Commit Graph

27 Commits

Author SHA1 Message Date
Rafael Guterres Jeffman
e2ceb15ca1 Backports for 4.9.13-12 release:
- Add ipa-idrange-fix
  Resolves: RHEL-56920
- Unconditionally add MS-PAC to global config on update
  Resolves: RHEL-49437
- ipatests: Update ipa-adtrust-install test
  Resolves: RHEL-40894
- Require python-qrcode version 5.3 or later
  Related: RHEL-15090

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-11-13 17:54:33 -03:00
Rafael Guterres Jeffman
880d21b828 Backports for 4.9.13-9 release:
- Allow the admin user to be disabled
  Resolves: RHEL-34756
- ipa-otptoken-import: open the key file in binary mode
  Resolves: RHEL-39616
- ipa-crlgen-manage: manage the cert status task execution time
  Resolves: RHEL-30280
- idrange-add: add a warning because 389ds restart is required
  Resolves: RHEL-28996
- PKINIT certificate: fix renewal on hidden replica
  Resolves: RHEL-4913, RHEL-45908

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-07-17 12:33:21 -03:00
Julien Rische
a74c5fe996 ipa release 4.9.13-11
- Add missing part of backported CVE-2024-3183 fix
  Resolves: RHEL-29927

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-06-12 15:33:03 +02:00
Julien Rische
1c57bc6872 ipa release 4.9.13-10
- kdb: apply combinatorial logic for ticket flags (CVE-2024-3183)
  Resolves: RHEL-29927
- kdb: fix vulnerability in GCD rules handling (CVE-2024-2698)
  Resolves: RHEL-29692

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-04-30 16:07:32 +02:00
Rafael Guterres Jeffman
7b21739b0c ipa release 4.9.13-9
- dcerpc: invalidate forest trust intfo cache when filtering out realm domains
  Resolves: RHEL-28559
- Backport latests test fixes in python3-tests
  ipatests: add xfail for autoprivate group test with override
  ipatests: remove xfail thanks to sssd 2.9.4
  ipatests: adapt for new automembership fixup behavior
  ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases
  test_xmlrpc: adopt to automember plugin message changes in 389-ds
  Resolves: RHEL-29908

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-04-12 12:30:06 -03:00
Rafael Guterres Jeffman
51eeb76a79 ipa release 4.9.13-8
- rpcserver: validate Kerberos principal name before running kinit
  Resolves: RHEL-26153
- Vault: add additional fallback to RSA-OAEP wrapping algo
  Resolves: RHEL-28259

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-03-07 14:18:08 -03:00
Julien Rische
cab5f5f833 ipa release 4.9.13-7
- ipa-kdb: Fix double free in ipadb_reinit_mspac()
  Resolves: RHEL-25742
- kra: set RSA-OAEP as default wrapping algo when FIPS is enabled
  Resolves: RHEL-12153
- Vault: improve vault server archival/retrieval calls error handling
  Resolves: RHEL-12153
- Vault: add support for RSA-OAEP wrapping algo
  Resolves: RHEL-12153

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-02-20 18:40:24 +01:00
Rafael Guterres Jeffman
535e08e118 ipa release 4.9.13-6
- ipatests: fix tasks.wait_for_replication() method
  Resolves: RHEL-25708

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-02-16 11:48:41 -03:00
Julien Rische
8d7c3802f3 ipa release 4.9.13-6
- ipa-kdb: Rework ipadb_reinit_mspac()
  Resolves: RHEL-25742
- ipatests: wait for replica update in test_dns_locations
  Resolves: RHEL-22373

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-02-16 10:23:32 +01:00
Rafael Guterres Jeffman
f285979474 ipa-kdb: Fix compilation issues.
Related: RHEL-22313

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-02-13 12:01:16 -03:00
Rafael Guterres Jeffman
4ced5cbefb IPA build for ITM 24
- kdb: PAC generator: do not fail if canonical principal is missing
  Resolves: RHEL-23630
- ipa-kdb: Fix memory leak during PAC verification
  Resolves: RHEL-22644
- Fix session cookie access
  Resolves: RHEL-23622
- Do not ignore staged users in sidgen plugin\
  Resovlves: RHEL-23626
- ipa-kdb: Disable Bronze-Bit check if PAC not available
  Resolves: RHEL-22313
- krb5kdc: Fix start when pkinit and otp auth type are enabled
  Resolves: RHEL-4874
- hbactest was not collecting or returning messages
  Resolvez: RHEL-12780

