diff --git a/SOURCES/0029-Fix-cert_request-for-KDC-cert.patch b/SOURCES/0029-Fix-cert_request-for-KDC-cert.patch
new file mode 100644
index 0000000..1efb36c
--- /dev/null
+++ b/SOURCES/0029-Fix-cert_request-for-KDC-cert.patch
@@ -0,0 +1,32 @@
+From b5e033ed72f4cc824b7ab71887bb88453f5d2775 Mon Sep 17 00:00:00 2001
+From: Christian Heimes
+Date: Fri, 29 Jan 2021 09:42:01 +0100
+Subject: [PATCH] Fix cert_request for KDC cert
+
+ca_kdc_check() expects an API object, not an LDAP connection. Issue was
+introduced in commit 8f4abf7bc1607fc44f528b8a443b69cb82269e69.
+
+See: https://pagure.io/freeipa/issue/6739
+Fixes: https://pagure.io/freeipa/issue/8686
+Signed-off-by: Christian Heimes
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/plugins/cert.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
+index 4af5c97f5722a7799509764df93c2433661dba20..158dfa84f22cb887eb9a101cc34b1c6cdc590ee2 100644
+--- a/ipaserver/plugins/cert.py
++++ b/ipaserver/plugins/cert.py
+@@ -860,7 +860,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
+ "with subject alt name '%s'.") % name)
+ if not bypass_caacl:
+ if principal_type == KRBTGT:
+- ca_kdc_check(ldap, alt_principal.hostname)
++ ca_kdc_check(self.api, alt_principal.hostname)
+ else:
+ caacl_check(alt_principal, ca, profile_id)
+
+--
+2.31.1
+
diff --git a/SOURCES/0030-SMB-switch-IPA-domain-controller-role.patch b/SOURCES/0030-SMB-switch-IPA-domain-controller-role.patch
new file mode 100644
index 0000000..bf5778a
--- /dev/null
+++ b/SOURCES/0030-SMB-switch-IPA-domain-controller-role.patch
@@ -0,0 +1,106 @@
+From f0c2f5fdce0ae5dde20abdcf964e3825bb8939c6 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Sat, 30 Oct 2021 10:49:37 +0300
+Subject: [PATCH] SMB: switch IPA domain controller role
+
+As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
+PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
+operations. This is the role that IPA domain controller was using for
+its hybrid NT4/AD-like operation.
+
+Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
+Samba. Switch to this role for new installations and during the upgrade
+of servers running ADTRUST role.
+
+Fixes: https://pagure.io/freeipa/issue/9031
+
+Signed-off-by: Alexander Bokovoy
+Reviewed-by: Rob Crittenden
+Reviewed-By: Rob Crittenden
+---
+ install/share/smb.conf.template | 1 +
+ ipaserver/install/adtrustinstance.py | 16 ++++++++++++++--
+ ipaserver/install/server/upgrade.py | 14 ++++++++++++++
+ 3 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
+index 1370b1e144174f08ad8bc8024e825176d4c74860..1d1d12161661a19c1cc7fc3f74889acace738a79 100644
+--- a/install/share/smb.conf.template
++++ b/install/share/smb.conf.template
+@@ -5,6 +5,7 @@ realm = $REALM
+ kerberos method = dedicated keytab
+ dedicated keytab file = /etc/samba/samba.keytab
+ create krb5 conf = no
++server role = $SERVER_ROLE
+ security = user
+ domain master = yes
+ domain logons = yes
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index 67dadf9b9c26af30f5b75b513d4d9f845379f4c9..8202de25ed32f42c751f79f2a5709e5642301c24 100644
+--- a/ipaserver/install/adtrustinstance.py
++++ b/ipaserver/install/adtrustinstance.py
+@@ -148,6 +148,8 @@ class ADTRUSTInstance(service.Service):
+ OBJC_GROUP = "ipaNTGroupAttrs"
+ OBJC_DOMAIN = "ipaNTDomainAttrs"
+ FALLBACK_GROUP_NAME = u'Default SMB Group'
++ SERVER_ROLE_OLD = "CLASSIC PRIMARY DOMAIN CONTROLLER"
++ SERVER_ROLE_NEW = "IPA PRIMARY DOMAIN CONTROLLER"
+
+ def __init__(self, fstore=None):
+ self.netbios_name = None
+@@ -548,7 +550,16 @@ class ADTRUSTInstance(service.Service):
+ with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
+ tmp_conf.write(conf)
+ tmp_conf.flush()
+- ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
++ try:
++ ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
++ except ipautil.CalledProcessError as e:
++ if e.returncode == 255:
++ # We have old Samba that doesn't support IPA DC server role
++ # re-try again with the older variant, upgrade code will
++ # take care to change the role later when Samba is upgraded
++ # as well.
++ self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
++ self.__write_smb_registry()
+
+ def __map_Guests_to_nobody(self):
+ map_Guests_to_nobody()
+@@ -783,7 +794,8 @@ class ADTRUSTInstance(service.Service):
+ HOST_NETBIOS_NAME = self.host_netbios_name,
+ SMB_DN = self.smb_dn,
+ LDAPI_SOCKET = self.ldapi_socket,
+- FQDN = self.fqdn)
++ FQDN = self.fqdn,
++ SERVER_ROLE=self.SERVER_ROLE_NEW)
+
+ def setup(self, fqdn, realm_name, netbios_name,
+ reset_netbios_name, rid_base, secondary_rid_base,
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index e6ff2b27bfca0377d27b8cd91d7f065a8f62010c..065399eef29ab0a1009cd047443c0a0a5a4dddfe 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -367,6 +367,20 @@ def upgrade_adtrust_config():
+ else:
+ logger.warning("Error updating Samba registry: %s", e)
+
++ logger.info("[Set 'server role' "
++ "to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]")
++
++ args = [paths.NET, "conf", "setparm", "global",
++ "server role", "IPA PRIMARY DOMAIN CONTROLLER"]
++
++ try:
++ ipautil.run(args)
++ except ipautil.CalledProcessError as e:
++ # Only report an error if return code is not 255
++ # which indicates that the new server role is not supported
++ # and we don't need to do anything
++ if e.returncode != 255:
++ logger.warning("Error updating Samba registry: %s", e)
+
+ def ca_configure_profiles_acl(ca):
+ logger.info('[Authorizing RA Agent to modify profiles]')
+--
+2.31.1
+
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index dc13b8d..d84bdbe 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From 2178218fdb1d1a8fe2c173d09b1a0dafc8504f3b Mon Sep 17 00:00:00 2001
+From 8d6310399c814bfa89fdca2a94b72a5ab09b1c3b Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Tue, 14 Mar 2017 15:48:07 +0000
 Subject: [PATCH] Change branding to IPA and Identity Management
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index 868769e..2cc3f3a 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From 87b561cd11582ac64d10d2fc0288f6dc93eb1786 Mon Sep 17 00:00:00 2001
+From 80c99f767a503529580d4b14534a3774398ad426 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Tue, 14 Mar 2017 16:07:15 +0000
 Subject: [PATCH] Package copy-schema-to-ca.py
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index 7c2f716..c9091c0 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From 7f8fdb2a050e72f8a8069e572a957f5ade9c11a8 Mon Sep 17 00:00:00 2001
+From 12ec57b3e8ac5d05fbd28fc9ab9c8f22da13c391 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Wed, 22 Jun 2016 13:53:46 +0200
 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index 4ab0990..eaccfc3 100644
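Review bot: The new `except ipautil.CalledProcessError` branch in `__write_smb_registry` (adtrustinstance.py hunk at line 548) has no `else: raise`, so any `net conf import` failure other than exit status 255 is now swallowed and installation proceeds with a Samba registry that was never imported, where the replaced line let the error propagate. The 255 fallback is also unguarded: `self.__write_smb_registry()` re-runs the whole method, and if the import still exits 255 after switching to `SERVER_ROLE_OLD` the method recurses until RecursionError instead of failing. Retry only while the role is still the new one, re-raise everything else, and since falling back means the server role the patch description ties to the CVE-2020-25717 mitigations is not applied on that host, log the downgrade if this module has a logger (one is visible only in the upgrade.py hunk). The enclosing method starts outside the hunk, so the origin of `conf` and `sub_dict` is assumed from the visible lines.
```python
            try:
                ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
            except ipautil.CalledProcessError as e:
                # Exit status 255: the installed Samba does not accept the
                # IPA DC server role (see the template's $SERVER_ROLE).
                if (e.returncode == 255
                        and self.sub_dict['SERVER_ROLE'] != self.SERVER_ROLE_OLD):
                    # Retry once with the classic role; the upgrade code
                    # switches the role when Samba itself is upgraded.
                    self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
                    self.__write_smb_registry()
                else:
                    raise
```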
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From 117c3b5e46e2ed3cc2e5c74ebe93b6a359c01aba Mon Sep 17 00:00:00 2001
+From 6d108cc59c643b5a9f3acea3a9c5d37fb7ef3252 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Thu, 16 Mar 2017 09:44:21 +0000
 Subject: [PATCH] Remove csrgen
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index 1ee4878..36128a3 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From a3c7afb55ef0ed4542dd59295ba4ac9b8a77f88d Mon Sep 17 00:00:00 2001
+From 0207539df5773e24ce260368b1f696128aead682 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?=
 Date: Fri, 10 Aug 2018 13:16:38 +0200
 Subject: [PATCH] Removing filesystem encoding check
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 21cae4f..d2d474e 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -45,7 +45,7 @@
 # 1.15.1-36: https://bugzilla.redhat.com/show_bug.cgi?id=1755223
 %global krb5_version 1.15.1-36
 # Require 4.10 for change in ABI for DEBUGLEVEL_CLASS (rename)
-%global samba_version 4.10.0
+%global samba_version 4.10.16-17
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.5-9
 %global selinux_policy_version 3.13.1-224
@@ -103,7 +103,7 @@
 Name: ipa
 Version: %{IPA_VERSION}
-Release: 5%{?dist}.9
+Release: 5%{?dist}.10
 Summary: The Identity, Policy and Audit system
 Group: System Environment/Base
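Review bot: The comment kept above the bumped macro, `# Require 4.10 for change in ABI for DEBUGLEVEL_CLASS (rename)`, no longer explains the value: 4.10.16-17 is being required for the 'IPA PRIMARY DOMAIN CONTROLLER' server role that patch 0030 switches to, and every neighbouring version macro carries a one-line reason. Replace it with `# 4.10.16-17: 'IPA PRIMARY DOMAIN CONTROLLER' server role (patch 0030)`. The changelog entry in this same commit files the change under CVE-2020-25719 while the 0030 patch description cites CVE-2020-25717; if the comment is to name a CVE, use the identifier the errata tracks so the two agree. The macro now also drives `BuildRequires: samba-devel` (hunk at 195); whether a runtime `Requires:` on samba for the trust subpackage references `%{samba_version}` as well is outside the visible hunks, and only the build-time floor can be confirmed here.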
@@ -111,9 +111,9 @@ License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source4: product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -146,6 +146,8 @@ Patch0025: 0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch
 Patch0026: 0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch
 Patch0027: 0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch
 Patch0028: 0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch
+Patch0029: 0029-Fix-cert_request-for-KDC-cert.patch
+Patch0030: 0030-SMB-switch-IPA-domain-controller-role.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Package-copy-schema-to-ca.py.patch
 Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -195,11 +197,7 @@ BuildRequires: java-1.7.0-openjdk-devel
 # 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005)
 BuildRequires: 389-ds-base-devel >= %{ds_version}
 BuildRequires: svrcore-devel
-%if 0%{?rhel}
-BuildRequires: samba-devel >= 4.10.0
-%else
-BuildRequires: samba-devel >= 2:4.10.0
-%endif
+BuildRequires: samba-devel >= %{samba_version}
 BuildRequires: libtalloc-devel
 BuildRequires: libtevent-devel
 BuildRequires: libuuid-devel
@@ -406,10 +404,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
-
-%if 0%{?centos} == 0
 Requires: system-logos >= 70.7.0
-%endif
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@@ -966,9 +961,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
 # with_python3
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -992,8 +987,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
 %{enable_server_option} \
 %{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
 %make_build
@@ -1014,8 +1008,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
 %{enable_server_option} \
 %{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
 popd
 %endif # with_python3
@@ -1102,11 +1095,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes
 # remove files which are useful only for make uninstall
 find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
-%if 0%{?centos} == 0
 # RHEL spec file only: START: Replace login-screen-logo.png with a symlink
 ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
 # RHEL spec file only: END: Replace login-screen-logo.png with a symlink
-%endif
 %find_lang %{gettext_domain}
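Review bot: Dropping `--with-ipaplatform=rhel` from both `%configure` invocations (hunks at 992 and 1014) leaves the choice of platform module to configure's default, which is presumably detected from the build host rather than fixed by the spec, so the installed platform code would vary with where the package is built. If the intent is to always ship the RHEL platform, keep the flag as the last option, `%{linter_options} \` followed by `--with-ipaplatform=rhel`, in both places; if relying on detection is deliberate for this spec, a one-line comment above the first `%configure` stating that would stop the next maintainer from re-adding it. The removal is otherwise consistent with the other CentOS-conditional cleanups in this commit, so only the reproducibility question is raised here.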
@@ -1763,8 +1754,11 @@ fi
 %changelog
-* Tue Oct 12 2021 CentOS Sources - 4.6.8-5.el7.centos.9
-- Roll in CentOS Branding
+* Thu Dec 02 2021 Florence Blanc-Renaud - 4.6.8-5.el7_9.10
+- Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT setup against a RHEL 7.9 IPA server
+ - Fix cert_request for KDC cert
+- Resolves: 2021444 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
+ - SMB: switch IPA domain controller role
 * Wed Sep 08 2021 Florence Blanc-Renaud - 4.6.8-5.el7_9.9
 - Resolves: #2000261 - extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT