diff --git a/SOURCES/0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch b/SOURCES/0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch
new file mode 100644
index 0000000..f1497b5
--- /dev/null
+++ b/SOURCES/0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch
@@ -0,0 +1,55 @@
+From 3a4057a37254d6dbb0191da32cd110f7cd50d4e4 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 20 May 2015 18:24:52 +0300
+Subject: [PATCH] ipa-kdb: use proper memory chunk size when moving sids
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1222475
+Reviewed-By: Tomas Babej <tbabej@redhat.com>
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 20 +++++++++++++++++---
+ 1 file changed, 17 insertions(+), 3 deletions(-)
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index e3215db4ea11632dce8f039fc6b89c4a09acd87a..74ee2f3fd4b81bd3433c9ff9c77f7434b72e7f4d 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1397,7 +1397,15 @@ static krb5_error_code filter_logon_info(krb5_context context,
+             if (result) {
+                 filter_logon_info_log_message(info->info->info3.sids[i].sid);
+             } else {
++                /* Go over incoming SID blacklist */
+                 for(k = 0; k < domain->len_sid_blacklist_incoming; k++) {
++                    /* if SID is an exact match, filter it out */
++                    result = dom_sid_check(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid, true);
++                    if (result) {
++                        filter_logon_info_log_message(info->info->info3.sids[i].sid);
++                        break;
++                    }
++                    /* if SID is a suffix of the blacklist element, filter it out*/
+                     result = dom_sid_is_prefix(&domain->sid_blacklist_incoming[k], info->info->info3.sids[i].sid);
+                     if (result) {
+                         filter_logon_info_log_message(info->info->info3.sids[i].sid);
+@@ -1406,11 +1414,17 @@ static krb5_error_code filter_logon_info(krb5_context context,
+                 }
+             }
+             if (result) {
++                k = count - i - j - 1;
++                if (k != 0) {
++                    memmove(info->info->info3.sids+i,
++                            info->info->info3.sids+i+1,
++                            sizeof(struct netr_SidAttr)*k);
++                }
+                 j++;
+-                memmove(info->info->info3.sids+i, info->info->info3.sids+i+1, count-i-1);
++            } else {
++                i++;
+             }
+-            i++;
+-        } while (i < count);
++        } while ((i + j) < count);
+         if (j != 0) {
+             count = count-j;
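Review bot: The added comment `/* if SID is a suffix of the blacklist element, filter it out*/` reads backwards against the call beneath it, which passes `&domain->sid_blacklist_incoming[k]` as the first argument of `dom_sid_is_prefix()`; judging by the function name, it is the blacklist element that must be a prefix of the incoming SID. I would reword it to `/* if the blacklist element is a prefix of the SID, filter it out */`, since a maintainer reading a trust filter should not have to guess the direction of the match. In the compaction branch, `k` is a signed `int` multiplied by `sizeof(struct netr_SidAttr)`, so the `memmove` length is only safe while `i + j < count` holds on entry. The do-while body runs once before that test and any guard on `count` lies outside the hunk, so a short comment such as `/* invariant: i + j < count, so k >= 0 */` above `k = count - i - j - 1;` would help. `filter_logon_info` starts and ends outside the hunk.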
diff --git a/SOURCES/0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch b/SOURCES/0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch
new file mode 100644
index 0000000..18009ed
--- /dev/null
+++ b/SOURCES/0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch
@@ -0,0 +1,155 @@
+From 32b7c1d012a0904420edc61bf94be66253a6c84a Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 28 May 2015 08:33:51 +0000
+Subject: [PATCH] ipa-kdb: filter out group membership from MS-PAC for exact
+ SID matches too
+When incoming SID blacklist contains exact SIDs of users and groups,
+attempt to filter them out as well, according to [MS-PAC]
+Note that we treat user's SID and primary group RID filtering as violation
+of the KDC policy because the resulting MS-PAC will have no user SID or
+primary group and thus will be invalid.
+For group RIDs we filter them out. According to [MS-KILE]
+it is OK to have empty group RIDs array as GroupCount SHOULD be
+equal to Groups.MembershipCount returned by SamrGetGroupsForUser
+[MS-SAMR], not MUST, thus it may be empty.
+Part of fix for https://bugzilla.redhat.com/show_bug.cgi?id=1222475
+Reviewed-By: Tomas Babej <tbabej@redhat.com>
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 100 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 99 insertions(+), 1 deletion(-)
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 74ee2f3fd4b81bd3433c9ff9c77f7434b72e7f4d..3e6024f55071e95c6d40869e31d879baf627a3b9 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1320,6 +1320,22 @@ static void filter_logon_info_log_message(struct dom_sid *sid)
+     }
+ }
++static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
++    char *domstr = NULL;
++    domstr = dom_sid_string(NULL, sid);
++    if (domstr) {
++        krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID [%s-%d] is not allowed "
++                                  "from a trusted source and will be excluded.", domstr, rid);
++        talloc_free(domstr);
++    } else {
++        krb5_klog_syslog(LOG_ERR, "PAC filtering issue: SID is not allowed "
++                                  "from a trusted source and will be excluded."
++                                  "Unable to allocate memory to display SID.");
++    }
+ static krb5_error_code filter_logon_info(krb5_context context,
+                                          TALLOC_CTX *memctx,
+                                          krb5_data realm,
+@@ -1331,9 +1347,21 @@ static krb5_error_code filter_logon_info(krb5_context context,
+      * attempt at getting us to sign fake credentials with the help of a
+      * compromised trusted realm */
++    /* NOTE: there are two outcomes from filtering:
++     * REJECT TICKET -- ticket is rejected if domain SID of
++     *                  the principal with MS-PAC is filtered out or
++     *                  its primary group RID is filtered out
++     *
++     * REMOVE SID    -- SIDs are removed from the list of SIDs associated
++     *                  with the principal if they are filtered out
++     *                  This applies also to secondary RIDs of the principal
++     *                  if domain_sid-<secondary RID> is filtered out
++     */
+     struct ipadb_context *ipactx;
+     struct ipadb_adtrusts *domain;
+-    int i, j, k, count;
++    int i, j, k, l, count;
++    uint32_t rid;
+     bool result;
+     char *domstr = NULL;
+@@ -1380,6 +1408,76 @@ static krb5_error_code filter_logon_info(krb5_context context,
+         }
+     }
++    /* Check if this user's SIDs membership is filtered too */
++    for(k = 0; k < domain->len_sid_blacklist_incoming; k++) {
++        /* Short-circuit if there are no RIDs. This may happen if we filtered everything already.
++         * In normal situation there would be at least primary gid as RID in the RIDs array
++         * but if we filtered out the primary RID, this MS-PAC is invalid */
++        count = info->info->info3.base.groups.count;
++        result = dom_sid_is_prefix(info->info->info3.base.domain_sid,
++                                   &domain->sid_blacklist_incoming[k]);
++        if (result) {
++            i = 0;
++            j = 0;
++            if (domain->sid_blacklist_incoming[k].num_auths - info->info->info3.base.domain_sid->num_auths != 1) {
++                krb5_klog_syslog(LOG_ERR, "Incoming SID blacklist element matching domain [%s with SID %s] "
++                                          "has more than one RID component. Invalid check skipped.",
++                                 domain->domain_name, domain->domain_sid);
++                break;
++            }
++            rid = domain->sid_blacklist_incoming[k].sub_auths[domain->sid_blacklist_incoming[k].num_auths - 1];
++            if (rid == info->info->info3.base.rid) {
++                filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid);
++                /* Actual user's SID is filtered out */
++                return KRB5KDC_ERR_POLICY;
++            }
++            if (rid == info->info->info3.base.primary_gid) {
++                /* User's primary group SID is filtered out */
++                return KRB5KDC_ERR_POLICY;
++            }
++            if (count == 0) {
++                /* Having checked actual user's SID and primary group SID, and having no other RIDs,
++                 * skip checks below and continue to next blacklist element */
++                continue;
++            }
++            do {
++                if (rid == info->info->info3.base.groups.rids[i].rid) {
++                    filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid);
++                    /* If this is just a non-primary RID, we simply remove it from the array of RIDs */
++                    l = count - i - j - 1;
++                    if (l != 0) {
++                         memmove(info->info->info3.base.groups.rids+i,
++                                 info->info->info3.base.groups.rids+i+1,
++                                 sizeof(struct samr_RidWithAttribute)*l);
++                    }
++                    j++;
++                } else {
++                    i++;
++                }
++            } while ((i + j) < count);
++            if (j != 0) {
++                count = count-j;
++                if (count == 0) {
++                    /* All RIDs were filtered out. Unusual but MS-KILE says SHOULD, not MUST for GroupCount */
++                    info->info->info3.base.groups.count = 0;
++                    talloc_free(info->info->info3.base.groups.rids);
++                    info->info->info3.base.groups.rids = NULL;
++                } else {
++                    info->info->info3.base.groups.rids = talloc_realloc(memctx,
++                                                                        info->info->info3.base.groups.rids,
++                                                                        struct samr_RidWithAttribute, count);
++                    if (!info->info->info3.base.groups.rids) {
++                        info->info->info3.base.groups.count = 0;
++                        return ENOMEM;
++                    }
++                    info->info->info3.base.groups.count = count;
++                }
++            }
++        }
++    }
+     /* According to MS-KILE 25.0, info->info->info3.sids may be non zero, so check
+      * should include different possibilities into account
+      * */
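Review bot: In the new RID-filtering loop, the `break;` after the "has more than one RID component. Invalid check skipped." message exits the whole `for(k = 0; k < domain->len_sid_blacklist_incoming; k++)` loop rather than skipping that one element. As written, every blacklist entry after a malformed one is never compared against the user RID, primary group or group RIDs; `continue;` would match the log text and keep the filter from failing open. The `primary_gid` branch returns `KRB5KDC_ERR_POLICY` without calling `filter_logon_info_log_message_rid(info->info->info3.base.domain_sid, rid);`, unlike the user-RID branch directly above it, so that ticket rejection leaves no log line naming the filtered SID. In `filter_logon_info_log_message_rid`, `rid` is `uint32_t` but is formatted with `%d`; `%u` would avoid negative output for large RIDs. `filter_logon_info` continues outside the hunk.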
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin <jperrin@centos.org>
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
- ipaplatform/base/paths.py        | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
-     PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
-     PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
-     ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+    ETC_CENTOS_RELEASE = "/etc/centos-release"
-     RESOLV_CONF = "/etc/resolv.conf"
-     SAMBA_KEYTAB = "/etc/samba/samba.keytab"
-     SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
-         os = ""
-         if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
-             os = "fedora"
-+        elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+            os = "centos"
-         elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
-             os = "rhel"
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index ad0fdfa..401c99c 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -32,7 +32,7 @@
 Name:           ipa
 Version:        4.1.0
-Release:        18%{?dist}.3
+Release:        18%{?dist}.4
 Summary:        The Identity, Policy and Audit system
 Group:          System Environment/Base
@@ -40,10 +40,10 @@ License:        GPLv3+
 URL:            http://www.freeipa.org/
 Source0:        http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity-Management
-#Source1:        header-logo.png
-#Source2:        login-screen-background.jpg
-#Source3:        login-screen-logo.png
-#Source4:        product-name.png
+Source1:        header-logo.png
+Source2:        login-screen-background.jpg
+Source3:        login-screen-logo.png
+Source4:        product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity-Management
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -174,6 +174,8 @@ Patch0123:      0123-certstore-Make-certificate-retrieval-more-robust.patch
 Patch0124:      0124-client-install-Do-not-crash-on-invalid-CA-certificat.patch
 Patch0125:      0125-client-Fix-ca_is_enabled-calls.patch
 Patch0126:      0126-upload_cacrt-Fix-empty-cACertificate-in-cn-CAcert.patch
+Patch0127:      0127-ipa-kdb-use-proper-memory-chunk-size-when-moving-sid.patch
+Patch0128:      0128-ipa-kdb-filter-out-group-membership-from-MS-PAC-for-.patch
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -189,7 +191,6 @@ Patch1011:      1011-Disable-TLS-1.2-in-nss.conf-until-mod_nss-supports-i.patch
 Patch1012:      1012-Expand-the-token-auth-sync-windows.patch
 Patch1013:      1013-extdom-fix-wrong-realloc-size.patch
 Patch1014:      1014-fix-Makefile.am-for-daemons.patch
-Patch1015:      ipa-centos-branding.patch
 # RHEL spec file only: END
 %if ! %{ONLY_CLIENT}
@@ -292,6 +293,9 @@ Requires: selinux-policy >= %{selinux_policy_version}
 Requires(post): selinux-policy-base
 Requires: slapi-nis >= 0.54-2
 Requires: pki-ca >= 10.1.2-5
+%if 0%{?rhel}
+Requires: subscription-manager
 Requires(preun): python systemd-units
 Requires(postun): python systemd-units
 Requires: python-dns >= 1.11.1-2
@@ -304,7 +308,7 @@ Requires: fontawesome-fonts
 Requires: open-sans-fonts
 # RHEL spec file only: DELETED: Disable DNSSEC support
 # RHEL spec file only: START
-# Requires: redhat-access-plugin-ipa
+Requires: redhat-access-plugin-ipa
 # RHEL spec file only: END
 Conflicts: %{alt_name}-server
@@ -478,10 +482,10 @@ for p in %patches ; do
 # Red Hat's Identity Management branding
-# cp %SOURCE1 install/ui/images/header-logo.png
-# cp %SOURCE2 install/ui/images/login-screen-background.jpg
-# cp %SOURCE3 install/ui/images/login-screen-logo.png
-# cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END
@@ -1031,8 +1035,9 @@ fi
 # RHEL spec file only: DELETED: Do not build tests
-* Thu Mar 26 2015 CentOS Sources <bugs@centos.org> - 4.1.0-18.el7.centos.3
-- Roll in CentOS Branding
+* Tue Jul 21 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.4
+- krb5kdc : segfault at 0 ip 00007fa9f64d82bb sp 00007fffd68b2340 error 6 in
+  libc-2.17.so (#1245097)
 * Thu Mar 19 2015 Jan Cholasta <jcholast@redhat.com> - 4.1.0-18.3
 - [ipa-python] ipalib.errors.LDAPError: failed to decode certificate: