diff --git a/.gitignore b/.gitignore
index f3ea5d2..0701480 100644
--- a/.gitignore
+++ b/.gitignore
@@ -57,3 +57,5 @@
/freeipa-4.5.3.tar.gz.asc
/freeipa-4.6.0.tar.gz
/freeipa-4.6.0.tar.gz.asc
+/freeipa-4.6.1.tar.gz
+/freeipa-4.6.1.tar.gz.asc
diff --git a/1044.patch b/1044.patch
deleted file mode 100644
index b60944c..0000000
--- a/1044.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 8c242fd2cf2bbe14a4aae5d31d1f945901c72afb Mon Sep 17 00:00:00 2001
-From: Pavel Vomacka <pvomacka@redhat.com>
-Date: Wed, 6 Sep 2017 15:19:58 +0200
-Subject: [PATCH 1/2] WebUI: remove unused parameter from get_whoami_command
-
-The batch param is not used anywhere therefore we can remove it.
-
-https://pagure.io/freeipa/issue/7143
----
- install/ui/src/freeipa/ipa.js | 6 ++----
- 1 file changed, 2 insertions(+), 4 deletions(-)
-
-diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
-index 2538001c94..3920b8eb0a 100644
---- a/install/ui/src/freeipa/ipa.js
-+++ b/install/ui/src/freeipa/ipa.js
-@@ -191,7 +191,7 @@ var IPA = function () {
- }
- }));
-
-- batch.add_command(that.get_whoami_command(true));
-+ batch.add_command(that.get_whoami_command());
-
- batch.add_command(rpc.command({
- method: 'env',
-@@ -259,10 +259,8 @@ var IPA = function () {
- /**
- * Prepares `user-find --whoami` command
- * @protected
-- * @param {boolean} batch - Specifies if it will be used as single command or
-- * in a batch.
- */
-- that.get_whoami_command = function(batch) {
-+ that.get_whoami_command = function() {
- return rpc.command({
- method: 'whoami',
- on_success: function(data, text_status, xhr) {
-
-From df34476d8bd7ac2de93588b4169e996605c85fe3 Mon Sep 17 00:00:00 2001
-From: Pavel Vomacka <pvomacka@redhat.com>
-Date: Wed, 6 Sep 2017 15:20:07 +0200
-Subject: [PATCH 2/2] WebUI: Fix calling undefined method during reset
- passwords
-
-When calling reset password the whoami command is not called in batch
-command, therefore the result is different then in calling
-during reset password operation. That needs to be handled to properly
-set entity_show method which needs to be called after to gather
-data about logged in entity.
-
-https://pagure.io/freeipa/issue/7143
----
- install/ui/src/freeipa/ipa.js | 11 ++++++-----
- 1 file changed, 6 insertions(+), 5 deletions(-)
-
-diff --git a/install/ui/src/freeipa/ipa.js b/install/ui/src/freeipa/ipa.js
-index 3920b8eb0a..138ca031b8 100644
---- a/install/ui/src/freeipa/ipa.js
-+++ b/install/ui/src/freeipa/ipa.js
-@@ -264,18 +264,19 @@ var IPA = function () {
- return rpc.command({
- method: 'whoami',
- on_success: function(data, text_status, xhr) {
-- that.whoami.metadata = data;
-+ that.whoami.metadata = data.result || data;
-+ var wa_data = that.whoami.metadata;
-
- rpc.command({
-- method: data.details || data.command,
-- args: data.arguments,
-+ method: wa_data.details || wa_data.command,
-+ args: wa_data.arguments,
- options: function() {
-- var options = data.options || [];
-+ var options = wa_data.options || [];
- $.extend(options, {all: true});
- return options;
- }(),
- on_success: function(data, text_status, xhr) {
-- that.whoami.data = false ? data.result[0] : data.result.result;
-+ that.whoami.data = data.result.result;
- var entity = that.whoami.metadata.object;
-
- if (entity === 'user') {
diff --git a/473ddbdb66e563d93a30ac51b1ac559adbd18190.patch b/473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
deleted file mode 100644
index 677647a..0000000
--- a/473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 473ddbdb66e563d93a30ac51b1ac559adbd18190 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sep 13 2017 14:53:32 +0000
-Subject: dsinstance: Restore context after changing dse.ldif
-
-
-Fixes https://pagure.io/freeipa/issue/7150
-
-Reviewed-By: Stanislav Laznicka <slaznick@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-
----
-
-diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
-index d823635..3eeb7f7 100644
---- a/ipaserver/install/dsinstance.py
-+++ b/ipaserver/install/dsinstance.py
-@@ -596,6 +596,7 @@ class DsInstance(service.Service):
- parser.parse()
- new_dse_ldif.flush()
- shutil.copy2(temp_filename, dse_filename)
-+ tasks.restore_context(dse_filename)
- try:
- os.remove(temp_filename)
- except OSError as e:
-
diff --git a/ba4386599331cf81d222687d658f5ce54e923478.patch b/ba4386599331cf81d222687d658f5ce54e923478.patch
deleted file mode 100644
index 5960451..0000000
--- a/ba4386599331cf81d222687d658f5ce54e923478.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From ba4386599331cf81d222687d658f5ce54e923478 Mon Sep 17 00:00:00 2001
-From: Stanislav Laznicka <slaznick@redhat.com>
-Date: Sep 13 2017 10:41:36 +0000
-Subject: client: fix retrieving certs from HTTP
-
-
-We're applying bytes regex on the result of a command but were
-using decoded stdout instead of raw.
-
-https://pagure.io/freeipa/issue/7131
-
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
-
----
-
-diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
-index e971aea..8d70519 100644
---- a/ipaclient/install/client.py
-+++ b/ipaclient/install/client.py
-@@ -1615,7 +1615,7 @@ def get_ca_certs_from_http(url, warn=True):
- result = run([paths.BIN_CURL, "-o", "-", url], capture_output=True)
- except CalledProcessError:
- raise errors.NoCertificateError(entry=url)
-- stdout = result.output
-+ stdout = result.raw_output
-
- try:
- certs = x509.load_certificate_list(stdout)
-
diff --git a/freeipa.spec b/freeipa.spec
index d0fe758..497a896 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -39,8 +39,8 @@
%global krb5_version 1.15.1-4
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.5-8
-# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
-%global samba_version 4.6.0-4
+# Require 4.7.0 which brings Python 3 bindings
+%global samba_version 4.7.0
%global samba_build_version %{samba_version}
%global selinux_policy_version 3.12.1-153
%global slapi_nis_version 0.56.0-4
@@ -49,8 +49,8 @@
%global krb5_version 1.15.1-7
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.16
-# Require 4.6.0-4 which brings RC4 for FIPS + trust fixes to priv. separation
-%global samba_version 2:4.6.0-4
+# Require 4.7.0 which brings Python 3 bindings
+%global samba_version 2:4.7.0
%global samba_build_version 2:4.2.1
%global selinux_policy_version 3.13.1-158.4
%global slapi_nis_version 0.56.1
@@ -62,13 +62,13 @@
%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa
-%global VERSION 4.6.0
+%global VERSION 4.6.1
%define _hardened_build 1
Name: freeipa
Version: %{VERSION}
-Release: 3%{?dist}
+Release: 1%{?dist}
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -79,19 +79,6 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{VERSION}.tar.gz.as
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
-# Fix issue with password change in web UI:
-# https://github.com/freeipa/freeipa/pull/1044
-# https://bugzilla.redhat.com/show_bug.cgi?id=1488640
-Patch0002: 1044.patch
-# Restore context after changing dse.ldif in ipa-server-install
-# https://github.com/freeipa/freeipa/pull/1062
-# https://pagure.io/freeipa/c/473ddbdb66e563d93a30ac51b1ac559adbd18190
-Patch0003: 473ddbdb66e563d93a30ac51b1ac559adbd18190.patch
-# Fix issue with CA cert retrieval via HTTP (kickstart client enrolment):
-# https://github.com/freeipa/freeipa/pull/1071
-# https://pagure.io/freeipa/c/ba4386599331cf81d222687d658f5ce54e923478
-# https://bugzilla.redhat.com/show_bug.cgi?id=1491056
-Patch0004: ba4386599331cf81d222687d658f5ce54e923478.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@@ -186,7 +173,7 @@ BuildRequires: python-gssapi >= 1.2.0-5
%if 0%{?fedora} >= 26
BuildRequires: python2-pylint
%else
-BuildRequires: pylint >= 1.6
+BuildRequires: pylint >= 1.7
%endif
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
BuildRequires: python2-polib
@@ -220,12 +207,11 @@ BuildRequires: python2-jinja2
BuildRequires: python2-augeas
%if 0%{?with_python3}
-# FIXME: this depedency is missing - server will not work
-#BuildRequires: python3-samba
+BuildRequires: python3-samba
# 1.6: x509.Name.rdns (https://github.com/pyca/cryptography/issues/3199)
BuildRequires: python3-cryptography >= 1.6
BuildRequires: python3-gssapi >= 1.2.0
-BuildRequires: python3-pylint >= 1.6
+BuildRequires: python3-pylint >= 1.7
# workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1096506
BuildRequires: python3-polib
BuildRequires: python3-libipa_hbac
@@ -387,7 +373,7 @@ Requires: python-ldap >= 2.4.15
Requires: python2-lxml
Requires: python-gssapi >= 1.2.0-5
Requires: python2-sssdconfig
-Requires: python2-pyasn1
+Requires: python2-pyasn1 >= 0.3.2-2
Requires: dbus-python
Requires: python2-dns >= 1.15
Requires: python-kdcproxy >= 0.3
@@ -420,7 +406,7 @@ Requires(pre): python3-pyldap >= 2.4.35.1-2
Requires: python3-lxml
Requires: python3-gssapi >= 1.2.0
Requires: python3-sssdconfig
-Requires: python3-pyasn1
+Requires: python3-pyasn1 >= 0.3.2-2
Requires: python3-dbus
Requires: python3-dns >= 1.15
Requires: python3-kdcproxy >= 0.3
@@ -494,12 +480,21 @@ Summary: Virtual package to install packages required for Active Directory trust
Group: System Environment/Base
Requires: %{name}-server = %{version}-%{release}
Requires: %{name}-common = %{version}-%{release}
-Requires: samba-python
+
Requires: samba >= %{samba_version}
Requires: samba-winbind
Requires: libsss_idmap
-Requires: python-libsss_nss_idmap
-Requires: python-sss
+
+%if 0%{?with_python3}
+Requires: python3-samba
+Requires: python3-libsss_nss_idmap
+Requires: python3-sss
+%else
+Requires: python2-samba
+Requires: python2-libsss_nss_idmap
+Requires: python2-sss
+%endif # with_python3
+
# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
# on the installes where server-trust-ad subpackage is installed because
# IPA AD trusts cannot be used at the same time with the locator plugin
@@ -699,8 +694,8 @@ Requires: python2-cryptography >= 1.6
Requires: python-netaddr >= %{python_netaddr_version}
Requires: python2-libipa_hbac
Requires: python-qrcode-core >= 5.0.0
-Requires: python2-pyasn1
-Requires: python2-pyasn1-modules
