Backports for 4.9.13-12 release:
- Add ipa-idrange-fix Resolves: RHEL-56920 - Unconditionally add MS-PAC to global config on update Resolves: RHEL-49437 - ipatests: Update ipa-adtrust-install test Resolves: RHEL-40894 - Require python-qrcode version 5.3 or later Related: RHEL-15090 Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
This commit is contained in:
parent
880d21b828
commit
e2ceb15ca1
1539
0034-Add-ipa-idrange-fix_rhel#56920.patch
Normal file
1539
0034-Add-ipa-idrange-fix_rhel#56920.patch
Normal file
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,87 @@
|
||||
diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update
|
||||
index 1058a92..1bf2bf3 100644
|
||||
--- a/install/updates/50-krbenctypes.update
|
||||
+++ b/install/updates/50-krbenctypes.update
|
||||
@@ -7,3 +7,5 @@ add: krbSupportedEncSaltTypes: aes128-sha2:normal
|
||||
add: krbSupportedEncSaltTypes: aes128-sha2:special
|
||||
add: krbSupportedEncSaltTypes: aes256-sha2:normal
|
||||
add: krbSupportedEncSaltTypes: aes256-sha2:special
|
||||
+remove: krbDefaultEncSaltTypes: des3-hmac-sha1:special
|
||||
+remove: krbDefaultEncSaltTypes: arcfour-hmac:special
|
||||
diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
|
||||
index 56e3920..b2fdcca 100644
|
||||
--- a/install/updates/60-trusts.update
|
||||
+++ b/install/updates/60-trusts.update
|
||||
@@ -54,4 +54,4 @@ add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$
|
||||
|
||||
# Add the default PAC type to configuration
|
||||
dn: cn=ipaConfig,cn=etc,$SUFFIX
|
||||
-addifnew: ipaKrbAuthzData: MS-PAC
|
||||
+add: ipaKrbAuthzData: MS-PAC
|
||||
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
|
||||
index d41c1ee..ef0727e 100644
|
||||
--- a/ipatests/test_integration/test_installation.py
|
||||
+++ b/ipatests/test_integration/test_installation.py
|
||||
@@ -1188,6 +1188,21 @@ class TestInstallMaster(IntegrationTest):
|
||||
expected_stdout=f'href="https://{self.master.hostname}/'
|
||||
)
|
||||
|
||||
+ def test_pac_configuration_enabled(self):
|
||||
+ """
|
||||
+ This testcase checks that the default PAC type
|
||||
+ is added to configuration.
|
||||
+ """
|
||||
+ base_dn = str(self.master.domain.basedn)
|
||||
+ dn = DN(
|
||||
+ ("cn", "ipaConfig"),
|
||||
+ ("cn", "etc"),
|
||||
+ base_dn
|
||||
+ )
|
||||
+ result = tasks.ldapsearch_dm(self.master, str(dn),
|
||||
+ ["ipaKrbAuthzData"])
|
||||
+ assert 'ipaKrbAuthzData: MS-PAC' in result.stdout_text
|
||||
+
|
||||
def test_hostname_parameter(self, server_cleanup):
|
||||
"""
|
||||
Test that --hostname parameter is respected in interactive mode.
|
||||
diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
|
||||
index 182e3b5..8465cf9 100644
|
||||
--- a/ipatests/test_integration/test_upgrade.py
|
||||
+++ b/ipatests/test_integration/test_upgrade.py
|
||||
@@ -165,7 +165,6 @@ class TestUpgrade(IntegrationTest):
|
||||
ldap.update_entry(location_krb_rec)
|
||||
|
||||
yield _setup_locations
|
||||
-
|
||||
ldap = self.master.ldap_connect()
|
||||
|
||||
modified = False
|
||||
@@ -477,3 +476,28 @@ class TestUpgrade(IntegrationTest):
|
||||
self.master.run_command(['ipa-server-upgrade'])
|
||||
assert self.master.transport.file_exists(
|
||||
paths.SYSTEMD_PKI_TOMCAT_IPA_CONF)
|
||||
+
|
||||
+ def test_mspac_attribute_set(self):
|
||||
+ """
|
||||
+ This testcase deletes the already existing attribute
|
||||
+ 'ipaKrbAuthzData: MS-PAC'.
|
||||
+ The test then runs ipa-server-upgrade and checks that
|
||||
+ the attribute 'ipaKrbAuthzData: MS-PAC' is added again.
