Backports for 4.9.13-12 release:

- Add ipa-idrange-fix
  Resolves: RHEL-56920
- Unconditionally add MS-PAC to global config on update
  Resolves: RHEL-49437
- ipatests: Update ipa-adtrust-install test
  Resolves: RHEL-40894
- Require python-qrcode version 5.3 or later
  Related: RHEL-15090

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>

0035-Unconditionally-add-MS-PAC-to-global-config-on-update_rhel#49437.patch

@@ -0,0 +1,87 @@
+diff --git a/install/updates/50-krbenctypes.update b/install/updates/50-krbenctypes.update
+index 1058a92..1bf2bf3 100644
+--- a/install/updates/50-krbenctypes.update
++++ b/install/updates/50-krbenctypes.update
+@@ -7,3 +7,5 @@ add: krbSupportedEncSaltTypes: aes128-sha2:normal
+ add: krbSupportedEncSaltTypes: aes128-sha2:special
+ add: krbSupportedEncSaltTypes: aes256-sha2:normal
+ add: krbSupportedEncSaltTypes: aes256-sha2:special
++remove: krbDefaultEncSaltTypes: des3-hmac-sha1:special
++remove: krbDefaultEncSaltTypes: arcfour-hmac:special
+diff --git a/install/updates/60-trusts.update b/install/updates/60-trusts.update
+index 56e3920..b2fdcca 100644
+--- a/install/updates/60-trusts.update
++++ b/install/updates/60-trusts.update
+@@ -54,4 +54,4 @@ add:aci: (target="ldap:///krbprincipalname=cifs/($$dn),cn=services,cn=accounts,$
+ 
+ # Add the default PAC type to configuration
+ dn: cn=ipaConfig,cn=etc,$SUFFIX
+-addifnew: ipaKrbAuthzData: MS-PAC
++add: ipaKrbAuthzData: MS-PAC
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index d41c1ee..ef0727e 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -1188,6 +1188,21 @@ class TestInstallMaster(IntegrationTest):
+                 expected_stdout=f'href="https://{self.master.hostname}/'
+             )
+ 
++    def test_pac_configuration_enabled(self):
++        """
++        This testcase checks that the default PAC type
++        is added to configuration.
++        """
++        base_dn = str(self.master.domain.basedn)
++        dn = DN(
++            ("cn", "ipaConfig"),
++            ("cn", "etc"),
++            base_dn
++        )
++        result = tasks.ldapsearch_dm(self.master, str(dn),
++                                     ["ipaKrbAuthzData"])
++        assert 'ipaKrbAuthzData: MS-PAC' in result.stdout_text
++
+     def test_hostname_parameter(self, server_cleanup):
+         """
+         Test that --hostname parameter is respected in interactive mode.
+diff --git a/ipatests/test_integration/test_upgrade.py b/ipatests/test_integration/test_upgrade.py
+index 182e3b5..8465cf9 100644
+--- a/ipatests/test_integration/test_upgrade.py
++++ b/ipatests/test_integration/test_upgrade.py
+@@ -165,7 +165,6 @@ class TestUpgrade(IntegrationTest):
+                 ldap.update_entry(location_krb_rec)
+ 
+         yield _setup_locations
+-
+         ldap = self.master.ldap_connect()
+ 
+         modified = False
+@@ -477,3 +476,28 @@ class TestUpgrade(IntegrationTest):
+         self.master.run_command(['ipa-server-upgrade'])
+         assert self.master.transport.file_exists(
+             paths.SYSTEMD_PKI_TOMCAT_IPA_CONF)
++
++    def test_mspac_attribute_set(self):
++        """
++        This testcase deletes the already existing attribute
++        'ipaKrbAuthzData: MS-PAC'.
++        The test then runs ipa-server-upgrade and checks that
++        the attribute 'ipaKrbAuthzData: MS-PAC' is added again.
++        """
++        base_dn = str(self.master.domain.basedn)
++        dn = DN(
++            ("cn", "ipaConfig"),
++            ("cn", "etc"),
++            base_dn
++        )
++        ldif = textwrap.dedent("""
++             dn: cn=ipaConfig,cn=etc,{}
++             changetype: modify
++             delete: ipaKrbAuthzData
++        """).format(base_dn)
++        tasks.ldapmodify_dm(self.master, ldif)
++        tasks.kinit_admin(self.master)
++        self.master.run_command(['ipa-server-upgrade'])
++        result = tasks.ldapsearch_dm(self.master, str(dn),
++                                     ["ipaKrbAuthzData"])
++        assert 'ipaKrbAuthzData: MS-PAC' in result.stdout_text

