diff --git a/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch b/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch index ee5a7db..d205d06 100644 --- a/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch +++ b/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch @@ -1,18 +1,18 @@ -From a66fc51f69b0d19ecb63a5a78d2a052e810913c9 Mon Sep 17 00:00:00 2001 +From 7726ddeb7506b9b68720f55c410d7c53b7098d91 Mon Sep 17 00:00:00 2001 From: Martin Kosek -Date: Wed, 6 Nov 2013 12:48:26 +0100 -Subject: [PATCH] Allow kernel keyring CCACHE when supported +Date: Fri, 29 Nov 2013 13:29:20 +0100 +Subject: [PATCH 03/10] Allow kernel keyring CCACHE when supported -Allow ipa-server-install and ipa-client-install to allow kernel keyring -ccache when supported. +Server and client installer should allow kernel keyring ccache when +supported. https://fedorahosted.org/freeipa/ticket/4013 --- install/share/krb5.conf.template | 2 +- - ipa-client/ipa-install/ipa-client-install | 11 +++++++++++ - ipapython/kernel_keyring.py | 6 ++++++ - ipaserver/install/krbinstance.py | 16 ++++++++++++++++ - 4 files changed, 34 insertions(+), 1 deletion(-) + ipa-client/ipa-install/ipa-client-install | 7 +++++++ + ipapython/kernel_keyring.py | 17 +++++++++++++++++ + ipaserver/install/krbinstance.py | 10 ++++++++++ + 4 files changed, 35 insertions(+), 1 deletion(-) diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfacccc1995cd9dfa6ddd88edd1f 100644 @@ -28,7 +28,7 @@ index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfacccc1995cd9dfa6dd $REALM = { kdc = $FQDN:88 diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install -index 8e4695b42e9178725353dee2a4797a8da9b635b3..9b99953551fcffa64b16605d701831a49ba0e087 100755 +index 8e4695b42e9178725353dee2a4797a8da9b635b3..a898d388ee039752044008f8525424370098580a 100755 
--- a/ipa-client/ipa-install/ipa-client-install +++ b/ipa-client/ipa-install/ipa-client-install @@ -43,6 +43,7 @@ try: @@ -39,17 +39,13 @@ index 8e4695b42e9178725353dee2a4797a8da9b635b3..9b99953551fcffa64b16605d701831a4 from ipapython.config import IPAOptionParser from ipalib import api, errors from ipalib import x509 -@@ -926,6 +927,16 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, +@@ -926,6 +927,12 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok, libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'}) libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'}) + # Configure KEYRING CCACHE if supported -+ uid = os.geteuid() -+ try: -+ kernel_keyring.get_persistent_key(str(uid)) -+ except ValueError: -+ pass -+ else: ++ if kernel_keyring.is_persistent_keyring_supported(): ++ root_logger.debug("Enabling persistent keyring CCACHE") + libopts.append({'name':'default_ccache_name', 'type':'option', + 'value':'KEYRING:persistent:%{uid}'}) + @@ -57,10 +53,19 @@ index 8e4695b42e9178725353dee2a4797a8da9b635b3..9b99953551fcffa64b16605d701831a4 opts.append({'name':'empty', 'type':'empty'}) diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py -index 547dd3de6b45295910b66982e99886135c06335b..c6670c4ade48e9dc9b503f937cbcaead143f19fc 100644 +index 547dd3de6b45295910b66982e99886135c06335b..d30531cabaee5c12376f0821a21a6f63cd60397c 100644 --- a/ipapython/kernel_keyring.py +++ b/ipapython/kernel_keyring.py -@@ -47,6 +47,12 @@ def get_real_key(key): +@@ -17,6 +17,8 @@ + # along with this program. If not, see . + # + ++import os ++ + from ipapython.ipautil import run + + # NOTE: Absolute path not required for keyctl since we reset the environment +@@ -47,6 +49,21 @@ def get_real_key(key): raise ValueError('key %s not found' % key) return stdout.rstrip() 
@@ -70,11 +75,20 @@ index 547dd3de6b45295910b66982e99886135c06335b..c6670c4ade48e9dc9b503f937cbcaead + raise ValueError('persistent key %s not found' % key) + return stdout.rstrip() + ++def is_persistent_keyring_supported(): ++ uid = os.geteuid() ++ try: ++ get_persistent_key(str(uid)) ++ except ValueError: ++ return False ++ ++ return True ++ def has_key(key): """ Returns True/False whether the key exists in the keyring. diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py -index 98687a4002cd7b19faea03acc552759e962d8832..48407edb9b0e237cf86e8d4e9059208e52b9c165 100644 +index 98687a4002cd7b19faea03acc552759e962d8832..f1fa827d89a31f9d6d4cb7f7a78a2680f983565a 100644 --- a/ipaserver/install/krbinstance.py +++ b/ipaserver/install/krbinstance.py @@ -31,6 +31,7 @@ @@ -85,23 +99,17 @@ index 98687a4002cd7b19faea03acc552759e962d8832..48407edb9b0e237cf86e8d4e9059208e from ipalib import errors from ipapython.ipa_log_manager import * from ipapython.dn import DN -@@ -252,6 +253,21 @@ def __setup_sub_dict(self): +@@ -252,6 +253,15 @@ def __setup_sub_dict(self): dr_map = "" self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map + # Configure KEYRING CCACHE if supported -+ uid = os.geteuid() -+ try: -+ kernel_keyring.get_persistent_key(str(uid)) -+ except ValueError: -+ keyring_ccache_supported = False -+ else: -+ keyring_ccache_supported = True -+ -+ if keyring_ccache_supported: ++ if kernel_keyring.is_persistent_keyring_supported(): ++ root_logger.debug("Enabling persistent keyring CCACHE") + self.sub_dict['OTHER_LIBDEFAULTS'] = \ + " default_ccache_name = KEYRING:persistent:%{uid}\n" + else: ++ root_logger.debug("Persistent keyring CCACHE is not enabled") + self.sub_dict['OTHER_LIBDEFAULTS'] = '' + def __configure_sasl_mappings(self): diff --git a/SOURCES/0007-Remove-mod_ssl-port-workaround.patch b/SOURCES/0007-Remove-mod_ssl-port-workaround.patch new file mode 100644 index 0000000..020ca87 --- /dev/null 
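Review bot: `is_persistent_keyring_supported()` has no docstring, and its answer is decided by `os.geteuid()` of the installing process while the `default_ccache_name = KEYRING:persistent:%{uid}` it enables here (krbinstance hunk) and in the ipa-client-install hunk above applies to every user on the machine; the docstring should say that this is a "persistent keyring works on this kernel" probe run as the installer's own uid, not a per-user check, e.g. `"""Return True if the kernel persistent keyring is usable (probed with the caller's effective uid)."""`. Only `ValueError` is turned into `False`; if `get_persistent_key()` (through `run`) can raise anything else when keyctl is absent, that exception propagates out of both installers — presumably worth confirming. Both callers repeat the same `# Configure KEYRING CCACHE if supported` comment; a one-line reference to this helper would avoid explaining the probe twice.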
+++ b/SOURCES/0007-Remove-mod_ssl-port-workaround.patch 
@@ -0,0 +1,98 @@ +From 940afde411eb9ba52252ae80188f4fdbb87a9554 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Tue, 26 Nov 2013 08:53:34 +0000 +Subject: [PATCH 07/10] Remove mod_ssl port workaround. + +https://fedorahosted.org/freeipa/ticket/4021 +--- + freeipa.spec.in | 8 ++++++-- + install/tools/ipa-upgradeconfig | 2 +- + ipaserver/install/httpinstance.py | 17 ++++++++--------- + 3 files changed, 15 insertions(+), 12 deletions(-) + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index a091164907735d659be61fe29221cbce6934c77d..69ec29d9ff58bf3a25e25b35d5f3ba1d43741124 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -114,14 +114,14 @@ Requires: krb5-server >= 1.10 + Requires: krb5-pkinit-openssl + Requires: cyrus-sasl-gssapi%{?_isa} + Requires: ntp +-Requires: httpd ++Requires: httpd >= 2.4.6-6 + Requires: mod_wsgi + %if 0%{?fedora} >= 18 + Requires: mod_auth_kerb >= 5.4-16 + %else + Requires: mod_auth_kerb >= 5.4-8 + %endif +-Requires: mod_nss >= 1.0.8-24 ++Requires: mod_nss >= 1.0.8-26 + Requires: python-ldap + Requires: python-krbV + Requires: acl +@@ -832,6 +832,10 @@ fi + %endif # ONLY_CLIENT + + %changelog ++* Tue Nov 26 2013 Jan Cholasta - 3.3.2-2 ++- Set minimum version of httpd to 2.4.6-6 ++- Set minimum version of mod_nss to 1.0.8-26 ++ + * Fri Oct 25 2013 Martin Kosek - 3.3.2-1 + - Remove mod_ssl conflict, it can now live with mod_nss installed + +diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig +index 41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca..10526f226798c78ae75972b82a2f72b200a8aacf 100644 +--- a/install/tools/ipa-upgradeconfig ++++ b/install/tools/ipa-upgradeconfig +@@ -1047,7 +1047,7 @@ def main(): + http.remove_httpd_ccache() + http.configure_selinux_for_httpd() + http.configure_httpd_ccache() +- http.change_mod_nss_port_to_http() ++ http.change_mod_nss_port_from_http() + + ds = dsinstance.DsInstance() + ds.configure_dirsrv_ccache() +diff --git a/ipaserver/install/httpinstance.py 
b/ipaserver/install/httpinstance.py +index 689e657e291b93d90038937a61f67915c0d582ec..e61a0c6d1526f29acb4647710e559a5bb32a58c0 100644 +--- a/ipaserver/install/httpinstance.py ++++ b/ipaserver/install/httpinstance.py +@@ -253,25 +253,24 @@ def __configure_http(self): + http_fd.close() + os.chmod(target_fname, 0644) + +- def change_mod_nss_port_to_http(self): ++ def change_mod_nss_port_from_http(self): + # mod_ssl enforces SSLEngine on for vhost on 443 even though + # the listener is mod_nss. This then crashes the httpd as mod_nss + # listened port obviously does not match mod_ssl requirements. + # +- # Change port to http to workaround the mod_ssl check, the SSL is +- # enforced in the vhost later, so it is benign. ++ # The workaround for this was to change port to http. It is no longer ++ # necessary, as mod_nss now ships with default configuration which ++ # sets SSLEngine off when mod_ssl is installed. + # +- # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168 +- # is fixed. +- if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): +- installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False) +- sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True) ++ # Remove the workaround. ++ if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'): ++ installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False) ++ sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False) + + def __set_mod_nss_port(self): + self.fstore.backup_file(NSS_CONF) + if installutils.update_file(NSS_CONF, '8443', '443') != 0: + print "Updating port in %s failed." % NSS_CONF +- self.change_mod_nss_port_to_http() + + def __set_mod_nss_nickname(self, nickname): + installutils.set_directive(NSS_CONF, 'NSSNickname', nickname) +-- +1.8.3.1 + 
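Review bot: `change_mod_nss_port_from_http()` has no docstring and the comment `# Remove the workaround.` does not say when the method is a no-op; since it acts only while the `listen_port_updated` upgrade state is set and then clears that state, a one-line docstring such as `"""Revert the 'Listen 443 http' mod_nss workaround once, keyed on the nss.conf upgrade state."""` would make the upgrade-time contract explicit. The rename is propagated to ipa-upgradeconfig in the same patch and the call is dropped from `__set_mod_nss_port()`, so nothing else in this hunk appears to break. The class continues outside the hunk.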
diff --git a/SOURCES/0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch b/SOURCES/0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch new file mode 100644 index 0000000..f2f1a4e --- /dev/null +++ b/SOURCES/0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch 
@@ -0,0 +1,147 @@ +From 7c4828f3eb0e7b1f246f6263bdf22592d51824df Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 27 Nov 2013 12:17:43 +0200 +Subject: [PATCH 08/10] subdomains: Use AD admin credentials when trust is + being established + +When AD administrator credentials passed, they stored in realm_passwd, +not realm_password in the options. + +When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure +to normalize them. + +Additionally, force Samba auth module to use NTLMSSP in case we have +credentials because at the point when trust is established, KDC is not +yet ready to issue tickets to a service in the other realm due to +MS-PAC information caching effects. The logic is a bit fuzzy because +credentials code makes decisions on what to use based on the smb.conf +parameters and Python bindings to set parameters to smb.conf make it so +that auth module believes these parameters were overidden by the user +through the command line and ignore some of options. We have to do calls +in the right order to force NTLMSSP use instead of Kerberos. 
+ +Fixes https://fedorahosted.org/freeipa/ticket/4046 +--- + ipalib/plugins/trust.py | 13 ++++++++++--- + ipaserver/dcerpc.py | 42 ++++++++++++++++++++++++++++-------------- + 2 files changed, 38 insertions(+), 17 deletions(-) + +diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py +index 5ba0905030c700c7f63003eef25891c52330934b..3b1b2fc67ce333751556a5c3a59a7f89efc608f9 100644 +--- a/ipalib/plugins/trust.py ++++ b/ipalib/plugins/trust.py +@@ -1231,10 +1231,17 @@ def execute(self, *keys, **options): + def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): + trust_name = trust_entry['cn'][0] + creds = None +- password = options.get('realm_password', None) ++ password = options.get('realm_passwd', None) + if password: +- creds = u"%s%%%s" % (options.get('realm_admin'), password) +- domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds) ++ admin_name = options.get('realm_admin') ++ sp = admin_name.split('\\') ++ if len(sp) == 1: ++ sp.insert(0, trustinstance.remote_domain.info['name']) ++ creds = u"{name}%{password}".format(name="\\".join(sp), ++ password=password) ++ domains = ipaserver.dcerpc.fetch_domains(self.api, ++ trustinstance.local_flatname, ++ trust_name, creds=creds) + result = [] + if not domains: + return None +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index 0dde3473b12b857ff269a936ad9a07d098405c45..d809c416baac072a2489fbd3c167f08665b7a24e 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -655,7 +655,7 @@ def __gen_lsa_connection(self, binding): + except RuntimeError, (num, message): + raise assess_dcerpc_exception(num=num, message=message) + +- def __init_lsa_pipe(self, remote_host): ++ def init_lsa_pipe(self, remote_host): + """ + Try to initialize connection to the LSA pipe at remote host. 
+ This method tries consequently all possible transport options +@@ -692,7 +692,7 @@ def __gen_lsa_bindings(self, remote_host): + """ + There are multiple transports to issue LSA calls. However, depending on a + system in use they may be blocked by local operating system policies. +- Generate all we can use. __init_lsa_pipe() will try them one by one until ++ Generate all we can use. init_lsa_pipe() will try them one by one until + there is one working. + + We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned. +@@ -753,7 +753,7 @@ def parse_naming_context(self, context): + return naming_ref.match(context).group(1) + + def retrieve(self, remote_host): +- self.__init_lsa_pipe(remote_host) ++ self.init_lsa_pipe(remote_host) + + objectAttribute = lsa.ObjectAttribute() + objectAttribute.sec_qos = lsa.QosInfo() +@@ -964,34 +964,48 @@ def fetch_domains(api, mydomain, trustdomain, creds=None): + NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL = 0x00000040) + + def communicate(td): +- td.creds.guess(td.parm) +- netrc = net.Net(creds=td.creds, lp=td.parm) +- try: +- result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) +- except RuntimeError, e: +- raise assess_dcerpc_exception(message=str(e)) +- if not result: +- return None +- td.retrieve(unicode(result.pdc_dns_name)) +- ++ td.init_lsa_pipe(td.info['dc']) + netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds) + domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1) + return domains + + domains = None ++ domain_validator = DomainValidator(api) ++ configured = domain_validator.is_configured() ++ if not configured: ++ return None ++ + td = TrustDomainInstance('') + td.parm.set('workgroup', mydomain) +- td.creds = credentials.Credentials() ++ cr = credentials.Credentials() ++ cr.set_kerberos_state(credentials.DONT_USE_KERBEROS) ++ cr.guess(td.parm) ++ cr.set_anonymous() ++ cr.set_workstation(domain_validator.flatname) ++ netrc = net.Net(creds=cr, lp=td.parm) ++ 
try: ++ result = netrc.finddc(domain=trustdomain, ++ flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS) ++ except RuntimeError, e: ++ raise assess_dcerpc_exception(message=str(e)) ++ ++ td.info['dc'] = unicode(result.pdc_dns_name) + if creds is None: + domval = DomainValidator(api) + (ccache_name, principal) = domval.kinit_as_http(trustdomain) ++ td.creds = credentials.Credentials() + td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS) + if ccache_name: + with installutils.private_ccache(path=ccache_name): ++ td.creds.guess(td.parm) ++ td.creds.set_workstation(domain_validator.flatname) + domains = communicate(td) + else: ++ td.creds = credentials.Credentials() + td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS) ++ td.creds.guess(td.parm) + td.creds.parse_string(creds) ++ td.creds.set_workstation(domain_validator.flatname) + domains = communicate(td) + + if domains is None: +-- +1.8.3.1 + diff --git a/SOURCES/0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch b/SOURCES/0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch new file mode 100644 index 0000000..d5a4486 --- /dev/null +++ b/SOURCES/0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch 
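Review bot: In `fetch_domains()` the new code assigns `td.info['dc'] = unicode(result.pdc_dns_name)` right after `netrc.finddc()` without the `if not result: return None` guard that the removed `communicate()` body had, so an empty DC lookup now raises `AttributeError` instead of returning `None`; restore `if not result:` / `return None` before the assignment. In trust.py, `admin_name = options.get('realm_admin')` is followed by `admin_name.split('\\')`, which fails with `AttributeError` when `realm_passwd` is supplied without `realm_admin` — if the command does not already require both, add a check. `DomainValidator(api)` is also constructed twice in the same function (`domain_validator` and `domval`); the second can reuse the first. The function continues outside the hunk.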
@@ -0,0 +1,47 @@ +From a7fffdc2685b82546c620c19fbbda545ba1b8e90 Mon Sep 17 00:00:00 2001 +From: Tomas Babej +Date: Thu, 21 Nov 2013 15:25:27 +0100 +Subject: [PATCH 09/10] trusts: Always stop and disable smb service on + uninstall + +https://fedorahosted.org/freeipa/ticket/4042 +--- + ipaserver/install/adtrustinstance.py | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py +index 6a1ede0d7eb46a824d6e9eaf7ad1226120d08809..4aa8322e3e2cfb6fbc07696097c3e6e21fc7f665 100644 +--- a/ipaserver/install/adtrustinstance.py ++++ b/ipaserver/install/adtrustinstance.py +@@ -881,11 +881,16 @@ def uninstall(self): + if self.is_configured(): + self.print_msg("Unconfiguring %s" % self.service_name) + +- running = self.restore_state("running") +- enabled = self.restore_state("enabled") ++ # Call restore_state so that we do not leave mess in the statestore ++ # Otherwise this does nothing ++ self.restore_state("running") ++ self.restore_state("enabled") + ++ # Always try to stop and disable smb service, since we do not leave ++ # working configuration after uninstall + try: + self.stop() ++ self.disable() + except: + pass + +@@ -917,9 +922,3 @@ def uninstall(self): + + # Remove our keys from samba's keytab + self.clean_samba_keytab() +- +- if not enabled is None and not enabled: +- self.disable() +- +- if not running is None and running: +- self.start() +-- +1.8.3.1 + diff --git a/SOURCES/0010-Use-hardening-flags-for-ipa-optd.patch b/SOURCES/0010-Use-hardening-flags-for-ipa-optd.patch new file mode 100644 index 0000000..68e1c3c --- /dev/null +++ b/SOURCES/0010-Use-hardening-flags-for-ipa-optd.patch 
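Review bot: The new `self.disable()` sits in the same `try` as `self.stop()`, so when `stop()` raises the disable call is skipped, which contradicts the comment and the subject ("Always stop and disable"); give each call its own `try`. The surviving `except:` is bare and also swallows `KeyboardInterrupt`/`SystemExit`; `except Exception:` keeps the best-effort behaviour without that. The rest of `uninstall()` continues outside the hunk.
```python
            # Always try to stop and disable smb service, since we do not leave
            # working configuration after uninstall
            try:
                self.stop()
            except Exception:
                pass

            try:
                self.disable()
            except Exception:
                pass
```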
@@ -0,0 +1,277 @@ +From d55551c763d29ddd92156829fb2ae6b4f89b5184 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Wed, 27 Nov 2013 13:13:16 +0000 +Subject: [PATCH 10/11] Use hardening flags for ipa-optd. + +https://fedorahosted.org/freeipa/ticket/4010 + +Martin Kosek: note that this patch contains both Jan's original work +and squashed additional patches 206.2, 207.2, 208.2, 209.2, 212.2 +implemented to fix some of the problems introduced by the original +patch. +--- + Makefile | 3 +++ + daemons/ipa-otpd/Makefile.am | 4 ++-- + daemons/ipa-sam/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c | 4 +++- + daemons/ipa-slapi-plugins/ipa-dns/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 3 +-- + daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-version/Makefile.am | 1 - + daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am | 1 - + freeipa.spec.in | 8 ++++++-- + ipa-client/Makefile.am | 1 - + 18 files changed, 15 insertions(+), 20 deletions(-) + +diff --git a/Makefile b/Makefile +index a21cf7e33275fd1a783e89baf237c8dcd8db6508..9ed3bb59a0f1d52e1b40430bb9516d9438b0fcb4 100644 +--- a/Makefile ++++ b/Makefile +@@ -52,6 +52,9 @@ endif + + PYTHON ?= $(shell rpm -E %__python) + ++CFLAGS := -g -O2 -Werror -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS) ++export CFLAGS ++ + all: bootstrap-autogen server tests + @for subdir in $(SUBDIRS); do \ + (cd $$subdir && $(MAKE) $@) || exit 1; \ +diff --git a/daemons/ipa-otpd/Makefile.am 
b/daemons/ipa-otpd/Makefile.am +index ed99c3ecbdf6507d18243a665daa1418f978eea1..af82a5fe08856573d2d245608ba1dbaad171c7fe 100644 +--- a/daemons/ipa-otpd/Makefile.am ++++ b/daemons/ipa-otpd/Makefile.am +@@ -1,5 +1,5 @@ +-AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ +-AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ ++AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ ++AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ + + noinst_HEADERS = internal.h + libexec_PROGRAMS = ipa-otpd +diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am +index e8e22503a4d8e3821d6f455bac337feae8b34bfc..d55a187708eb5dda8ffc4c87abb2fcc854940ade 100644 +--- a/daemons/ipa-sam/Makefile.am ++++ b/daemons/ipa-sam/Makefile.am +@@ -20,7 +20,6 @@ AM_CPPFLAGS = \ + -DLDAPIDIR=\""$(localstatedir)/run"\" \ + -DHAVE_LDAP \ + -I $(KRB5_UTIL_DIR) \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(KRB5_CFLAGS) \ + $(WARN_CFLAGS) \ +diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am +index f669d6b561482e165bedc1c1b2904b7f67a49a95..70b08835e5629026c80c21c83e0c749a387b73a4 100644 +--- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am +@@ -12,7 +12,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NDRNBT_CFLAGS) \ +diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c +index 54d44ebf64b1efa0dda06773736d3413a6b70977..64ec80665de5f5b0c5c1a8605e05e34e7199a23d 100644 +--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c ++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c +@@ -82,7 +82,9 @@ static int ipa_cldap_stop(Slapi_PBlock *pb) + } + + /* send stop signal to terminate worker thread */ +- write(ctx->stopfd[1], "", 1); ++ do { ++ ret = write(ctx->stopfd[1], "", 1); ++ } while 
(ret == -1 && errno == EINTR); + close(ctx->stopfd[1]); + + ret = pthread_join(ctx->tid, &retval); +diff --git a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am +index 6d09c8d9c73755e89d91fea83ac66f088d9be553..31b7485e39af30224d97e4a759dbc5779bd61373 100644 +--- a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am +@@ -12,7 +12,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) +diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am +index 7ba754a48269f5c4ad9d2f08bc8cd7a0f8e6243c..3ce37ac10ad7d1ee077caa55a2f128f688388561 100644 +--- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am +@@ -11,7 +11,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(KRB5_CFLAGS) \ + $(WARN_CFLAGS) \ +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am +index df0c30562f09bf0e29464c9bb05f7befbd3997e1..7099a988878e2bc0cf840eab0b14fa9f40805a51 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am +@@ -13,7 +13,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(SSSIDMAP_CFLAGS) \ +diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am +index 0c69f4d7fd79a08d98c3b967e5ed35e3668cccc2..6e4c31aa591c37d3b7fdd7110f66303af3005605 100644 +--- a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am ++++ 
b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am +@@ -12,7 +12,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) +diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am +index 9fbd03397cf36097e3c38280330cdeda1bf5950e..a3f8d4f7b0886fd7e03f425d27fb1ee98d868913 100644 +--- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am +@@ -12,7 +12,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +index b53b2e1e445ccc9e756aa1ecb2656f19980cd001..8bd89653de51ab33e295fc6b1f1d6d93576d3c64 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +@@ -18,13 +18,12 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(KRB5_CFLAGS) \ + $(SSL_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) +- ++ + AM_LDFLAGS = \ + $(KRB5_LIBS) \ + $(SSL_LIBS) \ +diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am +index f23a24ed8b2c8845e7bddbce86abe5a4a2fcd8cd..5aa9b5485211dc5ac699692d8c46cf59c53a9546 100644 +--- a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am +@@ -12,7 +12,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) +diff --git 
a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am +index 4bfb0185ec589797125df747cc02dcf8a7ef30cd..642fdd599b9a3e8204232199e1cc4a5ee8b013ba 100644 +--- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am +@@ -12,7 +12,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) +diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am +index 738290170da587b0bbee96d8abcda2762264ee0e..061d8483310b686db844059deb82b1465d498652 100644 +--- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am +@@ -12,7 +12,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) +diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am +index 5396bda99c64e66428a15a17a520227f790bff00..afce915a0d76ff607c116e18ea98f959aed46d32 100644 +--- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am +@@ -13,7 +13,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(KRB5_CFLAGS) \ + $(WARN_CFLAGS) \ +diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am +index c41692864557e890d388e42c404c23e91ae8b1e9..3108f3c152c08d8b9883974a4c999f7bb89acc8e 100644 +--- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am ++++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am +@@ -11,7 +11,6 @@ AM_CPPFLAGS = \ + -DLIBDIR=\""$(libdir)"\" \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + 
-DDATADIR=\""$(datadir)"\" \ +- $(AM_CFLAGS) \ + $(LDAP_CFLAGS) \ + $(WARN_CFLAGS) \ + $(NULL) +diff --git a/freeipa.spec.in b/freeipa.spec.in +index 69ec29d9ff58bf3a25e25b35d5f3ba1d43741124..ae8ee57f3ba2c0746bb0f7a1e65dab1da83cca22 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -5,6 +5,10 @@ + %global POLICYCOREUTILSVER 2.1.12-5 + %global gettext_domain ipa + ++%if (0%{?fedora} > 15 || 0%{?rhel} >= 7) ++%define _hardened_build 1 ++%endif ++ + Name: freeipa + Version: __VERSION__ + Release: __RELEASE__%{?dist} +@@ -316,8 +320,8 @@ This package contains tests that verify IPA functionality. + %setup -n freeipa-%{version} -q + + %build +-export CFLAGS="$CFLAGS %{optflags}" +-export CPPFLAGS="$CPPFLAGS %{optflags}" ++export CFLAGS="%{optflags} $CFLAGS" ++export LDFLAGS="%{__global_ldflags} $LDFLAGS" + %if 0%{?fedora} >= 18 + # use fedora18 platform which is based on fedora16 platform with systemd + # support + fedora18 changes +diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am +index b7d70fd8d0d4383cac497b2978196e25893f9fe1..73076315d496d8f2be47ed18f726e5c9a6cb572f 100644 +--- a/ipa-client/Makefile.am ++++ b/ipa-client/Makefile.am +@@ -25,7 +25,6 @@ AM_CPPFLAGS = \ + -DLIBEXECDIR=\""$(libexecdir)"\" \ + -DDATADIR=\""$(datadir)"\" \ + -DLOCALEDIR=\""$(localedir)"\" \ +- $(AM_CFLAGS) \ + $(KRB5_CFLAGS) \ + $(OPENLDAP_CFLAGS) \ + $(SASL_CFLAGS) \ +-- +1.8.3.1 + diff --git a/SOURCES/0011-test_integration-Support-external-names-for-hosts.patch b/SOURCES/0011-test_integration-Support-external-names-for-hosts.patch new file mode 100644 index 0000000..202b024 --- /dev/null +++ b/SOURCES/0011-test_integration-Support-external-names-for-hosts.patch 
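Review bot: In `ipa_cldap_stop()` the new `do { ret = write(ctx->stopfd[1], "", 1); } while (ret == -1 && errno == EINTR);` retries only on `EINTR`; any other failure is dropped silently, `ret` is then overwritten by `pthread_join()`, and the worker thread is never told to stop, so the join can block; log the failure with the plugin's existing logging macro before continuing, `if (ret == -1) { /* log strerror(errno) */ }`, and confirm `<errno.h>` is included (not visible in the hunk). The `-Werror` added to the top-level Makefile applies to every sub-build, so warnings introduced by a newer compiler will stop the build; if that is intended, a comment next to the `CFLAGS :=` line saying so would help packagers. Note that the Makefile line only adds warning flags; the PIE/RELRO hardening the subject refers to comes from `%{optflags}`, `%{__global_ldflags}` and `_hardened_build` in the spec, which is worth stating in the Makefile comment as well.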
@@ -0,0 +1,108 @@ +From 36c14bf16eba793f37585b697bd1cb2750d68e36 Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Thu, 24 Oct 2013 12:14:58 +0200 +Subject: [PATCH 11/11] test_integration: Support external names for hosts + +The framework had a concept of external hostnames, +which the controller uses to contact the test machines, +but they were not loaded from configuration. + +Load external names from configuration. + +This makes tests pass in setups where internal and external +hostnames are different, and the internal hostnames are not +initially resolvable from the controller. + +Martin Kosek: this patch also contains squashed patch +"test_integration: Log external hostname in Host.ldap_connect" from +Petr Viktorin aiming for better debugability of the beaker tests. +--- + ipatests/test_integration/config.py | 14 ++++++++++---- + ipatests/test_integration/host.py | 11 +++++++---- + 2 files changed, 17 insertions(+), 8 deletions(-) + +diff --git a/ipatests/test_integration/config.py b/ipatests/test_integration/config.py +index 3aa4d05d6cb5758cd0d6be64a1ac582adcc971b4..b8c5fdc7f9ce1877e34491964418a8d806168e73 100644 +--- a/ipatests/test_integration/config.py ++++ b/ipatests/test_integration/config.py +@@ -236,8 +236,10 @@ def env_normalize(env): + """Fill env variables from alternate variable names + + MASTER_env1 <- MASTER +- REPLICA_env1 <- REPLICA +- CLIENT_env1 <- CLIENT, SLAVE ++ REPLICA_env1 <- REPLICA, SLAVE ++ CLIENT_env1 <- CLIENT ++ similarly for BEAKER* variants: BEAKERMASTER1_env1 <- BEAKERMASTER, etc. 
++ + CLIENT_env1 gets extended with CLIENT2 or CLIENT2_env1 + """ + def coalesce(name, *other_names): +@@ -253,8 +255,12 @@ def coalesce(name, *other_names): + else: + env[name] = '' + coalesce('MASTER_env1', 'MASTER') +- coalesce('REPLICA_env1', 'REPLICA') +- coalesce('CLIENT_env1', 'CLIENT', 'SLAVE') ++ coalesce('REPLICA_env1', 'REPLICA', 'SLAVE') ++ coalesce('CLIENT_env1', 'CLIENT') ++ ++ coalesce('BEAKERMASTER1_env1', 'BEAKERMASTER') ++ coalesce('BEAKERREPLICA1_env1', 'BEAKERREPLICA', 'BEAKERSLAVE') ++ coalesce('BEAKERCLIENT1_env1', 'BEAKERCLIENT') + + def extend(name, name2): + value = env.get(name2) +diff --git a/ipatests/test_integration/host.py b/ipatests/test_integration/host.py +index 02c82b372ce2805c0ca922319f5de1cd29b0ed82..507e19ed62b3d0a76e6e2ff6286fd83f17a68627 100644 +--- a/ipatests/test_integration/host.py ++++ b/ipatests/test_integration/host.py +@@ -32,7 +32,8 @@ class BaseHost(object): + """Representation of a remote IPA host""" + transport_class = None + +- def __init__(self, domain, hostname, role, index, ip=None): ++ def __init__(self, domain, hostname, role, index, ip=None, ++ external_hostname=None): + self.domain = domain + self.role = role + self.index = index +@@ -40,7 +41,7 @@ def __init__(self, domain, hostname, role, index, ip=None): + shortname, dot, ext_domain = hostname.partition('.') + self.shortname = shortname + self.hostname = shortname + '.' 
+ self.domain.name +- self.external_hostname = hostname ++ self.external_hostname = external_hostname or hostname + + self.netbios = self.domain.name.split('.')[0].upper() + +@@ -96,6 +97,8 @@ def remove_log_collector(self, collector): + def from_env(cls, env, domain, hostname, role, index): + ip = env.get('BEAKER%s%s_IP_env%s' % + (role.upper(), index, domain.index), None) ++ external_hostname = env.get( ++ 'BEAKER%s%s_env%s' % (role.upper(), index, domain.index), None) + + # We need to determine the type of the host, this depends on the domain + # type, as we assume all Unix machines are in the Unix domain and +@@ -106,7 +109,7 @@ def from_env(cls, env, domain, hostname, role, index): + else: + cls = Host + +- self = cls(domain, hostname, role, index, ip) ++ self = cls(domain, hostname, role, index, ip, external_hostname) + return self + + @property +@@ -157,7 +160,7 @@ def put_file_contents(self, filename, contents): + def ldap_connect(self): + """Return an LDAPClient authenticated to this host as directory manager + """ +- self.log.info('Connecting to LDAP') ++ self.log.info('Connecting to LDAP at %s', self.external_hostname) + ldap = IPAdmin(self.external_hostname) + binddn = self.config.dirman_dn + self.log.info('LDAP bind as %s' % binddn) +-- +1.8.3.1 + diff --git a/SOURCES/0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch b/SOURCES/0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch new file mode 100644 index 0000000..cf4e3e1 --- /dev/null +++ b/SOURCES/0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch 
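Review bot: `BaseHost.__init__` gains an `external_hostname` keyword but neither the class docstring nor `from_env()` says that it falls back to the internal `hostname` when the `BEAKER<ROLE><N>_env<M>` variable is unset; add `# name the controller uses to reach the host; defaults to the internal name` next to `self.external_hostname = external_hostname or hostname`. In `ldap_connect()` the new `self.log.info('Connecting to LDAP at %s', self.external_hostname)` uses lazy `%` args while the neighbouring `self.log.info('LDAP bind as %s' % binddn)` formats eagerly; either works, but one style per method reads better.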
@@ -0,0 +1,42 @@
+From ab33d06556e607b4477500f77d97f6ec7ee536c3 Mon Sep 17 00:00:00 2001
+From: Tomas Babej
+Date: Tue, 26 Nov 2013 12:15:33 +0100
+Subject: [PATCH] ipa-client-install: Always pass hostname to the ipa-join
+
+The ipa-client-install script and ipa-join use different methods
+of resolving the hostname, the former uses gethostbyaddr() call,
+while the latter reads the "uinfo.nodename".
+
+This can result ipa-client-install failures in case of broken PTR
+records.
+
+https://fedorahosted.org/freeipa/ticket/4027
+---
+ ipa-client/ipa-install/ipa-client-install | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index a898d388ee039752044008f8525424370098580a..5e966a3ae9fb9d5881d0fd4e8c2509f92e665d44 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -2119,13 +2119,13 @@ def install(options, env, fstore, statestore):
+ (ccache_fd, ccache_name) = tempfile.mkstemp()
+ os.close(ccache_fd)
+ env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
+- join_args = ["/usr/sbin/ipa-join", "-s", cli_server[0], "-b", str(realm_to_suffix(cli_realm))]
++ join_args = ["/usr/sbin/ipa-join",
++ "-s", cli_server[0],
++ "-b", str(realm_to_suffix(cli_realm)),
++ "-h", hostname]
+ if options.debug:
+ join_args.append("-d")
+ env['XMLRPC_TRACE_CURL'] = 'yes'
+- if options.hostname:
+- join_args.append("-h")
+- join_args.append(options.hostname)
+ if options.force_join:
+ join_args.append("-f")
+ if options.principal is not None:
+--
+1.8.3.1
+
diff --git a/SOURCES/0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch b/SOURCES/0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch
new file mode 100644
index 0000000..434f2b5
--- /dev/null
+++ b/SOURCES/0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch
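Review bot: `hostname` is now handed to ipa-join on every run, but the hunk does not show where it is assigned or validated; per the commit message the script derives it from a gethostbyaddr() reverse lookup, so with this change a wrong or spoofed PTR record decides the name the client enrolls under instead of making the join fail. The removed `if options.hostname:` branch presumably means `hostname` already carries the --hostname override — worth confirming, since otherwise an explicit override is silently lost. A one-line comment above the list would make the dependency visible to the next reader: `# hostname was resolved/validated earlier in install(); pass it so ipa-join does not resolve it independently`. install() starts and ends outside the hunk.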
@@ -0,0 +1,43 @@
+From 51f46b7acd00b324e66e5fffd8646a48dc70aa2d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Thu, 5 Dec 2013 13:47:37 +0200
+Subject: [PATCH 13/14] trust: fix get_dn() to distinguish creating and
+ re-adding trusts
+
+Latest support for subdomains introduced regression that masked
+difference between newly added trust and re-added one.
+
+Additionally, in case no new subdomains were found, the code was
+returning None instead of an empty list which later could confuse
+trustdomain-find command.
+
+https://fedorahosted.org/freeipa/ticket/4067
+---
+ ipalib/plugins/trust.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 3b1b2fc67ce333751556a5c3a59a7f89efc608f9..76d609fd4de33edd96715deaaf7842c1de3ddaf4 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -262,7 +262,7 @@ def get_dn(self, *keys, **kwargs):
+ result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
+ ldap.SCOPE_SUBTREE, filter, [''])
+ except errors.NotFound:
+- trust_type = u'ad'
++ return None
+ else:
+ if len(result) > 1:
+ raise errors.OnlyOneValueAllowed(attr='trust domain')
+@@ -1244,7 +1244,7 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
+ trust_name, creds=creds)
+ result = []
+ if not domains:
+- return None
++ return result
+
+ for dom in domains:
+ dom['trust_type'] = u'ad'
+--
+1.8.4.2
+
diff --git a/SOURCES/0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch b/SOURCES/0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch
new file mode 100644
index 0000000..ad174dc
--- /dev/null
+++ b/SOURCES/0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch
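Review bot: Returning `None` from `get_dn` on NotFound changes the contract for every caller of the trust object's `get_dn`, not only the re-add path this hunk targets; commands built on LDAPRetrieve (trust-show and friends) would then carry a `None` dn into their callbacks instead of surfacing NotFound to the user. Patch 0023 later in this same series replaces this hunk by letting `errors.NotFound` propagate and catching it in `execute_ad`, so the two should be read together and the intermediate `return None` state is best documented as such, e.g. `# None signals "trust not found" to execute_ad only; other callers must check for it`. The second hunk's `return result` is the right fix for the empty-subdomain case. Both get_dn and fetch_domains_from_trust extend outside the hunk.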
@@ -0,0 +1,48 @@ +From 03bfce26c944e2bf4d3073d959ed1e26d8f390a1 Mon Sep 17 00:00:00 2001 +From: Tomas Babej +Date: Tue, 26 Nov 2013 12:14:39 +0100 +Subject: [PATCH 14/14] ipa-cldap: Cut NetBIOS name after 15 characters + +The CLDAP DS plugin uses the uppercased first segment of the fully +qualified hostname as the NetBIOS name. We need to limit its size +to 15 characters. + +https://fedorahosted.org/freeipa/ticket/4028 +--- + daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h | 1 + + daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 6 +++++- + 2 files changed, 6 insertions(+), 1 deletion(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h +index 7b0c2aad1991f5f5958db62844f5777f71534794..3f420ff2c5acc7bd75bff7f042f76b9c61144461 100644 +--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h ++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h +@@ -59,6 +59,7 @@ + #define IPA_PLUGIN_NAME IPA_CLDAP_PLUGIN_NAME + #define CLDAP_PORT 389 + #define MAX_DG_SIZE 4096 ++#define NETBIOS_NAME_MAX 15 + + #ifndef MAXHOSTNAMELEN + #define MAXHOSTNAMELEN 64 +diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c +index 7d29fe559be55607fcb6b83fa521372e5197b848..9ba05829418a0d1de46f2c7776cc15c54a9eab1c 100644 +--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c +@@ -161,8 +161,12 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, + nlr->dns_domain = domain; + nlr->pdc_dns_name = fq_hostname; + nlr->domain_name = name; +- pdc_name = talloc_asprintf(nlr, "\\\\%s", fq_hostname); ++ ++ /* copy the first 15 characters of the fully qualified hostname*/ ++ pdc_name = talloc_asprintf(nlr, "\\\\%.*s", NETBIOS_NAME_MAX, fq_hostname); ++ + for (p = pdc_name; *p; p++) { ++ /* Create the NetBIOS name from the first segment of the hostname */ + if (*p == '.') 
{ + *p = '\0'; + break; +-- +1.8.4.2 + diff --git a/SOURCES/0015-Prevent-garbage-from-readline-on-standard-output-of-.patch b/SOURCES/0015-Prevent-garbage-from-readline-on-standard-output-of-.patch new file mode 100644 index 0000000..f35e96a --- /dev/null +++ b/SOURCES/0015-Prevent-garbage-from-readline-on-standard-output-of-.patch @@ -0,0 +1,29 @@ +From 57bf3ea34f2b727ffe1977de1010fdf0f62c354a Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Tue, 10 Dec 2013 16:32:08 +0100 +Subject: [PATCH] Prevent garbage from readline on standard output of + dogtag-ipa-retrieve-agent. + +https://fedorahosted.org/freeipa/ticket/4064 +--- + install/certmonger/dogtag-ipa-retrieve-agent-submit | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/install/certmonger/dogtag-ipa-retrieve-agent-submit b/install/certmonger/dogtag-ipa-retrieve-agent-submit +index 3781fc5d01da12ce2dc01e17fc60143e82fbedc6..70cbd82d7d5cc392a2877e7478f459cc8b4a570f 100644 +--- a/install/certmonger/dogtag-ipa-retrieve-agent-submit ++++ b/install/certmonger/dogtag-ipa-retrieve-agent-submit +@@ -23,6 +23,10 @@ + # retrieve the updated certificate from IPA. + + import os ++# Prevent garbage from readline on standard output ++# (see https://fedorahosted.org/freeipa/ticket/4064) ++if not os.isatty(1): ++ os.environ['TERM'] = 'dumb' + import sys + import shutil + import tempfile +-- +1.8.4.2 + diff --git a/SOURCES/0016-Do-not-build-tests.patch b/SOURCES/0016-Do-not-build-tests.patch new file mode 100644 index 0000000..3717767 --- /dev/null +++ b/SOURCES/0016-Do-not-build-tests.patch 
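Review bot: The `%.*s` precision cuts the FQDN to NETBIOS_NAME_MAX bytes before the '.' scan, so a first label longer than 15 characters is truncated mid-label as the commit intends, but the new comment `/* Create the NetBIOS name from the first segment of the hostname */` sits inside the loop body and reads as a per-iteration action; move it above the `for` and merge it with the one above `talloc_asprintf` into a single `/* NetBIOS name: first DNS label of the FQDN, at most NETBIOS_NAME_MAX chars */`. The commit message says the NetBIOS name is the uppercased first segment, yet nothing in this hunk upper-cases `pdc_name`; if that happens on `name` elsewhere it deserves a pointer here, otherwise case-sensitive comparison on the client side may not match. The talloc_asprintf result is still dereferenced without a NULL check on the following line, as before the change. ipa_cldap_encode_netlogon continues outside the hunk.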
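Review bot: The `TERM = 'dumb'` workaround is order-sensitive — it only has an effect if it runs before whatever later import pulls in readline — and the assignment to `os.environ` is also inherited by every subprocess this certmonger helper spawns, which a future reader may not expect. Saying both next to it would protect it from a later import reorder: `# must run before the imports below (readline is pulled in transitively); note this also changes TERM for child processes`. The `os.isatty(1)` guard is the right condition here, since the garbage only matters when stdout is the pipe certmonger reads.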
@@ -0,0 +1,35 @@
+From 0c1c338accaf23b993781535c68bdaf93ba05430 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Mon, 6 Jan 2014 10:47:19 +0100
+Subject: [PATCH] Do not build tests
+
+Tests have been moved to other SRPM.
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 9ed3bb59a0f1d52e1b40430bb9516d9438b0fcb4..7a1e7fd9dcf916d2a238c44ec34bd33fe8989c03 100644
+--- a/Makefile
++++ b/Makefile
+@@ -55,7 +55,7 @@ PYTHON ?= $(shell rpm -E %__python)
+ CFLAGS := -g -O2 -Werror -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS)
+ export CFLAGS
+
+-all: bootstrap-autogen server tests
++all: bootstrap-autogen server
+ @for subdir in $(SUBDIRS); do \
+ (cd $$subdir && $(MAKE) $@) || exit 1; \
+ done
+@@ -77,7 +77,7 @@ client-autogen: version-update
+ tests-man-autogen: version-update
+ cd ipatests/man; if [ ! -e Makefile ]; then ../../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
+
+-install: all server-install tests-install
++install: all server-install
+ @for subdir in $(SUBDIRS); do \
+ (cd $$subdir && $(MAKE) $@) || exit 1; \
+ done
+--
+1.8.4.2
+
diff --git a/SOURCES/0017-PKI-service-restart-after-CA-renewal-failed.patch b/SOURCES/0017-PKI-service-restart-after-CA-renewal-failed.patch
new file mode 100644
index 0000000..947e53a
--- /dev/null
+++ b/SOURCES/0017-PKI-service-restart-after-CA-renewal-failed.patch
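Review bot: `tests-man-autogen: version-update` is still defined in the context lines of the second hunk, and with `tests` dropped from `all` and `tests-install` from `install` nothing visible here depends on it any more; if no other target references it (the rest of the Makefile is outside the hunk) it is dead and belongs in the same change. A comment on the `all:` line would also explain the asymmetry to a reader who sees `ipatests/` still in the tree, e.g. `# tests are built and packaged from a separate SRPM`.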
@@ -0,0 +1,198 @@ +From 34c054ea9203ffa804bafb20afa236af867ce572 Mon Sep 17 00:00:00 2001 +From: Jan Cholasta +Date: Tue, 15 Oct 2013 17:47:12 +0000 +Subject: [PATCH] PKI service restart after CA renewal failed + +Fix both the service restart procedure and registration of old +pki-cad well known service name. + +This patch was adapted from original patch of Jan Cholasta 178 to +fix ticket 4092. + +https://fedorahosted.org/freeipa/ticket/4092 +--- + install/restart_scripts/renew_ca_cert | 16 +++++++++------- + install/restart_scripts/restart_pkicad | 30 ++++++++++++++++++------------ + install/restart_scripts/stop_pkicad | 16 ++++++++-------- + ipapython/dogtag.py | 4 ++++ + ipapython/platform/base/__init__.py | 2 +- + ipaserver/install/cainstance.py | 4 ++-- + 6 files changed, 42 insertions(+), 30 deletions(-) + +diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert +index ab394b970eaee28bc386d4d1ba737643414e2680..b10e4b842f3b9a54962402cddce8710eae4538b8 100644 +--- a/install/restart_scripts/renew_ca_cert ++++ b/install/restart_scripts/renew_ca_cert +@@ -49,6 +49,7 @@ api.finalize() + + configured_constants = dogtag.configured_constants(api) + alias_dir = configured_constants.ALIAS_DIR ++dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME] + dogtag_instance = configured_constants.PKI_INSTANCE_NAME + + # Fetch the new certificate +@@ -106,12 +107,13 @@ if nickname == 'auditSigningCert cert-pki-ca': + # off the servlet to verify that the CA is actually up and responding so + # when this returns it should be good-to-go. The CA was stopped in the + # pre-save state. 
+-syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance) ++syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name) + try: +- if configured_constants.DOGTAG_VERSION == 9: +- ipaservices.knownservices.pki_cad.start(dogtag_instance) +- else: +- ipaservices.knownservices.pki_tomcatd.start(dogtag_instance) ++ dogtag_service.start(dogtag_instance) + except Exception, e: +- syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" % +- (dogtag_instance, str(e))) ++ syslog.syslog( ++ syslog.LOG_ERR, ++ "Cannot start %s: %s" % (dogtag_service.service_name, e)) ++else: ++ syslog.syslog( ++ syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name) +diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad +index a58c3f31e1bd288587842ba5fc4335c967b9405e..f840aeb1a228aee88b1c498700f733f1b90686f0 100644 +--- a/install/restart_scripts/restart_pkicad ++++ b/install/restart_scripts/restart_pkicad +@@ -33,18 +33,25 @@ api.finalize() + + configured_constants = dogtag.configured_constants(api) + alias_dir = configured_constants.ALIAS_DIR ++dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME] + dogtag_instance = configured_constants.PKI_INSTANCE_NAME + + # dogtag opens its NSS database in read/write mode so we need it + # shut down so certmonger can open it read/write mode. This avoids + # database corruption. It should already be stopped by the pre-command + # but lets be sure. 
+-if ipaservices.knownservices.pki_cad.is_running(dogtag_instance): ++if dogtag_service.is_running(dogtag_instance): ++ syslog.syslog( ++ syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name) + try: +- ipaservices.knownservices.pki_cad.stop(dogtag_instance) ++ dogtag_service.stop(dogtag_instance) + except Exception, e: +- syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" % +- (dogtag_instance, str(e))) ++ syslog.syslog( ++ syslog.LOG_ERR, ++ "Cannot stop %s: %s" % (dogtag_service.service_name, e)) ++ else: ++ syslog.syslog( ++ syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name) + + # Fix permissions on the audit cert if we're updating it + if nickname == 'auditSigningCert cert-pki-ca': +@@ -55,14 +62,13 @@ if nickname == 'auditSigningCert cert-pki-ca': + ] + db.run_certutil(args) + ++syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name) + try: +- if configured_constants.DOGTAG_VERSION == 9: +- ipaservices.knownservices.pki_cad.start(dogtag_instance) +- else: +- ipaservices.knownservices.pki_tomcatd.start(dogtag_instance) ++ dogtag_service.start(dogtag_instance) + except Exception, e: +- syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" % +- (dogtag_instance, str(e))) ++ syslog.syslog( ++ syslog.LOG_ERR, ++ "Cannot start %s: %s" % (dogtag_service.service_name, e)) + else: +- syslog.syslog(syslog.LOG_NOTICE, "certmonger started %sd, nickname '%s'" % +- (dogtag_instance, nickname)) ++ syslog.syslog( ++ syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name) +diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad +index c8589b286eefbe1c3d79e2a6dab7adfd3ff56b2a..bbaf8895e3a86899ee5bd794eb595fd43316028b 100644 +--- a/install/restart_scripts/stop_pkicad ++++ b/install/restart_scripts/stop_pkicad +@@ -29,15 +29,15 @@ api.bootstrap(context='restart') + api.finalize() + + configured_constants = dogtag.configured_constants(api) ++dogtag_service = 
ipaservices.knownservices[configured_constants.SERVICE_NAME] + dogtag_instance = configured_constants.PKI_INSTANCE_NAME + +-syslog.syslog(syslog.LOG_NOTICE, "certmonger stopping %sd" % dogtag_instance) +- ++syslog.syslog(syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name) + try: +- if configured_constants.DOGTAG_VERSION == 9: +- ipaservices.knownservices.pki_cad.stop(dogtag_instance) +- else: +- ipaservices.knownservices.pki_tomcatd.stop(dogtag_instance) ++ dogtag_service.stop(dogtag_instance) + except Exception, e: +- syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" % +- (dogtag_instance, str(e))) ++ syslog.syslog( ++ syslog.LOG_ERR, "Cannot stop %s: %s" % (dogtag_service.service_name, e)) ++else: ++ syslog.syslog( ++ syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name) +diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py +index ea769b0275c4642d5da457996165e5a348cb7299..f829b9340d1ce55b2adae4817018de11b894c92d 100644 +--- a/ipapython/dogtag.py ++++ b/ipapython/dogtag.py +@@ -62,6 +62,8 @@ class Dogtag10Constants(object): + SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT + ALIAS_DIR = '/etc/pki/pki-tomcat/alias' + ++ SERVICE_NAME = 'pki_tomcatd' ++ + RACERT_LINE_SEP = '\n' + + IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR +@@ -92,6 +94,8 @@ class Dogtag9Constants(object): + SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT + ALIAS_DIR = '%s/alias' % PKI_ROOT + ++ SERVICE_NAME = 'pki-cad' ++ + RACERT_LINE_SEP = '\r\n' + + ADMIN_SECURE_PORT = 9445 +diff --git a/ipapython/platform/base/__init__.py b/ipapython/platform/base/__init__.py +index e2aa33faf9ccf182c778dfdbd8fd68d3686deae0..d76bc73a7d159c2dd43e281fa9916f245d88aaf3 100644 +--- a/ipapython/platform/base/__init__.py ++++ b/ipapython/platform/base/__init__.py +@@ -27,7 +27,7 @@ + wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc', + 'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap', + 'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd', +- 
'rpcidmapd', 'pki_tomcatd', 'pki-cad', 'chronyd'] ++ 'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd'] + + # System may support more time&date services. FreeIPA supports ntpd only, other + # services will be disabled during IPA installation +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index ac5c81de8c57194160cbfd2fa79c776bf2f39625..52c91b68c2d073a9b1c6aedc1811aa26db046e6b 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -1283,7 +1283,7 @@ def enable_client_auth_to_db(self): + """ + caconfig = dogtag.install_constants.CS_CFG_PATH + +- with stopped_service('pki_tomcatd', ++ with stopped_service(self.dogtag_constants.SERVICE_NAME, + instance_name=self.dogtag_constants.PKI_INSTANCE_NAME): + + # Enable file publishing, disable LDAP +@@ -1723,7 +1723,7 @@ def update_cert_config(nickname, cert, dogtag_constants=None): + 'subsystemCert cert-pki-ca': 'ca.subsystem.cert', + 'Server-Cert cert-pki-ca': 'ca.sslserver.cert'} + +- with stopped_service('pki_tomcatd', ++ with stopped_service(dogtag_constants.SERVICE_NAME, + instance_name=dogtag_constants.PKI_INSTANCE_NAME): + + installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH, +-- +1.8.4.2 + diff --git a/SOURCES/0018-hbactest-does-not-work-for-external-users.patch b/SOURCES/0018-hbactest-does-not-work-for-external-users.patch new file mode 100644 index 0000000..4961b8b --- /dev/null +++ b/SOURCES/0018-hbactest-does-not-work-for-external-users.patch 
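Review bot: The well-known service list is renamed to `pki_cad` while `Dogtag9Constants.SERVICE_NAME` is set to `'pki-cad'`, and all three restart scripts look the service up as `ipaservices.knownservices[configured_constants.SERVICE_NAME]`; unless `knownservices.__getitem__` normalizes the hyphen (not visible in this patch), every Dogtag 9 helper would raise KeyError at the top of the script, before the CA is even stopped. Either spell both the same or pin the coupling with a comment at the constant: `# must match the key registered in ipapython.platform.base.wellknownservices`. Separately, the `except Exception, e:` branches only syslog the failure and the scripts run on — in restart_pkicad a failed stop still proceeds to `db.run_certutil(args)` against the NSS database the comment above warns must not be open in dogtag, so exiting non-zero after the LOG_ERR would be safer than continuing. The `syslog.LOG_NOTICE` "Started/Stopped" lines are a good addition for incident timelines. Only the start/stop portions of these scripts are in the hunk.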
@@ -0,0 +1,43 @@ +From 01e98be318caa921302726b48f05166b0ce00f21 Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Fri, 10 Jan 2014 12:41:29 +0100 +Subject: [PATCH] hbactest does not work for external users + +Original patch for ticket #3803 implemented support to resolve SIDs +through SSSD. However, it also broke hbactest for external users. The +result of the updated external member group search must be local +non-external groups, not the external ones. Otherwise the rule is not +matched. + +https://fedorahosted.org/freeipa/ticket/3803 +--- + ipalib/plugins/hbactest.py | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py +index fed39b05d8ac75254575cf211d338ab85b093cb8..cc18890ce3ca589a0d086aa263795f9c4ff61cb6 100644 +--- a/ipalib/plugins/hbactest.py ++++ b/ipalib/plugins/hbactest.py +@@ -400,14 +400,16 @@ def execute(self, *args, **options): + ldap = self.api.Backend.ldap2 + group_container = DN(api.env.container_group, api.env.basedn) + try: +- entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container) ++ entries, truncated = ldap.find_entries(filter_sids, ['memberof'], group_container) + except errors.NotFound: + request.user.groups = [] + else: + groups = [] + for dn, entry in entries: +- if dn.endswith(group_container): +- groups.append(dn[0][0].value) ++ memberof_dns = entry.get('memberof', []) ++ for memberof_dn in memberof_dns: ++ if memberof_dn.endswith(group_container): ++ groups.append(memberof_dn[0][0].value) + request.user.groups = sorted(set(groups)) + else: + # try searching for a local user +-- +1.8.4.2 + diff --git a/SOURCES/0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch b/SOURCES/0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch new file mode 100644 index 0000000..118ee8a --- /dev/null +++ b/SOURCES/0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch 
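Review bot: `truncated` from `ldap.find_entries` is still discarded, and the new loop now derives the external user's groups solely from the `memberof` values of whatever entries came back; a truncated search therefore yields an incomplete group list and the HBAC test reports an access decision evaluated against the wrong membership, with no indication to the operator. At minimum surface it: `if truncated: self.log.warning('group search for external user truncated; result may be incomplete')`. `memberof_dn[0][0].value` also assumes the `memberof` values arrive as DN objects rather than strings — confirm the ldap2 backend guarantees that, else wrap with `DN(memberof_dn)` before indexing. The loop variable `dn` is now unused; `for _dn, entry in entries:` would say so. execute() continues outside the hunk.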
@@ -0,0 +1,72 @@ +From b574423a54dbff7dbca89c6cee49f0304f2393e1 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 14 Jan 2014 14:23:47 -0500 +Subject: [PATCH 19/25] Change the way we determine if the host has a password + set. + +When creating a host with a password we don't set a Kerberos +principal or add the Kerberos objectclasses. Those get added when the +host is enrolled. If one passed in --password= (so no password) then +we incorrectly thought the user was in fact setting a password, so the +principal and objectclasses weren't updated. + +https://fedorahosted.org/freeipa/ticket/4102 +--- + ipalib/plugins/host.py | 2 +- + ipatests/test_xmlrpc/test_host_plugin.py | 27 +++++++++++++++++++++++++++ + 2 files changed, 28 insertions(+), 1 deletion(-) + +diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py +index 7aa94aa95ba9be17c308546d5d2fe247f27a07b3..9d45e270ff8221e4b9380684cb56112db4af4f52 100644 +--- a/ipalib/plugins/host.py ++++ b/ipalib/plugins/host.py +@@ -425,7 +425,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + entry_attrs['l'] = entry_attrs['locality'] + entry_attrs['cn'] = keys[-1] + entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0] +- if 'userpassword' not in entry_attrs and not options.get('random', False): ++ if not entry_attrs.get('userpassword', False) and not options.get('random', False): + entry_attrs['krbprincipalname'] = 'host/%s@%s' % ( + keys[-1], self.api.env.realm + ) +diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py +index a23a34112f5c041a8325d5090580b535d93c7a72..7b64398fadd236b9b06723ef561cb19d61bca6d5 100644 +--- a/ipatests/test_xmlrpc/test_host_plugin.py ++++ b/ipatests/test_xmlrpc/test_host_plugin.py +@@ -863,6 +863,33 @@ class test_host(Declarative): + ), + ), + ++ ++ dict( ++ desc='Create a host with a NULL password', ++ command=('host_add', [fqdn3], ++ dict( ++ description=u'Test host 3', ++ force=True, ++ 
userpassword=None, ++ ), ++ ), ++ expected=dict( ++ value=fqdn3, ++ summary=u'Added host "%s"' % fqdn3, ++ result=dict( ++ dn=dn3, ++ fqdn=[fqdn3], ++ description=[u'Test host 3'], ++ krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)], ++ objectclass=objectclasses.host, ++ ipauniqueid=[fuzzy_uuid], ++ managedby_host=[u'%s' % fqdn3], ++ has_keytab=False, ++ has_password=False, ++ ), ++ ), ++ ), ++ + ] + + class test_host_false_pwd_change(XMLRPC_test): +-- +1.8.4.2 + diff --git a/SOURCES/0020-sudoOrder-missing-in-sudoers.patch b/SOURCES/0020-sudoOrder-missing-in-sudoers.patch new file mode 100644 index 0000000..6f81e52 --- /dev/null +++ b/SOURCES/0020-sudoOrder-missing-in-sudoers.patch @@ -0,0 +1,27 @@ +From 4e5f306c4a544d449a763b46baea0ebfdb0d5785 Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Wed, 15 Jan 2014 08:58:16 +0100 +Subject: [PATCH 20/25] sudoOrder missing in sudoers + +sudoers compat plugin configuration missed the sudoOrder attribute +and it thus did not show up in ou=sudoers. Add the definion to update +file. + +https://fedorahosted.org/freeipa/ticket/4107 +--- + install/updates/10-schema_compat.update | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update +index e65e67afc40f10eee342afc12e2132d36e9c2a1a..1199ef3861fb60e204cd0cd6272a829b495cdde7 100644 +--- a/install/updates/10-schema_compat.update ++++ b/install/updates/10-schema_compat.update +@@ -21,3 +21,5 @@ dn: cn=computers, cn=Schema Compatibility, cn=plugins, + default:schema-compat-entry-attribute: cn=%{fqdn} + default:schema-compat-entry-attribute: macAddress=%{macAddress} + ++dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config ++add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder} +-- +1.8.4.2 + diff --git a/SOURCES/0021-Add-missing-example-to-sudorule.patch b/SOURCES/0021-Add-missing-example-to-sudorule.patch new file mode 100644 index 0000000..5bae186 --- /dev/null 
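Review bot: `entry_attrs.get('userpassword', False)` now treats an explicit empty or `None` password as "no password" for deciding whether to set the Kerberos principal, but the hunk does not show the empty `userpassword` key being removed from `entry_attrs` before the add; if it reaches the directory as an empty userPassword value the add may fail or create a host carrying an empty password attribute, and the new test only asserts `has_password=False` for the `None` case. Adding a `userpassword=u''` variant to the test would pin the `--password=` case the commit message describes. A comment on the condition would help the next reader: `# an explicit empty/None password (--password=) counts as no password, same as omitting it`. pre_callback continues outside the hunk.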
+++ b/SOURCES/0021-Add-missing-example-to-sudorule.patch @@ -0,0 +1,45 @@ +From f85b3ba942c0347c197cd738fab444fe9a697a62 Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Wed, 15 Jan 2014 09:31:37 +0100 +Subject: [PATCH 21/25] Add missing example to sudorule + +https://fedorahosted.org/freeipa/ticket/4090 +--- + ipalib/plugins/sudorule.py | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py +index a89941cb6ab9b258de26bb7cf3632dc0acc7e20e..9644aafa263b4790c8123d177f0ccd10b572f0f0 100644 +--- a/ipalib/plugins/sudorule.py ++++ b/ipalib/plugins/sudorule.py +@@ -52,7 +52,26 @@ + -h ipa.example.com -ZZ -D "cn=Directory Manager" \ + uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +-For more information, see the FreeIPA Documentation to Sudo. ++EXAMPLES: ++ ++ Create a new rule: ++ ipa sudorule-add readfiles ++ ++ Add sudo command object and add it as allowed command in the rule: ++ ipa sudocmd-add /usr/bin/less ++ ipa sudorule-add-allow-command readfiles --sudocmds /usr/bin/less ++ ++ Add a host to the rule: ++ ipa sudorule-add-host readfiles --hosts server.example.com ++ ++ Add a user to the rule: ++ ipa sudorule-add-user readfiles --users jsmith ++ ++ Add a special Sudo rule for default Sudo server configuration: ++ ipa sudorule-add defaults ++ ++ Set a default Sudo option: ++ ipa sudorule-add-option defaults --sudooption '!authenticate' + """) + + topic = ('sudo', _('Commands for controlling sudo configuration')) +-- +1.8.4.2 + diff --git a/SOURCES/0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch b/SOURCES/0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch new file mode 100644 index 0000000..e478189 --- /dev/null +++ b/SOURCES/0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch 
@@ -0,0 +1,27 @@
+From 8782235cff60229051c82880131fb11c82659a0b Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Wed, 15 Jan 2014 10:48:10 +0100
+Subject: [PATCH 22/25] Fix ipa-client-automount uninstall when fstore is
+ empty.
+
+https://fedorahosted.org/freeipa/ticket/4091
+---
+ ipa-client/ipa-install/ipa-client-automount | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
+index 2ce31dcb9605941fa8734caad7ed5ba9b5ce1e01..62531bfe1d923b1705aed1187da6766b54c90a0c 100755
+--- a/ipa-client/ipa-install/ipa-client-automount
++++ b/ipa-client/ipa-install/ipa-client-automount
+@@ -360,7 +360,7 @@ def main():
+
+ fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
+ statestore = sysrestore.StateFile('/var/lib/ipa-client/sysrestore')
+- if not fstore.has_files():
++ if not fstore.has_files() and not os.path.exists('/etc/ipa/default.conf'):
+ sys.exit('IPA client is not configured on this system.\n')
+
+ options, args = parse_options()
+--
+1.8.4.2
+
diff --git a/SOURCES/0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch b/SOURCES/0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch
new file mode 100644
index 0000000..fca1bd3
--- /dev/null
+++ b/SOURCES/0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch
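Review bot: The new condition hard-codes `'/etc/ipa/default.conf'` and calls `os.path.exists`; the script's imports are outside the hunk, so confirm `os` is imported there, and if the client tree already exposes a constant for the default config path (not visible here) this check should use it so it stays in step with the installer. A comment would also make the intent explicit, since "fstore empty" is no longer the sole signal: `# a configured client may legitimately have an empty fstore; default.conf is the authoritative marker`. main() continues outside the hunk.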
@@ -0,0 +1,346 @@ +From f446cde6f626f5a4b086a542121486bde42d0dc7 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 14 Jan 2014 13:55:56 +0200 +Subject: [PATCH 23/25] trust-fetch-domains: create ranges for new child + domains + +When trust is added, we do create ranges for discovered child domains. +However, this functionality was not available through +'trust-fetch-domains' command. + +Additionally, make sure non-existing trust will report proper error in +trust-fetch-domains. + +https://fedorahosted.org/freeipa/ticket/4111 +https://fedorahosted.org/freeipa/ticket/4104 +--- + ipalib/plugins/trust.py | 256 +++++++++++++++++++++++++----------------------- + 1 file changed, 135 insertions(+), 121 deletions(-) + +diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py +index 76d609fd4de33edd96715deaaf7842c1de3ddaf4..a16c23083662fd674c45ba54b9dfb9f4837160df 100644 +--- a/ipalib/plugins/trust.py ++++ b/ipalib/plugins/trust.py +@@ -188,6 +188,114 @@ def make_trust_dn(env, trust_type, dn): + return DN(dn, container_dn) + return dn + ++def add_range(self, range_name, dom_sid, *keys, **options): ++ """ ++ First, we try to derive the parameters of the ID range based on the ++ information contained in the Active Directory. ++ ++ If that was not successful, we go for our usual defaults (random base, ++ range size 200 000, ipa-ad-trust range type). ++ ++ Any of these can be overriden by passing appropriate CLI options ++ to the trust-add command. 
++ """ ++ ++ range_size = None ++ range_type = None ++ base_id = None ++ ++ # First, get information about ID space from AD ++ # However, we skip this step if other than ipa-ad-trust-posix ++ # range type is enforced ++ ++ if options.get('range_type', None) in (None, u'ipa-ad-trust-posix'): ++ ++ # Get the base dn ++ domain = keys[-1] ++ basedn = realm_to_suffix(domain) ++ ++ # Search for information contained in ++ # CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System ++ info_filter = '(objectClass=msSFU30DomainInfo)' ++ info_dn = DN('CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System')\ ++ + basedn ++ ++ # Get the domain validator ++ domain_validator = ipaserver.dcerpc.DomainValidator(self.api) ++ if not domain_validator.is_configured(): ++ raise errors.NotFound( ++ reason=_('Cannot search in trusted domains without own ' ++ 'domain configured. Make sure you have run ' ++ 'ipa-adtrust-install on the IPA server first')) ++ ++ # KDC might not get refreshed data at the first time, ++ # retry several times ++ for retry in range(10): ++ info_list = domain_validator.search_in_dc(domain, ++ info_filter, ++ None, ++ SCOPE_SUBTREE, ++ basedn=info_dn, ++ quiet=True) ++ ++ if info_list: ++ info = info_list[0] ++ break ++ else: ++ sleep(2) ++ ++ required_msSFU_attrs = ['msSFU30MaxUidNumber', 'msSFU30OrderNumber'] ++ ++ if not info_list: ++ # We were unable to gain UNIX specific info from the AD ++ self.log.debug("Unable to gain POSIX info from the AD") ++ else: ++ if all(attr in info for attr in required_msSFU_attrs): ++ self.log.debug("Able to gain POSIX info from the AD") ++ range_type = u'ipa-ad-trust-posix' ++ ++ max_uid = info.get('msSFU30MaxUidNumber') ++ max_gid = info.get('msSFU30MaxGidNumber', None) ++ max_id = int(max(max_uid, max_gid)[0]) ++ ++ base_id = int(info.get('msSFU30OrderNumber')[0]) ++ range_size = (1 + (max_id - base_id) / DEFAULT_RANGE_SIZE)\ ++ * DEFAULT_RANGE_SIZE ++ ++ # Second, options given via the CLI options take precedence to discovery ++ if 
options.get('range_type', None): ++ range_type = options.get('range_type', None) ++ elif not range_type: ++ range_type = u'ipa-ad-trust' ++ ++ if options.get('range_size', None): ++ range_size = options.get('range_size', None) ++ elif not range_size: ++ range_size = DEFAULT_RANGE_SIZE ++ ++ if options.get('base_id', None): ++ base_id = options.get('base_id', None) ++ elif not base_id: ++ # Generate random base_id if not discovered nor given via CLI ++ base_id = DEFAULT_RANGE_SIZE + ( ++ pysss_murmur.murmurhash3( ++ dom_sid, ++ len(dom_sid), 0xdeadbeefL ++ ) % 10000 ++ ) * DEFAULT_RANGE_SIZE ++ ++ # Finally, add new ID range ++ self.api.Command['idrange_add'](range_name, ++ ipabaseid=base_id, ++ ipaidrangesize=range_size, ++ ipabaserid=0, ++ iparangetype=range_type, ++ ipanttrusteddomainsid=dom_sid) ++ ++ # Return the values that were generated inside this function ++ return range_type, range_size, base_id ++ ++ + class trust(LDAPObject): + """ + Trust object. +@@ -258,15 +366,11 @@ def get_dn(self, *keys, **kwargs): + filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] }, + rules=ldap.MATCH_ALL) + filter = ldap.combine_filters((filter, "ipaNTSIDBlacklistIncoming=*"), rules=ldap.MATCH_ALL) +- try: +- result = ldap.get_entries(DN(self.container_dn, self.env.basedn), +- ldap.SCOPE_SUBTREE, filter, ['']) +- except errors.NotFound: +- return None +- else: +- if len(result) > 1: +- raise errors.OnlyOneValueAllowed(attr='trust domain') +- return result[0].dn ++ result = ldap.get_entries(DN(self.container_dn, self.env.basedn), ++ ldap.SCOPE_SUBTREE, filter, ['']) ++ if len(result) > 1: ++ raise errors.OnlyOneValueAllowed(attr='trust domain') ++ return result[0].dn + + dn=make_trust_dn(self.env, trust_type, DN(*sdn)) + return dn +@@ -341,8 +445,8 @@ def execute(self, *keys, **options): + # Store the created range type, since for POSIX trusts no + # ranges for the subdomains should be added, POSIX attributes + # provide a global mapping across 
all subdomains +- (created_range_type, _, _) = self.add_range(range_name, dom_sid, +- *keys, **options) ++ (created_range_type, _, _) = add_range(self, range_name, dom_sid, ++ *keys, **options) + else: + created_range_type = old_range['result']['iparangetype'][0] + +@@ -382,8 +486,8 @@ def execute(self, *keys, **options): + + # Try to add the range for each subdomain + try: +- self.add_range(range_name, dom_sid, *keys, +- **passed_options) ++ add_range(self, range_name, dom_sid, *keys, ++ **passed_options) + except errors.DuplicateEntry: + pass + +@@ -549,120 +653,17 @@ def validate_range(self, *keys, **options): + + return old_range, range_name, dom_sid + +- def add_range(self, range_name, dom_sid, *keys, **options): +- """ +- First, we try to derive the parameters of the ID range based on the +- information contained in the Active Directory. +- +- If that was not successful, we go for our usual defaults (random base, +- range size 200 000, ipa-ad-trust range type). +- +- Any of these can be overriden by passing appropriate CLI options +- to the trust-add command. +- """ +- +- range_size = None +- range_type = None +- base_id = None +- +- # First, get information about ID space from AD +- # However, we skip this step if other than ipa-ad-trust-posix +- # range type is enforced +- +- if options.get('range_type', None) in (None, u'ipa-ad-trust-posix'): +- +- # Get the base dn +- domain = keys[-1] +- basedn = realm_to_suffix(domain) +- +- # Search for information contained in +- # CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System +- info_filter = '(objectClass=msSFU30DomainInfo)' +- info_dn = DN('CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System')\ +- + basedn +- +- # Get the domain validator +- domain_validator = ipaserver.dcerpc.DomainValidator(self.api) +- if not domain_validator.is_configured(): +- raise errors.NotFound( +- reason=_('Cannot search in trusted domains without own ' +- 'domain configured. 
Make sure you have run ' +- 'ipa-adtrust-install on the IPA server first')) +- +- # KDC might not get refreshed data at the first time, +- # retry several times +- for retry in range(10): +- info_list = domain_validator.search_in_dc(domain, +- info_filter, +- None, +- SCOPE_SUBTREE, +- basedn=info_dn, +- quiet=True) +- +- if info_list: +- info = info_list[0] +- break +- else: +- sleep(2) +- +- required_msSFU_attrs = ['msSFU30MaxUidNumber', 'msSFU30OrderNumber'] +- +- if not info_list: +- # We were unable to gain UNIX specific info from the AD +- self.log.debug("Unable to gain POSIX info from the AD") +- else: +- if all(attr in info for attr in required_msSFU_attrs): +- self.log.debug("Able to gain POSIX info from the AD") +- range_type = u'ipa-ad-trust-posix' +- +- max_uid = info.get('msSFU30MaxUidNumber') +- max_gid = info.get('msSFU30MaxGidNumber', None) +- max_id = int(max(max_uid, max_gid)[0]) +- +- base_id = int(info.get('msSFU30OrderNumber')[0]) +- range_size = (1 + (max_id - base_id) / DEFAULT_RANGE_SIZE)\ +- * DEFAULT_RANGE_SIZE +- +- # Second, options given via the CLI options take precedence to discovery +- if options.get('range_type', None): +- range_type = options.get('range_type', None) +- elif not range_type: +- range_type = u'ipa-ad-trust' +- +- if options.get('range_size', None): +- range_size = options.get('range_size', None) +- elif not range_size: +- range_size = DEFAULT_RANGE_SIZE +- +- if options.get('base_id', None): +- base_id = options.get('base_id', None) +- elif not base_id: +- # Generate random base_id if not discovered nor given via CLI +- base_id = DEFAULT_RANGE_SIZE + ( +- pysss_murmur.murmurhash3( +- dom_sid, +- len(dom_sid), 0xdeadbeefL +- ) % 10000 +- ) * DEFAULT_RANGE_SIZE +- +- # Finally, add new ID range +- api.Command['idrange_add'](range_name, +- ipabaseid=base_id, +- ipaidrangesize=range_size, +- ipabaserid=0, +- iparangetype=range_type, +- ipanttrusteddomainsid=dom_sid) +- +- # Return the values that were generated inside 
this function +- return range_type, range_size, base_id +- + def execute_ad(self, full_join, *keys, **options): + # Join domain using full credentials and with random trustdom + # secret (will be generated by the join method) + + # First see if the trust is already in place + # Force retrieval of the trust object by not passing trust_type +- dn = self.obj.get_dn(keys[-1]) ++ try: ++ dn = self.obj.get_dn(keys[-1]) ++ except errors.NotFound: ++ dn = None ++ + if dn: + summary = _('Re-established trust to domain "%(value)s"') + else: +@@ -794,6 +795,7 @@ class trust_show(LDAPRetrieve): + + def post_callback(self, ldap, dn, entry_attrs, *keys, **options): + ++ assert isinstance(dn, DN) + # Translate ipanttrusttype to trusttype + # and ipanttrustdirection to trustdirection + # if --raw not used +@@ -1246,6 +1248,11 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): + if not domains: + return result + ++ # trust range must exist by the time fetch_domains_from_trust is called ++ range_name = trust_name.upper() + '_id_range' ++ old_range = api.Command.idrange_show(range_name, raw=True)['result'] ++ idrange_type = old_range['iparangetype'] ++ + for dom in domains: + dom['trust_type'] = u'ad' + try: +@@ -1255,8 +1262,15 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): + dom['all'] = options['all'] + if 'raw' in options: + dom['raw'] = options['raw'] ++ + res = self.api.Command.trustdomain_add(trust_name, name, **dom) + result.append(res['result']) ++ ++ if idrange_type != u'ipa-ad-trust-posix': ++ range_name = name.upper() + '_id_range' ++ dom['range_type'] = u'ipa-ad-trust' ++ add_range(self, range_name, dom['ipanttrusteddomainsid'], ++ trust_name, name, **dom) + except errors.DuplicateEntry: + # Ignore updating duplicate entries + pass +-- +1.8.4.2 + 
diff --git a/SOURCES/0024-trustdomain-find-report-status-of-the-sub-domain.patch b/SOURCES/0024-trustdomain-find-report-status-of-the-sub-domain.patch
new file mode 100644
index 0000000..7c94776
--- /dev/null
+++ b/SOURCES/0024-trustdomain-find-report-status-of-the-sub-domain.patch
@@ -0,0 +1,57 @@
+From c805cd76acc8fbc9c2cb689deaf6e5eae78700c5 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 15 Jan 2014 15:42:10 +0200
+Subject: [PATCH 24/25] trustdomain-find: report status of the (sub)domain
+
+Show status of each enumerated domain
+
+trustdomain-find shows list of domains associated with the trust.
+Each domain except the trust forest root can be enabled or disabled
+with the help of trustdomain-enable and trustdomain-disable commands.
+
+https://fedorahosted.org/freeipa/ticket/4096
+---
+ ipalib/plugins/trust.py | 18 +++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index a16c23083662fd674c45ba54b9dfb9f4837160df..3d412c9c9f518347769e88ddc9089d6d92ccc4be 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -21,7 +21,7 @@
+ from ipalib.plugins.baseldap import *
+ from ipalib.plugins.dns import dns_container_exists
+ from ipapython.ipautil import realm_to_suffix
+-from ipalib import api, Str, StrEnum, Password, _, ngettext
++from ipalib import api, Str, StrEnum, Password, Bool, _, ngettext
+ from ipalib import Command
+ from ipalib import errors
+ from ldap import SCOPE_SUBTREE
+@@ -1183,8 +1183,24 @@ def get_dn(self, *keys, **kwargs):
+ class trustdomain_find(LDAPSearch):
+ __doc__ = _('Search domains of the trust')
+
++ has_output_params = LDAPSearch.has_output_params + (
++ Flag('domain_enabled', label= _('Domain enabled')),
++ )
+ def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
+ return (filters, base_dn, ldap.SCOPE_SUBTREE)
++
++ def post_callback(self, ldap, entries, truncated, *args, **options):
++ trust_dn = self.obj.get_dn(args[0], trust_type=u'ad')
++ trust_entry = ldap.get_entry(trust_dn)
++ for entry in entries:
++ sid = entry['ipanttrusteddomainsid'][0]
++ if sid in trust_entry['ipantsidblacklistincoming']:
++ entry['domain_enabled'] = [False]
++ else:
++ entry['domain_enabled'] = [True]
++ return truncated
++
++
+ api.register(trustdomain_find)
+
+ class trustdomain_mod(LDAPUpdate):
+--
+1.8.4.2
+
diff --git a/SOURCES/0025-CLDAP-do-not-prepend.patch b/SOURCES/0025-CLDAP-do-not-prepend.patch
new file mode 100644
index 0000000..fc97f15
--- /dev/null
+++ b/SOURCES/0025-CLDAP-do-not-prepend.patch
@@ -0,0 +1,31 @@
+From 198f16c26e36bd8b4b7d55a74bb679a6daa85084 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Mon, 13 Jan 2014 10:43:33 +0100
+Subject: [PATCH 25/25] CLDAP: do not prepend \\
+
+For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
+the PDC NetBIOS name. In general AD seems to be smart enough to handle
+the two \ signs. But if the NetBIOS name reaches the maximum of 15
+character AD does not accept the responses anymore.
+
+Fixes https://fedorahosted.org/freeipa/ticket/4028
+---
+ daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+index 9ba05829418a0d1de46f2c7776cc15c54a9eab1c..c03172d474589ddee84f1cfa5395c23fdba83bcb 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+@@ -163,7 +163,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
+ nlr->domain_name = name;
+
+ /* copy the first 15 characters of the fully qualified hostname*/
+- pdc_name = talloc_asprintf(nlr, "\\\\%.*s", NETBIOS_NAME_MAX, fq_hostname);
++ pdc_name = talloc_asprintf(nlr, "%.*s", NETBIOS_NAME_MAX, fq_hostname);
+
+ for (p = pdc_name; *p; p++) {
+ /* Create the NetBIOS name from the first segment of the hostname */
+--
+1.8.4.2
+
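Review bot: `trust_entry['ipantsidblacklistincoming']` in the new `post_callback` raises KeyError when the trust entry carries no blacklist attribute, and `entry['ipanttrusteddomainsid'][0]` fails the same way for a domain entry without a SID, so one incomplete entry aborts the whole `trustdomain-find`; reading the blacklist once as `blacklist = trust_entry.get('ipantsidblacklistincoming', [])` and skipping entries that have no SID keeps the search usable. The import hunk adds `Bool` to the `from ipalib import ...` line, but the code in this hunk only uses `Flag` (presumably provided by the baseldap star import), so `Bool` appears unused. A blank line between the new `has_output_params` tuple and `def pre_callback` would match the spacing used around `post_callback`.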
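Review bot: `pdc_name` returned by `talloc_asprintf` is dereferenced two lines later in `for (p = pdc_name; *p; p++)` with no NULL check in between, so an allocation failure would crash the CLDAP responder; an `if (pdc_name == NULL)` test that returns the function's allocation-failure status before the loop closes that gap. The rest of `ipa_cldap_encode_netlogon` is outside the hunk, so the exact error path to take is not visible here.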
diff --git a/SOURCES/0026-ipaserver-install-installutils-clean-up-properly-aft.patch b/SOURCES/0026-ipaserver-install-installutils-clean-up-properly-aft.patch
new file mode 100644
index 0000000..d80e27b
--- /dev/null
+++ b/SOURCES/0026-ipaserver-install-installutils-clean-up-properly-aft.patch
@@ -0,0 +1,56 @@
+From fcd4ec48c2515aff7c10f10653628631d832146b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy
+Date: Wed, 15 Jan 2014 17:26:10 +0100
+Subject: [PATCH 26/27] ipaserver/install/installutils: clean up properly after
+ yield
+
+When a context to which we yield generates exception, the code in
+private_ccache() and stopped_service() didn't get called for cleanup.
+---
+ ipaserver/install/installutils.py | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
+index c26f072f2f44149746d55b1160d09ebce8394fd5..3770432cae79f653fd57f726de43787dec8dd7d1 100644
+--- a/ipaserver/install/installutils.py
++++ b/ipaserver/install/installutils.py
+@@ -784,15 +784,16 @@ def private_ccache(path=None):
+
+ os.environ['KRB5CCNAME'] = path
+
+- yield
++ try:
++ yield
++ finally:
++ if original_value is not None:
++ os.environ['KRB5CCNAME'] = original_value
++ else:
++ os.environ.pop('KRB5CCNAME')
+
+- if original_value is not None:
+- os.environ['KRB5CCNAME'] = original_value
+- else:
+- os.environ.pop('KRB5CCNAME')
+-
+- if os.path.exists(path):
+- os.remove(path)
++ if os.path.exists(path):
++ os.remove(path)
+
+
+ @contextmanager
+@@ -825,6 +826,8 @@ def stopped_service(service, instance_name=""):
+ # Stop the service, do the required stuff and start it again
+ root_logger.debug('Stopping %s%s.', service, log_instance_name)
+ ipaservices.knownservices[service].stop(instance_name)
+- yield
+- root_logger.debug('Starting %s%s.', service, log_instance_name)
+- ipaservices.knownservices[service].start(instance_name)
++ try:
++ yield
++ finally:
++ root_logger.debug('Starting %s%s.', service, log_instance_name)
++ ipaservices.knownservices[service].start(instance_name)
+--
+1.8.4.2
+
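Review bot: In the new `finally` block of `private_ccache`, `os.environ.pop('KRB5CCNAME')` raises KeyError if the body already removed the variable, which would replace the original exception and skip the `os.remove(path)` that follows; `os.environ.pop('KRB5CCNAME', None)` avoids that. The `if os.path.exists(path): os.remove(path)` pair checks and then acts, so a file that disappears between the two calls still raises from the cleanup path; `try: os.remove(path) except OSError: pass` (or catching only the not-found case) is the race-free form. `private_ccache` and `stopped_service` both start outside the hunks, so how `path` and `original_value` are set is not visible here.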
diff --git a/SOURCES/0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch b/SOURCES/0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch
new file mode 100644
index 0000000..28749e4
--- /dev/null
+++ b/SOURCES/0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch
@@ -0,0 +1,28 @@
+From a923cedc1aedafe7f58d480a633257bd19809d72 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Tue, 15 Oct 2013 17:49:07 +0000
+Subject: [PATCH 27/27] Do not start the service in stopped_service if it was
+ not running before.
+
+This fixes a possible NSS database corruption in renew_ca_cert.
+---
+ ipaserver/install/installutils.py | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
+index 3770432cae79f653fd57f726de43787dec8dd7d1..32671adc895b0cb2632729e8bdb44b5df02c1314 100644
+--- a/ipaserver/install/installutils.py
++++ b/ipaserver/install/installutils.py
+@@ -819,9 +819,6 @@ def stopped_service(service, instance_name=""):
+ root_logger.debug('Service %s%s is not running, continue.', service,
+ log_instance_name)
+ yield
+- root_logger.debug('Starting %s%s.', service, log_instance_name)
+- ipaservices.knownservices[service].start(instance_name)
+- return
+ else:
+ # Stop the service, do the required stuff and start it again
+ root_logger.debug('Stopping %s%s.', service, log_instance_name)
+--
+1.8.4.2
+
diff --git a/SOURCES/0028-Harmonize-policy-discovery-to-kdb-driver.patch b/SOURCES/0028-Harmonize-policy-discovery-to-kdb-driver.patch
new file mode 100644
index 0000000..6e2a1f2
--- /dev/null
+++ b/SOURCES/0028-Harmonize-policy-discovery-to-kdb-driver.patch
@@ -0,0 +1,180 @@
+From 8ee0ea62d669f59246c8727d89a860bb6d6082f8 Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Tue, 14 Jan 2014 10:09:37 -0500
+Subject: [PATCH 28/34] Harmonize policy discovery to kdb driver
+
+The KDB driver does not walk the tree back like the original password plugin.
+Also we do not store the default policy in the base DN as we used to do in the
+past anymore.
+So doing a full subtree search and walking back the tree is just a waste of
+time.
+Instead hardcode the default policy like we do in the kdb driver.
+
+Fixes: https://fedorahosted.org/freeipa/ticket/4085
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 106 ++++-------------------
+ 1 file changed, 17 insertions(+), 89 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+index 2538a4094bd9a166e61b0911e5ea93426092d88a..ef20c4c61bd764bffc426208ff8b99f5d0b782ec 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+@@ -436,75 +436,44 @@ static void pwd_values_free(Slapi_ValueSet** results,
+ slapi_vattr_values_free(results, actual_type_name, buffer_flags);
+ }
+
+-static int ipapwd_rdn_count(const char *dn)
+-{
+- int rdnc = 0;
+- LDAPDN ldn;
+- int ret;
+-
+- ret = ldap_str2dn(dn, &ldn, LDAP_DN_FORMAT_LDAPV3);
+- if (ret != LDAP_SUCCESS) {
+- LOG_TRACE("ldap_str2dn(dn) failed ?!");
+- return -1;
+- }
+-
+- for (rdnc = 0; ldn != NULL && ldn[rdnc]; rdnc++) /* count */ ;
+- ldap_dnfree(ldn);
+-
+- return rdnc;
+-}
+-
+ int ipapwd_getPolicy(const char *dn,
+ Slapi_Entry *target,
+ struct ipapwd_policy *policy)
+ {
+ const char *krbPwdPolicyReference;
+- const char *pdn;
+- const Slapi_DN *psdn;
+- Slapi_Backend *be;
++ char *pdn = NULL;
+ Slapi_PBlock *pb = NULL;
+ char *attrs[] = { "krbMaxPwdLife", "krbMinPwdLife",
+ "krbPwdMinDiffChars", "krbPwdMinLength",
+ "krbPwdHistoryLength", NULL};
+ Slapi_Entry **es = NULL;
+ Slapi_Entry *pe = NULL;
+- int ret, res, dist, rdnc, scope, i;
+- Slapi_DN *sdn = NULL;
++ int ret, res, scope, i;
+ int buffer_flags=0;
+ Slapi_ValueSet* results = NULL;
+- char* actual_type_name = NULL;
++ char *actual_type_name = NULL;
+ int tmpint;
+
+ LOG_TRACE("Searching policy for [%s]\n", dn);
+
+- sdn = slapi_sdn_new_dn_byref(dn);
+- if (sdn == NULL) {
+- LOG_OOM();
+- ret = -1;
+- goto done;
+- }
+-
+ pwd_get_values(target, "krbPwdPolicyReference",
+ &results, &actual_type_name, &buffer_flags);
+ if (results) {
+ Slapi_Value *sv;
+ slapi_valueset_first_value(results, &sv);
+ krbPwdPolicyReference = slapi_value_get_string(sv);
+- pdn = krbPwdPolicyReference;
+- scope = LDAP_SCOPE_BASE;
+- LOG_TRACE("using policy reference: %s\n", pdn);
++ pdn = slapi_ch_strdup(krbPwdPolicyReference);
+ } else {
+- /* Find ancestor base DN */
+- be = slapi_be_select(sdn);
+- psdn = slapi_be_getsuffix(be, 0);
+- if (psdn == NULL) {
+- LOG_FATAL("Invalid DN [%s]\n", dn);
+- ret = -1;
+- goto done;
+- }
+- pdn = slapi_sdn_get_dn(psdn);
+- scope = LDAP_SCOPE_SUBTREE;
++ /* Fallback to hardcoded value */
++ pdn = slapi_ch_smprintf("cn=global_policy,%s", ipa_realm_dn);
+ }
++ if (pdn == NULL) {
++ LOG_OOM();
++ ret = -1;
++ goto done;
++ }
++ LOG_TRACE("Using policy at [%s]\n", pdn);
++ scope = LDAP_SCOPE_BASE;
+
+ pb = slapi_pblock_new();
+ slapi_search_internal_set_pb(pb,
+@@ -539,54 +508,13 @@ int ipapwd_getPolicy(const char *dn,
+ /* if there is only one, return that */
+ if (i == 1) {
+ pe = es[0];
+- goto fill;
+- }
+-
+- /* count number of RDNs in DN */
+- rdnc = ipapwd_rdn_count(dn);
+- if (rdnc == -1) {
+- LOG_TRACE("ipapwd_rdn_count(dn) failed");
+- ret = -1;
+- goto done;
+- }
+-
+- pe = NULL;
+- dist = -1;
+-
+- /* find closest entry */
+- for (i = 0; es[i]; i++) {
+- const Slapi_DN *esdn;
+-
+- esdn = slapi_entry_get_sdn_const(es[i]);
+- if (esdn == NULL) continue;
+- if (0 == slapi_sdn_compare(esdn, sdn)) {
+- pe = es[i];
+- dist = 0;
+- break;
+- }
+- if (slapi_sdn_issuffix(sdn, esdn)) {
+- const char *dn1;
+- int c1;
+-
+- dn1 = slapi_sdn_get_dn(esdn);
+- if (!dn1) continue;
+- c1 = ipapwd_rdn_count(dn1);
+- if (c1 == -1) continue;
+- if ((dist == -1) ||
+- ((rdnc - c1) < dist)) {
+- dist = rdnc - c1;
+- pe = es[i];
+- }
+- }
+- if (dist == 0) break; /* found closest */
+- }
+-
+- if (pe == NULL) {
++ } else {
++ LOG_TRACE("Multiple entries from a base search ?!");
+ ret = -1;
+ goto done;
+ }
+
+-fill:
++ /* read data out of policy object */
+ policy->min_pwd_life = slapi_entry_attr_get_int(pe, "krbMinPwdLife");
+
+ tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
+@@ -615,7 +543,7 @@ done:
+ slapi_free_search_results_internal(pb);
+ slapi_pblock_destroy(pb);
+ }
+- if (sdn) slapi_sdn_free(&sdn);
++ slapi_ch_free_string(&pdn);
+ return ret;
+ }
+
+--
+1.8.4.2
+
diff --git a/SOURCES/0029-Stop-adding-a-default-password-policy-reference.patch b/SOURCES/0029-Stop-adding-a-default-password-policy-reference.patch
new file mode 100644
index 0000000..4e325d2
--- /dev/null
+++ b/SOURCES/0029-Stop-adding-a-default-password-policy-reference.patch
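Review bot: The `else` branch after `if (i == 1)` logs "Multiple entries from a base search ?!" for every count other than one, so if the result-counting loop above (outside the hunk) can leave `i == 0`, a missing policy object is reported as a duplicate; `LOG_TRACE("Expected exactly one policy entry, got %d\n", i);` would describe both cases. The fallback `slapi_ch_smprintf("cn=global_policy,%s", ipa_realm_dn)` assumes `ipa_realm_dn` is initialised by the time the plugin handles a request; if it can still be NULL here, the base DN is silently malformed rather than caught, since the `pdn == NULL` check only detects allocation failure. That same check also fires when `slapi_ch_strdup` is handed a NULL `krbPwdPolicyReference`, in which case `LOG_OOM()` misreports the cause; a separate NULL test on the reference before duplicating it would keep the log accurate.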
@@ -0,0 +1,409 @@ +From 46ad7d5e76929d5744355374c1e56c5004bf5281 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Thu, 16 Jan 2014 09:06:18 +0100 +Subject: [PATCH 29/34] Stop adding a default password policy reference + +Both the password plugin and the kdb driver code automatically fall +back to the default password policy. +so stop adding an explicit reference to user objects and instead rely on the +fallback. +This way users created via the framework and users created via winsync plugin +behave the same way wrt password policies and no surprises will happen. + +Also in case we need to change the default password policy DN this will allow +just code changes instead of having to change each user entry created, and +distinguish between the default policy and explicit admin changes. + +Related: https://fedorahosted.org/freeipa/ticket/4085 + +Patch backported/updated by Martin Kosek to accomodate different ipatests +structure in ipa-3-3 branch. +--- + ipalib/plugins/user.py | 3 -- + ipatests/test_xmlrpc/test_attr.py | 2 -- + ipatests/test_xmlrpc/test_automember_plugin.py | 4 --- + ipatests/test_xmlrpc/test_group_plugin.py | 4 --- + ipatests/test_xmlrpc/test_krbtpolicy.py | 2 -- + ipatests/test_xmlrpc/test_nesting.py | 8 ----- + ipatests/test_xmlrpc/test_netgroup_plugin.py | 4 --- + ipatests/test_xmlrpc/test_range_plugin.py | 2 -- + ipatests/test_xmlrpc/test_replace.py | 2 -- + ipatests/test_xmlrpc/test_selinuxusermap_plugin.py | 5 --- + ipatests/test_xmlrpc/test_user_plugin.py | 40 ---------------------- + 11 files changed, 76 deletions(-) + +diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py +index 471981f48204209753eda2fb994d4c653dca0fa2..9b212005ef522920a86deacc8f9b3e658a088ec1 100644 +--- a/ipalib/plugins/user.py ++++ b/ipalib/plugins/user.py +@@ -498,9 +498,6 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options): + homes_root = config.get('ipahomesrootdir', ['/home'])[0] + # build user's home directory based on his uid + 
entry_attrs['homedirectory'] = posixpath.join(homes_root, keys[-1]) +- entry_attrs.setdefault('krbpwdpolicyreference', +- DN(('cn', 'global_policy'), ('cn', api.env.realm), ('cn', 'kerberos'), +- api.env.basedn)) + entry_attrs.setdefault('krbprincipalname', '%s@%s' % (entry_attrs['uid'], api.env.realm)) + + if entry_attrs.get('gidnumber') is None: +diff --git a/ipatests/test_xmlrpc/test_attr.py b/ipatests/test_xmlrpc/test_attr.py +index 118eabdeb5c8f6e86c0a9fc7dcdf9fc73a0a9ad2..a9e2956947109efcdcd132dff3807b7400d95a09 100644 +--- a/ipatests/test_xmlrpc/test_attr.py ++++ b/ipatests/test_xmlrpc/test_attr.py +@@ -71,8 +71,6 @@ class test_attr(Declarative): + cn=[u'Test User1'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +diff --git a/ipatests/test_xmlrpc/test_automember_plugin.py b/ipatests/test_xmlrpc/test_automember_plugin.py +index 2c38b6463bfc684dbe23904f54b7107bb4ce3ff2..32fc59bac70d0f2e16d5d988835772f894bd78a9 100644 +--- a/ipatests/test_xmlrpc/test_automember_plugin.py ++++ b/ipatests/test_xmlrpc/test_automember_plugin.py +@@ -812,8 +812,6 @@ class test_automember(Declarative): + cn=[u'Michael Scott'], + initials=[u'MS'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn', 'global_policy'), ('cn', api.env.realm), ('cn', 'kerberos'), +- api.env.basedn)], + mepmanagedentry=[DN(('cn', manager1), ('cn', 'groups'), ('cn', 'accounts'), + api.env.basedn)], + memberof_group=[u'defaultgroup1', u'ipausers'], +@@ -851,8 +849,6 @@ class test_automember(Declarative): + cn=[u'Test User1'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn', 'global_policy'), ('cn', api.env.realm), ('cn', 'kerberos'), +- api.env.basedn)], + mepmanagedentry=[DN(('cn', user1), ('cn', 'groups'), ('cn', 'accounts'), + 
api.env.basedn)], + memberof_group=[u'group1', u'ipausers'], +diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py +index be31af453bbd28d420c5e9f301bef6eb56388f61..9cc337db2a5f80abc960f5bc8a226372bf16b980 100644 +--- a/ipatests/test_xmlrpc/test_group_plugin.py ++++ b/ipatests/test_xmlrpc/test_group_plugin.py +@@ -812,8 +812,6 @@ class test_group(Declarative): + cn=[u'Test User1'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + dn=DN(('uid',user1),('cn','users'),('cn','accounts'), +@@ -932,8 +930,6 @@ class test_group(Declarative): + ipauniqueid=[fuzzy_uuid], + dn=DN(('uid','tuser1'),('cn','users'),('cn','accounts'), + api.env.basedn), +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, +diff --git a/ipatests/test_xmlrpc/test_krbtpolicy.py b/ipatests/test_xmlrpc/test_krbtpolicy.py +index 2fac11f1854037aa197f2df42c72a9d7ae947ccd..fb66e8a6ca72bee7dcfc595f3b89badc2608ca09 100644 +--- a/ipatests/test_xmlrpc/test_krbtpolicy.py ++++ b/ipatests/test_xmlrpc/test_krbtpolicy.py +@@ -110,8 +110,6 @@ class test_krbtpolicy(Declarative): + cn=[u'Test User1'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +diff --git a/ipatests/test_xmlrpc/test_nesting.py b/ipatests/test_xmlrpc/test_nesting.py +index 850010b8797734406aa81a911a64bb1d051b7196..5be05688973f9ee39425f1bfc9cdedaa1a193c25 100644 +--- a/ipatests/test_xmlrpc/test_nesting.py ++++ b/ipatests/test_xmlrpc/test_nesting.py +@@ -176,8 
+176,6 @@ class test_nesting(Declarative): + cn=[u'Test User1'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +@@ -214,8 +212,6 @@ class test_nesting(Declarative): + cn=[u'Test User2'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[DN(('cn',user2),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +@@ -252,8 +248,6 @@ class test_nesting(Declarative): + cn=[u'Test User3'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[DN(('cn',user3),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +@@ -290,8 +284,6 @@ class test_nesting(Declarative): + cn=[u'Test User4'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[DN(('cn',user4),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +diff --git a/ipatests/test_xmlrpc/test_netgroup_plugin.py b/ipatests/test_xmlrpc/test_netgroup_plugin.py +index 09241a7d691aeb7d967e549d14ff5d87a80b6a9b..15453bd3cfd45dce9be43cc5003b67a87a7915ac 100644 +--- a/ipatests/test_xmlrpc/test_netgroup_plugin.py ++++ b/ipatests/test_xmlrpc/test_netgroup_plugin.py +@@ -288,8 +288,6 @@ class test_netgroup(Declarative): + cn=[u'Test User1'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + 
mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +@@ -325,8 +323,6 @@ class test_netgroup(Declarative): + cn=[u'Test User2'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[DN(('cn',user2),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py +index df80e2fb72725c52d13be7a661364cbeafa3f84f..8c7b5f26e70283db62f18b152378d1b7d31bcc96 100644 +--- a/ipatests/test_xmlrpc/test_range_plugin.py ++++ b/ipatests/test_xmlrpc/test_range_plugin.py +@@ -248,8 +248,6 @@ def tearDownClass(cls): + initials=[u'TU'], + mail=[u'%s@%s' % (user1, api.env.domain)], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +diff --git a/ipatests/test_xmlrpc/test_replace.py b/ipatests/test_xmlrpc/test_replace.py +index 1b946b76cb9ecccc3452b3714d1647b0a09ec831..691918f5857827365323ed1d20835a15dd899a4f 100644 +--- a/ipatests/test_xmlrpc/test_replace.py ++++ b/ipatests/test_xmlrpc/test_replace.py +@@ -66,8 +66,6 @@ class test_replace(Declarative): + initials=[u'TU'], + mail=[u'test1@example.com', u'test2@example.com'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),('cn','kerberos'), +- api.env.basedn)], + mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +diff --git a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py +index 
d1fedf1f0ff603a702089651db7f226ea58a98cd..9438bd01227c3ed0317976a38de8f67ec4ae425f 100644 +--- a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py ++++ b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py +@@ -216,11 +216,6 @@ class test_selinuxusermap(Declarative): + cn=[u'Test User1'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn', 'global_policy'), +- ('cn', api.env.realm), +- ('cn', 'kerberos'), +- api.env.basedn) +- ], + mepmanagedentry=[DN(('cn', user1), ('cn', 'groups'), + ('cn', 'accounts'), api.env.basedn)], + memberof_group=[u'ipausers'], +diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py +index 98e1965a4fbd3c2e77363495d0391be580bd0805..6a5ba50034fd2c9b63db63eeaa0061657574342d 100644 +--- a/ipatests/test_xmlrpc/test_user_plugin.py ++++ b/ipatests/test_xmlrpc/test_user_plugin.py +@@ -125,8 +125,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user1, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -199,8 +197,6 @@ class test_user(Declarative): + 'gidnumber': [fuzzy_digits], + 'ipauniqueid': [fuzzy_uuid], + 'mepmanagedentry': [get_group_dn(user1)], +- 'krbpwdpolicyreference': [DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + 'nsaccountlock': False, + 'has_keytab': False, + 'has_password': False, +@@ -594,8 +590,6 @@ class test_user(Declarative): + ipasshpubkey=[sshpubkey], + sshpubkeyfp=[sshpubkeyfp], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -650,8 +644,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % 
(user1, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -687,8 +679,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user2, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user2)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -908,8 +898,6 @@ class test_user(Declarative): + postalcode=[u'01234-5678'], + telephonenumber=[u'410-555-1212'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -954,8 +942,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user1, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + has_keytab=True, +@@ -1003,8 +989,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user2, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user2)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -1075,8 +1059,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user1, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + 
memberof_group=[u'ipausers'], + has_keytab=False, +@@ -1148,8 +1130,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user1, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -1210,8 +1190,6 @@ class test_user(Declarative): + initials=[u'TU'], + mail=[u'%s@%s' % (user1, api.env.domain)], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -1273,8 +1251,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user2, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + memberof_group=[u'ipausers'], + has_keytab=False, + has_password=False, +@@ -1327,8 +1303,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user1, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + memberof_group=[group1], + has_keytab=False, + has_password=False, +@@ -1364,8 +1338,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user2, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + memberof_group=[group1], + has_keytab=False, + has_password=False, +@@ -1446,8 +1418,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user2, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- 
('cn','kerberos'),api.env.basedn)], + memberof_group=[group1], + nsaccountlock=False, + has_keytab=False, +@@ -1493,8 +1463,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user2, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + memberof_group=[group1], + nsaccountlock=False, + has_keytab=False, +@@ -1553,8 +1521,6 @@ class test_user(Declarative): + initials=[u'SA'], + mail=[u'%s@%s' % (admin2, api.env.domain)], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(admin2)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -1744,8 +1710,6 @@ class test_user(Declarative): + cn=[u'Test User2'], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn', 'global_policy'), ('cn', api.env.realm), ('cn', 'kerberos'), +- api.env.basedn)], + mepmanagedentry=[DN(('cn', user2), ('cn', 'groups'), ('cn', 'accounts'), + api.env.basedn)], + memberof_group=[u'ipausers'], +@@ -1780,8 +1744,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user1, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + has_keytab=False, +@@ -1828,8 +1790,6 @@ class test_user(Declarative): + mail=[u'%s@%s' % (user1, api.env.domain)], + initials=[u'TU'], + ipauniqueid=[fuzzy_uuid], +- krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm), +- ('cn','kerberos'),api.env.basedn)], + mepmanagedentry=[get_group_dn(user1)], + memberof_group=[u'ipausers'], + has_keytab=False, +-- +1.8.4.2 + 
diff --git a/SOURCES/0030-Increase-service-startup-timeout-default.patch b/SOURCES/0030-Increase-service-startup-timeout-default.patch
new file mode 100644
index 0000000..e4790a7
--- /dev/null
+++ b/SOURCES/0030-Increase-service-startup-timeout-default.patch
@@ -0,0 +1,26 @@
+From b3d3abfa3adcfc8b1f5ea09e52a0bd8a519571e6 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Wed, 15 Jan 2014 09:41:15 +0100
+Subject: [PATCH 30/34] Increase service startup timeout default.
+
+https://fedorahosted.org/freeipa/ticket/4078
+---
+ ipalib/constants.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index 79885a33a3008bd83908fc34a7340e78ab25e31f..6d4088be9a958eb5cb3b2725f8696fb4a7926e57 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -116,7 +116,7 @@
+ ('rpc_json_uri', 'http://localhost:8888/ipa/json'),
+ ('ldap_uri', 'ldap://localhost:389'),
+ # Time to wait for a service to start, in seconds
+- ('startup_timeout', 120),
++ ('startup_timeout', 300),
+
+ # Web Application mount points
+ ('mount_ipa', '/ipa/'),
+--
+1.8.4.2
+
diff --git a/SOURCES/0031-cli.print_attribute-Convert-values-to-strings.patch b/SOURCES/0031-cli.print_attribute-Convert-values-to-strings.patch
new file mode 100644
index 0000000..343a418
--- /dev/null
+++ b/SOURCES/0031-cli.print_attribute-Convert-values-to-strings.patch
@@ -0,0 +1,30 @@
+From 32d3d38edfd47f3cc5425d3c2e7d42a38ea4a95b Mon Sep 17 00:00:00 2001
+From: Petr Viktorin
+Date: Tue, 26 Nov 2013 23:31:05 +0100
+Subject: [PATCH 31/34] cli.print_attribute: Convert values to strings
+
+When output_for_cli was called directly, rather than for values
+received through XML or JSON API, joining multiple values failed
+on non-strings such as DN objects.
+
+Convert output to strings before printing it out.
+---
+ ipalib/cli.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipalib/cli.py b/ipalib/cli.py
+index 5f02e929fe0df7051f4bb925a960678d780d4883..41e1b4752a2a549ea687632e60eb8003d0cad95f 100644
+--- a/ipalib/cli.py
++++ b/ipalib/cli.py
+@@ -293,7 +293,7 @@ def print_attribute(self, attr, value, format='%s: %s', indent=1, one_value_per_
+ return
+ else:
+ if len(value) > 0:
+- text = ', '.join(value)
++ text = ', '.join(str(v) for v in value)
+ else:
+ return
+ line_len = self.get_tty_width()
+--
+1.8.4.2
+
diff --git a/SOURCES/0032-group-show-resolve-external-members-of-the-groups.patch b/SOURCES/0032-group-show-resolve-external-members-of-the-groups.patch
new file mode 100644
index 0000000..609d8ba
--- /dev/null
+++ b/SOURCES/0032-group-show-resolve-external-members-of-the-groups.patch
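Review bot: `text = ', '.join(str(v) for v in value)` in the print_attribute hunk will raise UnicodeEncodeError under Python 2 for any unicode value that contains non-ASCII characters, because `str()` encodes with the ASCII codec; the surrounding code base is Python 2 (other patches in this series call `unicode(...)`), and attribute values such as display names routinely carry non-ASCII text. Joining with `text = ', '.join(unicode(v) for v in value)` keeps the DN case the commit fixes while preserving such values, provided DN implements `__unicode__` or its `__str__` output is ASCII-only, which is not visible here and worth confirming. The enclosing print_attribute method starts and ends outside the hunk.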
@@ -0,0 +1,43 @@ +From 2d1a85606d61128611f49101854bb8efe4abd638 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Thu, 16 Jan 2014 20:31:37 +0200 +Subject: [PATCH 32/34] group-show: resolve external members of the groups + +Perform SID to name conversion for existing external members of the +groups if trust is configured. + +https://bugzilla.redhat.com/show_bug.cgi?id=1054391 +https://fedorahosted.org/freeipa/ticket/4123 +--- + ipalib/plugins/group.py | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py +index 02eeb10ca2ca2a5710e88d6e3c11f1d1cdaa4a7b..dac55003e5a4291e8a3b7db58ae9b3c9c76e271e 100644 +--- a/ipalib/plugins/group.py ++++ b/ipalib/plugins/group.py +@@ -387,6 +387,21 @@ def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **option + class group_show(LDAPRetrieve): + __doc__ = _('Display information about a named group.') + has_output_params = LDAPRetrieve.has_output_params + (ipaexternalmember_param,) ++ def post_callback(self, ldap, dn, entry_attrs, *keys, **options): ++ assert isinstance(dn, DN) ++ if ('ipaexternalmember' in entry_attrs and ++ len(entry_attrs['ipaexternalmember']) > 0 and ++ 'trust_resolve' in self.Command and ++ not options.get('raw', False)): ++ sids = entry_attrs['ipaexternalmember'] ++ result = self.Command.trust_resolve(sids=sids) ++ for entry in result['result']: ++ try: ++ idx = sids.index(entry['sid'][0]) ++ sids[idx] = entry['name'][0] ++ except ValueError: ++ pass ++ return dn + api.register(group_show) + + +-- +1.8.4.2 + diff --git a/SOURCES/0033-Remove-SID-resolve-call-from-Web-UI.patch b/SOURCES/0033-Remove-SID-resolve-call-from-Web-UI.patch new file mode 100644 index 0000000..35fee47 --- /dev/null +++ b/SOURCES/0033-Remove-SID-resolve-call-from-Web-UI.patch 
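Review bot: In group_show.post_callback the `try` only anticipates the `ValueError` from `sids.index(...)`, while `entry['sid'][0]` and `entry['name'][0]` can raise KeyError or IndexError if trust_resolve returns an entry without those attributes, which would turn a display-only lookup problem into a failing group-show. Keep the lookups outside the narrow try and skip malformed entries, e.g. `sid = entry.get('sid', [None])[0]` and `name = entry.get('name', [None])[0]` followed by `if sid is None or name is None: continue`. Any SID that trust_resolve does not return is silently left in place, which looks intended but deserves a comment such as `# SIDs the trust cannot resolve are displayed as-is`; the shape of trust_resolve's result is inferred from this hunk rather than visible.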
@@ -0,0 +1,87 @@ +From ff15df8bd58bddd4c53644867f8ee340febdc198 Mon Sep 17 00:00:00 2001 +From: Petr Vobornik +Date: Mon, 20 Jan 2014 09:50:56 +0100 +Subject: [PATCH 33/34] Remove SID resolve call from Web UI + +- it's called in group-show + +https://bugzilla.redhat.com/show_bug.cgi?id=1054391 +https://fedorahosted.org/freeipa/ticket/4123 +--- + install/ui/src/freeipa/association.js | 47 ----------------------------------- + install/ui/src/freeipa/group.js | 1 - + 2 files changed, 48 deletions(-) + +diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js +index ad427d66b6b98119b2eb577ae98e4b7c2f1a6932..8d81e495a153c06cdbcfa9917bdf04d70916f997 100644 +--- a/install/ui/src/freeipa/association.js ++++ b/install/ui/src/freeipa/association.js +@@ -1455,53 +1455,6 @@ exp.attribute_facet = IPA.attribute_facet = function(spec, no_init) { + return that; + }; + +-IPA.sid_facet = function(spec, no_init) { +- +- spec.name = spec.name || 'sid_facet'; +- +- var that = IPA.attribute_facet(spec, no_init); +- +- that.load_records = function(value) { +- var xlate = {}; +- var sidxlate_command = IPA.command({ +- entity: 'trust', +- method: 'resolve', +- options: { +- sids: '' +- } +- }); +- sidxlate_command.on_success = function(data, text_status, xhr) { +- for (var i=0; i< data.result.result.length; i++) { +- var entry = data.result.result[i]; +- if (entry.sid[0] in xlate) { +- xlate[entry.sid[0]].resolve(entry.name[0]); +- } +- } +- }; +- that.table.empty(); +- +- if (value.length === 0) return; +- +- var sids = []; +- for (var i=0; i< value.length; i++) { +- var sid = value[i][that.attribute]; +- var deferred = new Deferred(); +- value[i][that.attribute] = { +- promise: deferred.promise, +- temp: sid +- }; +- xlate[sid] = deferred; +- sids.push(sid); +- that.add_record(value[i]); +- } +- sidxlate_command.options.sids = sids; +- sidxlate_command.execute(); +- }; +- +- return that; +-}; +- +- + IPA.attr_read_only_evaluator = function(spec) { + + 
spec.name = spec.name || 'attr_read_only_evaluator'; +diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js +index 5e8cdf991cdaf4f52e3f49dca431e999a72f2089..bb12d902fcba8228098b667aa6fbd3fa7daee34d 100644 +--- a/install/ui/src/freeipa/group.js ++++ b/install/ui/src/freeipa/group.js +@@ -112,7 +112,6 @@ return { + }, + { + $type: 'attribute', +- $factory: IPA.sid_facet, + name: 'member_external', + attribute: 'ipaexternalmember', + tab_label: 'External', +-- +1.8.4.2 + diff --git a/SOURCES/0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch b/SOURCES/0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch new file mode 100644 index 0000000..f0ccd4a --- /dev/null +++ b/SOURCES/0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch 
@@ -0,0 +1,56 @@ +From 7358fdd85215b9ee9becb2e352480abd2789691f Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 17 Jan 2014 14:09:34 +0200 +Subject: [PATCH 34/34] ipa-adtrust-install: configure host netbios name by + default + +Ensure we set host netbios name by default in smb.conf + +https://fedorahosted.org/freeipa/ticket/4116 +--- + install/share/smb.conf.template | 1 + + ipaserver/install/adtrustinstance.py | 3 +++ + 2 files changed, 4 insertions(+) + +diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template +index 086b0fcfe5cff2bc3582f2a89962a99c9095b4bb..2908b998cc85fcb84f60847135aaa4b008e121f8 100644 +--- a/install/share/smb.conf.template ++++ b/install/share/smb.conf.template +@@ -1,5 +1,6 @@ + [global] + workgroup = $NETBIOS_NAME ++netbios name = $HOST_NETBIOS_NAME + realm = $REALM + kerberos method = dedicated keytab + dedicated keytab file = FILE:/etc/samba/samba.keytab +diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py +index 4aa8322e3e2cfb6fbc07696097c3e6e21fc7f665..621e3fd46780beb15f3d642cb9e3eb1c5fa721ad 100644 +--- a/ipaserver/install/adtrustinstance.py ++++ b/ipaserver/install/adtrustinstance.py +@@ -124,6 +124,7 @@ def __init__(self, fstore=None): + self.secondary_rid_base = None + + self.fqdn = None ++ self.host_netbios_name = None + self.realm = None + self.domain_name = None + +@@ -151,6 +152,7 @@ def __setup_default_attributes(self): + + # Values obtained from API.env + self.fqdn = self.fqdn or api.env.host ++ self.host_netbios_name = make_netbios_name(self.fqdn) + self.realm = self.realm or api.env.realm + self.domain_name = self.domain_name or api.env.domain + +@@ -769,6 +771,7 @@ def __setup_sub_dict(self): + self.sub_dict = dict(REALM = self.realm, + SUFFIX = self.suffix, + NETBIOS_NAME = self.netbios_name, ++ HOST_NETBIOS_NAME = self.host_netbios_name, + SMB_DN = self.smb_dn, + LDAPI_SOCKET = self.ldapi_socket, + FQDN = self.fqdn) +-- +1.8.4.2 + 
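Review bot: `self.host_netbios_name = make_netbios_name(self.fqdn)` in __setup_default_attributes unconditionally overwrites the attribute, unlike the neighbouring `self.fqdn = self.fqdn or api.env.host` and `self.realm = self.realm or api.env.realm`, so a value a caller set before setup is lost; if the attribute is meant to be overridable write `self.host_netbios_name = self.host_netbios_name or make_netbios_name(self.fqdn)`, otherwise a comment stating it is always derived from the FQDN keeps readers from expecting the `or` pattern. The hunk does not show where `make_netbios_name` comes from in this module or what it returns for a hostname whose first label has no alphanumerics, so whether `netbios name = $HOST_NETBIOS_NAME` in smb.conf.template can ever render an empty or None value is worth confirming. The enclosing methods start and end outside the hunks.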
diff --git a/SOURCES/0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch b/SOURCES/0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch
new file mode 100644
index 0000000..876fa45
--- /dev/null
+++ b/SOURCES/0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch
@@ -0,0 +1,30 @@
+From a8cc1ff0dbf3de89b78c8d382779433658286750 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Fri, 17 Jan 2014 09:26:35 +0100
+Subject: [PATCH] Remove missing VERSION warning in dnsrecord-mod
+
+dnsrecord-mod may call dnsrecord-delentry command when all records
+are deleted. However, the version was not passwd to delentry and
+it resulted in a warning.
+
+https://fedorahosted.org/freeipa/ticket/4120
+---
+ ipalib/plugins/dns.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
+index 07523dc72466892f0e7d5fdd9261024d0e898548..94ae92ba5d1ae42e31ebb6100c743a2334f29e70 100644
+--- a/ipalib/plugins/dns.py
++++ b/ipalib/plugins/dns.py
+@@ -2636,7 +2636,7 @@ def execute(self, *keys, **options):
+ break
+
+ if del_all:
+- return self.obj.methods.delentry(*keys)
++ return self.obj.methods.delentry(*keys, version=options['version'])
+ return result
+
+ def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+--
+1.8.4.2
+
diff --git a/SOURCES/0036-Hide-trust-resolve-command.patch b/SOURCES/0036-Hide-trust-resolve-command.patch
new file mode 100644
index 0000000..3e8c387
--- /dev/null
+++ b/SOURCES/0036-Hide-trust-resolve-command.patch
@@ -0,0 +1,33 @@
+From 94888d83efbbd3b3ddf194e35d4d10f03bb47bb2 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Fri, 17 Jan 2014 16:13:17 +0100
+Subject: [PATCH] Hide trust-resolve command
+
+We do not need to expose a public FreeIPA specific interface to resolve
+SIDs to names. The interface is only used internally to resolve SIDs
+when external group members are listed. Additionally, the command interface
+is not prepared for regular user and can give rather confusing results.
+
+Hide it from CLI. The API itself is still accessible and compatible with
+older clients.
+
+https://fedorahosted.org/freeipa/ticket/4113
+---
+ ipalib/plugins/trust.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 3d412c9c9f518347769e88ddc9089d6d92ccc4be..0b6db27c696cd169c8f4b33128520961c20e3015 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -978,6 +978,7 @@ def idmap_type_string(level):
+ return unicode(string)
+
+ class trust_resolve(Command):
++ NO_CLI = True
+ __doc__ = _('Resolve security identifiers of users and groups in trusted domains')
+
+ takes_options = (
+--
+1.8.4.2
+
diff --git a/SOURCES/0037-Trust-domains-Web-UI.patch b/SOURCES/0037-Trust-domains-Web-UI.patch
new file mode 100644
index 0000000..a7b76fb
--- /dev/null
+++ b/SOURCES/0037-Trust-domains-Web-UI.patch
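Review bot: `NO_CLI = True` on trust_resolve hides the command from the CLI and its help only; as the commit message itself states, the command remains callable over the RPC API, so this is not an access-control change and the class deserves a comment saying so, e.g. `NO_CLI = True  # hidden from the CLI only; still reachable via the API by older clients`, so that nobody later reads the flag as restricting who may resolve SIDs. Whatever authorization the command's execute applies (outside this hunk) remains the only enforcement point for that.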
@@ -0,0 +1,188 @@ +From 8dcaa8f17b94fd7056340622e49d8ab505694603 Mon Sep 17 00:00:00 2001 +From: Petr Vobornik +Date: Wed, 15 Jan 2014 18:01:02 +0100 +Subject: [PATCH] Trust domains Web UI + +Add Web UI counterpart of following CLI commands: + +* trust-fetch-domains Refresh list of the domains associated with the trust +* trustdomain-del Remove infromation about the domain associated with the trust. +* trustdomain-disable Disable use of IPA resources by the domain of the trust +* trustdomain-enable Allow use of IPA resources by the domain of the trust +* trustdomain-find Search domains of the trust + +https://fedorahosted.org/freeipa/ticket/4119 +--- + install/ui/src/freeipa/search.js | 11 +++--- + install/ui/src/freeipa/trust.js | 68 ++++++++++++++++++++++++++++++++++++++ + install/ui/test/data/ipa_init.json | 1 + + ipalib/plugins/internal.py | 1 + + 4 files changed, 77 insertions(+), 4 deletions(-) + +diff --git a/install/ui/src/freeipa/search.js b/install/ui/src/freeipa/search.js +index c2e678a35e7d7d5179c1b766eea88599710593c3..3f7fdf9b1e6716c73e0657dc678abe332f6fc8c0 100644 +--- a/install/ui/src/freeipa/search.js ++++ b/install/ui/src/freeipa/search.js +@@ -470,20 +470,23 @@ IPA.batch_items_action = function(spec) { + that.execute_action = function(facet, on_success, on_error) { + + var entity = facet.managed_entity; +- var pkeys = facet.get_selected_values(); ++ var selected_keys = facet.get_selected_values(); ++ var pkeys = facet.get_pkeys(); ++ if (!pkeys[0]) pkeys = []; // correction for search facet + + that.batch = IPA.batch_command({ + name: entity.name + '_batch_'+ that.method, + on_success: that.get_on_success(facet, on_success) + }); + +- for (var i=0; i +Date: Mon, 20 Jan 2014 16:42:48 +0200 +Subject: [PATCH] ipasam: delete trusted child domains before removing the + trust + +LDAP protocol doesn't allow deleting non-leaf entries. One needs to +remove all leaves first before removing the tree node. 
+ +https://fedorahosted.org/freeipa/ticket/4126 +--- + daemons/ipa-sam/ipa_sam.c | 45 ++++++++++++++++++++++++++++++++++++++++++++- + 1 file changed, 44 insertions(+), 1 deletion(-) + +diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c +index 674085d2a14c67359df16458dbbb098414a24d8b..1ca504db4e442c834ebe44d7e3503abafd6f9602 100644 +--- a/daemons/ipa-sam/ipa_sam.c ++++ b/daemons/ipa-sam/ipa_sam.c +@@ -2437,6 +2437,44 @@ done: + return status; + } + ++static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn) ++{ ++ LDAP *state = priv2ld(ldap_state); ++ int rc; ++ char *filter = NULL; ++ int scope = LDAP_SCOPE_SUBTREE; ++ LDAPMessage *result = NULL; ++ LDAPMessage *entry = NULL; ++ char *entry_dn = NULL; ++ ++ /* use 'dn' for a temporary talloc context */ ++ filter = talloc_asprintf(dn, "(objectClass=*)"); ++ if (filter == NULL) { ++ return LDAP_NO_MEMORY; ++ } ++ ++ rc = smbldap_search(ldap_state->smbldap_state, dn, scope, filter, NULL, 0, &result); ++ TALLOC_FREE(filter); ++ ++ if (result != NULL) { ++ smbldap_talloc_autofree_ldapmsg(dn, result); ++ } ++ ++ for (entry = ldap_first_entry(state, result); ++ entry != NULL; ++ entry = ldap_next_entry(state, entry)) { ++ entry_dn = get_dn(dn, state, entry); ++ /* remove child entries */ ++ if ((entry_dn != NULL) && (strcmp(entry_dn, dn) != 0)) { ++ rc = smbldap_delete(ldap_state->smbldap_state, entry_dn); ++ } ++ } ++ rc = smbldap_delete(ldap_state->smbldap_state, dn); ++ ++ /* caller will destroy dn */ ++ return rc; ++} ++ + static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods, + const char *domain) + { +@@ -2444,7 +2482,7 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods, + struct ldapsam_privates *ldap_state = + (struct ldapsam_privates *)methods->private_data; + LDAPMessage *entry = NULL; +- const char *dn; ++ char *dn; + const char *domain_name; + TALLOC_CTX *tmp_ctx; + NTSTATUS status; +@@ -2490,6 +2528,11 @@ static NTSTATUS 
ipasam_del_trusted_domain(struct pdb_methods *methods, + } + + ret = smbldap_delete(ldap_state->smbldap_state, dn); ++ if (ret == LDAP_NOT_ALLOWED_ON_NONLEAF) { ++ /* delete_subtree will use 'dn' as temporary context too */ ++ ret = delete_subtree(ldap_state, dn); ++ } ++ + if (ret != LDAP_SUCCESS) { + status = NT_STATUS_UNSUCCESSFUL; + goto done; +-- +1.8.4.2 + diff --git a/SOURCES/0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch b/SOURCES/0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch new file mode 100644 index 0000000..7bcceae --- /dev/null +++ b/SOURCES/0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch 
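Review bot: delete_subtree in the first ipa_sam.c hunk never checks the `rc` of smbldap_search before walking `result`, so a failed search that leaves `result` NULL reaches `ldap_first_entry(state, NULL)`, and the `rc` of each child `smbldap_delete` is overwritten by the next iteration, so a child that is itself a non-leaf (subtree search results are not guaranteed deepest-first) is silently skipped and the final delete of `dn` then fails with the same LDAP_NOT_ALLOWED_ON_NONLEAF the caller just handled. The rewrite below returns early on search failure, recurses into nested children on LDAP_NOT_ALLOWED_ON_NONLEAF, and stops on the first other error so the caller's `ret != LDAP_SUCCESS` path reports the real cause rather than a later, unrelated failure. Recursion depth is bounded by the depth of the trust subtree, which is small.
```c
static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn)
{
	/* … unchanged: declarations and filter allocation … */

	rc = smbldap_search(ldap_state->smbldap_state, dn, scope, filter, NULL, 0, &result);
	TALLOC_FREE(filter);
	if (rc != LDAP_SUCCESS) {
		/* nothing to walk; 'result' may be NULL here */
		return rc;
	}
	if (result == NULL) {
		return LDAP_OPERATIONS_ERROR;
	}
	smbldap_talloc_autofree_ldapmsg(dn, result);

	for (entry = ldap_first_entry(state, result);
	     entry != NULL;
	     entry = ldap_next_entry(state, entry)) {
		entry_dn = get_dn(dn, state, entry);
		if (entry_dn == NULL || strcmp(entry_dn, dn) == 0) {
			continue;
		}
		rc = smbldap_delete(ldap_state->smbldap_state, entry_dn);
		if (rc == LDAP_NOT_ALLOWED_ON_NONLEAF) {
			/* nested child: remove its own subtree first */
			rc = delete_subtree(ldap_state, entry_dn);
		}
		if (rc != LDAP_SUCCESS && rc != LDAP_NO_SUCH_OBJECT) {
			/* stop on the first real error so the caller reports it */
			return rc;
		}
	}

	/* caller will destroy dn */
	return smbldap_delete(ldap_state->smbldap_state, dn);
}
```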
@@ -0,0 +1,104 @@ +From c57ff0a9aae8e51de1de8671dc6c8d91a1f1af66 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Thu, 23 Jan 2014 14:39:24 +0100 +Subject: [PATCH] CLDAP: generate NetBIOS name like ipa-adtrust-install does + +Fixes https://fedorahosted.org/freeipa/ticket/4116 +--- + daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h | 2 + + .../ipa-cldap/ipa_cldap_netlogon.c | 47 +++++++++++++++------- + 2 files changed, 35 insertions(+), 14 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h +index 3f420ff2c5acc7bd75bff7f042f76b9c61144461..5e963e3f8557d468d646e6343366921d17242e2d 100644 +--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h ++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h +@@ -51,6 +51,7 @@ + #include + #include + #include ++#include + #include "util.h" + + #define IPA_CLDAP_PLUGIN_NAME "CLDAP Server" +@@ -106,4 +107,5 @@ int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx, + struct ipa_cldap_req *req, + struct berval *reply); + ++char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s); + #endif /* _IPA_CLDAP_H_ */ +diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c +index c03172d474589ddee84f1cfa5395c23fdba83bcb..1d16de7be09cf9675c2ee1a602ddfb800cd6e7af 100644 +--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c ++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c +@@ -121,6 +121,38 @@ done: + return ret; + } + ++char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s) ++{ ++ char *nb_name; ++ const char *p; ++ size_t c = 0; ++ ++ if (s == NULL) { ++ return NULL; ++ } ++ ++ nb_name = talloc_zero_size(mem_ctx, NETBIOS_NAME_MAX + 1); ++ if (nb_name == NULL) { ++ return NULL; ++ } ++ ++ for (p = s; *p && c < NETBIOS_NAME_MAX; p++) { ++ /* Create the NetBIOS name from the first segment of the hostname */ ++ if (*p == '.') { ++ break; ++ } else if (isalnum(*p)) { ++ 
nb_name[c++] = toupper(*p); ++ } ++ } ++ ++ if (*nb_name == '\0') { ++ talloc_free(nb_name); ++ return NULL; ++ } ++ ++ return nb_name; ++} ++ + #define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \ + (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX + +@@ -131,8 +163,6 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, + struct NETLOGON_SAM_LOGON_RESPONSE_EX *nlr; + enum ndr_err_code ndr_err; + DATA_BLOB blob; +- char *pdc_name; +- char *p; + int ret; + + nlr = talloc_zero(NULL, struct NETLOGON_SAM_LOGON_RESPONSE_EX); +@@ -162,18 +192,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain, + nlr->pdc_dns_name = fq_hostname; + nlr->domain_name = name; + +- /* copy the first 15 characters of the fully qualified hostname*/ +- pdc_name = talloc_asprintf(nlr, "%.*s", NETBIOS_NAME_MAX, fq_hostname); +- +- for (p = pdc_name; *p; p++) { +- /* Create the NetBIOS name from the first segment of the hostname */ +- if (*p == '.') { +- *p = '\0'; +- break; +- } +- *p = toupper(*p); +- } +- nlr->pdc_name = pdc_name; ++ nlr->pdc_name = make_netbios_name(nlr, fq_hostname); + nlr->user_name = ""; + nlr->server_site = "Default-First-Site-Name"; + nlr->client_site = "Default-First-Site-Name"; +-- +1.8.3.1 + diff --git a/SOURCES/0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch b/SOURCES/0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch new file mode 100644 index 0000000..5483f37 --- /dev/null +++ b/SOURCES/0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch 
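Review bot: make_netbios_name passes a plain `char` to `isalnum()` and `toupper()`; for a byte above 0x7f on a platform where `char` is signed that is a negative argument, which the C standard leaves undefined for the ctype functions, so both calls should take `(unsigned char)*p` — `} else if (isalnum((unsigned char)*p)) {` and `nb_name[c++] = toupper((unsigned char)*p);`. The second hunk assigns `nlr->pdc_name = make_netbios_name(nlr, fq_hostname);` without handling the NULL the function now returns on allocation failure or for a hostname whose first label has no alphanumerics, where the removed code always produced a string; unless the NDR pusher tolerates a NULL `pdc_name`, which is not visible here, a NULL check that fails the request is needed. ipa_cldap_encode_netlogon starts and ends outside the hunk.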
@@ -0,0 +1,108 @@ +From 2392ccb4ff9f0310512a6313240749900567d831 Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Thu, 30 Jan 2014 16:58:25 +0100 +Subject: [PATCH] Fallback to global policy in ipa-lockout plugin + +krbPwdPolicyReference is no longer filled default users. Instead, plugins +fallback to hardcoded global policy reference. + +Fix ipa-lockout plugin to fallback to it instead of failing to apply +the policy. + +https://fedorahosted.org/freeipa/ticket/4085 +--- + .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 ++++++++++++++++++++++ + 1 file changed, 34 insertions(+) + +diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c +index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5a24359d319aaea28773daa01d268d2d46583270 100644 +--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c ++++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c +@@ -49,6 +49,7 @@ + #include + #include "slapi-plugin.h" + #include "nspr.h" ++#include + + #include "util.h" + +@@ -81,6 +82,8 @@ static int g_plugin_started = 0; + + static struct ipa_context *global_ipactx = NULL; + ++static char *ipa_global_policy = NULL; ++ + #define GENERALIZED_TIME_LENGTH 15 + + /** +@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx) + Slapi_Attr *attr = NULL; + char *dn = NULL; + char *basedn = NULL; ++ char *realm = NULL; + Slapi_DN *sdn; + Slapi_Entry *config_entry; ++ krb5_context krbctx = NULL; ++ krb5_error_code krberr; + int ret; + + /* Get cn=config so we can get the default naming context */ +@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx) + goto done; + } + ++ krberr = krb5_init_context(&krbctx); ++ if (krberr) { ++ LOG_FATAL("krb5_init_context failed (%d)\n", krberr); ++ ret = LDAP_OPERATIONS_ERROR; ++ goto done; ++ } ++ ++ krberr = krb5_get_default_realm(krbctx, &realm); ++ if (krberr) { ++ LOG_FATAL("Failed to get default realm (%d)\n", krberr); ++ ret = 
LDAP_OPERATIONS_ERROR; ++ goto done; ++ } ++ ++ ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s", ++ realm, basedn); ++ if (!ipa_global_policy) { ++ LOG_OOM(); ++ ret = LDAP_OPERATIONS_ERROR; ++ goto done; ++ } ++ + ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn); + if (ret == -1) { + LOG_OOM(); +@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx) + done: + if (config_entry) + slapi_entry_free(config_entry); ++ free(realm); ++ krb5_free_context(krbctx); + free(dn); + free(basedn); + return ret; +@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry, + slapi_valueset_first_value(*values, &sv); + *policy_dn = slapi_value_get_string(sv); + } ++ } else { ++ *policy_dn = ipa_global_policy; + } + + if (*policy_dn == NULL) { +@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb) + { + LOG_TRACE( "--in-->\n"); + ++ slapi_ch_free_string(&ipa_global_policy); ++ + LOG_TRACE("<--out--\n"); + + return EOK; +-- +1.8.5.3 + diff --git a/SOURCES/0041-Migration-does-not-add-users-to-default-group.patch b/SOURCES/0041-Migration-does-not-add-users-to-default-group.patch new file mode 100644 index 0000000..10c292c --- /dev/null +++ b/SOURCES/0041-Migration-does-not-add-users-to-default-group.patch 
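Review bot: the `done:` block releases the realm obtained from `krb5_get_default_realm()` with plain `free(realm)`, but the krb5 API requires `krb5_free_default_realm()` for that string, so the line should be `if (realm) krb5_free_default_realm(krbctx, realm);`. Separately, `ipa_global_policy` is assigned in ipalockout_get_global_config without releasing an earlier value, so if this function runs more than once per plugin lifetime (not visible here) the previous string leaks; calling `slapi_ch_free_string(&ipa_global_policy);` right before the `slapi_ch_smprintf` closes that. ipalockout_get_global_config and ipalockout_getpolicy start and end outside their hunks.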
@@ -0,0 +1,59 @@ +From 8b7a17d19428fa13dcd76893d758863adb9f515e Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Mon, 27 Jan 2014 12:28:12 +0100 +Subject: [PATCH] Migration does not add users to default group + +When users with missing default group were searched, IPA suffix was +not passed so these users were searched in a wrong base DN. Thus, +no user was detected and added to default group. + +https://fedorahosted.org/freeipa/ticket/4141 +--- + ipalib/plugins/migration.py | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py +index 83bf40dbfa4cf2310b2501c28cf095299711331d..0ed65f7015f458aa1cf96efb0e36e28c5019cbd2 100644 +--- a/ipalib/plugins/migration.py ++++ b/ipalib/plugins/migration.py +@@ -286,19 +286,21 @@ def _update_default_group(ldap, pkey, config, ctx, force): + searchfilter = "(&(objectclass=posixAccount)(!(memberof=%s)))" % group_dn + try: + (result, truncated) = ldap.find_entries(searchfilter, +- [''], api.env.container_user, scope=ldap.SCOPE_SUBTREE, +- time_limit = -1) ++ [''], DN(api.env.container_user, api.env.basedn), ++ scope=ldap.SCOPE_SUBTREE, time_limit = -1) + except errors.NotFound: ++ api.log.debug('All users have default group set') + return + new_members = [] + (group_dn, group_entry_attrs) = ldap.get_entry(group_dn, ['member']) ++ existing_members = set(group_entry_attrs.get('member', [])) + for m in result: +- if m[0] not in group_entry_attrs.get('member', []): ++ if m[0] not in existing_members: + new_members.append(m[0]) +- if len(new_members) > 0: +- members = group_entry_attrs.get('member', []) ++ ++ if new_members: ++ members = group_entry_attrs.setdefault('member', []) + members.extend(new_members) +- group_entry_attrs['member'] = members + + try: + ldap.update_entry(group_dn, group_entry_attrs) +@@ -308,7 +310,8 @@ def _update_default_group(ldap, pkey, config, ctx, force): + e = datetime.datetime.now() + d = e - s + mode = " 
(forced)" if force else "" +- api.log.debug('Adding %d users to group%s duration %s' % (len(new_members), mode, d)) ++ api.log.debug('Adding %d users to group%s duration %s', ++ len(new_members), mode, d) + + # GROUP MIGRATION CALLBACKS AND VARS + +-- +1.8.5.3 + diff --git a/SOURCES/0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch b/SOURCES/0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch new file mode 100644 index 0000000..3020bec --- /dev/null +++ b/SOURCES/0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch 
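Review bot: in _update_default_group the loop `for m in result: if m[0] not in existing_members: new_members.append(m[0])` is a plain filter and reads better as `new_members = [m[0] for m in result if m[0] not in existing_members]`, which also removes the separate `new_members = []` initialisation. The final `api.log.debug('Adding %d users to group%s duration %s', ...)` correctly uses lazy arguments, but whether it sits inside the `if new_members:` branch or after it cannot be seen here since indentation did not survive in this listing; if it runs unconditionally it reports `Adding 0 users` on every call and the debug message should say so. _update_default_group starts and ends outside the hunks.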
@@ -0,0 +1,65 @@ +From c41034f5ab587023d9941409618bdf5dc9046fae Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Tue, 4 Feb 2014 11:02:34 +0100 +Subject: [PATCH] ipa-lockout: do not fail when default realm cannot be read + +When ipa-lockout plugin is started during FreeIPA server installation, +the default realm may not be available and plugin should then not end +with failure. + +Similarly to other plugins, start in degraded mode in this situation. +Operation is fully restored during the final services restart. + +https://fedorahosted.org/freeipa/ticket/4085 +--- + .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c | 34 +++++++++++----------- + 1 file changed, 17 insertions(+), 17 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c +index 5a24359d319aaea28773daa01d268d2d46583270..265c2701c36fe78486a2bdd4a66366b0b05472a0 100644 +--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c ++++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c +@@ -176,23 +176,23 @@ ipalockout_get_global_config(struct ipa_context *ipactx) + krberr = krb5_init_context(&krbctx); + if (krberr) { + LOG_FATAL("krb5_init_context failed (%d)\n", krberr); +- ret = LDAP_OPERATIONS_ERROR; +- goto done; +- } +- +- krberr = krb5_get_default_realm(krbctx, &realm); +- if (krberr) { +- LOG_FATAL("Failed to get default realm (%d)\n", krberr); +- ret = LDAP_OPERATIONS_ERROR; +- goto done; +- } +- +- ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s", +- realm, basedn); +- if (!ipa_global_policy) { +- LOG_OOM(); +- ret = LDAP_OPERATIONS_ERROR; +- goto done; ++ /* Yes, we failed, but it is because /etc/krb5.conf doesn't exist ++ * or is misconfigured. Start up in a degraded mode. 
++ */ ++ } else { ++ krberr = krb5_get_default_realm(krbctx, &realm); ++ if (krberr) { ++ LOG_FATAL("Failed to get default realm (%d)\n", krberr); ++ } else { ++ ipa_global_policy = ++ slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s", ++ realm, basedn); ++ if (!ipa_global_policy) { ++ LOG_OOM(); ++ ret = LDAP_OPERATIONS_ERROR; ++ goto done; ++ } ++ } + } + + ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn); +-- +1.8.5.3 + diff --git a/SOURCES/0043-ipa-tool-Print-the-name-of-the-server-we-are-connect.patch b/SOURCES/0043-ipa-tool-Print-the-name-of-the-server-we-are-connect.patch new file mode 100644 index 0000000..9f66da8 --- /dev/null +++ b/SOURCES/0043-ipa-tool-Print-the-name-of-the-server-we-are-connect.patch 
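Review bot: the degraded-mode branch still logs with LOG_FATAL (`LOG_FATAL("krb5_init_context failed (%d)\n", krberr);` and the realm variant) although the plugin now continues, so an operator reading the error log sees a fatal failure for what the new comment describes as a tolerated startup condition; logging at a non-fatal level with a message such as `"krb5 default realm unavailable, ipa-lockout running in degraded mode (global policy fallback disabled)"` makes the state explicit and searchable. In that mode `ipa_global_policy` stays NULL, so the fallback `*policy_dn = ipa_global_policy;` added by the earlier patch yields NULL and entries without krbPwdPolicyReference get no lockout policy until the restart the commit message mentions — worth stating in the comment next to that fallback so the gap is a documented one. ipalockout_get_global_config starts and ends outside the hunk.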
@@ -0,0 +1,72 @@ +From 09a2ae5368abce22e397fef29d3acf3c16b8b96c Mon Sep 17 00:00:00 2001 +From: Petr Viktorin +Date: Wed, 5 Feb 2014 09:24:22 +0100 +Subject: [PATCH 43/46] ipa tool: Print the name of the server we are + connecting to with -v +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The logging level for these messages was decreaed so that they +do not show up in ipa-advise output. +Reset the log level to INFO and configure ipa-advise to not display +INFO messages from xmlclient by default. + +Partially reverts commit efe5a96725d3ddcd05b03a1ca9df5597eee693be + +https://fedorahosted.org/freeipa/ticket/4135 + +Reviewed-By: Tomáš Babej +--- + ipalib/rpc.py | 4 ++-- + ipaserver/advise/base.py | 5 +++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/ipalib/rpc.py b/ipalib/rpc.py +index 81e7aa35fdf780b3dcd850cfcc3ba5285d71e461..1eec1134617dd49395c2b36f11f304c473067a5d 100644 +--- a/ipalib/rpc.py ++++ b/ipalib/rpc.py +@@ -621,7 +621,7 @@ def create_connection(self, ccache=None, verbose=False, fallback=True, + kw['transport'] = KerbTransport() + else: + kw['transport'] = LanguageAwareTransport() +- self.log.debug('trying %s' % url) ++ self.log.info('trying %s' % url) + setattr(context, 'request_url', url) + serverproxy = ServerProxy(url, **kw) + if len(urls) == 1: +@@ -697,7 +697,7 @@ def forward(self, name, *args, **kw): + '%s.forward(): %r not in api.Command' % (self.name, name) + ) + server = getattr(context, 'request_url', None) +- self.debug("Forwarding '%s' to server '%s'", name, server) ++ self.log.info("Forwarding '%s' to server '%s'", name, server) + command = getattr(self.conn, name) + params = [args, kw] + try: +diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py +index 92dbb4e9e30c6d624eca95609568ae62bd9ea7fe..056cb808d24805202f16b4afd60356163ca9006a 100644 +--- a/ipaserver/advise/base.py ++++ b/ipaserver/advise/base.py +@@ -22,6 +22,7 @@ + from ipalib.errors import 
ValidationError + from ipapython import admintool + from textwrap import wrap ++from ipapython.ipa_log_manager import log_mgr + + + """ +@@ -173,6 +174,10 @@ def run(self): + + api.bootstrap(in_server=False, context='advise') + api.finalize() ++ if not self.options.verbose: ++ # Do not print connection information by default ++ logger_name = r'ipa\.ipalib\.rpc\.xmlclient' ++ log_mgr.configure(dict(logger_regexps=[(logger_name, 'warning')])) + + # With no argument, print the list out and exit + if not self.args: +-- +1.8.5.3 + diff --git a/SOURCES/0044-Remove-sourcehostcategory-from-the-default-HBAC-rule.patch b/SOURCES/0044-Remove-sourcehostcategory-from-the-default-HBAC-rule.patch new file mode 100644 index 0000000..b2822e3 --- /dev/null +++ b/SOURCES/0044-Remove-sourcehostcategory-from-the-default-HBAC-rule.patch 
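Review bot: `self.log.info('trying %s' % url)` in create_connection formats eagerly while the other changed line, `self.log.info("Forwarding '%s' to server '%s'", name, server)`, uses lazy `%` arguments; for consistency, and to avoid formatting when INFO is filtered as the ipa-advise change now does, write `self.log.info('trying %s', url)`. The base.py hunk silences the `ipa.ipalib.rpc.xmlclient` logger below warning only when `--verbose` is absent in ipa-advise, so the two INFO lines become visible in every other tool that does not configure a similar filter; whether that is intended for scripted callers of `ipa` deserves a sentence in the commit message or a comment beside the `log_mgr.configure(...)` call. create_connection and forward start and end outside their hunks.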
@@ -0,0 +1,41 @@
+From b3d761fb187f08d910df0bee420e9ed3b23d035f Mon Sep 17 00:00:00 2001
+From: Jan Cholasta
+Date: Thu, 6 Feb 2014 12:33:43 +0100
+Subject: [PATCH 44/46] Remove sourcehostcategory from the default HBAC rule.
+
+https://fedorahosted.org/freeipa/ticket/4158
+
+Reviewed-By: Martin Kosek
+---
+ install/share/default-hbac.ldif | 1 -
+ ipalib/plugins/hbacrule.py | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
+index b7b6ba28453b867fa142d038b1e35e162dac800f..52fd30ec9ac4e01f68d9cc6a94fb4cc15177e10b 100644
+--- a/install/share/default-hbac.ldif
++++ b/install/share/default-hbac.ldif
+@@ -7,7 +7,6 @@ dn:
+ accessruletype: allow
+ usercategory: all
+ hostcategory: all
+-sourcehostcategory: all
+ servicecategory: all
+ ipaenabledflag: TRUE
+ description: Allow all users to access any host from any host
+diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
+index 5cc8bc1a34de38ce5c5f6faf8ea24ee6873bf0b7..daf165346ba67c6525f7ab2034519c7a03fd3394 100644
+--- a/ipalib/plugins/hbacrule.py
++++ b/ipalib/plugins/hbacrule.py
+@@ -118,7 +118,7 @@ class hbacrule(LDAPObject):
+ default_attributes = [
+ 'cn', 'ipaenabledflag',
+ 'description', 'usercategory', 'hostcategory',
+- 'sourcehostcategory', 'servicecategory', 'ipaenabledflag',
++ 'servicecategory', 'ipaenabledflag',
+ 'memberuser', 'sourcehost', 'memberhost', 'memberservice',
+ 'memberhostgroup', 'externalhost',
+ ]
+--
+1.8.5.3
+
diff --git a/SOURCES/0045-DNS-classless-support-for-reverse-domains.patch b/SOURCES/0045-DNS-classless-support-for-reverse-domains.patch
new file mode 100644
index 0000000..3611dcc
--- /dev/null
+++ b/SOURCES/0045-DNS-classless-support-for-reverse-domains.patch
@@ -0,0 +1,229 @@ +From c884a56c2d9996fc54c054c78d56eae50f696997 Mon Sep 17 00:00:00 2001 +From: Martin Basti +Date: Fri, 31 Jan 2014 15:42:31 +0100 +Subject: [PATCH 45/46] DNS classless support for reverse domains + +Now users can add reverse zones in classless form: +0/25.1.168.192.in-addr.arpa. +0-25.1.168.192.in-addr.arpa. + +128/25 NS ns.example.com. +10 CNAME 10.128/25.1.168.192.in-addr.arpa. + +Ticket: https://fedorahosted.org/freeipa/ticket/4143 +Reviewed-By: Jan Cholasta +--- + ipalib/plugins/dns.py | 45 +++++++++++++++++++++++++++---------- + ipalib/util.py | 61 ++++++++++++++++++++++++++++++--------------------- + 2 files changed, 70 insertions(+), 36 deletions(-) + +diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py +index 94ae92ba5d1ae42e31ebb6100c743a2334f29e70..a78dc9e90a04a00a731541f8a04db5c0f0dd12bb 100644 +--- a/ipalib/plugins/dns.py ++++ b/ipalib/plugins/dns.py +@@ -368,25 +368,31 @@ def _normalize_bind_aci(bind_acis): + acis += u';' + return acis + +-def _bind_hostname_validator(ugettext, value): ++def _bind_hostname_validator(ugettext, value, allow_slash=False): + if value == _dns_zone_record: + return + try: + # Allow domain name which is not fully qualified. These are supported + # in bind and then translated as .. +- validate_hostname(value, check_fqdn=False, allow_underscore=True) ++ validate_hostname(value, check_fqdn=False, allow_underscore=True, allow_slash=allow_slash) + except ValueError, e: + return _('invalid domain-name: %s') \ + % unicode(e) + + return None + ++def _bind_cname_hostname_validator(ugettext, value): ++ """ ++ Validator for CNAME allows classless domain names (25/0.0.10.in-addr.arpa.) 
++ """ ++ return _bind_hostname_validator(ugettext, value, allow_slash=True) ++ + def _dns_record_name_validator(ugettext, value): + if value == _dns_zone_record: + return + + try: +- map(lambda label:validate_dns_label(label, allow_underscore=True), \ ++ map(lambda label:validate_dns_label(label, allow_underscore=True, allow_slash=True), \ + value.split(u'.')) + except ValueError, e: + return unicode(e) +@@ -411,7 +417,10 @@ def _validate_bind_forwarder(ugettext, forwarder): + + def _domain_name_validator(ugettext, value): + try: +- validate_domain_name(value) ++ #classless reverse zones can contain slash '/' ++ normalized_zone = normalize_zone(value) ++ validate_domain_name(value, allow_slash=zone_is_reverse(normalized_zone)) ++ + except ValueError, e: + return unicode(e) + +@@ -939,7 +948,7 @@ class CNAMERecord(DNSRecord): + rfc = 1035 + parts = ( + Str('hostname', +- _bind_hostname_validator, ++ _bind_cname_hostname_validator, + label=_('Hostname'), + doc=_('A hostname which this alias hostname points to'), + ), +@@ -960,7 +969,7 @@ class DNAMERecord(DNSRecord): + rfc = 2672 + parts = ( + Str('target', +- _bind_hostname_validator, ++ _bind_cname_hostname_validator, + label=_('Target'), + ), + ) +@@ -2119,6 +2128,14 @@ class dnsrecord(LDAPObject): + doc=_('Parse all raw DNS records and return them in a structured way'), + ) + ++ def _idnsname_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): ++ if not self.is_pkey_zone_record(*keys): ++ zone, addr = normalize_zone(keys[-2]), keys[-1] ++ try: ++ validate_domain_name(addr, allow_underscore=True, allow_slash=zone_is_reverse(zone)) ++ except ValueError, e: ++ raise errors.ValidationError(name='idnsname', error=unicode(e)) ++ + def _nsrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) + nsrecords = entry_attrs.get('nsrecord') +@@ -2132,6 +2149,7 @@ def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + ptrrecords = 
entry_attrs.get('ptrrecord') + if ptrrecords is None: + return ++ + zone = keys[-2] + if self.is_pkey_zone_record(*keys): + addr = u'' +@@ -2150,11 +2168,16 @@ def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options): + error=unicode(_('Reverse zone for PTR record should be a sub-zone of one the following fully qualified domains: %s') % allowed_zones)) + + addr_len = len(addr.split('.')) if addr else 0 +- ip_addr_comp_count = addr_len + len(zone.split('.')) +- if ip_addr_comp_count != zone_len: +- raise errors.ValidationError(name='ptrrecord', +- error=unicode(_('Reverse zone %(name)s requires exactly %(count)d IP address components, %(user_count)d given') +- % dict(name=zone_name, count=zone_len, user_count=ip_addr_comp_count))) ++ ++ #Classless zones (0/25.0.0.10.in-addr.arpa.) -> skip check ++ #zone has to be checked without reverse domain suffix (in-addr.arpa.) ++ if ('/' not in addr and '/' not in zone and ++ '-' not in addr and '-' not in zone): ++ ip_addr_comp_count = addr_len + len(zone.split('.')) ++ if ip_addr_comp_count != zone_len: ++ raise errors.ValidationError(name='ptrrecord', ++ error=unicode(_('Reverse zone %(name)s requires exactly %(count)d IP address components, %(user_count)d given') ++ % dict(name=zone_name, count=zone_len, user_count=ip_addr_comp_count))) + + def run_precallback_validators(self, dn, entry_attrs, *keys, **options): + assert isinstance(dn, DN) +diff --git a/ipalib/util.py b/ipalib/util.py +index 3c52e4fd9a3e08d160dd4ae7076590be8b869d2c..17851294a78507aba7035390c3695184b7d641b1 100644 +--- a/ipalib/util.py ++++ b/ipalib/util.py +@@ -215,34 +215,45 @@ def normalize_zone(zone): + else: + return zone + +-def validate_dns_label(dns_label, allow_underscore=False): +- label_chars = r'a-z0-9' +- underscore_err_msg = '' +- if allow_underscore: +- label_chars += "_" +- underscore_err_msg = u' _,' +- label_regex = r'^[%(chars)s]([%(chars)s-]?[%(chars)s])*$' % dict(chars=label_chars) +- regex = re.compile(label_regex, 
re.IGNORECASE) +- +- if not dns_label: +- raise ValueError(_('empty DNS label')) +- +- if len(dns_label) > 63: +- raise ValueError(_('DNS label cannot be longer that 63 characters')) +- +- if not regex.match(dns_label): +- raise ValueError(_('only letters, numbers,%(underscore)s and - are allowed. ' \ +- 'DNS label may not start or end with -') \ +- % dict(underscore=underscore_err_msg)) +- +-def validate_domain_name(domain_name, allow_underscore=False): ++ ++def validate_dns_label(dns_label, allow_underscore=False, allow_slash=False): ++ base_chars = 'a-z0-9' ++ extra_chars = '' ++ middle_chars = '' ++ ++ if allow_underscore: ++ extra_chars += '_' ++ if allow_slash: ++ middle_chars += '/' ++ ++ middle_chars = middle_chars + '-' #has to be always the last in the regex [....-] ++ ++ label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$' \ ++ % dict(base=base_chars, extra=extra_chars, middle=middle_chars) ++ regex = re.compile(label_regex, re.IGNORECASE) ++ ++ if not dns_label: ++ raise ValueError(_('empty DNS label')) ++ ++ if len(dns_label) > 63: ++ raise ValueError(_('DNS label cannot be longer that 63 characters')) ++ ++ if not regex.match(dns_label): ++ chars = ', '.join("'%s'" % c for c in extra_chars + middle_chars) ++ chars2 = ', '.join("'%s'" % c for c in middle_chars) ++ raise ValueError(_("only letters, numbers, %(chars)s are allowed. 
" \ ++ "DNS label may not start or end with %(chars2)s") \ ++ % dict(chars=chars, chars2=chars2)) ++ ++ ++def validate_domain_name(domain_name, allow_underscore=False, allow_slash=False): + if domain_name.endswith('.'): + domain_name = domain_name[:-1] + + domain_name = domain_name.split(".") + + # apply DNS name validator to every name part +- map(lambda label:validate_dns_label(label,allow_underscore), domain_name) ++ map(lambda label:validate_dns_label(label, allow_underscore, allow_slash), domain_name) + + + def validate_zonemgr(zonemgr): +@@ -287,7 +298,7 @@ def validate_zonemgr(zonemgr): + local_part.split(local_part_sep)): + raise ValueError(local_part_errmsg) + +-def validate_hostname(hostname, check_fqdn=True, allow_underscore=False): ++def validate_hostname(hostname, check_fqdn=True, allow_underscore=False, allow_slash=False): + """ See RFC 952, 1123 + + :param hostname Checked value +@@ -305,9 +316,9 @@ def validate_hostname(hostname, check_fqdn=True, allow_underscore=False): + if '.' not in hostname: + if check_fqdn: + raise ValueError(_('not fully qualified')) +- validate_dns_label(hostname,allow_underscore) ++ validate_dns_label(hostname, allow_underscore, allow_slash) + else: +- validate_domain_name(hostname,allow_underscore) ++ validate_domain_name(hostname, allow_underscore, allow_slash) + + def normalize_sshpubkey(value): + return SSHPublicKey(value).openssh() +-- +1.8.5.3 + diff --git a/SOURCES/0046-Move-ipa-otpd-socket-directory.patch b/SOURCES/0046-Move-ipa-otpd-socket-directory.patch new file mode 100644 index 0000000..87a59bf --- /dev/null +++ b/SOURCES/0046-Move-ipa-otpd-socket-directory.patch 
@@ -0,0 +1,84 @@ +From e7d5a0c79e780fddb97bcbf2763a19a2c0b244c7 Mon Sep 17 00:00:00 2001 +From: Nathaniel McCallum +Date: Fri, 7 Feb 2014 11:56:33 -0500 +Subject: [PATCH 46/46] Move ipa-otpd socket directory + +https://fedorahosted.org/freeipa/ticket/4167 +Reviewed-By: Martin Kosek +--- + daemons/configure.ac | 6 +++--- + daemons/ipa-otpd/Makefile.am | 2 +- + daemons/ipa-otpd/ipa-otpd.socket.in | 4 ++-- + freeipa.spec.in | 2 +- + 4 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/daemons/configure.ac b/daemons/configure.ac +index e57dad27614f268d3e5bbafc99b739a5cfa2589b..5646c3873beee996999e4f1d87aea653f4b5dd1b 100644 +--- a/daemons/configure.ac ++++ b/daemons/configure.ac +@@ -60,10 +60,10 @@ AC_CHECK_LIB(k5crypto, main, [krb5crypto=k5crypto], [krb5crypto=crypto]) + AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])]) + KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err" + KRAD_LIBS="-lkrad" +-krb5kdcdir="${localstatedir}/kerberos/krb5kdc" ++krb5rundir="${localstatedir}/run/krb5kdc" + AC_SUBST(KRB5_LIBS) + AC_SUBST(KRAD_LIBS) +-AC_SUBST(krb5kdcdir) ++AC_SUBST(krb5rundir) + + dnl --------------------------------------------------------------------------- + dnl - Check for Mozilla LDAP and OpenLDAP SDK +@@ -337,7 +337,7 @@ echo " + sysconfdir: ${sysconfdir} + localstatedir: ${localstatedir} + datadir: ${datadir} +- krb5kdcdir: ${krb5kdcdir} ++ krb5rundir: ${krb5rundir} + systemdsystemunitdir: ${systemdsystemunitdir} + source code location: ${srcdir} + compiler: ${CC} +diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am +index af82a5fe08856573d2d245608ba1dbaad171c7fe..83921748426d801e1edeec23f956689be5fe98b5 100644 +--- a/daemons/ipa-otpd/Makefile.am ++++ b/daemons/ipa-otpd/Makefile.am +@@ -9,7 +9,7 @@ systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service + ipa_otpd_SOURCES = bind.c forward.c main.c parse.c query.c queue.c stdio.c + + %.socket: %.socket.in +- @sed -e 's|@krb5kdcdir[@]|$(krb5kdcdir)|g' \ ++ @sed -e 
's|@krb5rundir[@]|$(krb5rundir)|g' \ + -e 's|@UNLINK[@]|@UNLINK@|g' \ + $< > $@ + +diff --git a/daemons/ipa-otpd/ipa-otpd.socket.in b/daemons/ipa-otpd/ipa-otpd.socket.in +index b968beaa7b9e68c43b2c5386b62c096fa8b97764..ce3596d9f01b26e3e8bd63f447f85a486c8e0dff 100644 +--- a/daemons/ipa-otpd/ipa-otpd.socket.in ++++ b/daemons/ipa-otpd/ipa-otpd.socket.in +@@ -2,8 +2,8 @@ + Description=ipa-otpd socket + + [Socket] +-ListenStream=@krb5kdcdir@/DEFAULT.socket +-ExecStopPre=@UNLINK@ @krb5kdcdir@/DEFAULT.socket ++ListenStream=@krb5rundir@/DEFAULT.socket ++ExecStopPre=@UNLINK@ @krb5rundir@/DEFAULT.socket + SocketMode=0600 + Accept=true + +diff --git a/freeipa.spec.in b/freeipa.spec.in +index ae8ee57f3ba2c0746bb0f7a1e65dab1da83cca22..cff79843d76a7251ae6065dba7341465733bb7cc 100644 +--- a/freeipa.spec.in ++++ b/freeipa.spec.in +@@ -105,7 +105,7 @@ Requires: nss >= 3.14.3-12.0 + Requires: nss-tools >= 3.14.3-12.0 + %endif + %if 0%{?krb5_dal_version} >= 4 +-Requires: krb5-server >= 1.11.2-1 ++Requires: krb5-server >= 1.11.5-3 + %else + %if 0%{krb5_dal_version} == 3 + # krb5 1.11 bumped DAL interface major version, a rebuild is needed +-- +1.8.5.3 + diff --git a/SOURCES/0047-bindinstance-make-sure-zone-manager-is-initialized-i.patch b/SOURCES/0047-bindinstance-make-sure-zone-manager-is-initialized-i.patch new file mode 100644 index 0000000..7a023ac --- /dev/null +++ b/SOURCES/0047-bindinstance-make-sure-zone-manager-is-initialized-i.patch 
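Review bot: The socket unit now listens on `@krb5rundir@/DEFAULT.socket` under `/run`, which is volatile, yet nothing in this patch creates that directory or pins its ownership; `SocketMode=0600` protects the socket itself, but the unit carries no `SocketUser=`/`SocketGroup=`/`DirectoryMode=`, so access is governed by whoever provisions `/run/krb5kdc` (presumably the `krb5-server >= 1.11.5-3` dependency bumped in the same patch, which is otherwise unexplained). Add a comment above `ListenStream=` such as `# /run/krb5kdc is expected to be provided by krb5-server; see the Requires bump in freeipa.spec` so the coupling between the path move and the version bump is visible, and consider an explicit `DirectoryMode=0700` in case systemd ends up creating the directory itself. The `ExecStopPre=@UNLINK@` line is only a cleanup and does not help if the directory is missing at start.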
@@ -0,0 +1,31 @@ +From ea96ad03312cecad4ff6853aafc30d3cf2c618a9 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 Feb 2014 11:06:29 +0200 +Subject: [PATCH 47/51] bindinstance: make sure zone manager is initialized in + add_master_dns_records + +Bind instance is configured using a short-circuited way when replica is set up. +Make sure required properties are in place for that. + +https://fedorahosted.org/freeipa/ticket/4186 + +Reviewed-By: Petr Viktorin +--- + ipaserver/install/bindinstance.py | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py +index 6d5a1d44d30c89278c24fe7ab5278355cb65b0b4..4dc4103f7cb94877d0652f0094b41feec56cee94 100644 +--- a/ipaserver/install/bindinstance.py ++++ b/ipaserver/install/bindinstance.py +@@ -828,6 +828,7 @@ def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name, + self.reverse_zone = reverse_zone + self.ca_configured = ca_configured + self.first_instance = False ++ self.zonemgr = 'hostmaster.%s' % self.domain + + self.__add_self() + self.__add_ipa_ca_record() +-- +1.8.5.3 + diff --git a/SOURCES/0048-trustdomain_find-make-sure-we-skip-short-entries-whe.patch b/SOURCES/0048-trustdomain_find-make-sure-we-skip-short-entries-whe.patch new file mode 100644 index 0000000..b1718fb --- /dev/null +++ b/SOURCES/0048-trustdomain_find-make-sure-we-skip-short-entries-whe.patch 
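Review bot: `self.zonemgr = 'hostmaster.%s' % self.domain` is assigned unconditionally in `add_master_dns_records`, so it overwrites any zonemgr a caller may already have set on the instance and hard-codes a default that presumably also exists on the fresh-install path; if there is a shared default or a zonemgr carried in the replica info, reuse it rather than duplicate it, e.g. `self.zonemgr = getattr(self, 'zonemgr', None) or 'hostmaster.%s' % self.domain`. A one-line why-comment would also help, e.g. `# replica setup bypasses the normal setup path; the helpers below read self.zonemgr`, since the commit message, not the code, is what explains the short-circuit. The function's head is outside the shown hunk.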
@@ -0,0 +1,32 @@ +From a11cfd34e2f92c3c71a0b568d758f7d5221b4e94 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 Feb 2014 17:59:05 +0200 +Subject: [PATCH 48/51] trustdomain_find: make sure we skip short entries when + --pkey-only is specified + +With --pkey-only only primary key is returned. It makes no sense to check and +replace boolean values then. + +https://fedorahosted.org/freeipa/ticket/4196 + +Reviewed-By: Martin Kosek +--- + ipalib/plugins/trust.py | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py +index 0b6db27c696cd169c8f4b33128520961c20e3015..bd71253607d6009414ff8a24b042175f0cb08d66 100644 +--- a/ipalib/plugins/trust.py ++++ b/ipalib/plugins/trust.py +@@ -1191,6 +1191,8 @@ def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **optio + return (filters, base_dn, ldap.SCOPE_SUBTREE) + + def post_callback(self, ldap, entries, truncated, *args, **options): ++ if options.get('pkey_only', False): ++ return truncated + trust_dn = self.obj.get_dn(args[0], trust_type=u'ad') + trust_entry = ldap.get_entry(trust_dn) + for entry in entries: +-- +1.8.5.3 + diff --git a/SOURCES/0049-ipa-kdb-in-case-of-delegation-use-original-client-s-.patch b/SOURCES/0049-ipa-kdb-in-case-of-delegation-use-original-client-s-.patch new file mode 100644 index 0000000..a3c7c45 --- /dev/null +++ b/SOURCES/0049-ipa-kdb-in-case-of-delegation-use-original-client-s-.patch 
@@ -0,0 +1,67 @@ +From ede01c14e58a98af728152635e5d75be0deb389d Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 25 Feb 2014 17:50:55 +0200 +Subject: [PATCH 49/51] ipa-kdb: in case of delegation use original client's + database entry, not the proxy +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +https://fedorahosted.org/freeipa/ticket/4195 + +Reviewed-By: Tomáš Babej +Reviewed-By: Simo Sorce +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index ff67391538234e2272ea1ec886ec96fa88ea579b..2a0480fff029d29fb56286d85108936f6c579901 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -1983,12 +1983,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, + bool with_pac; + bool with_pad; + int result; ++ krb5_db_entry *client_entry = NULL; + + /* When using s4u2proxy client_princ actually refers to the proxied user + * while client->princ to the proxy service asking for the TGS on behalf + * of the proxied user. So always use client_princ in preference */ + if (client_princ != NULL) { + ks_client_princ = client_princ; ++ kerr = ipadb_get_principal(context, client_princ, flags, &client_entry); + } else { + ks_client_princ = client->princ; + } +@@ -2025,7 +2027,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, + } + } + +- kerr = ipadb_get_pac(context, client, &pac); ++ kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac); + if (kerr != 0 && kerr != ENOENT) { + goto done; + } +@@ -2041,7 +2043,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, + /* check or generate pac data */ + if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) { + if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { +- kerr = ipadb_get_pac(context, client, &pac); ++ kerr = ipadb_get_pac(context, client_entry ? 
client_entry : client, &pac); + if (kerr != 0 && kerr != ENOENT) { + goto done; + } +@@ -2094,6 +2096,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, + kerr = 0; + + done: ++ if (client_entry != NULL) { ++ ipadb_free_principal(context, client_entry); ++ } + krb5_pac_free(context, pac); + return kerr; + } +-- +1.8.5.3 + diff --git a/SOURCES/0050-ipa-kdb-make-sure-we-don-t-produce-MS-PAC-in-case-of.patch b/SOURCES/0050-ipa-kdb-make-sure-we-don-t-produce-MS-PAC-in-case-of.patch new file mode 100644 index 0000000..a4909d1 --- /dev/null +++ b/SOURCES/0050-ipa-kdb-make-sure-we-don-t-produce-MS-PAC-in-case-of.patch 
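Review bot: The return value of `ipadb_get_principal(context, client_princ, flags, &client_entry)` is stored in `kerr` but never examined; on failure `client_entry` is left to whatever the callee stored (NULL, presumably), and the later `client_entry ? client_entry : client` quietly builds the PAC from the proxy service's own entry instead of the proxied user's. For S4U2Proxy that is the wrong identity to mint authorization data from, so a lookup error should be handled explicitly, e.g. `if (kerr != 0 && kerr != <not-found code of ipadb_get_principal>) goto done;` with the not-found case documented as the cross-realm path, rather than silently falling back. `kerr` is also overwritten by the next call, so a genuine database error never reaches the caller. `ipadb_sign_authdata`'s declarations and body continue outside the shown hunk.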
@@ -0,0 +1,42 @@ +From 817e83837d249a63395d90ac47dc975a23f00c6c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Tue, 25 Feb 2014 20:53:49 +0200 +Subject: [PATCH 50/51] ipa-kdb: make sure we don't produce MS-PAC in case of + authdata flag cleared by admin +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When admin clears authdata flag for the service principal, KDC will pass +NULL client pointer (service proxy) to the DAL driver. + +Make sure we bail out correctly. + +Reviewed-By: Tomáš Babej +Reviewed-By: Simo Sorce +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 2a0480fff029d29fb56286d85108936f6c579901..9137cd5ad1e6166fd5d6e765fab2c8178ca0587c 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -1985,6 +1985,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, + int result; + krb5_db_entry *client_entry = NULL; + ++ ++ /* When client is NULL, authdata flag on the service principal was cleared ++ * by an admin. We don't generate MS-PAC in this case */ ++ if (client == NULL) { ++ *signed_auth_data = NULL; ++ return 0; ++ } ++ + /* When using s4u2proxy client_princ actually refers to the proxied user + * while client->princ to the proxy service asking for the TGS on behalf + * of the proxied user. So always use client_princ in preference */ +-- +1.8.5.3 + diff --git a/SOURCES/0051-Too-big-font-in-input-fields.patch b/SOURCES/0051-Too-big-font-in-input-fields.patch new file mode 100644 index 0000000..89a369c --- /dev/null +++ b/SOURCES/0051-Too-big-font-in-input-fields.patch 
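Review bot: The new early return sits before the `client_princ != NULL` branch, so an S4U2Proxy request where the KDC passes a NULL `client` but a non-NULL `client_princ` is also short-circuited and the proxied user's PAC is silently omitted rather than evaluated; if that is intended the comment should say so, and if not the check belongs in the `else` branch that actually dereferences `client->princ`. The comment asserts that a NULL client means an admin cleared the authdata flag, which is a KDC/DAL-side contract; cite where that behaviour comes from in the comment so the next reader can verify it against the krb5 version this build requires. The start of `ipadb_sign_authdata` is outside the shown hunk.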
@@ -0,0 +1,42 @@ +From 92cb7c52b3a6241c9a0e5bc4e0c91705723d118f Mon Sep 17 00:00:00 2001 +From: Adam Misnyovszki +Date: Wed, 26 Feb 2014 18:16:45 +0100 +Subject: [PATCH 51/51] Too big font in input fields + +In Firefox 27, default font size has bigger priority than body css, +text input font size is therefore explicitly set to 1em. Also +checkbox/radiobutton styling fixed. + +https://fedorahosted.org/freeipa/ticket/4180 + +Reviewed-By: Petr Vobornik +--- + install/ui/ipa.css | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/install/ui/ipa.css b/install/ui/ipa.css +index ad3d1aa1f8f8898ad8dff8f8ecc175238fad1181..29dfe80aacfa1e508f59d3008b2aa57f9477a448 100644 +--- a/install/ui/ipa.css ++++ b/install/ui/ipa.css +@@ -1243,6 +1243,18 @@ table.scrollable tbody { + width: 250px; + } + ++input, select, textarea { ++ font-size: 1em; ++ font-family: "Liberation Sans",Arial,Sans; ++} ++ ++input[type=radio], input[type=checkbox], ++.ui-widget input[type=radio], .ui-widget input[type=checkbox]{ ++ margin-right: 5px; ++ position: relative; ++ top: 3px; ++} ++ + .multivalued-widget [name=value] { + margin-bottom: 1em; + } +-- +1.8.5.3 + diff --git a/SOURCES/0052-trust-make-sure-we-always-discover-topology-of-the-f.patch b/SOURCES/0052-trust-make-sure-we-always-discover-topology-of-the-f.patch new file mode 100644 index 0000000..93b27ce --- /dev/null +++ b/SOURCES/0052-trust-make-sure-we-always-discover-topology-of-the-f.patch 
@@ -0,0 +1,75 @@ +From bbba8c95ed2f5e551b4e468b394f5e0839be9f6f Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Thu, 27 Feb 2014 13:43:17 +0200 +Subject: [PATCH 52/53] trust: make sure we always discover topology of the + forest trust + +Even though we are creating idranges for subdomains only in case +there is algorithmic ID mapping in use, we still need to fetch +list of subdomains for all other cases. + +https://fedorahosted.org/freeipa/ticket/4205 +--- + ipalib/plugins/trust.py | 37 ++++++------------------------------- + 1 file changed, 6 insertions(+), 31 deletions(-) + +diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py +index bd71253607d6009414ff8a24b042175f0cb08d66..f2b00a6f58f5890e37aaa033a35dcf9bc39ccbc4 100644 +--- a/ipalib/plugins/trust.py ++++ b/ipalib/plugins/trust.py +@@ -458,38 +458,13 @@ def execute(self, *keys, **options): + + result['result'] = entry_to_dict(trusts[0][1], **options) + +- # For AD trusts with algorithmic mapping, we need to add a separate +- # range for each subdomain. +- if (options.get('trust_type') == u'ad' and +- created_range_type != u'ipa-ad-trust-posix'): +- ++ # Fetch topology of the trust forest -- we need always to do it ++ # for AD trusts, regardless of the type of idranges associated with it ++ # Note that fetch_domains_from_trust will add needed ranges for ++ # the algorithmic ID mapping case. ++ if options.get('trust_type') == u'ad': + domains = fetch_domains_from_trust(self, self.trustinstance, + result['result'], **options) +- if domains and len(domains) > 0: +- for dom in domains: +- range_name = dom['cn'][0].upper() + '_id_range' +- dom_sid = dom['ipanttrusteddomainsid'][0] +- +- # Enforce the same range type as the range for the root +- # level domain. 
+- +- # This will skip the detection of the POSIX attributes if +- # they are not available, since it has been already +- # detected when creating the range for the root level domain +- passed_options = options +- passed_options.update(range_type=created_range_type) +- +- # Do not pass the base id to the subdomains since it would +- # clash with the root level domain +- if 'base_id' in passed_options: +- del passed_options['base_id'] +- +- # Try to add the range for each subdomain +- try: +- add_range(self, range_name, dom_sid, *keys, +- **passed_options) +- except errors.DuplicateEntry: +- pass + + # Format the output into human-readable values + result['result']['trusttype'] = [trust_type_string( +@@ -1270,7 +1245,7 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options): + # trust range must exist by the time fetch_domains_from_trust is called + range_name = trust_name.upper() + '_id_range' + old_range = api.Command.idrange_show(range_name, raw=True)['result'] +- idrange_type = old_range['iparangetype'] ++ idrange_type = old_range['iparangetype'][0] + + for dom in domains: + dom['trust_type'] = u'ad' +-- +1.8.5.3 + diff --git a/SOURCES/0053-ipaserver-dcerpc-catch-the-case-of-insuffient-permis.patch b/SOURCES/0053-ipaserver-dcerpc-catch-the-case-of-insuffient-permis.patch new file mode 100644 index 0000000..eeccfc1 --- /dev/null +++ b/SOURCES/0053-ipaserver-dcerpc-catch-the-case-of-insuffient-permis.patch 
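Review bot: The removed loop explicitly forced `range_type=created_range_type` and deleted `base_id` before creating subdomain ranges so they could not collide with the root domain's range; the new code hands the unmodified `**options` to `fetch_domains_from_trust` and relies on it to do the same, which this hunk cannot confirm (the commit message says only that it "will add needed ranges"). An ID range overlapping the root range is a security-relevant misconfiguration (it can produce SID-to-ID mapping collisions), so either pass a sanitized copy here — `sub_options = dict(options, range_type=created_range_type); sub_options.pop('base_id', None)` — or add a comment pointing at the code in `fetch_domains_from_trust` that guarantees it. The removed code also mutated the caller's `options` dict in place via `passed_options = options`, which the rewrite incidentally fixes and is worth a sentence in the message. The `execute` method continues outside the shown hunk.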
@@ -0,0 +1,40 @@ +From 504e8701fd7870b18febe9b544244d5d2744bb16 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 26 Feb 2014 17:43:34 +0200 +Subject: [PATCH 53/53] ipaserver/dcerpc: catch the case of insuffient + permissions when establishing trust + +We attempt to delete the trust that might exist already. If there are not enough +privileges to do so, we wouldn't be able to create trust at the next step and it will fail. +However, failure to create trust will be due to the name collision as we already had +the trust with the same name before. Thus, raise access denied exception here +to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION. + +https://fedorahosted.org/freeipa/ticket/4202 + +Reviewed-By: Martin Kosek +--- + ipaserver/dcerpc.py | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index d809c416baac072a2489fbd3c167f08665b7a24e..5972e622292a033d4fc979cbf5401fa02151f35c 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -892,8 +892,11 @@ def establish_trust(self, another_domain, trustdom_secret): + dname.string = another_domain.info['dns_domain'] + res = self._pipe.QueryTrustedDomainInfoByName(self._policy_handle, dname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO) + self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid) +- except RuntimeError, e: +- pass ++ except RuntimeError, (num, message): ++ # Ignore anything but access denied (NT_STATUS_ACCESS_DENIED) ++ if num == -1073741790: ++ raise access_denied_error ++ + try: + trustdom_handle = self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE) + except RuntimeError, (num, message): +-- +1.8.5.3 + diff --git a/SOURCES/0054-fix-filtering-of-subdomain-based-trust-users.patch b/SOURCES/0054-fix-filtering-of-subdomain-based-trust-users.patch new file mode 100644 index 0000000..4b094ce --- /dev/null 
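Review bot: `-1073741790` is NT_STATUS_ACCESS_DENIED (0xC0000022) written as a bare signed decimal with only the comment as a hint; name it once at module level, `NT_STATUS_ACCESS_DENIED = -1073741790  # 0xC0000022`, or use the samba `ntstatus` constant if those bindings are already imported here, and compare against that. The `except RuntimeError, (num, message)` destructuring raises `ValueError` from inside the handler if the bindings ever raise a RuntimeError whose args are not a 2-tuple, turning an ignorable failure into an unhandled one; the same pattern is used in the `CreateTrustedDomainEx2` handler below, so `except RuntimeError as e: num = e.args[0] if e.args else None` would fix both consistently. The comment `# Ignore anything but access denied` also reads as the opposite of the code; `# Only access denied is fatal here: any other failure means there was no trust to delete` is what the branch actually does. `establish_trust` starts outside the shown hunk.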
+++ b/SOURCES/0054-fix-filtering-of-subdomain-based-trust-users.patch 
@@ -0,0 +1,100 @@ +From 4b7059b4f29832d98b4ff4f266007d007ca07a19 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Fri, 28 Feb 2014 22:03:29 +0200 +Subject: [PATCH] fix filtering of subdomain-based trust users + +https://fedorahosted.org/freeipa/ticket/4207 +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 41 ++++++++++++++++++++++++++++++++--------- + 1 file changed, 32 insertions(+), 9 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 9137cd5ad1e6166fd5d6e765fab2c8178ca0587c..68f27f0e2d9028cdaece80c4bd3440d0438d20db 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -806,6 +806,12 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext, + krb5_error_code kerr; + enum ndr_err_code ndr_err; + ++ /* When no client entry is there, we cannot generate MS-PAC */ ++ if (!client) { ++ *pac = NULL; ++ return 0; ++ } ++ + ipactx = ipadb_get_context(kcontext); + if (!ipactx) { + return KRB5_KDB_DBNOTINITED; +@@ -1534,6 +1540,12 @@ static krb5_error_code ipadb_add_transited_service(krb5_context context, + uint32_t i; + char *tmpstr; + ++ /* When proxy is NULL, authdata flag on the service principal was cleared ++ * by an admin. We don't generate MS-PAC in this case */ ++ if (proxy == NULL) { ++ return 0; ++ } ++ + tmpctx = talloc_new(NULL); + if (!tmpctx) { + kerr = ENOMEM; +@@ -1731,6 +1743,12 @@ static krb5_error_code ipadb_verify_pac(krb5_context context, + } + + if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) { ++ if (proxy == NULL) { ++ *pac = NULL; ++ kerr = 0; ++ goto done; ++ } ++ + kerr = ipadb_add_transited_service(context, proxy, server, + old_pac, new_pac); + if (kerr) { +@@ -1986,20 +2004,27 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, + krb5_db_entry *client_entry = NULL; + + +- /* When client is NULL, authdata flag on the service principal was cleared +- * by an admin. 
We don't generate MS-PAC in this case */ +- if (client == NULL) { +- *signed_auth_data = NULL; +- return 0; +- } ++ is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); + + /* When using s4u2proxy client_princ actually refers to the proxied user + * while client->princ to the proxy service asking for the TGS on behalf + * of the proxied user. So always use client_princ in preference */ + if (client_princ != NULL) { + ks_client_princ = client_princ; +- kerr = ipadb_get_principal(context, client_princ, flags, &client_entry); ++ if (!is_as_req) { ++ kerr = ipadb_get_principal(context, client_princ, flags, &client_entry); ++ /* If we didn't find client_princ in our database, it might be: ++ * - a principal from another realm, handle it down in ipadb_get/verify_pac() ++ */ ++ if (!kerr) { ++ client_entry = NULL; ++ } ++ } + } else { ++ if (client == NULL) { ++ *signed_auth_data = NULL; ++ return 0; ++ } + ks_client_princ = client->princ; + } + +@@ -2014,8 +2039,6 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, + "currently not supported."); + } + +- is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); +- + if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) { + /* Be aggressive here: special case for discovering range type + * immediately after establishing the trust by IPA framework */ +-- +1.8.5.3 + diff --git a/SOURCES/0055-ipa-kdb-do-not-fetch-client-principal-if-it-is-the-s.patch b/SOURCES/0055-ipa-kdb-do-not-fetch-client-principal-if-it-is-the-s.patch new file mode 100644 index 0000000..a736514 --- /dev/null +++ b/SOURCES/0055-ipa-kdb-do-not-fetch-client-principal-if-it-is-the-s.patch 
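Review bot: The condition after `ipadb_get_principal` is inverted: `if (!kerr) { client_entry = NULL; }` discards the entry exactly when the lookup succeeded (leaking it, since `done:` frees `client_entry` only when non-NULL and it has just been cleared) and keeps whatever the callee stored when it failed; it should read `if (kerr != 0) client_entry = NULL;`. Because `client_entry` then stays NULL on every successful lookup, the later `client_entry ? client_entry : client` falls back to the proxy's entry for each S4U2Proxy request, so with this patch alone the PAC is derived from the wrong principal — a regression of the very fix patch 0049 introduced. The moved `is_as_req` assignment is fine, but the `if (client == NULL)` guard now lives only in the `else` branch; a comment noting that the `client_princ != NULL` path deliberately tolerates a NULL `client` would make that asymmetry intentional. `ipadb_sign_authdata` begins and ends outside the shown hunk.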
@@ -0,0 +1,62 @@ +From 278b347c6f84140b4fc58d7c11749bbf6c44a50c Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Thu, 6 Mar 2014 10:26:29 +0200 +Subject: [PATCH] ipa-kdb: do not fetch client principal if it is the same as + existing entry + +When client principal is the same as supplied client entry, don't fetch it +again. + +Note that when client principal is not NULL, client entry might be NULL for +cross-realm case, so we need to make sure to not dereference NULL pointer here. + +Also fix reverted condition for case when we didn't find the client principal +in the database, preventing a memory leak. + +https://fedorahosted.org/freeipa/ticket/4223 + +Reviewed-By: Sumit Bose +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 68f27f0e2d9028cdaece80c4bd3440d0438d20db..8481278760aba2d5dec5c337813f394633d67e46 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -2002,6 +2002,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, + bool with_pad; + int result; + krb5_db_entry *client_entry = NULL; ++ krb5_boolean is_equal; + + + is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0); +@@ -2012,12 +2013,18 @@ krb5_error_code ipadb_sign_authdata(krb5_context context, + if (client_princ != NULL) { + ks_client_princ = client_princ; + if (!is_as_req) { +- kerr = ipadb_get_principal(context, client_princ, flags, &client_entry); +- /* If we didn't find client_princ in our database, it might be: +- * - a principal from another realm, handle it down in ipadb_get/verify_pac() +- */ +- if (!kerr) { +- client_entry = NULL; ++ is_equal = false; ++ if ((client != NULL) && (client->princ != NULL)) { ++ is_equal = krb5_principal_compare(context, client_princ, client->princ); ++ } ++ if (!is_equal) { ++ kerr = ipadb_get_principal(context, client_princ, flags, 
&client_entry); ++ /* If we didn't find client_princ in our database, it might be: ++ * - a principal from another realm, handle it down in ipadb_get/verify_pac() ++ */ ++ if (kerr != 0) { ++ client_entry = NULL; ++ } + } + } + } else { +-- +1.8.5.3 + diff --git a/SOURCES/0056-ipa-replica-install-never-checks-for-7389-port.patch b/SOURCES/0056-ipa-replica-install-never-checks-for-7389-port.patch new file mode 100644 index 0000000..e00e968 --- /dev/null +++ b/SOURCES/0056-ipa-replica-install-never-checks-for-7389-port.patch 
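Review bot: Every nonzero `kerr` from `ipadb_get_principal` is treated as "not in our database" and mapped to `client_entry = NULL`, so a transient backend failure is indistinguishable from a genuine cross-realm principal and the request proceeds with the fallback entry instead of failing closed; if the lookup has a distinct not-found code, only that should clear the pointer and any other error should `goto done` with `kerr` set. The `is_equal` path is sound (it checks `client` and `client->princ` before `krb5_principal_compare`), but `kerr` is otherwise left set from this call and overwritten later, so a comment such as `/* a miss here is expected for cross-realm clients and is handled in ipadb_get/verify_pac(); other errors should not be ignored */` would document the choice if it is deliberate. `ipadb_sign_authdata` begins and ends outside the shown hunk.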
@@ -0,0 +1,220 @@ +From c088cccb0b27e0defd5457f756a2d4c68e8eff55 Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Tue, 11 Mar 2014 16:28:19 +0100 +Subject: [PATCH 56/58] ipa-replica-install never checks for 7389 port + +When creating replica from a Dogtag 9 based IPA server, the port 7389 +which is required for the installation is never checked by +ipa-replica-conncheck even though it knows that it is being installed +from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by +firewall, installation would stuck with no hint to user. + +Make sure that the port configuration parsed from replica info file +is used consistently in the installers. + +https://fedorahosted.org/freeipa/ticket/4240 + +Reviewed-By: Petr Viktorin +--- + install/tools/ipa-ca-install | 17 +++++------------ + install/tools/ipa-replica-install | 18 ++++++------------ + ipaserver/install/cainstance.py | 12 +++++------- + ipaserver/install/installutils.py | 16 ++++++++++++++++ + 4 files changed, 32 insertions(+), 31 deletions(-) + +diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install +index 4edd26d337a50eebe686daae539c257f706e0158..bb3e595a3df47f00b3929f546db7b04dd7eda32a 100755 +--- a/install/tools/ipa-ca-install ++++ b/install/tools/ipa-ca-install +@@ -30,7 +30,7 @@ from ipaserver.install import installutils, service + from ipaserver.install import certs + from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig, + expand_replica_info, read_replica_info, get_host_name, BadHostError, +- private_ccache) ++ private_ccache, read_replica_info_dogtag_port) + from ipaserver.install import dsinstance, cainstance, bindinstance + from ipaserver.install.replication import replica_conn_check + from ipapython import version +@@ -159,31 +159,24 @@ def main(): + sys.exit(0) + config.dir = dir + config.setup_ca = True ++ config.ca_ds_port = read_replica_info_dogtag_port(config.dir) + + if not ipautil.file_exists(config.dir + "/cacert.p12"): + print 'CA cannot 
be installed in CA-less setup.' + sys.exit(1) + +- portfile = config.dir + "/dogtag_directory_port.txt" +- if not ipautil.file_exists(portfile): +- dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT) +- else: +- with open(portfile) as fd: +- dogtag_master_ds_port = fd.read() +- + if not options.skip_conncheck: + replica_conn_check( + config.master_host_name, config.host_name, config.realm_name, True, +- dogtag_master_ds_port, options.admin_password) ++ config.ca_ds_port, options.admin_password) + + if options.skip_schema_check: + root_logger.info("Skipping CA DS schema check") + else: +- cainstance.replica_ca_install_check(config, dogtag_master_ds_port) ++ cainstance.replica_ca_install_check(config) + + # Configure the CA if necessary +- CA = cainstance.install_replica_ca( +- config, dogtag_master_ds_port, postinstall=True) ++ CA = cainstance.install_replica_ca(config, postinstall=True) + + # We need to ldap_enable the CA now that DS is up and running + CA.ldap_enable('CA', config.host_name, config.dirman_password, +diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install +index 0e7aefef48d47fefa290607e0604c014d9469fdd..e039fd1e7cb213b3269d0a5d2305a96f68e36e29 100755 +--- a/install/tools/ipa-replica-install ++++ b/install/tools/ipa-replica-install +@@ -37,8 +37,8 @@ from ipaserver.install import memcacheinstance + from ipaserver.install import otpdinstance + from ipaserver.install.replication import replica_conn_check, ReplicationManager + from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info, +- read_replica_info ,get_host_name, +- BadHostError, private_ccache) ++ read_replica_info, get_host_name, BadHostError, private_ccache, ++ read_replica_info_dogtag_port) + from ipaserver.plugins.ldap2 import ldap2 + from ipaserver.install import cainstance + from ipalib import api, errors, util +@@ -534,6 +534,7 @@ def main(): + sys.exit(0) + config.dir = dir + config.setup_ca = options.setup_ca ++ config.ca_ds_port 
= read_replica_info_dogtag_port(config.dir) + + if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"): + print 'CA cannot be installed in CA-less setup.' +@@ -541,18 +542,11 @@ def main(): + + installutils.verify_fqdn(config.master_host_name, options.no_host_dns) + +- portfile = config.dir + "/dogtag_directory_port.txt" +- if not ipautil.file_exists(portfile): +- dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT) +- else: +- with open(portfile) as fd: +- dogtag_master_ds_port = fd.read() +- + # check connection + if not options.skip_conncheck: + replica_conn_check( + config.master_host_name, config.host_name, config.realm_name, +- options.setup_ca, dogtag_master_ds_port, options.admin_password) ++ options.setup_ca, config.ca_ds_port, options.admin_password) + + + # check replica host IP resolution +@@ -657,7 +651,7 @@ def main(): + if options.skip_schema_check: + root_logger.info("Skipping CA DS schema check") + else: +- cainstance.replica_ca_install_check(config, dogtag_master_ds_port) ++ cainstance.replica_ca_install_check(config) + + # Configure ntpd + if options.conf_ntp: +@@ -669,7 +663,7 @@ def main(): + ds = install_replica_ds(config) + + # Configure the CA if necessary +- CA = cainstance.install_replica_ca(config, dogtag_master_ds_port) ++ CA = cainstance.install_replica_ca(config) + + # Always try to install DNS records + install_dns_records(config, options) +diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py +index 52c91b68c2d073a9b1c6aedc1811aa26db046e6b..126bbae66e8a9ae8d9cc6e624745ab1cc37bf4c1 100644 +--- a/ipaserver/install/cainstance.py ++++ b/ipaserver/install/cainstance.py +@@ -1574,7 +1574,7 @@ def is_master(self): + return master == 'New' + + +-def replica_ca_install_check(config, master_ds_port): ++def replica_ca_install_check(config): + if not config.setup_ca: + return + +@@ -1583,8 +1583,6 @@ def replica_ca_install_check(config, master_ds_port): + # Replica of old "self-signed" master 
- CA won't be installed + return + +- master_ds_port = int(master_ds_port) +- + # Exit if we have an old-style (Dogtag 9) CA already installed + ca = CAInstance(config.realm_name, certs.NSS_DIR, + dogtag_constants=dogtag.Dogtag9Constants) +@@ -1592,13 +1590,13 @@ def replica_ca_install_check(config, master_ds_port): + root_logger.info('Dogtag 9 style CA instance found') + sys.exit("A CA is already configured on this system.") + +- if master_ds_port != dogtag.Dogtag9Constants.DS_PORT: ++ if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT: + root_logger.debug( + 'Installing CA Replica from master with a merged database') + return + + # Check if the master has the necessary schema in its CA instance +- ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, master_ds_port) ++ ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port) + objectclass = 'ipaObject' + root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url) + try: +@@ -1627,7 +1625,7 @@ def replica_ca_install_check(config, master_ds_port): + exit('IPA schema missing on master CA directory server') + + +-def install_replica_ca(config, master_ds_port, postinstall=False): ++def install_replica_ca(config, postinstall=False): + """ + Install a CA on a replica. 
+ +@@ -1676,7 +1674,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False): + config.dirman_password, config.dirman_password, + pkcs12_info=(cafile,), + master_host=config.master_host_name, +- master_replication_port=master_ds_port, ++ master_replication_port=config.ca_ds_port, + subject_base=config.subject_base) + + # Restart httpd since we changed it's config and added ipa-pki-proxy.conf +diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py +index 32671adc895b0cb2632729e8bdb44b5df02c1314..8be8cd3ffa86256c096ddc99227210f2daeb3185 100644 +--- a/ipaserver/install/installutils.py ++++ b/ipaserver/install/installutils.py +@@ -538,6 +538,22 @@ def read_replica_info(dir, rconfig): + except NoOptionError: + pass + ++def read_replica_info_dogtag_port(config_dir): ++ portfile = config_dir + "/dogtag_directory_port.txt" ++ default_port = dogtag.Dogtag9Constants.DS_PORT ++ if not ipautil.file_exists(portfile): ++ dogtag_master_ds_port = default_port ++ else: ++ with open(portfile) as fd: ++ try: ++ dogtag_master_ds_port = int(fd.read()) ++ except (ValueError, IOError), e: ++ root_logger.debug('Cannot parse dogtag DS port: %s', e) ++ root_logger.debug('Default to %d', default_port) ++ dogtag_master_ds_port = default_port ++ ++ return dogtag_master_ds_port ++ + def check_server_configuration(): + """ + Check if IPA server is configured on the system. +-- +1.8.5.3 + diff --git a/SOURCES/0057-Avoid-passing-non-terminated-string-to-is_master_hos.patch b/SOURCES/0057-Avoid-passing-non-terminated-string-to-is_master_hos.patch new file mode 100644 index 0000000..006eb6a --- /dev/null +++ b/SOURCES/0057-Avoid-passing-non-terminated-string-to-is_master_hos.patch 
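Review bot: In the new `read_replica_info_dogtag_port()` the `with open(portfile)` sits outside the `try`, so an existing but unreadable port file raises an IOError that the `except (ValueError, IOError)` clause never sees and the installer aborts instead of falling back to the default the clause promises; move the `open()` inside the `try`. The parsed value then goes straight into `replica_conn_check()` and the `ldap://%s:%s` URL with no range check, so a `0 < dogtag_master_ds_port < 65536` test before accepting it would reject a corrupted replica-info file with a clear message rather than a late socket error. The callers previously passed the port as a string and `replica_ca_install_check()` dropped its `int()` conversion; whether `replica_conn_check()` accepts an int is not visible in this hunk and is worth confirming.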
@@ -0,0 +1,40 @@ +From a8fde83022360a02e53b70fd7bd4d61de1ccc7cb Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Fri, 7 Mar 2014 10:06:52 +0100 +Subject: [PATCH 57/58] Avoid passing non-terminated string to is_master_host + +When string is not terminated, queries with corrupted base may be sent +to LDAP: + +... cn=ipa1.example.com,cn=masters... + +https://fedorahosted.org/freeipa/ticket/4214 + +Reviewed-By: Alexander Bokovoy +--- + daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c +index 8481278760aba2d5dec5c337813f394633d67e46..a73a3cb46e104b43493177e333deb2b0d6226c2a 100644 +--- a/daemons/ipa-kdb/ipa_kdb_mspac.c ++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c +@@ -488,13 +488,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx, + } + + data = krb5_princ_component(ipactx->context, princ, 1); +- strres = malloc(data->length); ++ strres = malloc(data->length+1); + if (strres == NULL) { + krb5_free_principal(ipactx->kcontext, princ); + return ENOENT; + } + + memcpy(strres, data->data, data->length); ++ strres[data->length] = '\0'; + krb5_free_principal(ipactx->kcontext, princ); + + /* Only add PAC to TGT to services on IPA masters to allow querying +-- +1.8.5.3 + diff --git a/SOURCES/0058-ipa-sam-cache-gid-to-sid-and-uid-to-sid-requests-in-.patch b/SOURCES/0058-ipa-sam-cache-gid-to-sid-and-uid-to-sid-requests-in-.patch new file mode 100644 index 0000000..cd202e4 --- /dev/null +++ b/SOURCES/0058-ipa-sam-cache-gid-to-sid-and-uid-to-sid-requests-in-.patch 
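Review bot: The allocation-failure branch just above the new terminator line still returns ENOENT, which tells the caller the entry is missing rather than that memory ran out; with the copy now sized `data->length+1`, `return ENOMEM;` there keeps the error meaningful. A short comment on the new `strres[data->length] = '\0';` line, e.g. `/* krb5_data is not NUL-terminated; is_master_host() expects a C string */`, records why the extra byte exists so a later cleanup does not drop it. ipadb_fill_info3 continues outside the hunk.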
@@ -0,0 +1,303 @@ +From e5bd495a9a7d71f5dde5661d960e372bb2609965 Mon Sep 17 00:00:00 2001 +From: Jason Woods +Date: Fri, 7 Mar 2014 16:38:24 +0000 +Subject: [PATCH 58/58] ipa-sam: cache gid to sid and uid to sid requests in + idmap cache + +Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the +directory service for gid/uid<->sid resolution. + +Additionally, this patch further reduces number of queries by: + - fast fail on uidNumber=0 which doesn't exist in FreeIPA, + - return fallback group correctly when looking up user primary group as is + done during init, + - checking for group objectclass in case insensitive way + +Patch by Jason Woods + +Reviewed-by: Alexander Bokovoy + +https://fedorahosted.org/freeipa/ticket/4234 +and +https://bugzilla.redhat.com/show_bug.cgi?id=1073829 +https://bugzilla.redhat.com/show_bug.cgi?id=1074314 + +Reviewed-By: Sumit Bose +--- + daemons/ipa-sam/ipa_sam.c | 128 +++++++++++++++++++++++++++++++++++++++++----- + 1 file changed, 114 insertions(+), 14 deletions(-) + +diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c +index 1ca504db4e442c834ebe44d7e3503abafd6f9602..3b69f9e8255490aac17d08033e2a3584c6bf9e24 100644 +--- a/daemons/ipa-sam/ipa_sam.c ++++ b/daemons/ipa-sam/ipa_sam.c +@@ -82,6 +82,18 @@ struct trustAuthInOutBlob { + struct AuthenticationInformationArray previous;/* [subcontext(0),flag(LIBNDR_FLAG_REMAINING)] */ + }/* [gensize,public,nopush] */; + ++/* from generated idmap.h - hopefully OK */ ++enum id_type { ++ ID_TYPE_NOT_SPECIFIED, ++ ID_TYPE_UID, ++ ID_TYPE_GID, ++ ID_TYPE_BOTH ++}; ++ ++struct unixid { ++ uint32_t id; ++ enum id_type type; ++}/* [public] */; + + enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flags, struct trustAuthInOutBlob *r); /*available in libndr-samba.so */ + bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */ +@@ -91,6 +103,7 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); 
/* avai + char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */ + char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */ + bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ ++void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ + + #define LDAP_PAGE_SIZE 1024 + #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs" +@@ -750,8 +763,8 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, + } + + for (c = 0; values[c] != NULL; c++) { +- if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, +- values[c]->bv_len) == 0) { ++ if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, ++ values[c]->bv_len) == 0) { + break; + } + } +@@ -769,6 +782,9 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, + } + + unixid_from_gid(id, strtoul(gid_str, NULL, 10)); ++ ++ idmap_cache_set_sid2unixid(sid, id); ++ + ret = true; + goto done; + } +@@ -785,8 +801,11 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, + + unixid_from_uid(id, strtoul(value, NULL, 10)); + ++ idmap_cache_set_sid2unixid(sid, id); ++ + ret = true; + done: ++ + TALLOC_FREE(mem_ctx); + return ret; + } +@@ -806,6 +825,18 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid, + int rc; + enum idmap_error_code err; + TALLOC_CTX *tmp_ctx = talloc_stackframe(); ++ struct unixid id; ++ ++ /* Fast fail if we get a request for uidNumber=0 because it currently ++ * will never exist in the directory ++ * Saves an expensive LDAP call of which failure will never be cached ++ */ ++ if (uid == 0) { ++ DEBUG(3, ("ERROR: Received request for uid %u, " ++ "fast failing as it will never exist\n", ++ (unsigned int)uid)); ++ goto done; ++ } + + filter = talloc_asprintf(tmp_ctx, + "(&(uidNumber=%u)" +@@ -852,6 +883,10 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid, + + sid_copy(sid, user_sid); + ++ 
unixid_from_uid(&id, uid); ++ ++ idmap_cache_set_sid2unixid(sid, &id); ++ + ret = true; + + done: +@@ -866,21 +901,30 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid, + struct ldapsam_privates *priv = + (struct ldapsam_privates *)methods->private_data; + char *filter; +- const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL }; ++ const char *attrs[] = { LDAP_ATTRIBUTE_SID, LDAP_ATTRIBUTE_OBJECTCLASS, NULL }; + LDAPMessage *result = NULL; + LDAPMessage *entry = NULL; + bool ret = false; +- char *group_sid_string; ++ char *group_sid_string = NULL; + struct dom_sid *group_sid = NULL; ++ struct berval **values; ++ size_t c; + int rc; + enum idmap_error_code err; + TALLOC_CTX *tmp_ctx = talloc_stackframe(); ++ struct unixid id; + + filter = talloc_asprintf(tmp_ctx, +- "(&(gidNumber=%u)" +- "(objectClass=%s))", ++ "(|(&(gidNumber=%u)" ++ "(objectClass=%s))" ++ "(&(uidNumber=%u)" ++ "(objectClass=%s)" ++ "(objectClass=%s)))", + (unsigned int)gid, +- LDAP_OBJ_GROUPMAP); ++ LDAP_OBJ_GROUPMAP, ++ (unsigned int)gid, ++ LDAP_OBJ_POSIXACCOUNT, ++ LDAP_OBJ_SAMBASAMACCOUNT); + if (filter == NULL) { + DEBUG(3, ("talloc_asprintf failed\n")); + goto done; +@@ -892,14 +936,46 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid, + } + smbldap_talloc_autofree_ldapmsg(tmp_ctx, result); + +- if (ldap_count_entries(priv2ld(priv), result) != 1) { +- DEBUG(3, ("ERROR: Got %d entries for gid %u, expected one\n", ++ if (ldap_count_entries(priv2ld(priv), result) == 0) { ++ DEBUG(3, ("ERROR: Got %d entries for gid %u, expected at least one\n", + ldap_count_entries(priv2ld(priv), result), + (unsigned int)gid)); + goto done; + } + +- entry = ldap_first_entry(priv2ld(priv), result); ++ for (entry = ldap_first_entry(priv2ld(priv), result); ++ entry != NULL; ++ entry = ldap_next_entry(priv2ld(priv), entry)) { ++ ++ values = ldap_get_values_len(priv2ld(priv), entry, "objectClass"); ++ if (values == NULL) { ++ DEBUG(10, ("Cannot find any objectclasses.\n")); ++ 
goto done; ++ } ++ ++ for (c = 0; values[c] != NULL; c++) { ++ if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val, ++ values[c]->bv_len) == 0) { ++ goto found; ++ } ++ } ++ ++ } ++ ++found: ++ /* If we didn't find a group we found a user - so this is a primary group ++ * For user private group, use fallback group */ ++ if (entry == NULL) { ++ ++ DEBUG(10, ("Did not find user private group %u, " ++ "returning fallback group.\n", (unsigned int)gid)); ++ ++ sid_copy(sid, ++ &priv->ipasam_privates->fallback_primary_group); ++ ret = true; ++ goto done; ++ ++ } + + group_sid_string = get_single_attribute(tmp_ctx, priv2ld(priv), entry, + LDAP_ATTRIBUTE_SID); +@@ -910,7 +986,7 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid, + } + + err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx, +- group_sid_string, &group_sid); ++ group_sid_string, &group_sid); + if (err != IDMAP_SUCCESS) { + DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", + group_sid_string)); +@@ -919,6 +995,10 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid, + + sid_copy(sid, group_sid); + ++ unixid_from_gid(&id, gid); ++ ++ idmap_cache_set_sid2unixid(sid, &id); ++ + ret = true; + + done: +@@ -2456,10 +2536,16 @@ static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn) + rc = smbldap_search(ldap_state->smbldap_state, dn, scope, filter, NULL, 0, &result); + TALLOC_FREE(filter); + +- if (result != NULL) { +- smbldap_talloc_autofree_ldapmsg(dn, result); ++ if (rc != LDAP_SUCCESS) { ++ return rc; + } + ++ if (result == NULL) { ++ return LDAP_NO_MEMORY; ++ } ++ ++ smbldap_talloc_autofree_ldapmsg(dn, result); ++ + for (entry = ldap_first_entry(state, result); + entry != NULL; + entry = ldap_next_entry(state, entry)) { +@@ -2467,6 +2553,9 @@ static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn) + /* remove child entries */ + if ((entry_dn != NULL) && (strcmp(entry_dn, dn) != 0)) { + rc = 
smbldap_delete(ldap_state->smbldap_state, entry_dn); ++ if (rc != LDAP_SUCCESS) { ++ return rc; ++ } + } + } + rc = smbldap_delete(ldap_state->smbldap_state, dn); +@@ -2856,6 +2945,7 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state, + struct dom_sid *sid = NULL; + int count; + enum idmap_error_code err; ++ struct unixid id; + + tmp_ctx = talloc_new("ipasam_get_sid_by_gid"); + if (tmp_ctx == NULL) { +@@ -2910,6 +3000,10 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state, + } + sid_copy(_sid, sid); + ++ unixid_from_gid(&id, gid); ++ ++ idmap_cache_set_sid2unixid(sid, &id); ++ + ret = 0; + + done: +@@ -2929,6 +3023,7 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx, + uint32_t uid; + uint32_t gid; + struct dom_sid *group_sid; ++ struct unixid id; + + TALLOC_CTX *tmp_ctx = talloc_init("ipasam_get_primary_group_sid"); + if (tmp_ctx == NULL) { +@@ -2967,8 +3062,13 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx, + } + } + +- ret = 0; ++ unixid_from_gid(&id, gid); ++ ++ idmap_cache_set_sid2unixid(group_sid, &id); ++ ++ ret = 0; + done: ++ + if (ret == 0) { + *_group_sid = talloc_steal(mem_ctx, group_sid); + } +-- +1.8.5.3 + diff --git a/SOURCES/0059-ipaserver-dcerpc-make-sure-to-always-return-unicode-.patch b/SOURCES/0059-ipaserver-dcerpc-make-sure-to-always-return-unicode-.patch new file mode 100644 index 0000000..0289984 --- /dev/null +++ b/SOURCES/0059-ipaserver-dcerpc-make-sure-to-always-return-unicode-.patch 
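Review bot: In the new entry loop of `ldapsam_gid_to_sid` the `values` array returned by `ldap_get_values_len()` is never released with `ldap_value_free_len()`, neither on the `goto found` path nor when the loop advances to the next entry, so every gid lookup reaching this code leaks one value set per entry examined. The `strncasecmp(LDAP_OBJ_GROUPMAP, bv_val, bv_len)` test also matches any objectClass value that is a prefix of LDAP_OBJ_GROUPMAP, so comparing `bv_len` with `strlen(LDAP_OBJ_GROUPMAP)` first makes the class check exact. The rewrite below frees the values on every path and leaves the loop with a flag instead of jumping past the free, which also removes the need for the `found:` label. All of the inner hunks cut through their enclosing functions.
```c
	for (entry = ldap_first_entry(priv2ld(priv), result);
	     entry != NULL;
	     entry = ldap_next_entry(priv2ld(priv), entry)) {
		bool is_group = false;

		values = ldap_get_values_len(priv2ld(priv), entry, "objectClass");
		if (values == NULL) {
			DEBUG(10, ("Cannot find any objectclasses.\n"));
			goto done;
		}

		for (c = 0; values[c] != NULL; c++) {
			if (values[c]->bv_len == strlen(LDAP_OBJ_GROUPMAP) &&
			    strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
					values[c]->bv_len) == 0) {
				is_group = true;
				break;
			}
		}
		ldap_value_free_len(values);

		if (is_group) {
			break;
		}
	}

	/* … unchanged: entry == NULL -> fallback primary group, SID lookup, cache set … */
```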
@@ -0,0 +1,33 @@ +From 1a5cf5b28ca3143c72abaa85db59cf827d25a379 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 12 Mar 2014 17:51:43 +0200 +Subject: [PATCH 59/60] ipaserver/dcerpc: make sure to always return unicode + SID of the trust domain + +Trusted domain SID could be obtained through different means. When it is +fetched from the AD DC via LDAP, it needs to be extracted from a default +context and explicitly converted to unicode. + +https://fedorahosted.org/freeipa/ticket/4246 + +Reviewed-By: Martin Kosek +--- + ipaserver/dcerpc.py | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py +index 5972e622292a033d4fc979cbf5401fa02151f35c..f1c75089b875787debcee22316a4898b424d923f 100644 +--- a/ipaserver/dcerpc.py ++++ b/ipaserver/dcerpc.py +@@ -750,7 +750,7 @@ def retrieve_anonymously(self, remote_host, discover_srv=False): + + def parse_naming_context(self, context): + naming_ref = re.compile('.*.*') +- return naming_ref.match(context).group(1) ++ return unicode(naming_ref.match(context).group(1)) + + def retrieve(self, remote_host): + self.init_lsa_pipe(remote_host) +-- +1.8.5.3 + diff --git a/SOURCES/0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch b/SOURCES/0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch new file mode 100644 index 0000000..f2d8e65 --- /dev/null +++ b/SOURCES/0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch 
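Review bot: `naming_ref.match(context)` returns None when the naming context does not match, and the new `unicode(...)` wrapper then fails with an AttributeError on `.group(1)` instead of a meaningful error; bind the match first, e.g. `m = naming_ref.match(context)` / `if m is None: raise ValueError('unexpected naming context: %r' % context)` (or whichever error class this module raises) / `return unicode(m.group(1))`. The pattern is also recompiled on every call; hoisting it to module level keeps the regex in one place. As rendered here the pattern reads `'.*.*'`, which has no capture group — presumably the angle-bracket markup was stripped by the page rendering, but it is worth confirming the committed pattern still has one. parse_naming_context is shown in full; its enclosing class is outside the hunk.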
@@ -0,0 +1,44 @@ +From f06e746602f34a1c60580fe3bbb105a8a1cab8a2 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 12 Mar 2014 19:01:00 +0200 +Subject: [PATCH 60/60] trust: do not fetch subdomains in case shared secret + was used to set up the trust + +Until incoming trust is validated from AD side, we cannot run any operations +against AD using the trust. Also, Samba currently does not suport verifying +trust against the other party (returns WERR_NOT_SUPPORTED). + +This needs to be added to the documentation: + + When using 'ipa trust-add ad.domain --trust-secret', one has to manually + validate incoming trust using forest trust properties in AD Domains and + Trusts tool. + + Once incoming trust is validated at AD side, use IPA command + 'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest. + From this point on the trust should be usable. + +https://fedorahosted.org/freeipa/ticket/4246 + +Reviewed-By: Martin Kosek +--- + ipalib/plugins/trust.py | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py +index f2b00a6f58f5890e37aaa033a35dcf9bc39ccbc4..fe2795cad86e173a150f35db6301119930463a10 100644 +--- a/ipalib/plugins/trust.py ++++ b/ipalib/plugins/trust.py +@@ -462,7 +462,8 @@ def execute(self, *keys, **options): + # for AD trusts, regardless of the type of idranges associated with it + # Note that fetch_domains_from_trust will add needed ranges for + # the algorithmic ID mapping case. +- if options.get('trust_type') == u'ad': ++ if (options.get('trust_type') == u'ad' and ++ options.get('trust_secret') is None): + domains = fetch_domains_from_trust(self, self.trustinstance, + result['result'], **options) + +-- +1.8.5.3 + diff --git a/SOURCES/0061-Update-Dogtag-9-database-during-replica-installation.patch b/SOURCES/0061-Update-Dogtag-9-database-during-replica-installation.patch new file mode 100644 index 0000000..fc97678 --- /dev/null 
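Review bot: The new `trust_secret is None` guard silently skips fetch_domains_from_trust(), so a shared-secret trust is created without its subdomain entries and, per the comment just above, without the ID ranges the algorithmic mapping case needs, and the caller gets no indication that a follow-up `ipa trust-fetch-domains` is required. The commit message says this must be documented; at minimum a code comment belongs at the condition, e.g. `# Shared-secret trusts cannot be queried until AD validates the incoming trust (Samba returns WERR_NOT_SUPPORTED); the admin must run trust-fetch-domains afterwards`, and emitting a message in the command result would help the admin further. The `execute` method starts and ends outside the hunk.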
+++ b/SOURCES/0061-Update-Dogtag-9-database-during-replica-installation.patch 
@@ -0,0 +1,101 @@ +From 2e031c9469f0313014dbe8c47d0be3fee370f287 Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Thu, 13 Mar 2014 08:25:11 +0100 +Subject: [PATCH] Update Dogtag 9 database during replica installation + +When Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9 +based master, the PKI database is not updated and miss several ACLs +which prevent some of the PKI functions, e.g. an ability to create +other clones. + +Add an update file to do the database update. Content is based on +recommendation from PKI team: + * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9 + +This update file can be removed when Dogtag database upgrades are done +in PKI component. Upstream tickets: + * https://fedorahosted.org/pki/ticket/710 (database upgrade framework) + * https://fedorahosted.org/pki/ticket/906 (checking database version) + +Also make sure that PKI service is restarted in the end of the installation +as the other services to make sure it picks changes done during LDAP +updates. 
+ +https://fedorahosted.org/freeipa/ticket/4243 +--- + install/tools/ipa-replica-install | 4 ++++ + install/tools/ipa-server-install | 4 ++++ + install/updates/50-dogtag10-migration.update | 18 ++++++++++++++++++ + install/updates/Makefile.am | 1 + + 4 files changed, 27 insertions(+) + create mode 100644 install/updates/50-dogtag10-migration.update + +diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install +index e039fd1e7cb213b3269d0a5d2305a96f68e36e29..4418b41784313121e73b560ee84715ddeba8bc54 100755 +--- a/install/tools/ipa-replica-install ++++ b/install/tools/ipa-replica-install +@@ -704,6 +704,10 @@ def main(): + service.print_msg("Restarting the KDC") + krb.restart() + ++ if CA and config.setup_ca: ++ service.print_msg("Restarting the certificate server") ++ CA.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) ++ + if options.setup_dns: + install_bind(config, options) + +diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install +index 458ebba550d0fe7675bd874e23c7d730c53297e6..dfbbb91bf3bb8461333193b5a3e72c3ec06d4582 100755 +--- a/install/tools/ipa-server-install ++++ b/install/tools/ipa-server-install +@@ -1186,6 +1186,10 @@ def main(): + service.print_msg("Restarting the KDC") + krb.restart() + ++ if setup_ca: ++ service.print_msg("Restarting the certificate server") ++ ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME) ++ + # Create a BIND instance + bind = bindinstance.BindInstance(fstore, dm_password) + bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders, +diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update +new file mode 100644 +index 0000000000000000000000000000000000000000..d718923544f0cb00f61b7b56940695e3891c4780 +--- /dev/null ++++ b/install/updates/50-dogtag10-migration.update +@@ -0,0 +1,18 @@ ++# PKI/Dogtag does not automatically upgrade it's database. 
When Dogtag 10 ++# based replica is being installed from a Dogtag 9 based replica, ++# the database will miss ACLs added in Dogtag 10 resulting in limited ++# functionality. ++# ++# This update file can be removed when Dogtag database upgrades are done ++# in PKI component. Upstream tickets: ++# * https://fedorahosted.org/pki/ticket/710 (database upgrade framework) ++# * https://fedorahosted.org/pki/ticket/906 (checking database version) ++ ++dn: cn=aclResources,o=ipaca ++addifexist:resourceACLS:'certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout' ++addifexist:resourceACLS:'certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations' ++addifexist:resourceACLS:'certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations' ++addifexist:resourceACLS:'certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations' ++addifexist:resourceACLS:'certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations' ++replace:resourceACLS:'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml' ++replace:resourceACLS:'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA 
Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information' +diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am +index 40c3b3c8916faa267254a29d0f458ca53201950c..fb73c410dbcd1978c3a5deeb184dc10cdba866ae 100644 +--- a/install/updates/Makefile.am ++++ b/install/updates/Makefile.am +@@ -36,6 +36,7 @@ app_DATA = \ + 40-otp.update \ + 45-roles.update \ + 50-7_bit_check.update \ ++ 50-dogtag10-migration.update \ + 50-lockout-policy.update \ + 50-groupuuid.update \ + 50-hbacservice.update \ +-- +1.8.5.3 + diff --git a/SOURCES/0062-Prohibit-deletion-of-active-subdomain-range.patch b/SOURCES/0062-Prohibit-deletion-of-active-subdomain-range.patch new file mode 100644 index 0000000..3820074 --- /dev/null +++ b/SOURCES/0062-Prohibit-deletion-of-active-subdomain-range.patch 
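Review bot: The two `replace:resourceACLS:` lines in 50-dogtag10-migration.update do more than add missing ACLs: they widen modify rights on domainxml to the Enterprise CA/KRA/RA/OCSP/TKS/TPS Administrators groups and modify rights on connectorInfo to the Subsystem Group, while the file header only speaks of ACLs that are missing. Add a line to the header stating that these two entries intentionally align the Dogtag 9 ACLs with the Dogtag 10 defaults per the cited bugzilla comment, so a later reader does not take them for an accidental privilege grant. In ipa-server-install the new restart calls `ca.restart(...)` under `if setup_ca:` while ipa-replica-install guards with `if CA and config.setup_ca:`; whether `ca` can be None there is not visible here, but the two installers should use the same guard.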
@@ -0,0 +1,54 @@ +From 35916294df8acc87e70c6b6796c644824caed64a Mon Sep 17 00:00:00 2001 +From: Tomas Babej +Date: Thu, 13 Mar 2014 12:36:17 +0100 +Subject: [PATCH] Prohibit deletion of active subdomain range + +Changes the code in the idrange_del method to not only check for +the root domains that match the SID in the IDRange, but for the +SIDs of subdomains of trusts as well. + +https://fedorahosted.org/freeipa/ticket/4247 + +Reviewed-By: Alexander Bokovoy +--- + ipalib/plugins/idrange.py | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py +index cf74a75ffda42b2d2e40d2ab35c79ed069dd0f52..56ef4bba3ad0203d7d2462db6c4de90e1cb555cd 100644 +--- a/ipalib/plugins/idrange.py ++++ b/ipalib/plugins/idrange.py +@@ -567,14 +567,26 @@ class idrange_del(LDAPDelete): + range_sid = old_attrs.get('ipanttrusteddomainsid') + + if range_sid is not None: ++ # Search for trusted domain with SID specified in the ID range entry + range_sid = range_sid[0] +- result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid) ++ domain_filter=('(&(objectclass=ipaNTTrustedDomain)' ++ '(ipanttrusteddomainsid=%s))' % range_sid) + +- if result['count'] > 0: ++ try: ++ (trust_domains, truncated) = ldap.find_entries( ++ base_dn=DN(api.env.container_trusts, api.env.basedn), ++ filter=domain_filter) ++ except errors.NotFound: ++ pass ++ else: ++ # If there's an entry, it means that there's active domain ++ # of a trust that this range belongs to, so raise a ++ # DependentEntry error + raise errors.DependentEntry( +- label='Active Trust', ++ label='Active Trust domain', + key=keys[0], +- dependent=result['result'][0]['cn'][0]) ++ dependent=trust_domains[0].dn[0].value) ++ + + return dn + +-- +1.8.5.3 + diff --git a/SOURCES/0063-extdom-do-not-return-results-from-the-wrong-domain.patch b/SOURCES/0063-extdom-do-not-return-results-from-the-wrong-domain.patch new file mode 100644 index 0000000..fdaa145 
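Review bot: `range_sid` is interpolated unescaped into `domain_filter`; it comes from the range entry's `ipanttrusteddomainsid` attribute rather than from user input, so the exposure is low, but passing it through the LDAP filter-escaping helper the module uses elsewhere (or validating it against the `S-1-...` SID syntax first) keeps this from becoming a filter-injection point should that attribute ever be writable by less trusted principals. The `truncated` flag from find_entries is ignored, which is fine since any hit is enough to refuse the deletion; a short comment saying so avoids a later "unused variable" cleanup. PEP 8 spacing on the assignment: `domain_filter = (...)`. The enclosing idrange_del method starts outside the hunk.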
--- /dev/null
+++ b/SOURCES/0063-extdom-do-not-return-results-from-the-wrong-domain.patch
@@ -0,0 +1,58 @@
+From 8d8cbc740af171a24e768fd6e4af17013d1fa261 Mon Sep 17 00:00:00 2001
+From: Sumit Bose
+Date: Tue, 25 Mar 2014 11:29:58 +0100
+Subject: [PATCH] extdom: do not return results from the wrong domain
+
+Resolves: https://fedorahosted.org/freeipa/ticket/4264
+Reviewed-By: Tomas Babej
+---
+ .../ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+index 675fc368042373314e9416dcf7d5866cb8c9871e..025d37dc5eda05c8db43d4e8176fd7898ed32fe7 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+@@ -359,6 +359,9 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
+ if ((locat = strchr(pg_data->data.pwd.pw_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+ if (strcasecmp(locat+1, domain_name) == 0 ) {
+ locat[0] = 0;
++ } else {
++ ret = LDAP_NO_SUCH_OBJECT;
++ goto done;
+ }
+ }
+ res->data.name.object_name =
+@@ -368,6 +371,9 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
+ if ((locat = strchr(pg_data->data.grp.gr_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+ if (strcasecmp(locat+1, domain_name) == 0) {
+ locat[0] = 0;
++ } else {
++ ret = LDAP_NO_SUCH_OBJECT;
++ goto done;
+ }
+ }
+ res->data.name.object_name =
+@@ -408,6 +414,9 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
+ if ((locat = strchr(pg_data->data.pwd.pw_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+ if (strcasecmp(locat+1, domain_name) == 0) {
+ locat[0] = 0;
++ } else {
++ ret = LDAP_NO_SUCH_OBJECT;
++ goto done;
+ }
+ }
+ res->data.user.user_name =
+@@ -428,6 +437,9 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
+ if ((locat = strchr(pg_data->data.grp.gr_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+ if (strcasecmp(locat+1, 
domain_name) == 0) { + locat[0] = 0; ++ } else { ++ ret = LDAP_NO_SUCH_OBJECT; ++ goto done; + } + } + res->data.group.group_name = +-- +1.8.5.3 + diff --git a/SOURCES/0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch b/SOURCES/0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch new file mode 100644 index 0000000..ab22fb9 --- /dev/null +++ b/SOURCES/0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch @@ -0,0 +1,37 @@ +From 8e8a020f8d2476cca321349fa24db4bee95270d8 Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Thu, 20 Mar 2014 09:34:53 +0100 +Subject: [PATCH] Proxy PKI clone /ca/ee/ca/profileSubmit URI + +PKI change done in ticket https://fedorahosted.org/pki/ticket/816 +requires the PKI Clone's SSL Server certificate to be issued by +it's associated PKI master. + +Allow this call on IPA master. + +https://fedorahosted.org/freeipa/ticket/4265 + +Reviewed-By: Jan Cholasta +--- + install/conf/ipa-pki-proxy.conf | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf +index 6f0463242b75a58cf63a38e62c23fa372aeacf64..224cdd45b5b5f72671a179570fd15772fe8cfaab 100644 +--- a/install/conf/ipa-pki-proxy.conf ++++ b/install/conf/ipa-pki-proxy.conf +@@ -1,9 +1,9 @@ +-# VERSION 3 - DO NOT REMOVE THIS LINE ++# VERSION 4 - DO NOT REMOVE THIS LINE + + ProxyRequests Off + + # matches for ee port +- ++ + NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate + NSSVerifyClient none + ProxyPassMatch ajp://localhost:$DOGTAG_PORT +-- +1.8.5.3 + diff --git a/SOURCES/0065-Make-ipa-client-automount-backwards-compatible.patch b/SOURCES/0065-Make-ipa-client-automount-backwards-compatible.patch new file mode 100644 index 0000000..dd62f62 --- /dev/null +++ b/SOURCES/0065-Make-ipa-client-automount-backwards-compatible.patch 
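Review bot: The same `} else { ret = LDAP_NO_SUCH_OBJECT; goto done; }` domain check is now copy-pasted into four places in `create_response` (the hunks at 359, 368, 408 and 428), and the first copy keeps the stray `== 0 )` spacing the other three do not have. A small static helper that takes the name and `domain_name`, truncates at `SSSD_DOMAIN_SEPARATOR` when the suffix matches and reports `LDAP_NO_SUCH_OBJECT` otherwise would keep the four sites in step; the sketch below shows one call site. A name with no separator is still accepted without any domain comparison; if that is intended for local-domain results, a one-line comment such as `/* a name without a domain suffix is local and needs no domain check */` would say so, otherwise it is a gap in the new rejection. `create_response` begins and ends outside the hunks.
```c
/* Strip "name<SEP>domain" down to "name" when the suffix is the requested
 * domain; report no-such-object otherwise so results of another domain are
 * never returned. A name without a separator is left untouched. */
static int strip_domain(char *name, const char *domain_name)
{
    char *locat;

    if ((locat = strchr(name, SSSD_DOMAIN_SEPARATOR)) == NULL) {
        return LDAP_SUCCESS;
    }
    if (strcasecmp(locat + 1, domain_name) != 0) {
        return LDAP_NO_SUCH_OBJECT;
    }
    locat[0] = 0;
    return LDAP_SUCCESS;
}

/* … unchanged: create_response prologue … */
        ret = strip_domain(pg_data->data.pwd.pw_name, domain_name);
        if (ret != LDAP_SUCCESS) {
            goto done;
        }
        res->data.name.object_name =
/* … unchanged: the three other call sites follow the same pattern … */
```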
@@ -0,0 +1,39 @@
+From cebfd91869bdc22fa8f72c4e47d32cac73487e45 Mon Sep 17 00:00:00 2001
+From: Martin Kosek
+Date: Tue, 1 Apr 2014 16:23:14 +0200
+Subject: [PATCH] Make ipa-client-automount backwards compatible
+
+ipa-client-automount calls automountlocation-show command during the
+process. Unfortunately, FreeIPA commands are forward compatible only
+and thus fail the installer.
+
+Similarly to ipa-client-install, call XML-RPC interface directly
+with version fixed to 2.0 (command was already available at that
+version) to fix the failure.
+
+https://fedorahosted.org/freeipa/ticket/4290
+---
+ ipa-client/ipa-install/ipa-client-automount | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
+index 62531bfe1d923b1705aed1187da6766b54c90a0c..77829b927e8c1772598d1a4e590c3f99977aa8eb 100755
+--- a/ipa-client/ipa-install/ipa-client-automount
++++ b/ipa-client/ipa-install/ipa-client-automount
+@@ -440,7 +440,12 @@ def main():
+ except errors.KerberosError, e:
+ sys.exit('Cannot connect to the server due to ' + str(e))
+ try:
+- api.Command['automountlocation_show'](unicode(options.location))
++ # Use the RPC directly so older servers are supported
++ result = api.Backend.xmlclient.forward(
++ 'automountlocation_show',
++ unicode(options.location),
++ version=u'2.0',
++ )
+ except errors.VersionError, e:
+ sys.exit('This client is incompatible: ' + str(e))
+ except errors.NotFound:
+--
+1.8.5.3
+
diff --git a/SOURCES/1007-Remove-ipa-backup-and-ipa-restore-functionality.patch b/SOURCES/1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
new file mode 100644
index 0000000..2241ab2
--- /dev/null
+++ b/SOURCES/1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
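Review bot: `result` is bound from `api.Backend.xmlclient.forward(...)` but not read anywhere in the hunk, whereas the call it replaces discarded the return value; if nothing after the hunk consumes it, drop the assignment so a reader does not go looking for a user. The pinned `version=u'2.0'` deserves its own why-comment next to the one added, e.g. `# automountlocation-show already existed in API 2.0, so this works against older servers`, since the commit message is currently the only place that reasoning lives. Keeping the `except errors.VersionError` branch is reasonable as a safety net, though with a fixed 2.0 version it can presumably only fire on servers older than that API. `main()` continues outside the hunk.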
@@ -0,0 +1,40 @@ +From fb6ff1a18bc4ffe88a98fb7b5ffe23fefe103da9 Mon Sep 17 00:00:00 2001 +From: Martin Kosek +Date: Mon, 23 Sep 2013 13:10:26 +0200 +Subject: [PATCH] Remove ipa-backup and ipa-restore functionality + +https://bugzilla.redhat.com/show_bug.cgi?id=1003933 +--- + install/tools/Makefile.am | 2 -- + install/tools/man/Makefile.am | 2 -- + 2 files changed, 4 deletions(-) + +diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am +index 2cf66c6dfc1c272bb423253902e7339e7d159567..0eb3a6b6122b3eea8539ae9a913a0f2c6cb23698 100644 +--- a/install/tools/Makefile.am ++++ b/install/tools/Makefile.am +@@ -21,8 +21,6 @@ sbin_SCRIPTS = \ + ipa-managed-entries \ + ipa-ldap-updater \ + ipa-upgradeconfig \ +- ipa-backup \ +- ipa-restore \ + ipa-advise \ + $(NULL) + +diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am +index 33e8a9e4b3408cc5447c8cad9a289ddd6ae1ebd7..ee208783ccb9daa600610abd4a83236ede92066a 100644 +--- a/install/tools/man/Makefile.am ++++ b/install/tools/man/Makefile.am +@@ -19,8 +19,6 @@ man1_MANS = \ + ipa-compat-manage.1 \ + ipa-nis-manage.1 \ + ipa-managed-entries.1 \ +- ipa-backup.1 \ +- ipa-restore.1 \ + ipa-advise.1 \ + $(NULL) + +-- +1.8.3.1 + diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 806ab5b..13a4ac1 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -12,9 +12,13 @@ %global gettext_domain ipa %global VERSION 3.3.3 +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7) +%define _hardened_build 1 +%endif + Name: ipa Version: 3.3.3 -Release: 5%{?dist} +Release: 28%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base 
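Review bot: The new `%define _hardened_build 1` in the spec hunk should be `%global _hardened_build 1`; `%define` expands lazily and is scoped, and the packaging guidelines recommend `%global` for a build-wide macro such as this one, which the later `%build` change to `export LDFLAGS="%{__global_ldflags} $LDFLAGS"` is presumably meant to pick up. The `%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)` guard would also read better with a one-line comment stating why hardening is limited to those releases, e.g. `# PIE/RELRO build flags are only supported by the toolchain on these releases`, if that is the reason.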
@@ -30,6 +34,65 @@ Patch0003: 0003-Allow-kernel-keyring-CCACHE-when-supported.patch Patch0004: 0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch Patch0005: 0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch Patch0006: 0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch +Patch0007: 0007-Remove-mod_ssl-port-workaround.patch +Patch0008: 0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch +Patch0009: 0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch +Patch0010: 0010-Use-hardening-flags-for-ipa-optd.patch +Patch0011: 0011-test_integration-Support-external-names-for-hosts.patch +Patch0012: 0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch +Patch0013: 0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch +Patch0014: 0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch +Patch0015: 0015-Prevent-garbage-from-readline-on-standard-output-of-.patch +Patch0016: 0016-Do-not-build-tests.patch +Patch0017: 0017-PKI-service-restart-after-CA-renewal-failed.patch +Patch0018: 0018-hbactest-does-not-work-for-external-users.patch +Patch0019: 0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch +Patch0020: 0020-sudoOrder-missing-in-sudoers.patch +Patch0021: 0021-Add-missing-example-to-sudorule.patch +Patch0022: 0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch +Patch0023: 0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch +Patch0024: 0024-trustdomain-find-report-status-of-the-sub-domain.patch +Patch0025: 0025-CLDAP-do-not-prepend.patch +Patch0026: 0026-ipaserver-install-installutils-clean-up-properly-aft.patch +Patch0027: 0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch +Patch0028: 0028-Harmonize-policy-discovery-to-kdb-driver.patch +Patch0029: 0029-Stop-adding-a-default-password-policy-reference.patch +Patch0030: 0030-Increase-service-startup-timeout-default.patch +Patch0031: 0031-cli.print_attribute-Convert-values-to-strings.patch +Patch0032: 
0032-group-show-resolve-external-members-of-the-groups.patch +Patch0033: 0033-Remove-SID-resolve-call-from-Web-UI.patch +Patch0034: 0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch +Patch0035: 0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch +Patch0036: 0036-Hide-trust-resolve-command.patch +Patch0037: 0037-Trust-domains-Web-UI.patch +Patch0038: 0038-ipasam-delete-trusted-child-domains-before-removing-.patch +Patch0039: 0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch +Patch0040: 0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch +Patch0041: 0041-Migration-does-not-add-users-to-default-group.patch +Patch0042: 0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch +Patch0043: 0043-ipa-tool-Print-the-name-of-the-server-we-are-connect.patch +Patch0044: 0044-Remove-sourcehostcategory-from-the-default-HBAC-rule.patch +Patch0045: 0045-DNS-classless-support-for-reverse-domains.patch +Patch0046: 0046-Move-ipa-otpd-socket-directory.patch +Patch0047: 0047-bindinstance-make-sure-zone-manager-is-initialized-i.patch +Patch0048: 0048-trustdomain_find-make-sure-we-skip-short-entries-whe.patch +Patch0049: 0049-ipa-kdb-in-case-of-delegation-use-original-client-s-.patch +Patch0050: 0050-ipa-kdb-make-sure-we-don-t-produce-MS-PAC-in-case-of.patch +Patch0051: 0051-Too-big-font-in-input-fields.patch +Patch0052: 0052-trust-make-sure-we-always-discover-topology-of-the-f.patch +Patch0053: 0053-ipaserver-dcerpc-catch-the-case-of-insuffient-permis.patch +Patch0054: 0054-fix-filtering-of-subdomain-based-trust-users.patch +Patch0055: 0055-ipa-kdb-do-not-fetch-client-principal-if-it-is-the-s.patch +Patch0056: 0056-ipa-replica-install-never-checks-for-7389-port.patch +Patch0057: 0057-Avoid-passing-non-terminated-string-to-is_master_hos.patch +Patch0058: 0058-ipa-sam-cache-gid-to-sid-and-uid-to-sid-requests-in-.patch +Patch0059: 0059-ipaserver-dcerpc-make-sure-to-always-return-unicode-.patch +Patch0060: 
0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch +Patch0061: 0061-Update-Dogtag-9-database-during-replica-installation.patch +Patch0062: 0062-Prohibit-deletion-of-active-subdomain-range.patch +Patch0063: 0063-extdom-do-not-return-results-from-the-wrong-domain.patch +Patch0064: 0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch +Patch0065: 0065-Make-ipa-client-automount-backwards-compatible.patch Patch1001: 1001-Hide-pkinit-functionality-from-production-version.patch Patch1002: 1002-Remove-pkinit-plugin.patch @@ -37,6 +100,7 @@ Patch1003: 1003-Remove-pkinit-references-from-tool-man-pages.patch Patch1004: 1004-Change-branding-to-IPA-and-Identity-Management.patch Patch1005: 1005-Remove-pylint-from-build-process.patch Patch1006: 1006-Remove-i18test-from-build-process.patch +Patch1007: 1007-Remove-ipa-backup-and-ipa-restore-functionality.patch %if ! %{ONLY_CLIENT} BuildRequires: 389-ds-base-devel >= 1.3.1 @@ -112,7 +176,7 @@ Requires: openldap-clients > 2.4.35-4 Requires: nss >= 3.14.3-12.0 Requires: nss-tools >= 3.14.3-12.0 %if 0%{?krb5_dal_version} >= 4 -Requires: krb5-server >= 1.11.2-1 +Requires: krb5-server >= 1.11.3-46 %else %if 0%{krb5_dal_version} == 3 # krb5 1.11 bumped DAL interface major version, a rebuild is needed @@ -125,10 +189,10 @@ Requires: krb5-server >= 1.10 Requires: krb5-pkinit-openssl Requires: cyrus-sasl-gssapi%{?_isa} Requires: ntp -Requires: httpd +Requires: httpd >= 2.4.6-7 Requires: mod_wsgi Requires: mod_auth_kerb >= 5.4-16 -Requires: mod_nss >= 1.0.8-24 +Requires: mod_nss >= 1.0.8-26 Requires: python-ldap Requires: python-krbV Requires: acl @@ -164,6 +228,9 @@ Conflicts: bind < 9.8.2-0.4.rc2 # member. Conflicts: nss-pam-ldapd < 0.8.4 +# ipa-tests subpackage was moved to separate srpm +Conflicts: ipa-tests < 3.3.3-9 + %description server IPA is an integrated solution to provide centrally managed Identity (machine, user, virtual machines, groups, authentication credentials), Policy 
@@ -271,28 +338,6 @@ user, virtual machines, groups, authentication credentials), Policy logs, analysis thereof). If you are using IPA you need to install this package. -%if ! %{ONLY_CLIENT} -%package tests -Summary: IPA tests and test tools -Requires: %{name}-client = %{version}-%{release} -Requires: %{name}-python = %{version}-%{release} -Requires: tar -Requires: xz -Requires: python-nose -Requires: python-paste -Requires: python-coverage -Requires: openssh-clients - -%description tests -IPA is an integrated solution to provide centrally managed Identity (machine, -user, virtual machines, groups, authentication credentials), Policy -(configuration settings, access control information) and Audit (events, -logs, analysis thereof). -This package contains tests that verify IPA functionality. - -%endif # ONLY_CLIENT - - %prep # RHEL spec file only: START # Update timestamps on the files touched by a patch, to avoid non-equal @@ -319,8 +364,8 @@ done # RHEL spec file only: END %build -export CFLAGS="$CFLAGS %{optflags}" -export CPPFLAGS="$CPPFLAGS %{optflags}" +export CFLAGS="%{optflags} $CFLAGS" +export LDFLAGS="%{__global_ldflags} $LDFLAGS" # use fedora18 platform which is based on fedora16 platform with systemd # support + fedora18 changes export SUPPORTED_PLATFORM=fedora18 @@ -433,8 +478,6 @@ mkdir -p %{buildroot}%{_unitdir} install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service # END - -mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup %endif # ONLY_CLIENT mkdir -p %{buildroot}%{_sysconfdir}/ipa/ 
@@ -451,10 +494,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d grep -v dcerpc | grep -v adtrustinstance | \ sed -e 's,\.py.*$,.*,g' | sort -u | \ sed -e 's,\./,%%{python_sitelib}/ipaserver/,g' ) >server-python.list - -(cd %{buildroot}/%{python_sitelib}/ipatests && find . -type f | \ - sed -e 's,\.py.*$,.*,g' | sort -u | \ - sed -e 's,\./,%%{python_sitelib}/ipatests/,g' ) >tests-python.list %endif # ONLY_CLIENT %clean @@ -582,8 +621,6 @@ fi %files server -f server-python.list %defattr(-,root,root,-) %doc COPYING README Contributors.txt -%{_sbindir}/ipa-backup -%{_sbindir}/ipa-restore %{_sbindir}/ipa-ca-install %{_sbindir}/ipa-dns-install %{_sbindir}/ipa-server-install @@ -664,6 +701,7 @@ fi %{_usr}/share/ipa/ui/*.svg %{_usr}/share/ipa/ui/*.ttf %{_usr}/share/ipa/ui/*.woff +%dir %{_usr}/share/ipa/ui/js %dir %{_usr}/share/ipa/ui/js/dojo %{_usr}/share/ipa/ui/js/dojo/dojo.js %dir %{_usr}/share/ipa/ui/js/libs @@ -712,7 +750,6 @@ fi %attr(755,root,root) %{plugin_dir}/libipa_dns.so %attr(755,root,root) %{plugin_dir}/libipa_range_check.so %dir %{_localstatedir}/lib/ipa -%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca @@ -733,8 +770,6 @@ fi %{_mandir}/man1/ipa-ldap-updater.1.gz %{_mandir}/man8/ipactl.8.gz %{_mandir}/man8/ipa-upgradeconfig.8.gz -%{_mandir}/man1/ipa-backup.1.gz -%{_mandir}/man1/ipa-restore.1.gz %{_mandir}/man1/ipa-advise.1.gz %files server-trust-ad 
@@ -808,30 +843,117 @@ fi %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt -%if ! %{ONLY_CLIENT} -%files tests -f tests-python.list -%defattr(-,root,root,-) -%doc COPYING README Contributors.txt -%dir %{python_sitelib}/ipatests -%dir %{python_sitelib}/ipatests/test_cmdline -%dir %{python_sitelib}/ipatests/test_install -%dir %{python_sitelib}/ipatests/test_ipalib -%dir %{python_sitelib}/ipatests/test_ipapython -%dir %{python_sitelib}/ipatests/test_ipaserver -%dir %{python_sitelib}/ipatests/test_ipaserver/install -%dir %{python_sitelib}/ipatests/test_pkcs10 -%dir %{python_sitelib}/ipatests/test_webui -%dir %{python_sitelib}/ipatests/test_xmlrpc -%{_bindir}/ipa-run-tests -%{_bindir}/ipa-test-config -%{_bindir}/ipa-test-task -%{python_sitelib}/ipatests-*.egg-info -%{_mandir}/man1/ipa-run-tests.1.gz -%{_mandir}/man1/ipa-test-config.1.gz -%{_mandir}/man1/ipa-test-task.1.gz -%endif # ONLY_CLIENT - %changelog +* Tue Apr 1 2014 Martin Kosek - 3.3.3-28 +- ipa-client-automount fails with incompatibility error when installed against + older IPA server (#1083108) + +* Wed Mar 26 2014 Martin Kosek - 3.3.3-27 +- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future + PKI versions (#1080865) + +* Tue Mar 25 2014 Martin Kosek - 3.3.3-26 +- When IdM server trusts multiple AD forests, IPA client returns invalid group + membership info (#1079498) + +* Thu Mar 13 2014 Martin Kosek - 3.3.3-25 +- Deletion of active subdomain range should not be allowed (#1075615) + +* Thu Mar 13 2014 Martin Kosek - 3.3.3-24 +- PKI database is ugraded during replica installation (#1075118) + +* Wed Mar 12 2014 Martin Kosek - 3.3.3-23 +- Unable to add trust successfully with --trust-secret (#1075704) + +* Wed Mar 12 2014 Martin Kosek - 3.3.3-22 +- ipa-replica-install never checks for 7389 port (#1075165) +- Non-terminated string may be passed to LDAP search (#1075091) +- ipa-sam 
may fail to translate group SID into GID (#1073829) +- Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132) + +* Thu Mar 6 2014 Martin Kosek - 3.3.3-21 +- Do not fetch a principal two times, remove potential memory leak (#1070924) + +* Wed Mar 5 2014 Martin Kosek - 3.3.3-20 +- trustdomain-find with pkey-only fails (#1068611) +- Invalid credential cache in trust-add (#1069182) +- ipa-replica-install prints unexpected error (#1069722) +- Too big font in input fields in details facet in Firefox (#1069720) +- trust-add for POSIX AD does not fetch trustdomains (#1070925) +- Misleading trust-add error message in some cases (#1070926) +- Access is not rejected for disabled domain (#1070924) + +* Wed Feb 26 2014 Martin Kosek - 3.3.3-19 +- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933) + +* Wed Feb 12 2014 Martin Kosek - 3.3.3-18 +- Display server name in ipa command's verbose mode (#1061703) +- Remove sourcehostcategory from default HBAC rule (#1061187) +- dnszone-add cannot add classless PTR zones (#1058688) +- Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850) + +* Tue Feb 4 2014 Martin Kosek - 3.3.3-17 +- Lockout plugin crashed during ipa-server-install (#912725) + +* Fri Jan 31 2014 Martin Kosek - 3.3.3-16 +- Fallback to global policy in ipa lockout plugin (#912725) +- Migration does not add users to default group (#903232) + +* Fri Jan 24 2014 Daniel Mach - 3.3.3-15 +- Mass rebuild 2014-01-24 + +* Thu Jan 23 2014 Martin Kosek - 3.3.3-14 +- Fix NetBIOS name generation in CLDAP plugin (#1030517) + +* Mon Jan 20 2014 Martin Kosek - 3.3.3-13 +- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218) +- Increase default timeout for IPA services (#1033273) +- Error while running trustdomain-find (#1054376) +- group-show lists SID instead of name for external groups (#1054391) +- Fix IPA server NetBIOS name in samba configuration (#1030517) +- dnsrecord-mod produces missing API version warning (#1054869) +- 
Hide trust-resolve command as internal (#1052860) +- Add Trust domain Web UI (#1054870) +- ipasam cannot delete multiple child trusted domains (#1056120) + +* Wed Jan 15 2014 Martin Kosek - 3.3.3-12 +- Missing objectclasses when empty password passed to host-add (#1052979) +- sudoOrder missing in sudoers (#1052983) +- Missing examples in sudorule help (#1049464) +- Client automount does not uninstall when fstore is empty (#910899) +- Error not clear for invalid realm given to trust-fetch-domains (#1052981) +- trust-fetch-domains does not add idrange for subdomains found (#1049926) +- Add option to show if an AD subdomain is enabled/disabled (#1052973) +- ipa-adtrust-install still failed with long NetBIOS names (#1030517) +- Error not clear for invalid relam given to trustdomain-find (#1049455) +- renewed client cert not recognized during IPA CA renewal (#1033273) + +* Fri Jan 10 2014 Martin Kosek - 3.3.3-11 +- hbactest does not work for external users (#848531) + +* Wed Jan 08 2014 Martin Kosek - 3.3.3-10 +- PKI service restart after CA renewal failed (#1040018) + +* Mon Jan 06 2014 Martin Kosek - 3.3.3-9 +- Move ipa-tests package to separate srpm (#1032668) + +* Fri Jan 3 2014 Martin Kosek - 3.3.3-8 +- Fix status trust-add command status message (#910453) +- NetBIOS was not trimmed at 15 characters (#1030517) +- Harden CA subsystem certificate renewal on CA clones (#1040018) + +* Fri Dec 27 2013 Daniel Mach - 3.3.3-7 +- Mass rebuild 2013-12-27 + +* Mon Dec 2 2013 Martin Kosek - 3.3.3-6 +- Remove "Listen 443 http" hack from deployed nss.conf (#1029046) +- Re-adding existing trust fails (#1033216) +- IPA uninstall exits with a samba error (#1033075) +- Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260) +- Fixed ownership of /usr/share/ipa/ui/js (#1026260) +- ipa-tests: support external names for hosts (#1032668) +- ipa-client-install fail due fail to obtain host TGT (#1029354) + * Fri Nov 22 2013 Martin Kosek - 3.3.3-5 - Trust add tries to add same value of 
--base-id for sub domain, causing an error (#1033068) @@ -920,7 +1042,7 @@ fi - Remove ipa-server-selinux obsoletes as upgrades from version prior to 3.3.0 are not allowed - Wrap server-trust-ad subpackage description better -- Add (noreplace) flag for \%{_sysconfdir}/tmpfiles.d/ipa.conf +- Add (noreplace) flag for %%{_sysconfdir}/tmpfiles.d/ipa.conf - Change permissions on default_encoding_utf8.so to fix ipa-python Provides * Thu Aug 8 2013 Martin Kosek - 3.3.0-1