diff --git a/.gitignore b/.gitignore
index 01d0ddf..bed6ed2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.2.tar.gz
+SOURCES/freeipa-4.9.3.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index 13b7ab7..d9c3e7e 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-c7b37727ffbdebe311990f7d31ae3b8bf2d06792 SOURCES/freeipa-4.9.2.tar.gz
+8e8da2d8eb9eae8e2d3561a69452e1b7a98455d8 SOURCES/freeipa-4.9.3.tar.gz
diff --git a/SOURCES/0001-Also-use-uglifyjs-on-CentOS-Stream-8.patch b/SOURCES/0001-Also-use-uglifyjs-on-CentOS-Stream-8.patch
deleted file mode 100644
index 61b74ed..0000000
--- a/SOURCES/0001-Also-use-uglifyjs-on-CentOS-Stream-8.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 3ab96a9d055e097860a6b18dce5242d231e39235 Mon Sep 17 00:00:00 2001
-From: Carl George <carl@george.computer>
-Date: Wed, 31 Mar 2021 16:26:09 -0500
-Subject: [PATCH] Also use uglifyjs on CentOS Stream 8
-
-This conditional was recently changed to match VERSION_ID "8." to only
-apply to RHEL 8 releases, but it should also match CentOS Stream 8 which
-has VERSION_ID "8".
-
-https://pagure.io/freeipa/c/43f344b931db3f72f50e1620443be9f21623e29a
----
- install/ui/util/compile.sh | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/install/ui/util/compile.sh b/install/ui/util/compile.sh
-index 01a4e6e74..8f29b89ec 100755
---- a/install/ui/util/compile.sh
-+++ b/install/ui/util/compile.sh
-@@ -112,7 +112,7 @@ fi
- echo "Minimizing: $RDIR/$RELEASE/$LAYER.js"
- echo "Target file: $OUTPUT_FILE"
- if [[ ("$ID" == "rhel" || "$ID_LIKE" =~ "rhel")
--      && "$VERSION_ID" =~ "8." ]];
-+      && ("$VERSION_ID" =~ "8." || "$VERSION_ID" == "8") ]];
- then
-     echo "Minifier: uglifyjs"
-     uglifyjs < $RDIR/$RELEASE/$LAYER.js > $OUTPUT_FILE
--- 
-2.30.2
-
diff --git a/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch b/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
deleted file mode 100644
index 5935601..0000000
--- a/SOURCES/0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
+++ /dev/null
@@ -1,381 +0,0 @@
-From b590dcef10680b4ea3181ae1caec183e5967562b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Fri, 11 Dec 2020 07:35:59 +0200
-Subject: [PATCH] ipatests: add TestInstallWithoutSudo
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Test IPA servers and clients behavior when sudo is not installed.
-
-Fixes: https://pagure.io/freeipa/issue/8530
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- .../nightly_ipa-4-9_latest.yaml               | 12 ++++
- .../nightly_ipa-4-9_latest_selinux.yaml       | 13 ++++
- .../nightly_ipa-4-9_previous.yaml             | 12 ++++
- .../test_integration/test_installation.py     | 66 +++++++++++++++++++
- 4 files changed, 103 insertions(+)
-
-diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
-index 3acd6a13c..d91b16cab 100644
---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
-@@ -535,6 +535,18 @@ jobs:
-         timeout: 10800
-         topology: *master_1repl
- 
-+  fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
-+    requires: [fedora-latest-ipa-4-9/build]
-+    priority: 50
-+    job:
-+      class: RunPytest
-+      args:
-+        build_url: '{fedora-latest-ipa-4-9/build_url}'
-+        test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
-+        template: *ci-ipa-4-9-latest
-+        timeout: 4800
-+        topology: *master_1repl_1client
-+
-   fedora-latest-ipa-4-9/test_idviews:
-     requires: [fedora-latest-ipa-4-9/build]
-     priority: 50
-diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
-index c01192cf5..8adb06d0c 100644
---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
-@@ -575,6 +575,19 @@ jobs:
-         timeout: 10800
-         topology: *master_1repl
- 
-+  fedora-latest-ipa-4-9/test_installation_TestInstallWithoutSudo:
-+    requires: [fedora-latest-ipa-4-9/build]
-+    priority: 50
-+    job:
-+      class: RunPytest
-+      args:
-+        build_url: '{fedora-latest-ipa-4-9/build_url}'
-+        selinux_enforcing: True
-+        test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
-+        template: *ci-ipa-4-9-latest
-+        timeout: 4800
-+        topology: *master_1repl_1client
-+
-   fedora-latest-ipa-4-9/test_idviews:
-     requires: [fedora-latest-ipa-4-9/build]
-     priority: 50
-diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
-index a6ea24f6a..2b5d4fd5e 100644
---- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
-@@ -535,6 +535,18 @@ jobs:
-         timeout: 10800
-         topology: *master_1repl
- 
-+  fedora-previous-ipa-4-9/test_installation_TestInstallWithoutSudo:
-+    requires: [fedora-previous-ipa-4-9/build]
-+    priority: 50
-+    job:
-+      class: RunPytest
-+      args:
-+        build_url: '{fedora-previous-ipa-4-9/build_url}'
-+        test_suite: test_integration/test_installation.py::TestInstallWithoutSudo
-+        template: *ci-ipa-4-9-previous
-+        timeout: 4800
-+        topology: *master_1repl_1client
-+
-   fedora-previous-ipa-4-9/test_idviews:
-     requires: [fedora-previous-ipa-4-9/build]
-     priority: 50
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index eb6f7d78e..6e8af024c 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -1537,3 +1537,69 @@ class TestInstallReplicaAgainstSpecificServer(IntegrationTest):
-                                             self.replicas[0].hostname],
-                                            stdin_text=dirman_password)
-         assert self.replicas[0].hostname not in cmd.stdout_text
-+
-+
-+class TestInstallWithoutSudo(IntegrationTest):
-+
-+    num_clients = 1
-+    num_replicas = 1
-+    no_sudo_str = "The sudo binary does not seem to be present on this"
-+
-+    @classmethod
-+    def install(cls, mh):
-+        pass
-+
-+    def test_sudo_removal(self):
-+        # ipa-client makes sudo depend on libsss_sudo.
-+
-+        # --nodeps is mandatory because dogtag uses sudo at install
-+        # time until commit 49585867207922479644a03078c29548de02cd03
-+        # which is scheduled to land in 10.10.
-+
-+        # This also means sudo+libsss_sudo cannot be uninstalled on
-+        # IPA servers with a CA.
-+        assert tasks.is_package_installed(self.clients[0], 'sudo')
-+        assert tasks.is_package_installed(self.clients[0], 'libsss_sudo')
-+        tasks.uninstall_packages(
-+            self.clients[0], ['sudo', 'libsss_sudo'], nodeps=True
-+        )
-+
-+    def test_ipa_installation_without_sudo(self):
-+        # FixMe: When Dogtag 10.10 is out, test installation without sudo
-+        tasks.install_master(self.master, setup_dns=True)
-+
-+    def test_replica_installation_without_sudo(self):
-+        # FixMe: When Dogtag 10.10 is out, test replica installation
-+        # without sudo and with CA
-+        tasks.uninstall_packages(
-+            self.replicas[0], ['sudo', 'libsss_sudo'], nodeps=True
-+        )
-+        # One-step install is needed.
-+        # With promote=True, two-step install is done and that only captures
-+        # the ipa-replica-install stdout/stderr, not ipa-client-install's.
-+        result = tasks.install_replica(
-+            self.master, self.replicas[0], promote=False,
-+            setup_dns=True, setup_ca=False
-+        )
-+        assert self.no_sudo_str in result.stderr_text
-+
-+    def test_client_installation_without_sudo(self):
-+        result = tasks.install_client(self.master, self.clients[0])
-+        assert self.no_sudo_str in result.stderr_text
-+
-+    def test_remove_sudo_on_ipa(self):
-+        tasks.uninstall_packages(
-+            self.master, ['sudo', 'libsss_sudo'], nodeps=True
-+        )
-+        self.master.run_command(
-+            ['ipactl', 'restart']
-+        )
-+
-+    def test_install_sudo_on_client(self):
-+        """ Check that installing sudo pulls libsss_sudo in"""
-+        for pkg in ('sudo', 'libsss_sudo'):
-+            assert tasks.is_package_installed(self.clients[0], pkg) is False
-+        tasks.uninstall_client(self.clients[0])
-+        tasks.install_packages(self.clients[0], ['sudo'])
-+        for pkg in ('sudo', 'libsss_sudo'):
-+            assert tasks.is_package_installed(self.clients[0], pkg)
--- 
-2.29.2
-
-From 0c2741af9f353d2fbb21a5768e6433c0e99da0e9 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Thu, 10 Dec 2020 08:35:12 +0200
-Subject: [PATCH] ipatests: tasks: handle uninstalling packages with nodeps
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Handle package removal without taking dependencies into account.
-E.g. add frontends for rpm -e --nodeps.
-
-Related: ipatests/pytest_ipa/integration/tasks.py
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipatests/pytest_ipa/integration/tasks.py | 51 +++++++++++++++++++-----
- 1 file changed, 41 insertions(+), 10 deletions(-)
-
-diff --git a/ipatests/pytest_ipa/integration/tasks.py b/ipatests/pytest_ipa/integration/tasks.py
-index b91859816..2fe78367f 100755
---- a/ipatests/pytest_ipa/integration/tasks.py
-+++ b/ipatests/pytest_ipa/integration/tasks.py
-@@ -29,6 +29,7 @@ import re
- import collections
- import itertools
- import shutil
-+import shlex
- import copy
- import subprocess
- import tempfile
-@@ -2381,20 +2382,33 @@ def download_packages(host, pkgs):
-     return tmpdir
- 
- 
--def uninstall_packages(host, pkgs):
-+def uninstall_packages(host, pkgs, nodeps=False):
-     """Uninstall packages on a remote host.
--    :param host: the host where the uninstallation takes place
--    :param pkgs: packages to uninstall, provided as a list of strings
-+    :param host: the host where the uninstallation takes place.
-+    :param pkgs: packages to uninstall, provided as a list of strings.
-+    :param nodeps: ignore dependencies (dangerous!).
-     """
-     platform = get_platform(host)
--    # Only supports RHEL 8+ and Fedora for now
--    if platform in ('rhel', 'fedora'):
--        install_cmd = ['/usr/bin/dnf', 'remove', '-y']
--    elif platform in ('ubuntu'):
--        install_cmd = ['apt-get', 'remove', '-y']
-+    if platform not in ('rhel', 'fedora', 'ubuntu'):
-+        raise ValueError('uninstall_packages: unknown platform %s' % platform)
-+    if nodeps:
-+        if platform in ('rhel', 'fedora'):
-+            cmd = "rpm -e --nodeps"
-+        elif platform in ('ubuntu'):
-+            cmd = "dpkg -P --force-depends"
-+        for package in pkgs:
-+            uninstall_cmd = shlex.split(cmd)
-+            uninstall_cmd.append(package)
-+            # keep raiseonerr=True here. --fcami
-+            host.run_command(uninstall_cmd)
-     else:
--        raise ValueError('install_packages: unknown platform %s' % platform)
--    host.run_command(install_cmd + pkgs, raiseonerr=False)
-+        if platform in ('rhel', 'fedora'):
-+            cmd = "/usr/bin/dnf remove -y"
-+        elif platform in ('ubuntu'):
-+            cmd = "apt-get remove -y"
-+        uninstall_cmd = shlex.split(cmd)
-+        uninstall_cmd.extend(pkgs)
-+        host.run_command(uninstall_cmd, raiseonerr=False)
- 
- 
- def wait_for_request(host, request_id, timeout=120):
-@@ -2649,3 +2663,20 @@ def run_ssh_cmd(
-             assert "Authentication succeeded" not in stderr
-             assert "No more authentication methods to try." in stderr
-     return (return_code, stdout, stderr)
-+
-+
-+def is_package_installed(host, pkg):
-+    platform = get_platform(host)
-+    if platform in ('rhel', 'fedora'):
-+        result = host.run_command(
-+            ['rpm', '-q', pkg], raiseonerr=False
-+        )
-+    elif platform in ['ubuntu']:
-+        result = host.run_command(
-+            ['dpkg', '-s', pkg], raiseonerr=False
-+        )
-+    else:
-+        raise ValueError(
-+            'is_package_installed: unknown platform %s' % platform
-+        )
-+    return result.returncode == 0
--- 
-2.29.2
-
-From fe157ca349e3146a53884e90e6e588efb4e97eeb Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Thu, 10 Dec 2020 08:15:22 +0200
-Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: https://pagure.io/freeipa/issue/8530
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipaclient/install/client.py | 14 +++++++++++++-
- 1 file changed, 13 insertions(+), 1 deletion(-)
-
-diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
-index 8acfa0cd1..0e478fa26 100644
---- a/ipaclient/install/client.py
-+++ b/ipaclient/install/client.py
-@@ -24,6 +24,7 @@ import re
- import SSSDConfig
- import shutil
- import socket
-+import subprocess
- import sys
- import tempfile
- import textwrap
-@@ -2200,7 +2201,18 @@ def install_check(options):
-             "authentication resources",
-             rval=CLIENT_INSTALL_ERROR)
- 
--    # when installing with '--no-sssd' option, check whether nss-ldap is
-+    # When installing without the "--no-sudo" option, check whether sudo is
-+    # available.
-+    if options.conf_sudo:
-+        try:
-+            subprocess.Popen(['sudo -V'])
-+        except FileNotFoundError:
-+            logger.info(
-+                "The sudo binary does not seem to be present on this "
-+                "system. Please consider installing sudo if required."
-+            )
-+
-+    # when installing with the '--no-sssd' option, check whether nss-ldap is
-     # installed
-     if not options.sssd:
-         if not os.path.exists(paths.PAM_KRB5_SO):
--- 
-2.29.2
-
-From ee0ba2df41cf545b82d3d26e7e7e42447bb0f63e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Thu, 10 Dec 2020 07:55:16 +0200
-Subject: [PATCH] freeipa.spec: client: depend on libsss_sudo and sudo
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-On 10.10+ releases of Dogtag, the PKI installer will not depend
-on sudo anymore. This opens the possibility of creating IPA servers
-without a properly configured sudo.
-In fact, even IPA clients should have sudo and libsss_sudo installed
-in most cases, so add a weak dependency on both of them to the client
-subpackage.
-Also make sure libsss_sudo is installed if sudo is present.
-
-Fixes: https://pagure.io/freeipa/issue/8530
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
-Reviewed-By: Michal Polovka <mpolovka@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- freeipa.spec.in | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index ba52a3834..93e473ac4 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -640,6 +640,11 @@ Requires: nfs-utils
- Requires: sssd-tools >= %{sssd_version}
- Requires(post): policycoreutils
- 
-+# https://pagure.io/freeipa/issue/8530
-+Recommends: libsss_sudo
-+Recommends: sudo
-+Requires: (libsss_sudo if sudo)
-+
- Provides: %{alt_name}-client = %{version}
- Conflicts: %{alt_name}-client
- Obsoletes: %{alt_name}-client < %{version}
--- 
-2.29.2
-
diff --git a/SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch b/SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
deleted file mode 100644
index 62e3fef..0000000
--- a/SOURCES/0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
+++ /dev/null
@@ -1,60 +0,0 @@
-From 6b25cd3241a5609b4d903d5697b8947fab403c90 Mon Sep 17 00:00:00 2001
-From: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
-Date: Wed, 17 Feb 2021 19:43:00 +0530
-Subject: [PATCH] ipatests: error message check in uninstall log for KRA
-
-This test checks that there is no error message in uninstall
-log for KRA instance when IPA was installed with KRA.
-
-related: https://pagure.io/freeipa/issue/8550
-
-Signed-off-by: Kaleemullah Siddiqui <ksiddiqu@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- .../test_backup_and_restore.py                | 22 ++++++++++++++++---
- 1 file changed, 19 insertions(+), 3 deletions(-)
-
-diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
-index f13dfb5cb..6890ef201 100644
---- a/ipatests/test_integration/test_backup_and_restore.py
-+++ b/ipatests/test_integration/test_backup_and_restore.py
-@@ -451,9 +451,11 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest):
- 
-             backup_path = tasks.get_backup_dir(self.master)
- 
--            self.master.run_command(['ipa-server-install',
--                                     '--uninstall',
--                                     '-U'])
-+            # check that no error message in uninstall log for KRA instance
-+            cmd = self.master.run_command(['ipa-server-install',
-+                                           '--uninstall',
-+                                           '-U'])
-+            assert "failed to uninstall KRA" not in cmd.stderr_text
- 
-             if reinstall:
-                 tasks.install_master(self.master, setup_dns=True)
-@@ -482,6 +484,20 @@ class TestBackupReinstallRestoreWithKRA(BaseBackupAndRestoreWithKRA):
-         """backup, uninstall, reinstall, restore"""
-         self._full_backup_restore_with_vault(reinstall=True)
- 
-+    def test_no_error_message_with_uninstall_ipa_with_kra(self):
-+        """Test there is no error message in uninstall log for KRA instance
-+
-+        There was error message in uninstall log when IPA with KRA was
-+        uninstalled. This test check that there is no error message in
-+        uninstall log for kra instance.
-+
-+        related: https://pagure.io/freeipa/issue/8550
-+        """
-+        cmd = self.master.run_command(['ipa-server-install',
-+                                       '--uninstall',
-+                                       '-U'])
-+        assert "failed to uninstall KRA" not in cmd.stderr_text
-+
- 
- class TestBackupAndRestoreWithReplica(IntegrationTest):
-     """Regression tests for issues 7234 and 7455
--- 
-2.29.2
-
diff --git a/SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch b/SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
deleted file mode 100644
index 151805c..0000000
--- a/SOURCES/0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From 6d7b2d7d1b4711255ea72d62d27b5c5f4ec7c6e1 Mon Sep 17 00:00:00 2001
-From: Sergey Orlov <sorlov@redhat.com>
-Date: Tue, 16 Feb 2021 12:32:55 +0100
-Subject: [PATCH] ipatests: skip tests for AD trust with shared secret in FIPS
- mode
-
-Related to https://pagure.io/freeipa/issue/8715
-
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_integration/test_trust.py | 22 ++++++++++++++++++++++
- 1 file changed, 22 insertions(+)
-
-diff --git a/ipatests/test_integration/test_trust.py b/ipatests/test_integration/test_trust.py
-index 3e522617d..c8a348212 100644
---- a/ipatests/test_integration/test_trust.py
-+++ b/ipatests/test_integration/test_trust.py
-@@ -5,6 +5,7 @@ from __future__ import absolute_import
- import re
- import textwrap
- import time
-+import functools
- 
- import pytest
- 
-@@ -13,6 +14,7 @@ from ipaplatform.paths import paths
- 
- from ipatests.test_integration.base import IntegrationTest
- from ipatests.pytest_ipa.integration import tasks
-+from ipatests.pytest_ipa.integration import fips
- from ipapython.dn import DN
- from collections import namedtuple
- from contextlib import contextmanager
-@@ -20,6 +22,18 @@ from contextlib import contextmanager
- TestDataRule = namedtuple('TestDataRule',
-                           ['name', 'ruletype', 'user', 'subject'])
- 
-+
-+def skip_in_fips_mode_due_to_issue_8715(test_method):
-+    @functools.wraps(test_method)
-+    def wrapper(instance):
-+        if fips.is_fips_enabled(instance.master):
-+            pytest.skip('Skipping in FIPS mode due to '
-+                        'https://pagure.io/freeipa/issue/8715')
-+        else:
-+            test_method(instance)
-+    return wrapper
-+
-+
- class BaseTestTrust(IntegrationTest):
-     num_clients = 1
-     topology = 'line'
-@@ -751,6 +765,7 @@ class TestTrust(BaseTestTrust):
- 
-     # Test for one-way forest trust with shared secret
- 
-+    @skip_in_fips_mode_due_to_issue_8715
-     def test_establish_forest_trust_with_shared_secret(self):
-         tasks.configure_dns_for_trust(self.master, self.ad)
-         tasks.configure_windows_dns_for_trust(self.ad, self.master)
-@@ -775,6 +790,7 @@ class TestTrust(BaseTestTrust):
-         tasks.establish_trust_with_ad(
-             self.master, self.ad_domain, shared_secret=self.shared_secret)
- 
-+    @skip_in_fips_mode_due_to_issue_8715
-     def test_trustdomains_found_in_forest_trust_with_shared_secret(self):
-         result = self.master.run_command(
-             ['ipa', 'trust-fetch-domains', self.ad.domain.name],
-@@ -783,6 +799,7 @@ class TestTrust(BaseTestTrust):
-         self.check_trustdomains(
-             self.ad_domain, [self.ad_domain, self.ad_subdomain])
- 
-+    @skip_in_fips_mode_due_to_issue_8715
-     def test_user_gid_uid_resolution_in_forest_trust_with_shared_secret(self):
-         """Check that user has SID-generated UID"""
-         # Using domain name since it is lowercased realm name for AD domains
-@@ -801,6 +818,7 @@ class TestTrust(BaseTestTrust):
-         assert re.search(
-             testuser_regex, result.stdout_text), result.stdout_text
- 
-+    @skip_in_fips_mode_due_to_issue_8715
-     def test_remove_forest_trust_with_shared_secret(self):
-         ps_cmd = (
-             '[System.DirectoryServices.ActiveDirectory.Forest]'
-@@ -823,6 +841,7 @@ class TestTrust(BaseTestTrust):
- 
-     # Test for one-way external trust with shared secret
- 
-+    @skip_in_fips_mode_due_to_issue_8715
-     def test_establish_external_trust_with_shared_secret(self):
-         tasks.configure_dns_for_trust(self.master, self.ad)
-         tasks.configure_windows_dns_for_trust(self.ad, self.master)
-@@ -838,6 +857,7 @@ class TestTrust(BaseTestTrust):
-             self.master, self.ad_domain, shared_secret=self.shared_secret,
-             extra_args=['--range-type', 'ipa-ad-trust', '--external=True'])
- 
-+    @skip_in_fips_mode_due_to_issue_8715
-     def test_trustdomains_found_in_external_trust_with_shared_secret(self):
-         result = self.master.run_command(
-             ['ipa', 'trust-fetch-domains', self.ad.domain.name],
-@@ -846,6 +866,7 @@ class TestTrust(BaseTestTrust):
-         self.check_trustdomains(
-             self.ad_domain, [self.ad_domain])
- 
-+    @skip_in_fips_mode_due_to_issue_8715
-     def test_user_uid_resolution_in_external_trust_with_shared_secret(self):
-         """Check that user has SID-generated UID"""
-         # Using domain name since it is lowercased realm name for AD domains
-@@ -864,6 +885,7 @@ class TestTrust(BaseTestTrust):
-         assert re.search(
-             testuser_regex, result.stdout_text), result.stdout_text
- 
-+    @skip_in_fips_mode_due_to_issue_8715
-     def test_remove_external_trust_with_shared_secret(self):
-         self.ad.run_command(
-             ['netdom.exe', 'trust', self.master.domain.name,
--- 
-2.29.2
-
diff --git a/SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch b/SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
deleted file mode 100644
index fe28854..0000000
--- a/SOURCES/0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
+++ /dev/null
@@ -1,347 +0,0 @@
-From a0626e09b3eaf5d030982e2ff03e95841ad1b4b9 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 3 Feb 2021 15:52:05 -0500
-Subject: [PATCH] ipa-cert-fix: Don't hardcode the NSS certificate nickname
-
-The nickname of the 389-ds certificate was hardcoded as
-Server-Cert which failed if the user had installed a
-third-party certificate using ipa-server-certinstall.
-
-Instead pull the nickname from the DS configuration and
-retrieve it based on that.
-
-https://pagure.io/freeipa/issue/8600
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipaserver/install/ipa_cert_fix.py | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
-index 2f2c15613..29af89cd5 100644
---- a/ipaserver/install/ipa_cert_fix.py
-+++ b/ipaserver/install/ipa_cert_fix.py
-@@ -203,9 +203,12 @@ def expired_ipa_certs(now):
-         certs.append((IPACertType.HTTPS, cert))
- 
-     # LDAPS
--    ds_dbdir = dsinstance.config_dirname(realm_to_serverid(api.env.realm))
-+    serverid = realm_to_serverid(api.env.realm)
-+    ds = dsinstance.DsInstance(realm_name=api.env.realm)
-+    ds_dbdir = dsinstance.config_dirname(serverid)
-+    ds_nickname = ds.get_server_cert_nickname(serverid)
-     db = NSSDatabase(nssdir=ds_dbdir)
--    cert = db.get_cert('Server-Cert')
-+    cert = db.get_cert(ds_nickname)
-     if cert.not_valid_after <= now:
-         certs.append((IPACertType.LDAPS, cert))
- 
-@@ -344,11 +347,13 @@ def install_ipa_certs(subject_base, ca_subject_dn, certs):
-         elif certtype is IPACertType.HTTPS:
-             shutil.copyfile(cert_path, paths.HTTPD_CERT_FILE)
-         elif certtype is IPACertType.LDAPS:
--            ds_dbdir = dsinstance.config_dirname(
--                realm_to_serverid(api.env.realm))
-+            serverid = realm_to_serverid(api.env.realm)
-+            ds = dsinstance.DsInstance(realm_name=api.env.realm)
-+            ds_dbdir = dsinstance.config_dirname(serverid)
-             db = NSSDatabase(nssdir=ds_dbdir)
--            db.delete_cert('Server-Cert')
--            db.import_pem_cert('Server-Cert', EMPTY_TRUST_FLAGS, cert_path)
-+            ds_nickname = ds.get_server_cert_nickname(serverid)
-+            db.delete_cert(ds_nickname)
-+            db.import_pem_cert(ds_nickname, EMPTY_TRUST_FLAGS, cert_path)
-         elif certtype is IPACertType.KDC:
-             shutil.copyfile(cert_path, paths.KDC_CERT)
- 
--- 
-2.29.2
-
-From 660507fda2394b17d709c47a05ce5df548a47990 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 4 Feb 2021 08:25:48 -0500
-Subject: [PATCH] ipatests: test third-party 389-ds cert with ipa-cert-fix
-
-ipa-cert-fix was hardcoded to use Server-Cert as the nickname
-so would fail if a third-party certificate was installed for DS.
-
-https://pagure.io/freeipa/issue/8600
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- .../test_integration/test_ipa_cert_fix.py     | 57 +++++++++++++++++++
- 1 file changed, 57 insertions(+)
-
-diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
-index 2f7de5526..f9e5fe6e2 100644
---- a/ipatests/test_integration/test_ipa_cert_fix.py
-+++ b/ipatests/test_integration/test_ipa_cert_fix.py
-@@ -11,6 +11,17 @@ import time
- from ipaplatform.paths import paths
- from ipatests.pytest_ipa.integration import tasks
- from ipatests.test_integration.base import IntegrationTest
-+from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
-+
-+
-+def server_install_teardown(func):
-+    def wrapped(*args):
-+        master = args[0].master
-+        try:
-+            func(*args)
-+        finally:
-+            ipa_certs_cleanup(master)
-+    return wrapped
- 
- 
- class TestIpaCertFix(IntegrationTest):
-@@ -94,3 +105,49 @@ class TestIpaCertFix(IntegrationTest):
-             else:
-                 # timeout
-                 raise AssertionError('Timeout: Failed to renew all the certs')
-+
-+
-+class TestIpaCertFixThirdParty(CALessBase):
-+    """
-+    Test that ipa-cert-fix works with an installation with custom certs.
-+    """
-+
-+    @classmethod
-+    def install(cls, mh):
-+        cls.nickname = 'ca1/server'
-+
-+        super(TestIpaCertFixThirdParty, cls).install(mh)
-+        tasks.install_master(cls.master, setup_dns=True)
-+
-+    @server_install_teardown
-+    def test_third_party_certs(self):
-+        self.create_pkcs12(self.nickname,
-+                           password=self.cert_password,
-+                           filename='server.p12')
-+        self.prepare_cacert('ca1')
-+
-+        # We have a chain length of one. If this is extended then the
-+        # additional cert names will need to be calculated.
-+        nick_chain = self.nickname.split('/')
-+        ca_cert = '%s.crt' % nick_chain[0]
-+
-+        # Add the CA to the IPA store
-+        self.copy_cert(self.master, ca_cert)
-+        self.master.run_command(['ipa-cacert-manage', 'install', ca_cert])
-+
-+        # Apply the new cert chain otherwise ipa-server-certinstall will fail
-+        self.master.run_command(['ipa-certupdate'])
-+
-+        # Install the updated certs and restart the world
-+        self.copy_cert(self.master, 'server.p12')
-+        args = ['ipa-server-certinstall',
-+                '-p', self.master.config.dirman_password,
-+                '--pin', self.master.config.admin_password,
-+                '-d', 'server.p12']
-+        self.master.run_command(args)
-+        self.master.run_command(['ipactl', 'restart',])
-+
-+        # Run ipa-cert-fix. This is basically a no-op but tests that
-+        # the DS nickname is used and not a hardcoded value.
-+        result = self.master.run_command(['ipa-cert-fix', '-v'],)
-+        assert self.nickname in result.stderr_text
--- 
-2.29.2
-
-From 4cb6f0ba0df928eea60b20892a6fc85373627946 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 5 Feb 2021 09:00:54 -0500
-Subject: [PATCH] Set pki-core dependency to 10.3.3 for pki-server cert-fix bug
-
-Related: https://github.com/dogtagpki/pki/issues/3387
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- freeipa.spec.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 93e473ac4..0e261285b 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -128,11 +128,11 @@
- %if 0%{?rhel} == 8
- # PKIConnection has been modified to always validate certs.
- # https://pagure.io/freeipa/issue/8379
--%global pki_version 10.9.0-0.4
-+%global pki_version 10.10.4-1
- %else
- # New KRA profile, ACME support
- # https://pagure.io/freeipa/issue/8545
--%global pki_version 10.10.0-2
-+%global pki_version 10.10.3-1
- %endif
- 
- # RHEL 8.3+, F32+ has 0.79.13
--- 
-2.29.2
-
-From f3463728f2196589d36e14cedccb26c03730a7c0 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Wed, 10 Feb 2021 16:07:13 -0500
-Subject: [PATCH] Don't renew non-IPA issued certs in ipa-cert-fix
-
-If the Apache, 389-ds or KDC certificate was issued by
-a third party there is nothing we can do, regardless of
-whether it is expired or not.
-
-Report which certificates will not be renewed so the
-admin can manually do do (likely in the event of a
-third-party certificate).
-
-https://pagure.io/freeipa/issue/8600
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipaserver/install/ipa_cert_fix.py | 53 +++++++++++++++++++++++++------
- 1 file changed, 43 insertions(+), 10 deletions(-)
-
-diff --git a/ipaserver/install/ipa_cert_fix.py b/ipaserver/install/ipa_cert_fix.py
-index 29af89cd5..210cf80f1 100644
---- a/ipaserver/install/ipa_cert_fix.py
-+++ b/ipaserver/install/ipa_cert_fix.py
-@@ -43,6 +43,7 @@ from ipapython.certdb import NSSDatabase, EMPTY_TRUST_FLAGS
- from ipapython.dn import DN
- from ipapython.ipaldap import realm_to_serverid
- from ipaserver.install import ca, cainstance, dsinstance
-+from ipaserver.install.certs import is_ipa_issued_cert
- from ipapython import directivesetter
- from ipapython import ipautil
- 
-@@ -104,6 +105,13 @@ class IPACertFix(AdminTool):
- 
-         api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
-         api.finalize()
-+
-+        if not dsinstance.is_ds_running(realm_to_serverid(api.env.realm)):
-+            print(
-+                "The LDAP server is not running; cannot proceed."
-+            )
-+            return 1
-+
-         api.Backend.ldap2.connect()  # ensure DS is up
- 
-         subject_base = dsinstance.DsInstance().find_subject_base()
-@@ -113,7 +121,7 @@ class IPACertFix(AdminTool):
-         ca_subject_dn = ca.lookup_ca_subject(api, subject_base)
- 
-         now = datetime.datetime.now() + datetime.timedelta(weeks=2)
--        certs, extra_certs = expired_certs(now)
-+        certs, extra_certs, non_renewed = expired_certs(now)
- 
-         if not certs and not extra_certs:
-             print("Nothing to do.")
-@@ -121,7 +129,7 @@ class IPACertFix(AdminTool):
- 
-         print(msg)
- 
--        print_intentions(certs, extra_certs)
-+        print_intentions(certs, extra_certs, non_renewed)
- 
-         response = ipautil.user_input('Enter "yes" to proceed')
-         if response.lower() != 'yes':
-@@ -133,7 +141,10 @@ class IPACertFix(AdminTool):
-             fix_certreq_directives(certs)
-             run_cert_fix(certs, extra_certs)
-         except ipautil.CalledProcessError:
--            if any(x[0] is IPACertType.LDAPS for x in extra_certs):
-+            if any(
-+                x[0] is IPACertType.LDAPS
-+                for x in extra_certs + non_renewed
-+            ):
-                 # The DS cert was expired.  This will cause
-                 # 'pki-server cert-fix' to fail at the final
-                 # restart.  Therefore ignore the CalledProcessError
-@@ -152,13 +163,15 @@ class IPACertFix(AdminTool):
-             print("Becoming renewal master.")
-             cainstance.CAInstance().set_renewal_master()
- 
-+        print("Restarting IPA")
-         ipautil.run(['ipactl', 'restart'], raiseonerr=True)
- 
-         return 0
- 
- 
- def expired_certs(now):
--    return expired_dogtag_certs(now), expired_ipa_certs(now)
-+    expired_ipa, non_renew_ipa = expired_ipa_certs(now)
-+    return expired_dogtag_certs(now), expired_ipa, non_renew_ipa
- 
- 
- def expired_dogtag_certs(now):
-@@ -191,6 +204,7 @@ def expired_ipa_certs(now):
- 
-     """
-     certs = []
-+    non_renewed = []
- 
-     # IPA RA
-     cert = x509.load_certificate_from_file(paths.RA_AGENT_PEM)
-@@ -200,7 +214,10 @@ def expired_ipa_certs(now):
-     # Apache HTTPD
-     cert = x509.load_certificate_from_file(paths.HTTPD_CERT_FILE)
-     if cert.not_valid_after <= now:
--        certs.append((IPACertType.HTTPS, cert))
-+        if not is_ipa_issued_cert(api, cert):
-+            non_renewed.append((IPACertType.HTTPS, cert))
-+        else:
-+            certs.append((IPACertType.HTTPS, cert))
- 
-     # LDAPS
-     serverid = realm_to_serverid(api.env.realm)
-@@ -210,18 +227,24 @@ def expired_ipa_certs(now):
-     db = NSSDatabase(nssdir=ds_dbdir)
-     cert = db.get_cert(ds_nickname)
-     if cert.not_valid_after <= now:
--        certs.append((IPACertType.LDAPS, cert))
-+        if not is_ipa_issued_cert(api, cert):
-+            non_renewed.append((IPACertType.LDAPS, cert))
-+        else:
-+            certs.append((IPACertType.LDAPS, cert))
- 
-     # KDC
-     cert = x509.load_certificate_from_file(paths.KDC_CERT)
-     if cert.not_valid_after <= now:
--        certs.append((IPACertType.KDC, cert))
-+        if not is_ipa_issued_cert(api, cert):
-+            non_renewed.append((IPACertType.HTTPS, cert))
-+        else:
-+            certs.append((IPACertType.KDC, cert))
- 
--    return certs
-+    return certs, non_renewed
- 
- 
--def print_intentions(dogtag_certs, ipa_certs):
--    print("The following certificates will be renewed: ")
-+def print_intentions(dogtag_certs, ipa_certs, non_renewed):
-+    print("The following certificates will be renewed:")
-     print()
- 
-     for certid, cert in dogtag_certs:
-@@ -230,6 +253,16 @@ def print_intentions(dogtag_certs, ipa_certs):
-     for certtype, cert in ipa_certs:
-         print_cert_info("IPA", certtype.value, cert)
- 
-+    if non_renewed:
-+        print(
-+            "The following certificates will NOT be renewed because "
-+            "they were not issued by the IPA CA:"
-+        )
-+        print()
-+
-+        for certtype, cert in non_renewed:
-+            print_cert_info("IPA", certtype.value, cert)
-+
- 
- def print_cert_info(context, desc, cert):
-     print("{} {} certificate:".format(context, desc))
--- 
-2.29.2
-
diff --git a/SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch b/SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
deleted file mode 100644
index ed56ec8..0000000
--- a/SOURCES/0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
+++ /dev/null
@@ -1,135 +0,0 @@
-From 80ccac79b9d123e158a5ba60f9853611d0854188 Mon Sep 17 00:00:00 2001
-From: Sergey Orlov <sorlov@redhat.com>
-Date: Wed, 17 Feb 2021 16:48:33 +0100
-Subject: [PATCH] ipatests: test Samba mount with NTLM authentication
-
-Related to https://pagure.io/freeipa/issue/8636
-
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/pytest_ipa/integration/__init__.py | 17 ++++++
- ipatests/test_integration/test_smb.py       | 63 +++++++++++++++++++++
- 2 files changed, 80 insertions(+)
-
-diff --git a/ipatests/pytest_ipa/integration/__init__.py b/ipatests/pytest_ipa/integration/__init__.py
-index 55291ae8b..f62b667bd 100644
---- a/ipatests/pytest_ipa/integration/__init__.py
-+++ b/ipatests/pytest_ipa/integration/__init__.py
-@@ -28,12 +28,14 @@ import os
- import tempfile
- import shutil
- import re
-+import functools
- 
- import pytest
- from pytest_multihost import make_multihost_fixture
- 
- from ipapython import ipautil
- from ipaplatform.paths import paths
-+from . import fips
- from .config import Config
- from .env_config import get_global_config
- from . import tasks
-@@ -478,3 +480,18 @@ def del_compat_attrs(cls):
-         del cls.ad_subdomains
-         del cls.ad_treedomains
-     del cls.ad_domains
-+
-+
-+def skip_if_fips(reason='Not supported in FIPS mode', host='master'):
-+    if callable(reason):
-+        raise TypeError('Invalid decorator usage, add "()"')
-+
-+    def decorator(test_method):
-+        @functools.wraps(test_method)
-+        def wrapper(instance, *args, **kwargs):
-+            if fips.is_fips_enabled(getattr(instance, host)):
-+                pytest.skip(reason)
-+            else:
-+                test_method(instance, *args, **kwargs)
-+        return wrapper
-+    return decorator
-diff --git a/ipatests/test_integration/test_smb.py b/ipatests/test_integration/test_smb.py
-index 37725ab15..749a96325 100644
---- a/ipatests/test_integration/test_smb.py
-+++ b/ipatests/test_integration/test_smb.py
-@@ -19,6 +19,7 @@ from ipatests.test_integration.base import IntegrationTest
- from ipatests.pytest_ipa.integration import tasks
- from ipaplatform.osinfo import osinfo
- from ipaplatform.paths import paths
-+from ipatests.pytest_ipa.integration import skip_if_fips
- 
- 
- def wait_smbd_functional(host):
-@@ -378,6 +379,68 @@ class TestSMB(IntegrationTest):
-         finally:
-             self.cleanup_mount(mountpoint)
- 
-+    def check_repeated_smb_mount(self, options):
-+        mountpoint = '/mnt/smb'
-+        unc = '//{}/homes'.format(self.smbserver.hostname)
-+        test_file = 'ntlm_test'
-+        test_file_server_path = '/home/{}/{}'.format(self.ipa_user1, test_file)
-+        test_file_client_path = '{}/{}'.format(mountpoint, test_file)
-+
-+        self.smbclient.run_command(['mkdir', '-p', mountpoint])
-+        self.smbserver.put_file_contents(test_file_server_path, '')
-+        try:
-+            for i in [1, 2]:
-+                res = self.smbclient.run_command([
-+                    'mount', '-t', 'cifs', unc, mountpoint, '-o', options],
-+                    raiseonerr=False)
-+                assert res.returncode == 0, (
-+                    'Mount failed at iteration {}. Output: {}'
-+                    .format(i, res.stdout_text + res.stderr_text))
-+                assert self.smbclient.transport.file_exists(
-+                    test_file_client_path)
-+                self.smbclient.run_command(['umount', mountpoint])
-+        finally:
-+            self.cleanup_mount(mountpoint)
-+            self.smbserver.run_command(['rm', '-f', test_file_server_path])
-+
-+    @skip_if_fips()
-+    def test_ntlm_authentication_with_auto_domain(self):
-+        """Repeatedly try to authenticate with username and password with
-+        automatic domain discovery.
-+
-+        This is a regression test for https://pagure.io/freeipa/issue/8636
-+        """
-+        tasks.kdestroy_all(self.smbclient)
-+
-+        mount_options = 'user={user},pass={password},domainauto'.format(
-+            user=self.ipa_user1,
-+            password=self.ipa_user1_password
-+        )
-+
-+        self.check_repeated_smb_mount(mount_options)
-+
-+    @skip_if_fips()
-+    def test_ntlm_authentication_with_upn_with_lowercase_domain(self):
-+        tasks.kdestroy_all(self.smbclient)
-+
-+        mount_options = 'user={user}@{domain},pass={password}'.format(
-+            user=self.ipa_user1,
-+            password=self.ipa_user1_password,
-+            domain=self.master.domain.name.lower()
-+        )
-+        self.check_repeated_smb_mount(mount_options)
-+
-+    @skip_if_fips()
-+    def test_ntlm_authentication_with_upn_with_uppercase_domain(self):
-+        tasks.kdestroy_all(self.smbclient)
-+
-+        mount_options = 'user={user}@{domain},pass={password}'.format(
-+            user=self.ipa_user1,
-+            password=self.ipa_user1_password,
-+            domain=self.master.domain.name.upper()
-+        )
-+        self.check_repeated_smb_mount(mount_options)
-+
-     def test_uninstall_samba(self):
-         self.smbserver.run_command(['ipa-client-samba', '--uninstall', '-U'])
-         res = self.smbserver.run_command(
--- 
-2.29.2
-
diff --git a/SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch b/SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
deleted file mode 100644
index 8663740..0000000
--- a/SOURCES/0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
+++ /dev/null
@@ -1,79 +0,0 @@
-From 20bb855a57080145d0d5555294381c890ef605bb Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Tue, 16 Feb 2021 16:53:24 +0100
-Subject: [PATCH] ipaserver: don't ignore zonemgr option on install
-
-Fix zonemgr option in ipaserver install being
-ignored because of an incorrect condition.
-
-Fixes: https://pagure.io/freeipa/issue/8718
-Signed-off-by: Antonio Torres <antorres@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipaserver/install/bindinstance.py | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
-index 3b446ce76..19941cd00 100644
---- a/ipaserver/install/bindinstance.py
-+++ b/ipaserver/install/bindinstance.py
-@@ -355,7 +355,7 @@ def add_zone(name, zonemgr=None, dns_backup=None, ns_hostname=None,
-         else:
-             update_policy = get_dns_forward_zone_update_policy(api.env.realm)
- 
--    if zonemgr is None:
-+    if not zonemgr:
-         zonemgr = 'hostmaster.%s' % name
- 
-     if ns_hostname:
-@@ -682,7 +682,7 @@ class BindInstance(service.Service):
-         self.forward_policy = forward_policy
-         self.reverse_zones = reverse_zones
- 
--        if zonemgr is not None:
-+        if not zonemgr:
-             self.zonemgr = 'hostmaster.%s' % normalize_zone(self.domain)
-         else:
-             self.zonemgr = normalize_zonemgr(zonemgr)
--- 
-2.29.2
-
-From 82043e1fd052618608d3b7786473a632478795ee Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Tue, 16 Feb 2021 18:24:26 +0100
-Subject: [PATCH] ipatests: check that zonemgr is set correctly during server
- install
-
-Add test to check that zonemgr is correctly
-set when installing IPA server.
-
-Related: https://pagure.io/freeipa/issue/8718
-Signed-off-by: Antonio Torres <antorres@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
----
- ipatests/test_integration/test_installation.py | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index 6e8af024c..18c5bd243 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -1171,6 +1171,13 @@ class TestInstallMasterDNS(IntegrationTest):
-             extra_args=['--zonemgr', 'me@example.org'],
-         )
- 
-+        tasks.kinit_admin(self.master)
-+        result = self.master.run_command(
-+            ['ipa', 'dnszone-show', self.master.domain.name]
-+        ).stdout_text
-+
-+        assert "Administrator e-mail address: me.example.org" in result
-+
-     def test_server_install_lock_bind_recursion(self):
-         """Test if server installer lock Bind9 recursion
- 
--- 
-2.29.2
-
diff --git a/SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch b/SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
deleted file mode 100644
index 0531b15..0000000
--- a/SOURCES/0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
+++ /dev/null
@@ -1,318 +0,0 @@
-From 7f30ddb1b7e30c22f9b7d14d2658b58a0ea6b459 Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan <myusuf@redhat.com>
-Date: Tue, 2 Feb 2021 17:33:57 +0530
-Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs
-
-Test moves system date to expire certs. Then calls ipa-cert-fix
-to renew them. This certs include subsystem, audit-signing,
-OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
-
-related: https://pagure.io/freeipa/issue/7885
-
-Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- .../test_integration/test_ipa_cert_fix.py     | 60 +++++++++++++++++++
- 1 file changed, 60 insertions(+)
-
-diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
-index f9e5fe6e2..da68af573 100644
---- a/ipatests/test_integration/test_ipa_cert_fix.py
-+++ b/ipatests/test_integration/test_ipa_cert_fix.py
-@@ -8,12 +8,16 @@ Module provides tests for ipa-cert-fix CLI.
- import pytest
- import time
- 
-+import logging
- from ipaplatform.paths import paths
- from ipatests.pytest_ipa.integration import tasks
- from ipatests.test_integration.base import IntegrationTest
- from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
- 
- 
-+logger = logging.getLogger(__name__)
-+
-+
- def server_install_teardown(func):
-     def wrapped(*args):
-         master = args[0].master
-@@ -24,6 +28,26 @@ def server_install_teardown(func):
-     return wrapped
- 
- 
-+def check_status(host, cert_count, state, timeout=600):
-+    """Helper method to check that if all the certs are in given state
-+    :param host: the host
-+    :param cert_count: no of cert to look for
-+    :param state: state to check for
-+    :param timeout: max time in seconds to wait for the state
-+    """
-+    for _i in range(0, timeout, 10):
-+        result = host.run_command(['getcert', 'list'])
-+        count = result.stdout_text.count(f"status: {state}")
-+        logger.info("cert count in %s state : %s", state, count)
-+        if int(count) == cert_count:
-+            break
-+        time.sleep(10)
-+    else:
-+        raise RuntimeError("request timed out")
-+
-+    return count
-+
-+
- class TestIpaCertFix(IntegrationTest):
-     @classmethod
-     def uninstall(cls, mh):
-@@ -106,6 +130,42 @@ class TestIpaCertFix(IntegrationTest):
-                 # timeout
-                 raise AssertionError('Timeout: Failed to renew all the certs')
- 
-+    def test_renew_expired_cert_on_master(self, expire_cert_critical):
-+        """Test if ipa-cert-fix renews expired certs
-+
-+        Test moves system date to expire certs. Then calls ipa-cert-fix
-+        to renew them. This certs include subsystem, audit-signing,
-+        OCSP signing, Dogtag HTTPS, IPA RA agent, LDAP and KDC certs.
-+
-+        related: https://pagure.io/freeipa/issue/7885
-+        """
-+        # wait for cert expiry
-+        check_status(self.master, 8, "CA_UNREACHABLE")
-+
-+        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
-+
-+        check_status(self.master, 9, "MONITORING")
-+
-+        # second iteration of ipa-cert-fix
-+        result = self.master.run_command(
-+            ['ipa-cert-fix', '-v'],
-+            stdin_text='yes\n'
-+        )
-+        assert "Nothing to do" in result.stdout_text
-+        check_status(self.master, 9, "MONITORING")
-+
-+    def test_ipa_cert_fix_non_ipa(self):
-+        """Test ipa-cert-fix doesn't work on non ipa system
-+
-+        ipa-cert-fix tool should not work on non ipa system.
-+
-+        related: https://pagure.io/freeipa/issue/7885
-+        """
-+        result = self.master.run_command(['ipa-cert-fix', '-v'],
-+                                         stdin_text='yes\n',
-+                                         raiseonerr=False)
-+        assert result.returncode == 2
-+
- 
- class TestIpaCertFixThirdParty(CALessBase):
-     """
--- 
-2.29.2
-
-From 36a60dbb35cb4429f00528f79bec8b7982a30c74 Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan <myusuf@redhat.com>
-Date: Thu, 11 Feb 2021 16:54:22 +0530
-Subject: [PATCH] Move fixture outside the class and add setup_kra capability
-
-Moved fixture to use across multiple classes. Added capability
-to install the KRA to the fixture
-
-Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- .../test_integration/test_ipa_cert_fix.py     | 46 ++++++++++++-------
- 1 file changed, 30 insertions(+), 16 deletions(-)
-
-diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
-index da68af573..591dc5031 100644
---- a/ipatests/test_integration/test_ipa_cert_fix.py
-+++ b/ipatests/test_integration/test_ipa_cert_fix.py
-@@ -48,6 +48,33 @@ def check_status(host, cert_count, state, timeout=600):
-     return count
- 
- 
-+@pytest.fixture
-+def expire_cert_critical():
-+    """
-+    Fixture to expire the certs by moving the system date using
-+    date -s command and revert it back
-+    """
-+
-+    hosts = dict()
-+
-+    def _expire_cert_critical(host, setup_kra=False):
-+        hosts['host'] = host
-+        # Do not install NTP as the test plays with the date
-+        tasks.install_master(host, setup_dns=False,
-+                             extra_args=['--no-ntp'])
-+        if setup_kra:
-+            tasks.install_kra(host)
-+        host.run_command(['systemctl', 'stop', 'chronyd'])
-+        host.run_command(['date', '-s', '+3Years+1day'])
-+
-+    yield _expire_cert_critical
-+
-+    host = hosts.pop('host')
-+    tasks.uninstall_master(host)
-+    host.run_command(['date', '-s', '-3Years-1day'])
-+    host.run_command(['systemctl', 'start', 'chronyd'])
-+
-+
- class TestIpaCertFix(IntegrationTest):
-     @classmethod
-     def uninstall(cls, mh):
-@@ -55,22 +82,6 @@ class TestIpaCertFix(IntegrationTest):
-         # the fixture
-         pass
- 
--    @pytest.fixture
--    def expire_cert_critical(self):
--        """
--        Fixture to expire the certs by moving the system date using
--        date -s command and revert it back
--        """
--        # Do not install NTP as the test plays with the date
--        tasks.install_master(self.master, setup_dns=False,
--                             extra_args=['--no-ntp'])
--        self.master.run_command(['systemctl', 'stop', 'chronyd'])
--        self.master.run_command(['date','-s', '+3Years+1day'])
--        yield
--        tasks.uninstall_master(self.master)
--        self.master.run_command(['date','-s', '-3Years-1day'])
--        self.master.run_command(['systemctl', 'start', 'chronyd'])
--
-     def test_missing_csr(self, expire_cert_critical):
-         """
-         Test that ipa-cert-fix succeeds when CSR is missing from CS.cfg
-@@ -82,6 +93,7 @@ class TestIpaCertFix(IntegrationTest):
-         - call getcert resubmit in order to create the CSR in certmonger file
-         - use ipa-cert-fix, no issue should be seen
-         """
-+        expire_cert_critical(self.master)
-         # pki must be stopped in order to edit CS.cfg
-         self.master.run_command(['ipactl', 'stop'])
-         self.master.run_command(['sed', '-i', r'/ca\.sslserver\.certreq=/d',
-@@ -139,6 +151,8 @@ class TestIpaCertFix(IntegrationTest):
- 
-         related: https://pagure.io/freeipa/issue/7885
-         """
-+        expire_cert_critical(self.master)
-+
-         # wait for cert expiry
-         check_status(self.master, 8, "CA_UNREACHABLE")
- 
--- 
-2.29.2
-
-From c84e0547e1a693ba0e9edbfeea7bafdb2fb2b4a2 Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan <myusuf@redhat.com>
-Date: Thu, 11 Feb 2021 16:59:53 +0530
-Subject: [PATCH] ipatests: Test if ipa-cert-fix renews expired certs with kra
- installed
-
-This test check if ipa-cert-fix renews certs with kra
-certificate installed.
-
-related: https://pagure.io/freeipa/issue/7885
-
-Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- .../test_integration/test_ipa_cert_fix.py     | 25 +++++++++++++++++++
- 1 file changed, 25 insertions(+)
-
-diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
-index 591dc5031..b2e92d4dc 100644
---- a/ipatests/test_integration/test_ipa_cert_fix.py
-+++ b/ipatests/test_integration/test_ipa_cert_fix.py
-@@ -225,3 +225,28 @@ class TestIpaCertFixThirdParty(CALessBase):
-         # the DS nickname is used and not a hardcoded value.
-         result = self.master.run_command(['ipa-cert-fix', '-v'],)
-         assert self.nickname in result.stderr_text
-+
-+
-+class TestCertFixKRA(IntegrationTest):
-+    @classmethod
-+    def uninstall(cls, mh):
-+        # Uninstall method is empty as the uninstallation is done in
-+        # the fixture
-+        pass
-+
-+    def test_renew_expired_cert_with_kra(self, expire_cert_critical):
-+        """Test if ipa-cert-fix renews expired certs with kra installed
-+
-+        This test check if ipa-cert-fix renews certs with kra
-+        certificate installed.
-+
-+        related: https://pagure.io/freeipa/issue/7885
-+        """
-+        expire_cert_critical(self.master, setup_kra=True)
-+
-+        # check if all subsystem cert expired
-+        check_status(self.master, 11, "CA_UNREACHABLE")
-+
-+        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')
-+
-+        check_status(self.master, 12, "MONITORING")
--- 
-2.29.2
-
-From 260fbcb03297ef1ed5418b16c0df0587d2989b22 Mon Sep 17 00:00:00 2001
-From: Mohammad Rizwan <myusuf@redhat.com>
-Date: Tue, 2 Mar 2021 11:42:36 +0530
-Subject: [PATCH] ipatests: update nightly definition for ipa_cert_fix suite
-
-Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml         | 2 +-
- ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml | 2 +-
- ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml       | 2 +-
- 3 files changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
-index ebd539246..8a88698eb 100644
---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest.yaml
-@@ -1687,5 +1687,5 @@ jobs:
-         build_url: '{fedora-latest-ipa-4-9/build_url}'
-         test_suite: test_integration/test_ipa_cert_fix.py
-         template: *ci-ipa-4-9-latest
--        timeout: 3600
-+        timeout: 7200
-         topology: *master_1repl
-diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
-index d4b597d6e..14f0c4292 100644
---- a/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_latest_selinux.yaml
-@@ -1821,5 +1821,5 @@ jobs:
-         selinux_enforcing: True
-         test_suite: test_integration/test_ipa_cert_fix.py
-         template: *ci-ipa-4-9-latest
--        timeout: 3600
-+        timeout: 7200
-         topology: *master_1repl
-diff --git a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
-index 1fd589e6a..b7f8d2b3e 100644
---- a/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
-+++ b/ipatests/prci_definitions/nightly_ipa-4-9_previous.yaml
-@@ -1687,5 +1687,5 @@ jobs:
-         build_url: '{fedora-previous-ipa-4-9/build_url}'
-         test_suite: test_integration/test_ipa_cert_fix.py
-         template: *ci-ipa-4-9-previous
--        timeout: 3600
-+        timeout: 7200
-         topology: *master_1repl
--- 
-2.29.2
-
diff --git a/SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch b/SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
deleted file mode 100644
index a4e36a9..0000000
--- a/SOURCES/0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From caf748860860293e010e695d72f6b3b3d8509f8a Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Tue, 2 Mar 2021 08:44:35 +0100
-Subject: [PATCH] ipatests: use whole date when calling journalctl --since
-
-The test test_commands.py::TestIPACommand::test_ssh_key_connection
-is checking the content of the journal using journalctl --since ...
-but provides only the time, not the whole date with year-month-day.
-As a consequence, if the test is executed around midnight it may
-find nothing in the journal because it's looking for logs after 11:50PM,
-which is a date in the future.
-
-The fix provides a complete date with year-month-day hours:min:sec.
-
-Fixes: https://pagure.io/freeipa/issue/8728
-Reviewed-By: Francois Cami <fcami@redhat.com>
----
- ipatests/test_integration/test_commands.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
-index 45f642bf2..b7ffb926f 100644
---- a/ipatests/test_integration/test_commands.py
-+++ b/ipatests/test_integration/test_commands.py
-@@ -642,7 +642,8 @@ class TestIPACommand(IntegrationTest):
-         # start to look at logs a bit before "now"
-         # https://pagure.io/freeipa/issue/8432
-         since = time.strftime(
--            '%H:%M:%S', (datetime.now() - timedelta(seconds=10)).timetuple()
-+            '%Y-%m-%d %H:%M:%S',
-+            (datetime.now() - timedelta(seconds=10)).timetuple()
-         )
- 
-         tasks.run_ssh_cmd(
--- 
-2.29.2
-
diff --git a/SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch b/SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
deleted file mode 100644
index 128c9c4..0000000
--- a/SOURCES/0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
+++ /dev/null
@@ -1,594 +0,0 @@
-From 2832810891acfaca68142df7271d6f0a50a588eb Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 19 Feb 2021 15:37:47 +0200
-Subject: [PATCH] ipa-kdb: do not use OpenLDAP functions with NULL LDAP context
-
-Calling to ipadb_get_connection() will remove LDAP context if any error
-happens. This means upper layers must always verify that LDAP context
-exists after such calls.
-
-ipadb_get_user_auth() may re-read global configuration and that may fail
-and cause IPA context to have NULL LDAP context.
-
-Fixes: https://pagure.io/freeipa/issue/8681
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Robbie Harwood <rharwood@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb.c            |  1 +
- daemons/ipa-kdb/ipa_kdb_mspac.c      | 32 +++++++++++++++-------------
- daemons/ipa-kdb/ipa_kdb_principals.c | 26 ++++++++++++++++------
- 3 files changed, 37 insertions(+), 22 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
-index 43ba955ac..6e1e3e351 100644
---- a/daemons/ipa-kdb/ipa_kdb.c
-+++ b/daemons/ipa-kdb/ipa_kdb.c
-@@ -57,6 +57,7 @@ static void ipadb_context_free(krb5_context kcontext,
-         /* ldap free lcontext */
-         if ((*ctx)->lcontext) {
-             ldap_unbind_ext_s((*ctx)->lcontext, NULL, NULL);
-+            (*ctx)->lcontext = NULL;
-         }
-         free((*ctx)->supp_encs);
-         free((*ctx)->def_encs);
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 31f617129..81a8fd483 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -418,7 +418,6 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-                                         krb5_timestamp authtime,
-                                         struct netr_SamInfo3 *info3)
- {
--    LDAP *lcontext = ipactx->lcontext;
-     LDAPDerefRes *deref_results = NULL;
-     struct dom_sid sid;
-     gid_t prigid = -1;
-@@ -435,7 +434,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     bool is_idobject = false;
-     krb5_principal princ;
- 
--    ret = ipadb_ldap_attr_to_strlist(lcontext, lentry, "objectClass",
-+    ret = ipadb_ldap_attr_to_strlist(ipactx->lcontext, lentry, "objectClass",
-                                      &objectclasses);
-     if (ret == 0 && objectclasses != NULL) {
-         for (c = 0; objectclasses[c] != NULL; c++) {
-@@ -472,13 +471,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     }
- 
-     if (is_host) {
--        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "fqdn", &strres);
-+        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "fqdn", &strres);
-         if (ret) {
-             /* fqdn is mandatory for hosts */
-             return ret;
-         }
-     } else if (is_service) {
--        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "krbCanonicalName", &strres);
-+        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-+                                     "krbCanonicalName", &strres);
-         if (ret) {
-             /* krbCanonicalName is mandatory for services */
-             return ret;
-@@ -498,7 +498,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-             return ENOENT;
-         }
-     } else {
--        ret = ipadb_ldap_attr_to_str(lcontext, lentry, "uid", &strres);
-+        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "uid", &strres);
-         if (ret) {
-             /* uid is mandatory */
-             return ret;
-@@ -511,7 +511,8 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     if (is_host || is_service) {
-         prigid = 515; /* Well known RID for domain computers group */
-     } else {
--        ret = ipadb_ldap_attr_to_int(lcontext, lentry, "gidNumber", &intres);
-+        ret = ipadb_ldap_attr_to_int(ipactx->lcontext, lentry,
-+                                     "gidNumber", &intres);
-         if (ret) {
-             /* gidNumber is mandatory */
-             return ret;
-@@ -544,7 +545,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     info3->base.kickoff_time = INT64_MAX;
- #endif
- 
--    ret = ipadb_ldap_attr_to_time_t(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_time_t(ipactx->lcontext, lentry,
-                                     "krbLastPwdChange", &timeres);
-     switch (ret) {
-     case 0:
-@@ -562,7 +563,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-     info3->base.allow_password_change = info3->base.last_password_change;
-     info3->base.force_password_change = INT64_MAX;
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry, "cn", &strres);
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry, "cn", &strres);
-     switch (ret) {
-     case 0:
-         info3->base.full_name.string = talloc_strdup(memctx, strres);
-@@ -575,7 +576,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         return ret;
-     }
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                  "ipaNTLogonScript", &strres);
-     switch (ret) {
-     case 0:
-@@ -589,7 +590,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         return ret;
-     }
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                  "ipaNTProfilePath", &strres);
-     switch (ret) {
-     case 0:
-@@ -603,7 +604,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         return ret;
-     }
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                  "ipaNTHomeDirectory", &strres);
-     switch (ret) {
-     case 0:
-@@ -617,7 +618,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         return ret;
-     }
- 
--    ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+    ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                  "ipaNTHomeDirectoryDrive", &strres);
-     switch (ret) {
-     case 0:
-@@ -648,7 +649,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-             info3->base.rid = 515;
-         }
-     } else {
--        ret = ipadb_ldap_attr_to_str(lcontext, lentry,
-+        ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-                                      "ipaNTSecurityIdentifier", &strres);
-         if (ret) {
-             /* SID is mandatory */
-@@ -665,7 +666,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
-         }
-     }
- 
--    ret = ipadb_ldap_deref_results(lcontext, lentry, &deref_results);
-+    ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
-     switch (ret) {
-     LDAPDerefRes *dres;
-     LDAPDerefVal *dval;
-@@ -2511,7 +2512,7 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
- krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
- {
-     struct ipadb_adtrusts *t;
--    LDAP *lc = ipactx->lcontext;
-+    LDAP *lc = NULL;
-     char *attrs[] = { "cn", "ipaNTTrustPartner", "ipaNTFlatName",
-                       "ipaNTTrustedDomainSID", "ipaNTSIDBlacklistIncoming",
-                       "ipaNTSIDBlacklistOutgoing", "ipaNTAdditionalSuffixes", NULL };
-@@ -2545,6 +2546,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
-         goto done;
-     }
- 
-+    lc = ipactx->lcontext;
-     for (le = ldap_first_entry(lc, res); le; le = ldap_next_entry(lc, le)) {
-         dnstr = ldap_get_dn(lc, le);
- 
-diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index d1fa51578..cf1b4f53e 100644
---- a/daemons/ipa-kdb/ipa_kdb_principals.c
-+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -333,6 +333,11 @@ static enum ipadb_user_auth ipadb_get_user_auth(struct ipadb_context *ipactx,
-     if (gcfg != NULL)
-         gua = gcfg->user_auth;
- 
-+    /* lcontext == NULL means ipadb_get_global_config() failed to load
-+     * global config and cleared the ipactx */
-+    if (ipactx->lcontext == NULL)
-+        return IPADB_USER_AUTH_NONE;
-+
-     /* Get the user's user_auth settings if not disabled. */
-     if ((gua & IPADB_USER_AUTH_DISABLED) == 0)
-         ipadb_parse_user_auth(ipactx->lcontext, lentry, &ua);
-@@ -607,8 +612,16 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
-         free(entry);
-         return KRB5_KDB_DBNOTINITED;
-     }
--    lcontext = ipactx->lcontext;
--    if (!lcontext) {
-+
-+    entry->magic = KRB5_KDB_MAGIC_NUMBER;
-+    entry->len = KRB5_KDB_V1_BASE_LENGTH;
-+
-+    /* Get User Auth configuration. */
-+    ua = ipadb_get_user_auth(ipactx, lentry);
-+
-+    /* ipadb_get_user_auth() calls into ipadb_get_global_config()
-+     * and that might fail, causing lcontext to become NULL */
-+    if (!ipactx->lcontext) {
-         krb5_klog_syslog(LOG_INFO,
-                          "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
-         ret = ipadb_get_connection(ipactx);
-@@ -620,11 +633,10 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
-         }
-     }
- 
--    entry->magic = KRB5_KDB_MAGIC_NUMBER;
--    entry->len = KRB5_KDB_V1_BASE_LENGTH;
--
--    /* Get User Auth configuration. */
--    ua = ipadb_get_user_auth(ipactx, lentry);
-+    /* If any code below would result in invalidating ipactx->lcontext,
-+     * lcontext must be updated with the new ipactx->lcontext value.
-+     * We rely on the fact that none of LDAP-parsing helpers does it. */
-+    lcontext = ipactx->lcontext;
- 
-     /* ignore mask for now */
- 
--- 
-2.29.2
-
-From 0da9de495ca41a1bf0926aef7c9c75c3e53dcd63 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 23 Feb 2021 10:06:25 +0200
-Subject: [PATCH] ipa-kdb: fix compiler warnings
-
-There are few fields in KDB structures that have 'conflicting' types but
-need to be compared. They come from MIT Kerberos and we have no choice
-here.
-
-In the same way, SID structures have own requirements.
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Robbie Harwood <rharwood@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_audit_as.c   | 4 ++--
- daemons/ipa-kdb/ipa_kdb_mspac.c      | 6 +++---
- daemons/ipa-kdb/ipa_kdb_principals.c | 6 +++---
- daemons/ipa-kdb/ipa_kdb_pwdpolicy.c  | 2 +-
- 4 files changed, 9 insertions(+), 9 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
-index ed48ea758..ec2046bfe 100644
---- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
-+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
-@@ -112,13 +112,13 @@ void ipadb_audit_as_req(krb5_context kcontext,
- 
-         if (krb5_ts_after(krb5_ts_incr(client->last_failed,
-                         ied->pol->lockout_duration), authtime) &&
--            (client->fail_auth_count >= ied->pol->max_fail && 
-+            (client->fail_auth_count >= (krb5_kvno) ied->pol->max_fail &&
-              ied->pol->max_fail != 0)) {
-             /* client already locked, nothing more to do */
-             break;
-         }
-         if (ied->pol->max_fail == 0 ||
--            client->fail_auth_count < ied->pol->max_fail) {
-+            client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
-             /* let's increase the fail counter */
-             client->fail_auth_count++;
-             client->mask |= KMASK_FAIL_AUTH_COUNT;
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 81a8fd483..9691b14f6 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -148,9 +148,9 @@ int string_to_sid(const char *str, struct dom_sid *sid)
- 
- char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid)
- {
--    size_t c;
-+    int8_t c;
-     size_t len;
--    int ofs;
-+    size_t ofs;
-     uint32_t ia;
-     char *buf;
- 
-@@ -2612,7 +2612,7 @@ krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
- 
-         t[n].upn_suffixes_len = NULL;
-         if (t[n].upn_suffixes != NULL) {
--            size_t len = 0;
-+            int len = 0;
- 
-             for (; t[n].upn_suffixes[len] != NULL; len++);
- 
-diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index cf1b4f53e..0a98ff054 100644
---- a/daemons/ipa-kdb/ipa_kdb_principals.c
-+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -494,7 +494,7 @@ static krb5_error_code ipadb_get_ldap_auth_ind(krb5_context kcontext,
-     l = len;
-     for (i = 0; i < count; i++) {
-         ret = snprintf(ap, l, "%s ", authinds[i]);
--        if (ret <= 0 || ret > l) {
-+        if (ret <= 0 || ret > (int) l) {
-             ret = ENOMEM;
-             goto cleanup;
-         }
-@@ -2086,7 +2086,7 @@ static krb5_error_code ipadb_get_ldap_mod_auth_ind(krb5_context kcontext,
-     char *s = NULL;
-     size_t ai_size = 0;
-     int cnt = 0;
--    int i = 0;
-+    size_t i = 0;
- 
-     ret = krb5_dbe_get_string(kcontext, entry, "require_auth", &ais);
-     if (ret) {
-@@ -2467,7 +2467,7 @@ static krb5_error_code ipadb_entry_default_attrs(struct ipadb_mods *imods)
- {
-     krb5_error_code kerr;
-     LDAPMod *m = NULL;
--    int i;
-+    size_t i;
- 
-     kerr = ipadb_mods_new(imods, &m);
-     if (kerr) {
-diff --git a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
-index 4965e6d7f..6f21ef867 100644
---- a/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
-+++ b/daemons/ipa-kdb/ipa_kdb_pwdpolicy.c
-@@ -361,7 +361,7 @@ krb5_error_code ipadb_check_policy_as(krb5_context kcontext,
-     }
- 
-     if (ied->pol->max_fail == 0 ||
--        client->fail_auth_count < ied->pol->max_fail) {
-+        client->fail_auth_count < (krb5_kvno) ied->pol->max_fail) {
-         /* still within allowed failures range */
-         return 0;
-     }
--- 
-2.29.2
-
-From c7ce801b590e29263e9b1904995c603735007771 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 24 Feb 2021 20:51:40 +0200
-Subject: [PATCH] ipa-kdb: add missing prototypes
-
-On Fedora 33 GCC defaults to -Wmissing-prototypes and emits warnings
-about function prototypes missing. If -Werror is specified, this breaks
-compilation.
-
-We also default to -Werror=implicit-function-declaration
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Robbie Harwood <rharwood@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_kdcpolicy.c     |  4 ++++
- daemons/ipa-kdb/ipa_kdb_mspac.c         | 20 ++++++++++++--------
- daemons/ipa-kdb/ipa_kdb_mspac_private.h |  4 ++++
- 3 files changed, 20 insertions(+), 8 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-index a89f8bbda..aa61a2d1b 100644
---- a/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-+++ b/daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
-@@ -14,6 +14,10 @@
- #define ONE_DAY_SECONDS (24 * 60 * 60)
- #define JITTER_WINDOW_SECONDS (1 * 60 * 60)
- 
-+krb5_error_code kdcpolicy_ipakdb_initvt(krb5_context context,
-+                                        int maj_ver, int min_ver,
-+                                        krb5_plugin_vtable vtable);
-+
- static void
- jitter(krb5_deltat baseline, krb5_deltat *lifetime_out)
- {
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 9691b14f6..47b12a16f 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -2408,9 +2408,10 @@ void ipadb_mspac_struct_free(struct ipadb_mspac **mspac)
-     *mspac = NULL;
- }
- 
--krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
--                                                  struct dom_sid **result_sids,
--                                                  int *result_length)
-+static krb5_error_code
-+ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
-+                                  struct dom_sid **result_sids,
-+                                  int *result_length)
- {
-     int len, i;
-     char **source;
-@@ -2441,9 +2442,10 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
-     return 0;
- }
- 
--krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
--                                                   char **sid_blocklist_incoming,
--                                                   char **sid_blocklist_outgoing)
-+static krb5_error_code
-+ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrust,
-+                                   char **sid_blocklist_incoming,
-+                                   char **sid_blocklist_outgoing)
- {
-     krb5_error_code kerr;
- 
-@@ -2464,7 +2466,8 @@ krb5_error_code ipadb_adtrusts_fill_sid_blacklists(struct ipadb_adtrusts *adtrus
-     return 0;
- }
- 
--krb5_error_code ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
-+static krb5_error_code
-+ipadb_mspac_check_trusted_domains(struct ipadb_context *ipactx)
- {
-     char *attrs[] = { NULL };
-     char *filter = "(objectclass=ipaNTTrustedDomain)";
-@@ -2509,7 +2512,8 @@ static void ipadb_free_sid_blacklists(char ***sid_blocklist_incoming, char ***si
-     }
- }
- 
--krb5_error_code ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
-+static krb5_error_code
-+ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
- {
-     struct ipadb_adtrusts *t;
-     LDAP *lc = NULL;
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-index d23a14a0b..8c8a3a001 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-@@ -53,3 +53,7 @@ struct ipadb_adtrusts {
- 
- int string_to_sid(const char *str, struct dom_sid *sid);
- char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
-+krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
-+                                  krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
-+void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
-+                          bool *_with_pac, bool *_with_pad);
-\ No newline at end of file
--- 
-2.29.2
-
-From f340baa4283c76957d9e0a85896c7fa3a994bba6 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 24 Feb 2021 20:52:15 +0200
-Subject: [PATCH] ipa-kdb: reformat ipa_kdb_certauth
-
-Add prototype to the exported function
-
-Replace few tabs by spaces and mark static code as static.
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Robbie Harwood <rharwood@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_certauth.c | 25 ++++++++++++++-----------
- 1 file changed, 14 insertions(+), 11 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
-index bc6b26578..3a3060c92 100644
---- a/daemons/ipa-kdb/ipa_kdb_certauth.c
-+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
-@@ -71,10 +71,13 @@ struct krb5_certauth_moddata_st {
-     time_t valid_until;
- };
- 
--void ipa_certmap_debug(void *private,
--                       const char *file, long line,
--                       const char *function,
--                       const char *format, ...)
-+krb5_error_code certauth_ipakdb_initvt(krb5_context context,
-+                                       int maj_ver, int min_ver,
-+                                       krb5_plugin_vtable vtable);
-+
-+static void ipa_certmap_debug(void *private, const char *file, long line,
-+                              const char *function,
-+                              const char *format, ...)
- {
-     va_list ap;
-     char str[255] = { 0 };
-@@ -354,12 +357,12 @@ static krb5_error_code ipa_certauth_authorize(krb5_context context,
-      * so there is nothing more to add here. */
-     auth_inds = calloc(2, sizeof(char *));
-     if (auth_inds != NULL) {
--	ret = asprintf(&auth_inds[0], "pkinit");
--	if (ret != -1) {
-+        ret = asprintf(&auth_inds[0], "pkinit");
-+        if (ret != -1) {
-             auth_inds[1] = NULL;
-             *authinds_out = auth_inds;
--	} else {
--	    free(auth_inds);
-+        } else {
-+            free(auth_inds);
-         }
-     }
- 
-@@ -404,12 +407,12 @@ static void ipa_certauth_free_indicator(krb5_context context,
-     size_t i = 0;
- 
-     if ((authinds == NULL) || (moddata == NULL)) {
--	return;
-+        return;
-     }
- 
-     for(i=0; authinds[i]; i++) {
--	free(authinds[i]);
--	authinds[i] = NULL;
-+        free(authinds[i]);
-+        authinds[i] = NULL;
-     }
- 
-     free(authinds);
--- 
-2.29.2
-
-From 2968609fd9f8f91b704dc8167d39ecc67beb8ddd Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Wed, 24 Feb 2021 20:55:41 +0200
-Subject: [PATCH] ipa-kdb: mark test functions as static
-
-No need to define missing prototypes to single use test functions.
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Robbie Harwood <rharwood@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 13 +++++--------
- 1 file changed, 5 insertions(+), 8 deletions(-)
-
-diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-index 2a174ce6b..0b51ffb96 100644
---- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-@@ -181,7 +181,7 @@ extern krb5_error_code filter_logon_info(krb5_context context,
-                                   krb5_data realm,
-                                   struct PAC_LOGON_INFO_CTR *info);
- 
--void test_filter_logon_info(void **state)
-+static void test_filter_logon_info(void **state)
- {
-     krb5_error_code kerr;
-     krb5_data realm = {KV5M_DATA, REALM_LEN, REALM};
-@@ -316,10 +316,7 @@ void test_filter_logon_info(void **state)
- 
- }
- 
--extern void get_authz_data_types(krb5_context context, krb5_db_entry *entry,
--                                 bool *with_pac, bool *with_pad);
--
--void test_get_authz_data_types(void **state)
-+static void test_get_authz_data_types(void **state)
- {
-     bool with_pac;
-     bool with_pad;
-@@ -437,7 +434,7 @@ void test_get_authz_data_types(void **state)
-     krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
- }
- 
--void test_string_to_sid(void **state)
-+static void test_string_to_sid(void **state)
- {
-     int ret;
-     struct dom_sid sid;
-@@ -469,7 +466,7 @@ void test_string_to_sid(void **state)
-     assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
- }
- 
--void test_dom_sid_string(void **state)
-+static void test_dom_sid_string(void **state)
- {
-     struct test_ctx *test_ctx;
-     char *str_sid;
-@@ -495,7 +492,7 @@ void test_dom_sid_string(void **state)
- }
- 
- 
--void test_check_trusted_realms(void **state)
-+static void test_check_trusted_realms(void **state)
- {
-     struct test_ctx *test_ctx;
-     krb5_error_code kerr = 0;
--- 
-2.29.2
-
diff --git a/SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch b/SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
deleted file mode 100644
index 06b42e5..0000000
--- a/SOURCES/0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 061e0b63ef3a72ba3261b42ec5f2ce290070c613 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Mon, 15 Mar 2021 16:55:08 +0100
-Subject: [PATCH] ipa-client-install: output a warning if sudo is not present
- (2)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Fixes: https://pagure.io/freeipa/issue/8530
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
----
- ipaclient/install/client.py | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ipaclient/install/client.py b/ipaclient/install/client.py
-index 0e478fa26..9bdfbddaf 100644
---- a/ipaclient/install/client.py
-+++ b/ipaclient/install/client.py
-@@ -2205,7 +2205,7 @@ def install_check(options):
-     # available.
-     if options.conf_sudo:
-         try:
--            subprocess.Popen(['sudo -V'])
-+            subprocess.Popen(['sudo', '-V'])
-         except FileNotFoundError:
-             logger.info(
-                 "The sudo binary does not seem to be present on this "
--- 
-2.30.2
-
-From 4b917833fdd62cce2fd72809fd5c963194efba3e Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Mon, 15 Mar 2021 17:00:05 +0100
-Subject: [PATCH] ipatests: check for the "no sudo present" string absence
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-When sudo is installed, no warning should be output about sudo not
-being available (obviously). Check that the relevant string is
-not present.
-
-Fixes: https://pagure.io/freeipa/issue/8530
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Armando Neto <abiagion@redhat.com>
----
- ipatests/test_integration/test_installation.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index a50a59f1a..a5ff17a0d 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -1620,3 +1620,5 @@ class TestInstallWithoutSudo(IntegrationTest):
-         tasks.install_packages(self.clients[0], ['sudo'])
-         for pkg in ('sudo', 'libsss_sudo'):
-             assert tasks.is_package_installed(self.clients[0], pkg)
-+        result = tasks.install_client(self.master, self.clients[0])
-+        assert self.no_sudo_str not in result.stderr_text
--- 
-2.30.2
-
diff --git a/SOURCES/freeipa-4.9.2.tar.gz.asc b/SOURCES/freeipa-4.9.2.tar.gz.asc
deleted file mode 100644
index b84ced9..0000000
--- a/SOURCES/freeipa-4.9.2.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmAqwW4ACgkQRxniuKu/
-YhoqEw/+J2+fMEF4qYDnb6LPs0h/xbiMU+WG5SI0Ybcy6FUrCp2utFqO6N8r7K3J
-k9WTcAXweqwEO5aP1fjvbQiIc55lQgN1rlJc+GtnBbPPKabrJB0xgx2VpP2MI8Jl
-JRSAdSNvSghaR1v0MYL3ly7GPRLUrb1+Avln+eJIHRfAuUjf9j4MWh7VNDsSp7pQ
-vMqz8OHEvSSRQYGKyJ5vQlcHRQNot2pZoWHVfEcRXMD6qn2N7yUU4o9wNOYvJMw8
-YEyInE24D13UV33F9K5QrLEaJ7lpIwJ9lmhAFuZoDUC81s5aAmLtNzUWcdwlOSzk
-tY4T+ucpq+0eH1gUiDm6bME7Uw87nc9KuNS3+Q+P2Y7RdUrrbLj8BIsz30VSk8n1
-rH2DZo/1NOFwQ5qDN92QjTeGotqCjwK/j+uRB12HkRgOHkouoZjqwcYRfdxmBhKd
-wk6BdDtvSP4voqqoeuZNCbeOKCYsqE2HlGZE9YiLbBAQs081Ir9Tajpn8sgMVURi
-7kQN7Xq9/jEl7sQ14VkRMQP8A+rRkmLM1sW3vqhMFDSOyi+qQNnzAnR28qxDBXC3
-4gG/yFGgqX7mSXsfvTVrjhcVEO6IsqkkPAcFR3Xivpy146LoONSlIGgtA8mGMIeO
-Zd3awH4T8kAt3d9RBI+R34sZm//uKQgOKDrAx0VjekFkK0tj2qU=
-=XC/f
------END PGP SIGNATURE-----
diff --git a/SOURCES/freeipa-4.9.3.tar.gz.asc b/SOURCES/freeipa-4.9.3.tar.gz.asc
new file mode 100644
index 0000000..9d5543d
--- /dev/null
+++ b/SOURCES/freeipa-4.9.3.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+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+=Wgf7
+-----END PGP SIGNATURE-----
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index b890d63..5be6747 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -49,9 +49,9 @@
 # lint is not executed during rpmbuild
 # %%global with_lint 1
 %if %{with lint}
-    %global linter_options --enable-pylint --with-jslint
+    %global linter_options --enable-pylint --with-jslint --enable-rpmlint
 %else
-    %global linter_options --disable-pylint --without-jslint
+    %global linter_options --disable-pylint --without-jslint --disable-rpmlint
 %endif
 
 # Include SELinux subpackage
@@ -73,10 +73,13 @@
 %global selinux_policy_version 3.14.3-52
 %global slapi_nis_version 0.56.4
 %global python_ldap_version 3.1.0-1
-# python3-lib389
-# Fix for "Installation fails: Replica Busy"
-# https://pagure.io/389-ds-base/issue/49818
-%global ds_version 1.4.2.4-6
+%if 0%{?rhel} < 9
+# Bug 1929067 - PKI instance creation failed with new 389-ds-base build
+%global ds_version 1.4.3.16-12
+%else
+%global ds_version 2.0.3-3
+%endif
+
 # Fix for TLS 1.3 PHA, RHBZ#1775158
 %global httpd_version 2.4.37-21
 %global bind_version 9.11.20-6
@@ -101,9 +104,13 @@
 
 # fix for segfault in python3-ldap, https://pagure.io/freeipa/issue/7324
 %global python_ldap_version 3.1.0-1
-# 1.4.3 moved nsslapd-db-locks to cn=bdb sub-entry
-# https://pagure.io/freeipa/issue/8515
-%global ds_version 1.4.3
+
+# Make sure to use 389-ds-base versions that fix https://github.com/389ds/389-ds-base/issues/4609
+%if 0%{?fedora} < 34
+%global ds_version %{lua: local v={}; v['32']='1.4.3.20-2'; v['33']='1.4.4.13-2'; print(v[rpm.expand('%{fedora}')])}
+%else
+%global ds_version 2.0.3-3
+%endif
 
 # Fix for TLS 1.3 PHA, RHBZ#1775146
 %global httpd_version 2.4.41-9
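Review bot: The Lua lookup in the new `%global ds_version` line has no fallback for a release missing from the table, which only holds the keys '32' and '33'. For any other value that passes `%if 0%{?fedora} < 34` (an older Fedora, or `%{fedora}` undefined if this arm is ever reached elsewhere), `v[...]` is nil and `print` would emit the text `nil` as the 389-ds-base floor. That would silently drop the minimum version this hunk adds for the 389-ds-base issue 4609 fix. Failing the spec parse is safer, e.g. `print(v[rpm.expand('%{fedora}')] or error('no 389-ds-base floor defined for this Fedora release'))`. The conditional that selects this Fedora section starts outside the hunk, so an outer guard may already exclude those releases.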
@@ -126,13 +133,11 @@
 %endif
 
 %if 0%{?rhel} == 8
-# PKIConnection has been modified to always validate certs.
-# https://pagure.io/freeipa/issue/8379
-%global pki_version 10.9.0-0.4
+# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
+%global pki_version 10.10.5
 %else
-# New KRA profile, ACME support
-# https://pagure.io/freeipa/issue/8545
-%global pki_version 10.10.0-2
+# Make sure to use PKI versions that work with 389-ds fix for https://github.com/389ds/389-ds-base/issues/4609
+%global pki_version 10.10.5
 %endif
 
 # RHEL 8.3+, F32+ has 0.79.13
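Review bot: Both arms of `%if 0%{?rhel} == 8` now carry the same comment and the same `%global pki_version 10.10.5`, so the conditional no longer selects anything. A single `%global pki_version 10.10.5` would make it obvious that one floor applies everywhere, unless the split is kept on purpose to ease merges with the upstream spec. The removed comments also recorded why a floor existed at all (PKIConnection always validating certificates, issue 8379, and the KRA profile/ACME support, issue 8545). A line such as `# also covers the cert-validation (8379) and ACME (8545) requirements of the earlier floors` would keep that rationale for whoever next lowers or rebases this value.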
@@ -163,7 +168,7 @@
 
 # Work-around fact that RPM SPEC parser does not accept
 # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.2
+%define IPA_VERSION 4.9.3
 # Release candidate version -- uncomment with one percent for RC versions
 #%%global rc_version %%nil
 %define AT_SIGN @
@@ -176,7 +181,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        3%{?rc_version:.%rc_version}%{?dist}
+Release:        1%{?rc_version:.%rc_version}%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 License:        GPLv3+
@@ -196,18 +201,7 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 # RHEL spec file only: START
 %if %{NON_DEVELOPER_BUILD}
 %if 0%{?rhel} >= 8
-Patch0001:      0001-ipatests_libsss_sudo_and_sudo_pagure#8530_rhbz#1932289.patch
-Patch0002:      0002-ipatests-error-message-check-in-uninstall-log-for-KR_rhbz#1932289.patch
-Patch0003:      0003-ipatests-skip-tests-for-AD-trust-with-shared-secret-_rhbz#1932289.patch
-Patch0004:      0004-ipatests-ipa-cert-fix_pagure#8600_rhbz#1932289.patch
-Patch0005:      0005-ipatests-test-Samba-mount-with-NTLM-authentication_rhbz#1932289.patch
-Patch0006:      0006-ipatests_do_not_ignore_zonemgr_pagure#8718_rhbz#1932289.patch
-Patch0007:      0007-ipatests_ipa-cert-fix_renews_pagure#7885_rhbz#1932289.patch
-Patch0008:      0008-ipatests-use-whole-date-when-calling-journalctl-sinc_rhbz#1932289.patch
-Patch0009:      0009-ipa-kdb-do-not-use-OpenLDAP-functions-with-NULL-LDAP_rhbz#1932784.patch
-Patch0010:      0010-ipa-client-install-output-a-warning-if-sudo-is-not-p_rhbz#1939371.patch
 Patch1001:      1001-Change-branding-to-IPA-and-Identity-Management.patch
-Patch2000:      0001-Also-use-uglifyjs-on-CentOS-Stream-8.patch
 %endif
 %endif
 # RHEL spec file only: END
@@ -646,6 +640,11 @@ Requires: nfs-utils
 Requires: sssd-tools >= %{sssd_version}
 Requires(post): policycoreutils
 
+# https://pagure.io/freeipa/issue/8530
+Recommends: libsss_sudo
+Recommends: sudo
+Requires: (libsss_sudo if sudo)
+
 Provides: %{alt_name}-client = %{version}
 Conflicts: %{alt_name}-client
 Obsoletes: %{alt_name}-client < %{version}
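Review bot: The comment above the new sudo dependencies is only a URL, so the spec does not show why two weak `Recommends` are combined with a conditional `Requires`. A short comment would help, e.g. `# sudo stays optional, but when it is installed libsss_sudo must be too so sudo can read rules from SSSD`. This matters because `Recommends` is skipped when weak dependencies are disabled. In that case `Requires: (libsss_sudo if sudo)` is the only line that keeps centrally managed sudo rules effective once sudo is added later. The subpackage section these lines belong to starts outside the hunk.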
@@ -804,7 +803,7 @@ Requires: python3-requests
 Requires: python3-six
 Requires: python3-sss-murmur
 Requires: python3-yubico >= 1.3.2-7
-%if 0%{?rhel} && 0%{?rhel} >= 8
+%if 0%{?rhel} && 0%{?rhel} == 8
 Requires: platform-python-setuptools
 %else
 Requires: python3-setuptools
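Review bot: In `%if 0%{?rhel} && 0%{?rhel} == 8` the first operand is redundant, because `0%{?rhel} == 8` is already false when `%{rhel}` is unset. `%if 0%{?rhel} == 8` is equivalent and matches the form used for the `pki_version` conditional earlier in this spec. A one-line comment saying why RHEL 8 needs `platform-python-setuptools` while other releases use `python3-setuptools` would also help whoever next touches this condition.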
@@ -1681,16 +1680,9 @@ fi
 
 
 %changelog
-* Fri Mar 19 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-3
-- ipa-client-install displays false message
-  'sudo binary does not seem to be present on this system'
-  Resolves: RHBZ#1939371
-
-* Thu Mar  4 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.2-2
-- Sync ipatests from upstream to RHEL packages for FreeIPA 4.9 branch
-  Resolves: RHBZ#1932289
-- Fix krb5kdc is crashing intermittently on IPA server
-  Resolves: RHBZ#1932784
+* Wed Mar 31 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.3-1
+- Upstream release FreeIPA 4.9.3
+  Resolves: RHBZ#1945038
 
 * Mon Feb 15 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.2-1
 - Upstream release FreeIPA 4.9.2