rpms/ipa
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Update to upstream 4.6.90.pre2

Browse Source 
Resolves: #1562606
This commit is contained in:
Rob Crittenden 2018-05-15 16:22:52 -04:00
parent 21c066104d
commit baaf4e605c
8 changed files with 62 additions and 373 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -64,3 +64,5 @@
/freeipa-4.6.90.pre1-1.fc29.src.rpm
/freeipa-4.6.90.pre1.tar.gz
/freeipa-4.6.90.pre1.tar.gz.asc
/freeipa-4.6.90.pre2.tar.gz
/freeipa-4.6.90.pre2.tar.gz.asc

53
0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
View File

@ -1,53 +0,0 @@
From e161bce61819fbc8fd1b2a0bdfb01ecf9947b733 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Mon, 19 Mar 2018 21:48:04 +0200
Subject: [PATCH 1/2] Processing of server roles should ignore
errors.EmptyResult
When non-admin user issues a command that utilizes
api.Object.config.show_servroles_attributes(), some server roles might
return errors.EmptyResult, indicating that a role is not visible to this
identity.
Most of the callers to api.Object.config.show_servroles_attributes() do
not process errors.EmptyResult so it goes up to an API caller. In case
of Web UI it breaks retrieval of the initial configuration due to ipa
config-show failing completely rather than avoiding to show available
server roles.
Fixes: https://pagure.io/freeipa/issue/7452
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/config.py | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
index 33ed38ba0..dd235a4e1 100644
--- a/ipaserver/plugins/config.py
+++ b/ipaserver/plugins/config.py
@@ -276,9 +276,20 @@ class config(LDAPObject):
def update_entry_with_role_config(self, role_name, entry_attrs):
backend = self.api.Backend.serverroles
- role_config = backend.config_retrieve(role_name)
+ try:
+ role_config = backend.config_retrieve(role_name)
+ except errors.EmptyResult:
+ # No role config means current user identity
+ # has no rights to see it, return with no action
+ return
+
for key, value in role_config.items():
- entry_attrs.update({key: value})
+ try:
+ entry_attrs.update({key: value})
+ except errors.EmptyResult:
+ # An update that doesn't change an entry is fine here
+ # Just ignore and move to the next key pair
+ pass
def show_servroles_attributes(self, entry_attrs, *roles, **options):
--
2.14.3

41
0002-Update-template-directory-with-new-variables-when-up.patch
View File

@ -1,41 +0,0 @@
From ae35587582f0e4ae1e9fac3270d2f6942f4f7a31 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 20 Mar 2018 09:35:51 +0200
Subject: [PATCH 2/2] Update template directory with new variables when
upgrading ipa.conf.template
With e6c707b168067ebb3705c21efc377acd29b23fff we changed httpd
configuration to use abstracted out variables in the template.
However, during upgrade we haven't resolved these variables so an
upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
fail.
Add all missing variables to the upgrade code.
Fixes https://pagure.io/freeipa/issue/7454
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/server/upgrade.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index a38f4115c..5654cc32d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1617,7 +1617,12 @@ def upgrade_configuration():
AUTOREDIR='' if auto_redirect else '#',
CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
DOGTAG_PORT=8009,
- CLONE='#'
+ CLONE='#',
+ WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR,
+ GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
+ FONTS_DIR=paths.FONTS_DIR,
+ IPA_CCACHES=paths.IPA_CCACHES,
+ IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET
)
subject_base = find_subject_base()
--
2.14.3

75
0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch
View File

@ -1,75 +0,0 @@
From cd81ffbd7b9657e6715e3dc1b69bd9499036675b Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 21 Mar 2018 10:33:32 +0200
Subject: [PATCH] upgrade: Run configuration upgrade under empty ccache
collection
Use temporary empty DIR-based ccache collection to prevent upgrade
failures in case KCM: or KEYRING: ccache type is used by default in
krb5.conf and is not available. We don't need any user credentials
during upgrade procedure but kadmin.local would attempt to resolve
default ccache and if that's not available, kadmin.local will fail.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/server/upgrade.py | 29 ++++++++++++++++++++++++++++-
1 file changed, 28 insertions(+), 1 deletion(-)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index a38f4115c..4844350dc 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -11,6 +11,8 @@ import shutil
import pwd
import fileinput
import sys
+import tempfile
+from contextlib import contextmanager
from augeas import Augeas
import dns.exception
from ipalib import api, x509
@@ -1926,6 +1928,30 @@ def upgrade_check(options):
logger.warning("Upgrade without version check may break your system")
+@contextmanager
+def empty_ccache():
+ # Create temporary directory and use it as a DIR: ccache collection
+ # instead of whatever is a default in /etc/krb5.conf
+ #
+ # In Fedora 28 KCM: became a default credentials cache collection
+ # but if KCM daemon (part of SSSD) is not running, libkrb5 will fail
+ # to initialize. This causes kadmin.local to fail.
+ # Since we are in upgrade, we cannot kinit anyway (KDC is offline).
+ # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818
+ kpath_dir = tempfile.mkdtemp(prefix="upgrade_ccaches", dir=paths.IPA_CCACHES)
+ kpath = "DIR:{dir}s".format(dir=kpath_dir)
+ old_path = os.getenv('KRB5CCNAME')
+ try:
+ os.environ['KRB5CCNAME'] = kpath
+ yield
+ finally:
+ if old_path:
+ os.environ['KRB5CCNAME'] = old_path
+ for f in os.listdir(kpath_dir):
+ os.remove(os.path.join(kpath_dir, f))
+ os.rmdir(kpath_dir)
+
+
def upgrade():
realm = api.env.realm
schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f
@@ -1950,7 +1976,8 @@ def upgrade():
print('Upgrading IPA services')
logger.info('Upgrading the configuration of the IPA services')
- upgrade_configuration()
+ with empty_ccache():
+ upgrade_configuration()
logger.info('The IPA services were upgraded')
# store new data version after upgrade
--
2.14.3

49
0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch
View File

@ -1,49 +0,0 @@
From 585250368a8841e69176006acb6876abc54843cb Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Tue, 20 Mar 2018 16:40:24 +0200
Subject: [PATCH] use LDAP Whoami command when creating an OTP token
ipa user-find --whoami is used by ipa otptoken-add to populate
ipaTokenOwner and managedBy attributes. These attributes, in turn are
checked by the self-service ACI which allows to create OTP tokens
assigned to the creator.
With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
searches with scope 'one' that result in ipa user-find --whoami
returning 0 results.
Because ipa user-find --whoami does not work, non-admin user cannot
create a token. This is a regression that can be fixed by using LDAP
Whoami command.
Fixes: https://pagure.io/freeipa/issue/7456
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/plugins/otptoken.py | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
index d94ae49ff..17b32094d 100644
--- a/ipaserver/plugins/otptoken.py
+++ b/ipaserver/plugins/otptoken.py
@@ -311,13 +311,12 @@ class otptoken_add(LDAPCreate):
# If owner was not specified, default to the person adding this token.
# If managedby was not specified, attempt a sensible default.
if 'ipatokenowner' not in entry_attrs or 'managedby' not in entry_attrs:
- result = self.api.Command.user_find(
- whoami=True, no_members=False)['result']
- if result:
- cur_uid = result[0]['uid'][0]
+ cur_dn = DN(self.api.Backend.ldap2.conn.whoami_s()[4:])
+ if cur_dn:
+ cur_uid = cur_dn[0].value
prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
if cur_uid == prev_uid:
- entry_attrs.setdefault('managedby', result[0]['dn'])
+ entry_attrs.setdefault('managedby', cur_dn.ldap_text())
# Resolve the owner's dn
_normalize_owner(self.api.Object.user, entry_attrs)
--
2.14.3

114
0005-Fix-upgrade-when-named.conf-does-not-exist.patch
View File

@ -1,114 +0,0 @@
commit 421fc376ccb8668c07692d3a3394a5869dc97296
Author: Fraser Tweedale <ftweedal@redhat.com>
Date: Wed Mar 28 16:05:05 2018 +1100
Fix upgrade when named.conf does not exist
Commit aee0d2180c7119bef30ab7cafea81dc3df1170b7 adds an upgrade step
that adds system crypto policy include to named.conf. This step
omitted the named.conf existence check; upgrade fails when it does
not exist. Add the existence check.
Also update the test to add the IPA-related part of the named.conf
config, because the "existence check" actually does more than just
check that the file exists - it also check that it contains the IPA
bind-dyndb-ldap configuration section.
Part of: https://pagure.io/freeipa/issue/4853
Reviewed-By: Christian Heimes <cheimes@redhat.com>
diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
index 5cf537201..cd70cc983 100644
--- a/ipaserver/install/bindinstance.py
+++ b/ipaserver/install/bindinstance.py
@@ -93,6 +93,10 @@ def create_reverse():
def named_conf_exists():
+ """
+ Checks that named.conf exists AND that it contains IPA-related config.
+
+ """
try:
with open(paths.NAMED_CONF, 'r') as named_fd:
lines = named_fd.readlines()
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index c192f4fff..07d783445 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -905,6 +905,10 @@ def named_add_server_id():
def named_add_crypto_policy():
"""Add crypto policy include
"""
+ if not bindinstance.named_conf_exists():
+ logger.info('DNS is not configured')
+ return False
+
if sysupgrade.get_upgrade_state('named.conf', 'add_crypto_policy'):
# upgrade was done already
return False
diff --git a/ipatests/test_ipaserver/test_install/test_bindinstance.py b/ipatests/test_ipaserver/test_install/test_bindinstance.py
index 6b072ad8a..b88b93194 100644
--- a/ipatests/test_ipaserver/test_install/test_bindinstance.py
+++ b/ipatests/test_ipaserver/test_install/test_bindinstance.py
@@ -24,7 +24,6 @@ options {
include "random/file";
"""
-
EXPECTED_CONFIG = """
options {
\tdnssec-enable yes;
@@ -35,6 +34,12 @@ options {
include "random/file";
"""
+# bindinstance.named_conf_exists() looks for a section like this
+IPA_DYNDB_CONFIG = """
+dyndb "ipa" "/usr/lib/bind/ldap.so" {
+};
+"""
+
POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
@@ -53,14 +58,16 @@ def test_add_crypto_policy(m_set, m_get, namedconf):
m_get.return_value = False
with open(namedconf, 'w') as f:
f.write(TEST_CONFIG)
+ f.write(IPA_DYNDB_CONFIG)
- named_add_crypto_policy()
+ result = named_add_crypto_policy()
+ assert result
m_get.assert_called_with('named.conf', 'add_crypto_policy')
m_set.assert_called_with('named.conf', 'add_crypto_policy', True)
with open(namedconf) as f:
content = f.read()
- assert content == EXPECTED_CONFIG
+ assert content == ''.join([EXPECTED_CONFIG, IPA_DYNDB_CONFIG])
m_get.reset_mock()
m_set.reset_mock()
@@ -69,3 +76,19 @@ def test_add_crypto_policy(m_set, m_get, namedconf):
named_add_crypto_policy()
m_get.assert_called_with('named.conf', 'add_crypto_policy')
m_set.assert_not_called()
+
+
+@patch('ipaserver.install.sysupgrade.get_upgrade_state')
+@patch('ipaserver.install.sysupgrade.set_upgrade_state')
+def test_add_crypto_policy_no_ipa(m_set, m_get, namedconf):
+ # Test if the update step is skipped when named.conf doesn't contain
+ # IPA related settings.
+ m_get.return_value = False
+ with open(namedconf, 'w') as f:
+ f.write(TEST_CONFIG)
+
+ result = named_add_crypto_policy()
+ assert not result
+
+ m_get.assert_not_called()
+ m_set.assert_not_called()

