Update to upstream 4.3.1

.gitignore

@@ -42,3 +42,4 @@
 /freeipa-4.2.2.tar.gz
 /freeipa-4.2.3.tar.gz
 /freeipa-4.3.0.tar.gz
+/freeipa-4.3.1.tar.gz

0002-IPA-SAM-Fix-build-with-samba-4.4.patch

@@ -1,54 +0,0 @@
->From f9057ca98557094a4db84ac072ee9efd02a4ff79 Mon Sep 17 00:00:00 2001
-From: Lukas Slebodnik <lslebodn@redhat.com>
-Date: Fri, 29 Jan 2016 10:40:18 +0100
-Subject: [PATCH 1/3] IPA-SAM: Fix build with samba 4.4
-
-samba_util.h is not shipped with samba-4.4
-and it was indirectly included by "ndr.h"
-
-Some functions have prototypes in different header file
-"util/talloc_stack.h" and other does not have declarations
-in other header file. But they are still part of libsamba-util.so
-
-sh$ objdump -T /usr/lib64/libsamba-util.so.0.0.1 | grep -E "trim_s|xstrdup"
-0000000000022200 g    DF .text  000000000000001f  SAMBA_UTIL_0.0.1 smb_xstrdup
-00000000000223b0 g    DF .text  000000000000019d  SAMBA_UTIL_0.0.1 trim_string
-
-ipa_sam.c: In function 'ldapsam_uid_to_sid':
-ipa_sam.c:836:24: warning: implicit declaration of function 'talloc_stackframe'
-                  [-Wimplicit-function-declaration]
-  TALLOC_CTX *tmp_ctx = talloc_stackframe();
-                        ^
-ipa_sam.c: In function 'pdb_init_ipasam':
-ipa_sam.c:4493:2: warning: implicit declaration of function 'trim_string'
-                  [-Wimplicit-function-declaration]
-  trim_string( uri, "\"", "\"" );
-  ^
-ipa_sam.c:4580:26: warning: implicit declaration of function 'smb_xstrdup'
-                   [-Wimplicit-function-declaration]
-  ldap_state->domain_dn = smb_xstrdup(dn);
-                          ^
----
- daemons/ipa-sam/ipa_sam.c | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
-index 7274d600b532f1066661e8a614a47eea7632ed70..871775b0a19e9c273652ff7a0b497d86bb866aa6 100644
---- a/daemons/ipa-sam/ipa_sam.c
-+++ b/daemons/ipa-sam/ipa_sam.c
-@@ -19,6 +19,12 @@
- #include <util/data_blob.h>
- #include <util/time.h>
- #include <util/debug.h>
-+#include <util/talloc_stack.h>
-+
-+#ifndef _SAMBA_UTIL_H_
-+bool trim_string(char *s, const char *front, const char *back);
-+char *smb_xstrdup(const char *s);
-+#endif
- 
- #include <core/ntstatus.h>
- #include <gen_ndr/security.h>
--- 
-2.5.0
-

