diff --git a/.gitignore b/.gitignore
index 34c1a4e..d9c893f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/freeipa-4.9.6.tar.gz
+SOURCES/freeipa-4.9.8.tar.gz
diff --git a/.ipa.metadata b/.ipa.metadata
index ab790ce..15ef586 100644
--- a/.ipa.metadata
+++ b/.ipa.metadata
@@ -1 +1 @@
-b7b91082908db35e4acbcd0221b8df4044913dc1 SOURCES/freeipa-4.9.6.tar.gz
+38641a7f95779ba35089fcc10e25ec82a9b0248e SOURCES/freeipa-4.9.8.tar.gz
diff --git a/README.debrand b/README.debrand
deleted file mode 100644
index 01c46d2..0000000
--- a/README.debrand
+++ /dev/null
@@ -1,2 +0,0 @@
-Warning: This package was configured for automatic debranding, but the changes
-failed to apply.
diff --git a/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch b/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
new file mode 100644
index 0000000..943e986
--- /dev/null
+++ b/SOURCES/0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
@@ -0,0 +1,70 @@
+From 0d44e959e5bbe822b51137a8e7cf48fa25533805 Mon Sep 17 00:00:00 2001
+From: Rafael Guterres Jeffman <rjeffman@redhat.com>
+Date: Fri, 10 Dec 2021 12:15:36 -0300
+Subject: [PATCH] Revert "freeipa.spec: depend on bind-dnssec-utils"
+
+This reverts commit f89d59b6e18b54967682f6a37ce92ae67ab3fcda.
+---
+ freeipa.spec.in | 4 +---
+ ipaplatform/base/paths.py | 2 +-
+ ipaplatform/fedora/paths.py | 1 +
+ ipaserver/dnssec/bindmgr.py | 1 -
+ 4 files changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/freeipa.spec.in b/freeipa.spec.in
+index 8f5c370e5..e20edb7bc 100755
+--- a/freeipa.spec.in
++++ b/freeipa.spec.in
+@@ -576,11 +576,9 @@ Requires: %{name}-server = %{version}-%{release}
+ Requires: bind-dyndb-ldap >= 11.2-2
+ Requires: bind >= %{bind_version}
+ Requires: bind-utils >= %{bind_version}
+-# bind-dnssec-utils is required by the OpenDNSSec integration
+-# https://pagure.io/freeipa/issue/9026
+-Requires: bind-dnssec-utils >= %{bind_version}
+ %if %{with bind_pkcs11}
+ Requires: bind-pkcs11 >= %{bind_version}
++Requires: bind-pkcs11-utils >= %{bind_version}
+ %else
+ Requires: softhsm >= %{softhsm_version}
+ Requires: openssl-pkcs11 >= %{openssl_pkcs11_version}
+diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
+index 7d21367ec..42a47f1df 100644
+--- a/ipaplatform/base/paths.py
++++ b/ipaplatform/base/paths.py
+@@ -259,7 +259,7 @@ class BasePathNamespace:
+ IPA_PKI_RETRIEVE_KEY = "/usr/libexec/ipa/ipa-pki-retrieve-key"
+ IPA_HTTPD_PASSWD_READER = "/usr/libexec/ipa/ipa-httpd-pwdreader"
+ IPA_PKI_WAIT_RUNNING = "/usr/libexec/ipa/ipa-pki-wait-running"
+- DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel-pkcs11"
+ GETSEBOOL = "/usr/sbin/getsebool"
+ GROUPADD = "/usr/sbin/groupadd"
+ USERMOD = "/usr/sbin/usermod"
+diff --git a/ipaplatform/fedora/paths.py b/ipaplatform/fedora/paths.py
+index 4e993c063..92a948966 100644
+--- a/ipaplatform/fedora/paths.py
++++ b/ipaplatform/fedora/paths.py
+@@ -36,6 +36,7 @@ class FedoraPathNamespace(RedHatPathNamespace):
+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
+ if HAS_NFS_CONF:
+ SYSCONFIG_NFS = '/etc/nfs.conf'
++ DNSSEC_KEYFROMLABEL = "/usr/sbin/dnssec-keyfromlabel"
+
+
+ paths = FedoraPathNamespace()
+diff --git a/ipaserver/dnssec/bindmgr.py b/ipaserver/dnssec/bindmgr.py
+index 0c79cc03d..a15c0e601 100644
+--- a/ipaserver/dnssec/bindmgr.py
++++ b/ipaserver/dnssec/bindmgr.py
+@@ -127,7 +127,6 @@ class BINDMgr:
+ )
+ cmd = [
+ paths.DNSSEC_KEYFROMLABEL,
+- '-E', 'pkcs11',
+ '-K', workdir,
+ '-a', attrs['idnsSecAlgorithm'][0],
+ '-l', uri
+--
+2.31.1
+
diff --git a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch b/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
deleted file mode 100644
index 22f37ad..0000000
--- a/SOURCES/0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
+++ /dev/null
@@ -1,136 +0,0 @@
-From e713c227bb420a841ce3ae146bca55a84a1b0dbf Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Jun 2021 14:36:51 +0200
-Subject: [PATCH] paths: add IPA_SERVER_CONF
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Related: https://pagure.io/freeipa/issue/8891
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Stanislav Levin <slev@altlinux.org>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaplatform/base/paths.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index 91423b332..de217d9ef 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -71,6 +71,7 @@ class BasePathNamespace:
- IPA_DEFAULT_CONF = "/etc/ipa/default.conf"
- IPA_DNSKEYSYNCD_KEYTAB = "/etc/ipa/dnssec/ipa-dnskeysyncd.keytab"
- IPA_ODS_EXPORTER_KEYTAB = "/etc/ipa/dnssec/ipa-ods-exporter.keytab"
-+ IPA_SERVER_CONF = "/etc/ipa/server.conf"
- DNSSEC_OPENSSL_CONF = "/etc/ipa/dnssec/openssl.cnf"
- DNSSEC_SOFTHSM2_CONF = "/etc/ipa/dnssec/softhsm2.conf"
- DNSSEC_SOFTHSM_PIN_SO = "/etc/ipa/dnssec/softhsm_pin_so"
---
-2.31.1
-
-From ee4be290e1583834a573c3896ee1d97b3fbb6c24 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Tue, 22 Jun 2021 14:45:49 +0200
-Subject: [PATCH] ipatests: smoke test for server debug mode.
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Add a smoke test to make sure the server can be set in debug mode
-without issue.
-
-Related: https://pagure.io/freeipa/issue/8891
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Stanislav Levin <slev@altlinux.org>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- .../test_integration/test_installation.py | 27 +++++++++++++++++++
- 1 file changed, 27 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index 301767b8d..0c96536f0 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -703,6 +703,33 @@ class TestInstallMaster(IntegrationTest):
- def test_install_master(self):
- tasks.install_master(self.master, setup_dns=False)
-
-+ @pytest.mark.skip_if_platform(
-+ "debian", reason="This test hardcodes the httpd service name"
-+ )
-+ def test_smoke_test_for_debug_mode(self):
-+ """Test if an IPA server works in debug mode.
-+ Related: https://pagure.io/freeipa/issue/8891
-+
-+ Note: this test hardcodes the "httpd" service name.
-+ """
-+
-+ target_fname = paths.IPA_SERVER_CONF
-+ assert not self.master.transport.file_exists(target_fname)
-+
-+ # set the IPA server in debug mode
-+ server_conf = "[global]\ndebug=True"
-+ self.master.put_file_contents(target_fname, server_conf)
-+ self.master.run_command(["systemctl", "restart", "httpd"])
-+
-+ # smoke test in debug mode
-+ tasks.kdestroy_all(self.master)
-+ tasks.kinit_admin(self.master)
-+ self.master.run_command(["ipa", "user-show", "admin"])
-+
-+ # rollback
-+ self.master.run_command(["rm", target_fname])
-+ self.master.run_command(["systemctl", "restart", "httpd"])
-+
- def test_schema_compat_attribute_and_tree_disable(self):
- """Test if schema-compat-entry-attribute is set
-
---
-2.31.1
-
-From 1539c7383116647ad9c5b125b343f972e9c9653b Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Fran=C3=A7ois=20Cami?= <fcami@redhat.com>
-Date: Wed, 23 Jun 2021 06:35:19 +0200
-Subject: [PATCH] rpcserver.py: perf_counter_ns is Python 3.7+
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-perf_counter_ns is only available in Python 3.7 and later.
-Define a lambda for 3.6 and lower.
-
-Fixes: https://pagure.io/freeipa/issue/8891
-Signed-off-by: François Cami <fcami@redhat.com>
-Reviewed-By: Stanislav Levin <slev@altlinux.org>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- ipaserver/rpcserver.py | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
-index b121316bf..e612528e0 100644
---- a/ipaserver/rpcserver.py
-+++ b/ipaserver/rpcserver.py
-@@ -31,6 +31,7 @@ import os
- import time
- import traceback
- from io import BytesIO
-+from sys import version_info
- from urllib.parse import parse_qs
- from xmlrpc.client import Fault
-
-@@ -72,6 +73,10 @@ from requests.auth import AuthBase
- if six.PY3:
- unicode = str
-
-+# time.perf_counter_ns appeared in Python 3.7.
-+if version_info < (3, 7):
-+ time.perf_counter_ns = lambda: int(time.perf_counter() * 10**9)
-+
- logger = logging.getLogger(__name__)
-
- HTTP_STATUS_SUCCESS = '200 Success'
---
-2.31.1
-
diff --git a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch b/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
deleted file mode 100644
index 81b6c45..0000000
--- a/SOURCES/0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
+++ /dev/null
@@ -1,272 +0,0 @@
-From a5d2857297cfcf87ed8973df96e89ebcef22850d Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Mon, 8 Mar 2021 18:15:50 +0100
-Subject: [PATCH] Add checks to prevent adding auth indicators to internal IPA
- services
-
-Authentication indicators should not be enforced against internal
-IPA services, since not all users of those services are able to produce
-Kerberos tickets with all the auth indicator options. This includes
-host, ldap, HTTP and cifs in IPA server and cifs in IPA clients.
-If a client that is being promoted to replica has an auth indicator
-in its host principal then the promotion is aborted.
-
-Fixes: https://pagure.io/freeipa/issue/8206
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
- ipaserver/install/server/replicainstall.py | 13 ++++++++++++
- ipaserver/plugins/host.py | 5 ++++-
- ipaserver/plugins/service.py | 24 ++++++++++++++++++++++
- 3 files changed, 41 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index 73967a224..f1fb91036 100644
---- a/ipaserver/install/server/replicainstall.py
-+++ b/ipaserver/install/server/replicainstall.py
-@@ -770,6 +770,15 @@ def promotion_check_ipa_domain(master_ldap_conn, basedn):
- ))
-
-
-+def promotion_check_host_principal_auth_ind(conn, hostdn):
-+ entry = conn.get_entry(hostdn, ['krbprincipalauthind'])
-+ if 'krbprincipalauthind' in entry:
-+ raise RuntimeError(
-+ "Client cannot be promoted to a replica if the host principal "
-+ "has an authentication indicator set."
-+ )
-+
-+
- @common_cleanup
- @preserve_enrollment_state
- def promote_check(installer):
-@@ -956,6 +965,10 @@ def promote_check(installer):
- config.master_host_name, None)
-
- promotion_check_ipa_domain(conn, remote_api.env.basedn)
-+ hostdn = DN(('fqdn', api.env.host),
-+ api.env.container_host,
-+ api.env.basedn)
-+ promotion_check_host_principal_auth_ind(conn, hostdn)
-
- # Make sure that domain fulfills minimal domain level
- # requirement
-diff --git a/ipaserver/plugins/host.py b/ipaserver/plugins/host.py
-index eb1f8ef04..41fa933e2 100644
---- a/ipaserver/plugins/host.py
-+++ b/ipaserver/plugins/host.py
-@@ -38,7 +38,7 @@ from .baseldap import (LDAPQuery, LDAPObject, LDAPCreate,
- LDAPAddAttributeViaOption,
- LDAPRemoveAttributeViaOption)
- from .service import (
-- validate_realm, normalize_principal,
-+ validate_realm, validate_auth_indicator, normalize_principal,
- set_certificate_attrs, ticket_flags_params, update_krbticketflags,
- set_kerberos_attrs, rename_ipaallowedtoperform_from_ldap,
- rename_ipaallowedtoperform_to_ldap, revoke_certs)
-@@ -735,6 +735,8 @@ class host_add(LDAPCreate):
- update_krbticketflags(ldap, entry_attrs, attrs_list, options, False)
- if 'krbticketflags' in entry_attrs:
- entry_attrs['objectclass'].append('krbticketpolicyaux')
-+ validate_auth_indicator(entry_attrs)
-+
- return dn
-
- def post_callback(self, ldap, dn, entry_attrs, *keys, **options):
-@@ -993,6 +995,7 @@ class host_mod(LDAPUpdate):
- if 'krbprincipalaux' not in (item.lower() for item in
- entry_attrs['objectclass']):
- entry_attrs['objectclass'].append('krbprincipalaux')
-+ validate_auth_indicator(entry_attrs)
-
- add_sshpubkey_to_attrs_pre(self.context, attrs_list)
-
-diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
-index 1c9347804..cfbbff3c6 100644
---- a/ipaserver/plugins/service.py
-+++ b/ipaserver/plugins/service.py
-@@ -201,6 +201,28 @@ def validate_realm(ugettext, principal):
- raise errors.RealmMismatch()
-
-
-+def validate_auth_indicator(entry):
-+ new_value = entry.get('krbprincipalauthind', None)
-+ if not new_value:
-+ return
-+ # The following services are considered internal IPA services
-+ # and shouldn't be allowed to have auth indicators.
-+ # https://pagure.io/freeipa/issue/8206
-+ pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
-+ principal = kerberos.Principal(pkey)
-+ server = api.Command.server_find(principal.hostname)['result']
-+ if server:
-+ prefixes = ("host", "cifs", "ldap", "HTTP")
-+ else:
-+ prefixes = ("cifs",)
-+ if principal.service_name in prefixes:
-+ raise errors.ValidationError(
-+ name='krbprincipalauthind',
-+ error=_('authentication indicators not allowed '
-+ 'in service "%s"' % principal.service_name)
-+ )
-+
-+
- def normalize_principal(value):
- """
- Ensure that the name in the principal is lower-case. The realm is
-@@ -652,6 +674,7 @@ class service_add(LDAPCreate):
- hostname)
-
- self.obj.validate_ipakrbauthzdata(entry_attrs)
-+ validate_auth_indicator(entry_attrs)
-
- if not options.get('force', False):
- # We know the host exists if we've gotten this far but we
-@@ -846,6 +869,7 @@ class service_mod(LDAPUpdate):
- assert isinstance(dn, DN)
-
- self.obj.validate_ipakrbauthzdata(entry_attrs)
-+ validate_auth_indicator(entry_attrs)
-
- # verify certificates
- certs = entry_attrs.get('usercertificate') or []
---
-2.31.1
-
-From 28484c3dee225662e41acc691bfe6b1c1cee99c8 Mon Sep 17 00:00:00 2001
-From: Antonio Torres <antorres@redhat.com>
-Date: Mon, 8 Mar 2021 18:20:35 +0100
-Subject: [PATCH] ipatests: ensure auth indicators can't be added to internal
- IPA services
-
-Authentication indicators should not be added to internal IPA services,
-since this can lead to a broken IPA setup. In case a client with
-an auth indicator set in its host principal, promoting it to a replica
-should fail.
-
-Related: https://pagure.io/freeipa/issue/8206
-Signed-off-by: Antonio Torres <antorres@redhat.com>
----
- .../test_replica_promotion.py | 38 +++++++++++++++++++
- ipatests/test_xmlrpc/test_host_plugin.py | 10 +++++
- ipatests/test_xmlrpc/test_service_plugin.py | 21 ++++++++++
- 3 files changed, 69 insertions(+)
-
-diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
-index 0a137dbdc..b9c56f775 100644
---- a/ipatests/test_integration/test_replica_promotion.py
-+++ b/ipatests/test_integration/test_replica_promotion.py
-@@ -101,6 +101,44 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
- assert result.returncode == 1
- assert expected_err in result.stderr_text
-
-+ @replicas_cleanup
-+ def test_install_with_host_auth_ind_set(self):
-+ """ A client shouldn't be able to be promoted if it has
-+ any auth indicator set in the host principal.
-+ https://pagure.io/freeipa/issue/8206
-+ """
-+
-+ client = self.replicas[0]
-+ # Configure firewall first
-+ Firewall(client).enable_services(["freeipa-ldap",
-+ "freeipa-ldaps"])
-+
-+ client.run_command(['ipa-client-install', '-U',
-+ '--domain', self.master.domain.name,
-+ '--realm', self.master.domain.realm,
-+ '-p', 'admin',
-+ '-w', self.master.config.admin_password,
-+ '--server', self.master.hostname,
-+ '--force-join'])
-+
-+ tasks.kinit_admin(client)
-+
-+ client.run_command(['ipa', 'host-mod', '--auth-ind=otp',
-+ client.hostname])
-+
-+ res = client.run_command(['ipa-replica-install', '-U', '-w',
-+ self.master.config.dirman_password],
-+ raiseonerr=False)
-+
-+ client.run_command(['ipa', 'host-mod', '--auth-ind=',
-+ client.hostname])
-+
-+ expected_err = ("Client cannot be promoted to a replica if the host "
-+ "principal has an authentication indicator set.")
-+ assert res.returncode == 1
-+ assert expected_err in res.stderr_text
-+
-+
- @replicas_cleanup
- def test_one_command_installation(self):
- """
-diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
-index c66bbc865..9cfde3565 100644
---- a/ipatests/test_xmlrpc/test_host_plugin.py
-+++ b/ipatests/test_xmlrpc/test_host_plugin.py
-@@ -605,6 +605,16 @@ class TestProtectedMaster(XMLRPC_test):
- error=u'An IPA master host cannot be deleted or disabled')):
- command()
-
-+ def test_try_add_auth_ind_master(self, this_host):
-+ command = this_host.make_update_command({
-+ u'krbprincipalauthind': u'radius'})
-+ with raises_exact(errors.ValidationError(
-+ name='krbprincipalauthind',
-+ error=u'authentication indicators not allowed '
-+ 'in service "host"'
-+ )):
-+ command()
-+
-
- @pytest.mark.tier1
- class TestValidation(XMLRPC_test):
-diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
-index 4c845938c..ed634a045 100644
---- a/ipatests/test_xmlrpc/test_service_plugin.py
-+++ b/ipatests/test_xmlrpc/test_service_plugin.py
-@@ -25,6 +25,7 @@ from ipalib import api, errors
- from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
- from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
- from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
-+from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
- from ipatests.test_xmlrpc.test_user_plugin import get_user_result, get_group_dn
-@@ -1552,6 +1553,15 @@ def indicators_host(request):
- return tracker.make_fixture(request)
-
-
-+@pytest.fixture(scope='function')
-+def this_host(request):
-+ """Fixture for the current master"""
-+ tracker = HostTracker(name=api.env.host.partition('.')[0],
-+ fqdn=api.env.host)
-+ tracker.exists = True
-+ return tracker
-+
-+
- @pytest.fixture(scope='function')
- def indicators_service(request):
- tracker = ServiceTracker(
-@@ -1587,6 +1597,17 @@ class TestAuthenticationIndicators(XMLRPC_test):
- expected_updates={u'krbprincipalauthind': [u'radius']}
- )
-
-+ def test_update_indicator_internal_service(self, this_host):
-+ command = this_host.make_command('service_mod',
-+ 'ldap/' + this_host.fqdn,
-+ **dict(krbprincipalauthind='otp'))
-+ with raises_exact(errors.ValidationError(
-+ name='krbprincipalauthind',
-+ error=u'authentication indicators not allowed '
-+ 'in service "ldap"'
-+ )):
-+ command()
-+
-
- @pytest.fixture(scope='function')
- def managing_host(request):
---
-2.31.1
-
diff --git a/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch b/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch
new file mode 100644
index 0000000..f5f3cf3
--- /dev/null
+++ b/SOURCES/0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch
@@ -0,0 +1,75 @@
+From b9c42fed9b6f60801f908c368d0d97a2a69f7bb2 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 15 Dec 2021 10:47:02 +0100
+Subject: [PATCH] Config plugin: return EmptyModlist when no change is applied
+
+When ipa config-mod is called with the option --enable-sid,
+the code needs to trap EmptyModlist exception (it is expected
+that no LDAP attribute is modified by this operation).
+The code had a flaw and was checking:
+ 'enable_sid' in options
+instead of
+ options['enable_sid']
+
+"'enable_sid' in options" always returns true as this option
+is a Flag with a default value, hence always present even if
+not specified on the command line.
+
+Fixes: https://pagure.io/freeipa/issue/9063
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipaserver/plugins/config.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
+index eae401fc3..24446beb0 100644
+--- a/ipaserver/plugins/config.py
++++ b/ipaserver/plugins/config.py
+@@ -707,7 +707,7 @@ class config_mod(LDAPUpdate):
+ if (isinstance(exc, errors.EmptyModlist) and
+ call_func.__name__ == 'update_entry' and
+ ('ca_renewal_master_server' in options or
+- 'enable_sid' in options)):
++ options['enable_sid'])):
+ return
+
+ super(config_mod, self).exc_callback(
+--
+2.34.1
+
+From cd735099e86304294217147ed578ac902fcf3dd3 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 15 Dec 2021 10:51:05 +0100
+Subject: [PATCH] config plugin: add a test ensuring EmptyModlist is returned
+
+Add a test to test_config_plugin, that calls ipa config-mod
+with the same value as already present in LDAP.
+The call must return EmptyModlist.
