Remove unused patches

This commit is contained in:
Alexander Bokovoy 2021-02-01 09:45:35 +02:00
parent 179e81bf0a
commit e98c2f2a47
9 changed files with 0 additions and 794 deletions


@ -1,29 +0,0 @@
From df411f00a3d1db2fcb0d122a54b9e13a57e35f3f Mon Sep 17 00:00:00 2001
From: Robbie Harwood <rharwood@redhat.com>
Date: Fri, 8 Jan 2021 11:43:31 -0500
Subject: [PATCH] Set client keytab location for 389ds
Handles behavior change in
https://github.com/389ds/389-ds-base/pull/4523
Fixes: https://pagure.io/freeipa/issue/8656
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
---
install/share/ds-ipa-env.conf.template | 1 +
1 file changed, 1 insertion(+)
diff --git a/install/share/ds-ipa-env.conf.template b/install/share/ds-ipa-env.conf.template
index f5ce11a9a..c059aae15 100644
--- a/install/share/ds-ipa-env.conf.template
+++ b/install/share/ds-ipa-env.conf.template
@@ -3,4 +3,5 @@
[Service]
Environment=LC_ALL=C.UTF-8
Environment=KRB5_KTNAME=$KRB5_KTNAME
+Environment=KRB5_CLIENT_KTNAME=$KRB5_KTNAME
Environment=KRB5CCNAME=$KRB5CCNAME
--
2.26.2


@ -1,56 +0,0 @@
From 2695789db45c2e7fe92e53a49521dc22fdffe317 Mon Sep 17 00:00:00 2001
From: Mark Reynolds <mreynolds@redhat.com>
Date: Wed, 28 Oct 2020 10:34:31 -0400
Subject: [PATCH] New validation efforts in 389-ds-base require that the
backend entry for a database be created before the mapping tree entry. This
enforces that the mapping tree entry (the suffix) actually belongs to an
existing backend.
For IPA we simply need to reverse the order of the backend vs mapping tree
creation in cainstance.py -> __create_ds_db()
Fixes: https://pagure.io/freeipa/issue/8558
---
ipaserver/install/cainstance.py | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
index fca829de094..1c2fab1dffb 100644
--- a/ipaserver/install/cainstance.py
+++ b/ipaserver/install/cainstance.py
@@ -1162,17 +1162,6 @@ def __create_ds_db(self):
backend = 'ipaca'
suffix = DN(('o', 'ipaca'))
- # replication
- dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
- entry = api.Backend.ldap2.make_entry(
- dn,
- objectclass=["top", "extensibleObject", "nsMappingTree"],
- cn=[suffix],
- )
- entry['nsslapd-state'] = ['Backend']
- entry['nsslapd-backend'] = [backend]
- api.Backend.ldap2.add_entry(entry)
-
# database
dn = DN(('cn', 'ipaca'), ('cn', 'ldbm database'), ('cn', 'plugins'),
('cn', 'config'))
@@ -1184,6 +1173,17 @@ def __create_ds_db(self):
entry['nsslapd-suffix'] = [suffix]
api.Backend.ldap2.add_entry(entry)
+ # replication
+ dn = DN(('cn', str(suffix)), ('cn', 'mapping tree'), ('cn', 'config'))
+ entry = api.Backend.ldap2.make_entry(
+ dn,
+ objectclass=["top", "extensibleObject", "nsMappingTree"],
+ cn=[suffix],
+ )
+ entry['nsslapd-state'] = ['Backend']
+ entry['nsslapd-backend'] = [backend]
+ api.Backend.ldap2.add_entry(entry)
+
def __setup_replication(self):
repl = replication.CAReplicationManager(self.realm, self.fqdn)
repl.setup_cs_replication(self.master_host)


@ -1,107 +0,0 @@
From 87813eb6404ae0aa15b95b1af788db0d37e2efa5 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 18 Nov 2020 12:35:38 +0200
Subject: [PATCH] util: Fix client-only build
Commit 26b9a697844c3bb66bdf83dad3a9738b3cb65361 did not fully fix the
client-only build as util/ipa_pwd.c unconditionally includes
pwquality.h.
