diff --git a/.gitignore b/.gitignore
index 0d79b72..eb2d875 100644
--- a/.gitignore
+++ b/.gitignore
@@ -42,3 +42,4 @@
 /freeipa-4.2.2.tar.gz
 /freeipa-4.2.3.tar.gz
 /freeipa-4.3.0.tar.gz
+/freeipa-4.3.1.tar.gz
diff --git a/0002-IPA-SAM-Fix-build-with-samba-4.4.patch b/0002-IPA-SAM-Fix-build-with-samba-4.4.patch
deleted file mode 100644
index bb97546..0000000
--- a/0002-IPA-SAM-Fix-build-with-samba-4.4.patch
+++ /dev/null
@@ -1,54 +0,0 @@ ->From f9057ca98557094a4db84ac072ee9efd02a4ff79 Mon Sep 17 00:00:00 2001 -From: Lukas Slebodnik -Date: Fri, 29 Jan 2016 10:40:18 +0100 -Subject: [PATCH 1/3] IPA-SAM: Fix build with samba 4.4 - -samba_util.h is not shipped with samba-4.4 -and it was indirectly included by "ndr.h" - -Some functions have prototypes in different header file -"util/talloc_stack.h" and other does not have declarations -in other header file. But they are still part of libsamba-util.so - -sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup" -0000000000022200 g DF .text 000000000000001f SAMBA_UTIL_0.0.1 smb_xstrdup -00000000000223b0 g DF .text 000000000000019d SAMBA_UTIL_0.0.1 trim_string - -ipa_sam.c: In function 'ldapsam_uid_to_sid': -ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe' - [-Wimplicit-function-declaration] - TALLOC_CTX *tmp_ctx = talloc_stackframe(); - ^ -ipa_sam.c: In function 'pdb_init_ipasam': -ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string' - [-Wimplicit-function-declaration] - trim_string( uri, "\"", "\"" ); - ^ -ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup' - [-Wimplicit-function-declaration] - ldap_state->domain_dn = smb_xstrdup(dn); - ^ ---- - daemons/ipa-sam/ipa_sam.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c -index 7274d600b532f1066661e8a614a47eea7632ed70..871775b0a19e9c273652ff7a0b497d86bb866aa6 100644 ---- a/daemons/ipa-sam/ipa_sam.c -+++ b/daemons/ipa-sam/ipa_sam.c -@@ -19,6 +19,12 @@ - #include - #include - #include -+#include -+ -+#ifndef _SAMBA_UTIL_H_ -+bool trim_string(char *s, const char *front, const char *back); -+char *smb_xstrdup(const char *s); -+#endif - - #include - #include --- -2.5.0 - 
diff --git a/0003-replica-promotion-fix-AVC-denials-in-remote-connecti.patch b/0003-replica-promotion-fix-AVC-denials-in-remote-connecti.patch deleted file mode 100644 index 33c2a75..0000000 --- a/0003-replica-promotion-fix-AVC-denials-in-remote-connecti.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From af50dbca408aa83be2356f81b0e531f5cf8ca4b2 Mon Sep 17 00:00:00 2001 -From: Jan Cholasta -Date: Fri, 15 Jan 2016 08:07:21 +0100 -Subject: [PATCH] replica promotion: fix AVC denials in remote connection check - -Also move com.redhat.idm.trust-fetch-domains to /usr/libexec/ipa/oddjob. - -https://fedorahosted.org/freeipa/ticket/5550 ---- - freeipa.spec.in | 7 ++----- - install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 2 +- - 2 files changed, 3 insertions(+), 6 deletions(-) - -diff --git a/freeipa.spec.in b/freeipa.spec.in -index c8a5216..54a11bf 100644 ---- a/freeipa.spec.in -+++ b/freeipa.spec.in -@@ -14,7 +14,7 @@ - %global selinux_policy_version 3.12.1-153 - %else - %global samba_version 2:4.0.5-1 --%global selinux_policy_version 3.13.1-128.6 -+%global selinux_policy_version 3.13.1-158.4 - %endif - - %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+') -@@ -698,9 +698,6 @@ make client-install DESTDIR=%{buildroot} - mkdir -p %{buildroot}%{_usr}/share/ipa - - %if ! 
%{ONLY_CLIENT} --# FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1289930 --mv %{buildroot}%{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains %{buildroot}%{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains -- - # Remove .la files from libtool - we don't want to package - # these files - rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la -@@ -1224,7 +1221,7 @@ fi - %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so - %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf - %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf --%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains -+%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains - - %endif # ONLY_CLIENT - -diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf -index 17817de..bc2e8d1 100644 ---- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf -+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf -@@ -10,7 +10,7 @@ - - - -- --- -2.5.0 - diff --git a/freeipa.spec b/freeipa.spec index 85ffe5b..ce71bfc 100644 --- a/freeipa.spec +++ b/freeipa.spec @@ -30,13 +30,13 @@ %global platform_module fedora %endif -%global VERSION 4.3.0 +%global VERSION 4.3.1 %define _hardened_build 1 Name: freeipa Version: %{VERSION} -Release: 3%{?dist} +Release: 1%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -46,8 +46,6 @@ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Patch0001: 0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch -Patch0002: 0002-IPA-SAM-Fix-build-with-samba-4.4.patch -Patch0003: 0003-replica-promotion-fix-AVC-denials-in-remote-connecti.patch %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.4.4 
@@ -79,7 +77,7 @@ BuildRequires: python-devel
 BuildRequires: python-ldap
 BuildRequires: python-setuptools
 BuildRequires: python-nss
-BuildRequires: python-cryptography
+BuildRequires: python-cryptography >= 0.9
 BuildRequires: m2crypto
 BuildRequires: python-netaddr
 BuildRequires: python-gssapi >= 1.1.2
@@ -102,9 +100,7 @@ BuildRequires: systemd
 BuildRequires: libunistring-devel
 BuildRequires: python-lesscpy
 BuildRequires: python-yubico >= 1.2.3
-BuildRequires: softhsm-devel >= 2.0.0rc1-1
 BuildRequires: openssl-devel
-BuildRequires: p11-kit-devel
 BuildRequires: pki-base >= 10.2.6
 BuildRequires: python-pytest-multihost >= 0.5
 BuildRequires: python-pytest-sourceorder
@@ -141,7 +137,7 @@ Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaserver = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.4.4
+Requires: 389-ds-base >= 1.3.4.6
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -164,16 +160,16 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.54.2-1
-Requires: pki-ca >= 10.2.6-12
-Requires: pki-kra >= 10.2.6-12
+Requires: slapi-nis >= 0.55-1
+Requires: pki-ca >= 10.2.6-13
+Requires: pki-kra >= 10.2.6-13
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.78
-Requires(pre): 389-ds-base >= 1.3.4.4
+Requires(pre): 389-ds-base >= 1.3.4.6
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
@@ -223,6 +219,7 @@ Requires: python-pyasn1 Requires: dbus-python Requires: python-dns >= 1.11.1 Requires: python-kdcproxy >= 0.3 +Requires: rpm-libs %description -n python2-ipaserver IPA is an integrated solution to provide centrally managed Identity (users, @@ -281,6 +278,9 @@ Obsoletes: %{alt_name}-server-dns < %{version} # upgrade path from monolithic -server to -server + -server-dns Obsoletes: %{name}-server <= 4.2.0 +# FreeIPA does not support running integrated BIND in chroot jail +Conflicts: bind-chroot + %description server-dns IPA integrated DNS server with support for automatic DNSSEC signing. Integrated DNS server is BIND 9. OpenDNSSEC provides key management. @@ -333,7 +333,7 @@ Requires: pam_krb5 Requires: curl Requires: libcurl >= 7.21.7-2 Requires: xmlrpc-c >= 1.27.4 -Requires: sssd >= 1.13.1 +Requires: sssd >= 1.13.3-5 Requires: python-sssdconfig Requires: certmonger >= 0.78 Requires: nss-tools 
@@ -380,6 +380,30 @@ If your network uses IPA for authentication, this package should be installed on every client machine. +%if 0%{?with_python3} + +%package -n python3-ipaclient +Summary: Python libraries used by IPA client +Group: System Environment/Libraries +BuildArch: noarch +%{?python_provide:%python_provide python3-ipaclient} +Requires: %{name}-client-common = %{version}-%{release} +Requires: %{name}-common = %{version}-%{release} +Requires: python3-ipalib = %{version}-%{release} +Requires: python3-dns >= 1.11.1 + +%description -n python3-ipaclient +IPA is an integrated solution to provide centrally managed Identity (users, +hosts, services), Authentication (SSO, 2FA), and Authorization +(host access control, SELinux user roles, services). The solution provides +features for further integration with Linux based clients (SUDO, automount) +and integration with Active Directory based infrastructures (Trusts). +If your network uses IPA for authentication, this package should be +installed on every client machine. + +%endif # with_python3 + + %package client-common Summary: Common files used by IPA client Group: System Environment/Base @@ -451,9 +475,9 @@ python2-ipalib and %{name}-common. Packages still depending on %package -n python2-ipalib Summary: Python libraries used by IPA Group: System Environment/Libraries +BuildArch: noarch Conflicts: %{name}-python < %{version}-%{release} %{?python_provide:%python_provide python2-ipalib} -%{?python_provide:%{?_isa:%python_provide python2-ipalib%{_isa}}} Provides: python2-ipapython = %{version}-%{release} %{?python_provide:%python_provide python2-ipapython} Provides: python2-ipaplatform = %{version}-%{release} @@ -465,7 +489,7 @@ Requires: iproute Requires: keyutils Requires: pyOpenSSL Requires: python-nss >= 0.16 -Requires: python-cryptography +Requires: python-cryptography >= 0.9 Requires: m2crypto Requires: python-lxml Requires: python-netaddr 
@@ -480,6 +504,7 @@ Requires: dbus-python Requires: python-setuptools Requires: python-six Requires: python-jwcrypto +Requires: python-cffi Conflicts: %{alt_name}-python < %{version} @@ -497,8 +522,8 @@ If you are using IPA, you need to install this package. %package -n python3-ipalib Summary: Python3 libraries used by IPA Group: System Environment/Libraries +BuildArch: noarch %{?python_provide:%python_provide python3-ipalib} -%{?python_provide:%{?_isa:%python_provide python3-ipalib%{_isa}}} Provides: python3-ipapython = %{version}-%{release} %{?python_provide:%python_provide python3-ipapython} Provides: python3-ipaplatform = %{version}-%{release} @@ -524,6 +549,7 @@ Requires: python3-dbus Requires: python3-setuptools Requires: python3-six Requires: python3-jwcrypto +Requires: python3-cffi %description -n python3-ipalib IPA is an integrated solution to provide centrally managed Identity (users, @@ -576,6 +602,7 @@ Requires: python-coverage Requires: python-polib Requires: python-pytest-multihost >= 0.5 Requires: python-pytest-sourceorder +Requires: ldns-utils Provides: %{alt_name}-tests = %{version} Conflicts: %{alt_name}-tests @@ -606,6 +633,7 @@ Requires: python3-coverage Requires: python3-polib Requires: python3-pytest-multihost >= 0.5 Requires: python3-pytest-sourceorder +Requires: ldns-utils %description -n python3-ipatests IPA is an integrated solution to provide centrally managed Identity (users, 
@@ -662,16 +690,12 @@ rm -f ipaplatform/tasks.py rm -f ipaplatform/paths.py rm -f ipaplatform/constants.py make version-update -cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. +cd client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. %if ! %{ONLY_CLIENT} cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd .. cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd .. %endif # ONLY_CLIENT -%if 0%{?with_python3} -(cd ipapython/ipap11helper && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all) -%endif - %if ! %{ONLY_CLIENT} make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all %else @@ -726,6 +750,7 @@ make client-install DESTDIR=%{buildroot} (cd ipalib && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install) (cd ipapython && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install) (cd ipaplatform && %{__python3} setup.py install --root %{buildroot}) +(cd ipaclient && %{__python3} setup.py install --root %{buildroot}) %endif # with_python3 %find_lang %{gettext_domain} 
@@ -877,15 +902,18 @@ fi %posttrans server -# This must be run in posttrans so that updates from previous -# execution that may no longer be shipped are not applied. -/usr/sbin/ipa-server-upgrade --quiet >/dev/null || : - -# Restart IPA processes. This must be also run in postrans so that plugins -# and software is in consistent state +# don't execute upgrade and restart of IPA when server is not installed python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1 -# NOTE: systemd specific section + if [ $? -eq 0 ]; then + # This must be run in posttrans so that updates from previous + # execution that may no longer be shipped are not applied. + /usr/sbin/ipa-server-upgrade --quiet >/dev/null || : + + # Restart IPA processes. This must be also run in postrans so that plugins + # and software is in consistent state + # NOTE: systemd specific section + /bin/systemctl is-enabled ipa.service >/dev/null 2>&1 if [ $? -eq 0 ]; then /bin/systemctl restart ipa.service >/dev/null 2>&1 || : @@ -972,15 +1000,8 @@ if [ $1 -gt 1 ] ; then fi fi - if [ ! -f '/etc/ipa/nssdb/cert8.db' -a $restore -ge 2 ]; then - python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1 - tempfile=$(mktemp) - if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then - certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1 - elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then - certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1 - fi - rm -f "$tempfile" + if [ $restore -ge 2 ]; then + python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi fi 
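Review bot: The new guard in `%posttrans server` cannot tell "server not configured" from "the check itself failed". The `python2 -c "…is_ipa_configured()…"` line sends both stdout and stderr to /dev/null, so an import error or traceback during the transaction also gives a non-zero status, and the upgrade and restart are then skipped with nothing recorded. Keeping stderr and testing the command directly would be clearer than a separate `[ $? -eq 0 ]`, for example `if python2 -c "…" >/dev/null; then`. The `|| :` after `ipa-server-upgrade --quiet` also hides a failed upgrade from the transaction, so a comment naming the log an administrator should check would help. The closing `fi` of the new block lies outside the hunk.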
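Review bot: In the second hunk, the new line `python2 -c '…update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1` truncates /var/log/ipaupgrade.log every time it runs. With the `! -f '/etc/ipa/nssdb/cert8.db'` test dropped, it now runs on every upgrade where `$restore -ge 2`. If the server upgrade writes to that same file (the name suggests it, but that is not visible here), its earlier diagnostics are lost; appending with `>>/var/log/ipaupgrade.log 2>&1` would keep them. The exit status of the NSS database update is not checked, so a failure to refresh what is presumably the client's CA trust database shows up only in that log. The enclosing scriptlet starts before the hunk.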
@@ -1061,8 +1082,8 @@ fi %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf -%dir %{_libdir}/ipa/certmonger -%attr(755,root,root) %{_libdir}/ipa/certmonger/* +%dir %{_libexecdir}/ipa/certmonger +%attr(755,root,root) %{_libexecdir}/ipa/certmonger/* # NOTE: systemd specific section %attr(644,root,root) %{_unitdir}/ipa.service %attr(644,root,root) %{_unitdir}/ipa-otpd.socket @@ -1285,6 +1306,21 @@ fi %license COPYING %dir %{python_sitelib}/ipaclient %{python_sitelib}/ipaclient/*.py* +%{python_sitelib}/ipaclient-*.egg-info + + +%if 0%{?with_python3} + +%files -n python3-ipaclient +%defattr(-,root,root,-) +%doc README Contributors.txt +%license COPYING +%dir %{python3_sitelib}/ipaclient +%{python3_sitelib}/ipaclient/*.py +%{python3_sitelib}/ipaclient/__pycache__/*.py* +%{python3_sitelib}/ipaclient-*.egg-info + +%endif # with_python3 %files client-common @@ -1337,14 +1373,10 @@ fi %{python_sitelib}/ipalib/* %dir %{python_sitelib}/ipaplatform %{python_sitelib}/ipaplatform/* -%attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so -%attr(0644,root,root) %{python_sitearch}/_ipap11helper.so %{python_sitelib}/ipapython-*.egg-info %{python_sitelib}/ipalib-*.egg-info %{python_sitelib}/freeipa-*.egg-info %{python_sitelib}/ipaplatform-*.egg-info -%{python_sitearch}/python_default_encoding-*.egg-info -%{python_sitearch}/_ipap11helper-*.egg-info %files common -f %{gettext_domain}.lang @@ -1366,8 +1398,6 @@ fi %{python3_sitelib}/ipapython-*.egg-info %{python3_sitelib}/ipalib-*.egg-info %{python3_sitelib}/ipaplatform-*.egg-info -%attr(0644,root,root) %{python3_sitearch}/_ipap11helper.cpython-*.so -%{python3_sitearch}/_ipap11helper-*.egg-info %endif # with_python3 
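Review bot: In the first hunk, moving the helpers from `%{_libdir}/ipa/certmonger` to `%{_libexecdir}/ipa/certmonger` changes an absolute path that certmonger tracking requests on already-installed servers presumably still reference in their pre/post-save commands. Nothing in the visible spec repoints those requests, so it is worth confirming that the server upgrade does, since a stale helper path would presumably break the renewal hooks. A short comment above the `%dir` line would record the dependency, e.g. `# helpers moved from libdir in 4.3.1; existing certmonger requests must be repointed on upgrade`. The other hunks on this line only adjust file lists for the new python3-ipaclient package and the removed `_ipap11helper` and `default_encoding_utf8` modules.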
@@ -1424,6 +1454,9 @@ fi %endif # ONLY_CLIENT %changelog +* Thu Mar 24 2016 Petr Vobornik - 4.3.1-1 +- Update to upstream 4.3.1 - see http://www.freeipa.org/page/Releases/4.3.1 + * Thu Feb 04 2016 Petr Vobornik - 4.3.0-3 - Fix build with Samba 4.4 - Update SELinux requires to fix connection check during installation diff --git a/sources b/sources index 5b729cd..74107c1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -e325b4f025e1320d4815734fa0fcd2c7 freeipa-4.3.0.tar.gz +ec222fd2c7dad6400df60f95222b1edd freeipa-4.3.1.tar.gz