Update to upstream 4.1.3

- see http://www.freeipa.org/page/Releases/4.1.3

.gitignore

@@ -36,3 +36,4 @@
 /freeipa-4.1.0.tar.gz
 /freeipa-4.1.1.tar.gz
 /freeipa-4.1.2.tar.gz
+/freeipa-4.1.3.tar.gz

0001-Support-Samba-PASSDB-0.2.0-aka-interface-version-24.patch

@@ -1,112 +0,0 @@
-From 8f9a26e11b8a7f023de85cf4069f7ab72b2c92f7 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Mon, 12 Jan 2015 13:36:36 +0200
-Subject: [PATCH] Support Samba PASSDB 0.2.0 aka interface version 24
-
-1. Samba project renamed libpdb to libsamba-passdb
-   https://bugzilla.samba.org/show_bug.cgi?id=10355
-
-2. With interface version 24, Samba removed uid_to_sid()/gid_to_sid()
-   from the PASSDB interface and united them as id_to_sid().
-
-Make sure FreeIPA ipa_sam code supports new and old versions of
-the PASSDB API.
-
-https://fedorahosted.org/freeipa/ticket/4778
----
- daemons/configure.ac        | 20 ++++++++++++++++----
- daemons/ipa-sam/Makefile.am |  3 ++-
- daemons/ipa-sam/ipa_sam.c   | 21 +++++++++++++++++++++
- 3 files changed, 39 insertions(+), 5 deletions(-)
-
-diff --git a/daemons/configure.ac b/daemons/configure.ac
-index e81aa60..a62897e 100644
---- a/daemons/configure.ac
-+++ b/daemons/configure.ac
-@@ -170,12 +170,24 @@ PKG_CHECK_MODULES([SAMBAUTIL], [samba-util])
- SAMBA40EXTRA_LIBPATH="-L`$PKG_CONFIG --variable=libdir samba-util`/samba -Wl,-rpath=`$PKG_CONFIG --variable=libdir samba-util`/samba"
- AC_SUBST(SAMBA40EXTRA_LIBPATH)
- 
--AC_CHECK_LIB([pdb],
-+LIBPDB_NAME=""
-+AC_CHECK_LIB([samba-passdb],
-              [make_pdb_method],
--             [HAVE_LIBPDB=1],
--             [AC_MSG_ERROR([libpdb does not have make_pdb_method])],
-+             [LIBPDB_NAME="samba-passdb"; HAVE_LIBPDB=1],
-+             [LIBPDB_NAME="pdb"],
-              [$SAMBA40EXTRA_LIBPATH])
--AC_CHECK_LIB([pdb],[pdb_enum_upn_suffixes],
-+
-+if test "x$LIB_PDB_NAME" = "xpdb" ; then
-+  AC_CHECK_LIB([$LIBPDB_NAME],
-+               [make_pdb_method],
-+               [HAVE_LIBPDB=1],
-+               [AC_MSG_ERROR([Neither libpdb nor libsamba-passdb does have make_pdb_method])],
-+               [$SAMBA40EXTRA_LIBPATH])
-+fi
-+
-+AC_SUBST(LIBPDB_NAME)
-+
-+AC_CHECK_LIB([$LIBPDB_NAME],[pdb_enum_upn_suffixes],
-              [AC_DEFINE([HAVE_PDB_ENUM_UPN_SUFFIXES], [1], [Ability to enumerate UPN suffixes])],
-              [AC_MSG_WARN([libpdb does not have pdb_enum_upn_suffixes, no support for realm domains in ipasam])],
-              [$SAMBA40EXTRA_LIBPATH])
-diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
-index d55a187..46c813a 100644
---- a/daemons/ipa-sam/Makefile.am
-+++ b/daemons/ipa-sam/Makefile.am
-@@ -1,7 +1,8 @@
- NULL =
-+LIBPDB_NAME = @LIBPDB_NAME@
- SAMBA40EXTRA_LIBS = $(SAMBA40EXTRA_LIBPATH)	\
- 			-lsmbldap		\
--			-lpdb			\
-+			-l$(LIBPDB_NAME)			\
- 			-lsmbconf		\
- 			$(NULL)
- 
-diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
-index e711299..07249fd 100644
---- a/daemons/ipa-sam/ipa_sam.c
-+++ b/daemons/ipa-sam/ipa_sam.c
-@@ -1007,6 +1007,22 @@ done:
- 	return ret;
- }
- 
-+#if PASSDB_INTERFACE_VERSION >= 24
-+/* Since version 24, uid_to_sid() and gid_to_sid() were removed in favor of id_to_sid() */
-+static bool ipasam_id_to_sid(struct pdb_methods *methods, struct unixid *id, struct dom_sid *sid)
-+{
-+	bool result = false;
-+
-+	if (id->type != ID_TYPE_GID) {
-+		result = ldapsam_uid_to_sid(methods, id->id, sid);
-+	}
-+	if (!result && id->type != ID_TYPE_UID) {
-+		result = ldapsam_gid_to_sid(methods, id->id, sid);
-+	}
-+
-+	return result;
-+}
-+#endif
- 
- static char *get_ldap_filter(TALLOC_CTX *mem_ctx, const char *username)
- {
-@@ -4579,8 +4595,13 @@ static NTSTATUS pdb_init_ipasam(struct pdb_methods **pdb_method,
- 	(*pdb_method)->search_aliases = ldapsam_search_aliases;
- 	(*pdb_method)->lookup_rids = ldapsam_lookup_rids;
- 	(*pdb_method)->sid_to_id = ldapsam_sid_to_id;
-+#if PASSDB_INTERFACE_VERSION >= 24
-+/* Since version 24, uid_to_sid() and gid_to_sid() were removed in favor of id_to_sid() */
-+	(*pdb_method)->id_to_sid = ipasam_id_to_sid;
-+#else
- 	(*pdb_method)->uid_to_sid = ldapsam_uid_to_sid;
- 	(*pdb_method)->gid_to_sid = ldapsam_gid_to_sid;
-+#endif
- 
- 	(*pdb_method)->capabilities = pdb_ipasam_capabilities;
- 	(*pdb_method)->get_domain_info = pdb_ipasam_get_domain_info;
--- 
-2.1.0
-