97
freeipa.spec
View File

@ -59,6 +59,7 @@
%global selinux_policy_version 3.12.1-153
%global slapi_nis_version 0.56.0-4
%global python2_ldap_version 2.4.15
%global ds_version 1.3.7.9-1
%else
# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
%global krb5_version 1.15.1-7
@ -83,8 +84,26 @@
%global python3_ldap_version 2.4.35.1-2
%endif
%if 0%{?fedora} >= 28
# Fix for "Crash when failing to read from SASL connection"
# https://pagure.io/389-ds-base/issue/49639
%global ds_version 1.4.0.8-1
%else
# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
# https://bugzilla.redhat.com/show_bug.cgi?id=1511462
# https://bugzilla.redhat.com/show_bug.cgi?id=1514033
%global ds_version 1.3.7.9-1
%endif
%endif
# Require Dogtag PKI 10.6.1 with Python 3 and SQL NSSDB fixes for external
# CA support, https://bugzilla.redhat.com/show_bug.cgi?id=1573094
%global pki_version 10.6.1
# NSS release with fix for CKA_LABEL import bug in shared SQL database.
# https://bugzilla.redhat.com/show_bug.cgi?id=1568271
%global nss_version 3.36.1-1.1
# Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes
%global pki_version 10.6.0-0.2
@ -94,13 +113,13 @@
%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa
%global VERSION 4.6.90.pre1
%global VERSION 4.6.90.pre2
%define _hardened_build 1
Name: freeipa
Version: %{VERSION}
Release: 7%{?dist}
Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@ -108,11 +127,6 @@ License: GPLv3+
URL: https://www.freeipa.org/
Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
Patch0001: 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
Patch0002: 0002-Update-template-directory-with-new-variables-when-up.patch
Patch0003: 0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch
Patch0004: 0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch
Patch0005: 0005-Fix-upgrade-when-named.conf-does-not-exist.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@ -143,18 +157,16 @@ BuildRequires: python2-setuptools
BuildRequires: python3-devel
BuildRequires: python3-setuptools
%endif # with_python3
# %{_unitdir}, %{_tmpfilesdir}
BuildRequires: systemd
# systemd-tmpfiles which is executed from make install requires apache user
BuildRequires: httpd
BuildRequires: nspr-devel
BuildRequires: nss-devel
BuildRequires: nss-devel >= %{nss_version}
BuildRequires: openssl-devel
BuildRequires: libini_config-devel
BuildRequires: cyrus-sasl-devel
%if ! %{ONLY_CLIENT}
# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005)
BuildRequires: 389-ds-base-devel >= 1.3.3.9
BuildRequires: 389-ds-base-devel >= %{ds_version}
BuildRequires: svrcore-devel
BuildRequires: samba-devel >= %{samba_build_version}
BuildRequires: libtalloc-devel
@ -225,7 +237,7 @@ BuildRequires: python2-dns >= 1.15
BuildRequires: jsl
BuildRequires: python2-yubico
# pki Python package
BuildRequires: pki-base-python2 >= %{pki_version}
BuildRequires: python2-pki >= %{pki_version}
BuildRequires: python2-pytest-multihost
BuildRequires: python2-pytest-sourceorder
# 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
@ -266,7 +278,7 @@ BuildRequires: python3-qrcode-core >= 5.0.0
BuildRequires: python3-dns >= 1.15
BuildRequires: python3-yubico
# pki Python package
BuildRequires: pki-base-python3 >= %{pki_version}
BuildRequires: python3-pki >= %{pki_version}
BuildRequires: python3-pytest-multihost
BuildRequires: python3-pytest-sourceorder
# 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
@ -324,18 +336,15 @@ Requires: python3-pyldap >= %{python3_ldap_version}
Requires: python2-ipaserver = %{version}-%{release}
Requires: python2-ldap >= %{python2_ldap_version}
%endif
# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
# https://bugzilla.redhat.com/show_bug.cgi?id=1511462
# https://bugzilla.redhat.com/show_bug.cgi?id=1514033
Requires: 389-ds-base >= 1.3.7.9-1
Requires: 389-ds-base >= %{ds_version}
Requires: openldap-clients > 2.4.35-4
Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0
Requires: nss >= %{nss_version}
Requires: nss-tools >= %{nss_version}
Requires(post): krb5-server >= %{krb5_version}
Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
Requires: krb5-pkinit-openssl >= %{krb5_version}
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: chrony
Requires: httpd >= 2.4.6-31
%if 0%{with_python3}
Requires(preun): python3
@ -371,10 +380,7 @@ Requires(postun): systemd-units
Requires: policycoreutils >= 2.1.12-5
Requires: tar
Requires(pre): certmonger >= 0.79.5-1
# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
# https://bugzilla.redhat.com/show_bug.cgi?id=1511462
# https://bugzilla.redhat.com/show_bug.cgi?id=1514033
Requires(pre): 389-ds-base >= 1.3.7.9-1
Requires(pre): 389-ds-base >= %{ds_version}
Requires: fontawesome-fonts
Requires: open-sans-fonts
Requires: openssl
@ -435,7 +441,7 @@ BuildRequires: dbus-python
Requires: python2-dns >= 1.15
Requires: python2-kdcproxy >= 0.3
Requires: rpm-libs
Requires: pki-base-python2 >= %{pki_version}
Requires: python2-pki >= %{pki_version}
Requires: python2-augeas
%description -n python2-ipaserver
@ -469,7 +475,7 @@ Requires: python3-dns >= 1.15
Requires: python3-kdcproxy >= 0.3
Requires: python3-augeas
Requires: rpm-libs
Requires: pki-base-python3 >= %{pki_version}
Requires: python3-pki >= %{pki_version}
%description -n python3-ipaserver
IPA is an integrated solution to provide centrally managed Identity (users,
@ -590,9 +596,9 @@ Requires: python2-sssdconfig
Requires: python2-sssdconfig
%endif
Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: chrony
Requires: krb5-workstation >= %{krb5_version}
Requires: authconfig
Requires: authselect >= 0.4-2
Requires: curl
# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
Requires: initscripts
@ -600,13 +606,14 @@ Requires: libcurl >= 7.21.7-2
Requires: xmlrpc-c >= 1.27.4
Requires: sssd >= 1.14.0
Requires: certmonger >= 0.79.5-1
Requires: nss-tools
Requires: nss-tools >= %{nss_version}
Requires: bind-utils
Requires: oddjob-mkhomedir
Requires: libsss_autofs
Requires: autofs
Requires: libnfsidmap
Requires: nfs-utils
Requires: sssd-tools
Requires(post): policycoreutils
Provides: %{alt_name}-client = %{version}
@ -642,6 +649,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: python2-ipalib = %{version}-%{release}
Requires: python2-dns >= 1.15
Requires: python2-jinja2
Requires: python2-augeas
%description -n python2-ipaclient
IPA is an integrated solution to provide centrally managed Identity (users,
@ -665,6 +673,7 @@ Requires: %{name}-common = %{version}-%{release}
Requires: python3-ipalib = %{version}-%{release}
Requires: python3-dns >= 1.15
Requires: python3-jinja2
Requires: python3-augeas
%description -n python3-ipaclient
IPA is an integrated solution to provide centrally managed Identity (users,
@ -878,6 +887,11 @@ Requires: ldns-utils
Requires: python2-cryptography >= 1.6
Requires: iptables
Requires: python2-mock
%if 0%{?fedora} == 27
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1564527
# Tests are failing because ntpd restarts segfaults on some CPU archs.
Requires: glibc >= 2.26-24
%endif
Provides: %{alt_name}-tests = %{version}
Conflicts: %{alt_name}-tests
@ -911,6 +925,11 @@ Requires: ldns-utils
Requires: python3-sssdconfig
Requires: python3-cryptography >= 1.6
Requires: iptables
%if 0%{?fedora} == 27
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1564527
# Tests are failing because ntpd restarts segfaults on some CPU archs.
Requires: glibc >= 2.26-24
%endif
%description -n python3-ipatests
IPA is an integrated solution to provide centrally managed Identity (users,
@ -1178,6 +1197,8 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
# END
fi
%pre server-common
# create users and groups
# create kdcproxy group and user
getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
@ -1256,15 +1277,6 @@ if [ $1 -gt 1 ] ; then
fi
fi
if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
/bin/systemctl condrestart ntpd.service 2>&1 || :
fi
fi
if [ $restore -ge 2 ]; then
%{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
fi
@ -1341,6 +1353,7 @@ fi
%{_libexecdir}/ipa/ipa-custodia
%{_libexecdir}/ipa/ipa-custodia-check
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
%{_libexecdir}/ipa/ipa-httpd-pwdreader
%{_libexecdir}/ipa/ipa-pki-retrieve-key
%{_libexecdir}/ipa/ipa-otpd
%dir %{_libexecdir}/ipa/oddjob
@ -1427,7 +1440,6 @@ fi
%attr(644,root,root) %{_unitdir}/ipa-custodia.service
%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
# END
%dir %{_usr}/share/ipa
%{_usr}/share/ipa/wsgi.py*
%{_usr}/share/ipa/kdcproxy.wsgi
%{_usr}/share/ipa/*.ldif
@ -1492,6 +1504,8 @@ fi
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
%ghost %{_localstatedir}/named/dyndb-ldap/ipa
%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
@ -1632,6 +1646,7 @@ fi
%dir %{_localstatedir}/lib/ipa-client/pki
%dir %{_localstatedir}/lib/ipa-client/sysrestore
%{_mandir}/man5/default.conf.5*
%{_usr}/share/ipa/freeipa.template
%files python-compat
@ -1664,6 +1679,7 @@ fi
%defattr(-,root,root,-)
%doc README.md Contributors.txt
%license COPYING
%dir %{_usr}/share/ipa
%if 0%{?with_python3}
@ -1726,6 +1742,9 @@ fi
%endif # with_ipatests
%changelog
* Tue May 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-1
- Update to upstream 4.6.90.pre2
* Wed May 02 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-7
- Fix upgrade when named.conf does not exist
- Resolves rhbz#1573671

4
sources
View File

@ -1,2 +1,2 @@
SHA512 (freeipa-4.6.90.pre1.tar.gz) = c513923f69145f86edac3168a5b2f7f78823ca64853d8a3df422ea05d3d8f7572e1708fcb8226b9540b8acda73694227b5e555f2cfc144cb4f4237b79cf8d012
SHA512 (freeipa-4.6.90.pre1.tar.gz.asc) = d76ae8f43ae2203607bbe506cf749e63f89aba94c750549c3a0a23894844babd19ca68bffc51f30446e172eae07632e33e81719117cad43e54d5c51c19bd3946
SHA512 (freeipa-4.6.90.pre2.tar.gz) = 3ee250fa4b0bfc3db5890c93563f993ed623de20ad9b32fd1498ca74c328c6da29fa5893f9b44ea65b5c3aa08a18461363b5c04ffda0d1cada8ea69d6f664b3b
SHA512 (freeipa-4.6.90.pre2.tar.gz.asc) = 9e96906f6e9d5a30cb2a5fec88e5e6b8e597c2506fa3cfb9afdd21bc545fb08c1be728e659a77bc19960d335023d7923718208ecf5f3348001be30cbaed1ff8c