From ece84f751e168ba05597b3f15ba3fd13d2d66898 Mon Sep 17 00:00:00 2001 From: Petr Vobornik Date: Mon, 7 Sep 2015 18:41:00 +0200 Subject: [PATCH] Update to upstream 4.2.1 --- .gitignore | 1 + ...uring-client-install-when-using-no-n.patch | 33 --- 0002-Make-lint-work-on-Fedora-22.patch | 78 ------ 0003-Remove-unused-part-of-ipa.conf.patch | 40 --- ...auth_gssapi-instead-of-mod_auth_kerb.patch | 184 -------------- 0005-Bump-ipa.conf-version-to-17.patch | 23 -- ...-Ensure-LSA-pipe-has-session-key-bef.patch | 88 ------- freeipa.spec | 227 ++++++++++++------ sources | 2 +- 9 files changed, 153 insertions(+), 523 deletions(-) delete mode 100644 0001-Skip-time-sync-during-client-install-when-using-no-n.patch delete mode 100644 0002-Make-lint-work-on-Fedora-22.patch delete mode 100644 0003-Remove-unused-part-of-ipa.conf.patch delete mode 100644 0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch delete mode 100644 0005-Bump-ipa.conf-version-to-17.patch delete mode 100644 0006-ipaserver-dcerpc-Ensure-LSA-pipe-has-session-key-bef.patch diff --git a/.gitignore b/.gitignore index 689bd1a..5116b4d 100644 --- a/.gitignore +++ b/.gitignore @@ -38,3 +38,4 @@ /freeipa-4.1.2.tar.gz /freeipa-4.1.3.tar.gz /freeipa-4.1.4.tar.gz +/freeipa-4.2.1.tar.gz diff --git a/0001-Skip-time-sync-during-client-install-when-using-no-n.patch b/0001-Skip-time-sync-during-client-install-when-using-no-n.patch deleted file mode 100644 index 9004be8..0000000 --- a/0001-Skip-time-sync-during-client-install-when-using-no-n.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From 80514f225f628f7c7993b85e562a851e7ee40644 Mon Sep 17 00:00:00 2001 -From: Nathan Kinder -Date: Wed, 25 Feb 2015 14:22:02 -0800 -Subject: [PATCH 1/2] Skip time sync during client install when using --no-ntp - -When --no-ntp is specified during ipa-client-install, we still -attempt to perform a time sync before obtaining a TGT from the -KDC. We should not be attempting to sync time with the KDC if -we are explicitly told to not configure ntp. - -Ticket: https://fedorahosted.org/freeipa/ticket/4842 ---- - ipa-client/ipa-install/ipa-client-install | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install -index ccaab55..a625fbd 100755 ---- a/ipa-client/ipa-install/ipa-client-install -+++ b/ipa-client/ipa-install/ipa-client-install -@@ -2324,8 +2324,9 @@ def install(options, env, fstore, statestore): - # hostname if different from system hostname - tasks.backup_and_replace_hostname(fstore, statestore, options.hostname) - -- if not options.on_master: -+ if not options.on_master and options.conf_ntp: - # Attempt to sync time with IPA server. -+ # If we're skipping NTP configuration, we also skip the time sync here. - # We assume that NTP servers are discoverable through SRV records in the DNS - # If that fails, we try to sync directly with IPA server, assuming it runs NTP - root_logger.info('Synchronizing time with KDC...') --- -1.9.3 - diff --git a/0002-Make-lint-work-on-Fedora-22.patch b/0002-Make-lint-work-on-Fedora-22.patch deleted file mode 100644 index c91ddbc..0000000 --- a/0002-Make-lint-work-on-Fedora-22.patch +++ /dev/null 
@@ -1,78 +0,0 @@ -From a0ffcd6f8ba610c20808a2f863d384b7631c64ac Mon Sep 17 00:00:00 2001 -From: David Kupka -Date: Fri, 27 Mar 2015 07:14:27 -0400 -Subject: [PATCH] Make lint work on Fedora 22. - -pylint added 'confidence' parameter to 'add_message' method of PyLinter. -To be compatible with both, pre- and post- 1.4 IPALinter must accept -the parameter but not pass it over. -Also python3 checker was added and enabled by default. FreeIPA is still -not ready for python3. -Additionally few false-positives was marked. ---- - ipalib/plugins/otptoken.py | 1 + - ipapython/dnssec/ldapkeydb.py | 1 + - ipaserver/install/ipa_otptoken_import.py | 1 + - make-lint | 3 ++- - 4 files changed, 5 insertions(+), 1 deletion(-) - -diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py -index b87145df80a3be9b16d596dd4072129c2290f40a..867659ec2a867b2dba79922a4e98b7b6254e81bf 100644 ---- a/ipalib/plugins/otptoken.py -+++ b/ipalib/plugins/otptoken.py -@@ -547,6 +547,7 @@ class otptoken_sync(Local): - query = urllib.urlencode(query) - - # Sync the token. 
-+ # pylint: disable=E1101 - handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'), - cert_reqs=ssl.CERT_REQUIRED, - ssl_version=ssl.PROTOCOL_TLSv1) -diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py -index 71c0a95a39b1b460178d0b853ed26bf2cfe5bda1..520b510707d432d2e432c55ca25f2a872d832348 100644 ---- a/ipapython/dnssec/ldapkeydb.py -+++ b/ipapython/dnssec/ldapkeydb.py -@@ -23,6 +23,7 @@ def uri_escape(val): - assert len(val) > 0, "zero-length URI component detected" - hexval = hexlify(val) - out = '%' -+ # pylint: disable=E1127 - out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2)) - return out - -diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py -index b78aba93a2edc987450d921c87ea4f61b014b419..c6a69c9975cc113c10d0dee669f9db619422a9d3 100644 ---- a/ipaserver/install/ipa_otptoken_import.py -+++ b/ipaserver/install/ipa_otptoken_import.py -@@ -60,6 +60,7 @@ def convertDate(value): - - dt = dateutil.parser.parse(value) - -+ # pylint: disable=E1101 - if dt.tzinfo is None: - dt = datetime.datetime(*dt.timetuple()[0:6], - tzinfo=dateutil.tz.tzlocal()) -diff --git a/make-lint b/make-lint -index bd0eb4d75c50c794dbd40444ab035df5a5153d6c..8016d1c3554944d7799aefe0242f4f844e76e32c 100755 ---- a/make-lint -+++ b/make-lint -@@ -143,7 +143,7 @@ class IPALinter(PyLinter): - return - super(IPALinter, self).register_checker(checker) - -- def add_message(self, msg_id, line=None, node=None, args=None): -+ def add_message(self, msg_id, line=None, node=None, args=None, confidence=None): - if line is None and node is not None: - line = node.fromlineno - -@@ -235,6 +235,7 @@ def main(): - '{path}:{line}: [{msg_id}({symbol}), {obj}] {msg})') - linter.set_option('reports', False) - linter.set_option('persistent', False) -+ linter.set_option('disable', 'python3') - - linter.check(files) - --- -2.1.0 - 
diff --git a/0003-Remove-unused-part-of-ipa.conf.patch b/0003-Remove-unused-part-of-ipa.conf.patch deleted file mode 100644 index 89d10f2..0000000 --- a/0003-Remove-unused-part-of-ipa.conf.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 206de2b2b8f46f4c41f7df39c952e445329b9170 Mon Sep 17 00:00:00 2001 -From: David Kupka -Date: Mon, 30 Mar 2015 04:11:19 -0400 -Subject: [PATCH 1/3] Remove unused part of ipa.conf. - -Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from -IPA 1.0. ---- - install/conf/ipa.conf | 15 --------------- - 1 file changed, 15 deletions(-) - -diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf -index 7eede73efc559967925d2bbfeee54e1e2efd3e21..62ee955ecfe0be78a3bd377e5aa35a335681621f 100644 ---- a/install/conf/ipa.conf -+++ b/install/conf/ipa.conf -@@ -174,21 +174,6 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi" - AddHandler wsgi-script .py - - --# Protect our CGIs -- -- AuthType Kerberos -- AuthName "Kerberos Login" -- KrbMethodNegotiate on -- KrbMethodK5Passwd off -- KrbServiceName HTTP -- KrbAuthRealms $REALM -- Krb5KeyTab /etc/httpd/conf/ipa.keytab -- KrbSaveCredentials on -- Require valid-user -- ErrorDocument 401 /ipa/errors/unauthorized.html -- -- -- - # migration related pages - Alias /ipa/migration "/usr/share/ipa/migration" - --- -2.3.4 - diff --git a/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch b/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch deleted file mode 100644 index dc9e998..0000000 --- a/0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch +++ /dev/null 
@@ -1,184 +0,0 @@ -From d7a856097039b37e77a59aad66d6cdedc3eb6aee Mon Sep 17 00:00:00 2001 -From: David Kupka -Date: Mon, 30 Mar 2015 04:17:55 -0400 -Subject: [PATCH 2/3] Use mod_auth_gssapi instead of mod_auth_kerb. - -https://fedorahosted.org/freeipa/ticket/4190 ---- - freeipa.spec.in | 4 +++- - init/systemd/ipa.conf.tmpfiles | 1 + - install/conf/ipa.conf | 16 +++++----------- - ipalib/session.py | 20 ++++++++++---------- - ipaserver/rpcserver.py | 2 +- - 5 files changed, 20 insertions(+), 23 deletions(-) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa} - Requires: ntp - Requires: httpd >= 2.4.6-6 - Requires: mod_wsgi --Requires: mod_auth_kerb >= 5.4-16 -+Requires: mod_auth_gssapi >= 1.1.0-2 - Requires: mod_nss >= 1.0.8-26 - Requires: python-ldap >= 2.4.15 - Requires: python-krbV -@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam - mkdir -p %{buildroot}%{_localstatedir}/run/ - install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ - install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ -+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches - - mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 - touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so -@@ -680,6 +681,7 @@ fi - %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter - %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ - %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ -+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/ - # NOTE: systemd specific section - %{_tmpfilesdir}/%{name}.conf - %attr(644,root,root) %{_unitdir}/ipa.service -diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles -index 
1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644 ---- a/init/systemd/ipa.conf.tmpfiles -+++ b/init/systemd/ipa.conf.tmpfiles -@@ -1,2 +1,3 @@ - d /var/run/ipa_memcached 0700 apache apache - d /var/run/ipa 0700 root root -+d /var/run/httpd/clientcaches 0700 apache apache -diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf -index 62ee955ecfe0be78a3bd377e5aa35a335681621f..871fab8248fcc1c3793ce71bdcb86720a7e31c61 100644 ---- a/install/conf/ipa.conf -+++ b/install/conf/ipa.conf -@@ -3,7 +3,6 @@ - # - # This file may be overwritten on upgrades. - # --# LoadModule auth_kerb_module modules/mod_auth_kerb.so - - ProxyRequests Off - -@@ -61,19 +60,14 @@ WSGIScriptReloading Off - SetHandler None - - --KrbConstrainedDelegationLock ipa -- - # Protect /ipa and everything below it in webspace with Apache Kerberos auth - -- AuthType Kerberos -+ AuthType GSSAPI - AuthName "Kerberos Login" -- KrbMethodNegotiate on -- KrbMethodK5Passwd off -- KrbServiceName HTTP -- KrbAuthRealms $REALM -- Krb5KeyTab /etc/httpd/conf/ipa.keytab -- KrbSaveCredentials on -- KrbConstrainedDelegation on -+ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab -+ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab -+ GssapiDelegCcacheDir /var/run/httpd/clientcaches -+ GssapiUseS4U2Proxy on - Require valid-user - ErrorDocument 401 /ipa/errors/unauthorized.html - -diff --git a/ipalib/session.py b/ipalib/session.py -index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644 ---- a/ipalib/session.py -+++ b/ipalib/session.py -@@ -484,7 +484,7 @@ improve authentication performance. First some definitions. - There are 4 major players: - - 1. client -- 2. mod_auth_kerb (in Apache process) -+ 2. mod_auth_gssapi (in Apache process) - 3. wsgi handler (in IPA wsgi python process) - 4. ds (directory server) - -@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI. - - 2. 
Client sends post to /ipa/json. - -- 3. mod_auth_kerb is configured to protect /ipa/json, replies 401 -+ 3. mod_auth_gssapi is configured to protect /ipa/json, replies 401 - authenticate negotiate. - - 4. Client resends with credentials - -- 5. mod_auth_kerb validates credentials -+ 5. mod_auth_gssapi validates credentials - - a. if invalid replies 403 access denied (stops here) - -@@ -550,7 +550,7 @@ A few notes about the session implementation. - Changes to Apache's resource protection - --------------------------------------- - -- * /ipa/json is no longer protected by mod_auth_kerb. This is -+ * /ipa/json is no longer protected by mod_auth_gssapi. This is - necessary to avoid the negotiate expense in steps 3,4,5 - above. Instead the /ipa/json resource will be protected in our wsgi - handler via the session cookie. -@@ -583,15 +583,15 @@ The new sequence is: - - 5. client sends request to /ipa/login to obtain session credentials - -- 6. mod_auth_kerb replies 401 negotiate on /ipa/login -+ 6. mod_auth_gssapi replies 401 negotiate on /ipa/login - - 7. client sends credentials to /ipa/login - -- 8. mod_auth_kerb validates credentials -+ 8. mod_auth_gssapi validates credentials - - a. if valid - -- - mod_auth_kerb permits access to /ipa/login. wsgi handler is -+ - mod_auth_gssapi permits access to /ipa/login. wsgi handler is - invoked and does the following: - - * establishes session for client -@@ -600,7 +600,7 @@ The new sequence is: - - a. if invalid - -- - mod_auth_kerb sends 403 access denied (processing stops) -+ - mod_auth_gssapi sends 403 access denied (processing stops) - - 9. client now posts the same data again to /ipa/json including - session cookie. Processing repeats starting at step 2 and since -@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure - calls are marshalled and unmarshalled. - - Under the new scheme /ipa/xml will continue to be Kerberos protected --at all times. 
Apache's mod_auth_kerb will continue to require the -+at all times. Apache's mod_auth_gssapi will continue to require the - client provides valid Kerberos credentials. - - When the WSGI handler routes to /ipa/xml the Kerberos credentials will - be extracted from the KRB5CCNAME environment variable as provided by --mod_auth_kerb. Everything else remains the same. -+mod_auth_gssapi. Everything else remains the same. - - ''' - -diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py -index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644 ---- a/ipaserver/rpcserver.py -+++ b/ipaserver/rpcserver.py -@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status): - def __call__(self, environ, start_response): - self.debug('WSGI login_kerberos.__call__:') - -- # Get the ccache created by mod_auth_kerb -+ # Get the ccache created by mod_auth_gssapi - user_ccache_name=environ.get('KRB5CCNAME') - if user_ccache_name is None: - return self.internal_error(environ, start_response, --- -2.3.4 - diff --git a/0005-Bump-ipa.conf-version-to-17.patch b/0005-Bump-ipa.conf-version-to-17.patch deleted file mode 100644 index 7329417..0000000 --- a/0005-Bump-ipa.conf-version-to-17.patch +++ /dev/null @@ -1,23 +0,0 @@ -From 12f1eaf7feeb2ee3f50c2e90cffd0849a42a2c81 Mon Sep 17 00:00:00 2001 -From: David Kupka -Date: Mon, 30 Mar 2015 04:18:11 -0400 -Subject: [PATCH 3/3] Bump ipa.conf version to 17. - ---- - install/conf/ipa.conf | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf -index 871fab8248fcc1c3793ce71bdcb86720a7e31c61..92637c04d4f961a0b7f016fe125341c63f400285 100644 ---- a/install/conf/ipa.conf -+++ b/install/conf/ipa.conf -@@ -1,5 +1,5 @@ - # --# VERSION 16 - DO NOT REMOVE THIS LINE -+# VERSION 17 - DO NOT REMOVE THIS LINE - # - # This file may be overwritten on upgrades. - # --- -2.3.4 - 
diff --git a/0006-ipaserver-dcerpc-Ensure-LSA-pipe-has-session-key-bef.patch b/0006-ipaserver-dcerpc-Ensure-LSA-pipe-has-session-key-bef.patch deleted file mode 100644 index f31c6da..0000000 --- a/0006-ipaserver-dcerpc-Ensure-LSA-pipe-has-session-key-bef.patch +++ /dev/null 
@@ -1,88 +0,0 @@ -From 28fccac07760764acc86f9c91850481ef2c1e1ae Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 8 May 2015 12:09:13 +0000 -Subject: [PATCH 2/3] ipaserver/dcerpc: Ensure LSA pipe has session key before - using it - -With Samba 4.2 there is a bug that prevents Samba to consider Kerberos -credentials used by IPA httpd process when talking to smbd. As result, -LSA RPC connection is seen as anonymous by Samba client code and we cannot -derive session key to use for encrypting trust secrets before transmitting -them. - -Additionally, rewrite of the SMB protocol support in Samba caused previously -working logic of choosing DCE RPC binding string to fail. We need to try -a different set of priorities until they fail or succeed. - -Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832 - -Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834 - ---- - ipaserver/dcerpc.py | 19 ++++++++++++++----- - 1 file changed, 14 insertions(+), 5 deletions(-) - -diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py -index e342c49..44689cc 100644 ---- a/ipaserver/dcerpc.py -+++ b/ipaserver/dcerpc.py -@@ -89,6 +89,10 @@ dcerpc_error_codes = { - -1073741811: # NT_STATUS_INVALID_PARAMETER - errors.RemoteRetrieveError( - reason=_('AD domain controller complains about communication sequence. 
It may mean unsynchronized time on both sides, for example')), -+ -1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, we simply will skip the binding -+ access_denied_error, -+ -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND -+ errors.RemoteRetrieveError(reason=_('CIFS server configuration does not allow access to \\\\pipe\\lsarpc')), - } - - dcerpc_error_messages = { -@@ -728,16 +732,20 @@ class TrustDomainInstance(object): - return - - attempts = 0 -+ session_attempts = 0 - bindings = self.__gen_lsa_bindings(remote_host) - for binding in bindings: - try: - self._pipe = self.__gen_lsa_connection(binding) -- if self._pipe: -+ if self._pipe and self._pipe.session_key: - break - except errors.ACIError, e: - attempts = attempts + 1 -+ except RuntimeError, e: -+ # When session key is not available, we just skip this binding -+ session_attempts = session_attempts + 1 - -- if self._pipe is None and attempts == len(bindings): -+ if self._pipe is None and (attempts + session_attempts) == len(bindings): - raise errors.ACIError( - info=_('CIFS server %(host)s denied your credentials') % dict(host=remote_host)) - -@@ -745,6 +753,7 @@ class TrustDomainInstance(object): - raise errors.RemoteRetrieveError( - reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host)) - self.binding = binding -+ self.session_key = self._pipe.session_key - - def __gen_lsa_bindings(self, remote_host): - """ -@@ -753,11 +762,11 @@ class TrustDomainInstance(object): - Generate all we can use. init_lsa_pipe() will try them one by one until - there is one working. - -- We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned. -+ We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1 or defaults. 
- """ - transports = (u'ncacn_np', u'ncacn_ip_tcp') -- options = ( u',', u'') -- binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z) -+ options = ( u'smb2', u'smb1', u'') -+ binding_template=lambda x,y,z: u'%s:%s[%s,print]' % (x, y, z) - return [binding_template(t, remote_host, o) for t in transports for o in options] - - def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False): --- -2.4.0 - diff --git a/freeipa.spec b/freeipa.spec index e88d4cb..4e63044 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -10,10 +10,13 @@ %else %global samba_version 2:4.2.1-8 %global samba_build_version 2:4.2.1 -%global selinux_policy_version 3.12.1-179 +%global selinux_policy_version 3.13.1-128.6 %endif +%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+') + %global plugin_dir %{_libdir}/dirsrv/plugins +%global etc_systemd_dir %{_sysconfdir}/systemd/system %global gettext_domain ipa %if 0%{?rhel} %global platform_module rhel @@ -21,13 +24,17 @@ %global platform_module fedora %endif -%global VERSION 4.1.4 +%global VERSION 4.2.1 %define _hardened_build 1 +%define kdcproxy_user kdcproxy +%define kdcproxy_group kdcproxy +%define kdcproxy_home %{_sharedstatedir}/kdcproxy + Name: freeipa Version: %{VERSION} -Release: 5%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base 
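Review bot: `krb5_base_version` in the `@@ -10,10 +13,13 @@` hunk expands to an empty string whenever `rpm -q krb5-devel` finds no installed package, because the error text gives `grep -Eo '^[^.]+\.[^.]+'` nothing to match. The macro feeds the `krb5-server` version bounds later in the spec, so parsing the spec where krb5-devel is absent (SRPM generation, for example) would presumably produce `krb5-server >= ` and `krb5-server < .100`. A fallback inside the shell expansion keeps the bounds well-formed, e.g. `... | grep -Eo '^[^.]+\.[^.]+' || echo 1.13)`, which matches the `krb5-devel >= 1.13` floor this commit sets. A one-line comment above the `%define` stating what the macro is used for would also help the next packager.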
@@ -36,15 +43,8 @@ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Patch0001: 0001-Skip-time-sync-during-client-install-when-using-no-n.patch -Patch0002: 0002-Make-lint-work-on-Fedora-22.patch -Patch0003: 0003-Remove-unused-part-of-ipa.conf.patch -Patch0004: 0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch -Patch0005: 0005-Bump-ipa.conf-version-to-17.patch -Patch0006: 0006-ipaserver-dcerpc-Ensure-LSA-pipe-has-session-key-bef.patch - %if ! %{ONLY_CLIENT} -BuildRequires: 389-ds-base-devel >= 1.3.3.8 +BuildRequires: 389-ds-base-devel >= 1.3.4.0 BuildRequires: svrcore-devel BuildRequires: policycoreutils >= 2.1.12-5 BuildRequires: systemd-units @@ -58,7 +58,7 @@ BuildRequires: nspr-devel BuildRequires: nss-devel BuildRequires: openssl-devel BuildRequires: openldap-devel -BuildRequires: krb5-devel >= 1.11 +BuildRequires: krb5-devel >= 1.13 BuildRequires: krb5-workstation BuildRequires: libuuid-devel BuildRequires: libcurl-devel >= 7.21.7-2 @@ -74,15 +74,16 @@ BuildRequires: python-ldap BuildRequires: python-setuptools BuildRequires: python-krbV BuildRequires: python-nss +BuildRequires: python-cryptography BuildRequires: python-netaddr BuildRequires: python-kerberos >= 1.1-14 BuildRequires: python-rhsm BuildRequires: pyOpenSSL -BuildRequires: pylint +BuildRequires: pylint >= 1.0 BuildRequires: python-polib -BuildRequires: libipa_hbac-python +BuildRequires: python-libipa_hbac BuildRequires: python-memcached -BuildRequires: sssd >= 1.9.2 +BuildRequires: sssd >= 1.13 BuildRequires: python-lxml BuildRequires: python-pyasn1 >= 0.0.9a BuildRequires: python-qrcode-core >= 5.0.0 
@@ -98,11 +99,14 @@ BuildRequires: systemd BuildRequires: libunistring-devel BuildRequires: rhino BuildRequires: python-lesscpy -BuildRequires: python-yubico -BuildRequires: python-backports-ssl_match_hostname -BuildRequires: softhsm-devel >= 2.0.0b1-3 +BuildRequires: python-yubico >= 1.2.3 +BuildRequires: softhsm-devel >= 2.0.0rc1-1 BuildRequires: openssl-devel BuildRequires: p11-kit-devel +BuildRequires: pki-base >= 10.2.6 +BuildRequires: python-pytest-multihost >= 0.5 +BuildRequires: python-pytest-sourceorder +BuildRequires: python-kdcproxy >= 0.3 %description IPA is an integrated solution to provide centrally managed Identity (machine, @@ -117,11 +121,11 @@ Group: System Environment/Base Requires: %{name}-python = %{version}-%{release} Requires: %{name}-client = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release} -Requires: 389-ds-base >= 1.3.3.8 +Requires: 389-ds-base >= 1.3.4.0 Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 -Requires: krb5-server >= 1.11.5-5 +Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp 
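Review bot: The `krb5-server` constraint in the `@@ -117,11 +121,11 @@` hunk is now declared only as `Requires(post):`, which rpm treats as a scriptlet-time dependency rather than a lasting one. As far as I know, a dependency that carries only a scriptlet qualifier need not stay satisfied once the transaction has finished, so the KDC version range would not be held on an installed server. If the range is meant to hold at runtime as well, keep a plain requirement next to it: `Requires: krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100`.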
@@ -138,33 +142,30 @@ Requires: memcached Requires: python-memcached Requires: dbus-python Requires: systemd-units >= 38 +Requires(pre): shadow-utils Requires(pre): systemd-units Requires(post): systemd-units Requires: selinux-policy >= %{selinux_policy_version} -Requires(post): selinux-policy-base +Requires(post): selinux-policy-base >= %{selinux_policy_version} Requires: slapi-nis >= 0.54.2-1 -%if (0%{?fedora} <= 20 || 0%{?rhel}) -# pki-ca 10.1.2-4 contains patches required by FreeIPA 4.1 -# The goal is to lower the requirement of pki-ca in Fedora 20 -# and CentOS until packaging of it's requirements is finished. -Requires: pki-ca >= 10.1.2-5 -%else -Requires: pki-ca >= 10.2.1-0.2 -%endif +Requires: pki-ca >= 10.2.6 +Requires: pki-kra >= 10.2.6 Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns >= 1.11.1 +Requires: python-kdcproxy >= 0.3 Requires: zip Requires: policycoreutils >= 2.1.12-5 Requires: tar -Requires(pre): certmonger >= 0.76.8 -Requires(pre): 389-ds-base >= 1.3.3.8 +Requires(pre): certmonger >= 0.78 +Requires(pre): 389-ds-base >= 1.3.4.0 Requires: fontawesome-fonts Requires: open-sans-fonts Requires: openssl -Requires: softhsm >= 2.0.0b1-3 +Requires: softhsm >= 2.0.0rc1-1 Requires: p11-kit Requires: systemd-python +Requires: %{etc_systemd_dir} Conflicts: %{alt_name}-server Obsoletes: %{alt_name}-server < %{version} 
@@ -173,19 +174,8 @@ Obsoletes: %{alt_name}-server < %{version} # entire SELinux policy is stored in the system policy Obsoletes: freeipa-server-selinux < 3.3.0 -# We have a soft-requires on bind. It is an optional part of -# IPA but if it is configured we need a way to require versions -# that work for us. -Conflicts: bind-dyndb-ldap < 6.0-4 -%if 0%{?fedora} >= 21 -Conflicts: bind < 9.9.6-3 -Conflicts: bind-utils < 9.9.6-3 -%else -Conflicts: bind < 9.9.4-19 -Conflicts: bind-utils < 9.9.4-19 -%endif -# DNSSEC -Conflicts: opendnssec < 1.4.6-4 +# upgrade path from monolithic -server to -server + -server-dns +Obsoletes: %{name}-server <= 4.2.0.0 # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to # member. @@ -200,6 +190,35 @@ to install this package (in other words, most people should NOT install this package). +%package server-dns +Summary: IPA integrated DNS server with support for automatic DNSSEC signing +Group: System Environment/Base +Requires: %{name}-server = %{version}-%{release} +Requires: bind-dyndb-ldap >= 6.0-4 +%if 0%{?fedora} >= 21 +Requires: bind >= 9.9.6-3 +Requires: bind-utils >= 9.9.6-3 +Requires: bind-pkcs11 >= 9.9.6-3 +Requires: bind-pkcs11-utils >= 9.9.6-3 +%else +Requires: bind >= 9.9.4-21 +Requires: bind-utils >= 9.9.4-21 +Requires: bind-pkcs11 >= 9.9.4-21 +Requires: bind-pkcs11-utils >= 9.9.4-21 +%endif +Requires: opendnssec >= 1.4.6-4 + +Conflicts: %{alt_name}-server-dns +Obsoletes: %{alt_name}-server-dns < %{version} + +# upgrade path from monolithic -server to -server + -server-dns +Obsoletes: %{name}-server <= 4.2.0.0 + +%description server-dns +IPA integrated DNS server with support for automatic DNSSEC signing. +Integrated DNS server is BIND 9. OpenDNSSEC provides key management. + + %package server-trust-ad Summary: Virtual package to install packages required for Active Directory trusts Group: System Environment/Base 
@@ -209,10 +228,9 @@ Requires: samba-python Requires: samba >= %{samba_version} Requires: samba-winbind Requires: libsss_idmap -Requires: libsss_nss_idmap-python -%if (0%{?fedora} >= 22) +Requires: python-libsss_nss_idmap +Requires: oddjob Requires: python-sss -%endif # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 # on the installes where server-trust-ad subpackage is installed because # IPA AD trusts cannot be used at the same time with the locator plugin @@ -246,9 +264,9 @@ Requires: pam_krb5 Requires: wget Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 -Requires: sssd >= 1.12.3 +Requires: sssd >= 1.13.0-5 Requires: python-sssdconfig -Requires: certmonger >= 0.76.8 +Requires: certmonger >= 0.78 Requires: nss-tools Requires: bind-utils Requires: oddjob-mkhomedir @@ -258,7 +276,6 @@ Requires: libsss_autofs Requires: autofs Requires: libnfsidmap Requires: nfs-utils -Requires: python-backports-ssl_match_hostname Requires(post): policycoreutils Conflicts: %{alt_name}-client @@ -299,19 +316,19 @@ Requires: iproute Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 +Requires: python-cryptography Requires: python-lxml Requires: python-netaddr -Requires: libipa_hbac-python +Requires: python-libipa_hbac Requires: python-qrcode-core >= 5.0.0 Requires: python-pyasn1 Requires: python-dateutil -Requires: python-yubico -%if (0%{?fedora} >= 22) +Requires: python-yubico >= 1.2.3 Requires: python-sss-murmur -%endif Requires: libsss_nss_idmap-python Requires: wget Requires: dbus-python +Requires: python-setuptools Conflicts: %{alt_name}-python Obsoletes: %{alt_name}-python < %{version} 
@@ -331,10 +348,12 @@ Requires: %{name}-python = %{version}-%{release} Requires: tar Requires: xz Requires: python-nose +Requires: pytest >= 2.6 Requires: python-paste Requires: python-coverage Requires: python-polib -Requires: python-paramiko >= 1.7.7 +Requires: python-pytest-multihost >= 0.5 +Requires: python-pytest-sourceorder Conflicts: %{alt_name}-tests Obsoletes: %{alt_name}-tests < %{version} @@ -388,6 +407,7 @@ rm -f ipapython/version.py rm -f ipaplatform/services.py rm -f ipaplatform/tasks.py rm -f ipaplatform/paths.py +rm -f ipaplatform/constants.py make version-update cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. %if ! %{ONLY_CLIENT} @@ -410,6 +430,7 @@ rm -f ipapython/version.py rm -f ipaplatform/services.py rm -f ipaplatform/tasks.py rm -f ipaplatform/paths.py +rm -f ipaplatform/constants.py make version-update %if ! %{ONLY_CLIENT} make install DESTDIR=%{buildroot} @@ -439,6 +460,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la rm %{buildroot}/%{plugin_dir}/libipa_range_check.la rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la +rm %{buildroot}/%{plugin_dir}/libtopology.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la @@ -462,6 +484,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \ # So we can own our Apache configuration mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf +/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf mkdir -p %{buildroot}%{_usr}/share/ipa/html/ 
@@ -491,6 +514,11 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e # Web UI plugin dir mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins +# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file) +mkdir -p %{buildroot}%{kdcproxy_home} +mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/ +install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf + # NOTE: systemd specific section mkdir -p %{buildroot}%{_tmpfilesdir} install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf @@ -499,15 +527,19 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam mkdir -p %{buildroot}%{_localstatedir}/run/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ -install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches +install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so # NOTE: systemd specific section mkdir -p %{buildroot}%{_unitdir} +mkdir -p %{buildroot}%{etc_systemd_dir} install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service +install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service # END mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup %endif # ONLY_CLIENT 
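Review bot: Installing `init/systemd/httpd.service` as `%{etc_systemd_dir}/httpd.service` in the `@@ -499,15 +527,19 @@` hunk places a unit under /etc/systemd/system, where it takes precedence over the unit shipped by the httpd package. The file's content is not part of this diff, but if it is a complete unit, later changes to the packaged httpd unit, including any sandboxing or hardening directives, would no longer take effect on IPA servers. A drop-in limited to the settings IPA needs is narrower, e.g. `install -m 644 <ipa-httpd-drop-in> %{buildroot}%{etc_systemd_dir}/httpd.service.d/ipa.conf` (the source file name is a placeholder). The matching `%files` entry added in the `@@ -726,10 +774,12 @@` hunk would move with it.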
@@ -549,8 +581,7 @@ fi %posttrans server # This must be run in posttrans so that updates from previous # execution that may no longer be shipped are not applied. -/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || : -/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || : +/usr/sbin/ipa-server-upgrade --quiet >/dev/null || : # Restart IPA processes. This must be also run in postrans so that plugins # and software is in consistent state @@ -581,6 +612,13 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then # END fi +# create kdcproxy user +getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group} +getent passwd %{kdcproxy_user} >/dev/null || \ + /usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \ + -g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user} +exit 0 + %postun server-trust-ad if [ "$1" -ge "1" ]; then if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then @@ -591,6 +629,8 @@ fi %post server-trust-ad %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ winbind_krb5_locator.so /dev/null 90 +/bin/systemctl reload-or-try-restart dbus +/bin/systemctl reload-or-try-restart oddjobd %posttrans server-trust-ad python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 @@ -603,6 +643,8 @@ fi %preun server-trust-ad if [ $1 -eq 0 ]; then %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null + /bin/systemctl reload-or-try-restart dbus + /bin/systemctl reload-or-try-restart oddjobd fi %endif # ONLY_CLIENT 
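Review bot: The `systemctl reload-or-try-restart oddjobd` call added to `%preun server-trust-ad` (`@@ -603,6 +643,8 @@`) is the last command inside the scriptlet's `if` block, so its exit status becomes the scriptlet's status, and a failing `%preun` makes rpm refuse the erase. The same pair of calls closes `%post server-trust-ad` in `@@ -591,6 +629,8 @@`, where a failure is reported as a scriptlet error. Other service calls in this spec are guarded, e.g. `/bin/systemctl condrestart ntpd.service 2>&1 || :`, and the new lines should follow suit: `/bin/systemctl reload-or-try-restart oddjobd 2>&1 || :` (and the same for `dbus`). Both scriptlets begin outside their hunks.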
@@ -617,16 +659,14 @@ if [ $1 -gt 1 ] ; then if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew cat /etc/krb5.conf >> /etc/krb5.conf.ipanew - mv /etc/krb5.conf.ipanew /etc/krb5.conf - /sbin/restorecon /etc/krb5.conf + mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf fi fi if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew - mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd - /sbin/restorecon /etc/sysconfig/ntpd + mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd /bin/systemctl condrestart ntpd.service 2>&1 || : fi @@ -672,8 +712,7 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then ' /etc/ssh/sshd_config.ipanew fi - mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config - /sbin/restorecon /etc/ssh/sshd_config + mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_config /bin/systemctl condrestart sshd.service 2>&1 || : @@ -683,11 +722,12 @@ fi %if ! %{ONLY_CLIENT} %files server -f server-python.list %defattr(-,root,root,-) -%doc COPYING README Contributors.txt +%doc README Contributors.txt +%license COPYING %{_sbindir}/ipa-backup %{_sbindir}/ipa-restore %{_sbindir}/ipa-ca-install -%{_sbindir}/ipa-dns-install +%{_sbindir}/ipa-kra-install %{_sbindir}/ipa-server-install %{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-install @@ -695,6 +735,7 @@ fi %{_sbindir}/ipa-replica-manage %{_sbindir}/ipa-csreplica-manage %{_sbindir}/ipa-server-certinstall +%{_sbindir}/ipa-server-upgrade %{_sbindir}/ipa-ldap-updater %{_sbindir}/ipa-otptoken-import %{_sbindir}/ipa-compat-manage 
@@ -704,6 +745,7 @@ fi %{_sbindir}/ipa-upgradeconfig %{_sbindir}/ipa-advise %{_sbindir}/ipa-cacert-manage +%{_sbindir}/ipa-winsync-migrate %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/ipa-server-guard %{_libexecdir}/ipa-otpd @@ -711,12 +753,18 @@ fi %{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-ods-exporter +%{_libexecdir}/ipa/ipa-httpd-kdcproxy +%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy +%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home} %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter +%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ -%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/ +%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/ # NOTE: systemd specific section %{_tmpfilesdir}/%{name}.conf %attr(644,root,root) %{_unitdir}/ipa.service @@ -726,10 +774,12 @@ fi %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service +%attr(644,root,root) %{etc_systemd_dir}/httpd.service # END %dir %{python_sitelib}/ipaserver %dir %{python_sitelib}/ipaserver/install %dir %{python_sitelib}/ipaserver/install/plugins +%dir %{python_sitelib}/ipaserver/install/server %dir %{python_sitelib}/ipaserver/advise %dir %{python_sitelib}/ipaserver/advise/plugins %dir %{python_sitelib}/ipaserver/plugins 
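Review bot: The `%dir %attr(0700,apache,apache)` entries for `run/httpd/ipa/`, `clientcaches/` and `krbcache/` in the second hunk on this line fix mode and owner only at package install time. If `%{_localstatedir}/run` is a tmpfs on the target, the directories disappear at reboot and come back with whatever `init/systemd/ipa.conf.tmpfiles` declares; that file is not part of this diff, so confirm it lists all three paths as `0700 apache apache`. `krbcache` looks like it holds Kerberos credential caches, so recreating it with a wider mode would expose them to other local users. A spec comment beside the entries, for example `# keep mode/owner in sync with init/systemd/ipa.conf.tmpfiles`, would make that dependency visible.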
@@ -740,10 +790,13 @@ fi %{_usr}/share/ipa/copy-schema-to-ca.py* %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif +%{_usr}/share/ipa/*.update %{_usr}/share/ipa/*.template %dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise/legacy %{_usr}/share/ipa/advise/legacy/*.template +%dir %{_usr}/share/ipa/profiles +%{_usr}/share/ipa/profiles/*.cfg %dir %{_usr}/share/ipa/ffextension %{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/install.rdf @@ -798,10 +851,13 @@ fi %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf +%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf %{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa-rewrite.conf %{_usr}/share/ipa/ipa-pki-proxy.conf +%{_usr}/share/ipa/kdcproxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi @@ -824,6 +880,10 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_range_check.so %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so %attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so +%attr(755,root,root) %{plugin_dir}/libtopology.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so +%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so +%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %dir %{_localstatedir}/lib/ipa %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore 
@@ -839,8 +899,9 @@ fi %{_mandir}/man1/ipa-replica-prepare.1.gz %{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-install.1.gz -%{_mandir}/man1/ipa-dns-install.1.gz +%{_mandir}/man1/ipa-server-upgrade.1.gz %{_mandir}/man1/ipa-ca-install.1.gz +%{_mandir}/man1/ipa-kra-install.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz %{_mandir}/man1/ipa-managed-entries.1.gz @@ -852,24 +913,30 @@ fi %{_mandir}/man1/ipa-advise.1.gz %{_mandir}/man1/ipa-otptoken-import.1.gz %{_mandir}/man1/ipa-cacert-manage.1.gz +%{_mandir}/man1/ipa-winsync-migrate.1.gz + +%files server-dns +%{_sbindir}/ipa-dns-install +%{_mandir}/man1/ipa-dns-install.1.gz %files server-trust-ad %{_sbindir}/ipa-adtrust-install -%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so %{_usr}/share/ipa/smb.conf.empty %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so -%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so -%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so %{_mandir}/man1/ipa-adtrust-install.1.gz %{python_sitelib}/ipaserver/dcerpc* %{python_sitelib}/ipaserver/install/adtrustinstance* %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so +%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf +%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf +%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains %endif # ONLY_CLIENT %files client %defattr(-,root,root,-) -%doc COPYING README Contributors.txt +%doc README Contributors.txt +%license COPYING %{_sbindir}/ipa-client-install %{_sbindir}/ipa-client-automount %{_sbindir}/ipa-certupdate 
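Review bot: `%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains` in the `%files server-trust-ad` list of the second hunk on this line has a doubled percent sign, unlike every other `%attr` entry in the spec. `%%` is the macro escape for a literal `%`, so the line probably still ends up as an `%attr` directive after expansion, but that would be an accident of parsing order rather than intent. The file appears to be the helper that the oddjob and D-Bus configuration files listed just above it refer to, so its ownership and mode should be stated unambiguously: `%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains`.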
@@ -891,18 +958,22 @@ fi %files admintools %defattr(-,root,root,-) -%doc COPYING README Contributors.txt +%doc README Contributors.txt +%license COPYING %{_bindir}/ipa %config %{_sysconfdir}/bash_completion.d %{_mandir}/man1/ipa.1.gz %files python -f %{gettext_domain}.lang %defattr(-,root,root,-) -%doc COPYING README Contributors.txt +%doc README Contributors.txt +%license COPYING %dir %{python_sitelib}/ipapython %{python_sitelib}/ipapython/*.py* %dir %{python_sitelib}/ipapython/dnssec %{python_sitelib}/ipapython/dnssec/*.py* +%dir %{python_sitelib}/ipapython/install +%{python_sitelib}/ipapython/install/*.py* %dir %{python_sitelib}/ipalib %{python_sitelib}/ipalib/* %dir %{python_sitelib}/ipaplatform @@ -928,7 +999,8 @@ fi %if ! %{ONLY_CLIENT} %files tests -f tests-python.list %defattr(-,root,root,-) -%doc COPYING README Contributors.txt +%doc README Contributors.txt +%license COPYING %dir %{python_sitelib}/ipatests %dir %{python_sitelib}/ipatests/test_cmdline %dir %{python_sitelib}/ipatests/test_install @@ -950,6 +1022,9 @@ fi %endif # ONLY_CLIENT %changelog +* Mon Sep 7 2015 Petr Vobornik - 4.2.1-1 +- Update to upstream 4.2.1 - see http://www.freeipa.org/page/Releases/4.2.1 + * Wed Jun 17 2015 Fedora Release Engineering - 4.1.4-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild diff --git a/sources b/sources index e761582..f855c52 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -377b1e6aaf7606bbf484d8f038380336 freeipa-4.1.4.tar.gz +7fe8b04fc855cf5a4df892c7e5ba1674 freeipa-4.2.1.tar.gz