import ipa-4.9.11-5.module+el8.8.0+18147+84fe6ec1

.gitignore

@@ -1 +1 @@
-SOURCES/freeipa-4.9.10.tar.gz
+SOURCES/freeipa-4.9.11.tar.gz

.ipa.metadata

@@ -1 +1 @@
-8f2b6a7f52348421fa7c67048dd5ae454f2642fb SOURCES/freeipa-4.9.10.tar.gz
+4ef188d43f5f2a09e214dd2bae68595a5977bb61 SOURCES/freeipa-4.9.11.tar.gz

SOURCES/0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch

@@ -1,33 +0,0 @@
-From ff54fe2fdfbab11e08a138cdfd0da900ee865e3d Mon Sep 17 00:00:00 2001
-From: Rafael Guterres Jeffman <rjeffman@redhat.com>
-Date: Fri, 17 Jun 2022 11:22:32 -0300
-Subject: [PATCH] ipa-otpd: Fix build on older versions of gcc.
-
-Older versions of gcc do not support unnamed parameters.
-
-This patch fixes the build on older gcc by applying the same idiom for
-unsued parameters as used by other functions in the same module.
-
-Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
----
- daemons/ipa-otpd/oauth2.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/daemons/ipa-otpd/oauth2.c b/daemons/ipa-otpd/oauth2.c
-index df1ffd50d..11d5c135f 100644
---- a/daemons/ipa-otpd/oauth2.c
-+++ b/daemons/ipa-otpd/oauth2.c
-@@ -319,8 +319,9 @@ static int check_access_token_reply(struct child_ctx *child_ctx,
-     return ret;
- }
- 
--static void oauth2_on_child_readable(verto_ctx *, verto_ev *ev)
-+static void oauth2_on_child_readable(verto_ctx *vctx, verto_ev *ev)
- {
-+    (void)vctx; /* Unused */
-     static char buf[10240];
-     ssize_t io = 0;
-     struct child_ctx *child_ctx = NULL;
--- 
-2.36.1
-

SOURCES/0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch

@@ -0,0 +1,41 @@
+From 651e28c1fb6b86ad1fbd4ea98644e00b7042499c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Dec 02 2022 12:21:22 +0000
+Subject: updates: fix memberManager ACI to allow managers from a specified group
+
+
+The original implementation of the member manager added support for both
+user and group managers but left out upgrade scenario. This means when
+upgrading existing installation a manager whose rights defined by the
+group membership would not be able to add group members until the ACI is
+fixed.
+
+Remove old ACI and add a full one during upgrade step.
+
+Fixes: https://pagure.io/freeipa/issue/9286
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+
+---
+
+diff --git a/install/updates/20-aci.update b/install/updates/20-aci.update
+index a168bb9..4a7ba13 100644
+--- a/install/updates/20-aci.update
++++ b/install/updates/20-aci.update
+@@ -141,11 +141,13 @@ add:aci:(targetattr = "usercertificate")(version 3.0;acl "selfservice:Users can 
+ 
+ # Allow member managers to modify members of user groups
+ dn: cn=groups,cn=accounts,$SUFFIX
+-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
++remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN";)
++add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaUserGroup)")(version 3.0; acl "Allow member managers to modify members of user groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
+ 
+ # Allow member managers to modify members of host groups
+ dn: cn=hostgroups,cn=accounts,$SUFFIX
+-add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
++remove:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN";)
++add:aci: (targetattr = "member")(targetfilter = "(objectclass=ipaHostGroup)")(version 3.0; acl "Allow member managers to modify members of host groups"; allow (write) userattr = "memberManager#USERDN" or userattr = "memberManager#GROUPDN";)
+ 
+ # Hosts can add and delete their own services
+ dn: cn=services,cn=accounts,$SUFFIX
+

SOURCES/0002-trust-add-handle-missing-msSFU30MaxGidNumber_rhbz#2162355.patch

@@ -0,0 +1,46 @@
+From 703ab8c4dfb7f8fd1540c3849ad469d39695a26f Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Jan 25 2023 16:57:02 +0000
+Subject: trust-add: handle missing msSFU30MaxGidNumber
+
+
+When ipa trust-add is executed with --range-type ad-trust-posix,
+the server tries to find the max uidnumber and max gidnumber
+from AD domain controller.
+The values are extracted from the entry
+CN=<domain>,CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System,<AD suffix>
+in the msSFU30MaxUidNumber and msSFU30MaxGidNumber attributes.
+
+msSFU30MaxUidNumber is required but not msSFU30MaxGidNumber.
+In case msSFU30MaxGidNumber is missing, the code is currently assigning
+a "None" value and later on evaluates the max between this value and
+msSFU30MaxUidNumber. The max function cannot compare None and a list
+of string and triggers an exception.
+
+To avoid the exception, assign [b'0'] to max gid if msSFU30MaxGidNumber
+is missing. This way, the comparison succeeds and max returns the
+value from msSFU30MaxUidNumber.
+
+Fixes: https://pagure.io/freeipa/issue/9310
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+
+---
+
+diff --git a/ipaserver/plugins/trust.py b/ipaserver/plugins/trust.py
+index c074f6d..79264b8 100644
+--- a/ipaserver/plugins/trust.py
++++ b/ipaserver/plugins/trust.py
+@@ -379,7 +379,10 @@ def add_range(myapi, trustinstance, range_name, dom_sid, *keys, **options):
+                 range_type = u'ipa-ad-trust-posix'
+ 
+                 max_uid = info.get('msSFU30MaxUidNumber')
+-                max_gid = info.get('msSFU30MaxGidNumber', None)
++                # if max_gid is missing, assume 0 and the max will
++                # be obtained from max_uid. We just checked that
++                # msSFU30MaxUidNumber is defined
++                max_gid = info.get('msSFU30MaxGidNumber', [b'0'])
+                 max_id = int(max(max_uid, max_gid)[0])
+ 
+                 base_id = int(info.get('msSFU30OrderNumber')[0])
+

