From b7b64b11d50bd9e9b76fdc8e959ae75addadd5a3 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mar 29 2022 10:03:15 +0000 Subject: import ipa-4.9.8-6.module+el8.6.0+14300+0c339766 --- diff --git a/.gitignore b/.gitignore index 34c1a4e..d9c893f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/freeipa-4.9.6.tar.gz +SOURCES/freeipa-4.9.8.tar.gz diff --git a/.ipa.metadata b/.ipa.metadata index ab790ce..15ef586 100644 --- a/.ipa.metadata +++ b/.ipa.metadata @@ -1 +1 @@ -b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz +38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz diff --git a/README.debrand b/README.debrand deleted file mode 100644 index 01c46d2..0000000 --- a/README.debrand +++ /dev/null @@ -1,2 +0,0 @@ -Warning: This package was configured for automatic debranding, but the changes -failed to apply. diff --git a/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch new file mode 100644 index 0000000..943e986 --- /dev/null +++ b/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch @@ -0,0 +1,70 @@ +From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001 +From: Rafael Guterres Jeffman +Date: Fri, 10 Dec 2021 12:15:36 -0300 +Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils" + +This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda. +--- + freeipa.spec.in | 4 +--- + ipaplatform/base/paths.py | 2 +- + ipaplatform/fedora/paths.py | 1 + + ipaserver/dnssec/bindmgr.py | 1 - + 4 files changed, 3 insertions(+), 5 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 8f5c370e5..e20edb7bc 100755 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release} + Requires: bind-dyndb-ldap >= 11.2-2 + Requires: bind >= %{bind_version} + Requires: bind-utils >= %{bind_version} +-# bind-dnssec-utils is required by the OpenDNSSec integration +-# https://pagure.io/freeipa/issue/9026 +-Requires: bind-dnssec-utils >= %{bind_version} + %if %{with bind_pkcs11} + Requires: bind-pkcs11 >= %{bind_version} ++Requires: bind-pkcs11-utils >= %{bind_version} + %else + Requires: softhsm >= %{softhsm_version} + Requires: openssl-pkcs11 >= %{openssl_pkcs11_version} +diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py +index 7d21367ec..42a47f1df 100644 +--- a/ipaplatform/base/paths.py ++++ b/ipaplatform/base/paths.py +@@ -259,7 +259,7 @@ class BasePathNamespace: + IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key" + IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader" + IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running" +- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" ++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11" + GETSEBOOL = "/usr/sbin/getsebool" + GROUPADD = "/usr/sbin/groupadd" + USERMOD = "/usr/sbin/usermod" +diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py +index 4e993c063..92a948966 100644 +--- a/ipaplatform/fedora/paths.py ++++ b/ipaplatform/fedora/paths.py +@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace): + NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config" + if HAS_NFS_CONF: + SYSCONFIG_NFS = '/etc/nfs.conf' ++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel" + + + paths = FedoraPathNamespace() +diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py +index 0c79cc03d..a15c0e601 100644 +--- a/ipaserver/dnssec/bindmgr.py ++++ b/ipaserver/dnssec/bindmgr.py +@@ -127,7 +127,6 @@ class BINDMgr: + ) + cmd = [ + paths.DNSSEC_KEYFROMLABEL, +- '-E', 'pkcs11', + '-K', workdir, + '-a', attrs['idnsSecAlgorithm'][0], + '-l', uri +-- +2.31.1 + diff --git a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch deleted file mode 100644 index 22f37ad..0000000 --- a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch +++ /dev/null @@ -1,136 +0,0 @@ -From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Tue, 22 Jun 2021 14:36:51 +0200 -Subject: [PATCH] paths: add IPA_SERVER_CONF -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Related: https://pagure.io/freeipa/issue/8891 -Signed-off-by: François Cami -Reviewed-By: Stanislav Levin -Reviewed-By: Rob Crittenden ---- - ipaplatform/base/paths.py | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index 91423b332..de217d9ef 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -71,6 +71,7 @@ class BasePathNamespace: - IPA_DEFAULT_CONF = "/etc/ipa/default.conf" - IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab" - IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab" -+ IPA_SERVER_CONF = "/etc/ipa/server.conf" - DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf" - DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf" - DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so" --- -2.31.1 - -From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Tue, 22 Jun 2021 14:45:49 +0200 -Subject: [PATCH] ipatests: smoke test for server debug mode. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Add a smoke test to make sure the server can be set in debug mode -without issue. - -Related: https://pagure.io/freeipa/issue/8891 -Signed-off-by: François Cami -Reviewed-By: Stanislav Levin -Reviewed-By: Rob Crittenden ---- - .../test_integration/test_installation.py | 27 +++++++++++++++++++ - 1 file changed, 27 insertions(+) - -diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py -index 301767b8d..0c96536f0 100644 ---- a/ipatests/test_integration/test_installation.py -+++ b/ipatests/test_integration/test_installation.py -@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest): - def test_install_master(self): - tasks.install_master(self.master, setup_dns=False) - -+ @pytest.mark.skip_if_platform( -+ "debian", reason="This test hardcodes the httpd service name" -+ ) -+ def test_smoke_test_for_debug_mode(self): -+ """Test if an IPA server works in debug mode. -+ Related: https://pagure.io/freeipa/issue/8891 -+ -+ Note: this test hardcodes the "httpd" service name. -+ """ -+ -+ target_fname = paths.IPA_SERVER_CONF -+ assert not self.master.transport.file_exists(target_fname) -+ -+ # set the IPA server in debug mode -+ server_conf = "[global]\ndebug=True" -+ self.master.put_file_contents(target_fname, server_conf) -+ self.master.run_command(["systemctl", "restart", "httpd"]) -+ -+ # smoke test in debug mode -+ tasks.kdestroy_all(self.master) -+ tasks.kinit_admin(self.master) -+ self.master.run_command(["ipa", "user-show", "admin"]) -+ -+ # rollback -+ self.master.run_command(["rm", target_fname]) -+ self.master.run_command(["systemctl", "restart", "httpd"]) -+ - def test_schema_compat_attribute_and_tree_disable(self): - """Test if schema-compat-entry-attribute is set - --- -2.31.1 - -From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= -Date: Wed, 23 Jun 2021 06:35:19 +0200 -Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+ -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -perf_counter_ns is only available in Python 3.7 and later. -Define a lambda for 3.6 and lower. - -Fixes: https://pagure.io/freeipa/issue/8891 -Signed-off-by: François Cami -Reviewed-By: Stanislav Levin -Reviewed-By: Rob Crittenden ---- - ipaserver/rpcserver.py | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py -index b121316bf..e612528e0 100644 ---- a/ipaserver/rpcserver.py -+++ b/ipaserver/rpcserver.py -@@ -31,6 +31,7 @@ import os - import time - import traceback - from io import BytesIO -+from sys import version_info - from urllib.parse import parse_qs - from xmlrpc.client import Fault - -@@ -72,6 +73,10 @@ from requests.auth import AuthBase - if six.PY3: - unicode = str - -+# time.perf_counter_ns appeared in Python 3.7. -+if version_info < (3, 7): -+ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9) -+ - logger = logging.getLogger(__name__) - - HTTP_STATUS_SUCCESS = '200 Success' --- -2.31.1 - diff --git a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch deleted file mode 100644 index 81b6c45..0000000 --- a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch +++ /dev/null @@ -1,272 +0,0 @@ -From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001 -From: Antonio Torres -Date: Mon, 8 Mar 2021 18:15:50 +0100 -Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA - services - -Authentication indicators should not be enforced against internal -IPA services, since not all users of those services are able to produce -Kerberos tickets with all the auth indicator options. This includes -host, ldap, HTTP and cifs in IPA server and cifs in IPA clients. -If a client that is being promoted to replica has an auth indicator -in its host principal then the promotion is aborted. - -Fixes: https://pagure.io/freeipa/issue/8206 -Signed-off-by: Antonio Torres ---- - ipaserver/install/server/replicainstall.py | 13 ++++++++++++ - ipaserver/plugins/host.py | 5 ++++- - ipaserver/plugins/service.py | 24 ++++++++++++++++++++++ - 3 files changed, 41 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 73967a224..f1fb91036 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn): - )) - - -+def promotion_check_host_principal_auth_ind(conn, hostdn): -+ entry = conn.get_entry(hostdn, ['krbprincipalauthind']) -+ if 'krbprincipalauthind' in entry: -+ raise RuntimeError( -+ "Client cannot be promoted to a replica if the host principal " -+ "has an authentication indicator set." -+ ) -+ -+ - @common_cleanup - @preserve_enrollment_state - def promote_check(installer): -@@ -956,6 +965,10 @@ def promote_check(installer): - config.master_host_name, None) - - promotion_check_ipa_domain(conn, remote_api.env.basedn) -+ hostdn = DN(('fqdn', api.env.host), -+ api.env.container_host, -+ api.env.basedn) -+ promotion_check_host_principal_auth_ind(conn, hostdn) - - # Make sure that domain fulfills minimal domain level - # requirement -diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py -index eb1f8ef04..41fa933e2 100644 ---- a/ipaserver/plugins/host.py -+++ b/ipaserver/plugins/host.py -@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate, - LDAPAddAttributeViaOption, - LDAPRemoveAttributeViaOption) - from .service import ( -- validate_realm, normalize_principal, -+ validate_realm, validate_auth_indicator, normalize_principal, - set_certificate_attrs, ticket_flags_params, update_krbticketflags, - set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap, - rename_ipaallowedtoperform_to_ldap, revoke_certs) -@@ -735,6 +735,8 @@ class host_add(LDAPCreate): - update_krbticketflags(ldap, entry_attrs, attrs_list, options, False) - if 'krbticketflags' in entry_attrs: - entry_attrs['objectclass'].append('krbticketpolicyaux') -+ validate_auth_indicator(entry_attrs) -+ - return dn - - def post_callback(self, ldap, dn, entry_attrs, *keys, **options): -@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate): - if 'krbprincipalaux' not in (item.lower() for item in - entry_attrs['objectclass']): - entry_attrs['objectclass'].append('krbprincipalaux') -+ validate_auth_indicator(entry_attrs) - - add_sshpubkey_to_attrs_pre(self.context, attrs_list) - -diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py -index 1c9347804..cfbbff3c6 100644 ---- a/ipaserver/plugins/service.py -+++ b/ipaserver/plugins/service.py -@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal): - raise errors.RealmMismatch() - - -+def validate_auth_indicator(entry): -+ new_value = entry.get('krbprincipalauthind', None) -+ if not new_value: -+ return -+ # The following services are considered internal IPA services -+ # and shouldn't be allowed to have auth indicators. -+ # https://pagure.io/freeipa/issue/8206 -+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn) -+ principal = kerberos.Principal(pkey) -+ server = api.Command.server_find(principal.hostname)['result'] -+ if server: -+ prefixes = ("host", "cifs", "ldap", "HTTP") -+ else: -+ prefixes = ("cifs",) -+ if principal.service_name in prefixes: -+ raise errors.ValidationError( -+ name='krbprincipalauthind', -+ error=_('authentication indicators not allowed ' -+ 