYPE_ADMIN; - -- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) { -+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) { - if (strcasecmp(krbcfg->passsync_mgrs[i], bindDN) == 0) { - pwdata.changetype = IPA_CHANGETYPE_DSMGR; - break; -@@ -606,6 +606,8 @@ parse_req_done: - errMesg = ipapwd_error2string(ret); - ret = ipapwd_to_ldap_pwpolicy_error(ret); - slapi_pwpolicy_make_response_control(pb, -1, -1, ret); -+ LOG_PWDPOLICY("Failed to set password credentials for" -+ " '%s': %s\n", dn, errMesg); - rc = LDAP_CONSTRAINT_VIOLATION; - goto free_and_return; - } -@@ -666,7 +668,7 @@ free_and_return: - if (targetEntry) slapi_entry_free(targetEntry); - if (ber) ber_free(ber, 1); - -- LOG("%s", errMesg ? errMesg : "success"); -+ LOG("%s\n", errMesg ? 
errMesg : "success"); - slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); - - return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; -@@ -732,7 +734,8 @@ static Slapi_Entry *get_entry_by_principal(const char *principal) - "krbCanonicalName", - "enrolledBy", NULL }; - Slapi_Entry **es = NULL; -- int res, ret, i; -+ int res, ret; -+ size_t i; - Slapi_Entry *entry = NULL; - - /* Find ancestor base DN */ -@@ -774,7 +777,7 @@ static Slapi_Entry *get_entry_by_principal(const char *principal) - - /* if there is none or more than one, freak out */ - if (i != 1) { -- LOG_TRACE("Too many entries, or entry no found (%d)", i); -+ LOG_TRACE("Too many entries, or entry no found (%ld)\n", i); - goto free_and_return; - } - entry = slapi_entry_dup(es[0]); -@@ -809,7 +812,7 @@ static bool is_allowed_to_access_attr(Slapi_PBlock *pb, char *bindDN, - */ - be = get_realm_backend(); - if (!be) { -- LOG_FATAL("Could not fetch REALM backend!"); -+ LOG_FATAL("Could not fetch REALM backend!\n"); - return false; - } - if (slapi_pblock_set(pb, SLAPI_BACKEND, be)) { -@@ -868,7 +871,8 @@ static void remove_user_password(Slapi_Mods *smods, - if ((NULL != pw) && (NULL == krbLastPwdChange)) { - slapi_mods_add_mod_values(smods, LDAP_MOD_DELETE, - "userPassword", NULL); -- LOG_TRACE("Removing userPassword from host entry\n"); -+ LOG_TRACE("Removing userPassword from host entry '%s'\n", -+ slapi_entry_get_dn_const(targetEntry)); - } - } - if (krbLastPwdChange) slapi_ch_free_string(&krbLastPwdChange); -@@ -891,8 +895,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn, - rc = set_krbLastPwdChange(smods, time_now); - if (rc) { - rc = LDAP_OPERATIONS_ERROR; -- LOG_FATAL("Failed to set krbLastPwdChange"); -- err_msg = "Internal error while storing keytab data\n"; -+ LOG_FATAL("Failed to set krbLastPwdChange for target '%s'\n", -+ slapi_entry_get_dn_const(target)); -+ err_msg = "Internal error while storing keytab data"; - goto done; - } - -@@ -905,8 +910,9 @@ static int 
store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn, - rc = ipapwd_apply_mods(slapi_entry_get_dn_const(target), smods); - if (rc != LDAP_SUCCESS) { - rc = LDAP_OPERATIONS_ERROR; -- LOG_FATAL("Failed to apply mods"); -- err_msg = "Internal error while saving keys\n"; -+ LOG_FATAL("Failed to apply mods to target '%s'\n", -+ slapi_entry_get_dn_const(target)); -+ err_msg = "Internal error while saving keys"; - goto done; - } - -@@ -914,8 +920,9 @@ static int store_new_keys(Slapi_Entry *target, char *svcname, char *bind_dn, - svcname, time_now); - if (rc != LDAP_SUCCESS) { - rc = LDAP_OPERATIONS_ERROR; -- LOG_FATAL("Failed to set extradata"); -- err_msg = "Internal error while saving keytab extradata\n"; -+ LOG_FATAL("Failed to set extradata for target '%s'\n", -+ slapi_entry_get_dn_const(target)); -+ err_msg = "Internal error while saving keytab extradata"; - goto done; - } - -@@ -1003,7 +1010,7 @@ static int decode_setkeytab_request(krb5_context krbctx, - kset->mkvno = mkvno; - - rtag = ber_peek_tag(ber, &tlen); -- for (int i = 0; rtag == LBER_SEQUENCE; i++) { -+ for (size_t i = 0; rtag == LBER_SEQUENCE; i++) { - krb5_key_data *newset; - ber_tag_t ctag; - ber_int_t type; -@@ -1181,29 +1188,29 @@ static int encode_setkeytab_reply(struct ipapwd_keyset *kset, - rc = ber_printf(ber, "{i{", (ber_int_t)kset->keys[0].key_data_kvno); - if (rc == -1) { - rc = LDAP_OPERATIONS_ERROR; -- LOG_FATAL("Failed to ber_printf the kvno"); -+ LOG_FATAL("Failed to ber_printf the kvno\n"); - goto done; - } - -- for (int i = 0; i < kset->num_keys; i++) { -+ for (size_t i = 0; i < kset->num_keys; i++) { - rc = ber_printf(ber, "{i}", (ber_int_t)kset->keys[i].key_data_type[0]); - if (rc == -1) { - rc = LDAP_OPERATIONS_ERROR; -- LOG_FATAL("Failed to ber_printf the enctype"); -+ LOG_FATAL("Failed to ber_printf the enctype\n"); - goto done; - } - } - rc = ber_printf(ber, "}}"); - if (rc == -1) { - rc = LDAP_OPERATIONS_ERROR; -- LOG_FATAL("Failed to ber_printf the termination"); -+ 
LOG_FATAL("Failed to ber_printf the termination\n"); - goto done; - } - - rc = ber_flatten(ber, &bvp); - if (rc == -1) { - rc = LDAP_OPERATIONS_ERROR; -- LOG_FATAL("Failed to ber_flatten the buffer"); -+ LOG_FATAL("Failed to ber_flatten the buffer\n"); - goto done; - } - -@@ -1306,7 +1313,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - - /* get next kvno for entry (will be 1 if this is new) and fix keyset */ - kvno = ipapwd_get_cur_kvno(targetEntry) + 1; -- for (int i = 0; i < kset->num_keys; i++) { -+ for (size_t i = 0; i < kset->num_keys; i++) { - kset->keys[i].key_data_kvno = kvno; - } - -@@ -1352,7 +1359,7 @@ static int ipapwd_setkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - - rc = encode_setkeytab_reply(kset, &bvp); - if (rc) { -- errMesg = "Internal Error.\n"; -+ errMesg = "Internal Error."; - goto free_and_return; - } - -@@ -1372,7 +1379,7 @@ free_and_return: - if (targetEntry) slapi_entry_free(targetEntry); - - if (svals) { -- for (int i = 0; svals[i]; i++) { -+ for (size_t i = 0; svals[i]; i++) { - slapi_value_free(&svals[i]); - } - free(svals); -@@ -1382,7 +1389,7 @@ free_and_return: - - if (rc == LDAP_SUCCESS) - errMesg = NULL; -- LOG("%s", errMesg ? errMesg : "success"); -+ LOG("%s\n", errMesg ? 
errMesg : "success"); - slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); - - return SLAPI_PLUGIN_EXTENDED_SENT_RESULT; -@@ -1403,7 +1410,6 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold, - krb5_key_salt_tuple *enctypes = NULL; - bool newkt; - bool ret; -- int i; - - ret = ipaasn1_dec_getkt(extop->bv_val, extop->bv_len, &newkt, - &svcname, &password, &etypes, &numtypes); -@@ -1423,7 +1429,7 @@ static int decode_getkeytab_request(struct berval *extop, bool *wantold, - goto done; - } - -- for (i = 0; i < numtypes; i++) { -+ for (size_t i = 0; i < numtypes; i++) { - enctypes[i].ks_enctype = etypes[i]; - enctypes[i].ks_salttype = KRB5_KDB_SALTTYPE_NORMAL; - } -@@ -1466,7 +1472,7 @@ static int encode_getkeytab_reply(krb5_context krbctx, - /* uses last key kvno */ - kvno = keys[num_keys-1].key_data_kvno; - -- for (int i = 0; i < num_keys; i++) { -+ for (size_t i = 0; i < num_keys; i++) { - krb5_enc_data cipher = { 0 }; - krb5_data plain = { 0 }; - krb5_int16 plen; -@@ -1516,7 +1522,7 @@ static int encode_getkeytab_reply(krb5_context krbctx, - rc = LDAP_SUCCESS; - - done: -- for (int i = 0; i < ksc.nkeys; i ++) { -+ for (size_t i = 0; i < ksc.nkeys; i++) { - free(ksc.ksdata[i].key.contents); - } - if (rc != LDAP_SUCCESS) { -@@ -1632,7 +1638,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - * this operation. 
*/ - if (bind_dn == NULL || *bind_dn == '\0') { - /* Refuse the operation because they're bound anonymously */ -- err_msg = "Anonymous Binds are not allowed.\n"; -+ err_msg = "Anonymous Binds are not allowed."; - rc = LDAP_INSUFFICIENT_ACCESS; - goto free_and_return; - } -@@ -1648,7 +1654,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - slapi_pblock_get(pb, SLAPI_EXT_OP_REQ_VALUE, &extop_value); - if (!extop_value) { - LOG_FATAL("Failed to retrieve extended op value from pblock\n"); -- err_msg = "Failed to retrieve extended operation value\n"; -+ err_msg = "Failed to retrieve extended operation value"; - rc = LDAP_OPERATIONS_ERROR; - goto free_and_return; - } -@@ -1674,7 +1680,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - /* get Entry by krbPrincipalName */ - target_entry = get_entry_by_principal(service_name); - if (!target_entry) { -- err_msg = "PrincipalName not found.\n"; -+ err_msg = "PrincipalName not found."; - rc = LDAP_NO_SUCH_OBJECT; - goto free_and_return; - } -@@ -1690,7 +1696,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - if (!acl_ok) { - LOG_FATAL("Not allowed to retrieve keytab on [%s] as user [%s]!\n", - service_name, bind_dn); -- err_msg = "Insufficient access rights\n"; -+ err_msg = "Insufficient access rights"; - rc = LDAP_INSUFFICIENT_ACCESS; - goto free_and_return; - } -@@ -1701,6 +1707,8 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - /* if password was passed-in, check its length */ - rc = ipapwd_check_max_pwd_len(strlen(password), &err_msg); - if (rc) { -+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", -+ bind_dn, err_msg); - goto free_and_return; - } - } -@@ -1712,7 +1720,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - if (!acl_ok) { - LOG_FATAL("Not allowed to set keytab on [%s]!\n", - service_name); -- err_msg = "Insufficient access rights\n"; -+ 
err_msg = "Insufficient access rights"; - rc = LDAP_INSUFFICIENT_ACCESS; - goto free_and_return; - } -@@ -1745,7 +1753,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - if (!svals) { - rc = LDAP_OPERATIONS_ERROR; - LOG_FATAL("encrypt_encode_keys failed!\n"); -- err_msg = "Internal error while encrypting keys\n"; -+ err_msg = "Internal error while encrypting keys"; - goto free_and_return; - } - -@@ -1765,7 +1773,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - rc = encode_getkeytab_reply(krbctx, krbcfg->kmkey, mkvno, - keys, num_keys, &bvp); - if (rc != LDAP_SUCCESS) { -- err_msg = "Internal Error.\n"; -+ err_msg = "Internal Error."; - goto free_and_return; - } - -@@ -1776,7 +1784,7 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) - - free_and_return: - if (rc == LDAP_SUCCESS) err_msg = NULL; -- LOG("%s", err_msg ? err_msg : "success"); -+ LOG("%s\n", err_msg ? err_msg : "success"); - slapi_send_ldap_result(pb, rc, NULL, err_msg, 0, NULL); - - /* Free anything that we allocated above */ -@@ -1787,7 +1795,7 @@ free_and_return: - if (target_entry) slapi_entry_free(target_entry); - if (keys) ipa_krb5_free_key_data(keys, num_keys); - if (svals) { -- for (int i = 0; svals[i]; i++) { -+ for (size_t i = 0; svals[i]; i++) { - slapi_value_free(&svals[i]); - } - free(svals); -@@ -2031,7 +2039,7 @@ int ipapwd_init( Slapi_PBlock *pb ) - "ipapwd_post_init_betxn", ipapwd_post_init_betxn, - "IPA pwd post ops betxn", NULL, - ipapwd_plugin_id); -- } -+ } - - slapi_register_plugin("preoperation", 1, - "ipapwd_pre_init", ipapwd_pre_init, -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -index 45626523ffa1030cdff4f3e0ccdfa1618a51ccaf..6898e6596e1cbbb2cc69ba592401619ce86899d8 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -@@ -33,7 +33,7 @@ - * Authors: 
- * Simo Sorce - * -- * Copyright (C) 2007-2010 Red Hat, Inc. -+ * Copyright (C) 2007-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -248,6 +248,13 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) - return 0; - } - -+ /* Get target DN */ -+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); -+ if (ret) { -+ rc = LDAP_OPERATIONS_ERROR; -+ goto done; -+ } -+ - /* Ok this is interesting, - * Check this is a clear text password, or refuse operation */ - if ('{' == userpw[0]) { -@@ -280,6 +287,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) - } else { - rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg); - if (rc) { -+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", -+ slapi_sdn_get_dn(sdn), errMesg); - goto done; - } - userpw = slapi_ch_strdup(userpw_clear); -@@ -329,13 +338,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) - goto done; - } - -- /* Get target DN */ -- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); -- if (ret) { -- rc = LDAP_OPERATIONS_ERROR; -- goto done; -- } -- - /* time to get the operation handler */ - ret = slapi_pblock_get(pb, SLAPI_OPERATION, &op); - if (ret != 0) { -@@ -359,7 +361,6 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) - pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR; - } else { - char *binddn; -- int i; - - pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN; - -@@ -367,7 +368,7 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) - slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn); - - /* if it is a passsync manager we also need to skip resets */ -- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) { -+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) { - if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) { - pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR; - break; -@@ -385,6 +386,8 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) - if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) && - (ret != 0) ) { - errMesg = ipapwd_error2string(ret); -+ LOG_PWDPOLICY("Failed to add 
password credentials for '%s': %s\n", -+ slapi_sdn_get_dn(sdn), errMesg); - rc = LDAP_CONSTRAINT_VIOLATION; - goto done; - } -@@ -507,6 +510,13 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) - goto done; - } - -+ /* Get target DN */ -+ ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); -+ if (ret) { -+ rc = LDAP_OPERATIONS_ERROR; -+ goto done; -+ } -+ - /* grab the mods - we'll put them back later with - * our modifications appended - */ -@@ -568,6 +578,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) - - rc = ipapwd_check_max_pwd_len(bv->bv_len, &errMesg); - if (rc) { -+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", -+ slapi_sdn_get_dn(sdn), errMesg); - goto done; - } - slapi_ch_free_string(&unhashedpw); -@@ -591,14 +603,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) - - /* OK we have something interesting here, start checking for - * pre-requisites */ -- -- /* Get target DN */ -- ret = slapi_pblock_get(pb, SLAPI_TARGET_SDN, &sdn); -- if (ret) { -- rc = LDAP_OPERATIONS_ERROR; -- goto done; -- } -- - tmp_sdn = slapi_sdn_dup(sdn); - if (tmp_sdn) { - /* xxxPAR: Ideally SLAPI_MODIFY_EXISTING_ENTRY should be -@@ -795,6 +799,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) - const char *userpw_clear = &userpw[strlen("{CLEAR}")]; - rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg); - if (rc) { -+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", -+ slapi_sdn_get_dn(sdn), errMesg); - goto done; - } - unhashedpw = slapi_ch_strdup(userpw_clear); -@@ -806,9 +812,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) - slapi_ch_free_string(&userpw); - - } else if (slapi_is_encoded(userpw)) { -- -- LOG("Pre-Encoded passwords are not valid\n"); -- errMesg = "Pre-Encoded passwords are not valid\n"; -+ errMesg = "Pre-Encoded passwords are not valid"; -+ LOG("%s (%s)\n", errMesg, slapi_sdn_get_dn(sdn)); - rc = LDAP_CONSTRAINT_VIOLATION; - goto done; - } -@@ -843,7 +848,6 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) - } else { - char 
*binddn; - Slapi_DN *bdn, *tdn; -- int i; - - /* Check Bind DN */ - slapi_pblock_get(pb, SLAPI_CONN_DN, &binddn); -@@ -857,18 +861,16 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) - pwdop->pwdata.changetype = IPA_CHANGETYPE_ADMIN; - - /* if it is a passsync manager we also need to skip resets */ -- for (i = 0; i < krbcfg->num_passsync_mgrs; i++) { -+ for (size_t i = 0; i < krbcfg->num_passsync_mgrs; i++) { - if (strcasecmp(krbcfg->passsync_mgrs[i], binddn) == 0) { - pwdop->pwdata.changetype = IPA_CHANGETYPE_DSMGR; - break; - } - } -- - } - - slapi_sdn_free(&bdn); - slapi_sdn_free(&tdn); -- - } - - pwdop->pwdata.dn = slapi_ch_strdup(slapi_sdn_get_dn(sdn)); -@@ -884,6 +886,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) - if ((pwdop->pwdata.changetype != IPA_CHANGETYPE_DSMGR) && - (ret != 0)) { - errMesg = ipapwd_error2string(ret); -+ LOG_PWDPOLICY("Check Password Policy failed for (%s) - %s/n", -+ pwdop->pwdata.dn, errMesg); - rc = LDAP_CONSTRAINT_VIOLATION; - goto done; - } -@@ -976,7 +980,6 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods, - int num_keys; - int mkvno; - int ret; -- int i; - - ret = slapi_entry_attr_find(entry, "ipaNTHash", &attr); - if (ret == 0) { -@@ -1008,7 +1011,7 @@ static int ipapwd_regen_nthash(Slapi_PBlock *pb, Slapi_Mods *smods, - - ret = LDAP_UNWILLING_TO_PERFORM; - -- for (i = 0; i < num_keys; i++) { -+ for (size_t i = 0; i < num_keys; i++) { - char nthash[16]; - krb5_enc_data cipher; - krb5_data plain; -@@ -1511,6 +1514,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - } else { - rc = ipapwd_check_max_pwd_len(credentials->bv_len, &errMesg); - if (rc) { -+ LOG_PWDPOLICY("Failed to set password credentials for '%s': %s\n", -+ slapi_sdn_get_dn(sdn), errMesg); - goto invalid_creds; - } - } --- -2.43.0 - diff --git a/0023-Issue-9497-update-debug-logging-in-ipa_uuid.patch b/0023-Issue-9497-update-debug-logging-in-ipa_uuid.patch deleted file mode 100644 index 660c715..0000000 
--- a/0023-Issue-9497-update-debug-logging-in-ipa_uuid.patch +++ /dev/null @@ -1,47 +0,0 @@ -From a2fcfb9e17c4e7f2b4c57fa1eccdfe27d0c085d3 Mon Sep 17 00:00:00 2001 -From: Mark Reynolds -Date: Tue, 12 Dec 2023 08:41:43 -0500 -Subject: [PATCH] Issue 9497 - update debug logging in ipa_uuid - -Fixes: https://pagure.io/freeipa/issue/9497 - -Signed-off-by: Mark Reynolds -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c -index 87d8be2d88d9ff9bbf7d47eab57b765063f7a230..2fa84f5167341667050e3cfd4bda4c4a4991d06d 100644 ---- a/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c -+++ b/daemons/ipa-slapi-plugins/ipa-uuid/ipa_uuid.c -@@ -30,7 +30,7 @@ - * Program may make changes or additions to the list of Approved - * Interfaces. - * -- * Copyright (C) 2010 Red Hat, Inc. -+ * Copyright (C) 2010-2023 Red Hat, Inc. - * All rights reserved. - * END COPYRIGHT BLOCK **/ - -@@ -1185,7 +1185,7 @@ static int ipauuid_pre_op(Slapi_PBlock *pb, int modtype) - * enforce is enabled. */ - errstr = slapi_ch_smprintf("Only the Directory Manager " - "can set arbitrary values " -- "for %s\n", cfgentry->attr); -+ "for %s", cfgentry->attr); - ret = LDAP_INSUFFICIENT_ACCESS; - goto done; - } -@@ -1221,7 +1221,7 @@ done: - } - - if (ret) { -- LOG("operation failure [%d]\n", ret); -+ LOG("operation failure [%d] - %s\n", ret, errstr); - slapi_send_ldap_result(pb, ret, NULL, errstr, 0, NULL); - slapi_ch_free((void **)&errstr); - ret = EFAIL; --- -2.43.0 - diff --git a/0024-hbactest-was-not-collecting-or-returning-messages.patch b/0024-hbactest-was-not-collecting-or-returning-messages.patch deleted file mode 100644 index c04ee23..0000000 --- a/0024-hbactest-was-not-collecting-or-returning-messages.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 9e950f89bedeb83267369d60b4a83c77f89e71d6 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 27 Nov 2023 16:11:08 -0500 -Subject: [PATCH] hbactest was not collecting or returning messages - -hbactest does a number of internal searches, one of which -can exceed the configured sizelimit: hbacrule-find - -Collect any messages returned from thsi call and display them -to the user on the cli. - -Fixes: https://pagure.io/freeipa/issue/9486 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaclient/plugins/hbactest.py | 2 ++ - ipaserver/plugins/hbactest.py | 14 +++++++++++--- - 2 files changed, 13 insertions(+), 3 deletions(-) - -diff --git a/ipaclient/plugins/hbactest.py b/ipaclient/plugins/hbactest.py -index 1b54530b236cf654bc8ece7ab4e329850f5a6815..e0f93b9c265a176cb872fcf2728dbb3a66a264d9 100644 ---- a/ipaclient/plugins/hbactest.py -+++ b/ipaclient/plugins/hbactest.py -@@ -38,6 +38,8 @@ class hbactest(CommandOverride): - # Note that we don't actually use --detail below to see if details need - # to be printed as our execute() method will return None for corresponding - # entries and None entries will be skipped. -+ self.log_messages(output) -+ - for o in self.output: - if o == 'value': - continue -diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py -index 887a35b7e67b257a2e54d51990af953ff8fbb316..568c13174ba617f2742b8f42c11b36dbde549cc2 100644 ---- a/ipaserver/plugins/hbactest.py -+++ b/ipaserver/plugins/hbactest.py -@@ -24,6 +24,8 @@ from ipalib import Command, Str, Flag, Int - from ipalib import _ - from ipapython.dn import DN - from ipalib.plugable import Registry -+from ipalib.messages import VersionMissing -+ - if api.env.in_server: - try: - import ipaserver.dcerpc -@@ -323,6 +325,9 @@ class hbactest(Command): - # 2. Required options are (user, target host, service) - # 3. 
Options: rules to test (--rules, --enabled, --disabled), request for detail output - rules = [] -+ result = { -+ 'warning':None, 'matched':None, 'notmatched':None, 'error':None -+ } - - # Use all enabled IPA rules by default - all_enabled = True -@@ -351,8 +356,12 @@ class hbactest(Command): - - hbacset = [] - if len(testrules) == 0: -- hbacset = self.api.Command.hbacrule_find( -- sizelimit=sizelimit, no_members=False)['result'] -+ hbacrules = self.api.Command.hbacrule_find( -+ sizelimit=sizelimit, no_members=False) -+ hbacset = hbacrules['result'] -+ for message in hbacrules['messages']: -+ if message['code'] != VersionMissing.errno: -+ result.setdefault('messages', []).append(message) - else: - for rule in testrules: - try: -@@ -469,7 +478,6 @@ class hbactest(Command): - error_rules = [] - warning_rules = [] - -- result = {'warning':None, 'matched':None, 'notmatched':None, 'error':None} - if not options['nodetail']: - # Validate runs rules one-by-one and reports failed ones - for ipa_rule in rules: --- -2.43.0 - diff --git a/0025-ipatests-Verify-that-hbactest-will-return-messages.patch b/0025-ipatests-Verify-that-hbactest-will-return-messages.patch deleted file mode 100644 index 9cd1660..0000000 --- a/0025-ipatests-Verify-that-hbactest-will-return-messages.patch +++ /dev/null 
@@ -1,56 +0,0 @@ -From e8810696a38b70af286a2a2aae464ba4294e1fb5 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 28 Nov 2023 13:35:13 -0500 -Subject: [PATCH] ipatests: Verify that hbactest will return messages - -Limit the sizelimit of the hbactest request to confirm that -the output includes a SearchResultTruncated message. - -Fixes: https://pagure.io/freeipa/issue/9486 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_xmlrpc/test_hbactest_plugin.py | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_xmlrpc/test_hbactest_plugin.py b/ipatests/test_xmlrpc/test_hbactest_plugin.py -index 73c4ce232066dd7e45bc9a636f9fd955d50d6818..e2e66c759ab4bd1ac3e6dd2ab380c6359fc90042 100644 ---- a/ipatests/test_xmlrpc/test_hbactest_plugin.py -+++ b/ipatests/test_xmlrpc/test_hbactest_plugin.py -@@ -134,6 +134,7 @@ class test_hbactest(XMLRPC_test): - assert ret['value'] - assert ret['error'] is None - assert ret['matched'] is None -+ assert 'messages' not in ret - assert ret['notmatched'] is None - - def test_c_hbactest_check_rules_enabled_detail(self): -@@ -200,7 +201,23 @@ class test_hbactest(XMLRPC_test): - nodetail=True - ) - -- def test_g_hbactest_clear_testing_data(self): -+ def test_g_hbactest_searchlimit_message(self): -+ """ -+ Test running 'ipa hbactest' with limited --sizelimit -+ -+ We know there are at least 6 rules, 4 created here + 2 default. -+ """ -+ ret = api.Command['hbactest']( -+ user=self.test_user, -+ targethost=self.test_host, -+ service=self.test_service, -+ nodetail=True, -+ sizelimit=2, -+ ) -+ -+ assert ret['messages'] is not None -+ -+ def test_h_hbactest_clear_testing_data(self): - """ - Clear data for HBAC test plugin testing. - """ --- -2.43.0 - diff --git a/0026-ipa-kdb-add-better-detection-of-allowed-user-auth-ty.patch b/0026-ipa-kdb-add-better-detection-of-allowed-user-auth-ty.patch deleted file mode 100644 index 4f6c600..0000000 
--- a/0026-ipa-kdb-add-better-detection-of-allowed-user-auth-ty.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From c90ba9478b663bd5bcac9bb3af4272ee1406816b Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 24 Nov 2023 11:46:19 +0200 -Subject: [PATCH] ipa-kdb: add better detection of allowed user auth type - -If default user authentication type is set to a list that does not -include a password or a hardened credential, the resulting configuration -might be incorrect for special service principals, including a krbtgt/.. -one. - -Add detection of special principals to avoid these situations and always -allow password or hardened for services. - -Special handling is needed for the following principals: - - - krbtgt/.. -- TGT service principals - - K/M -- master key principal - - kadmin/changepw -- service for changing passwords - - kadmin/kadmin -- kadmin service principal - - kadmin/history -- key used to encrypt history - -Additionally, implicitly allow password or hardened credential use for -IPA services and IPA hosts since applications typically use keytabs for -that purpose. 
- -Fixes: https://pagure.io/freeipa/issue/9485 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - daemons/ipa-kdb/ipa_kdb.c | 62 ++++++++++++++++++++++++++++++++++----- - 1 file changed, 54 insertions(+), 8 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index 06d511c762006f6a1e6e7a0ec663bc059489cf64..dbb98dba6d6d273e86e39e8ca8b8877d13f4299b 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -26,6 +26,7 @@ - #include "ipa_kdb.h" - #include "ipa_krb5.h" - #include "ipa_hostname.h" -+#include - - #define IPADB_GLOBAL_CONFIG_CACHE_TIME 60 - -@@ -207,6 +208,19 @@ static const struct { - { "idp", IPADB_USER_AUTH_IDP }, - { "passkey", IPADB_USER_AUTH_PASSKEY }, - { } -+}, -+ objclass_table[] = { -+ { "ipaservice", IPADB_USER_AUTH_PASSWORD }, -+ { "ipahost", IPADB_USER_AUTH_PASSWORD }, -+ { } -+}, -+ princname_table[] = { -+ { KRB5_TGS_NAME, IPADB_USER_AUTH_PASSWORD }, -+ { KRB5_KDB_M_NAME, IPADB_USER_AUTH_PASSWORD }, -+ { KADM5_ADMIN_SERVICE, IPADB_USER_AUTH_PASSWORD }, -+ { KADM5_CHANGEPW_SERVICE, IPADB_USER_AUTH_PASSWORD }, -+ { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD }, -+ { } - }; - - void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, -@@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, - - *userauth = IPADB_USER_AUTH_NONE; - vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE); -- if (!vals) -- return; -- -- for (i = 0; vals[i]; i++) { -- for (j = 0; userauth_table[j].name; j++) { -- if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) { -- *userauth |= userauth_table[j].flag; -- break; -+ if (!vals) { -+ /* if there is no explicit ipaUserAuthType set, use objectclass */ -+ vals = ldap_get_values_len(lcontext, le, "objectclass"); -+ if (!vals) -+ return; -+ -+ for (i = 0; vals[i]; i++) { -+ for (j = 0; objclass_table[j].name; j++) { -+ if (strcasecmp(vals[i]->bv_val, objclass_table[j].name) == 0) { -+ *userauth |= 
objclass_table[j].flag; -+ break; -+ } -+ } -+ } -+ } else { -+ for (i = 0; vals[i]; i++) { -+ for (j = 0; userauth_table[j].name; j++) { -+ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) { -+ *userauth |= userauth_table[j].flag; -+ break; -+ } - } - } - } -+ -+ /* If neither ipaUserAuthType nor objectClass were definitive, -+ * check the krbPrincipalName to see if it is krbtgt/ or K/M one */ -+ if (*userauth == IPADB_USER_AUTH_NONE) { -+ ldap_value_free_len(vals); -+ vals = ldap_get_values_len(lcontext, le, "krbprincipalname"); -+ if (!vals) -+ return; -+ for (i = 0; vals[i]; i++) { -+ for (j = 0; princname_table[j].name; j++) { -+ if (strncmp(vals[i]->bv_val, princname_table[j].name, -+ strlen(princname_table[j].name)) == 0) { -+ *userauth |= princname_table[j].flag; -+ break; -+ } -+ } -+ } -+ -+ } - /* If password auth is enabled, enable hardened policy too. */ - if (*userauth & IPADB_USER_AUTH_PASSWORD) { - *userauth |= IPADB_USER_AUTH_HARDENED; --- -2.43.0 - diff --git a/0027-ipa-kdb-when-applying-ticket-policy-do-not-deny-PKIN.patch b/0027-ipa-kdb-when-applying-ticket-policy-do-not-deny-PKIN.patch deleted file mode 100644 index ef2ac93..0000000 --- a/0027-ipa-kdb-when-applying-ticket-policy-do-not-deny-PKIN.patch +++ /dev/null 
@@ -1,41 +0,0 @@ -From 1fb026105ef397612a504722b2bcac29fbc69676 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 24 Nov 2023 11:54:04 +0200 -Subject: [PATCH] ipa-kdb: when applying ticket policy, do not deny PKINIT - -PKINIT differs from other pre-authentication methods by the fact that it -can be matched indepedently of the user authentication types via certmap -plugin in KDC. - -Since PKINIT is a strong authentication method, allow its authentication -indicator and only apply the ticket policy. - -Fixes: https://pagure.io/freeipa/issue/9485 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -index 436ee0e62665594062e7be37e5b7925f76e921a0..2802221c79fe63ab4bd33bfbe4859517f3d91ec5 100644 ---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -@@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, - pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]); - } else if (strcmp(auth_indicator, "pkinit") == 0) { - valid_auth_indicators++; -- if (!(ua & IPADB_USER_AUTH_PKINIT)) { -- *status = "PKINIT pre-authentication not allowed for this user."; -- kerr = KRB5KDC_ERR_POLICY; -- goto done; -- } -+ /* allow PKINIT unconditionally -- it has passed already at this -+ * point so some certificate was useful, only apply the limits */ - pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]); - } else if (strcmp(auth_indicator, "hardened") == 0) { - valid_auth_indicators++; --- -2.43.0 - diff --git a/0028-ipa-kdb-clarify-user-auth-table-mapping-use-of-_AUTH.patch b/0028-ipa-kdb-clarify-user-auth-table-mapping-use-of-_AUTH.patch deleted file mode 100644 index d56a1fd..0000000 --- a/0028-ipa-kdb-clarify-user-auth-table-mapping-use-of-_AUTH.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From fab08337dac0eb6322dc5ebe730b2541f4bb6111 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 24 Nov 2023 12:20:55 +0200 -Subject: [PATCH] ipa-kdb: clarify user auth table mapping use of - _AUTH_PASSWORD - -Related: https://pagure.io/freeipa/issue/9485 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - daemons/ipa-kdb/ipa_kdb.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index dbb98dba6d6d273e86e39e8ca8b8877d13f4299b..4e6cacf24e27b05538db2c95ab85400bb83e3d58 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -195,6 +195,9 @@ done: - return base; - } - -+/* In this table all _AUTH_PASSWORD entries will be -+ * expanded to include _AUTH_HARDENED in ipadb_parse_user_auth() -+ * which means there is no need to explicitly add it here */ - static const struct { - const char *name; - enum ipadb_user_auth flag; --- -2.43.0 - diff --git a/0029-ipatests-make-sure-PKINIT-enrollment-works-with-a-st.patch b/0029-ipatests-make-sure-PKINIT-enrollment-works-with-a-st.patch deleted file mode 100644 index bfbe6bb..0000000 --- a/0029-ipatests-make-sure-PKINIT-enrollment-works-with-a-st.patch +++ /dev/null 
@@ -1,71 +0,0 @@ -From 02b17c8560a6aabb4be1109a3a794412f527c83c Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 24 Nov 2023 13:00:48 +0200 -Subject: [PATCH] ipatests: make sure PKINIT enrollment works with a strict - policy - -Previously, for a global policy which does not include -'password', krb5kdc restart was failing. Now it should succeed. - -We set admin user authentication type to PASSWORD to simplify -configuration in the test. - -What matters here is that global policy does not include PKINIT and that -means a code in the ticket policy check will allow PKINIT implicitly -rather than explicitly. - -Related: https://pagure.io/freeipa/issue/9485 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - .../test_integration/test_pkinit_install.py | 26 +++++++++++++++++++ - 1 file changed, 26 insertions(+) - -diff --git a/ipatests/test_integration/test_pkinit_install.py b/ipatests/test_integration/test_pkinit_install.py -index caa0e6a34dc7e50359a41314e419a0d5be0c3aa8..5c2e7af0231677d4653ea2f82fa3dffed711a10d 100644 ---- a/ipatests/test_integration/test_pkinit_install.py -+++ b/ipatests/test_integration/test_pkinit_install.py -@@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest): - def install(cls, mh): - tasks.install_master(cls.master) - -+ def enforce_password_and_otp(self): -+ """enforce otp by default and password for admin """ -+ self.master.run_command( -+ [ -+ "ipa", -+ "config-mod", -+ "--user-auth-type=otp", -+ ] -+ ) -+ self.master.run_command( -+ [ -+ "ipa", -+ "user-mod", -+ "admin", -+ "--user-auth-type=password", -+ ] -+ ) -+ - def add_certmaperule(self): - """add certmap rule to map SAN dNSName to host entry""" - self.master.run_command( -@@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest): - cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM) - client.put_file_contents(self.tmpbundle, cabundle) - -+ def test_restart_krb5kdc(self): -+ tasks.kinit_admin(self.master) -+ 
self.enforce_password_and_otp() -+ self.master.run_command(['systemctl', 'stop', 'krb5kdc.service']) -+ self.master.run_command(['systemctl', 'start', 'krb5kdc.service']) -+ self.master.run_command(['systemctl', 'stop', 'kadmin.service']) -+ self.master.run_command(['systemctl', 'start', 'kadmin.service']) -+ - def test_client_install_pkinit(self): - tasks.kinit_admin(self.master) - self.add_certmaperule() --- -2.43.0 - diff --git a/0030-Check-the-HTTP-Referer-header-on-all-requests.patch b/0030-Check-the-HTTP-Referer-header-on-all-requests.patch deleted file mode 100644 index ce9cbc1..0000000 --- a/0030-Check-the-HTTP-Referer-header-on-all-requests.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From 2c52a7dfd26ac561786e72e4304acbf9585698b6 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 6 Oct 2023 20:16:29 +0000 -Subject: [PATCH] Check the HTTP Referer header on all requests - -The referer was only checked in WSGIExecutioner classes: - - - jsonserver - - KerberosWSGIExecutioner - - xmlserver - - jsonserver_kerb - -This left /i18n_messages, /session/login_kerberos, -/session/login_x509, /session/login_password, -/session/change_password and /session/sync_token unprotected -against CSRF attacks. - -CVE-2023-5455 - -Signed-off-by: Rob Crittenden ---- - ipaserver/rpcserver.py | 34 +++++++++++++++++++++++++++++++--- - 1 file changed, 31 insertions(+), 3 deletions(-) - -diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py -index b7116469d73f9a8595dbb2d1a3f39abe851f4fc3..198fc9e7dbae281f797dcccf96d21d475ff31e8c 100644 ---- a/ipaserver/rpcserver.py -+++ b/ipaserver/rpcserver.py -@@ -156,6 +156,19 @@ _success_template = """ - """ - - class HTTP_Status(plugable.Plugin): -+ def check_referer(self, environ): -+ if "HTTP_REFERER" not in environ: -+ logger.error("Rejecting request with missing Referer") -+ return False -+ if (not environ["HTTP_REFERER"].startswith( -+ "https://%s/ipa" % self.api.env.host) -+ and not self.env.in_tree): -+ logger.error("Rejecting request with bad Referer %s", -+ environ["HTTP_REFERER"]) -+ return False -+ logger.debug("Valid Referer %s", environ["HTTP_REFERER"]) -+ return True -+ - def not_found(self, environ, start_response, url, message): - """ - Return a 404 Not Found error. -@@ -331,9 +344,6 @@ class wsgi_dispatch(Executioner, HTTP_Status): - self.__apps[key] = app - - -- -- -- - class WSGIExecutioner(Executioner): - """ - Base class for execution backends with a WSGI application interface. 
-@@ -898,6 +908,9 @@ class jsonserver_session(jsonserver, KerberosSession): - - logger.debug('WSGI jsonserver_session.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - # Redirect to login if no Kerberos credentials - ccache_name = self.get_environ_creds(environ) - if ccache_name is None: -@@ -950,6 +963,9 @@ class KerberosLogin(Backend, KerberosSession): - def __call__(self, environ, start_response): - logger.debug('WSGI KerberosLogin.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - # Redirect to login if no Kerberos credentials - user_ccache_name = self.get_environ_creds(environ) - if user_ccache_name is None: -@@ -968,6 +984,9 @@ class login_x509(KerberosLogin): - def __call__(self, environ, start_response): - logger.debug('WSGI login_x509.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - if 'KRB5CCNAME' not in environ: - return self.unauthorized( - environ, start_response, 'KRB5CCNAME not set', -@@ -1016,6 +1035,9 @@ class login_password(Backend, KerberosSession): - - logger.debug('WSGI login_password.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - # Get the user and password parameters from the request - content_type = environ.get('CONTENT_TYPE', '').lower() - if not content_type.startswith('application/x-www-form-urlencoded'): -@@ -1148,6 +1170,9 @@ class change_password(Backend, HTTP_Status): - def __call__(self, environ, start_response): - logger.info('WSGI change_password.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - # Get the user and password parameters from the request - content_type = environ.get('CONTENT_TYPE', '').lower() - if not content_type.startswith('application/x-www-form-urlencoded'): -@@ 
-1365,6 +1390,9 @@ class xmlserver_session(xmlserver, KerberosSession): - - logger.debug('WSGI xmlserver_session.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - ccache_name = environ.get('KRB5CCNAME') - - # Redirect to /ipa/xml if no Kerberos credentials --- -2.43.0 - diff --git a/0031-Integration-tests-for-verifying-Referer-header-in-th.patch b/0031-Integration-tests-for-verifying-Referer-header-in-th.patch deleted file mode 100644 index 068d77a..0000000 --- a/0031-Integration-tests-for-verifying-Referer-header-in-th.patch +++ /dev/null 
@@ -1,359 +0,0 @@ -From 14720c7690bda2b538dfc1d742eb4eb152dfd8a2 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 12 Oct 2023 20:34:01 +0000 -Subject: [PATCH] Integration tests for verifying Referer header in the UI - -Validate that the change_password and login_password endpoints -verify the HTTP Referer header. There is some overlap in the -tests: belt and suspenders. - -All endpoints except session/login_x509 are covered, sometimes -having to rely on expected bad results (see the i18n endpoint). - -session/login_x509 is not tested yet as it requires significant -additional setup in order to associate a user certificate with -a user entry, etc. - -This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf -and adding: - -Satisfy Any -Require all granted - -Then comment out Auth and SSLVerify, etc. and restart httpd. - -With a valid Referer will fail with a 401 and log that there is no -KRB5CCNAME. This comes after the referer check. - -With an invalid Referer it will fail with a 400 Bad Request as -expected. 
- -CVE-2023-5455 - -Signed-off-by: Rob Crittenden ---- - ipatests/test_ipaserver/httptest.py | 7 +- - ipatests/test_ipaserver/test_changepw.py | 12 +- - .../test_ipaserver/test_login_password.py | 88 ++++++++++++ - ipatests/test_ipaserver/test_referer.py | 136 ++++++++++++++++++ - ipatests/util.py | 4 +- - 5 files changed, 242 insertions(+), 5 deletions(-) - create mode 100644 ipatests/test_ipaserver/test_login_password.py - create mode 100644 ipatests/test_ipaserver/test_referer.py - -diff --git a/ipatests/test_ipaserver/httptest.py b/ipatests/test_ipaserver/httptest.py -index 6cd034a719690646ee9238a5c6061e791e1c6fb5..8924798fc93c14e45beaf232a958d22398f61954 100644 ---- a/ipatests/test_ipaserver/httptest.py -+++ b/ipatests/test_ipaserver/httptest.py -@@ -36,7 +36,7 @@ class Unauthorized_HTTP_test: - content_type = 'application/x-www-form-urlencoded' - accept_language = 'en-us' - -- def send_request(self, method='POST', params=None): -+ def send_request(self, method='POST', params=None, host=None): - """ - Send a request to HTTP server - -@@ -45,7 +45,10 @@ class Unauthorized_HTTP_test: - if params is not None: - if self.content_type == 'application/x-www-form-urlencoded': - params = urllib.parse.urlencode(params, True) -- url = 'https://' + self.host + self.app_uri -+ if host: -+ url = 'https://' + host + self.app_uri -+ else: -+ url = 'https://' + self.host + self.app_uri - - headers = {'Content-Type': self.content_type, - 'Accept-Language': self.accept_language, -diff --git a/ipatests/test_ipaserver/test_changepw.py b/ipatests/test_ipaserver/test_changepw.py -index c3a47ab265f08db11ddfee2182401ccba90cf8df..df38ddb3d9e74baf908372be0780fcefbb258a5d 100644 ---- a/ipatests/test_ipaserver/test_changepw.py -+++ b/ipatests/test_ipaserver/test_changepw.py -@@ -53,10 +53,11 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test): - - request.addfinalizer(fin) - -- def _changepw(self, user, old_password, new_password): -+ def _changepw(self, user, old_password, 
new_password, host=None): - return self.send_request(params={'user': str(user), - 'old_password' : str(old_password), - 'new_password' : str(new_password)}, -+ host=host - ) - - def _checkpw(self, user, password): -@@ -89,6 +90,15 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test): - # make sure that password is NOT changed - self._checkpw(testuser, old_password) - -+ def test_invalid_referer(self): -+ response = self._changepw(testuser, old_password, new_password, -+ 'attacker.test') -+ -+ assert_equal(response.status, 400) -+ -+ # make sure that password is NOT changed -+ self._checkpw(testuser, old_password) -+ - def test_pwpolicy_error(self): - response = self._changepw(testuser, old_password, '1') - -diff --git a/ipatests/test_ipaserver/test_login_password.py b/ipatests/test_ipaserver/test_login_password.py -new file mode 100644 -index 0000000000000000000000000000000000000000..9425cb7977fbc87210bf91464e0257830a938baf ---- /dev/null -+++ b/ipatests/test_ipaserver/test_login_password.py -@@ -0,0 +1,88 @@ -+# Copyright (C) 2023 Red Hat -+# see file 'COPYING' for use and warranty information -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . 
-+ -+import os -+import pytest -+import uuid -+ -+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test -+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test -+from ipatests.util import assert_equal -+from ipalib import api, errors -+from ipapython.ipautil import run -+ -+testuser = u'tuser' -+password = u'password' -+ -+ -+@pytest.mark.tier1 -+class test_login_password(XMLRPC_test, Unauthorized_HTTP_test): -+ app_uri = '/ipa/session/login_password' -+ -+ @pytest.fixture(autouse=True) -+ def login_setup(self, request): -+ ccache = os.path.join('/tmp', str(uuid.uuid4())) -+ try: -+ api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User') -+ api.Command['passwd'](testuser, password=password) -+ run(['kinit', testuser], stdin='{0}\n{0}\n{0}\n'.format(password), -+ env={"KRB5CCNAME": ccache}) -+ except errors.ExecutionError as e: -+ pytest.skip( -+ 'Cannot set up test user: %s' % e -+ ) -+ -+ def fin(): -+ try: -+ api.Command['user_del']([testuser]) -+ except errors.NotFound: -+ pass -+ os.unlink(ccache) -+ -+ request.addfinalizer(fin) -+ -+ def _login(self, user, password, host=None): -+ return self.send_request(params={'user': str(user), -+ 'password' : str(password)}, -+ host=host) -+ -+ def test_bad_options(self): -+ for params in ( -+ None, # no params -+ {"user": "foo"}, # missing options -+ {"user": "foo", "password": ""}, # empty option -+ ): -+ response = self.send_request(params=params) -+ assert_equal(response.status, 400) -+ assert_equal(response.reason, 'Bad Request') -+ -+ def test_invalid_auth(self): -+ response = self._login(testuser, 'wrongpassword') -+ -+ assert_equal(response.status, 401) -+ assert_equal(response.getheader('X-IPA-Rejection-Reason'), -+ 'invalid-password') -+ -+ def test_invalid_referer(self): -+ response = self._login(testuser, password, 'attacker.test') -+ -+ assert_equal(response.status, 400) -+ -+ def test_success(self): -+ response = self._login(testuser, password) -+ -+ 
assert_equal(response.status, 200) -+ assert response.getheader('X-IPA-Rejection-Reason') is None -diff --git a/ipatests/test_ipaserver/test_referer.py b/ipatests/test_ipaserver/test_referer.py -new file mode 100644 -index 0000000000000000000000000000000000000000..4eade8bbaf304c48bf71c16892858d899b43cf88 ---- /dev/null -+++ b/ipatests/test_ipaserver/test_referer.py -@@ -0,0 +1,136 @@ -+# Copyright (C) 2023 Red Hat -+# see file 'COPYING' for use and warranty information -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . 
-+ -+import os -+import pytest -+import uuid -+ -+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test -+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test -+from ipatests.util import assert_equal -+from ipalib import api, errors -+from ipapython.ipautil import run -+ -+testuser = u'tuser' -+password = u'password' -+ -+ -+@pytest.mark.tier1 -+class test_referer(XMLRPC_test, Unauthorized_HTTP_test): -+ -+ @pytest.fixture(autouse=True) -+ def login_setup(self, request): -+ ccache = os.path.join('/tmp', str(uuid.uuid4())) -+ tokenid = None -+ try: -+ api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User') -+ api.Command['passwd'](testuser, password=password) -+ run(['kinit', testuser], stdin='{0}\n{0}\n{0}\n'.format(password), -+ env={"KRB5CCNAME": ccache}) -+ result = api.Command["otptoken_add"]( -+ type='HOTP', description='testotp', -+ ipatokenotpalgorithm='sha512', ipatokenowner=testuser, -+ ipatokenotpdigits='6') -+ tokenid = result['result']['ipatokenuniqueid'][0] -+ except errors.ExecutionError as e: -+ pytest.skip( -+ 'Cannot set up test user: %s' % e -+ ) -+ -+ def fin(): -+ try: -+ api.Command['user_del']([testuser]) -+ api.Command['otptoken_del']([tokenid]) -+ except errors.NotFound: -+ pass -+ os.unlink(ccache) -+ -+ request.addfinalizer(fin) -+ -+ def _request(self, params={}, host=None): -+ # implicit is that self.app_uri is set to the appropriate value -+ return self.send_request(params=params, host=host) -+ -+ def test_login_password_valid(self): -+ """Valid authentication of a user""" -+ self.app_uri = "/ipa/session/login_password" -+ response = self._request( -+ params={'user': 'tuser', 'password': password}) -+ assert_equal(response.status, 200, self.app_uri) -+ -+ def test_change_password_valid(self): -+ """This actually changes the user password""" -+ self.app_uri = "/ipa/session/change_password" -+ response = self._request( -+ params={'user': 'tuser', -+ 'old_password': password, -+ 'new_password': 
'new_password'} -+ ) -+ assert_equal(response.status, 200, self.app_uri) -+ -+ def test_sync_token_valid(self): -+ """We aren't testing that sync works, just that we can get there""" -+ self.app_uri = "/ipa/session/sync_token" -+ response = self._request( -+ params={'user': 'tuser', -+ 'first_code': '1234', -+ 'second_code': '5678', -+ 'password': 'password'}) -+ assert_equal(response.status, 200, self.app_uri) -+ -+ def test_i18n_messages_valid(self): -+ # i18n_messages requires a valid JSON request and we send -+ # nothing. If we get a 500 error then it got past the -+ # referer check. -+ self.app_uri = "/ipa/i18n_messages" -+ response = self._request() -+ assert_equal(response.status, 500, self.app_uri) -+ -+ # /ipa/session/login_x509 is not tested yet as it requires -+ # significant additional setup. -+ # This can be manually verified by adding -+ # Satisfy Any and Require all granted to the configuration -+ # section and comment out all Auth directives. The request -+ # will fail and log that there is no KRB5CCNAME which comes -+ # after the referer check. 
-+ -+ def test_endpoints_auth_required(self): -+ """Test endpoints that require pre-authorization which will -+ fail before we even get to the Referer check -+ """ -+ self.endpoints = { -+ "/ipa/xml", -+ "/ipa/session/login_kerberos", -+ "/ipa/session/json", -+ "/ipa/session/xml" -+ } -+ for self.app_uri in self.endpoints: -+ response = self._request(host="attacker.test") -+ -+ # referer is checked after auth -+ assert_equal(response.status, 401, self.app_uri) -+ -+ def notest_endpoints_invalid(self): -+ """Pass in a bad Referer, expect a 400 Bad Request""" -+ self.endpoints = { -+ "/ipa/session/login_password", -+ "/ipa/session/change_password", -+ "/ipa/session/sync_token", -+ } -+ for self.app_uri in self.endpoints: -+ response = self._request(host="attacker.test") -+ -+ assert_equal(response.status, 400, self.app_uri) -diff --git a/ipatests/util.py b/ipatests/util.py -index 929c3e899c3317acf59f2030b069898f4b282abc..61af0c40d07b31ef9e8ce1f069b05b2088605231 100644 ---- a/ipatests/util.py -+++ b/ipatests/util.py -@@ -163,12 +163,12 @@ class ExceptionNotRaised(Exception): - return self.msg % self.expected.__name__ - - --def assert_equal(val1, val2): -+def assert_equal(val1, val2, msg=''): - """ - Assert ``val1`` and ``val2`` are the same type and of equal value. - """ - assert type(val1) is type(val2), '%r != %r' % (val1, val2) -- assert val1 == val2, '%r != %r' % (val1, val2) -+ assert val1 == val2, '%r != %r %r' % (val1, val2, msg) - - - def assert_not_equal(val1, val2): --- -2.43.0 - diff --git a/0032-ipatests-Skip-ds_encryption-tests-on-RHEL9-SUT.patch b/0032-ipatests-Skip-ds_encryption-tests-on-RHEL9-SUT.patch deleted file mode 100644 index 8e2efe5..0000000 --- a/0032-ipatests-Skip-ds_encryption-tests-on-RHEL9-SUT.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From 8bdfbe8d2b203c64444390985011b2372f3bc08e Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Wed, 20 Dec 2023 18:42:25 +0530 -Subject: [PATCH] ipatests: Skip ds_encryption tests on RHEL9 SUT. - -test_ipahealthcheck_ds_encryption tests are failing -in RHEL9 SUT because in this test tls protocol version -is set to TLS1.0 using the below command, but its -reset to TLS1.2 causing the test to fail. - -'dsconf', 'slapd-TESTREALM-TEST', 'security', 'set', '--tls-protocol-min=TLS1.0' - -Hence the test is skipped to be run on RHEL9.0 SUT. - -Signed-off-by: Sudhir Menon -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_ipahealthcheck.py | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 785e9abbae3b807f100a3d875e0c0b23f868be83..40c84898894681d8daf386b522118a6a7f793227 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -158,7 +158,6 @@ TOMCAT_CONFIG_FILES = ( - paths.CA_CS_CFG_PATH, - ) - -- - def run_healthcheck(host, source=None, check=None, output_type="json", - failures_only=False, config=None): - """ -@@ -1262,6 +1261,10 @@ class TestIpaHealthCheck(IntegrationTest): - ) - self.master.run_command(cmd) - -+ @pytest.mark.skipif((osinfo.id == 'rhel' -+ and osinfo.version_number >= (9,0)), -+ reason=" TLS versions below 1.2 are not " -+ "supported anymore in RHEL9.0 and above.") - def test_ipahealthcheck_ds_encryption(self, modify_tls): - """ - This testcase modifies the default TLS version of --- -2.43.0 - diff --git a/0033-ACME-Don-t-treat-pki-server-ca-config-show-failures-.patch b/0033-ACME-Don-t-treat-pki-server-ca-config-show-failures-.patch deleted file mode 100644 index 559ee5f..0000000 --- a/0033-ACME-Don-t-treat-pki-server-ca-config-show-failures-.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From b465cf6ea596907a2845c38df9c2446efe8e65ae Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 4 Jan 2024 17:32:45 -0500 -Subject: [PATCH] ACME: Don't treat pki-server ca-config-show failures as fatal - -Up to PKI 11.5.0 even when a pki-server call failed it had a -return value of 0. This was fixed in 11.5.0 which breaks -ipa-acme-manage pruning. If a configuration value is not set -then the call fails and the tool gives up with an error like: - -ERROR: No such parameter: jobsScheduler.job.pruning.certRetentionUnit - -In previous versions this resulted in an empty string so the tool -displayed the default value. - -So now upon failure look in the stderr output for "No such parameter" -and return an empty string so the behavior is consistent between -both old and new PKI server versions. - -Fixes: https://pagure.io/freeipa/issue/9503 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/ipa_acme_manage.py | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/ipaserver/install/ipa_acme_manage.py b/ipaserver/install/ipa_acme_manage.py -index e7c35ff6fb5b7a30ac9e2c0c18f8db805cf06ee9..dc2359f49dfdd5c8f44ab96ee11a7240f8937e11 100644 ---- a/ipaserver/install/ipa_acme_manage.py -+++ b/ipaserver/install/ipa_acme_manage.py -@@ -261,8 +261,13 @@ class IPAACMEManage(AdminTool): - result = run(args, raiseonerr=False, capture_output=True, - capture_error=True) - if result.returncode != 0: -+ # See if the parameter doesn't exist. If not then no -+ # user-specified value has been set. -+ # ERROR: No such parameter: jobsScheduler... 
-+ if 'No such parameter' in result.error_output: -+ return '' - raise RuntimeError(result.error_output) -- return result -+ return result.output.strip() - - def ca_config_set(directive, value, - prefix='jobsScheduler.job.pruning'): -@@ -274,9 +279,8 @@ class IPAACMEManage(AdminTool): - raise RuntimeError('Updating %s failed' % directive) - - def ca_config_show(directive): -- result = run_pki_server('ca-config-show', directive, -- prefix='jobsScheduler.job.pruning') -- return result.output.strip() -+ return run_pki_server('ca-config-show', directive, -+ prefix='jobsScheduler.job.pruning') - - def config_show(): - status = ca_config_show('enabled') --- -2.43.0 - diff --git a/0034-Fix-ipa-client-automount-install-uninstall-with-new-.patch b/0034-Fix-ipa-client-automount-install-uninstall-with-new-.patch deleted file mode 100644 index 891632c..0000000 --- a/0034-Fix-ipa-client-automount-install-uninstall-with-new-.patch +++ /dev/null 
@@ -1,125 +0,0 @@ -From 6340e88341b09b06391b35e50e8c4d7619b12dab Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 1 Dec 2023 08:51:05 -0500 -Subject: [PATCH] Fix ipa-client-automount install/uninstall with new install - states - -Issue 8384 introduced a new installation state for the statestore -to identify when client/server installation is completely finished -rather than relying on has_files(). - -The problem is that ipa-client-automount may be called during -ipa-client-install and since installation is not complete at that -point the automount install was failing with "IPA client not -configured". - -Add a new state, 'automount', to designate that automount installation -is in process. If check_client_configuration() fails it checks to -see if [installation] automount is True. If so it continues with the -installation. - -This also addresses an issue where the filestore and statestore are -shared between the client and automount installers but the client -wasn't refreshing state after automount completed. This resulted in -an incomplete state and index file of backed-up files which caused -files to not be restored on uninstall and the state file to be -orphaned. 
- -Fixes: https://pagure.io/freeipa/issue/9487 - -Signed-off-by: Rob Crittenden -Reviewed-By: Christian Heimes -Reviewed-By: Florence Blanc-Renaud ---- - ipaclient/install/client.py | 14 ++++++++++++-- - ipaclient/install/ipa_client_automount.py | 14 ++++++++------ - 2 files changed, 20 insertions(+), 8 deletions(-) - -diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py -index 7e3adee351ae31ed9fcbba422fcc03a1f904e1f9..976d3821dd6d66b5b7653298c628a2bc267fa8c6 100644 ---- a/ipaclient/install/client.py -+++ b/ipaclient/install/client.py -@@ -1273,7 +1273,7 @@ def create_sshd_ipa_config(options): - logger.info('Configured %s', paths.SSHD_IPA_CONFIG) - - --def configure_automount(options): -+def configure_automount(options, statestore): - logger.info('\nConfiguring automount:') - - args = [ -@@ -1286,12 +1286,15 @@ def configure_automount(options): - if not options.sssd: - args.append('--no-sssd') - -+ statestore.backup_state('installation', 'automount', True) - try: - result = run(args) - except Exception as e: - logger.error('Automount configuration failed: %s', str(e)) - else: - logger.info('%s', result.output_log) -+ finally: -+ statestore.delete_state('installation', 'automount') - - - def configure_nisdomain(options, domain, statestore): -@@ -3305,7 +3308,11 @@ def _install(options, tdict): - configure_sshd_config(fstore, options) - - if options.location: -- configure_automount(options) -+ configure_automount(options, statestore) -+ -+ # Reload the state as automount install may have modified it -+ fstore._load() -+ statestore._load() - - if options.configure_firefox: - configure_firefox(options, statestore, cli_domain) -@@ -3368,12 +3375,15 @@ def uninstall(options): - fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) - statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) - -+ statestore.backup_state('installation', 'automount', True) - try: - run([paths.IPA_CLIENT_AUTOMOUNT, "--uninstall", "--debug"]) - except 
CalledProcessError as e: - if e.returncode != CLIENT_NOT_CONFIGURED: - logger.error( - "Unconfigured automount client failed: %s", str(e)) -+ finally: -+ statestore.delete_state('installation', 'automount') - - # Reload the state as automount unconfigure may have modified it - fstore._load() -diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py -index b4b3387530afa9e80d13dd69e9d80080702f9e07..ee27872868b9ceaffdc58a9cf3fa89938e045526 100644 ---- a/ipaclient/install/ipa_client_automount.py -+++ b/ipaclient/install/ipa_client_automount.py -@@ -340,14 +340,16 @@ def configure_nfs(fstore, statestore, options): - - - def configure_automount(): -- try: -- check_client_configuration() -- except ScriptError as e: -- print(e.msg) -- sys.exit(e.rval) -+ statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) -+ if not statestore.get_state('installation', 'automount'): -+ # not called from ipa-client-install -+ try: -+ check_client_configuration() -+ except ScriptError as e: -+ print(e.msg) -+ sys.exit(e.rval) - - fstore = sysrestore.FileStore(paths.IPA_CLIENT_SYSRESTORE) -- statestore = sysrestore.StateFile(paths.IPA_CLIENT_SYSRESTORE) - - options, _args = parse_options() - --- -2.43.0 - diff --git a/0035-ipatests-Test-client-install-uninstall-with-automoun.patch b/0035-ipatests-Test-client-install-uninstall-with-automoun.patch deleted file mode 100644 index f275038..0000000 --- a/0035-ipatests-Test-client-install-uninstall-with-automoun.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From 18764964b72ba237eba5f7b1078185b2f0393d72 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 1 Dec 2023 10:47:24 -0500 -Subject: [PATCH] ipatests: Test client install/uninstall with automount - enabled - -The automount installation was failing. Confirm that it is fixed. - -The uninstall was not restoring all files/configuration. Verify -that the index and state files are gone which means that all state -and files were restored. - -Fixes: https://pagure.io/freeipa/issue/9487 - -Signed-off-by: Rob Crittenden -Reviewed-By: Christian Heimes -Reviewed-By: Florence Blanc-Renaud ---- - .../test_installation_client.py | 25 +++++++++++++++++++ - 1 file changed, 25 insertions(+) - -diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py -index 56e1593bfcfa3eb7f9918fc6f2993d836884ea38..f8567b39eead4dffd522aad504fa72a086969257 100644 ---- a/ipatests/test_integration/test_installation_client.py -+++ b/ipatests/test_integration/test_installation_client.py -@@ -8,12 +8,14 @@ Module provides tests for various options of ipa-client-install. 
- - from __future__ import absolute_import - -+import os - import pytest - import re - import shlex - import textwrap - - from ipaplatform.paths import paths -+from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE - from ipatests.test_integration.base import IntegrationTest - from ipatests.pytest_ipa.integration import tasks - from ipatests.pytest_ipa.integration.firewall import Firewall -@@ -90,6 +92,29 @@ class TestInstallClient(IntegrationTest): - assert 'includedir {dir}'.format( - dir=paths.SSSD_PUBCONF_KRB5_INCLUDE_D_DIR - ).encode() not in krb5_cfg -+ tasks.uninstall_client(self.clients[0]) -+ -+ def test_install_with_automount(self): -+ """Test that installation with automount is successful""" -+ tasks.install_client(self.master, self.clients[0], -+ extra_args=['--automount-location', 'default']) -+ -+ def test_uninstall_with_automount(self): -+ """Test that uninstall with automount is successful and complete""" -+ tasks.uninstall_client(self.clients[0]) -+ index = os.path.join( -+ paths.IPA_CLIENT_SYSRESTORE, SYSRESTORE_INDEXFILE -+ ) -+ state = os.path.join( -+ paths.IPA_CLIENT_SYSRESTORE, SYSRESTORE_STATEFILE -+ ) -+ for filepath in (index, state): -+ try: -+ self.clients[0].get_file_contents(filepath) -+ except IOError: -+ pass -+ else: -+ pytest.fail("The client file %s was not removed" % filepath) - - - class TestClientInstallBind(IntegrationTest): --- -2.43.0 - diff --git a/0036-ipa-client-automount-Don-t-use-deprecated-ipadiscove.patch b/0036-ipa-client-automount-Don-t-use-deprecated-ipadiscove.patch deleted file mode 100644 index 1c93282..0000000 --- a/0036-ipa-client-automount-Don-t-use-deprecated-ipadiscove.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 526147ec9362124191a54c9ae8debd0234af3d49 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 1 Dec 2023 09:08:48 -0500 -Subject: [PATCH] ipa-client-automount: Don't use deprecated - ipadiscovery.IPADiscovery - -This class was moved to ipaclient/discovery.py in e6d560af66 to make -it available to PyPI. - -Related: https://pagure.io/freeipa/issue/9487 - -Signed-off-by: Rob Crittenden -Reviewed-By: Christian Heimes -Reviewed-By: Florence Blanc-Renaud ---- - ipaclient/install/ipa_client_automount.py | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/ipaclient/install/ipa_client_automount.py b/ipaclient/install/ipa_client_automount.py -index ee27872868b9ceaffdc58a9cf3fa89938e045526..297a784c4e1b6f1d29d51b6d3fd4b91d05672b9c 100644 ---- a/ipaclient/install/ipa_client_automount.py -+++ b/ipaclient/install/ipa_client_automount.py -@@ -36,7 +36,7 @@ from six.moves.urllib.parse import urlsplit - - from optparse import OptionParser # pylint: disable=deprecated-module - from ipapython import ipachangeconf --from ipaclient.install import ipadiscovery -+from ipaclient import discovery - from ipaclient.install.client import ( - CLIENT_NOT_CONFIGURED, - CLIENT_ALREADY_CONFIGURED, -@@ -384,12 +384,12 @@ def configure_automount(): - sys.exit(CLIENT_ALREADY_CONFIGURED) - - autodiscover = False -- ds = ipadiscovery.IPADiscovery() -+ ds = discovery.IPADiscovery() - if not options.server: - print("Searching for IPA server...") - ret = ds.search(ca_cert_path=ca_cert_path) - logger.debug('Executing DNS discovery') -- if ret == ipadiscovery.NO_LDAP_SERVER: -+ if ret == discovery.NO_LDAP_SERVER: - logger.debug('Autodiscovery did not find LDAP server') - s = urlsplit(api.env.xmlrpc_uri) - server = [s.netloc] -@@ -409,14 +409,14 @@ def configure_automount(): - server = options.server - logger.debug("Verifying that %s is an IPA server", server) - ldapret = ds.ipacheckldap(server, api.env.realm, ca_cert_path) -- if ldapret[0] == 
ipadiscovery.NO_ACCESS_TO_LDAP: -+ if ldapret[0] == discovery.NO_ACCESS_TO_LDAP: - print("Anonymous access to the LDAP server is disabled.") - print("Proceeding without strict verification.") - print( - "Note: This is not an error if anonymous access has been " - "explicitly restricted." - ) -- elif ldapret[0] == ipadiscovery.NO_TLS_LDAP: -+ elif ldapret[0] == discovery.NO_TLS_LDAP: - logger.warning("Unencrypted access to LDAP is not supported.") - elif ldapret[0] != 0: - sys.exit('Unable to confirm that %s is an IPA server' % server) --- -2.43.0 - diff --git a/0037-Server-affinity-Retain-user-requested-remote-server.patch b/0037-Server-affinity-Retain-user-requested-remote-server.patch deleted file mode 100644 index 66a939b..0000000 --- a/0037-Server-affinity-Retain-user-requested-remote-server.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From d2ffa10df62bba45aa63232d3ad9a5ebf7158eea Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 5 Dec 2023 14:34:31 -0500 -Subject: [PATCH] Server affinity: Retain user-requested remote server - -We want to avoid splitting a replica server installation between -two hosts where possible so if a CA or KRA is requested then -we only try to install against a remote server that also provides -those capabilities. This avoids race conditions. - -If a CA or KRA is not requested and the user has provided a -server to install against then use that instead of overriding it. - -Extend the logic of picking the remote Custodia mode -(KRA, CA, *MASTER*) to include considering whether the -CA and KRA services are requested. If the service(s) are -not requested the the associated hostname may not be -reliable. - -Fixes: https://pagure.io/freeipa/issue/9491 -Related: https://pagure.io/freeipa/issue/9289 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/server/replicainstall.py | 19 +++++++++---------- - 1 file changed, 9 insertions(+), 10 deletions(-) - -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 27fbdef8ec9aa5ae343352ebf3c61d74d65c8958..8096b6accb4c94fefdfcc06f19584c63c24d7baf 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -782,6 +782,7 @@ def promotion_check_host_principal_auth_ind(conn, hostdn): - - - def remote_connection(config): -+ logger.debug("Creating LDAP connection to %s", config.master_host_name) - ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name) - xmlrpc_uri = 'https://{}/ipa/xml'.format( - ipautil.format_netloc(config.master_host_name)) -@@ -1087,7 +1088,7 @@ def promote_check(installer): - 'CA', conn, preferred_cas - ) - if ca_host is not None: -- if config.master_host_name != ca_host: -+ if options.setup_ca and config.master_host_name != ca_host: - 
conn.disconnect() - del remote_api - config.master_host_name = ca_host -@@ -1096,8 +1097,7 @@ def promote_check(installer): - conn = remote_api.Backend.ldap2 - conn.connect(ccache=installer._ccache) - config.ca_host_name = ca_host -- config.master_host_name = ca_host -- ca_enabled = True -+ ca_enabled = True # There is a CA somewhere in the topology - if options.dirsrv_cert_files: - logger.error("Certificates could not be provided when " - "CA is present on some master.") -@@ -1135,7 +1135,7 @@ def promote_check(installer): - 'KRA', conn, preferred_kras - ) - if kra_host is not None: -- if config.master_host_name != kra_host: -+ if options.setup_kra and config.master_host_name != kra_host: - conn.disconnect() - del remote_api - config.master_host_name = kra_host -@@ -1143,10 +1143,9 @@ def promote_check(installer): - installer._remote_api = remote_api - conn = remote_api.Backend.ldap2 - conn.connect(ccache=installer._ccache) -- config.kra_host_name = kra_host -- config.ca_host_name = kra_host -- config.master_host_name = kra_host -- kra_enabled = True -+ config.kra_host_name = kra_host -+ config.ca_host_name = kra_host -+ kra_enabled = True # There is a KRA somewhere in the topology - if options.setup_kra and options.server and \ - kra_host != options.server: - # Installer was provided with a specific master -@@ -1372,10 +1371,10 @@ def install(installer): - otpd.create_instance('OTPD', config.host_name, - ipautil.realm_to_suffix(config.realm_name)) - -- if kra_enabled: -+ if options.setup_kra and kra_enabled: - # A KRA peer always provides a CA, too. - mode = custodiainstance.CustodiaModes.KRA_PEER -- elif ca_enabled: -+ elif options.setup_ca and ca_enabled: - mode = custodiainstance.CustodiaModes.CA_PEER - else: - mode = custodiainstance.CustodiaModes.MASTER_PEER --- -2.43.0 - diff --git a/0038-get_directive-don-t-error-out-on-substring-mismatch.patch b/0038-get_directive-don-t-error-out-on-substring-mismatch.patch deleted file mode 100644 index 1447e72..0000000 
--- a/0038-get_directive-don-t-error-out-on-substring-mismatch.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 95b066d629de935bfb52e732ce52026e18e9c64d Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Wed, 10 Jan 2024 16:45:12 -0500 -Subject: [PATCH] get_directive: don't error out on substring mismatch - -This function is designed to retrieve a value from an -ini-like file. In particular PKI CS.cfg. - -In an attempt to be more efficient a substring search, -using startswith(), is used before calling a regular -expression match. - -The problem is that if the requested directive is a -substring of a different one then it will pass the -startswith() and fail the regular expression match -with a ValueError, assuming it is malformed. - -There is no need for this. The caller must be able to -handle None as a response anyway. So continue if -no match is found. - -This was seen when PKI dropped storing certificate blobs -in CS.cfg. The CA certificate is stored in ca.signing.cert. -If it isn't present then ca.signing.certnickname will match -the substring but not the directive. This should not be -treated as an error. 
- -Fixes: https://pagure.io/freeipa/issue/9506 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipapython/directivesetter.py | 5 ++- - .../test_ipapython/test_directivesetter.py | 33 +++++++++++++++++++ - 2 files changed, 37 insertions(+), 1 deletion(-) - -diff --git a/ipapython/directivesetter.py b/ipapython/directivesetter.py -index f4e496c7f0f785a909bfb5b8196582fb5dd865ea..732e1c239ca375e6ec08882e4731f97cb1ff58a9 100644 ---- a/ipapython/directivesetter.py -+++ b/ipapython/directivesetter.py -@@ -182,6 +182,9 @@ def get_directive(filename, directive, separator=' '): - if separator == ' ': - separator = '[ \t]+' - -+ if directive is None: -+ return None -+ - result = None - with open(filename, "r") as fd: - for line in fd: -@@ -193,7 +196,7 @@ def get_directive(filename, directive, separator=' '): - if match: - value = match.group(1) - else: -- raise ValueError("Malformed directive: {}".format(line)) -+ continue - - result = unquote_directive_value(value.strip(), '"') - result = result.strip(' ') -diff --git a/ipatests/test_ipapython/test_directivesetter.py b/ipatests/test_ipapython/test_directivesetter.py -index 08a30124b12c3bd8edf8fa7930377faf7b181f5d..ff86559e0a3eb018e4a26a489c190a0da380ce1f 100644 ---- a/ipatests/test_ipapython/test_directivesetter.py -+++ b/ipatests/test_ipapython/test_directivesetter.py -@@ -18,6 +18,10 @@ WHITESPACE_CONFIG = [ - 'foobar\t2\n', - ] - -+SUBSTRING_CONFIG = [ -+ 'foobar=2\n', -+] -+ - - class test_set_directive_lines: - def test_remove_directive(self): -@@ -88,6 +92,7 @@ class test_set_directive: - - class test_get_directive: - def test_get_directive(self, tmpdir): -+ """Test retrieving known values from a config file""" - configfile = tmpdir.join('config') - configfile.write(''.join(EXAMPLE_CONFIG)) - -@@ -97,6 +102,34 @@ class test_get_directive: - assert '2' == directivesetter.get_directive(str(configfile), - 'foobar', - separator='=') -+ assert None is 
directivesetter.get_directive(str(configfile), -+ 'notfound', -+ separator='=') -+ -+ def test_get_directive_substring(self, tmpdir): -+ """Test retrieving values from a config file where there is -+ a similar substring that is not present. -+ """ -+ configfile = tmpdir.join('config') -+ configfile.write(''.join(SUBSTRING_CONFIG)) -+ -+ assert None is directivesetter.get_directive(str(configfile), -+ 'foo', -+ separator='=') -+ assert '2' == directivesetter.get_directive(str(configfile), -+ 'foobar', -+ separator='=') -+ -+ def test_get_directive_none(self, tmpdir): -+ """Test retrieving a value from a config file where the -+ directive is None. i.e. don't fail. -+ """ -+ configfile = tmpdir.join('config') -+ configfile.write(''.join(EXAMPLE_CONFIG)) -+ -+ assert None is directivesetter.get_directive(str(configfile), -+ None, -+ separator='=') - - - class test_get_directive_whitespace: --- -2.43.0 - diff --git a/0039-host-update-System-Manage-Host-Keytab-permission.patch b/0039-host-update-System-Manage-Host-Keytab-permission.patch deleted file mode 100644 index a4c46a9..0000000 --- a/0039-host-update-System-Manage-Host-Keytab-permission.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Thu, 21 Dec 2023 09:38:57 +0200 -Subject: [PATCH] host: update System: Manage Host Keytab permission - -Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended -operation to get a keytab is supposed to be used. This keytab -setting/retrieval extended operation checks access rights of the bound -DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'. - -If the write isn't allowed, the operation is rejected and ipa-getkeytab -tool falls back to an older code that generates the keytab on the client -and forcibly sets to the LDAP entry. For the latter, a check is done to -make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute. - -This fallback should never happen for newer deployments. When enrollemnt -operation is delegated to non-administrative user with the help of 'Host -Enrollment' role, a host can be pre-created or created at enrollment -time, if this non-administrative user has 'Host Administrators' role. In -the latter case a system permission 'System: Manage Host Keytab' grants -write access to 'krbPrincipalKey' attribute but lacks any access to the -virtual attributes expected by the new extended operation. - -There is a second virtual attribute, 'ipaProtectedOperation;read_keys', -that allows to retrieve existing keys for a host. However, during -initial enrollment we do not allow to retrieve and reuse existing -Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve -the existing key, 'ipa-join' has no way to trigger that operation. -Hence, permission 'System: Manage Host Keytab' will not grant the right -to read the Kerberos key via extended operation used by 'ipa-getkeytab --r'. Such operation can be done later by utilizing 'ipa -service/host-allow-retrieve-keytab' commands. 
- -Fix 'System: Manage Host Keytab' permission and extend a permission test -to see that we do not fallback to the old extended operation. - -Fixes: https://pagure.io/freeipa/issue/9496 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - ACI.txt | 2 +- - ipaserver/plugins/host.py | 3 ++- - ipatests/test_integration/test_user_permissions.py | 7 +++++++ - 3 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/ACI.txt b/ACI.txt -index e6d6e3d1586c098f528d17fe940a1364b415654f..236bb43677bd9d84798a7ab418412b337fbf5c59 100644 ---- a/ACI.txt -+++ b/ACI.txt -@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve - dn: cn=computers,cn=accounts,dc=ipa,dc=example - aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: cn=computers,cn=accounts,dc=ipa,dc=example --aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";) -+aci: (targetattr = "ipaprotectedoperation;write_keys || krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: cn=computers,cn=accounts,dc=ipa,dc=example - aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = 
"(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: cn=computers,cn=accounts,dc=ipa,dc=example -diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py -index 3ef510edc77a07ad504f07614d0c5524a3c34646..b02c8b55fde037c5fa0a9c73575b22e3c7177806 100644 ---- a/ipaserver/plugins/host.py -+++ b/ipaserver/plugins/host.py -@@ -409,7 +409,8 @@ class host(LDAPObject): - api.env.container_hostgroup, - api.env.basedn), - ], -- 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'}, -+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey', -+ 'ipaprotectedoperation;write_keys'}, - 'replaces': [ - '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)', - ], -diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py -index 3333a4f6b961961aea7dadf2eb36d7ed3b31e410..cd1096ff3582f9c0cfdb16b5ed876164139f1a1b 100644 ---- a/ipatests/test_integration/test_user_permissions.py -+++ b/ipatests/test_integration/test_user_permissions.py -@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest): - self.master.run_command(['ipa', 'privilege-add-permission', - '--permissions', 'System: Add Hosts', - 'Add Hosts']) -+ self.master.run_command(['ipa', 'privilege-add-permission', -+ '--permissions', 'System: Manage Host Keytab', -+ 'Add Hosts']) - - self.master.run_command(['ipa', 'role-add-privilege', 'useradmin', - '--privileges', 'Host Enrollment']) -@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest): - encoding='utf-8') - assert msg in install_log - -+ # Make sure we do not fallback to an old keytab retrieval 
method anymore -+ msg = "Retrying with pre-4.0 keytab retrieval method..." -+ assert msg not in install_log -+ - # check that user is able to request a host cert, too - result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR) - assert 'Local IPA host' in result.stdout_text --- -2.43.0 - diff --git a/0040-adtrustinstance-make-sure-NetBIOS-name-defaults-are-.patch b/0040-adtrustinstance-make-sure-NetBIOS-name-defaults-are-.patch deleted file mode 100644 index fbd49d7..0000000 --- a/0040-adtrustinstance-make-sure-NetBIOS-name-defaults-are-.patch +++ /dev/null @@ -1,35 +0,0 @@ -From eab52d3cda9bbec716008c040551bd11facd0e11 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 17 Jan 2024 12:27:26 +0200 -Subject: [PATCH] adtrustinstance: make sure NetBIOS name defaults are set - properly - -Some tools may pass None as NetBIOS name if not put explicitly by a -user. This meant to use default NetBIOS name generator based on the -domain (realm) name. However, this wasn't done properly, so None is -passed later to python-ldap and it rejects such LDAP entry. - -Fixes: https://pagure.io/freeipa/issue/9514 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/adtrustinstance.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py -index d55ba849157bee8e335e2e0772514fc15ec11193..2ff68dfb46371a6118eb67515347eb762a37e1ec 100644 ---- a/ipaserver/install/adtrustinstance.py -+++ b/ipaserver/install/adtrustinstance.py -@@ -189,6 +189,8 @@ class ADTRUSTInstance(service.Service): - self.fqdn = self.fqdn or api.env.host - self.host_netbios_name = make_netbios_name(self.fqdn) - self.realm = self.realm or api.env.realm -+ if not self.netbios_name: -+ self.netbios_name = make_netbios_name(self.realm) - - self.suffix = ipautil.realm_to_suffix(self.realm) - self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \ --- -2.43.0 - 
diff --git a/0041-Server-affinity-Don-t-rely-just-on-ca-kra-_enabled-f.patch b/0041-Server-affinity-Don-t-rely-just-on-ca-kra-_enabled-f.patch deleted file mode 100644 index e6aed29..0000000 --- a/0041-Server-affinity-Don-t-rely-just-on-ca-kra-_enabled-f.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 851ce93ac07044172a7db56d54ab9e1d7c7ec79f Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 15 Jan 2024 09:05:58 -0500 -Subject: [PATCH] Server affinity: Don't rely just on [ca|kra]_enabled for - installs - -ca_enable and kra_enabled are intended to be used to identify that -a CA or KRA is available in the topology. It was also being used -to determine whether a CA or KRA service is desired on a replica -install, rather than options.setup_[ca|kra] - -Fixes: https://pagure.io/freeipa/issue/9510 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/server/replicainstall.py | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 8096b6accb4c94fefdfcc06f19584c63c24d7baf..191913ddb973b94bcd8ad920570edcee27349ffd 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -1143,7 +1143,8 @@ def promote_check(installer): - installer._remote_api = remote_api - conn = remote_api.Backend.ldap2 - conn.connect(ccache=installer._ccache) -- config.kra_host_name = kra_host -+ config.kra_host_name = kra_host -+ if options.setup_kra: # only reset ca_host if KRA is requested - config.ca_host_name = kra_host - kra_enabled = True # There is a KRA somewhere in the topology - if options.setup_kra and options.server and \ -@@ -1381,7 +1382,7 @@ def install(installer): - custodia = custodiainstance.get_custodia_instance(config, mode) - custodia.create_instance() - -- if ca_enabled: -+ if options.setup_ca and ca_enabled: - options.realm_name = config.realm_name - options.domain_name = config.domain_name - options.host_name = config.host_name -@@ -1397,7 +1398,7 @@ def install(installer): - service.print_msg("Finalize replication settings") - ds.finalize_replica_config() - -- if kra_enabled: -+ if options.setup_kra and kra_enabled: - kra.install(api, 
config, options, custodia=custodia) - - service.print_msg("Restarting the KDC") --- -2.43.0 - diff --git a/0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch b/0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch deleted file mode 100644 index 61926ae..0000000 --- a/0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From 3b2f3d41e4de0bcb78bfaecb32e06cbd22b809c2 Mon Sep 17 00:00:00 2001 -From: Masahiro Matsuya -Date: Tue, 9 Jan 2024 23:12:11 +0900 -Subject: [PATCH] ipatests: wait for replica update in test_dns_locations - -test_ipa_ca_records and test_adtrust_system_records can fail with -NXDOMAIN, because it doesn't wait enough for the update on replica. -It can be resolved by waiting for the update with wait_for_replication. - -Fixes: https://pagure.io/freeipa/issue/9504 -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_integration/test_dns_locations.py | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ipatests/test_integration/test_dns_locations.py b/ipatests/test_integration/test_dns_locations.py -index 44900af8015ff62728f64bc626eedfcead41e214..89a310892954cbee88d1cf38683e80a2e47122ef 100644 ---- a/ipatests/test_integration/test_dns_locations.py -+++ b/ipatests/test_integration/test_dns_locations.py -@@ -534,6 +534,9 @@ class TestDNSLocations(IntegrationTest): - - expected_servers = (self.master.ip, self.replicas[1].ip) - -+ ldap = self.master.ldap_connect() -+ tasks.wait_for_replication(ldap) -+ - for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip): - self._test_A_rec_against_server(ip, self.domain, expected_servers) - -@@ -557,6 +560,9 @@ class TestDNSLocations(IntegrationTest): - (self.PRIO_HIGH, self.WEIGHT, DNSName(self.master.hostname)), - ) - -+ ldap = self.master.ldap_connect() -+ tasks.wait_for_replication(ldap) -+ - for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip): - self._test_SRV_rec_against_server( - ip, self.domain, expected_servers, --- -2.43.0 - diff --git a/0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch b/0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch deleted file mode 100644 index 2d463e6..0000000 --- a/0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 5dbb3101cee7a96ec8eef40be8e802d456c0d06c Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 22 Jan 2024 08:36:27 -0500 -Subject: [PATCH] Server affinity: call ca.install() if there is a CA in the - topology - -This should not have been gated on options.setup_ca because we need -the RA agent on all servers if there is a CA in the topology otherwise -the non-CA servers won't be able to communicate with the CA. - -Fixes: https://pagure.io/freeipa/issue/9510 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/ca.py | 7 ++++--- - ipaserver/install/server/replicainstall.py | 7 +++++-- - 2 files changed, 9 insertions(+), 5 deletions(-) - -diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py -index c93ae1fce4c8848d493677eafee7952740e51631..187f8032b6190799027135d5d3932dbdee4dea8a 100644 ---- a/ipaserver/install/ca.py -+++ b/ipaserver/install/ca.py -@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia): - promote = False - else: - cafile = os.path.join(replica_config.dir, 'cacert.p12') -- custodia.get_ca_keys( -- cafile, -- replica_config.dirman_password) -+ if replica_config.setup_ca: -+ custodia.get_ca_keys( -+ cafile, -+ replica_config.dirman_password) - - ca_signing_algorithm = None - ca_type = None -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 191913ddb973b94bcd8ad920570edcee27349ffd..b3fd27e6a15db298f9a97d514d24662c83141013 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -1382,11 +1382,13 @@ def install(installer): - custodia = custodiainstance.get_custodia_instance(config, mode) - custodia.create_instance() - -- if options.setup_ca and ca_enabled: -+ if ca_enabled: - options.realm_name = config.realm_name - options.domain_name = config.domain_name - options.host_name = config.host_name - options.dm_password = 
config.dirman_password -+ # Always call ca.install() if there is a CA in the topology -+ # to ensure the RA agent is present. - ca.install(False, config, options, custodia=custodia) - - # configure PKINIT now that all required services are in place -@@ -1398,7 +1400,8 @@ def install(installer): - service.print_msg("Finalize replication settings") - ds.finalize_replica_config() - -- if options.setup_kra and kra_enabled: -+ if kra_enabled: -+ # The KRA installer checks for itself the status of setup_kra - kra.install(api, config, options, custodia=custodia) - - service.print_msg("Restarting the KDC") --- -2.43.0 - diff --git a/0044-ipapython-Clean-up-krb5_error.patch b/0044-ipapython-Clean-up-krb5_error.patch deleted file mode 100644 index a022956..0000000 --- a/0044-ipapython-Clean-up-krb5_error.patch +++ /dev/null 
@@ -1,144 +0,0 @@ -From 33638de180a8157e369ad6c61f9e3406d9e85404 Mon Sep 17 00:00:00 2001 -From: Stanislav Levin -Date: Tue, 23 Jan 2024 19:12:53 +0300 -Subject: [PATCH] ipapython: Clean up krb5_error - -`krb5_error` has different definition in MIT krb. -https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html - -> Error message structure. -> -> Declaration: -> typedef struct _krb5_error krb5_error - -While `krb5_error_code` -https://web.mit.edu/kerberos/www/krb5-latest/doc/appdev/refs/types/krb5_error_code.html#c.krb5_error_code - -> krb5_error_code -> Used to convey an operation status. -> -> The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error. -> -> Declaration -> typedef krb5_int32 krb5_error_code - -And this is what was actually used. - -To prevent confusion of types `krb5_error` was replaced with -`krb5_error_code`. - -Fixes: https://pagure.io/freeipa/issue/9519 -Signed-off-by: Stanislav Levin -Reviewed-By: Alexander Bokovoy ---- - ipapython/session_storage.py | 25 ++++++++++++------------- - 1 file changed, 12 insertions(+), 13 deletions(-) - -diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py -index c43ef7d4e8ef5931f6d74d360be131fe46159dc7..371cf152472d54c9a59b60bece9559323ede78b7 100644 ---- a/ipapython/session_storage.py -+++ b/ipapython/session_storage.py -@@ -111,7 +111,7 @@ class KRB5Error(Exception): - - - def krb5_errcheck(result, func, arguments): -- """Error checker for krb5_error return value""" -+ """Error checker for krb5_error_code return value""" - if result != 0: - raise KRB5Error(result, func.__name__, arguments) - -@@ -119,14 +119,13 @@ def krb5_errcheck(result, func, arguments): - krb5_context = ctypes.POINTER(_krb5_context) - krb5_ccache = ctypes.POINTER(_krb5_ccache) - krb5_data_p = ctypes.POINTER(_krb5_data) --krb5_error = ctypes.c_int32 - krb5_creds = _krb5_creds - krb5_pointer = ctypes.c_void_p - 
krb5_cc_cursor = krb5_pointer - - krb5_init_context = LIBKRB5.krb5_init_context - krb5_init_context.argtypes = (ctypes.POINTER(krb5_context), ) --krb5_init_context.restype = krb5_error -+krb5_init_context.restype = krb5_error_code - krb5_init_context.errcheck = krb5_errcheck - - krb5_free_context = LIBKRB5.krb5_free_context -@@ -143,30 +142,30 @@ krb5_free_data_contents.restype = None - - krb5_cc_default = LIBKRB5.krb5_cc_default - krb5_cc_default.argtypes = (krb5_context, ctypes.POINTER(krb5_ccache), ) --krb5_cc_default.restype = krb5_error -+krb5_cc_default.restype = krb5_error_code - krb5_cc_default.errcheck = krb5_errcheck - - krb5_cc_close = LIBKRB5.krb5_cc_close - krb5_cc_close.argtypes = (krb5_context, krb5_ccache, ) --krb5_cc_close.restype = krb5_error -+krb5_cc_close.restype = krb5_error_code - krb5_cc_close.errcheck = krb5_errcheck - - krb5_parse_name = LIBKRB5.krb5_parse_name - krb5_parse_name.argtypes = (krb5_context, ctypes.c_char_p, - ctypes.POINTER(krb5_principal), ) --krb5_parse_name.restype = krb5_error -+krb5_parse_name.restype = krb5_error_code - krb5_parse_name.errcheck = krb5_errcheck - - krb5_cc_set_config = LIBKRB5.krb5_cc_set_config - krb5_cc_set_config.argtypes = (krb5_context, krb5_ccache, krb5_principal, - ctypes.c_char_p, krb5_data_p, ) --krb5_cc_set_config.restype = krb5_error -+krb5_cc_set_config.restype = krb5_error_code - krb5_cc_set_config.errcheck = krb5_errcheck - - krb5_cc_get_principal = LIBKRB5.krb5_cc_get_principal - krb5_cc_get_principal.argtypes = (krb5_context, krb5_ccache, - ctypes.POINTER(krb5_principal), ) --krb5_cc_get_principal.restype = krb5_error -+krb5_cc_get_principal.restype = krb5_error_code - krb5_cc_get_principal.errcheck = krb5_errcheck - - # krb5_build_principal is a variadic function but that can't be expressed -@@ -177,26 +176,26 @@ krb5_build_principal.argtypes = (krb5_context, ctypes.POINTER(krb5_principal), - ctypes.c_uint, ctypes.c_char_p, - ctypes.c_char_p, ctypes.c_char_p, - ctypes.c_char_p, 
ctypes.c_char_p, ) --krb5_build_principal.restype = krb5_error -+krb5_build_principal.restype = krb5_error_code - krb5_build_principal.errcheck = krb5_errcheck - - krb5_cc_start_seq_get = LIBKRB5.krb5_cc_start_seq_get - krb5_cc_start_seq_get.argtypes = (krb5_context, krb5_ccache, - ctypes.POINTER(krb5_cc_cursor), ) --krb5_cc_start_seq_get.restype = krb5_error -+krb5_cc_start_seq_get.restype = krb5_error_code - krb5_cc_start_seq_get.errcheck = krb5_errcheck - - krb5_cc_next_cred = LIBKRB5.krb5_cc_next_cred - krb5_cc_next_cred.argtypes = (krb5_context, krb5_ccache, - ctypes.POINTER(krb5_cc_cursor), - ctypes.POINTER(krb5_creds), ) --krb5_cc_next_cred.restype = krb5_error -+krb5_cc_next_cred.restype = krb5_error_code - krb5_cc_next_cred.errcheck = krb5_errcheck - - krb5_cc_end_seq_get = LIBKRB5.krb5_cc_end_seq_get - krb5_cc_end_seq_get.argtypes = (krb5_context, krb5_ccache, - ctypes.POINTER(krb5_cc_cursor), ) --krb5_cc_end_seq_get.restype = krb5_error -+krb5_cc_end_seq_get.restype = krb5_error_code - krb5_cc_end_seq_get.errcheck = krb5_errcheck - - krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents -@@ -212,7 +211,7 @@ krb5_principal_compare.restype = krb5_boolean - krb5_unparse_name = LIBKRB5.krb5_unparse_name - krb5_unparse_name.argtypes = (krb5_context, krb5_principal, - ctypes.POINTER(ctypes.c_char_p), ) --krb5_unparse_name.restype = krb5_error -+krb5_unparse_name.restype = krb5_error_code - krb5_unparse_name.errcheck = krb5_errcheck - - krb5_free_unparsed_name = LIBKRB5.krb5_free_unparsed_name --- -2.43.0 - diff --git a/0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch b/0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch deleted file mode 100644 index ed6743d..0000000 --- a/0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From f8a616dc6196324145372713da772fe9b2352e53 Mon Sep 17 00:00:00 2001 -From: Stanislav Levin -Date: Tue, 23 Jan 2024 19:19:43 +0300 -Subject: [PATCH] ipapython: Correct return type of krb5_free_cred_contents - -According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html - -> krb5_free_cred_contents - Free the contents of a krb5_creds structure. -> -> void krb5_free_cred_contents(krb5_context context, krb5_creds * val) -> param: -> [in] context - Library context -> -> [in] val - Credential structure to free contents of -> -> This function frees the contents of val , but not the structure itself. - -https://github.com/krb5/krb5/blob/5b00197227231943bd2305328c8260dd0b0dbcf0/src/lib/krb5/krb/kfree.c#L166 - -This leads to undefined behavior and `krb5_free_cred_contents` can -raise KRB5Error (because of garbage data) while actually its foreign -function doesn't. - -Fixes: https://pagure.io/freeipa/issue/9519 -Signed-off-by: Stanislav Levin -Reviewed-By: Alexander Bokovoy ---- - ipapython/session_storage.py | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py -index 371cf152472d54c9a59b60bece9559323ede78b7..dc36f54939a838bcb933dfb0089410d9b00f9e4d 100644 ---- a/ipapython/session_storage.py -+++ b/ipapython/session_storage.py -@@ -200,8 +200,7 @@ krb5_cc_end_seq_get.errcheck = krb5_errcheck - - krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents - krb5_free_cred_contents.argtypes = (krb5_context, ctypes.POINTER(krb5_creds)) --krb5_free_cred_contents.restype = krb5_error --krb5_free_cred_contents.errcheck = krb5_errcheck -+krb5_free_cred_contents.restype = None - - krb5_principal_compare = LIBKRB5.krb5_principal_compare - krb5_principal_compare.argtypes = (krb5_context, krb5_principal, --- -2.43.0 - 
diff --git a/0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch b/0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch deleted file mode 100644 index 1043528..0000000 --- a/0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From 59b8a9fb7169561c7ba9168fe84f47ae94e5ce23 Mon Sep 17 00:00:00 2001 -From: Stanislav Levin -Date: Tue, 23 Jan 2024 19:52:34 +0300 -Subject: [PATCH] ipapython: Propagate KRB5Error exceptions on iterating ccache - -`ipapython.session_storage.get_data` iterates over -credentials in a credential cache till `krb5_cc_next_cred` returns -an error. This function doesn't expect any error on calling -other kerberos foreign functions during iteration. But that can -actually happen and KRB5Error exceptions stop an iteration while -they should be propagated. - -With this change iteration will exactly stop on `krb5_cc_next_cred` -error as it was supposed to be. - -Fixes: https://pagure.io/freeipa/issue/9519 -Signed-off-by: Stanislav Levin -Reviewed-By: Alexander Bokovoy ---- - ipapython/session_storage.py | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py -index dc36f54939a838bcb933dfb0089410d9b00f9e4d..e890dc9b11475cc26d212ccbe040df3cfbfba6e8 100644 ---- a/ipapython/session_storage.py -+++ b/ipapython/session_storage.py -@@ -312,8 +312,12 @@ def get_data(princ_name, key): - checkcreds = krb5_creds() - # the next function will throw an error and break out of the - # while loop when we try to access past the last cred -- krb5_cc_next_cred(context, ccache, ctypes.byref(cursor), -- ctypes.byref(checkcreds)) -+ try: -+ krb5_cc_next_cred(context, ccache, ctypes.byref(cursor), -+ ctypes.byref(checkcreds)) -+ except KRB5Error: -+ break -+ - if (krb5_principal_compare(context, principal, - checkcreds.client) == 1 and - krb5_principal_compare(context, srv_princ, -@@ -328,8 +332,6 @@ def get_data(princ_name, key): - else: - krb5_free_cred_contents(context, - ctypes.byref(checkcreds)) -- except KRB5Error: -- pass - finally: - krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor)) - --- -2.43.0 - 
diff --git a/0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch b/0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch deleted file mode 100644 index 71bfd51..0000000 --- a/0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch +++ /dev/null 
@@ -1,91 +0,0 @@ -From 34b58d8ee93ab385c1f3ba1166377fc1008a9c17 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Wed, 24 Jan 2024 15:50:17 +0100 -Subject: [PATCH] ipa-kdb: Fix memory leak during PAC verification - -Commit 0022bd70d93708d325855d5271516d6cd894d6e8 introduced a memory leak -during the copy of some PAC buffers, because of an unfreed memory -allocation context. - -Fixes: https://pagure.io/freeipa/issue/9520 - -Signed-off-by: Julien Rische -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-kdb/ipa_kdb_mspac.c | 28 +++++++++++++--------------- - 1 file changed, 13 insertions(+), 15 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 1558e2bead288d9d00014e9b3b059934e80b54e4..2866304e1e374fb6a8dc3400dd1f56583d9d9197 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -2316,6 +2316,7 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context, - size_t i; - struct dom_sid *requester_sid = NULL; - struct dom_sid req_sid; -+ TALLOC_CTX *tmpctx = NULL; - - if (signing_krbtgt != NULL && - ipadb_is_cross_realm_krbtgt(signing_krbtgt->princ)) { -@@ -2371,6 +2372,12 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context, - goto done; - } - -+ tmpctx = talloc_new(NULL); -+ if (tmpctx == NULL) { -+ kerr = ENOMEM; -+ goto done; -+ } -+ - for (i = 0; i < num_buffers; i++) { - if (types[i] == KRB5_PAC_SERVER_CHECKSUM || - types[i] == KRB5_PAC_PRIVSVR_CHECKSUM || -@@ -2398,32 +2405,21 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context, - DATA_BLOB pac_attrs_data; - krb5_boolean pac_requested; - -- TALLOC_CTX *tmpctx = talloc_new(NULL); -- if (tmpctx == NULL) { -- kerr = ENOMEM; -- goto done; -- } -- - kerr = ipadb_client_requested_pac(context, old_pac, tmpctx, &pac_requested); -- if (kerr != 0) { -- talloc_free(tmpctx); -+ if (kerr) - goto done; -- } - - kerr = ipadb_get_pac_attrs_blob(tmpctx, &pac_requested, &pac_attrs_data); -- if (kerr) { -- 
talloc_free(tmpctx); -+ if (kerr) - goto done; -- } -+ - data.magic = KV5M_DATA; - data.data = (char *)pac_attrs_data.data; - data.length = pac_attrs_data.length; - - kerr = krb5_pac_add_buffer(context, new_pac, PAC_TYPE_ATTRIBUTES_INFO, &data); -- if (kerr) { -- talloc_free(tmpctx); -+ if (kerr) - goto done; -- } - - continue; - } -@@ -2470,6 +2466,8 @@ done: - if (kerr != 0 && (new_pac != *pac)) { - krb5_pac_free(context, new_pac); - } -+ if (tmpctx) -+ talloc_free(tmpctx); - krb5_free_data_contents(context, &pac_blob); - free(types); - return kerr; --- -2.43.0 - diff --git a/0048-sidgen-ignore-staged-users-when-generating-SIDs.patch b/0048-sidgen-ignore-staged-users-when-generating-SIDs.patch deleted file mode 100644 index 9621b29..0000000 --- a/0048-sidgen-ignore-staged-users-when-generating-SIDs.patch +++ /dev/null 
@@ -1,83 +0,0 @@ -From 37dfe80132d665b1fced67540457362c3ee00a7b Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 23 Jan 2024 14:47:50 +0200 -Subject: [PATCH] sidgen: ignore staged users when generating SIDs - -Staged users have - - uidNumber: -1 - gidNumber: -1 - ipaUniqueID: autogenerate - -We cannot generate ipaSecurityIdentifier based on those UID/GID numbers. -However, '-1' value will trigger an error - - find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large. - -And that, in turn, will cause stopping SID generation for all users. - -Detect 'ipaUniqueID: autogenerate' situation and ignore these entries. - -Fixes: https://pagure.io/freeipa/issue/9517 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Thierry Bordaz ---- - daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 2 ++ - .../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 12 ++++++++++++ - 2 files changed, 14 insertions(+) - -diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h -index 0feff7eec9999a76bf950b8b9fc9fa25b3a2fa88..bd46982d06b3272874f256a8b0c2293fa4829f5b 100644 ---- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h -+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h -@@ -45,6 +45,8 @@ - #define UID_NUMBER "uidnumber" - #define GID_NUMBER "gidnumber" - #define IPA_SID "ipantsecurityidentifier" -+#define IPA_UNIQUEID "ipauniqueid" -+#define IPA_UNIQUEID_AUTOGENERATE "autogenerate" - #define DOM_ATTRS_FILTER OBJECTCLASS"=ipantdomainattrs" - #define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipadomainidrange" - #define POSIX_ACCOUNT "posixaccount" -diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c -index 6f784804cd39acdf88ceceb0e21b272a04fa13fc..cb763ebf8c733e50483c23856a248eb536c796f1 100644 ---- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c -+++ 
b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c -@@ -454,6 +454,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, - uint32_t id; - char *sid = NULL; - char **objectclasses = NULL; -+ char *uniqueid = NULL; - Slapi_PBlock *mod_pb = NULL; - Slapi_Mods *smods = NULL; - int result; -@@ -479,6 +480,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, - goto done; - } - -+ uniqueid = slapi_entry_attr_get_charptr(entry, IPA_UNIQUEID); -+ if (uniqueid != NULL && -+ strncmp(IPA_UNIQUEID_AUTOGENERATE, uniqueid, -+ sizeof(IPA_UNIQUEID_AUTOGENERATE)) == 0) { -+ LOG("Staged entry [%s] does not have Posix IDs, nothing to do.\n", -+ dn_str); -+ ret = 0; -+ goto done; -+ } -+ - if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) { - LOG_FATAL("ID value too large.\n"); - ret = LDAP_CONSTRAINT_VIOLATION; -@@ -554,6 +565,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, - } - - done: -+ slapi_ch_free_string(&uniqueid); - slapi_ch_free_string(&sid); - slapi_pblock_destroy(mod_pb); - slapi_mods_free(&smods); --- -2.43.0 - diff --git a/0049-sidgen-fix-missing-prototypes.patch b/0049-sidgen-fix-missing-prototypes.patch deleted file mode 100644 index 4430148..0000000 --- a/0049-sidgen-fix-missing-prototypes.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -From a1f42f0258d9e84928a112e4c39419aad0cebb3b Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 23 Jan 2024 14:53:39 +0200 -Subject: [PATCH] sidgen: fix missing prototypes - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Thierry Bordaz ---- - daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h -index bd46982d06b3272874f256a8b0c2293fa4829f5b..aec862796a8364de84e26fbca96a270a8fb508fc 100644 ---- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h -+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h -@@ -106,3 +106,6 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry, - const char *base_dn, - const char *dom_sid, - struct range_info **ranges); -+ -+int sidgen_task_init(Slapi_PBlock *pb); -+int ipa_sidgen_init(Slapi_PBlock *pb); --- -2.43.0 - diff --git a/0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch b/0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch deleted file mode 100644 index 415ae95..0000000 --- a/0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From d09acb5869c5d0faa35b8784c1fea1c1be3f014f Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 26 Jan 2024 20:53:39 +0200 -Subject: [PATCH] kdb: PAC generator: do not fail if canonical principal is - missing - -krbCanonicalName is mandatory for services but IPA services created -before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done -to set krbCanonicalName; services created after that version were -upgraded to do have krbCanonicalName. - -Accept krbPrincipalName alone since they have no alias either */ - -Fixes: https://pagure.io/freeipa/issue/9465 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Thierry Bordaz ---- - daemons/ipa-kdb/ipa_kdb_mspac.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 2866304e1e374fb6a8dc3400dd1f56583d9d9197..16374a59468975ebaea5ce18ac6445ec577e5e6a 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -496,8 +496,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, - "krbCanonicalName", &strres); - if (ret) { -- /* krbCanonicalName is mandatory for services */ -- return ret; -+ /* krbCanonicalName is mandatory for services but IPA services -+ * created before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no -+ * normalization to set krbCanonicalName; services created after -+ * that version were upgraded to do have krbCanonicalName. -+ * -+ * Accept krbPrincipalName alone since they have no alias either */ -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -+ "krbPrincipalName", &strres); -+ if (ret) -+ return ret; - } - - ret = krb5_parse_name(ipactx->kcontext, strres, &princ); --- -2.43.0 - 
diff --git a/0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch b/0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch deleted file mode 100644 index 85ae84f..0000000 --- a/0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch +++ /dev/null 
@@ -1,65 +0,0 @@ -From 8c1f56dbab5de1c06fc424f3c58d366274d70688 Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Mon, 29 Jan 2024 22:07:43 +0530 -Subject: [PATCH] ipatests: Skip tests for ipahealtcheck tests for specific pki - version - -CADogtagCertsConfigCheck is no more available on RHEL9, hence the -respective tests are skipped. - -Check 'CADogtagCertsConfigCheck' not found in Source 'pki.server.healthcheck.meta.csconfig' - -Ref: https://issues.redhat.com/browse/RHEL-21367 - -Signed-off-by: Sudhir Menon -Reviewed-By: Florence Blanc-Renaud ---- - .../test_integration/test_ipahealthcheck.py | 23 +++++++++++++++---- - 1 file changed, 18 insertions(+), 5 deletions(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 28200e0961a23996935c7b1c2b76f2b4b127e066..7323b073273bd95d7b62d19fd5afe03edb2a21da 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -507,6 +507,11 @@ class TestIpaHealthCheck(IntegrationTest): - Testcase checks behaviour of check DogtagCertsConfigCheck in - ipahealthcheck.dogtag.ca when tomcat config file is removed - """ -+ version = tasks.get_pki_version(self.master) -+ if version >= parse_version("11.5"): -+ pytest.skip("Skipping test for 11.5 pki version, since the " -+ "check CADogtagCertsConfigCheck itself is skipped " -+ "See ipa-healthcheck ticket 317") - returncode, data = run_healthcheck( - self.master, - "ipahealthcheck.dogtag.ca", -@@ -1453,13 +1458,21 @@ class TestIpaHealthCheck(IntegrationTest): - This testcase checks that CADogtagCertsConfigCheck can handle - cert renewal, when there can be two certs with the same nickname - """ -- if (tasks.get_pki_version(self.master) < tasks.parse_version('11.4.0')): -+ if (tasks.get_pki_version( -+ self.master) < tasks.parse_version('11.4.0')): - raise pytest.skip("PKI known issue #2022561") -- self.master.run_command(['ipa-cacert-manage', 'renew', 
'--self-signed']) -+ elif (tasks.get_pki_version( -+ self.master) >= tasks.parse_version('11.5.0')): -+ raise pytest.skip("Skipping test for 11.5 pki version, since " -+ "check CADogtagCertsConfigCheck is " -+ "not present in source " -+ "pki.server.healthcheck.meta.csconfig") -+ self.master.run_command( -+ ['ipa-cacert-manage', 'renew', '--self-signed'] -+ ) - returncode, data = run_healthcheck( -- self.master, -- "pki.server.healthcheck.meta.csconfig", -- "CADogtagCertsConfigCheck", -+ self.master, "pki.server.healthcheck.meta.csconfig", -+ "CADogtagCertsConfigCheck" - ) - assert returncode == 0 - for check in data: --- -2.43.0 - diff --git a/0052-ipatests-remove-xfail-thanks-to-sssd-2.9.4.patch b/0052-ipatests-remove-xfail-thanks-to-sssd-2.9.4.patch deleted file mode 100644 index d65cf4e..0000000 --- a/0052-ipatests-remove-xfail-thanks-to-sssd-2.9.4.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From b00fd308831428400b96442290ec7bc90bde348f Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 30 Jan 2024 10:43:00 +0100 -Subject: [PATCH] ipatests: remove xfail thanks to sssd 2.9.4 - -SSSD 2.9.4 fixes some issues related to auto-private-group - -Related: https://pagure.io/freeipa/issue/9295 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipatests/test_integration/test_trust.py | 7 +++++-- - 1 file changed, 5 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 12f000c1ad1cbce2710900b0e364a501ed6b8e52..3b9f0fbd51f11ff2c97fed50f7bb61a67326b183 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -1155,7 +1155,8 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): - ): - self.mod_idrange_auto_private_group(type) - sssd_version = tasks.get_sssd_version(self.clients[0]) -- bad_version = sssd_version >= tasks.parse_version("2.8.2") -+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version -+ < tasks.parse_version("2.9.4")) - cond = (type == 'hybrid') and bad_version - with xfail_context(condition=cond, - reason="https://pagure.io/freeipa/issue/9295"): -@@ -1237,7 +1238,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust): - self.mod_idrange_auto_private_group(type) - if type == "true": - sssd_version = tasks.get_sssd_version(self.clients[0]) -- with xfail_context(sssd_version >= tasks.parse_version("2.8.2"), -+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version -+ < tasks.parse_version("2.9.4")) -+ with xfail_context(bad_version, - "https://pagure.io/freeipa/issue/9295"): - (uid, gid) = self.get_user_id(self.clients[0], posixuser) - assert uid == gid --- -2.43.0 - diff --git a/0053-ipatests-add-xfail-for-autoprivate-group-test-with-o.patch b/0053-ipatests-add-xfail-for-autoprivate-group-test-with-o.patch deleted file mode 100644 index b94ed43..0000000 
--- a/0053-ipatests-add-xfail-for-autoprivate-group-test-with-o.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From ed2a8eb0cefadfe0544074114facfef381349ae0 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 9 Feb 2024 10:42:59 +0100 -Subject: [PATCH] ipatests: add xfail for autoprivate group test with override - -Because of SSSD issue 7169, secondary groups are not -retrieved when autoprivate group is set and an idoverride -replaces the user's primary group. -Mark the known issues as xfail. - -Related: https://github.com/SSSD/sssd/issues/7169 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Anuja More ---- - ipatests/test_integration/test_trust.py | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 3b9f0fbd51f11ff2c97fed50f7bb61a67326b183..2b945140dbc477f8bcd0d3b26513000d2006fa82 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -1164,8 +1164,12 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): - assert (uid == self.uid_override and gid == self.gid_override) - test_group = self.clients[0].run_command( - ["id", nonposixuser]).stdout_text -- with xfail_context(type == "hybrid", -- 'https://github.com/SSSD/sssd/issues/5989'): -+ cond2 = ((type == 'false' -+ and sssd_version >= tasks.parse_version("2.9.4")) -+ or type == 'hybrid') -+ with xfail_context(cond2, -+ 'https://github.com/SSSD/sssd/issues/5989 ' -+ 'and 7169'): - assert "domain users@{0}".format(self.ad_domain) in test_group - - @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -@@ -1287,5 +1291,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust): - assert(uid == self.uid_override - and gid == self.gid_override) - result = self.clients[0].run_command(['id', posixuser]) -- assert "10047(testgroup@{0})".format( -- self.ad_domain) in result.stdout_text -+ sssd_version = tasks.get_sssd_version(self.clients[0]) -+ bad_version = sssd_version >= tasks.parse_version("2.9.4") -+ with 
xfail_context(bad_version and type in ('false', 'hybrid'), -+ "https://github.com/SSSD/sssd/issues/7169"): -+ assert "10047(testgroup@{0})".format( -+ self.ad_domain) in result.stdout_text --- -2.43.0 - diff --git a/0054-ipatests-fix-tasks.wait_for_replication-method.patch b/0054-ipatests-fix-tasks.wait_for_replication-method.patch deleted file mode 100644 index 663ce37..0000000 --- a/0054-ipatests-fix-tasks.wait_for_replication-method.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 7f1142504d41a821357168acd2484c7cb7c1a4c2 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 13 Feb 2024 13:30:15 +0100 -Subject: [PATCH] ipatests: fix tasks.wait_for_replication method - -With the fix for https://pagure.io/freeipa/issue/9171, the -method entry.single_value['nsds5replicaupdateinprogress'] now -returns a Boolean instead of a string "TRUE"/"FALSE". - -The method tasks.wait_for_replication needs to be fixed so that -it properly detects when replication is not done. - -Fixes: https://pagure.io/freeipa/issue/9530 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/pytest_ipa/integration/tasks.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py -index ee6dec7a1d2416b442a6ce20e41b09d84f43b5c7..418c63f2c17e4fc0a2f625bca9a02879c1a1566f 100755 ---- a/ipatests/pytest_ipa/integration/tasks.py -+++ b/ipatests/pytest_ipa/integration/tasks.py -@@ -1520,7 +1520,7 @@ def wait_for_replication(ldap, timeout=30, - statuses = [entry.single_value[status_attr] for entry in entries] - wrong_statuses = [s for s in statuses - if not re.match(target_status_re, s)] -- if any(e.single_value[progress_attr] == 'TRUE' for e in entries): -+ if any(e.single_value[progress_attr] for e in entries): - msg = 'Replication not finished' - logger.debug(msg) - elif wrong_statuses: --- -2.43.0 - 
diff --git a/0055-ipa-kdb-Rework-ipadb_reinit_mspac.patch b/0055-ipa-kdb-Rework-ipadb_reinit_mspac.patch deleted file mode 100644 index 55abf54..0000000 --- a/0055-ipa-kdb-Rework-ipadb_reinit_mspac.patch +++ /dev/null 
@@ -1,707 +0,0 @@ -From febfd9c64d748a435a9d0756d4710898a0e2aa49 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Wed, 14 Feb 2024 17:47:00 +0100 -Subject: [PATCH] ipa-kdb: Rework ipadb_reinit_mspac() - -Modify ipadb_reinit_mspac() to allocate and initialize ipactx->mspac -only if all its attributes can be set. If not, ipactx->mspac is set to -NULL. This makes easier to determine if the KDC is able to generate PACs -or not. - -Also ipadb_reinit_mspac() is now able to return a status message -explaining why initialization of the PAC generator failed. This message -is printed in KDC logs. - -Fixes: https://pagure.io/freeipa/issue/9535 - -Signed-off-by: Julien Rische -Reviewed-By: Alexander Bokovoy ---- - daemons/ipa-kdb/ipa_kdb.c | 14 +- - daemons/ipa-kdb/ipa_kdb.h | 4 +- - daemons/ipa-kdb/ipa_kdb_mspac.c | 342 +++++++++++++----------- - daemons/ipa-kdb/ipa_kdb_mspac_private.h | 2 +- - daemons/ipa-kdb/ipa_kdb_mspac_v6.c | 5 +- - daemons/ipa-kdb/ipa_kdb_mspac_v9.c | 16 +- - daemons/ipa-kdb/ipa_kdb_principals.c | 6 +- - 7 files changed, 219 insertions(+), 170 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index 4e6cacf24e27b05538db2c95ab85400bb83e3d58..903e19e83bbe383b878a3b9261dd501f96058d51 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -449,6 +449,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx) - struct timeval tv = { 5, 0 }; - LDAPMessage *res = NULL; - LDAPMessage *first; -+ const char *stmsg; - int ret; - int v3; - -@@ -528,16 +529,9 @@ int ipadb_get_connection(struct ipadb_context *ipactx) - } - - /* get adtrust options using default refresh interval */ -- ret = ipadb_reinit_mspac(ipactx, false); -- if (ret && ret != ENOENT) { -- /* TODO: log that there is an issue with adtrust settings */ -- if (ipactx->lcontext == NULL) { -- /* for some reason ldap connection was reset in ipadb_reinit_mspac -- * and is no longer established => failure of ipadb_get_connection -- */ -- goto done; 
-- } -- } -+ ret = ipadb_reinit_mspac(ipactx, false, &stmsg); -+ if (ret && stmsg) -+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg); - - ret = 0; - -diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h -index 59484d8bb69236a4ef59aeefdf9658a71c8cd520..8459ab8e0bb76c8da5c18101b0521bea86e8aecc 100644 ---- a/daemons/ipa-kdb/ipa_kdb.h -+++ b/daemons/ipa-kdb/ipa_kdb.h -@@ -371,7 +371,9 @@ krb5_error_code ipadb_v9_issue_pac(krb5_context context, unsigned int flags, - krb5_data ***auth_indicators); - #endif - --krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit); -+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, -+ bool force_reinit, -+ const char **stmsg); - - void ipadb_mspac_struct_free(struct ipadb_mspac **mspac); - krb5_error_code ipadb_check_transited_realms(krb5_context kcontext, -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 16374a59468975ebaea5ce18ac6445ec577e5e6a..b0eb3324bf4b7d8eeb7b332c39de4023784f6337 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -793,16 +793,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - return ret; - } - -+ if (!ipactx->mspac) { -+ /* can't give a PAC without server NetBIOS name or primary group RID */ -+ return ENOENT; -+ } -+ - if (info3->base.primary_gid == 0) { - if (is_host || is_service) { - info3->base.primary_gid = 515; /* Well known RID for domain computers group */ - } else { -- if (ipactx->mspac->fallback_rid) { -- info3->base.primary_gid = ipactx->mspac->fallback_rid; -- } else { -- /* can't give a pack without a primary group rid */ -- return ENOENT; -- } -+ info3->base.primary_gid = ipactx->mspac->fallback_rid; - } - } - -@@ -812,26 +812,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - /* always zero out, not used for Krb, only NTLM */ - memset(&info3->base.key, '\0', sizeof(info3->base.key)); - -- if 
(ipactx->mspac->flat_server_name) { -- info3->base.logon_server.string = -- talloc_strdup(memctx, ipactx->mspac->flat_server_name); -- if (!info3->base.logon_server.string) { -- return ENOMEM; -- } -- } else { -- /* can't give a pack without Server NetBIOS Name :-| */ -- return ENOENT; -+ info3->base.logon_server.string = -+ talloc_strdup(memctx, ipactx->mspac->flat_server_name); -+ if (!info3->base.logon_server.string) { -+ return ENOMEM; - } - -- if (ipactx->mspac->flat_domain_name) { -- info3->base.logon_domain.string = -- talloc_strdup(memctx, ipactx->mspac->flat_domain_name); -- if (!info3->base.logon_domain.string) { -- return ENOMEM; -- } -- } else { -- /* can't give a pack without Domain NetBIOS Name :-| */ -- return ENOENT; -+ info3->base.logon_domain.string = -+ talloc_strdup(memctx, ipactx->mspac->flat_domain_name); -+ if (!info3->base.logon_domain.string) { -+ return ENOMEM; - } - - if (is_host || is_service) { -@@ -1044,6 +1034,11 @@ krb5_error_code ipadb_get_pac(krb5_context kcontext, - return KRB5_KDB_DBNOTINITED; - } - -+ /* Check if PAC generator is initialized */ -+ if (!ipactx->mspac) { -+ return ENOENT; -+ } -+ - ied = (struct ipadb_e_data *)client->e_data; - if (ied->magic != IPA_E_DATA_MAGIC) { - return EINVAL; -@@ -1626,14 +1621,14 @@ static struct ipadb_adtrusts *get_domain_from_realm(krb5_context context, - { - struct ipadb_context *ipactx; - struct ipadb_adtrusts *domain; -- int i; -+ size_t i; - - ipactx = ipadb_get_context(context); - if (!ipactx) { - return NULL; - } - -- if (ipactx->mspac == NULL) { -+ if (!ipactx->mspac) { - return NULL; - } - -@@ -1655,6 +1650,7 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context, - { - struct ipadb_context *ipactx; - struct ipadb_adtrusts *domain; -+ const char *stmsg = NULL; - krb5_error_code kerr; - - ipactx = ipadb_get_context(context); -@@ -1663,8 +1659,10 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context, - } - - /* re-init MS-PAC 
info using default update interval */ -- kerr = ipadb_reinit_mspac(ipactx, false); -+ kerr = ipadb_reinit_mspac(ipactx, false, &stmsg); - if (kerr != 0) { -+ if (stmsg) -+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg); - return NULL; - } - domain = get_domain_from_realm(context, realm); -@@ -1717,6 +1715,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - struct ipadb_e_data *ied = NULL; - int flags = 0; - struct dom_sid client_sid; -+ const char *stmsg = NULL; - #ifdef KRB5_KDB_FLAG_ALIAS_OK - flags = KRB5_KDB_FLAG_ALIAS_OK; - #endif -@@ -1730,10 +1729,14 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - * check that our own view on the PAC details is up to date */ - if (ipactx->mspac->domsid.num_auths == 0) { - /* Force re-init of KDB's view on our domain */ -- kerr = ipadb_reinit_mspac(ipactx, true); -+ kerr = ipadb_reinit_mspac(ipactx, true, &stmsg); - if (kerr != 0) { -- krb5_klog_syslog(LOG_ERR, -- "PAC issue: unable to update realm's view on PAC info"); -+ if (stmsg) { -+ krb5_klog_syslog(LOG_ERR, "MS-PAC generator: %s", stmsg); -+ } else { -+ krb5_klog_syslog(LOG_ERR, "PAC issue: unable to update " \ -+ "realm's view on PAC info"); -+ } - return KRB5KDC_ERR_POLICY; - } - } -@@ -1746,7 +1749,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - if (is_s4u && (ipactx->mspac->trusts != NULL)) { - /* Iterate through list of trusts and check if this SID belongs to - * one of the domains we trust */ -- for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) { -+ for(size_t i = 0 ; i < ipactx->mspac->num_trusts ; i++) { - result = dom_sid_check(&ipactx->mspac->trusts[i].domsid, - info->info->info3.base.domain_sid, true); - if (result) { -@@ -1858,11 +1861,11 @@ krb5_error_code filter_logon_info(krb5_context context, - struct ipadb_mspac *mspac_ctx = ipactx->mspac; - result = FALSE; - /* Didn't match but perhaps the original PAC was issued by a child domain's DC? 
*/ -- for (k = 0; k < mspac_ctx->num_trusts; k++) { -- result = dom_sid_check(&mspac_ctx->trusts[k].domsid, -+ for (size_t m = 0; m < mspac_ctx->num_trusts; m++) { -+ result = dom_sid_check(&mspac_ctx->trusts[m].domsid, - info->info->info3.base.domain_sid, true); - if (result) { -- domain = &mspac_ctx->trusts[k]; -+ domain = &mspac_ctx->trusts[m]; - break; - } - } -@@ -2091,10 +2094,10 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context, - return KRB5_KDB_DBNOTINITED; - } - /* In S4U case we might be dealing with the PAC issued by the trusted domain */ -- if ((ipactx->mspac->trusts != NULL)) { -+ if (ipactx->mspac->trusts) { - /* Iterate through list of trusts and check if this SID belongs to - * one of the domains we trust */ -- for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) { -+ for(size_t i = 0 ; i < ipactx->mspac->num_trusts ; i++) { - result = dom_sid_check(&ipactx->mspac->trusts[i].domsid, - &client_sid, false); - if (result) { -@@ -2634,7 +2637,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx) - - void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) - { -- int i, j; -+ size_t i, j; - - if (!*mspac) return; - -@@ -2789,7 +2792,8 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) - LDAPDN dn = NULL; - char **sid_blocklist_incoming = NULL; - char **sid_blocklist_outgoing = NULL; -- int ret, n, i; -+ size_t i, n; -+ int ret; - - ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base); - if (ret == -1) { -@@ -2874,7 +2878,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) - - t[n].upn_suffixes_len = NULL; - if (t[n].upn_suffixes != NULL) { -- int len = 0; -+ size_t len = 0; - - for (; t[n].upn_suffixes[len] != NULL; len++); - -@@ -2989,108 +2993,114 @@ done: - return ret; - } - --krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit) -+krb5_error_code -+ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit, -+ const char **stmsg) - { - char 
*dom_attrs[] = { "ipaNTFlatName", - "ipaNTFallbackPrimaryGroup", - "ipaNTSecurityIdentifier", - NULL }; - char *grp_attrs[] = { "ipaNTSecurityIdentifier", NULL }; -- krb5_error_code kerr; - LDAPMessage *result = NULL; - LDAPMessage *lentry; -- struct dom_sid gsid; -- char *resstr; -- int ret; -+ struct dom_sid gsid, domsid; -+ char *resstr = NULL; -+ char *flat_domain_name = NULL; -+ char *flat_server_name = NULL; -+ char *fallback_group = NULL; -+ uint32_t fallback_rid; - time_t now; -+ const char *in_stmsg = NULL; -+ int err; -+ krb5_error_code trust_kerr = 0; -+ - - /* Do not update the mspac struct more than once a minute. This would - * avoid heavy load on the directory server if there are lots of requests - * from domains which we do not trust. */ - now = time(NULL); - -- if (ipactx->mspac != NULL && -- (force_reinit == false) && -- (now > ipactx->mspac->last_update) && -- (now - ipactx->mspac->last_update) < 60) { -- return 0; -- } -- -- if (ipactx->mspac && ipactx->mspac->num_trusts == 0) { -- /* Check if there is any trust configured. If not, just return -- * and do not re-initialize the MS-PAC structure. */ -- kerr = ipadb_mspac_check_trusted_domains(ipactx); -- if (kerr == KRB5_KDB_NOENTRY) { -- kerr = 0; -- goto done; -- } else if (kerr != 0) { -- goto done; -+ if (ipactx->mspac) { -+ if (!force_reinit && -+ (now > ipactx->mspac->last_update) && -+ (now - ipactx->mspac->last_update) < 60) { -+ /* SKIP */ -+ err = 0; -+ goto end; -+ } -+ -+ if (ipactx->mspac->num_trusts == 0) { -+ /* Check if there is any trust configured. If not, just return -+ * and do not re-initialize the MS-PAC structure. 
*/ -+ err = ipadb_mspac_check_trusted_domains(ipactx); -+ if (err) { -+ if (err == KRB5_KDB_NOENTRY) { -+ /* SKIP */ -+ err = 0; -+ } else { -+ in_stmsg = "Failed to fetch trusted domains information"; -+ } -+ goto end; -+ } - } - } - -- /* clean up in case we had old values around */ -- ipadb_mspac_struct_free(&ipactx->mspac); -- -- ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac)); -- if (!ipactx->mspac) { -- kerr = ENOMEM; -- goto done; -- } -- -- ipactx->mspac->last_update = now; -- -- kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE, -- "(objectclass=ipaNTDomainAttrs)", dom_attrs, -- &result); -- if (kerr == KRB5_KDB_NOENTRY) { -- return ENOENT; -- } else if (kerr != 0) { -- return EIO; -+ err = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE, -+ "(objectclass=ipaNTDomainAttrs)", dom_attrs, -+ &result); -+ if (err == KRB5_KDB_NOENTRY) { -+ err = ENOENT; -+ in_stmsg = "Local domain NT attributes not configured"; -+ goto end; -+ } else if (err) { -+ err = EIO; -+ in_stmsg = "Failed to fetch local domain NT attributes"; -+ goto end; - } - - lentry = ldap_first_entry(ipactx->lcontext, result); - if (!lentry) { -- kerr = ENOENT; -- goto done; -+ err = ENOENT; -+ in_stmsg = "Local domain NT attributes not configured"; -+ goto end; - } - -- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -- "ipaNTFlatName", -- &ipactx->mspac->flat_domain_name); -- if (ret) { -- kerr = ret; -- goto done; -+ err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "ipaNTFlatName", -+ &flat_domain_name); -+ if (err) { -+ in_stmsg = "Local domain NT flat name not configured"; -+ goto end; - } - -- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -- "ipaNTSecurityIdentifier", -- &resstr); -- if (ret) { -- kerr = ret; -- goto done; -+ err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -+ "ipaNTSecurityIdentifier", &resstr); -+ if (err) { -+ in_stmsg = "Local domain SID not configured"; -+ goto end; - } - -- ret = 
ipadb_string_to_sid(resstr, &ipactx->mspac->domsid); -- if (ret) { -- kerr = ret; -- free(resstr); -- goto done; -+ err = ipadb_string_to_sid(resstr, &domsid); -+ if (err) { -+ in_stmsg = "Malformed local domain SID"; -+ goto end; - } -+ - free(resstr); - -- free(ipactx->mspac->flat_server_name); -- ipactx->mspac->flat_server_name = get_server_netbios_name(ipactx); -- if (!ipactx->mspac->flat_server_name) { -- kerr = ENOMEM; -- goto done; -+ flat_server_name = get_server_netbios_name(ipactx); -+ if (!flat_server_name) { -+ err = ENOMEM; -+ goto end; - } - -- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -- "ipaNTFallbackPrimaryGroup", -- &ipactx->mspac->fallback_group); -- if (ret && ret != ENOENT) { -- kerr = ret; -- goto done; -+ err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -+ "ipaNTFallbackPrimaryGroup", &fallback_group); -+ if (err) { -+ in_stmsg = (err == ENOENT) -+ ? "Local fallback primary group not configured" -+ : "Failed to fetch local fallback primary group"; -+ goto end; - } - - /* result and lentry not valid any more from here on */ -@@ -3098,53 +3108,81 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_rein - result = NULL; - lentry = NULL; - -- if (ret != ENOENT) { -- kerr = ipadb_simple_search(ipactx, ipactx->mspac->fallback_group, -- LDAP_SCOPE_BASE, -- "(objectclass=posixGroup)", -- grp_attrs, &result); -- if (kerr && kerr != KRB5_KDB_NOENTRY) { -- kerr = ret; -- goto done; -- } -+ err = ipadb_simple_search(ipactx, fallback_group, LDAP_SCOPE_BASE, -+ "(objectclass=posixGroup)", grp_attrs, &result); -+ if (err) { -+ in_stmsg = (err == KRB5_KDB_NOENTRY) -+ ? 
"Local fallback primary group has no POSIX definition" -+ : "Failed to fetch SID of POSIX group mapped as local fallback " \ -+ "primary group"; -+ goto end; -+ } - -- lentry = ldap_first_entry(ipactx->lcontext, result); -- if (!lentry) { -- kerr = ENOENT; -- goto done; -- } -+ lentry = ldap_first_entry(ipactx->lcontext, result); -+ if (!lentry) { -+ err = ENOENT; -+ goto end; -+ } - -- if (kerr == 0) { -- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -- "ipaNTSecurityIdentifier", -- &resstr); -- if (ret && ret != ENOENT) { -- kerr = ret; -- goto done; -- } -- if (ret == 0) { -- ret = ipadb_string_to_sid(resstr, &gsid); -- if (ret) { -- free(resstr); -- kerr = ret; -- goto done; -- } -- ret = sid_split_rid(&gsid, &ipactx->mspac->fallback_rid); -- if (ret) { -- free(resstr); -- kerr = ret; -- goto done; -- } -- free(resstr); -- } -- } -+ err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -+ "ipaNTSecurityIdentifier", &resstr); -+ if (err) { -+ in_stmsg = (err == ENOENT) -+ ? 
"The POSIX group set as fallback primary group has no SID " \ -+ "configured" -+ : "Failed to fetch SID of POSIX group set as local fallback " \ -+ "primary group"; -+ goto end; - } - -- kerr = ipadb_mspac_get_trusted_domains(ipactx); -+ err = ipadb_string_to_sid(resstr, &gsid); -+ if (err) { -+ in_stmsg = "Malformed SID of POSIX group set as local fallback " \ -+ "primary group"; -+ goto end; -+ } - --done: -+ err = sid_split_rid(&gsid, &fallback_rid); -+ if (err) { -+ in_stmsg = "Malformed SID of POSIX group mapped as local fallback " \ -+ "primary group"; -+ goto end; -+ } -+ -+ /* clean up in case we had old values around */ -+ ipadb_mspac_struct_free(&ipactx->mspac); -+ -+ ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac)); -+ if (!ipactx->mspac) { -+ err = ENOMEM; -+ goto end; -+ } -+ -+ ipactx->mspac->last_update = now; -+ ipactx->mspac->flat_domain_name = flat_domain_name; -+ ipactx->mspac->flat_server_name = flat_server_name; -+ ipactx->mspac->domsid = domsid; -+ ipactx->mspac->fallback_group = fallback_group; -+ ipactx->mspac->fallback_rid = fallback_rid; -+ -+ trust_kerr = ipadb_mspac_get_trusted_domains(ipactx); -+ if (trust_kerr) -+ in_stmsg = "Failed to assemble trusted domains information"; -+ -+end: -+ if (stmsg) -+ *stmsg = in_stmsg; -+ -+ if (resstr) free(resstr); - ldap_msgfree(result); -- return kerr; -+ -+ if (err) { -+ if (flat_domain_name) free(flat_domain_name); -+ if (flat_server_name) free(flat_server_name); -+ if (fallback_group) free(fallback_group); -+ } -+ -+ return err ? 
(krb5_error_code)err : trust_kerr; - } - - krb5_error_code ipadb_check_transited_realms(krb5_context kcontext, -@@ -3154,11 +3192,11 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext, - { - struct ipadb_context *ipactx; - bool has_transited_contents, has_client_realm, has_server_realm; -- int i; -+ size_t i; - krb5_error_code ret; - - ipactx = ipadb_get_context(kcontext); -- if (!ipactx || !ipactx->mspac) { -+ if (!ipactx) { - return KRB5_KDB_DBNOTINITED; - } - -@@ -3220,7 +3258,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, - char **trusted_realm) - { - struct ipadb_context *ipactx; -- int i, j, length; -+ size_t i, j, length; - const char *name; - bool result = false; - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h -index 7f0ca7a7966ff159828f81283f8d067476abc594..e650cfa73c558c53b28f75de26d83132e8c4b234 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h -+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h -@@ -31,7 +31,7 @@ struct ipadb_mspac { - char *fallback_group; - uint32_t fallback_rid; - -- int num_trusts; -+ size_t num_trusts; - struct ipadb_adtrusts *trusts; - time_t last_update; - }; -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c -index faf47ad1b9b979a9acb8020eff5d663124b250ac..96cd50e4c8afe141880dd7e2e9472623cef667d8 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c -@@ -233,6 +233,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, - krb5_db_entry *client_entry = NULL; - krb5_boolean is_equal; - bool force_reinit_mspac = false; -+ const char *stmsg = NULL; - - - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); -@@ -309,7 +310,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, - force_reinit_mspac = true; - } - -- (void)ipadb_reinit_mspac(ipactx, force_reinit_mspac); -+ kerr = ipadb_reinit_mspac(ipactx, force_reinit_mspac, &stmsg); -+ if 
(kerr && stmsg) -+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg); - - kerr = ipadb_get_pac(context, flags, client, server, NULL, authtime, &pac); - if (kerr != 0 && kerr != ENOENT) { -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c -index 3badd5b088b3f017546d5df3cecbf7427fedd59d..60db048e1f328c3a31b58d2a3b17d9cac615467c 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c -@@ -46,6 +46,7 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags, - bool with_pad; - krb5_error_code kerr = 0; - bool is_as_req = flags & CLIENT_REFERRALS_FLAGS; -+ const char *stmsg = NULL; - - if (is_as_req) { - get_authz_data_types(context, client, &with_pac, &with_pad); -@@ -110,12 +111,19 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags, - force_reinit_mspac = TRUE; - } - } -- (void)ipadb_reinit_mspac(ipactx, force_reinit_mspac); - -- /* MS-PAC needs proper configuration and if it is missing, we simply skip issuing one */ -- if (ipactx->mspac->flat_server_name == NULL) { -+ /* MS-PAC generator has to be initalized */ -+ kerr = ipadb_reinit_mspac(ipactx, force_reinit_mspac, &stmsg); -+ if (kerr && stmsg) -+ krb5_klog_syslog(LOG_ERR, "MS-PAC generator: %s", stmsg); -+ -+ /* Continue even if initilization of PAC generator failed. -+ * It may caused by the trust objects part only. */ -+ -+ /* At least the core part of the PAC generator is required. 
*/ -+ if (!ipactx->mspac) - return KRB5_PLUGIN_OP_NOTSUPP; -- } -+ - kerr = ipadb_get_pac(context, flags, - client, server, replaced_reply_key, - authtime, &new_pac); -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index 139f091aa9f920af14a9ba91f4d83151e23a6a20..16a15748fb94ff31d91aa656532a7b40fa4f195a 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -1598,6 +1598,7 @@ static krb5_error_code dbget_alias(krb5_context kcontext, - -1, - }; - size_t i = 0; -+ const char *stmsg = NULL; - - /* For TGS-REQ server principal lookup, KDC asks with KRB5_KDB_FLAG_REFERRAL_OK - * and client usually asks for an KRB5_NT_PRINCIPAL type principal. */ -@@ -1685,8 +1686,11 @@ static krb5_error_code dbget_alias(krb5_context kcontext, - if (kerr == KRB5_KDB_NOENTRY) { - /* If no trusted realm found, refresh trusted domain data and try again - * because it might be a freshly added trust to AD */ -- kerr = ipadb_reinit_mspac(ipactx, false); -+ kerr = ipadb_reinit_mspac(ipactx, false, &stmsg); - if (kerr != 0) { -+ if (stmsg) -+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", -+ stmsg); - kerr = KRB5_KDB_NOENTRY; - goto done; - } --- -2.43.0 - diff --git a/0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch b/0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch deleted file mode 100644 index 992df1f..0000000 --- a/0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch +++ /dev/null 
@@ -1,126 +0,0 @@ -From b1390d1ad7e94256148a6b26431ff1e97fb8b7b3 Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Fri, 27 May 2022 17:31:40 +0200 -Subject: [PATCH] Vault: add support for RSA-OAEP wrapping algo - -None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS -approved mechanism. This commit adds support for RSA-OAEP padding as a -fallback. - -Fixes: https://pagure.io/freeipa/issue/9191 - -Signed-off-by: Francisco Trivino -Reviewed-By: Rob Crittenden ---- - ipaclient/plugins/vault.py | 57 ++++++++++++++++++++++++++++++-------- - 1 file changed, 45 insertions(+), 12 deletions(-) - -diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py -index bdd988ad186c1d773b454608e63c585c332af22a..a29bd6e5f437d9d07f2d995d7bc884e7f2419c27 100644 ---- a/ipaclient/plugins/vault.py -+++ b/ipaclient/plugins/vault.py -@@ -119,8 +119,8 @@ def encrypt(data, symmetric_key=None, public_key=None): - return public_key_obj.encrypt( - data, - padding.OAEP( -- mgf=padding.MGF1(algorithm=hashes.SHA1()), -- algorithm=hashes.SHA1(), -+ mgf=padding.MGF1(algorithm=hashes.SHA256()), -+ algorithm=hashes.SHA256(), - label=None - ) - ) -@@ -154,8 +154,8 @@ def decrypt(data, symmetric_key=None, private_key=None): - return private_key_obj.decrypt( - data, - padding.OAEP( -- mgf=padding.MGF1(algorithm=hashes.SHA1()), -- algorithm=hashes.SHA1(), -+ mgf=padding.MGF1(algorithm=hashes.SHA256()), -+ algorithm=hashes.SHA256(), - label=None - ) - ) -@@ -703,14 +703,39 @@ class ModVaultData(Local): - return transport_cert, wrapping_algo - - def _do_internal(self, algo, transport_cert, raise_unexpected, -- *args, **options): -+ use_oaep=False, *args, **options): - public_key = transport_cert.public_key() - - # wrap session key with transport certificate -- wrapped_session_key = public_key.encrypt( -- algo.key, -- padding.PKCS1v15() -- ) -+ # KRA may be configured using either the default PKCS1v15 or RSA-OAEP. 
-+ # there is no way to query this info using the REST interface. -+ if not use_oaep: -+ # PKCS1v15() causes an OpenSSL exception when FIPS is enabled -+ # if so, we fallback to RSA-OAEP -+ try: -+ wrapped_session_key = public_key.encrypt( -+ algo.key, -+ padding.PKCS1v15() -+ ) -+ except ValueError: -+ wrapped_session_key = public_key.encrypt( -+ algo.key, -+ padding.OAEP( -+ mgf=padding.MGF1(algorithm=hashes.SHA256()), -+ algorithm=hashes.SHA256(), -+ label=None -+ ) -+ ) -+ else: -+ wrapped_session_key = public_key.encrypt( -+ algo.key, -+ padding.OAEP( -+ mgf=padding.MGF1(algorithm=hashes.SHA256()), -+ algorithm=hashes.SHA256(), -+ label=None -+ ) -+ ) -+ - options['session_key'] = wrapped_session_key - - name = self.name + '_internal' -@@ -721,7 +746,7 @@ class ModVaultData(Local): - errors.ExecutionError, - errors.GenericError): - _kra_config_cache.remove(self.api.env.domain) -- if raise_unexpected: -+ if raise_unexpected and use_oaep: - raise - return None - -@@ -731,15 +756,23 @@ class ModVaultData(Local): - """ - # try call with cached transport certificate - result = self._do_internal(algo, transport_cert, False, -- *args, **options) -+ False, *args, **options) - if result is not None: - return result - - # retrieve transport certificate (cached by vaultconfig_show) - transport_cert = self._get_vaultconfig(force_refresh=True)[0] -+ - # call with the retrieved transport certificate -+ result = self._do_internal(algo, transport_cert, True, -+ False, *args, **options) -+ -+ if result is not None: -+ return result -+ -+ # call and use_oaep this time, last attempt - return self._do_internal(algo, transport_cert, True, -- *args, **options) -+ True, *args, **options) - - - @register(no_fail=True) --- -2.43.0 - diff --git a/0057-Vault-improve-vault-server-archival-retrieval-calls-.patch b/0057-Vault-improve-vault-server-archival-retrieval-calls-.patch deleted file mode 100644 index a5bd8af..0000000 
--- a/0057-Vault-improve-vault-server-archival-retrieval-calls-.patch
+++ /dev/null
@@ -1,87 +0,0 @@ -From c6f79e0453c9d417173ca7ecfbd5e233c6a89a9f Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Fri, 19 Jan 2024 18:15:28 +0100 -Subject: [PATCH] Vault: improve vault server archival/retrieval calls error - handling - -If a vault operation fails, the error message just says "InternalError". This commit -improves error handling of key archival and retrieval calls by catching the PKIException -error and raising it as an IPA error. - -Related: https://pagure.io/freeipa/issue/9191 - -Signed-off-by: Francisco Trivino -Reviewed-By: Rob Crittenden ---- - ipaserver/plugins/vault.py | 40 +++++++++++++++++++++++++------------- - 1 file changed, 26 insertions(+), 14 deletions(-) - -diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py -index a47cf7bd306154b24fd6dc0223718faf55440489..0bcc2a1ce4bb5f61b3a69fd0cc8d2b4516e20b63 100644 ---- a/ipaserver/plugins/vault.py -+++ b/ipaserver/plugins/vault.py -@@ -45,6 +45,7 @@ if api.env.in_server: - import pki.key - from pki.crypto import DES_EDE3_CBC_OID - from pki.crypto import AES_128_CBC_OID -+ from pki import PKIException - - if six.PY3: - unicode = str -@@ -1096,16 +1097,21 @@ class vault_archive_internal(PKQuery): - pki.key.KeyClient.KEY_STATUS_INACTIVE) - - # forward wrapped data to KRA -- kra_client.keys.archive_encrypted_data( -- client_key_id, -- pki.key.KeyClient.PASS_PHRASE_TYPE, -- wrapped_vault_data, -- wrapped_session_key, -- algorithm_oid=algorithm_oid, -- nonce_iv=nonce, -- ) -- -- kra_account.logout() -+ try: -+ kra_client.keys.archive_encrypted_data( -+ client_key_id, -+ pki.key.KeyClient.PASS_PHRASE_TYPE, -+ wrapped_vault_data, -+ wrapped_session_key, -+ algorithm_oid=algorithm_oid, -+ nonce_iv=nonce, -+ ) -+ except PKIException as e: -+ kra_account.logout() -+ raise errors.EncodingError( -+ message=_("Unable to archive key: %s") % e) -+ finally: -+ kra_account.logout() - - response = { - 'value': args[-1], -@@ -1176,11 +1182,17 @@ class vault_retrieve_internal(PKQuery): - 
kra_client.keys.encrypt_alg_oid = algorithm_oid - - # retrieve encrypted data from KRA -- key = kra_client.keys.retrieve_key( -- key_info.get_key_id(), -- wrapped_session_key) -+ try: - -- kra_account.logout() -+ key = kra_client.keys.retrieve_key( -+ key_info.get_key_id(), -+ wrapped_session_key) -+ except PKIException as e: -+ kra_account.logout() -+ raise errors.EncodingError( -+ message=_("Unable to retrieve key: %s") % e) -+ finally: -+ kra_account.logout() - - response = { - 'value': args[-1], --- -2.43.0 - diff --git a/0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch b/0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch deleted file mode 100644 index 85515f8..0000000 --- a/0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 601de6985ce0efdd701bfd8361cea72c4b87f39b Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Fri, 19 Jan 2024 17:12:07 +0100 -Subject: [PATCH] kra: set RSA-OAEP as default wrapping algo when FIPS is - enabled - -Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved -FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS -is enabled. It also handles upgrade path. - -Fixes: https://pagure.io/freeipa/issue/9191 - -Signed-off-by: Francisco Trivino -Reviewed-By: Rob Crittenden ---- - install/share/ipaca_default.ini | 3 +++ - ipaserver/install/dogtaginstance.py | 4 +++- - ipaserver/install/krainstance.py | 12 ++++++++++++ - ipaserver/install/server/upgrade.py | 12 ++++++++++++ - 4 files changed, 30 insertions(+), 1 deletion(-) - -diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini -index 62e0729d1b6332fce142cd1d85ccc461539d06ae..44cda15920176c9eebb9a3d16f089210ff17dcdd 100644 ---- a/install/share/ipaca_default.ini -+++ b/install/share/ipaca_default.ini -@@ -166,3 +166,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s - # We will use the dbuser created for the CA. 
- pki_share_db=True - pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca -+ -+# KRA padding, set RSA-OAEP in FIPS mode -+pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s -\ No newline at end of file -diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py -index 7fdf2e0ed0f3ed99a6672f527d38dda0ce5ef8bb..e0aa129ad3b0114afc4d1eae7f1ed76bb41276ae 100644 ---- a/ipaserver/install/dogtaginstance.py -+++ b/ipaserver/install/dogtaginstance.py -@@ -1020,7 +1020,9 @@ class PKIIniLoader: - # for softhsm2 testing - softhsm2_so=paths.LIBSOFTHSM2_SO, - # Configure a more secure AJP password by default -- ipa_ajp_secret=ipautil.ipa_generate_password(special=None) -+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None), -+ # in FIPS mode use RSA-OAEP wrapping padding algo as default -+ fips_use_oaep_rsa_keywrap=tasks.is_fips_enabled() - ) - - @classmethod -diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py -index d0636a56c3d2c09a5c83c08cc1fc12768212ac3e..0fd148697dadd59ad87eb401528761010a1555de 100644 ---- a/ipaserver/install/krainstance.py -+++ b/ipaserver/install/krainstance.py -@@ -284,6 +284,18 @@ class KRAInstance(DogtagInstance): - - # A restart is required - -+ def enable_oaep_wrap_algo(self): -+ """ -+ Enable KRA OAEP key wrap algorithm -+ """ -+ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): -+ directivesetter.set_directive( -+ self.config, -+ 'keyWrap.useOAEP', -+ 'true', quotes=False, separator='=') -+ -+ # A restart is required -+ - def update_cert_config(self, nickname, cert): - """ - When renewing a KRA subsystem certificate the configuration file -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index f42faea049c720c931ce7ea865e3c35acbc08b5d..31d4f8398cfb0251cc59ada909eb55635b83e960 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -1794,6 +1794,18 @@ def upgrade_configuration(): - else: - 
logger.info('ephemeralRequest is already enabled') - -+ if tasks.is_fips_enabled(): -+ logger.info('[Ensuring KRA OAEP wrap algo is enabled in FIPS]') -+ value = directivesetter.get_directive( -+ paths.KRA_CS_CFG_PATH, -+ 'keyWrap.useOAEP', -+ separator='=') -+ if value is None or value.lower() != 'true': -+ logger.info('Use the OAEP key wrap algo') -+ kra.enable_oaep_wrap_algo() -+ else: -+ logger.info('OAEP key wrap algo is already enabled') -+ - # several upgrade steps require running CA. If CA is configured, - # always run ca.start() because we need to wait until CA is really ready - # by checking status using http --- -2.43.0 - diff --git a/0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch b/0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch deleted file mode 100644 index 91131ed..0000000 --- a/0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch +++ /dev/null @@ -1,28 +0,0 @@ -From ac44c3d0a69aa2b3f8230c3ab13dca5ab5a78dd0 Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Tue, 20 Feb 2024 15:14:24 +0100 -Subject: [PATCH] ipa-kdb: Fix double free in ipadb_reinit_mspac() - -Fixes: https://pagure.io/freeipa/issue/9535 - -Signed-off-by: Julien Rische -Reviewed-By: Florence Blanc-Renaud ---- - daemons/ipa-kdb/ipa_kdb_mspac.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index b0eb3324bf4b7d8eeb7b332c39de4023784f6337..9723103d8a77294ed7457d9b48bfc0d98b9ccef1 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -3087,6 +3087,7 @@ ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit, - } - - free(resstr); -+ resstr = NULL; - - flat_server_name = get_server_netbios_name(ipactx); - if (!flat_server_name) { --- -2.43.0 - diff --git a/0060-rpcserver-validate-Kerberos-principal-name-before-ru.patch b/0060-rpcserver-validate-Kerberos-principal-name-before-ru.patch deleted file mode 100644 index 32c913b..0000000 
--- a/0060-rpcserver-validate-Kerberos-principal-name-before-ru.patch +++ /dev/null 
@@ -1,233 +0,0 @@ -From 8b598814d1e51466ebbe3e0a392af92370d0c93b Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 7 Feb 2024 13:09:54 +0200 -Subject: [PATCH] rpcserver: validate Kerberos principal name before running - kinit - -Do minimal validation of the Kerberos principal name when passing it to -kinit command line tool. Also pass it as the final argument to prevent -option injection. - -Accepted Kerberos principals are: - - user names, using the following regexp - (username with optional @realm, no spaces or slashes in the name): - "(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$" - - - service names (with slash in the name but no spaces). Validation of - the hostname is done. There is no validation of the service name. - -The regular expression above also covers cases where a principal name -starts with '-'. This prevents option injection as well. - -This fixes CVE-2024-1481 - -Fixes: https://pagure.io/freeipa/issue/9541 - -Signed-off-by: Alexander Bokovoy -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Florence Blanc-Renaud ---- - ipalib/install/kinit.py | 47 ++++++++++++++++++- - ipaserver/rpcserver.py | 9 ++-- - ipatests/setup.py | 1 + - ipatests/test_ipalib_install/__init__.py | 0 - ipatests/test_ipalib_install/test_kinit.py | 29 ++++++++++++ - 5 files changed, 80 insertions(+), 6 deletions(-) - create mode 100644 ipatests/test_ipalib_install/__init__.py - create mode 100644 ipatests/test_ipalib_install/test_kinit.py - -diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py -index cc839ec38d1dbcb1cf3b0334592d04baf0dba23b..4ad4eaa1c30f2fb0ab02be411917e304eb527d32 100644 ---- a/ipalib/install/kinit.py -+++ b/ipalib/install/kinit.py -@@ -6,12 +6,16 @@ from __future__ import absolute_import - - import logging - import os -+import re - import time - - import gssapi - - from ipaplatform.paths import paths - from ipapython.ipautil import run -+from ipalib.constants import 
PATTERN_GROUPUSER_NAME -+from ipalib.util import validate_hostname -+from ipalib import api - - logger = logging.getLogger(__name__) - -@@ -21,6 +25,40 @@ KRB5_KDC_UNREACH = 2529639068 - # A service is not available that s required to process the request - KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941 - -+PATTERN_REALM = '@?([a-zA-Z0-9.-]*)$' -+PATTERN_PRINCIPAL = '(' + PATTERN_GROUPUSER_NAME[:-1] + ')' + PATTERN_REALM -+PATTERN_SERVICE = '([a-zA-Z0-9.-]+)/([a-zA-Z0-9.-]+)' + PATTERN_REALM -+ -+user_pattern = re.compile(PATTERN_PRINCIPAL) -+service_pattern = re.compile(PATTERN_SERVICE) -+ -+ -+def validate_principal(principal): -+ if not isinstance(principal, str): -+ raise RuntimeError('Invalid principal: not a string') -+ if ('/' in principal) and (' ' in principal): -+ raise RuntimeError('Invalid principal: bad spacing') -+ else: -+ realm = None -+ match = user_pattern.match(principal) -+ if match is None: -+ match = service_pattern.match(principal) -+ if match is None: -+ raise RuntimeError('Invalid principal: cannot parse') -+ else: -+ # service = match[1] -+ hostname = match[2] -+ realm = match[3] -+ try: -+ validate_hostname(hostname) -+ except ValueError as e: -+ raise RuntimeError(str(e)) -+ else: # user match, validate realm -+ # username = match[1] -+ realm = match[2] -+ if realm and 'realm' in api.env and realm != api.env.realm: -+ raise RuntimeError('Invalid principal: realm mismatch') -+ - - def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): - """ -@@ -29,6 +67,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): - The optional parameter 'attempts' specifies how many times the credential - initialization should be attempted in case of non-responsive KDC. 
- """ -+ validate_principal(principal) - errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE, - KRB5_KDC_UNREACH} - logger.debug("Initializing principal %s using keytab %s", -@@ -65,6 +104,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): - - return None - -+ - def kinit_password(principal, password, ccache_name, config=None, - armor_ccache_name=None, canonicalize=False, - enterprise=False, lifetime=None): -@@ -73,8 +113,9 @@ def kinit_password(principal, password, ccache_name, config=None, - web-based authentication, use armor_ccache_path to specify http service - ccache. - """ -+ validate_principal(principal) - logger.debug("Initializing principal %s using password", principal) -- args = [paths.KINIT, principal, '-c', ccache_name] -+ args = [paths.KINIT, '-c', ccache_name] - if armor_ccache_name is not None: - logger.debug("Using armor ccache %s for FAST webauth", - armor_ccache_name) -@@ -91,6 +132,7 @@ def kinit_password(principal, password, ccache_name, config=None, - logger.debug("Using enterprise principal") - args.append('-E') - -+ args.extend(['--', principal]) - env = {'LC_ALL': 'C'} - if config is not None: - env['KRB5_CONFIG'] = config -@@ -154,6 +196,7 @@ def kinit_pkinit( - - :raises: CalledProcessError if PKINIT fails - """ -+ validate_principal(principal) - logger.debug( - "Initializing principal %s using PKINIT %s", principal, user_identity - ) -@@ -168,7 +211,7 @@ def kinit_pkinit( - assert pkinit_anchor.startswith(("FILE:", "DIR:", "ENV:")) - args.extend(["-X", f"X509_anchors={pkinit_anchor}"]) - args.extend(["-X", f"X509_user_identity={user_identity}"]) -- args.append(principal) -+ args.extend(['--', principal]) - - # this workaround enables us to capture stderr and put it - # into the raised exception in case of unsuccessful authentication -diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py -index 198fc9e7dbae281f797dcccf96d21d475ff31e8c..4f65b7e057c3d184ffadd4f28872ec3cceb73077 100644 ---- 
a/ipaserver/rpcserver.py -+++ b/ipaserver/rpcserver.py -@@ -1135,10 +1135,6 @@ class login_password(Backend, KerberosSession): - canonicalize=True, - lifetime=self.api.env.kinit_lifetime) - -- if armor_path: -- logger.debug('Cleanup the armor ccache') -- ipautil.run([paths.KDESTROY, '-A', '-c', armor_path], -- env={'KRB5CCNAME': armor_path}, raiseonerr=False) - except RuntimeError as e: - if ('kinit: Cannot read password while ' - 'getting initial credentials') in str(e): -@@ -1156,6 +1152,11 @@ class login_password(Backend, KerberosSession): - raise KrbPrincipalWrongFAST(principal=principal) - raise InvalidSessionPassword(principal=principal, - message=unicode(e)) -+ finally: -+ if armor_path: -+ logger.debug('Cleanup the armor ccache') -+ ipautil.run([paths.KDESTROY, '-A', '-c', armor_path], -+ env={'KRB5CCNAME': armor_path}, raiseonerr=False) - - - class change_password(Backend, HTTP_Status): -diff --git a/ipatests/setup.py b/ipatests/setup.py -index 6217a1ba5d82ba7fa79cc4c073270abe307cd2ed..0aec4a70dbd75d416e4288e1204130daf46bda94 100644 ---- a/ipatests/setup.py -+++ b/ipatests/setup.py -@@ -41,6 +41,7 @@ if __name__ == '__main__': - "ipatests.test_integration", - "ipatests.test_ipaclient", - "ipatests.test_ipalib", -+ "ipatests.test_ipalib_install", - "ipatests.test_ipaplatform", - "ipatests.test_ipapython", - "ipatests.test_ipaserver", -diff --git a/ipatests/test_ipalib_install/__init__.py b/ipatests/test_ipalib_install/__init__.py -new file mode 100644 -index 0000000000000000000000000000000000000000..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 -diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py -new file mode 100644 -index 0000000000000000000000000000000000000000..f89ea17d7874c28bad2524ebf456d2caeafddd1f ---- /dev/null -+++ b/ipatests/test_ipalib_install/test_kinit.py -@@ -0,0 +1,29 @@ -+# -+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license -+# -+"""Tests for ipalib.install.kinit module -+""" -+ 
-+import pytest -+ -+from ipalib.install.kinit import validate_principal -+ -+ -+# None means no exception is expected -+@pytest.mark.parametrize('principal, exception', [ -+ ('testuser', None), -+ ('testuser@EXAMPLE.TEST', None), -+ ('test/ipa.example.test', None), -+ ('test/ipa.example.test@EXAMPLE.TEST', None), -+ ('test/ipa@EXAMPLE.TEST', RuntimeError), -+ ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError), -+ ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError), -+ ('test /ipa.example,test', RuntimeError), -+ ('testuser@OTHER.TEST', RuntimeError), -+ ('test/ipa.example.test@OTHER.TEST', RuntimeError), -+]) -+def test_validate_principal(principal, exception): -+ try: -+ validate_principal(principal) -+ except Exception as e: -+ assert e.__class__ == exception --- -2.44.0 - diff --git a/0061-validate_principal-Don-t-try-to-verify-that-the-real.patch b/0061-validate_principal-Don-t-try-to-verify-that-the-real.patch deleted file mode 100644 index 1eb82f1..0000000 --- a/0061-validate_principal-Don-t-try-to-verify-that-the-real.patch +++ /dev/null 
@@ -1,89 +0,0 @@ -From 5781369e78fd83cee64a4d306198423c7a126ba0 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 22 Feb 2024 08:29:31 -0500 -Subject: [PATCH] validate_principal: Don't try to verify that the realm is - known - -The actual value is less important than whether it matches the -regular expression. A number of legal but difficult to know in -context realms could be passed in here (trust for example). - -This fixes CVE-2024-1481 - -Fixes: https://pagure.io/freeipa/issue/9541 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipalib/install/kinit.py | 12 ++++-------- - ipatests/test_ipalib_install/test_kinit.py | 9 ++++++--- - 2 files changed, 10 insertions(+), 11 deletions(-) - -diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py -index 4ad4eaa1c30f2fb0ab02be411917e304eb527d32..d5fb56bf041c6f61515fc3ce4cc1ca1cfbcdbab7 100644 ---- a/ipalib/install/kinit.py -+++ b/ipalib/install/kinit.py -@@ -15,7 +15,6 @@ from ipaplatform.paths import paths - from ipapython.ipautil import run - from ipalib.constants import PATTERN_GROUPUSER_NAME - from ipalib.util import validate_hostname --from ipalib import api - - logger = logging.getLogger(__name__) - -@@ -39,7 +38,9 @@ def validate_principal(principal): - if ('/' in principal) and (' ' in principal): - raise RuntimeError('Invalid principal: bad spacing') - else: -- realm = None -+ # For a user match in the regex -+ # username = match[1] -+ # realm = match[2] - match = user_pattern.match(principal) - if match is None: - match = service_pattern.match(principal) -@@ -48,16 +49,11 @@ def validate_principal(principal): - else: - # service = match[1] - hostname = match[2] -- realm = match[3] -+ # realm = match[3] - try: - validate_hostname(hostname) - except ValueError as e: - raise RuntimeError(str(e)) -- else: # user match, validate realm -- # username = match[1] -- realm = match[2] -- if realm and 'realm' in api.env and realm != api.env.realm: -- raise RuntimeError('Invalid 
principal: realm mismatch') - - - def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): -diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py -index f89ea17d7874c28bad2524ebf456d2caeafddd1f..8289c4b75c9de3b17748a6abffe0538d08f2698f 100644 ---- a/ipatests/test_ipalib_install/test_kinit.py -+++ b/ipatests/test_ipalib_install/test_kinit.py -@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal - ('test/ipa.example.test@EXAMPLE.TEST', None), - ('test/ipa@EXAMPLE.TEST', RuntimeError), - ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError), -- ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError), -+ ('test/ipa.1example.test@EXAMPLE.TEST', None), - ('test /ipa.example,test', RuntimeError), -- ('testuser@OTHER.TEST', RuntimeError), -- ('test/ipa.example.test@OTHER.TEST', RuntimeError), -+ ('testuser@OTHER.TEST', None), -+ ('test/ipa.example.test@OTHER.TEST', None) - ]) - def test_validate_principal(principal, exception): - try: - validate_principal(principal) - except Exception as e: - assert e.__class__ == exception -+ else: -+ if exception is not None: -+ raise RuntimeError('Test should have failed') --- -2.44.0 - diff --git a/0062-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-a.patch b/0062-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-a.patch deleted file mode 100644 index 5e424d0..0000000 --- a/0062-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-a.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From ca561f72d05b937e727db76c42d807ba07661494 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 1 Mar 2024 15:12:33 -0500 -Subject: [PATCH] Vault: add additional fallback to RSA-OAEP wrapping algo - -There is a fallback when creating the wrapping key but one was missing -when trying to use the cached transport_cert. - -This allows, along with forcing keyWrap.useOAEP=true, vault creation -on an nCipher HSM. - -This can be seen in HSMs where the device doesn't support the -PKCS#1 v1.5 mechanism. It will error out with either "invalid -algorithm" or CKR_FUNCTION_FAILED. - -Related: https://pagure.io/freeipa/issue/9191 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaclient/plugins/vault.py | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py -index a29bd6e5f437d9d07f2d995d7bc884e7f2419c27..96edf09a2060e7b39e1e96c6fa65ae095ec18e73 100644 ---- a/ipaclient/plugins/vault.py -+++ b/ipaclient/plugins/vault.py -@@ -755,8 +755,12 @@ class ModVaultData(Local): - Calls the internal counterpart of the command. - """ - # try call with cached transport certificate -- result = self._do_internal(algo, transport_cert, False, -- False, *args, **options) -+ try: -+ result = self._do_internal(algo, transport_cert, False, -+ False, *args, **options) -+ except errors.EncodingError: -+ result = self._do_internal(algo, transport_cert, False, -+ True, *args, **options) - if result is not None: - return result - --- -2.44.0 - diff --git a/0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch b/0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch deleted file mode 100644 index 98c8778..0000000 --- a/0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch +++ /dev/null 
@@ -1,294 +0,0 @@ -From 82eca6c0a994c4db8f85ea0d5c012cd4d80edefe Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 30 Jan 2024 11:17:27 +0200 -Subject: [PATCH] ipa-pwd-extop: allow enforcing 2FA-only over LDAP bind - -When authentication indicators were introduced in 2016, ipa-pwd-extop -plugin gained ability to reject LDAP BIND when an LDAP client insists -the authentication must use an OTP token. This is used by ipa-otpd to -ensure Kerberos authentication using OTP method is done with at least -two factors (the token and the password). - -This enfrocement is only possible when an LDAP client sends the LDAP -control. There are cases when LDAP clients cannot be configured to send -a custom LDAP control during BIND operation. For these clients an LDAP -BIND against an account that only has password and no valid token would -succeed even if admins intend it to fail. - -Ability to do LDAP BIND without a token was added to allow users to add -their own OTP tokens securely. If administrators require full -enforcement over LDAP BIND, it is cannot be achieved with LDAP without -sending the LDAP control to do so. - -Add IPA configuration string, EnforceLDAPOTP, to allow administrators to -prevent LDAP BIND with a password only if user is required to have OTP -tokens. With this configuration enabled, it will be not possible for -users to add OTP token if one is missing, thus ensuring no user can -authenticate without OTP and admins will have to add initial OTP tokens -to users explicitly. 
- -Fixes: https://pagure.io/freeipa/issue/5169 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - API.txt | 2 +- - .../ipa-slapi-plugins/ipa-pwd-extop/common.c | 47 +++++++++++++------ - .../ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 2 + - .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 14 ++++++ - doc/api/config_mod.md | 2 +- - ipaserver/plugins/config.py | 3 +- - ipatests/test_integration/test_otp.py | 46 ++++++++++++++++++ - 7 files changed, 98 insertions(+), 18 deletions(-) - -diff --git a/API.txt b/API.txt -index 7d91077fc340ababee5c9a4b8a695290728b9135..5ed1f5327d9154bf2b301a781b723213c7677ed9 100644 ---- a/API.txt -+++ b/API.txt -@@ -1082,7 +1082,7 @@ option: Flag('all', autofill=True, cli_name='all', default=False) - option: Str('ca_renewal_master_server?', autofill=False) - option: Str('delattr*', cli_name='delattr') - option: Flag('enable_sid?', autofill=True, default=False) --option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs']) -+option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs', u'EnforceLDAPOTP']) - option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain') - option: Str('ipadefaultloginshell?', autofill=False, cli_name='defaultshell') - option: Str('ipadefaultprimarygroup?', autofill=False, cli_name='defaultgroup') -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c -index d30764bb2a05c7ca4a33ea114a2dc19af39e216f..1355f20d3ab990c81b5b41875d659a9bc9f97085 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c -@@ -83,6 +83,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) - char *tmpstr; 
- int ret; - size_t i; -+ bool fips_enabled = false; - - config = calloc(1, sizeof(struct ipapwd_krbcfg)); - if (!config) { -@@ -241,28 +242,35 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void) - config->allow_nt_hash = false; - if (ipapwd_fips_enabled()) { - LOG("FIPS mode is enabled, NT hashes are not allowed.\n"); -+ fips_enabled = true; -+ } -+ -+ sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn); -+ ret = ipapwd_getEntry(sdn, &config_entry, NULL); -+ slapi_sdn_free(&sdn); -+ if (ret != LDAP_SUCCESS) { -+ LOG_FATAL("No config Entry?\n"); -+ goto free_and_error; - } else { -- sdn = slapi_sdn_new_dn_byval(ipa_etc_config_dn); -- ret = ipapwd_getEntry(sdn, &config_entry, NULL); -- slapi_sdn_free(&sdn); -- if (ret != LDAP_SUCCESS) { -- LOG_FATAL("No config Entry?\n"); -- goto free_and_error; -- } else { -- tmparray = slapi_entry_attr_get_charray(config_entry, -- "ipaConfigString"); -- for (i = 0; tmparray && tmparray[i]; i++) { -+ tmparray = slapi_entry_attr_get_charray(config_entry, -+ "ipaConfigString"); -+ for (i = 0; tmparray && tmparray[i]; i++) { -+ if (strcasecmp(tmparray[i], "EnforceLDAPOTP") == 0) { -+ config->enforce_ldap_otp = true; -+ continue; -+ } -+ if (!fips_enabled) { - if (strcasecmp(tmparray[i], "AllowNThash") == 0) { - config->allow_nt_hash = true; - continue; - } - } -- if (tmparray) slapi_ch_array_free(tmparray); - } -- -- slapi_entry_free(config_entry); -+ if (tmparray) slapi_ch_array_free(tmparray); - } - -+ slapi_entry_free(config_entry); -+ - return config; - - free_and_error: -@@ -571,6 +579,13 @@ int ipapwd_gen_checks(Slapi_PBlock *pb, char **errMesg, - rc = LDAP_OPERATIONS_ERROR; - } - -+ /* do not return the master key if asked */ -+ if (check_flags & IPAPWD_CHECK_ONLY_CONFIG) { -+ free((*config)->kmkey->contents); -+ free((*config)->kmkey); -+ (*config)->kmkey = NULL; -+ } -+ - done: - return rc; - } -@@ -1103,8 +1118,10 @@ void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg) - - krb5_free_default_realm(c->krbctx, c->realm); - 
krb5_free_context(c->krbctx); -- free(c->kmkey->contents); -- free(c->kmkey); -+ if (c->kmkey) { -+ free(c->kmkey->contents); -+ free(c->kmkey); -+ } - free(c->supp_encsalts); - free(c->pref_encsalts); - slapi_ch_array_free(c->passsync_mgrs); -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h -index 79606a8c795d166590c4655f9021aa414c3684d9..97697000674d8fbbe3a924af63261482db173852 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h -@@ -70,6 +70,7 @@ - - #define IPAPWD_CHECK_CONN_SECURE 0x00000001 - #define IPAPWD_CHECK_DN 0x00000002 -+#define IPAPWD_CHECK_ONLY_CONFIG 0x00000004 - - #define IPA_CHANGETYPE_NORMAL 0 - #define IPA_CHANGETYPE_ADMIN 1 -@@ -109,6 +110,7 @@ struct ipapwd_krbcfg { - char **passsync_mgrs; - int num_passsync_mgrs; - bool allow_nt_hash; -+ bool enforce_ldap_otp; - }; - - int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e, -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -index 6898e6596e1cbbb2cc69ba592401619ce86899d8..69023515018d522651bccb984ddd8e9174c22f59 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -@@ -1431,6 +1431,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - "krbPasswordExpiration", "krblastpwchange", - NULL - }; -+ struct ipapwd_krbcfg *krbcfg = NULL; - struct berval *credentials = NULL; - Slapi_Entry *entry = NULL; - Slapi_DN *target_sdn = NULL; -@@ -1505,6 +1506,18 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - /* Try to do OTP first. 
*/ - syncreq = otpctrl_present(pb, OTP_SYNC_REQUEST_OID); - otpreq = otpctrl_present(pb, OTP_REQUIRED_OID); -+ if (!syncreq && !otpreq) { -+ ret = ipapwd_gen_checks(pb, &errMesg, &krbcfg, IPAPWD_CHECK_ONLY_CONFIG); -+ if (ret != 0) { -+ LOG_FATAL("ipapwd_gen_checks failed!?\n"); -+ slapi_entry_free(entry); -+ slapi_sdn_free(&sdn); -+ return 0; -+ } -+ if (krbcfg->enforce_ldap_otp) { -+ otpreq = true; -+ } -+ } - if (!syncreq && !ipapwd_pre_bind_otp(dn, entry, credentials, otpreq)) - goto invalid_creds; - -@@ -1543,6 +1556,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - return 0; - - invalid_creds: -+ free_ipapwd_krbcfg(&krbcfg); - slapi_entry_free(entry); - slapi_sdn_free(&sdn); - slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL); -diff --git a/doc/api/config_mod.md b/doc/api/config_mod.md -index c479a034416068c72c0d70deabb149acf8002e44..b3203c350605af5a386544c858a9a5f7f724342f 100644 ---- a/doc/api/config_mod.md -+++ b/doc/api/config_mod.md -@@ -27,7 +27,7 @@ No arguments. - * ipauserobjectclasses : :ref:`Str` - * ipapwdexpadvnotify : :ref:`Int` - * ipaconfigstring : :ref:`StrEnum` -- * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs') -+ * Values: ('AllowNThash', 'KDC:Disable Last Success', 'KDC:Disable Lockout', 'KDC:Disable Default Preauth for SPNs', 'EnforceLDAPOTP') - * ipaselinuxusermaporder : :ref:`Str` - * ipaselinuxusermapdefault : :ref:`Str` - * ipakrbauthzdata : :ref:`StrEnum` -diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py -index eface545def441d1a6fe9bdb054ab62eaa6589d3..45bd0c108dc958e3e141055901ea3872bc30d511 100644 ---- a/ipaserver/plugins/config.py -+++ b/ipaserver/plugins/config.py -@@ -247,7 +247,8 @@ class config(LDAPObject): - doc=_('Extra hashes to generate in password plug-in'), - values=(u'AllowNThash', - u'KDC:Disable Last Success', u'KDC:Disable Lockout', -- u'KDC:Disable Default Preauth for SPNs'), -+ u'KDC:Disable Default Preauth for SPNs', 
-+ u'EnforceLDAPOTP'), - ), - Str('ipaselinuxusermaporder', - label=_('SELinux user map order'), -diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py -index 8e2ea563f1190e39fab0cab2f54da1f382c29356..d2dfca4cbf8c60955e888b6f92bd88a2608bb265 100644 ---- a/ipatests/test_integration/test_otp.py -+++ b/ipatests/test_integration/test_otp.py -@@ -21,6 +21,9 @@ from ipaplatform.paths import paths - from ipatests.pytest_ipa.integration import tasks - from ipapython.dn import DN - -+from ldap.controls.simple import BooleanControl -+ -+from ipalib import errors - - PASSWORD = "DummyPassword123" - USER = "opttestuser" -@@ -450,3 +453,46 @@ class TestOTPToken(IntegrationTest): - assert "ipa-otpd" not in failed_services.stdout_text - finally: - del_otptoken(self.master, otpuid) -+ -+ def test_totp_ldap(self): -+ master = self.master -+ basedn = master.domain.basedn -+ USER1 = 'user-forced-otp' -+ binddn = DN(f"uid={USER1},cn=users,cn=accounts,{basedn}") -+ -+ tasks.create_active_user(master, USER1, PASSWORD) -+ tasks.kinit_admin(master) -+ # Enforce use of OTP token for this user -+ master.run_command(['ipa', 'user-mod', USER1, -+ '--user-auth-type=otp']) -+ try: -+ conn = master.ldap_connect() -+ # First, attempt authenticating with a password but without LDAP -+ # control to enforce OTP presence and without server-side -+ # enforcement of the OTP presence check. 
-+ conn.simple_bind(binddn, f"{PASSWORD}") -+ # Add an OTP token now -+ otpuid, totp = add_otptoken(master, USER1, otptype="totp") -+ # Next, enforce Password+OTP for a user with OTP token -+ master.run_command(['ipa', 'config-mod', '--addattr', -+ 'ipaconfigstring=EnforceLDAPOTP']) -+ # Next, authenticate with Password+OTP and with the LDAP control -+ # this operation should succeed -+ otpvalue = totp.generate(int(time.time())).decode("ascii") -+ conn.simple_bind(binddn, f"{PASSWORD}{otpvalue}", -+ client_controls=[ -+ BooleanControl( -+ controlType="2.16.840.1.113730.3.8.10.7", -+ booleanValue=True)]) -+ # Remove token -+ del_otptoken(self.master, otpuid) -+ # Now, try to authenticate without otp and without control -+ # this operation should fail -+ try: -+ conn.simple_bind(binddn, f"{PASSWORD}") -+ except errors.ACIError: -+ pass -+ master.run_command(['ipa', 'config-mod', '--delattr', -+ 'ipaconfigstring=EnforceLDAPOTP']) -+ finally: -+ master.run_command(['ipa', 'user-del', USER1]) --- -2.44.0 - diff --git a/0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch b/0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch deleted file mode 100644 index cb4de30..0000000 --- a/0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch +++ /dev/null 
@@ -1,63 +0,0 @@ -From a319811747b44dc9b06294df0270b17dbd2b2026 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Sat, 2 Mar 2024 09:31:46 +0200 -Subject: [PATCH] ipa-pwd-extop: add MFA note in case of a successful LDAP bind - with OTP - -In case there is a successful OTP authentication attempt, register it as -an operation note on the BIND operation in LDAP. 389-ds then will print -a multi-factor authentication note in both access and security logs -according to https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html - -Fixes: https://pagure.io/freeipa/issue/5169 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 10 ++++++++++ - server.m4 | 8 ++++++++ - 2 files changed, 18 insertions(+) - -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -index 69023515018d522651bccb984ddd8e9174c22f59..43a7f54778382edd66da8f18c20de443ed98ab3d 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -@@ -1551,6 +1551,16 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) - /* Attempt to write out kerberos keys for the user. 
*/ - ipapwd_write_krb_keys(pb, discard_const(dn), entry, credentials); - -+#ifdef USE_OP_NOTE_MFA_AUTH -+ /* If it was a successful authentication with OTP required, mark it -+ * for access log to notice multi-factor authentication has happened -+ * https://www.port389.org/docs/389ds/design/mfa-operation-note-design.html -+ */ -+ if (!syncreq && otpreq) { -+ slapi_pblock_set_flag_operation_notes(pb, SLAPI_OP_NOTE_MFA_AUTH); -+ } -+#endif -+ - slapi_entry_free(entry); - slapi_sdn_free(&sdn); - return 0; -diff --git a/server.m4 b/server.m4 -index f97ceddea0388067f4353fd9a03a5e5d27b1672b..4918edc762ef9987625a10348bd4bad59ed9beb3 100644 ---- a/server.m4 -+++ b/server.m4 -@@ -31,6 +31,14 @@ PKG_CHECK_MODULES([DIRSRV], [dirsrv >= 1.3.0]) - # slapi-plugin.h includes nspr.h - DIRSRV_CFLAGS="$DIRSRV_CFLAGS $NSPR_CFLAGS" - -+bck_cflags="$CFLAGS" -+CFLAGS="$CFLAGS $DIRSRV_CFLAGS" -+AC_CHECK_DECL([SLAPI_OP_NOTE_MFA_AUTH], [ -+ AC_DEFINE(USE_OP_NOTE_MFA_AUTH,1, -+ [Use LDAP operation note for multi-factor LDAP BIND])], -+ [], [[#include ]]) -+CFLAGS="$bck_cflags" -+ - dnl -- sss_idmap is needed by the extdom exop -- - PKG_CHECK_MODULES([SSSIDMAP], [sss_idmap]) - PKG_CHECK_MODULES([SSSNSSIDMAP], [sss_nss_idmap >= 1.15.2]) --- -2.44.0 - diff --git a/0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch b/0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch deleted file mode 100644 index ad83976..0000000 --- a/0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch +++ /dev/null 
@@ -1,42 +0,0 @@ -From db804280eff7ab7dea50c797c3c951ae790af2e2 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Thu, 14 Mar 2024 12:19:12 +0200 -Subject: [PATCH] ipa-pwd-extop: declare operation notes support from 389-ds - locally - -The function slapi_pblock_set_flag_operation_notes(); is defined in -ldap/servers/slapd/pblock.c in 389-ds but is only available through -slapi-private.h header, not through slapi-plugin.h public API. - -It was introduced in ~1.4.1.7 (~2019) via https://pagure.io/389-ds-base/issue/50349. - -Since we only use it with an MFA note, all versions of the 389-ds that -will support MFA note will have this function. - -Fixes: https://pagure.io/freeipa/issue/9554 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -index 43a7f54778382edd66da8f18c20de443ed98ab3d..cc170fc4b81f8ecad88f4ff4401b5651c43aaf55 100644 ---- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c -@@ -1414,6 +1414,11 @@ done: - } - - -+#ifdef USE_OP_NOTE_MFA_AUTH -+/* defined in ldap/servers/slapd/pblock.c in 389-ds but not exposed via slapi-plugin.h */ -+extern void slapi_pblock_set_flag_operation_notes(Slapi_PBlock *pb, uint32_t opflag); -+#endif -+ - /* PRE BIND Operation - * - * Used for: --- -2.44.0 - diff --git a/0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch b/0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch deleted file mode 100644 index a96d278..0000000 --- a/0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From e95201fe2f816fc5cc795793782ea71642994a94 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Mon, 11 Mar 2024 11:48:01 +0200 -Subject: [PATCH] dcerpc: invalidate forest trust info cache when filtering out - realm domains - -When get_realmdomains() method is called, it will filter out subdomains -of the IPA primary domain. This is required because Active Directory -domain controllers are assuming subdomains already covered by the main -domain namespace. - -[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the -method of validating the forest trust information. They are the same as -rules in [MS-ADTS] section 6.1.6. Specifically, - - - A top-level name must not be superior to an enabled top-level name - for another trusted domain object, unless the current trusted domain - object has a corresponding exclusion record. - -In practice, we filtered those subdomains already but the code wasn't -invalidating a previously retrieved forest trust information. - -Fixes: https://pagure.io/freeipa/issue/9551 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/dcerpc.py | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py -index ed9f0c0469d5f43da198c8447138530fb32c03c6..691da0332d60f51cd4e21e99625aa273be566baf 100644 ---- a/ipaserver/dcerpc.py -+++ b/ipaserver/dcerpc.py -@@ -1103,6 +1103,7 @@ class TrustDomainInstance: - - info.count = len(ftinfo_records) - info.entries = ftinfo_records -+ another_domain.ftinfo_data = info - return info - - def clear_ftinfo_conflict(self, another_domain, cinfo): -@@ -1778,6 +1779,7 @@ class TrustDomainJoins: - return - - self.local_domain.ftinfo_records = [] -+ self.local_domain.ftinfo_data = None - - realm_domains = self.api.Command.realmdomains_show()['result'] - # Use realmdomains' modification timestamp --- -2.44.0 - 
diff --git a/0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch b/0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch deleted file mode 100644 index 6b0faa6..0000000 --- a/0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch +++ /dev/null 
@@ -1,68 +0,0 @@ -From a1aa66dc59b55fef641dcf0539de0d3602f6a8a0 Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Wed, 20 Mar 2024 14:29:46 +0530 -Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation - testcases. - -Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt -which causes error in STIG mode. - -[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt -Incorrect password/PIN entered. - -Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt. - -Signed-off-by: Sudhir Menon -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 7323b073273bd95d7b62d19fd5afe03edb2a21da..7e8f7da3664a88f927ff80ae222780156676c40b 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -2766,17 +2766,18 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest): - Fixture to remove Server cert and revert the change. 
- """ - instance = realm_to_serverid(self.master.domain.realm) -+ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance - self.master.run_command( - [ - "certutil", - "-L", - "-d", -- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, -+ instance_dir, - "-n", - "Server-Cert", - "-a", - "-o", -- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance -+ instance_dir - + "/Server-Cert.pem", - ] - ) -@@ -2795,15 +2796,15 @@ class TestIpaHealthCheckWithExternalCA(IntegrationTest): - [ - "certutil", - "-d", -- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, -+ instance_dir, - "-A", - "-i", -- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance -+ instance_dir - + "/Server-Cert.pem", - "-t", - "u,u,u", - "-f", -- paths.IPA_NSSDB_PWDFILE_TXT, -+ "%s/pwdfile.txt" % instance_dir, - "-n", - "Server-Cert", - ] --- -2.44.0 - diff --git a/0068-ipa-kdb-support-Samba-4.20-private-libraries.patch b/0068-ipa-kdb-support-Samba-4.20-private-libraries.patch deleted file mode 100644 index f4386b6..0000000 --- a/0068-ipa-kdb-support-Samba-4.20-private-libraries.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From b514e16495b7b2d65f02f95bfa1a21531bc37b3a Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 30 Jan 2024 19:58:05 +0200 -Subject: [PATCH] ipa-kdb: support Samba 4.20 private libraries - -Samba 4.20 will change name extension of the private libraries from -'samba4' to 'private-samba'. Detect private extension through configure -step and make sure to use the right library name in Makefile. - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - daemons/ipa-kdb/Makefile.am | 2 +- - server.m4 | 8 ++++++++ - 2 files changed, 9 insertions(+), 1 deletion(-) - -diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am -index 777c6b4bd6b9399d12860c1577534b6505361bb4..ca1593bc801ab1942a6a31f4c79bfdc897dc447d 100644 ---- a/daemons/ipa-kdb/Makefile.am -+++ b/daemons/ipa-kdb/Makefile.am -@@ -116,7 +116,7 @@ ipa_kdb_tests_LDADD = \ - $(top_builddir)/util/libutil.la \ - -lkdb5 \ - -lsss_idmap \ -- -lsamba-security-samba4 \ -+ -l$(SAMBA_SECURITY_LIBS)\ - -lsamba-errors \ - $(NULL) - -diff --git a/server.m4 b/server.m4 -index 2ee2cf5191d74c8b82a55b7a62be08c00944e399..f97ceddea0388067f4353fd9a03a5e5d27b1672b 100644 ---- a/server.m4 -+++ b/server.m4 -@@ -182,6 +182,14 @@ AC_CHECK_LIB([smbldap],[smbldap_set_bind_callback], - [AC_DEFINE([HAVE_SMBLDAP_SET_BIND_CALLBACK], [1], [struct smbldap_state is opaque])], - [AC_MSG_WARN([libsmbldap is not opaque, not using smbldap_set_bind_callback])], - [$SAMBA40EXTRA_LIBPATH]) -+AC_CHECK_LIB([samba-security-private-samba],[dom_sid_string], -+ [SAMBA_SECURITY_LIBS=samba-security-private-samba], -+ [AC_CHECK_LIB([samba-security-samba4],[dom_sid_string], -+ [SAMBA_SECURITY_LIBS=samba-security-samba4], -+ [AC_MSG_ERROR([Cannot find private samba-security library])], -+ [$SAMBA40EXTRA_LIBPATH])], -+ [$SAMBA40EXTRA_LIBPATH]) -+AC_SUBST(SAMBA_SECURITY_LIBS) - - dnl --------------------------------------------------------------------------- - dnl Check for libunistring --- -2.44.0 - 
diff --git a/freeipa.spec b/freeipa.spec index 7674161..cfbd645 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -78,8 +78,8 @@ %global ds_version 1.4.3.16-12 %global selinux_policy_version 3.14.3-107 %else -# DNA interval enabled -%global ds_version 2.0.5-1 +# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility +%global ds_version 2.1.0 %global selinux_policy_version 38.1.1-1 %endif @@ -124,10 +124,11 @@ # Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700 # and has DNA interval enabled +# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility %if 0%{?fedora} < 34 %global ds_version 1.4.4.16-1 %else -%global ds_version 2.0.7-1 +%global ds_version 2.1.0 %endif # Fix for TLS 1.3 PHA, RHBZ#1775146 @@ -173,7 +174,7 @@ %endif # RHEL 8.3+, F32+ has 0.79.13 -%global certmonger_version 0.79.7-3 +%global certmonger_version 0.79.17-1 # RHEL 8.2+, F32+ has 3.58 %global nss_version 3.44.0-4 @@ -210,7 +211,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.11.0 +%define IPA_VERSION 4.12.0 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %%nil %define AT_SIGN @ @@ -223,7 +224,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 11%{?rc_version:.%rc_version}%{?dist} +Release: 1%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPL-3.0-or-later 
@@ -247,74 +248,6 @@ Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch %endif %if 0%{?rhel} == 9 -Patch0001: 0001-ipatests-fix-healthcheck-test-without-DNS.patch -Patch0002: 0002-ipatests-fix-healthcheck-test-for-indent-option.patch -Patch0003: 0003-ipatests-fix-test_ipactl_scenario_check.patch -Patch0004: 0004-ipalib-fix-the-IPACertificate-validity-dates.patch -Patch0005: 0005-Allow-password-policy-minlength-to-be-removed-like-o.patch -Patch0006: 0006-ipatests-Skip-the-test-failing-due-to-FIPS-policy.patch -Patch0007: 0007-The-PKI-JSON-API-the-revocation-reason-key-may-be-ca.patch -Patch0008: 0008-WIP-Get-the-PKI-version-from-the-remote-to-determine.patch -Patch0009: 0009-ipatests-fix-expected-output-for-ipahealthcheck.meta.patch -Patch0010: 0010-ipatests-ignore-nsslapd-accesslog-logbuffering-WARN-.patch -Patch0011: 0011-ipatests-fix-expected-output-for-ipahealthcheck.ipa..patch -Patch0012: 0012-group-add-member-fails-with-an-external-member.patch -Patch0013: 0013-Handle-samba-changes-in-samba.security.dom_sid.patch -Patch0014: 0014-test_install-restart-services-after-date-change.patch -Patch0015: 0015-Issue-9497-Add-new-password-policy-logging-function.patch -Patch0016: 0016-Issue-9497-Update-logging-in-ipa_enrollment.patch -Patch0017: 0017-Issue-9497-update-debug-logging-in-ipa_graceperiod.patch -Patch0018: 0018-Issue-9497-update-debug-logging-in-ipa_lockout.patch -Patch0019: 0019-Issue-9497-update-debug-logging-in-ipa_modrdn.patch -Patch0020: 0020-Issue-9497-update-debug-logging-in-ipa_otp_counter.patch -Patch0021: 0021-Issue-9497-update-debug-logging-in-ipa_otp_lasttoken.patch -Patch0022: 0022-Issue-9497-update-debug-logging-in-ipa-pwd-extop.patch -Patch0023: 0023-Issue-9497-update-debug-logging-in-ipa_uuid.patch -Patch0024: 0024-hbactest-was-not-collecting-or-returning-messages.patch -Patch0025: 0025-ipatests-Verify-that-hbactest-will-return-messages.patch -Patch0026: 
0026-ipa-kdb-add-better-detection-of-allowed-user-auth-ty.patch -Patch0027: 0027-ipa-kdb-when-applying-ticket-policy-do-not-deny-PKIN.patch -Patch0028: 0028-ipa-kdb-clarify-user-auth-table-mapping-use-of-_AUTH.patch -Patch0029: 0029-ipatests-make-sure-PKINIT-enrollment-works-with-a-st.patch -Patch0030: 0030-Check-the-HTTP-Referer-header-on-all-requests.patch -Patch0031: 0031-Integration-tests-for-verifying-Referer-header-in-th.patch -Patch0032: 0032-ipatests-Skip-ds_encryption-tests-on-RHEL9-SUT.patch -Patch0033: 0033-ACME-Don-t-treat-pki-server-ca-config-show-failures-.patch -Patch0034: 0034-Fix-ipa-client-automount-install-uninstall-with-new-.patch -Patch0035: 0035-ipatests-Test-client-install-uninstall-with-automoun.patch -Patch0036: 0036-ipa-client-automount-Don-t-use-deprecated-ipadiscove.patch -Patch0037: 0037-Server-affinity-Retain-user-requested-remote-server.patch -Patch0038: 0038-get_directive-don-t-error-out-on-substring-mismatch.patch -Patch0039: 0039-host-update-System-Manage-Host-Keytab-permission.patch -Patch0040: 0040-adtrustinstance-make-sure-NetBIOS-name-defaults-are-.patch -Patch0041: 0041-Server-affinity-Don-t-rely-just-on-ca-kra-_enabled-f.patch -Patch0042: 0042-ipatests-wait-for-replica-update-in-test_dns_locatio.patch -Patch0043: 0043-Server-affinity-call-ca.install-if-there-is-a-CA-in-.patch -Patch0044: 0044-ipapython-Clean-up-krb5_error.patch -Patch0045: 0045-ipapython-Correct-return-type-of-krb5_free_cred_cont.patch -Patch0046: 0046-ipapython-Propagate-KRB5Error-exceptions-on-iteratin.patch -Patch0047: 0047-ipa-kdb-Fix-memory-leak-during-PAC-verification.patch -Patch0048: 0048-sidgen-ignore-staged-users-when-generating-SIDs.patch -Patch0049: 0049-sidgen-fix-missing-prototypes.patch -Patch0050: 0050-kdb-PAC-generator-do-not-fail-if-canonical-principal.patch -Patch0051: 0051-ipatests-Skip-tests-for-ipahealtcheck-tests-for-spec.patch -Patch0052: 0052-ipatests-remove-xfail-thanks-to-sssd-2.9.4.patch -Patch0053: 
0053-ipatests-add-xfail-for-autoprivate-group-test-with-o.patch -Patch0054: 0054-ipatests-fix-tasks.wait_for_replication-method.patch -Patch0055: 0055-ipa-kdb-Rework-ipadb_reinit_mspac.patch -Patch0056: 0056-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch -Patch0057: 0057-Vault-improve-vault-server-archival-retrieval-calls-.patch -Patch0058: 0058-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch -Patch0059: 0059-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch -Patch0060: 0060-rpcserver-validate-Kerberos-principal-name-before-ru.patch -Patch0061: 0061-validate_principal-Don-t-try-to-verify-that-the-real.patch -Patch0062: 0062-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-a.patch -Patch0063: 0063-ipa-pwd-extop-allow-enforcing-2FA-only-over-LDAP-bin.patch -Patch0064: 0064-ipa-pwd-extop-add-MFA-note-in-case-of-a-successful-L.patch -Patch0065: 0065-ipa-pwd-extop-declare-operation-notes-support-from-3.patch -Patch0066: 0066-dcerpc-invalidate-forest-trust-info-cache-when-filte.patch -Patch0067: 0067-ipatests-Fixes-for-test_ipahealthcheck_ipansschainva.patch -Patch0068: 0068-ipa-kdb-support-Samba-4.20-private-libraries.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif @@ -348,6 +281,7 @@ BuildRequires: gettext BuildRequires: gettext-devel BuildRequires: python3-devel BuildRequires: python3-setuptools +BuildRequires: python3-argcomplete BuildRequires: systemd >= %{systemd_version} # systemd-tmpfiles which is executed from make install requires apache user BuildRequires: httpd @@ -460,7 +394,7 @@ BuildRequires: python3-libipa_hbac BuildRequires: python3-libsss_nss_idmap BuildRequires: python3-lxml BuildRequires: python3-netaddr >= %{python_netaddr_version} -BuildRequires: python3-netifaces +BuildRequires: python3-ifaddr BuildRequires: python3-pki >= %{pki_version} BuildRequires: python3-polib BuildRequires: python3-pyasn1 
@@ -769,7 +703,7 @@ Requires: oddjob-mkhomedir Requires: libsss_autofs Requires: autofs Requires: libnfsidmap -Requires: nfs-utils +Requires: (nfs-utils or nfsv4-client-utils) Requires: sssd-tools >= %{sssd_version} Requires(post): policycoreutils @@ -928,6 +862,7 @@ Requires: %{name}-common = %{version}-%{release} Requires(pre): python3-ldap >= %{python_ldap_version} Requires: gnupg2 Requires: keyutils +Requires: python3-argcomplete Requires: python3-cffi Requires: python3-cryptography >= 1.6 Requires: python3-dateutil @@ -937,7 +872,7 @@ Requires: python3-gssapi >= 1.2.0 Requires: python3-jwcrypto >= 0.4.2 Requires: python3-libipa_hbac Requires: python3-netaddr >= %{python_netaddr_version} -Requires: python3-netifaces >= 0.10.4 +Requires: python3-ifaddr Requires: python3-pyasn1 >= 0.3.2-2 Requires: python3-pyasn1-modules >= 0.3.2-2 Requires: python3-pyusb @@ -953,6 +888,7 @@ Requires: python3-setuptools %endif # For urllib3.util.ssl_match_hostname Requires: python3-urllib3 >= 1.25.8 +Requires: python3-systemd %description -n python3-ipalib IPA is an integrated solution to provide centrally managed Identity (users, @@ -1044,6 +980,26 @@ Requires(post): selinux-policy-%{selinuxtype} %description selinux Custom SELinux policy module for FreeIPA + +%package selinux-nfast +Summary: FreeIPA SELinux policy for nCipher nfast HSMs +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +%{?selinux_requires} + +%description selinux-nfast +Custom SELinux policy module for nCipher nfast HSMs + +%package selinux-luna +Summary: FreeIPA SELinux policy for Thales Luna HSMs +BuildArch: noarch +Requires: selinux-policy-%{selinuxtype} +Requires(post): selinux-policy-%{selinuxtype} +%{?selinux_requires} + +%description selinux-luna +Custom SELinux policy module for Thales Luna HSMs # with selinux %endif 
@@ -1125,6 +1081,17 @@ rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png %endif # RHEL spec file only: END +%if ! %{ONLY_CLIENT} +%if 0%{?fedora} >= 38 +# Register CLI tools for bash completion (fedora only) +for clitool in ipa-migrate +do + register-python-argcomplete "${clitool}" > "${clitool}" + install -p -m 0644 -D -t '%{buildroot}%{bash_completions_dir}' "${clitool}" +done +%endif +%endif + %find_lang %{gettext_domain} %if ! %{ONLY_CLIENT} @@ -1188,6 +1155,10 @@ fi /bin/systemctl reload-or-try-restart oddjobd %tmpfiles_create ipa.conf +%journal_catalog_update + +%postun server +%journal_catalog_update %posttrans server # don't execute upgrade and restart of IPA when server is not installed 
@@ -1324,13 +1295,21 @@ if [ $1 -gt 1 ] ; then cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem fi - %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 chmod 0600 /var/log/ipaupgrade.log SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" + # https://pagure.io/freeipa/issue/9536 + # replace sss_ssh_knownhostsproxy with sss_ssh_knownhosts + if [ -f '/usr/bin/sss_ssh_knownhosts' ]; then + if grep -E -q 'Include' $SSH_CLIENT_SYSTEM_CONF 2>/dev/null ; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config.d/04-ipa.conf" + fi + sed -E --in-place=.orig 's/^(GlobalKnownHostsFile \/var\/lib\/sss\/pubconf\/known_hosts)$/# disabled by ipa-client update\n# \1/' $SSH_CLIENT_SYSTEM_CONF + sed -E --in-place=.orig 's/(ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p \%p \%h)/# replaced by ipa-client update\n KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts \%H/' $SSH_CLIENT_SYSTEM_CONF + fi fi fi fi 
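Review bot: The ProxyCommand substitution in the new sss_ssh_knownhosts branch is unanchored, unlike the GlobalKnownHostsFile substitution directly above it, so a ProxyCommand line that is already commented out, or one a user put under their own `Host` block, is also rewritten into `KnownHostsCommand`; anchor it the same way, `s/^(ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p \%p \%h)$/# replaced by ipa-client update\n KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts \%H/`. The two `sed --in-place=.orig` calls both write the same `.orig` backup, so after the scriptlet the backup reflects the file between the two edits rather than the pre-upgrade state; use distinct suffixes or a single sed with two `-e` expressions if the backup is meant to be restorable. When `Include` is found the scriptlet switches to `/etc/ssh/ssh_config.d/04-ipa.conf` without checking that this file exists, so a `[ -f "$SSH_CLIENT_SYSTEM_CONF" ]` test after the switch would avoid sed failing inside the scriptlet on hosts configured before the drop-in existed. The enclosing scriptlet begins before this hunk.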
@@ -1346,17 +1325,75 @@ fi semodule -d ipa_custodia &> /dev/null || true; %selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 +%post selinux-nfast +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-nfast.pp.bz2 + +%post selinux-luna +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-luna.pp.bz2 + %postun selinux if [ $1 -eq 0 ]; then %selinux_modules_uninstall -s %{selinuxtype} %{modulename} semodule -e ipa_custodia &> /dev/null || true; fi +%postun selinux-nfast +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename}-nfast +fi + +%postun selinux-luna +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename}-luna + %posttrans selinux %selinux_relabel_post -s %{selinuxtype} # with_selinux %endif +%triggerin client -- sssd-common < 2.10 +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" + if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then + # https://pagure.io/freeipa/issue/9536 + # downgrade sss_ssh_knownhosts with sss_ssh_knownhostsproxy + if [ -f '/usr/bin/sss_ssh_knownhosts' ]; then + if grep -E -q 'Include' $SSH_CLIENT_SYSTEM_CONF 2>/dev/null ; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config.d/04-ipa.conf" + fi + GLOBALKNOWNHOSTFILE="GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts/" + grep -qF '$GLOBALKNOWNHOSTFILE' $SSH_CLIENT_SYSTEM_CONF + if [ $? 
-ne 0 ]; then + sed -E --in-place=.orig '/(# IPA-related configuration changes to ssh_config)/a # added by ipa-client update\n'"$GLOBALKNOWNHOSTFILE"'' $SSH_CLIENT_SYSTEM_CONF + fi + sed -E --in-place=.orig 's/(KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts \%H)/ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p \%p \%h/' $SSH_CLIENT_SYSTEM_CONF + fi + fi +fi + +%triggerin client -- sssd-common >= 2.10 +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" + if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then + # https://pagure.io/freeipa/issue/9536 + # upgrade sss_ssh_knownhostsproxy with sss_ssh_knownhosts + if [ -f '/usr/bin/sss_ssh_knownhosts' ]; then + if grep -E -q 'Include' $SSH_CLIENT_SYSTEM_CONF 2>/dev/null ; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config.d/04-ipa.conf" + fi + sed -E --in-place=.orig 's/^(GlobalKnownHostsFile \/var\/lib\/sss\/pubconf\/known_hosts)$/# disabled by ipa-client update\n# \1/' $SSH_CLIENT_SYSTEM_CONF + sed -E --in-place=.orig 's/(ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p \%p \%h)/# replaced by ipa-client update\n KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts \%H/' $SSH_CLIENT_SYSTEM_CONF + fi + fi +fi %triggerin client -- openssh-server < 8.2 # Has the client been configured? @@ -1455,6 +1492,10 @@ fi %{_sbindir}/ipa-crlgen-manage %{_sbindir}/ipa-cert-fix %{_sbindir}/ipa-acme-manage +%{_sbindir}/ipa-migrate +%if 0%{?fedora} >= 38 +%{bash_completions_dir}/ipa-migrate +%endif %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard %dir %{_libexecdir}/ipa 
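Review bot: The new `%postun selinux-luna` scriptlet opens `if [ $1 -eq 0 ]; then` but never closes it — after the `%selinux_modules_uninstall` call the next non-empty line is already `%posttrans selinux` — whereas the sibling `%postun selinux-nfast` has its `fi`; rpm will hand the shell an unterminated `if` on package removal, the scriptlet fails, and the luna policy module stays loaded. Add `fi` after `%selinux_modules_uninstall -s %{selinuxtype} %{modulename}-luna`. In the `sssd-common < 2.10` trigger, `grep -qF '$GLOBALKNOWNHOSTFILE' $SSH_CLIENT_SYSTEM_CONF` uses single quotes, so it looks for the literal text `$GLOBALKNOWNHOSTFILE`, never matches, and the following `sed ... /a` appends another `GlobalKnownHostsFile` line every time the trigger runs; it should read `grep -qF "$GLOBALKNOWNHOSTFILE" "$SSH_CLIENT_SYSTEM_CONF"`. The appended value also carries a trailing slash (`/var/lib/sss/pubconf/known_hosts/`) that the line disabled by the upgrade path does not have; if the target is a file, as the other patterns suggest, drop the slash so ssh can read it.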
@@ -1487,6 +1528,7 @@ fi %attr(644,root,root) %{_unitdir}/ipa-otpd@.service %attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service %attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer +%attr(644,root,root) %{_journalcatalogdir}/ipa.catalog # END %attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so %attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so @@ -1529,6 +1571,7 @@ fi %{_mandir}/man1/ipa-crlgen-manage.1* %{_mandir}/man1/ipa-cert-fix.1* %{_mandir}/man1/ipa-acme-manage.1* +%{_mandir}/man1/ipa-migrate.1* %files -n python3-ipaserver 
@@ -1803,10 +1846,29 @@ fi %files selinux %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* %ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} + +%files selinux-nfast +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-nfast.pp.* +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}-nfast + +%files selinux-luna +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-luna.pp.* +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}-luna # with selinux %endif %changelog +* Wed May 29 2024 Florence Blanc-Renaud - 4.12.0-1 +- Resolves: RHEL-39140 Rebase ipa to the latest 4.12 version for RHEL 9.5 +- Resolves: RHEL-34757 The change for preventing deletion of the admin user caused a regression in disable +- Resolves: RHEL-30553 Depend on nfsv4-client-utils or nfs-utils +- Resolves: RHEL-29762 IPA sidgen fails to create SID for manually set ID for a new range [rhel-9.5.0] +- Resolves: RHEL-26261 Fix replica connection check for use with AD administrator +- Resolves: RHEL-18062 ipa ca-show NAME --certificate-out=file creates empty file when NAME does not exist +- Resolves: RHEL-12149 traceback in ipaserver/dcerpc.py +- Resolves: RHEL-4810 [RFE] FreeIPA-to-FreeIPA migration +- Resolves: RHEL-4807 [RFE] Support in IPA for HSM boxes + * Tue Apr 30 2024 Florence Blanc-Renaud - 4.11.0-11 - Resolves: RHEL-33645 - Update samba to version 4.20.0 diff --git a/sources b/sources index b86cbff..1d416e7 100644 --- a/sources +++ b/sources 
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.11.0.tar.gz) = 2af27248bfa1cb39f52eb38d0ffcf76d8eed5397aca89932f6a6cef622fb93875c1b17b79742c6b67a086a84b02dacbc8ea05b3bc481cd296fe983f4ae13a80f
-SHA512 (freeipa-4.11.0.tar.gz.asc) = 6464605296e00281cf0e22ff7e479f4100762a2aa2e2ae78a1c9e8f83ff5a7cdf13da610f5a1da4711552aa3268de04cb442bde37ecb5f716937a5f902b66825
+SHA512 (freeipa-4.12.0.tar.gz) = 1e95250a6892e85b4782a1f2451a99d21c90ce82db2be369d9e0e1706575229d4539b20f8dd2b97da0d6f73f4fb59168ab6e05eb2fe185b4bb854f42c1e7fd29
+SHA512 (freeipa-4.12.0.tar.gz.asc) = 896170fee005acc3cf46b22053d9f0f0e75f0af31af5c9fbd993674dc26549e479ea3468412ff35f947f7cf42bb7b9bf96f1ead21d754eec92a27b30d731dbe1