diff --git a/.gitignore b/.gitignore
index 34c1a4e..d9c893f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.6.tar.gz
+SOURCES/freeipa-4.9.8.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index ab790ce..15ef586 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
+38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz
diff --git a/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
new file mode 100644
index 0000000..943e986
--- /dev/null
+++ b/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@@ -0,0 +1,70 @@
+From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman <rjeffman@redhat.com>
+Date: Fri, 10 Dec 2021 12:15:36 -0300
+Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
+
+This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
+---
+ freeipa.spec.in             | 4 +---
+ ipaplatform/base/paths.py   | 2 +-
+ ipaplatform/fedora/paths.py | 1 +
+ ipaserver/dnssec/bindmgr.py | 1 -
+ 4 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 8f5c370e5..e20edb7bc 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
+ Requires: bind-dyndb-ldap >= 11.2-2
+ Requires: bind >= %{bind_version}
+ Requires: bind-utils >= %{bind_version}
+-# bind-dnssec-utils is required by the OpenDNSSec integration
+-# https://pagure.io/freeipa/issue/9026
+-Requires: bind-dnssec-utils >= %{bind_version}
+ %if %{with bind_pkcs11}
+ Requires: bind-pkcs11 >= %{bind_version}
++Requires: bind-pkcs11-utils >= %{bind_version}
+ %else
+ Requires: softhsm >= %{softhsm_version}
+ Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 7d21367ec..42a47f1df 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -259,7 +259,7 @@ class BasePathNamespace:
+     IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
+     IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
+     IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
+-    DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
++    DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
+     GETSEBOOL = "/usr/sbin/getsebool"
+     GROUPADD = "/usr/sbin/groupadd"
+     USERMOD = "/usr/sbin/usermod"
+diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
+index 4e993c063..92a948966 100644
+--- a/ipaplatform/fedora/paths.py
++++ b/ipaplatform/fedora/paths.py
+@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
+     NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
+     if HAS_NFS_CONF:
+         SYSCONFIG_NFS = '/etc/nfs.conf'
++    DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
+ 
+ 
+ paths = FedoraPathNamespace()
+diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
+index 0c79cc03d..a15c0e601 100644
+--- a/ipaserver/dnssec/bindmgr.py
++++ b/ipaserver/dnssec/bindmgr.py
+@@ -127,7 +127,6 @@ class BINDMgr:
+         )
+         cmd = [
+             paths.DNSSEC_KEYFROMLABEL,
+-            '-E', 'pkcs11',
+             '-K', workdir,
+             '-a', attrs['idnsSecAlgorithm'][0],
+             '-l', uri
+-- 
+2.31.1
+
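Review bot: The revert commit embedded at the top of the new patch file records only the reverted hash ("This reverts commit f89d59b6...") and gives no reason, so a later maintainer cannot tell whether dropping `'-E', 'pkcs11'` from the `dnssec-keyfromlabel` command line in bindmgr.py and pointing the base `DNSSEC_KEYFROMLABEL` at `/usr/sbin/dnssec-keyfromlabel-pkcs11` is a packaging workaround or a functional requirement of this downstream build; add one sentence under the revert line, e.g. `Reverted because <REASON-PLACEHOLDER>; see <DOWNSTREAM-TICKET-PLACEHOLDER>.` Note also that the spec hunk adds `Requires: bind-pkcs11-utils` only inside `%if %{with bind_pkcs11}`, while the base path namespace now names the `-pkcs11` binary unconditionally and only the Fedora namespace overrides it back to `/usr/sbin/dnssec-keyfromlabel`; on a build with bind_pkcs11 disabled and no platform override, nothing visible in this patch pulls in the `-pkcs11` tool, which may be intended here but is worth stating in the same message. Since this tool is what binds DNSSEC signing keys to the HSM/PKCS#11 token, a silent mismatch between the packaged binary and the configured path would surface only at key generation time, so the rationale is worth recording where the package history is read.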
diff --git a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
deleted file mode 100644
index 22f37ad..0000000
--- a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Jun 2021 14:36:51 +0200
-Subject: [PATCH] paths: add IPA_SERVER_CONF
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Related: https://pagure.io/freeipa/issue/8891
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Stanislav Levin <slev@altlinux.org>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaplatform/base/paths.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 91423b332..de217d9ef 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -71,6 +71,7 @@ class BasePathNamespace:
-     IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
-     IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
-     IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
-+    IPA_SERVER_CONF = "/etc/ipa/server.conf"
-     DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
-     DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
-     DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
--- 
-2.31.1
-
-From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Jun 2021 14:45:49 +0200
-Subject: [PATCH] ipatests: smoke test for server debug mode.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add a smoke test to make sure the server can be set in debug mode
-without issue.
-
-Related: https://pagure.io/freeipa/issue/8891
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Stanislav Levin <slev@altlinux.org>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- .../test_integration/test_installation.py     | 27 +++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index 301767b8d..0c96536f0 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
-     def test_install_master(self):
-         tasks.install_master(self.master, setup_dns=False)
- 
-+    @pytest.mark.skip_if_platform(
-+        "debian", reason="This test hardcodes the httpd service name"
-+    )
-+    def test_smoke_test_for_debug_mode(self):
-+        """Test if an IPA server works in debug mode.
-+        Related: https://pagure.io/freeipa/issue/8891
-+
-+        Note: this test hardcodes the "httpd" service name.
-+        """
-+
-+        target_fname = paths.IPA_SERVER_CONF
-+        assert not self.master.transport.file_exists(target_fname)
-+
-+        # set the IPA server in debug mode
-+        server_conf = "[global]\ndebug=True"
-+        self.master.put_file_contents(target_fname, server_conf)
-+        self.master.run_command(["systemctl", "restart", "httpd"])
-+
-+        # smoke test in debug mode
-+        tasks.kdestroy_all(self.master)
-+        tasks.kinit_admin(self.master)
-+        self.master.run_command(["ipa", "user-show", "admin"])
-+
-+        # rollback
-+        self.master.run_command(["rm", target_fname])
-+        self.master.run_command(["systemctl", "restart", "httpd"])
-+
-     def test_schema_compat_attribute_and_tree_disable(self):
-         """Test if schema-compat-entry-attribute is set
- 
--- 
-2.31.1
-
-From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 23 Jun 2021 06:35:19 +0200
-Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-perf_counter_ns is only available in Python 3.7 and later.
-Define a lambda for 3.6 and lower.
-
-Fixes: https://pagure.io/freeipa/issue/8891
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Stanislav Levin <slev@altlinux.org>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/rpcserver.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
-index b121316bf..e612528e0 100644
---- a/ipaserver/rpcserver.py
-+++ b/ipaserver/rpcserver.py
-@@ -31,6 +31,7 @@ import os
- import time
- import traceback
- from io import BytesIO
-+from sys import version_info
- from urllib.parse import parse_qs
- from xmlrpc.client import Fault
- 
-@@ -72,6 +73,10 @@ from requests.auth import AuthBase
- if six.PY3:
-     unicode = str
- 
-+# time.perf_counter_ns appeared in Python 3.7.
-+if version_info < (3, 7):
-+    time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
-+
- logger = logging.getLogger(__name__)
- 
- HTTP_STATUS_SUCCESS = '200 Success'
--- 
-2.31.1
-
diff --git a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
deleted file mode 100644
index 81b6c45..0000000
--- a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
+++ /dev/null
@@ -1,272 +0,0 @@
-From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Mon, 8 Mar 2021 18:15:50 +0100
-Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
- services
-
-Authentication indicators should not be enforced against internal
-IPA services, since not all users of those services are able to produce
-Kerberos tickets with all the auth indicator options. This includes
-host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
-If a client that is being promoted to replica has an auth indicator
-in its host principal then the promotion is aborted.
-
-Fixes: https://pagure.io/freeipa/issue/8206
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
- ipaserver/install/server/replicainstall.py | 13 ++++++++++++
- ipaserver/plugins/host.py                  |  5 ++++-
- ipaserver/plugins/service.py               | 24 ++++++++++++++++++++++
- 3 files changed, 41 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 73967a224..f1fb91036 100644
---- a/ipaserver/install/server/replicainstall.py
-+++ b/ipaserver/install/server/replicainstall.py
-@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
-         ))
- 
- 
-+def promotion_check_host_principal_auth_ind(conn, hostdn):
-+    entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
-+    if 'krbprincipalauthind' in entry:
-+        raise RuntimeError(
-+            "Client cannot be promoted to a replica if the host principal "
-+            "has an authentication indicator set."
-+        )
-+
-+
- @common_cleanup
- @preserve_enrollment_state
- def promote_check(installer):
-@@ -956,6 +965,10 @@ def promote_check(installer):
-                                      config.master_host_name, None)
- 
-         promotion_check_ipa_domain(conn, remote_api.env.basedn)
-+        hostdn = DN(('fqdn', api.env.host),
-+                    api.env.container_host,
-+                    api.env.basedn)
-+        promotion_check_host_principal_auth_ind(conn, hostdn)
- 
-         # Make sure that domain fulfills minimal domain level
-         # requirement
-diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
-index eb1f8ef04..41fa933e2 100644
---- a/ipaserver/plugins/host.py
-+++ b/ipaserver/plugins/host.py
-@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
-                                      LDAPAddAttributeViaOption,
-                                      LDAPRemoveAttributeViaOption)
- from .service import (
--    validate_realm, normalize_principal,
-+    validate_realm, validate_auth_indicator, normalize_principal,
-     set_certificate_attrs, ticket_flags_params, update_krbticketflags,
-     set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
-     rename_ipaallowedtoperform_to_ldap, revoke_certs)
-@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
-         update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
-         if 'krbticketflags' in entry_attrs:
-             entry_attrs['objectclass'].append('krbticketpolicyaux')
-+        validate_auth_indicator(entry_attrs)
-+
-         return dn
- 
-     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
-             if 'krbprincipalaux' not in (item.lower() for item in
-                                          entry_attrs['objectclass']):
-                 entry_attrs['objectclass'].append('krbprincipalaux')
-+            validate_auth_indicator(entry_attrs)
- 
-         add_sshpubkey_to_attrs_pre(self.context, attrs_list)
- 
-diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
-index 1c9347804..cfbbff3c6 100644
---- a/ipaserver/plugins/service.py
-+++ b/ipaserver/plugins/service.py
-@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
-         raise errors.RealmMismatch()
- 
- 
-+def validate_auth_indicator(entry):
-+    new_value = entry.get('krbprincipalauthind', None)
-+    if not new_value:
-+        return
-+    # The following services are considered internal IPA services
-+    # and shouldn't be allowed to have auth indicators.
-+    # https://pagure.io/freeipa/issue/8206
-+    pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
-+    principal = kerberos.Principal(pkey)
-+    server = api.Command.server_find(principal.hostname)['result']
-+    if server:
-+        prefixes = ("host", "cifs", "ldap", "HTTP")
-+    else:
-+        prefixes = ("cifs",)
-+    if principal.service_name in prefixes:
-+        raise errors.ValidationError(
-+            name='krbprincipalauthind',
-+            error=_('authentication indicators not allowed '
-+                    'in service "%s"' % principal.service_name)
-+        )
-+
-+
- def normalize_principal(value):
-     """
-     Ensure that the name in the principal is lower-case. The realm is
-@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
-                     hostname)
- 
-         self.obj.validate_ipakrbauthzdata(entry_attrs)
-+        validate_auth_indicator(entry_attrs)
- 
-         if not options.get('force', False):
-             # We know the host exists if we've gotten this far but we
-@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
-         assert isinstance(dn, DN)
- 
-         self.obj.validate_ipakrbauthzdata(entry_attrs)
-+        validate_auth_indicator(entry_attrs)
- 
-         # verify certificates
-         certs = entry_attrs.get('usercertificate') or []
--- 
-2.31.1
-
-From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Mon, 8 Mar 2021 18:20:35 +0100
-Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
- IPA services
-
-Authentication indicators should not be added to internal IPA services,
-since this can lead to a broken IPA setup. In case a client with
-an auth indicator set in its host principal, promoting it to a replica
-should fail.
-
-Related: https://pagure.io/freeipa/issue/8206
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
- .../test_replica_promotion.py                 | 38 +++++++++++++++++++
- ipatests/test_xmlrpc/test_host_plugin.py      | 10 +++++
- ipatests/test_xmlrpc/test_service_plugin.py   | 21 ++++++++++
- 3 files changed, 69 insertions(+)
-
-diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
-index 0a137dbdc..b9c56f775 100644
---- a/ipatests/test_integration/test_replica_promotion.py
-+++ b/ipatests/test_integration/test_replica_promotion.py
-@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
-         assert result.returncode == 1
-         assert expected_err in result.stderr_text
- 
-+    @replicas_cleanup
-+    def test_install_with_host_auth_ind_set(self):
-+        """ A client shouldn't be able to be promoted if it has
-+        any auth indicator set in the host principal.
-+        https://pagure.io/freeipa/issue/8206
-+        """
-+
-+        client = self.replicas[0]
-+        # Configure firewall first
-+        Firewall(client).enable_services(["freeipa-ldap",
-+                                          "freeipa-ldaps"])
-+
-+        client.run_command(['ipa-client-install', '-U',
-+                            '--domain', self.master.domain.name,
-+                            '--realm', self.master.domain.realm,
-+                            '-p', 'admin',
-+                            '-w', self.master.config.admin_password,
-+                            '--server', self.master.hostname,
-+                            '--force-join'])
-+
-+        tasks.kinit_admin(client)
-+
-+        client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
-+                            client.hostname])
-+
-+        res = client.run_command(['ipa-replica-install', '-U', '-w',
-+                                  self.master.config.dirman_password],
-+                                 raiseonerr=False)
-+
-+        client.run_command(['ipa', 'host-mod', '--auth-ind=',
-+                            client.hostname])
-+
-+        expected_err = ("Client cannot be promoted to a replica if the host "
-+                        "principal has an authentication indicator set.")
-+        assert res.returncode == 1
-+        assert expected_err in res.stderr_text
-+
-+
-     @replicas_cleanup
-     def test_one_command_installation(self):
-         """
-diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
-index c66bbc865..9cfde3565 100644
---- a/ipatests/test_xmlrpc/test_host_plugin.py
-+++ b/ipatests/test_xmlrpc/test_host_plugin.py
-@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
-                 error=u'An IPA master host cannot be deleted or disabled')):
-             command()
- 
-+    def test_try_add_auth_ind_master(self, this_host):
-+        command = this_host.make_update_command({
-+            u'krbprincipalauthind': u'radius'})
-+        with raises_exact(errors.ValidationError(
-+            name='krbprincipalauthind',
-+            error=u'authentication indicators not allowed '
-+                'in service "host"'
-+        )):
-+            command()
-+
- 
- @pytest.mark.tier1
- class TestValidation(XMLRPC_test):
-diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
-index 4c845938c..ed634a045 100644
---- a/ipatests/test_xmlrpc/test_service_plugin.py
-+++ b/ipatests/test_xmlrpc/test_service_plugin.py
-@@ -25,6 +25,7 @@ from ipalib import api, errors
- from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
- from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
- from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
-+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
- from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
-@@ -1552,6 +1553,15 @@ def indicators_host(request):
-     return tracker.make_fixture(request)
- 
- 
-+@pytest.fixture(scope='function')
-+def this_host(request):
-+    """Fixture for the current master"""
-+    tracker = HostTracker(name=api.env.host.partition('.')[0],
-+                          fqdn=api.env.host)
-+    tracker.exists = True
-+    return tracker
-+
-+
- @pytest.fixture(scope='function')
- def indicators_service(request):
-     tracker = ServiceTracker(
-@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
-             expected_updates={u'krbprincipalauthind': [u'radius']}
-         )
- 
-+    def test_update_indicator_internal_service(self, this_host):
-+        command = this_host.make_command('service_mod',
-+                                         'ldap/' + this_host.fqdn,
-+                                         **dict(krbprincipalauthind='otp'))
-+        with raises_exact(errors.ValidationError(
-+            name='krbprincipalauthind',
-+            error=u'authentication indicators not allowed '
-+                 'in service "ldap"'
-+        )):
-+            command()
-+
- 
- @pytest.fixture(scope='function')
- def managing_host(request):
--- 
-2.31.1
-
diff --git a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
deleted file mode 100644
index 7934afd..0000000
--- a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 5 Jul 2021 09:51:41 +0200
-Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
-
-The command
-ipa stageuser-add --user-auth-type=xxx
-is currently failing because the objectclass ipauserauthtypeclass
-is missing from the created entry.
-
-There is code adding the missing objectclass in the
-pre_common_callback method of user_add, and this code should
-be common to user_add and stageuser_add. In order to avoid code
-duplication, it makes more sense to move the existing code to
-pre_common_callback of baseuser_add, that is called by both
-classes.
-
-Fixes: https://pagure.io/freeipa/issue/8909
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/plugins/baseuser.py | 3 +++
- ipaserver/plugins/user.py     | 4 ----
- 2 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
-index ae16a978a..6035228f1 100644
---- a/ipaserver/plugins/baseuser.py
-+++ b/ipaserver/plugins/baseuser.py
-@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
-         if entry_attrs.get('ipatokenradiususername', None):
-             add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
-                                      entry_attrs, update=False)
-+        if entry_attrs.get('ipauserauthtype', None):
-+            add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
-+                                     entry_attrs, update=False)
- 
-     def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
-         assert isinstance(dn, DN)
-diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
-index 6f7facb53..e4ee572b2 100644
---- a/ipaserver/plugins/user.py
-+++ b/ipaserver/plugins/user.py
-@@ -617,10 +617,6 @@ class user_add(baseuser_add):
-            'ipauser' not in entry_attrs['objectclass']:
-             entry_attrs['objectclass'].append('ipauser')
- 
--        if 'ipauserauthtype' in entry_attrs and \
--           'ipauserauthtypeclass' not in entry_attrs['objectclass']:
--            entry_attrs['objectclass'].append('ipauserauthtypeclass')
--
-         rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
-         if rcl:
-             if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
--- 
-2.31.1
-
-From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 5 Jul 2021 10:22:31 +0200
-Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
-
-Related: https://pagure.io/freeipa/issue/8909
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
-index 5586fc607..bc606b093 100644
---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
-+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
-@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
-         result = command()
-         assert result['count'] == 1
- 
-+    def test_create_withuserauthtype(self, stageduser):
-+        stageduser.ensure_missing()
-+        command = stageduser.make_create_command(
-+            options={u'ipauserauthtype': u'password'})
-+        command()
-+
- 
- @pytest.mark.tier1
- class TestCreateInvalidAttributes(XMLRPC_test):
--- 
-2.31.1
-
diff --git a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
deleted file mode 100644
index 83182ce..0000000
--- a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Wed, 7 Jul 2021 14:11:40 +0200
-Subject: [PATCH] man page: update ipa-server-upgrade.1
-
-The man page needs to clarify in which case the command needs
-to be run.
-
-Fixes: https://pagure.io/freeipa/issue/8913
-Reviewed-By: Francois Cami <fcami@redhat.com>
----
- install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
-index 3db19b0f1..f01e21c6b 100644
---- a/install/tools/man/ipa-server-upgrade.1
-+++ b/install/tools/man/ipa-server-upgrade.1
-@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
- .SH "SYNOPSIS"
- ipa\-server\-upgrade [options]
- .SH "DESCRIPTION"
--ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
-+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
-+the IPA packages are being updated. It is not intended to be executed by
-+end\-users, unless the automatic execution reports an error. In this case,
-+the administrator needs to identify and fix the issue that is causing the
-+upgrade failure (with the help of /var/log/ipaupgrade.log)
-+and manually re\-run ipa\-server\-upgrade.
- 
- ipa\-server\-upgrade will:
- 
--- 
-2.31.1
-
diff --git a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
deleted file mode 100644
index 069d106..0000000
--- a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 12 Jul 2021 11:02:10 -0400
-Subject: [PATCH] Fall back to krbprincipalname when validating host auth
- indicators
-
-When adding a new host the principal cannot be determined because it
-relies on either:
-
-a) an entry to already exist
-b) krbprincipalname be a component of the dn
-
-As a result the full dn is being passed into ipapython.Kerberos
-which can't parse it.
-
-Look into the entry in validate_validate_auth_indicator() for
-krbprincipalname in this case.
-
-https://pagure.io/freeipa/issue/8206
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipaserver/plugins/service.py             |  5 +++++
- ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
- 2 files changed, 16 insertions(+)
-
-diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
-index cfbbff3c6..498f5e444 100644
---- a/ipaserver/plugins/service.py
-+++ b/ipaserver/plugins/service.py
-@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
-     # and shouldn't be allowed to have auth indicators.
-     # https://pagure.io/freeipa/issue/8206
-     pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
-+    if pkey == str(entry.dn):
-+        # krbcanonicalname may not be set yet if this is a host entry,
-+        # try krbprincipalname
-+        if 'krbprincipalname' in entry:
-+            pkey = entry['krbprincipalname']
-     principal = kerberos.Principal(pkey)
-     server = api.Command.server_find(principal.hostname)['result']
-     if server:
-diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
-index 9cfde3565..ff50e796c 100644
---- a/ipatests/test_xmlrpc/test_host_plugin.py
-+++ b/ipatests/test_xmlrpc/test_host_plugin.py
-@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
-         )):
-             command()
- 
-+    def test_add_non_master_with_auth_ind(self, host5):
-+        host5.ensure_missing()
-+        command = host5.make_command(
-+            'host_add', host5.fqdn, krbprincipalauthind=['radius'],
-+            force=True
-+        )
-+        result = command()
-+        # The fact that the command succeeds exercises the change but
-+        # let's check the indicator as well.
-+        assert result['result']['krbprincipalauthind'] == ('radius',)
-+
- 
- @pytest.mark.tier1
- class TestValidation(XMLRPC_test):
--- 
-2.31.1
-
diff --git a/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch b/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
deleted file mode 100644
index 3f83c40..0000000
--- a/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 16 Jul 2021 09:20:33 +0300
-Subject: [PATCH] rhel platform: add a named crypto-policy support
-
-RHEL 8+ provides bind system-wide crypto policy support, enable it.
-
-Fixes: https://pagure.io/freeipa/issue/8925
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- ipaplatform/rhel/paths.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
-index c081ada32..3631550eb 100644
---- a/ipaplatform/rhel/paths.py
-+++ b/ipaplatform/rhel/paths.py
-@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
- 
- 
- class RHELPathNamespace(RedHatPathNamespace):
-+    NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
-     if HAS_NFS_CONF:
-         SYSCONFIG_NFS = '/etc/nfs.conf'
- 
--- 
-2.31.1
-
diff --git a/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch b/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
deleted file mode 100644
index 34b33c7..0000000
--- a/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 30 Aug 2021 16:44:47 -0400
-Subject: [PATCH] Catch and log errors when adding CA profiles
-
-Rather than stopping the installer entirely, catch and report
-errors adding new certificate profiles, and remove the
-broken profile entry from LDAP so it may be re-added later.
-
-It was discovered that installing a newer IPA that has the
-ACME profile which requires sanToCNDefault will fail when
-installing a new server against a very old one that lacks
-this class.
-
-Running ipa-server-upgrade post-install will add the profile
-and generate the missing ipa-ca SAN record so that ACME
-can work.
-
-https://pagure.io/freeipa/issue/8974
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipaserver/install/cainstance.py | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index 9e842b33e..8c8bf1b3a 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -1973,8 +1973,17 @@ def import_included_profiles():
- 
-             # Create the profile, replacing any existing profile of same name
-             profile_data = __get_profile_config(profile_id)
--            _create_dogtag_profile(profile_id, profile_data, overwrite=True)
--            logger.debug("Imported profile '%s'", profile_id)
-+            try:
-+                _create_dogtag_profile(profile_id, profile_data,
-+                                       overwrite=True)
-+            except errors.HTTPRequestError as e:
-+                logger.warning("Failed to import profile '%s': %s. Running "
-+                               "ipa-server-upgrade when installation is "
-+                               "completed may resolve this issue.",
-+                               profile_id, e)
-+                conn.delete_entry(entry)
-+            else:
-+                logger.debug("Imported profile '%s'", profile_id)
-         else:
-             logger.debug(
-                 "Profile '%s' is already in LDAP; skipping", profile_id
--- 
-2.31.1
-
diff --git a/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch b/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
deleted file mode 100644
index 14a8b03..0000000
--- a/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 30 Aug 2021 18:40:24 +0200
-Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
-
-On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
-
-According to gcrypt manual
-(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
-/proc/cpuinfo is used on ARM architecture to read the hardware
-capabilities of the CPU. This explains why the issue happens only
-on aarch64.
-
-audit2allow suggests to add the following:
-allow ipa_custodia_t proc_t:file { getattr open read };
-
-but this policy would be too broad. Instead, the patch is using
-the interface kernel_read_system_state.
-
-Fixes: https://pagure.io/freeipa/issue/8972
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 68e109419..7492fca04 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
- 
- kernel_dgram_send(ipa_custodia_t)
- kernel_read_network_state(ipa_custodia_t)
-+kernel_read_system_state(ipa_custodia_t)
- 
- auth_read_passwd(ipa_custodia_t)
- 
--- 
-2.31.1
-
diff --git a/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch b/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
deleted file mode 100644
index e88902d..0000000
--- a/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 25 Aug 2021 17:10:29 +0200
-Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
-
-If a client sends a request to lookup an object from a given trusted
-domain by UID or GID and an object with matching ID is only found in a
-different domain the extdom should return LDAP_NO_SUCH_OBJECT to
-indicate to the client that the requested ID does not exists in the
-given domain.
-
-Resolves: https://pagure.io/freeipa/issue/8965
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- .../ipa-extdom-extop/ipa_extdom_common.c                  | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
-index 5d97ff613..6f646b9f4 100644
---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
-+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
-@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
-         if (strcasecmp(locat+1, domain_name) == 0  ) {
-             locat[0] = '\0';
-         } else {
--            ret = LDAP_INVALID_SYNTAX;
-+            /* The found object is from a different domain than requested,
-+             * that means it does not exist in the requested domain */
-+            ret = LDAP_NO_SUCH_OBJECT;
-             goto done;
-         }
-     }
-@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
-         if (strcasecmp(locat+1, domain_name) == 0  ) {
-             locat[0] = '\0';
-         } else {
--            ret = LDAP_INVALID_SYNTAX;
-+            /* The found object is from a different domain than requested,
-+             * that means it does not exist in the requested domain */
-+            ret = LDAP_NO_SUCH_OBJECT;
-             goto done;
-         }
-     }
--- 
-2.31.1
-
diff --git a/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch b/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
deleted file mode 100644
index 8ea12a5..0000000
--- a/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Tue, 7 Sep 2021 17:06:53 +0200
-Subject: [PATCH] migrate-ds: workaround to detect compat tree
-
-Migrate-ds needs to check if compat tree is enabled before
-migrating users and groups. The check is doing a base
-search on cn=compat,$SUFFIX and considers the compat tree
-enabled when the entry exists.
-
-Due to a bug in slapi-nis, the base search may return NotFound
-even though the compat tree is enabled. The workaround is to
-perform a base search on cn=users,cn=compat,$SUFFIX instead.
-
-Fixes: https://pagure.io/freeipa/issue/8984
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/plugins/migration.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
-index db5241915..6ee205fc8 100644
---- a/ipaserver/plugins/migration.py
-+++ b/ipaserver/plugins/migration.py
-@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
-         # check whether the compat plugin is enabled
-         if not options.get('compat'):
-             try:
--                ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
-+                ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
-+                                  (api.env.basedn)))
-                 return dict(result={}, failed={}, enabled=True, compat=False)
-             except errors.NotFound:
-                 pass
--- 
-2.31.1
-
diff --git a/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch b/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
deleted file mode 100644
index 450a75e..0000000
--- a/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Thu, 5 Aug 2021 20:03:21 +0530
-Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
- tree.
-
-Added test to verify that ldapsearch for compat tree
-with scope base and sub is not failing.
-
-Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipatests/test_integration/test_commands.py | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
-index 2035ced56..e3a0d867e 100644
---- a/ipatests/test_integration/test_commands.py
-+++ b/ipatests/test_integration/test_commands.py
-@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
-         # Run the command again after cache is removed
-         self.master.run_command(['ipa', 'user-show', 'ipauser1'])
- 
-+    def test_basesearch_compat_tree(self):
-+        """Test ldapsearch against compat tree is working
-+
-+        This to ensure that ldapsearch with base scope is not failing.
-+
-+        related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
-+        """
-+        tasks.kinit_admin(self.master)
-+        base_dn = str(self.master.domain.basedn)
-+        base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
-+        tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
-+        tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
-+
- 
- class TestIPAautomount(IntegrationTest):
-     @classmethod
--- 
-2.31.1
-
-From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Thu, 5 Aug 2021 20:23:15 +0530
-Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
-
-slapi-nis with fix is not part of fedora yet.
-test requires with fix:
-https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipatests/test_integration/test_commands.py | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
-index e3a0d867e..4d9a81652 100644
---- a/ipatests/test_integration/test_commands.py
-+++ b/ipatests/test_integration/test_commands.py
-@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
- from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
- from ipapython.ipautil import realm_to_suffix, ipa_generate_password
- from ipaserver.install.installutils import realm_to_serverid
-+from pkg_resources import parse_version
- 
- logger = logging.getLogger(__name__)
- 
-@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
- 
-         related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
-         """
-+        version = self.master.run_command(
-+            ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
-+        )
-+        if tasks.get_platform(self.master) == "fedora" and parse_version(
-+                version.stdout_text) <= parse_version("0.56.7"):
-+            pytest.skip("Test requires slapi-nis with fix on fedora")
-         tasks.kinit_admin(self.master)
-         base_dn = str(self.master.domain.basedn)
-         base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
--- 
-2.31.1
-
diff --git a/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch b/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
deleted file mode 100644
index a223c94..0000000
--- a/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Mon, 9 Aug 2021 20:57:22 +0530
-Subject: [PATCH] ipatests: Test unsecure nsupdate.
-
-The test configures an external bind server on the ipa-server
-(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
-
-When the IPA client is registered using ipa-client-install,
-DNS records are added for the client in the bind server using nsupdate.
-The first try is using GSS-TIG but fails as expected, and the client
-installer then tries with unauthenticated nsupdate.
-
-Related : https://pagure.io/freeipa/issue/8402
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- .../test_installation_client.py               | 118 ++++++++++++++++++
- 1 file changed, 118 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
-index fa59a5255..014b0f6ab 100644
---- a/ipatests/test_integration/test_installation_client.py
-+++ b/ipatests/test_integration/test_installation_client.py
-@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
- 
- from __future__ import absolute_import
- 
-+import pytest
-+import re
- import shlex
-+import textwrap
- 
-+from ipaplatform.paths import paths
- from ipatests.test_integration.base import IntegrationTest
- from ipatests.pytest_ipa.integration import tasks
-+from ipatests.pytest_ipa.integration.firewall import Firewall
- 
- 
- class TestInstallClient(IntegrationTest):
-@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
-                              extra_args=['--ssh-trust-dns'])
-         result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
-         assert 'HostKeyAlgorithms' not in result.stdout_text
-+
-+
-+class TestClientInstallBind(IntegrationTest):
-+    """
-+    The test configures an external bind server on the ipa-server
-+    (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
-+    When the IPA client is registered using ipa-client-install,
-+    DNS records are added for the client in the bind server using nsupdate.
-+    The first try is using GSS-TIG but fails as expected, and the client
-+    installer then tries with unauthenticated nsupdate.
-+    """
-+
-+    num_clients = 1
-+
-+    @classmethod
-+    def install(cls, mh):
-+        cls.client = cls.clients[0]
-+
-+    @pytest.fixture
-+    def setup_bindserver(self):
-+        bindserver = self.master
-+        named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
-+        # create a zone in the BIND server that is identical to the IPA
-+        add_zone = textwrap.dedent("""
-+        zone "{domain}" IN {{ type master;
-+        file "{domain}.db"; allow-query {{ any; }};
-+        allow-update {{ any; }}; }};
-+        """).format(domain=bindserver.domain.name)
-+
-+        namedcfg = bindserver.get_file_contents(
-+            paths.NAMED_CONF, encoding='utf-8')
-+        namedcfg += '\n' + add_zone
-+        bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
-+
-+        def update_contents(path, pattern, replace):
-+            contents = bindserver.get_file_contents(path, encoding='utf-8')
-+            namedcfg_query = re.sub(pattern, replace, contents)
-+            bindserver.put_file_contents(path, namedcfg_query)
-+
-+        update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
-+        update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
-+                        "#listen-on port 53 { 127.0.0.1; };")
-+        update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
-+                        "#listen-on-v6 port 53 { ::1; };")
-+
-+        add_records = textwrap.dedent("""
-+        @   IN  SOA     {fqdn}. root.{domain}. (
-+        1001    ;Serial
-+        3H      ;Refresh
-+        15M     ;Retry
-+        1W      ;Expire
-+        1D      ;Minimum 1D
-+        )
-+        @      IN  NS      {fqdn}.
-+        ns1 IN  A       {bindserverip}
-+        _kerberos.{domain}. IN TXT {zoneupper}
-+        {fqdn}.    IN  A       {bindserverip}
-+        ipa-ca.{domain}.        IN  A       {bindserverip}
-+        _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
-+        _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
-+        _kerberos._tcp.{domain}. 	IN SRV 0 100 88 {fqdn}.
-+        _kerberos._udp.{domain}. 	IN SRV 0 100 88 {fqdn}.
-+        _kpasswd._tcp.{domain}. 	IN SRV 0 100 464 {fqdn}.
-+        _kpasswd._udp.{domain}. 	IN SRV 0 100 464 {fqdn}.
-+        _ldap._tcp.{domain}. 		IN SRV 0 100 389 {fqdn}.
-+        """).format(
-+            fqdn=bindserver.hostname,
-+            domain=bindserver.domain.name,
-+            bindserverip=bindserver.ip,
-+            zoneupper=bindserver.domain.name.upper()
-+        )
-+        bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
-+        bindserver.put_file_contents(bindserverdb, add_records)
-+        bindserver.run_command(['systemctl', 'start', 'named'])
-+        Firewall(bindserver).enable_services(["dns"])
-+        yield
-+        named_conf_backup.restore()
-+        bindserver.run_command(['rm', '-rf', bindserverdb])
-+
-+    def test_client_nsupdate(self, setup_bindserver):
-+        """Test secure nsupdate failed, then try unsecure nsupdate..
-+
-+        Test to verify when bind is configured with dynamic update policy,
-+        and during client-install 'nsupdate -g' fails then it should run with
-+        second call using unauthenticated nsupdate.
-+
-+        Related : https://pagure.io/freeipa/issue/8402
-+        """
-+        # with pre-configured bind server, install ipa-server without dns.
-+        tasks.install_master(self.master, setup_dns=False)
-+        self.client.resolver.backup()
-+        self.client.resolver.setup_resolver(
-+            self.master.ip, self.master.domain.name)
-+        try:
-+            self.client.run_command(['ipa-client-install', '-U',
-+                                     '--domain', self.client.domain.name,
-+                                     '--realm', self.client.domain.realm,
-+                                     '-p', self.client.config.admin_name,
-+                                     '-w', self.client.config.admin_password,
-+                                     '--server', self.master.hostname])
-+            # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
-+            str1 = "nsupdate (GSS-TSIG) failed"
-+            str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
-+            client_log = self.client.get_file_contents(
-+                paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
-+            )
-+            assert str1 in client_log and str2 in client_log
-+            dig_after = self.client.run_command(
-+                ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
-+                 '-t', 'SSHFP'])
-+            assert "ANSWER: 0" not in dig_after.stdout_text.strip()
-+        finally:
-+            self.client.resolver.restore()
--- 
-2.31.1
-
diff --git a/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch b/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
deleted file mode 100644
index 739e7c3..0000000
--- a/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 9 Sep 2021 15:26:55 -0400
-Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
-
-usercertificate often has a subclass and both the plain and
-subclassed (binary) values are queried. I'm concerned that
-they are used more or less interchangably in places so not
-caching these entries is the safest path forward for now until
-we can dedicate the time to find all usages, determine their
-safety and/or perhaps handle this gracefully within the cache
-now.
-
-What we see in this bug is that usercertificate;binary holds the
-first certificate value but a user-mod is done with
-setattr usercertificate=<new_cert>. Since there is no
-usercertificate value (remember, it's usercertificate;binary)
-a replace is done and 389-ds wipes the existing value as we've
-asked it to.
-
-I'm not comfortable with simply treating them the same because
-in LDAP they are not.
-
-https://pagure.io/freeipa/issue/8986
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Francois Cami <fcami@redhat.com>
-Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
----
- ipapython/ipaldap.py | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
-index f94b784d6..ced8f1bd6 100644
---- a/ipapython/ipaldap.py
-+++ b/ipapython/ipaldap.py
-@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
-                         entry=None, exception=None):
-         # idnsname - caching prevents delete when mod value to None
-         # cospriority - in a Class of Service object, uncacheable
--        # TODO - usercertificate was banned at one point and I don't remember
--        #        why...
--        BANNED_ATTRS = {'idnsname', 'cospriority'}
-+        # usercertificate* - caching subtypes is tricky, trade less
-+        #                    complexity for performance
-+        #
-+        # TODO: teach the cache about subtypes
-+
-+        BANNED_ATTRS = {
-+            'idnsname',
-+            'cospriority',
-+            'usercertificate',
-+            'usercertificate;binary'
-+        }
-         if not self._enable_cache:
-             return
- 
--- 
-2.31.1
-
-From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 10 Sep 2021 09:01:48 -0400
-Subject: [PATCH] ipatests: Test that a user can be issued multiple
- certificates
-
-Prevent regressions in the LDAP cache layer that caused newly
-issued certificates to overwrite existing ones.
-
-https://pagure.io/freeipa/issue/8986
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Francois Cami <fcami@redhat.com>
-Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
----
- ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-
-diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
-index 7d51b76ee..b4e85eadc 100644
---- a/ipatests/test_integration/test_cert.py
-+++ b/ipatests/test_integration/test_cert.py
-@@ -16,6 +16,7 @@ import string
- import time
- 
- from ipaplatform.paths import paths
-+from ipapython.dn import DN
- from cryptography import x509
- from cryptography.x509.oid import ExtensionOID
- from cryptography.hazmat.backends import default_backend
-@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
-         )
-         assert "profile: caServerCert" in result.stdout_text
- 
-+    def test_multiple_user_certificates(self):
-+        """Test that a user may be issued multiple certificates"""
-+        ldap = self.master.ldap_connect()
-+
-+        user = 'user1'
-+
-+        tasks.kinit_admin(self.master)
-+        tasks.user_add(self.master, user)
-+
-+        for id in (0,1):
-+            csr_file = f'{id}.csr'
-+            key_file = f'{id}.key'
-+            cert_file = f'{id}.crt'
-+            openssl_cmd = [
-+                'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
-+                '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
-+            self.master.run_command(openssl_cmd)
-+
-+            cmd_args = ['ipa', 'cert-request', '--principal', user,
-+                        '--certificate-out', cert_file, csr_file]
-+            self.master.run_command(cmd_args)
-+
-+        # easier to count by pulling the LDAP entry
-+        entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
-+                               ('cn', 'accounts'), self.master.domain.basedn))
-+
-+        assert len(entry.get('usercertificate')) == 2
-+
-     @pytest.fixture
-     def test_subca_certs(self):
-         """
--- 
-2.31.1
-
diff --git a/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
new file mode 100644
index 0000000..48bb8e0
--- /dev/null
+++ b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
@@ -0,0 +1,122 @@
+From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 26 Nov 2021 11:13:51 +0200
+Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
+ MS-SFU updates
+
+New versions of MS-KILE and MS-SFU after Windows Server November 2021
+security updates add PAC_REQUESTER_SID buffer check behavior:
+
+ - PAC_REQUESTER_SID should only be added for TGT requests
+
+ - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
+   the ticket resolves to the account with the same SID as the
+   PAC_REQUESTER_SID. If it doesn't KDC must respond with
+   KDC_ERR_TKT_REVOKED
+
+Change requester SID check to skip exact check for non-local
+PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
+we know about.
+
+If requester SID is the same as in PAC, we already do cname vs PAC SID
+verification.
+
+With these changes FreeIPA works against Windows Server 2019 with
+November 2021 security fixes in cross-realm S4U2Self operations.
+
+Fixes: https://pagure.io/freeipa/issue/9031
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 538cfbba9..1b972c167 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+                                       "local [%s], PAC [%s]",
+                                       dom ? dom : "<failed to display>",
+                                       sid ? sid : "<failed to display>");
+-            return KRB5KDC_ERR_POLICY;
++            return KRB5KDC_ERR_TGT_REVOKED;
+         }
+     }
+ 
+@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+     kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
+     if (kerr != 0) {
+         krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
+-        return KRB5KDC_ERR_POLICY;
++        return KRB5KDC_ERR_TGT_REVOKED;
+     }
+ 
+     ied = (struct ipadb_e_data *)client_actual->e_data;
+@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+                                   "local [%s] vs PAC [%s]",
+                                   local_sid ? local_sid : "<failed to display>",
+                                   pac_sid ? pac_sid : "<failed to display>");
+-        kerr = KRB5KDC_ERR_POLICY;
++        kerr = KRB5KDC_ERR_TGT_REVOKED;
+         goto done;
+     }
+ 
+@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
+     /* Check that requester SID is the same as in the PAC entry */
+     if (requester_sid != NULL) {
+         struct dom_sid client_sid;
++        bool is_from_trusted_domain = false;
+         kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
+         if (kerr) {
+             goto done;
+         }
+         result = dom_sid_check(&client_sid, requester_sid, true);
+         if (!result) {
+-            /* memctx is freed by the caller */
+-            char *pac_sid = dom_sid_string(tmpctx, &client_sid);
+-            char *req_sid = dom_sid_string(tmpctx, requester_sid);
+-            krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
+-                                      "different from what PAC requester claims. "
+-                                      "PAC [%s] vs PAC requester [%s]",
+-                                      pac_sid ? pac_sid : "<failed to display>",
+-                                      req_sid ? req_sid : "<failed to display>");
+-            kerr = KRB5KDC_ERR_POLICY;
+-            goto done;
++            struct ipadb_context *ipactx = ipadb_get_context(context);
++            if (!ipactx || !ipactx->mspac) {
++                return KRB5_KDB_DBNOTINITED;
++            }
++            /* In S4U case we might be dealing with the PAC issued by the trusted domain */
++            if (is_s4u && (ipactx->mspac->trusts != NULL)) {
++                /* Iterate through list of trusts and check if this SID belongs to
++                * one of the domains we trust */
++                for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
++                    result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
++                                           requester_sid, false);
++                    if (result) {
++                        is_from_trusted_domain = true;
++                        break;
++                    }
++                }
++            }
++
++            if (!is_from_trusted_domain) {
++                /* memctx is freed by the caller */
++                char *pac_sid = dom_sid_string(tmpctx, &client_sid);
++                char *req_sid = dom_sid_string(tmpctx, requester_sid);
++                krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
++                                        "different from what PAC requester claims. "
++                                        "PAC [%s] vs PAC requester [%s]",
++                                        pac_sid ? pac_sid : "<failed to display>",
++                                        req_sid ? req_sid : "<failed to display>");
++                kerr = KRB5KDC_ERR_TGT_REVOKED;
++                goto done;
++            }
+         }
+     }
+ 
+-- 
+2.31.1
+
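Review bot: The `return KRB5_KDB_DBNOTINITED;` added right after the `ipadb_get_context()` check leaves ipadb_check_logon_info directly, while every other failure path in this hunk sets `kerr` and jumps to `done`; if the `done:` label (outside the hunk) releases `tmpctx`, this early return skips that cleanup. Prefer `kerr = KRB5_KDB_DBNOTINITED; goto done;` so this failure takes the same exit as the PAC/requester SID mismatch just below it. A second, hedged point: the trust loop only establishes that the requester SID's domain matches one of `ipactx->mspac->trusts[i].domsid` (the `false` passed to `dom_sid_check` looks like a non-exact compare, in contrast to the `true` used for the local check above), so a foreign requester SID is accepted without being tied to the ticket's cname; the commit message says this relaxation is intentional, but a comment on the `is_s4u` branch stating that the cname-vs-SID binding for trusted-domain requesters is left to the issuing KDC would help the next reader. The enclosing function's `done:` cleanup and the definition of `is_s4u` are outside the hunk.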
diff --git a/SOURCES/freeipa-4.9.6.tar.gz.asc b/SOURCES/freeipa-4.9.6.tar.gz.asc
deleted file mode 100644
index f71d351..0000000
--- a/SOURCES/freeipa-4.9.6.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
-Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
-1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
-qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
-J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
-Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
-liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
-BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
-BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
-u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
-4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
-RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
-=TQFs
------END PGP SIGNATURE-----
diff --git a/SOURCES/freeipa-4.9.8.tar.gz.asc b/SOURCES/freeipa-4.9.8.tar.gz.asc
new file mode 100644
index 0000000..c14420c
--- /dev/null
+++ b/SOURCES/freeipa-4.9.8.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=t9up
+-----END PGP SIGNATURE-----
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index d45b5f0..a237a9b 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -68,8 +68,8 @@
 %global krb5_kdb_version 8.0
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.19
-# Require 4.7.0 which brings Python 3 bindings
-%global samba_version 4.12.3-12
+# Require 4.14.5-13 which brings CVE-2020-25717 fixes
+%global samba_version 4.14.5-13
 %global selinux_policy_version 3.14.3-52
 %global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
@@ -92,9 +92,9 @@
 %global krb5_version 1.18.2-29
 # 0.7.16: https://github.com/drkjam/netaddr/issues/71
 %global python_netaddr_version 0.7.16
-# Require 4.7.0 which brings Python 3 bindings
-# Require 4.12 which has DsRGetForestTrustInformation access rights fixes
-%global samba_version 2:4.12.10
+
+# Require 4.14.6 which brings CVE-2020-25717 fixes
+%global samba_version 2:4.14.6
 
 # 3.14.5-45 or later includes a number of interfaces fixes for IPA interface
 %global selinux_policy_version 3.14.5-45
@@ -178,7 +178,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.6
+%define IPA_VERSION 4.9.8
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@@ -191,7 +191,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        6%{?rc_version:.%rc_version}%{?dist}
+Release:        2%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -211,23 +211,12 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
-Patch0001:      0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
-Patch0002:      0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
-Patch0003:      0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
-Patch0004:      0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
-Patch0005:      0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
-Patch0006:      0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
-Patch0007:      0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
-Patch0008:      0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
-Patch0009:      0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
-Patch0010:      0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
-Patch0011:      0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
-Patch0012:      0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
-Patch0013:      0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
+Patch0001:      0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
 # RHEL spec file only: END
+Patch1101:      1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
 
 # For the timestamp trick in patch application
 BuildRequires:  diffstat
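Review bot: Patch1101 is declared with no comment tying it to the vulnerability it addresses, while the two `samba_version` bumps earlier in this file do carry a `CVE-2020-25717` comment; a line such as `# Hardening for CVE-2020-25717: KDC processing of PAC buffers` above `Patch1101:` would keep that link visible without reading the changelog. It is also the only patch declared outside the `# RHEL spec file only` / `%if %{NON_DEVELOPER_BUILD}` guard, so it is applied to every build; if that is intended, a short comment saying so would stop a later maintainer from moving it inside the `%if`. The `%prep` section is outside this hunk, so I cannot confirm that the new Patch0001 and Patch1101 numbers are actually applied there (explicit `%patch` lines would need updating, `%autosetup`/`%autopatch` would not). The thirteen removed Patch0001–Patch0013 entries are presumably folded into the 4.9.8 tarball, but the hunk alone does not show that; it is worth checking each one is in upstream 4.9.8 rather than silently dropped.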
@@ -471,6 +460,8 @@ Requires: gssproxy >= 0.7.0-2
 Requires: sssd-dbus >= %{sssd_version}
 Requires: libpwquality
 Requires: cracklib-dicts
+# NDR libraries are internal in Samba and change with version without changing SONAME
+Requires: samba-client-libs >= %{samba_version}
 
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
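Review bot: The `>=` in `Requires: samba-client-libs >= %{samba_version}` only sets a lower bound, yet the comment directly above it says the NDR libraries change with each Samba version without a SONAME change, so a later samba-client-libs rebase could still break ipa-server at runtime until it is rebuilt. If the packaging policy is to rebuild ipa-server on every Samba rebase (the changelog's "Rebuild against samba-4.14.5-11.el8" entry suggests that), consider saying so in the comment, e.g. `# ...; ipa-server must be rebuilt whenever samba-client-libs is rebased`, or pinning more tightly if policy allows.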
@@ -1370,6 +1361,7 @@ fi
 %{_libexecdir}/ipa/ipa-pki-wait-running
 %{_libexecdir}/ipa/ipa-otpd
 %{_libexecdir}/ipa/ipa-print-pac
+%{_libexecdir}/ipa/ipa-subids
 %dir %{_libexecdir}/ipa/custodia
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
@@ -1377,6 +1369,7 @@ fi
 %attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-ra-agent
 %dir %{_libexecdir}/ipa/oddjob
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
+%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
 %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
 %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
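Review bot: `org.freeipa.server.config-enable-sid` is packaged as a new 0755 oddjob helper, which means it runs with oddjobd's privileges on behalf of D-Bus callers; who may trigger it is presumably decided by `%{_sysconfdir}/oddjobd.conf.d/ipa-server.conf` and `%{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf`, both listed two lines below but not changed in this diff. Since those files come from the 4.9.8 tarball, it is worth confirming the shipped versions restrict the new method to the same caller set as `trust-enable-agent`. Both are `%config(noreplace)`, so a host upgraded from 4.9.6 with a locally edited copy keeps its old file and receives the new one only as `.rpmnew`; if the helper needs a new entry there, that upgrade path should be checked.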
@@ -1709,21 +1702,40 @@ fi
 
 
 %changelog
-* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
-- Don't store entries with a usercertificate in the LDAP cache
-  Resolves: RHBZ#1999893
-
-* Mon Sep 13 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-5
-- Catch and log errors when adding CA profiles
-  Resolves: RHBZ#1999142
-- selinux policy: allow custodia to access /proc/cpuinfo
-  Resolves: RHBZ#1998129
-- extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
-  Resolves: RHBZ#2000263
-- ipa migrate-ds command fails to warn when compat plugin is enabled
-  Resolves: RHBZ#1999992
-- Backport latest test fixes in python3-ipatests
-  Resolves: RHBZ#2000553
+* Fri Dec 10 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-2
+- Revert bind-pkcs11-utils configuration in freeipa.spec.
+  Resolves: RHBZ#2026732
+
+* Tue Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-1
+- Upstream release FreeIPA 4.9.8
+  Related: RHBZ#2015607
+- Hardening for CVE-2020-25717
+
+* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9.1
+- Fix S4U2Self regression for cross-realm requester SID buffer
+- Related: RHBZ#2021443
+
+* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9
+- Require samba 4.14.5-13 with IPA DC server role fixes
+- Related: RHBZ#2021443
+
+* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
+- Add versioned dependency of samba-client-libs to ipa-server
+- Related: RHBZ#2021443
+
+* Thu Nov 11 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
+- Hardening for CVE-2020-25717
+- Harden processing of trusted domains' users in S4U operations
+- Resolves: RHBZ#2021443
+
+* Wed Nov 10 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-6
+- Hardening for CVE-2020-25717
+- Rebuild against samba-4.14.5-11.el8
+- Resolves: RHBZ#2021443
+
+* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-5
+- Hardening for CVE-2020-25717
+- Related: RHBZ#2019668
 
 * Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
 - ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL