diff --git a/0001-Set-client-keytab-location-for-389ds.patch b/0001-Set-client-keytab-location-for-389ds.patch
deleted file mode 100644
index a22f4d2..0000000
--- a/0001-Set-client-keytab-location-for-389ds.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From df411f00a3d1db2fcb0d122a54b9e13a57e35f3f Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Fri, 8 Jan 2021 11:43:31 -0500
-Subject: [PATCH] Set client keytab location for 389ds
-
-Handles behavior change in
-https://github.com/389ds/389-ds-base/pull/4523
-
-Fixes: https://pagure.io/freeipa/issue/8656
-Signed-off-by: Robbie Harwood
-Reviewed-By: Rob Crittenden
-Reviewed-By: Alexander Bokovoy
----
- install/share/ds-ipa-env.conf.template | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/install/share/ds-ipa-env.conf.template b/install/share/ds-ipa-env.conf.template
-index f5ce11a9a..c059aae15 100644
---- a/install/share/ds-ipa-env.conf.template
-+++ b/install/share/ds-ipa-env.conf.template
-@@ -3,4 +3,5 @@
- [Service]
- Environment=LC_ALL=C.UTF-8
- Environment=KRB5_KTNAME=$KRB5_KTNAME
-+Environment=KRB5_CLIENT_KTNAME=$KRB5_KTNAME
- Environment=KRB5CCNAME=$KRB5CCNAME
---
-2.26.2
-
diff --git a/5212.patch b/5212.patch
deleted file mode 100644
index cc8f64a..0000000
--- a/5212.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From 2695789db45c2e7fe92e53a49521dc22fdffe317 Mon Sep 17 00:00:00 2001
-From: Mark Reynolds
-Date: Wed, 28 Oct 2020 10:34:31 -0400
-Subject: [PATCH] New validation efforts in 389-ds-base require that the
- backend entry for a database be created before the mapping tree entry. This
- enforces that the mapping tree entry (the suffix) actually belongs to an
- existing backend.
-
-For IPA we simply need to reverse the order of the backend vs mapping tree
-creation in cainstance.py -> __create_ds_db()
-
-Fixes: https://pagure.io/freeipa/issue/8558
----
- ipaserver/install/cainstance.py | 22 +++++++++++-----------
- 1 file changed, 11 insertions(+), 11 deletions(-)
-
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index fca829de094..1c2fab1dffb 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -1162,17 +1162,6 @@ def __create_ds_db(self):
- backend = 'ipaca'
- suffix = DN(('o', 'ipaca'))
-
-- # replication
-- dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
-- entry = api.Backend.ldap2.make_entry(
-- dn,
-- objectclass=["top", "extensibleObject", "nsMappingTree"],
-- cn=[suffix],
-- )
-- entry['nsslapd-state'] = ['Backend']
-- entry['nsslapd-backend'] = [backend]
-- api.Backend.ldap2.add_entry(entry)
--
- # database
- dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
- ('cn', 'config'))
-@@ -1184,6 +1173,17 @@ def __create_ds_db(self):
- entry['nsslapd-suffix'] = [suffix]
- api.Backend.ldap2.add_entry(entry)
-
-+ # replication
-+ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
-+ entry = api.Backend.ldap2.make_entry(
-+ dn,
-+ objectclass=["top", "extensibleObject", "nsMappingTree"],
-+ cn=[suffix],
-+ )
-+ entry['nsslapd-state'] = ['Backend']
-+ entry['nsslapd-backend'] = [backend]
-+ api.Backend.ldap2.add_entry(entry)
-+
- def __setup_replication(self):
- repl = replication.CAReplicationManager(self.realm, self.fqdn)
- repl.setup_cs_replication(self.master_host)
diff --git a/5273.patch b/5273.patch
deleted file mode 100644
index 0b6970a..0000000
--- a/5273.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 87813eb6404ae0aa15b95b1af788db0d37e2efa5 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Wed, 18 Nov 2020 12:35:38 +0200
-Subject: [PATCH] util: Fix client-only build
-
-Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
-client-only build as util/ipa_pwd.c unconditionally includes
-pwquality.h.
-
-Make sure we define USE_PWQUALITY in the full server configuration and
-if that one is defined, include libpwquality use.
-
-Fixes: https://pagure.io/freeipa/issue/8587
-Signed-off-by: Alexander Bokovoy
----
- configure.ac | 4 +++-
- util/Makefile.am | 10 +++++++---
- util/ipa_pwd.c | 9 ++++++++-
- 3 files changed, 18 insertions(+), 5 deletions(-)
-
-diff --git a/configure.ac b/configure.ac
-index ef1a1c6867e..5d04d446e0a 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -117,7 +117,9 @@ dnl ---------------------------------------------------------------------------
- dnl - Check for pwquality library
- dnl ---------------------------------------------------------------------------
- AM_COND_IF([ENABLE_SERVER], [
-- PKG_CHECK_MODULES([PWQUALITY], [pwquality])
-+ PKG_CHECK_MODULES([PWQUALITY], [pwquality],
-+ [AC_DEFINE(USE_PWQUALITY,1,[Use password quality checks])]
-+ )
- ])
-
- dnl ---------------------------------------------------------------------------
-diff --git a/util/Makefile.am b/util/Makefile.am
-index 5e21c098f14..b3803777809 100644
---- a/util/Makefile.am
-+++ b/util/Makefile.am
-@@ -21,7 +21,11 @@ libutil_la_SOURCES = \
-
- libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(PWQUALITY_LIBS)
-
--check_PROGRAMS = t_pwd t_policy
--TESTS = $(check_PROGRAMS)
-+check_PROGRAMS = t_pwd
- t_pwd_LDADD = libutil.la
--t_policy_LDADD = libutil.la
-+if ENABLE_SERVER
-+check_PROGRAMS += t_policy
-+t_policy_LDADD = libutil.la
-+endif
-+
-+TESTS = $(check_PROGRAMS)
-diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
-index dbff5ef1cba..8fa413c69cf 100644
---- a/util/ipa_pwd.c
-+++ b/util/ipa_pwd.c
-@@ -23,6 +23,7 @@
- #ifndef _GNU_SOURCE
- #define _GNU_SOURCE
- #endif
-+#include "config.h"
- #include
- #include
- #include
-@@ -31,7 +32,9 @@
- #include
- #include
- #include
-+#if defined(USE_PWQUALITY)
- #include
-+#endif
- #include
- #include
- #include
-@@ -417,11 +420,13 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
- {
- int pwdlen, blen;
- int ret;
-+#if defined(USE_PWQUALITY)
- pwquality_settings_t *pwq;
- int check_pwquality = 0;
-- int entropy;
-+ int entropy = 0;
- char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
- void *auxerror;
-+#endif
-
- if (!policy || !password) {
- return IPAPWD_POLICY_ERROR;
-@@ -534,6 +539,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
- }
- }
-
-+#if defined(USE_PWQUALITY)
- /* Only call into libpwquality if at least one setting is made
- * because there are a number of checks that don't have knobs
- * so preserve the previous behavior.
-@@ -601,6 +607,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
- #endif
- }
- }
-+#endif /* USE_PWQUALITY */
-
- if (pwd_history) {
- char *hash;
diff --git a/freeipa-4.8.10-systemd-resolved-configuration.patch b/freeipa-4.8.10-systemd-resolved-configuration.patch
deleted file mode 100644
index 7d03fcc..0000000
--- a/freeipa-4.8.10-systemd-resolved-configuration.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-From 2e4f9ef1552d1ef784bb91918aa60de0f05e453a Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Mon, 28 Sep 2020 12:00:01 +0200
-Subject: [PATCH 1/2] Ensure that resolved.conf.d is accessible
-
-systemd-resolved runs as user systemd-resolve. Ensure that
-resolved.conf.d drop-in directory is accessible when installer runs with
-restricted umask. Also ensure the file and directory has correct SELinux
-context.
-
-The parent directory /etc/systemd exists on all platforms.
