diff --git a/SOURCES/0029-Fix-cert_request-for-KDC-cert.patch b/SOURCES/0029-Fix-cert_request-for-KDC-cert.patch
new file mode 100644
index 0000000..1efb36c
--- /dev/null
+++ b/SOURCES/0029-Fix-cert_request-for-KDC-cert.patch
@@ -0,0 +1,32 @@
+From b5e033ed72f4cc824b7ab71887bb88453f5d2775 Mon Sep 17 00:00:00 2001
+From: Christian Heimes <cheimes@redhat.com>
+Date: Fri, 29 Jan 2021 09:42:01 +0100
+Subject: [PATCH] Fix cert_request for KDC cert
+
+ca_kdc_check() expects an API object, not an LDAP connection. Issue was
+introduced in commit 8f4abf7bc1607fc44f528b8a443b69cb82269e69.
+
+See: https://pagure.io/freeipa/issue/6739
+Fixes: https://pagure.io/freeipa/issue/8686
+Signed-off-by: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/plugins/cert.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/cert.py b/ipaserver/plugins/cert.py
+index 4af5c97f5722a7799509764df93c2433661dba20..158dfa84f22cb887eb9a101cc34b1c6cdc590ee2 100644
+--- a/ipaserver/plugins/cert.py
++++ b/ipaserver/plugins/cert.py
+@@ -860,7 +860,7 @@ class cert_request(Create, BaseCertMethod, VirtualCommand):
+                             "with subject alt name '%s'.") % name)
+                 if not bypass_caacl:
+                     if principal_type == KRBTGT:
+-                        ca_kdc_check(ldap, alt_principal.hostname)
++                        ca_kdc_check(self.api, alt_principal.hostname)
+                     else:
+                         caacl_check(alt_principal, ca, profile_id)
+ 
+-- 
+2.31.1
+
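Review bot: The one-line fix switches the first argument of `ca_kdc_check()` from the LDAP handle to `self.api`, but the diffstat shows only `ipaserver/plugins/cert.py` changing, so nothing pins the KRBTGT branch and the same argument mix-up that 8f4abf7 introduced could recur unnoticed; a test that runs cert-request for a krbtgt principal with a KDC host in the SAN would exercise exactly this path. A short why-comment at the call site would also stop the next refactor from "fixing" it back, e.g. `# ca_kdc_check() takes the API object, not an LDAP connection`. The enclosing method of `cert_request` starts and ends outside the hunk.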
diff --git a/SOURCES/0030-SMB-switch-IPA-domain-controller-role.patch b/SOURCES/0030-SMB-switch-IPA-domain-controller-role.patch
new file mode 100644
index 0000000..bf5778a
--- /dev/null
+++ b/SOURCES/0030-SMB-switch-IPA-domain-controller-role.patch
@@ -0,0 +1,106 @@
+From f0c2f5fdce0ae5dde20abdcf964e3825bb8939c6 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Sat, 30 Oct 2021 10:49:37 +0300
+Subject: [PATCH] SMB: switch IPA domain controller role
+
+As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
+PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
+operations.  This is the role that IPA domain controller was using for
+its hybrid NT4/AD-like operation.
+
+Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
+Samba. Switch to this role for new installations and during the upgrade
+of servers running ADTRUST role.
+
+Fixes: https://pagure.io/freeipa/issue/9031
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ install/share/smb.conf.template      |  1 +
+ ipaserver/install/adtrustinstance.py | 16 ++++++++++++++--
+ ipaserver/install/server/upgrade.py  | 14 ++++++++++++++
+ 3 files changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
+index 1370b1e144174f08ad8bc8024e825176d4c74860..1d1d12161661a19c1cc7fc3f74889acace738a79 100644
+--- a/install/share/smb.conf.template
++++ b/install/share/smb.conf.template
+@@ -5,6 +5,7 @@ realm = $REALM
+ kerberos method = dedicated keytab
+ dedicated keytab file = /etc/samba/samba.keytab
+ create krb5 conf = no
++server role = $SERVER_ROLE
+ security = user
+ domain master = yes
+ domain logons = yes
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index 67dadf9b9c26af30f5b75b513d4d9f845379f4c9..8202de25ed32f42c751f79f2a5709e5642301c24 100644
+--- a/ipaserver/install/adtrustinstance.py
++++ b/ipaserver/install/adtrustinstance.py
+@@ -148,6 +148,8 @@ class ADTRUSTInstance(service.Service):
+     OBJC_GROUP = "ipaNTGroupAttrs"
+     OBJC_DOMAIN = "ipaNTDomainAttrs"
+     FALLBACK_GROUP_NAME = u'Default SMB Group'
++    SERVER_ROLE_OLD = "CLASSIC PRIMARY DOMAIN CONTROLLER"
++    SERVER_ROLE_NEW = "IPA PRIMARY DOMAIN CONTROLLER"
+ 
+     def __init__(self, fstore=None):
+         self.netbios_name = None
+@@ -548,7 +550,16 @@ class ADTRUSTInstance(service.Service):
+         with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
+             tmp_conf.write(conf)
+             tmp_conf.flush()
+-            ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
++            try:
++                ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
++            except ipautil.CalledProcessError as e:
++                if e.returncode == 255:
++                    # We have old Samba that doesn't support IPA DC server role
++                    # re-try again with the older variant, upgrade code will
++                    # take care to change the role later when Samba is upgraded
++                    # as well.
++                    self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
++                    self.__write_smb_registry()
+ 
+     def __map_Guests_to_nobody(self):
+         map_Guests_to_nobody()
+@@ -783,7 +794,8 @@ class ADTRUSTInstance(service.Service):
+                              HOST_NETBIOS_NAME = self.host_netbios_name,
+                              SMB_DN = self.smb_dn,
+                              LDAPI_SOCKET = self.ldapi_socket,
+-                             FQDN = self.fqdn)
++                             FQDN = self.fqdn,
++                             SERVER_ROLE=self.SERVER_ROLE_NEW)
+ 
+     def setup(self, fqdn, realm_name, netbios_name,
+               reset_netbios_name, rid_base, secondary_rid_base,
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index e6ff2b27bfca0377d27b8cd91d7f065a8f62010c..065399eef29ab0a1009cd047443c0a0a5a4dddfe 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -367,6 +367,20 @@ def upgrade_adtrust_config():
+         else:
+             logger.warning("Error updating Samba registry: %s", e)
+ 
++    logger.info("[Set 'server role' "
++                "to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]")
++
++    args = [paths.NET, "conf", "setparm", "global",
++            "server role", "IPA PRIMARY DOMAIN CONTROLLER"]
++
++    try:
++        ipautil.run(args)
++    except ipautil.CalledProcessError as e:
++        # Only report an error if return code is not 255
++        # which indicates that the new server role is not supported
++        # and we don't need to do anything
++        if e.returncode != 255:
++            logger.warning("Error updating Samba registry: %s", e)
+ 
+ def ca_configure_profiles_acl(ca):
+     logger.info('[Authorizing RA Agent to modify profiles]')
+-- 
+2.31.1
+
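Review bot: In `__write_smb_registry` the new `except ipautil.CalledProcessError` block acts only when `e.returncode == 255` and otherwise discards the exception, so any other `net conf import` failure that previously propagated now leaves the Samba registry unconfigured with no error; the fallback also re-enters `__write_smb_registry()` with no guard, so a second 255 (for example a Samba build rejecting the classic role too) recurses until the interpreter's limit. Re-raise when the code is not 255 or the classic role is already in `sub_dict`, so the retry happens at most once. The same 255-means-unsupported assumption in `upgrade_adtrust_config` is inferred from Samba's exit codes rather than shown by the visible code, so a comment pointing at where that code is documented would help the next reader. Separately, the patch header attributes the role change to CVE-2020-25717 while this commit's spec changelog cites CVE-2020-25719 for the same patch; worth confirming which identifier is intended.
```python
            # … unchanged: write rendered template to tmp_conf and flush …
            try:
                ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
            except ipautil.CalledProcessError as e:
                # Exit code 255: this Samba predates the IPA DC server role.
                # Fall back to the classic role exactly once; the upgrade code
                # switches the role after Samba itself has been upgraded.
                if (e.returncode != 255
                        or self.sub_dict.get('SERVER_ROLE')
                        == self.SERVER_ROLE_OLD):
                    raise
                self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
                self.__write_smb_registry()
```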
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index dc13b8d..d84bdbe 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From 2178218fdb1d1a8fe2c173d09b1a0dafc8504f3b Mon Sep 17 00:00:00 2001
+From 8d6310399c814bfa89fdca2a94b72a5ab09b1c3b Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 15:48:07 +0000
 Subject: [PATCH] Change branding to IPA and Identity Management
diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
index 868769e..2cc3f3a 100644
--- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch
+++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch
@@ -1,4 +1,4 @@
-From 87b561cd11582ac64d10d2fc0288f6dc93eb1786 Mon Sep 17 00:00:00 2001
+From 80c99f767a503529580d4b14534a3774398ad426 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Tue, 14 Mar 2017 16:07:15 +0000
 Subject: [PATCH] Package copy-schema-to-ca.py
diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
index 7c2f716..c9091c0 100644
--- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
+++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -1,4 +1,4 @@
-From 7f8fdb2a050e72f8a8069e572a957f5ade9c11a8 Mon Sep 17 00:00:00 2001
+From 12ec57b3e8ac5d05fbd28fc9ab9c8f22da13c391 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Wed, 22 Jun 2016 13:53:46 +0200
 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout"
diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch
index 4ab0990..eaccfc3 100644
--- a/SOURCES/1004-Remove-csrgen.patch
+++ b/SOURCES/1004-Remove-csrgen.patch
@@ -1,4 +1,4 @@
-From 117c3b5e46e2ed3cc2e5c74ebe93b6a359c01aba Mon Sep 17 00:00:00 2001
+From 6d108cc59c643b5a9f3acea3a9c5d37fb7ef3252 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta <jcholast@redhat.com>
 Date: Thu, 16 Mar 2017 09:44:21 +0000
 Subject: [PATCH] Remove csrgen
diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch
index 1ee4878..36128a3 100644
--- a/SOURCES/1005-Removing-filesystem-encoding-check.patch
+++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch
@@ -1,4 +1,4 @@
-From a3c7afb55ef0ed4542dd59295ba4ac9b8a77f88d Mon Sep 17 00:00:00 2001
+From 0207539df5773e24ce260368b1f696128aead682 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= <tdudlak@redhat.com>
 Date: Fri, 10 Aug 2018 13:16:38 +0200
 Subject: [PATCH] Removing filesystem encoding check
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 21cae4f..d2d474e 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -45,7 +45,7 @@
 # 1.15.1-36: https://bugzilla.redhat.com/show_bug.cgi?id=1755223
 %global krb5_version 1.15.1-36
 # Require 4.10 for change in ABI for DEBUGLEVEL_CLASS (rename)
-%global samba_version 4.10.0
+%global samba_version 4.10.16-17
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.5-9
 %global selinux_policy_version 3.13.1-224
@@ -103,7 +103,7 @@
 
 Name:           ipa
 Version:        %{IPA_VERSION}
-Release:        5%{?dist}.9
+Release:        5%{?dist}.10
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
@@ -111,9 +111,9 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
@@ -146,6 +146,8 @@ Patch0025:      0025-CA-less-installation-non-ASCII-chars-in-CA-subject.patch
 Patch0026:      0026-ipatests-use-non-ascii-chars-in-CA-less-install.patch
 Patch0027:      0027-Allow-PKINIT-to-be-enabled-when-updating-from-a-pre-.patch
 Patch0028:      0028-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ.patch
+Patch0029:      0029-Fix-cert_request-for-KDC-cert.patch
+Patch0030:      0030-SMB-switch-IPA-domain-controller-role.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002:      1002-Package-copy-schema-to-ca.py.patch
 Patch1003:      1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -195,11 +197,7 @@ BuildRequires: java-1.7.0-openjdk-devel
 # 1.3.3.9: DS_Sleep (https://fedorahosted.org/389/ticket/48005)
 BuildRequires:  389-ds-base-devel >= %{ds_version}
 BuildRequires:  svrcore-devel
-%if 0%{?rhel}
-BuildRequires:  samba-devel >= 4.10.0
-%else
-BuildRequires:  samba-devel >= 2:4.10.0
-%endif
+BuildRequires:  samba-devel >= %{samba_version}
 BuildRequires:  libtalloc-devel
 BuildRequires:  libtevent-devel
 BuildRequires:  libuuid-devel
@@ -406,10 +404,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
-
-%if 0%{?centos} == 0
 Requires: system-logos >= 70.7.0
-%endif
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@@ -966,9 +961,9 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
 # with_python3
 
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 
 
@@ -992,8 +987,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
-           %{linter_options} \
-           --with-ipaplatform=rhel
+           %{linter_options}
 
 %make_build
 
@@ -1014,8 +1008,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
            %{enable_server_option} \
            %{with_ipatests_option} \
-           %{linter_options} \
-           --with-ipaplatform=rhel
+           %{linter_options}
 popd
 %endif
 # with_python3
@@ -1102,11 +1095,9 @@ ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-tes
 # remove files which are useful only for make uninstall
 find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
 
-%if 0%{?centos} == 0
 # RHEL spec file only: START: Replace login-screen-logo.png with a symlink
 ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
 # RHEL spec file only: END: Replace login-screen-logo.png with a symlink
-%endif
 
 %find_lang %{gettext_domain}
 
@@ -1763,8 +1754,11 @@ fi
 
 
 %changelog
-* Tue Oct 12 2021 CentOS Sources <bugs@centos.org> - 4.6.8-5.el7.centos.9
-- Roll in CentOS Branding
+* Thu Dec 02 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.10
+- Resolves: 2025848 - RHEL 8.6 IPA Replica Failed to configure PKINIT setup against a RHEL 7.9 IPA server 
+  - Fix cert_request for KDC cert
+- Resolves: 2021444 - CVE-2020-25719 ipa: samba: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets
+  - SMB: switch IPA domain controller role
 
 * Wed Sep 08 2021 Florence Blanc-Renaud <frenaud@redhat.com> - 4.6.8-5.el7_9.9
 - Resolves: #2000261 - extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT