Update to upstream 4.6.90.pre2

Resolves: #1562606

.gitignore

@@ -64,3 +64,5 @@
 /freeipa-4.6.90.pre1-1.fc29.src.rpm
 /freeipa-4.6.90.pre1.tar.gz
 /freeipa-4.6.90.pre1.tar.gz.asc
+/freeipa-4.6.90.pre2.tar.gz
+/freeipa-4.6.90.pre2.tar.gz.asc

0001-Processing-of-server-roles-should-ignore-errors.Empt.patch

@@ -1,53 +0,0 @@
-From e161bce61819fbc8fd1b2a0bdfb01ecf9947b733 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Mon, 19 Mar 2018 21:48:04 +0200
-Subject: [PATCH 1/2] Processing of server roles should ignore
- errors.EmptyResult
-
-When non-admin user issues a command that utilizes
-api.Object.config.show_servroles_attributes(), some server roles might
-return errors.EmptyResult, indicating that a role is not visible to this
-identity.
-
-Most of the callers to api.Object.config.show_servroles_attributes() do
-not process errors.EmptyResult so it goes up to an API caller. In case
-of Web UI it breaks retrieval of the initial configuration due to ipa
-config-show failing completely rather than avoiding to show available
-server roles.
-
-Fixes: https://pagure.io/freeipa/issue/7452
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/plugins/config.py | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
-index 33ed38ba0..dd235a4e1 100644
---- a/ipaserver/plugins/config.py
-+++ b/ipaserver/plugins/config.py
-@@ -276,9 +276,20 @@ class config(LDAPObject):
-     def update_entry_with_role_config(self, role_name, entry_attrs):
-         backend = self.api.Backend.serverroles
- 
--        role_config = backend.config_retrieve(role_name)
-+        try:
-+            role_config = backend.config_retrieve(role_name)
-+        except errors.EmptyResult:
-+            # No role config means current user identity
-+            # has no rights to see it, return with no action
-+            return
-+
-         for key, value in role_config.items():
--            entry_attrs.update({key: value})
-+            try:
-+                entry_attrs.update({key: value})
-+            except errors.EmptyResult:
-+                # An update that doesn't change an entry is fine here
-+                # Just ignore and move to the next key pair
-+                pass
- 
- 
-     def show_servroles_attributes(self, entry_attrs, *roles, **options):
--- 
-2.14.3
-

0002-Update-template-directory-with-new-variables-when-up.patch

@@ -1,41 +0,0 @@
-From ae35587582f0e4ae1e9fac3270d2f6942f4f7a31 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 20 Mar 2018 09:35:51 +0200
-Subject: [PATCH 2/2] Update template directory with new variables when
- upgrading ipa.conf.template
-
-With e6c707b168067ebb3705c21efc377acd29b23fff we changed httpd
-configuration to use abstracted out variables in the template.
-However, during upgrade we haven't resolved these variables so an
-upgrade from pre-e6c707b168067ebb3705c21efc377acd29b23fff install will
-fail.
-
-Add all missing variables to the upgrade code.
-
-Fixes https://pagure.io/freeipa/issue/7454
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/install/server/upgrade.py | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index a38f4115c..5654cc32d 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -1617,7 +1617,12 @@ def upgrade_configuration():
-         AUTOREDIR='' if auto_redirect else '#',
-         CRL_PUBLISH_PATH=paths.PKI_CA_PUBLISH_DIR,
-         DOGTAG_PORT=8009,
--        CLONE='#'
-+        CLONE='#',
-+        WSGI_PREFIX_DIR=paths.WSGI_PREFIX_DIR,
-+        GSSAPI_SESSION_KEY=paths.GSSAPI_SESSION_KEY,
-+        FONTS_DIR=paths.FONTS_DIR,
-+        IPA_CCACHES=paths.IPA_CCACHES,
-+        IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET
-     )
- 
-     subject_base = find_subject_base()
--- 
-2.14.3
-

0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch

@@ -1,75 +0,0 @@
-From cd81ffbd7b9657e6715e3dc1b69bd9499036675b Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 21 Mar 2018 10:33:32 +0200
-Subject: [PATCH] upgrade: Run configuration upgrade under empty ccache
- collection
-
-Use temporary empty DIR-based ccache collection to prevent upgrade
-failures in case KCM: or KEYRING: ccache type is used by default in
-krb5.conf and is not available. We don't need any user credentials
-during upgrade procedure but kadmin.local would attempt to resolve
-default ccache and if that's not available, kadmin.local will fail.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1558818
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/install/server/upgrade.py | 29 ++++++++++++++++++++++++++++-
- 1 file changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index a38f4115c..4844350dc 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -11,6 +11,8 @@ import shutil
- import pwd
- import fileinput
- import sys
-+import tempfile
-+from contextlib import contextmanager
- from augeas import Augeas
- import dns.exception
- from ipalib import api, x509
-@@ -1926,6 +1928,30 @@ def upgrade_check(options):
-         logger.warning("Upgrade without version check may break your system")
- 
- 
-+@contextmanager
-+def empty_ccache():
-+    # Create temporary directory and use it as a DIR: ccache collection
-+    # instead of whatever is a default in /etc/krb5.conf
-+    #
-+    # In Fedora 28 KCM: became a default credentials cache collection
-+    # but if KCM daemon (part of SSSD) is not running, libkrb5 will fail
-+    # to initialize. This causes kadmin.local to fail.
-+    # Since we are in upgrade, we cannot kinit anyway (KDC is offline).
-+    # Bug https://bugzilla.redhat.com/show_bug.cgi?id=1558818
-+    kpath_dir = tempfile.mkdtemp(prefix="upgrade_ccaches", dir=paths.IPA_CCACHES)
-+    kpath = "DIR:{dir}s".format(dir=kpath_dir)
-+    old_path = os.getenv('KRB5CCNAME')
-+    try:
-+        os.environ['KRB5CCNAME'] = kpath
-+        yield
-+    finally:
-+        if old_path:
-+            os.environ['KRB5CCNAME'] = old_path
-+        for f in os.listdir(kpath_dir):
-+            os.remove(os.path.join(kpath_dir, f))
-+        os.rmdir(kpath_dir)
-+
-+
- def upgrade():
-     realm = api.env.realm
-     schema_files = [os.path.join(paths.USR_SHARE_IPA_DIR, f) for f
-@@ -1950,7 +1976,8 @@ def upgrade():
- 
-     print('Upgrading IPA services')
-     logger.info('Upgrading the configuration of the IPA services')
--    upgrade_configuration()
-+    with empty_ccache():
-+        upgrade_configuration()
-     logger.info('The IPA services were upgraded')
- 
-     # store new data version after upgrade
--- 
-2.14.3
-

0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch

@@ -1,49 +0,0 @@
-From 585250368a8841e69176006acb6876abc54843cb Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 20 Mar 2018 16:40:24 +0200
-Subject: [PATCH] use LDAP Whoami command when creating an OTP token
-
-ipa user-find --whoami is used by ipa otptoken-add to populate
-ipaTokenOwner and managedBy attributes. These attributes, in turn are
-checked by the self-service ACI which allows to create OTP tokens
-assigned to the creator.
-
-With 389-ds-base 1.4.0.6-2.fc28 in Fedora 28 beta there is a bug in
-searches with scope 'one' that result in ipa user-find --whoami
-returning 0 results.
-
-Because ipa user-find --whoami does not work, non-admin user cannot
-create a token. This is a regression that can be fixed by using LDAP
-Whoami command.
-
-Fixes: https://pagure.io/freeipa/issue/7456
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/plugins/otptoken.py | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
-index d94ae49ff..17b32094d 100644
---- a/ipaserver/plugins/otptoken.py
-+++ b/ipaserver/plugins/otptoken.py
-@@ -311,13 +311,12 @@ class otptoken_add(LDAPCreate):
-         # If owner was not specified, default to the person adding this token.
-         # If managedby was not specified, attempt a sensible default.
-         if 'ipatokenowner' not in entry_attrs or 'managedby' not in entry_attrs:
--            result = self.api.Command.user_find(
--                whoami=True, no_members=False)['result']
--            if result:
--                cur_uid = result[0]['uid'][0]
-+            cur_dn = DN(self.api.Backend.ldap2.conn.whoami_s()[4:])
-+            if cur_dn:
-+                cur_uid = cur_dn[0].value
-                 prev_uid = entry_attrs.setdefault('ipatokenowner', cur_uid)
-                 if cur_uid == prev_uid:
--                    entry_attrs.setdefault('managedby', result[0]['dn'])
-+                    entry_attrs.setdefault('managedby', cur_dn.ldap_text())
- 
-         # Resolve the owner's dn
-         _normalize_owner(self.api.Object.user, entry_attrs)
--- 
-2.14.3
-

