From 403b09ab980c02ef36095973349a13e0181c794a Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Thu, 03 Nov 2016 06:01:28 +0000
Subject: [PATCH] import ipa-4.4.0-12.el7

---
 SPECS/ipa.spec | 1866 ++++++++++++++++++++++++++++++++++++++++-----------------
 1 files changed, 1,303 insertions(+), 563 deletions(-)

diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 18d9ba6..5fda12c 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -2,22 +2,30 @@
 # subpackages
 %{!?ONLY_CLIENT:%global ONLY_CLIENT 0}
 
+%if 0%{?rhel}
+%global with_python3 0
+%else
+%global with_python3 1
+%endif
+
 # RHEL spec file only: START
 %ifarch x86_64 %{ix86}
 # Nothing, we want to force just building client on non-Intel
 %else
 %global ONLY_CLIENT 1
 %endif
-%global VERSION 4.2.0
+%global VERSION 4.4.0
 # RHEL spec file only: END
 
 %global alt_name freeipa
 %if 0%{?rhel}
 %global samba_version 4.2.10-1
-%global selinux_policy_version 3.13.1-32
+%global selinux_policy_version 3.13.1-70
+%global slapi_nis_version 0.56.0-4
 %else
-%global samba_version 2:4.2.10-1
-%global selinux_policy_version 3.13.1-128.6
+%global samba_version 2:4.0.5-1
+%global selinux_policy_version 3.13.1-158.4
+%global slapi_nis_version 0.56.1
 %endif
 
 %define krb5_base_version %(LC_ALL=C rpm -q --qf '%%{VERSION}' krb5-devel | grep -Eo '^[^.]+\.[^.]+')
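Review bot: The non-RHEL arm lowers the Samba floor from `2:4.2.10-1` to `2:4.0.5-1` (`%global samba_version 2:4.0.5-1`), while the RHEL arm stays at `4.2.10-1`. This looks like upstream's value overwriting an earlier downstream bump rather than a deliberate relaxation, but the commit message does not say. On an EL7 build the `%else` arm is not taken, yet any rebuild where `%{?rhel}` is unset would accept a Samba older than the version this spec previously required. Keeping `%global samba_version 2:4.2.10-1` in the `%else` arm, or adding a comment that explains the lower floor, would keep the two arms consistent.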
@@ -34,8 +42,8 @@
 %define _hardened_build 1
 
 Name:           ipa
-Version:        4.2.0
-Release:        15%{?dist}.19
+Version:        4.4.0
+Release:        12%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -43,220 +51,148 @@
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 # RHEL spec file only: START
-Patch0001:      0001-Start-dirsrv-for-kdcproxy-upgrade.patch
-Patch0002:      0002-Fix-DNS-records-installation-for-replicas.patch
-Patch0003:      0003-Prevent-to-rename-certprofile-profile-id.patch
-Patch0004:      0004-Stageusedr-activate-show-username-instead-of-DN.patch
-Patch0005:      0005-copy-schema-to-ca-allow-to-overwrite-schema-files.patch
-Patch0006:      0006-spec-file-Update-minimum-required-version-of-krb5.patch
-Patch0007:      0007-do-not-import-memcache-on-client.patch
-Patch0008:      0008-selinux-enable-httpd_run_ipa-to-allow-communicating-.patch
-Patch0009:      0009-oddjob-avoid-chown-keytab-to-sssd-if-sssd-user-does-.patch
-Patch0010:      0010-webui-fix-user-reset-password-dialog.patch
-Patch0011:      0011-fix-hbac-rule-search-for-non-admin-users.patch
-Patch0012:      0012-fix-selinuxusermap-search-for-non-admin-users.patch
-Patch0013:      0013-Validate-adding-privilege-to-a-permission.patch
-Patch0014:      0014-migration-Use-api.env-variables.patch
-Patch0015:      0015-sysrestore-copy-files-instead-of-moving-them-to-avoi.patch
-Patch0016:      0016-Allow-value-no-for-replica-certify-all-attr-in-abort.patch
-Patch0017:      0017-trusts-Check-for-AD-root-domain-among-our-trusted-do.patch
-Patch0018:      0018-enable-debugging-of-ntpd-during-client-installation.patch
-Patch0019:      0019-cermonger-Use-private-unix-socket-when-DBus-SystemBu.patch
-Patch0020:      0020-ipa-client-install-Do-not-re-start-certmonger-and-DB.patch
-Patch0021:      0021-DNS-Consolidate-DNS-RR-types-in-API-and-schema.patch
-Patch0022:      0022-ipaplatform-Add-constants-submodule.patch
-Patch0023:      0023-DNS-check-if-DNS-package-is-installed.patch
-Patch0024:      0024-dcerpc-Expand-explanation-for-WERR_ACCESS_DENIED.patch
-Patch0025:      0025-dcerpc-Fix-UnboundLocalError-for-ccache_name.patch
-Patch0026:      0026-fix-broken-search-for-users-by-their-manager.patch
-Patch0027:      0027-dcerpc-Add-get_trusted_domain_object_type-method.patch
-Patch0028:      0028-idviews-Restrict-anchor-to-name-and-name-to-anchor-c.patch
-Patch0029:      0029-idviews-Enforce-objectclass-check-in-idoverride-del.patch
-Patch0030:      0030-idviews-Check-for-the-Default-Trust-View-only-if-app.patch
-Patch0031:      0031-replication-Fix-incorrect-exception-invocation.patch
-Patch0032:      0032-webui-add-Kerberos-configuration-instructions-for-Ch.patch
-Patch0033:      0033-Remove-ico-files-from-Makefile.patch
-Patch0034:      0034-ACI-plugin-correctly-parse-bind-rules-enclosed-in-pa.patch
-Patch0035:      0035-ULC-Fix-stageused-add-from-delete-command.patch
-Patch0036:      0036-webui-fix-regressions-failed-auth-messages.patch
-Patch0037:      0037-Validate-vault-s-file-parameters.patch
-Patch0038:      0038-certprofile-import-do-not-require-profileId-in-profi.patch
-Patch0039:      0039-user-show-add-out-option-to-save-certificates-to-fil.patch
-Patch0040:      0040-store-certificates-issued-for-user-entries-as-userCe.patch
-Patch0041:      0041-Fix-incorrect-type-comparison-in-trust-fetch-domains.patch
-Patch0042:      0042-Fix-selector-of-protocol-for-LSA-RPC-binding-string.patch
-Patch0043:      0043-dcerpc-Simplify-generation-of-LSA-RPC-binding-string.patch
-Patch0044:      0044-Fixed-missing-KRA-agent-cert-on-replica.patch
-Patch0045:      0045-webui-add-LDAP-vs-Kerberos-behavior-description-to-u.patch
-Patch0046:      0046-Fix-upgrade-of-sidgen-and-extdom-plugins.patch
-Patch0047:      0047-Give-more-info-on-virtual-command-access-denial.patch
-Patch0048:      0048-Allow-SAN-extension-for-cert-request-self-service.patch
-Patch0049:      0049-Add-profile-for-DNP3-IEC-62351-8-certificates.patch
-Patch0050:      0050-Work-around-python-nss-bug-on-unrecognised-OIDs.patch
-Patch0051:      0051-adtrust-install-Correctly-determine-4.2-FreeIPA-serv.patch
-Patch0052:      0052-certprofile-import-improve-profile-format-documentat.patch
-Patch0053:      0053-Fix-default-CA-ACL-added-during-upgrade.patch
-Patch0054:      0054-Fix-KRB5PrincipalName-UPN-SAN-comparison.patch
-Patch0055:      0055-adjust-search-so-that-it-works-for-non-admin-users.patch
-Patch0056:      0056-validate-mutually-exclusive-options-in-vault-add.patch
-Patch0057:      0057-idranges-raise-an-error-when-local-IPA-ID-range-is-b.patch
-Patch0058:      0058-install-Fix-server-and-replica-install-options.patch
-Patch0059:      0059-certprofile-add-profile-format-explanation.patch
-Patch0060:      0060-ULC-Prevent-preserved-users-from-being-assigned-memb.patch
-Patch0061:      0061-Asymmetric-vault-validate-public-key-in-client.patch
-Patch0062:      0062-add-permission-System-Manage-User-Certificates.patch
-Patch0063:      0063-Add-permission-for-bypassing-CA-ACL-enforcement.patch
-Patch0064:      0064-Added-CLI-param-and-ACL-for-vault-service-operations.patch
-Patch0065:      0065-trusts-Detect-missing-Samba-instance.patch
-Patch0066:      0066-winsync-migrate-Add-warning-about-passsync.patch
-Patch0067:      0067-winsync-migrate-Expand-the-man-page.patch
-Patch0068:      0068-fix-typo-in-BasePathNamespace-member-pointing-to-ods.patch
-Patch0069:      0069-ipa-backup-archive-DNSSEC-zone-file-and-kasp.db.patch
-Patch0070:      0070-baseldap-Allow-overriding-member-param-label-in-LDAP.patch
-Patch0071:      0071-vault-Fix-param-labels-in-output-of-vault-owner-comm.patch
-Patch0072:      0072-Fixed-vault-container-ownership.patch
-Patch0073:      0073-vault-normalize-service-principal-in-service-vault-o.patch
-Patch0074:      0074-vault-validate-vault-type.patch
-Patch0075:      0075-install-Fix-replica-install-with-custom-certificates.patch
-Patch0076:      0076-trusts-harden-trust-fetch-domains-oddjobd-based-scri.patch
-Patch0077:      0077-user-undel-Fix-error-messages.patch
-Patch0078:      0078-Prohibit-deletion-of-predefined-profiles.patch
-Patch0079:      0079-improve-the-handling-of-krb5-related-errors-in-dnsse.patch
-Patch0080:      0080-client-Add-support-for-multiple-IP-addresses-during-.patch
-Patch0081:      0081-vault-Fix-vault-find-with-criteria.patch
-Patch0082:      0082-vault-Add-container-information-to-vault-command-res.patch
-Patch0083:      0083-Server-Upgrade-Start-DS-before-CA-is-started.patch
-Patch0084:      0084-cert-request-remove-allowed-extensions-check.patch
-Patch0085:      0085-client-Add-description-of-ip-address-and-all-ip-addr.patch
-Patch0086:      0086-Backup-resore-authentication-control-configuration.patch
-Patch0087:      0087-Add-flag-to-list-all-service-and-user-vaults.patch
-Patch0088:      0088-Add-user-stage-command.patch
-Patch0089:      0089-trusts-format-Kerberos-principal-properly-when-fetch.patch
-Patch0090:      0090-Change-internal-rsa_-public-private-_key-variable-na.patch
-Patch0091:      0091-improve-the-usability-of-ipa-user-del-preserve-comma.patch
-Patch0092:      0092-DNSSEC-fix-forward-zone-forwarders-checks.patch
-Patch0093:      0093-Added-support-for-changing-vault-encryption.patch
-Patch0094:      0094-vault-change-default-vault-type-to-symmetric.patch
-Patch0095:      0095-fix-missing-information-in-object-metadata.patch
-Patch0096:      0096-webui-add-option-to-establish-bidirectional-trust.patch
-Patch0097:      0097-Removed-clear-text-passwords-from-KRA-install-log.patch
-Patch0098:      0098-certprofile-prevent-rename-modrdn.patch
-Patch0099:      0099-vault-Limit-size-of-data-stored-in-vault.patch
-Patch0100:      0100-ipactl-Do-not-start-stop-restart-single-service-mult.patch
-Patch0101:      0101-cert-renewal-Include-KRA-users-in-Dogtag-LDAP-update.patch
-Patch0102:      0102-cert-renewal-Automatically-update-KRA-agent-PEM-file.patch
-Patch0103:      0103-DNSSEC-remove-DNSSEC-is-experimental-warnings.patch
-Patch0104:      0104-Backup-back-up-the-hosts-file.patch
-Patch0105:      0105-certprofile-remove-rename-option.patch
-Patch0106:      0106-Installer-do-not-modify-etc-hosts-before-user-agreem.patch
-Patch0107:      0107-DNSSEC-backup-and-restore-opendnssec-zone-list-file.patch
-Patch0108:      0108-DNSSEC-remove-ccache-and-keytab-of-ipa-ods-exporter.patch
-Patch0109:      0109-DNSSEC-prevent-ipa-ods-exporter-from-looping-after-s.patch
-Patch0110:      0110-DNSSEC-Fix-deadlock-in-ipa-ods-exporter-ods-enforcer.patch
-Patch0111:      0111-DNSSEC-Fix-HSM-synchronization-in-ipa-dnskeysyncd-wh.patch
-Patch0112:      0112-DNSSEC-Fix-key-metadata-export.patch
-Patch0113:      0113-DNSSEC-Wrap-master-key-using-RSA-OAEP-instead-of-old.patch
-Patch0114:      0114-ldap-Make-ldap2-connection-management-thread-safe-ag.patch
-Patch0115:      0115-Using-LDAPI-to-setup-CA-and-KRA-agents.patch
-Patch0116:      0116-load-RA-backend-plugins-during-standalone-CA-install.patch
-Patch0117:      0117-Handle-timeout-error-in-ipa-httpd-kdcproxy.patch
-Patch0118:      0118-Server-Upgrade-backup-CS.cfg-when-dogtag-is-turned-o.patch
-Patch0119:      0119-IPA-Restore-allows-to-specify-files-that-should-be-r.patch
-Patch0120:      0120-config-allow-user-host-attributes-with-tagging-optio.patch
-Patch0121:      0121-winsync-Add-inetUser-objectclass-to-the-passsync-sys.patch
-Patch0122:      0122-baseldap-make-subtree-deletion-optional-in-LDAPDelet.patch
-Patch0123:      0123-vault-add-vault-container-commands.patch
-Patch0124:      0124-vault-set-owner-to-current-user-on-container-creatio.patch
-Patch0125:      0125-vault-update-access-control.patch
-Patch0126:      0126-vault-add-permissions-and-administrator-privilege.patch
-Patch0127:      0127-install-support-KRA-update.patch
-Patch0128:      0128-webui-use-manual-Firefox-configuration-for-Firefox-4.patch
-Patch0129:      0129-ipa-backup-Add-mechanism-to-store-empty-directory-st.patch
-Patch0130:      0130-install-create-kdcproxy-user-during-server-install.patch
-Patch0131:      0131-destroy-httpd-ccache-after-stopping-the-service.patch
-Patch0132:      0132-platform-add-option-to-create-home-directory-when-ad.patch
-Patch0133:      0133-install-fix-kdcproxy-user-home-directory.patch
-Patch0134:      0134-winsync-migrate-Convert-entity-names-to-posix-friend.patch
-Patch0135:      0135-winsync-migrate-Properly-handle-collisions-in-the-na.patch
-Patch0136:      0136-Fix-an-integer-underflow-bug-in-libotp.patch
-Patch0137:      0137-do-not-overwrite-files-with-local-users-groups-when-.patch
-Patch0138:      0138-install-fix-KRA-agent-PEM-file-permissions.patch
-Patch0139:      0139-install-always-export-KRA-agent-PEM-file.patch
-Patch0140:      0140-vault-select-a-server-with-KRA-for-vault-operations.patch
-Patch0141:      0141-schema-do-not-derive-ipaVaultPublicKey-from-ipaPubli.patch
-Patch0142:      0142-upgrade-make-sure-ldap2-is-connected-in-export_kra_a.patch
-Patch0143:      0143-vault-fix-private-service-vault-creation.patch
-Patch0144:      0144-install-fix-command-line-option-validation.patch
-Patch0145:      0145-install-export-KRA-agent-PEM-file-in-ipa-kra-install.patch
-Patch0146:      0146-cert-renewal-make-renewal-of-ipaCert-atomic.patch
-Patch0147:      0147-suppress-errors-arising-from-adding-existing-LDAP-en.patch
-Patch0148:      0148-fix-caching-in-get_ipa_config.patch
-Patch0149:      0149-client-install-do-not-corrupt-OpenSSH-config-with-Ma.patch
-Patch0150:      0150-upgrade-fix-migration-of-old-dns-forward-zones.patch
-Patch0151:      0151-TLS-and-Dogtag-HTTPS-request-logging-improvements.patch
-Patch0152:      0152-Avoid-race-condition-caused-by-profile-delete-and-re.patch
-Patch0153:      0153-ipa-cacert-renew-Fix-connection-to-ldap.patch
-Patch0154:      0154-ipa-otptoken-import-Fix-connection-to-ldap.patch
-Patch0155:      0155-Do-not-erroneously-reinit-NSS-in-Dogtag-interface.patch
-Patch0156:      0156-Add-profiles-and-default-CA-ACL-on-migration.patch
-Patch0157:      0157-disconnect-ldap2-backend-after-adding-default-CA-ACL.patch
-Patch0158:      0158-do-not-disconnect-when-using-existing-connection-to-.patch
-Patch0159:      0159-Fix-upgrade-of-forwardzones-when-zone-is-in-realmdom.patch
-Patch0160:      0160-Fix-version-comparison.patch
-Patch0161:      0161-DNS-fix-file-permissions.patch
-Patch0162:      0162-Explicitly-call-chmod-on-newly-created-directories.patch
-Patch0163:      0163-Fix-replace-mkdir-with-chmod.patch
-Patch0164:      0164-DNSSEC-Improve-error-reporting-from-ipa-ods-exporter.patch
-Patch0165:      0165-DNSSEC-Make-sure-that-current-state-in-OpenDNSSEC-ma.patch
-Patch0166:      0166-DNSSEC-Make-sure-that-current-key-state-in-LDAP-matc.patch
-Patch0167:      0167-DNSSEC-remove-obsolete-TODO-note.patch
-Patch0168:      0168-DNSSEC-add-debug-mode-to-ldapkeydb.py.patch
-Patch0169:      0169-DNSSEC-logging-improvements-in-ipa-ods-exporter.patch
-Patch0170:      0170-DNSSEC-remove-keys-purged-by-OpenDNSSEC-from-master-.patch
-Patch0171:      0171-DNSSEC-ipa-dnskeysyncd-Skip-zones-with-old-DNSSEC-me.patch
-Patch0172:      0172-DNSSEC-ipa-ods-exporter-add-ldap-cleanup-command.patch
-Patch0173:      0173-DNSSEC-ipa-dnskeysyncd-call-ods-signer-ldap-cleanup-.patch
-Patch0174:      0174-DNSSEC-Log-debug-messages-at-log-level-DEBUG.patch
-Patch0175:      0175-Allow-to-used-mixed-case-for-sysrestore.patch
-Patch0176:      0176-prevent-crash-of-CA-less-server-upgrade-due-to-absen.patch
-Patch0177:      0177-Upgrade-Fix-upgrade-of-NIS-Server-configuration.patch
-Patch0178:      0178-use-FFI-call-to-rpmvercmp-function-for-version-compa.patch
-Patch0179:      0179-ipalib-assume-version-2.0-when-skip_version_check-is.patch
-Patch0180:      0180-always-start-certmonger-during-IPA-server-configurat.patch
-Patch0181:      0181-ipa-kdb-map_groups-consider-all-results.patch
-Patch0182:      0182-ipa-ca-install-print-more-specific-errors-when-CA-is.patch
-Patch0183:      0183-installer-Propagate-option-values-from-components-in.patch
-Patch0184:      0184-installer-Fix-logic-of-reading-option-values-from-ca.patch
-Patch0185:      0185-Fixed-login-error-message-box-in-LoginScreen-page.patch
-Patch0186:      0186-cert-renewal-import-all-external-CA-certs-on-IPA-CA-.patch
-Patch0187:      0187-CA-install-explicitly-set-dogtag_version-to-10.patch
-Patch0188:      0188-fix-standalone-installation-of-externally-signed-CA-.patch
-Patch0189:      0189-replica-install-validate-DS-and-HTTP-server-certific.patch
-Patch0190:      0190-Do-not-decode-HTTP-reason-phrase-from-Dogtag.patch
-Patch0191:      0191-upgrade-unconditional-import-of-certificate-profiles.patch
-Patch0192:      0192-upgrade-fix-config-of-sidgen-and-extdom-plugins.patch
-Patch0193:      0193-trusts-use-ipaNTTrustPartner-attribute-to-detect-tru.patch
-Patch0194:      0194-Warn-user-if-trust-is-broken.patch
-Patch0195:      0195-fix-upgrade-wait-for-proper-DS-socket-after-DS-resta.patch
-Patch0196:      0196-slapi-nis-update-configuration-to-allow-external-mem.patch
-Patch0197:      0197-Insure-the-admin_conn-is-disconnected-on-stop.patch
-Patch0198:      0198-Fix-connections-to-DS-during-installation.patch
-Patch0199:      0199-Fix-broken-trust-warnings.patch
-Patch0200:      0200-replica-install-improvements-in-the-handling-of-CA-r.patch
-Patch0201:      0201-certdb-never-use-the-r-option-of-certutil.patch
-Patch0202:      0202-Prevent-replica-install-from-overwriting-cert-profil.patch
-Patch0203:      0203-Detect-and-repair-incorrect-caIPAserviceCert-config.patch
-Patch0204:      0204-replica-install-do-not-set-CA-renewal-master-flag.patch
-Patch0205:      0205-mod_auth_gssapi-enable-unique-credential-caches-name.patch
-Patch0206:      0206-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
+Patch0001:      0001-Fix-incorrect-check-for-principal-type-when-evaluati.patch
+Patch0002:      0002-uninstall-untrack-lightweight-CA-certs.patch
+Patch0003:      0003-ipa-nis-manage-Use-server-API-to-retrieve-plugin-sta.patch
+Patch0004:      0004-ipa-compat-manage-use-server-API-to-retrieve-plugin-.patch
+Patch0005:      0005-ipa-advise-correct-handling-of-plugin-namespace-iter.patch
+Patch0006:      0006-kdb-check-for-local-realm-in-enterprise-principals.patch
+Patch0007:      0007-Enable-vault-commands-on-client.patch
+Patch0008:      0008-vault-add-set-the-default-vault-type-on-the-client-s.patch
+Patch0009:      0009-caacl-expand-plugin-documentation.patch
+Patch0010:      0010-host-find-do-not-show-SSH-key-by-default.patch
+Patch0011:      0011-Removed-unused-method-parameter-from-migrate-ds.patch
+Patch0012:      0012-Preserve-user-principal-aliases-during-rename-operat.patch
+Patch0013:      0013-messages-specify-message-type-for-ResultFormattingEr.patch
+Patch0014:      0014-schema-Fix-subtopic-topic-mapping.patch
+Patch0015:      0015-DNS-install-Ensure-that-DNS-servers-container-exists.patch
+Patch0016:      0016-Heap-corruption-in-ipapwd-plugin.patch
+Patch0017:      0017-Use-server-API-in-com.redhat.idm.trust-fetch-domains.patch
+Patch0018:      0018-frontend-copy-command-arguments-to-output-params-on-.patch
+Patch0019:      0019-Show-full-error-message-for-selinuxusermap-add-hostg.patch
+Patch0020:      0020-allow-value-output-param-in-commands-without-primary.patch
+Patch0021:      0021-server-uninstall-fails-to-remove-krb-principals.patch
+Patch0022:      0022-expose-secret-option-in-radiusproxy-commands.patch
+Patch0023:      0023-prevent-search-for-RADIUS-proxy-servers-by-secret.patch
+Patch0024:      0024-trust-add-handle-all-raw-options-properly.patch
+Patch0025:      0025-unite-log-file-name-of-ipa-ca-install.patch
+Patch0026:      0026-Host-del-fix-behavior-of-updatedns-and-PTR-records.patch
+Patch0027:      0027-help-Add-dnsserver-commands-to-help-topic-dns.patch
+Patch0028:      0028-DNS-Locations-fix-update-system-records-unpacking-er.patch
+Patch0029:      0029-Fix-session-cookies.patch
+Patch0030:      0030-Use-copy-when-replacing-files-to-keep-SELinux-contex.patch
+Patch0031:      0031-baseldap-Fix-MidairCollision-instantiation-during-en.patch
+Patch0032:      0032-Create-indexes-for-krbCanonicalName-attribute.patch
+Patch0033:      0033-harden-the-check-for-trust-namespace-overlap-in-new-.patch
+Patch0034:      0034-Revert-Enable-vault-commands-on-client.patch
+Patch0035:      0035-client-fix-hiding-of-commands-which-lack-server-supp.patch
+Patch0036:      0036-Minor-fix-in-ipa-replica-manage-MAN-page.patch
+Patch0037:      0037-compat-fix-ping-call.patch
+Patch0038:      0038-replica-install-Fix-domain.patch
+Patch0039:      0039-idrange-fix-unassigned-global-variable.patch
+Patch0040:      0040-re-set-canonical-principal-name-on-migrated-users.patch
+Patch0041:      0041-Do-not-initialize-API-in-ipa-client-automount-uninst.patch
+Patch0042:      0042-Correct-path-to-HTTPD-s-systemd-service-directory.patch
+Patch0043:      0043-vault-Catch-correct-exception-in-decrypt.patch
+Patch0044:      0044-Increase-default-length-of-auto-generated-passwords.patch
+Patch0045:      0045-vault-add-missing-salt-option-to-vault_mod.patch
+Patch0046:      0046-Fix-ipa-hbactest-output.patch
+Patch0047:      0047-install-fix-external-CA-cert-validation.patch
+Patch0048:      0048-caacl-fix-regression-in-rule-instantiation.patch
+Patch0049:      0049-Update-ipa-replica-install-documentation.patch
+Patch0050:      0050-ipa-kdb-Fix-unit-test-after-packaging-changes-in-krb.patch
+Patch0051:      0051-Improvements-for-the-ipa-cacert-manage-man-and-help.patch
+Patch0052:      0052-Revert-spec-add-conflict-with-bind-chroot-to-freeipa.patch
+Patch0053:      0053-Fix-unicode-characters-in-ca-and-domain-adders.patch
+Patch0054:      0054-ipa-backup-backup-etc-tmpfiles.d-dirsrv-instance-.co.patch
+Patch0055:      0055-client-RPM-require-initscripts-to-get-domainname.ser.patch
+Patch0056:      0056-parameters-move-the-confirm-kwarg-to-Param.patch
+Patch0057:      0057-client-add-missing-output-params-to-client-side-comm.patch
+Patch0058:      0058-server-install-Fix-hostname-option-to-always-overrid.patch
+Patch0059:      0059-install-Call-hostnamectl-set-hostname-only-if-hostna.patch
+Patch0060:      0060-schema-Speed-up-schema-cache.patch
+Patch0061:      0061-frontend-Change-doc-summary-topic-and-NO_CLI-to-clas.patch
+Patch0062:      0062-schema-Introduce-schema-cache-format.patch
+Patch0063:      0063-schema-Generate-bits-for-help-load-them-on-request.patch
+Patch0064:      0064-help-Do-not-create-instances-to-get-information-abou.patch
+Patch0065:      0065-Fix-ipa-caalc-add-service-error-message.patch
+Patch0066:      0066-Don-t-show-force-ntpd-option-in-replica-install.patch
+Patch0067:      0067-DNS-server-upgrade-do-not-fail-when-DNS-server-did-n.patch
+Patch0068:      0068-DNS-allow-to-add-forward-zone-to-already-broken-sub-.patch
+Patch0069:      0069-cert-speed-up-cert-find.patch
+Patch0070:      0070-cert-do-not-crash-on-invalid-data-in-cert-find.patch
+Patch0071:      0071-Add-warning-about-only-one-existing-CA-server.patch
+Patch0072:      0072-Set-servers-list-as-default-facet-in-topology-facet-.patch
+Patch0073:      0073-schema-cache-Do-not-reset-ServerInfo-dirty-flag.patch
+Patch0074:      0074-schema-cache-Do-not-read-fingerprint-and-format-from.patch
+Patch0075:      0075-Access-data-for-help-separately.patch
+Patch0076:      0076-frontent-Add-summary-class-property-to-CommandOverri.patch
+Patch0077:      0077-schema-cache-Read-server-info-only-once.patch
+Patch0078:      0078-schema-cache-Store-API-schema-cache-in-memory.patch
+Patch0079:      0079-client-Do-not-create-instance-just-to-check-isinstan.patch
+Patch0080:      0080-schema-cache-Read-schema-instead-of-rewriting-it-whe.patch
+Patch0081:      0081-schema-check-Check-current-client-language-against-c.patch
+Patch0082:      0082-Fail-on-topology-disconnect-last-role-removal.patch
+Patch0083:      0083-server-install-do-not-prompt-for-cert-file-PIN-repea.patch
+Patch0084:      0084-service-add-flag-to-allow-S4U2Self.patch
+Patch0085:      0085-Add-trusted-to-auth-as-user-checkbox.patch
+Patch0086:      0086-Added-new-authentication-method.patch
+Patch0087:      0087-schema-cache-Fallback-to-en_us-when-locale-is-not-av.patch
+Patch0088:      0088-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch
+Patch0089:      0089-Fix-container-owner-should-be-able-to-add-vault.patch
+Patch0090:      0090-ipaserver-dcerpc-reformat-to-make-the-code-closer-to.patch
+Patch0091:      0091-trust-automatically-resolve-DNS-trust-conflicts-for-.patch
+Patch0092:      0092-trust-make-sure-external-trust-topology-is-correctly.patch
+Patch0093:      0093-trust-make-sure-ID-range-is-created-for-the-child-do.patch
+Patch0094:      0094-ipa-kdb-simplify-trusted-domain-parent-search.patch
+Patch0095:      0095-Remove-Custodia-server-keys-from-LDAP.patch
+Patch0096:      0096-Handled-empty-hostname-in-server-del-command.patch
+Patch0097:      0097-Secure-permissions-of-Custodia-server.keys.patch
+Patch0098:      0098-Require-httpd-2.4.6-31-with-mod_proxy-Unix-socket-su.patch
+Patch0099:      0099-Fix-ipa-server-install-in-pure-IPv6-environment.patch
+Patch0100:      0100-support-multiple-uid-values-in-schema-compatibility-.patch
+Patch0101:      0101-custodia-include-known-CA-certs-in-the-PKCS-12-file-.patch
+Patch0102:      0102-otptoken-permission-Convert-custom-type-parameters-o.patch
+Patch0103:      0103-Raise-DuplicatedEnrty-error-when-user-exists-in-dele.patch
+Patch0104:      0104-cert-add-missing-param-values-to-cert-find-output.patch
+Patch0105:      0105-rpcserver-assume-version-1-for-unversioned-command-c.patch
+Patch0106:      0106-custodia-force-reconnect-before-retrieving-CA-certs-.patch
+Patch0107:      0107-rpcserver-fix-crash-in-XML-RPC-system-commands.patch
+Patch0108:      0108-compat-Save-server-s-API-version-in-for-pre-schema-s.patch
+Patch0109:      0109-compat-Fix-ping-command-call.patch
+Patch0110:      0110-Fix-man-page-ipa-replica-manage-remove-duplicate-c-o.patch
+Patch0111:      0111-cert-include-CA-name-in-cert-command-output.patch
+Patch0112:      0112-Fix-CA-ACL-Check-on-SubjectAltNames.patch
+Patch0113:      0113-do-not-use-trusted-forest-name-to-construct-domain-a.patch
+Patch0114:      0114-Always-fetch-forest-info-from-root-DCs-when-establis.patch
+Patch0115:      0115-factor-out-populate_remote_domain-method-into-module.patch
+Patch0116:      0116-Always-fetch-forest-info-from-root-DCs-when-establis.patch
+Patch0117:      0117-cli-use-full-name-when-executing-a-command.patch
+Patch0118:      0118-Use-RSA-OAEP-instead-of-RSA-PKCS-1-v1.5.patch
+Patch0119:      0119-Fix-ipa-certupdate-for-CA-less-installation.patch
+Patch0120:      0120-Track-lightweight-CAs-on-replica-installation.patch
+Patch0121:      0121-dns-normalize-record-type-read-interactively-in-dnsr.patch
+Patch0122:      0122-dns-prompt-for-missing-record-parts-in-CLI.patch
+Patch0123:      0123-dns-fix-crash-in-interactive-mode-against-old-server.patch
+Patch0124:      0124-schema-cache-Store-and-check-info-for-pre-schema-ser.patch
+Patch0125:      0125-Fix-parse-errors-with-link-local-addresses.patch
+Patch0126:      0126-Add-support-for-additional-options-taken-from-table-.patch
+Patch0127:      0127-WebUI-Fix-showing-certificates-issued-by-sub-CA.patch
+Patch0128:      0128-WebUI-add-support-for-sub-CAs-while-revoking-certifi.patch
+Patch0129:      0129-cert-fix-cert-find-certificate-when-the-cert-is-not-.patch
+Patch0130:      0130-Make-host-service-cert-revocation-aware-of-lightweig.patch
+Patch0131:      0131-Fix-regression-introduced-in-ipa-certupdate.patch
+Patch0132:      0132-Start-named-during-configuration-upgrade.patch
+Patch0133:      0133-Catch-DNS-exceptions-during-emptyzones-named.conf-up.patch
+Patch0134:      0134-trust-fetch-domains-contact-forest-DCs-when-fetching.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
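Review bot: The rebased list carries the security fix as `Patch0088: 0088-cert-revoke-fix-permission-check-bypass-CVE-2016-540.patch`, where the file name is cut off in the middle of the CVE identifier, so the spec cannot be searched for the full id. A comment line above it such as `# <full CVE id>, <bug URL>: cert-revoke permission check bypass` would make the entry auditable; the same applies to the other security-relevant entries (`0016-Heap-corruption-in-ipapwd-plugin`, `0097-Secure-permissions-of-Custodia-server.keys`, `0118-Use-RSA-OAEP-instead-of-RSA-PKCS-1-v1.5`). `Patch0114` and `Patch0116` also share the same truncated subject, and a short comment would say whether the second is a follow-up or a duplicate.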
@@ -266,19 +202,17 @@
 Patch1006:      1006-Remove-i18test-from-build-process.patch
 Patch1007:      1007-Do-not-build-tests.patch
 Patch1008:      1008-RCUE.patch
-Patch1009:      1009-Do-not-allow-installation-in-FIPS-mode.patch
-Patch1010:      1010-WebUI-add-API-browser-is-experimental-warning.patch
-Patch1011:      ipa-centos-branding.patch
+Patch1009:      1009-Revert-Increased-mod_wsgi-socket-timeout.patch
+Patch1010:      1010-WebUI-add-API-browser-is-tech-preview-warning.patch
 # RHEL spec file only: END
 
 %if ! %{ONLY_CLIENT}
-BuildRequires:  389-ds-base-devel >= 1.3.4.0
+BuildRequires:  389-ds-base-devel >= 1.3.5.6
 BuildRequires:  svrcore-devel
 BuildRequires:  policycoreutils >= 2.1.14-37
 BuildRequires:  systemd-units
 BuildRequires:  samba-devel >= %{samba_version}
 BuildRequires:  samba-python
-BuildRequires:  libwbclient-devel
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 %endif # ONLY_CLIENT
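Review bot: `Patch1009` changes from `1009-Do-not-allow-installation-in-FIPS-mode.patch` to `1009-Revert-Increased-mod_wsgi-socket-timeout.patch`, and nothing in this hunk replaces the FIPS-mode guard. Whether the 4.4.0 tarball or one of the 0001–0134 patches already refuses installation on a FIPS-enabled host cannot be seen from the spec; if none does, the installer would now proceed where the previous build stopped. A comment beside the patch list would record the decision, for example `# FIPS-mode install guard (old Patch1009) dropped: <reason / upstream commit>`. Reusing the number 1009 for an unrelated patch also makes the spec history harder to follow.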
@@ -300,26 +234,22 @@
 BuildRequires:  python-devel
 BuildRequires:  python-ldap
 BuildRequires:  python-setuptools
-BuildRequires:  python-krbV
 BuildRequires:  python-nss
-BuildRequires:  python-cryptography
+BuildRequires:  python-cryptography >= 0.9
 BuildRequires:  python-netaddr
-BuildRequires:  python-kerberos >= 1.1-15
+BuildRequires:  python-gssapi >= 1.1.2
 BuildRequires:  python-rhsm
 BuildRequires:  pyOpenSSL
 # RHEL spec file only: DELETED: Remove pylint from build process
 # RHEL spec file only: DELETED: Remove i18test from build process
 BuildRequires:  python-libipa_hbac
 BuildRequires:  python-memcached
-BuildRequires:  sssd >= 1.13.0-6
 BuildRequires:  python-lxml
 BuildRequires:  python-pyasn1 >= 0.0.9a
 BuildRequires:  python-qrcode-core >= 5.0.0
 BuildRequires:  python-dns >= 1.11.1-2
-BuildRequires:  m2crypto
-BuildRequires:  check
 BuildRequires:  libsss_idmap-devel
-BuildRequires:  libsss_nss_idmap-devel >= 1.12.2
+BuildRequires:  libsss_nss_idmap-devel >= 1.14.0
 BuildRequires:  java-headless
 BuildRequires:  rhino
 BuildRequires:  libverto-devel
@@ -330,30 +260,46 @@
 # RHEL spec file only: END
 BuildRequires:  python-lesscpy
 BuildRequires:  python-yubico >= 1.2.3
-# RHEL spec file only: START
-BuildRequires:  python-backports-ssl_match_hostname
-# RHEL spec file only: END
-BuildRequires:  softhsm-devel >= 2.0.0rc1-1
 BuildRequires:  openssl-devel
-BuildRequires:  p11-kit-devel
-BuildRequires:  pki-base >= 10.2.5-5
+BuildRequires:  pki-base >= 10.3.3-7
 # RHEL spec file only: DELETED: Do not build tests
 BuildRequires:  python-kdcproxy >= 0.3
+BuildRequires:  python-six
+BuildRequires:  python-jwcrypto
+BuildRequires:  custodia
+BuildRequires:  libini_config-devel >= 1.2.0
+BuildRequires:  dbus-python
+BuildRequires:  python-netifaces >= 0.10.4
+
+# Build dependencies for unit tests
+BuildRequires:  libcmocka-devel
+BuildRequires:  nss_wrapper
+# Required by ipa_kdb_tests
+BuildRequires:  %{_libdir}/krb5/plugins/kdb/db2.so
+
+%if 0%{?with_python3}
+BuildRequires:  python3-devel
+%endif  # with_python3
 
 %description
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof).
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+
 
 %if ! %{ONLY_CLIENT}
+
 %package server
 Summary: The IPA authentication server
 Group: System Environment/Base
-Requires: %{name}-python = %{version}-%{release}
+Requires: %{name}-server-common = %{version}-%{release}
 Requires: %{name}-client = %{version}-%{release}
 Requires: %{name}-admintools = %{version}-%{release}
-Requires: 389-ds-base >= 1.3.4.0
+Requires: %{name}-common = %{version}-%{release}
+Requires: python2-ipaserver = %{version}-%{release}
+Requires: 389-ds-base >= 1.3.5.6
 Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
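Review bot: The new `BuildRequires:  python-jwcrypto` and `BuildRequires:  custodia` lines carry no version floor, unlike the neighbouring `libini_config-devel >= 1.2.0` and `python-netifaces >= 0.10.4`. Patches 0095, 0097, 0101 and 0106 in this same commit all touch Custodia key and certificate handling, so a build against an older release than the one those patches were tested with would go unnoticed. If a minimum is known, state it, e.g. `BuildRequires:  custodia >= <tested version>`, and likewise for python-jwcrypto. The matching runtime `Requires` for these two packages are not in this hunk, so they may need the same floor.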
@@ -361,51 +307,42 @@
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
-Requires: httpd >= 2.4.6-7
+Requires: httpd >= 2.4.6-31
 Requires: mod_wsgi
-Requires: mod_auth_gssapi >= 1.3.1-2
+Requires: mod_auth_gssapi >= 1.4.0
 Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap >= 2.4.15
-Requires: python-krbV
-Requires: python-sssdconfig
+Requires: python-gssapi >= 1.1.2
 Requires: acl
-Requires: python-pyasn1
 Requires: memcached
 Requires: python-memcached
-Requires: dbus-python
 Requires: systemd-units >= 38
 Requires(pre): shadow-utils
 Requires(pre): systemd-units
 Requires(post): systemd-units
 Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base >= %{selinux_policy_version}
-Requires: slapi-nis >= 0.54-8
-Requires: pki-ca >= 10.2.5-5
-Requires: pki-kra >= 10.2.5-5
+Requires: slapi-nis >= %{slapi_nis_version}
+Requires: pki-ca >= 10.3.3-7
+Requires: pki-kra >= 10.3.3-7
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
-Requires: python-dns >= 1.11.1-2
-Requires: python-kdcproxy >= 0.3
 Requires: zip
 Requires: policycoreutils >= 2.1.14-37
 Requires: tar
 Requires(pre): certmonger >= 0.78
-Requires(pre): 389-ds-base >= 1.3.4.0
+Requires(pre): 389-ds-base >= 1.3.5.6
 Requires: fontawesome-fonts
 Requires: open-sans-fonts
-# RHEL spec file only: START
-Requires(pre): openssl >= 1:1.0.1e-42
-# RHEL spec file only: END
 Requires: openssl >= 1:1.0.1e-42
 Requires: softhsm >= 2.0.0rc1-1
 Requires: p11-kit
 Requires: systemd-python
 Requires: %{etc_systemd_dir}
 Requires: gzip
-# RHEL spec file only: START
-# Requires: redhat-access-plugin-ipa
-# RHEL spec file only: END
+Requires: oddjob
 
+Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
 Obsoletes: %{alt_name}-server < %{version}
 
@@ -423,20 +360,75 @@
 Conflicts: ipa-tests < 3.3.3-9
 # RHEL spec file only: END: Do not build tests
 
+# RHEL spec file only: START
+# https://bugzilla.redhat.com/show_bug.cgi?id=1296140
+Obsoletes: redhat-access-plugin-ipa
+Conflicts: redhat-access-plugin-ipa
+# RHEL spec file only: END
+
 %description server
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). If you are installing an IPA server you need
-to install this package (in other words, most people should NOT install
-this package).
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+
+%package -n python2-ipaserver
+Summary: Python libraries used by IPA server
+Group: System Environment/Libraries
+BuildArch: noarch
+Provides: python-ipaserver = %{version}-%{release}
+Requires: %{name}-server-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python2-ipaclient = %{version}-%{release}
+Requires: python-ldap >= 2.4.15
+Requires: python-gssapi >= 1.1.2
+Requires: python-sssdconfig
+Requires: python-pyasn1
+Requires: dbus-python
+Requires: python-dns >= 1.11.1-2
+Requires: python-kdcproxy >= 0.3
+Requires: rpm-libs
+
+%description -n python2-ipaserver
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
+
+
+%package server-common
+Summary: Common files used by IPA server
+Group: System Environment/Base
+BuildArch: noarch
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: httpd >= 2.4.6-31
+Requires: systemd-units >= 38
+Requires: custodia
+
+Provides: %{alt_name}-server-common = %{version}
+Conflicts: %{alt_name}-server-common
+Obsoletes: %{alt_name}-server-common < %{version}
+
+%description server-common
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are installing an IPA server, you need to install this package.
 
 
 %package server-dns
 Summary: IPA integrated DNS server with support for automatic DNSSEC signing
 Group: System Environment/Base
+BuildArch: noarch
 Requires: %{name}-server = %{version}-%{release}
-Requires: bind-dyndb-ldap >= 6.0-4
+Requires: bind-dyndb-ldap >= 10.0
 %if 0%{?fedora} >= 21
 Requires: bind >= 9.9.6-3
 Requires: bind-utils >= 9.9.6-3
@@ -450,6 +442,7 @@
 %endif
 Requires: opendnssec >= 1.4.6-4
 
+Provides: %{alt_name}-server-dns = %{version}
 Conflicts: %{alt_name}-server-dns
 Obsoletes: %{alt_name}-server-dns < %{version}
 
@@ -464,14 +457,13 @@
 %package server-trust-ad
 Summary: Virtual package to install packages required for Active Directory trusts
 Group: System Environment/Base
-Requires: %{name}-server = %version-%release
-Requires: m2crypto
+Requires: %{name}-server = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
 Requires: samba-python
 Requires: samba >= %{samba_version}
 Requires: samba-winbind
 Requires: libsss_idmap
 Requires: python-libsss_nss_idmap
-Requires: oddjob
 Requires: python-sss
 # We use alternatives to divert winbind_krb5_locator.so plugin to libkrb5
 # on the installes where server-trust-ad subpackage is installed because
@@ -482,6 +474,7 @@
 Requires(postun): %{_sbindir}/update-alternatives
 Requires(preun): %{_sbindir}/update-alternatives
 
+Provides: %{alt_name}-server-trust-ad = %{version}
 Conflicts: %{alt_name}-server-trust-ad
 Obsoletes: %{alt_name}-server-trust-ad < %{version}
 
@@ -496,72 +489,174 @@
 %package client
 Summary: IPA authentication for use on clients
 Group: System Environment/Base
-Requires: %{name}-python = %{version}-%{release}
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python2-ipaclient = %{version}-%{release}
 Requires: python-ldap
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
 Requires: krb5-workstation
 Requires: authconfig
 Requires: pam_krb5
-Requires: wget
+Requires: curl
+# NIS domain name config: /usr/lib/systemd/system/*-domainname.service
+Requires: initscripts
 Requires: libcurl >= 7.21.7-2
 Requires: xmlrpc-c >= 1.27.4
-Requires: sssd >= 1.13.0-40.el7_2.2
+Requires: sssd >= 1.14.0
 Requires: python-sssdconfig
 Requires: certmonger >= 0.78
 Requires: nss-tools
 Requires: bind-utils
 Requires: oddjob-mkhomedir
-Requires: python-krbV
-Requires: python-dns >= 1.11.1
+Requires: python-gssapi >= 1.1.2
 Requires: libsss_autofs
 Requires: autofs
 Requires: libnfsidmap
 Requires: nfs-utils
-# RHEL spec file only: START
-Requires: python-backports-ssl_match_hostname
-# RHEL spec file only: END
 Requires(post): policycoreutils
 
+Provides: %{alt_name}-client = %{version}
 Conflicts: %{alt_name}-client
 Obsoletes: %{alt_name}-client < %{version}
 
 %description client
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). If your network uses IPA for authentication,
-this package should be installed on every client machine.
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+
+
+%package -n python2-ipaclient
+Summary: Python libraries used by IPA client
+Group: System Environment/Libraries
+BuildArch: noarch
+Provides: python-ipaclient = %{version}-%{release}
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python2-ipalib = %{version}-%{release}
+Requires: python-dns >= 1.11.1-2
+
+%description -n python2-ipaclient
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+
+
+%if 0%{?with_python3}
+
+%package -n python3-ipaclient
+Summary: Python libraries used by IPA client
+Group: System Environment/Libraries
+BuildArch: noarch
+Requires: %{name}-client-common = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-ipalib = %{version}-%{release}
+Requires: python3-dns >= 1.11.1
+
+%description -n python3-ipaclient
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
+
+%endif  # with_python3
+
+
+%package client-common
+Summary: Common files used by IPA client
+Group: System Environment/Base
+BuildArch: noarch
+
+Provides: %{alt_name}-client-common = %{version}
+Conflicts: %{alt_name}-client-common
+Obsoletes: %{alt_name}-client-common < %{version}
+
+%description client-common
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If your network uses IPA for authentication, this package should be
+installed on every client machine.
 
 
 %package admintools
 Summary: IPA administrative tools
 Group: System Environment/Base
-Requires: %{name}-python = %{version}-%{release}
-Requires: %{name}-client = %{version}-%{release}
-Requires: python-krbV
+BuildArch: noarch
+Requires: python2-ipaclient = %{version}-%{release}
 Requires: python-ldap
 
+Provides: %{alt_name}-admintools = %{version}
 Conflicts: %{alt_name}-admintools
 Obsoletes: %{alt_name}-admintools < %{version}
 
 %description admintools
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). This package provides command-line tools for
-IPA administrators.
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+This package provides command-line tools for IPA administrators.
 
-%package python
+
+%package python-compat
+Summary: Compatiblity package for Python libraries used by IPA
+Group: System Environment/Libraries
+BuildArch: noarch
+Obsoletes: %{name}-python < 4.2.91
+Provides: %{name}-python = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python2-ipalib = %{version}-%{release}
+
+Provides: %{alt_name}-python-compat = %{version}
+Conflicts: %{alt_name}-python-compat
+Obsoletes: %{alt_name}-python-compat < %{version}
+
+Obsoletes: %{alt_name}-python < 4.2.91
+Provides: %{alt_name}-python = %{version}
+
+%description python-compat
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+This is a compatibility package to accommodate %{name}-python split into
+python2-ipalib and %{name}-common. Packages still depending on
+%{name}-python should be fixed to depend on python2-ipaclient or
+%{name}-common instead.
+
+
+%package -n python2-ipalib
 Summary: Python libraries used by IPA
 Group: System Environment/Libraries
-Requires: python-kerberos >= 1.1-15
+BuildArch: noarch
+Conflicts: %{name}-python < 4.2.91
+Provides: python-ipalib = %{version}-%{release}
+Provides: python2-ipapython = %{version}-%{release}
+Provides: python-ipapython = %{version}-%{release}
+Provides: python2-ipaplatform = %{version}-%{release}
+Provides: python-ipaplatform = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python-gssapi >= 1.1.2
 Requires: gnupg
-Requires: iproute
 Requires: keyutils
 Requires: pyOpenSSL
 Requires: python-nss >= 0.16
-Requires: python-cryptography
+Requires: python-cryptography >= 0.9
 Requires: python-lxml
 Requires: python-netaddr
 Requires: python-libipa_hbac
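Review bot: The new `%package python-compat` section has a typo in `Summary: Compatiblity package for Python libraries used by IPA`, and its description names two different replacement sets. It says `%{name}-python` was split into `python2-ipalib` and `%{name}-common`, then tells dependants to move to `python2-ipaclient` or `%{name}-common`. I would fix the summary to `Compatibility` and make the last sentence name the same packages as the split, or add a clause explaining why `python2-ipaclient` is the preferred target. The `python2-ipalib` dependency list that starts at the end of this hunk continues in the next one.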
@@ -570,19 +665,95 @@
 Requires: python-dateutil
 Requires: python-yubico >= 1.2.3
 Requires: python-sss-murmur
-Requires: wget
 Requires: dbus-python
 Requires: python-setuptools
+Requires: python-six
+Requires: python-jwcrypto
+Requires: python-cffi
+Requires: python-ldap >= 2.4.15
+Requires: python-requests
+Requires: python-custodia
+Requires: python-dns >= 1.11.1-2
+Requires: python-netifaces >= 0.10.4
+Requires: pyusb
 
-Conflicts: %{alt_name}-python
-Obsoletes: %{alt_name}-python < %{version}
+Conflicts: %{alt_name}-python < %{version}
 
-%description python
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof). If you are using IPA you need to install this
-package.
+%description -n python2-ipalib
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are using IPA, you need to install this package.
+
+
+%if 0%{?with_python3}
+
+%package -n python3-ipalib
+Summary: Python3 libraries used by IPA
+Group: System Environment/Libraries
+BuildArch: noarch
+Provides: python3-ipapython = %{version}-%{release}
+Provides: python3-ipaplatform = %{version}-%{release}
+Requires: %{name}-common = %{version}-%{release}
+Requires: python3-gssapi >= 1.1.2
+Requires: gnupg
+Requires: keyutils
+Requires: python3-pyOpenSSL
+Requires: python3-nss >= 0.16
+Requires: python3-cryptography
+Requires: python3-lxml
+Requires: python3-netaddr
+Requires: python3-libipa_hbac
+Requires: python3-qrcode-core >= 5.0.0
+Requires: python3-pyasn1
+Requires: python3-dateutil
+Requires: python3-yubico >= 1.2.3
+Requires: python3-sss-murmur
+Requires: python3-dbus
+Requires: python3-setuptools
+Requires: python3-six
+Requires: python3-jwcrypto
+Requires: python3-cffi
+Requires: python3-pyldap >= 2.4.15
+Requires: python3-custodia
+Requires: python3-requests
+Requires: python3-dns >= 1.11.1
+Requires: python3-netifaces >= 0.10.4
+Requires: python3-pyusb
+
+%description -n python3-ipalib
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are using IPA with Python 3, you need to install this package.
+
+%endif # with_python3
+
+
+%package common
+Summary: Common files used by IPA
+Group: System Environment/Libraries
+BuildArch: noarch
+Conflicts: %{name}-python < 4.2.91
+
+Provides: %{alt_name}-common = %{version}
+Conflicts: %{alt_name}-common
+Obsoletes: %{alt_name}-common < %{version}
+
+Conflicts: %{alt_name}-python < %{version}
+
+%description common
+IPA is an integrated solution to provide centrally managed Identity (users,
+hosts, services), Authentication (SSO, 2FA), and Authorization
+(host access control, SELinux user roles, services). The solution provides
+features for further integration with Linux based clients (SUDO, automount)
+and integration with Active Directory based infrastructures (Trusts).
+If you are using IPA, you need to install this package.
+
 
 # RHEL spec file only: DELETED: Do not build tests
 
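Review bot: `python3-ipalib` requires `python3-cryptography` with no version floor, while the Python 2 list in the previous hunk was tightened to `python-cryptography >= 0.9`. The same drift shows in `python3-dns >= 1.11.1` against `python-dns >= 1.11.1-2`. The section is guarded by `%if 0%{?with_python3}`, so it only matters on builds that enable it, but there the Python 3 library could be installed against an older crypto binding than the Python 2 one accepts. I would write `Requires: python3-cryptography >= 0.9` and keep the two dependency lists in step.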
@@ -612,11 +783,12 @@
 done
 
 # Red Hat's Identity Management branding
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
+
 
 %build
 # UI compilation segfaulted on some arches when the stack was lower (#1040576)
@@ -634,7 +806,7 @@
 rm -f ipaplatform/paths.py
 rm -f ipaplatform/constants.py
 make version-update
-cd ipa-client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
+cd client; ../autogen.sh --prefix=%{_usr} --sysconfdir=%{_sysconfdir} --localstatedir=%{_localstatedir} --libdir=%{_libdir} --mandir=%{_mandir}; cd ..
 %if ! %{ONLY_CLIENT}
 # RHEL SPEC file only: START: Force re-generation of the makefiles
 find daemons -name Makefile.in |egrep -v '(libotp|lockout|otp-counter|lasttoken)'|xargs rm -f
@@ -649,6 +821,15 @@
 make IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} client
 %endif # ONLY_CLIENT
 
+
+%check
+%if ! %{ONLY_CLIENT}
+make %{?_smp_mflags} check VERBOSE=yes
+%else
+make %{?_smp_mflags} client-check VERBOSE=yes
+%endif # ONLY_CLIENT
+
+
 %install
 rm -rf %{buildroot}
 export SUPPORTED_PLATFORM=%{platform_module}
@@ -662,11 +843,26 @@
 make version-update
 %if ! %{ONLY_CLIENT}
 make install DESTDIR=%{buildroot}
+
+# RHEL spec file only: DELETED: Do not build tests
+
 %else
 make client-install DESTDIR=%{buildroot}
 %endif # ONLY_CLIENT
-%find_lang %{gettext_domain}
 
+%if 0%{?with_python3}
+(cd ipalib && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install)
+(cd ipapython && make PYTHON=%{__python3} IPA_VERSION_IS_GIT_SNAPSHOT=no %{?_smp_mflags} DESTDIR=%{buildroot} install)
+(cd ipaplatform && %{__python3} setup.py install --root %{buildroot})
+(cd ipaclient && %{__python3} setup.py install --root %{buildroot})
+%endif # with_python3
+
+# Switch shebang of /usr/bin/ipa
+# XXX: ipa cli is not stable enough for enabling py3 support, keep it in py2
+# in any case
+sed -i -e'1s/python\(3\|$\)/python2/' %{buildroot}%{_bindir}/ipa
+
+%find_lang %{gettext_domain}
 
 mkdir -p %{buildroot}%{_usr}/share/ipa
 
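Review bot: The shebang rewrite `sed -i -e'1s/python\(3\|$\)/python2/' %{buildroot}%{_bindir}/ipa` matches only `python3` or a first line that ends in `python`, and sed exits successfully whether or not it changed anything. A first line where `python` is followed by an interpreter option would therefore be left as it is; what the installed first line looks like is not visible in this hunk. Since the comment says the CLI must stay on Python 2 "in any case", a check after the sed would fail the build rather than ship the wrong interpreter: `head -n1 %{buildroot}%{_bindir}/ipa | grep -q python2`.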
@@ -717,13 +913,11 @@
 /bin/touch %{buildroot}%{_sysconfdir}/httpd/conf.d/ipa-rewrite.conf
 mkdir -p %{buildroot}%{_usr}/share/ipa/html/
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/ca.crt
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/configure.jar
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/kerberosauth.xpi
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.con
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb.js
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krb5.ini
 /bin/touch %{buildroot}%{_usr}/share/ipa/html/krbrealm.con
-/bin/touch %{buildroot}%{_usr}/share/ipa/html/preferences.html
 mkdir -p %{buildroot}%{_initrddir}
 mkdir %{buildroot}%{_sysconfdir}/sysconfig/
 install -m 644 init/ipa_memcached.conf %{buildroot}%{_sysconfdir}/sysconfig/ipa_memcached
@@ -741,6 +935,9 @@
 
 # Web UI plugin dir
 mkdir -p %{buildroot}%{_usr}/share/ipa/ui/js/plugins
+
+# DNSSEC config
+mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
 
 # KDC proxy config (Apache config sets KDCPROXY_CONFIG to load this file)
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/kdcproxy/
@@ -766,7 +963,7 @@
 mkdir -p %{buildroot}%{etc_systemd_dir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
-install -m 644 init/systemd/httpd.service %{buildroot}%{etc_systemd_dir}/httpd.service
+install -m 644 init/systemd/ipa-custodia.service %{buildroot}%{_unitdir}/ipa-custodia.service
 # END
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
 %endif # ONLY_CLIENT
@@ -774,7 +971,6 @@
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
-mkdir -p %{buildroot}%{_sysconfdir}/ipa/dnssec
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/nssdb
 mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa-client/sysrestore
 mkdir -p %{buildroot}%{_sysconfdir}/bash_completion.d
@@ -784,17 +980,22 @@
 mkdir -p %{buildroot}%{_sysconfdir}/cron.d
 
 (cd %{buildroot}/%{python_sitelib}/ipaserver && find . -type f  | \
-    grep -v dcerpc | grep -v adtrustinstance | \
     sed -e 's,\.py.*$,.*,g' | sort -u | \
     sed -e 's,\./,%%{python_sitelib}/ipaserver/,g' ) >server-python.list
 
 # RHEL spec file only: DELETED: Do not build tests
+
+mkdir -p %{buildroot}%{_sysconfdir}/ipa/custodia
+
 %endif # ONLY_CLIENT
+
 
 %clean
 rm -rf %{buildroot}
 
+
 %if ! %{ONLY_CLIENT}
+
 %post server
 # NOTE: systemd specific section
     /bin/systemctl --system daemon-reload 2>&1 || :
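Review bot: `mkdir -p %{buildroot}%{_sysconfdir}/ipa/custodia` creates the directory with the build's default mode, and no matching `%files` entry is visible in this part of the patch. If this is where the Custodia service keeps its configuration and key material (to be confirmed against the installer), the subpackage that ships `ipa-custodia.service` should own it with an explicit restrictive mode, for example `%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia`. Separately, removing the `grep -v dcerpc | grep -v adtrustinstance` filter puts those modules into `server-python.list`, while `samba-python` is still required only by `server-trust-ad`. A comment above the `find` stating that these modules must tolerate a missing Samba binding would help.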
@@ -802,17 +1003,23 @@
 if [ $1 -gt 1 ] ; then
     /bin/systemctl condrestart certmonger.service 2>&1 || :
 fi
+/bin/systemctl reload-or-try-restart dbus
+/bin/systemctl reload-or-try-restart oddjobd
+
 
 %posttrans server
-# This must be run in posttrans so that updates from previous
-# execution that may no longer be shipped are not applied.
-/usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
-
-# Restart IPA processes. This must be also run in postrans so that plugins
-# and software is in consistent state
+# don't execute upgrade and restart of IPA when server is not installed
 python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
-# NOTE: systemd specific section
+
 if [  $? -eq 0 ]; then
+    # This must be run in posttrans so that updates from previous
+    # execution that may no longer be shipped are not applied.
+    /usr/sbin/ipa-server-upgrade --quiet >/dev/null || :
+
+    # Restart IPA processes. This must be also run in postrans so that plugins
+    # and software is in consistent state
+    # NOTE: systemd specific section
+
     /bin/systemctl is-enabled ipa.service >/dev/null 2>&1
     if [  $? -eq 0 ]; then
         /bin/systemctl restart ipa.service >/dev/null 2>&1 || :
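Review bot: The two `/bin/systemctl reload-or-try-restart` lines added at the end of `%post server` have no `|| :`, unlike the `daemon-reload` and `condrestart` calls around them, so the scriptlet's exit status becomes that of the `oddjobd` call. The same pair is added inside `if [ $1 = 0 ]` in `%preun server` (hunk `@@ -820,13 +1027,17 @@`), where it is the last command run and a non-zero exit can block removal of the package. Installs into an image or chroot without a running systemd are the likely trigger. I would write `/bin/systemctl reload-or-try-restart dbus >/dev/null 2>&1 || :` and the same for `oddjobd` in both scriptlets. `%post server` begins above this hunk and `%posttrans server` continues below it.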
@@ -820,13 +1027,17 @@
 fi
 # END
 
+
 %preun server
 if [ $1 = 0 ]; then
 # NOTE: systemd specific section
     /bin/systemctl --quiet stop ipa.service || :
     /bin/systemctl --quiet disable ipa.service || :
+    /bin/systemctl reload-or-try-restart dbus
+    /bin/systemctl reload-or-try-restart oddjobd
 # END
 fi
+
 
 %pre server
 # Stop ipa_kpasswd if it exists before upgrading so we don't have a
@@ -837,6 +1048,7 @@
 # END
 fi
 
+
 %postun server-trust-ad
 if [ "$1" -ge "1" ]; then
     if [ "`readlink %{_sysconfdir}/alternatives/winbind_krb5_locator.so`" == "/dev/null" ]; then
@@ -844,11 +1056,13 @@
     fi
 fi
 
+
 %post server-trust-ad
 %{_sbindir}/update-alternatives --install %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so \
         winbind_krb5_locator.so /dev/null 90
 /bin/systemctl reload-or-try-restart dbus
 /bin/systemctl reload-or-try-restart oddjobd
+
 
 %posttrans server-trust-ad
 python2 -c "import sys; from ipaserver.install import installutils; sys.exit(0 if installutils.is_ipa_configured() else 1);" > /dev/null 2>&1
@@ -858,6 +1072,7 @@
 # END
 fi
 
+
 %preun server-trust-ad
 if [ $1 -eq 0 ]; then
     %{_sbindir}/update-alternatives --remove winbind_krb5_locator.so /dev/null
@@ -866,6 +1081,7 @@
 fi
 
 %endif # ONLY_CLIENT
+
 
 %post client
 if [ $1 -gt 1 ] ; then
@@ -890,19 +1106,13 @@
         fi
     fi
 
-    if [ ! -f '/etc/ipa/nssdb/cert8.db' -a $restore -ge 2 ]; then
-        python2 -c 'from ipapython.certdb import create_ipa_nssdb; create_ipa_nssdb()' >/dev/null 2>&1
-        tempfile=$(mktemp)
-        if certutil -L -d /etc/pki/nssdb -n 'IPA CA' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'IPA CA' -t CT,C,C -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        elif certutil -L -d /etc/pki/nssdb -n 'External CA cert' -a >"$tempfile" 2>/var/log/ipaupgrade.log; then
-            certutil -A -d /etc/ipa/nssdb -n 'External CA cert' -t C,, -a -i "$tempfile" >/var/log/ipaupgrade.log 2>&1
-        fi
-        rm -f "$tempfile"
+    if [ $restore -ge 2 ]; then
+        python2 -c 'from ipapython.certdb import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1
     fi
 fi
 
-%triggerin -n %{name}-client -- openssh-server
+
+%triggerin client -- openssh-server
 # Has the client been configured?
 restore=0
 test -f '/var/lib/ipa-client/sysrestore/sysrestore.index' && restore=$(wc -l '/var/lib/ipa-client/sysrestore/sysrestore.index' | awk '{print $1}')
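Review bot: The new `update_ipa_nssdb()` call in `%post client` redirects with `>/var/log/ipaupgrade.log`, which truncates that log on every client upgrade where `$restore -ge 2`. The removed block touched it only when `/etc/ipa/nssdb/cert8.db` was missing. If the server upgrade writes to the same file (the name suggests so, but that is not visible here), earlier upgrade records are lost just when they may be needed to explain a failure. Appending keeps them: `python2 -c '...' >>/var/log/ipaupgrade.log 2>&1 || :`. The trailing `|| :` also stops a failed NSS database update from becoming the scriptlet's exit status. The `%post client` body starts above this hunk.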
@@ -937,10 +1147,13 @@
     fi
 fi
 
+
 %if ! %{ONLY_CLIENT}
-%files server -f server-python.list
+
+%files server
 %defattr(-,root,root,-)
-%doc COPYING README Contributors.txt
+%doc README Contributors.txt
+%license COPYING
 %{_sbindir}/ipa-backup
 %{_sbindir}/ipa-restore
 %{_sbindir}/ipa-ca-install
@@ -971,6 +1184,80 @@
 %{_libexecdir}/ipa/ipa-dnskeysync-replica
 %{_libexecdir}/ipa/ipa-ods-exporter
 %{_libexecdir}/ipa/ipa-httpd-kdcproxy
+%{_libexecdir}/ipa/ipa-pki-retrieve-key
+%dir %{_libexecdir}/ipa/oddjob
+%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
+%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
+%config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
+%dir %{_libexecdir}/ipa/certmonger
+%attr(755,root,root) %{_libexecdir}/ipa/certmonger/*
+# NOTE: systemd specific section
+%attr(644,root,root) %{_unitdir}/ipa.service
+%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
+%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
+%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
+%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
+%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
+# END
+%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
+%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
+%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
+%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
+%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
+%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
+%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
+%attr(755,root,root) %{plugin_dir}/libipa_dns.so
+%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
+%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
+%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
+%attr(755,root,root) %{plugin_dir}/libtopology.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
+%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
+%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
+%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
+%{_mandir}/man1/ipa-replica-conncheck.1.gz
+%{_mandir}/man1/ipa-replica-install.1.gz
+%{_mandir}/man1/ipa-replica-manage.1.gz
+%{_mandir}/man1/ipa-csreplica-manage.1.gz
+%{_mandir}/man1/ipa-replica-prepare.1.gz
+%{_mandir}/man1/ipa-server-certinstall.1.gz
+%{_mandir}/man1/ipa-server-install.1.gz
+%{_mandir}/man1/ipa-server-upgrade.1.gz
+%{_mandir}/man1/ipa-ca-install.1.gz
+%{_mandir}/man1/ipa-kra-install.1.gz
+%{_mandir}/man1/ipa-compat-manage.1.gz
+%{_mandir}/man1/ipa-nis-manage.1.gz
+%{_mandir}/man1/ipa-managed-entries.1.gz
+%{_mandir}/man1/ipa-ldap-updater.1.gz
+%{_mandir}/man8/ipactl.8.gz
+%{_mandir}/man8/ipa-upgradeconfig.8.gz
+%{_mandir}/man1/ipa-backup.1.gz
+%{_mandir}/man1/ipa-restore.1.gz
+%{_mandir}/man1/ipa-advise.1.gz
+%{_mandir}/man1/ipa-otptoken-import.1.gz
+%{_mandir}/man1/ipa-cacert-manage.1.gz
+%{_mandir}/man1/ipa-winsync-migrate.1.gz
+
+
+%files -n python2-ipaserver -f server-python.list
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
+%{python_sitelib}/freeipa-*.egg-info
+%dir %{python_sitelib}/ipaserver
+%dir %{python_sitelib}/ipaserver/install
+%dir %{python_sitelib}/ipaserver/install/plugins
+%dir %{python_sitelib}/ipaserver/install/server
+%dir %{python_sitelib}/ipaserver/advise
+%dir %{python_sitelib}/ipaserver/advise/plugins
+%dir %{python_sitelib}/ipaserver/plugins
+
+
+%files server-common
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
 %ghost %verify(not owner group) %dir %{_sharedstatedir}/kdcproxy
 %dir %attr(0755,root,root) %{_sysconfdir}/ipa/kdcproxy
 %config(noreplace) %{_sysconfdir}/sysconfig/ipa_memcached
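Review bot: `%config(noreplace)` on `%{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf` and `%{_sysconfdir}/oddjobd.conf.d/ipa-server.conf` means a locally edited copy survives upgrades. A later package that tightens who may invoke the `org.freeipa.server.conncheck` helper would then not take effect on those hosts. These files look like access policy for a presumably privileged helper rather than tunable settings, though their content is not in this hunk. Plain `%config`, or a comment stating why local edits must win, would be safer. The mode notation is also mixed in this list: `%attr(0755,root,root)` for the oddjob helper and `%attr(755,root,root)` for the certmonger helpers.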
@@ -984,24 +1271,10 @@
 %dir %attr(0700,apache,apache) %{_localstatedir}/run/httpd/ipa/krbcache/
 # NOTE: systemd specific section
 %{_tmpfilesdir}/%{name}.conf
-%attr(644,root,root) %{_unitdir}/ipa.service
 %attr(644,root,root) %{_unitdir}/ipa_memcached.service
-%attr(644,root,root) %{_unitdir}/ipa-otpd.socket
-%attr(644,root,root) %{_unitdir}/ipa-otpd@.service
-%attr(644,root,root) %{_unitdir}/ipa-dnskeysyncd.service
-%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.socket
-%attr(644,root,root) %{_unitdir}/ipa-ods-exporter.service
-%attr(644,root,root) %{etc_systemd_dir}/httpd.service
+%attr(644,root,root) %{_unitdir}/ipa-custodia.service
+%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.d/ipa.conf
 # END
-%dir %{python_sitelib}/ipaserver
-%dir %{python_sitelib}/ipaserver/install
-%dir %{python_sitelib}/ipaserver/install/plugins
-%dir %{python_sitelib}/ipaserver/install/server
-%dir %{python_sitelib}/ipaserver/advise
-%dir %{python_sitelib}/ipaserver/advise/plugins
-%dir %{python_sitelib}/ipaserver/plugins
-%dir %{_libdir}/ipa/certmonger
-%attr(755,root,root) %{_libdir}/ipa/certmonger/*
 %dir %{_usr}/share/ipa
 %{_usr}/share/ipa/wsgi.py*
 %{_usr}/share/ipa/copy-schema-to-ca.py*
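Review bot: The new `%ghost` entry points at `%{etc_systemd_dir}/httpd.d/ipa.conf`, but systemd reads drop-ins for a unit from a directory named after the full unit, i.e. `httpd.service.d/`. If this file is meant to replace the removed `httpd.service` override as a drop-in (an inference from the two changed lines), settings written there would not be applied to httpd. The path has to match what the installer writes, which is defined outside this patch section, so both would need to change together: `%ghost %attr(644,root,root) %{etc_systemd_dir}/httpd.service.d/ipa.conf`. The parent directory is not listed with `%dir` in the visible lines either.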
@@ -1070,36 +1343,19 @@
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-kdc-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/httpd/conf.d/ipa-pki-proxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/kdcproxy/ipa-kdc-proxy.conf
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
 %{_usr}/share/ipa/ipa.conf
 %{_usr}/share/ipa/ipa-rewrite.conf
 %{_usr}/share/ipa/ipa-pki-proxy.conf
 %{_usr}/share/ipa/kdcproxy.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_usr}/share/ipa/html/ca.crt
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/configure.jar
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/kerberosauth.xpi
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.con
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb.js
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krb5.ini
 %ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/krbrealm.con
-%ghost %attr(0644,root,apache) %{_usr}/share/ipa/html/preferences.html
 %dir %{_usr}/share/ipa/updates/
 %{_usr}/share/ipa/updates/*
-%attr(755,root,root) %{plugin_dir}/libipa_pwd_extop.so
-%attr(755,root,root) %{plugin_dir}/libipa_enrollment_extop.so
-%attr(755,root,root) %{plugin_dir}/libipa_winsync.so
-%attr(755,root,root) %{plugin_dir}/libipa_repl_version.so
-%attr(755,root,root) %{plugin_dir}/libipa_uuid.so
-%attr(755,root,root) %{plugin_dir}/libipa_modrdn.so
-%attr(755,root,root) %{plugin_dir}/libipa_lockout.so
-%attr(755,root,root) %{plugin_dir}/libipa_cldap.so
-%attr(755,root,root) %{plugin_dir}/libipa_dns.so
-%attr(755,root,root) %{plugin_dir}/libipa_range_check.so
-%attr(755,root,root) %{plugin_dir}/libipa_otp_counter.so
-%attr(755,root,root) %{plugin_dir}/libipa_otp_lasttoken.so
-%attr(755,root,root) %{plugin_dir}/libtopology.so
-%attr(755,root,root) %{plugin_dir}/libipa_sidgen.so
-%attr(755,root,root) %{plugin_dir}/libipa_sidgen_task.so
-%attr(755,root,root) %{plugin_dir}/libipa_extdom_extop.so
 %dir %{_localstatedir}/lib/ipa
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
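Review bot: `%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec` moves into server-common as a world-traversable directory with none of its contents listed, whereas the custodia directory added later in this patch is `0700`. Nothing in this hunk shows what the installer writes there; if it holds DNSSEC key-store configuration or PINs, protection rests entirely on per-file modes that rpm never records. If 0755 is needed because non-root service accounts must traverse the directory, state that in a comment above the entry, e.g. `# 0755 on purpose: <service accounts that need traversal>; files inside carry their own restrictive modes`. Listing the generated files as `%ghost` with explicit `%attr` would also let `rpm -V` report mode drift.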
@@ -1107,230 +1363,721 @@
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
 %ghost %{_localstatedir}/lib/ipa/pki-ca/publish
 %ghost %{_localstatedir}/named/dyndb-ldap/ipa
-%attr(755,root,root) %{_libdir}/krb5/plugins/kdb/ipadb.so
-%{_mandir}/man1/ipa-replica-conncheck.1.gz
-%{_mandir}/man1/ipa-replica-install.1.gz
-%{_mandir}/man1/ipa-replica-manage.1.gz
-%{_mandir}/man1/ipa-csreplica-manage.1.gz
-%{_mandir}/man1/ipa-replica-prepare.1.gz
-%{_mandir}/man1/ipa-server-certinstall.1.gz
-%{_mandir}/man1/ipa-server-install.1.gz
-%{_mandir}/man1/ipa-server-upgrade.1.gz
-%{_mandir}/man1/ipa-ca-install.1.gz
-%{_mandir}/man1/ipa-kra-install.1.gz
-%{_mandir}/man1/ipa-compat-manage.1.gz
-%{_mandir}/man1/ipa-nis-manage.1.gz
-%{_mandir}/man1/ipa-managed-entries.1.gz
-%{_mandir}/man1/ipa-ldap-updater.1.gz
-%{_mandir}/man8/ipactl.8.gz
-%{_mandir}/man8/ipa-upgradeconfig.8.gz
-%{_mandir}/man1/ipa-backup.1.gz
-%{_mandir}/man1/ipa-restore.1.gz
-%{_mandir}/man1/ipa-advise.1.gz
-%{_mandir}/man1/ipa-otptoken-import.1.gz
-%{_mandir}/man1/ipa-cacert-manage.1.gz
-%{_mandir}/man1/ipa-winsync-migrate.1.gz
+%dir %attr(0700,root,root) %{_sysconfdir}/ipa/custodia
+
 
 %files server-dns
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
 %{_sbindir}/ipa-dns-install
 %{_mandir}/man1/ipa-dns-install.1.gz
 
+
 %files server-trust-ad
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
 %{_sbindir}/ipa-adtrust-install
 %{_usr}/share/ipa/smb.conf.empty
 %attr(755,root,root) %{_libdir}/samba/pdb/ipasam.so
 %{_mandir}/man1/ipa-adtrust-install.1.gz
-%{python_sitelib}/ipaserver/dcerpc*
-%{python_sitelib}/ipaserver/install/adtrustinstance*
 %ghost %{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 %{_sysconfdir}/dbus-1/system.d/oddjob-ipa-trust.conf
 %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
-%%attr(755,root,root) %{_libexecdir}/ipa/com.redhat.idm.trust-fetch-domains
+%%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
 
 %endif # ONLY_CLIENT
 
+
 %files client
 %defattr(-,root,root,-)
-%doc COPYING README Contributors.txt
+%doc README Contributors.txt
+%license COPYING
 %{_sbindir}/ipa-client-install
 %{_sbindir}/ipa-client-automount
 %{_sbindir}/ipa-certupdate
 %{_sbindir}/ipa-getkeytab
 %{_sbindir}/ipa-rmkeytab
 %{_sbindir}/ipa-join
-%dir %{_usr}/share/ipa
-%dir %{_localstatedir}/lib/ipa-client
-%dir %{_localstatedir}/lib/ipa-client/sysrestore
-%dir %{python_sitelib}/ipaclient
-%{python_sitelib}/ipaclient/*.py*
 %{_mandir}/man1/ipa-getkeytab.1.gz
 %{_mandir}/man1/ipa-rmkeytab.1.gz
 %{_mandir}/man1/ipa-client-install.1.gz
 %{_mandir}/man1/ipa-client-automount.1.gz
 %{_mandir}/man1/ipa-certupdate.1.gz
 %{_mandir}/man1/ipa-join.1.gz
+
+
+%files -n python2-ipaclient
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
+%dir %{python_sitelib}/ipaclient
+%{python_sitelib}/ipaclient/*.py*
+%{python_sitelib}/ipaclient/plugins/*.py*
+%{python_sitelib}/ipaclient/remote_plugins/*.py*
+%{python_sitelib}/ipaclient/remote_plugins/2_*/*.py*
+%{python_sitelib}/ipaclient-*.egg-info
+
+
+%if 0%{?with_python3}
+
+%files -n python3-ipaclient
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
+%dir %{python3_sitelib}/ipaclient
+%{python3_sitelib}/ipaclient/*.py
+%{python3_sitelib}/ipaclient/__pycache__/*.py*
+%{python3_sitelib}/ipaclient/plugins/*.py
+%{python3_sitelib}/ipaclient/plugins/__pycache__/*.py*
+%{python3_sitelib}/ipaclient/remote_plugins/*.py
+%{python3_sitelib}/ipaclient/remote_plugins/__pycache__/*.py*
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py
+%{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py*
+%{python3_sitelib}/ipaclient-*.egg-info
+
+%endif # with_python3
+
+
+%files client-common
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
+%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
+%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
+%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
+%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
+%dir %{_usr}/share/ipa
+%dir %{_localstatedir}/lib/ipa-client
+%dir %{_localstatedir}/lib/ipa-client/sysrestore
 %{_mandir}/man5/default.conf.5.gz
+
 
 %files admintools
 %defattr(-,root,root,-)
-%doc COPYING README Contributors.txt
+%doc README Contributors.txt
+%license COPYING
 %{_bindir}/ipa
 %config %{_sysconfdir}/bash_completion.d
 %{_mandir}/man1/ipa.1.gz
 
-%files python -f %{gettext_domain}.lang
+
+%files python-compat
 %defattr(-,root,root,-)
-%doc COPYING README Contributors.txt
+%doc README Contributors.txt
+%license COPYING
+
+
+%files -n python2-ipalib
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
 %dir %{python_sitelib}/ipapython
 %{python_sitelib}/ipapython/*.py*
 %dir %{python_sitelib}/ipapython/dnssec
 %{python_sitelib}/ipapython/dnssec/*.py*
 %dir %{python_sitelib}/ipapython/install
 %{python_sitelib}/ipapython/install/*.py*
+%dir %{python_sitelib}/ipapython/secrets
+%{python_sitelib}/ipapython/secrets/*.py*
 %dir %{python_sitelib}/ipalib
 %{python_sitelib}/ipalib/*
 %dir %{python_sitelib}/ipaplatform
 %{python_sitelib}/ipaplatform/*
-%attr(0644,root,root) %{python_sitearch}/default_encoding_utf8.so
-%attr(0644,root,root) %{python_sitearch}/_ipap11helper.so
 %{python_sitelib}/ipapython-*.egg-info
-%{python_sitelib}/freeipa-*.egg-info
+%{python_sitelib}/ipalib-*.egg-info
 %{python_sitelib}/ipaplatform-*.egg-info
-%{python_sitearch}/python_default_encoding-*.egg-info
-%{python_sitearch}/_ipap11helper-*.egg-info
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/
-%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
-%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/nssdb
-%dir %attr(0755,root,root) %{_sysconfdir}/ipa/dnssec
-%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db
-%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db
-%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db
-%ghost %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt
-%ghost %config(noreplace) %{_sysconfdir}/pki/ca-trust/source/ipa.p11-kit
+
+
+%files common -f %{gettext_domain}.lang
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
+
+
+%if 0%{?with_python3}
+
+%files -n python3-ipalib
+%defattr(-,root,root,-)
+%doc README Contributors.txt
+%license COPYING
+
+%{python3_sitelib}/ipapython/
+%{python3_sitelib}/ipalib/
+%{python3_sitelib}/ipaplatform/
+%{python3_sitelib}/ipapython-*.egg-info
+%{python3_sitelib}/ipalib-*.egg-info
+%{python3_sitelib}/ipaplatform-*.egg-info
+
+%endif # with_python3
+
 
 # RHEL spec file only: DELETED: Do not build tests
 
-%changelog
-* Thu Sep 01 2016 CentOS Sources <bugs@centos.org> - 4.2.0-15.el7.centos.19
-- Roll in CentOS Branding
 
-* Mon Aug 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.19
+%changelog
+* Fri Sep 16 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-12
+- Resolves: #1373910 IPA server upgrade fails with DNS timed out errors.
+- Resolves: #1375269 ipa trust-fetch-domains throws internal error
+
+* Tue Sep 13 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-11
+- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
+  - Fix regression introduced in ipa-certupdate
+
+* Wed Sep  7 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-10
+- Resolves: #1355753 adding two way non transitive(external) trust displays
+  internal error on the console
+  - Always fetch forest info from root DCs when establishing two-way trust
+  - factor out `populate_remote_domain` method into module-level function
+  - Always fetch forest info from root DCs when establishing one-way trust
+- Resolves: #1356101 Lightweight sub-CA certs are not tracked by certmonger
+  after `ipa-replica-install`
+  - Track lightweight CAs on replica installation
+- Resolves: #1357488 ipa command stuck forever on higher versioned client with
+  lower versioned server
+  - compat: Save server's API version in for pre-schema servers
+  - compat: Fix ping command call
+  - schema cache: Store and check info for pre-schema servers
+- Resolves: #1363905 man page for ipa-replica-manage has a typo in -c flag
+  - Fix man page ipa-replica-manage: remove duplicate -c option
+    from --no-lookup
+- Resolves: #1367865 webui: cert_revoke should use --cacn to set correct CA
+  when revoking certificate
+  - cert: include CA name in cert command output
+  - WebUI add support for sub-CAs while revoking certificates
+- Resolves: #1368424 Unable to view certificates issued by Sub CA in Web UI
+  - Add support for additional options taken from table facet
+  - WebUI: Fix showing certificates issued by sub-CA
+- Resolves: #1368557 dnsrecord-add does not prompt for missing record parts
+  internactively
+  - dns: normalize record type read interactively in dnsrecord_add
+  - dns: prompt for missing record parts in CLI
+  - dns: fix crash in interactive mode against old servers
+- Resolves: #1370519 Certificate revocation in service-del and host-del isn't
+  aware of Sub CAs
+  - cert: fix cert-find --certificate when the cert is not in LDAP
+  - Make host/service cert revocation aware of lightweight CAs
+- Resolves: #1371901 Use OAEP padding with custodia
+  - Use RSA-OAEP instead of RSA PKCS#1 v1.5
+- Resolves: #1371915 When establishing external two-way trust, forest root
+  Administrator account is used to fetch domain info
+  - do not use trusted forest name to construct domain admin principal
+- Resolves: #1372597 Incorrect CA ACL evaluation of SAN DNS names in
+  certificate request
+  - Fix CA ACL Check on SubjectAltNames
+- Resolves: #1373272 CLI always sends default command version
+  - cli: use full name when executing a command
+- Resolves: #1373359 ipa-certupdate fails with "CA is not configured"
+  - Fix ipa-certupdate for CA-less installation
+- Resolves: #1373540 client-install with IPv6 address fails on link-local
+  address (always)
+  - Fix parse errors with link-local addresses
+
+* Fri Sep  2 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-9
+- Resolves: #1081561 CA not start during ipa server install in pure IPv6 env
+  - Fix ipa-server-install in pure IPv6 environment
+- Resolves: #1318169 Tree-root domains in a trusted AD forest aren't marked as
+  reachable via the forest root
+  - trust: make sure ID range is created for the child domain even if it exists
+  - ipa-kdb: simplify trusted domain parent search
+- Resolves: #1335567 Update Warning in IdM Web UI API browser
+  - WebUI: add API browser is tech preview warning
+- Resolves: #1348560 Mulitple domain Active Directory Trust conflict
+  - ipaserver/dcerpc: reformat to make the code closer to pep8
+  - trust: automatically resolve DNS trust conflicts for triangle trusts
 - Resolves: #1351593 CVE-2016-5404 ipa: Insufficient privileges check in
   certificate revocation
   - cert-revoke: fix permission check bypass (CVE-2016-5404)
+- Resolves: #1353936 custodia.conf and server.keys file is world-readable.
+  - Remove Custodia server keys from LDAP
+  - Secure permissions of Custodia server.keys
+- Resolves: #1358752 ipa-ca-install fails on replica when IPA server is
+  converted from CA-less to CA-full
+  - custodia: include known CA certs in the PKCS#12 file for Dogtag
+  - custodia: force reconnect before retrieving CA certs from LDAP
+- Resolves: #1362333 ipa vault container owner cannot add vault
+  - Fix: container owner should be able to add vault
+- Resolves: #1365546 External trust with root domain is transitive
+  - trust: make sure external trust topology is correctly rendered
+- Resolves: #1365572 IPA server broken after upgrade
+  - Require pki-core-10.3.3-7
+- Resolves: #1367864 Server assumes latest version of command instead of
+  version 1 for old / 3rd party clients
+  - rpcserver: assume version 1 for unversioned command calls
+  - rpcserver: fix crash in XML-RPC system commands
+- Resolves: #1367773 thin client ignores locale change
+  - schema cache: Fallback to 'en_us' when locale is not available
+- Resolves: #1368754 ipa server uninstall fails with Python "Global Name error"
+  - Fail on topology disconnect/last role removal
+- Resolves: #1368981 ipa otptoken-add --type=hotp --key creates wrong OTP
+  - otptoken, permission: Convert custom type parameters on server
+- Resolves: #1369414 ipa server-del fails with Python stack trace
+  - Handled empty hostname in server-del command
+- Resolves: #1369761 ipa-server must depend on a version of httpd that support
+  mod_proxy with UDS
+  - Require httpd 2.4.6-31 with mod_proxy Unix socket support
+- Resolves: #1370512 Received ACIError instead of DuplicatedError in
+  stageuser_tests
+  - Raise DuplicatedEnrty error when user exists in delete_container
+- Resolves: #1371479 cert-find --all does not show information about revocation
+  - cert: add missing param values to cert-find output
+- Renamed patch 1011 to 0100, as it was merged upstream
 
-* Mon Jun 27 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.18
-- Resolves: #1350305 Multiple clients cannot join domain simultaneously:
+* Wed Aug 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-8
+- Resolves: #1298288 [RFE] Improve performance in large environments.
+  - cert: speed up cert-find
+- Resolves: #1317379 [EXPERIMENTAL][RFE] Web UI: allow Smart Card
+  authentication
+  - service: add flag to allow S4U2Self
+  - Add 'trusted to auth as user' checkbox
+  - Added new authentication method
+- Resolves: #1353881 ipa-replica-install suggests about
+  non-existent --force-ntpd option
+  - Don't show --force-ntpd option in replica install
+- Resolves: #1354441 DNS forwarder check is too strict: unable to add
+  sub-domain to already-broken domain
+  - DNS: allow to add forward zone to already broken sub-domain
+- Resolves: #1356146 performance regression in CLI help
+  - schema: Speed up schema cache
+  - frontend: Change doc, summary, topic and NO_CLI to class properties
+  - schema: Introduce schema cache format
+  - schema: Generate bits for help load them on request
+  - help: Do not create instances to get information about commands and topics
+  - schema cache: Do not reset ServerInfo dirty flag
+  - schema cache: Do not read fingerprint and format from cache
+  - Access data for help separately
+  - frontent: Add summary class property to CommandOverride
+  - schema cache: Read server info only once
+  - schema cache: Store API schema cache in memory
+  - client: Do not create instance just to check isinstance
+  - schema cache: Read schema instead of rewriting it when SchemaUpToDate
+- Resolves: #1360769 ipa-server-certinstall couldnt unlock private key file
+  - server install: do not prompt for cert file PIN repeatedly
+- Resolves: #1364113 ipa-password: ipa: ERROR: RuntimeError: Unable to create
+  cache directory: [Errno 13] Permission denied: '/home/test_user'
+  - schema: Speed up schema cache
+- Resolves: #1366604 `cert-find` crashes on invalid certificate data
+  - cert: do not crash on invalid data in cert-find
+- Resolves: #1366612 Middle replica uninstallation in line topology works
+  without '--ignore-topology-disconnect'
+  - Fail on topology disconnect/last role removal
+- Resolves: #1366626 caacl-add-service: incorrect error message when service
+  does not exists
+  - Fix ipa-caalc-add-service error message
+- Resolves: #1367022 The ipa-server-upgrade command failed when named-pkcs11
+  does not happen to run during dnf upgrade
+  - DNS server upgrade: do not fail when DNS server did not respond
+- Resolves: #1367759 [RFE] [webui] warn admin if there is only one IPA server
+  with CA
+  - Add warning about only one existing CA server
+  - Set servers list as default facet in topology facet group
+- Resolves: #1367773 thin client ignores locale change
+  - schema check: Check current client language against cached one
+
+* Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-7
+- Resolves: #1361119 UPN-based search for AD users does not match an entry in
+  slapi-nis map cache
+  - support multiple uid values in schema compatibility tree
+
+* Wed Aug 10 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-6
+- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
+  - Revert "spec: add conflict with bind-chroot to freeipa-server-dns"
+- Resolves: #1341249 Subsequent external CA installation fails
+  - install: fix external CA cert validation
+- Resolves: #1353831 ipa-server-install fails in container because of
+  hostnamectl set-hostname
+  - server-install: Fix --hostname option to always override api.env values
+  - install: Call hostnamectl set-hostname only if --hostname option is used
+- Resolves: #1356091 ipa-cacert-manage --help and man differ
+  - Improvements for the ipa-cacert-manage man and help
+- Resolves: #1360631 ipa-backup is not keeping the
+  /etc/tmpfiles.d/dirsrv-<instance>.conf
+  - ipa-backup: backup /etc/tmpfiles.d/dirsrv-<instance>.conf
+- Resolves: #1361047 ipa-replica-install --help usage line suggests the replica
+  file is needed
+  - Update ipa-replica-install documentation
+- Resolves: #1361545 ipa-client-install starts rhel-domainname.service but does
+  not rpm-require it
+  - client: RPM require initscripts to get *-domainname.service
+- Resolves: #1364197 caacl: error when instantiating rules with service
+  principals
+  - caacl: fix regression in rule instantiation
+- Resolves: #1364310 ipa otptoken-add bytes object has no attribute confirm
+  - parameters: move the `confirm` kwarg to Param
+- Resolves: #1364464 Topology graph: ca and domain adders shows question marks
+  instead of plus icon
+  - Fix unicode characters in ca and domain adders
+- Resolves: #1365083 Incomplete output returned for command ipa vault-add
+  - client: add missing output params to client-side commands
+- Resolves: #1365526 build fails during "make check"
+  - ipa-kdb: Fix unit test after packaging changes in krb5
+
+* Fri Aug  5 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-5
+- Resolves: #1353829 traceback message seen in ipaserver-uninstall.log file.
+  - Do not initialize API in ipa-client-automount uninstall
+- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin
+  client changes
+  - idrange: fix unassigned global variable
+- Resolves: #1360792 Migrating users doesn't update krbCanonicalName
+  - re-set canonical principal name on migrated users
+- Resolves: #1362012 ipa hbactest produces error about cannot concatenate 'str'
+  and 'bool' objects
+  - Fix ipa hbactest output
+- Resolves: #1362260 ipa vault-mod no longer allows defining salt
+  - vault: add missing salt option to vault_mod
+- Resolves: #1362312 ipa vault-retrieve internal error when using the wrong
+  public key
+  - vault: Catch correct exception in decrypt
+- Resolves: #1362537 ipa-server-install fails to create symlink from
+  /etc/ipa/kdcproxy/ to /etc/httpd/conf.d/
+  - Correct path to HTTPD's systemd service directory
+- Resolves: #1363756 Increase length of passwords generated by installer
+  - Increase default length of auto generated passwords
+
+* Fri Jul 29 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-4
+- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos
+  aliases)
+  - harden the check for trust namespace overlap in new principals
+- Resolves: #1351142 CLI is not using session cookies for communication with
+  IPA API
+  - Fix session cookies
+- Resolves: #1353888 Fix the help for ipa otp and other topics
+  - help: Add dnsserver commands to help topic 'dns'
+- Resolves: #1354406 host-del updatedns options complains about missing ptr
+  record for host
+  - Host-del: fix behavior of --updatedns and PTR records
+- Resolves: #1355718 ipa-replica-manage man page example output differs actual
+  command output
+  - Minor fix in ipa-replica-manage MAN page
+- Resolves: #1358229 Traceback message should be fixed, seen while editing
+  winsync migrated user information in Default trust view.
+  - baseldap: Fix MidairCollision instantiation during entry modification
+- Resolves: #1358849 CA replica install logs to wrong log file
+  - unite log file name of ipa-ca-install
+- Resolves: #1359130 ipa-server-install command fails to install IPA server.
+  - DNS Locations: fix update-system-records unpacking error
+- Resolves: #1359237 AVC on dirsrv config caused by IPA installer
+  - Use copy when replacing files to keep SELinux context
+- Resolves: #1359692 ipa-client-install join fail with traceback against
+  RHEL-6.8 ipa-server
+  - compat: fix ping call
+- Resolves: #1359738 ipa-replica-install --domain=<IPA primary domain> option
+  does not work
+  - replica-install: Fix --domain
+- Resolves: #1360778 Vault commands are available in CLI even when the server
+  does not support them
+  - Revert "Enable vault-* commands on client"
+  - client: fix hiding of commands which lack server support
+- Related: #1281704 Rebase to softhsm 2.1.0
+  - Remove the workaround for softhsm bug #1293340
+- Related: #1298288 [RFE] Improve performance in large environments.
+  - Create indexes for krbCanonicalName attribute
+
+* Fri Jul 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-3
+- Resolves: #1296140 Remove redhat-access-plugin-ipa support
+  - Obsolete and conflict redhat-access-plugin-ipa
+- Resolves: #1351119 Multiple issues while uninstalling ipa-server
+  - server uninstall fails to remove krb principals
+- Resolves: #1351758 ipa commands not showing expected error messages
+  - frontend: copy command arguments to output params on client
+  - Show full error message for selinuxusermap-add-hostgroup
+- Resolves: #1352883 Traceback on adding default automember group and hostgroup
+  set
+  - allow 'value' output param in commands without primary key
+- Resolves: #1353888 Fix the help for ipa otp and other topics
+  - schema: Fix subtopic -> topic mapping
+- Resolves: #1354348 ipa trustconfig-show throws internal error.
+  - allow 'value' output param in commands without primary key
+- Resolves: #1354381 ipa trust-add with raw option gives internal error.
+  - trust-add: handle `--all/--raw` options properly
+- Resolves: #1354493 Replica install fails with old IPA master
+  - DNS install: Ensure that DNS servers container exists
+- Resolves: #1354628 ipa hostgroup-add-member does not return error message
+  when adding itself as member
+  - frontend: copy command arguments to output params on client
+- Resolves: #1355856 ipa otptoken-add --type=totp gives internal error
+  - messages: specify message type for ResultFormattingError
+- Resolves: #1356063 "ipa radiusproxy-add" command needs to prompt to enter
+  secret key
+  - expose `--secret` option in radiusproxy-* commands
+  - prevent search for RADIUS proxy servers by secret
+- Resolves: #1356099 Bug in the ipapwd plugin
+  - Heap corruption in ipapwd plugin
+- Resolves: #1356899 com.redhat.idm.trust.fetch_domains need update after thin
+  client changes
+  - Use server API in com.redhat.idm.trust-fetch-domains oddjob helper
+- Resolves: #1356964 Renaming a user removes all of his principal aliases
+  - Preserve user principal aliases during rename operation
+
+* Fri Jul 15 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-2.1
+- Resolves: #1274524 [RFE] Qualify up to 60 IdM replicas
+- Resolves: #1320838 [RFE] Support IdM Client in a DNS domain controlled by AD
+- Related: #1356134 'kinit -E' does not work for IPA user
+
+* Thu Jul 14 2016 Petr Vobornik <pvoborni@redhat.com> - 4.4.0-2
+- Resolves: #1356102 Server uninstall does not stop tracking lightweight sub-CA
+  with certmonger
+  - uninstall: untrack lightweight CA certs
+- Resolves: #1351807 ipa-nis-manage config.get_dn missing
+  - ipa-nis-manage: Use server API to retrieve plugin status
+- Resolves: #1353452 ipa-compat-manage command failed,
+  exception: NotImplementedError: config.get_dn()
+  - ipa-compat-manage: use server API to retrieve plugin status
+- Resolves: #1353899 ipa-advise: object of type 'type' has no len()
+  - ipa-advise: correct handling of plugin namespace iteration
+- Resolves: #1356134 'kinit -E' does not work for IPA user
+  - kdb: check for local realm in enterprise principals
+- Resolves: #1353072 ipa unknown command vault-add
+  - Enable vault-* commands on client
+  - vault-add: set the default vault type on the client side if none was given
+- Resolves: #1353995 Default CA can be used without a CA ACL
+  - caacl: expand plugin documentation
+- Resolves: #1356144 host-find should not print SSH keys by default, only
+  SSH fingerprints
+  - host-find: do not show SSH key by default
+- Resolves: #1353506 ipa migrate-ds command fails for IPA in RHEL 7.3
+  - Removed unused method parameter from migrate-ds
+
+* Fri Jul  1 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-1
+- Resolves: #747612 [RFE] IPA should support and manage DNS sites
+- Resolves: #826790 Disabling password expiration (--maxlife=0 and --minlife=0)
+  in the default global_policy in IPA sets user's password expiration
+  (krbPasswordExpiration) to be 90 days
+- Resolves: #896699 ipa-replica-manage -H does not delete DNS SRV records
+- Resolves: #1084018 [RFE] Add IdM user password change support for legacy
+  client compat tree
+- Resolves: #1117306 [RFE] Allow multiple Principals per host entry (Kerberos
+  aliases)
+  - Fix incorrect check for principal type when evaluating CA ACLs
+- Resolves: #1146860 [RFE] Offer OTP generation for host enrollment in the UI
+- Resolves: #1238190 ipasam unable to lookup group in directory yet manual
+  search works
+- Resolves: #1250110 search by users which don't have read rights for all attrs
+  in search_attributes fails
+- Resolves: #1263764 Show Certificate displays in useless format
+- Resolves: #1272491 [WebUI] Certificate action dropdown does not display all
+  the options after adding new certificate
+- Resolves: #1292141 Rebase to FreeIPA 4.4+
+  - Rebase to 4.4.0
+- Resolves: #1294503 IPA fails to issue 3rd party certs
+- Resolves: #1298242 [RFE] API compatibility - compatibility of clients
+- Resolves: #1298848 [RFE] Centralized topology management
+- Resolves: #1298966 [RFE] Extend Smart Card support
+- Resolves: #1315146 Multiple clients cannot join domain simultaneously:
   /var/run/httpd/ipa/clientcaches race condition?
-  - mod_auth_gssapi: enable unique credential caches names
-- Related: #1347175 Multiple clients cannot join domain simultaneously:
-  /var/run/httpd/ipa/clientcaches race condition?
+- Resolves: #1318903 ipa server install failing when SUBCA signs the cert
+- Resolves: #1319003 ipa-winsync-migrate: Traceback should be fixed with proper
+  console output
+- Resolves: #1324055 IPA always qualify requests for admin
+- Resolves: #1328552 [RFE] Allow users to authenticate with alternative names
+- Resolves: #1334582 Inconsistent UI and CLI options for removing certificate
+  hold
+- Resolves: #1346321 Exclude o=ipaca subtree from Retro Changelog (syncrepl)
+- Resolves: #1349281 Fix `Conflicts` with ipa-python
+- Resolves: #1350695 execution of copy-schema script fails
+- Resolves: #1351118 upgrade failed for RHEL-7.3 from RHEL-7.2.z
+- Resolves: #1351153 AVC seen on Replica during ipa-server upgrade test
+  execution to 7.3
+- Resolves: #1351276 ipa-server-install with dns cannot resolve itself to
+  create ipa-ca entry
+- Related: #1343422 [RFE] Add GssapiImpersonate option
 
-* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.17
-- Resolves: #1339304 CA installed on replica is always marked as renewal master
-  - replica install: do not set CA renewal master flag
+* Wed Jun 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-0.2.alpha1
+- Resolves: #1348948 IPA server install fails with build
+  ipa-server-4.4.0-0.el7.1.alpha1
+  - Revert "Increased mod_wsgi socket-timeout"
 
-* Fri May 20 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.16
-- Resolves: #1337820 URI details missing and OCSP-URI details are incorrectly
+* Wed Jun 22 2016 Jan Cholasta <jcholast@redhat.com> - 4.4.0-0.1.alpha1
+- Resolves: #712109 "krbExtraData not allowed" is logged in DS error log while
+  setting password for default sudo binddn.
+- Resolves: #747612 [RFE] IPA should support and manage DNS sites
+- Resolves: #768316 [RFE] ipa-getkeytab should auto-detect the ipa server name
+- Resolves: #825391 [RFE] Replica installation should provide a means for
+  inheriting nssldap security access settings
+- Resolves: #921497 Incorrect *.py[co] files placement
+- Resolves: #1029640 RHEL7 IPA to add DNA Plugin config for dnaRemote support
+- Resolves: #1029905 389 DS cache sizes not replicated to IPA replicas
+- Resolves: #1196958 IPA replica installation failing with high number of users
+  (160000).
+- Resolves: #1219402 IPA suggests to uninstall a client when the user needs to
+  uninstall a replica
+- Resolves: #1224057 [RFE] TGS authorization decisions in KDC based on
+  Authentication Indicator
+- Resolves: #1234222 [WebUI] UI error message is not appropriate for "Kerberos
+  principal expiration"
+- Resolves: #1234223 [WebUI] General invalid password error message appearing
+  for "Locked user"
+- Resolves: #1254267 ipa-server-install failure applying ldap updates with
+  limits exceeded
+- Resolves: #1258626 realmdomains-mod --add-domain command throwing error when
+  doamin already is in forwardzone.
+- Resolves: #1259020 ipa-server-adtrust-install doesn't allow
+  NetBIOS-name=EXAMPLE-TEST.COM (dash character)
+- Resolves: #1260993 DNSSEC signing enablement on dnszone should throw error
+  message when DNSSEC master not installed
+- Resolves: #1262747 dnssec options missing in ipa-dns-install man page
+- Resolves: #1265900 Fail installation immediately after dirsrv fails to
+  install using ipa-server-install
+- Resolves: #1265915 idoverrideuser-find fails if any SID anchor is not
+  resolvable anymore
+- Resolves: #1268027 ipa-dnskeysync-replica crash with backtrace -
+  LimitsExceeded: limits exceeded for this query
+- Resolves: #1269089 Certificate of managed-by host/service fails to resubmit
+- Resolves: #1269200 ipa-server crashing while trying to preserve admin user
+- Resolves: #1271321 Reduce ioblocktimeout and idletimeout defaults
+- Resolves: #1271579 Automember rule expressions disappear from tables on
+  single expression delete
+- Resolves: #1275816 Incomplete ports for IPA ad-trust
+- Resolves: #1276351 [RFE] Remove
+  /usr/share/ipa/updates/50-lockout-policy.update file from IPA releases
+- Resolves: #1277109 Add tool tips for Revert, Refresh, Undo, and Undo All in
+  the IPA UI
+- Resolves: #1278426 Better error message needed for invalid ca-signing-algo
+  option
+- Resolves: #1279932 ipa-client-install --request-cert needs workaround in
+  anaconda chroot
+- Resolves: #1282521 Creating a user w/o private group fails when doing so in
+  WebUI
+- Resolves: #1283879 ipa-winsync-migrate: Traceback message should be replaced
+  by "IPA is not configured on this system"
+- Resolves: #1285071 ipa-kra-install fails on replica looking for admin cert
+  file
+- Resolves: #1287194 [RFE] Support of UPN for trusted domains
+- Resolves: #1288967 Normalize Manager entry in ipa user-add
+- Resolves: #1289487 Priority field missing in Password Policy detail tab
+- Resolves: #1291140 ipa client should configure kpasswd_server directive in
+  krb5.conf
+- Resolves: #1292141 Rebase to FreeIPA 4.4+
+  - Rebase to 4.4.0.alpha1
+- Resolves: #1298848 [RFE] Centralized topology management
+- Resolves: #1300576 Browser setup page includes instructions for Internet
+  Explorer
+- Resolves: #1301586 ipa host-del --updatedns should remove related dns
+  entries.
+- Resolves: #1304618 Residual Files After IPA Server Uninstall
+- Resolves: #1305144 ipa-python does not require its dependencies
+- Resolves: #1309700 Process /usr/sbin/winbindd was killed by signal 6
+- Resolves: #1313798 Console output post ipa-winsync-migrate command should be
+  corrected.
+- Resolves: #1314786 [RFE] External Trust with Active Directory domain
+- Resolves: #1319023 Include description for 'status' option in man page for
+  ipactl command.
+- Resolves: #1319912 ipa-server-install does not completely change hostname and
+  named-pkcs11 fails
+- Resolves: #1320891 IPA Error 3009: Validation error: Invalid 'ptrrecord':
+  Reverse zone in-addr.arpa. requires exactly 4 IP address compnents, 5 given
+- Resolves: #1327207 ipa cert-revoke --help doesn't provide enough info on
+  revocation reasons
+- Resolves: #1328549 "ipa-kra-install" command reports incorrect message when
+  it is executed on server already installed with KRA.
+- Resolves: #1329209 ipa-nis-manage enable: change service name from 'portmap'
+  to 'rpcbind'
+- Resolves: #1329275 ipa-nis-manage command should include status option
+- Resolves: #1330843 'man ipa' should be updated with latest commands
+- Resolves: #1333755 ipa cert-request causes internal server error while
+  requesting certificate
+- Resolves: #1337484 EOF is not handled for ipa-client-install command
+- Resolves: #1338031 Insufficient 'write' privilege on some attributes for the
+  members of the role which has "User Administrators" privilege.
+- Resolves: #1343142 IPA DNS should do better verification of DNS zones
+- Resolves: #1347928 Frontpage exposes runtime error with no cookies enabled in
+  browser
+
+* Wed May 25 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605241723GIT1b427d3.1
+- Resolves: #1339483 ipa-server-install fails with ERROR pkinit_cert_files
+  - Fix incorrect rebase of patch 1001
+
+* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605241723GIT1b427d3
+- Resolves: #1339233 CA installed on replica is always marked as renewal master
+- Related: #1292141 Rebase to FreeIPA 4.4+
+  - Rebase to 4.3.1.201605241723GIT1b427d3
+
+* Tue May 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605191449GITf8edf37.1
+- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install
+  because of missing dependencies
+  - Rebuild with krb5-1.14.1
+
+* Fri May 20 2016 Jan Cholasta <jcholast@redhat.com> - 4.3.1-0.201605191449GITf8edf37
+- Resolves: #837369 [RFE] Switch to client promotion to replica model
+- Resolves: #1199516 [RFE] Move replication topology to the shared tree
+- Resolves: #1206588 [RFE] Visualize FreeIPA server replication topology
+- Resolves: #1211602 Hide ipa-server-install KDC master password option (-P)
+- Resolves: #1212713 ipa-csreplica-manage: it could be nice to have also
+  list-ruv / clean-ruv / abort-clean-ruv for o=ipaca backend
+- Resolves: #1267206 ipa-server-install uninstall should warn if no
+  installation found
+- Resolves: #1295865 The Domain option is not correctly set in idmapd.conf when
+  ipa-client-automount is executed.
+- Resolves: #1327092 URI details missing and OCSP-URI details are incorrectly
   displayed when certificate generated using IPA on RHEL 7.2up2.
-  - Prevent replica install from overwriting cert profiles
-  - Detect and repair incorrect caIPAserviceCert config
+- Resolves: #1332809 ipa-server-4.2.0-15.el7_2.6.1.x86_64 fails to install
+  because of missing dependencies
+- Related: #1292141 Rebase to FreeIPA 4.4+
+  - Rebase to 4.3.1.201605191449GITf8edf37
 
-* Mon Apr 18 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.15
-- Related: #1327197 Crash during IPA upgrade due to slapd
-  - spec file: update minimum required version of slapi-nis
-
-* Wed Apr 06 2016 Alexander Bokovoy <abokovoy@redhat.com> - 4.2.0-15.14
-- Rebuild against newer Samba version
-- Related: #1322690
-
-* Tue Apr  5 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.13
-- Resolves: #1324060 Installers fail when there are multiple versions of the
-  same certificate
-  - certdb: never use the -r option of certutil
-
-* Thu Mar 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.12
-- Resolves: #1309382 issues with migration from RHEL 6 self-signed to RHEL 7 CA
-  IPA setup
-  - replica install: improvements in the handling of CA-related IPA config
-    entries
-
-* Thu Mar 17 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.11
-- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find
-  returns "0 trusts matched"
-  - Fix broken trust warnings
-
-* Wed Mar  2 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.10
-- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find
-  returns "0 trusts matched"
-  - Insure the admin_conn is disconnected on stop
-  - Fix connections to DS during installation
-- Renamed patch 1011 to 0196, as it was merged upstream
-
-* Wed Feb 24 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.9
-- Resolves: #1311468 shared certificateProfiles container is missing on a
-  freshly installed RHEL7.2 system
-  - upgrade: unconditional import of certificate profiles into LDAP
-- Resolves: #1311470 ipa trust-add succeded but after that ipa trust-find
-  returns "0 trusts matched"
-  - upgrade: fix config of sidgen and extdom plugins
-  - trusts: use ipaNTTrustPartner attribute to detect trust entries
-  - Warn user if trust is broken
-  - fix upgrade: wait for proper DS socket after DS restart
-- Resolves: #1311502 [RFE] compat tree: show AD members of IPA groups
-  - slapi-nis: update configuration to allow external members of IPA groups
-
-* Tue Feb 23 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.8
-- Resolves: #1303052 install fails when locale is "fr_FR.UTF-8"
-  - Do not decode HTTP reason phrase from Dogtag
-- Resolves: #1303059 --setup-dns and other options is forgotten for using an
-  external PKI
-  - installer: Propagate option values from components instead of copying them.
-  - installer: Fix logic of reading option values from cache.
-- Resolves: #1309362 User should be notified for wrong password in password
-  reset page
-  - Fixed login error message box in LoginScreen page
-- Resolves: #1309382 issues with migration from RHEL 6 self-signed to RHEL 7 CA
-  IPA setup
-  - ipa-ca-install: print more specific errors when CA is already installed
-  - cert renewal: import all external CA certs on IPA CA cert renewal
-  - CA install: explicitly set dogtag_version to 10
-  - fix standalone installation of externally signed CA on IPA master
-  - replica install: validate DS and HTTP server certificates
-
-* Mon Feb  8 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.7
-- Resolves: #1304333 In IPA-AD trust environment some secondary IPA based Posix
-  groups are missing
-  - ipa-kdb: map_groups() consider all results
-
-* Tue Feb  2 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.6
-- Resolves: #1298103 ipa-server-upgrade fails if certmonger is not running
-  - always start certmonger during IPA server configuration upgrade
-
-* Wed Jan 27 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.5
-- Resolves: #1298097 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using
+* Mon Apr 18 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-16
+- Resolves: #1277696 IPA certificate auto renewal fail with "Invalid
+  Credential"
+  - cert renewal: make renewal of ipaCert atomic
+- Resolves: #1278330 installer options are not validated at the beginning of
+  installation
+  - install: fix command line option validation
+- Resolves: #1282845 sshd_config change on ipa-client-install can prevent sshd
+  from starting up
+  - client install: do not corrupt OpenSSH config with Match sections
+- Resolves: #1282935 ipa upgrade causes vault internal error
+  - install: export KRA agent PEM file in ipa-kra-install
+- Resolves: #1283429 Default CA ACL rule is not created during
+  ipa-replica-install
+  - TLS and Dogtag HTTPS request logging improvements
+  - Avoid race condition caused by profile delete and recreate
+  - Do not erroneously reinit NSS in Dogtag interface
+  - Add profiles and default CA ACL on migration
+  - disconnect ldap2 backend after adding default CA ACL profiles
+  - do not disconnect when using existing connection to check default CA ACLs
+- Resolves: #1283430 ipa-kra-install: fails to apply updates
+  - suppress errors arising from adding existing LDAP entries during KRA
+    install
+- Resolves: #1283748 Caching of ipaconfig does not work in framework
+  - fix caching in get_ipa_config
+- Resolves: #1283943 IPA DNS Zone/DNS Forward Zone details missing after
+  upgrade from RHEL 7.0 to RHEL 7.2
+  - upgrade: fix migration of old dns forward zones
+  - Fix upgrade of forwardzones when zone is in realmdomains
+- Resolves: #1284413 ipa-cacert-manage renew fails on nonexistent ldap
+  connection
+  - ipa-cacert-renew: Fix connection to ldap.
+- Resolves: #1284414 ipa-otptoken-import fails on nonexistent ldap connection
+  - ipa-otptoken-import: Fix connection to ldap.
+- Resolves: #1286635 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using
   "yum update ipa* sssd"
   - Set minimal required version for openssl
-
-* Tue Jan 12 2016 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.4
-- Resolves: #1298097 IPA server upgrade fails from RHEL 7.0 to RHEL 7.2 using
-  "yum update ipa* sssd"
-  - Set minimal required version for openssl
-- Resolves: #1298098 ipa-nis-manage does not update ldap with all NIS maps
+- Resolves: #1286781 ipa-nis-manage does not update ldap with all NIS maps
   - Upgrade: Fix upgrade of NIS Server configuration
-- Resolves: #1298099 umask setting causes named-pkcs11 issue with directory
+- Resolves: #1289311 umask setting causes named-pkcs11 issue with directory
   permissions on /var/lib/ipa/dnssec
   - DNS: fix file permissions
   - Explicitly call chmod on newly created directories
   - Fix: replace mkdir with chmod
-- Resolves: #1298100 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison
+- Resolves: #1290142 Broken 7.2.0 to 7.2.z upgrade - flawed version comparison
   - Fix version comparison
   - use FFI call to rpmvercmp function for version comparison
-- Resolves: #1298101 Sysrestore did not restore state if a key is specified in
+- Resolves: #1292595 In IPA-AD trust environment some secondary IPA based Posix
+  groups are missing
+  - ipa-kdb: map_groups() consider all results
+- Resolves: #1293870 User should be notified for wrong password in password
+  reset page
+  - Fixed login error message box in LoginScreen page
+- Resolves: #1296196 Sysrestore did not restore state if a key is specified in
   mixed case
   - Allow to used mixed case for sysrestore
-- Resolves: #1298102 DNSSEC key purging is not handled properly
+- Resolves: #1296214 DNSSEC key purging is not handled properly
   - DNSSEC: Improve error reporting from ipa-ods-exporter
   - DNSSEC: Make sure that current state in OpenDNSSEC matches key state in
     LDAP
@@ -1343,57 +2090,50 @@
   - DNSSEC: ipa-ods-exporter: add ldap-cleanup command
   - DNSSEC: ipa-dnskeysyncd: call ods-signer ldap-cleanup on zone removal
   - DNSSEC: Log debug messages at log level DEBUG
-- Resolves: #1298103 ipa-server-upgrade fails if certmonger is not running
+- Resolves: #1296216 ipa-server-upgrade fails if certmonger is not running
   - prevent crash of CA-less server upgrade due to absent certmonger
-- Resolves: #1298104 The ipa -e skip_version_check=1 still issues
+  - always start certmonger during IPA server configuration upgrade
+- Resolves: #1297811 The ipa -e skip_version_check=1 still issues
   incompatibility error when called against RHEL 6 server
   - ipalib: assume version 2.0 when skip_version_check is enabled
-
-* Wed Nov 25 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.3
-- Resolves: #1284052 IPA DNS Zone/DNS Forward Zone details missing after
-  upgrade from RHEL 7.0 to RHEL 7.2
-  - Fix upgrade of forwardzones when zone is in realmdomains
-
-* Tue Nov 24 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.2
-- Resolves: #1283890 installer options are not validated at the beginning of
-  installation
-  - Fix incorrectly rebased patch 0144
-- Resolves: #1284803 Default CA ACL rule is not created during
-  ipa-replica-install
-  - disconnect ldap2 backend after adding default CA ACL profiles
-  - do not disconnect when using existing connection to check default CA ACLs
-
-* Tue Nov 24 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15.1
-- Resolves: #1283882 IPA certificate auto renewal fail with "Invalid
-  Credential"
-  - cert renewal: make renewal of ipaCert atomic
-- Resolves: #1283883 ipa upgrade causes vault internal error
-  - install: export KRA agent PEM file in ipa-kra-install
-- Resolves: #1283884 ipa-kra-install: fails to apply updates
-  - suppress errors arising from adding existing LDAP entries during KRA
-    install
-- Resolves: #1283890 installer options are not validated at the beginning of
-  installation
-  - install: fix command line option validation
-- Resolves: #1283915 Caching of ipaconfig does not work in framework
-  - fix caching in get_ipa_config
-- Resolves: #1284025 sshd_config change on ipa-client-install can prevent sshd
-  from starting up
-  - client install: do not corrupt OpenSSH config with Match sections
-- Resolves: #1284052 IPA DNS Zone/DNS Forward Zone details missing after
-  upgrade from RHEL 7.0 to RHEL 7.2
-  - upgrade: fix migration of old dns forward zones
-- Resolves: #1284803 Default CA ACL rule is not created during
-  ipa-replica-install
-  - TLS and Dogtag HTTPS request logging improvements
-  - Avoid race condition caused by profile delete and recreate
-  - Do not erroneously reinit NSS in Dogtag interface
-  - Add profiles and default CA ACL on migration
-- Resolves: #1284811 ipa-cacert-manage renew fails on nonexistent ldap
-  connection
-  - ipa-cacert-renew: Fix connection to ldap.
-- Resolves: #1284813 ipa-otptoken-import fails on nonexistent ldap connection
-  - ipa-otptoken-import: Fix connection to ldap.
+- Resolves: #1298289 install fails when locale is "fr_FR.UTF-8"
+  - Do not decode HTTP reason phrase from Dogtag
+- Resolves: #1300252 shared certificateProfiles container is missing on a
+  freshly installed RHEL7.2 system
+  - upgrade: unconditional import of certificate profiles into LDAP
+- Resolves: #1301674 --setup-dns and other options is forgotten for using an
+  external PKI
+  - installer: Propagate option values from components instead of copying them.
+  - installer: Fix logic of reading option values from cache.
+- Resolves: #1301687 issues with migration from RHEL 6 self-signed to RHEL 7 CA
+  IPA setup
+  - ipa-ca-install: print more specific errors when CA is already installed
+  - cert renewal: import all external CA certs on IPA CA cert renewal
+  - CA install: explicitly set dogtag_version to 10
+  - fix standalone installation of externally signed CA on IPA master
+  - replica install: validate DS and HTTP server certificates
+  - replica install: improvements in the handling of CA-related IPA config
+    entries
+- Resolves: #1301901 [RFE] compat tree: show AD members of IPA groups
+  - slapi-nis: update configuration to allow external members of IPA groups
+- Resolves: #1305533 ipa trust-add succeded but after that ipa trust-find
+  returns "0 trusts matched"
+  - upgrade: fix config of sidgen and extdom plugins
+  - trusts: use ipaNTTrustPartner attribute to detect trust entries
+  - Warn user if trust is broken
+  - fix upgrade: wait for proper DS socket after DS restart
+  - Insure the admin_conn is disconnected on stop
+  - Fix connections to DS during installation
+  - Fix broken trust warnings
+- Resolves: #1321092 Installers fail when there are multiple versions of the
+  same certificate
+  - certdb: never use the -r option of certutil
+- Related: #1317381 Crash during IPA upgrade due to slapd
+  - spec file: update minimum required version of slapi-nis
+- Related: #1322691 CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
+  CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws
+  [rhel-7.3]
+  - Rebuild against newer Samba version
 
 * Tue Oct 13 2015 Jan Cholasta <jcholast@redhat.com> - 4.2.0-15
 - Resolves: #1252556 Missing CLI param and ACL for vault service operations

--
Gitblit v1.8.0