diff --git a/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch b/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch
new file mode 100644
index 0000000..8a6db38
--- /dev/null
+++ b/SOURCES/0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch
@@ -0,0 +1,33 @@
+From f2acf0d67bab3f3797c387705f93c3a3d0164134 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:19:45 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: if search of a closest GC failed, try to
+ find any GC
+
+https://fedorahosted.org/freeipa/ticket/4458
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index f1c75089b875787debcee22316a4898b424d923f..b11476a262ccce4315131b9ffbd93b625de940e7 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -588,7 +588,11 @@ class DomainValidator(object):
+ try:
+ result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC | nbt.NBT_SERVER_CLOSEST)
+ except RuntimeError, e:
+- finddc_error = e
++ try:
++ # If search of closest GC failed, attempt to find any one
++ result = netrc.finddc(domain=domain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_GC)
++ except RuntimeError, e:
++ finddc_error = e
+
+ if not self._domains:
+ self._domains = self.get_trusted_domains()
+--
+1.9.3
+
diff --git a/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch b/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch
new file mode 100644
index 0000000..a1ba8b9
--- /dev/null
+++ b/SOURCES/0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch
@@ -0,0 +1,80 @@
+From 41b252a5b47f57919bf98c41947d5927ed0d5aaf Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:21:21 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: make PDC discovery more robust
+
+Certain operations against AD domain controller can only be done if its
+FSMO role is primary domain controller. We need to use writable DC and
+PDC when creating trust and updating name suffix routing information.
+
+https://fedorahosted.org/freeipa/ticket/4479
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index b11476a262ccce4315131b9ffbd93b625de940e7..78bfc5dbefc778519c5db0ac12d6551710257ba9 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -706,16 +706,19 @@ class TrustDomainInstance(object):
+ binding_template=lambda x,y,z: u'%s:%s[%s]' % (x, y, z)
+ return [binding_template(t, remote_host, o) for t in transports for o in options]
+
+- def retrieve_anonymously(self, remote_host, discover_srv=False):
++ def retrieve_anonymously(self, remote_host, discover_srv=False, search_pdc=False):
+ """
+ When retrieving DC information anonymously, we can't get SID of the domain
+ """
+ netrc = net.Net(creds=self.creds, lp=self.parm)
++ flags = nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS | nbt.NBT_SERVER_WRITABLE
++ if search_pdc:
++ flags = flags | nbt.NBT_SERVER_PDC
+ try:
+ if discover_srv:
+- result = netrc.finddc(domain=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
++ result = netrc.finddc(domain=remote_host, flags=flags)
+ else:
+- result = netrc.finddc(address=remote_host, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
++ result = netrc.finddc(address=remote_host, flags=flags)
+ except RuntimeError, e:
+ raise assess_dcerpc_exception(message=str(e))
+
+@@ -726,6 +729,7 @@ class TrustDomainInstance(object):
+ self.info['dns_forest'] = unicode(result.forest)
+ self.info['guid'] = unicode(result.domain_uuid)
+ self.info['dc'] = unicode(result.pdc_dns_name)
++ self.info['is_pdc'] = (result.server_type & nbt.NBT_SERVER_PDC) != 0
+
+ # Netlogon response doesn't contain SID of the domain.
+ # We need to do rootDSE search with LDAP_SERVER_EXTENDED_DN_OID control to reveal the SID
+@@ -774,6 +778,13 @@ class TrustDomainInstance(object):
+ self.info['sid'] = unicode(result.sid)
+ self.info['dc'] = remote_host
+
++ try:
++ result = self._pipe.QueryInfoPolicy2(self._policy_handle, lsa.LSA_POLICY_INFO_ROLE)
++ except RuntimeError, (num, message):
++ raise assess_dcerpc_exception(num=num, message=message)
++
++ self.info['is_pdc'] = (result.role == lsa.LSA_ROLE_PRIMARY)
++
+ def generate_auth(self, trustdom_secret):
+ def arcfour_encrypt(key, data):
+ c = RC4.RC4(key)
+@@ -1069,9 +1080,9 @@ class TrustDomainJoins(object):
+ rd.creds.set_anonymous()
+ rd.creds.set_workstation(self.local_domain.hostname)
+ if realm_server is None:
+- rd.retrieve_anonymously(realm, discover_srv=True)
++ rd.retrieve_anonymously(realm, discover_srv=True, search_pdc=True)
+ else:
+- rd.retrieve_anonymously(realm_server, discover_srv=False)
++ rd.retrieve_anonymously(realm_server, discover_srv=False, search_pdc=True)
+ rd.read_only = True
+ if realm_admin and realm_passwd:
+ if 'name' in rd.info:
+--
+1.9.3
+