0005-Fix-upgrade-when-named.conf-does-not-exist.patch

@@ -1,114 +0,0 @@
-commit 421fc376ccb8668c07692d3a3394a5869dc97296
-Author: Fraser Tweedale <ftweedal@redhat.com>
-Date:   Wed Mar 28 16:05:05 2018 +1100
-
-    Fix upgrade when named.conf does not exist
-    
-    Commit aee0d2180c7119bef30ab7cafea81dc3df1170b7 adds an upgrade step
-    that adds system crypto policy include to named.conf.  This step
-    omitted the named.conf existence check; upgrade fails when it does
-    not exist.  Add the existence check.
-    
-    Also update the test to add the IPA-related part of the named.conf
-    config, because the "existence check" actually does more than just
-    check that the file exists - it also check that it contains the IPA
-    bind-dyndb-ldap configuration section.
-    
-    Part of: https://pagure.io/freeipa/issue/4853
-    
-    Reviewed-By: Christian Heimes <cheimes@redhat.com>
-
-diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
-index 5cf537201..cd70cc983 100644
---- a/ipaserver/install/bindinstance.py
-+++ b/ipaserver/install/bindinstance.py
-@@ -93,6 +93,10 @@ def create_reverse():
- 
- 
- def named_conf_exists():
-+    """
-+    Checks that named.conf exists AND that it contains IPA-related config.
-+
-+    """
-     try:
-         with open(paths.NAMED_CONF, 'r') as named_fd:
-             lines = named_fd.readlines()
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index c192f4fff..07d783445 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -905,6 +905,10 @@ def named_add_server_id():
- def named_add_crypto_policy():
-     """Add crypto policy include
-     """
-+    if not bindinstance.named_conf_exists():
-+        logger.info('DNS is not configured')
-+        return False
-+
-     if sysupgrade.get_upgrade_state('named.conf', 'add_crypto_policy'):
-         # upgrade was done already
-         return False
-diff --git a/ipatests/test_ipaserver/test_install/test_bindinstance.py b/ipatests/test_ipaserver/test_install/test_bindinstance.py
-index 6b072ad8a..b88b93194 100644
---- a/ipatests/test_ipaserver/test_install/test_bindinstance.py
-+++ b/ipatests/test_ipaserver/test_install/test_bindinstance.py
-@@ -24,7 +24,6 @@ options {
- include "random/file";
- """
- 
--
- EXPECTED_CONFIG = """
- options {
- \tdnssec-enable yes;
-@@ -35,6 +34,12 @@ options {
- include "random/file";
- """
- 
-+# bindinstance.named_conf_exists() looks for a section like this
-+IPA_DYNDB_CONFIG = """
-+dyndb "ipa" "/usr/lib/bind/ldap.so" {
-+};
-+"""
-+
- POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
- 
- 
-@@ -53,14 +58,16 @@ def test_add_crypto_policy(m_set, m_get, namedconf):
-     m_get.return_value = False
-     with open(namedconf, 'w') as f:
-         f.write(TEST_CONFIG)
-+        f.write(IPA_DYNDB_CONFIG)
- 
--    named_add_crypto_policy()
-+    result = named_add_crypto_policy()
-+    assert result
-     m_get.assert_called_with('named.conf', 'add_crypto_policy')
-     m_set.assert_called_with('named.conf', 'add_crypto_policy', True)
- 
-     with open(namedconf) as f:
-         content = f.read()
--    assert content == EXPECTED_CONFIG
-+    assert content == ''.join([EXPECTED_CONFIG, IPA_DYNDB_CONFIG])
- 
-     m_get.reset_mock()
-     m_set.reset_mock()
-@@ -69,3 +76,19 @@ def test_add_crypto_policy(m_set, m_get, namedconf):
-     named_add_crypto_policy()
-     m_get.assert_called_with('named.conf', 'add_crypto_policy')
-     m_set.assert_not_called()
-+
-+
-+@patch('ipaserver.install.sysupgrade.get_upgrade_state')
-+@patch('ipaserver.install.sysupgrade.set_upgrade_state')
-+def test_add_crypto_policy_no_ipa(m_set, m_get, namedconf):
-+    # Test if the update step is skipped when named.conf doesn't contain
-+    # IPA related settings.
-+    m_get.return_value = False
-+    with open(namedconf, 'w') as f:
-+        f.write(TEST_CONFIG)
-+
-+    result = named_add_crypto_policy()
-+    assert not result
-+
-+    m_get.assert_not_called()
-+    m_set.assert_not_called()