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-02-12 20:27:29 -03:00
Rafael Guterres Jeffman
3b5629ec63 ipa release 4.9.13-4
- Improve server affinity for CA-less deployments
  Resolves: RHEL-22283
- host: update system: Manage Host Keytab permission
  Resolves: RHEL-22286
- adtrustinstance: make sure NetBIOS name defaults are set properly
  Resolves: RHEL-21938
- ipatests: Fix healthcheck report when nsslapd accesslog logbuffering is set to off
  Resolves: RHEL-19672

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2024-01-23 18:39:46 -03:00
Julien Rische
a321f34b62 ipa release 4.9.13-3
- ipa-kdb: Detect and block Bronze-Bit attacks
  Resolves: RHEL-9984
- Fix for CVE-2023-5455
  Resolves: RHEL-12578

Signed-off-by: Julien Rische <jrische@redhat.com>
2024-01-10 17:35:52 +01:00
Rafael Guterres Jeffman
2005990bae ipa:
- Remove unused patches.
- Handle new samba exception types.
  Resolves: RHEL-17623
2023-11-30 13:13:35 -03:00
Rafael Guterres Jeffman
4d6406a1a1 ipa:
- Rebase to version 4.9.13
  Resolves: RHEL-16936

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2023-11-21 17:12:08 -03:00
Julien Rische
77b1872506 ipa-kdb: Make AD-SIGNEDPATH optional with krb5 DAL 8 and older
Resolves: RHEL-10495

Signed-off-by: Julien Rische <jrische@redhat.com>
2023-10-09 11:01:00 +02:00
Rafael Guterres Jeffman
1f0bd468b3 ipa:
- ipatests: fix test_topology
  Resolves: RHBZ#2232351
- Installer: activate nss and pam services in sssd.conf
  Resolves: RHBZ#2216532

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2023-08-16 15:11:42 -03:00
Rafael Guterres Jeffman
ff08f7c5db ipa release 4.9.12-6
- ipa-kdb: fix error handling of is_master_host()
  Resolves: RHBZ#2214638
- ipatests: enable firewall rule for http service on acme client
  Resolves: RHBZ#2230256
- User plugin: improve error related to non existing idp
  Resolves: RHBZ#2224572
- Prevent admin user from being deleted
  Resolves: RHBZ#1821181
- Fix memory leak in the OTP last token plugin
  Resolves: RHBZ#2227783
2023-08-09 15:15:08 -03:00
Rafael Guterres Jeffman
046e99f183 Fix patch 0004 with correct data.
Related: RHBZ#2216551

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2023-07-17 14:41:52 -03:00
Rafael Guterres Jeffman
9570499a0c ipa release 4.9.12-4
- kdb: Use-krb5_pac_full_sign_compat() when available
  Resolves: RHBZ#2176406
- OTP: fix-data-type-to-avoid-endianness-issue
  Resolves: RHBZ#2218293
- Upgrade: fix replica agreement
  Resolves: RHBZ#2216551
- Upgrade: add PKI drop-in file if missing
  Resolves: RHBZ#2215336
- Use the python-cryptography parser directly in cert-find
  Resolves: RHBZ#2164349
- Backport test updates
  Resolves: RHBZ#221884

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2023-06-30 21:03:35 -03:00
Julien Rische
0d91a32452 Rely on sssd-krb5 to include SSSD-generated krb5 configuration
Resolves: RHBZ#2214563
Signed-off-by: Julien Rische <jrische@redhat.com>
2023-06-21 16:01:26 +02:00
Rafael Guterres Jeffman
a7cb26cedd ipa:
- Use the OpenSSL certificate parser in cert-find.
    Resolves: RHBZ#2209947
2023-05-25 11:48:26 -03:00
Rafael Guterres Jeffman
2d7a6e674e First build for RHEL 8.9
- Rebase ipa to 4.9.12
  Resolves: RHBZ#2196425
- user or group name: explain the supported format
  Resolves: RHBZ#2150217

Signed-off-by: Rafael Guterres Jeffman <rjeffman@redhat.com>
2023-05-24 12:36:12 -03:00
James Antill
4471000467 Import rpm: a249616514dc5d61acb879b22759acf8a0fb5963 2023-02-23 20:03:34 -05:00
James Antill
a3a1bed87f Import rpm: a249616514dc5d61acb879b22759acf8a0fb5963 2023-02-23 12:41:36 -05:00
James Antill
fe3a12eb3a Convert from sha1 to sha512. 2022-08-31 15:27:01 -04:00
James Antill
8de80a61d3 Import rpm: a249616514dc5d61acb879b22759acf8a0fb5963 2022-08-08 12:29:10 -04:00