0036-ipatests-Update-ipa-adtrust-install-test_rhel#40894.patch

@@ -0,0 +1,30 @@
+From f6645ebe5c0c0c030ec2e62e007d8dacd1b4e4cf Mon Sep 17 00:00:00 2001
+From: Erik Belko <ebelko@redhat.com>
+Date: Sep 03 2024 12:54:30 +0000
+Subject: ipatests: Update ipa-adtrust-install test
+
+
+update test_user_connects_smb_share_if_locked_specific_group with wait
+for SSSD to be online after ipa-adtrust-install command
+
+Related: https://pagure.io/freeipa/issue/9655
+
+Signed-off-by: Erik Belko <ebelko@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+
+---
+
+diff --git a/ipatests/test_integration/test_adtrust_install.py b/ipatests/test_integration/test_adtrust_install.py
+index 72e8d87..de252db 100644
+--- a/ipatests/test_integration/test_adtrust_install.py
++++ b/ipatests/test_integration/test_adtrust_install.py
+@@ -853,6 +853,8 @@ class TestIpaAdTrustInstall(IntegrationTest):
+              self.master.config.admin_password,
+              "-U"]
+         )
++        # Wait for SSSD to become online before doing any other check
++        tasks.wait_for_sssd_domain_status_online(self.master)
+         self.master.run_command(["mkdir", "/freeipa4234"])
+         self.master.run_command(
+             ["chcon", "-t", "samba_share_t",
+

ipa.spec

@@ -190,7 +190,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        12%{?rc_version:.%rc_version}%{?dist}
+Release:        13%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -242,6 +242,9 @@ Patch0030:      0030-ipa-otptoken-import-open-the-key-file-in-binary-mode_rhel#3
 Patch0031:      0031-ipa-crlgen-manage-manage-the-cert-status-task-execution-time_rhel#30280.patch
 Patch0032:      0032-idrange-add-add-a-warning-because-389ds-restart-is-required_rhel#28996.patch
 Patch0033:      0033-PKINIT-certificate-fix-renewal-on-hidden-replica_rhel#4913.patch
+Patch0034:      0034-Add-ipa-idrange-fix_rhel#56920.patch
+Patch0035:      0035-Unconditionally-add-MS-PAC-to-global-config-on-update_rhel#49437.patch
+Patch0036:      0036-ipatests-Update-ipa-adtrust-install-test_rhel#40894.patch
 %if 0%{?rhel} >= 8
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@@ -402,7 +405,7 @@ BuildRequires:  python3-pycodestyle
 BuildRequires:  python3-pylint
 BuildRequires:  python3-pytest-multihost
 BuildRequires:  python3-pytest-sourceorder
-BuildRequires:  python3-qrcode-core >= 5.0.0
+BuildRequires:  python3-qrcode-core >= 5.3
 BuildRequires:  python3-samba
 BuildRequires:  python3-six
 BuildRequires:  python3-sss
@@ -1403,6 +1406,7 @@ fi
 %{_sbindir}/ipa-pkinit-manage
 %{_sbindir}/ipa-crlgen-manage
 %{_sbindir}/ipa-cert-fix
+%{_sbindir}/ipa-idrange-fix
 %{_sbindir}/ipa-acme-manage
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
 %{_libexecdir}/certmonger/ipa-server-guard
@@ -1477,6 +1481,7 @@ fi
 %{_mandir}/man1/ipa-pkinit-manage.1*
 %{_mandir}/man1/ipa-crlgen-manage.1*
 %{_mandir}/man1/ipa-cert-fix.1*
+%{_mandir}/man1/ipa-idrange-fix.1*
 %{_mandir}/man1/ipa-acme-manage.1*
 
 
@@ -1757,7 +1762,17 @@ fi
 %endif
 
 %changelog
-* Wed Jul 17 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-9
+* Thu Nov 14 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-13
+- Add ipa-idrange-fix
+  Resolves: RHEL-56920
+- Unconditionally add MS-PAC to global config on update
+  Resolves: RHEL-49437
+- ipatests: Update ipa-adtrust-install test
+  Resolves: RHEL-40894
+- Require python-qrcode version 5.3 or later
+  Related: RHEL-15090
+
+* Wed Jul 17 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-12
 - Allow the admin user to be disabled
   Resolves: RHEL-34756
 - ipa-otptoken-import: open the key file in binary mode