SOURCES/0003-Backport-latest-test-fixes-python3-ipatests_rhbz#2166929.patch

@@ -0,0 +1,76 @@
+From e8ef2c2f226704ce510525f07675107179124a95 Mon Sep 17 00:00:00 2001
+From: Sumedh Sidhaye <ssidhaye@redhat.com>
+Date: Feb 02 2023 06:53:56 +0000
+Subject: With the commit #99a74d7, 389-ds changed the message returned in ipa-healthcheck.
+
+
+Previously the message was:
+
+"\n\nIn Directory Server, we offer one hash suitable for this "
+"(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
+"\n\nYour configuration does not use these for password storage "
+"or the root password storage\nscheme.\n"
+
+but now the message is:
+
+\n\nIn Directory Server, we offer one hash suitable for this "
+"(PBKDF2-SHA512) and one hash\nfor \"legacy\" support (SSHA512)."
+"\n\nYour configuration does not use these for password storage "
+"or the root password storage\nscheme.\n"
+
+PBKDF2_SHA256 has been replaced with PBKDF2-SHA512
+
+Pagure: https://pagure.io/freeipa/issue/9238
+
+Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Stanislav Levin <slev@altlinux.org>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Stanislav Levin <slev@altlinux.org>
+
+---
+
+diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
+index 18a665e..60e8de9 100644
+--- a/ipatests/test_integration/test_ipahealthcheck.py
++++ b/ipatests/test_integration/test_ipahealthcheck.py
+@@ -1312,9 +1312,6 @@ class TestIpaHealthCheck(IntegrationTest):
+         """
+         error_msg = (
+             "\n\nIn Directory Server, we offer one hash suitable for this "
+-            "(PBKDF2_SHA256) and one hash\nfor \"legacy\" support (SSHA512)."
+-            "\n\nYour configuration does not use these for password storage "
+-            "or the root password storage\nscheme.\n"
+         )
+         returncode, data = run_healthcheck(
+             self.master, "ipahealthcheck.ds.config", "ConfigCheck",
+
+From 1bdd8147e7fa1032025dc6f6868e26f285744ee1 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Jan 11 2023 11:56:30 +0000
+Subject: ipatests: mark test_smb as xfail
+
+
+Mark the test test_smb.py::TestSMB::test_smb_service_s4u2self as xfail.
+
+Related: https://pagure.io/freeipa/issue/9124
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
+index eb3981b..30f8d59 100644
+--- a/ipatests/test_integration/test_smb.py
++++ b/ipatests/test_integration/test_smb.py
+@@ -349,6 +349,7 @@ class TestSMB(IntegrationTest):
+     @pytest.mark.skipif(
+         osinfo.id == 'fedora' and osinfo.version_number <= (31,),
+         reason='Test requires krb 1.18')
++    @pytest.mark.xfail(reason="Pagure ticket 9124", strict=True)
+     def test_smb_service_s4u2self(self):
+         """Test S4U2Self operation by IPA service
+            against both AD and IPA users
+

SOURCES/0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch

@@ -1,131 +0,0 @@
-From ff4152539b96d309dcceaf854a3e0a49f435acff Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 20 Jun 2022 09:09:11 +0200
-Subject: [PATCH] Preserve user: fix the confusing summary
-
-When ipa user-del --preserve is called, the command output
-prints a summary with:
-    Deleted user: user1
-although the user was preserved.
-Replace the summary with
-    Preserved user: user1
-to reflect what was actually done.
-
-Fixes: https://pagure.io/freeipa/issue/9187
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/plugins/user.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
-index 25d2bb6aa..fa8a67d3d 100644
---- a/ipaserver/plugins/user.py
-+++ b/ipaserver/plugins/user.py
-@@ -56,6 +56,7 @@ from .idviews import remove_ipaobject_overrides
- from ipalib.plugable import Registry
- from .baseldap import (
-     LDAPObject,
-+    pkey_to_unicode,
-     pkey_to_value,
-     LDAPCreate,
-     LDAPSearch,
-@@ -701,6 +702,7 @@ class user_del(baseuser_del):
-     __doc__ = _('Delete a user.')
- 
-     msg_summary = _('Deleted user "%(value)s"')
-+    msg_summary_preserved = _('Preserved user "%(value)s"')
- 
-     takes_options = baseuser_del.takes_options + (
-         Bool('preserve?',
-@@ -831,6 +833,8 @@ class user_del(baseuser_del):
-                     failed.append(pkey_to_value(pkey, options))
- 
-             val = dict(result=dict(failed=failed), value=preserved)
-+            val['summary'] = self.msg_summary_preserved % dict(
-+                value=pkey_to_unicode(preserved))
-             return val
-         else:
-             return super(user_del, self).execute(*keys, **options)
--- 
-2.36.1
-
-From 4984ff210a169129e4e56b10e54e9c795520855c Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 20 Jun 2022 09:12:14 +0200
-Subject: [PATCH] xmlrpc tests: updated expected output for preserved user
-
-Update the expected summary for the command
-ipa user-del --preserve
-
-The command now displays: Preserved user: user1
-instead of                Deleted user: user1
-
-Related: https://pagure.io/freeipa/issue/9187
-
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipatests/test_xmlrpc/test_stageuser_plugin.py | 5 ++++-
- ipatests/test_xmlrpc/tracker/user_plugin.py   | 7 ++++++-
- 2 files changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
-index bc606b093..fd146876c 100644
---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
-+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
-@@ -479,11 +479,12 @@ class TestActive(XMLRPC_test):
- 
-     def test_delete_preserve(self, user):
-         user.ensure_exists()
--        user.track_delete()
-+        user.track_delete(preserve=True)
-         command = user.make_delete_command(no_preserve=False, preserve=True)
-         result = command()
-         user.check_delete(result)
- 
-+        user.track_delete(preserve=False)
-         command = user.make_delete_command()
-         result = command()
-         user.check_delete(result)
-@@ -622,6 +623,7 @@ class TestCustomAttr(XMLRPC_test):
-         assert 'BusinessCat' in result['result'][u'businesscategory']
- 
-         # delete the user with --preserve
-+        user_customattr.track_delete(preserve=True)
-         command = user_customattr.make_delete_command(no_preserve=False,
-                                                       preserve=True)
-         result = command()
-@@ -763,6 +765,7 @@ class TestGroups(XMLRPC_test):
-         result = command()
-         group.check_retrieve(result)
- 
-+        user.track_delete(preserve=True)
-         command = user.make_delete_command(no_preserve=False, preserve=True)
-         result = command()
-         user.check_delete(result)
-diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
-index 03c106250..b04be4c19 100644
---- a/ipatests/test_xmlrpc/tracker/user_plugin.py
-+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
-@@ -273,9 +273,14 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker):
- 
-     def check_delete(self, result):
-         """ Check 'user-del' command result """
-+        if u'preserved' in self.attrs and self.attrs[u'preserved']:
-+            summary = u'Preserved user "%s"' % self.uid
-+        else:
-+            summary = u'Deleted user "%s"' % self.uid
-+
-         assert_deepequal(dict(
-             value=[self.uid],
--            summary=u'Deleted user "%s"' % self.uid,
-+            summary=summary,
-             result=dict(failed=[]),
-             ), result)
- 
--- 
-2.36.1
-