|
||||
+ """
|
||||
+ base_dn = str(self.master.domain.basedn)
|
||||
+ dn = DN(
|
||||
+ ("cn", "ipaConfig"),
|
||||
+ ("cn", "etc"),
|
||||
+ base_dn
|
||||
+ )
|
||||
+ ldif = textwrap.dedent("""
|
||||
+ dn: cn=ipaConfig,cn=etc,{}
|
||||
+ changetype: modify
|
||||
+ delete: ipaKrbAuthzData
|
||||
+ """).format(base_dn)
|
||||
+ tasks.ldapmodify_dm(self.master, ldif)
|
||||
+ tasks.kinit_admin(self.master)
|
||||
+ self.master.run_command(['ipa-server-upgrade'])
|
||||
+ result = tasks.ldapsearch_dm(self.master, str(dn),
|
||||
+ ["ipaKrbAuthzData"])
|
||||
+ assert 'ipaKrbAuthzData: MS-PAC' in result.stdout_text
|
@ -0,0 +1,30 @@
|
||||
From f6645ebe5c0c0c030ec2e62e007d8dacd1b4e4cf Mon Sep 17 00:00:00 2001
|
||||
From: Erik Belko <ebelko@redhat.com>
|
||||
Date: Sep 03 2024 12:54:30 +0000
|
||||
Subject: ipatests: Update ipa-adtrust-install test
|
||||
|
||||
|
||||
update test_user_connects_smb_share_if_locked_specific_group with wait
|
||||
for SSSD to be online after ipa-adtrust-install command
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9655
|
||||
|
||||
Signed-off-by: Erik Belko <ebelko@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
|
||||
---
|
||||
|
||||
diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
|
||||
index 72e8d87..de252db 100644
|
||||
--- a/ipatests/test_integration/test_adtrust_install.py
|
||||
+++ b/ipatests/test_integration/test_adtrust_install.py
|
||||
@@ -853,6 +853,8 @@ class TestIpaAdTrustInstall(IntegrationTest):
|
||||
self.master.config.admin_password,
|
||||
"-U"]
|
||||
)
|
||||
+ # Wait for SSSD to become online before doing any other check
|
||||
+ tasks.wait_for_sssd_domain_status_online(self.master)
|
||||
self.master.run_command(["mkdir", "/freeipa4234"])
|
||||
self.master.run_command(
|
||||
["chcon", "-t", "samba_share_t",
|
||||
|
21
ipa.spec
21
ipa.spec
@ -190,7 +190,7 @@
|
||||
|
||||
Name: %{package_name}
|
||||
Version: %{IPA_VERSION}
|
||||
Release: 12%{?rc_version:.%rc_version}%{?dist}
|
||||
Release: 13%{?rc_version:.%rc_version}%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
License: GPLv3+
|
||||
@ -242,6 +242,9 @@ Patch0030: 0030-ipa-otptoken-import-open-the-key-file-in-binary-mode_rhel#3
|
||||
Patch0031: 0031-ipa-crlgen-manage-manage-the-cert-status-task-execution-time_rhel#30280.patch
|
||||
Patch0032: 0032-idrange-add-add-a-warning-because-389ds-restart-is-required_rhel#28996.patch
|
||||
Patch0033: 0033-PKINIT-certificate-fix-renewal-on-hidden-replica_rhel#4913.patch
|
||||
Patch0034: 0034-Add-ipa-idrange-fix_rhel#56920.patch
|
||||
Patch0035: 0035-Unconditionally-add-MS-PAC-to-global-config-on-update_rhel#49437.patch
|
||||
Patch0036: 0036-ipatests-Update-ipa-adtrust-install-test_rhel#40894.patch
|
||||
%if 0%{?rhel} >= 8
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||
@ -402,7 +405,7 @@ BuildRequires: python3-pycodestyle
|
||||
BuildRequires: python3-pylint
|
||||
BuildRequires: python3-pytest-multihost
|
||||
BuildRequires: python3-pytest-sourceorder
|
||||
BuildRequires: python3-qrcode-core >= 5.0.0
|
||||
BuildRequires: python3-qrcode-core >= 5.3
|
||||
BuildRequires: python3-samba
|
||||
BuildRequires: python3-six
|
||||
BuildRequires: python3-sss
|
||||
@ -1403,6 +1406,7 @@ fi
|
||||
%{_sbindir}/ipa-pkinit-manage
|
||||
%{_sbindir}/ipa-crlgen-manage
|
||||
%{_sbindir}/ipa-cert-fix
|
||||
%{_sbindir}/ipa-idrange-fix
|
||||
%{_sbindir}/ipa-acme-manage
|
||||
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
|
||||
%{_libexecdir}/certmonger/ipa-server-guard
|
||||
@ -1477,6 +1481,7 @@ fi
|
||||
%{_mandir}/man1/ipa-pkinit-manage.1*
|
||||
%{_mandir}/man1/ipa-crlgen-manage.1*
|
||||
%{_mandir}/man1/ipa-cert-fix.1*
|
||||
%{_mandir}/man1/ipa-idrange-fix.1*
|
||||
%{_mandir}/man1/ipa-acme-manage.1*
|
||||
|
||||
|
||||
@ -1757,7 +1762,17 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Wed Jul 17 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-9
|
||||
* Thu Nov 14 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-13
|
||||
- Add ipa-idrange-fix
|
||||
Resolves: RHEL-56920
|
||||
- Unconditionally add MS-PAC to global config on update
|
||||
Resolves: RHEL-49437
|
||||
- ipatests: Update ipa-adtrust-install test
|
||||
Resolves: RHEL-40894
|
||||
- Require python-qrcode version 5.3 or later
|
||||
Related: RHEL-15090
|
||||
|
||||
* Wed Jul 17 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-12
|
||||
- Allow the admin user to be disabled
|
||||
Resolves: RHEL-34756
|
||||
- ipa-otptoken-import: open the key file in binary mode
|
||||
|
Loading…
Reference in New Issue
Block a user