Make sure we define USE_PWQUALITY in the full server configuration and
if that one is defined, include libpwquality use.
Fixes: https://pagure.io/freeipa/issue/8587
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
configure.ac | 4 +++-
util/Makefile.am | 10 +++++++---
util/ipa_pwd.c | 9 ++++++++-
3 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index ef1a1c6867e..5d04d446e0a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -117,7 +117,9 @@ dnl ---------------------------------------------------------------------------
dnl - Check for pwquality library
dnl ---------------------------------------------------------------------------
AM_COND_IF([ENABLE_SERVER], [
- PKG_CHECK_MODULES([PWQUALITY], [pwquality])
+ PKG_CHECK_MODULES([PWQUALITY], [pwquality],
+ [AC_DEFINE(USE_PWQUALITY,1,[Use password quality checks])]
+ )
])
dnl ---------------------------------------------------------------------------
diff --git a/util/Makefile.am b/util/Makefile.am
index 5e21c098f14..b3803777809 100644
--- a/util/Makefile.am
+++ b/util/Makefile.am
@@ -21,7 +21,11 @@ libutil_la_SOURCES = \
libutil_la_LIBADD = $(CRYPTO_LIBS) $(KRB5_LIBS) $(LDAP_LIBS) $(PWQUALITY_LIBS)
-check_PROGRAMS = t_pwd t_policy
-TESTS = $(check_PROGRAMS)
+check_PROGRAMS = t_pwd
t_pwd_LDADD = libutil.la
-t_policy_LDADD = libutil.la
+if ENABLE_SERVER
+check_PROGRAMS += t_policy
+t_policy_LDADD = libutil.la
+endif
+
+TESTS = $(check_PROGRAMS)
diff --git a/util/ipa_pwd.c b/util/ipa_pwd.c
index dbff5ef1cba..8fa413c69cf 100644
--- a/util/ipa_pwd.c
+++ b/util/ipa_pwd.c
@@ -23,6 +23,7 @@
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
+#include "config.h"
#include <stdio.h>
#include <string.h>
#include <time.h>
@@ -31,7 +32,9 @@
#include <syslog.h>
#include <unistd.h>
#include <errno.h>
+#if defined(USE_PWQUALITY)
#include <pwquality.h>
+#endif
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/sha.h>
@@ -417,11 +420,13 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
{
int pwdlen, blen;
int ret;
+#if defined(USE_PWQUALITY)
pwquality_settings_t *pwq;
int check_pwquality = 0;
- int entropy;
+ int entropy = 0;
char buf[PWQ_MAX_ERROR_MESSAGE_LEN];
void *auxerror;
+#endif
if (!policy || !password) {
return IPAPWD_POLICY_ERROR;
@@ -534,6 +539,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
}
}
+#if defined(USE_PWQUALITY)
/* Only call into libpwquality if at least one setting is made
* because there are a number of checks that don't have knobs
* so preserve the previous behavior.
@@ -601,6 +607,7 @@ int ipapwd_check_policy(struct ipapwd_policy *policy,
#endif
}
}
+#endif /* USE_PWQUALITY */
if (pwd_history) {
char *hash;


@ -1,74 +0,0 @@
From 2e4f9ef1552d1ef784bb91918aa60de0f05e453a Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 28 Sep 2020 12:00:01 +0200
Subject: [PATCH 1/2] Ensure that resolved.conf.d is accessible
systemd-resolved runs as user systemd-resolve. Ensure that
resolved.conf.d drop-in directory is accessible when installer runs with
restricted umask. Also ensure the file and directory has correct SELinux
context.
The parent directory /etc/systemd exists on all platforms.
