From c5446247742b207b3b598208777890120c358882 Mon Sep 17 00:00:00 2001 
From: eabdullin
Date: Wed, 20 Nov 2024 13:20:07 +0000
Subject: [PATCH] import RHEL 10 Beta ipa-4.12.2-1.1.el10
---
 .gitignore | 2 +-
 .ipa.metadata | 1 -
 0002-freeipa-disable-nis.patch | 900 +++
 ...nding-to-IPA-and-Identity-Management.patch | 0
 ...mba-exception-type-change_rhel#17623.patch | 73 -
 ...-HTTP-Referer-header-on-all-requests.patch | 121 -
 ...s-for-verifying-Referer-header-in-th.patch | 359 --
 ...-Detect-and-block-Bronze-Bit-attacks.patch | 265 -
 ...y-for-ca-less-deployments_rhel#22283.patch | 212 -
 ...ge-Host-Keytab-permission_rhel#22286.patch | 97 -
 ...defaults-are-set-properly_rhel#21938.patch | 32 -
 ...ogbuffering-is-set-to-off_rhel#19672.patch | 175 -
 ...ical-principal-is-missing_rhel#23630.patch | 45 -
 ...k-during-PAC-verification_rhel#22644.patch | 89 -
 ...Fix-session-cookie-access_rhel#23622.patch | 238 -
 ...ed-users-in-sidgen-plugin_rhel#23626.patch | 109 -
 ...heck-if-PAC-not-available_rhel#22313.patch | 310 -
 ...-otp-auth-type-are-enabled_rhel#4874.patch | 272 -
 ...ing-or-returning-messages_rhel#12780.patch | 139 -
 ...r-replica-update-in-test_dns_locatio.patch | 43 -
 ...17-ipa-kdb-Rework-ipadb_reinit_mspac.patch | 707 ---
 ...it_for_replication-method_rhel#25708.patch | 34 -
 ...d-support-for-RSA-OAEP-wrapping-algo.patch | 127 -
 ...ult-server-archival-retrieval-calls-.patch | 88 -
 ...-as-default-wrapping-algo-when-FIPS-.patch | 98 -
 ...ix-double-free-in-ipadb_reinit_mspac.patch | 29 -
 ...name-before-running-kinit_rhel#26153.patch | 392 --
 ...to-RSA-OAEP-wrapping-algo_rhel#28259.patch | 43 -
 ...ltering-out-realm-domains_rhel#28559.patch | 50 -
 .../0026-backport-test-fixes_rhel#29908.patch | 335 -
 ...-vulnerability-in-GCD-rules-handling.patch | 341 --
 ...combinatorial-logic-for-ticket-flags.patch | 615 --
 ...admin_user_to_be_disabled_rhel#34756.patch | 127 -
 ...e-key-file-in-binary-mode_rhel#39616.patch | 13 -
 ...tatus-task-execution-time_rhel#30280.patch | 114 -
 ...389ds-restart-is-required_rhel#28996.patch | 337 -
 ...-renewal-on-hidden-replica_rhel#4913.patch | 58 -
 ...ipa.spec-depend-on-bind-dnssec-utils.patch | 69 -
 ...-arrow-notation-due-to-uglify-js-lim.patch | 60 -
 ...er-Fix-use-of-nameservers-with-ports.patch | 120 -
 SOURCES/freeipa-4.9.13.tar.gz.asc | 16 -
 SPECS/ipa.spec | 5401 ----------------
 freeipa-4.12.2.tar.gz.asc | 16 +
 freeipa.spec | 3360 ++++++++++
 ...63D716D76AC080A4A33513F40800B6298EB963.asc | 272 +
 sources | 1 +
 46 files changed, 4550 insertions(+), 11755 deletions(-)
 delete mode 100644 .ipa.metadata
 create mode 100644 0002-freeipa-disable-nis.patch
 rename SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch => 1001-Change-branding-to-IPA-and-Identity-Management.patch (100%)
 delete mode 100644 SOURCES/0001-Handle-samba-exception-type-change_rhel#17623.patch
 delete mode 100644 SOURCES/0002-Check-the-HTTP-Referer-header-on-all-requests.patch
 delete mode 100644 SOURCES/0003-Integration-tests-for-verifying-Referer-header-in-th.patch
 delete mode 100644 SOURCES/0004-ipa-kdb-Detect-and-block-Bronze-Bit-attacks.patch
 delete mode 100644 SOURCES/0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch
 delete mode 100644 SOURCES/0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch
 delete mode 100644 SOURCES/0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch
 delete mode 100644 SOURCES/0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch
 delete mode 100644 SOURCES/0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch
 delete mode 100644 SOURCES/0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch
 delete mode 100644 SOURCES/0011-Fix-session-cookie-access_rhel#23622.patch
 delete mode 100644 SOURCES/0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch
 delete mode 100644 SOURCES/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch
 delete mode 100644 SOURCES/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch
 delete mode 100644 SOURCES/0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch
 delete mode 100644 SOURCES/0016-ipatests-wait-for-replica-update-in-test_dns_locatio.patch
 delete mode 100644 SOURCES/0017-ipa-kdb-Rework-ipadb_reinit_mspac.patch
 delete mode 100644 SOURCES/0018-ipatests-fix-tasks-wait_for_replication-method_rhel#25708.patch
 delete mode 100644 SOURCES/0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
 delete mode 100644 SOURCES/0020-Vault-improve-vault-server-archival-retrieval-calls-.patch
 delete mode 100644 SOURCES/0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch
 delete mode 100644 SOURCES/0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
 delete mode 100644 SOURCES/0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch
 delete mode 100644 SOURCES/0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch
 delete mode 100644 SOURCES/0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch
 delete mode 100644 SOURCES/0026-backport-test-fixes_rhel#29908.patch
 delete mode 100644 SOURCES/0027-kdb-fix-vulnerability-in-GCD-rules-handling.patch
 delete mode 100644 SOURCES/0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch
 delete mode 100644 SOURCES/0029-Allow_the_admin_user_to_be_disabled_rhel#34756.patch
 delete mode 100644 SOURCES/0030-ipa-otptoken-import-open-the-key-file-in-binary-mode_rhel#39616.patch
 delete mode 100644 SOURCES/0031-ipa-crlgen-manage-manage-the-cert-status-task-execution-time_rhel#30280.patch
 delete mode 100644 SOURCES/0032-idrange-add-add-a-warning-because-389ds-restart-is-required_rhel#28996.patch
 delete mode 100644 SOURCES/0033-PKINIT-certificate-fix-renewal-on-hidden-replica_rhel#4913.patch
 delete mode 100644 SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 delete mode 100644 SOURCES/1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
 delete mode 100644 SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch
 delete mode 100644 SOURCES/freeipa-4.9.13.tar.gz.asc
 delete mode 100644 SPECS/ipa.spec
 create mode 100644 freeipa-4.12.2.tar.gz.asc
 create mode 100644 freeipa.spec
 create mode 100644 gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc
 create mode 100644 sources
diff --git a/.gitignore b/.gitignore
index dbce2de..581bcd3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.13.tar.gz
+freeipa-4.12.2.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
deleted file mode 100644
index ee9bea0..0000000
--- a/.ipa.metadata
+++ /dev/null
@@ -1 +0,0 @@
-da1bb0220894d8dc06afb98dcf087fea38076a79 SOURCES/freeipa-4.9.13.tar.gz
diff --git a/0002-freeipa-disable-nis.patch b/0002-freeipa-disable-nis.patch
new file mode 100644
index 0000000..bd4e270
--- /dev/null
+++ b/0002-freeipa-disable-nis.patch
@@ -0,0 +1,900 @@
+From da1ec155fb5d5afc29b70ff4d68f0d774aa7f245 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Mon, 29 Apr 2024 10:10:08 +0300
+Subject: [PATCH] Remove NIS server support
+
+ RHEL 8.3+ already deprecated support for NIS protocol.
+ RHEL 9 does not ship NIS client side
+ RHEL 10 removes NIS server emulator support
+
+Remove NIS server integration from the migration and
+management tools.
+
+Fixes: https://pagure.io/freeipa/issue/9363
+
+Signed-off-by: Alexander Bokovoy
+---
+ freeipa.spec.in | 2 -
+ install/share/Makefile.am | 2 -
+ install/share/nis-update.uldif | 38 ----
+ install/share/nis.uldif | 96 ----------
+ install/tools/Makefile.am | 2 -
+ install/tools/ipa-compat-manage.in | 17 +-
+ install/tools/ipa-nis-manage.in | 205 ---------------------
+ install/tools/man/Makefile.am | 1 -
+ install/tools/man/ipa-nis-manage.1 | 51 -----
+ install/updates/10-enable-betxn.update | 3 -
+ install/updates/50-nis.update | 3 -
+ install/updates/Makefile.am | 1 -
+ ipaplatform/base/paths.py | 2 -
+ ipaserver/install/ipa_migrate.py | 27 +--
+ ipaserver/install/ipa_migrate_constants.py | 24 ---
+ ipaserver/install/plugins/update_nis.py | 92 ---------
+ ipatests/test_cmdline/test_cli.py | 1 -
+ ipatests/test_integration/test_commands.py | 87 ---------
+ 18 files changed, 16 insertions(+), 638 deletions(-)
+ delete mode 100644 install/share/nis-update.uldif
+ delete mode 100644 install/share/nis.uldif
+ delete mode 100644 install/tools/ipa-nis-manage.in
+ delete mode 100644 install/tools/man/ipa-nis-manage.1
+ delete mode 100644 install/updates/50-nis.update
+ delete mode 100644 ipaserver/install/plugins/update_nis.py
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index e370290bc..b5e33a6ac 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -1508,7 +1508,6 @@ fi
+ %{_sbindir}/ipa-ldap-updater
+ %{_sbindir}/ipa-otptoken-import
+ %{_sbindir}/ipa-compat-manage
+-%{_sbindir}/ipa-nis-manage
+ %{_sbindir}/ipa-managed-entries
+ %{_sbindir}/ipactl
+ %{_sbindir}/ipa-advise
+@@ -1583,7 +1582,6 @@ fi
+ %{_mandir}/man1/ipa-ca-install.1*
+ %{_mandir}/man1/ipa-kra-install.1*
+ %{_mandir}/man1/ipa-compat-manage.1*
+-%{_mandir}/man1/ipa-nis-manage.1*
+ %{_mandir}/man1/ipa-managed-entries.1*
+ %{_mandir}/man1/ipa-ldap-updater.1*
+ %{_mandir}/man8/ipactl.8*
+diff --git a/install/share/Makefile.am b/install/share/Makefile.am
+index 4029297b7..24664ca3b 100644
+--- a/install/share/Makefile.am
++++ b/install/share/Makefile.am
+@@ -67,8 +67,6 @@ dist_app_DATA = \
+ master-entry.ldif \
+ memberof-task.ldif \
+ memberof-conf.ldif \
+- nis.uldif \
+- nis-update.uldif \
+ opendnssec_conf.template \
+ opendnssec_kasp.template \
+ unique-attributes.ldif \
+diff --git a/install/share/nis-update.uldif b/install/share/nis-update.uldif
+deleted file mode 100644
+index e602c1de0..000000000
+--- a/install/share/nis-update.uldif
++++ /dev/null
+@@ -1,38 +0,0 @@
+-# Updates for NIS
+-
+-# Correct syntax error that caused users to not appear
+-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config
+-replace:nis-value-format: %merge("
","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})") +- +-# Correct syntax error that caused nested netgroups to not work +-# https://bugzilla.redhat.com/show_bug.cgi?id=788625 +-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +-replace:nis-value-format: %merge(" 
","%{memberNisNetgroup}","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})") +- +-# Make the padding an expression so usercat and 
hostcat always gets +-# evaluated when displaying entries. +-# https://bugzilla.redhat.com/show_bug.cgi?id=767372 +-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +-replace:nis-value-format: %merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"-\"),%{nisDomainName:-})")::%merge(" 
","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})") +- +-dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: ethers.byaddr +-default:nis-base: cn=computers, cn=accounts, $SUFFIX +-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6") +-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) 
(.*)","%1:%2:%3:%4:%5:%6 %7") +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: ethers.byname +-default:nis-base: cn=computers, cn=accounts, $SUFFIX +-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") +-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +-default:nis-secure: no +diff --git a/install/share/nis.uldif b/install/share/nis.uldif +deleted file mode 100644 +index 1735fb552..000000000 +--- a/install/share/nis.uldif ++++ /dev/null +@@ -1,96 +0,0 @@ +-dn: cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: nsSlapdPlugin +-default:objectclass: extensibleObject +-default:cn: NIS Server +-default:nsslapd-pluginpath: /usr/lib$LIBARCH/dirsrv/plugins/nisserver-plugin.so +-default:nsslapd-plugininitfunc: nis_plugin_init +-default:nsslapd-plugintype: object +-default:nsslapd-pluginbetxn: on +-default:nsslapd-pluginenabled: on +-default:nsslapd-pluginid: nis-server +-default:nsslapd-pluginversion: 0.10 +-default:nsslapd-pluginvendor: redhat.com +-default:nsslapd-plugindescription: NIS Server Plugin +-default:nis-tcp-wrappers-name: nis-server +- +-dn: nis-domain=$DOMAIN+nis-map=passwd.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: passwd.byname +-default:nis-base: cn=users, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=passwd.byuid, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: 
$DOMAIN +-default:nis-map: passwd.byuid +-default:nis-base: cn=users, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=group.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: group.byname +-default:nis-base: cn=groups, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=group.bygid, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: group.bygid +-default:nis-base: cn=groups, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=netid.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: netid.byname +-default:nis-base: cn=users, cn=accounts, $SUFFIX +-default:nis-secure: no +- +-# Note that the escapes in this entry can be quite confusing. The trick +-# is that each level of nesting requires (2^n) - 1 escapes. So the +-# first level is \", the second is \\\", the third is \\\\\\\", etc. +-# (1, 3, 7, 15, more than that and you'll go insane) +- +-# Note that this configuration mirrors the Schema Compat configuration for +-# triples. 
+-dn: nis-domain=$DOMAIN+nis-map=netgroup, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: netgroup +-default:nis-base: cn=ng, cn=alt, $SUFFIX +-default:nis-filter: (objectClass=ipanisNetgroup) +-default:nis-key-format: %{cn} +-default:nis-value-format:%merge(" ","%deref_f(\"member\",\"(objectclass=ipanisNetgroup)\",\"cn\")","(%link(\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%{externalHost}\\\\\\\",\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberHost\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"fqdn\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"hostCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\",\",\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"%collect(\\\\\\\"%deref(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\",\\\\\\\"%deref_r(\\\\\\\\\\\\\\\"memberUser\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"member\\\\\\\\\\\\\\\",\\\\\\\\\\\\\\\"uid\\\\\\\\\\\\\\\")\\\\\\\")\\\")\",\"%ifeq(\\\"userCategory\\\",\\\"all\\\",\\\"\\\",\\\"-\\\")\"),%{nisDomainName:-})") +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=ethers.byaddr, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: ethers.byaddr +-default:nis-base: cn=computers, cn=accounts, $SUFFIX +-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) 
(.*)","%1:%2:%3:%4:%5:%6") +-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +-default:nis-secure: no +- +-dn: nis-domain=$DOMAIN+nis-map=ethers.byname, cn=NIS Server, cn=plugins, cn=config +-default:objectclass: top +-default:objectclass: extensibleObject +-default:nis-domain: $DOMAIN +-default:nis-map: ethers.byname +-default:nis-base: cn=computers, cn=accounts, $SUFFIX +-default:nis-filter: (&(macAddress=*)(fqdn=*)(objectClass=ipaHost)) +-default:nis-keys-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%7") +-default:nis-values-format: %mregsub("%{macAddress} %{fqdn}","(..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..)[:\\\|-](..) (.*)","%1:%2:%3:%4:%5:%6 %7") +-default:nis-secure: no +- +diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am +index c454fad97..a5306ffe9 100644 +--- a/install/tools/Makefile.am ++++ b/install/tools/Makefile.am +@@ -19,7 +19,6 @@ dist_noinst_DATA = \ + ipa-server-upgrade.in \ + ipactl.in \ + ipa-compat-manage.in \ +- ipa-nis-manage.in \ + ipa-managed-entries.in \ + ipa-ldap-updater.in \ + ipa-otptoken-import.in \ +@@ -56,7 +55,6 @@ nodist_sbin_SCRIPTS = \ + ipa-server-upgrade \ + ipactl \ + ipa-compat-manage \ +- ipa-nis-manage \ + ipa-managed-entries \ + ipa-ldap-updater \ + ipa-otptoken-import \ +diff --git a/install/tools/ipa-compat-manage.in b/install/tools/ipa-compat-manage.in +index 459f39fc8..70dd7c451 100644 +--- a/install/tools/ipa-compat-manage.in ++++ b/install/tools/ipa-compat-manage.in +@@ -26,6 +26,7 @@ from ipaplatform.paths import paths + try: + from optparse import OptionParser # pylint: disable=deprecated-module + from ipapython import ipautil, config ++ from ipapython.ipaldap import realm_to_serverid + from ipaserver.install import installutils + from ipaserver.install.ldapupdate import LDAPUpdate + from ipalib import api, 
errors
+@@ -150,9 +151,19 @@ def main():
+ try:
+ entry = get_entry(nis_config_dn)
+ # We can't disable schema compat if the NIS plugin is enabled
+- if entry is not None and entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'on':
+- print("The NIS plugin is configured, cannot disable compatibility.", file=sys.stderr)
+- print("Run 'ipa-nis-manage disable' first.", file=sys.stderr)
++ if (
++ entry is not None
++ and entry.get("nsslapd-pluginenabled", [""])[0].lower() == "on"
++ ):
++ instance = realm_to_serverid(api.env.realm)
++ print(
++ "The NIS plugin is configured, cannot "
++ "disable compatibility.", file=sys.stderr,
++ )
++ print(
++ f"Run \"dsconf {instance} plugin set --enabled off "
++ "'NIS Server'\" first.", file=sys.stderr,
++ )
+ retval = 2
+ except errors.ExecutionError as lde:
+ print("An error occurred while talking to the server.")
+diff --git a/install/tools/ipa-nis-manage.in b/install/tools/ipa-nis-manage.in
+deleted file mode 100644
+index 6b156ce6a..000000000
+--- a/install/tools/ipa-nis-manage.in
++++ /dev/null
+@@ -1,205 +0,0 @@
+-#!/usr/bin/python3
+-# Authors: Rob Crittenden
+-# Authors: Simo Sorce
+-#
+-# Copyright (C) 2009 Red Hat
+-# see file 'COPYING' for use and warranty information
+-#
+-# This program is free software; you can redistribute it and/or modify
+-# it under the terms of the GNU General Public License as published by
+-# the Free Software Foundation, either version 3 of the License, or
+-# (at your option) any later version.
+-#
+-# This program is distributed in the hope that it will be useful,
+-# but WITHOUT ANY WARRANTY; without even the implied warranty of
+-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+-# GNU General Public License for more details.
+-#
+-# You should have received a copy of the GNU General Public License
+-# along with this program. If not, see .
+-#
+-
+-from __future__ import print_function
+-
+-import sys
+-import os
+-from ipaplatform.paths import paths
+-try:
+- from optparse import OptionParser # pylint: disable=deprecated-module
+- from ipapython import ipautil, config
+- from ipaserver.install import installutils
+- from ipaserver.install.ldapupdate import LDAPUpdate
+- from ipalib import api, errors
+- from ipapython.ipa_log_manager import standard_logging_setup
+- from ipapython.dn import DN
+- from ipaplatform import services
+-except ImportError as e:
+- print("""\
+-There was a problem importing one of the required Python modules. The
+-error was:
+-
+- %s
+-""" % e, file=sys.stderr)
+- sys.exit(1)
+-
+-nis_config_dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config'))
+-compat_dn = DN(('cn', 'Schema Compatibility'), ('cn', 'plugins'), ('cn', 'config'))
+-
+-def parse_options():
+- usage = "%prog [options] \n"
+- usage += "%prog [options]\n"
+- parser = OptionParser(usage=usage, formatter=config.IPAFormatter())
+-
+- parser.add_option("-d", "--debug", action="store_true", dest="debug",
+- help="Display debugging information about the update(s)")
+- parser.add_option("-y", dest="password",
+- help="File containing the Directory Manager password")
+-
+- config.add_standard_options(parser)
+- options, args = parser.parse_args()
+-
+- return options, args
+-
+-def get_dirman_password():
+- """Prompt the user for the Directory Manager password and verify its
+- correctness.
+- """
+- password = installutils.read_password("Directory Manager", confirm=False, validate=False, retry=False)
+-
+- return password
+-
+-def get_entry(dn):
+- """
+- Return the entry for the given DN. If the entry is not found return
+- None.
+- """
+- entry = None
+- try:
+- entry = api.Backend.ldap2.get_entry(dn)
+- except errors.NotFound:
+- pass
+- return entry
+-
+-def main():
+- retval = 0
+- files = [paths.NIS_ULDIF]
+- servicemsg = ""
+-
+- if os.getegid() != 0:
+- sys.exit('Must be root to use this tool.')
+-
+- installutils.check_server_configuration()
+-
+- options, args = parse_options()
+-
+- if len(args) != 1:
+- sys.exit("You must specify one action: enable | disable | status")
+- elif args[0] not in {"enable", "disable", "status"}:
+- sys.exit("Unrecognized action [" + args[0] + "]")
+-
+- standard_logging_setup(None, debug=options.debug)
+- dirman_password = ""
+- if options.password:
+- try:
+- pw = ipautil.template_file(options.password, [])
+- except IOError:
+- sys.exit("File \"%s\" not found or not readable" % options.password)
+- dirman_password = pw.strip()
+- else:
+- dirman_password = get_dirman_password()
+- if dirman_password is None:
+- sys.exit("Directory Manager password required")
+-
+- if not dirman_password:
+- sys.exit("No password supplied")
+-
+- api.bootstrap(
+- context='cli', confdir=paths.ETC_IPA,
+- debug=options.debug, in_server=True)
+- api.finalize()
+- api.Backend.ldap2.connect(bind_pw=dirman_password)
+-
+- if args[0] == "enable":
+- compat = get_entry(compat_dn)
+- if compat is None or compat.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
+- sys.exit("The compat plugin needs to be enabled: ipa-compat-manage enable")
+- entry = None
+- try:
+- entry = get_entry(nis_config_dn)
+- except errors.ExecutionError as lde:
+- print("An error occurred while talking to the server.")
+- print(lde)
+- retval = 1
+-
+- # Enable either the portmap or rpcbind service
+- portmap = services.knownservices.portmap
+- rpcbind = services.knownservices.rpcbind
+-
+- if portmap.is_installed():
+- portmap.enable()
+- servicemsg = portmap.service_name
+- elif rpcbind.is_installed():
+- rpcbind.enable()
+- servicemsg = rpcbind.service_name
+- else:
+- print("Unable to enable either %s or %s" % (portmap.service_name, rpcbind.service_name))
+- retval = 3
+-
+- # The cn=config entry for the plugin may already exist but it
+- # could be turned off, handle both cases.
+- if entry is None:
+- print("Enabling plugin")
+- ld = LDAPUpdate()
+- if ld.update(files) != True:
+- retval = 1
+- elif entry.get('nsslapd-pluginenabled', [''])[0].lower() == 'off':
+- print("Enabling plugin")
+- # Already configured, just enable the plugin
+- entry['nsslapd-pluginenabled'] = ['on']
+- api.Backend.ldap2.update_entry(entry)
+- else:
+- print("Plugin already Enabled")
+- retval = 2
+-
+- elif args[0] == "disable":
+- try:
+- entry = api.Backend.ldap2.get_entry(nis_config_dn, ['nsslapd-pluginenabled'])
+- entry['nsslapd-pluginenabled'] = ['off']
+- api.Backend.ldap2.update_entry(entry)
+- except (errors.NotFound, errors.EmptyModlist):
+- print("Plugin is already disabled")
+- retval = 2
+- except errors.LDAPError as lde:
+- print("An error occurred while talking to the server.")
+- print(lde)
+- retval = 1
+-
+- elif args[0] == "status":
+- nis_entry = get_entry(nis_config_dn)
+- enabled = (nis_entry and
+- nis_entry.get(
+- 'nsslapd-pluginenabled', '')[0].lower() == "on")
+- if enabled:
+- print("Plugin is enabled")
+- retval = 0
+- else:
+- print("Plugin is not enabled")
+- retval = 4
+-
+- else:
+- retval = 1
+-
+- if retval == 0:
+- if args[0] in {"enable", "disable"}:
+- print("This setting will not take effect until you restart "
+- "Directory Server.")
+-
+- if args[0] == "enable":
+- print("The %s service may need to be started." % servicemsg)
+-
+- api.Backend.ldap2.disconnect()
+-
+- return retval
+-
+-if __name__ == '__main__':
+- installutils.run_script(main, operation_name='ipa-nis-manage')
+diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
+index 34f359863..282407602 100644
+--- a/install/tools/man/Makefile.am
++++ b/install/tools/man/Makefile.am
+@@ -18,7 +18,6 @@ dist_man1_MANS = \
+ ipa-kra-install.1 \
+ ipa-ldap-updater.1 \
+ ipa-compat-manage.1 \
+- ipa-nis-manage.1 \
+ ipa-managed-entries.1 \
+ ipa-backup.1 \
+ ipa-restore.1 \
+diff --git a/install/tools/man/ipa-nis-manage.1 b/install/tools/man/ipa-nis-manage.1
+deleted file mode 100644
+index 1107b7790..000000000
+--- a/install/tools/man/ipa-nis-manage.1
++++ /dev/null
+@@ -1,51 +0,0 @@
+-.\" A man page for ipa-nis-manage
+-.\" Copyright (C) 2009 Red Hat, Inc.
+-.\"
+-.\" This program is free software; you can redistribute it and/or modify
+-.\" it under the terms of the GNU General Public License as published by
+-.\" the Free Software Foundation, either version 3 of the License, or
+-.\" (at your option) any later version.
+-.\"
+-.\" This program is distributed in the hope that it will be useful, but
+-.\" WITHOUT ANY WARRANTY; without even the implied warranty of
+-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+-.\" General Public License for more details.
+-.\"
+-.\" You should have received a copy of the GNU General Public License
+-.\" along with this program. If not, see .
+-.\"
+-.\" Author: Rob Crittenden
+-.\"
+-.TH "ipa-nis-manage" "1" "April 25 2016" "IPA" "IPA Manual Pages"
+-.SH "NAME"
+-ipa\-nis\-manage \- Enables or disables the NIS listener plugin
+-.SH "SYNOPSIS"
+-ipa\-nis\-manage [options]
+-.SH "DESCRIPTION"
+-Run the command with the \fBenable\fR option to enable the NIS plugin.
+-
+-Run the command with the \fBdisable\fR option to disable the NIS plugin.
+-
+-Run the command with the \fBstatus\fR option to read status of the NIS plugin. Return code 0 indicates enabled plugin, return code 4 indicates disabled plugin.
+-
+-In all cases the user will be prompted to provide the Directory Manager's password unless option \fB\-y\fR is used.
+-
+-Directory Server will need to be restarted after the NIS listener plugin has been enabled.
+-
+-.SH "OPTIONS"
+-.TP
+-\fB\-d\fR, \fB\-\-debug\fR
+-Enable debug logging when more verbose output is needed
+-.TP
+-\fB\-y\fR \fIfile\fR
+-File containing the Directory Manager password
+-.SH "EXIT STATUS"
+-0 if the command was successful
+-
+-1 if an error occurred
+-
+-2 if the plugin is already in the required status (enabled or disabled)
+-
+-3 if RPC services cannot be enabled.
+-
+-4 if status command detected plugin in disabled state.
+diff --git a/install/updates/10-enable-betxn.update b/install/updates/10-enable-betxn.update
+index 1f89341c7..9525292cb 100644
+--- a/install/updates/10-enable-betxn.update
++++ b/install/updates/10-enable-betxn.update
+@@ -44,6 +44,3 @@ only: nsslapd-pluginbetxn: on
+
+ dn: cn=Schema Compatibility, cn=plugins, cn=config
+ onlyifexist: nsslapd-pluginbetxn: on
+-
+-dn: cn=NIS Server, cn=plugins, cn=config
+-onlyifexist: nsslapd-pluginbetxn: on
+diff --git a/install/updates/50-nis.update b/install/updates/50-nis.update
+deleted file mode 100644
+index 05a166f00..000000000
+--- a/install/updates/50-nis.update
++++ /dev/null
+@@ -1,3 +0,0 @@
+-# Updates are applied only if NIS plugin has been configured
+-# update definitions are located in install/share/nis-update.uldif
+-plugin: update_nis_configuration
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index fd96831d8..cce2670a6 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -52,7 +52,6 @@ app_DATA = \
+ 50-groupuuid.update \
+ 50-hbacservice.update \
+ 50-krbenctypes.update \
+- 50-nis.update \
+ 50-ipaconfig.update \
+ 55-pbacmemberof.update \
+ 59-trusts-sysacount.update \
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index b339d2202..aed293845 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -295,8 +295,6 @@ class BasePathNamespace:
+ KRB_CON = "/usr/share/ipa/html/krb.con"
+ HTML_KRB5_INI = "/usr/share/ipa/html/krb5.ini"
+ HTML_KRBREALM_CON = "/usr/share/ipa/html/krbrealm.con"
+- NIS_ULDIF = "/usr/share/ipa/nis.uldif"
+- NIS_UPDATE_ULDIF = "/usr/share/ipa/nis-update.uldif"
+ SCHEMA_COMPAT_ULDIF = "/usr/share/ipa/updates/91-schema_compat.update"
+ SCHEMA_COMPAT_POST_ULDIF = "/usr/share/ipa/schema_compat_post.uldif"
+ IPA_JS_PLUGINS_DIR = "/usr/share/ipa/ui/js/plugins"
+diff --git a/ipaserver/install/ipa_migrate.py b/ipaserver/install/ipa_migrate.py
+index e21937401..a889143ec 100644
+--- a/ipaserver/install/ipa_migrate.py
++++ b/ipaserver/install/ipa_migrate.py
+@@ -31,7 +31,7 @@ from ipapython.ipa_log_manager import standard_logging_setup
+ from ipaserver.install.ipa_migrate_constants import (
+ DS_CONFIG, DB_OBJECTS, DS_INDEXES, BIND_DN, LOG_FILE_NAME,
+ STRIP_OP_ATTRS, STRIP_ATTRS, STRIP_OC, PROD_ATTRS,
+- DNA_REGEN_VAL, DNA_REGEN_ATTRS, NIS_PLUGIN, IGNORE_ATTRS,
++ DNA_REGEN_VAL, DNA_REGEN_ATTRS, IGNORE_ATTRS,
+ DB_EXCLUDE_TREES
+ )
+
+@@ -718,8 +718,7 @@ class IPAMigrate():
+ self.log_info(title)
+ self.log_info('-' * (len(title) - 1))
+ logged_something = self.log_stats(DS_CONFIG)
+- if self.args.verbose or NIS_PLUGIN['count'] > 0:
+- self.log_info(f" - NIS Server Plugin: {NIS_PLUGIN['count']}")
++ if self.args.verbose:
+ logged_something = True
+ if not self.log_stats(DS_INDEXES) and not logged_something:
+ self.log_info(" - No updates")
+@@ -1847,28 +1846,6 @@ class IPAMigrate():
+ add_missing=True)
+ stats['config_processed'] += 1
+
+- # Slapi NIS Plugin
+- if DN(NIS_PLUGIN['dn']) == DN(entry['dn']):
+- # Parent plugin entry
+- self.process_config_entry(
+- entry['dn'], entry['attrs'], NIS_PLUGIN,
+- add_missing=True)
+- stats['config_processed'] += 1
+- elif DN(NIS_PLUGIN['dn']) in DN(entry['dn']):
+- # Child
NIS plugin entry +- nis_dn = entry['dn'] +- lc_remote_realm = self.remote_realm.lower() +- lc_realm = self.realm.lower() +- nis_dn = nis_dn.replace(lc_remote_realm, lc_realm) +- if 'nis-domain' in entry['attrs']: +- value = entry['attrs']['nis-domain'][0] +- value = value.replace(lc_remote_realm, lc_realm) +- entry['attrs']['nis-domain'][0] = value +- # Process the entry +- self.process_config_entry(nis_dn, entry['attrs'], NIS_PLUGIN, +- add_missing=True) +- stats['config_processed'] += 1 +- + # + # Migration + # +diff --git a/ipaserver/install/ipa_migrate_constants.py b/ipaserver/install/ipa_migrate_constants.py +index 0e26c7549..e0e504741 100644 +--- a/ipaserver/install/ipa_migrate_constants.py ++++ b/ipaserver/install/ipa_migrate_constants.py +@@ -502,30 +502,6 @@ DS_CONFIG = { + }, + } + +-# +-# Slpai NIS is an optional plugin. It requires special handling +-# +-NIS_PLUGIN = { +- 'dn': 'cn=NIS Server,cn=plugins,cn=config', +- 'attrs': [ +- 'nis-domain', +- 'nis-base', +- 'nis-map', +- 'nis-filter', +- 'nis-key-format:', +- 'nis-values-format:', +- 'nis-secure', +- 'nis-disallowed-chars', +- # Parent plugin entry +- 'nsslapd-pluginarg0', +- 'nsslapd-pluginenabled' +- ], +- 'multivalued': [], +- 'label': 'NIS Server Plugin', +- 'mode': 'all', +- 'count': 0, +-} +- + # + # This mapping is simliar to above but it handles container entries + # This could be built into the above mapping using the "comma" approach +diff --git a/ipaserver/install/plugins/update_nis.py b/ipaserver/install/plugins/update_nis.py +deleted file mode 100644 +index c02eb5f83..000000000 +--- a/ipaserver/install/plugins/update_nis.py ++++ /dev/null +@@ -1,92 +0,0 @@ +-# +-# Copyright (C) 2015 FreeIPA Contributors see COPYING for license +-# +- +-from __future__ import absolute_import +- +-import logging +- +-from ipalib.plugable import Registry +-from ipalib import errors +-from ipalib import Updater +-from ipaplatform.paths import paths +-from ipapython.dn import DN +-from ipaserver.install 
import sysupgrade +-from ipaserver.install.ldapupdate import LDAPUpdate +- +-logger = logging.getLogger(__name__) +- +-register = Registry() +- +- +-@register() +-class update_nis_configuration(Updater): +- """Update NIS configuration +- +- NIS configuration can be updated only if NIS Server was configured via +- ipa-nis-manage command. +- """ +- +- def __recover_from_missing_maps(self, ldap): +- # https://fedorahosted.org/freeipa/ticket/5507 +- # if all following DNs are missing, but 'NIS Server' container exists +- # we are experiencig bug and maps should be fixed +- +- if sysupgrade.get_upgrade_state('nis', +- 'done_recover_from_missing_maps'): +- # this recover must be done only once, a user may deleted some +- # maps, we do not want to restore them again +- return +- +- logger.debug("Recovering from missing NIS maps bug") +- +- suffix = "cn=NIS Server,cn=plugins,cn=config" +- domain = self.api.env.domain +- missing_dn_list = [ +- DN(nis_map.format(domain=domain, suffix=suffix)) for nis_map in [ +- "nis-domain={domain}+nis-map=passwd.byname,{suffix}", +- "nis-domain={domain}+nis-map=passwd.byuid,{suffix}", +- "nis-domain={domain}+nis-map=group.byname,{suffix}", +- "nis-domain={domain}+nis-map=group.bygid,{suffix}", +- "nis-domain={domain}+nis-map=netid.byname,{suffix}", +- "nis-domain={domain}+nis-map=netgroup,{suffix}", +- ] +- ] +- +- for dn in missing_dn_list: +- try: +- ldap.get_entry(dn, attrs_list=['cn']) +- except errors.NotFound: +- pass +- else: +- # bug is not effective, at least one of 'possible missing' +- # maps was detected +- return +- +- sysupgrade.set_upgrade_state('nis', 'done_recover_from_missing_maps', +- True) +- +- # bug is effective run update to recreate missing maps +- ld = LDAPUpdate(api=self.api) +- ld.update([paths.NIS_ULDIF]) +- +- def execute(self, **options): +- ldap = self.api.Backend.ldap2 +- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) +- try: +- ldap.get_entry(dn, attrs_list=['cn']) +- except 
errors.NotFound: +- # NIS is not configured on system, do not execute update +- logger.debug("Skipping NIS update, NIS Server is not configured") +- +- # container does not exist, bug #5507 is not effective +- sysupgrade.set_upgrade_state( +- 'nis', 'done_recover_from_missing_maps', True) +- else: +- self.__recover_from_missing_maps(ldap) +- +- logger.debug("Executing NIS Server update") +- ld = LDAPUpdate(api=self.api) +- ld.update([paths.NIS_UPDATE_ULDIF]) +- +- return False, () +diff --git a/ipatests/test_cmdline/test_cli.py b/ipatests/test_cmdline/test_cli.py +index ae0d059ce..718798d68 100644 +--- a/ipatests/test_cmdline/test_cli.py ++++ b/ipatests/test_cmdline/test_cli.py +@@ -385,7 +385,6 @@ IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system' + '/usr/share/ipa/updates/05-pre_upgrade_plugins.update'], + 2, None, IPA_NOT_CONFIGURED), + (['ipa-managed-entries'], 2, None, IPA_NOT_CONFIGURED), +- (['ipa-nis-manage'], 2, None, IPA_NOT_CONFIGURED), + (['ipa-pkinit-manage'], 2, None, IPA_NOT_CONFIGURED), + (['ipa-replica-manage', 'list'], 1, IPA_NOT_CONFIGURED, None), + (['ipa-server-certinstall'], 2, None, IPA_NOT_CONFIGURED), +diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py +index fd34defe5..e00b0f3bb 100644 +--- a/ipatests/test_integration/test_commands.py ++++ b/ipatests/test_integration/test_commands.py +@@ -1269,93 +1269,6 @@ class TestIPACommand(IntegrationTest): + serverid = realm_to_serverid(self.master.domain.realm) + return ("dirsrv@%s.service" % serverid) + +- def test_ipa_nis_manage_enable(self): +- """ +- This testcase checks if ipa-nis-manage enable +- command enables plugin on an IPA master +- """ +- dirsrv_service = self.get_dirsrv_id() +- console_msg = ( +- "Enabling plugin\n" +- "This setting will not take effect until " +- "you restart Directory Server.\n" +- "The rpcbind service may need to be started" +- ) +- status_msg = "Plugin is enabled" +- 
tasks.kinit_admin(self.master) +- result = self.master.run_command( +- ["ipa-nis-manage", "enable"], +- stdin_text=self.master.config.admin_password, +- ) +- assert console_msg in result.stdout_text +- # verify using backend +- conn = self.master.ldap_connect() +- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) +- entry = conn.get_entry(dn) +- nispluginstring = entry.get('nsslapd-pluginEnabled') +- assert 'on' in nispluginstring +- # restart for changes to take effect +- self.master.run_command(["systemctl", "restart", dirsrv_service]) +- self.master.run_command(["systemctl", "restart", "rpcbind"]) +- time.sleep(DIRSRV_SLEEP) +- # check status msg on the console +- result = self.master.run_command( +- ["ipa-nis-manage", "status"], +- stdin_text=self.master.config.admin_password, +- ) +- assert status_msg in result.stdout_text +- +- def test_ipa_nis_manage_disable(self): +- """ +- This testcase checks if ipa-nis-manage disable +- command disable plugin on an IPA Master +- """ +- dirsrv_service = self.get_dirsrv_id() +- msg = ( +- "This setting will not take effect " +- "until you restart Directory Server." 
+- ) +- status_msg = "Plugin is not enabled" +- tasks.kinit_admin(self.master) +- result = self.master.run_command( +- ["ipa-nis-manage", "disable"], +- stdin_text=self.master.config.admin_password, +- ) +- assert msg in result.stdout_text +- # verify using backend +- conn = self.master.ldap_connect() +- dn = DN(('cn', 'NIS Server'), ('cn', 'plugins'), ('cn', 'config')) +- entry = conn.get_entry(dn) +- nispluginstring = entry.get('nsslapd-pluginEnabled') +- assert 'off' in nispluginstring +- # restart dirsrv for changes to take effect +- self.master.run_command(["systemctl", "restart", dirsrv_service]) +- time.sleep(DIRSRV_SLEEP) +- # check status msg on the console +- result = self.master.run_command( +- ["ipa-nis-manage", "status"], +- stdin_text=self.master.config.admin_password, +- raiseonerr=False, +- ) +- assert result.returncode == 4 +- assert status_msg in result.stdout_text +- +- def test_ipa_nis_manage_enable_incorrect_password(self): +- """ +- This testcase checks if ipa-nis-manage enable +- command throws error on console for invalid DS admin password +- """ +- msg1 = "Insufficient access: " +- msg2 = "Invalid credentials" +- result = self.master.run_command( +- ["ipa-nis-manage", "enable"], +- stdin_text='Invalid_pwd', +- raiseonerr=False, +- ) +- assert result.returncode == 1 +- assert msg1 in result.stderr_text +- assert msg2 in result.stderr_text +- + def test_pkispawn_log_is_present(self): + """ + This testcase checks if pkispawn logged properly. +-- +2.45.2 + + diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/1001-Change-branding-to-IPA-and-Identity-Management.patch similarity index 100% rename from SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch rename to 1001-Change-branding-to-IPA-and-Identity-Management.patch 
diff --git a/SOURCES/0001-Handle-samba-exception-type-change_rhel#17623.patch b/SOURCES/0001-Handle-samba-exception-type-change_rhel#17623.patch
deleted file mode 100644
index b36187f..0000000
--- a/SOURCES/0001-Handle-samba-exception-type-change_rhel#17623.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From 06b4c61b4484efe2093501caf21b03f1fc14093b Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 19 Oct 2023 12:47:03 +0200 -Subject: [PATCH] group-add-member fails with an external member - -The command ipa group-add-member --external aduser@addomain.test -fails with an internal error when used with samba 4.19. - -The command internally calls samba.security.dom_sid(sid) which -used to raise a TypeError but now raises a ValueError -(commit 9abdd67 on https://github.com/samba-team/samba). - -IPA source code needs to handle properly both exception types. - -Fixes: https://pagure.io/freeipa/issue/9466 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipaserver/dcerpc.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py -index c1db2f9a499..ee0a229d1f0 100644 ---- a/ipaserver/dcerpc.py -+++ b/ipaserver/dcerpc.py -@@ -303,7 +303,7 @@ def get_domain_by_sid(self, sid, exact_match=False): - # Parse sid string to see if it is really in a SID format - try: - test_sid = security.dom_sid(sid) -- except TypeError: -+ except (TypeError, ValueError): - raise errors.ValidationError(name='sid', - error=_('SID is not valid')) - -From aa3397378acf1a03fc8bbe34b9fae33e84588b34 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 20 Oct 2023 10:20:57 +0200 -Subject: [PATCH] Handle samba changes in samba.security.dom_sid() - -samba.security.dom_sid() in 4.19 now raises ValueError instead of -TypeError. Fix the expected exception. 
- -Related: https://pagure.io/freeipa/issue/9466 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy ---- - ipaserver/dcerpc.py | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py -index ee0a229d1f0..3e4c71d9976 100644 ---- a/ipaserver/dcerpc.py -+++ b/ipaserver/dcerpc.py -@@ -97,7 +97,7 @@ - def is_sid_valid(sid): - try: - security.dom_sid(sid) -- except TypeError: -+ except (TypeError, ValueError): - return False - else: - return True -@@ -457,7 +457,7 @@ def get_trusted_domain_object_sid(self, object_name, - try: - test_sid = security.dom_sid(sid) - return unicode(test_sid) -- except TypeError: -+ except (TypeError, ValueError): - raise errors.ValidationError(name=_('trusted domain object'), - error=_('Trusted domain did not ' - 'return a valid SID for ' diff --git a/SOURCES/0002-Check-the-HTTP-Referer-header-on-all-requests.patch b/SOURCES/0002-Check-the-HTTP-Referer-header-on-all-requests.patch deleted file mode 100644 index cf512eb..0000000 --- a/SOURCES/0002-Check-the-HTTP-Referer-header-on-all-requests.patch +++ /dev/null 
@@ -1,121 +0,0 @@ -From ae006b436cfb4ccee5972cf1db0a309fcd80e669 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Fri, 6 Oct 2023 20:16:29 +0000 -Subject: [PATCH] Check the HTTP Referer header on all requests - -The referer was only checked in WSGIExecutioner classes: - - - jsonserver - - KerberosWSGIExecutioner - - xmlserver - - jsonserver_kerb - -This left /i18n_messages, /session/login_kerberos, -/session/login_x509, /session/login_password, -/session/change_password and /session/sync_token unprotected -against CSRF attacks. - -CVE-2023-5455 - -Signed-off-by: Rob Crittenden ---- - ipaserver/rpcserver.py | 34 +++++++++++++++++++++++++++++++--- - 1 file changed, 31 insertions(+), 3 deletions(-) - -diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py -index 4e8a08b66..3555014ca 100644 ---- a/ipaserver/rpcserver.py -+++ b/ipaserver/rpcserver.py -@@ -156,6 +156,19 @@ _success_template = """ - """ - - class HTTP_Status(plugable.Plugin): -+ def check_referer(self, environ): -+ if "HTTP_REFERER" not in environ: -+ logger.error("Rejecting request with missing Referer") -+ return False -+ if (not environ["HTTP_REFERER"].startswith( -+ "https://%s/ipa" % self.api.env.host) -+ and not self.env.in_tree): -+ logger.error("Rejecting request with bad Referer %s", -+ environ["HTTP_REFERER"]) -+ return False -+ logger.debug("Valid Referer %s", environ["HTTP_REFERER"]) -+ return True -+ - def not_found(self, environ, start_response, url, message): - """ - Return a 404 Not Found error. -@@ -331,9 +344,6 @@ class wsgi_dispatch(Executioner, HTTP_Status): - self.__apps[key] = app - - -- -- -- - class WSGIExecutioner(Executioner): - """ - Base class for execution backends with a WSGI application interface. 
-@@ -897,6 +907,9 @@ class jsonserver_session(jsonserver, KerberosSession): - - logger.debug('WSGI jsonserver_session.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - # Redirect to login if no Kerberos credentials - ccache_name = self.get_environ_creds(environ) - if ccache_name is None: -@@ -949,6 +962,9 @@ class KerberosLogin(Backend, KerberosSession): - def __call__(self, environ, start_response): - logger.debug('WSGI KerberosLogin.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - # Redirect to login if no Kerberos credentials - user_ccache_name = self.get_environ_creds(environ) - if user_ccache_name is None: -@@ -967,6 +983,9 @@ class login_x509(KerberosLogin): - def __call__(self, environ, start_response): - logger.debug('WSGI login_x509.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - if 'KRB5CCNAME' not in environ: - return self.unauthorized( - environ, start_response, 'KRB5CCNAME not set', -@@ -1015,6 +1034,9 @@ class login_password(Backend, KerberosSession): - - logger.debug('WSGI login_password.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - # Get the user and password parameters from the request - content_type = environ.get('CONTENT_TYPE', '').lower() - if not content_type.startswith('application/x-www-form-urlencoded'): -@@ -1147,6 +1169,9 @@ class change_password(Backend, HTTP_Status): - def __call__(self, environ, start_response): - logger.info('WSGI change_password.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - # Get the user and password parameters from the request - content_type = environ.get('CONTENT_TYPE', '').lower() - if not content_type.startswith('application/x-www-form-urlencoded'): -@@ 
-1364,6 +1389,9 @@ class xmlserver_session(xmlserver, KerberosSession): - - logger.debug('WSGI xmlserver_session.__call__:') - -+ if not self.check_referer(environ): -+ return self.bad_request(environ, start_response, 'denied') -+ - ccache_name = environ.get('KRB5CCNAME') - - # Redirect to /ipa/xml if no Kerberos credentials --- -2.41.0 - diff --git a/SOURCES/0003-Integration-tests-for-verifying-Referer-header-in-th.patch b/SOURCES/0003-Integration-tests-for-verifying-Referer-header-in-th.patch deleted file mode 100644 index cbe9eb7..0000000 --- a/SOURCES/0003-Integration-tests-for-verifying-Referer-header-in-th.patch +++ /dev/null 
@@ -1,359 +0,0 @@ -From f1f8b16def3e809f5773bb8aa40aefb21699347b Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 12 Oct 2023 20:34:01 +0000 -Subject: [PATCH] Integration tests for verifying Referer header in the UI - -Validate that the change_password and login_password endpoints -verify the HTTP Referer header. There is some overlap in the -tests: belt and suspenders. - -All endpoints except session/login_x509 are covered, sometimes -having to rely on expected bad results (see the i18n endpoint). - -session/login_x509 is not tested yet as it requires significant -additional setup in order to associate a user certificate with -a user entry, etc. - -This can be manually verified by modifying /etc/httpd/conf.d/ipa.conf -and adding: - -Satisfy Any -Require all granted - -Then comment out Auth and SSLVerify, etc. and restart httpd. - -With a valid Referer will fail with a 401 and log that there is no -KRB5CCNAME. This comes after the referer check. - -With an invalid Referer it will fail with a 400 Bad Request as -expected. 
- -CVE-2023-5455 - -Signed-off-by: Rob Crittenden ---- - ipatests/test_ipaserver/httptest.py | 7 +- - ipatests/test_ipaserver/test_changepw.py | 12 +- - .../test_ipaserver/test_login_password.py | 88 ++++++++++++ - ipatests/test_ipaserver/test_referer.py | 136 ++++++++++++++++++ - ipatests/util.py | 4 +- - 5 files changed, 242 insertions(+), 5 deletions(-) - create mode 100644 ipatests/test_ipaserver/test_login_password.py - create mode 100644 ipatests/test_ipaserver/test_referer.py - -diff --git a/ipatests/test_ipaserver/httptest.py b/ipatests/test_ipaserver/httptest.py -index 6cd034a71..8924798fc 100644 ---- a/ipatests/test_ipaserver/httptest.py -+++ b/ipatests/test_ipaserver/httptest.py -@@ -36,7 +36,7 @@ class Unauthorized_HTTP_test: - content_type = 'application/x-www-form-urlencoded' - accept_language = 'en-us' - -- def send_request(self, method='POST', params=None): -+ def send_request(self, method='POST', params=None, host=None): - """ - Send a request to HTTP server - -@@ -45,7 +45,10 @@ class Unauthorized_HTTP_test: - if params is not None: - if self.content_type == 'application/x-www-form-urlencoded': - params = urllib.parse.urlencode(params, True) -- url = 'https://' + self.host + self.app_uri -+ if host: -+ url = 'https://' + host + self.app_uri -+ else: -+ url = 'https://' + self.host + self.app_uri - - headers = {'Content-Type': self.content_type, - 'Accept-Language': self.accept_language, -diff --git a/ipatests/test_ipaserver/test_changepw.py b/ipatests/test_ipaserver/test_changepw.py -index c3a47ab26..df38ddb3d 100644 ---- a/ipatests/test_ipaserver/test_changepw.py -+++ b/ipatests/test_ipaserver/test_changepw.py -@@ -53,10 +53,11 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test): - - request.addfinalizer(fin) - -- def _changepw(self, user, old_password, new_password): -+ def _changepw(self, user, old_password, new_password, host=None): - return self.send_request(params={'user': str(user), - 'old_password' : str(old_password), - 
'new_password' : str(new_password)}, -+ host=host - ) - - def _checkpw(self, user, password): -@@ -89,6 +90,15 @@ class test_changepw(XMLRPC_test, Unauthorized_HTTP_test): - # make sure that password is NOT changed - self._checkpw(testuser, old_password) - -+ def test_invalid_referer(self): -+ response = self._changepw(testuser, old_password, new_password, -+ 'attacker.test') -+ -+ assert_equal(response.status, 400) -+ -+ # make sure that password is NOT changed -+ self._checkpw(testuser, old_password) -+ - def test_pwpolicy_error(self): - response = self._changepw(testuser, old_password, '1') - -diff --git a/ipatests/test_ipaserver/test_login_password.py b/ipatests/test_ipaserver/test_login_password.py -new file mode 100644 -index 000000000..9425cb797 ---- /dev/null -+++ b/ipatests/test_ipaserver/test_login_password.py -@@ -0,0 +1,88 @@ -+# Copyright (C) 2023 Red Hat -+# see file 'COPYING' for use and warranty information -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . 
-+ -+import os -+import pytest -+import uuid -+ -+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test -+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test -+from ipatests.util import assert_equal -+from ipalib import api, errors -+from ipapython.ipautil import run -+ -+testuser = u'tuser' -+password = u'password' -+ -+ -+@pytest.mark.tier1 -+class test_login_password(XMLRPC_test, Unauthorized_HTTP_test): -+ app_uri = '/ipa/session/login_password' -+ -+ @pytest.fixture(autouse=True) -+ def login_setup(self, request): -+ ccache = os.path.join('/tmp', str(uuid.uuid4())) -+ try: -+ api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User') -+ api.Command['passwd'](testuser, password=password) -+ run(['kinit', testuser], stdin='{0}\n{0}\n{0}\n'.format(password), -+ env={"KRB5CCNAME": ccache}) -+ except errors.ExecutionError as e: -+ pytest.skip( -+ 'Cannot set up test user: %s' % e -+ ) -+ -+ def fin(): -+ try: -+ api.Command['user_del']([testuser]) -+ except errors.NotFound: -+ pass -+ os.unlink(ccache) -+ -+ request.addfinalizer(fin) -+ -+ def _login(self, user, password, host=None): -+ return self.send_request(params={'user': str(user), -+ 'password' : str(password)}, -+ host=host) -+ -+ def test_bad_options(self): -+ for params in ( -+ None, # no params -+ {"user": "foo"}, # missing options -+ {"user": "foo", "password": ""}, # empty option -+ ): -+ response = self.send_request(params=params) -+ assert_equal(response.status, 400) -+ assert_equal(response.reason, 'Bad Request') -+ -+ def test_invalid_auth(self): -+ response = self._login(testuser, 'wrongpassword') -+ -+ assert_equal(response.status, 401) -+ assert_equal(response.getheader('X-IPA-Rejection-Reason'), -+ 'invalid-password') -+ -+ def test_invalid_referer(self): -+ response = self._login(testuser, password, 'attacker.test') -+ -+ assert_equal(response.status, 400) -+ -+ def test_success(self): -+ response = self._login(testuser, password) -+ -+ 
assert_equal(response.status, 200) -+ assert response.getheader('X-IPA-Rejection-Reason') is None -diff --git a/ipatests/test_ipaserver/test_referer.py b/ipatests/test_ipaserver/test_referer.py -new file mode 100644 -index 000000000..4eade8bba ---- /dev/null -+++ b/ipatests/test_ipaserver/test_referer.py -@@ -0,0 +1,136 @@ -+# Copyright (C) 2023 Red Hat -+# see file 'COPYING' for use and warranty information -+# -+# This program is free software; you can redistribute it and/or modify -+# it under the terms of the GNU General Public License as published by -+# the Free Software Foundation, either version 3 of the License, or -+# (at your option) any later version. -+# -+# This program is distributed in the hope that it will be useful, -+# but WITHOUT ANY WARRANTY; without even the implied warranty of -+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+# GNU General Public License for more details. -+# -+# You should have received a copy of the GNU General Public License -+# along with this program. If not, see . 
-+ -+import os -+import pytest -+import uuid -+ -+from ipatests.test_ipaserver.httptest import Unauthorized_HTTP_test -+from ipatests.test_xmlrpc.xmlrpc_test import XMLRPC_test -+from ipatests.util import assert_equal -+from ipalib import api, errors -+from ipapython.ipautil import run -+ -+testuser = u'tuser' -+password = u'password' -+ -+ -+@pytest.mark.tier1 -+class test_referer(XMLRPC_test, Unauthorized_HTTP_test): -+ -+ @pytest.fixture(autouse=True) -+ def login_setup(self, request): -+ ccache = os.path.join('/tmp', str(uuid.uuid4())) -+ tokenid = None -+ try: -+ api.Command['user_add'](uid=testuser, givenname=u'Test', sn=u'User') -+ api.Command['passwd'](testuser, password=password) -+ run(['kinit', testuser], stdin='{0}\n{0}\n{0}\n'.format(password), -+ env={"KRB5CCNAME": ccache}) -+ result = api.Command["otptoken_add"]( -+ type='HOTP', description='testotp', -+ ipatokenotpalgorithm='sha512', ipatokenowner=testuser, -+ ipatokenotpdigits='6') -+ tokenid = result['result']['ipatokenuniqueid'][0] -+ except errors.ExecutionError as e: -+ pytest.skip( -+ 'Cannot set up test user: %s' % e -+ ) -+ -+ def fin(): -+ try: -+ api.Command['user_del']([testuser]) -+ api.Command['otptoken_del']([tokenid]) -+ except errors.NotFound: -+ pass -+ os.unlink(ccache) -+ -+ request.addfinalizer(fin) -+ -+ def _request(self, params={}, host=None): -+ # implicit is that self.app_uri is set to the appropriate value -+ return self.send_request(params=params, host=host) -+ -+ def test_login_password_valid(self): -+ """Valid authentication of a user""" -+ self.app_uri = "/ipa/session/login_password" -+ response = self._request( -+ params={'user': 'tuser', 'password': password}) -+ assert_equal(response.status, 200, self.app_uri) -+ -+ def test_change_password_valid(self): -+ """This actually changes the user password""" -+ self.app_uri = "/ipa/session/change_password" -+ response = self._request( -+ params={'user': 'tuser', -+ 'old_password': password, -+ 'new_password': 
'new_password'} -+ ) -+ assert_equal(response.status, 200, self.app_uri) -+ -+ def test_sync_token_valid(self): -+ """We aren't testing that sync works, just that we can get there""" -+ self.app_uri = "/ipa/session/sync_token" -+ response = self._request( -+ params={'user': 'tuser', -+ 'first_code': '1234', -+ 'second_code': '5678', -+ 'password': 'password'}) -+ assert_equal(response.status, 200, self.app_uri) -+ -+ def test_i18n_messages_valid(self): -+ # i18n_messages requires a valid JSON request and we send -+ # nothing. If we get a 500 error then it got past the -+ # referer check. -+ self.app_uri = "/ipa/i18n_messages" -+ response = self._request() -+ assert_equal(response.status, 500, self.app_uri) -+ -+ # /ipa/session/login_x509 is not tested yet as it requires -+ # significant additional setup. -+ # This can be manually verified by adding -+ # Satisfy Any and Require all granted to the configuration -+ # section and comment out all Auth directives. The request -+ # will fail and log that there is no KRB5CCNAME which comes -+ # after the referer check. 
-+ -+ def test_endpoints_auth_required(self): -+ """Test endpoints that require pre-authorization which will -+ fail before we even get to the Referer check -+ """ -+ self.endpoints = { -+ "/ipa/xml", -+ "/ipa/session/login_kerberos", -+ "/ipa/session/json", -+ "/ipa/session/xml" -+ } -+ for self.app_uri in self.endpoints: -+ response = self._request(host="attacker.test") -+ -+ # referer is checked after auth -+ assert_equal(response.status, 401, self.app_uri) -+ -+ def notest_endpoints_invalid(self): -+ """Pass in a bad Referer, expect a 400 Bad Request""" -+ self.endpoints = { -+ "/ipa/session/login_password", -+ "/ipa/session/change_password", -+ "/ipa/session/sync_token", -+ } -+ for self.app_uri in self.endpoints: -+ response = self._request(host="attacker.test") -+ -+ assert_equal(response.status, 400, self.app_uri) -diff --git a/ipatests/util.py b/ipatests/util.py -index 5c0152b90..c69d98790 100644 ---- a/ipatests/util.py -+++ b/ipatests/util.py -@@ -163,12 +163,12 @@ class ExceptionNotRaised(Exception): - return self.msg % self.expected.__name__ - - --def assert_equal(val1, val2): -+def assert_equal(val1, val2, msg=''): - """ - Assert ``val1`` and ``val2`` are the same type and of equal value. - """ - assert type(val1) is type(val2), '%r != %r' % (val1, val2) -- assert val1 == val2, '%r != %r' % (val1, val2) -+ assert val1 == val2, '%r != %r %r' % (val1, val2, msg) - - - def assert_not_equal(val1, val2): --- -2.41.0 - diff --git a/SOURCES/0004-ipa-kdb-Detect-and-block-Bronze-Bit-attacks.patch b/SOURCES/0004-ipa-kdb-Detect-and-block-Bronze-Bit-attacks.patch deleted file mode 100644 index e7abc58..0000000 --- a/SOURCES/0004-ipa-kdb-Detect-and-block-Bronze-Bit-attacks.patch +++ /dev/null 
@@ -1,265 +0,0 @@ -From 013be398bced31f567ef01ac2471cb7529789b4a Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Mon, 9 Oct 2023 15:47:03 +0200 -Subject: [PATCH] ipa-kdb: Detect and block Bronze-Bit attacks - -The C8S/RHEL8 version of FreeIPA is vulnerable to the Bronze-Bit attack -because it does not implement PAC ticket signature to protect the -"forwardable" flag. However, it does implement the PAC extended KDC -signature, which protects against PAC spoofing. - -Based on information available in the PAC and the -"ok-to-auth-as-delegate" attribute in the database. It is possible to -detect and reject requests where the "forwardable" flag was flipped by -the attacker in the evidence ticket. ---- - daemons/ipa-kdb/ipa_kdb.h | 13 +++ - daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 6 + - daemons/ipa-kdb/ipa_kdb_mspac.c | 173 ++++++++++++++++++++++++++++ - ipaserver/install/server/install.py | 8 ++ - 4 files changed, 200 insertions(+) - -diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h -index 7aa5be494..02b2cb631 100644 ---- a/daemons/ipa-kdb/ipa_kdb.h -+++ b/daemons/ipa-kdb/ipa_kdb.h -@@ -367,6 +367,19 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, - const char *test_realm, size_t size, - char **trusted_realm); - -+/* Try to detect a Bronze-Bit attack based on the content of the request and -+ * data from the KDB. -+ * -+ * context krb5 context -+ * request KDB request -+ * detected Set to "true" if a bronze bit attack is detected and the -+ * pointer is not NULL. Remains unset otherwise. -+ * status If the call fails and the pointer is not NULL, set it with a -+ * message describing the cause of the failure. 
*/ -+krb5_error_code -+ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, -+ bool *detected, const char **status); -+ - /* DELEGATION CHECKS */ - - krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext, -diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -index f2804c9b2..1032dff0b 100644 ---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -@@ -185,6 +185,12 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata, - const char **status, krb5_deltat *lifetime_out, - krb5_deltat *renew_lifetime_out) - { -+ krb5_error_code kerr; -+ -+ kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status); -+ if (kerr) -+ return KRB5KDC_ERR_POLICY; -+ - *status = NULL; - *lifetime_out = 0; - *renew_lifetime_out = 0; -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 83cb9914d..b4e22d431 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -3298,3 +3298,176 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, - - return KRB5_KDB_NOENTRY; - } -+ -+krb5_error_code -+ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request, -+ bool *detected, const char **status) -+{ -+ krb5_error_code kerr; -+ const char *st = NULL; -+ size_t i, j; -+ krb5_ticket *evidence_tkt; -+ krb5_authdata **authdata, **ifrel = NULL; -+ krb5_pac pac = NULL; -+ TALLOC_CTX *tmpctx = NULL; -+ krb5_data fullsign = { 0, 0, NULL }, linfo_blob = { 0, 0, NULL }; -+ DATA_BLOB linfo_data; -+ struct PAC_LOGON_INFO_CTR linfo; -+ enum ndr_err_code ndr_err; -+ struct dom_sid asserted_identity_sid; -+ bool evtkt_is_s4u2self = false; -+ krb5_db_entry *proxy_entry = NULL; -+ -+ /* If no additional ticket, this is not a constrained delegateion request. -+ * Skip checks. 
*/ -+ if (!(request->kdc_options & KDC_OPT_CNAME_IN_ADDL_TKT)) { -+ kerr = 0; -+ goto end; -+ } -+ -+ evidence_tkt = request->second_ticket[0]; -+ -+ /* No need to check the Forwardable flag. If it was not set, this request -+ * would have failed earlier. */ -+ -+ /* We only support general constrained delegation (not RBCD), which is not -+ * available for cross-realms. */ -+ if (!krb5_realm_compare(context, evidence_tkt->server, request->server)) { -+ st = "S4U2PROXY_NOT_SUPPORTED_FOR_CROSS_REALMS"; -+ kerr = ENOTSUP; -+ goto end; -+ } -+ -+ authdata = evidence_tkt->enc_part2->authorization_data; -+ -+ /* Search for the PAC. */ -+ for (i = 0; authdata != NULL && authdata[i] != NULL; i++) { -+ if (authdata[i]->ad_type != KRB5_AUTHDATA_IF_RELEVANT) -+ continue; -+ -+ kerr = krb5_decode_authdata_container(context, -+ KRB5_AUTHDATA_IF_RELEVANT, -+ authdata[i], &ifrel); -+ if (kerr) { -+ st = "S4U2PROXY_CANNOT_DECODE_EVIDENCE_TKT_AUTHDATA"; -+ goto end; -+ } -+ -+ for (j = 0; ifrel[j] != NULL; j++) { -+ if (ifrel[j]->ad_type == KRB5_AUTHDATA_WIN2K_PAC) -+ break; -+ } -+ if (ifrel[j] != NULL) -+ break; -+ -+ krb5_free_authdata(context, ifrel); -+ ifrel = NULL; -+ } -+ -+ if (ifrel == NULL) { -+ st = "S4U2PROXY_EVIDENCE_TKT_WITHOUT_PAC"; -+ kerr = ENOENT; -+ goto end; -+ } -+ -+ /* Parse the PAC. */ -+ kerr = krb5_pac_parse(context, ifrel[j]->contents, ifrel[j]->length, &pac); -+ if (kerr) { -+ st = "S4U2PROXY_CANNOT_DECODE_EVICENCE_TKT_PAC"; -+ goto end; -+ } -+ -+ /* Check that the PAC extanded KDC signature is present. If it is, it was -+ * already tested. -+ * If absent, the context of the PAC cannot be trusted. */ -+ kerr = krb5_pac_get_buffer(context, pac, KRB5_PAC_FULL_CHECKSUM, &fullsign); -+ if (kerr) { -+ st = "S4U2PROXY_MISSING_EXTENDED_KDC_SIGN_IN_EVIDENCE_TKT_PAC"; -+ goto end; -+ } -+ -+ /* Get the PAC Logon Info. 
*/ -+ kerr = krb5_pac_get_buffer(context, pac, KRB5_PAC_LOGON_INFO, &linfo_blob); -+ if (kerr) { -+ st = "S4U2PROXY_NO_PAC_LOGON_INFO_IN_EVIDENCE_TKT"; -+ goto end; -+ } -+ -+ /* Parse the PAC Logon Info. */ -+ tmpctx = talloc_new(NULL); -+ if (!tmpctx) { -+ st = "OUT_OF_MEMORY"; -+ kerr = ENOMEM; -+ goto end; -+ } -+ -+ linfo_data.length = linfo_blob.length; -+ linfo_data.data = (uint8_t *)linfo_blob.data; -+ ndr_err = ndr_pull_union_blob(&linfo_data, tmpctx, &linfo, -+ PAC_TYPE_LOGON_INFO, -+ (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO); -+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { -+ st = "S4U2PROXY_CANNOT_PARSE_ENVIDENCE_TKT_PAC_LOGON_INFO"; -+ kerr = EINVAL; -+ goto end; -+ } -+ -+ /* Check that the extra SIDs array is not empty. */ -+ if (linfo.info->info3.sidcount == 0) { -+ st = "S4U2PROXY_NO_EXTRA_SID"; -+ kerr = ENOENT; -+ goto end; -+ } -+ -+ /* Search for the S-1-18-2 domain SID, which indicates the ticket was -+ * obtained using S4U2Self */ -+ kerr = ipadb_string_to_sid("S-1-18-2", &asserted_identity_sid); -+ if (kerr) { -+ st = "S4U2PROXY_CANNOT_CREATE_ASSERTED_IDENTITY_SID"; -+ goto end; -+ } -+ -+ for (i = 0; i < linfo.info->info3.sidcount; i++) { -+ if (dom_sid_check(&asserted_identity_sid, -+ linfo.info->info3.sids[0].sid, true)) { -+ evtkt_is_s4u2self = true; -+ break; -+ } -+ } -+ -+ /* If the ticket was obtained using S4U2Self, the proxy principal entry must -+ * have the "ok_to_auth_as_delegate" attribute set to true. */ -+ if (evtkt_is_s4u2self) { -+ kerr = ipadb_get_principal(context, evidence_tkt->server, 0, -+ &proxy_entry); -+ if (kerr) { -+ st = "S4U2PROXY_CANNOT_FIND_PROXY_PRINCIPAL"; -+ goto end; -+ } -+ -+ if (!(proxy_entry->attributes & KRB5_KDB_OK_TO_AUTH_AS_DELEGATE)) { -+ /* This evidence ticket cannot be forwardable given the privileges -+ * of the proxy principal. -+ * This is a Bronze Bit attack. 
*/ -+ if (detected) -+ *detected = true; -+ st = "S4U2PROXY_BRONZE_BIT_ATTACK_DETECTED"; -+ kerr = EBADE; -+ goto end; -+ } -+ } -+ -+ kerr = 0; -+ -+end: -+ if (st && status) -+ *status = st; -+ -+ krb5_free_authdata(context, ifrel); -+ krb5_pac_free(context, pac); -+ krb5_free_data_contents(context, &linfo_blob); -+ krb5_free_data_contents(context, &fullsign); -+ talloc_free(tmpctx); -+ ipadb_free_principal(context, proxy_entry); -+ return kerr; -+} -diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index 4e4076410..bfbb83bcb 100644 ---- a/ipaserver/install/server/install.py -+++ b/ipaserver/install/server/install.py -@@ -981,6 +981,14 @@ def install(installer): - # Set the admin user kerberos password - ds.change_admin_password(admin_password) - -+ # Force KDC to refresh the cached value of ipaKrbAuthzData by restarting. -+ # ipaKrbAuthzData has to be set with "MS-PAC" to trigger PAC generation, -+ # which is required to handle S4U2Proxy with the Bronze-Bit fix. -+ # Not doing so would cause API malfunction for around a minute, which is -+ # long enough to cause the hereafter client installation to fail. -+ service.print_msg("Restarting the KDC") -+ krb.restart() -+ - # Call client install script - service.print_msg("Configuring client side components") - try: --- -2.41.0 - diff --git a/SOURCES/0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch b/SOURCES/0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch deleted file mode 100644 index 000591c..0000000 --- a/SOURCES/0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch +++ /dev/null 
@@ -1,212 +0,0 @@ -From 3add9ba03a0af913d03b1f5ecaa8e48e46a93f91 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Jan 15 2024 13:42:08 +0000 -Subject: Server affinity: Retain user-requested remote server - - -We want to avoid splitting a replica server installation between -two hosts where possible so if a CA or KRA is requested then -we only try to install against a remote server that also provides -those capabilities. This avoids race conditions. - -If a CA or KRA is not requested and the user has provided a -server to install against then use that instead of overriding it. - -Extend the logic of picking the remote Custodia mode -(KRA, CA, *MASTER*) to include considering whether the -CA and KRA services are requested. If the service(s) are -not requested the the associated hostname may not be -reliable. - -Fixes: https://pagure.io/freeipa/issue/9491 -Related: https://pagure.io/freeipa/issue/9289 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 27fbdef..8096b6a 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -782,6 +782,7 @@ def promotion_check_host_principal_auth_ind(conn, hostdn): - - - def remote_connection(config): -+ logger.debug("Creating LDAP connection to %s", config.master_host_name) - ldapuri = 'ldaps://%s' % ipautil.format_netloc(config.master_host_name) - xmlrpc_uri = 'https://{}/ipa/xml'.format( - ipautil.format_netloc(config.master_host_name)) -@@ -1087,7 +1088,7 @@ def promote_check(installer): - 'CA', conn, preferred_cas - ) - if ca_host is not None: -- if config.master_host_name != ca_host: -+ if options.setup_ca and config.master_host_name != ca_host: - conn.disconnect() - del remote_api - config.master_host_name = ca_host -@@ -1096,8 +1097,7 @@ def promote_check(installer): - conn = remote_api.Backend.ldap2 - 
conn.connect(ccache=installer._ccache) - config.ca_host_name = ca_host -- config.master_host_name = ca_host -- ca_enabled = True -+ ca_enabled = True # There is a CA somewhere in the topology - if options.dirsrv_cert_files: - logger.error("Certificates could not be provided when " - "CA is present on some master.") -@@ -1135,7 +1135,7 @@ def promote_check(installer): - 'KRA', conn, preferred_kras - ) - if kra_host is not None: -- if config.master_host_name != kra_host: -+ if options.setup_kra and config.master_host_name != kra_host: - conn.disconnect() - del remote_api - config.master_host_name = kra_host -@@ -1143,10 +1143,9 @@ def promote_check(installer): - installer._remote_api = remote_api - conn = remote_api.Backend.ldap2 - conn.connect(ccache=installer._ccache) -- config.kra_host_name = kra_host -- config.ca_host_name = kra_host -- config.master_host_name = kra_host -- kra_enabled = True -+ config.kra_host_name = kra_host -+ config.ca_host_name = kra_host -+ kra_enabled = True # There is a KRA somewhere in the topology - if options.setup_kra and options.server and \ - kra_host != options.server: - # Installer was provided with a specific master -@@ -1372,10 +1371,10 @@ def install(installer): - otpd.create_instance('OTPD', config.host_name, - ipautil.realm_to_suffix(config.realm_name)) - -- if kra_enabled: -+ if options.setup_kra and kra_enabled: - # A KRA peer always provides a CA, too. - mode = custodiainstance.CustodiaModes.KRA_PEER -- elif ca_enabled: -+ elif options.setup_ca and ca_enabled: - mode = custodiainstance.CustodiaModes.CA_PEER - else: - mode = custodiainstance.CustodiaModes.MASTER_PEER - -From 701339d4fed539713eb1a13495992879f56a6daa Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Jan 18 2024 14:53:28 +0000 -Subject: Server affinity: Don't rely just on [ca|kra]_enabled for installs - - -ca_enable and kra_enabled are intended to be used to identify that -a CA or KRA is available in the topology. 
It was also being used -to determine whether a CA or KRA service is desired on a replica -install, rather than options.setup_[ca|kra] - -Fixes: https://pagure.io/freeipa/issue/9510 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 8096b6a..191913d 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -1143,7 +1143,8 @@ def promote_check(installer): - installer._remote_api = remote_api - conn = remote_api.Backend.ldap2 - conn.connect(ccache=installer._ccache) -- config.kra_host_name = kra_host -+ config.kra_host_name = kra_host -+ if options.setup_kra: # only reset ca_host if KRA is requested - config.ca_host_name = kra_host - kra_enabled = True # There is a KRA somewhere in the topology - if options.setup_kra and options.server and \ -@@ -1381,7 +1382,7 @@ def install(installer): - custodia = custodiainstance.get_custodia_instance(config, mode) - custodia.create_instance() - -- if ca_enabled: -+ if options.setup_ca and ca_enabled: - options.realm_name = config.realm_name - options.domain_name = config.domain_name - options.host_name = config.host_name -@@ -1397,7 +1398,7 @@ def install(installer): - service.print_msg("Finalize replication settings") - ds.finalize_replica_config() - -- if kra_enabled: -+ if options.setup_kra and kra_enabled: - kra.install(api, config, options, custodia=custodia) - - service.print_msg("Restarting the KDC") - -From e6014a5c1996528b255480b67fe2937203bff81b Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Jan 23 2024 15:32:58 +0000 -Subject: Server affinity: call ca.install() if there is a CA in the topology - - -This should not have been gated on options.setup_ca because we need -the RA agent on all servers if there is a CA in the topology otherwise -the non-CA servers won't be able to communicate with the CA. 
- -Fixes: https://pagure.io/freeipa/issue/9510 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipaserver/install/ca.py b/ipaserver/install/ca.py -index c93ae1f..187f803 100644 ---- a/ipaserver/install/ca.py -+++ b/ipaserver/install/ca.py -@@ -387,9 +387,10 @@ def install_step_0(standalone, replica_config, options, custodia): - promote = False - else: - cafile = os.path.join(replica_config.dir, 'cacert.p12') -- custodia.get_ca_keys( -- cafile, -- replica_config.dirman_password) -+ if replica_config.setup_ca: -+ custodia.get_ca_keys( -+ cafile, -+ replica_config.dirman_password) - - ca_signing_algorithm = None - ca_type = None -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index f8d4733..4c1c07c 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -1359,11 +1359,13 @@ def install(installer): - custodia = custodiainstance.get_custodia_instance(config, mode) - custodia.create_instance() - -- if options.setup_ca and ca_enabled: -+ if ca_enabled: - options.realm_name = config.realm_name - options.domain_name = config.domain_name - options.host_name = config.host_name - options.dm_password = config.dirman_password -+ # Always call ca.install() if there is a CA in the topology -+ # to ensure the RA agent is present. - ca.install(False, config, options, custodia=custodia) - - # configure PKINIT now that all required services are in place -@@ -1375,7 +1377,8 @@ def install(installer): - service.print_msg("Finalize replication settings") - ds.finalize_replica_config() - -- if options.setup_kra and kra_enabled: -+ if kra_enabled: -+ # The KRA installer checks for itself the status of setup_kra - kra.install(api, config, options, custodia=custodia) - - service.print_msg("Restarting the KDC") - 
diff --git a/SOURCES/0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch b/SOURCES/0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch deleted file mode 100644 index 05b6a46..0000000 --- a/SOURCES/0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch +++ /dev/null 
@@ -1,97 +0,0 @@ -From 3842116185de6ae8714f30b57bd75c7eddde53d8 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Jan 15 2024 13:50:10 +0000 -Subject: host: update System: Manage Host Keytab permission - - -Since commit 5c0e7a5fb420377dcc06a956695afdcb35196444, a new extended -operation to get a keytab is supposed to be used. This keytab -setting/retrieval extended operation checks access rights of the bound -DN to write to a virtual attribute 'ipaProtectedOperation;write_keys'. - -If the write isn't allowed, the operation is rejected and ipa-getkeytab -tool falls back to an older code that generates the keytab on the client -and forcibly sets to the LDAP entry. For the latter, a check is done to -make sure the bound DN is allowed to write to 'krbPrincipalKey' attribute. - -This fallback should never happen for newer deployments. When enrollemnt -operation is delegated to non-administrative user with the help of 'Host -Enrollment' role, a host can be pre-created or created at enrollment -time, if this non-administrative user has 'Host Administrators' role. In -the latter case a system permission 'System: Manage Host Keytab' grants -write access to 'krbPrincipalKey' attribute but lacks any access to the -virtual attributes expected by the new extended operation. - -There is a second virtual attribute, 'ipaProtectedOperation;read_keys', -that allows to retrieve existing keys for a host. However, during -initial enrollment we do not allow to retrieve and reuse existing -Kerberos key: while 'ipa-getkeytab -r' would give ability to retrieve -the existing key, 'ipa-join' has no way to trigger that operation. -Hence, permission 'System: Manage Host Keytab' will not grant the right -to read the Kerberos key via extended operation used by 'ipa-getkeytab --r'. Such operation can be done later by utilizing 'ipa -service/host-allow-retrieve-keytab' commands. 
- -Fix 'System: Manage Host Keytab' permission and extend a permission test -to see that we do not fallback to the old extended operation. - -Fixes: https://pagure.io/freeipa/issue/9496 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Rob Crittenden - ---- - -diff --git a/ACI.txt b/ACI.txt -index e6d6e3d..236bb43 100644 ---- a/ACI.txt -+++ b/ACI.txt -@@ -147,7 +147,7 @@ aci: (targetattr = "usercertificate")(targetfilter = "(objectclass=ipahost)")(ve - dn: cn=computers,cn=accounts,dc=ipa,dc=example - aci: (targetattr = "userpassword")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Enrollment Password";allow (write) groupdn = "ldap:///cn=System: Manage Host Enrollment Password,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: cn=computers,cn=accounts,dc=ipa,dc=example --aci: (targetattr = "krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";) -+aci: (targetattr = "ipaprotectedoperation;write_keys || krblastpwdchange || krbprincipalkey")(targetfilter = "(&(!(memberOf=cn=ipaservers,cn=hostgroups,cn=accounts,dc=ipa,dc=example))(objectclass=ipahost))")(version 3.0;acl "permission:System: Manage Host Keytab";allow (write) groupdn = "ldap:///cn=System: Manage Host Keytab,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: cn=computers,cn=accounts,dc=ipa,dc=example - aci: (targetattr = "createtimestamp || entryusn || ipaallowedtoperform;read_keys || ipaallowedtoperform;write_keys || modifytimestamp || objectclass")(targetfilter = "(objectclass=ipahost)")(version 3.0;acl "permission:System: Manage Host Keytab Permissions";allow (compare,read,search,write) groupdn = "ldap:///cn=System: Manage Host Keytab Permissions,cn=permissions,cn=pbac,dc=ipa,dc=example";) - dn: 
cn=computers,cn=accounts,dc=ipa,dc=example -diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py -index 3ef510e..b02c8b5 100644 ---- a/ipaserver/plugins/host.py -+++ b/ipaserver/plugins/host.py -@@ -409,7 +409,8 @@ class host(LDAPObject): - api.env.container_hostgroup, - api.env.basedn), - ], -- 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey'}, -+ 'ipapermdefaultattr': {'krblastpwdchange', 'krbprincipalkey', -+ 'ipaprotectedoperation;write_keys'}, - 'replaces': [ - '(targetattr = "krbprincipalkey || krblastpwdchange")(target = "ldap:///fqdn=*,cn=computers,cn=accounts,$SUFFIX")(version 3.0;acl "permission:Manage host keytab";allow (write) groupdn = "ldap:///cn=Manage host keytab,cn=permissions,cn=pbac,$SUFFIX";)', - ], -diff --git a/ipatests/test_integration/test_user_permissions.py b/ipatests/test_integration/test_user_permissions.py -index 3333a4f..cd1096f 100644 ---- a/ipatests/test_integration/test_user_permissions.py -+++ b/ipatests/test_integration/test_user_permissions.py -@@ -277,6 +277,9 @@ class TestInstallClientNoAdmin(IntegrationTest): - self.master.run_command(['ipa', 'privilege-add-permission', - '--permissions', 'System: Add Hosts', - 'Add Hosts']) -+ self.master.run_command(['ipa', 'privilege-add-permission', -+ '--permissions', 'System: Manage Host Keytab', -+ 'Add Hosts']) - - self.master.run_command(['ipa', 'role-add-privilege', 'useradmin', - '--privileges', 'Host Enrollment']) -@@ -301,6 +304,10 @@ class TestInstallClientNoAdmin(IntegrationTest): - encoding='utf-8') - assert msg in install_log - -+ # Make sure we do not fallback to an old keytab retrieval method anymore -+ msg = "Retrying with pre-4.0 keytab retrieval method..." -+ assert msg not in install_log -+ - # check that user is able to request a host cert, too - result = tasks.run_certutil(client, ['-L'], paths.IPA_NSSDB_DIR) - assert 'Local IPA host' in result.stdout_text - 
diff --git a/SOURCES/0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch b/SOURCES/0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch deleted file mode 100644 index 09b62e0..0000000 --- a/SOURCES/0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 2f17319df6147832dceff7c06154363f8d58b194 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Jan 18 2024 09:07:31 +0000 -Subject: adtrustinstance: make sure NetBIOS name defaults are set properly - - -Some tools may pass None as NetBIOS name if not put explicitly by a -user. This meant to use default NetBIOS name generator based on the -domain (realm) name. However, this wasn't done properly, so None is -passed later to python-ldap and it rejects such LDAP entry. - -Fixes: https://pagure.io/freeipa/issue/9514 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py -index bf0cc3b..bb5b61a 100644 ---- a/ipaserver/install/adtrustinstance.py -+++ b/ipaserver/install/adtrustinstance.py -@@ -189,6 +189,8 @@ class ADTRUSTInstance(service.Service): - self.fqdn = self.fqdn or api.env.host - self.host_netbios_name = make_netbios_name(self.fqdn) - self.realm = self.realm or api.env.realm -+ if not self.netbios_name: -+ self.netbios_name = make_netbios_name(self.realm) - - self.suffix = ipautil.realm_to_suffix(self.realm) - self.ldapi_socket = "%%2fvar%%2frun%%2fslapd-%s.socket" % \ - diff --git a/SOURCES/0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch b/SOURCES/0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch deleted file mode 100644 index f47a11f..0000000 
--- a/SOURCES/0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch +++ /dev/null 
@@ -1,175 +0,0 @@ -From 5afda72afc6fd626359411b55f092989fdd7d82d Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Jan 15 2024 13:39:21 +0000 -Subject: ipatests: ignore nsslapd-accesslog-logbuffering WARN in healthcheck - - -Log buffering is disabled in the integration tests so we can have all -the logs at the end. This is causing a warning to show in the 389-ds -checks and causing tests to fail that expect all SUCCESS. - -Add an exclude for this specific key so tests will pass again. - -We may eventually want a more sophisiticated mechanism to handle -excludes, or updating the config in general, but this is fine for now. - -Fixes: https://pagure.io/freeipa/issue/9400 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Michal Polovka -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Michal Polovka - ---- - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 7fb8e40..14fba26 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -9,6 +9,7 @@ from __future__ import absolute_import - - from configparser import RawConfigParser, NoOptionError - from datetime import datetime, timedelta -+import io - import json - import os - import re -@@ -208,6 +209,28 @@ def run_healthcheck(host, source=None, check=None, output_type="json", - return result.returncode, data - - -+def set_excludes(host, option, value, -+ config_file='/etc/ipahealthcheck/ipahealthcheck.conf'): -+ """Mark checks that should be excluded from the results -+ -+ This will set in the [excludes] section on host: -+ option=value -+ """ -+ EXCLUDES = "excludes" -+ -+ conf = host.get_file_contents(config_file, encoding='utf-8') -+ cfg = RawConfigParser() -+ cfg.read_string(conf) -+ if not cfg.has_section(EXCLUDES): -+ cfg.add_section(EXCLUDES) -+ if not cfg.has_option(EXCLUDES, option): -+ cfg.set(EXCLUDES, option, value) -+ out = io.StringIO() 
-+ cfg.write(out) -+ out.seek(0) -+ host.put_file_contents(config_file, out.read()) -+ -+ - @pytest.fixture - def restart_service(): - """Shut down and restart a service as a fixture""" -@@ -265,6 +288,7 @@ class TestIpaHealthCheck(IntegrationTest): - setup_dns=True, - extra_args=['--no-dnssec-validation'] - ) -+ set_excludes(cls.master, "key", "DSCLE0004") - - def test_ipa_healthcheck_install_on_master(self): - """ -@@ -552,6 +576,7 @@ class TestIpaHealthCheck(IntegrationTest): - setup_dns=True, - extra_args=['--no-dnssec-validation'] - ) -+ set_excludes(self.replicas[0], "key", "DSCLE0004") - - # Init a user on replica to assign a DNA range - tasks.kinit_admin(self.replicas[0]) -@@ -692,6 +717,7 @@ class TestIpaHealthCheck(IntegrationTest): - 'output_type=human' - ]) - ) -+ set_excludes(self.master, "key", "DSCLE0004", config_file) - returncode, output = run_healthcheck( - self.master, failures_only=True, config=config_file - ) -@@ -707,6 +733,7 @@ class TestIpaHealthCheck(IntegrationTest): - 'output_file=%s' % HC_LOG, - ]) - ) -+ set_excludes(self.master, "key", "DSCLE0004") - returncode, _unused = run_healthcheck( - self.master, config=config_file - ) -@@ -2396,6 +2423,7 @@ class TestIpaHealthCLI(IntegrationTest): - cls.master, setup_dns=True, extra_args=['--no-dnssec-validation'] - ) - tasks.install_packages(cls.master, HEALTHCHECK_PKG) -+ set_excludes(cls.master, "key", "DSCLE0004") - - def test_indent(self): - """ -diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py -index d477c3a..b71f2d5 100644 ---- a/ipatests/test_integration/test_replica_promotion.py -+++ b/ipatests/test_integration/test_replica_promotion.py -@@ -13,7 +13,7 @@ import pytest - - from ipatests.test_integration.base import IntegrationTest - from ipatests.test_integration.test_ipahealthcheck import ( -- run_healthcheck, HEALTHCHECK_PKG -+ run_healthcheck, set_excludes, HEALTHCHECK_PKG - ) - from 
ipatests.pytest_ipa.integration import tasks - from ipatests.pytest_ipa.integration.tasks import ( -@@ -983,6 +983,9 @@ class TestHiddenReplicaPromotion(IntegrationTest): - # manually install KRA to verify that hidden state is synced - tasks.install_kra(cls.replicas[0]) - -+ set_excludes(cls.master, "key", "DSCLE0004") -+ set_excludes(cls.replicas[0], "key", "DSCLE0004") -+ - def _check_dnsrecords(self, hosts_expected, hosts_unexpected=()): - domain = DNSName(self.master.domain.name).make_absolute() - rset = [ - -From f1cfe7d9ff2489dbb6cad70999b0e1bd433c0537 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Jan 15 2024 13:39:21 +0000 -Subject: ipatests: fix expected output for ipahealthcheck.ipa.host - - -ipa-healthcheck commit e69589d5 changed the output when a service -keytab is missing to not report the GSSAPI error but to report -that the keytab doesn't exist at all. This distinguishes from real -Kerberos issues like kvno. - -Fixes: https://pagure.io/freeipa/issue/9482 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Michal Polovka -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Michal Polovka - ---- - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 14fba26..8aae9fa 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -629,9 +629,15 @@ class TestIpaHealthCheck(IntegrationTest): - ipahealthcheck.ipa.host when GSSAPI credentials cannot be obtained - from host's keytab. - """ -- msg = ( -- "Minor (2529639107): No credentials cache found" -- ) -+ version = tasks.get_healthcheck_version(self.master) -+ if parse_version(version) >= parse_version("0.15"): -+ msg = ( -+ "Service {service} keytab {path} does not exist." 
-+ ) -+ else: -+ msg = ( -+ "Minor (2529639107): No credentials cache found" -+ ) - - with tasks.FileBackup(self.master, paths.KRB5_KEYTAB): - self.master.run_command(["rm", "-f", paths.KRB5_KEYTAB]) - diff --git a/SOURCES/0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch b/SOURCES/0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch deleted file mode 100644 index e37ead8..0000000 --- a/SOURCES/0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -From dcb9d6edc7ae4278cd552e87f644705faa13d558 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Jan 31 2024 08:31:13 +0000 -Subject: kdb: PAC generator: do not fail if canonical principal is missing - - -krbCanonicalName is mandatory for services but IPA services created -before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no normalization done -to set krbCanonicalName; services created after that version were -upgraded to do have krbCanonicalName. - -Accept krbPrincipalName alone since they have no alias either */ - -Fixes: https://pagure.io/freeipa/issue/9465 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Thierry Bordaz - ---- - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 9e1431c..8035036 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -496,8 +496,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, - "krbCanonicalName", &strres); - if (ret) { -- /* krbCanonicalName is mandatory for services */ -- return ret; -+ /* krbCanonicalName is mandatory for services but IPA services -+ * created before commit e6ff83e (FreeIPA 4.4.0, ~2016) had no -+ * normalization to set krbCanonicalName; services created after -+ * that version were upgraded to do have krbCanonicalName. -+ * -+ * Accept krbPrincipalName alone since they have no alias either */ -+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -+ "krbPrincipalName", &strres); -+ if (ret) -+ return ret; - } - - ret = krb5_parse_name(ipactx->kcontext, strres, &princ); - diff --git a/SOURCES/0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch b/SOURCES/0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch deleted file mode 100644 index d4ba709..0000000 --- a/SOURCES/0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch +++ /dev/null 
@@ -1,89 +0,0 @@
-From bac601b7f35827236a106f7137f378e4888260da Mon Sep 17 00:00:00 2001
-From: Julien Rische
-Date: Jan 30 2024 15:17:44 +0000
-Subject: ipa-kdb: Fix memory leak during PAC verification
-
-
-Commit 0022bd70d93708d325855d5271516d6cd894d6e8 introduced a memory leak
-during the copy of some PAC buffers, because of an unfreed memory
-allocation context.
-
-Fixes: https://pagure.io/freeipa/issue/9520
-
-Signed-off-by: Julien Rische
-Reviewed-By: Alexander Bokovoy
-
----
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index a18beff..9e1431c 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -2316,6 +2316,7 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
- size_t i;
- struct dom_sid *requester_sid = NULL;
- struct dom_sid req_sid;
-+ TALLOC_CTX *tmpctx = NULL;
-
- if (signing_krbtgt != NULL &&
- ipadb_is_cross_realm_krbtgt(signing_krbtgt->princ)) {
-@@ -2371,6 +2372,12 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
- goto done;
- }
-
-+ tmpctx = talloc_new(NULL);
-+ if (tmpctx == NULL) {
-+ kerr = ENOMEM;
-+ goto done;
-+ }
-+
- for (i = 0; i < num_buffers; i++) {
- if (types[i] == KRB5_PAC_SERVER_CHECKSUM ||
- types[i] == KRB5_PAC_PRIVSVR_CHECKSUM ||
-@@ -2395,32 +2402,21 @@ krb5_error_code ipadb_common_verify_pac(krb5_context context,
- DATA_BLOB pac_attrs_data;
- krb5_boolean pac_requested;
-
-- TALLOC_CTX *tmpctx = talloc_new(NULL);
-- if (tmpctx == NULL) {
-- kerr = ENOMEM;
-- goto done;
-- }
--
- kerr = ipadb_client_requested_pac(context, old_pac, tmpctx, &pac_requested);
-- if (kerr != 0) {
-- talloc_free(tmpctx);
-+ if (kerr)
- goto done;
-- }
-
- kerr = ipadb_get_pac_attrs_blob(tmpctx, &pac_requested, &pac_attrs_data);
-- if (kerr) {
-- talloc_free(tmpctx);
-+ if (kerr)
- goto done;
-- }
-+
- data.magic = KV5M_DATA;
- data.data = (char *)pac_attrs_data.data;
- data.length = pac_attrs_data.length;
-
- kerr = krb5_pac_add_buffer(context, new_pac, PAC_TYPE_ATTRIBUTES_INFO, &data);
-- if (kerr) {
-- talloc_free(tmpctx);
-+ if (kerr)
- goto done;
-- }
-
- continue;
- }
-@@ -2467,6 +2463,8 @@ done:
- if (kerr != 0 && (new_pac != *pac)) {
- krb5_pac_free(context, new_pac);
- }
-+ if (tmpctx)
-+ talloc_free(tmpctx);
- krb5_free_data_contents(context, &pac_blob);
- free(types);
- return kerr;
-
diff --git a/SOURCES/0011-Fix-session-cookie-access_rhel#23622.patch b/SOURCES/0011-Fix-session-cookie-access_rhel#23622.patch
deleted file mode 100644
index 87a33f0..0000000
--- a/SOURCES/0011-Fix-session-cookie-access_rhel#23622.patch
+++ /dev/null
@@ -1,238 +0,0 @@
-From 381af470779ea87335f57038dcbe72cd042ae6bb Mon Sep 17 00:00:00 2001
-From: Stanislav Levin
-Date: Jan 30 2024 15:11:05 +0000
-Subject: ipapython: Clean up krb5_error
-
-
-`krb5_error` has different definition in MIT krb.
-https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/types/krb5_error.html
-
-> Error message structure.
->
-> Declaration:
-> typedef struct _krb5_error krb5_error
-
-While `krb5_error_code`
-https://web.mit.edu/kerberos/www/krb5-latest/doc/appdev/refs/types/krb5_error_code.html#c.krb5_error_code
-
-> krb5_error_code
-> Used to convey an operation status.
->
-> The value 0 indicates success; any other values are com_err codes. Use krb5_get_error_message() to obtain a string describing the error.
-
-> Declaration
-> typedef krb5_int32 krb5_error_code
-
-And this is what was actually used.
-
-To prevent confusion of types `krb5_error` was replaced with
-`krb5_error_code`.
-
-Fixes: https://pagure.io/freeipa/issue/9519
-Signed-off-by: Stanislav Levin
-Reviewed-By: Alexander Bokovoy
-
----
-
-diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
-index c43ef7d..371cf15 100644
---- a/ipapython/session_storage.py
-+++ b/ipapython/session_storage.py
-@@ -111,7 +111,7 @@ class KRB5Error(Exception):
-
-
- def krb5_errcheck(result, func, arguments):
-- """Error checker for krb5_error return value"""
-+ """Error checker for krb5_error_code return value"""
- if result != 0:
- raise KRB5Error(result, func.__name__, arguments)
-
-@@ -119,14 +119,13 @@ def krb5_errcheck(result, func, arguments):
- krb5_context = ctypes.POINTER(_krb5_context)
- krb5_ccache = ctypes.POINTER(_krb5_ccache)
- krb5_data_p = ctypes.POINTER(_krb5_data)
--krb5_error = ctypes.c_int32
- krb5_creds = _krb5_creds
- krb5_pointer = ctypes.c_void_p
- krb5_cc_cursor = krb5_pointer
-
- krb5_init_context = LIBKRB5.krb5_init_context
- krb5_init_context.argtypes = (ctypes.POINTER(krb5_context), )
--krb5_init_context.restype = krb5_error
-+krb5_init_context.restype = krb5_error_code
- krb5_init_context.errcheck = krb5_errcheck
-
- krb5_free_context = LIBKRB5.krb5_free_context
-@@ -143,30 +142,30 @@ krb5_free_data_contents.restype = None
-
- krb5_cc_default = LIBKRB5.krb5_cc_default
- krb5_cc_default.argtypes = (krb5_context, ctypes.POINTER(krb5_ccache), )
--krb5_cc_default.restype = krb5_error
-+krb5_cc_default.restype = krb5_error_code
- krb5_cc_default.errcheck = krb5_errcheck
-
- krb5_cc_close = LIBKRB5.krb5_cc_close
- krb5_cc_close.argtypes = (krb5_context, krb5_ccache, )
--krb5_cc_close.restype = krb5_error
-+krb5_cc_close.restype = krb5_error_code
- krb5_cc_close.errcheck = krb5_errcheck
-
- krb5_parse_name = LIBKRB5.krb5_parse_name
- krb5_parse_name.argtypes = (krb5_context, ctypes.c_char_p,
- ctypes.POINTER(krb5_principal), )
--krb5_parse_name.restype = krb5_error
-+krb5_parse_name.restype = krb5_error_code
- krb5_parse_name.errcheck = krb5_errcheck
-
- krb5_cc_set_config = LIBKRB5.krb5_cc_set_config
- krb5_cc_set_config.argtypes = (krb5_context, krb5_ccache, krb5_principal,
- ctypes.c_char_p, krb5_data_p, )
--krb5_cc_set_config.restype = krb5_error
-+krb5_cc_set_config.restype = krb5_error_code
- krb5_cc_set_config.errcheck = krb5_errcheck
-
- krb5_cc_get_principal = LIBKRB5.krb5_cc_get_principal
- krb5_cc_get_principal.argtypes = (krb5_context, krb5_ccache,
- ctypes.POINTER(krb5_principal), )
--krb5_cc_get_principal.restype = krb5_error
-+krb5_cc_get_principal.restype = krb5_error_code
- krb5_cc_get_principal.errcheck = krb5_errcheck
-
- # krb5_build_principal is a variadic function but that can't be expressed
-@@ -177,26 +176,26 @@ krb5_build_principal.argtypes = (krb5_context, ctypes.POINTER(krb5_principal),
- ctypes.c_uint, ctypes.c_char_p,
- ctypes.c_char_p, ctypes.c_char_p,
- ctypes.c_char_p, ctypes.c_char_p, )
--krb5_build_principal.restype = krb5_error
-+krb5_build_principal.restype = krb5_error_code
- krb5_build_principal.errcheck = krb5_errcheck
-
- krb5_cc_start_seq_get = LIBKRB5.krb5_cc_start_seq_get
- krb5_cc_start_seq_get.argtypes = (krb5_context, krb5_ccache,
- ctypes.POINTER(krb5_cc_cursor), )
--krb5_cc_start_seq_get.restype = krb5_error
-+krb5_cc_start_seq_get.restype = krb5_error_code
- krb5_cc_start_seq_get.errcheck = krb5_errcheck
-
- krb5_cc_next_cred = LIBKRB5.krb5_cc_next_cred
- krb5_cc_next_cred.argtypes = (krb5_context, krb5_ccache,
- ctypes.POINTER(krb5_cc_cursor),
- ctypes.POINTER(krb5_creds), )
--krb5_cc_next_cred.restype = krb5_error
-+krb5_cc_next_cred.restype = krb5_error_code
- krb5_cc_next_cred.errcheck = krb5_errcheck
-
- krb5_cc_end_seq_get = LIBKRB5.krb5_cc_end_seq_get
- krb5_cc_end_seq_get.argtypes = (krb5_context, krb5_ccache,
- ctypes.POINTER(krb5_cc_cursor), )
--krb5_cc_end_seq_get.restype = krb5_error
-+krb5_cc_end_seq_get.restype = krb5_error_code
- krb5_cc_end_seq_get.errcheck = krb5_errcheck
-
- krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents
-@@ -212,7 +211,7 @@ krb5_principal_compare.restype = krb5_boolean
- krb5_unparse_name = LIBKRB5.krb5_unparse_name
- krb5_unparse_name.argtypes = (krb5_context, krb5_principal,
- ctypes.POINTER(ctypes.c_char_p), )
--krb5_unparse_name.restype = krb5_error
-+krb5_unparse_name.restype = krb5_error_code
- krb5_unparse_name.errcheck = krb5_errcheck
-
- krb5_free_unparsed_name = LIBKRB5.krb5_free_unparsed_name
-
-From 2a4bad8bb3295c5c0f5a760ecd41871c4c5a0c56 Mon Sep 17 00:00:00 2001
-From: Stanislav Levin
-Date: Jan 30 2024 15:11:05 +0000
-Subject: ipapython: Correct return type of krb5_free_cred_contents
-
-
-According to https://web.mit.edu/kerberos/krb5-latest/doc/appdev/refs/api/krb5_free_cred_contents.html
-
-> krb5_free_cred_contents - Free the contents of a krb5_creds structure.
->
-> void krb5_free_cred_contents(krb5_context context, krb5_creds * val)
-> param:
-> [in] context - Library context
->
-> [in] val - Credential structure to free contents of
->
-> This function frees the contents of val , but not the structure itself.
-
-https://github.com/krb5/krb5/blob/5b00197227231943bd2305328c8260dd0b0dbcf0/src/lib/krb5/krb/kfree.c#L166
-
-This leads to undefined behavior and `krb5_free_cred_contents` can
-raise KRB5Error (because of garbage data) while actually its foreign
-function doesn't.
-
-Fixes: https://pagure.io/freeipa/issue/9519
-Signed-off-by: Stanislav Levin
-Reviewed-By: Alexander Bokovoy
-
----
-
-diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
-index 371cf15..dc36f54 100644
---- a/ipapython/session_storage.py
-+++ b/ipapython/session_storage.py
-@@ -200,8 +200,7 @@ krb5_cc_end_seq_get.errcheck = krb5_errcheck
-
- krb5_free_cred_contents = LIBKRB5.krb5_free_cred_contents
- krb5_free_cred_contents.argtypes = (krb5_context, ctypes.POINTER(krb5_creds))
--krb5_free_cred_contents.restype = krb5_error
--krb5_free_cred_contents.errcheck = krb5_errcheck
-+krb5_free_cred_contents.restype = None
-
- krb5_principal_compare = LIBKRB5.krb5_principal_compare
- krb5_principal_compare.argtypes = (krb5_context, krb5_principal,
-
-From beb402afdbf32c01eed860e9416356f7b492ad74 Mon Sep 17 00:00:00 2001
-From: Stanislav Levin
-Date: Jan 30 2024 15:11:05 +0000
-Subject: ipapython: Propagate KRB5Error exceptions on iterating ccache
-
-
-`ipapython.session_storage.get_data` iterates over
-credentials in a credential cache till `krb5_cc_next_cred` returns
-an error. This function doesn't expect any error on calling
-other kerberos foreign functions during iteration. But that can
-actually happen and KRB5Error exceptions stop an iteration while
-they should be propagated.
-
-With this change iteration will exactly stop on `krb5_cc_next_cred`
-error as it was supposed to be.
-
-Fixes: https://pagure.io/freeipa/issue/9519
-Signed-off-by: Stanislav Levin
-Reviewed-By: Alexander Bokovoy
-
----
-
-diff --git a/ipapython/session_storage.py b/ipapython/session_storage.py
-index dc36f54..e890dc9 100644
---- a/ipapython/session_storage.py
-+++ b/ipapython/session_storage.py
-@@ -312,8 +312,12 @@ def get_data(princ_name, key):
- checkcreds = krb5_creds()
- # the next function will throw an error and break out of the
- # while loop when we try to access past the last cred
-- krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
-- ctypes.byref(checkcreds))
-+ try:
-+ krb5_cc_next_cred(context, ccache, ctypes.byref(cursor),
-+ ctypes.byref(checkcreds))
-+ except KRB5Error:
-+ break
-+
- if (krb5_principal_compare(context, principal,
- checkcreds.client) == 1 and
- krb5_principal_compare(context, srv_princ,
-@@ -328,8 +332,6 @@ def get_data(princ_name, key):
- else:
- krb5_free_cred_contents(context,
- ctypes.byref(checkcreds))
-- except KRB5Error:
-- pass
- finally:
- krb5_cc_end_seq_get(context, ccache, ctypes.byref(cursor))
-
-
diff --git a/SOURCES/0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch b/SOURCES/0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch
deleted file mode 100644
index b5eb5be..0000000
--- a/SOURCES/0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch
+++ /dev/null
@@ -1,109 +0,0 @@
-From b56a80581ef388e19d5761020454e51463036cd6 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Tue, 23 Jan 2024 14:47:50 +0200
-Subject: [PATCH] sidgen: ignore staged users when generating SIDs
-
-Staged users have
-
- uidNumber: -1
- gidNumber: -1
- ipaUniqueID: autogenerate
-
-We cannot generate ipaSecurityIdentifier based on those UID/GID numbers.
-However, '-1' value will trigger an error
-
- find_sid_for_ldap_entry - [file ipa_sidgen_common.c, line 483]: ID value too large.
-
-And that, in turn, will cause stopping SID generation for all users.
-
-Detect 'ipaUniqueID: autogenerate' situation and ignore these entries.
-
-Fixes: https://pagure.io/freeipa/issue/9517
-
-Signed-off-by: Alexander Bokovoy
-Reviewed-By: Florence Blanc-Renaud
-Reviewed-By: Thierry Bordaz
----
- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 2 ++
- .../ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c | 12 ++++++++++++
- 2 files changed, 14 insertions(+)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
-index 0feff7eec..bd46982d0 100644
---- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
-+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
-@@ -45,6 +45,8 @@
- #define UID_NUMBER "uidnumber"
- #define GID_NUMBER "gidnumber"
- #define IPA_SID "ipantsecurityidentifier"
-+#define IPA_UNIQUEID "ipauniqueid"
-+#define IPA_UNIQUEID_AUTOGENERATE "autogenerate"
- #define DOM_ATTRS_FILTER OBJECTCLASS"=ipantdomainattrs"
- #define DOMAIN_ID_RANGE_FILTER OBJECTCLASS"=ipadomainidrange"
- #define POSIX_ACCOUNT "posixaccount"
-diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
-index 6f784804c..cb763ebf8 100644
---- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
-+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen_common.c
-@@ -454,6 +454,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
- uint32_t id;
- char *sid = NULL;
- char **objectclasses = NULL;
-+ char *uniqueid = NULL;
- Slapi_PBlock *mod_pb = NULL;
- Slapi_Mods *smods = NULL;
- int result;
-@@ -479,6 +480,16 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
- goto done;
- }
-
-+ uniqueid = slapi_entry_attr_get_charptr(entry, IPA_UNIQUEID);
-+ if (uniqueid != NULL &&
-+ strncmp(IPA_UNIQUEID_AUTOGENERATE, uniqueid,
-+ sizeof(IPA_UNIQUEID_AUTOGENERATE)) == 0) {
-+ LOG("Staged entry [%s] does not have Posix IDs, nothing to do.\n",
-+ dn_str);
-+ ret = 0;
-+ goto done;
-+ }
-+
- if (uid_number >= UINT32_MAX || gid_number >= UINT32_MAX) {
- LOG_FATAL("ID value too large.\n");
- ret = LDAP_CONSTRAINT_VIOLATION;
-@@ -554,6 +565,7 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
- }
-
- done:
-+ slapi_ch_free_string(&uniqueid);
- slapi_ch_free_string(&sid);
- slapi_pblock_destroy(mod_pb);
- slapi_mods_free(&smods);
---
-2.43.0
-
-From 07150b71537744f491d022c737ef04775c72a10a Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Tue, 23 Jan 2024 14:53:39 +0200
-Subject: [PATCH] sidgen: fix missing prototypes
-
-Signed-off-by: Alexander Bokovoy
-Reviewed-By: Florence Blanc-Renaud
-Reviewed-By: Thierry Bordaz
----
- daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
-index bd46982d0..aec862796 100644
---- a/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
-+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/ipa_sidgen.h
-@@ -106,3 +106,6 @@ int find_sid_for_ldap_entry(struct slapi_entry *entry,
- const char *base_dn,
- const char *dom_sid,
- struct range_info **ranges);
-+
-+int sidgen_task_init(Slapi_PBlock *pb);
-+int ipa_sidgen_init(Slapi_PBlock *pb);
---
-2.43.0
-
diff --git a/SOURCES/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch b/SOURCES/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch
deleted file mode 100644
index 14aa1e0..0000000
--- a/SOURCES/0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch
+++ /dev/null
@@ -1,310 +0,0 @@
-From 67ca47ba4092811029eec02f8af9c34ba7662924 Mon Sep 17 00:00:00 2001
-From: Julien Rische
-Date: Mon, 9 Oct 2023 15:47:03 +0200
-Subject: [PATCH] ipa-kdb: Ensure Bronze-Bit check can be enabled
-
-MIT krb5 1.19 and older do not implement support for PAC ticket
-signature to protect the encrypted part of tickets. This is the cause of
-the Bronze-Bit vulnerability (CVE-2020-17043). The Bronze-Bit attack
-detection mechanism introduced in a847e248 relies on the content of the
-PAC.
-
-However, since CVE-2022-37967, the content of the PAC can no longer be
-trusted if the KDC does not support PAC extended KDC signature (aka.
-PAC full checksum). This signature is supported in MIT krb5 since
-version 1.21.
-
-Support for the PAC extended KDC signature was backported downstream to
-krb5 1.18.2 for CentOS 8 Stream (dist-git commit 7d215a54). This makes
-the content of the PAC still trustworthy there.
-
-This commit disables the Bronze-Bit attack detection mechanism at build
-time in case krb5 does not provide the krb5_pac_full_sign_compat()
-function.
-
-Reviewed-By: Alexander Bokovoy
----
- daemons/ipa-kdb/ipa_kdb.h | 4 ++++
- daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 +++++++
- daemons/ipa-kdb/ipa_kdb_mspac.c | 4 ++++
- 3 files changed, 15 insertions(+)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
-index 02b2cb631..c6926f7d5 100644
---- a/daemons/ipa-kdb/ipa_kdb.h
-+++ b/daemons/ipa-kdb/ipa_kdb.h
-@@ -367,6 +367,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- const char *test_realm, size_t size,
- char **trusted_realm);
-
-+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
-+# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
- /* Try to detect a Bronze-Bit attack based on the content of the request and
- * data from the KDB.
- *
-@@ -379,6 +381,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- krb5_error_code
- ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
- bool *detected, const char **status);
-+# endif
-+#endif
-
- /* DELEGATION CHECKS */
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-index 1032dff0b..ee0546c01 100644
---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-@@ -185,11 +185,18 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
- const char **status, krb5_deltat *lifetime_out,
- krb5_deltat *renew_lifetime_out)
- {
-+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
-+# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
- krb5_error_code kerr;
-
- kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
- if (kerr)
- return KRB5KDC_ERR_POLICY;
-+# else
-+# warning Support for Kerberos PAC extended KDC signature is missing.\
- This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049).
-+# endif
-+#endif
-
- *status = NULL;
- *lifetime_out = 0;
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index b4e22d431..05d5b407d 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -3299,6 +3299,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- return KRB5_KDB_NOENTRY;
- }
-
-+#if KRB5_KDB_DAL_MAJOR_VERSION <= 8
-+# ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
- krb5_error_code
- ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
- bool *detected, const char **status)
-@@ -3471,3 +3473,5 @@ end:
- ipadb_free_principal(context, proxy_entry);
- return kerr;
- }
-+# endif
-+#endif
---
-2.43.0
-
-From 27b96c17dd51d076e04d97662b7c788658a5094a Mon Sep 17 00:00:00 2001
-From: Julien Rische
-Date: Jan 26 2024 09:35:57 +0000
-Subject: ipa-kdb: Disable Bronze-Bit check if PAC not available
-
-
-The Bronze-Bit check introduced in commit
-a847e2483b4c4832ee5129901da169f4eb0d1392 requires the MS-PAC to be
-present in the evidence ticket in order for S4U2Proxy requests to be
-accepted. This actually requires SIDs to be set.
-
-However, domains that were initialized before commit
-e527857d000e558b3288a7a210400abaf2171237 may still not have SIDs
-configured. This would results in all S4U2Proxy requests to fail
-(including all the HTTP API requests).
-
-This present commit disables the check for the Bronze-Bit exploit
-(CVE-2020-17049) in case the domain is not able to generate PACs.
-Instead, it prints a warning message in the KDC logs each time a
-S4U2Proxy request is processed.
-
-Fixes: https://pagure.io/freeipa/issue/9521
-
-Signed-off-by: Julien Rische
-Reviewed-By: Alexander Bokovoy
-
----
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
-index c6926f7..621c235 100644
---- a/daemons/ipa-kdb/ipa_kdb.h
-+++ b/daemons/ipa-kdb/ipa_kdb.h
-@@ -370,17 +370,21 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- #if KRB5_KDB_DAL_MAJOR_VERSION <= 8
- # ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
- /* Try to detect a Bronze-Bit attack based on the content of the request and
-- * data from the KDB.
-+ * data from the KDB. This check will work only if the domain supports MS-PAC.
- *
- * context krb5 context
- * request KDB request
-- * detected Set to "true" if a bronze bit attack is detected and the
-- * pointer is not NULL. Remains unset otherwise.
-+ * supported If not NULL, set to "false" in case the Bronze-Bit exploit
-+ * detection process silently failed to complete because the
-+ * domain does not meet requirements. Set to "true" otherwise.
-+ * detected If not NULL, set to "true" if a Bronze-Bit attack is detected.
-+ * Set to "false" otherwise.
- * status If the call fails and the pointer is not NULL, set it with a
- * message describing the cause of the failure. */
- krb5_error_code
- ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
-- bool *detected, const char **status);
-+ bool *supported, bool *detected,
-+ const char **status);
- # endif
- #endif
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-index ee0546c..713e9a0 100644
---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-@@ -188,10 +188,18 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
- #if KRB5_KDB_DAL_MAJOR_VERSION <= 8
- # ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
- krb5_error_code kerr;
-+ bool supported;
-
-- kerr = ipadb_check_for_bronze_bit_attack(context, request, NULL, status);
-+ kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
-+ status);
- if (kerr)
- return KRB5KDC_ERR_POLICY;
-+
-+ if (!supported)
-+ krb5_klog_syslog(LOG_WARNING, "MS-PAC not available. This makes "
-+ "FreeIPA vulnerable to the Bronze-Bit exploit "
-+ "(CVE-2020-17049). Please generate SIDs to enable "
-+ "PAC support.");
- # else
- # warning Support for Kerberos PAC extended KDC signature is missing.\
- This makes FreeIPA vulnerable to the Bronze-Bit exploit (CVE-2020-17049).
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 05d5b40..a18beff 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -3303,11 +3303,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- # ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
- krb5_error_code
- ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
-- bool *detected, const char **status)
-+ bool *supported, bool *detected,
-+ const char **status)
- {
- krb5_error_code kerr;
- const char *st = NULL;
- size_t i, j;
-+ bool in_supported = true, in_detected = false;
-+ struct ipadb_context *ipactx;
- krb5_ticket *evidence_tkt;
- krb5_authdata **authdata, **ifrel = NULL;
- krb5_pac pac = NULL;
-@@ -3327,6 +3330,21 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
- goto end;
- }
-
-+ ipactx = ipadb_get_context(context);
-+ if (!ipactx) {
-+ kerr = KRB5_KDB_DBNOTINITED;
-+ goto end;
-+ }
-+
-+ /* Handle the case where the domain is not able to generate PACs (probably
-+ * because SIDs are not set). In this case, we just skip the Bronze-Bit
-+ * check. */
-+ if (!ipactx->mspac) {
-+ in_supported = false;
-+ kerr = 0;
-+ goto end;
-+ }
-+
- evidence_tkt = request->second_ticket[0];
-
- /* No need to check the Forwardable flag. If it was not set, this request
-@@ -3451,8 +3469,7 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
- /* This evidence ticket cannot be forwardable given the privileges
- * of the proxy principal.
- * This is a Bronze Bit attack. */
-- if (detected)
-- *detected = true;
-+ in_detected = true;
- st = "S4U2PROXY_BRONZE_BIT_ATTACK_DETECTED";
- kerr = EBADE;
- goto end;
-@@ -3464,6 +3481,10 @@ ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
- end:
- if (st && status)
- *status = st;
-+ if (supported)
-+ *supported = in_supported;
-+ if (detected)
-+ *detected = in_detected;
-
- krb5_free_authdata(context, ifrel);
- krb5_pac_free(context, pac);
-
-From 81aa6ef695838a4b2fb5a53e773ea379a492913d Mon Sep 17 00:00:00 2001
-From: Julien Rische
-Date: Fri, 9 Feb 2024 16:36:03 +0100
-Subject: [PATCH] ipd-kdb: Fix some mistakes in
- ipadb_check_for_bronze_bit_attack()
-
-Fixes: https://pagure.io/freeipa/issue/9521
-Signed-off-by: Julien Rische
-Reviewed-By: Alexander Bokovoy
----
- daemons/ipa-kdb/ipa_kdb.h | 3 ++-
- daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 2 +-
- daemons/ipa-kdb/ipa_kdb_mspac.c | 5 +++--
- 3 files changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
-index 621c23591..5de5ea7a5 100644
---- a/daemons/ipa-kdb/ipa_kdb.h
-+++ b/daemons/ipa-kdb/ipa_kdb.h
-@@ -382,7 +382,8 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- * status If the call fails and the pointer is not NULL, set it with a
- * message describing the cause of the failure. */
- krb5_error_code
--ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
-+ipadb_check_for_bronze_bit_attack(krb5_context context,
-+ const krb5_kdc_req *request,
- bool *supported, bool *detected,
- const char **status);
- # endif
-diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-index 713e9a0c8..44959f3de 100644
---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-@@ -190,7 +190,7 @@ ipa_kdcpolicy_check_tgs(krb5_context context, krb5_kdcpolicy_moddata moddata,
- krb5_error_code kerr;
- bool supported;
-
-- kerr = ipadb_check_for_bronze_bit_attack(context, request, supported, NULL,
-+ kerr = ipadb_check_for_bronze_bit_attack(context, request, &supported, NULL,
- status);
- if (kerr)
- return KRB5KDC_ERR_POLICY;
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 80350364a..886ed7785 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -3308,13 +3308,14 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext,
- #if KRB5_KDB_DAL_MAJOR_VERSION <= 8
- # ifdef HAVE_KRB5_PAC_FULL_SIGN_COMPAT
- krb5_error_code
--ipadb_check_for_bronze_bit_attack(krb5_context context, krb5_kdc_req *request,
-+ipadb_check_for_bronze_bit_attack(krb5_context context,
-+ const krb5_kdc_req *request,
- bool *supported, bool *detected,
- const char **status)
- {
- krb5_error_code kerr;
- const char *st = NULL;
-- size_t i, j;
-+ size_t i, j = 0;
- bool in_supported = true, in_detected = false;
- struct ipadb_context *ipactx;
- krb5_ticket *evidence_tkt;
---
-2.43.0
-
diff --git a/SOURCES/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch b/SOURCES/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch
deleted file mode 100644
index e0d2386..0000000
--- a/SOURCES/0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch
+++ /dev/null
@@ -1,272 +0,0 @@ -From 00f8ddbfd2795228b343e1c39c1944b44d482c18 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 24 Nov 2023 11:46:19 +0200 -Subject: [PATCH 1/4] ipa-kdb: add better detection of allowed user auth type - -If default user authentication type is set to a list that does not -include a password or a hardened credential, the resulting configuration -might be incorrect for special service principals, including a krbtgt/.. -one. - -Add detection of special principals to avoid these situations and always -allow password or hardened for services. - -Special handling is needed for the following principals: - - - krbtgt/.. -- TGT service principals - - K/M -- master key principal - - kadmin/changepw -- service for changing passwords - - kadmin/kadmin -- kadmin service principal - - kadmin/history -- key used to encrypt history - -Additionally, implicitly allow password or hardened credential use for -IPA services and IPA hosts since applications typically use keytabs for -that purpose. 
- -Fixes: https://pagure.io/freeipa/issue/9485 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - daemons/ipa-kdb/ipa_kdb.c | 62 ++++++++++++++++++++++++++++++++++----- - 1 file changed, 54 insertions(+), 8 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index 06d511c76..dbb98dba6 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -26,6 +26,7 @@ - #include "ipa_kdb.h" - #include "ipa_krb5.h" - #include "ipa_hostname.h" -+#include - - #define IPADB_GLOBAL_CONFIG_CACHE_TIME 60 - -@@ -207,6 +208,19 @@ static const struct { - { "idp", IPADB_USER_AUTH_IDP }, - { "passkey", IPADB_USER_AUTH_PASSKEY }, - { } -+}, -+ objclass_table[] = { -+ { "ipaservice", IPADB_USER_AUTH_PASSWORD }, -+ { "ipahost", IPADB_USER_AUTH_PASSWORD }, -+ { } -+}, -+ princname_table[] = { -+ { KRB5_TGS_NAME, IPADB_USER_AUTH_PASSWORD }, -+ { KRB5_KDB_M_NAME, IPADB_USER_AUTH_PASSWORD }, -+ { KADM5_ADMIN_SERVICE, IPADB_USER_AUTH_PASSWORD }, -+ { KADM5_CHANGEPW_SERVICE, IPADB_USER_AUTH_PASSWORD }, -+ { KADM5_HIST_PRINCIPAL, IPADB_USER_AUTH_PASSWORD }, -+ { } - }; - - void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, -@@ -217,17 +231,49 @@ void ipadb_parse_user_auth(LDAP *lcontext, LDAPMessage *le, - - *userauth = IPADB_USER_AUTH_NONE; - vals = ldap_get_values_len(lcontext, le, IPA_USER_AUTH_TYPE); -- if (!vals) -- return; -- -- for (i = 0; vals[i]; i++) { -- for (j = 0; userauth_table[j].name; j++) { -- if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) { -- *userauth |= userauth_table[j].flag; -- break; -+ if (!vals) { -+ /* if there is no explicit ipaUserAuthType set, use objectclass */ -+ vals = ldap_get_values_len(lcontext, le, "objectclass"); -+ if (!vals) -+ return; -+ -+ for (i = 0; vals[i]; i++) { -+ for (j = 0; objclass_table[j].name; j++) { -+ if (strcasecmp(vals[i]->bv_val, objclass_table[j].name) == 0) { -+ *userauth |= objclass_table[j].flag; -+ break; -+ } -+ } -+ } -+ } else { -+ for 
(i = 0; vals[i]; i++) { -+ for (j = 0; userauth_table[j].name; j++) { -+ if (strcasecmp(vals[i]->bv_val, userauth_table[j].name) == 0) { -+ *userauth |= userauth_table[j].flag; -+ break; -+ } - } - } - } -+ -+ /* If neither ipaUserAuthType nor objectClass were definitive, -+ * check the krbPrincipalName to see if it is krbtgt/ or K/M one */ -+ if (*userauth == IPADB_USER_AUTH_NONE) { -+ ldap_value_free_len(vals); -+ vals = ldap_get_values_len(lcontext, le, "krbprincipalname"); -+ if (!vals) -+ return; -+ for (i = 0; vals[i]; i++) { -+ for (j = 0; princname_table[j].name; j++) { -+ if (strncmp(vals[i]->bv_val, princname_table[j].name, -+ strlen(princname_table[j].name)) == 0) { -+ *userauth |= princname_table[j].flag; -+ break; -+ } -+ } -+ } -+ -+ } - /* If password auth is enabled, enable hardened policy too. */ - if (*userauth & IPADB_USER_AUTH_PASSWORD) { - *userauth |= IPADB_USER_AUTH_HARDENED; --- -2.43.0 - - -From 69ae9febfb4462766b3bfe3e07e76550ece97b42 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 24 Nov 2023 11:54:04 +0200 -Subject: [PATCH 2/4] ipa-kdb: when applying ticket policy, do not deny PKINIT - -PKINIT differs from other pre-authentication methods by the fact that it -can be matched indepedently of the user authentication types via certmap -plugin in KDC. - -Since PKINIT is a strong authentication method, allow its authentication -indicator and only apply the ticket policy. 
- -Fixes: https://pagure.io/freeipa/issue/9485 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - daemons/ipa-kdb/ipa_kdb_kdcpolicy.c | 7 ++----- - 1 file changed, 2 insertions(+), 5 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -index 436ee0e62..2802221c7 100644 ---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c -@@ -119,11 +119,8 @@ ipa_kdcpolicy_check_as(krb5_context context, krb5_kdcpolicy_moddata moddata, - pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_RADIUS]); - } else if (strcmp(auth_indicator, "pkinit") == 0) { - valid_auth_indicators++; -- if (!(ua & IPADB_USER_AUTH_PKINIT)) { -- *status = "PKINIT pre-authentication not allowed for this user."; -- kerr = KRB5KDC_ERR_POLICY; -- goto done; -- } -+ /* allow PKINIT unconditionally -- it has passed already at this -+ * point so some certificate was useful, only apply the limits */ - pol_limits = &(ied->pol_limits[IPADB_USER_AUTH_IDX_PKINIT]); - } else if (strcmp(auth_indicator, "hardened") == 0) { - valid_auth_indicators++; --- -2.43.0 - - -From 62c44c9e69aa2721990ca3628434713e1af6f59b Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 24 Nov 2023 12:20:55 +0200 -Subject: [PATCH 3/4] ipa-kdb: clarify user auth table mapping use of - _AUTH_PASSWORD - -Related: https://pagure.io/freeipa/issue/9485 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - daemons/ipa-kdb/ipa_kdb.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index dbb98dba6..4e6cacf24 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -195,6 +195,9 @@ done: - return base; - } - -+/* In this table all _AUTH_PASSWORD entries will be -+ * expanded to include _AUTH_HARDENED in ipadb_parse_user_auth() -+ * which means there is no need to explicitly add it here */ - static const struct { - const char *name; - enum 
ipadb_user_auth flag; --- -2.43.0 - - -From c3bc938650b19a51706d8ccd98cdf8deaa26dc28 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 24 Nov 2023 13:00:48 +0200 -Subject: [PATCH 4/4] ipatests: make sure PKINIT enrollment works with a strict - policy - -Previously, for a global policy which does not include -'password', krb5kdc restart was failing. Now it should succeed. - -We set admin user authentication type to PASSWORD to simplify -configuration in the test. - -What matters here is that global policy does not include PKINIT and that -means a code in the ticket policy check will allow PKINIT implicitly -rather than explicitly. - -Related: https://pagure.io/freeipa/issue/9485 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Francisco Trivino ---- - .../test_integration/test_pkinit_install.py | 26 +++++++++++++++++++ - 1 file changed, 26 insertions(+) - -diff --git a/ipatests/test_integration/test_pkinit_install.py b/ipatests/test_integration/test_pkinit_install.py -index caa0e6a34..5c2e7af02 100644 ---- a/ipatests/test_integration/test_pkinit_install.py -+++ b/ipatests/test_integration/test_pkinit_install.py -@@ -23,6 +23,24 @@ class TestPkinitClientInstall(IntegrationTest): - def install(cls, mh): - tasks.install_master(cls.master) - -+ def enforce_password_and_otp(self): -+ """enforce otp by default and password for admin """ -+ self.master.run_command( -+ [ -+ "ipa", -+ "config-mod", -+ "--user-auth-type=otp", -+ ] -+ ) -+ self.master.run_command( -+ [ -+ "ipa", -+ "user-mod", -+ "admin", -+ "--user-auth-type=password", -+ ] -+ ) -+ - def add_certmaperule(self): - """add certmap rule to map SAN dNSName to host entry""" - self.master.run_command( -@@ -86,6 +104,14 @@ class TestPkinitClientInstall(IntegrationTest): - cabundle = self.master.get_file_contents(paths.KDC_CA_BUNDLE_PEM) - client.put_file_contents(self.tmpbundle, cabundle) - -+ def test_restart_krb5kdc(self): -+ tasks.kinit_admin(self.master) -+ self.enforce_password_and_otp() -+ 
self.master.run_command(['systemctl', 'stop', 'krb5kdc.service']) -+ self.master.run_command(['systemctl', 'start', 'krb5kdc.service']) -+ self.master.run_command(['systemctl', 'stop', 'kadmin.service']) -+ self.master.run_command(['systemctl', 'start', 'kadmin.service']) -+ - def test_client_install_pkinit(self): - tasks.kinit_admin(self.master) - self.add_certmaperule() --- -2.43.0 - diff --git a/SOURCES/0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch b/SOURCES/0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch deleted file mode 100644 index 1adc33f..0000000 --- a/SOURCES/0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch +++ /dev/null 
@@ -1,139 +0,0 @@ -From 48846e98e5e988d600ddf81c937f353fcecdea1a Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 27 Nov 2023 16:11:08 -0500 -Subject: [PATCH 1/2] hbactest was not collecting or returning messages - -hbactest does a number of internal searches, one of which -can exceed the configured sizelimit: hbacrule-find - -Collect any messages returned from thsi call and display them -to the user on the cli. - -Fixes: https://pagure.io/freeipa/issue/9486 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaclient/plugins/hbactest.py | 2 ++ - ipaserver/plugins/hbactest.py | 14 +++++++++++--- - 2 files changed, 13 insertions(+), 3 deletions(-) - -diff --git a/ipaclient/plugins/hbactest.py b/ipaclient/plugins/hbactest.py -index 1b54530b2..e0f93b9c2 100644 ---- a/ipaclient/plugins/hbactest.py -+++ b/ipaclient/plugins/hbactest.py -@@ -38,6 +38,8 @@ class hbactest(CommandOverride): - # Note that we don't actually use --detail below to see if details need - # to be printed as our execute() method will return None for corresponding - # entries and None entries will be skipped. -+ self.log_messages(output) -+ - for o in self.output: - if o == 'value': - continue -diff --git a/ipaserver/plugins/hbactest.py b/ipaserver/plugins/hbactest.py -index 887a35b7e..568c13174 100644 ---- a/ipaserver/plugins/hbactest.py -+++ b/ipaserver/plugins/hbactest.py -@@ -24,6 +24,8 @@ from ipalib import Command, Str, Flag, Int - from ipalib import _ - from ipapython.dn import DN - from ipalib.plugable import Registry -+from ipalib.messages import VersionMissing -+ - if api.env.in_server: - try: - import ipaserver.dcerpc -@@ -323,6 +325,9 @@ class hbactest(Command): - # 2. Required options are (user, target host, service) - # 3. 
Options: rules to test (--rules, --enabled, --disabled), request for detail output - rules = [] -+ result = { -+ 'warning':None, 'matched':None, 'notmatched':None, 'error':None -+ } - - # Use all enabled IPA rules by default - all_enabled = True -@@ -351,8 +356,12 @@ class hbactest(Command): - - hbacset = [] - if len(testrules) == 0: -- hbacset = self.api.Command.hbacrule_find( -- sizelimit=sizelimit, no_members=False)['result'] -+ hbacrules = self.api.Command.hbacrule_find( -+ sizelimit=sizelimit, no_members=False) -+ hbacset = hbacrules['result'] -+ for message in hbacrules['messages']: -+ if message['code'] != VersionMissing.errno: -+ result.setdefault('messages', []).append(message) - else: - for rule in testrules: - try: -@@ -469,7 +478,6 @@ class hbactest(Command): - error_rules = [] - warning_rules = [] - -- result = {'warning':None, 'matched':None, 'notmatched':None, 'error':None} - if not options['nodetail']: - # Validate runs rules one-by-one and reports failed ones - for ipa_rule in rules: --- -2.43.0 - - -From d1e09c68af8ac77f656dd639af5d9a7f07c41f9d Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Tue, 28 Nov 2023 13:35:13 -0500 -Subject: [PATCH 2/2] ipatests: Verify that hbactest will return messages - -Limit the sizelimit of the hbactest request to confirm that -the output includes a SearchResultTruncated message. 
- -Fixes: https://pagure.io/freeipa/issue/9486 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipatests/test_xmlrpc/test_hbactest_plugin.py | 19 ++++++++++++++++++- - 1 file changed, 18 insertions(+), 1 deletion(-) - -diff --git a/ipatests/test_xmlrpc/test_hbactest_plugin.py b/ipatests/test_xmlrpc/test_hbactest_plugin.py -index 73c4ce232..e2e66c759 100644 ---- a/ipatests/test_xmlrpc/test_hbactest_plugin.py -+++ b/ipatests/test_xmlrpc/test_hbactest_plugin.py -@@ -134,6 +134,7 @@ class test_hbactest(XMLRPC_test): - assert ret['value'] - assert ret['error'] is None - assert ret['matched'] is None -+ assert 'messages' not in ret - assert ret['notmatched'] is None - - def test_c_hbactest_check_rules_enabled_detail(self): -@@ -200,7 +201,23 @@ class test_hbactest(XMLRPC_test): - nodetail=True - ) - -- def test_g_hbactest_clear_testing_data(self): -+ def test_g_hbactest_searchlimit_message(self): -+ """ -+ Test running 'ipa hbactest' with limited --sizelimit -+ -+ We know there are at least 6 rules, 4 created here + 2 default. -+ """ -+ ret = api.Command['hbactest']( -+ user=self.test_user, -+ targethost=self.test_host, -+ service=self.test_service, -+ nodetail=True, -+ sizelimit=2, -+ ) -+ -+ assert ret['messages'] is not None -+ -+ def test_h_hbactest_clear_testing_data(self): - """ - Clear data for HBAC test plugin testing. - """ --- -2.43.0 - diff --git a/SOURCES/0016-ipatests-wait-for-replica-update-in-test_dns_locatio.patch b/SOURCES/0016-ipatests-wait-for-replica-update-in-test_dns_locatio.patch deleted file mode 100644 index 0a6f6b7..0000000 --- a/SOURCES/0016-ipatests-wait-for-replica-update-in-test_dns_locatio.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From 16a739e0260f97705827f972d53c828809dbfdb2 Mon Sep 17 00:00:00 2001 -From: Masahiro Matsuya -Date: Tue, 9 Jan 2024 23:12:11 +0900 -Subject: [PATCH] ipatests: wait for replica update in test_dns_locations - -test_ipa_ca_records and test_adtrust_system_records can fail with -NXDOMAIN, because it doesn't wait enough for the update on replica. -It can be resolved by waiting for the update with wait_for_replication. - -Fixes: https://pagure.io/freeipa/issue/9504 -Reviewed-By: Florence Blanc-Renaud -(cherry picked from commit 905a55a4ef926068630ebd2ab375f58c24dedcd1) ---- - ipatests/test_integration/test_dns_locations.py | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ipatests/test_integration/test_dns_locations.py b/ipatests/test_integration/test_dns_locations.py -index 44900af80..89a310892 100644 ---- a/ipatests/test_integration/test_dns_locations.py -+++ b/ipatests/test_integration/test_dns_locations.py -@@ -534,6 +534,9 @@ class TestDNSLocations(IntegrationTest): - - expected_servers = (self.master.ip, self.replicas[1].ip) - -+ ldap = self.master.ldap_connect() -+ tasks.wait_for_replication(ldap) -+ - for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip): - self._test_A_rec_against_server(ip, self.domain, expected_servers) - -@@ -557,6 +560,9 @@ class TestDNSLocations(IntegrationTest): - (self.PRIO_HIGH, self.WEIGHT, DNSName(self.master.hostname)), - ) - -+ ldap = self.master.ldap_connect() -+ tasks.wait_for_replication(ldap) -+ - for ip in (self.master.ip, self.replicas[0].ip, self.replicas[1].ip): - self._test_SRV_rec_against_server( - ip, self.domain, expected_servers, --- -2.43.0 - diff --git a/SOURCES/0017-ipa-kdb-Rework-ipadb_reinit_mspac.patch b/SOURCES/0017-ipa-kdb-Rework-ipadb_reinit_mspac.patch deleted file mode 100644 index b3fbfdb..0000000 --- a/SOURCES/0017-ipa-kdb-Rework-ipadb_reinit_mspac.patch +++ /dev/null 
@@ -1,707 +0,0 @@ -From c3ac69e9cf8dfcc31ed11fc988c37bd99d3ec3cf Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Wed, 14 Feb 2024 17:47:00 +0100 -Subject: [PATCH] ipa-kdb: Rework ipadb_reinit_mspac() - -Modify ipadb_reinit_mspac() to allocate and initialize ipactx->mspac -only if all its attributes can be set. If not, ipactx->mspac is set to -NULL. This makes easier to determine if the KDC is able to generate PACs -or not. - -Also ipadb_reinit_mspac() is now able to return a status message -explaining why initialization of the PAC generator failed. This message -is printed in KDC logs. - -Fixes: https://pagure.io/freeipa/issue/9535 - -Signed-off-by: Julien Rische -Reviewed-By: Alexander Bokovoy -(cherry picked from commit 7f072e348d318e928f6270a182ca04dee8716677) ---- - daemons/ipa-kdb/ipa_kdb.c | 14 +- - daemons/ipa-kdb/ipa_kdb.h | 4 +- - daemons/ipa-kdb/ipa_kdb_mspac.c | 340 +++++++++++++----------- - daemons/ipa-kdb/ipa_kdb_mspac_private.h | 2 +- - daemons/ipa-kdb/ipa_kdb_mspac_v6.c | 5 +- - daemons/ipa-kdb/ipa_kdb_mspac_v9.c | 16 +- - daemons/ipa-kdb/ipa_kdb_principals.c | 6 +- - 7 files changed, 218 insertions(+), 169 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c -index 0c6325df9..fcadb8ee7 100644 ---- a/daemons/ipa-kdb/ipa_kdb.c -+++ b/daemons/ipa-kdb/ipa_kdb.c -@@ -443,6 +443,7 @@ int ipadb_get_connection(struct ipadb_context *ipactx) - struct timeval tv = { 5, 0 }; - LDAPMessage *res = NULL; - LDAPMessage *first; -+ const char *stmsg; - int ret; - int v3; - -@@ -522,16 +523,9 @@ int ipadb_get_connection(struct ipadb_context *ipactx) - } - - /* get adtrust options using default refresh interval */ -- ret = ipadb_reinit_mspac(ipactx, false); -- if (ret && ret != ENOENT) { -- /* TODO: log that there is an issue with adtrust settings */ -- if (ipactx->lcontext == NULL) { -- /* for some reason ldap connection was reset in ipadb_reinit_mspac -- * and is no longer established => failure of ipadb_get_connection -- */ -- 
goto done; -- } -- } -+ ret = ipadb_reinit_mspac(ipactx, false, &stmsg); -+ if (ret && stmsg) -+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg); - - ret = 0; - -diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h -index 5de5ea7a5..7baf4697f 100644 ---- a/daemons/ipa-kdb/ipa_kdb.h -+++ b/daemons/ipa-kdb/ipa_kdb.h -@@ -352,7 +352,9 @@ krb5_error_code ipadb_v9_issue_pac(krb5_context context, unsigned int flags, - krb5_data ***auth_indicators); - #endif - --krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit); -+krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, -+ bool force_reinit, -+ const char **stmsg); - - void ipadb_mspac_struct_free(struct ipadb_mspac **mspac); - krb5_error_code ipadb_check_transited_realms(krb5_context kcontext, -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index 886ed7785..deed513b9 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -793,16 +793,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - return ret; - } - -+ if (!ipactx->mspac) { -+ /* can't give a PAC without server NetBIOS name or primary group RID */ -+ return ENOENT; -+ } -+ - if (info3->base.primary_gid == 0) { - if (is_host || is_service) { - info3->base.primary_gid = 515; /* Well known RID for domain computers group */ - } else { -- if (ipactx->mspac->fallback_rid) { -- info3->base.primary_gid = ipactx->mspac->fallback_rid; -- } else { -- /* can't give a pack without a primary group rid */ -- return ENOENT; -- } -+ info3->base.primary_gid = ipactx->mspac->fallback_rid; - } - } - -@@ -812,26 +812,16 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, - /* always zero out, not used for Krb, only NTLM */ - memset(&info3->base.key, '\0', sizeof(info3->base.key)); - -- if (ipactx->mspac->flat_server_name) { -- info3->base.logon_server.string = -- talloc_strdup(memctx, 
ipactx->mspac->flat_server_name); -- if (!info3->base.logon_server.string) { -- return ENOMEM; -- } -- } else { -- /* can't give a pack without Server NetBIOS Name :-| */ -- return ENOENT; -+ info3->base.logon_server.string = -+ talloc_strdup(memctx, ipactx->mspac->flat_server_name); -+ if (!info3->base.logon_server.string) { -+ return ENOMEM; - } - -- if (ipactx->mspac->flat_domain_name) { -- info3->base.logon_domain.string = -- talloc_strdup(memctx, ipactx->mspac->flat_domain_name); -- if (!info3->base.logon_domain.string) { -- return ENOMEM; -- } -- } else { -- /* can't give a pack without Domain NetBIOS Name :-| */ -- return ENOENT; -+ info3->base.logon_domain.string = -+ talloc_strdup(memctx, ipactx->mspac->flat_domain_name); -+ if (!info3->base.logon_domain.string) { -+ return ENOMEM; - } - - if (is_host || is_service) { -@@ -1044,6 +1034,11 @@ krb5_error_code ipadb_get_pac(krb5_context kcontext, - return KRB5_KDB_DBNOTINITED; - } - -+ /* Check if PAC generator is initialized */ -+ if (!ipactx->mspac) { -+ return ENOENT; -+ } -+ - ied = (struct ipadb_e_data *)client->e_data; - if (ied->magic != IPA_E_DATA_MAGIC) { - return EINVAL; -@@ -1626,14 +1621,14 @@ static struct ipadb_adtrusts *get_domain_from_realm(krb5_context context, - { - struct ipadb_context *ipactx; - struct ipadb_adtrusts *domain; -- int i; -+ size_t i; - - ipactx = ipadb_get_context(context); - if (!ipactx) { - return NULL; - } - -- if (ipactx->mspac == NULL) { -+ if (!ipactx->mspac) { - return NULL; - } - -@@ -1655,6 +1650,7 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context, - { - struct ipadb_context *ipactx; - struct ipadb_adtrusts *domain; -+ const char *stmsg = NULL; - krb5_error_code kerr; - - ipactx = ipadb_get_context(context); -@@ -1663,8 +1659,10 @@ static struct ipadb_adtrusts *get_domain_from_realm_update(krb5_context context, - } - - /* re-init MS-PAC info using default update interval */ -- kerr = ipadb_reinit_mspac(ipactx, false); -+ kerr = 
ipadb_reinit_mspac(ipactx, false, &stmsg); - if (kerr != 0) { -+ if (stmsg) -+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg); - return NULL; - } - domain = get_domain_from_realm(context, realm); -@@ -1717,6 +1715,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - struct ipadb_e_data *ied = NULL; - int flags = 0; - struct dom_sid client_sid; -+ const char *stmsg = NULL; - #ifdef KRB5_KDB_FLAG_ALIAS_OK - flags = KRB5_KDB_FLAG_ALIAS_OK; - #endif -@@ -1730,10 +1729,14 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - * check that our own view on the PAC details is up to date */ - if (ipactx->mspac->domsid.num_auths == 0) { - /* Force re-init of KDB's view on our domain */ -- kerr = ipadb_reinit_mspac(ipactx, true); -+ kerr = ipadb_reinit_mspac(ipactx, true, &stmsg); - if (kerr != 0) { -- krb5_klog_syslog(LOG_ERR, -- "PAC issue: unable to update realm's view on PAC info"); -+ if (stmsg) { -+ krb5_klog_syslog(LOG_ERR, "MS-PAC generator: %s", stmsg); -+ } else { -+ krb5_klog_syslog(LOG_ERR, "PAC issue: unable to update " \ -+ "realm's view on PAC info"); -+ } - return KRB5KDC_ERR_POLICY; - } - } -@@ -1746,7 +1749,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, - if (is_s4u && (ipactx->mspac->trusts != NULL)) { - /* Iterate through list of trusts and check if this SID belongs to - * one of the domains we trust */ -- for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) { -+ for(size_t i = 0 ; i < ipactx->mspac->num_trusts ; i++) { - result = dom_sid_check(&ipactx->mspac->trusts[i].domsid, - info->info->info3.base.domain_sid, true); - if (result) { -@@ -1858,11 +1861,11 @@ krb5_error_code filter_logon_info(krb5_context context, - struct ipadb_mspac *mspac_ctx = ipactx->mspac; - result = FALSE; - /* Didn't match but perhaps the original PAC was issued by a child domain's DC? 
*/ -- for (k = 0; k < mspac_ctx->num_trusts; k++) { -- result = dom_sid_check(&mspac_ctx->trusts[k].domsid, -+ for (size_t m = 0; m < mspac_ctx->num_trusts; m++) { -+ result = dom_sid_check(&mspac_ctx->trusts[m].domsid, - info->info->info3.base.domain_sid, true); - if (result) { -- domain = &mspac_ctx->trusts[k]; -+ domain = &mspac_ctx->trusts[m]; - break; - } - } -@@ -2091,10 +2094,10 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context, - return KRB5_KDB_DBNOTINITED; - } - /* In S4U case we might be dealing with the PAC issued by the trusted domain */ -- if ((ipactx->mspac->trusts != NULL)) { -+ if (ipactx->mspac->trusts) { - /* Iterate through list of trusts and check if this SID belongs to - * one of the domains we trust */ -- for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) { -+ for(size_t i = 0 ; i < ipactx->mspac->num_trusts ; i++) { - result = dom_sid_check(&ipactx->mspac->trusts[i].domsid, - &client_sid, false); - if (result) { -@@ -2631,7 +2634,7 @@ static char *get_server_netbios_name(struct ipadb_context *ipactx) - - void ipadb_mspac_struct_free(struct ipadb_mspac **mspac) - { -- int i, j; -+ size_t i, j; - - if (!*mspac) return; - -@@ -2786,7 +2789,8 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) - LDAPDN dn = NULL; - char **sid_blocklist_incoming = NULL; - char **sid_blocklist_outgoing = NULL; -- int ret, n, i; -+ size_t i, n; -+ int ret; - - ret = asprintf(&base, "cn=ad,cn=trusts,%s", ipactx->base); - if (ret == -1) { -@@ -2871,7 +2875,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx) - - t[n].upn_suffixes_len = NULL; - if (t[n].upn_suffixes != NULL) { -- int len = 0; -+ size_t len = 0; - - for (; t[n].upn_suffixes[len] != NULL; len++); - -@@ -2986,108 +2990,114 @@ done: - return ret; - } - --krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit) -+krb5_error_code -+ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit, -+ const char **stmsg) - { - char 
*dom_attrs[] = { "ipaNTFlatName", - "ipaNTFallbackPrimaryGroup", - "ipaNTSecurityIdentifier", - NULL }; - char *grp_attrs[] = { "ipaNTSecurityIdentifier", NULL }; -- krb5_error_code kerr; - LDAPMessage *result = NULL; - LDAPMessage *lentry; -- struct dom_sid gsid; -- char *resstr; -- int ret; -+ struct dom_sid gsid, domsid; -+ char *resstr = NULL; -+ char *flat_domain_name = NULL; -+ char *flat_server_name = NULL; -+ char *fallback_group = NULL; -+ uint32_t fallback_rid; - time_t now; -+ const char *in_stmsg = NULL; -+ int err; -+ krb5_error_code trust_kerr = 0; -+ - - /* Do not update the mspac struct more than once a minute. This would - * avoid heavy load on the directory server if there are lots of requests - * from domains which we do not trust. */ - now = time(NULL); - -- if (ipactx->mspac != NULL && -- (force_reinit == false) && -- (now > ipactx->mspac->last_update) && -- (now - ipactx->mspac->last_update) < 60) { -- return 0; -- } -- -- if (ipactx->mspac && ipactx->mspac->num_trusts == 0) { -- /* Check if there is any trust configured. If not, just return -- * and do not re-initialize the MS-PAC structure. */ -- kerr = ipadb_mspac_check_trusted_domains(ipactx); -- if (kerr == KRB5_KDB_NOENTRY) { -- kerr = 0; -- goto done; -- } else if (kerr != 0) { -- goto done; -+ if (ipactx->mspac) { -+ if (!force_reinit && -+ (now > ipactx->mspac->last_update) && -+ (now - ipactx->mspac->last_update) < 60) { -+ /* SKIP */ -+ err = 0; -+ goto end; - } -- } -- -- /* clean up in case we had old values around */ -- ipadb_mspac_struct_free(&ipactx->mspac); - -- ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac)); -- if (!ipactx->mspac) { -- kerr = ENOMEM; -- goto done; -+ if (ipactx->mspac->num_trusts == 0) { -+ /* Check if there is any trust configured. If not, just return -+ * and do not re-initialize the MS-PAC structure. 
*/ -+ err = ipadb_mspac_check_trusted_domains(ipactx); -+ if (err) { -+ if (err == KRB5_KDB_NOENTRY) { -+ /* SKIP */ -+ err = 0; -+ } else { -+ in_stmsg = "Failed to fetch trusted domains information"; -+ } -+ goto end; -+ } -+ } - } - -- ipactx->mspac->last_update = now; -- -- kerr = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE, -- "(objectclass=ipaNTDomainAttrs)", dom_attrs, -- &result); -- if (kerr == KRB5_KDB_NOENTRY) { -- return ENOENT; -- } else if (kerr != 0) { -- return EIO; -+ err = ipadb_simple_search(ipactx, ipactx->base, LDAP_SCOPE_SUBTREE, -+ "(objectclass=ipaNTDomainAttrs)", dom_attrs, -+ &result); -+ if (err == KRB5_KDB_NOENTRY) { -+ err = ENOENT; -+ in_stmsg = "Local domain NT attributes not configured"; -+ goto end; -+ } else if (err) { -+ err = EIO; -+ in_stmsg = "Failed to fetch local domain NT attributes"; -+ goto end; - } - - lentry = ldap_first_entry(ipactx->lcontext, result); - if (!lentry) { -- kerr = ENOENT; -- goto done; -+ err = ENOENT; -+ in_stmsg = "Local domain NT attributes not configured"; -+ goto end; - } - -- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -- "ipaNTFlatName", -- &ipactx->mspac->flat_domain_name); -- if (ret) { -- kerr = ret; -- goto done; -+ err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "ipaNTFlatName", -+ &flat_domain_name); -+ if (err) { -+ in_stmsg = "Local domain NT flat name not configured"; -+ goto end; - } - -- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -- "ipaNTSecurityIdentifier", -- &resstr); -- if (ret) { -- kerr = ret; -- goto done; -+ err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -+ "ipaNTSecurityIdentifier", &resstr); -+ if (err) { -+ in_stmsg = "Local domain SID not configured"; -+ goto end; - } - -- ret = ipadb_string_to_sid(resstr, &ipactx->mspac->domsid); -- if (ret) { -- kerr = ret; -- free(resstr); -- goto done; -+ err = ipadb_string_to_sid(resstr, &domsid); -+ if (err) { -+ in_stmsg = "Malformed local domain SID"; -+ goto end; - } -+ - 
free(resstr); - -- free(ipactx->mspac->flat_server_name); -- ipactx->mspac->flat_server_name = get_server_netbios_name(ipactx); -- if (!ipactx->mspac->flat_server_name) { -- kerr = ENOMEM; -- goto done; -+ flat_server_name = get_server_netbios_name(ipactx); -+ if (!flat_server_name) { -+ err = ENOMEM; -+ goto end; - } - -- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -- "ipaNTFallbackPrimaryGroup", -- &ipactx->mspac->fallback_group); -- if (ret && ret != ENOENT) { -- kerr = ret; -- goto done; -+ err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -+ "ipaNTFallbackPrimaryGroup", &fallback_group); -+ if (err) { -+ in_stmsg = (err == ENOENT) -+ ? "Local fallback primary group not configured" -+ : "Failed to fetch local fallback primary group"; -+ goto end; - } - - /* result and lentry not valid any more from here on */ -@@ -3095,53 +3105,81 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_rein - result = NULL; - lentry = NULL; - -- if (ret != ENOENT) { -- kerr = ipadb_simple_search(ipactx, ipactx->mspac->fallback_group, -- LDAP_SCOPE_BASE, -- "(objectclass=posixGroup)", -- grp_attrs, &result); -- if (kerr && kerr != KRB5_KDB_NOENTRY) { -- kerr = ret; -- goto done; -- } -+ err = ipadb_simple_search(ipactx, fallback_group, LDAP_SCOPE_BASE, -+ "(objectclass=posixGroup)", grp_attrs, &result); -+ if (err) { -+ in_stmsg = (err == KRB5_KDB_NOENTRY) -+ ? 
"Local fallback primary group has no POSIX definition" -+ : "Failed to fetch SID of POSIX group mapped as local fallback " \ -+ "primary group"; -+ goto end; -+ } - -- lentry = ldap_first_entry(ipactx->lcontext, result); -- if (!lentry) { -- kerr = ENOENT; -- goto done; -- } -+ lentry = ldap_first_entry(ipactx->lcontext, result); -+ if (!lentry) { -+ err = ENOENT; -+ goto end; -+ } - -- if (kerr == 0) { -- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -- "ipaNTSecurityIdentifier", -- &resstr); -- if (ret && ret != ENOENT) { -- kerr = ret; -- goto done; -- } -- if (ret == 0) { -- ret = ipadb_string_to_sid(resstr, &gsid); -- if (ret) { -- free(resstr); -- kerr = ret; -- goto done; -- } -- ret = sid_split_rid(&gsid, &ipactx->mspac->fallback_rid); -- if (ret) { -- free(resstr); -- kerr = ret; -- goto done; -- } -- free(resstr); -- } -- } -+ err = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, -+ "ipaNTSecurityIdentifier", &resstr); -+ if (err) { -+ in_stmsg = (err == ENOENT) -+ ? 
"The POSIX group set as fallback primary group has no SID " \ -+ "configured" -+ : "Failed to fetch SID of POSIX group set as local fallback " \ -+ "primary group"; -+ goto end; - } - -- kerr = ipadb_mspac_get_trusted_domains(ipactx); -+ err = ipadb_string_to_sid(resstr, &gsid); -+ if (err) { -+ in_stmsg = "Malformed SID of POSIX group set as local fallback " \ -+ "primary group"; -+ goto end; -+ } - --done: -+ err = sid_split_rid(&gsid, &fallback_rid); -+ if (err) { -+ in_stmsg = "Malformed SID of POSIX group mapped as local fallback " \ -+ "primary group"; -+ goto end; -+ } -+ -+ /* clean up in case we had old values around */ -+ ipadb_mspac_struct_free(&ipactx->mspac); -+ -+ ipactx->mspac = calloc(1, sizeof(struct ipadb_mspac)); -+ if (!ipactx->mspac) { -+ err = ENOMEM; -+ goto end; -+ } -+ -+ ipactx->mspac->last_update = now; -+ ipactx->mspac->flat_domain_name = flat_domain_name; -+ ipactx->mspac->flat_server_name = flat_server_name; -+ ipactx->mspac->domsid = domsid; -+ ipactx->mspac->fallback_group = fallback_group; -+ ipactx->mspac->fallback_rid = fallback_rid; -+ -+ trust_kerr = ipadb_mspac_get_trusted_domains(ipactx); -+ if (trust_kerr) -+ in_stmsg = "Failed to assemble trusted domains information"; -+ -+end: -+ if (stmsg) -+ *stmsg = in_stmsg; -+ -+ if (resstr) free(resstr); - ldap_msgfree(result); -- return kerr; -+ -+ if (err) { -+ if (flat_domain_name) free(flat_domain_name); -+ if (flat_server_name) free(flat_server_name); -+ if (fallback_group) free(fallback_group); -+ } -+ -+ return err ? 
(krb5_error_code)err : trust_kerr; - } - - krb5_error_code ipadb_check_transited_realms(krb5_context kcontext, -@@ -3151,11 +3189,11 @@ krb5_error_code ipadb_check_transited_realms(krb5_context kcontext, - { - struct ipadb_context *ipactx; - bool has_transited_contents, has_client_realm, has_server_realm; -- int i; -+ size_t i; - krb5_error_code ret; - - ipactx = ipadb_get_context(kcontext); -- if (!ipactx || !ipactx->mspac) { -+ if (!ipactx) { - return KRB5_KDB_DBNOTINITED; - } - -@@ -3217,7 +3255,7 @@ krb5_error_code ipadb_is_princ_from_trusted_realm(krb5_context kcontext, - char **trusted_realm) - { - struct ipadb_context *ipactx; -- int i, j, length; -+ size_t i, j, length; - const char *name; - bool result = false; - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h -index 7f0ca7a79..e650cfa73 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h -+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h -@@ -31,7 +31,7 @@ struct ipadb_mspac { - char *fallback_group; - uint32_t fallback_rid; - -- int num_trusts; -+ size_t num_trusts; - struct ipadb_adtrusts *trusts; - time_t last_update; - }; -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c -index faf47ad1b..96cd50e4c 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac_v6.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac_v6.c -@@ -233,6 +233,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, - krb5_db_entry *client_entry = NULL; - krb5_boolean is_equal; - bool force_reinit_mspac = false; -+ const char *stmsg = NULL; - - - is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); -@@ -309,7 +310,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, - force_reinit_mspac = true; - } - -- (void)ipadb_reinit_mspac(ipactx, force_reinit_mspac); -+ kerr = ipadb_reinit_mspac(ipactx, force_reinit_mspac, &stmsg); -+ if (kerr && stmsg) -+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", stmsg); - - kerr = ipadb_get_pac(context, flags, 
client, server, NULL, authtime, &pac); - if (kerr != 0 && kerr != ENOENT) { -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c -index 3badd5b08..60db048e1 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac_v9.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac_v9.c -@@ -46,6 +46,7 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags, - bool with_pad; - krb5_error_code kerr = 0; - bool is_as_req = flags & CLIENT_REFERRALS_FLAGS; -+ const char *stmsg = NULL; - - if (is_as_req) { - get_authz_data_types(context, client, &with_pac, &with_pad); -@@ -110,12 +111,19 @@ ipadb_v9_issue_pac(krb5_context context, unsigned int flags, - force_reinit_mspac = TRUE; - } - } -- (void)ipadb_reinit_mspac(ipactx, force_reinit_mspac); - -- /* MS-PAC needs proper configuration and if it is missing, we simply skip issuing one */ -- if (ipactx->mspac->flat_server_name == NULL) { -+ /* MS-PAC generator has to be initalized */ -+ kerr = ipadb_reinit_mspac(ipactx, force_reinit_mspac, &stmsg); -+ if (kerr && stmsg) -+ krb5_klog_syslog(LOG_ERR, "MS-PAC generator: %s", stmsg); -+ -+ /* Continue even if initilization of PAC generator failed. -+ * It may caused by the trust objects part only. */ -+ -+ /* At least the core part of the PAC generator is required. 
*/ -+ if (!ipactx->mspac) - return KRB5_PLUGIN_OP_NOTSUPP; -- } -+ - kerr = ipadb_get_pac(context, flags, - client, server, replaced_reply_key, - authtime, &new_pac); -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index fadb132ed..07cc87746 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -1495,6 +1495,7 @@ static krb5_error_code dbget_alias(krb5_context kcontext, - krb5_db_entry *kentry = NULL; - krb5_data *realm; - krb5_boolean check = FALSE; -+ const char *stmsg = NULL; - - /* TODO: also support hostbased aliases */ - -@@ -1562,8 +1563,11 @@ static krb5_error_code dbget_alias(krb5_context kcontext, - if (kerr == KRB5_KDB_NOENTRY) { - /* If no trusted realm found, refresh trusted domain data and try again - * because it might be a freshly added trust to AD */ -- kerr = ipadb_reinit_mspac(ipactx, false); -+ kerr = ipadb_reinit_mspac(ipactx, false, &stmsg); - if (kerr != 0) { -+ if (stmsg) -+ krb5_klog_syslog(LOG_WARNING, "MS-PAC generator: %s", -+ stmsg); - kerr = KRB5_KDB_NOENTRY; - goto done; - } --- -2.43.0 - diff --git a/SOURCES/0018-ipatests-fix-tasks-wait_for_replication-method_rhel#25708.patch b/SOURCES/0018-ipatests-fix-tasks-wait_for_replication-method_rhel#25708.patch deleted file mode 100644 index c433849..0000000 --- a/SOURCES/0018-ipatests-fix-tasks-wait_for_replication-method_rhel#25708.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 44a762413c83f9637399afeb61b1e4b1ac111260 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Feb 14 2024 12:24:48 +0000 -Subject: ipatests: fix tasks.wait_for_replication method - - -With the fix for https://pagure.io/freeipa/issue/9171, the -method entry.single_value['nsds5replicaupdateinprogress'] now -returns a Boolean instead of a string "TRUE"/"FALSE". - -The method tasks.wait_for_replication needs to be fixed so that -it properly detects when replication is not done. - -Fixes: https://pagure.io/freeipa/issue/9530 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden - ---- - -diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py -index 9068ba6..952c9e6 100755 ---- a/ipatests/pytest_ipa/integration/tasks.py -+++ b/ipatests/pytest_ipa/integration/tasks.py -@@ -1510,7 +1510,7 @@ def wait_for_replication(ldap, timeout=30, - statuses = [entry.single_value[status_attr] for entry in entries] - wrong_statuses = [s for s in statuses - if not re.match(target_status_re, s)] -- if any(e.single_value[progress_attr] == 'TRUE' for e in entries): -+ if any(e.single_value[progress_attr] for e in entries): - msg = 'Replication not finished' - logger.debug(msg) - elif wrong_statuses: - diff --git a/SOURCES/0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch b/SOURCES/0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch deleted file mode 100644 index 1daf696..0000000 --- a/SOURCES/0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From 163f06cab678d517ab30ab6da59ae339f39ee7cf Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Fri, 27 May 2022 17:31:40 +0200 -Subject: [PATCH] Vault: add support for RSA-OAEP wrapping algo - -None of the FIPS certified modules in RHEL support PKCS#1 v1.5 as FIPS -approved mechanism. This commit adds support for RSA-OAEP padding as a -fallback. - -Fixes: https://pagure.io/freeipa/issue/9191 - -Signed-off-by: Francisco Trivino -Reviewed-By: Rob Crittenden -(cherry picked from commit b1fb31fd20c900c9ff1d5d28dfe136439f6bf605) ---- - ipaclient/plugins/vault.py | 57 ++++++++++++++++++++++++++++++-------- - 1 file changed, 45 insertions(+), 12 deletions(-) - -diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py -index d4c84eb6b..ed16c73ae 100644 ---- a/ipaclient/plugins/vault.py -+++ b/ipaclient/plugins/vault.py -@@ -119,8 +119,8 @@ def encrypt(data, symmetric_key=None, public_key=None): - return public_key_obj.encrypt( - data, - padding.OAEP( -- mgf=padding.MGF1(algorithm=hashes.SHA1()), -- algorithm=hashes.SHA1(), -+ mgf=padding.MGF1(algorithm=hashes.SHA256()), -+ algorithm=hashes.SHA256(), - label=None - ) - ) -@@ -154,8 +154,8 @@ def decrypt(data, symmetric_key=None, private_key=None): - return private_key_obj.decrypt( - data, - padding.OAEP( -- mgf=padding.MGF1(algorithm=hashes.SHA1()), -- algorithm=hashes.SHA1(), -+ mgf=padding.MGF1(algorithm=hashes.SHA256()), -+ algorithm=hashes.SHA256(), - label=None - ) - ) -@@ -705,14 +705,39 @@ class ModVaultData(Local): - return transport_cert, wrapping_algo - - def _do_internal(self, algo, transport_cert, raise_unexpected, -- *args, **options): -+ use_oaep=False, *args, **options): - public_key = transport_cert.public_key() - - # wrap session key with transport certificate -- wrapped_session_key = public_key.encrypt( -- algo.key, -- padding.PKCS1v15() -- ) -+ # KRA may be configured using either the default PKCS1v15 or RSA-OAEP. 
-+ # there is no way to query this info using the REST interface. -+ if not use_oaep: -+ # PKCS1v15() causes an OpenSSL exception when FIPS is enabled -+ # if so, we fallback to RSA-OAEP -+ try: -+ wrapped_session_key = public_key.encrypt( -+ algo.key, -+ padding.PKCS1v15() -+ ) -+ except ValueError: -+ wrapped_session_key = public_key.encrypt( -+ algo.key, -+ padding.OAEP( -+ mgf=padding.MGF1(algorithm=hashes.SHA256()), -+ algorithm=hashes.SHA256(), -+ label=None -+ ) -+ ) -+ else: -+ wrapped_session_key = public_key.encrypt( -+ algo.key, -+ padding.OAEP( -+ mgf=padding.MGF1(algorithm=hashes.SHA256()), -+ algorithm=hashes.SHA256(), -+ label=None -+ ) -+ ) -+ - options['session_key'] = wrapped_session_key - - name = self.name + '_internal' -@@ -723,7 +748,7 @@ class ModVaultData(Local): - errors.ExecutionError, - errors.GenericError): - _kra_config_cache.remove(self.api.env.domain) -- if raise_unexpected: -+ if raise_unexpected and use_oaep: - raise - return None - -@@ -733,15 +758,23 @@ class ModVaultData(Local): - """ - # try call with cached transport certificate - result = self._do_internal(algo, transport_cert, False, -- *args, **options) -+ False, *args, **options) - if result is not None: - return result - - # retrieve transport certificate (cached by vaultconfig_show) - transport_cert = self._get_vaultconfig(force_refresh=True)[0] -+ - # call with the retrieved transport certificate -+ result = self._do_internal(algo, transport_cert, True, -+ False, *args, **options) -+ -+ if result is not None: -+ return result -+ -+ # call and use_oaep this time, last attempt - return self._do_internal(algo, transport_cert, True, -- *args, **options) -+ True, *args, **options) - - - @register(no_fail=True) --- -2.43.0 - diff --git a/SOURCES/0020-Vault-improve-vault-server-archival-retrieval-calls-.patch b/SOURCES/0020-Vault-improve-vault-server-archival-retrieval-calls-.patch deleted file mode 100644 index 2fed594..0000000 
--- a/SOURCES/0020-Vault-improve-vault-server-archival-retrieval-calls-.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 84798137fabf75fe79aebbd97e4b8418de8ab0f2 Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Fri, 19 Jan 2024 18:15:28 +0100 -Subject: [PATCH] Vault: improve vault server archival/retrieval calls - error handling - -If a vault operation fails, the error message just says "InternalError". This commit -improves error handling of key archival and retrieval calls by catching the PKIException -error and raising it as an IPA error. - -Related: https://pagure.io/freeipa/issue/9191 - -Signed-off-by: Francisco Trivino -Reviewed-By: Rob Crittenden -(cherry picked from commit dc1ab53f0aa0398d493f7440b5ec4d70d9c7d663) ---- - ipaserver/plugins/vault.py | 40 +++++++++++++++++++++++++------------- - 1 file changed, 26 insertions(+), 14 deletions(-) - -diff --git a/ipaserver/plugins/vault.py b/ipaserver/plugins/vault.py -index 574c83a9a..13c4fac9a 100644 ---- a/ipaserver/plugins/vault.py -+++ b/ipaserver/plugins/vault.py -@@ -45,6 +45,7 @@ if api.env.in_server: - import pki.key - from pki.crypto import DES_EDE3_CBC_OID - from pki.crypto import AES_128_CBC_OID -+ from pki import PKIException - - if six.PY3: - unicode = str -@@ -1094,16 +1095,21 @@ class vault_archive_internal(PKQuery): - pki.key.KeyClient.KEY_STATUS_INACTIVE) - - # forward wrapped data to KRA -- kra_client.keys.archive_encrypted_data( -- client_key_id, -- pki.key.KeyClient.PASS_PHRASE_TYPE, -- wrapped_vault_data, -- wrapped_session_key, -- algorithm_oid=algorithm_oid, -- nonce_iv=nonce, -- ) -- -- kra_account.logout() -+ try: -+ kra_client.keys.archive_encrypted_data( -+ client_key_id, -+ pki.key.KeyClient.PASS_PHRASE_TYPE, -+ wrapped_vault_data, -+ wrapped_session_key, -+ algorithm_oid=algorithm_oid, -+ nonce_iv=nonce, -+ ) -+ except PKIException as e: -+ kra_account.logout() -+ raise errors.EncodingError( -+ message=_("Unable to archive key: %s") % e) -+ finally: -+ kra_account.logout() - - response = { - 'value': args[-1], -@@ -1174,11 +1180,17 @@ class 
vault_retrieve_internal(PKQuery): - kra_client.keys.encrypt_alg_oid = algorithm_oid - - # retrieve encrypted data from KRA -- key = kra_client.keys.retrieve_key( -- key_info.get_key_id(), -- wrapped_session_key) -+ try: - -- kra_account.logout() -+ key = kra_client.keys.retrieve_key( -+ key_info.get_key_id(), -+ wrapped_session_key) -+ except PKIException as e: -+ kra_account.logout() -+ raise errors.EncodingError( -+ message=_("Unable to retrieve key: %s") % e) -+ finally: -+ kra_account.logout() - - response = { - 'value': args[-1], --- -2.43.0 - diff --git a/SOURCES/0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch b/SOURCES/0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch deleted file mode 100644 index 42cc639..0000000 --- a/SOURCES/0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch +++ /dev/null 
@@ -1,98 +0,0 @@ -From a406fd9aec7d053c044e73f16b05489bebd84bc8 Mon Sep 17 00:00:00 2001 -From: Francisco Trivino -Date: Fri, 19 Jan 2024 17:12:07 +0100 -Subject: [PATCH] kra: set RSA-OAEP as default wrapping algo when FIPS is - enabled - -Vault uses PKCS1v15 as default padding wrapping algo, which is not an approved -FIPS algorithm. This commit ensures that KRA is installed with RSA-OAEP if FIPS -is enabled. It also handles upgrade path. - -Fixes: https://pagure.io/freeipa/issue/9191 - -Signed-off-by: Francisco Trivino -Reviewed-By: Rob Crittenden -(cherry picked from commit f2eec9eb208e62f923375b9eaf34fcc491046a0d) ---- - install/share/ipaca_default.ini | 3 +++ - ipaserver/install/dogtaginstance.py | 4 +++- - ipaserver/install/krainstance.py | 12 ++++++++++++ - ipaserver/install/server/upgrade.py | 12 ++++++++++++ - 4 files changed, 30 insertions(+), 1 deletion(-) - -diff --git a/install/share/ipaca_default.ini b/install/share/ipaca_default.ini -index 082f507b2..691f1e1b7 100644 ---- a/install/share/ipaca_default.ini -+++ b/install/share/ipaca_default.ini -@@ -166,3 +166,6 @@ pki_audit_signing_subject_dn=cn=KRA Audit,%(ipa_subject_base)s - # We will use the dbuser created for the CA. 
- pki_share_db=True - pki_share_dbuser_dn=uid=pkidbuser,ou=people,o=ipaca -+ -+# KRA padding, set RSA-OAEP in FIPS mode -+pki_use_oaep_rsa_keywrap=%(fips_use_oaep_rsa_keywrap)s -\ No newline at end of file -diff --git a/ipaserver/install/dogtaginstance.py b/ipaserver/install/dogtaginstance.py -index c2c6b3f49..c3c726f68 100644 ---- a/ipaserver/install/dogtaginstance.py -+++ b/ipaserver/install/dogtaginstance.py -@@ -1020,7 +1020,9 @@ class PKIIniLoader: - # for softhsm2 testing - softhsm2_so=paths.LIBSOFTHSM2_SO, - # Configure a more secure AJP password by default -- ipa_ajp_secret=ipautil.ipa_generate_password(special=None) -+ ipa_ajp_secret=ipautil.ipa_generate_password(special=None), -+ # in FIPS mode use RSA-OAEP wrapping padding algo as default -+ fips_use_oaep_rsa_keywrap=tasks.is_fips_enabled() - ) - - @classmethod -diff --git a/ipaserver/install/krainstance.py b/ipaserver/install/krainstance.py -index 13cb2dcaa..0e04840a1 100644 ---- a/ipaserver/install/krainstance.py -+++ b/ipaserver/install/krainstance.py -@@ -277,6 +277,18 @@ class KRAInstance(DogtagInstance): - - # A restart is required - -+ def enable_oaep_wrap_algo(self): -+ """ -+ Enable KRA OAEP key wrap algorithm -+ """ -+ with installutils.stopped_service('pki-tomcatd', 'pki-tomcat'): -+ directivesetter.set_directive( -+ self.config, -+ 'keyWrap.useOAEP', -+ 'true', quotes=False, separator='=') -+ -+ # A restart is required -+ - def update_cert_config(self, nickname, cert): - """ - When renewing a KRA subsystem certificate the configuration file -diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py -index e4dc7ae73..c84516b56 100644 ---- a/ipaserver/install/server/upgrade.py -+++ b/ipaserver/install/server/upgrade.py -@@ -1780,6 +1780,18 @@ def upgrade_configuration(): - else: - logger.info('ephemeralRequest is already enabled') - -+ if tasks.is_fips_enabled(): -+ logger.info('[Ensuring KRA OAEP wrap algo is enabled in FIPS]') -+ value = 
directivesetter.get_directive( -+ paths.KRA_CS_CFG_PATH, -+ 'keyWrap.useOAEP', -+ separator='=') -+ if value is None or value.lower() != 'true': -+ logger.info('Use the OAEP key wrap algo') -+ kra.enable_oaep_wrap_algo() -+ else: -+ logger.info('OAEP key wrap algo is already enabled') -+ - # several upgrade steps require running CA. If CA is configured, - # always run ca.start() because we need to wait until CA is really ready - # by checking status using http --- -2.43.0 - diff --git a/SOURCES/0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch b/SOURCES/0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch deleted file mode 100644 index 5745101..0000000 --- a/SOURCES/0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch +++ /dev/null @@ -1,29 +0,0 @@ -From a8e433f7c8d844d9f337a34db09b0197f2dbc5af Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Tue, 20 Feb 2024 15:14:24 +0100 -Subject: [PATCH] ipa-kdb: Fix double free in ipadb_reinit_mspac() - -Fixes: https://pagure.io/freeipa/issue/9535 - -Signed-off-by: Julien Rische -Reviewed-By: Florence Blanc-Renaud -(cherry picked from commit dd27d225524aa81c038a970961a4f878cf742e2a) ---- - daemons/ipa-kdb/ipa_kdb_mspac.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c -index deed513b9..0964d112a 100644 ---- a/daemons/ipa-kdb/ipa_kdb_mspac.c -+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c -@@ -3084,6 +3084,7 @@ ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_reinit, - } - - free(resstr); -+ resstr = NULL; - - flat_server_name = get_server_netbios_name(ipactx); - if (!flat_server_name) { --- -2.43.0 - diff --git a/SOURCES/0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch b/SOURCES/0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch deleted file mode 100644 index ec62165..0000000 
--- a/SOURCES/0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch +++ /dev/null 
@@ -1,392 +0,0 @@ -From b039f3087a13de3f34b230dbe29a7cfb1965700d Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Feb 23 2024 09:49:27 +0000 -Subject: rpcserver: validate Kerberos principal name before running kinit - - -Do minimal validation of the Kerberos principal name when passing it to -kinit command line tool. Also pass it as the final argument to prevent -option injection. - -Accepted Kerberos principals are: - - user names, using the following regexp - (username with optional @realm, no spaces or slashes in the name): - "(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$" - - - service names (with slash in the name but no spaces). Validation of - the hostname is done. There is no validation of the service name. - -The regular expression above also covers cases where a principal name -starts with '-'. This prevents option injection as well. - -This fixes CVE-2024-1481 - -Fixes: https://pagure.io/freeipa/issue/9541 - -Signed-off-by: Alexander Bokovoy -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py -index cc839ec..4ad4eaa 100644 ---- a/ipalib/install/kinit.py -+++ b/ipalib/install/kinit.py -@@ -6,12 +6,16 @@ from __future__ import absolute_import - - import logging - import os -+import re - import time - - import gssapi - - from ipaplatform.paths import paths - from ipapython.ipautil import run -+from ipalib.constants import PATTERN_GROUPUSER_NAME -+from ipalib.util import validate_hostname -+from ipalib import api - - logger = logging.getLogger(__name__) - -@@ -21,6 +25,40 @@ KRB5_KDC_UNREACH = 2529639068 - # A service is not available that s required to process the request - KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941 - -+PATTERN_REALM = '@?([a-zA-Z0-9.-]*)$' -+PATTERN_PRINCIPAL = '(' + PATTERN_GROUPUSER_NAME[:-1] + ')' + PATTERN_REALM -+PATTERN_SERVICE = '([a-zA-Z0-9.-]+)/([a-zA-Z0-9.-]+)' + 
PATTERN_REALM -+ -+user_pattern = re.compile(PATTERN_PRINCIPAL) -+service_pattern = re.compile(PATTERN_SERVICE) -+ -+ -+def validate_principal(principal): -+ if not isinstance(principal, str): -+ raise RuntimeError('Invalid principal: not a string') -+ if ('/' in principal) and (' ' in principal): -+ raise RuntimeError('Invalid principal: bad spacing') -+ else: -+ realm = None -+ match = user_pattern.match(principal) -+ if match is None: -+ match = service_pattern.match(principal) -+ if match is None: -+ raise RuntimeError('Invalid principal: cannot parse') -+ else: -+ # service = match[1] -+ hostname = match[2] -+ realm = match[3] -+ try: -+ validate_hostname(hostname) -+ except ValueError as e: -+ raise RuntimeError(str(e)) -+ else: # user match, validate realm -+ # username = match[1] -+ realm = match[2] -+ if realm and 'realm' in api.env and realm != api.env.realm: -+ raise RuntimeError('Invalid principal: realm mismatch') -+ - - def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): - """ -@@ -29,6 +67,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): - The optional parameter 'attempts' specifies how many times the credential - initialization should be attempted in case of non-responsive KDC. - """ -+ validate_principal(principal) - errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE, - KRB5_KDC_UNREACH} - logger.debug("Initializing principal %s using keytab %s", -@@ -65,6 +104,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): - - return None - -+ - def kinit_password(principal, password, ccache_name, config=None, - armor_ccache_name=None, canonicalize=False, - enterprise=False, lifetime=None): -@@ -73,8 +113,9 @@ def kinit_password(principal, password, ccache_name, config=None, - web-based authentication, use armor_ccache_path to specify http service - ccache. 
- """ -+ validate_principal(principal) - logger.debug("Initializing principal %s using password", principal) -- args = [paths.KINIT, principal, '-c', ccache_name] -+ args = [paths.KINIT, '-c', ccache_name] - if armor_ccache_name is not None: - logger.debug("Using armor ccache %s for FAST webauth", - armor_ccache_name) -@@ -91,6 +132,7 @@ def kinit_password(principal, password, ccache_name, config=None, - logger.debug("Using enterprise principal") - args.append('-E') - -+ args.extend(['--', principal]) - env = {'LC_ALL': 'C'} - if config is not None: - env['KRB5_CONFIG'] = config -@@ -154,6 +196,7 @@ def kinit_pkinit( - - :raises: CalledProcessError if PKINIT fails - """ -+ validate_principal(principal) - logger.debug( - "Initializing principal %s using PKINIT %s", principal, user_identity - ) -@@ -168,7 +211,7 @@ def kinit_pkinit( - assert pkinit_anchor.startswith(("FILE:", "DIR:", "ENV:")) - args.extend(["-X", f"X509_anchors={pkinit_anchor}"]) - args.extend(["-X", f"X509_user_identity={user_identity}"]) -- args.append(principal) -+ args.extend(['--', principal]) - - # this workaround enables us to capture stderr and put it - # into the raised exception in case of unsuccessful authentication -diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py -index 3555014..60bfa61 100644 ---- a/ipaserver/rpcserver.py -+++ b/ipaserver/rpcserver.py -@@ -1134,10 +1134,6 @@ class login_password(Backend, KerberosSession): - canonicalize=True, - lifetime=self.api.env.kinit_lifetime) - -- if armor_path: -- logger.debug('Cleanup the armor ccache') -- ipautil.run([paths.KDESTROY, '-A', '-c', armor_path], -- env={'KRB5CCNAME': armor_path}, raiseonerr=False) - except RuntimeError as e: - if ('kinit: Cannot read password while ' - 'getting initial credentials') in str(e): -@@ -1155,6 +1151,11 @@ class login_password(Backend, KerberosSession): - raise KrbPrincipalWrongFAST(principal=principal) - raise InvalidSessionPassword(principal=principal, - message=unicode(e)) -+ finally: -+ 
if armor_path: -+ logger.debug('Cleanup the armor ccache') -+ ipautil.run([paths.KDESTROY, '-A', '-c', armor_path], -+ env={'KRB5CCNAME': armor_path}, raiseonerr=False) - - - class change_password(Backend, HTTP_Status): -diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml -index 91be057..400a248 100644 ---- a/ipatests/prci_definitions/gating.yaml -+++ b/ipatests/prci_definitions/gating.yaml -@@ -310,3 +310,15 @@ jobs: - template: *ci-ipa-4-9-latest - timeout: 3600 - topology: *master_1repl_1client -+ -+ fedora-latest-ipa-4-9/test_ipalib_install: -+ requires: [fedora-latest-ipa-4-9/build] -+ priority: 100 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-latest-ipa-4-9/build_url}' -+ test_suite: test_ipalib_install/test_kinit.py -+ template: *ci-ipa-4-9-latest -+ timeout: 600 -+ topology: *master_1repl -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -index b2ab765..7c03a48 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml -@@ -1801,3 +1801,15 @@ jobs: - template: *ci-ipa-4-9-latest - timeout: 5000 - topology: *master_2repl_1client -+ -+ fedora-latest-ipa-4-9/test_ipalib_install: -+ requires: [fedora-latest-ipa-4-9/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-latest-ipa-4-9/build_url}' -+ test_suite: test_ipalib_install/test_kinit.py -+ template: *ci-ipa-4-9-latest -+ timeout: 600 -+ topology: *master_1repl -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -index b7b3d3b..802bd2a 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml -@@ -1944,3 +1944,16 @@ jobs: - template: *ci-ipa-4-9-latest - timeout: 5000 - topology: *master_2repl_1client -+ -+ 
fedora-latest-ipa-4-9/test_ipalib_install: -+ requires: [fedora-latest-ipa-4-9/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-latest-ipa-4-9/build_url}' -+ selinux_enforcing: True -+ test_suite: test_ipalib_install/test_kinit.py -+ template: *ci-ipa-4-9-latest -+ timeout: 600 -+ topology: *master_1repl -diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -index eb3849e..1e1adb8 100644 ---- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml -@@ -1801,3 +1801,15 @@ jobs: - template: *ci-ipa-4-9-previous - timeout: 5000 - topology: *master_2repl_1client -+ -+ fedora-previous-ipa-4-9/test_ipalib_install: -+ requires: [fedora-previous-ipa-4-9/build] -+ priority: 50 -+ job: -+ class: RunPytest -+ args: -+ build_url: '{fedora-previous-ipa-4-9/build_url}' -+ test_suite: test_ipalib_install/test_kinit.py -+ template: *ci-ipa-4-9-previous -+ timeout: 600 -+ topology: *master_1repl -diff --git a/ipatests/setup.py b/ipatests/setup.py -index 6217a1b..0aec4a7 100644 ---- a/ipatests/setup.py -+++ b/ipatests/setup.py -@@ -41,6 +41,7 @@ if __name__ == '__main__': - "ipatests.test_integration", - "ipatests.test_ipaclient", - "ipatests.test_ipalib", -+ "ipatests.test_ipalib_install", - "ipatests.test_ipaplatform", - "ipatests.test_ipapython", - "ipatests.test_ipaserver", -diff --git a/ipatests/test_ipalib_install/__init__.py b/ipatests/test_ipalib_install/__init__.py -new file mode 100644 -index 0000000..e69de29 ---- /dev/null -+++ b/ipatests/test_ipalib_install/__init__.py -diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py -new file mode 100644 -index 0000000..f89ea17 ---- /dev/null -+++ b/ipatests/test_ipalib_install/test_kinit.py -@@ -0,0 +1,29 @@ -+# -+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license -+# -+"""Tests for 
ipalib.install.kinit module -+""" -+ -+import pytest -+ -+from ipalib.install.kinit import validate_principal -+ -+ -+# None means no exception is expected -+@pytest.mark.parametrize('principal, exception', [ -+ ('testuser', None), -+ ('testuser@EXAMPLE.TEST', None), -+ ('test/ipa.example.test', None), -+ ('test/ipa.example.test@EXAMPLE.TEST', None), -+ ('test/ipa@EXAMPLE.TEST', RuntimeError), -+ ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError), -+ ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError), -+ ('test /ipa.example,test', RuntimeError), -+ ('testuser@OTHER.TEST', RuntimeError), -+ ('test/ipa.example.test@OTHER.TEST', RuntimeError), -+]) -+def test_validate_principal(principal, exception): -+ try: -+ validate_principal(principal) -+ except Exception as e: -+ assert e.__class__ == exception - -From 96a478bbedd49c31e0f078f00f2d1cb55bb952fd Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Feb 23 2024 09:49:27 +0000 -Subject: validate_principal: Don't try to verify that the realm is known - - -The actual value is less important than whether it matches the -regular expression. A number of legal but difficult to know in -context realms could be passed in here (trust for example). 
- -This fixes CVE-2024-1481 - -Fixes: https://pagure.io/freeipa/issue/9541 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py -index 4ad4eaa..d5fb56b 100644 ---- a/ipalib/install/kinit.py -+++ b/ipalib/install/kinit.py -@@ -15,7 +15,6 @@ from ipaplatform.paths import paths - from ipapython.ipautil import run - from ipalib.constants import PATTERN_GROUPUSER_NAME - from ipalib.util import validate_hostname --from ipalib import api - - logger = logging.getLogger(__name__) - -@@ -39,7 +38,9 @@ def validate_principal(principal): - if ('/' in principal) and (' ' in principal): - raise RuntimeError('Invalid principal: bad spacing') - else: -- realm = None -+ # For a user match in the regex -+ # username = match[1] -+ # realm = match[2] - match = user_pattern.match(principal) - if match is None: - match = service_pattern.match(principal) -@@ -48,16 +49,11 @@ def validate_principal(principal): - else: - # service = match[1] - hostname = match[2] -- realm = match[3] -+ # realm = match[3] - try: - validate_hostname(hostname) - except ValueError as e: - raise RuntimeError(str(e)) -- else: # user match, validate realm -- # username = match[1] -- realm = match[2] -- if realm and 'realm' in api.env and realm != api.env.realm: -- raise RuntimeError('Invalid principal: realm mismatch') - - - def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1): -diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py -index f89ea17..8289c4b 100644 ---- a/ipatests/test_ipalib_install/test_kinit.py -+++ b/ipatests/test_ipalib_install/test_kinit.py -@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal - ('test/ipa.example.test@EXAMPLE.TEST', None), - ('test/ipa@EXAMPLE.TEST', RuntimeError), - ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError), -- ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError), -+ 
('test/ipa.1example.test@EXAMPLE.TEST', None), - ('test /ipa.example,test', RuntimeError), -- ('testuser@OTHER.TEST', RuntimeError), -- ('test/ipa.example.test@OTHER.TEST', RuntimeError), -+ ('testuser@OTHER.TEST', None), -+ ('test/ipa.example.test@OTHER.TEST', None) - ]) - def test_validate_principal(principal, exception): - try: - validate_principal(principal) - except Exception as e: - assert e.__class__ == exception -+ else: -+ if exception is not None: -+ raise RuntimeError('Test should have failed') - diff --git a/SOURCES/0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch b/SOURCES/0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch deleted file mode 100644 index f98e287..0000000 --- a/SOURCES/0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From d7c1ba0672fc8964f7674a526f3019429a551372 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mar 06 2024 08:34:57 +0000 -Subject: Vault: add additional fallback to RSA-OAEP wrapping algo - - -There is a fallback when creating the wrapping key but one was missing -when trying to use the cached transport_cert. - -This allows, along with forcing keyWrap.useOAEP=true, vault creation -on an nCipher HSM. - -This can be seen in HSMs where the device doesn't support the -PKCS#1 v1.5 mechanism. It will error out with either "invalid -algorithm" or CKR_FUNCTION_FAILED. - -Related: https://pagure.io/freeipa/issue/9191 - -Signed-off-by: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py -index ed16c73..1523187 100644 ---- a/ipaclient/plugins/vault.py -+++ b/ipaclient/plugins/vault.py -@@ -757,8 +757,12 @@ class ModVaultData(Local): - Calls the internal counterpart of the command. - """ - # try call with cached transport certificate -- result = self._do_internal(algo, transport_cert, False, -- False, *args, **options) -+ try: -+ result = self._do_internal(algo, transport_cert, False, -+ False, *args, **options) -+ except errors.EncodingError: -+ result = self._do_internal(algo, transport_cert, False, -+ True, *args, **options) - if result is not None: - return result - - diff --git a/SOURCES/0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch b/SOURCES/0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch deleted file mode 100644 index 5bd2477..0000000 --- a/SOURCES/0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 656a11ae961f8d1afad54567cfe8ccb53e084a67 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Mar 20 2024 10:06:07 +0000 -Subject: dcerpc: invalidate forest trust info cache when filtering out realm domains - - -When get_realmdomains() method is called, it will filter out subdomains -of the IPA primary domain. This is required because Active Directory -domain controllers are assuming subdomains already covered by the main -domain namespace. - -[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the -method of validating the forest trust information. They are the same as -rules in [MS-ADTS] section 6.1.6. Specifically, - - - A top-level name must not be superior to an enabled top-level name - for another trusted domain object, unless the current trusted domain - object has a corresponding exclusion record. - -In practice, we filtered those subdomains already but the code wasn't -invalidating a previously retrieved forest trust information. - -Fixes: https://pagure.io/freeipa/issue/9551 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud - ---- - -diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py -index b6139db..7ee553d 100644 ---- a/ipaserver/dcerpc.py -+++ b/ipaserver/dcerpc.py -@@ -1103,6 +1103,7 @@ class TrustDomainInstance: - - info.count = len(ftinfo_records) - info.entries = ftinfo_records -+ another_domain.ftinfo_data = info - return info - - def clear_ftinfo_conflict(self, another_domain, cinfo): -@@ -1778,6 +1779,7 @@ class TrustDomainJoins: - return - - self.local_domain.ftinfo_records = [] -+ self.local_domain.ftinfo_data = None - - realm_domains = self.api.Command.realmdomains_show()['result'] - # Use realmdomains' modification timestamp - diff --git a/SOURCES/0026-backport-test-fixes_rhel#29908.patch b/SOURCES/0026-backport-test-fixes_rhel#29908.patch deleted file mode 100644 index 20aacdd..0000000 --- a/SOURCES/0026-backport-test-fixes_rhel#29908.patch +++ /dev/null 
@@ -1,335 +0,0 @@ -From 3bba254ccdcf9b62fdd8a6d71baecf37c97c300c Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 3 Apr 2023 08:37:28 +0200 -Subject: [PATCH] ipatests: mark known failures for autoprivategroup - -Two tests have known issues in test_trust.py with sssd 2.8.2+: -- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group -(when called with the "hybrid" parameter) -- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default -(when called with the "true" parameter) - -Related: https://pagure.io/freeipa/issue/9295 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipatests/test_integration/test_trust.py | 17 ++++++++++++----- - 1 file changed, 12 insertions(+), 5 deletions(-) - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 0d5b71cb0..12f000c1a 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -1154,11 +1154,15 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): - self.gid_override - ): - self.mod_idrange_auto_private_group(type) -- (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) -- assert (uid == self.uid_override and gid == self.gid_override) -+ sssd_version = tasks.get_sssd_version(self.clients[0]) -+ bad_version = sssd_version >= tasks.parse_version("2.8.2") -+ cond = (type == 'hybrid') and bad_version -+ with xfail_context(condition=cond, -+ reason="https://pagure.io/freeipa/issue/9295"): -+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser) -+ assert (uid == self.uid_override and gid == self.gid_override) - test_group = self.clients[0].run_command( - ["id", nonposixuser]).stdout_text -- # version = tasks.get_sssd_version(self.clients[0]) - with xfail_context(type == "hybrid", - 'https://github.com/SSSD/sssd/issues/5989'): - assert "domain users@{0}".format(self.ad_domain) in test_group -@@ -1232,8 +1236,11 @@ class 
TestPosixAutoPrivateGroup(BaseTestTrust): - posixuser = "testuser1@%s" % self.ad_domain - self.mod_idrange_auto_private_group(type) - if type == "true": -- (uid, gid) = self.get_user_id(self.clients[0], posixuser) -- assert uid == gid -+ sssd_version = tasks.get_sssd_version(self.clients[0]) -+ with xfail_context(sssd_version >= tasks.parse_version("2.8.2"), -+ "https://pagure.io/freeipa/issue/9295"): -+ (uid, gid) = self.get_user_id(self.clients[0], posixuser) -+ assert uid == gid - else: - for host in [self.master, self.clients[0]]: - result = host.run_command(['id', posixuser], raiseonerr=False) --- -2.44.0 - -From ed2a8eb0cefadfe0544074114facfef381349ae0 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Feb 12 2024 10:43:39 +0000 -Subject: ipatests: add xfail for autoprivate group test with override - - -Because of SSSD issue 7169, secondary groups are not -retrieved when autoprivate group is set and an idoverride -replaces the user's primary group. -Mark the known issues as xfail. 
- -Related: https://github.com/SSSD/sssd/issues/7169 - -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Anuja More - ---- - -diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 3b9f0fb..2b94514 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -1164,8 +1164,12 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): - assert (uid == self.uid_override and gid == self.gid_override) - test_group = self.clients[0].run_command( - ["id", nonposixuser]).stdout_text -- with xfail_context(type == "hybrid", -- 'https://github.com/SSSD/sssd/issues/5989'): -+ cond2 = ((type == 'false' -+ and sssd_version >= tasks.parse_version("2.9.4")) -+ or type == 'hybrid') -+ with xfail_context(cond2, -+ 'https://github.com/SSSD/sssd/issues/5989 ' -+ 'and 7169'): - assert "domain users@{0}".format(self.ad_domain) in test_group - - @pytest.mark.parametrize('type', ['hybrid', 'true', "false"]) -@@ -1287,5 +1291,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust): - assert(uid == self.uid_override - and gid == self.gid_override) - result = self.clients[0].run_command(['id', posixuser]) -- assert "10047(testgroup@{0})".format( -- self.ad_domain) in result.stdout_text -+ sssd_version = tasks.get_sssd_version(self.clients[0]) -+ bad_version = sssd_version >= tasks.parse_version("2.9.4") -+ with xfail_context(bad_version and type in ('false', 'hybrid'), -+ "https://github.com/SSSD/sssd/issues/7169"): -+ assert "10047(testgroup@{0})".format( -+ self.ad_domain) in result.stdout_text - -From d5392300d77170ea3202ee80690ada8bf81b60b5 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Feb 12 2024 10:44:47 +0000 -Subject: ipatests: remove xfail thanks to sssd 2.9.4 - - -SSSD 2.9.4 fixes some issues related to auto-private-group - -Related: https://pagure.io/freeipa/issue/9295 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Anuja More - ---- - -diff --git 
a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py -index 12f000c..3b9f0fb 100644 ---- a/ipatests/test_integration/test_trust.py -+++ b/ipatests/test_integration/test_trust.py -@@ -1155,7 +1155,8 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust): - ): - self.mod_idrange_auto_private_group(type) - sssd_version = tasks.get_sssd_version(self.clients[0]) -- bad_version = sssd_version >= tasks.parse_version("2.8.2") -+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version -+ < tasks.parse_version("2.9.4")) - cond = (type == 'hybrid') and bad_version - with xfail_context(condition=cond, - reason="https://pagure.io/freeipa/issue/9295"): -@@ -1237,7 +1238,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust): - self.mod_idrange_auto_private_group(type) - if type == "true": - sssd_version = tasks.get_sssd_version(self.clients[0]) -- with xfail_context(sssd_version >= tasks.parse_version("2.8.2"), -+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version -+ < tasks.parse_version("2.9.4")) -+ with xfail_context(bad_version, - "https://pagure.io/freeipa/issue/9295"): - (uid, gid) = self.get_user_id(self.clients[0], posixuser) - assert uid == gid - -From 34d048ede0c439b3a53e02f8ace96ff91aa1609d Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mar 14 2023 16:50:25 +0000 -Subject: ipatests: adapt for new automembership fixup behavior - - -The automembership fixup task now needs to be called -with --cleanup argument when the user expects automember -to remove user/hosts from automember groups. -Update the test to call create a cleanup task equivalent to -dsconf plugin automember fixup --cleanup -when it is needed. 
- -Fixes: https://pagure.io/freeipa/issue/9313 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden - ---- - -diff --git a/ipatests/test_integration/test_automember.py b/ipatests/test_integration/test_automember.py -index 7acd0d7..8b27f4d 100644 ---- a/ipatests/test_integration/test_automember.py -+++ b/ipatests/test_integration/test_automember.py -@@ -4,6 +4,7 @@ - """This covers tests for automemberfeature.""" - - from __future__ import absolute_import -+import uuid - - from ipapython.dn import DN - -@@ -211,11 +212,27 @@ class TestAutounmembership(IntegrationTest): - # Running automember-build so that user is part of correct group - result = self.master.run_command(['ipa', 'automember-rebuild', - '--users=%s' % user2]) -+ assert msg in result.stdout_text -+ -+ # The additional --cleanup argument is required -+ cleanup_ldif = ( -+ "dn: cn={cn},cn=automember rebuild membership," -+ "cn=tasks,cn=config\n" -+ "changetype: add\n" -+ "objectclass: top\n" -+ "objectclass: extensibleObject\n" -+ "basedn: cn=users,cn=accounts,{suffix}\n" -+ "filter: (uid={user})\n" -+ "cleanup: yes\n" -+ "scope: sub" -+ ).format(cn=str(uuid.uuid4()), -+ suffix=str(self.master.domain.basedn), -+ user=user2) -+ tasks.ldapmodify_dm(self.master, cleanup_ldif) -+ - assert self.is_user_member_of_group(user2, group2) - assert not self.is_user_member_of_group(user2, group1) - -- assert msg in result.stdout_text -- - finally: - # testcase cleanup - self.remove_user_automember(user2, raiseonerr=False) -@@ -248,11 +265,27 @@ class TestAutounmembership(IntegrationTest): - result = self.master.run_command( - ['ipa', 'automember-rebuild', '--hosts=%s' % host2] - ) -+ assert msg in result.stdout_text -+ -+ # The additional --cleanup argument is required -+ cleanup_ldif = ( -+ "dn: cn={cn},cn=automember rebuild membership," -+ "cn=tasks,cn=config\n" -+ "changetype: add\n" -+ "objectclass: top\n" -+ "objectclass: extensibleObject\n" -+ "basedn: 
cn=computers,cn=accounts,{suffix}\n" -+ "filter: (fqdn={fqdn})\n" -+ "cleanup: yes\n" -+ "scope: sub" -+ ).format(cn=str(uuid.uuid4()), -+ suffix=str(self.master.domain.basedn), -+ fqdn=host2) -+ tasks.ldapmodify_dm(self.master, cleanup_ldif) -+ - assert self.is_host_member_of_hostgroup(host2, hostgroup2) - assert not self.is_host_member_of_hostgroup(host2, hostgroup1) - -- assert msg in result.stdout_text -- - finally: - # testcase cleanup - self.remove_host_automember(host2, raiseonerr=False) - -From 9b777390fbb6d4c683bf7d3e5f74d5443209b1d5 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 24 Mar 2023 08:15:00 +0200 -Subject: [PATCH] test_xmlrpc: adopt to automember plugin message changes in - 389-ds - -Another change in automember plugin messaging that breaks FreeIPA tests. -Use common substring to match. - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - ipatests/test_xmlrpc/xmlrpc_test.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py -index cf11721bfca..5fe1245dc65 100644 ---- a/ipatests/test_xmlrpc/xmlrpc_test.py -+++ b/ipatests/test_xmlrpc/xmlrpc_test.py -@@ -64,7 +64,7 @@ def test(xs): - - # Matches an automember task finish message - fuzzy_automember_message = Fuzzy( -- r'^Automember rebuild task finished\. Processed \(\d+\) entries\.$' -+ r'^Automember rebuild task finished\. Processed \(\d+\) entries' - ) - - # Matches trusted domain GUID, like u'463bf2be-3456-4a57-979e-120304f2a0eb' -From 8e8b97a2251329aec9633a5c7c644bc5034bc8c2 Mon Sep 17 00:00:00 2001 -From: Sudhir Menon -Date: Wed, 20 Mar 2024 14:29:46 +0530 -Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation - testcases. - -Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt -which causes error in STIG mode. - -[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . 
-f /etc/ipa/nssdb/pwdfile.txt -Incorrect password/PIN entered. - -Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt. - -Signed-off-by: Sudhir Menon -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden ---- - ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py -index 8aae9fad776..a96de7088aa 100644 ---- a/ipatests/test_integration/test_ipahealthcheck.py -+++ b/ipatests/test_integration/test_ipahealthcheck.py -@@ -2731,17 +2731,18 @@ def remove_server_cert(self): - Fixture to remove Server cert and revert the change. - """ - instance = realm_to_serverid(self.master.domain.realm) -+ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance - self.master.run_command( - [ - "certutil", - "-L", - "-d", -- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, -+ instance_dir, - "-n", - "Server-Cert", - "-a", - "-o", -- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance -+ instance_dir - + "/Server-Cert.pem", - ] - ) -@@ -2760,15 +2761,15 @@ def remove_server_cert(self): - [ - "certutil", - "-d", -- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance, -+ instance_dir, - "-A", - "-i", -- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance -+ instance_dir - + "/Server-Cert.pem", - "-t", - "u,u,u", - "-f", -- paths.IPA_NSSDB_PWDFILE_TXT, -+ "%s/pwdfile.txt" % instance_dir, - "-n", - "Server-Cert", - ] diff --git a/SOURCES/0027-kdb-fix-vulnerability-in-GCD-rules-handling.patch b/SOURCES/0027-kdb-fix-vulnerability-in-GCD-rules-handling.patch deleted file mode 100644 index 028fc04..0000000 --- a/SOURCES/0027-kdb-fix-vulnerability-in-GCD-rules-handling.patch +++ /dev/null 
@@ -1,341 +0,0 @@ -From 0a48726e104282fb40d8f471ebb306bc9134cb0c Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Tue, 19 Mar 2024 12:24:40 +0100 -Subject: [PATCH] kdb: fix vulnerability in GCD rules handling - -The initial implementation of MS-SFU by MIT Kerberos was missing some -a condition for granting the "forwardable" flag on S4U2Self tickets. -Fixing this mistake required to add a special case for the -check_allowed_to_delegate() function: if the target service argument is -NULL, then it means the KDC is probing for general constrained -delegation rules, not actually checking a specific S4U2Proxy request. - -In commit e86807b5, the behavior of ipadb_match_acl() was modified to -match the changes from upstream MIT Kerberos a441fbe3. However, a -mistake resulted in this mechanism to apply in cases where target -service argument is set AND unset. This results in S4U2Proxy requests to -be accepted regardless of the fact there is a matching service -delegation rule or not. - -This vulnerability does not affect services having RBCD (resource-based -constrained delegation) rules. - -This fixes CVE-2024-2698 - -Signed-off-by: Julien Rische ---- - daemons/ipa-kdb/README.s4u2proxy.txt | 19 ++- - daemons/ipa-kdb/ipa_kdb_delegation.c | 191 +++++++++++++++------------ - 2 files changed, 118 insertions(+), 92 deletions(-) - -diff --git a/daemons/ipa-kdb/README.s4u2proxy.txt b/daemons/ipa-kdb/README.s4u2proxy.txt -index 254fcc4d1..ab34aff36 100644 ---- a/daemons/ipa-kdb/README.s4u2proxy.txt -+++ b/daemons/ipa-kdb/README.s4u2proxy.txt -@@ -12,9 +12,7 @@ much more easily managed. - - The grouping mechanism has been built so that lookup is highly optimized - and is basically reduced to a single search that uses the derefernce --control. Speed is very important in this case because KDC operations --time out very quickly and unless we add a caching layer in ipa-kdb we --must keep the number of searches down to avoid client timeouts. -+control. 
- - The grouping mechanism is very simple a groupOfPrincipals object is - introduced, this Auxiliary class have a single optional attribute called -@@ -112,8 +110,7 @@ kinit -kt /etc/httpd/conf/ipa.keytab HTTP/ipaserver.example.com - kvno -U admin HTTP/ipaserver.example.com - - # Perform S4U2Proxy --kvno -k /etc/httpd/conf/ipa.keytab -U admin -P HTTP/ipaserver.example.com --ldap/ipaserver.example.com -+kvno -U admin -P ldap/ipaserver.example.com - - - If this works it means you successfully impersonated the admin user with -@@ -125,6 +122,18 @@ modprinc -ok_to_auth_as_delegate HTTP/ipaserver.example.com - Simo. - - -+If IPA is compiled with krb5 1.20 and newer (KDB DAL >= 9), then the -+behavior of S4U2Self changes: S4U2Self TGS-REQs produce forwardable -+tickets for all requesters, except if the requester principal is set as -+the proxy (impersonating service) in at least one `servicedelegation` -+rule. In this case, even if the rule has no target, the KDC will -+response to S4U2Self requests with a non-forwardable ticket. Hence, -+granting the `ok_to_auth_as_delegate` permission to the proxy service -+remains the only way for this service to obtain the evidence ticket -+required for general constrained delegation requests if this ticket is -+not provided by the client. -+ -+ - [1] - Note that here I use the term proxy in a different way than it is used in - the krb interfaces. 
It may seem a bit confusing but I think people will -diff --git a/daemons/ipa-kdb/ipa_kdb_delegation.c b/daemons/ipa-kdb/ipa_kdb_delegation.c -index de82174ad..3581f3c79 100644 ---- a/daemons/ipa-kdb/ipa_kdb_delegation.c -+++ b/daemons/ipa-kdb/ipa_kdb_delegation.c -@@ -91,120 +91,110 @@ static bool ipadb_match_member(char *princ, LDAPDerefRes *dres) - return false; - } - --static krb5_error_code ipadb_match_acl(krb5_context kcontext, -- LDAPMessage *results, -- krb5_const_principal client, -- krb5_const_principal target) -+#if KRB5_KDB_DAL_MAJOR_VERSION >= 9 -+static krb5_error_code -+ipadb_has_acl(krb5_context kcontext, LDAPMessage *ldap_acl, bool *res) - { - struct ipadb_context *ipactx; -- krb5_error_code kerr; -- LDAPMessage *lentry; -- LDAPDerefRes *deref_results; -- LDAPDerefRes *dres; -- char *client_princ = NULL; -- char *target_princ = NULL; -- bool client_missing; -- bool client_found; -- bool target_found; -- bool is_constraint_delegation = false; -- size_t nrules = 0; -- int ret; -+ bool in_res = false; -+ krb5_error_code kerr = 0; - - ipactx = ipadb_get_context(kcontext); -- if (!ipactx) { -+ if (!ipactx) - return KRB5_KDB_DBNOTINITED; -- } - -- if ((client != NULL) && (target != NULL)) { -- kerr = krb5_unparse_name(kcontext, client, &client_princ); -- if (kerr != 0) { -- goto done; -- } -- kerr = krb5_unparse_name(kcontext, target, &target_princ); -- if (kerr != 0) { -- goto done; -- } -- } else { -- is_constraint_delegation = true; -+ switch (ldap_count_entries(ipactx->lcontext, ldap_acl)) { -+ case 0: -+ break; -+ case -1: -+ kerr = EINVAL; -+ goto end; -+ default: -+ in_res = true; -+ goto end; - } - -- lentry = ldap_first_entry(ipactx->lcontext, results); -- if (!lentry) { -- kerr = ENOENT; -- goto done; -- } -+end: -+ if (res) -+ *res = in_res; -+ -+ return kerr; -+} -+#endif -+ -+static krb5_error_code -+ipadb_match_acl(krb5_context kcontext, LDAPMessage *ldap_acl, -+ krb5_const_principal client, krb5_const_principal target) -+{ -+ struct 
ipadb_context *ipactx; -+ LDAPMessage *rule; -+ LDAPDerefRes *acis, *aci; -+ char *client_princ = NULL, *target_princ= NULL; -+ bool client_missing, client_found, target_found; -+ int lerr; -+ krb5_error_code kerr; -+ -+ ipactx = ipadb_get_context(kcontext); -+ if (!ipactx) -+ return KRB5_KDB_DBNOTINITED; -+ -+ kerr = krb5_unparse_name(kcontext, client, &client_princ); -+ if (kerr) -+ goto end; -+ -+ kerr = krb5_unparse_name(kcontext, target, &target_princ); -+ if (kerr) -+ goto end; - - /* the default is that we fail */ -- kerr = ENOENT; -+ kerr = KRB5KDC_ERR_BADOPTION; - -- while (lentry) { -+ for (rule = ldap_first_entry(ipactx->lcontext, ldap_acl); -+ rule; -+ rule = ldap_next_entry(ipactx->lcontext, rule)) -+ { - /* both client and target must be found in the same ACI */ - client_missing = true; - client_found = false; - target_found = false; - -- ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, -- &deref_results); -- switch (ret) { -+ lerr = ipadb_ldap_deref_results(ipactx->lcontext, rule, &acis); -+ switch (lerr) { - case 0: -- for (dres = deref_results; dres; dres = dres->next) { -- nrules++; -- if (is_constraint_delegation) { -- /* -- Microsoft revised the S4U2Proxy rules for forwardable -- tickets. All S4U2Proxy operations require forwardable -- evidence tickets, but S4U2Self should issue a -- forwardable ticket if the requesting service has no -- ok-to-auth-as-delegate bit but also no constrained -- delegation privileges for traditional S4U2Proxy. -- Implement these rules, extending the -- check_allowed_to_delegate() DAL method so that the KDC -- can ask if a principal has any delegation privileges. 
-- -- Since target principal is NULL and client principal is -- NULL in this case, we simply calculate number of rules associated -- with the server principal to decide whether to deny forwardable bit -- */ -- continue; -- } -- if (client_found == false && -- strcasecmp(dres->derefAttr, "ipaAllowToImpersonate") == 0) { -+ for (aci = acis; aci; aci = aci->next) { -+ if (!client_found && -+ 0 == strcasecmp(aci->derefAttr, "ipaAllowToImpersonate")) -+ { - /* NOTE: client_missing is used to signal that the - * attribute was completely missing. This signals that - * ANY client is allowed to be impersonated. - * This logic is valid only for clients, not for targets */ - client_missing = false; -- client_found = ipadb_match_member(client_princ, dres); -+ client_found = ipadb_match_member(client_princ, aci); - } -- if (target_found == false && -- strcasecmp(dres->derefAttr, "ipaAllowedTarget") == 0) { -- target_found = ipadb_match_member(target_princ, dres); -+ if (!target_found && -+ 0 == strcasecmp(aci->derefAttr, "ipaAllowedTarget")) -+ { -+ target_found = ipadb_match_member(target_princ, aci); - } - } - -- ldap_derefresponse_free(deref_results); -+ ldap_derefresponse_free(acis); - break; - case ENOENT: - break; - default: -- kerr = ret; -- goto done; -+ kerr = lerr; -+ goto end; - } - -- if ((client_found == true || client_missing == true) && -- target_found == true) { -+ if ((client_found || client_missing) && target_found) { - kerr = 0; -- goto done; -+ goto end; - } -- -- lentry = ldap_next_entry(ipactx->lcontext, lentry); -- } -- -- if (nrules > 0) { -- kerr = 0; - } - --done: -+end: - krb5_free_unparsed_name(kcontext, client_princ); - krb5_free_unparsed_name(kcontext, target_princ); - return kerr; -@@ -223,7 +213,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext, - char *srv_principal = NULL; - krb5_db_entry *proxy_entry = NULL; - struct ipadb_e_data *ied_server, *ied_proxy; -- LDAPMessage *res = NULL; -+ LDAPMessage *ldap_gcd_acl = NULL; 
- - if (proxy != NULL) { - /* Handle the case where server == proxy, this is allowed in S4U */ -@@ -261,26 +251,53 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext, - goto done; - } - -- kerr = ipadb_get_delegation_acl(kcontext, srv_principal, &res); -+ /* Load general constrained delegation rules */ -+ kerr = ipadb_get_delegation_acl(kcontext, srv_principal, &ldap_gcd_acl); - if (kerr) { - goto done; - } - -- kerr = ipadb_match_acl(kcontext, res, client, proxy); -- if (kerr) { -- goto done; -+#if KRB5_KDB_DAL_MAJOR_VERSION >= 9 -+ /* -+ * Microsoft revised the S4U2Proxy rules for forwardable tickets. All -+ * S4U2Proxy operations require forwardable evidence tickets, but -+ * S4U2Self should issue a forwardable ticket if the requesting service -+ * has no ok-to-auth-as-delegate bit but also no constrained delegation -+ * privileges for traditional S4U2Proxy. Implement these rules, -+ * extending the check_allowed_to_delegate() DAL method so that the KDC -+ * can ask if a principal has any delegation privileges. -+ * -+ * If target service principal is NULL, and the impersonating service has -+ * at least one GCD rule, then succeed. -+ */ -+ if (!proxy) { -+ bool has_gcd_rules; -+ -+ kerr = ipadb_has_acl(kcontext, ldap_gcd_acl, &has_gcd_rules); -+ if (!kerr) -+ kerr = has_gcd_rules ? 
0 : KRB5KDC_ERR_BADOPTION; -+ } else if (client) { -+#else -+ if (client && proxy) { -+#endif -+ kerr = ipadb_match_acl(kcontext, ldap_gcd_acl, client, proxy); -+ } else { -+ /* client and/or proxy is missing */ -+ kerr = KRB5KDC_ERR_BADOPTION; - } -+ if (kerr) -+ goto done; - - done: - if (kerr) { --#if KRB5_KDB_DAL_MAJOR_VERSION < 9 -- kerr = KRB5KDC_ERR_POLICY; --#else -+#if KRB5_KDB_DAL_MAJOR_VERSION >= 9 - kerr = KRB5KDC_ERR_BADOPTION; -+#else -+ kerr = KRB5KDC_ERR_POLICY; - #endif - } - ipadb_free_principal(kcontext, proxy_entry); - krb5_free_unparsed_name(kcontext, srv_principal); -- ldap_msgfree(res); -+ ldap_msgfree(ldap_gcd_acl); - return kerr; - } --- -2.44.0 - diff --git a/SOURCES/0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch b/SOURCES/0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch deleted file mode 100644 index d4c98a6..0000000 --- a/SOURCES/0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch +++ /dev/null 
@@ -1,615 +0,0 @@ -From 542e12325afc2f64298f90296760235bfdcef04a Mon Sep 17 00:00:00 2001 -From: Julien Rische -Date: Mon, 25 Mar 2024 18:25:52 +0200 -Subject: [PATCH] kdb: apply combinatorial logic for ticket flags - -The initial design for ticket flags was implementing this logic: -* If a ticket policy is defined for the principal entry, use flags from - this policy if they are set. Otherwise, use default ticket flags. -* If no ticket policy is defined for the principal entry, but there is a - global one, use flags from the global ticket policy if they are set. - Otherwise, use default ticket flags. -* If no policy (principal nor global) is defined, use default ticket - flags. - -However, this logic was broken by a1165ffb which introduced creation of -a principal-level ticket policy in case the ticket flag set is modified. -This was typically the case for the -allow_tix flag, which was set -virtually by the KDB driver when a user was locked until they initialize -their password on first kinit pre-authentication. - -This was causing multiple issues, which are mitigated by the new -approach: - -Now flags from each level are combined together. There flags like -+requires_preauth which are set systematically by the KDB diver, as -well as -allow_tix which is set based on the value of "nsAccountLock". -This commit also adds the implicit -allow_svr ticket flag for user -principals to protect users against Kerberoast-type attacks. None of -these flags are stored in the LDAP database, they are hard-coded in the -KDB driver. - -In addition to these "virtual" ticket flags, flags from both global and -principal ticket policies are applied (if these policies exist). - -Principal ticket policies are not supported for hosts and services, but -this is only an HTTP API limitation. The "krbTicketPolicyAux" object -class is supported for all account types. This is required for ticket -flags like +ok_to_auth_as_delegate. 
Such flags can be set using "ipa -host-mod" and "ipa serivce-mod", or using kadmin's "modprinc". - -It is possible to ignore flags from the global ticket policy or default -flags like -allow_svr for a user principal by setting the -"final_user_tkt_flags" string attribute to "true" in kadmin. In this -case, any ticket flag can be configured in the principal ticket policy, -except requires_preauth and allow_tix. - -When in IPA setup mode (using the "ipa-setup-override-restrictions" KDB -argument), all the system described above is disabled and ticket flags -are written in the principal ticket policy as they are provided. This is -required to initialize the Kerberos LDAP container during IPA server -installation. - -This fixes CVE-2024-3183 - -Signed-off-by: Julien Rische ---- - daemons/ipa-kdb/ipa_kdb.h | 43 ++++ - daemons/ipa-kdb/ipa_kdb_principals.c | 353 +++++++++++++++++++++++---- - util/ipa_krb5.c | 18 ++ - util/ipa_krb5.h | 4 + - 4 files changed, 365 insertions(+), 53 deletions(-) - -diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h -index 7baf4697f..85cabe142 100644 ---- a/daemons/ipa-kdb/ipa_kdb.h -+++ b/daemons/ipa-kdb/ipa_kdb.h -@@ -94,6 +94,34 @@ - #define IPA_KRB_AUTHZ_DATA_ATTR "ipaKrbAuthzData" - #define IPA_USER_AUTH_TYPE "ipaUserAuthType" - -+/* Virtual managed ticket flags like "-allow_tix", are always controlled by the -+ * "nsAccountLock" attribute, such flags should never be set in the database. -+ * The following expression combine all of them, and is used to filter them -+ * out. */ -+#define IPA_KDB_TKTFLAGS_VIRTUAL_MANAGED_ALL (KRB5_KDB_DISALLOW_ALL_TIX) -+ -+/* Virtual static ticket flags are hard-coded in the KDB driver. */ -+/* Virtual static mandatory flags are set systematically and implicitly for all -+ * principals. They are filtered out from database ticket flags updates. 
-+ * (However, "KRB5_KDB_REQUIRES_PRE_AUTH" can still be unset by the -+ * "KDC:Disable Default Preauth for SPNs" global setting) */ -+#define IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_MANDATORY (KRB5_KDB_REQUIRES_PRE_AUTH) -+/* Virtual static default ticket flags are implicitly set for user and non-user -+ * (SPN) principals, and not stored in the database. -+ * (Except if the "IPA_KDB_STRATTR_FINAL_TKTFLAGS" string attribute is "true" -+ * the principal) */ -+/* Virtual static default user ticket flags are set for users only. The -+ * "-allow_svr" flag is set to protect them from CVE-2024-3183. */ -+#define IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_DEFAULTS_USER (KRB5_KDB_DISALLOW_SVR) -+#define IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_DEFAULTS_SPN (0) -+ -+/* If this string attribute is set to "true", then only the virtual managed and -+ * virtual static mandatory ticket flags are applied and filtered out from -+ * database read and write operations for the concerned user principal. -+ * Configurable principal ticket flags are applied, but not the configurable -+ * global ticket policy flags. 
*/ -+#define IPA_KDB_STRATTR_FINAL_USER_TKTFLAGS "final_user_tkt_flags" -+ - struct ipadb_mspac; - struct dom_sid; - -@@ -178,6 +206,21 @@ struct ipadb_e_data { - struct dom_sid *sid; - }; - -+inline static krb5_error_code -+ipadb_get_edata(krb5_db_entry *entry, struct ipadb_e_data **ied) -+{ -+ struct ipadb_e_data *in_ied; -+ -+ in_ied = (struct ipadb_e_data *)entry->e_data; -+ if (!in_ied || in_ied->magic != IPA_E_DATA_MAGIC) -+ return EINVAL; -+ -+ if (ied) -+ *ied = in_ied; -+ -+ return 0; -+} -+ - struct ipadb_context *ipadb_get_context(krb5_context kcontext); - int ipadb_get_connection(struct ipadb_context *ipactx); - -diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c -index 07cc87746..6eb542d4f 100644 ---- a/daemons/ipa-kdb/ipa_kdb_principals.c -+++ b/daemons/ipa-kdb/ipa_kdb_principals.c -@@ -706,9 +706,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, - "krbTicketFlags", &result); - if (ret == 0) { - entry->attributes = result; -- } else { -- *polmask |= TKTFLAGS_BIT; - } -+ /* Since principal, global policy, and virtual ticket flags are combined, -+ * they must always be resolved, except if we are in IPA setup mode (because -+ * ticket policies and virtual ticket flags are irrelevant in this case). */ -+ if (!ipactx->override_restrictions) -+ *polmask |= TKTFLAGS_BIT; - - ret = ipadb_ldap_attr_to_int(lcontext, lentry, - "krbMaxTicketLife", &result); -@@ -912,7 +915,12 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, - goto done; - } - if (ret == 0) { -- ied->ipa_user = true; -+ if (1 == krb5_princ_size(kcontext, entry->princ)) { -+ /* A principal must be a POSIX account AND have only one element to -+ * be considered a user (this is to filter out CIFS principals). 
*/ -+ ied->ipa_user = true; -+ } -+ - ret = ipadb_ldap_attr_to_str(lcontext, lentry, - "uid", &uidstring); - if (ret != 0 && ret != ENOENT) { -@@ -1251,23 +1259,150 @@ done: - return ret; - } - --static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx, -- krb5_db_entry *entry) -+static krb5_error_code -+are_final_tktflags(struct ipadb_context *ipactx, krb5_db_entry *entry, -+ bool *final_tktflags) - { -- const struct ipadb_global_config *config; -+ krb5_error_code kerr; - struct ipadb_e_data *ied; -+ char *str = NULL; -+ bool in_final_tktflags = false; - -- config = ipadb_get_global_config(ipactx); -- if (config && config->disable_preauth_for_spns) { -- ied = (struct ipadb_e_data *)entry->e_data; -- if (ied && ied->ipa_user != true) { -- /* not a user, assume SPN */ -- return 0; -- } -+ kerr = ipadb_get_edata(entry, &ied); -+ if (kerr) -+ goto end; -+ -+ if (!ied->ipa_user) { -+ kerr = 0; -+ goto end; - } - -- /* By default require preauth for all principals */ -- return KRB5_KDB_REQUIRES_PRE_AUTH; -+ kerr = krb5_dbe_get_string(ipactx->kcontext, entry, -+ IPA_KDB_STRATTR_FINAL_USER_TKTFLAGS, &str); -+ if (kerr) -+ goto end; -+ -+ in_final_tktflags = str && ipa_krb5_parse_bool(str); -+ -+end: -+ if (final_tktflags) -+ *final_tktflags = in_final_tktflags; -+ -+ krb5_dbe_free_string(ipactx->kcontext, str); -+ return kerr; -+} -+ -+static krb5_error_code -+add_virtual_static_tktflags(struct ipadb_context *ipactx, krb5_db_entry *entry, -+ krb5_flags *tktflags) -+{ -+ krb5_error_code kerr; -+ krb5_flags vsflg; -+ bool final_tktflags; -+ const struct ipadb_global_config *gcfg; -+ struct ipadb_e_data *ied; -+ -+ vsflg = IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_MANDATORY; -+ -+ kerr = ipadb_get_edata(entry, &ied); -+ if (kerr) -+ goto end; -+ -+ kerr = are_final_tktflags(ipactx, entry, &final_tktflags); -+ if (kerr) -+ goto end; -+ -+ /* In practice, principal ticket flags cannot be final for SPNs. */ -+ if (!final_tktflags) -+ vsflg |= ied->ipa_user ? 
IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_DEFAULTS_USER -+ : IPA_KDB_TKTFLAGS_VIRTUAL_STATIC_DEFAULTS_SPN; -+ -+ if (!ied->ipa_user) { -+ gcfg = ipadb_get_global_config(ipactx); -+ if (gcfg && gcfg->disable_preauth_for_spns) -+ vsflg &= ~KRB5_KDB_REQUIRES_PRE_AUTH; -+ } -+ -+ if (tktflags) -+ *tktflags |= vsflg; -+ -+end: -+ return kerr; -+} -+ -+static krb5_error_code -+get_virtual_static_tktflags_mask(struct ipadb_context *ipactx, -+ krb5_db_entry *entry, krb5_flags *mask) -+{ -+ krb5_error_code kerr; -+ krb5_flags flags = IPA_KDB_TKTFLAGS_VIRTUAL_MANAGED_ALL; -+ -+ kerr = add_virtual_static_tktflags(ipactx, entry, &flags); -+ if (kerr) -+ goto end; -+ -+ if (mask) -+ *mask = ~flags; -+ -+ kerr = 0; -+ -+end: -+ return kerr; -+} -+ -+/* Add ticket flags from the global ticket policy if it exists, otherwise -+ * succeed. If the global ticket policy is set, the "exists" parameter is set to -+ * true. */ -+static krb5_error_code -+add_global_ticket_policy_flags(struct ipadb_context *ipactx, -+ bool *gtpol_exists, krb5_flags *tktflags) -+{ -+ krb5_error_code kerr; -+ char *policy_dn; -+ char *tktflags_attr[] = { "krbticketflags", NULL }; -+ LDAPMessage *res = NULL, *first; -+ int ec, ldap_tktflags; -+ bool in_gtpol_exists = false; -+ -+ ec = asprintf(&policy_dn, "cn=%s,cn=kerberos,%s", ipactx->realm, -+ ipactx->base); -+ if (-1 == ec) { -+ kerr = ENOMEM; -+ goto end; -+ } -+ -+ kerr = ipadb_simple_search(ipactx, policy_dn, LDAP_SCOPE_BASE, -+ "(objectclass=krbticketpolicyaux)", -+ tktflags_attr, &res); -+ if (kerr) { -+ if (KRB5_KDB_NOENTRY == kerr) -+ kerr = 0; -+ goto end; -+ } -+ -+ first = ldap_first_entry(ipactx->lcontext, res); -+ if (!first) { -+ kerr = 0; -+ goto end; -+ } -+ -+ in_gtpol_exists = true; -+ -+ ec = ipadb_ldap_attr_to_int(ipactx->lcontext, first, "krbticketflags", -+ &ldap_tktflags); -+ if (0 == ec && tktflags) { -+ *tktflags |= (krb5_flags)ldap_tktflags; -+ } -+ -+ kerr = 0; -+ -+end: -+ if (gtpol_exists) -+ *gtpol_exists = in_gtpol_exists; -+ -+ 
ldap_msgfree(res); -+ free(policy_dn); -+ return kerr; - } - - static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext, -@@ -1280,6 +1415,7 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext, - char *policy_dn = NULL; - LDAPMessage *res = NULL; - LDAPMessage *first; -+ bool final_tktflags, has_local_tktpolicy = true; - int result; - int ret; - -@@ -1288,12 +1424,18 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext, - return KRB5_KDB_DBNOTINITED; - } - -+ kerr = are_final_tktflags(ipactx, entry, &final_tktflags); -+ if (kerr) -+ goto done; -+ - ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, - "krbticketpolicyreference", &policy_dn); - switch (ret) { - case 0: - break; - case ENOENT: -+ /* If no principal ticket policy, fallback to the global one. */ -+ has_local_tktpolicy = false; - ret = asprintf(&policy_dn, "cn=%s,cn=kerberos,%s", - ipactx->realm, ipactx->base); - if (ret == -1) { -@@ -1337,12 +1479,13 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext, - } - } - if (polmask & TKTFLAGS_BIT) { -- ret = ipadb_ldap_attr_to_int(ipactx->lcontext, first, -- "krbticketflags", &result); -- if (ret == 0) { -- entry->attributes |= result; -- } else { -- entry->attributes |= maybe_require_preauth(ipactx, entry); -+ /* If global ticket policy is being applied, set flags only if -+ * user principal ticket flags are not final. 
*/ -+ if (has_local_tktpolicy || !final_tktflags) { -+ ret = ipadb_ldap_attr_to_int(ipactx->lcontext, first, -+ "krbticketflags", &result); -+ if (ret == 0) -+ entry->attributes |= result; - } - } - -@@ -1366,13 +1509,27 @@ static krb5_error_code ipadb_fetch_tktpolicy(krb5_context kcontext, - if (polmask & MAXRENEWABLEAGE_BIT) { - entry->max_renewable_life = 604800; - } -- if (polmask & TKTFLAGS_BIT) { -- entry->attributes |= maybe_require_preauth(ipactx, entry); -- } - - kerr = 0; - } - -+ if (polmask & TKTFLAGS_BIT) { -+ /* If the principal ticket flags were applied, then flags from the -+ * global ticket policy has to be applied atop of them if user principal -+ * ticket flags are not final. */ -+ if (has_local_tktpolicy && !final_tktflags) { -+ kerr = add_global_ticket_policy_flags(ipactx, NULL, -+ &entry->attributes); -+ if (kerr) -+ goto done; -+ } -+ -+ /* Virtual static ticket flags are set regardless of database content */ -+ kerr = add_virtual_static_tktflags(ipactx, entry, &entry->attributes); -+ if (kerr) -+ goto done; -+ } -+ - done: - ldap_msgfree(res); - free(policy_dn); -@@ -1864,6 +2021,36 @@ static void ipadb_mods_free_tip(struct ipadb_mods *imods) - imods->tip--; - } - -+/* Use LDAP REPLACE operation to remove an attribute. -+ * Contrary to the DELETE operation, it will not fail if the attribute does not -+ * exist. 
*/ -+static krb5_error_code -+ipadb_ldap_replace_remove(struct ipadb_mods *imods, char *attribute) -+{ -+ krb5_error_code kerr; -+ LDAPMod *m = NULL; -+ -+ kerr = ipadb_mods_new(imods, &m); -+ if (kerr) -+ return kerr; -+ -+ m->mod_op = LDAP_MOD_REPLACE; -+ m->mod_type = strdup(attribute); -+ if (!m->mod_type) { -+ kerr = ENOMEM; -+ goto end; -+ } -+ -+ m->mod_values = NULL; -+ -+ kerr = 0; -+ -+end: -+ if (kerr) -+ ipadb_mods_free_tip(imods); -+ return kerr; -+} -+ - static krb5_error_code ipadb_get_ldap_mod_str(struct ipadb_mods *imods, - char *attribute, char *value, - int mod_op) -@@ -2275,6 +2462,93 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext, - return ret; - } - -+static krb5_error_code -+update_tktflags(krb5_context kcontext, struct ipadb_mods *imods, -+ krb5_db_entry *entry, int mod_op) -+{ -+ krb5_error_code kerr; -+ struct ipadb_context *ipactx; -+ struct ipadb_e_data *ied; -+ bool final_tktflags; -+ krb5_flags tktflags_mask; -+ int tktflags; -+ -+ ipactx = ipadb_get_context(kcontext); -+ if (!ipactx) { -+ kerr = KRB5_KDB_DBNOTINITED; -+ goto end; -+ } -+ -+ if (ipactx->override_restrictions) { -+ /* In IPA setup mode, IPA edata might not be available. In this mode, -+ * ticket flags are written as they are provided. */ -+ tktflags = (int)entry->attributes; -+ } else { -+ kerr = ipadb_get_edata(entry, &ied); -+ if (kerr) -+ goto end; -+ -+ kerr = get_virtual_static_tktflags_mask(ipactx, entry, &tktflags_mask); -+ if (kerr) -+ goto end; -+ -+ kerr = are_final_tktflags(ipactx, entry, &final_tktflags); -+ if (kerr) -+ goto end; -+ -+ /* Flags from the global ticket policy are filtered out only if the user -+ * principal flags are not final. 
*/ -+ if (!final_tktflags) { -+ krb5_flags gbl_tktflags = 0; -+ -+ kerr = add_global_ticket_policy_flags(ipactx, NULL, &gbl_tktflags); -+ if (kerr) -+ goto end; -+ -+ tktflags_mask &= ~gbl_tktflags; -+ } -+ -+ tktflags = (int)(entry->attributes & tktflags_mask); -+ -+ if (LDAP_MOD_REPLACE == mod_op && ied && !ied->has_tktpolaux) { -+ if (0 == tktflags) { -+ /* No point initializing principal ticket policy if there are no -+ * flags left after filtering out virtual and global ticket -+ * policy ones. */ -+ kerr = 0; -+ goto end; -+ } -+ -+ /* if the object does not have the krbTicketPolicyAux class -+ * we need to add it or this will fail, only for modifications. -+ * We always add this objectclass by default when doing an add -+ * from scratch. */ -+ kerr = ipadb_get_ldap_mod_str(imods, "objectclass", -+ "krbTicketPolicyAux", LDAP_MOD_ADD); -+ if (kerr) -+ goto end; -+ } -+ } -+ -+ if (tktflags != 0) { -+ kerr = ipadb_get_ldap_mod_int(imods, "krbTicketFlags", tktflags, -+ mod_op); -+ if (kerr) -+ goto end; -+ } else if (LDAP_MOD_REPLACE == mod_op) { -+ /* If the principal is not being created, and there are no custom ticket -+ * flags to be set, remove the "krbTicketFlags" attribute. */ -+ kerr = ipadb_ldap_replace_remove(imods, "krbTicketFlags"); -+ if (kerr) -+ goto end; -+ } -+ -+ kerr = 0; -+ -+end: -+ return kerr; -+} -+ - static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext, - struct ipadb_mods *imods, - krb5_db_entry *entry, -@@ -2350,36 +2624,9 @@ static krb5_error_code ipadb_entry_to_mods(krb5_context kcontext, - - /* KADM5_ATTRIBUTES */ - if (entry->mask & KMASK_ATTRIBUTES) { -- /* if the object does not have the krbTicketPolicyAux class -- * we need to add it or this will fail, only for modifications. -- * We always add this objectclass by default when doing an add -- * from scratch. 
*/ -- if ((mod_op == LDAP_MOD_REPLACE) && entry->e_data) { -- struct ipadb_e_data *ied; -- -- ied = (struct ipadb_e_data *)entry->e_data; -- if (ied->magic != IPA_E_DATA_MAGIC) { -- kerr = EINVAL; -- goto done; -- } -- -- if (!ied->has_tktpolaux) { -- kerr = ipadb_get_ldap_mod_str(imods, "objectclass", -- "krbTicketPolicyAux", -- LDAP_MOD_ADD); -- if (kerr) { -- goto done; -- } -- } -- } -- -- kerr = ipadb_get_ldap_mod_int(imods, -- "krbTicketFlags", -- (int)entry->attributes, -- mod_op); -- if (kerr) { -+ kerr = update_tktflags(kcontext, imods, entry, mod_op); -+ if (kerr) - goto done; -- } - } - - /* KADM5_MAX_LIFE */ -diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c -index 1ba6d25ee..2e663c506 100644 ---- a/util/ipa_krb5.c -+++ b/util/ipa_krb5.c -@@ -38,6 +38,12 @@ const char *ipapwd_password_max_len_errmsg = \ - TOSTR(IPAPWD_PASSWORD_MAX_LEN) \ - " chars)!"; - -+/* Case-insensitive string values to by parsed as boolean true */ -+static const char *const conf_yes[] = { -+ "y", "yes", "true", "t", "1", "on", -+ NULL, -+}; -+ - /* Salt types */ - #define KRB5P_SALT_SIZE 16 - -@@ -1237,3 +1243,15 @@ done: - } - return ret; - } -+ -+bool ipa_krb5_parse_bool(const char *str) -+{ -+ const char *const *p; -+ -+ for (p = conf_yes; *p; p++) { -+ if (!strcasecmp(*p, str)) -+ return true; -+ } -+ -+ return false; -+} -diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h -index 7d2ebae98..d0280940a 100644 ---- a/util/ipa_krb5.h -+++ b/util/ipa_krb5.h -@@ -174,3 +174,7 @@ static inline bool - krb5_ts_after(krb5_timestamp a, krb5_timestamp b) { - return (uint32_t)a > (uint32_t)b; - } -+ -+/* Implement boolean string parsing function from MIT krb5: -+ * src/lib/krb5/krb/libdef_parse.c:_krb5_conf_boolean() */ -+bool ipa_krb5_parse_bool(const char *str); --- -2.45.1 - diff --git a/SOURCES/0029-Allow_the_admin_user_to_be_disabled_rhel#34756.patch b/SOURCES/0029-Allow_the_admin_user_to_be_disabled_rhel#34756.patch deleted file mode 100644 index 1b5c49f..0000000 
--- a/SOURCES/0029-Allow_the_admin_user_to_be_disabled_rhel#34756.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py -index 6f5e349..febc22f 100644 ---- a/ipaserver/plugins/user.py -+++ b/ipaserver/plugins/user.py -@@ -144,8 +144,7 @@ PROTECTED_USERS = ('admin',) - def check_protected_member(user, protected_group_name=u'admins'): - ''' - Ensure admin and the last enabled member of a protected group cannot -- be deleted or disabled by raising ProtectedEntryError or -- LastMemberError as appropriate. -+ be deleted. - ''' - - if user in PROTECTED_USERS: -@@ -155,6 +154,12 @@ def check_protected_member(user, protected_group_name=u'admins'): - reason=_("privileged user"), - ) - -+ -+def check_last_member(user, protected_group_name=u'admins'): -+ ''' -+ Ensure the last enabled member of a protected group cannot -+ be disabled. -+ ''' - # Get all users in the protected group - result = api.Command.user_find(in_group=protected_group_name) - -@@ -796,6 +801,7 @@ class user_del(baseuser_del): - # If the target entry is a Delete entry, skip the orphaning/removal - # of OTP tokens. - check_protected_member(keys[-1]) -+ check_last_member(keys[-1]) - - preserve = options.get('preserve', False) - -@@ -1128,7 +1134,7 @@ class user_disable(LDAPQuery): - def execute(self, *keys, **options): - ldap = self.obj.backend - -- check_protected_member(keys[-1]) -+ check_last_member(keys[-1]) - - dn, _oc = self.obj.get_either_dn(*keys, **options) - ldap.deactivate_entry(dn) -diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py -index c0cb4d0..c2a55b8 100644 ---- a/ipatests/test_integration/test_commands.py -+++ b/ipatests/test_integration/test_commands.py -@@ -1530,6 +1530,30 @@ class TestIPACommand(IntegrationTest): - - assert 'Discovered server %s' % self.master.hostname in result - -+ def test_delete_last_enabled_admin(self): -+ """ -+ The admin user may be disabled. 
Don't allow all other -+ members of admins to be removed if the admin user is -+ disabled which would leave the install with no -+ usable admins users -+ """ -+ user = 'adminuser2' -+ passwd = 'Secret123' -+ tasks.create_active_user(self.master, user, passwd) -+ tasks.kinit_admin(self.master) -+ self.master.run_command(['ipa', 'group-add-member', 'admins', -+ '--users', user]) -+ tasks.kinit_user(self.master, user, passwd) -+ self.master.run_command(['ipa', 'user-disable', 'admin']) -+ result = self.master.run_command( -+ ['ipa', 'user-del', user], -+ raiseonerr=False -+ ) -+ self.master.run_command(['ipa', 'user-enable', 'admin']) -+ tasks.kdestroy_all(self.master) -+ assert result.returncode == 1 -+ assert 'cannot be deleted or disabled' in result.stderr_text -+ - - class TestIPACommandWithoutReplica(IntegrationTest): - """ -diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py -index 3c58845..68c6c48 100644 ---- a/ipatests/test_xmlrpc/test_user_plugin.py -+++ b/ipatests/test_xmlrpc/test_user_plugin.py -@@ -1045,8 +1045,8 @@ class TestAdmins(XMLRPC_test): - tracker = Tracker() - command = tracker.make_command('user_disable', admin1) - -- with raises_exact(errors.ProtectedEntryError(label=u'user', -- key=admin1, reason='privileged user')): -+ with raises_exact(errors.LastMemberError(label=u'group', -+ key=admin1, container=admin_group)): - command() - - def test_create_admin2(self, admin2): -@@ -1064,8 +1064,8 @@ class TestAdmins(XMLRPC_test): - admin2.disable() - tracker = Tracker() - -- with raises_exact(errors.ProtectedEntryError(label=u'user', -- key=admin1, reason='privileged user')): -+ with raises_exact(errors.LastMemberError(label=u'group', -+ key=admin1, container=admin_group)): - tracker.run_command('user_disable', admin1) - admin2.delete() - -diff --git a/ipatests/test_webui/test_user.py b/ipatests/test_webui/test_user.py -index a8a92d0..9083e50 100644 ---- a/ipatests/test_webui/test_user.py -+++ 
b/ipatests/test_webui/test_user.py -@@ -50,6 +50,8 @@ INV_FIRSTNAME = ("invalid 'first': Leading and trailing spaces are " - FIELD_REQ = 'Required field' - ERR_INCLUDE = 'may only include letters, numbers, _, -, . and $' - ERR_MISMATCH = 'Passwords must match' -+ERR_ADMIN_DISABLE = ('admin cannot be deleted or disabled because ' -+ 'it is the last member of group admins') - ERR_ADMIN_DEL = ('user admin cannot be deleted/modified: privileged user') - USR_EXIST = 'user with name "{}" already exists' - ENTRY_EXIST = 'This entry already exists' -@@ -546,7 +548,7 @@ class test_user(user_tasks): - self.select_record('admin') - self.facet_button_click('disable') - self.dialog_button_click('ok') -- self.assert_last_error_dialog(ERR_ADMIN_DEL, details=True) -+ self.assert_last_error_dialog(ERR_ADMIN_DISABLE, details=True) - self.dialog_button_click('ok') - self.assert_record('admin') - diff --git a/SOURCES/0030-ipa-otptoken-import-open-the-key-file-in-binary-mode_rhel#39616.patch b/SOURCES/0030-ipa-otptoken-import-open-the-key-file-in-binary-mode_rhel#39616.patch deleted file mode 100644 index 76a85d5..0000000 --- a/SOURCES/0030-ipa-otptoken-import-open-the-key-file-in-binary-mode_rhel#39616.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py -index b3f9347..75e8680 100644 ---- a/ipaserver/install/ipa_otptoken_import.py -+++ b/ipaserver/install/ipa_otptoken_import.py -@@ -539,7 +539,7 @@ class OTPTokenImport(admintool.AdminTool): - - # Load the keyfile. - keyfile = self.safe_options.keyfile -- with open(keyfile) as f: -+ with open(keyfile, "rb") as f: - self.doc.setKey(f.read()) - - def run(self): diff --git a/SOURCES/0031-ipa-crlgen-manage-manage-the-cert-status-task-execution-time_rhel#30280.patch b/SOURCES/0031-ipa-crlgen-manage-manage-the-cert-status-task-execution-time_rhel#30280.patch deleted file mode 100644 index addb493..0000000 
--- a/SOURCES/0031-ipa-crlgen-manage-manage-the-cert-status-task-execution-time_rhel#30280.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 38693c9..35cec89 100644 ---- a/ipaserver/install/cainstance.py -+++ b/ipaserver/install/cainstance.py -@@ -1327,6 +1327,8 @@ class CAInstance(DogtagInstance): - generation master: - - in CS.cfg ca.crl.MasterCRL.enableCRLCache=true - - in CS.cfg ca.crl.MasterCRL.enableCRLUpdates=true -+ - in CS.cfg ca.listenToCloneModifications=true -+ - in CS.cfg ca.certStatusUpdateInterval != 0 - - in /etc/httpd/conf.d/ipa-pki-proxy.conf the RewriteRule - ^/ipa/crl/MasterCRL.bin is disabled (commented or removed) - -@@ -1342,15 +1344,30 @@ class CAInstance(DogtagInstance): - updates = directivesetter.get_directive( - self.config, 'ca.crl.MasterCRL.enableCRLUpdates', '=') - enableCRLUpdates = updates.lower() == 'true' -+ listen = directivesetter.get_directive( -+ self.config, 'ca.listenToCloneModifications', '=') -+ enableToClone = listen.lower() == 'true' -+ updateinterval = directivesetter.get_directive( -+ self.config, 'ca.certStatusUpdateInterval', '=') - - # If the values are different, the config is inconsistent -- if enableCRLCache != enableCRLUpdates: -+ if not (enableCRLCache == enableCRLUpdates == enableToClone): - raise InconsistentCRLGenConfigException( - "Configuration is inconsistent, please check " -- "ca.crl.MasterCRL.enableCRLCache and " -- "ca.crl.MasterCRL.enableCRLUpdates in {} and " -+ "ca.crl.MasterCRL.enableCRLCache, " -+ "ca.crl.MasterCRL.enableCRLUpdates and " -+ "ca.listenToCloneModifications in {} and " - "run ipa-crlgen-manage [enable|disable] to repair".format( - self.config)) -+ # If they are the same then we are the CRL renewal master. Ensure -+ # the update task is configured. -+ if enableCRLCache and updateinterval == '0': -+ raise InconsistentCRLGenConfigException( -+ "Configuration is inconsistent, please check " -+ "ca.certStatusUpdateInterval in {}. It should " -+ "be either not present or not zero. 
Run " -+ "ipa-crlgen-manage [enable|disable] to repair".format( -+ self.config)) - except IOError: - raise RuntimeError( - "Unable to read {}".format(self.config)) -@@ -1407,6 +1424,11 @@ class CAInstance(DogtagInstance): - str_value = str(setup_crlgen).lower() - ds.set('ca.crl.MasterCRL.enableCRLCache', str_value) - ds.set('ca.crl.MasterCRL.enableCRLUpdates', str_value) -+ ds.set('ca.listenToCloneModifications', str_value) -+ if setup_crlgen: -+ ds.set('ca.certStatusUpdateInterval', None) -+ else: -+ ds.set('ca.certStatusUpdateInterval', '0') - - # Start pki-tomcat - logger.info("Starting %s", self.service_name) -diff --git a/ipatests/test_integration/test_crlgen_manage.py b/ipatests/test_integration/test_crlgen_manage.py -index 2a733bd..c6f41eb 100644 ---- a/ipatests/test_integration/test_crlgen_manage.py -+++ b/ipatests/test_integration/test_crlgen_manage.py -@@ -61,6 +61,16 @@ def check_crlgen_status(host, rc=0, msg=None, enabled=True, check_crl=False): - ext.value.crl_number) - assert number_msg in result.stdout_text - -+ try: -+ value = get_CS_cfg_value(host, 'ca.certStatusUpdateInterval') -+ except IOError: -+ return -+ -+ if enabled: -+ assert value is None -+ else: -+ assert value == '0' -+ - - def check_crlgen_enable(host, rc=0, msg=None, check_crl=False): - """Check ipa-crlgen-manage enable command -@@ -125,6 +135,23 @@ def break_crlgen_with_CS_cfg(host): - check_crlgen_status(host, rc=1, msg="Configuration is inconsistent") - - -+def get_CS_cfg_value(host, directive): -+ """Retrieve and return the a directive from the CA CS.cfg -+ -+ This returns None if the directives is not found. -+ """ -+ content = host.get_file_contents(paths.CA_CS_CFG_PATH, -+ encoding='utf-8') -+ value = None -+ for line in content.split('\n'): -+ l = line.lower() -+ -+ if l.startswith(directive.lower()): -+ value = line.split('=', 1)[1] -+ -+ return value -+ -+ - class TestCRLGenManage(IntegrationTest): - """Tests the ipa-crlgen-manage command. 
- -@@ -196,6 +223,9 @@ class TestCRLGenManage(IntegrationTest): - - Install a CA clone and enable CRLgen""" - tasks.install_ca(self.replicas[0]) -+ value = get_CS_cfg_value(self.replicas[0], -+ 'ca.certStatusUpdateInterval') -+ assert value == '0' - check_crlgen_enable( - self.replicas[0], rc=0, - msg="make sure to have only a single CRL generation master", diff --git a/SOURCES/0032-idrange-add-add-a-warning-because-389ds-restart-is-required_rhel#28996.patch b/SOURCES/0032-idrange-add-add-a-warning-because-389ds-restart-is-required_rhel#28996.patch deleted file mode 100644 index 50a891b..0000000 --- a/SOURCES/0032-idrange-add-add-a-warning-because-389ds-restart-is-required_rhel#28996.patch +++ /dev/null 
@@ -1,337 +0,0 @@ -diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py -index d5b184f..b38ea73 100644 ---- a/ipaserver/plugins/idrange.py -+++ b/ipaserver/plugins/idrange.py -@@ -549,6 +549,12 @@ class idrange_add(LDAPCreate): - self.obj.handle_ipabaserid(entry_attrs, options) - self.obj.handle_iparangetype(entry_attrs, options, - keep_objectclass=True) -+ self.add_message( -+ messages.ServiceRestartRequired( -+ service=services.knownservices.dirsrv.service_instance(""), -+ server=_('') -+ ) -+ ) - return dn - - -diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py -index f912e04..e3f4c23 100644 ---- a/ipatests/test_xmlrpc/test_range_plugin.py -+++ b/ipatests/test_xmlrpc/test_range_plugin.py -@@ -372,6 +372,8 @@ IPA_LOCAL_RANGE_MOD_ERR = ( - "domain. Run `ipa help idrange` for more information" - ) - -+dirsrv_instance = services.knownservices.dirsrv.service_instance("") -+ - - @pytest.mark.tier1 - class test_range(Declarative): -@@ -464,6 +466,11 @@ class test_range(Declarative): - ), - value=testrange1, - summary=u'Added ID range "%s"' % (testrange1), -+ messages=( -+ messages.ServiceRestartRequired( -+ service=dirsrv_instance, -+ server='').to_dict(), -+ ), - ), - ), - -@@ -633,6 +640,11 @@ class test_range(Declarative): - ), - value=testrange2, - summary=u'Added ID range "%s"' % (testrange2), -+ messages=( -+ messages.ServiceRestartRequired( -+ service=dirsrv_instance, -+ server='').to_dict(), -+ ), - ), - ), - -@@ -792,6 +804,11 @@ class test_range(Declarative): - ), - value=unicode(domain7range1), - summary=u'Added ID range "%s"' % (domain7range1), -+ messages=( -+ messages.ServiceRestartRequired( -+ service=dirsrv_instance, -+ server='').to_dict(), -+ ), - ), - ), - -@@ -1079,6 +1096,11 @@ class test_range(Declarative): - ), - value=testrange9, - summary=u'Added ID range "%s"' % (testrange9), -+ messages=( -+ messages.ServiceRestartRequired( -+ service=dirsrv_instance, -+ server='').to_dict(), 
-+ ), - ), - ), - -diff --git a/ipaserver/plugins/idrange.py b/ipaserver/plugins/idrange.py -index b38ea73..b12e1b8 100644 ---- a/ipaserver/plugins/idrange.py -+++ b/ipaserver/plugins/idrange.py -@@ -549,12 +549,15 @@ class idrange_add(LDAPCreate): - self.obj.handle_ipabaserid(entry_attrs, options) - self.obj.handle_iparangetype(entry_attrs, options, - keep_objectclass=True) -- self.add_message( -- messages.ServiceRestartRequired( -- service=services.knownservices.dirsrv.service_instance(""), -- server=_('') -+ -+ if entry_attrs.single_value.get('iparangetype') in ( -+ 'ipa-local', self.obj.range_types.get('ipa-local', None)): -+ self.add_message( -+ messages.ServiceRestartRequired( -+ service=services.knownservices.dirsrv.service_instance(""), -+ server=_('') -+ ) - ) -- ) - return dn - - -@@ -568,7 +571,8 @@ class idrange_del(LDAPDelete): - try: - old_attrs = ldap.get_entry(dn, ['ipabaseid', - 'ipaidrangesize', -- 'ipanttrusteddomainsid']) -+ 'ipanttrusteddomainsid', -+ 'iparangetype']) - except errors.NotFound: - raise self.obj.handle_not_found(*keys) - -@@ -602,6 +606,20 @@ class idrange_del(LDAPDelete): - key=keys[0], - dependent=trust_domains[0].dn[0].value) - -+ self.add_message( -+ messages.ServiceRestartRequired( -+ service=services.knownservices['sssd'].systemd_name, -+ server=_('') -+ ) -+ ) -+ -+ if old_attrs.single_value.get('iparangetype') == 'ipa-local': -+ self.add_message( -+ messages.ServiceRestartRequired( -+ service=services.knownservices.dirsrv.service_instance(""), -+ server=_('') -+ ) -+ ) - - return dn - -@@ -804,10 +822,20 @@ class idrange_mod(LDAPUpdate): - assert isinstance(dn, DN) - self.obj.handle_ipabaserid(entry_attrs, options) - self.obj.handle_iparangetype(entry_attrs, options) -+ -+ if entry_attrs.single_value.get('iparangetype') in ( -+ 'ipa-local', self.obj.range_types.get('ipa-local', None)): -+ self.add_message( -+ messages.ServiceRestartRequired( -+ service=services.knownservices.dirsrv.service_instance(""), -+ server=_('') -+ 
) -+ ) -+ - self.add_message( - messages.ServiceRestartRequired( - service=services.knownservices['sssd'].systemd_name, -- server=keys[0] -+ server=_('') - ) - ) - return dn -diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py -index e3f4c23..531fe4a 100644 ---- a/ipatests/test_xmlrpc/test_range_plugin.py -+++ b/ipatests/test_xmlrpc/test_range_plugin.py -@@ -26,7 +26,8 @@ import six - from ipalib import api, errors, messages - from ipalib import constants - from ipaplatform import services --from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid -+from ipatests.test_xmlrpc.xmlrpc_test import ( -+ Declarative, fuzzy_uuid, Fuzzy, fuzzy_sequence_of) - from ipatests.test_xmlrpc import objectclasses - from ipatests.util import MockLDAP - from ipapython.dn import DN -@@ -374,6 +375,8 @@ IPA_LOCAL_RANGE_MOD_ERR = ( - - dirsrv_instance = services.knownservices.dirsrv.service_instance("") - -+fuzzy_restart_messages = fuzzy_sequence_of(Fuzzy(type=dict)) -+ - - @pytest.mark.tier1 - class test_range(Declarative): -@@ -610,7 +613,8 @@ class test_range(Declarative): - desc='Delete ID range %r' % testrange1, - command=('idrange_del', [testrange1], {}), - expected=dict( -- result=dict(failed=[]), -+ result=dict(failed=[], -+ messages=fuzzy_restart_messages), - value=[testrange1], - summary=u'Deleted ID range "%s"' % testrange1, - ), -@@ -714,7 +718,8 @@ class test_range(Declarative): - desc='Delete ID range %r' % testrange2, - command=('idrange_del', [testrange2], {}), - expected=dict( -- result=dict(failed=[]), -+ result=dict(failed=[], -+ messages=fuzzy_restart_messages), - value=[testrange2], - summary=u'Deleted ID range "%s"' % testrange2, - ), -diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py -index 531fe4a..3646952 100644 ---- a/ipatests/test_xmlrpc/test_range_plugin.py -+++ b/ipatests/test_xmlrpc/test_range_plugin.py -@@ -613,8 +613,8 @@ class 
test_range(Declarative): - desc='Delete ID range %r' % testrange1, - command=('idrange_del', [testrange1], {}), - expected=dict( -- result=dict(failed=[], -- messages=fuzzy_restart_messages), -+ result=dict(failed=[]), -+ messages=fuzzy_restart_messages, - value=[testrange1], - summary=u'Deleted ID range "%s"' % testrange1, - ), -@@ -718,8 +718,8 @@ class test_range(Declarative): - desc='Delete ID range %r' % testrange2, - command=('idrange_del', [testrange2], {}), - expected=dict( -- result=dict(failed=[], -- messages=fuzzy_restart_messages), -+ result=dict(failed=[]), -+ messages=fuzzy_restart_messages, - value=[testrange2], - summary=u'Deleted ID range "%s"' % testrange2, - ), -@@ -809,11 +809,6 @@ class test_range(Declarative): - ), - value=unicode(domain7range1), - summary=u'Added ID range "%s"' % (domain7range1), -- messages=( -- messages.ServiceRestartRequired( -- service=dirsrv_instance, -- server='').to_dict(), -- ), - ), - ), - -@@ -836,6 +831,7 @@ class test_range(Declarative): - result=dict(failed=[]), - value=[domain1range1], - summary=u'Deleted ID range "%s"' % domain1range1, -+ messages=fuzzy_restart_messages, - ), - ), - -@@ -862,12 +858,7 @@ class test_range(Declarative): - command=('idrange_mod', [domain3range2], - dict(ipabaseid=domain3range1_base_id)), - expected=dict( -- messages=( -- messages.ServiceRestartRequired( -- service=services.knownservices['sssd'].systemd_name, -- server=domain3range2 -- ).to_dict(), -- ), -+ messages=fuzzy_restart_messages, - result=dict( - cn=[domain3range2], - ipabaseid=[unicode(domain3range1_base_id)], -@@ -933,12 +924,7 @@ class test_range(Declarative): - command=('idrange_mod', [domain2range1], - dict(ipabaserid=domain5range1_base_rid)), - expected=dict( -- messages=( -- messages.ServiceRestartRequired( -- service=services.knownservices['sssd'].systemd_name, -- server=domain2range1 -- ).to_dict(), -- ), -+ messages=fuzzy_restart_messages, - result=dict( - cn=[domain2range1], - 
ipabaseid=[unicode(domain2range1_base_id)], -@@ -973,12 +959,7 @@ class test_range(Declarative): - command=('idrange_mod', [domain2range1], - dict(ipaautoprivategroups='true')), - expected=dict( -- messages=( -- messages.ServiceRestartRequired( -- service=services.knownservices['sssd'].systemd_name, -- server=domain2range1 -- ).to_dict(), -- ), -+ messages=fuzzy_restart_messages, - result=dict( - cn=[domain2range1], - ipabaseid=[unicode(domain2range1_base_id)], -@@ -1000,12 +981,7 @@ class test_range(Declarative): - command=('idrange_mod', [domain2range1], - dict(ipaautoprivategroups='false')), - expected=dict( -- messages=( -- messages.ServiceRestartRequired( -- service=services.knownservices['sssd'].systemd_name, -- server=domain2range1 -- ).to_dict(), -- ), -+ messages=fuzzy_restart_messages, - result=dict( - cn=[domain2range1], - ipabaseid=[unicode(domain2range1_base_id)], -@@ -1027,12 +1003,7 @@ class test_range(Declarative): - command=('idrange_mod', [domain2range1], - dict(ipaautoprivategroups='hybrid')), - expected=dict( -- messages=( -- messages.ServiceRestartRequired( -- service=services.knownservices['sssd'].systemd_name, -- server=domain2range1 -- ).to_dict(), -- ), -+ messages=fuzzy_restart_messages, - result=dict( - cn=[domain2range1], - ipabaseid=[unicode(domain2range1_base_id)], -@@ -1054,12 +1025,7 @@ class test_range(Declarative): - command=('idrange_mod', [domain2range1], - dict(ipaautoprivategroups='')), - expected=dict( -- messages=( -- messages.ServiceRestartRequired( -- service=services.knownservices['sssd'].systemd_name, -- server=domain2range1 -- ).to_dict(), -- ), -+ messages=fuzzy_restart_messages, - result=dict( - cn=[domain2range1], - ipabaseid=[unicode(domain2range1_base_id)], -@@ -1116,6 +1082,7 @@ class test_range(Declarative): - result=dict(failed=[]), - value=[testrange9], - summary=u'Deleted ID range "%s"' % testrange9, -+ messages=fuzzy_restart_messages, - ), - ), - 
diff --git a/SOURCES/0033-PKINIT-certificate-fix-renewal-on-hidden-replica_rhel#4913.patch b/SOURCES/0033-PKINIT-certificate-fix-renewal-on-hidden-replica_rhel#4913.patch
deleted file mode 100644
index d272dda..0000000
--- a/SOURCES/0033-PKINIT-certificate-fix-renewal-on-hidden-replica_rhel#4913.patch
+++ /dev/null
@@ -1,58 +0,0 @@ -diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py -index 619be83..9be1b67 100644 ---- a/ipaserver/plugins/cert.py -+++ b/ipaserver/plugins/cert.py -@@ -55,7 +55,7 @@ from ipapython.dn import DN - from ipapython.ipautil import datetime_from_utctimestamp - from ipaserver.plugins.service import normalize_principal, validate_realm - from ipaserver.masters import ( -- ENABLED_SERVICE, CONFIGURED_SERVICE, is_service_enabled -+ ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE, is_service_enabled - ) - - try: -@@ -300,7 +300,7 @@ def caacl_check(principal, ca, profile_id): - def ca_kdc_check(api_instance, hostname): - master_dn = api_instance.Object.server.get_dn(unicode(hostname)) - kdc_dn = DN(('cn', 'KDC'), master_dn) -- wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE} -+ wanted = {ENABLED_SERVICE, CONFIGURED_SERVICE, HIDDEN_SERVICE} - try: - kdc_entry = api_instance.Backend.ldap2.get_entry( - kdc_dn, ['ipaConfigString']) -diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py -index b71f2d5..7ef44c5 100644 ---- a/ipatests/test_integration/test_replica_promotion.py -+++ b/ipatests/test_integration/test_replica_promotion.py -@@ -26,6 +26,7 @@ from ipalib.constants import ( - ) - from ipaplatform.paths import paths - from ipapython import certdb -+from ipatests.test_integration.test_cert import get_certmonger_fs_id - from ipatests.test_integration.test_dns_locations import ( - resolve_records_from_server, IPA_DEFAULT_MASTER_SRV_REC - ) -@@ -1241,6 +1242,23 @@ class TestHiddenReplicaPromotion(IntegrationTest): - 'ipa-crlgen-manage', 'status']) - assert "CRL generation: enabled" in result.stdout_text - -+ def test_hidden_replica_renew_pkinit_cert(self): -+ """Renew the PKINIT cert on a hidden replica. 
-+ -+ Test for https://pagure.io/freeipa/issue/9611 -+ """ -+ # Get Request ID -+ cmd = ['getcert', 'list', '-f', paths.KDC_CERT] -+ result = self.replicas[0].run_command(cmd) -+ req_id = get_certmonger_fs_id(result.stdout_text) -+ -+ self.replicas[0].run_command([ -+ 'getcert', 'resubmit', '-f', paths.KDC_CERT -+ ]) -+ tasks.wait_for_certmonger_status( -+ self.replicas[0], ('MONITORING'), req_id, timeout=600 -+ ) -+ - - class TestHiddenReplicaKRA(IntegrationTest): - """Test KRA & hidden replica features. diff --git a/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch deleted file mode 100644 index e1a74ff..0000000 --- a/SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +++ /dev/null 
@@ -1,69 +0,0 @@ -From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Fri, 10 Dec 2021 12:15:36 -0300 -Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils" - -This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda. ---- - freeipa.spec.in | 4 +--- - ipaplatform/base/paths.py | 2 +- - ipaplatform/fedora/paths.py | 1 + - ipaserver/dnssec/bindmgr.py | 1 - - 4 files changed, 3 insertions(+), 5 deletions(-) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 8f5c370e5..e20edb7bc 100755 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release} - Requires: bind-dyndb-ldap >= 11.2-2 - Requires: bind >= %{bind_version} - Requires: bind-utils >= %{bind_version} --# bind-dnssec-utils is required by the OpenDNSSec integration --# https://pagure.io/freeipa/issue/9026 --Requires: bind-dnssec-utils >= %{bind_version} - %if %{with bind_pkcs11} - Requires: bind-pkcs11 >= %{bind_version} -+Requires: bind-pkcs11-utils >= %{bind_version} - %else - Requires: softhsm >= %{softhsm_version} - Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index 7d21367ec..42a47f1df 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -259,7 +259,6 @@ class BasePathNamespace: - IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" - IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" - IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" -- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" -+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" -- DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel" - GETSEBOOL = "/usr/sbin/getsebool" - GROUPADD = "/usr/sbin/groupadd" -diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py -index 4e993c063..92a948966 100644 ---- a/ipaplatform/fedora/paths.py -+++ 
b/ipaplatform/fedora/paths.py -@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace): - NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config" - if HAS_NFS_CONF: - SYSCONFIG_NFS = '/etc/nfs.conf' -+ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" - - - paths = FedoraPathNamespace() -diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py -index 0c79cc03d..a15c0e601 100644 ---- a/ipaserver/dnssec/bindmgr.py -+++ b/ipaserver/dnssec/bindmgr.py -@@ -127,7 +127,6 @@ class BINDMgr: - ) - cmd = [ - paths.DNSSEC_KEYFROMLABEL, -- '-E', 'pkcs11', - '-K', workdir, - '-a', attrs['idnsSecAlgorithm'][0], - '-l', uri --- -2.31.1 diff --git a/SOURCES/1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch b/SOURCES/1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch deleted file mode 100644 index 7928884..0000000 --- a/SOURCES/1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 7807bcc55b4927fc327830d2237200772d2e1106 Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Fri, 17 Jun 2022 15:40:04 -0300 -Subject: [PATCH] webui IdP: Remove arrow notation due to uglify-js limitation. - -uglify-js 2.x series do not support ECMAScript 6 arrow notation ('=>') -for callback definition. - -This patch changes the arrow definition callbacks for regular anonymous -function definitions. ---- - install/ui/src/freeipa/idp.js | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/install/ui/src/freeipa/idp.js b/install/ui/src/freeipa/idp.js -index ada09c075..be3c4f0e6 100644 ---- a/install/ui/src/freeipa/idp.js -+++ b/install/ui/src/freeipa/idp.js -@@ -227,7 +227,7 @@ IPA.add_idp_policy = function() { - // For custom template we show custom fields - // and mark all of them required and passed to the RPC - // If show_custom is false, the opposite happens -- custom_fields.forEach(fname => { -+ custom_fields.forEach(function(fname) { - widget_f = that.container.fields.get_field(fname); - widget_f.set_required(show_custom); - widget_f.set_enabled(show_custom); -@@ -235,7 +235,7 @@ IPA.add_idp_policy = function() { - }); - - // For template fields we show them if custom aren't shown -- template_fields.forEach(fname => { -+ template_fields.forEach(function(fname) { - widget_f = that.container.fields.get_field(fname); - widget_f.set_enabled(!show_custom); - widget_f.widget.set_visible(!show_custom); -@@ -252,7 +252,7 @@ IPA.add_idp_policy = function() { - var value = prov_f.get_value()[0]; - - // First, clear template fields from the previous provider choice -- template_fields.forEach(fname => { -+ template_fields.forEach(function(fname) { - widget_f = that.container.fields.get_field(fname); - widget_f.widget.set_visible(false); - widget_f.set_required(false); -@@ -260,9 +260,9 @@ IPA.add_idp_policy = function() { - }); - - // Second, enable and get required template-specific fields -- 
idp.templates.forEach(idp_v => { -+ idp.templates.forEach(function(idp_v) { - if (idp_v['value'] == value) { -- idp_v['fields'].forEach(fname => { -+ idp_v['fields'].forEach(function(fname) { - widget_f = that.container.fields.get_field(fname); - widget_f.set_required(true); - widget_f.set_enabled(true); --- -2.36.1 - diff --git a/SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch b/SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch deleted file mode 100644 index ef09a82..0000000 --- a/SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch +++ /dev/null 
@@ -1,120 +0,0 @@ -From 9a33838407f244e481523fe643bc0626874e8b1a Mon Sep 17 00:00:00 2001 -From: Rafael Guterres Jeffman -Date: Mon, 19 Dec 2022 14:57:03 -0300 -Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports" - -This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a. - -diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py -index 58de365ab..4baeaf8cc 100644 ---- a/ipapython/dnsutil.py 2023-05-19 05:12:52.471239297 -0300 -+++ b/ipapython/dnsutil.py 2023-05-24 12:20:13.588867053 -0300 -@@ -145,55 +145,6 @@ - nameservers.remove(ipv4_loopback) - self.nameservers = nameservers - -- @property -- def nameservers(self): -- return self._nameservers -- -- @nameservers.setter -- def nameservers(self, nameservers): -- """ -- *nameservers*, a ``list`` of nameservers with optional ports: -- "SERVER_IP port PORT_NUMBER". -- -- Overloads dns.resolver.Resolver.nameservers setter to split off ports -- into nameserver_ports after setting nameservers successfully with the -- setter in dns.resolver.Resolver. 
-- """ -- # Get nameserver_ports if it is already set -- if hasattr(self, "nameserver_ports"): -- nameserver_ports = self.nameserver_ports -- else: -- nameserver_ports = {} -- -- # Check nameserver items in list and split out converted port number -- # into nameserver_ports: { nameserver: port } -- if isinstance(nameservers, list): -- _nameservers = [] -- for nameserver in nameservers: -- splits = nameserver.split() -- if len(splits) == 3 and splits[1] == "port": -- nameserver = splits[0] -- try: -- port = int(splits[2]) -- if port < 0 or port > 65535: -- raise ValueError() -- except ValueError: -- raise ValueError( -- "invalid nameserver: %s is not a valid port" % -- splits[2]) -- nameserver_ports[nameserver] = port -- _nameservers.append(nameserver) -- nameservers = _nameservers -- -- # Call dns.resolver.Resolver.nameservers setter -- if hasattr(dns.resolver.Resolver, "nameservers"): -- dns.resolver.Resolver.nameservers.__set__(self, nameservers) -- else: -- # old dnspython (<2) doesn't have 'nameservers' property -- self._nameservers = nameservers -- # Set nameserver_ports after successfull call to setter -- self.nameserver_ports = nameserver_ports -- - - class DNSZoneAlreadyExists(dns.exception.DNSException): - supp_kwargs = {'zone', 'ns'} -diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py -index 9070d89ad..5e7a46197 100644 ---- a/ipatests/test_ipapython/test_dnsutil.py -+++ b/ipatests/test_ipapython/test_dnsutil.py -@@ -101,48 +101,3 @@ class TestSortURI: - assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3] - assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3] - assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2] -- -- --class TestDNSResolver: -- @pytest.fixture(name="res") -- def resolver(self): -- """Resolver that doesn't read /etc/resolv.conf -- -- /etc/resolv.conf is not mandatory on systems -- """ -- return dnsutil.DNSResolver(configure=False) -- -- def test_nameservers(self, res): -- 
res.nameservers = ["4.4.4.4", "8.8.8.8"] -- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] -- -- def test_nameservers_with_ports(self, res): -- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"] -- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] -- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053} -- -- res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"] -- assert res.nameservers == ["4.4.4.4", "8.8.8.8"] -- assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053} -- -- def test_nameservers_with_bad_ports(self, res): -- try: -- res.nameservers = ["4.4.4.4 port a"] -- except ValueError: -- pass -- else: -- pytest.fail("No fail on bad port a") -- -- try: -- res.nameservers = ["4.4.4.4 port -1"] -- except ValueError: -- pass -- else: -- pytest.fail("No fail on bad port -1") -- -- try: -- res.nameservers = ["4.4.4.4 port 65536"] -- except ValueError: -- pass -- else: -- pytest.fail("No fail on bad port 65536") diff --git a/SOURCES/freeipa-4.9.13.tar.gz.asc b/SOURCES/freeipa-4.9.13.tar.gz.asc deleted file mode 100644 index cdb062f..0000000 --- a/SOURCES/freeipa-4.9.13.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmVbZU0ACgkQaYdvcqbi
-009Fgw/+PzHGNOJPs67TtoYITV/3ZCzMyrYTcazVACjD61Zw7JBgbZzZpQXxBSbj
-7QWpNJa3P2JFtv2qOUXJto40mOGpMynyYpuYs4CtyJ86eHTUJyYTFppBmCzzozhT
-2C2BeKKjzV8OOWQ7yO/2BTEZ7KtOcIr4ZI7iZCnLJF9Yt8x7TURjGRqxsHwT62Ip
-vcrtm0LkkYv/fQ6pFZZfinKU1OBrZphwHMCU4Mlv411iQg4+NOxLSsVU/kegeKIO
-adp4Y9g5dfAfdXEXb2Zt7gkmLaWMgf+XNSFDL/wkzRYt74HKwvbIPJQlTZ6pqLxQ
-yTtiHGuMb7xNDWolpoueo1/lbxaHRRGJaSPs7zUht3IBxb7hiF65Gm3UaJhoeAXc
-gVleZf/+0titOdkRfTD2N0P0hli7gaiRrbpw8K4joxMFpYrQGUxD8SI376gkOj6o
-5RWSioPoG9txNM7Co+lVpci7WHhL+Tmhf1SlHyVJGKoNe/z4VHnjHeYlFWRVdDEI
-OOupZzJQoLnso3lTwR5VEN8xGURnhbGV4MdUfD/6FhwmyHiPlYkytdZIsGsNDOab
-978PPaKcIpbsZ4gUhshcbn7qaY809lNSpMtg8saYOP4J/5Nu+i9X5bJqOmoX0rKa
-gAJDY5har+lExRnTEdYEGVB8qen5lqi8r1oYjnDpkSpq6BRoAHA=
-=uQom
------END PGP SIGNATURE-----
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
deleted file mode 100644
index 6a331f7..0000000
--- a/SPECS/ipa.spec
+++ /dev/null
@@ -1,5401 +0,0 @@ -# ipatests enabled by default, can be disabled with --without ipatests -%bcond_without ipatests -# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml -# On RHEL 8 we should use --with ipa_join_xml -%bcond_with ipa_join_xml - -# Linting is disabled by default, needed for upstream testing -%bcond_with lint - -# Build documentation with sphinx -%bcond_with doc - -# Build Python wheels -%bcond_with wheels - -# 389-ds-base 1.4 no longer supports i686 platform, build only client -# packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386 -%ifarch %{ix86} - %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} -%endif - -# Define ONLY_CLIENT to only make the ipa-client and ipa-python -# subpackages -%{!?ONLY_CLIENT:%global ONLY_CLIENT 0} -%if %{ONLY_CLIENT} - %global enable_server_option --disable-server -%else - %global enable_server_option --enable-server -%endif - -%if %{ONLY_CLIENT} - %global with_ipatests 0 -%endif - -# Whether to build ipatests -%if %{with ipatests} - %global with_ipatests_option --with-ipatests -%else - %global with_ipatests_option --without-ipatests -%endif - -# Whether to use XML-RPC with ipa-join -%if %{with ipa_join_xml} - %global with_ipa_join_xml_option --with-ipa-join-xml -%else - %global with_ipa_join_xml_option --without-ipa-join-xml -%endif - -# lint is not executed during rpmbuild -# %%global with_lint 1 -%if %{with lint} - %global linter_options --enable-pylint --without-jslint --enable-rpmlint -%else - %global linter_options --disable-pylint --without-jslint --disable-rpmlint -%endif - -# Include SELinux subpackage -%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8 - %global with_selinux 1 - %global selinuxtype targeted - %global modulename ipa -%endif - -%if 0%{?rhel} -%global package_name ipa -%global alt_name freeipa -%global krb5_version 1.18.2-26 -%global krb5_kdb_version 8.0 -# 0.7.16: https://github.com/drkjam/netaddr/issues/71 -%global python_netaddr_version 0.7.19 -%global samba_version 
4.17.2-1 -%global selinux_policy_version 3.14.3-52 -%global slapi_nis_version 0.56.4 -%global python_ldap_version 3.1.0-1 -%if 0%{?rhel} < 9 -# Bug 1929067 - PKI instance creation failed with new 389-ds-base build -%global ds_version 1.4.3.16-12 -%else -%global ds_version 2.0.3-3 -%endif - -# Fix for TLS 1.3 PHA, RHBZ#1775158 -%global httpd_version 2.4.37-21 -# Fix for RHEL-25649 -%global bind_version 9.11.36-14 - -%else -# Fedora -%global package_name freeipa -%global alt_name ipa -# Fix for CVE-2020-28196 -%global krb5_version 1.18.2-29 -# 0.7.16: https://github.com/drkjam/netaddr/issues/71 -%global python_netaddr_version 0.7.16 - -%global samba_version 2:4.17.2 - -# 3.14.5-45 or later includes a number of interfaces fixes for IPA interface -%global selinux_policy_version 3.14.5-45 -%global slapi_nis_version 0.56.5 - -%global krb5_kdb_version 8.0 - -# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 -%global python_ldap_version 3.1.0-1 - -# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609 -%if 0%{?fedora} < 34 -%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])} -%else -%global ds_version 2.0.4-1 -%endif - -# Fix for TLS 1.3 PHA, RHBZ#1775146 -%global httpd_version 2.4.41-9 - -%global bind_version 9.11.24-1 -# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. -# Some packages don't provide new dist aliases. 
-# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ -%{?python_disable_dependency_generator} -# Fedora -%endif - -# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11 -# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9) -%if 0%{?fedora} || 0%{?rhel} >= 9 - %global openssl_pkcs11_version 0.4.10-6 - %global softhsm_version 2.5.0-4 -%else - %global with_bind_pkcs11 1 -%endif - -%if 0%{?rhel} == 8 -# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 -%global pki_version 10.10.5 -%else -# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 -%global pki_version 10.10.5 -%endif - -# RHEL 8.3+, F32+ has 0.79.13 -%global certmonger_version 0.79.7-3 - -# RHEL 8.2+, F32+ has 3.58 -%global nss_version 3.44.0-4 - -# RHEL 8.7+, F35+, adds IdP integration -%global sssd_version 2.7.0 - -%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) -%global kdcproxy_version 0.4-3 - -%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9 -# systemd with resolved enabled -# see https://pagure.io/freeipa/issue/8275 -%global systemd_version 246.6-3 -%else -%global systemd_version 239 -%endif - -# augeas support for new chrony options -# see https://pagure.io/freeipa/issue/8676 -# Note: will need to be updated for RHEL9 when a fix is available for -# https://bugzilla.redhat.com/show_bug.cgi?id=1931787 -%if 0%{?fedora} >= 33 -%global augeas_version 1.12.0-6 -%else -%global augeas_version 1.12.0-3 -%endif - -%global plugin_dir %{_libdir}/dirsrv/plugins -%global etc_systemd_dir %{_sysconfdir}/systemd/system -%global gettext_domain ipa - -%define _hardened_build 1 - -# Work-around fact that RPM SPEC parser does not accept -# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.9.13 -# Release candidate version -- uncomment with one percent for RC 
versions -#%%global rc_version %%nil -%define AT_SIGN @ -# redefine IPA_VERSION only if its value matches the Autoconf placeholder -%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" - %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser -%endif - -%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil") - -Name: %{package_name} -Version: %{IPA_VERSION} -Release: 12%{?rc_version:.%rc_version}%{?dist} -Summary: The Identity, Policy and Audit system - -License: GPLv3+ -URL: http://www.freeipa.org/ -Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz -# Only use detached signature for the distribution builds. If it is a developer build, skip it -%if %{NON_DEVELOPER_BUILD} -Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc -%endif - -# RHEL spec file only: START: Change branding to IPA and Identity Management -# Moved branding logos and background to redhat-logos-ipa-80.4: -# header-logo.png, login-screen-background.jpg, login-screen-logo.png, -# product-name.png -# RHEL spec file only: END: Change branding to IPA and Identity Management - -# RHEL spec file only: START -%if %{NON_DEVELOPER_BUILD} -Patch0001: 0001-Handle-samba-exception-type-change_rhel#17623.patch -Patch0002: 0002-Check-the-HTTP-Referer-header-on-all-requests.patch -Patch0003: 0003-Integration-tests-for-verifying-Referer-header-in-th.patch -Patch0004: 0004-ipa-kdb-Detect-and-block-Bronze-Bit-attacks.patch -Patch0005: 0005-Improve-server-affinity-for-ca-less-deployments_rhel#22283.patch -Patch0006: 0006-host-update-System-Manage-Host-Keytab-permission_rhel#22286.patch -Patch0007: 0007-adtrustinstance-make-sure-NetBIOS-name-defaults-are-set-properly_rhel#21938.patch -Patch0008: 0008-ipatests-Fix-healthcheck-report-when-nsslapd-accesslog-logbuffering-is-set-to-off_rhel#19672.patch -Patch0009: 0009-kdb-PAC-generator-do-not-fail-if-canonical-principal-is-missing_rhel#23630.patch 
-Patch0010: 0010-ipa-kdb-Fix-memory-leak-during-PAC-verification_rhel#22644.patch -Patch0011: 0011-Fix-session-cookie-access_rhel#23622.patch -Patch0012: 0012-Do-not-ignore-staged-users-in-sidgen-plugin_rhel#23626.patch -Patch0013: 0013-ipa-kdb-Disable-Bronze-Bit-check-if-PAC-not-available_rhel#22313.patch -Patch0014: 0014-krb5kdc-Fix-start-when-pkinit-and-otp-auth-type-are-enabled_rhel#4874.patch -Patch0015: 0015-hbactest-was-not-collecting-or-returning-messages_rhel#12780.patch -Patch0016: 0016-ipatests-wait-for-replica-update-in-test_dns_locatio.patch -Patch0017: 0017-ipa-kdb-Rework-ipadb_reinit_mspac.patch -Patch0018: 0018-ipatests-fix-tasks-wait_for_replication-method_rhel#25708.patch -Patch0019: 0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch -Patch0020: 0020-Vault-improve-vault-server-archival-retrieval-calls-.patch -Patch0021: 0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch -Patch0022: 0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch -Patch0023: 0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch -Patch0024: 0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch -Patch0025: 0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch -Patch0026: 0026-backport-test-fixes_rhel#29908.patch -Patch0027: 0027-kdb-fix-vulnerability-in-GCD-rules-handling.patch -Patch0028: 0028-kdb-apply-combinatorial-logic-for-ticket-flags.patch -Patch0029: 0029-Allow_the_admin_user_to_be_disabled_rhel#34756.patch -Patch0030: 0030-ipa-otptoken-import-open-the-key-file-in-binary-mode_rhel#39616.patch -Patch0031: 0031-ipa-crlgen-manage-manage-the-cert-status-task-execution-time_rhel#30280.patch -Patch0032: 0032-idrange-add-add-a-warning-because-389ds-restart-is-required_rhel#28996.patch -Patch0033: 0033-PKINIT-certificate-fix-renewal-on-hidden-replica_rhel#4913.patch -%if 0%{?rhel} >= 8 -Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch 
-Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
-Patch1003: 1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
-# Due to behavior changes in python3-dns 2.2.0, IPA overrides the setting of the
-# nameserver property inherited from dns.resolver.Resolver class to allow the
-# setting of nameservers with custom ports. The method used is only needed, and
-# only works, on version 2.2.0, or later, of python3-dns. For RHEL 8, which uses
-# series 1.xx, the method override is not needed to provide the same behavior.
-Patch1004: 1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch
-%endif
-%endif
-# RHEL spec file only: END
-
-# For the timestamp trick in patch application
-BuildRequires: diffstat
-
-BuildRequires: openldap-devel
-# For KDB DAL version, make explicit dependency so that increase of version
-# will cause the build to fail due to unsatisfied dependencies.
-# DAL version change may cause code crash or memory leaks, it is better to fail early.
-BuildRequires: krb5-kdb-version = %{krb5_kdb_version}
-BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version}
-BuildRequires: krb5-devel >= %{krb5_version}
-BuildRequires: pkgconfig(krb5)
-%if %{with ipa_join_xml}
-# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation
-BuildRequires: xmlrpc-c-devel >= 1.27.4
-%else
-BuildRequires: libcurl-devel
-BuildRequires: jansson-devel
-%endif
-BuildRequires: popt-devel
-BuildRequires: gcc
-BuildRequires: make
-BuildRequires: pkgconfig
-BuildRequires: pkgconf
-BuildRequires: autoconf
-BuildRequires: automake
-BuildRequires: make
-BuildRequires: libtool
-BuildRequires: gettext
-BuildRequires: gettext-devel
-BuildRequires: python3-devel
-BuildRequires: python3-setuptools
-BuildRequires: systemd >= %{systemd_version}
-# systemd-tmpfiles which is executed from make install requires apache user
-BuildRequires: httpd
-BuildRequires: nspr-devel
-BuildRequires: openssl-devel
-BuildRequires: libini_config-devel
-BuildRequires: cyrus-sasl-devel
-%if ! %{ONLY_CLIENT}
-BuildRequires: 389-ds-base-devel >= %{ds_version}
-BuildRequires: samba-devel >= %{samba_version}
-BuildRequires: libtalloc-devel
-BuildRequires: libtevent-devel
-BuildRequires: libuuid-devel
-BuildRequires: libpwquality-devel
-BuildRequires: libsss_idmap-devel
-BuildRequires: libsss_certmap-devel
-BuildRequires: libsss_nss_idmap-devel >= %{sssd_version}
-BuildRequires: nodejs(abi)
-# use old dependency on RHEL 8 for now
-%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9
-BuildRequires: python3-rjsmin
-%else
-BuildRequires: uglify-js
-%endif
-BuildRequires: libverto-devel
-BuildRequires: libunistring-devel
-# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773
-# 0.13.0-2: fix for missing dependency on python-six
-BuildRequires: python3-lesscpy >= 0.13.0-2
-BuildRequires: cracklib-dicts
-# ONLY_CLIENT
-%endif
-
-#
-# Build dependencies for makeapi/makeaci
-#
-BuildRequires: python3-cffi
-# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
-BuildRequires: python3-dns
-BuildRequires: python3-ldap >= %{python_ldap_version}
-BuildRequires: python3-libsss_nss_idmap
-BuildRequires: python3-netaddr >= %{python_netaddr_version}
-BuildRequires: python3-pyasn1
-BuildRequires: python3-pyasn1-modules
-BuildRequires: python3-six
-BuildRequires: python3-psutil
-
-#
-# Build dependencies for wheel packaging and PyPI upload
-#
-%if %{with wheels}
-BuildRequires: dbus-glib-devel
-BuildRequires: libffi-devel
-BuildRequires: python3-tox
-%if 0%{?fedora} <= 28
-BuildRequires: python3-twine
-%else
-BuildRequires: twine
-%endif
-BuildRequires: python3-wheel
-# with_wheels
-%endif
-
-%if %{with doc}
-BuildRequires: python3-sphinx
-BuildRequires: plantum1
-BuildRequires: fontconfig
-BuildRequires: google-noto-sans-vf-fonts
-%endif
-
-#
-# Build dependencies for lint and fastcheck
-#
-%if %{with lint}
-BuildRequires: git
-%if 0%{?fedora} < 34
-# jsl is orphaned in Fedora 34+
-BuildRequires: jsl
-%endif
-BuildRequires: nss-tools
-BuildRequires: rpmlint
-BuildRequires: softhsm
-
-BuildRequires: keyutils
-BuildRequires: python3-augeas
-BuildRequires: python3-cffi
-BuildRequires: python3-cryptography >= 1.6
-BuildRequires: python3-custodia >= 0.3.1
-BuildRequires: python3-dateutil
-BuildRequires: python3-dbus
-# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
-BuildRequires: python3-dns >= 1.15
-BuildRequires: python3-docker
-BuildRequires: python3-gssapi >= 1.2.0
-BuildRequires: python3-jinja2
-BuildRequires: python3-jwcrypto >= 0.4.2
-BuildRequires: python3-ldap >= %{python_ldap_version}
-BuildRequires: python3-ldap >= %{python_ldap_version}
-BuildRequires: python3-lib389 >= %{ds_version}
-BuildRequires: python3-libipa_hbac
-BuildRequires: python3-libsss_nss_idmap
-BuildRequires: python3-lxml
-BuildRequires: python3-netaddr >= %{python_netaddr_version}
-BuildRequires: python3-netifaces
-BuildRequires: python3-paste
-BuildRequires: python3-pexpect
-BuildRequires: python3-pki >= %{pki_version}
-BuildRequires: python3-polib
-BuildRequires: python3-pyasn1
-BuildRequires: python3-pyasn1-modules
-BuildRequires: python3-pycodestyle
-# .wheelconstraints.in limits pylint version in Azure and tox tests
-BuildRequires: python3-pylint
-BuildRequires: python3-pytest-multihost
-BuildRequires: python3-pytest-sourceorder
-BuildRequires: python3-qrcode-core >= 5.0.0
-BuildRequires: python3-samba
-BuildRequires: python3-six
-BuildRequires: python3-sss
-BuildRequires: python3-sss-murmur
-BuildRequires: python3-sssdconfig >= %{sssd_version}
-BuildRequires: python3-systemd
-BuildRequires: python3-yaml
-BuildRequires: python3-yubico
-# with_lint
-%endif
-
-#
-# Build dependencies for unit tests
-#
-%if ! %{ONLY_CLIENT}
-BuildRequires: libcmocka-devel
-# Required by ipa_kdb_tests
-BuildRequires: krb5-server >= %{krb5_version}
-# ONLY_CLIENT
-%endif
-
-# Build dependencies for SELinux policy
-%if %{with selinux}
-BuildRequires: selinux-policy-devel >= %{selinux_policy_version}
-%endif
-
-%description
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services).
The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-
-
-%if ! %{ONLY_CLIENT}
-
-%package server
-Summary: The IPA authentication server
-Requires: %{name}-server-common = %{version}-%{release}
-Requires: %{name}-client = %{version}-%{release}
-Requires: %{name}-common = %{version}-%{release}
-Requires: python3-ipaserver = %{version}-%{release}
-Requires: python3-ldap >= %{python_ldap_version}
-Requires: 389-ds-base >= %{ds_version}
-Requires: openldap-clients > 2.4.35-4
-Requires: nss-tools >= %{nss_version}
-Requires(post): krb5-server >= %{krb5_version}
-Requires(post): krb5-server >= %{krb5_base_version}
-Requires: krb5-kdb-version = %{krb5_kdb_version}
-Requires: cyrus-sasl-gssapi%{?_isa}
-Requires: chrony
-Requires: httpd >= %{httpd_version}
-Requires(preun): python3
-Requires(postun): python3
-Requires: python3-gssapi >= 1.2.0-5
-Requires: python3-systemd
-Requires: python3-mod_wsgi
-Requires: mod_auth_gssapi >= 1.5.0
-Requires: mod_ssl >= %{httpd_version}
-Requires: mod_session >= %{httpd_version}
-# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
-Requires: mod_lookup_identity >= 0.9.9
-Requires: acl
-Requires: systemd-units >= %{systemd_version}
-Requires(pre): systemd-units >= %{systemd_version}
-Requires(post): systemd-units >= %{systemd_version}
-Requires(preun): systemd-units >= %{systemd_version}
-Requires(postun): systemd-units >= %{systemd_version}
-Requires(pre): shadow-utils
-Requires: selinux-policy >= %{selinux_policy_version}
-Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= %{slapi_nis_version}
-Requires: pki-ca >= %{pki_version}
-Requires: pki-kra >= %{pki_version}
-# pki-acme package was split out in pki-10.10.0
-Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0)
-Requires: policycoreutils >= 2.1.12-5
-Requires: tar
-Requires(pre): certmonger >=
%{certmonger_version}
-Requires(pre): 389-ds-base >= %{ds_version}
-Requires: fontawesome-fonts
-Requires: open-sans-fonts
-%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
-# https://pagure.io/freeipa/issue/8632
-Requires: openssl > 1.1.1i
-%else
-Requires: openssl
-%endif
-Requires: softhsm >= 2.0.0rc1-1
-Requires: p11-kit
-Requires: %{etc_systemd_dir}
-Requires: gzip
-Requires: oddjob
-# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
-Requires: gssproxy >= 0.7.0-2
-Requires: sssd-dbus >= %{sssd_version}
-Requires: libpwquality
-Requires: cracklib-dicts
-# NDR libraries are internal in Samba and change with version without changing SONAME
-Requires: samba-client-libs >= %{samba_version}
-# Due to RHBZ#2100916, libvert-libev is required by ipa-otp.
-Requires: libverto-libev >= 0.3.2-1
-
-Provides: %{alt_name}-server = %{version}
-Conflicts: %{alt_name}-server
-Obsoletes: %{alt_name}-server < %{version}
-
-# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
-# entire SELinux policy is stored in the system policy
-Obsoletes: freeipa-server-selinux < 3.3.0
-
-# upgrade path from monolithic -server to -server + -server-dns
-Obsoletes: %{name}-server <= 4.2.0
-
-# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
-# member.
-Conflicts: nss-pam-ldapd < 0.8.4
-
-# RHEL spec file only: START: Do not build tests
-%if 0%{?rhel} == 8
-# ipa-tests subpackage was moved to separate srpm
-Conflicts: ipa-tests < 3.3.3-9
-%endif
-# RHEL spec file only: END: Do not build tests
-
-%description server
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If you are installing an IPA server, you need to install this package.
-
-
-%package -n python3-ipaserver
-Summary: Python libraries used by IPA server
-BuildArch: noarch
-%{?python_provide:%python_provide python3-ipaserver}
-Requires: %{name}-server-common = %{version}-%{release}
-Requires: %{name}-common = %{version}-%{release}
-# we need pre-requires since earlier versions may break upgrade
-Requires(pre): python3-ldap >= %{python_ldap_version}
-Requires: python3-augeas
-Requires: augeas-libs >= %{augeas_version}
-Requires: python3-custodia >= 0.3.1
-Requires: python3-dbus
-# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
-Requires: python3-dns >= 1.15
-Requires: python3-gssapi >= 1.2.0
-Requires: python3-ipaclient = %{version}-%{release}
-Requires: python3-kdcproxy >= %{kdcproxy_version}
-Requires: python3-lxml
-Requires: python3-pki >= %{pki_version}
-Requires: python3-pyasn1 >= 0.3.2-2
-Requires: python3-sssdconfig >= %{sssd_version}
-Requires: python3-psutil
-Requires: rpm-libs
-# Indirect dependency: use newer urllib3 with TLS 1.3 PHA support
-%if 0%{?rhel}
-Requires: python3-urllib3 >= 1.24.2-3
-%else
-Requires: python3-urllib3 >= 1.25.7
-%endif
-
-%description -n python3-ipaserver
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If you are installing an IPA server, you need to install this package.
-
-
-%package server-common
-Summary: Common files used by IPA server
-BuildArch: noarch
-Requires: %{name}-client-common = %{version}-%{release}
-Requires: httpd >= %{httpd_version}
-Requires: systemd-units >= %{systemd_version}
-Requires: custodia >= 0.3.1
-%if 0%{?rhel} >= 8 && !
0%{?eln}
-Requires: system-logos-ipa >= 80.4
-%endif
-
-Provides: %{alt_name}-server-common = %{version}
-Conflicts: %{alt_name}-server-common
-Obsoletes: %{alt_name}-server-common < %{version}
-
-%description server-common
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If you are installing an IPA server, you need to install this package.
-
-
-%package server-dns
-Summary: IPA integrated DNS server with support for automatic DNSSEC signing
-BuildArch: noarch
-Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 11.2-2
-Requires: bind >= %{bind_version}
-Requires: bind-utils >= %{bind_version}
-%if %{with bind_pkcs11}
-Requires: bind-pkcs11 >= %{bind_version}
-Requires: bind-pkcs11-utils >= %{bind_version}
-%else
-Requires: softhsm >= %{softhsm_version}
-Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
-%endif
-# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
-# RHEL 8.3+ and Fedora 32+ have 2.1
-Requires: opendnssec >= 2.1.6-5
-%{?systemd_requires}
-
-Provides: %{alt_name}-server-dns = %{version}
-Conflicts: %{alt_name}-server-dns
-Obsoletes: %{alt_name}-server-dns < %{version}
-
-# upgrade path from monolithic -server to -server + -server-dns
-Obsoletes: %{name}-server <= 4.2.0
-
-%description server-dns
-IPA integrated DNS server with support for automatic DNSSEC signing.
-Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
-
-
-%package server-trust-ad
-Summary: Virtual package to install packages required for Active Directory trusts
-Requires: %{name}-server = %{version}-%{release}
-Requires: %{name}-common = %{version}-%{release}
-
-Requires: samba >= %{samba_version}
-Requires: samba-winbind
-Requires: sssd-winbind-idmap
-Requires: libsss_idmap
-%if 0%{?rhel}
-Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
-%endif
-Requires(post): python3
-Requires: python3-samba
-Requires: python3-libsss_nss_idmap
-Requires: python3-sss
-
-# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
-# on the installes where server-trust-ad subpackage is installed because
-# IPA AD trusts cannot be used at the same time with the locator plugin
-# since Winbindd will be configured in a different mode
-Requires(post): %{_sbindir}/update-alternatives
-Requires(postun): %{_sbindir}/update-alternatives
-Requires(preun): %{_sbindir}/update-alternatives
-
-Provides: %{alt_name}-server-trust-ad = %{version}
-Conflicts: %{alt_name}-server-trust-ad
-Obsoletes: %{alt_name}-server-trust-ad < %{version}
-
-%description server-trust-ad
-Cross-realm trusts with Active Directory in IPA require working Samba 4
-installation. This package is provided for convenience to install all required
-dependencies at once.
-
-# ONLY_CLIENT
-%endif
-
-
-%package client
-Summary: IPA authentication for use on clients
-Requires: %{name}-client-common = %{version}-%{release}
-Requires: %{name}-common = %{version}-%{release}
-Requires: python3-gssapi >= 1.2.0-5
-Requires: python3-ipaclient = %{version}-%{release}
-Requires: python3-ldap >= %{python_ldap_version}
-Requires: python3-sssdconfig >= %{sssd_version}
-Requires: cyrus-sasl-gssapi%{?_isa}
-Requires: chrony
-Requires: krb5-workstation >= %{krb5_version}
-# Support pkinit with client install
-Requires: krb5-pkinit-openssl >= %{krb5_version}
-# authselect: sssd profile with-subid
-%if 0%{?fedora} >= 36
-Requires: authselect >= 1.4.0
-%else
-Requires: authselect >= 1.2.5
-%endif
-Requires: curl
-# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
-# All Fedora 28+ and RHEL8+ contain the service in hostname package
-Requires: hostname
-Requires: libcurl >= 7.21.7-2
-%if %{with ipa_join_xml}
-Requires: xmlrpc-c >= 1.27.4
-%else
-Requires: jansson
-%endif
-Requires: sssd-ipa >= %{sssd_version}
-Requires: sssd-idp >= %{sssd_version}
-Requires: sssd-krb5 >= %{sssd_version}
-Requires: certmonger >= %{certmonger_version}
-Requires: nss-tools >= %{nss_version}
-Requires: bind-utils
-Requires: oddjob-mkhomedir
-Requires: libsss_autofs
-Requires: autofs
-Requires: libnfsidmap
-Requires: nfs-utils
-Requires: sssd-tools >= %{sssd_version}
-Requires(post): policycoreutils
-
-# https://pagure.io/freeipa/issue/8530
-Recommends: libsss_sudo
-Recommends: sudo
-Requires: (libsss_sudo if sudo)
-
-Provides: %{alt_name}-client = %{version}
-Conflicts: %{alt_name}-client
-Obsoletes: %{alt_name}-client < %{version}
-
-Provides: %{alt_name}-admintools = %{version}
-Conflicts: %{alt_name}-admintools
-Obsoletes: %{alt_name}-admintools < 4.4.1
-
-Obsoletes: %{name}-admintools < 4.4.1
-Provides: %{name}-admintools = %{version}-%{release}
-
-%if 0%{?rhel} == 8
-# Conflict with crypto-policies < 20200629-1 to get AD-SUPPORT policy module
-Conflicts: crypto-policies < 20200629-1
-%endif
-
-%description client
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If your network uses IPA for authentication, this package should be
-installed on every client machine.
-This package provides command-line tools for IPA administrators.
-
-%package client-samba
-Summary: Tools to configure Samba on IPA client
-Group: System Environment/Base
-Requires: %{name}-client = %{version}-%{release}
-Requires: python3-samba
-Requires: samba-client
-Requires: samba-winbind
-Requires: samba-common-tools
-Requires: samba
-Requires: sssd-winbind-idmap
-Requires: tdb-tools
-Requires: cifs-utils
-
-%description client-samba
-This package provides command-line tools to deploy Samba domain member
-on the machine enrolled into a FreeIPA environment
-
-%package client-epn
-Summary: Tools to configure Expiring Password Notification in IPA
-Group: System Environment/Base
-Requires: %{name}-client = %{version}-%{release}
-Requires: systemd-units >= %{systemd_version}
-Requires(post): systemd-units >= %{systemd_version}
-Requires(preun): systemd-units >= %{systemd_version}
-Requires(postun): systemd-units >= %{systemd_version}
-
-%description client-epn
-This package provides a service to collect and send expiring password
-notifications via email (SMTP).
-
-%package -n python3-ipaclient
-Summary: Python libraries used by IPA client
-BuildArch: noarch
-%{?python_provide:%python_provide python3-ipaclient}
-Requires: %{name}-client-common = %{version}-%{release}
-Requires: %{name}-common = %{version}-%{release}
-Requires: python3-ipalib = %{version}-%{release}
-Requires: python3-augeas
-Requires: augeas-libs >= %{augeas_version}
-# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
-Requires: python3-dns >= 1.15
-Requires: python3-jinja2
-
-%description -n python3-ipaclient
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If your network uses IPA for authentication, this package should be
-installed on every client machine.
-
-%package client-common
-Summary: Common files used by IPA client
-BuildArch: noarch
-
-Provides: %{alt_name}-client-common = %{version}
-Conflicts: %{alt_name}-client-common
-Obsoletes: %{alt_name}-client-common < %{version}
-# python2-ipa* packages are no longer available in 4.8.
-Obsoletes: python2-ipaclient < 4.8.0-1
-Obsoletes: python2-ipalib < 4.8.0-1
-Obsoletes: python2-ipaserver < 4.8.0-1
-Obsoletes: python2-ipatests < 4.8.0-1
-
-
-%description client-common
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If your network uses IPA for authentication, this package should be
-installed on every client machine.
-
-
-%package python-compat
-Summary: Compatiblity package for Python libraries used by IPA
-BuildArch: noarch
-Obsoletes: %{name}-python < 4.2.91
-Provides: %{name}-python = %{version}-%{release}
-Requires: %{name}-common = %{version}-%{release}
-Requires: python3-ipalib = %{version}-%{release}
-
-Provides: %{alt_name}-python-compat = %{version}
-Conflicts: %{alt_name}-python-compat
-Obsoletes: %{alt_name}-python-compat < %{version}
-
-Obsoletes: %{alt_name}-python < 4.2.91
-Provides: %{alt_name}-python = %{version}
-
-%description python-compat
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-This is a compatibility package to accommodate %{name}-python split into
-python3-ipalib and %{name}-common. Packages still depending on
-%{name}-python should be fixed to depend on python2-ipaclient or
-%{name}-common instead.
-
-
-%package -n python3-ipalib
-Summary: Python3 libraries used by IPA
-BuildArch: noarch
-%{?python_provide:%python_provide python3-ipalib}
-Provides: python3-ipapython = %{version}-%{release}
-%{?python_provide:%python_provide python3-ipapython}
-Provides: python3-ipaplatform = %{version}-%{release}
-%{?python_provide:%python_provide python3-ipaplatform}
-Requires: %{name}-common = %{version}-%{release}
-# we need pre-requires since earlier versions may break upgrade
-Requires(pre): python3-ldap >= %{python_ldap_version}
-Requires: gnupg2
-Requires: keyutils
-Requires: python3-cffi
-Requires: python3-cryptography >= 1.6
-Requires: python3-dateutil
-Requires: python3-dbus
-# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
-Requires: python3-dns >= 1.15
-Requires: python3-gssapi >= 1.2.0
-Requires: python3-jwcrypto >= 0.4.2
-Requires: python3-libipa_hbac
-Requires: python3-netaddr >= %{python_netaddr_version}
-Requires: python3-netifaces >= 0.10.4
-Requires: python3-pyasn1 >= 0.3.2-2
-Requires: python3-pyasn1-modules >= 0.3.2-2
-Requires: python3-pyusb
-Requires: python3-qrcode-core >= 5.0.0
-Requires: python3-requests
-Requires: python3-six
-Requires: python3-sss-murmur
-Requires: python3-yubico >= 1.3.2-7
-%if 0%{?rhel} && 0%{?rhel} == 8
-Requires: platform-python-setuptools
-%else
-Requires: python3-setuptools
-%endif
-
-%description -n python3-ipalib
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If you are using IPA with Python 3, you need to install this package.
-
-
-%package common
-Summary: Common files used by IPA
-BuildArch: noarch
-Conflicts: %{name}-python < 4.2.91
-
-Provides: %{alt_name}-common = %{version}
-Conflicts: %{alt_name}-common
-Obsoletes: %{alt_name}-common < %{version}
-
-Conflicts: %{alt_name}-python < %{version}
-
-%if %{with selinux}
-# This ensures that the *-selinux package and all it’s dependencies are not
-# pulled into containers and other systems that do not use SELinux. The
-# policy defines types and file contexts for client and server.
-Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
-%endif
-
-%description common
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services).
The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-If you are using IPA, you need to install this package.
-
-
-%if %{with ipatests}
-
-%package -n python3-ipatests
-Summary: IPA tests and test tools
-BuildArch: noarch
-%{?python_provide:%python_provide python3-ipatests}
-Requires: python3-ipaclient = %{version}-%{release}
-Requires: python3-ipaserver = %{version}-%{release}
-Requires: iptables
-Requires: python3-coverage
-Requires: python3-cryptography >= 1.6
-Requires: python3-pexpect
-%if 0%{?fedora}
-# These packages do not exist on RHEL and for ipatests use
-# they are installed on the controller through other means
-Requires: ldns-utils
-# update-crypto-policies
-Requires: crypto-policies-scripts
-Requires: python3-polib
-Requires: python3-pytest >= 3.9.1
-Requires: python3-pytest-multihost >= 0.5
-Requires: python3-pytest-sourceorder
-Requires: sshpass
-%endif
-Requires: python3-sssdconfig >= %{sssd_version}
-Requires: tar
-Requires: xz
-Requires: openssh-clients
-%if 0%{?rhel}
-AutoReqProv: no
-%endif
-
-%description -n python3-ipatests
-IPA is an integrated solution to provide centrally managed Identity (users,
-hosts, services), Authentication (SSO, 2FA), and Authorization
-(host access control, SELinux user roles, services). The solution provides
-features for further integration with Linux based clients (SUDO, automount)
-and integration with Active Directory based infrastructures (Trusts).
-This package contains tests that verify IPA functionality under Python 3.
-
-# with ipatests
-%endif
-
-
-%if %{with selinux}
-# SELinux subpackage
-%package selinux
-Summary: FreeIPA SELinux policy
-BuildArch: noarch
-Requires: selinux-policy-%{selinuxtype}
-Requires(post): selinux-policy-%{selinuxtype}
-%{?selinux_requires}
-
-%description selinux
-Custom SELinux policy module for FreeIPA
-# with selinux
-%endif
-
-
-%prep
-# Update timestamps on the files touched by a patch, to avoid non-equal
-# .pyc/.pyo files across the multilib peers within a build, where "Level"
-# is the patch prefix option (e.g. -p1)
-# Taken from specfile for sssd and python-simplejson
-UpdateTimestamps() {
- Level=$1
- PatchFile=$2
-
- # Locate the affected files:
- for f in $(diffstat $Level -l $PatchFile); do
- # Set the files to have the same timestamp as that of the patch:
- touch -c -r $PatchFile $f
- done
-}
-
-%setup -n freeipa-%{version}%{?rc_version} -q
-
-# To allow proper application patches to the stripped po files, strip originals
-pushd po
-for i in *.po ; do
- msgattrib --translated --no-fuzzy --no-location -s $i > $i.tmp || exit 1
- mv $i.tmp $i || exit 1
-done
-popd
-
-for p in %patches ; do
- %__patch -p1 -i $p
- UpdateTimestamps -p1 $p
-done
-
-%build
-# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
-export PATH=/usr/bin:/usr/sbin:$PATH
-
-export PYTHON=%{__python3}
-autoreconf -ivf
-%configure --with-vendor-suffix=-%{release} \
- %{enable_server_option} \
- %{with_ipatests_option} \
- %{with_ipa_join_xml_option} \
- %{linter_options}
-
-# run build in default dir
-# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
-%make_build -Onone
-
-
-%check
-make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
-
-
-%install
-# Please put as much logic as possible into make install.
It allows:
-# - easier porting to other distributions
-# - rapid devel & install cycle using make install
-# (instead of full RPM build and installation each time)
-#
-# All files and directories created by spec install should be marked as ghost.
-# (These are typically configuration files created by IPA installer.)
-# All other artifacts should be created by make install.
-
-%make_install
-
-# don't package ipasphinx for now
-rm -rf %{buildroot}%{python3_sitelib}/ipasphinx*
-
-%if %{with ipatests}
-mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
-mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
-mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
-ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
-ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
-ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
-ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
-ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
-ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
-# with_ipatests
-%endif
-
-# remove files which are useful only for make uninstall
-find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
-
-%if 0%{?rhel}
-# RHEL spec file only: START
-# Moved branding logos and background to redhat-logos-ipa-80.4:
-# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
-# product-name.png
-rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
-rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
-rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
-rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
-%endif
-# RHEL spec file only: END
-
-%find_lang %{gettext_domain}
-
-%if ! %{ONLY_CLIENT}
-# Remove .la files from libtool - we don't want to package
-# these files
-rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
-rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
-rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
-rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
-rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
-rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
-rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
-rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
-rm %{buildroot}/%{plugin_dir}/libipa_dns.la
-rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
-rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
-rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
-rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
-rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
-rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
-rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la
-rm %{buildroot}/%{plugin_dir}/libtopology.la
-rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
-rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
-
-# So we can own our Apache configuration
-mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
-/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
-/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
-/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
-/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
-
-mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
-touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
-
-# ONLY_CLIENT
-%endif
-
-/bin/touch
%{buildroot}%{_sysconfdir}/ipa/default.conf
-/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
-
-%if ! %{ONLY_CLIENT}
-mkdir -p %{buildroot}%{_sysconfdir}/cron.d
-# ONLY_CLIENT
-%endif
-
-%if ! %{ONLY_CLIENT}
-
-%post server
-# NOTE: systemd specific section
- /bin/systemctl --system daemon-reload 2>&1 || :
-# END
-if [ $1 -gt 1 ] ; then
- /bin/systemctl condrestart certmonger.service 2>&1 || :
-fi
-/bin/systemctl reload-or-try-restart dbus
-/bin/systemctl reload-or-try-restart oddjobd
-
-%tmpfiles_create ipa.conf
-
-%posttrans server
-# don't execute upgrade and restart of IPA when server is not installed
-%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
-
-if [ $? -eq 0 ]; then
- # This is necessary for Fedora system upgrades which by default
- # work with the network being offline
- /bin/systemctl start network-online.target
-
- # Restart IPA processes. This must be also run in postrans so that plugins
- # and software is in consistent state. This will also perform the
- # system upgrade.
- # NOTE: systemd specific section
-
- /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
- if [ $? -eq 0 ]; then
- /bin/systemctl restart ipa.service >/dev/null
- fi
-
- /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
- if [ $? -eq 1 ]; then
- /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
- fi
-fi
-# END
-
-
-%preun server
-if [ $1 = 0 ]; then
-# NOTE: systemd specific section
- /bin/systemctl --quiet stop ipa.service || :
- /bin/systemctl --quiet disable ipa.service || :
- /bin/systemctl reload-or-try-restart dbus
- /bin/systemctl reload-or-try-restart oddjobd
-# END
-fi
-
-
-%pre server
-# Stop ipa_kpasswd if it exists before upgrading so we don't have a
-# zombie process when we're done.
-if [ -e /usr/sbin/ipa_kpasswd ]; then -# NOTE: systemd specific section - /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || : -# END -fi - - -%pre server-common -# create users and groups -# create kdcproxy group and user -getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy -getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy -# create ipaapi group and user -getent group ipaapi >/dev/null || groupadd -f -r ipaapi -getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi -# add apache to ipaaapi group -id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi - - -%post server-dns -%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service - -%preun server-dns -%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service - -%postun server-dns -%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service - - -%postun server-trust-ad -if [ "$1" -ge "1" ]; then - if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then - %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null - fi -fi - - -%post server-trust-ad -%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ - winbind_krb5_locator.so /dev/null 90 -/bin/systemctl reload-or-try-restart dbus -/bin/systemctl reload-or-try-restart oddjobd - - -%posttrans server-trust-ad -%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1 -if [ $? 
-eq 0 ]; then -# NOTE: systemd specific section - /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || : -# END -fi - - -%preun server-trust-ad -if [ $1 -eq 0 ]; then - %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null - /bin/systemctl reload-or-try-restart dbus - /bin/systemctl reload-or-try-restart oddjobd -fi - -# ONLY_CLIENT -%endif - -%preun client-epn -%systemd_preun ipa-epn.service -%systemd_preun ipa-epn.timer - -%postun client-epn -%systemd_postun ipa-epn.service -%systemd_postun ipa-epn.timer - -%post client-epn -%systemd_post ipa-epn.service -%systemd_post ipa-epn.timer - -%post client -if [ $1 -gt 1 ] ; then - # Has the client been configured? - restore=0 - test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') - - if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then - if grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then - sed -i '\;includedir /var/lib/sss/pubconf/krb5.include.d;d' /etc/krb5.conf - fi - fi - - if [ $restore -ge 2 ]; then - if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then - sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew - mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf - cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem - cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem - fi - - %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1 - %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 - chmod 0600 /var/log/ipaupgrade.log - SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" - if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; 
then - sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" - fi - fi -fi - - -%if %{with selinux} -# SELinux contexts are saved so that only affected files can be -# relabeled after the policy module installation -%pre selinux -%selinux_relabel_pre -s %{selinuxtype} - -%post selinux -semodule -d ipa_custodia &> /dev/null || true; -%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 - -%postun selinux -if [ $1 -eq 0 ]; then - %selinux_modules_uninstall -s %{selinuxtype} %{modulename} - semodule -e ipa_custodia &> /dev/null || true; -fi - -%posttrans selinux -%selinux_relabel_post -s %{selinuxtype} -# with_selinux -%endif - - -%triggerin client -- openssh-server < 8.2 -# Has the client been configured? -restore=0 -test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') - -if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then - if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then - sed -r ' - /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d - ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew - - if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then - sed -ri ' - s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ - s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/ - ' /etc/ssh/sshd_config.ipanew - elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then - sed -ri ' - s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ - s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/ - ' /etc/ssh/sshd_config.ipanew - 
elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then - sed -ri ' - s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/ - s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/ - ' /etc/ssh/sshd_config.ipanew - fi - - mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config - chmod 600 /etc/ssh/sshd_config - - /bin/systemctl condrestart sshd.service 2>&1 || : - fi -fi - - -%triggerin client -- openssh-server >= 8.2 -# Has the client been configured? -restore=0 -test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') - -if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then - # If the snippet already exists, skip - if [ ! -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then - # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf - grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf - # Remove the values from sshd_conf - sed -ri ' - /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d - ' /etc/ssh/sshd_config - - /bin/systemctl condrestart sshd.service 2>&1 || : - fi - # If the snippet has been created, ensure that it is included - # either by /etc/ssh/sshd_config.d/*.conf or directly - if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then - if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then - if ! 
grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then - # Include the snippet - echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew - cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew - mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config - fi - fi - fi -fi - - -%if ! %{ONLY_CLIENT} - -%files server -%doc README.md Contributors.txt -%license COPYING -%{_sbindir}/ipa-backup -%{_sbindir}/ipa-restore -%{_sbindir}/ipa-ca-install -%{_sbindir}/ipa-kra-install -%{_sbindir}/ipa-server-install -%{_sbindir}/ipa-replica-conncheck -%{_sbindir}/ipa-replica-install -%{_sbindir}/ipa-replica-manage -%{_sbindir}/ipa-csreplica-manage -%{_sbindir}/ipa-server-certinstall -%{_sbindir}/ipa-server-upgrade -%{_sbindir}/ipa-ldap-updater -%{_sbindir}/ipa-otptoken-import -%{_sbindir}/ipa-compat-manage -%{_sbindir}/ipa-nis-manage -%{_sbindir}/ipa-managed-entries -%{_sbindir}/ipactl -%{_sbindir}/ipa-advise -%{_sbindir}/ipa-cacert-manage -%{_sbindir}/ipa-winsync-migrate -%{_sbindir}/ipa-pkinit-manage -%{_sbindir}/ipa-crlgen-manage -%{_sbindir}/ipa-cert-fix -%{_sbindir}/ipa-acme-manage -%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit -%{_libexecdir}/certmonger/ipa-server-guard -%dir %{_libexecdir}/ipa -%{_libexecdir}/ipa/ipa-ccache-sweeper -%{_libexecdir}/ipa/ipa-custodia -%{_libexecdir}/ipa/ipa-custodia-check -%{_libexecdir}/ipa/ipa-httpd-kdcproxy -%{_libexecdir}/ipa/ipa-httpd-pwdreader -%{_libexecdir}/ipa/ipa-pki-retrieve-key -%{_libexecdir}/ipa/ipa-pki-wait-running -%{_libexecdir}/ipa/ipa-otpd -%{_libexecdir}/ipa/ipa-print-pac -%{_libexecdir}/ipa/ipa-subids -%dir %{_libexecdir}/ipa/custodia -%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap -%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat -%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped -%attr(755,root,root) 
%{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent -%dir %{_libexecdir}/ipa/oddjob -%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck -%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid -%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent -%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf -%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf -%dir %{_libexecdir}/ipa/certmonger -%attr(755,root,root) %{_libexecdir}/ipa/certmonger/* -# NOTE: systemd specific section -%attr(644,root,root) %{_unitdir}/ipa.service -%attr(644,root,root) %{_unitdir}/ipa-otpd.socket -%attr(644,root,root) %{_unitdir}/ipa-otpd@.service -%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service -%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer -# END -%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so -%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so -%attr(755,root,root) %{plugin_dir}/libipa_winsync.so -%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so -%attr(755,root,root) %{plugin_dir}/libipa_uuid.so -%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so -%attr(755,root,root) %{plugin_dir}/libipa_lockout.so -%attr(755,root,root) %{plugin_dir}/libipa_dns.so -%attr(755,root,root) %{plugin_dir}/libipa_range_check.so -%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so -%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so -%attr(755,root,root) %{plugin_dir}/libtopology.so -%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so -%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so -%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so -%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so -%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so -%{_mandir}/man1/ipa-replica-conncheck.1* -%{_mandir}/man1/ipa-replica-install.1* -%{_mandir}/man1/ipa-replica-manage.1* -%{_mandir}/man1/ipa-csreplica-manage.1* 
-%{_mandir}/man1/ipa-server-certinstall.1* -%{_mandir}/man1/ipa-server-install.1* -%{_mandir}/man1/ipa-server-upgrade.1* -%{_mandir}/man1/ipa-ca-install.1* -%{_mandir}/man1/ipa-kra-install.1* -%{_mandir}/man1/ipa-compat-manage.1* -%{_mandir}/man1/ipa-nis-manage.1* -%{_mandir}/man1/ipa-managed-entries.1* -%{_mandir}/man1/ipa-ldap-updater.1* -%{_mandir}/man8/ipactl.8* -%{_mandir}/man1/ipa-backup.1* -%{_mandir}/man1/ipa-restore.1* -%{_mandir}/man1/ipa-advise.1* -%{_mandir}/man1/ipa-otptoken-import.1* -%{_mandir}/man1/ipa-cacert-manage.1* -%{_mandir}/man1/ipa-winsync-migrate.1* -%{_mandir}/man1/ipa-pkinit-manage.1* -%{_mandir}/man1/ipa-crlgen-manage.1* -%{_mandir}/man1/ipa-cert-fix.1* -%{_mandir}/man1/ipa-acme-manage.1* - - -%files -n python3-ipaserver -%doc README.md Contributors.txt -%license COPYING -%{python3_sitelib}/ipaserver -%{python3_sitelib}/ipaserver-*.egg-info - - -%files server-common -%doc README.md Contributors.txt -%license COPYING -%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy -%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy -%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf -# NOTE: systemd specific section -%{_tmpfilesdir}/ipa.conf -%attr(644,root,root) %{_unitdir}/ipa-custodia.service -%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf -# END -%{_usr}/share/ipa/wsgi.py* -%{_usr}/share/ipa/kdcproxy.wsgi -%{_usr}/share/ipa/ipaca*.ini -%{_usr}/share/ipa/*.ldif -%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif -%{_usr}/share/ipa/*.uldif -%{_usr}/share/ipa/*.template -%dir %{_usr}/share/ipa/advise -%dir %{_usr}/share/ipa/advise/legacy -%{_usr}/share/ipa/advise/legacy/*.template -%dir %{_usr}/share/ipa/profiles -%{_usr}/share/ipa/profiles/README -%{_usr}/share/ipa/profiles/*.cfg -%dir %{_usr}/share/ipa/html -%{_usr}/share/ipa/html/ssbrowser.html -%{_usr}/share/ipa/html/unauthorized.html -%dir %{_usr}/share/ipa/migration -%{_usr}/share/ipa/migration/index.html -%{_usr}/share/ipa/migration/migration.py* -%dir 
%{_usr}/share/ipa/ui -%{_usr}/share/ipa/ui/index.html -%{_usr}/share/ipa/ui/reset_password.html -%{_usr}/share/ipa/ui/sync_otp.html -%{_usr}/share/ipa/ui/*.ico -%{_usr}/share/ipa/ui/*.css -%dir %{_usr}/share/ipa/ui/css -%{_usr}/share/ipa/ui/css/*.css -%dir %{_usr}/share/ipa/ui/js -%dir %{_usr}/share/ipa/ui/js/dojo -%{_usr}/share/ipa/ui/js/dojo/dojo.js -%dir %{_usr}/share/ipa/ui/js/libs -%{_usr}/share/ipa/ui/js/libs/*.js -%dir %{_usr}/share/ipa/ui/js/freeipa -%{_usr}/share/ipa/ui/js/freeipa/app.js -%{_usr}/share/ipa/ui/js/freeipa/core.js -%dir %{_usr}/share/ipa/ui/js/plugins -%dir %{_usr}/share/ipa/ui/images -%if 0%{?rhel} -%{_usr}/share/ipa/ui/images/facet-*.png -# Moved branding logos and background to redhat-logos-ipa-80.4: -# header-logo.png, login-screen-background.jpg, login-screen-logo.png, -# product-name.png -%else -%{_usr}/share/ipa/ui/images/*.jpg -%{_usr}/share/ipa/ui/images/*.png -%endif -%dir %{_usr}/share/ipa/wsgi -%{_usr}/share/ipa/wsgi/plugins.py* -%dir %{_sysconfdir}/ipa -%dir %{_sysconfdir}/ipa/html -%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html -%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html -%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf -%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf -%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf -%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf -%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf -%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt -%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf -%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf -%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con -%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini 
-%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con -%dir %{_usr}/share/ipa/updates/ -%{_usr}/share/ipa/updates/* -%dir %{_localstatedir}/lib/ipa -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy -%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade -%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca -%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds -%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish -%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa -%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia -%dir %{_usr}/share/ipa/schema.d -%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README -%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login -%{_usr}/share/ipa/ipakrb5.aug - -%files server-dns -%doc README.md Contributors.txt -%license COPYING -%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd -%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter -%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec -%{_libexecdir}/ipa/ipa-dnskeysyncd -%{_libexecdir}/ipa/ipa-dnskeysync-replica -%{_libexecdir}/ipa/ipa-ods-exporter -%{_sbindir}/ipa-dns-install -%{_mandir}/man1/ipa-dns-install.1* -%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service -%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket -%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service - -%files server-trust-ad -%doc README.md Contributors.txt -%license COPYING -%{_sbindir}/ipa-adtrust-install -%{_usr}/share/ipa/smb.conf.empty -%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so -%attr(755,root,root) %{plugin_dir}/libipa_cldap.so -%{_datadir}/ipa/ipa-cldap-conf.ldif -%{_mandir}/man1/ipa-adtrust-install.1* -%ghost 
%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so -%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf -%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf -%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains - -# ONLY_CLIENT -%endif - - -%files client -%doc README.md Contributors.txt -%license COPYING -%{_sbindir}/ipa-client-install -%{_sbindir}/ipa-client-automount -%{_sbindir}/ipa-certupdate -%{_sbindir}/ipa-getkeytab -%{_sbindir}/ipa-rmkeytab -%{_sbindir}/ipa-join -%{_bindir}/ipa -%config %{_sysconfdir}/bash_completion.d -%config %{_sysconfdir}/sysconfig/certmonger -%{_mandir}/man1/ipa.1* -%{_mandir}/man1/ipa-getkeytab.1* -%{_mandir}/man1/ipa-rmkeytab.1* -%{_mandir}/man1/ipa-client-install.1* -%{_mandir}/man1/ipa-client-automount.1* -%{_mandir}/man1/ipa-certupdate.1* -%{_mandir}/man1/ipa-join.1* -%dir %{_libexecdir}/ipa/acme -%{_libexecdir}/ipa/acme/certbot-dns-ipa - -%files client-samba -%doc README.md Contributors.txt -%license COPYING -%{_sbindir}/ipa-client-samba -%{_mandir}/man1/ipa-client-samba.1* - - -%files client-epn -%doc README.md Contributors.txt -%dir %{_sysconfdir}/ipa/epn -%license COPYING -%{_sbindir}/ipa-epn -%{_mandir}/man1/ipa-epn.1* -%{_mandir}/man5/epn.conf.5* -%attr(644,root,root) %{_unitdir}/ipa-epn.service -%attr(644,root,root) %{_unitdir}/ipa-epn.timer -%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf -%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template - - -%files -n python3-ipaclient -%doc README.md Contributors.txt -%license COPYING -%dir %{python3_sitelib}/ipaclient -%{python3_sitelib}/ipaclient/*.py -%{python3_sitelib}/ipaclient/__pycache__/*.py* -%dir %{python3_sitelib}/ipaclient/install -%{python3_sitelib}/ipaclient/install/*.py -%{python3_sitelib}/ipaclient/install/__pycache__/*.py* -%dir %{python3_sitelib}/ipaclient/plugins -%{python3_sitelib}/ipaclient/plugins/*.py -%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py* -%dir 
%{python3_sitelib}/ipaclient/remote_plugins -%{python3_sitelib}/ipaclient/remote_plugins/*.py -%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py* -%dir %{python3_sitelib}/ipaclient/remote_plugins/2_* -%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py -%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* -%{python3_sitelib}/ipaclient-*.egg-info - - -%files client-common -%doc README.md Contributors.txt -%license COPYING -%dir %attr(0755,root,root) %{_sysconfdir}/ipa/ -%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf -%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt -%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb -# old dbm format -%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db -%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db -%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db -# new sql format -%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db -%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db -%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt -%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt -%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit -%dir %{_localstatedir}/lib/ipa-client -%dir %{_localstatedir}/lib/ipa-client/pki -%dir %{_localstatedir}/lib/ipa-client/sysrestore -%{_mandir}/man5/default.conf.5* -%dir %{_usr}/share/ipa/client -%{_usr}/share/ipa/client/*.template - - -%files python-compat -%doc README.md Contributors.txt -%license COPYING - - -%files common -f %{gettext_domain}.lang -%doc README.md Contributors.txt -%license COPYING -%dir %{_usr}/share/ipa -%dir %{_libexecdir}/ipa - -%files -n python3-ipalib -%doc README.md Contributors.txt -%license COPYING - -%{python3_sitelib}/ipapython/ 
-%{python3_sitelib}/ipalib/ -%{python3_sitelib}/ipaplatform/ -%{python3_sitelib}/ipapython-*.egg-info -%{python3_sitelib}/ipalib-*.egg-info -%{python3_sitelib}/ipaplatform-*.egg-info - - -%if %{with ipatests} - - -%files -n python3-ipatests -%doc README.md Contributors.txt -%license COPYING -%{python3_sitelib}/ipatests -%{python3_sitelib}/ipatests-*.egg-info -%{_bindir}/ipa-run-tests-3 -%{_bindir}/ipa-test-config-3 -%{_bindir}/ipa-test-task-3 -%{_bindir}/ipa-run-tests-%{python3_version} -%{_bindir}/ipa-test-config-%{python3_version} -%{_bindir}/ipa-test-task-%{python3_version} -%{_bindir}/ipa-run-tests -%{_bindir}/ipa-test-config -%{_bindir}/ipa-test-task -%{_mandir}/man1/ipa-run-tests.1* -%{_mandir}/man1/ipa-test-config.1* -%{_mandir}/man1/ipa-test-task.1* - -# with ipatests -%endif - - -%if %{with selinux} -%files selinux -%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* -%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} -# with selinux -%endif - -%changelog -* Wed Jul 17 2024 Rafael Jeffman - 4.9.13-9 -- Allow the admin user to be disabled - Resolves: RHEL-34756 -- ipa-otptoken-import: open the key file in binary mode - Resolves: RHEL-39616 -- ipa-crlgen-manage: manage the cert status task execution time - Resolves: RHEL-30280 -- idrange-add: add a warning because 389ds restart is required - Resolves: RHEL-28996 -- PKINIT certificate: fix renewal on hidden replica - Resolves: RHEL-4913, RHEL-45908 - -* Wed Jun 12 2024 Julien Rische - 4.9.13-11 -- Add missing part of backported CVE-2024-3183 fix - Resolves: RHEL-29927 - -* Tue Apr 30 2024 Julien Rische - 4.9.13-10 -- kdb: apply combinatorial logic for ticket flags (CVE-2024-3183) - Resolves: RHEL-29927 -- kdb: fix vulnerability in GCD rules handling (CVE-2024-2698) - Resolves: RHEL-29692 - -* Fri Apr 12 2024 Rafael Jeffman - 9.4.13-9 -- dcerpc: invalidate forest trust intfo cache when filtering out realm domains - Resolves: RHEL-28559 
-- Backport latests test fixes in python3-tests - ipatests: add xfail for autoprivate group test with override - ipatests: remove xfail thanks to sssd 2.9.4 - ipatests: adapt for new automembership fixup behavior - ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases - test_xmlrpc: adopt to automember plugin message changes in 389-ds - Resolves: RHEL-29908 - -* Thu Mar 07 2024 Rafael Jeffman - 4.9.13-8 -- rpcserver: validate Kerberos principal name before running kinit - Resolves: RHEL-26153 -- Vault: add additional fallback to RSA-OAEP wrapping algo - Resolves: RHEL-28259 - -* Tue Feb 20 2024 Julien Rische - 4.9.13-7 -- ipa-kdb: Fix double free in ipadb_reinit_mspac() - Resolves: RHEL-25742 -- kra: set RSA-OAEP as default wrapping algo when FIPS is enabled - Resolves: RHEL-12153 -- Vault: improve vault server archival/retrieval calls error handling - Resolves: RHEL-12153 -- Vault: add support for RSA-OAEP wrapping algo - Resolves: RHEL-12153 - -* Fri Feb 16 2024 Julien Rische - 4.9.13-6 -- ipa-kdb: Rework ipadb_reinit_mspac() - Resolves: RHEL-25742 -- ipatests: wait for replica update in test_dns_locations - Resolves: RHEL-22373 -- ipatests: fix tasks.wait_for_replication() method - Resolves: RHEL-25708 - -* Tue Feb 13 2024 Rafael Jeffman - 4.9.13-5 -- kdb: PAC generator: do not fail if canonical principal is missing - Resolves: RHEL-23630 -- ipa-kdb: Fix memory leak during PAC verification - Resolves: RHEL-22644 -- Fix session cookie access - Resolves: RHEL-23622 -- Do not ignore staged users in sidgen plugin - Resovlves: RHEL-23626 -- ipa-kdb: Disable Bronze-Bit check if PAC not available - Resolves: RHEL-22313 -- krb5kdc: Fix start when pkinit and otp auth type are enabled - Resolves: RHEL-4874 -- hbactest was not collecting or returning messages - Resolves: RHEL-12780 - - -* Tue Jan 23 2024 Rafael Jeffman - 4.9.13-4 -- Improve server affinity for CA-less deployments - Resolves: RHEL-22283 -- host: update system: Manage Host Keytab permission 
- Resolves: RHEL-22286 -- adtrustinstance: make sure NetBIOS name defaults are set properly - Resolves: RHEL-21938 -- ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off - Resolves: RHEL-19672 - -* Wed Jan 10 2024 Julien Rische - 4.9.13-3 -- ipa-kdb: Detect and block Bronze-Bit attacks - Resolves: RHEL-9984 -- Fix for CVE-2023-5455 - Resolves: RHEL-12578 - -* Thu Nov 30 2023 Rafael Jeffman - 4.9.13-2 -- Handle new samba exception types. - Resolves: RHEL-17623 - -* Tue Nov 21 2023 Rafael Jeffman - 4.9.13-1 -- Rebase ipa to 4.9.13 - Resolves: RHEL-16936 - -* Wed Oct 04 2023 Julien Rische - 4.9.12-9 -- ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older - Resolves: RHEL-12198 - -* Thu Aug 31 2023 Rafael Jeffman - 4.9.12-8 -- Require krb5 release 1.18.2-25 or later - Resolves: RHBZ#2234711 - -* Wed Aug 16 2023 Rafael Jeffman - 4.9.12-7 -- ipatests: fix test_topology - Resolves: RHBZ#2232351 -- Installer: activate nss and pam services in sssd.conf - Resolves: RHBZ#2216532 - -* Thu Aug 10 2023 Rafael Jeffman - 4.9.12-6 -- ipa-kdb: fix error handling of is_master_host() - Resolves: RHBZ#2214638 -- ipatests: enable firewall rule for http service on acme client - Resolves: RHBZ#2230256 -- User plugin: improve error related to non existing idp - Resolves: RHBZ#2224572 -- Prevent admin user from being deleted - Resolves: RHBZ#1821181 -- Fix memory leak in the OTP last token plugin - Resolves: RHBZ#2227783 - -* Mon Jul 17 2023 Rafael Jeffman - 4.9.12-5 -- Upgrade: fix replica agreement, fix backported patch - Related: RHBZ#2216551 - -* Fri Jun 30 2023 Rafael Jeffman - 4.9.12-4 -- kdb: Use-krb5_pac_full_sign_compat() when available - Resolves: RHBZ#2176406 -- OTP: fix-data-type-to-avoid-endianness-issue - Resolves: RHBZ#2218293 -- Upgrade: fix replica agreement - Resolves: RHBZ#2216551 -- Upgrade: add PKI drop-in file if missing - Resolves: RHBZ#2215336 -- Use the python-cryptography parser directly in cert-find - Resolves: RHBZ#2164349 
-- Backport test updates - Resolves: RHBZ#221884 - -* Wed Jun 21 2023 Julien Rische - 4.9.12-3 -- Rely on sssd-krb5 to include SSSD-generated krb5 configuration - Resolves: RHBZ#2214563 - -* Thu May 25 2023 Rafael Jeffman - 4.9.12-2 -- Use the OpenSSL certificate parser in cert-find - Resolves: RHBZ#2209947 - -* Wed May 24 2023 Rafael Jeffman - 4.9.12-1 -- Rebase ipa to 4.9.12 - Resolves: RHBZ#2196425 -- user or group name: explain the supported format - Resolves: RHBZ#2150217 - -* Mon Dec 19 2022 Rafael Jeffman - 4.9.11-3 -- Revert DNSResolver Fix use of nameservers with ports. - Related: RHBZ#2141316 - -* Fri Dec 16 2022 Rafael Jeffman - 4.9.11-2 -- webui IdP: Remove arrow notation due to uglify-js limitation - Related: RHBZ#2141316 - -* Wed Dec 14 2022 Rafael Jeffman - 4.9.11-1 -- Rebase ipa to 4.9.11 - Resolves: RHBZ#2141316 -- updates: fix memberManager ACI to allow managers from a specified group - Resolves: RHBZ#2056009 -- Defer creating the final krb5.conf on clients - Resolves: RHBZ#2148259 -- Exclude installed policy module file from RPM verification - Resolves: RHBZ#2149567 -- Spec file: ipa-client depends on krb5-pkinit-openssl - Resolves: RHBZ#2149889 - -* Thu Nov 24 2022 Rafael Jeffman - 4.9.10-8 -- ipa man page format the EXAMPLES section - Resolves: RHBZ#2129895 -- Fix canonicalization issue in Web UI - Resolves: RHBZ#2127035 -- Remove idnssoaserial argument from dns zone API. - Resolves: RHBZ#2108630 -- Warn for permissions with read/write/search/compare and no attrs - Resolves: RHBZ#2098187 -- Add PKINIT support to ipa-client-install - Resolves: RHBZ#2075452 -- Generate CNAMEs for TXT+URI location krb records - Resolves: RHBZ#2104185 -- Vault: fix interoperability issues with older RHEL systems - Resolves: RHBZ#2144737 -- Fix typo on ipaupgrade.log chmod during RPM %post snipppet - Resolves: RHBZ#2140994 - -* Tue Nov 1 2022 Rafael Jeffman - 4.9.10-7 -- Rebuild to samba 4.17.2. 
- Related: RHBZ#2132051 - -* Mon Aug 22 2022 Rafael Jeffman - 4.9.10-6 -- webui: Allow grace login limit - Resolves: RHBZ#2109243 -- check_repl_update: in progress is a boolean - Resolves: RHBZ#2117303 -- Disabling gracelimit does not prevent LDAP binds - Resolves: RHBZ#2109236 -- Set passwordgracelimit to match global policy on group pw policies - Resolves: RHBZ#2115475 - -* Tue Jul 19 2022 Rafael Jeffman - 4.9.10-5 -- webui: Do not allow empty pagination size - Resolves: RHBZ#2094672 - -* Tue Jul 12 2022 Rafael Jeffman - 4.9.10-4 -- Add end to end integration tests for external IdP - Resolves: RHBZ#2106346 - -* Thu Jul 07 2022 Rafael Jeffman - 4.9.10-3 -- Add explicit dependency for libvert-libev - Resolves: RHBZ#2104929 - -* Fri Jul 01 2022 Rafael Jeffman - 4.9.10-2 -- Preserve user: fix the confusing summary - Resolves: RHBZ#2022028 -- Only calculate LDAP password grace when the password is expired - Related: RHBZ#782917 - -* Wed Jun 15 2022 Rafael Jeffman - 4.9.10-1 -- Rebase to upstream release 4.9.10 - Remove upstream patches 0002 to 0016 that are part of version 4.9.10 - Remove patches 1101 that is part of version 4.9.10 - Rename patch 0001 to 1002 as it will be used in future RHEL 8 releases - Add patches 0001 and 0002 to fix build on RHEL 8.7 - Resolves: RHBZ#2079466 - Resolves: RHBZ#2063155 - Resolves: RHBZ#1958777 - Resolves: RHBZ#2068088 - Resolves: RHBZ#2004646 - Resolves: RHBZ#782917 - Resolves: RHBZ#2059396 - Resolves: RHBZ#2092015 - -* Tue Apr 5 2022 Rafael Jeffman - 4.9.8-8 -- Backport latest test fixes in python3-ipatests - Resolves: RHBZ#2060841 -- extdom: user getorigby{user|group}name if available - Resolves: RHBZ#2062379 -- Set the mode on ipaupgrade.log during RPM post snipppet - Resolves: RHBZ#2061957 -- test_krbtpolicy: skip SPAKE-related tests in FIPS mode - Resolves: RHBZ#1909630 - -* Thu Feb 24 2022 Rafael Jeffman - 4.9.8-7 -- ipatests: Backport test fixes in python3-ipatests. 
- Resolves: RHBZ#2057505 - -* Mon Feb 14 2022 Rafael Jeffman - 4.9.8-6 -- ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout - Related: RHBZ#2053024 - -* Mon Feb 14 2022 Rafael Jeffman - 4.9.8-5 -- ipatests: remove additional check for failed units. - Resolves: RHBZ#2053024 -- ipa-cldap: fix memory leak. - Resolves: RHBZ#2032738 - -* Thu Feb 10 2022 Rafael Jeffman - 4.9.8-4 -- Don't always override the port in import_included_profiles - Fixes: RHBZ#2022483 -- Remove ipa-join errors from behind the debug option - Fixes: RHBZ#2048558 -- Enable the ccache sweep timer during installation - Fixes: RHBZ#2051575 - -* Thu Feb 3 2022 Rafael Jeffman - 4.9.8-3 -- Config plugin: return EmptyModlist when no change is applied. - Resolves: RHBZ#2031825 -- Custodia: use a stronger encryption algo when exporting keys. - Resolves: RHBZ#2032806 -- ipa-kdb: do not remove keys for hardened auth-enabled users. - Resolves: RHBZ#2033342 -- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus - Resolves: RHBZ#2049167 -- Backport latest test fxes in python3 ipatests. - Resolves: RHBZ#2048509 -- Removed unused patch files that were part of 4.9.8 rebase. - -* Fri Dec 10 2021 Rafael Jeffman - 4.9.8-2 -- Revert bind-pkcs11-utils configuration in freeipa.spec. 
- Resolves: RHBZ#2026732 - -* Tue Nov 30 2021 Rafael Jeffman - 4.9.8-1 -- Upstream release FreeIPA 4.9.8 - Related: RHBZ#2015607 -- Hardening for CVE-2020-25717 - -* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-9.1 -- Fix S4U2Self regression for cross-realm requester SID buffer -- Related: RHBZ#2021443 - -* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-9 -- Require samba 4.14.5-13 with IPA DC server role fixes -- Related: RHBZ#2021443 - -* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-8 -- Add versioned dependency of samba-client-libs to ipa-server -- Related: RHBZ#2021443 - -* Thu Nov 11 2021 Alexander Bokovoy - 4.9.6-7 -- Hardening for CVE-2020-25717 -- Harden processing of trusted domains' users in S4U operations -- Resolves: RHBZ#2021443 - -* Wed Nov 10 2021 Alexander Bokovoy - 4.9.6-6 -- Hardening for CVE-2020-25717 -- Rebuild against samba-4.14.5-11.el8 -- Resolves: RHBZ#2021443 - -* Sun Nov 07 2021 Alexander Bokovoy - 4.9.6-5 -- Hardening for CVE-2020-25717 -- Related: RHBZ#2019668 - -* Thu Jul 22 2021 Thomas Woerner - 4.9.6-4 -- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL - Resolves: RHBZ#1982956 - -* Thu Jul 15 2021 Thomas Woerner - 4.9.6-3 -- man page: update ipa-server-upgrade.1 - Resolves: RHBZ#1973273 -- Fall back to krbprincipalname when validating host auth indicators - Resolves: RHBZ#1979625 -- Add dependency for sssd-winbind-idmap to server-trust-ad - Resolves: RHBZ#1982211 - -* Thu Jul 8 2021 Thomas Woerner - 4.9.6-2 -- IPA server in debug mode fails to run because time.perf_counter_ns is - Python 3.7+ - Resolves: RHBZ#1974822 -- Add checks to prevent assigning authentication indicators to internal IPA - services - Resolves: RHBZ#1979625 -- Unable to set ipaUserAuthType with stageuser-add - Resolves: RHBZ#1979605 - -* Thu Jul 1 2021 Thomas Woerner - 4.9.6-1 -- Upstream release FreeIPA 4.9.6 - Related: RHBZ#1945038 -- Revise PKINIT upgrade code - Resolves: RHBZ#1886837 -- ipa-cert-fix man page: add note about certmonger renewal - Resolves: 
RHBZ#1780317 -- Certificate Serial Number issue - Resolves: RHBZ#1919384 - -* Mon Jun 14 2021 Thomas Woerner - 4.9.5-1 -- Upstream release FreeIPA 4.9.5 - Related: RHBZ#1945038 -- IPA to allow setting a new range type - Resolves: RHBZ#1688267 -- ipa-server-install displays debug output when --debug output is not - specified. - Resolves: RHBZ#1943151 -- ACME fails to generate a cert on migrated RHEL8.4 server - Resolves: RHBZ#1934991 -- Switch ipa-client to use the JSON API - Resolves: RHBZ#1937856 -- IDM - Allow specifying permanent logging settings for BIND - Resolves: RHBZ#1951511 -- Cache LDAP data within a request - Resolves: RHBZ#1953656 -- ipa-server-upgrade is failing while upgrading rhel8.3 to rhel8.4 - Resolves: RHBZ#1957768 - -* Wed Mar 31 2021 Thomas Woerner - 4.9.3-1 -- Upstream release FreeIPA 4.9.3 - Resolves: RHBZ#1945038 - -* Mon Feb 15 2021 Alexander Bokovoy - 4.9.2-1 -- Upstream release FreeIPA 4.9.2 - Related: RHBZ#1891832 - -* Wed Jan 27 2021 Alexander Bokovoy - 4.9.1-1 -- Upstream release FreeIPA 4.9.1 - Related: RHBZ#1891832 - -* Mon Jan 4 2021 Thomas Woerner - 4.9.0-1 -- Upstream final release FreeIPA 4.9.0 - Related: RHBZ#1891832 - -* Fri Dec 11 2020 Thomas Woerner - 4.9.0-0.5.rc3 -- Upstream pre release FreeIPA 4.9.0rc3 - Related: RHBZ#1891832 - -* Fri Dec 4 2020 Alexander Bokovoy - 4.9.0-0.3.rc2 -- Remove ipa-server dependency from ipa-selinux subpackage -- Related: RHBZ#1891832 - -* Fri Dec 4 2020 Thomas Woerner - 4.9.0-0.2.rc2 -- Upstream pre release FreeIPA 4.9.0rc2 - Related: RHBZ#1891832 -- Synchronize spec file with upstream and Fedora - Related: RHBZ#1891832 -- Traceback while doing ipa-backup - Resolves: RHBZ#1901068 -- ipa-client-install changes system wide ssh configuration - Resolves: RRBZ#1544379 -- ipa-kdb: support subordinate/superior UPN suffixes - Resolves: RHBZ#1891056 -- KRA Transport and Storage Certificates do not renew - Resolves: RHBZ#1872603 -- Move where the restore state is marked during IPA server upgrade - 
Resolves: RHBZ#1569011 -- Intermittent IdM Client Registration Failures - Resolves: RHBZ#1812871 -- Nightly test failure in test_acme.py::TestACME::test_third_party_certs - (updates-testing) - Resolves: RHBZ#1903025 -- Add IPA RA Agent to ACME group on the CA - Resolves: RHBZ#1902727 - -* Mon Nov 23 2020 Thomas Woerner - 4.9.0-0.1.rc1 -- Fix requirement for python3-kdcproxy, add no autoreqprov for ipatests sub - package - Related: RHBZ#1891832 - -* Mon Nov 23 2020 Thomas Woerner - 4.9.0-0.rc1 -- Upstream pre release FreeIPA 4.9.0rc1 - Resolves: RHBZ#1891832 -- Requirements and design for libpwquality integration - Resolves: RHBZ#1340463 -- When parsing options require name/value pairs - Resolves: RHBZ#1357495 -- WebUI: Fix issue with opening links in new tab/window - Resolves: RHBZ#1484088 -- Use a state to determine if a 389-ds upgrade is in progress - Resolves: RHBZ#1569011 -- Unlock user accounts after a password reset and replicate that unlock to - all IdM servers - Resolves: RHBZ#1784657 -- Set the certmonger subject with a string, not an object - Resolves: RHBZ#1810148 -- Implement ACME certificate enrolment - Resolves: RHBZ#1851835 -- [WebUI] Backport jQuery patches from newer versions of the library (e.g. 
- 3.5.0) - Resolves: RHBZ#1859249 -- It is not possible to edit KDC database when the FreeIPA server is running - Resolves: RHBZ#1875001 -- Fix nsslapd-db-lock tuning of BDB backend - Resolves: RHBZ#1882340 -- ipa-kdb: support subordinate/superior UPN suffixes - Resolves: RHBZ#1891056 -- wgi/plugins.py: ignore empty plugin directories - Resolves: RHBZ#1894800 - -* Thu Sep 10 2020 Thomas Woerner - 4.8.7-11 -- SELinux Policy: let custodia replicate keys - Resolves: RHBZ#1868432 - -* Wed Aug 19 2020 Thomas Woerner - 4.8.7-10 -- Set mode of /etc/ipa/ca.crt to 0644 in CA-less installations - Resolves: RHBZ#1870202 - -* Mon Aug 17 2020 Thomas Woerner - 4.8.7-9 -- CAless installation: set the perms on KDC cert file - Resolves: RHBZ#1863616 -- EPN: handle empty attributes - Resolves: RHBZ#1866938 -- IPA-EPN: enhance input validation - Resolves: RHBZ#1866291 -- EPN: enhance input validation - Resolves: RHBZ#1863079 -- Require new samba build 4.12.3-52 - Related: RHBZ#1868558 -- Require new selinux-policy build 3.14.3-52 - Related: RHBZ#1869311 - -* Fri Jul 31 2020 Thomas Woerner - 4.8.7-8 -- [WebUI] IPA Error 3007: RequirmentError" while adding members in - "User ID overrides" tab (updated) - Resolves: RHBZ#1757045 -- ipa-client-install: use the authselect backup during uninstall - Resolves: RHBZ#1810179 -- Replace SSLCertVerificationError with CertificateError for py36 - Resolves: RHBZ#1858318 -- Fix AVC denial during ipa-adtrust-install --add-agents - Resolves: RHBZ#1859213 - -* Wed Jul 15 2020 Thomas Woerner - 4.8.7-7 -- replica install failing with avc denial for custodia component - Resolves: RHBZ#1857157 - -* Tue Jul 14 2020 Thomas Woerner - 4.8.7-6 -- selinux don't audit rules deny fetching trust topology - Resolves: RHBZ#1845596 -- fix iPAddress cert issuance for >1 host/service - Resolves: RHBZ#1846352 -- Specify cert_paths when calling PKIConnection - Resolves: RHBZ#1849155 -- Update crypto policy to allow AD-SUPPORT when installing IPA - Resolves: RHBZ#1851139 -- 
Add version to ipa-idoverride-memberof obsoletes - Related: RHBZ#1846434 - -* Thu Jul 02 2020 Thomas Woerner - 4.8.7-5 -- Add missing ipa-selinux package - Resolves: RHBZ#1853263 - -* Mon Jun 29 2020 Thomas Woerner - 4.8.7-4 -- Remove client-epn left over files for ONLY_CLIENT - Related: RHBZ#1847999 - -* Mon Jun 29 2020 Thomas Woerner - 4.8.7-3 -- [WebUI] IPA Error 3007: RequirmentError" while adding members in - "User ID overrides" tab - Resolves: RHBZ#1757045 -- EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in - freeipa-client-epn - Resolves: RHBZ#1847999 -- FreeIPA - Utilize 256-bit AJP connector passwords - Resolves: RHBZ#1849914 -- ipa: typo issue in ipanthomedirectoryrive deffinition - Resolves: RHBZ#1851411 - -* Thu Jun 11 2020 Thomas Woerner - 4.8.7-2 -- Remove ipa-idoverride-memberof as superceded by ipa-server 4.8.7 - Resolves: RHBZ#1846434 - -* Thu Jun 11 2020 Thomas Woerner - 4.8.7-1 -- Upstream release FreeIPA 4.8.7 -- Require new samba build 4.12.3-0 - Related: RHBZ#1818765 -- New client-epn sub package - Resolves: RHBZ#913799 - -* Tue Jun 02 2020 Thomas Woerner - 4.8.6-2 -- Support krb5 1.18 - Resolves: RHBZ#1817579 - -* Tue Apr 28 2020 Thomas Woerner - 4.8.6-1 -- Upstream release FreeIPA 4.8.6 -- New SELinux sub package to provide own module -- Depend on selinux-policy-devel 3.14.3-43 for build due to a makefile issue in - SELinux external policy support - Related: RHBZ#1818765 - -* Mon Feb 17 2020 Thomas Woerner - 4.8.4-6 -- Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit - Resolves: RHBZ#1790663 - -* Mon Feb 17 2020 Thomas Woerner - 4.8.4-5 -- Fixed weekday in 4.8.4-2 changelog date - Related: RHBZ#1784003 -- adtrust: print DNS records for external DNS case after role is enabled - Resolves: RHBZ#1665051 -- AD user without override receive InternalServerError with API - Resolves: RHBZ#1782572 -- ipa-client-automount fails after repeated installation/uninstallation - Resolves: RHBZ#1790886 -- install/updates: move 
external members past schema compat update - Resolves: RHBZ#1803165 -- kdb: make sure audit_as_req callback signature change is preserved - Resolves: RHBZ#1803786 - -* Wed Jan 29 2020 Thomas Woerner - 4.8.4-4 -- Update dependencies for samba, 389-ds and sssd - Resolves: RHBZ#1792848 - -* Fri Jan 17 2020 Alexander Bokovoy - 4.8.4-3 -- Depend on krb5-kdb-version-devel for BuildRequires -- Update nss dependency to 3.44.0-4 -- Reset per-indicator Kebreros policy - Resolves: RHBZ#1784761 - -* Sat Dec 14 2019 Thomas Woerner - 4.8.4-2 -- DNS install check: Fix overlapping DNS zone from the master itself - Resolves: RHBZ#1784003 - -* Sat Dec 14 2019 Thomas Woerner - 4.8.4-1 -- Rebase to upstream release 4.8.4 - - Removed upstream patches 0001 to 0008 that are part of version 4.8.3-3 - Resolves: RHBZ#1782658 - Resolves: RHBZ#1782169 - Resolves: RHBZ#1783046 - Related: RHBZ#1748987 - -* Mon Dec 2 2019 Thomas Woerner - 4.8.3-3 -- Fix otptoken_sync plugin - Resolves: RHBZ#1777811 - -* Mon Dec 2 2019 Thomas Woerner - 4.8.3-2 -- Use default crypto policy for TLS and enable TLS 1.3 support - Resolves: RHBZ#1777809 -- Covscan fixes - Resolves: RHBZ#1777920 -- Change pki_version to 10.8.0 - Related: RHBZ#1748987 - -* Thu Nov 28 2019 Alexander Bokovoy - 4.8.3-1 -- Rebase to security release 4.8.3 (CVE-2019-14867, CVE-2019-10195) - Resolves: RHBZ#1767304 - Resolves: RHBZ#1776939 -- Support KDC ticket policies for authentication indicators - Resolves: RHBZ#1777564 - -* Tue Nov 26 2019 Alexander Bokovoy - 4.8.2-4 -- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() - Resolves: RHBZ#1767304 -- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch - Resolves: RHBZ#1776939 - -* Fri Nov 22 2019 Thomas Woerner - 4.8.2-3 -- Use default ssh host key algorithms - Resolves: RHBZ#1756432 -- Do not run trust upgrade code if master lacks Samba bindings - Resolves: RHBZ#1757064 -- Finish group membership management UI - Resolves: RHBZ#1773528 - 
-* Mon Nov 18 2019 Thomas Woerner - 4.8.2-2 -- Update dependency for bind-dndb-ldap to 11.2-2 - Related: RHBZ#1762813 - -* Thu Nov 14 2019 Thomas Woerner - 4.8.2-1 -- Rebase to upstream release 4.8.2 - - Removed upstream patches 0001 to 0010 that are part of version 4.8.2 - - Updated branding patch - Resolves: RHBZ#1748987 - -* Thu Aug 29 2019 Thomas Woerner - 4.8.0-10 -- Fix automount behavior with authselect - Resolves: RHBZ#1740167 - -* Mon Aug 19 2019 Thomas Woerner - 4.8.0-9 -- extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT - Resolves: RHBZ#1741530 - -* Thu Aug 15 2019 Thomas Woerner - 4.8.0-8 -- FreeIPA 4.8.0 tarball lacks two update files that are in git - Resolves: RHBZ#1741170 - -* Tue Aug 13 2019 Thomas Woerner - 4.8.0-7 -- Allow insecure binds for migration - Resolves: RHBZ#1731963 - -* Fri Aug 2 2019 Thomas Woerner - 4.8.0-6 -- Fix --external-ca-profile not passed to CSR - Resolves: RHBZ#1731813 - -* Tue Jul 30 2019 Thomas Woerner - 4.8.0-5 -- Remove posixAccount from service_find search filter - Resolves: RHBZ#1731437 -- Fix repeated uninstallation of ipa-client-samba crashes - Resolves: RHBZ#1732529 -- WebUI: Add PKINIT status field to 'Configuration' page - Resolves: RHBZ#1518153 - -* Tue Jul 16 2019 Alexander Bokovoy - 4.8.0-4 -- Fix krb5-kdb-server -> krb5-kdb-version - Related: RHBZ#1700121 - -* Mon Jul 15 2019 Alexander Bokovoy - 4.8.0-3 -- Make sure ipa-server depends on krb5-kdb-version to pick up - right MIT Kerberos KDB ABI - Related: RHBZ#1700121 -- User field separator uses '$$' within ipaSELInuxUserMapOrder - Fixes: RHBZ#1729099 - -* Wed Jul 3 2019 Thomas Woerner - 4.8.0-2 -- Fixed kdcproxy_version to 0.4-3 -- Fixed krb5_version to 1.17-7 - Related: RHBZ#1684528 - -* Wed Jul 3 2019 Thomas Woerner - 4.8.0-1 -- New upstream release 4.8.0 - - New subpackage: freeipa-client-samba - - Added command ipa-cert-fix with man page - - New sysconfdir sysconfig/certmonger -- Updated pki_version, certmonger_version, sssd_version and 
kdcproxy_version - Related: RHBZ#1684528 - -* Tue May 21 2019 Alexander Bokovoy - 4.7.90-3 -- Fix upgrade issue with AD trust when no trust yet established - Fixes: RHBZ#1708874 - Related: RHBZ#1684528 - -* Thu May 9 2019 Alexander Bokovoy - 4.7.90-2 -- Require certmonger 0.79.7-1 - Related: RHBZ#1708095 - -* Mon May 6 2019 Thomas Woerner - 4.7.90-1 -- Update to 4.7.90-pre1 - Related: RHBZ#1684528 -- Removed patches 0002 to 0031 as these are upsteram and part of 4.7.90-pre1 -- Added new patches 0001-revert-minssf-defaults.patch and - 0001-Correct-default-fontawesome-path-broken-by-da2cf1c5.patch - -* Tue Apr 16 2019 Alexander Bokovoy - 4.7.1-12 -- Remove strict dependencies to krb5-server version in order to allow - update of krb5 to 1.17 and change dependency to KDB DAL version. - Resolves: RHBZ#1700121 - -* Wed Feb 27 2019 Rob Crittenden - 4.7.1-11 -- Handle NFS configuration file changes. nfs-utils moved the - configuration file from /etc/sysconfig/nfs to /etc/nfs.conf. - Resolves: RHBZ#1676981 - -* Tue Jan 15 2019 Christian Heimes - 4.7.1-10 -- Fix systemd-user HBAC rule - Resolves: RHBZ#1664974 - -* Mon Jan 14 2019 Thomas Woerner - 4.7.1-9 -- Resolve user/group names in idoverride*-find - Resolves: RHBZ#1657745 - -* Mon Jan 14 2019 Christian Heimes - 4.7.1-8 -- Create systemd-user HBAC service and rule - Resolves: RHBZ#1664974 -- ipaserver/dcerpc: fix exclusion entry with a forest trust domain info returned - Resolves: RHBZ#1664023 - -* Fri Dec 14 2018 Thomas Woerner - 4.7.1-7.el8 -- Fix misleading errors during client install rollback - Resolves: RHBZ#1658283 -- ipa-advise: update url of cacerdir_rehash tool - Resolves: RHBZ#1658287 -- Handle NTP configuration in a replica server installation - Resolves: RHBZ#1651679 -- Fix defects found by static analysis - Resolves: RHBZ#1658182 -- ipa-replica-install --setup-adtrust: check for package ipa-server-trust-ad - Resolves: RHBZ#1658294 -- ipaldap: invalid modlist when attribute encoding can vary - Resolves: 
RHBZ#1658302 -- Allow ipaapi and Apache user to access SSSD IFP - Resolves: RHBZ#1639910 -- Add sysadm_r to default SELinux user map order - Resolves: RHBZ#1658303 -- certdb: ensure non-empty Subject Key Identifier and validate server cert sig - Resolves: RHBZ#1641988 -- ipa-replica-install: password and admin-password options mutually exclusive - Resolves: RHBZ#1658309 -- ipa upgrade: handle double-encoded certificates - Resolves: RHBZ#1658310 -- PKINIT: fix ipa-pkinit-manage enable|disable - Resolves: RHBZ#1658313 -- Enable LDAP debug output in client to display TLS errors in join - Resolves: RHBZ#1658316 -- rpc: always read response - Resolves: RHBZ#1639890 -- ipa vault-retrieve: fix internal error - Resolves: RHBZ#1658485 -- Move ipa's systemd tmpfiles from /var/run to /run - Resolves: RHBZ#1658487 -- Fix authselect invocations to work with 1.0.2 - Resolves: RHBZ#1654291 -- ipa-client-automount and NFS unit name changes - Resolves: RHBZ#1645501 -- Fix compile issue with new 389-ds - Resolves: RHBZ#1659448 - -* Thu Nov 15 2018 Lumír Balhar - 4.7.1-6.el8 -- Require platform-python-setuptools instead of python3-setuptools -- Resolves: rhbz#1650139 - -* Mon Oct 29 2018 Alexander Bokovoy - 4.7.1-5.el8 -- Fixed: rhbz#1643445 - External CA step 2 fails with pki_client_database_dir is missing -- Fixed: rhbz#1642834 - Smart card advise script uses hard-coded Python interpreter - -* Tue Oct 16 2018 Alexander Bokovoy - 4.7.1-4.el8 -- Fix mapping of BUILTIN\Guests to 'nobody' group during upgrade - to not use generated Samba config at this point -- Related: rhbz#1623895 - -* Mon Oct 15 2018 Thomas Woerner - 4.7.1-3.el8 -- New command automember-find-orphans to find and remove orphan automemeber - rules has been added - Resolves: RHBZ#1638373 -- Moved ipa/idm logos and background to redhat-logos-ipa-80.4: - header-logo.png, login-screen-background.jpg, login-screen-logo.png, - product-name.png - New requirement to redhat-logos-ipa >= 80.4 in ipa-server-common - Resolves: 
RHBZ#1626507 - -* Wed Oct 10 2018 Alexander Bokovoy - 4.7.1-2.el8 -- Move initialization of Guests mapping after cifs/ principal is created -- Related: rhbz#1623895 - -* Sun Oct 07 2018 Alexander Bokovoy - 4.7.1-1.el8 -- 4.7.1 -- Fixes: rhbz#1633105 - rebase to 4.7.1 - -* Tue Sep 25 2018 Tomas Orsava - 4.7.0-6.el8 -- Require the Python interpreter directly instead of using the package name -- Related: rhbz#1619153 - -* Thu Sep 13 2018 Rob Crittenden - 4.7.0-5.el8 -- sudo rule for "admins" members should be created by default (#1609873) - -* Thu Sep 6 2018 Rob Crittenden - 4.7.0-4.el8 -- ipaclient-install: chmod needs octal permissions (#1609880) - -* Thu Aug 16 2018 Thomas Woerner - 4.7.0-3.1.el8 -- Resolves: #1609883 ipaserver/plugins/cert.py: Add reason to raise of - errors.NotFound -- Resolves: #1615765 do-not-use-RC4-in-FIPS-mode - - Move fips_enabled to a common library to share across different plugins - - ipasam: do not use RC4 in FIPS mode - -* Mon Aug 13 2018 Thomas Woerner - 4.7.0-3.el8 -- Resolves: #1614301 Remove --no-sssd and --noac options -- Resolves: #1613879 Disable Domain Level 0 - - New patch sets to disable domain level 0 - - New adapted patch to disable DL0 specific tests (pytest_ipa vs. 
- pytest_plugins) - - Adapted branding patch in ipa-replica-install.1 due to DL0 removal - -* Wed Jul 25 2018 Alexander Bokovoy - 4.7.0-2.el8 -- Require 389-ds-base-legacy-tools for setup tools - -* Thu Jul 19 2018 Rob Crittenden - 4.7.0-1.el8 -- Update to upstream 4.7.0 GA - -* Mon May 21 2018 Rob Crittenden - 4.6.90.pre1-2.el8 -- Set krb5 DAL version to 7.0 (#1580711) -- Rebuild aclocal and configure during build - -* Mon Mar 26 2018 Rob Crittenden - 4.6.90.pre1-1.el8 -- Update to upstream 4.6.90.pre1 - -* Mon Jan 29 2018 Troy Dawson - 4.5.4-5.el8.1 -- Use java-1.8.0-openjdk-devel - -* Thu Nov 30 2017 Alexander Bokovoy - 4.5.4-5.el7 -- Resolves: #1415162 ipa-exdom-extop plugin can exhaust DS worker threads - -* Fri Nov 3 2017 Pavel Vomacka - 4.5.4-4.el7 -- Resolves: #1388135 [RFE] limit the retro changelog to dns subtree. - - ldap: limit the retro changelog to dns subtree -- Resolves: #1427798 Use X509v3 Basic Constraints "CA:TRUE" instead - of "CA:FALSE" IPA CA CSR - - Include the CA basic constraint in CSRs when renewing a CA -- Resolves: #1493145 ipa-replica-install might fail because of an already - existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX - - Checks if replica-s4u2proxy.ldif should be applied -- Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default - - ds: ignore time skew during initial replication step - - ipa-replica-manage: implicitly ignore initial time skew in force-sync -- Resolves: #1500218 Replica installation at domain-level 0 fails against - upgraded ipa-server - - Fix ipa-replica-conncheck when called with --principal -- Resolves: #1506188 server-del doesn't remove dns-server configuration - from ldap - -* Thu Oct 26 2017 Rob Crittenden - 4.5.4-3.el7 -- Drop workaround for building on AArch64 (#1482244) -- Temporarily reduce Requires on python-netaddr to 0.7.5-7 (#1506485) - -* Tue Oct 24 2017 Felipe Barreto - 4.5.4-2.el7 -- Resolves: #1461177 ipa-otptoken-import - XML file is missing PBKDF2 - parameters! 
-- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s during - search in cn=ad, cn=trusts,dc=example,dc=com -- Resolves: #1467887 iommu platform support for ipxe -- Resolves: #1477178 [ipa-replica-install] - 406 Client Error: Failed to - validate message: Incorrect number of results (0) searching forpublic key for - host -- Resolves: #1478251 IPA WebUI does not work after upgrade from IPA 4.4 to - 4.5 -- Resolves: #1480102 ipa-server-upgrade failes with "This entry already - exists" -- Resolves: #1482802 Unable to set ca renewal master on replica -- Resolves: #1484428 Updating from RHEL 7.3 fails with Server-Cert not found - (ipa-server-upgrade) -- Resolves: #1484826 FreeIPA/IdM installations which were upgraded from - versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and - thus startup of Web UI fails -- Resolves: #1486283 TypeError in renew_ca_cert prevents from swiching back - to self-signed CA -- Resolves: #1469246 Replica install fails to configure IPA-specific - temporary files/directories -- Resolves: #1469480 bind package is not automatically updated during - ipa-server upgrade process -- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new - installs only) -- Resolves: #1477703 IPA upgrade fails for latest ipa package - -* Fri Oct 20 2017 Pavel Vomacka - 4.5.4-1.el7 -- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in - buildroot -- Resolves: #1470177 - Rebase IPA to latest 4.5.x version -- Resolves: #1398594 ipa topologysuffix-verify should only warn about - maximum number of replication agreements. 
-- Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" - to "Host-Based" and "Role-Based" -- Resolves: #1409786 Second phase of --external-ca ipa-server-install - setup fails when dirsrv is not running -- Resolves: #1451576 ipa cert-request failed to generate certificate from csr -- Resolves: #1452086 Pagination Size under Customization in IPA WebUI - accepts negative values -- Resolves: #1458169 --force-join option is not mentioned in - ipa-replica-install man page -- Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case -- Resolves: #1478322 user-show command fails when sizelimit is configured - to number <= number of entity which is user member of -- Resolves: #1496775 Enterprise principals should be able to trigger - a refresh of the trusted domain data in the KDC -- Resolves: #1502533 Changing cert-find to go through the proxy - instead of using the port 8080 -- Resolves: #1502663 pkinit-status command fails after an upgrade from - a pre-4.5 IPA -- Resolves: #1498168 Error when trying to modify a PTR record -- Resolves: #1457876 ipa-backup fails silently -- Resolves: #1493531 In case full PKINIT configuration is failing during - server/replica install the error message should be more meaningful. -- Resolves: #1449985 Suggest CA installation command in KRA installation - warning - -* Wed Sep 20 2017 Felipe Barreto - 4.5.0-21.el7.2.2 -- Resolves: #1477367 ipa-server-upgrade timeouts on wait_for_open ports - expecting IPA services listening on IPv6 ports - - Make sure upgrade also checks for IPv6 stack - - control logging of host_port_open from caller - - log progress of wait_for_open_ports -- Resolves: #1477243 ipa help command returns traceback when no cache - is present - - Store help in Schema before writing to disk - - Disable pylint in get_help function because of type confusion. 
- -* Tue Sep 19 2017 Felipe Barreto - 4.5.0-21.el7.2 -- Resolves: #1477178 - [ipa-replica-install] - 406 Client Error: Failed to - validate message: Incorrect number of results (0) searching forpublic - key for host - - Always check peer has keys before connecting -- Resolves: #1482802 - Unable to set ca renewal master on replica - - Fix ipa config-mod --ca-renewal-master -- Resolves: #1486283 - TypeError in renew_ca_cert prevents from swiching - back to self-signed CA - - Backport PR 988 to ipa-4-5 Fix Certificate renewal (with ext ca) -- Resolves: #1480102 - ipa-server-upgrade failes with "This entry already exists" - - Backport PR 1008 to ipa-4-5 Fix ipa-server-upgrade: This entry already exists -- Resolves: #1484826 - FreeIPA/IdM installations which were upgraded from - versions with 389 DS prior to 1.3.3.0 doesn't have whomai plugin enabled and - thus startup of Web UI fails - - Adds whoami DS plugin in case that plugin is missing -- Resolves: #1478251 - IPA WebUI does not work after upgrade from IPA 4.4 to 4.5 - - Fixing how sssd.conf is updated when promoting a client to replica -- Resolves: #1461177 - ipa-otptoken-import - XML file is missing PBKDF2 - parameters! 
- - ipa-otptoken-import: Make PBKDF2 refer to the pkcs5 namespace -- Resolves: #1484428 - Updating from RHEL 7.3 fails with Server-Cert not found - (ipa-server-upgrade) - - Backport 4-5: Fix ipa-server-upgrade with server cert tracking - -* Thu Aug 17 2017 Pavel Vomacka - 4.5.0-21.el7.1.2 -- Resolves: #1477703 IPA upgrade fails for latest ipa package - - Restore old version of caIPAserviceCert for upgrade only - -* Tue Aug 15 2017 Pavel Vomacka - 4.5.0-21.el7.1.1 -- Resolves: #1475238 Use CommonNameToSANDefault in default profile - (new installs only) - - Restore old version of caIPAserviceCert for upgrade only - -* Fri Jul 28 2017 Pavel Vomacka - 4.5.0-21.el7.1 -- Resolves: #1455946 Provide a tooling automating the configuration - of Smart Card authentication on a FreeIPA master - - smart-card advises: configure systemwide NSS DB also on master - - smart-card advises: add steps to store smart card signing CA cert - - Allow to pass in multiple CA cert paths to the smart card advises - - add a class that tracks the indentation in the generated advises - - delegate the indentation handling in advises to dedicated class - - advise: add an infrastructure for formatting Bash compound statements - - delegate formatting of compound Bash statements to dedicated classes - - Fix indentation of statements in Smart card advises - - Use the compound statement formatting API for configuring PKINIT - - smart card advises: use a wrapper around Bash `for` loops - - smart card advise: use password when changing trust flags on HTTP cert - - smart-card-advises: ensure that krb5-pkinit is installed on client -- Resolves: #1475238 Use CommonNameToSANDefault in default profile - (new installs only) - - Add CommonNameToSANDefault to default cert profile -- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s - during search in cn=ad,cn=trusts,dc=example,dc=com - - NULL LDAP context in call to ldap_search_ext_s during search - -* Wed Jul 12 2017 Pavel Vomacka - 4.5.0-21.el7 -- 
Resolves: #1469246 Replica install fails to configure IPA-specific - temporary files/directories - - replica install: drop-in IPA specific config to tmpfiles.d -- Resolves: #1469480 bind package is not automatically updated during - ipa-server upgrade process - - Bumped Required version of bind-dyndb-ldap and bind package - -* Tue Jun 27 2017 Pavel Vomacka - 4.5.0-20.el7 -- Resolves: #1452216 Replica installation grants HTTP principal - access in WebUI - - Make sure we check ccaches in all rpcserver paths - -* Wed Jun 21 2017 Pavel Vomacka - 4.5.0-19.el7 -- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL - internal error, assertion failed: Digest MD4 forbidden in FIPS mode! - - ipa-sam: replace encode_nt_key() with E_md4hash() - - ipa_pwd_extop: do not generate NT hashes in FIPS mode -- Resolves: #1377973 ipa-server-install fails when the provided or resolved - IP address is not found on local interfaces - - Fix local IP address validation - - ipa-dns-install: remove check for local ip address - - refactor CheckedIPAddress class - - CheckedIPAddress: remove match_local param - - Remove ip_netmask from option parser - - replica install: add missing check for non-local IP address - - Remove network and broadcast address warnings - -* Thu Jun 15 2017 Pavel Vomacka - 4.5.0-18.el7 -- Resolves: #1449189 ipa-kra-install timeouts on replica - - kra: promote: Get ticket before calling custodia - -* Wed Jun 14 2017 Pavel Vomacka - 4.5.0-17.el7 -- Resolve: #1455946 Provide a tooling automating the configuration - of Smart Card authentication on a FreeIPA master - - server certinstall: update KDC master entry - - pkinit manage: introduce ipa-pkinit-manage - - server upgrade: do not enable PKINIT by default - - Extend the advice printing code by some useful abstractions - - Prepare advise plugin for smart card auth configuration -- Resolve: #1461053 allow to modify list of UPNs of a trusted forest - - trust-mod: allow modifying list of UPNs of a trusted 
forest - - WebUI: add support for changing trust UPN suffixes - -* Wed Jun 7 2017 Pavel Vomacka - 4.5.0-16.el7 -- Resolves: #1377973 ipa-server-install fails when the provided or resolved - IP address is not found on local interfaces - - Only warn when specified server IP addresses don't match intf -- Resolves: #1438016 gssapi errors after IPA server upgrade - - Bump version of python-gssapi -- Resolves: #1457942 certauth: use canonical principal for lookups - - ipa-kdb: use canonical principal in certauth plugin -- Resolves: #1459153 Do not send Max-Age in ipa_session cookie to avoid - breaking older clients - - Add code to be able to set default kinit lifetime - - Revert setting sessionMaxAge for old clients - -* Wed Jun 7 2017 Pavel Vomacka - 4.5.0-15.el7 -- Resolves: #1442233 IPA client commands fail when pointing to replica - - httpinstance: wait until the service entry is replicated -- Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then - not indexed - - Fix index definition for ipaAnchorUUID -- Resolves: #1438016 gssapi errors after IPA server upgrade - - Avoid possible endless recursion in RPC call - - rpc: preparations for recursion fix - - rpc: avoid possible recursion in create_connection -- Resolves: #1446087 services entries missing krbCanonicalName attribute. - - Changing cert-find to do not use only primary key to search in LDAP. 
-- Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers - - ipa-kdb: reload certificate mapping rules periodically -- Resolves: #1455541 after upgrade login from web ui breaks - - kdc.key should not be visible to all -- Resolves: #1435606 Add pkinit_indicator option to KDC configuration - - ipa-kdb: add pkinit authentication indicator in case of a successful - certauth -- Resolves: #1455945 Enabling OCSP checks in mod_nss breaks certificate - issuance when ipa-ca records are not resolvable - - Turn off OCSP check -- Resolves: #1454483 rhel73 ipa ui - cannot del server - IPA Error 903 - - server_del - TypeError: 'NoneType' object is not iterable - - fix incorrect suffix handling in topology checks - -* Wed May 24 2017 Pavel Vomacka - 4.5.0-14.el7 -- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to - handle PKINIT certificates/anchors - - certdb: add named trust flag constants - - certdb, certs: make trust flags argument mandatory - - certdb: use custom object for trust flags - - install: trust IPA CA for PKINIT - - client install: fix client PKINIT configuration - - install: introduce generic Kerberos Augeas lens - - server install: fix KDC PKINIT configuration - - ipapython.ipautil.run: Add option to set umask before executing command - - certs: do not export keys world-readable in install_key_from_p12 - - certs: do not export CA certs in install_pem_from_p12 - - server install: fix KDC certificate validation in CA-less - - replica install: respect --pkinit-cert-file - - cacert manage: support PKINIT - - server certinstall: support PKINIT -- Resolves: #1444432 CA-less pkinit not installable with --pkinit-cert-file - option - - certs: do not export CA certs in install_pem_from_p12 - - server install: fix KDC certificate validation in CA-less -- Resolves: #1451228 ipa-kra-install fails when primary KRA server has been - decommissioned - - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname -- Resolves: 
#1451712 KRA installation fails on server that was originally - installed as CA-less - - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt -- Resolves: #1441499 ipa cert-show does not raise error if no file name - specified - - ca/cert-show: check certificate_out in options -- Resolves: #1449522 Deprecate `ipa pkinit-anonymous` command in FreeIPA 4.5+ - - Remove pkinit-anonymous command -- Resolves: #1449523 Provide an API command to retrieve PKINIT status - in the FreeIPA topology - - Allow for multivalued server attributes - - Refactor the role/attribute member reporting code - - Add an attribute reporting client PKINIT-capable servers - - Add the list of PKINIT servers as a virtual attribute to global config - - Add `pkinit-status` command - - test_serverroles: Get rid of MockLDAP and use ldap2 instead -- Resolves: #1452216 Replica installation grants HTTP principal access in WebUI - - Fix rare race condition with missing ccache file -- Resolves: #1455045 Simple service uninstallers must be able to handle - missing service files gracefully - - only stop/disable simple service if it is installed -- Resolves: #1455541 after upgrade login from web ui breaks - - krb5: make sure KDC certificate is readable -- Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing - command "ipa cert-request --add" after upgrade - - Change python-cryptography to python2-cryptography - -* Thu May 18 2017 Pavel Vomacka - 4.5.0-13.el7 -- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" - error observed during ipa upgrade with latest package. 
- - ipa-server-install: fix uninstall -- Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break - replica - - ca install: merge duplicated code for DM password - - installutils: add DM password validator - - ca, kra install: validate DM password - -* Tue May 16 2017 Pavel Vomacka - 4.5.0-12.el7 -- Resolves: #1447284 Upgrade from ipa-4.1 fails when enabling KDC proxy - - python2-ipalib: add missing python dependency - - installer service: fix typo in service entry - - upgrade: add missing suffix to http instance -- Resolves: #1444791 Update man page of ipa-kra-install - - ipa-kra-install manpage: document domain-level 1 -- Resolves: #1441493 ipa cert-show raises stack traces when - --certificate-out=/tmp - - cert-show: writable files does not mean dirs -- Resolves: #1441192 Add the name of URL parameter which will be check for - username during cert login - - Bump version of ipa.conf file -- Resolves: #1378797 Web UI must check OCSP and CRL during smartcard login - - Turn on NSSOCSP check in mod_nss conf -- Resolves: #1322963 Errors from AD when trying to sign ipa.csr, conflicting - template on - - renew agent: respect CA renewal master setting - - server upgrade: always fix certmonger tracking request - - cainstance: use correct profile for lightweight CA certificates - - renew agent: allow reusing existing certs - - renew agent: always export CSR on IPA CA certificate renewal - - renew agent: get rid of virtual profiles - - ipa-cacert-manage: add --external-ca-type -- Resolves: #1441593 error adding authenticator indicators to host - - Fixing adding authenticator indicators to host -- Resolves: #1449525 Set directory ownership in spec file - - Added plugins directory to ipaclient subpackages - - ipaclient: fix missing RPM ownership -- Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits' - - otptoken-add-yubikey: When --digits not provided use default value - -* Wed May 10 2017 Jan Cholasta - 4.5.0-11.el7 -- Resolves: #1449189 
ipa-kra-install timeouts on replica - - ipa-kra-install: fix check_host_keys - -* Wed May 3 2017 Jan Cholasta - 4.5.0-10.el7 -- Resolves: #1438833 [ipa-replica-install] - 406 Client Error: Failed to - validate message: Incorrect number of results (0) searching forpublic key for - host - - Make sure remote hosts have our keys -- Resolves: #1442815 Replica install fails during migration from older IPA - master - - Refresh Dogtag RestClient.ca_host property - - Remove the cachedproperty class -- Resolves: #1444787 Update warning message when KRA installation fails - - kra install: update installation failure message -- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - - ipa-server-install with external CA: fix pkinit cert issuance -- Resolves: #1445397 GET in KerberosSession.finalize_kerberos_acquisition() - must use FreeIPA CA - - kerberos session: use CA cert with full cert chain for obtaining cookie -- Resolves: #1447375 ipa-client-install: extra space in pkinit_anchors - definition - - ipa-client-install: remove extra space in pkinit_anchors definition -- Resolves: #1447703 Fix SELinux contex of http.keytab during upgrade - - Use proper SELinux context with http.keytab - -* Fri Apr 28 2017 Jan Cholasta - 4.5.0-9.el7 -- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with - certificates on smart cards (pkinit) - - spec file: bump krb5 Requires for certauth fixes -- Resolves: #1438729 Configure local PKINIT on DL0 or when '--no-pkinit' option - is used - - separate function to set ipaConfigString values on service entry - - Allow for configuration of all three PKINIT variants when deploying KDC - - API for retrieval of master's PKINIT status and publishing it in LDAP - - Use only anonymous PKINIT to fetch armor ccache - - Stop requesting anonymous keytab and purge all references of it - - Use local anchor when armoring password requests - - Upgrade: configure local/full PKINIT depending on the master status - - Do not test 
anonymous PKINIT after install/upgrade -- Resolves: #1442427 ipa.ipaserver.install.plugins.adtrust. - update_tdo_gidnumber: ERROR Default SMB Group not found - - upgrade: adtrust update_tdo_gidnumber plugin must check if adtrust is - installed -- Resolves: #1442932 ipa restore fails to restore IPA user - - restore: restart/reload gssproxy after restore -- Resolves: #1444896 ipa-server-install with external-ca fails in FIPS mode - - Fix CA/server cert validation in FIPS -- Resolves: #1444947 Deadlock between topology and schema-compat plugins - - compat-manage: behave the same for all users - - Move the compat plugin setup at the end of install - - compat: ignore cn=topology,cn=ipa,cn=etc subtree -- Resolves: #1445358 ipa vault-add raises TypeError - - vault: piped input for ipa vault-add fails -- Resolves: #1445382 ipa vault-retrieve fails to retrieve data from vault - - Vault: Explicitly default to 3DES CBC -- Resolves: #1445432 uninstall ipa client automount failed with RuntimeWarning - - automount install: fix checking of SSSD functionality on uninstall -- Resolves: #1446137 pki_client_database_password is shown in - ipaserver-install.log - - Hide PKI Client database password in log file - -* Thu Apr 20 2017 Jan Cholasta - 4.5.0-8.el7 -- Resolves: #1443869 Command "openssl pkcs12 ..." failed during IPA upgrade - - Fix CAInstance.import_ra_cert for empty passwords - -* Wed Apr 19 2017 Jan Cholasta - 4.5.0-7.el7 -- Resolves: #1431520 ipa cert-find runs a large number of searches, so IPA - WebUI is slow to display user details page - - cert: defer cert-find result post-processing -- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit - helper when installing replica - - server-install: No double Kerberos install -- Resolves: #1437502 ipa-replica-install fails with requirement to - use --force-join that is a client install option. 
- - Add the force-join option to replica install - - replicainstall: better client install exception handling -- Resolves: #1437953 Server CA-less impossible option check - - server-install: remove broken no-pkinit check -- Resolves: #1441160 FreeIPA client <= 4.4 fail to parse 4.5 cookies - - Add debug log in case cookie retrieval went wrong -- Resolves: #1441548 ipa server install fails with --external-ca option - - ext. CA: correctly write the cert chain -- Resolves: #1441718 Conversion of CA-less server to CA fails on CA instance - spawn - - Fix CA-less to CA-full upgrade -- Resolves: #1442133 Do not link libkrad, liblber, libldap_r and - libsss_nss_idmap to every binary in IPA - - configure: fix AC_CHECK_LIB usage -- Resolves: #1442815 Replica install fails during migration from older IPA - master - - Fix RA cert import during DL0 replication -- Related: #1442004 Building IdM/FreeIPA internally on all architectures - - filtering unsupported packages - - Build all subpackages on all architectures - -* Wed Apr 12 2017 Pavel Vomacka - 4.5.0-6.el7 -- Resolves: #1382053 Need to have validation for idrange names - - idrange-add: properly handle empty --dom-name option -- Resolves: #1435611 Tracebacks seen from dogtag-ipa-ca-renew-agent-submit - helper when installing replica - - dsinstance: reconnect ldap2 after DS is restarted by certmonger - - httpinstance: avoid httpd restart during certificate request - - dsinstance, httpinstance: consolidate certificate request code - - install: request service certs after host keytab is set up - - renew agent: revert to host keytab authentication - - renew agent, restart scripts: connect to LDAP after kinit -- Resolves: #1436987 ipasam: gidNumber attribute is not created in the trusted - domain entry - - ipa-sam: create the gidNumber attribute in the trusted domain entry - - Upgrade: add gidnumber to trusted domain entry -- Resolves: #1438679 [ipa-replica-install] - IncorrectPasswordException: - Incorrect client security 
database password - - Add pki_pin only when needed -- Resolves: #1438348 Console output message while adding trust should be - mapped with texts changed in Samba. - - ipaserver/dcerpc: unify error processing -- Resolves: #1438366 ipa trust-fetch-domains: ValidationError: invalid - 'Credentials': Missing credentials for cross-forest communication - - trust: always use oddjobd helper for fetching trust information -- Resolves: #1441192 Add the name of URL parameter which will be check for - username during cert login - - WebUI: cert login: Configure name of parameter used to pass username -- Resolves: #1437879 [copr] Replica install failing - - Create system users for FreeIPA services during package installation -- Resolves: #1441316 WebUI cert auth fails after ipa-adtrust-install - - Fix s4u2self with adtrust - -* Wed Apr 5 2017 Jan Cholasta - 4.5.0-5.el7 -- Resolves: #1318186 Misleading error message during external-ca IPA master - install - - httpinstance: make sure NSS database is backed up -- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR - CA certificate chain in ... 
incomplete" - - httpinstance: make sure NSS database is backed up -- Resolves: #1393726 Enumerate all available request type options in ipa - cert-request help - - Hide request_type doc string in cert-request help -- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - - spec file: bump libsss_nss_idmap-devel BuildRequires - - server: make sure we test for sss_nss_getlistbycert -- Resolves: #1437378 ipa-adtrust-install produced an error and failed on - starting smb when hostname is not FQDN - - adtrust: make sure that runtime hostname result is consistent with the - configuration -- Resolves: #1437555 ipa-replica-install with DL0 fails to get annonymous - keytab - - Always check and create anonymous principal during KDC install - - Remove duplicate functionality in upgrade -- Resolves: #1437946 Upgrade to FreeIPA 4.5.0 does not configure anonymous - principal for PKINIT - - Upgrade: configure PKINIT after adding anonymous principal - - Remove unused variable from failed anonymous PKINIT handling - - Split out anonymous PKINIT test to a separate method - - Ensure KDC is propery configured after upgrade -- Resolves: #1437951 Remove pkinit-related options from server/replica-install - on DL0 - - Fix the order of cert-files check - - Don't allow setting pkinit-related options on DL0 - - replica-prepare man: remove pkinit option refs - - Remove redundant option check for cert files -- Resolves: #1438490 CA-less installation fails on publishing CA certificate - - Get correct CA cert nickname in CA-less - - Remove publish_ca_cert() method from NSSDatabase -- Resolves: #1438838 Avoid arch-specific path in /etc/krb5.conf.d/ipa-certmap - - IPA-KDB: use relative path in ipa-certmap config snippet -- Resolves: #1439038 Allow erasing ipaDomainResolutionOrder attribute - - Allow erasing ipaDomainResolutionOrder attribute - -* Wed Mar 29 2017 Jan Cholasta - 4.5.0-4.el7 -- Resolves: #1434032 Run ipa-custodia with custom SELinux context - - Require correct custodia 
version - -* Tue Mar 28 2017 Jan Cholasta - 4.5.0-3.el7 -- Resolves: #800545 [RFE] Support SUDO command rename - - Reworked the renaming mechanism - - Allow renaming of the sudorule objects -- Resolves: #872671 IPA WebUI login for AD Trusted User fails - - WebUI: check principals in lowercase - - WebUI: add method for disabling item in user dropdown menu - - WebUI: Add support for login for AD users -- Resolves: #1200767 [RFE] Allow Kerberos authentication for users with - certificates on smart cards (pkinit) - - ipa-kdb: add ipadb_fetch_principals_with_extra_filter() - - IPA certauth plugin - - ipa-kdb: do not depend on certauth_plugin.h - - spec file: bump krb5-devel BuildRequires for certauth -- Resolves: #1264370 RFE: disable last successful authentication by default in - ipa. - - Set "KDC:Disable Last Success" by default -- Resolves: #1318186 Misleading error message during external-ca IPA master - install - - certs: do not implicitly create DS pin.txt - - httpinstance: clean up /etc/httpd/alias on uninstall -- Resolves: #1331443 Re-installing ipa-server after uninstall fails with "ERROR - CA certificate chain in ... 
incomplete" - - certs: do not implicitly create DS pin.txt - - httpinstance: clean up /etc/httpd/alias on uninstall -- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication - - configure: fix --disable-server with certauth plugin - - rpcserver.login_x509: Actually return reply from __call__ method - - spec file: Bump requires to make Certificate Login in WebUI work -- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping - - extdom: do reverse search for domain separator - - extdom: improve cert request -- Resolves: #1430363 [RFE] HBAC rule names command rename - - Reworked the renaming mechanism - - Allow renaming of the HBAC rule objects -- Resolves: #1433082 systemctl daemon-reload needs to be called after - httpd.service.d/ipa.conf is manipulated - - tasks: run `systemctl daemon-reload` after httpd.service.d updates -- Resolves: #1434032 Run ipa-custodia with custom SELinux context - - Use Custodia 0.3.1 features -- Resolves: #1434384 RPC client should use HTTP persistent connection - - Use connection keep-alive - - Add debug logging for keep-alive - - Increase Apache HTTPD's default keep alive timeout -- Resolves: #1434729 man ipa-cacert-manage install needs clarification - - man ipa-cacert-manage install needs clarification -- Resolves: #1434910 replica install against IPA v3 master fails with ACIError - - Fixing replica install: fix ldap connection in domlvl 0 -- Resolves: #1435394 Ipa-kra-install fails with weird output when backspace is - used during typing Directory Manager password - - ipapython.ipautil.nolog_replace: Do not replace empty value -- Resolves: #1435397 ipa-replica-install can't install replica file produced by - ipa-replica-prepare on 4.5 - - replica prepare: fix wrong IPA CA nickname in replica file -- Resolves: #1435599 WebUI: in self-service Vault menu item is shown even if - KRA is not installed - - WebUI: Fix showing vault in selfservice view -- Resolves: #1435718 As a ID user I cannot call a command with 
--rights option - - ldap2: use LDAP whoami operation to retrieve bind DN for current connection -- Resolves: #1436319 "Truncated search results" pop-up appears in user details - in WebUI - - WebUI: Add support for suppressing warnings - - WebUI: suppress truncation warning in select widget -- Resolves: #1436333 Uninstall fails with No such file or directory: - '/var/run/ipa/services.list' - - Create temporaty directories at the begining of uninstall -- Resolves: #1436334 WebUI: Adding certificate mapping data using certificate - fails - - WebUI: Allow to add certs to certmapping with CERT LINES around -- Resolves: #1436338 CLI doesn't work after ipa-restore - - Backup ipa-specific httpd unit-file - - Backup CA cert from kerberos folder -- Resolves: #1436342 Bump samba version, required for FIPS mode and privilege - separation - - Bump samba version for FIPS and priv. separation -- Resolves: #1436642 [ipalib/rpc.py] - "maximum recursion depth exceeded" with - ipa vault commands - - Avoid growing FILE ccaches unnecessarily - - Handle failed authentication via cookie - - Work around issues fetching session data - - Prevent churn on ccaches -- Resolves: #1436657 Add workaround for pki_pin for FIPS - - Generate PIN for PKI to help Dogtag in FIPS -- Resolves: #1436714 [vault] cache KRA transport cert - - Simplify KRA transport cert cache -- Resolves: #1436723 cert-find does not find all certificates without - sizelimit=0 - - cert: do not limit internal searches in cert-find -- Resolves: #1436724 Renewal of IPA RA fails on replica - - dogtag-ipa-ca-renew-agent-submit: fix the is_replicated() function -- Resolves: #1436753 Master tree fails to install - - httpinstance.disable_system_trust: Don't fail if module 'Root Certs' is not - available - -* Tue Mar 21 2017 Jan Cholasta - 4.5.0-2.el7 -- Resolves: #1432630 python2-jinja2 needed for python2-ipaclient - - Remove csrgen -- Resolves: #1432903 Set GssProxy options to enable caching of ldap tickets - - Add options to allow 
ticket caching - -* Wed Mar 15 2017 Jan Cholasta - 4.5.0-1.el7 -- Resolves: #828866 [RFE] enhance --subject option for ipa-server-install -- Resolves: #1160555 ipa-server-install: Cannot handle double hyphen "--" in - hostname -- Resolves: #1286288 Insufficient 'write' privilege to the 'ipaExternalMember' - attribute -- Resolves: #1321652 ipa-server-install fails when using external certificates - that encapsulate RDN components in double quotes -- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on - revocation reasons -- Resolves: #1340880 ipa-server-install: improve prompt on interactive - installation -- Resolves: #1353841 ipa-replica-install fails to install when resolv.conf - incomplete entries -- Resolves: #1356104 cert-show command does not display Subject Alternative - Names -- Resolves: #1357511 Traceback message seen when ipa is provided with invalid - configuration file name -- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is - converted from CA-less to CA-full -- Resolves: #1366572 [RFE] Web UI: allow Smart Card authentication -- Resolves: #1367572 improve error message in ipa migrate-ds: mention ipa - config-mod --enable-migration=TRUE -- Resolves: #1367868 Add options to retrieve lightweight CA certificate/chain -- Resolves: #1371927 Implement ca-enable/disable commands. 
-- Resolves: #1372202 Add Users into User Group editors fails to show Full names -- Resolves: #1373091 Adding an auth indicator from the CLI creates an extra - check box in the UI -- Resolves: #1375596 Ipa-server WebUI - long user/group name show wrong error - message -- Resolves: #1375905 "Normal" group type in the UI is confusing -- Resolves: #1376040 IPA client ipv6 - invalid --ip-address shows traceback -- Resolves: #1376630 IDM admin password gets written to - /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf -- Resolves: #1376729 ipa-server-install script option --no_hbac_allow should - match other options -- Resolves: #1378461 IPA Allows Password Reuse with History value defined when - admin resets the password. -- Resolves: #1379029 conncheck failing intermittently during single step - replica installs -- Resolves: #1379858 [RFE] better debugging for ipa-replica-conncheck -- Resolves: #1384310 ipa dnsrecord-add fails with Keyerror stack trace -- Resolves: #1392778 Update man page for ipa-adtrust-install by - removing --no-msdcs option -- Resolves: #1392858 Rebase to FreeIPA 4.5+ - - Rebase to 4.5.0 -- Resolves: #1399133 Delete option shouldn't be available for hosts applied to - view. 
-- Resolves: #1399190 [RFE] Certificates issued by externally signed IdM CA - should contain full trust chain -- Resolves: #1400416 RFE: Provide option to take backup of IPA server before - uninstalling IPA server -- Resolves: #1400529 cert-request is not aware of Kerberos principal aliases -- Resolves: #1401526 IPA WebUI certificates are grayed out on overview page but - not on details page -- Resolves: #1402959 [RFE] Universal Smart Card to Identity mapping -- Resolves: #1404750 ipa-client-install fails to get CA cert via LDAP when - non-FQDN name of IPA server is first in /etc/hosts -- Resolves: #1409628 [RFE] Semi-automatic integration with external DNS using - nsupdate -- Resolves: #1413742 Backport request for bug/issue Change IP address - validation errors to warnings -- Resolves: #1415652 IPA replica install log shows password in plain text -- Resolves: #1427897 different behavior regarding system wide certs in master - and replica. -- Resolves: #1430314 The ipa-managed-entries command failed, exception: - AttributeError: ldap2 - -* Tue Mar 14 2017 Jan Cholasta - 4.4.0-14.7 -- Resolves: #1419735 ipa-replica-install fails promotecustodia.create_replica - with cert errors (untrusted) - - added ssl verification using IPA trust anchor -- Resolves: #1428472 batch param compatibility is incorrect - - compat: fix `Any` params in `batch` and `dnsrecord` -- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream - -* Tue Jan 31 2017 Jan Cholasta - 4.4.0-14.6 -- Resolves: #1416454 replication race condition prevents IPA to install - - wait_for_entry: use only DN as parameter - - Wait until HTTPS principal entry is replicated to replica - - Use proper logging for error messages - -* Tue Jan 31 2017 Jan Cholasta - 4.4.0-14.5 -- Resolves: #1365858 ipa-ca-install fails on replica when IPA Master is - installed without CA - - Set up DS TLS on replica in CA-less topology -- Resolves: #1398600 IPA replica install fails with dirsrv errors. 
- - Do not configure PKI ajp redirection to use "::1" -- Resolves: #1413137 CVE-2017-2590 ipa: Insufficient permission check for - ca-del, ca-disable and ca-enable commands - - ca: correctly authorise ca-del, ca-enable and ca-disable - -* Fri Dec 16 2016 Jan Cholasta - 4.4.0-14.4 -- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services - by abusing password policy - - ipa-kdb: search for password policies globally -- Renamed patches 1011 and 1012 to 0151 and 0150, as they were merged upstream - -* Tue Dec 13 2016 Jan Cholasta - 4.4.0-14.3 -- Resolves: #1398670 Check IdM Topology for broken record caused by replication - conflict before upgrading it - - Check for conflict entries before raising domain level - -* Tue Dec 13 2016 Jan Cholasta - 4.4.0-14.2 -- Resolves: #1382812 Creation of replica for disconnected environment is - failing with CA issuance errors; Need good steps. - - gracefully handle setting replica bind dn group on old masters -- Resolves: #1397439 ipa-ca-install on promoted replica hangs on creating a - temporary CA admin - - replication: ensure bind DN group check interval is set on replica config - - add missing attribute to ipaca replica during CA topology update -- Resolves: #1401088 IPA upgrade of replica without DNS fails during restart of - named-pkcs11 - - bindinstance: use data in named.conf to determine configuration status - -* Mon Dec 12 2016 Jan Cholasta - 4.4.0-14.1 -- Resolves: #1370493 CVE-2016-7030 ipa: DoS attack against kerberized services - by abusing password policy - - password policy: Add explicit default password policy for hosts and - services -- Resolves: #1395311 CVE-2016-9575 ipa: Insufficient permission check in - certprofile-mod - - certprofile-mod: correctly authorise config update - -* Tue Nov 1 2016 Jan Cholasta - 4.4.0-14 -- Resolves: #1378353 Replica install fails with old IPA master sometimes during - replication process - - spec file: bump minimal required version of 389-ds-base -- 
Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - - Fix missing file that fails DL1 replica installation -- Resolves: #1387782 WebUI: Services are not displayed correctly after upgrade - - WebUI: services without canonical name are shown correctly -- Resolves: #1389709 Traceback seen in error_log when trustdomain-del is run - - trustdomain-del: fix the way how subdomain is searched - -* Mon Oct 31 2016 Jan Cholasta - 4.4.0-13 -- Resolves: #1318616 CA fails to start after doing ipa-ca-install --external-ca - - Keep NSS trust flags of existing certificates -- Resolves: #1360813 ipa-server-certinstall does not update all certificate - stores and doesn't set proper trust permissions - - Add cert checks in ipa-server-certinstall -- Resolves: #1371479 cert-find --all does not show information about revocation - - cert: add revocation reason back to cert-find output -- Resolves: #1375133 WinSync users who have First.Last casing creates users who - can have their password set - - ipa passwd: use correct normalizer for user principals -- Resolves: #1377858 Users with 2FA tokens are not able to login to IPA servers - - Properly handle LDAP socket closures in ipa-otpd -- Resolves: #1387779 Make httpd publish CA certificate on Domain Level 1 - - Make httpd publish its CA certificate on DL1 - -* Fri Sep 16 2016 Petr Vobornik - 4.4.0-12 -- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors. 
-- Resolves: #1375269 ipa trust-fetch-domains throws internal error - -* Tue Sep 13 2016 Jan Cholasta - 4.4.0-11 -- Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - - Fix regression introduced in ipa-certupdate - -* Wed Sep 7 2016 Jan Cholasta - 4.4.0-10 -- Resolves: #1355753 adding two way non transitive(external) trust displays - internal error on the console - - Always fetch forest info from root DCs when establishing two-way trust - - factor out `populate_remote_domain` method into module-level function - - Always fetch forest info from root DCs when establishing one-way trust -- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger - after `ipa-replica-install` - - Track lightweight CAs on replica installation -- Resolves: #1357488 ipa command stuck forever on higher versioned client with - lower versioned server - - compat: Save server's API version in for pre-schema servers - - compat: Fix ping command call - - schema cache: Store and check info for pre-schema servers -- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag - - Fix man page ipa-replica-manage: remove duplicate -c option - from --no-lookup -- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA - when revoking certificate - - cert: include CA name in cert command output - - WebUI add support for sub-CAs while revoking certificates -- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI - - Add support for additional options taken from table facet - - WebUI: Fix showing certificates issued by sub-CA -- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts - internactively - - dns: normalize record type read interactively in dnsrecord_add - - dns: prompt for missing record parts in CLI - - dns: fix crash in interactive mode against old servers -- Resolves: #1370519 Certificate revocation in service-del and host-del isn't - aware of Sub CAs - - cert: fix cert-find 
--certificate when the cert is not in LDAP - - Make host/service cert revocation aware of lightweight CAs -- Resolves: #1371901 Use OAEP padding with custodia - - Use RSA-OAEP instead of RSA PKCS#1 v1.5 -- Resolves: #1371915 When establishing external two-way trust, forest root - Administrator account is used to fetch domain info - - do not use trusted forest name to construct domain admin principal -- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in - certificate request - - Fix CA ACL Check on SubjectAltNames -- Resolves: #1373272 CLI always sends default command version - - cli: use full name when executing a command -- Resolves: #1373359 ipa-certupdate fails with "CA is not configured" - - Fix ipa-certupdate for CA-less installation -- Resolves: #1373540 client-install with IPv6 address fails on link-local - address (always) - - Fix parse errors with link-local addresses - -* Fri Sep 2 2016 Jan Cholasta - 4.4.0-9 -- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env - - Fix ipa-server-install in pure IPv6 environment -- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as - reachable via the forest root - - trust: make sure ID range is created for the child domain even if it exists - - ipa-kdb: simplify trusted domain parent search -- Resolves: #1335567 Update Warning in IdM Web UI API browser - - WebUI: add API browser is tech preview warning -- Resolves: #1348560 Mulitple domain Active Directory Trust conflict - - ipaserver/dcerpc: reformat to make the code closer to pep8 - - trust: automatically resolve DNS trust conflicts for triangle trusts -- Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in - certificate revocation - - cert-revoke: fix permission check bypass (CVE-2016-5404) -- Resolves: #1353936 custodia.conf and server.keys file is world-readable. 
- - Remove Custodia server keys from LDAP - - Secure permissions of Custodia server.keys -- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is - converted from CA-less to CA-full - - custodia: include known CA certs in the PKCS#12 file for Dogtag - - custodia: force reconnect before retrieving CA certs from LDAP -- Resolves: #1362333 ipa vault container owner cannot add vault - - Fix: container owner should be able to add vault -- Resolves: #1365546 External trust with root domain is transitive - - trust: make sure external trust topology is correctly rendered -- Resolves: #1365572 IPA server broken after upgrade - - Require pki-core-10.3.3-7 -- Resolves: #1367864 Server assumes latest version of command instead of - version 1 for old / 3rd party clients - - rpcserver: assume version 1 for unversioned command calls - - rpcserver: fix crash in XML-RPC system commands -- Resolves: #1367773 thin client ignores locale change - - schema cache: Fallback to 'en_us' when locale is not available -- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error" - - Fail on topology disconnect/last role removal -- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP - - otptoken, permission: Convert custom type parameters on server -- Resolves: #1369414 ipa server-del fails with Python stack trace - - Handled empty hostname in server-del command -- Resolves: #1369761 ipa-server must depend on a version of httpd that support - mod_proxy with UDS - - Require httpd 2.4.6-31 with mod_proxy Unix socket support -- Resolves: #1370512 Received ACIError instead of DuplicatedError in - stageuser_tests - - Raise DuplicatedEnrty error when user exists in delete_container -- Resolves: #1371479 cert-find --all does not show information about revocation - - cert: add missing param values to cert-find output -- Renamed patch 1011 to 0100, as it was merged upstream - -* Wed Aug 17 2016 Jan Cholasta - 4.4.0-8 -- Resolves: #1298288 [RFE] 
Improve performance in large environments. - - cert: speed up cert-find -- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card - authentication - - service: add flag to allow S4U2Self - - Add 'trusted to auth as user' checkbox - - Added new authentication method -- Resolves: #1353881 ipa-replica-install suggests about - non-existent --force-ntpd option - - Don't show --force-ntpd option in replica install -- Resolves: #1354441 DNS forwarder check is too strict: unable to add - sub-domain to already-broken domain - - DNS: allow to add forward zone to already broken sub-domain -- Resolves: #1356146 performance regression in CLI help - - schema: Speed up schema cache - - frontend: Change doc, summary, topic and NO_CLI to class properties - - schema: Introduce schema cache format - - schema: Generate bits for help load them on request - - help: Do not create instances to get information about commands and topics - - schema cache: Do not reset ServerInfo dirty flag - - schema cache: Do not read fingerprint and format from cache - - Access data for help separately - - frontent: Add summary class property to CommandOverride - - schema cache: Read server info only once - - schema cache: Store API schema cache in memory - - client: Do not create instance just to check isinstance - - schema cache: Read schema instead of rewriting it when SchemaUpToDate -- Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file - - server install: do not prompt for cert file PIN repeatedly -- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create - cache directory: [Errno 13] Permission denied: '/home/test_user' - - schema: Speed up schema cache -- Resolves: #1366604 `cert-find` crashes on invalid certificate data - - cert: do not crash on invalid data in cert-find -- Resolves: #1366612 Middle replica uninstallation in line topology works - without '--ignore-topology-disconnect' - - Fail on topology disconnect/last role removal -- Resolves: 
#1366626 caacl-add-service: incorrect error message when service - does not exists - - Fix ipa-caalc-add-service error message -- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11 - does not happen to run during dnf upgrade - - DNS server upgrade: do not fail when DNS server did not respond -- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server - with CA - - Add warning about only one existing CA server - - Set servers list as default facet in topology facet group -- Resolves: #1367773 thin client ignores locale change - - schema check: Check current client language against cached one - -* Wed Aug 10 2016 Jan Cholasta - 4.4.0-7 -- Resolves: #1361119 UPN-based search for AD users does not match an entry in - slapi-nis map cache - - support multiple uid values in schema compatibility tree - -* Wed Aug 10 2016 Jan Cholasta - 4.4.0-6 -- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 - - Revert "spec: add conflict with bind-chroot to freeipa-server-dns" -- Resolves: #1341249 Subsequent external CA installation fails - - install: fix external CA cert validation -- Resolves: #1353831 ipa-server-install fails in container because of - hostnamectl set-hostname - - server-install: Fix --hostname option to always override api.env values - - install: Call hostnamectl set-hostname only if --hostname option is used -- Resolves: #1356091 ipa-cacert-manage --help and man differ - - Improvements for the ipa-cacert-manage man and help -- Resolves: #1360631 ipa-backup is not keeping the - /etc/tmpfiles.d/dirsrv-.conf - - ipa-backup: backup /etc/tmpfiles.d/dirsrv-.conf -- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica - file is needed - - Update ipa-replica-install documentation -- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does - not rpm-require it - - client: RPM require initscripts to get *-domainname.service -- Resolves: #1364197 caacl: error when 
instantiating rules with service - principals - - caacl: fix regression in rule instantiation -- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm - - parameters: move the `confirm` kwarg to Param -- Resolves: #1364464 Topology graph: ca and domain adders shows question marks - instead of plus icon - - Fix unicode characters in ca and domain adders -- Resolves: #1365083 Incomplete output returned for command ipa vault-add - - client: add missing output params to client-side commands -- Resolves: #1365526 build fails during "make check" - - ipa-kdb: Fix unit test after packaging changes in krb5 - -* Fri Aug 5 2016 Jan Cholasta - 4.4.0-5 -- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file. - - Do not initialize API in ipa-client-automount uninstall -- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin - client changes - - idrange: fix unassigned global variable -- Resolves: #1360792 Migrating users doesn't update krbCanonicalName - - re-set canonical principal name on migrated users -- Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str' - and 'bool' objects - - Fix ipa hbactest output -- Resolves: #1362260 ipa vault-mod no longer allows defining salt - - vault: add missing salt option to vault_mod -- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong - public key - - vault: Catch correct exception in decrypt -- Resolves: #1362537 ipa-server-install fails to create symlink from - /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/ - - Correct path to HTTPD's systemd service directory -- Resolves: #1363756 Increase length of passwords generated by installer - - Increase default length of auto generated passwords - -* Fri Jul 29 2016 Jan Cholasta - 4.4.0-4 -- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos - aliases) - - harden the check for trust namespace overlap in new principals -- Resolves: #1351142 CLI is not using session 
cookies for communication with - IPA API - - Fix session cookies -- Resolves: #1353888 Fix the help for ipa otp and other topics - - help: Add dnsserver commands to help topic 'dns' -- Resolves: #1354406 host-del updatedns options complains about missing ptr - record for host - - Host-del: fix behavior of --updatedns and PTR records -- Resolves: #1355718 ipa-replica-manage man page example output differs actual - command output - - Minor fix in ipa-replica-manage MAN page -- Resolves: #1358229 Traceback message should be fixed, seen while editing - winsync migrated user information in Default trust view. - - baseldap: Fix MidairCollision instantiation during entry modification -- Resolves: #1358849 CA replica install logs to wrong log file - - unite log file name of ipa-ca-install -- Resolves: #1359130 ipa-server-install command fails to install IPA server. - - DNS Locations: fix update-system-records unpacking error -- Resolves: #1359237 AVC on dirsrv config caused by IPA installer - - Use copy when replacing files to keep SELinux context -- Resolves: #1359692 ipa-client-install join fail with traceback against - RHEL-6.8 ipa-server - - compat: fix ping call -- Resolves: #1359738 ipa-replica-install --domain= option - does not work - - replica-install: Fix --domain -- Resolves: #1360778 Vault commands are available in CLI even when the server - does not support them - - Revert "Enable vault-* commands on client" - - client: fix hiding of commands which lack server support -- Related: #1281704 Rebase to softhsm 2.1.0 - - Remove the workaround for softhsm bug #1293340 -- Related: #1298288 [RFE] Improve performance in large environments. 
- - Create indexes for krbCanonicalName attribute - -* Fri Jul 22 2016 Jan Cholasta - 4.4.0-3 -- Resolves: #1296140 Remove redhat-access-plugin-ipa support - - Obsolete and conflict redhat-access-plugin-ipa -- Resolves: #1351119 Multiple issues while uninstalling ipa-server - - server uninstall fails to remove krb principals -- Resolves: #1351758 ipa commands not showing expected error messages - - frontend: copy command arguments to output params on client - - Show full error message for selinuxusermap-add-hostgroup -- Resolves: #1352883 Traceback on adding default automember group and hostgroup - set - - allow 'value' output param in commands without primary key -- Resolves: #1353888 Fix the help for ipa otp and other topics - - schema: Fix subtopic -> topic mapping -- Resolves: #1354348 ipa trustconfig-show throws internal error. - - allow 'value' output param in commands without primary key -- Resolves: #1354381 ipa trust-add with raw option gives internal error. - - trust-add: handle `--all/--raw` options properly -- Resolves: #1354493 Replica install fails with old IPA master - - DNS install: Ensure that DNS servers container exists -- Resolves: #1354628 ipa hostgroup-add-member does not return error message - when adding itself as member - - frontend: copy command arguments to output params on client -- Resolves: #1355856 ipa otptoken-add --type=totp gives internal error - - messages: specify message type for ResultFormattingError -- Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter - secret key - - expose `--secret` option in radiusproxy-* commands - - prevent search for RADIUS proxy servers by secret -- Resolves: #1356099 Bug in the ipapwd plugin - - Heap corruption in ipapwd plugin -- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin - client changes - - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper -- Resolves: #1356964 Renaming a user removes all of his principal aliases - - 
Preserve user principal aliases during rename operation - -* Fri Jul 15 2016 Petr Vobornik - 4.4.0-2.1 -- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas -- Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD -- Related: #1356134 'kinit -E' does not work for IPA user - -* Thu Jul 14 2016 Petr Vobornik - 4.4.0-2 -- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA - with certmonger - - uninstall: untrack lightweight CA certs -- Resolves: #1351807 ipa-nis-manage config.get_dn missing - - ipa-nis-manage: Use server API to retrieve plugin status -- Resolves: #1353452 ipa-compat-manage command failed, - exception: NotImplementedError: config.get_dn() - - ipa-compat-manage: use server API to retrieve plugin status -- Resolves: #1353899 ipa-advise: object of type 'type' has no len() - - ipa-advise: correct handling of plugin namespace iteration -- Resolves: #1356134 'kinit -E' does not work for IPA user - - kdb: check for local realm in enterprise principals -- Resolves: #1353072 ipa unknown command vault-add - - Enable vault-* commands on client - - vault-add: set the default vault type on the client side if none was given -- Resolves: #1353995 Default CA can be used without a CA ACL - - caacl: expand plugin documentation -- Resolves: #1356144 host-find should not print SSH keys by default, only - SSH fingerprints - - host-find: do not show SSH key by default -- Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3 - - Removed unused method parameter from migrate-ds - -* Fri Jul 1 2016 Jan Cholasta - 4.4.0-1 -- Resolves: #747612 [RFE] IPA should support and manage DNS sites -- Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0) - in the default global_policy in IPA sets user's password expiration - (krbPasswordExpiration) to be 90 days -- Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records -- Resolves: #1084018 [RFE] Add IdM user password change support 
for legacy - client compat tree -- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos - aliases) - - Fix incorrect check for principal type when evaluating CA ACLs -- Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI -- Resolves: #1238190 ipasam unable to lookup group in directory yet manual - search works -- Resolves: #1250110 search by users which don't have read rights for all attrs - in search_attributes fails -- Resolves: #1263764 Show Certificate displays in useless format -- Resolves: #1272491 [WebUI] Certificate action dropdown does not display all - the options after adding new certificate -- Resolves: #1292141 Rebase to FreeIPA 4.4+ - - Rebase to 4.4.0 -- Resolves: #1294503 IPA fails to issue 3rd party certs -- Resolves: #1298242 [RFE] API compatibility - compatibility of clients -- Resolves: #1298848 [RFE] Centralized topology management -- Resolves: #1298966 [RFE] Extend Smart Card support -- Resolves: #1315146 Multiple clients cannot join domain simultaneously: - /var/run/httpd/ipa/clientcaches race condition? 
-- Resolves: #1318903 ipa server install failing when SUBCA signs the cert -- Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper - console output -- Resolves: #1324055 IPA always qualify requests for admin -- Resolves: #1328552 [RFE] Allow users to authenticate with alternative names -- Resolves: #1334582 Inconsistent UI and CLI options for removing certificate - hold -- Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl) -- Resolves: #1349281 Fix `Conflicts` with ipa-python -- Resolves: #1350695 execution of copy-schema script fails -- Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z -- Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test - execution to 7.3 -- Resolves: #1351276 ipa-server-install with dns cannot resolve itself to - create ipa-ca entry -- Related: #1343422 [RFE] Add GssapiImpersonate option - -* Wed Jun 22 2016 Jan Cholasta - 4.4.0-0.2.alpha1 -- Resolves: #1348948 IPA server install fails with build - ipa-server-4.4.0-0.el7.1.alpha1 - - Revert "Increased mod_wsgi socket-timeout" - -* Wed Jun 22 2016 Jan Cholasta - 4.4.0-0.1.alpha1 -- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while - setting password for default sudo binddn. -- Resolves: #747612 [RFE] IPA should support and manage DNS sites -- Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name -- Resolves: #825391 [RFE] Replica installation should provide a means for - inheriting nssldap security access settings -- Resolves: #921497 Incorrect *.py[co] files placement -- Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support -- Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas -- Resolves: #1196958 IPA replica installation failing with high number of users - (160000). 
-- Resolves: #1219402 IPA suggests to uninstall a client when the user needs to - uninstall a replica -- Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on - Authentication Indicator -- Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos - principal expiration" -- Resolves: #1234223 [WebUI] General invalid password error message appearing - for "Locked user" -- Resolves: #1254267 ipa-server-install failure applying ldap updates with - limits exceeded -- Resolves: #1258626 realmdomains-mod --add-domain command throwing error when - doamin already is in forwardzone. -- Resolves: #1259020 ipa-server-adtrust-install doesn't allow - NetBIOS-name=EXAMPLE-TEST.COM (dash character) -- Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error - message when DNSSEC master not installed -- Resolves: #1262747 dnssec options missing in ipa-dns-install man page -- Resolves: #1265900 Fail installation immediately after dirsrv fails to - install using ipa-server-install -- Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not - resolvable anymore -- Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace - - LimitsExceeded: limits exceeded for this query -- Resolves: #1269089 Certificate of managed-by host/service fails to resubmit -- Resolves: #1269200 ipa-server crashing while trying to preserve admin user -- Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults -- Resolves: #1271579 Automember rule expressions disappear from tables on - single expression delete -- Resolves: #1275816 Incomplete ports for IPA ad-trust -- Resolves: #1276351 [RFE] Remove - /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases -- Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in - the IPA UI -- Resolves: #1278426 Better error message needed for invalid ca-signing-algo - option -- Resolves: #1279932 ipa-client-install --request-cert needs workaround in - anaconda 
chroot -- Resolves: #1282521 Creating a user w/o private group fails when doing so in - WebUI -- Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced - by "IPA is not configured on this system" -- Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert - file -- Resolves: #1287194 [RFE] Support of UPN for trusted domains -- Resolves: #1288967 Normalize Manager entry in ipa user-add -- Resolves: #1289487 Priority field missing in Password Policy detail tab -- Resolves: #1291140 ipa client should configure kpasswd_server directive in - krb5.conf -- Resolves: #1292141 Rebase to FreeIPA 4.4+ - - Rebase to 4.4.0.alpha1 -- Resolves: #1298848 [RFE] Centralized topology management -- Resolves: #1300576 Browser setup page includes instructions for Internet - Explorer -- Resolves: #1301586 ipa host-del --updatedns should remove related dns - entries. -- Resolves: #1304618 Residual Files After IPA Server Uninstall -- Resolves: #1305144 ipa-python does not require its dependencies -- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6 -- Resolves: #1313798 Console output post ipa-winsync-migrate command should be - corrected. -- Resolves: #1314786 [RFE] External Trust with Active Directory domain -- Resolves: #1319023 Include description for 'status' option in man page for - ipactl command. -- Resolves: #1319912 ipa-server-install does not completely change hostname and - named-pkcs11 fails -- Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord': - Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given -- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on - revocation reasons -- Resolves: #1328549 "ipa-kra-install" command reports incorrect message when - it is executed on server already installed with KRA. 
-- Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap' - to 'rpcbind' -- Resolves: #1329275 ipa-nis-manage command should include status option -- Resolves: #1330843 'man ipa' should be updated with latest commands -- Resolves: #1333755 ipa cert-request causes internal server error while - requesting certificate -- Resolves: #1337484 EOF is not handled for ipa-client-install command -- Resolves: #1338031 Insufficient 'write' privilege on some attributes for the - members of the role which has "User Administrators" privilege. -- Resolves: #1343142 IPA DNS should do better verification of DNS zones -- Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in - browser - -* Wed May 25 2016 Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3.1 -- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files - - Fix incorrect rebase of patch 1001 - -* Tue May 24 2016 Jan Cholasta - 4.3.1-0.201605241723GIT1b427d3 -- Resolves: #1339233 CA installed on replica is always marked as renewal master -- Related: #1292141 Rebase to FreeIPA 4.4+ - - Rebase to 4.3.1.201605241723GIT1b427d3 - -* Tue May 24 2016 Jan Cholasta - 4.3.1-0.201605191449GITf8edf37.1 -- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install - because of missing dependencies - - Rebuild with krb5-1.14.1 - -* Fri May 20 2016 Jan Cholasta - 4.3.1-0.201605191449GITf8edf37 -- Resolves: #837369 [RFE] Switch to client promotion to replica model -- Resolves: #1199516 [RFE] Move replication topology to the shared tree -- Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology -- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) -- Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also - list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend -- Resolves: #1267206 ipa-server-install uninstall should warn if no - installation found -- Resolves: #1295865 The Domain option is not correctly set in 
idmapd.conf when - ipa-client-automount is executed. -- Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly - displayed when certificate generated using IPA on RHEL 7.2up2. -- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install - because of missing dependencies -- Related: #1292141 Rebase to FreeIPA 4.4+ - - Rebase to 4.3.1.201605191449GITf8edf37 - -* Mon Apr 18 2016 Jan Cholasta - 4.2.0-16 -- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid - Credential" - - cert renewal: make renewal of ipaCert atomic -- Resolves: #1278330 installer options are not validated at the beginning of - installation - - install: fix command line option validation -- Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd - from starting up - - client install: do not corrupt OpenSSH config with Match sections -- Resolves: #1282935 ipa upgrade causes vault internal error - - install: export KRA agent PEM file in ipa-kra-install -- Resolves: #1283429 Default CA ACL rule is not created during - ipa-replica-install - - TLS and Dogtag HTTPS request logging improvements - - Avoid race condition caused by profile delete and recreate - - Do not erroneously reinit NSS in Dogtag interface - - Add profiles and default CA ACL on migration - - disconnect ldap2 backend after adding default CA ACL profiles - - do not disconnect when using existing connection to check default CA ACLs -- Resolves: #1283430 ipa-kra-install: fails to apply updates - - suppress errors arising from adding existing LDAP entries during KRA - install -- Resolves: #1283748 Caching of ipaconfig does not work in framework - - fix caching in get_ipa_config -- Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after - upgrade from RHEL 7.0 to RHEL 7.2 - - upgrade: fix migration of old dns forward zones - - Fix upgrade of forwardzones when zone is in realmdomains -- Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap - 
connection - - ipa-cacert-renew: Fix connection to ldap. -- Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection - - ipa-otptoken-import: Fix connection to ldap. -- Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using - "yum update ipa* sssd" - - Set minimal required version for openssl -- Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps - - Upgrade: Fix upgrade of NIS Server configuration -- Resolves: #1289311 umask setting causes named-pkcs11 issue with directory - permissions on /var/lib/ipa/dnssec - - DNS: fix file permissions - - Explicitly call chmod on newly created directories - - Fix: replace mkdir with chmod -- Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison - - Fix version comparison - - use FFI call to rpmvercmp function for version comparison -- Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix - groups are missing - - ipa-kdb: map_groups() consider all results -- Resolves: #1293870 User should be notified for wrong password in password - reset page - - Fixed login error message box in LoginScreen page -- Resolves: #1296196 Sysrestore did not restore state if a key is specified in - mixed case - - Allow to used mixed case for sysrestore -- Resolves: #1296214 DNSSEC key purging is not handled properly - - DNSSEC: Improve error reporting from ipa-ods-exporter - - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in - LDAP - - DNSSEC: Make sure that current key state in LDAP matches key state in BIND - - DNSSEC: remove obsolete TODO note - - DNSSEC: add debug mode to ldapkeydb.py - - DNSSEC: logging improvements in ipa-ods-exporter - - DNSSEC: remove keys purged by OpenDNSSEC from master HSM from LDAP - - DNSSEC: ipa-dnskeysyncd: Skip zones with old DNSSEC metadata in LDAP - - DNSSEC: ipa-ods-exporter: add ldap-cleanup command - - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal - - DNSSEC: 
Log debug messages at log level DEBUG -- Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running - - prevent crash of CA-less server upgrade due to absent certmonger - - always start certmonger during IPA server configuration upgrade -- Resolves: #1297811 The ipa -e skip_version_check=1 still issues - incompatibility error when called against RHEL 6 server - - ipalib: assume version 2.0 when skip_version_check is enabled -- Resolves: #1298289 install fails when locale is "fr_FR.UTF-8" - - Do not decode HTTP reason phrase from Dogtag -- Resolves: #1300252 shared certificateProfiles container is missing on a - freshly installed RHEL7.2 system - - upgrade: unconditional import of certificate profiles into LDAP -- Resolves: #1301674 --setup-dns and other options is forgotten for using an - external PKI - - installer: Propagate option values from components instead of copying them. - - installer: Fix logic of reading option values from cache. -- Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA - IPA setup - - ipa-ca-install: print more specific errors when CA is already installed - - cert renewal: import all external CA certs on IPA CA cert renewal - - CA install: explicitly set dogtag_version to 10 - - fix standalone installation of externally signed CA on IPA master - - replica install: validate DS and HTTP server certificates - - replica install: improvements in the handling of CA-related IPA config - entries -- Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups - - slapi-nis: update configuration to allow external members of IPA groups -- Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find - returns "0 trusts matched" - - upgrade: fix config of sidgen and extdom plugins - - trusts: use ipaNTTrustPartner attribute to detect trust entries - - Warn user if trust is broken - - fix upgrade: wait for proper DS socket after DS restart - - Insure the admin_conn is disconnected on stop - - Fix 
connections to DS during installation - - Fix broken trust warnings -- Resolves: #1321092 Installers fail when there are multiple versions of the - same certificate - - certdb: never use the -r option of certutil -- Related: #1317381 Crash during IPA upgrade due to slapd - - spec file: update minimum required version of slapi-nis -- Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 - CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws - [rhel-7.3] - - Rebuild against newer Samba version - -* Tue Oct 13 2015 Jan Cholasta - 4.2.0-15 -- Resolves: #1252556 Missing CLI param and ACL for vault service operations - - vault: fix private service vault creation - -* Mon Oct 12 2015 Jan Cholasta - 4.2.0-14 -- Resolves: #1262996 ipa vault internal error on replica without KRA - - upgrade: make sure ldap2 is connected in export_kra_agent_pem -- Resolves: #1270608 IPA upgrade fails for server with CA cert signed by - external CA - - schema: do not derive ipaVaultPublicKey from ipaPublicKey - -* Thu Oct 8 2015 Jan Cholasta - 4.2.0-13 -- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens - - Fix an integer underflow bug in libotp -- Resolves: #1262996 ipa vault internal error on replica without KRA - - install: always export KRA agent PEM file - - vault: select a server with KRA for vault operations -- Resolves: #1269777 IPA restore overwrites /etc/passwd and /etc/group files - - do not overwrite files with local users/groups when restoring authconfig -- Renamed patch 1011 to 0138, as it was merged upstream - -* Wed Sep 23 2015 Jan Cholasta - 4.2.0-12 -- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to - Trusts - - winsync-migrate: Convert entity names to posix friendly strings - - winsync-migrate: Properly handle collisions in the names of external groups -- Resolves: #1261074 Adjust Firefox configuration to new extension signing - policy - - webui: use manual Firefox configuration for 
Firefox >= 40 -- Resolves: #1263337 IPA Restore failed with installed KRA - - ipa-backup: Add mechanism to store empty directory structure -- Resolves: #1264793 CVE-2015-5284 ipa: ipa-kra-install includes certificate - and private key in world readable file [rhel-7.2] - - install: fix KRA agent PEM file permissions -- Resolves: #1265086 Mark IdM API Browser as experimental - - WebUI: add API browser is experimental warning -- Resolves: #1265277 Fix kdcproxy user creation - - install: create kdcproxy user during server install - - platform: add option to create home directory when adding user - - install: fix kdcproxy user home directory -- Resolves: #1265559 GSS failure after ipa-restore - - destroy httpd ccache after stopping the service - -* Thu Sep 17 2015 Jan Cholasta - 4.2.0-11 -- Resolves: #1258965 ipa vault: set owner of vault container - - baseldap: make subtree deletion optional in LDAPDelete - - vault: add vault container commands - - vault: set owner to current user on container creation - - vault: update access control - - vault: add permissions and administrator privilege - - install: support KRA update -- Resolves: #1261586 ipa config-mod addattr fails for ipauserobjectclasses - - config: allow user/host attributes with tagging options -- Resolves: #1262315 Unable to establish winsync replication - - winsync: Add inetUser objectclass to the passsync sysaccount - -* Wed Sep 16 2015 Jan Cholasta - 4.2.0-10 -- Resolves: #1260663 crash of ipa-dnskeysync-replica component during - ipa-restore - - IPA Restore: allows to specify files that should be removed -- Resolves: #1261806 Installing ipa-server package breaks httpd - - Handle timeout error in ipa-httpd-kdcproxy -- Resolves: #1262322 Failed to backup CS.cfg message in upgrade. 
- - Server Upgrade: backup CS.cfg when dogtag is turned off - -* Wed Sep 9 2015 Jan Cholasta - 4.2.0-9 -- Resolves: #1257074 The KRA agent cert is stored in a PEM file that is not - tracked - - cert renewal: Include KRA users in Dogtag LDAP update - - cert renewal: Automatically update KRA agent PEM file -- Resolves: #1257163 renaming certificatte profile with --rename option leads - to integrity issues - - certprofile: remove 'rename' option -- Resolves: #1257968 kinit stop working after ipa-restore - - Backup: back up the hosts file -- Resolves: #1258926 Remove 'DNSSEC is experimental' warnings - - DNSSEC: remove "DNSSEC is experimental" warnings -- Resolves: #1258929 Uninstallation of IPA leaves extra entry in /etc/hosts - - Installer: do not modify /etc/hosts before user agreement -- Resolves: #1258944 DNSSEC daemons may deadlock when processing more than 1 - zone - - DNSSEC: backup and restore opendnssec zone list file - - DNSSEC: remove ccache and keytab of ipa-ods-exporter - - DNSSEC: prevent ipa-ods-exporter from looping after service auto-restart - - DNSSEC: Fix deadlock in ipa-ods-exporter <-> ods-enforcerd interaction - - DNSSEC: Fix HSM synchronization in ipa-dnskeysyncd when running on DNSSEC - key master - - DNSSEC: Fix key metadata export - - DNSSEC: Wrap master key using RSA OAEP instead of old PKCS v1.5. -- Resolves: #1258964 revert to use ldapi to add kra agent in KRA install - - Using LDAPI to setup CA and KRA agents. 
-- Resolves: #1259848 server closes connection and refuses commands after - deleting user that is still logged in - - ldap: Make ldap2 connection management thread-safe again -- Resolves: #1259996 AttributeError: 'NameSpace' object has no attribute - 'ra_certprofile' while ipa-ca-install - - load RA backend plugins during standalone CA install on CA-less IPA master - -* Wed Aug 26 2015 Jan Cholasta - 4.2.0-8 -- Resolves: #1254689 Storing big file as a secret in vault raises traceback - - vault: Limit size of data stored in vault -- Resolves: #1255880 ipactl status should distinguish between different - pki-tomcat services - - ipactl: Do not start/stop/restart single service multiple times - -* Wed Aug 26 2015 Jan Cholasta - 4.2.0-7 -- Resolves: #1256840 [webui] majority of required fields is no longer marked as - required - - fix missing information in object metadata -- Resolves: #1256842 [webui] no option to choose trust type when creating a - trust - - webui: add option to establish bidirectional trust -- Resolves: #1256853 Clear text passwords in KRA install log - - Removed clear text passwords from KRA install log. -- Resolves: #1257072 The "Standard Vault" MUST not be the default and must be - discouraged - - vault: change default vault type to symmetric -- Resolves: #1257163 renaming certificatte profile with --rename option leads - to integrity issues - - certprofile: prevent rename (modrdn) - -* Wed Aug 26 2015 Jan Cholasta - 4.2.0-6 -- Resolves: #1249226 IPA dnssec-validation not working for AD dnsforwardzone - - DNSSEC: fix forward zone forwarders checks -- Resolves: #1250190 idrange is not added for sub domain - - trusts: format Kerberos principal properly when fetching trust topology -- Resolves: #1252334 User life cycle: missing ability to provision a stage user - from a preserved user - - Add user-stage command -- Resolves: #1252863 After applying RHBA-2015-1554 errata, IPA service fails to - start. 
- - spec file: Add Requires(post) on selinux-policy -- Resolves: #1254304 Changing vault encryption attributes - - Change internal rsa_(public|private)_key variable names - - Added support for changing vault encryption. -- Resolves: #1256715 Executing user-del --preserve twice removes the user - pernamently - - improve the usability of `ipa user-del --preserve` command - -* Wed Aug 19 2015 Jan Cholasta - 4.2.0-5 -- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - - user-undel: Fix error messages. -- Resolves: #1200694 [RFE] Support for multiple cert profiles - - Prohibit deletion of predefined profiles -- Resolves: #1232819 testing ipa-restore on fresh system install fails - - Backup/resore authentication control configuration -- Resolves: #1243331 pkispawn fails when migrating to 4.2 server from 3.0 - server - - Require Dogtag PKI >= 10.2.6 -- Resolves: #1245225 Asymmetric vault drops traceback when the key is not - proper - - Asymmetric vault: validate public key in client -- Resolves: #1248399 Missing DNSSEC related files in backup - - fix typo in BasePathNamespace member pointing to ods exporter config - - ipa-backup: archive DNSSEC zone file and kasp.db -- Resolves: #1248405 PassSync should be disabled after ipa-winsync-migrate is - finished - - winsync-migrate: Add warning about passsync - - winsync-migrate: Expand the man page -- Resolves: #1248524 User can't find any hosts using "ipa host-find $HOSTNAME" - - adjust search so that it works for non-admin users -- Resolves: #1250093 ipa certprofile-import accepts invalid config - - Require Dogtag PKI >= 10.2.6 -- Resolves: #1250107 IPA framework should not allow modifying trust on AD trust - agents - - trusts: Detect missing Samba instance -- Resolves: #1250111 User lifecycle - preserved users can be assigned - membership - - ULC: Prevent preserved users from being assigned membership -- Resolves: #1250145 Add permission for user to bypass caacl enforcement - - Add permission for 
bypassing CA ACL enforcement -- Resolves: #1250190 idrange is not added for sub domain - - idranges: raise an error when local IPA ID range is being modified - - trusts: harden trust-fetch-domains oddjobd-based script -- Resolves: #1250928 Man page for ipa-server-install is out of sync - - install: Fix server and replica install options -- Resolves: #1251225 IPA default CAACL does not allow cert-request for services - after upgrade - - Fix default CA ACL added during upgrade -- Resolves: #1251561 ipa vault-add Unknown option: ipavaultpublickey - - validate mutually exclusive options in vault-add -- Resolves: #1251579 ipa vault-add --user should set container owner equal to - user on first run - - Fixed vault container ownership. -- Resolves: #1252517 cert-request rejects request with correct - krb5PrincipalName SAN - - Fix KRB5PrincipalName / UPN SAN comparison -- Resolves: #1252555 ipa vault-find doesn't work for services - - vault: Add container information to vault command results - - Add flag to list all service and user vaults -- Resolves: #1252556 Missing CLI param and ACL for vault service operations - - Added CLI param and ACL for vault service operations. 
-- Resolves: #1252557 certprofile: improve profile format documentation - - certprofile-import: improve profile format documentation - - certprofile: add profile format explanation -- Resolves: #1253443 ipa vault-add creates vault with invalid type - - vault: validate vault type -- Resolves: #1253480 ipa vault-add-owner does not fail when adding an existing - owner - - baseldap: Allow overriding member param label in LDAPModMember - - vault: Fix param labels in output of vault owner commands -- Resolves: #1253511 ipa vault-find does not use criteria - - vault: Fix vault-find with criteria -- Resolves: #1254038 ipa-replica-install pk12util error returns exit status 10 - - install: Fix replica install with custom certificates -- Resolves: #1254262 ipa-dnskeysync-replica crash cannot contact kdc - - improve the handling of krb5-related errors in dnssec daemons -- Resolves: #1254412 when dirsrv is off ,upgrade from 7.1 to 7.2 fails with - starting CA and named-pkcs11.service - - Server Upgrade: Start DS before CA is started. -- Resolves: #1254637 Add ACI and permission for managing user userCertificate - attribute - - add permission: System: Manage User Certificates -- Resolves: #1254641 Remove CSR allowed-extensions restriction - - cert-request: remove allowed extensions check -- Resolves: #1254693 vault --service does not normalize service principal - - vault: normalize service principal in service vault operations -- Resolves: #1254785 ipa-client-install does not properly handle dual stacked - hosts - - client: Add support for multiple IP addresses during installation. 
- - Add dependency to SSSD 1.13.1 - - client: Add description of --ip-address and --all-ip-addresses to man page - -* Tue Aug 11 2015 Jan Cholasta - 4.2.0-4 -- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to - users in IdM - - store certificates issued for user entries as - - user-show: add --out option to save certificates to file -- Resolves: #1145748 [RFE] IPA running with One Way Trust - - Fix upgrade of sidgen and extdom plugins -- Resolves: #1195339 ipa-client-install changes the label on various files - which causes SELinux denials - - Use 'mv -Z' in specfile to restore SELinux context -- Resolves: #1198796 Text in UI should describe differing LDAP vs Krb behavior - for combinations of "User authentication types" - - webui: add LDAP vs Kerberos behavior description to user auth -- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - - ULC: Fix stageused-add --from-delete command -- Resolves: #1200694 [RFE] Support for multiple cert profiles - - certprofile-import: do not require profileId in profile data - - Give more info on virtual command access denial - - Allow SAN extension for cert-request self-service - - Add profile for DNP3 / IEC 62351-8 certificates - - Work around python-nss bug on unrecognised OIDs -- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality - - Validate vault's file parameters - - Fixed missing KRA agent cert on replica. -- Resolves: #1225866 display browser config options that apply to the browser. 
- - webui: add Kerberos configuration instructions for Chrome - - Remove ico files from Makefile -- Resolves: #1246342 Unapply idview raises internal error - - idviews: Check for the Default Trust View only if applying the view -- Resolves: #1248102 [webui] regression - incorrect/no failed auth messages - - webui: fix regressions failed auth messages -- Resolves: #1248396 Internal error in DomainValidator.__search_in_dc - - dcerpc: Fix UnboundLocalError for ccache_name -- Resolves: #1249455 ipa trust-add failed CIFS server configuration does not - allow access to \\pipe\lsarpc - - Fix selector of protocol for LSA RPC binding string - - dcerpc: Simplify generation of LSA-RPC binding strings -- Resolves: #1250192 Error in ipa trust-fecth-domains - - Fix incorrect type comparison in trust-fetch-domains -- Resolves: #1251553 Winsync setup fails with unexpected error - - replication: Fix incorrect exception invocation -- Resolves: #1251854 ipa aci plugin is not parsing aci's correctly. - - ACI plugin: correctly parse bind rules enclosed in -- Resolves: #1252414 Trust agent install does not detect available replicas to - add to master - - adtrust-install: Correctly determine 4.2 FreeIPA servers - -* Fri Jul 24 2015 Jan Cholasta - 4.2.0-3 -- Resolves: #1170770 [AD TRUST]IPA should detect inconsistent realm domains - that conflicts with AD DC - - trusts: Check for AD root domain among our trusted domains -- Resolves: #1195339 ipa-client-install changes the label on various files - which causes SELinux denials - - sysrestore: copy files instead of moving them to avoind SELinux issues -- Resolves: #1196656 [ipa-client][rhel71] enable debugging for spawned - commands / ntpd -qgc $tmpfile hangs - - enable debugging of ntpd during client installation -- Resolves: #1205264 Migration UI Does Not Work When Anonymous Bind is Disabled - - migration: Use api.env variables. 
-- Resolves: #1212719 abort-clean-ruv subcommand should allow - replica-certifyall: no - - Allow value 'no' for replica-certify-all attr in abort-clean-ruv subcommand -- Resolves: #1216935 ipa trust-add shows ipa: ERROR: an internal error has - occurred - - dcerpc: Expand explanation for WERR_ACCESS_DENIED - - dcerpc: Fix UnboundLocalError for ccache_name -- Resolves: #1222778 idoverride group-del can delete user and user-del can - delete group - - dcerpc: Add get_trusted_domain_object_type method - - idviews: Restrict anchor to name and name to anchor conversions - - idviews: Enforce objectclass check in idoverride*-del -- Resolves: #1234919 Be able to request certificates without certmonger service - running - - cermonger: Use private unix socket when DBus SystemBus is not available. - - ipa-client-install: Do not (re)start certmonger and DBus daemons. -- Resolves: #1240939 Please add dependency on bind-pkcs11 - - Create server-dns sub-package. - - ipaplatform: Add constants submodule - - DNS: check if DNS package is installed -- Resolves: #1242914 Bump minimal selinux-policy and add booleans to allow - calling out oddjobd-activated services - - selinux: enable httpd_run_ipa to allow communicating with oddjobd services -- Resolves: #1243261 non-admin users cannot search hbac rules - - fix hbac rule search for non-admin users - - fix selinuxusermap search for non-admin users -- Resolves: #1243652 Client has missing dependency on memcache - - do not import memcache on client -- Resolves: #1243835 [webui] user change password dialog does not work - - webui: fix user reset password dialog -- Resolves: #1244802 spec: selinux denial during kdcproxy user creation - - Fix selinux denial during kdcproxy user creation -- Resolves: #1246132 trust-fetch-domains: Do not chown keytab to the sssd user - - oddjob: avoid chown keytab to sssd if sssd user does not exist -- Resolves: #1246136 Adding a privilege to a permission avoids validation - - Validate adding privilege to a 
permission -- Resolves: #1246141 DNS Administrators cannot search in zones - - DNS: Consolidate DNS RR types in API and schema -- Resolves: #1246143 User plugin - user-find doesn't work properly with manager - option - - fix broken search for users by their manager - -* Wed Jul 15 2015 Jan Cholasta - 4.2.0-2 -- Resolves: #1131907 [ipa-client-install] cannot write certificate file - '/etc/ipa/ca.crt.new': must be string or buffer, not None -- Resolves: #1195775 unsaved changes dialog internally inconsistent -- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities - - Stageusedr-activate: show username instead of DN -- Resolves: #1200694 [RFE] Support for multiple cert profiles - - Prevent to rename certprofile profile id -- Resolves: #1222047 IPA to AD Trust: IPA ERROR 4016: Remote Retrieve Error -- Resolves: #1224769 copy-schema-to-ca.py does not overwrites schema files - - copy-schema-to-ca: allow to overwrite schema files -- Resolves: #1241941 kdc component installation of IPA failed - - spec file: Update minimum required version of krb5 -- Resolves: #1242036 Replica install fails to update DNS records - - Fix DNS records installation for replicas -- Resolves: #1242884 Upgrade to 4.2.0 fails when enabling kdc proxy - - Start dirsrv for kdcproxy upgrade - -* Thu Jul 9 2015 Jan Cholasta - 4.2.0-1 -- Resolves: #846033 [RFE] Documentation for JSONRPC IPA API -- Resolves: #989091 Ability to manage IdM/IPA directly from a standard LDAP - client -- Resolves: #1072383 [RFE] Provide ability to map CAC identity certificates to - users in IdM -- Resolves: #1115294 [RFE] Add support for DNSSEC -- Resolves: #1145748 [RFE] IPA running with One Way Trust -- Resolves: #1199520 [RFE] Introduce single upgrade tool - ipa-server-upgrade -- Resolves: #1199530 [RFE] Provide user lifecycle managment capabilities -- Resolves: #1200694 [RFE] Support for multiple cert profiles -- Resolves: #1200728 [RFE] Replicate PKI Profile information -- Resolves: #1200735 [RFE] Allow 
issuing certificates for user accounts -- Resolves: #1204054 SSSD database is not cleared between installs and - uninstalls of ipa -- Resolves: #1204205 [RFE] ID Views: Automated migration tool from Winsync to - Trusts -- Resolves: #1204501 [RFE] Add Password Vault (KRA) functionality -- Resolves: #1204504 [RFE] Add access control so hosts can create their own - services -- Resolves: #1206534 [RFE] Offer Kerberos over HTTP (kdcproxy) by default -- Resolves: #1206613 [RFE] Configure IPA to be a trust agent by default -- Resolves: #1209476 package ipa-client does not require package dbus-python -- Resolves: #1211589 [RFE] Add option to skip the verify_client_version -- Resolves: #1211608 [RFE] Generic support for unknown DNS RR types (RFC 3597) -- Resolves: #1215735 ipa-replica-prepare automatically adds a DNS zone -- Resolves: #1217010 OTP Manager field is not exposed in the UI -- Resolves: #1222475 krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp - 00007fffd68b2340 error 6 in libc-2.17.so -- Related: #1204809 Rebase ipa to 4.2 - - Update to upstream 4.2.0 - - Move /etc/ipa/kdcproxy to the server subpackage - -* Tue Jun 23 2015 Jan Cholasta - 4.2.0-0.2.alpha1 -- Resolves: #1228671 pkispawn fails in ipa-ca-install and ipa-kra-install -- Related: #1204809 Rebase ipa to 4.2 - - Fix minimum version of slapi-nis - - Require python-sss and python-sss-murmur (provided by sssd-1.13.0) - -* Mon Jun 22 2015 Jan Cholasta - 4.2.0-0.1.alpha1 -- Resolves: #805188 [RFE] "ipa migrate-ds" ldapsearches with scope=1 -- Resolves: #1019272 With 20000+ users, adding a user to a group intermittently - throws Internal server error -- Resolves: #1035494 Unable to add Kerberos principal via kadmin.local -- Resolves: #1045153 ipa-managed-entries --list -p still requires - DM password -- Resolves: #1125950 ipa-server-install --uinstall doesn't remove port 7389 - from ldap_port_t -- Resolves: #1132540 [RFE] Expose service delegation rules in UI and CLI -- Resolves: #1145584 
ipaserver/install/cainstance.py creates pkiuser not - matching uidgid -- Resolves: #1176036 IDM client registration failure in a high load environment -- Resolves: #1183116 Remove Requires: subscription-manager -- Resolves: #1186054 permission-add does not prompt to enter --right option in - interactive mode -- Resolves: #1187524 Replication agreement with replica not disabled when - ipa-restore done without IPA installed -- Resolves: #1188195 Fax number not displayed for user-show when kinit'ed as - normal user. -- Resolves: #1189034 "an internal error has occurred" during ipa host-del - --updatedns -- Resolves: #1193554 ipa-client-automount: failing with error LDAP server - returned UNWILLING_TO_PERFORM. This likely means that minssf is enabled. -- Resolves: #1193759 IPA extdom plugin fails when encountering large groups -- Resolves: #1194312 [ipa-python] ipalib.errors.LDAPError: failed to decode - certificate: (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. -- Resolves: #1194633 Default trust view can be deleted in lower case -- Resolves: #1196455 ipa-server-install step [8/27]: starting certificate - server instance - confusing CA staus message on TLS error -- Resolves: #1198263 Limit deadlocks between DS plugin DNA and slapi-nis -- Resolves: #1199527 [RFE] Use datepicker component for datetime fields -- Resolves: #1200867 [RFE] Make OTP validation window configurable -- Resolves: #1200883 [RFE] Switch apache to use mod_auth_gssapi -- Resolves: #1202998 CVE-2015-1827 ipa: memory corruption when using - get_user_grouplist() [rhel-7.2] -- Resolves: #1204637 slow group operations -- Resolves: #1204642 migrate-ds: slow add o users to default group -- Resolves: #1208461 IPA CA master server update stuck on checking getStatus - via https -- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P) -- Resolves: #1211708 ipa-client-install gets stuck during NTP sync -- Resolves: #1215197 ipa-client-install ignores --ntp-server option 
during time - sync -- Resolves: #1215200 ipa-client-install configures IPA server as NTP source - even if IPA server has not ntpd configured -- Resolves: #1217009 OTP sync in UI does not work for TOTP tokens -- Related: #1204809 Rebase ipa to 4.2 - - Update to upstream 4.2.0.alpha1 - -* Thu Mar 19 2015 Jan Cholasta - 4.1.0-18.3 -- [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: - (SEC_ERROR_INVALID_ARGS) security library: invalid arguments. (#1194312) - -* Wed Mar 18 2015 Alexander Bokovoy - 4.1.0-18.2 -- IPA extdom plugin fails when encountering large groups (#1193759) -- CVE-2015-0283 ipa: slapi-nis: infinite loop in getgrnam_r() and getgrgid_r() - (#1202998) - -* Thu Mar 5 2015 Jan Cholasta - 4.1.0-18.1 -- "an internal error has occurred" during ipa host-del --updatedns (#1198431) -- Renamed patch 1013 to 0114, as it was merged upstream -- Fax number not displayed for user-show when kinit'ed as normal user. - (#1198430) -- Replication agreement with replica not disabled when ipa-restore done without - IPA installed (#1199060) -- Limit deadlocks between DS plugin DNA and slapi-nis (#1199128) - -* Thu Jan 29 2015 Martin Kosek - 4.1.0-18 -- Fix ipa-pwd-extop global configuration caching (#1187342) -- group-detach does not add correct objectclasses (#1187540) - -* Tue Jan 27 2015 Jan Cholasta - 4.1.0-17 -- Wrong directories created on full restore (#1186398) -- ipa-restore crashes if replica is unreachable (#1186396) -- idoverrideuser-add option --sshpubkey does not work (#1185410) - -* Wed Jan 21 2015 Jan Cholasta - 4.1.0-16 -- PassSync does not sync passwords due to missing ACIs (#1181093) -- ipa-replica-manage list does not list synced domain (#1181010) -- Do not assume certmonger is running in httpinstance (#1181767) -- ipa-replica-manage disconnect fails without password (#1183279) -- Put LDIF files to their original location in ipa-restore (#1175277) -- DUA profile not available anonymously (#1184149) -- IPA replica missing data after 
master upgraded (#1176995) - -* Wed Jan 14 2015 Jan Cholasta - 4.1.0-15 -- Re-add accidentally removed patches for #1170695 and #1164896 - -* Wed Jan 14 2015 Jan Cholasta - 4.1.0-14 -- IPA Replicate creation fails with error "Update failed! Status: [10 Total - update abortedLDAP error: Referral]" (#1166265) -- running ipa-server-install --setup-dns results in a crash (#1072502) -- DNS zones are not migrated into forward zones if 4.0+ replica is added - (#1175384) -- gid is overridden by uid in default trust view (#1168904) -- When migrating warn user if compat is enabled (#1177133) -- Clean up debug log for trust-add (#1168376) -- No error message thrown on restore(full kind) on replica from full backup - taken on master (#1175287) -- ipa-restore proceed even IPA not configured (#1175326) -- Data replication not working as expected after data restore from full backup - (#1175277) -- IPA externally signed CA cert expiration warning missing from log (#1178128) -- ipa-upgradeconfig fails in CA-less installs (#1181767) -- IPA certs fail to autorenew simultaneouly (#1173207) -- More validation required on ipa-restore's options (#1176034) - -* Wed Dec 17 2014 Jan Cholasta - 4.1.0-13 -- Expand the token auth/sync windows (#919228) -- Access is not rejected for disabled domain (#1172598) -- krb5kdc crash in ldap_pvt_search (#1170695) -- RHEL7.1 IPA server httpd avc denials after upgrade (#1164896) - -* Wed Dec 10 2014 Jan Cholasta - 4.1.0-12 -- RHEL7.1 ipa-cacert-manage renewed certificate from MS ADCS not compatible - (#1169591) -- CLI doesn't show SSHFP records with SHA256 added via nsupdate (regression) - (#1172578) - -* Tue Dec 9 2014 Jan Cholasta - 4.1.0-11 -- Throw zonemgr error message before installation proceeds (#1163849) -- Winsync: Setup is broken due to incorrect import of certificate (#1169867) -- Enable last token deletion when password auth type is configured (#919228) -- ipa-otp-lasttoken loads all user's tokens on every mod/del (#1166641) -- add --hosts 
and --hostgroup options to allow/retrieve keytab methods - (#1007367) -- Extend host-show to add the view attribute in set of default attributes - (#1168916) -- Prefer TCP connections to UDP in krb5 clients (#919228) -- [WebUI] Not able to unprovisioning service in IPA 4.1 (#1168214) -- webui: increase notification duration (#1171089) -- RHEL7.1 ipa automatic CA cert renewal stuck in submitting state (#1166931) -- RHEL7.1 ipa-cacert-manage cannot change external to self-signed ca cert - (#1170003) -- Improve validation of --instance and --backend options in ipa-restore - (#951581) -- RHEL7.1 ipa replica unable to replicate to rhel6 master (#1167964) -- Disable TLS 1.2 in nss.conf until mod_nss supports it (#1156466) - -* Wed Nov 26 2014 Jan Cholasta - 4.1.0-10 -- Use NSS protocol range API to set available TLS protocols (#1156466) - -* Tue Nov 25 2014 Jan Cholasta - 4.1.0-9 -- schema update on RHEL-6.6 using latest copy-schema-to-ca.py from RHEL-7.1 - build fails (#1167196) -- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) -- "ipa trust-add ... " cmd says : (Trust status: Established and verified) - while in the logs we see "WERR_ACCESS_DENIED" during verification step. 
- (#1144121) -- POODLE: force using safe ciphers (non-SSLv3) in IPA client and server - (#1156466) -- Add support/hooks for a one-time password system like SecureID in IPA - (#919228) -- Tracebacks with latest build for --zonemgr cli option (#1167270) -- ID Views: Support migration from the sync solution to the trust solution - (#891984) - -* Mon Nov 24 2014 Jan Cholasta - 4.1.0-8 -- Improve otptoken help messages (#919228) -- Ensure users exist when assigning tokens to them (#919228) -- Enable QR code display by default in otptoken-add (#919228) -- Show warning instead of error if CA did not start (#1158410) -- CVE-2014-7850 freeipa: XSS flaw can be used to escalate privileges (#1165774) -- Traceback when adding zone with long name (#1164859) -- Backup & Restore mechanism (#951581) -- ignoring user attributes in migrate-ds does not work if uppercase characters - are returned by ldap (#1159816) -- Allow ipa-getkeytab to optionally fetch existing keys (#1007367) -- Failure when installing on dual stacked system with external ca (#1128380) -- ipa-server should keep backup of CS.cfg (#1059135) -- Tracebacks with latest build for --zonemgr cli option (#1167270) -- webui: use domain name instead of domain SID in idrange adder dialog - (#891984) -- webui: normalize idview tab labels (#891984) - -* Wed Nov 19 2014 Jan Cholasta - 4.1.0-7 -- ipa-csreplica-manage connect fails (#1157735) -- error message which is not understandable when IDNA2003 characters are - present in --zonemgr (#1163849) -- Fix warning message should not contain CLI commands (#1114013) -- Renewing the CA signing certificate does not extend its validity period end - (#1163498) -- RHEL7.1 ipa-server-install --uninstall Could not set SELinux booleans for - httpd (#1159330) - -* Thu Nov 13 2014 Jan Cholasta - 4.1.0-6 -- Fix: DNS installer adds invalid zonemgr email (#1056202) -- ipaplatform: Use the dirsrv service, not target (#951581) -- Fix: DNS policy upgrade raises asertion error (#1161128) -- Fix 
upgrade referint plugin (#1161128) -- Upgrade: fix trusts objectclass violationi (#1161128) -- group-add doesn't accept gid parameter (#1149124) - -* Tue Nov 11 2014 Jan Cholasta - 4.1.0-5 -- Update slapi-nis dependency to pull 0.54-2 (#891984) -- ipa-restore: Don't crash if AD trust is not installed (#951581) -- Prohibit setting --rid-base for ranges of ipa-trust-ad-posix type (#1138791) -- Trust setting not restored for CA cert with ipa-restore command (#1159011) -- ipa-server-install fails when restarting named (#1162340) - -* Thu Nov 06 2014 Jan Cholasta - 4.1.0-4 -- Update Requires on pki-ca to 10.1.2-4 (#1129558) -- build: increase java stack size for all arches -- Add ipaSshPubkey and gidNumber to the ACI to read ID user overrides (#891984) -- Fix dns zonemgr validation regression (#1056202) -- Handle profile changes in dogtag-ipa-ca-renew-agent (#886645) -- Do not wait for new CA certificate to appear in LDAP in ipa-certupdate - (#886645) -- Add bind-dyndb-ldap working dir to IPA specfile -- Fail if certmonger can't see new CA certificate in LDAP in ipa-cacert-manage - (#886645) -- Investigate & fix Coverity defects in IPA DS/KDC plugins (#1160756) -- Deadlock in schema compat plugin (#1161131) -- ipactl stop should stop dirsrv last (#1161129) -- Upgrade 3.3.5 to 4.1 failed (#1161128) -- CVE-2014-7828 freeipa: password not required when OTP in use (#1160877) - -* Wed Oct 22 2014 Jan Cholasta - 4.1.0-3 -- Do not check if port 8443 is available in step 2 of external CA install - (#1129481) - -* Wed Oct 22 2014 Jan Cholasta - 4.1.0-2 -- Update Requires on selinux-policy to 3.13.1-4 - -* Tue Oct 21 2014 Jan Cholasta - 4.1.0-1 -- Update to upstream 4.1.0 (#1109726) - -* Mon Sep 29 2014 Jan Cholasta - 4.1.0-0.1.alpha1 -- Update to upstream 4.1.0 Alpha 1 (#1109726) - -* Fri Sep 26 2014 Petr Vobornik - 4.0.3-3 -- Add redhat-access-plugin-ipa dependency - -* Thu Sep 25 2014 Jan Cholasta - 4.0.3-2 -- Re-enable otptoken_yubikey plugin - -* Mon Sep 15 2014 Jan Cholasta 
- 4.0.3-1 -- Update to upstream 4.0.3 (#1109726) - -* Thu Aug 14 2014 Martin Kosek - 3.3.3-29 -- Server installation fails using external signed certificates with - "IndexError: list index out of range" (#1111320) -- Add rhino to BuildRequires to fix Web UI build error - -* Tue Apr 1 2014 Martin Kosek - 3.3.3-28 -- ipa-client-automount fails with incompatibility error when installed against - older IPA server (#1083108) - -* Wed Mar 26 2014 Martin Kosek - 3.3.3-27 -- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future - PKI versions (#1080865) - -* Tue Mar 25 2014 Martin Kosek - 3.3.3-26 -- When IdM server trusts multiple AD forests, IPA client returns invalid group - membership info (#1079498) - -* Thu Mar 13 2014 Martin Kosek - 3.3.3-25 -- Deletion of active subdomain range should not be allowed (#1075615) - -* Thu Mar 13 2014 Martin Kosek - 3.3.3-24 -- PKI database is ugraded during replica installation (#1075118) - -* Wed Mar 12 2014 Martin Kosek - 3.3.3-23 -- Unable to add trust successfully with --trust-secret (#1075704) - -* Wed Mar 12 2014 Martin Kosek - 3.3.3-22 -- ipa-replica-install never checks for 7389 port (#1075165) -- Non-terminated string may be passed to LDAP search (#1075091) -- ipa-sam may fail to translate group SID into GID (#1073829) -- Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) - -* Thu Mar 6 2014 Martin Kosek - 3.3.3-21 -- Do not fetch a principal two times, remove potential memory leak (#1070924) - -* Wed Mar 5 2014 Martin Kosek - 3.3.3-20 -- trustdomain-find with pkey-only fails (#1068611) -- Invalid credential cache in trust-add (#1069182) -- ipa-replica-install prints unexpected error (#1069722) -- Too big font in input fields in details facet in Firefox (#1069720) -- trust-add for POSIX AD does not fetch trustdomains (#1070925) -- Misleading trust-add error message in some cases (#1070926) -- Access is not rejected for disabled domain (#1070924) - -* Wed Feb 26 2014 Martin Kosek - 3.3.3-19 
-- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) - -* Wed Feb 12 2014 Martin Kosek - 3.3.3-18 -- Display server name in ipa command's verbose mode (#1061703) -- Remove sourcehostcategory from default HBAC rule (#1061187) -- dnszone-add cannot add classless PTR zones (#1058688) -- Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) - -* Tue Feb 4 2014 Martin Kosek - 3.3.3-17 -- Lockout plugin crashed during ipa-server-install (#912725) - -* Fri Jan 31 2014 Martin Kosek - 3.3.3-16 -- Fallback to global policy in ipa lockout plugin (#912725) -- Migration does not add users to default group (#903232) - -* Fri Jan 24 2014 Daniel Mach - 3.3.3-15 -- Mass rebuild 2014-01-24 - -* Thu Jan 23 2014 Martin Kosek - 3.3.3-14 -- Fix NetBIOS name generation in CLDAP plugin (#1030517) - -* Mon Jan 20 2014 Martin Kosek - 3.3.3-13 -- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) -- Increase default timeout for IPA services (#1033273) -- Error while running trustdomain-find (#1054376) -- group-show lists SID instead of name for external groups (#1054391) -- Fix IPA server NetBIOS name in samba configuration (#1030517) -- dnsrecord-mod produces missing API version warning (#1054869) -- Hide trust-resolve command as internal (#1052860) -- Add Trust domain Web UI (#1054870) -- ipasam cannot delete multiple child trusted domains (#1056120) - -* Wed Jan 15 2014 Martin Kosek - 3.3.3-12 -- Missing objectclasses when empty password passed to host-add (#1052979) -- sudoOrder missing in sudoers (#1052983) -- Missing examples in sudorule help (#1049464) -- Client automount does not uninstall when fstore is empty (#910899) -- Error not clear for invalid realm given to trust-fetch-domains (#1052981) -- trust-fetch-domains does not add idrange for subdomains found (#1049926) -- Add option to show if an AD subdomain is enabled/disabled (#1052973) -- ipa-adtrust-install still failed with long NetBIOS names (#1030517) -- Error not clear for 
invalid relam given to trustdomain-find (#1049455) -- renewed client cert not recognized during IPA CA renewal (#1033273) - -* Fri Jan 10 2014 Martin Kosek - 3.3.3-11 -- hbactest does not work for external users (#848531) - -* Wed Jan 08 2014 Martin Kosek - 3.3.3-10 -- PKI service restart after CA renewal failed (#1040018) - -* Mon Jan 06 2014 Martin Kosek - 3.3.3-9 -- Move ipa-tests package to separate srpm (#1032668) - -* Fri Jan 3 2014 Martin Kosek - 3.3.3-8 -- Fix status trust-add command status message (#910453) -- NetBIOS was not trimmed at 15 characters (#1030517) -- Harden CA subsystem certificate renewal on CA clones (#1040018) - -* Fri Dec 27 2013 Daniel Mach - 3.3.3-7 -- Mass rebuild 2013-12-27 - -* Mon Dec 2 2013 Martin Kosek - 3.3.3-6 -- Remove "Listen 443 http" hack from deployed nss.conf (#1029046) -- Re-adding existing trust fails (#1033216) -- IPA uninstall exits with a samba error (#1033075) -- Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) -- Fixed ownership of /usr/share/ipa/ui/js (#1026260) -- ipa-tests: support external names for hosts (#1032668) -- ipa-client-install fail due fail to obtain host TGT (#1029354) - -* Fri Nov 22 2013 Martin Kosek - 3.3.3-5 -- Trust add tries to add same value of --base-id for sub domain, - causing an error (#1033068) -- Improved error reporting for adding trust case (#1029856) - -* Wed Nov 13 2013 Martin Kosek - 3.3.3-4 -- Winsync agreement cannot be created (#1023085) - -* Wed Nov 6 2013 Martin Kosek - 3.3.3-3 -- Installer did not detect different server and IPA domain (#1026845) -- Allow kernel keyring CCACHE when supported (#1026861) - -* Tue Nov 5 2013 Martin Kosek - 3.3.3-2 -- ipa-server-install crashes when AD subpackage is not installed (#1026434) - -* Fri Nov 1 2013 Martin Kosek - 3.3.3-1 -- Update to upstream 3.3.3 (#991064) - -* Tue Oct 29 2013 Martin Kosek - 3.3.2-5 -- Temporarily move ipa-backup and ipa-restore functionality - back to make them available in public Beta (#1003933) - -* Tue 
Oct 29 2013 Martin Kosek - 3.3.2-4 -- Server install failure during client enrollment shouldn't - roll back (#1023086) -- nsds5ReplicaStripAttrs are not set on agreements (#1023085) -- ipa-server conflicts with mod_ssl (#1018172) - -* Wed Oct 16 2013 Martin Kosek - 3.3.2-3 -- Reinstalling ipa server hangs when configuring certificate - server (#1018804) - -* Fri Oct 11 2013 Martin Kosek - 3.3.2-2 -- Deprecate --serial-autoincrement option (#1016645) -- CA installation always failed on replica (#1005446) -- Re-initializing a winsync connection exited with error (#994980) - -* Fri Oct 4 2013 Martin Kosek - 3.3.2-1 -- Update to upstream 3.3.2 (#991064) -- Add delegation info to MS-PAC (#915799) -- Warn about incompatibility with AD when IPA realm and domain - differs (#1009044) -- Allow PKCS#12 files with empty password in install tools (#1002639) -- Privilege "SELinux User Map Administrators" did not list - permissions (#997085) -- SSH key upload broken when client joins an older server (#1009024) - -* Mon Sep 23 2013 Martin Kosek - 3.3.1-5 -- Remove dependency on python-paramiko (#1002884) -- Broken redirection when deleting last entry of DNS resource - record (#1006360) - -* Tue Sep 10 2013 Martin Kosek - 3.3.1-4 -- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) - -* Mon Sep 9 2013 Martin Kosek - 3.3.1-3 -- Replica installation fails for RHEL 6.4 master (#1004680) -- Server uninstallation crashes if DS is not available (#998069) - -* Thu Sep 5 2013 Martin Kosek - 3.3.1-2 -- Unable to remove replica by ipa-replica-manage (#1001662) -- Before uninstalling a server, warn about active replicas (#998069) - -* Thu Aug 29 2013 Rob Crittenden - 3.3.1-1 -- Update to upstream 3.3.1 (#991064) -- Update minimum version of bind-dyndb-ldap to 3.5 - -* Tue Aug 20 2013 Rob Crittenden - 3.3.0-7 -- Fix replica installation failing on certificate subject (#983075) - -* Tue Aug 13 2013 Martin Kosek - 3.3.0-6 -- Allow ipa-tests to work with older version (1.7.7) 
of python-paramiko - -* Tue Aug 13 2013 Martin Kosek - 3.3.0-5 -- Prevent multilib failures in *.pyo and *.pyc files - -* Mon Aug 12 2013 Martin Kosek - 3.3.0-4 -- ipa-server-install fails if --subject parameter is other than default - realm (#983075) -- do not allow configuring bind-dyndb-ldap without persistent search (#967876) - -* Mon Aug 12 2013 Martin Kosek - 3.3.0-3 -- diffstat was missing as a build dependency causing multilib problems - -* Thu Aug 8 2013 Martin Kosek - 3.3.0-2 -- Remove ipa-server-selinux obsoletes as upgrades from version prior to - 3.3.0 are not allowed -- Wrap server-trust-ad subpackage description better -- Add (noreplace) flag for %%{_sysconfdir}/tmpfiles.d/ipa.conf -- Change permissions on default_encoding_utf8.so to fix ipa-python Provides - -* Thu Aug 8 2013 Martin Kosek - 3.3.0-1 -- Update to upstream 3.3.0 (#991064) - -* Thu Aug 8 2013 Martin Kosek - 3.3.0-0.2.beta2 -- Require slapi-nis 0.47.7 delivering a core feature of 3.3.0 release - -* Wed Aug 7 2013 Martin Kosek - 3.3.0-0.1.beta2 -- Update to upstream 3.3.0 Beta 2 (#991064) - -* Thu Jul 18 2013 Martin Kosek - 3.2.2-1 -- Update to upstream 3.2.2 -- Drop ipa-server-selinux subpackage -- Drop redundant directory /var/cache/ipa/sessions -- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost -- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency - issues when there are still old parts of software (like entitlements plugin) - -* Fri Jun 14 2013 Martin Kosek - 3.2.1-1 -- Update to upstream 3.2.1 -- Drop dogtag-pki-server-theme requires, it won't be build for RHEL-7.0 - -* Tue May 14 2013 Rob Crittenden - 3.2.0-2 -- Add OTP patches -- Add patch to set KRB5CCNAME for 389-ds-base - -* Fri May 10 2013 Rob Crittenden - 3.2.0-1 -- Update to upstream 3.2.0 GA -- ipa-client-install fails if /etc/ipa does not exist (#961483) -- Certificate status is not visible in Service and Host page (#956718) -- ipa-client-install removes needed options from 
ldap.conf (#953991) -- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) -- Add triggerin scriptlet to support OpenSSH 6.2 (#953617) -- Require nss 3.14.3-12.0 to address certutil certificate import - errors (#953485) -- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 - environments. (#953464) -- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) -- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) -- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for - socket based connections (#960222) -- Require libsss_nss_idmap-python -- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to - member is now done automatically and having it in the config file raises - an error. -- Add backup and restore tools, directory. -- require at least systemd 38 which provides the journal (we no longer - need to require syslog.target) -- Update Requires on policycoreutils to 2.1.14-37 -- Update Requires on selinux-policy to 3.12.1-42 -- Update Requires on 389-ds-base to 1.3.1.0 -- Remove a Requires for java-atk-wrapper - -* Tue Apr 23 2013 Rob Crittenden - 3.2.0-0.4.beta1 -- Remove release from krb5-server in strict sub-package to allow for rebuilds. - -* Mon Apr 22 2013 Rob Crittenden - 3.2.0-0.3.beta1 -- Add a Requires for java-atk-wrapper until we can determine which package - should be pulling it in, dogtag or tomcat. 
- -* Tue Apr 16 2013 Rob Crittenden - 3.2.0-0.2.beta1 -- Update to upstream 3.2.0 Beta 1 - -* Tue Apr 2 2013 Martin Kosek - 3.2.0-0.1.pre1 -- Update to upstream 3.2.0 Prerelease 1 -- Use upstream reference spec file as a base for Fedora spec file - -* Sat Mar 30 2013 Kevin Fenzi 3.1.2-4 -- Rebuild for broken deps -- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 - -* Sat Feb 23 2013 Kevin Fenzi - 3.1.2-3 -- Rebuild for broken deps in rawhide -- Fix 389-ds-base strict dep to be 1.3.0.3 - -* Wed Feb 13 2013 Fedora Release Engineering - 3.1.2-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild - -* Wed Jan 23 2013 Rob Crittenden - 3.1.2-1 -- Update to upstream 3.1.2 -- CVE-2012-4546: Incorrect CRLs publishing -- CVE-2012-5484: MITM Attack during Join process -- CVE-2013-0199: Cross-Realm Trust key leak -- Updated strict dependencies to 389-ds-base = 1.3.0.2 and - pki-ca = 10.0.1 - -* Thu Dec 20 2012 Martin Kosek - 3.1.0-2 -- Remove redundat Requires versions that are already in Fedora 17 -- Replace python-crypto Requires with m2crypto -- Add missing Requires(post) for client and server-trust-ad subpackages -- Restart httpd service when server-trust-ad subpackage is installed -- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes - -* Mon Dec 10 2012 Rob Crittenden - 3.1.0-1 -- Updated to upstream 3.1.0 GA -- Set minimum for sssd to 1.9.2 -- Set minimum for pki-ca to 10.0.0-1 -- Set minimum for 389-ds-base to 1.3.0 -- Set minimum for selinux-policy to 3.11.1-60 -- Remove unneeded dogtag package requires - -* Tue Oct 23 2012 Martin Kosek - 3.0.0-3 -- Update Requires on krb5-server to 1.11 - -* Fri Oct 12 2012 Rob Crittenden - 3.0.0-2 -- Configure CA replication to use TLS instead of SSL - -* Fri Oct 12 2012 Rob Crittenden - 3.0.0-1 -- Updated to upstream 3.0.0 GA -- Set minimum for samba to 4.0.0-153. 
-- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so - plugin to /dev/null since they cannot be used when trusts are configured -- Restrict krb5-server to 1.10. -- Update BR for 389-ds-base to 1.3.0 -- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca -- Add Requires on zip for generating FF browser extension - -* Fri Oct 5 2012 Rob Crittenden - 3.0.0-0.10 -- Updated to upstream 3.0.0 rc 2 -- Include new FF configuration extension -- Set minimum Requires of selinux-policy to 3.11.1-33 -- Set minimum Requires dogtag to 10.0.0-0.43.b1 -- Add new optional strict sub-package to allow users to limit other - package upgrades. - -* Tue Oct 2 2012 Martin Kosek - 3.0.0-0.9 -- Require samba packages instead of obsoleted samba4 packages - -* Fri Sep 21 2012 Rob Crittenden - 3.0.0-0.8 -- Updated to upstream 3.0.0 rc 1 -- Update BR for 389-ds-base to 1.2.11.14 -- Update BR for krb5 to 1.10 -- Update BR for samba4-devel to 4.0.0-139 (rc1) -- Add BR for python-polib -- Update BR and Requires on sssd to 1.9.0 -- Update Requires on policycoreutils to 2.1.12-5 -- Update Requires on 389-ds-base to 1.2.11.14 -- Update Requires on selinux-policy to 3.11.1-21 -- Update Requires on dogtag to 10.0.0-0.33.a1 -- Update Requires on certmonger to 0.60 -- Update Requires on tomcat to 7.0.29 -- Update minimum version of bind to 9.9.1-10.P3 -- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 -- Remove Requires on authconfig from python sub-package - -* Wed Sep 5 2012 Rob Crittenden - 3.0.0-0.7 -- Rebuild against samba4 beta8 - -* Fri Aug 31 2012 Rob Crittenden - 3.0.0-0.6 -- Rebuild against samba4 beta7 - -* Wed Aug 22 2012 Alexander Bokovoy - 3.0.0-0.5 -- Adopt to samba4 beta6 (libsecurity -> libsamba-security) -- Add dependency to samba4-winbind - -* Fri Aug 17 2012 Rob Crittenden - 3.0.0-0.4 -- Updated to upstream 3.0.0 beta 2 - -* Mon Aug 6 2012 Martin Kosek - 3.0.0-0.3 -- Updated to current upstream state of 3.0.0 beta 2 development - -* 
Mon Jul 23 2012 Alexander Bokovoy - 3.0.0-0.2 -- Rebuild against samba4 beta4 - -* Mon Jul 2 2012 Rob Crittenden - 3.0.0-0.1 -- Updated to upstream 3.0.0 beta 1 - -* Thu May 3 2012 Rob Crittenden - 2.2.0-1 -- Updated to upstream 2.2.0 GA -- Update minimum n-v-r of certmonger to 0.53 -- Update minimum n-v-r of slapi-nis to 0.40 -- Add Requires in client to oddjob-mkhomedir and python-krbV -- Update minimum selinux-policy to 3.10.0-110 - -* Mon Mar 19 2012 Rob Crittenden - 2.1.90-0.2 -- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) -- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. -- Add Conflicts on mod_ssl -- Update minimum n-v-r of 389-ds-base to 1.2.10.4 -- Update minimum n-v-r of sssd to 1.8.0 -- Update minimum n-v-r of slapi-nis to 0.38 -- Update minimum n-v-r of pki-* to 9.0.18 -- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 -- Update conflicts on bind to < 9.9.0-1 -- Drop requires on krb5-server-ldap -- Add patch to remove escaping arguments to pkisilent - -* Mon Feb 06 2012 Rob Crittenden - 2.1.90-0.1 -- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) - -* Wed Feb 01 2012 Alexander Bokovoy - 2.1.4-5 -- Force to use 389-ds 1.2.10-0.8.a7 or above -- Improve upgrade script to handle systemd 389-ds change -- Fix freeipa to work with python-ldap 2.4.6 - -* Wed Jan 11 2012 Martin Kosek - 2.1.4-4 -- Fix ipa-replica-install crashes -- Fix ipa-server-install and ipa-dns-install logging -- Set minimum version of pki-ca to 9.0.17 to fix sslget problem - caused by FEDORA-2011-17400 update (#771357) - -* Wed Dec 21 2011 Alexander Bokovoy - 2.1.4-3 -- Allow Web-based migration to work with tightened SE Linux policy (#769440) -- Rebuild slapi plugins against re-enterant version of libldap - -* Sun Dec 11 2011 Alexander Bokovoy - 2.1.4-2 -- Allow longer dirsrv startup with systemd: - - IPAdmin class will wait until dirsrv instance is available up to 10 seconds - - Helps with restarts during upgrade for ipa-ldap-updater -- Fix pylint warnings from F16 and 
Rawhide - -* Tue Dec 6 2011 Rob Crittenden - 2.1.4-1 -- Update to upstream 2.1.4 (CVE-2011-3636) - -* Mon Dec 5 2011 Rob Crittenden - 2.1.3-8 -- Update SELinux policy to allow ipa_kpasswd to connect ldap and - read /dev/urandom. (#759679) - -* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-7 -- Fix wrong path in packaging freeipa-systemd-upgrade - -* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-6 -- Introduce upgrade script to recover existing configuration after systemd migration - as user has no means to recover FreeIPA from systemd migration -- Upgrade script: - - recovers symlinks in Dogtag instance install - - recovers systemd configuration for FreeIPA's directory server instances - - recovers freeipa.service - - migrates directory server and KDC configs to use proper keytabs for systemd services - -* Wed Oct 26 2011 Fedora Release Engineering - 2.1.3-5 -- Rebuilt for glibc bug#747377 - -* Wed Oct 19 2011 Alexander Bokovoy - 2.1.3-4 -- clean up spec -- Depend on sssd >= 1.6.2 for better user experience - -* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-3 -- Fix Fedora package changelog after merging systemd changes - -* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-2 -- Fix postin scriplet for F-15/F-16 - -* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-1 -- 2.1.3 - -* Mon Oct 17 2011 Alexander Bokovoy - 2.1.2-1 -- Default to systemd for Fedora 16 and onwards - -* Tue Aug 16 2011 Rob Crittenden - 2.1.0-1 -- Update to upstream 2.1.0 - -* Fri May 6 2011 Simo Sorce - 2.0.1-2 -- Fix bug #702633 - -* Mon May 2 2011 Rob Crittenden - 2.0.1-1 -- Update minimum selinux-policy to 3.9.16-18 -- Update minimum pki-ca and pki-selinux to 9.0.7 -- Update minimum 389-ds-base to 1.2.8.0-1 -- Update to upstream 2.0.1 - -* Thu Mar 24 2011 Rob Crittenden - 2.0.0-1 -- Update to upstream GA release -- Automatically apply updates when the package is upgraded - -* Fri Feb 25 2011 Rob Crittenden - 2.0.0-0.4.rc2 -- Update to upstream freeipa-2.0.0.rc2 -- Set minimum version of python-nss to 0.11 to make 
sure IPv6 support is in -- Set minimum version of sssd to 1.5.1 -- Patch to include SuiteSpotGroup when setting up 389-ds instances -- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled - -* Tue Feb 15 2011 Rob Crittenden - 2.0.0-0.3.rc1 -- Set the N-V-R so rc1 is an update to beta2. - -* Mon Feb 14 2011 Rob Crittenden - 2.0.0-0.1.rc1 -- Set minimum version of sssd to 1.5.1 -- Update to upstream freeipa-2.0.0.rc1 -- Move server-only binaries from admintools subpackage to server - -* Tue Feb 08 2011 Fedora Release Engineering - 2.0.0-0.2.beta2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Thu Feb 3 2011 Rob Crittenden - 2.0.0-0.1.beta2 -- Set min version of 389-ds-base to 1.2.8 -- Set min version of mod_nss 1.0.8-10 -- Set min version of selinux-policy to 3.9.7-27 -- Add dogtag themes to Requires -- Update to upstream freeipa-2.0.0.pre2 - -* Thu Jan 27 2011 Rob Crittenden - 2.0.0-0.2.beta.git80e87e7 -- Remove unnecessary moving of v1 CA serial number file in post script -- Add Obsoletes for server-selinxu subpackage -- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da - -* Wed Jan 26 2011 Rob Crittenden - 2.0.0-0.1.beta.git80e87e7 -- Prepare spec file for release -- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 - -* Tue Jan 25 2011 Rob Crittenden - 1.99-41 -- Re-arrange doc and defattr to clean up rpmlint warnings -- Remove conditionals on older releases -- Move some man pages into admintools subpackage -- Remove some explicit Requires in client that aren't needed -- Consistent use of buildroot vs RPM_BUILD_ROOT - -* Wed Jan 19 2011 Adam Young - 1.99-40 -- Moved directory install/static to install/ui - -* Thu Jan 13 2011 Simo Sorce - 1.99-39 -- Remove dependency on nss_ldap/nss-pam-ldapd -- The official client is sssd and that's what we use by default. 
- -* Thu Jan 13 2011 Simo Sorce - 1.99-38 -- Remove radius subpackages - -* Thu Jan 13 2011 Rob Crittenden - 1.99-37 -- Set minimum pki-ca and pki-silent versions to 9.0.0 - -* Wed Jan 12 2011 Rob Crittenden - 1.99-36 -- Drop BuildRequires on mozldap-devel - -* Mon Dec 13 2010 Rob Crittenden - 1.99-35 -- Add Requires on krb5-pkinit-openssl - -* Fri Dec 10 2010 Jr Aquino - 1.99-34 -- Add ipa-host-net-manage script - -* Tue Dec 7 2010 Simo Sorce - 1.99-33 -- Add ipa init script - -* Fri Nov 19 2010 Rob Crittenden - 1.99-32 -- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin - -* Wed Nov 3 2010 Rob Crittenden - 1.99-31 -- remove ipa-fix-CVE-2008-3274 - -* Wed Oct 6 2010 Rob Crittenden - 1.99-30 -- Remove duplicate %%files entries on share/ipa/static -- Add python default encoding shared library - -* Mon Sep 20 2010 Rob Crittenden - 1.99-29 -- Drop requires on python-configobj (not used any more) -- Drop ipa-ldap-updater message, upgrades are done differently now - -* Wed Sep 8 2010 Rob Crittenden - 1.99-28 -- Drop conflicts on mod_nss -- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) -- Drop a slew of conditionals on older Fedora releases (< 12) -- Add a few conditionals against RHEL 6 -- Add Requires of nss-tools on ipa-client - -* Fri Aug 13 2010 Rob Crittenden - 1.99-27 -- Set minimum version of certmonger to 0.26 (to pck up #621670) -- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) -- Set minimum version of pki-ca to 1.3.6 -- Set minimum version of sssd to 1.2.1 - -* Tue Aug 10 2010 Rob Crittenden - 1.99-26 -- Add BuildRequires for authconfig - -* Mon Jul 19 2010 Rob Crittenden - 1.99-25 -- Bump up minimum version of python-nss to pick up nss_is_initialize() API - -* Thu Jun 24 2010 Adam Young - 1.99-24 -- Removed python-asset based webui - -* Thu Jun 24 2010 Rob Crittenden - 1.99-23 -- Change Requires from fedora-ds-base to 389-ds-base -- Set minimum level of 389-ds-base to 1.2.6 for the replication - 
version plugin. - -* Tue Jun 1 2010 Rob Crittenden - 1.99-22 -- Drop Requires of python-krbV on ipa-client - -* Mon May 17 2010 Rob Crittenden - 1.99-21 -- Load ipa_dogtag.pp in post install - -* Mon Apr 26 2010 Rob Crittenden - 1.99-20 -- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. - -* Thu Mar 4 2010 Rob Crittenden - 1.99-19 -- No need to create /var/log/ipa_error.log since we aren't using - TurboGears any more. - -* Mon Mar 1 2010 Jason Gerard DeRose - 1.99-18 -- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included - -* Wed Feb 24 2010 Jason Gerard DeRose - 1.99-17 -- Added Require mod_wsgi, added share/ipa/wsgi.py - -* Thu Feb 11 2010 Jason Gerard DeRose - 1.99-16 -- Require python-wehjit >= 0.2.2 - -* Wed Feb 3 2010 Rob Crittenden - 1.99-15 -- Add sssd and certmonger as a Requires on ipa-client - -* Wed Jan 27 2010 Jason Gerard DeRose - 1.99-14 -- Require python-wehjit >= 0.2.0 - -* Fri Dec 4 2009 Rob Crittenden - 1.99-13 -- Add ipa-rmkeytab tool - -* Tue Dec 1 2009 Rob Crittenden - 1.99-12 -- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 - Any type - -* Wed Nov 25 2009 Rob Crittenden - 1.99-11 -- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf - -* Fri Nov 13 2009 Rob Crittenden - 1.99-10 -- Add bash completion script and own /etc/bash_completion.d in case it - doesn't already exist - -* Tue Nov 3 2009 Rob Crittenden - 1.99-9 -- Remove ipa_webgui, its functions rolled into ipa_httpd - -* Mon Oct 12 2009 Jason Gerard DeRose - 1.99-8 -- Removed python-cherrypy from BuildRequires and Requires -- Added Requires python-assets, python-wehjit - -* Mon Aug 24 2009 Rob Crittenden - 1.99-7 -- Added httpd SELinux policy so CRLs can be read - -* Thu May 21 2009 Rob Crittenden - 1.99-6 -- Move ipalib to ipa-python subpackage -- Bump minimum version of slapi-nis to 0.15 - -* Wed May 6 2009 Rob Crittenden - 1.99-5 -- Set 0.14 as minimum version for slapi-nis - -* Wed Apr 22 2009 Rob Crittenden - 
1.99-4 -- Add Requires: python-nss to ipa-python sub-package - -* Thu Mar 5 2009 Rob Crittenden - 1.99-3 -- Remove the IPA DNA plugin, use the DS one - -* Wed Mar 4 2009 Rob Crittenden - 1.99-2 -- Build radius separately -- Fix a few minor issues - -* Tue Feb 3 2009 Rob Crittenden - 1.99-1 -- Replace TurboGears requirement with python-cherrypy - -* Sat Jan 17 2009 Tomas Mraz - 1.2.1-3 -- rebuild with new openssl - -* Fri Dec 19 2008 Dan Walsh - 1.2.1-2 -- Fix SELinux code - -* Mon Dec 15 2008 Simo Sorce - 1.2.1-1 -- Fix breakage caused by python-kerberos update to 1.1 - -* Fri Dec 5 2008 Simo Sorce - 1.2.1-0 -- New upstream release 1.2.1 - -* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 1.2.0-4 -- Rebuild for Python 2.6 - -* Fri Nov 14 2008 Simo Sorce - 1.2.0-3 -- Respin after the tarball has been re-released upstream - New hash is 506c9c92dcaf9f227cba5030e999f177 - -* Thu Nov 13 2008 Simo Sorce - 1.2.0-2 -- Conditionally restart also dirsrv and httpd when upgrading - -* Wed Oct 29 2008 Rob Crittenden - 1.2.0-1 -- Update to upstream version 1.2.0 -- Set fedora-ds-base minimum version to 1.1.3 for winsync header -- Set the minimum version for SELinux policy -- Remove references to Fedora 7 - -* Wed Jul 23 2008 Simo Sorce - 1.1.0-3 -- Fix for CVE-2008-3274 -- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface -- Add fix for bug #453185 -- Rebuild against openldap libraries, mozldap ones do not work properly -- TurboGears is currently broken in rawhide. Added patch to not build - the UI locales and removed them from the ipa-server files section. 
- -* Wed Jun 18 2008 Rob Crittenden - 1.1.0-2 -- Add call to /usr/sbin/upgradeconfig to post install - -* Wed Jun 11 2008 Rob Crittenden - 1.1.0-1 -- Update to upstream version 1.1.0 -- Patch for indexing memberof attribute -- Patch for indexing uidnumber and gidnumber -- Patch to change DNA default values for replicas -- Patch to fix uninitialized variable in ipa-getkeytab - -* Fri May 16 2008 Rob Crittenden - 1.0.0-5 -- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum - version to 1.0.7-4 so we pick up the NSS fixes. -- Add selinux-policy-base(post) to Requires (446496) - -* Tue Apr 29 2008 Rob Crittenden - 1.0.0-4 -- Add missing entry for /var/cache/ipa/kpasswd (444624) -- Added patch to fix permissions problems with the Apache NSS database. -- Added patch to fix problem with DNS querying where the query could be - returned as the answer. -- Fix spec error where patch1 was in the wrong section - -* Fri Apr 25 2008 Rob Crittenden - 1.0.0-3 -- Added patch to fix problem reported by ldapmodify - -* Fri Apr 25 2008 Rob Crittenden - 1.0.0-2 -- Fix Requires for krb5-server that was missing for Fedora versions > 9 -- Remove quotes around test for fedora version to package egg-info - -* Fri Apr 18 2008 Rob Crittenden - 1.0.0-1 -- Update to upstream version 1.0.0 - -* Tue Mar 18 2008 Rob Crittenden 0.99-12 -- Pull upstream changelog 722 -- Add Conflicts mod_ssl (435360) - -* Fri Feb 29 2008 Rob Crittenden 0.99-11 -- Pull upstream changelog 698 -- Fix ownership of /var/log/ipa_error.log during install (435119) -- Add pwpolicy command and man page - -* Thu Feb 21 2008 Rob Crittenden 0.99-10 -- Pull upstream changelog 678 -- Add new subpackage, ipa-server-selinux -- Add Requires: authconfig to ipa-python (bz #433747) -- Package i18n files - -* Mon Feb 18 2008 Rob Crittenden 0.99-9 -- Pull upstream changelog 641 -- Require minimum version of krb5-server on F-7 and F-8 -- Package some new files - -* Thu Jan 31 2008 Rob Crittenden 0.99-8 -- Marked with wrong 
license. IPA is GPLv2. - -* Tue Jan 29 2008 Rob Crittenden 0.99-7 -- Ensure that /etc/ipa exists before moving user-modifiable html files there -- Put html files into /etc/ipa/html instead of /etc/ipa - -* Tue Jan 29 2008 Rob Crittenden 0.99-6 -- Pull upstream changelog 608 which renamed several files - -* Thu Jan 24 2008 Rob Crittenden 0.99-5 -- package the sessions dir /var/cache/ipa/sessions -- Pull upstream changelog 597 - -* Thu Jan 24 2008 Rob Crittenden 0.99-4 -- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the - UI to not start. - -* Thu Jan 24 2008 Rob Crittenden 0.99-3 -- Included LICENSE and README in all packages for documentation -- Move user-modifiable content to /etc/ipa and linked back to - /usr/share/ipa/html -- Changed some references to /usr to the {_usr} macro and /etc - to {_sysconfdir} -- Added popt-devel to BuildRequires for Fedora 8 and higher and - popt for Fedora 7 -- Package the egg-info for Fedora 9 and higher for ipa-python - -* Tue Jan 22 2008 Rob Crittenden 0.99-2 -- Added auto* BuildRequires - -* Mon Jan 21 2008 Rob Crittenden 0.99-1 -- Unified spec file - -* Thu Jan 17 2008 Rob Crittenden - 0.6.0-2 -- Fixed License in specfile -- Include files from /usr/lib/python*/site-packages/ipaserver - -* Fri Dec 21 2007 Karl MacMillan - 0.6.0-1 -- Version bump for release - -* Wed Nov 21 2007 Karl MacMillan - 0.5.0-1 -- Preverse mode on ipa-keytab-util -- Version bump for relase and rpm name change - -* Thu Nov 15 2007 Rob Crittenden - 0.4.1-2 -- Broke invididual Requires and BuildRequires onto separate lines and - reordered them -- Added python-tgexpandingformwidget as a dependency -- Require at least fedora-ds-base 1.1 - -* Thu Nov 1 2007 Karl MacMillan - 0.4.1-1 -- Version bump for release - -* Wed Oct 31 2007 Karl MacMillan - 0.4.0-6 -- Add dep for freeipa-admintools and acl - -* Wed Oct 24 2007 Rob Crittenden - 0.4.0-5 -- Add dependency for python-krbV - -* Fri Oct 19 2007 Rob Crittenden - 0.4.0-4 -- Require 
mod_nss-1.0.7-2 for mod_proxy fixes
-
-* Thu Oct 18 2007 Karl MacMillan - 0.4.0-3
-- Convert to autotools-based build
-
-* Tue Sep 25 2007 Karl MacMillan - 0.4.0-2
-
-* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1
-- Added support for libipa-dna-plugin
-
-* Fri Aug 10 2007 Karl MacMillan - 0.2.0-1
-- Added support for ipa_kpasswd and ipa_pwd_extop
-
-* Sun Aug 5 2007 Rob Crittenden - 0.1.0-3
-- Abstracted client class to work directly or over RPC
-
-* Wed Aug 1 2007 Rob Crittenden - 0.1.0-2
-- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
-- Remove references to admin server in ipa-server-setupssl
-- Generate a client certificate for the XML-RPC server to connect to LDAP with
-- Create a keytab for Apache
-- Create an ldif with a test user
-- Provide a certmap.conf for doing SSL client authentication
-
-* Fri Jul 27 2007 Karl MacMillan - 0.1.0-1
-- Initial rpm version
diff --git a/freeipa-4.12.2.tar.gz.asc b/freeipa-4.12.2.tar.gz.asc
new file mode 100644
index 0000000..1b665cb
--- /dev/null
+++ b/freeipa-4.12.2.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEL88tWdi+3Yi1YO6/QPd0nE8v3u0FAmbGIAgACgkQQPd0nE8v
+3u25Hg//cSLyagXQ6cDnpR4TiLBTrbRu8rycJt8qWK2c+VtnjFb5jWHz8P4dyQ2t
+liduXvT9SLSuwaDRySNGgWrA1LDxm+VLv0pyjuCBX59T7EHwz3mtmBDA2WHpgOZ1
+q2owCbhZRHtEd53T8bQBi8zUbqOqZoU/yc03Vt8h5XcrA5Pxxlm9sSIzC0RHToud
+uTGLNyIUQR5el+kfvUkBuyuRB0LMqZNo/xFcmV4lc0VO37EA07nSleNliYE06fwi
+soDR+qrpt4I4vpCVjtbQsJF5dtaFpmHbbshmIudyriBBlukmpXvlFXkBXdZruZKW
+x/+abovaGgwdx2BdMBAPXrSByzXPNGQhF0jfC7VUS5NTehWQ3yjoTylOgwyYjsCp
+zKAH4KJeDEnn6Epb+DhC8DxQy9JaviALYkYZDw6qt9JkMiZUudnPsEz/KZkk/F5C
+VLKTI6vv+6wXUMt0NjUyuvcb3xHpks8RuZ7pbxoS09kceSC4jAsgeFc6JI+F5QC5
+1IO+yrwGj/s22lusb8BPEEM9DQQI27V5Ljeb3NxdASZE4cgJAOIyIe8aUeEf8Q6Z
+a696Slrhy8uuQkMXCUMKrrK1E7bHgIZszdy9rNM4JTYVWjLNXstkErqdmbeQ1zUN
+VyT+DT8dK/fqvH9NBpyUNbXtzpSm+bfAqWOJKvQrTnyknfIGdKw=
+=ReWc
+-----END PGP SIGNATURE-----
diff --git a/freeipa.spec b/freeipa.spec
new file mode 100644
index 0000000..cc35da0
--- /dev/null
+++ b/freeipa.spec
@@ -0,0 +1,3360 @@ +%define ipa_requires_gt() %(LC_ALL="C" echo '%*' | xargs -r rpm -q --qf 'Requires: %%{name} >= %%{epoch}:%%{version}-%%{release}\\n' | sed -e 's/ (none):/ /' -e 's/ 0:/ /' | grep -v "is not") + +# ipatests enabled by default, can be disabled with --without ipatests +%bcond_without ipatests +# default to not use XML-RPC in Rawhide, can be turned around with --with ipa_join_xml +# On RHEL 8 we should use --with ipa_join_xml +%bcond_with ipa_join_xml + +# Linting is disabled by default, needed for upstream testing +%bcond_with lint + +# Build documentation with sphinx +%bcond_with doc + +# Build Python wheels +%bcond_with wheels + +# 389-ds-base 1.4 no longer supports i686 platform, build only client +# packages, https://bugzilla.redhat.com/show_bug.cgi?id=1544386 +%ifarch %{ix86} + %{!?ONLY_CLIENT:%global ONLY_CLIENT 1} +%endif + +# Define ONLY_CLIENT to only make the ipa-client and ipa-python +# subpackages +%{!?ONLY_CLIENT:%global ONLY_CLIENT 0} +%if %{ONLY_CLIENT} + %global enable_server_option --disable-server +%else + %global enable_server_option --enable-server +%endif + +%if %{ONLY_CLIENT} + %global with_ipatests 0 +%endif + +# Whether to build ipatests +%if %{with ipatests} + %global with_ipatests_option --with-ipatests +%else + %global with_ipatests_option --without-ipatests +%endif + +# Whether to use XML-RPC with ipa-join +%if %{with ipa_join_xml} + %global with_ipa_join_xml_option --with-ipa-join-xml +%else + %global with_ipa_join_xml_option --without-ipa-join-xml +%endif + +# lint is not executed during rpmbuild +# %%global with_lint 1 +%if %{with lint} + %global linter_options --enable-pylint --without-jslint --enable-rpmlint +%else + %global linter_options --disable-pylint --without-jslint --disable-rpmlint +%endif + +# Include SELinux subpackage +%if 0%{?fedora} >= 30 || 0%{?rhel} >= 8 + %global with_selinux 1 + %global selinuxtype targeted + %global modulename ipa +%endif + +%if 0%{?rhel} +%global package_name ipa +%global 
alt_name freeipa +%global krb5_version 1.20.1-1 +%global krb5_kdb_version 9.0 +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.19 +%global samba_version 4.20.0 +%global slapi_nis_version 0.70.0 +%global python_ldap_version 3.1.0-1 +%if 0%{?rhel} < 9 +# Bug 1929067 - PKI instance creation failed with new 389-ds-base build +%global ds_version 1.4.3.16-12 +%global selinux_policy_version 3.14.3-107 +%else +# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility +%global ds_version 2.1.0 +%global selinux_policy_version 38.1.1-1 +%endif + +# Fix for TLS 1.3 PHA, RHBZ#1775158 +%global httpd_version 2.4.37-21 +%global bind_version 9.11.20-6 + +# support for passkey +%global sssd_version 2.9.0 + +%else +# Fedora +%global package_name freeipa +%global alt_name ipa +# 0.7.16: https://github.com/drkjam/netaddr/issues/71 +%global python_netaddr_version 0.7.16 +# Require 4.20.0 for libndr4 +%global samba_version 2:4.20.0 + +# 38.28 or later includes passkey-related fixes +%global selinux_policy_version 38.28-1 + +%global slapi_nis_version 0.70.0 + +# Require new KDB ABI +%global krb5_version 1.21.2 +%global krb5_kdb_version 9.0 + +# fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324 +%global python_ldap_version 3.1.0-1 + +# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4700 +# and has DNA interval enabled +# version supporting LMDB and lib389.cli_ctl.dblib.run_dbscan utility +%if 0%{?fedora} < 34 +%global ds_version 1.4.4.16-1 +%else +%global ds_version 2.1.0 +%endif + +# Fix for TLS 1.3 PHA, RHBZ#1775146 +%global httpd_version 2.4.41-9 + +# Fix for RHBZ#2117342 +%global bind_version 32:9.18.7-1 + +# Don't use Fedora's Python dependency generator on Fedora 30/rawhide yet. +# Some packages don't provide new dist aliases. 
+# https://docs.fedoraproject.org/en-US/packaging-guidelines/Python/ +%{?python_disable_dependency_generator} + +# Support for passkey +%global sssd_version 2.9.2 + +# Fedora +%endif + +# BIND employs 'pkcs11' OpenSSL engine instead of native PKCS11 +# Fedora 31+ uses OpenSSL engine, as well as Fedora ELN (RHEL9) +%if 0%{?fedora} || 0%{?rhel} >= 9 + %global openssl_pkcs11_version 0.4.10-6 + %global softhsm_version 2.5.0-4 +%else + %global with_bind_pkcs11 1 +%endif + +%if 0%{?rhel} == 8 +# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 +%global pki_version 10.10.5 +%else +# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609 +%global pki_version 10.10.5 +%endif + +# RHEL 8.3+, F32+ has 0.79.13 +%global certmonger_version 0.79.17-1 + +# RHEL 8.2+, F32+ has 3.58 +%global nss_version 3.44.0-4 + +%define krb5_base_version %(LC_ALL=C /usr/bin/pkgconf --modversion krb5 2>/dev/null | grep -Eo '^[^.]+\.[^.]+' || echo %krb5_version) +%global kdcproxy_version 0.4-3 + +%if 0%{?fedora} >= 33 || 0%{?rhel} >= 9 +# systemd with resolved enabled +# see https://pagure.io/freeipa/issue/8275 +%global systemd_version 246.6-3 +%else +%global systemd_version 239 +%endif + +# augeas support for new chrony options +# see https://pagure.io/freeipa/issue/8676 +# https://bugzilla.redhat.com/show_bug.cgi?id=1931787 +%if 0%{?fedora} >= 33 +%global augeas_version 1.12.0-6 +%else +%if 0%{?rhel} >= 9 +%global augeas_version 1.12.1-0 +%else +%global augeas_version 1.12.0-3 +%endif +%endif + +%global plugin_dir %{_libdir}/dirsrv/plugins +%global etc_systemd_dir %{_sysconfdir}/systemd/system +%global gettext_domain ipa + +%define _hardened_build 1 + +# Work-around fact that RPM SPEC parser does not accept +# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement +%define IPA_VERSION 4.12.2 +# Release candidate version -- uncomment with one percent for RC 
versions +#%%global rc_version +%define AT_SIGN @ +# redefine IPA_VERSION only if its value matches the Autoconf placeholder +%if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" + %define IPA_VERSION nonsense.to.please.RPM.SPEC.parser +%endif + +%define NON_DEVELOPER_BUILD ("%{lua: print(rpm.expand('%{suffix:%IPA_VERSION}'):find('^dev'))}" == "nil") + +Name: %{package_name} +Version: %{IPA_VERSION} +Release: 1.1%{?rc_version:.%rc_version}%{?dist} +Summary: The Identity, Policy and Audit system + +License: GPL-3.0-or-later +URL: http://www.freeipa.org/ +Source0: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz +# Only use detached signature for the distribution builds. If it is a developer build, skip it +%if %{NON_DEVELOPER_BUILD} +Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_version}.tar.gz.asc +# https://www.freeipa.org/page/Verify_Release_Signature +# +# The following commands can be used to fetch the signing key via fingerprint +# and extract it: +# fpr=0E63D716D76AC080A4A33513F40800B6298EB963 +# gpg --keyserver keys.openpgp.org --receive-keys $fpr +# gpg --armor --export-options export-minimal --export $fpr >gpgkey-$fpr.asc +Source2: gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc +%endif + +# RHEL spec file only: START: Change branding to IPA and Identity Management +# Moved branding logos and background to redhat-logos-ipa-80.4: +# header-logo.png, login-screen-background.jpg, login-screen-logo.png, +# product-name.png +# RHEL spec file only: END: Change branding to IPA and Identity Management + +# RHEL spec file only: START +%if %{NON_DEVELOPER_BUILD} +%if 0%{?rhel} == 8 +Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch +Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +%endif +%if 0%{?rhel} >= 9 +Patch0002: 0002-freeipa-disable-nis.patch +Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch +%endif +%endif +# RHEL spec file only: END + 
+BuildRequires: openldap-devel +# For KDB DAL version, make explicit dependency so that increase of version +# will cause the build to fail due to unsatisfied dependencies. +# DAL version change may cause code crash or memory leaks, it is better to fail early. +BuildRequires: krb5-kdb-version = %{krb5_kdb_version} +BuildRequires: krb5-kdb-devel-version = %{krb5_kdb_version} +BuildRequires: krb5-devel >= %{krb5_version} +BuildRequires: pkgconfig(krb5) +%if %{with ipa_join_xml} +# 1.27.4: xmlrpc_curl_xportparms.gssapi_delegation +BuildRequires: xmlrpc-c-devel >= 1.27.4 +%else +BuildRequires: libcurl-devel +BuildRequires: jansson-devel +%endif +BuildRequires: popt-devel +BuildRequires: gcc +BuildRequires: gnupg2 +BuildRequires: make +BuildRequires: pkgconfig +BuildRequires: pkgconf +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: make +BuildRequires: libtool +BuildRequires: gettext +BuildRequires: gettext-devel +BuildRequires: python3-devel +BuildRequires: python3-setuptools +BuildRequires: python3-argcomplete +BuildRequires: systemd >= %{systemd_version} +# systemd-tmpfiles which is executed from make install requires apache user +BuildRequires: httpd +BuildRequires: nspr-devel +BuildRequires: openssl-devel +BuildRequires: libini_config-devel +BuildRequires: cyrus-sasl-devel +%if ! 
%{ONLY_CLIENT} +BuildRequires: 389-ds-base-devel >= %{ds_version} +BuildRequires: samba-devel >= %{samba_version} +BuildRequires: libtalloc-devel +BuildRequires: libtevent-devel +BuildRequires: libuuid-devel +BuildRequires: libpwquality-devel +BuildRequires: libsss_idmap-devel +BuildRequires: libsss_certmap-devel +BuildRequires: libsss_nss_idmap-devel >= %{sssd_version} +%if 0%{?fedora} >= 41 +# Do not use nodejs22 on fedora < 41, https://pagure.io/freeipa/issue/9643 +BuildRequires: nodejs(abi) +%elif 0%{?fedora} >= 39 || 0%{?rhel} >= 10 +# Do not use nodejs20 on fedora < 39, https://pagure.io/freeipa/issue/9374 +BuildRequires: nodejs(abi) < 127 +%else +BuildRequires: nodejs(abi) < 111 +%endif +# use old dependency on RHEL 8 for now +%if 0%{?fedora} >= 31 || 0%{?rhel} >= 9 +BuildRequires: python3-rjsmin +%else +BuildRequires: uglify-js +%endif +BuildRequires: libverto-devel +BuildRequires: libunistring-devel +# 0.13.0: https://bugzilla.redhat.com/show_bug.cgi?id=1584773 +# 0.13.0-2: fix for missing dependency on python-six +BuildRequires: python3-lesscpy >= 0.13.0-2 +BuildRequires: cracklib-dicts +# ONLY_CLIENT +%endif + +# +# Build dependencies for makeapi/makeaci +# +BuildRequires: python3-cffi +BuildRequires: python3-dns +BuildRequires: python3-ldap >= %{python_ldap_version} +BuildRequires: python3-libsss_nss_idmap +BuildRequires: python3-netaddr >= %{python_netaddr_version} +BuildRequires: python3-pyasn1 +BuildRequires: python3-pyasn1-modules +BuildRequires: python3-six +BuildRequires: python3-psutil + +# +# Build dependencies for wheel packaging and PyPI upload +# +%if %{with wheels} +BuildRequires: dbus-glib-devel +BuildRequires: libffi-devel +BuildRequires: python3-tox +%if 0%{?fedora} <= 28 +BuildRequires: python3-twine +%else +BuildRequires: twine +%endif +BuildRequires: python3-wheel +# with_wheels +%endif + +%if %{with doc} +BuildRequires: python3-sphinx +BuildRequires: plantuml +BuildRequires: fontconfig +BuildRequires: google-noto-sans-vf-fonts +%endif 
+
+#
+# Build dependencies for lint and fastcheck
+#
+%if %{with lint}
+
+# python3-pexpect might not be available in RHEL9
+%if 0%{?fedora} || 0%{?rhel} < 9
+BuildRequires: python3-pexpect
+%endif
+
+# jsl is orphaned in Fedora 34+
+%if 0%{?fedora} < 34
+BuildRequires: jsl
+%endif
+
+BuildRequires: git
+BuildRequires: nss-tools
+BuildRequires: rpmlint
+BuildRequires: softhsm
+
+BuildRequires: keyutils
+BuildRequires: python3-augeas
+BuildRequires: python3-cffi
+BuildRequires: python3-cryptography >= 1.6
+BuildRequires: python3-dateutil
+BuildRequires: python3-dbus
+BuildRequires: python3-dns >= 1.15
+BuildRequires: python3-docker
+BuildRequires: python3-gssapi >= 1.2.0
+BuildRequires: python3-jinja2
+BuildRequires: python3-jwcrypto >= 0.4.2
+BuildRequires: python3-ldap >= %{python_ldap_version}
+BuildRequires: python3-ldap >= %{python_ldap_version}
+BuildRequires: python3-lib389 >= %{ds_version}
+BuildRequires: python3-libipa_hbac
+BuildRequires: python3-libsss_nss_idmap
+BuildRequires: python3-lxml
+BuildRequires: python3-netaddr >= %{python_netaddr_version}
+BuildRequires: python3-ifaddr
+BuildRequires: python3-pki >= %{pki_version}
+BuildRequires: python3-polib
+BuildRequires: python3-pyasn1
+BuildRequires: python3-pyasn1-modules
+BuildRequires: python3-pycodestyle
+# .wheelconstraints.in limits pylint version in Azure and tox tests
+BuildRequires: python3-pylint
+BuildRequires: python3-pytest-multihost
+BuildRequires: python3-pytest-sourceorder
+BuildRequires: python3-qrcode-core >= 5.0.0
+BuildRequires: python3-samba
+BuildRequires: python3-six
+BuildRequires: python3-sss
+BuildRequires: python3-sss-murmur
+BuildRequires: python3-sssdconfig >= %{sssd_version}
+BuildRequires: python3-systemd
+BuildRequires: python3-yaml
+BuildRequires: python3-yubico
+# with_lint
+%endif
+
+#
+# Build dependencies for unit tests
+#
+%if !
%{ONLY_CLIENT}
+BuildRequires: libcmocka-devel
+# Required by ipa_kdb_tests
+BuildRequires: krb5-server >= %{krb5_version}
+# ONLY_CLIENT
+%endif
+
+# Build dependencies for SELinux policy
+%if %{with selinux}
+BuildRequires: selinux-policy-devel >= %{selinux_policy_version}
+%endif
+
+%description
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+
+
+%if ! %{ONLY_CLIENT}
+
+%package server
+Summary: The IPA authentication server
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-client = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipaserver = %{version}-%{release}
+Requires: python3-ldap >= %{python_ldap_version}
+Requires: 389-ds-base >= %{ds_version}
+Requires: openldap-clients > 2.4.35-4
+Requires: nss-tools >= %{nss_version}
+Requires(post): krb5-server >= %{krb5_version}
+Requires(post): krb5-server >= %{krb5_base_version}
+Requires: krb5-kdb-version = %{krb5_kdb_version}
+Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: chrony
+Requires: httpd >= %{httpd_version}
+Requires(preun): python3
+Requires(postun): python3
+Requires: python3-gssapi >= 1.2.0-5
+Requires: python3-systemd
+Requires: python3-mod_wsgi
+Requires: mod_auth_gssapi >= 1.5.0
+Requires: mod_ssl >= %{httpd_version}
+Requires: mod_session >= %{httpd_version}
+# 0.9.9: https://github.com/adelton/mod_lookup_identity/pull/3
+Requires: mod_lookup_identity >= 0.9.9
+Requires: acl
+Requires: systemd-units >= %{systemd_version}
+Requires(pre): systemd-units >= %{systemd_version}
+Requires(post): systemd-units >= %{systemd_version}
+Requires(preun): systemd-units >= %{systemd_version}
+Requires(postun): systemd-units >=
%{systemd_version}
+Requires(pre): shadow-utils
+Requires: selinux-policy >= %{selinux_policy_version}
+Requires(post): selinux-policy-base >= %{selinux_policy_version}
+Requires: slapi-nis >= %{slapi_nis_version}
+Requires: pki-ca >= %{pki_version}
+Requires: pki-kra >= %{pki_version}
+# pki-acme package was split out in pki-10.10.0
+Requires: (pki-acme >= %{pki_version} if pki-ca >= 10.10.0)
+Requires: policycoreutils >= 2.1.12-5
+Requires: tar
+Requires(pre): certmonger >= %{certmonger_version}
+Requires(pre): 389-ds-base >= %{ds_version}
+Requires: font(fontawesome)
+Requires: open-sans-fonts
+%if 0%{?fedora} >= 32 || 0%{?rhel} >= 9
+# https://pagure.io/freeipa/issue/8632
+Requires: openssl > 1.1.1i
+%else
+Requires: openssl
+%endif
+Requires: softhsm >= 2.0.0rc1-1
+Requires: p11-kit
+Requires: %{etc_systemd_dir}
+Requires: gzip
+Requires: oddjob
+# 0.7.0-2: https://pagure.io/gssproxy/pull-request/172
+Requires: gssproxy >= 0.7.0-2
+Requires: sssd-dbus >= %{sssd_version}
+Requires: libpwquality
+Requires: cracklib-dicts
+# NDR libraries are internal in Samba and change with version without changing SONAME
+%ipa_requires_gt samba-client-libs
+
+Provides: %{alt_name}-server = %{version}
+Conflicts: %{alt_name}-server
+Obsoletes: %{alt_name}-server < %{version}
+
+# With FreeIPA 3.3, package freeipa-server-selinux was obsoleted as the
+# entire SELinux policy is stored in the system policy
+Obsoletes: freeipa-server-selinux < 3.3.0
+
+# upgrade path from monolithic -server to -server + -server-dns
+Obsoletes: %{name}-server <= 4.2.0
+
+# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
+# member.
+Conflicts: nss-pam-ldapd < 0.8.4
+
+# RHEL spec file only: START: Do not build tests
+%if 0%{?rhel} == 8
+# ipa-tests subpackage was moved to separate srpm
+Conflicts: ipa-tests < 3.3.3-9
+%endif
+# RHEL spec file only: END: Do not build tests
+
+%description server
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+
+%package -n python3-ipaserver
+Summary: Python libraries used by IPA server
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaserver}
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+# we need pre-requires since earlier versions may break upgrade
+Requires(pre): python3-ldap >= %{python_ldap_version}
+Requires: python3-augeas
+Requires: augeas-libs >= %{augeas_version}
+Requires: python3-dbus
+Requires: python3-dns >= 1.15
+Requires: python3-gssapi >= 1.2.0
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-kdcproxy >= %{kdcproxy_version}
+Requires: python3-lxml
+Requires: python3-pki >= %{pki_version}
+Requires: python3-pyasn1 >= 0.3.2-2
+Requires: python3-sssdconfig >= %{sssd_version}
+Requires: python3-psutil
+Requires: rpm-libs
+# For urllib3.util.ssl_match_hostname
+Requires: python3-urllib3 >= 1.25.8
+
+%description -n python3-ipaserver
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services).
The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+
+%package server-common
+Summary: Common files used by IPA server
+BuildArch: noarch
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: httpd >= %{httpd_version}
+Requires: systemd-units >= %{systemd_version}
+%if 0%{?rhel} >= 8 && ! 0%{?eln}
+Requires: system-logos-ipa >= 80.4
+%endif
+
+Provides: %{alt_name}-server-common = %{version}
+Conflicts: %{alt_name}-server-common
+Obsoletes: %{alt_name}-server-common < %{version}
+
+%description server-common
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+
+%package server-dns
+Summary: IPA integrated DNS server with support for automatic DNSSEC signing
+BuildArch: noarch
+Requires: %{name}-server = %{version}-%{release}
+Requires: bind-dyndb-ldap >= 11.2-2
+Requires: bind >= %{bind_version}
+Requires: bind-utils >= %{bind_version}
+# bind-dnssec-utils is required by the OpenDNSSec integration
+# https://pagure.io/freeipa/issue/9026
+Requires: bind-dnssec-utils >= %{bind_version}
+%if %{with bind_pkcs11}
+Requires: bind-pkcs11 >= %{bind_version}
+%else
+Requires: softhsm >= %{softhsm_version}
+Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+%endif
+# See https://bugzilla.redhat.com/show_bug.cgi?id=1825812
+# RHEL 8.3+ and Fedora 32+ have 2.1
+Requires: opendnssec >= 2.1.6-5
+%{?systemd_requires}
+
+Provides: %{alt_name}-server-dns = %{version}
+Conflicts: %{alt_name}-server-dns
+Obsoletes: %{alt_name}-server-dns < %{version}
+
+# upgrade path from monolithic -server to -server + -server-dns
+Obsoletes: %{name}-server <= 4.2.0
+
+%description server-dns
+IPA integrated DNS server with support for automatic DNSSEC signing.
+Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
+
+
+%package server-trust-ad
+Summary: Virtual package to install packages required for Active Directory trusts
+Requires: %{name}-server = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+
+Requires: samba >= %{samba_version}
+Requires: samba-winbind
+Requires: sssd-winbind-idmap
+Requires: libsss_idmap
+%if 0%{?rhel}
+Obsoletes: ipa-idoverride-memberof-plugin <= 0.1
+%endif
+Requires(post): python3
+Requires: python3-samba
+Requires: python3-libsss_nss_idmap
+Requires: python3-sss
+
+# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
+# on the installes where server-trust-ad subpackage is installed because
+# IPA AD trusts cannot be used at the same time with the locator plugin
+# since Winbindd will be configured in a different mode
+Requires(post): %{_sbindir}/update-alternatives
+Requires(postun): %{_sbindir}/update-alternatives
+Requires(preun): %{_sbindir}/update-alternatives
+
+Provides: %{alt_name}-server-trust-ad = %{version}
+Conflicts: %{alt_name}-server-trust-ad
+Obsoletes: %{alt_name}-server-trust-ad < %{version}
+
+%description server-trust-ad
+Cross-realm trusts with Active Directory in IPA require working Samba 4
+installation. This package is provided for convenience to install all required
+dependencies at once.
+
+# ONLY_CLIENT
+%endif
+
+
+%package client
+Summary: IPA authentication for use on clients
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-gssapi >= 1.2.0-5
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-ldap >= %{python_ldap_version}
+Requires: python3-sssdconfig >= %{sssd_version}
+Requires: cyrus-sasl-gssapi%{?_isa}
+Requires: chrony
+Requires: krb5-workstation >= %{krb5_version}
+# support pkinit with client install
+Requires: krb5-pkinit-openssl >= %{krb5_version}
+# authselect: sssd profile with-subid
+%if 0%{?fedora} >= 36
+Requires: authselect >= 1.4.0
+%else
+Requires: authselect >= 1.2.5
+%endif
+Requires: curl
+# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
+# All Fedora 28+ and RHEL8+ contain the service in hostname package
+Requires: hostname
+Requires: libcurl >= 7.21.7-2
+%if %{with ipa_join_xml}
+Requires: xmlrpc-c >= 1.27.4
+%else
+Requires: jansson
+%endif
+Requires: sssd-ipa >= %{sssd_version}
+Requires: sssd-idp >= %{sssd_version}
+Requires: sssd-krb5 >= %{sssd_version}
+Requires: certmonger >= %{certmonger_version}
+Requires: nss-tools >= %{nss_version}
+Requires: bind-utils
+Requires: oddjob-mkhomedir
+Requires: libsss_autofs
+Requires: autofs
+Requires: libnfsidmap
+Requires: (nfs-utils or nfsv4-client-utils)
+Requires: sssd-tools >= %{sssd_version}
+Requires(post): policycoreutils
+
+# https://pagure.io/freeipa/issue/8530
+Recommends: libsss_sudo
+Recommends: sudo
+Requires: (libsss_sudo if sudo)
+
+# Passkey support
+Recommends: sssd-passkey
+
+Provides: %{alt_name}-client = %{version}
+Conflicts: %{alt_name}-client
+Obsoletes: %{alt_name}-client < %{version}
+
+Provides: %{alt_name}-admintools = %{version}
+Conflicts: %{alt_name}-admintools
+Obsoletes: %{alt_name}-admintools < 4.4.1
+
+Obsoletes: %{name}-admintools < 4.4.1
+Provides: %{name}-admintools = %{version}-%{release}
+
+%if 0%{?rhel} == 8
+# Conflict
with crypto-policies < 20200629-1 to get AD-SUPPORT policy module
+Conflicts: crypto-policies < 20200629-1
+%endif
+
+%if 0%{?rhel} == 9
+# Conflict with crypto-policies < 20220223-1 to get upgraded AD-SUPPORT and
+# AD-SUPPORT-LEGACY policy modules
+Conflicts: crypto-policies < 20220223-1
+%endif
+
+%description client
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+This package provides command-line tools for IPA administrators.
+
+%package client-samba
+Summary: Tools to configure Samba on IPA client
+Group: System Environment/Base
+Requires: %{name}-client = %{version}-%{release}
+Requires: python3-samba
+Requires: samba-client
+Requires: samba-winbind
+Requires: samba-common-tools
+Requires: samba
+Requires: sssd-winbind-idmap
+Requires: tdb-tools
+Requires: cifs-utils
+
+%description client-samba
+This package provides command-line tools to deploy Samba domain member
+on the machine enrolled into a FreeIPA environment
+
+%package client-epn
+Summary: Tools to configure Expiring Password Notification in IPA
+Group: System Environment/Base
+Requires: %{name}-client = %{version}-%{release}
+Requires: systemd-units >= %{systemd_version}
+Requires(post): systemd-units >= %{systemd_version}
+Requires(preun): systemd-units >= %{systemd_version}
+Requires(postun): systemd-units >= %{systemd_version}
+
+%description client-epn
+This package provides a service to collect and send expiring password
+notifications via email (SMTP).
+
+%package -n python3-ipaclient
+Summary: Python libraries used by IPA client
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaclient}
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipalib = %{version}-%{release}
+Requires: python3-augeas
+Requires: augeas-libs >= %{augeas_version}
+Requires: python3-dns >= 1.15
+Requires: python3-jinja2
+
+%description -n python3-ipaclient
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+
+%package client-common
+Summary: Common files used by IPA client
+BuildArch: noarch
+
+Provides: %{alt_name}-client-common = %{version}
+Conflicts: %{alt_name}-client-common
+Obsoletes: %{alt_name}-client-common < %{version}
+# python2-ipa* packages are no longer available in 4.8.
+Obsoletes: python2-ipaclient < 4.8.0-1
+Obsoletes: python2-ipalib < 4.8.0-1
+Obsoletes: python2-ipaserver < 4.8.0-1
+Obsoletes: python2-ipatests < 4.8.0-1
+
+
+%description client-common
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+
+
+%package python-compat
+Summary: Compatiblity package for Python libraries used by IPA
+BuildArch: noarch
+Obsoletes: %{name}-python < 4.2.91
+Provides: %{name}-python = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipalib = %{version}-%{release}
+
+Provides: %{alt_name}-python-compat = %{version}
+Conflicts: %{alt_name}-python-compat
+Obsoletes: %{alt_name}-python-compat < %{version}
+
+Obsoletes: %{alt_name}-python < 4.2.91
+Provides: %{alt_name}-python = %{version}
+
+%description python-compat
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+This is a compatibility package to accommodate %{name}-python split into
+python3-ipalib and %{name}-common. Packages still depending on
+%{name}-python should be fixed to depend on python2-ipaclient or
+%{name}-common instead.
+
+
+%package -n python3-ipalib
+Summary: Python3 libraries used by IPA
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipalib}
+Provides: python3-ipapython = %{version}-%{release}
+%{?python_provide:%python_provide python3-ipapython}
+Provides: python3-ipaplatform = %{version}-%{release}
+%{?python_provide:%python_provide python3-ipaplatform}
+Requires: %{name}-common = %{version}-%{release}
+# we need pre-requires since earlier versions may break upgrade
+Requires(pre): python3-ldap >= %{python_ldap_version}
+Requires: gnupg2
+Requires: keyutils
+Requires: python3-argcomplete
+Requires: python3-cffi
+Requires: python3-cryptography >= 1.6
+Requires: python3-dateutil
+Requires: python3-dbus
+Requires: python3-dns >= 1.15
+Requires: python3-gssapi >= 1.2.0
+Requires: python3-jwcrypto >= 0.4.2
+Requires: python3-libipa_hbac
+Requires: python3-netaddr >= %{python_netaddr_version}
+Requires: python3-ifaddr >= 0.1.7
+Requires: python3-pyasn1 >= 0.3.2-2
+Requires: python3-pyasn1-modules >= 0.3.2-2
+Requires: python3-pyusb
+Requires: python3-qrcode-core >= 5.0.0
+Requires: python3-requests
+Requires: python3-six
+Requires: python3-sss-murmur
+Requires: python3-yubico >= 1.3.2-7
+%if 0%{?rhel} && 0%{?rhel} == 8
+Requires: platform-python-setuptools
+%else
+Requires: python3-setuptools
+%endif
+# For urllib3.util.ssl_match_hostname
+Requires: python3-urllib3 >= 1.25.8
+Requires: python3-systemd
+
+%description -n python3-ipalib
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are using IPA with Python 3, you need to install this package.
+
+
+%package common
+Summary: Common files used by IPA
+BuildArch: noarch
+Conflicts: %{name}-python < 4.2.91
+
+Provides: %{alt_name}-common = %{version}
+Conflicts: %{alt_name}-common
+Obsoletes: %{alt_name}-common < %{version}
+
+Conflicts: %{alt_name}-python < %{version}
+
+%if %{with selinux}
+# This ensures that the *-selinux package and all it’s dependencies are not
+# pulled into containers and other systems that do not use SELinux. The
+# policy defines types and file contexts for client and server.
+Requires: (%{name}-selinux if selinux-policy-%{selinuxtype})
+%endif
+
+%description common
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are using IPA, you need to install this package.
+
+
+%if %{with ipatests}
+
+%package -n python3-ipatests
+Summary: IPA tests and test tools
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipatests}
+Requires: python3-ipaclient = %{version}-%{release}
+Requires: python3-ipaserver = %{version}-%{release}
+Requires: iptables
+Requires: python3-cryptography >= 1.6
+%if 0%{?fedora}
+# These packages do not exist on RHEL and for ipatests use
+# they are installed on the controller through other means
+Requires: ldns-utils
+Requires: python3-pexpect
+# update-crypto-policies
+Requires: crypto-policies-scripts
+Requires: python3-polib
+Requires: python3-pytest >= 3.9.1
+Requires: python3-pytest-multihost >= 0.5
+Requires: python3-pytest-sourceorder
+Requires: sshpass
+%endif
+Requires: python3-sssdconfig >= %{sssd_version}
+Requires: tar
+Requires: xz
+Requires: openssh-clients
+%if 0%{?rhel}
+AutoReqProv: no
+%endif
+
+%description -n python3-ipatests
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+This package contains tests that verify IPA functionality under Python 3.
+
+# with ipatests
+%endif
+
+
+%if %{with selinux}
+# SELinux subpackage
+%package selinux
+Summary: FreeIPA SELinux policy
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+%{?selinux_requires}
+
+%description selinux
+Custom SELinux policy module for FreeIPA
+
+%package selinux-nfast
+Summary: FreeIPA SELinux policy for nCipher nfast HSMs
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+%{?selinux_requires}
+
+%description selinux-nfast
+Custom SELinux policy module for nCipher nfast HSMs
+
+%package selinux-luna
+Summary: FreeIPA SELinux policy for Thales Luna HSMs
+BuildArch: noarch
+Requires: selinux-policy-%{selinuxtype}
+Requires(post): selinux-policy-%{selinuxtype}
+%{?selinux_requires}
+
+%description selinux-luna
+Custom SELinux policy module for Thales Luna HSMs
+# with selinux
+%endif
+
+
+%prep
+# Verify release signature
+%if %{NON_DEVELOPER_BUILD}
+%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}'
+%endif
+
+%autosetup -n freeipa-%{version}%{?rc_version} -N -p1
+
+# To allow proper application patches to the stripped po files, strip originals
+pushd po
+for i in *.po ; do
+ msgattrib --translated --no-fuzzy --no-location -s $i > $i.tmp || exit 1
+ mv $i.tmp $i || exit 1
+done
+popd
+
+%autopatch -p1
+
+%build
+# PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
+export PATH=/usr/bin:/usr/sbin:$PATH
+
+export PYTHON=%{__python3}
+autoreconf -ivf
+%configure --with-vendor-suffix=-%{release} \
+ %{enable_server_option} \
+ %{with_ipatests_option} \
+ %{with_ipa_join_xml_option} \
+ %{linter_options}
+
+# run build in default dir
+# -Onone is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1398405
+%make_build -Onone
+
+
+%check
+make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
+
+
+%install
+# Please put as much logic as possible into make install.
It allows:
+# - easier porting to other distributions
+# - rapid devel & install cycle using make install
+# (instead of full RPM build and installation each time)
+#
+# All files and directories created by spec install should be marked as ghost.
+# (These are typically configuration files created by IPA installer.)
+# All other artifacts should be created by make install.
+
+%make_install
+
+# don't package ipasphinx for now
+rm -rf %{buildroot}%{python3_sitelib}/ipasphinx*
+
+%if %{with ipatests}
+mv %{buildroot}%{_bindir}/ipa-run-tests %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version}
+mv %{buildroot}%{_bindir}/ipa-test-config %{buildroot}%{_bindir}/ipa-test-config-%{python3_version}
+mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{python3_version}
+ln -rs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
+ln -rs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
+ln -rs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
+ln -frs %{buildroot}%{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests
+ln -frs %{buildroot}%{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config
+ln -frs %{buildroot}%{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task
+# with_ipatests
+%endif
+
+# remove files which are useful only for make uninstall
+find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
+
+%if 0%{?rhel}
+# RHEL spec file only: START
+# Moved branding logos and background to redhat-logos-ipa-80.4:
+# header-logo.png, login-screen-background.jpg, login-screen-logo.png,
+# product-name.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
+rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
+%endif
+# RHEL spec file only: END
+
+%if ! %{ONLY_CLIENT}
+%if 0%{?fedora} >= 38
+# Register CLI tools for bash completion (fedora only)
+for clitool in ipa-migrate
+do
+ register-python-argcomplete "${clitool}" > "${clitool}"
+ install -p -m 0644 -D -t '%{buildroot}%{bash_completions_dir}' "${clitool}"
+done
+%endif
+%endif
+
+%find_lang %{gettext_domain}
+
+%if ! %{ONLY_CLIENT}
+# Remove .la files from libtool - we don't want to package
+# these files
+rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_enrollment_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_winsync.la
+rm %{buildroot}/%{plugin_dir}/libipa_repl_version.la
+rm %{buildroot}/%{plugin_dir}/libipa_uuid.la
+rm %{buildroot}/%{plugin_dir}/libipa_modrdn.la
+rm %{buildroot}/%{plugin_dir}/libipa_lockout.la
+rm %{buildroot}/%{plugin_dir}/libipa_cldap.la
+rm %{buildroot}/%{plugin_dir}/libipa_dns.la
+rm %{buildroot}/%{plugin_dir}/libipa_sidgen.la
+rm %{buildroot}/%{plugin_dir}/libipa_sidgen_task.la
+rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
+rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
+rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
+rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
+rm %{buildroot}/%{plugin_dir}/libipa_graceperiod.la
+rm %{buildroot}/%{plugin_dir}/libtopology.la
+rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
+rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
+
+# So we can own our Apache configuration
+mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
+/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
+/bin/touch
%{buildroot}%{_usr}/share/ipa/html/krb5.ini
+/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
+
+mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
+touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
+
+# ONLY_CLIENT
+%endif
+
+/bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
+/bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
+
+%if ! %{ONLY_CLIENT}
+mkdir -p %{buildroot}%{_sysconfdir}/cron.d
+# ONLY_CLIENT
+%endif
+
+%if ! %{ONLY_CLIENT}
+
+%post server
+# NOTE: systemd specific section
+ /bin/systemctl --system daemon-reload 2>&1 || :
+# END
+if [ $1 -gt 1 ] ; then
+ /bin/systemctl condrestart certmonger.service 2>&1 || :
+fi
+/bin/systemctl reload-or-try-restart dbus
+/bin/systemctl reload-or-try-restart oddjobd
+
+%tmpfiles_create ipa.conf
+%journal_catalog_update
+
+%postun server
+%journal_catalog_update
+
+%posttrans server
+# don't execute upgrade and restart of IPA when server is not installed
+%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
+
+if [ $? -eq 0 ]; then
+ # This is necessary for Fedora system upgrades which by default
+ # work with the network being offline
+ /bin/systemctl start network-online.target
+
+ # Restart IPA processes. This must be also run in postrans so that plugins
+ # and software is in consistent state. This will also perform the
+ # system upgrade.
+ # NOTE: systemd specific section
+
+ /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
+ if [ $? -eq 0 ]; then
+ /bin/systemctl restart ipa.service >/dev/null
+ fi
+
+ /bin/systemctl is-enabled ipa-ccache-sweep.timer >/dev/null 2>&1
+ if [ $?
-eq 1 ]; then
+ /bin/systemctl enable ipa-ccache-sweep.timer>/dev/null
+ fi
+fi
+# END
+
+
+%preun server
+if [ $1 = 0 ]; then
+# NOTE: systemd specific section
+ /bin/systemctl --quiet stop ipa.service || :
+ /bin/systemctl --quiet disable ipa.service || :
+ /bin/systemctl reload-or-try-restart dbus
+ /bin/systemctl reload-or-try-restart oddjobd
+# END
+fi
+
+
+%pre server
+# Stop ipa_kpasswd if it exists before upgrading so we don't have a
+# zombie process when we're done.
+if [ -e /usr/sbin/ipa_kpasswd ]; then
+# NOTE: systemd specific section
+ /bin/systemctl stop ipa_kpasswd.service >/dev/null 2>&1 || :
+# END
+fi
+
+
+%pre server-common
+# create users and groups
+# create kdcproxy group and user
+getent group kdcproxy >/dev/null || groupadd -f -r kdcproxy
+getent passwd kdcproxy >/dev/null || useradd -r -g kdcproxy -s /sbin/nologin -d / -c "IPA KDC Proxy User" kdcproxy
+# create ipaapi group and user
+getent group ipaapi >/dev/null || groupadd -f -r ipaapi
+getent passwd ipaapi >/dev/null || useradd -r -g ipaapi -s /sbin/nologin -d / -c "IPA Framework User" ipaapi
+# add apache to ipaaapi group
+id -Gn apache | grep '\bipaapi\b' >/dev/null || usermod apache -a -G ipaapi
+
+
+%post server-dns
+%systemd_post ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
+
+%preun server-dns
+%systemd_preun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
+
+%postun server-dns
+%systemd_postun ipa-dnskeysyncd.service ipa-ods-exporter.socket ipa-ods-exporter.service
+
+
+%postun server-trust-ad
+if [ "$1" -ge "1" ]; then
+ if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
+ %{_sbindir}/alternatives --set winbind_krb5_locator.so /dev/null
+ fi
+fi
+
+
+%post server-trust-ad
+%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
+ winbind_krb5_locator.so /dev/null 90
+/bin/systemctl reload-or-try-restart dbus
+/bin/systemctl
reload-or-try-restart oddjobd
+
+
+%posttrans server-trust-ad
+%{__python3} -c "import sys; from ipalib import facts; sys.exit(0 if facts.is_ipa_configured() else 1);" > /dev/null 2>&1
+if [ $? -eq 0 ]; then
+# NOTE: systemd specific section
+ /bin/systemctl try-restart httpd.service >/dev/null 2>&1 || :
+# END
+fi
+
+
+%preun server-trust-ad
+if [ $1 -eq 0 ]; then
+ %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
+ /bin/systemctl reload-or-try-restart dbus
+ /bin/systemctl reload-or-try-restart oddjobd
+fi
+
+# ONLY_CLIENT
+%endif
+
+%preun client-epn
+%systemd_preun ipa-epn.service
+%systemd_preun ipa-epn.timer
+
+%postun client-epn
+%systemd_postun ipa-epn.service
+%systemd_postun ipa-epn.timer
+
+%post client-epn
+%systemd_post ipa-epn.service
+%systemd_post ipa-epn.timer
+
+%post client
+if [ $1 -gt 1 ] ; then
+ # Has the client been configured?
+ restore=0
+ test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
+
+ if [ -f '/etc/sssd/sssd.conf' -a $restore -ge 2 ]; then
+ if grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
+ sed -i '\;includedir /var/lib/sss/pubconf/krb5.include.d;d' /etc/krb5.conf
+ fi
+ fi
+
+ if [ $restore -ge 2 ]; then
+ if grep -E -q '\s*pkinit_anchors = FILE:/etc/ipa/ca.crt$' /etc/krb5.conf 2>/dev/null; then
+ sed -E 's|(\s*)pkinit_anchors = FILE:/etc/ipa/ca.crt$|\1pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem\n\1pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem|' /etc/krb5.conf >/etc/krb5.conf.ipanew
+ mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
+ cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/kdc-ca-bundle.pem
+ cp /etc/ipa/ca.crt /var/lib/ipa-client/pki/ca-bundle.pem
+ fi
+ %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
+ %{__python3} -c 'from ipaclient.install.client import
update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1 + chmod 0600 /var/log/ipaupgrade.log + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" + if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then + if grep -E -q '^HostKeyAlgorithms ssh-rsa,ssh-dss' $SSH_CLIENT_SYSTEM_CONF 2>/dev/null; then + sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF" + fi + # https://pagure.io/freeipa/issue/9536 + # replace sss_ssh_knownhostsproxy with sss_ssh_knownhosts + if [ -f '/usr/bin/sss_ssh_knownhosts' ]; then + if grep -E -q 'Include' $SSH_CLIENT_SYSTEM_CONF 2>/dev/null ; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config.d/04-ipa.conf" + fi + sed -E --in-place=.orig 's/^(GlobalKnownHostsFile \/var\/lib\/sss\/pubconf\/known_hosts)$/# disabled by ipa-client update\n# \1/' $SSH_CLIENT_SYSTEM_CONF + sed -E --in-place=.orig 's/(ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p \%p \%h)/# replaced by ipa-client update\n KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts \%H/' $SSH_CLIENT_SYSTEM_CONF + fi + fi + fi +fi + + +%if %{with selinux} +# SELinux contexts are saved so that only affected files can be +# relabeled after the policy module installation +%pre selinux +%selinux_relabel_pre -s %{selinuxtype} + +%post selinux +semodule -d ipa_custodia &> /dev/null || true; +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.bz2 + +%post selinux-nfast +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-nfast.pp.bz2 + +%post selinux-luna +%selinux_modules_install -s %{selinuxtype} %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-luna.pp.bz2 + +%postun selinux +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename} + semodule -e ipa_custodia &> /dev/null || true; +fi + +%postun selinux-nfast +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} 
%{modulename}-nfast +fi + +%postun selinux-luna +if [ $1 -eq 0 ]; then + %selinux_modules_uninstall -s %{selinuxtype} %{modulename}-luna +fi + +%posttrans selinux +%selinux_relabel_post -s %{selinuxtype} +# with_selinux +%endif + +%triggerin client -- sssd-common < 2.10 +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" + if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then + # https://pagure.io/freeipa/issue/9536 + # downgrade sss_ssh_knownhosts with sss_ssh_knownhostsproxy + if [ -f '/usr/bin/sss_ssh_knownhosts' ]; then + if grep -E -q 'Include' $SSH_CLIENT_SYSTEM_CONF 2>/dev/null ; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config.d/04-ipa.conf" + fi + GLOBALKNOWNHOSTFILE="GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts/" + grep -qF '$GLOBALKNOWNHOSTFILE' $SSH_CLIENT_SYSTEM_CONF + if [ $? -ne 0 ]; then + sed -E --in-place=.orig '/(# IPA-related configuration changes to ssh_config)/a # added by ipa-client update\n'"$GLOBALKNOWNHOSTFILE"'' $SSH_CLIENT_SYSTEM_CONF + fi + sed -E --in-place=.orig 's/(KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts \%H)/ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p \%p \%h/' $SSH_CLIENT_SYSTEM_CONF + fi + fi +fi + +%triggerin client -- sssd-common >= 2.10 +# Has the client been configured? 
+restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config" + if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then + # https://pagure.io/freeipa/issue/9536 + # upgrade sss_ssh_knownhostsproxy with sss_ssh_knownhosts + if [ -f '/usr/bin/sss_ssh_knownhosts' ]; then + if grep -E -q 'Include' $SSH_CLIENT_SYSTEM_CONF 2>/dev/null ; then + SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config.d/04-ipa.conf" + fi + sed -E --in-place=.orig 's/^(GlobalKnownHostsFile \/var\/lib\/sss\/pubconf\/known_hosts)$/# disabled by ipa-client update\n# \1/' $SSH_CLIENT_SYSTEM_CONF + sed -E --in-place=.orig 's/(ProxyCommand \/usr\/bin\/sss_ssh_knownhostsproxy -p \%p \%h)/# replaced by ipa-client update\n KnownHostsCommand \/usr\/bin\/sss_ssh_knownhosts \%H/' $SSH_CLIENT_SYSTEM_CONF + fi + fi +fi + +%triggerin client -- openssh-server < 8.2 +# Has the client been configured? 
+restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + if grep -E -q '^(AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys|PubKeyAgent /usr/bin/sss_ssh_authorizedkeys %u)$' /etc/ssh/sshd_config 2>/dev/null; then + sed -r ' + /^(AuthorizedKeysCommand(User|RunAs)|PubKeyAgentRunAs)[ \t]/ d + ' /etc/ssh/sshd_config >/etc/ssh/sshd_config.ipanew + + if /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandUser=nobody' 2>/dev/null; then + sed -ri ' + s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ + s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandUser nobody/ + ' /etc/ssh/sshd_config.ipanew + elif /usr/sbin/sshd -t -f /dev/null -o 'AuthorizedKeysCommand=/usr/bin/sss_ssh_authorizedkeys' -o 'AuthorizedKeysCommandRunAs=nobody' 2>/dev/null; then + sed -ri ' + s/^PubKeyAgent (.+) %u$/AuthorizedKeysCommand \1/ + s/^AuthorizedKeysCommand .*$/\0\nAuthorizedKeysCommandRunAs nobody/ + ' /etc/ssh/sshd_config.ipanew + elif /usr/sbin/sshd -t -f /dev/null -o 'PubKeyAgent=/usr/bin/sss_ssh_authorizedkeys %u' -o 'PubKeyAgentRunAs=nobody' 2>/dev/null; then + sed -ri ' + s/^AuthorizedKeysCommand (.+)$/PubKeyAgent \1 %u/ + s/^PubKeyAgent .*$/\0\nPubKeyAgentRunAs nobody/ + ' /etc/ssh/sshd_config.ipanew + fi + + mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config + chmod 600 /etc/ssh/sshd_config + + /bin/systemctl condrestart sshd.service 2>&1 || : + fi +fi + + +%triggerin client -- openssh-server >= 8.2 +# Has the client been configured? +restore=0 +test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}') + +if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then + # If the snippet already exists, skip + if [ ! 
-f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then + # Take the values from /etc/ssh/sshd_config and put them in 04-ipa.conf + grep -E '^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)' /etc/ssh/sshd_config 2>/dev/null > /etc/ssh/sshd_config.d/04-ipa.conf + # Remove the values from sshd_conf + sed -ri ' + /^(PubkeyAuthentication|KerberosAuthentication|GSSAPIAuthentication|UsePAM|ChallengeResponseAuthentication|AuthorizedKeysCommand|AuthorizedKeysCommandUser)[ \t]/ d + ' /etc/ssh/sshd_config + + /bin/systemctl condrestart sshd.service 2>&1 || : + fi + # If the snippet has been created, ensure that it is included + # either by /etc/ssh/sshd_config.d/*.conf or directly + if [ -f '/etc/ssh/sshd_config.d/04-ipa.conf' ]; then + if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/\*\.conf' /etc/ssh/sshd_config 2> /dev/null ; then + if ! grep -E -q '^\s*Include\s*/etc/ssh/sshd_config.d/04-ipa\.conf' /etc/ssh/sshd_config 2> /dev/null ; then + # Include the snippet + echo "Include /etc/ssh/sshd_config.d/04-ipa.conf" > /etc/ssh/sshd_config.ipanew + cat /etc/ssh/sshd_config >> /etc/ssh/sshd_config.ipanew + mv -fZ --backup=existing --suffix .ipaold /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config + fi + fi + fi +fi + + +%if ! 
%{ONLY_CLIENT} + +%files server +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-backup +%{_sbindir}/ipa-restore +%{_sbindir}/ipa-ca-install +%{_sbindir}/ipa-kra-install +%{_sbindir}/ipa-server-install +%{_sbindir}/ipa-replica-conncheck +%{_sbindir}/ipa-replica-install +%{_sbindir}/ipa-replica-manage +%{_sbindir}/ipa-csreplica-manage +%{_sbindir}/ipa-server-certinstall +%{_sbindir}/ipa-server-upgrade +%{_sbindir}/ipa-ldap-updater +%{_sbindir}/ipa-otptoken-import +%{_sbindir}/ipa-compat-manage +%{_sbindir}/ipa-managed-entries +%{_sbindir}/ipactl +%{_sbindir}/ipa-advise +%{_sbindir}/ipa-cacert-manage +%{_sbindir}/ipa-winsync-migrate +%{_sbindir}/ipa-pkinit-manage +%{_sbindir}/ipa-crlgen-manage +%{_sbindir}/ipa-cert-fix +%{_sbindir}/ipa-acme-manage +%{_sbindir}/ipa-migrate +%if 0%{?fedora} >= 38 +%{bash_completions_dir}/ipa-migrate +%endif +%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit +%{_libexecdir}/certmonger/ipa-server-guard +%dir %{_libexecdir}/ipa +%{_libexecdir}/ipa/ipa-ccache-sweeper +%{_libexecdir}/ipa/ipa-custodia +%{_libexecdir}/ipa/ipa-custodia-check +%{_libexecdir}/ipa/ipa-httpd-kdcproxy +%{_libexecdir}/ipa/ipa-httpd-pwdreader +%{_libexecdir}/ipa/ipa-pki-retrieve-key +%{_libexecdir}/ipa/ipa-pki-wait-running +%{_libexecdir}/ipa/ipa-otpd +%{_libexecdir}/ipa/ipa-print-pac +%{_libexecdir}/ipa/ipa-subids +%dir %{_libexecdir}/ipa/custodia +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat-wrapped +%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent +%dir %{_libexecdir}/ipa/oddjob +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid +%config(noreplace) 
%{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf +%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf +%dir %{_libexecdir}/ipa/certmonger +%attr(755,root,root) %{_libexecdir}/ipa/certmonger/* +# NOTE: systemd specific section +%attr(644,root,root) %{_unitdir}/ipa.service +%attr(644,root,root) %{_unitdir}/ipa-otpd.socket +%attr(644,root,root) %{_unitdir}/ipa-otpd@.service +%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.service +%attr(644,root,root) %{_unitdir}/ipa-ccache-sweep.timer +%attr(644,root,root) %{_journalcatalogdir}/ipa.catalog +# END +%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_winsync.so +%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so +%attr(755,root,root) %{plugin_dir}/libipa_uuid.so +%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so +%attr(755,root,root) %{plugin_dir}/libipa_lockout.so +%attr(755,root,root) %{plugin_dir}/libipa_dns.so +%attr(755,root,root) %{plugin_dir}/libipa_range_check.so +%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so +%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so +%attr(755,root,root) %{plugin_dir}/libtopology.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so +%attr(755,root,root) %{plugin_dir}/libipa_graceperiod.so +%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so +%{_mandir}/man1/ipa-replica-conncheck.1* +%{_mandir}/man1/ipa-replica-install.1* +%{_mandir}/man1/ipa-replica-manage.1* +%{_mandir}/man1/ipa-csreplica-manage.1* +%{_mandir}/man1/ipa-server-certinstall.1* +%{_mandir}/man1/ipa-server-install.1* +%{_mandir}/man1/ipa-server-upgrade.1* +%{_mandir}/man1/ipa-ca-install.1* +%{_mandir}/man1/ipa-kra-install.1* +%{_mandir}/man1/ipa-compat-manage.1* +%{_mandir}/man1/ipa-managed-entries.1* +%{_mandir}/man1/ipa-ldap-updater.1* 
+%{_mandir}/man8/ipactl.8* +%{_mandir}/man1/ipa-backup.1* +%{_mandir}/man1/ipa-restore.1* +%{_mandir}/man1/ipa-advise.1* +%{_mandir}/man1/ipa-otptoken-import.1* +%{_mandir}/man1/ipa-cacert-manage.1* +%{_mandir}/man1/ipa-winsync-migrate.1* +%{_mandir}/man1/ipa-pkinit-manage.1* +%{_mandir}/man1/ipa-crlgen-manage.1* +%{_mandir}/man1/ipa-cert-fix.1* +%{_mandir}/man1/ipa-acme-manage.1* +%{_mandir}/man1/ipa-migrate.1* + + +%files -n python3-ipaserver +%doc README.md Contributors.txt +%license COPYING +%{python3_sitelib}/ipaserver +%{python3_sitelib}/ipaserver-*.egg-info + + +%files server-common +%doc README.md Contributors.txt +%license COPYING +%ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy +%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf +# NOTE: systemd specific section +%{_tmpfilesdir}/ipa.conf +%attr(644,root,root) %{_unitdir}/ipa-custodia.service +%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf +# END +%{_usr}/share/ipa/wsgi.py* +%{_usr}/share/ipa/kdcproxy.wsgi +%{_usr}/share/ipa/ipaca*.ini +%{_usr}/share/ipa/*.ldif +%exclude %{_datadir}/ipa/ipa-cldap-conf.ldif +%{_usr}/share/ipa/*.uldif +%{_usr}/share/ipa/*.template +%dir %{_usr}/share/ipa/advise +%dir %{_usr}/share/ipa/advise/legacy +%{_usr}/share/ipa/advise/legacy/*.template +%dir %{_usr}/share/ipa/profiles +%{_usr}/share/ipa/profiles/README +%{_usr}/share/ipa/profiles/*.cfg +%dir %{_usr}/share/ipa/html +%{_usr}/share/ipa/html/ssbrowser.html +%{_usr}/share/ipa/html/unauthorized.html +%dir %{_usr}/share/ipa/migration +%{_usr}/share/ipa/migration/index.html +%{_usr}/share/ipa/migration/migration.py* +%dir %{_usr}/share/ipa/ui +%{_usr}/share/ipa/ui/index.html +%{_usr}/share/ipa/ui/reset_password.html +%{_usr}/share/ipa/ui/sync_otp.html +%{_usr}/share/ipa/ui/*.ico +%{_usr}/share/ipa/ui/*.css +%dir %{_usr}/share/ipa/ui/css +%{_usr}/share/ipa/ui/css/*.css +%dir %{_usr}/share/ipa/ui/js +%dir 
%{_usr}/share/ipa/ui/js/dojo +%{_usr}/share/ipa/ui/js/dojo/dojo.js +%dir %{_usr}/share/ipa/ui/js/libs +%{_usr}/share/ipa/ui/js/libs/*.js +%dir %{_usr}/share/ipa/ui/js/freeipa +%{_usr}/share/ipa/ui/js/freeipa/app.js +%{_usr}/share/ipa/ui/js/freeipa/core.js +%dir %{_usr}/share/ipa/ui/js/plugins +%dir %{_usr}/share/ipa/ui/images +%if 0%{?rhel} +%{_usr}/share/ipa/ui/images/facet-*.png +# Moved branding logos and background to redhat-logos-ipa-80.4: +# header-logo.png, login-screen-background.jpg, login-screen-logo.png, +# product-name.png +%else +%{_usr}/share/ipa/ui/images/*.jpg +%{_usr}/share/ipa/ui/images/*.png +%endif +%dir %{_usr}/share/ipa/wsgi +%{_usr}/share/ipa/wsgi/plugins.py* +%dir %{_sysconfdir}/ipa +%dir %{_sysconfdir}/ipa/html +%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html +%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf +%ghost %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_usr}/share/ipa/html/ca.crt +%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-ext.conf +%ghost %attr(0640,root,named) %config(noreplace) %{_sysconfdir}/named/ipa-options-ext.conf +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb.con +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krb5.ini +%ghost %attr(0644,root,root) %{_usr}/share/ipa/html/krbrealm.con +%dir %{_usr}/share/ipa/updates/ +%{_usr}/share/ipa/updates/* +%dir %{_localstatedir}/lib/ipa +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy 
+%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade +%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca +%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/certs +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/private +%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/passwds +%ghost %attr(775,root,pkiuser) %{_localstatedir}/lib/ipa/pki-ca/publish +%ghost %attr(770,named,named) %{_localstatedir}/named/dyndb-ldap/ipa +%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia +%dir %{_usr}/share/ipa/schema.d +%attr(0644,root,root) %{_usr}/share/ipa/schema.d/README +%attr(0644,root,root) %{_usr}/share/ipa/gssapi.login +%{_usr}/share/ipa/ipakrb5.aug + +%files server-dns +%doc README.md Contributors.txt +%license COPYING +%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd +%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec +%{_libexecdir}/ipa/ipa-dnskeysyncd +%{_libexecdir}/ipa/ipa-dnskeysync-replica +%{_libexecdir}/ipa/ipa-ods-exporter +%{_sbindir}/ipa-dns-install +%{_mandir}/man1/ipa-dns-install.1* +%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service +%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket +%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service + +%files server-trust-ad +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-adtrust-install +%{_usr}/share/ipa/smb.conf.empty +%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so +%attr(755,root,root) %{plugin_dir}/libipa_cldap.so +%{_datadir}/ipa/ipa-cldap-conf.ldif +%{_mandir}/man1/ipa-adtrust-install.1* +%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so +%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf +%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf +%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains + +# ONLY_CLIENT +%endif + + +%files client +%doc README.md 
Contributors.txt +%license COPYING +%{_sbindir}/ipa-client-install +%{_sbindir}/ipa-client-automount +%{_sbindir}/ipa-certupdate +%{_sbindir}/ipa-getkeytab +%{_sbindir}/ipa-rmkeytab +%{_sbindir}/ipa-join +%{_bindir}/ipa +%config %{_sysconfdir}/bash_completion.d +%config %{_sysconfdir}/sysconfig/certmonger +%{_mandir}/man1/ipa.1* +%{_mandir}/man1/ipa-getkeytab.1* +%{_mandir}/man1/ipa-rmkeytab.1* +%{_mandir}/man1/ipa-client-install.1* +%{_mandir}/man1/ipa-client-automount.1* +%{_mandir}/man1/ipa-certupdate.1* +%{_mandir}/man1/ipa-join.1* +%dir %{_libexecdir}/ipa/acme +%{_libexecdir}/ipa/acme/certbot-dns-ipa + +%files client-samba +%doc README.md Contributors.txt +%license COPYING +%{_sbindir}/ipa-client-samba +%{_mandir}/man1/ipa-client-samba.1* + + +%files client-epn +%doc README.md Contributors.txt +%dir %{_sysconfdir}/ipa/epn +%license COPYING +%{_sbindir}/ipa-epn +%{_mandir}/man1/ipa-epn.1* +%{_mandir}/man5/epn.conf.5* +%attr(644,root,root) %{_unitdir}/ipa-epn.service +%attr(644,root,root) %{_unitdir}/ipa-epn.timer +%attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn.conf +%attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/epn/expire_msg.template + +%files -n python3-ipaclient +%doc README.md Contributors.txt +%license COPYING +%dir %{python3_sitelib}/ipaclient +%{python3_sitelib}/ipaclient/*.py +%{python3_sitelib}/ipaclient/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/install +%{python3_sitelib}/ipaclient/install/*.py +%{python3_sitelib}/ipaclient/install/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/plugins +%{python3_sitelib}/ipaclient/plugins/*.py +%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/remote_plugins +%{python3_sitelib}/ipaclient/remote_plugins/*.py +%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py* +%dir %{python3_sitelib}/ipaclient/remote_plugins/2_* +%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py 
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* +%{python3_sitelib}/ipaclient-*.egg-info + + +%files client-common +%doc README.md Contributors.txt +%license COPYING +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/ +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/default.conf +%ghost %attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ipa/ca.crt +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb +# old dbm format +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db +# new sql format +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pkcs11.txt +%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt +%ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit +%dir %{_localstatedir}/lib/ipa-client +%dir %{_localstatedir}/lib/ipa-client/pki +%dir %{_localstatedir}/lib/ipa-client/sysrestore +%{_mandir}/man5/default.conf.5* +%dir %{_usr}/share/ipa/client +%{_usr}/share/ipa/client/*.template + + +%files python-compat +%doc README.md Contributors.txt +%license COPYING + + +%files common -f %{gettext_domain}.lang +%doc README.md Contributors.txt +%license COPYING +%dir %{_usr}/share/ipa +%dir %{_libexecdir}/ipa + +%files -n python3-ipalib +%doc README.md Contributors.txt +%license COPYING + +%{python3_sitelib}/ipapython/ +%{python3_sitelib}/ipalib/ +%{python3_sitelib}/ipaplatform/ +%{python3_sitelib}/ipapython-*.egg-info +%{python3_sitelib}/ipalib-*.egg-info +%{python3_sitelib}/ipaplatform-*.egg-info + + +%if %{with ipatests} + + +%files -n python3-ipatests +%doc README.md Contributors.txt 
+%license COPYING +%{python3_sitelib}/ipatests +%{python3_sitelib}/ipatests-*.egg-info +%{_bindir}/ipa-run-tests-3 +%{_bindir}/ipa-test-config-3 +%{_bindir}/ipa-test-task-3 +%{_bindir}/ipa-run-tests-%{python3_version} +%{_bindir}/ipa-test-config-%{python3_version} +%{_bindir}/ipa-test-task-%{python3_version} +%{_bindir}/ipa-run-tests +%{_bindir}/ipa-test-config +%{_bindir}/ipa-test-task +%{_mandir}/man1/ipa-run-tests.1* +%{_mandir}/man1/ipa-test-config.1* +%{_mandir}/man1/ipa-test-task.1* + +# with ipatests +%endif + + +%if %{with selinux} +%files selinux +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.* +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename} + +%files selinux-nfast +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-nfast.pp.* +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}-nfast + +%files selinux-luna +%{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}-luna.pp.* +%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}-luna +# with selinux +%endif + +%changelog +* Tue Sep 24 2024 Rafael Guteres Jeffman - 4.12.2-1.1 +- Resolves: RHEL-33818 Remove python3-ipalib's dependency on python3-netifaces + +* Thu Aug 22 2024 Florence Blanc-Renaud - 4.12.2-1 +- Resolves: RHEL-54545 Covscan issues: Resource Leak +- Resolves: RHEL-54304 support for python cryptography 43.0.0 +- Resolves: RHEL-49805 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w +- Resolves: RHEL-46897 With unreachable AD, ipa trust returns an internal error + +* Thu Aug 8 2024 Florence Blanc-Renaud - 4.12.1-4 +- Resolves: RHEL-53501 adtrustinstance only prints issues in check_inst() and does not log them +- Resolves: RHEL-52305 Unconditionally add MS-PAC to global config +- Resolves: RHEL-52223 ipa-replica/server-install with softhsm needs to check 
permission/ownership of /var/lib/softhsm/tokens to avoid install failure
+- Resolves: RHEL-51937 Include latest fixes in python3-ipatests packages
+- Resolves: RHEL-50805 ipa-migrate -Z with invalid cert options fails with 'ValueError: option error'
+- Resolves: RHEL-49805 misleading warning for missing ipa-selinux-nfast package on luna hsm h/w
+- Resolves: RHEL-49592 'Unable to log in as uid=admin-replica.testrealm.test,ou=people,o=ipaca' during replica install
+- Resolves: RHEL-4879 RFE - Keep the configured value for the "nsslapd-ignore-time-skew" after a "force-sync"
+
+* Thu Jul 18 2024 Florence Blanc-Renaud - 4.12.1-3
+- Resolves: RHEL-49452 Include latest fixes in python3-ipatests packages
+- Resolves: RHEL-49433 Adjust "ipa config-mod --addattr ipaconfigstring=EnforceLDAPOTP" to allow for non OTP users in some cases
+- Resolves: RHEL-49432 ipa-migrate stage-mode is failing with error: Modifying a mapped attribute in a managed entry is not allowed
+- Resolves: RHEL-49413 ipa-migrate with -Z option fails with ValueError: option error
+- Resolves: RHEL-47157 ipa-migrate -V options fails to display version
+- Resolves: RHEL-47148 Pagure #9629: Syntax error uninstalling the selinux-luna subpackage
+- Resolves: RHEL-40892 ipa-server-install: token_password_file read in kra.install_check after calling hsm_validator in ca.install_check
+
+* Mon Jul 08 2024 Florence Blanc-Renaud - 4.12.1-2
+- Resolves: RHEL-46607 kdc.crt certificate not getting automatically renewed by certmonger in IPA Hidden replica
+- Resolves: RHEL-46606 ipa-client rpm post script creates always ssh_config.orig even if nothing needs to be changed
+- Resolves: RHEL-46605 IPA Web UI not showing replication agreement for non-admin users
+- Resolves: RHEL-46592 [RFE] Allow IPA SIDgen task to continue if it finds an entity that SID can't be assigned to
+- Resolves: RHEL-46556 Include latest fixes in python3-ipatests packages
+- Resolves: RHEL-42705 PSKC.xml issues with ipa_otptoken_import.py
+
+* Mon Jun 24 2024 Troy Dawson - 4.12.1-1.1
+- Bump release for June 2024 mass rebuild
+
+* Wed Jun 12 2024 Julien Rische - 4.12.1-1
+- Resolves: RHEL-32233 CVE-2024-3183 freeipa: user can obtain a hash of the passwords of all domain users and perform offline brute force
+- Resolves: RHEL-40881 CVE-2024-2698 freeipa: delegation rules allow a proxy service to impersonate any user to access another target service
+
+* Tue Jun 04 2024 Florence Blanc-Renaud - 4.12.0-1
+- Resolves: RHEL-39144 Rebase ipa to the latest 4.12 version for RHEL 10
+- Resolves: RHEL-30537 ipa: freeipa: argument injection into the username field of the /ipa/session/login_password requests
+
+* Thu Feb 22 2024 Troy Dawson - 4.11.1-4
+- Bump release to rebuild on correct samba
+
+* Thu Feb 08 2024 Alexander Bokovoy - 4.11.1-3
+- Support 389-ds with lmdb backend
+
+* Wed Jan 24 2024 Fedora Release Engineering - 4.11.1-2
+- Rebuild against Samba 4.20rc1
+- Fix memory leak in Kerberos KDC driver
+- Fix possible crash in IPA command line tool when accessing Kerberos credentials
+- Compatibility fix for Python Cryptography 42.0.0
+- NetBIOS defaults fix
+- Fix default host keytab retrieval permissions
+
+* Wed Jan 24 2024 Fedora Release Engineering - 4.11.1-1.2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Fri Jan 19 2024 Fedora Release Engineering - 4.11.1-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Jan 10 2024 Alexander Bokovoy - 4.11.1-1
+- Security release: CVE-2023-5455
+- Resolves: rhbz#2257646
+
+* Wed Nov 08 2023 Alexander Bokovoy - 4.11.0-7
+- ipalib: fix the IPACertificate validity dates (python 3.12 compatibility)
+- Handle PKI revocation response differences in JSON API
+- Allow removal of minimal length from a custom password policy
+
+* Mon Oct 23 2023 Alexander Bokovoy - 4.11.0-6
+- Adopt trust to AD code to Samba changes in case SIDs are malformed
+
+* Tue Oct 03 2023 Alexander Bokovoy - 4.11.0-5
+- FreeIPA 4.11.0 release
+- Simplify Fedora spec file
+- Release notes: https://www.freeipa.org/release-notes/4-11-0.html
+
+* Mon Sep 18 2023 Alexander Bokovoy - 4.11.0-4.beta1
+- Depend on selinux-policy-38.28-1.fc39
+- Add SELinux policy for passkey_child to be used without ipa-otpd
+- Related: rhbz#2238474
+
+* Tue Sep 12 2023 Alexander Bokovoy - 4.11.0-3.beta1
+- Restore properly SELinux context during IPA client uninstallation
+- Related: rhbz#2238474
+
+* Tue Sep 12 2023 Alexander Bokovoy - 4.11.0-2.beta1
+- Set 'sssd_use_usb' SELinux boolean when enrolling IPA client
+- Resolves: rhbz#2238474
+
+* Mon Aug 21 2023 Alexander Bokovoy - 4.11.0-1.beta1
+- FreeIPA 4.11.0 beta 1
+- Release notes: https://www.freeipa.org/release-notes/4-11-0-beta.html
+
+* Wed Jul 19 2023 Fedora Release Engineering - 4.10.2-1.3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Wed Jul 05 2023 Miro Hrončok - 4.10.2-1.2
+- Use ssl.match_hostname from urllib3 as it was removed from Python 3.12
+
+* Tue Jun 27 2023 Python Maint - 4.10.2-1.1
+- Rebuilt for Python 3.12
+
+* Tue Jun 13 2023 Alexander Bokovoy - 4.10.2-1
+- Upstream release FreeIPA 4.10.2
+- Synchronize patches with CentOS 9 Stream
+
+* Mon May 15 2023 Alexander Bokovoy - 4.10.1-5
+- Support python-cryptography 40.0
+
+* Thu Mar 30 2023 Jerry James - 4.10.1-4
+- Change fontawesome-fonts R to match fontawesome 4.x
+
+* Fri Jan 20 2023 Alexander Bokovoy - 4.10.1-3
+- Rebuild against Samba 4.18.0RC1
+
+* Thu Jan 19 2023 Fedora Release Engineering - 4.10.1-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Dec 1 2022 Alexander Bokovoy - 4.10.1-2
+- Rebuild against krb5-1.20.1-1
+
+* Sun Nov 27 2022 Alexander Bokovoy - 4.10.1-1
+- Upstream release FreeIPA 4.10.1
+
+* Wed Sep 14 2022 Alexander Bokovoy - 4.10.0-6
+- Rebuild against final samba 4.17.0 release
+
+* Wed Aug 24 2022 Adam Williamson - 4.10.0-5
+- Rebuild against new samba-client-libs (for F37)
+
+* Wed Aug 24 2022 Thomas Woerner - 4.10.0-4
+- Disabling gracelimit does not prevent LDAP binds
+- webui: Allow grace login limit
+- Fix dns resolver for nameservers with ports
+- Set passwordgracelimit to match global policy on group pw policies
+
+* Tue Aug 09 2022 Adam Williamson - 4.10.0-3
+- Rebuild against new libndr
+
+* Tue Jul 26 2022 Alexander Bokovoy - 4.10.0-2
+- Rebuild against samba-4.16.3-2.fc37
+- Resolves: rhbz#2110746
+
+* Thu Jul 21 2022 Fedora Release Engineering - 4.10.0-1.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Thu Jun 30 2022 Rob Crittenden - 4.10.0-1
+- Upstream release FreeIPA 4.10.0
+
+* Thu Jun 16 2022 Python Maint - 4.9.10-1.1
+- Rebuilt for Python 3.11
+
+* Thu Jun 16 2022 Alexander Bokovoy - 4.9.10-1
+- Upstream release FreeIPA 4.9.10
+
+* Wed Jun 15 2022 Python Maint - 4.9.9-1.1
+- Rebuilt for Python 3.11
+
+* Wed Apr 27 2022 Alexander Bokovoy - 4.9.9-1
+- Upstream release FreeIPA 4.9.9
+
+* Mon Feb 07 2022 Alexander Bokovoy - 4.9.8-3
+- Use -H option for OpenLDAP client tools as -h and -p are deprecated now
+- Resolves: rhbz#2050921
+
+* Thu Jan 20 2022 Fedora Release Engineering - 4.9.8-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Wed Jan 12 2022 Alexander Bokovoy - 4.9.8-2
+- Make possible to compile FreeIPA against OpenLDAP 2.6
+- Resolves: rhbz#2032701
+
+* Fri Nov 26 2021 Alexander Bokovoy - 4.9.8-1
+- Upstream release FreeIPA 4.9.8
+
+* Thu Nov 11 2021 Alexander Bokovoy - 4.9.7-4
+- Hardening for CVE-2020-25717 part 2
+- Handle S4U for users from trusted domains
+
+* Wed Nov 10 2021 Alexander Bokovoy - 4.9.7-3
+- Hardening for CVE-2020-25717
+- Generate SIDs for IPA users and groups by default
+- Verify MS-PAC consistency when it is generated or validated
+- Rebuild against samba-4.15.2
+- Resolves: rhbz#2021720
+
+* Fri Oct 15 2021 Rob Crittenden - 4.9.7-2
+- Make Dogtag return XML for ipa cert-find (#2014658)
+
+* Tue Sep 14 2021 Sahana Prasad - 4.9.7-1.1
+- Rebuilt with OpenSSL 3.0.0
+
+* Thu Aug 19 2021 François Cami - 4.9.7-1
+- Upstream release 4.9.7
+- Resolves: rhbz#1994739
+
+* Fri Aug 6 2021 François Cami - 4.9.6-4
+- Remove dependency on python3-pexpect on RHEL9.
+- Resolves: rhbz#1980734
+
+* Wed Jul 21 2021 Fedora Release Engineering - 4.9.6-3.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
+
+* Fri Jul 16 2021 Alexander Bokovoy - 4.9.6-3
+- Add dependency on sssd-winbind-idmap for freeipa-server-trust-ad
+- Resolves: rhbz#1970168
+- Rebuild against Samba 4.15.0 RC1 (libndr soname bump)
+
+* Fri Jul 02 2021 Alexander Bokovoy - 4.9.6-2
+- Remove custodia dependencies as the code merged into FreeIPA now
+- Resolves: rhbz#1978632
+
+* Tue Jun 29 2021 François Cami - 4.9.6-1
+- Upstream release FreeIPA 4.9.6
+
+* Mon Jun 14 2021 Alexander Bokovoy - 4.9.4-2
+- Rebuilt for Python 3.10, second part
+
+* Fri Jun 04 2021 Python Maint - 4.9.4-1.1
+- Rebuilt for Python 3.10
+
+* Fri Jun 04 2021 Alexander Bokovoy - 4.9.4-1
+- Upstream release FreeIPA 4.9.4
+
+* Tue Jun 01 2021 Alexander Bokovoy - 4.9.3-4
+- Handle upgrade of 389-ds replication plugin rename (part 2)
+
+* Tue Jun 01 2021 Alexander Bokovoy - 4.9.3-3
+- Handle upgrade of 389-ds replication plugin rename
+
+* Mon Apr 12 2021 Alexander Bokovoy - 4.9.3-2
+- Handle failures to resolve non-existing reverse zones during deployment with systemd-resolved
+- Resolves: rhbz#1948034
+
+* Wed Mar 31 2021 Alexander Bokovoy - 4.9.3-1
+- Upstream release FreeIPA 4.9.3
+
+* Fri Feb 26 2021 Alexander Bokovoy - 4.9.2-4
+- Rebuild against 389-ds and PKI to fix https://github.com/389ds/389-ds-base/issues/4609
+
+* Tue Feb 23 2021 Alexander Bokovoy - 4.9.2-3
+- Only use python-platform on RHEL 8
+
+* Mon Feb 15 2021 Alexander Bokovoy - 4.9.2-2
+- Fix ipatests dependency to python3-pexpect
+
+* Mon Feb 15 2021 Alexander Bokovoy - 4.9.2-1
+- Upstream release FreeIPA 4.9.2
+
+* Wed Jan 27 2021 Alexander Bokovoy - 4.9.1-1
+- Upstream release FreeIPA 4.9.1
+
+* Tue Jan 26 2021 Fedora Release Engineering - 4.9.0-2.1
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
+
+* Wed Jan 20 2021 Rob Crittenden - 4.9.0-2
+- Set client keytab location for 389ds (RHBZ#1918075)
+
+* Wed Dec 23 17:05:00 EET 2020 Alexander Bokovoy - 4.9.0-1
+- FreeIPA 4.9.0 final release
+
+* Wed Dec 16 07:52:00 EET 2020 Alexander Bokovoy - 4.9.0-0.6.rc3
+- Refactor DNSSEC paths creation code (upstream PR#5340)
+
+* Thu Dec 10 20:06:03 EET 2020 Alexander Bokovoy - 4.9.0-0.5.rc3
+- FreeIPA 4.9.0 release candidate 3
+- Enforce C.UTF-8 locale in systemd service units
+- Fold up fixes from Rawhide and RHEL 8.4 testing
+
+* Wed Dec 9 20:06:03 EET 2020 Alexander Bokovoy - 4.9.0-0.4.rc2
+- Fix upgrade script for CA rule rewrites
+- Fix permissions for /run/ipa/ccaches
+
+* Fri Dec 4 22:17:00 EET 2020 Alexander Bokovoy - 4.9.0-0.3.rc2
+- Correct SELinux policy requirements
+
+* Fri Dec 4 13:41:28 EET 2020 Alexander Bokovoy - 4.9.0-0.2.rc2
+- FreeIPA 4.9.0 release candidate 2
+
+* Thu Nov 19 2020 Alexander Bokovoy - 4.9.0-0.1.rc1
+- Use correct bind PKCS11 engine dependencies
+- Fix SELinux build requirement
+- Fix linting requirements
+
+* Wed Nov 18 2020 Alexander Bokovoy - 4.9.0-0.rc1
+- FreeIPA 4.9.0 release candidate 1
+- Synchronize spec file with upstream and RHEL
+
+* Wed Oct 28 2020 Adam Williamson - 4.8.10-7
+- Backport #5212 for deployment failures with 389-ds-base 1.4.4.6+
+
+* Tue Oct 13 2020 Alexander Bokovoy - 4.8.10-6
+- Handle sshd_config upgrade properly
+ Fixes: rhbz#1887928
+
+* Tue Sep 29 2020 Alexander Bokovoy - 4.8.10-5
+- Properly handle upgrade case when systemd-resolved is enabled
+
+* Mon Sep 28 2020 Alexander Bokovoy - 4.8.10-4
+- Fix permissions for /etc/systemd/resolved.conf.d/zzz-ipa.conf
+- Add NetworkManager and systemd-resolved configuration files to backup
+
+* Sun Sep 27 2020 Alexander Bokovoy - 4.8.10-3
+- Fix dependency between freeipa-selinux and freeipa-common
+- Resolves: rhbz#1883005
+
+* Sat Sep 26 2020 Alexander Bokovoy - 4.8.10-2
+- Support upgrade F32 -> F33 with systemd-resolved
+
+* Sat Sep 26 2020 Alexander Bokovoy - 4.8.10-1
+- Upstream release FreeIPA 4.8.10
+
+* Fri Aug 21 2020 Alexander Bokovoy - 4.8.9-2
+- Backport fix for detecting older installations on upgrade
+
+* Thu Aug 20 2020 François Cami - 4.8.9-1
+- Upstream release FreeIPA 4.8.9
+
+* Mon Aug 03 2020 Alexander Bokovoy - 4.8.7-5
+- Make use of unshare+chroot in ipa-extdom-extop unittests to work against glibc 2.32
+
+* Sat Aug 01 2020 Fedora Release Engineering - 4.8.7-4
+- Second attempt - Rebuilt for
+ https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Thu Jul 30 2020 Merlin Mathesius - 4.8.7-3
+- Conditional fixes for ELN to set krb5-kdb version appropriately
+
+* Mon Jul 27 2020 Fedora Release Engineering - 4.8.7-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
+
+* Wed Jun 10 2020 Alexander Bokovoy - 4.8.7-1
+- Upstream release FreeIPA 4.8.7
+
+* Tue May 26 2020 Miro Hrončok - 4.8.6-2
+- Rebuilt for Python 3.9
+
+* Fri Mar 27 2020 Alexander Bokovoy - 4.8.6-1
+- Upstream release FreeIPA 4.8.6
+
+* Sat Mar 21 2020 Alexander Bokovoy - 4.8.5-2
+- Roll up post-release fixes from upstream
+- Move freeipa-selinux to be a dependency of freeipa-common
+
+* Wed Mar 18 2020 Alexander Bokovoy - 4.8.5-1
+- Upstream release FreeIPA 4.8.5
+- Depend on selinux-policy-devel 3.14.6-9 for build due to a makefile issue in
+ SELinux external policy support
+
+* Tue Mar 03 2020 Alexander Bokovoy - 4.8.4-8
+- Support opendnssec 2.1
+- Resolves: #1809492
+
+* Mon Feb 17 2020 François Cami - 4.8.4-7
+- Fix audit_as_req() callback usage
+- Resolves: #1803786
+
+* Sat Feb 01 2020 Alexander Bokovoy - 4.8.4-6
+- Fix constraint delegation for krb5 1.18 update
+- Resolves: #1797096
+
+* Tue Jan 28 2020 Fedora Release Engineering - 4.8.4-5
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
+
+* Tue Jan 28 2020 Alexander Bokovoy - 4.8.4-4
+- Rebuild against krb5 1.18 beta
+
+* Sun Jan 26 2020 Alexander
Bokovoy - 4.8.4-3 +- Rebuild against Samba 4.12RC1 + +* Mon Dec 16 2019 Adam Williamson - 4.8.4-2 +- Backport PR #4045 to fix overlapping DNS zone check bugs + +* Sat Dec 14 2019 Alexander Bokovoy - 4.8.4-1 +- New upstream release 4.8.4 + +* Tue Nov 26 2019 Alexander Bokovoy - 4.8.3-1 +- New upstream release 4.8.3 +- CVE-2019-14867: Denial of service in IPA server due to wrong use of ber_scanf() +- CVE-2019-10195: Don't log passwords embedded in commands in calls using batch + +* Tue Nov 12 2019 Rob Crittenden - 4.8.2-1 +- New upstream release 4.8.2 +- Replace %%{_libdir} macro in BuildRequires (#1746882) +- Restore user-nsswitch.conf before calling authselect (#1746557) +- ipa service-find does not list cifs service created by + ipa-client-samba (#1731433) +- Occasional 'whoami.data is undefined' error in FreeIPA web UI + (#1699109) +- ipa-kra-install fails due to fs.protected_regular=1 (#1698384) + +* Sun Oct 20 2019 Alexander Bokovoy - 4.8.1-5 +- Don't create log files from helper scripts +- Fixes: rhbz#1754189 + +* Tue Oct 08 2019 Christian Heimes - 4.8.1-4 +- Fix compatibility issue with preexec_fn in Python 3.8 +- Fixes: rhbz#1759290 + +* Tue Oct 1 2019 Alexander Bokovoy - 4.8.1-3 +- Fix ipasam for compatibility with Samba 4.11 +- Fixes: rhbz#1757089 + +* Mon Aug 19 2019 Miro Hrončok - 4.8.1-2 +- Rebuilt for Python 3.8 + +* Wed Aug 14 2019 Alexander Bokovoy - 4.8.1-1 +- New upstream release 4.8.1 +- Fixes: rhbz#1732528 +- Fixes: rhbz#1732524 + +* Thu Jul 25 2019 Fedora Release Engineering - 4.8.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Wed Jul 03 2019 Alexander Bokovoy - 4.8.0-1 +- New upstream release 4.8.0 +- New subpackage: freeipa-client-samba + +* Sat May 11 2019 Alexander Bokovoy - 4.7.90.pre1-6 +- Upgrade: handle situation when trusts were configured but not established yet + Fixed: rhbz#1708808 + +* Fri May 3 2019 Alexander Bokovoy - 4.7.90.pre1-5 +- Add krb5-kdb-server dependency provided by krb5-server >= 1.17-17 
+ +* Fri May 3 2019 Alexander Bokovoy - 4.7.90.pre1-4 +- Rebuild to drop upper limit for Kerberos package + After krb5-server will provide krb5-kdb-version, we'll switch to it + +* Wed May 1 2019 Adam Williamson - 4.7.90.pre1-3 +- Backport PR #3104 to fix a font path error + +* Wed May 1 2019 Alexander Bokovoy - 4.7.90.pre1-2 +- Revert MINSSF defaults because realmd cannot join FreeIPA right now + as it uses anonymous LDAP connection for the discovery and validation + +* Mon Apr 29 2019 Alexander Bokovoy - 4.7.90.pre1-1 +- First release candidate for FreeIPA 4.8.0 + +* Sat Apr 06 2019 Alexander Bokovoy - 4.7.2-8 +- Fixed: rhbz#1696963 (Failed to install replica) + +* Sat Apr 06 2019 Alexander Bokovoy - 4.7.2-7 +- Support Samba 4.10 +- Support 389-ds 1.4.1.2-2.fc30 or later + +* Thu Feb 28 2019 Alexander Bokovoy - 4.7.2-6 +- Support new nfs-utils behavior (#1668836) +- ipa-client-automount now works without /etc/sysconfig/nfs + +* Tue Feb 19 2019 François Cami - 4.7.2-5 +- Fix FTBS due to Samba having removed talloc_strackframe.h + and memory.h (#1678670) +- Fix CA setup when fs.protected_regular=1 (#1677027) + +* Mon Feb 11 2019 Alexander Bokovoy - 4.7.2-4 +- Disable python dependency generator in Rawhide as not all required packages support it yet +- Require python-kdcproxy 0.4.1 or later on Rawhide + +* Fri Feb 8 2019 Alexander Bokovoy - 4.7.2-3 +- Fix compile issues after a mass rebuild using upstream patches + +* Thu Jan 31 2019 Fedora Release Engineering - 4.7.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Mon Dec 03 2018 Alexander Bokovoy - 4.7.2-1 +- Upstream release FreeIPA 4.7.2 + +* Wed Nov 28 2018 Adam Williamson - 4.7.1-4 +- Update PR #2610 patch to tiran's modified version + +* Tue Nov 27 2018 Adam Williamson - 4.7.1-3 +- Backport PR #2610 to fix for authselect 1.0.2+ (see #1645708) + +* Sun Nov 11 2018 Alexander Bokovoy - 4.7.1-2 +- Rebuild for krb5-1.17 (#1648673) +- Bump required SSSD version to 2.0.0-4 to get back 
pysss.getgrouplist() API + +* Fri Oct 5 2018 Rob Crittenden - 4.7.1-1 +- Update to upstream 4.7.1 + +* Tue Sep 25 2018 Christian Heimes - 4.7.0-5 +- Remove Python 2 support from Fedora 30 +- https://fedoraproject.org/wiki/Changes/FreeIPA_Python_2_Removal + +* Tue Sep 4 2018 Thomas Woerner - 4.7.0-4 +- Enable python2 client packages for f30 for now again + +* Tue Sep 4 2018 Thomas Woerner - 4.7.0-3 +- Force generation of aclocal.m4 and configuration scripts +- Fix only client build for Fedora>=28 and RHEL>7 +- Bring back special patch handling for Fedora + +* Mon Sep 3 2018 Thomas Woerner - 4.7.0-2 +- Restore SELinux context of session_dir /etc/httpd/alias (pagure#7662) +- Restore SELinux context of template_dir /var/log/dirsrv/slapd-X (pagure#7662) +- Add "389-ds-base-legacy-tools" to requires +- Refactor os-release and platform information (#1609475) +- Don't check for systemd service (#1609475) +- Switched to upstream spec file with small adaptions + +* Thu Jul 26 2018 Thomas Woerner - 4.7.0-1 +- Update to upstream 4.7.0 +- New BuildRequires for nodejs and uglify-js +- New Requires for 389-ds-base-legacy-tools in server (RHBZ#1606541) +- Do not build python2-ipaserver and python2-ipatests for Fedora 29 and up +- Do not build any python2 packages for Fedora 30 +- Added ipatest man pages to python3-ipatests packages also +- Added ipatest bindir links to python3-ipatests for Fedora up to 28 +- Dropped explicit copy of freeipa.template, install is doing this now +- Added upstream fix: (f3faecb) Fix $-style format string in ipa_ldap_init +- Added upstream fix: (4b592fe,1a7baa2) Added reason to raise of errors.NotFound + +* Mon Jul 16 2018 Alexander Bokovoy - 4.6.90.pre2-11 +- Use version-aware macros for Python + +* Fri Jul 13 2018 Fedora Release Engineering - 4.6.90.pre2-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Mon Jul 02 2018 Miro Hrončok - 4.6.90.pre2-9 +- Rebuilt for Python 3.7 + +* Wed Jun 27 2018 Rob Crittenden - 4.6.90.pre2-8 
+- Build UI using py3-lesscpy + +* Tue Jun 19 2018 Rob Crittenden - 4.6.90.pre2-7 +- *-domainname.service moved to the hostname package in F29 (#1592355) + +* Tue Jun 19 2018 Miro Hrončok - 4.6.90.pre2-6 +- Rebuilt for Python 3.7 + +* Fri Jun 15 2018 Rob Crittenden - 4.6.90.pre2-5 +- Change BuildRequires from python-lesscpy to python3-lesscpy + +* Fri Jun 15 2018 Rob Crittenden - 4.6.90.pre2-4.1 +- Rename service fedora-domainname.service to nis-domainname.service + (#1588192) +- Fix bad date in changelog + +* Wed May 16 2018 Alexander Bokovoy - 4.6.90.pre2-3 +- Fine tune packaging of server templates so that it doesn't include + freeipa.template which always go to freeipa-client-common + +* Tue May 15 2018 Rob Crittenden - 4.6.90.pre2-2 +- Exclude /usr/share from client-only builds + +* Tue May 15 2018 Rob Crittenden - 4.6.90.pre2-1 +- Update to upstream 4.6.90.pre2 + +* Wed May 02 2018 Alexander Bokovoy - 4.6.90.pre1-7 +- Fix upgrade when named.conf does not exist +- Resolves rhbz#1573671 +- Requires newer slapi-nis to avoid hitting rhbz#1573636 + +* Wed Mar 21 2018 Alexander Bokovoy - 4.6.90.pre1-6.1 +- Change upgrade code to use DIR-based ccache and no kinit (#1558818) +- Require pki-symkey until pki-core has proper dependencies + +* Wed Mar 21 2018 Alexander Bokovoy - 4.6.90.pre1-6 +- Change upgrade code to use DIR-based ccache and no kinit (#1558818) + +* Tue Mar 20 2018 Alexander Bokovoy - 4.6.90.pre1-5 +- Apply upstream fix for #1558354 +- Run upgrade under file-based ccache (#1558818) +- Fix OTP token issuance due to regression in https://pagure.io/389-ds-base/issue/49617 + +* Tue Mar 20 2018 Adam Williamson - 4.6.90.pre1-4 +- Fix upgrades harder (extension of -3 patch) (#1558354) + +* Tue Mar 20 2018 Alexander Bokovoy - 4.6.90.pre1-3 +- Fix upgrade from F27 to F28 (#1558354) + +* Mon Mar 19 2018 Rob Crittenden - 4.6.90.pre1-2 +- Patch to fix GUI login for non-admin users (#1557609) + +* Fri Mar 16 2018 Rob Crittenden - 4.6.90.pre1-1 +- Update to upstream 
4.6.90.pre1 + +* Tue Feb 20 2018 Rob Crittenden - 4.6.3-5 +- Disable i686 server builds because 389-ds no longer provides + builds on that arch. (#1544386) + +* Fri Feb 09 2018 Igor Gnatenko - 4.6.3-4 +- Escape macros in %%changelog + +* Thu Feb 8 2018 Rob Crittenden - 4.6.3-3 +- Don't fail on upgrades if KRA is not installed +- Remove Conflicts between mod_wsgi and python3-mod_wsgi + +* Wed Feb 07 2018 Fedora Release Engineering - 4.6.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Wed Jan 31 2018 Rob Crittenden - 4.6.3-1 +- Update to upstream 4.6.3 + +* Wed Jan 03 2018 Lumír Balhar - 4.6.1-5 +- Fix directory ownership in python3 subpackage + +* Tue Oct 17 2017 Rob Crittenden - 4.6.1-4 +- Update workaround patch to prevent SELinux execmem AVC (#1491508) + +* Mon Oct 16 2017 Alexander Bokovoy - 4.6.1-3 +- Another attempt at fix for bug #1491053 + +* Fri Oct 06 2017 Tomas Krizek - 4.6.1-2 +- Rebuild against krb5-1.16 + +* Fri Sep 22 2017 Tomas Krizek - 4.6.1-1 +- Fixes #1491053 Firefox reports insecure TLS configuration when visiting + FreeIPA web UI after standard server deployment + +* Wed Sep 13 2017 Adam Williamson - 4.6.0-3 +- Fixes #1490762 Ipa-server-install update dse.ldif with wrong SELinux context +- Fixes #1491056 FreeIPA enrolment via kickstart fails + +* Wed Sep 06 2017 Adam Williamson - 4.6.0-2 +- Fixes #1488640 "unknown command 'undefined'" error when changing password in web UI +- BuildRequires diffstat (for the use in patch application) + +* Mon Sep 04 2017 Tomas Krizek - 4.6.0-1 +- Rebase to upstream 4.6.0 + +* Wed Aug 02 2017 Fedora Release Engineering - 4.5.3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Wed Jul 26 2017 Fedora Release Engineering - 4.5.3-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Fri Jul 21 2017 Tomas Krizek - 4.5.3-1 +- Update to upstream 4.5.3 - see https://www.freeipa.org/page/Releases/4.5.3 + +* Thu Jul 13 2017 Alexander 
Bokovoy - 4.5.2-4 +- Make sure tmpfiles.d snippet for replica is in place after install + +* Mon Jul 10 2017 Alexander Bokovoy - 4.5.2-3 +- Fix build with Samba 4.7.0-RC1 +- Increase java stack for rhino calls to get around crashes on ppc64-le + +* Tue Jun 20 2017 Tomas Krizek - 4.5.2-2 +- Patch: Fix IP address checks +- Patch: python-netifaces fix + +* Sun Jun 18 2017 Tomas Krizek - 4.5.2-1 +- Update to upstream 4.5.2 - see https://www.freeipa.org/page/Releases/4.5.2 + +* Thu May 25 2017 Tomas Krizek - 4.5.1-1 +- Update to upstream 4.5.1 - see https://www.freeipa.org/page/Releases/4.5.1 +- Fixes #1168266 UI drops "Enknown Error" when the ipa record in /etc/hosts changes + +* Tue May 23 2017 Tomas Krizek - 4.4.4-2 +- Fixes #1448049 Subpackage freeipa-server-common has unmet dependencies on Rawhide +- Fixes #1430247 FreeIPA server deployment runs ipa-custodia on Python 3, should use Python 2 +- Fixes #1446744 python2-ipaclient subpackage does not own %%{python_sitelib}/ipaclient/plugins +- Fixes #1440525 surplus 'the' in output of `ipa-adtrust-install` +- Fixes #1411810 ipa-replica-install fails with 406 Client Error +- Fixes #1405814 ipa plugins: ERROR an internal error occured + +* Fri Mar 24 2017 Tomas Krizek - 4.4.4-1 +- Update to upstream 4.4.4 - see https://www.freeipa.org/page/Releases/4.4.4 +- Add upstream signature file for tarball + +* Wed Mar 1 2017 Alexander Bokovoy - 4.4.3-8 +- Use different method to keep /usr/bin/ipa on Python 2 +- Fixes #1426847 + +* Mon Feb 27 2017 Tomas Krizek - 4.4.3-7 +- Fixes #1413137 CVE-2017-2590 ipa: Insufficient permission check for + ca-del, ca-disable and ca-enable commands + +* Mon Feb 27 2017 Alexander Bokovoy - 4.4.3-6 +- Rebuild to pick up system-python dependency change +- Fixes #1426847 - Cannot upgrade freeipa-client on rawhide + +* Wed Feb 15 2017 Tomas Krizek - 4.4.3-5 +- Fixes #1403352 - bind-dyndb-ldap: support new named.conf API in BIND 9.11 +- Fixes #1412739 - ipa-kdb: support DAL version 6.1 + +* Fri Feb 10 
2017 Fedora Release Engineering - 4.4.3-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sat Jan 21 2017 Igor Gnatenko - 4.4.3-3 +- Rebuild for xmlrpc-c + +* Thu Dec 22 2016 Miro Hrončok - 4.4.3-2 +- Rebuild for Python 3.6 + +* Fri Dec 16 2016 Pavel Vomacka - 4.4.3-1 +- Update to upstream 4.4.3 - see http://www.freeipa.org/page/Releases/4.4.3 + +* Wed Dec 14 2016 Pavel Vomacka - 4.4.2-4 +- Fixes 1395311 - CVE-2016-9575 ipa: Insufficient permission check in certprofile-mod +- Fixes 1370493 - CVE-2016-7030 ipa: DoS attack against kerberized services + by abusing password policy + +* Tue Nov 29 2016 Petr Vobornik - 4.4.2-3 +- Fixes 1389866 krb5-server: ipadb_change_pwd(): kdb5_util killed by SIGSEGV + +* Fri Oct 21 2016 Petr Vobornik - 4.4.2-2 +- Rebuild against krb5-1.15 + +* Thu Oct 13 2016 Petr Vobornik - 4.4.2-1 +- Update to upstream 4.4.2 - see http://www.freeipa.org/page/Releases/4.4.2 + +* Thu Sep 01 2016 Alexander Bokovoy - 4.4.1-1 +- Update to upstream 4.4.1 - see http://www.freeipa.org/page/Releases/4.4.1 + +* Fri Aug 19 2016 Petr Vobornik - 4.3.2-2 +- Fixes 1365669 - The ipa-server-upgrade command failed when named-pkcs11 does + not happen to run during dnf upgrade +- Fixes 1367883 - CVE-2016-5404 freeipa: ipa: Insufficient privileges check + in certificate revocation +- Fixes 1364338 - Freeipa cannot be build on fedora 25 + +* Fri Jul 22 2016 Petr Vobornik - 4.3.2-1 +- Update to upstream 4.3.2 - see http://www.freeipa.org/page/Releases/4.3.2 + +* Tue Jul 19 2016 Fedora Release Engineering - 4.3.1-2 +- https://fedoraproject.org/wiki/Changes/Automatic_Provides_for_Python_RPM_Packages + +* Thu Mar 24 2016 Petr Vobornik - 4.3.1-1 +- Update to upstream 4.3.1 - see http://www.freeipa.org/page/Releases/4.3.1 + +* Thu Feb 04 2016 Petr Vobornik - 4.3.0-3 +- Fix build with Samba 4.4 +- Update SELinux requires to fix connection check during installation + +* Wed Feb 03 2016 Fedora Release Engineering - 4.3.0-2 +- Rebuilt for 
https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Dec 18 2015 Petr Vobornik - 4.3.0-1 +- Update to upstream 4.3.0 - see http://www.freeipa.org/page/Releases/4.3.0 + +* Mon Dec 07 2015 Petr Vobornik - 4.2.3-2 +- Workarounds for SELinux execmem violations in cryptography + +* Mon Nov 02 2015 Petr Vobornik - 4.2.3-1 +- Update to upstream 4.2.3 - see http://www.freeipa.org/page/Releases/4.2.3 +- fix #1274905 + +* Wed Oct 21 2015 Alexander Bokovoy - 4.2.2-2 +- Depend on samba-common-tools for the trust-ad subpackage after + samba package split +- Rebuild against krb5 1.14 to fix bug #1273957 + +* Thu Oct 8 2015 Petr Vobornik - 4.2.2-1 +- Update to upstream 4.2.2 - see http://www.freeipa.org/page/Releases/4.2.2 + +* Mon Sep 7 2015 Petr Vobornik - 4.2.1-1 +- Update to upstream 4.2.1 - see http://www.freeipa.org/page/Releases/4.2.1 + +* Wed Jun 17 2015 Fedora Release Engineering - 4.1.4-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue May 12 2015 Alexander Bokovoy - 4.1.4-4 +- Fix typo in the patch to fix bug #1219834 + +* Mon May 11 2015 Alexander Bokovoy - 4.1.4-3 +- Fix FreeIPA trusts to AD feature with Samba 4.2 (#1219834) + +* Mon Mar 30 2015 Petr Vobornik - 4.1.4-2 +- Replace mod_auth_kerb usage with mod_auth_gssapi + +* Thu Mar 26 2015 Alexander Bokovoy - 4.1.4-1 +- Update to upstream 4.1.4 - see http://www.freeipa.org/page/Releases/4.1.4 +- fix CVE-2015-1827 (#1206047) +- Require slapi-nis 0.54.2 and newer for CVE-2015-0283 fixes + +* Tue Mar 17 2015 Petr Vobornik - 4.1.3-3 +- Timeout ipa-client install if ntp server is unreachable #4842 +- Skip time sync during client install when using --no-ntp #4842 + +* Wed Mar 04 2015 Petr Vobornik - 4.1.3-2 +- Add missing sssd python dependencies +- https://bugzilla.redhat.com/show_bug.cgi?id=1197218 + +* Wed Feb 18 2015 Petr Vobornik - 4.1.3-1 +- Update to upstream 4.1.3 - see http://www.freeipa.org/page/Releases/4.1.3 + +* Mon Jan 19 2015 Alexander Bokovoy - 4.1.2-2 +- Fix broken 
build after Samba ABI change and rename of libpdb to libsamba-passdb +- Use python-dateutil15 until we validate python-dateutil 2.x + +* Tue Nov 25 2014 Petr Vobornik - 4.1.2-1 +- Update to upstream 4.1.2 - see http://www.freeipa.org/page/Releases/4.1.2 +- fix CVE-2014-7850 + +* Thu Nov 20 2014 Simo Sorce - 4.1.1-2 +- Patch blokers and feature freze exceptions +- Resolves: bz1165674 +- Resolves: bz1165856 (CVE-2014-7850) +- Fixes DNS install issue that prevents the server from working + +* Thu Nov 06 2014 Petr Vobornik - 4.1.1-1 +- Update to upstream 4.1.1 - see http://www.freeipa.org/page/Releases/4.1.1 +- fix CVE-2014-7828 + +* Wed Oct 22 2014 Petr Vobornik - 4.1.0-2 +- fix armv7hl stack oversize build failure +- fix https://fedorahosted.org/freeipa/ticket/4660 + +* Tue Oct 21 2014 Petr Vobornik - 4.1.0-1 +- Update to upstream 4.1.0 - see http://www.freeipa.org/page/Releases/4.1.0 + +* Fri Sep 12 2014 Petr Viktorin - 4.0.3-1 +- Update to upstream 4.0.3 - see http://www.freeipa.org/page/Releases/4.0.3 + +* Fri Sep 05 2014 Petr Viktorin - 4.0.2-1 +- Update to upstream 4.0.1 - see http://www.freeipa.org/page/Releases/4.0.2 + +* Tue Sep 02 2014 Pádraig Brady - 4.0.1-3 +- rebuild for libunistring soname bump + +* Sat Aug 16 2014 Fedora Release Engineering - 4.0.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Fri Jul 25 2014 Martin Kosek 4.0.1-1 +- Update to upstream 4.0.1 + +* Mon Jul 07 2014 Petr Viktorin 4.0.0-1 +- Update to upstream 4.0.0 +- Remove the server-strict package + +* Sat Jun 07 2014 Fedora Release Engineering - 3.3.5-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 21 2014 Petr Vobornik 3.3.5-3 +- Increase Java stack size for Web UI build on aarch64 + +* Wed Apr 16 2014 Peter Robinson 3.3.5-2 +- Add rhino as dependency to fix FTBFS + +* Fri Mar 28 2014 Martin Kosek - 3.3.5-1 +- Update to upstream 3.3.5 + +* Tue Feb 11 2014 Martin Kosek - 3.3.4-3 +- Move ipa-otpd socket directory to 
/var/run/krb5kdc +- Require krb5-server 1.11.5-3 supporting the new directory +- ipa_lockout plugin did not work with users's without krbPwdPolicyReference + +* Wed Jan 29 2014 Martin Kosek - 3.3.4-2 +- Fix hardened build + +* Tue Jan 28 2014 Martin Kosek - 3.3.4-1 +- Update to upstream 3.3.4 +- Install CA anchor into standard location (#928478) +- ipa-client-install part of ipa-server-install fails on reinstall (#1044994) +- Remove mod_ssl workaround (RHEL bug #1029046) +- Enable syncrepl plugin to support bind-dyndb-ldap 4.0 + +* Fri Jan 3 2014 Martin Kosek - 3.3.3-5 +- Build crashed with rhino exception on s390 architectures (#1040576) + +* Thu Dec 12 2013 Martin Kosek - 3.3.3-4 +- Build crashed with rhino exception on PPC architectures (#1040576) + +* Tue Dec 3 2013 Martin Kosek - 3.3.3-3 +- Fix -Werror=format-security errors (#1037070) + +* Mon Nov 4 2013 Martin Kosek - 3.3.3-2 +- ipa-server-install crashed when freeipa-server-trust-ad subpackage was not + installed + +* Fri Nov 1 2013 Martin Kosek - 3.3.3-1 +- Update to upstream 3.3.3 + +* Fri Oct 4 2013 Martin Kosek - 3.3.2-1 +- Update to upstream 3.3.2 + +* Thu Aug 29 2013 Petr Viktorin - 3.3.1-1 +- Bring back Fedora-only changes + +* Thu Aug 29 2013 Petr Viktorin - 3.3.1-0 +- Update to upstream 3.3.1 + +* Wed Aug 14 2013 Alexander Bokovoy - 3.3.0-2 +- Remove freeipa-systemd-upgrade as non-systemd installs are not supported + anymore by Fedora project + +* Wed Aug 7 2013 Martin Kosek - 3.3.0-1 +- Update to upstream 3.3.0 + +* Sat Aug 03 2013 Fedora Release Engineering - 3.2.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Wed Jul 17 2013 Martin Kosek - 3.2.2-1 +- Update to upstream 3.2.2 +- Drop freeipa-server-selinux subpackage +- Drop redundant directory /var/cache/ipa/sessions +- Do not create /var/lib/ipa/pki-ca/publish, retain reference as ghost +- Run ipa-upgradeconfig and server restart in posttrans to avoid inconsistency + issues when there are still old parts of 
software (like entitlements plugin) + +* Fri Jun 7 2013 Martin Kosek - 3.2.1-1 +- Update to upstream 3.2.1 + +* Tue May 14 2013 Rob Crittenden - 3.2.0-2 +- Add OTP patches +- Add patch to set KRB5CCNAME for 389-ds-base + +* Fri May 10 2013 Rob Crittenden - 3.2.0-1 +- Update to upstream 3.2.0 GA +- ipa-client-install fails if /etc/ipa does not exist (#961483) +- Certificate status is not visible in Service and Host page (#956718) +- ipa-client-install removes needed options from ldap.conf (#953991) +- Handle socket.gethostbyaddr() exceptions when verifying hostnames (#953957) +- Add triggerin scriptlet to support OpenSSH 6.2 (#953617) +- Require nss 3.14.3-12.0 to address certutil certificate import + errors (#953485) +- Require pki-ca 10.0.2-3 to pull in fix for sslget and mixed IPv4/6 + environments. (#953464) +- ipa-client-install removes 'sss' from /etc/nsswitch.conf (#953453) +- ipa-server-install --uninstall doesn't stop dirsrv instances (#953432) +- Add requires for openldap-2.4.35-4 to pickup fixed SASL_NOCANON behavior for + socket based connections (#960222) +- Require libsss_nss_idmap-python +- Add Conflicts on nss-pam-ldapd < 0.8.4. The mapping from uniqueMember to + member is now done automatically and having it in the config file raises + an error. +- Add backup and restore tools, directory. +- require at least systemd 38 which provides the journal (we no longer + need to require syslog.target) +- Update Requires on policycoreutils to 2.1.14-37 +- Update Requires on selinux-policy to 3.12.1-42 +- Update Requires on 389-ds-base to 1.3.1.0 +- Remove a Requires for java-atk-wrapper + +* Tue Apr 23 2013 Rob Crittenden - 3.2.0-0.4.beta1 +- Remove release from krb5-server in strict sub-package to allow for rebuilds. + +* Mon Apr 22 2013 Rob Crittenden - 3.2.0-0.3.beta1 +- Add a Requires for java-atk-wrapper until we can determine which package + should be pulling it in, dogtag or tomcat. 
+ +* Tue Apr 16 2013 Rob Crittenden - 3.2.0-0.2.beta1 +- Update to upstream 3.2.0 Beta 1 + +* Tue Apr 2 2013 Martin Kosek - 3.2.0-0.1.pre1 +- Update to upstream 3.2.0 Prerelease 1 +- Use upstream reference spec file as a base for Fedora spec file + +* Sat Mar 30 2013 Kevin Fenzi 3.1.2-4 +- Rebuild for broken deps +- Fix 389-ds-base strict dep to be 1.3.0.5 and krb5-server 1.11.1 + +* Sat Feb 23 2013 Kevin Fenzi - 3.1.2-3 +- Rebuild for broken deps in rawhide +- Fix 389-ds-base strict dep to be 1.3.0.3 + +* Wed Feb 13 2013 Fedora Release Engineering - 3.1.2-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Wed Jan 23 2013 Rob Crittenden - 3.1.2-1 +- Update to upstream 3.1.2 +- CVE-2012-4546: Incorrect CRLs publishing +- CVE-2012-5484: MITM Attack during Join process +- CVE-2013-0199: Cross-Realm Trust key leak +- Updated strict dependencies to 389-ds-base = 1.3.0.2 and + pki-ca = 10.0.1 + +* Thu Dec 20 2012 Martin Kosek - 3.1.0-2 +- Remove redundat Requires versions that are already in Fedora 17 +- Replace python-crypto Requires with m2crypto +- Add missing Requires(post) for client and server-trust-ad subpackages +- Restart httpd service when server-trust-ad subpackage is installed +- Bump selinux-policy Requires to pick up PKI/LDAP port labeling fixes + +* Mon Dec 10 2012 Rob Crittenden - 3.1.0-1 +- Updated to upstream 3.1.0 GA +- Set minimum for sssd to 1.9.2 +- Set minimum for pki-ca to 10.0.0-1 +- Set minimum for 389-ds-base to 1.3.0 +- Set minimum for selinux-policy to 3.11.1-60 +- Remove unneeded dogtag package requires + +* Tue Oct 23 2012 Martin Kosek - 3.0.0-3 +- Update Requires on krb5-server to 1.11 + +* Fri Oct 12 2012 Rob Crittenden - 3.0.0-2 +- Configure CA replication to use TLS instead of SSL + +* Fri Oct 12 2012 Rob Crittenden - 3.0.0-1 +- Updated to upstream 3.0.0 GA +- Set minimum for samba to 4.0.0-153. 
+- Make sure server-trust-ad subpackage alternates winbind_krb5_locator.so + plugin to /dev/null since they cannot be used when trusts are configured +- Restrict krb5-server to 1.10. +- Update BR for 389-ds-base to 1.3.0 +- Add directory /var/lib/ipa/pki-ca/publish for CRL published by pki-ca +- Add Requires on zip for generating FF browser extension + +* Fri Oct 5 2012 Rob Crittenden - 3.0.0-0.10 +- Updated to upstream 3.0.0 rc 2 +- Include new FF configuration extension +- Set minimum Requires of selinux-policy to 3.11.1-33 +- Set minimum Requires dogtag to 10.0.0-0.43.b1 +- Add new optional strict sub-package to allow users to limit other + package upgrades. + +* Tue Oct 2 2012 Martin Kosek - 3.0.0-0.9 +- Require samba packages instead of obsoleted samba4 packages + +* Fri Sep 21 2012 Rob Crittenden - 3.0.0-0.8 +- Updated to upstream 3.0.0 rc 1 +- Update BR for 389-ds-base to 1.2.11.14 +- Update BR for krb5 to 1.10 +- Update BR for samba4-devel to 4.0.0-139 (rc1) +- Add BR for python-polib +- Update BR and Requires on sssd to 1.9.0 +- Update Requires on policycoreutils to 2.1.12-5 +- Update Requires on 389-ds-base to 1.2.11.14 +- Update Requires on selinux-policy to 3.11.1-21 +- Update Requires on dogtag to 10.0.0-0.33.a1 +- Update Requires on certmonger to 0.60 +- Update Requires on tomcat to 7.0.29 +- Update minimum version of bind to 9.9.1-10.P3 +- Update minimum version of bind-dyndb-ldap to 1.1.0-0.16.rc1 +- Remove Requires on authconfig from python sub-package + +* Wed Sep 5 2012 Rob Crittenden - 3.0.0-0.7 +- Rebuild against samba4 beta8 + +* Fri Aug 31 2012 Rob Crittenden - 3.0.0-0.6 +- Rebuild against samba4 beta7 + +* Wed Aug 22 2012 Alexander Bokovoy - 3.0.0-0.5 +- Adopt to samba4 beta6 (libsecurity -> libsamba-security) +- Add dependency to samba4-winbind + +* Fri Aug 17 2012 Rob Crittenden - 3.0.0-0.4 +- Updated to upstream 3.0.0 beta 2 + +* Mon Aug 6 2012 Martin Kosek - 3.0.0-0.3 +- Updated to current upstream state of 3.0.0 beta 2 development + +* 
Mon Jul 23 2012 Alexander Bokovoy - 3.0.0-0.2 +- Rebuild against samba4 beta4 + +* Mon Jul 2 2012 Rob Crittenden - 3.0.0-0.1 +- Updated to upstream 3.0.0 beta 1 + +* Thu May 3 2012 Rob Crittenden - 2.2.0-1 +- Updated to upstream 2.2.0 GA +- Update minimum n-v-r of certmonger to 0.53 +- Update minimum n-v-r of slapi-nis to 0.40 +- Add Requires in client to oddjob-mkhomedir and python-krbV +- Update minimum selinux-policy to 3.10.0-110 + +* Mon Mar 19 2012 Rob Crittenden - 2.1.90-0.2 +- Update to upstream 2.2.0 beta 1 (2.1.90.rc1) +- Set minimum n-v-r for pki-ca and pki-silent to 9.0.18. +- Add Conflicts on mod_ssl +- Update minimum n-v-r of 389-ds-base to 1.2.10.4 +- Update minimum n-v-r of sssd to 1.8.0 +- Update minimum n-v-r of slapi-nis to 0.38 +- Update minimum n-v-r of pki-* to 9.0.18 +- Update conflicts on bind-dyndb-ldap to < 1.1.0-0.9.b1 +- Update conflicts on bind to < 9.9.0-1 +- Drop requires on krb5-server-ldap +- Add patch to remove escaping arguments to pkisilent + +* Mon Feb 06 2012 Rob Crittenden - 2.1.90-0.1 +- Update to upstream 2.2.0 alpha 1 (2.1.90.pre1) + +* Wed Feb 01 2012 Alexander Bokovoy - 2.1.4-5 +- Force to use 389-ds 1.2.10-0.8.a7 or above +- Improve upgrade script to handle systemd 389-ds change +- Fix freeipa to work with python-ldap 2.4.6 + +* Wed Jan 11 2012 Martin Kosek - 2.1.4-4 +- Fix ipa-replica-install crashes +- Fix ipa-server-install and ipa-dns-install logging +- Set minimum version of pki-ca to 9.0.17 to fix sslget problem + caused by FEDORA-2011-17400 update (#771357) + +* Wed Dec 21 2011 Alexander Bokovoy - 2.1.4-3 +- Allow Web-based migration to work with tightened SE Linux policy (#769440) +- Rebuild slapi plugins against re-enterant version of libldap + +* Sun Dec 11 2011 Alexander Bokovoy - 2.1.4-2 +- Allow longer dirsrv startup with systemd: + - IPAdmin class will wait until dirsrv instance is available up to 10 seconds + - Helps with restarts during upgrade for ipa-ldap-updater +- Fix pylint warnings from F16 and 
Rawhide + +* Tue Dec 6 2011 Rob Crittenden - 2.1.4-1 +- Update to upstream 2.1.4 (CVE-2011-3636) + +* Mon Dec 5 2011 Rob Crittenden - 2.1.3-8 +- Update SELinux policy to allow ipa_kpasswd to connect ldap and + read /dev/urandom. (#759679) + +* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-7 +- Fix wrong path in packaging freeipa-systemd-upgrade + +* Wed Nov 30 2011 Alexander Bokovoy - 2.1.3-6 +- Introduce upgrade script to recover existing configuration after systemd migration + as user has no means to recover FreeIPA from systemd migration +- Upgrade script: + - recovers symlinks in Dogtag instance install + - recovers systemd configuration for FreeIPA's directory server instances + - recovers freeipa.service + - migrates directory server and KDC configs to use proper keytabs for systemd services + +* Wed Oct 26 2011 Fedora Release Engineering - 2.1.3-5 +- Rebuilt for glibc bug#747377 + +* Wed Oct 19 2011 Alexander Bokovoy - 2.1.3-4 +- clean up spec +- Depend on sssd >= 1.6.2 for better user experience + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-3 +- Fix Fedora package changelog after merging systemd changes + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-2 +- Fix postin scriplet for F-15/F-16 + +* Tue Oct 18 2011 Alexander Bokovoy - 2.1.3-1 +- 2.1.3 + +* Mon Oct 17 2011 Alexander Bokovoy - 2.1.2-1 +- Default to systemd for Fedora 16 and onwards + +* Tue Aug 16 2011 Rob Crittenden - 2.1.0-1 +- Update to upstream 2.1.0 + +* Fri May 6 2011 Simo Sorce - 2.0.1-2 +- Fix bug #702633 + +* Mon May 2 2011 Rob Crittenden - 2.0.1-1 +- Update minimum selinux-policy to 3.9.16-18 +- Update minimum pki-ca and pki-selinux to 9.0.7 +- Update minimum 389-ds-base to 1.2.8.0-1 +- Update to upstream 2.0.1 + +* Thu Mar 24 2011 Rob Crittenden - 2.0.0-1 +- Update to upstream GA release +- Automatically apply updates when the package is upgraded + +* Fri Feb 25 2011 Rob Crittenden - 2.0.0-0.4.rc2 +- Update to upstream freeipa-2.0.0.rc2 +- Set minimum version of python-nss to 0.11 to make 
sure IPv6 support is in +- Set minimum version of sssd to 1.5.1 +- Patch to include SuiteSpotGroup when setting up 389-ds instances +- Move a lot of BuildRequires so this will build with ONLY_CLIENT enabled + +* Tue Feb 15 2011 Rob Crittenden - 2.0.0-0.3.rc1 +- Set the N-V-R so rc1 is an update to beta2. + +* Mon Feb 14 2011 Rob Crittenden - 2.0.0-0.1.rc1 +- Set minimum version of sssd to 1.5.1 +- Update to upstream freeipa-2.0.0.rc1 +- Move server-only binaries from admintools subpackage to server + +* Tue Feb 08 2011 Fedora Release Engineering - 2.0.0-0.2.beta2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Feb 3 2011 Rob Crittenden - 2.0.0-0.1.beta2 +- Set min version of 389-ds-base to 1.2.8 +- Set min version of mod_nss 1.0.8-10 +- Set min version of selinux-policy to 3.9.7-27 +- Add dogtag themes to Requires +- Update to upstream freeipa-2.0.0.pre2 + +* Thu Jan 27 2011 Rob Crittenden - 2.0.0-0.2.beta.git80e87e7 +- Remove unnecessary moving of v1 CA serial number file in post script +- Add Obsoletes for server-selinxu subpackage +- Using git snapshot 442d6ad30ce1156914e6245aa7502499e50ec0da + +* Wed Jan 26 2011 Rob Crittenden - 2.0.0-0.1.beta.git80e87e7 +- Prepare spec file for release +- Using git snapshot 80e87e75bd6ab56e3e20c49ece55bd4d52f1a503 + +* Tue Jan 25 2011 Rob Crittenden - 1.99-41 +- Re-arrange doc and defattr to clean up rpmlint warnings +- Remove conditionals on older releases +- Move some man pages into admintools subpackage +- Remove some explicit Requires in client that aren't needed +- Consistent use of buildroot vs RPM_BUILD_ROOT + +* Wed Jan 19 2011 Adam Young - 1.99-40 +- Moved directory install/static to install/ui + +* Thu Jan 13 2011 Simo Sorce - 1.99-39 +- Remove dependency on nss_ldap/nss-pam-ldapd +- The official client is sssd and that's what we use by default. 
+ +* Thu Jan 13 2011 Simo Sorce - 1.99-38 +- Remove radius subpackages + +* Thu Jan 13 2011 Rob Crittenden - 1.99-37 +- Set minimum pki-ca and pki-silent versions to 9.0.0 + +* Wed Jan 12 2011 Rob Crittenden - 1.99-36 +- Drop BuildRequires on mozldap-devel + +* Mon Dec 13 2010 Rob Crittenden - 1.99-35 +- Add Requires on krb5-pkinit-openssl + +* Fri Dec 10 2010 Jr Aquino - 1.99-34 +- Add ipa-host-net-manage script + +* Tue Dec 7 2010 Simo Sorce - 1.99-33 +- Add ipa init script + +* Fri Nov 19 2010 Rob Crittenden - 1.99-32 +- Set minimum level of 389-ds-base to 1.2.7 for enhanced memberof plugin + +* Wed Nov 3 2010 Rob Crittenden - 1.99-31 +- remove ipa-fix-CVE-2008-3274 + +* Wed Oct 6 2010 Rob Crittenden - 1.99-30 +- Remove duplicate %%files entries on share/ipa/static +- Add python default encoding shared library + +* Mon Sep 20 2010 Rob Crittenden - 1.99-29 +- Drop requires on python-configobj (not used any more) +- Drop ipa-ldap-updater message, upgrades are done differently now + +* Wed Sep 8 2010 Rob Crittenden - 1.99-28 +- Drop conflicts on mod_nss +- Require nss-pam-ldapd on F-14 or higher instead of nss_ldap (#606847) +- Drop a slew of conditionals on older Fedora releases (< 12) +- Add a few conditionals against RHEL 6 +- Add Requires of nss-tools on ipa-client + +* Fri Aug 13 2010 Rob Crittenden - 1.99-27 +- Set minimum version of certmonger to 0.26 (to pck up #621670) +- Set minimum version of pki-silent to 1.3.4 (adds -key_algorithm) +- Set minimum version of pki-ca to 1.3.6 +- Set minimum version of sssd to 1.2.1 + +* Tue Aug 10 2010 Rob Crittenden - 1.99-26 +- Add BuildRequires for authconfig + +* Mon Jul 19 2010 Rob Crittenden - 1.99-25 +- Bump up minimum version of python-nss to pick up nss_is_initialize() API + +* Thu Jun 24 2010 Adam Young - 1.99-24 +- Removed python-asset based webui + +* Thu Jun 24 2010 Rob Crittenden - 1.99-23 +- Change Requires from fedora-ds-base to 389-ds-base +- Set minimum level of 389-ds-base to 1.2.6 for the replication + 
version plugin. + +* Tue Jun 1 2010 Rob Crittenden - 1.99-22 +- Drop Requires of python-krbV on ipa-client + +* Mon May 17 2010 Rob Crittenden - 1.99-21 +- Load ipa_dogtag.pp in post install + +* Mon Apr 26 2010 Rob Crittenden - 1.99-20 +- Set minimum level of sssd to 1.1.1 to pull in required hbac fixes. + +* Thu Mar 4 2010 Rob Crittenden - 1.99-19 +- No need to create /var/log/ipa_error.log since we aren't using + TurboGears any more. + +* Mon Mar 1 2010 Jason Gerard DeRose - 1.99-18 +- Fixed share/ipa/wsgi.py so .pyc, .pyo files are included + +* Wed Feb 24 2010 Jason Gerard DeRose - 1.99-17 +- Added Require mod_wsgi, added share/ipa/wsgi.py + +* Thu Feb 11 2010 Jason Gerard DeRose - 1.99-16 +- Require python-wehjit >= 0.2.2 + +* Wed Feb 3 2010 Rob Crittenden - 1.99-15 +- Add sssd and certmonger as a Requires on ipa-client + +* Wed Jan 27 2010 Jason Gerard DeRose - 1.99-14 +- Require python-wehjit >= 0.2.0 + +* Fri Dec 4 2009 Rob Crittenden - 1.99-13 +- Add ipa-rmkeytab tool + +* Tue Dec 1 2009 Rob Crittenden - 1.99-12 +- Set minimum of python-pyasn1 to 0.0.9a so we have support for the ASN.1 + Any type + +* Wed Nov 25 2009 Rob Crittenden - 1.99-11 +- Remove v1-style /etc/ipa/ipa.conf, replacing with /etc/ipa/default.conf + +* Fri Nov 13 2009 Rob Crittenden - 1.99-10 +- Add bash completion script and own /etc/bash_completion.d in case it + doesn't already exist + +* Tue Nov 3 2009 Rob Crittenden - 1.99-9 +- Remove ipa_webgui, its functions rolled into ipa_httpd + +* Mon Oct 12 2009 Jason Gerard DeRose - 1.99-8 +- Removed python-cherrypy from BuildRequires and Requires +- Added Requires python-assets, python-wehjit + +* Mon Aug 24 2009 Rob Crittenden - 1.99-7 +- Added httpd SELinux policy so CRLs can be read + +* Thu May 21 2009 Rob Crittenden - 1.99-6 +- Move ipalib to ipa-python subpackage +- Bump minimum version of slapi-nis to 0.15 + +* Wed May 6 2009 Rob Crittenden - 1.99-5 +- Set 0.14 as minimum version for slapi-nis + +* Wed Apr 22 2009 Rob Crittenden - 
1.99-4 +- Add Requires: python-nss to ipa-python sub-package + +* Thu Mar 5 2009 Rob Crittenden - 1.99-3 +- Remove the IPA DNA plugin, use the DS one + +* Wed Mar 4 2009 Rob Crittenden - 1.99-2 +- Build radius separately +- Fix a few minor issues + +* Tue Feb 3 2009 Rob Crittenden - 1.99-1 +- Replace TurboGears requirement with python-cherrypy + +* Sat Jan 17 2009 Tomas Mraz - 1.2.1-3 +- rebuild with new openssl + +* Fri Dec 19 2008 Dan Walsh - 1.2.1-2 +- Fix SELinux code + +* Mon Dec 15 2008 Simo Sorce - 1.2.1-1 +- Fix breakage caused by python-kerberos update to 1.1 + +* Fri Dec 5 2008 Simo Sorce - 1.2.1-0 +- New upstream release 1.2.1 + +* Sat Nov 29 2008 Ignacio Vazquez-Abrams - 1.2.0-4 +- Rebuild for Python 2.6 + +* Fri Nov 14 2008 Simo Sorce - 1.2.0-3 +- Respin after the tarball has been re-released upstream + New hash is 506c9c92dcaf9f227cba5030e999f177 + +* Thu Nov 13 2008 Simo Sorce - 1.2.0-2 +- Conditionally restart also dirsrv and httpd when upgrading + +* Wed Oct 29 2008 Rob Crittenden - 1.2.0-1 +- Update to upstream version 1.2.0 +- Set fedora-ds-base minimum version to 1.1.3 for winsync header +- Set the minimum version for SELinux policy +- Remove references to Fedora 7 + +* Wed Jul 23 2008 Simo Sorce - 1.1.0-3 +- Fix for CVE-2008-3274 +- Fix segfault in ipa-kpasswd in case getifaddrs returns a NULL interface +- Add fix for bug #453185 +- Rebuild against openldap libraries, mozldap ones do not work properly +- TurboGears is currently broken in rawhide. Added patch to not build + the UI locales and removed them from the ipa-server files section. 
+ +* Wed Jun 18 2008 Rob Crittenden - 1.1.0-2 +- Add call to /usr/sbin/upgradeconfig to post install + +* Wed Jun 11 2008 Rob Crittenden - 1.1.0-1 +- Update to upstream version 1.1.0 +- Patch for indexing memberof attribute +- Patch for indexing uidnumber and gidnumber +- Patch to change DNA default values for replicas +- Patch to fix uninitialized variable in ipa-getkeytab + +* Fri May 16 2008 Rob Crittenden - 1.0.0-5 +- Set fedora-ds-base minimum version to 1.1.0.1-4 and mod_nss minimum + version to 1.0.7-4 so we pick up the NSS fixes. +- Add selinux-policy-base(post) to Requires (446496) + +* Tue Apr 29 2008 Rob Crittenden - 1.0.0-4 +- Add missing entry for /var/cache/ipa/kpasswd (444624) +- Added patch to fix permissions problems with the Apache NSS database. +- Added patch to fix problem with DNS querying where the query could be + returned as the answer. +- Fix spec error where patch1 was in the wrong section + +* Fri Apr 25 2008 Rob Crittenden - 1.0.0-3 +- Added patch to fix problem reported by ldapmodify + +* Fri Apr 25 2008 Rob Crittenden - 1.0.0-2 +- Fix Requires for krb5-server that was missing for Fedora versions > 9 +- Remove quotes around test for fedora version to package egg-info + +* Fri Apr 18 2008 Rob Crittenden - 1.0.0-1 +- Update to upstream version 1.0.0 + +* Tue Mar 18 2008 Rob Crittenden 0.99-12 +- Pull upstream changelog 722 +- Add Conflicts mod_ssl (435360) + +* Fri Feb 29 2008 Rob Crittenden 0.99-11 +- Pull upstream changelog 698 +- Fix ownership of /var/log/ipa_error.log during install (435119) +- Add pwpolicy command and man page + +* Thu Feb 21 2008 Rob Crittenden 0.99-10 +- Pull upstream changelog 678 +- Add new subpackage, ipa-server-selinux +- Add Requires: authconfig to ipa-python (bz #433747) +- Package i18n files + +* Mon Feb 18 2008 Rob Crittenden 0.99-9 +- Pull upstream changelog 641 +- Require minimum version of krb5-server on F-7 and F-8 +- Package some new files + +* Thu Jan 31 2008 Rob Crittenden 0.99-8 +- Marked with wrong 
license. IPA is GPLv2. + +* Tue Jan 29 2008 Rob Crittenden 0.99-7 +- Ensure that /etc/ipa exists before moving user-modifiable html files there +- Put html files into /etc/ipa/html instead of /etc/ipa + +* Tue Jan 29 2008 Rob Crittenden 0.99-6 +- Pull upstream changelog 608 which renamed several files + +* Thu Jan 24 2008 Rob Crittenden 0.99-5 +- package the sessions dir /var/cache/ipa/sessions +- Pull upstream changelog 597 + +* Thu Jan 24 2008 Rob Crittenden 0.99-4 +- Updated upstream pull (596) to fix bug in ipa_webgui that was causing the + UI to not start. + +* Thu Jan 24 2008 Rob Crittenden 0.99-3 +- Included LICENSE and README in all packages for documentation +- Move user-modifiable content to /etc/ipa and linked back to + /usr/share/ipa/html +- Changed some references to /usr to the {_usr} macro and /etc + to {_sysconfdir} +- Added popt-devel to BuildRequires for Fedora 8 and higher and + popt for Fedora 7 +- Package the egg-info for Fedora 9 and higher for ipa-python + +* Tue Jan 22 2008 Rob Crittenden 0.99-2 +- Added auto* BuildRequires + +* Mon Jan 21 2008 Rob Crittenden 0.99-1 +- Unified spec file + +* Thu Jan 17 2008 Rob Crittenden - 0.6.0-2 +- Fixed License in specfile +- Include files from /usr/lib/python*/site-packages/ipaserver + +* Fri Dec 21 2007 Karl MacMillan - 0.6.0-1 +- Version bump for release + +* Wed Nov 21 2007 Karl MacMillan - 0.5.0-1 +- Preverse mode on ipa-keytab-util +- Version bump for relase and rpm name change + +* Thu Nov 15 2007 Rob Crittenden - 0.4.1-2 +- Broke invididual Requires and BuildRequires onto separate lines and + reordered them +- Added python-tgexpandingformwidget as a dependency +- Require at least fedora-ds-base 1.1 + +* Thu Nov 1 2007 Karl MacMillan - 0.4.1-1 +- Version bump for release + +* Wed Oct 31 2007 Karl MacMillan - 0.4.0-6 +- Add dep for freeipa-admintools and acl + +* Wed Oct 24 2007 Rob Crittenden - 0.4.0-5 +- Add dependency for python-krbV + +* Fri Oct 19 2007 Rob Crittenden - 0.4.0-4 +- Require 
mod_nss-1.0.7-2 for mod_proxy fixes
+
+* Thu Oct 18 2007 Karl MacMillan - 0.4.0-3
+- Convert to autotools-based build
+
+* Tue Sep 25 2007 Karl MacMillan - 0.4.0-2
+
+* Fri Sep 7 2007 Karl MacMillan - 0.3.0-1
+- Added support for libipa-dna-plugin
+
+* Fri Aug 10 2007 Karl MacMillan - 0.2.0-1
+- Added support for ipa_kpasswd and ipa_pwd_extop
+
+* Sun Aug 5 2007 Rob Crittenden - 0.1.0-3
+- Abstracted client class to work directly or over RPC
+
+* Wed Aug 1 2007 Rob Crittenden - 0.1.0-2
+- Add mod_auth_kerb and cyrus-sasl-gssapi to Requires
+- Remove references to admin server in ipa-server-setupssl
+- Generate a client certificate for the XML-RPC server to connect to LDAP with
+- Create a keytab for Apache
+- Create an ldif with a test user
+- Provide a certmap.conf for doing SSL client authentication
+
+* Fri Jul 27 2007 Karl MacMillan - 0.1.0-1
+- Initial rpm version
diff --git a/gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc b/gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc
new file mode 100644
index 0000000..4849863
--- /dev/null
+++ b/gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc
@@ -0,0 +1,272 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBFodY+oBEAC7b3VAzN8Bvhvj+XreexZz6JkKTpMOwkkZ/aY+RF+VY2oXqxje +IIzPh201pnjB5gdPPvoI2kzoZQNXxmavRHJ/4fGj4zdMx9m/tik+hDPsDCOgRxr4 +HjoWJ4u1nYO29+dDMIS75V7aRy/jNqpzLjBuQi1P85Uqr9RWOmgIPSTpXfyREhL1 +53o4CVmPQxQx/AuPNo7RLJdyd748Sv4sUDJGQT1VoZFlu8EOnCgQHpOhfRcPxMpl +qRrpa6UyesleAiSFfH2hDJzgStPQxGuhLKo4nORCc89YWxgh+wWr2Ph/+zIdL1cp +NtAMcCvq7Z9DlU8aRUCxZ92O0fh24KiXmuuL3c0RvnVO7NMX9vslEsCmjo4J73j1 +P73MEocrbxKmVtANFhhfOI9352friI6YzNtU18G+sPZYCZ4jxXH6uecTTl0ut8Lc +cYfxO5FZMarW+kW85OQd8EEW+hJY7CAd6/2K5fnnhbt8mmcomCUPwAQDxptprThz +TZaRPupV1gQuGUN6tRkvSPrcZLSSG8FqqVViH2XoAdiz41TDqrNjHse0Qbb9ZBiu +SawbH/7kPPymEumCJZPfAL6iZz8b0bFFSETz48IEJiRUOlvy+SumO3yK7jepPw2t +NemtWOMKePzOifpN7yg7slmzaGOb/+5wWqx8dzypegpSWiuq0ewPzz+A3wARAQAB +tCpGcmVlSVBBIFJlbGVhc2VzIDxyZWxlYXNlc0BtZy5mcmVlaXBhLm9yZz6JAk4E +EwEIADgWIQQOY9cW12rAgKSjNRP0CAC2KY65YwUCYPZyPgIbAwULCQgHAgYVCgkI +CwIEFgIDAQIeAQIXgAAKCRD0CAC2KY65YzUjEACbVCWndEy3NLzdX4a9X90ADYGq +liOoxY4kABJ2Bw97qcS4kHHar4RurxyH0L0NKJ75Zwkzct72DyS+2HG4yYHBz9QG +YEUqzJdCt3Xhy/NDehYJGevDtC00usLYXiahBf1u884U8Hnufk+2zLiWQ9h32q8S +x9Dn+KL+ySuOidBkG9RykqeV3I3LaUlvMO5cfVmvaM3SWcYwZbkxmsXqjtdZTwxI +ZThKGBJEbjdSCkwPVtv5fFy4gN1/xnxcR+OhXqjpOwj0HOj48LO/bZmJPiKDUlcA +ztIO903sAaVRBhe7lOZ3uiPtNQwEj0dpCSkv8ZdF5/68ctuiwN+9nkpYmuwAw1hT +OqpA2GZdGXCsL+6qKGgUL1l/s8OhqwNAR+GboQ4Yr9sLp51AJvM/z8u3cTk6cvzL +c6L+Yp99u7f3eLOO9gx8ac5na/EksiTiPFNxTGRCvVWA8C4D5JxBpJRpFjJcjg4D +XQf12Mpx0UyUvdE8eDQwjZkwTEQTrilXSwbJG8d9LVVlwodX/4BrzcBZui8zMqVJ +sHq9mlA15A47sWzKoC6GBB90DXQXOIqoyg2KhEDV6qdYbJkCzIqggvlVS9z/r/t0 +8NpisoolIyJOUNdO2IKk/TrT3x8LxcnCqZUx91Iofnwkd1t/3S9HYTQGekuX+uK5 +5Fh7tuEsC59I2bfdVrkCDQRaHWiqARAAmQbtZ/+doF3Kvul2atB9C4RtHpUvLsrs +8hfN5qH4bwt8Ti71KpQBNaAHXp/moywRsOw8D+3aN/yQD9UKSGF/seub+E4fv8T4 +woYpQ6ivZaCkipUj9/cyoJCzoeK14kM1K/3eJ66eMPbNWJ+sC+eK5CEr2cVEOU/S +/gXUOf9gMvK8YIuPX7o3MkhhbnuDDluToQeQPplJMrL+b7lNf0Qc1SqIM5QDfLqQ +PLrhavbnWlqimhOhqT0UuZ57TzvS5J+tezxRpuRx8PADNyfyHgzaX2KVcJo2+FWV 
+VDQlobcBQoI12ldE634PAExH+xGHteff6LEX32YwVK+WTXMjUDLid48u46owxn5d +o5ktJzD9dCQ84IvL38alSp5M8Ah36sk11/N+5lB4f6VJTwrsJH+RH9xak/oDwFvQ +EQbkS5kuv1a15fPHYaHXjmAKnYuxPEP2Ra69CyWXg/1WzuxHV9iF1hx1fT9mLdRL +lbq2wvfw/H7auEZKOHDk8UYyWpYxz4+k1XCNVzsI8HfajkvGVkSc/LB+hMgrrFHq +LuV9BmnAdVhJZmy4c4EqQp3t7zc0hHUDaxOBThtQxdNbJUAtiVitWTCThD7FTlio +IToZUz+cm4LL4V/qQCdqPu0oE2NrgBj8iWwncyD4tHR97g7pOxJ25CX8YUTy7Kbe +lkDNQ+GsRy8AEQEAAYkEcgQYAQgAJgIbAhYhBA5j1xbXasCApKM1E/QIALYpjrlj +BQJg99tXBQkOX0CtAkAJEPQIALYpjrljwXQgBBkBCAAdFiEETwPD9aLQlPeQsGGZ +jYpQzTKjDeMFAlodaKoACgkQjYpQzTKjDeOfRQ/+L/H7F3sV7nbd508VR4x882DB +w27UdXDHQle8Y1WlnePQFuSW9rddpVxktAeal3dwjOZQXQgBvxaU7zu8euXGlbKc +wV6vf5e20W54q4ODnlKF+yEp37OxWUops1ktB0nXQC7x8qZMH9Lq2yc49SAKPCfG +NJzcEa5aEswq/3e3d1Cc/D/ivP/nnRG0RrVmcnkWZ6udT9YPWcE6S52eE/5U/Gdt +F1bbeWwexqfm0cNSH3TqmQ0GiJO5AhbUVF8vZBOKGN+l3AF2dLHQqO7EzqYgu6Cd +7iuJ5EIv6gs3UKGznFxmwfzZPa7H2dPKx+KpONfdDlqrkd0gy++0BdRoJETIw6ed +I+19hZ6SC4GMYKFuhTGOcBnbjA4x8FUzi7qfNC2IqpW7x8E56CUONG3D4O1Dznrk +VLP1zIZ3d5ja81ntsLSlj7Ue7c8VUihiEowtYvqbsquDF2sqn8IWlf7ykW3edeVB +h6y6mqM3Znr2qaVS8m/NtIJA7TPGrtFs6/6cO16a2s0maxJOSTOG7K7CX8L0+xzK +28LFwTBuGwFSTftOlx+TZGBtEzIPjNssAqHUALTtlg14Z8HkfvtBr/ezJVwnqLqF +lTco9U0vQiASggOGNCY68WC4YSX3XYPDuccxfEk2YFKeAnTOQnTUuN4x26H9Ne75 +HRGlJGlBAs7odCFMPLaC5A/6AmlKGSz/2/6S79IjEwOhX4TQNkkK8XHIKSb0MLhb +TXvHLHPU1dFLsdHvaHDDfSjL0kaq/+puEiusiKMuLiStvJhAyhv1bXjWkgN/ZKBA +kyMwaIR6v7twPLoAeSI6cVu92W3RmV0nLBjDm7Es4MYOjSFcMm8WnhnHLyRLk1Qy +bjOfmAURjNsd5GWrh4+ELwGdPcPDpox0Nr6IqnBcDcJUQSVlU9Yi6WnO1JlfrKi+ +S/bGdqUaEtF9jAElFT26CXPSzNQHde3sQl/sBqhomsstYKleIg2CfQZ0iAvCifg/ +fEqjsYSIpfZIXqOFvWU5uakLaHFNBT5jviWho7JYHrceqEjZxO6oTShGAV4qCRog +g+8ScMw9GNFoBy4k2W4idpTdqm/ntQ/j7AOIYsXiFENWTvmqvTE6ddLiKdyiUN+3 +NJsgK1EjGx5ppb/YnUgw0yPnJD66zTFMdHnxllvNRjI6gpBE2qS3bMutQCJM8rGc +eQaAIb24OXUhGviFOy1RsWx8/wQoGFoYgqjltiZf717Y3nGaAbcW7z4JPm+VCkXX +iSxagGjJuCqC+4Lp1/Jbc5V+AiD3UHLGB1u9eT4+8XIoXJNaUoE22KMphwSaWvdJ +qI5OG2JiYuzQ/empnU+ZtJbuKTtBXanVCn7jwimgCuCosUJQACaHMUXUvDvjvBn4 
+OpO5Ag0EWh1pLwEQAKCqeJW3nLIkEHucuHdt2jjVje5arTQm3qXOvq0ul2aIjzK1 +/7vJxs9Ss/AWruf9L+7gOoSdREEOEPyZ6wK6Xdg3un/KkV1m+2W+yNbfQEtZhjH8 +pvWfDldzpLyRcgCv5kThJ4Ax3j6nai6FQXP1QkEbYZfQx0RTwKKGv8txSX3oXyJW +JKpps5WgdHSnG2zc1aM4SG33T37tzLWerlD2t6PTAQUYau6hacoEiV9fKmk1AMvT +pYPkeVj6/Ur5AuDFRkqTZfH2Ih1JUVtPqFX63Z6xan+qXqEQzFesbtQlMeHFRPbM +40xIfBfRd2aJ0JXo/rSbB/wNdtuZkYmlrsBemD/plIHduUMpXh8+uuzaiWDw16vm +8MSZYaeSPQis/jjdvsrNPtkc9MW9F/XdsaUtA0Pgxziqbw3v9S2SGvlxvIa64WqO +kzfoIHCTcNy08TR3nRNgH+iS3NPWLHJlwpR1W554Aqln4YeIW6DT9knG3pnI8mYD +0hAGHPIUdV94wOqbFFkRMzWS2h0iLqPb+l83plLplmI4RBZCjqcCXC272b6JV9Xh +ZNRpiIW37yBnl9dP7TTpyuy3JqYtVbhfrlYxmaVXpPtMNn6FVOTnfHXYUdjbGtRq +mBX5FA/j+TRe590h6uGgvRGh1syJwafpdu+bKYT1snRqreJz4XhHqgbbYYzfABEB +AAGJBHIEGAEIACYCGwIWIQQOY9cW12rAgKSjNRP0CAC2KY65YwUCYPfbVwUJDl9A +KAJACRD0CAC2KY65Y8F0IAQZAQgAHRYhBAIW53hdqPvbo75EVfFTSEDBCz9VBQJa +HWkvAAoJEPFTSEDBCz9VEMcP/RZjUjM09oPCYRjXoWg37Jsm4upZb7dGF+2oQBMn +s+c/xQQnr8OZ9ElSW6L15CtXhsBY+Ji4TdWHCmmbqGIUY5Kd7dP3hon0uHEXPOOP +bRDg6Fg/zs1FgRhyQaFrybx4iAkACF3zNKdsfxrL+fdFiVJiWMZEeZ5u0NYc+OkU +4U7jnSGj/M1nNzzPuQmQRZ8RFVyqFuqCsbvnipbYmrmAgSGLcM/efhIGR5zpQb1O +KtnW8ocrLk1a979bHN8ov6h3IhJQL3+XfCKWFsjnOajoH9MpmBnQY+nO/Nco57ZU +cWajBmY2m+mxAA2mJ0s+oB7sR8oQ2gAQawQq4of2WwVvZUk1bP5NU13UmS6SZWrw +auYD9XZMrUQvCt6PD81eYU9CmFRrpMvqw5Qmw0RfFxOYpj80D0Z/KfRRWhCUivwB +cTpfGZQmoXSfcdZKWfdauGgdY5JOLopRjH40CDipopGT/Kvao3983gJE2eAwCytO +dYmuVP1cvktQNsTg/14S1UXe7AjCOa0/2nPhOlMEWcJdESV1PX71l9nxs3AsxO4c +bLhBNKIXVwi20D47uR/8QNkVaUMSQriFuLgoKlA0P8tRvOFfbhxZVsoRAu2ncE1p +cMzbe332S/4aghxNvMhWgMLTomJBbxmCB2G1ZEFmSu7HgyzNkX5+vkOrwO3XMjgB +xTR/79UP/0Mzm+gyQ6jZmUZGfjbm6lFNLvYfRvUEcjPsBrqXypR0RZ85UMLaQilH +0ZvpmLDNFAIbzORKwOVi5Cmdm99kLtQpaFdrmzip4wKda9ru9gJKc5eBUBjB9Cel +9JF5CVfu3NSjyQN7fAWwFUuv5csHjbLg4uFAX7lN4dWpXlEfdvDM2L3QJqSbzdlo +1W+zBxL5isAkTHj3ivl4MehxSP3lTnPwxIMPUL+zqgX4spQyCOTD4Y5WUjAhCBFu +saakVf9wT2H7x8xgbNk6C6/MiDsDAeLDM8Q/fTK+0zkIalgH+ly+IUs2E9AgrVXG +ik/FHmMyMX9EnfisRF+t0I7pnl+2rVXtRKYdq4dHllOv756wuPxjHC3vAzLSRQYa 
+9OnntyBVob0C3UC2aIbszqV/SfaxQnh46g7S5Aa5qyS6d9BBogvWolbed2hf6kg1 +9VGOl7SUfSng3G2Q3LfZAK7A6rBbvLx9lZ9rwY5mMxAB2AImqSGptI32xK62NeoS +rDiqUn2FgyAT7zL7E9s2oA91xtX2cOnadhQHNq1Qs66iBITkeURUQzXE0MUuBIsF +XH0MWs4iF+uigWgubg0C1ki1xXTqZxC7W201ln1CSDQQEytgVzIPeO5ifibsenvw +Wv/kyeRIpKlN3UQCi/+izGKQ9YbY3/jLLWajKkDVdrCwfDZd3dkWuQINBGEBiKsB +EACtoHLQR+6IFrLFXnimamfeGNdjma9DUSVB9SW1aCCbEPHZW3gxs+QD2ZsqjQPh +afeMcMy70QWktvF89nDRTCTHHsow5xmPTAGEJWTerNAqX2wUjoeZLXwhq72Ueyjw +U8IRnZSWH7Xu0zRglAAecICAQ/xCexnQhbocgzZfLDcKdqOjxt4UDjYRq8yQcgad +xmHlAaNeodBw20g4nY99ZAPlgcIMGZhTS93krl+HBcBMTBbk9HDdtRFddHAtP+cj +Jlgg2nmLbprLKFhoCRTLnyab56kj0F9QnSs6c8tMudkOX5w2stzPlEd9f5kpJhDE +XrLt7TfTB/11Sm8cVBiSx6XjpWQJqd+0Uc6x5rDl4lb72aegaBrjvY3yRCmq3mrf +DiIZN0ahf3znwfsqpANP2HnqahaPjEElk5NKThArq8HJEHVczfECNMgM/vwVViu0 +gTe/EFk7tvsWlqMmSFc/s6UF7130aoAL3ONKkjKeogRGDC1M6R8VA+vOcPlWE6uI +5dHgHmQvf4sl0kYVLNquZg30iJWYoM8tMCtL/UYJ/6b3YWcCS31Sh2nF5IWOq1kZ +/rSnee/ZtTD3M/1772mrwVGQg9Il4ovZMQiSCiZmBLXNhCr2Pbf7i5mpWlbqFXxe +ivN1NOWo89dPKjH1TtT0OqU48yxDLWIdoHR1PdVNOZCJlQARAQABiQRyBBgBCAAm +FiEEDmPXFtdqwICkozUT9AgAtimOuWMFAmEBiKsCGwIFCQlmAYACQAkQ9AgAtimO +uWPBdCAEGQEIAB0WIQTXVnZNTX4pfG2tEXJph29ypuLTTwUCYQGIqwAKCRBph29y +puLTT3+FD/9uw164iz6PjLj1nsTDqTxnbLkdUCiEAsik4YXbZm4eTjpiW/aAYZ5o +CQW0KckSIdn+7Ph22WB9OGua5iTssxAzzaBzqsibkrcgiVwmpsgGHuG9QQQA52sU +SmXA7qZs2SZvgHjSwcn/1t2Xjaa2YUDbqfM8Syx9klQSbJVgXO6fuZrjJXN+/4EH +Xwpa5T81L4SDOtlXuvyIguu5ZWC5us/DJx6Da20rMggseljot/2Ym3Zt73LmuDia +NBk/ndxv/FfYF+JrmOZDu29rGMPSvfKt9C7rtFQhx+6qaV99dtC9wmzV4+UOzKvH +Ts4abtsOykyb6JaHt5X1C6fcMPDz3XASO0Uw4EGh6P8v3CG0hd5Ac268OmyK3kWs +K0bhYgDAU0mQtbJ5n2axV3Lbjoy1uI2TKpTKmdJI1g1mkk2i3IHO2smRtRx7YJlA +kK5hG/97PSGqoje4fQRe9GGECbAOgYpoae7LdXEUlwHKKjQC2Pm+wbdJ9Z5Z1bLV +wnDQ0ELvtmoSGvGRM62HM6uZxclt3uFrzoPF/NMLgZtFqW2+EZtZMG8sX5GyS76H +Ov3c2KHaNi/+UO7VKE2utNaTGpVbTYE48zeqVSIfhlYSU1tnPWKxtBNrHiqcMsWS +KZscmUjDqu7kTPQursKxZ+8CXrO7zly++IAJhlbhidOqkUBFkgAYwa/iD/9mtzo6 +qCOh6Tz6e7y5UqHVWdrbzrF18fMTQrLU4xU6acj+yHAJiVLlZi8H/K1ldVbIrGGa 
+BpUBDuPT77UYvbSeQP8kkAKGzOdhXbktk3VovnkDBVXEP+scwgBDzxHAV1xAHpcl +cYM7pvtm37QLMulyLoY1gNqUIdTbxKxmbJ0iX8O5JoAXipXbXFflFTlo1hIPvsT7 +K0+5UM9jbqYXklFXUAUhhVRmPp/gdD+soAjkSnX61YLDgmEOvbs3p9D/AwlVghHD +hpShrumHZvggg5ViWhS4lUdG8WpDk0e6zZvjzxOGAR28ID6FA4C34a3HBhr1wMzo +SJztqVtkWtj53z7VWZ9APQwvaCzeIX8SNk3OXcE2P5Jgca3H6byz0RzvVeZBvKNN +JDdSKEbzAZpjCeUtej4W9JjBfWo6Wgk4kl83poqlWXR6NIn75mICweBJfSJBo+mC +zJ5mDmHXF40qsVWktneSsIxkrnl2qDoNR3R6kKzJnc1lZgHA146kpp2p+tArLZ5n +KTyPmofVUIyzg1XfzkKSRHD/JEDvQHbWYlIBGNiPW3i1O3IlJ/dQFr6gXapHV6rG +U8QKFHczm+umn7HsKHd+Dsfu9M+9tZGewx/e8WymFKi/Gz6ss+SM5OYPWpQFyHCY +j+zrC75oRUeJ/gjLnmZleI3nvVxFdZsbwysv5LkCDQRaHWiAARAAwcfF4B6x0nU5 +KREy0CCv1HsiwHfeEKLgNlFRknZSfdAVVrwz/FHykYPLk/zpGBulf1DwH27v7oEa +mGkLJkRRsAEGzoTvzkU+o5PET0EeKpat1x7d1Qu3P8KsTU98k+s180gzyari4CVo +baArpNEMN3tsEyiwJOcv3Hg9fQOgylOxhMGlys8OrVTvaD8vPrbbgdTESdvOtr9N +gAL2qH4UXPKNrB806zaR4DLLBmOtlivydNa/Ip8TTo1GucVTJ92uZH/0CZi1SxGt +Jid2dCnmFTKcGaCeHKtmMY8jcnJhsRE+zk8fu8809gp5nwzNshU1kjPwN68qMo5O +bS8uuzxcieCvOgTYdZwXW4PQtyaX0Kqo+5OceUYJhA5i3iIC/tOERZ6FZncTNJ2X +DIOuiqIr3I6hlAgxgPAr24cxh26BlexB4VrA2IzgGo528hcnXbr5QJSjWG3DeZKb +jf0kM4ZzE0bw5bnKCw/CDTMydW7QWrecXAoLnOAtkR03vUNYTRessikfDOzGfuYx +vP3foEPKfmAsjcoUOj3I40PjlHtYlCW8jmIf6kB0EsMvQSTU9G4addLW83Mld81t +dIK8iALmZrrTK5Y+7QLz/VGGQ3NDZh6WrAiGscDkm2JB3AMWe0SZxgZ7ooz2yHj0 +KMHdC5q8FQ8sgF24Hag0Mwl56E85RccAEQEAAYkEcgQYAQgAJgIbAhYhBA5j1xbX +asCApKM1E/QIALYpjrljBQJg99tXBQkOX0DXAkAJEPQIALYpjrljwXQgBBkBCAAd +FiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAlodaIAACgkQRxniuKu/Yhr+EA/8Duvs +QsVbDsXnDyZybrV5bMmnHeJ091Q3u7vRkuWKbCJ9chzowXtjE/yDWyBuia94vcn2 +o4cJ+TsWss1ncrrlwCfX1eQrNCQIjba9ZJynNkJ1YPj4mH6RJFtg+Zau72CCJu5H +GCHKFpoT05Xnp+6gQW/iylse3XhCgY35e7Psz0Qs591jWM4ASIrxQOI5E157uULw +JdZ7n50aoz3ogMObL3v5l4tT1aLEb2sQcfBI1hwAzNi2lGAxkAHFbfjW8Qlo3PNq +0tCouFyuUuckU83A4d4ohwZbryn3N+rTqGZT5Hls9I7MajsuXLF76nJkFDygkibd +C848hX0pkY6GWDhT+RJb1tdYPvOVQFgevzS5F9sABM/6rZYpAjhFsS5YnqrrlNuV +nFrIoSJm6APkg13dfSlhItc6n/K0NS8SrZcISxxVGLH4fv/BM8US1tnb1v0uB1dm 
+2ekYFOoCBSk6qsBkj4JwB0MHOOHPE8MGXiX7u99Gwi3xzHcBKLfhRDHlK6LVdIgi ++XneAM2QWWE3fHKnDwyK5PgxYLO1Pn/DnK/HHrqh+JEACefvtX6D7HVwonTOIoAL +tO99wh2diWRk0qEbNG9kVrxRnS35hFtTDdrJDOuax3mqjNzaya/+5VnIk8jJJ90l +8QNLuZDX2RmVKDBbzFqnJOsLDvLauUog0yvekXTNRg//Vvg9iwmU+5KBx1P8Fx4T +JRcIjGon6WF76HLH4qVY4/eYGqU7X0v3HkqrPmi4gq7ncKwMfzm4XngYkaydv9Y2 +rbIWx0tcKxsTyMg7VIKqZ7P8kmE5sKXC9kNsOB0+77obIKGin/hJioGxXNHzFwfi +ZSzpjWiyl4wwITuD6Y9Q9+g9yXm//kw4KY14HeWZ4KX0LD6iR+b1QVaeASmnO/4r +DeCvGn/8oZPn/ygHZS9Pn7FLEp6QUB6Y98MXrVFCbtU2uhLWJ0G6VMuyxcawX3mV +N3xzEqhqflpfJaDK7noTJ5aIYopE2NKcYvMeBiljLaw/8eK2reWrj8EgLytfi2VF +nJ/fXxZNzz+QuuGwA+/rSE3KgirWZXTpd/ri80YV9CjXJn6D7fyAnibp1QmCd5RE +PUZ1J3ddyVIhO9/ootqFBqjZm80zfF6QUbsMPJPe72CpFeaLmKojnsJpRERf76Yr +c7vyiePbM7TgilksyrzyS/ogNc/h8zHw3NHZOq9GAeABGPOT7Xpexqw1QDl8r5Y4 +vHKYq6tCDKbWot+PdHPKBbn4nwuS8/R7c4pet5q90+i6XqVdeihL1OhuAfFjywIh +5bCft5emlE6jJFIH0UsalwgrAPACrc1Ptfo6IQMy3CQAOZx1+QQBUbNO8ZPubfrL +7Y8fNmEZnc77I3jKchrBHhe5Ag0EWh1o7wEQAMe9DvNr3jsjJnOwuRBpudWWY09P +y3croZfPT4s4npGO1PfLJ5XOfucU5YtIu1q84RPopWnFjjO1EgPTXhTy5vBmkFzn +5fb7Hk1T6isZzz/hiQ7q7WwcduByoC1ehQQYnCfTQGZWgceNKhKczTbZgJMGtVbz +9QVpw0xg8HnhWXkYFLEQq03gKKNEGaXozKF8VwC/hFOu6BH543Zqd3gLpMVHiU1p +VVKk6AjKXgR35Z39n/0k+/2u8pBUAFgPsMKRp1mZsBjDDeNOnt/qJP55QK3Ln3qX ++ECqB8ZIQud00szC90AxfP/JMCh5+Idz1T/XnmSr081WiyHkfA5KBLXmYk9X4xEY +3rWS1nNU6qLygnp8dJeiNzF+fRa4u7KNDi3mmT+purPzu6WVA/HgVMRoPlYDI/1T +dmYWrREk2FR3K0C2lLBBer/3A4r+I6eMTKRuoqp7P/lFYNCdCWF5KefZmtQ5r5V7 ++Bw9yq/c2p66qiUqHpPZYY+fnlRL6ImP8NNXLmjnqqHVsbqMYGQkjJj73hWqr08m +YTAnVxtKFPJpnnStsnpJd4iarbxO3ri6ejJF8tOtW6i6ALg1w700+XXV/tL82QWS +scGBRds9Khbxltam6f9cJ/0WALYFklaa/VqLG+ixwyCfew/x1Ggi70m/fKXKaQeZ +UZXBnIxVWk5XJBk9ABEBAAGJBHIEGAEIACYCGwIWIQQOY9cW12rAgKSjNRP0CAC2 +KY65YwUCYPfbVwUJDl9AaAJACRD0CAC2KY65Y8F0IAQZAQgAHRYhBC/PLVnYvt2I +tWDuv0D3dJxPL97tBQJaHWjvAAoJEED3dJxPL97tAuYP/32FGXXOFAKir3El4yTL +6xxCfBjlNcafkhT46BC8SkgW9SGUFzHdhMsTgML6iOirZVpnQw6WxoECy/X0FUvH +J5YK9EXYJcUmS8WitKBjNphqcgKdy4RmwKknr/P8g9ZRPmBN+j1Ym/oZDzK5QNBw 
+syiES6GJmpCs3WCWI29v+BV0bCtqJn9fNZrSzvA6Nv9/KV4I6u0JfEK1TkP43x2+ +Ws+ZoMFnOv02ZoxK2R/Y/WCPnHghNZ+TygUax+1nysP6MYYwKJRP75t3NWum6MZN +94zmpXgVr1pGJVze7nzZH2HBuCK8Q3SSCkUA9rV/tKHrT9FQ4mQJs39BlNii68hu +aOnAJ3jlXPpLWHsStiuxRwxAZOVct+MkDP0TXoBq6MREKBbmImhf88sGnNm7W9Mk +0Kwj6INC6ysQMIDWLGm/4fiixVm524JHkvt2OWumFPxnv4fMdU3rd2v1dyscLMXv +lyJDFzGvEp/dt4qt3fQDpSn0Gn8dJgqTAKDPAVgkTbaNrj0x1i+PCXhnwlKHPJwv +58zgjaSG0xa+6jTNnMorZWBKhTHKmzNGLbQWZn2BT+MO0UxKzu81R5tUHGXiYOfn ++osnT6XFjJSZEB9dCWy6DPL+0n6WU3pGNXSdgj4byu8HTzheqpYk3aeimZOlC+mu +TAR/TDRb6XbrVAA7RZK5KX+dziIP/RBB8mo7P2PM58MQDDsUtvDyHW5cCitEzToo +0H7MSlXMIF1B9ZtSXahdNLj29ibX77Mjd5ITm7ZFAkoOS1zlhs5HHq6weZzo8bDj +9mZqcCX9DGlo5yMdjdYYpkCLfcb72G87JusncMsc9kzJaK4GRntjpUuLSbjM3qKp +ioT/JIzmL9ln8bQHXK3CKdqIsC5BjfkBsMz6v7BTvwZcB3DQRmCF3dyZtIZ6ekzJ +k+fMl5dWsvHfN+IR1SmiXeLYWTUvjAiQ7Fq+Yj2k//fa4HsDFZzO2cba/Q0b9Bom +ZslAnTAAmxAWECG2LXX3mOwaY64cRBViNuC0FEVzsmRXZkTLMAkt78ox/5scYa7K +phMkpogtEUUqk5tt6rMp35y9J+FDs64ECIV1wA/WZ2jgViGZVWzm5YVCbfgxIpc9 +RLgN+mo3tppjHp193cA205PLOIOqkYvSJi7t5tf4WZBt7QjNAQvcMb2hAC4g9hh2 +WG7E6hOBZm1ASoM/xsJ95fg7EuwUr5CWnPbrUKKUt0UoZjjlZyuKU60mITvas7Ry +kjy20+zJLfl6cPwXXKwx7m633engvof7Nhy9jrMNoPh1Gbqn68y/ADj549uSQOOT +mf7eqPHowV9rtNsF3T+EOrS9AoUbVGG6V3EBg6cwoRClIBXjp9stwecYdAED31oo +HW63kq2FuQINBFodaCcBEADPJ2WVrwH6E/sQIADyG0M4T0fGDeZjj6/8ELqA9ePi +9V43WGyvPR6oDuxBfQhdmDJl8Mv3s0bAAdZ0Ua8QScbOWrCVUaS3bNAC1ORype5R +DfNYmlbd8zJPQEfXNC627RXPAxvzuBreYi8ZHEgVuRLDzq7cdDoYy3YxF0gqEgyW +y/2v6+GXySXJ9/hTgzmdGg+NAHqiEggT/V3yR5wD9CnKSkacu7+WwrRHKZxPvHZ+ +72Awn1g00YVbkcSe00AC7OpY3CfRawoc7/44r+7r+DrTn+nRCwJJ782xZY92+XLW +5nnm4OEWwf3i/6R8CXjKt7kEgn2um0pc4YG9UtXvpi5qCx7cP7VslPjgCtX5v8dR +djMTIAsu+DIH10go/Z1OoWuP9SE8y67htnNdozqOGa+y5j5E+ryrYP4LKr3CkmIE +Vih7khfRPg23xiPf8VNRA8uMKArKlsKBusiMMywV4iZTYsYVvIpnnHn2ddRPbkWW +Um/DN+YRoLfCzGwQBnH3Xgd/RaO7JtT/VQkf3kz6f66IZeQGm5wmx0cuWrpno4mR +gj5u7NswameJF5y1WATEuzsE9AdGbWnG6XBTeUyJIU1BV8sTgURcVvwABEhM/ABE +Xc4pSmP8T0uP2vqn+IoRGLHkyoAtMnbkZfqxlYIcBXH2T2kRQp3nJ5BG16LL/Xbh 
+HwARAQABiQRyBBgBCAAmAhsCFiEEDmPXFtdqwICkozUT9AgAtimOuWMFAmD321cF +CQ5fQTACQAkQ9AgAtimOuWPBdCAEGQEIAB0WIQRA66dScVcpWs8Ls54lyuLm4GBo +6AUCWh1oJwAKCRAlyuLm4GBo6L1MD/0c/keyynX6eP24B2+dP7X7Gj6Oqb3wfL5u +A2jmg9tv66/lDGSqdF63oI7fE/2yBS7bO7WWYzbEiPJ6srosq0oBbqm3yxRFbmkq +VIwuUdv3wFryZWN2Zhep86MSYfMkY0fAr01Q7kkJhfV9S6wem0Nf90POL8OedgSs +RzTZrdngmC6gYk8OGdKpYUVaTilh2o2rV0LvbfYBobVzRPZValC0iayIkQaUn0OA +S+JSnVmopnXtnSNuC4ePyB5agYdgD/EeoW58VkhQYQiQ1UKXPHilZXZKCLS3fpd9 +2Cq5Lu5rzBZano++NWfVkM/x4RHmQT5m5ekBJNIjSVJE3iD1rGAdnVppX9PSnS+P +t3dgvaesin/oQbvc/OEQa0BBYhSqmNTvwmdqBesTYLtKtcZV5iihl7hgwqeiZO6d +k6K6gAofQEhSRVPaPDtuO/nwGuL39oJlN++6TXmM//+AMCnfGEh+pYZIzM+xjUXn +EuUnoj38AKSqx7cR5o1xx79dC/9zI4i5zmn2m/4mmp3oZ/tq2sT3H5ATN6APUCHW +f8pq1uAVXEzfc/BN7LXqXMOpL3uSKAFZrVAF3jsATC6w2lXLB6zwp3/7cZ8tL73Q +8eMQM6KP1ueIoyKjn9/7vc2M95FAFG4g6CSHDAXEWOvTPbzexwaax+dPjlFMth7D +kMm+wV/pI4rlD/0anqJMTfSvKfJwrrIGWeii3hVUTqjEUDDWrNZ1vzyVq99BTjLd +i77EomWk16XCZ/9gCFfcT/WEU+2rwohhoiy+t1TX3pCkRO1wJtGIiWqROi9Nz6aD +NJ/NuDEqJydbZnZQiQUbk6ExsElS2/6wwVop9UWUvnrktmj/XhPlPkUoXVHyrgsz +Bi+MqvIqokOyzuURMwei7FJZSl3oec0ixXpXLZczs4x/YKgtDMeS2aOuKL+HB+Gs +pF1mrZ3BdahdsuttDiz5m4sJdUePy638szZ2JB+NJyDQjOSqF8NqGKyrwZjuxsIL +jbT3xK2lSm4DEUrbyRn3EjcWqYcXQRLFUvGRKQEEt6F5Dp8KBhXQs2FX4ET9XL3L +FSy/UDwv85Bm/Y2PkYckhRX8HTtgwaC2Tv+26z9bIdb7HXL+BHf9SNSx/yMDOgi1 +O+afJ7+e1uRQzAwV2b5RDvN8222Yznkcf+ByNBxlUrSuBQBS+JVaRyoltwNDHPEL +Iw7y7W5StK7WFeANiE+SkngzR+YsTlZuRdLh7Awvil3qyUD5EXQNLPfGpkFt4jx9 +kOrn7JjyfLnoxRuVuBi1D4E6RyCO+4pxyN1cnLQ6RqD+y9WIlv+JX8J5zje+vpTB +H0bAlzrkHPlw1NAJPI1DH1BvIhvWbsUylDVf0cjz11FJRZZ69sqg9D500LkCDQRh +AYhRARAA57HTiyPSvbRmAhGiArcm1/XByTXx08WkvQoexGx0qJc2ON1p/5kabojf +6TZ7FBXjFjSvq1ujneVcN4Oo1CU6GB3SAXW7hv1VIiEA6mpzF7mtzoE+wmqZaw8q ++lBp1cHuCB5O6dkKAln0WqXwx83MoVXK20A4tOmDjYWuuBkYuaUj/08Yi5aKP/Um +YrGT+CNbDX/qHkcOLDTfopXIv3SNJfzvSv9HhMbzlQO2/xQAxCNsS4Kz/vl7P0EN +79Ys6o8RmYghwbS2OkNkzOnxoII+gFJchn3YZ7Zolv3GilqexH0dfEhy+d1nuxOs +po07JVXSPwVV1LOTo4aWfhyTCiJRpnkLEgD1kehtlpTH5lyDFHuzL55EzoUcEffF 
+8i4u//CBthjO91+b/PFn+Vg7XdJhu7c9NGy+Qxbx2lwQC3D9si3a6bdhH86qbtGy +bj9evcoHMnuJY4YDuyUeynUjQzulEzEqmbAK8bl6jlEiGXhgWitv2Pq/021XB5M0 +0cKlA46jl/HOeZJ15/9nNkBWVj9dAVnuA11BbOPdgxZteT481vlcJRG3pHiMRjRZ +j5by8tTjv0mkumhVU5diK7pQGdWQVVwscOILFTAySuk/3v2DEcBSDkOpHlEVrLYR +IgCUaJom6S3XzBB9fj23wLnc2dU8JFC4pTzXCD84AtD9dbR/8D0AEQEAAYkEcgQY +AQgAJhYhBA5j1xbXasCApKM1E/QIALYpjrljBQJhAYhRAhsCBQkJZgGAAkAJEPQI +ALYpjrljwXQgBBkBCAAdFiEE+vQmaPxCY82Dw2UUn4U98kvC3+EFAmEBiFEACgkQ +n4U98kvC3+GxZRAAm2kJp2XA3tVyaFMDAohB63lChMQN0+imkX6xswTAtwz/B1Sn +hh7QUp6YtWJ4F/1Bg2xnS4y8HLBPw1od94EhXGYzm4+ONFmtjZ2sbca3OwEFuIex ++PSHO7TgCiBks7LIkBM/fEg4UeutTqhzrR1SrmB4RoBtUPgnrfGk+esd8nVMa0gF +GdPsQ8hdmj88cG1OwfQm2D7SgbY9ik2k7pRDzMQOThI6CxIfwE5nvY03CnNi8bNP +IhkKWZF9d96+LTue22vhwl3tvlIryDTFJm0w0HXFNvAdVoOfpLsAtvh7uxpMO7fn +Z3sbVlCdXjYrBbi6eHXRKdUCLBRkKlWI3vajDeXz736y8/Ar/qtsphQ7z1f9LiyM +PP/8DiFIwfHme591jiHIS0C5IEyl4l0VwBpzDpUirM9RX/AIbmvI+1eGXXldTUme +AHuqQuqxwwVxfpzk4sQXxPNfrHiBoPThKuyZdY2aiWyYrVtHXyfhYWMdoHoq0Zrs +3AsNfjoSJ4rivrlOnBMGjOrz97VuC/DqArbNe011PH1ieW3GGeiHDYVUTN2dWpWw +gL7IWk7WwI6b7LhACmGcjhG+9XZLBleh1djkLn7WrvqyA3FQSIVhzz904NhB3pVq +1s8Vn7bUiATkABQVxXXhZveWv6yepSYlqC9CP8ofAcG2K0BM70Z6COUC9PlrsA// +ZWb8+GYHOWCxNS/O2XTCZGk1zZrMZo5MmMlMv5N+TYa5f93sK6Qz9CJt7CBcqnnM +NChc/qQais0tVS5nJ/JJEvB7TnDRKB3sTuMJ8oiTsQXQ1xzRDA5cUkVVYX90Xh1Z +52aEb40L3Vhqk5BaQqLe7vnZphaJUm+HUfOYlqgvrDAFkzUmJS3xExppQiAxbW3h +pvy/UWWE/tI9VLI/+f6V66mkqi698bxXSqXsQ2Id10p2iG5oyvoQZP+yYJBwWazb +UCCpSw+Ghxh5CdsLttDA7lHD2MDunVd2pTFr359WonCTY6J/9yubTnZ2zVqXax3X +9Z4ExbQMnvh3bwqgK72XmrdV1gkcwaiv9mmcdxrYDVLguAluxMK5uQQX2VskuW0/ +eB3/swK2FSmpQRlfhcaipcbAz/53GYUh+LDV7EfoCEJlFZybT/1555Nd1xt1rGfd +gGldtXu//crdcEv3iB9Or4jjAI38mNfL04S+NBPxGTZ5lVw2zj48lF+dD63SHC4G +JGTGsIMmV4FsxA/og/aU13u5ZQ7XcM7ZBfvEafsGPYhQDpKd0ajt3vrjGkv2YFGr +ymsOltPwWWTk1xxOpND0xuO+rzW8dj99Vm3+e4kGfD08P0LXzgpMt8z1S6fxIdzg +7rWspVlv967Of7t6TjfOIj6x8J+njPKXl14S5inazLU= +=MITl +-----END PGP PUBLIC KEY BLOCK----- 
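Review bot: The key file is added, but nothing in this hunk shows it being consumed, so whether freeipa-4.12.2.tar.gz is actually signature-checked against it depends on the spec file, which is outside this view; if the spec has no `%{gpgverify} --keyring=<key source> --signature=<signature source> --data=<tarball source>` step (or equivalent), the key is inert and the only integrity control is the SHA512 in the `sources` hunk that follows. That `sources` hunk records only the tarball, not a detached signature, so either the `.asc` signature is committed elsewhere in this import or no signature verification happens at build time — worth confirming before relying on the key as a trust anchor. It would also help to state in the commit message how the fingerprint in the filename (0E63D716D76AC080A4A33513F40800B6298EB963) was cross-checked against the upstream FreeIPA release key, since a reviewer cannot establish provenance from the armored blob alone.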
diff --git a/sources b/sources
new file mode 100644
index 0000000..ad56849
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (freeipa-4.12.2.tar.gz) = 2e1e67dbe73a458db5c59528799649629a1cb462283e4e9a4c56aff46d275782bcb3b0d57de615bbc7020a4350d4d383501e049ac19ed38250896b1e8fd27cb0