SOURCES/0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch

@@ -1,56 +0,0 @@
-From 3675bd1d7aca443832bb9bb2f521cc4d3a088aec Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 29 Jun 2022 13:25:55 +0000
-Subject: [PATCH] Only calculate LDAP password grace when the password is
- expired
-
-The user's pwd expiration was retrieved but inadvertently was never
-compared to current time. So any LDAP bind, including from the
-IPA API, counted against the grace period. There is no need to go
-through the graceperiod code for non-expired passwords.
-
-https://pagure.io/freeipa/issue/1539
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- .../ipa-graceperiod/ipa_graceperiod.c                | 12 +++++++++---
- 1 file changed, 9 insertions(+), 3 deletions(-)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
-index 0860b5c20..a3f57cb4b 100644
---- a/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
-+++ b/daemons/ipa-slapi-plugins/ipa-graceperiod/ipa_graceperiod.c
-@@ -359,7 +359,8 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
-     Slapi_ValueSet *values = NULL;
-     long grace_limit = 0;
-     int grace_user_time;
--    char *pwd_expiration = NULL;
-+    char *tmpstr = NULL;
-+    time_t pwd_expiration;
-     int pwresponse_requested = 0;
-     Slapi_PBlock *pbtm = NULL;
-     Slapi_Mods *smods = NULL;
-@@ -414,12 +415,17 @@ static int ipagraceperiod_preop(Slapi_PBlock *pb)
-     }
-     slapi_value_free(&objectclass);
- 
--    pwd_expiration = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
--    if (pwd_expiration == NULL) {
-+    tmpstr = slapi_entry_attr_get_charptr(target_entry, "krbPasswordExpiration");
-+    if (tmpstr == NULL) {
-         /* No expiration means nothing to do */
-         LOG_TRACE("No krbPasswordExpiration for %s, nothing to do\n", dn);
-         goto done;
-     }
-+    pwd_expiration = ipapwd_gentime_to_time_t(tmpstr);
-+    if (pwd_expiration > time(NULL)) {
-+        /* Not expired, nothing to see here */
-+        goto done;
-+    }
- 
-     ldrc = ipagraceperiod_getpolicy(target_entry, &policy_entry,
-                                     &values, &actual_type_name,
--- 
-2.36.1
-

SOURCES/0004-server-install-remove-error-log-about-missing-bkup-file_rhbz#2160389.patch

@@ -0,0 +1,52 @@
+From 6f50b00953c0000d6da8db0f5e8974ae33d7b5d5 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Jan 16 2023 07:44:50 +0000
+Subject: server install: remove error log about missing bkup file
+
+
+The client installer code can be called in 3 different ways:
+- from ipa-client-install CLI
+- from ipa-replica-install CLI if the client is not already installed
+- from ipa-server-install
+
+In the last case, the client installer is called with
+options.on_master=True
+As a result, it's skipping the part that is creating the krb5
+configuration:
+    if not options.on_master:
+        nolog = tuple()
+        configure_krb5_conf(...)
+
+The configure_krb5_conf method is the place where the krb5.conf file is
+backup'ed with the extention ".ipabkp". For a master installation, this
+code is not called and the ipabkp file does not exist => delete raises
+an error.
+
+When delete fails because the file does not exist, no need to log an
+error message.
+
+Fixes: https://pagure.io/freeipa/issue/9306
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+
+---
+
+diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
+index e5d3e82..6e7f17d 100644
+--- a/ipaclient/install/client.py
++++ b/ipaclient/install/client.py
+@@ -124,10 +124,9 @@ def cleanup(func):
+             os.rmdir(ccache_dir)
+         except OSError:
+             pass
+-        try:
+-            os.remove(krb_name + ".ipabkp")
+-        except OSError:
+-            logger.error("Could not remove %s.ipabkp", krb_name)
++        # During master installation, the .ipabkp file is not created
++        # Ignore the delete error if it is "file does not exist"
++        remove_file(krb_name + ".ipabkp")
+ 
+     return inner
+ 
+

SOURCES/0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch

@@ -0,0 +1,64 @@
+From 2deaaa788cbdde22d5b15566599fdcf7a10f02c6 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Feb 02 2023 10:08:26 +0000
+Subject: automember-rebuild: add a notice about high CPU usage
+
+
+The automember-rebuild task may require high CPU usage
+if many users/hosts/groups are processed.
+Add a note in the ipa automember-rebuild CLI output
+and in the WebUI confirmation message.
+
+Fixes: https://pagure.io/freeipa/issue/9320
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+
+---
+
+diff --git a/install/ui/test/data/i18n_messages.json b/install/ui/test/data/i18n_messages.json
+index 49d2883..5b73548 100644
+--- a/install/ui/test/data/i18n_messages.json
++++ b/install/ui/test/data/i18n_messages.json
+@@ -7,7 +7,7 @@
+             "actions": {
+                 "apply": "Apply", 
+                 "automember_rebuild": "Rebuild auto membership", 
+-                "automember_rebuild_confirm": "Are you sure you want to rebuild auto membership?", 
++                "automember_rebuild_confirm": "Are you sure you want to rebuild auto membership? In case of a high number of users, hosts or groups, the operation may require high CPU usage.",
+                 "automember_rebuild_success": "Automember rebuild membership task completed", 
+                 "confirm": "Are you sure you want to proceed with the action?", 
+                 "delete_confirm": "Are you sure you want to delete ${object}?", 
+diff --git a/ipaclient/plugins/automember.py b/ipaclient/plugins/automember.py
+index df4a2e5..7108dc9 100644
+--- a/ipaclient/plugins/automember.py
++++ b/ipaclient/plugins/automember.py
+@@ -34,3 +34,11 @@ class automember_add_condition(MethodOverride):
+             flags=['suppress_empty'],
+         ),
+     )
++
++
++@register(override=True, no_fail=True)
++class automember_rebuild(MethodOverride):
++    def interactive_prompt_callback(self, kw):
++        msg = _('IMPORTANT: In case of a high number of users, hosts or '
++                'groups, the operation may require high CPU usage.')
++        self.Backend.textui.print_plain(msg)
+diff --git a/ipaserver/plugins/internal.py b/ipaserver/plugins/internal.py
+index 5ffa7a2..e1e920f 100644
+--- a/ipaserver/plugins/internal.py
++++ b/ipaserver/plugins/internal.py
+@@ -160,7 +160,11 @@ class i18n_messages(Command):
+         "actions": {
+             "apply": _("Apply"),
+             "automember_rebuild": _("Rebuild auto membership"),
+-            "automember_rebuild_confirm": _("Are you sure you want to rebuild auto membership?"),
++            "automember_rebuild_confirm": _(
++                "Are you sure you want to rebuild auto membership? In case of "
++                "a high number of users, hosts or groups, the operation "
++                "may require high CPU usage."
++            ),
+             "automember_rebuild_success": _("Automember rebuild membership task completed"),
+             "confirm": _("Are you sure you want to proceed with the action?"),
+             "delete_confirm": _("Are you sure you want to delete ${object}?"),
+