Fixes: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
ipaplatform/base/tasks.py | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index a39857e869..adf320b700 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -336,7 +336,11 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
from ipaplatform.services import knownservices
confd = os.path.dirname(paths.SYSTEMD_RESOLVED_IPA_CONF)
- os.makedirs(confd, exist_ok=True)
+ if not os.path.isdir(confd):
+ os.mkdir(confd)
+ # owned by root, readable by systemd-resolve user
+ os.chmod(confd, 0o755)
+ tasks.restore_context(confd, force=True)
cfg = RESOLVE1_IPA_CONF.format(
searchdomains=" ".join(searchdomains)
@@ -345,6 +349,10 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
os.fchmod(f.fileno(), 0o644)
f.write(cfg)
+ tasks.restore_context(
+ paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
+ )
+
knownservices["systemd-resolved"].reload_or_restart()
def unconfigure_dns_resolver(self, fstore=None):
From 8b193f09018c3be283e0a3ecdfd1a58d49af360a Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 28 Sep 2020 12:29:00 +0200
Subject: [PATCH 2/2] Also backup DNS config drop-ins
/etc/NetworkManager/conf.d and /etc/systemd/resolved.conf.d drop-in
files were not backed up.
Related: https://pagure.io/freeipa/issue/8275
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
ipaserver/install/ipa_backup.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/ipaserver/install/ipa_backup.py b/ipaserver/install/ipa_backup.py
index 39347643d3..d472990afe 100644
--- a/ipaserver/install/ipa_backup.py
+++ b/ipaserver/install/ipa_backup.py
@@ -194,6 +194,8 @@ class Backup(admintool.AdminTool):
paths.GSSPROXY_CONF,
paths.HOSTS,
paths.SYSTEMD_PKI_TOMCAT_IPA_CONF,
+ paths.NETWORK_MANAGER_IPA_CONF,
+ paths.SYSTEMD_RESOLVED_IPA_CONF,
) + tuple(
os.path.join(paths.IPA_NSSDB_DIR, file)
for file in (certdb.NSS_DBM_FILES + certdb.NSS_SQL_FILES)


@ -1,36 +0,0 @@
From 8b2002cc7e2e0400e1afa3a21963a22947c7a908 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Tue, 29 Sep 2020 10:39:01 +0200
Subject: [PATCH] configure_dns_resolver: call self.restore_context
Use the platform implementation of restore_context() instead of the base
implementation.
Fixes: https://pagure.io/freeipa/issue/8518
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
ipaplatform/base/tasks.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py
index adf320b700..4387e0e12f 100644
--- a/ipaplatform/base/tasks.py
+++ b/ipaplatform/base/tasks.py
@@ -340,7 +340,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
os.mkdir(confd)
# owned by root, readable by systemd-resolve user
os.chmod(confd, 0o755)
- tasks.restore_context(confd, force=True)
+ self.restore_context(confd, force=True)
cfg = RESOLVE1_IPA_CONF.format(
searchdomains=" ".join(searchdomains)
@@ -349,7 +349,7 @@ def configure_dns_resolver(self, nameservers, searchdomains, *,
os.fchmod(f.fileno(), 0o644)
f.write(cfg)
- tasks.restore_context(
+ self.restore_context(
paths.SYSTEMD_RESOLVED_IPA_CONF, force=True
)


@ -1,37 +0,0 @@
From f9900ef2401070351353724ef92111ec541e67f0 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Sat, 26 Sep 2020 16:30:58 +0300
Subject: [PATCH] Pre-populate IP addresses for the name server upgrades
Setting up resolv.conf in BIND instance expects IP addresses of the
server to be provided. This is done wiht BindInstance.setup() method
call. However, when reusing resolver setup during upgrade BIND instance
has no IP addresses configured and fails with an assert in
tasks.configure_dns_resolver().
Pass through the server's IP addresses during upgrade.
