@ -1,392 +0,0 @@
|
||||||
From b039f3087a13de3f34b230dbe29a7cfb1965700d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Feb 23 2024 09:49:27 +0000
|
|
||||||
Subject: rpcserver: validate Kerberos principal name before running kinit
|
|
||||||
|
|
||||||
|
|
||||||
Do minimal validation of the Kerberos principal name when passing it to
|
|
||||||
kinit command line tool. Also pass it as the final argument to prevent
|
|
||||||
option injection.
|
|
||||||
|
|
||||||
Accepted Kerberos principals are:
|
|
||||||
- user names, using the following regexp
|
|
||||||
(username with optional @realm, no spaces or slashes in the name):
|
|
||||||
"(?!^[0-9]+$)^[a-zA-Z0-9_.][a-zA-Z0-9_.-]*[a-zA-Z0-9_.$-]?@?[a-zA-Z0-9.-]*$"
|
|
||||||
|
|
||||||
- service names (with slash in the name but no spaces). Validation of
|
|
||||||
the hostname is done. There is no validation of the service name.
|
|
||||||
|
|
||||||
The regular expression above also covers cases where a principal name
|
|
||||||
starts with '-'. This prevents option injection as well.
|
|
||||||
|
|
||||||
This fixes CVE-2024-1481
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9541
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
|
|
||||||
index cc839ec..4ad4eaa 100644
|
|
||||||
--- a/ipalib/install/kinit.py
|
|
||||||
+++ b/ipalib/install/kinit.py
|
|
||||||
@@ -6,12 +6,16 @@ from __future__ import absolute_import
|
|
||||||
|
|
||||||
import logging
|
|
||||||
import os
|
|
||||||
+import re
|
|
||||||
import time
|
|
||||||
|
|
||||||
import gssapi
|
|
||||||
|
|
||||||
from ipaplatform.paths import paths
|
|
||||||
from ipapython.ipautil import run
|
|
||||||
+from ipalib.constants import PATTERN_GROUPUSER_NAME
|
|
||||||
+from ipalib.util import validate_hostname
|
|
||||||
+from ipalib import api
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
@@ -21,6 +25,40 @@ KRB5_KDC_UNREACH = 2529639068
|
|
||||||
# A service is not available that s required to process the request
|
|
||||||
KRB5KDC_ERR_SVC_UNAVAILABLE = 2529638941
|
|
||||||
|
|
||||||
+PATTERN_REALM = '@?([a-zA-Z0-9.-]*)$'
|
|
||||||
+PATTERN_PRINCIPAL = '(' + PATTERN_GROUPUSER_NAME[:-1] + ')' + PATTERN_REALM
|
|
||||||
+PATTERN_SERVICE = '([a-zA-Z0-9.-]+)/([a-zA-Z0-9.-]+)' + PATTERN_REALM
|
|
||||||
+
|
|
||||||
+user_pattern = re.compile(PATTERN_PRINCIPAL)
|
|
||||||
+service_pattern = re.compile(PATTERN_SERVICE)
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+def validate_principal(principal):
|
|
||||||
+ if not isinstance(principal, str):
|
|
||||||
+ raise RuntimeError('Invalid principal: not a string')
|
|
||||||
+ if ('/' in principal) and (' ' in principal):
|
|
||||||
+ raise RuntimeError('Invalid principal: bad spacing')
|
|
||||||
+ else:
|
|
||||||
+ realm = None
|
|
||||||
+ match = user_pattern.match(principal)
|
|
||||||
+ if match is None:
|
|
||||||
+ match = service_pattern.match(principal)
|
|
||||||
+ if match is None:
|
|
||||||
+ raise RuntimeError('Invalid principal: cannot parse')
|
|
||||||
+ else:
|
|
||||||
+ # service = match[1]
|
|
||||||
+ hostname = match[2]
|
|
||||||
+ realm = match[3]
|
|
||||||
+ try:
|
|
||||||
+ validate_hostname(hostname)
|
|
||||||
+ except ValueError as e:
|
|
||||||
+ raise RuntimeError(str(e))
|
|
||||||
+ else: # user match, validate realm
|
|
||||||
+ # username = match[1]
|
|
||||||
+ realm = match[2]
|
|
||||||
+ if realm and 'realm' in api.env and realm != api.env.realm:
|
|
||||||
+ raise RuntimeError('Invalid principal: realm mismatch')
|
|
||||||
+
|
|
||||||
|
|
||||||
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
|
||||||
"""
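Review bot: `user_pattern.match` / `service_pattern.match` together with the trailing `$` in `PATTERN_REALM` accept a principal that ends in a newline, because `$` also matches just before a final `\n`: `'testuser\n'` and `'test/ipa.example.test\n'` both pass `validate_principal` and reach kinit's argv with the newline intact, so the anchoring should be `match = user_pattern.fullmatch(principal)` and `match = service_pattern.fullmatch(principal)` (or `\Z` instead of `$`). The service-name group `([a-zA-Z0-9.-]+)` still admits a leading `-` (`-c/ipa.example.test` validates), so for service principals the option-injection defence rests entirely on every caller passing `--`; unless a service name beginning with `-` or `.` is a real case, tightening the first character to `[a-zA-Z0-9]` makes the validator self-sufficient. The `('/' in principal) and (' ' in principal)` pre-check is redundant — neither pattern admits a space — and its `and` means a user principal with a space is rejected only later with a different message, so `if ' ' in principal:` says what is meant, if the special message is wanted at all. `PATTERN_GROUPUSER_NAME[:-1]` silently depends on that constant ending in `$`; an `assert PATTERN_GROUPUSER_NAME.endswith('$')` beside it would catch a future change to the constant.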
|
|
||||||
@@ -29,6 +67,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
|
||||||
The optional parameter 'attempts' specifies how many times the credential
|
|
||||||
initialization should be attempted in case of non-responsive KDC.
|
|
||||||
"""
|
|
||||||
+ validate_principal(principal)
|
|
||||||
errors_to_retry = {KRB5KDC_ERR_SVC_UNAVAILABLE,
|
|
||||||
KRB5_KDC_UNREACH}
|
|
||||||
logger.debug("Initializing principal %s using keytab %s",
|
|
||||||
@@ -65,6 +104,7 @@ def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
|
|
||||||
|
|
||||||
return None
|
|
||||||
|
|
||||||
+
|
|
||||||
def kinit_password(principal, password, ccache_name, config=None,
|
|
||||||
armor_ccache_name=None, canonicalize=False,
|
|
||||||
enterprise=False, lifetime=None):
|
|
||||||
@@ -73,8 +113,9 @@ def kinit_password(principal, password, ccache_name, config=None,
|
|
||||||
web-based authentication, use armor_ccache_path to specify http service
|
|
||||||
ccache.
|
|
||||||
"""
|
|
||||||
+ validate_principal(principal)
|
|
||||||
logger.debug("Initializing principal %s using password", principal)
|
|
||||||
- args = [paths.KINIT, principal, '-c', ccache_name]
|
|
||||||
+ args = [paths.KINIT, '-c', ccache_name]
|
|
||||||
if armor_ccache_name is not None:
|
|
||||||
logger.debug("Using armor ccache %s for FAST webauth",
|
|
||||||
armor_ccache_name)
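Review bot: `validate_principal` rejects the explicit-realm form of an enterprise principal, which this same function is built to pass to kinit with `-E` (the `enterprise` branch lies further down, outside this hunk): neither pattern admits `@` inside the name group (`[a-zA-Z0-9_.-]`), so `user@example.com@EXAMPLE.TEST` raises `Invalid principal: cannot parse` before kinit runs, while the realm-less `user@example.com` happens to match as name `user` plus realm `example.com`. I cannot see from here whether any caller sets `enterprise=True`; if one does, the validator needs to know about it (e.g. pass `enterprise` through and accept a second `@`-separated realm in that case), and if none does, a test pinning the rejection would at least make the regression deliberate. The body of `kinit_password` continues past the end of this hunk.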
|
|
||||||
@@ -91,6 +132,7 @@ def kinit_password(principal, password, ccache_name, config=None,
|
|
||||||
logger.debug("Using enterprise principal")
|
|
||||||
args.append('-E')
|
|
||||||
|
|
||||||
+ args.extend(['--', principal])
|
|
||||||
env = {'LC_ALL': 'C'}
|
|
||||||
if config is not None:
|
|
||||||
env['KRB5_CONFIG'] = config
|
|
||||||
@@ -154,6 +196,7 @@ def kinit_pkinit(
|
|
||||||
|
|
||||||
:raises: CalledProcessError if PKINIT fails
|
|
||||||
"""
|
|
||||||
+ validate_principal(principal)
|
|
||||||
logger.debug(
|
|
||||||
"Initializing principal %s using PKINIT %s", principal, user_identity
|
|
||||||
)
|
|
||||||
@@ -168,7 +211,7 @@ def kinit_pkinit(
|
|
||||||
assert pkinit_anchor.startswith(("FILE:", "DIR:", "ENV:"))
|
|
||||||
args.extend(["-X", f"X509_anchors={pkinit_anchor}"])
|
|
||||||
args.extend(["-X", f"X509_user_identity={user_identity}"])
|
|
||||||
- args.append(principal)
|
|
||||||
+ args.extend(['--', principal])
|
|
||||||
|
|
||||||
# this workaround enables us to capture stderr and put it
|
|
||||||
# into the raised exception in case of unsuccessful authentication
|
|
||||||
diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
|
|
||||||
index 3555014..60bfa61 100644
|
|
||||||
--- a/ipaserver/rpcserver.py
|
|
||||||
+++ b/ipaserver/rpcserver.py
|
|
||||||
@@ -1134,10 +1134,6 @@ class login_password(Backend, KerberosSession):
|
|
||||||
canonicalize=True,
|
|
||||||
lifetime=self.api.env.kinit_lifetime)
|
|
||||||
|
|
||||||
- if armor_path:
|
|
||||||
- logger.debug('Cleanup the armor ccache')
|
|
||||||
- ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
|
|
||||||
- env={'KRB5CCNAME': armor_path}, raiseonerr=False)
|
|
||||||
except RuntimeError as e:
|
|
||||||
if ('kinit: Cannot read password while '
|
|
||||||
'getting initial credentials') in str(e):
|
|
||||||
@@ -1155,6 +1151,11 @@ class login_password(Backend, KerberosSession):
|
|
||||||
raise KrbPrincipalWrongFAST(principal=principal)
|
|
||||||
raise InvalidSessionPassword(principal=principal,
|
|
||||||
message=unicode(e))
|
|
||||||
+ finally:
|
|
||||||
+ if armor_path:
|
|
||||||
+ logger.debug('Cleanup the armor ccache')
|
|
||||||
+ ipautil.run([paths.KDESTROY, '-A', '-c', armor_path],
|
|
||||||
+ env={'KRB5CCNAME': armor_path}, raiseonerr=False)
|
|
||||||
|
|
||||||
|
|
||||||
class change_password(Backend, HTTP_Status):
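Review bot: Moving the kdestroy into `finally` is the right fix, but `raiseonerr=False` also hides a failed kdestroy, leaving a FAST armor ccache on disk with nothing in the log to show it; assuming `ipautil.run` returns an object exposing `returncode`, capture it and warn: `result = ipautil.run([paths.KDESTROY, '-A', '-c', armor_path], env={'KRB5CCNAME': armor_path}, raiseonerr=False)` followed by `if result.returncode != 0: logger.warning('Failed to remove armor ccache %s', armor_path)`. The `except RuntimeError` branch above now also receives the `Invalid principal: ...` errors raised by `validate_principal` and maps them to `InvalidSessionPassword`, which is fine for the client-facing message but means a malformed (possibly hostile) principal is not distinguishable in the server log unless it is logged elsewhere. The enclosing `login_password.kinit` logic starts before this hunk, so I am assuming `armor_path` is bound (possibly to None) before the `try`; if it is only assigned inside the `try`, the `finally` raises NameError on an early failure.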
|
|
||||||
diff --git a/ipatests/prci_definitions/gating.yaml b/ipatests/prci_definitions/gating.yaml
|
|
||||||
index 91be057..400a248 100644
|
|
||||||
--- a/ipatests/prci_definitions/gating.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/gating.yaml
|
|
||||||
@@ -310,3 +310,15 @@ jobs:
|
|
||||||
template: *ci-ipa-4-9-latest
|
|
||||||
timeout: 3600
|
|
||||||
topology: *master_1repl_1client
|
|
||||||
+
|
|
||||||
+ fedora-latest-ipa-4-9/test_ipalib_install:
|
|
||||||
+ requires: [fedora-latest-ipa-4-9/build]
|
|
||||||
+ priority: 100
|
|
||||||
+ job:
|
|
||||||
+ class: RunPytest
|
|
||||||
+ args:
|
|
||||||
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
|
||||||
+ test_suite: test_ipalib_install/test_kinit.py
|
|
||||||
+ template: *ci-ipa-4-9-latest
|
|
||||||
+ timeout: 600
|
|
||||||
+ topology: *master_1repl
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
index b2ab765..7c03a48 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
|
|
||||||
@@ -1801,3 +1801,15 @@ jobs:
|
|
||||||
template: *ci-ipa-4-9-latest
|
|
||||||
timeout: 5000
|
|
||||||
topology: *master_2repl_1client
|
|
||||||
+
|
|
||||||
+ fedora-latest-ipa-4-9/test_ipalib_install:
|
|
||||||
+ requires: [fedora-latest-ipa-4-9/build]
|
|
||||||
+ priority: 50
|
|
||||||
+ job:
|
|
||||||
+ class: RunPytest
|
|
||||||
+ args:
|
|
||||||
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
|
||||||
+ test_suite: test_ipalib_install/test_kinit.py
|
|
||||||
+ template: *ci-ipa-4-9-latest
|
|
||||||
+ timeout: 600
|
|
||||||
+ topology: *master_1repl
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
index b7b3d3b..802bd2a 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
|
|
||||||
@@ -1944,3 +1944,16 @@ jobs:
|
|
||||||
template: *ci-ipa-4-9-latest
|
|
||||||
timeout: 5000
|
|
||||||
topology: *master_2repl_1client
|
|
||||||
+
|
|
||||||
+ fedora-latest-ipa-4-9/test_ipalib_install:
|
|
||||||
+ requires: [fedora-latest-ipa-4-9/build]
|
|
||||||
+ priority: 50
|
|
||||||
+ job:
|
|
||||||
+ class: RunPytest
|
|
||||||
+ args:
|
|
||||||
+ build_url: '{fedora-latest-ipa-4-9/build_url}'
|
|
||||||
+ selinux_enforcing: True
|
|
||||||
+ test_suite: test_ipalib_install/test_kinit.py
|
|
||||||
+ template: *ci-ipa-4-9-latest
|
|
||||||
+ timeout: 600
|
|
||||||
+ topology: *master_1repl
|
|
||||||
diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
index eb3849e..1e1adb8 100644
|
|
||||||
--- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
|
|
||||||
@@ -1801,3 +1801,15 @@ jobs:
|
|
||||||
template: *ci-ipa-4-9-previous
|
|
||||||
timeout: 5000
|
|
||||||
topology: *master_2repl_1client
|
|
||||||
+
|
|
||||||
+ fedora-previous-ipa-4-9/test_ipalib_install:
|
|
||||||
+ requires: [fedora-previous-ipa-4-9/build]
|
|
||||||
+ priority: 50
|
|
||||||
+ job:
|
|
||||||
+ class: RunPytest
|
|
||||||
+ args:
|
|
||||||
+ build_url: '{fedora-previous-ipa-4-9/build_url}'
|
|
||||||
+ test_suite: test_ipalib_install/test_kinit.py
|
|
||||||
+ template: *ci-ipa-4-9-previous
|
|
||||||
+ timeout: 600
|
|
||||||
+ topology: *master_1repl
|
|
||||||
diff --git a/ipatests/setup.py b/ipatests/setup.py
|
|
||||||
index 6217a1b..0aec4a7 100644
|
|
||||||
--- a/ipatests/setup.py
|
|
||||||
+++ b/ipatests/setup.py
|
|
||||||
@@ -41,6 +41,7 @@ if __name__ == '__main__':
|
|
||||||
"ipatests.test_integration",
|
|
||||||
"ipatests.test_ipaclient",
|
|
||||||
"ipatests.test_ipalib",
|
|
||||||
+ "ipatests.test_ipalib_install",
|
|
||||||
"ipatests.test_ipaplatform",
|
|
||||||
"ipatests.test_ipapython",
|
|
||||||
"ipatests.test_ipaserver",
|
|
||||||
diff --git a/ipatests/test_ipalib_install/__init__.py b/ipatests/test_ipalib_install/__init__.py
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..e69de29
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/ipatests/test_ipalib_install/__init__.py
|
|
||||||
diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
|
|
||||||
new file mode 100644
|
|
||||||
index 0000000..f89ea17
|
|
||||||
--- /dev/null
|
|
||||||
+++ b/ipatests/test_ipalib_install/test_kinit.py
|
|
||||||
@@ -0,0 +1,29 @@
|
|
||||||
+#
|
|
||||||
+# Copyright (C) 2024 FreeIPA Contributors see COPYING for license
|
|
||||||
+#
|
|
||||||
+"""Tests for ipalib.install.kinit module
|
|
||||||
+"""
|
|
||||||
+
|
|
||||||
+import pytest
|
|
||||||
+
|
|
||||||
+from ipalib.install.kinit import validate_principal
|
|
||||||
+
|
|
||||||
+
|
|
||||||
+# None means no exception is expected
|
|
||||||
+@pytest.mark.parametrize('principal, exception', [
|
|
||||||
+ ('testuser', None),
|
|
||||||
+ ('testuser@EXAMPLE.TEST', None),
|
|
||||||
+ ('test/ipa.example.test', None),
|
|
||||||
+ ('test/ipa.example.test@EXAMPLE.TEST', None),
|
|
||||||
+ ('test/ipa@EXAMPLE.TEST', RuntimeError),
|
|
||||||
+ ('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
|
|
||||||
+ ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
|
|
||||||
+ ('test /ipa.example,test', RuntimeError),
|
|
||||||
+ ('testuser@OTHER.TEST', RuntimeError),
|
|
||||||
+ ('test/ipa.example.test@OTHER.TEST', RuntimeError),
|
|
||||||
+])
|
|
||||||
+def test_validate_principal(principal, exception):
|
|
||||||
+ try:
|
|
||||||
+ validate_principal(principal)
|
|
||||||
+ except Exception as e:
|
|
||||||
+ assert e.__class__ == exception
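Review bot: The test name `test_validate_principal` and the comment `# None means no exception is expected` promise more than the assertions deliver, because no input in the list is shaped like the attack this commit fixes — a principal beginning with `-` — so the option-injection regression is not pinned here; `('-testuser', RuntimeError)` and `('--testuser@EXAMPLE.TEST', RuntimeError)` would cover the user form. For the service form, `('-c/ipa.example.test', None)` documents that a leading `-` in the service name is accepted by the validator and therefore relies on the `--` separator in the callers, which is worth stating in a comment next to the case. A trailing-newline input such as `('testuser\n', RuntimeError)` is also worth adding, since `$` matches before a final newline and the validator currently lets it through.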
|
|
||||||
|
|
||||||
From 96a478bbedd49c31e0f078f00f2d1cb55bb952fd Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Feb 23 2024 09:49:27 +0000
|
|
||||||
Subject: validate_principal: Don't try to verify that the realm is known
|
|
||||||
|
|
||||||
|
|
||||||
The actual value is less important than whether it matches the
|
|
||||||
regular expression. A number of legal but difficult to know in
|
|
||||||
context realms could be passed in here (realms of trusted AD forests, for example).
|
|
||||||
|
|
||||||
This fixes CVE-2024-1481
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9541
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/ipalib/install/kinit.py b/ipalib/install/kinit.py
|
|
||||||
index 4ad4eaa..d5fb56b 100644
|
|
||||||
--- a/ipalib/install/kinit.py
|
|
||||||
+++ b/ipalib/install/kinit.py
|
|
||||||
@@ -15,7 +15,6 @@ from ipaplatform.paths import paths
|
|
||||||
from ipapython.ipautil import run
|
|
||||||
from ipalib.constants import PATTERN_GROUPUSER_NAME
|
|
||||||
from ipalib.util import validate_hostname
|
|
||||||
-from ipalib import api
|
|
||||||
|
|
||||||
logger = logging.getLogger(__name__)
|
|
||||||
|
|
||||||
@@ -39,7 +38,9 @@ def validate_principal(principal):
|
|
||||||
if ('/' in principal) and (' ' in principal):
|
|
||||||
raise RuntimeError('Invalid principal: bad spacing')
|
|
||||||
else:
|
|
||||||
- realm = None
|
|
||||||
+ # For a user match in the regex
|
|
||||||
+ # username = match[1]
|
|
||||||
+ # realm = match[2]
|
|
||||||
match = user_pattern.match(principal)
|
|
||||||
if match is None:
|
|
||||||
match = service_pattern.match(principal)
|
|
||||||
@@ -48,16 +49,11 @@ def validate_principal(principal):
|
|
||||||
else:
|
|
||||||
# service = match[1]
|
|
||||||
hostname = match[2]
|
|
||||||
- realm = match[3]
|
|
||||||
+ # realm = match[3]
|
|
||||||
try:
|
|
||||||
validate_hostname(hostname)
|
|
||||||
except ValueError as e:
|
|
||||||
raise RuntimeError(str(e))
|
|
||||||
- else: # user match, validate realm
|
|
||||||
- # username = match[1]
|
|
||||||
- realm = match[2]
|
|
||||||
- if realm and 'realm' in api.env and realm != api.env.realm:
|
|
||||||
- raise RuntimeError('Invalid principal: realm mismatch')
|
|
||||||
|
|
||||||
|
|
||||||
def kinit_keytab(principal, keytab, ccache_name, config=None, attempts=1):
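Review bot: With the realm comparison gone, the realm capture groups in `PATTERN_PRINCIPAL` and `PATTERN_SERVICE` are matched but never read, and the hunk leaves behind three commented-out assignments (`# username = match[1]`, `# realm = match[2]`, `# realm = match[3]`) as the only record of what the groups mean; named groups (`(?P<hostname>[a-zA-Z0-9.-]+)` and `(?P<realm>...)`) with `match['hostname']` would make the captures self-describing and let the dead comments go. A one-line note on the function, such as `# Realm is intentionally not checked: trusted-forest realms are legal here`, would also preserve the reasoning from the commit message where the next reader will look for it. The function begins before this hunk.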
|
|
||||||
diff --git a/ipatests/test_ipalib_install/test_kinit.py b/ipatests/test_ipalib_install/test_kinit.py
|
|
||||||
index f89ea17..8289c4b 100644
|
|
||||||
--- a/ipatests/test_ipalib_install/test_kinit.py
|
|
||||||
+++ b/ipatests/test_ipalib_install/test_kinit.py
|
|
||||||
@@ -17,13 +17,16 @@ from ipalib.install.kinit import validate_principal
|
|
||||||
('test/ipa.example.test@EXAMPLE.TEST', None),
|
|
||||||
('test/ipa@EXAMPLE.TEST', RuntimeError),
|
|
||||||
('test/-ipa.example.test@EXAMPLE.TEST', RuntimeError),
|
|
||||||
- ('test/ipa.1example.test@EXAMPLE.TEST', RuntimeError),
|
|
||||||
+ ('test/ipa.1example.test@EXAMPLE.TEST', None),
|
|
||||||
('test /ipa.example,test', RuntimeError),
|
|
||||||
- ('testuser@OTHER.TEST', RuntimeError),
|
|
||||||
- ('test/ipa.example.test@OTHER.TEST', RuntimeError),
|
|
||||||
+ ('testuser@OTHER.TEST', None),
|
|
||||||
+ ('test/ipa.example.test@OTHER.TEST', None)
|
|
||||||
])
|
|
||||||
def test_validate_principal(principal, exception):
|
|
||||||
try:
|
|
||||||
validate_principal(principal)
|
|
||||||
except Exception as e:
|
|
||||||
assert e.__class__ == exception
|
|
||||||
+ else:
|
|
||||||
+ if exception is not None:
|
|
||||||
+ raise RuntimeError('Test should have failed')
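Review bot: The `try`/`except Exception`/`else` shape with `raise RuntimeError('Test should have failed')` re-implements `pytest.raises`, and the broad `except Exception` turns any unrelated failure (an import error, a TypeError) into a confusing `e.__class__ == exception` assertion rather than a traceback; splitting on `exception is None` and using `pytest.raises` for the other branch makes the intent plain and reports failures properly. Corrected expectations such as `('test/ipa.1example.test@EXAMPLE.TEST', None)` deserve a short comment (`# digit-leading labels are valid hostnames`) so the flip is not mistaken for a loosening.
```python
def test_validate_principal(principal, exception):
    if exception is None:
        validate_principal(principal)
    else:
        with pytest.raises(exception):
            validate_principal(principal)
```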
|
|
||||||
|
|
|
@ -1,43 +0,0 @@
|
||||||
From d7c1ba0672fc8964f7674a526f3019429a551372 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Date: Mar 06 2024 08:34:57 +0000
|
|
||||||
Subject: Vault: add additional fallback to RSA-OAEP wrapping algo
|
|
||||||
|
|
||||||
|
|
||||||
There is a fallback when creating the wrapping key but one was missing
|
|
||||||
when trying to use the cached transport_cert.
|
|
||||||
|
|
||||||
This allows, along with forcing keyWrap.useOAEP=true, vault creation
|
|
||||||
on an nCipher HSM.
|
|
||||||
|
|
||||||
This can be seen in HSMs where the device doesn't support the
|
|
||||||
PKCS#1 v1.5 mechanism. It will error out with either "invalid
|
|
||||||
algorithm" or CKR_FUNCTION_FAILED.
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/9191
|
|
||||||
|
|
||||||
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/ipaclient/plugins/vault.py b/ipaclient/plugins/vault.py
|
|
||||||
index ed16c73..1523187 100644
|
|
||||||
--- a/ipaclient/plugins/vault.py
|
|
||||||
+++ b/ipaclient/plugins/vault.py
|
|
||||||
@@ -757,8 +757,12 @@ class ModVaultData(Local):
|
|
||||||
Calls the internal counterpart of the command.
|
|
||||||
"""
|
|
||||||
# try call with cached transport certificate
|
|
||||||
- result = self._do_internal(algo, transport_cert, False,
|
|
||||||
- False, *args, **options)
|
|
||||||
+ try:
|
|
||||||
+ result = self._do_internal(algo, transport_cert, False,
|
|
||||||
+ False, *args, **options)
|
|
||||||
+ except errors.EncodingError:
|
|
||||||
+ result = self._do_internal(algo, transport_cert, False,
|
|
||||||
+ True, *args, **options)
|
|
||||||
if result is not None:
|
|
||||||
return result
|
|
||||||
|
|
||||||
|
|
|
@ -1,50 +0,0 @@
|
||||||
From 656a11ae961f8d1afad54567cfe8ccb53e084a67 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Mar 20 2024 10:06:07 +0000
|
|
||||||
Subject: dcerpc: invalidate forest trust info cache when filtering out realm domains
|
|
||||||
|
|
||||||
|
|
||||||
When get_realmdomains() method is called, it will filter out subdomains
|
|
||||||
of the IPA primary domain. This is required because Active Directory
|
|
||||||
domain controllers are assuming subdomains already covered by the main
|
|
||||||
domain namespace.
|
|
||||||
|
|
||||||
[MS-LSAD] 3.1.4.7.16.1, 'Forest Trust Collision Generation' defines the
|
|
||||||
method of validating the forest trust information. They are the same as
|
|
||||||
rules in [MS-ADTS] section 6.1.6. Specifically,
|
|
||||||
|
|
||||||
- A top-level name must not be superior to an enabled top-level name
|
|
||||||
for another trusted domain object, unless the current trusted domain
|
|
||||||
object has a corresponding exclusion record.
|
|
||||||
|
|
||||||
In practice, we filtered those subdomains already but the code wasn't
|
|
||||||
invalidating a previously retrieved forest trust information.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9551
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
|
|
||||||
index b6139db..7ee553d 100644
|
|
||||||
--- a/ipaserver/dcerpc.py
|
|
||||||
+++ b/ipaserver/dcerpc.py
|
|
||||||
@@ -1103,6 +1103,7 @@ class TrustDomainInstance:
|
|
||||||
|
|
||||||
info.count = len(ftinfo_records)
|
|
||||||
info.entries = ftinfo_records
|
|
||||||
+ another_domain.ftinfo_data = info
|
|
||||||
return info
|
|
||||||
|
|
||||||
def clear_ftinfo_conflict(self, another_domain, cinfo):
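Review bot: `another_domain.ftinfo_data = info` creates an attribute on the peer object from inside this method; unless `ftinfo_data` is also initialised in the class constructor (not visible here), any code that reads it before this method has run gets an AttributeError instead of "no cached info". The second hunk resets `self.local_domain.ftinfo_data = None` on the local side, which suggests the attribute is expected to always exist, so initialising it to `None` in `__init__` (or reading it with `getattr(domain, 'ftinfo_data', None)` at the consumer) would make the cache state explicit. A comment such as `# cache the generated forest trust info so later conflict handling sees the filtered set` would also tie the assignment to the issue being fixed. The enclosing method starts before this hunk.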
|
|
||||||
@@ -1778,6 +1779,7 @@ class TrustDomainJoins:
|
|
||||||
return
|
|
||||||
|
|
||||||
self.local_domain.ftinfo_records = []
|
|
||||||
+ self.local_domain.ftinfo_data = None
|
|
||||||
|
|
||||||
realm_domains = self.api.Command.realmdomains_show()['result']
|
|
||||||
# Use realmdomains' modification timestamp
|
|
||||||
|
|
|
@ -1,335 +0,0 @@
|
||||||
From 3bba254ccdcf9b62fdd8a6d71baecf37c97c300c Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Mon, 3 Apr 2023 08:37:28 +0200
|
|
||||||
Subject: [PATCH] ipatests: mark known failures for autoprivategroup
|
|
||||||
|
|
||||||
Two tests have known issues in test_trust.py with sssd 2.8.2+:
|
|
||||||
- TestNonPosixAutoPrivateGroup::test_idoverride_with_auto_private_group
|
|
||||||
(when called with the "hybrid" parameter)
|
|
||||||
- TestPosixAutoPrivateGroup::test_only_uid_number_auto_private_group_default
|
|
||||||
(when called with the "true" parameter)
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/9295
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_trust.py | 17 ++++++++++++-----
|
|
||||||
1 file changed, 12 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
|
||||||
index 0d5b71cb0..12f000c1a 100644
|
|
||||||
--- a/ipatests/test_integration/test_trust.py
|
|
||||||
+++ b/ipatests/test_integration/test_trust.py
|
|
||||||
@@ -1154,11 +1154,15 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
self.gid_override
|
|
||||||
):
|
|
||||||
self.mod_idrange_auto_private_group(type)
|
|
||||||
- (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
|
|
||||||
- assert (uid == self.uid_override and gid == self.gid_override)
|
|
||||||
+ sssd_version = tasks.get_sssd_version(self.clients[0])
|
|
||||||
+ bad_version = sssd_version >= tasks.parse_version("2.8.2")
|
|
||||||
+ cond = (type == 'hybrid') and bad_version
|
|
||||||
+ with xfail_context(condition=cond,
|
|
||||||
+ reason="https://pagure.io/freeipa/issue/9295"):
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], nonposixuser)
|
|
||||||
+ assert (uid == self.uid_override and gid == self.gid_override)
|
|
||||||
test_group = self.clients[0].run_command(
|
|
||||||
["id", nonposixuser]).stdout_text
|
|
||||||
- # version = tasks.get_sssd_version(self.clients[0])
|
|
||||||
with xfail_context(type == "hybrid",
|
|
||||||
'https://github.com/SSSD/sssd/issues/5989'):
|
|
||||||
assert "domain users@{0}".format(self.ad_domain) in test_group
|
|
||||||
@@ -1232,8 +1236,11 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
posixuser = "testuser1@%s" % self.ad_domain
|
|
||||||
self.mod_idrange_auto_private_group(type)
|
|
||||||
if type == "true":
|
|
||||||
- (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
|
||||||
- assert uid == gid
|
|
||||||
+ sssd_version = tasks.get_sssd_version(self.clients[0])
|
|
||||||
+ with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
|
|
||||||
+ "https://pagure.io/freeipa/issue/9295"):
|
|
||||||
+ (uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
|
||||||
+ assert uid == gid
|
|
||||||
else:
|
|
||||||
for host in [self.master, self.clients[0]]:
|
|
||||||
result = host.run_command(['id', posixuser], raiseonerr=False)
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
||||||
From ed2a8eb0cefadfe0544074114facfef381349ae0 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Feb 12 2024 10:43:39 +0000
|
|
||||||
Subject: ipatests: add xfail for autoprivate group test with override
|
|
||||||
|
|
||||||
|
|
||||||
Because of SSSD issue 7169, secondary groups are not
|
|
||||||
retrieved when autoprivate group is set and an idoverride
|
|
||||||
replaces the user's primary group.
|
|
||||||
Mark the known issues as xfail.
|
|
||||||
|
|
||||||
Related: https://github.com/SSSD/sssd/issues/7169
|
|
||||||
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
|
||||||
index 3b9f0fb..2b94514 100644
|
|
||||||
--- a/ipatests/test_integration/test_trust.py
|
|
||||||
+++ b/ipatests/test_integration/test_trust.py
|
|
||||||
@@ -1164,8 +1164,12 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
assert (uid == self.uid_override and gid == self.gid_override)
|
|
||||||
test_group = self.clients[0].run_command(
|
|
||||||
["id", nonposixuser]).stdout_text
|
|
||||||
- with xfail_context(type == "hybrid",
|
|
||||||
- 'https://github.com/SSSD/sssd/issues/5989'):
|
|
||||||
+ cond2 = ((type == 'false'
|
|
||||||
+ and sssd_version >= tasks.parse_version("2.9.4"))
|
|
||||||
+ or type == 'hybrid')
|
|
||||||
+ with xfail_context(cond2,
|
|
||||||
+ 'https://github.com/SSSD/sssd/issues/5989 '
|
|
||||||
+ 'and 7169'):
|
|
||||||
assert "domain users@{0}".format(self.ad_domain) in test_group
|
|
||||||
|
|
||||||
@pytest.mark.parametrize('type', ['hybrid', 'true', "false"])
|
|
||||||
@@ -1287,5 +1291,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
assert(uid == self.uid_override
|
|
||||||
and gid == self.gid_override)
|
|
||||||
result = self.clients[0].run_command(['id', posixuser])
|
|
||||||
- assert "10047(testgroup@{0})".format(
|
|
||||||
- self.ad_domain) in result.stdout_text
|
|
||||||
+ sssd_version = tasks.get_sssd_version(self.clients[0])
|
|
||||||
+ bad_version = sssd_version >= tasks.parse_version("2.9.4")
|
|
||||||
+ with xfail_context(bad_version and type in ('false', 'hybrid'),
|
|
||||||
+ "https://github.com/SSSD/sssd/issues/7169"):
|
|
||||||
+ assert "10047(testgroup@{0})".format(
|
|
||||||
+ self.ad_domain) in result.stdout_text
|
|
||||||
|
|
||||||
From d5392300d77170ea3202ee80690ada8bf81b60b5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Feb 12 2024 10:44:47 +0000
|
|
||||||
Subject: ipatests: remove xfail thanks to sssd 2.9.4
|
|
||||||
|
|
||||||
|
|
||||||
SSSD 2.9.4 fixes some issues related to auto-private-group
|
|
||||||
|
|
||||||
Related: https://pagure.io/freeipa/issue/9295
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Anuja More <amore@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
|
|
||||||
index 12f000c..3b9f0fb 100644
|
|
||||||
--- a/ipatests/test_integration/test_trust.py
|
|
||||||
+++ b/ipatests/test_integration/test_trust.py
|
|
||||||
@@ -1155,7 +1155,8 @@ class TestNonPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
):
|
|
||||||
self.mod_idrange_auto_private_group(type)
|
|
||||||
sssd_version = tasks.get_sssd_version(self.clients[0])
|
|
||||||
- bad_version = sssd_version >= tasks.parse_version("2.8.2")
|
|
||||||
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
|
|
||||||
+ < tasks.parse_version("2.9.4"))
|
|
||||||
cond = (type == 'hybrid') and bad_version
|
|
||||||
with xfail_context(condition=cond,
|
|
||||||
reason="https://pagure.io/freeipa/issue/9295"):
|
|
||||||
@@ -1237,7 +1238,9 @@ class TestPosixAutoPrivateGroup(BaseTestTrust):
|
|
||||||
self.mod_idrange_auto_private_group(type)
|
|
||||||
if type == "true":
|
|
||||||
sssd_version = tasks.get_sssd_version(self.clients[0])
|
|
||||||
- with xfail_context(sssd_version >= tasks.parse_version("2.8.2"),
|
|
||||||
+ bad_version = (tasks.parse_version("2.8.2") <= sssd_version
|
|
||||||
+ < tasks.parse_version("2.9.4"))
|
|
||||||
+ with xfail_context(bad_version,
|
|
||||||
"https://pagure.io/freeipa/issue/9295"):
|
|
||||||
(uid, gid) = self.get_user_id(self.clients[0], posixuser)
|
|
||||||
assert uid == gid
|
|
||||||
|
|
||||||
From 34d048ede0c439b3a53e02f8ace96ff91aa1609d Mon Sep 17 00:00:00 2001
|
|
||||||
From: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Date: Mar 14 2023 16:50:25 +0000
|
|
||||||
Subject: ipatests: adapt for new automembership fixup behavior
|
|
||||||
|
|
||||||
|
|
||||||
The automembership fixup task now needs to be called
|
|
||||||
with --cleanup argument when the user expects automember
|
|
||||||
to remove user/hosts from automember groups.
|
|
||||||
Update the test to create a cleanup task equivalent to
|
|
||||||
dsconf plugin automember fixup --cleanup
|
|
||||||
when it is needed.
|
|
||||||
|
|
||||||
Fixes: https://pagure.io/freeipa/issue/9313
|
|
||||||
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
|
|
||||||
---
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_automember.py b/ipatests/test_integration/test_automember.py
|
|
||||||
index 7acd0d7..8b27f4d 100644
|
|
||||||
--- a/ipatests/test_integration/test_automember.py
|
|
||||||
+++ b/ipatests/test_integration/test_automember.py
|
|
||||||
@@ -4,6 +4,7 @@
|
|
||||||
"""This covers tests for automemberfeature."""
|
|
||||||
|
|
||||||
from __future__ import absolute_import
|
|
||||||
+import uuid
|
|
||||||
|
|
||||||
from ipapython.dn import DN
|
|
||||||
|
|
||||||
@@ -211,11 +212,27 @@ class TestAutounmembership(IntegrationTest):
|
|
||||||
# Running automember-build so that user is part of correct group
|
|
||||||
result = self.master.run_command(['ipa', 'automember-rebuild',
|
|
||||||
'--users=%s' % user2])
|
|
||||||
+ assert msg in result.stdout_text
|
|
||||||
+
|
|
||||||
+ # The additional --cleanup argument is required
|
|
||||||
+ cleanup_ldif = (
|
|
||||||
+ "dn: cn={cn},cn=automember rebuild membership,"
|
|
||||||
+ "cn=tasks,cn=config\n"
|
|
||||||
+ "changetype: add\n"
|
|
||||||
+ "objectclass: top\n"
|
|
||||||
+ "objectclass: extensibleObject\n"
|
|
||||||
+ "basedn: cn=users,cn=accounts,{suffix}\n"
|
|
||||||
+ "filter: (uid={user})\n"
|
|
||||||
+ "cleanup: yes\n"
|
|
||||||
+ "scope: sub"
|
|
||||||
+ ).format(cn=str(uuid.uuid4()),
|
|
||||||
+ suffix=str(self.master.domain.basedn),
|
|
||||||
+ user=user2)
|
|
||||||
+ tasks.ldapmodify_dm(self.master, cleanup_ldif)
|
|
||||||
+
|
|
||||||
assert self.is_user_member_of_group(user2, group2)
|
|
||||||
assert not self.is_user_member_of_group(user2, group1)
|
|
||||||
|
|
||||||
- assert msg in result.stdout_text
|
|
||||||
-
|
|
||||||
finally:
|
|
||||||
# testcase cleanup
|
|
||||||
self.remove_user_automember(user2, raiseonerr=False)
|
|
||||||
@@ -248,11 +265,27 @@ class TestAutounmembership(IntegrationTest):
|
|
||||||
result = self.master.run_command(
|
|
||||||
['ipa', 'automember-rebuild', '--hosts=%s' % host2]
|
|
||||||
)
|
|
||||||
+ assert msg in result.stdout_text
|
|
||||||
+
|
|
||||||
+ # The additional --cleanup argument is required
|
|
||||||
+ cleanup_ldif = (
|
|
||||||
+ "dn: cn={cn},cn=automember rebuild membership,"
|
|
||||||
+ "cn=tasks,cn=config\n"
|
|
||||||
+ "changetype: add\n"
|
|
||||||
+ "objectclass: top\n"
|
|
||||||
+ "objectclass: extensibleObject\n"
|
|
||||||
+ "basedn: cn=computers,cn=accounts,{suffix}\n"
|
|
||||||
+ "filter: (fqdn={fqdn})\n"
|
|
||||||
+ "cleanup: yes\n"
|
|
||||||
+ "scope: sub"
|
|
||||||
+ ).format(cn=str(uuid.uuid4()),
|
|
||||||
+ suffix=str(self.master.domain.basedn),
|
|
||||||
+ fqdn=host2)
|
|
||||||
+ tasks.ldapmodify_dm(self.master, cleanup_ldif)
|
|
||||||
+
|
|
||||||
assert self.is_host_member_of_hostgroup(host2, hostgroup2)
|
|
||||||
assert not self.is_host_member_of_hostgroup(host2, hostgroup1)
|
|
||||||
|
|
||||||
- assert msg in result.stdout_text
|
|
||||||
-
|
|
||||||
finally:
|
|
||||||
# testcase cleanup
|
|
||||||
self.remove_host_automember(host2, raiseonerr=False)
|
|
||||||
|
|
||||||
From 9b777390fbb6d4c683bf7d3e5f74d5443209b1d5 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Date: Fri, 24 Mar 2023 08:15:00 +0200
|
|
||||||
Subject: [PATCH] test_xmlrpc: adopt to automember plugin message changes in
|
|
||||||
389-ds
|
|
||||||
|
|
||||||
Another change in automember plugin messaging that breaks FreeIPA tests.
|
|
||||||
Use common substring to match.
|
|
||||||
|
|
||||||
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_xmlrpc/xmlrpc_test.py | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
|
|
||||||
index cf11721bfca..5fe1245dc65 100644
|
|
||||||
--- a/ipatests/test_xmlrpc/xmlrpc_test.py
|
|
||||||
+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
|
|
||||||
@@ -64,7 +64,7 @@ def test(xs):
|
|
||||||
|
|
||||||
# Matches an automember task finish message
|
|
||||||
fuzzy_automember_message = Fuzzy(
|
|
||||||
- r'^Automember rebuild task finished\. Processed \(\d+\) entries\.$'
|
|
||||||
+ r'^Automember rebuild task finished\. Processed \(\d+\) entries'
|
|
||||||
)
|
|
||||||
|
|
||||||
# Matches trusted domain GUID, like u'463bf2be-3456-4a57-979e-120304f2a0eb'
|
|
||||||
From 8e8b97a2251329aec9633a5c7c644bc5034bc8c2 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Sudhir Menon <sumenon@redhat.com>
|
|
||||||
Date: Wed, 20 Mar 2024 14:29:46 +0530
|
|
||||||
Subject: [PATCH] ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation
|
|
||||||
testcases.
|
|
||||||
|
|
||||||
Currently the test is using IPA_NSSDB_PWDFILE_TXT which is /etc/ipa/nssdb/pwdfile.txt
|
|
||||||
which causes an error in STIG mode.
|
|
||||||
|
|
||||||
[root@master slapd-TESTRELM-TEST]# certutil -M -n 'TESTRELM.TEST IPA CA' -t ',,' -d . -f /etc/ipa/nssdb/pwdfile.txt
|
|
||||||
Incorrect password/PIN entered.
|
|
||||||
|
|
||||||
Hence modified the test to include paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt.
|
|
||||||
|
|
||||||
Signed-off-by: Sudhir Menon <sumenon@redhat.com>
|
|
||||||
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
|
|
||||||
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
|
|
||||||
---
|
|
||||||
ipatests/test_integration/test_ipahealthcheck.py | 11 ++++++-----
|
|
||||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/ipatests/test_integration/test_ipahealthcheck.py b/ipatests/test_integration/test_ipahealthcheck.py
|
|
||||||
index 8aae9fad776..a96de7088aa 100644
|
|
||||||
--- a/ipatests/test_integration/test_ipahealthcheck.py
|
|
||||||
+++ b/ipatests/test_integration/test_ipahealthcheck.py
|
|
||||||
@@ -2731,17 +2731,18 @@ def remove_server_cert(self):
|
|
||||||
Fixture to remove Server cert and revert the change.
|
|
||||||
"""
|
|
||||||
instance = realm_to_serverid(self.master.domain.realm)
|
|
||||||
+ instance_dir = paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
|
||||||
self.master.run_command(
|
|
||||||
[
|
|
||||||
"certutil",
|
|
||||||
"-L",
|
|
||||||
"-d",
|
|
||||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
|
|
||||||
+ instance_dir,
|
|
||||||
"-n",
|
|
||||||
"Server-Cert",
|
|
||||||
"-a",
|
|
||||||
"-o",
|
|
||||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
|
||||||
+ instance_dir
|
|
||||||
+ "/Server-Cert.pem",
|
|
||||||
]
|
|
||||||
)
|
|
||||||
@@ -2760,15 +2761,15 @@ def remove_server_cert(self):
|
|
||||||
[
|
|
||||||
"certutil",
|
|
||||||
"-d",
|
|
||||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance,
|
|
||||||
+ instance_dir,
|
|
||||||
"-A",
|
|
||||||
"-i",
|
|
||||||
- paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE % instance
|
|
||||||
+ instance_dir
|
|
||||||
+ "/Server-Cert.pem",
|
|
||||||
"-t",
|
|
||||||
"u,u,u",
|
|
||||||
"-f",
|
|
||||||
- paths.IPA_NSSDB_PWDFILE_TXT,
|
|
||||||
+ "%s/pwdfile.txt" % instance_dir,
|
|
||||||
"-n",
|
|
||||||
"Server-Cert",
|
|
||||||
]
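Review bot: The commit description says the test was changed to use `paths.ETC_DIRSRV_SLAPD_INSTANCE_TEMPLATE/pwd.txt`, but the code passes `"%s/pwdfile.txt" % instance_dir` to `certutil -f`; one of the two should be corrected so the next reader does not hunt for a nonexistent file. Within the same argument list the path is built two different ways, `instance_dir + "/Server-Cert.pem"` and `"%s/pwdfile.txt" % instance_dir`; picking one form, e.g. `os.path.join(instance_dir, "pwdfile.txt")` if `os` is already imported in this module, would make the hunk easier to read. The first hunk (`@@ -2731,17 +2731,18 @@`) has the same mixed style. The `remove_server_cert` fixture body continues outside this hunk.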
|
|
|
@ -81,8 +81,7 @@
|
||||||
|
|
||||||
# Fix for TLS 1.3 PHA, RHBZ#1775158
|
# Fix for TLS 1.3 PHA, RHBZ#1775158
|
||||||
%global httpd_version 2.4.37-21
|
%global httpd_version 2.4.37-21
|
||||||
# Fix for RHEL-25649
|
%global bind_version 9.11.20-6
|
||||||
%global bind_version 9.11.36-14
|
|
||||||
|
|
||||||
%else
|
%else
|
||||||
# Fedora
|
# Fedora
|
||||||
|
@ -190,7 +189,7 @@
|
||||||
|
|
||||||
Name: %{package_name}
|
Name: %{package_name}
|
||||||
Version: %{IPA_VERSION}
|
Version: %{IPA_VERSION}
|
||||||
Release: 9%{?rc_version:.%rc_version}%{?dist}
|
Release: 7%{?rc_version:.%rc_version}%{?dist}
|
||||||
Summary: The Identity, Policy and Audit system
|
Summary: The Identity, Policy and Audit system
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
|
@ -231,10 +230,6 @@ Patch0019: 0019-Vault-add-support-for-RSA-OAEP-wrapping-algo.patch
|
||||||
Patch0020: 0020-Vault-improve-vault-server-archival-retrieval-calls-.patch
|
Patch0020: 0020-Vault-improve-vault-server-archival-retrieval-calls-.patch
|
||||||
Patch0021: 0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch
|
Patch0021: 0021-kra-set-RSA-OAEP-as-default-wrapping-algo-when-FIPS-.patch
|
||||||
Patch0022: 0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
|
Patch0022: 0022-ipa-kdb-Fix-double-free-in-ipadb_reinit_mspac.patch
|
||||||
Patch0023: 0023-rpcserver-validate-Kerberos-principal-name-before-running-kinit_rhel#26153.patch
|
|
||||||
Patch0024: 0024-Vault-add-additional-fallback-to-RSA-OAEP-wrapping-algo_rhel#28259.patch
|
|
||||||
Patch0025: 0025-dcerpc-invalidate-forest-trust-intfo-cache-when-filtering-out-realm-domains_rhel#28559.patch
|
|
||||||
Patch0026: 0026-backport-test-fixes_rhel#29908.patch
|
|
||||||
%if 0%{?rhel} >= 8
|
%if 0%{?rhel} >= 8
|
||||||
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
|
||||||
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
Patch1002: 1002-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
|
||||||
|
@ -1750,23 +1745,6 @@ fi
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Fri Apr 12 2024 Rafael Jeffman <rjeffman@redhat.com> - 9.4.13-9
|
|
||||||
- dcerpc: invalidate forest trust intfo cache when filtering out realm domains
|
|
||||||
Resolves: RHEL-28559
|
|
||||||
- Backport latests test fixes in python3-tests
|
|
||||||
ipatests: add xfail for autoprivate group test with override
|
|
||||||
ipatests: remove xfail thanks to sssd 2.9.4
|
|
||||||
ipatests: adapt for new automembership fixup behavior
|
|
||||||
ipatests: Fixes for test_ipahealthcheck_ipansschainvalidation testcases
|
|
||||||
test_xmlrpc: adopt to automember plugin message changes in 389-ds
|
|
||||||
Resolves: RHEL-29908
|
|
||||||
|
|
||||||
* Thu Mar 07 2024 Rafael Jeffman <rjeffman@redhat.com> - 4.9.13-8
|
|
||||||
- rpcserver: validate Kerberos principal name before running kinit
|
|
||||||
Resolves: RHEL-26153
|
|
||||||
- Vault: add additional fallback to RSA-OAEP wrapping algo
|
|
||||||
Resolves: RHEL-28259
|
|
||||||
|
|
||||||
* Tue Feb 20 2024 Julien Rische <jrische@redhat.com> - 4.9.13-7
|
* Tue Feb 20 2024 Julien Rische <jrische@redhat.com> - 4.9.13-7
|
||||||
- ipa-kdb: Fix double free in ipadb_reinit_mspac()
|
- ipa-kdb: Fix double free in ipadb_reinit_mspac()
|
||||||
Resolves: RHEL-25742
|
Resolves: RHEL-25742
|
||||||
|
|