+
+Related: https://pagure.io/freeipa/issue/9063
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_xmlrpc/test_config_plugin.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/ipatests/test_xmlrpc/test_config_plugin.py b/ipatests/test_xmlrpc/test_config_plugin.py
+index e981bb4a0..a8ec9f0e5 100644
+--- a/ipatests/test_xmlrpc/test_config_plugin.py
++++ b/ipatests/test_xmlrpc/test_config_plugin.py
+@@ -312,4 +312,13 @@ class test_config(Declarative):
+ 'value': None,
+ },
+ ),
++ dict(
++ desc='Set the value to the already set value, no modifications',
++ command=(
++ 'config_mod', [], {
++ 'ipasearchrecordslimit': u'100',
++ },
++ ),
++ expected=errors.EmptyModlist(),
++ ),
+ ]
+--
+2.34.1
+
diff --git a/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch b/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch
new file mode 100644
index 0000000..f6cf756
--- /dev/null
+++ b/SOURCES/0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch
@@ -0,0 +1,47 @@
+From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
+From: Francisco Trivino <ftrivino@redhat.com>
+Date: Wed, 26 Jan 2022 15:43:39 +0100
+Subject: [PATCH] Custodia: use a stronger encryption algo when exporting keys
+
+The Custodia key export handler is using the default's OpenSSL encryption
+scheme for PKCS#12.
+
+This represents an issue when performing a migration from CentOS Stream 8 (C8S)
+to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
+replica talks to the Custodia server on C8S source server. The later creates an
+encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
+default encryption scheme, which is no longer supported on C9S.
+
+This commit enforces a stronger encryption algorigthm by adding following
+arguments to the Custodia server handler:
+
+-keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
+
+The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
+
+Fixes: https://pagure.io/freeipa/issue/9101
+
+Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
+Reviewed-By: Christian Heimes <cheimes@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipaserver/secrets/handlers/pemfile.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
+index 4e8eff0e3..ad36bd020 100644
+--- a/ipaserver/secrets/handlers/pemfile.py
++++ b/ipaserver/secrets/handlers/pemfile.py
+@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
+ '-out', pk12file,
+ '-inkey', args.keyfile,
+ '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
++ '-keypbe', 'AES-256-CBC',
++ '-certpbe', 'AES-256-CBC',
++ '-macalg', 'sha384',
+ ])
+
+ with open(pk12file, 'rb') as f:
+--
+2.34.1
+
diff --git a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch b/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
deleted file mode 100644
index 7934afd..0000000
--- a/SOURCES/0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From 06468b2f604c56b02231904072cb57412966a701 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 5 Jul 2021 09:51:41 +0200
-Subject: [PATCH] stageuser: add ipauserauthtypeclass when required
-
-The command
-ipa stageuser-add --user-auth-type=xxx
-is currently failing because the objectclass ipauserauthtypeclass
-is missing from the created entry.
-
-There is code adding the missing objectclass in the
-pre_common_callback method of user_add, and this code should
-be common to user_add and stageuser_add. In order to avoid code
-duplication, it makes more sense to move the existing code to
-pre_common_callback of baseuser_add, that is called by both
-classes.
-
-Fixes: https://pagure.io/freeipa/issue/8909
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/plugins/baseuser.py | 3 +++
- ipaserver/plugins/user.py | 4 ----
- 2 files changed, 3 insertions(+), 4 deletions(-)
-
-diff --git a/ipaserver/plugins/baseuser.py b/ipaserver/plugins/baseuser.py
-index ae16a978a..6035228f1 100644
---- a/ipaserver/plugins/baseuser.py
-+++ b/ipaserver/plugins/baseuser.py
-@@ -539,6 +539,9 @@ class baseuser_add(LDAPCreate):
- if entry_attrs.get('ipatokenradiususername', None):
- add_missing_object_class(ldap, u'ipatokenradiusproxyuser', dn,
- entry_attrs, update=False)
-+ if entry_attrs.get('ipauserauthtype', None):
-+ add_missing_object_class(ldap, u'ipauserauthtypeclass', dn,
-+ entry_attrs, update=False)
-
- def post_common_callback(self, ldap, dn, entry_attrs, *keys, **options):
- assert isinstance(dn, DN)
-diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
-index 6f7facb53..e4ee572b2 100644
---- a/ipaserver/plugins/user.py
-+++ b/ipaserver/plugins/user.py
-@@ -617,10 +617,6 @@ class user_add(baseuser_add):
- 'ipauser' not in entry_attrs['objectclass']:
- entry_attrs['objectclass'].append('ipauser')
-
-- if 'ipauserauthtype' in entry_attrs and \
-- 'ipauserauthtypeclass' not in entry_attrs['objectclass']:
-- entry_attrs['objectclass'].append('ipauserauthtypeclass')
--
- rcl = entry_attrs.get('ipatokenradiusconfiglink', None)
- if rcl:
- if 'ipatokenradiusproxyuser' not in entry_attrs['objectclass']:
---
-2.31.1
-
-From 4a5a0fe7d25209a41a2eadd159f7f4c771e5d7fc Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 5 Jul 2021 10:22:31 +0200
-Subject: [PATCH] XMLRPC test: add a test for stageuser-add --user-auth-type
-
-Related: https://pagure.io/freeipa/issue/8909
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_xmlrpc/test_stageuser_plugin.py | 6 ++++++
- 1 file changed, 6 insertions(+)
-
-diff --git a/ipatests/test_xmlrpc/test_stageuser_plugin.py b/ipatests/test_xmlrpc/test_stageuser_plugin.py
-index 5586fc607..bc606b093 100644
---- a/ipatests/test_xmlrpc/test_stageuser_plugin.py
-+++ b/ipatests/test_xmlrpc/test_stageuser_plugin.py
-@@ -343,6 +343,12 @@ class TestStagedUser(XMLRPC_test):
- result = command()
- assert result['count'] == 1
-
-+ def test_create_withuserauthtype(self, stageduser):
-+ stageduser.ensure_missing()
-+ command = stageduser.make_create_command(
-+ options={u'ipauserauthtype': u'password'})
-+ command()
-+
-
- @pytest.mark.tier1
- class TestCreateInvalidAttributes(XMLRPC_test):
---
-2.31.1
-
diff --git a/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch b/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
new file mode 100644
index 0000000..1e342e5
--- /dev/null
+++ b/SOURCES/0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
@@ -0,0 +1,122 @@
+From 6d70421f57d0eca066a922e09416ef7195ee96d4 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Tue, 1 Feb 2022 16:43:09 +0100
+Subject: [PATCH] ipa-kdb: do not remove keys for hardened auth-enabled users
+
+Since 5d51ae5, principal keys were dropped in case user auth indicator
+was not including password. Thereafter, the key removal behavior was
+removed by 15ff9c8 in the context of the kdcpolicy plugin introduction.
+Support for hardened pre-auth methods (FAST and SPAKE) was added in
+d057040, and the removal of principal keys was restored afterwards by
+f0d12b7, but not taking the new hardened auth indicator into account.
+
+Fixes: https://pagure.io/freeipa/issue/9065
+Related to: https://pagure.io/freeipa/issue/8001
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_principals.c | 23 ++++++++++++-----------
+ 1 file changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
+index 15f3df4fe..0d0d3748c 100644
+--- a/daemons/ipa-kdb/ipa_kdb_principals.c
++++ b/daemons/ipa-kdb/ipa_kdb_principals.c
+@@ -788,17 +788,18 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
+ &res_key_data, &result, &mkvno);
+ switch (ret) {
+ case 0:
+- /* Only set a principal's key if password auth can be used. Otherwise
+- * the KDC would add pre-authentication methods to the NEEDED_PREAUTH
+- * reply for AS-REQs which indicate the password authentication is
+- * available. This might confuse applications like e.g. SSSD which try
+- * to determine suitable authentication methods and corresponding
+- * prompts with the help of MIT Kerberos' responder interface which
+- * acts on the returned pre-authentication methods. A typical example
+- * is enforced OTP authentication where of course keys are available
+- * for the first factor but password authentication should not be
+- * advertised by the KDC. */
+- if (!(ua & IPADB_USER_AUTH_PASSWORD) && (ua != IPADB_USER_AUTH_NONE)) {
++ /* Only set a principal's key if password or hardened auth can be used.
++ * Otherwise the KDC would add pre-authentication methods to the
++ * NEEDED_PREAUTH reply for AS-REQs which indicate the password
++ * authentication is available. This might confuse applications like
++ * e.g. SSSD which try to determine suitable authentication methods and
++ * corresponding prompts with the help of MIT Kerberos' responder
++ * interface which acts on the returned pre-authentication methods. A
++ * typical example is enforced OTP authentication where of course keys
++ * are available for the first factor but password authentication
++ * should not be advertised by the KDC. */
++ if (!(ua & (IPADB_USER_AUTH_PASSWORD | IPADB_USER_AUTH_HARDENED)) &&
++ (ua != IPADB_USER_AUTH_NONE)) {
+ /* This is the same behavior as ENOENT below. */
+ ipa_krb5_free_key_data(res_key_data, result);
+ break;
+--
+2.34.1
+
+From 294ae35a61e6ca8816b261c57508e4be21221864 Mon Sep 17 00:00:00 2001
+From: Julien Rische <jrische@redhat.com>
+Date: Tue, 1 Feb 2022 19:38:29 +0100
+Subject: [PATCH] ipatests: add case for hardened-only ticket policy
+
+Signed-off-by: Julien Rische <jrische@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
+---
+ ipatests/test_integration/test_krbtpolicy.py | 30 ++++++++++++++++++--
+ 1 file changed, 28 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_krbtpolicy.py b/ipatests/test_integration/test_krbtpolicy.py
+index 63e75ae67..9489fbc97 100644
+--- a/ipatests/test_integration/test_krbtpolicy.py
++++ b/ipatests/test_integration/test_krbtpolicy.py
+@@ -103,8 +103,8 @@ class TestPWPolicy(IntegrationTest):
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
+- def test_krbtpolicy_hardended(self):
+- """Test a hardened kerberos ticket policy with 10 min tickets"""
++ def test_krbtpolicy_password_and_hardended(self):
++ """Test a pwd and hardened kerberos ticket policy with 10min tickets"""
+ master = self.master
+ master.run_command(['ipa', 'user-mod', USER1,
+ '--user-auth-type', 'password',
+@@ -131,6 +131,32 @@ class TestPWPolicy(IntegrationTest):
+ result = master.run_command('klist | grep krbtgt')
+ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
+
++ def test_krbtpolicy_hardended(self):
++ """Test a hardened kerberos ticket policy with 30min tickets"""
++ master = self.master
++ master.run_command(['ipa', 'user-mod', USER1,
++ '--user-auth-type', 'hardened'])
++ master.run_command(['ipa', 'config-mod',
++ '--user-auth-type', 'hardened'])
++ master.run_command(['ipa', 'krbtpolicy-mod', USER1,
++ '--hardened-maxlife', '1800'])
++
++ tasks.kdestroy_all(master)
++
++ master.run_command(['kinit', USER1],
++ stdin_text=PASSWORD + '\n')
++ result = master.run_command('klist | grep krbtgt')
++ assert maxlife_within_policy(result.stdout_text, 1800,
++ slush=1800) is True
++
++ tasks.kdestroy_all(master)
++
++ # Verify that the short policy only applies to USER1
++ master.run_command(['kinit', USER2],
++ stdin_text=PASSWORD + '\n')
++ result = master.run_command('klist | grep krbtgt')
++ assert maxlife_within_policy(result.stdout_text, MAXLIFE) is True
++
+ def test_krbtpolicy_password(self):
+ """Test the kerberos ticket policy which issues 20 min tickets"""
+ master = self.master
+--
+2.34.1
+
diff --git a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch b/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
deleted file mode 100644
index 83182ce..0000000
--- a/SOURCES/0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 195035cef51a132b2b80df57ed50f2fe620244e6 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Wed, 7 Jul 2021 14:11:40 +0200
-Subject: [PATCH] man page: update ipa-server-upgrade.1
-
-The man page needs to clarify in which case the command needs
-to be run.
-
-Fixes: https://pagure.io/freeipa/issue/8913
-Reviewed-By: Francois Cami <fcami@redhat.com>
----
- install/tools/man/ipa-server-upgrade.1 | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/install/tools/man/ipa-server-upgrade.1 b/install/tools/man/ipa-server-upgrade.1
-index 3db19b0f1..f01e21c6b 100644
---- a/install/tools/man/ipa-server-upgrade.1
-+++ b/install/tools/man/ipa-server-upgrade.1
-@@ -8,7 +8,12 @@ ipa\-server\-upgrade \- upgrade IPA server
- .SH "SYNOPSIS"
- ipa\-server\-upgrade [options]
- .SH "DESCRIPTION"
--ipa\-server\-upgrade is used to upgrade IPA server when the IPA packages are being updated. It is not intended to be executed by end\-users.
-+ipa\-server\-upgrade is executed automatically to upgrade IPA server when
-+the IPA packages are being updated. It is not intended to be executed by
-+end\-users, unless the automatic execution reports an error. In this case,
-+the administrator needs to identify and fix the issue that is causing the
-+upgrade failure (with the help of /var/log/ipaupgrade.log)
-+and manually re\-run ipa\-server\-upgrade.
-
- ipa\-server\-upgrade will:
-
---
-2.31.1
-
diff --git a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch b/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
deleted file mode 100644
index 069d106..0000000
--- a/SOURCES/0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
+++ /dev/null
@@ -1,69 +0,0 @@
-From 8ad535b618d60fa016061212ff85d0ad28ccae59 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 12 Jul 2021 11:02:10 -0400
-Subject: [PATCH] Fall back to krbprincipalname when validating host auth
- indicators
-
-When adding a new host the principal cannot be determined because it
-relies on either:
-
-a) an entry to already exist
-b) krbprincipalname be a component of the dn
-
-As a result the full dn is being passed into ipapython.Kerberos
-which can't parse it.
-
-Look into the entry in validate_validate_auth_indicator() for
-krbprincipalname in this case.
-
-https://pagure.io/freeipa/issue/8206
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipaserver/plugins/service.py | 5 +++++
- ipatests/test_xmlrpc/test_host_plugin.py | 11 +++++++++++
- 2 files changed, 16 insertions(+)
-
-diff --git a/ipaserver/plugins/service.py b/ipaserver/plugins/service.py
-index cfbbff3c6..498f5e444 100644
---- a/ipaserver/plugins/service.py
-+++ b/ipaserver/plugins/service.py
-@@ -209,6 +209,11 @@ def validate_auth_indicator(entry):
- # and shouldn't be allowed to have auth indicators.
- # https://pagure.io/freeipa/issue/8206
- pkey = api.Object['service'].get_primary_key_from_dn(entry.dn)
-+ if pkey == str(entry.dn):
-+ # krbcanonicalname may not be set yet if this is a host entry,
-+ # try krbprincipalname
-+ if 'krbprincipalname' in entry:
-+ pkey = entry['krbprincipalname']
- principal = kerberos.Principal(pkey)
- server = api.Command.server_find(principal.hostname)['result']
- if server:
-diff --git a/ipatests/test_xmlrpc/test_host_plugin.py b/ipatests/test_xmlrpc/test_host_plugin.py
-index 9cfde3565..ff50e796c 100644
---- a/ipatests/test_xmlrpc/test_host_plugin.py
-+++ b/ipatests/test_xmlrpc/test_host_plugin.py
-@@ -615,6 +615,17 @@ class TestProtectedMaster(XMLRPC_test):
- )):
- command()
-
-+ def test_add_non_master_with_auth_ind(self, host5):
-+ host5.ensure_missing()
-+ command = host5.make_command(
-+ 'host_add', host5.fqdn, krbprincipalauthind=['radius'],
-+ force=True
-+ )
-+ result = command()
-+ # The fact that the command succeeds exercises the change but
-+ # let's check the indicator as well.
-+ assert result['result']['krbprincipalauthind'] == ('radius',)
-+
-
- @pytest.mark.tier1
- class TestValidation(XMLRPC_test):
---
-2.31.1
-
diff --git a/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch b/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch
new file mode 100644
index 0000000..3ac05fa
--- /dev/null
+++ b/SOURCES/0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch
@@ -0,0 +1,44 @@
+From 9bae5492270d8b695999cd82831cbee62b04626b Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Fri, 28 Jan 2022 16:58:42 +0100
+Subject: [PATCH] ipa-pki-proxy.conf: provide access to
+ /kra/admin/kra/getStatus
+
+The access to /kra/admin/kra/getStatus will be needed
+in order to fix pki-healthcheck.
+Note that this commit is a pre-requisite for the fix
+to be done on PKI side. No test added since the full
+integration test already exists in test_replica_promotion.py,
+in TestHiddenReplicaPromotion::test_ipahealthcheck_hidden_replica
+
+Fixes: https://pagure.io/freeipa/issue/9099
+Related: https://pagure.io/freeipa/issue/8582
+
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ install/share/ipa-pki-proxy.conf.template | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/install/share/ipa-pki-proxy.conf.template b/install/share/ipa-pki-proxy.conf.template
+index 96708482c..7a46f20b9 100644
+--- a/install/share/ipa-pki-proxy.conf.template
++++ b/install/share/ipa-pki-proxy.conf.template
+@@ -1,4 +1,4 @@
+-# VERSION 16 - DO NOT REMOVE THIS LINE
++# VERSION 17 - DO NOT REMOVE THIS LINE
+
+ ProxyRequests Off
+
+@@ -11,7 +11,7 @@ ProxyRequests Off
+ </LocationMatch>
+
+ # matches for admin port and installer
+-<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries">
++<LocationMatch "^/ca/admin/ca/getCertChain|^/ca/admin/ca/getConfigEntries|^/ca/admin/ca/getCookie|^/ca/admin/ca/getStatus|^/ca/admin/ca/securityDomainLogin|^/ca/admin/ca/getDomainXML|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/tokenAuthenticate|^/ca/admin/ca/updateNumberRange|^/ca/admin/ca/updateDomainXML|^/ca/admin/ca/updateConnector|^/ca/admin/ca/getSubsystemCert|^/kra/admin/kra/updateNumberRange|^/kra/admin/kra/getConfigEntries|^/kra/admin/kra/getStatus">
+ SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
+ SSLVerifyClient none
+ ProxyPassMatch ajp://localhost:$DOGTAG_PORT $DOGTAG_AJP_SECRET
+--
+2.34.1
+
diff --git a/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch b/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch
new file mode 100644
index 0000000..14d1f0c
--- /dev/null
+++ b/SOURCES/0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch
@@ -0,0 +1,755 @@
+From 0edf915efbb39fac45c784171dd715ec6b28861a Mon Sep 17 00:00:00 2001
+From: Sumedh Sidhaye <ssidhaye@redhat.com>
+Date: Fri, 14 Jan 2022 19:55:13 +0530
+Subject: [PATCH] Added test automation for SHA384withRSA CSR support
+
+Scenario 1:
+Setup master with --ca-signing-algorithm=SHA384withRSA
+Run certutil and check Signing Algorithm
+
+Scenario 2:
+Setup a master
+Stop services
+Modify default.params.signingAlg in CS.cfg
+Restart services
+Resubmit cert (Resubmitted cert should have new Algorithm)
+
+Pagure Link: https://pagure.io/freeipa/issue/8906
+
+Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Antonio Torres <antorres@redhat.com>
+---
+ .../test_integration/test_installation.py | 63 +++++++++++++++++++
+ 1 file changed, 63 insertions(+)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index 0947241ae..f2d372c0c 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -34,6 +34,7 @@ from ipatests.pytest_ipa.integration import tasks
+ from ipatests.pytest_ipa.integration.env_config import get_global_config
+ from ipatests.test_integration.base import IntegrationTest
+ from ipatests.test_integration.test_caless import CALessBase, ipa_certs_cleanup
++from ipatests.test_integration.test_cert import get_certmonger_fs_id
+ from ipaplatform import services
+
+
+@@ -1916,3 +1917,65 @@ class TestInstallWithoutNamed(IntegrationTest):
+ tasks.install_replica(
+ self.master, self.replicas[0], setup_ca=False, setup_dns=False
+ )
++
++
++class TestInstallwithSHA384withRSA(IntegrationTest):
++ num_replicas = 0
++
++ def test_install_master_withalgo_sha384withrsa(self, server_cleanup):
++ tasks.install_master(
++ self.master,
++ extra_args=['--ca-signing-algorithm=SHA384withRSA'],
++ )
++
++ # check Signing Algorithm post installation
++ dashed_domain = self.master.domain.realm.replace(".", '-')
++ cmd_args = ['certutil', '-L', '-d',
++ '/etc/dirsrv/slapd-{}/'.format(dashed_domain),
++ '-n', 'Server-Cert']
++ result = self.master.run_command(cmd_args)
++ assert 'SHA-384 With RSA Encryption' in result.stdout_text
++
++ def test_install_master_modify_existing(self, server_cleanup):
++ """
++ Setup a master
++ Stop services
++ Modify default.params.signingAlg in CS.cfg
++ Restart services
++ Resubmit cert (Resubmitted cert should have new Algorithm)
++ """
++ tasks.install_master(self.master)
++ self.master.run_command(['ipactl', 'stop'])
++ cs_cfg_content = self.master.get_file_contents(paths.CA_CS_CFG_PATH,
++ encoding='utf-8')
++ new_lines = []
++ replace_str = "ca.signing.defaultSigningAlgorithm=SHA384withRSA"
++ ocsp_rep_str = "ca.ocsp_signing.defaultSigningAlgorithm=SHA384withRSA"
++ for line in cs_cfg_content.split('\n'):
++ if line.startswith('ca.signing.defaultSigningAlgorithm'):
++ new_lines.append(replace_str)
++ elif line.startswith('ca.ocsp_signing.defaultSigningAlgorithm'):
++ new_lines.append(ocsp_rep_str)
++ else:
++ new_lines.append(line)
++ self.master.put_file_contents(paths.CA_CS_CFG_PATH,
++ '\n'.join(new_lines))
++ self.master.run_command(['ipactl', 'start'])
++
++ cmd = ['getcert', 'list', '-f', paths.RA_AGENT_PEM]
++ result = self.master.run_command(cmd)
++ request_id = get_certmonger_fs_id(result.stdout_text)
++
++ # resubmit RA Agent cert
++ cmd = ['getcert', 'resubmit', '-f', paths.RA_AGENT_PEM]
++ self.master.run_command(cmd)
++
++ tasks.wait_for_certmonger_status(self.master,
++ ('CA_WORKING', 'MONITORING'),
++ request_id)
++
++ cmd_args = ['openssl', 'x509', '-in',
++ paths.RA_AGENT_PEM, '-noout', '-text']
++ result = self.master.run_command(cmd_args)
++ assert_str = 'Signature Algorithm: sha384WithRSAEncryption'
++ assert assert_str in result.stdout_text
+--
+2.34.1
+
+From 8b22ee018c3bb7f58a1b6694a7fd611688f8e74f Mon Sep 17 00:00:00 2001
+From: Sumedh Sidhaye <ssidhaye@redhat.com>
+Date: Thu, 25 Nov 2021 17:48:20 +0530
+Subject: [PATCH] Extend test to see if replica is not shown when running
+ `ipa-replica-manage list -v <FQDN>`
+
+Related: https://pagure.io/freeipa/issue/8605
+
+Signed-off-by: Sumedh Sidhaye <ssidhaye@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_simple_replication.py | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_simple_replication.py b/ipatests/test_integration/test_simple_replication.py
+index 8de385144..17092a499 100644
+--- a/ipatests/test_integration/test_simple_replication.py
++++ b/ipatests/test_integration/test_simple_replication.py
+@@ -111,5 +111,6 @@ class TestSimpleReplication(IntegrationTest):
+ # has to be run with --force, there is no --unattended
+ self.master.run_command(['ipa-replica-manage', 'del',
+ self.replicas[0].hostname, '--force'])
+- result = self.master.run_command(['ipa-replica-manage', 'list'])
++ result = self.master.run_command(
++ ['ipa-replica-manage', 'list', '-v', self.master.hostname])
+ assert self.replicas[0].hostname not in result.stdout_text
+--
+2.34.1
+
+From ba7ec71ba96280da3841ebe47df2a6dc1cd6341e Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Fri, 26 Nov 2021 12:11:21 +0530
+Subject: [PATCH] ipatests: Fix test_ipa_cert_fix.py::TestCertFixReplica
+ teardown
+
+Fixture `expire_certs` moves date back after renewing the certs.