0003-replica-promotion-fix-AVC-denials-in-remote-connecti.patch

@@ -1,61 +0,0 @@
-From af50dbca408aa83be2356f81b0e531f5cf8ca4b2 Mon Sep 17 00:00:00 2001
-From: Jan Cholasta <jcholast@redhat.com>
-Date: Fri, 15 Jan 2016 08:07:21 +0100
-Subject: [PATCH] replica promotion: fix AVC denials in remote connection check
-
-Also move com.redhat.idm.trust-fetch-domains to /usr/libexec/ipa/oddjob.
-
-https://fedorahosted.org/freeipa/ticket/5550
----
- freeipa.spec.in                                          | 7 ++-----
- install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf | 2 +-
- 2 files changed, 3 insertions(+), 6 deletions(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index c8a5216..54a11bf 100644
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -14,7 +14,7 @@
- %global selinux_policy_version 3.12.1-153
- %else
- %global samba_version 2:4.0.5-1
--%global selinux_policy_version 3.13.1-128.6
-+%global selinux_policy_version 3.13.1-158.4
- %endif
- 
- %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
-@@ -698,9 +698,6 @@ make client-install DESTDIR=%{buildroot}
- mkdir -p %{buildroot}%{_usr}/share/ipa
- 
- %if ! %{ONLY_CLIENT}
--# FIXME: https://bugzilla.redhat.com/show_bug.cgi?id=1289930
--mv %{buildroot}%{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains %{buildroot}%{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
--
- # Remove .la files from libtool - we don't want to package
- # these files
- rm %{buildroot}/%{plugin_dir}/libipa_pwd_extop.la
-@@ -1224,7 +1221,7 @@ fi
- %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
- %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
- %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
--%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
-+%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
- 
- %endif # ONLY_CLIENT
- 
-diff --git a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
-index 17817de..bc2e8d1 100644
---- a/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
-+++ b/install/oddjob/etc/oddjobd.conf.d/oddjobd-ipa-trust.conf
-@@ -10,7 +10,7 @@
-       </interface>
-       <interface name="com.redhat.idm.trust">
-         <method name="fetch_domains">
--          <helper exec="/usr/libexec/ipa/com.redhat.idm.trust-fetch-domains"
-+          <helper exec="/usr/libexec/ipa/oddjob/com.redhat.idm.trust-fetch-domains"
- 		  arguments="1"
-                   argument_passing_method="cmdline"
- 		  prepend_user_name="no"/>
--- 
-2.5.0
-

freeipa.spec

@@ -30,13 +30,13 @@
 %global platform_module fedora
 %endif
 
-%global VERSION 4.3.0
+%global VERSION 4.3.1
 
 %define _hardened_build 1
 
 Name:           freeipa
 Version:        %{VERSION}
-Release:        3%{?dist}
+Release:        1%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -46,8 +46,6 @@ Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 Patch0001:      0001-Workarounds-for-SELinux-execmem-violations-in-crypto.patch
-Patch0002:      0002-IPA-SAM-Fix-build-with-samba-4.4.patch
-Patch0003:      0003-replica-promotion-fix-AVC-denials-in-remote-connecti.patch
 
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.4.4
@@ -79,7 +77,7 @@ BuildRequires:  python-devel
 BuildRequires:  python-ldap
 BuildRequires:  python-setuptools
 BuildRequires:  python-nss
-BuildRequires:  python-cryptography
+BuildRequires:  python-cryptography >= 0.9
 BuildRequires:  m2crypto
 BuildRequires:  python-netaddr
 BuildRequires:  python-gssapi >= 1.1.2
@@ -102,9 +100,7 @@ BuildRequires:  systemd
 BuildRequires:  libunistring-devel
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico >= 1.2.3
-BuildRequires:  softhsm-devel >= 2.0.0rc1-1
 BuildRequires:  openssl-devel
-BuildRequires:  p11-kit-devel
 BuildRequires:  pki-base >= 10.2.6
 BuildRequires:  python-pytest-multihost >= 0.5
 BuildRequires:  python-pytest-sourceorder
@@ -141,7 +137,7 @@ Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
 Requires: %{name}-common = %{version}-%{release}
 Requires: python2-ipaserver = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.4.4
+Requires: 389-ds-base >= 1.3.4.6
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
@@ -164,16 +160,16 @@ Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.54.2-1
+Requires: slapi-nis >= 0.55-1
-Requires: pki-ca >= 10.2.6-12
+Requires: pki-ca >= 10.2.6-13
-Requires: pki-kra >= 10.2.6-12
+Requires: pki-kra >= 10.2.6-13
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: zip
 Requires: policycoreutils >= 2.1.12-5
 Requires: tar
 Requires(pre): certmonger >= 0.78
-Requires(pre): 389-ds-base >= 1.3.4.4
+Requires(pre): 389-ds-base >= 1.3.4.6
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
 Requires: openssl
@@ -223,6 +219,7 @@ Requires: python-pyasn1
 Requires: dbus-python
 Requires: python-dns >= 1.11.1
 Requires: python-kdcproxy >= 0.3
+Requires: rpm-libs
 
 %description -n python2-ipaserver
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -281,6 +278,9 @@ Obsoletes: %{alt_name}-server-dns < %{version}
 # upgrade path from monolithic -server to -server + -server-dns
 Obsoletes: %{name}-server <= 4.2.0
 
+# FreeIPA does not support running integrated BIND in chroot jail
+Conflicts: bind-chroot
+
 %description server-dns
 IPA integrated DNS server with support for automatic DNSSEC signing.
 Integrated DNS server is BIND 9. OpenDNSSEC provides key management.
@@ -333,7 +333,7 @@ Requires: pam_krb5
 Requires: curl
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
-Requires: sssd >= 1.13.1
+Requires: sssd >= 1.13.3-5
 Requires: python-sssdconfig
 Requires: certmonger >= 0.78
 Requires: nss-tools
@@ -380,6 +380,30 @@ If your network uses IPA for authentication, this package should be
 installed on every client machine.
 
 
+%if 0%{?with_python3}
+
+%package -n python3-ipaclient
+Summary: Python libraries used by IPA client
+Group: System Environment/Libraries
+BuildArch: noarch
+%{?python_provide:%python_provide python3-ipaclient}
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipalib = %{version}-%{release}
+Requires: python3-dns >= 1.11.1
+
+%description -n python3-ipaclient
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+
+%endif  # with_python3
+
+
 %package client-common
 Summary: Common files used by IPA client
 Group: System Environment/Base
@@ -451,9 +475,9 @@ python2-ipalib and %{name}-common. Packages still depending on
 %package -n python2-ipalib
 Summary: Python libraries used by IPA
 Group: System Environment/Libraries
+BuildArch: noarch
 Conflicts: %{name}-python < %{version}-%{release}
 %{?python_provide:%python_provide python2-ipalib}
-%{?python_provide:%{?_isa:%python_provide python2-ipalib%{_isa}}}
 Provides: python2-ipapython = %{version}-%{release}
 %{?python_provide:%python_provide python2-ipapython}
 Provides: python2-ipaplatform = %{version}-%{release}
@@ -465,7 +489,7 @@ Requires: iproute
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
-Requires: python-cryptography
+Requires: python-cryptography >= 0.9
 Requires: m2crypto
 Requires: python-lxml
 Requires: python-netaddr
@@ -480,6 +504,7 @@ Requires: dbus-python
 Requires: python-setuptools
 Requires: python-six
 Requires: python-jwcrypto
+Requires: python-cffi
 
 Conflicts: %{alt_name}-python < %{version}
 
@@ -497,8 +522,8 @@ If you are using IPA, you need to install this package.
 %package -n python3-ipalib
 Summary: Python3 libraries used by IPA
 Group: System Environment/Libraries
+BuildArch: noarch
 %{?python_provide:%python_provide python3-ipalib}
-%{?python_provide:%{?_isa:%python_provide python3-ipalib%{_isa}}}
 Provides: python3-ipapython = %{version}-%{release}
 %{?python_provide:%python_provide python3-ipapython}
 Provides: python3-ipaplatform = %{version}-%{release}
@@ -524,6 +549,7 @@ Requires: python3-dbus
 Requires: python3-setuptools
 Requires: python3-six
 Requires: python3-jwcrypto
+Requires: python3-cffi
 
 %description -n python3-ipalib
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -576,6 +602,7 @@ Requires: python-coverage
 Requires: python-polib
 Requires: python-pytest-multihost >= 0.5
 Requires: python-pytest-sourceorder
+Requires: ldns-utils
 
 Provides: %{alt_name}-tests = %{version}
 Conflicts: %{alt_name}-tests
@@ -606,6 +633,7 @@ Requires: python3-coverage
 Requires: python3-polib
 Requires: python3-pytest-multihost >= 0.5
 Requires: python3-pytest-sourceorder
+Requires: ldns-utils
 
 %description -n python3-ipatests
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -662,16 +690,12 @@ rm -f ipaplatform/tasks.py
 rm -f ipaplatform/paths.py
 rm -f ipaplatform/constants.py
 make version-update
-cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
+cd client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %if ! %{ONLY_CLIENT}
 cd daemons; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir} --with-openldap; cd ..
 cd install; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %endif # ONLY_CLIENT
 
-%if 0%{?with_python3}
-(cd ipapython/ipap11helper && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all)
-%endif
-
 %if ! %{ONLY_CLIENT}
 make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} all
 %else
@@ -726,6 +750,7 @@ make client-install DESTDIR=%{buildroot}
 (cd ipalib && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install)
 (cd ipapython && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install)
 (cd ipaplatform && %{__python3} setup.py install --root %{buildroot})
+(cd ipaclient && %{__python3} setup.py install --root %{buildroot})
 %endif # with_python3
 
