Update to upstream 4.2.1

Petr Vobornik 2015-09-07 18:41:00 +02:00
parent a944f13c98
commit ece84f751e
9 changed files with 153 additions and 523 deletions

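--- a/.gitignore
+++ b/.gitignore
@@ -38,3 +38,4 @@
 /freeipa-4.1.2.tar.gz
 /freeipa-4.1.3.tar.gz
 /freeipa-4.1.4.tar.gz
+/freeipa-4.2.1.tar.gz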


@ -1,33 +0,0 @@
From 80514f225f628f7c7993b85e562a851e7ee40644 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@redhat.com>
Date: Wed, 25 Feb 2015 14:22:02 -0800
Subject: [PATCH 1/2] Skip time sync during client install when using --no-ntp
When --no-ntp is specified during ipa-client-install, we still
attempt to perform a time sync before obtaining a TGT from the
KDC. We should not be attempting to sync time with the KDC if
we are explicitly told to not configure ntp.
Ticket: https://fedorahosted.org/freeipa/ticket/4842
---
ipa-client/ipa-install/ipa-client-install | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
index ccaab55..a625fbd 100755
--- a/ipa-client/ipa-install/ipa-client-install
+++ b/ipa-client/ipa-install/ipa-client-install
@@ -2324,8 +2324,9 @@ def install(options, env, fstore, statestore):
# hostname if different from system hostname
tasks.backup_and_replace_hostname(fstore, statestore, options.hostname)
- if not options.on_master:
+ if not options.on_master and options.conf_ntp:
# Attempt to sync time with IPA server.
+ # If we're skipping NTP configuration, we also skip the time sync here.
# We assume that NTP servers are discoverable through SRV records in the DNS
# If that fails, we try to sync directly with IPA server, assuming it runs NTP
root_logger.info('Synchronizing time with KDC...')
--
1.9.3


@ -1,78 +0,0 @@
From a0ffcd6f8ba610c20808a2f863d384b7631c64ac Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Fri, 27 Mar 2015 07:14:27 -0400
Subject: [PATCH] Make lint work on Fedora 22.
pylint added 'confidence' parameter to 'add_message' method of PyLinter.
To be compatible with both, pre- and post- 1.4 IPALinter must accept
the parameter but not pass it over.
Also python3 checker was added and enabled by default. FreeIPA is still
not ready for python3.
Additionally few false-positives was marked.
---
ipalib/plugins/otptoken.py | 1 +
ipapython/dnssec/ldapkeydb.py | 1 +
ipaserver/install/ipa_otptoken_import.py | 1 +
make-lint | 3 ++-
4 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/ipalib/plugins/otptoken.py b/ipalib/plugins/otptoken.py
index b87145df80a3be9b16d596dd4072129c2290f40a..867659ec2a867b2dba79922a4e98b7b6254e81bf 100644
--- a/ipalib/plugins/otptoken.py
+++ b/ipalib/plugins/otptoken.py
@@ -547,6 +547,7 @@ class otptoken_sync(Local):
query = urllib.urlencode(query)
# Sync the token.
+ # pylint: disable=E1101
handler = HTTPSHandler(ca_certs=os.path.join(self.api.env.confdir, 'ca.crt'),
cert_reqs=ssl.CERT_REQUIRED,
ssl_version=ssl.PROTOCOL_TLSv1)
diff --git a/ipapython/dnssec/ldapkeydb.py b/ipapython/dnssec/ldapkeydb.py
index 71c0a95a39b1b460178d0b853ed26bf2cfe5bda1..520b510707d432d2e432c55ca25f2a872d832348 100644
--- a/ipapython/dnssec/ldapkeydb.py
+++ b/ipapython/dnssec/ldapkeydb.py
@@ -23,6 +23,7 @@ def uri_escape(val):
assert len(val) > 0, "zero-length URI component detected"
hexval = hexlify(val)
out = '%'
+ # pylint: disable=E1127
out += '%'.join(hexval[i:i+2] for i in range(0, len(hexval), 2))
return out
diff --git a/ipaserver/install/ipa_otptoken_import.py b/ipaserver/install/ipa_otptoken_import.py
index b78aba93a2edc987450d921c87ea4f61b014b419..c6a69c9975cc113c10d0dee669f9db619422a9d3 100644
--- a/ipaserver/install/ipa_otptoken_import.py
+++ b/ipaserver/install/ipa_otptoken_import.py
@@ -60,6 +60,7 @@ def convertDate(value):
dt = dateutil.parser.parse(value)
+ # pylint: disable=E1101
if dt.tzinfo is None:
dt = datetime.datetime(*dt.timetuple()[0:6],
tzinfo=dateutil.tz.tzlocal())
diff --git a/make-lint b/make-lint
index bd0eb4d75c50c794dbd40444ab035df5a5153d6c..8016d1c3554944d7799aefe0242f4f844e76e32c 100755
--- a/make-lint
+++ b/make-lint
@@ -143,7 +143,7 @@ class IPALinter(PyLinter):
return
super(IPALinter, self).register_checker(checker)
- def add_message(self, msg_id, line=None, node=None, args=None):
+ def add_message(self, msg_id, line=None, node=None, args=None, confidence=None):
if line is None and node is not None:
line = node.fromlineno
@@ -235,6 +235,7 @@ def main():
'{path}:{line}: [{msg_id}({symbol}), {obj}] {msg})')
linter.set_option('reports', False)
linter.set_option('persistent', False)
+ linter.set_option('disable', 'python3')
linter.check(files)
--
2.1.0


@ -1,40 +0,0 @@
From 206de2b2b8f46f4c41f7df39c952e445329b9170 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Mon, 30 Mar 2015 04:11:19 -0400
Subject: [PATCH 1/3] Remove unused part of ipa.conf.
Separate configuration of '/var/www/cgi-bin' is no longer needed legacy from
IPA 1.0.
---
install/conf/ipa.conf | 15 ---------------
1 file changed, 15 deletions(-)
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 7eede73efc559967925d2bbfeee54e1e2efd3e21..62ee955ecfe0be78a3bd377e5aa35a335681621f 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -174,21 +174,6 @@ Alias /ipa/wsgi "/usr/share/ipa/wsgi"
AddHandler wsgi-script .py
</Directory>
-# Protect our CGIs
-<Directory /var/www/cgi-bin>
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate on
- KrbMethodK5Passwd off
- KrbServiceName HTTP
- KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
- KrbSaveCredentials on
- Require valid-user
- ErrorDocument 401 /ipa/errors/unauthorized.html
-</Directory>
-
-
# migration related pages
Alias /ipa/migration "/usr/share/ipa/migration"
<Directory "/usr/share/ipa/migration">
--
2.3.4


@ -1,184 +0,0 @@
From d7a856097039b37e77a59aad66d6cdedc3eb6aee Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Mon, 30 Mar 2015 04:17:55 -0400
Subject: [PATCH 2/3] Use mod_auth_gssapi instead of mod_auth_kerb.
https://fedorahosted.org/freeipa/ticket/4190
---
freeipa.spec.in | 4 +++-
init/systemd/ipa.conf.tmpfiles | 1 +
install/conf/ipa.conf | 16 +++++-----------
ipalib/session.py | 20 ++++++++++----------
ipaserver/rpcserver.py | 2 +-
5 files changed, 20 insertions(+), 23 deletions(-)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 546f3473c5ac8885c6df128b2e3793d76795e85b..8d58f2568e1de418c25cb1bd34fc7d4736a15e54 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -118,7 +118,7 @@ Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp
Requires: httpd >= 2.4.6-6
Requires: mod_wsgi
-Requires: mod_auth_kerb >= 5.4-16
+Requires: mod_auth_gssapi >= 1.1.0-2
Requires: mod_nss >= 1.0.8-26
Requires: python-ldap >= 2.4.15
Requires: python-krbV
@@ -463,6 +463,7 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
mkdir -p %{buildroot}%{_localstatedir}/run/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
+install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
@@ -680,6 +681,7 @@ fi
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
+%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/
# NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service
diff --git a/init/systemd/ipa.conf.tmpfiles b/init/systemd/ipa.conf.tmpfiles
index 1e7a896ed8df00c97f2d092504e2a65960bb341d..b4503cc673f3407421cd194091f5373ba204a483 100644
--- a/init/systemd/ipa.conf.tmpfiles
+++ b/init/systemd/ipa.conf.tmpfiles
@@ -1,2 +1,3 @@
d /var/run/ipa_memcached 0700 apache apache
d /var/run/ipa 0700 root root
+d /var/run/httpd/clientcaches 0700 apache apache
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 62ee955ecfe0be78a3bd377e5aa35a335681621f..871fab8248fcc1c3793ce71bdcb86720a7e31c61 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -3,7 +3,6 @@
#
# This file may be overwritten on upgrades.
#
-# LoadModule auth_kerb_module modules/mod_auth_kerb.so
ProxyRequests Off
@@ -61,19 +60,14 @@ WSGIScriptReloading Off
SetHandler None
</Location>
-KrbConstrainedDelegationLock ipa
-
# Protect /ipa and everything below it in webspace with Apache Kerberos auth
<Location "/ipa">
- AuthType Kerberos
+ AuthType GSSAPI
AuthName "Kerberos Login"
- KrbMethodNegotiate on
- KrbMethodK5Passwd off
- KrbServiceName HTTP
- KrbAuthRealms $REALM
- Krb5KeyTab /etc/httpd/conf/ipa.keytab
- KrbSaveCredentials on
- KrbConstrainedDelegation on
+ GssapiCredStore keytab:/etc/httpd/conf/ipa.keytab
+ GssapiCredStore client_keytab:/etc/httpd/conf/ipa.keytab
+ GssapiDelegCcacheDir /var/run/httpd/clientcaches
+ GssapiUseS4U2Proxy on
Require valid-user
ErrorDocument 401 /ipa/errors/unauthorized.html
</Location>
diff --git a/ipalib/session.py b/ipalib/session.py
index ae40fdfe189b3bfd5f0437c04efaab73ac31f88a..2f732b333375c837b931c6b16ccfc535e11d7e4c 100644
--- a/ipalib/session.py
+++ b/ipalib/session.py
@@ -484,7 +484,7 @@ improve authentication performance. First some definitions.
There are 4 major players:
1. client
- 2. mod_auth_kerb (in Apache process)
+ 2. mod_auth_gssapi (in Apache process)
3. wsgi handler (in IPA wsgi python process)
4. ds (directory server)
@@ -506,12 +506,12 @@ This describes how things work in our current system for the web UI.
2. Client sends post to /ipa/json.
- 3. mod_auth_kerb is configured to protect /ipa/json, replies 401
+ 3. mod_auth_gssapi is configured to protect /ipa/json, replies 401
authenticate negotiate.
4. Client resends with credentials
- 5. mod_auth_kerb validates credentials
+ 5. mod_auth_gssapi validates credentials
a. if invalid replies 403 access denied (stops here)
@@ -550,7 +550,7 @@ A few notes about the session implementation.
Changes to Apache's resource protection
---------------------------------------
- * /ipa/json is no longer protected by mod_auth_kerb. This is
+ * /ipa/json is no longer protected by mod_auth_gssapi. This is
necessary to avoid the negotiate expense in steps 3,4,5
above. Instead the /ipa/json resource will be protected in our wsgi
handler via the session cookie.
@@ -583,15 +583,15 @@ The new sequence is:
5. client sends request to /ipa/login to obtain session credentials
- 6. mod_auth_kerb replies 401 negotiate on /ipa/login
+ 6. mod_auth_gssapi replies 401 negotiate on /ipa/login
7. client sends credentials to /ipa/login
- 8. mod_auth_kerb validates credentials
+ 8. mod_auth_gssapi validates credentials
a. if valid
- - mod_auth_kerb permits access to /ipa/login. wsgi handler is
+ - mod_auth_gssapi permits access to /ipa/login. wsgi handler is
invoked and does the following:
* establishes session for client
@@ -600,7 +600,7 @@ The new sequence is:
a. if invalid
- - mod_auth_kerb sends 403 access denied (processing stops)
+ - mod_auth_gssapi sends 403 access denied (processing stops)
9. client now posts the same data again to /ipa/json including
session cookie. Processing repeats starting at step 2 and since
@@ -617,12 +617,12 @@ and xmlrpc API's are the same, they differ only on how their procedure
calls are marshalled and unmarshalled.
Under the new scheme /ipa/xml will continue to be Kerberos protected
-at all times. Apache's mod_auth_kerb will continue to require the
+at all times. Apache's mod_auth_gssapi will continue to require the
client provides valid Kerberos credentials.
When the WSGI handler routes to /ipa/xml the Kerberos credentials will
be extracted from the KRB5CCNAME environment variable as provided by
-mod_auth_kerb. Everything else remains the same.
+mod_auth_gssapi. Everything else remains the same.
'''
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
index d6bc955b9d9910a24eec5df1def579310eb54786..4173ed918d2ce992aa79d18b2ac3338b35388918 100644
--- a/ipaserver/rpcserver.py
+++ b/ipaserver/rpcserver.py
@@ -858,7 +858,7 @@ class login_kerberos(Backend, KerberosSession, HTTP_Status):
def __call__(self, environ, start_response):
self.debug('WSGI login_kerberos.__call__:')
- # Get the ccache created by mod_auth_kerb
+ # Get the ccache created by mod_auth_gssapi
user_ccache_name=environ.get('KRB5CCNAME')
if user_ccache_name is None:
return self.internal_error(environ, start_response,
--
2.3.4


@ -1,23 +0,0 @@
From 12f1eaf7feeb2ee3f50c2e90cffd0849a42a2c81 Mon Sep 17 00:00:00 2001
From: David Kupka <dkupka@redhat.com>
Date: Mon, 30 Mar 2015 04:18:11 -0400
Subject: [PATCH 3/3] Bump ipa.conf version to 17.
---
install/conf/ipa.conf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/install/conf/ipa.conf b/install/conf/ipa.conf
index 871fab8248fcc1c3793ce71bdcb86720a7e31c61..92637c04d4f961a0b7f016fe125341c63f400285 100644
--- a/install/conf/ipa.conf
+++ b/install/conf/ipa.conf
@@ -1,5 +1,5 @@
#
-# VERSION 16 - DO NOT REMOVE THIS LINE
+# VERSION 17 - DO NOT REMOVE THIS LINE
#
# This file may be overwritten on upgrades.
#
--
2.3.4


@ -1,88 +0,0 @@
From 28fccac07760764acc86f9c91850481ef2c1e1ae Mon Sep 17 00:00:00 2001
From: Alexander Bokovoy <abokovoy@redhat.com>
Date: Fri, 8 May 2015 12:09:13 +0000
Subject: [PATCH 2/3] ipaserver/dcerpc: Ensure LSA pipe has session key before
using it
With Samba 4.2 there is a bug that prevents Samba to consider Kerberos
credentials used by IPA httpd process when talking to smbd. As result,
LSA RPC connection is seen as anonymous by Samba client code and we cannot
derive session key to use for encrypting trust secrets before transmitting
them.
Additionally, rewrite of the SMB protocol support in Samba caused previously
working logic of choosing DCE RPC binding string to fail. We need to try
a different set of priorities until they fail or succeed.
Requires Samba fixes from https://bugzilla.redhat.com/show_bug.cgi?id=1219832
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1219834
---
ipaserver/dcerpc.py | 19 ++++++++++++++-----
1 file changed, 14 insertions(+), 5 deletions(-)
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
index e342c49..44689cc 100644
--- a/ipaserver/dcerpc.py
+++ b/ipaserver/dcerpc.py
@@ -89,6 +89,10 @@ dcerpc_error_codes = {
-1073741811: # NT_STATUS_INVALID_PARAMETER
errors.RemoteRetrieveError(
reason=_('AD domain controller complains about communication sequence. It may mean unsynchronized time on both sides, for example')),
+ -1073741776: # NT_STATUS_INVALID_PARAMETER_MIX, we simply will skip the binding
+ access_denied_error,
+ -1073741772: # NT_STATUS_OBJECT_NAME_NOT_FOUND
+ errors.RemoteRetrieveError(reason=_('CIFS server configuration does not allow access to \\\\pipe\\lsarpc')),
}
dcerpc_error_messages = {
@@ -728,16 +732,20 @@ class TrustDomainInstance(object):
return
attempts = 0
+ session_attempts = 0
bindings = self.__gen_lsa_bindings(remote_host)
for binding in bindings:
try:
self._pipe = self.__gen_lsa_connection(binding)
- if self._pipe:
+ if self._pipe and self._pipe.session_key:
break
except errors.ACIError, e:
attempts = attempts + 1
+ except RuntimeError, e:
+ # When session key is not available, we just skip this binding
+ session_attempts = session_attempts + 1
- if self._pipe is None and attempts == len(bindings):
+ if self._pipe is None and (attempts + session_attempts) == len(bindings):
raise errors.ACIError(
info=_('CIFS server %(host)s denied your credentials') % dict(host=remote_host))
@@ -745,6 +753,7 @@ class TrustDomainInstance(object):
raise errors.RemoteRetrieveError(
reason=_('Cannot establish LSA connection to %(host)s. Is CIFS server running?') % dict(host=remote_host))
self.binding = binding
+ self.session_key = self._pipe.session_key
def __gen_lsa_bindings(self, remote_host):
"""
@@ -753,11 +762,11 @@ class TrustDomainInstance(object):
Generate all we can use. init_lsa_pipe() will try them one by one until
there is one working.
- We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned.
+ We try NCACN_NP before NCACN_IP_TCP and use SMB2 before SMB1 or defaults.
"""
transports = (u'ncacn_np', u'ncacn_ip_tcp')
- options = ( u',', u'')
- binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
+ options = ( u'smb2', u'smb1', u'')
+ binding_template=lambda x,y,z: u'%s:%s[%s,print]' % (x, y, z)
return [binding_template(t, remote_host, o) for t in transports for o in options]
def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False):
--
2.4.0


@ -10,10 +10,13 @@
%else %else
%global samba_version 2:4.2.1-8 %global samba_version 2:4.2.1-8
%global samba_build_version 2:4.2.1 %global samba_build_version 2:4.2.1
%global selinux_policy_version 3.12.1-179 %global selinux_policy_version 3.13.1-128.6
%endif %endif
%define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
%global plugin_dir %{_libdir}/dirsrv/plugins %global plugin_dir %{_libdir}/dirsrv/plugins
%global etc_systemd_dir %{_sysconfdir}/systemd/system
%global gettext_domain ipa %global gettext_domain ipa
%if 0%{?rhel} %if 0%{?rhel}
%global platform_module rhel %global platform_module rhel
@ -21,13 +24,17 @@
%global platform_module fedora %global platform_module fedora
%endif %endif
%global VERSION 4.1.4 %global VERSION 4.2.1
%define _hardened_build 1 %define _hardened_build 1
%define kdcproxy_user kdcproxy
%define kdcproxy_group kdcproxy
%define kdcproxy_home %{_sharedstatedir}/kdcproxy
Name: freeipa Name: freeipa
Version: %{VERSION} Version: %{VERSION}
Release: 5%{?dist} Release: 1%{?dist}
Summary: The Identity, Policy and Audit system Summary: The Identity, Policy and Audit system
Group: System Environment/Base Group: System Environment/Base
@ -36,15 +43,8 @@ URL: http://www.freeipa.org/
Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Patch0001: 0001-Skip-time-sync-during-client-install-when-using-no-n.patch
Patch0002: 0002-Make-lint-work-on-Fedora-22.patch
Patch0003: 0003-Remove-unused-part-of-ipa.conf.patch
Patch0004: 0004-Use-mod_auth_gssapi-instead-of-mod_auth_kerb.patch
Patch0005: 0005-Bump-ipa.conf-version-to-17.patch
Patch0006: 0006-ipaserver-dcerpc-Ensure-LSA-pipe-has-session-key-bef.patch
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.3.8 BuildRequires: 389-ds-base-devel >= 1.3.4.0
BuildRequires: svrcore-devel BuildRequires: svrcore-devel
BuildRequires: policycoreutils >= 2.1.12-5 BuildRequires: policycoreutils >= 2.1.12-5
BuildRequires: systemd-units BuildRequires: systemd-units
@ -58,7 +58,7 @@ BuildRequires: nspr-devel
BuildRequires: nss-devel BuildRequires: nss-devel
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: openldap-devel BuildRequires: openldap-devel
BuildRequires: krb5-devel >= 1.11 BuildRequires: krb5-devel >= 1.13
BuildRequires: krb5-workstation BuildRequires: krb5-workstation
BuildRequires: libuuid-devel BuildRequires: libuuid-devel
BuildRequires: libcurl-devel >= 7.21.7-2 BuildRequires: libcurl-devel >= 7.21.7-2
@ -74,15 +74,16 @@ BuildRequires: python-ldap
BuildRequires: python-setuptools BuildRequires: python-setuptools
BuildRequires: python-krbV BuildRequires: python-krbV
BuildRequires: python-nss BuildRequires: python-nss
BuildRequires: python-cryptography
BuildRequires: python-netaddr BuildRequires: python-netaddr
BuildRequires: python-kerberos >= 1.1-14 BuildRequires: python-kerberos >= 1.1-14
BuildRequires: python-rhsm BuildRequires: python-rhsm
BuildRequires: pyOpenSSL BuildRequires: pyOpenSSL
BuildRequires: pylint BuildRequires: pylint >= 1.0
BuildRequires: python-polib BuildRequires: python-polib
BuildRequires: libipa_hbac-python BuildRequires: python-libipa_hbac
BuildRequires: python-memcached BuildRequires: python-memcached
BuildRequires: sssd >= 1.9.2 BuildRequires: sssd >= 1.13
BuildRequires: python-lxml BuildRequires: python-lxml
BuildRequires: python-pyasn1 >= 0.0.9a BuildRequires: python-pyasn1 >= 0.0.9a
BuildRequires: python-qrcode-core >= 5.0.0 BuildRequires: python-qrcode-core >= 5.0.0
@ -98,11 +99,14 @@ BuildRequires: systemd
BuildRequires: libunistring-devel BuildRequires: libunistring-devel
BuildRequires: rhino BuildRequires: rhino
BuildRequires: python-lesscpy BuildRequires: python-lesscpy
BuildRequires: python-yubico BuildRequires: python-yubico >= 1.2.3
BuildRequires: python-backports-ssl_match_hostname BuildRequires: softhsm-devel >= 2.0.0rc1-1
BuildRequires: softhsm-devel >= 2.0.0b1-3
BuildRequires: openssl-devel BuildRequires: openssl-devel
BuildRequires: p11-kit-devel BuildRequires: p11-kit-devel
BuildRequires: pki-base >= 10.2.6
BuildRequires: python-pytest-multihost >= 0.5
BuildRequires: python-pytest-sourceorder
BuildRequires: python-kdcproxy >= 0.3
%description %description
IPA is an integrated solution to provide centrally managed Identity (machine, IPA is an integrated solution to provide centrally managed Identity (machine,
@ -117,11 +121,11 @@ Group: System Environment/Base
Requires: %{name}-python = %{version}-%{release} Requires: %{name}-python = %{version}-%{release}
Requires: %{name}-client = %{version}-%{release} Requires: %{name}-client = %{version}-%{release}
Requires: %{name}-admintools = %{version}-%{release} Requires: %{name}-admintools = %{version}-%{release}
Requires: 389-ds-base >= 1.3.3.8 Requires: 389-ds-base >= 1.3.4.0
Requires: openldap-clients > 2.4.35-4 Requires: openldap-clients > 2.4.35-4
Requires: nss >= 3.14.3-12.0 Requires: nss >= 3.14.3-12.0
Requires: nss-tools >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0
Requires: krb5-server >= 1.11.5-5 Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100
Requires: krb5-pkinit-openssl Requires: krb5-pkinit-openssl
Requires: cyrus-sasl-gssapi%{?_isa} Requires: cyrus-sasl-gssapi%{?_isa}
Requires: ntp Requires: ntp
@ -138,33 +142,30 @@ Requires: memcached
Requires: python-memcached Requires: python-memcached
Requires: dbus-python Requires: dbus-python
Requires: systemd-units >= 38 Requires: systemd-units >= 38
Requires(pre): shadow-utils
Requires(pre): systemd-units Requires(pre): systemd-units
Requires(post): systemd-units Requires(post): systemd-units
Requires: selinux-policy >= %{selinux_policy_version} Requires: selinux-policy >= %{selinux_policy_version}
Requires(post): selinux-policy-base Requires(post): selinux-policy-base >= %{selinux_policy_version}
Requires: slapi-nis >= 0.54.2-1 Requires: slapi-nis >= 0.54.2-1
%if (0%{?fedora} <= 20 || 0%{?rhel}) Requires: pki-ca >= 10.2.6
# pki-ca 10.1.2-4 contains patches required by FreeIPA 4.1 Requires: pki-kra >= 10.2.6
# The goal is to lower the requirement of pki-ca in Fedora 20
# and CentOS until packaging of it's requirements is finished.
Requires: pki-ca >= 10.1.2-5
%else
Requires: pki-ca >= 10.2.1-0.2
%endif
Requires(preun): python systemd-units Requires(preun): python systemd-units
Requires(postun): python systemd-units Requires(postun): python systemd-units
Requires: python-dns >= 1.11.1 Requires: python-dns >= 1.11.1
Requires: python-kdcproxy >= 0.3
Requires: zip Requires: zip
Requires: policycoreutils >= 2.1.12-5 Requires: policycoreutils >= 2.1.12-5
Requires: tar Requires: tar
Requires(pre): certmonger >= 0.76.8 Requires(pre): certmonger >= 0.78
Requires(pre): 389-ds-base >= 1.3.3.8 Requires(pre): 389-ds-base >= 1.3.4.0
Requires: fontawesome-fonts Requires: fontawesome-fonts
Requires: open-sans-fonts Requires: open-sans-fonts
Requires: openssl Requires: openssl
Requires: softhsm >= 2.0.0b1-3 Requires: softhsm >= 2.0.0rc1-1
Requires: p11-kit Requires: p11-kit
Requires: systemd-python Requires: systemd-python
Requires: %{etc_systemd_dir}
Conflicts: %{alt_name}-server Conflicts: %{alt_name}-server
Obsoletes: %{alt_name}-server < %{version} Obsoletes: %{alt_name}-server < %{version}
@ -173,19 +174,8 @@ Obsoletes: %{alt_name}-server < %{version}
# entire SELinux policy is stored in the system policy # entire SELinux policy is stored in the system policy
Obsoletes: freeipa-server-selinux < 3.3.0 Obsoletes: freeipa-server-selinux < 3.3.0
# We have a soft-requires on bind. It is an optional part of # upgrade path from monolithic -server to -server + -server-dns
# IPA but if it is configured we need a way to require versions Obsoletes: %{name}-server <= 4.2.0.0
# that work for us.
Conflicts: bind-dyndb-ldap < 6.0-4
%if 0%{?fedora} >= 21
Conflicts: bind < 9.9.6-3
Conflicts: bind-utils < 9.9.6-3
%else
Conflicts: bind < 9.9.4-19
Conflicts: bind-utils < 9.9.4-19
%endif
# DNSSEC
Conflicts: opendnssec < 1.4.6-4
# Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to # Versions of nss-pam-ldapd < 0.8.4 require a mapping from uniqueMember to
# member. # member.
@ -200,6 +190,35 @@ to install this package (in other words, most people should NOT install
this package). this package).
%package server-dns
Summary: IPA integrated DNS server with support for automatic DNSSEC signing
Group: System Environment/Base
Requires: %{name}-server = %{version}-%{release}
Requires: bind-dyndb-ldap >= 6.0-4
%if 0%{?fedora} >= 21
Requires: bind >= 9.9.6-3
Requires: bind-utils >= 9.9.6-3
Requires: bind-pkcs11 >= 9.9.6-3
Requires: bind-pkcs11-utils >= 9.9.6-3
%else
Requires: bind >= 9.9.4-21
Requires: bind-utils >= 9.9.4-21
Requires: bind-pkcs11 >= 9.9.4-21
Requires: bind-pkcs11-utils >= 9.9.4-21
%endif
Requires: opendnssec >= 1.4.6-4
Conflicts: %{alt_name}-server-dns
Obsoletes: %{alt_name}-server-dns < %{version}
# upgrade path from monolithic -server to -server + -server-dns
Obsoletes: %{name}-server <= 4.2.0.0
%description server-dns
IPA integrated DNS server with support for automatic DNSSEC signing.
Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
%package server-trust-ad %package server-trust-ad
Summary: Virtual package to install packages required for Active Directory trusts Summary: Virtual package to install packages required for Active Directory trusts
Group: System Environment/Base Group: System Environment/Base
@ -209,10 +228,9 @@ Requires: samba-python
Requires: samba >= %{samba_version} Requires: samba >= %{samba_version}
Requires: samba-winbind Requires: samba-winbind
Requires: libsss_idmap Requires: libsss_idmap
Requires: libsss_nss_idmap-python Requires: python-libsss_nss_idmap
%if (0%{?fedora} >= 22) Requires: oddjob
Requires: python-sss Requires: python-sss
%endif
# We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5 # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
# on the installes where server-trust-ad subpackage is installed because # on the installes where server-trust-ad subpackage is installed because
# IPA AD trusts cannot be used at the same time with the locator plugin # IPA AD trusts cannot be used at the same time with the locator plugin
@ -246,9 +264,9 @@ Requires: pam_krb5
Requires: wget Requires: wget
Requires: libcurl >= 7.21.7-2 Requires: libcurl >= 7.21.7-2
Requires: xmlrpc-c >= 1.27.4 Requires: xmlrpc-c >= 1.27.4
Requires: sssd >= 1.12.3 Requires: sssd >= 1.13.0-5
Requires: python-sssdconfig Requires: python-sssdconfig
Requires: certmonger >= 0.76.8 Requires: certmonger >= 0.78
Requires: nss-tools Requires: nss-tools
Requires: bind-utils Requires: bind-utils
Requires: oddjob-mkhomedir Requires: oddjob-mkhomedir
@ -258,7 +276,6 @@ Requires: libsss_autofs
Requires: autofs Requires: autofs
Requires: libnfsidmap Requires: libnfsidmap
Requires: nfs-utils Requires: nfs-utils
Requires: python-backports-ssl_match_hostname
Requires(post): policycoreutils Requires(post): policycoreutils
Conflicts: %{alt_name}-client Conflicts: %{alt_name}-client
@ -299,19 +316,19 @@ Requires: iproute
Requires: keyutils Requires: keyutils
Requires: pyOpenSSL Requires: pyOpenSSL
Requires: python-nss >= 0.16 Requires: python-nss >= 0.16
Requires: python-cryptography
Requires: python-lxml Requires: python-lxml
Requires: python-netaddr Requires: python-netaddr
Requires: libipa_hbac-python Requires: python-libipa_hbac
Requires: python-qrcode-core >= 5.0.0 Requires: python-qrcode-core >= 5.0.0
Requires: python-pyasn1 Requires: python-pyasn1
Requires: python-dateutil Requires: python-dateutil
Requires: python-yubico Requires: python-yubico >= 1.2.3
%if (0%{?fedora} >= 22)
Requires: python-sss-murmur Requires: python-sss-murmur
%endif
Requires: libsss_nss_idmap-python Requires: libsss_nss_idmap-python
Requires: wget Requires: wget
Requires: dbus-python Requires: dbus-python
Requires: python-setuptools
Conflicts: %{alt_name}-python Conflicts: %{alt_name}-python
Obsoletes: %{alt_name}-python < %{version} Obsoletes: %{alt_name}-python < %{version}
@ -331,10 +348,12 @@ Requires: %{name}-python = %{version}-%{release}
Requires: tar Requires: tar
Requires: xz Requires: xz
Requires: python-nose Requires: python-nose
Requires: pytest >= 2.6
Requires: python-paste Requires: python-paste
Requires: python-coverage Requires: python-coverage
Requires: python-polib Requires: python-polib
Requires: python-paramiko >= 1.7.7 Requires: python-pytest-multihost >= 0.5
Requires: python-pytest-sourceorder
Conflicts: %{alt_name}-tests Conflicts: %{alt_name}-tests
Obsoletes: %{alt_name}-tests < %{version} Obsoletes: %{alt_name}-tests < %{version}
@ -388,6 +407,7 @@ rm -f ipapython/version.py
rm -f ipaplatform/services.py rm -f ipaplatform/services.py
rm -f ipaplatform/tasks.py rm -f ipaplatform/tasks.py
rm -f ipaplatform/paths.py rm -f ipaplatform/paths.py
rm -f ipaplatform/constants.py
make version-update make version-update
cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
@ -410,6 +430,7 @@ rm -f ipapython/version.py
rm -f ipaplatform/services.py rm -f ipaplatform/services.py
rm -f ipaplatform/tasks.py rm -f ipaplatform/tasks.py
rm -f ipaplatform/paths.py rm -f ipaplatform/paths.py
rm -f ipaplatform/constants.py
make version-update make version-update
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
make install DESTDIR=%{buildroot} make install DESTDIR=%{buildroot}
@ -439,6 +460,7 @@ rm %{buildroot}/%{plugin_dir}/libipa_extdom_extop.la
rm %{buildroot}/%{plugin_dir}/libipa_range_check.la rm %{buildroot}/%{plugin_dir}/libipa_range_check.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la rm %{buildroot}/%{plugin_dir}/libipa_otp_counter.la
rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la rm %{buildroot}/%{plugin_dir}/libipa_otp_lasttoken.la
rm %{buildroot}/%{plugin_dir}/libtopology.la
rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la rm %{buildroot}/%{_libdir}/krb5/plugins/kdb/ipadb.la
rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la rm %{buildroot}/%{_libdir}/samba/pdb/ipasam.la
@ -462,6 +484,7 @@ ln -s ../../../..%{_sysconfdir}/ipa/html/browserconfig.html \
# So we can own our Apache configuration # So we can own our Apache configuration
mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/ mkdir -p %{buildroot}%{_sysconfdir}/httpd/conf.d/
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
/bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
mkdir -p %{buildroot}%{_usr}/share/ipa/html/ mkdir -p %{buildroot}%{_usr}/share/ipa/html/
@ -491,6 +514,11 @@ install daemons/dnssec/ipa-ods-exporter %{buildroot}%{_libexecdir}/ipa/ipa-ods-e
# Web UI plugin dir # Web UI plugin dir
mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
# KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
mkdir -p %{buildroot}%{kdcproxy_home}
mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
install -m 644 install/share/kdcproxy.conf %{buildroot}%{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
# NOTE: systemd specific section # NOTE: systemd specific section
mkdir -p %{buildroot}%{_tmpfilesdir} mkdir -p %{buildroot}%{_tmpfilesdir}
install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{name}.conf
@ -499,15 +527,19 @@ install -m 0644 init/systemd/ipa.conf.tmpfiles %{buildroot}%{_tmpfilesdir}/%{nam
mkdir -p %{buildroot}%{_localstatedir}/run/ mkdir -p %{buildroot}%{_localstatedir}/run/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa_memcached/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/ install -d -m 0700 %{buildroot}%{_localstatedir}/run/ipa/
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/clientcaches install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/clientcaches
install -d -m 0700 %{buildroot}%{_localstatedir}/run/httpd/ipa/krbcache
mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5 mkdir -p %{buildroot}%{_libdir}/krb5/plugins/libkrb5
touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
# NOTE: systemd specific section # NOTE: systemd specific section
mkdir -p %{buildroot}%{_unitdir} mkdir -p %{buildroot}%{_unitdir}
mkdir -p %{buildroot}%{etc_systemd_dir}
install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
# END # END
mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
%endif # ONLY_CLIENT %endif # ONLY_CLIENT
@ -549,8 +581,7 @@ fi
%posttrans server %posttrans server
# This must be run in posttrans so that updates from previous # This must be run in posttrans so that updates from previous
# execution that may no longer be shipped are not applied. # execution that may no longer be shipped are not applied.
/usr/sbin/ipa-ldap-updater --upgrade --quiet >/dev/null || : /usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
/usr/sbin/ipa-upgradeconfig --quiet >/dev/null || :
# Restart IPA processes. This must be also run in postrans so that plugins # Restart IPA processes. This must be also run in postrans so that plugins
# and software is in consistent state # and software is in consistent state
@ -581,6 +612,13 @@ if [ -e /usr/sbin/ipa_kpasswd ]; then
# END # END
fi fi
# create kdcproxy user
getent group %{kdcproxy_group} >/dev/null || groupadd -r %{kdcproxy_group}
getent passwd %{kdcproxy_user} >/dev/null || \
/usr/sbin/useradd -r -c "IPA KDC Proxy User" -s /sbin/nologin \
-g %{kdcproxy_group} -d %{kdcproxy_home} %{kdcproxy_user}
exit 0
%postun server-trust-ad %postun server-trust-ad
if [ "$1" -ge "1" ]; then if [ "$1" -ge "1" ]; then
if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
@ -591,6 +629,8 @@ fi
%post server-trust-ad %post server-trust-ad
%{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \ %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
winbind_krb5_locator.so /dev/null 90 winbind_krb5_locator.so /dev/null 90
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
%posttrans server-trust-ad %posttrans server-trust-ad
python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
@ -603,6 +643,8 @@ fi
%preun server-trust-ad %preun server-trust-ad
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
%{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
/bin/systemctl reload-or-try-restart dbus
/bin/systemctl reload-or-try-restart oddjobd
fi fi
%endif # ONLY_CLIENT %endif # ONLY_CLIENT
@ -617,16 +659,14 @@ if [ $1 -gt 1 ] ; then
if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then if ! grep -E -q '/var/lib/sss/pubconf/krb5.include.d/' /etc/krb5.conf 2>/dev/null ; then
echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew echo "includedir /var/lib/sss/pubconf/krb5.include.d/" > /etc/krb5.conf.ipanew
cat /etc/krb5.conf >> /etc/krb5.conf.ipanew cat /etc/krb5.conf >> /etc/krb5.conf.ipanew
mv /etc/krb5.conf.ipanew /etc/krb5.conf mv -Z /etc/krb5.conf.ipanew /etc/krb5.conf
/sbin/restorecon /etc/krb5.conf
fi fi
fi fi
if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then if [ -f '/etc/sysconfig/ntpd' -a $restore -ge 2 ]; then
if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then if grep -E -q 'OPTIONS=.*-u ntp:ntp' /etc/sysconfig/ntpd 2>/dev/null; then
sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew sed -r '/OPTIONS=/ { s/\s+-u ntp:ntp\s+/ /; s/\s*-u ntp:ntp\s*// }' /etc/sysconfig/ntpd >/etc/sysconfig/ntpd.ipanew
mv /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd mv -Z /etc/sysconfig/ntpd.ipanew /etc/sysconfig/ntpd
/sbin/restorecon /etc/sysconfig/ntpd
/bin/systemctl condrestart ntpd.service 2>&1 || : /bin/systemctl condrestart ntpd.service 2>&1 || :
fi fi
@ -672,8 +712,7 @@ if [ -f '/etc/ssh/sshd_config' -a $restore -ge 2 ]; then
' /etc/ssh/sshd_config.ipanew ' /etc/ssh/sshd_config.ipanew
fi fi
mv /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config mv -Z /etc/ssh/sshd_config.ipanew /etc/ssh/sshd_config
/sbin/restorecon /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config chmod 600 /etc/ssh/sshd_config
/bin/systemctl condrestart sshd.service 2>&1 || : /bin/systemctl condrestart sshd.service 2>&1 || :
@ -683,11 +722,12 @@ fi
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
%files server -f server-python.list %files server -f server-python.list
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc COPYING README Contributors.txt %doc README Contributors.txt
%license COPYING
%{_sbindir}/ipa-backup %{_sbindir}/ipa-backup
%{_sbindir}/ipa-restore %{_sbindir}/ipa-restore
%{_sbindir}/ipa-ca-install %{_sbindir}/ipa-ca-install
%{_sbindir}/ipa-dns-install %{_sbindir}/ipa-kra-install
%{_sbindir}/ipa-server-install %{_sbindir}/ipa-server-install
%{_sbindir}/ipa-replica-conncheck %{_sbindir}/ipa-replica-conncheck
%{_sbindir}/ipa-replica-install %{_sbindir}/ipa-replica-install
@ -695,6 +735,7 @@ fi
%{_sbindir}/ipa-replica-manage %{_sbindir}/ipa-replica-manage
%{_sbindir}/ipa-csreplica-manage %{_sbindir}/ipa-csreplica-manage
%{_sbindir}/ipa-server-certinstall %{_sbindir}/ipa-server-certinstall
%{_sbindir}/ipa-server-upgrade
%{_sbindir}/ipa-ldap-updater %{_sbindir}/ipa-ldap-updater
%{_sbindir}/ipa-otptoken-import %{_sbindir}/ipa-otptoken-import
%{_sbindir}/ipa-compat-manage %{_sbindir}/ipa-compat-manage
@ -704,6 +745,7 @@ fi
%{_sbindir}/ipa-upgradeconfig %{_sbindir}/ipa-upgradeconfig
%{_sbindir}/ipa-advise %{_sbindir}/ipa-advise
%{_sbindir}/ipa-cacert-manage %{_sbindir}/ipa-cacert-manage
%{_sbindir}/ipa-winsync-migrate
%{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
%{_libexecdir}/certmonger/ipa-server-guard %{_libexecdir}/certmonger/ipa-server-guard
%{_libexecdir}/ipa-otpd %{_libexecdir}/ipa-otpd
@ -711,12 +753,18 @@ fi
%{_libexecdir}/ipa/ipa-dnskeysyncd %{_libexecdir}/ipa/ipa-dnskeysyncd
%{_libexecdir}/ipa/ipa-dnskeysync-replica %{_libexecdir}/ipa/ipa-dnskeysync-replica
%{_libexecdir}/ipa/ipa-ods-exporter %{_libexecdir}/ipa/ipa-ods-exporter
%{_libexecdir}/ipa/ipa-httpd-kdcproxy
%dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
%dir %attr(0700,%{kdcproxy_user},%{kdcproxy_group}) %{kdcproxy_home}
%config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd %config(noreplace) %{_sysconfdir}/sysconfig/ipa-dnskeysyncd
%config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter %config(noreplace) %{_sysconfdir}/sysconfig/ipa-ods-exporter
%config(noreplace) %{_sysconfdir}/ipa/kdcproxy/kdcproxy.conf
%dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/ %dir %attr(0700,apache,apache) %{_localstatedir}/run/ipa_memcached/
%dir %attr(0700,root,root) %{_localstatedir}/run/ipa/ %dir %attr(0700,root,root) %{_localstatedir}/run/ipa/
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/clientcaches/ %dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/clientcaches/
%dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
# NOTE: systemd specific section # NOTE: systemd specific section
%{_tmpfilesdir}/%{name}.conf %{_tmpfilesdir}/%{name}.conf
%attr(644,root,root) %{_unitdir}/ipa.service %attr(644,root,root) %{_unitdir}/ipa.service
@ -726,10 +774,12 @@ fi
%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service %attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service %attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
%attr(644,root,root) %{etc_systemd_dir}/httpd.service
# END # END
%dir %{python_sitelib}/ipaserver %dir %{python_sitelib}/ipaserver
%dir %{python_sitelib}/ipaserver/install %dir %{python_sitelib}/ipaserver/install
%dir %{python_sitelib}/ipaserver/install/plugins %dir %{python_sitelib}/ipaserver/install/plugins
%dir %{python_sitelib}/ipaserver/install/server
%dir %{python_sitelib}/ipaserver/advise %dir %{python_sitelib}/ipaserver/advise
%dir %{python_sitelib}/ipaserver/advise/plugins %dir %{python_sitelib}/ipaserver/advise/plugins
%dir %{python_sitelib}/ipaserver/plugins %dir %{python_sitelib}/ipaserver/plugins
@ -740,10 +790,13 @@ fi
%{_usr}/share/ipa/copy-schema-to-ca.py* %{_usr}/share/ipa/copy-schema-to-ca.py*
%{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.ldif
%{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.uldif
%{_usr}/share/ipa/*.update
%{_usr}/share/ipa/*.template %{_usr}/share/ipa/*.template
%dir %{_usr}/share/ipa/advise %dir %{_usr}/share/ipa/advise
%dir %{_usr}/share/ipa/advise/legacy %dir %{_usr}/share/ipa/advise/legacy
%{_usr}/share/ipa/advise/legacy/*.template %{_usr}/share/ipa/advise/legacy/*.template
%dir %{_usr}/share/ipa/profiles
%{_usr}/share/ipa/profiles/*.cfg
%dir %{_usr}/share/ipa/ffextension %dir %{_usr}/share/ipa/ffextension
%{_usr}/share/ipa/ffextension/bootstrap.js %{_usr}/share/ipa/ffextension/bootstrap.js
%{_usr}/share/ipa/ffextension/install.rdf %{_usr}/share/ipa/ffextension/install.rdf
@ -798,10 +851,13 @@ fi
%config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html %config(noreplace) %{_sysconfdir}/ipa/html/browserconfig.html
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
%{_usr}/share/ipa/ipa.conf %{_usr}/share/ipa/ipa.conf
%{_usr}/share/ipa/ipa-rewrite.conf %{_usr}/share/ipa/ipa-rewrite.conf
%{_usr}/share/ipa/ipa-pki-proxy.conf %{_usr}/share/ipa/ipa-pki-proxy.conf
%{_usr}/share/ipa/kdcproxy.conf
%ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
@ -824,6 +880,10 @@ fi
%attr(755,root,root) %{plugin_dir}/libipa_range_check.so %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so %attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so %attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
%attr(755,root,root) %{plugin_dir}/libtopology.so
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
%dir %{_localstatedir}/lib/ipa %dir %{_localstatedir}/lib/ipa
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
@ -839,8 +899,9 @@ fi
%{_mandir}/man1/ipa-replica-prepare.1.gz %{_mandir}/man1/ipa-replica-prepare.1.gz
%{_mandir}/man1/ipa-server-certinstall.1.gz %{_mandir}/man1/ipa-server-certinstall.1.gz
%{_mandir}/man1/ipa-server-install.1.gz %{_mandir}/man1/ipa-server-install.1.gz
%{_mandir}/man1/ipa-dns-install.1.gz %{_mandir}/man1/ipa-server-upgrade.1.gz
%{_mandir}/man1/ipa-ca-install.1.gz %{_mandir}/man1/ipa-ca-install.1.gz
%{_mandir}/man1/ipa-kra-install.1.gz
%{_mandir}/man1/ipa-compat-manage.1.gz %{_mandir}/man1/ipa-compat-manage.1.gz
%{_mandir}/man1/ipa-nis-manage.1.gz %{_mandir}/man1/ipa-nis-manage.1.gz
%{_mandir}/man1/ipa-managed-entries.1.gz %{_mandir}/man1/ipa-managed-entries.1.gz
@ -852,24 +913,30 @@ fi
%{_mandir}/man1/ipa-advise.1.gz %{_mandir}/man1/ipa-advise.1.gz
%{_mandir}/man1/ipa-otptoken-import.1.gz %{_mandir}/man1/ipa-otptoken-import.1.gz
%{_mandir}/man1/ipa-cacert-manage.1.gz %{_mandir}/man1/ipa-cacert-manage.1.gz
%{_mandir}/man1/ipa-winsync-migrate.1.gz
%files server-dns
%{_sbindir}/ipa-dns-install
%{_mandir}/man1/ipa-dns-install.1.gz
%files server-trust-ad %files server-trust-ad
%{_sbindir}/ipa-adtrust-install %{_sbindir}/ipa-adtrust-install
%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
%{_usr}/share/ipa/smb.conf.empty %{_usr}/share/ipa/smb.conf.empty
%attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
%{_mandir}/man1/ipa-adtrust-install.1.gz %{_mandir}/man1/ipa-adtrust-install.1.gz
%{python_sitelib}/ipaserver/dcerpc* %{python_sitelib}/ipaserver/dcerpc*
%{python_sitelib}/ipaserver/install/adtrustinstance* %{python_sitelib}/ipaserver/install/adtrustinstance*
%ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
%{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
%{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
%endif # ONLY_CLIENT %endif # ONLY_CLIENT
%files client %files client
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc COPYING README Contributors.txt %doc README Contributors.txt
%license COPYING
%{_sbindir}/ipa-client-install %{_sbindir}/ipa-client-install
%{_sbindir}/ipa-client-automount %{_sbindir}/ipa-client-automount
%{_sbindir}/ipa-certupdate %{_sbindir}/ipa-certupdate
@ -891,18 +958,22 @@ fi
%files admintools %files admintools
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc COPYING README Contributors.txt %doc README Contributors.txt
%license COPYING
%{_bindir}/ipa %{_bindir}/ipa
%config %{_sysconfdir}/bash_completion.d %config %{_sysconfdir}/bash_completion.d
%{_mandir}/man1/ipa.1.gz %{_mandir}/man1/ipa.1.gz
%files python -f %{gettext_domain}.lang %files python -f %{gettext_domain}.lang
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc COPYING README Contributors.txt %doc README Contributors.txt
%license COPYING
%dir %{python_sitelib}/ipapython %dir %{python_sitelib}/ipapython
%{python_sitelib}/ipapython/*.py* %{python_sitelib}/ipapython/*.py*
%dir %{python_sitelib}/ipapython/dnssec %dir %{python_sitelib}/ipapython/dnssec
%{python_sitelib}/ipapython/dnssec/*.py* %{python_sitelib}/ipapython/dnssec/*.py*
%dir %{python_sitelib}/ipapython/install
%{python_sitelib}/ipapython/install/*.py*
%dir %{python_sitelib}/ipalib %dir %{python_sitelib}/ipalib
%{python_sitelib}/ipalib/* %{python_sitelib}/ipalib/*
%dir %{python_sitelib}/ipaplatform %dir %{python_sitelib}/ipaplatform
@ -928,7 +999,8 @@ fi
%if ! %{ONLY_CLIENT} %if ! %{ONLY_CLIENT}
%files tests -f tests-python.list %files tests -f tests-python.list
%defattr(-,root,root,-) %defattr(-,root,root,-)
%doc COPYING README Contributors.txt %doc README Contributors.txt
%license COPYING
%dir %{python_sitelib}/ipatests %dir %{python_sitelib}/ipatests
%dir %{python_sitelib}/ipatests/test_cmdline %dir %{python_sitelib}/ipatests/test_cmdline
%dir %{python_sitelib}/ipatests/test_install %dir %{python_sitelib}/ipatests/test_install
@ -950,6 +1022,9 @@ fi
%endif # ONLY_CLIENT %endif # ONLY_CLIENT
%changelog %changelog
* Mon Sep 7 2015 Petr Vobornik <pvoborni@redhat.com> - 4.2.1-1
- Update to upstream 4.2.1 - see http://www.freeipa.org/page/Releases/4.2.1
* Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.1.4-5 * Wed Jun 17 2015 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 4.1.4-5
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild


@ -1 +1 @@
377b1e6aaf7606bbf484d8f038380336 freeipa-4.1.4.tar.gz 7fe8b04fc855cf5a4df892c7e5ba1674 freeipa-4.2.1.tar.gz