SOURCES/0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch

@@ -0,0 +1,185 @@
+From 2a0868fccbc9f4dfc540a7d3bb5dfa22c0bdce4e Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 30 Jan 2023 14:22:30 +0200
+Subject: [PATCH 1/2] ipa-kdb: PAC consistency checker needs to handle child
+ domains as well
+
+When PAC check is performed, we might get a signing TGT instead of the
+client DB entry. This means it is a principal from a trusted domain but
+we don't know which one exactly because we only have a krbtgt for the
+forest root. This happens in MIT Kerberos 1.20 or later where KDB's
+issue_pac() callback never gets the original client principal directly.
+
+Look into known child domains as well and make pass the check if both
+NetBIOS name and SID correspond to one of the trusted domains under this
+forest root. Move check for the SID before NetBIOS name check because we
+can use SID of the domain in PAC to find out the right child domain in
+our trusted domains' topology list.
+
+Fixes: https://pagure.io/freeipa/issue/9316
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 51 +++++++++++++++++++++------------
+ 1 file changed, 32 insertions(+), 19 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index a15050e2166..476d1cb558a 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1827,11 +1827,43 @@ krb5_error_code filter_logon_info(krb5_context context,
+     bool result;
+     char *domstr = NULL;
+ 
++    ipactx = ipadb_get_context(context);
++    if (!ipactx || !ipactx->mspac) {
++        return KRB5_KDB_DBNOTINITED;
++    }
++
+     domain = get_domain_from_realm_update(context, realm);
+     if (!domain) {
+         return EINVAL;
+     }
+ 
++    /* check exact sid */
++    result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true);
++    if (!result) {
++        struct ipadb_mspac *mspac_ctx = ipactx->mspac;
++        result = FALSE;
++        /* Didn't match but perhaps the original PAC was issued by a child domain's DC? */
++        for (k = 0; k < mspac_ctx->num_trusts; k++) {
++            result = dom_sid_check(&mspac_ctx->trusts[k].domsid,
++                             info->info->info3.base.domain_sid, true);
++            if (result) {
++                domain = &mspac_ctx->trusts[k];
++                break;
++            }
++        }
++        if (!result) {
++            domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid);
++            krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, "
++                                      "expected domain SID = %s, "
++                                      "found domain SID = %s",
++                                      domain->domain_name, domain->domain_sid,
++                                      domstr ? domstr : "<failed to display>");
++            talloc_free(domstr);
++            return EINVAL;
++        }
++    }
++
++    /* At this point we may have changed the domain we look at, */
+     /* check netbios/flat name */
+     if (strcasecmp(info->info->info3.base.logon_domain.string,
+                    domain->flat_name) != 0) {
+@@ -1843,21 +1875,6 @@ krb5_error_code filter_logon_info(krb5_context context,
+         return EINVAL;
+     }
+ 
+-    /* check exact sid */
+-    result = dom_sid_check(&domain->domsid, info->info->info3.base.domain_sid, true);
+-    if (!result) {
+-        domstr = dom_sid_string(NULL, info->info->info3.base.domain_sid);
+-        if (!domstr) {
+-            return EINVAL;
+-        }
+-        krb5_klog_syslog(LOG_ERR, "PAC Info mismatch: domain = %s, "
+-                                  "expected domain SID = %s, "
+-                                  "found domain SID = %s",
+-                                  domain->domain_name, domain->domain_sid, domstr);
+-        talloc_free(domstr);
+-        return EINVAL;
+-    }
+-
+     /* Check if this domain has been filtered out by the trust itself*/
+     if (domain->parent != NULL) {
+         for(k = 0; k < domain->parent->len_sid_blocklist_incoming; k++) {
+@@ -1944,10 +1961,6 @@ krb5_error_code filter_logon_info(krb5_context context,
+      * should include different possibilities into account
+      * */
+     if (info->info->info3.sidcount != 0) {
+-        ipactx = ipadb_get_context(context);
+-        if (!ipactx || !ipactx->mspac) {
+-            return KRB5_KDB_DBNOTINITED;
+-        }
+         count = info->info->info3.sidcount;
+         i = 0;
+         j = 0;
+
+From 1a4f2597253c750696f6cd34613b375dc30fe456 Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Mon, 30 Jan 2023 19:27:49 +0530
+Subject: [PATCH 2/2] Add test for SSH with GSSAPI auth.
+
+Added test for aduser with GSSAPI authentication.
+
+Related : https://pagure.io/freeipa/issue/9316
+
+Signed-off-by: Anuja More <amore@redhat.com>
+---
+ ipatests/test_integration/test_trust.py | 46 +++++++++++++++++++++++++
+ 1 file changed, 46 insertions(+)
+
+diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
+index 21c814ff1a9..a1ed906c6ae 100644
+--- a/ipatests/test_integration/test_trust.py
++++ b/ipatests/test_integration/test_trust.py
+@@ -527,6 +527,35 @@ def test_subordinate_suffix(self):
+                    .format(self.ad_domain, subordinate_suffix))
+             self.ad.run_command(['powershell', '-c', cmd])
+ 
++    def test_ssh_aduser(self):
++        """Test ssh with GSSAPI is working with aduser
++
++        When kerberos ticket is obtained for child domain user
++        and ssh with this ticket should be successful
++        with no password prompt.
++
++        Related : https://pagure.io/freeipa/issue/9316
++        """
++        testuser = 'testuser@{0}'.format(self.ad_domain)
++        testusersub = 'subdomaintestuser@{0}'.format(self.ad_subdomain)
++
++        def sshuser(host, user):
++            tasks.kdestroy_all(host)
++            try:
++                tasks.kinit_as_user(host, user,
++                                    host.config.ad_admin_password
++                                    )
++                ssh_cmd = "ssh -q -K -l {user} {host} hostname"
++                valid_ssh = host.run_command(
++                    ssh_cmd.format(user=user, host=host.hostname)
++                )
++                assert host.hostname in valid_ssh.stdout_text
++            finally:
++                tasks.kdestroy_all(host)
++
++        sshuser(self.master, testuser)
++        sshuser(self.master, testusersub)
++
+     def test_remove_nonposix_trust(self):
+         self.remove_trust(self.ad)
+         tasks.unconfigure_dns_for_trust(self.master, self.ad)
+@@ -784,6 +813,23 @@ def test_user_gid_uid_resolution_in_external_treedomain_trust(self):
+         assert re.search(
+             testuser_regex, result.stdout_text), result.stdout_text
+ 
++    def test_ssh_adtreeuser(self):
++        testuser = 'treetestuser@{0}'.format(self.ad_treedomain)
++        self.master.run_command(["id", testuser])
++        tasks.clear_sssd_cache(self.master)
++        tasks.kdestroy_all(self.master)
++        try:
++            tasks.kinit_as_user(self.master, testuser,
++                                password="Secret123456"
++                                )
++            ssh_cmd = "ssh -q -K -l {user} {host} hostname"
++            valid_ssh = self.master.run_command(
++                ssh_cmd.format(user=testuser, host=self.master.hostname)
++            )
++            assert self.master.hostname in valid_ssh.stdout_text
++        finally:
++            tasks.kdestroy_all(self.master)
++
+     def test_remove_external_treedomain_trust(self):
+         self.remove_trust(self.tree_ad)
+         tasks.unconfigure_dns_for_trust(self.master, self.ad, self.tree_ad)