freeipa.spec

@@ -59,6 +59,7 @@
 %global selinux_policy_version 3.12.1-153
 %global slapi_nis_version 0.56.0-4
 %global python2_ldap_version 2.4.15
+%global ds_version 1.3.7.9-1
 %else
 # 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
 %global krb5_version 1.15.1-7
@@ -83,8 +84,26 @@
 %global python3_ldap_version 2.4.35.1-2
 %endif
 
+%if 0%{?fedora} >= 28
+# Fix for "Crash when failing to read from SASL connection"
+# https://pagure.io/389-ds-base/issue/49639
+%global ds_version 1.4.0.8-1
+%else
+# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
+#            https://bugzilla.redhat.com/show_bug.cgi?id=1511462
+#            https://bugzilla.redhat.com/show_bug.cgi?id=1514033
+%global ds_version 1.3.7.9-1
 %endif
 
+%endif
+
+# Require Dogtag PKI 10.6.1 with Python 3 and SQL NSSDB fixes for external
+# CA support, https://bugzilla.redhat.com/show_bug.cgi?id=1573094
+%global pki_version 10.6.1
+
+# NSS release with fix for CKA_LABEL import bug in shared SQL database.
+# https://bugzilla.redhat.com/show_bug.cgi?id=1568271
+%global nss_version 3.36.1-1.1
 # Require Dogtag PKI 10.6.0 with Python 3 and SQL NSSDB fixes
 %global pki_version 10.6.0-0.2
 
@@ -94,13 +113,13 @@
 %global etc_systemd_dir %{_sysconfdir}/systemd/system
 %global gettext_domain ipa
 