0002-ipa-cldap-support-NETLOGON_NT_VERSION_5EX_WITH_IP-pr-1.patch

@@ -1,74 +0,0 @@
-From f21579f3ce38656e6fb9ffeb1d14c28967d202cf Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Thu, 15 Jan 2015 13:11:01 +0200
-Subject: [PATCH 2/3] ipa-cldap: support NETLOGON_NT_VERSION_5EX_WITH_IP
- properly
-
-According to MS-ADTS 6.3.3.2, "Domain Controller Response to an LDAP Ping",
-if NETLOGON_NT_VERSION_5EX_WITH_IP is requested in NtVer, we should fill the
-socket address of the server and set the NtVer of the response accordingly.
-
-The behavior is a bit unclear from 6.3.3.2 but Samba expects LDAP ping to behave
-the same way as a mailslot ping, described in 6.3.5, where socket address of the
-server is included only if _WITH_IP variant was requested in NtVer.  If NtVer
-only contains NETLOGON_NT_VERSION_5EX (without _WITH_IP bit), socket
-address should not be filled in.
-
-Additionally, this means we should use special variant of
-ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX helper named
-ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags to properly handle optional
-existence of the socket address in the response.
-
-https://fedorahosted.org/freeipa/ticket/4827
----
- .../ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c  | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
-index 1d16de7..5863f66 100644
---- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
-+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
-@@ -154,7 +154,7 @@ char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s)
- }
- 
- #define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \
--            (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX
-+            (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX_with_flags
- 
- static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
-                                      char *guid, char *sid, char *name,
-@@ -170,7 +170,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
-         return ENOMEM;
-     }
- 
--    if (!(ntver & NETLOGON_NT_VERSION_5EX)) {
-+    if (!(ntver & (NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_5EX_WITH_IP))) {
-         ret = EINVAL;
-         goto done;
-     }
-@@ -197,12 +197,17 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
-     nlr->server_site = "Default-First-Site-Name";
-     nlr->client_site = "Default-First-Site-Name";
-     /* nlr->sockaddr_size (filled in by ndr_push) */
--    nlr->sockaddr.sockaddr_family = 2;
--    nlr->sockaddr.pdc_ip = "127.0.0.1";
--    nlr->sockaddr.remaining.length = 8;
--    nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
--    /* nlr->next_closest_site */
-+
-     nlr->nt_version = NETLOGON_NT_VERSION_5EX|NETLOGON_NT_VERSION_1;
-+    if (ntver & NETLOGON_NT_VERSION_5EX_WITH_IP) {
-+        nlr->nt_version |= NETLOGON_NT_VERSION_5EX_WITH_IP;
-+        nlr->sockaddr.sockaddr_family = 2;
-+        nlr->sockaddr.pdc_ip = "127.0.0.1";
-+        nlr->sockaddr.remaining.length = 8;
-+        nlr->sockaddr.remaining.data = talloc_zero_size(nlr, 8);
-+    }
-+
-+    /* nlr->next_closest_site */
-     nlr->lmnt_token = 0xFFFF;
-     nlr->lm20_token = 0xFFFF;
- 
--- 
-2.1.0
-

freeipa.spec

@@ -19,25 +19,23 @@
 %global platform_module fedora
 %endif
 
-%global VERSION 4.1.2
+%global VERSION 4.1.3
 
 %define _hardened_build 1
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        2%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
 License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
-Patch0:         0001-Support-Samba-PASSDB-0.2.0-aka-interface-version-24.patch
-Patch1:         0002-ipa-cldap-support-NETLOGON_NT_VERSION_5EX_WITH_IP-pr-1.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.3.5
+BuildRequires:  389-ds-base-devel >= 1.3.3.8
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= 2.1.12-5
 BuildRequires:  systemd-units
@@ -110,7 +108,7 @@ Group: System Environment/Base
 Requires: %{name}-python = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.3.5
+Requires: 389-ds-base >= 1.3.3.8
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -139,12 +137,9 @@ Requires: slapi-nis >= 0.54.1-1
 # pki-ca 10.1.2-4 contains patches required by FreeIPA 4.1
 # The goal is to lower the requirement of pki-ca in Fedora 20
 # and CentOS until packaging of it's requirements is finished.
-Requires: pki-ca >= 10.1.2-4
+Requires: pki-ca >= 10.1.2-5
 %else
-Requires: pki-ca >= 10.2.0-3
+Requires: pki-ca >= 10.2.1-0.2
-%endif
-%if 0%{?rhel}
-Requires: subscription-manager
 %endif
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
@@ -153,7 +148,7 @@ Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.76.8
-Requires(pre): 389-ds-base >= 1.3.3.5
+Requires(pre): 389-ds-base >= 1.3.3.8
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
@@ -238,7 +233,7 @@ Requires: pam_krb5
 Requires: wget
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
-Requires: sssd >= 1.12.2
+Requires: sssd >= 1.12.3
 Requires: certmonger >= 0.76.8
 Requires: nss-tools
 Requires: bind-utils
@@ -295,8 +290,10 @@ Requires: python-netaddr
 Requires: libipa_hbac-python
 Requires: python-qrcode-core >= 5.0.0
 Requires: python-pyasn1
-Requires: python-dateutil15
+Requires: python-dateutil
 Requires: python-yubico
+Requires: wget
+Requires: dbus-python
 
 Conflicts: %{alt_name}-python
 Obsoletes: %{alt_name}-python < %{version}
@@ -689,6 +686,7 @@ fi
 %{_sbindir}/ipa-advise
 %{_sbindir}/ipa-cacert-manage
 %{_libexecdir}/certmonger/dogtag-ipa-ca-renew-agent-submit
+%{_libexecdir}/certmonger/ipa-server-guard
 %{_libexecdir}/ipa-otpd
 %dir %{_libexecdir}/ipa
 %{_libexecdir}/ipa/ipa-dnskeysyncd
@@ -932,6 +930,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Wed Feb 18 2015 Petr Vobornik <pvoborni@redhat.com> - 4.1.3-1
+- Update to upstream 4.1.3 - see http://www.freeipa.org/page/Releases/4.1.3
+
 * Mon Jan 19 2015 Alexander Bokovoy <abokovoy@redhat.com> - 4.1.2-2
 - Fix broken build after Samba ABI change and rename of libpdb to libsamba-passdb
 - Use python-dateutil15 until we validate python-dateutil 2.x

sources

@@ -1 +1 @@
-f40681838166b72a038380a7ad623dae  freeipa-4.1.2.tar.gz
+b416ad6738440c3f112820e227e4e7b6  freeipa-4.1.3.tar.gz