'in service "%s"' % principal.service_name) -+ ) -+ -+ - def normalize_principal(value): - """ - Ensure that the name in the principal is lower-case. The realm is -@@ -652,6 +674,7 @@ class service_add(LDAPCreate): - hostname) - - self.obj.validate_ipakrbauthzdata(entry_attrs) -+ validate_auth_indicator(entry_attrs) - - if not options.get('force', False): - # We know the host exists if we've gotten this far but we -@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate): - assert isinstance(dn, DN) - - self.obj.validate_ipakrbauthzdata(entry_attrs) -+ validate_auth_indicator(entry_attrs) - - # verify certificates - certs = entry_attrs.get('usercertificate') or [] --- -2.31.1 - -From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001 -From: Antonio Torres -Date: Mon, 8 Mar 2021 18:20:35 +0100 -Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal - IPA services - -Authentication indicators should not be added to internal IPA services, -since this can lead to a broken IPA setup. In case a client with -an auth indicator set in its host principal, promoting it to a replica -should fail. - -Related: https://pagure.io/freeipa/issue/8206 -Signed-off-by: Antonio Torres ---- - .../test_replica_promotion.py | 38 +++++++++++++++++++ - ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++ - ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++ - 3 files changed, 69 insertions(+) - -diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py -index 0a137dbdc..b9c56f775 100644 ---- a/ipatests/test_integration/test_replica_promotion.py -+++ b/ipatests/test_integration/test_replica_promotion.py -@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): - assert result.returncode == 1 - assert expected_err in result.stderr_text - -+ @replicas_cleanup -+ def test_install_with_host_auth_ind_set(self): -+ """ A client shouldn't be able to be promoted if it has -+ any auth indicator set in the host principal. -+ https://pagure.io/freeipa/issue/8206 -+ """ -+ -+ client = self.replicas[0] -+ # Configure firewall first -+ Firewall(client).enable_services(["freeipa-ldap", -+ "freeipa-ldaps"]) -+ -+ client.run_command(['ipa-client-install', '-U', -+ '--domain', self.master.domain.name, -+ '--realm', self.master.domain.realm, -+ '-p', 'admin', -+ '-w', self.master.config.admin_password, -+ '--server', self.master.hostname, -+ '--force-join']) -+ -+ tasks.kinit_admin(client) -+ -+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp', -+ client.hostname]) -+ -+ res = client.run_command(['ipa-replica-install', '-U', '-w', -+ self.master.config.dirman_password], -+ raiseonerr=False) -+ -+ client.run_command(['ipa', 'host-mod', '--auth-ind=', -+ client.hostname]) -+ -+ expected_err = ("Client cannot be promoted to a replica if the host " -+ "principal has an authentication indicator set.") -+ assert res.returncode == 1 -+ assert expected_err in res.stderr_text -+ -+ - @replicas_cleanup - def test_one_command_installation(self): - """ -diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py -index c66bbc865..9cfde3565 100644 ---- a/ipatests/test_xmlrpc/test_host_plugin.py -+++ b/ipatests/test_xmlrpc/test_host_plugin.py -@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test): - error=u'An IPA master host cannot be deleted or disabled')): - command() - -+ def test_try_add_auth_ind_master(self, this_host): -+ command = this_host.make_update_command({ -+ u'krbprincipalauthind': u'radius'}) -+ with raises_exact(errors.ValidationError( -+ name='krbprincipalauthind', -+ error=u'authentication indicators not allowed ' -+ 'in service "host"' -+ )): -+ command() -+ - - @pytest.mark.tier1 - class TestValidation(XMLRPC_test): -diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py -index 4c845938c..ed634a045 100644 ---- a/ipatests/test_xmlrpc/test_service_plugin.py -+++ b/ipatests/test_xmlrpc/test_service_plugin.py -@@ -25,6 +25,7 @@ from ipalib import api, errors - from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash - from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer - from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test -+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact - from ipatests.test_xmlrpc import objectclasses - from ipatests.test_xmlrpc.testcert import get_testcert, subject_base - from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn -@@ -1552,6 +1553,15 @@ def indicators_host(request): - return tracker.make_fixture(request) - - -+@pytest.fixture(scope='function') -+def this_host(request): -+ """Fixture for the current master""" -+ tracker = HostTracker(name=api.env.host.partition('.')[0], -+ fqdn=api.env.host) -+ tracker.exists = True -+ return tracker -+ -+ - @pytest.fixture(scope='function') - def indicators_service(request): - tracker = ServiceTracker( -@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test): - expected_updates={u'krbprincipalauthind': [u'radius']} - ) - -+ def test_update_indicator_internal_service(self, this_host): -+ command = this_host.make_command('service_mod', -+ 'ldap/' + this_host.fqdn, -+ **dict(krbprincipalauthind='otp')) -+ with raises_exact(errors.ValidationError( -+ name='krbprincipalauthind', -+ error=u'authentication indicators not allowed ' -+ 'in service "ldap"' -+ )): -+ command() -+ - - @pytest.fixture(scope='function') - def managing_host(request): --- -2.31.1 - diff --git a/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch b/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch new file mode 100644 index 0000000..f5f3cf3 --- /dev/null +++ b/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch @@ -0,0 +1,75 @@ +From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 15 Dec 2021 10:47:02 +0100 +Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied + +When ipa config-mod is called with the option --enable-sid, +the code needs to trap EmptyModlist exception (it is expected +that no LDAP attribute is modified by this operation). +The code had a flaw and was checking: + 'enable_sid' in options +instead of + options['enable_sid'] + +"'enable_sid' in options" always returns true as this option +is a Flag with a default value, hence always present even if +not specified on the command line. + +Fixes: https://pagure.io/freeipa/issue/9063 +Reviewed-By: Rob Crittenden +--- + ipaserver/plugins/config.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py +index eae401fc3..24446beb0 100644 +--- a/ipaserver/plugins/config.py ++++ b/ipaserver/plugins/config.py +@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate): + if (isinstance(exc, errors.EmptyModlist) and + call_func.__name__ == 'update_entry' and + ('ca_renewal_master_server' in options or +- 'enable_sid' in options)): ++ options['enable_sid'])): + return + + super(config_mod, self).exc_callback( +-- +2.34.1 + +From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Wed, 15 Dec 2021 10:51:05 +0100 +Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned + +Add a test to test_config_plugin, that calls ipa config-mod +with the same value as already present in LDAP. +The call must return EmptyModlist. + +Related: https://pagure.io/freeipa/issue/9063 +Reviewed-By: Rob Crittenden +--- + ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py +index e981bb4a0..a8ec9f0e5 100644 +--- a/ipatests/test_xmlrpc/test_config_plugin.py ++++ b/ipatests/test_xmlrpc/test_config_plugin.py +@@ -312,4 +312,13 @@ class test_config(Declarative): + 'value': None, + }, + ), ++ dict( ++ desc='Set the value to the already set value, no modifications', ++ command=( ++ 'config_mod', [], { ++ 'ipasearchrecordslimit': u'100', ++ }, ++ ), ++ expected=errors.EmptyModlist(), ++ ), + ] +-- +2.34.1 + diff --git a/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch b/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch new file mode 100644 index 0000000..f6cf756 --- /dev/null +++ b/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch @@ -0,0 +1,47 @@ +From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Wed, 26 Jan 2022 15:43:39 +0100 +Subject: [PATCH] Custodia: use a stronger encryption algo when exporting keys + +The Custodia key export handler is using the default's OpenSSL encryption +scheme for PKCS#12. + +This represents an issue when performing a migration from CentOS Stream 8 (C8S) +to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S +replica talks to the Custodia server on C8S source server. The later creates an +encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's +default encryption scheme, which is no longer supported on C9S. + +This commit enforces a stronger encryption algorigthm by adding following +arguments to the Custodia server handler: + +-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384 + +The new arguments enforce stronger PBEv2 instead of the insecure PBEv1. + +Fixes: https://pagure.io/freeipa/issue/9101 + +Signed-off-by: Francisco Trivino +Reviewed-By: Christian Heimes +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/secrets/handlers/pemfile.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py +index 4e8eff0e3..ad36bd020 100644 +--- a/ipaserver/secrets/handlers/pemfile.py ++++ b/ipaserver/secrets/handlers/pemfile.py +@@ -31,6 +31,9 @@ def export_key(args, tmpdir): + '-out', pk12file, + '-inkey', args.keyfile, + '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile), ++ '-keypbe', 'AES-256-CBC', ++ '-certpbe', 'AES-256-CBC', ++ '-macalg', 'sha384', + ]) + + with open(pk12file, 'rb') as f: +-- +2.34.1 + diff --git a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch deleted file mode 100644 index 7934afd..0000000 --- a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 5 Jul 2021 09:51:41 +0200 -Subject: [PATCH] stageuser: add ipauserauthtypeclass when required - -The command -ipa stageuser-add --user-auth-type=xxx -is currently failing because the objectclass ipauserauthtypeclass -is missing from the created entry. - -There is code adding the missing objectclass in the -pre_common_callback method of user_add, and this code should -be common to user_add and stageuser_add. In order to avoid code -duplication, it makes more sense to move the existing code to -pre_common_callback of baseuser_add, that is called by both -classes. - -Fixes: https://pagure.io/freeipa/issue/8909 -Reviewed-By: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipaserver/plugins/baseuser.py | 3 +++ - ipaserver/plugins/user.py | 4 ---- - 2 files changed, 3 insertions(+), 4 deletions(-) - -diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py -index ae16a978a..6035228f1 100644 ---- a/ipaserver/plugins/baseuser.py -+++ b/ipaserver/plugins/baseuser.py -@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate): - if entry_attrs.get('ipatokenradiususername', None): - add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn, - entry_attrs, update=False) -+ if entry_attrs.get('ipauserauthtype', None): -+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn, -+ entry_attrs, update=False) - - def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options): - assert isinstance(dn, DN) -diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py -index 6f7facb53..e4ee572b2 100644 ---- a/ipaserver/plugins/user.py -+++ b/ipaserver/plugins/user.py -@@ -617,10 +617,6 @@ class user_add(baseuser_add): - 'ipauser' not in entry_attrs['objectclass']: - entry_attrs['objectclass'].append('ipauser') - -- if 'ipauserauthtype' in entry_attrs and \ -- 'ipauserauthtypeclass' not in entry_attrs['objectclass']: -- entry_attrs['objectclass'].append('ipauserauthtypeclass') -- - rcl = entry_attrs.get('ipatokenradiusconfiglink', None) - if rcl: - if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']: --- -2.31.1 - -From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 5 Jul 2021 10:22:31 +0200 -Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type - -Related: https://pagure.io/freeipa/issue/8909 -Reviewed-By: Rob Crittenden -Reviewed-By: Alexander Bokovoy ---- - ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py -index 5586fc607..bc606b093 100644 ---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py -+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py -@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test): - result = command() - assert result['count'] == 1 - -+ def test_create_withuserauthtype(self, stageduser): -+ stageduser.ensure_missing() -+ command = stageduser.make_create_command( -+ options={u'ipauserauthtype': u'password'}) -+ command() -+ - - @pytest.mark.tier1 - class TestCreateInvalidAttributes(XMLRPC_test): --- -2.31.1 - diff --git a/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch b/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch new file mode 100644 index 0000000..1e342e5 --- /dev/null +++ b/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch @@ -0,0 +1,122 @@ +From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 1 Feb 2022 16:43:09 +0100 +Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users + +Since 5d51ae5, principal keys were dropped in case user auth indicator +was not including password. Thereafter, the key removal behavior was +removed by 15ff9c8 in the context of the kdcpolicy plugin introduction. +Support for hardened pre-auth methods (FAST and SPAKE) was added in +d057040, and the removal of principal keys was restored afterwards by +f0d12b7, but not taking the new hardened auth indicator into account. + +Fixes: https://pagure.io/freeipa/issue/9065 +Related to: https://pagure.io/freeipa/issue/8001 + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++----------- + 1 file changed, 12 insertions(+), 11 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c +index 15f3df4fe..0d0d3748c 100644 +--- a/daemons/ipa-kdb/ipa_kdb_principals.c ++++ b/daemons/ipa-kdb/ipa_kdb_principals.c +@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext, + &res_key_data, &result, &mkvno); + switch (ret) { + case 0: +- /* Only set a principal's key if password auth can be used. Otherwise +- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH +- * reply for AS-REQs which indicate the password authentication is +- * available. This might confuse applications like e.g. SSSD which try +- * to determine suitable authentication methods and corresponding +- * prompts with the help of MIT Kerberos' responder interface which +- * acts on the returned pre-authentication methods. A typical example +- * is enforced OTP authentication where of course keys are available +- * for the first factor but password authentication should not be +- * advertised by the KDC. */ +- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) { ++ /* Only set a principal's key if password or hardened auth can be used. ++ * Otherwise the KDC would add pre-authentication methods to the ++ * NEEDED_PREAUTH reply for AS-REQs which indicate the password ++ * authentication is available. This might confuse applications like ++ * e.g. SSSD which try to determine suitable authentication methods and ++ * corresponding prompts with the help of MIT Kerberos' responder ++ * interface which acts on the returned pre-authentication methods. A ++ * typical example is enforced OTP authentication where of course keys ++ * are available for the first factor but password authentication ++ * should not be advertised by the KDC. */ ++ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) && ++ (ua != IPADB_USER_AUTH_NONE)) { + /* This is the same behavior as ENOENT below. */ + ipa_krb5_free_key_data(res_key_data, result); + break; +-- +2.34.1 + +From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001 +From: Julien Rische +Date: Tue, 1 Feb 2022 19:38:29 +0100 +Subject: [PATCH] ipatests: add case for hardened-only ticket policy + +Signed-off-by: Julien Rische +Reviewed-By: Alexander Bokovoy +Reviewed-By: Francisco Trivino +--- + ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++-- + 1 file changed, 28 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py +index 63e75ae67..9489fbc97 100644 +--- a/ipatests/test_integration/test_krbtpolicy.py ++++ b/ipatests/test_integration/test_krbtpolicy.py +@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest): + result = master.run_command('klist | grep krbtgt') + assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True + +- def test_krbtpolicy_hardended(self): +- """Test a hardened kerberos ticket policy with 10 min tickets""" ++ def test_krbtpolicy_password_and_hardended(self): ++ """Test a pwd and hardened kerberos ticket policy with 10min tickets""" + master = self.master + master.run_command(['ipa', 'user-mod', USER1, + '--user-auth-type', 'password', +@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest): + result = master.run_command('klist | grep krbtgt') + assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True + ++ def test_krbtpolicy_hardended(self): ++ """Test a hardened kerberos ticket policy with 30min tickets""" ++ master = self.master ++ master.run_command(['ipa', 'user-mod', USER1, ++ '--user-auth-type', 'hardened']) ++ master.run_command(['ipa', 'config-mod', ++ '--user-auth-type', 'hardened']) ++ master.run_command(['ipa', 'krbtpolicy-mod', USER1, ++ '--hardened-maxlife', '1800']) ++ ++ tasks.kdestroy_all(master) ++ ++ master.run_command(['kinit', USER1], ++ stdin_text=PASSWORD + '\n') ++ result = master.run_command('klist | grep krbtgt') ++ assert maxlife_within_policy(result.stdout_text, 1800, ++ slush=1800) is True ++ ++ tasks.kdestroy_all(master) ++ ++ # Verify that the short policy only applies to USER1 ++ master.run_command(['kinit', USER2], ++ stdin_text=PASSWORD + '\n') ++ result = master.run_command('klist | grep krbtgt') ++ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True ++ + def test_krbtpolicy_password(self): + """Test the kerberos ticket policy which issues 20 min tickets""" + master = self.master +-- +2.34.1 + diff --git a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch deleted file mode 100644 index 83182ce..0000000 --- a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Wed, 7 Jul 2021 14:11:40 +0200 -Subject: [PATCH] man page: update ipa-server-upgrade.1 - -The man page needs to clarify in which case the command needs -to be run. - -Fixes: https://pagure.io/freeipa/issue/8913 -Reviewed-By: Francois Cami ---- - install/tools/man/ipa-server-upgrade.1 | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1 -index 3db19b0f1..f01e21c6b 100644 ---- a/install/tools/man/ipa-server-upgrade.1 -+++ b/install/tools/man/ipa-server-upgrade.1 -@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server - .SH "SYNOPSIS" - ipa\-server\-upgrade [options] - .SH "DESCRIPTION" --ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users. -+ipa\-server\-upgrade is executed automatically to upgrade IPA server when -+the IPA packages are being updated. It is not intended to be executed by -+end\-users, unless the automatic execution reports an error. In this case, -+the administrator needs to identify and fix the issue that is causing the -+upgrade failure (with the help of /var/log/ipaupgrade.log) -+and manually re\-run ipa\-server\-upgrade. - - ipa\-server\-upgrade will: - --- -2.31.1 - diff --git a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch deleted file mode 100644 index 069d106..0000000 --- a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Mon, 12 Jul 2021 11:02:10 -0400 -Subject: [PATCH] Fall back to krbprincipalname when validating host auth - indicators - -When adding a new host the principal cannot be determined because it -relies on either: - -a) an entry to already exist -b) krbprincipalname be a component of the dn - -As a result the full dn is being passed into ipapython.Kerberos -which can't parse it. - -Look into the entry in validate_validate_auth_indicator() for -krbprincipalname in this case. - -https://pagure.io/freeipa/issue/8206 - -Signed-off-by: Rob Crittenden -Reviewed-By: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/plugins/service.py | 5 +++++ - ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++ - 2 files changed, 16 insertions(+) - -diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py -index cfbbff3c6..498f5e444 100644 ---- a/ipaserver/plugins/service.py -+++ b/ipaserver/plugins/service.py -@@ -209,6 +209,11 @@ def validate_auth_indicator(entry): - # and shouldn't be allowed to have auth indicators. - # https://pagure.io/freeipa/issue/8206 - pkey = api.Object['service'].get_primary_key_from_dn(entry.dn) -+ if pkey == str(entry.dn): -+ # krbcanonicalname may not be set yet if this is a host entry, -+ # try krbprincipalname -+ if 'krbprincipalname' in entry: -+ pkey = entry['krbprincipalname'] - principal = kerberos.Principal(pkey) - server = api.Command.server_find(principal.hostname)['result'] - if server: -diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py -index 9cfde3565..ff50e796c 100644 ---- a/ipatests/test_xmlrpc/test_host_plugin.py -+++ b/ipatests/test_xmlrpc/test_host_plugin.py -@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test): - )): - command() - -+ def test_add_non_master_with_auth_ind(self, host5): -+ host5.ensure_missing() -+ command = host5.make_command( -+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'], -+ force=True -+ ) -+ result = command() -+ # The fact that the command succeeds exercises the change but -+ # let's check the indicator as well. -+ assert result['result']['krbprincipalauthind'] == ('radius',) -+ - - @pytest.mark.tier1 - class TestValidation(XMLRPC_test): --- -2.31.1 - diff --git a/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch b/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch new file mode 100644 index 0000000..3ac05fa --- /dev/null +++ b/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch @@ -0,0 +1,44 @@ +From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Fri, 28 Jan 2022 16:58:42 +0100 +Subject: [PATCH] ipa-pki-proxy.conf: provide access to + /kra/admin/kra/getStatus + +The access to /kra/admin/kra/getStatus will be needed +in order to fix pki-healthcheck. +Note that this commit is a pre-requisite for the fix +to be done on PKI side. No test added since the full +integration test already exists in test_replica_promotion.py, +in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica + +Fixes: https://pagure.io/freeipa/issue/9099 +Related: https://pagure.io/freeipa/issue/8582 + +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +--- + install/share/ipa-pki-proxy.conf.template | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template +index 96708482c..7a46f20b9 100644 +--- a/install/share/ipa-pki-proxy.conf.template ++++ b/install/share/ipa-pki-proxy.conf.template +@@ -1,4 +1,4 @@ +-# VERSION 16 - DO NOT REMOVE THIS LINE ++# VERSION 17 - DO NOT REMOVE THIS LINE + + ProxyRequests Off + +@@ -11,7 +11,7 @@ ProxyRequests Off + + + # matches for admin port and installer +- ++ + SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + SSLVerifyClient none + ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET +-- +2.34.1 + diff --git a/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch b/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch new file mode 100644 index 0000000..14d1f0c --- /dev/null +++ b/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch @@ -0,0 +1,755 @@ +From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001 +From: Sumedh Sidhaye +Date: Fri, 14 Jan 2022 19:55:13 +0530 +Subject: [PATCH] Added test automation for SHA384withRSA CSR support + +Scenario 1: +Setup master with --ca-signing-algorithm=SHA384withRSA +Run certutil and check Signing Algorithm + +Scenario 2: +Setup a master +Stop services +Modify default.params.signingAlg in CS.cfg +Restart services +Resubmit cert (Resubmitted cert should have new Algorithm) + +Pagure