SOURCES/0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch

@@ -0,0 +1,64 @@
+From b35c75d864040b98ed3f9214d5d17d32f06d6ee1 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 11 Jul 2022 14:20:32 -0400
+Subject: [PATCH] Wipe the ipa-ca DNS record when updating system records
+
+If a server with a CA has been marked as hidden and
+contains the last A or AAAA address then that address
+would remain in the ipa-ca entry.
+
+This is because update-dns-system-records did not delete
+values, it just re-computed them. So if no A or AAAA
+records were found then the existing value was left.
+
+Fixes: https://pagure.io/freeipa/issue/9195
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/dns_data_management.py | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/dns_data_management.py b/ipaserver/dns_data_management.py
+index e2bc530ee8a..aaae5446856 100644
+--- a/ipaserver/dns_data_management.py
++++ b/ipaserver/dns_data_management.py
+@@ -19,6 +19,7 @@
+ from time import sleep, time
+ 
+ from ipalib import errors
++from ipalib.constants import IPA_CA_RECORD
+ from ipalib.dns import record_name_format
+ from ipapython.dnsutil import DNSName
+ from ipaserver.install import installutils
+@@ -187,7 +188,7 @@ def __add_uri_records(
+ 
+     def __add_ca_records_from_hostname(self, zone_obj, hostname):
+         assert isinstance(hostname, DNSName) and hostname.is_absolute()
+-        r_name = DNSName('ipa-ca') + self.domain_abs
++        r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
+         rrsets = None
+         end_time = time() + CA_RECORDS_DNS_TIMEOUT
+         while True:
+@@ -210,6 +211,7 @@ def __add_ca_records_from_hostname(self, zone_obj, hostname):
+ 
+         for rrset in rrsets:
+             for rd in rrset:
++                logger.debug("Adding CA IP %s for %s", rd.to_text(), hostname)
+                 rdataset = zone_obj.get_rdataset(
+                     r_name, rd.rdtype, create=True)
+                 rdataset.add(rd, ttl=self.TTL)
+@@ -461,6 +463,14 @@ def update_base_records(self):
+             )
+         )
+ 
++        # Remove the ipa-ca record(s). They will be reconstructed in
++        # get_base_records().
++        r_name = DNSName(IPA_CA_RECORD) + self.domain_abs
++        try:
++            self.api_instance.Command.dnsrecord_del(
++                self.domain_abs, r_name, del_all=True)
++        except errors.NotFound:
++            pass
+         base_zone = self.get_base_records()
+         for record_name, node in base_zone.items():
+             set_cname_template = record_name in names_requiring_cname_templates

SOURCES/1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch

@@ -15,7 +15,7 @@ diff --git a/freeipa.spec.in b/freeipa.spec.in
 index 8f5c370e5..e20edb7bc 100755
 --- a/freeipa.spec.in
 +++ b/freeipa.spec.in
-@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
+@@ -585,11 +585,9 @@ Requires: %{name}-server = %{version}-%{release}
  Requires: bind-dyndb-ldap >= 11.2-2
  Requires: bind >= %{bind_version}
  Requires: bind-utils >= %{bind_version}
@@ -32,15 +32,16 @@ diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
 index 7d21367ec..42a47f1df 100644
 --- a/ipaplatform/base/paths.py
 +++ b/ipaplatform/base/paths.py
-@@ -259,7 +259,6 @@ class BasePathNamespace:
+@@ -258,8 +258,7 @@ class BasePathNamespace:
      IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
      IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
      IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
 -    DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
-+    DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
 -    DNSSEC_KEYFROMLABEL_9_17 = "/usr/bin/dnssec-keyfromlabel"
++    DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
      GETSEBOOL = "/usr/sbin/getsebool"
      GROUPADD = "/usr/sbin/groupadd"
+     USERMOD = "/usr/sbin/usermod"
 diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
 index 4e993c063..92a948966 100644
 --- a/ipaplatform/fedora/paths.py