Fixes: https://pagure.io/freeipa/issue/8518
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/server/upgrade.py | 3 +++
1 file changed, 3 insertions(+)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 332f8b251..144b340a4 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1451,6 +1451,9 @@ def upgrade_bind(fstore):
# resolve1's stub resolver config file.
has_resolved_ipa_conf = os.path.isfile(paths.SYSTEMD_RESOLVED_IPA_CONF)
if not has_resolved_ipa_conf and detect_resolve1_resolv_conf():
+ ip_addresses = installutils.get_server_ip_address(
+ api.env.host, True, False, [])
+ bind.ip_addresses = ip_addresses
bind.setup_resolv_conf()
logger.info("Updated systemd-resolved configuration")
--
2.28.0


@ -1,282 +0,0 @@
From 071e283b19e925bea596a25b4758ab2cbc657914 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 11 Aug 2020 10:47:05 -0400
Subject: [PATCH 1/3] Fall back to old server installation detection when
needed
If there is no installation section the the install pre-dated
this new method of detecting a successful installation, fall back
to that.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
ipalib/facts.py | 31 ++++++++++++++++++++++++++++-
ipaserver/install/installutils.py | 4 ----
ipaserver/install/server/install.py | 3 ++-
ipaserver/install/server/upgrade.py | 7 +++++--
4 files changed, 37 insertions(+), 8 deletions(-)
diff --git a/ipalib/facts.py b/ipalib/facts.py
index 5106fc2ac5..d78c1a2275 100644
--- a/ipalib/facts.py
+++ b/ipalib/facts.py
@@ -6,17 +6,46 @@
Facts about the installation
"""
+import logging
import os
from . import sysrestore
from ipaplatform.paths import paths
+logger = logging.getLogger(__name__)
+
+# Used to determine install status
+IPA_MODULES = [
+ 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
+
def is_ipa_configured():
"""
Use the state to determine if IPA has been configured.
"""
sstore = sysrestore.StateFile(paths.SYSRESTORE)
- return sstore.get_state('installation', 'complete')
+ if sstore.has_state('installation'):
+ return sstore.get_state('installation', 'complete')
+
+ # Fall back to older method in case this is an existing installation
+
+ installed = False
+
+ fstore = sysrestore.FileStore(paths.SYSRESTORE)
+
+ for module in IPA_MODULES:
+ if sstore.has_state(module):
+ logger.debug('%s is configured', module)
+ installed = True
+ else:
+ logger.debug('%s is not configured', module)
+
+ if fstore.has_files():
+ logger.debug('filestore has files')
+ installed = True
+ else:
+ logger.debug('filestore is tracking no files')
+
+ return installed
def is_ipa_client_configured(on_master=False):
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 583b1aca0b..13baf494cd 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -63,10 +63,6 @@
logger = logging.getLogger(__name__)
-# Used to determine install status
-IPA_MODULES = [
- 'httpd', 'kadmin', 'dirsrv', 'pki-tomcatd', 'install', 'krb5kdc', 'named']
-
class BadHostError(Exception):
pass
diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
index b86c3fec15..4d8e3ad78f 100644
--- a/ipaserver/install/server/install.py
+++ b/ipaserver/install/server/install.py
@@ -37,13 +37,14 @@
validate_domain_name,
no_matching_interface_for_ip_address_warning,
)
+from ipalib.facts import IPA_MODULES
from ipaserver.install import (
adtrust, adtrustinstance, bindinstance, ca, dns, dsinstance,
httpinstance, installutils, kra, krbinstance,
otpdinstance, custodiainstance, replication, service,
sysupgrade)
from ipaserver.install.installutils import (
- IPA_MODULES, BadHostError, get_fqdn, get_server_ip_address,
+ BadHostError, get_fqdn, get_server_ip_address,
load_pkcs12, read_password, verify_fqdn, update_hosts_file,
validate_mask)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index f0d9b746cd..109d1e100e 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1455,8 +1455,11 @@ def upgrade_configuration():
fstore = sysrestore.FileStore(paths.SYSRESTORE)
sstore = sysrestore.StateFile(paths.SYSRESTORE)
- if is_ipa_configured() is None:
- sstore.backup_state('installation', 'complete', True)
+ if not sstore.has_state('installation'):
+ if is_ipa_configured():
+ sstore.backup_state('installation', 'complete', True)
+ else:
+ sstore.backup_state('installation', 'complete', False)
fqdn = api.env.host
From 7d84d919a8f5767ade1dcc380ce4eebadac6a8b5 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 11 Aug 2020 11:12:55 -0400
Subject: [PATCH 2/3] Use is_ipa_configured from ipalib.facts
A couple of places still used the deprecated installutils version.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
ipaserver/install/installutils.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
index 13baf494cd..a3274d5797 100644
--- a/ipaserver/install/installutils.py
+++ b/ipaserver/install/installutils.py
@@ -665,7 +665,7 @@ def check_server_configuration():
Most convenient use case for the function is in install tools that require
configured IPA for its function.
