diff --git a/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch b/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch new file mode 100644 index 0000000..8a6db38 --- /dev/null +++ b/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch @@ -0,0 +1,33 @@ +From f2acf0d67bab3f3797c387705f93c3a3d0164134 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 19 Aug 2014 16:19:45 +0300 +Subject: [PATCH] ipaserver/dcerpc.py: if search of a closest GC failed, try to + find any GC + +https://fedorahosted.org/freeipa/ticket/4458 + +Reviewed-By: Sumit Bose +--- + ipaserver/dcerpc.py | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index f1c75089b875787debcee22316a4898b424d923f..b11476a262ccce4315131b9ffbd93b625de940e7 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -588,7 +588,11 @@ class DomainValidator(object): + try: + result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC | nbt.NBT_SERVER_CLOSEST) + except RuntimeError, e: +- finddc_error = e ++ try: ++ # If search of closest GC failed, attempt to find any one ++ result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC) ++ except RuntimeError, e: ++ finddc_error = e + + if not self._domains: + self._domains = self.get_trusted_domains() +-- +1.9.3 + diff --git a/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch b/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch new file mode 100644 index 0000000..a1ba8b9 --- /dev/null +++ b/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch @@ -0,0 +1,80 @@ +From 41b252a5b47f57919bf98c41947d5927ed0d5aaf Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 19 Aug 2014 16:21:21 +0300 +Subject: [PATCH] ipaserver/dcerpc.py: make PDC discovery more robust + +Certain operations against AD domain controller can only be done if its +FSMO role is primary domain controller. We need to use writable DC and +PDC when creating trust and updating name suffix routing information. + +https://fedorahosted.org/freeipa/ticket/4479 + +Reviewed-By: Sumit Bose +--- + ipaserver/dcerpc.py | 21 ++++++++++++++++----- + 1 file changed, 16 insertions(+), 5 deletions(-) + +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index b11476a262ccce4315131b9ffbd93b625de940e7..78bfc5dbefc778519c5db0ac12d6551710257ba9 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -706,16 +706,19 @@ class TrustDomainInstance(object): + binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z) + return [binding_template(t, remote_host, o) for t in transports for o in options] + +- def retrieve_anonymously(self, remote_host, discover_srv=False): ++ def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False): + """ + When retrieving DC information anonymously, we can't get SID of the domain + """ + netrc = net.Net(creds=self.creds, lp=self.parm) ++ flags = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE ++ if search_pdc: ++ flags = flags | nbt.NBT_SERVER_PDC + try: + if discover_srv: +- result = netrc.finddc(domain=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) ++ result = netrc.finddc(domain=remote_host, flags=flags) + else: +- result = netrc.finddc(address=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) ++ result = netrc.finddc(address=remote_host, flags=flags) + except RuntimeError, e: + raise assess_dcerpc_exception(message=str(e)) + +@@ -726,6 +729,7 @@ class TrustDomainInstance(object): + self.info['dns_forest'] = unicode(result.forest) + self.info['guid'] = unicode(result.domain_uuid) + self.info['dc'] = unicode(result.pdc_dns_name) ++ self.info['is_pdc'] = (result.server_type & nbt.NBT_SERVER_PDC) != 0 + + # Netlogon response doesn't contain SID of the domain. + # We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID control to reveal the SID +@@ -774,6 +778,13 @@ class TrustDomainInstance(object): + self.info['sid'] = unicode(result.sid) + self.info['dc'] = remote_host + ++ try: ++ result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE) ++ except RuntimeError, (num, message): ++ raise assess_dcerpc_exception(num=num, message=message) ++ ++ self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY) ++ + def generate_auth(self, trustdom_secret): + def arcfour_encrypt(key, data): + c = RC4.RC4(key) +@@ -1069,9 +1080,9 @@ class TrustDomainJoins(object): + rd.creds.set_anonymous() + rd.creds.set_workstation(self.local_domain.hostname) + if realm_server is None: +- rd.retrieve_anonymously(realm, discover_srv=True) ++ rd.retrieve_anonymously(realm, discover_srv=True, search_pdc=True) + else: +- rd.retrieve_anonymously(realm_server, discover_srv=False) ++ rd.retrieve_anonymously(realm_server, discover_srv=False, search_pdc=True) + rd.read_only = True + if realm_admin and realm_passwd: + if 'name' in rd.info: +-- +1.9.3 + diff --git a/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch b/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch new file mode 100644 index 0000000..595950a --- /dev/null +++ b/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch @@ -0,0 +1,29 @@ +From 027f61099c63c91aaac95a6c2b9d9a75e7b1f83e Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 19 Aug 2014 16:23:58 +0300 +Subject: [PATCH] ipaserver/dcerpc.py: be more open to what domains can be seen + through the forest trust + +https://fedorahosted.org/freeipa/ticket/4463 + +Reviewed-By: Sumit Bose +--- + ipaserver/dcerpc.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index 78bfc5dbefc778519c5db0ac12d6551710257ba9..fcf1e4e775868f17220cac3c0203cc67dba2f839 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -1031,7 +1031,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): + + result = [] + for t in domains.array: +- if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and ++ if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and + (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])): + res = dict() + res['cn'] = unicode(t.dns_name) +-- +1.9.3 + diff --git a/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch b/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch new file mode 100644 index 0000000..29ca7e5 --- /dev/null +++ b/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch @@ -0,0 +1,67 @@ +From 079fdf41592559de96465080e81aa91252c01a3d Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 19 Aug 2014 16:24:27 +0300 +Subject: [PATCH] ipaserver/dcerpc.py: Make sure trust is established only to + forest root domain + +Part of https://fedorahosted.org/freeipa/ticket/4463 + +Reviewed-By: Sumit Bose +--- + ipalib/errors.py | 16 ++++++++++++++++ + ipaserver/dcerpc.py | 6 ++++++ + 2 files changed, 22 insertions(+) + +diff --git a/ipalib/errors.py b/ipalib/errors.py +index 716decb2b41baf5470a1dc23c0cfb5d1c995e5ff..405c5c3bfc25d9b024189be9fcf582052dd10dd3 100644 +--- a/ipalib/errors.py ++++ b/ipalib/errors.py +@@ -810,6 +810,22 @@ class DeprecationError(InvocationError): + errno = 3015 + format = _("Command '%(name)s' has been deprecated") + ++class NotAForestRootError(InvocationError): ++ """ ++ **3016** Raised when an attempt to establish trust is done against non-root domain ++ Forest root domain has the same name as the forest itself ++ ++ For example: ++ ++ >>> raise NotAForestRootError(forest='example.test', domain='jointops.test') ++ Traceback (most recent call last): ++ ... ++ NotAForestRootError: Domain 'jointops.test' is not a root domain for forest 'example.test' ++ """ ++ ++ errno = 3016 ++ format = _("Domain '%(domain)s' is not a root domain for forest '%(forest)s'") ++ + + ############################################################################## + # 4000 - 4999: Execution errors +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index fcf1e4e775868f17220cac3c0203cc67dba2f839..41f373df3cc4365727200f3ca4667faac2f9e19c 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -1143,6 +1143,9 @@ class TrustDomainJoins(object): + realm_passwd + ) + ++ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: ++ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) ++ + if not self.remote_domain.read_only: + trustdom_pass = samba.generate_random_password(128, 128) + self.get_realmdomains() +@@ -1159,5 +1162,8 @@ class TrustDomainJoins(object): + if not(isinstance(self.remote_domain, TrustDomainInstance)): + self.populate_remote_domain(realm, realm_server, realm_passwd=None) + ++ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']: ++ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain']) ++ + self.local_domain.establish_trust(self.remote_domain, trustdom_passwd) + return dict(local=self.local_domain, remote=self.remote_domain, verified=False) +-- +1.9.3 + diff --git a/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch b/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch new file mode 100644 index 0000000..565c6ec --- /dev/null +++ b/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch @@ -0,0 +1,54 @@ +From ba2a63da8bada8af988d8fb8931c0cdba2c7ceee Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 19 Aug 2014 16:22:54 +0300 +Subject: [PATCH] ipaserver/dcerpc.py: Avoid hitting issue with transitive + trusts on Windows Server prior to 2012 + +http://msdn.microsoft.com/en-us/library/2a769a08-e023-459f-aebe-4fb3f595c0b7#id83 + +Reviewed-By: Sumit Bose +--- + ipaserver/dcerpc.py | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index 41f373df3cc4365727200f3ca4667faac2f9e19c..e779a12bae52ec8dac52e4a43854a8a3c601a043 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -900,7 +900,7 @@ class TrustDomainInstance(object): + info.sid = security.dom_sid(another_domain.info['sid']) + info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND + info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL +- info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE ++ info.trust_attributes = 0 + + try: + dname = lsa.String() +@@ -917,8 +917,6 @@ class TrustDomainInstance(object): + except RuntimeError, (num, message): + raise assess_dcerpc_exception(num=num, message=message) + +- self.update_ftinfo(another_domain) +- + # We should use proper trustdom handle in order to modify the + # trust settings. Samba insists this has to be done with LSA + # OpenTrustedDomain* calls, it is not enough to have a handle +@@ -937,6 +935,15 @@ class TrustDomainInstance(object): + # server as that one doesn't support AES encryption types + pass + ++ try: ++ info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE ++ self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info) ++ except RuntimeError, e: ++ root_logger.error('unable to set trust to transitive: %s' % (str(e))) ++ pass ++ if self.info['is_pdc']: ++ self.update_ftinfo(another_domain) ++ + def verify_trust(self, another_domain): + def retrieve_netlogon_info_2(domain, function_code, data): + try: +-- +1.9.3 + diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 33b4609..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -uNrp freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py freeipa-3.3.3/ipaserver/install/ntpinstance.py ---- freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py 2013-11-01 10:34:30.000000000 -0500 -+++ freeipa-3.3.3/ipaserver/install/ntpinstance.py 2014-06-26 07:27:19.644718099 -0500 -@@ -43,6 +43,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists("/etc/fedora-release"): - os = "fedora" -+ elif ipautil.file_exists("/etc/centos-release"): -+ os = "centos" - elif ipautil.file_exists("/etc/redhat-release"): - os = "rhel" - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 6d5bc80..b732bd2 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -18,7 +18,7 @@ Name: ipa Version: 3.3.3 -Release: 28%{?dist}.1 +Release: 28%{?dist}.3 Summary: The Identity, Policy and Audit system Group: System Environment/Base @@ -94,6 +94,11 @@ Patch0063: 0063-extdom-do-not-return-results-from-the-wrong-domain.patch Patch0064: 0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch Patch0065: 0065-Make-ipa-client-automount-backwards-compatible.patch Patch0066: 0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch +Patch0067: 0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch +Patch0068: 0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch +Patch0069: 0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch +Patch0070: 0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch +Patch0071: 0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -102,7 +107,6 @@ Patch1004: 1004-Change-branding-to-IPA-and-Identity-Management.patch Patch1005: 1005-Remove-pylint-from-build-process.patch Patch1006: 1006-Remove-i18test-from-build-process.patch Patch1007: 1007-Remove-ipa-backup-and-ipa-restore-functionality.patch -Patch1008: ipa-centos-branding.patch %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.1 @@ -209,6 +213,9 @@ Requires: selinux-policy >= 3.12.1-65 Requires(post): selinux-policy-base Requires: slapi-nis >= 0.47.7 Requires: pki-ca >= 10.0.4 +%if 0%{?rhel} +Requires: subscription-manager +%endif Requires(preun): python systemd-units Requires(postun): python systemd-units Requires: python-dns @@ -844,8 +851,15 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt %changelog -* Tue Sep 02 2014 CentOS Sources - 3.3.3-28.el7.centos.1 -- Roll in CentOS Branding +* Fri Sep 19 2014 Jan Cholasta - 3.3.3-28.3 +- Add one missing patch for #1144031 + +* Fri Sep 19 2014 Jan Cholasta - 3.3.3-28.2 +- Implement a fallback for situation where no closest server available during + trust setup (#1143779) +- trust-add should not be run with DCs without PDC role (#1144030) +- Improve handling of forest trust domains when establishing a cross-forest + trust (#1144031) * Thu Aug 14 2014 Martin Kosek - 3.3.3-28.1 - Server installation fails using external signed certificates with