ipa-4.13.1-1
- Resolves: RHEL-140587 Support replaceable WebUI artwork for RHEL and CentOS
- Resolves: RHEL-113778 Command that retrieve and install new CA certificates
- Resolves: RHEL-141296 AddressSanitizer: SEGV ipa-pwd-extop/common.c:584 in ipapwd_gen_checks
- Resolves: RHEL-141011 Include latest fixes in python3-ipatests package
- Resolves: RHEL-119339 Memory leaks in IPA plugins

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
parent 2afa3fe731
commit fd81c0a70e
2
.gitignore
vendored
@ -140,3 +140,5 @@
|
||||
/freeipa-4.12.2.tar.gz.asc
|
||||
/freeipa-4.13.0.tar.gz
|
||||
/freeipa-4.13.0.tar.gz.asc
|
||||
/freeipa-4.13.1.tar.gz
|
||||
/freeipa-4.13.1.tar.gz.asc
|
||||
|
||||
@ -1,51 +0,0 @@
|
||||
From f274df651ff8c352527c78f837cdff02e8eaa8f6 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 4 Dec 2025 13:13:21 +0100
|
||||
Subject: [PATCH] Trust: fix tdo with WITH_FOREST
|
||||
|
||||
When a trust was established pre samba 4.23, the trust domain object
|
||||
could contain ipanttrustattributes: 8 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)
|
||||
This value prevents winbind restart.
|
||||
|
||||
The current code replaces 0 with LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
|
||||
but should also handle the case for LSA_TRUST_ATTRIBUTE_WITHIN_FOREST.
|
||||
In this case we should drop the bit and replace it by FOREST_TRANSITIVE
|
||||
one because otherwise Samba will skip the domain. Do not change the LDAP
|
||||
representation to allow older replicas to continue operations.
|
||||
|
||||
Fixes: https://pagure.io/freeipa/issue/9892
|
||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
||||
---
|
||||
daemons/ipa-sam/ipa_sam.c | 15 +++++++++++----
|
||||
1 file changed, 11 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
|
||||
index c43ffddbbdd69123b5d568a937fbc12d138243d1..ea25934d569f378f41b386bbb57d33eaf2bb19c0 100644
|
||||
--- a/daemons/ipa-sam/ipa_sam.c
|
||||
+++ b/daemons/ipa-sam/ipa_sam.c
|
||||
@@ -2545,10 +2545,17 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx,
|
||||
if (!res) {
|
||||
goto done;
|
||||
}
|
||||
- if (td->trust_attributes == 0 && (td->domain_name != dns_domain)) {
|
||||
- /* attribute wasn't present and this is not a subdomain within
|
||||
- * the parent forest */
|
||||
- td->trust_attributes = LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
|
||||
+ if (td->domain_name != dns_domain) {
|
||||
+ if ((td->trust_attributes & LSA_TRUST_ATTRIBUTE_WITHIN_FOREST) != 0 ||
|
||||
+ (td->trust_attributes == 0)) {
|
||||
+ /* when trust attribute is not present or contains WITHIN_FOREST,
|
||||
+ * we should drop the bit and replace it by FOREST_TRANSITIVE
|
||||
+ * one because otherwise Samba will skip the domain.
|
||||
+ * Do not change the LDAP representation to allow older replicas
|
||||
+ * to continue operations. */
|
||||
+ td->trust_attributes &= ~LSA_TRUST_ATTRIBUTE_WITHIN_FOREST;
|
||||
+ td->trust_attributes |= LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE;
|
||||
+ }
|
||||
}
|
||||
|
||||
res = get_uint32_t_from_ldap_msg(ipasam_state, entry,
|
||||
--
|
||||
2.52.0
|
||||
|
||||
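Review bot: In the `fill_pdb_trusted_domain` hunk, the outer condition `td->domain_name != dns_domain` is carried over from the removed line, and the declarations are not visible here; if both operands are `char *`, this compares addresses rather than domain names, so the new WITHIN_FOREST branch would run or be skipped based on pointer identity. Please confirm which is intended and either switch to a string comparison or add a comment saying pointer identity is deliberate. Since the rewritten `trust_attributes` value intentionally differs from what stays in LDAP, a debug-level log line in this branch would also help when the stored and effective values are compared during troubleshooting.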
@ -1,65 +0,0 @@
|
||||
From 41067f9506e8548a4f5ef11dca675fee741a4436 Mon Sep 17 00:00:00 2001
|
||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Date: Thu, 4 Dec 2025 12:58:38 +0100
|
||||
Subject: [PATCH] ipatest: add an integration test for samba upgrade
|
||||
|
||||
When a trust was establish pre samba 4.23, the trust domain object
|
||||
could contain ipanttrustattributes = 40 (LSA_TRUST_ATTRIBUTE_WITHIN_FOREST)
|
||||
and winbind would fail to restart after an upgrade to samba 4.23.
|
||||
|
||||
Add a test simulating the situation and calling ipa-server-upgrade
|
||||
|
||||
Related: https://pagure.io/freeipa/issue/9892
|
||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
||||
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
|
||||
---
|
||||
ipatests/test_integration/test_trust.py | 33 +++++++++++++++++++++++++
|
||||
1 file changed, 33 insertions(+)
|
||||
|
||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
||||
index 7bb74e2f5821719ffe2ceaf2bdcd8e7d46a6cd1f..13ad0afa4c1fb032d50f40cf7cb9b79283203225 100644
|
||||
--- a/ipatests/test_integration/test_trust.py
|
||||
+++ b/ipatests/test_integration/test_trust.py
|
||||
@@ -1009,6 +1009,39 @@ class TestTrust(BaseTestTrust):
|
||||
tasks.unconfigure_windows_dns_for_trust(self.ad, self.master)
|
||||
tasks.unconfigure_dns_for_trust(self.master, self.ad)
|
||||
|
||||
+ def test_upgrade_within_forest(self):
|
||||
+ """
|
||||
+ Simulate an upgrade from a trust established with samba pre 4.23
|
||||
+
|
||||
+ With older samba version, the trust domain object had
|
||||
+ ipanttrustattributes: 8
|
||||
+ corresponding to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
|
||||
+ and this breaks ipa-upgrade (winbind fails to restart)
|
||||
+ """
|
||||
+
|
||||
+ tasks.configure_dns_for_trust(self.master, self.ad)
|
||||
+ tasks.configure_windows_dns_for_trust(self.ad, self.master)
|
||||
+ tasks.establish_trust_with_ad(
|
||||
+ self.master, self.ad_domain,
|
||||
+ extra_args=['--range-type', 'ipa-ad-trust'])
|
||||
+
|
||||
+ conn = self.master.ldap_connect()
|
||||
+ trust_dn = DN("cn={},cn=ad,cn=trusts,{}".format(
|
||||
+ self.ad.domain.name, self.master.domain.basedn
|
||||
+ ))
|
||||
+ entry = conn.get_entry(trust_dn)
|
||||
+
|
||||
+ # set the trust attributes to LSA_TRUST_ATTRIBUTE_WITHIN_FOREST
|
||||
+ entry.single_value['ipanttrustattributes'] = '40'
|
||||
+ conn.update_entry(entry)
|
||||
+ self.master.run_command(['ipa-server-upgrade'])
|
||||
+ self.master.run_command(['ipactl', 'restart'])
|
||||
+
|
||||
+ # cleanup for next test
|
||||
+ self.remove_trust(self.ad)
|
||||
+ tasks.unconfigure_windows_dns_for_trust(self.ad, self.master)
|
||||
+ tasks.unconfigure_dns_for_trust(self.master, self.ad)
|
||||
+
|
||||
def test_server_option_with_unreachable_ad(self):
|
||||
"""
|
||||
Check trust can be established with partially unreachable AD topology
|
||||
--
|
||||
2.52.0
|
||||
|
||||
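Review bot: In `test_upgrade_within_forest`, the docstring says the old trust object had `ipanttrustattributes: 8`, but the test writes `'40'` under a comment that calls it LSA_TRUST_ATTRIBUTE_WITHIN_FOREST; the commit message of this patch also says 40 while the companion fix's message says 8. Align the docstring, comment and messages on one value and state whether it is the single WITHIN_FOREST bit or a combination of bits. The cleanup at the end only runs if `ipa-server-upgrade` and `ipactl restart` succeed, so consider moving it into a `finally` block so a failure does not leave the trust and DNS configuration behind for the following tests.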
32
freeipa.spec
@ -221,7 +221,7 @@
|
||||
|
||||
# Work-around fact that RPM SPEC parser does not accept
|
||||
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
|
||||
%define IPA_VERSION 4.13.0
|
||||
%define IPA_VERSION 4.13.1
|
||||
# Release candidate version -- uncomment with one percent for RC versions
|
||||
#%%global rc_version
|
||||
%define AT_SIGN @
|
||||
@ -262,8 +262,6 @@ Source2: gpgkey-0E63D716D76AC080A4A33513F40800B6298EB963.asc
|
||||
# RHEL spec file only: START
|
||||
%if %{NON_DEVELOPER_BUILD}
|
||||
%if 0%{?rhel} >= 9
|
||||
Patch0001: 0001-Trust-fix-tdo-with-WITH_FOREST.patch
|
||||
Patch0002: 0002-ipatest-add-an-integration-test-for-samba-upgrade.patch
|
||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||
%endif
|
||||
%endif
|
||||
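Review bot: The `Patch0001` and `Patch0002` lines are dropped here and both patch files are deleted, but neither the commit message nor the new `%changelog` entry says why. If they are dropped because the 4.13.1 tarball already contains both changes, say so in the changelog and reference the upstream issue 9892 named in the patches, so the removal of the winbind restart fix can be audited later.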
@ -610,18 +608,18 @@ Provides: bundled(npm(cookie)) = 1.0.2
|
||||
Provides: bundled(npm(csstype)) = 3.1.3
|
||||
Provides: bundled(npm(file-selector)) = 2.1.2
|
||||
Provides: bundled(npm(focus-trap)) = 7.6.4
|
||||
Provides: bundled(npm(freeipa-webui)) = 0.1.6
|
||||
Provides: bundled(npm(freeipa-webui)) = 0.1.9
|
||||
Provides: bundled(npm(immer)) = 10.1.1
|
||||
Provides: bundled(npm(js-tokens)) = 4.0.0
|
||||
Provides: bundled(npm(lodash)) = 4.17.21
|
||||
Provides: bundled(npm(loose-envify)) = 1.4.0
|
||||
Provides: bundled(npm(object-assign)) = 4.1.1
|
||||
Provides: bundled(npm(@patternfly/patternfly)) = 6.3.0
|
||||
Provides: bundled(npm(@patternfly/react-core)) = 6.3.0
|
||||
Provides: bundled(npm(@patternfly/react-icons)) = 6.3.0
|
||||
Provides: bundled(npm(@patternfly/react-styles)) = 6.3.0
|
||||
Provides: bundled(npm(@patternfly/react-table)) = 6.3.0
|
||||
Provides: bundled(npm(@patternfly/react-tokens)) = 6.3.0
|
||||
Provides: bundled(npm(@patternfly/patternfly)) = 6.3.1
|
||||
Provides: bundled(npm(@patternfly/react-core)) = 6.3.1
|
||||
Provides: bundled(npm(@patternfly/react-icons)) = 6.3.1
|
||||
Provides: bundled(npm(@patternfly/react-styles)) = 6.3.1
|
||||
Provides: bundled(npm(@patternfly/react-table)) = 6.3.1
|
||||
Provides: bundled(npm(@patternfly/react-tokens)) = 6.3.1
|
||||
Provides: bundled(npm(prop-types)) = 15.8.1
|
||||
Provides: bundled(npm(qrcode.react)) = 4.2.0
|
||||
Provides: bundled(npm(react)) = 18.3.1
|
||||
@ -629,8 +627,7 @@ Provides: bundled(npm(react-dom)) = 18.3.1
|
||||
Provides: bundled(npm(react-dropzone)) = 14.3.8
|
||||
Provides: bundled(npm(react-is)) = 16.13.1
|
||||
Provides: bundled(npm(react-redux)) = 9.2.0
|
||||
Provides: bundled(npm(react-router)) = 7.6.2
|
||||
Provides: bundled(npm(react-router-dom)) = 7.6.2
|
||||
Provides: bundled(npm(react-router)) = 7.12.0
|
||||
Provides: bundled(npm(redux)) = 5.0.1
|
||||
Provides: bundled(npm(@reduxjs/toolkit)) = 2.6.1
|
||||
Provides: bundled(npm(redux-thunk)) = 3.1.0
|
||||
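Review bot: The `bundled(npm(react-router-dom))` Provides disappears in this hunk while `react-router` moves from 7.6.2 to 7.12.0, and the changelog entry does not mention any bundled npm updates. Since these `Provides: bundled(...)` lines are what dependency and vulnerability tracking keys on, please confirm against the lock file of the bundled freeipa-webui that react-router-dom is really no longer shipped, and note the webui bump in the changelog.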
@ -638,6 +635,7 @@ Provides: bundled(npm(reselect)) = 5.1.1
|
||||
Provides: bundled(npm(scheduler)) = 0.23.2
|
||||
Provides: bundled(npm(set-cookie-parser)) = 2.7.1
|
||||
Provides: bundled(npm(tabbable)) = 6.2.0
|
||||
Provides: bundled(npm(tiny-invariant)) = 1.3.3
|
||||
Provides: bundled(npm(tslib)) = 2.8.1
|
||||
Provides: bundled(npm(@types/prop-types)) = 15.7.14
|
||||
Provides: bundled(npm(@types/react)) = 18.3.20
|
||||
@ -1173,6 +1171,9 @@ rm -f %{buildroot}%{_usr}/share/ipa/ui/images/header-logo.png
|
||||
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-background.jpg
|
||||
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
|
||||
rm -f %{buildroot}%{_usr}/share/ipa/ui/images/product-name.png
|
||||
rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/header-logo.png
|
||||
rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/login-screen-background.jpg
|
||||
rm -f %{buildroot}%{_usr}/share/ipa/modern-ui/assets/images/product-name.png
|
||||
%endif
|
||||
# RHEL spec file only: END
|
||||
|
||||
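Review bot: The three new `rm -f` lines for `modern-ui/assets/images` cover `header-logo.png`, `login-screen-background.jpg` and `product-name.png`, but not a counterpart of `login-screen-logo.png`, which is removed for the legacy `ui/images` directory just above. If the modern WebUI ships a login-screen logo, add the matching `rm -f`; if it does not, a short comment would make the asymmetry obviously intentional. Because `rm -f` stays silent when a path is missing, a renamed upstream asset would also pass the build unnoticed.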
@ -1978,6 +1979,13 @@ fi
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Jan 16 2026 Florence Blanc-Renaud <flo@redhat.com> - 4.13.1-1
|
||||
- Resolves: RHEL-140587 Support replaceable WebUI artwork for RHEL and CentOS
|
||||
- Resolves: RHEL-113778 Command that retrieve and install new CA certificates
|
||||
- Resolves: RHEL-141296 AddressSanitizer: SEGV ipa-pwd-extop/common.c:584 in ipapwd_gen_checks
|
||||
- Resolves: RHEL-141011 Include latest fixes in python3-ipatests package
|
||||
- Resolves: RHEL-119339 Memory leaks in IPA plugins
|
||||
|
||||
* Mon Dec 08 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.13.0-1
|
||||
- Resolves: RHEL-120956 Rebase ipa to latest 4.13.x version for RHEL 10.2
|
||||
- Resolves: RHEL-90121 Add modern WebUI as submodule and enable routing in Apache
|
||||
|
||||
4
sources
@ -1,2 +1,2 @@
|
||||
SHA512 (freeipa-4.13.0.tar.gz) = 4fba303c828e1f0abb42b549ccc7163f0b477e61892f42ed431ed80003d1159b78786500ec56ab8e35eaa3ee27a1c0dd8e8afafa867a23beec387694487fcc5a
|
||||
SHA512 (freeipa-4.13.0.tar.gz.asc) = 870644bb28b7857a891b10f43b403145d07adf510abd0172b29f7e0713ad54263705c547a8f0050d08ef43a1f84a512fafbd0cdb263cf7f03128ab5e49f38ce4
|
||||
SHA512 (freeipa-4.13.1.tar.gz) = 78d7675aa49e9a3323b36fd225e0f2aebfb0df58bff4f232cce96933dbe250a90bf062d64d1838b2ab84cb0764537646a7441c7c643672e2757a5501871d6311
|
||||
SHA512 (freeipa-4.13.1.tar.gz.asc) = ddde77e1bd04440f3aeb0fb1f28b017e8374f586c9287b6805fa482161e44bed7fc502a7dbb38bbf6dc7ac5013c353c950ba27148ffe915b88a7a746fb4e4f95
|
||||
|
||||