"""
- if not is_ipa_configured():
+ if not facts.is_ipa_configured():
raise ScriptError("IPA is not configured on this system.",
rval=SERVER_NOT_CONFIGURED)
From 36ecfdbfe4ceedcfe056816cbb22162842fae975 Mon Sep 17 00:00:00 2001
From: Rob Crittenden <rcritten@redhat.com>
Date: Tue, 11 Aug 2020 13:55:54 -0400
Subject: [PATCH 3/3] ipatests: Add test for is_ipa_configured
Validate that is_ipa_configured() returns True when using either
the original and the new configuration methods. This will allow
older installs to successfully upgrade.
https://pagure.io/freeipa/issue/8458
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Stanislav Levin <slev@altlinux.org>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
---
.../test_integration/test_installation.py | 88 +++++++++++++++++++
1 file changed, 88 insertions(+)
diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
index fb19900838..98bdc98ab8 100644
--- a/ipatests/test_integration/test_installation.py
+++ b/ipatests/test_integration/test_installation.py
@@ -21,6 +21,7 @@
from ipalib import x509
from ipalib.constants import DOMAIN_LEVEL_0
+from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
from ipapython.dn import DN
from ipaplatform.constants import constants
from ipaplatform.osinfo import osinfo
@@ -357,6 +358,93 @@ def test_ipa_ca_crt_permissions(self):
assert owner == "root"
assert group == "root"
+ def test_is_ipa_configured(self):
+ """Verify that the old and new methods of is_ipa_installed works
+
+ If there is an installation section then it is the status.
+
+ If not then it will fall back to looking for configured
+ services and files and use that for determination.
+ """
+ def set_installation_state(host, state):
+ """
+ Update the complete value in the installation section
+ """
+ host.run_command(
+ ['python3', '-c',
+ 'from ipalib.install import sysrestore; '
+ 'from ipaplatform.paths import paths;'
+ 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
+ 'sstore.backup_state("installation", "complete", '
+ '{state})'.format(state=state)])
+
+ def get_installation_state(host):
+ """
+ Retrieve the installation state from new install method
+ """
+ result = host.run_command(
+ ['python3', '-c',
+ 'from ipalib.install import sysrestore; '
+ 'from ipaplatform.paths import paths;'
+ 'sstore = sysrestore.StateFile(paths.SYSRESTORE); '
+ 'print(sstore.get_state("installation", "complete"))'])
+ return result.stdout_text.strip() # a string
+
+ # This comes from freeipa.spec and is used to determine whether
+ # an upgrade is required.
+ cmd = ['python3', '-c',
+ 'import sys; from ipalib import facts; sys.exit(0 '
+ 'if facts.is_ipa_configured() else 1);']
+
+ # This will use the new method since this is a fresh install,
+ # verify that it is true.
+ self.master.run_command(cmd)
+ assert get_installation_state(self.master) == 'True'
+
+ # Set complete to False which should cause the command to fail
+ # This tests the state of a failed or in-process installation.
+ set_installation_state(self.master, False)
+ result = self.master.run_command(cmd, raiseonerr=False)
+ assert result.returncode == 1
+ set_installation_state(self.master, True)
+
+ # Tweak sysrestore.state to drop installation section
+ self.master.run_command(
+ ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+
+ # Re-run installation check and it should fall back to old method
+ # and be successful.
+ self.master.run_command(cmd)
+ assert get_installation_state(self.master) == 'None'
+
+ # Restore installation section.