-
-Fixes: https://pagure.io/freeipa/issue/8275
-Signed-off-by: Christian Heimes
----
- ipaplatform/base/tasks.py | 10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-
-diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
-index a39857e869..adf320b700 100644
---- a/ipaplatform/base/tasks.py
-+++ b/ipaplatform/base/tasks.py
-@@ -336,7 +336,11 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
- from ipaplatform.services import knownservices
-
- confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
-- os.makedirs(confd, exist_ok=True)
-+ if not os.path.isdir(confd):
-+ os.mkdir(confd)
-+ # owned by root, readable by systemd-resolve user
-+ os.chmod(confd, 0o755)
-+ tasks.restore_context(confd, force=True)
-
- cfg = RESOLVE1_IPA_CONF.format(
- searchdomains=" ".join(searchdomains)
-@@ -345,6 +349,10 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
- os.fchmod(f.fileno(), 0o644)
- f.write(cfg)
-
-+ tasks.restore_context(
-+ paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
-+ )
-+
- knownservices["systemd-resolved"].reload_or_restart()
-
- def unconfigure_dns_resolver(self, fstore=None):
-
-From 8b193f09018c3be283e0a3ecdfd1a58d49af360a Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Mon, 28 Sep 2020 12:29:00 +0200
-Subject: [PATCH 2/2] Also backup DNS config drop-ins
-
-/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
-files were not backed up.
-
-Related: https://pagure.io/freeipa/issue/8275
-Signed-off-by: Christian Heimes
----
- ipaserver/install/ipa_backup.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
-index 39347643d3..d472990afe 100644
---- a/ipaserver/install/ipa_backup.py
-+++ b/ipaserver/install/ipa_backup.py
-@@ -194,6 +194,8 @@ class Backup(admintool.AdminTool):
- paths.GSSPROXY_CONF,
- paths.HOSTS,
- paths.SYSTEMD_PKI_TOMCAT_IPA_CONF,
-+ paths.NETWORK_MANAGER_IPA_CONF,
-+ paths.SYSTEMD_RESOLVED_IPA_CONF,
- ) + tuple(
- os.path.join(paths.IPA_NSSDB_DIR, file)
- for file in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES)
diff --git a/freeipa-4.8.10-systemd-resolved-selinux-fixes.patch b/freeipa-4.8.10-systemd-resolved-selinux-fixes.patch
deleted file mode 100644
index e629a5d..0000000
--- a/freeipa-4.8.10-systemd-resolved-selinux-fixes.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From 8b2002cc7e2e0400e1afa3a21963a22947c7a908 Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Tue, 29 Sep 2020 10:39:01 +0200
-Subject: [PATCH] configure_dns_resolver: call self.restore_context
-
-Use the platform implementation of restore_context() instead of the base
-implementation.
-
-Fixes: https://pagure.io/freeipa/issue/8518
-Signed-off-by: Christian Heimes
----
- ipaplatform/base/tasks.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
-index adf320b700..4387e0e12f 100644
---- a/ipaplatform/base/tasks.py
-+++ b/ipaplatform/base/tasks.py
-@@ -340,7 +340,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
- os.mkdir(confd)
- # owned by root, readable by systemd-resolve user
- os.chmod(confd, 0o755)
-- tasks.restore_context(confd, force=True)
-+ self.restore_context(confd, force=True)
-
- cfg = RESOLVE1_IPA_CONF.format(
- searchdomains=" ".join(searchdomains)
-@@ -349,7 +349,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
- os.fchmod(f.fileno(), 0o644)
- f.write(cfg)
-
-- tasks.restore_context(
-+ self.restore_context(
- paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
- )
-
diff --git a/freeipa-4.8.10-systemd-resolved.patch b/freeipa-4.8.10-systemd-resolved.patch
deleted file mode 100644
index 5147654..0000000
--- a/freeipa-4.8.10-systemd-resolved.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From f9900ef2401070351353724ef92111ec541e67f0 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Sat, 26 Sep 2020 16:30:58 +0300
-Subject: [PATCH] Pre-populate IP addresses for the name server upgrades
-
-Setting up resolv.conf in BIND instance expects IP addresses of the
-server to be provided. This is done wiht BindInstance.setup() method
-call. However, when reusing resolver setup during upgrade BIND instance
-has no IP addresses configured and fails with an assert in
-tasks.configure_dns_resolver().
-
-Pass through the server's IP addresses during upgrade.
-
-Fixes: https://pagure.io/freeipa/issue/8518
-
-Signed-off-by: Alexander Bokovoy
----
- ipaserver/install/server/upgrade.py | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index 332f8b251..144b340a4 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -1451,6 +1451,9 @@ def upgrade_bind(fstore):
- # resolve1's stub resolver config file.
