diff --git a/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch b/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch
index ee5a7db..d205d06 100644
--- a/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch
+++ b/SOURCES/0003-Allow-kernel-keyring-CCACHE-when-supported.patch
@@ -1,18 +1,18 @@
-From a66fc51f69b0d19ecb63a5a78d2a052e810913c9 Mon Sep 17 00:00:00 2001
+From 7726ddeb7506b9b68720f55c410d7c53b7098d91 Mon Sep 17 00:00:00 2001
 From: Martin Kosek <mkosek@redhat.com>
-Date: Wed, 6 Nov 2013 12:48:26 +0100
-Subject: [PATCH] Allow kernel keyring CCACHE when supported
+Date: Fri, 29 Nov 2013 13:29:20 +0100
+Subject: [PATCH 03/10] Allow kernel keyring CCACHE when supported
 
-Allow ipa-server-install and ipa-client-install to allow kernel keyring
-ccache when supported.
+Server and client installer should allow kernel keyring ccache when
+supported.
 
 https://fedorahosted.org/freeipa/ticket/4013
 ---
  install/share/krb5.conf.template          |  2 +-
- ipa-client/ipa-install/ipa-client-install | 11 +++++++++++
- ipapython/kernel_keyring.py               |  6 ++++++
- ipaserver/install/krbinstance.py          | 16 ++++++++++++++++
- 4 files changed, 34 insertions(+), 1 deletion(-)
+ ipa-client/ipa-install/ipa-client-install |  7 +++++++
+ ipapython/kernel_keyring.py               | 17 +++++++++++++++++
+ ipaserver/install/krbinstance.py          | 10 ++++++++++
+ 4 files changed, 35 insertions(+), 1 deletion(-)
 
 diff --git a/install/share/krb5.conf.template b/install/share/krb5.conf.template
 index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfacccc1995cd9dfa6ddd88edd1f 100644
@@ -28,7 +28,7 @@ index 01e66881b0a38e342886727ec205ea9b7c057ad2..7c82083e3331cfacccc1995cd9dfa6dd
   $REALM = {
    kdc = $FQDN:88
 diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
-index 8e4695b42e9178725353dee2a4797a8da9b635b3..9b99953551fcffa64b16605d701831a49ba0e087 100755
+index 8e4695b42e9178725353dee2a4797a8da9b635b3..a898d388ee039752044008f8525424370098580a 100755
 --- a/ipa-client/ipa-install/ipa-client-install
 +++ b/ipa-client/ipa-install/ipa-client-install
 @@ -43,6 +43,7 @@ try:
@@ -39,17 +39,13 @@ index 8e4695b42e9178725353dee2a4797a8da9b635b3..9b99953551fcffa64b16605d701831a4
      from ipapython.config import IPAOptionParser
      from ipalib import api, errors
      from ipalib import x509
-@@ -926,6 +927,16 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
+@@ -926,6 +927,12 @@ def configure_krb5_conf(cli_realm, cli_domain, cli_server, cli_kdc, dnsok,
      libopts.append({'name':'ticket_lifetime', 'type':'option', 'value':'24h'})
      libopts.append({'name':'forwardable', 'type':'option', 'value':'yes'})
  
 +    # Configure KEYRING CCACHE if supported
-+    uid = os.geteuid()
-+    try:
-+        kernel_keyring.get_persistent_key(str(uid))
-+    except ValueError:
-+        pass
-+    else:
++    if kernel_keyring.is_persistent_keyring_supported():
++        root_logger.debug("Enabling persistent keyring CCACHE")
 +        libopts.append({'name':'default_ccache_name', 'type':'option',
 +            'value':'KEYRING:persistent:%{uid}'})
 +
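Review bot: Only the enabling branch is logged here, so an installer run on a host without a persistent keyring leaves no trace of why `default_ccache_name` was not written, while the krbinstance.py hunk of this same patch logs both outcomes. For consistency, add the negative branch after the `libopts.append(...)` block: `else:` / `root_logger.debug("Persistent keyring CCACHE is not enabled")`. configure_krb5_conf starts and ends outside the hunk.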
@@ -57,10 +53,19 @@ index 8e4695b42e9178725353dee2a4797a8da9b635b3..9b99953551fcffa64b16605d701831a4
      opts.append({'name':'empty', 'type':'empty'})
  
 diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py
-index 547dd3de6b45295910b66982e99886135c06335b..c6670c4ade48e9dc9b503f937cbcaead143f19fc 100644
+index 547dd3de6b45295910b66982e99886135c06335b..d30531cabaee5c12376f0821a21a6f63cd60397c 100644
 --- a/ipapython/kernel_keyring.py
 +++ b/ipapython/kernel_keyring.py
-@@ -47,6 +47,12 @@ def get_real_key(key):
+@@ -17,6 +17,8 @@
+ # along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ #
+ 
++import os
++
+ from ipapython.ipautil import run
+ 
+ # NOTE: Absolute path not required for keyctl since we reset the environment
+@@ -47,6 +49,21 @@ def get_real_key(key):
          raise ValueError('key %s not found' % key)
      return stdout.rstrip()
  
@@ -70,11 +75,20 @@ index 547dd3de6b45295910b66982e99886135c06335b..c6670c4ade48e9dc9b503f937cbcaead
 +        raise ValueError('persistent key %s not found' % key)
 +    return stdout.rstrip()
 +
++def is_persistent_keyring_supported():
++    uid = os.geteuid()
++    try:
++        get_persistent_key(str(uid))
++    except ValueError:
++        return False
++
++    return True
++
  def has_key(key):
      """
      Returns True/False whether the key exists in the keyring.
 diff --git a/ipaserver/install/krbinstance.py b/ipaserver/install/krbinstance.py
-index 98687a4002cd7b19faea03acc552759e962d8832..48407edb9b0e237cf86e8d4e9059208e52b9c165 100644
+index 98687a4002cd7b19faea03acc552759e962d8832..f1fa827d89a31f9d6d4cb7f7a78a2680f983565a 100644
 --- a/ipaserver/install/krbinstance.py
 +++ b/ipaserver/install/krbinstance.py
 @@ -31,6 +31,7 @@
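Review bot: `is_persistent_keyring_supported` has no docstring and its contract is narrower than the name suggests: it reports whether `get_persistent_key(str(uid))` succeeds for the caller's effective UID, and only a `ValueError` is mapped to `False`. Any other exception raised by `get_persistent_key` (presumably a `keyctl` invocation through the module's `run` helper, judging by the surrounding lines) propagates and would abort the installer instead of falling back to the default ccache; whether `run` can raise something other than `ValueError` here is not visible in this hunk and worth confirming. Suggested docstring: `"""Return True if a persistent kernel keyring is usable for the current effective UID, False otherwise."""`.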
@@ -85,23 +99,17 @@ index 98687a4002cd7b19faea03acc552759e962d8832..48407edb9b0e237cf86e8d4e9059208e
  from ipalib import errors
  from ipapython.ipa_log_manager import *
  from ipapython.dn import DN
-@@ -252,6 +253,21 @@ def __setup_sub_dict(self):
+@@ -252,6 +253,15 @@ def __setup_sub_dict(self):
              dr_map = ""
          self.sub_dict['OTHER_DOMAIN_REALM_MAPS'] = dr_map
  
 +        # Configure KEYRING CCACHE if supported
-+        uid = os.geteuid()
-+        try:
-+            kernel_keyring.get_persistent_key(str(uid))
-+        except ValueError:
-+            keyring_ccache_supported = False
-+        else:
-+            keyring_ccache_supported = True
-+
-+        if keyring_ccache_supported:
++        if kernel_keyring.is_persistent_keyring_supported():
++            root_logger.debug("Enabling persistent keyring CCACHE")
 +            self.sub_dict['OTHER_LIBDEFAULTS'] = \
 +                " default_ccache_name = KEYRING:persistent:%{uid}\n"
 +        else:
++            root_logger.debug("Persistent keyring CCACHE is not enabled")
 +            self.sub_dict['OTHER_LIBDEFAULTS'] = ''
 +
      def __configure_sasl_mappings(self):
diff --git a/SOURCES/0007-Remove-mod_ssl-port-workaround.patch b/SOURCES/0007-Remove-mod_ssl-port-workaround.patch
new file mode 100644
index 0000000..020ca87
--- /dev/null
+++ b/SOURCES/0007-Remove-mod_ssl-port-workaround.patch
@@ -0,0 +1,98 @@
+From 940afde411eb9ba52252ae80188f4fdbb87a9554 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 26 Nov 2013 08:53:34 +0000
+Subject: [PATCH 07/10] Remove mod_ssl port workaround.
+
+https://fedorahosted.org/freeipa/ticket/4021
+---
+ freeipa.spec.in                   |  8 ++++++--
+ install/tools/ipa-upgradeconfig   |  2 +-
+ ipaserver/install/httpinstance.py | 17 ++++++++---------
+ 3 files changed, 15 insertions(+), 12 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index a091164907735d659be61fe29221cbce6934c77d..69ec29d9ff58bf3a25e25b35d5f3ba1d43741124 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -114,14 +114,14 @@ Requires: krb5-server >= 1.10
+ Requires: krb5-pkinit-openssl
+ Requires: cyrus-sasl-gssapi%{?_isa}
+ Requires: ntp
+-Requires: httpd
++Requires: httpd >= 2.4.6-6
+ Requires: mod_wsgi
+ %if 0%{?fedora} >= 18
+ Requires: mod_auth_kerb >= 5.4-16
+ %else
+ Requires: mod_auth_kerb >= 5.4-8
+ %endif
+-Requires: mod_nss >= 1.0.8-24
++Requires: mod_nss >= 1.0.8-26
+ Requires: python-ldap
+ Requires: python-krbV
+ Requires: acl
+@@ -832,6 +832,10 @@ fi
+ %endif # ONLY_CLIENT
+ 
+ %changelog
++* Tue Nov 26 2013 Jan Cholasta <jcholast@redhat.com> - 3.3.2-2
++- Set minimum version of httpd to 2.4.6-6
++- Set minimum version of mod_nss to 1.0.8-26
++
+ * Fri Oct 25 2013 Martin Kosek <mkosek@redhat.com> - 3.3.2-1
+ - Remove mod_ssl conflict, it can now live with mod_nss installed
+ 
+diff --git a/install/tools/ipa-upgradeconfig b/install/tools/ipa-upgradeconfig
+index 41c51263d5fc8b3a0e2f28bab89fc9d2d184fdca..10526f226798c78ae75972b82a2f72b200a8aacf 100644
+--- a/install/tools/ipa-upgradeconfig
++++ b/install/tools/ipa-upgradeconfig
+@@ -1047,7 +1047,7 @@ def main():
+     http.remove_httpd_ccache()
+     http.configure_selinux_for_httpd()
+     http.configure_httpd_ccache()
+-    http.change_mod_nss_port_to_http()
++    http.change_mod_nss_port_from_http()
+ 
+     ds = dsinstance.DsInstance()
+     ds.configure_dirsrv_ccache()
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 689e657e291b93d90038937a61f67915c0d582ec..e61a0c6d1526f29acb4647710e559a5bb32a58c0 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -253,25 +253,24 @@ def __configure_http(self):
+         http_fd.close()
+         os.chmod(target_fname, 0644)
+ 
+-    def change_mod_nss_port_to_http(self):
++    def change_mod_nss_port_from_http(self):
+         # mod_ssl enforces SSLEngine on for vhost on 443 even though
+         # the listener is mod_nss. This then crashes the httpd as mod_nss
+         # listened port obviously does not match mod_ssl requirements.
+         #
+-        # Change port to http to workaround the mod_ssl check, the SSL is
+-        # enforced in the vhost later, so it is benign.
++        # The workaround for this was to change port to http. It is no longer
++        # necessary, as mod_nss now ships with default configuration which
++        # sets SSLEngine off when mod_ssl is installed.
+         #
+-        # Remove when https://bugzilla.redhat.com/show_bug.cgi?id=1023168
+-        # is fixed.
+-        if not sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
+-            installutils.set_directive(NSS_CONF, 'Listen', '443 http', quotes=False)
+-            sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', True)
++        # Remove the workaround.
++        if sysupgrade.get_upgrade_state('nss.conf', 'listen_port_updated'):
++            installutils.set_directive(NSS_CONF, 'Listen', '443', quotes=False)
++            sysupgrade.set_upgrade_state('nss.conf', 'listen_port_updated', False)
+ 
+     def __set_mod_nss_port(self):
+         self.fstore.backup_file(NSS_CONF)
+         if installutils.update_file(NSS_CONF, '8443', '443') != 0:
+             print "Updating port in %s failed." % NSS_CONF
+-        self.change_mod_nss_port_to_http()
+ 
+     def __set_mod_nss_nickname(self, nickname):
+         installutils.set_directive(NSS_CONF, 'NSSNickname', nickname)
+-- 
+1.8.3.1
+
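Review bot: `change_mod_nss_port_from_http` reverts the `Listen` directive only when the `listen_port_updated` upgrade state is true, so a system where the `443 http` workaround was written but the state entry is missing (state store reset, or the directive edited by hand) keeps the old value; if that case must be supported, reading the current `Listen` value from `NSS_CONF` would be the more robust trigger. The rename from `change_mod_nss_port_to_http` is applied to the one caller visible here (ipa-upgradeconfig); other callers, if any, are outside this patch. A docstring would help, e.g. `"""Undo the 'Listen 443 http' mod_ssl workaround now that the fixed mod_nss/httpd are required by the spec."""`.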
diff --git a/SOURCES/0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch b/SOURCES/0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch
new file mode 100644
index 0000000..f2f1a4e
--- /dev/null
+++ b/SOURCES/0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch
@@ -0,0 +1,147 @@
+From 7c4828f3eb0e7b1f246f6263bdf22592d51824df Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 27 Nov 2013 12:17:43 +0200
+Subject: [PATCH 08/10] subdomains: Use AD admin credentials when trust is
+ being established
+
+When AD administrator credentials passed, they stored in realm_passwd,
+not realm_password in the options.
+
+When passing credentials to ipaserver.dcerpc.fetch_domains(), make sure
+to normalize them.
+
+Additionally, force Samba auth module to use NTLMSSP in case we have
+credentials because at the point when trust is established, KDC is not
+yet ready to issue tickets to a service in the other realm due to
+MS-PAC information caching effects. The logic is a bit fuzzy because
+credentials code makes decisions on what to use based on the smb.conf
+parameters and Python bindings to set parameters to smb.conf make it so
+that auth module believes these parameters were overidden by the user
+through the command line and ignore some of options. We have to do calls
+in the right order to force NTLMSSP use instead of Kerberos.
+
+Fixes https://fedorahosted.org/freeipa/ticket/4046
+---
+ ipalib/plugins/trust.py | 13 ++++++++++---
+ ipaserver/dcerpc.py     | 42 ++++++++++++++++++++++++++++--------------
+ 2 files changed, 38 insertions(+), 17 deletions(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 5ba0905030c700c7f63003eef25891c52330934b..3b1b2fc67ce333751556a5c3a59a7f89efc608f9 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -1231,10 +1231,17 @@ def execute(self, *keys, **options):
+ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
+     trust_name = trust_entry['cn'][0]
+     creds = None
+-    password = options.get('realm_password', None)
++    password = options.get('realm_passwd', None)
+     if password:
+-        creds = u"%s%%%s" % (options.get('realm_admin'), password)
+-    domains = ipaserver.dcerpc.fetch_domains(self.api, trustinstance.local_flatname, trust_name, creds=creds)
++        admin_name = options.get('realm_admin')
++        sp = admin_name.split('\\')
++        if len(sp) == 1:
++            sp.insert(0, trustinstance.remote_domain.info['name'])
++        creds = u"{name}%{password}".format(name="\\".join(sp),
++                                            password=password)
++    domains = ipaserver.dcerpc.fetch_domains(self.api,
++                                             trustinstance.local_flatname,
++                                             trust_name, creds=creds)
+     result = []
+     if not domains:
+         return None
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 0dde3473b12b857ff269a936ad9a07d098405c45..d809c416baac072a2489fbd3c167f08665b7a24e 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -655,7 +655,7 @@ def __gen_lsa_connection(self, binding):
+        except RuntimeError, (num, message):
+            raise assess_dcerpc_exception(num=num, message=message)
+ 
+-    def __init_lsa_pipe(self, remote_host):
++    def init_lsa_pipe(self, remote_host):
+         """
+         Try to initialize connection to the LSA pipe at remote host.
+         This method tries consequently all possible transport options
+@@ -692,7 +692,7 @@ def __gen_lsa_bindings(self, remote_host):
+         """
+         There are multiple transports to issue LSA calls. However, depending on a
+         system in use they may be blocked by local operating system policies.
+-        Generate all we can use. __init_lsa_pipe() will try them one by one until
++        Generate all we can use. init_lsa_pipe() will try them one by one until
+         there is one working.
+ 
+         We try NCACN_NP before NCACN_IP_TCP and signed sessions before unsigned.
+@@ -753,7 +753,7 @@ def parse_naming_context(self, context):
+         return naming_ref.match(context).group(1)
+ 
+     def retrieve(self, remote_host):
+-        self.__init_lsa_pipe(remote_host)
++        self.init_lsa_pipe(remote_host)
+ 
+         objectAttribute = lsa.ObjectAttribute()
+         objectAttribute.sec_qos = lsa.QosInfo()
+@@ -964,34 +964,48 @@ def fetch_domains(api, mydomain, trustdomain, creds=None):
+                 NETR_TRUST_ATTRIBUTE_TREAT_AS_EXTERNAL  = 0x00000040)
+ 
+     def communicate(td):
+-        td.creds.guess(td.parm)
+-        netrc = net.Net(creds=td.creds, lp=td.parm)
+-        try:
+-            result = netrc.finddc(domain=trustdomain, flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
+-        except RuntimeError, e:
+-            raise assess_dcerpc_exception(message=str(e))
+-        if not result:
+-            return None
+-        td.retrieve(unicode(result.pdc_dns_name))
+-
++        td.init_lsa_pipe(td.info['dc'])
+         netr_pipe = netlogon.netlogon(td.binding, td.parm, td.creds)
+         domains = netr_pipe.netr_DsrEnumerateDomainTrusts(td.binding, 1)
+         return domains
+ 
+     domains = None
++    domain_validator = DomainValidator(api)
++    configured = domain_validator.is_configured()
++    if not configured:
++        return None
++
+     td = TrustDomainInstance('')
+     td.parm.set('workgroup', mydomain)
+-    td.creds = credentials.Credentials()
++    cr = credentials.Credentials()
++    cr.set_kerberos_state(credentials.DONT_USE_KERBEROS)
++    cr.guess(td.parm)
++    cr.set_anonymous()
++    cr.set_workstation(domain_validator.flatname)
++    netrc = net.Net(creds=cr, lp=td.parm)
++    try:
++        result = netrc.finddc(domain=trustdomain,
++                              flags=nbt.NBT_SERVER_LDAP | nbt.NBT_SERVER_DS)
++    except RuntimeError, e:
++        raise assess_dcerpc_exception(message=str(e))
++
++    td.info['dc'] = unicode(result.pdc_dns_name)
+     if creds is None:
+         domval = DomainValidator(api)
+         (ccache_name, principal) = domval.kinit_as_http(trustdomain)
++        td.creds = credentials.Credentials()
+         td.creds.set_kerberos_state(credentials.MUST_USE_KERBEROS)
+         if ccache_name:
+             with installutils.private_ccache(path=ccache_name):
++                td.creds.guess(td.parm)
++                td.creds.set_workstation(domain_validator.flatname)
+                 domains = communicate(td)
+     else:
++        td.creds = credentials.Credentials()
+         td.creds.set_kerberos_state(credentials.DONT_USE_KERBEROS)
++        td.creds.guess(td.parm)
+         td.creds.parse_string(creds)
++        td.creds.set_workstation(domain_validator.flatname)
+         domains = communicate(td)
+ 
+     if domains is None:
+-- 
+1.8.3.1
+
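Review bot: In the new `fetch_domains` body the check the old code made on the `finddc` result (`if not result: return None`) was dropped, so a lookup that returns nothing now fails with an `AttributeError` at `td.info['dc'] = unicode(result.pdc_dns_name)` instead of the `None` the caller already handles; reinstate `if not result: return None` before that line. In the trust.py hunk, `admin_name = options.get('realm_admin')` is used without a `None` check, so a `realm_passwd` supplied without `realm_admin` raises `AttributeError` on `.split` rather than a validation error, unless the option parser already enforces the pairing, which is not visible here. The credential string also assumes the administrator was given as `DOMAIN\user` or a bare name; a `user@domain` form contains no backslash and is prefixed with the remote domain name as if it were bare.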
diff --git a/SOURCES/0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch b/SOURCES/0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch
new file mode 100644
index 0000000..d5a4486
--- /dev/null
+++ b/SOURCES/0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch
@@ -0,0 +1,47 @@
+From a7fffdc2685b82546c620c19fbbda545ba1b8e90 Mon Sep 17 00:00:00 2001
+From: Tomas Babej <tomasbabej@gmail.com>
+Date: Thu, 21 Nov 2013 15:25:27 +0100
+Subject: [PATCH 09/10] trusts: Always stop and disable smb service on
+ uninstall
+
+https://fedorahosted.org/freeipa/ticket/4042
+---
+ ipaserver/install/adtrustinstance.py | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index 6a1ede0d7eb46a824d6e9eaf7ad1226120d08809..4aa8322e3e2cfb6fbc07696097c3e6e21fc7f665 100644
+--- a/ipaserver/install/adtrustinstance.py
++++ b/ipaserver/install/adtrustinstance.py
+@@ -881,11 +881,16 @@ def uninstall(self):
+         if self.is_configured():
+             self.print_msg("Unconfiguring %s" % self.service_name)
+ 
+-        running = self.restore_state("running")
+-        enabled = self.restore_state("enabled")
++        # Call restore_state so that we do not leave mess in the statestore
++        # Otherwise this does nothing
++        self.restore_state("running")
++        self.restore_state("enabled")
+ 
++        # Always try to stop and disable smb service, since we do not leave
++        # working configuration after uninstall
+         try:
+             self.stop()
++            self.disable()
+         except:
+             pass
+ 
+@@ -917,9 +922,3 @@ def uninstall(self):
+ 
+         # Remove our keys from samba's keytab
+         self.clean_samba_keytab()
+-
+-        if not enabled is None and not enabled:
+-            self.disable()
+-
+-        if not running is None and running:
+-            self.start()
+-- 
+1.8.3.1
+
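Review bot: `self.stop()` and `self.disable()` share one `try` block, so if `stop()` raises the `disable()` call is skipped and the service comes back at next boot, contrary to the comment's intent of always stopping and disabling. Give each call its own `try`, and narrow the bare `except:` so that `KeyboardInterrupt` and `SystemExit` are not swallowed. The surrounding `uninstall` continues outside the hunk.
```python
        # Always try to stop and disable smb service, since we do not leave
        # working configuration after uninstall
        try:
            self.stop()
        except Exception:
            pass
        try:
            self.disable()
        except Exception:
            pass
        # … unchanged: rest of uninstall …
```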
diff --git a/SOURCES/0010-Use-hardening-flags-for-ipa-optd.patch b/SOURCES/0010-Use-hardening-flags-for-ipa-optd.patch
new file mode 100644
index 0000000..68e1c3c
--- /dev/null
+++ b/SOURCES/0010-Use-hardening-flags-for-ipa-optd.patch
@@ -0,0 +1,277 @@
+From d55551c763d29ddd92156829fb2ae6b4f89b5184 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Wed, 27 Nov 2013 13:13:16 +0000
+Subject: [PATCH 10/11] Use hardening flags for ipa-optd.
+
+https://fedorahosted.org/freeipa/ticket/4010
+
+Martin Kosek: note that this patch contains both Jan's original work
+and squashed additional patches 206.2, 207.2, 208.2, 209.2, 212.2
+implemented to fix some of the problems introduced by the original
+patch.
+---
+ Makefile                                               | 3 +++
+ daemons/ipa-otpd/Makefile.am                           | 4 ++--
+ daemons/ipa-sam/Makefile.am                            | 1 -
+ daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am        | 1 -
+ daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c        | 4 +++-
+ daemons/ipa-slapi-plugins/ipa-dns/Makefile.am          | 1 -
+ daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am   | 1 -
+ daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 -
+ daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am      | 1 -
+ daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am       | 1 -
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am    | 3 +--
+ daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am  | 1 -
+ daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am       | 1 -
+ daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am         | 1 -
+ daemons/ipa-slapi-plugins/ipa-version/Makefile.am      | 1 -
+ daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am      | 1 -
+ freeipa.spec.in                                        | 8 ++++++--
+ ipa-client/Makefile.am                                 | 1 -
+ 18 files changed, 15 insertions(+), 20 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index a21cf7e33275fd1a783e89baf237c8dcd8db6508..9ed3bb59a0f1d52e1b40430bb9516d9438b0fcb4 100644
+--- a/Makefile
++++ b/Makefile
+@@ -52,6 +52,9 @@ endif
+ 
+ PYTHON ?= $(shell rpm -E %__python)
+ 
++CFLAGS := -g -O2 -Werror -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS)
++export CFLAGS
++
+ all: bootstrap-autogen server tests
+ 	@for subdir in $(SUBDIRS); do \
+ 		(cd $$subdir && $(MAKE) $@) || exit 1; \
+diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
+index ed99c3ecbdf6507d18243a665daa1418f978eea1..af82a5fe08856573d2d245608ba1dbaad171c7fe 100644
+--- a/daemons/ipa-otpd/Makefile.am
++++ b/daemons/ipa-otpd/Makefile.am
+@@ -1,5 +1,5 @@
+-AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
+-AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
++AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
++AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
+ 
+ noinst_HEADERS = internal.h
+ libexec_PROGRAMS = ipa-otpd
+diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
+index e8e22503a4d8e3821d6f455bac337feae8b34bfc..d55a187708eb5dda8ffc4c87abb2fcc854940ade 100644
+--- a/daemons/ipa-sam/Makefile.am
++++ b/daemons/ipa-sam/Makefile.am
+@@ -20,7 +20,6 @@ AM_CPPFLAGS =						\
+ 	-DLDAPIDIR=\""$(localstatedir)/run"\"		\
+ 	-DHAVE_LDAP					\
+ 	-I $(KRB5_UTIL_DIR)				\
+-	$(AM_CFLAGS)					\
+ 	$(LDAP_CFLAGS)					\
+ 	$(KRB5_CFLAGS)					\
+ 	$(WARN_CFLAGS)					\
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
+index f669d6b561482e165bedc1c1b2904b7f67a49a95..70b08835e5629026c80c21c83e0c749a387b73a4 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
+@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)						\
+ 	$(WARN_CFLAGS)						\
+ 	$(NDRNBT_CFLAGS)					\
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c
+index 54d44ebf64b1efa0dda06773736d3413a6b70977..64ec80665de5f5b0c5c1a8605e05e34e7199a23d 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c
+@@ -82,7 +82,9 @@ static int ipa_cldap_stop(Slapi_PBlock *pb)
+     }
+ 
+     /* send stop signal to terminate worker thread */
+-    write(ctx->stopfd[1], "", 1);
++    do {
++        ret = write(ctx->stopfd[1], "", 1);
++    } while (ret == -1 && errno == EINTR);
+     close(ctx->stopfd[1]);
+ 
+     ret = pthread_join(ctx->tid, &retval);
+diff --git a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
+index 6d09c8d9c73755e89d91fea83ac66f088d9be553..31b7485e39af30224d97e4a759dbc5779bd61373 100644
+--- a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
+@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)						\
+ 	$(WARN_CFLAGS)						\
+ 	$(NULL)
+diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am
+index 7ba754a48269f5c4ad9d2f08bc8cd7a0f8e6243c..3ce37ac10ad7d1ee077caa55a2f128f688388561 100644
+--- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am
+@@ -11,7 +11,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)					\
+ 	$(KRB5_CFLAGS)						\
+ 	$(WARN_CFLAGS)						\
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+index df0c30562f09bf0e29464c9bb05f7befbd3997e1..7099a988878e2bc0cf840eab0b14fa9f40805a51 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+@@ -13,7 +13,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)						\
+ 	$(WARN_CFLAGS)						\
+ 	$(SSSIDMAP_CFLAGS)					\
+diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am
+index 0c69f4d7fd79a08d98c3b967e5ed35e3668cccc2..6e4c31aa591c37d3b7fdd7110f66303af3005605 100644
+--- a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am
+@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)					\
+ 	$(WARN_CFLAGS)						\
+ 	$(NULL)
+diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am
+index 9fbd03397cf36097e3c38280330cdeda1bf5950e..a3f8d4f7b0886fd7e03f425d27fb1ee98d868913 100644
+--- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am
+@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)					\
+ 	$(WARN_CFLAGS)						\
+ 	$(NULL)
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+index b53b2e1e445ccc9e756aa1ecb2656f19980cd001..8bd89653de51ab33e295fc6b1f1d6d93576d3c64 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+@@ -18,13 +18,12 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)					\
+ 	$(KRB5_CFLAGS)						\
+ 	$(SSL_CFLAGS)						\
+ 	$(WARN_CFLAGS)						\
+ 	$(NULL)
+-	
++
+ AM_LDFLAGS = \
+ 	$(KRB5_LIBS)	\
+ 	$(SSL_LIBS)	\
+diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
+index f23a24ed8b2c8845e7bddbce86abe5a4a2fcd8cd..5aa9b5485211dc5ac699692d8c46cf59c53a9546 100644
+--- a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
+@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)					\
+ 	$(WARN_CFLAGS)						\
+ 	$(NULL)
+diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
+index 4bfb0185ec589797125df747cc02dcf8a7ef30cd..642fdd599b9a3e8204232199e1cc4a5ee8b013ba 100644
+--- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
+@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)					\
+ 	$(WARN_CFLAGS)						\
+ 	$(NULL)
+diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am
+index 738290170da587b0bbee96d8abcda2762264ee0e..061d8483310b686db844059deb82b1465d498652 100644
+--- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am
+@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)					\
+ 	$(WARN_CFLAGS)						\
+ 	$(NULL)
+diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am
+index 5396bda99c64e66428a15a17a520227f790bff00..afce915a0d76ff607c116e18ea98f959aed46d32 100644
+--- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am
+@@ -13,7 +13,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)					\
+ 	$(KRB5_CFLAGS)						\
+ 	$(WARN_CFLAGS)						\
+diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
+index c41692864557e890d388e42c404c23e91ae8b1e9..3108f3c152c08d8b9883974a4c999f7bb89acc8e 100644
+--- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
++++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
+@@ -11,7 +11,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBDIR=\""$(libdir)"\" 				\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(LDAP_CFLAGS)					\
+ 	$(WARN_CFLAGS)						\
+ 	$(NULL)
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 69ec29d9ff58bf3a25e25b35d5f3ba1d43741124..ae8ee57f3ba2c0746bb0f7a1e65dab1da83cca22 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -5,6 +5,10 @@
+ %global POLICYCOREUTILSVER 2.1.12-5
+ %global gettext_domain ipa
+ 
++%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
++%define _hardened_build 1
++%endif
++
+ Name:           freeipa
+ Version:        __VERSION__
+ Release:        __RELEASE__%{?dist}
+@@ -316,8 +320,8 @@ This package contains tests that verify IPA functionality.
+ %setup -n freeipa-%{version} -q
+ 
+ %build
+-export CFLAGS="$CFLAGS %{optflags}"
+-export CPPFLAGS="$CPPFLAGS %{optflags}"
++export CFLAGS="%{optflags} $CFLAGS"
++export LDFLAGS="%{__global_ldflags} $LDFLAGS"
+ %if 0%{?fedora} >= 18
+ # use fedora18 platform which is based on fedora16 platform with systemd
+ # support + fedora18 changes
+diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am
+index b7d70fd8d0d4383cac497b2978196e25893f9fe1..73076315d496d8f2be47ed18f726e5c9a6cb572f 100644
+--- a/ipa-client/Makefile.am
++++ b/ipa-client/Makefile.am
+@@ -25,7 +25,6 @@ AM_CPPFLAGS =							\
+ 	-DLIBEXECDIR=\""$(libexecdir)"\"			\
+ 	-DDATADIR=\""$(datadir)"\"				\
+ 	-DLOCALEDIR=\""$(localedir)"\"				\
+-	$(AM_CFLAGS)						\
+ 	$(KRB5_CFLAGS)						\
+ 	$(OPENLDAP_CFLAGS)					\
+ 	$(SASL_CFLAGS)						\
+-- 
+1.8.3.1
+
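Review bot: The `write()` retry loop in `ipa_cldap_stop` handles only `EINTR`; any other failure (or a return of 0) leaves the stop byte unsent and the following `pthread_join` waits on a worker that was never told to exit, so the loop, presumably added to satisfy the unused-result warning the new `-Werror` flags turn into an error, still fails silently. Check the outcome after the loop, e.g. `if (ret != 1) { /* report via the plugin's existing logging call */ }` before `close(ctx->stopfd[1])`; whether `ret` is declared with a type that can hold `-1` is outside this hunk. Separately, the top-level Makefile now forces `-Werror` into `CFLAGS` unconditionally, which turns any new warning from a future compiler version into a build failure for packagers as well as developers; consider gating it on a developer-build variable.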
diff --git a/SOURCES/0011-test_integration-Support-external-names-for-hosts.patch b/SOURCES/0011-test_integration-Support-external-names-for-hosts.patch
new file mode 100644
index 0000000..202b024
--- /dev/null
+++ b/SOURCES/0011-test_integration-Support-external-names-for-hosts.patch
@@ -0,0 +1,108 @@
+From 36c14bf16eba793f37585b697bd1cb2750d68e36 Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <pviktori@redhat.com>
+Date: Thu, 24 Oct 2013 12:14:58 +0200
+Subject: [PATCH 11/11] test_integration: Support external names for hosts
+
+The framework had a concept of external hostnames,
+which the controller uses to contact the test machines,
+but they were not loaded from configuration.
+
+Load external names from configuration.
+
+This makes tests pass in setups where internal and external
+hostnames are different, and the internal hostnames are not
+initially resolvable from the controller.
+
+Martin Kosek:  this patch also contains squashed patch
+"test_integration: Log external hostname in Host.ldap_connect" from
+Petr Viktorin aiming for better debugability of the beaker tests.
+---
+ ipatests/test_integration/config.py | 14 ++++++++++----
+ ipatests/test_integration/host.py   | 11 +++++++----
+ 2 files changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/ipatests/test_integration/config.py b/ipatests/test_integration/config.py
+index 3aa4d05d6cb5758cd0d6be64a1ac582adcc971b4..b8c5fdc7f9ce1877e34491964418a8d806168e73 100644
+--- a/ipatests/test_integration/config.py
++++ b/ipatests/test_integration/config.py
+@@ -236,8 +236,10 @@ def env_normalize(env):
+     """Fill env variables from alternate variable names
+ 
+     MASTER_env1 <- MASTER
+-    REPLICA_env1 <- REPLICA
+-    CLIENT_env1 <- CLIENT, SLAVE
++    REPLICA_env1 <- REPLICA, SLAVE
++    CLIENT_env1 <- CLIENT
++    similarly for BEAKER* variants: BEAKERMASTER1_env1 <- BEAKERMASTER, etc.
++
+     CLIENT_env1 gets extended with CLIENT2 or CLIENT2_env1
+     """
+     def coalesce(name, *other_names):
+@@ -253,8 +255,12 @@ def coalesce(name, *other_names):
+             else:
+                 env[name] = ''
+     coalesce('MASTER_env1', 'MASTER')
+-    coalesce('REPLICA_env1', 'REPLICA')
+-    coalesce('CLIENT_env1', 'CLIENT', 'SLAVE')
++    coalesce('REPLICA_env1', 'REPLICA', 'SLAVE')
++    coalesce('CLIENT_env1', 'CLIENT')
++
++    coalesce('BEAKERMASTER1_env1', 'BEAKERMASTER')
++    coalesce('BEAKERREPLICA1_env1', 'BEAKERREPLICA', 'BEAKERSLAVE')
++    coalesce('BEAKERCLIENT1_env1', 'BEAKERCLIENT')
+ 
+     def extend(name, name2):
+         value = env.get(name2)
+diff --git a/ipatests/test_integration/host.py b/ipatests/test_integration/host.py
+index 02c82b372ce2805c0ca922319f5de1cd29b0ed82..507e19ed62b3d0a76e6e2ff6286fd83f17a68627 100644
+--- a/ipatests/test_integration/host.py
++++ b/ipatests/test_integration/host.py
+@@ -32,7 +32,8 @@ class BaseHost(object):
+     """Representation of a remote IPA host"""
+     transport_class = None
+ 
+-    def __init__(self, domain, hostname, role, index, ip=None):
++    def __init__(self, domain, hostname, role, index, ip=None,
++                 external_hostname=None):
+         self.domain = domain
+         self.role = role
+         self.index = index
+@@ -40,7 +41,7 @@ def __init__(self, domain, hostname, role, index, ip=None):
+         shortname, dot, ext_domain = hostname.partition('.')
+         self.shortname = shortname
+         self.hostname = shortname + '.' + self.domain.name
+-        self.external_hostname = hostname
++        self.external_hostname = external_hostname or hostname
+ 
+         self.netbios = self.domain.name.split('.')[0].upper()
+ 
+@@ -96,6 +97,8 @@ def remove_log_collector(self, collector):
+     def from_env(cls, env, domain, hostname, role, index):
+         ip = env.get('BEAKER%s%s_IP_env%s' %
+                         (role.upper(), index, domain.index), None)
++        external_hostname = env.get(
++            'BEAKER%s%s_env%s' % (role.upper(), index, domain.index), None)
+ 
+         # We need to determine the type of the host, this depends on the domain
+         # type, as we assume all Unix machines are in the Unix domain and
+@@ -106,7 +109,7 @@ def from_env(cls, env, domain, hostname, role, index):
+         else:
+             cls = Host
+ 
+-        self = cls(domain, hostname, role, index, ip)
++        self = cls(domain, hostname, role, index, ip, external_hostname)
+         return self
+ 
+     @property
+@@ -157,7 +160,7 @@ def put_file_contents(self, filename, contents):
+     def ldap_connect(self):
+         """Return an LDAPClient authenticated to this host as directory manager
+         """
+-        self.log.info('Connecting to LDAP')
++        self.log.info('Connecting to LDAP at %s', self.external_hostname)
+         ldap = IPAdmin(self.external_hostname)
+         binddn = self.config.dirman_dn
+         self.log.info('LDAP bind as %s' % binddn)
+-- 
+1.8.3.1
+
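Review bot: BaseHost.__init__ gains an `external_hostname` parameter but nothing in the hunk says how it differs from `hostname`; a one-line comment on the new assignment, such as `# external_hostname: name the controller uses to reach the box; self.hostname: name inside the IPA domain`, would save the next reader a trip to config.py. In ldap_connect, the changed line passes `self.external_hostname` lazily while the very next line still formats eagerly with `'LDAP bind as %s' % binddn`; make them consistent with `self.log.info('LDAP bind as %s', binddn)`. ldap_connect's body continues past the hunk.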
diff --git a/SOURCES/0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch b/SOURCES/0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch
new file mode 100644
index 0000000..cf4e3e1
--- /dev/null
+++ b/SOURCES/0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch
@@ -0,0 +1,42 @@
+From ab33d06556e607b4477500f77d97f6ec7ee536c3 Mon Sep 17 00:00:00 2001
+From: Tomas Babej <tbabej@redhat.com>
+Date: Tue, 26 Nov 2013 12:15:33 +0100
+Subject: [PATCH] ipa-client-install: Always pass hostname to the ipa-join
+
+The ipa-client-install script and ipa-join use different methods
+of resolving the hostname, the former uses gethostbyaddr() call,
+while the latter reads the "uinfo.nodename".
+
+This can result ipa-client-install failures in case of broken PTR
+records.
+
+https://fedorahosted.org/freeipa/ticket/4027
+---
+ ipa-client/ipa-install/ipa-client-install | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-install b/ipa-client/ipa-install/ipa-client-install
+index a898d388ee039752044008f8525424370098580a..5e966a3ae9fb9d5881d0fd4e8c2509f92e665d44 100755
+--- a/ipa-client/ipa-install/ipa-client-install
++++ b/ipa-client/ipa-install/ipa-client-install
+@@ -2119,13 +2119,13 @@ def install(options, env, fstore, statestore):
+             (ccache_fd, ccache_name) = tempfile.mkstemp()
+             os.close(ccache_fd)
+             env['KRB5CCNAME'] = os.environ['KRB5CCNAME'] = ccache_name
+-            join_args = ["/usr/sbin/ipa-join", "-s", cli_server[0], "-b", str(realm_to_suffix(cli_realm))]
++            join_args = ["/usr/sbin/ipa-join",
++                         "-s", cli_server[0],
++                         "-b", str(realm_to_suffix(cli_realm)),
++                         "-h", hostname]
+             if options.debug:
+                 join_args.append("-d")
+                 env['XMLRPC_TRACE_CURL'] = 'yes'
+-            if options.hostname:
+-                join_args.append("-h")
+-                join_args.append(options.hostname)
+             if options.force_join:
+                 join_args.append("-f")
+             if options.principal is not None:
+-- 
+1.8.3.1
+
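Review bot: `hostname` is now passed to ipa-join unconditionally, so whatever that variable holds becomes the identity the host is enrolled under, and since `install()` starts outside the hunk I cannot see where it is set. The commit message says the installer derives its hostname via gethostbyaddr(), i.e. from a PTR record, which is DNS-controlled data rather than a locally configured value; if that is still the source for `hostname` here, the value should be cross-checked against the validated FQDN the `host/<fqdn>` principal is created for before it is handed to `-h`. A comment above the list, `# hostname is authoritative for the joined host principal; must be the verified FQDN`, would record that requirement for the next person who touches the resolution code.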
diff --git a/SOURCES/0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch b/SOURCES/0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch
new file mode 100644
index 0000000..434f2b5
--- /dev/null
+++ b/SOURCES/0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch
@@ -0,0 +1,43 @@
+From 51f46b7acd00b324e66e5fffd8646a48dc70aa2d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 5 Dec 2013 13:47:37 +0200
+Subject: [PATCH 13/14] trust: fix get_dn() to distinguish creating and
+ re-adding trusts
+
+Latest support for subdomains introduced regression that masked
+difference between newly added trust and re-added one.
+
+Additionally, in case no new subdomains were found, the code was
+returning None instead of an empty list which later could confuse
+trustdomain-find command.
+
+https://fedorahosted.org/freeipa/ticket/4067
+---
+ ipalib/plugins/trust.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 3b1b2fc67ce333751556a5c3a59a7f89efc608f9..76d609fd4de33edd96715deaaf7842c1de3ddaf4 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -262,7 +262,7 @@ def get_dn(self, *keys, **kwargs):
+                 result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
+                                           ldap.SCOPE_SUBTREE, filter, [''])
+             except errors.NotFound:
+-                trust_type = u'ad'
++                return None
+             else:
+                 if len(result) > 1:
+                     raise errors.OnlyOneValueAllowed(attr='trust domain')
+@@ -1244,7 +1244,7 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
+                                              trust_name, creds=creds)
+     result = []
+     if not domains:
+-        return None
++        return result
+ 
+     for dom in domains:
+         dom['trust_type'] = u'ad'
+-- 
+1.8.4.2
+
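Review bot: `get_dn()` now has a second return shape, `None` when the subtree search raises NotFound, but nothing in the hunk says what a caller is expected to do with it; add a comment above the new `return None`, e.g. `# no existing trust matches: None tells the caller to build the DN for a new trust`. The enclosing function starts outside the hunk, so I cannot see whether every caller of get_dn tolerates None rather than a DN; a consumer that indexes the result would fail with an AttributeError instead of the NotFound it previously never saw. The `return result` change in fetch_domains_from_trust is fine as is.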
diff --git a/SOURCES/0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch b/SOURCES/0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch
new file mode 100644
index 0000000..ad174dc
--- /dev/null
+++ b/SOURCES/0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch
@@ -0,0 +1,48 @@
+From 03bfce26c944e2bf4d3073d959ed1e26d8f390a1 Mon Sep 17 00:00:00 2001
+From: Tomas Babej <tbabej@redhat.com>
+Date: Tue, 26 Nov 2013 12:14:39 +0100
+Subject: [PATCH 14/14] ipa-cldap: Cut NetBIOS name after 15 characters
+
+The CLDAP DS plugin uses the uppercased first segment of the fully
+qualified hostname as the NetBIOS name. We need to limit its size
+to 15 characters.
+
+https://fedorahosted.org/freeipa/ticket/4028
+---
+ daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h          | 1 +
+ daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 6 +++++-
+ 2 files changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h
+index 7b0c2aad1991f5f5958db62844f5777f71534794..3f420ff2c5acc7bd75bff7f042f76b9c61144461 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h
+@@ -59,6 +59,7 @@
+ #define IPA_PLUGIN_NAME IPA_CLDAP_PLUGIN_NAME
+ #define CLDAP_PORT 389
+ #define MAX_DG_SIZE 4096
++#define NETBIOS_NAME_MAX 15
+ 
+ #ifndef MAXHOSTNAMELEN
+ #define MAXHOSTNAMELEN 64
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+index 7d29fe559be55607fcb6b83fa521372e5197b848..9ba05829418a0d1de46f2c7776cc15c54a9eab1c 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+@@ -161,8 +161,12 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
+     nlr->dns_domain = domain;
+     nlr->pdc_dns_name = fq_hostname;
+     nlr->domain_name = name;
+-    pdc_name = talloc_asprintf(nlr, "\\\\%s", fq_hostname);
++
++    /* copy the first 15 characters of the fully qualified hostname*/
++    pdc_name = talloc_asprintf(nlr, "\\\\%.*s", NETBIOS_NAME_MAX, fq_hostname);
++
+     for (p = pdc_name; *p; p++) {
++        /* Create the NetBIOS name from the first segment of the hostname */
+         if (*p == '.') {
+             *p = '\0';
+             break;
+-- 
+1.8.4.2
+
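Review bot: the new `talloc_asprintf()` result is dereferenced by the `for (p = pdc_name; *p; p++)` loop on the next line without a NULL check, so an allocation failure turns into a NULL-pointer dereference inside the directory server process; add `if (pdc_name == NULL) return ENOMEM;` (or whatever error code this function uses for allocation failures — its start is outside the hunk). The truncation itself looks right: `%.*s` applies the 15-character limit to the hostname only, not to the `\\` prefix, and the later dot cut still shortens labels shorter than 15. As a style point the new comment sits inside the loop body next to the `if`, describing what the whole loop does; moving it above the `for` keeps the branch uncluttered.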
diff --git a/SOURCES/0015-Prevent-garbage-from-readline-on-standard-output-of-.patch b/SOURCES/0015-Prevent-garbage-from-readline-on-standard-output-of-.patch
new file mode 100644
index 0000000..f35e96a
--- /dev/null
+++ b/SOURCES/0015-Prevent-garbage-from-readline-on-standard-output-of-.patch
@@ -0,0 +1,29 @@
+From 57bf3ea34f2b727ffe1977de1010fdf0f62c354a Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 10 Dec 2013 16:32:08 +0100
+Subject: [PATCH] Prevent garbage from readline on standard output of
+ dogtag-ipa-retrieve-agent.
+
+https://fedorahosted.org/freeipa/ticket/4064
+---
+ install/certmonger/dogtag-ipa-retrieve-agent-submit | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/install/certmonger/dogtag-ipa-retrieve-agent-submit b/install/certmonger/dogtag-ipa-retrieve-agent-submit
+index 3781fc5d01da12ce2dc01e17fc60143e82fbedc6..70cbd82d7d5cc392a2877e7478f459cc8b4a570f 100644
+--- a/install/certmonger/dogtag-ipa-retrieve-agent-submit
++++ b/install/certmonger/dogtag-ipa-retrieve-agent-submit
+@@ -23,6 +23,10 @@
+ # retrieve the updated certificate from IPA.
+ 
+ import os
++# Prevent garbage from readline on standard output
++# (see https://fedorahosted.org/freeipa/ticket/4064)
++if not os.isatty(1):
++    os.environ['TERM'] = 'dumb'
+ import sys
+ import shutil
+ import tempfile
+-- 
+1.8.4.2
+
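Review bot: the workaround only works because the `TERM` assignment runs before whatever later import pulls in readline, and the comment does not say so; a future reordering of the imports (or a sitecustomize that imports readline first) would silently bring the stray escape sequences back onto the stdout that certmonger parses as the helper's output. Make the ordering constraint explicit: `# Must stay before any import that pulls in readline: readline emits terminal init sequences on stdout, which certmonger reads as our output`. I cannot tell from the hunk which import triggers readline, so the comment should name it once that is confirmed.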
diff --git a/SOURCES/0016-Do-not-build-tests.patch b/SOURCES/0016-Do-not-build-tests.patch
new file mode 100644
index 0000000..3717767
--- /dev/null
+++ b/SOURCES/0016-Do-not-build-tests.patch
@@ -0,0 +1,35 @@
+From 0c1c338accaf23b993781535c68bdaf93ba05430 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Mon, 6 Jan 2014 10:47:19 +0100
+Subject: [PATCH] Do not build tests
+
+Tests have been moved to other SRPM.
+---
+ Makefile | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/Makefile b/Makefile
+index 9ed3bb59a0f1d52e1b40430bb9516d9438b0fcb4..7a1e7fd9dcf916d2a238c44ec34bd33fe8989c03 100644
+--- a/Makefile
++++ b/Makefile
+@@ -55,7 +55,7 @@ PYTHON ?= $(shell rpm -E %__python)
+ CFLAGS := -g -O2 -Werror -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS)
+ export CFLAGS
+ 
+-all: bootstrap-autogen server tests
++all: bootstrap-autogen server
+ 	@for subdir in $(SUBDIRS); do \
+ 		(cd $$subdir && $(MAKE) $@) || exit 1; \
+ 	done
+@@ -77,7 +77,7 @@ client-autogen: version-update
+ tests-man-autogen: version-update
+ 	cd ipatests/man; if [ ! -e Makefile ]; then ../../autogen.sh --prefix=/usr --sysconfdir=/etc --localstatedir=/var --libdir=$(LIBDIR); fi
+ 
+-install: all server-install tests-install
++install: all server-install
+ 	@for subdir in $(SUBDIRS); do \
+ 		(cd $$subdir && $(MAKE) $@) || exit 1; \
+ 	done
+-- 
+1.8.4.2
+
diff --git a/SOURCES/0017-PKI-service-restart-after-CA-renewal-failed.patch b/SOURCES/0017-PKI-service-restart-after-CA-renewal-failed.patch
new file mode 100644
index 0000000..947e53a
--- /dev/null
+++ b/SOURCES/0017-PKI-service-restart-after-CA-renewal-failed.patch
@@ -0,0 +1,198 @@
+From 34c054ea9203ffa804bafb20afa236af867ce572 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 15 Oct 2013 17:47:12 +0000
+Subject: [PATCH] PKI service restart after CA renewal failed
+
+Fix both the service restart procedure and registration of old
+pki-cad well known service name.
+
+This patch was adapted from original patch of Jan Cholasta 178 to
+fix ticket 4092.
+
+https://fedorahosted.org/freeipa/ticket/4092
+---
+ install/restart_scripts/renew_ca_cert  | 16 +++++++++-------
+ install/restart_scripts/restart_pkicad | 30 ++++++++++++++++++------------
+ install/restart_scripts/stop_pkicad    | 16 ++++++++--------
+ ipapython/dogtag.py                    |  4 ++++
+ ipapython/platform/base/__init__.py    |  2 +-
+ ipaserver/install/cainstance.py        |  4 ++--
+ 6 files changed, 42 insertions(+), 30 deletions(-)
+
+diff --git a/install/restart_scripts/renew_ca_cert b/install/restart_scripts/renew_ca_cert
+index ab394b970eaee28bc386d4d1ba737643414e2680..b10e4b842f3b9a54962402cddce8710eae4538b8 100644
+--- a/install/restart_scripts/renew_ca_cert
++++ b/install/restart_scripts/renew_ca_cert
+@@ -49,6 +49,7 @@ api.finalize()
+ 
+ configured_constants = dogtag.configured_constants(api)
+ alias_dir = configured_constants.ALIAS_DIR
++dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
+ dogtag_instance = configured_constants.PKI_INSTANCE_NAME
+ 
+ # Fetch the new certificate
+@@ -106,12 +107,13 @@ if nickname == 'auditSigningCert cert-pki-ca':
+ # off the servlet to verify that the CA is actually up and responding so
+ # when this returns it should be good-to-go. The CA was stopped in the
+ # pre-save state.
+-syslog.syslog(syslog.LOG_NOTICE, 'Starting %sd' % dogtag_instance)
++syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
+ try:
+-    if configured_constants.DOGTAG_VERSION == 9:
+-        ipaservices.knownservices.pki_cad.start(dogtag_instance)
+-    else:
+-        ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
++    dogtag_service.start(dogtag_instance)
+ except Exception, e:
+-    syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
+-                  (dogtag_instance, str(e)))
++    syslog.syslog(
++        syslog.LOG_ERR,
++        "Cannot start %s: %s" % (dogtag_service.service_name, e))
++else:
++    syslog.syslog(
++        syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
+diff --git a/install/restart_scripts/restart_pkicad b/install/restart_scripts/restart_pkicad
+index a58c3f31e1bd288587842ba5fc4335c967b9405e..f840aeb1a228aee88b1c498700f733f1b90686f0 100644
+--- a/install/restart_scripts/restart_pkicad
++++ b/install/restart_scripts/restart_pkicad
+@@ -33,18 +33,25 @@ api.finalize()
+ 
+ configured_constants = dogtag.configured_constants(api)
+ alias_dir = configured_constants.ALIAS_DIR
++dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
+ dogtag_instance = configured_constants.PKI_INSTANCE_NAME
+ 
+ # dogtag opens its NSS database in read/write mode so we need it
+ # shut down so certmonger can open it read/write mode. This avoids
+ # database corruption. It should already be stopped by the pre-command
+ # but lets be sure.
+-if ipaservices.knownservices.pki_cad.is_running(dogtag_instance):
++if dogtag_service.is_running(dogtag_instance):
++    syslog.syslog(
++        syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
+     try:
+-        ipaservices.knownservices.pki_cad.stop(dogtag_instance)
++        dogtag_service.stop(dogtag_instance)
+     except Exception, e:
+-        syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
+-                      (dogtag_instance, str(e)))
++        syslog.syslog(
++            syslog.LOG_ERR,
++            "Cannot stop %s: %s" % (dogtag_service.service_name, e))
++    else:
++        syslog.syslog(
++            syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
+ 
+ # Fix permissions on the audit cert if we're updating it
+ if nickname == 'auditSigningCert cert-pki-ca':
+@@ -55,14 +62,13 @@ if nickname == 'auditSigningCert cert-pki-ca':
+            ]
+     db.run_certutil(args)
+ 
++syslog.syslog(syslog.LOG_NOTICE, 'Starting %s' % dogtag_service.service_name)
+ try:
+-    if configured_constants.DOGTAG_VERSION == 9:
+-        ipaservices.knownservices.pki_cad.start(dogtag_instance)
+-    else:
+-        ipaservices.knownservices.pki_tomcatd.start(dogtag_instance)
++    dogtag_service.start(dogtag_instance)
+ except Exception, e:
+-    syslog.syslog(syslog.LOG_ERR, "Cannot start %sd: %s" %
+-                  (dogtag_instance, str(e)))
++    syslog.syslog(
++        syslog.LOG_ERR,
++        "Cannot start %s: %s" % (dogtag_service.service_name, e))
+ else:
+-    syslog.syslog(syslog.LOG_NOTICE, "certmonger started %sd, nickname '%s'" %
+-                  (dogtag_instance, nickname))
++    syslog.syslog(
++        syslog.LOG_NOTICE, "Started %s" % dogtag_service.service_name)
+diff --git a/install/restart_scripts/stop_pkicad b/install/restart_scripts/stop_pkicad
+index c8589b286eefbe1c3d79e2a6dab7adfd3ff56b2a..bbaf8895e3a86899ee5bd794eb595fd43316028b 100644
+--- a/install/restart_scripts/stop_pkicad
++++ b/install/restart_scripts/stop_pkicad
+@@ -29,15 +29,15 @@ api.bootstrap(context='restart')
+ api.finalize()
+ 
+ configured_constants = dogtag.configured_constants(api)
++dogtag_service = ipaservices.knownservices[configured_constants.SERVICE_NAME]
+ dogtag_instance = configured_constants.PKI_INSTANCE_NAME
+ 
+-syslog.syslog(syslog.LOG_NOTICE, "certmonger stopping %sd" % dogtag_instance)
+-
++syslog.syslog(syslog.LOG_NOTICE, "Stopping %s" % dogtag_service.service_name)
+ try:
+-    if configured_constants.DOGTAG_VERSION == 9:
+-        ipaservices.knownservices.pki_cad.stop(dogtag_instance)
+-    else:
+-        ipaservices.knownservices.pki_tomcatd.stop(dogtag_instance)
++    dogtag_service.stop(dogtag_instance)
+ except Exception, e:
+-    syslog.syslog(syslog.LOG_ERR, "Cannot stop %sd: %s" %
+-                  (dogtag_instance, str(e)))
++    syslog.syslog(
++        syslog.LOG_ERR, "Cannot stop %s: %s" % (dogtag_service.service_name, e))
++else:
++    syslog.syslog(
++        syslog.LOG_NOTICE, "Stopped %s" % dogtag_service.service_name)
+diff --git a/ipapython/dogtag.py b/ipapython/dogtag.py
+index ea769b0275c4642d5da457996165e5a348cb7299..f829b9340d1ce55b2adae4817018de11b894c92d 100644
+--- a/ipapython/dogtag.py
++++ b/ipapython/dogtag.py
+@@ -62,6 +62,8 @@ class Dogtag10Constants(object):
+     SERVICE_PROFILE_DIR = '%s/ca/profiles/ca' % PKI_ROOT
+     ALIAS_DIR = '/etc/pki/pki-tomcat/alias'
+ 
++    SERVICE_NAME = 'pki_tomcatd'
++
+     RACERT_LINE_SEP = '\n'
+ 
+     IPA_SERVICE_PROFILE = '%s/caIPAserviceCert.cfg' % SERVICE_PROFILE_DIR
+@@ -92,6 +94,8 @@ class Dogtag9Constants(object):
+     SERVICE_PROFILE_DIR = '%s/profiles/ca' % PKI_ROOT
+     ALIAS_DIR = '%s/alias' % PKI_ROOT
+ 
++    SERVICE_NAME = 'pki-cad'
++
+     RACERT_LINE_SEP = '\r\n'
+ 
+     ADMIN_SECURE_PORT = 9445
+diff --git a/ipapython/platform/base/__init__.py b/ipapython/platform/base/__init__.py
+index e2aa33faf9ccf182c778dfdbd8fd68d3686deae0..d76bc73a7d159c2dd43e281fa9916f245d88aaf3 100644
+--- a/ipapython/platform/base/__init__.py
++++ b/ipapython/platform/base/__init__.py
+@@ -27,7 +27,7 @@
+ wellknownservices = ['certmonger', 'dirsrv', 'httpd', 'ipa', 'krb5kdc',
+                      'messagebus', 'nslcd', 'nscd', 'ntpd', 'portmap',
+                      'rpcbind', 'kadmin', 'sshd', 'autofs', 'rpcgssd',
+-                     'rpcidmapd', 'pki_tomcatd', 'pki-cad', 'chronyd']
++                     'rpcidmapd', 'pki_tomcatd', 'pki_cad', 'chronyd']
+ 
+ # System may support more time&date services. FreeIPA supports ntpd only, other
+ # services will be disabled during IPA installation
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index ac5c81de8c57194160cbfd2fa79c776bf2f39625..52c91b68c2d073a9b1c6aedc1811aa26db046e6b 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1283,7 +1283,7 @@ def enable_client_auth_to_db(self):
+         """
+         caconfig = dogtag.install_constants.CS_CFG_PATH
+ 
+-        with stopped_service('pki_tomcatd',
++        with stopped_service(self.dogtag_constants.SERVICE_NAME,
+                         instance_name=self.dogtag_constants.PKI_INSTANCE_NAME):
+ 
+             # Enable file publishing, disable LDAP
+@@ -1723,7 +1723,7 @@ def update_cert_config(nickname, cert, dogtag_constants=None):
+                   'subsystemCert cert-pki-ca': 'ca.subsystem.cert',
+                   'Server-Cert cert-pki-ca': 'ca.sslserver.cert'}
+ 
+-    with stopped_service('pki_tomcatd',
++    with stopped_service(dogtag_constants.SERVICE_NAME,
+                          instance_name=dogtag_constants.PKI_INSTANCE_NAME):
+ 
+         installutils.set_directive(dogtag.configured_constants().CS_CFG_PATH,
+-- 
+1.8.4.2
+
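Review bot: `Dogtag9Constants.SERVICE_NAME = 'pki-cad'` uses a hyphen while the same patch renames the well-known service entry to `'pki_cad'` with an underscore, and all three restart scripts now resolve the service as `ipaservices.knownservices[configured_constants.SERVICE_NAME]`; if that dictionary is keyed by the `wellknownservices` names, the lookup raises KeyError on every Dogtag 9 system unless the platform service factory (outside this patch) translates the hyphenated form. The consistent spelling is `SERVICE_NAME = 'pki_cad'`, matching how `Dogtag10Constants` spells `'pki_tomcatd'`. Note also that the lookup happens at module level in renew_ca_cert, restart_pkicad and stop_pkicad, before any syslog call, so a KeyError there aborts the certmonger hook with nothing in the log; wrapping the lookup and reporting via syslog as the start/stop calls already do would keep the failure diagnosable.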
diff --git a/SOURCES/0018-hbactest-does-not-work-for-external-users.patch b/SOURCES/0018-hbactest-does-not-work-for-external-users.patch
new file mode 100644
index 0000000..4961b8b
--- /dev/null
+++ b/SOURCES/0018-hbactest-does-not-work-for-external-users.patch
@@ -0,0 +1,43 @@
+From 01e98be318caa921302726b48f05166b0ce00f21 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Fri, 10 Jan 2014 12:41:29 +0100
+Subject: [PATCH] hbactest does not work for external users
+
+Original patch for ticket #3803 implemented support to resolve SIDs
+through SSSD. However, it also broke hbactest for external users. The
+result of the updated external member group search must be local
+non-external groups, not the external ones. Otherwise the rule is not
+matched.
+
+https://fedorahosted.org/freeipa/ticket/3803
+---
+ ipalib/plugins/hbactest.py | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/ipalib/plugins/hbactest.py b/ipalib/plugins/hbactest.py
+index fed39b05d8ac75254575cf211d338ab85b093cb8..cc18890ce3ca589a0d086aa263795f9c4ff61cb6 100644
+--- a/ipalib/plugins/hbactest.py
++++ b/ipalib/plugins/hbactest.py
+@@ -400,14 +400,16 @@ def execute(self, *args, **options):
+                 ldap = self.api.Backend.ldap2
+                 group_container = DN(api.env.container_group, api.env.basedn)
+                 try:
+-                    entries, truncated = ldap.find_entries(filter_sids, ['cn'], group_container)
++                    entries, truncated = ldap.find_entries(filter_sids, ['memberof'], group_container)
+                 except errors.NotFound:
+                     request.user.groups = []
+                 else:
+                     groups = []
+                     for dn, entry in entries:
+-                        if dn.endswith(group_container):
+-                            groups.append(dn[0][0].value)
++                        memberof_dns = entry.get('memberof', [])
++                        for memberof_dn in memberof_dns:
++                            if memberof_dn.endswith(group_container):
++                                groups.append(memberof_dn[0][0].value)
+                     request.user.groups = sorted(set(groups))
+             else:
+                 # try searching for a local user
+-- 
+1.8.4.2
+
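Review bot: the `truncated` flag returned by `ldap.find_entries()` is still ignored on the changed line, so when the SID search hits the size limit the user's group list is silently incomplete and hbactest reports an access decision computed from partial membership. Because this is an access-control simulation, the truncated case should at least be surfaced, e.g. `if truncated: raise errors.LimitsExceeded()` if that is the convention used elsewhere in the plugin. The new loop also assumes `memberof` values come back as DN objects (`memberof_dn.endswith(...)`, `memberof_dn[0][0].value`); if ldap2 returns plain strings for this attribute the branch fails, so a comment stating the assumption is warranted until confirmed. `execute()` starts outside the hunk.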
diff --git a/SOURCES/0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch b/SOURCES/0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch
new file mode 100644
index 0000000..118ee8a
--- /dev/null
+++ b/SOURCES/0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch
@@ -0,0 +1,72 @@
+From b574423a54dbff7dbca89c6cee49f0304f2393e1 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Tue, 14 Jan 2014 14:23:47 -0500
+Subject: [PATCH 19/25] Change the way we determine if the host has a password
+ set.
+
+When creating a host with a password we don't set a Kerberos
+principal or add the Kerberos objectclasses. Those get added when the
+host is enrolled. If one passed in --password= (so no password) then
+we incorrectly thought the user was in fact setting a password, so the
+principal and objectclasses weren't updated.
+
+https://fedorahosted.org/freeipa/ticket/4102
+---
+ ipalib/plugins/host.py                   |  2 +-
+ ipatests/test_xmlrpc/test_host_plugin.py | 27 +++++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/host.py b/ipalib/plugins/host.py
+index 7aa94aa95ba9be17c308546d5d2fe247f27a07b3..9d45e270ff8221e4b9380684cb56112db4af4f52 100644
+--- a/ipalib/plugins/host.py
++++ b/ipalib/plugins/host.py
+@@ -425,7 +425,7 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+             entry_attrs['l'] = entry_attrs['locality']
+         entry_attrs['cn'] = keys[-1]
+         entry_attrs['serverhostname'] = keys[-1].split('.', 1)[0]
+-        if 'userpassword' not in entry_attrs and not options.get('random', False):
++        if not entry_attrs.get('userpassword', False) and not options.get('random', False):
+             entry_attrs['krbprincipalname'] = 'host/%s@%s' % (
+                 keys[-1], self.api.env.realm
+             )
+diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
+index a23a34112f5c041a8325d5090580b535d93c7a72..7b64398fadd236b9b06723ef561cb19d61bca6d5 100644
+--- a/ipatests/test_xmlrpc/test_host_plugin.py
++++ b/ipatests/test_xmlrpc/test_host_plugin.py
+@@ -863,6 +863,33 @@ class test_host(Declarative):
+             ),
+         ),
+ 
++
++        dict(
++            desc='Create a host with a NULL password',
++            command=('host_add', [fqdn3],
++                dict(
++                    description=u'Test host 3',
++                    force=True,
++                    userpassword=None,
++                ),
++            ),
++            expected=dict(
++                value=fqdn3,
++                summary=u'Added host "%s"' % fqdn3,
++                result=dict(
++                    dn=dn3,
++                    fqdn=[fqdn3],
++                    description=[u'Test host 3'],
++                    krbprincipalname=[u'host/%s@%s' % (fqdn3, api.env.realm)],
++                    objectclass=objectclasses.host,
++                    ipauniqueid=[fuzzy_uuid],
++                    managedby_host=[u'%s' % fqdn3],
++                    has_keytab=False,
++                    has_password=False,
++                ),
++            ),
++        ),
++
+     ]
+ 
+ class test_host_false_pwd_change(XMLRPC_test):
+-- 
+1.8.4.2
+
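Review bot: the new condition treats an empty `--password=` as "no password" when deciding to add the principal, but `entry_attrs` still carries the `userpassword` key with its empty value and the hunk does not show it being dropped before the add; unless the framework already strips empty values (I cannot see that from here), the entry would be written with an empty userPassword. If it is not stripped, pop it in the same branch: `entry_attrs.pop('userpassword', None)`. As a style point the `False` default in `entry_attrs.get('userpassword', False)` is redundant; `not entry_attrs.get('userpassword')` reads the same. pre_callback continues outside the hunk.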
diff --git a/SOURCES/0020-sudoOrder-missing-in-sudoers.patch b/SOURCES/0020-sudoOrder-missing-in-sudoers.patch
new file mode 100644
index 0000000..6f81e52
--- /dev/null
+++ b/SOURCES/0020-sudoOrder-missing-in-sudoers.patch
@@ -0,0 +1,27 @@
+From 4e5f306c4a544d449a763b46baea0ebfdb0d5785 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 15 Jan 2014 08:58:16 +0100
+Subject: [PATCH 20/25] sudoOrder missing in sudoers
+
+sudoers compat plugin configuration missed the sudoOrder attribute
+and it thus did not show up in ou=sudoers. Add the definion to update
+file.
+
+https://fedorahosted.org/freeipa/ticket/4107
+---
+ install/updates/10-schema_compat.update | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/install/updates/10-schema_compat.update b/install/updates/10-schema_compat.update
+index e65e67afc40f10eee342afc12e2132d36e9c2a1a..1199ef3861fb60e204cd0cd6272a829b495cdde7 100644
+--- a/install/updates/10-schema_compat.update
++++ b/install/updates/10-schema_compat.update
+@@ -21,3 +21,5 @@ dn: cn=computers, cn=Schema Compatibility, cn=plugins,
+ default:schema-compat-entry-attribute: cn=%{fqdn}
+ default:schema-compat-entry-attribute: macAddress=%{macAddress}
+ 
++dn: cn=sudoers,cn=Schema Compatibility,cn=plugins,cn=config
++add:schema-compat-entry-attribute: sudoOrder=%{sudoOrder}
+-- 
+1.8.4.2
+
diff --git a/SOURCES/0021-Add-missing-example-to-sudorule.patch b/SOURCES/0021-Add-missing-example-to-sudorule.patch
new file mode 100644
index 0000000..5bae186
--- /dev/null
+++ b/SOURCES/0021-Add-missing-example-to-sudorule.patch
@@ -0,0 +1,45 @@
+From f85b3ba942c0347c197cd738fab444fe9a697a62 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Wed, 15 Jan 2014 09:31:37 +0100
+Subject: [PATCH 21/25] Add missing example to sudorule
+
+https://fedorahosted.org/freeipa/ticket/4090
+---
+ ipalib/plugins/sudorule.py | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py
+index a89941cb6ab9b258de26bb7cf3632dc0acc7e20e..9644aafa263b4790c8123d177f0ccd10b572f0f0 100644
+--- a/ipalib/plugins/sudorule.py
++++ b/ipalib/plugins/sudorule.py
+@@ -52,7 +52,26 @@
+ -h ipa.example.com -ZZ -D "cn=Directory Manager" \
+ uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+ 
+-For more information, see the FreeIPA Documentation to Sudo.
++EXAMPLES:
++
++ Create a new rule:
++   ipa sudorule-add readfiles
++
++ Add sudo command object and add it as allowed command in the rule:
++   ipa sudocmd-add /usr/bin/less
++   ipa sudorule-add-allow-command readfiles --sudocmds /usr/bin/less
++
++ Add a host to the rule:
++   ipa sudorule-add-host readfiles --hosts server.example.com
++
++ Add a user to the rule:
++   ipa sudorule-add-user readfiles --users jsmith
++
++ Add a special Sudo rule for default Sudo server configuration:
++   ipa sudorule-add defaults
++
++ Set a default Sudo option:
++   ipa sudorule-add-option defaults --sudooption '!authenticate'
+ """)
+ 
+ topic = ('sudo', _('Commands for controlling sudo configuration'))
+-- 
+1.8.4.2
+
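Review bot: the last example, `ipa sudorule-add-option defaults --sudooption '!authenticate'`, shows disabling sudo's password prompt as the sample default option, and readers copy examples verbatim; either pick a harmless option for the illustration or add a one-line caveat such as `(this turns off password prompting for every rule — use with care)`. The rest of the added EXAMPLES block reads well.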
diff --git a/SOURCES/0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch b/SOURCES/0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch
new file mode 100644
index 0000000..e478189
--- /dev/null
+++ b/SOURCES/0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch
@@ -0,0 +1,27 @@
+From 8782235cff60229051c82880131fb11c82659a0b Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Wed, 15 Jan 2014 10:48:10 +0100
+Subject: [PATCH 22/25] Fix ipa-client-automount uninstall when fstore is
+ empty.
+
+https://fedorahosted.org/freeipa/ticket/4091
+---
+ ipa-client/ipa-install/ipa-client-automount | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
+index 2ce31dcb9605941fa8734caad7ed5ba9b5ce1e01..62531bfe1d923b1705aed1187da6766b54c90a0c 100755
+--- a/ipa-client/ipa-install/ipa-client-automount
++++ b/ipa-client/ipa-install/ipa-client-automount
+@@ -360,7 +360,7 @@ def main():
+ 
+     fstore = sysrestore.FileStore('/var/lib/ipa-client/sysrestore')
+     statestore = sysrestore.StateFile('/var/lib/ipa-client/sysrestore')
+-    if not fstore.has_files():
++    if not fstore.has_files() and not os.path.exists('/etc/ipa/default.conf'):
+         sys.exit('IPA client is not configured on this system.\n')
+ 
+     options, args = parse_options()
+-- 
+1.8.4.2
+
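Review bot: The relaxed guard lets uninstall proceed whenever /etc/ipa/default.conf exists even though the file store has no entries, so the restore logic later in main() (outside this hunk) must cope with an fstore that has nothing to restore; the subject suggests that is exactly the scenario being fixed, but nothing in the hunk says so. A short comment above the condition would spare the next reader a trip to the ticket, e.g. `# An empty fstore alone does not prove the client is unconfigured (see ticket 4091); only bail out when the IPA client config is absent as well.` This also assumes `os` is already imported by the script, which is not visible here.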
diff --git a/SOURCES/0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch b/SOURCES/0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch
new file mode 100644
index 0000000..fca1bd3
--- /dev/null
+++ b/SOURCES/0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch
@@ -0,0 +1,346 @@
+From f446cde6f626f5a4b086a542121486bde42d0dc7 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 14 Jan 2014 13:55:56 +0200
+Subject: [PATCH 23/25] trust-fetch-domains: create ranges for new child
+ domains
+
+When trust is added, we do create ranges for discovered child domains.
+However, this functionality was not available through
+'trust-fetch-domains' command.
+
+Additionally, make sure non-existing trust will report proper error in
+trust-fetch-domains.
+
+https://fedorahosted.org/freeipa/ticket/4111
+https://fedorahosted.org/freeipa/ticket/4104
+---
+ ipalib/plugins/trust.py | 256 +++++++++++++++++++++++++-----------------------
+ 1 file changed, 135 insertions(+), 121 deletions(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 76d609fd4de33edd96715deaaf7842c1de3ddaf4..a16c23083662fd674c45ba54b9dfb9f4837160df 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -188,6 +188,114 @@ def make_trust_dn(env, trust_type, dn):
+         return DN(dn, container_dn)
+     return dn
+ 
++def add_range(self, range_name, dom_sid, *keys, **options):
++    """
++    First, we try to derive the parameters of the ID range based on the
++    information contained in the Active Directory.
++
++    If that was not successful, we go for our usual defaults (random base,
++    range size 200 000, ipa-ad-trust range type).
++
++    Any of these can be overriden by passing appropriate CLI options
++    to the trust-add command.
++    """
++
++    range_size = None
++    range_type = None
++    base_id = None
++
++    # First, get information about ID space from AD
++    # However, we skip this step if other than ipa-ad-trust-posix
++    # range type is enforced
++
++    if options.get('range_type', None) in (None, u'ipa-ad-trust-posix'):
++
++        # Get the base dn
++        domain = keys[-1]
++        basedn = realm_to_suffix(domain)
++
++        # Search for information contained in
++        # CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
++        info_filter = '(objectClass=msSFU30DomainInfo)'
++        info_dn = DN('CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System')\
++                  + basedn
++
++        # Get the domain validator
++        domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
++        if not domain_validator.is_configured():
++            raise errors.NotFound(
++                reason=_('Cannot search in trusted domains without own '
++                         'domain configured. Make sure you have run '
++                         'ipa-adtrust-install on the IPA server first'))
++
++        # KDC might not get refreshed data at the first time,
++        # retry several times
++        for retry in range(10):
++            info_list = domain_validator.search_in_dc(domain,
++                                                      info_filter,
++                                                      None,
++                                                      SCOPE_SUBTREE,
++                                                      basedn=info_dn,
++                                                      quiet=True)
++
++            if info_list:
++                info = info_list[0]
++                break
++            else:
++                sleep(2)
++
++        required_msSFU_attrs = ['msSFU30MaxUidNumber', 'msSFU30OrderNumber']
++
++        if not info_list:
++            # We were unable to gain UNIX specific info from the AD
++            self.log.debug("Unable to gain POSIX info from the AD")
++        else:
++            if all(attr in info for attr in required_msSFU_attrs):
++                self.log.debug("Able to gain POSIX info from the AD")
++                range_type = u'ipa-ad-trust-posix'
++
++                max_uid = info.get('msSFU30MaxUidNumber')
++                max_gid = info.get('msSFU30MaxGidNumber', None)
++                max_id = int(max(max_uid, max_gid)[0])
++
++                base_id = int(info.get('msSFU30OrderNumber')[0])
++                range_size = (1 + (max_id - base_id) / DEFAULT_RANGE_SIZE)\
++                             * DEFAULT_RANGE_SIZE
++
++    # Second, options given via the CLI options take precedence to discovery
++    if options.get('range_type', None):
++        range_type = options.get('range_type', None)
++    elif not range_type:
++        range_type = u'ipa-ad-trust'
++
++    if options.get('range_size', None):
++        range_size = options.get('range_size', None)
++    elif not range_size:
++        range_size = DEFAULT_RANGE_SIZE
++
++    if options.get('base_id', None):
++        base_id = options.get('base_id', None)
++    elif not base_id:
++        # Generate random base_id if not discovered nor given via CLI
++        base_id = DEFAULT_RANGE_SIZE + (
++            pysss_murmur.murmurhash3(
++                dom_sid,
++                len(dom_sid), 0xdeadbeefL
++            ) % 10000
++        ) * DEFAULT_RANGE_SIZE
++
++    # Finally, add new ID range
++    self.api.Command['idrange_add'](range_name,
++                                    ipabaseid=base_id,
++                                    ipaidrangesize=range_size,
++                                    ipabaserid=0,
++                                    iparangetype=range_type,
++                                    ipanttrusteddomainsid=dom_sid)
++
++    # Return the values that were generated inside this function
++    return range_type, range_size, base_id
++
++
+ class trust(LDAPObject):
+     """
+     Trust object.
+@@ -258,15 +366,11 @@ def get_dn(self, *keys, **kwargs):
+             filter = ldap.make_filter({'objectclass': ['ipaNTTrustedDomain'], 'cn': [keys[-1]] },
+                                       rules=ldap.MATCH_ALL)
+             filter = ldap.combine_filters((filter, "ipaNTSIDBlacklistIncoming=*"), rules=ldap.MATCH_ALL)
+-            try:
+-                result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
+-                                          ldap.SCOPE_SUBTREE, filter, [''])
+-            except errors.NotFound:
+-                return None
+-            else:
+-                if len(result) > 1:
+-                    raise errors.OnlyOneValueAllowed(attr='trust domain')
+-                return result[0].dn
++            result = ldap.get_entries(DN(self.container_dn, self.env.basedn),
++                                      ldap.SCOPE_SUBTREE, filter, [''])
++            if len(result) > 1:
++                raise errors.OnlyOneValueAllowed(attr='trust domain')
++            return result[0].dn
+ 
+         dn=make_trust_dn(self.env, trust_type, DN(*sdn))
+         return dn
+@@ -341,8 +445,8 @@ def execute(self, *keys, **options):
+             # Store the created range type, since for POSIX trusts no
+             # ranges for the subdomains should be added, POSIX attributes
+             # provide a global mapping across all subdomains
+-            (created_range_type, _, _) = self.add_range(range_name, dom_sid,
+-                                                        *keys, **options)
++            (created_range_type, _, _) = add_range(self, range_name, dom_sid,
++                                                   *keys, **options)
+         else:
+             created_range_type = old_range['result']['iparangetype'][0]
+ 
+@@ -382,8 +486,8 @@ def execute(self, *keys, **options):
+ 
+                     # Try to add the range for each subdomain
+                     try:
+-                        self.add_range(range_name, dom_sid, *keys,
+-                                       **passed_options)
++                        add_range(self, range_name, dom_sid, *keys,
++                                  **passed_options)
+                     except errors.DuplicateEntry:
+                         pass
+ 
+@@ -549,120 +653,17 @@ def validate_range(self, *keys, **options):
+ 
+         return old_range, range_name, dom_sid
+ 
+-    def add_range(self, range_name, dom_sid, *keys, **options):
+-        """
+-        First, we try to derive the parameters of the ID range based on the
+-        information contained in the Active Directory.
+-
+-        If that was not successful, we go for our usual defaults (random base,
+-        range size 200 000, ipa-ad-trust range type).
+-
+-        Any of these can be overriden by passing appropriate CLI options
+-        to the trust-add command.
+-        """
+-
+-        range_size = None
+-        range_type = None
+-        base_id = None
+-
+-        # First, get information about ID space from AD
+-        # However, we skip this step if other than ipa-ad-trust-posix
+-        # range type is enforced
+-
+-        if options.get('range_type', None) in (None, u'ipa-ad-trust-posix'):
+-
+-            # Get the base dn
+-            domain = keys[-1]
+-            basedn = realm_to_suffix(domain)
+-
+-            # Search for information contained in
+-            # CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System
+-            info_filter = '(objectClass=msSFU30DomainInfo)'
+-            info_dn = DN('CN=ypservers,CN=ypServ30,CN=RpcServices,CN=System')\
+-                      + basedn
+-
+-            # Get the domain validator
+-            domain_validator = ipaserver.dcerpc.DomainValidator(self.api)
+-            if not domain_validator.is_configured():
+-                raise errors.NotFound(
+-                    reason=_('Cannot search in trusted domains without own '
+-                             'domain configured. Make sure you have run '
+-                             'ipa-adtrust-install on the IPA server first'))
+-
+-            # KDC might not get refreshed data at the first time,
+-            # retry several times
+-            for retry in range(10):
+-                info_list = domain_validator.search_in_dc(domain,
+-                                                          info_filter,
+-                                                          None,
+-                                                          SCOPE_SUBTREE,
+-                                                          basedn=info_dn,
+-                                                          quiet=True)
+-
+-                if info_list:
+-                    info = info_list[0]
+-                    break
+-                else:
+-                    sleep(2)
+-
+-            required_msSFU_attrs = ['msSFU30MaxUidNumber', 'msSFU30OrderNumber']
+-
+-            if not info_list:
+-                # We were unable to gain UNIX specific info from the AD
+-                self.log.debug("Unable to gain POSIX info from the AD")
+-            else:
+-                if all(attr in info for attr in required_msSFU_attrs):
+-                    self.log.debug("Able to gain POSIX info from the AD")
+-                    range_type = u'ipa-ad-trust-posix'
+-
+-                    max_uid = info.get('msSFU30MaxUidNumber')
+-                    max_gid = info.get('msSFU30MaxGidNumber', None)
+-                    max_id = int(max(max_uid, max_gid)[0])
+-
+-                    base_id = int(info.get('msSFU30OrderNumber')[0])
+-                    range_size = (1 + (max_id - base_id) / DEFAULT_RANGE_SIZE)\
+-                                 * DEFAULT_RANGE_SIZE
+-
+-        # Second, options given via the CLI options take precedence to discovery
+-        if options.get('range_type', None):
+-            range_type = options.get('range_type', None)
+-        elif not range_type:
+-            range_type = u'ipa-ad-trust'
+-
+-        if options.get('range_size', None):
+-            range_size = options.get('range_size', None)
+-        elif not range_size:
+-            range_size = DEFAULT_RANGE_SIZE
+-
+-        if options.get('base_id', None):
+-            base_id = options.get('base_id', None)
+-        elif not base_id:
+-            # Generate random base_id if not discovered nor given via CLI
+-            base_id = DEFAULT_RANGE_SIZE + (
+-                pysss_murmur.murmurhash3(
+-                    dom_sid,
+-                    len(dom_sid), 0xdeadbeefL
+-                ) % 10000
+-            ) * DEFAULT_RANGE_SIZE
+-
+-        # Finally, add new ID range
+-        api.Command['idrange_add'](range_name,
+-                                   ipabaseid=base_id,
+-                                   ipaidrangesize=range_size,
+-                                   ipabaserid=0,
+-                                   iparangetype=range_type,
+-                                   ipanttrusteddomainsid=dom_sid)
+-
+-        # Return the values that were generated inside this function
+-        return range_type, range_size, base_id
+-
+     def execute_ad(self, full_join, *keys, **options):
+         # Join domain using full credentials and with random trustdom
+         # secret (will be generated by the join method)
+ 
+         # First see if the trust is already in place
+         # Force retrieval of the trust object by not passing trust_type
+-        dn = self.obj.get_dn(keys[-1])
++        try:
++            dn = self.obj.get_dn(keys[-1])
++        except errors.NotFound:
++            dn = None
++
+         if dn:
+             summary = _('Re-established trust to domain "%(value)s"')
+         else:
+@@ -794,6 +795,7 @@ class trust_show(LDAPRetrieve):
+ 
+     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+ 
++        assert isinstance(dn, DN)
+         # Translate ipanttrusttype to trusttype
+         # and ipanttrustdirection to trustdirection
+         # if --raw not used
+@@ -1246,6 +1248,11 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
+     if not domains:
+         return result
+ 
++    # trust range must exist by the time fetch_domains_from_trust is called
++    range_name = trust_name.upper() + '_id_range'
++    old_range = api.Command.idrange_show(range_name, raw=True)['result']
++    idrange_type = old_range['iparangetype']
++
+     for dom in domains:
+         dom['trust_type'] = u'ad'
+         try:
+@@ -1255,8 +1262,15 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
+                 dom['all'] = options['all']
+             if 'raw' in options:
+                 dom['raw'] = options['raw']
++
+             res = self.api.Command.trustdomain_add(trust_name, name, **dom)
+             result.append(res['result'])
++
++            if idrange_type != u'ipa-ad-trust-posix':
++                range_name = name.upper() + '_id_range'
++                dom['range_type'] = u'ipa-ad-trust'
++                add_range(self, range_name, dom['ipanttrusteddomainsid'],
++                          trust_name, name, **dom)
+         except errors.DuplicateEntry:
+             # Ignore updating duplicate entries
+             pass
+-- 
+1.8.4.2
+
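Review bot: In fetch_domains_from_trust the trust's own range is looked up by the conventional name `trust_name.upper() + '_id_range'`, but trust-add appears to allow a caller-chosen range name (validate_range returns `range_name` next to `old_range`), so for such trusts `api.Command.idrange_show` raises errors.NotFound and trust-fetch-domains fails before any child range is created. Resolving the range by the trust's SID (an idrange search on `ipanttrusteddomainsid`) instead of by name, or at least catching errors.NotFound there with a message naming the missing range, would make this robust. Separately, get_dn no longer converts errors.NotFound to None on the blacklist-filtered lookup; execute_ad is adapted in this patch, but any other caller of get_dn without trust_type now receives the exception and is worth checking. fetch_domains_from_trust's body starts and ends outside the hunk.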
diff --git a/SOURCES/0024-trustdomain-find-report-status-of-the-sub-domain.patch b/SOURCES/0024-trustdomain-find-report-status-of-the-sub-domain.patch
new file mode 100644
index 0000000..7c94776
--- /dev/null
+++ b/SOURCES/0024-trustdomain-find-report-status-of-the-sub-domain.patch
@@ -0,0 +1,57 @@
+From c805cd76acc8fbc9c2cb689deaf6e5eae78700c5 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 15 Jan 2014 15:42:10 +0200
+Subject: [PATCH 24/25] trustdomain-find: report status of the (sub)domain
+
+Show status of each enumerated domain
+
+trustdomain-find shows list of domains associated with the trust.
+Each domain except the trust forest root can be enabled or disabled
+with the help of trustdomain-enable and trustdomain-disable commands.
+
+https://fedorahosted.org/freeipa/ticket/4096
+---
+ ipalib/plugins/trust.py | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index a16c23083662fd674c45ba54b9dfb9f4837160df..3d412c9c9f518347769e88ddc9089d6d92ccc4be 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -21,7 +21,7 @@
+ from ipalib.plugins.baseldap import *
+ from ipalib.plugins.dns import dns_container_exists
+ from ipapython.ipautil import realm_to_suffix
+-from ipalib import api, Str, StrEnum, Password, _, ngettext
++from ipalib import api, Str, StrEnum, Password, Bool, _, ngettext
+ from ipalib import Command
+ from ipalib import errors
+ from ldap import SCOPE_SUBTREE
+@@ -1183,8 +1183,24 @@ def get_dn(self, *keys, **kwargs):
+ class trustdomain_find(LDAPSearch):
+     __doc__ = _('Search domains of the trust')
+ 
++    has_output_params = LDAPSearch.has_output_params + (
++        Flag('domain_enabled', label= _('Domain enabled')),
++    )
+     def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **options):
+         return (filters, base_dn, ldap.SCOPE_SUBTREE)
++
++    def post_callback(self, ldap, entries, truncated, *args, **options):
++        trust_dn = self.obj.get_dn(args[0], trust_type=u'ad')
++        trust_entry = ldap.get_entry(trust_dn)
++        for entry in entries:
++            sid = entry['ipanttrusteddomainsid'][0]
++            if sid in trust_entry['ipantsidblacklistincoming']:
++                entry['domain_enabled'] = [False]
++            else:
++                entry['domain_enabled'] = [True]
++        return truncated
++
++
+ api.register(trustdomain_find)
+ 
+ class trustdomain_mod(LDAPUpdate):
+-- 
+1.8.4.2
+
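Review bot: The import line gains `Bool`, yet the new has_output_params entry uses `Flag`, so either `Bool` is unused (and `Flag` is expected to come from the baseldap star import) or the wrong parameter class is used; one of the two should go. In post_callback, `trust_entry['ipantsidblacklistincoming']` and `entry['ipanttrusteddomainsid'][0]` raise KeyError/IndexError if the attribute is missing on an entry, turning a read-only find into a traceback; `blacklist = trust_entry.get('ipantsidblacklistincoming', [])` and a guarded read of the domain SID would keep the listing robust, if entries without these attributes can occur. Minor style nit: `label= _('Domain enabled')` has a stray space after `=`.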
diff --git a/SOURCES/0025-CLDAP-do-not-prepend.patch b/SOURCES/0025-CLDAP-do-not-prepend.patch
new file mode 100644
index 0000000..fc97f15
--- /dev/null
+++ b/SOURCES/0025-CLDAP-do-not-prepend.patch
@@ -0,0 +1,31 @@
+From 198f16c26e36bd8b4b7d55a74bb679a6daa85084 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Mon, 13 Jan 2014 10:43:33 +0100
+Subject: [PATCH 25/25] CLDAP: do not prepend \\
+
+For NETLOGON_NT_VERSION_5EX requests the prepended \\ is not expected in
+the PDC NetBIOS name. In general AD seems to be smart enough to handle
+the two \ signs. But if the NetBIOS name reaches the maximum of 15
+character AD does not accept the responses anymore.
+
+Fixes https://fedorahosted.org/freeipa/ticket/4028
+---
+ daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+index 9ba05829418a0d1de46f2c7776cc15c54a9eab1c..c03172d474589ddee84f1cfa5395c23fdba83bcb 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+@@ -163,7 +163,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
+     nlr->domain_name = name;
+ 
+     /* copy the first 15 characters of the fully qualified hostname*/
+-    pdc_name = talloc_asprintf(nlr, "\\\\%.*s", NETBIOS_NAME_MAX, fq_hostname);
++    pdc_name = talloc_asprintf(nlr, "%.*s", NETBIOS_NAME_MAX, fq_hostname);
+ 
+     for (p = pdc_name; *p; p++) {
+         /* Create the NetBIOS name from the first segment of the hostname */
+-- 
+1.8.4.2
+
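Review bot: The rewritten `talloc_asprintf` line still has no NULL check, and the loop two lines below (`for (p = pdc_name; *p; p++)`) dereferences pdc_name unconditionally, so an allocation failure is a NULL dereference in the plugin; a guard such as `if (pdc_name == NULL) { ret = ENOMEM; goto done; }` adapted to this function's error convention (its body starts and ends outside the hunk) should follow the assignment. The existing comment "copy the first 15 characters of the fully qualified hostname" remains accurate after dropping the prefix, since `%.*s` with NETBIOS_NAME_MAX still bounds the copy.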
diff --git a/SOURCES/0026-ipaserver-install-installutils-clean-up-properly-aft.patch b/SOURCES/0026-ipaserver-install-installutils-clean-up-properly-aft.patch
new file mode 100644
index 0000000..d80e27b
--- /dev/null
+++ b/SOURCES/0026-ipaserver-install-installutils-clean-up-properly-aft.patch
@@ -0,0 +1,56 @@
+From fcd4ec48c2515aff7c10f10653628631d832146b Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 15 Jan 2014 17:26:10 +0100
+Subject: [PATCH 26/27] ipaserver/install/installutils: clean up properly after
+ yield
+
+When a context to which we yield generates exception, the code in
+private_ccache() and stopped_service() didn't get called for cleanup.
+---
+ ipaserver/install/installutils.py | 25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
+index c26f072f2f44149746d55b1160d09ebce8394fd5..3770432cae79f653fd57f726de43787dec8dd7d1 100644
+--- a/ipaserver/install/installutils.py
++++ b/ipaserver/install/installutils.py
+@@ -784,15 +784,16 @@ def private_ccache(path=None):
+ 
+     os.environ['KRB5CCNAME'] = path
+ 
+-    yield
++    try:
++        yield
++    finally:
++        if original_value is not None:
++            os.environ['KRB5CCNAME'] = original_value
++        else:
++            os.environ.pop('KRB5CCNAME')
+ 
+-    if original_value is not None:
+-        os.environ['KRB5CCNAME'] = original_value
+-    else:
+-        os.environ.pop('KRB5CCNAME')
+-
+-    if os.path.exists(path):
+-        os.remove(path)
++        if os.path.exists(path):
++            os.remove(path)
+ 
+ 
+ @contextmanager
+@@ -825,6 +826,8 @@ def stopped_service(service, instance_name=""):
+         # Stop the service, do the required stuff and start it again
+         root_logger.debug('Stopping %s%s.', service, log_instance_name)
+         ipaservices.knownservices[service].stop(instance_name)
+-        yield
+-        root_logger.debug('Starting %s%s.', service, log_instance_name)
+-        ipaservices.knownservices[service].start(instance_name)
++        try:
++            yield
++        finally:
++            root_logger.debug('Starting %s%s.', service, log_instance_name)
++            ipaservices.knownservices[service].start(instance_name)
+-- 
+1.8.4.2
+
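Review bot: In private_ccache the new `finally` block calls `os.environ.pop('KRB5CCNAME')` without a default, so if the wrapped code removed KRB5CCNAME itself the pop raises KeyError from inside `finally` and replaces the original exception; `os.environ.pop('KRB5CCNAME', None)` avoids that. Moving the removal of the private ccache file into `finally` is the right fix, since it now guarantees the temporary credential cache is deleted even when the caller's block fails. In stopped_service the restart on every exit path is clearly intended; a one-line comment on the `finally`, e.g. `# always restart, even if the wrapped block failed`, would make that explicit.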
diff --git a/SOURCES/0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch b/SOURCES/0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch
new file mode 100644
index 0000000..28749e4
--- /dev/null
+++ b/SOURCES/0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch
@@ -0,0 +1,28 @@
+From a923cedc1aedafe7f58d480a633257bd19809d72 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Tue, 15 Oct 2013 17:49:07 +0000
+Subject: [PATCH 27/27] Do not start the service in stopped_service if it was
+ not running before.
+
+This fixes a possible NSS database corruption in renew_ca_cert.
+---
+ ipaserver/install/installutils.py | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
+index 3770432cae79f653fd57f726de43787dec8dd7d1..32671adc895b0cb2632729e8bdb44b5df02c1314 100644
+--- a/ipaserver/install/installutils.py
++++ b/ipaserver/install/installutils.py
+@@ -819,9 +819,6 @@ def stopped_service(service, instance_name=""):
+         root_logger.debug('Service %s%s is not running, continue.', service,
+                           log_instance_name)
+         yield
+-        root_logger.debug('Starting %s%s.', service, log_instance_name)
+-        ipaservices.knownservices[service].start(instance_name)
+-        return
+     else:
+         # Stop the service, do the required stuff and start it again
+         root_logger.debug('Stopping %s%s.', service, log_instance_name)
+-- 
+1.8.4.2
+
diff --git a/SOURCES/0028-Harmonize-policy-discovery-to-kdb-driver.patch b/SOURCES/0028-Harmonize-policy-discovery-to-kdb-driver.patch
new file mode 100644
index 0000000..6e2a1f2
--- /dev/null
+++ b/SOURCES/0028-Harmonize-policy-discovery-to-kdb-driver.patch
@@ -0,0 +1,180 @@
+From 8ee0ea62d669f59246c8727d89a860bb6d6082f8 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Tue, 14 Jan 2014 10:09:37 -0500
+Subject: [PATCH 28/34] Harmonize policy discovery to kdb driver
+
+The KDB driver does not walk the tree back like the original password plugin.
+Also we do not store the default policy in the base DN as we used to do in the
+past anymore.
+So doing a full subtree search and walking back the tree is just a waste of
+time.
+Instead hardcode the default policy like we do in the kdb driver.
+
+Fixes: https://fedorahosted.org/freeipa/ticket/4085
+---
+ daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c | 106 ++++-------------------
+ 1 file changed, 17 insertions(+), 89 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+index 2538a4094bd9a166e61b0911e5ea93426092d88a..ef20c4c61bd764bffc426208ff8b99f5d0b782ec 100644
+--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c
+@@ -436,75 +436,44 @@ static void pwd_values_free(Slapi_ValueSet** results,
+     slapi_vattr_values_free(results, actual_type_name, buffer_flags);
+ }
+ 
+-static int ipapwd_rdn_count(const char *dn)
+-{
+-    int rdnc = 0;
+-    LDAPDN ldn;
+-    int ret;
+-
+-    ret = ldap_str2dn(dn, &ldn, LDAP_DN_FORMAT_LDAPV3);
+-    if (ret != LDAP_SUCCESS) {
+-        LOG_TRACE("ldap_str2dn(dn) failed ?!");
+-        return -1;
+-    }
+-
+-    for (rdnc = 0; ldn != NULL && ldn[rdnc]; rdnc++) /* count */ ;
+-    ldap_dnfree(ldn);
+-
+-    return rdnc;
+-}
+-
+ int ipapwd_getPolicy(const char *dn,
+                      Slapi_Entry *target,
+                      struct ipapwd_policy *policy)
+ {
+     const char *krbPwdPolicyReference;
+-    const char *pdn;
+-    const Slapi_DN *psdn;
+-    Slapi_Backend *be;
++    char *pdn = NULL;
+     Slapi_PBlock *pb = NULL;
+     char *attrs[] = { "krbMaxPwdLife", "krbMinPwdLife",
+                       "krbPwdMinDiffChars", "krbPwdMinLength",
+                       "krbPwdHistoryLength", NULL};
+     Slapi_Entry **es = NULL;
+     Slapi_Entry *pe = NULL;
+-    int ret, res, dist, rdnc, scope, i;
+-    Slapi_DN *sdn = NULL;
++    int ret, res, scope, i;
+     int buffer_flags=0;
+     Slapi_ValueSet* results = NULL;
+-    char* actual_type_name = NULL;
++    char *actual_type_name = NULL;
+     int tmpint;
+ 
+     LOG_TRACE("Searching policy for [%s]\n", dn);
+ 
+-    sdn = slapi_sdn_new_dn_byref(dn);
+-    if (sdn == NULL) {
+-        LOG_OOM();
+-        ret = -1;
+-        goto done;
+-    }
+-
+     pwd_get_values(target, "krbPwdPolicyReference",
+                    &results, &actual_type_name, &buffer_flags);
+     if (results) {
+         Slapi_Value *sv;
+         slapi_valueset_first_value(results, &sv);
+         krbPwdPolicyReference = slapi_value_get_string(sv);
+-        pdn = krbPwdPolicyReference;
+-        scope = LDAP_SCOPE_BASE;
+-        LOG_TRACE("using policy reference: %s\n", pdn);
++        pdn = slapi_ch_strdup(krbPwdPolicyReference);
+     } else {
+-        /* Find ancestor base DN */
+-        be = slapi_be_select(sdn);
+-        psdn = slapi_be_getsuffix(be, 0);
+-        if (psdn == NULL) {
+-            LOG_FATAL("Invalid DN [%s]\n", dn);
+-            ret = -1;
+-            goto done;
+-        }
+-        pdn = slapi_sdn_get_dn(psdn);
+-        scope = LDAP_SCOPE_SUBTREE;
++        /* Fallback to hardcoded value */
++        pdn = slapi_ch_smprintf("cn=global_policy,%s", ipa_realm_dn);
+     }
++    if (pdn == NULL) {
++        LOG_OOM();
++        ret = -1;
++        goto done;
++    }
++    LOG_TRACE("Using policy at [%s]\n", pdn);
++    scope = LDAP_SCOPE_BASE;
+ 
+     pb = slapi_pblock_new();
+     slapi_search_internal_set_pb(pb,
+@@ -539,54 +508,13 @@ int ipapwd_getPolicy(const char *dn,
+     /* if there is only one, return that */
+     if (i == 1) {
+         pe = es[0];
+-        goto fill;
+-    }
+-
+-    /* count number of RDNs in DN */
+-    rdnc = ipapwd_rdn_count(dn);
+-    if (rdnc == -1) {
+-        LOG_TRACE("ipapwd_rdn_count(dn) failed");
+-        ret = -1;
+-        goto done;
+-    }
+-
+-    pe = NULL;
+-    dist = -1;
+-
+-    /* find closest entry */
+-    for (i = 0; es[i]; i++) {
+-        const Slapi_DN *esdn;
+-
+-        esdn = slapi_entry_get_sdn_const(es[i]);
+-        if (esdn == NULL) continue;
+-        if (0 == slapi_sdn_compare(esdn, sdn)) {
+-            pe = es[i];
+-            dist = 0;
+-            break;
+-        }
+-        if (slapi_sdn_issuffix(sdn, esdn)) {
+-            const char *dn1;
+-            int c1;
+-
+-            dn1 = slapi_sdn_get_dn(esdn);
+-            if (!dn1) continue;
+-            c1 = ipapwd_rdn_count(dn1);
+-            if (c1 == -1) continue;
+-            if ((dist == -1) ||
+-                ((rdnc - c1) < dist)) {
+-                dist = rdnc - c1;
+-                pe = es[i];
+-            }
+-        }
+-        if (dist == 0) break; /* found closest */
+-    }
+-
+-    if (pe == NULL) {
++    } else {
++        LOG_TRACE("Multiple entries from a base search ?!");
+         ret = -1;
+         goto done;
+     }
+ 
+-fill:
++    /* read data out of policy object */
+     policy->min_pwd_life = slapi_entry_attr_get_int(pe, "krbMinPwdLife");
+ 
+     tmpint = slapi_entry_attr_get_int(pe, "krbMaxPwdLife");
+@@ -615,7 +543,7 @@ done:
+         slapi_free_search_results_internal(pb);
+         slapi_pblock_destroy(pb);
+     }
+-    if (sdn) slapi_sdn_free(&sdn);
++    slapi_ch_free_string(&pdn);
+     return ret;
+ }
+ 
+-- 
+1.8.4.2
+
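Review bot: The `else` branch after `if (i == 1)` now covers the zero-result case as well, so unless `i == 0` is rejected above this hunk (the entry-count loop is outside it), a krbPwdPolicyReference that points at a missing entry, or a missing cn=global_policy, is logged as "Multiple entries from a base search ?!", which will mislead whoever debugs it; `} else if (i == 0) { LOG_TRACE("No policy entry at [%s]\n", pdn); ret = -1; goto done; } else {` keeps the failure diagnosable. The hard-coded fallback `cn=global_policy,%s` is the stated intent, so a comment naming the kdb driver as the source of truth for that DN would help keep the two in sync. ipapwd_getPolicy's body continues between the hunks.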
diff --git a/SOURCES/0029-Stop-adding-a-default-password-policy-reference.patch b/SOURCES/0029-Stop-adding-a-default-password-policy-reference.patch
new file mode 100644
index 0000000..4e325d2
--- /dev/null
+++ b/SOURCES/0029-Stop-adding-a-default-password-policy-reference.patch
@@ -0,0 +1,409 @@
+From 46ad7d5e76929d5744355374c1e56c5004bf5281 Mon Sep 17 00:00:00 2001
+From: Simo Sorce <simo@redhat.com>
+Date: Thu, 16 Jan 2014 09:06:18 +0100
+Subject: [PATCH 29/34] Stop adding a default password policy reference
+
+Both the password plugin and the kdb driver code automatically fall
+back to the default password policy.
+so stop adding an explicit reference to user objects and instead rely on the
+fallback.
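Review bot: Dropping the `entry_attrs.setdefault('krbpwdpolicyreference', ...)` in user.py pre_callback changes only newly created users; every existing user entry still carries an explicit reference to cn=global_policy, and the description itself notes that after this change such a value is indistinguishable from a deliberate admin choice. The stated motivation (being able to change the default policy DN through code alone) therefore does not hold for pre-existing entries unless an upgrade step strips references that equal the current default, which this patch does not add. A short comment above the `krbprincipalname` setdefault would also help the next reader, e.g. `# no krbpwdpolicyreference here: the password plugin and KDB driver fall back to the default policy`. pre_callback's body starts outside the hunk.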
+This way users created via the framework and users created via winsync plugin
+behave the same way wrt password policies and no surprises will happen.
+
+Also in case we need to change the default password policy DN this will allow
+just code changes instead of having to change each user entry created, and
+distinguish between the default policy and explicit admin changes.
+
+Related: https://fedorahosted.org/freeipa/ticket/4085
+
+Patch backported/updated by Martin Kosek to accomodate different ipatests
+structure in ipa-3-3 branch.
+---
+ ipalib/plugins/user.py                             |  3 --
+ ipatests/test_xmlrpc/test_attr.py                  |  2 --
+ ipatests/test_xmlrpc/test_automember_plugin.py     |  4 ---
+ ipatests/test_xmlrpc/test_group_plugin.py          |  4 ---
+ ipatests/test_xmlrpc/test_krbtpolicy.py            |  2 --
+ ipatests/test_xmlrpc/test_nesting.py               |  8 -----
+ ipatests/test_xmlrpc/test_netgroup_plugin.py       |  4 ---
+ ipatests/test_xmlrpc/test_range_plugin.py          |  2 --
+ ipatests/test_xmlrpc/test_replace.py               |  2 --
+ ipatests/test_xmlrpc/test_selinuxusermap_plugin.py |  5 ---
+ ipatests/test_xmlrpc/test_user_plugin.py           | 40 ----------------------
+ 11 files changed, 76 deletions(-)
+
+diff --git a/ipalib/plugins/user.py b/ipalib/plugins/user.py
+index 471981f48204209753eda2fb994d4c653dca0fa2..9b212005ef522920a86deacc8f9b3e658a088ec1 100644
+--- a/ipalib/plugins/user.py
++++ b/ipalib/plugins/user.py
+@@ -498,9 +498,6 @@ def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
+             homes_root = config.get('ipahomesrootdir', ['/home'])[0]
+             # build user's home directory based on his uid
+             entry_attrs['homedirectory'] = posixpath.join(homes_root, keys[-1])
+-        entry_attrs.setdefault('krbpwdpolicyreference',
+-                               DN(('cn', 'global_policy'), ('cn', api.env.realm), ('cn', 'kerberos'),
+-                                  api.env.basedn))
+         entry_attrs.setdefault('krbprincipalname', '%s@%s' % (entry_attrs['uid'], api.env.realm))
+ 
+         if entry_attrs.get('gidnumber') is None:
+diff --git a/ipatests/test_xmlrpc/test_attr.py b/ipatests/test_xmlrpc/test_attr.py
+index 118eabdeb5c8f6e86c0a9fc7dcdf9fc73a0a9ad2..a9e2956947109efcdcd132dff3807b7400d95a09 100644
+--- a/ipatests/test_xmlrpc/test_attr.py
++++ b/ipatests/test_xmlrpc/test_attr.py
+@@ -71,8 +71,6 @@ class test_attr(Declarative):
+                     cn=[u'Test User1'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+diff --git a/ipatests/test_xmlrpc/test_automember_plugin.py b/ipatests/test_xmlrpc/test_automember_plugin.py
+index 2c38b6463bfc684dbe23904f54b7107bb4ce3ff2..32fc59bac70d0f2e16d5d988835772f894bd78a9 100644
+--- a/ipatests/test_xmlrpc/test_automember_plugin.py
++++ b/ipatests/test_xmlrpc/test_automember_plugin.py
+@@ -812,8 +812,6 @@ class test_automember(Declarative):
+                     cn=[u'Michael Scott'],
+                     initials=[u'MS'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn', 'global_policy'), ('cn', api.env.realm), ('cn', 'kerberos'),
+-                                              api.env.basedn)],
+                     mepmanagedentry=[DN(('cn', manager1), ('cn', 'groups'), ('cn', 'accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'defaultgroup1', u'ipausers'],
+@@ -851,8 +849,6 @@ class test_automember(Declarative):
+                     cn=[u'Test User1'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn', 'global_policy'), ('cn', api.env.realm), ('cn', 'kerberos'),
+-                                              api.env.basedn)],
+                     mepmanagedentry=[DN(('cn', user1), ('cn', 'groups'), ('cn', 'accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'group1', u'ipausers'],
+diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py
+index be31af453bbd28d420c5e9f301bef6eb56388f61..9cc337db2a5f80abc960f5bc8a226372bf16b980 100644
+--- a/ipatests/test_xmlrpc/test_group_plugin.py
++++ b/ipatests/test_xmlrpc/test_group_plugin.py
+@@ -812,8 +812,6 @@ class test_group(Declarative):
+                     cn=[u'Test User1'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     dn=DN(('uid',user1),('cn','users'),('cn','accounts'),
+@@ -932,8 +930,6 @@ class test_group(Declarative):
+                     ipauniqueid=[fuzzy_uuid],
+                     dn=DN(('uid','tuser1'),('cn','users'),('cn','accounts'),
+                           api.env.basedn),
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+                     has_password=False,
+diff --git a/ipatests/test_xmlrpc/test_krbtpolicy.py b/ipatests/test_xmlrpc/test_krbtpolicy.py
+index 2fac11f1854037aa197f2df42c72a9d7ae947ccd..fb66e8a6ca72bee7dcfc595f3b89badc2608ca09 100644
+--- a/ipatests/test_xmlrpc/test_krbtpolicy.py
++++ b/ipatests/test_xmlrpc/test_krbtpolicy.py
+@@ -110,8 +110,6 @@ class test_krbtpolicy(Declarative):
+                     cn=[u'Test User1'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+diff --git a/ipatests/test_xmlrpc/test_nesting.py b/ipatests/test_xmlrpc/test_nesting.py
+index 850010b8797734406aa81a911a64bb1d051b7196..5be05688973f9ee39425f1bfc9cdedaa1a193c25 100644
+--- a/ipatests/test_xmlrpc/test_nesting.py
++++ b/ipatests/test_xmlrpc/test_nesting.py
+@@ -176,8 +176,6 @@ class test_nesting(Declarative):
+                     cn=[u'Test User1'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+@@ -214,8 +212,6 @@ class test_nesting(Declarative):
+                     cn=[u'Test User2'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user2),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+@@ -252,8 +248,6 @@ class test_nesting(Declarative):
+                     cn=[u'Test User3'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user3),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+@@ -290,8 +284,6 @@ class test_nesting(Declarative):
+                     cn=[u'Test User4'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user4),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+diff --git a/ipatests/test_xmlrpc/test_netgroup_plugin.py b/ipatests/test_xmlrpc/test_netgroup_plugin.py
+index 09241a7d691aeb7d967e549d14ff5d87a80b6a9b..15453bd3cfd45dce9be43cc5003b67a87a7915ac 100644
+--- a/ipatests/test_xmlrpc/test_netgroup_plugin.py
++++ b/ipatests/test_xmlrpc/test_netgroup_plugin.py
+@@ -288,8 +288,6 @@ class test_netgroup(Declarative):
+                     cn=[u'Test User1'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+@@ -325,8 +323,6 @@ class test_netgroup(Declarative):
+                     cn=[u'Test User2'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user2),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
+index df80e2fb72725c52d13be7a661364cbeafa3f84f..8c7b5f26e70283db62f18b152378d1b7d31bcc96 100644
+--- a/ipatests/test_xmlrpc/test_range_plugin.py
++++ b/ipatests/test_xmlrpc/test_range_plugin.py
+@@ -248,8 +248,6 @@ def tearDownClass(cls):
+                     initials=[u'TU'],
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+diff --git a/ipatests/test_xmlrpc/test_replace.py b/ipatests/test_xmlrpc/test_replace.py
+index 1b946b76cb9ecccc3452b3714d1647b0a09ec831..691918f5857827365323ed1d20835a15dd899a4f 100644
+--- a/ipatests/test_xmlrpc/test_replace.py
++++ b/ipatests/test_xmlrpc/test_replace.py
+@@ -66,8 +66,6 @@ class test_replace(Declarative):
+                     initials=[u'TU'],
+                     mail=[u'test1@example.com', u'test2@example.com'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),('cn','kerberos'),
+-                                              api.env.basedn)],
+                     mepmanagedentry=[DN(('cn',user1),('cn','groups'),('cn','accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+diff --git a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
+index d1fedf1f0ff603a702089651db7f226ea58a98cd..9438bd01227c3ed0317976a38de8f67ec4ae425f 100644
+--- a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
++++ b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
+@@ -216,11 +216,6 @@ class test_selinuxusermap(Declarative):
+                     cn=[u'Test User1'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn', 'global_policy'),
+-                                              ('cn', api.env.realm),
+-                                              ('cn', 'kerberos'),
+-                                              api.env.basedn)
+-                                        ],
+                     mepmanagedentry=[DN(('cn', user1), ('cn', 'groups'),
+                         ('cn', 'accounts'), api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
+index 98e1965a4fbd3c2e77363495d0391be580bd0805..6a5ba50034fd2c9b63db63eeaa0061657574342d 100644
+--- a/ipatests/test_xmlrpc/test_user_plugin.py
++++ b/ipatests/test_xmlrpc/test_user_plugin.py
+@@ -125,8 +125,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -199,8 +197,6 @@ class test_user(Declarative):
+                         'gidnumber': [fuzzy_digits],
+                         'ipauniqueid': [fuzzy_uuid],
+                         'mepmanagedentry': [get_group_dn(user1)],
+-                        'krbpwdpolicyreference': [DN(('cn','global_policy'),('cn',api.env.realm),
+-                                                     ('cn','kerberos'),api.env.basedn)],
+                         'nsaccountlock': False,
+                         'has_keytab': False,
+                         'has_password': False,
+@@ -594,8 +590,6 @@ class test_user(Declarative):
+                     ipasshpubkey=[sshpubkey],
+                     sshpubkeyfp=[sshpubkeyfp],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -650,8 +644,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -687,8 +679,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user2, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user2)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -908,8 +898,6 @@ class test_user(Declarative):
+                     postalcode=[u'01234-5678'],
+                     telephonenumber=[u'410-555-1212'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -954,8 +942,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=True,
+@@ -1003,8 +989,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user2, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user2)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -1075,8 +1059,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -1148,8 +1130,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -1210,8 +1190,6 @@ class test_user(Declarative):
+                     initials=[u'TU'],
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -1273,8 +1251,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user2, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+                     has_password=False,
+@@ -1327,8 +1303,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     memberof_group=[group1],
+                     has_keytab=False,
+                     has_password=False,
+@@ -1364,8 +1338,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user2, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     memberof_group=[group1],
+                     has_keytab=False,
+                     has_password=False,
+@@ -1446,8 +1418,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user2, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     memberof_group=[group1],
+                     nsaccountlock=False,
+                     has_keytab=False,
+@@ -1493,8 +1463,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user2, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     memberof_group=[group1],
+                     nsaccountlock=False,
+                     has_keytab=False,
+@@ -1553,8 +1521,6 @@ class test_user(Declarative):
+                     initials=[u'SA'],
+                     mail=[u'%s@%s' % (admin2, api.env.domain)],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(admin2)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -1744,8 +1710,6 @@ class test_user(Declarative):
+                     cn=[u'Test User2'],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn', 'global_policy'), ('cn', api.env.realm), ('cn', 'kerberos'),
+-                                        api.env.basedn)],
+                     mepmanagedentry=[DN(('cn', user2), ('cn', 'groups'), ('cn', 'accounts'),
+                                         api.env.basedn)],
+                     memberof_group=[u'ipausers'],
+@@ -1780,8 +1744,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+@@ -1828,8 +1790,6 @@ class test_user(Declarative):
+                     mail=[u'%s@%s' % (user1, api.env.domain)],
+                     initials=[u'TU'],
+                     ipauniqueid=[fuzzy_uuid],
+-                    krbpwdpolicyreference=[DN(('cn','global_policy'),('cn',api.env.realm),
+-                                              ('cn','kerberos'),api.env.basedn)],
+                     mepmanagedentry=[get_group_dn(user1)],
+                     memberof_group=[u'ipausers'],
+                     has_keytab=False,
+-- 
+1.8.4.2
+
diff --git a/SOURCES/0030-Increase-service-startup-timeout-default.patch b/SOURCES/0030-Increase-service-startup-timeout-default.patch
new file mode 100644
index 0000000..e4790a7
--- /dev/null
+++ b/SOURCES/0030-Increase-service-startup-timeout-default.patch
@@ -0,0 +1,26 @@
+From b3d3abfa3adcfc8b1f5ea09e52a0bd8a519571e6 Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Wed, 15 Jan 2014 09:41:15 +0100
+Subject: [PATCH 30/34] Increase service startup timeout default.
+
+https://fedorahosted.org/freeipa/ticket/4078
+---
+ ipalib/constants.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipalib/constants.py b/ipalib/constants.py
+index 79885a33a3008bd83908fc34a7340e78ab25e31f..6d4088be9a958eb5cb3b2725f8696fb4a7926e57 100644
+--- a/ipalib/constants.py
++++ b/ipalib/constants.py
+@@ -116,7 +116,7 @@
+     ('rpc_json_uri', 'http://localhost:8888/ipa/json'),
+     ('ldap_uri', 'ldap://localhost:389'),
+     # Time to wait for a service to start, in seconds
+-    ('startup_timeout', 120),
++    ('startup_timeout', 300),
+ 
+     # Web Application mount points
+     ('mount_ipa', '/ipa/'),
+-- 
+1.8.4.2
+
diff --git a/SOURCES/0031-cli.print_attribute-Convert-values-to-strings.patch b/SOURCES/0031-cli.print_attribute-Convert-values-to-strings.patch
new file mode 100644
index 0000000..343a418
--- /dev/null
+++ b/SOURCES/0031-cli.print_attribute-Convert-values-to-strings.patch
@@ -0,0 +1,30 @@
+From 32d3d38edfd47f3cc5425d3c2e7d42a38ea4a95b Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <pviktori@redhat.com>
+Date: Tue, 26 Nov 2013 23:31:05 +0100
+Subject: [PATCH 31/34] cli.print_attribute: Convert values to strings
+
+When output_for_cli was called directly, rather than for values
+received through XML or JSON API, joining multiple values failed
+on non-strings such as DN objects.
+
+Convert output to strings before printing it out.
+---
+ ipalib/cli.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipalib/cli.py b/ipalib/cli.py
+index 5f02e929fe0df7051f4bb925a960678d780d4883..41e1b4752a2a549ea687632e60eb8003d0cad95f 100644
+--- a/ipalib/cli.py
++++ b/ipalib/cli.py
+@@ -293,7 +293,7 @@ def print_attribute(self, attr, value, format='%s: %s', indent=1, one_value_per_
+                     return
+                 else:
+                     if len(value) > 0:
+-                        text = ', '.join(value)
++                        text = ', '.join(str(v) for v in value)
+                     else:
+                         return
+                 line_len = self.get_tty_width()
+-- 
+1.8.4.2
+
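Review bot: `', '.join(str(v) for v in value)` fixes the DN case from the description but, under the Python 2 this code base targets (the `u''` literals throughout this series), `str()` on a unicode value containing non-ASCII characters raises UnicodeEncodeError, so an attribute such as a non-ASCII cn that previously joined fine would now make output_for_cli fail. Converting with `unicode(v)` covers both DN objects and existing unicode values: `text = ', '.join(unicode(v) for v in value)`. print_attribute's body begins outside the hunk, so whether `value` can hold byte strings that need decoding is not visible here.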
diff --git a/SOURCES/0032-group-show-resolve-external-members-of-the-groups.patch b/SOURCES/0032-group-show-resolve-external-members-of-the-groups.patch
new file mode 100644
index 0000000..609d8ba
--- /dev/null
+++ b/SOURCES/0032-group-show-resolve-external-members-of-the-groups.patch
@@ -0,0 +1,43 @@
+From 2d1a85606d61128611f49101854bb8efe4abd638 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 16 Jan 2014 20:31:37 +0200
+Subject: [PATCH 32/34] group-show: resolve external members of the groups
+
+Perform SID to name conversion for existing external members of the
+groups if trust is configured.
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1054391
+https://fedorahosted.org/freeipa/ticket/4123
+---
+ ipalib/plugins/group.py | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/ipalib/plugins/group.py b/ipalib/plugins/group.py
+index 02eeb10ca2ca2a5710e88d6e3c11f1d1cdaa4a7b..dac55003e5a4291e8a3b7db58ae9b3c9c76e271e 100644
+--- a/ipalib/plugins/group.py
++++ b/ipalib/plugins/group.py
+@@ -387,6 +387,21 @@ def pre_callback(self, ldap, filter, attrs_list, base_dn, scope, *args, **option
+ class group_show(LDAPRetrieve):
+     __doc__ = _('Display information about a named group.')
+     has_output_params = LDAPRetrieve.has_output_params + (ipaexternalmember_param,)
++    def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
++        assert isinstance(dn, DN)
++        if ('ipaexternalmember' in entry_attrs and
++            len(entry_attrs['ipaexternalmember']) > 0 and
++            'trust_resolve' in self.Command and
++            not options.get('raw', False)):
++            sids = entry_attrs['ipaexternalmember']
++            result = self.Command.trust_resolve(sids=sids)
++            for entry in result['result']:
++                try:
++                    idx = sids.index(entry['sid'][0])
++                    sids[idx] = entry['name'][0]
++                except ValueError:
++                    pass
++        return dn
+ api.register(group_show)
+ 
+ 
+-- 
+1.8.4.2
+
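Review bot: The `self.Command.trust_resolve(sids=sids)` call in the new post_callback is unguarded, so any error raised while resolving (the trust side is an external dependency) now fails the whole group-show, whereas the `except ValueError: pass` below already accepts individual misses; catching the public error class the trust plugin raises around that one call and returning `dn` unchanged would keep the raw SIDs as a graceful fallback. Because `sids` aliases `entry_attrs['ipaexternalmember']`, the in-place `sids[idx] = entry['name'][0]` leaves the attribute as a mix of resolved names and unresolved SIDs that a caller cannot tell apart; a one-line comment stating this is intended, e.g. `# resolved names replace SIDs in place; unresolved SIDs are left as-is`, would document the contract. The `assert isinstance(dn, DN)` is stripped under -O, though it matches the surrounding plugin style.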
diff --git a/SOURCES/0033-Remove-SID-resolve-call-from-Web-UI.patch b/SOURCES/0033-Remove-SID-resolve-call-from-Web-UI.patch
new file mode 100644
index 0000000..35fee47
--- /dev/null
+++ b/SOURCES/0033-Remove-SID-resolve-call-from-Web-UI.patch
@@ -0,0 +1,87 @@
+From ff15df8bd58bddd4c53644867f8ee340febdc198 Mon Sep 17 00:00:00 2001
+From: Petr Vobornik <pvoborni@redhat.com>
+Date: Mon, 20 Jan 2014 09:50:56 +0100
+Subject: [PATCH 33/34] Remove SID resolve call from Web UI
+
+- it's called in group-show
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1054391
+https://fedorahosted.org/freeipa/ticket/4123
+---
+ install/ui/src/freeipa/association.js | 47 -----------------------------------
+ install/ui/src/freeipa/group.js       |  1 -
+ 2 files changed, 48 deletions(-)
+
+diff --git a/install/ui/src/freeipa/association.js b/install/ui/src/freeipa/association.js
+index ad427d66b6b98119b2eb577ae98e4b7c2f1a6932..8d81e495a153c06cdbcfa9917bdf04d70916f997 100644
+--- a/install/ui/src/freeipa/association.js
++++ b/install/ui/src/freeipa/association.js
+@@ -1455,53 +1455,6 @@ exp.attribute_facet = IPA.attribute_facet = function(spec, no_init) {
+     return that;
+ };
+ 
+-IPA.sid_facet = function(spec, no_init) {
+-
+-    spec.name = spec.name || 'sid_facet';
+-
+-    var that = IPA.attribute_facet(spec, no_init);
+-
+-    that.load_records = function(value) {
+-        var xlate = {};
+-        var sidxlate_command = IPA.command({
+-            entity: 'trust',
+-            method: 'resolve',
+-            options: {
+-                sids: ''
+-            }
+-        });
+-        sidxlate_command.on_success = function(data, text_status, xhr) {
+-            for (var i=0; i< data.result.result.length; i++) {
+-                var entry = data.result.result[i];
+-                if (entry.sid[0] in xlate) {
+-                    xlate[entry.sid[0]].resolve(entry.name[0]);
+-                }
+-            }
+-        };
+-        that.table.empty();
+-
+-        if (value.length === 0) return;
+-
+-        var sids = [];
+-        for (var i=0; i< value.length; i++) {
+-            var sid = value[i][that.attribute];
+-            var deferred = new Deferred();
+-            value[i][that.attribute] = {
+-                promise: deferred.promise,
+-                temp: sid
+-            };
+-            xlate[sid] = deferred;
+-            sids.push(sid);
+-            that.add_record(value[i]);
+-        }
+-        sidxlate_command.options.sids = sids;
+-        sidxlate_command.execute();
+-    };
+-
+-    return that;
+-};
+-
+-
+ IPA.attr_read_only_evaluator = function(spec) {
+ 
+     spec.name = spec.name || 'attr_read_only_evaluator';
+diff --git a/install/ui/src/freeipa/group.js b/install/ui/src/freeipa/group.js
+index 5e8cdf991cdaf4f52e3f49dca431e999a72f2089..bb12d902fcba8228098b667aa6fbd3fa7daee34d 100644
+--- a/install/ui/src/freeipa/group.js
++++ b/install/ui/src/freeipa/group.js
+@@ -112,7 +112,6 @@ return {
+         },
+         {
+             $type: 'attribute',
+-            $factory: IPA.sid_facet,
+             name: 'member_external',
+             attribute: 'ipaexternalmember',
+             tab_label: 'External',
+-- 
+1.8.4.2
+
diff --git a/SOURCES/0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch b/SOURCES/0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch
new file mode 100644
index 0000000..f0ccd4a
--- /dev/null
+++ b/SOURCES/0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch
@@ -0,0 +1,56 @@
+From 7358fdd85215b9ee9becb2e352480abd2789691f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 17 Jan 2014 14:09:34 +0200
+Subject: [PATCH 34/34] ipa-adtrust-install: configure host netbios name by
+ default
+
+Ensure we set host netbios name by default in smb.conf
+
+https://fedorahosted.org/freeipa/ticket/4116
+---
+ install/share/smb.conf.template      | 1 +
+ ipaserver/install/adtrustinstance.py | 3 +++
+ 2 files changed, 4 insertions(+)
+
+diff --git a/install/share/smb.conf.template b/install/share/smb.conf.template
+index 086b0fcfe5cff2bc3582f2a89962a99c9095b4bb..2908b998cc85fcb84f60847135aaa4b008e121f8 100644
+--- a/install/share/smb.conf.template
++++ b/install/share/smb.conf.template
+@@ -1,5 +1,6 @@
+ [global]
+ workgroup = $NETBIOS_NAME
++netbios name = $HOST_NETBIOS_NAME
+ realm = $REALM
+ kerberos method = dedicated keytab
+ dedicated keytab file = FILE:/etc/samba/samba.keytab
+diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
+index 4aa8322e3e2cfb6fbc07696097c3e6e21fc7f665..621e3fd46780beb15f3d642cb9e3eb1c5fa721ad 100644
+--- a/ipaserver/install/adtrustinstance.py
++++ b/ipaserver/install/adtrustinstance.py
+@@ -124,6 +124,7 @@ def __init__(self, fstore=None):
+         self.secondary_rid_base = None
+ 
+         self.fqdn = None
++        self.host_netbios_name = None
+         self.realm = None
+         self.domain_name = None
+ 
+@@ -151,6 +152,7 @@ def __setup_default_attributes(self):
+ 
+         # Values obtained from API.env
+         self.fqdn = self.fqdn or api.env.host
++        self.host_netbios_name = make_netbios_name(self.fqdn)
+         self.realm = self.realm or api.env.realm
+         self.domain_name = self.domain_name or api.env.domain
+ 
+@@ -769,6 +771,7 @@ def __setup_sub_dict(self):
+         self.sub_dict = dict(REALM = self.realm,
+                              SUFFIX = self.suffix,
+                              NETBIOS_NAME = self.netbios_name,
++                             HOST_NETBIOS_NAME = self.host_netbios_name,
+                              SMB_DN = self.smb_dn,
+                              LDAPI_SOCKET = self.ldapi_socket,
+                              FQDN = self.fqdn)
+-- 
+1.8.4.2
+
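Review bot: `self.host_netbios_name = make_netbios_name(self.fqdn)` in `__setup_default_attributes` unconditionally overwrites the attribute, unlike the neighbouring `self.fqdn = self.fqdn or api.env.host` lines that keep a value set before this method runs. If a caller is meant to be able to preset the host NetBIOS name (the constructor now initialises it to None like the others), the consistent form is `self.host_netbios_name = self.host_netbios_name or make_netbios_name(self.fqdn)`; if it is intentionally always derived from the FQDN, a one-line comment saying so would stop the next reader from "fixing" it. `make_netbios_name` is not defined in this patch, so it presumably already exists in the module. Both hunks sit inside methods whose bodies start and end outside the hunk.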
diff --git a/SOURCES/0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch b/SOURCES/0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch
new file mode 100644
index 0000000..876fa45
--- /dev/null
+++ b/SOURCES/0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch
@@ -0,0 +1,30 @@
+From a8cc1ff0dbf3de89b78c8d382779433658286750 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Fri, 17 Jan 2014 09:26:35 +0100
+Subject: [PATCH] Remove missing VERSION warning in dnsrecord-mod
+
+dnsrecord-mod may call dnsrecord-delentry command when all records
+are deleted. However, the version was not passwd to delentry and
+it resulted in a warning.
+
+https://fedorahosted.org/freeipa/ticket/4120
+---
+ ipalib/plugins/dns.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
+index 07523dc72466892f0e7d5fdd9261024d0e898548..94ae92ba5d1ae42e31ebb6100c743a2334f29e70 100644
+--- a/ipalib/plugins/dns.py
++++ b/ipalib/plugins/dns.py
+@@ -2636,7 +2636,7 @@ def execute(self, *keys, **options):
+                     break
+ 
+             if del_all:
+-                return self.obj.methods.delentry(*keys)
++                return self.obj.methods.delentry(*keys, version=options['version'])
+         return result
+ 
+     def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
+-- 
+1.8.4.2
+
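Review bot: `options['version']` on the new line raises KeyError when the option is absent, and the commit message itself says a missing version previously produced only a warning, so a caller that omits `version` (e.g. an older client) would now get an internal error from dnsrecord-mod instead of that warning. If `version` is not guaranteed to be present in `options` by the time `execute` runs, forward it only when given: `version_kw = {'version': options['version']} if 'version' in options else {}` followed by `return self.obj.methods.delentry(*keys, **version_kw)`. The enclosing `execute` starts and ends outside the hunk.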
diff --git a/SOURCES/0036-Hide-trust-resolve-command.patch b/SOURCES/0036-Hide-trust-resolve-command.patch
new file mode 100644
index 0000000..3e8c387
--- /dev/null
+++ b/SOURCES/0036-Hide-trust-resolve-command.patch
@@ -0,0 +1,33 @@
+From 94888d83efbbd3b3ddf194e35d4d10f03bb47bb2 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Fri, 17 Jan 2014 16:13:17 +0100
+Subject: [PATCH] Hide trust-resolve command
+
+We do not need to expose a public FreeIPA specific interface to resolve
+SIDs to names. The interface is only used internally to resolve SIDs
+when external group members are listed. Additionally, the command interface
+is not prepared for regular user and can give rather confusing results.
+
+Hide it from CLI. The API itself is still accessible and compatible with
+older clients.
+
+https://fedorahosted.org/freeipa/ticket/4113
+---
+ ipalib/plugins/trust.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 3d412c9c9f518347769e88ddc9089d6d92ccc4be..0b6db27c696cd169c8f4b33128520961c20e3015 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -978,6 +978,7 @@ def idmap_type_string(level):
+         return unicode(string)
+ 
+ class trust_resolve(Command):
++    NO_CLI = True
+     __doc__ = _('Resolve security identifiers of users and groups in trusted domains')
+ 
+     takes_options = (
+-- 
+1.8.4.2
+
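Review bot: `NO_CLI = True` affects only the command-line client; as the description says, `trust_resolve` stays callable over the RPC API by any authenticated client, so this is a usability change rather than an access-control one and must not be read as restricting who can resolve SIDs. A comment on the new line would make that explicit to the next maintainer, e.g. `# Internal helper used by the Web UI to resolve external group members; hidden from the CLI only, still exposed via the API`. The class body continues outside the hunk.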
diff --git a/SOURCES/0037-Trust-domains-Web-UI.patch b/SOURCES/0037-Trust-domains-Web-UI.patch
new file mode 100644
index 0000000..a7b76fb
--- /dev/null
+++ b/SOURCES/0037-Trust-domains-Web-UI.patch
@@ -0,0 +1,188 @@
+From 8dcaa8f17b94fd7056340622e49d8ab505694603 Mon Sep 17 00:00:00 2001
+From: Petr Vobornik <pvoborni@redhat.com>
+Date: Wed, 15 Jan 2014 18:01:02 +0100
+Subject: [PATCH] Trust domains Web UI
+
+Add Web UI counterpart of following CLI commands:
+
+* trust-fetch-domains Refresh list of the domains associated with the trust
+* trustdomain-del Remove infromation about the domain associated with the trust.
+* trustdomain-disable Disable use of IPA resources by the domain of the trust
+* trustdomain-enable Allow use of IPA resources by the domain of the trust
+* trustdomain-find Search domains of the trust
+
+https://fedorahosted.org/freeipa/ticket/4119
+---
+ install/ui/src/freeipa/search.js   | 11 +++---
+ install/ui/src/freeipa/trust.js    | 68 ++++++++++++++++++++++++++++++++++++++
+ install/ui/test/data/ipa_init.json |  1 +
+ ipalib/plugins/internal.py         |  1 +
+ 4 files changed, 77 insertions(+), 4 deletions(-)
+
+diff --git a/install/ui/src/freeipa/search.js b/install/ui/src/freeipa/search.js
+index c2e678a35e7d7d5179c1b766eea88599710593c3..3f7fdf9b1e6716c73e0657dc678abe332f6fc8c0 100644
+--- a/install/ui/src/freeipa/search.js
++++ b/install/ui/src/freeipa/search.js
+@@ -470,20 +470,23 @@ IPA.batch_items_action = function(spec) {
+     that.execute_action = function(facet, on_success, on_error) {
+ 
+         var entity = facet.managed_entity;
+-        var pkeys = facet.get_selected_values();
++        var selected_keys = facet.get_selected_values();
++        var pkeys = facet.get_pkeys();
++        if (!pkeys[0]) pkeys = []; // correction for search facet
+ 
+         that.batch = IPA.batch_command({
+             name: entity.name + '_batch_'+ that.method,
+             on_success: that.get_on_success(facet, on_success)
+         });
+ 
+-        for (var i=0; i<pkeys.length; i++) {
+-            var pkey = pkeys[i];
++        for (var i=0; i<selected_keys.length; i++) {
++            var item_keys = pkeys.splice(0);
++            item_keys.push(selected_keys[i]);
+ 
+             var command = IPA.command({
+                 entity: entity.name,
+                 method: that.method,
+-                args: [pkey]
++                args: item_keys
+             });
+ 
+             that.batch.add_command(command);
+diff --git a/install/ui/src/freeipa/trust.js b/install/ui/src/freeipa/trust.js
+index 2653d3e67c2c5591f000e32c43a3a5878eef28fd..51f2000b47fd7943cb9a200c9bec7ebd3459178a 100644
+--- a/install/ui/src/freeipa/trust.js
++++ b/install/ui/src/freeipa/trust.js
+@@ -48,6 +48,7 @@ return {
+             dest_facet: 'search'
+         }
+     ],
++    facet_groups: [ 'settings', 'trustdomain' ],
+     facets: [
+         {
+             $type: 'search',
+@@ -56,6 +57,63 @@ return {
+             ]
+         },
+         {
++            $type: 'nested_search',
++            $pre_ops: [
++                // trustdomain-add is hidden, remove add button
++                { $del: [[ 'control_buttons', [{ name: 'add'}] ]] }
++            ],
++            nested_entity: 'trustdomain',
++            facet_group: 'trustdomain',
++            name: 'domains',
++            label: '@mo:trustdomain.label',
++            tab_label: '@mo:trustdomain.label',
++            search_all_entries: true,
++            actions: [
++                {
++                    $type: 'batch_disable'
++                },
++                {
++                    $type: 'batch_enable'
++                },
++                {
++                    $type: 'object',
++                    name: 'fetch',
++                    label: '@i18n:objects.trust.fetch_domains',
++                    method: 'fetch_domains'
++                }
++            ],
++            control_buttons: [
++                {
++                    name: 'disable',
++                    label: '@i18n:buttons.disable',
++                    icon: 'fa-minus'
++                },
++                {
++                    name: 'enable',
++                    label: '@i18n:buttons.enable',
++                    icon: 'fa-check'
++                },
++                {
++                    name: 'fetch',
++                    label: '@i18n:objects.trust.fetch_domains',
++                    icon: 'fa-download'
++                }
++            ],
++            columns: [
++                {
++                    name: 'cn',
++                    link: false
++                },
++                {
++                    name: 'domain_enabled',
++                    label: '@i18n:status.label',
++                    formatter: 'boolean_status'
++                },
++                'ipantflatname',
++                'ipanttrusteddomainsid'
++            ]
++        },
++        {
+             $type: 'details',
+             sections: [
+                 {
+@@ -261,6 +319,13 @@ IPA.trust.adder_dialog = function(spec) {
+     return that;
+ };
+ 
++
++var make_trustdomain_spec = function() {
++return {
++    name: 'trustdomain',
++    containing_entity: 'trust'
++};};
++
+ var make_trustconfig_spec = function() {
+ return {
+     name: 'trustconfig',
+@@ -349,14 +414,17 @@ exp.remove_menu_item = function() {
+ };
+ 
+ exp.trust_spec = make_trust_spec();
++exp.trustdomain_spec = make_trustdomain_spec();
+ exp.trustconfig_spec = make_trustconfig_spec();
+ 
++
+ IPA.trust.register = function() {
+     var e = reg.entity;
+     var w = reg.widget;
+     var f = reg.field;
+ 
+     e.register({type: 'trust', spec: exp.trust_spec});
++    e.register({type: 'trustdomain', spec: exp.trustdomain_spec});
+     e.register({type: 'trustconfig', spec: exp.trustconfig_spec});
+ 
+     w.register('trust_fallbackgroup_select', IPA.trust.fallbackgroup_select_widget);
+diff --git a/install/ui/test/data/ipa_init.json b/install/ui/test/data/ipa_init.json
+index 8e0b2a33cc45d2a68878b7f3ab49b1491ae7c3f5..80a1c08ed3745bdce44676c6f2716e207f653e8d 100644
+--- a/install/ui/test/data/ipa_init.json
++++ b/install/ui/test/data/ipa_init.json
+@@ -464,6 +464,7 @@
+                             "details": "Trust Settings",
+                             "domain": "Domain",
+                             "establish_using": "Establish using",
++                            "fetch_domains": "Fetch domains",
+                             "ipantflatname": "Domain NetBIOS name",
+                             "ipanttrusteddomainsid": "Domain Security Identifier",
+                             "preshared_password": "Pre-shared password",
+diff --git a/ipalib/plugins/internal.py b/ipalib/plugins/internal.py
+index 83b505dae1c6349097f7ad5ed20ab25b5a262aa8..dbd40f91ef2b84beb1bb521dcbcdb059cd3b3c7e 100644
+--- a/ipalib/plugins/internal.py
++++ b/ipalib/plugins/internal.py
+@@ -600,6 +600,7 @@ class i18n_messages(Command):
+                 "details": _("Trust Settings"),
+                 "domain": _("Domain"),
+                 "establish_using": _("Establish using"),
++                "fetch_domains": _("Fetch domains"),
+                 "ipantflatname": _("Domain NetBIOS name"),
+                 "ipanttrusteddomainsid": _("Domain Security Identifier"),
+                 "preshared_password": _("Pre-shared password"),
+-- 
+1.8.4.2
+
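Review bot: `var item_keys = pkeys.splice(0);` in `execute_action` (search.js hunk) empties `pkeys` on the first loop iteration, because `splice(0)` removes and returns the elements rather than copying them, so only the first selected item's command receives the containing entity's keys and every later command is built with `args` holding just its own key. For nested facets such as the new trustdomain facet this means a batch disable/enable of several domains sends incomplete arguments for all but the first. Use a copy instead: `var item_keys = pkeys.slice(0);`. The closing lines of `execute_action` lie outside the hunk.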
diff --git a/SOURCES/0038-ipasam-delete-trusted-child-domains-before-removing-.patch b/SOURCES/0038-ipasam-delete-trusted-child-domains-before-removing-.patch
new file mode 100644
index 0000000..eb13168
--- /dev/null
+++ b/SOURCES/0038-ipasam-delete-trusted-child-domains-before-removing-.patch
@@ -0,0 +1,87 @@
+From 706617eee0f735d2a49fd41f5c86e8b22bbf5434 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Mon, 20 Jan 2014 16:42:48 +0200
+Subject: [PATCH] ipasam: delete trusted child domains before removing the
+ trust
+
+LDAP protocol doesn't allow deleting non-leaf entries. One needs to
+remove all leaves first before removing the tree node.
+
+https://fedorahosted.org/freeipa/ticket/4126
+---
+ daemons/ipa-sam/ipa_sam.c | 45 ++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 44 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 674085d2a14c67359df16458dbbb098414a24d8b..1ca504db4e442c834ebe44d7e3503abafd6f9602 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -2437,6 +2437,44 @@ done:
+ 	return status;
+ }
+ 
++static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn)
++{
++	LDAP *state = priv2ld(ldap_state);
++	int rc;
++	char *filter = NULL;
++	int scope = LDAP_SCOPE_SUBTREE;
++	LDAPMessage *result = NULL;
++	LDAPMessage *entry = NULL;
++	char *entry_dn = NULL;
++
++	/* use 'dn' for a temporary talloc context */
++	filter = talloc_asprintf(dn, "(objectClass=*)");
++	if (filter == NULL) {
++		return LDAP_NO_MEMORY;
++	}
++
++	rc = smbldap_search(ldap_state->smbldap_state, dn, scope, filter, NULL, 0, &result);
++	TALLOC_FREE(filter);
++
++	if (result != NULL) {
++		smbldap_talloc_autofree_ldapmsg(dn, result);
++	}
++
++	for (entry = ldap_first_entry(state, result);
++	     entry != NULL;
++	     entry = ldap_next_entry(state, entry)) {
++		entry_dn = get_dn(dn, state, entry);
++		/* remove child entries */
++		if ((entry_dn != NULL) && (strcmp(entry_dn, dn) != 0)) {
++			rc = smbldap_delete(ldap_state->smbldap_state, entry_dn);
++		}
++	}
++	rc = smbldap_delete(ldap_state->smbldap_state, dn);
++
++	/* caller will destroy dn */
++	return rc;
++}
++
+ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
+ 					   const char *domain)
+ {
+@@ -2444,7 +2482,7 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
+ 	struct ldapsam_privates *ldap_state =
+ 		(struct ldapsam_privates *)methods->private_data;
+ 	LDAPMessage *entry = NULL;
+-	const char *dn;
++	char *dn;
+ 	const char *domain_name;
+ 	TALLOC_CTX *tmp_ctx;
+ 	NTSTATUS status;
+@@ -2490,6 +2528,11 @@ static NTSTATUS ipasam_del_trusted_domain(struct pdb_methods *methods,
+ 	}
+ 
+ 	ret = smbldap_delete(ldap_state->smbldap_state, dn);
++	if (ret == LDAP_NOT_ALLOWED_ON_NONLEAF) {
++		/* delete_subtree will use 'dn' as temporary context too */
++		ret = delete_subtree(ldap_state, dn);
++	}
++
+ 	if (ret != LDAP_SUCCESS) {
+ 		status = NT_STATUS_UNSUCCESSFUL;
+ 		goto done;
+-- 
+1.8.4.2
+
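Review bot: `delete_subtree` never checks the `rc` returned by `smbldap_search`; on a failed search `result` stays NULL, the loop passes that NULL `result` to `ldap_first_entry`, and the failure is then masked because `rc` is overwritten by the final `smbldap_delete`. Add `if (rc != LDAP_SUCCESS) { return rc; }` right after `TALLOC_FREE(filter);`. The child deletions also discard their `rc`, which is tolerable only because a surviving child makes the final delete fail with the original non-leaf error; and since a subtree search does not return entries deepest-first, a child that itself has children would fail the same way — fine for the one-level trust domain layout this targets, but worth a comment on the function.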
diff --git a/SOURCES/0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch b/SOURCES/0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch
new file mode 100644
index 0000000..7bcceae
--- /dev/null
+++ b/SOURCES/0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch
@@ -0,0 +1,104 @@
+From c57ff0a9aae8e51de1de8671dc6c8d91a1f1af66 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Thu, 23 Jan 2014 14:39:24 +0100
+Subject: [PATCH] CLDAP: generate NetBIOS name like ipa-adtrust-install does
+
+Fixes  https://fedorahosted.org/freeipa/ticket/4116
+---
+ daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h    |  2 +
+ .../ipa-cldap/ipa_cldap_netlogon.c                 | 47 +++++++++++++++-------
+ 2 files changed, 35 insertions(+), 14 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h
+index 3f420ff2c5acc7bd75bff7f042f76b9c61144461..5e963e3f8557d468d646e6343366921d17242e2d 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.h
+@@ -51,6 +51,7 @@
+ #include <stdlib.h>
+ #include <pthread.h>
+ #include <dirsrv/slapi-plugin.h>
++#include <talloc.h>
+ #include "util.h"
+ 
+ #define IPA_CLDAP_PLUGIN_NAME "CLDAP Server"
+@@ -106,4 +107,5 @@ int ipa_cldap_netlogon(struct ipa_cldap_ctx *ctx,
+                        struct ipa_cldap_req *req,
+                        struct berval *reply);
+ 
++char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s);
+ #endif /* _IPA_CLDAP_H_ */
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+index c03172d474589ddee84f1cfa5395c23fdba83bcb..1d16de7be09cf9675c2ee1a602ddfb800cd6e7af 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_netlogon.c
+@@ -121,6 +121,38 @@ done:
+     return ret;
+ }
+ 
++char *make_netbios_name(TALLOC_CTX *mem_ctx, const char *s)
++{
++    char *nb_name;
++    const char *p;
++    size_t c = 0;
++
++    if (s == NULL) {
++        return NULL;
++    }
++
++    nb_name = talloc_zero_size(mem_ctx, NETBIOS_NAME_MAX + 1);
++    if (nb_name == NULL) {
++        return NULL;
++    }
++
++    for (p = s; *p && c < NETBIOS_NAME_MAX; p++) {
++        /* Create the NetBIOS name from the first segment of the hostname */
++        if (*p == '.') {
++            break;
++        } else if (isalnum(*p)) {
++            nb_name[c++] = toupper(*p);
++        }
++    }
++
++    if (*nb_name == '\0') {
++        talloc_free(nb_name);
++        return NULL;
++    }
++
++    return nb_name;
++}
++
+ #define NETLOGON_SAM_LOGON_RESPONSE_EX_pusher \
+             (ndr_push_flags_fn_t)ndr_push_NETLOGON_SAM_LOGON_RESPONSE_EX
+ 
+@@ -131,8 +163,6 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
+     struct NETLOGON_SAM_LOGON_RESPONSE_EX *nlr;
+     enum ndr_err_code ndr_err;
+     DATA_BLOB blob;
+-    char *pdc_name;
+-    char *p;
+     int ret;
+ 
+     nlr = talloc_zero(NULL, struct NETLOGON_SAM_LOGON_RESPONSE_EX);
+@@ -162,18 +192,7 @@ static int ipa_cldap_encode_netlogon(char *fq_hostname, char *domain,
+     nlr->pdc_dns_name = fq_hostname;
+     nlr->domain_name = name;
+ 
+-    /* copy the first 15 characters of the fully qualified hostname*/
+-    pdc_name = talloc_asprintf(nlr, "%.*s", NETBIOS_NAME_MAX, fq_hostname);
+-
+-    for (p = pdc_name; *p; p++) {
+-        /* Create the NetBIOS name from the first segment of the hostname */
+-        if (*p == '.') {
+-            *p = '\0';
+-            break;
+-        }
+-        *p = toupper(*p);
+-    }
+-    nlr->pdc_name = pdc_name;
++    nlr->pdc_name = make_netbios_name(nlr, fq_hostname);
+     nlr->user_name = "";
+     nlr->server_site = "Default-First-Site-Name";
+     nlr->client_site = "Default-First-Site-Name";
+-- 
+1.8.3.1
+
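Review bot: `isalnum(*p)` and `toupper(*p)` in `make_netbios_name` are called with a plain `char`; on platforms where `char` is signed, any byte above 0x7F in the hostname (e.g. an IDN label) becomes a negative argument, which is undefined behaviour for the `<ctype.h>` functions. Cast first: `} else if (isalnum((unsigned char)*p)) {` and `nb_name[c++] = toupper((unsigned char)*p);`. The new function also drops non-alphanumeric characters such as `-` where the code it replaces kept them — intended per the subject line, but a hostname like `ipa-srv` now yields `IPASRV`, which is worth stating in the function's comment. `ipa_cldap_encode_netlogon` now stores a possibly NULL `pdc_name` without a check; if the NDR push does not accept a NULL string, the empty-name case needs handling at the call site.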
diff --git a/SOURCES/0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch b/SOURCES/0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
new file mode 100644
index 0000000..5483f37
--- /dev/null
+++ b/SOURCES/0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
@@ -0,0 +1,108 @@
+From 2392ccb4ff9f0310512a6313240749900567d831 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Thu, 30 Jan 2014 16:58:25 +0100
+Subject: [PATCH] Fallback to global policy in ipa-lockout plugin
+
+krbPwdPolicyReference is no longer filled default users. Instead, plugins
+fallback to hardcoded global policy reference.
+
+Fix ipa-lockout plugin to fallback to it instead of failing to apply
+the policy.
+
+https://fedorahosted.org/freeipa/ticket/4085
+---
+ .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c    | 34 ++++++++++++++++++++++
+ 1 file changed, 34 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+index fd6602fdee9b2fd95c154fd512fcba4f37e56bad..5a24359d319aaea28773daa01d268d2d46583270 100644
+--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
++++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+@@ -49,6 +49,7 @@
+ #include <time.h>
+ #include "slapi-plugin.h"
+ #include "nspr.h"
++#include <krb5.h>
+ 
+ #include "util.h"
+ 
+@@ -81,6 +82,8 @@ static int g_plugin_started = 0;
+ 
+ static struct ipa_context *global_ipactx = NULL;
+ 
++static char *ipa_global_policy = NULL;
++
+ #define GENERALIZED_TIME_LENGTH 15
+ 
+ /**
+@@ -142,8 +145,11 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+     Slapi_Attr *attr = NULL;
+     char *dn = NULL;
+     char *basedn = NULL;
++    char *realm = NULL;
+     Slapi_DN *sdn;
+     Slapi_Entry *config_entry;
++    krb5_context krbctx = NULL;
++    krb5_error_code krberr;
+     int ret;
+ 
+     /* Get cn=config so we can get the default naming context */
+@@ -167,6 +173,28 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+         goto done;
+     }
+ 
++    krberr = krb5_init_context(&krbctx);
++    if (krberr) {
++        LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
++        ret = LDAP_OPERATIONS_ERROR;
++        goto done;
++    }
++
++    krberr = krb5_get_default_realm(krbctx, &realm);
++    if (krberr) {
++        LOG_FATAL("Failed to get default realm (%d)\n", krberr);
++        ret = LDAP_OPERATIONS_ERROR;
++        goto done;
++    }
++
++    ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
++                                          realm, basedn);
++    if (!ipa_global_policy) {
++        LOG_OOM();
++        ret = LDAP_OPERATIONS_ERROR;
++        goto done;
++    }
++
+     ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
+     if (ret == -1) {
+         LOG_OOM();
+@@ -221,6 +249,8 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+ done:
+     if (config_entry)
+         slapi_entry_free(config_entry);
++    free(realm);
++    krb5_free_context(krbctx);
+     free(dn);
+     free(basedn);
+     return ret;
+@@ -248,6 +278,8 @@ int ipalockout_getpolicy(Slapi_Entry *target_entry, Slapi_Entry **policy_entry,
+             slapi_valueset_first_value(*values, &sv);
+             *policy_dn = slapi_value_get_string(sv);
+         }
++    } else {
++        *policy_dn = ipa_global_policy;
+     }
+ 
+     if (*policy_dn == NULL) {
+@@ -376,6 +408,8 @@ ipalockout_close(Slapi_PBlock * pb)
+ {
+     LOG_TRACE( "--in-->\n");
+ 
++    slapi_ch_free_string(&ipa_global_policy);
++
+     LOG_TRACE("<--out--\n");
+ 
+     return EOK;
+-- 
+1.8.5.3
+
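Review bot: `free(realm)` in the `done:` label of `ipalockout_get_global_config` releases a string obtained from `krb5_get_default_realm`, which the krb5 API says to release with `krb5_free_default_realm(krbctx, realm);` — it happens to work with the MIT allocator but is not the documented contract. Also, `ipa_global_policy` is assigned without freeing any previous value, so if this configuration routine can run more than once per plugin lifetime the earlier string leaks; `slapi_ch_free_string(&ipa_global_policy);` before the assignment would make it safe either way. The DN built here is derived from the default realm and the naming context rather than from request data, so the format string itself is fine. The enclosing function starts and ends outside the hunk.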
diff --git a/SOURCES/0041-Migration-does-not-add-users-to-default-group.patch b/SOURCES/0041-Migration-does-not-add-users-to-default-group.patch
new file mode 100644
index 0000000..10c292c
--- /dev/null
+++ b/SOURCES/0041-Migration-does-not-add-users-to-default-group.patch
@@ -0,0 +1,59 @@
+From 8b7a17d19428fa13dcd76893d758863adb9f515e Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Mon, 27 Jan 2014 12:28:12 +0100
+Subject: [PATCH] Migration does not add users to default group
+
+When users with missing default group were searched, IPA suffix was
+not passed so these users were searched in a wrong base DN. Thus,
+no user was detected and added to default group.
+
+https://fedorahosted.org/freeipa/ticket/4141
+---
+ ipalib/plugins/migration.py | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/ipalib/plugins/migration.py b/ipalib/plugins/migration.py
+index 83bf40dbfa4cf2310b2501c28cf095299711331d..0ed65f7015f458aa1cf96efb0e36e28c5019cbd2 100644
+--- a/ipalib/plugins/migration.py
++++ b/ipalib/plugins/migration.py
+@@ -286,19 +286,21 @@ def _update_default_group(ldap, pkey, config, ctx, force):
+         searchfilter = "(&(objectclass=posixAccount)(!(memberof=%s)))" % group_dn
+         try:
+             (result, truncated) = ldap.find_entries(searchfilter,
+-                [''], api.env.container_user, scope=ldap.SCOPE_SUBTREE,
+-                time_limit = -1)
++                [''], DN(api.env.container_user, api.env.basedn),
++                scope=ldap.SCOPE_SUBTREE, time_limit = -1)
+         except errors.NotFound:
++            api.log.debug('All users have default group set')
+             return
+         new_members = []
+         (group_dn, group_entry_attrs) = ldap.get_entry(group_dn, ['member'])
++        existing_members = set(group_entry_attrs.get('member', []))
+         for m in result:
+-            if m[0] not in group_entry_attrs.get('member', []):
++            if m[0] not in existing_members:
+                 new_members.append(m[0])
+-        if len(new_members) > 0:
+-            members = group_entry_attrs.get('member', [])
++
++        if new_members:
++            members = group_entry_attrs.setdefault('member', [])
+             members.extend(new_members)
+-            group_entry_attrs['member'] = members
+ 
+             try:
+                 ldap.update_entry(group_dn, group_entry_attrs)
+@@ -308,7 +310,8 @@ def _update_default_group(ldap, pkey, config, ctx, force):
+         e = datetime.datetime.now()
+         d = e - s
+         mode = " (forced)" if force else ""
+-        api.log.debug('Adding %d users to group%s duration %s' % (len(new_members), mode, d))
++        api.log.debug('Adding %d users to group%s duration %s',
++                len(new_members), mode, d)
+ 
+ # GROUP MIGRATION CALLBACKS AND VARS
+ 
+-- 
+1.8.5.3
+
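Review bot: `truncated` from `ldap.find_entries` is still ignored in `_update_default_group`, so when the search hits a size or time limit only the returned subset of users is added to the default group and the rest are silently left out — a similar symptom to the one this commit fixes, just for large migrations. Log it at least, e.g. `if truncated: api.log.warning('Default group member search was truncated; some users may be missing from the default group')`, placed after the `try`/`except` block. The switch from a list to `set(...)` for `existing_members` also assumes the member values hash consistently with their equality (they appear to be DN objects) — presumably true, but worth confirming, since a mismatch would re-add existing members. The function starts and ends outside the hunks.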
diff --git a/SOURCES/0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch b/SOURCES/0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
new file mode 100644
index 0000000..3020bec
--- /dev/null
+++ b/SOURCES/0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
@@ -0,0 +1,65 @@
+From c41034f5ab587023d9941409618bdf5dc9046fae Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Tue, 4 Feb 2014 11:02:34 +0100
+Subject: [PATCH] ipa-lockout: do not fail when default realm cannot be read
+
+When ipa-lockout plugin is started during FreeIPA server installation,
+the default realm may not be available and plugin should then not end
+with failure.
+
+Similarly to other plugins, start in degraded mode in this situation.
+Operation is fully restored during the final services restart.
+
+https://fedorahosted.org/freeipa/ticket/4085
+---
+ .../ipa-slapi-plugins/ipa-lockout/ipa_lockout.c    | 34 +++++++++++-----------
+ 1 file changed, 17 insertions(+), 17 deletions(-)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+index 5a24359d319aaea28773daa01d268d2d46583270..265c2701c36fe78486a2bdd4a66366b0b05472a0 100644
+--- a/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
++++ b/daemons/ipa-slapi-plugins/ipa-lockout/ipa_lockout.c
+@@ -176,23 +176,23 @@ ipalockout_get_global_config(struct ipa_context *ipactx)
+     krberr = krb5_init_context(&krbctx);
+     if (krberr) {
+         LOG_FATAL("krb5_init_context failed (%d)\n", krberr);
+-        ret = LDAP_OPERATIONS_ERROR;
+-        goto done;
+-    }
+-
+-    krberr = krb5_get_default_realm(krbctx, &realm);
+-    if (krberr) {
+-        LOG_FATAL("Failed to get default realm (%d)\n", krberr);
+-        ret = LDAP_OPERATIONS_ERROR;
+-        goto done;
+-    }
+-
+-    ipa_global_policy = slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
+-                                          realm, basedn);
+-    if (!ipa_global_policy) {
+-        LOG_OOM();
+-        ret = LDAP_OPERATIONS_ERROR;
+-        goto done;
++        /* Yes, we failed, but it is because /etc/krb5.conf doesn't exist
++         * or is misconfigured. Start up in a degraded mode.
++         */
++    } else {
++        krberr = krb5_get_default_realm(krbctx, &realm);
++        if (krberr) {
++            LOG_FATAL("Failed to get default realm (%d)\n", krberr);
++        } else {
++            ipa_global_policy =
++                slapi_ch_smprintf("cn=global_policy,cn=%s,cn=kerberos,%s",
++                                  realm, basedn);
++            if (!ipa_global_policy) {
++                LOG_OOM();
++                ret = LDAP_OPERATIONS_ERROR;
++                goto done;
++            }
++        }
+     }
+ 
+     ret = asprintf(&dn, "cn=ipaConfig,cn=etc,%s", basedn);
+-- 
+1.8.5.3
+
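Review bot: the `LOG_FATAL` calls in the new degraded-mode branches no longer match what the code does — after logging, initialisation continues with `ipa_global_policy` left NULL, which, given the fallback added in the previous patch, likely means users without an explicit `krbPwdPolicyReference` get no lockout policy applied until the plugin is re-initialised. That is acceptable during installation, but the same path is taken on a running server with a broken `/etc/krb5.conf`, so the message should state the consequence: `LOG_FATAL("krb5_init_context failed (%d); starting in degraded mode, global lockout policy fallback unavailable until restart\n", krberr);` and likewise for the default-realm failure. The enclosing function starts and ends outside the hunk.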
diff --git a/SOURCES/0043-ipa-tool-Print-the-name-of-the-server-we-are-connect.patch b/SOURCES/0043-ipa-tool-Print-the-name-of-the-server-we-are-connect.patch
new file mode 100644
index 0000000..9f66da8
--- /dev/null
+++ b/SOURCES/0043-ipa-tool-Print-the-name-of-the-server-we-are-connect.patch
@@ -0,0 +1,72 @@
+From 09a2ae5368abce22e397fef29d3acf3c16b8b96c Mon Sep 17 00:00:00 2001
+From: Petr Viktorin <pviktori@redhat.com>
+Date: Wed, 5 Feb 2014 09:24:22 +0100
+Subject: [PATCH 43/46] ipa tool: Print the name of the server we are
+ connecting to with -v
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The logging level for these messages was decreaed so that they
+do not show up in ipa-advise output.
+Reset the log level to INFO and configure ipa-advise to not display
+INFO messages from xmlclient by default.
+
+Partially reverts commit efe5a96725d3ddcd05b03a1ca9df5597eee693be
+
+https://fedorahosted.org/freeipa/ticket/4135
+
+Reviewed-By: Tomáš Babej <tbabej@redhat.com>
+---
+ ipalib/rpc.py            | 4 ++--
+ ipaserver/advise/base.py | 5 +++++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/ipalib/rpc.py b/ipalib/rpc.py
+index 81e7aa35fdf780b3dcd850cfcc3ba5285d71e461..1eec1134617dd49395c2b36f11f304c473067a5d 100644
+--- a/ipalib/rpc.py
++++ b/ipalib/rpc.py
+@@ -621,7 +621,7 @@ def create_connection(self, ccache=None, verbose=False, fallback=True,
+                     kw['transport'] = KerbTransport()
+             else:
+                 kw['transport'] = LanguageAwareTransport()
+-            self.log.debug('trying %s' % url)
++            self.log.info('trying %s' % url)
+             setattr(context, 'request_url', url)
+             serverproxy = ServerProxy(url, **kw)
+             if len(urls) == 1:
+@@ -697,7 +697,7 @@ def forward(self, name, *args, **kw):
+                 '%s.forward(): %r not in api.Command' % (self.name, name)
+             )
+         server = getattr(context, 'request_url', None)
+-        self.debug("Forwarding '%s' to server '%s'", name, server)
++        self.log.info("Forwarding '%s' to server '%s'", name, server)
+         command = getattr(self.conn, name)
+         params = [args, kw]
+         try:
+diff --git a/ipaserver/advise/base.py b/ipaserver/advise/base.py
+index 92dbb4e9e30c6d624eca95609568ae62bd9ea7fe..056cb808d24805202f16b4afd60356163ca9006a 100644
+--- a/ipaserver/advise/base.py
++++ b/ipaserver/advise/base.py
+@@ -22,6 +22,7 @@
+ from ipalib.errors import ValidationError
+ from ipapython import admintool
+ from textwrap import wrap
++from ipapython.ipa_log_manager import log_mgr
+ 
+ 
+ """
+@@ -173,6 +174,10 @@ def run(self):
+ 
+         api.bootstrap(in_server=False, context='advise')
+         api.finalize()
++        if not self.options.verbose:
++            # Do not print connection information by default
++            logger_name = r'ipa\.ipalib\.rpc\.xmlclient'
++            log_mgr.configure(dict(logger_regexps=[(logger_name, 'warning')]))
+ 
+         # With no argument, print the list out and exit
+         if not self.args:
+-- 
+1.8.5.3
+
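Review bot: the two new log calls in rpc.py are written inconsistently — `self.log.info('trying %s' % url)` formats eagerly, while `self.log.info("Forwarding '%s' to server '%s'", name, server)` passes lazy arguments; use the lazy form for both: `self.log.info('trying %s', url)`. In the advise hunk, `log_mgr.configure` is applied after `api.finalize()` to silence INFO from the xmlclient logger when `--verbose` is not given; this presumably relies on nothing later re-applying the logger configuration, which is worth confirming. Both hunks sit inside methods whose bodies continue outside the hunk.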
diff --git a/SOURCES/0044-Remove-sourcehostcategory-from-the-default-HBAC-rule.patch b/SOURCES/0044-Remove-sourcehostcategory-from-the-default-HBAC-rule.patch
new file mode 100644
index 0000000..b2822e3
--- /dev/null
+++ b/SOURCES/0044-Remove-sourcehostcategory-from-the-default-HBAC-rule.patch
@@ -0,0 +1,41 @@
+From b3d761fb187f08d910df0bee420e9ed3b23d035f Mon Sep 17 00:00:00 2001
+From: Jan Cholasta <jcholast@redhat.com>
+Date: Thu, 6 Feb 2014 12:33:43 +0100
+Subject: [PATCH 44/46] Remove sourcehostcategory from the default HBAC rule.
+
+https://fedorahosted.org/freeipa/ticket/4158
+
+Reviewed-By: Martin Kosek <mkosek@redhat.com>
+---
+ install/share/default-hbac.ldif | 1 -
+ ipalib/plugins/hbacrule.py      | 2 +-
+ 2 files changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/install/share/default-hbac.ldif b/install/share/default-hbac.ldif
+index b7b6ba28453b867fa142d038b1e35e162dac800f..52fd30ec9ac4e01f68d9cc6a94fb4cc15177e10b 100644
+--- a/install/share/default-hbac.ldif
++++ b/install/share/default-hbac.ldif
+@@ -7,7 +7,6 @@ dn:
+ accessruletype: allow
+ usercategory: all
+ hostcategory: all
+-sourcehostcategory: all
+ servicecategory: all
+ ipaenabledflag: TRUE
+ description: Allow all users to access any host from any host
+diff --git a/ipalib/plugins/hbacrule.py b/ipalib/plugins/hbacrule.py
+index 5cc8bc1a34de38ce5c5f6faf8ea24ee6873bf0b7..daf165346ba67c6525f7ab2034519c7a03fd3394 100644
+--- a/ipalib/plugins/hbacrule.py
++++ b/ipalib/plugins/hbacrule.py
+@@ -118,7 +118,7 @@ class hbacrule(LDAPObject):
+     default_attributes = [
+         'cn', 'ipaenabledflag',
+         'description', 'usercategory', 'hostcategory',
+-        'sourcehostcategory', 'servicecategory', 'ipaenabledflag',
++        'servicecategory', 'ipaenabledflag',
+         'memberuser', 'sourcehost', 'memberhost', 'memberservice',
+         'memberhostgroup', 'externalhost',
+     ]
+-- 
+1.8.5.3
+
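Review bot: `'ipaenabledflag'` is still listed twice in `default_attributes` — once on the first element line and again on the edited line `'servicecategory', 'ipaenabledflag',` — so the duplicate could be dropped while this line is being touched. The `'sourcehost'` entry is kept even though `sourcehostcategory` goes, which looks intentional since only the default rule's category attribute is being removed; a one-line comment on the list saying so would stop the next reader from "fixing" it. The `hbacrule` class body continues outside the hunk.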
diff --git a/SOURCES/0045-DNS-classless-support-for-reverse-domains.patch b/SOURCES/0045-DNS-classless-support-for-reverse-domains.patch
new file mode 100644
index 0000000..3611dcc
--- /dev/null
+++ b/SOURCES/0045-DNS-classless-support-for-reverse-domains.patch
@@ -0,0 +1,229 @@
+From c884a56c2d9996fc54c054c78d56eae50f696997 Mon Sep 17 00:00:00 2001
+From: Martin Basti <mbasti@redhat.com>
+Date: Fri, 31 Jan 2014 15:42:31 +0100
+Subject: [PATCH 45/46] DNS classless support for reverse domains
+
+Now users can add reverse zones in classless form:
+0/25.1.168.192.in-addr.arpa.
+0-25.1.168.192.in-addr.arpa.
+
+128/25 NS ns.example.com.
+10 CNAME 10.128/25.1.168.192.in-addr.arpa.
+
+Ticket: https://fedorahosted.org/freeipa/ticket/4143
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ ipalib/plugins/dns.py | 45 +++++++++++++++++++++++++++----------
+ ipalib/util.py        | 61 ++++++++++++++++++++++++++++++---------------------
+ 2 files changed, 70 insertions(+), 36 deletions(-)
+
+diff --git a/ipalib/plugins/dns.py b/ipalib/plugins/dns.py
+index 94ae92ba5d1ae42e31ebb6100c743a2334f29e70..a78dc9e90a04a00a731541f8a04db5c0f0dd12bb 100644
+--- a/ipalib/plugins/dns.py
++++ b/ipalib/plugins/dns.py
+@@ -368,25 +368,31 @@ def _normalize_bind_aci(bind_acis):
+     acis += u';'
+     return acis
+ 
+-def _bind_hostname_validator(ugettext, value):
++def _bind_hostname_validator(ugettext, value, allow_slash=False):
+     if value == _dns_zone_record:
+         return
+     try:
+         # Allow domain name which is not fully qualified. These are supported
+         # in bind and then translated as <non-fqdn-name>.<domain>.
+-        validate_hostname(value, check_fqdn=False, allow_underscore=True)
++        validate_hostname(value, check_fqdn=False, allow_underscore=True, allow_slash=allow_slash)
+     except ValueError, e:
+         return _('invalid domain-name: %s') \
+             % unicode(e)
+ 
+     return None
+ 
++def _bind_cname_hostname_validator(ugettext, value):
++    """
++    Validator for CNAME allows classless domain names (25/0.0.10.in-addr.arpa.)
++    """
++    return _bind_hostname_validator(ugettext, value, allow_slash=True)
++
+ def _dns_record_name_validator(ugettext, value):
+     if value == _dns_zone_record:
+         return
+ 
+     try:
+-        map(lambda label:validate_dns_label(label, allow_underscore=True), \
++        map(lambda label:validate_dns_label(label, allow_underscore=True, allow_slash=True), \
+             value.split(u'.'))
+     except ValueError, e:
+         return unicode(e)
+@@ -411,7 +417,10 @@ def _validate_bind_forwarder(ugettext, forwarder):
+ 
+ def _domain_name_validator(ugettext, value):
+     try:
+-        validate_domain_name(value)
++        #classless reverse zones can contain slash '/'
++        normalized_zone = normalize_zone(value)
++        validate_domain_name(value, allow_slash=zone_is_reverse(normalized_zone))
++
+     except ValueError, e:
+         return unicode(e)
+ 
+@@ -939,7 +948,7 @@ class CNAMERecord(DNSRecord):
+     rfc = 1035
+     parts = (
+         Str('hostname',
+-            _bind_hostname_validator,
++            _bind_cname_hostname_validator,
+             label=_('Hostname'),
+             doc=_('A hostname which this alias hostname points to'),
+         ),
+@@ -960,7 +969,7 @@ class DNAMERecord(DNSRecord):
+     rfc = 2672
+     parts = (
+         Str('target',
+-            _bind_hostname_validator,
++            _bind_cname_hostname_validator,
+             label=_('Target'),
+         ),
+     )
+@@ -2119,6 +2128,14 @@ class dnsrecord(LDAPObject):
+                            doc=_('Parse all raw DNS records and return them in a structured way'),
+                            )
+ 
++    def _idnsname_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
++        if not self.is_pkey_zone_record(*keys):
++            zone, addr = normalize_zone(keys[-2]), keys[-1]
++            try:
++                validate_domain_name(addr, allow_underscore=True, allow_slash=zone_is_reverse(zone))
++            except ValueError, e:
++                raise errors.ValidationError(name='idnsname', error=unicode(e))
++
+     def _nsrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
+         assert isinstance(dn, DN)
+         nsrecords = entry_attrs.get('nsrecord')
+@@ -2132,6 +2149,7 @@ def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
+         ptrrecords = entry_attrs.get('ptrrecord')
+         if ptrrecords is None:
+             return
++
+         zone = keys[-2]
+         if self.is_pkey_zone_record(*keys):
+             addr = u''
+@@ -2150,11 +2168,16 @@ def _ptrrecord_pre_callback(self, ldap, dn, entry_attrs, *keys, **options):
+                     error=unicode(_('Reverse zone for PTR record should be a sub-zone of one the following fully qualified domains: %s') % allowed_zones))
+ 
+         addr_len = len(addr.split('.')) if addr else 0
+-        ip_addr_comp_count = addr_len + len(zone.split('.'))
+-        if ip_addr_comp_count != zone_len:
+-            raise errors.ValidationError(name='ptrrecord',
+-                error=unicode(_('Reverse zone %(name)s requires exactly %(count)d IP address components, %(user_count)d given')
+-                % dict(name=zone_name, count=zone_len, user_count=ip_addr_comp_count)))
++
++        #Classless zones (0/25.0.0.10.in-addr.arpa.) -> skip check
++        #zone has to be checked without reverse domain suffix (in-addr.arpa.)
++        if ('/' not in addr and '/' not in zone and
++            '-' not in addr and '-' not in zone):
++            ip_addr_comp_count = addr_len + len(zone.split('.'))
++            if ip_addr_comp_count != zone_len:
++                raise errors.ValidationError(name='ptrrecord',
++                      error=unicode(_('Reverse zone %(name)s requires exactly %(count)d IP address components, %(user_count)d given')
++                      % dict(name=zone_name, count=zone_len, user_count=ip_addr_comp_count)))
+ 
+     def run_precallback_validators(self, dn, entry_attrs, *keys, **options):
+         assert isinstance(dn, DN)
+diff --git a/ipalib/util.py b/ipalib/util.py
+index 3c52e4fd9a3e08d160dd4ae7076590be8b869d2c..17851294a78507aba7035390c3695184b7d641b1 100644
+--- a/ipalib/util.py
++++ b/ipalib/util.py
+@@ -215,34 +215,45 @@ def normalize_zone(zone):
+     else:
+         return zone
+ 
+-def validate_dns_label(dns_label, allow_underscore=False):
+-    label_chars = r'a-z0-9'
+-    underscore_err_msg = ''
+-    if allow_underscore:
+-        label_chars += "_"
+-        underscore_err_msg = u' _,'
+-    label_regex = r'^[%(chars)s]([%(chars)s-]?[%(chars)s])*$' % dict(chars=label_chars)
+-    regex = re.compile(label_regex, re.IGNORECASE)
+-
+-    if not dns_label:
+-        raise ValueError(_('empty DNS label'))
+-
+-    if len(dns_label) > 63:
+-        raise ValueError(_('DNS label cannot be longer that 63 characters'))
+-
+-    if not regex.match(dns_label):
+-        raise ValueError(_('only letters, numbers,%(underscore)s and - are allowed. ' \
+-                           'DNS label may not start or end with -') \
+-                           % dict(underscore=underscore_err_msg))
+-
+-def validate_domain_name(domain_name, allow_underscore=False):
++
++def validate_dns_label(dns_label, allow_underscore=False, allow_slash=False):
++     base_chars = 'a-z0-9'
++     extra_chars = ''
++     middle_chars = ''
++
++     if allow_underscore:
++         extra_chars += '_'
++     if allow_slash:
++         middle_chars += '/'
++
++     middle_chars = middle_chars + '-' #has to be always the last in the regex [....-]
++
++     label_regex = r'^[%(base)s%(extra)s]([%(base)s%(extra)s%(middle)s]?[%(base)s%(extra)s])*$' \
++         % dict(base=base_chars, extra=extra_chars, middle=middle_chars)
++     regex = re.compile(label_regex, re.IGNORECASE)
++
++     if not dns_label:
++         raise ValueError(_('empty DNS label'))
++
++     if len(dns_label) > 63:
++         raise ValueError(_('DNS label cannot be longer that 63 characters'))
++
++     if not regex.match(dns_label):
++         chars = ', '.join("'%s'" % c for c in extra_chars + middle_chars)
++         chars2 = ', '.join("'%s'" % c for c in middle_chars)
++         raise ValueError(_("only letters, numbers, %(chars)s are allowed. " \
++                            "DNS label may not start or end with %(chars2)s") \
++                            % dict(chars=chars, chars2=chars2))
++
++
++def validate_domain_name(domain_name, allow_underscore=False, allow_slash=False):
+     if domain_name.endswith('.'):
+         domain_name = domain_name[:-1]
+ 
+     domain_name = domain_name.split(".")
+ 
+     # apply DNS name validator to every name part
+-    map(lambda label:validate_dns_label(label,allow_underscore), domain_name)
++    map(lambda label:validate_dns_label(label, allow_underscore, allow_slash), domain_name)
+ 
+ 
+ def validate_zonemgr(zonemgr):
+@@ -287,7 +298,7 @@ def validate_zonemgr(zonemgr):
+                local_part.split(local_part_sep)):
+         raise ValueError(local_part_errmsg)
+ 
+-def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):
++def validate_hostname(hostname, check_fqdn=True, allow_underscore=False, allow_slash=False):
+     """ See RFC 952, 1123
+ 
+     :param hostname Checked value
+@@ -305,9 +316,9 @@ def validate_hostname(hostname, check_fqdn=True, allow_underscore=False):
+     if '.' not in hostname:
+         if check_fqdn:
+             raise ValueError(_('not fully qualified'))
+-        validate_dns_label(hostname,allow_underscore)
++        validate_dns_label(hostname, allow_underscore, allow_slash)
+     else:
+-        validate_domain_name(hostname,allow_underscore)
++        validate_domain_name(hostname, allow_underscore, allow_slash)
+ 
+ def normalize_sshpubkey(value):
+     return SSHPublicKey(value).openssh()
+-- 
+1.8.5.3
+
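Review bot: `_idnsname_pre_callback` only enforces the per-zone slash restriction if `run_precallback_validators` (its `def` is the last line of the hunk, body outside) actually dispatches to it, and that dispatch appears to be keyed on the attribute names present in `entry_attrs`; if `idnsname` is not always in `entry_attrs` on add and mod, the check never runs, and `_dns_record_name_validator`, which now passes `allow_slash=True` unconditionally, would admit `/` in forward-zone record names. A test adding a forward-zone record whose name contains `/`, or at least a comment on the method naming the dispatch it relies on, would pin this down. In `_ptrrecord_pre_callback` the component-count check is skipped whenever `-` appears in `addr` or `zone`; that is only correct if `zone` has already had its reverse suffix stripped (the stripping is outside the hunk, as the existing comment implies), so `# zone is the reverse prefix without in-addr.arpa./ip6.arpa. here` on the condition would make that precondition explicit.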
diff --git a/SOURCES/0046-Move-ipa-otpd-socket-directory.patch b/SOURCES/0046-Move-ipa-otpd-socket-directory.patch
new file mode 100644
index 0000000..87a59bf
--- /dev/null
+++ b/SOURCES/0046-Move-ipa-otpd-socket-directory.patch
@@ -0,0 +1,84 @@
+From e7d5a0c79e780fddb97bcbf2763a19a2c0b244c7 Mon Sep 17 00:00:00 2001
+From: Nathaniel McCallum <npmccallum@redhat.com>
+Date: Fri, 7 Feb 2014 11:56:33 -0500
+Subject: [PATCH 46/46] Move ipa-otpd socket directory
+
+https://fedorahosted.org/freeipa/ticket/4167
+Reviewed-By: Martin Kosek <mkosek@redhat.com>
+---
+ daemons/configure.ac                | 6 +++---
+ daemons/ipa-otpd/Makefile.am        | 2 +-
+ daemons/ipa-otpd/ipa-otpd.socket.in | 4 ++--
+ freeipa.spec.in                     | 2 +-
+ 4 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/daemons/configure.ac b/daemons/configure.ac
+index e57dad27614f268d3e5bbafc99b739a5cfa2589b..5646c3873beee996999e4f1d87aea653f4b5dd1b 100644
+--- a/daemons/configure.ac
++++ b/daemons/configure.ac
+@@ -60,10 +60,10 @@ AC_CHECK_LIB(k5crypto, main, [krb5crypto=k5crypto], [krb5crypto=crypto])
+ AC_CHECK_LIB(krad, main, [], [AC_MSG_ERROR([libkrad not found])])
+ KRB5_LIBS="-lkrb5 -l$krb5crypto -lcom_err"
+ KRAD_LIBS="-lkrad"
+-krb5kdcdir="${localstatedir}/kerberos/krb5kdc"
++krb5rundir="${localstatedir}/run/krb5kdc"
+ AC_SUBST(KRB5_LIBS)
+ AC_SUBST(KRAD_LIBS)
+-AC_SUBST(krb5kdcdir)
++AC_SUBST(krb5rundir)
+ 
+ dnl ---------------------------------------------------------------------------
+ dnl - Check for Mozilla LDAP and OpenLDAP SDK
+@@ -337,7 +337,7 @@ echo "
+         sysconfdir:               ${sysconfdir}
+         localstatedir:            ${localstatedir}
+         datadir:                  ${datadir}
+-        krb5kdcdir:               ${krb5kdcdir}
++        krb5rundir:               ${krb5rundir}
+         systemdsystemunitdir:     ${systemdsystemunitdir}
+         source code location:     ${srcdir}
+         compiler:                 ${CC}
+diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
+index af82a5fe08856573d2d245608ba1dbaad171c7fe..83921748426d801e1edeec23f956689be5fe98b5 100644
+--- a/daemons/ipa-otpd/Makefile.am
++++ b/daemons/ipa-otpd/Makefile.am
+@@ -9,7 +9,7 @@ systemdsystemunit_DATA = ipa-otpd.socket ipa-otpd@.service
+ ipa_otpd_SOURCES = bind.c forward.c main.c parse.c query.c queue.c stdio.c
+ 
+ %.socket: %.socket.in
+-	@sed -e 's|@krb5kdcdir[@]|$(krb5kdcdir)|g' \
++	@sed -e 's|@krb5rundir[@]|$(krb5rundir)|g' \
+ 	     -e 's|@UNLINK[@]|@UNLINK@|g' \
+ 	     $< > $@
+ 
+diff --git a/daemons/ipa-otpd/ipa-otpd.socket.in b/daemons/ipa-otpd/ipa-otpd.socket.in
+index b968beaa7b9e68c43b2c5386b62c096fa8b97764..ce3596d9f01b26e3e8bd63f447f85a486c8e0dff 100644
+--- a/daemons/ipa-otpd/ipa-otpd.socket.in
++++ b/daemons/ipa-otpd/ipa-otpd.socket.in
+@@ -2,8 +2,8 @@
+ Description=ipa-otpd socket
+ 
+ [Socket]
+-ListenStream=@krb5kdcdir@/DEFAULT.socket
+-ExecStopPre=@UNLINK@ @krb5kdcdir@/DEFAULT.socket
++ListenStream=@krb5rundir@/DEFAULT.socket
++ExecStopPre=@UNLINK@ @krb5rundir@/DEFAULT.socket
+ SocketMode=0600
+ Accept=true
+ 
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index ae8ee57f3ba2c0746bb0f7a1e65dab1da83cca22..cff79843d76a7251ae6065dba7341465733bb7cc 100644
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -105,7 +105,7 @@ Requires: nss >= 3.14.3-12.0
+ Requires: nss-tools >= 3.14.3-12.0
+ %endif
+ %if 0%{?krb5_dal_version} >= 4
+-Requires: krb5-server >= 1.11.2-1
++Requires: krb5-server >= 1.11.5-3
+ %else
+ %if 0%{krb5_dal_version} == 3
+ # krb5 1.11 bumped DAL interface major version, a rebuild is needed
+-- 
+1.8.5.3
+
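Review bot: The socket now listens under `${localstatedir}/run/krb5kdc`, a volatile directory, and nothing in this patch creates it or sets its ownership and mode; because the socket itself is `SocketMode=0600`, the directory's permissions decide who can reach ipa-otpd, so the patch is implicitly relying on the bumped `krb5-server >= 1.11.5-3` to ship that directory. A comment next to the Requires line, e.g. `# >= 1.11.5-3 owns /run/krb5kdc, which ipa-otpd.socket listens in`, would record that dependency; if the package does not own the directory, a tmpfiles.d entry or a `RuntimeDirectory=` setting in the unit would be needed instead. I cannot see the krb5-server packaging from here, so this is a point to confirm rather than a known gap.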
diff --git a/SOURCES/0047-bindinstance-make-sure-zone-manager-is-initialized-i.patch b/SOURCES/0047-bindinstance-make-sure-zone-manager-is-initialized-i.patch
new file mode 100644
index 0000000..7a023ac
--- /dev/null
+++ b/SOURCES/0047-bindinstance-make-sure-zone-manager-is-initialized-i.patch
@@ -0,0 +1,31 @@
+From ea96ad03312cecad4ff6853aafc30d3cf2c618a9 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 26 Feb 2014 11:06:29 +0200
+Subject: [PATCH 47/51] bindinstance: make sure zone manager is initialized in
+ add_master_dns_records
+
+Bind instance is configured using a short-circuited way when replica is set up.
+Make sure required properties are in place for that.
+
+https://fedorahosted.org/freeipa/ticket/4186
+
+Reviewed-By: Petr Viktorin <pviktori@redhat.com>
+---
+ ipaserver/install/bindinstance.py | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/ipaserver/install/bindinstance.py b/ipaserver/install/bindinstance.py
+index 6d5a1d44d30c89278c24fe7ab5278355cb65b0b4..4dc4103f7cb94877d0652f0094b41feec56cee94 100644
+--- a/ipaserver/install/bindinstance.py
++++ b/ipaserver/install/bindinstance.py
+@@ -828,6 +828,7 @@ def add_master_dns_records(self, fqdn, ip_address, realm_name, domain_name,
+         self.reverse_zone = reverse_zone
+         self.ca_configured = ca_configured
+         self.first_instance = False
++        self.zonemgr = 'hostmaster.%s' % self.domain
+ 
+         self.__add_self()
+         self.__add_ipa_ca_record()
+-- 
+1.8.5.3
+
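Review bot: `'hostmaster.%s' % self.domain` hard-codes the zone-manager default inside `add_master_dns_records`; the first-instance path that normally sets `self.zonemgr` presumably carries the same default, so a shared module-level constant would keep the two from drifting. The line also depends on `self.domain` having been assigned earlier in the method, which is outside the hunk; a short comment such as `# replica setup bypasses setup(), so the SOA RNAME default must be set here` would explain why this path needs it. `add_master_dns_records` begins before the hunk.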
diff --git a/SOURCES/0048-trustdomain_find-make-sure-we-skip-short-entries-whe.patch b/SOURCES/0048-trustdomain_find-make-sure-we-skip-short-entries-whe.patch
new file mode 100644
index 0000000..b1718fb
--- /dev/null
+++ b/SOURCES/0048-trustdomain_find-make-sure-we-skip-short-entries-whe.patch
@@ -0,0 +1,32 @@
+From a11cfd34e2f92c3c71a0b568d758f7d5221b4e94 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 26 Feb 2014 17:59:05 +0200
+Subject: [PATCH 48/51] trustdomain_find: make sure we skip short entries when
+ --pkey-only is specified
+
+With --pkey-only only primary key is returned. It makes no sense to check and
+replace boolean values then.
+
+https://fedorahosted.org/freeipa/ticket/4196
+
+Reviewed-By: Martin Kosek <mkosek@redhat.com>
+---
+ ipalib/plugins/trust.py | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index 0b6db27c696cd169c8f4b33128520961c20e3015..bd71253607d6009414ff8a24b042175f0cb08d66 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -1191,6 +1191,8 @@ def pre_callback(self, ldap, filters, attrs_list, base_dn, scope, *args, **optio
+         return (filters, base_dn, ldap.SCOPE_SUBTREE)
+ 
+     def post_callback(self, ldap, entries, truncated, *args, **options):
++        if options.get('pkey_only', False):
++            return truncated
+         trust_dn = self.obj.get_dn(args[0], trust_type=u'ad')
+         trust_entry = ldap.get_entry(trust_dn)
+         for entry in entries:
+-- 
+1.8.5.3
+
diff --git a/SOURCES/0049-ipa-kdb-in-case-of-delegation-use-original-client-s-.patch b/SOURCES/0049-ipa-kdb-in-case-of-delegation-use-original-client-s-.patch
new file mode 100644
index 0000000..a3c7c45
--- /dev/null
+++ b/SOURCES/0049-ipa-kdb-in-case-of-delegation-use-original-client-s-.patch
@@ -0,0 +1,67 @@
+From ede01c14e58a98af728152635e5d75be0deb389d Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 25 Feb 2014 17:50:55 +0200
+Subject: [PATCH 49/51] ipa-kdb: in case of delegation use original client's
+ database entry, not the proxy
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+https://fedorahosted.org/freeipa/ticket/4195
+
+Reviewed-By: Tomáš Babej <tbabej@redhat.com>
+Reviewed-By: Simo Sorce <ssorce@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index ff67391538234e2272ea1ec886ec96fa88ea579b..2a0480fff029d29fb56286d85108936f6c579901 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1983,12 +1983,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+     bool with_pac;
+     bool with_pad;
+     int result;
++    krb5_db_entry *client_entry = NULL;
+ 
+     /* When using s4u2proxy client_princ actually refers to the proxied user
+      * while client->princ to the proxy service asking for the TGS on behalf
+      * of the proxied user. So always use client_princ in preference */
+     if (client_princ != NULL) {
+         ks_client_princ = client_princ;
++        kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
+     } else {
+         ks_client_princ = client->princ;
+     }
+@@ -2025,7 +2027,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+             }
+         }
+ 
+-        kerr = ipadb_get_pac(context, client, &pac);
++        kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
+         if (kerr != 0 && kerr != ENOENT) {
+             goto done;
+         }
+@@ -2041,7 +2043,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+         /* check or generate pac data */
+         if ((pac_auth_data == NULL) || (pac_auth_data[0] == NULL)) {
+             if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
+-                kerr = ipadb_get_pac(context, client, &pac);
++                kerr = ipadb_get_pac(context, client_entry ? client_entry : client, &pac);
+                 if (kerr != 0 && kerr != ENOENT) {
+                     goto done;
+                 }
+@@ -2094,6 +2096,9 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+     kerr = 0;
+ 
+ done:
++    if (client_entry != NULL) {
++        ipadb_free_principal(context, client_entry);
++    }
+     krb5_pac_free(context, pac);
+     return kerr;
+ }
+-- 
+1.8.5.3
+
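Review bot: The return value of `ipadb_get_principal` on the added line is never checked: on any lookup failure `client_entry` stays NULL (assuming the callee leaves the out-pointer untouched on error), the two later `client_entry ? client_entry : client` expressions silently fall back to the proxy's entry — the very behaviour this commit sets out to remove — and `kerr` is overwritten before anyone sees it. I would fail fast on anything other than not-found right after the call, `if (kerr != 0 && kerr != KRB5_KDB_NOENTRY) goto done;`, provided `pac` is already NULL-initialised at its declaration (outside the hunk) so the `done:` path is safe that early. The `ipadb_free_principal` cleanup added under `done:` is right for the existing exits. `ipadb_sign_authdata` starts before the first hunk.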
diff --git a/SOURCES/0050-ipa-kdb-make-sure-we-don-t-produce-MS-PAC-in-case-of.patch b/SOURCES/0050-ipa-kdb-make-sure-we-don-t-produce-MS-PAC-in-case-of.patch
new file mode 100644
index 0000000..a4909d1
--- /dev/null
+++ b/SOURCES/0050-ipa-kdb-make-sure-we-don-t-produce-MS-PAC-in-case-of.patch
@@ -0,0 +1,42 @@
+From 817e83837d249a63395d90ac47dc975a23f00c6c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Tue, 25 Feb 2014 20:53:49 +0200
+Subject: [PATCH 50/51] ipa-kdb: make sure we don't produce MS-PAC in case of
+ authdata flag cleared by admin
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+When admin clears authdata flag for the service principal, KDC will pass
+NULL client pointer (service proxy) to the DAL driver.
+
+Make sure we bail out correctly.
+
+Reviewed-By: Tomáš Babej <tbabej@redhat.com>
+Reviewed-By: Simo Sorce <ssorce@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 2a0480fff029d29fb56286d85108936f6c579901..9137cd5ad1e6166fd5d6e765fab2c8178ca0587c 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1985,6 +1985,14 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+     int result;
+     krb5_db_entry *client_entry = NULL;
+ 
++
++    /* When client is NULL, authdata flag on the service principal was cleared
++     * by an admin. We don't generate MS-PAC in this case */
++    if (client == NULL) {
++        *signed_auth_data = NULL;
++        return 0;
++    }
++
+     /* When using s4u2proxy client_princ actually refers to the proxied user
+      * while client->princ to the proxy service asking for the TGS on behalf
+      * of the proxied user. So always use client_princ in preference */
+-- 
+1.8.5.3
+
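Review bot: The new guard returns before the `done:` label, which is fine only because nothing has been allocated at that point; a comment such as `/* nothing allocated yet, so no cleanup needed here */` would keep the early return from being copied below an allocation later. Style: the hunk adds a second consecutive blank line ahead of the comment; one is enough. The function's signature, including the `signed_auth_data` out-parameter being cleared, is outside the hunk.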
diff --git a/SOURCES/0051-Too-big-font-in-input-fields.patch b/SOURCES/0051-Too-big-font-in-input-fields.patch
new file mode 100644
index 0000000..89a369c
--- /dev/null
+++ b/SOURCES/0051-Too-big-font-in-input-fields.patch
@@ -0,0 +1,42 @@
+From 92cb7c52b3a6241c9a0e5bc4e0c91705723d118f Mon Sep 17 00:00:00 2001
+From: Adam Misnyovszki <amisnyov@redhat.com>
+Date: Wed, 26 Feb 2014 18:16:45 +0100
+Subject: [PATCH 51/51] Too big font in input fields
+
+In Firefox 27, default font size has bigger priority than body css,
+text input font size is therefore explicitly set to 1em. Also
+checkbox/radiobutton styling fixed.
+
+https://fedorahosted.org/freeipa/ticket/4180
+
+Reviewed-By: Petr Vobornik <pvoborni@redhat.com>
+---
+ install/ui/ipa.css | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/install/ui/ipa.css b/install/ui/ipa.css
+index ad3d1aa1f8f8898ad8dff8f8ecc175238fad1181..29dfe80aacfa1e508f59d3008b2aa57f9477a448 100644
+--- a/install/ui/ipa.css
++++ b/install/ui/ipa.css
+@@ -1243,6 +1243,18 @@ table.scrollable tbody {
+     width: 250px;
+ }
+ 
++input, select, textarea {
++    font-size: 1em;
++    font-family: "Liberation Sans",Arial,Sans;
++}
++
++input[type=radio], input[type=checkbox],
++.ui-widget input[type=radio], .ui-widget input[type=checkbox]{
++     margin-right: 5px;
++     position: relative;
++     top: 3px;
++}
++
+ .multivalued-widget [name=value] {
+     margin-bottom: 1em;
+ }
+-- 
+1.8.5.3
+
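Review bot: `Sans` in `font-family: "Liberation Sans",Arial,Sans;` is not a CSS generic family — the generic keywords are serif, sans-serif, monospace, cursive and fantasy — so browsers look for a font literally named "Sans" and otherwise fall through to their default; the last entry should be `sans-serif`. Style: the radio/checkbox rule is indented five spaces while the `input, select, textarea` rule above it and the rest of the file use four.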
diff --git a/SOURCES/0052-trust-make-sure-we-always-discover-topology-of-the-f.patch b/SOURCES/0052-trust-make-sure-we-always-discover-topology-of-the-f.patch
new file mode 100644
index 0000000..93b27ce
--- /dev/null
+++ b/SOURCES/0052-trust-make-sure-we-always-discover-topology-of-the-f.patch
@@ -0,0 +1,75 @@
+From bbba8c95ed2f5e551b4e468b394f5e0839be9f6f Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 27 Feb 2014 13:43:17 +0200
+Subject: [PATCH 52/53] trust: make sure we always discover topology of the
+ forest trust
+
+Even though we are creating idranges for subdomains only in case
+there is algorithmic ID mapping in use, we still need to fetch
+list of subdomains for all other cases.
+
+https://fedorahosted.org/freeipa/ticket/4205
+---
+ ipalib/plugins/trust.py | 37 ++++++-------------------------------
+ 1 file changed, 6 insertions(+), 31 deletions(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index bd71253607d6009414ff8a24b042175f0cb08d66..f2b00a6f58f5890e37aaa033a35dcf9bc39ccbc4 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -458,38 +458,13 @@ def execute(self, *keys, **options):
+ 
+         result['result'] = entry_to_dict(trusts[0][1], **options)
+ 
+-        # For AD trusts with algorithmic mapping, we need to add a separate
+-        # range for each subdomain.
+-        if (options.get('trust_type') == u'ad' and
+-            created_range_type != u'ipa-ad-trust-posix'):
+-
++        # Fetch topology of the trust forest -- we need always to do it
++        # for AD trusts, regardless of the type of idranges associated with it
++        # Note that fetch_domains_from_trust will add needed ranges for
++        # the algorithmic ID mapping case.
++        if options.get('trust_type') == u'ad':
+             domains = fetch_domains_from_trust(self, self.trustinstance,
+                                                result['result'], **options)
+-            if domains and len(domains) > 0:
+-                for dom in domains:
+-                    range_name = dom['cn'][0].upper() + '_id_range'
+-                    dom_sid = dom['ipanttrusteddomainsid'][0]
+-
+-                    # Enforce the same range type as the range for the root
+-                    # level domain.
+-
+-                    # This will skip the detection of the POSIX attributes if
+-                    # they are not available, since it has been already
+-                    # detected when creating the range for the root level domain
+-                    passed_options = options
+-                    passed_options.update(range_type=created_range_type)
+-
+-                    # Do not pass the base id to the subdomains since it would
+-                    # clash with the root level domain
+-                    if 'base_id' in passed_options:
+-                        del passed_options['base_id']
+-
+-                    # Try to add the range for each subdomain
+-                    try:
+-                        add_range(self, range_name, dom_sid, *keys,
+-                                  **passed_options)
+-                    except errors.DuplicateEntry:
+-                        pass
+ 
+         # Format the output into human-readable values
+         result['result']['trusttype'] = [trust_type_string(
+@@ -1270,7 +1245,7 @@ def fetch_domains_from_trust(self, trustinstance, trust_entry, **options):
+     # trust range must exist by the time fetch_domains_from_trust is called
+     range_name = trust_name.upper() + '_id_range'
+     old_range = api.Command.idrange_show(range_name, raw=True)['result']
+-    idrange_type = old_range['iparangetype']
++    idrange_type = old_range['iparangetype'][0]
+ 
+     for dom in domains:
+         dom['trust_type'] = u'ad'
+-- 
+1.8.5.3
+
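Review bot: `domains`, assigned on the kept line `domains = fetch_domains_from_trust(...)`, is no longer read anywhere in the hunk once the loop is gone; if nothing below uses it, drop the assignment. More importantly, the removed loop deleted `base_id` from the options and forced `range_type=created_range_type` before creating each subdomain range, whereas the new call passes `**options` through unchanged; the second hunk shows the root range's type being read back from LDAP (`old_range['iparangetype'][0]`), which covers the range type, but whether `base_id` is still stripped inside `fetch_domains_from_trust` is not visible here and should be confirmed, otherwise a user-supplied `--base-id` would be reused for every subdomain range and collide with the root range. `execute` and `fetch_domains_from_trust` both begin outside their hunks.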
diff --git a/SOURCES/0053-ipaserver-dcerpc-catch-the-case-of-insuffient-permis.patch b/SOURCES/0053-ipaserver-dcerpc-catch-the-case-of-insuffient-permis.patch
new file mode 100644
index 0000000..eeccfc1
--- /dev/null
+++ b/SOURCES/0053-ipaserver-dcerpc-catch-the-case-of-insuffient-permis.patch
@@ -0,0 +1,40 @@
+From 504e8701fd7870b18febe9b544244d5d2744bb16 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 26 Feb 2014 17:43:34 +0200
+Subject: [PATCH 53/53] ipaserver/dcerpc: catch the case of insuffient
+ permissions when establishing trust
+
+We attempt to delete the trust that might exist already. If there are not enough
+privileges to do so, we wouldn't be able to create trust at the next step and it will fail.
+However, failure to create trust will be due to the name collision as we already had
+the trust with the same name before. Thus, raise access denied exception here
+to properly indicate wrong access level instead of returning NT_STATUS_OBJECT_NAME_COLLISION.
+
+https://fedorahosted.org/freeipa/ticket/4202
+
+Reviewed-By: Martin Kosek <mkosek@redhat.com>
+---
+ ipaserver/dcerpc.py | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index d809c416baac072a2489fbd3c167f08665b7a24e..5972e622292a033d4fc979cbf5401fa02151f35c 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -892,8 +892,11 @@ def establish_trust(self, another_domain, trustdom_secret):
+             dname.string = another_domain.info['dns_domain']
+             res = self._pipe.QueryTrustedDomainInfoByName(self._policy_handle, dname, lsa.LSA_TRUSTED_DOMAIN_INFO_FULL_INFO)
+             self._pipe.DeleteTrustedDomain(self._policy_handle, res.info_ex.sid)
+-        except RuntimeError, e:
+-            pass
++        except RuntimeError, (num, message):
++            # Ignore anything but access denied (NT_STATUS_ACCESS_DENIED)
++            if num == -1073741790:
++                raise access_denied_error
++
+         try:
+             trustdom_handle = self._pipe.CreateTrustedDomainEx2(self._policy_handle, info, self.auth_info, security.SEC_STD_DELETE)
+         except RuntimeError, (num, message):
+-- 
+1.8.5.3
+
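Review bot: `-1073741790` is the signed 32-bit form of `NT_STATUS_ACCESS_DENIED` (0xC0000022) and should be a named constant rather than a bare literal beside a comment, e.g. `NT_STATUS_ACCESS_DENIED = -1073741790  # 0xC0000022 (suggested constant name)` at module level, or the value from samba's `ntstatus` module if the file already imports it. The tuple form `except RuntimeError, (num, message):` matches the existing handler a few lines down, but a `RuntimeError` whose args are not a pair now escapes as an unpack error where the old handler swallowed it; if that is acceptable, a comment noting that the Samba pipe always raises `(status, message)` pairs would document the assumption. `establish_trust` begins outside the hunk.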
diff --git a/SOURCES/0054-fix-filtering-of-subdomain-based-trust-users.patch b/SOURCES/0054-fix-filtering-of-subdomain-based-trust-users.patch
new file mode 100644
index 0000000..4b094ce
--- /dev/null
+++ b/SOURCES/0054-fix-filtering-of-subdomain-based-trust-users.patch
@@ -0,0 +1,100 @@
+From 4b7059b4f29832d98b4ff4f266007d007ca07a19 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 28 Feb 2014 22:03:29 +0200
+Subject: [PATCH] fix filtering of subdomain-based trust users
+
+https://fedorahosted.org/freeipa/ticket/4207
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 41 ++++++++++++++++++++++++++++++++---------
+ 1 file changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 9137cd5ad1e6166fd5d6e765fab2c8178ca0587c..68f27f0e2d9028cdaece80c4bd3440d0438d20db 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -806,6 +806,12 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
+     krb5_error_code kerr;
+     enum ndr_err_code ndr_err;
+ 
++    /* When no client entry is there, we cannot generate MS-PAC */
++    if (!client) {
++        *pac = NULL;
++        return 0;
++    }
++
+     ipactx = ipadb_get_context(kcontext);
+     if (!ipactx) {
+         return KRB5_KDB_DBNOTINITED;
+@@ -1534,6 +1540,12 @@ static krb5_error_code ipadb_add_transited_service(krb5_context context,
+     uint32_t i;
+     char *tmpstr;
+ 
++    /* When proxy is NULL, authdata flag on the service principal was cleared
++     * by an admin. We don't generate MS-PAC in this case */
++    if (proxy == NULL) {
++        return 0;
++    }
++
+     tmpctx = talloc_new(NULL);
+     if (!tmpctx) {
+         kerr = ENOMEM;
+@@ -1731,6 +1743,12 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
+     }
+ 
+     if (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION) {
++        if (proxy == NULL) {
++            *pac = NULL;
++            kerr = 0;
++            goto done;
++        }
++
+         kerr = ipadb_add_transited_service(context, proxy, server,
+                                            old_pac, new_pac);
+         if (kerr) {
+@@ -1986,20 +2004,27 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+     krb5_db_entry *client_entry = NULL;
+ 
+ 
+-    /* When client is NULL, authdata flag on the service principal was cleared
+-     * by an admin. We don't generate MS-PAC in this case */
+-    if (client == NULL) {
+-        *signed_auth_data = NULL;
+-        return 0;
+-    }
++    is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+ 
+     /* When using s4u2proxy client_princ actually refers to the proxied user
+      * while client->princ to the proxy service asking for the TGS on behalf
+      * of the proxied user. So always use client_princ in preference */
+     if (client_princ != NULL) {
+         ks_client_princ = client_princ;
+-        kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
++        if (!is_as_req) {
++            kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
++            /* If we didn't find client_princ in our database, it might be:
++             * - a principal from another realm, handle it down in ipadb_get/verify_pac()
++             */
++            if (!kerr) {
++                client_entry = NULL;
++            }
++        }
+     } else {
++        if (client == NULL) {
++            *signed_auth_data = NULL;
++            return 0;
++        }
+         ks_client_princ = client->princ;
+     }
+ 
+@@ -2014,8 +2039,6 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+                                   "currently not supported.");
+     }
+ 
+-    is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+-
+     if (is_as_req && with_pac && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
+         /* Be aggressive here: special case for discovering range type
+          * immediately after establishing the trust by IPA framework */
+-- 
+1.8.5.3
+
diff --git a/SOURCES/0055-ipa-kdb-do-not-fetch-client-principal-if-it-is-the-s.patch b/SOURCES/0055-ipa-kdb-do-not-fetch-client-principal-if-it-is-the-s.patch
new file mode 100644
index 0000000..a736514
--- /dev/null
+++ b/SOURCES/0055-ipa-kdb-do-not-fetch-client-principal-if-it-is-the-s.patch
@@ -0,0 +1,62 @@
+From 278b347c6f84140b4fc58d7c11749bbf6c44a50c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Thu, 6 Mar 2014 10:26:29 +0200
+Subject: [PATCH] ipa-kdb: do not fetch client principal if it is the same as
+ existing entry
+
+When client principal is the same as supplied client entry, don't fetch it
+again.
+
+Note that when client principal is not NULL, client entry might be NULL for
+cross-realm case, so we need to make sure to not dereference NULL pointer here.
+
+Also fix reverted condition for case when we didn't find the client principal
+in the database, preventing a memory leak.
+
+https://fedorahosted.org/freeipa/ticket/4223
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 19 +++++++++++++------
+ 1 file changed, 13 insertions(+), 6 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 68f27f0e2d9028cdaece80c4bd3440d0438d20db..8481278760aba2d5dec5c337813f394633d67e46 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -2002,6 +2002,7 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+     bool with_pad;
+     int result;
+     krb5_db_entry *client_entry = NULL;
++    krb5_boolean is_equal;
+ 
+ 
+     is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
+@@ -2012,12 +2013,18 @@ krb5_error_code ipadb_sign_authdata(krb5_context context,
+     if (client_princ != NULL) {
+         ks_client_princ = client_princ;
+         if (!is_as_req) {
+-            kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
+-            /* If we didn't find client_princ in our database, it might be:
+-             * - a principal from another realm, handle it down in ipadb_get/verify_pac()
+-             */
+-            if (!kerr) {
+-                client_entry = NULL;
++            is_equal = false;
++            if ((client != NULL) && (client->princ != NULL)) {
++                is_equal = krb5_principal_compare(context, client_princ, client->princ);
++            }
++            if (!is_equal) {
++                kerr = ipadb_get_principal(context, client_princ, flags, &client_entry);
++                /* If we didn't find client_princ in our database, it might be:
++                 * - a principal from another realm, handle it down in ipadb_get/verify_pac()
++                 */
++                if (kerr != 0) {
++                    client_entry = NULL;
++                }
+             }
+         }
+     } else {
+-- 
+1.8.5.3
+
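Review bot: After the new `if (kerr != 0)` branch clears `client_entry`, `kerr` itself is left holding the lookup error while the function continues on the assumption that the cross-realm case is handled later; if ipadb_sign_authdata later tests or returns `kerr` before reassigning it (its body continues outside the hunk), a deliberately tolerated miss would surface as a failure. Resetting it together with the pointer, `client_entry = NULL; kerr = 0;`, makes the intent explicit and removes the dependency on later code overwriting it.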
diff --git a/SOURCES/0056-ipa-replica-install-never-checks-for-7389-port.patch b/SOURCES/0056-ipa-replica-install-never-checks-for-7389-port.patch
new file mode 100644
index 0000000..e00e968
--- /dev/null
+++ b/SOURCES/0056-ipa-replica-install-never-checks-for-7389-port.patch
@@ -0,0 +1,220 @@
+From c088cccb0b27e0defd5457f756a2d4c68e8eff55 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Tue, 11 Mar 2014 16:28:19 +0100
+Subject: [PATCH 56/58] ipa-replica-install never checks for 7389 port
+
+When creating replica from a Dogtag 9 based IPA server, the port 7389
+which is required for the installation is never checked by
+ipa-replica-conncheck even though it knows that it is being installed
+from the Dogtag 9 based FreeIPA. If the 7389 port would be blocked by
+firewall, installation would stuck with no hint to user.
+
+Make sure that the port configuration parsed from replica info file
+is used consistently in the installers.
+
+https://fedorahosted.org/freeipa/ticket/4240
+
+Reviewed-By: Petr Viktorin <pviktori@redhat.com>
+---
+ install/tools/ipa-ca-install      | 17 +++++------------
+ install/tools/ipa-replica-install | 18 ++++++------------
+ ipaserver/install/cainstance.py   | 12 +++++-------
+ ipaserver/install/installutils.py | 16 ++++++++++++++++
+ 4 files changed, 32 insertions(+), 31 deletions(-)
+
+diff --git a/install/tools/ipa-ca-install b/install/tools/ipa-ca-install
+index 4edd26d337a50eebe686daae539c257f706e0158..bb3e595a3df47f00b3929f546db7b04dd7eda32a 100755
+--- a/install/tools/ipa-ca-install
++++ b/install/tools/ipa-ca-install
+@@ -30,7 +30,7 @@ from ipaserver.install import installutils, service
+ from ipaserver.install import certs
+ from ipaserver.install.installutils import (HostnameLocalhost, ReplicaConfig,
+         expand_replica_info, read_replica_info, get_host_name, BadHostError,
+-        private_ccache)
++        private_ccache, read_replica_info_dogtag_port)
+ from ipaserver.install import dsinstance, cainstance, bindinstance
+ from ipaserver.install.replication import replica_conn_check
+ from ipapython import version
+@@ -159,31 +159,24 @@ def main():
+             sys.exit(0)
+     config.dir = dir
+     config.setup_ca = True
++    config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
+ 
+     if not ipautil.file_exists(config.dir + "/cacert.p12"):
+         print 'CA cannot be installed in CA-less setup.'
+         sys.exit(1)
+ 
+-    portfile = config.dir + "/dogtag_directory_port.txt"
+-    if not ipautil.file_exists(portfile):
+-        dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
+-    else:
+-        with open(portfile) as fd:
+-            dogtag_master_ds_port = fd.read()
+-
+     if not options.skip_conncheck:
+         replica_conn_check(
+             config.master_host_name, config.host_name, config.realm_name, True,
+-            dogtag_master_ds_port, options.admin_password)
++            config.ca_ds_port, options.admin_password)
+ 
+     if options.skip_schema_check:
+         root_logger.info("Skipping CA DS schema check")
+     else:
+-        cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
++        cainstance.replica_ca_install_check(config)
+ 
+     # Configure the CA if necessary
+-    CA = cainstance.install_replica_ca(
+-        config, dogtag_master_ds_port, postinstall=True)
++    CA = cainstance.install_replica_ca(config, postinstall=True)
+ 
+     # We need to ldap_enable the CA now that DS is up and running
+     CA.ldap_enable('CA', config.host_name, config.dirman_password,
+diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
+index 0e7aefef48d47fefa290607e0604c014d9469fdd..e039fd1e7cb213b3269d0a5d2305a96f68e36e29 100755
+--- a/install/tools/ipa-replica-install
++++ b/install/tools/ipa-replica-install
+@@ -37,8 +37,8 @@ from ipaserver.install import memcacheinstance
+ from ipaserver.install import otpdinstance
+ from ipaserver.install.replication import replica_conn_check, ReplicationManager
+ from ipaserver.install.installutils import (ReplicaConfig, expand_replica_info,
+-                                            read_replica_info ,get_host_name,
+-                                            BadHostError, private_ccache)
++        read_replica_info, get_host_name, BadHostError, private_ccache,
++        read_replica_info_dogtag_port)
+ from ipaserver.plugins.ldap2 import ldap2
+ from ipaserver.install import cainstance
+ from ipalib import api, errors, util
+@@ -534,6 +534,7 @@ def main():
+             sys.exit(0)
+     config.dir = dir
+     config.setup_ca = options.setup_ca
++    config.ca_ds_port = read_replica_info_dogtag_port(config.dir)
+ 
+     if config.setup_ca and not ipautil.file_exists(config.dir + "/cacert.p12"):
+         print 'CA cannot be installed in CA-less setup.'
+@@ -541,18 +542,11 @@ def main():
+ 
+     installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
+ 
+-    portfile = config.dir + "/dogtag_directory_port.txt"
+-    if not ipautil.file_exists(portfile):
+-        dogtag_master_ds_port = str(dogtag.Dogtag9Constants.DS_PORT)
+-    else:
+-        with open(portfile) as fd:
+-            dogtag_master_ds_port = fd.read()
+-
+     # check connection
+     if not options.skip_conncheck:
+         replica_conn_check(
+             config.master_host_name, config.host_name, config.realm_name,
+-            options.setup_ca, dogtag_master_ds_port, options.admin_password)
++            options.setup_ca, config.ca_ds_port, options.admin_password)
+ 
+ 
+     # check replica host IP resolution
+@@ -657,7 +651,7 @@ def main():
+     if options.skip_schema_check:
+         root_logger.info("Skipping CA DS schema check")
+     else:
+-        cainstance.replica_ca_install_check(config, dogtag_master_ds_port)
++        cainstance.replica_ca_install_check(config)
+ 
+     # Configure ntpd
+     if options.conf_ntp:
+@@ -669,7 +663,7 @@ def main():
+     ds = install_replica_ds(config)
+ 
+     # Configure the CA if necessary
+-    CA = cainstance.install_replica_ca(config, dogtag_master_ds_port)
++    CA = cainstance.install_replica_ca(config)
+ 
+     # Always try to install DNS records
+     install_dns_records(config, options)
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 52c91b68c2d073a9b1c6aedc1811aa26db046e6b..126bbae66e8a9ae8d9cc6e624745ab1cc37bf4c1 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1574,7 +1574,7 @@ def is_master(self):
+         return master == 'New'
+ 
+ 
+-def replica_ca_install_check(config, master_ds_port):
++def replica_ca_install_check(config):
+     if not config.setup_ca:
+         return
+ 
+@@ -1583,8 +1583,6 @@ def replica_ca_install_check(config, master_ds_port):
+         # Replica of old "self-signed" master - CA won't be installed
+         return
+ 
+-    master_ds_port = int(master_ds_port)
+-
+     # Exit if we have an old-style (Dogtag 9) CA already installed
+     ca = CAInstance(config.realm_name, certs.NSS_DIR,
+         dogtag_constants=dogtag.Dogtag9Constants)
+@@ -1592,13 +1590,13 @@ def replica_ca_install_check(config, master_ds_port):
+         root_logger.info('Dogtag 9 style CA instance found')
+         sys.exit("A CA is already configured on this system.")
+ 
+-    if master_ds_port != dogtag.Dogtag9Constants.DS_PORT:
++    if config.ca_ds_port != dogtag.Dogtag9Constants.DS_PORT:
+         root_logger.debug(
+             'Installing CA Replica from master with a merged database')
+         return
+ 
+     # Check if the master has the necessary schema in its CA instance
+-    ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, master_ds_port)
++    ca_ldap_url = 'ldap://%s:%s' % (config.master_host_name, config.ca_ds_port)
+     objectclass = 'ipaObject'
+     root_logger.debug('Checking if IPA schema is present in %s', ca_ldap_url)
+     try:
+@@ -1627,7 +1625,7 @@ def replica_ca_install_check(config, master_ds_port):
+         exit('IPA schema missing on master CA directory server')
+ 
+ 
+-def install_replica_ca(config, master_ds_port, postinstall=False):
++def install_replica_ca(config, postinstall=False):
+     """
+     Install a CA on a replica.
+ 
+@@ -1676,7 +1674,7 @@ def install_replica_ca(config, master_ds_port, postinstall=False):
+                           config.dirman_password, config.dirman_password,
+                           pkcs12_info=(cafile,),
+                           master_host=config.master_host_name,
+-                          master_replication_port=master_ds_port,
++                          master_replication_port=config.ca_ds_port,
+                           subject_base=config.subject_base)
+ 
+     # Restart httpd since we changed it's config and added ipa-pki-proxy.conf
+diff --git a/ipaserver/install/installutils.py b/ipaserver/install/installutils.py
+index 32671adc895b0cb2632729e8bdb44b5df02c1314..8be8cd3ffa86256c096ddc99227210f2daeb3185 100644
+--- a/ipaserver/install/installutils.py
++++ b/ipaserver/install/installutils.py
+@@ -538,6 +538,22 @@ def read_replica_info(dir, rconfig):
+     except NoOptionError:
+         pass
+ 
++def read_replica_info_dogtag_port(config_dir):
++    portfile = config_dir + "/dogtag_directory_port.txt"
++    default_port = dogtag.Dogtag9Constants.DS_PORT
++    if not ipautil.file_exists(portfile):
++        dogtag_master_ds_port = default_port
++    else:
++        with open(portfile) as fd:
++            try:
++                dogtag_master_ds_port = int(fd.read())
++            except (ValueError, IOError), e:
++                root_logger.debug('Cannot parse dogtag DS port: %s', e)
++                root_logger.debug('Default to %d', default_port)
++                dogtag_master_ds_port = default_port
++
++    return dogtag_master_ds_port
++
+ def check_server_configuration():
+     """
+     Check if IPA server is configured on the system.
+-- 
+1.8.5.3
+
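Review bot: In `read_replica_info_dogtag_port` the `open(portfile)` call sits outside the `try`, so the `IOError` handler only covers `fd.read()`: a port file that exists but cannot be opened (permissions, or a race with the preceding `file_exists` check) still aborts the installer instead of taking the default the handler was written for. Move the `with` inside the `try`: `try:` / `    with open(portfile) as fd:` / `        dogtag_master_ds_port = int(fd.read())`. The parsed value is then used unvalidated as a port in `replica_conn_check` and in the CA LDAP URL, so a range check (`1 <= port <= 65535`, else default with a debug message) would turn a corrupt file into a clear early message rather than a confusing connection error. A one-line docstring stating that the Dogtag 9 default is returned when the file is absent or unparsable would help the callers in ipa-ca-install and ipa-replica-install.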
diff --git a/SOURCES/0057-Avoid-passing-non-terminated-string-to-is_master_hos.patch b/SOURCES/0057-Avoid-passing-non-terminated-string-to-is_master_hos.patch
new file mode 100644
index 0000000..006eb6a
--- /dev/null
+++ b/SOURCES/0057-Avoid-passing-non-terminated-string-to-is_master_hos.patch
@@ -0,0 +1,40 @@
+From a8fde83022360a02e53b70fd7bd4d61de1ccc7cb Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Fri, 7 Mar 2014 10:06:52 +0100
+Subject: [PATCH 57/58] Avoid passing non-terminated string to is_master_host
+
+When string is not terminated, queries with corrupted base may be sent
+to LDAP:
+
+... cn=ipa1.example.com<garbage>,cn=masters...
+
+https://fedorahosted.org/freeipa/ticket/4214
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 8481278760aba2d5dec5c337813f394633d67e46..a73a3cb46e104b43493177e333deb2b0d6226c2a 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -488,13 +488,14 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
+         }
+ 
+         data = krb5_princ_component(ipactx->context, princ, 1);
+-        strres = malloc(data->length);
++        strres = malloc(data->length+1);
+         if (strres == NULL) {
+             krb5_free_principal(ipactx->kcontext, princ);
+             return ENOENT;
+         }
+ 
+         memcpy(strres, data->data, data->length);
++        strres[data->length] = '\0';
+         krb5_free_principal(ipactx->kcontext, princ);
+ 
+         /* Only add PAC to TGT to services on IPA masters to allow querying
+-- 
+1.8.5.3
+
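Review bot: The new termination line would benefit from a comment recording why it is needed, since `krb5_data` buffers are not NUL-terminated and the string is subsequently handed to is_master_host and ends up in an LDAP search base (the corrupted `cn=...<garbage>,cn=masters` query in the commit message); without it a later cleanup may drop the `+1` again. Suggested: `/* krb5_data is not NUL-terminated; terminate before using it as a C string in LDAP queries */`. The enclosing ipadb_fill_info3 body starts and ends outside the hunk.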
diff --git a/SOURCES/0058-ipa-sam-cache-gid-to-sid-and-uid-to-sid-requests-in-.patch b/SOURCES/0058-ipa-sam-cache-gid-to-sid-and-uid-to-sid-requests-in-.patch
new file mode 100644
index 0000000..cd202e4
--- /dev/null
+++ b/SOURCES/0058-ipa-sam-cache-gid-to-sid-and-uid-to-sid-requests-in-.patch
@@ -0,0 +1,303 @@
+From e5bd495a9a7d71f5dde5661d960e372bb2609965 Mon Sep 17 00:00:00 2001
+From: Jason Woods <devel@jasonwoods.me.uk>
+Date: Fri, 7 Mar 2014 16:38:24 +0000
+Subject: [PATCH 58/58] ipa-sam: cache gid to sid and uid to sid requests in
+ idmap cache
+
+Add idmap_cache calls to ipa-sam to prevent huge numbers of LDAP calls to the
+directory service for gid/uid<->sid resolution.
+
+Additionally, this patch further reduces number of queries by:
+ - fast fail on uidNumber=0 which doesn't exist in FreeIPA,
+ - return fallback group correctly when looking up user primary group as is
+   done during init,
+ - checking for group objectclass in case insensitive way
+
+Patch by Jason Woods <devel@jasonwoods.me.uk>
+
+Reviewed-by: Alexander Bokovoy <abokovoy@redhat.com>
+
+https://fedorahosted.org/freeipa/ticket/4234
+and
+https://bugzilla.redhat.com/show_bug.cgi?id=1073829
+https://bugzilla.redhat.com/show_bug.cgi?id=1074314
+
+Reviewed-By: Sumit Bose <sbose@redhat.com>
+---
+ daemons/ipa-sam/ipa_sam.c | 128 +++++++++++++++++++++++++++++++++++++++++-----
+ 1 file changed, 114 insertions(+), 14 deletions(-)
+
+diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c
+index 1ca504db4e442c834ebe44d7e3503abafd6f9602..3b69f9e8255490aac17d08033e2a3584c6bf9e24 100644
+--- a/daemons/ipa-sam/ipa_sam.c
++++ b/daemons/ipa-sam/ipa_sam.c
+@@ -82,6 +82,18 @@ struct trustAuthInOutBlob {
+ 	struct AuthenticationInformationArray previous;/* [subcontext(0),flag(LIBNDR_FLAG_REMAINING)] */
+ }/* [gensize,public,nopush] */;
+ 
++/* from generated idmap.h - hopefully OK */
++enum id_type {
++	ID_TYPE_NOT_SPECIFIED,
++	ID_TYPE_UID,
++	ID_TYPE_GID,
++	ID_TYPE_BOTH
++};
++
++struct unixid {
++	uint32_t id;
++	enum id_type type;
++}/* [public] */;
+ 
+ enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flags, struct trustAuthInOutBlob *r); /*available in libndr-samba.so */
+ bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */
+@@ -91,6 +103,7 @@ char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* avai
+ char *sid_string_dbg(const struct dom_sid *sid); /* available in libsmbconf.so */
+ char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */
+ bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */
++void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */
+ 
+ #define LDAP_PAGE_SIZE 1024
+ #define LDAP_OBJ_SAMBASAMACCOUNT "ipaNTUserAttrs"
+@@ -750,8 +763,8 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
+ 	}
+ 
+ 	for (c = 0; values[c] != NULL; c++) {
+-		if (strncmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
+-			                       values[c]->bv_len) == 0) {
++		if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
++						   values[c]->bv_len) == 0) {
+ 			break;
+ 		}
+ 	}
+@@ -769,6 +782,9 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
+ 		}
+ 
+ 		unixid_from_gid(id, strtoul(gid_str, NULL, 10));
++
++		idmap_cache_set_sid2unixid(sid, id);
++
+ 		ret = true;
+ 		goto done;
+ 	}
+@@ -785,8 +801,11 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods,
+ 
+ 	unixid_from_uid(id, strtoul(value, NULL, 10));
+ 
++	idmap_cache_set_sid2unixid(sid, id);
++
+ 	ret = true;
+  done:
++
+ 	TALLOC_FREE(mem_ctx);
+ 	return ret;
+ }
+@@ -806,6 +825,18 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ 	int rc;
+ 	enum idmap_error_code err;
+ 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
++	struct unixid id;
++
++	/* Fast fail if we get a request for uidNumber=0 because it currently
++	 * will never exist in the directory
++	 * Saves an expensive LDAP call of which failure will never be cached
++	 */
++	if (uid == 0) {
++		DEBUG(3, ("ERROR: Received request for uid %u, "
++			  "fast failing as it will never exist\n",
++			  (unsigned int)uid));
++		goto done;
++	}
+ 
+ 	filter = talloc_asprintf(tmp_ctx,
+ 				 "(&(uidNumber=%u)"
+@@ -852,6 +883,10 @@ static bool ldapsam_uid_to_sid(struct pdb_methods *methods, uid_t uid,
+ 
+ 	sid_copy(sid, user_sid);
+ 
++	unixid_from_uid(&id, uid);
++
++	idmap_cache_set_sid2unixid(sid, &id);
++
+ 	ret = true;
+ 
+ done:
+@@ -866,21 +901,30 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ 	struct ldapsam_privates *priv =
+ 		(struct ldapsam_privates *)methods->private_data;
+ 	char *filter;
+-	const char *attrs[] = { LDAP_ATTRIBUTE_SID, NULL };
++	const char *attrs[] = { LDAP_ATTRIBUTE_SID, LDAP_ATTRIBUTE_OBJECTCLASS, NULL };
+ 	LDAPMessage *result = NULL;
+ 	LDAPMessage *entry = NULL;
+ 	bool ret = false;
+-	char *group_sid_string;
++	char *group_sid_string = NULL;
+ 	struct dom_sid *group_sid = NULL;
++	struct berval **values;
++	size_t c;
+ 	int rc;
+ 	enum idmap_error_code err;
+ 	TALLOC_CTX *tmp_ctx = talloc_stackframe();
++	struct unixid id;
+ 
+ 	filter = talloc_asprintf(tmp_ctx,
+-				 "(&(gidNumber=%u)"
+-				 "(objectClass=%s))",
++				 "(|(&(gidNumber=%u)"
++				     "(objectClass=%s))"
++				   "(&(uidNumber=%u)"
++				     "(objectClass=%s)"
++				     "(objectClass=%s)))",
+ 				 (unsigned int)gid,
+-				 LDAP_OBJ_GROUPMAP);
++				 LDAP_OBJ_GROUPMAP,
++				 (unsigned int)gid,
++				 LDAP_OBJ_POSIXACCOUNT,
++				 LDAP_OBJ_SAMBASAMACCOUNT);
+ 	if (filter == NULL) {
+ 		DEBUG(3, ("talloc_asprintf failed\n"));
+ 		goto done;
+@@ -892,14 +936,46 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ 	}
+ 	smbldap_talloc_autofree_ldapmsg(tmp_ctx, result);
+ 
+-	if (ldap_count_entries(priv2ld(priv), result) != 1) {
+-		DEBUG(3, ("ERROR: Got %d entries for gid %u, expected one\n",
++	if (ldap_count_entries(priv2ld(priv), result) == 0) {
++		DEBUG(3, ("ERROR: Got %d entries for gid %u, expected at least one\n",
+ 			   ldap_count_entries(priv2ld(priv), result),
+ 			   (unsigned int)gid));
+ 		goto done;
+ 	}
+ 
+-	entry = ldap_first_entry(priv2ld(priv), result);
++	for (entry = ldap_first_entry(priv2ld(priv), result);
++		 entry != NULL;
++		 entry = ldap_next_entry(priv2ld(priv), entry)) {
++
++		values = ldap_get_values_len(priv2ld(priv), entry, "objectClass");
++		if (values == NULL) {
++			DEBUG(10, ("Cannot find any objectclasses.\n"));
++			goto done;
++		}
++
++		for (c = 0; values[c] != NULL; c++) {
++			if (strncasecmp(LDAP_OBJ_GROUPMAP, values[c]->bv_val,
++							   values[c]->bv_len) == 0) {
++				goto found;
++			}
++		}
++
++	}
++
++found:
++	/* If we didn't find a group we found a user - so this is a primary group
++	 * For user private group, use fallback group */
++	if (entry == NULL) {
++
++		DEBUG(10, ("Did not find user private group %u, "
++			   "returning fallback group.\n", (unsigned int)gid));
++
++		sid_copy(sid,
++			 &priv->ipasam_privates->fallback_primary_group);
++		ret = true;
++		goto done;
++
++	}
+ 
+ 	group_sid_string = get_single_attribute(tmp_ctx, priv2ld(priv), entry,
+ 						LDAP_ATTRIBUTE_SID);
+@@ -910,7 +986,7 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ 	}
+ 
+ 	err = sss_idmap_sid_to_smb_sid(priv->ipasam_privates->idmap_ctx,
+-				       group_sid_string, &group_sid);
++					   group_sid_string, &group_sid);
+ 	if (err != IDMAP_SUCCESS) {
+ 		DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n",
+ 			  group_sid_string));
+@@ -919,6 +995,10 @@ static bool ldapsam_gid_to_sid(struct pdb_methods *methods, gid_t gid,
+ 
+ 	sid_copy(sid, group_sid);
+ 
++	unixid_from_gid(&id, gid);
++
++	idmap_cache_set_sid2unixid(sid, &id);
++
+ 	ret = true;
+ 
+ done:
+@@ -2456,10 +2536,16 @@ static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn)
+ 	rc = smbldap_search(ldap_state->smbldap_state, dn, scope, filter, NULL, 0, &result);
+ 	TALLOC_FREE(filter);
+ 
+-	if (result != NULL) {
+-		smbldap_talloc_autofree_ldapmsg(dn, result);
++	if (rc != LDAP_SUCCESS) {
++		return rc;
+ 	}
+ 
++	if (result == NULL) {
++		return LDAP_NO_MEMORY;
++	}
++
++	smbldap_talloc_autofree_ldapmsg(dn, result);
++
+ 	for (entry = ldap_first_entry(state, result);
+ 	     entry != NULL;
+ 	     entry = ldap_next_entry(state, entry)) {
+@@ -2467,6 +2553,9 @@ static int delete_subtree(struct ldapsam_privates *ldap_state, char* dn)
+ 		/* remove child entries */
+ 		if ((entry_dn != NULL) && (strcmp(entry_dn, dn) != 0)) {
+ 			rc = smbldap_delete(ldap_state->smbldap_state, entry_dn);
++			if (rc != LDAP_SUCCESS) {
++				return rc;
++			}
+ 		}
+ 	}
+ 	rc = smbldap_delete(ldap_state->smbldap_state, dn);
+@@ -2856,6 +2945,7 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state,
+ 	struct dom_sid *sid = NULL;
+ 	int count;
+ 	enum idmap_error_code err;
++	struct unixid id;
+ 
+ 	tmp_ctx = talloc_new("ipasam_get_sid_by_gid");
+ 	if (tmp_ctx == NULL) {
+@@ -2910,6 +3000,10 @@ static int ipasam_get_sid_by_gid(struct ldapsam_privates *ldap_state,
+ 	}
+ 	sid_copy(_sid, sid);
+ 
++	unixid_from_gid(&id, gid);
++
++	idmap_cache_set_sid2unixid(sid, &id);
++
+ 	ret = 0;
+ 
+ done:
+@@ -2929,6 +3023,7 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
+ 	uint32_t uid;
+ 	uint32_t gid;
+ 	struct dom_sid *group_sid;
++	struct unixid id;
+ 
+ 	TALLOC_CTX *tmp_ctx = talloc_init("ipasam_get_primary_group_sid");
+ 	if (tmp_ctx == NULL) {
+@@ -2967,8 +3062,13 @@ static int ipasam_get_primary_group_sid(TALLOC_CTX *mem_ctx,
+ 		}
+ 	}
+ 
+-        ret = 0;
++	unixid_from_gid(&id, gid);
++
++	idmap_cache_set_sid2unixid(group_sid, &id);
++
++	ret = 0;
+ done:
++
+ 	if (ret == 0) {
+ 		*_group_sid = talloc_steal(mem_ctx, group_sid);
+ 	}
+-- 
+1.8.5.3
+
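Review bot: In the new entry loop of `ldapsam_gid_to_sid`, the `values` array returned by `ldap_get_values_len()` is never released: each iteration overwrites it, and both the `goto found` and the fall-through paths leave the last array allocated, so every gid lookup that reaches the loop leaks (the sibling code in `ldapsam_sid_to_id` that runs the same comparison is not visible here, so I cannot confirm whether it frees). Add `ldap_value_free_len(values);` after the inner `for`, and once more just before `goto found`. Two smaller points: `strncasecmp(LDAP_OBJ_GROUPMAP, bv_val, bv_len)` also accepts any objectClass value that is a proper prefix of `LDAP_OBJ_GROUPMAP`, so testing `values[c]->bv_len == strlen(LDAP_OBJ_GROUPMAP)` first makes the match exact; and the hand-copied `enum id_type`/`struct unixid` ("hopefully OK") means a layout change in Samba's idmap.h would silently feed wrong SID-to-id mappings into the idmap cache, so a comment naming the Samba version the definitions were taken from, or a configure-time check, would make that dependency visible.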
diff --git a/SOURCES/0059-ipaserver-dcerpc-make-sure-to-always-return-unicode-.patch b/SOURCES/0059-ipaserver-dcerpc-make-sure-to-always-return-unicode-.patch
new file mode 100644
index 0000000..0289984
--- /dev/null
+++ b/SOURCES/0059-ipaserver-dcerpc-make-sure-to-always-return-unicode-.patch
@@ -0,0 +1,33 @@
+From 1a5cf5b28ca3143c72abaa85db59cf827d25a379 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 12 Mar 2014 17:51:43 +0200
+Subject: [PATCH 59/60] ipaserver/dcerpc: make sure to always return unicode
+ SID of the trust domain
+
+Trusted domain SID could be obtained through different means. When it is
+fetched from the AD DC via LDAP, it needs to be extracted from a default
+context and explicitly converted to unicode.
+
+https://fedorahosted.org/freeipa/ticket/4246
+
+Reviewed-By: Martin Kosek <mkosek@redhat.com>
+---
+ ipaserver/dcerpc.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/dcerpc.py b/ipaserver/dcerpc.py
+index 5972e622292a033d4fc979cbf5401fa02151f35c..f1c75089b875787debcee22316a4898b424d923f 100644
+--- a/ipaserver/dcerpc.py
++++ b/ipaserver/dcerpc.py
+@@ -750,7 +750,7 @@ def retrieve_anonymously(self, remote_host, discover_srv=False):
+ 
+     def parse_naming_context(self, context):
+         naming_ref = re.compile('.*<SID=(S-.*)>.*')
+-        return naming_ref.match(context).group(1)
++        return unicode(naming_ref.match(context).group(1))
+ 
+     def retrieve(self, remote_host):
+         self.init_lsa_pipe(remote_host)
+-- 
+1.8.5.3
+
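Review bot: `parse_naming_context` still dereferences `naming_ref.match(context)` without checking for `None`, so a naming context lacking a `<SID=...>` element fails with an opaque `AttributeError`; the new `unicode()` wrapper does not change that. Guard it: `m = naming_ref.match(context)` / `if m is None: raise ValueError('no SID in naming context')` / `return unicode(m.group(1))`. The pattern should also be a raw string, and the greedy `(S-.*)` will swallow any later `>` on the line; `r'.*<SID=(S-[^>]*)>.*'` captures just the SID.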
diff --git a/SOURCES/0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch b/SOURCES/0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch
new file mode 100644
index 0000000..f2d8e65
--- /dev/null
+++ b/SOURCES/0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch
@@ -0,0 +1,44 @@
+From f06e746602f34a1c60580fe3bbb105a8a1cab8a2 Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Wed, 12 Mar 2014 19:01:00 +0200
+Subject: [PATCH 60/60] trust: do not fetch subdomains in case shared secret
+ was used to set up the trust
+
+Until incoming trust is validated from AD side, we cannot run any operations
+against AD using the trust. Also, Samba currently does not suport verifying
+trust against the other party (returns WERR_NOT_SUPPORTED).
+
+This needs to be added to the documentation:
+
+   When using 'ipa trust-add ad.domain --trust-secret', one has to manually
+   validate incoming trust using forest trust properties in AD Domains and
+   Trusts tool.
+
+   Once incoming trust is validated at AD side, use IPA command
+   'ipa trust-fetch-domains ad.domain' to retrieve topology of the AD forest.
+   From this point on the trust should be usable.
+
+https://fedorahosted.org/freeipa/ticket/4246
+
+Reviewed-By: Martin Kosek <mkosek@redhat.com>
+---
+ ipalib/plugins/trust.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipalib/plugins/trust.py b/ipalib/plugins/trust.py
+index f2b00a6f58f5890e37aaa033a35dcf9bc39ccbc4..fe2795cad86e173a150f35db6301119930463a10 100644
+--- a/ipalib/plugins/trust.py
++++ b/ipalib/plugins/trust.py
+@@ -462,7 +462,8 @@ def execute(self, *keys, **options):
+         # for AD trusts, regardless of the type of idranges associated with it
+         # Note that fetch_domains_from_trust will add needed ranges for
+         # the algorithmic ID mapping case.
+-        if options.get('trust_type') == u'ad':
++        if (options.get('trust_type') == u'ad' and
++            options.get('trust_secret') is None):
+             domains = fetch_domains_from_trust(self, self.trustinstance,
+                                                result['result'], **options)
+ 
+-- 
+1.8.5.3
+
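Review bot: The new condition deserves a comment stating why a shared-secret trust skips fetching domains, because the reason (the incoming side of the trust is not yet validated by AD, and Samba cannot verify it) currently lives only in the commit message: `# Trusts set up with a shared secret are not yet validated on the AD side;` / `# subdomains are fetched later via 'ipa trust-fetch-domains'.` Since the commit message notes that the manual validation step still needs documenting, printing that hint to the user in this branch would also avoid a silent change in behaviour. The execute body starts and ends outside the hunk.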
diff --git a/SOURCES/0061-Update-Dogtag-9-database-during-replica-installation.patch b/SOURCES/0061-Update-Dogtag-9-database-during-replica-installation.patch
new file mode 100644
index 0000000..fc97678
--- /dev/null
+++ b/SOURCES/0061-Update-Dogtag-9-database-during-replica-installation.patch
@@ -0,0 +1,101 @@
+From 2e031c9469f0313014dbe8c47d0be3fee370f287 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Thu, 13 Mar 2014 08:25:11 +0100
+Subject: [PATCH] Update Dogtag 9 database during replica installation
+
+When Dogtag 10 based FreeIPA replica is being installed for a Dogtag 9
+based master, the PKI database is not updated and miss several ACLs
+which prevent some of the PKI functions, e.g. an ability to create
+other clones.
+
+Add an update file to do the database update. Content is based on
+recommendation from PKI team:
+   * https://bugzilla.redhat.com/show_bug.cgi?id=1075118#c9
+
+This update file can be removed when Dogtag database upgrades are done
+in PKI component. Upstream tickets:
+   * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
+   * https://fedorahosted.org/pki/ticket/906 (checking database version)
+
+Also make sure that PKI service is restarted in the end of the installation
+as the other services to make sure it picks changes done during LDAP
+updates.
+
+https://fedorahosted.org/freeipa/ticket/4243
+---
+ install/tools/ipa-replica-install            |  4 ++++
+ install/tools/ipa-server-install             |  4 ++++
+ install/updates/50-dogtag10-migration.update | 18 ++++++++++++++++++
+ install/updates/Makefile.am                  |  1 +
+ 4 files changed, 27 insertions(+)
+ create mode 100644 install/updates/50-dogtag10-migration.update
+
+diff --git a/install/tools/ipa-replica-install b/install/tools/ipa-replica-install
+index e039fd1e7cb213b3269d0a5d2305a96f68e36e29..4418b41784313121e73b560ee84715ddeba8bc54 100755
+--- a/install/tools/ipa-replica-install
++++ b/install/tools/ipa-replica-install
+@@ -704,6 +704,10 @@ def main():
+     service.print_msg("Restarting the KDC")
+     krb.restart()
+ 
++    if CA and config.setup_ca:
++        service.print_msg("Restarting the certificate server")
++        CA.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
++
+     if options.setup_dns:
+         install_bind(config, options)
+ 
+diff --git a/install/tools/ipa-server-install b/install/tools/ipa-server-install
+index 458ebba550d0fe7675bd874e23c7d730c53297e6..dfbbb91bf3bb8461333193b5a3e72c3ec06d4582 100755
+--- a/install/tools/ipa-server-install
++++ b/install/tools/ipa-server-install
+@@ -1186,6 +1186,10 @@ def main():
+     service.print_msg("Restarting the KDC")
+     krb.restart()
+ 
++    if setup_ca:
++        service.print_msg("Restarting the certificate server")
++        ca.restart(dogtag.configured_constants().PKI_INSTANCE_NAME)
++
+     # Create a BIND instance
+     bind = bindinstance.BindInstance(fstore, dm_password)
+     bind.setup(host_name, ip_address, realm_name, domain_name, dns_forwarders,
+diff --git a/install/updates/50-dogtag10-migration.update b/install/updates/50-dogtag10-migration.update
+new file mode 100644
+index 0000000000000000000000000000000000000000..d718923544f0cb00f61b7b56940695e3891c4780
+--- /dev/null
++++ b/install/updates/50-dogtag10-migration.update
+@@ -0,0 +1,18 @@
++# PKI/Dogtag does not automatically upgrade it's database. When Dogtag 10
++# based replica is being installed from a Dogtag 9 based replica,
++# the database will miss ACLs added in Dogtag 10 resulting in limited
++# functionality.
++#
++# This update file can be removed when Dogtag database upgrades are done
++# in PKI component. Upstream tickets:
++#    * https://fedorahosted.org/pki/ticket/710 (database upgrade framework)
++#    * https://fedorahosted.org/pki/ticket/906 (checking database version)
++
++dn: cn=aclResources,o=ipaca
++addifexist:resourceACLS:'certServer.ca.account:login,logout:allow (login,logout) user="anybody":Anybody can login and logout'
++addifexist:resourceACLS:'certServer.ca.certrequests:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert request operations'
++addifexist:resourceACLS:'certServer.ca.certs:execute:allow (execute) group="Certificate Manager Agents":Agents may execute cert operations'
++addifexist:resourceACLS:'certServer.ca.groups:execute:allow (execute) group="Administrators":Admins may execute group operations'
++addifexist:resourceACLS:'certServer.ca.users:execute:allow (execute) group="Administrators":Admins may execute user operations'
++replace:resourceACLS:'certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group":Anybody is allowed to read domain.xml but only Subsystem group is allowed to modify the domain.xml::certServer.securitydomain.domainxml:read,modify:allow (read) user="anybody";allow (modify) group="Subsystem Group" || group="Enterprise CA Administrators" || group="Enterprise KRA Administrators" || group="Enterprise RA Administrators" || group="Enterprise OCSP Administrators" || group="Enterprise TKS Administrators" || group="Enterprise TPS Administrators":Anybody is allowed to read domain.xml but only Subsystem group and Enterprise Administrators are allowed to modify the domain.xml'
++replace:resourceACLS:'certServer.ca.connectorInfo:read,modify:allow (modify,read) group="Enterprise KRA Administrators":Only Enterprise Administrators are allowed to update the connector information::certServer.ca.connectorInfo:read,modify:allow (read) group="Enterprise KRA Administrators";allow (modify) group="Enterprise KRA Administrators" || group="Subsystem Group":Only Enterprise Administrators and Subsystem Group are allowed to update the connector information'
+diff --git a/install/updates/Makefile.am b/install/updates/Makefile.am
+index 40c3b3c8916faa267254a29d0f458ca53201950c..fb73c410dbcd1978c3a5deeb184dc10cdba866ae 100644
+--- a/install/updates/Makefile.am
++++ b/install/updates/Makefile.am
+@@ -36,6 +36,7 @@ app_DATA =				\
+ 	40-otp.update			\
+ 	45-roles.update			\
+ 	50-7_bit_check.update	        \
++	50-dogtag10-migration.update	\
+ 	50-lockout-policy.update	\
+ 	50-groupuuid.update		\
+ 	50-hbacservice.update		\
+-- 
+1.8.5.3
+
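Review bot: The header comment of the new 50-dogtag10-migration.update only describes ACLs that are missing, but the two `replace:resourceACLS:` lines at the end also widen existing ACLs: domain.xml becomes modifiable by the Enterprise *-Administrators groups and connectorInfo by the Subsystem Group. Since that is a privilege change in the CA's own ACL store it should be stated in the file itself, e.g. `# The two replace lines widen modify rights on domain.xml and connectorInfo to the Dogtag 10 defaults; see bug 1075118 comment 9`. The `old::new` form of replace presumably applies only when the stored value matches the left-hand side exactly, so a Dogtag 9 instance whose ACL text differs would silently keep the old value; that case is worth a post-install check rather than a comment.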
diff --git a/SOURCES/0062-Prohibit-deletion-of-active-subdomain-range.patch b/SOURCES/0062-Prohibit-deletion-of-active-subdomain-range.patch
new file mode 100644
index 0000000..3820074
--- /dev/null
+++ b/SOURCES/0062-Prohibit-deletion-of-active-subdomain-range.patch
@@ -0,0 +1,54 @@
+From 35916294df8acc87e70c6b6796c644824caed64a Mon Sep 17 00:00:00 2001
+From: Tomas Babej <tbabej@redhat.com>
+Date: Thu, 13 Mar 2014 12:36:17 +0100
+Subject: [PATCH] Prohibit deletion of active subdomain range
+
+Changes the code in the idrange_del method to not only check for
+the root domains that match the SID in the IDRange, but for the
+SIDs of subdomains of trusts as well.
+
+https://fedorahosted.org/freeipa/ticket/4247
+
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipalib/plugins/idrange.py | 20 ++++++++++++++++----
+ 1 file changed, 16 insertions(+), 4 deletions(-)
+
+diff --git a/ipalib/plugins/idrange.py b/ipalib/plugins/idrange.py
+index cf74a75ffda42b2d2e40d2ab35c79ed069dd0f52..56ef4bba3ad0203d7d2462db6c4de90e1cb555cd 100644
+--- a/ipalib/plugins/idrange.py
++++ b/ipalib/plugins/idrange.py
+@@ -567,14 +567,26 @@ class idrange_del(LDAPDelete):
+         range_sid = old_attrs.get('ipanttrusteddomainsid')
+ 
+         if range_sid is not None:
++            # Search for trusted domain with SID specified in the ID range entry
+             range_sid = range_sid[0]
+-            result = api.Command['trust_find'](ipanttrusteddomainsid=range_sid)
++            domain_filter=('(&(objectclass=ipaNTTrustedDomain)'
++                           '(ipanttrusteddomainsid=%s))' % range_sid)
+ 
+-            if result['count'] > 0:
++            try:
++                (trust_domains, truncated) = ldap.find_entries(
++                    base_dn=DN(api.env.container_trusts, api.env.basedn),
++                    filter=domain_filter)
++            except errors.NotFound:
++                pass
++            else:
++                # If there's an entry, it means that there's active domain
++                # of a trust that this range belongs to, so raise a
++                # DependentEntry error
+                 raise errors.DependentEntry(
+-                    label='Active Trust',
++                    label='Active Trust domain',
+                     key=keys[0],
+-                    dependent=result['result'][0]['cn'][0])
++                    dependent=trust_domains[0].dn[0].value)
++
+ 
+         return dn
+ 
+-- 
+1.8.5.3
+
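Review bot: `domain_filter` is assembled by `%` interpolation of `range_sid`, which bypasses LDAP filter escaping. The value comes from the range entry's own `ipanttrusteddomainsid` attribute rather than from the caller, so the exposure is low, but the backend's filter builders escape for free and are the convention elsewhere in the plugins, if I read ldap2 right: `domain_filter = ldap.make_filter({'objectclass': 'ipaNTTrustedDomain', 'ipanttrusteddomainsid': range_sid}, rules=ldap.MATCH_ALL)`. `truncated` is bound and never read; `_` would make that explicit. The enclosing method of idrange_del starts outside the hunk.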
diff --git a/SOURCES/0063-extdom-do-not-return-results-from-the-wrong-domain.patch b/SOURCES/0063-extdom-do-not-return-results-from-the-wrong-domain.patch
new file mode 100644
index 0000000..fdaa145
--- /dev/null
+++ b/SOURCES/0063-extdom-do-not-return-results-from-the-wrong-domain.patch
@@ -0,0 +1,58 @@
+From 8d8cbc740af171a24e768fd6e4af17013d1fa261 Mon Sep 17 00:00:00 2001
+From: Sumit Bose <sbose@redhat.com>
+Date: Tue, 25 Mar 2014 11:29:58 +0100
+Subject: [PATCH] extdom: do not return results from the wrong domain
+
+Resolves: https://fedorahosted.org/freeipa/ticket/4264
+Reviewed-By: Tomas Babej <tbabej@redhat.com>
+---
+ .../ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c   | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+index 675fc368042373314e9416dcf7d5866cb8c9871e..025d37dc5eda05c8db43d4e8176fd7898ed32fe7 100644
+--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
+@@ -359,6 +359,9 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
+                         if ((locat = strchr(pg_data->data.pwd.pw_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+                             if (strcasecmp(locat+1, domain_name) == 0  ) {
+                                 locat[0] = 0;
++                            } else {
++                                ret = LDAP_NO_SUCH_OBJECT;
++                                goto done;
+                             }
+                         }
+                         res->data.name.object_name =
+@@ -368,6 +371,9 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
+                         if ((locat = strchr(pg_data->data.grp.gr_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+                             if (strcasecmp(locat+1, domain_name) == 0) {
+                                 locat[0] = 0;
++                            } else {
++                                ret = LDAP_NO_SUCH_OBJECT;
++                                goto done;
+                             }
+                         }
+                         res->data.name.object_name =
+@@ -408,6 +414,9 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
+                     if ((locat = strchr(pg_data->data.pwd.pw_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+                         if (strcasecmp(locat+1, domain_name) == 0) {
+                             locat[0] = 0;
++                        } else {
++                            ret = LDAP_NO_SUCH_OBJECT;
++                            goto done;
+                         }
+                     }
+                     res->data.user.user_name =
+@@ -428,6 +437,9 @@ int create_response(struct extdom_req *req, struct pwd_grp *pg_data,
+                     if ((locat = strchr(pg_data->data.grp.gr_name, SSSD_DOMAIN_SEPARATOR)) != NULL) {
+                         if (strcasecmp(locat+1, domain_name) == 0) {
+                             locat[0] = 0;
++                        } else {
++                            ret = LDAP_NO_SUCH_OBJECT;
++                            goto done;
+                         }
+                     }
+                     res->data.group.group_name =
+-- 
+1.8.5.3
+
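Review bot: The same three-line else branch is now repeated at all four call sites in create_response, and each copy has to stay in step with the strchr/strcasecmp check directly above it. A small static helper that strips the SSSD domain suffix only when it names the requested domain would make the check single-sourced; the sketch below shows the helper and one call site, the other three take the same form. A name without a separator still passes through unchecked, which looks intentional for the local domain but deserves a one-line comment at the helper. `done:` and the rest of create_response are outside the hunk.
```c
/* Accept name as-is when it carries no SSSD domain suffix; when it does,
 * accept it only if the suffix names domain_name (case-insensitively)
 * and strip the suffix in place.  Returns 1 when accepted, 0 otherwise. */
static int strip_domain_suffix(char *name, const char *domain_name)
{
    char *locat = strchr(name, SSSD_DOMAIN_SEPARATOR);

    if (locat == NULL) {
        return 1;
    }
    if (strcasecmp(locat + 1, domain_name) != 0) {
        return 0;
    }
    locat[0] = 0;
    return 1;
}

/* … unchanged: create_response up to the pw_name lookup … */
                        if (!strip_domain_suffix(pg_data->data.pwd.pw_name, domain_name)) {
                            ret = LDAP_NO_SUCH_OBJECT;
                            goto done;
                        }
                        res->data.name.object_name =
/* … unchanged: the gr_name, user_name and group_name call sites take the same form … */
```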
diff --git a/SOURCES/0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch b/SOURCES/0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch
new file mode 100644
index 0000000..ab22fb9
--- /dev/null
+++ b/SOURCES/0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch
@@ -0,0 +1,37 @@
+From 8e8a020f8d2476cca321349fa24db4bee95270d8 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Thu, 20 Mar 2014 09:34:53 +0100
+Subject: [PATCH] Proxy PKI clone /ca/ee/ca/profileSubmit URI
+
+PKI change done in ticket https://fedorahosted.org/pki/ticket/816
+requires the PKI Clone's SSL Server certificate to be issued by
+it's associated PKI master.
+
+Allow this call on IPA master.
+
+https://fedorahosted.org/freeipa/ticket/4265
+
+Reviewed-By: Jan Cholasta <jcholast@redhat.com>
+---
+ install/conf/ipa-pki-proxy.conf | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/install/conf/ipa-pki-proxy.conf b/install/conf/ipa-pki-proxy.conf
+index 6f0463242b75a58cf63a38e62c23fa372aeacf64..224cdd45b5b5f72671a179570fd15772fe8cfaab 100644
+--- a/install/conf/ipa-pki-proxy.conf
++++ b/install/conf/ipa-pki-proxy.conf
+@@ -1,9 +1,9 @@
+-# VERSION 3 - DO NOT REMOVE THIS LINE
++# VERSION 4 - DO NOT REMOVE THIS LINE
+ 
+ ProxyRequests Off
+ 
+ # matches for ee port
+-<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL">
++<LocationMatch "^/ca/ee/ca/checkRequest|^/ca/ee/ca/getCertChain|^/ca/ee/ca/getTokenInfo|^/ca/ee/ca/tokenAuthenticate|^/ca/ocsp|^/ca/ee/ca/updateNumberRange|^/ca/ee/ca/getCRL|^/ca/ee/ca/profileSubmit">
+     NSSOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+     NSSVerifyClient none
+     ProxyPassMatch ajp://localhost:$DOGTAG_PORT
+-- 
+1.8.5.3
+
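Review bot: Adding `^/ca/ee/ca/profileSubmit` to this LocationMatch puts the certificate-enrollment endpoint in the block that sets `NSSVerifyClient none`, so the proxy no longer asks for a client certificate on that path and authentication of the request presumably rests on Dogtag alone. That is what the commit message implies (clone SSL server certs issued by the master, pki ticket 816) but nothing in the config says so; a comment beside the match, `# profileSubmit: PKI clones enroll their SSL server cert here (pki ticket 816); Dogtag authenticates the request`, would keep a later editor from "tightening" it away. As with the existing alternatives the pattern has no end anchor, so it prefix-matches any path starting with that string. The LocationMatch block closes outside the hunk.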
diff --git a/SOURCES/0065-Make-ipa-client-automount-backwards-compatible.patch b/SOURCES/0065-Make-ipa-client-automount-backwards-compatible.patch
new file mode 100644
index 0000000..dd62f62
--- /dev/null
+++ b/SOURCES/0065-Make-ipa-client-automount-backwards-compatible.patch
@@ -0,0 +1,39 @@
+From cebfd91869bdc22fa8f72c4e47d32cac73487e45 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Tue, 1 Apr 2014 16:23:14 +0200
+Subject: [PATCH] Make ipa-client-automount backwards compatible
+
+ipa-client-automount calls automountlocation-show command during the
+process. Unfortunately, FreeIPA commands are forward compatible only
+and thus fail the installer.
+
+Similarly to ipa-client-install, call XML-RPC interface directly
+with version fixed to 2.0 (command was already available at that
+version) to fix the failure.
+
+https://fedorahosted.org/freeipa/ticket/4290
+---
+ ipa-client/ipa-install/ipa-client-automount | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/ipa-client/ipa-install/ipa-client-automount b/ipa-client/ipa-install/ipa-client-automount
+index 62531bfe1d923b1705aed1187da6766b54c90a0c..77829b927e8c1772598d1a4e590c3f99977aa8eb 100755
+--- a/ipa-client/ipa-install/ipa-client-automount
++++ b/ipa-client/ipa-install/ipa-client-automount
+@@ -440,7 +440,12 @@ def main():
+         except errors.KerberosError, e:
+             sys.exit('Cannot connect to the server due to ' + str(e))
+         try:
+-            api.Command['automountlocation_show'](unicode(options.location))
++            # Use the RPC directly so older servers are supported
++            result = api.Backend.xmlclient.forward(
++                'automountlocation_show',
++                unicode(options.location),
++                version=u'2.0',
++            )
+         except errors.VersionError, e:
+             sys.exit('This client is incompatible: ' + str(e))
+         except errors.NotFound:
+-- 
+1.8.5.3
+
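Review bot: `result` is bound from the `forward()` call but nothing in the hunk reads it, and the line it replaces discarded the return value; if the lines after the hunk do not use it either, drop the assignment so the call reads like the original: `api.Backend.xmlclient.forward('automountlocation_show', unicode(options.location), version=u'2.0')`. The pinned version deserves the same justification the new comment gives for the direct call, e.g. `# version 2.0: the command already existed at that API version, so any newer server accepts it`. main() continues outside the hunk.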
diff --git a/SOURCES/1007-Remove-ipa-backup-and-ipa-restore-functionality.patch b/SOURCES/1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
new file mode 100644
index 0000000..2241ab2
--- /dev/null
+++ b/SOURCES/1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
@@ -0,0 +1,40 @@
+From fb6ff1a18bc4ffe88a98fb7b5ffe23fefe103da9 Mon Sep 17 00:00:00 2001
+From: Martin Kosek <mkosek@redhat.com>
+Date: Mon, 23 Sep 2013 13:10:26 +0200
+Subject: [PATCH] Remove ipa-backup and ipa-restore functionality
+
+https://bugzilla.redhat.com/show_bug.cgi?id=1003933
+---
+ install/tools/Makefile.am     | 2 --
+ install/tools/man/Makefile.am | 2 --
+ 2 files changed, 4 deletions(-)
+
+diff --git a/install/tools/Makefile.am b/install/tools/Makefile.am
+index 2cf66c6dfc1c272bb423253902e7339e7d159567..0eb3a6b6122b3eea8539ae9a913a0f2c6cb23698 100644
+--- a/install/tools/Makefile.am
++++ b/install/tools/Makefile.am
+@@ -21,8 +21,6 @@ sbin_SCRIPTS =			\
+ 	ipa-managed-entries     \
+ 	ipa-ldap-updater	\
+ 	ipa-upgradeconfig	\
+-	ipa-backup		\
+-	ipa-restore		\
+ 	ipa-advise		\
+ 	$(NULL)
+ 
+diff --git a/install/tools/man/Makefile.am b/install/tools/man/Makefile.am
+index 33e8a9e4b3408cc5447c8cad9a289ddd6ae1ebd7..ee208783ccb9daa600610abd4a83236ede92066a 100644
+--- a/install/tools/man/Makefile.am
++++ b/install/tools/man/Makefile.am
+@@ -19,8 +19,6 @@ man1_MANS = 				\
+ 	ipa-compat-manage.1		\
+ 	ipa-nis-manage.1		\
+ 	ipa-managed-entries.1		\
+-	ipa-backup.1			\
+-	ipa-restore.1			\
+ 	ipa-advise.1			\
+         $(NULL)
+ 
+-- 
+1.8.3.1
+
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 806ab5b..13a4ac1 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -12,9 +12,13 @@
 %global gettext_domain ipa
 %global VERSION 3.3.3
 
+%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
+%define _hardened_build 1
+%endif
+
 Name:           ipa
 Version:        3.3.3
-Release:        5%{?dist}
+Release:        28%{?dist}
 Summary:        The Identity, Policy and Audit system
 
 Group:          System Environment/Base
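Review bot: `%define _hardened_build 1` at file scope breaks with the rest of this header, which uses `%global` (gettext_domain and VERSION two lines above), and `%global` is also the form the packaging guidelines ask for at top level; `%global _hardened_build 1` is the consistent spelling. The flag's effect is indirect, so a why-comment on the `%if` would help: `# build PIE binaries with full RELRO via the distribution optflags/ldflags (see the build section)`.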
@@ -30,6 +34,65 @@ Patch0003:      0003-Allow-kernel-keyring-CCACHE-when-supported.patch
 Patch0004:      0004-Fix-regression-which-prevents-creating-a-winsync-agr.patch
 Patch0005:      0005-trusts-Do-not-pass-base-id-to-the-subdomain-ranges.patch
 Patch0006:      0006-Map-NT_STATUS_INVALID_PARAMETER-to-most-likely-error.patch
+Patch0007:      0007-Remove-mod_ssl-port-workaround.patch
+Patch0008:      0008-subdomains-Use-AD-admin-credentials-when-trust-is-be.patch
+Patch0009:      0009-trusts-Always-stop-and-disable-smb-service-on-uninst.patch
+Patch0010:      0010-Use-hardening-flags-for-ipa-optd.patch
+Patch0011:      0011-test_integration-Support-external-names-for-hosts.patch
+Patch0012:      0012-ipa-client-install-Always-pass-hostname-to-the-ipa-j.patch
+Patch0013:      0013-trust-fix-get_dn-to-distinguish-creating-and-re-addi.patch
+Patch0014:      0014-ipa-cldap-Cut-NetBIOS-name-after-15-characters.patch
+Patch0015:      0015-Prevent-garbage-from-readline-on-standard-output-of-.patch
+Patch0016:      0016-Do-not-build-tests.patch
+Patch0017:      0017-PKI-service-restart-after-CA-renewal-failed.patch
+Patch0018:      0018-hbactest-does-not-work-for-external-users.patch
+Patch0019:      0019-Change-the-way-we-determine-if-the-host-has-a-passwo.patch
+Patch0020:      0020-sudoOrder-missing-in-sudoers.patch
+Patch0021:      0021-Add-missing-example-to-sudorule.patch
+Patch0022:      0022-Fix-ipa-client-automount-uninstall-when-fstore-is-em.patch
+Patch0023:      0023-trust-fetch-domains-create-ranges-for-new-child-doma.patch
+Patch0024:      0024-trustdomain-find-report-status-of-the-sub-domain.patch
+Patch0025:      0025-CLDAP-do-not-prepend.patch
+Patch0026:      0026-ipaserver-install-installutils-clean-up-properly-aft.patch
+Patch0027:      0027-Do-not-start-the-service-in-stopped_service-if-it-wa.patch
+Patch0028:      0028-Harmonize-policy-discovery-to-kdb-driver.patch
+Patch0029:      0029-Stop-adding-a-default-password-policy-reference.patch
+Patch0030:      0030-Increase-service-startup-timeout-default.patch
+Patch0031:      0031-cli.print_attribute-Convert-values-to-strings.patch
+Patch0032:      0032-group-show-resolve-external-members-of-the-groups.patch
+Patch0033:      0033-Remove-SID-resolve-call-from-Web-UI.patch
+Patch0034:      0034-ipa-adtrust-install-configure-host-netbios-name-by-d.patch
+Patch0035:      0035-Remove-missing-VERSION-warning-in-dnsrecord-mod.patch
+Patch0036:      0036-Hide-trust-resolve-command.patch
+Patch0037:      0037-Trust-domains-Web-UI.patch
+Patch0038:      0038-ipasam-delete-trusted-child-domains-before-removing-.patch
+Patch0039:      0039-CLDAP-generate-NetBIOS-name-like-ipa-adtrust-install.patch
+Patch0040:      0040-Fallback-to-global-policy-in-ipa-lockout-plugin.patch
+Patch0041:      0041-Migration-does-not-add-users-to-default-group.patch
+Patch0042:      0042-ipa-lockout-do-not-fail-when-default-realm-cannot-be.patch
+Patch0043:      0043-ipa-tool-Print-the-name-of-the-server-we-are-connect.patch
+Patch0044:      0044-Remove-sourcehostcategory-from-the-default-HBAC-rule.patch
+Patch0045:      0045-DNS-classless-support-for-reverse-domains.patch
+Patch0046:      0046-Move-ipa-otpd-socket-directory.patch
+Patch0047:      0047-bindinstance-make-sure-zone-manager-is-initialized-i.patch
+Patch0048:      0048-trustdomain_find-make-sure-we-skip-short-entries-whe.patch
+Patch0049:      0049-ipa-kdb-in-case-of-delegation-use-original-client-s-.patch
+Patch0050:      0050-ipa-kdb-make-sure-we-don-t-produce-MS-PAC-in-case-of.patch
+Patch0051:      0051-Too-big-font-in-input-fields.patch
+Patch0052:      0052-trust-make-sure-we-always-discover-topology-of-the-f.patch
+Patch0053:      0053-ipaserver-dcerpc-catch-the-case-of-insuffient-permis.patch
+Patch0054:      0054-fix-filtering-of-subdomain-based-trust-users.patch
+Patch0055:      0055-ipa-kdb-do-not-fetch-client-principal-if-it-is-the-s.patch
+Patch0056:      0056-ipa-replica-install-never-checks-for-7389-port.patch
+Patch0057:      0057-Avoid-passing-non-terminated-string-to-is_master_hos.patch
+Patch0058:      0058-ipa-sam-cache-gid-to-sid-and-uid-to-sid-requests-in-.patch
+Patch0059:      0059-ipaserver-dcerpc-make-sure-to-always-return-unicode-.patch
+Patch0060:      0060-trust-do-not-fetch-subdomains-in-case-shared-secret-.patch
+Patch0061:      0061-Update-Dogtag-9-database-during-replica-installation.patch
+Patch0062:      0062-Prohibit-deletion-of-active-subdomain-range.patch
+Patch0063:      0063-extdom-do-not-return-results-from-the-wrong-domain.patch
+Patch0064:      0064-Proxy-PKI-clone-ca-ee-ca-profileSubmit-URI.patch
+Patch0065:      0065-Make-ipa-client-automount-backwards-compatible.patch
 
 Patch1001:      1001-Hide-pkinit-functionality-from-production-version.patch
 Patch1002:      1002-Remove-pkinit-plugin.patch
@@ -37,6 +100,7 @@ Patch1003:      1003-Remove-pkinit-references-from-tool-man-pages.patch
 Patch1004:      1004-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1005:      1005-Remove-pylint-from-build-process.patch
 Patch1006:      1006-Remove-i18test-from-build-process.patch
+Patch1007:      1007-Remove-ipa-backup-and-ipa-restore-functionality.patch
 
 %if ! %{ONLY_CLIENT}
 BuildRequires:  389-ds-base-devel >= 1.3.1
@@ -112,7 +176,7 @@ Requires: openldap-clients > 2.4.35-4
 Requires: nss >= 3.14.3-12.0
 Requires: nss-tools >= 3.14.3-12.0
 %if 0%{?krb5_dal_version} >= 4
-Requires: krb5-server >= 1.11.2-1
+Requires: krb5-server >= 1.11.3-46
 %else
 %if 0%{krb5_dal_version} == 3
 # krb5 1.11 bumped DAL interface major version, a rebuild is needed
@@ -125,10 +189,10 @@ Requires: krb5-server >= 1.10
 Requires: krb5-pkinit-openssl
 Requires: cyrus-sasl-gssapi%{?_isa}
 Requires: ntp
-Requires: httpd
+Requires: httpd >= 2.4.6-7
 Requires: mod_wsgi
 Requires: mod_auth_kerb >= 5.4-16
-Requires: mod_nss >= 1.0.8-24
+Requires: mod_nss >= 1.0.8-26
 Requires: python-ldap
 Requires: python-krbV
 Requires: acl
@@ -164,6 +228,9 @@ Conflicts: bind < 9.8.2-0.4.rc2
 # member.
 Conflicts: nss-pam-ldapd < 0.8.4
 
+# ipa-tests subpackage was moved to separate srpm
+Conflicts: ipa-tests < 3.3.3-9
+
 %description server
 IPA is an integrated solution to provide centrally managed Identity (machine,
 user, virtual machines, groups, authentication credentials), Policy
@@ -271,28 +338,6 @@ user, virtual machines, groups, authentication credentials), Policy
 logs, analysis thereof). If you are using IPA you need to install this
 package.
 
-%if ! %{ONLY_CLIENT}
-%package tests
-Summary: IPA tests and test tools
-Requires: %{name}-client = %{version}-%{release}
-Requires: %{name}-python = %{version}-%{release}
-Requires: tar
-Requires: xz
-Requires: python-nose
-Requires: python-paste
-Requires: python-coverage
-Requires: openssh-clients
-
-%description tests
-IPA is an integrated solution to provide centrally managed Identity (machine,
-user, virtual machines, groups, authentication credentials), Policy
-(configuration settings, access control information) and Audit (events,
-logs, analysis thereof).
-This package contains tests that verify IPA functionality.
-
-%endif # ONLY_CLIENT
-
-
 %prep
 # RHEL spec file only: START
 # Update timestamps on the files touched by a patch, to avoid non-equal
@@ -319,8 +364,8 @@ done
 # RHEL spec file only: END
 
 %build
-export CFLAGS="$CFLAGS %{optflags}"
-export CPPFLAGS="$CPPFLAGS %{optflags}"
+export CFLAGS="%{optflags} $CFLAGS"
+export LDFLAGS="%{__global_ldflags} $LDFLAGS"
 # use fedora18 platform which is based on fedora16 platform with systemd
 # support + fedora18 changes
 export SUPPORTED_PLATFORM=fedora18
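Review bot: `export LDFLAGS="%{__global_ldflags} $LDFLAGS"` uses the macro unconditionally, but rpm leaves an undefined macro in place as literal text, so on a build root where `__global_ldflags` is not defined (the `%if` guarding `_hardened_build` near the top of this spec suggests older releases are still targeted) the linker would receive the string `%{__global_ldflags}`; `%{?__global_ldflags}` expands to nothing in that case. Removing `export CPPFLAGS="$CPPFLAGS %{optflags}"` also means preprocessor-only steps no longer see the optflags' `-D_FORTIFY_SOURCE` that typically rides in them; harmless if every compile goes through CC with CFLAGS, but worth a one-line comment saying so. The rest of %build continues outside the hunk.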
@@ -433,8 +478,6 @@ mkdir -p %{buildroot}%{_unitdir}
 install -m 644 init/systemd/ipa.service %{buildroot}%{_unitdir}/ipa.service
 install -m 644 init/systemd/ipa_memcached.service %{buildroot}%{_unitdir}/ipa_memcached.service
 # END
-
-mkdir -p %{buildroot}/%{_localstatedir}/lib/ipa/backup
 %endif # ONLY_CLIENT
 
 mkdir -p %{buildroot}%{_sysconfdir}/ipa/
@@ -451,10 +494,6 @@ mkdir -p %{buildroot}%{_sysconfdir}/cron.d
     grep -v dcerpc | grep -v adtrustinstance | \
     sed -e 's,\.py.*$,.*,g' | sort -u | \
     sed -e 's,\./,%%{python_sitelib}/ipaserver/,g' ) >server-python.list
-
-(cd %{buildroot}/%{python_sitelib}/ipatests && find . -type f  | \
-    sed -e 's,\.py.*$,.*,g' | sort -u | \
-    sed -e 's,\./,%%{python_sitelib}/ipatests/,g' ) >tests-python.list
 %endif # ONLY_CLIENT
 
 %clean
@@ -582,8 +621,6 @@ fi
 %files server -f server-python.list
 %defattr(-,root,root,-)
 %doc COPYING README Contributors.txt
-%{_sbindir}/ipa-backup
-%{_sbindir}/ipa-restore
 %{_sbindir}/ipa-ca-install
 %{_sbindir}/ipa-dns-install
 %{_sbindir}/ipa-server-install
@@ -664,6 +701,7 @@ fi
 %{_usr}/share/ipa/ui/*.svg
 %{_usr}/share/ipa/ui/*.ttf
 %{_usr}/share/ipa/ui/*.woff
+%dir %{_usr}/share/ipa/ui/js
 %dir %{_usr}/share/ipa/ui/js/dojo
 %{_usr}/share/ipa/ui/js/dojo/dojo.js
 %dir %{_usr}/share/ipa/ui/js/libs
@@ -712,7 +750,6 @@ fi
 %attr(755,root,root) %{plugin_dir}/libipa_dns.so
 %attr(755,root,root) %{plugin_dir}/libipa_range_check.so
 %dir %{_localstatedir}/lib/ipa
-%attr(700,root,root) %dir %{_localstatedir}/lib/ipa/backup
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysrestore
 %attr(700,root,root) %dir %{_localstatedir}/lib/ipa/sysupgrade
 %attr(755,root,root) %dir %{_localstatedir}/lib/ipa/pki-ca
@@ -733,8 +770,6 @@ fi
 %{_mandir}/man1/ipa-ldap-updater.1.gz
 %{_mandir}/man8/ipactl.8.gz
 %{_mandir}/man8/ipa-upgradeconfig.8.gz
-%{_mandir}/man1/ipa-backup.1.gz
-%{_mandir}/man1/ipa-restore.1.gz
 %{_mandir}/man1/ipa-advise.1.gz
 
 %files server-trust-ad
@@ -808,30 +843,117 @@ fi
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/default.conf
 %ghost %attr(0644,root,apache) %config(noreplace) %{_sysconfdir}/ipa/ca.crt
 
-%if ! %{ONLY_CLIENT}
-%files tests -f tests-python.list
-%defattr(-,root,root,-)
-%doc COPYING README Contributors.txt
-%dir %{python_sitelib}/ipatests
-%dir %{python_sitelib}/ipatests/test_cmdline
-%dir %{python_sitelib}/ipatests/test_install
-%dir %{python_sitelib}/ipatests/test_ipalib
-%dir %{python_sitelib}/ipatests/test_ipapython
-%dir %{python_sitelib}/ipatests/test_ipaserver
-%dir %{python_sitelib}/ipatests/test_ipaserver/install
-%dir %{python_sitelib}/ipatests/test_pkcs10
-%dir %{python_sitelib}/ipatests/test_webui
-%dir %{python_sitelib}/ipatests/test_xmlrpc
-%{_bindir}/ipa-run-tests
-%{_bindir}/ipa-test-config
-%{_bindir}/ipa-test-task
-%{python_sitelib}/ipatests-*.egg-info
-%{_mandir}/man1/ipa-run-tests.1.gz
-%{_mandir}/man1/ipa-test-config.1.gz
-%{_mandir}/man1/ipa-test-task.1.gz
-%endif # ONLY_CLIENT
-
 %changelog
+* Tue Apr  1 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-28
+- ipa-client-automount fails with incompatibility error when installed against
+  older IPA server (#1083108)
+
+* Wed Mar 26 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-27
+- Proxy PKI URI /ca/ee/ca/profileSubmit to enable replication with future
+  PKI versions (#1080865)
+
+* Tue Mar 25 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-26
+- When IdM server trusts multiple AD forests, IPA client returns invalid group
+  membership info (#1079498)
+
+* Thu Mar 13 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-25
+- Deletion of active subdomain range should not be allowed (#1075615)
+
+* Thu Mar 13 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-24
+- PKI database is ugraded during replica installation (#1075118)
+
+* Wed Mar 12 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-23
+- Unable to add trust successfully with --trust-secret (#1075704)
+
+* Wed Mar 12 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-22
+- ipa-replica-install never checks for 7389 port (#1075165)
+- Non-terminated string may be passed to LDAP search (#1075091)
+- ipa-sam may fail to translate group SID into GID (#1073829)
+- Excessive LDAP calls by ipa-sam during Samba FS operations (#1075132)
+
+* Thu Mar  6 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-21
+- Do not fetch a principal two times, remove potential memory leak (#1070924)
+
+* Wed Mar  5 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-20
+- trustdomain-find with pkey-only fails (#1068611)
+- Invalid credential cache in trust-add (#1069182)
+- ipa-replica-install prints unexpected error (#1069722)
+- Too big font in input fields in details facet in Firefox (#1069720)
+- trust-add for POSIX AD does not fetch trustdomains (#1070925)
+- Misleading trust-add error message in some cases (#1070926)
+- Access is not rejected for disabled domain (#1070924)
+
+* Wed Feb 26 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-19
+- Remove ipa-backup and ipa-restore functionality from RHEL (#1003933)
+
+* Wed Feb 12 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-18
+- Display server name in ipa command's verbose mode (#1061703)
+- Remove sourcehostcategory from default HBAC rule (#1061187)
+- dnszone-add cannot add classless PTR zones (#1058688)
+- Move ipa-otpd socket directory to /var/run/krb5kdc (#1063850)
+
+* Tue Feb  4 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-17
+- Lockout plugin crashed during ipa-server-install (#912725)
+
+* Fri Jan 31 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-16
+- Fallback to global policy in ipa lockout plugin (#912725)
+- Migration does not add users to default group (#903232)
+
+* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 3.3.3-15
+- Mass rebuild 2014-01-24
+
+* Thu Jan 23 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-14
+- Fix NetBIOS name generation in CLDAP plugin (#1030517)
+
+* Mon Jan 20 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-13
+- Do not add krbPwdPolicyReference for new accounts, hardcode it (#1045218)
+- Increase default timeout for IPA services (#1033273)
+- Error while running trustdomain-find (#1054376)
+- group-show lists SID instead of name for external groups (#1054391)
+- Fix IPA server NetBIOS name in samba configuration (#1030517)
+- dnsrecord-mod produces missing API version warning (#1054869)
+- Hide trust-resolve command as internal (#1052860)
+- Add Trust domain Web UI (#1054870)
+- ipasam cannot delete multiple child trusted domains (#1056120)
+
+* Wed Jan 15 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-12
+- Missing objectclasses when empty password passed to host-add (#1052979)
+- sudoOrder missing in sudoers (#1052983)
+- Missing examples in sudorule help (#1049464)
+- Client automount does not uninstall when fstore is empty (#910899)
+- Error not clear for invalid realm given to trust-fetch-domains (#1052981)
+- trust-fetch-domains does not add idrange for subdomains found (#1049926)
+- Add option to show if an AD subdomain is enabled/disabled (#1052973)
+- ipa-adtrust-install still failed with long NetBIOS names (#1030517)
+- Error not clear for invalid relam given to trustdomain-find (#1049455)
+- renewed client cert not recognized during IPA CA renewal (#1033273)
+
+* Fri Jan 10 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-11
+- hbactest does not work for external users (#848531)
+
+* Wed Jan 08 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-10
+- PKI service restart after CA renewal failed (#1040018)
+
+* Mon Jan 06 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-9
+- Move ipa-tests package to separate srpm (#1032668)
+
+* Fri Jan  3 2014 Martin Kosek <mkosek@redhat.com> - 3.3.3-8
+- Fix status trust-add command status message (#910453)
+- NetBIOS was not trimmed at 15 characters (#1030517)
+- Harden CA subsystem certificate renewal on CA clones (#1040018)
+
+* Fri Dec 27 2013 Daniel Mach <dmach@redhat.com> - 3.3.3-7
+- Mass rebuild 2013-12-27
+
+* Mon Dec  2 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-6
+- Remove "Listen 443 http" hack from deployed nss.conf (#1029046)
+- Re-adding existing trust fails (#1033216)
+- IPA uninstall exits with a samba error (#1033075)
+- Added RELRO hardening on /usr/libexec/ipa-otpd (#1026260)
+- Fixed ownership of /usr/share/ipa/ui/js (#1026260)
+- ipa-tests: support external names for hosts (#1032668)
+- ipa-client-install fail due fail to obtain host TGT (#1029354)
+
 * Fri Nov 22 2013 Martin Kosek <mkosek@redhat.com> - 3.3.3-5
 - Trust add tries to add same value of --base-id for sub domain,
   causing an error (#1033068)
@@ -920,7 +1042,7 @@ fi
 - Remove ipa-server-selinux obsoletes as upgrades from version prior to
   3.3.0 are not allowed
 - Wrap server-trust-ad subpackage description better
-- Add (noreplace) flag for \%{_sysconfdir}/tmpfiles.d/ipa.conf
+- Add (noreplace) flag for %%{_sysconfdir}/tmpfiles.d/ipa.conf
 - Change permissions on default_encoding_utf8.so to fix ipa-python Provides
 
 * Thu Aug  8 2013 Martin Kosek <mkosek@redhat.com> - 3.3.0-1