-%global VERSION 4.6.90.pre1
+%global VERSION 4.6.90.pre2
 
 %define _hardened_build 1
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        7%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -108,11 +127,6 @@ License:        GPLv3+
 URL:            https://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz
 Source1:        https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.asc
-Patch0001:      0001-Processing-of-server-roles-should-ignore-errors.Empt.patch
-Patch0002:      0002-Update-template-directory-with-new-variables-when-up.patch
-Patch0003:      0003-upgrade-Run-configuration-upgrade-under-empty-ccache.patch
-Patch0004:      0004-use-LDAP-Whoami-command-when-creating-an-OTP-token.patch  
-Patch0005:      0005-Fix-upgrade-when-named.conf-does-not-exist.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
@@ -143,18 +157,16 @@ BuildRequires:  python2-setuptools
 BuildRequires:  python3-devel
 BuildRequires:  python3-setuptools
 %endif # with_python3
-# %{_unitdir}, %{_tmpfilesdir}
 BuildRequires:  systemd
 # systemd-tmpfiles which is executed from make install requires apache user
 BuildRequires:  httpd
 BuildRequires:  nspr-devel
-BuildRequires:  nss-devel
+BuildRequires:  nss-devel >= %{nss_version}
 BuildRequires:  openssl-devel
 BuildRequires:  libini_config-devel
 BuildRequires:  cyrus-sasl-devel
 %if ! %{ONLY_CLIENT}
-# 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005)
+BuildRequires:  389-ds-base-devel >= %{ds_version}
-BuildRequires:  389-ds-base-devel >= 1.3.3.9
 BuildRequires:  svrcore-devel
 BuildRequires:  samba-devel >= %{samba_build_version}
 BuildRequires:  libtalloc-devel
@@ -225,7 +237,7 @@ BuildRequires:  python2-dns >= 1.15
 BuildRequires:  jsl
 BuildRequires:  python2-yubico
 # pki Python package
-BuildRequires:  pki-base-python2 >= %{pki_version}
+BuildRequires:  python2-pki >= %{pki_version}
 BuildRequires:  python2-pytest-multihost
 BuildRequires:  python2-pytest-sourceorder
 # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
@@ -266,7 +278,7 @@ BuildRequires:  python3-qrcode-core >= 5.0.0
 BuildRequires:  python3-dns >= 1.15
 BuildRequires:  python3-yubico
 # pki Python package
-BuildRequires:  pki-base-python3 >= %{pki_version}
+BuildRequires:  python3-pki >= %{pki_version}
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
 # 0.4.2: Py3 fix https://bugzilla.redhat.com/show_bug.cgi?id=1476150
@@ -324,18 +336,15 @@ Requires: python3-pyldap >= %{python3_ldap_version}
 Requires: python2-ipaserver = %{version}-%{release}
 Requires: python2-ldap >= %{python2_ldap_version}
 %endif
-# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
+Requires: 389-ds-base >= %{ds_version}
-#            https://bugzilla.redhat.com/show_bug.cgi?id=1511462
-#            https://bugzilla.redhat.com/show_bug.cgi?id=1514033
-Requires: 389-ds-base >= 1.3.7.9-1
 Requires: openldap-clients > 2.4.35-4
-Requires: nss >= 3.14.3-12.0
+Requires: nss >= %{nss_version}
-Requires: nss-tools >= 3.14.3-12.0
+Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
 Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
 Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
-Requires: ntp
+Requires: chrony
 Requires: httpd >= 2.4.6-31
 %if 0%{with_python3}
 Requires(preun): python3
@@ -371,10 +380,7 @@ Requires(postun): systemd-units
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.79.5-1
-# 1.3.7.9-1: https://bugzilla.redhat.com/show_bug.cgi?id=1459946
+Requires(pre): 389-ds-base >= %{ds_version}
-#            https://bugzilla.redhat.com/show_bug.cgi?id=1511462
-#            https://bugzilla.redhat.com/show_bug.cgi?id=1514033
-Requires(pre): 389-ds-base >= 1.3.7.9-1
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
@@ -435,7 +441,7 @@ BuildRequires:  dbus-python
 Requires: python2-dns >= 1.15
 Requires: python2-kdcproxy >= 0.3
 Requires: rpm-libs
-Requires: pki-base-python2 >= %{pki_version}
+Requires: python2-pki >= %{pki_version}
 Requires: python2-augeas
 
 %description -n python2-ipaserver
@@ -469,7 +475,7 @@ Requires: python3-dns >= 1.15
 Requires: python3-kdcproxy >= 0.3
 Requires: python3-augeas
 Requires: rpm-libs
-Requires: pki-base-python3 >= %{pki_version}
+Requires: python3-pki >= %{pki_version}
 
 %description -n python3-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -590,9 +596,9 @@ Requires: python2-sssdconfig
 Requires: python2-sssdconfig
 %endif
 Requires: cyrus-sasl-gssapi%{?_isa}
-Requires: ntp
+Requires: chrony
 Requires: krb5-workstation >= %{krb5_version}
-Requires: authconfig
+Requires: authselect >= 0.4-2
 Requires: curl
 # NIS domain name config: /usr/lib/systemd/system/*-domainname.service
 Requires: initscripts
@@ -600,13 +606,14 @@ Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
 Requires: sssd >= 1.14.0
 Requires: certmonger >= 0.79.5-1
-Requires: nss-tools
+Requires: nss-tools >= %{nss_version}
 Requires: bind-utils
 Requires: oddjob-mkhomedir
 Requires: libsss_autofs
 Requires: autofs
 Requires: libnfsidmap
 Requires: nfs-utils
+Requires: sssd-tools
 Requires(post): policycoreutils
 
 Provides: %{alt_name}-client = %{version}
@@ -642,6 +649,7 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipalib = %{version}-%{release}
 Requires: python2-dns >= 1.15
 Requires: python2-jinja2
+Requires: python2-augeas
 
 %description -n python2-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -665,6 +673,7 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-dns >= 1.15
 Requires: python3-jinja2
+Requires: python3-augeas
 