- has_resolved_ipa_conf = os.path.isfile(paths.SYSTEMD_RESOLVED_IPA_CONF)
- if not has_resolved_ipa_conf and detect_resolve1_resolv_conf():
-+ ip_addresses = installutils.get_server_ip_address(
-+ api.env.host, True, False, [])
-+ bind.ip_addresses = ip_addresses
- bind.setup_resolv_conf()
- logger.info("Updated systemd-resolved configuration")
-
---
-2.28.0
-
diff --git a/freeipa-4.8.9-support-older-installations.patch b/freeipa-4.8.9-support-older-installations.patch
deleted file mode 100644
index 04561fa..0000000
--- a/freeipa-4.8.9-support-older-installations.patch
+++ /dev/null
@@ -1,282 +0,0 @@
-From 071e283b19e925bea596a25b4758ab2cbc657914 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Tue, 11 Aug 2020 10:47:05 -0400
-Subject: [PATCH 1/3] Fall back to old server installation detection when
- needed
-
-If there is no installation section the the install pre-dated
-this new method of detecting a successful installation, fall back
-to that.
-
-https://pagure.io/freeipa/issue/8458
-
-Reviewed-By: Florence Blanc-Renaud
-Reviewed-By: Stanislav Levin
-Reviewed-By: Alexander Bokovoy
----
- ipalib/facts.py | 31 ++++++++++++++++++++++++++++-
- ipaserver/install/installutils.py | 4 ----
- ipaserver/install/server/install.py | 3 ++-
- ipaserver/install/server/upgrade.py | 7 +++++--
- 4 files changed, 37 insertions(+), 8 deletions(-)
-
-diff --git a/ipalib/facts.py b/ipalib/facts.py
-index 5106fc2ac5..d78c1a2275 100644
---- a/ipalib/facts.py
-+++ b/ipalib/facts.py
-@@ -6,17 +6,46 @@
- Facts about the installation
- """
-
-+import logging
- import os
- from . import sysrestore
- from ipaplatform.paths import paths
-
-+logger = logging.getLogger(__name__)
-+
-+# Used to determine install status
-+IPA_MODULES = [
-+ 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
-+
-
- def is_ipa_configured():
- """
- Use the state to determine if IPA has been configured.
- """
- sstore = sysrestore.StateFile(paths.SYSRESTORE)
-- return sstore.get_state('installation', 'complete')
-+ if sstore.has_state('installation'):
-+ return sstore.get_state('installation', 'complete')
-+
-+ # Fall back to older method in case this is an existing installation
-+
-+ installed = False
-+
-+ fstore = sysrestore.FileStore(paths.SYSRESTORE)
-+
-+ for module in IPA_MODULES:
-+ if sstore.has_state(module):
-+ logger.debug('%s is configured', module)
-+ installed = True
-+ else:
-+ logger.debug('%s is not configured', module)
-+
-+ if fstore.has_files():
-+ logger.debug('filestore has files')
-+ installed = True
-+ else:
-+ logger.debug('filestore is tracking no files')
-+
-+ return installed
-
-
- def is_ipa_client_configured(on_master=False):
-diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
-index 583b1aca0b..13baf494cd 100644
---- a/ipaserver/install/installutils.py
-+++ b/ipaserver/install/installutils.py
-@@ -63,10 +63,6 @@
-
- logger = logging.getLogger(__name__)
-
--# Used to determine install status
--IPA_MODULES = [
-- 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
--
-
- class BadHostError(Exception):
- pass
-diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index b86c3fec15..4d8e3ad78f 100644
---- a/ipaserver/install/server/install.py
-+++ b/ipaserver/install/server/install.py
-@@ -37,13 +37,14 @@
- validate_domain_name,
- no_matching_interface_for_ip_address_warning,
- )
-+from ipalib.facts import IPA_MODULES
- from ipaserver.install import (
- adtrust, adtrustinstance, bindinstance, ca, dns, dsinstance,
- httpinstance, installutils, kra, krbinstance,
- otpdinstance, custodiainstance, replication, service,
- sysupgrade)
- from ipaserver.install.installutils import (
-- IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
-+ BadHostError, get_fqdn, get_server_ip_address,
- load_pkcs12, read_password, verify_fqdn, update_hosts_file,
- validate_mask)
-
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index f0d9b746cd..109d1e100e 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -1455,8 +1455,11 @@ def upgrade_configuration():
- fstore = sysrestore.FileStore(paths.SYSRESTORE)
- sstore = sysrestore.StateFile(paths.SYSRESTORE)
-
-- if is_ipa_configured() is None:
-- sstore.backup_state('installation', 'complete', True)
-+ if not sstore.has_state('installation'):
-+ if is_ipa_configured():
-+ sstore.backup_state('installation', 'complete', True)
-+ else:
-+ sstore.backup_state('installation', 'complete', False)
-
- fqdn = api.env.host
-
-
-From 7d84d919a8f5767ade1dcc380ce4eebadac6a8b5 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Tue, 11 Aug 2020 11:12:55 -0400
-Subject: [PATCH 2/3] Use is_ipa_configured from ipalib.facts
-
-A couple of places still used the deprecated installutils version.