 %find_lang %{gettext_domain}
@@ -877,15 +902,18 @@ fi
 
 
 %posttrans server
-# This must be run in posttrans so that updates from previous
+# don't execute upgrade and restart of IPA when server is not installed
-# execution that may no longer be shipped are not applied.
-/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
-
-# Restart IPA processes. This must be also run in postrans so that plugins
-# and software is in consistent state
 python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
-# NOTE: systemd specific section
+
 if [  $? -eq 0 ]; then
+    # This must be run in posttrans so that updates from previous
+    # execution that may no longer be shipped are not applied.
+    /usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
+
+    # Restart IPA processes. This must be also run in postrans so that plugins
+    # and software is in consistent state
+    # NOTE: systemd specific section
+
     /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
     if [  $? -eq 0 ]; then
         /bin/systemctl restart ipa.service >/dev/null 2>&1 || :
@@ -972,15 +1000,8 @@ if [ $1 -gt 1 ] ; then
         fi
     fi
 
-    if [ ! -f '/etc/ipa/nssdb/cert8.db' -a $restore -ge 2 ]; then
+    if [ $restore -ge 2 ]; then
-        python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
+        python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
-        tempfile=$(mktemp)
-        if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        fi
-        rm -f "$tempfile"
     fi
 fi
 
@@ -1061,8 +1082,8 @@ fi
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
 %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
-%dir %{_libdir}/ipa/certmonger
+%dir %{_libexecdir}/ipa/certmonger
-%attr(755,root,root) %{_libdir}/ipa/certmonger/*
+%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
 # NOTE: systemd specific section
 %attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa-otpd.socket
@@ -1285,6 +1306,21 @@ fi
 %license COPYING
 %dir %{python_sitelib}/ipaclient
 %{python_sitelib}/ipaclient/*.py*
+%{python_sitelib}/ipaclient-*.egg-info
+
+
+%if 0%{?with_python3}
+
+%files -n python3-ipaclient
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
+%dir %{python3_sitelib}/ipaclient
+%{python3_sitelib}/ipaclient/*.py
+%{python3_sitelib}/ipaclient/__pycache__/*.py*
+%{python3_sitelib}/ipaclient-*.egg-info
+
+%endif # with_python3
 
 
 %files client-common
@@ -1337,14 +1373,10 @@ fi
 %{python_sitelib}/ipalib/*
 %dir %{python_sitelib}/ipaplatform
 %{python_sitelib}/ipaplatform/*
-%attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so
-%attr(0644,root,root) %{python_sitearch}/_ipap11helper.so
 %{python_sitelib}/ipapython-*.egg-info
 %{python_sitelib}/ipalib-*.egg-info
 %{python_sitelib}/freeipa-*.egg-info
 %{python_sitelib}/ipaplatform-*.egg-info
-%{python_sitearch}/python_default_encoding-*.egg-info
-%{python_sitearch}/_ipap11helper-*.egg-info
 
 
 %files common -f %{gettext_domain}.lang
@@ -1366,8 +1398,6 @@ fi
 %{python3_sitelib}/ipapython-*.egg-info
 %{python3_sitelib}/ipalib-*.egg-info
 %{python3_sitelib}/ipaplatform-*.egg-info
-%attr(0644,root,root) %{python3_sitearch}/_ipap11helper.cpython-*.so
-%{python3_sitearch}/_ipap11helper-*.egg-info
 
 %endif # with_python3
 
@@ -1424,6 +1454,9 @@ fi
 %endif # ONLY_CLIENT
 
 %changelog
+* Thu Mar 24 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.1-1
+- Update to upstream 4.3.1 - see http://www.freeipa.org/page/Releases/4.3.1
+
 * Thu Feb 04 2016 Petr Vobornik <pvoborni@redhat.com> - 4.3.0-3
 - Fix build with Samba 4.4
 - Update SELinux requires to fix connection check during installation

sources

@@ -1 +1 @@
-e325b4f025e1320d4815734fa0fcd2c7  freeipa-4.3.0.tar.gz
+ec222fd2c7dad6400df60f95222b1edd  freeipa-4.3.1.tar.gz