diff --git a/SOURCES/0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch b/SOURCES/0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch
new file mode 100644
index 0000000..e94b45c
--- /dev/null
+++ b/SOURCES/0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch
@@ -0,0 +1,59 @@
+From accc490a5f1db734c94e739d9b9638d44d60d21c Mon Sep 17 00:00:00 2001
+From: Aleksei Slaikovskii
+Date: Mon, 23 Oct 2017 11:17:32 +0200
+Subject: [PATCH] Add a notice to restart ipa services after certs are
+ installed
+
+Adding notice for user to restart services after
+ipa-server-certinstall.
+
+https://pagure.io/freeipa/issue/7016
+
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Rob Crittenden
+Reviewed-By: Alexander Bokovoy
+---
+ install/tools/man/ipa-server-certinstall.1 | 3 ++-
+ ipaserver/install/ipa_server_certinstall.py | 5 +++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1
+index 35cd8c6c711119d7c782c6a89ac78b4894cec073..00fd03b6bc2184ec2bbc099fd9799551c07d2390 100644
+--- a/install/tools/man/ipa-server-certinstall.1
++++ b/install/tools/man/ipa-server-certinstall.1
+@@ -28,7 +28,8 @@ PKCS#12 is a file format used to safely transport SSL certificates and public/pr
+ 
+ They may be generated and managed using the NSS pk12util command or the OpenSSL pkcs12 command.
+ 
+-The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory and/or Apache servers.
++The service(s) are not automatically restarted. In order to use the newly installed certificate(s) you will need to manually restart the Directory, Apache and/or Krb5kdc servers.
++
+ .SH "OPTIONS"
+ .TP
+ \fB\-d\fR, \fB\-\-dirsrv\fR
+diff --git a/ipaserver/install/ipa_server_certinstall.py b/ipaserver/install/ipa_server_certinstall.py
+index 9c8f6e81a802e1a87bab1fd15f729e10676fe3a3..ec283705a4038239ddf0c6bacaac200936ed04e8 100644
+--- a/ipaserver/install/ipa_server_certinstall.py
++++ b/ipaserver/install/ipa_server_certinstall.py
+@@ -17,6 +17,7 @@
+ # You should have received a copy of the GNU General Public License
+ # along with this program. If not, see .
+ #
++from __future__ import print_function
+ 
+ import os
+ import os.path
+@@ -121,6 +122,10 @@ class ServerCertInstall(admintool.AdminTool):
+ if self.options.kdc:
+ self.install_kdc_cert()
+ 
++ print(
++ "Please restart ipa services after installing certificate "
++ "(ipactl restart)")
++
+ api.Backend.ldap2.disconnect()
+ 
+ def install_dirsrv_cert(self):
+--
+2.14.3
+
diff --git a/SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch b/SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch
new file mode 100644
index 0000000..0c0e1b7
--- /dev/null
+++ b/SOURCES/0039-Fix-OTP-validation-in-FIPS-mode.patch
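Review bot: The notice printed after install_kdc_cert() tells the operator to run `ipactl restart`, while the man page hunk in the same patch tells them to restart the Directory, Apache and/or Krb5kdc servers individually; an operator following the man page can still leave the KDC serving the old certificate if they miss that third service, so the two texts should agree. A comment above the print would also record why it is there, e.g. `# Nothing in this tool restarts dirsrv/httpd/krb5kdc; the new certificate is only picked up on restart`, and the man page sentence could name `ipactl restart` as the one-shot alternative. The enclosing run() body starts and ends outside the hunk.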
@@ -0,0 +1,93 @@
+From 20ab0c731eea95327c8c2dc296461b612c6e98ae Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum
+Date: Wed, 21 Feb 2018 23:39:55 -0500
+Subject: [PATCH] Fix OTP validation in FIPS mode
+
+NSS doesn't allow keys to be loaded directly in FIPS mode. To work around
+this, we encrypt the input key using an ephemeral key and then unwrap the
+encrypted key.
+
+https://pagure.io/freeipa/issue/7168
+
+Reviewed-By: Rob Crittenden
+Reviewed-By: Christian Heimes
+Reviewed-By: Rob Crittenden
+---
+ daemons/ipa-slapi-plugins/libotp/hotp.c | 47 +++++++++++++++++++++++++++++++--
+ 1 file changed, 45 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
+index 619bc63ab1bee99d71c2f0fb887809762107c94c..0c9de96d37183e597867b736d6324db60fa1b3bb 100644
+--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
++++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
+@@ -46,6 +46,7 @@
+ #include
+ 
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -66,6 +67,49 @@ static const struct {
+ { }
+ };
+ 
++static PK11SymKey *
++import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
++{
++ uint8_t ct[(key->len / AES_BLOCK_SIZE + 1) * AES_BLOCK_SIZE];
++ uint8_t iv[AES_BLOCK_SIZE] = {};
++ SECItem ivitem = { .data = iv, .len = sizeof(iv), .type = siBuffer };
++ SECItem ctitem = { .data = ct, .len = sizeof(ct), .type = siBuffer };
++ PK11SymKey *ekey = NULL;
++ PK11SymKey *skey = NULL;
++
++ /* Try to import the key directly. */
++ skey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
++ CKA_SIGN, key, NULL);
++ if (skey)
++ return skey;
++
++ /* If we get here, we are probably in FIPS mode. Let's encrypt the key so
++ * that we can unseal it instead of loading it directly. */
++
++ /* Generate an ephemeral key. 
*/
++ ekey = PK11_TokenKeyGenWithFlags(slot, CKM_AES_CBC_PAD, NULL,
++ AES_128_KEY_LENGTH, NULL,
++ CKF_ENCRYPT | CKF_UNWRAP,
++ PK11_ATTR_SESSION |
++ PK11_ATTR_PRIVATE |
++ PK11_ATTR_SENSITIVE, NULL);
++ if (!ekey)
++ goto egress;
++
++ /* Encrypt the input key. */
++ if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
++ ctitem.len, key->data, key->len) != SECSuccess)
++ goto egress;
++
++ /* Unwrap the input key. */
++ skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
++ &ctitem, mech, CKA_SIGN, key->len);
++
++egress:
++ PK11_FreeSymKey(ekey);
++ return skey;
++}
++
+ /*
+ * This code is mostly cargo-cult taken from here:
+ * http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn5.html
+@@ -90,8 +134,7 @@ static bool hmac(SECItem *key, CK_MECHANISM_TYPE mech, const SECItem *in,
+ }
+ }
+ 
+- symkey = PK11_ImportSymKey(slot, mech, PK11_OriginUnwrap,
+- CKA_SIGN, key, NULL);
++ symkey = import_key(slot, mech, key);
+ if (symkey == NULL)
+ goto done;
+ 
+--
+2.14.3
+
diff --git a/SOURCES/0040-Increase-the-default-token-key-size.patch b/SOURCES/0040-Increase-the-default-token-key-size.patch
new file mode 100644
index 0000000..77a44f8
--- /dev/null
+++ b/SOURCES/0040-Increase-the-default-token-key-size.patch
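Review bot: import_key() sizes `ct` as a variable-length array from `key->len`, so the plugin's stack frame grows with the token secret and nothing in the hunk bounds that length; if the caller does not guarantee a small maximum, the buffer should be heap-allocated or capped, and if it does, a comment stating the bound would make the VLA defensible. The all-zero `iv` is acceptable only because `ekey` is a fresh session key that encrypts exactly one message and is freed at `egress`; that reasoning belongs next to the declaration, e.g. `/* zero IV is fine: ekey is single-use and never leaves this function */`. The fallback path also runs whenever PK11_ImportSymKey fails for any reason, not only in FIPS mode, so the "probably in FIPS mode" comment is doing real work and the direct-import error code is lost; consider keeping it so a non-FIPS failure can be told apart. The hmac() body modified by the last hunk starts and ends outside the hunk.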
@@ -0,0 +1,34 @@
+From ab2eaf607dd3746dd239595315dbaaebade06320 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum
+Date: Thu, 22 Feb 2018 14:04:10 -0500
+Subject: [PATCH] Increase the default token key size
+
+The previous default token key size would fail in FIPS mode for the sha384
+and sha512 algorithms. With the updated key size, the default will work in
+all cases.
+
+https://pagure.io/freeipa/issue/7168
+
+Reviewed-By: Rob Crittenden
+Reviewed-By: Christian Heimes
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/plugins/otptoken.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/otptoken.py b/ipaserver/plugins/otptoken.py
+index c66f0980f0fc2ed49b4224be40a18ce528a6da7b..a6e423f949659d8157c8471d0fbc3ee8a299ac98 100644
+--- a/ipaserver/plugins/otptoken.py
++++ b/ipaserver/plugins/otptoken.py
+@@ -72,7 +72,7 @@ TOKEN_TYPES = {
+ }
+ 
+ # NOTE: For maximum compatibility, KEY_LENGTH % 5 == 0
+-KEY_LENGTH = 20
++KEY_LENGTH = 35
+ 
+ class OTPTokenKey(Bytes):
+ """A binary password type specified in base32."""
+--
+2.14.3
+
diff --git a/SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch b/SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
new file mode 100644
index 0000000..a8818c2
--- /dev/null
+++ b/SOURCES/0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch
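Review bot: The comment above `KEY_LENGTH` still records only the `% 5 == 0` compatibility constraint, so the reason the default moved from 20 to 35 — the commit message's point that a 20-byte key fails in FIPS mode with sha384 and sha512 — survives only in git history and the next person to touch the constant has no guard against lowering it again. Suggest extending the comment: `# NOTE: For maximum compatibility, KEY_LENGTH % 5 == 0; 35 rather than 20 so the default also works in FIPS mode for sha384/sha512 (pagure #7168)`. A short test asserting the default key length is accepted for every entry in TOKEN_TYPES under FIPS would pin this, but TOKEN_TYPES is outside the hunk.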
@@ -0,0 +1,86 @@
+From 6d813f6b03811a285c3c6dae85942c0086b619a6 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum
+Date: Mon, 26 Feb 2018 09:48:22 -0500
+Subject: [PATCH] Revert "Don't allow OTP or RADIUS in FIPS mode"
+
+This reverts commit 16a952a0a44a0ebee97029ea1d2f6b7593dd2622.
+
+OTP now works in FIPS mode. RADIUS can be made to be compliant by wrapping
+traffic in a VPN.
+
+https://pagure.io/freeipa/issue/7168
+https://pagure.io/freeipa/issue/7243
+
+Reviewed-By: Rob Crittenden
+Reviewed-By: Christian Heimes
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/plugins/baseuser.py | 3 ---
+ ipaserver/plugins/config.py | 16 ----------------
+ 2 files changed, 19 deletions(-)
+
+diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
+index bb8a73ded0fed135d5829ec0b0829a936f2196fb..bf24dbf542d3b481671dfe4e8cee14a2edcc26e0 100644
+--- a/ipaserver/plugins/baseuser.py
++++ b/ipaserver/plugins/baseuser.py
+@@ -32,7 +32,6 @@ from .baseldap import (
+ add_missing_object_class)
+ from ipaserver.plugins.service import (
+ validate_certificate, validate_realm, normalize_principal)
+-from ipaserver.plugins.config import check_fips_auth_opts
+ from ipalib.request import context
+ from ipalib import _
+ from ipalib.constants import PATTERN_GROUPUSER_NAME
+@@ -478,7 +477,6 @@ class baseuser_add(LDAPCreate):
+ **options):
+ assert isinstance(dn, DN)
+ set_krbcanonicalname(entry_attrs)
+- check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+ self.obj.convert_usercertificate_pre(entry_attrs)
+ 
+ def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
+@@ -602,7 +600,6 @@ class baseuser_mod(LDAPUpdate):
+ assert isinstance(dn, DN)
+ add_sshpubkey_to_attrs_pre(self.context, attrs_list)
+ 
+- check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+ self.check_namelength(ldap, **options)
+ 
+ self.check_mail(entry_attrs)
+diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
+index 
c9033fa8e7a2a0bfe77464fa4f9c62278bd814f6..ce15e6096f5b84dc45ee21d5aecc73ecf86eba07 100644
+--- a/ipaserver/plugins/config.py
++++ b/ipaserver/plugins/config.py
+@@ -85,20 +85,6 @@ EXAMPLES:
+ 
+ register = Registry()
+ 
+-
+-def check_fips_auth_opts(fips_mode, **options):
+- """
+- OTP and RADIUS are not allowed in FIPS mode since they use MD5
+- checksums (OTP uses our RADIUS responder daemon ipa-otpd).
+- """
+- if 'ipauserauthtype' in options and fips_mode:
+- if ('otp' in options['ipauserauthtype'] or
+- 'radius' in options['ipauserauthtype']):
+- raise errors.InvocationError(
+- 'OTP and RADIUS authentication in FIPS is '
+- 'not yet supported')
+-
+-
+ @register()
+ class config(LDAPObject):
+ """
+@@ -412,8 +398,6 @@ class config_mod(LDAPUpdate):
+ 
+ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+ assert isinstance(dn, DN)
+- check_fips_auth_opts(fips_mode=self.api.env.fips_mode, **options)
+-
+ if 'ipadefaultprimarygroup' in entry_attrs:
+ group=entry_attrs['ipadefaultprimarygroup']
+ try:
+--
+2.14.3
+
diff --git a/SOURCES/0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch b/SOURCES/0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch
new file mode 100644
index 0000000..4ee49e1
--- /dev/null
+++ b/SOURCES/0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch
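Review bot: Deleting check_fips_auth_opts() removes the only place that refused `radius` in `ipauserauthtype` under fips_mode, but the condition the commit message attaches to re-allowing it — that RADIUS traffic must be wrapped in a VPN to be compliant — now exists nowhere in the code or its documentation, and the removed docstring's observation that the RADIUS exchange relies on MD5 checksums is unchanged by this revert. The OTP half is covered by the libotp change in this series, so what is missing is documentation (or a logged warning) where a user auth type of `radius` is set while `self.api.env.fips_mode` is true; the docstring of `class config(LDAPObject):` is the natural place, e.g. a sentence stating that RADIUS authentication in FIPS mode is permitted only when the transport to the RADIUS server is separately protected. The three pre_callback bodies start and end outside their hunks.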
@@ -0,0 +1,59 @@
+From b9194a0292ce57418b3c9f5faf2ee5509f0fb749 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Thu, 1 Mar 2018 14:25:55 -0500
+Subject: [PATCH] Log errors from NSS during FIPS OTP key import
+
+Signed-off-by: Robbie Harwood
+Reviewed-By: Christian Heimes
+Reviewed-By: Petr Vobornik
+---
+ daemons/ipa-slapi-plugins/libotp/hotp.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/libotp/hotp.c b/daemons/ipa-slapi-plugins/libotp/hotp.c
+index 0c9de96d37183e597867b736d6324db60fa1b3bb..1b9110ebf89a705c9c670d4d33fc7ed615ad25f3 100644
+--- a/daemons/ipa-slapi-plugins/libotp/hotp.c
++++ b/daemons/ipa-slapi-plugins/libotp/hotp.c
+@@ -49,7 +49,9 @@
+ #include
+ #include
+ #include
++#include
+ #include
++#include
+ 
+ struct digest_buffer {
+ uint8_t buf[SHA512_LENGTH];
+@@ -93,17 +95,27 @@ import_key(PK11SlotInfo *slot, CK_MECHANISM_TYPE mech, SECItem *key)
+ PK11_ATTR_SESSION |
+ PK11_ATTR_PRIVATE |
+ PK11_ATTR_SENSITIVE, NULL);
+- if (!ekey)
++ if (!ekey) {
++ syslog(LOG_ERR, "libotp: in FIPS, PK11_TokenKeyGenWithFlags failed: %d",
++ PR_GetError());
+ goto egress;
++ }
+ 
+ /* Encrypt the input key. */
+ if (PK11_Encrypt(ekey, CKM_AES_CBC_PAD, &ivitem, ctitem.data, &ctitem.len,
+- ctitem.len, key->data, key->len) != SECSuccess)
++ ctitem.len, key->data, key->len) != SECSuccess) {
++ syslog(LOG_ERR, "libotp: in FIPS, PK11_Encrypt failed: %d",
++ PR_GetError());
+ goto egress;
++ }
+ 
+ /* Unwrap the input key. */
+ skey = PK11_UnwrapSymKey(ekey, CKM_AES_CBC_PAD, &ivitem,
+ &ctitem, mech, CKA_SIGN, key->len);
++ if (!skey) {
++ syslog(LOG_ERR, "libotp: in FIPS, PK11_UnwrapSymKey failed: %d",
++ PR_GetError());
++ }
+ 
+ egress:
+ PK11_FreeSymKey(ekey);
+--
+2.14.3
+
diff --git a/SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch b/SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch
new file mode 100644
index 0000000..0a475e2
--- /dev/null
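Review bot: All three new syslog() calls hard-code "in FIPS" into the message, but import_key() reaches this fallback whenever PK11_ImportSymKey fails for any reason (the existing comment above it says "probably in FIPS mode"), so a non-FIPS failure would be reported under a misleading label; dropping the qualifier, or logging the direct-import error code before the fallback, keeps the log honest. `PR_GetError()` gives a bare number; NSPR's `PR_ErrorToName()` turns it into the symbolic name (it returns NULL for unregistered codes, so guard it), e.g. `PRErrorCode err = PR_GetError(); syslog(LOG_ERR, "libotp: PK11_UnwrapSymKey failed: %s (%d)", PR_ErrorToName(err) ? PR_ErrorToName(err) : "?", err);`. None of the messages include key material, which is the right choice for a syslog destination. import_key() starts before and ends after the hunk.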
+++ b/SOURCES/0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch 
@@ -0,0 +1,111 @@
+From 13d111faedfd5cbd0a7382e566edda7bd9ffc7ad Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Wed, 14 Mar 2018 16:13:17 +0100
+Subject: [PATCH] ipa-replica-install: make sure that certmonger picks the
+ right master
+
+During ipa-replica-install, http installation first creates a service
+principal for http/hostname (locally on the soon-to-be-replica), then
+waits for this entry to be replicated on the master picked for the
+install.
+In a later step, the installer requests a certificate for HTTPd. The local
+certmonger first tries the master defined in xmlrpc_uri (which is
+pointing to the soon-to-be-replica), but fails because the service is not
+up yet. Then certmonger tries to find a master by using the DNS and looking
+for a ldap service. This step can pick a different master, where the
+principal entry has not always be replicated yet.
+As the certificate request adds the principal if it does not exist, we can
+end by re-creating the principal and have a replication conflict.
+
+The replication conflict later causes kerberos issues, preventing
+from installing a new replica.
+
+The proposed fix forces xmlrpc_uri to point to the same master as the one
+picked for the installation, in order to make sure that the master already
+contains the principal entry.
+
+https://pagure.io/freeipa/issue/7041
+
+Reviewed-By: Rob Crittenden
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/install/server/replicainstall.py | 42 +++++++++++++++++++++++++++---
+ 1 file changed, 39 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 6aa1157133423e854514de61a69810433e436d2f..5a37aea0ac913d5c9cb88346345ba5760a9e923d 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -194,7 +194,16 @@ def install_dns_records(config, options, remote_api):
+ 'on master: %s', str(e))
+ 
+ 
+-def create_ipa_conf(fstore, config, ca_enabled):
++def create_ipa_conf(fstore, config, ca_enabled, master=None):
++ """
++ Create /etc/ipa/default.conf master configuration
++ :param fstore: sysrestore file store used for backup and restore of
++ the server configuration
++ :param config: replica config
++ :param ca_enabled: True if the topology includes a CA
++ :param master: if set, the xmlrpc_uri parameter will use the provided
++ master instead of this host
++ """
+ # Save client file on Domain Level 1
+ target_fname = paths.IPA_DEFAULT_CONF
+ fstore.backup_file(target_fname)
+@@ -203,8 +212,12 @@ def create_ipa_conf(fstore, config, ca_enabled):
+ ipaconf.setOptionAssignment(" = ")
+ ipaconf.setSectionNameDelimiters(("[", "]"))
+ 
+- xmlrpc_uri = 'https://{0}/ipa/xml'.format(
+- ipautil.format_netloc(config.host_name))
++ if master:
++ xmlrpc_uri = 'https://{0}/ipa/xml'.format(
++ ipautil.format_netloc(master))
++ else:
++ xmlrpc_uri = 'https://{0}/ipa/xml'.format(
++ ipautil.format_netloc(config.host_name))
+ ldapi_uri = 'ldapi://%2fvar%2frun%2fslapd-{0}.socket\n'.format(
+ installutils.realm_to_serverid(config.realm_name))
+ 
+@@ -1431,6 +1444,25 @@ def install(installer):
+ # we now need to enable ssl on the ds
+ ds.enable_ssl()
+ 
++ if promote:
++ # We need to point to the master when certmonger asks for
++ # HTTP 
certificate.
++ # During http installation, the HTTP/hostname principal is created
++ # locally then the installer waits for the entry to appear on the
++ # master selected for the installation.
++ # In a later step, the installer requests a SSL certificate through
++ # Certmonger (and the op adds the principal if it does not exist yet).
++ # If xmlrpc_uri points to the soon-to-be replica,
++ # the httpd service is not ready yet to handle certmonger requests
++ # and certmonger tries to find another master. The master can be
++ # different from the one selected for the installation, and it is
++ # possible that the principal has not been replicated yet. This
++ # may lead to a replication conflict.
++ # This is why we need to force the use of the same master by
++ # setting xmlrpc_uri
++ create_ipa_conf(fstore, config, ca_enabled,
++ master=config.master_host_name)
++
+ install_http(
+ config,
+ auto_redirect=not options.no_ui_redirect,
+@@ -1439,6 +1471,10 @@ def install(installer):
+ ca_is_configured=ca_enabled,
+ ca_file=cafile)
+ 
++ if promote:
++ # Need to point back to ourself after the cert for HTTP is obtained
++ create_ipa_conf(fstore, config, ca_enabled)
++
+ otpd = otpdinstance.OtpdInstance()
+ otpd.create_instance('OTPD', config.host_name,
+ ipautil.realm_to_suffix(config.realm_name))
+--
+2.14.3
+
diff --git a/SOURCES/0044-replica-install-pass-ip-address-to-client-install.patch b/SOURCES/0044-replica-install-pass-ip-address-to-client-install.patch
new file mode 100644
index 0000000..cdb3af3
--- /dev/null
+++ b/SOURCES/0044-replica-install-pass-ip-address-to-client-install.patch
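Review bot: In install(), the first `create_ipa_conf(fstore, config, ca_enabled, master=config.master_host_name)` rewrites /etc/ipa/default.conf so that xmlrpc_uri names the remote master, but the call that points it back to this host runs only if install_http() returns normally; if install_http raises, the partially installed replica is left with a default.conf that sends API traffic to another server, which any later uninstall or retry step on this host will then use. Wrapping install_http in try/finally restores the local xmlrpc_uri on both paths; the rewritten lines are below. It is also worth confirming that calling `fstore.backup_file(target_fname)` a second time does not replace the pre-install backup with the master-pointing copy — backup_file is not visible here. Separately, the if/else in create_ipa_conf collapses to `host = master or config.host_name` followed by a single format call. install() starts and ends outside the hunk.

```python
    if promote:
        # … unchanged: comment explaining why xmlrpc_uri must name the master …
        create_ipa_conf(fstore, config, ca_enabled,
                        master=config.master_host_name)

    try:
        install_http(
            config,
            auto_redirect=not options.no_ui_redirect,
            # … unchanged: remaining install_http arguments …
            ca_file=cafile)
    finally:
        if promote:
            # Point back to ourself whether or not the HTTP cert was obtained,
            # so a failed install does not leave default.conf naming the master
            create_ipa_conf(fstore, config, ca_enabled)
```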
@@ -0,0 +1,38 @@
+From d1506d6a44b4c4b85772cd0764113f2b20a147fe Mon Sep 17 00:00:00 2001
+From: Stanislav Laznicka
+Date: Fri, 6 Apr 2018 09:10:20 +0200
+Subject: [PATCH] replica-install: pass --ip-address to client install
+
+In replica DL1 installation, the --ip-address option was not passed
+down to the ipa-client-install script (when not promoting client).
+This resulted in creating DNS records for all of the host's interface
+IP adresses instead of just those specified.
+
+This patch passes all the --ip-address options down to the client
+installation script.
+
+https://pagure.io/freeipa/issue/7405
+
+Reviewed-By: Stanislav Laznicka
+---
+ ipaserver/install/server/replicainstall.py | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
+index 5a37aea0ac913d5c9cb88346345ba5760a9e923d..42e4615ad2dc1f604f5d8d14f8e57e3e4674bcb9 100644
+--- a/ipaserver/install/server/replicainstall.py
++++ b/ipaserver/install/server/replicainstall.py
+@@ -942,6 +942,10 @@ def ensure_enrolled(installer):
+ args.append("--mkhomedir")
+ if installer.force_join:
+ args.append("--force-join")
++ if installer.ip_addresses:
++ for ip in installer.ip_addresses:
++ # installer.ip_addresses is of type [CheckedIPAddress]
++ args.extend(("--ip-address", str(ip)))
+ 
+ try:
+ # Call client install script
+--
+2.14.3
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index a577d73..c62497d 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From 70850c65eaefffc73d4f39cd9cc5490a6a5bb785 Mon Sep 17 00:00:00 2001
+From 0efc9d0a7e4c04d44eee4c408d426f91dc76be9c Mon Sep 17 00:00:00 2001
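Review bot: The `if installer.ip_addresses:` guard around the loop in ensure_enrolled() is redundant when ip_addresses is a list, since an empty list iterates zero times, and is needed only if the attribute can be None; if None is possible, `for ip in installer.ip_addresses or ():` says so in one line, otherwise the guard can go. The `# installer.ip_addresses is of type [CheckedIPAddress]` comment would be more useful as the reason str() is applied, e.g. `# CheckedIPAddress objects: str() is expected to give the plain address text for the CLI — confirm`. ensure_enrolled() continues outside the hunk.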
From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management @@ -113,7 +113,7 @@ index 319952cb6ffe82339b578e8d7fe3eb7a83d53169..e631b89c6774b8ea43f5156293fee137 ipa\-client\-install \- Configure an IPA client .SH "SYNOPSIS" diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 -index 08f6ec40d362b88a974e6ec735ed37c271e01882..3db48cc9204908dc63fdee6b3917331da43cd424 100644 +index 39ff0d5da85b5a641328a512feeb06bc9c1ab9d7..bf1e72a3672a72554f9563a41d4eeed88bfd272b 100644 --- a/client/man/ipa-getkeytab.1 +++ b/client/man/ipa-getkeytab.1 @@ -17,7 +17,7 @@ @@ -125,7 +125,7 @@ index 08f6ec40d362b88a974e6ec735ed37c271e01882..3db48cc9204908dc63fdee6b3917331d .SH "NAME" ipa\-getkeytab \- Get a keytab for a Kerberos principal .SH "SYNOPSIS" -@@ -112,7 +112,7 @@ GSSAPI or EXTERNAL. +@@ -117,7 +117,7 @@ GSSAPI or EXTERNAL. \fB\-r\fR Retrieve mode. Retrieve an existing key from the server instead of generating a new one. This is incompatibile with the \-\-password option, and will work only @@ -545,7 +545,7 @@ index 4fc55e8bf585f3612310f31282e9d3705c824dd1..6c4d94b7d67da016ec37a89b040ec819 ipa\-replica\-conncheck \- Check a replica\-master network connection before installation .SH "SYNOPSIS" diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 -index 7d241324818dd3a5294da5e84b67a19d0d9a31b6..f1ed8860d7ecebd7a23d60a621adea0947eca9da 100644 +index a1284135ac67de2b67b322aec3f6bbfb05f1a8ec..4301128afc65780ab73654d8c213a4f8ce4763a2 100644 --- a/install/tools/man/ipa-replica-install.1 +++ b/install/tools/man/ipa-replica-install.1 @@ -1,7 +1,7 @@ 
@@ -566,7 +566,7 @@ index 7d241324818dd3a5294da5e84b67a19d0d9a31b6..f1ed8860d7ecebd7a23d60a621adea09 If you're starting with an existing IPA client, simply run ipa\-replica\-install to have it promoted into a replica. -@@ -229,7 +229,7 @@ ldapmodify command info the directory server. +@@ -232,7 +232,7 @@ ldapmodify command info the directory server. .TP \fB\-\-add\-agents\fR Add IPA masters to the list that allows to serve information about @@ -615,7 +615,7 @@ index 5f401818a47b64854c2f25fcab4ebb8f96cd3b9e..80a1e70bff1871678259c8436915420c ipa\-restore \- Restore an IPA master .SH "SYNOPSIS" diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1 -index 35cd8c6c711119d7c782c6a89ac78b4894cec073..7ba159b29d005337d806b38b7c35de07a2d5d71e 100644 +index 00fd03b6bc2184ec2bbc099fd9799551c07d2390..aa9bb7b8567beadcd068e03f7de21043373af281 100644 --- a/install/tools/man/ipa-server-certinstall.1 +++ b/install/tools/man/ipa-server-certinstall.1 @@ -16,7 +16,7 @@ @@ -998,7 +998,7 @@ index 3e08f4da94651b49876e1427daddbd957f0027ae..c2af9f8462d776d452e4b90d9779f38c ''' diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index 97cbc6d8c84ee8fc21b6f8983c7897dc5d30c42d..eb42d1aa905a30ddc83de5a145d4e8d1348fbab9 100644 +index 422474fa915b4876530f304ef9424f6b31cf26cc..8f2cca4f6096fc4093f180c84da7888e8710765a 100644 --- a/ipaserver/install/server/install.py +++ b/ipaserver/install/server/install.py @@ -373,7 +373,7 @@ def install_check(installer): @@ -1011,10 +1011,10 @@ index 97cbc6d8c84ee8fc21b6f8983c7897dc5d30c42d..eb42d1aa905a30ddc83de5a145d4e8d1 print("This includes:") if setup_ca: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 6aa1157133423e854514de61a69810433e436d2f..1b3fdb238db46e6cd15dccb7d8d88b08f70d3066 100644 +index 42e4615ad2dc1f604f5d8d14f8e57e3e4674bcb9..7726b782f36f884e098ca4a5f5a136f7742e5e97 100644 
--- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py -@@ -601,7 +601,7 @@ def check_domain_level_is_supported(current): +@@ -614,7 +614,7 @@ def check_domain_level_is_supported(current): above_upper_bound = current > constants.MAX_DOMAIN_LEVEL if under_lower_bound or above_upper_bound: @@ -1046,5 +1046,5 @@ index 28c3f21f113fd14160abd518663f2d582f8653fd..f70943576d861ce7b3a8bc4c29e9ded8 """) + _(""" To enable the binddn run the following command to set the password: -- -2.9.5 +2.14.3 diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index 744cd83..f3a2a0c 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From 0cb701b1b4492b8e7234991eef30b5ac77dbd328 Mon Sep 17 00:00:00 2001 +From 154c041a95be7e6cdbcc8e116ff0fc2a785d730f Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py @@ -10,10 +10,10 @@ This reverts commit f4c7f1dd8a9ce530a8291219a904686ee47e59c7. 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in -index a8b5ce81fcf9bdb61cd3707e6b68b6f2196e0776..5fc0982188da4f7a3a1438bd5c67aac7bed195a8 100644 +index 80ae98c5515f64a8df8d981ad5e91b05c84e31c1..86189d56ded05dac695d3a7a19f726e197979dc5 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in -@@ -1293,6 +1293,7 @@ fi +@@ -1292,6 +1292,7 @@ fi # END %dir %{_usr}/share/ipa %{_usr}/share/ipa/wsgi.py* @@ -22,10 +22,10 @@ index a8b5ce81fcf9bdb61cd3707e6b68b6f2196e0776..5fc0982188da4f7a3a1438bd5c67aac7 %{_usr}/share/ipa/*.uldif %{_usr}/share/ipa/*.template diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 62f79b28000b015edb66f4c39a270097ab3ed666..d876c5b385a250f3bd9c2689f9794ef7f89720a6 100644 +index 20635eae22268ff72de73b8b9c430050114bb45b..190f8d851b3567638f8a41e2a4ce10e40e2ec1af 100644 
--- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py -@@ -1311,9 +1311,11 @@ def replica_ca_install_check(config, promote): +@@ -1321,9 +1321,11 @@ def replica_ca_install_check(config, promote): else: root_logger.critical( 'The master CA directory server does not have necessary schema. ' @@ -40,5 +40,5 @@ index 62f79b28000b015edb66f4c39a270097ab3ed666..d876c5b385a250f3bd9c2689f9794ef7 -- -2.9.5 +2.14.3 diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index d4638ad..8a9757c 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From cf83189d36e1615444b83dc2bf3b27fad215b322 Mon Sep 17 00:00:00 2001 +From c96e727aff6be11c1d90c7b693b77f36d6deeaac Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" @@ -24,5 +24,5 @@ index 01bf9a4f97fc0cf197c0ad12743affa597b54911..d3389ec5d34dba6429986b1c2a6dfb21 WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py WSGIScriptReloading Off -- -2.9.5 +2.14.3 diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index dabefc9..0ebfcc1 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From f6463c332aebb40be39bcfdf458f20f1dc3d2bbe Mon Sep 17 00:00:00 2001 +From 4f3522e47d1a1c26dc8283c6aa4fc72a33d7133e Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -75,7 +75,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1432630 delete mode 100644 ipatests/test_ipaclient/test_csrgen.py diff --git a/freeipa.spec.in b/freeipa.spec.in -index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b7654671bcb9 100644 +index 86189d56ded05dac695d3a7a19f726e197979dc5..3cefeeced78de60ced36759acce5ab5c1a0ddd0d 100644 
--- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -198,7 +198,6 @@ BuildRequires: python-sssdconfig @@ -94,7 +94,7 @@ index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b765 BuildRequires: python3-augeas %endif # with_python3 %endif # with_lint -@@ -545,7 +543,6 @@ Requires: %{name}-client-common = %{version}-%{release} +@@ -544,7 +542,6 @@ Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python2-ipalib = %{version}-%{release} Requires: python-dns >= 1.15 @@ -102,7 +102,7 @@ index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b765 %description -n python2-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, -@@ -568,7 +565,6 @@ Requires: %{name}-client-common = %{version}-%{release} +@@ -567,7 +564,6 @@ Requires: %{name}-client-common = %{version}-%{release} Requires: %{name}-common = %{version}-%{release} Requires: python3-ipalib = %{version}-%{release} Requires: python3-dns >= 1.15 @@ -110,7 +110,7 @@ index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b765 %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, -@@ -1434,13 +1430,6 @@ fi +@@ -1433,13 +1429,6 @@ fi %{python_sitelib}/ipaclient/remote_plugins/*.py* %dir %{python_sitelib}/ipaclient/remote_plugins/2_* %{python_sitelib}/ipaclient/remote_plugins/2_*/*.py* @@ -124,7 +124,7 @@ index 5fc0982188da4f7a3a1438bd5c67aac7bed195a8..03ab5d374279ad62d536ac5da636b765 %{python_sitelib}/ipaclient-*.egg-info -@@ -1465,13 +1454,6 @@ fi +@@ -1464,13 +1453,6 @@ fi %dir %{python3_sitelib}/ipaclient/remote_plugins/2_* %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* 
@@ -1649,5 +1649,5 @@ index 556f8e096976387d24057084c06d53bcb9998a69..00000000000000000000000000000000 - _script = generator.csr_script( - principal, {}, 'example', 'identity') -- -2.9.5 +2.14.3 diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 6b2a564..3cd06b2 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec 
@@ -72,7 +72,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 10%{?dist} +Release: 10%{?dist}.1 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -80,10 +80,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -125,12 +125,18 @@ Patch0034: 0034-WebUI-Add-positive-number-validator.patch Patch0035: 0035-WebUI-change-validator-of-page-size-settings.patch Patch0036: 0036-WebUI-fix-jslint-error.patch Patch0037: 0037-ipa-advise-for-smartcards-updated.patch +Patch0038: 0038-Add-a-notice-to-restart-ipa-services-after-certs-are.patch +Patch0039: 0039-Fix-OTP-validation-in-FIPS-mode.patch +Patch0040: 0040-Increase-the-default-token-key-size.patch +Patch0041: 0041-Revert-Don-t-allow-OTP-or-RADIUS-in-FIPS-mode.patch +Patch0042: 0042-Log-errors-from-NSS-during-FIPS-OTP-key-import.patch +Patch0043: 0043-ipa-replica-install-make-sure-that-certmonger-picks-.patch +Patch0044: 0044-replica-install-pass-ip-address-to-client-install.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1004: 1004-Remove-csrgen.patch -Patch1005: ipa-centos-branding.patch # RHEL spec file only: END BuildRequires: libtool, automake, autoconf 
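Review bot: `Release: 10%{?dist}.1` in the first hunk evaluates to 4.5.4-10.el7.1, but the new %changelog entry in the last hunk of this file is headed `4.5.4-11.el7`; rpmlint reports this as incoherent-version-in-changelog and the mismatch makes a built package hard to trace back to its changelog. Either bump to `Release: 11%{?dist}` or retitle the entry `- 4.5.4-10.el7.1` so the two agree. The Patch0038 through Patch0044 lines follow the existing numbering, but %prep is not in this diff, so whether each new PatchNNNN entry is actually applied there cannot be confirmed from what is shown.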
@@ -932,10 +938,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 %endif # with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -1688,8 +1694,18 @@ fi %changelog -* Tue Apr 10 2018 CentOS Sources - 4.5.4-10.el7.centos -- Roll in CentOS Branding +* Tue Apr 10 2018 Florence Blanc-Renaud - 4.5.4-11.el7 +- Resolves: #1565519 Clarify the need to restart services in ipa-server-certinstall(1) + - Add a notice to restart ipa services after certs are installed +- Resolves: #1564390 OTP and Radius Authentication does not work in FIPS mode + - Fix OTP validation in FIPS mode + - Increase the default token key size + - Revert "Don't allow OTP or RADIUS in FIPS mode" + - Log errors from NSS during FIPS OTP key import +- Resolves: #1565520 ipa client pointing to replica shows KDC has no support for encryption type + - ipa-replica-install: make sure that certmonger picks the right master +- Resolves: #1565605 DNS records updated with all IPAddresses of an interface when IPA server/replica try to install with Specific IP address of that interface + - replica-install: pass --ip-address to client install * Wed Feb 07 2018 Florence Blanc-Renaud - 4.5.4-10.el7 - Resolves: #1540361 ipa-advise for smartcards is out-of-date