-
-https://pagure.io/freeipa/issue/8458
-
-Reviewed-By: Florence Blanc-Renaud
-Reviewed-By: Stanislav Levin
-Reviewed-By: Alexander Bokovoy
----
- ipaserver/install/installutils.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
-index 13baf494cd..a3274d5797 100644
---- a/ipaserver/install/installutils.py
-+++ b/ipaserver/install/installutils.py
-@@ -665,7 +665,7 @@ def check_server_configuration():
- Most convenient use case for the function is in install tools that require
- configured IPA for its function.
- """
-- if not is_ipa_configured():
-+ if not facts.is_ipa_configured():
- raise ScriptError("IPA is not configured on this system.",
- rval=SERVER_NOT_CONFIGURED)
-
-
-From 36ecfdbfe4ceedcfe056816cbb22162842fae975 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Tue, 11 Aug 2020 13:55:54 -0400
-Subject: [PATCH 3/3] ipatests: Add test for is_ipa_configured
-
-Validate that is_ipa_configured() returns True when using either
-the original and the new configuration methods. This will allow
-older installs to successfully upgrade.
-
-https://pagure.io/freeipa/issue/8458
-
-Reviewed-By: Florence Blanc-Renaud
-Reviewed-By: Stanislav Levin
-Reviewed-By: Alexander Bokovoy
----
- .../test_integration/test_installation.py | 88 +++++++++++++++++++
- 1 file changed, 88 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index fb19900838..98bdc98ab8 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -21,6 +21,7 @@
-
- from ipalib import x509
- from ipalib.constants import DOMAIN_LEVEL_0
-+from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
- from ipapython.dn import DN
- from ipaplatform.constants import constants
- from ipaplatform.osinfo import osinfo
-@@ -357,6 +358,93 @@ def test_ipa_ca_crt_permissions(self):
- assert owner == "root"
- assert group == "root"
-
-+ def test_is_ipa_configured(self):
-+ """Verify that the old and new methods of is_ipa_installed works
-+
-+ If there is an installation section then it is the status.
-+
-+ If not then it will fall back to looking for configured
-+ services and files and use that for determination.
-+ """
-+ def set_installation_state(host, state):
-+ """
-+ Update the complete value in the installation section
-+ """
-+ host.run_command(
-+ ['python3', '-c',
-+ 'from ipalib.install import sysrestore; '
-+ 'from ipaplatform.paths import paths;'
-+ 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
-+ 'sstore.backup_state("installation", "complete", '
-+ '{state})'.format(state=state)])
-+
-+ def get_installation_state(host):
-+ """
-+ Retrieve the installation state from new install method
-+ """
-+ result = host.run_command(
-+ ['python3', '-c',
-+ 'from ipalib.install import sysrestore; '
-+ 'from ipaplatform.paths import paths;'
-+ 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
-+ 'print(sstore.get_state("installation", "complete"))'])
-+ return result.stdout_text.strip() # a string
-+
-+ # This comes from freeipa.spec and is used to determine whether
-+ # an upgrade is required.
-+ cmd = ['python3', '-c',
-+ 'import sys; from ipalib import facts; sys.exit(0 '
-+ 'if facts.is_ipa_configured() else 1);']
-+
-+ # This will use the new method since this is a fresh install,
-+ # verify that it is true.
-+ self.master.run_command(cmd)
-+ assert get_installation_state(self.master) == 'True'
-+
-+ # Set complete to False which should cause the command to fail
-+ # This tests the state of a failed or in-process installation.