+ self.master.run_command(
+ ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+
+ # Uninstall and confirm that the old method reports correctly
+ # on uninstalled servers. It will exercise the old method since
+ # there is no state.
+ tasks.uninstall_master(self.master)
+
+ # ensure there is no stale state
+ result = self.master.run_command(r'test -f {}'.format(
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)),
+ raiseonerr=False
+ )
+ assert result.returncode == 1
+ result = self.master.run_command(r'test -f {}'.format(
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_INDEXFILE)),
+ raiseonerr=False
+ )
+ assert result.returncode == 1
+
+ # Now run is_ipa_configured() and it should be False
+ result = self.master.run_command(cmd, raiseonerr=False)
+ assert result.returncode == 1
+
+
class TestInstallWithCA_KRA1(InstallTestBase1):
@classmethod


@ -1,98 +0,0 @@
From cd2fe2947589aaf8de0e9e64839c8840b68e9664 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 9 Dec 2020 11:15:20 +0200
Subject: [PATCH 1/2] Allow mod_auth_gssapi to create and access ccaches in
/run/ipa/ccaches
With commit c6644b8566f747fa80e2c1925b79bad9f8c92bd7 we default to
create unique credential caches in /run/ipa/ccaches for every client
that connects to IPA with a new session. On F34, mod_auth_gssapi process
running as 'apache' cannot create the ccache in /run/ipa/ccaches because
it has no access rights.
The core of the problem is that we have two different paths to obtaining
a ccache: one where 'apache' running httpd process creates it directly
and one where an internal redirect from 'ipaapi' running httpd process
is happening.
Use SUID and SGID to 'ipaapi'/'ipaapi' and allow 'apache' group to write
to '/run/ipa/ccaches'. This fixes the problem.
Note that we cannot completely remove 'GssapiDelegCcachePerms'. If we'd
do so, mod_auth_gssapi will do redirects and fail.
Fixes: https://pagure.io/freeipa/issue/8613
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
init/tmpfilesd/ipa.conf.in | 3 ++-
install/share/ipa.conf.template | 4 ++--
2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/init/tmpfilesd/ipa.conf.in b/init/tmpfilesd/ipa.conf.in
index 183ceeda6..6467e1b93 100644
--- a/init/tmpfilesd/ipa.conf.in
+++ b/init/tmpfilesd/ipa.conf.in
@@ -1,2 +1,3 @@
d /run/ipa 0711 root root
-d /run/ipa/ccaches 0770 ipaapi ipaapi
+d /run/ipa/ccaches 6770 ipaapi ipaapi
+a+ /run/ipa/ccaches - - - - g:apache:rwx
diff --git a/install/share/ipa.conf.template b/install/share/ipa.conf.template
index ca51d2ea3..d74e14d4f 100644
--- a/install/share/ipa.conf.template
+++ b/install/share/ipa.conf.template
@@ -75,7 +75,7 @@ WSGIScriptReloading Off
GssapiImpersonate On
GssapiDelegCcacheDir $IPA_CCACHES
- GssapiDelegCcachePerms mode:0660 gid:ipaapi
+ GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
GssapiUseS4U2Proxy on
GssapiAllowedMech krb5
@@ -117,7 +117,7 @@ Alias /ipa/session/cookie "/usr/share/ipa/gssapi.login"
<Location "/ipa/session/login_x509">
AuthType none
GssapiDelegCcacheDir $IPA_CCACHES
- GssapiDelegCcachePerms mode:0660 gid:ipaapi
+ GssapiDelegCcachePerms mode:0660
GssapiDelegCcacheUnique On
SSLVerifyClient require
SSLUserName SSL_CLIENT_CERT
--
2.29.2
From 786e0823cdc58ad232b8320af94ea9ad89df88d6 Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Wed, 9 Dec 2020 13:26:05 +0200
Subject: [PATCH 2/2] upgrade: provide DOMAIN to the server upgrade dictionary
Rules in ipa-rewrite.conf use $DOMAIN variable but it is not available
in the dictionary. Regression was introduced with
e731b2725a3772cd037683ff2e08c514fd02019f.