+Requires: python2-pyasn1 >= 0.3.2-2
+Requires: python2-pyasn1-modules >= 0.3.2-2
Requires: python2-dateutil
Requires: python2-yubico >= 1.2.3
Requires: python2-sss-murmur
@@ -748,8 +743,8 @@ Requires: python3-cryptography >= 1.6
Requires: python3-netaddr >= %{python_netaddr_version}
Requires: python3-libipa_hbac
Requires: python3-qrcode-core >= 5.0.0
-Requires: python3-pyasn1
-Requires: python3-pyasn1-modules
+Requires: python3-pyasn1 >= 0.3.2-2
+Requires: python3-pyasn1-modules >= 0.3.2-2
Requires: python3-dateutil
# fixes searching for yubikeys in python3
Requires: python3-yubico >= 1.3.2-7
@@ -1104,9 +1099,7 @@ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
/bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
/bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
@@ -1444,10 +1437,7 @@ fi
%{_usr}/share/ipa/profiles/README
%{_usr}/share/ipa/profiles/*.cfg
%dir %{_usr}/share/ipa/html
-%{_usr}/share/ipa/html/ffconfig.js
-%{_usr}/share/ipa/html/ffconfig_page.js
%{_usr}/share/ipa/html/ssbrowser.html
-%{_usr}/share/ipa/html/browserconfig.html
%{_usr}/share/ipa/html/unauthorized.html
%dir %{_usr}/share/ipa/migration
%{_usr}/share/ipa/migration/error.html
@@ -1479,11 +1469,8 @@ fi
%{_usr}/share/ipa/wsgi/plugins.py*
%dir %{_sysconfdir}/ipa
%dir %{_sysconfdir}/ipa/html
-%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig.js
-%config(noreplace) %{_sysconfdir}/ipa/html/ffconfig_page.js
%config(noreplace) %{_sysconfdir}/ipa/html/ssbrowser.html
%config(noreplace) %{_sysconfdir}/ipa/html/unauthorized.html
-%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
@@ -1494,9 +1481,7 @@ fi
%{_usr}/share/ipa/ipa-rewrite.conf
%{_usr}/share/ipa/ipa-pki-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
%dir %{_usr}/share/ipa/updates/
@@ -1504,7 +1489,7 @@ fi
%dir %{_localstatedir}/lib/ipa
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/gssproxy
-%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
+%attr(711,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
%attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
%ghost %{_localstatedir}/lib/ipa/pki-ca/publish
@@ -1726,6 +1711,10 @@ fi
%endif # with_ipatests
%changelog
+* Fri Sep 22 2017 Tomas Krizek <tkrizek@redhat.com> - 4.6.1-1
+- Fixes #1491053 Firefox reports insecure TLS configuration when visiting
+ FreeIPA web UI after standard server deployment
+
* Wed Sep 13 2017 Adam Williamson <awilliam@redhat.com> - 4.6.0-3
- Fixes #1490762 Ipa-server-install update dse.ldif with wrong SELinux context
- Fixes #1491056 FreeIPA enrolment via kickstart fails
diff --git a/sources b/sources
index 12d99c5..5f513d1 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-SHA512 (freeipa-4.6.0.tar.gz) = 4719fb821b74b76b8159cf9866c386a265e7d821cec70f008c9cf4ad9df9ee9362ca058a59a323e1151660a29938c9c6eb928b922a355bdc49c8b72f33a5dd8f
-SHA512 (freeipa-4.6.0.tar.gz.asc) = 4bf540a36a8c667d1b130bfe6de54eed8d7fdc860089762c91f823af878af1e53acd2032f6fd1518c76e56ac39ca740875c85e81cf4bd41919498ce15333b26e
+SHA512 (freeipa-4.6.1.tar.gz) = 0b2a1bacf8462f92b366c73111b3b04b67f6b9bd4b57a3fd69bd1b531e3d78f26f8fe53dee48b167f2c2803990c8687e8b72c2f85be36b69b3057c2a71e8bfd4
+SHA512 (freeipa-4.6.1.tar.gz.asc) = c1164f7a4e1cfea1d6b7da38a024ba92eee7e3dea52783d691926e8874588f964be27e47754369494afc70bd64aa7b400f5918c11bc7a782c50d15693d4ad245