SOURCES/1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch

@@ -0,0 +1,114 @@
+From 9a33838407f244e481523fe643bc0626874e8b1a Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman <rjeffman@redhat.com>
+Date: Mon, 19 Dec 2022 14:57:03 -0300
+Subject: [PATCH] Revert "DNSResolver: Fix use of nameservers with ports"
+
+This reverts commit 5e2e4664aec641886923c2bec61ce25b96edb62a.
+---
+ ipapython/dnsutil.py                    | 41 -------------------------
+ ipatests/test_ipapython/test_dnsutil.py | 40 ------------------------
+ 2 files changed, 81 deletions(-)
+
+diff --git a/ipapython/dnsutil.py b/ipapython/dnsutil.py
+index 58de365ab..4baeaf8cc 100644
+--- a/ipapython/dnsutil.py
++++ b/ipapython/dnsutil.py
+@@ -144,47 +144,6 @@ class DNSResolver(dns.resolver.Resolver):
+             nameservers.remove(ipv4_loopback)
+         self.nameservers = nameservers
+ 
+-    @dns.resolver.Resolver.nameservers.setter
+-    def nameservers(self, nameservers):
+-        """
+-        *nameservers*, a ``list`` of nameservers with optional ports:
+-            "SERVER_IP port PORT_NUMBER".
+-
+-        Overloads dns.resolver.Resolver.nameservers setter to split off ports
+-        into nameserver_ports after setting nameservers successfully with the
+-        setter in dns.resolver.Resolver.
+-        """
+-        # Get nameserver_ports if it is already set
+-        if hasattr(self, "nameserver_ports"):
+-            nameserver_ports = self.nameserver_ports
+-        else:
+-            nameserver_ports = {}
+-
+-        # Check nameserver items in list and split out converted port number
+-        # into nameserver_ports: { nameserver: port }
+-        if isinstance(nameservers, list):
+-            _nameservers = []
+-            for nameserver in nameservers:
+-                splits = nameserver.split()
+-                if len(splits) == 3 and splits[1] == "port":
+-                    nameserver = splits[0]
+-                    try:
+-                        port = int(splits[2])
+-                        if port < 0 or port > 65535:
+-                            raise ValueError()
+-                    except ValueError:
+-                        raise ValueError(
+-                            "invalid nameserver: %s is not a valid port" %
+-                            splits[2])
+-                    nameserver_ports[nameserver] = port
+-                _nameservers.append(nameserver)
+-            nameservers = _nameservers
+-
+-        # Call dns.resolver.Resolver.nameservers setter
+-        dns.resolver.Resolver.nameservers.__set__(self, nameservers)
+-        # Set nameserver_ports after successfull call to setter
+-        self.nameserver_ports = nameserver_ports
+-
+ 
+ class DNSZoneAlreadyExists(dns.exception.DNSException):
+     supp_kwargs = {'zone', 'ns'}
+diff --git a/ipatests/test_ipapython/test_dnsutil.py b/ipatests/test_ipapython/test_dnsutil.py
+index 09463c69d..5e7a46197 100644
+--- a/ipatests/test_ipapython/test_dnsutil.py
++++ b/ipatests/test_ipapython/test_dnsutil.py
+@@ -101,43 +101,3 @@ class TestSortURI:
+         assert dnsutil.sort_prio_weight([h3, h2, h1]) == [h1, h2, h3]
+         assert dnsutil.sort_prio_weight([h3, h3, h3]) == [h3]
+         assert dnsutil.sort_prio_weight([h2, h2, h1, h1]) == [h1, h2]
+-
+-
+-class TestDNSResolver:
+-    def test_nameservers(self):
+-        res = dnsutil.DNSResolver()
+-        res.nameservers = ["4.4.4.4", "8.8.8.8"]
+-        assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
+-
+-    def test_nameservers_with_ports(self):
+-        res = dnsutil.DNSResolver()
+-        res.nameservers = ["4.4.4.4 port 53", "8.8.8.8 port 8053"]
+-        assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
+-        assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
+-
+-        res.nameservers = ["4.4.4.4 port 53", "8.8.8.8  port  8053"]
+-        assert res.nameservers == ["4.4.4.4", "8.8.8.8"]
+-        assert res.nameserver_ports == {"4.4.4.4": 53, "8.8.8.8": 8053}
+-
+-    def test_nameservers_with_bad_ports(self):
+-        res = dnsutil.DNSResolver()
+-        try:
+-            res.nameservers = ["4.4.4.4 port a"]
+-        except ValueError:
+-            pass
+-        else:
+-            pytest.fail("No fail on bad port a")
+-
+-        try:
+-            res.nameservers = ["4.4.4.4 port -1"]
+-        except ValueError:
+-            pass
+-        else:
+-            pytest.fail("No fail on bad port -1")
+-
+-        try:
+-            res.nameservers = ["4.4.4.4 port 65536"]
+-        except ValueError:
+-            pass
+-        else:
+-            pytest.fail("No fail on bad port 65536")
+-- 
+2.38.1
+

SOURCES/freeipa-4.9.10.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmKp71wACgkQaYdvcqbi
-008rbg/9G5w7KXgJcrhwBx5qqd4fqzSnwJdyN5oaBIEKNsAigMD7LIYawqgnO3g/
-/3FmJTbeCrOj9EoakvE1YNRT+75oxAO+rMFcRvFHlJyfMCa3r3lrS4LrlQiiyNwZ
-IHovcXr0Q3fizhp/V3acyZqx2pbnSh24CK4q5a1CNUs8SPkEFcOfpAJIMQCHeH6t
-ScfxuWOp8R1FnaNQc/9x3vy3ySQbHMxIWLSfJy7pk7FhLGAvgVNQBAz70Bg7BfR1
-R1V6syGeaPmqLOQw0jV05YMxyKwkbnSK/h2DlCg/iNQ/S71rXhOpuk01dDf73CI4
-Fu1H9TX50Indq31+4qbOlKZqDshhNzRRpn2m2qVvzeTfObHlZMbYNyVamovP9fEZ
-pfJcppI8aNDURjqpf/sVy4G8mhI5FQS+Q7bKvv9C04iE3XpTutg8q5mLMXGwWekY
-yeklBAmdygOKsY1uWb7BCH9eoWCVWKIwi4m5uYteZNxBt4aqsa/VFsxCE1P2T7/S
-+yc1Jo7hXWW8v3wm+dIGJj+Lz9YlJxC9SAiC72a6kTwIe2gnKlxoYbqe/18hEWm6
-0jESl2LiXfBhXz0YQlv2HjcPWZMMrNuhSCGTMgzP8KfZB258mtxpbBTk5/e9Wgsk
-29GCfaMWFUqZsrteG10HT/P6cotre6EVffQl9lNlPNQpX+DUKy4=
-=azus
------END PGP SIGNATURE-----

