diff --git a/.gitignore b/.gitignore
index 0e4e65c..fa506d7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,4 @@
-SOURCES/freeipa-4.6.6.tar.gz
+SOURCES/freeipa-4.6.8.tar.gz
 SOURCES/header-logo.png
 SOURCES/login-screen-background.jpg
 SOURCES/product-name.png
diff --git a/.ipa.metadata b/.ipa.metadata
index 0dfcd18..6ec5281 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1,4 +1,4 @@
-2ed9f8319600bb22b7b252b1ed787883173d9ca4 SOURCES/freeipa-4.6.6.tar.gz
+8c95c8ce7c7eef230ba215d5f5a7d74dd3974adc SOURCES/freeipa-4.6.8.tar.gz
 77c318cf1f4fc25cf847de0692a77859a767c0e3 SOURCES/header-logo.png
 8727245558422bf966d60677568925f081b8e299 SOURCES/login-screen-background.jpg
 af82b7b7d327bd683c7d062a6f15713ea91ebedf SOURCES/product-name.png
diff --git a/SOURCES/0001-Add-interactive-prompt-for-the-LDAP-bind-password-to.patch b/SOURCES/0001-Add-interactive-prompt-for-the-LDAP-bind-password-to.patch
new file mode 100644
index 0000000..4599c3e
--- /dev/null
+++ b/SOURCES/0001-Add-interactive-prompt-for-the-LDAP-bind-password-to.patch
@@ -0,0 +1,174 @@ +From 6dcf7dcc04af4b77829f182a698beb59fc6f4341 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Fri, 5 Apr 2019 11:17:22 -0400 +Subject: [PATCH] Add interactive prompt for the LDAP bind password to + ipa-getkeytab + +This provides a mechanism to bind over LDAP without exposing +the password on the command-line. + +https://pagure.io/freeipa/issue/631 + +Signed-off-by: Rob Crittenden +Reviewed-By: Alexander Bokovoy +Reviewed-By: Robbie Harwood +Reviewed-By: Christian Heimes +Reviewed-By: Florence Blanc-Renaud +Reviewed-By: Simo Sorce +--- + client/ipa-getkeytab.c | 53 ++++++++++++++++++++++++++++++-------- + client/man/ipa-getkeytab.1 | 9 ++++--- + 2 files changed, 48 insertions(+), 14 deletions(-) + +diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c +index 6713a0c5f6352dc63dc0ec24d4ccaec4c3ba31ae..8a5e98bed1947344247f9d6146e595d5f7f7a963 100644 +--- a/client/ipa-getkeytab.c ++++ b/client/ipa-getkeytab.c +@@ -626,7 +626,16 @@ done: + return ret; + } + +-static char *ask_password(krb5_context krbctx) ++/* Prompt for either a password. ++ * This can be either asking for a new or existing password. ++ * ++ * To set a new password provide values for both prompt1 and prompt2 and ++ * set match=true to enforce that the two entered passwords match. ++ * ++ * To prompt for an existing password provide prompt1 and set match=false. ++ */ ++static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2, ++ bool match) + { + krb5_prompt ap_prompts[2]; + krb5_data k5d_pw0; +@@ -634,24 +643,27 @@ static char *ask_password(krb5_context krbctx) + char pw0[256]; + char pw1[256]; + char *password; ++ int num_prompts = match ? 
2:1; + + k5d_pw0.length = sizeof(pw0); + k5d_pw0.data = pw0; +- ap_prompts[0].prompt = _("New Principal Password"); ++ ap_prompts[0].prompt = prompt1; + ap_prompts[0].hidden = 1; + ap_prompts[0].reply = &k5d_pw0; + +- k5d_pw1.length = sizeof(pw1); +- k5d_pw1.data = pw1; +- ap_prompts[1].prompt = _("Verify Principal Password"); +- ap_prompts[1].hidden = 1; +- ap_prompts[1].reply = &k5d_pw1; ++ if (match) { ++ k5d_pw1.length = sizeof(pw1); ++ k5d_pw1.data = pw1; ++ ap_prompts[1].prompt = prompt2; ++ ap_prompts[1].hidden = 1; ++ ap_prompts[1].reply = &k5d_pw1; ++ } + + krb5_prompter_posix(krbctx, NULL, + NULL, NULL, +- 2, ap_prompts); ++ num_prompts, ap_prompts); + +- if (strcmp(pw0, pw1)) { ++ if (match && (strcmp(pw0, pw1))) { + fprintf(stderr, _("Passwords do not match!")); + return NULL; + } +@@ -752,6 +764,7 @@ int main(int argc, const char *argv[]) + static const char *ca_cert_file = NULL; + int quiet = 0; + int askpass = 0; ++ int askbindpw = 0; + int permitted_enctypes = 0; + int retrieve = 0; + struct poptOption options[] = { +@@ -778,6 +791,8 @@ int main(int argc, const char *argv[]) + _("LDAP DN"), _("DN to bind as if not using kerberos") }, + { "bindpw", 'w', POPT_ARG_STRING, &bindpw, 0, + _("LDAP password"), _("password to use if not using kerberos") }, ++ { NULL, 'W', POPT_ARG_NONE, &askbindpw, 0, ++ _("Prompt for LDAP password"), NULL }, + { "cacert", 0, POPT_ARG_STRING, &ca_cert_file, 0, + _("Path to the IPA CA certificate"), _("IPA CA certificate")}, + { "ldapuri", 'H', POPT_ARG_STRING, &ldap_uri, 0, +@@ -849,9 +864,24 @@ int main(int argc, const char *argv[]) + exit(2); + } + ++ if (askbindpw && bindpw != NULL) { ++ fprintf(stderr, _("Bind password already provided (-w).\n")); ++ if (!quiet) { ++ poptPrintUsage(pc, stderr, 0); ++ } ++ exit(2); ++ } ++ ++ if (askbindpw) { ++ bindpw = ask_password(krbctx, _("Enter LDAP password"), NULL, false); ++ if (!bindpw) { ++ exit(2); ++ } ++ } ++ + if (NULL!=binddn && NULL==bindpw) { + fprintf(stderr, +- _("Bind 
password required when using a bind DN.\n")); ++ _("Bind password required when using a bind DN (-w or -W).\n")); + if (!quiet) + poptPrintUsage(pc, stderr, 0); + exit(10); +@@ -915,7 +945,8 @@ int main(int argc, const char *argv[]) + } + + if (askpass) { +- password = ask_password(krbctx); ++ password = ask_password(krbctx, _("New Principal Password"), ++ _("Verify Principal Password"), true); + if (!password) { + exit(2); + } +diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 +index 39ff0d5da85b5a641328a512feeb06bc9c1ab9d7..6e7fdf39ee4e28772365edafd4c7e86d0c37d343 100644 +--- a/client/man/ipa-getkeytab.1 ++++ b/client/man/ipa-getkeytab.1 +@@ -21,7 +21,7 @@ + .SH "NAME" + ipa\-getkeytab \- Get a keytab for a Kerberos principal + .SH "SYNOPSIS" +-ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ] ++ipa\-getkeytab \fB\-p\fR \fIprincipal\-name\fR \fB\-k\fR \fIkeytab\-file\fR [ \fB\-e\fR \fIencryption\-types\fR ] [ \fB\-s\fR \fIipaserver\fR ] [ \fB\-q\fR ] [ \fB\-D\fR|\fB\-\-binddn\fR \fIBINDDN\fR ] [ \fB\-w|\-\-bindpw\fR ] [ \fB-W\fR ] [ \fB\-P\fR|\fB\-\-password\fR \fIPASSWORD\fR ] [ \fB\-\-cacert \fICACERT\fR ] [ \fB\-H|\-\-ldapuri \fIURI\fR ] [ \fB\-Y|\-\-mech \fIGSSAPI|EXTERNAL\fR ] [ \fB\-r\fR ] + + .SH "DESCRIPTION" + Retrieves a Kerberos \fIkeytab\fR. +@@ -44,7 +44,7 @@ provided, so the principal name is just the service + name and hostname (ldap/foo.example.com from the + example above). + +-ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. 
It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR and \fB\-w|\-\-bindpw\fR options are used for this authentication. ++ipa-getkeytab is used during IPA client enrollment to retrieve a host service principal and store it in /etc/krb5.keytab. It is possible to retrieve the keytab without Kerberos credentials if the host was pre\-created with a one\-time password. The keytab can be retrieved by binding as the host and authenticating with this one\-time password. The \fB\-D|\-\-binddn\fR \fB\-w|\-\-bindpw\fR options are used for this authentication. \fB-W\fR can be used instead of \fB\-w|\-\-bindpw\fR to interactively prompt for the bind password. + + \fBWARNING:\fR retrieving the keytab resets the secret for the Kerberos principal. + This renders all other keytabs for that principal invalid. +@@ -98,11 +98,14 @@ DES cbc mode with RSA\-MD4 + Use this password for the key instead of one randomly generated. + .TP + \fB\-D, \-\-binddn\fR +-The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR option. ++The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR or \fB\-W\fR options. + .TP + \fB\-w, \-\-bindpw\fR + The LDAP password to use when not binding with Kerberos. \fB\-D\fR and \fB\-w\fR can not be used together with \fB\-Y\fR. + .TP ++\fB\-W\fR ++Interactive prompt for the bind password. \fB\-D\fR and \fB\-W\fR can not be used together with \fB\-Y\fR ++.TP + \fB\-\-cacert\fR + The path to the IPA CA certificate used to validate LDAPS/STARTTLS connections. + Defaults to /etc/ipa/ca.crt +-- +2.25.2 + diff --git a/SOURCES/0001-extdom-unify-error-code-handling.patch b/SOURCES/0001-extdom-unify-error-code-handling.patch deleted file mode 100644 index b2f6f72..0000000 
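Review bot: The return value of `krb5_prompter_posix()` is still ignored in the reworked `ask_password()` (inner hunk `@@ -634,24 +643,27 @@` of `client/ipa-getkeytab.c`), so if the prompt fails or hits EOF the code goes on to `strcmp()` and, presumably, copy an uninitialised `pw0`, and with the new `-W` option that garbage becomes the LDAP bind password. Capture the error and bail out: `krb5_error_code kerr = krb5_prompter_posix(krbctx, NULL, NULL, NULL, num_prompts, ap_prompts);` followed by `if (kerr) { fprintf(stderr, _("Failed to read password\n")); return NULL; }`. Initialising the buffers (`char pw0[256] = {0};`, likewise `pw1`) would additionally keep the `strcmp()` well-defined on that path. The tail of `ask_password()` that turns `pw0` into the returned string lies outside the hunk, so whether the stack copies are wiped afterwards cannot be judged here; `prompt1`/`prompt2` are only read and could be declared `const char *`.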
--- a/SOURCES/0001-extdom-unify-error-code-handling.patch
+++ /dev/null
@@ -1,352 +0,0 @@ -From 574a615e61ca74b08e2bd7e1e820757f88150418 Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Fri, 14 Jun 2019 11:13:54 +0200 -Subject: [PATCH 1/2] extdom: unify error code handling especially - LDAP_NO_SUCH_OBJECT - -A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to -remove the searched object from the cache. As a consequence -LDAP_NO_SUCH_OBJECT should only be returned if the object really does -not exists otherwise the data of existing objects might be removed form -the cache of the clients causing unexpected behaviour like -authentication errors. - -Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code. -With this patch LDAP_NO_SUCH_OBJECT is only returned if the related -lookup functions return ENOENT. Timeout related error code will lead to -LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default -error code. - -Fixes: https://pagure.io/freeipa/issue/8044 -Reviewed-By: Alexander Bokovoy ---- - .../ipa-extdom-extop/back_extdom_sss_idmap.c | 4 +- - .../ipa-extdom-extop/ipa_extdom_common.c | 77 ++++++++++++++----- - .../ipa-extdom-extop/ipa_extdom_extop.c | 2 + - 3 files changed, 61 insertions(+), 22 deletions(-) - -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c -index 89c58ca2d..64b90e3ae 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c -@@ -47,10 +47,10 @@ static enum nss_status __convert_sss_nss2nss_status(int errcode) { - return NSS_STATUS_SUCCESS; - case ENOENT: - return NSS_STATUS_NOTFOUND; -- case ETIME: -- /* fall-through */ - case ERANGE: - return NSS_STATUS_TRYAGAIN; -+ case ETIME: -+ /* fall-through */ - case ETIMEDOUT: - /* fall-through */ - default: -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c 
b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c -index 1b93dce18..134b62377 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c -@@ -523,7 +523,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, - if (strcasecmp(locat+1, domain_name) == 0 ) { - locat[0] = '\0'; - } else { -- ret = LDAP_NO_SUCH_OBJECT; -+ ret = LDAP_INVALID_SYNTAX; - goto done; - } - } -@@ -568,10 +568,12 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, - ret = getgrgid_r_wrapper(ctx, - groups[c], &grp, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -634,7 +636,7 @@ int pack_ber_group(enum response_types response_type, - if (strcasecmp(locat+1, domain_name) == 0 ) { - locat[0] = '\0'; - } else { -- ret = LDAP_NO_SUCH_OBJECT; -+ ret = LDAP_INVALID_SYNTAX; - goto done; - } - } -@@ -836,6 +838,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, - || id_type == SSS_ID_TYPE_BOTH)) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup SID by UID"); - ret = LDAP_OPERATIONS_ERROR; -@@ -847,10 +851,12 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, - } else { - ret = getpwuid_r_wrapper(ctx, uid, &pwd, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -862,6 +868,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, - 
set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -907,6 +915,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx, - if (ret != 0 || id_type != SSS_ID_TYPE_GID) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup SID by GID"); - ret = LDAP_OPERATIONS_ERROR; -@@ -918,10 +928,12 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx, - } else { - ret = getgrgid_r_wrapper(ctx, gid, &grp, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -933,6 +945,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx, - set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -976,6 +990,8 @@ static int handle_cert_request(struct ipa_extdom_ctx *ctx, - if (ret != 0) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup name by certificate"); - ret = LDAP_OPERATIONS_ERROR; -@@ -1020,6 +1036,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - if (ret != 0) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup name by SID"); - ret = 
LDAP_OPERATIONS_ERROR; -@@ -1057,10 +1075,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - case SSS_ID_TYPE_BOTH: - ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -1072,6 +1092,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -1089,10 +1111,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - case SSS_ID_TYPE_GID: - ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -1104,6 +1128,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, - set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -1167,6 +1193,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - if (ret != 0) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to lookup SID by name"); - ret = LDAP_OPERATIONS_ERROR; -@@ -1190,6 +1218,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - 
set_err_msg(req, "Failed to read original data"); - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - ret = LDAP_OPERATIONS_ERROR; - } -@@ -1205,6 +1235,9 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - } else if (ret == ENOMEM || ret == ERANGE) { - ret = LDAP_OPERATIONS_ERROR; - goto done; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ goto done; - } else { /* no user entry found */ - /* according to the getpwnam() man page there are a couple of - * error codes which can indicate that the user was not found. To -@@ -1212,10 +1245,12 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - * errors. */ - ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len); - if (ret != 0) { -- if (ret == ENOMEM || ret == ERANGE) { -- ret = LDAP_OPERATIONS_ERROR; -- } else { -+ if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; -+ } else { -+ ret = LDAP_OPERATIONS_ERROR; - } - goto done; - } -@@ -1226,6 +1261,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, - || id_type == SSS_ID_TYPE_BOTH)) { - if (ret == ENOENT) { - ret = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == ETIMEDOUT || ret == ETIME) { -+ ret = LDAP_TIMELIMIT_EXCEEDED; - } else { - set_err_msg(req, "Failed to read original data"); - ret = LDAP_OPERATIONS_ERROR; -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c -index 10d3f86eb..48fcecc1e 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c -@@ -242,6 +242,8 @@ static int ipa_extdom_extop(Slapi_PBlock *pb) - if (ret != LDAP_SUCCESS) { - if (ret == LDAP_NO_SUCH_OBJECT) { - rc = LDAP_NO_SUCH_OBJECT; -+ } else if (ret == LDAP_TIMELIMIT_EXCEEDED) { -+ rc = 
LDAP_TIMELIMIT_EXCEEDED; - } else { - rc = LDAP_OPERATIONS_ERROR; - err_msg = "Failed to handle the request.\n"; --- -2.21.0 - - -From 387ed98e59ba4df8d3fd435cfc84f055970c064e Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Mon, 19 Aug 2019 10:15:50 +0300 -Subject: [PATCH 2/2] ipa-extdom-extop: test timed out getgrgid_r - -Simulate getgrgid_r() timeout when packing list of groups user is a -member of in pack_ber_user(). - -Related: https://pagure.io/freeipa/issue/8044 -Reviewed-By: Alexander Bokovoy ---- - .../ipa_extdom_cmocka_tests.c | 29 +++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c -index 29699cfa3..1fa4c6af8 100644 ---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c -+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c -@@ -493,6 +493,34 @@ void test_set_err_msg(void **state) - #define TEST_SID "S-1-2-3-4" - #define TEST_DOMAIN_NAME "DOMAIN" - -+/* Always time out for test */ -+static -+enum nss_status getgrgid_r_timeout(gid_t gid, struct group *result, -+ char *buffer, size_t buflen, int *errnop) { -+ return NSS_STATUS_UNAVAIL; -+} -+ -+void test_pack_ber_user_timeout(void **state) -+{ -+ int ret; -+ struct berval *resp_val = NULL; -+ struct test_data *test_data; -+ enum nss_status (*oldgetgrgid_r)(gid_t gid, struct group *result, -+ char *buffer, size_t buflen, int *errnop); -+ -+ test_data = (struct test_data *) *state; -+ -+ oldgetgrgid_r = test_data->ctx->nss_ctx->getgrgid_r; -+ test_data->ctx->nss_ctx->getgrgid_r = getgrgid_r_timeout; -+ -+ ret = pack_ber_user(test_data->ctx, RESP_USER_GROUPLIST, -+ TEST_DOMAIN_NAME, "member001", 12345, 54321, -+ "gecos", "homedir", "shell", NULL, &resp_val); -+ test_data->ctx->nss_ctx->getgrgid_r = oldgetgrgid_r; -+ assert_int_equal(ret, LDAP_TIMELIMIT_EXCEEDED); -+ ber_bvfree(resp_val); -+} -+ - char 
res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 0x53, 0x2d, 0x31, \ - 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; - char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \ -@@ -614,6 +642,7 @@ void test_decode(void **state) - int main(int argc, const char *argv[]) - { - const struct CMUnitTest tests[] = { -+ cmocka_unit_test(test_pack_ber_user_timeout), - cmocka_unit_test(test_getpwnam_r_wrapper), - cmocka_unit_test(test_getpwuid_r_wrapper), - cmocka_unit_test(test_getgrnam_r_wrapper), --- -2.21.0 - diff --git a/SOURCES/0002-CVE-2020-1722-prevent-use-of-too-long-passwords.patch b/SOURCES/0002-CVE-2020-1722-prevent-use-of-too-long-passwords.patch new file mode 100644 index 0000000..8b9bf10 --- /dev/null +++ b/SOURCES/0002-CVE-2020-1722-prevent-use-of-too-long-passwords.patch 
@@ -0,0 +1,428 @@ +From a8611e205bfe7b7538523ec492069987f5d7de64 Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Wed, 8 Apr 2020 15:00:38 +0300 +Subject: [PATCH] CVE-2020-1722: prevent use of too long passwords + +NIST SP 800-63-3B sets a recommendation to have password length upper bound limited in A.2: + +https://pages.nist.gov/800-63-3/sp800-63b.html#appA + + Users should be encouraged to make their passwords as lengthy as they + want, within reason. Since the size of a hashed password is independent + of its length, there is no reason not to permit the use of lengthy + passwords (or pass phrases) if the user wishes. Extremely long passwords + (perhaps megabytes in length) could conceivably require excessive + processing time to hash, so it is reasonable to have some limit. + +FreeIPA already applied 256 characters limit for non-random passwords +set through ipa-getkeytab tool. The limit was not, however, enforced in +other places. + +MIT Kerberos limits the length of the password to 1024 characters in its +tools. However, these tools (kpasswd and 'cpw' command of kadmin) do not +differentiate between a password larger than 1024 and a password of 1024 +characters. As a result, longer passwords are silently cut off. + +To prevent silent cut off for user passwords, use limit of 1000 +characters. 
+ +Thus, this patch enforces common limit of 1000 characters everywhere: + - LDAP-based password changes + - LDAP password change control + - LDAP ADD and MOD operations on clear-text userPassword + - Keytab setting with ipa-getkeytab + - Kerberos password setting and changing + +Fixes: https://pagure.io/freeipa/issue/8268 + +Signed-off-by: Alexander Bokovoy +Signed-off-by: Rob Crittenden +Reviewed-by: Simo Sorce +Reviewed-By: Simo Sorce +--- + client/ipa-getkeytab.c | 19 ++++- + client/man/ipa-getkeytab.1 | 2 +- + daemons/ipa-kdb/ipa_kdb_passwords.c | 6 ++ + .../ipa-slapi-plugins/ipa-pwd-extop/common.c | 9 +++ + .../ipa-pwd-extop/ipa_pwd_extop.c | 13 +++ + .../ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 1 + + .../ipa-slapi-plugins/ipa-pwd-extop/prepost.c | 29 ++++++- + ipatests/test_integration/test_commands.py | 79 +++++++++++++++++++ + util/ipa_krb5.c | 18 +++++ + util/ipa_krb5.h | 3 + + 10 files changed, 171 insertions(+), 8 deletions(-) + +diff --git a/client/ipa-getkeytab.c b/client/ipa-getkeytab.c +index 8a5e98bed1947344247f9d6146e595d5f7f7a963..b174093d3762f8a6bfa27045bed393c2cd422fe0 100644 +--- a/client/ipa-getkeytab.c ++++ b/client/ipa-getkeytab.c +@@ -633,6 +633,11 @@ done: + * set match=true to enforce that the two entered passwords match. + * + * To prompt for an existing password provide prompt1 and set match=false. ++ * ++ * Implementation details: ++ * krb5_prompter_posix() does not differentiate between too long entry or ++ * an entry exactly the size of a buffer. Thus, allocate a bigger buffer ++ * and do the check for a too long password afterwards. 
+ */ + static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2, + bool match) +@@ -640,8 +645,10 @@ static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2, + krb5_prompt ap_prompts[2]; + krb5_data k5d_pw0; + krb5_data k5d_pw1; +- char pw0[256]; +- char pw1[256]; ++#define MAX(a,b) (((a)>(b))?(a):(b)) ++#define PWD_BUFFER_SIZE MAX((IPAPWD_PASSWORD_MAX_LEN + 2), 1024) ++ char pw0[PWD_BUFFER_SIZE]; ++ char pw1[PWD_BUFFER_SIZE]; + char *password; + int num_prompts = match ? 2:1; + +@@ -664,7 +671,12 @@ static char *ask_password(krb5_context krbctx, char *prompt1, char *prompt2, + num_prompts, ap_prompts); + + if (match && (strcmp(pw0, pw1))) { +- fprintf(stderr, _("Passwords do not match!")); ++ fprintf(stderr, _("Passwords do not match!\n")); ++ return NULL; ++ } ++ ++ if (k5d_pw0.length > IPAPWD_PASSWORD_MAX_LEN) { ++ fprintf(stderr, "%s\n", ipapwd_password_max_len_errmsg); + return NULL; + } + +@@ -1017,6 +1029,7 @@ int main(int argc, const char *argv[]) + } + + fprintf(stderr, _("Failed to create key material\n")); ++ free_keys_contents(krbctx, &keys); + exit(8); + } + +diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 +index 6e7fdf39ee4e28772365edafd4c7e86d0c37d343..21ba651c4ac78d09bc57d498b38591fdbfd1d151 100644 +--- a/client/man/ipa-getkeytab.1 ++++ b/client/man/ipa-getkeytab.1 +@@ -95,7 +95,7 @@ DES cbc mode with RSA\-MD5 + DES cbc mode with RSA\-MD4 + .TP + \fB\-P, \-\-password\fR +-Use this password for the key instead of one randomly generated. ++Use this password for the key instead of one randomly generated. The length of the password is limited by 1024 characters. Note that MIT Kerberos also limits passwords entered through kpasswd and kadmin commands to the same length. + .TP + \fB\-D, \-\-binddn\fR + The LDAP DN to bind as when retrieving a keytab without Kerberos credentials. Generally used with the \fB\-w\fR or \fB\-W\fR options. 
+diff --git a/daemons/ipa-kdb/ipa_kdb_passwords.c b/daemons/ipa-kdb/ipa_kdb_passwords.c +index a3d4fe2436da60d081040754780d3e815acb1473..9362f4305d9973004a8c890540b5fa1622de772b 100644 +--- a/daemons/ipa-kdb/ipa_kdb_passwords.c ++++ b/daemons/ipa-kdb/ipa_kdb_passwords.c +@@ -80,6 +80,12 @@ static krb5_error_code ipadb_check_pw_policy(krb5_context context, + return EINVAL; + } + ++ if (strlen(passwd) > IPAPWD_PASSWORD_MAX_LEN) { ++ krb5_set_error_message(context, E2BIG, "%s", ++ ipapwd_password_max_len_errmsg); ++ return E2BIG; ++ } ++ + ied->passwd = strdup(passwd); + if (!ied->passwd) { + return ENOMEM; +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +index ba5c54e58e9b0b5dcc657d88c530c237e321495c..716b71333050f1d05063289f9890918b86ddb108 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/common.c +@@ -1087,3 +1087,12 @@ void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg) + *cfg = NULL; + }; + ++int ipapwd_check_max_pwd_len(size_t len, char **errMesg) { ++ if (len > IPAPWD_PASSWORD_MAX_LEN) { ++ LOG("%s\n", ipapwd_password_max_len_errmsg); ++ *errMesg = ipapwd_password_max_len_errmsg; ++ return LDAP_CONSTRAINT_VIOLATION; ++ } ++ return 0; ++} ++ +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +index f92706810d875cc6c7d8bc7a676c13ecc5d50e54..be413742cd2d54ab8bc7c51e6600b3dbbd26cec7 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c +@@ -318,6 +318,11 @@ parse_req_done: + goto free_and_return; + } + ++ rc = ipapwd_check_max_pwd_len(strlen(newPasswd), &errMesg); ++ if (rc) { ++ goto free_and_return; ++ } ++ + if (oldPasswd == NULL || *oldPasswd == '\0') { + /* If user is authenticated, they already gave their password during + the bind operation (or used sasl or client cert auth or OS 
creds) */ +@@ -1661,6 +1666,14 @@ static int ipapwd_getkeytab(Slapi_PBlock *pb, struct ipapwd_krbcfg *krbcfg) + + } else { + ++ if (password != NULL) { ++ /* if password was passed-in, check its length */ ++ rc = ipapwd_check_max_pwd_len(strlen(password), &err_msg); ++ if (rc) { ++ goto free_and_return; ++ } ++ } ++ + /* check if we are allowed to *write* keys */ + acl_ok = is_allowed_to_access_attr(pb, bind_dn, target_entry, + WRITEKEYS_OP_CHECK, NULL, +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +index 31c76b3f1a3854a5126bf6c7bbb9bf7b3bcf02e7..5a49fa7e6c787f15b641da794ec5ee3e7a525292 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h +@@ -133,6 +133,7 @@ int ipapwd_set_extradata(const char *dn, + time_t unixtime); + void ipapwd_free_slapi_value_array(Slapi_Value ***svals); + void free_ipapwd_krbcfg(struct ipapwd_krbcfg **cfg); ++int ipapwd_check_max_pwd_len(size_t len, char **errMesg); + + /* from encoding.c */ + struct ipapwd_keyset { +diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +index 001f615ecdb87ac62fe237d5d9a932f0292c2e24..04cd2b10f3ba4375e6a278afe87cbd9d257d528f 100644 +--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c ++++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +@@ -278,6 +278,10 @@ static int ipapwd_pre_add(Slapi_PBlock *pb) + rc = LDAP_CONSTRAINT_VIOLATION; + slapi_ch_free_string(&userpw); + } else { ++ rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg); ++ if (rc) { ++ goto done; ++ } + userpw = slapi_ch_strdup(userpw_clear); + } + +@@ -560,6 +564,11 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) + goto done; + } + bv = lmod->mod_bvalues[0]; ++ ++ rc = ipapwd_check_max_pwd_len(bv->bv_len, &errMesg); ++ if (rc) { ++ goto done; ++ } + slapi_ch_free_string(&unhashedpw); + unhashedpw = slapi_ch_malloc(bv->bv_len+1); + if 
(!unhashedpw) { +@@ -782,7 +791,12 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) + if (! unhashedpw && (gen_krb_keys || is_smb || is_ipant)) { + if ((userpw != NULL) && ('{' == userpw[0])) { + if (0 == strncasecmp(userpw, "{CLEAR}", strlen("{CLEAR}"))) { +- unhashedpw = slapi_ch_strdup(&userpw[strlen("{CLEAR}")]); ++ const char *userpw_clear = &userpw[strlen("{CLEAR}")]; ++ rc = ipapwd_check_max_pwd_len(strlen(userpw_clear), &errMesg); ++ if (rc) { ++ goto done; ++ } ++ unhashedpw = slapi_ch_strdup(userpw_clear); + if (NULL == unhashedpw) { + LOG_OOM(); + rc = LDAP_OPERATIONS_ERROR; +@@ -1416,6 +1430,8 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) + time_t expire_time; + char *principal_expire = NULL; + struct tm expire_tm; ++ int rc = LDAP_INVALID_CREDENTIALS; ++ char *errMesg = NULL; + + /* get BIND parameters */ + ret |= slapi_pblock_get(pb, SLAPI_BIND_TARGET_SDN, &target_sdn); +@@ -1477,8 +1493,14 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb) + goto invalid_creds; + + /* Ensure that there is a password. */ +- if (credentials->bv_len == 0) ++ if (credentials->bv_len == 0) { + goto invalid_creds; ++ } else { ++ rc = ipapwd_check_max_pwd_len(credentials->bv_len, &errMesg); ++ if (rc) { ++ goto invalid_creds; ++ } ++ } + + /* Authenticate the user. 
*/
+ ret = ipapwd_authenticate(dn, entry, credentials);
+@@ -1502,8 +1524,7 @@ static int ipapwd_pre_bind(Slapi_PBlock *pb)
+ invalid_creds:
+ slapi_entry_free(entry);
+ slapi_sdn_free(&sdn);
+- slapi_send_ldap_result(pb, LDAP_INVALID_CREDENTIALS,
+- NULL, NULL, 0, NULL);
++ slapi_send_ldap_result(pb, rc, NULL, errMesg, 0, NULL);
+ return 1;
+ }
+ 
+diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
+index a14a324ec2db26400aa67d2fc61f9c30b9b1d045..715a1f1a8f4105a470cc6f205a6bb9bc9db030e0 100644
+--- a/ipatests/test_integration/test_commands.py
++++ b/ipatests/test_integration/test_commands.py
+@@ -33,6 +33,7 @@ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.pytest_ipa.integration import tasks
+ from ipaplatform.tasks import tasks as platform_tasks
+ from ipatests.pytest_ipa.integration.create_external_ca import ExternalCA
++from ipapython.ipautil import ipa_generate_password
+ 
+ logger = logging.getLogger(__name__)
+ 
+@@ -337,6 +338,84 @@ class TestIPACommand(IntegrationTest):
+ except CalledProcessError:
+ pytest.fail("Password change failed when it should not")
+ 
++ def test_huge_password(self):
++ user = 'toolonguser'
++ hostname = 'toolong.{}'.format(self.master.domain.name)
++ huge_password = ipa_generate_password(min_len=1536)
++ original_passwd = 'Secret123'
++ master = self.master
++ base_dn = str(master.domain.basedn) # pylint: disable=no-member
++
++ # Create a user with a password that is too long
++ tasks.kinit_admin(master)
++ add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password)
++ result = master.run_command(['ipa', 'user-add', user,
++ '--first', user,
++ '--last', user,
++ '--password'],
++ stdin_text=add_password_stdin_text,
++ raiseonerr=False)
++ assert result.returncode != 0
++
++ # Try again with a normal password
++ add_password_stdin_text = "{pwd}\n{pwd}".format(pwd=original_passwd)
++ master.run_command(['ipa', 'user-add', user,
++ '--first', user,
++ '--last', user,
++ '--password'],
++ stdin_text=add_password_stdin_text)
++
++ # kinit as that user in order to modify the pwd
++ user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n".format(
++ old=original_passwd,
++ new=original_passwd)
++ master.run_command(['kinit', user], stdin_text=user_kinit_stdin_text)
++ # sleep 1 sec (krblastpwdchange and krbpasswordexpiration have at most
++ # a 1s precision)
++ time.sleep(1)
++ # perform ldapmodify on userpassword as dir mgr
++ entry_ldif = textwrap.dedent("""
++ dn: uid={user},cn=users,cn=accounts,{base_dn}
++ changetype: modify
++ replace: userpassword
++ userpassword: {new_passwd}
++ """).format(
++ user=user,
++ base_dn=base_dn,
++ new_passwd=huge_password)
++
++ result = tasks.ldapmodify_dm(master, entry_ldif, raiseonerr=False)
++ assert result.returncode != 0
++
++ # ask_password in ipa-getkeytab will complain about too long password
++ keytab_file = os.path.join(self.master.config.test_dir,
++ 'user.keytab')
++ password_stdin_text = "{pwd}\n{pwd}".format(pwd=huge_password)
++ result = self.master.run_command(['ipa-getkeytab',
++ '-p', user,
++ '-P',
++ '-k', keytab_file,
++ '-s', self.master.hostname],
++ stdin_text=password_stdin_text,
++ raiseonerr=False)
++ assert result.returncode != 0
++ assert "clear-text password is too long" in result.stderr_text
++
++ # Create a host with a user-set OTP that is too long
++ tasks.kinit_admin(master)
++ result = master.run_command(['ipa', 'host-add', '--force',
++ hostname,
++ '--password', huge_password],
++ raiseonerr=False)
++ assert result.returncode != 0
++
++ # Try again with a valid password
++ result = master.run_command(['ipa', 'host-add', '--force',
++ hostname,
++ '--password', original_passwd],
++ raiseonerr=False)
++ assert result.returncode == 0
++
+ def test_change_selinuxusermaporder(self):
+ """
+ An update file meant to ensure a more sane default was
+diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
+index c09c3daa505655f2e5292a79c03683faa75ad244..1ba6d25eecb27935ffb14923015f08745aad20fe 100644
+--- a/util/ipa_krb5.c
++++ b/util/ipa_krb5.c
+@@ -31,6 +31,13 @@
+ 
+ #include "ipa_krb5.h"
+ 
++#define TOSTR(x) STR(x)
++#define STR(x) #x
++const char *ipapwd_password_max_len_errmsg = \
++ "clear-text password is too long (max " \
++ TOSTR(IPAPWD_PASSWORD_MAX_LEN) \
++ " chars)!";
++
+ /* Salt types */
+ #define KRB5P_SALT_SIZE 16
+ 
+@@ -125,6 +132,13 @@ krb5_error_code ipa_krb5_generate_key_data(krb5_context krbctx,
+ int num_keys;
+ int i;
+ 
++ if ((pwd.data != NULL) && (pwd.length > IPAPWD_PASSWORD_MAX_LEN)) {
++ kerr = E2BIG;
++ krb5_set_error_message(krbctx, kerr, "%s",
++ ipapwd_password_max_len_errmsg);
++ return kerr;
++ }
++
+ num_keys = num_encsalts;
+ keys = calloc(num_keys, sizeof(krb5_key_data));
+ if (!keys) {
+@@ -970,6 +984,10 @@ int create_keys(krb5_context krbctx,
+ if (password) {
+ key_password.data = password;
+ key_password.length = strlen(password);
++ if (key_password.length > IPAPWD_PASSWORD_MAX_LEN) {
++ *err_msg = _("Password is too long!\n");
++ return 0;
++ }
+ 
+ realm = krb5_princ_realm(krbctx, princ);
+ }
+diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
+index b039c1a7f3d0bc215376f8f1dd2ac93e75a0c626..8392a85b6740ece1ba7085a4733ea0f2f6b1fe64 100644
+--- a/util/ipa_krb5.h
++++ b/util/ipa_krb5.h
+@@ -30,6 +30,9 @@ struct keys_container {
+ #define KEYTAB_RET_OID "2.16.840.1.113730.3.8.10.2"
+ #define KEYTAB_GET_OID "2.16.840.1.113730.3.8.10.5"
+ 
++#define IPAPWD_PASSWORD_MAX_LEN 1000
++extern const char *ipapwd_password_max_len_errmsg;
++
+ int krb5_klog_syslog(int, const char *, ...);
+ 
+ void
+-- 
+2.25.2
+
diff --git a/SOURCES/0002-Use-unicode-strings-for-Python-2-version.patch b/SOURCES/0002-Use-unicode-strings-for-Python-2-version.patch
deleted file mode 100644
index 394dd1b..0000000
--- a/SOURCES/0002-Use-unicode-strings-for-Python-2-version.patch
+++ /dev/null
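Review bot: In `user_kinit_stdin_text = "{old}\n%{new}\n%{new}\n"` the `%` is not a format directive, so kinit receives `%Secret123` as the new password twice while `new=original_passwd` reads as if the old value were meant to be kept. If the leading `%` is deliberate (forcing the new password to differ from the old one at the change prompt), a short comment should say so, e.g. `# prefix '%' so the new password differs from the old one`; otherwise it is a typo and should be dropped. Nothing later in the test depends on that user's Kerberos password (the ipa-getkeytab step feeds huge_password and the host steps kinit as admin), so the assertions pass either way, which is exactly why the intent needs to be stated.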
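Review bot: The over-long check in create_keys reports a plain `Password is too long!\n` while ipa_krb5_generate_key_data, two hunks earlier, reports `ipapwd_password_max_len_errmsg`, which names the limit; the same condition should yield the same message so the caller learns the maximum whichever path rejects it. If `err_msg` accepts a `const char *`, `*err_msg = ipapwd_password_max_len_errmsg;` keeps the two in step; if it must stay translatable via `_()`, build the literal with `TOSTR(IPAPWD_PASSWORD_MAX_LEN)` the same way the shared string does. The check sits inside `if (password)` so `key_password.length` is already set when it runs, but `return 0` as the failure value and the rest of create_keys are outside this hunk, so I am assuming 0 is the established error return of this function.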
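Review bot: `#define IPAPWD_PASSWORD_MAX_LEN 1000` lands in the header with no comment on what it bounds or why 1000, yet it is now enforced at independent points (ipa_krb5_generate_key_data and create_keys in this patch, and presumably the LDAP bind pre-op whose rc/errMesg change appears earlier). A comment such as `/* Maximum accepted clear-text password length (bytes) for key derivation; enforced in ipa_krb5_generate_key_data and create_keys -- every check on this constant must agree */` would keep future edits consistent. The bind pre-op and the ipa-getkeytab prompt are only partly visible here, so I am inferring those additional uses from the surrounding hunks rather than stating them as fact.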
@@ -1,26 +0,0 @@ -From 56b3c4cf7cab07410e026ce695667a2aa0c4ce2d Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Fri, 23 Aug 2019 11:49:53 +0300 -Subject: [PATCH] Use unicode strings for Python 2 version - -Related: https://pagure.io/freeipa/issue/6951 ---- - ipaserver/install/adtrustinstance.py | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py -index 804a04530..67dadf9b9 100644 ---- a/ipaserver/install/adtrustinstance.py -+++ b/ipaserver/install/adtrustinstance.py -@@ -131,7 +131,7 @@ def map_Guests_to_nobody(): - - - def get_idmap_range(realm): -- idrange = api.Command.idrange_show('{}_id_range'.format(realm))['result'] -+ idrange = api.Command.idrange_show(u'{}_id_range'.format(realm))['result'] - range_start = int(idrange['ipabaseid'][0]) - range_size = int(idrange['ipaidrangesize'][0]) - range_fmt = '{} - {}'.format(range_start, range_start + range_size) --- -2.21.0 - diff --git a/SOURCES/0003-ipa_sam-remove-dependency-to-talloc_strackframe.h.patch b/SOURCES/0003-ipa_sam-remove-dependency-to-talloc_strackframe.h.patch deleted file mode 100644 index 2b19a07..0000000 --- a/SOURCES/0003-ipa_sam-remove-dependency-to-talloc_strackframe.h.patch +++ /dev/null 
@@ -1,76 +0,0 @@ -From 5cceb47667c0665629bb474f73be1d2d8f1e1b5b Mon Sep 17 00:00:00 2001 -From: Sumit Bose -Date: Tue, 19 Feb 2019 12:30:40 +0100 -Subject: [PATCH] ipa_sam: remove dependency to talloc_strackframe.h -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Recent Samba versions removed some header files which did include -non-public APIs. As a result talloc_strackframe.h and memory.h (for -SAFE_FREE) are not available anymore. This patch replaces the use of the -non-public APIs with public ones. - -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden -Reviewed-By: François Cami -(cherry picked from commit d1f5ed64e16d65b9df45cc0eac7d2724dcae7b67) ---- - daemons/ipa-sam/ipa_sam.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c -index 2251f3ddc..755f44d68 100644 ---- a/daemons/ipa-sam/ipa_sam.c -+++ b/daemons/ipa-sam/ipa_sam.c -@@ -19,7 +19,6 @@ - #include - #include - #include --#include - - #ifndef _SAMBA_UTIL_H_ - bool trim_string(char *s, const char *front, const char *back); -@@ -881,9 +880,13 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid, - struct dom_sid *user_sid = NULL; - int rc; - enum idmap_error_code err; -- TALLOC_CTX *tmp_ctx = talloc_stackframe(); - struct unixid id; - -+ TALLOC_CTX *tmp_ctx = talloc_new(priv); -+ if (tmp_ctx == NULL) { -+ goto done; -+ } -+ - /* Fast fail if we get a request for uidNumber=0 because it currently - * will never exist in the directory - * Saves an expensive LDAP call of which failure will never be cached -@@ -968,9 +971,13 @@ static bool ipasam_gid_to_sid(struct pdb_methods *methods, gid_t gid, - size_t c; - int rc; - enum idmap_error_code err; -- TALLOC_CTX *tmp_ctx = talloc_stackframe(); - struct unixid id; - -+ TALLOC_CTX *tmp_ctx = talloc_new(priv); -+ if (tmp_ctx == NULL) { -+ goto done; -+ } -+ - filter = talloc_asprintf(tmp_ctx, - 
"(|(&(gidNumber=%u)" - "(objectClass=%s))" -@@ -3749,7 +3756,8 @@ static void ipasam_free_private_data(void **vp) - (*ipasam_state)->result = NULL; - } - if ((*ipasam_state)->domain_dn != NULL) { -- SAFE_FREE((*ipasam_state)->domain_dn); -+ free((*ipasam_state)->domain_dn); -+ (*ipasam_state)->domain_dn = NULL; - } - - *ipasam_state = NULL; --- -2.21.0 - diff --git a/SOURCES/0004-Remove-ZERO_STRUCT-call.patch b/SOURCES/0004-Remove-ZERO_STRUCT-call.patch deleted file mode 100644 index 4568d20..0000000 --- a/SOURCES/0004-Remove-ZERO_STRUCT-call.patch +++ /dev/null @@ -1,37 +0,0 @@ -From f4673e9656c16ff383cc6cf1caf523c913f2d3bd Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Thu, 7 Feb 2019 12:11:42 +0100 -Subject: [PATCH 1/2] Remove ZERO_STRUCT() call - -ipa_sam uses Samba's macro ZERO_STRUCT() to safely zero out a block in -memory. On F30 ZERO_STRUCT() is currently broken, because it uses the -undefined C11 function memset_s(). - -During investigation of the bug, it turned out that -ZERO_STRUCT(td->security_identifier) is not needed. The whole td struct -is allocated with talloc_zero(), so td->security_identifier is already -zeroed. - -See: https://bugzilla.redhat.com/show_bug.cgi?id=1672231 -Signed-off-by: Christian Heimes -Reviewed-By: Alexander Bokovoy -(cherry picked from commit 1355588768c7863234c518196f48527e119740e0) ---- - daemons/ipa-sam/ipa_sam.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c -index 755f44d68..2f78f82f9 100644 ---- a/daemons/ipa-sam/ipa_sam.c -+++ b/daemons/ipa-sam/ipa_sam.c -@@ -2266,7 +2266,6 @@ static bool fill_pdb_trusted_domain(TALLOC_CTX *mem_ctx, - if (dummy == NULL) { - DEBUG(9, ("Attribute %s not present.\n", - LDAP_ATTRIBUTE_TRUST_SID)); -- ZERO_STRUCT(td->security_identifier); - } else { - err = sss_idmap_sid_to_smb_sid(ipasam_state->idmap_ctx, - dummy, &sid); --- -2.21.0 - 
diff --git a/SOURCES/0005-ipasam-use-SID-formatting-calls-to-libsss_idmap.patch b/SOURCES/0005-ipasam-use-SID-formatting-calls-to-libsss_idmap.patch deleted file mode 100644 index 56ee540..0000000 --- a/SOURCES/0005-ipasam-use-SID-formatting-calls-to-libsss_idmap.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From 9cb4436694d2fa5f7a56fa774e5283f0b46cc18f Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Sun, 31 Mar 2019 12:37:21 +0300 -Subject: [PATCH 2/2] ipasam: use SID formatting calls to libsss_idmap - -Samba 4.10 moved away to private libraries two functions we used to -convert a binary SID structre to strings: - - sid_talloc_string() - - sid_string_dbg() - -We already used libsss_idmap to convert textual representation of SIDs -to a binary one, use the reverse function too. - -libsss_idmap code operates on talloc structures, so we need to adopt a -bit a place where sid_string_dbg() was used because it assumed a static -buffer was provided by sid_string_dbg(). - -Finally, sid_talloc_string()'s replacement moves allocated memory to the -right context so that a memory will be freed earlier. Our SSSD idmap -context is a long-living one while in all cases where we were using -sid_talloc_string() we free the context much earlier. - -Resolves: https://pagure.io/freeipa/issue/7893 -Reviewed-By: Christian Heimes -(cherry picked from commit 137af1d2c38925404dc92f70321ac0f5fb1cf5eb) ---- - daemons/ipa-sam/ipa_sam.c | 52 ++++++++++++++++++++++++++++----------- - 1 file changed, 37 insertions(+), 15 deletions(-) - -diff --git a/daemons/ipa-sam/ipa_sam.c b/daemons/ipa-sam/ipa_sam.c -index 2f78f82f9..851cbc39a 100644 ---- a/daemons/ipa-sam/ipa_sam.c -+++ b/daemons/ipa-sam/ipa_sam.c -@@ -104,8 +104,6 @@ enum ndr_err_code ndr_pull_trustAuthInOutBlob(struct ndr_pull *ndr, int ndr_flag - bool sid_check_is_builtin(const struct dom_sid *sid); /* available in libpdb.so */ - /* available in libpdb.so, renamed from sid_check_is_domain() in c43505b621725c9a754f0ee98318d451b093f2ed */ - bool sid_linearize(char *outbuf, size_t len, const struct dom_sid *sid); /* available in libsmbconf.so */ --char *sid_string_talloc(TALLOC_CTX *mem_ctx, const struct dom_sid *sid); /* available in libsmbconf.so */ --char *sid_string_dbg(const struct dom_sid *sid); /* available in 
libsmbconf.so */ - char *escape_ldap_string(TALLOC_CTX *mem_ctx, const char *s); /* available in libsmbconf.so */ - bool secrets_store(const char *key, const void *data, size_t size); /* available in libpdb.so */ - void idmap_cache_set_sid2unixid(const struct dom_sid *sid, struct unixid *unix_id); /* available in libsmbconf.so */ -@@ -261,6 +259,18 @@ static bool sid_compose(struct dom_sid *dst, const struct dom_sid *dom_sid, - return true; - } - -+static char *sid_talloc_string(struct sss_idmap_ctx *ctx, void *final_ctx, const struct dom_sid *dom_sid) -+{ -+ enum idmap_error_code ret; -+ char *result = NULL; -+ ret = sss_idmap_smb_sid_to_sid(ctx, discard_const(dom_sid), &result); -+ if (ret != IDMAP_SUCCESS) { -+ return NULL; -+ } -+ -+ return talloc_move(final_ctx, &result); -+} -+ - static bool is_null_sid(const struct dom_sid *sid) - { - size_t c; -@@ -519,8 +529,18 @@ static bool ldapsam_extract_rid_from_entry(LDAP *ldap_struct, - } - - if (dom_sid_compare_domain(sid, domain_sid) != 0) { -- DEBUG(10, ("SID %s is not in expected domain %s\n", -- str, sid_string_dbg(domain_sid))); -+ char *debug_domain_sid = NULL; -+ err = sss_idmap_smb_sid_to_sid(idmap_ctx, -+ discard_const(domain_sid), -+ &debug_domain_sid); -+ if (err != IDMAP_SUCCESS) { -+ DEBUG(10, ("SID %s is not in expected domain.\n", -+ str)); -+ } else { -+ DEBUG(10, ("SID %s is not in expected domain %s\n", -+ str, debug_domain_sid)); -+ talloc_free(debug_domain_sid); -+ } - res = false; - goto done; - } -@@ -589,7 +609,7 @@ static NTSTATUS ldapsam_lookup_rids(struct pdb_methods *methods, - allsids = talloc_asprintf_append_buffer( - allsids, "(%s=%s)", - LDAP_ATTRIBUTE_SID, -- sid_string_talloc(mem_ctx, &sid)); -+ sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, &sid)); - if (allsids == NULL) { - goto done; - } -@@ -790,7 +810,8 @@ static bool ldapsam_sid_to_id(struct pdb_methods *methods, - filter = talloc_asprintf(mem_ctx, - "(&(%s=%s)" - "(|(objectClass=%s)(objectClass=%s)))", -- 
LDAP_ATTRIBUTE_SID, sid_string_talloc(mem_ctx, sid), -+ LDAP_ATTRIBUTE_SID, -+ sid_talloc_string(priv->idmap_ctx, mem_ctx, sid), - LDAP_OBJ_GROUPMAP, LDAP_OBJ_SAMBASAMACCOUNT); - if (filter == NULL) { - DEBUG(5, ("talloc_asprintf failed\n")); -@@ -936,7 +957,7 @@ static bool ipasam_uid_to_sid(struct pdb_methods *methods, uid_t uid, - err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx, - user_sid_string, &user_sid); - if (err != IDMAP_SUCCESS) { -- DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", -+ DEBUG(3, ("Error creating sid structure for sid '%s'\n", - user_sid_string)); - goto done; - } -@@ -1052,7 +1073,7 @@ found: - err = sss_idmap_sid_to_smb_sid(priv->idmap_ctx, - group_sid_string, &group_sid); - if (err != IDMAP_SUCCESS) { -- DEBUG(3, ("Error calling sid_string_talloc for sid '%s'\n", -+ DEBUG(3, ("Error creating sid structure for sid '%s'\n", - group_sid_string)); - goto done; - } -@@ -1595,11 +1616,11 @@ static bool ipasam_search_grouptype(struct pdb_methods *methods, - state->base = talloc_strdup(search, ipasam_state->base_dn); - state->connection = ipasam_state->ldap_state; - state->scope = LDAP_SCOPE_SUBTREE; -- state->filter = talloc_asprintf(search, "(&(objectclass=%s)" -- "(%s=%s*))", -- LDAP_OBJ_GROUPMAP, -- LDAP_ATTRIBUTE_SID, -- sid_string_talloc(search, sid)); -+ state->filter = talloc_asprintf(search, "(&(objectclass=%s)(%s=%s*))", -+ LDAP_OBJ_GROUPMAP, LDAP_ATTRIBUTE_SID, -+ sid_talloc_string( -+ ipasam_state->idmap_ctx, -+ search, sid)); - state->attrs = talloc_attrs(search, "cn", LDAP_ATTRIBUTE_SID, - "displayName", "description", - NULL); -@@ -2412,7 +2433,7 @@ static NTSTATUS ipasam_get_trusted_domain_by_sid(struct pdb_methods *methods, - char *sid_str; - bool ok; - -- sid_str = sid_string_talloc(mem_ctx, sid); -+ sid_str = sid_talloc_string(ipasam_state->idmap_ctx, mem_ctx, sid); - if (sid_str == NULL) { - return NT_STATUS_NO_MEMORY; - } -@@ -2593,7 +2614,8 @@ static NTSTATUS ipasam_set_trusted_domain(struct pdb_methods *methods, 
- if (!is_null_sid(&td->security_identifier)) { - smbldap_make_mod(priv2ld(ipasam_state), entry, &mods, - LDAP_ATTRIBUTE_TRUST_SID, -- sid_string_talloc(tmp_ctx, &td->security_identifier)); -+ sid_talloc_string(ipasam_state->idmap_ctx, -+ tmp_ctx, &td->security_identifier)); - } - - if (td->trust_type != 0) { --- -2.21.0 - diff --git a/SOURCES/0006-user-stage-transfer-all-attributes-from-preserved-to.patch b/SOURCES/0006-user-stage-transfer-all-attributes-from-preserved-to.patch deleted file mode 100644 index a5276e5..0000000 --- a/SOURCES/0006-user-stage-transfer-all-attributes-from-preserved-to.patch +++ /dev/null 
@@ -1,104 +0,0 @@ -From 5731aa2850d150a90ad84ce5492cd5d8b154e413 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Tue, 23 Jul 2019 09:31:53 +0200 -Subject: [PATCH] user-stage: transfer all attributes from preserved to stage - user - -The user-stage command is internally implemented as: -- user_show(all=True) in order to read the user attributes -- loop on the attributes defined as possible to add using stageuser-add and -transform them into new options for stageuser_add (for instance stageuser-add -provides the option --shell for the attribute loginshell, but there is no -option for the attribute businesscategory). -- call stageuser_add in order to create a new entry in the active users subtree -- user-del to remove the previous entry in the staged users subtree - -The issue is in the 2nd step. Only the attributes with a stageuser-add option -are processed. -The logic of the code should be slightly modified, so that all the attributes -read in the first step are processed: -- if they correspond to an option of stageuser-add, process them like it's -currently done. For instance if the entry contains displayname, then it -should be processed as --displayName=value in the stageuser-add cmd -- if they do not correspond to an option of stageuser-add, add them with ---setattr== - -Note that some attributes may need to be filtered, for instance user-show -returns has_password or has_keytab, which do not correspond to attributes -in the LDAP entry. 
- -Fixes: https://pagure.io/freeipa/issue/7597 -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - ipaserver/plugins/user.py | 44 +++++++++++++++++++++++++++++++++++++++ - 1 file changed, 44 insertions(+) - -diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py -index 980385dc83e93ec4a65726077b34917e21115efa..fbf7b11789c58377366f187211c4e403d0cf7ffe 100644 ---- a/ipaserver/plugins/user.py -+++ b/ipaserver/plugins/user.py -@@ -919,7 +919,29 @@ class user_stage(LDAPMultiQuery): - has_output = output.standard_multi_delete - msg_summary = _('Staged user account "%(value)s"') - -+ # when moving from preserved to stage, some attributes may be -+ # present in the preserved entry but cannot be provided to -+ # stageuser_add -+ # For instance: dn and uid are derived from LOGIN argument -+ # has_keytab, has_password, preserved are virtual attributes -+ # ipauniqueid, krbcanonicalname, sshpubkeyfp, krbextradata -+ # are automatically generated -+ # ipacertmapdata can only be provided with user_add_certmapdata -+ ignore_attrs = [u'dn', u'uid', -+ u'has_keytab', u'has_password', u'preserved', -+ u'ipauniqueid', u'krbcanonicalname', -+ u'sshpubkeyfp', u'krbextradata', -+ u'ipacertmapdata', -+ u'nsaccountlock'] -+ - def execute(self, *keys, **options): -+ -+ def _build_setattr_arg(key, val): -+ if isinstance(val, bytes): -+ return u"{}={}".format(key, val.decode('UTF-8')) -+ else: -+ return u"{}={}".format(key, val) -+ - staged = [] - failed = [] - -@@ -940,8 +962,30 @@ class user_stage(LDAPMultiQuery): - value = value[0] - new_options[param.name] = value - -+ # Some attributes may not be accessible through the Command -+ # options and need to be added with --setattr -+ set_attr = [] -+ for userkey in user.keys(): -+ if userkey in new_options or userkey in self.ignore_attrs: -+ continue -+ value = user[userkey] -+ -+ if isinstance(value, (list, tuple)): -+ for val in value: -+ set_attr.append(_build_setattr_arg(userkey, val)) -+ else: -+ 
set_attr.append(_build_setattr_arg(userkey, val)) -+ if set_attr: -+ new_options[u'setattr'] = set_attr -+ - try: - self.api.Command.stageuser_add(*single_keys, **new_options) -+ # special handling for certmapdata -+ certmapdata = user.get(u'ipacertmapdata') -+ if certmapdata: -+ self.api.Command.stageuser_add_certmapdata( -+ *single_keys, -+ ipacertmapdata=certmapdata) - try: - self.api.Command.user_del(*multi_keys, preserve=False) - except errors.ExecutionError: --- -2.20.1 - diff --git a/SOURCES/0007-xmlrpc-test-add-test-for-preserved-stage-user.patch b/SOURCES/0007-xmlrpc-test-add-test-for-preserved-stage-user.patch deleted file mode 100644 index b82f87b..0000000 --- a/SOURCES/0007-xmlrpc-test-add-test-for-preserved-stage-user.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -From bcfbeef0ca7f69ff50f40990e783d58fb9a83d30 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Fri, 26 Jul 2019 15:44:58 +0200 -Subject: [PATCH] xmlrpc test: add test for preserved > stage user - -When moving a preserved user to the stage area, check that the -custom attributes are not lost ( = the attr for which there is -no specific user_stage option). - -Test scenario: -- add a stage user with --setattr "businesscategory=value" -- activate the user, check that businesscategory is still present -- delete (preserve) the user, check that attr is still present -- stage the user, check that attr is still present - -Related: https://pagure.io/freeipa/issue/7597 -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - ipatests/test_xmlrpc/test_stageuser_plugin.py | 64 +++++++++++++++++++ - .../test_xmlrpc/tracker/stageuser_plugin.py | 5 +- - 2 files changed, 67 insertions(+), 2 deletions(-) - -diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py -index 9a869259d06a65722f019a19405baf53c03917e1..cc6a3b1a880acab1ffba06061be6eae229f80237 100644 ---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py -+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py -@@ -128,6 +128,17 @@ def stageduser_notposix(request): - return tracker.make_fixture(request) - - -+@pytest.fixture(scope='class') -+def stageduser_customattr(request): -+ tracker = StageUserTracker(u'customattr', u'customattr', u'customattr', -+ setattr=u'businesscategory=BusinessCat') -+ tracker.track_create() -+ tracker.attrs.update( -+ businesscategory=[u'BusinessCat'] -+ ) -+ return tracker.make_fixture(request) -+ -+ - @pytest.fixture(scope='class') - def user(request): - tracker = UserTracker(u'auser1', u'active', u'user') -@@ -573,6 +584,59 @@ class TestPreserved(XMLRPC_test): - stageduser.delete() - - -+@pytest.mark.tier1 -+class TestCustomAttr(XMLRPC_test): -+ """Test for pagure ticket 7597 -+ -+ When a staged user is 
activated, preserved and finally staged again, -+ the custom attributes are lost. -+ """ -+ def test_stageduser_customattr(self, stageduser_customattr): -+ # Create a staged user with attributes not accessible -+ # through the options -+ # --setattr is needed here -+ command = stageduser_customattr.make_create_command() -+ result = command() -+ stageduser_customattr.check_create(result, [u'businesscategory']) -+ -+ # Activate the staged user -+ user_customattr = UserTracker( -+ stageduser_customattr.uid, stageduser_customattr.givenname, -+ stageduser_customattr.sn) -+ user_customattr.create_from_staged(stageduser_customattr) -+ user_customattr.attrs[u'businesscategory'] = [u'BusinessCat'] -+ -+ command = stageduser_customattr.make_activate_command() -+ result = command() -+ user_customattr.check_activate(result) -+ -+ # Check that the user contains businesscategory -+ command = user_customattr.make_retrieve_command(all=True) -+ result = command() -+ assert 'BusinessCat' in result['result'][u'businesscategory'] -+ -+ # delete the user with --preserve -+ command = user_customattr.make_delete_command(no_preserve=False, -+ preserve=True) -+ result = command() -+ user_customattr.check_delete(result) -+ -+ # Check that the preserved user contains businesscategory -+ command = user_customattr.make_retrieve_command(all=True) -+ result = command() -+ assert 'BusinessCat' in result['result'][u'businesscategory'] -+ -+ # Move the user from preserved to stage -+ command = user_customattr.make_stage_command() -+ result = command() -+ stageduser_customattr.check_restore_preserved(result) -+ -+ # Check that the stage user contains businesscategory -+ command = stageduser_customattr.make_retrieve_command(all=True) -+ result = command() -+ assert 'BusinessCat' in result['result'][u'businesscategory'] -+ -+ - @pytest.mark.tier1 - class TestManagers(XMLRPC_test): - def test_staged_manager(self, user, stageduser): -diff --git a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py 
b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py -index c2ab1d35c0b64980eae37f75db081b948c992b00..7609664ab4f3dc3d17b33c9ba4fa855f61a8b106 100644 ---- a/ipatests/test_xmlrpc/tracker/stageuser_plugin.py -+++ b/ipatests/test_xmlrpc/tracker/stageuser_plugin.py -@@ -176,12 +176,13 @@ class StageUserTracker(KerberosAliasMixin, Tracker): - - self.exists = True - -- def check_create(self, result): -+ def check_create(self, result, extra_keys=()): - """ Check 'stageuser-add' command result """ -+ expected = self.filter_attrs(self.create_keys | set(extra_keys)) - assert_deepequal(dict( - value=self.uid, - summary=u'Added stage user "%s"' % self.uid, -- result=self.filter_attrs(self.create_keys), -+ result=self.filter_attrs(expected), - ), result) - - def check_delete(self, result): --- -2.20.1 - diff --git a/SOURCES/0008-Don-t-return-SSH-keys-with-ipa-host-find-pkey-only.patch b/SOURCES/0008-Don-t-return-SSH-keys-with-ipa-host-find-pkey-only.patch deleted file mode 100644 index 216c128..0000000 --- a/SOURCES/0008-Don-t-return-SSH-keys-with-ipa-host-find-pkey-only.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From 6672b67ee145db6ed368b50a49bec00f49eccf91 Mon Sep 17 00:00:00 2001 -From: Rob Crittenden -Date: Thu, 1 Aug 2019 13:53:44 -0400 -Subject: [PATCH] Don't return SSH keys with ipa host-find --pkey-only - -This was introduced in 14ee02dcbd6cbb6c221ac7526e471a9fc58fcc82 - -https://pagure.io/freeipa/issue/8029 - -Reviewed-By: Alexander Bokovoy ---- - ipaserver/plugins/host.py | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py -index c74a3e58f8af6b33e284ba54b5763a684d91bac3..d6172599d30ec0b2c7b475e59dec22e111e79328 100644 ---- a/ipaserver/plugins/host.py -+++ b/ipaserver/plugins/host.py -@@ -1050,7 +1050,8 @@ class host_find(LDAPSearch): - (filter, hosts_filter), ldap.MATCH_ALL - ) - -- add_sshpubkey_to_attrs_pre(self.context, attrs_list) -+ if not options.get('pkey_only', False): -+ add_sshpubkey_to_attrs_pre(self.context, attrs_list) - - return (filter.replace('locality', 'l'), base_dn, scope) - --- -2.20.1 - diff --git a/SOURCES/0009-check-for-single-label-domains-only-during-server-in.patch b/SOURCES/0009-check-for-single-label-domains-only-during-server-in.patch deleted file mode 100644 index 81a8177..0000000 --- a/SOURCES/0009-check-for-single-label-domains-only-during-server-in.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -From 12d456a12d0029833059fe28d3bb1cea338fef16 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Thu, 5 Sep 2019 15:49:05 +0200 -Subject: [PATCH] check for single-label domains only during server install - -The fix for https://pagure.io/freeipa/issue/7207 and -https://pagure.io/freeipa/issue/7598 added checks against single-label -domains in client, server and replica installs. This prevents client -enrollment to existing topologies with single-label domain. - -This commit removes those fixes on ipa-4-6 branch. Server installation -with single-label domain will still be refused, but client enrollment -will succeed. - -Fixes: https://pagure.io/freeipa/issue/8058 -Reviewed-By: Francois Cami ---- - ipalib/util.py | 5 +++-- - ipaserver/install/server/install.py | 16 ++++++++-------- - ipaserver/plugins/config.py | 2 +- - ipaserver/plugins/realmdomains.py | 2 +- - 4 files changed, 13 insertions(+), 12 deletions(-) - -diff --git a/ipalib/util.py b/ipalib/util.py -index 1aa94d97b440110fe55584048d468b9c014ec67b..8b6ec564aa6299a6dd149e9afa1bdc04ac770bf2 100644 ---- a/ipalib/util.py -+++ b/ipalib/util.py -@@ -406,14 +406,15 @@ def validate_dns_label(dns_label, allow_underscore=False, allow_slash=False): - - def validate_domain_name( - domain_name, allow_underscore=False, -- allow_slash=False, entity='domain' -+ allow_slash=False, entity='domain', -+ check_sld=False - ): - if domain_name.endswith('.'): - domain_name = domain_name[:-1] - - domain_name = domain_name.split(".") - -- if len(domain_name) < 2: -+ if check_sld and len(domain_name) < 2: - raise ValueError(_( - 'single label {}s are not supported'.format(entity))) - -diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py -index c1e593e467cdb856a4ab3251ee103f3da3386a82..5ea4f2e1cc80c995997888aaf44f500524beb796 100644 ---- a/ipaserver/install/server/install.py -+++ b/ipaserver/install/server/install.py -@@ -471,25 +471,25 @@ def install_check(installer): - 
domain_name = read_domain_name(host_name[host_name.find(".")+1:], - not installer.interactive) - logger.debug("read domain_name: %s\n", domain_name) -- try: -- validate_domain_name(domain_name) -- except ValueError as e: -- raise ScriptError("Invalid domain name: %s" % unicode(e)) - else: - domain_name = options.domain_name - - domain_name = domain_name.lower() -+ try: -+ validate_domain_name(domain_name, check_sld=True) -+ except ValueError as e: -+ raise ScriptError("Invalid domain name: %s" % unicode(e)) - - if not options.realm_name: - realm_name = read_realm_name(domain_name, not installer.interactive) - logger.debug("read realm_name: %s\n", realm_name) - -- try: -- validate_domain_name(realm_name, entity="realm") -- except ValueError as e: -- raise ScriptError("Invalid realm name: {}".format(unicode(e))) - else: - realm_name = options.realm_name.upper() -+ try: -+ validate_domain_name(realm_name, entity="realm", check_sld=True) -+ except ValueError as e: -+ raise ScriptError("Invalid realm name: {}".format(unicode(e))) - - if not options.subject_base: - options.subject_base = installutils.default_subject_base(realm_name) -diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py -index 58b48935c2c7471ff2ce0bb3f5ce92a9fb47a503..b6349f03b7347b696c4e38480440a31db6757de8 100644 ---- a/ipaserver/plugins/config.py -+++ b/ipaserver/plugins/config.py -@@ -400,7 +400,7 @@ class config(LDAPObject): - ) - - try: -- validate_domain_name(domain) -+ validate_domain_name(domain, check_sld=True) - except ValueError as e: - raise errors.ValidationError( - name=attr_name, -diff --git a/ipaserver/plugins/realmdomains.py b/ipaserver/plugins/realmdomains.py -index 80c5c298372f1c3f773150622c708f0286cc87a2..414dfae5090c4cd2e694bdfd3839a39783dd95fc 100644 ---- a/ipaserver/plugins/realmdomains.py -+++ b/ipaserver/plugins/realmdomains.py -@@ -59,7 +59,7 @@ def _domain_name_normalizer(d): - - def _domain_name_validator(ugettext, value): - try: -- 
validate_domain_name(value, allow_slash=False) -+ validate_domain_name(value, allow_slash=False, check_sld=True) - except ValueError as e: - return unicode(e) - return None --- -2.20.1 - diff --git a/SOURCES/0010-Don-t-configure-KEYRING-ccache-in-containers.patch b/SOURCES/0010-Don-t-configure-KEYRING-ccache-in-containers.patch deleted file mode 100644 index f417ec0..0000000 --- a/SOURCES/0010-Don-t-configure-KEYRING-ccache-in-containers.patch +++ /dev/null 
@@ -1,166 +0,0 @@ -From 7e9d17ca027b377c54288eb06ead7602a2a5136b Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Wed, 12 Dec 2018 17:32:06 +0100 -Subject: [PATCH] Don't configure KEYRING ccache in containers - -Kernel keyrings are not namespaced yet. Keyrings can leak into other -containers. Therefore keyrings should not be used in containerized -environment. - -Don't configure Kerberos to use KEYRING ccache backen when a container -environment is detected by systemd-detect-virt --container. - -Fixes: https://pagure.io/freeipa/issue/7807 -Signed-off-by: Christian Heimes -Reviewed-By: Rob Crittenden -Reviewed-By: Tibor Dudlak -Reviewed-By: Oleg Kozlov -Reviewed-By: Florence Blanc-Renaud ---- - ipaplatform/base/paths.py | 1 + - ipaplatform/base/tasks.py | 8 +++++++ - ipaplatform/redhat/tasks.py | 21 ++++++++++++++++ - ipapython/kernel_keyring.py | 10 +++++++- - ipatests/test_ipaplatform/test_tasks.py | 32 +++++++++++++++++++++++++ - 5 files changed, 71 insertions(+), 1 deletion(-) - create mode 100644 ipatests/test_ipaplatform/test_tasks.py - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index 435d1b7de9083ee74e80da6fef5c3e3cdad654bb..0395e40b7fb624cd6f625a0cd959c4a216731f6d 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -30,6 +30,7 @@ class BasePathNamespace(object): - LS = "/bin/ls" - SH = "/bin/sh" - SYSTEMCTL = "/bin/systemctl" -+ SYSTEMD_DETECT_VIRT = "/bin/systemd-detect-virt" - TAR = "/bin/tar" - AUTOFS_LDAP_AUTH_CONF = "/etc/autofs_ldap_auth.conf" - ETC_DIRSRV = "/etc/dirsrv" -diff --git a/ipaplatform/base/tasks.py b/ipaplatform/base/tasks.py -index cd0427197aaecde0139781a564be443e59f3f9df..49c39e99b475cef2945354b2aaadf20239421d34 100644 ---- a/ipaplatform/base/tasks.py -+++ b/ipaplatform/base/tasks.py -@@ -116,6 +116,14 @@ class BaseTaskNamespace(object): - - raise NotImplementedError() - -+ def detect_container(self): -+ """Check if running inside a container -+ -+ :returns: container runtime or 
None -+ :rtype: str, None -+ """ -+ raise NotImplementedError -+ - def restore_hostname(self, fstore, statestore): - """ - Restores the original hostname as backed up in the -diff --git a/ipaplatform/redhat/tasks.py b/ipaplatform/redhat/tasks.py -index 9ce0d8375c88cb3281149ef82c975d14f150e5a4..8f6dc9a0370c59a3d4a33e8699bbc8c228ca0e1d 100644 ---- a/ipaplatform/redhat/tasks.py -+++ b/ipaplatform/redhat/tasks.py -@@ -30,6 +30,7 @@ import os - import socket - import traceback - import errno -+import subprocess - import sys - - from ctypes.util import find_library -@@ -168,6 +169,26 @@ class RedHatTaskNamespace(BaseTaskNamespace): - "resolution to 'lo' interface. You might need to enable IPv6 " - "on the interface 'lo' in sysctl.conf.") - -+ def detect_container(self): -+ """Check if running inside a container -+ -+ :returns: container runtime or None -+ :rtype: str, None -+ """ -+ try: -+ output = subprocess.check_output( -+ [paths.SYSTEMD_DETECT_VIRT, '--container'], -+ stderr=subprocess.STDOUT -+ ) -+ except subprocess.CalledProcessError as e: -+ if e.returncode == 1: -+ # No container runtime detected -+ return None -+ else: -+ raise -+ else: -+ return output.decode('utf-8').strip() -+ - def restore_pre_ipa_client_configuration(self, fstore, statestore, - was_sssd_installed, - was_sssd_configured): -diff --git a/ipapython/kernel_keyring.py b/ipapython/kernel_keyring.py -index 6ae1e74493810fa25093fe134447dd4ba0f5da74..cd47108e5846bc2f78e45f222bdfbd0ca11b7d81 100644 ---- a/ipapython/kernel_keyring.py -+++ b/ipapython/kernel_keyring.py -@@ -24,6 +24,7 @@ import six - - from ipapython.ipautil import run - from ipaplatform.paths import paths -+from ipaplatform.tasks import tasks - - # NOTE: Absolute path not required for keyctl since we reset the environment - # in ipautil.run. 
-@@ -68,7 +69,14 @@ def get_persistent_key(key): - return result.raw_output.rstrip() - - --def is_persistent_keyring_supported(): -+def is_persistent_keyring_supported(check_container=True): -+ """Returns True if the kernel persistent keyring is supported. -+ -+ If check_container is True and a containerized environment is detected, -+ return False. There is no support for keyring namespace isolation yet. -+ """ -+ if check_container and tasks.detect_container() is not None: -+ return False - uid = os.geteuid() - try: - get_persistent_key(str(uid)) -diff --git a/ipatests/test_ipaplatform/test_tasks.py b/ipatests/test_ipaplatform/test_tasks.py -new file mode 100644 -index 0000000000000000000000000000000000000000..524490c78defb6ce14bf76ea296a9a33db0cbf0a ---- /dev/null -+++ b/ipatests/test_ipaplatform/test_tasks.py -@@ -0,0 +1,32 @@ -+# -+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license -+# -+from __future__ import absolute_import -+ -+import os -+ -+from ipaplatform.tasks import tasks -+ -+ -+def test_detect_container(): -+ container = None -+ # naive detection, may fail for OpenVZ and other container runtimes -+ if os.path.isfile('/run/systemd/container'): -+ with open('/run/systemd/container') as f: -+ container = f.read().strip() -+ elif os.geteuid() == 0: -+ with open('/proc/1/environ') as f: -+ environ = f.read() -+ for item in environ.split('\x00'): -+ if not item: -+ continue -+ k, v = item.split('=', 1) -+ if k == 'container': -+ container = v -+ -+ detected = tasks.detect_container() -+ if container == 'oci': -+ # systemd doesn't know about podman -+ assert detected in {'container-other', container} -+ else: -+ assert detected == container --- -2.20.1 - diff --git a/SOURCES/0011-Add-container-environment-check-to-replicainstall.patch b/SOURCES/0011-Add-container-environment-check-to-replicainstall.patch deleted file mode 100644 index 5eba40e..0000000 --- a/SOURCES/0011-Add-container-environment-check-to-replicainstall.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From 734a39d52cf738bfce7ad97deab74f368387a83b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?=
-Date: Tue, 10 Sep 2019 18:54:53 +0200
-Subject: [PATCH] Add container environment check to replicainstall
-
-Inside the container environment master's IP address
-does not resolve to its name.
-
-Resolves: https://pagure.io/freeipa/issue/6210
-Reviewed-By: Rob Crittenden
---
- ipaserver/install/server/replicainstall.py | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index e13b7f18c4d4df7efde50ac9cb7d2f71bfa765cc..bd82a9d1483545d478e790a727e48eaa9ac22cfc 100644
---- a/ipaserver/install/server/replicainstall.py
-+++ b/ipaserver/install/server/replicainstall.py
-@@ -1134,7 +1134,11 @@ def promote_check(installer):
- "certificate")
- 
- installutils.verify_fqdn(config.host_name, options.no_host_dns)
-- installutils.verify_fqdn(config.master_host_name, options.no_host_dns)
-+ # Inside the container environment master's IP address does not
-+ # resolve to its name. See https://pagure.io/freeipa/issue/6210
-+ container_environment = tasks.detect_container() is not None
-+ installutils.verify_fqdn(config.master_host_name, options.no_host_dns,
-+ local_hostname=not container_environment)
- 
- ccache = os.environ['KRB5CCNAME']
- kinit_keytab('host/{env.host}@{env.realm}'.format(env=api.env),
---
-2.20.1
-
diff --git a/SOURCES/0012-add-default-access-control-when-migrating-trust-obje.patch b/SOURCES/0012-add-default-access-control-when-migrating-trust-obje.patch
deleted file mode 100644
index bad7801..0000000
--- a/SOURCES/0012-add-default-access-control-when-migrating-trust-obje.patch
+++ /dev/null
@@ -1,55 +0,0 @@ -From 06eb54e3e8e645a64d915602a64834cc26bc8924 Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Tue, 10 Sep 2019 13:39:39 +0300 -Subject: [PATCH] add default access control when migrating trust objects - -It looks like for some cases we do not have proper set up keytab -retrieval configuration in the old trusted domain object. This mostly -affects two-way trust cases. In such cases, create default configuration -as ipasam would have created when trust was established. - -Resolves: https://pagure.io/freeipa/issue/8067 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - ipaserver/install/plugins/adtrust.py | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py -index 12596d5bfe71c16a2cb87acb755a88051676e3e5..0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b 100644 ---- a/ipaserver/install/plugins/adtrust.py -+++ b/ipaserver/install/plugins/adtrust.py -@@ -28,6 +28,9 @@ logger = logging.getLogger(__name__) - register = Registry() - - DEFAULT_ID_RANGE_SIZE = 200000 -+trust_read_keys_template = \ -+ ["cn=adtrust agents,cn=sysaccounts,cn=etc,{basedn}", -+ "cn=trust admins,cn=groups,cn=accounts,{basedn}"] - - - @register() -@@ -575,8 +578,15 @@ class update_tdo_to_new_layout(Updater): - 'krbprincipalkey') - entry_data['krbextradata'] = en.single_value.get( - 'krbextradata') -- entry_data['ipaAllowedToPerform;read_keys'] = en.get( -- 'ipaAllowedToPerform;read_keys', []) -+ read_keys = en.get('ipaAllowedToPerform;read_keys', []) -+ if not read_keys: -+ # Old style, no ipaAllowedToPerform;read_keys in the entry, -+ # use defaults that ipasam should have set when creating a -+ # trust -+ read_keys = list(map( -+ lambda x: x.format(basedn=self.api.env.basedn), -+ trust_read_keys_template)) -+ entry_data['ipaAllowedToPerform;read_keys'] = read_keys - - 
entry.update(entry_data)
- try:
---
-2.20.1
-
diff --git a/SOURCES/0013-adtrust-add-default-read_keys-permission-for-TDO-obj.patch b/SOURCES/0013-adtrust-add-default-read_keys-permission-for-TDO-obj.patch
deleted file mode 100644
index 6868b4c..0000000
--- a/SOURCES/0013-adtrust-add-default-read_keys-permission-for-TDO-obj.patch
+++ /dev/null
@@ -1,105 +0,0 @@ -From 847e3d053fc5243a9fce7af673cb138983a3255c Mon Sep 17 00:00:00 2001 -From: Alexander Bokovoy -Date: Thu, 12 Sep 2019 11:21:51 +0300 -Subject: [PATCH] adtrust: add default read_keys permission for TDO objects - -If trusted domain object (TDO) is lacking ipaAllowedToPerform;read_keys -attribute values, it cannot be used by SSSD to retrieve TDO keys and the -whole communication with Active Directory domain controllers will not be -possible. - -This seems to affect trusts which were created before -ipaAllowedToPerform;read_keys permission granting was introduced -(FreeIPA 4.2). Add back the default setting for the permissions which -grants access to trust agents and trust admins. - -Resolves: https://pagure.io/freeipa/issue/8067 - -Signed-off-by: Alexander Bokovoy -Reviewed-By: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Florence Blanc-Renaud ---- - .../updates/90-post_upgrade_plugins.update | 1 + - ipaserver/install/plugins/adtrust.py | 56 +++++++++++++++++++ - 2 files changed, 57 insertions(+) - -diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update -index 6cd87a4226e34839ba7625fa03893cd8fb902386..e3afb3423ccaf1598bc0a0e982a5264781fd81a4 100644 ---- a/install/updates/90-post_upgrade_plugins.update -+++ b/install/updates/90-post_upgrade_plugins.update -@@ -12,6 +12,7 @@ plugin: update_default_range - plugin: update_default_trust_view - plugin: update_tdo_gidnumber - plugin: update_tdo_to_new_layout -+plugin: update_tdo_default_read_keys_permissions - plugin: update_ca_renewal_master - plugin: update_idrange_type - plugin: update_pacs -diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py -index 0dd2c840899abe3b51b9308d38a9d0f4d1fb2f9b..fca83aa6df2cc3fafca91f2ed55339dba016a1fa 100644 ---- a/ipaserver/install/plugins/adtrust.py -+++ b/ipaserver/install/plugins/adtrust.py -@@ -727,3 +727,59 @@ class update_tdo_to_new_layout(Updater): - 
self.KRB_PRINC_CREATE_DISABLED) - - return False, [] -+ -+ -+@register() -+class update_tdo_default_read_keys_permissions(Updater): -+ trust_filter = \ -+ "(&(objectClass=krbPrincipal)(krbPrincipalName=krbtgt/{nbt}@*))" -+ -+ def execute(self, **options): -+ ldap = self.api.Backend.ldap2 -+ -+ # First, see if trusts are enabled on the server -+ if not self.api.Command.adtrust_is_enabled()['result']: -+ logger.debug('AD Trusts are not enabled on this server') -+ return False, [] -+ -+ result = self.api.Command.trustconfig_show()['result'] -+ our_nbt_name = result.get('ipantflatname', [None])[0] -+ if not our_nbt_name: -+ return False, [] -+ -+ trusts_dn = self.api.env.container_adtrusts + self.api.env.basedn -+ trust_filter = self.trust_filter.format(nbt=our_nbt_name) -+ -+ # We might be in a situation when no trusts exist yet -+ # In such case there is nothing to upgrade but we have to catch -+ # an exception or it will abort the whole upgrade process -+ try: -+ tdos = ldap.get_entries( -+ base_dn=trusts_dn, -+ scope=ldap.SCOPE_SUBTREE, -+ filter=trust_filter, -+ attrs_list=['*']) -+ except errors.EmptyResult: -+ tdos = [] -+ -+ for tdo in tdos: -+ updates = dict() -+ oc = tdo.get('objectClass', []) -+ if 'ipaAllowedOperations' not in oc: -+ updates['objectClass'] = oc + ['ipaAllowedOperations'] -+ -+ read_keys = tdo.get('ipaAllowedToPerform;read_keys', []) -+ if not read_keys: -+ read_keys_values = list(map( -+ lambda x: x.format(basedn=self.api.env.basedn), -+ trust_read_keys_template)) -+ updates['ipaAllowedToPerform;read_keys'] = read_keys_values -+ -+ tdo.update(updates) -+ try: -+ ldap.update_entry(tdo) -+ except errors.EmptyModlist: -+ logger.debug("No update was required for TDO %s", -+ tdo.single_value.get('krbCanonicalName')) -+ -+ return False, [] --- -2.20.1 - 
diff --git a/SOURCES/0014-Disable-deprecated-lambda-check-in-adtrust-upgrade-c.patch b/SOURCES/0014-Disable-deprecated-lambda-check-in-adtrust-upgrade-c.patch
deleted file mode 100644
index 4f0f10f..0000000
--- a/SOURCES/0014-Disable-deprecated-lambda-check-in-adtrust-upgrade-c.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From 78c4838bcf3528018b06d73d1b82bde7f575f2db Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Mon, 16 Sep 2019 09:38:19 -0400
-Subject: [PATCH] Disable deprecated-lambda check in adtrust upgrade code
-
-It is interesting that we don't have this problem with newer
-Python and pylint versions. Ignoring to try to keep the code
-more in line with newer releases.
-
-Reviewed-By: Rob Crittenden
-Reviewed-By: Florence Blanc-Renaud
---
- ipaserver/install/plugins/adtrust.py | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py
-index fca83aa6df2cc3fafca91f2ed55339dba016a1fa..950b7b9c82f1b0e115675ff8093d1bd02e913ae2 100644
---- a/ipaserver/install/plugins/adtrust.py
-+++ b/ipaserver/install/plugins/adtrust.py
-@@ -583,6 +583,7 @@ class update_tdo_to_new_layout(Updater):
- # Old style, no ipaAllowedToPerform;read_keys in the entry,
- # use defaults that ipasam should have set when creating a
- # trust
-+ # pylint: disable=deprecated-lambda
- read_keys = list(map(
- lambda x: x.format(basedn=self.api.env.basedn),
- trust_read_keys_template))
-@@ -770,6 +771,7 @@ class update_tdo_default_read_keys_permissions(Updater):
- 
- read_keys = tdo.get('ipaAllowedToPerform;read_keys', [])
- if not read_keys:
-+ # pylint: disable=deprecated-lambda
- read_keys_values = list(map(
- lambda x: x.format(basedn=self.api.env.basedn),
- trust_read_keys_template))
---
-2.20.1
-
diff --git a/SOURCES/0015-Fix-segfault-in-ipadb_parse_ldap_entry.patch b/SOURCES/0015-Fix-segfault-in-ipadb_parse_ldap_entry.patch
deleted file mode 100644
index 0dd39f3..0000000
--- a/SOURCES/0015-Fix-segfault-in-ipadb_parse_ldap_entry.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 480f8a40e9ff8d7f344faac1a9af64972cf2288a Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Thu, 5 Sep 2019 13:00:27 -0400
-Subject: [PATCH] Fix segfault in ipadb_parse_ldap_entry()
-
-lcontext may be NULL here, probably due to a restarted 389ds. Based on
-a patch by Rob Crittenden.
-
-Signed-off-by: Robbie Harwood
-Reviewed-By: Alexander Bokovoy
---
- daemons/ipa-kdb/ipa_kdb_principals.c | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index b27612258bbe198154dea5b5d79e551caf9857d1..0fe8e396b9bc011b77b183851389f6c57c70a2c9 100644
---- a/daemons/ipa-kdb/ipa_kdb_principals.c
-+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -21,7 +21,9 @@
- */
- 
- #include "ipa_kdb.h"
-+#include "ipa_krb5.h"
- #include 
-+#include 
- 
- /*
- * During TGS request search by ipaKrbPrincipalName (case-insensitive)
-@@ -554,6 +556,17 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
- return KRB5_KDB_DBNOTINITED;
- }
- lcontext = ipactx->lcontext;
-+ if (!lcontext) {
-+ krb5_klog_syslog(LOG_INFO,
-+ "No LDAP connection in ipadb_parse_ldap_entry(); retrying...\n");
-+ ret = ipadb_get_connection(ipactx);
-+ if (ret != 0) {
-+ krb5_klog_syslog(LOG_ERR,
-+ "No LDAP connection on retry in ipadb_parse_ldap_entry()!\n");
-+ kerr = KRB5_KDB_INTERNAL_ERROR;
-+ goto done;
-+ }
-+ }
- 
- entry->magic = KRB5_KDB_MAGIC_NUMBER;
- entry->len = KRB5_KDB_V1_BASE_LENGTH;
---
-2.20.1
-
diff --git a/SOURCES/0016-ipa-restore-Restore-ownership-and-perms-on-389-ds-lo.patch b/SOURCES/0016-ipa-restore-Restore-ownership-and-perms-on-389-ds-lo.patch
deleted file mode 100644
index c375293..0000000
--- a/SOURCES/0016-ipa-restore-Restore-ownership-and-perms-on-389-ds-lo.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 24f33237eda1fddd82010b88fe1e8033a4c27976 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden
-Date: Fri, 20 Sep 2019 15:36:36 -0400
-Subject: [PATCH] ipa-restore: Restore ownership and perms on 389-ds log
- directory
-
-Previously it would end up being owned by root:root mode 0755
-instead of dirsrv:dirsrv mode 0770.
-
-https://pagure.io/freeipa/issue/7725
-
-Signed-off-by: Rob Crittenden
-Reviewed-By: Florence Blanc-Renaud
-Reviewed-By: Florence Blanc-Renaud
---
- ipaserver/install/ipa_restore.py | 6 +++++-
- 1 file changed, 5 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/ipa_restore.py b/ipaserver/install/ipa_restore.py
-index 4941831585f473c4937b23b3f59d8ff99a654b0e..917f516c8fa414b23dcb451c9105c59e0afeec51 100644
---- a/ipaserver/install/ipa_restore.py
-+++ b/ipaserver/install/ipa_restore.py
-@@ -592,11 +592,15 @@ class Restore(admintool.AdminTool):
- logger.info("Waiting for LDIF to finish")
- wait_for_task(conn, dn)
- else:
-+ template_dir = paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % instance
- try:
-- os.makedirs(paths.VAR_LOG_DIRSRV_INSTANCE_TEMPLATE % instance)
-+ os.makedirs(template_dir)
- except OSError as e:
- pass
- 
-+ os.chown(template_dir, pent.pw_uid, pent.pw_gid)
-+ os.chmod(template_dir, 0o770)
-+
- args = [paths.LDIF2DB,
- '-Z', instance,
- '-i', ldiffile,
---
-2.20.1
-
diff --git a/SOURCES/0017-replica-install-enforce-server-arg.patch b/SOURCES/0017-replica-install-enforce-server-arg.patch
deleted file mode 100644
index 014e04f..0000000
--- a/SOURCES/0017-replica-install-enforce-server-arg.patch
+++ /dev/null
@@ -1,123 +0,0 @@ -From 6953cecad70fc183ca4a8eddc467a7efa7ff83d3 Mon Sep 17 00:00:00 2001 -From: Florence Blanc-Renaud -Date: Mon, 9 Sep 2019 12:58:48 +0200 -Subject: [PATCH] replica install: enforce --server arg - -When the --server option is provided to ipa-replica-install (1-step -install), make sure that the server offers all the required roles -(CA, KRA). If it's not the case, refuse the installation. - -Note that the --server option is ignored when promoting from client to -replica (2-step install with ipa-client-install and ipa-replica-install), -meaning that the existing behavior is not changed in this use case: -by default the host specified in default.conf as server is used for -enrollment, but if it does not provide a required role, another host can -be picked for CA or KRA setup. - -Fixes: https://pagure.io/freeipa/issue/7566 -Signed-off-by: Florence Blanc-Renaud -Reviewed-By: Rob Crittenden -Reviewed-By: Mohammad Rizwan Yusuf -Reviewed-By: Rob Crittenden -Reviewed-By: Mohammad Rizwan Yusuf ---- - install/tools/man/ipa-replica-install.1 | 4 ++- - ipaserver/install/server/replicainstall.py | 36 ++++++++++++++++++++-- - 2 files changed, 37 insertions(+), 3 deletions(-) - -diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1 -index a1284135ac67de2b67b322aec3f6bbfb05f1a8ec..12764b8994a04bf56e80492bdcc66578a1f991e0 100644 ---- a/install/tools/man/ipa-replica-install.1 -+++ b/install/tools/man/ipa-replica-install.1 -@@ -51,7 +51,7 @@ One Time Password for joining a machine to the IPA realm. - Path to host keytab. - .TP - \fB\-\-server\fR --The fully qualified domain name of the IPA server to enroll to. -+The fully qualified domain name of the IPA server to enroll to. The IPA server must provide the CA role if \fB\-\-setup-ca\fR option is specified, and the KRA role if \fB\-\-setup-kra\fR option is specified. - .TP - \fB\-n\fR, \fB\-\-domain\fR=\fIDOMAIN\fR - The primary DNS domain of an existing IPA deployment, e.g. 
example.com. -@@ -281,3 +281,5 @@ path. - 1 if an error occurred - - 3 if the host exists in the IPA server or a replication agreement to the remote master already exists -+ -+4 if the remote master specified for enrollment does not provide required services such as CA or KRA -diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index bd82a9d1483545d478e790a727e48eaa9ac22cfc..14e8b2c3a76525c6ec2a16ca26fa032aab694a59 100644 ---- a/ipaserver/install/server/replicainstall.py -+++ b/ipaserver/install/server/replicainstall.py -@@ -1024,6 +1024,8 @@ def promote_check(installer): - print("IPA client is already configured on this system, ignoring " - "the --domain, --server, --realm, --hostname, --password " - "and --keytab options.") -+ # Make sure options.server is not used -+ options.server = None - - sstore = sysrestore.StateFile(paths.SYSRESTORE) - -@@ -1269,8 +1271,15 @@ def promote_check(installer): - config.subject_base = DN(subject_base) - - # Find any server with a CA -+ # The order of preference is -+ # 1. the first server specified in --server, if any -+ # 2. the server specified in the config file -+ # 3. 
any other -+ preferred_cas = [config.ca_host_name] -+ if options.server: -+ preferred_cas.insert(0, options.server) - ca_host = find_providing_server( -- 'CA', conn, [config.ca_host_name] -+ 'CA', conn, preferred_cas - ) - if ca_host is not None: - config.ca_host_name = ca_host -@@ -1279,6 +1288,14 @@ def promote_check(installer): - logger.error("Certificates could not be provided when " - "CA is present on some master.") - raise ScriptError(rval=3) -+ if options.setup_ca and options.server and \ -+ ca_host != options.server: -+ # Installer was provided with a specific master -+ # but this one doesn't provide CA -+ logger.error("The specified --server %s does not provide CA, " -+ "please provide a server with the CA role", -+ options.server) -+ raise ScriptError(rval=4) - else: - if options.setup_ca: - logger.error("The remote master does not have a CA " -@@ -1293,12 +1310,27 @@ def promote_check(installer): - raise ScriptError(rval=3) - - # Find any server with a KRA -+ # The order of preference is -+ # 1. the first server specified in --server, if any -+ # 2. the server specified in the config file -+ # 3. any other -+ preferred_kras = [config.kra_host_name] -+ if options.server: -+ preferred_kras.insert(0, options.server) - kra_host = find_providing_server( -- 'KRA', conn, [config.kra_host_name] -+ 'KRA', conn, preferred_kras - ) - if kra_host is not None: - config.kra_host_name = kra_host - kra_enabled = True -+ if options.setup_kra and options.server and \ -+ kra_host != options.server: -+ # Installer was provided with a specific master -+ # but this one doesn't provide KRA -+ logger.error("The specified --server %s does not provide KRA, " -+ "please provide a server with the KRA role", -+ options.server) -+ raise ScriptError(rval=4) - else: - if options.setup_kra: - logger.error("There is no active KRA server in the domain, " --- -2.20.1 - 
diff --git a/SOURCES/0018-Log-INFO-message-when-LDAP-connection-fails-on-start.patch b/SOURCES/0018-Log-INFO-message-when-LDAP-connection-fails-on-start.patch
deleted file mode 100644
index 01c3822..0000000
--- a/SOURCES/0018-Log-INFO-message-when-LDAP-connection-fails-on-start.patch
+++ /dev/null
@@ -1,94 +0,0 @@
-From 349014688322df67509f44d51f232237e2a7ca7d Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Fri, 2 Aug 2019 15:55:20 -0400
-Subject: [PATCH] Log INFO message when LDAP connection fails on startup
-
-Since krb5_klog_syslog() always needs parameters from syslog.h, move the
-include into ipa_krb5.h.
-
-Signed-off-by: Robbie Harwood
-Reviewed-By: Christian Heimes
-Reviewed-By: Rob Crittenden
---
- daemons/ipa-kdb/ipa_kdb.c | 6 ++++--
- daemons/ipa-kdb/ipa_kdb_audit_as.c | 1 -
- daemons/ipa-kdb/ipa_kdb_certauth.c | 1 -
- daemons/ipa-kdb/ipa_kdb_mspac.c | 1 -
- util/ipa_krb5.h | 1 +
- 5 files changed, 5 insertions(+), 5 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.c b/daemons/ipa-kdb/ipa_kdb.c
-index c90f8d9caf247874c6bda58eb33c7733c4709b02..0dcc74263263423da6b1f4d8441ee149bce24c58 100644
---- a/daemons/ipa-kdb/ipa_kdb.c
-+++ b/daemons/ipa-kdb/ipa_kdb.c
-@@ -24,6 +24,7 @@
- #include 
- 
- #include "ipa_kdb.h"
-+#include "ipa_krb5.h"
- 
- #define IPADB_GLOBAL_CONFIG_CACHE_TIME 60
- 
-@@ -586,8 +587,9 @@ static krb5_error_code ipadb_init_module(krb5_context kcontext,
- 
- ret = ipadb_get_connection(ipactx);
- if (ret != 0) {
-- /* not a fatal failure, as the LDAP server may be temporarily down */
-- /* TODO: spam syslog with this error */
-+ /* Not a fatal failure, as the LDAP server may be temporarily down. */
-+ krb5_klog_syslog(LOG_INFO,
-+ "Didn't connect to LDAP on startup: %d", ret);
- }
- 
- kerr = krb5_db_set_context(kcontext, ipactx);
-diff --git a/daemons/ipa-kdb/ipa_kdb_audit_as.c b/daemons/ipa-kdb/ipa_kdb_audit_as.c
-index c68a67aa2a0ca9a2dc9e7a2d39c60d8b105fcc06..77748a75d6b16ee4d080a5f53213cc58c81660dc 100644
---- a/daemons/ipa-kdb/ipa_kdb_audit_as.c
-+++ b/daemons/ipa-kdb/ipa_kdb_audit_as.c
-@@ -20,7 +20,6 @@
- * along with this program. If not, see .
- */
- 
--#include 
- #include "ipa_kdb.h"
- #include "ipa_pwd.h"
- 
-diff --git a/daemons/ipa-kdb/ipa_kdb_certauth.c b/daemons/ipa-kdb/ipa_kdb_certauth.c
-index 82589f2f92096400b2f586a65eec962229c3daf7..47911aa3ded56efe4d47acb78d94ccdbcdca7339 100644
---- a/daemons/ipa-kdb/ipa_kdb_certauth.c
-+++ b/daemons/ipa-kdb/ipa_kdb_certauth.c
-@@ -39,7 +39,6 @@
- 
- #include 
- //#include 
--#include 
- #include 
- 
- #include "ipa_krb5.h"
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 329a5c11586ccd7004dd17e503133f9fda7e8395..74cbb77cccb45188f7bd8a1a33085f8ef964930f 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -25,7 +25,6 @@
- #include "ipa_kdb.h"
- #include "ipa_mspac.h"
- #include 
--#include 
- #include 
- #include "util/time.h"
- #include "gen_ndr/ndr_krb5pac.h"
-diff --git a/util/ipa_krb5.h b/util/ipa_krb5.h
-index 60a8ced5d8a63532254b3703801d2aeb9ff45892..b039c1a7f3d0bc215376f8f1dd2ac93e75a0c626 100644
---- a/util/ipa_krb5.h
-+++ b/util/ipa_krb5.h
-@@ -3,6 +3,7 @@
- #include 
- #include 
- #include 
-+#include 
- 
- struct krb_key_salt {
- krb5_enctype enctype;
---
-2.20.1
-
diff --git a/SOURCES/0019-Fix-NULL-pointer-dereference-in-maybe_require_preaut.patch b/SOURCES/0019-Fix-NULL-pointer-dereference-in-maybe_require_preaut.patch
deleted file mode 100644
index f5cb38f..0000000
--- a/SOURCES/0019-Fix-NULL-pointer-dereference-in-maybe_require_preaut.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From e3206de9fb0d25691b35568723ad67a60ca01165 Mon Sep 17 00:00:00 2001
-From: Robbie Harwood
-Date: Wed, 4 Sep 2019 13:48:14 -0400
-Subject: [PATCH] Fix NULL pointer dereference in maybe_require_preauth()
-
-ipadb_get_global_config() is permitted to return NULL.
-
-Signed-off-by: Robbie Harwood
-Reviewed-By: Christian Heimes
-Reviewed-By: Rob Crittenden
---
- daemons/ipa-kdb/ipa_kdb_principals.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index 0fe8e396b9bc011b77b183851389f6c57c70a2c9..259a0d2563f4b9c038b041781b2580fe72d7ed7e 100644
---- a/daemons/ipa-kdb/ipa_kdb_principals.c
-+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -1070,7 +1070,7 @@ static krb5_flags maybe_require_preauth(struct ipadb_context *ipactx,
- struct ipadb_e_data *ied;
- 
- config = ipadb_get_global_config(ipactx);
-- if (config->disable_preauth_for_spns) {
-+ if (config && config->disable_preauth_for_spns) {
- ied = (struct ipadb_e_data *)entry->e_data;
- if (ied && ied->ipa_user != true) {
- /* not a user, assume SPN */
---
-2.20.1
-
diff --git a/SOURCES/0020-Handle-missing-LWCA-certificate-or-chain.patch b/SOURCES/0020-Handle-missing-LWCA-certificate-or-chain.patch
deleted file mode 100644
index 81001b4..0000000
--- a/SOURCES/0020-Handle-missing-LWCA-certificate-or-chain.patch
+++ /dev/null
@@ -1,196 +0,0 @@ -From f830f450c0c5818090eba9f9f0e0cec5551a1cef Mon Sep 17 00:00:00 2001 -From: Fraser Tweedale -Date: Thu, 30 May 2019 20:57:10 +1000 -Subject: [PATCH] Handle missing LWCA certificate or chain - -If lightweight CA key replication has not completed, requests for -the certificate or chain will return 404**. This can occur in -normal operation, and should be a temporary condition. Detect this -case and handle it by simply omitting the 'certificate' and/or -'certificate_out' fields in the response, and add a warning message -to the response. - -Also update the client-side plugin that handles the ---certificate-out option. Because the CLI will automatically print -the warning message, if the expected field is missing from the -response, just ignore it and continue processing. - -** after the Dogtag NullPointerException gets fixed! - -Part of: https://pagure.io/freeipa/issue/7964 - -Reviewed-By: Christian Heimes -Reviewed-By: Fraser Tweedale -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - ipaclient/plugins/ca.py | 19 +++++++++++--- - ipalib/messages.py | 9 +++++++ - ipaserver/plugins/ca.py | 57 +++++++++++++++++++++++++++++++---------- - 3 files changed, 68 insertions(+), 17 deletions(-) - -diff --git a/ipaclient/plugins/ca.py b/ipaclient/plugins/ca.py -index f0e7d5ced0d3d9318e34aba84cbc37cf42b9410d..ab47ae85df398e1dc40191691a26639eb3772493 100644 ---- a/ipaclient/plugins/ca.py -+++ b/ipaclient/plugins/ca.py -@@ -33,13 +33,24 @@ class WithCertOutArgs(MethodOverride): - error=str(e)) - - result = super(WithCertOutArgs, self).forward(*keys, **options) -+ - if filename: -+ # if result certificate / certificate_chain not present in result, -+ # it means Dogtag did not provide it (probably due to LWCA key -+ # replication lag or failure. The server transmits a warning -+ # message in this case, which the client automatically prints. -+ # So in this section we just ignore it and move on. 
-+ certs = None - if options.get('chain', False): -- certs = result['result']['certificate_chain'] -+ if 'certificate_chain' in result['result']: -+ certs = result['result']['certificate_chain'] - else: -- certs = [base64.b64decode(result['result']['certificate'])] -- certs = (x509.load_der_x509_certificate(cert) for cert in certs) -- x509.write_certificate_list(certs, filename) -+ if 'certificate' in result['result']: -+ certs = [base64.b64decode(result['result']['certificate'])] -+ if certs: -+ x509.write_certificate_list( -+ (x509.load_der_x509_certificate(cert) for cert in certs), -+ filename) - - return result - -diff --git a/ipalib/messages.py b/ipalib/messages.py -index 9e2c990d6db8ee41daf3fba6085eed8355dccbe7..646662795648b5a44a5ce25b7610982d5500cfac 100644 ---- a/ipalib/messages.py -+++ b/ipalib/messages.py -@@ -487,6 +487,15 @@ class FailedToAddHostDNSRecords(PublicMessage): - "%(reason)s") - - -+class LightweightCACertificateNotAvailable(PublicMessage): -+ """ -+ **13031** Certificate is not available -+ """ -+ errno = 13031 -+ type = "error" -+ format = _("The certificate for %(ca)s is not available on this server.") -+ -+ - def iter_messages(variables, base): - """Return a tuple with all subclasses - """ -diff --git a/ipaserver/plugins/ca.py b/ipaserver/plugins/ca.py -index 88e7ec2a9f50a3c4f90947c8e3d38e327627a878..c8f1630c65d55ee9e820ea50ef34e08f92c66f4a 100644 ---- a/ipaserver/plugins/ca.py -+++ b/ipaserver/plugins/ca.py -@@ -6,7 +6,7 @@ import base64 - - import six - --from ipalib import api, errors, output, Bytes, DNParam, Flag, Str -+from ipalib import api, errors, messages, output, Bytes, DNParam, Flag, Str - from ipalib.constants import IPA_CA_CN - from ipalib.plugable import Registry - from ipapython.dn import ATTR_NAME_BY_OID -@@ -163,28 +163,53 @@ class ca(LDAPObject): - - - def set_certificate_attrs(entry, options, want_cert=True): -+ """ -+ Set certificate attributes into the entry. 
Depending on -+ options, this may contact Dogtag to retrieve certificate or -+ chain. If the retrieval fails with 404 (which can occur under -+ normal operation due to lightweight CA key replication delay), -+ return a message object that should be set in the response. -+ -+ """ - try: - ca_id = entry['ipacaid'][0] - except KeyError: -- return -+ return None - full = options.get('all', False) - want_chain = options.get('chain', False) - - want_data = want_cert or want_chain or full - if not want_data: -- return -+ return None -+ -+ msg = None - - with api.Backend.ra_lightweight_ca as ca_api: - if want_cert or full: -- der = ca_api.read_ca_cert(ca_id) -- entry['certificate'] = base64.b64encode(der).decode('ascii') -+ try: -+ der = ca_api.read_ca_cert(ca_id) -+ entry['certificate'] = base64.b64encode(der).decode('ascii') -+ except errors.HTTPRequestError as e: -+ if e.status == 404: # pylint: disable=no-member -+ msg = messages.LightweightCACertificateNotAvailable( -+ ca=entry['cn'][0]) -+ else: -+ raise e - - if want_chain or full: -- pkcs7_der = ca_api.read_ca_chain(ca_id) -- certs = x509.pkcs7_to_certs(pkcs7_der, x509.DER) -- ders = [cert.public_bytes(x509.Encoding.DER) for cert in certs] -- entry['certificate_chain'] = ders -- -+ try: -+ pkcs7_der = ca_api.read_ca_chain(ca_id) -+ certs = x509.pkcs7_to_certs(pkcs7_der, x509.DER) -+ ders = [cert.public_bytes(x509.Encoding.DER) for cert in certs] -+ entry['certificate_chain'] = ders -+ except errors.HTTPRequestError as e: -+ if e.status == 404: # pylint: disable=no-member -+ msg = messages.LightweightCACertificateNotAvailable( -+ ca=entry['cn'][0]) -+ else: -+ raise e -+ -+ return msg - - @register() - class ca_find(LDAPSearch): -@@ -198,7 +223,9 @@ class ca_find(LDAPSearch): - result = super(ca_find, self).execute(*keys, **options) - if not options.get('pkey_only', False): - for entry in result['result']: -- set_certificate_attrs(entry, options, want_cert=False) -+ msg = set_certificate_attrs(entry, options, 
want_cert=False) -+ if msg: -+ self.add_message(msg) - return result - - -@@ -220,7 +247,9 @@ class ca_show(LDAPRetrieve): - def execute(self, *keys, **options): - ca_enabled_check(self.api) - result = super(ca_show, self).execute(*keys, **options) -- set_certificate_attrs(result['result'], options) -+ msg = set_certificate_attrs(result['result'], options) -+ if msg: -+ self.add_message(msg) - return result - - -@@ -284,7 +313,9 @@ class ca_add(LDAPCreate): - return dn - - def post_callback(self, ldap, dn, entry_attrs, *keys, **options): -- set_certificate_attrs(entry_attrs, options) -+ msg = set_certificate_attrs(entry_attrs, options) -+ if msg: -+ self.add_message(msg) - return dn - - --- -2.20.1 - diff --git a/SOURCES/0021-Fix-CustodiaClient-ccache-handling.patch b/SOURCES/0021-Fix-CustodiaClient-ccache-handling.patch deleted file mode 100644 index ca91578..0000000 --- a/SOURCES/0021-Fix-CustodiaClient-ccache-handling.patch +++ /dev/null 
@@ -1,275 +0,0 @@ -From 384225411c41c74157eccbe1ae8d1800026f413e Mon Sep 17 00:00:00 2001 -From: Christian Heimes -Date: Wed, 12 Jun 2019 22:02:52 +0200 -Subject: [PATCH] Fix CustodiaClient ccache handling - -A CustodiaClient object has to the process environment a bit, e.g. set -up GSSAPI credentials. To reuse the credentials in libldap connections, -it is also necessary to set up a custom ccache store and to set the -environment variable KRBCCNAME temporarily. - -Fixes: https://pagure.io/freeipa/issue/7964 -Co-Authored-By: Fraser Tweedale -Signed-off-by: Christian Heimes -Reviewed-By: Christian Heimes -Reviewed-By: Fraser Tweedale -Reviewed-By: Alexander Bokovoy -Reviewed-By: Rob Crittenden ---- - install/tools/ipa-pki-retrieve-key | 33 ++++--- - ipaserver/secrets/client.py | 143 ++++++++++++++++------------- - 2 files changed, 100 insertions(+), 76 deletions(-) - -diff --git a/install/tools/ipa-pki-retrieve-key b/install/tools/ipa-pki-retrieve-key -index 5056682c3cdaa734be2dadcffd7de0b2d80afaf9..192022b9b40f076e88fd95d5cc8cf8305901dcf5 100755 ---- a/install/tools/ipa-pki-retrieve-key -+++ b/install/tools/ipa-pki-retrieve-key -@@ -2,9 +2,8 @@ - - from __future__ import print_function - -+import argparse - import os --import sys --import traceback - - from ipalib import constants - from ipalib.config import Env -@@ -16,27 +15,37 @@ def main(): - env = Env() - env._finalize() - -- keyname = "ca_wrapped/" + sys.argv[1] -- servername = sys.argv[2] -+ parser = argparse.ArgumentParser("ipa-pki-retrieve-key") -+ parser.add_argument("keyname", type=str) -+ parser.add_argument("servername", type=str) -+ -+ args = parser.parse_args() -+ keyname = "ca_wrapped/{}".format(args.keyname) - - service = constants.PKI_GSSAPI_SERVICE_NAME - client_keyfile = os.path.join(paths.PKI_TOMCAT, service + '.keys') - client_keytab = os.path.join(paths.PKI_TOMCAT, service + '.keytab') - -+ for filename in [client_keyfile, client_keytab]: -+ if not os.access(filename, os.R_OK): -+ 
parser.error( -+ "File '{}' missing or not readable.\n".format(filename) -+ ) -+ - # pylint: disable=no-member - client = CustodiaClient( -- client_service='%s@%s' % (service, env.host), server=servername, -- realm=env.realm, ldap_uri="ldaps://" + env.host, -- keyfile=client_keyfile, keytab=client_keytab, -- ) -+ client_service="{}@{}".format(service, env.host), -+ server=args.servername, -+ realm=env.realm, -+ ldap_uri="ldaps://" + env.host, -+ keyfile=client_keyfile, -+ keytab=client_keytab, -+ ) - - # Print the response JSON to stdout; it is already in the format - # that Dogtag's ExternalProcessKeyRetriever expects - print(client.fetch_key(keyname, store=False)) - - --try: -+if __name__ == '__main__': - main() --except BaseException: -- traceback.print_exc() -- sys.exit(1) -diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py -index 16e7856185aa9786007d3b7f8be0652f70fb4518..40df6c4e69cd673dd8e3c36fbf33f2cda8544a67 100644 ---- a/ipaserver/secrets/client.py -+++ b/ipaserver/secrets/client.py -@@ -1,93 +1,106 @@ - # Copyright (C) 2015 IPA Project Contributors, see COPYING for license - - from __future__ import print_function, absolute_import -+ -+import contextlib -+import os -+from base64 import b64encode -+ -+ - # pylint: disable=relative-import - from custodia.message.kem import KEMClient, KEY_USAGE_SIG, KEY_USAGE_ENC - # pylint: enable=relative-import - from jwcrypto.common import json_decode - from jwcrypto.jwk import JWK -+from ipalib.krb_utils import krb5_format_service_principal_name - from ipaserver.secrets.kem import IPAKEMKeys --from ipaserver.secrets.store import iSecStore -+from ipaserver.secrets.store import IPASecStore - from ipaplatform.paths import paths --from base64 import b64encode --import ldapurl - import gssapi --import os --import urllib3 - import requests - - --class CustodiaClient(object): -- -- def _client_keys(self): -- return self.ikk.server_keys -- -- def _server_keys(self, server, realm): -- principal = 'host/%s@%s' 
% (server, realm) -- sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG))) -- ek = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_ENC))) -- return (sk, ek) -- -- def _ldap_uri(self, realm): -- dashrealm = '-'.join(realm.split('.')) -- socketpath = paths.SLAPD_INSTANCE_SOCKET_TEMPLATE % (dashrealm,) -- return 'ldapi://' + ldapurl.ldapUrlEscape(socketpath) -- -- def _keystore(self, realm, ldap_uri, auth_type): -- config = dict() -- if ldap_uri is None: -- config['ldap_uri'] = self._ldap_uri(realm) -- else: -- config['ldap_uri'] = ldap_uri -- if auth_type is not None: -- config['auth_type'] = auth_type -+@contextlib.contextmanager -+def ccache_env(ccache): -+ """Temporarily set KRB5CCNAME environment variable -+ """ -+ orig_ccache = os.environ.get('KRB5CCNAME') -+ os.environ['KRB5CCNAME'] = ccache -+ try: -+ yield -+ finally: -+ os.environ.pop('KRB5CCNAME', None) -+ if orig_ccache is not None: -+ os.environ['KRB5CCNAME'] = orig_ccache - -- return iSecStore(config) - -- def __init__( -- self, client_service, keyfile, keytab, server, realm, -- ldap_uri=None, auth_type=None): -+class CustodiaClient(object): -+ def __init__(self, client_service, keyfile, keytab, server, realm, -+ ldap_uri=None, auth_type=None): -+ if client_service.endswith(realm) or "@" not in client_service: -+ raise ValueError( -+ "Client service name must be a GSS name (service@host), " -+ "not '{}'.".format(client_service) -+ ) - self.client_service = client_service - self.keytab = keytab -- -- # Init creds immediately to make sure they are valid. Creds -- # can also be re-inited by _auth_header to avoid expiry. 
-- # -- self.creds = self.init_creds() -- -- self.service_name = gssapi.Name('HTTP@%s' % (server,), -- gssapi.NameType.hostbased_service) - self.server = server -+ self.realm = realm -+ self.ldap_uri = ldap_uri -+ self.auth_type = auth_type -+ self.service_name = gssapi.Name( -+ 'HTTP@{}'.format(server), gssapi.NameType.hostbased_service -+ ) -+ self.keystore = IPASecStore() -+ # use in-process MEMORY ccache. Handler process don't need a TGT. -+ token = b64encode(os.urandom(8)).decode('ascii') -+ self.ccache = 'MEMORY:Custodia_{}'.format(token) -+ -+ with ccache_env(self.ccache): -+ # Init creds immediately to make sure they are valid. Creds -+ # can also be re-inited by _auth_header to avoid expiry. -+ self.creds = self._init_creds() -+ -+ self.ikk = IPAKEMKeys( -+ {'server_keys': keyfile, 'ldap_uri': ldap_uri} -+ ) -+ self.kemcli = KEMClient( -+ self._server_keys(), self._client_keys() -+ ) - -- self.ikk = IPAKEMKeys({'server_keys': keyfile, 'ldap_uri': ldap_uri}) -- -- self.kemcli = KEMClient(self._server_keys(server, realm), -- self._client_keys()) -- -- self.keystore = self._keystore(realm, ldap_uri, auth_type) -- -- # FIXME: Remove warnings about missing subjAltName for the -- # requests module -- urllib3.disable_warnings() -+ def _client_keys(self): -+ return self.ikk.server_keys - -- def init_creds(self): -- name = gssapi.Name(self.client_service, -- gssapi.NameType.hostbased_service) -- store = {'client_keytab': self.keytab, -- 'ccache': 'MEMORY:Custodia_%s' % b64encode( -- os.urandom(8)).decode('ascii')} -+ def _server_keys(self): -+ principal = krb5_format_service_principal_name( -+ 'host', self.server, self.realm -+ ) -+ sk = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_SIG))) -+ ek = JWK(**json_decode(self.ikk.find_key(principal, KEY_USAGE_ENC))) -+ return sk, ek -+ -+ def _init_creds(self): -+ name = gssapi.Name( -+ self.client_service, gssapi.NameType.hostbased_service -+ ) -+ store = { -+ 'client_keytab': self.keytab, -+ 'ccache': 
self.ccache -+ } - return gssapi.Credentials(name=name, store=store, usage='initiate') - - def _auth_header(self): -- if not self.creds or self.creds.lifetime < 300: -- self.creds = self.init_creds() -- ctx = gssapi.SecurityContext(name=self.service_name, creds=self.creds) -+ if self.creds.lifetime < 300: -+ self.creds = self._init_creds() -+ ctx = gssapi.SecurityContext( -+ name=self.service_name, -+ creds=self.creds -+ ) - authtok = ctx.step() - return {'Authorization': 'Negotiate %s' % b64encode( - authtok).decode('ascii')} - - def fetch_key(self, keyname, store=True): -- - # Prepare URL - url = 'https://%s/ipa/keys/%s' % (self.server, keyname) - -@@ -99,9 +112,11 @@ class CustodiaClient(object): - headers = self._auth_header() - - # Perform request -- r = requests.get(url, headers=headers, -- verify=paths.IPA_CA_CRT, -- params={'type': 'kem', 'value': request}) -+ r = requests.get( -+ url, headers=headers, -+ verify=paths.IPA_CA_CRT, -+ params={'type': 'kem', 'value': request} -+ ) - r.raise_for_status() - reply = r.json() - --- -2.20.1 - diff --git a/SOURCES/0022-CustodiaClient-use-ldapi-when-ldap_uri-not-specified.patch b/SOURCES/0022-CustodiaClient-use-ldapi-when-ldap_uri-not-specified.patch deleted file mode 100644 index db4220c..0000000 --- a/SOURCES/0022-CustodiaClient-use-ldapi-when-ldap_uri-not-specified.patch +++ /dev/null 
@@ -1,43 +0,0 @@
-From 531b0b66a74b100986ba086fc134fb5f2e587c69 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Wed, 19 Jun 2019 19:11:39 +1000
-Subject: [PATCH] CustodiaClient: use ldapi when ldap_uri not specified
-
-Reinstate ldap_uri selection behaviour that was lost during the
-refactor in the previous commit. This is required because, on the
-ipa-4-7 branch at least, the IPASecStore needs to use LDAPI to set
-the Directory Manager passphrase digest. Use LDAPI when the
-ldap_uri has not been explicity specified.
-
-Part of: https://pagure.io/freeipa/issue/7964
-
-Reviewed-By: Alexander Bokovoy
-Reviewed-By: Rob Crittenden
----
- ipaserver/secrets/client.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
-index 40df6c4e69cd673dd8e3c36fbf33f2cda8544a67..4c03ef8e4140dd507156d88941600a234b71184e 100644
---- a/ipaserver/secrets/client.py
-+++ b/ipaserver/secrets/client.py
-@@ -13,6 +13,7 @@ from custodia.message.kem import KEMClient, KEY_USAGE_SIG, KEY_USAGE_ENC
- from jwcrypto.common import json_decode
- from jwcrypto.jwk import JWK
- from ipalib.krb_utils import krb5_format_service_principal_name
-+from ipaserver.install.installutils import realm_to_ldapi_uri
- from ipaserver.secrets.kem import IPAKEMKeys
- from ipaserver.secrets.store import IPASecStore
- from ipaplatform.paths import paths
-@@ -46,7 +47,7 @@ class CustodiaClient(object):
- self.keytab = keytab
- self.server = server
- self.realm = realm
-- self.ldap_uri = ldap_uri
-+ self.ldap_uri = ldap_uri or realm_to_ldapi_uri(realm)
- self.auth_type = auth_type
- self.service_name = gssapi.Name(
- 'HTTP@{}'.format(server), gssapi.NameType.hostbased_service
---
-2.20.1
-
diff --git a/SOURCES/0023-CustodiaClient-fix-IPASecStore-config-on-ipa-4-7.patch b/SOURCES/0023-CustodiaClient-fix-IPASecStore-config-on-ipa-4-7.patch
deleted file mode 100644
index 66f78ae..0000000
--- a/SOURCES/0023-CustodiaClient-fix-IPASecStore-config-on-ipa-4-7.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 457131218990e7c6a9de21de0e3fb9e9ecf6a6fe Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Tue, 30 Jul 2019 16:21:35 +1000
-Subject: [PATCH] CustodiaClient: fix IPASecStore config on ipa-4-7
-
-The backport of a Custodia client fix for f30 and related refactors
-and improvements, to the ipa-4-7 branch, had no conflicts. But
-there is a change on newer branches that broke the backport. The
-running of Custodia handlers in separate processes simplified the
-configuration of the ISecStore. For ipa-4-7 we need to continue to
-explicitly configure it, so restore the old configuration behaviour.
-
-Part of: https://pagure.io/freeipa/issue/7964
-
-Reviewed-By: Alexander Bokovoy
-Reviewed-By: Rob Crittenden
----
- ipaserver/secrets/client.py | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/secrets/client.py b/ipaserver/secrets/client.py
-index 4c03ef8e4140dd507156d88941600a234b71184e..2363b081dbbf3671e8147497bb52811825bdf1a4 100644
---- a/ipaserver/secrets/client.py
-+++ b/ipaserver/secrets/client.py
-@@ -52,7 +52,12 @@ class CustodiaClient(object):
- self.service_name = gssapi.Name(
- 'HTTP@{}'.format(server), gssapi.NameType.hostbased_service
- )
-- self.keystore = IPASecStore()
-+
-+ config = {'ldap_uri': self.ldap_uri}
-+ if auth_type is not None:
-+ config['auth_type'] = auth_type
-+ self.keystore = IPASecStore(config)
-+
- # use in-process MEMORY ccache. Handler process don't need a TGT.
- token = b64encode(os.urandom(8)).decode('ascii')
- self.ccache = 'MEMORY:Custodia_{}'.format(token)
---
-2.20.1
-
diff --git a/SOURCES/0024-Bump-krb5-min-version.patch b/SOURCES/0024-Bump-krb5-min-version.patch
deleted file mode 100644
index 4da8584..0000000
--- a/SOURCES/0024-Bump-krb5-min-version.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From fc937b3b5ecc2743546cd2e0fa0193c390113579 Mon Sep 17 00:00:00 2001
-From: Fraser Tweedale
-Date: Wed, 25 Sep 2019 16:43:25 +1000
-Subject: [PATCH] Bump krb5 min version
-
-krb5-1.15.1-36 introduced a ccache behavioural change that broke
-lightweight CA key replication. The preceding commits (backported
-from the ipa-4-7 branch) fix this issue but this commit ensure that
-the correct version of krb5 is used with the updated FreeIPA code.
-
-Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1755223
-Reviewed-By: Rob Crittenden
----
- freeipa.spec.in | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index 4cca8b5159e8e38f79bad8df8af76ac7b8ed5387..0f96778f758cb21c01e31ff35e70c79f020aa2d3 100644
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -49,8 +49,8 @@
-
- %global alt_name ipa
- %if 0%{?rhel}
--# 1.15.1-7: certauth (http://krbdev.mit.edu/rt/Ticket/Display.html?id=8561)
--%global krb5_version 1.15.1-4
-+# 1.15.1-36: https://bugzilla.redhat.com/show_bug.cgi?id=1755223
-+%global krb5_version 1.15.1-36
- # 0.7.16: https://github.com/drkjam/netaddr/issues/71
- %global python_netaddr_version 0.7.5-8
- # Require 4.7.0 which brings Python 3 bindings
---
-2.20.1
-
diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
index e0e69ef..343474a 100644
--- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
+++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch
@@ -1,4 +1,4 @@
-From 4565a6730faa3eb5ea5da1e226d7a624930f86c5 Mon Sep 17 00:00:00 2001
+From d8fd3c7d8b326fc51a601bd00172a44c1adbe810 Mon Sep 17 00:00:00 2001
 From: Jan Cholasta
 Date: Tue, 14 Mar 2017 15:48:07 +0000
 Subject: [PATCH] Change branding to IPA and Identity Management
@@ -20,7 +20,7 @@ Subject: [PATCH] Change branding to IPA and Identity Management install/share/schema.d/README | 4 +- install/tools/ipa-adtrust-install | 4 +- install/tools/ipa-replica-conncheck | 2 +- - install/tools/man/ipa-adtrust-install.1 | 2 +- + install/tools/man/ipa-adtrust-install.1 | 4 +- install/tools/man/ipa-advise.1 | 4 +- install/tools/man/ipa-backup.1 | 2 +- install/tools/man/ipa-ca-install.1 | 2 +- @@ -61,7 +61,7 @@ Subject: [PATCH] Change branding to IPA and Identity Management ipaserver/install/server/replicainstall.py | 2 +- ipaserver/plugins/certprofile.py | 2 +- ipaserver/plugins/sudorule.py | 4 +- - 57 files changed, 171 insertions(+), 126 deletions(-) + 57 files changed, 172 insertions(+), 127 deletions(-) diff --git a/client/man/default.conf.5 b/client/man/default.conf.5 index f21d9d5b7a02e9c9858bb44cf3f2f4c16655901a..d6c1e42d1af3a2085451f43240d7e719143bb10b 100644 @@ -116,7 +116,7 @@ index b669b175af7df909f7b62dbce56cc219e154b153..9547288615698232458877afcd10a0de ipa\-client\-install \- Configure an IPA client .SH "SYNOPSIS" diff --git a/client/man/ipa-getkeytab.1 b/client/man/ipa-getkeytab.1 -index 39ff0d5da85b5a641328a512feeb06bc9c1ab9d7..bf1e72a3672a72554f9563a41d4eeed88bfd272b 100644 +index 21ba651c4ac78d09bc57d498b38591fdbfd1d151..acfc41ae1bd0a1b23536aa7d8a7fed4aa2ef5ed0 100644 --- a/client/man/ipa-getkeytab.1 +++ b/client/man/ipa-getkeytab.1 @@ -17,7 +17,7 @@ @@ -128,7 +128,7 @@ index 39ff0d5da85b5a641328a512feeb06bc9c1ab9d7..bf1e72a3672a72554f9563a41d4eeed8 .SH "NAME" ipa\-getkeytab \- Get a keytab for a Kerberos principal .SH "SYNOPSIS" -@@ -117,7 +117,7 @@ GSSAPI or EXTERNAL. +@@ -120,7 +120,7 @@ GSSAPI or EXTERNAL. \fB\-r\fR Retrieve mode. Retrieve an existing key from the server instead of generating a new one. This is incompatibile with the \-\-password option, and will work only @@ -315,7 +315,7 @@ index a91a2a7e7b18a9c78a1a7bb6daf59a13b72799fc..f63b6792aabbc6c08231176931703031 self.ports_open_cond = threading.Condition() 
diff --git a/install/tools/man/ipa-adtrust-install.1 b/install/tools/man/ipa-adtrust-install.1 -index b11065806f37174f0f2a0f84f9b606d981e0415d..9d535b72a382d6882263c17a2fec1646b890549c 100644 +index b11065806f37174f0f2a0f84f9b606d981e0415d..f70f316f6a49bd12f845941ba7f75d17c7054b90 100644 --- a/install/tools/man/ipa-adtrust-install.1 +++ b/install/tools/man/ipa-adtrust-install.1 @@ -16,7 +16,7 @@ @@ -327,6 +327,15 @@ index b11065806f37174f0f2a0f84f9b606d981e0415d..9d535b72a382d6882263c17a2fec1646 .SH "NAME" ipa\-adtrust\-install \- Prepare an IPA server to be able to establish trust relationships with AD domains .SH "SYNOPSIS" +@@ -87,7 +87,7 @@ ldapmodify command info the directory server. + .TP + \fB\-\-add\-agents\fR + Add IPA masters to the list that allows to serve information about +-users from trusted forests. Starting with FreeIPA 4.2, a regular IPA master ++users from trusted forests. Starting with IPA 4.2, a regular IPA master + can provide this information to SSSD clients. IPA masters aren't added + to the list automatically as restart of the LDAP service on each of them + is required. The host where ipa\-adtrust\-install is being run is added diff --git a/install/tools/man/ipa-advise.1 b/install/tools/man/ipa-advise.1 index 4c494aab90fe307bf0a2bf82677efda4b5e67e3e..515bbddbe4de8a38a2797d6aa5e95c1ae76fb718 100644 --- a/install/tools/man/ipa-advise.1 @@ -374,7 +383,7 @@ index 99ff918789f2178c7b1132b2e7d911900430f3cf..fb6382fcdddcb7358671b67e72c72a4d ipa\-ca\-install \- Install a CA on a server .SH "SYNOPSIS" diff --git a/install/tools/man/ipa-cacert-manage.1 b/install/tools/man/ipa-cacert-manage.1 -index 0cd34ee77e8b007073af2fbc66875c0e6c11bbfd..84fbc1a7cbe9715b8bdbd1aa9952605ed9bc5719 100644 +index 31df3d1973f4bf813e09b97561a3be654dd14a48..a08c8f76fb1c94c1baf3b26c8b165d5c7cd22c38 100644 --- a/install/tools/man/ipa-cacert-manage.1 +++ b/install/tools/man/ipa-cacert-manage.1 @@ -16,7 +16,7 @@ 
@@ -640,7 +649,7 @@ index 5f401818a47b64854c2f25fcab4ebb8f96cd3b9e..80a1e70bff1871678259c8436915420c ipa\-restore \- Restore an IPA master .SH "SYNOPSIS" diff --git a/install/tools/man/ipa-server-certinstall.1 b/install/tools/man/ipa-server-certinstall.1 -index 00fd03b6bc2184ec2bbc099fd9799551c07d2390..aa9bb7b8567beadcd068e03f7de21043373af281 100644 +index 79bd7c885d11423e86e77e76f3e9e3c06bbedb4c..3f12a5af275f769353812903d0ac6bcbe297903c 100644 --- a/install/tools/man/ipa-server-certinstall.1 +++ b/install/tools/man/ipa-server-certinstall.1 @@ -16,7 +16,7 @@ @@ -1049,7 +1058,7 @@ index 5ea4f2e1cc80c995997888aaf44f500524beb796..8bea61fd7ddeff0790b9d875afd24680 print("This includes:") if setup_ca: diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py -index 14e8b2c3a76525c6ec2a16ca26fa032aab694a59..bff4a0b501ac519c373ea045a721efaeb2d74e13 100644 +index cc349ae409cbe5106d69a5e5c96f2817caecff5a..e7efc52466679419ee38e44d5aa2fdfa5581f584 100644 --- a/ipaserver/install/server/replicainstall.py +++ b/ipaserver/install/server/replicainstall.py @@ -628,7 +628,7 @@ def check_domain_level_is_supported(current): @@ -1097,5 +1106,5 @@ index 643215985e932cae6e8d954596194032655b25d4..68baa0174ed88ede3f42092fb68150b5 """) + _(""" To enable the binddn run the following command to set the password: -- -2.20.1 +2.25.2 diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index 5c92c3a..8e7834e 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From bfc6576c84600adfd8a54acc773a23961e60e98c Mon Sep 17 00:00:00 2001 +From 963d491e7427c8d7513ed3ca1345e25b7fe7b377 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py 
@@ -10,10 +10,10 @@ This reverts commit f4c7f1dd8a9ce530a8291219a904686ee47e59c7. 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/freeipa.spec.in b/freeipa.spec.in -index 0f96778f758cb21c01e31ff35e70c79f020aa2d3..c71b257cd9a28c083c8bc95d13a4c1351916a385 100644 +index 8f10f383d2bbb66f460af599f23d6b310dbd4de6..fe0d0c4a9f1945fda49337d97433e1f0945b16fd 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in -@@ -1489,6 +1489,7 @@ fi +@@ -1495,6 +1495,7 @@ fi # END %dir %{_usr}/share/ipa %{_usr}/share/ipa/wsgi.py* @@ -22,10 +22,10 @@ index 0f96778f758cb21c01e31ff35e70c79f020aa2d3..c71b257cd9a28c083c8bc95d13a4c135 %{_usr}/share/ipa/*.ldif %{_usr}/share/ipa/*.uldif diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py -index 1f22d120478a6d4019663281d3191a27a5ee09ea..6f49b8bfa88e00388aec17f26169aa3df399193d 100644 +index 922185c4b948fa7a5d1bcab6b2be3b34e99f66d4..8fead26f50cb4f045db6d60f9ca71dd9312f0aea 100644 --- a/ipaserver/install/cainstance.py +++ b/ipaserver/install/cainstance.py -@@ -1579,9 +1579,11 @@ def replica_ca_install_check(config, promote): +@@ -1581,9 +1581,11 @@ def replica_ca_install_check(config, promote): else: logger.critical( 'The master CA directory server does not have necessary schema. ' @@ -40,5 +40,5 @@ index 1f22d120478a6d4019663281d3191a27a5ee09ea..6f49b8bfa88e00388aec17f26169aa3d -- -2.20.1 +2.25.2 diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index 1b8bb83..5c0e99f 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch @@ -1,4 +1,4 @@ -From 7f019c946a611ee6413e2620b94f9f5d8f721cc0 Mon Sep 17 00:00:00 2001 +From 31849721ba8daaa80cc00f831397279e199bf7b5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" 
@@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py -- -2.20.1 +2.25.2 diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index 61157d8..964a4c3 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From 132f0306e339e960ef4ab365a78f5cc2ac64cec6 Mon Sep 17 00:00:00 2001 +From 948eb2b86079a9c183cb693b2bc05633c975c2eb Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -39,7 +39,7 @@ https://bugzilla.redhat.com/show_bug.cgi?id=1432630 delete mode 100644 ipatests/test_ipaclient/data/test_csrgen/templates/identity_base.tmpl diff --git a/freeipa.spec.in b/freeipa.spec.in -index c71b257cd9a28c083c8bc95d13a4c1351916a385..8182b67e56fa16d636046a45b8fbc873a908cf45 100644 +index fe0d0c4a9f1945fda49337d97433e1f0945b16fd..779d517e98b2f7a8d422b2f727e3b45225c9d270 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -248,7 +248,6 @@ BuildRequires: python2-sssdconfig @@ -74,7 +74,7 @@ index c71b257cd9a28c083c8bc95d13a4c1351916a385..8182b67e56fa16d636046a45b8fbc873 %description -n python3-ipaclient IPA is an integrated solution to provide centrally managed Identity (users, -@@ -1623,13 +1619,6 @@ fi +@@ -1629,13 +1625,6 @@ fi %{python_sitelib}/ipaclient/remote_plugins/*.py* %dir %{python_sitelib}/ipaclient/remote_plugins/2_* %{python_sitelib}/ipaclient/remote_plugins/2_*/*.py* @@ -88,7 +88,7 @@ index c71b257cd9a28c083c8bc95d13a4c1351916a385..8182b67e56fa16d636046a45b8fbc873 %{python_sitelib}/ipaclient-*.egg-info -@@ -1654,13 +1643,6 @@ fi +@@ -1660,13 +1649,6 @@ fi %dir %{python3_sitelib}/ipaclient/remote_plugins/2_* %{python3_sitelib}/ipaclient/remote_plugins/2_*/*.py %{python3_sitelib}/ipaclient/remote_plugins/2_*/__pycache__/*.py* 
@@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000 @@ -1 +0,0 @@ -{{ options|join(";") }} -- -2.20.1 +2.25.2 diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch index 84eaf60..2be4fd2 100644 --- a/SOURCES/1005-Removing-filesystem-encoding-check.patch +++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch @@ -1,4 +1,4 @@ -From 71c6e313993ff468d3c5c58a2555825bebc09083 Mon Sep 17 00:00:00 2001 +From 7e066641bbb3407ec024aae0ef1c69cc188f6f36 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= Date: Fri, 10 Aug 2018 13:16:38 +0200 Subject: [PATCH] Removing filesystem encoding check @@ -62,7 +62,7 @@ index 6356d523e8c0ac63e8892292dd9991c9ee8211aa..ae940798779d20cb83b7f96a625c6fac # 1000 - 1999: Authentication errors class AuthenticationError(PublicError): diff --git a/ipalib/plugable.py b/ipalib/plugable.py -index 3a5a322f4b753302c58af9cfcb5a29f09e8350bb..535df5c007d99b73e5ff31f5fc4813c0fcf956ac 100644 +index 7d141fc43da731a59db42827ca6acae7f069bb09..4cfed1601378c9d5b33cdf57ae224c5015869e91 100644 --- a/ipalib/plugable.py +++ b/ipalib/plugable.py @@ -491,11 +491,6 @@ class API(ReadOnly): @@ -126,5 +126,5 @@ index b660532bd6e8db964b8287845ed1b5ebbcb43b9b..60309c58f250a263c8c3d13b0b47773b IPA_NOT_CONFIGURED = b'IPA is not configured on this system' IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system' -- -2.20.1 +2.25.2 diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index 0dd6e1a..eca3448 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -93,7 +93,7 @@ # Work-around fact that RPM SPEC parser does not accept # "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement -%define IPA_VERSION 4.6.6 +%define IPA_VERSION 4.6.8 %define AT_SIGN @ # redefine IPA_VERSION only if its value matches the Autoconf placeholder %if "%{IPA_VERSION}" == "%{AT_SIGN}VERSION%{AT_SIGN}" @@ -102,7 +102,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 8%{?dist} +Release: 2%{?dist} Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -110,43 +110,20 @@ License: GPLv3+ URL: http://www.freeipa.org/ Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz # RHEL spec file only: START: Change branding to IPA and Identity Management -#Source1: header-logo.png -#Source2: login-screen-background.jpg -#Source4: product-name.png +Source1: header-logo.png +Source2: login-screen-background.jpg +Source4: product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) # RHEL spec file only: START -Patch0001: 0001-extdom-unify-error-code-handling.patch -Patch0002: 0002-Use-unicode-strings-for-Python-2-version.patch -Patch0003: 0003-ipa_sam-remove-dependency-to-talloc_strackframe.h.patch -Patch0004: 0004-Remove-ZERO_STRUCT-call.patch -Patch0005: 0005-ipasam-use-SID-formatting-calls-to-libsss_idmap.patch -Patch0006: 0006-user-stage-transfer-all-attributes-from-preserved-to.patch -Patch0007: 0007-xmlrpc-test-add-test-for-preserved-stage-user.patch -Patch0008: 0008-Don-t-return-SSH-keys-with-ipa-host-find-pkey-only.patch -Patch0009: 0009-check-for-single-label-domains-only-during-server-in.patch -Patch0010: 0010-Don-t-configure-KEYRING-ccache-in-containers.patch -Patch0011: 0011-Add-container-environment-check-to-replicainstall.patch -Patch0012: 0012-add-default-access-control-when-migrating-trust-obje.patch -Patch0013: 0013-adtrust-add-default-read_keys-permission-for-TDO-obj.patch -Patch0014: 0014-Disable-deprecated-lambda-check-in-adtrust-upgrade-c.patch -Patch0015: 0015-Fix-segfault-in-ipadb_parse_ldap_entry.patch -Patch0016: 0016-ipa-restore-Restore-ownership-and-perms-on-389-ds-lo.patch -Patch0017: 0017-replica-install-enforce-server-arg.patch -Patch0018: 0018-Log-INFO-message-when-LDAP-connection-fails-on-start.patch -Patch0019: 0019-Fix-NULL-pointer-dereference-in-maybe_require_preaut.patch -Patch0020: 0020-Handle-missing-LWCA-certificate-or-chain.patch -Patch0021: 
0021-Fix-CustodiaClient-ccache-handling.patch -Patch0022: 0022-CustodiaClient-use-ldapi-when-ldap_uri-not-specified.patch -Patch0023: 0023-CustodiaClient-fix-IPASecStore-config-on-ipa-4-7.patch -Patch0024: 0024-Bump-krb5-min-version.patch +Patch0001: 0001-Add-interactive-prompt-for-the-LDAP-bind-password-to.patch +Patch0002: 0002-CVE-2020-1722-prevent-use-of-too-long-passwords.patch Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch Patch1002: 1002-Package-copy-schema-to-ca.py.patch Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch Patch1004: 1004-Remove-csrgen.patch Patch1005: 1005-Removing-filesystem-encoding-check.patch -Patch1006: ipa-centos-branding.patch # RHEL spec file only: END BuildRequires: libtool, automake, autoconf @@ -171,7 +148,8 @@ BuildRequires: python-setuptools %if 0%{?with_python3} BuildRequires: python3-devel BuildRequires: python3-setuptools -%endif # with_python3 +%endif +# with_python3 BuildRequires: systemd # systemd-tmpfiles which is executed from make install requires apache user BuildRequires: httpd @@ -208,7 +186,8 @@ BuildRequires: rhino BuildRequires: libverto-devel BuildRequires: libunistring-devel BuildRequires: python-lesscpy -%endif # ONLY_CLIENT +%endif +# ONLY_CLIENT # # Build dependencies for makeapi/makeaci @@ -234,7 +213,8 @@ BuildRequires: python2-wheel BuildRequires: python3-twine BuildRequires: python3-wheel %endif -%endif # with_wheels +%endif +# with_wheels # # Build dependencies for lint and fastcheck @@ -318,8 +298,10 @@ BuildRequires: python3-systemd # python-augeas >= 0.5 supports replace method BuildRequires: python3-augeas >= 0.5 BuildRequires: python3-ldap >= %{python3_ldap_version} -%endif # with_python3 -%endif # with_lint +%endif +# with_python3 +%endif +# with_lint # # Build dependencies for unit tests 
@@ -328,7 +310,8 @@ BuildRequires: python3-ldap >= %{python3_ldap_version} BuildRequires: libcmocka-devel # Required by ipa_kdb_tests BuildRequires: %{_libdir}/krb5/plugins/kdb/db2.so -%endif # ONLY_CLIENT +%endif +# ONLY_CLIENT %description IPA is an integrated solution to provide centrally managed Identity (users, @@ -350,8 +333,9 @@ Requires: python2-ipaserver = %{version}-%{release} Requires: python-ldap >= %{python2_ldap_version} Requires: 389-ds-base >= %{ds_version} Requires: openldap-clients > 2.4.35-4 -Requires: nss >= 3.14.3-12.0 -Requires: nss-tools >= 3.14.3-12.0 +# nss 3.44: https://bugzilla.redhat.com/show_bug.cgi?id=1754902 +Requires: nss >= 3.44.0-7 +Requires: nss-tools >= 3.44.0-7 Requires(post): krb5-server >= %{krb5_version} Requires(post): krb5-server >= %{krb5_base_version}, krb5-server < %{krb5_base_version}.100 Requires: krb5-pkinit-openssl >= %{krb5_version} @@ -417,7 +401,7 @@ Conflicts: ipa-tests < 3.3.3-9 # RHEL spec file only: START # https://bugzilla.redhat.com/show_bug.cgi?id=1296140 -Obsoletes: redhat-access-plugin-ipa +Obsoletes: redhat-access-plugin-ipa <= 0.9.1-2 Conflicts: redhat-access-plugin-ipa # RHEL spec file only: END @@ -495,7 +479,8 @@ features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If you are installing an IPA server, you need to install this package. -%endif # with_python3 +%endif +# with_python3 %package server-common @@ -574,7 +559,8 @@ Cross-realm trusts with Active Directory in IPA require working Samba 4 installation. This package is provided for convenience to install all required dependencies at once. -%endif # ONLY_CLIENT +%endif +# ONLY_CLIENT %package client 
@@ -672,7 +658,8 @@ and integration with Active Directory based infrastructures (Trusts). If your network uses IPA for authentication, this package should be installed on every client machine. -%endif # with_python3 +%endif +# with_python3 %package client-common @@ -818,7 +805,8 @@ features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). If you are using IPA with Python 3, you need to install this package. -%endif # with_python3 +%endif +# with_python3 %package common @@ -909,9 +897,11 @@ features for further integration with Linux based clients (SUDO, automount) and integration with Active Directory based infrastructures (Trusts). This package contains tests that verify IPA functionality under Python 3. -%endif # with_python3 +%endif +# with_python3 -%endif # with_ipatests +%endif +# with_ipatests %prep @@ -942,12 +932,13 @@ done # Workaround: We want to build Python things twice. To be sure we do not mess # up something, do two separate builds in separate directories. cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3 -%endif # with_python3 +%endif +# with_python3 # RHEL spec file only: START: Change branding to IPA and Identity Management -#cp %SOURCE1 install/ui/images/header-logo.png -#cp %SOURCE2 install/ui/images/login-screen-background.jpg -#cp %SOURCE4 install/ui/images/product-name.png +cp %SOURCE1 install/ui/images/header-logo.png +cp %SOURCE2 install/ui/images/login-screen-background.jpg +cp %SOURCE4 install/ui/images/product-name.png # RHEL spec file only: END: Change branding to IPA and Identity Management @@ -994,7 +985,8 @@ find \ %{with_ipatests_option} \ %{linter_options} popd -%endif # with_python3 +%endif +# with_python3 %check make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir} 
@@ -1024,10 +1016,12 @@ pushd %{_builddir}/freeipa-%{version}-python3 (cd ipapython && %make_install) %if ! %{ONLY_CLIENT} (cd ipaserver && %make_install) -%endif # ONLY_CLIENT +%endif +# ONLY_CLIENT %if 0%{?with_ipatests} (cd ipatests && %make_install) -%endif # with_ipatests +%endif +# with_ipatests popd %if 0%{?with_ipatests} @@ -1037,9 +1031,11 @@ mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{p ln -s %{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3 ln -s %{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3 ln -s %{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3 -%endif # with_ipatests +%endif +# with_ipatests -%endif # with_python3 +%endif +# with_python3 # Python 2 installation %make_install @@ -1051,7 +1047,8 @@ mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{p ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests-2 ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config-2 ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task-2 -%endif # with_ipatests +%endif +# with_ipatests # Decide which Python (2 or 3) should be used as default for tests %if 0%{?with_ipatests} @@ -1065,8 +1062,10 @@ ln -s %{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-tes ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task -%endif # with_python3 -%endif # with_ipatests +%endif +# with_python3 +%endif +# with_ipatests # remove files which are useful only for make uninstall find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \; 
@@ -1117,14 +1116,16 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so cp contrib/copy-schema-to-ca-RHEL6.py %{buildroot}%{_usr}/share/ipa/copy-schema-to-ca.py # RHEL spec file only: END: Package copy-schema-to-ca.py -%endif # ONLY_CLIENT +%endif +# ONLY_CLIENT /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt %if ! %{ONLY_CLIENT} mkdir -p %{buildroot}%{_sysconfdir}/cron.d -%endif # ONLY_CLIENT +%endif +# ONLY_CLIENT %clean @@ -1223,7 +1224,8 @@ if [ $1 -eq 0 ]; then /bin/systemctl reload-or-try-restart oddjobd fi -%endif # ONLY_CLIENT +%endif +# ONLY_CLIENT %post client @@ -1261,6 +1263,10 @@ if [ $1 -gt 1 ] ; then if [ $restore -ge 2 ]; then python2 -c 'from ipaclient.install.client import update_ipa_nssdb; update_ipa_nssdb()' >/var/log/ipaupgrade.log 2>&1 fi + + if [ $restore -ge 2 ]; then + sed -E --in-place=.orig 's/^(HostKeyAlgorithms ssh-rsa,ssh-dss)$/# disabled by ipa-client update\n# \1/' /etc/ssh/ssh_config + fi fi @@ -1343,6 +1349,7 @@ fi %{_libexecdir}/ipa/ipa-otpd %dir %{_libexecdir}/ipa/oddjob %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck +%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf %dir %{_libexecdir}/ipa/certmonger @@ -1414,7 +1421,8 @@ fi %{python3_sitelib}/ipaserver %{python3_sitelib}/ipaserver-*.egg-info -%endif # with_python3 +%endif +# with_python3 %files server-common @@ -1531,7 +1539,8 @@ fi %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf %%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains -%endif # ONLY_CLIENT +%endif +# ONLY_CLIENT %files client 
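Review bot: The new `%post client` step runs `sed --in-place=.orig` on `/etc/ssh/ssh_config` without checking that the file exists or matching first, and GNU sed rewrites the file and writes the `.orig` backup even when the pattern does not match, so on every later upgrade where `$restore -ge 2` the backup is overwritten with the already-edited file and the pre-change original is lost after the second run. Gate the edit on an actual match, e.g. `if [ $restore -ge 2 ] && [ -f /etc/ssh/ssh_config ] && grep -q '^HostKeyAlgorithms ssh-rsa,ssh-dss$' /etc/ssh/ssh_config; then`, and add `--follow-symlinks` so a symlinked ssh_config is not replaced by a regular file. If the file is missing sed exits non-zero; whether that aborts the scriptlet depends on the preamble of `%post client`, which, like the computation of `$restore`, is outside this hunk. The anchored pattern only matches the exact line the old client wrote; presumably that is intended, but a comment saying so would save the next reader a search: `# undo the HostKeyAlgorithms override written by older ipa-client-install (rhbz#1771356)`.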
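Review bot: The newly packaged root-run helper `%{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent` is only as restricted as the policy files listed right after it, `%{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf` and `%{_sysconfdir}/oddjobd.conf.d/ipa-server.conf`, and both are `%config(noreplace)`, so on a host where an admin has edited either one the updated policy registering the helper lands as `.rpmnew` and the new method is unreachable until the admin merges it. That fails closed, but it is worth confirming that the 4.6.8 versions of those two files do carry the entry and whether a release note is needed; neither the helper source nor the policy contents are in this diff. A short comment above the new line naming what it serves (the changelog in this diff only hints at it via #1817919) would help the next packager: `# oddjob helper used when enabling trust agents on replicas`.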
@@ -1597,7 +1606,8 @@ fi # RHEL spec file only: DELETED: Remove csrgen %{python3_sitelib}/ipaclient-*.egg-info -%endif # with_python3 +%endif +# with_python3 %files client-common @@ -1612,7 +1622,6 @@ fi %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert8.db %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key3.db %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/secmod.db -%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt # new sql format %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/cert9.db %ghost %attr(644,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/key4.db @@ -1672,7 +1681,8 @@ fi %{python3_sitelib}/ipaplatform-*.egg-info %{python3_sitelib}/ipaplatform-*-nspkg.pth -%endif # with_python3 +%endif +# with_python3 %if 0%{?with_ipatests} 
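Review bot: Dropping the `%ghost %attr(600,root,root) %config(noreplace) %{_sysconfdir}/ipa/nssdb/pwdfile.txt` line means rpm no longer owns the NSS database password file: if the client still writes it, the file survives `rpm -e ipa-client-common` and `rpm -V` / `--setperms` stop enforcing `0600,root,root` on it; if this mirrors an upstream 4.6.8 change that stops writing it, existing installs still carry the old copy and nothing in this diff removes it. Either keep the entry or add a cleanup on upgrade (the `update_ipa_nssdb` path in `%post client` looks like the natural place) so a stale secrets file is not left behind. None of the changelog entries in this diff mention the removal; a one-line comment next to the remaining nssdb ghosts, `# pwdfile.txt is no longer packaged: <reason / upstream commit>`, would record the rationale.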
@@ -1711,14 +1721,85 @@ fi %{_bindir}/ipa-test-config-%{python3_version} %{_bindir}/ipa-test-task-%{python3_version} -%endif # with_python3 +%endif +# with_python3 -%endif # with_ipatests +%endif +# with_ipatests %changelog -* Sat Nov 02 2019 CentOS Sources - 4.6.6-8.el7.centos -- Roll in CentOS Branding +* Wed Apr 15 2020 Florence Blanc-Renaud - 4.6.8-2.el7 +- Resolves: #1802408 CVE-2020-1722 ipa: No password length restriction leads to denial of service + - Add interactive prompt for the LDAP bind password to ipa-getkeytab + - CVE-2020-1722: prevent use of too long passwords + +* Thu Apr 2 2020 Florence Blanc-Renaud - 4.6.8-1.el7 +- Resolves: #1819725 - Rebase IPA to latest 4.6.x version +- Resolves: #1817927 - host-add --password logs cleartext userpassword to Apache error log +- Resolves: #1817923 - IPA upgrade is failing with error "Failed to get request: bus, object_path and dbus_interface must not be None." +- Resolves: #1817922 - covscan memory leaks report +- Resolves: #1817919 - Enable compat tree to provide information about AD users and groups on trust agents +- Resolves: #1817918 - Secure tomcat AJP connector +- Resolves: #1817886 - ipa group-add-member: prevent adding IPA objects as external members +- Resolves: #1788718 - ipa-server-install incorrectly setting slew mode (-x) when setting up ntpd + +* Tue Mar 24 2020 Florence Blanc-Renaud - 4.6.6-12.el7 +- Resolves: #1754902 - Running ipa-server-install fails when RHEL 7.7 packages are installed on RHEL 7.6 +- Resolves: #1404770 - ID Views: do not allow custom Views for the masters + - idviews: prevent applying to a master +- Resolves: #1801791 - Compatibility Schema difference in functionality for systems following RHEL 7.5 -> 7.6 upgrade path as opposed to new RHEL 7.6 systems + - install/updates: move external members past schema compat update +- Resolves: #1795890 - ipa-pkinit-manage enable fails on replica if it doesn't host the CA + - pkinit setup: fix regression on master install + - pkinit 
enable: use local dogtag only if host has CA +- Resolves: #1788907 - Renewed certs are not picked up by IPA CAs + - Allow an empty cookie in dogtag-ipa-ca-renew-agent-submit +- Resolves: #1780548 - Man page ipa-cacert-manage does not display correctly on RHEL + - ipa-cacert-manage man page: fix indentation +- Resolves: #1782587 - add "systemctl restart sssd" to warning message when adding trust agents to replicas + - adtrust.py: mention restarting sssd when adding trust agents +- Resolves: #1771356 - Default client configuration breaks ssh in FIPS mode + - Use default ssh host key algorithms +- Resolves: #1755535 - ipa-advise on a RHEL7 IdM server is not able to generate a configuration script for a RHEL8 IdM client + - smartcard: make the ipa-advise script compatible with authselect/authconfig +- Resolves: #1758406 - KRA authentication fails when IPA CA has custom Subject DN + - upgrade: fix ipakra people entry 'description' attribute + - krainstance: set correct issuer DN in uid=ipakra entry +- Resolves: #1756568 - ipa-server-certinstall man page does not match built-in help + - ipa-server-certinstall manpage: add missing options +- Resolves: #1206690 - UPG not being enforced properly + - ipa user_add: do not check group if UPG is disabled +- Resolves: #1811982 - CVE-2018-14042 ipa: bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip. 
+- Resolves: #1811978 - CVE-2018-14040 ipa: bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute +- Resolves: #1811972 - CVE-2016-10735 ipa: bootstrap: XSS in the data-target attribute +- Resolves: #1811969 -CVE-2018-20676 ipa: bootstrap: XSS in the tooltip data-viewport attribute +- Resolves: #1811966 - CVE-2018-20677 ipa: bootstrap: XSS in the affix configuration target property +- Resolves: #1811962 - CVE-2019-8331 ipa: bootstrap: XSS in the tooltip or popover data-template attribute + - Web UI: Upgrade Bootstrap version 3.3.7 -> 3.4.1 +- Resolves: #1769791 - Invisible part of notification area in Web UI intercepts clicks of some page elements + - WebUI: Fix notification area layout +- Resolves: #1545755 - ipa-replica-prepare should not update pki admin password + - Fix indentation levels + - ipa-pwd-extop: use SLAPI_BIND_TARGET_SDN + - ipa-pwd-extop: don't check password policy for non-Kerberos account set by DM or a passsync manager + - Don't save password history on non-Kerberos accounts + +* Wed Dec 4 2019 Florence Blanc-Renaud - 4.6.6-11.el7 +- Resolves: #1778777 - After upgrade AD Trust Agents were removed from LDAP + - trust upgrade: ensure that host is member of adtrust agents + +* Tue Nov 26 2019 Florence Blanc-Renaud - 4.6.6-10.el7 +- Resolves: #1728123 - EMBARGOED CVE-2019-10195 ipa: FreeIPA: batch API logging user passwords to /var/log/httpd/error_log [rhel-7] + - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch +- Resolves: #1773550 - IPA upgrade fails for latest ipa package when adtrust is installed + - Do not run trust upgrade code if master lacks Samba bindings +- Resolves: #1767302 - EMBARGOED CVE-2019-14867 ipa: Denial of service in IPA server due to wrong use of ber_scanf() [rhel-7.8] + - Make sure to have storage space for tag + +* Wed Oct 30 2019 Florence Blanc-Renaud - 4.6.6-9.el7 +- Resolves: #1762317 - ipa-backup command is failing on rhel-7.8 + - ipa-backup: fix python2 issue with 
os.mkdir * Mon Sep 30 2019 Florence Blanc-Renaud - 4.6.6-8.el7 - Resolves: #1755223 - Sub-CA key replication failure