From baaf4e605c6890e30fe3682d18ad4a334a9f98db Mon Sep 17 00:00:00 2001 From: Rob Crittenden Date: Tue, 15 May 2018 16:22:52 -0400 Subject: [PATCH] Update to upstream 4.6.90.pre2 Resolves: #1562606 --- .gitignore | 2 + ...rver-roles-should-ignore-errors.Empt.patch | 53 -------- ...directory-with-new-variables-when-up.patch | 41 ------- ...iguration-upgrade-under-empty-ccache.patch | 75 ------------ ...i-command-when-creating-an-OTP-token.patch | 49 -------- ...grade-when-named.conf-does-not-exist.patch | 114 ------------------ freeipa.spec | 97 +++++++++------ sources | 4 +- 8 files changed, 62 insertions(+), 373 deletions(-) delete mode 100644 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch delete mode 100644 0002-Update-template-directory-with-new-variables-when-up.patch delete mode 100644 0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch delete mode 100644 0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch delete mode 100644 0005-Fix-upgrade-when-named.conf-does-not-exist.patch diff --git a/.gitignore b/.gitignore index ae59ccc..b9e4043 100644 --- a/.gitignore +++ b/.gitignore @@ -64,3 +64,5 @@ /freeipa-4.6.90.pre1-1.fc29.src.rpm /freeipa-4.6.90.pre1.tar.gz /freeipa-4.6.90.pre1.tar.gz.asc +/freeipa-4.6.90.pre2.tar.gz +/freeipa-4.6.90.pre2.tar.gz.asc diff --git a/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch b/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch deleted file mode 100644 index 20f176e..0000000 --- a/0001-Processing-of-server-roles-should-ignore-errors.Empt.patch +++ /dev/null 
@@ -1,53 +0,0 @@ -From e161bce61819fbc8fd1b2a0bdfb01ecf9947b733 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Mon, 19 Mar 2018 21:48:04 +0200 -Subject: [PATCH 1/2] Processing of server roles should ignore - errors.EmptyResult - -When non-admin user issues a command that utilizes -api.Object.config.show_servroles_attributes(), some server roles might -return errors.EmptyResult, indicating that a role is not visible to this -identity. - -Most of the callers to api.Object.config.show_servroles_attributes() do -not process errors.EmptyResult so it goes up to an API caller. In case -of Web UI it breaks retrieval of the initial configuration due to ipa -config-show failing completely rather than avoiding to show available -server roles. - -Fixes: https://pagure.io/freeipa/issue/7452 -Signed-off-by: Alexander Bokovoy ---- - ipaserver/plugins/config.py | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py -index 33ed38ba0..dd235a4e1 100644 ---- a/ipaserver/plugins/config.py -+++ b/ipaserver/plugins/config.py -@@ -276,9 +276,20 @@ class config(LDAPObject): - def update_entry_with_role_config(self, role_name, entry_attrs): - backend = self.api.Backend.serverroles - -- role_config = backend.config_retrieve(role_name) -+ try: -+ role_config = backend.config_retrieve(role_name) -+ except errors.EmptyResult: -+ # No role config means current user identity -+ # has no rights to see it, return with no action -+ return -+ - for key, value in role_config.items(): -- entry_attrs.update({key: value}) -+ try: -+ entry_attrs.update({key: value}) -+ except errors.EmptyResult: -+ # An update that doesn't change an entry is fine here -+ # Just ignore and move to the next key pair -+ pass - - - def show_servroles_attributes(self, entry_attrs, *roles, **options): --- -2.14.3 - 
diff --git a/0002-Update-template-directory-with-new-variables-when-up.patch b/0002-Update-template-directory-with-new-variables-when-up.patch deleted file mode 100644 index 8026a76..0000000 --- a/0002-Update-template-directory-with-new-variables-when-up.patch +++ /dev/null @@ -1,41 +0,0 @@ -From ae35587582f0e4ae1e9fac3270d2f6942f4f7a31 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 20 Mar 2018 09:35:51 +0200 -Subject: [PATCH 2/2] Update template directory with new variables when - upgrading ipa.conf.template - -With e6c707b168067ebb3705c21efc377acd29b23fff we changed httpd -configuration to use abstracted out variables in the template. -However, during upgrade we haven't resolved these variables so an -upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will -fail. - -Add all missing variables to the upgrade code. - -Fixes https://pagure.io/freeipa/issue/7454 -Signed-off-by: Alexander Bokovoy ---- - ipaserver/install/server/upgrade.py | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index a38f4115c..5654cc32d 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -1617,7 +1617,12 @@ def upgrade_configuration(): - AUTOREDIR='' if auto_redirect else '#', - CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR, - DOGTAG_PORT=8009, -- CLONE='#' -+ CLONE='#', -+ WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR, -+ GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY, -+ FONTS_DIR=paths.FONTS_DIR, -+ IPA_CCACHES=paths.IPA_CCACHES, -+ IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET - ) - - subject_base = find_subject_base() --- -2.14.3 - diff --git a/0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch b/0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch deleted file mode 100644 index f38f289..0000000 --- a/0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch +++ /dev/null 
@@ -1,75 +0,0 @@ -From cd81ffbd7b9657e6715e3dc1b69bd9499036675b Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Wed, 21 Mar 2018 10:33:32 +0200 -Subject: [PATCH] upgrade: Run configuration upgrade under empty ccache - collection - -Use temporary empty DIR-based ccache collection to prevent upgrade -failures in case KCM: or KEYRING: ccache type is used by default in -krb5.conf and is not available. We don't need any user credentials -during upgrade procedure but kadmin.local would attempt to resolve -default ccache and if that's not available, kadmin.local will fail. - -Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818 -Signed-off-by: Alexander Bokovoy ---- - ipaserver/install/server/upgrade.py | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index a38f4115c..4844350dc 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -11,6 +11,8 @@ import shutil - import pwd - import fileinput - import sys -+import tempfile -+from contextlib import contextmanager - from augeas import Augeas - import dns.exception - from ipalib import api, x509 -@@ -1926,6 +1928,30 @@ def upgrade_check(options): - logger.warning("Upgrade without version check may break your system") - - -+@contextmanager -+def empty_ccache(): -+ # Create temporary directory and use it as a DIR: ccache collection -+ # instead of whatever is a default in /etc/krb5.conf -+ # -+ # In Fedora 28 KCM: became a default credentials cache collection -+ # but if KCM daemon (part of SSSD) is not running, libkrb5 will fail -+ # to initialize. This causes kadmin.local to fail. -+ # Since we are in upgrade, we cannot kinit anyway (KDC is offline). 
-+ # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818 -+ kpath_dir = tempfile.mkdtemp(prefix="upgrade_ccaches", dir=paths.IPA_CCACHES) -+ kpath = "DIR:{dir}s".format(dir=kpath_dir) -+ old_path = os.getenv('KRB5CCNAME') -+ try: -+ os.environ['KRB5CCNAME'] = kpath -+ yield -+ finally: -+ if old_path: -+ os.environ['KRB5CCNAME'] = old_path -+ for f in os.listdir(kpath_dir): -+ os.remove(os.path.join(kpath_dir, f)) -+ os.rmdir(kpath_dir) -+ -+ - def upgrade(): - realm = api.env.realm - schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f -@@ -1950,7 +1976,8 @@ def upgrade(): - - print('Upgrading IPA services') - logger.info('Upgrading the configuration of the IPA services') -- upgrade_configuration() -+ with empty_ccache(): -+ upgrade_configuration() - logger.info('The IPA services were upgraded') - - # store new data version after upgrade --- -2.14.3 - diff --git a/0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch b/0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch deleted file mode 100644 index 8fddf24..0000000 --- a/0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch +++ /dev/null 
@@ -1,49 +0,0 @@ -From 585250368a8841e69176006acb6876abc54843cb Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 20 Mar 2018 16:40:24 +0200 -Subject: [PATCH] use LDAP Whoami command when creating an OTP token - -ipa user-find --whoami is used by ipa otptoken-add to populate -ipaTokenOwner and managedBy attributes. These attributes, in turn are -checked by the self-service ACI which allows to create OTP tokens -assigned to the creator. - -With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in -searches with scope 'one' that result in ipa user-find --whoami -returning 0 results. - -Because ipa user-find --whoami does not work, non-admin user cannot -create a token. This is a regression that can be fixed by using LDAP -Whoami command. - -Fixes: https://pagure.io/freeipa/issue/7456 -Signed-off-by: Alexander Bokovoy ---- - ipaserver/plugins/otptoken.py | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py -index d94ae49ff..17b32094d 100644 ---- a/ipaserver/plugins/otptoken.py -+++ b/ipaserver/plugins/otptoken.py -@@ -311,13 +311,12 @@ class otptoken_add(LDAPCreate): - # If owner was not specified, default to the person adding this token. - # If managedby was not specified, attempt a sensible default. - if 'ipatokenowner' not in entry_attrs or 'managedby' not in entry_attrs: -- result = self.api.Command.user_find( -- whoami=True, no_members=False)['result'] -- if result: -- cur_uid = result[0]['uid'][0] -+ cur_dn = DN(self.api.Backend.ldap2.conn.whoami_s()[4:]) -+ if cur_dn: -+ cur_uid = cur_dn[0].value - prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid) - if cur_uid == prev_uid: -- entry_attrs.setdefault('managedby', result[0]['dn']) -+ entry_attrs.setdefault('managedby', cur_dn.ldap_text()) - - # Resolve the owner's dn - _normalize_owner(self.api.Object.user, entry_attrs) --- -2.14.3 - 
diff --git a/0005-Fix-upgrade-when-named.conf-does-not-exist.patch b/0005-Fix-upgrade-when-named.conf-does-not-exist.patch deleted file mode 100644 index 5fb7ded..0000000 --- a/0005-Fix-upgrade-when-named.conf-does-not-exist.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -commit 421fc376ccb8668c07692d3a3394a5869dc97296 -Author: Fraser Tweedale -Date: Wed Mar 28 16:05:05 2018 +1100 - - Fix upgrade when named.conf does not exist - - Commit aee0d2180c7119bef30ab7cafea81dc3df1170b7 adds an upgrade step - that adds system crypto policy include to named.conf. This step - omitted the named.conf existence check; upgrade fails when it does - not exist. Add the existence check. - - Also update the test to add the IPA-related part of the named.conf - config, because the "existence check" actually does more than just - check that the file exists - it also check that it contains the IPA - bind-dyndb-ldap configuration section. - - Part of: https://pagure.io/freeipa/issue/4853 - - Reviewed-By: Christian Heimes - -diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py -index 5cf537201..cd70cc983 100644 ---- a/ipaserver/install/bindinstance.py -+++ b/ipaserver/install/bindinstance.py -@@ -93,6 +93,10 @@ def create_reverse(): - - - def named_conf_exists(): -+ """ -+ Checks that named.conf exists AND that it contains IPA-related config. 
-+ -+ """ - try: - with open(paths.NAMED_CONF, 'r') as named_fd: - lines = named_fd.readlines() -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index c192f4fff..07d783445 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -905,6 +905,10 @@ def named_add_server_id(): - def named_add_crypto_policy(): - """Add crypto policy include - """ -+ if not bindinstance.named_conf_exists(): -+ logger.info('DNS is not configured') -+ return False -+ - if sysupgrade.get_upgrade_state('named.conf', 'add_crypto_policy'): - # upgrade was done already - return False -diff --git a/ipatests/test_ipaserver/test_install/test_bindinstance.py b/ipatests/test_ipaserver/test_install/test_bindinstance.py -index 6b072ad8a..b88b93194 100644 ---- a/ipatests/test_ipaserver/test_install/test_bindinstance.py -+++ b/ipatests/test_ipaserver/test_install/test_bindinstance.py -@@ -24,7 +24,6 @@ options { - include "random/file"; - """ - -- - EXPECTED_CONFIG = """ - options { - \tdnssec-enable yes; -@@ -35,6 +34,12 @@ options { - include "random/file"; - """ - -+# bindinstance.named_conf_exists() looks for a section like this -+IPA_DYNDB_CONFIG = """ -+dyndb "ipa" "/usr/lib/bind/ldap.so" { -+}; -+""" -+ - POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config" - - -@@ -53,14 +58,16 @@ def test_add_crypto_policy(m_set, m_get, namedconf): - m_get.return_value = False - with open(namedconf, 'w') as f: - f.write(TEST_CONFIG) -+ f.write(IPA_DYNDB_CONFIG) - -- named_add_crypto_policy() -+ result = named_add_crypto_policy() -+ assert result - m_get.assert_called_with('named.conf', 'add_crypto_policy') - m_set.assert_called_with('named.conf', 'add_crypto_policy', True) - - with open(namedconf) as f: - content = f.read() -- assert content == EXPECTED_CONFIG -+ assert content == ''.join([EXPECTED_CONFIG, IPA_DYNDB_CONFIG]) - - m_get.reset_mock() - m_set.reset_mock() -@@ -69,3 +76,19 @@ def test_add_crypto_policy(m_set, 
m_get, namedconf): - named_add_crypto_policy() - m_get.assert_called_with('named.conf', 'add_crypto_policy') - m_set.assert_not_called() -+ -+ -+@patch('ipaserver.install.sysupgrade.get_upgrade_state') -+@patch('ipaserver.install.sysupgrade.set_upgrade_state') -+def test_add_crypto_policy_no_ipa(m_set, m_get, namedconf): -+ # Test if the update step is skipped when named.conf doesn't contain -+ # IPA related settings. -+ m_get.return_value = False -+ with open(namedconf, 'w') as f: -+ f.write(TEST_CONFIG) -+ -+ result = named_add_crypto_policy() -+ assert not result -+ -+ m_get.assert_not_called() -+ m_set.assert_not_called() diff --git a/freeipa.spec b/freeipa.spec index b29c02d..77a9e6e 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -59,6 +59,7 @@ %global selinux_policy_version 3.12.1-153 %global slapi_nis_version 0.56.0-4 %global python2_ldap_version 2.4.15 +%global ds_version 1.3.7.9-1 %else # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561) %global krb5_version 1.15.1-7 @@ -83,8 +84,26 @@ %global python3_ldap_version 2.4.35.1-2 %endif +%if 0%{?fedora} >= 28 +# Fix for "Crash when failing to read from SASL connection" +# https://pagure.io/389-ds-base/issue/49639 +%global ds_version 1.4.0.8-1 +%else +# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946 +# https://bugzilla.redhat.com/show_bug.cgi?id=1511462 +# https://bugzilla.redhat.com/show_bug.cgi?id=1514033 +%global ds_version 1.3.7.9-1 %endif +%endif + +# Require Dogtag PKI 10.6.1 with Python 3 and SQL NSSDB fixes for external +# CA support, https://bugzilla.redhat.com/show_bug.cgi?id=1573094 +%global pki_version 10.6.1 + +# NSS release with fix for CKA_LABEL import bug in shared SQL database. +# https://bugzilla.redhat.com/show_bug.cgi?id=1568271 +%global nss_version 3.36.1-1.1 # Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes %global pki_version 10.6.0-0.2 
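Review bot: The new `%global pki_version 10.6.1` in the `@@ -83,8 +84,26 @@` hunk of freeipa.spec is followed, as unchanged context, by the old comment `# Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes` and `%global pki_version 10.6.0-0.2`. A later `%global` replaces an earlier one, so every `>= %{pki_version}` further down would still expand to 10.6.0-0.2. The minimum version needed for the external-CA fix (bug 1573094) is then not enforced at build or install time. Dropping the stale comment and the `%global pki_version 10.6.0-0.2` line makes the new floor effective. The enclosing `%if`/`%else` block starts outside the hunk.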
@@ -94,13 +113,13 @@ %global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa -%global VERSION 4.6.90.pre1 +%global VERSION 4.6.90.pre2 %define _hardened_build 1 Name: freeipa Version: %{VERSION} -Release: 7%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -108,11 +127,6 @@ License: GPLv3+ URL: https://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc -Patch0001: 0001-Processing-of-server-roles-should-ignore-errors.Empt.patch -Patch0002: 0002-Update-template-directory-with-new-variables-when-up.patch -Patch0003: 0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch -Patch0004: 0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch -Patch0005: 0005-Fix-upgrade-when-named.conf-does-not-exist.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -143,18 +157,16 @@ BuildRequires: python2-setuptools BuildRequires: python3-devel BuildRequires: python3-setuptools %endif # with_python3 -# %{_unitdir}, %{_tmpfilesdir} BuildRequires: systemd # systemd-tmpfiles which is executed from make install requires apache user BuildRequires: httpd BuildRequires: nspr-devel -BuildRequires: nss-devel +BuildRequires: nss-devel >= %{nss_version} BuildRequires: openssl-devel BuildRequires: libini_config-devel BuildRequires: cyrus-sasl-devel %if ! %{ONLY_CLIENT} -# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005) -BuildRequires: 389-ds-base-devel >= 1.3.3.9 +BuildRequires: 389-ds-base-devel >= %{ds_version} BuildRequires: svrcore-devel BuildRequires: samba-devel >= %{samba_build_version} BuildRequires: libtalloc-devel 
@@ -225,7 +237,7 @@ BuildRequires: python2-dns >= 1.15 BuildRequires: jsl BuildRequires: python2-yubico # pki Python package -BuildRequires: pki-base-python2 >= %{pki_version} +BuildRequires: python2-pki >= %{pki_version} BuildRequires: python2-pytest-multihost BuildRequires: python2-pytest-sourceorder # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150 @@ -266,7 +278,7 @@ BuildRequires: python3-qrcode-core >= 5.0.0 BuildRequires: python3-dns >= 1.15 BuildRequires: python3-yubico # pki Python package -BuildRequires: pki-base-python3 >= %{pki_version} +BuildRequires: python3-pki >= %{pki_version} BuildRequires: python3-pytest-multihost BuildRequires: python3-pytest-sourceorder # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150 @@ -324,18 +336,15 @@ Requires: python3-pyldap >= %{python3_ldap_version} Requires: python2-ipaserver = %{version}-%{release} Requires: python2-ldap >= %{python2_ldap_version} %endif -# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946 -# https://bugzilla.redhat.com/show_bug.cgi?id=1511462 -# https://bugzilla.redhat.com/show_bug.cgi?id=1514033 -Requires: 389-ds-base >= 1.3.7.9-1 +Requires: 389-ds-base >= %{ds_version} Requires: openldap-clients > 2.4.35-4 -Requires: nss >= 3.14.3-12.0 -Requires: nss-tools >= 3.14.3-12.0 +Requires: nss >= %{nss_version} +Requires: nss-tools >= %{nss_version} Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 Requires: krb5-pkinit-openssl >= %{krb5_version} Requires: cyrus-sasl-gssapi%{?_isa} -Requires: ntp +Requires: chrony Requires: httpd >= 2.4.6-31 %if 0%{with_python3} Requires(preun): python3 
@@ -371,10 +380,7 @@ Requires(postun): systemd-units Requires: policycoreutils >= 2.1.12-5 Requires: tar Requires(pre): certmonger >= 0.79.5-1 -# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946 -# https://bugzilla.redhat.com/show_bug.cgi?id=1511462 -# https://bugzilla.redhat.com/show_bug.cgi?id=1514033 -Requires(pre): 389-ds-base >= 1.3.7.9-1 +Requires(pre): 389-ds-base >= %{ds_version} Requires: fontawesome-fonts Requires: open-sans-fonts Requires: openssl @@ -435,7 +441,7 @@ BuildRequires: dbus-python Requires: python2-dns >= 1.15 Requires: python2-kdcproxy >= 0.3 Requires: rpm-libs -Requires: pki-base-python2 >= %{pki_version} +Requires: python2-pki >= %{pki_version} Requires: python2-augeas %description -n python2-ipaserver @@ -469,7 +475,7 @@ Requires: python3-dns >= 1.15 Requires: python3-kdcproxy >= 0.3 Requires: python3-augeas Requires: rpm-libs -Requires: pki-base-python3 >= %{pki_version} +Requires: python3-pki >= %{pki_version} %description -n python3-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -590,9 +596,9 @@ Requires: python2-sssdconfig Requires: python2-sssdconfig %endif Requires: cyrus-sasl-gssapi%{?_isa} -Requires: ntp +Requires: chrony Requires: krb5-workstation >= %{krb5_version} -Requires: authconfig +Requires: authselect >= 0.4-2 Requires: curl # NIS domain name config: /usr/lib/systemd/system/*-domainname.service Requires: initscripts @@ -600,13 +606,14 @@ Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 Requires: sssd >= 1.14.0 Requires: certmonger >= 0.79.5-1 -Requires: nss-tools +Requires: nss-tools >= %{nss_version} Requires: bind-utils Requires: oddjob-mkhomedir Requires: libsss_autofs Requires: autofs Requires: libnfsidmap Requires: nfs-utils +Requires: sssd-tools Requires(post): policycoreutils Provides: %{alt_name}-client = %{version} 
@@ -642,6 +649,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} Requires: python2-dns >= 1.15 Requires: python2-jinja2 +Requires: python2-augeas %description -n python2-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -665,6 +673,7 @@ Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Requires: python3-dns >= 1.15 Requires: python3-jinja2 +Requires: python3-augeas %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, @@ -878,6 +887,11 @@ Requires: ldns-utils Requires: python2-cryptography >= 1.6 Requires: iptables Requires: python2-mock +%if 0%{?fedora} == 27 +# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1564527 +# Tests are failing because ntpd restarts segfaults on some CPU archs. +Requires: glibc >= 2.26-24 +%endif Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -911,6 +925,11 @@ Requires: ldns-utils Requires: python3-sssdconfig Requires: python3-cryptography >= 1.6 Requires: iptables +%if 0%{?fedora} == 27 +# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1564527 +# Tests are failing because ntpd restarts segfaults on some CPU archs. +Requires: glibc >= 2.26-24 +%endif %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, @@ -1178,6 +1197,8 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then # END fi + +%pre server-common # create users and groups # create kdcproxy group and user getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy 
@@ -1256,15 +1277,6 @@ if [ $1 -gt 1 ] ; then fi fi - if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then - if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then - sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew - mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd - - /bin/systemctl condrestart ntpd.service 2>&1 || : - fi - fi - if [ $restore -ge 2 ]; then %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi @@ -1341,6 +1353,7 @@ fi %{_libexecdir}/ipa/ipa-custodia %{_libexecdir}/ipa/ipa-custodia-check %{_libexecdir}/ipa/ipa-httpd-kdcproxy +%{_libexecdir}/ipa/ipa-httpd-pwdreader %{_libexecdir}/ipa/ipa-pki-retrieve-key %{_libexecdir}/ipa/ipa-otpd %dir %{_libexecdir}/ipa/oddjob @@ -1427,7 +1440,6 @@ fi %attr(644,root,root) %{_unitdir}/ipa-custodia.service %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf # END -%dir %{_usr}/share/ipa %{_usr}/share/ipa/wsgi.py* %{_usr}/share/ipa/kdcproxy.wsgi %{_usr}/share/ipa/*.ldif @@ -1492,6 +1504,8 @@ fi %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds %ghost %{_localstatedir}/lib/ipa/pki-ca/publish %ghost %{_localstatedir}/named/dyndb-ldap/ipa %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia @@ -1632,6 +1646,7 @@ fi %dir %{_localstatedir}/lib/ipa-client/pki %dir %{_localstatedir}/lib/ipa-client/sysrestore %{_mandir}/man5/default.conf.5* +%{_usr}/share/ipa/freeipa.template %files python-compat @@ -1664,6 +1679,7 @@ fi %defattr(-,root,root,-) %doc README.md Contributors.txt %license COPYING +%dir %{_usr}/share/ipa %if 0%{?with_python3} 
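Review bot: The `@@ -1492,6 +1504,8 @@` hunk adds `%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private` and the matching `.../lib/ipa/passwds` entry with no comment saying what they hold, and the earlier `@@ -1341,6 +1353,7 @@` hunk ships `%{_libexecdir}/ipa/ipa-httpd-pwdreader` with default attributes. Presumably these directories hold the web server's private key and the passphrase files that helper reads. If so, a comment such as `# httpd private keys and key passphrases: keep root-only (0700)` above the two entries would stop a later edit from relaxing the mode. Only the directories are owned by the package here, so the modes of the files created inside them depend on installer code that this diff does not show and should be checked there.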
@@ -1726,6 +1742,9 @@ fi %endif # with_ipatests %changelog +* Tue May 15 2018 Rob Crittenden - 4.6.90.pre2-1 +- Update to upstream 4.6.90.pre2 + * Wed May 02 2018 Alexander Bokovoy - 4.6.90.pre1-7 - Fix upgrade when named.conf does not exist - Resolves rhbz#1573671 diff --git a/sources b/sources index cd91110..6ee62d5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -SHA512 (freeipa-4.6.90.pre1.tar.gz) = c513923f69145f86edac3168a5b2f7f78823ca64853d8a3df422ea05d3d8f7572e1708fcb8226b9540b8acda73694227b5e555f2cfc144cb4f4237b79cf8d012 -SHA512 (freeipa-4.6.90.pre1.tar.gz.asc) = d76ae8f43ae2203607bbe506cf749e63f89aba94c750549c3a0a23894844babd19ca68bffc51f30446e172eae07632e33e81719117cad43e54d5c51c19bd3946 +SHA512 (freeipa-4.6.90.pre2.tar.gz) = 3ee250fa4b0bfc3db5890c93563f993ed623de20ad9b32fd1498ca74c328c6da29fa5893f9b44ea65b5c3aa08a18461363b5c04ffda0d1cada8ea69d6f664b3b +SHA512 (freeipa-4.6.90.pre2.tar.gz.asc) = 9e96906f6e9d5a30cb2a5fec88e5e6b8e597c2506fa3cfb9afdd21bc545fb08c1be728e659a77bc19960d335023d7923718208ecf5f3348001be30cbaed1ff8c