SOURCES/freeipa-4.9.11.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmOA8kcACgkQaYdvcqbi
+00887g/9GTvueJCypiuTqxKsbkTbWamOyH3W+AqtHw9Ff+wM/hnkSloGizhQ4EZZ
+4Zs1e6bfM1pGXT7DXU9WbiYtcVtUhY5l9SnT9moCMaG1z4aB7z9UCxsqsSCuy3bG
+KQq6AO2z4DaqHiz6ez3QXi+MUCNnPziWmS3bLdDCrTK0PNxqiMPIotlXMgVFgDL7
+go/TAUvUL27zH4ELvG4parSGEKVEqe//RzXklOwGrInyj/4u42x7lUdO2ugOolCI
+wNod8v+NWQWVgxNyhfTjP5VBZzO9wkGx4xruF2cAjVdjnIUGcG0FR3hI/bpi7Lyv
+EmIozbQMK92MLel63E7Z/d5Jxfmuw/n1t5NrgSth+9hhWnBEpiaKkD2zAmUATqHf
++y4mbrtajmjzewEnfUnQfCvSLDPyTpnQKkRY8hUvk7u/J+/ZFWMQl9RdGNw3M0Zr
+WrsqkKLK/n5IOHYHb/lBRaUidssKjQYFIvyNfHDP/lu6iiyLOpi5MIdk9BakO5wc
+oDMk3w9xY7tPPmoesW40BThnAdOR9U4aad8zVvOxhMfzAYRwu95HGQoHnk7/rNut
+IfzMZVjVTLQ8gyApcBlWzu/buiOoEXTKaMyzs0S9RMptknj5Xf0CGRz3bVrZRfJd
+umyhD6/rNk3eZW/yEIv3IqFev0h1txTBPSTlczYUIz6uc7nx82E=
+=8YVm
+-----END PGP SIGNATURE-----

SPECS/ipa.spec

@@ -68,8 +68,7 @@
 %global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
-# Require 4.14.5-13 which brings CVE-2020-25717 fixes
+%global samba_version 4.17.2-1
-%global samba_version 4.14.5-13
 %global selinux_policy_version 3.14.3-52
 %global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
@@ -93,8 +92,7 @@
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
 
-# Require 4.14.6 which brings CVE-2020-25717 fixes
+%global samba_version 2:4.17.2
-%global samba_version 2:4.14.6
 
 # 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
 %global selinux_policy_version 3.14.5-45
@@ -178,7 +176,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.10
+%define IPA_VERSION 4.9.11
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@@ -191,7 +189,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        3%{?rc_version:.%rc_version}%{?dist}
+Release:        5%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -211,18 +209,28 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
-Patch0001:      0001-ipa-otpd-Fix-build-on-older-versions-of-gcc.patch
+Patch0001:      0001-updates-fix-memberManager-ACI-to-allow-managers-from-a-specified-group_rhbz#2056009.patch
-Patch0002:      0002-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
+Patch0002:      0002-trust-add-handle-missing-msSFU30MaxGidNumber_rhbz#2162355.patch
-Patch0003:      0003-Preserve-user-fix-the-confusing-summary_rhbz#2022028.patch
+Patch0003:      0003-Backport-latest-test-fixes-python3-ipatests_rhbz#2166929.patch
-Patch0004:      0004-Only-calculate-LDAP-password-grace-when-the-password_rhbz#782917.patch
+Patch0004:      0004-server-install-remove-error-log-about-missing-bkup-file_rhbz#2160389.patch
+Patch0005:      0005-automember-rebuild-add-a-notice-about-high-CPU-usage_rhbz#2018198.patch
+Patch0006:      0006-ipa-kdb-PAC-consistency-checker-needs-to-handle-child-domains-as-well_rhbz#2166324.patch
+Patch0007:      0007-Wipe-the-ipa-ca-DNS-record-when-updating-system-records_rhbz#2158775.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
+Patch1003:      1003-webui-IdP-Remove-arrow-notation-due-to-uglify-js-lim.patch
+# Due to behavior changes in python3-dns 2.2.0, IPA overrides the setting of the
+# nameserver property inherited from dns.resolver.Resolver class to allow the
+# setting of nameservers with custom ports. The method used is only needed, and
+# only works, on version 2.2.0, or later, of python3-dns. For RHEL 8, which uses
+# series 1.xx, the method override is not needed to provide the same behavior.
+Patch1004:      1004-Revert-DNSResolver-Fix-use-of-nameservers-with-ports.patch
 %endif
 %endif
 # RHEL spec file only: END
 
-# For the timestamp trick in patch application
+## For the timestamp trick in patch application
-BuildRequires:  diffstat
+#BuildRequires:  diffstat
 
 BuildRequires:  openldap-devel
 # For KDB DAL version, make explicit dependency so that increase of version
@@ -289,6 +297,7 @@ BuildRequires:  cracklib-dicts
 # Build dependencies for makeapi/makeaci
 #
 BuildRequires:  python3-cffi
+# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
 BuildRequires:  python3-dns
 BuildRequires:  python3-ldap >= %{python_ldap_version}
 BuildRequires:  python3-libsss_nss_idmap
@@ -341,6 +350,7 @@ BuildRequires:  python3-cryptography >= 1.6
 BuildRequires:  python3-custodia >= 0.3.1
 BuildRequires:  python3-dateutil
 BuildRequires:  python3-dbus
+# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
 BuildRequires:  python3-dns >= 1.15
 BuildRequires:  python3-docker
 BuildRequires:  python3-gssapi >= 1.2.0
@@ -415,7 +425,6 @@ Requires: nss-tools >= %{nss_version}
 Requires(post): krb5-server >= %{krb5_version}
 Requires(post): krb5-server >= %{krb5_base_version}
 Requires: krb5-kdb-version = %{krb5_kdb_version}
-Requires: krb5-pkinit-openssl >= %{krb5_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
 Requires: httpd >= %{httpd_version}
@@ -513,6 +522,7 @@ Requires: python3-augeas
 Requires: augeas-libs >= %{augeas_version}
 Requires: python3-custodia >= 0.3.1
 Requires: python3-dbus
+# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
 Requires: python3-dns >= 1.15
 Requires: python3-gssapi >= 1.2.0
 Requires: python3-ipaclient = %{version}-%{release}
@@ -643,6 +653,8 @@ Requires: python3-sssdconfig >= %{sssd_version}
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: chrony
 Requires: krb5-workstation >= %{krb5_version}
+# Support pkinit with client install
+Requires: krb5-pkinit-openssl >= %{krb5_version}
 # authselect: sssd profile with-subid
 %if 0%{?fedora} >= 36
 Requires: authselect >= 1.4.0
@@ -742,6 +754,7 @@ Requires: %{name}-common = %{version}-%{release}
 Requires: python3-ipalib = %{version}-%{release}
 Requires: python3-augeas
 Requires: augeas-libs >= %{augeas_version}
+# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
 Requires: python3-dns >= 1.15
 Requires: python3-jinja2
 