diff --git a/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch b/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch
new file mode 100644
index 0000000..595950a
--- /dev/null
+++ b/SOURCES/0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch
@@ -0,0 +1,29 @@
+From 027f61099c63c91aaac95a6c2b9d9a75e7b1f83e Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:23:58 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: be more open to what domains can be seen
+ through the forest trust
+
+https://fedorahosted.org/freeipa/ticket/4463
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 78bfc5dbefc778519c5db0ac12d6551710257ba9..fcf1e4e775868f17220cac3c0203cc67dba2f839 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1031,7 +1031,7 @@ def fetch_domains(api, mydomain, trustdomain, creds=None):
+
+ result = []
+ for t in domains.array:
+- if ((t.trust_attributes & trust_attributes['NETR_TRUST_ATTRIBUTE_WITHIN_FOREST']) and
++ if (not (t.trust_flags & trust_flags['NETR_TRUST_FLAG_PRIMARY']) and
+ (t.trust_flags & trust_flags['NETR_TRUST_FLAG_IN_FOREST'])):
+ res = dict()
+ res['cn'] = unicode(t.dns_name)
+--
+1.9.3
+
diff --git a/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch b/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch
new file mode 100644
index 0000000..29ca7e5
--- /dev/null
+++ b/SOURCES/0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch
@@ -0,0 +1,67 @@
+From 079fdf41592559de96465080e81aa91252c01a3d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:24:27 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: Make sure trust is established only to
+ forest root domain
+
+Part of https://fedorahosted.org/freeipa/ticket/4463
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipalib/errors.py | 16 ++++++++++++++++
+ ipaserver/dcerpc.py | 6 ++++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/ipalib/errors.py b/ipalib/errors.py
+index 716decb2b41baf5470a1dc23c0cfb5d1c995e5ff..405c5c3bfc25d9b024189be9fcf582052dd10dd3 100644
+--- a/ipalib/errors.py
++++ b/ipalib/errors.py
+@@ -810,6 +810,22 @@ class DeprecationError(InvocationError):
+ errno = 3015
+ format = _("Command '%(name)s' has been deprecated")
+
++class NotAForestRootError(InvocationError):
++ """
++ **3016** Raised when an attempt to establish trust is done against non-root domain
++ Forest root domain has the same name as the forest itself
++
++ For example:
++
++ >>> raise NotAForestRootError(forest='example.test', domain='jointops.test')
++ Traceback (most recent call last):
++ ...
++ NotAForestRootError: Domain 'jointops.test' is not a root domain for forest 'example.test'
++ """
++
++ errno = 3016
++ format = _("Domain '%(domain)s' is not a root domain for forest '%(forest)s'")
++
+
+ ##############################################################################
+ # 4000 - 4999: Execution errors
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index fcf1e4e775868f17220cac3c0203cc67dba2f839..41f373df3cc4365727200f3ca4667faac2f9e19c 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -1143,6 +1143,9 @@ class TrustDomainJoins(object):
+ realm_passwd
+ )
+
++ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
++ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
++
+ if not self.remote_domain.read_only:
+ trustdom_pass = samba.generate_random_password(128, 128)
+ self.get_realmdomains()
+@@ -1159,5 +1162,8 @@ class TrustDomainJoins(object):
+ if not(isinstance(self.remote_domain, TrustDomainInstance)):
+ self.populate_remote_domain(realm, realm_server, realm_passwd=None)
+
++ if self.remote_domain.info['dns_domain'] != self.remote_domain.info['dns_forest']:
++ raise errors.NotAForestRootError(forest=self.remote_domain.info['dns_forest'], domain=self.remote_domain.info['dns_domain'])
++
+ self.local_domain.establish_trust(self.remote_domain, trustdom_passwd)
+ return dict(local=self.local_domain, remote=self.remote_domain, verified=False)
+--
+1.9.3
+
diff --git a/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch b/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch
new file mode 100644
index 0000000..565c6ec
--- /dev/null
+++ b/SOURCES/0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch
@@ -0,0 +1,54 @@
+From ba2a63da8bada8af988d8fb8931c0cdba2c7ceee Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 19 Aug 2014 16:22:54 +0300
+Subject: [PATCH] ipaserver/dcerpc.py: Avoid hitting issue with transitive
+ trusts on Windows Server prior to 2012
+
+http://msdn.microsoft.com/en-us/library/2a769a08-e023-459f-aebe-4fb3f595c0b7#id83
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ ipaserver/dcerpc.py | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 41f373df3cc4365727200f3ca4667faac2f9e19c..e779a12bae52ec8dac52e4a43854a8a3c601a043 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -900,7 +900,7 @@ class TrustDomainInstance(object):
