Update to upstream 4.2.1
parent
a944f13c98
commit
ece84f751e
1
.gitignore
vendored
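--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@
 /freeipa-4.1.2.tar.gz
 /freeipa-4.1.3.tar.gz
 /freeipa-4.1.4.tar.gz
+/freeipa-4.2.1.tar.gz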
@ -1,33 +0,0 @@
|
||||
From 80514f225f628f7c7993b85e562a851e7ee40644 Mon Sep 17 00:00:00 2001
|
||||
From: Nathan Kinder <nkinder@redhat.com>
|
||||
Date: Wed, 25 Feb 2015 14:22:02 -0800
|
||||
Subject: [PATCH 1/2] Skip time sync during client install when using --no-ntp
|
||||
|
||||
When --no-ntp is specified during ipa-client-install, we still
|
||||
attempt to perform a time sync before obtaining a TGT from the
|
||||
KDC. We should not be attempting to sync time with the KDC if
|
||||
we are explicitly told to not configure ntp.
|
||||
|
||||
Ticket: https://fedorahosted.org/freeipa/ticket/4842
|
||||
---
|
||||
ipa-client/ipa-install/ipa-client-install | 3 ++-
|
||||
1 file changed, 2 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
|
||||
index ccaab55..a625fbd 100755
|
||||
--- a/ipa-client/ipa-install/ipa-client-install
|
||||
+++ b/ipa-client/ipa-install/ipa-client-install
|
||||
@@ -2324,8 +2324,9 @@ def install(options, env, fstore, statestore):
|
||||
# hostname if different from system hostname
|
||||
tasks.backup_and_replace_hostname(fstore, statestore, options.hostname)
|
||||
|
||||
- if not options.on_master:
|
||||
+ if not options.on_master and options.conf_ntp:
|
||||
# Attempt to sync time with IPA server.
|
||||
+ # If we're skipping NTP configuration, we also skip the time sync here.
|
||||
# We assume that NTP servers are discoverable through SRV records in the DNS
|
||||
# If that fails, we try to sync directly with IPA server, assuming it runs NTP
|
||||
root_logger.info('Synchronizing time with KDC...')
|
||||
--
|
||||
1.9.3
|
||||
|
@ -1,78 +0,0 @@
|
||||
From a0ffcd6f8ba610c20808a2f863d384b7631c64ac Mon Sep 17 00:00:00 2001
|
||||
From: David Kupka <dkupka@redhat.com>
|
||||
Date: Fri, 27 Mar 2015 07:14:27 -0400
|
||||
Subject: [PATCH] Make lint work on Fedora 22.
|
||||
|
||||
pylint added 'confidence' parameter to 'add_message' method of PyLinter.
|
||||
To be compatible with both, pre- and post- 1.4 IPALinter must accept
|
||||
the parameter but not pass it over.
|
||||
Also python3 checker was added and enabled by default. FreeIPA is still
|
||||
not ready for python3.
|
||||
Additionally few false-positives was marked.
|
||||
---
|
||||
ipalib/plugins/otptoken.py | 1 +
|
||||
ipapython/dnssec/ldapkeydb.py | 1 +
|
||||
ipaserver/install/ipa_otptoken_import.py | 1 +
|
||||
make-lint | 3 ++-
|
||||
4 files changed, 5 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
|
||||
index b87145df80a3be9b16d596dd4072129c2290f40a..867659ec2a867b2dba79922a4e98b7b6254e81bf 100644
|
||||
--- a/ipalib/plugins/otptoken.py
|
||||
+++ b/ipalib/plugins/otptoken.py
|
||||
@@ -547,6 +547,7 @@ class otptoken_sync(Local):
|
||||
query = urllib.urlencode(query)
|
||||
|
||||
# Sync the token.
|
||||
+ # pylint: disable=E1101
|
||||
handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'),
|
||||
cert_reqs=ssl.CERT_REQUIRED,
|
||||
ssl_version=ssl.PROTOCOL_TLSv1)
|
||||
diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py
|
||||
index 71c0a95a39b1b460178d0b853ed26bf2cfe5bda1..520b510707d432d2e432c55ca25f2a872d832348 100644
|
||||
--- a/ipapython/dnssec/ldapkeydb.py
|
||||
+++ b/ipapython/dnssec/ldapkeydb.py
|
||||
@@ -23,6 +23,7 @@ def uri_escape(val):
|
||||
assert len(val) > 0, "zero-length URI component detected"
|
||||
hexval = hexlify(val)
|
||||
out = '%'
|
||||
+ # pylint: disable=E1127
|
||||
out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
|
||||
return out
|
||||
|
||||
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
|
||||
index b78aba93a2edc987450d921c87ea4f61b014b419..c6a69c9975cc113c10d0dee669f9db619422a9d3 100644
|
||||
--- a/ipaserver/install/ipa_otptoken_import.py
|
||||
+++ b/ipaserver/install/ipa_otptoken_import.py
|
||||
@@ -60,6 +60,7 @@ def convertDate(value):
|
||||
|
||||
dt = dateutil.parser.parse(value)
|
||||
|
||||
+ # pylint: disable=E1101
|
||||
if dt.tzinfo is None:
|
||||
dt = datetime.datetime(*dt.timetuple()[0:6],
|
||||
tzinfo=dateutil.tz.tzlocal())
|
||||
diff --git a/make-lint b/make-lint
|
||||
index bd0eb4d75c50c794dbd40444ab035df5a5153d6c..8016d1c3554944d7799aefe0242f4f844e76e32c 100755
|
||||
--- a/make-lint
|
||||
+++ b/make-lint
|
||||
@@ -143,7 +143,7 @@ class IPALinter(PyLinter):
|
||||
return
|
||||
super(IPALinter, self).register_checker(checker)
|
||||
|
||||
- def add_message(self, msg_id, line=None, node=None, args=None):
|
||||
+ def add_message(self, msg_id, line=None, node=None, args=None, confidence=None):
|
||||
if line is None and node is not None:
|
||||
line = node.fromlineno
|
||||
|
||||
@@ -235,6 +235,7 @@ def main():
|
||||
'{path}:{line}: [{msg_id}({symbol}), {obj}] {msg})')
|
||||
linter.set_option('reports', False)
|
||||
linter.set_option('persistent', False)
|
||||
+ linter.set_option('disable', 'python3')
|
||||
|
||||
linter.check(files)
|
||||
|
||||
--
|
||||
2.1.0
|
||||
|
@ -1,40 +0,0 @@
|
||||
From 206de2b2b8f46f4c41f7df39c952e445329b9170 Mon Sep 17 00:00:00 2001
|
||||
From: David Kupka <dkupka@redhat.com>
|
||||
Date: Mon, 30 Mar 2015 04:11:19 -0400
|
||||
Subject: [PATCH 1/3] Remove unused part of ipa.conf.
|
||||
|
||||
Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from
|
||||
IPA 1.0.
|
||||
---
|
||||
install/conf/ipa.conf | 15 ---------------
|
||||
1 file changed, 15 deletions(-)
|
||||
|
||||
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
|
||||
index 7eede73efc559967925d2bbfeee54e1e2efd3e21..62ee955ecfe0be78a3bd377e5aa35a335681621f 100644
|
||||
--- a/install/conf/ipa.conf
|
||||
+++ b/install/conf/ipa.conf
|
||||
@@ -174,21 +174,6 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
|
||||
AddHandler wsgi-script .py
|
||||
</Directory>
|
||||
|
||||
-# Protect our CGIs
|
||||
-<Directory /var/www/cgi-bin>
|
||||
- AuthType Kerberos
|
||||
- AuthName "Kerberos Login"
|
||||
- KrbMethodNegotiate on
|
||||
- KrbMethodK5Passwd off
|
||||
- KrbServiceName HTTP
|
||||
- KrbAuthRealms $REALM
|
||||
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
||||
- KrbSaveCredentials on
|
||||
- Require valid-user
|
||||
- ErrorDocument 401 /ipa/errors/unauthorized.html
|
||||
-</Directory>
|
||||
-
|
||||
-
|
||||
# migration related pages
|
||||
Alias /ipa/migration "/usr/share/ipa/migration"
|
||||
<Directory "/usr/share/ipa/migration">
|
||||
--
|
||||
2.3.4
|
||||
|
@ -1,184 +0,0 @@
|
||||
From d7a856097039b37e77a59aad66d6cdedc3eb6aee Mon Sep 17 00:00:00 2001
|
||||
From: David Kupka <dkupka@redhat.com>
|
||||
Date: Mon, 30 Mar 2015 04:17:55 -0400
|
||||
Subject: [PATCH 2/3] Use mod_auth_gssapi instead of mod_auth_kerb.
|
||||
|
||||
https://fedorahosted.org/freeipa/ticket/4190
|
||||
---
|
||||
freeipa.spec.in | 4 +++-
|
||||
init/systemd/ipa.conf.tmpfiles | 1 +
|
||||
install/conf/ipa.conf | 16 +++++-----------
|
||||
ipalib/session.py | 20 ++++++++++----------
|
||||
ipaserver/rpcserver.py | 2 +-
|
||||
5 files changed, 20 insertions(+), 23 deletions(-)
|
||||
|
||||
diff --git a/freeipa.spec.in b/freeipa.spec.in
|
||||
index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644
|
||||
--- a/freeipa.spec.in
|
||||
+++ b/freeipa.spec.in
|
||||
@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
|
||||
Requires: ntp
|
||||
Requires: httpd >= 2.4.6-6
|
||||
Requires: mod_wsgi
|
||||
-Requires: mod_auth_kerb >= 5.4-16
|
||||
+Requires: mod_auth_gssapi >= 1.1.0-2
|
||||
Requires: mod_nss >= 1.0.8-26
|
||||
Requires: python-ldap >= 2.4.15
|
||||
Requires: python-krbV
|
||||
@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
|
||||
mkdir -p %{buildroot}%{_localstatedir}/run/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
|
||||
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
|
||||
|
||||
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
|
||||
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
||||
@@ -680,6 +681,7 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
|
||||
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
|
||||
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
|
||||
# NOTE: systemd specific section
|
||||
%{_tmpfilesdir}/%{name}.conf
|
||||
%attr(644,root,root) %{_unitdir}/ipa.service
|
||||
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
|
||||
index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
|
||||
--- a/init/systemd/ipa.conf.tmpfiles
|
||||
+++ b/init/systemd/ipa.conf.tmpfiles
|
||||
@@ -1,2 +1,3 @@
|
||||
d /var/run/ipa_memcached 0700 apache apache
|
||||
d /var/run/ipa 0700 root root
|
||||
+d /var/run/httpd/clientcaches 0700 apache apache
|
||||
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
|
||||
index 62ee955ecfe0be78a3bd377e5aa35a335681621f..871fab8248fcc1c3793ce71bdcb86720a7e31c61 100644
|
||||
--- a/install/conf/ipa.conf
|
||||
+++ b/install/conf/ipa.conf
|
||||
@@ -3,7 +3,6 @@
|
||||
#
|
||||
# This file may be overwritten on upgrades.
|
||||
#
|
||||
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
|
||||
|
||||
ProxyRequests Off
|
||||
|
||||
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
|
||||
SetHandler None
|
||||
</Location>
|
||||
|
||||
-KrbConstrainedDelegationLock ipa
|
||||
-
|
||||
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
|
||||
<Location "/ipa">
|
||||
- AuthType Kerberos
|
||||
+ AuthType GSSAPI
|
||||
AuthName "Kerberos Login"
|
||||
- KrbMethodNegotiate on
|
||||
- KrbMethodK5Passwd off
|
||||
- KrbServiceName HTTP
|
||||
- KrbAuthRealms $REALM
|
||||
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
|
||||
- KrbSaveCredentials on
|
||||
- KrbConstrainedDelegation on
|
||||
+ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
|
||||
+ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
|
||||
+ GssapiDelegCcacheDir /var/run/httpd/clientcaches
|
||||
+ GssapiUseS4U2Proxy on
|
||||
Require valid-user
|
||||
ErrorDocument 401 /ipa/errors/unauthorized.html
|
||||
</Location>
|
||||
diff --git a/ipalib/session.py b/ipalib/session.py
|
||||
index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644
|
||||
--- a/ipalib/session.py
|
||||
+++ b/ipalib/session.py
|
||||
@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
|
||||
There are 4 major players:
|
||||
|
||||
1. client
|
||||
- 2. mod_auth_kerb (in Apache process)
|
||||
+ 2. mod_auth_gssapi (in Apache process)
|
||||
3. wsgi handler (in IPA wsgi python process)
|
||||
4. ds (directory server)
|
||||
|
||||
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
|
||||
|
||||
2. Client sends post to /ipa/json.
|
||||
|
||||
- 3. mod_auth_kerb is configured to protect /ipa/json, replies 401
|
||||
+ 3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
|
||||
authenticate negotiate.
|
||||
|
||||
4. Client resends with credentials
|
||||
|
||||
- 5. mod_auth_kerb validates credentials
|
||||
+ 5. mod_auth_gssapi validates credentials
|
||||
|
||||
a. if invalid replies 403 access denied (stops here)
|
||||
|
||||
@@ -550,7 +550,7 @@ A few notes about the session implementation.
|
||||
Changes to Apache's resource protection
|
||||
---------------------------------------
|
||||
|
||||
- * /ipa/json is no longer protected by mod_auth_kerb. This is
|
||||
+ * /ipa/json is no longer protected by mod_auth_gssapi. This is
|
||||
necessary to avoid the negotiate expense in steps 3,4,5
|
||||
above. Instead the /ipa/json resource will be protected in our wsgi
|
||||
handler via the session cookie.
|
||||
@@ -583,15 +583,15 @@ The new sequence is:
|
||||
|
||||
5. client sends request to /ipa/login to obtain session credentials
|
||||
|
||||
- 6. mod_auth_kerb replies 401 negotiate on /ipa/login
|
||||
+ 6. mod_auth_gssapi replies 401 negotiate on /ipa/login
|
||||
|
||||
7. client sends credentials to /ipa/login
|
||||
|
||||
- 8. mod_auth_kerb validates credentials
|
||||
+ 8. mod_auth_gssapi validates credentials
|
||||
|
||||
a. if valid
|
||||
|
||||
- - mod_auth_kerb permits access to /ipa/login. wsgi handler is
|
||||
+ - mod_auth_gssapi permits access to /ipa/login. wsgi handler is
|
||||
invoked and does the following:
|
||||
|
||||
* establishes session for client
|
||||
@@ -600,7 +600,7 @@ The new sequence is:
|
||||
|
||||
a. if invalid
|
||||
|
||||
- - mod_auth_kerb sends 403 access denied (processing stops)
|
||||
+ - mod_auth_gssapi sends 403 access denied (processing stops)
|
||||
|
||||
9. client now posts the same data again to /ipa/json including
|
||||
session cookie. Processing repeats starting at step 2 and since
|
||||
@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure
|
||||
calls are marshalled and unmarshalled.
|
||||
|
||||
Under the new scheme /ipa/xml will continue to be Kerberos protected
|
||||
-at all times. Apache's mod_auth_kerb will continue to require the
|
||||
+at all times. Apache's mod_auth_gssapi will continue to require the
|
||||
client provides valid Kerberos credentials.
|
||||
|
||||
When the WSGI handler routes to /ipa/xml the Kerberos credentials will
|
||||
be extracted from the KRB5CCNAME environment variable as provided by
|
||||
-mod_auth_kerb. Everything else remains the same.
|
||||
+mod_auth_gssapi. Everything else remains the same.
|
||||
|
||||
'''
|
||||
|
||||
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
||||
index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644
|
||||
--- a/ipaserver/rpcserver.py
|
||||
+++ b/ipaserver/rpcserver.py
|
||||
@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
|
||||
def __call__(self, environ, start_response):
|
||||
self.debug('WSGI login_kerberos.__call__:')
|
||||
|
||||
- # Get the ccache created by mod_auth_kerb
|
||||
+ # Get the ccache created by mod_auth_gssapi
|
||||
user_ccache_name=environ.get('KRB5CCNAME')
|
||||
if user_ccache_name is None:
|
||||
return self.internal_error(environ, start_response,
|
||||
--
|
||||
2.3.4
|
||||
|
@ -1,23 +0,0 @@
|
||||
From 12f1eaf7feeb2ee3f50c2e90cffd0849a42a2c81 Mon Sep 17 00:00:00 2001
|
||||
From: David Kupka <dkupka@redhat.com>
|
||||
Date: Mon, 30 Mar 2015 04:18:11 -0400
|
||||
Subject: [PATCH 3/3] Bump ipa.conf version to 17.
|
||||
|
||||
---
|
||||
install/conf/ipa.conf | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
|
||||
index 871fab8248fcc1c3793ce71bdcb86720a7e31c61..92637c04d4f961a0b7f016fe125341c63f400285 100644
|
||||
--- a/install/conf/ipa.conf
|
||||
+++ b/install/conf/ipa.conf
|
||||
@@ -1,5 +1,5 @@
|
||||
#
|
||||
-# VERSION 16 - DO NOT REMOVE THIS LINE
|
||||
+# VERSION 17 - DO NOT REMOVE THIS LINE
|
||||
#
|
||||
# This file may be overwritten on upgrades.
|
||||
#
|
||||
--
|
||||
2.3.4
|
||||
|
@ -1,88 +0,0 @@
|
||||
From 28fccac07760764acc86f9c91850481ef2c1e1ae Mon Sep 17 00:00:00 2001
|
||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Date: Fri, 8 May 2015 12:09:13 +0000
|
||||
Subject: [PATCH 2/3] ipaserver/dcerpc: Ensure LSA pipe has session key before
|
||||
using it
|
||||
|
||||
With Samba 4.2 there is a bug that prevents Samba to consider Kerberos
|
||||
credentials used by IPA httpd process when talking to smbd. As result,
|
||||
LSA RPC connection is seen as anonymous by Samba client code and we cannot
|
||||
derive session key to use for encrypting trust secrets before transmitting
|
||||
them.
|
||||
|
||||
Additionally, rewrite of the SMB protocol support in Samba caused previously
|
||||
working logic of choosing DCE RPC binding string to fail. We need to try
|
||||
a different set of priorities until they fail or succeed.
|
||||
|
||||
Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832
|
||||
|
||||
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
|
||||
|
||||
---
|
||||
ipaserver/dcerpc.py | 19 ++++++++++++++-----
|
||||
1 file changed, 14 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
||||
index e342c49..44689cc 100644
|
||||
--- a/ipaserver/dcerpc.py
|
||||
+++ b/ipaserver/dcerpc.py
|
||||
@@ -89,6 +89,10 @@ dcerpc_error_codes = {
|
||||
-1073741811: # NT_STATUS_INVALID_PARAMETER
|
||||
errors.RemoteRetrieveError(
|
||||
reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')),
|
||||
+ -1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, we simply will skip the binding
|
||||
+ access_denied_error,
|
||||
+ -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND
|
||||
+ errors.RemoteRetrieveError(reason=_('CIFS server configuration does not allow access to \\\\pipe\\lsarpc')),
|
||||
}
|
||||
|
||||
dcerpc_error_messages = {
|
||||
@@ -728,16 +732,20 @@ class TrustDomainInstance(object):
|
||||
return
|
||||
|
||||
attempts = 0
|
||||
+ session_attempts = 0
|
||||
bindings = self.__gen_lsa_bindings(remote_host)
|
||||
for binding in bindings:
|
||||
try:
|
||||
self._pipe = self.__gen_lsa_connection(binding)
|
||||
- if self._pipe:
|
||||
+ if self._pipe and self._pipe.session_key:
|
||||
break
|
||||
except errors.ACIError, e:
|
||||
attempts = attempts + 1
|
||||
+ except RuntimeError, e:
|
||||
+ # When session key is not available, we just skip this binding
|
||||
+ session_attempts = session_attempts + 1
|
||||
|
||||
- if self._pipe is None and attempts == len(bindings):
|
||||
+ if self._pipe is None and (attempts + session_attempts) == len(bindings):
|
||||
raise errors.ACIError(
|
||||
info=_('CIFS server %(host)s denied your credentials') % dict(host=remote_host))
|
||||
|
||||
@@ -745,6 +753,7 @@ class TrustDomainInstance(object):
|
||||
raise errors.RemoteRetrieveError(
|
||||
reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host))
|
||||
self.binding = binding
|
||||
+ self.session_key = self._pipe.session_key
|
||||
|
||||
def __gen_lsa_bindings(self, remote_host):
|
||||
"""
|
||||
@@ -753,11 +762,11 @@ class TrustDomainInstance(object):
|
||||
Generate all we can use. init_lsa_pipe() will try them one by one until
|
||||
there is one working.
|
||||
|
||||
- We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned.
|
||||
+ We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1 or defaults.
|
||||
"""
|
||||
transports = (u'ncacn_np', u'ncacn_ip_tcp')
|
||||
- options = ( u',', u'')
|
||||
- binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
|
||||
+ options = ( u'smb2', u'smb1', u'')
|
||||
+ binding_template=lambda x,y,z: u'%s:%s[%s,print]' % (x, y, z)
|
||||
return [binding_template(t, remote_host, o) for t in transports for o in options]
|
||||
|
||||
def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False):
|
||||
--
|
||||
2.4.0
|
||||
|
227
freeipa.spec
227
freeipa.spec
@ -10,10 +10,13 @@
|
||||
%else
|
||||
%global samba_version 2:4.2.1-8
|
||||
%global samba_build_version 2:4.2.1
|
||||
%global selinux_policy_version 3.12.1-179
|
||||
%global selinux_policy_version 3.13.1-128.6
|
||||
%endif
|
||||
|
||||
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
|
||||
|
||||
%global plugin_dir %{_libdir}/dirsrv/plugins
|
||||
%global etc_systemd_dir %{_sysconfdir}/systemd/system
|
||||
%global gettext_domain ipa
|
||||
%if 0%{?rhel}
|
||||
%global platform_module rhel
|
||||
@ -21,13 +24,17 @@
|
||||
%global platform_module fedora
|
||||
%endif
|
||||
|
||||
%global VERSION 4.1.4
|
||||
%global VERSION 4.2.1
|
||||
|
||||
%define _hardened_build 1
|
||||
|
||||
%define kdcproxy_user kdcproxy
|
||||
%define kdcproxy_group kdcproxy
|
||||
%define kdcproxy_home %{_sharedstatedir}/kdcproxy
|
||||
|
||||
Name: freeipa
|
||||
Version: %{VERSION}
|
||||
Release: 5%{?dist}
|
||||
Release: 1%{?dist}
|
||||
Summary: The Identity, Policy and Audit system
|
||||
|
||||
Group: System Environment/Base
|
||||
@ -36,15 +43,8 @@ URL: http://www.freeipa.org/
|
||||
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
|
||||
Patch0001: 0001-Skip-time-sync-during-client-install-when-using-no-n.patch
|
||||
Patch0002: 0002-Make-lint-work-on-Fedora-22.patch
|
||||
Patch0003: 0003-Remove-unused-part-of-ipa.conf.patch
|
||||
Patch0004: 0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch
|
||||
Patch0005: 0005-Bump-ipa.conf-version-to-17.patch
|
||||
Patch0006: 0006-ipaserver-dcerpc-Ensure-LSA-pipe-has-session-key-bef.patch
|
||||
|
||||
%if ! %{ONLY_CLIENT}
|
||||
BuildRequires: 389-ds-base-devel >= 1.3.3.8
|
||||
BuildRequires: 389-ds-base-devel >= 1.3.4.0
|
||||
BuildRequires: svrcore-devel
|
||||
BuildRequires: policycoreutils >= 2.1.12-5
|
||||
BuildRequires: systemd-units
|
||||
@ -58,7 +58,7 @@ BuildRequires: nspr-devel
|
||||
BuildRequires: nss-devel
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: openldap-devel
|
||||
BuildRequires: krb5-devel >= 1.11
|
||||
BuildRequires: krb5-devel >= 1.13
|
||||
BuildRequires: krb5-workstation
|
||||
BuildRequires: libuuid-devel
|
||||
BuildRequires: libcurl-devel >= 7.21.7-2
|
||||
@ -74,15 +74,16 @@ BuildRequires: python-ldap
|
||||
BuildRequires: python-setuptools
|
||||
BuildRequires: python-krbV
|
||||
BuildRequires: python-nss
|
||||
BuildRequires: python-cryptography
|
||||
BuildRequires: python-netaddr
|
||||
BuildRequires: python-kerberos >= 1.1-14
|
||||
BuildRequires: python-rhsm
|
||||
BuildRequires: pyOpenSSL
|
||||
BuildRequires: pylint
|
||||
BuildRequires: pylint >= 1.0
|
||||
BuildRequires: python-polib
|
||||
BuildRequires: libipa_hbac-python
|
||||
BuildRequires: python-libipa_hbac
|
||||
BuildRequires: python-memcached
|
||||
BuildRequires: sssd >= 1.9.2
|
||||
BuildRequires: sssd >= 1.13
|
||||
BuildRequires: python-lxml
|
||||
BuildRequires: python-pyasn1 >= 0.0.9a
|
||||
BuildRequires: python-qrcode-core >= 5.0.0
|
||||
@ -98,11 +99,14 @@ BuildRequires: systemd
|
||||
BuildRequires: libunistring-devel
|
||||
BuildRequires: rhino
|
||||
BuildRequires: python-lesscpy
|
||||
BuildRequires: python-yubico
|
||||
BuildRequires: python-backports-ssl_match_hostname
|
||||
BuildRequires: softhsm-devel >= 2.0.0b1-3
|
||||
BuildRequires: python-yubico >= 1.2.3
|
||||
BuildRequires: softhsm-devel >= 2.0.0rc1-1
|
||||
BuildRequires: openssl-devel
|
||||
BuildRequires: p11-kit-devel
|
||||
BuildRequires: pki-base >= 10.2.6
|
||||
BuildRequires: python-pytest-multihost >= 0.5
|
||||
BuildRequires: python-pytest-sourceorder
|
||||
BuildRequires: python-kdcproxy >= 0.3
|
||||
|
||||
%description
|
||||
IPA is an integrated solution to provide centrally managed Identity (machine,
|
||||
@ -117,11 +121,11 @@ Group: System Environment/Base
|
||||
Requires: %{name}-python = %{version}-%{release}
|
||||
Requires: %{name}-client = %{version}-%{release}
|
||||
Requires: %{name}-admintools = %{version}-%{release}
|
||||
Requires: 389-ds-base >= 1.3.3.8
|
||||
Requires: 389-ds-base >= 1.3.4.0
|
||||
Requires: openldap-clients > 2.4.35-4
|
||||
Requires: nss >= 3.14.3-12.0
|
||||
Requires: nss-tools >= 3.14.3-12.0
|
||||
Requires: krb5-server >= 1.11.5-5
|
||||
Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
|
||||
Requires: krb5-pkinit-openssl
|
||||
Requires: cyrus-sasl-gssapi%{?_isa}
|
||||
Requires: ntp
|
||||
@ -138,33 +142,30 @@ Requires: memcached
|
||||
Requires: python-memcached
|
||||
Requires: dbus-python
|
||||
Requires: systemd-units >= 38
|
||||
Requires(pre): shadow-utils
|
||||
Requires(pre): systemd-units
|
||||
Requires(post): systemd-units
|
||||
Requires: selinux-policy >= %{selinux_policy_version}
|
||||
Requires(post): selinux-policy-base
|
||||
Requires(post): selinux-policy-base >= %{selinux_policy_version}
|
||||
Requires: slapi-nis >= 0.54.2-1
|
||||
%if (0%{?fedora} <= 20 || 0%{?rhel})
|
||||
# pki-ca 10.1.2-4 contains patches required by FreeIPA 4.1
|
||||
# The goal is to lower the requirement of pki-ca in Fedora 20
|
||||
# and CentOS until packaging of it's requirements is finished.
|
||||
Requires: pki-ca >= 10.1.2-5
|
||||
%else
|
||||
Requires: pki-ca >= 10.2.1-0.2
|
||||
%endif
|
||||
Requires: pki-ca >= 10.2.6
|
||||
Requires: pki-kra >= 10.2.6
|
||||
Requires(preun): python systemd-units
|
||||
Requires(postun): python systemd-units
|
||||
Requires: python-dns >= 1.11.1
|
||||
Requires: python-kdcproxy >= 0.3
|
||||
Requires: zip
|
||||
Requires: policycoreutils >= 2.1.12-5
|
||||
Requires: tar
|
||||
Requires(pre): certmonger >= 0.76.8
|
||||
Requires(pre): 389-ds-base >= 1.3.3.8
|
||||
Requires(pre): certmonger >= 0.78
|
||||
Requires(pre): 389-ds-base >= 1.3.4.0
|
||||
Requires: fontawesome-fonts
|
||||
Requires: open-sans-fonts
|
||||
Requires: openssl
|
||||
Requires: softhsm >= 2.0.0b1-3
|
||||
Requires: softhsm >= 2.0.0rc1-1
|
||||
Requires: p11-kit
|
||||
Requires: systemd-python
|
||||
Requires: %{etc_systemd_dir}
|
||||
|
||||
Conflicts: %{alt_name}-server
|
||||
Obsoletes: %{alt_name}-server < %{version}
|
||||
@ -173,19 +174,8 @@ Obsoletes: %{alt_name}-server < %{version}
|
||||
# entire SELinux policy is stored in the system policy
|
||||
Obsoletes: freeipa-server-selinux < 3.3.0
|
||||
|
||||
# We have a soft-requires on bind. It is an optional part of
|
||||
# IPA but if it is configured we need a way to require versions
|
||||
# that work for us.
|
||||
Conflicts: bind-dyndb-ldap < 6.0-4
|
||||
%if 0%{?fedora} >= 21
|
||||
Conflicts: bind < 9.9.6-3
|
||||
Conflicts: bind-utils < 9.9.6-3
|
||||
%else
|
||||
Conflicts: bind < 9.9.4-19
|
||||
Conflicts: bind-utils < 9.9.4-19
|
||||
%endif
|
||||
# DNSSEC
|
||||
Conflicts: opendnssec < 1.4.6-4
|
||||
# upgrade path from monolithic -server to -server + -server-dns
|
||||
Obsoletes: %{name}-server <= 4.2.0.0
|
||||
|
||||
# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
|
||||
# member.
|
||||
@ -200,6 +190,35 @@ to install this package (in other words, most people should NOT install
|
||||
this package).
|
||||
|
||||
|
||||
%package server-dns
|
||||
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
|
||||
Group: System Environment/Base
|
||||
Requires: %{name}-server = %{version}-%{release}
|
||||
Requires: bind-dyndb-ldap >= 6.0-4
|
||||
%if 0%{?fedora} >= 21
|
||||
Requires: bind >= 9.9.6-3
|
||||
Requires: bind-utils >= 9.9.6-3
|
||||
Requires: bind-pkcs11 >= 9.9.6-3
|
||||
Requires: bind-pkcs11-utils >= 9.9.6-3
|
||||
%else
|
||||
Requires: bind >= 9.9.4-21
|
||||
Requires: bind-utils >= 9.9.4-21
|
||||
Requires: bind-pkcs11 >= 9.9.4-21
|
||||
Requires: bind-pkcs11-utils >= 9.9.4-21
|
||||
%endif
|
||||
Requires: opendnssec >= 1.4.6-4
|
||||
|
||||
Conflicts: %{alt_name}-server-dns
|
||||
Obsoletes: %{alt_name}-server-dns < %{version}
|
||||
|
||||
# upgrade path from monolithic -server to -server + -server-dns
|
||||
Obsoletes: %{name}-server <= 4.2.0.0
|
||||
|
||||
%description server-dns
|
||||
IPA integrated DNS server with support for automatic DNSSEC signing.
|
||||
Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
|
||||
|
||||
|
||||
%package server-trust-ad
|
||||
Summary: Virtual package to install packages required for Active Directory trusts
|
||||
Group: System Environment/Base
|
||||
@ -209,10 +228,9 @@ Requires: samba-python
|
||||
Requires: samba >= %{samba_version}
|
||||
Requires: samba-winbind
|
||||
Requires: libsss_idmap
|
||||
Requires: libsss_nss_idmap-python
|
||||
%if (0%{?fedora} >= 22)
|
||||
Requires: python-libsss_nss_idmap
|
||||
Requires: oddjob
|
||||
Requires: python-sss
|
||||
%endif
|
||||
# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
|
||||
# on the installes where server-trust-ad subpackage is installed because
|
||||
# IPA AD trusts cannot be used at the same time with the locator plugin
|
||||
@ -246,9 +264,9 @@ Requires: pam_krb5
|
||||
Requires: wget
|
||||
Requires: libcurl >= 7.21.7-2
|
||||
Requires: xmlrpc-c >= 1.27.4
|
||||
Requires: sssd >= 1.12.3
|
||||
Requires: sssd >= 1.13.0-5
|
||||
Requires: python-sssdconfig
|
||||
Requires: certmonger >= 0.76.8
|
||||
Requires: certmonger >= 0.78
|
||||
Requires: nss-tools
|
||||
Requires: bind-utils
|
||||
Requires: oddjob-mkhomedir
|
||||
@ -258,7 +276,6 @@ Requires: libsss_autofs
|
||||
Requires: autofs
|
||||
Requires: libnfsidmap
|
||||
Requires: nfs-utils
|
||||
Requires: python-backports-ssl_match_hostname
|
||||
Requires(post): policycoreutils
|
||||
|
||||
Conflicts: %{alt_name}-client
|
||||
@ -299,19 +316,19 @@ Requires: iproute
|
||||
Requires: keyutils
|
||||
Requires: pyOpenSSL
|
||||
Requires: python-nss >= 0.16
|
||||
Requires: python-cryptography
|
||||
Requires: python-lxml
|
||||
Requires: python-netaddr
|
||||
Requires: libipa_hbac-python
|
||||
Requires: python-libipa_hbac
|
||||
Requires: python-qrcode-core >= 5.0.0
|
||||
Requires: python-pyasn1
|
||||
Requires: python-dateutil
|
||||
Requires: python-yubico
|
||||
%if (0%{?fedora} >= 22)
|
||||
Requires: python-yubico >= 1.2.3
|
||||
Requires: python-sss-murmur
|
||||
%endif
|
||||
Requires: libsss_nss_idmap-python
|
||||
Requires: wget
|
||||
Requires: dbus-python
|
||||
Requires: python-setuptools
|
||||
|
||||
Conflicts: %{alt_name}-python
|
||||
Obsoletes: %{alt_name}-python < %{version}
|
||||
@ -331,10 +348,12 @@ Requires: %{name}-python = %{version}-%{release}
|
||||
Requires: tar
|
||||
Requires: xz
|
||||
Requires: python-nose
|
||||
Requires: pytest >= 2.6
|
||||
Requires: python-paste
|
||||
Requires: python-coverage
|
||||
Requires: python-polib
|
||||
Requires: python-paramiko >= 1.7.7
|
||||
Requires: python-pytest-multihost >= 0.5
|
||||
Requires: python-pytest-sourceorder
|
||||
|
||||
Conflicts: %{alt_name}-tests
|
||||
Obsoletes: %{alt_name}-tests < %{version}
|
||||
@ -388,6 +407,7 @@ rm -f ipapython/version.py
|
||||
rm -f ipaplatform/services.py
|
||||
rm -f ipaplatform/tasks.py
|
||||
rm -f ipaplatform/paths.py
|
||||
rm -f ipaplatform/constants.py
|
||||
make version-update
|
||||
cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
|
||||
%if ! %{ONLY_CLIENT}
|
||||
@ -410,6 +430,7 @@ rm -f ipapython/version.py
|
||||
rm -f ipaplatform/services.py
|
||||
rm -f ipaplatform/tasks.py
|
||||
rm -f ipaplatform/paths.py
|
||||
rm -f ipaplatform/constants.py
|
||||
make version-update
|
||||
%if ! %{ONLY_CLIENT}
|
||||
make install DESTDIR=%{buildroot}
|
||||
@ -439,6 +460,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
|
||||
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
|
||||
rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
|
||||
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
|
||||
rm %{buildroot}/%{plugin_dir}/libtopology.la
|
||||
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
|
||||
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
|
||||
|
||||
@ -462,6 +484,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
|
||||
# So we can own our Apache configuration
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
|
||||
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
|
||||
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
|
||||
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
|
||||
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
|
||||
mkdir -p %{buildroot}%{_usr}/share/ipa/html/
|
||||
@ -491,6 +514,11 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
|
||||
# Web UI plugin dir
|
||||
mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
|
||||
|
||||
# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
|
||||
mkdir -p %{buildroot}%{kdcproxy_home}
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
|
||||
install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
|
||||
|
||||
# NOTE: systemd specific section
|
||||
mkdir -p %{buildroot}%{_tmpfilesdir}
|
||||
install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf
|
||||
@ -499,15 +527,19 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
|
||||
mkdir -p %{buildroot}%{_localstatedir}/run/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
|
||||
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
|
||||
|
||||
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
|
||||
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
||||
|
||||
# NOTE: systemd specific section
|
||||
mkdir -p %{buildroot}%{_unitdir}
|
||||
mkdir -p %{buildroot}%{etc_systemd_dir}
|
||||
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
|
||||
install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
|
||||
install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
|
||||
# END
|
||||
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
|
||||
%endif # ONLY_CLIENT
|
||||
@ -549,8 +581,7 @@ fi
|
||||
%posttrans server
|
||||
# This must be run in posttrans so that updates from previous
|
||||
# execution that may no longer be shipped are not applied.
|
||||
/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || :
|
||||
/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
|
||||
/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
|
||||
|
||||
# Restart IPA processes. This must be also run in postrans so that plugins
|
||||
# and software is in consistent state
|
||||
@ -581,6 +612,13 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
|
||||
# END
|
||||
fi
|
||||
|
||||
# create kdcproxy user
|
||||
getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
|
||||
getent passwd %{kdcproxy_user} >/dev/null || \
|
||||
/usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \
|
||||
-g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
|
||||
exit 0
|
||||
|
||||
%postun server-trust-ad
|
||||
if [ "$1" -ge "1" ]; then
|
||||
if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
|
||||
@ -591,6 +629,8 @@ fi
|
||||
%post server-trust-ad
|
||||
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
|
||||
winbind_krb5_locator.so /dev/null 90
|
||||
/bin/systemctl reload-or-try-restart dbus
|
||||
/bin/systemctl reload-or-try-restart oddjobd
|
||||
|
||||
%posttrans server-trust-ad
|
||||
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
|
||||
@ -603,6 +643,8 @@ fi
|
||||
%preun server-trust-ad
|
||||
if [ $1 -eq 0 ]; then
|
||||
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
|
||||
/bin/systemctl reload-or-try-restart dbus
|
||||
/bin/systemctl reload-or-try-restart oddjobd
|
||||
fi
|
||||
|
||||
%endif # ONLY_CLIENT
|
||||
@ -617,16 +659,14 @@ if [ $1 -gt 1 ] ; then
|
||||
if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
|
||||
echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
|
||||
cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
|
||||
mv /etc/krb5.conf.ipanew /etc/krb5.conf
|
||||
/sbin/restorecon /etc/krb5.conf
|
||||
mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
|
||||
if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
|
||||
sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
|
||||
mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
|
||||
/sbin/restorecon /etc/sysconfig/ntpd
|
||||
mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
|
||||
|
||||
/bin/systemctl condrestart ntpd.service 2>&1 || :
|
||||
fi
|
||||
@ -672,8 +712,7 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
|
||||
' /etc/ssh/sshd_config.ipanew
|
||||
fi
|
||||
|
||||
mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
|
||||
/sbin/restorecon /etc/ssh/sshd_config
|
||||
mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
|
||||
chmod 600 /etc/ssh/sshd_config
|
||||
|
||||
/bin/systemctl condrestart sshd.service 2>&1 || :
|
||||
@ -683,11 +722,12 @@ fi
|
||||
%if ! %{ONLY_CLIENT}
|
||||
%files server -f server-python.list
|
||||
%defattr(-,root,root,-)
|
||||
%doc COPYING README Contributors.txt
|
||||
%doc README Contributors.txt
|
||||
%license COPYING
|
||||
%{_sbindir}/ipa-backup
|
||||
%{_sbindir}/ipa-restore
|
||||
%{_sbindir}/ipa-ca-install
|
||||
%{_sbindir}/ipa-dns-install
|
||||
%{_sbindir}/ipa-kra-install
|
||||
%{_sbindir}/ipa-server-install
|
||||
%{_sbindir}/ipa-replica-conncheck
|
||||
%{_sbindir}/ipa-replica-install
|
||||
@ -695,6 +735,7 @@ fi
|
||||
%{_sbindir}/ipa-replica-manage
|
||||
%{_sbindir}/ipa-csreplica-manage
|
||||
%{_sbindir}/ipa-server-certinstall
|
||||
%{_sbindir}/ipa-server-upgrade
|
||||
%{_sbindir}/ipa-ldap-updater
|
||||
%{_sbindir}/ipa-otptoken-import
|
||||
%{_sbindir}/ipa-compat-manage
|
||||
@ -704,6 +745,7 @@ fi
|
||||
%{_sbindir}/ipa-upgradeconfig
|
||||
%{_sbindir}/ipa-advise
|
||||
%{_sbindir}/ipa-cacert-manage
|
||||
%{_sbindir}/ipa-winsync-migrate
|
||||
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
|
||||
%{_libexecdir}/certmonger/ipa-server-guard
|
||||
%{_libexecdir}/ipa-otpd
|
||||
@ -711,12 +753,18 @@ fi
|
||||
%{_libexecdir}/ipa/ipa-dnskeysyncd
|
||||
%{_libexecdir}/ipa/ipa-dnskeysync-replica
|
||||
%{_libexecdir}/ipa/ipa-ods-exporter
|
||||
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
|
||||
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
|
||||
%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
|
||||
%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
|
||||
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
|
||||
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
|
||||
# NOTE: systemd specific section
|
||||
%{_tmpfilesdir}/%{name}.conf
|
||||
%attr(644,root,root) %{_unitdir}/ipa.service
|
||||
@ -726,10 +774,12 @@ fi
|
||||
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
|
||||
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
|
||||
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
|
||||
%attr(644,root,root) %{etc_systemd_dir}/httpd.service
|
||||
# END
|
||||
%dir %{python_sitelib}/ipaserver
|
||||
%dir %{python_sitelib}/ipaserver/install
|
||||
%dir %{python_sitelib}/ipaserver/install/plugins
|
||||
%dir %{python_sitelib}/ipaserver/install/server
|
||||
%dir %{python_sitelib}/ipaserver/advise
|
||||
%dir %{python_sitelib}/ipaserver/advise/plugins
|
||||
%dir %{python_sitelib}/ipaserver/plugins
|
||||
@ -740,10 +790,13 @@ fi
|
||||
%{_usr}/share/ipa/copy-schema-to-ca.py*
|
||||
%{_usr}/share/ipa/*.ldif
|
||||
%{_usr}/share/ipa/*.uldif
|
||||
%{_usr}/share/ipa/*.update
|
||||
%{_usr}/share/ipa/*.template
|
||||
%dir %{_usr}/share/ipa/advise
|
||||
%dir %{_usr}/share/ipa/advise/legacy
|
||||
%{_usr}/share/ipa/advise/legacy/*.template
|
||||
%dir %{_usr}/share/ipa/profiles
|
||||
%{_usr}/share/ipa/profiles/*.cfg
|
||||
%dir %{_usr}/share/ipa/ffextension
|
||||
%{_usr}/share/ipa/ffextension/bootstrap.js
|
||||
%{_usr}/share/ipa/ffextension/install.rdf
|
||||
@ -798,10 +851,13 @@ fi
|
||||
%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
|
||||
%{_usr}/share/ipa/ipa.conf
|
||||
%{_usr}/share/ipa/ipa-rewrite.conf
|
||||
%{_usr}/share/ipa/ipa-pki-proxy.conf
|
||||
%{_usr}/share/ipa/kdcproxy.conf
|
||||
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
|
||||
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
|
||||
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
|
||||
@ -824,6 +880,10 @@ fi
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
|
||||
%attr(755,root,root) %{plugin_dir}/libtopology.so
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
|
||||
%dir %{_localstatedir}/lib/ipa
|
||||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
|
||||
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
|
||||
@ -839,8 +899,9 @@ fi
|
||||
%{_mandir}/man1/ipa-replica-prepare.1.gz
|
||||
%{_mandir}/man1/ipa-server-certinstall.1.gz
|
||||
%{_mandir}/man1/ipa-server-install.1.gz
|
||||
%{_mandir}/man1/ipa-dns-install.1.gz
|
||||
%{_mandir}/man1/ipa-server-upgrade.1.gz
|
||||
%{_mandir}/man1/ipa-ca-install.1.gz
|
||||
%{_mandir}/man1/ipa-kra-install.1.gz
|
||||
%{_mandir}/man1/ipa-compat-manage.1.gz
|
||||
%{_mandir}/man1/ipa-nis-manage.1.gz
|
||||
%{_mandir}/man1/ipa-managed-entries.1.gz
|
||||
@ -852,24 +913,30 @@ fi
|
||||
%{_mandir}/man1/ipa-advise.1.gz
|
||||
%{_mandir}/man1/ipa-otptoken-import.1.gz
|
||||
%{_mandir}/man1/ipa-cacert-manage.1.gz
|
||||
%{_mandir}/man1/ipa-winsync-migrate.1.gz
|
||||
|
||||
%files server-dns
|
||||
%{_sbindir}/ipa-dns-install
|
||||
%{_mandir}/man1/ipa-dns-install.1.gz
|
||||
|
||||
%files server-trust-ad
|
||||
%{_sbindir}/ipa-adtrust-install
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
|
||||
%{_usr}/share/ipa/smb.conf.empty
|
||||
%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
|
||||
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
|
||||
%{_mandir}/man1/ipa-adtrust-install.1.gz
|
||||
%{python_sitelib}/ipaserver/dcerpc*
|
||||
%{python_sitelib}/ipaserver/install/adtrustinstance*
|
||||
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
|
||||
%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
|
||||
%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
|
||||
%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
|
||||
|
||||
%endif # ONLY_CLIENT
|
||||
|
||||
%files client
|
||||
%defattr(-,root,root,-)
|
||||
%doc COPYING README Contributors.txt
|
||||
%doc README Contributors.txt
|
||||
%license COPYING
|
||||
%{_sbindir}/ipa-client-install
|
||||
%{_sbindir}/ipa-client-automount
|
||||
%{_sbindir}/ipa-certupdate
|
||||
@ -891,18 +958,22 @@ fi
|
||||
|
||||
%files admintools
|
||||
%defattr(-,root,root,-)
|
||||
%doc COPYING README Contributors.txt
|
||||
%doc README Contributors.txt
|
||||
%license COPYING
|
||||
%{_bindir}/ipa
|
||||
%config %{_sysconfdir}/bash_completion.d
|
||||
%{_mandir}/man1/ipa.1.gz
|
||||
|
||||
%files python -f %{gettext_domain}.lang
|
||||
%defattr(-,root,root,-)
|
||||
%doc COPYING README Contributors.txt
|
||||
%doc README Contributors.txt
|
||||
%license COPYING
|
||||
%dir %{python_sitelib}/ipapython
|
||||
%{python_sitelib}/ipapython/*.py*
|
||||
%dir %{python_sitelib}/ipapython/dnssec
|
||||
%{python_sitelib}/ipapython/dnssec/*.py*
|
||||
%dir %{python_sitelib}/ipapython/install
|
||||
%{python_sitelib}/ipapython/install/*.py*
|
||||
%dir %{python_sitelib}/ipalib
|
||||
%{python_sitelib}/ipalib/*
|
||||
%dir %{python_sitelib}/ipaplatform
|
||||
@ -928,7 +999,8 @@ fi
|
||||
%if ! %{ONLY_CLIENT}
|
||||
%files tests -f tests-python.list
|
||||
%defattr(-,root,root,-)
|
||||
%doc COPYING README Contributors.txt
|
||||
%doc README Contributors.txt
|
||||
%license COPYING
|
||||
%dir %{python_sitelib}/ipatests
|
||||
%dir %{python_sitelib}/ipatests/test_cmdline
|
||||
%dir %{python_sitelib}/ipatests/test_install
|
||||
@ -950,6 +1022,9 @@ fi
|
||||
%endif # ONLY_CLIENT
|
||||
|
||||
%changelog
|
||||
* Mon Sep 7 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.1-1
|
||||
- Update to upstream 4.2.1 - see http://www.freeipa.org/page/Releases/4.2.1
|
||||
|
||||
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.1.4-5
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild
|
||||
|
||||
|