The Identity, Policy and Audit system
CentOS Sources
2014-11-10 8f4e668e5f13f8c069944c4e73ef82980690fdb1
import ipa-3.3.3-28.el7_0.3
5 files added
1 files deleted
1 files modified
297 ■■■■■ changed files
SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch 33 ●●●●● patch | view | raw | blame | history
SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch 80 ●●●●● patch | view | raw | blame | history
SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch 29 ●●●●● patch | view | raw | blame | history
SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch 67 ●●●●● patch | view | raw | blame | history
SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch 54 ●●●●● patch | view | raw | blame | history
SOURCES/ipa-centos-branding.patch 12 ●●●●● patch | view | raw | blame | history
SPECS/ipa.spec 22 ●●●● patch | view | raw | blame | history
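--- /dev/null
+++ b/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch
@@ -0,0 +1,33 @@
+From f2acf0d67bab3f3797c387705f93c3a3d0164134 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:19:45 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: if search of a closest GC failed, try to
+ find any GC
+https://fedorahosted.org/freeipa/ticket/4458
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index f1c75089b875787debcee22316a4898b424d923f..b11476a262ccce4315131b9ffbd93b625de940e7 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -588,7 +588,11 @@ class DomainValidator(object):
+         try:
+             result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC | nbt.NBT_SERVER_CLOSEST)
+         except RuntimeError, e:
+-            finddc_error = e
++            try:
++                # If search of closest GC failed, attempt to find any one
++                result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC)
++            except RuntimeError, e:
++                finddc_error = e
+         if not self._domains:
+             self._domains = self.get_trusted_domains()
+--
+1.9.3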
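Review bot: When the fallback `result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC)` succeeds, the exception from the site-aware lookup is discarded without a trace, so a broken site topology that silently pushes every trust operation onto a remote GC leaves nothing in the logs to diagnose. Log it before retrying, e.g. `root_logger.debug('closest GC lookup for %s failed, trying any GC: %s', domain, e)` as the first line of the outer handler; `root_logger` is used elsewhere in this module (see patch 0071), though its import is not visible here. The inner `except RuntimeError, e` rebinds the same name, so after the retry only the second error is reachable through `finddc_error`. The enclosing method starts and ends outside the hunk.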
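--- /dev/null
+++ b/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch
@@ -0,0 +1,80 @@
+From 41b252a5b47f57919bf98c41947d5927ed0d5aaf Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:21:21 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: make PDC discovery more robust
+Certain operations against AD domain controller can only be done if its
+FSMO role is primary domain controller. We need to use writable DC and
+PDC when creating trust and updating name suffix routing information.
+https://fedorahosted.org/freeipa/ticket/4479
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index b11476a262ccce4315131b9ffbd93b625de940e7..78bfc5dbefc778519c5db0ac12d6551710257ba9 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -706,16 +706,19 @@ class TrustDomainInstance(object):
+         binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
+         return [binding_template(t, remote_host, o) for t in transports for o in options]
+-    def retrieve_anonymously(self, remote_host, discover_srv=False):
++    def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False):
+         """
+         When retrieving DC information anonymously, we can't get SID of the domain
+         """
+         netrc = net.Net(creds=self.creds, lp=self.parm)
++        flags = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE
++        if search_pdc:
++            flags = flags | nbt.NBT_SERVER_PDC
+         try:
+             if discover_srv:
+-                result = netrc.finddc(domain=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
++                result = netrc.finddc(domain=remote_host, flags=flags)
+             else:
+-                result = netrc.finddc(address=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
++                result = netrc.finddc(address=remote_host, flags=flags)
+         except RuntimeError, e:
+             raise assess_dcerpc_exception(message=str(e))
+@@ -726,6 +729,7 @@ class TrustDomainInstance(object):
+         self.info['dns_forest'] = unicode(result.forest)
+         self.info['guid'] = unicode(result.domain_uuid)
+         self.info['dc'] = unicode(result.pdc_dns_name)
++        self.info['is_pdc'] = (result.server_type & nbt.NBT_SERVER_PDC) != 0
+         # Netlogon response doesn't contain SID of the domain.
+         # We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID control to reveal the SID
+@@ -774,6 +778,13 @@ class TrustDomainInstance(object):
+         self.info['sid'] = unicode(result.sid)
+         self.info['dc'] = remote_host
++        try:
++            result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE)
++        except RuntimeError, (num, message):
++            raise assess_dcerpc_exception(num=num, message=message)
++
++        self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY)
++
+     def generate_auth(self, trustdom_secret):
+         def arcfour_encrypt(key, data):
+             c = RC4.RC4(key)
+@@ -1069,9 +1080,9 @@ class TrustDomainJoins(object):
+         rd.creds.set_anonymous()
+         rd.creds.set_workstation(self.local_domain.hostname)
+         if realm_server is None:
+-            rd.retrieve_anonymously(realm, discover_srv=True)
++            rd.retrieve_anonymously(realm, discover_srv=True, search_pdc=True)
+         else:
+-            rd.retrieve_anonymously(realm_server, discover_srv=False)
++            rd.retrieve_anonymously(realm_server, discover_srv=False, search_pdc=True)
+         rd.read_only = True
+         if realm_admin and realm_passwd:
+             if 'name' in rd.info:
+--
+1.9.3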
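Review bot: The docstring of `retrieve_anonymously` is not updated for the new `search_pdc` parameter, so nothing in the signature says that it narrows discovery to the PDC emulator. Add a line such as `search_pdc: also require nbt.NBT_SERVER_PDC, so only a DC holding the PDC emulator role is accepted; self.info['is_pdc'] records what the reply claimed.` In this path `is_pdc` is taken from `result.server_type` of an unauthenticated discovery reply, whereas the credentialed path asks the LSA policy role via `QueryInfoPolicy2`; code that gates write operations on `info['is_pdc']` (patch 0071 does so for `update_ftinfo`) should rely on the latter. The `rd.read_only = True` line after the anonymous calls suggests the anonymous instance is not used for writes, but that line is context, not part of this change.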
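--- /dev/null
+++ b/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch
@@ -0,0 +1,29 @@
+From 027f61099c63c91aaac95a6c2b9d9a75e7b1f83e Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:23:58 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: be more open to what domains can be seen
+ through the forest trust
+https://fedorahosted.org/freeipa/ticket/4463
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 78bfc5dbefc778519c5db0ac12d6551710257ba9..fcf1e4e775868f17220cac3c0203cc67dba2f839 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1031,7 +1031,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None):
+     result = []
+     for t in domains.array:
+-        if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
++        if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and
+             (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
+             res = dict()
+             res['cn'] = unicode(t.dns_name)
+--
+1.9.3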
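Review bot: The rewritten condition packs a negated mask test and a second mask test into one parenthesised expression spanning two lines, which is easy to misread the next time the flag set is touched. Naming the two tests first reads better and keeps the intent visible: `is_primary = t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']`, `in_forest = t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST']`, then `if in_forest and not is_primary:`. The loop body and the rest of `fetch_domains` continue outside the hunk.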
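--- /dev/null
+++ b/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch
@@ -0,0 +1,67 @@
+From 079fdf41592559de96465080e81aa91252c01a3d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:24:27 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: Make sure trust is established only to
+ forest root domain
+Part of https://fedorahosted.org/freeipa/ticket/4463
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipalib/errors.py    | 16 ++++++++++++++++
+ ipaserver/dcerpc.py |  6 ++++++
+ 2 files changed, 22 insertions(+)
+diff --git a/ipalib/errors.py b/ipalib/errors.py
+index 716decb2b41baf5470a1dc23c0cfb5d1c995e5ff..405c5c3bfc25d9b024189be9fcf582052dd10dd3 100644
+--- a/ipalib/errors.py
++++ b/ipalib/errors.py
+@@ -810,6 +810,22 @@ class DeprecationError(InvocationError):
+     errno = 3015
+     format = _("Command '%(name)s' has been deprecated")
++class NotAForestRootError(InvocationError):
++    """
++    **3016** Raised when an attempt to establish trust is done against non-root domain
++             Forest root domain has the same name as the forest itself
++
++    For example:
++
++    >>> raise NotAForestRootError(forest='example.test', domain='jointops.test')
++    Traceback (most recent call last):
++      ...
++    NotAForestRootError: Domain 'jointops.test' is not a root domain for forest 'example.test'
++    """
++
++    errno = 3016
++    format = _("Domain '%(domain)s' is not a root domain for forest '%(forest)s'")
++
+ ##############################################################################
+ # 4000 - 4999: Execution errors
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index fcf1e4e775868f17220cac3c0203cc67dba2f839..41f373df3cc4365727200f3ca4667faac2f9e19c 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1143,6 +1143,9 @@ class TrustDomainJoins(object):
+                 realm_passwd
+             )
++        if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
++            raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
++
+         if not self.remote_domain.read_only:
+             trustdom_pass = samba.generate_random_password(128, 128)
+             self.get_realmdomains()
+@@ -1159,5 +1162,8 @@ class TrustDomainJoins(object):
+         if not(isinstance(self.remote_domain, TrustDomainInstance)):
+             self.populate_remote_domain(realm, realm_server, realm_passwd=None)
++        if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
++            raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
++
+         self.local_domain.establish_trust(self.remote_domain, trustdom_passwd)
+         return dict(local=self.local_domain, remote=self.remote_domain, verified=False)
+--
+1.9.3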
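Review bot: The forest-root check is pasted twice in `TrustDomainJoins` (both `if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:` lines, one in each dcerpc.py hunk), and it compares DNS names with a case-sensitive `!=`; if the domain and forest names returned by discovery ever differ only in case, a legitimate forest root is rejected with `NotAForestRootError`. Factor the check into one helper that normalises case before comparing and call it from both places. Whether the two names can actually arrive with different case is not visible here, so the normalisation is a precaution. Both enclosing methods start and end outside their hunks.
```python
    def _check_forest_root(self):
        # A trust may only be established with the forest root domain, whose
        # DNS name equals the forest name; DNS names are case-insensitive.
        domain = self.remote_domain.info['dns_domain']
        forest = self.remote_domain.info['dns_forest']
        if domain.lower() != forest.lower():
            raise errors.NotAForestRootError(forest=forest, domain=domain)

    # … unchanged: both call sites become `self._check_forest_root()` …
```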
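--- /dev/null
+++ b/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch
@@ -0,0 +1,54 @@
+From ba2a63da8bada8af988d8fb8931c0cdba2c7ceee Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:22:54 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: Avoid hitting issue with transitive
+ trusts on Windows Server prior to 2012
+http://msdn.microsoft.com/en-us/library/2a769a08-e023-459f-aebe-4fb3f595c0b7#id83
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 41f373df3cc4365727200f3ca4667faac2f9e19c..e779a12bae52ec8dac52e4a43854a8a3c601a043 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -900,7 +900,7 @@ class TrustDomainInstance(object):
+         info.sid = security.dom_sid(another_domain.info['sid'])
+         info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
+         info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
+-        info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
++        info.trust_attributes = 0
+         try:
+             dname = lsa.String()
+@@ -917,8 +917,6 @@ class TrustDomainInstance(object):
+         except RuntimeError, (num, message):
+             raise assess_dcerpc_exception(num=num, message=message)
+-        self.update_ftinfo(another_domain)
+-
+         # We should use proper trustdom handle in order to modify the
+         # trust settings. Samba insists this has to be done with LSA
+         # OpenTrustedDomain* calls, it is not enough to have a handle
+@@ -937,6 +935,15 @@ class TrustDomainInstance(object):
+             # server as that one doesn't support AES encryption types
+             pass
++        try:
++            info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
++            self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info)
++        except RuntimeError, e:
++            root_logger.error('unable to set trust to transitive: %s' % (str(e)))
++            pass
++        if self.info['is_pdc']:
++            self.update_ftinfo(another_domain)
++
+     def verify_trust(self, another_domain):
+         def retrieve_netlogon_info_2(domain, function_code, data):
+             try:
+--
+1.9.3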
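Review bot: A failure of `SetInformationTrustedDomain` is only logged and then swallowed, so the trust stays at the `info.trust_attributes = 0` it was created with (non-transitive) while the caller sees success; if tolerating this on pre-2012 servers is the intent, say so in a comment above the `except`, otherwise re-raise via `assess_dcerpc_exception` as the handler earlier in the same method does. Either way drop the redundant `pass` and hand the error to the logger lazily: `root_logger.error('unable to set trust to transitive: %s', e)`. `self.info['is_pdc']` is read with a plain subscript, which raises KeyError if this instance's info was filled by anything other than the two retrieve paths changed in patch 0068 — whether such a path exists is not visible here, so `self.info.get('is_pdc', False)` would be the defensive form. The enclosing method is not named in the hunk header and starts outside the hunk.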
SOURCES/ipa-centos-branding.patch
File was deleted
SPECS/ipa.spec
@@ -18,7 +18,7 @@
Name:           ipa
Version:        3.3.3
Release:        28%{?dist}.1
Release:        28%{?dist}.3
Summary:        The Identity, Policy and Audit system
Group:          System Environment/Base
@@ -94,6 +94,11 @@
Patch0064:      0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch
Patch0065:      0065-Make-ipa-client-automount-backwards-compatible.patch
Patch0066:      0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch
Patch0067:      0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch
Patch0068:      0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch
Patch0069:      0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch
Patch0070:      0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch
Patch0071:      0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch
Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -102,7 +107,6 @@
Patch1005:      1005-Remove-pylint-from-build-process.patch
Patch1006:      1006-Remove-i18test-from-build-process.patch
Patch1007:      1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
Patch1008:      ipa-centos-branding.patch
%if ! %{ONLY_CLIENT}
BuildRequires:  389-ds-base-devel >= 1.3.1
@@ -209,6 +213,9 @@
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.47.7
Requires: pki-ca >= 10.0.4
%if 0%{?rhel}
Requires: subscription-manager
%endif
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: python-dns
@@ -844,8 +851,15 @@
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
* Tue Sep 02 2014 CentOS Sources <bugs@centos.org> - 3.3.3-28.el7.centos.1
- Roll in CentOS Branding
* Fri Sep 19 2014 Jan Cholasta <jcholast@redhat.com> - 3.3.3-28.3
- Add one missing patch for #1144031
* Fri Sep 19 2014 Jan Cholasta <jcholast@redhat.com> - 3.3.3-28.2
- Implement a fallback for situation where no closest server available during
  trust setup (#1143779)
- trust-add should not be run with DCs without PDC role (#1144030)
- Improve handling of forest trust domains when establishing a cross-forest
  trust (#1144031)
* Thu Aug 14 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28.1
- Server installation fails using external signed certificates with