+ info.sid = security.dom_sid(another_domain.info['sid'])
+ info.trust_direction = lsa.LSA_TRUST_DIRECTION_INBOUND | lsa.LSA_TRUST_DIRECTION_OUTBOUND
+ info.trust_type = lsa.LSA_TRUST_TYPE_UPLEVEL
+- info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
++ info.trust_attributes = 0
+
+ try:
+ dname = lsa.String()
+@@ -917,8 +917,6 @@ class TrustDomainInstance(object):
+ except RuntimeError, (num, message):
+ raise assess_dcerpc_exception(num=num, message=message)
+
+- self.update_ftinfo(another_domain)
+-
+ # We should use proper trustdom handle in order to modify the
+ # trust settings. Samba insists this has to be done with LSA
+ # OpenTrustedDomain* calls, it is not enough to have a handle
+@@ -937,6 +935,15 @@ class TrustDomainInstance(object):
+ # server as that one doesn't support AES encryption types
+ pass
+
++ try:
++ info.trust_attributes = lsa.LSA_TRUST_ATTRIBUTE_FOREST_TRANSITIVE
++ self._pipe.SetInformationTrustedDomain(trustdom_handle, lsa.LSA_TRUSTED_DOMAIN_INFO_INFO_EX, info)
++ except RuntimeError, e:
++ root_logger.error('unable to set trust to transitive: %s' % (str(e)))
++ pass
++ if self.info['is_pdc']:
++ self.update_ftinfo(another_domain)
++
+ def verify_trust(self, another_domain):
+ def retrieve_netlogon_info_2(domain, function_code, data):
+ try:
+--
+1.9.3
+
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch
deleted file mode 100644
index 33b4609..0000000
--- a/SOURCES/ipa-centos-branding.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -uNrp freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py freeipa-3.3.3/ipaserver/install/ntpinstance.py
---- freeipa-3.3.3.orig/ipaserver/install/ntpinstance.py 2013-11-01 10:34:30.000000000 -0500
-+++ freeipa-3.3.3/ipaserver/install/ntpinstance.py 2014-06-26 07:27:19.644718099 -0500
-@@ -43,6 +43,8 @@ class NTPInstance(service.Service):
- os = ""
- if ipautil.file_exists("/etc/fedora-release"):
- os = "fedora"
-+ elif ipautil.file_exists("/etc/centos-release"):
-+ os = "centos"
- elif ipautil.file_exists("/etc/redhat-release"):
- os = "rhel"
-
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 6d5bc80..b732bd2 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -18,7 +18,7 @@
Name: ipa
Version: 3.3.3
-Release: 28%{?dist}.1
+Release: 28%{?dist}.3
Summary: The Identity, Policy and Audit system
Group: System Environment/Base
@@ -94,6 +94,11 @@ Patch0063: 0063-extdom-do-not-return-results-from-the-wrong-domain.patch
Patch0064: 0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch
Patch0065: 0065-Make-ipa-client-automount-backwards-compatible.patch
Patch0066: 0066-Convert-external-CA-chain-to-PKCS-7-before-passing-i.patch
+Patch0067: 0067-ipaserver-dcerpc.py-if-search-of-a-closest-GC-failed.patch
+Patch0068: 0068-ipaserver-dcerpc.py-make-PDC-discovery-more-robust.patch
+Patch0069: 0069-ipaserver-dcerpc.py-be-more-open-to-what-domains-can.patch
+Patch0070: 0070-ipaserver-dcerpc.py-Make-sure-trust-is-established-o.patch
+Patch0071: 0071-ipaserver-dcerpc.py-Avoid-hitting-issue-with-transit.patch
Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch
Patch1002: 1002-Remove-pkinit-plugin.patch
@@ -102,7 +107,6 @@ Patch1004: 1004-Change-branding-to-IPA-and-Identity-Management.patch
Patch1005: 1005-Remove-pylint-from-build-process.patch
Patch1006: 1006-Remove-i18test-from-build-process.patch
Patch1007: 1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
-Patch1008: ipa-centos-branding.patch
%if ! %{ONLY_CLIENT}
BuildRequires: 389-ds-base-devel >= 1.3.1
@@ -209,6 +213,9 @@ Requires: selinux-policy >= 3.12.1-65
Requires(post): selinux-policy-base
Requires: slapi-nis >= 0.47.7
Requires: pki-ca >= 10.0.4
+%if 0%{?rhel}
+Requires: subscription-manager
+%endif
Requires(preun): python systemd-units
Requires(postun): python systemd-units
Requires: python-dns
@@ -844,8 +851,15 @@ fi
%ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
%changelog
-* Tue Sep 02 2014 CentOS Sources <bugs@centos.org> - 3.3.3-28.el7.centos.1
-- Roll in CentOS Branding
+* Fri Sep 19 2014 Jan Cholasta <jcholast@redhat.com> - 3.3.3-28.3
+- Add one missing patch for #1144031
+
+* Fri Sep 19 2014 Jan Cholasta <jcholast@redhat.com> - 3.3.3-28.2
+- Implement a fallback for situation where no closest server available during
+ trust setup (#1143779)
+- trust-add should not be run with DCs without PDC role (#1144030)
+- Improve handling of forest trust domains when establishing a cross-forest
+ trust (#1144031)
* Thu Aug 14 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28.1
- Server installation fails using external signed certificates with