-+ set_installation_state(self.master, False)
-+ result = self.master.run_command(cmd, raiseonerr=False)
-+ assert result.returncode == 1
-+ set_installation_state(self.master, True)
-+
-+ # Tweak sysrestore.state to drop installation section
-+ self.master.run_command(
-+ ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
-+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
-+
-+ # Re-run installation check and it should fall back to old method
-+ # and be successful.
-+ self.master.run_command(cmd)
-+ assert get_installation_state(self.master) == 'None'
-+
-+ # Restore installation section.
-+ self.master.run_command(
-+ ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
-+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
-+
-+ # Uninstall and confirm that the old method reports correctly
-+ # on uninstalled servers. It will exercise the old method since
-+ # there is no state.
-+ tasks.uninstall_master(self.master)
-+
-+ # ensure there is no stale state
-+ result = self.master.run_command(r'test -f {}'.format(
-+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)),
-+ raiseonerr=False
-+ )
-+ assert result.returncode == 1
-+ result = self.master.run_command(r'test -f {}'.format(
-+ os.path.join(paths.SYSRESTORE, SYSRESTORE_INDEXFILE)),
-+ raiseonerr=False
-+ )
-+ assert result.returncode == 1
-+
-+ # Now run is_ipa_configured() and it should be False
-+ result = self.master.run_command(cmd, raiseonerr=False)
-+ assert result.returncode == 1
-+
-+
- class TestInstallWithCA_KRA1(InstallTestBase1):
-
- @classmethod
diff --git a/freeipa-4.9.0-rc2-fixes.patch b/freeipa-4.9.0-rc2-fixes.patch
deleted file mode 100644
index 2914d5f..0000000
--- a/freeipa-4.9.0-rc2-fixes.patch
+++ /dev/null
@@ -1,98 +0,0 @@
-From cd2fe2947589aaf8de0e9e64839c8840b68e9664 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Wed, 9 Dec 2020 11:15:20 +0200
-Subject: [PATCH 1/2] Allow mod_auth_gssapi to create and access ccaches in
- /run/ipa/ccaches
-
-With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
-create unique credential caches in /run/ipa/ccaches for every client
-that connects to IPA with a new session. On F34, mod_auth_gssapi process
-running as 'apache' cannot create the ccache in /run/ipa/ccaches because
-it has no access rights.
-
-The core of the problem is that we have two different paths to obtaining
-a ccache: one where 'apache' running httpd process creates it directly
-and one where an internal redirect from 'ipaapi' running httpd process
-is happening.
-
-Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
-to '/run/ipa/ccaches'. This fixes the problem.
-
-Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
-do so, mod_auth_gssapi will do redirects and fail.
-
-Fixes: https://pagure.io/freeipa/issue/8613
-
-Signed-off-by: Alexander Bokovoy
----
- init/tmpfilesd/ipa.conf.in | 3 ++-
- install/share/ipa.conf.template | 4 ++--
- 2 files changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/init/tmpfilesd/ipa.conf.in b/init/tmpfilesd/ipa.conf.in
-index 183ceeda6..6467e1b93 100644
---- a/init/tmpfilesd/ipa.conf.in
-+++ b/init/tmpfilesd/ipa.conf.in
-@@ -1,2 +1,3 @@
- d /run/ipa 0711 root root
--d /run/ipa/ccaches 0770 ipaapi ipaapi
-+d /run/ipa/ccaches 6770 ipaapi ipaapi
-+a+ /run/ipa/ccaches - - - - g:apache:rwx
-diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
-index ca51d2ea3..d74e14d4f 100644
---- a/install/share/ipa.conf.template
-+++ b/install/share/ipa.conf.template
-@@ -75,7 +75,7 @@ WSGIScriptReloading Off
-
- GssapiImpersonate On
- GssapiDelegCcacheDir $IPA_CCACHES
-- GssapiDelegCcachePerms mode:0660 gid:ipaapi
-+ GssapiDelegCcachePerms mode:0660
- GssapiDelegCcacheUnique On
- GssapiUseS4U2Proxy on
- GssapiAllowedMech krb5
-@@ -117,7 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
-
- AuthType none
- GssapiDelegCcacheDir $IPA_CCACHES
-- GssapiDelegCcachePerms mode:0660 gid:ipaapi
-+ GssapiDelegCcachePerms mode:0660
- GssapiDelegCcacheUnique On
- SSLVerifyClient require
- SSLUserName SSL_CLIENT_CERT
---
-2.29.2
-
-
-From 786e0823cdc58ad232b8320af94ea9ad89df88d6 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy
-Date: Wed, 9 Dec 2020 13:26:05 +0200
-Subject: [PATCH 2/2] upgrade: provide DOMAIN to the server upgrade dictionary
-
-Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
-in the dictionary. Regression was introduced with
-e731b2725a3772cd037683ff2e08c514fd02019f.
-
-Fixes: https://pagure.io/freeipa/issue/8615
-Related: https://pagure.io/freeipa/issue/8595
-
-Signed-off-by: Alexander Bokovoy
----
- ipaserver/install/server/upgrade.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index 18891d53c..00a133a4d 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -1578,6 +1578,7 @@ def upgrade_configuration():
- IPA_CCACHES=paths.IPA_CCACHES,
- IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
- KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
-+ DOMAIN=api.env.domain,
- )
-
- subject_base = find_subject_base()
---
-2.29.2
-
diff --git a/freeipa-refactor-dnssec-paths.patch b/freeipa-refactor-dnssec-paths.patch
deleted file mode 100644
index f13d4f1..0000000
--- a/freeipa-refactor-dnssec-paths.patch
+++ /dev/null
@@ -1,75 +0,0 @@
-From 44669a5a35970020d492cba644d0584bcc68774f Mon Sep 17 00:00:00 2001
-From: Christian Heimes
-Date: Mon, 14 Dec 2020 17:44:38 +0100
-Subject: [PATCH] Change mkdir logic in DNSSEC
-
-- Create /var/named/dyndb-ldap/ipa/master/ early
-- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
-
-Signed-off-by: Christian Heimes
----
- ipaserver/dnssec/bindmgr.py | 7 +++----
- ipaserver/install/dnskeysyncinstance.py | 19 +++++++++++++------
- ipaserver/install/server/upgrade.py | 1 +
- 3 files changed, 17 insertions(+), 10 deletions(-)
-
-diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
-index 4f7cad89344..a15c0e601a2 100644
---- a/ipaserver/dnssec/bindmgr.py
-+++ b/ipaserver/dnssec/bindmgr.py
-@@ -182,10 +182,9 @@ def sync_zone(self, zone):
- zone_path = os.path.join(paths.BIND_LDAP_DNS_ZONE_WORKDIR,
- self.get_zone_dir_name(zone))
- try:
-- os.makedirs(zone_path)
-- except OSError as e:
-- if e.errno != errno.EEXIST:
-- raise e
-+ os.mkdir(zone_path, 0o770)
-+ except FileExistsError:
-+ pass
-
- # fix HSM permissions
- # TODO: move out
-diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
-index 26c1d9c7516..16870b73b5c 100644
---- a/ipaserver/install/dnskeysyncinstance.py
-+++ b/ipaserver/install/dnskeysyncinstance.py
-@@ -66,12 +66,19 @@ def set_dyndb_ldap_workdir_permissions(self):
- """
- Setting up correct permissions to allow write/read access for daemons
- """
-- if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
-- os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
-- # dnssec daemons require to have access into the directory
-- os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
-- os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
-- self.named_gid)
-+ directories = [
-+ paths.BIND_LDAP_DNS_IPA_WORKDIR,
-+ paths.BIND_LDAP_DNS_ZONE_WORKDIR,
-+ ]
-+ for directory in directories:
-+ try:
-+ os.mkdir(directory, 0o770)
-+ except FileExistsError:
-+ pass
-+ else:
-+ os.chmod(directory, 0o770)
-+ # dnssec daemons require to have access into the directory
-+ os.chown(directory, self.named_uid, self.named_gid)
-
- def remove_replica_public_keys(self, replica_fqdn):
- ldap = api.Backend.ldap2
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index 18891d53c7d..c453e16b08a 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -1749,6 +1749,7 @@ def upgrade_configuration():
- else:
- if dnssec_set_openssl_engine(dnskeysyncd):
- dnskeysyncd.start_dnskeysyncd()
-+ dnskeysyncd.set_dyndb_ldap_workdir_permissions()
-
- cleanup_kdc(fstore)
- cleanup_adtrust(fstore)