Fixes: https://pagure.io/freeipa/issue/8615
Related: https://pagure.io/freeipa/issue/8595
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
---
ipaserver/install/server/upgrade.py | 1 +
1 file changed, 1 insertion(+)
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 18891d53c..00a133a4d 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1578,6 +1578,7 @@ def upgrade_configuration():
IPA_CCACHES=paths.IPA_CCACHES,
IPA_CUSTODIA_SOCKET=paths.IPA_CUSTODIA_SOCKET,
KDCPROXY_CONFIG=paths.KDCPROXY_CONFIG,
+ DOMAIN=api.env.domain,
)
subject_base = find_subject_base()
--
2.29.2


@ -1,75 +0,0 @@
From 44669a5a35970020d492cba644d0584bcc68774f Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Mon, 14 Dec 2020 17:44:38 +0100
Subject: [PATCH] Change mkdir logic in DNSSEC
- Create /var/named/dyndb-ldap/ipa/master/ early
- Assume that /var/named/dyndb-ldap/ipa/master/ exists in BINDMgr.sync()
Signed-off-by: Christian Heimes <cheimes@redhat.com>
---
ipaserver/dnssec/bindmgr.py | 7 +++----
ipaserver/install/dnskeysyncinstance.py | 19 +++++++++++++------
ipaserver/install/server/upgrade.py | 1 +
3 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
index 4f7cad89344..a15c0e601a2 100644
--- a/ipaserver/dnssec/bindmgr.py
+++ b/ipaserver/dnssec/bindmgr.py
@@ -182,10 +182,9 @@ def sync_zone(self, zone):
zone_path = os.path.join(paths.BIND_LDAP_DNS_ZONE_WORKDIR,
self.get_zone_dir_name(zone))
try:
- os.makedirs(zone_path)
- except OSError as e:
- if e.errno != errno.EEXIST:
- raise e
+ os.mkdir(zone_path, 0o770)
+ except FileExistsError:
+ pass
# fix HSM permissions
# TODO: move out
diff --git a/ipaserver/install/dnskeysyncinstance.py b/ipaserver/install/dnskeysyncinstance.py
index 26c1d9c7516..16870b73b5c 100644
--- a/ipaserver/install/dnskeysyncinstance.py
+++ b/ipaserver/install/dnskeysyncinstance.py
@@ -66,12 +66,19 @@ def set_dyndb_ldap_workdir_permissions(self):
"""
Setting up correct permissions to allow write/read access for daemons
"""
- if not os.path.exists(paths.BIND_LDAP_DNS_IPA_WORKDIR):
- os.mkdir(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
- # dnssec daemons require to have access into the directory
- os.chmod(paths.BIND_LDAP_DNS_IPA_WORKDIR, 0o770)
- os.chown(paths.BIND_LDAP_DNS_IPA_WORKDIR, self.named_uid,
- self.named_gid)
+ directories = [
+ paths.BIND_LDAP_DNS_IPA_WORKDIR,
+ paths.BIND_LDAP_DNS_ZONE_WORKDIR,
+ ]
+ for directory in directories:
+ try:
+ os.mkdir(directory, 0o770)
+ except FileExistsError:
+ pass
+ else:
+ os.chmod(directory, 0o770)
+ # dnssec daemons require to have access into the directory
+ os.chown(directory, self.named_uid, self.named_gid)
def remove_replica_public_keys(self, replica_fqdn):
ldap = api.Backend.ldap2
diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
index 18891d53c7d..c453e16b08a 100644
--- a/ipaserver/install/server/upgrade.py
+++ b/ipaserver/install/server/upgrade.py
@@ -1749,6 +1749,7 @@ def upgrade_configuration():
else:
if dnssec_set_openssl_engine(dnskeysyncd):
dnskeysyncd.start_dnskeysyncd()
+ dnskeysyncd.set_dyndb_ldap_workdir_permissions()
cleanup_kdc(fstore)
cleanup_adtrust(fstore)