@@ -822,6 +835,7 @@ Requires: python3-cffi
 Requires: python3-cryptography >= 1.6
 Requires: python3-dateutil
 Requires: python3-dbus
+# RHEL 8 packages will not work with python3-dns 2.2.0 or newer.
 Requires: python3-dns >= 1.15
 Requires: python3-gssapi >= 1.2.0
 Requires: python3-jwcrypto >= 0.4.2
@@ -938,22 +952,8 @@ Custom SELinux policy module for FreeIPA
 
 
 %prep
-# Update timestamps on the files touched by a patch, to avoid non-equal
-# .pyc/.pyo files across the multilib peers within a build, where "Level"
-# is the patch prefix option (e.g. -p1)
-# Taken from specfile for sssd and python-simplejson
-UpdateTimestamps() {
-  Level=$1
-  PatchFile=$2
 
-  # Locate the affected files:
+%autosetup -n freeipa-%{version}%{?rc_version} -N -p1
-  for f in $(diffstat $Level -l $PatchFile); do
-    # Set the files to have the same timestamp as that of the patch:
-    touch -c -r $PatchFile $f
-  done
-}
-
-%setup -n freeipa-%{version}%{?rc_version} -q
 
 # To allow proper application patches to the stripped po files, strip originals
 pushd po
@@ -963,10 +963,8 @@ for i in *.po ; do
 done
 popd
 
-for p in %patches ; do
+%autopatch -p1
-    %__patch -p1 -i $p
+
-    UpdateTimestamps -p1 $p
-done
 
 %build
 # PATH is workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1005235
@@ -1236,7 +1234,7 @@ if [ $1 -gt 1 ] ; then
 
         %{__python3} -c 'from ipaclient.install.client import configure_krb5_snippet; configure_krb5_snippet()' >>/var/log/ipaupgrade.log 2>&1
         %{__python3} -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >>/var/log/ipaupgrade.log 2>&1
-        chmod 0600 /var/log/ipaupgrade.lo
+        chmod 0600 /var/log/ipaupgrade.log
         SSH_CLIENT_SYSTEM_CONF="/etc/ssh/ssh_config"
         if [ -f "$SSH_CLIENT_SYSTEM_CONF" ]; then
             sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' "$SSH_CLIENT_SYSTEM_CONF"
@@ -1712,11 +1710,87 @@ fi
 %if %{with selinux}
 %files selinux
 %{_datadir}/selinux/packages/%{selinuxtype}/%{modulename}.pp.*
-%ghost %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
+%ghost %verify(not md5 size mode mtime) %{_sharedstatedir}/selinux/%{selinuxtype}/active/modules/200/%{modulename}
 # with selinux
 %endif
 
 %changelog
+* Fri Feb 10 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-5
+- Wipe the ipa-ca DNS record when updating system records
+  Resolves: RHBZ#2158775
+
+* Thu Feb 09 2023 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-4
+- trust-add: handle missinf msSFU30MaxGidNumber
+  Resolves: RHBZ#2162355
+- Backport latest test fixes for python3-ipatests
+  Resolves: RHBZ#2166929
+- server install: remove error log about missing bkup file
+  Resolves: RHBZ#2160389
+- automember-rebuild: add a notice about high CPU usage
+  Resolves: RHBZ#2018198
+- ipa-kdb: PAC consistency checker needs to handle child domains as well
+  Resolves: RHBZ#2166324
+
+* Mon Dec 19 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-3
+- Revert DNSResolver Fix use of nameservers with ports.
+  Related: RHBZ#2141316
+
+* Fri Dec 16 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-2
+- webui IdP: Remove arrow notation due to uglify-js limitation
+  Related: RHBZ#2141316
+
+* Wed Dec 14 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.11-1
+- Rebase ipa to 4.9.11
+  Resolves: RHBZ#2141316
+- updates: fix memberManager ACI to allow managers from a specified group
+  Resolves: RHBZ#2056009
+- Defer creating the final krb5.conf on clients
+  Resolves: RHBZ#2148259
+- Exclude installed policy module file from RPM verification
+  Resolves: RHBZ#2149567
+- Spec file: ipa-client depends on krb5-pkinit-openssl
+  Resolves: RHBZ#2149889
+
+* Thu Nov 24 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-8
+- ipa man page format the EXAMPLES section
+  Resolves: RHBZ#2129895
+- Fix canonicalization issue in Web UI
+  Resolves: RHBZ#2127035
+- Remove idnssoaserial argument from dns zone API. 
+  Resolves: RHBZ#2108630
+- Warn for permissions with read/write/search/compare and no attrs
+  Resolves: RHBZ#2098187
+- Add PKINIT support to ipa-client-install
+  Resolves: RHBZ#2075452
+- Generate CNAMEs for TXT+URI location krb records
+  Resolves: RHBZ#2104185
+- Vault: fix interoperability issues with older RHEL systems
+  Resolves: RHBZ#2144737
+- Fix typo on ipaupgrade.log chmod during RPM %post snipppet
+  Resolves: RHBZ#2140994
+
+* Tue Nov 1 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-7
+- Rebuild to samba 4.17.2.
+  Related: RHBZ#2132051
+
+* Mon Aug 22 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-6
+- webui: Allow grace login limit
+  Resolves: RHBZ#2109243
+- check_repl_update: in progress is a boolean
+  Resolves: RHBZ#2117303
+- Disabling gracelimit does not prevent LDAP binds
+  Resolves: RHBZ#2109236
+- Set passwordgracelimit to match global policy on group pw policies
+  Resolves: RHBZ#2115475
+
+* Tue Jul 19 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-5
+- webui: Do not allow empty pagination size
+  Resolves: RHBZ#2094672
+
+* Tue Jul 12 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-4
+- Add end to end integration tests for external IdP
+  Resolves: RHBZ#2106346
+
 * Thu Jul 07 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.10-3
 - Add explicit dependency for libvert-libev
   Resolves: RHBZ#2104929