 %description -n python3-ipaclient
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -878,6 +887,11 @@ Requires: ldns-utils
 Requires: python2-cryptography >= 1.6
 Requires: iptables
 Requires: python2-mock
+%if 0%{?fedora} == 27
+# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1564527
+# Tests are failing because ntpd restarts segfaults on some CPU archs.
+Requires: glibc >= 2.26-24
+%endif
 
 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
@@ -911,6 +925,11 @@ Requires: ldns-utils
 Requires: python3-sssdconfig
 Requires: python3-cryptography >= 1.6
 Requires: iptables
+%if 0%{?fedora} == 27
+# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1564527
+# Tests are failing because ntpd restarts segfaults on some CPU archs.
+Requires: glibc >= 2.26-24
+%endif
 
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -1178,6 +1197,8 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
 # END
 fi
 
+
+%pre server-common
 # create users and groups
 # create kdcproxy group and user
 getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
@@ -1256,15 +1277,6 @@ if [ $1 -gt 1 ] ; then
         fi
     fi
 
-    if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
-        if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
-            sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
-            mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
-
-            /bin/systemctl condrestart ntpd.service 2>&1 || :
-        fi
-    fi
-
     if [ $restore -ge 2 ]; then
         %{python} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
     fi
@@ -1341,6 +1353,7 @@ fi
 %{_libexecdir}/ipa/ipa-custodia
 %{_libexecdir}/ipa/ipa-custodia-check
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%{_libexecdir}/ipa/ipa-httpd-pwdreader
 %{_libexecdir}/ipa/ipa-pki-retrieve-key
 %{_libexecdir}/ipa/ipa-otpd
 %dir %{_libexecdir}/ipa/oddjob
@@ -1427,7 +1440,6 @@ fi
 %attr(644,root,root) %{_unitdir}/ipa-custodia.service
 %ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
-%dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
 %{_usr}/share/ipa/kdcproxy.wsgi
 %{_usr}/share/ipa/*.ldif
@@ -1492,6 +1504,8 @@ fi
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private
+%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
 %ghost %{_localstatedir}/named/dyndb-ldap/ipa
 %dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
@@ -1632,6 +1646,7 @@ fi
 %dir %{_localstatedir}/lib/ipa-client/pki
 %dir %{_localstatedir}/lib/ipa-client/sysrestore
 %{_mandir}/man5/default.conf.5*
+%{_usr}/share/ipa/freeipa.template
 
 
 %files python-compat
@@ -1664,6 +1679,7 @@ fi
 %defattr(-,root,root,-)
 %doc README.md Contributors.txt
 %license COPYING
+%dir %{_usr}/share/ipa
 
 
 %if 0%{?with_python3}
@@ -1726,6 +1742,9 @@ fi
 %endif # with_ipatests
 
 %changelog
+* Tue May 15 2018 Rob Crittenden <rcritten@redhat.com> - 4.6.90.pre2-1
+- Update to upstream 4.6.90.pre2
+
 * Wed May 02 2018 Alexander Bokovoy <abokovoy@redhat.com> - 4.6.90.pre1-7
 - Fix upgrade when named.conf does not exist
 - Resolves rhbz#1573671

sources

@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.6.90.pre1.tar.gz) = c513923f69145f86edac3168a5b2f7f78823ca64853d8a3df422ea05d3d8f7572e1708fcb8226b9540b8acda73694227b5e555f2cfc144cb4f4237b79cf8d012
+SHA512 (freeipa-4.6.90.pre2.tar.gz) = 3ee250fa4b0bfc3db5890c93563f993ed623de20ad9b32fd1498ca74c328c6da29fa5893f9b44ea65b5c3aa08a18461363b5c04ffda0d1cada8ea69d6f664b3b
-SHA512 (freeipa-4.6.90.pre1.tar.gz.asc) = d76ae8f43ae2203607bbe506cf749e63f89aba94c750549c3a0a23894844babd19ca68bffc51f30446e172eae07632e33e81719117cad43e54d5c51c19bd3946
+SHA512 (freeipa-4.6.90.pre2.tar.gz.asc) = 9e96906f6e9d5a30cb2a5fec88e5e6b8e597c2506fa3cfb9afdd21bc545fb08c1be728e659a77bc19960d335023d7923718208ecf5f3348001be30cbaed1ff8c