diff --git a/SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch b/SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
new file mode 100644
index 0000000..c853ae2
--- /dev/null
+++ b/SOURCES/0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
@@ -0,0 +1,65 @@
+From 036d6fbf3d2af9f805f28f03679afc6ae1c25282 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud
+Date: Fri, 17 Feb 2017 15:59:57 +0100
+Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
+
+When ipa-server-install configures PKI, it provides a configuration file
+with the parameter pki_ajp_host set to ::1. This parameter is used to configure
+Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
+
+ie all requests to port 8009 are redirected to port 8443 on address ::1.
+
+If the /etc/hosts config file does not define ::1 for localhost, then AJP
+redirection fails and replica install is not able to request a certificate
+for the replica.
+
+Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
+redirection with "localhost", FreeIPA does not need any more to override
+this setting.
+The code now depends on pki 10.3.5-11 which provides the fix in the template
+and the upgrade.
+
+https://fedorahosted.org/freeipa/ticket/6575
+
+Reviewed-By: Tomas Krizek
+---
+ freeipa.spec.in | 4 ++--
+ ipaserver/install/cainstance.py | 4 ----
+ 2 files changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -159,8 +159,8 @@ Requires(post): systemd-units
+ Requires: selinux-policy >= %{selinux_policy_version}
+ Requires(post): selinux-policy-base >= %{selinux_policy_version}
+ Requires: slapi-nis >= %{slapi_nis_version}
+-Requires: pki-ca >= 10.3.4
+-Requires: pki-kra >= 10.3.4
++Requires: pki-ca >= 10.3.5-11
++Requires: pki-kra >= 10.3.5-11
+ Requires(preun): python systemd-units
+ Requires(postun): python systemd-units
+ Requires: zip
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
+ config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
+ config.set("CA", "pki_external_step_two", "True")
+
+- # PKI IPv6 Configuration
+- config.add_section("Tomcat")
+- config.set("Tomcat", "pki_ajp_host", "::1")
+-
+ # Generate configuration file
+ with open(cfg_file, "wb") as f:
+ config.write(f)
+--
+2.9.3
+
diff --git a/SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch b/SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch
new file mode 100644
index 0000000..23c6c40
--- /dev/null
+++ b/SOURCES/0158-added-ssl-verification-using-IPA-trust-anchor.patch
@@ -0,0 +1,27 @@
+From c9e05427f20f79a8304a9874ae6793a0b5f54987 Mon Sep 17 00:00:00 2001
+From: Thorsten Scherf
+Date: Fri, 24 Feb 2017 11:53:46 +0100
+Subject: [PATCH] added ssl verification using IPA trust anchor
+
+https://fedorahosted.org/freeipa/ticket/6686
+
+Reviewed-By: Christian Heimes
+---
+ ipapython/secrets/client.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipapython/secrets/client.py b/ipapython/secrets/client.py
+index d9cc7d0f5b066dfd8efba480feb5f271ed1ebe83..f2f14af694df4468b3eedaac0fc762787b62e623 100644
+--- a/ipapython/secrets/client.py
++++ b/ipapython/secrets/client.py
+@@ -94,6 +94,7 @@ class CustodiaClient(object):
+
+ # Perform request
+ r = requests.get(url, headers=headers,
++ verify=paths.IPA_CA_CRT,
+ params={'type': 'kem', 'value': request})
+ r.raise_for_status()
+ reply = r.json()
+--
+2.9.3
+
diff --git a/SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch b/SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
new file mode 100644
index 0000000..e8a7344
--- /dev/null
+++ b/SOURCES/0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
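Review bot: The `requests.get(...)` call in `CustodiaClient` (ipapython/secrets/client.py, carried as patch 0158) still passes no `timeout=`, so a peer that completes the TLS handshake but never answers can block the caller indefinitely; consider adding `timeout=<seconds>` next to the new `verify=paths.IPA_CA_CRT,` argument, with a value the project chooses. Pinning `verify` to the IPA CA file limits trust to that anchor, but the commit message is subject-only, so a short comment such as `# verify against the IPA CA only, not the system bundle` above the call would record why the default was not enough. The import of `paths` is not visible in this hunk, so confirm it is already in scope in client.py. The enclosing method starts and ends outside the hunk.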
@@ -0,0 +1,46 @@
+From 61156c5157ec3f8982f4f6efdbf8dfa281cb5a11 Mon Sep 17 00:00:00 2001
+From: Fraser Tweedale
+Date: Fri, 13 Jan 2017 20:33:45 +1000
+Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
+
+CAs consist of a FreeIPA and a corresponding Dogtag object. When
+executing ca-del, ca-enable and ca-disable, changes are made to the
+Dogtag object. In the case of ca-del, the corresponding FreeIPA
+object is deleted after the Dogtag CA is deleted.
+
+These operations were not correctly authorised; the FreeIPA
+permissions are not checked before the Dogtag operations are
+executed. This allows any user to delete, enable or disable a
+lightweight CA (except the main IPA CA, for which there are
+additional check to prevent deletion or disablement).
+
+Add the proper authorisation checks to the ca-del, ca-enable and
+ca-disable commands.
+
+https://pagure.io/freeipa/issue/6713
+
+Reviewed-By: Jan Cholasta
+---
+ ipaserver/plugins/ca.py | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
+index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644
+--- a/ipaserver/plugins/ca.py
++++ b/ipaserver/plugins/ca.py
+@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):
+ def pre_callback(self, ldap, dn, *keys, **options):
+ ca_enabled_check()
+
++ # ensure operator has permission to delete CA
++ # before contacting Dogtag
++ if not ldap.can_delete(dn):
++ raise errors.ACIError(info=_(
++ "Insufficient privilege to delete a CA."))
++
+ if keys[0] == IPA_CA_CN:
+ raise errors.ProtectedEntryError(
+ label=_("CA"),
+--
+2.9.3
+
diff --git a/SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch b/SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
new file mode 100644
index 0000000..16257b5
--- /dev/null
+++ b/SOURCES/0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch
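Review bot: Only `ca_del.pre_callback` gains an authorisation check in patch 0159 (ipaserver/plugins/ca.py, a single hunk of 6 insertions), while the commit message states that ca-del, ca-enable and ca-disable were all unauthorised and are all fixed. If ca-enable and ca-disable exist on this branch, nothing in this patch adds a FreeIPA permission check to them before Dogtag is contacted, so they would need the equivalent check. If they are absent from this branch, the carried message should say so, for example `Backport note: only ca-del exists in this branch; ca-enable/ca-disable are not patched here.` `pre_callback` continues past the end of the hunk.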
@@ -0,0 +1,129 @@
+From e5311fbfd5ad83671c61473d7acf4ddaf157e994 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Thu, 23 Feb 2017 13:04:19 +0000
+Subject: [PATCH] compat: fix `Any` params in `batch` and `dnsrecord`
+
+The `methods` argument of `batch` and `dnsrecords` attribute of `dnsrecord`
+were incorrectly defined as `Str` instead of `Any`.
+
+https://fedorahosted.org/freeipa/ticket/6647
+
+Reviewed-By: Martin Basti
+---
+ ipaclient/remote_plugins/2_114/batch.py | 2 +-
+ ipaclient/remote_plugins/2_114/dns.py | 2 +-
+ ipaclient/remote_plugins/2_156/batch.py | 2 +-
+ ipaclient/remote_plugins/2_156/dns.py | 2 +-
+ ipaclient/remote_plugins/2_164/batch.py | 2 +-
+ ipaclient/remote_plugins/2_164/dns.py | 2 +-
+ ipaclient/remote_plugins/2_49/batch.py | 2 +-
+ ipaclient/remote_plugins/2_49/dns.py | 2 +-
+ 8 files changed, 8 insertions(+), 8 deletions(-)
+
+diff --git a/ipaclient/remote_plugins/2_114/batch.py b/ipaclient/remote_plugins/2_114/batch.py
+index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
+--- a/ipaclient/remote_plugins/2_114/batch.py
++++ b/ipaclient/remote_plugins/2_114/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+- parameters.Str(
++ parameters.Any(
+ 'methods',
+ required=False,
+ multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_114/dns.py b/ipaclient/remote_plugins/2_114/dns.py
+index 5d91dbcb37fcb42cb67ab76a1871fd3df6217cf8..acb8a658204fb18b088766f947f82839f053cbf3 100644
+--- a/ipaclient/remote_plugins/2_114/dns.py
++++ b/ipaclient/remote_plugins/2_114/dns.py
+@@ -326,7 +326,7 @@ class dnsrecord(Object):
+ 'dnsclass',
+ required=False,
+ ),
+- parameters.Str(
++ parameters.Any(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+diff --git a/ipaclient/remote_plugins/2_156/batch.py b/ipaclient/remote_plugins/2_156/batch.py
+index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
+--- a/ipaclient/remote_plugins/2_156/batch.py
++++ b/ipaclient/remote_plugins/2_156/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+- parameters.Str(
++ parameters.Any(
+ 'methods',
+ required=False,
+ multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_156/dns.py b/ipaclient/remote_plugins/2_156/dns.py
+index 39a0b269533481bcb5b193ad8a463a48146e5275..bbfaa9fd0fb2b582430a5c85761af206d53884f9 100644
+--- a/ipaclient/remote_plugins/2_156/dns.py
++++ b/ipaclient/remote_plugins/2_156/dns.py
+@@ -326,7 +326,7 @@ class dnsrecord(Object):
+ 'dnsclass',
+ required=False,
+ ),
+- parameters.Str(
++ parameters.Any(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+diff --git a/ipaclient/remote_plugins/2_164/batch.py b/ipaclient/remote_plugins/2_164/batch.py
+index 4a613b677bedda447a07d3d0bdc10d38762ccc61..2709e5907f18f254f7e605beff9a7f3c9a2ae18d 100644
+--- a/ipaclient/remote_plugins/2_164/batch.py
++++ b/ipaclient/remote_plugins/2_164/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+- parameters.Str(
++ parameters.Any(
+ 'methods',
+ required=False,
+ multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_164/dns.py b/ipaclient/remote_plugins/2_164/dns.py
+index b07a94f1942e3913d6d169b61d84a3b3db268671..244be87f32db6664e5264038b97bc53b704ff166 100644
+--- a/ipaclient/remote_plugins/2_164/dns.py
++++ b/ipaclient/remote_plugins/2_164/dns.py
+@@ -326,7 +326,7 @@ class dnsrecord(Object):
+ 'dnsclass',
+ required=False,
+ ),
+- parameters.Str(
++ parameters.Any(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+diff --git a/ipaclient/remote_plugins/2_49/batch.py b/ipaclient/remote_plugins/2_49/batch.py
+index a1f351d332d56c959bf8632cb218de8540f45005..67e5978e634b71735c1940086a80943d967ff1f6 100644
+--- a/ipaclient/remote_plugins/2_49/batch.py
++++ b/ipaclient/remote_plugins/2_49/batch.py
+@@ -50,7 +50,7 @@ class batch(Command):
+ NO_CLI = True
+
+ takes_args = (
+- parameters.Str(
++ parameters.Any(
+ 'methods',
+ required=False,
+ multivalue=True,
+diff --git a/ipaclient/remote_plugins/2_49/dns.py b/ipaclient/remote_plugins/2_49/dns.py
+index 07cef75c2a97c07a77a9ffa3997ec6fa431e3151..4b543a2c2539f7b67467b0a38ab8013a1ebe0840 100644
+--- a/ipaclient/remote_plugins/2_49/dns.py
++++ b/ipaclient/remote_plugins/2_49/dns.py
+@@ -256,7 +256,7 @@ class dnsrecord(Object):
+ label=_(u'Class'),
+ doc=_(u'DNS class'),
+ ),
+- parameters.Str(
++ parameters.Any(
+ 'dnsrecords',
+ required=False,
+ label=_(u'Records'),
+--
+2.9.3
+
diff --git a/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch b/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
deleted file mode 100644
index aed3a5a..0000000
--- a/SOURCES/1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From e4cee2aa50396b18713092ba7f4a9b4f232a3ea0 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Fri, 13 Jan 2017 20:33:45 +1000
-Subject: [PATCH] ca: correctly authorise ca-del, ca-enable and ca-disable
-
-CAs consist of a FreeIPA and a corresponding Dogtag object. When
-executing ca-del, ca-enable and ca-disable, changes are made to the
-Dogtag object. In the case of ca-del, the corresponding FreeIPA
-object is deleted after the Dogtag CA is deleted.
-
-These operations were not correctly authorised; the FreeIPA
-permissions are not checked before the Dogtag operations are
-executed. This allows any user to delete, enable or disable a
-lightweight CA (except the main IPA CA, for which there are
-additional check to prevent deletion or disablement).
-
-Add the proper authorisation checks to the ca-del, ca-enable and
-ca-disable commands.
----
- ipaserver/plugins/ca.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py
-index 966ae2b1bdb4bb0207dfa58f0e9c951bc930f766..b642a5d1d6e03b415ba562491e8a38569b116563 100644
---- a/ipaserver/plugins/ca.py
-+++ b/ipaserver/plugins/ca.py
-@@ -192,6 +192,12 @@ class ca_del(LDAPDelete):
- def pre_callback(self, ldap, dn, *keys, **options):
- ca_enabled_check()
-
-+ # ensure operator has permission to delete CA
-+ # before contacting Dogtag
-+ if not ldap.can_delete(dn):
-+ raise errors.ACIError(info=_(
-+ "Insufficient privilege to delete a CA."))
-+
- if keys[0] == IPA_CA_CN:
- raise errors.ProtectedEntryError(
- label=_("CA"),
---
-2.9.3
-
diff --git a/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch b/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
deleted file mode 100644
index 1838e70..0000000
--- a/SOURCES/1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 1de12ed5ec503708454e76227d646e4bd63802f7 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud
-Date: Thu, 12 Jan 2017 18:17:15 +0100
-Subject: [PATCH] Do not configure PKI ajp redirection to use "::1"
-
-When ipa-server-install configures PKI, it provides a configuration file
-with the parameter pki_ajp_host set to ::1. This parameter is used to configure
-Tomcat redirection in /etc/pki/pki-tomcat/server.xml:
-
-ie all requests to port 8009 are redirected to port 8443 on address ::1.
-
-If the /etc/hosts config file does not define ::1 for localhost, then AJP
-redirection fails and replica install is not able to request a certificate
-for the replica.
-
-Since PKI has been fixed (see PKI ticket 2570) to configure by default the AJP
-redirection with "localhost", FreeIPA does not need any more to override
-this setting.
-
-https://fedorahosted.org/freeipa/ticket/6575
-
-Reviewed-By: Tomas Krizek
----
- freeipa.spec.in | 4 ++--
- ipaserver/install/cainstance.py | 4 ----
- 2 files changed, 2 insertions(+), 6 deletions(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index dba59edc2dc1c6dd12017fbc5c9a6f7bb385e7c3..d5eb76ac3c13fbbfc645bd3e42e72e3e17b4d68c 100644
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -159,8 +159,8 @@ Requires(post): systemd-units
- Requires: selinux-policy >= %{selinux_policy_version}
- Requires(post): selinux-policy-base >= %{selinux_policy_version}
- Requires: slapi-nis >= %{slapi_nis_version}
--Requires: pki-ca >= 10.3.4
--Requires: pki-kra >= 10.3.4
-+Requires: pki-ca >= 10.3.5-11
-+Requires: pki-kra >= 10.3.5-11
- Requires(preun): python systemd-units
- Requires(postun): python systemd-units
- Requires: zip
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index 6c57aadfcdc2864f8cdc84c16556dce7163737fc..3e0d5fb40356ccf5f8053fb1c8af11c547c4d19c 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -577,10 +577,6 @@ class CAInstance(DogtagInstance):
- config.set("CA", "pki_external_ca_cert_chain_path", cert_chain_file.name)
- config.set("CA", "pki_external_step_two", "True")
-
-- # PKI IPv6 Configuration
-- config.add_section("Tomcat")
-- config.set("Tomcat", "pki_ajp_host", "::1")
--
- # Generate configuration file
- with open(cfg_file, "wb") as f:
- config.write(f)
---
-2.9.3
-
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 673cd2f..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001
-From: Jim Perrin
-Date: Wed, 11 Mar 2015 10:37:03 -0500
-Subject: [PATCH] update for new ntp server method
-
----
- ipaplatform/base/paths.py | 1 +
- ipaserver/install/ntpinstance.py | 2 ++
- 2 files changed, 3 insertions(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index af50262..5090062 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -99,6 +99,7 @@ class BasePathNamespace(object):
- PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/"
- PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf"
- ETC_REDHAT_RELEASE = "/etc/redhat-release"
-+ ETC_CENTOS_RELEASE = "/etc/centos-release"
- RESOLV_CONF = "/etc/resolv.conf"
- SAMBA_KEYTAB = "/etc/samba/samba.keytab"
- SMB_CONF = "/etc/samba/smb.conf"
-diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py
-index c653525..4b0578b 100644
---- a/ipaserver/install/ntpinstance.py
-+++ b/ipaserver/install/ntpinstance.py
-@@ -44,6 +44,8 @@ class NTPInstance(service.Service):
- os = ""
- if ipautil.file_exists(paths.ETC_FEDORA_RELEASE):
- os = "fedora"
-+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE):
-+ os = "centos"
- elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE):
- os = "rhel"
-
---
-1.8.3.1
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index daaa822..162d988 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec @@ -43,7 +43,7 @@ Name: ipa Version: 4.4.0 -Release: 14%{?dist}.6 +Release: 14%{?dist}.7 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -51,10 +51,10 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: http://www.freeipa.org/downloads/src/freeipa-%{VERSION}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity-Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source3: login-screen-logo.png -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source3: login-screen-logo.png +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity-Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -215,6 +215,10 @@ Patch0153: 0153-Set-up-DS-TLS-on-replica-in-CA-less-topology.patch Patch0154: 0154-wait_for_entry-use-only-DN-as-parameter.patch Patch0155: 0155-Wait-until-HTTPS-principal-entry-is-replicated-to-re.patch Patch0156: 0156-Use-proper-logging-for-error-messages.patch +Patch0157: 0157-Do-not-configure-PKI-ajp-redirection-to-use-1.patch +Patch0158: 0158-added-ssl-verification-using-IPA-trust-anchor.patch +Patch0159: 0159-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch +Patch0160: 0160-compat-fix-Any-params-in-batch-and-dnsrecord.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -226,9 +230,6 @@ Patch1007: 1007-Do-not-build-tests.patch Patch1008: 1008-RCUE.patch Patch1009: 1009-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1010: 1010-WebUI-add-API-browser-is-tech-preview-warning.patch -Patch1011: 1011-ca-correctly-authorise-ca-del-ca-enable-and-ca-disab.patch -Patch1012: 1012-Do-not-configure-PKI-ajp-redirection-to-use-1.patch -Patch1013: ipa-centos-branding.patch # RHEL spec file only: END %if ! %{ONLY_CLIENT} 
@@ -808,10 +809,10 @@ for p in %patches ; do done # Red Hat's Identity Management branding -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE3 install/ui/images/login-screen-logo.png -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE3 install/ui/images/login-screen-logo.png +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END @@ -1547,8 +1548,13 @@ fi %changelog -* Thu Mar 02 2017 CentOS Sources - 4.4.0-14.el7.centos.6 -- Roll in CentOS Branding +* Tue Mar 14 2017 Jan Cholasta - 4.4.0-14.7 +- Resolves: #1429872 ipa-replica-install fails promotecustodia.create_replica + with cert errors (untrusted) + - added ssl verification using IPA trust anchor +- Resolves: #1430674 batch param compatibility is incorrect + - compat: fix `Any` params in `batch` and `dnsrecord` +- Renamed patches 1011 and 1012 to 0159 and 0157, as they were merged upstream * Tue Jan 31 2017 Jan Cholasta - 4.4.0-14.6 - Resolves: #1416488 replication race condition prevents IPA to install