Link: https://pagure.io/freeipa/issue/8906 + +Signed-off-by: Sumedh Sidhaye +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Rob Crittenden +Reviewed-By: Antonio Torres +--- + .../test_integration/test_installation.py | 63 +++++++++++++++++++ + 1 file changed, 63 insertions(+) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 0947241ae..f2d372c0c 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks + from ipatests.pytest_ipa.integration.env_config import get_global_config + from ipatests.test_integration.base import IntegrationTest + from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup ++from ipatests.test_integration.test_cert import get_certmonger_fs_id + from ipaplatform import services + + +@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest): + tasks.install_replica( + self.master, self.replicas[0], setup_ca=False, setup_dns=False + ) ++ ++ ++class TestInstallwithSHA384withRSA(IntegrationTest): ++ num_replicas = 0 ++ ++ def test_install_master_withalgo_sha384withrsa(self, server_cleanup): ++ tasks.install_master( ++ self.master, ++ extra_args=['--ca-signing-algorithm=SHA384withRSA'], ++ ) ++ ++ # check Signing Algorithm post installation ++ dashed_domain = self.master.domain.realm.replace(".", '-') ++ cmd_args = ['certutil', '-L', '-d', ++ '/etc/dirsrv/slapd-{}/'.format(dashed_domain), ++ '-n', 'Server-Cert'] ++ result = self.master.run_command(cmd_args) ++ assert 'SHA-384 With RSA Encryption' in result.stdout_text ++ ++ def test_install_master_modify_existing(self, server_cleanup): ++ """ ++ Setup a master ++ Stop services ++ Modify default.params.signingAlg in CS.cfg ++ Restart services ++ Resubmit cert (Resubmitted cert should have new Algorithm) ++ """ ++ tasks.install_master(self.master) ++ self.master.run_command(['ipactl', 'stop']) ++ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH, ++ encoding='utf-8') ++ new_lines = [] ++ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA" ++ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA" ++ for line in cs_cfg_content.split('\n'): ++ if line.startswith('ca.signing.defaultSigningAlgorithm'): ++ new_lines.append(replace_str) ++ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'): ++ new_lines.append(ocsp_rep_str) ++ else: ++ new_lines.append(line) ++ self.master.put_file_contents(paths.CA_CS_CFG_PATH, ++ '\n'.join(new_lines)) ++ self.master.run_command(['ipactl', 'start']) ++ ++ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM] ++ result = self.master.run_command(cmd) ++ request_id = get_certmonger_fs_id(result.stdout_text) ++ ++ # resubmit RA Agent cert ++ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM] ++ self.master.run_command(cmd) ++ ++ tasks.wait_for_certmonger_status(self.master, ++ ('CA_WORKING', 'MONITORING'), ++ request_id) ++ ++ cmd_args = ['openssl', 'x509', '-in', ++ paths.RA_AGENT_PEM, '-noout', '-text'] ++ result = self.master.run_command(cmd_args) ++ assert_str = 'Signature Algorithm: sha384WithRSAEncryption' ++ assert assert_str in result.stdout_text +-- +2.34.1 + +From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001 +From: Sumedh Sidhaye +Date: Thu, 25 Nov 2021 17:48:20 +0530 +Subject: [PATCH] Extend test to see if replica is not shown when running + `ipa-replica-manage list -v ` + +Related: https://pagure.io/freeipa/issue/8605 + +Signed-off-by: Sumedh Sidhaye +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_simple_replication.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py +index 8de385144..17092a499 100644 +--- a/ipatests/test_integration/test_simple_replication.py ++++ b/ipatests/test_integration/test_simple_replication.py +@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest): + # has to be run with --force, there is no --unattended + self.master.run_command(['ipa-replica-manage', 'del', + self.replicas[0].hostname, '--force']) +- result = self.master.run_command(['ipa-replica-manage', 'list']) ++ result = self.master.run_command( ++ ['ipa-replica-manage', 'list', '-v', self.master.hostname]) + assert self.replicas[0].hostname not in result.stdout_text +-- +2.34.1 + +From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Fri, 26 Nov 2021 12:11:21 +0530 +Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica + teardown + +Fixture `expire_certs` moves date back after renewing the certs. +This is causing the ipa-replica to fail. This fix first uninstalls +the server then moves back the date. + +Fixes: https://pagure.io/freeipa/issue/9052 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py +index 39904d5de..5b56054b4 100644 +--- a/ipatests/test_integration/test_ipa_cert_fix.py ++++ b/ipatests/test_integration/test_ipa_cert_fix.py +@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest): + setup_dns=False, extra_args=['--no-ntp'] + ) + ++ @classmethod ++ def uninstall(cls, mh): ++ # Uninstall method is empty as the uninstallation is done in ++ # the fixture ++ pass ++ + @pytest.fixture + def expire_certs(self): + # move system date to expire certs +@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest): + yield + + # move date back on replica and master +- for host in self.master, self.replicas[0]: ++ for host in self.replicas[0], self.master: ++ tasks.uninstall_master(host) + tasks.move_date(host, 'start', '-3years-1days') + + def test_renew_expired_cert_replica(self, expire_certs): +-- +2.34.1 + +From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 13 Dec 2021 17:37:05 +0530 +Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit. + +related : https://pagure.io/freeipa/issue/8962 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_installation.py | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index 95cfaad54..0947241ae 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest): + ) + assert "nsslapd-db-locks" not in result.stdout_text + ++ def test_nsslapd_sizelimit(self): ++ """ Test for default value of nsslapd-sizelimit. ++ ++ Related : https://pagure.io/freeipa/issue/8962 ++ """ ++ result = tasks.ldapsearch_dm( ++ self.master, ++ "cn=config", ++ ["nsslapd-sizelimit"], ++ scope="base" ++ ) ++ assert "nsslapd-sizelimit: 100000" in result.stdout_text ++ + def test_admin_root_alias_CVE_2020_10747(self): + # Test for CVE-2020-10747 fix + # https://bugzilla.redhat.com/show_bug.cgi?id=1810160 +-- +2.34.1 + +From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 25 Nov 2021 13:10:05 +0530 +Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to + segfault + +When empty cert request is submitted to certmonger, it goes to +segfault. This fix test that if something like this happens, +certmonger should gracefuly handle it + +and some PEP8 fixes + +related: https://pagure.io/certmonger/issue/191 + +Signed-off-by: Mohammad Rizwan +--- + ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++- + 1 file changed, 78 insertions(+), 1 deletion(-) + +diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py +index 5ffb8c608..0518d7954 100644 +--- a/ipatests/test_integration/test_cert.py ++++ b/ipatests/test_integration/test_cert.py +@@ -14,6 +14,7 @@ import random + import re + import string + import time ++import textwrap + + from ipaplatform.paths import paths + from ipapython.dn import DN +@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest): + tasks.kinit_admin(self.master) + tasks.user_add(self.master, user) + +- for id in (0,1): ++ for id in (0, 1): + csr_file = f'{id}.csr' + key_file = f'{id}.key' + cert_file = f'{id}.crt' +@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest): + error_msg = 'ipa: ERROR: The certificate for ' \ + '{} is not available on this server.'.format(lwca) + assert error_msg in result.stderr_text ++ ++ def test_certmonger_empty_cert_not_segfault(self): ++ """Test empty cert request doesn't force certmonger to segfault ++ ++ Test scenario: ++ create a cert request file in /var/lib/certmonger/requests which is ++ missing most of the required information, and ask request a new ++ certificate to certmonger. The wrong request file should not make ++ certmonger crash. ++ ++ related: https://pagure.io/certmonger/issue/191 ++ """ ++ empty_cert_req_content = textwrap.dedent(""" ++ id=dogtag-ipa-renew-agent ++ key_type=UNSPECIFIED ++ key_gen_type=UNSPECIFIED ++ key_size=0 ++ key_gen_size=0 ++ key_next_type=UNSPECIFIED ++ key_next_gen_type=UNSPECIFIED ++ key_next_size=0 ++ key_next_gen_size=0 ++ key_preserve=0 ++ key_storage_type=NONE ++ key_perms=0 ++ key_requested_count=0 ++ key_issued_count=0 ++ cert_storage_type=FILE ++ cert_perms=0 ++ cert_is_ca=0 ++ cert_ca_path_length=0 ++ cert_no_ocsp_check=0 ++ last_need_notify_check=19700101000000 ++ last_need_enroll_check=19700101000000 ++ template_is_ca=0 ++ template_ca_path_length=-1 ++ template_no_ocsp_check=0 ++ state=NEED_KEY_PAIR ++ autorenew=0 ++ monitor=0 ++ submitted=19700101000000 ++ """) ++ # stop certmonger service ++ self.master.run_command(['systemctl', 'stop', 'certmonger']) ++ ++ # place an empty cert request file to certmonger request dir ++ self.master.put_file_contents( ++ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), ++ empty_cert_req_content ++ ) ++ ++ # start certmonger, it should not fail ++ self.master.run_command(['systemctl', 'start', 'certmonger']) ++ ++ # request a new cert, should succeed and certmonger doesn't goes ++ # to segfault ++ result = self.master.run_command([ ++ "ipa-getcert", "request", ++ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"), ++ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"), ++ ]) ++ request_id = re.findall(r'\d+', result.stdout_text) ++ ++ # check if certificate is in MONITORING state ++ status = tasks.wait_for_request(self.master, request_id[0], 50) ++ assert status == "MONITORING" ++ ++ self.master.run_command( ++ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]] ++ ) ++ self.master.run_command([ ++ 'rm', '-rf', ++ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'), ++ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'), ++ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key') ++ ]) +-- +2.34.1 + +From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Mon, 6 Dec 2021 20:50:01 +0530 +Subject: [PATCH] ipatests: webui: Tests for subordinate ids. + +Added web-ui tests to verify where operations +using subordinate ids are working as expected. + +Related : https://pagure.io/freeipa/issue/8361 + +Signed-off-by: Anuja More +Reviewed-By: Michal Polovka +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++ + ipatests/test_webui/ui_driver.py | 28 ++++++ + 2 files changed, 169 insertions(+) + create mode 100644 ipatests/test_webui/test_subid.py + +diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py +new file mode 100644 +index 000000000..26decdba0 +--- /dev/null ++++ b/ipatests/test_webui/test_subid.py +@@ -0,0 +1,141 @@ ++ ++""" ++Tests for subordinateid. ++""" ++ ++from ipatests.test_webui.ui_driver import UI_driver ++import ipatests.test_webui.data_config as config_data ++import ipatests.test_webui.data_user as user_data ++from ipatests.test_webui.ui_driver import screenshot ++import re ++ ++ ++class test_subid(UI_driver): ++ ++ def add_user(self, pkey, name, surname): ++ self.add_record('user', { ++ 'pkey': pkey, ++ 'add': [ ++ ('textbox', 'uid', pkey), ++ ('textbox', 'givenname', name), ++ ('textbox', 'sn', surname), ++ ] ++ }) ++ ++ def set_default_subid(self): ++ self.navigate_to_entity(config_data.ENTITY) ++ self.check_option('ipauserdefaultsubordinateid', 'checked') ++ self.facet_button_click('save') ++ ++ def get_user_count(self, user_pkey): ++ self.navigate_to_entity('subid', facet='search') ++ self.apply_search_filter(user_pkey) ++ self.wait_for_request() ++ return self.get_rows() ++ ++ @screenshot ++ def test_set_defaultsubid(self): ++ """ ++ Test to verify that enable/disable is working for ++ adding subids to new users. ++ """ ++ self.init_app() ++ self.add_record(user_data.ENTITY, user_data.DATA2) ++ self.navigate_to_entity(config_data.ENTITY) ++ # test subid can be enabled/disabled. ++ self.set_default_subid() ++ assert self.get_field_checked('ipauserdefaultsubordinateid') ++ self.set_default_subid() ++ assert not self.get_field_checked('ipauserdefaultsubordinateid') ++ ++ @screenshot ++ def test_user_defaultsubid(self): ++ """ ++ Test to verify that subid is generated for new user. ++ """ ++ self.init_app() ++ user_pkey = "some-user" ++ ++ self.set_default_subid() ++ assert self.get_field_checked('ipauserdefaultsubordinateid') ++ ++ before_count = self.get_user_count(user_pkey) ++ assert len(before_count) == 0 ++ ++ self.add_user(user_pkey, 'Some', 'User') ++ after_count = self.get_user_count(user_pkey) ++ assert len(after_count) == 1 ++ ++ @screenshot ++ def test_user_subid_mod_desc(self): ++ """ ++ Test to verify that auto-assigned subid description is modified. ++ """ ++ self.init_app() ++ self.navigate_to_record("some-user") ++ self.switch_to_facet('memberof_subid') ++ rows = self.get_rows() ++ self.navigate_to_row_record(rows[-1]) ++ self.fill_textbox("description", "some-user-subid-desc") ++ self.facet_button_click('save') ++ ++ @screenshot ++ def test_admin_subid(self): ++ """ ++ Test to verify that subid range is created with owner admin. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ self.facet_button_click('add') ++ self.select_combobox('ipaowner', 'admin') ++ self.dialog_button_click('add') ++ self.wait(0.3) ++ self.assert_no_error_dialog() ++ ++ @screenshot ++ def test_admin_subid_negative(self): ++ """ ++ Test to verify that readding the subid fails with error. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ self.facet_button_click('add') ++ self.select_combobox('ipaowner', 'admin') ++ self.dialog_button_click('add') ++ self.wait(0.3) ++ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog') ++ text = self.get_text('.modal-body div p', err_dialog) ++ text = text.strip() ++ pattern = r'Subordinate id with with name .* already exists.' ++ assert re.search(pattern, text) is not None ++ self.close_all_dialogs() ++ ++ @screenshot ++ def test_user_subid_add(self): ++ """ ++ Test to verify that subid range is created for given user. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ before_count = self.get_rows() ++ self.facet_button_click('add') ++ self.select_combobox('ipaowner', user_data.PKEY2) ++ self.dialog_button_click('add') ++ self.wait(0.3) ++ self.assert_no_error_dialog() ++ after_count = self.get_rows() ++ assert len(before_count) < len(after_count) ++ ++ @screenshot ++ def test_subid_del(self): ++ """ ++ Test to remove subordinate id for given user. ++ """ ++ self.init_app() ++ self.navigate_to_entity('subid', facet='search') ++ user_uid = self.get_record_pkey("some-user", "ipaowner", ++ table_name="ipauniqueid") ++ before_count = self.get_rows() ++ self.delete_record(user_uid, table_name="ipauniqueid") ++ after_count = self.get_rows() ++ assert len(before_count) > len(after_count) +diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py +index 46fd512ae..77fd74e49 100644 +--- a/ipatests/test_webui/ui_driver.py ++++ b/ipatests/test_webui/ui_driver.py +@@ -1151,6 +1151,34 @@ class UI_driver: + return row + return None + ++ def get_row_by_column_value(self, key, column_name, parent=None, ++ table_name=None): ++ """ ++ Get the first matched row element of a search table with given key ++ matched against selected column. None if not found ++ """ ++ rows = self.get_rows(parent, table_name) ++ s = "td div[name='%s']" % column_name ++ for row in rows: ++ has = self.find(s, By.CSS_SELECTOR, row) ++ if has.text == key: ++ return row ++ return None ++ ++ def get_record_pkey(self, key, column, parent=None, table_name=None): ++ """ ++ Get record pkey if value of column is known ++ """ ++ row = self.get_row_by_column_value(key, ++ column_name=column, ++ parent=parent, ++ table_name=table_name) ++ val = None ++ if row: ++ el = self.find("td input", By.CSS_SELECTOR, row) ++ val = el.get_attribute("value") ++ return val ++ + def navigate_to_row_record(self, row, pkey_column=None): + """ + Navigate to record by clicking on a link. +-- +2.34.1 + +From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001 +From: Michal Polovka +Date: Fri, 7 Jan 2022 12:12:26 +0100 +Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML + configuration file + +FullLoader class for YAML loader was introduced in version 5.1 which +also deprecated default loader. SafeLoader, however, stays consistent +across the versions and brings added security. + +This fix is necessary as PyYAML > 5.1 is not available in downstream. + +Related: https://pagure.io/freeipa/issue/9009 + +Signed-off-by: Michal Polovka +Reviewed-By: Rob Crittenden +--- + ipatests/test_webui/ui_driver.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py +index 77fd74e49..519efee9b 100644 +--- a/ipatests/test_webui/ui_driver.py ++++ b/ipatests/test_webui/ui_driver.py +@@ -192,7 +192,7 @@ class UI_driver: + if not NO_YAML and os.path.isfile(path): + try: + with open(path, 'r') as conf: +- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader) ++ cls.config = yaml.safe_load(stream=conf) + except yaml.YAMLError as e: + pytest.skip("Invalid Web UI config.\n%s" % e) + except IOError as e: +-- +2.34.1 + +From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 18 Nov 2021 18:43:22 +0530 +Subject: [PATCH] PEP8 Fixes + +Signed-off-by: Mohammad Rizwan +--- + .../test_integration/test_replica_promotion.py | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index 1a4e9bc12..c328b1a08 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): + assert res.returncode == 1 + assert expected_err in res.stderr_text + +- + @replicas_cleanup + def test_one_command_installation(self): + """ +@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase): + Firewall(self.replicas[0]).enable_services(["freeipa-ldap", + "freeipa-ldaps"]) + self.replicas[0].run_command(['ipa-replica-install', '-w', +- self.master.config.admin_password, +- '-n', self.master.domain.name, +- '-r', self.master.domain.realm, +- '--server', self.master.hostname, +- '-U']) ++ self.master.config.admin_password, ++ '-n', self.master.domain.name, ++ '-r', self.master.domain.realm, ++ '--server', self.master.hostname, ++ '-U']) + # Ensure that pkinit is properly configured, test for 7566 + result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status']) + assert "PKINIT is enabled" in result.stdout_text +@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest): + result1 = client.run_command(['ipa-replica-install', '-U', '-w', + self.master.config.dirman_password], + raiseonerr=False) +- assert(result1.returncode == 0), ( ++ assert (result1.returncode == 0), ( + 'Failed to promote the client installed with the upcase domain name') + + def test_client_rollback(self): +@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest): + assert("An error occurred while removing SSSD" not in + result.stdout_text) + ++ + class TestRenewalMaster(IntegrationTest): + + topology = 'star' +-- +2.34.1 + +From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Thu, 18 Nov 2021 18:36:58 +0530 +Subject: [PATCH] Test cases for ipa-replica-conncheck command + +Following test cases would be checked: +- when called with --principal (it should then prompt for a password) +- when called with --principal / --password +- when called without principal and password but with a kerberos TGT, + kinit admin done before calling ipa-replica-conncheck +- when called without principal and password, and without any kerberos + TGT (it should default to principal=admin and prompt for a password) + +related: https://pagure.io/freeipa/issue/9047 + +Signed-off-by: Mohammad Rizwan +--- + .../test_replica_promotion.py | 70 +++++++++++++++++++ + 1 file changed, 70 insertions(+) + +diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py +index b9c56f775..1a4e9bc12 100644 +--- a/ipatests/test_integration/test_replica_promotion.py ++++ b/ipatests/test_integration/test_replica_promotion.py +@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest): + self.assertCARenewalMaster(master, replica.hostname) + self.assertCARenewalMaster(replica, replica.hostname) + ++ def test_replica_concheck(self): ++ """Test cases for ipa-replica-conncheck command ++ ++ Following test cases would be checked: ++ - when called with --principal (it should then prompt for a password) ++ - when called with --principal / --password ++ - when called without principal and password but with a kerberos TGT, ++ kinit admin done before calling ipa-replica-conncheck ++ - when called without principal and password, and without any kerberos ++ TGT (it should default to principal=admin and prompt for a password) ++ ++ related: https://pagure.io/freeipa/issue/9047 ++ """ ++ exp_str1 = "Connection from replica to master is OK." ++ exp_str2 = "Connection from master to replica is OK" ++ tasks.kdestroy_all(self.replicas[0]) ++ # when called with --principal (it should then prompt for a password) ++ result = self.replicas[0].run_command( ++ ['ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm, ++ '-p', self.replicas[0].config.admin_name], ++ stdin_text=self.master.config.admin_password ++ ) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ ++ # when called with --principal / --password ++ result = self.replicas[0].run_command([ ++ 'ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm, ++ '-p', self.replicas[0].config.admin_name, ++ '-w', self.master.config.admin_password ++ ]) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ ++ # when called without principal and password, and without ++ # any kerberos TGT, it should default to principal=admin ++ # and prompt for a password ++ result = self.replicas[0].run_command( ++ ['ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm], ++ stdin_text=self.master.config.admin_password ++ ) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ ++ # when called without principal and password but with a kerberos TGT, ++ # kinit admin done before calling ipa-replica-conncheck ++ tasks.kinit_admin(self.replicas[0]) ++ result = self.replicas[0].run_command( ++ ['ipa-replica-conncheck', '--auto-master-check', ++ '--master', self.master.hostname, ++ '-r', self.replicas[0].domain.realm] ++ ) ++ assert result.returncode == 0 ++ assert ( ++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text ++ ) ++ tasks.kdestroy_all(self.replicas[0]) ++ + def test_automatic_renewal_master_transfer_ondelete(self): + # Test that after replica uninstallation, master overtakes the cert + # renewal master role from replica (which was previously set there) +-- +2.34.1 + diff --git a/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch b/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch new file mode 100644 index 0000000..f8b3b9f --- /dev/null +++ b/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch @@ -0,0 +1,104 @@ +From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 28 Jan 2022 16:46:35 -0500 +Subject: [PATCH] Don't always override the port in import_included_profiles + +I can only guess to the original purpose of this override. I +believe it was because this is called in the installer prior +to Apache being set up. The expectation was that this would +only be called locally. It predates the RestClient class. + +RestClient will attempt to find an available service. In this +case, during a CA installation, the local server is not +considered available because it lacks an entry in +cn=masters. So it will never be returned as an option. + +So by overriding the port to 8443 the remote connection will +likely fail because we don't require that the port be open. + +So instead, instantiate a RestClient and see what happens. + +There are several use-cases: + +1. Installing an initial server. The RestClient connection + should fail, so we will fall back to the override port and + use the local server. If Apache happens to be running with + a globally-issued certificate then the RestClient will + succeed. In this case if the connected host and the local + hostname are the same, override in that case as well. + +2. Installing as a replica. In this case the local server should + be ignored in all cases and a remote CA will be picked with + no override done. + +3. Switching from CA-less to CA-ful. The web server will be + trusted but the RestClient login will fail with a 404. Fall + back to the override port in this case. + +The motivation for this is trying to install an EL 8.x replica +against an EL 7.9 server. 8.5+ includes the ACME service and +a new profile is needed which doesn't exist in 7. This was +failing because the RestClient determined that the local server +wasn't running a CA so tried the remote one (7.9) on the override +port 8443. Since this port isn't open: failure. + +Chances are that adding the profile is still going to fail +because again, 7.9 lacks ACME capabilities, but it will fail in +a way that allows the installation to continue. + +I suspect that all of the overrides can similarly handled, or +handled directly within the RestClient class, but for the sake +of "do no harm" I'm only changing this instance for now. + +https://pagure.io/freeipa/issue/9100 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +--- + ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++- + 1 file changed, 29 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 8c8bf1b3a..ad206aad4 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -1953,7 +1953,35 @@ def import_included_profiles(): + cn=['certprofiles'], + ) + +- api.Backend.ra_certprofile.override_port = 8443 ++ # At this point Apache may or may not be running with a valid ++ # certificate. The local server is not yet recognized as a full ++ # CA yet so it isn't discoverable. So try to do some detection ++ # on what port to use, 443 (remote) or 8443 (local) for importing ++ # the profiles. ++ # ++ # api.Backend.ra_certprofile invokes the RestClient class ++ # which will discover and login to the CA REST API. We can ++ # use this information to detect where to import the profiles. ++ # ++ # If the login is successful (e.g. doesn't raise an exception) ++ # and it returns our hostname (it prefers the local host) then ++ # we override and talk locally. ++ # ++ # Otherwise a NetworkError means we can't connect on 443 (perhaps ++ # a firewall) or we get an HTTP error (valid TLS certificate on ++ # Apache but no CA, login fails with 404) so we override to the ++ # local server. ++ # ++ # When override port was always set to 8443 the RestClient could ++ # pick a remote server and since 8443 isn't in our firewall profile ++ # setting up a new server would fail. ++ try: ++ with api.Backend.ra_certprofile as profile_api: ++ if profile_api.ca_host == api.env.host: ++ api.Backend.ra_certprofile.override_port = 8443 ++ except (errors.NetworkError, errors.RemoteRetrieveError) as e: ++ logger.debug('Overriding CA port: %s', e) ++ api.Backend.ra_certprofile.override_port = 8443 + + for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES: + dn = DN(('cn', profile_id), +-- +2.34.1 + diff --git a/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch b/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch new file mode 100644 index 0000000..e083b06 --- /dev/null +++ b/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch @@ -0,0 +1,115 @@ +From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 31 Jan 2022 17:31:50 -0500 +Subject: [PATCH] Remove ipa-join errors from behind the debug option + +This brings it inline with the previous XML-RPC output which +only hid the request and response from the output and not +any errors returned. + +https://pagure.io/freeipa/issue/9103 + +Signed-off-by: Rob Crittenden +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Peter Keresztes Schmidt +--- + client/ipa-join.c | 27 +++++++++------------------ + 1 file changed, 9 insertions(+), 18 deletions(-) + +diff --git a/client/ipa-join.c b/client/ipa-join.c +index d98739a9a..5888a33bf 100644 +--- a/client/ipa-join.c ++++ b/client/ipa-join.c +@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response + + json_str = json_dumps(json, 0); + if (!json_str) { +- if (debug) +- fprintf(stderr, _("json_dumps() failed\n")); ++ fprintf(stderr, _("json_dumps() failed\n")); + + rval = 17; + goto cleanup; +@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response + CURLcode res = curl_easy_perform(curl); + if (res != CURLE_OK) + { +- if (debug) +- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); ++ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res)); + + rval = 17; + goto cleanup; +@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response + curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code); + + if (resp_code != 200) { +- if (debug) +- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); ++ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code); + + if (!quiet && resp_code == 401) + fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n")); +@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { + + j_root = json_loads(payload, 0, &j_error); + if (!j_root) { +- if (debug) +- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); ++ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) { + + *j_result_obj = json_object_get(j_root, "result"); + if (!*j_result_obj) { +- if (debug) +- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); ++ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n")); + + rval = 17; + goto cleanup; +@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet) + &tmp_hostdn, + "krbprincipalname", &tmp_princ, + "krblastpwdchange", &tmp_pwdch) != 0) { +- if (debug) +- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); ++ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co + "nshardwareplatform", uinfo.machine); + + if (!json_req) { +- if (debug) +- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); ++ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) { + + if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}", + "result", result) != 0) { +- if (debug) +- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); ++ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text); + + rval = 20; + goto cleanup; +@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) { + host); + + if (!json_req) { +- if (debug) +- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); ++ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text); + + rval = 17; + goto cleanup; +-- +2.34.1 + diff --git a/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch b/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch new file mode 100644 index 0000000..ef581d8 --- /dev/null +++ b/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch @@ -0,0 +1,118 @@ +From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Mon, 7 Feb 2022 10:39:55 -0500 +Subject: [PATCH] Enable the ccache sweep timer during installation + +The timer was only being enabled during package installation +if IPA was configured. So effectively only on upgrade. + +Add as a separate installation step after the ccache directory +is configured. + +Fixes: https://pagure.io/freeipa/issue/9107 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy +--- + ipaserver/install/httpinstance.py | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py +index 732bb58d4..50ccf5e50 100644 +--- a/ipaserver/install/httpinstance.py ++++ b/ipaserver/install/httpinstance.py +@@ -140,6 +140,8 @@ class HTTPInstance(service.Service): + self.step("publish CA cert", self.__publish_ca_cert) + self.step("clean up any existing httpd ccaches", + self.remove_httpd_ccaches) ++ self.step("enable ccache sweep", ++ self.enable_ccache_sweep) + self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd) + if not self.is_kdcproxy_configured(): + self.step("create KDC proxy config", self.create_kdcproxy_conf) +@@ -177,6 +179,11 @@ class HTTPInstance(service.Service): + [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES] + ) + ++ def enable_ccache_sweep(self): ++ ipautil.run( ++ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer'] ++ ) ++ + def __configure_http(self): + self.update_httpd_service_ipa_conf() + self.update_httpd_wsgi_conf() +-- +2.34.1 + +From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001 +From: Mohammad Rizwan +Date: Wed, 9 Feb 2022 18:56:21 +0530 +Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during + installation + +This test checks that ipa-ccache-sweep.timer is enabled by default +during the ipa installation. + +related: https://pagure.io/freeipa/issue/9107 + +Signed-off-by: Mohammad Rizwan +Reviewed-By: Alexander Bokovoy +--- + .../test_integration/test_installation.py | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py +index f2d372c0c..63edbaa2b 100644 +--- a/ipatests/test_integration/test_installation.py ++++ b/ipatests/test_integration/test_installation.py +@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest): + + # Tweak sysrestore.state to drop installation section + self.master.run_command( +- ['sed','-i', r's/\[installation\]/\[badinstallation\]/', ++ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/', + os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) + + # Re-run installation check and it should fall back to old method +@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest): + + # Restore installation section. + self.master.run_command( +- ['sed','-i', r's/\[badinstallation\]/\[installation\]/', ++ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/', + os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)]) + + # Uninstall and confirm that the old method reports correctly +@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host): + break + return(pid) + ++ + def get_ipa_services_pids(host): + ipa_services_name = [ + "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia", +@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest): + def test_install_master(self): + tasks.install_master(self.master, setup_dns=False, setup_kra=True) + ++ def test_ipa_ccache_sweep_timer_enabled(self): ++ """Test ipa-ccache-sweep.timer enabled by default during installation ++ ++ This test checks that ipa-ccache-sweep.timer is enabled by default ++ during the ipa installation. ++ ++ related: https://pagure.io/freeipa/issue/9107 ++ """ ++ result = self.master.run_command( ++ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'], ++ raiseonerr=False ++ ) ++ assert 'enabled' in result.stdout_text ++ + def test_install_dns(self): + tasks.install_dns(self.master) + +-- +2.34.1 + diff --git a/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch b/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch new file mode 100644 index 0000000..c384f15 --- /dev/null +++ b/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch @@ -0,0 +1,31 @@ +From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001 +From: Anuja More +Date: Thu, 10 Feb 2022 18:49:06 +0530 +Subject: [PATCH] ipatests: remove additional check for failed units. + +On RHEL tests are randomly failing because of this check +and the test doesn't need to check this. + +Related : https://pagure.io/freeipa/issue/9108 + +Signed-off-by: Anuja More +Reviewed-By: Florence Blanc-Renaud +--- + ipatests/test_integration/test_otp.py | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py +index d8ce527ca..6e70ddcb3 100644 +--- a/ipatests/test_integration/test_otp.py ++++ b/ipatests/test_integration/test_otp.py +@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest): + check_services = self.master.run_command( + ['systemctl', 'list-units', '--state=failed'] + ) +- assert "0 loaded units listed" in check_services.stdout_text + assert "ipa-otpd" not in check_services.stdout_text + # Be sure no services are running and failed units + self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False) +-- +2.34.1 + diff --git a/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch b/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch new file mode 100644 index 0000000..3c8109e --- /dev/null +++ b/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch @@ -0,0 +1,38 @@ +From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001 +From: Francisco Trivino +Date: Thu, 10 Feb 2022 14:23:12 +0100 +Subject: [PATCH] ipa_cldap: fix memory leak + +ipa_cldap_encode_netlogon() allocates memory to store binary data as part of +berval (bv_val) when processing a CLDAP packet request from a worker. The +data is used by ipa_cldap_respond() but bv_val is not freed later on. + +This commit is adding the corresponding free() after ipa_cldap_respond() +is completed. + +Discovered by LeakSanitizer + +Fixes: https://pagure.io/freeipa/issue/9110 +Signed-off-by: Francisco Trivino +Reviewed-By: Alexander Bokovoy +Reviewed-By: Rob Crittenden +Reviewed-By: Thierry Bordaz +--- + daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c +index db4a3d061..252bcf647 100644 +--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c ++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c +@@ -287,6 +287,7 @@ done: + ipa_cldap_respond(ctx, req, &reply); + + ipa_cldap_free_kvps(&req->kvps); ++ free(reply.bv_val); + free(req); + return; + } +-- +2.34.1 + diff --git a/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch b/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch new file mode 100644 index 0000000..e7081cd --- /dev/null +++ b/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch @@ -0,0 +1,40 @@ +From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Sun, 5 Dec 2021 17:38:58 +0100 +Subject: [PATCH] ipatests: fix + TestOTPToken::test_check_otpd_after_idle_timeout + +The test sets 389-ds nsslapd-idletimeout to 60s, then does a +kinit with an otp token (which makes ipa-otpd create a LDAP +connection), then sleeps for 60s. The expectation is that +ns-slapd will detect that the LDAP conn from ipa-otpd is idle +and close the connection. +According to 389ds doc, the idle timeout is enforced when the +connection table is walked. By doing a ldapsearch, the test +"wakes up" ns-slapd and forces the detection of ipa-otpd +idle connection. + +Fixes: https://pagure.io/freeipa/issue/9044 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Anuja More +--- + ipatests/test_integration/test_otp.py | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py +index 353470897..d8ce527ca 100644 +--- a/ipatests/test_integration/test_otp.py ++++ b/ipatests/test_integration/test_otp.py +@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest): + otpvalue = totp.generate(int(time.time())).decode("ascii") + kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue) + time.sleep(60) ++ # ldapsearch will wake up slapd and force walking through ++ # the connection list, in order to spot the idle connections ++ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base") + + def test_cb(cmd_jornalctl): + # check if LDAP connection is timed out +-- +2.34.1 + diff --git a/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch new file mode 100644 index 0000000..48bb8e0 --- /dev/null +++ b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch @@ -0,0 +1,122 @@ +From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 26 Nov 2021 11:13:51 +0200 +Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and + MS-SFU updates + +New versions of MS-KILE and MS-SFU after Windows Server November 2021 +security updates add PAC_REQUESTER_SID buffer check behavior: + + - PAC_REQUESTER_SID should only be added for TGT requests + + - if PAC_REQUESTER_SID is present, KDC must verify that the cname on + the ticket resolves to the account with the same SID as the + PAC_REQUESTER_SID. If it doesn't KDC must respond with + KDC_ERR_TKT_REVOKED + +Change requester SID check to skip exact check for non-local +PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains +we know about. + +If requester SID is the same as in PAC, we already do cname vs PAC SID +verification. + +With these changes FreeIPA works against Windows Server 2019 with +November 2021 security fixes in cross-realm S4U2Self operations. + +Fixes: https://pagure.io/freeipa/issue/9031 + +Signed-off-by: Alexander Bokovoy +Reviewed-By: Rob Crittenden +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++--------- + 1 file changed, 34 insertions(+), 13 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 538cfbba9..1b972c167 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, + "local [%s], PAC [%s]", + dom ? dom : "", + sid ? sid : ""); +- return KRB5KDC_ERR_POLICY; ++ return KRB5KDC_ERR_TGT_REVOKED; + } + } + +@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, + kerr = ipadb_get_principal(context, client_princ, flags, &client_actual); + if (kerr != 0) { + krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed."); +- return KRB5KDC_ERR_POLICY; ++ return KRB5KDC_ERR_TGT_REVOKED; + } + + ied = (struct ipadb_e_data *)client_actual->e_data; +@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context, + "local [%s] vs PAC [%s]", + local_sid ? local_sid : "", + pac_sid ? pac_sid : ""); +- kerr = KRB5KDC_ERR_POLICY; ++ kerr = KRB5KDC_ERR_TGT_REVOKED; + goto done; + } + +@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context, + /* Check that requester SID is the same as in the PAC entry */ + if (requester_sid != NULL) { + struct dom_sid client_sid; ++ bool is_from_trusted_domain = false; + kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid); + if (kerr) { + goto done; + } + result = dom_sid_check(&client_sid, requester_sid, true); + if (!result) { +- /* memctx is freed by the caller */ +- char *pac_sid = dom_sid_string(tmpctx, &client_sid); +- char *req_sid = dom_sid_string(tmpctx, requester_sid); +- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID " +- "different from what PAC requester claims. " +- "PAC [%s] vs PAC requester [%s]", +- pac_sid ? pac_sid : "", +- req_sid ? req_sid : ""); +- kerr = KRB5KDC_ERR_POLICY; +- goto done; ++ struct ipadb_context *ipactx = ipadb_get_context(context); ++ if (!ipactx || !ipactx->mspac) { ++ return KRB5_KDB_DBNOTINITED; ++ } ++ /* In S4U case we might be dealing with the PAC issued by the trusted domain */ ++ if (is_s4u && (ipactx->mspac->trusts != NULL)) { ++ /* Iterate through list of trusts and check if this SID belongs to ++ * one of the domains we trust */ ++ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) { ++ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid, ++ requester_sid, false); ++ if (result) { ++ is_from_trusted_domain = true; ++ break; ++ } ++ } ++ } ++ ++ if (!is_from_trusted_domain) { ++ /* memctx is freed by the caller */ ++ char *pac_sid = dom_sid_string(tmpctx, &client_sid); ++ char *req_sid = dom_sid_string(tmpctx, requester_sid); ++ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID " ++ "different from what PAC requester claims. " ++ "PAC [%s] vs PAC requester [%s]", ++ pac_sid ? pac_sid : "", ++ req_sid ? req_sid : ""); ++ kerr = KRB5KDC_ERR_TGT_REVOKED; ++ goto done; ++ } + } + } + +-- +2.31.1 + diff --git a/SOURCES/freeipa-4.9.6.tar.gz.asc b/SOURCES/freeipa-4.9.6.tar.gz.asc deleted file mode 100644 index f71d351..0000000 --- a/SOURCES/freeipa-4.9.6.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/ -Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN -1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w -qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO -J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5 -Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX -liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1 -BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou -BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw -u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr -4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+ -RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY= -=TQFs ------END PGP SIGNATURE----- diff --git a/SOURCES/freeipa-4.9.8.tar.gz.asc b/SOURCES/freeipa-4.9.8.tar.gz.asc new file mode 100644 index 0000000..c14420c --- /dev/null +++ b/SOURCES/freeipa-4.9.8.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi +00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe +MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM +XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q +E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp +q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6 +BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA +CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C +UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi +q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy +urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo +w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg= +=t9up +-----END PGP SIGNATURE----- diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 9b6f2eb..c2fd678 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -68,8 +68,8 @@ %global krb5_kdb_version 8.0 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.19 -# Require 4.7.0 which brings Python 3 bindings -%global samba_version 4.12.3-12 +# Require 4.14.5-13 which brings CVE-2020-25717 fixes +%global samba_version 4.14.5-13 %global selinux_policy_version 3.14.3-52 %global slapi_nis_version 0.56.4 %global python_ldap_version 3.1.0-1 @@ -92,9 +92,9 @@ %global krb5_version 1.18.2-29 # 0.7.16: https://github.com/drkjam/netaddr/issues/71 %global python_netaddr_version 0.7.16 -# Require 4.7.0 which brings Python 3 bindings -# Require 4.12 which has DsRGetForestTrustInformation access rights fixes -%global samba_version 2:4.12.10 + +# Require 4.14.6 which brings CVE-2020-25717 fixes +%global samba_version 2:4.14.6 # 3.14.5-45 or later includes a number of interfaces fixes for IPA interface %global selinux_policy_version 3.14.5-45 @@ -178,7 +178,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.9.6 +%define IPA_VERSION 4.9.8 # Release candidate version -- uncomment with one percent for RC versions #%%global rc_version %%nil %define AT_SIGN @ @@ -191,7 +191,7 @@ Name: %{package_name} Version: %{IPA_VERSION} -Release: 3%{?rc_version:.%rc_version}%{?dist} +Release: 6%{?rc_version:.%rc_version}%{?dist} Summary: The Identity, Policy and Audit system License: GPLv3+ @@ -211,15 +211,23 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers # RHEL spec file only: START %if %{NON_DEVELOPER_BUILD} %if 0%{?rhel} >= 8 -Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch -Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch -Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch -Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch -Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch +Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch +Patch0002: 0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch +Patch0003: 0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch +Patch0004: 0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch +Patch0005: 0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch +Patch0006: 0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch +Patch0007: 0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch +Patch0008: 0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch +Patch0009: 0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch +Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch +Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch +Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch %endif %endif # RHEL spec file only: END +Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch # For the timestamp trick in patch application BuildRequires: diffstat @@ -463,6 +471,8 @@ Requires: gssproxy >= 0.7.0-2 Requires: sssd-dbus >= %{sssd_version} Requires: libpwquality Requires: cracklib-dicts +# NDR libraries are internal in Samba and change with version without changing SONAME +Requires: samba-client-libs >= %{samba_version} Provides: %{alt_name}-server = %{version} Conflicts: %{alt_name}-server @@ -1362,6 +1372,7 @@ fi %{_libexecdir}/ipa/ipa-pki-wait-running %{_libexecdir}/ipa/ipa-otpd %{_libexecdir}/ipa/ipa-print-pac +%{_libexecdir}/ipa/ipa-subids %dir %{_libexecdir}/ipa/custodia %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat @@ -1369,6 +1380,7 @@ fi %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf @@ -1701,6 +1713,76 @@ fi %changelog +* Mon Feb 14 2022 Rafael Jeffman - 4.9.8-6 +- ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout + Related: RHBZ#2053024 + +* Mon Feb 14 2022 Rafael Jeffman - 4.9.8-5 +- ipatests: remove additional check for failed units. + Resolves: RHBZ#2053024 +- ipa-cldap: fix memory leak. + Resolves: RHBZ#2032738 + +* Thu Feb 10 2022 Rafael Jeffman - 4.9.8-4 +- Don't always override the port in import_included_profiles + Fixes: RHBZ#2022483 +- Remove ipa-join errors from behind the debug option + Fixes: RHBZ#2048558 +- Enable the ccache sweep timer during installation + Fixes: RHBZ#2051575 + +* Thu Feb 3 2022 Rafael Jeffman - 4.9.8-3 +- Config plugin: return EmptyModlist when no change is applied. + Resolves: RHBZ#2031825 +- Custodia: use a stronger encryption algo when exporting keys. + Resolves: RHBZ#2032806 +- ipa-kdb: do not remove keys for hardened auth-enabled users. + Resolves: RHBZ#2033342 +- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus + Resolves: RHBZ#2049167 +- Backport latest test fxes in python3 ipatests. + Resolves: RHBZ#2048509 +- Removed unused patch files that were part of 4.9.8 rebase. + +* Fri Dec 10 2021 Rafael Jeffman - 4.9.8-2 +- Revert bind-pkcs11-utils configuration in freeipa.spec. + Resolves: RHBZ#2026732 + +* Tue Nov 30 2021 Rafael Jeffman - 4.9.8-1 +- Upstream release FreeIPA 4.9.8 + Related: RHBZ#2015607 +- Hardening for CVE-2020-25717 + +* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-9.1 +- Fix S4U2Self regression for cross-realm requester SID buffer +- Related: RHBZ#2021443 + +* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-9 +- Require samba 4.14.5-13 with IPA DC server role fixes +- Related: RHBZ#2021443 + +* Fri Nov 12 2021 Alexander Bokovoy - 4.9.6-8 +- Add versioned dependency of samba-client-libs to ipa-server +- Related: RHBZ#2021443 + +* Thu Nov 11 2021 Alexander Bokovoy - 4.9.6-7 +- Hardening for CVE-2020-25717 +- Harden processing of trusted domains' users in S4U operations +- Resolves: RHBZ#2021443 + +* Wed Nov 10 2021 Alexander Bokovoy - 4.9.6-6 +- Hardening for CVE-2020-25717 +- Rebuild against samba-4.14.5-11.el8 +- Resolves: RHBZ#2021443 + +* Sun Nov 07 2021 Alexander Bokovoy - 4.9.6-5 +- Hardening for CVE-2020-25717 +- Related: RHBZ#2019668 + +* Thu Jul 22 2021 Thomas Woerner - 4.9.6-4 +- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL + Resolves: RHBZ#1982956 + * Thu Jul 15 2021 Thomas Woerner - 4.9.6-3 - man page: update ipa-server-upgrade.1 Resolves: RHBZ#1973273 @@ -2222,7 +2304,7 @@ fi - Checks if replica-s4u2proxy.ldif should be applied - Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default - ds: ignore time skew during initial replication step - - ipa-replica-manage: implicitly ignore initial time skew in force-sync + - ipa-replica-manage: implicitly ignore initial time skew in force-sync - Resolves: #1500218 Replica installation at domain-level 0 fails against upgraded ipa-server - Fix ipa-replica-conncheck when called with --principal @@ -2266,29 +2348,29 @@ fi - Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in buildroot - Resolves: #1470177 - Rebase IPA to latest 4.5.x version -- Resolves: #1398594 ipa topologysuffix-verify should only warn about - maximum number of replication agreements. -- Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" - to "Host-Based" and "Role-Based" +- Resolves: #1398594 ipa topologysuffix-verify should only warn about + maximum number of replication agreements. +- Resolves: #1404236 Web UI: Change "Host Based" and "Role Based" + to "Host-Based" and "Role-Based" - Resolves: #1409786 Second phase of --external-ca ipa-server-install setup fails when dirsrv is not running -- Resolves: #1451576 ipa cert-request failed to generate certificate from csr -- Resolves: #1452086 Pagination Size under Customization in IPA WebUI +- Resolves: #1451576 ipa cert-request failed to generate certificate from csr +- Resolves: #1452086 Pagination Size under Customization in IPA WebUI accepts negative values -- Resolves: #1458169 --force-join option is not mentioned in - ipa-replica-install man page -- Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case -- Resolves: #1478322 user-show command fails when sizelimit is configured - to number <= number of entity which is user member of +- Resolves: #1458169 --force-join option is not mentioned in + ipa-replica-install man page +- Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case +- Resolves: #1478322 user-show command fails when sizelimit is configured + to number <= number of entity which is user member of - Resolves: #1496775 Enterprise principals should be able to trigger a refresh of the trusted domain data in the KDC -- Resolves: #1502533 Changing cert-find to go through the proxy +- Resolves: #1502533 Changing cert-find to go through the proxy instead of using the port 8080 - Resolves: #1502663 pkinit-status command fails after an upgrade from a pre-4.5 IPA - Resolves: #1498168 Error when trying to modify a PTR record - Resolves: #1457876 ipa-backup fails silently -- Resolves: #1493531 In case full PKINIT configuration is failing during +- Resolves: #1493531 In case full PKINIT configuration is failing during server/replica install the error message should be more meaningful. - Resolves: #1449985 Suggest CA installation command in KRA installation warning @@ -2339,7 +2421,7 @@ fi - Restore old version of caIPAserviceCert for upgrade only * Fri Jul 28 2017 Pavel Vomacka - 4.5.0-21.el7.1 -- Resolves: #1455946 Provide a tooling automating the configuration +- Resolves: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - smart-card advises: configure systemwide NSS DB also on master - smart-card advises: add steps to store smart card signing CA cert @@ -2353,7 +2435,7 @@ fi - smart card advises: use a wrapper around Bash `for` loops - smart card advise: use password when changing trust flags on HTTP cert - smart-card-advises: ensure that krb5-pkinit is installed on client -- Resolves: #1475238 Use CommonNameToSANDefault in default profile +- Resolves: #1475238 Use CommonNameToSANDefault in default profile (new installs only) - Add CommonNameToSANDefault to default cert profile - Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s @@ -2376,11 +2458,11 @@ fi * Wed Jun 21 2017 Pavel Vomacka - 4.5.0-19.el7 - Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL internal error, assertion failed: Digest MD4 forbidden in FIPS mode! - - ipa-sam: replace encode_nt_key() with E_md4hash() + - ipa-sam: replace encode_nt_key() with E_md4hash() - ipa_pwd_extop: do not generate NT hashes in FIPS mode - Resolves: #1377973 ipa-server-install fails when the provided or resolved - IP address is not found on local interfaces - - Fix local IP address validation + IP address is not found on local interfaces + - Fix local IP address validation - ipa-dns-install: remove check for local ip address - refactor CheckedIPAddress class - CheckedIPAddress: remove match_local param @@ -2393,7 +2475,7 @@ fi - kra: promote: Get ticket before calling custodia * Wed Jun 14 2017 Pavel Vomacka - 4.5.0-17.el7 -- Resolve: #1455946 Provide a tooling automating the configuration +- Resolve: #1455946 Provide a tooling automating the configuration of Smart Card authentication on a FreeIPA master - server certinstall: update KDC master entry - pkinit manage: introduce ipa-pkinit-manage @@ -2418,7 +2500,7 @@ fi - Revert setting sessionMaxAge for old clients * Wed Jun 7 2017 Pavel Vomacka - 4.5.0-15.el7 -- Resolves: #1442233 IPA client commands fail when pointing to replica +- Resolves: #1442233 IPA client commands fail when pointing to replica - httpinstance: wait until the service entry is replicated - Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then not indexed @@ -2432,7 +2514,7 @@ fi - Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers - ipa-kdb: reload certificate mapping rules periodically - Resolves: #1455541 after upgrade login from web ui breaks - - kdc.key should not be visible to all + - kdc.key should not be visible to all - Resolves: #1435606 Add pkinit_indicator option to KDC configuration - ipa-kdb: add pkinit authentication indicator in case of a successful certauth @@ -2444,7 +2526,7 @@ fi - fix incorrect suffix handling in topology checks * Wed May 24 2017 Pavel Vomacka - 4.5.0-14.el7 -- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to +- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to handle PKINIT certificates/anchors - certdb: add named trust flag constants - certdb, certs: make trust flags argument mandatory @@ -2466,7 +2548,7 @@ fi - server install: fix KDC certificate validation in CA-less - Resolves: #1451228 ipa-kra-install fails when primary KRA server has been decommissioned - - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname + - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname - Resolves: #1451712 KRA installation fails on server that was originally installed as CA-less - ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt @@ -2492,14 +2574,14 @@ fi - krb5: make sure KDC certificate is readable - Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing command "ipa cert-request --add" after upgrade - - Change python-cryptography to python2-cryptography + - Change python-cryptography to python2-cryptography * Thu May 18 2017 Pavel Vomacka - 4.5.0-13.el7 - Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'" - error observed during ipa upgrade with latest package. + error observed during ipa upgrade with latest package. - ipa-server-install: fix uninstall - Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break - replica + replica - ca install: merge duplicated code for DM password - installutils: add DM password validator - ca, kra install: validate DM password @@ -2509,11 +2591,11 @@ fi - python2-ipalib: add missing python dependency - installer service: fix typo in service entry - upgrade: add missing suffix to http instance -- Resolves: #1444791 Update man page of ipa-kra-install +- Resolves: #1444791 Update man page of ipa-kra-install - ipa-kra-install manpage: document domain-level 1 - Resolves: #1441493 ipa cert-show raises stack traces when - --certificate-out=/tmp - - cert-show: writable files does not mean dirs + --certificate-out=/tmp + - cert-show: writable files does not mean dirs - Resolves: #1441192 Add the name of URL parameter which will be check for username during cert login - Bump version of ipa.conf file @@ -2528,9 +2610,9 @@ fi - renew agent: always export CSR on IPA CA certificate renewal - renew agent: get rid of virtual profiles - ipa-cacert-manage: add --external-ca-type -- Resolves: #1441593 error adding authenticator indicators to host +- Resolves: #1441593 error adding authenticator indicators to host - Fixing adding authenticator indicators to host -- Resolves: #1449525 Set directory ownership in spec file +- Resolves: #1449525 Set directory ownership in spec file - Added plugins directory to ipaclient subpackages - ipaclient: fix missing RPM ownership - Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'