diff --git a/SOURCES/0233-Less-confusing-message-for-PKINIT-configuration-duri.patch b/SOURCES/0233-Less-confusing-message-for-PKINIT-configuration-duri.patch
new file mode 100644
index 0000000..6cbca7b
--- /dev/null
+++ b/SOURCES/0233-Less-confusing-message-for-PKINIT-configuration-duri.patch
@@ -0,0 +1,50 @@
+From ad0f85945daa0b0bfbddbcde992c5388c170518f Mon Sep 17 00:00:00 2001
+From: Aleksei Slaikovskii
+Date: Wed, 18 Oct 2017 09:52:08 +0200
+Subject: [PATCH] Less confusing message for PKINIT configuration during
+ install
+
+The message about an error during replica setup was causing the
+users to think the installation gone wrong even though this was
+an expected behavior when ipa-replica-install was ran without
+--no-pkinit flag and CA somehow is not reachable which defines
+that there is something wrong in a topology but does not lead
+to failure of the replica's installation. So now installation
+will not print error messages to stdout but rather will give a
+recomendation to user and write the old error message to log
+as a warning so it still will be easy to find if needed.
+
+https://pagure.io/freeipa/issue/7179
+
+Reviewed-By: Tomas Krizek
+---
+ ipaserver/install/krbinstance.py | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
+index 6b51e65d1ec985bfc01f167aea3fe3ca11c7ec29..34fe46aa8ef297bf69eb74953c956ad9c3d30def 100644
+--- a/ipaserver/install/krbinstance.py
++++ b/ipaserver/install/krbinstance.py
+@@ -494,8 +494,17 @@ class KrbInstance(service.Service):
+ self._install_pkinit_ca_bundle()
+ self.pkinit_enable()
+ except RuntimeError as e:
+- root_logger.error("PKINIT certificate request failed: %s", e)
+- root_logger.error("Failed to configure PKINIT")
++ root_logger.warning("PKINIT certificate request failed: %s", e)
++ root_logger.warning("Failed to configure PKINIT")
++
+ self.print_msg("Full PKINIT configuration did not succeed")
++ self.print_msg(
++ "The setup will only install bits "
++ "essential to the server functionality")
++ self.print_msg(
++ "You can enable PKINIT after the "
++ "setup completed using 'ipa-pkinit-manage'")
++
+ self.stop_tracking_certs()
+ self.issue_selfsigned_pkinit_certs()
+
+--
+2.13.5
+
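Review bot: The three `print_msg` lines on the new side drop the reason that the old `root_logger.error` line carried in `e`, so an admin watching the console learns only that PKINIT "did not succeed" and has to open the log to find out why; the context just below also calls `self.issue_selfsigned_pkinit_certs()`, which going by its name leaves the server with a self-signed PKINIT certificate, and the console text never says so. Consider `self.print_msg("Full PKINIT configuration did not succeed: %s" % e)` for the first line, or a sentence in the second one stating the self-signed fallback, so the degraded state is explicit rather than something to infer from the `ipa-pkinit-manage` hint. Moving the detailed message to `warning` in the log is fine since the text is unchanged there. The try/except this hunk modifies starts before the hunk and the enclosing method continues after it.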
diff --git a/SOURCES/0234-server.py-Removes-dns-server-configuration-from-ldap.patch b/SOURCES/0234-server.py-Removes-dns-server-configuration-from-ldap.patch
new file mode 100644
index 0000000..fe12f23
--- /dev/null
+++ b/SOURCES/0234-server.py-Removes-dns-server-configuration-from-ldap.patch
@@ -0,0 +1,45 @@
+From d71488fd450615ade6c10978af38d0dda27ec859 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?=
+Date: Tue, 6 Jun 2017 15:13:26 +0200
+Subject: [PATCH] server.py: Removes dns-server configuration from ldap
+
+After invocation of the ipa server-del
+command there was still record in ldap if DNS
+was installed on the server.
+
+Fixes: https://pagure.io/freeipa/issue/6572
+Reviewed-By: Martin Basti
+---
+ ipaserver/plugins/server.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ipaserver/plugins/server.py b/ipaserver/plugins/server.py
+index b1ee4722841509f4614c688ac39095c723aff167..e0dc953a1ef870c95fdcdb629fb6ab3103e8f999 100644
+--- a/ipaserver/plugins/server.py
++++ b/ipaserver/plugins/server.py
+@@ -692,6 +692,12 @@ class server_del(LDAPDelete):
+ message=_("You may need to manually remove them from the "
+ "tree")))
+
++ def _cleanup_server_dns_config(self, hostname):
++ try:
++ self.api.Command.dnsserver_del(hostname)
++ except errors.NotFound:
++ pass
++
+ def pre_callback(self, ldap, dn, *keys, **options):
+ pkey = self.obj.get_primary_key_from_dn(dn)
+
+@@ -731,6 +737,9 @@ class server_del(LDAPDelete):
+ # try to clean up the leftover DNS entries
+ self._cleanup_server_dns_records(pkey)
+
++ # try to clean up the DNS config from ldap
++ self._cleanup_server_dns_config(pkey)
++
+ return dn
+
+ def exc_callback(self, keys, options, exc, call_func, *call_args,
+--
+2.13.5
+
diff --git a/SOURCES/0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch b/SOURCES/0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch
new file mode 100644
index 0000000..2ff94ff
--- /dev/null
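Review bot: `_cleanup_server_dns_config` in the first server.py hunk catches only `errors.NotFound`, so any other failure raised by `dnsserver_del` propagates out of what appears to be `pre_callback` (the second hunk ends in `return dn` just before `exc_callback`) and aborts the whole `server-del`, while the neighbouring `_cleanup_server_dns_records` call is commented as a best-effort "try to clean up" step and its context above ends in an advisory `message=_("You may need to manually remove them ...")`; it is worth deciding explicitly whether the new call should be equally tolerant or whether a hard failure here is intended. The silent `pass` could also log at debug level so an operator can tell the entry was already absent. A one-line docstring would help: `"""Delete the DNS server configuration entry of hostname; a missing entry is not an error."""`. The method containing the second hunk starts outside the hunk.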
+++ b/SOURCES/0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch 
@@ -0,0 +1,75 @@
+From a6b7f433c1c8c30e455f345fcd97e7428ae63322 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden
+Date: Wed, 9 Aug 2017 17:28:35 -0400
+Subject: [PATCH] Include the CA basic constraint in CSRs when renewing a CA
+
+The CSR generated by `ipa-cacert-manage renew --external-ca` did
+not include the CA basic constraint:
+
+ X509v3 Basic Constraints: critical
+ CA:TRUE
+
+Add a flag to certmonger::resubmit_request to specify that a
+CA is being requested.
+
+Note that this also sets pathlen to -1 which means an unlimited
+pathlen. Leave it up to the issuing CA to set this.
+
+https://pagure.io/freeipa/issue/7088
+
+Reviewed-By: Florence Blanc-Renaud
+Reviewed-By: Florence Blanc-Renaud
+---
+ ipalib/install/certmonger.py | 13 +++++++++++--
+ ipaserver/install/ipa_cacert_manage.py | 3 ++-
+ 2 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/ipalib/install/certmonger.py b/ipalib/install/certmonger.py
+index c286996ee2318e241b4af190d1a01f42e28aa9f3..d2b782ddb0c746a3dfd96d0222bb31c6a960fdff 100644
+--- a/ipalib/install/certmonger.py
++++ b/ipalib/install/certmonger.py
+@@ -519,16 +519,25 @@ def modify(request_id, ca=None, profile=None):
+ request.obj_if.modify(update)
+
+
+-def resubmit_request(request_id, ca=None, profile=None):
++def resubmit_request(request_id, ca=None, profile=None, is_ca=False):
++ """
++ :param request_id: the certmonger numeric request ID
++ :param ca: the nickname for the certmonger CA, e.g. IPA or SelfSign
++ :param profile: the dogtag template profile to use, e.g. SubCA
++ :param is_ca: boolean that if True adds the CA basic constraint
++ """
+ request = _get_request({'nickname': request_id})
+ if request:
+- if ca or profile:
++ if ca or profile or is_ca:
+ update = {}
+ if ca is not None:
+ cm = _certmonger()
+ update['CA'] = cm.obj_if.find_ca_by_nickname(ca)
+ if profile is not None:
+ update['template-profile'] = profile
++ if is_ca:
++ update['template-is-ca'] = True
++ update['template-ca-path-length'] = -1 # no path length
+ request.obj_if.modify(update)
+ request.obj_if.resubmit()
+
+diff --git a/ipaserver/install/ipa_cacert_manage.py b/ipaserver/install/ipa_cacert_manage.py
+index fcbf09155a3abc9ce9481aa2519ed39aaa6aa9bb..9607620d6c3e63b70b9e586f94282bf478c8c53e 100644
+--- a/ipaserver/install/ipa_cacert_manage.py
++++ b/ipaserver/install/ipa_cacert_manage.py
+@@ -310,7 +310,8 @@ class CACertManage(admintool.AdminTool):
+ timeout = api.env.startup_timeout + 60
+
+ self.log.debug("resubmitting certmonger request '%s'", self.request_id)
+- certmonger.resubmit_request(self.request_id, ca=ca, profile=profile)
++ certmonger.resubmit_request(self.request_id, ca=ca, profile=profile,
++ is_ca=True)
+ try:
+ state = certmonger.wait_for_request(self.request_id, timeout)
+ except RuntimeError:
+--
+2.13.5
+
diff --git a/SOURCES/0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch b/SOURCES/0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch
new file mode 100644
index 0000000..54a13e6
--- /dev/null
+++ b/SOURCES/0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch
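Review bot: The new `:param is_ca:` docstring line in the certmonger.py hunk says only that the CA basic constraint is added, while the code a few lines below also sets `template-ca-path-length` to -1, which the commit message describes as an unlimited path length left for the issuing CA to restrict; a caller asking for CA:TRUE would not expect an unconstrained pathlen to be requested alongside, so that side effect belongs in the docstring. Suggest `:param is_ca: boolean that if True adds the CA basic constraint and requests an unlimited path length (template-ca-path-length = -1); the issuing CA is expected to constrain it`. In the ipa_cacert_manage.py hunk the call now passes `is_ca=True` unconditionally, which fits the renew-a-CA purpose but deserves a comment such as `# the request is always for the CA certificate, so ask for CA:TRUE` since the surrounding method starts before the hunk.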
@@ -0,0 +1,51 @@
+From f6ce0099adc7c8508b3bf2f82102c1dd70fa08dc Mon Sep 17 00:00:00 2001
+From: Felipe Barreto
+Date: Fri, 13 Oct 2017 09:19:43 +0200
+Subject: [PATCH] Checks if replica-s4u2proxy.ldif should be applied
+
+Before applying replica-s3u2proxy.ldif, we check
+if the values are already there. The values can be
+there if a replica installation was done in the past
+and some info was left behind. Also, the code checks
+the values independently.
+
+https://pagure.io/freeipa/issue/7174
+
+Reviewed-By: Rob Crittenden
+---
+ ipaserver/install/dsinstance.py | 19 ++++++++++++++++++-
+ 1 file changed, 18 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/dsinstance.py b/ipaserver/install/dsinstance.py
+index c9db8ac28c3ca10539b745ca09f4d8aaece02e0c..f7edcffc5904d8c9ce46f5862d496a4df3ad8d75 100644
+--- a/ipaserver/install/dsinstance.py
++++ b/ipaserver/install/dsinstance.py
+@@ -930,7 +930,24 @@ class DsInstance(service.Service):
+ self._ldap_mod("replica-acis.ldif", self.sub_dict)
+
+ def __setup_s4u2proxy(self):
+- self._ldap_mod("replica-s4u2proxy.ldif", self.sub_dict)
++
++ def __add_principal(last_cn, principal, self):
++ dn = DN(('cn', last_cn), ('cn', 's4u2proxy'),
++ ('cn', 'etc'), self.suffix)
++
++ value = '{principal}/{fqdn}@{realm}'.format(fqdn=self.fqdn,
++ realm=self.realm,
++ principal=principal)
++
++ entry = api.Backend.ldap2.get_entry(dn, ['memberPrincipal'])
++ try:
++ entry['memberPrincipal'].append(value)
++ api.Backend.ldap2.update_entry(entry)
++ except errors.EmptyModlist:
++ pass
++
++ __add_principal('ipa-http-delegation', 'HTTP', self)
++ __add_principal('ipa-ldap-delegation-targets', 'ldap', self)
+
+ def __create_indices(self):
+ self._ldap_mod("indices.ldif")
+--
+2.13.5
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 20d4d8b..cdf3266 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
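Review bot: `__add_principal` in the dsinstance.py hunk handles only `errors.EmptyModlist`: if the `cn=...,cn=s4u2proxy,cn=etc` entry is absent, `get_entry` raises (presumably `errors.NotFound`), and if the entry exists without a `memberPrincipal` attribute the `entry['memberPrincipal']` lookup would likely raise `KeyError`; the `_ldap_mod("replica-s4u2proxy.ldif", ...)` call this replaces presumably created those entries, so a tree where they were never created now fails with a raw traceback instead of being set up. Consider catching `errors.NotFound` and either creating the entry or failing with a message that names the dn, and guarding the attribute access if it can be missing. Two style points: the nested helper takes `self` as its last positional parameter although it could simply close over it, and a double-underscore name on a nested function is name-mangled (to `_DsInstance__add_principal`) for no benefit, so `def _add_principal(last_cn, principal):` reads better. A docstring on `__setup_s4u2proxy` stating that it adds this host's HTTP and ldap principals to the two delegation entries and tolerates values that already exist would capture the intent the commit message gives.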
@@ -68,7 +68,7 @@ Name: ipa
 Version: %{IPA_VERSION}
-Release: 21%{?dist}.2.2
+Release: 22%{?dist}
 Summary: The Identity, Policy and Audit system
 Group: System Environment/Base
@@ -76,10 +76,10 @@ License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source3: login-screen-logo.png
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source3: login-screen-logo.png
+Source4: product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -316,6 +316,10 @@ Patch0229: 0229-control-logging-of-host_port_open-from-caller.patch
 Patch0230: 0230-log-progress-of-wait_for_open_ports.patch
 Patch0231: 0231-Store-help-in-Schema-before-writing-to-disk.patch
 Patch0232: 0232-Disable-pylint-in-get_help-function-because-of-type-.patch
+Patch0233: 0233-Less-confusing-message-for-PKINIT-configuration-duri.patch
+Patch0234: 0234-server.py-Removes-dns-server-configuration-from-ldap.patch
+Patch0235: 0235-Include-the-CA-basic-constraint-in-CSRs-when-renewin.patch
+Patch0236: 0236-Checks-if-replica-s4u2proxy.ldif-should-be-applied.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Package-copy-schema-to-ca.py.patch
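Review bot: The Source1–Source4 lines re-enabled in the second hunk here, together with the matching `cp %SOURCE1..4` lines and the dropped `--with-ipaplatform=rhel` in the two hunks that follow, revert exactly the CentOS-specific changes that the two changelog entries removed at the end of this diff described ("Roll in CentOS Branding", "set ipaplatform to rhel for compatibilty for updates"), yet the new 4.5.0-22.el7 changelog entry mentions neither. If this is a straight re-import of the RHEL spec that is meant to be re-branded in a follow-up, a note to that effect in the commit would stop a reader from concluding the platform switch was lost by accident. As written, the build now also requires header-logo.png, login-screen-background.jpg, login-screen-logo.png and product-name.png to be present in SOURCES, and this commit adds only the four patches.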
@@ -1117,10 +1121,10 @@ cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
 %endif # with_python3
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE3 install/ui/images/login-screen-logo.png
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE3 install/ui/images/login-screen-logo.png
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -1144,8 +1148,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
 %{enable_server_option} \
 %{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
 %make_build
@@ -1869,11 +1872,19 @@ fi
 %changelog
-* Thu Oct 19 2017 Johnny Hughes - 4.5.0-21.el7.centos.2.2
-- set ipaplatform to rhel for compatibilty for updates
-
-* Thu Oct 19 2017 CentOS Sources - 4.5.0-21.el7.centos.2.2
-- Roll in CentOS Branding
+* Fri Oct 27 2017 Felipe Barreto - 4.5.0-22.el7
+- Resolves: #1506528 In case full PKINIT configuration is failing during
+ server/replica install the error message should be more meaningful.
+ - Less confusing message for PKINIT configuration during install
+- Resolves: #1506526 Use X509v3 Basic Constraints "CA:TRUE" instead of
+ "CA:FALSE" IPA CA CSR
+ - Include the CA basic constraint in CSRs when renewing a CA
+- Resolves: #1506913 ipa-replica-install might fail because of an already
+ existing entry cn=ipa-http-delegation,cn=s4u2proxy,cn=etc,$SUFFIX
+ - Checks if replica-s4u2proxy.ldif should be applied
+- Resolves: #1506525 server-del doesn't remove dns-server configuration
+ from ldap
+ - server.py: Removes dns-server configuration from ldap
 * Wed Sep 20 2017 Felipe Barreto - 4.5.0-21.el7.2.2
 - Resolves: #1493410 ipa-server-upgrade timeouts on wait_for_open ports