+This is causing the ipa-replica to fail. This fix first uninstalls
+the server then moves back the date.
+
+Fixes: https://pagure.io/freeipa/issue/9052
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_ipa_cert_fix.py | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_ipa_cert_fix.py b/ipatests/test_integration/test_ipa_cert_fix.py
+index 39904d5de..5b56054b4 100644
+--- a/ipatests/test_integration/test_ipa_cert_fix.py
++++ b/ipatests/test_integration/test_ipa_cert_fix.py
+@@ -389,6 +389,12 @@ class TestCertFixReplica(IntegrationTest):
+ setup_dns=False, extra_args=['--no-ntp']
+ )
+
++ @classmethod
++ def uninstall(cls, mh):
++ # Uninstall method is empty as the uninstallation is done in
++ # the fixture
++ pass
++
+ @pytest.fixture
+ def expire_certs(self):
+ # move system date to expire certs
+@@ -398,7 +404,8 @@ class TestCertFixReplica(IntegrationTest):
+ yield
+
+ # move date back on replica and master
+- for host in self.master, self.replicas[0]:
++ for host in self.replicas[0], self.master:
++ tasks.uninstall_master(host)
+ tasks.move_date(host, 'start', '-3years-1days')
+
+ def test_renew_expired_cert_replica(self, expire_certs):
+--
+2.34.1
+
+From 465f1669a6c5abc72da1ecaf9aefa8488f80806c Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Mon, 13 Dec 2021 17:37:05 +0530
+Subject: [PATCH] ipatests: Test default value of nsslapd-sizelimit.
+
+related : https://pagure.io/freeipa/issue/8962
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_installation.py | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index 95cfaad54..0947241ae 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -1067,6 +1067,19 @@ class TestInstallMaster(IntegrationTest):
+ )
+ assert "nsslapd-db-locks" not in result.stdout_text
+
++ def test_nsslapd_sizelimit(self):
++ """ Test for default value of nsslapd-sizelimit.
++
++ Related : https://pagure.io/freeipa/issue/8962
++ """
++ result = tasks.ldapsearch_dm(
++ self.master,
++ "cn=config",
++ ["nsslapd-sizelimit"],
++ scope="base"
++ )
++ assert "nsslapd-sizelimit: 100000" in result.stdout_text
++
+ def test_admin_root_alias_CVE_2020_10747(self):
+ # Test for CVE-2020-10747 fix
+ # https://bugzilla.redhat.com/show_bug.cgi?id=1810160
+--
+2.34.1
+
+From cbd9ac6ab07dfb60f67da762fdd70856ad35c230 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Thu, 25 Nov 2021 13:10:05 +0530
+Subject: [PATCH] ipatests: Test empty cert request doesn't force certmonger to
+ segfault
+
+When empty cert request is submitted to certmonger, it goes to
+segfault. This fix test that if something like this happens,
+certmonger should gracefuly handle it
+
+and some PEP8 fixes
+
+related: https://pagure.io/certmonger/issue/191
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+---
+ ipatests/test_integration/test_cert.py | 79 +++++++++++++++++++++++++-
+ 1 file changed, 78 insertions(+), 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
+index 5ffb8c608..0518d7954 100644
+--- a/ipatests/test_integration/test_cert.py
++++ b/ipatests/test_integration/test_cert.py
+@@ -14,6 +14,7 @@ import random
+ import re
+ import string
+ import time
++import textwrap
+
+ from ipaplatform.paths import paths
+ from ipapython.dn import DN
+@@ -193,7 +194,7 @@ class TestInstallMasterClient(IntegrationTest):
+ tasks.kinit_admin(self.master)
+ tasks.user_add(self.master, user)
+
+- for id in (0,1):
++ for id in (0, 1):
+ csr_file = f'{id}.csr'
+ key_file = f'{id}.key'
+ cert_file = f'{id}.crt'
+@@ -584,3 +585,79 @@ class TestCAShowErrorHandling(IntegrationTest):
+ error_msg = 'ipa: ERROR: The certificate for ' \
+ '{} is not available on this server.'.format(lwca)
+ assert error_msg in result.stderr_text
++
++ def test_certmonger_empty_cert_not_segfault(self):
++ """Test empty cert request doesn't force certmonger to segfault
++
++ Test scenario:
++ create a cert request file in /var/lib/certmonger/requests which is
++ missing most of the required information, and ask request a new
++ certificate to certmonger. The wrong request file should not make
++ certmonger crash.
++
++ related: https://pagure.io/certmonger/issue/191
++ """
++ empty_cert_req_content = textwrap.dedent("""
++ id=dogtag-ipa-renew-agent
++ key_type=UNSPECIFIED
++ key_gen_type=UNSPECIFIED
++ key_size=0
++ key_gen_size=0
++ key_next_type=UNSPECIFIED
++ key_next_gen_type=UNSPECIFIED
++ key_next_size=0
++ key_next_gen_size=0
++ key_preserve=0
++ key_storage_type=NONE
++ key_perms=0
++ key_requested_count=0
++ key_issued_count=0
++ cert_storage_type=FILE
++ cert_perms=0
++ cert_is_ca=0
++ cert_ca_path_length=0
++ cert_no_ocsp_check=0
++ last_need_notify_check=19700101000000
++ last_need_enroll_check=19700101000000
++ template_is_ca=0
++ template_ca_path_length=-1
++ template_no_ocsp_check=0
++ state=NEED_KEY_PAIR
++ autorenew=0
++ monitor=0
++ submitted=19700101000000
++ """)
++ # stop certmonger service
++ self.master.run_command(['systemctl', 'stop', 'certmonger'])
++
++ # place an empty cert request file to certmonger request dir
++ self.master.put_file_contents(
++ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
++ empty_cert_req_content
++ )
++
++ # start certmonger, it should not fail
++ self.master.run_command(['systemctl', 'start', 'certmonger'])
++
++ # request a new cert, should succeed and certmonger doesn't goes
++ # to segfault
++ result = self.master.run_command([
++ "ipa-getcert", "request",
++ "-f", os.path.join(paths.OPENSSL_CERTS_DIR, "test.pem"),
++ "-k", os.path.join(paths.OPENSSL_PRIVATE_DIR, "test.key"),
++ ])
++ request_id = re.findall(r'\d+', result.stdout_text)
++
++ # check if certificate is in MONITORING state
++ status = tasks.wait_for_request(self.master, request_id[0], 50)
++ assert status == "MONITORING"
++
++ self.master.run_command(
++ ['ipa-getcert', 'stop-tracking', '-i', request_id[0]]
++ )
++ self.master.run_command([
++ 'rm', '-rf',
++ os.path.join(paths.CERTMONGER_REQUESTS_DIR, '20211125062617'),
++ os.path.join(paths.OPENSSL_CERTS_DIR, 'test.pem'),
++ os.path.join(paths.OPENSSL_PRIVATE_DIR, 'test.key')
++ ])
+--
+2.34.1
+
+From edbd8f692a28fc999b92e9032614d366511db323 Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Mon, 6 Dec 2021 20:50:01 +0530
+Subject: [PATCH] ipatests: webui: Tests for subordinate ids.
+
+Added web-ui tests to verify where operations
+using subordinate ids are working as expected.
+
+Related : https://pagure.io/freeipa/issue/8361
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_webui/test_subid.py | 141 ++++++++++++++++++++++++++++++
+ ipatests/test_webui/ui_driver.py | 28 ++++++
+ 2 files changed, 169 insertions(+)
+ create mode 100644 ipatests/test_webui/test_subid.py
+
+diff --git a/ipatests/test_webui/test_subid.py b/ipatests/test_webui/test_subid.py
+new file mode 100644
+index 000000000..26decdba0
+--- /dev/null
++++ b/ipatests/test_webui/test_subid.py
+@@ -0,0 +1,141 @@
++
++"""
++Tests for subordinateid.
++"""
++
++from ipatests.test_webui.ui_driver import UI_driver
++import ipatests.test_webui.data_config as config_data
++import ipatests.test_webui.data_user as user_data
++from ipatests.test_webui.ui_driver import screenshot
++import re
++
++
++class test_subid(UI_driver):
++
++ def add_user(self, pkey, name, surname):
++ self.add_record('user', {
++ 'pkey': pkey,
++ 'add': [
++ ('textbox', 'uid', pkey),
++ ('textbox', 'givenname', name),
++ ('textbox', 'sn', surname),
++ ]
++ })
++
++ def set_default_subid(self):
++ self.navigate_to_entity(config_data.ENTITY)
++ self.check_option('ipauserdefaultsubordinateid', 'checked')
++ self.facet_button_click('save')
++
++ def get_user_count(self, user_pkey):
++ self.navigate_to_entity('subid', facet='search')
++ self.apply_search_filter(user_pkey)
++ self.wait_for_request()
++ return self.get_rows()
++
++ @screenshot
++ def test_set_defaultsubid(self):
++ """
++ Test to verify that enable/disable is working for
++ adding subids to new users.
++ """
++ self.init_app()
++ self.add_record(user_data.ENTITY, user_data.DATA2)
++ self.navigate_to_entity(config_data.ENTITY)
++ # test subid can be enabled/disabled.
++ self.set_default_subid()
++ assert self.get_field_checked('ipauserdefaultsubordinateid')
++ self.set_default_subid()
++ assert not self.get_field_checked('ipauserdefaultsubordinateid')
++
++ @screenshot
++ def test_user_defaultsubid(self):
++ """
++ Test to verify that subid is generated for new user.
++ """
++ self.init_app()
++ user_pkey = "some-user"
++
++ self.set_default_subid()
++ assert self.get_field_checked('ipauserdefaultsubordinateid')
++
++ before_count = self.get_user_count(user_pkey)
++ assert len(before_count) == 0
++
++ self.add_user(user_pkey, 'Some', 'User')
++ after_count = self.get_user_count(user_pkey)
++ assert len(after_count) == 1
++
++ @screenshot
++ def test_user_subid_mod_desc(self):
++ """
++ Test to verify that auto-assigned subid description is modified.
++ """
++ self.init_app()
++ self.navigate_to_record("some-user")
++ self.switch_to_facet('memberof_subid')
++ rows = self.get_rows()
++ self.navigate_to_row_record(rows[-1])
++ self.fill_textbox("description", "some-user-subid-desc")
++ self.facet_button_click('save')
++
++ @screenshot
++ def test_admin_subid(self):
++ """
++ Test to verify that subid range is created with owner admin.
++ """
++ self.init_app()
++ self.navigate_to_entity('subid', facet='search')
++ self.facet_button_click('add')
++ self.select_combobox('ipaowner', 'admin')
++ self.dialog_button_click('add')
++ self.wait(0.3)
++ self.assert_no_error_dialog()
++
++ @screenshot
++ def test_admin_subid_negative(self):
++ """
++ Test to verify that readding the subid fails with error.
++ """
++ self.init_app()
++ self.navigate_to_entity('subid', facet='search')
++ self.facet_button_click('add')
++ self.select_combobox('ipaowner', 'admin')
++ self.dialog_button_click('add')
++ self.wait(0.3)
++ err_dialog = self.get_last_error_dialog(dialog_name='error_dialog')
++ text = self.get_text('.modal-body div p', err_dialog)
++ text = text.strip()
++ pattern = r'Subordinate id with with name .* already exists.'
++ assert re.search(pattern, text) is not None
++ self.close_all_dialogs()
++
++ @screenshot
++ def test_user_subid_add(self):
++ """
++ Test to verify that subid range is created for given user.
++ """
++ self.init_app()
++ self.navigate_to_entity('subid', facet='search')
++ before_count = self.get_rows()
++ self.facet_button_click('add')
++ self.select_combobox('ipaowner', user_data.PKEY2)
++ self.dialog_button_click('add')
++ self.wait(0.3)
++ self.assert_no_error_dialog()
++ after_count = self.get_rows()
++ assert len(before_count) < len(after_count)
++
++ @screenshot
++ def test_subid_del(self):
++ """
++ Test to remove subordinate id for given user.
++ """
++ self.init_app()
++ self.navigate_to_entity('subid', facet='search')
++ user_uid = self.get_record_pkey("some-user", "ipaowner",
++ table_name="ipauniqueid")
++ before_count = self.get_rows()
++ self.delete_record(user_uid, table_name="ipauniqueid")
++ after_count = self.get_rows()
++ assert len(before_count) > len(after_count)
+diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
+index 46fd512ae..77fd74e49 100644
+--- a/ipatests/test_webui/ui_driver.py
++++ b/ipatests/test_webui/ui_driver.py
+@@ -1151,6 +1151,34 @@ class UI_driver:
+ return row
+ return None
+
++ def get_row_by_column_value(self, key, column_name, parent=None,
++ table_name=None):
++ """
++ Get the first matched row element of a search table with given key
++ matched against selected column. None if not found
++ """
++ rows = self.get_rows(parent, table_name)
++ s = "td div[name='%s']" % column_name
++ for row in rows:
++ has = self.find(s, By.CSS_SELECTOR, row)
++ if has.text == key:
++ return row
++ return None
++
++ def get_record_pkey(self, key, column, parent=None, table_name=None):
++ """
++ Get record pkey if value of column is known
++ """
++ row = self.get_row_by_column_value(key,
++ column_name=column,
++ parent=parent,
++ table_name=table_name)
++ val = None
++ if row:
++ el = self.find("td input", By.CSS_SELECTOR, row)
++ val = el.get_attribute("value")
++ return val
++
+ def navigate_to_row_record(self, row, pkey_column=None):
+ """
+ Navigate to record by clicking on a link.
+--
+2.34.1
+
+From 419d7fd6e5a9ed2d356ad05eef1043309f5646ef Mon Sep 17 00:00:00 2001
+From: Michal Polovka <mpolovka@redhat.com>
+Date: Fri, 7 Jan 2022 12:12:26 +0100
+Subject: [PATCH] ipatests: webui: Use safe-loader for loading YAML
+ configuration file
+
+FullLoader class for YAML loader was introduced in version 5.1 which
+also deprecated default loader. SafeLoader, however, stays consistent
+across the versions and brings added security.
+
+This fix is necessary as PyYAML > 5.1 is not available in downstream.
+
+Related: https://pagure.io/freeipa/issue/9009
+
+Signed-off-by: Michal Polovka <mpolovka@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ ipatests/test_webui/ui_driver.py | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ipatests/test_webui/ui_driver.py b/ipatests/test_webui/ui_driver.py
+index 77fd74e49..519efee9b 100644
+--- a/ipatests/test_webui/ui_driver.py
++++ b/ipatests/test_webui/ui_driver.py
+@@ -192,7 +192,7 @@ class UI_driver:
+ if not NO_YAML and os.path.isfile(path):
+ try:
+ with open(path, 'r') as conf:
+- cls.config = yaml.load(stream=conf, Loader=yaml.FullLoader)
++ cls.config = yaml.safe_load(stream=conf)
+ except yaml.YAMLError as e:
+ pytest.skip("Invalid Web UI config.\n%s" % e)
+ except IOError as e:
+--
+2.34.1
+
+From 5444da016edc416c0c9481c660c013053dbb93b5 Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Thu, 18 Nov 2021 18:43:22 +0530
+Subject: [PATCH] PEP8 Fixes
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+---
+ .../test_integration/test_replica_promotion.py | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index 1a4e9bc12..c328b1a08 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
++++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -138,7 +138,6 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
+ assert res.returncode == 1
+ assert expected_err in res.stderr_text
+
+-
+ @replicas_cleanup
+ def test_one_command_installation(self):
+ """
+@@ -150,11 +149,11 @@ class TestReplicaPromotionLevel1(ReplicaPromotionBase):
+ Firewall(self.replicas[0]).enable_services(["freeipa-ldap",
+ "freeipa-ldaps"])
+ self.replicas[0].run_command(['ipa-replica-install', '-w',
+- self.master.config.admin_password,
+- '-n', self.master.domain.name,
+- '-r', self.master.domain.realm,
+- '--server', self.master.hostname,
+- '-U'])
++ self.master.config.admin_password,
++ '-n', self.master.domain.name,
++ '-r', self.master.domain.realm,
++ '--server', self.master.hostname,
++ '-U'])
+ # Ensure that pkinit is properly configured, test for 7566
+ result = self.replicas[0].run_command(['ipa-pkinit-manage', 'status'])
+ assert "PKINIT is enabled" in result.stdout_text
+@@ -321,7 +320,7 @@ class TestWrongClientDomain(IntegrationTest):
+ result1 = client.run_command(['ipa-replica-install', '-U', '-w',
+ self.master.config.dirman_password],
+ raiseonerr=False)
+- assert(result1.returncode == 0), (
++ assert (result1.returncode == 0), (
+ 'Failed to promote the client installed with the upcase domain name')
+
+ def test_client_rollback(self):
+@@ -355,6 +354,7 @@ class TestWrongClientDomain(IntegrationTest):
+ assert("An error occurred while removing SSSD" not in
+ result.stdout_text)
+
++
+ class TestRenewalMaster(IntegrationTest):
+
+ topology = 'star'
+--
+2.34.1
+
+From 1d19b860d4cd3bd65a4b143b588425d9a64237fd Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Thu, 18 Nov 2021 18:36:58 +0530
+Subject: [PATCH] Test cases for ipa-replica-conncheck command
+
+Following test cases would be checked:
+- when called with --principal (it should then prompt for a password)
+- when called with --principal / --password
+- when called without principal and password but with a kerberos TGT,
+ kinit admin done before calling ipa-replica-conncheck
+- when called without principal and password, and without any kerberos
+ TGT (it should default to principal=admin and prompt for a password)
+
+related: https://pagure.io/freeipa/issue/9047
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+---
+ .../test_replica_promotion.py | 70 +++++++++++++++++++
+ 1 file changed, 70 insertions(+)
+
+diff --git a/ipatests/test_integration/test_replica_promotion.py b/ipatests/test_integration/test_replica_promotion.py
+index b9c56f775..1a4e9bc12 100644
+--- a/ipatests/test_integration/test_replica_promotion.py
++++ b/ipatests/test_integration/test_replica_promotion.py
+@@ -437,6 +437,76 @@ class TestRenewalMaster(IntegrationTest):
+ self.assertCARenewalMaster(master, replica.hostname)
+ self.assertCARenewalMaster(replica, replica.hostname)
+
++ def test_replica_concheck(self):
++ """Test cases for ipa-replica-conncheck command
++
++ Following test cases would be checked:
++ - when called with --principal (it should then prompt for a password)
++ - when called with --principal / --password
++ - when called without principal and password but with a kerberos TGT,
++ kinit admin done before calling ipa-replica-conncheck
++ - when called without principal and password, and without any kerberos
++ TGT (it should default to principal=admin and prompt for a password)
++
++ related: https://pagure.io/freeipa/issue/9047
++ """
++ exp_str1 = "Connection from replica to master is OK."
++ exp_str2 = "Connection from master to replica is OK"
++ tasks.kdestroy_all(self.replicas[0])
++ # when called with --principal (it should then prompt for a password)
++ result = self.replicas[0].run_command(
++ ['ipa-replica-conncheck', '--auto-master-check',
++ '--master', self.master.hostname,
++ '-r', self.replicas[0].domain.realm,
++ '-p', self.replicas[0].config.admin_name],
++ stdin_text=self.master.config.admin_password
++ )
++ assert result.returncode == 0
++ assert (
++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
++ )
++
++ # when called with --principal / --password
++ result = self.replicas[0].run_command([
++ 'ipa-replica-conncheck', '--auto-master-check',
++ '--master', self.master.hostname,
++ '-r', self.replicas[0].domain.realm,
++ '-p', self.replicas[0].config.admin_name,
++ '-w', self.master.config.admin_password
++ ])
++ assert result.returncode == 0
++ assert (
++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
++ )
++
++ # when called without principal and password, and without
++ # any kerberos TGT, it should default to principal=admin
++ # and prompt for a password
++ result = self.replicas[0].run_command(
++ ['ipa-replica-conncheck', '--auto-master-check',
++ '--master', self.master.hostname,
++ '-r', self.replicas[0].domain.realm],
++ stdin_text=self.master.config.admin_password
++ )
++ assert result.returncode == 0
++ assert (
++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
++ )
++
++ # when called without principal and password but with a kerberos TGT,
++ # kinit admin done before calling ipa-replica-conncheck
++ tasks.kinit_admin(self.replicas[0])
++ result = self.replicas[0].run_command(
++ ['ipa-replica-conncheck', '--auto-master-check',
++ '--master', self.master.hostname,
++ '-r', self.replicas[0].domain.realm]
++ )
++ assert result.returncode == 0
++ assert (
++ exp_str1 in result.stderr_text and exp_str2 in result.stderr_text
++ )
++ tasks.kdestroy_all(self.replicas[0])
++
+ def test_automatic_renewal_master_transfer_ondelete(self):
+ # Test that after replica uninstallation, master overtakes the cert
+ # renewal master role from replica (which was previously set there)
+--
+2.34.1
+
diff --git a/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch b/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
deleted file mode 100644
index 3f83c40..0000000
--- a/SOURCES/0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 1a5159b216455070eb51b6a11ceaf0033fc8ce4c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 16 Jul 2021 09:20:33 +0300
-Subject: [PATCH] rhel platform: add a named crypto-policy support
-
-RHEL 8+ provides bind system-wide crypto policy support, enable it.
-
-Fixes: https://pagure.io/freeipa/issue/8925
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Anuja More <amore@redhat.com>
----
- ipaplatform/rhel/paths.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ipaplatform/rhel/paths.py b/ipaplatform/rhel/paths.py
-index c081ada32..3631550eb 100644
---- a/ipaplatform/rhel/paths.py
-+++ b/ipaplatform/rhel/paths.py
-@@ -30,6 +30,7 @@ from ipaplatform.rhel.constants import HAS_NFS_CONF
-
-
- class RHELPathNamespace(RedHatPathNamespace):
-+ NAMED_CRYPTO_POLICY_FILE = "/etc/crypto-policies/back-ends/bind.config"
- if HAS_NFS_CONF:
- SYSCONFIG_NFS = '/etc/nfs.conf'
-
---
-2.31.1
-
diff --git a/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch b/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
deleted file mode 100644
index 34b33c7..0000000
--- a/SOURCES/0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From a6e708ab4006d6623c37de1692de5362fcdb5dd6 Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Mon, 30 Aug 2021 16:44:47 -0400
-Subject: [PATCH] Catch and log errors when adding CA profiles
-
-Rather than stopping the installer entirely, catch and report
-errors adding new certificate profiles, and remove the
-broken profile entry from LDAP so it may be re-added later.
-
-It was discovered that installing a newer IPA that has the
-ACME profile which requires sanToCNDefault will fail when
-installing a new server against a very old one that lacks
-this class.
-
-Running ipa-server-upgrade post-install will add the profile
-and generate the missing ipa-ca SAN record so that ACME
-can work.
-
-https://pagure.io/freeipa/issue/8974
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipaserver/install/cainstance.py | 13 +++++++++++--
- 1 file changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
-index 9e842b33e..8c8bf1b3a 100644
---- a/ipaserver/install/cainstance.py
-+++ b/ipaserver/install/cainstance.py
-@@ -1973,8 +1973,17 @@ def import_included_profiles():
-
- # Create the profile, replacing any existing profile of same name
- profile_data = __get_profile_config(profile_id)
-- _create_dogtag_profile(profile_id, profile_data, overwrite=True)
-- logger.debug("Imported profile '%s'", profile_id)
-+ try:
-+ _create_dogtag_profile(profile_id, profile_data,
-+ overwrite=True)
-+ except errors.HTTPRequestError as e:
-+ logger.warning("Failed to import profile '%s': %s. Running "
-+ "ipa-server-upgrade when installation is "
-+ "completed may resolve this issue.",
-+ profile_id, e)
-+ conn.delete_entry(entry)
-+ else:
-+ logger.debug("Imported profile '%s'", profile_id)
- else:
- logger.debug(
- "Profile '%s' is already in LDAP; skipping", profile_id
---
-2.31.1
-
diff --git a/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch b/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch
new file mode 100644
index 0000000..f8b3b9f
--- /dev/null
+++ b/SOURCES/0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch
@@ -0,0 +1,104 @@
+From edb216849e4f47d6cae95981edf0c3fe2653fd7a Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Fri, 28 Jan 2022 16:46:35 -0500
+Subject: [PATCH] Don't always override the port in import_included_profiles
+
+I can only guess to the original purpose of this override. I
+believe it was because this is called in the installer prior
+to Apache being set up. The expectation was that this would
+only be called locally. It predates the RestClient class.
+
+RestClient will attempt to find an available service. In this
+case, during a CA installation, the local server is not
+considered available because it lacks an entry in
+cn=masters. So it will never be returned as an option.
+
+So by overriding the port to 8443 the remote connection will
+likely fail because we don't require that the port be open.
+
+So instead, instantiate a RestClient and see what happens.
+
+There are several use-cases:
+
+1. Installing an initial server. The RestClient connection
+ should fail, so we will fall back to the override port and
+ use the local server. If Apache happens to be running with
+ a globally-issued certificate then the RestClient will
+ succeed. In this case if the connected host and the local
+ hostname are the same, override in that case as well.
+
+2. Installing as a replica. In this case the local server should
+ be ignored in all cases and a remote CA will be picked with
+ no override done.
+
+3. Switching from CA-less to CA-ful. The web server will be
+ trusted but the RestClient login will fail with a 404. Fall
+ back to the override port in this case.
+
+The motivation for this is trying to install an EL 8.x replica
+against an EL 7.9 server. 8.5+ includes the ACME service and
+a new profile is needed which doesn't exist in 7. This was
+failing because the RestClient determined that the local server
+wasn't running a CA so tried the remote one (7.9) on the override
+port 8443. Since this port isn't open: failure.
+
+Chances are that adding the profile is still going to fail
+because again, 7.9 lacks ACME capabilities, but it will fail in
+a way that allows the installation to continue.
+
+I suspect that all of the overrides can similarly handled, or
+handled directly within the RestClient class, but for the sake
+of "do no harm" I'm only changing this instance for now.
+
+https://pagure.io/freeipa/issue/9100
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+---
+ ipaserver/install/cainstance.py | 30 +++++++++++++++++++++++++++++-
+ 1 file changed, 29 insertions(+), 1 deletion(-)
+
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index 8c8bf1b3a..ad206aad4 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -1953,7 +1953,35 @@ def import_included_profiles():
+ cn=['certprofiles'],
+ )
+
+- api.Backend.ra_certprofile.override_port = 8443
++ # At this point Apache may or may not be running with a valid
++ # certificate. The local server is not yet recognized as a full
++ # CA yet so it isn't discoverable. So try to do some detection
++ # on what port to use, 443 (remote) or 8443 (local) for importing
++ # the profiles.
++ #
++ # api.Backend.ra_certprofile invokes the RestClient class
++ # which will discover and login to the CA REST API. We can
++ # use this information to detect where to import the profiles.
++ #
++ # If the login is successful (e.g. doesn't raise an exception)
++ # and it returns our hostname (it prefers the local host) then
++ # we override and talk locally.
++ #
++ # Otherwise a NetworkError means we can't connect on 443 (perhaps
++ # a firewall) or we get an HTTP error (valid TLS certificate on
++ # Apache but no CA, login fails with 404) so we override to the
++ # local server.
++ #
++ # When override port was always set to 8443 the RestClient could
++ # pick a remote server and since 8443 isn't in our firewall profile
++ # setting up a new server would fail.
++ try:
++ with api.Backend.ra_certprofile as profile_api:
++ if profile_api.ca_host == api.env.host:
++ api.Backend.ra_certprofile.override_port = 8443
++ except (errors.NetworkError, errors.RemoteRetrieveError) as e:
++ logger.debug('Overriding CA port: %s', e)
++ api.Backend.ra_certprofile.override_port = 8443
+
+ for (profile_id, desc, store_issued) in dogtag.INCLUDED_PROFILES:
+ dn = DN(('cn', profile_id),
+--
+2.34.1
+
diff --git a/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch b/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch
new file mode 100644
index 0000000..e083b06
--- /dev/null
+++ b/SOURCES/0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch
@@ -0,0 +1,115 @@
+From 7c5540bb47799b4db95673d22f61995ad5c56440 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 31 Jan 2022 17:31:50 -0500
+Subject: [PATCH] Remove ipa-join errors from behind the debug option
+
+This brings it inline with the previous XML-RPC output which
+only hid the request and response from the output and not
+any errors returned.
+
+https://pagure.io/freeipa/issue/9103
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
+Reviewed-By: Peter Keresztes Schmidt <carbenium@outlook.com>
+---
+ client/ipa-join.c | 27 +++++++++------------------
+ 1 file changed, 9 insertions(+), 18 deletions(-)
+
+diff --git a/client/ipa-join.c b/client/ipa-join.c
+index d98739a9a..5888a33bf 100644
+--- a/client/ipa-join.c
++++ b/client/ipa-join.c
+@@ -743,8 +743,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
+
+ json_str = json_dumps(json, 0);
+ if (!json_str) {
+- if (debug)
+- fprintf(stderr, _("json_dumps() failed\n"));
++ fprintf(stderr, _("json_dumps() failed\n"));
+
+ rval = 17;
+ goto cleanup;
+@@ -758,8 +757,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
+ CURLcode res = curl_easy_perform(curl);
+ if (res != CURLE_OK)
+ {
+- if (debug)
+- fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
++ fprintf(stderr, _("JSON-RPC call failed: %s\n"), curl_easy_strerror(res));
+
+ rval = 17;
+ goto cleanup;
+@@ -769,8 +767,7 @@ jsonrpc_request(const char *ipaserver, const json_t *json, curl_buffer *response
+ curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &resp_code);
+
+ if (resp_code != 200) {
+- if (debug)
+- fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
++ fprintf(stderr, _("JSON-RPC call failed with status code: %li\n"), resp_code);
+
+ if (!quiet && resp_code == 401)
+ fprintf(stderr, _("JSON-RPC call was unauthorized. Check your credentials.\n"));
+@@ -848,8 +845,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
+
+ j_root = json_loads(payload, 0, &j_error);
+ if (!j_root) {
+- if (debug)
+- fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
++ fprintf(stderr, _("Parsing JSON-RPC response failed: %s\n"), j_error.text);
+
+ rval = 17;
+ goto cleanup;
+@@ -864,8 +860,7 @@ jsonrpc_parse_response(const char *payload, json_t** j_result_obj, bool quiet) {
+
+ *j_result_obj = json_object_get(j_root, "result");
+ if (!*j_result_obj) {
+- if (debug)
+- fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
++ fprintf(stderr, _("Parsing JSON-RPC response failed: no 'result' value found.\n"));
+
+ rval = 17;
+ goto cleanup;
+@@ -897,8 +892,7 @@ jsonrpc_parse_join_response(const char *payload, join_info *join_i, bool quiet)
+ &tmp_hostdn,
+ "krbprincipalname", &tmp_princ,
+ "krblastpwdchange", &tmp_pwdch) != 0) {
+- if (debug)
+- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
++ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+
+ rval = 17;
+ goto cleanup;
+@@ -941,8 +935,7 @@ join_krb5_jsonrpc(const char *ipaserver, const char *hostname, char **hostdn, co
+ "nshardwareplatform", uinfo.machine);
+
+ if (!json_req) {
+- if (debug)
+- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
++ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+
+ rval = 17;
+ goto cleanup;
+@@ -990,8 +983,7 @@ jsonrpc_parse_unenroll_response(const char *payload, bool* result, bool quiet) {
+
+ if (json_unpack_ex(j_result_obj, &j_error, 0, "{s:b}",
+ "result", result) != 0) {
+- if (debug)
+- fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
++ fprintf(stderr, _("Extracting the data from the JSON-RPC response failed: %s\n"), j_error.text);
+
+ rval = 20;
+ goto cleanup;
+@@ -1021,8 +1013,7 @@ jsonrpc_unenroll_host(const char *ipaserver, const char *host, bool quiet) {
+ host);
+
+ if (!json_req) {
+- if (debug)
+- fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
++ fprintf(stderr, _("json_pack_ex() failed: %s\n"), j_error.text);
+
+ rval = 17;
+ goto cleanup;
+--
+2.34.1
+
diff --git a/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch b/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
deleted file mode 100644
index 14a8b03..0000000
--- a/SOURCES/0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 30 Aug 2021 18:40:24 +0200
-Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
-
-On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
-
-According to gcrypt manual
-(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
-/proc/cpuinfo is used on ARM architecture to read the hardware
-capabilities of the CPU. This explains why the issue happens only
-on aarch64.
-
-audit2allow suggests to add the following:
-allow ipa_custodia_t proc_t:file { getattr open read };
-
-but this policy would be too broad. Instead, the patch is using
-the interface kernel_read_system_state.
-
-Fixes: https://pagure.io/freeipa/issue/8972
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
----
- selinux/ipa.te | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 68e109419..7492fca04 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
-
- kernel_dgram_send(ipa_custodia_t)
- kernel_read_network_state(ipa_custodia_t)
-+kernel_read_system_state(ipa_custodia_t)
-
- auth_read_passwd(ipa_custodia_t)
-
---
-2.31.1
-
diff --git a/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch b/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch
new file mode 100644
index 0000000..ef581d8
--- /dev/null
+++ b/SOURCES/0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch
@@ -0,0 +1,118 @@
+From 9b6d0bb1245c4891ccc270f360d0f72a4b1444c1 Mon Sep 17 00:00:00 2001
+From: Rob Crittenden <rcritten@redhat.com>
+Date: Mon, 7 Feb 2022 10:39:55 -0500
+Subject: [PATCH] Enable the ccache sweep timer during installation
+
+The timer was only being enabled during package installation
+if IPA was configured. So effectively only on upgrade.
+
+Add as a separate installation step after the ccache directory
+is configured.
+
+Fixes: https://pagure.io/freeipa/issue/9107
+
+Signed-off-by: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ ipaserver/install/httpinstance.py | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/ipaserver/install/httpinstance.py b/ipaserver/install/httpinstance.py
+index 732bb58d4..50ccf5e50 100644
+--- a/ipaserver/install/httpinstance.py
++++ b/ipaserver/install/httpinstance.py
+@@ -140,6 +140,8 @@ class HTTPInstance(service.Service):
+ self.step("publish CA cert", self.__publish_ca_cert)
+ self.step("clean up any existing httpd ccaches",
+ self.remove_httpd_ccaches)
++ self.step("enable ccache sweep",
++ self.enable_ccache_sweep)
+ self.step("configuring SELinux for httpd", self.configure_selinux_for_httpd)
+ if not self.is_kdcproxy_configured():
+ self.step("create KDC proxy config", self.create_kdcproxy_conf)
+@@ -177,6 +179,11 @@ class HTTPInstance(service.Service):
+ [paths.SYSTEMD_TMPFILES, '--create', '--prefix', paths.IPA_CCACHES]
+ )
+
++ def enable_ccache_sweep(self):
++ ipautil.run(
++ [paths.SYSTEMCTL, 'enable', 'ipa-ccache-sweep.timer']
++ )
++
+ def __configure_http(self):
+ self.update_httpd_service_ipa_conf()
+ self.update_httpd_wsgi_conf()
+--
+2.34.1
+
+From 0d9eb3d515385412abefe9c33e0099ea14f33cbc Mon Sep 17 00:00:00 2001
+From: Mohammad Rizwan <myusuf@redhat.com>
+Date: Wed, 9 Feb 2022 18:56:21 +0530
+Subject: [PATCH] Test ipa-ccache-sweep.timer enabled by default during
+ installation
+
+This test checks that ipa-ccache-sweep.timer is enabled by default
+during the ipa installation.
+
+related: https://pagure.io/freeipa/issue/9107
+
+Signed-off-by: Mohammad Rizwan <myusuf@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+---
+ .../test_integration/test_installation.py | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
+index f2d372c0c..63edbaa2b 100644
+--- a/ipatests/test_integration/test_installation.py
++++ b/ipatests/test_integration/test_installation.py
+@@ -475,7 +475,7 @@ class TestInstallCA(IntegrationTest):
+
+ # Tweak sysrestore.state to drop installation section
+ self.master.run_command(
+- ['sed','-i', r's/\[installation\]/\[badinstallation\]/',
++ ['sed', '-i', r's/\[installation\]/\[badinstallation\]/',
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+
+ # Re-run installation check and it should fall back to old method
+@@ -485,7 +485,7 @@ class TestInstallCA(IntegrationTest):
+
+ # Restore installation section.
+ self.master.run_command(
+- ['sed','-i', r's/\[badinstallation\]/\[installation\]/',
++ ['sed', '-i', r's/\[badinstallation\]/\[installation\]/',
+ os.path.join(paths.SYSRESTORE, SYSRESTORE_STATEFILE)])
+
+ # Uninstall and confirm that the old method reports correctly
+@@ -690,6 +690,7 @@ def get_pki_tomcatd_pid(host):
+ break
+ return(pid)
+
++
+ def get_ipa_services_pids(host):
+ ipa_services_name = [
+ "krb5kdc", "kadmin", "named", "httpd", "ipa-custodia",
+@@ -1309,6 +1310,20 @@ class TestInstallMasterKRA(IntegrationTest):
+ def test_install_master(self):
+ tasks.install_master(self.master, setup_dns=False, setup_kra=True)
+
++ def test_ipa_ccache_sweep_timer_enabled(self):
++ """Test ipa-ccache-sweep.timer enabled by default during installation
++
++ This test checks that ipa-ccache-sweep.timer is enabled by default
++ during the ipa installation.
++
++ related: https://pagure.io/freeipa/issue/9107
++ """
++ result = self.master.run_command(
++ ['systemctl', 'is-enabled', 'ipa-ccache-sweep.timer'],
++ raiseonerr=False
++ )
++ assert 'enabled' in result.stdout_text
++
+ def test_install_dns(self):
+ tasks.install_dns(self.master)
+
+--
+2.34.1
+
diff --git a/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch b/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
deleted file mode 100644
index e88902d..0000000
--- a/SOURCES/0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 4fca95751ca32a1ed16a6d8a4e557c5799ec5c78 Mon Sep 17 00:00:00 2001
-From: Sumit Bose <sbose@redhat.com>
-Date: Wed, 25 Aug 2021 17:10:29 +0200
-Subject: [PATCH] extdom: return LDAP_NO_SUCH_OBJECT if domains differ
-
-If a client sends a request to lookup an object from a given trusted
-domain by UID or GID and an object with matching ID is only found in a
-different domain the extdom should return LDAP_NO_SUCH_OBJECT to
-indicate to the client that the requested ID does not exists in the
-given domain.
-
-Resolves: https://pagure.io/freeipa/issue/8965
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- .../ipa-extdom-extop/ipa_extdom_common.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
-index 5d97ff613..6f646b9f4 100644
---- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
-+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
-@@ -542,7 +542,9 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx,
- if (strcasecmp(locat+1, domain_name) == 0 ) {
- locat[0] = '\0';
- } else {
-- ret = LDAP_INVALID_SYNTAX;
-+ /* The found object is from a different domain than requested,
-+ * that means it does not exist in the requested domain */
-+ ret = LDAP_NO_SUCH_OBJECT;
- goto done;
- }
- }
-@@ -655,7 +657,9 @@ int pack_ber_group(enum response_types response_type,
- if (strcasecmp(locat+1, domain_name) == 0 ) {
- locat[0] = '\0';
- } else {
-- ret = LDAP_INVALID_SYNTAX;
-+ /* The found object is from a different domain than requested,
-+ * that means it does not exist in the requested domain */
-+ ret = LDAP_NO_SUCH_OBJECT;
- goto done;
- }
- }
---
-2.31.1
-
diff --git a/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch b/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch
new file mode 100644
index 0000000..c384f15
--- /dev/null
+++ b/SOURCES/0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch
@@ -0,0 +1,31 @@
+From b36bcf4ea5ed93baa4dc63f8e2be542d678211fb Mon Sep 17 00:00:00 2001
+From: Anuja More <amore@redhat.com>
+Date: Thu, 10 Feb 2022 18:49:06 +0530
+Subject: [PATCH] ipatests: remove additional check for failed units.
+
+On RHEL tests are randomly failing because of this check
+and the test doesn't need to check this.
+
+Related : https://pagure.io/freeipa/issue/9108
+
+Signed-off-by: Anuja More <amore@redhat.com>
+Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
+---
+ ipatests/test_integration/test_otp.py | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
+index d8ce527ca..6e70ddcb3 100644
+--- a/ipatests/test_integration/test_otp.py
++++ b/ipatests/test_integration/test_otp.py
+@@ -316,7 +316,6 @@ class TestOTPToken(IntegrationTest):
+ check_services = self.master.run_command(
+ ['systemctl', 'list-units', '--state=failed']
+ )
+- assert "0 loaded units listed" in check_services.stdout_text
+ assert "ipa-otpd" not in check_services.stdout_text
+ # Be sure no services are running and failed units
+ self.master.run_command(['killall', 'ipa-otpd'], raiseonerr=False)
+--
+2.34.1
+
diff --git a/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch b/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
deleted file mode 100644
index 8ea12a5..0000000
--- a/SOURCES/0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 3c4f9e7347965ff9a887147df34e720224ffa7cc Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Tue, 7 Sep 2021 17:06:53 +0200
-Subject: [PATCH] migrate-ds: workaround to detect compat tree
-
-Migrate-ds needs to check if compat tree is enabled before
-migrating users and groups. The check is doing a base
-search on cn=compat,$SUFFIX and considers the compat tree
-enabled when the entry exists.
-
-Due to a bug in slapi-nis, the base search may return NotFound
-even though the compat tree is enabled. The workaround is to
-perform a base search on cn=users,cn=compat,$SUFFIX instead.
-
-Fixes: https://pagure.io/freeipa/issue/8984
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/plugins/migration.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/ipaserver/plugins/migration.py b/ipaserver/plugins/migration.py
-index db5241915..6ee205fc8 100644
---- a/ipaserver/plugins/migration.py
-+++ b/ipaserver/plugins/migration.py
-@@ -922,7 +922,8 @@ migration process might be incomplete\n''')
- # check whether the compat plugin is enabled
- if not options.get('compat'):
- try:
-- ldap.get_entry(DN(('cn', 'compat'), (api.env.basedn)))
-+ ldap.get_entry(DN(('cn', 'users'), ('cn', 'compat'),
-+ (api.env.basedn)))
- return dict(result={}, failed={}, enabled=True, compat=False)
- except errors.NotFound:
- pass
---
-2.31.1
-
diff --git a/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch b/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
deleted file mode 100644
index 450a75e..0000000
--- a/SOURCES/0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
+++ /dev/null
@@ -1,89 +0,0 @@
-From a3d71eb72a6125a80a9d7b698f34dcb95dc25184 Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Thu, 5 Aug 2021 20:03:21 +0530
-Subject: [PATCH] ipatests: Test ldapsearch with base scope works with compat
- tree.
-
-Added test to verify that ldapsearch for compat tree
-with scope base and sub is not failing.
-
-Related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipatests/test_integration/test_commands.py | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
-index 2035ced56..e3a0d867e 100644
---- a/ipatests/test_integration/test_commands.py
-+++ b/ipatests/test_integration/test_commands.py
-@@ -1558,6 +1558,19 @@ class TestIPACommandWithoutReplica(IntegrationTest):
- # Run the command again after cache is removed
- self.master.run_command(['ipa', 'user-show', 'ipauser1'])
-
-+ def test_basesearch_compat_tree(self):
-+ """Test ldapsearch against compat tree is working
-+
-+ This to ensure that ldapsearch with base scope is not failing.
-+
-+ related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
-+ """
-+ tasks.kinit_admin(self.master)
-+ base_dn = str(self.master.domain.basedn)
-+ base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
-+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='sub')
-+ tasks.ldapsearch_dm(self.master, base, ldap_args=[], scope='base')
-+
-
- class TestIPAautomount(IntegrationTest):
- @classmethod
---
-2.31.1
-
-From d4062e407d242a72b9d4e32f4fdd6aed086ce005 Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Thu, 5 Aug 2021 20:23:15 +0530
-Subject: [PATCH] ipatests: skip test_basesearch_compat_tree on fedora.
-
-slapi-nis with fix is not part of fedora yet.
-test requires with fix:
-https://pagure.io/slapi-nis/c/61ea8f6a104da25329e301a8f56944f860de8177?
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Mohammad Rizwan <myusuf@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- ipatests/test_integration/test_commands.py | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
-index e3a0d867e..4d9a81652 100644
---- a/ipatests/test_integration/test_commands.py
-+++ b/ipatests/test_integration/test_commands.py
-@@ -38,6 +38,7 @@ from ipatests.create_external_ca import ExternalCA
- from ipatests.test_ipalib.test_x509 import good_pkcs7, badcert
- from ipapython.ipautil import realm_to_suffix, ipa_generate_password
- from ipaserver.install.installutils import realm_to_serverid
-+from pkg_resources import parse_version
-
- logger = logging.getLogger(__name__)
-
-@@ -1565,6 +1566,12 @@ class TestIPACommandWithoutReplica(IntegrationTest):
-
- related: https://bugzilla.redhat.com/show_bug.cgi?id=1958909
- """
-+ version = self.master.run_command(
-+ ["rpm", "-qa", "--qf", "%{VERSION}", "slapi-nis"]
-+ )
-+ if tasks.get_platform(self.master) == "fedora" and parse_version(
-+ version.stdout_text) <= parse_version("0.56.7"):
-+ pytest.skip("Test requires slapi-nis with fix on fedora")
- tasks.kinit_admin(self.master)
- base_dn = str(self.master.domain.basedn)
- base = "cn=admins,cn=groups,cn=compat,{basedn}".format(basedn=base_dn)
---
-2.31.1
-
diff --git a/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch b/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
new file mode 100644
index 0000000..3c8109e
--- /dev/null
+++ b/SOURCES/0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
@@ -0,0 +1,38 @@
+From 186ebe311bc9545d7a9860cd5e8c748131bbe41e Mon Sep 17 00:00:00 2001
+From: Francisco Trivino <ftrivino@redhat.com>
+Date: Thu, 10 Feb 2022 14:23:12 +0100
+Subject: [PATCH] ipa_cldap: fix memory leak
+
+ipa_cldap_encode_netlogon() allocates memory to store binary data as part of
+berval (bv_val) when processing a CLDAP packet request from a worker. The
+data is used by ipa_cldap_respond() but bv_val is not freed later on.
+
+This commit is adding the corresponding free() after ipa_cldap_respond()
+is completed.
+
+Discovered by LeakSanitizer
+
+Fixes: https://pagure.io/freeipa/issue/9110
+Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
+Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+Reviewed-By: Thierry Bordaz <tbordaz@redhat.com>
+---
+ daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+index db4a3d061..252bcf647 100644
+--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
++++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap_worker.c
+@@ -287,6 +287,7 @@ done:
+ ipa_cldap_respond(ctx, req, &reply);
+
+ ipa_cldap_free_kvps(&req->kvps);
++ free(reply.bv_val);
+ free(req);
+ return;
+ }
+--
+2.34.1
+
diff --git a/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch b/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
deleted file mode 100644
index a223c94..0000000
--- a/SOURCES/0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From 4fdab0c94c4e17e42e5f38a0e671bea39bcc9b74 Mon Sep 17 00:00:00 2001
-From: Anuja More <amore@redhat.com>
-Date: Mon, 9 Aug 2021 20:57:22 +0530
-Subject: [PATCH] ipatests: Test unsecure nsupdate.
-
-The test configures an external bind server on the ipa-server
-(not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
-
-When the IPA client is registered using ipa-client-install,
-DNS records are added for the client in the bind server using nsupdate.
-The first try is using GSS-TIG but fails as expected, and the client
-installer then tries with unauthenticated nsupdate.
-
-Related : https://pagure.io/freeipa/issue/8402
-
-Signed-off-by: Anuja More <amore@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
----
- .../test_installation_client.py | 118 ++++++++++++++++++
- 1 file changed, 118 insertions(+)
-
-diff --git a/ipatests/test_integration/test_installation_client.py b/ipatests/test_integration/test_installation_client.py
-index fa59a5255..014b0f6ab 100644
---- a/ipatests/test_integration/test_installation_client.py
-+++ b/ipatests/test_integration/test_installation_client.py
-@@ -8,10 +8,15 @@ Module provides tests for various options of ipa-client-install.
-
- from __future__ import absolute_import
-
-+import pytest
-+import re
- import shlex
-+import textwrap
-
-+from ipaplatform.paths import paths
- from ipatests.test_integration.base import IntegrationTest
- from ipatests.pytest_ipa.integration import tasks
-+from ipatests.pytest_ipa.integration.firewall import Firewall
-
-
- class TestInstallClient(IntegrationTest):
-@@ -70,3 +75,116 @@ class TestInstallClient(IntegrationTest):
- extra_args=['--ssh-trust-dns'])
- result = self.clients[0].run_command(['cat', '/etc/ssh/ssh_config'])
- assert 'HostKeyAlgorithms' not in result.stdout_text
-+
-+
-+class TestClientInstallBind(IntegrationTest):
-+ """
-+ The test configures an external bind server on the ipa-server
-+ (not the IPA-embedded DNS server) that allows unauthenticated nsupdates.
-+ When the IPA client is registered using ipa-client-install,
-+ DNS records are added for the client in the bind server using nsupdate.
-+ The first try is using GSS-TIG but fails as expected, and the client
-+ installer then tries with unauthenticated nsupdate.
-+ """
-+
-+ num_clients = 1
-+
-+ @classmethod
-+ def install(cls, mh):
-+ cls.client = cls.clients[0]
-+
-+ @pytest.fixture
-+ def setup_bindserver(self):
-+ bindserver = self.master
-+ named_conf_backup = tasks.FileBackup(self.master, paths.NAMED_CONF)
-+ # create a zone in the BIND server that is identical to the IPA
-+ add_zone = textwrap.dedent("""
-+ zone "{domain}" IN {{ type master;
-+ file "{domain}.db"; allow-query {{ any; }};
-+ allow-update {{ any; }}; }};
-+ """).format(domain=bindserver.domain.name)
-+
-+ namedcfg = bindserver.get_file_contents(
-+ paths.NAMED_CONF, encoding='utf-8')
-+ namedcfg += '\n' + add_zone
-+ bindserver.put_file_contents(paths.NAMED_CONF, namedcfg)
-+
-+ def update_contents(path, pattern, replace):
-+ contents = bindserver.get_file_contents(path, encoding='utf-8')
-+ namedcfg_query = re.sub(pattern, replace, contents)
-+ bindserver.put_file_contents(path, namedcfg_query)
-+
-+ update_contents(paths.NAMED_CONF, 'localhost;', 'any;')
-+ update_contents(paths.NAMED_CONF, "listen-on port 53 { 127.0.0.1; };",
-+ "#listen-on port 53 { 127.0.0.1; };")
-+ update_contents(paths.NAMED_CONF, "listen-on-v6 port 53 { ::1; };",
-+ "#listen-on-v6 port 53 { ::1; };")
-+
-+ add_records = textwrap.dedent("""
-+ @ IN SOA {fqdn}. root.{domain}. (
-+ 1001 ;Serial
-+ 3H ;Refresh
-+ 15M ;Retry
-+ 1W ;Expire
-+ 1D ;Minimum 1D
-+ )
-+ @ IN NS {fqdn}.
-+ ns1 IN A {bindserverip}
-+ _kerberos.{domain}. IN TXT {zoneupper}
-+ {fqdn}. IN A {bindserverip}
-+ ipa-ca.{domain}. IN A {bindserverip}
-+ _kerberos-master._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
-+ _kerberos-master._udp.{domain}. IN SRV 0 100 88 {fqdn}.
-+ _kerberos._tcp.{domain}. IN SRV 0 100 88 {fqdn}.
-+ _kerberos._udp.{domain}. IN SRV 0 100 88 {fqdn}.
-+ _kpasswd._tcp.{domain}. IN SRV 0 100 464 {fqdn}.
-+ _kpasswd._udp.{domain}. IN SRV 0 100 464 {fqdn}.
-+ _ldap._tcp.{domain}. IN SRV 0 100 389 {fqdn}.
-+ """).format(
-+ fqdn=bindserver.hostname,
-+ domain=bindserver.domain.name,
-+ bindserverip=bindserver.ip,
-+ zoneupper=bindserver.domain.name.upper()
-+ )
-+ bindserverdb = "/var/named/{0}.db".format(bindserver.domain.name)
-+ bindserver.put_file_contents(bindserverdb, add_records)
-+ bindserver.run_command(['systemctl', 'start', 'named'])
-+ Firewall(bindserver).enable_services(["dns"])
-+ yield
-+ named_conf_backup.restore()
-+ bindserver.run_command(['rm', '-rf', bindserverdb])
-+
-+ def test_client_nsupdate(self, setup_bindserver):
-+ """Test secure nsupdate failed, then try unsecure nsupdate..
-+
-+ Test to verify when bind is configured with dynamic update policy,
-+ and during client-install 'nsupdate -g' fails then it should run with
-+ second call using unauthenticated nsupdate.
-+
-+ Related : https://pagure.io/freeipa/issue/8402
-+ """
-+ # with pre-configured bind server, install ipa-server without dns.
-+ tasks.install_master(self.master, setup_dns=False)
-+ self.client.resolver.backup()
-+ self.client.resolver.setup_resolver(
-+ self.master.ip, self.master.domain.name)
-+ try:
-+ self.client.run_command(['ipa-client-install', '-U',
-+ '--domain', self.client.domain.name,
-+ '--realm', self.client.domain.realm,
-+ '-p', self.client.config.admin_name,
-+ '-w', self.client.config.admin_password,
-+ '--server', self.master.hostname])
-+ # call unauthenticated nsupdate if GSS-TSIG nsupdate failed.
-+ str1 = "nsupdate (GSS-TSIG) failed"
-+ str2 = "'/usr/bin/nsupdate', '/etc/ipa/.dns_update.txt'"
-+ client_log = self.client.get_file_contents(
-+ paths.IPACLIENT_INSTALL_LOG, encoding='utf-8'
-+ )
-+ assert str1 in client_log and str2 in client_log
-+ dig_after = self.client.run_command(
-+ ['dig', '@{0}'.format(self.master.ip), self.client.hostname,
-+ '-t', 'SSHFP'])
-+ assert "ANSWER: 0" not in dig_after.stdout_text.strip()
-+ finally:
-+ self.client.resolver.restore()
---
-2.31.1
-
diff --git a/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch b/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
new file mode 100644
index 0000000..e7081cd
--- /dev/null
+++ b/SOURCES/0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
@@ -0,0 +1,40 @@
+From 4c54e9d6ddb72eab6f654bf3dc2d29f27498ac96 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Sun, 5 Dec 2021 17:38:58 +0100
+Subject: [PATCH] ipatests: fix
+ TestOTPToken::test_check_otpd_after_idle_timeout
+
+The test sets 389-ds nsslapd-idletimeout to 60s, then does a
+kinit with an otp token (which makes ipa-otpd create a LDAP
+connection), then sleeps for 60s. The expectation is that
+ns-slapd will detect that the LDAP conn from ipa-otpd is idle
+and close the connection.
+According to 389ds doc, the idle timeout is enforced when the
+connection table is walked. By doing a ldapsearch, the test
+"wakes up" ns-slapd and forces the detection of ipa-otpd
+idle connection.
+
+Fixes: https://pagure.io/freeipa/issue/9044
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Anuja More <amore@redhat.com>
+---
+ ipatests/test_integration/test_otp.py | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/ipatests/test_integration/test_otp.py b/ipatests/test_integration/test_otp.py
+index 353470897..d8ce527ca 100644
+--- a/ipatests/test_integration/test_otp.py
++++ b/ipatests/test_integration/test_otp.py
+@@ -354,6 +354,9 @@ class TestOTPToken(IntegrationTest):
+ otpvalue = totp.generate(int(time.time())).decode("ascii")
+ kinit_otp(self.master, USER, password=PASSWORD, otp=otpvalue)
+ time.sleep(60)
++ # ldapsearch will wake up slapd and force walking through
++ # the connection list, in order to spot the idle connections
++ tasks.ldapsearch_dm(self.master, "", ldap_args=[], scope="base")
+
+ def test_cb(cmd_jornalctl):
+ # check if LDAP connection is timed out
+--
+2.34.1
+
diff --git a/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch b/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
deleted file mode 100644
index 739e7c3..0000000
--- a/SOURCES/0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
+++ /dev/null
@@ -1,128 +0,0 @@
-From be1e3bbfc13aff9a583108376f245b81cc3666fb Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Thu, 9 Sep 2021 15:26:55 -0400
-Subject: [PATCH] Don't store entries with a usercertificate in the LDAP cache
-
-usercertificate often has a subclass and both the plain and
-subclassed (binary) values are queried. I'm concerned that
-they are used more or less interchangably in places so not
-caching these entries is the safest path forward for now until
-we can dedicate the time to find all usages, determine their
-safety and/or perhaps handle this gracefully within the cache
-now.
-
-What we see in this bug is that usercertificate;binary holds the
-first certificate value but a user-mod is done with
-setattr usercertificate=<new_cert>. Since there is no
-usercertificate value (remember, it's usercertificate;binary)
-a replace is done and 389-ds wipes the existing value as we've
-asked it to.
-
-I'm not comfortable with simply treating them the same because
-in LDAP they are not.
-
-https://pagure.io/freeipa/issue/8986
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Francois Cami <fcami@redhat.com>
-Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
----
- ipapython/ipaldap.py | 14 +++++++++++---
- 1 file changed, 11 insertions(+), 3 deletions(-)
-
-diff --git a/ipapython/ipaldap.py b/ipapython/ipaldap.py
-index f94b784d6..ced8f1bd6 100644
---- a/ipapython/ipaldap.py
-+++ b/ipapython/ipaldap.py
-@@ -1821,9 +1821,17 @@ class LDAPCache(LDAPClient):
- entry=None, exception=None):
- # idnsname - caching prevents delete when mod value to None
- # cospriority - in a Class of Service object, uncacheable
-- # TODO - usercertificate was banned at one point and I don't remember
-- # why...
-- BANNED_ATTRS = {'idnsname', 'cospriority'}
-+ # usercertificate* - caching subtypes is tricky, trade less
-+ # complexity for performance
-+ #
-+ # TODO: teach the cache about subtypes
-+
-+ BANNED_ATTRS = {
-+ 'idnsname',
-+ 'cospriority',
-+ 'usercertificate',
-+ 'usercertificate;binary'
-+ }
- if not self._enable_cache:
- return
-
---
-2.31.1
-
-From 86588640137562b2016fdb0f91142d00bc38e54a Mon Sep 17 00:00:00 2001
-From: Rob Crittenden <rcritten@redhat.com>
-Date: Fri, 10 Sep 2021 09:01:48 -0400
-Subject: [PATCH] ipatests: Test that a user can be issued multiple
- certificates
-
-Prevent regressions in the LDAP cache layer that caused newly
-issued certificates to overwrite existing ones.
-
-https://pagure.io/freeipa/issue/8986
-
-Signed-off-by: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Francois Cami <fcami@redhat.com>
-Reviewed-By: Fraser Tweedale <ftweedal@redhat.com>
----
- ipatests/test_integration/test_cert.py | 29 ++++++++++++++++++++++++++
- 1 file changed, 29 insertions(+)
-
-diff --git a/ipatests/test_integration/test_cert.py b/ipatests/test_integration/test_cert.py
-index 7d51b76ee..b4e85eadc 100644
---- a/ipatests/test_integration/test_cert.py
-+++ b/ipatests/test_integration/test_cert.py
-@@ -16,6 +16,7 @@ import string
- import time
-
- from ipaplatform.paths import paths
-+from ipapython.dn import DN
- from cryptography import x509
- from cryptography.x509.oid import ExtensionOID
- from cryptography.hazmat.backends import default_backend
-@@ -183,6 +184,34 @@ class TestInstallMasterClient(IntegrationTest):
- )
- assert "profile: caServerCert" in result.stdout_text
-
-+ def test_multiple_user_certificates(self):
-+ """Test that a user may be issued multiple certificates"""
-+ ldap = self.master.ldap_connect()
-+
-+ user = 'user1'
-+
-+ tasks.kinit_admin(self.master)
-+ tasks.user_add(self.master, user)
-+
-+ for id in (0,1):
-+ csr_file = f'{id}.csr'
-+ key_file = f'{id}.key'
-+ cert_file = f'{id}.crt'
-+ openssl_cmd = [
-+ 'openssl', 'req', '-newkey', 'rsa:2048', '-keyout', key_file,
-+ '-nodes', '-out', csr_file, '-subj', '/CN=' + user]
-+ self.master.run_command(openssl_cmd)
-+
-+ cmd_args = ['ipa', 'cert-request', '--principal', user,
-+ '--certificate-out', cert_file, csr_file]
-+ self.master.run_command(cmd_args)
-+
-+ # easier to count by pulling the LDAP entry
-+ entry = ldap.get_entry(DN(('uid', user), ('cn', 'users'),
-+ ('cn', 'accounts'), self.master.domain.basedn))
-+
-+ assert len(entry.get('usercertificate')) == 2
-+
- @pytest.fixture
- def test_subca_certs(self):
- """
---
-2.31.1
-
diff --git a/SOURCES/0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch b/SOURCES/0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
deleted file mode 100644
index b4f0431..0000000
--- a/SOURCES/0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-From 653a7fe02880c168755984133ee143567cc7bb4e Mon Sep 17 00:00:00 2001
-From: Francisco Trivino <ftrivino@redhat.com>
-Date: Feb 01 2022 07:57:24 +0000
-Subject: Custodia: use a stronger encryption algo when exporting keys
-
-
-The Custodia key export handler is using the default's OpenSSL encryption
-scheme for PKCS#12.
-
-This represents an issue when performing a migration from CentOS Stream 8 (C8S)
-to CentOS Steam 9 (C9S) where the Custodia client running in the new C9S
-replica talks to the Custodia server on C8S source server. The later creates an
-encrypted PKCS#12 file that contains the cert and the key using the OpenSSL's
-default encryption scheme, which is no longer supported on C9S.
-
-This commit enforces a stronger encryption algorigthm by adding following
-arguments to the Custodia server handler:
-
--keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha384
-
-The new arguments enforce stronger PBEv2 instead of the insecure PBEv1.
-
-Fixes: https://pagure.io/freeipa/issue/9101
-
-Signed-off-by: Francisco Trivino <ftrivino@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
-
----
-
-diff --git a/ipaserver/secrets/handlers/pemfile.py b/ipaserver/secrets/handlers/pemfile.py
-index 4e8eff0..ad36bd0 100644
---- a/ipaserver/secrets/handlers/pemfile.py
-+++ b/ipaserver/secrets/handlers/pemfile.py
-@@ -31,6 +31,9 @@ def export_key(args, tmpdir):
- '-out', pk12file,
- '-inkey', args.keyfile,
- '-password', 'file:{pk12pwfile}'.format(pk12pwfile=pk12pwfile),
-+ '-keypbe', 'AES-256-CBC',
-+ '-certpbe', 'AES-256-CBC',
-+ '-macalg', 'sha384',
- ])
-
- with open(pk12file, 'rb') as f:
-
diff --git a/SOURCES/0015-uninstall-remove-tdb-files_rhbz#2065719.patch b/SOURCES/0015-uninstall-remove-tdb-files_rhbz#2065719.patch
deleted file mode 100644
index b2530eb..0000000
--- a/SOURCES/0015-uninstall-remove-tdb-files_rhbz#2065719.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 6302769b83af75f267c76fe6f854d5b42b6b80f5 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Oct 21 2021 19:58:19 +0000
-Subject: ipa-server-install uninstall: remove tdb files
-
-
-ipa-server-install uninstaller must remove samba *.tdb files
-in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
-The current code calls rm on the relative path filename
-instead of building an absolute path filename,
-resulting in failure to remove the tdb files.
-
-Related: https://pagure.io/freeipa/issue/8687
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-
----
-
-diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
-index 24e90f3..e034fab 100644
---- a/ipaserver/install/adtrustinstance.py
-+++ b/ipaserver/install/adtrustinstance.py
-@@ -918,11 +918,18 @@ class ADTRUSTInstance(service.Service):
- ipautil.remove_file(self.smb_conf)
-
- # Remove samba's persistent and temporary tdb files
-- if os.path.isdir(paths.SAMBA_DIR):
-- tdb_files = [tdb_file for tdb_file in os.listdir(paths.SAMBA_DIR)
-- if tdb_file.endswith(".tdb")]
-- for tdb_file in tdb_files:
-- ipautil.remove_file(tdb_file)
-+ # in /var/lib/samba and /var/lib/samba/private
-+ for smbpath in (paths.SAMBA_DIR,
-+ os.path.join(paths.SAMBA_DIR, "private"),
-+ os.path.join(paths.SAMBA_DIR, "lock")):
-+ if os.path.isdir(smbpath):
-+ tdb_files = [
-+ os.path.join(smbpath, tdb_file)
-+ for tdb_file in os.listdir(smbpath)
-+ if tdb_file.endswith(".tdb")
-+ ]
-+ for tdb_file in tdb_files:
-+ ipautil.remove_file(tdb_file)
-
- # Remove our keys from samba's keytab
- self.clean_samba_keytab()
-
-From 82eaa2eac454aed75a498d2c6ccd9e921f9c8a89 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Oct 21 2021 19:58:19 +0000
-Subject: ipa-client-samba uninstall: remove tdb files
-
-
-ipa-client-samba uninstaller must remove samba *.tdb files
-in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
-The current code calls rm on the relative path filename
-instead of building an absolute path filename,
-resulting in failure to remove the tdb files.
-
-Fixes: https://pagure.io/freeipa/issue/8687
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-
----
-
-diff --git a/ipaclient/install/ipa_client_samba.py b/ipaclient/install/ipa_client_samba.py
-index fd89e59..222ff31 100755
---- a/ipaclient/install/ipa_client_samba.py
-+++ b/ipaclient/install/ipa_client_samba.py
-@@ -446,13 +446,17 @@ def uninstall(fstore, statestore, options):
- fstore.restore_file(paths.SMB_CONF)
-
- # Remove samba's persistent and temporary tdb files
-- tdb_files = [
-- tdb_file
-- for tdb_file in os.listdir(paths.SAMBA_DIR)
-- if tdb_file.endswith(".tdb")
-- ]
-- for tdb_file in tdb_files:
-- ipautil.remove_file(tdb_file)
-+ # in /var/lib/samba and /var/lib/samba/private
-+ for smbpath in (paths.SAMBA_DIR,
-+ os.path.join(paths.SAMBA_DIR, "private"),
-+ os.path.join(paths.SAMBA_DIR, "lock")):
-+ tdb_files = [
-+ os.path.join(smbpath, tdb_file)
-+ for tdb_file in os.listdir(smbpath)
-+ if tdb_file.endswith(".tdb")
-+ ]
-+ for tdb_file in tdb_files:
-+ ipautil.remove_file(tdb_file)
-
- # Remove our keys from samba's keytab
- if os.path.exists(paths.SAMBA_KEYTAB):
-
diff --git a/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
new file mode 100644
index 0000000..48bb8e0
--- /dev/null
+++ b/SOURCES/1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
@@ -0,0 +1,122 @@
+From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
+From: Alexander Bokovoy <abokovoy@redhat.com>
+Date: Fri, 26 Nov 2021 11:13:51 +0200
+Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
+ MS-SFU updates
+
+New versions of MS-KILE and MS-SFU after Windows Server November 2021
+security updates add PAC_REQUESTER_SID buffer check behavior:
+
+ - PAC_REQUESTER_SID should only be added for TGT requests
+
+ - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
+ the ticket resolves to the account with the same SID as the
+ PAC_REQUESTER_SID. If it doesn't KDC must respond with
+ KDC_ERR_TKT_REVOKED
+
+Change requester SID check to skip exact check for non-local
+PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
+we know about.
+
+If requester SID is the same as in PAC, we already do cname vs PAC SID
+verification.
+
+With these changes FreeIPA works against Windows Server 2019 with
+November 2021 security fixes in cross-realm S4U2Self operations.
+
+Fixes: https://pagure.io/freeipa/issue/9031
+
+Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+ daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
+ 1 file changed, 34 insertions(+), 13 deletions(-)
+
+diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
+index 538cfbba9..1b972c167 100644
+--- a/daemons/ipa-kdb/ipa_kdb_mspac.c
++++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
+@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+ "local [%s], PAC [%s]",
+ dom ? dom : "<failed to display>",
+ sid ? sid : "<failed to display>");
+- return KRB5KDC_ERR_POLICY;
++ return KRB5KDC_ERR_TGT_REVOKED;
+ }
+ }
+
+@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+ kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
+ if (kerr != 0) {
+ krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
+- return KRB5KDC_ERR_POLICY;
++ return KRB5KDC_ERR_TGT_REVOKED;
+ }
+
+ ied = (struct ipadb_e_data *)client_actual->e_data;
+@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
+ "local [%s] vs PAC [%s]",
+ local_sid ? local_sid : "<failed to display>",
+ pac_sid ? pac_sid : "<failed to display>");
+- kerr = KRB5KDC_ERR_POLICY;
++ kerr = KRB5KDC_ERR_TGT_REVOKED;
+ goto done;
+ }
+
+@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
+ /* Check that requester SID is the same as in the PAC entry */
+ if (requester_sid != NULL) {
+ struct dom_sid client_sid;
++ bool is_from_trusted_domain = false;
+ kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
+ if (kerr) {
+ goto done;
+ }
+ result = dom_sid_check(&client_sid, requester_sid, true);
+ if (!result) {
+- /* memctx is freed by the caller */
+- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
+- char *req_sid = dom_sid_string(tmpctx, requester_sid);
+- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
+- "different from what PAC requester claims. "
+- "PAC [%s] vs PAC requester [%s]",
+- pac_sid ? pac_sid : "<failed to display>",
+- req_sid ? req_sid : "<failed to display>");
+- kerr = KRB5KDC_ERR_POLICY;
+- goto done;
++ struct ipadb_context *ipactx = ipadb_get_context(context);
++ if (!ipactx || !ipactx->mspac) {
++ return KRB5_KDB_DBNOTINITED;
++ }
++ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
++ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
++ /* Iterate through list of trusts and check if this SID belongs to
++ * one of the domains we trust */
++ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
++ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
++ requester_sid, false);
++ if (result) {
++ is_from_trusted_domain = true;
++ break;
++ }
++ }
++ }
++
++ if (!is_from_trusted_domain) {
++ /* memctx is freed by the caller */
++ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
++ char *req_sid = dom_sid_string(tmpctx, requester_sid);
++ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
++ "different from what PAC requester claims. "
++ "PAC [%s] vs PAC requester [%s]",
++ pac_sid ? pac_sid : "<failed to display>",
++ req_sid ? req_sid : "<failed to display>");
++ kerr = KRB5KDC_ERR_TGT_REVOKED;
++ goto done;
++ }
+ }
+ }
+
+--
+2.31.1
+
diff --git a/SOURCES/freeipa-4.9.6-bf-2.patch b/SOURCES/freeipa-4.9.6-bf-2.patch
deleted file mode 100644
index abfc547..0000000
--- a/SOURCES/freeipa-4.9.6-bf-2.patch
+++ /dev/null
@@ -1,222 +0,0 @@
-From fe59e6a0b06926a3d71c6b6f361714d1422d5b0f Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Thu, 11 Nov 2021 09:58:09 +0200
-Subject: [PATCH 1/2] ipa-kdb: honor SID from the host or service entry
-
-If the SID was explicitly set for the host or service entry, honor it
-when issuing PAC. For normal services and hosts we don't allocate
-individual SIDs but for cifs/... principals on domain members we do as
-they need to login to Samba domain controller.
-
-Related: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 46 ++++++++++++++++++++-------------
- 1 file changed, 28 insertions(+), 18 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 0e0ee3616..6f272f9fe 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -653,6 +653,28 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
- * clear it after detecting the changes */
- info3->base.acct_flags = ACB_USE_AES_KEYS;
-
-+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-+ "ipaNTSecurityIdentifier", &strres);
-+ if (ret) {
-+ /* SID is mandatory for all but host/services */
-+ if (!(is_host || is_service)) {
-+ return ret;
-+ }
-+ info3->base.rid = 0;
-+ } else {
-+ ret = ipadb_string_to_sid(strres, &sid);
-+ free(strres);
-+ if (ret) {
-+ return ret;
-+ }
-+ ret = sid_split_rid(&sid, &info3->base.rid);
-+ if (ret) {
-+ return ret;
-+ }
-+ }
-+
-+ /* If SID was present prefer using it even for hosts and services
-+ * but we still need to set the account flags correctly */
- if ((is_host || is_service)) {
- /* it is either host or service, so get the hostname first */
- char *sep = strchr(info3->base.account_name.string, '/');
-@@ -661,29 +683,17 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
- sep ? sep + 1 : info3->base.account_name.string);
- if (is_master) {
- /* Well known RID of domain controllers group */
-- info3->base.rid = 516;
-+ if (info3->base.rid == 0) {
-+ info3->base.rid = 516;
-+ }
- info3->base.acct_flags |= ACB_SVRTRUST;
- } else {
- /* Well known RID of domain computers group */
-- info3->base.rid = 515;
-+ if (info3->base.rid == 0) {
-+ info3->base.rid = 515;
-+ }
- info3->base.acct_flags |= ACB_WSTRUST;
- }
-- } else {
-- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-- "ipaNTSecurityIdentifier", &strres);
-- if (ret) {
-- /* SID is mandatory */
-- return ret;
-- }
-- ret = ipadb_string_to_sid(strres, &sid);
-- free(strres);
-- if (ret) {
-- return ret;
-- }
-- ret = sid_split_rid(&sid, &info3->base.rid);
-- if (ret) {
-- return ret;
-- }
- }
-
- ret = ipadb_ldap_deref_results(ipactx->lcontext, lentry, &deref_results);
---
-2.33.1
-
-
-From 21af43550aa0a31e1ec5240578bd64fcbdd4ee24 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Thu, 11 Nov 2021 10:16:47 +0200
-Subject: [PATCH 2/2] ipa-kdb: validate domain SID in incoming PAC for trusted
- domains for S4U
-
-Previously, ipadb_check_logon_info() was called only for cross-realm
-case. Now we call it for both in-realm and cross-realm cases. In case of
-the S4U2Proxy, we would be passed a PAC of the original caller which
-might be a principal from the trusted realm. We cannot validate that PAC
-against our local client DB entry because this is the proxy entry which
-is guaranteed to have different SID.
-
-In such case, validate the SID of the domain in PAC against our realm
-and any trusted doman but skip an additional check of the DB entry in
-the S4U2Proxy case.
-
-Related: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 54 ++++++++++++++++++++++++++-------
- 1 file changed, 43 insertions(+), 11 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 6f272f9fe..6f7d1ac15 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -1637,11 +1637,13 @@ static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
- static krb5_error_code check_logon_info_consistent(krb5_context context,
- TALLOC_CTX *memctx,
- krb5_const_principal client_princ,
-+ krb5_boolean is_s4u,
- struct PAC_LOGON_INFO_CTR *info)
- {
- krb5_error_code kerr = 0;
- struct ipadb_context *ipactx;
- bool result;
-+ bool is_from_trusted_domain = false;
- krb5_db_entry *client_actual = NULL;
- struct ipadb_e_data *ied = NULL;
- int flags = 0;
-@@ -1671,14 +1673,36 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- result = dom_sid_check(&ipactx->mspac->domsid,
- info->info->info3.base.domain_sid, true);
- if (!result) {
-- /* memctx is freed by the caller */
-- char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
-- char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
-- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
-- "to local domain SID: local [%s], PAC [%s]",
-- dom ? dom : "<failed to display>",
-- sid ? sid : "<failed to display>");
-- return KRB5KDC_ERR_POLICY;
-+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
-+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
-+ /* Iterate through list of trusts and check if this SID belongs to
-+ * one of the domains we trust */
-+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
-+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
-+ info->info->info3.base.domain_sid, true);
-+ if (result) {
-+ is_from_trusted_domain = true;
-+ break;
-+ }
-+ }
-+ }
-+
-+ if (!result) {
-+ /* memctx is freed by the caller */
-+ char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
-+ char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
-+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
-+ "to local domain SID or any trusted domain SID: "
-+ "local [%s], PAC [%s]",
-+ dom ? dom : "<failed to display>",
-+ sid ? sid : "<failed to display>");
-+ return KRB5KDC_ERR_POLICY;
-+ }
-+ }
-+
-+ if (is_s4u && is_from_trusted_domain) {
-+ /* If the PAC belongs to a user from the trusted domain, we cannot compare SIDs */
-+ return 0;
- }
-
- kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
-@@ -1703,6 +1727,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- goto done;
- }
-
-+
- kerr = ipadb_get_sid_from_pac(memctx, info->info, &client_sid);
- if (kerr) {
- goto done;
-@@ -1956,6 +1981,7 @@ krb5_error_code filter_logon_info(krb5_context context,
- static krb5_error_code ipadb_check_logon_info(krb5_context context,
- krb5_const_principal client_princ,
- krb5_boolean is_cross_realm,
-+ krb5_boolean is_s4u,
- krb5_data *pac_blob,
- struct dom_sid *requester_sid)
- {
-@@ -1999,8 +2025,11 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
-
- if (!is_cross_realm) {
- /* For local realm case we need to check whether the PAC is for our user
-- * but we don't need to process further */
-- kerr = check_logon_info_consistent(context, tmpctx, client_princ, &info);
-+ * but we don't need to process further. In S4U2Proxy case when the client
-+ * is ours but operates on behalf of the cross-realm principal, we will
-+ * search through the trusted domains but otherwise skip the exact SID check
-+ * as we are not responsible for the principal from the trusted domain */
-+ kerr = check_logon_info_consistent(context, tmpctx, client_princ, is_s4u, &info);
- goto done;
- }
-
-@@ -2251,7 +2280,10 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
- #endif
-
- kerr = ipadb_check_logon_info(context,
-- client_princ, is_cross_realm, &pac_blob,
-+ client_princ,
-+ is_cross_realm,
-+ (flags & KRB5_KDB_FLAGS_S4U),
-+ &pac_blob,
- requester_sid);
- if (kerr != 0) {
- goto done;
---
-2.33.1
-
diff --git a/SOURCES/freeipa-4.9.6-bf-3.patch b/SOURCES/freeipa-4.9.6-bf-3.patch
deleted file mode 100644
index 48bb8e0..0000000
--- a/SOURCES/freeipa-4.9.6-bf-3.patch
+++ /dev/null
@@ -1,122 +0,0 @@
-From 7d93bda31ce0b4e0e22c6e464c9138800dcf8b1c Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 26 Nov 2021 11:13:51 +0200
-Subject: [PATCH] ipa-kdb: fix requester SID check according to MS-KILE and
- MS-SFU updates
-
-New versions of MS-KILE and MS-SFU after Windows Server November 2021
-security updates add PAC_REQUESTER_SID buffer check behavior:
-
- - PAC_REQUESTER_SID should only be added for TGT requests
-
- - if PAC_REQUESTER_SID is present, KDC must verify that the cname on
- the ticket resolves to the account with the same SID as the
- PAC_REQUESTER_SID. If it doesn't KDC must respond with
- KDC_ERR_TKT_REVOKED
-
-Change requester SID check to skip exact check for non-local
-PAC_REQUESTER_SID but harden to ensure it comes from the trusted domains
-we know about.
-
-If requester SID is the same as in PAC, we already do cname vs PAC SID
-verification.
-
-With these changes FreeIPA works against Windows Server 2019 with
-November 2021 security fixes in cross-realm S4U2Self operations.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 47 ++++++++++++++++++++++++---------
- 1 file changed, 34 insertions(+), 13 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 538cfbba9..1b972c167 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -1697,7 +1697,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- "local [%s], PAC [%s]",
- dom ? dom : "<failed to display>",
- sid ? sid : "<failed to display>");
-- return KRB5KDC_ERR_POLICY;
-+ return KRB5KDC_ERR_TGT_REVOKED;
- }
- }
-
-@@ -1709,7 +1709,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
- if (kerr != 0) {
- krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
-- return KRB5KDC_ERR_POLICY;
-+ return KRB5KDC_ERR_TGT_REVOKED;
- }
-
- ied = (struct ipadb_e_data *)client_actual->e_data;
-@@ -1743,7 +1743,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- "local [%s] vs PAC [%s]",
- local_sid ? local_sid : "<failed to display>",
- pac_sid ? pac_sid : "<failed to display>");
-- kerr = KRB5KDC_ERR_POLICY;
-+ kerr = KRB5KDC_ERR_TGT_REVOKED;
- goto done;
- }
-
-@@ -2005,22 +2005,43 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
- /* Check that requester SID is the same as in the PAC entry */
- if (requester_sid != NULL) {
- struct dom_sid client_sid;
-+ bool is_from_trusted_domain = false;
- kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
- if (kerr) {
- goto done;
- }
- result = dom_sid_check(&client_sid, requester_sid, true);
- if (!result) {
-- /* memctx is freed by the caller */
-- char *pac_sid = dom_sid_string(tmpctx, &client_sid);
-- char *req_sid = dom_sid_string(tmpctx, requester_sid);
-- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
-- "different from what PAC requester claims. "
-- "PAC [%s] vs PAC requester [%s]",
-- pac_sid ? pac_sid : "<failed to display>",
-- req_sid ? req_sid : "<failed to display>");
-- kerr = KRB5KDC_ERR_POLICY;
-- goto done;
-+ struct ipadb_context *ipactx = ipadb_get_context(context);
-+ if (!ipactx || !ipactx->mspac) {
-+ return KRB5_KDB_DBNOTINITED;
-+ }
-+ /* In S4U case we might be dealing with the PAC issued by the trusted domain */
-+ if (is_s4u && (ipactx->mspac->trusts != NULL)) {
-+ /* Iterate through list of trusts and check if this SID belongs to
-+ * one of the domains we trust */
-+ for(int i = 0 ; i < ipactx->mspac->num_trusts ; i++) {
-+ result = dom_sid_check(&ipactx->mspac->trusts[i].domsid,
-+ requester_sid, false);
-+ if (result) {
-+ is_from_trusted_domain = true;
-+ break;
-+ }
-+ }
-+ }
-+
-+ if (!is_from_trusted_domain) {
-+ /* memctx is freed by the caller */
-+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
-+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
-+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
-+ "different from what PAC requester claims. "
-+ "PAC [%s] vs PAC requester [%s]",
-+ pac_sid ? pac_sid : "<failed to display>",
-+ req_sid ? req_sid : "<failed to display>");
-+ kerr = KRB5KDC_ERR_TGT_REVOKED;
-+ goto done;
-+ }
- }
- }
-
---
-2.31.1
-
diff --git a/SOURCES/freeipa-4.9.6-bf.patch b/SOURCES/freeipa-4.9.6-bf.patch
deleted file mode 100644
index b6e3174..0000000
--- a/SOURCES/freeipa-4.9.6-bf.patch
+++ /dev/null
@@ -1,3979 +0,0 @@
-From 2ab6c0fc96adb90880f9bc23661ed3997b0a7023 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 27 Sep 2021 17:07:13 +0200
-Subject: [PATCH 01/22] Design: Integrate SID configuration into base IPA
- installers
-
-Add design doc for the feature.
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
----
- doc/designs/adtrust/sidconfig.md | 301 +++++++++++++++++++++++++++++++
- doc/designs/index.rst | 1 +
- 2 files changed, 302 insertions(+)
- create mode 100644 doc/designs/adtrust/sidconfig.md
-
-diff --git a/doc/designs/adtrust/sidconfig.md b/doc/designs/adtrust/sidconfig.md
-new file mode 100644
-index 000000000..f65d10529
---- /dev/null
-+++ b/doc/designs/adtrust/sidconfig.md
-@@ -0,0 +1,301 @@
-+# Integrate SID configuration into base IPA installers
-+
-+## Overview
-+
-+FreeIPA is able to issue Kerberos tickets with PAC data when it is configured
-+for trust. The goal of this feature is to allow PAC generation in the
-+general use case, even without trust, as it is a first step towards
-+IPA-IPA trust.
-+
-+Reference: https://pagure.io/freeipa/issue/8995
-+
-+In order to generate PAC data for a kerberos principal, IPA needs to assign
-+a SID to the users and groups. IPA installers (`ipa-server-install`,
-+`ipa-replica-install`) must handle the configuration related to SID:
-+- assign a NetBIOS name to the server
-+- assign a domain SID to the IPA domain
-+- configure the local id range with primary RID base and secondary RID base
-+- enable the sidgen plugin on 389ds server
-+
-+The code handling these steps is already available in ipa-adtrust-install
-+and needs to be moved to the general installers.
-+
-+## Use Cases
-+
-+### Fresh install
-+As administrator, I want to deploy an IPA topology that automatically
-+assigns SIDs to users and groups and issues kerberos tickets with PAC data,
-+without the need to configure IPA for trust.
-+
-+If I later decide to configure IPA for trust, I can still run the command
-+`ipa-adtrust-install`.
-+
-+### Existing installation, no trust
-+
-+As IPA administrator, I am managing an existing IPA installation without any
-+trust. I want to update IPA and have the choice of enabling (or not) the
-+generation of SIDs and PAC data.
-+
-+If I choose to enable PAC data, I just need to run a command that requires
-+an admin kerberos ticket. The command handles the SID-related configuration
-+and prompts me whether I want to immediately generate SIDs for
-+existing users/groups or run that task later.
-+
-+### Existing installation, trust configured
-+
-+In this topology with trust configured (the command `ipa-adtrust-install` has
-+been executed), IPA is already able to issue Kerberos tickets with PAC data.
-+Update does not modify the configuration.
-+
-+### Mixed topology
-+
-+As IPA administrator, I am managing an existing server setup without trust and
-+without PAC data. I want to add a replica into my existing topology and
-+automatically enable PAC data generation, without the need to configure IPA
-+for trust.
-+
-+## How to Use
-+
-+### Fresh installation
-+Run `ipa-server-install`, with the ability to define:
-+- NetBIOS Name: if not specified, the default value is generated from
-+the IPA domain name (transform the left-most label into uppercase, keep only
-+ascii characters, digits and dashes).
-+- Primary RID base (default if not set: 1000)
-+- Secondary RID base (default if not set: 1000000)
-+
-+On a replica: run `ipa-replica-install`, with the ability to define the same
-+parameters as `ipa-server-install`, plus the following parameter:
-+- Run SIDgen task immediately: yes/no (default=no)
-+
-+If conflicting values are specified in `ipa-replica-install`, the installer
-+must warn that existing values will be overwritten (same message as when
-+`ipa-adtrust-install` is run multiple times with conflicting values).
-+
-+### Upgrade
-+
-+- Run `dnf update *ipa-server`. The upgrade doesn't configure SID-related
-+options and doesn't enable PAC generation.
-+- Obtain a ticket for the admin (or any member of the admins group).
-+- Run the new command allowing to setup the SID-related configuration.
-+- Run the existing command to modify base RID and secondary base RID:
-+```
-+ipa idrange-mod --rid-base INT --secondary-rid-base INT RANGENAME
-+```
-+
-+### Mixed topology
-+
-+The existing server is not setup for PAC data generation. The future replica
-+is installed with the latest packages, containing the updated installers.
-+
-+Run `ipa-replica-install`, with the ability to define:
-+- NetBIOS Name: if not specified, the default value is generated from
-+the IPA domain name (transform the left-most label into uppercase, keep only
-+ascii characters, digits and dashes).
-+- Primary RID base (default if not set: 1000)
-+- Secondary RID base (default if not set: 1000000)
-+- Run SIDgen task immediately: yes/no (default=no)
-+
-+
-+## Design
-+
-+Installers and SID-related options:
-+- the options `--add-sids`, `--netbios-name`, `--rid-base` and
-+`--secondary-rid-base` are moved from ADTrustInstallInterface to a separate
-+new InstallInterface: SIDInstallInterface.
-+- ADTrustInstallInterface now inherits from SIDInstallInterface.
-+- `adtrustinstance.ADTRUSTInstance.__init__` now accepts an additional
-+parameter: `fulltrust`. When set to True, the class ADTRUSTInstance configures
-+the trust as usual. When set to False, only the SID-related part is executed.
-+- `ipa-server-install` and `ipa-replica-install` now always call
-+`adtrust.install_check` and `adtrust.install`, but the method is using the
-+provided options (especially `options.setup_adtrust`) to know if full
-+configuration is required or only the SID-related part.
-+
-+The `ipa-adtrust-install` code is already written in order to be
-+idempotent (can be called multiple times, even with different values), and
-+this property is of great value for this feature. It allows to keep
-+the changes as minimal as possible to the existing installers, and
-+call `ipa-adtrust-install` even if the SID-part is already setup.
-+
-+New command to enable SID generation after an upgrade:
-+as we don't want to automatically enable SID generation during an upgrade,
-+a new command is provided in order to manually enable the feature. The command
-+only requires an admin ticket (no need to be root) and relies on the admin
-+framework.
-+
-+The command uses a mechanism similar to server_conncheck:
-+- the user must have Replication Administrators privilege
-+- the user launches an ipa command communicating with IPA framework
-+- the admin framework uses Dbus to get access a DBus interface that
-+launches a command through oddjob, allowing the command to run as root.
-+The oddjob command is a wrapper around `adtrustinstance.ADTRUSTInstance`.
-+
-+## Implementation
-+
-+- Dependencies: no additional dependency on ipa-server package
-+- Backup and Restore: no new file to backup
-+
-+## Feature Management
-+
-+### UI
-+
-+No new UI for server/replica installation.
-+
-+`IPA server / ID ranges` tab is already available and displays Primary and
-+Secondary RID base.
-+
-+`IPA Server / Trusts / Global Trust Configuration` tab already displays the
-+NetBIOS Name and Security Identifier.
-+
-+These values can also be added in the `IPA Server / Configuration` tab.
-+
-+The User View displays SMB attributes if they exist and could be enhanced
-+with a note if the user entry does not have any SID, pointing the admin
-+to a procedure in order to generate the missing SIDs.
-+
-+### CLI
-+
-+| Command | Options |
-+| --- | ----- |
-+| ipa-server-install | [--netbios-name=NETBIOS_NAME] [--rid-base=RID_BASE] [--secondary-rid-base=SECONDARY_RID_BASE] |
-+| ipa-replica-install | [--netbios-name=NETBIOS_NAME] [--rid-base=RID_BASE] [--secondary-rid-base=SECONDARY_RID_BASE] [--add-sids] |
-+| ipa config-mod | --enable-sid [--add-sids] [--netbios-name=NETBIOS_NAME] |
-+
-+#### `ipa config-mod --enable-sid` details:
-+
-+The `--enable-sid` option turns the feature on, and `--add-sids` triggers
-+the SIDgen task in order to immediately generate SID for existing users or
-+groups.
-+
-+`--add-sids` requires the `--enable-sid`option.
-+
-+The `--netbios-name` option specifies the NetBIOS Name and is optional. If
-+not provided, the NetBIOS Name is generated from the leading part of the
-+DNS name.
-+
-+`--netbios-name` requires the `--enable-sid` option.
-+
-+
-+### Configuration
-+
-+When the feature is turned on, it is possible to modify the primary and
-+secondary RID bases for the local id range with the existing
-+`ipa idrange-mod` command.
-+
-+The NetBIOS Name can be overwritten (with warning) when `ipa-adtrust-install`
-+is run.
-+
-+## Upgrade
-+
-+The upgrade does not turn on the feature. If the admin wants to enable
-+SID generation, he needs to update the packages and run the new command
-+`ipa config-mod --enable-sid`.
-+
-+
-+## Test plan
-+
-+Note: PRCI currently doesn't have the ability to test upgrade.
-+
-+Scenarios to be tested: fresh install, test PAC generation
-+- Add active user testuser (reinitialize password)
-+- On IPA server run `kinit -k` to get a ticket for `host/fqdn@REALM`
-+- On IPA server run `/usr/libexec/ipa/ipa-print-pac ticket testuser` and
-+ensure that PAC data is properly displayed.
-+- Same test on IPA replica
-+
-+Tests outside of PRCI:
-+- Existing topology without trust, update one server, ensure SID generation
-+hasn't been automatically enabled
-+- Existing topology without trust, update one server, manually enable SID
-+generation with the new command
-+- Existing topology without trust, insert a new replica, ensure SID generation
-+has been automatically enabled
-+- Existing topology with trust, update one server, ensure SID generation is
-+still working
-+- Existing topology with trust, insert a new replica, ensure SID generation
-+is still working
-+- Ensure that `ipa-adtrust-install` is still working with the previous
-+scenarios.
-+
-+## Troubleshooting and debugging
-+
-+When the feature is turned on (whatever the path, either through fresh
-+server installation, fresh replica installation, or with the new command), the
-+following LDAP entries are expected:
-+
-+- `cn=ad,cn=trusts,dc=ipa,dc=test` which is a simple `nsContainer`
-+- `cn=ad,cn=etc,dc=ipa,dc=test` which is a simple `nsContainer`
-+- `cn=ipa.test,cn=ad,cn=etc,dc=ipa,dc=test`: must define the NetBIOS Name in
-+`ipaNTFlatName`, the SID in `ipaNTSecurityIdentifier` and the default SMB
-+group in `ipaNTFallbackPrimaryGroup`
-+- `cn=Default SMB Group,cn=groups,cn=accounts,dc=ipa,dc=test`: must define
-+a SID belonging to the IPA domain SID in `ipaNTSecurityIdentifier`
-+
-+(replace ipa.test with the actual domain name and dc=ipa,dc=test with the
-+actual base DN).
-+
-+The admin user must have a SID ending with -500 (well-known SID for the
-+domain administrator):
-+```
-+# ipa user-show admin --all | grep ipantsecurityidentifier
-+ ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-500
-+```
-+
-+The admins group must have a SID ending with -512 (well-known SID for domain
-+administrators group):
-+```
-+# ipa group-show admins --all | grep ipantsecurityidentifier
-+ ipantsecurityidentifier: S-1-5-21-2633809701-976279387-419745629-512
-+```
-+
-+The sidgen plugin must be enabled in /etc/dirsrv/slapd-IPA-TEST/dse.ldif:
-+```
-+dn: cn=IPA SIDGEN,cn=plugins,cn=config
-+cn: IPA SIDGEN
-+nsslapd-basedn: dc=ipa,dc=test
-+nsslapd-plugin-depends-on-type: database
-+nsslapd-pluginDescription: Add a SID to newly added or modified objects with u
-+ id pr gid numbers
-+nsslapd-pluginEnabled: on
-+nsslapd-pluginId: IPA SIDGEN postop plugin
-+nsslapd-pluginInitfunc: ipa_sidgen_init
-+nsslapd-pluginPath: libipa_sidgen
-+nsslapd-pluginType: postoperation
-+nsslapd-pluginVendor: FreeIPA project
-+nsslapd-pluginVersion: FreeIPA/1.0
-+objectClass: top
-+objectClass: nsSlapdPlugin
-+objectClass: extensibleObject
-+
-+```
-+
-+If the PAC data is not generated for a user, ensure that the user contains a
-+SID in its `ipantsecurityidentifier` attribute. If the SID is missing, run
-+the SIDgen task in order to generate SID for existing users and groups:
-+- Find ipa base DN with: `grep basedn /etc/ipa/default.conf | cut -d= -f2-`
-+- Copy `/usr/share/ipa/ipa-sidgen-task-run.ldif` to
-+`/tmp/ipa-sidgen-task-run.ldif`
-+- Edit the copy `/tmp/ipa-sidgen-task-run.ldif` and replace $SUFFIX with
-+IPA base DN
-+- As root, launch the task (replace IPA-TEST with the proper value):
-+`ldapmodify -H ldapi://%2Frun%2Fslapd-IPA-TEST.socket -f /tmp/ipa-sidgen-task-run.ldif`
-+
-+In order to check if the PAC data gets added to the user ticket, on a server:
-+```
-+# kinit -k
-+# /usr/libexec/ipa/ipa-print-pac ticket USERNAME
-+```
-+
-+If the PAC data is properly added, the `ipa-print-pac` command displays:
-+```
-+# /usr/libexec/ipa/ipa-print-pac ticket testuser
-+Password:
-+Acquired credentials for testuser
-+PAC_DATA: struct PAC_DATA
-+ num_buffers : 0x00000005 (5)
-+ version : 0x00000000 (0)
-+ buffers: ARRAY(5)
-+ buffers: struct PAC_BUFFER
-+...
-+```
-\ No newline at end of file
-diff --git a/doc/designs/index.rst b/doc/designs/index.rst
-index cbec1096c..9f7185dc2 100644
---- a/doc/designs/index.rst
-+++ b/doc/designs/index.rst
-@@ -10,6 +10,7 @@ FreeIPA design documentation
- adtrust/admin-ipa-as-trusted-user.md
- adtrust/sudorules-with-ad-objects.md
- adtrust/auto-private-groups.md
-+ adtrust/sidconfig.md
- krb-ticket-policy.md
- extdom-plugin-protocol.md
- expiring-password-notification.md
---
-2.33.1
-
-
-From 559b5f305b7dd1f4e6436d09074397a4a780fe8b Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 27 Sep 2021 08:36:32 +0200
-Subject: [PATCH 02/22] SID generation: define SIDInstallInterface
-
-Move the SID-related options into a separate InstallInterface
-(--add-sids, --netbios-name, --rid-base and --secondary-rid-base),
-make ADTrustInstallInterface inherit from SIDInstallInterface.
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/install/adtrust.py | 56 ++++++++++++++++++++++--------------
- 1 file changed, 35 insertions(+), 21 deletions(-)
-
-diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
-index ea279b56b..0409743ee 100644
---- a/ipaserver/install/adtrust.py
-+++ b/ipaserver/install/adtrust.py
-@@ -530,43 +530,26 @@ def generate_dns_service_records_help(api):
-
-
- @group
--class ADTrustInstallInterface(ServiceAdminInstallInterface):
-+class SIDInstallInterface(ServiceAdminInstallInterface):
- """
-- Interface for the AD trust installer
-+ Interface for the SID generation Installer
-
- Knobs defined here will be available in:
- * ipa-server-install
- * ipa-replica-install
- * ipa-adtrust-install
- """
-- description = "AD trust"
--
-- # the following knobs are provided on top of those specified for
-- # admin credentials
-+ description = "SID generation"
- add_sids = knob(
- None,
- description="Add SIDs for existing users and groups as the final step"
- )
-- add_agents = knob(
-- None,
-- description="Add IPA masters to a list of hosts allowed to "
-- "serve information about users from trusted forests"
-- )
-- add_agents = replica_install_only(add_agents)
-- enable_compat = knob(
-- None,
-- description="Enable support for trusted domains for old clients"
-- )
-+ add_sids = replica_install_only(add_sids)
- netbios_name = knob(
- str,
- None,
- description="NetBIOS name of the IPA domain"
- )
-- no_msdcs = knob(
-- None,
-- description="Deprecated: has no effect",
-- deprecated=True
-- )
- rid_base = knob(
- int,
- 1000,
-@@ -578,3 +561,34 @@ class ADTrustInstallInterface(ServiceAdminInstallInterface):
- description="Start value of the secondary range for mapping "
- "UIDs and GIDs to RIDs"
- )
-+
-+
-+@group
-+class ADTrustInstallInterface(SIDInstallInterface):
-+ """
-+ Interface for the AD trust installer
-+
-+ Knobs defined here will be available in:
-+ * ipa-server-install
-+ * ipa-replica-install
-+ * ipa-adtrust-install
-+ """
-+ description = "AD trust"
-+
-+ # the following knobs are provided on top of those specified for
-+ # admin credentials
-+ add_agents = knob(
-+ None,
-+ description="Add IPA masters to a list of hosts allowed to "
-+ "serve information about users from trusted forests"
-+ )
-+ add_agents = replica_install_only(add_agents)
-+ enable_compat = knob(
-+ None,
-+ description="Enable support for trusted domains for old clients"
-+ )
-+ no_msdcs = knob(
-+ None,
-+ description="Deprecated: has no effect",
-+ deprecated=True
-+ )
---
-2.33.1
-
-
-From 32ba72a5dd9ceafd332083898b20deac812ec49d Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Mon, 27 Sep 2021 11:44:43 +0200
-Subject: [PATCH 03/22] Installers: configure sid generation in server/replica
- installer
-
-ADTRUSTInstance performs only sid configuration when it is
-called without --setup-adtrust.
-
-Update man pages for ipa-server-install and ipa-replica-install
-with the SID-related options.
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- install/tools/ipa-adtrust-install.in | 2 +
- install/tools/man/ipa-replica-install.1 | 30 ++++----
- install/tools/man/ipa-server-install.1 | 11 +--
- ipaserver/install/adtrust.py | 45 +++++------
- ipaserver/install/adtrustinstance.py | 86 +++++++++++++---------
- ipaserver/install/server/__init__.py | 5 --
- ipaserver/install/server/install.py | 11 ++-
- ipaserver/install/server/replicainstall.py | 10 ++-
- 8 files changed, 113 insertions(+), 87 deletions(-)
-
-diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in
-index 03efc8dec..9cb89ea11 100644
---- a/install/tools/ipa-adtrust-install.in
-+++ b/install/tools/ipa-adtrust-install.in
-@@ -209,6 +209,8 @@ def main():
- raise ScriptError(
- "Unrecognized error during check of admin rights: %s" % e)
-
-+ # Force options.setup_adtrust
-+ options.setup_adtrust = True
- adtrust.install_check(True, options, api)
- adtrust.install(True, options, fstore, api)
-
-diff --git a/install/tools/man/ipa-replica-install.1 b/install/tools/man/ipa-replica-install.1
-index 44fce10ba..7f88303d2 100644
---- a/install/tools/man/ipa-replica-install.1
-+++ b/install/tools/man/ipa-replica-install.1
-@@ -205,10 +205,7 @@ Do not automatically create DNS SSHFP records.
- \fB\-\-no\-dnssec\-validation\fR
- Disable DNSSEC validation on this server.
-
--.SS "AD TRUST OPTIONS"
--.TP
--\fB\-\-setup\-adtrust\fR
--Configure AD Trust capability on a replica.
-+.SS "SID GENERATION OPTIONS"
- .TP
- \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
- The NetBIOS name for the IPA domain. If not provided then this is determined
-@@ -227,6 +224,21 @@ ipa\-adtrust\-install is run and scheduled independently. To start this task
- you have to load an edited version of ipa-sidgen-task-run.ldif with the
- ldapmodify command info the directory server.
- .TP
-+\fB\-\-rid-base\fR=\fIRID_BASE\fR
-+First RID value of the local domain. The first Posix ID of the local domain will
-+be assigned to this RID, the second to RID+1 etc. See the online help of the
-+idrange CLI for details.
-+.TP
-+\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
-+Start value of the secondary RID range, which is only used in the case a user
-+and a group share numerically the same Posix ID. See the online help of the
-+idrange CLI for details.
-+
-+.SS "AD TRUST OPTIONS"
-+.TP
-+\fB\-\-setup\-adtrust\fR
-+Configure AD Trust capability on a replica.
-+.TP
- \fB\-\-add\-agents\fR
- Add IPA masters to the list that allows to serve information about
- users from trusted forests. Starting with IPA 4.2, a regular IPA master
-@@ -240,16 +252,6 @@ information about users from trusted forests only if they are enabled
- via \ipa-adtrust\-install run on any other IPA master. At least SSSD
- version 1.13 on IPA master is required to be able to perform as a trust agent.
- .TP
--\fB\-\-rid-base\fR=\fIRID_BASE\fR
--First RID value of the local domain. The first Posix ID of the local domain will
--be assigned to this RID, the second to RID+1 etc. See the online help of the
--idrange CLI for details.
--.TP
--\fB\-\-secondary-rid-base\fR=\fISECONDARY_RID_BASE\fR
--Start value of the secondary RID range, which is only used in the case a user
--and a group share numerically the same Posix ID. See the online help of the
--idrange CLI for details.
--.TP
- \fB\-\-enable\-compat\fR
- Enables support for trusted domains users for old clients through Schema Compatibility plugin.
- SSSD supports trusted domains natively starting with version 1.9. For platforms that
-diff --git a/install/tools/man/ipa-server-install.1 b/install/tools/man/ipa-server-install.1
-index fdb0f4cb3..e2829ad23 100644
---- a/install/tools/man/ipa-server-install.1
-+++ b/install/tools/man/ipa-server-install.1
-@@ -230,11 +230,7 @@ Disable DNSSEC validation on this server.
- \fB\-\-allow\-zone\-overlap\fR
- Allow creation of (reverse) zone even if the zone is already resolvable. Using this option is discouraged as it result in later problems with domain name resolution.
-
--.SS "AD TRUST OPTIONS"
--
--.TP
--\fB\-\-setup\-adtrust\fR
--Configure AD Trust capability.
-+.SS "SID GENERATION OPTIONS"
- .TP
- \fB\-\-netbios\-name\fR=\fINETBIOS_NAME\fR
- The NetBIOS name for the IPA domain. If not provided, this is determined
-@@ -252,6 +248,11 @@ idrange CLI for details.
- Start value of the secondary RID range, which is only used in the case a user
- and a group share numerically the same POSIX ID. See the online help of the
- idrange CLI for details.
-+
-+.SS "AD TRUST OPTIONS"
-+.TP
-+\fB\-\-setup\-adtrust\fR
-+Configure AD Trust capability.
- .TP
- \fB\-\-enable\-compat\fR
- Enables support for trusted domains users for old clients through Schema Compatibility plugin.
-diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
-index 0409743ee..c01748bc0 100644
---- a/ipaserver/install/adtrust.py
-+++ b/ipaserver/install/adtrust.py
-@@ -413,7 +413,7 @@ def install_check(standalone, options, api):
- global netbios_name
- global reset_netbios_name
-
-- if not standalone:
-+ if options.setup_adtrust and not standalone:
- check_for_installed_deps()
-
- realm_not_matching_domain = (api.env.domain.upper() != api.env.realm)
-@@ -432,26 +432,27 @@ def install_check(standalone, options, api):
- # Check if /etc/samba/smb.conf already exists. In case it was not generated
- # by IPA, print a warning that we will break existing configuration.
-
-- if adtrustinstance.ipa_smb_conf_exists():
-- if not options.unattended:
-- print("IPA generated smb.conf detected.")
-- if not ipautil.user_input("Overwrite smb.conf?",
-- default=False,
-- allow_empty=False):
-- raise ScriptError("Aborting installation.")
--
-- elif os.path.exists(paths.SMB_CONF):
-- print("WARNING: The smb.conf already exists. Running "
-- "ipa-adtrust-install will break your existing samba "
-- "configuration.\n\n")
-- if not options.unattended:
-- if not ipautil.user_input("Do you wish to continue?",
-- default=False,
-- allow_empty=False):
-- raise ScriptError("Aborting installation.")
--
-- if not options.unattended and not options.enable_compat:
-- options.enable_compat = enable_compat_tree()
-+ if options.setup_adtrust:
-+ if adtrustinstance.ipa_smb_conf_exists():
-+ if not options.unattended:
-+ print("IPA generated smb.conf detected.")
-+ if not ipautil.user_input("Overwrite smb.conf?",
-+ default=False,
-+ allow_empty=False):
-+ raise ScriptError("Aborting installation.")
-+
-+ elif os.path.exists(paths.SMB_CONF):
-+ print("WARNING: The smb.conf already exists. Running "
-+ "ipa-adtrust-install will break your existing samba "
-+ "configuration.\n\n")
-+ if not options.unattended:
-+ if not ipautil.user_input("Do you wish to continue?",
-+ default=False,
-+ allow_empty=False):
-+ raise ScriptError("Aborting installation.")
-+
-+ if not options.unattended and not options.enable_compat:
-+ options.enable_compat = enable_compat_tree()
-
- netbios_name, reset_netbios_name = set_and_check_netbios_name(
- options.netbios_name, options.unattended, api)
-@@ -467,7 +468,7 @@ def install(standalone, options, fstore, api):
- print("Please wait until the prompt is returned.")
- print("")
-
-- smb = adtrustinstance.ADTRUSTInstance(fstore)
-+ smb = adtrustinstance.ADTRUSTInstance(fstore, options.setup_adtrust)
- smb.realm = api.env.realm
- smb.autobind = ipaldap.AUTOBIND_ENABLED
- smb.setup(api.env.host, api.env.realm,
-diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
-index a7a403f37..abf5d7faf 100644
---- a/ipaserver/install/adtrustinstance.py
-+++ b/ipaserver/install/adtrustinstance.py
-@@ -148,7 +148,7 @@ class ADTRUSTInstance(service.Service):
- OBJC_DOMAIN = "ipaNTDomainAttrs"
- FALLBACK_GROUP_NAME = u'Default SMB Group'
-
-- def __init__(self, fstore=None):
-+ def __init__(self, fstore=None, fulltrust=True):
- self.netbios_name = None
- self.reset_netbios_name = None
- self.add_sids = None
-@@ -162,10 +162,15 @@ class ADTRUSTInstance(service.Service):
-
- self.fqdn = None
- self.host_netbios_name = None
-+ self.fulltrust = fulltrust
-
-- super(ADTRUSTInstance, self).__init__(
-- "smb", service_desc="CIFS", fstore=fstore, service_prefix=u'cifs',
-- keytab=paths.SAMBA_KEYTAB)
-+ if self.fulltrust:
-+ super(ADTRUSTInstance, self).__init__(
-+ "smb", service_desc="CIFS", fstore=fstore,
-+ service_prefix=u'cifs',
-+ keytab=paths.SAMBA_KEYTAB)
-+ else:
-+ super(ADTRUSTInstance, self).__init__("SID generation")
-
- self.__setup_default_attributes()
-
-@@ -199,12 +204,13 @@ class ADTRUSTInstance(service.Service):
- api.env.container_cifsdomains,
- self.suffix)
-
-- self.cifs_agent = DN(('krbprincipalname', self.principal.lower()),
-- api.env.container_service,
-- self.suffix)
-- self.host_princ = DN(('fqdn', self.fqdn),
-- api.env.container_host,
-- self.suffix)
-+ if self.fulltrust:
-+ self.cifs_agent = DN(('krbprincipalname', self.principal.lower()),
-+ api.env.container_service,
-+ self.suffix)
-+ self.host_princ = DN(('fqdn', self.fqdn),
-+ api.env.container_host,
-+ self.suffix)
-
-
- def __gen_sid_string(self):
-@@ -527,7 +533,7 @@ class ADTRUSTInstance(service.Service):
- try:
- current = api.Backend.ldap2.get_entry(targets_dn)
- members = current.get('memberPrincipal', [])
-- if not(self.principal in members):
-+ if self.principal not in members:
- current["memberPrincipal"] = members + [self.principal]
- api.Backend.ldap2.update_entry(current)
- else:
-@@ -819,45 +825,59 @@ class ADTRUSTInstance(service.Service):
- self.sub_dict['IPA_LOCAL_RANGE'] = get_idmap_range(self.realm)
-
- def create_instance(self):
-- self.step("validate server hostname",
-- self.__validate_server_hostname)
-- self.step("stopping smbd", self.__stop)
-+ if self.fulltrust:
-+ self.step("validate server hostname",
-+ self.__validate_server_hostname)
-+ self.step("stopping smbd", self.__stop)
- self.step("creating samba domain object", \
- self.__create_samba_domain_object)
-- self.step("retrieve local idmap range", self.__retrieve_local_range)
-- self.step("writing samba config file", self.__write_smb_conf)
-- self.step("creating samba config registry", self.__write_smb_registry)
-- self.step("adding cifs Kerberos principal",
-- self.request_service_keytab)
-- self.step("adding cifs and host Kerberos principals to the adtrust agents group", \
-+ if self.fulltrust:
-+ self.step("retrieve local idmap range",
-+ self.__retrieve_local_range)
-+ self.step("writing samba config file", self.__write_smb_conf)
-+ self.step("creating samba config registry",
-+ self.__write_smb_registry)
-+ self.step("adding cifs Kerberos principal",
-+ self.request_service_keytab)
-+ self.step("adding cifs and host Kerberos principals to the "
-+ "adtrust agents group",
- self.__setup_group_membership)
-- self.step("check for cifs services defined on other replicas", self.__check_replica)
-- self.step("adding cifs principal to S4U2Proxy targets", self.__add_s4u2proxy_target)
-+ self.step("check for cifs services defined on other replicas",
-+ self.__check_replica)
-+ self.step("adding cifs principal to S4U2Proxy targets",
-+ self.__add_s4u2proxy_target)
- self.step("adding admin(group) SIDs", self.__add_admin_sids)
- self.step("adding RID bases", self.__add_rid_bases)
- self.step("updating Kerberos config", self.__update_krb5_conf)
-- self.step("activating CLDAP plugin", self.__add_cldap_module)
-+ if self.fulltrust:
-+ self.step("activating CLDAP plugin", self.__add_cldap_module)
- self.step("activating sidgen task", self.__add_sidgen_task)
-- self.step("map BUILTIN\\Guests to nobody group",
-- self.__map_Guests_to_nobody)
-- self.step("configuring smbd to start on boot", self.__enable)
-+ if self.fulltrust:
-+ self.step("map BUILTIN\\Guests to nobody group",
-+ self.__map_Guests_to_nobody)
-+ self.step("configuring smbd to start on boot", self.__enable)
-
- if self.enable_compat:
-- self.step("enabling trusted domains support for older clients via Schema Compatibility plugin",
-+ self.step("enabling trusted domains support for older clients via "
-+ "Schema Compatibility plugin",
- self.__enable_compat_tree)
-
-- self.step("restarting Directory Server to take MS PAC and LDAP plugins changes into account", \
-+ self.step("restarting Directory Server to take MS PAC and LDAP "
-+ "plugins changes into account",
- self.__restart_dirsrv)
- self.step("adding fallback group", self.__add_fallback_group)
-- self.step("adding Default Trust View", self.__add_default_trust_view)
-- self.step("setting SELinux booleans", \
-- self.__configure_selinux_for_smbd)
-- self.step("starting CIFS services", self.__start)
-+ if self.fulltrust:
-+ self.step("adding Default Trust View",
-+ self.__add_default_trust_view)
-+ self.step("setting SELinux booleans",
-+ self.__configure_selinux_for_smbd)
-+ self.step("starting CIFS services", self.__start)
-
- if self.add_sids:
- self.step("adding SIDs to existing users and groups",
- self.__add_sids)
-- self.step("restarting smbd", self.__restart_smb)
-+ if self.fulltrust:
-+ self.step("restarting smbd", self.__restart_smb)
-
- self.start_creation(show_service_name=False)
-
-diff --git a/ipaserver/install/server/__init__.py b/ipaserver/install/server/__init__.py
-index f9150ee4e..dd104fa0a 100644
---- a/ipaserver/install/server/__init__.py
-+++ b/ipaserver/install/server/__init__.py
-@@ -432,11 +432,6 @@ class ServerInstallInterface(ServerCertificateInstallInterface,
- "You cannot specify an --enable-compat option without the "
- "--setup-adtrust option")
-
-- if self.netbios_name:
-- raise RuntimeError(
-- "You cannot specify a --netbios-name option without the "
-- "--setup-adtrust option")
--
- if self.no_msdcs:
- raise RuntimeError(
- "You cannot specify a --no-msdcs option without the "
-diff --git a/ipaserver/install/server/install.py b/ipaserver/install/server/install.py
-index b01fd85a5..5ac68e757 100644
---- a/ipaserver/install/server/install.py
-+++ b/ipaserver/install/server/install.py
-@@ -443,6 +443,7 @@ def install_check(installer):
- print(" * Configure KRA (dogtag) for secret management")
- if options.setup_dns:
- print(" * Configure DNS (bind)")
-+ print(" * Configure SID generation")
- if options.setup_adtrust:
- print(" * Configure Samba (smb) and winbind for managing AD trusts")
- if not options.no_pkinit:
-@@ -703,8 +704,9 @@ def install_check(installer):
- logger.debug('Starting Directory Server')
- services.knownservices.dirsrv.start(instance_name)
-
-- if options.setup_adtrust:
-- adtrust.install_check(False, options, api)
-+ # Always call adtrust.install_check
-+ # if --setup-adtrust is not specified, only the SID part is executed
-+ adtrust.install_check(False, options, api)
-
- # installer needs to update hosts file when DNS subsystem will be
- # installed or custom addresses are used
-@@ -966,8 +968,9 @@ def install(installer):
- if options.setup_dns:
- dns.install(False, False, options)
-
-- if options.setup_adtrust:
-- adtrust.install(False, options, fstore, api)
-+ # Always call adtrust installer to configure SID generation
-+ # if --setup-adtrust is not specified, only the SID part is executed
-+ adtrust.install(False, options, fstore, api)
-
- # Set the admin user kerberos password
- ds.change_admin_password(admin_password)
-diff --git a/ipaserver/install/server/replicainstall.py b/ipaserver/install/server/replicainstall.py
-index f1fb91036..1857813c0 100644
---- a/ipaserver/install/server/replicainstall.py
-+++ b/ipaserver/install/server/replicainstall.py
-@@ -1158,8 +1158,9 @@ def promote_check(installer):
- # check addresses here, dns module is doing own check
- no_matching_interface_for_ip_address_warning(config.ips)
-
-- if options.setup_adtrust:
-- adtrust.install_check(False, options, remote_api)
-+ # Always call adtrust.install_check
-+ # if --setup-adtrust is not specified, only the SID part is executed
-+ adtrust.install_check(False, options, remote_api)
-
- except errors.ACIError:
- logger.debug("%s", traceback.format_exc())
-@@ -1365,8 +1366,9 @@ def install(installer):
- if options.setup_dns:
- dns.install(False, True, options, api)
-
-- if options.setup_adtrust:
-- adtrust.install(False, options, fstore, api)
-+ # Always call adtrust.install
-+ # if --setup-adtrust is not specified, only the SID part is executed
-+ adtrust.install(False, options, fstore, api)
-
- if options.hidden_replica:
- # Set services to hidden
---
-2.33.1
-
-
-From 38efe74bd115658b34259c4dc106565a549bd78b Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Fri, 8 Oct 2021 11:37:26 +0200
-Subject: [PATCH 04/22] adtrust install: define constants for rid bases
-
-Define constants for DEFAULT_PRIMARY_RID_BASE = 1000 and
-DEFAULT_SECONDARY_RID_BASE = 100000000
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- install/tools/ipa-adtrust-install.in | 5 +++--
- ipaserver/install/adtrust.py | 7 +++++--
- 2 files changed, 8 insertions(+), 4 deletions(-)
-
-diff --git a/install/tools/ipa-adtrust-install.in b/install/tools/ipa-adtrust-install.in
-index 9cb89ea11..f245ab342 100644
---- a/install/tools/ipa-adtrust-install.in
-+++ b/install/tools/ipa-adtrust-install.in
-@@ -64,10 +64,11 @@ def parse_options():
- parser.add_option("--no-msdcs", dest="no_msdcs", action="store_true",
- default=False, help=SUPPRESS_HELP)
-
-- parser.add_option("--rid-base", dest="rid_base", type=int, default=1000,
-+ parser.add_option("--rid-base", dest="rid_base", type=int,
-+ default=adtrust.DEFAULT_PRIMARY_RID_BASE,
- help="Start value for mapping UIDs and GIDs to RIDs")
- parser.add_option("--secondary-rid-base", dest="secondary_rid_base",
-- type=int, default=100000000,
-+ type=int, default=adtrust.DEFAULT_SECONDARY_RID_BASE,
- help="Start value of the secondary range for mapping "
- "UIDs and GIDs to RIDs")
- parser.add_option("-U", "--unattended", dest="unattended",
-diff --git a/ipaserver/install/adtrust.py b/ipaserver/install/adtrust.py
-index c01748bc0..6eb6a25ee 100644
---- a/ipaserver/install/adtrust.py
-+++ b/ipaserver/install/adtrust.py
-@@ -39,6 +39,9 @@ logger = logging.getLogger(__name__)
- netbios_name = None
- reset_netbios_name = False
-
-+DEFAULT_PRIMARY_RID_BASE = 1000
-+DEFAULT_SECONDARY_RID_BASE = 100000000
-+
-
- def netbios_name_error(name):
- logger.error("\nIllegal NetBIOS name [%s].\n", name)
-@@ -553,12 +556,12 @@ class SIDInstallInterface(ServiceAdminInstallInterface):
- )
- rid_base = knob(
- int,
-- 1000,
-+ DEFAULT_PRIMARY_RID_BASE,
- description="Start value for mapping UIDs and GIDs to RIDs"
- )
- secondary_rid_base = knob(
- int,
-- 100000000,
-+ DEFAULT_SECONDARY_RID_BASE,
- description="Start value of the secondary range for mapping "
- "UIDs and GIDs to RIDs"
- )
---
-2.33.1
-
-
-From 03247e12e512f882fb7f54ac175719f0f19fed11 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Fri, 8 Oct 2021 15:47:06 +0200
-Subject: [PATCH 05/22] ipa config: add --enable-sid option
-
-Add new options to ipa config-mod, allowing to enable
-SID generation on upgraded servers:
-ipa config-mod --enable-sid --add-sids --netbios-name NAME
-
-The new option uses Dbus to launch an oddjob command,
-org.freeipa.server.config-enable-sid
-that runs the installation steps related to SID generation.
-
---add-sids is optional and triggers the sid generation task that
-populates SID for existing users / groups.
---netbios-name is optional and allows to specify the NetBIOS Name.
-When not provided, the NetBIOS name is generated based on the leading
-component of the DNS domain name.
-
-This command can be run multiple times.
-
-Fixes: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- API.txt | 5 +-
- VERSION.m4 | 4 +-
- freeipa.spec.in | 1 +
- install/oddjob/Makefile.am | 2 +
- .../etc/oddjobd.conf.d/ipa-server.conf.in | 6 ++
- .../org.freeipa.server.config-enable-sid.in | 76 ++++++++++++++
- ipaplatform/base/paths.py | 1 +
- ipaserver/install/adtrustinstance.py | 2 +
- ipaserver/plugins/config.py | 99 ++++++++++++++++++-
- ipaserver/rpcserver.py | 2 +
- selinux/ipa.te | 3 +
- 11 files changed, 196 insertions(+), 5 deletions(-)
- create mode 100644 install/oddjob/org.freeipa.server.config-enable-sid.in
-
-diff --git a/API.txt b/API.txt
-index 212ef807c..39c179a47 100644
---- a/API.txt
-+++ b/API.txt
-@@ -1076,11 +1076,13 @@ args: 0,1,1
- option: Str('version?')
- output: Output('result')
- command: config_mod/1
--args: 0,28,3
-+args: 0,31,3
-+option: Flag('add_sids?', autofill=True, default=False)
- option: Str('addattr*', cli_name='addattr')
- option: Flag('all', autofill=True, cli_name='all', default=False)
- option: Str('ca_renewal_master_server?', autofill=False)
- option: Str('delattr*', cli_name='delattr')
-+option: Flag('enable_sid?', autofill=True, default=False)
- option: StrEnum('ipaconfigstring*', autofill=False, cli_name='ipaconfigstring', values=[u'AllowNThash', u'KDC:Disable Last Success', u'KDC:Disable Lockout', u'KDC:Disable Default Preauth for SPNs'])
- option: Str('ipadefaultemaildomain?', autofill=False, cli_name='emaildomain')
- option: Str('ipadefaultloginshell?', autofill=False, cli_name='defaultshell')
-@@ -1101,6 +1103,7 @@ option: Str('ipaselinuxusermaporder?', autofill=False)
- option: StrEnum('ipauserauthtype*', autofill=False, cli_name='user_auth_type', values=[u'password', u'radius', u'otp', u'pkinit', u'hardened', u'disabled'])
- option: Str('ipauserobjectclasses*', autofill=False, cli_name='userobjectclasses')
- option: IA5Str('ipausersearchfields?', autofill=False, cli_name='usersearch')
-+option: Str('netbios_name?', autofill=False)
- option: Flag('raw', autofill=True, cli_name='raw', default=False)
- option: Flag('rights', autofill=True, default=False)
- option: Str('setattr*', cli_name='setattr')
-diff --git a/VERSION.m4 b/VERSION.m4
-index 9f024675f..80260953c 100644
---- a/VERSION.m4
-+++ b/VERSION.m4
-@@ -86,8 +86,8 @@ define(IPA_DATA_VERSION, 20100614120000)
- # #
- ########################################################
- define(IPA_API_VERSION_MAJOR, 2)
--define(IPA_API_VERSION_MINOR, 242)
--# Last change: add status options for cert-find
-+# Last change: add enable_sid to config
-+define(IPA_API_VERSION_MINOR, 245)
-
-
- ########################################################
-diff --git a/freeipa.spec.in b/freeipa.spec.in
-index fdca43a24..1d1383578 100755
---- a/freeipa.spec.in
-+++ b/freeipa.spec.in
-@@ -1367,6 +1367,7 @@ fi
- %dir %{_libexecdir}/ipa/oddjob
- %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.conncheck
- %attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.trust-enable-agent
-+%attr(0755,root,root) %{_libexecdir}/ipa/oddjob/org.freeipa.server.config-enable-sid
- %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.freeipa.server.conf
- %config(noreplace) %{_sysconfdir}/oddjobd.conf.d/ipa-server.conf
- %dir %{_libexecdir}/ipa/certmonger
-diff --git a/install/oddjob/Makefile.am b/install/oddjob/Makefile.am
-index 7aeb406a2..bd968eaba 100644
---- a/install/oddjob/Makefile.am
-+++ b/install/oddjob/Makefile.am
-@@ -7,6 +7,7 @@ dbusconfdir = $(sysconfdir)/dbus-1/system.d
- dist_noinst_DATA = \
- com.redhat.idm.trust-fetch-domains.in \
- org.freeipa.server.trust-enable-agent.in \
-+ org.freeipa.server.config-enable-sid.in \
- etc/oddjobd.conf.d/oddjobd-ipa-trust.conf.in \
- etc/oddjobd.conf.d/ipa-server.conf.in \
- $(NULL)
-@@ -18,6 +19,7 @@ dist_oddjob_SCRIPTS = \
- nodist_oddjob_SCRIPTS = \
- com.redhat.idm.trust-fetch-domains \
- org.freeipa.server.trust-enable-agent \
-+ org.freeipa.server.config-enable-sid \
- $(NULL)
-
-
-diff --git a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf.in b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf.in
-index 640b510aa..a79640f88 100644
---- a/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf.in
-+++ b/install/oddjob/etc/oddjobd.conf.d/ipa-server.conf.in
-@@ -17,6 +17,12 @@
- prepend_user_name="no"
- argument_passing_method="cmdline"/>
- </method>
-+ <method name="config_enable_sid">
-+ <helper exec="@ODDJOBDIR@/org.freeipa.server.config-enable-sid"
-+ arguments="10"
-+ prepend_user_name="no"
-+ argument_passing_method="cmdline"/>
-+ </method>
- </interface>
- <interface name="org.freedesktop.DBus.Introspectable">
- <allow min_uid="0" max_uid="0"/>
-diff --git a/install/oddjob/org.freeipa.server.config-enable-sid.in b/install/oddjob/org.freeipa.server.config-enable-sid.in
-new file mode 100644
-index 000000000..ff5fb49e2
---- /dev/null
-+++ b/install/oddjob/org.freeipa.server.config-enable-sid.in
-@@ -0,0 +1,76 @@
-+#!/usr/bin/python3
-+#
-+# Copyright (C) 2021 FreeIPA Contributors see COPYING for license
-+#
-+
-+import logging
-+
-+from ipalib import api
-+from ipalib.install import sysrestore
-+from ipaplatform.paths import paths
-+from ipapython import ipaldap
-+from ipapython.admintool import AdminTool
-+from ipaserver.install import adtrust, adtrustinstance
-+
-+logger = logging.getLogger(__name__)
-+
-+class IPAConfigEnableSid(AdminTool):
-+ command_name = "ipa-enable-sid"
-+ log_file_name = paths.IPASERVER_ENABLESID_LOG
-+ usage = "%prog"
-+ description = "Enable SID generation"
-+
-+ @classmethod
-+ def add_options(cls, parser):
-+ super(IPAConfigEnableSid, cls).add_options(parser)
-+
-+ parser.add_option(
-+ "--add-sids",
-+ dest="add_sids", default=False, action="store_true",
-+ help="Add SIDs for existing users and groups as the final step"
-+ )
-+
-+ parser.add_option(
-+ "--netbios-name",
-+ dest="netbios_name", default=None,
-+ help="NetBIOS name of the IPA domain"
-+ )
-+
-+ parser.add_option(
-+ "--reset-netbios-name",
-+ dest="reset_netbios_name", default=False, action="store_true",
-+ help="Force reset of the existing NetBIOS name"
-+ )
-+
-+
-+ def validate_options(self):
-+ super(IPAConfigEnableSid, self).validate_options(needs_root=True)
-+
-+ def run(self):
-+ api.bootstrap(in_server=True, confdir=paths.ETC_IPA)
-+ api.finalize()
-+
-+ try:
-+ api.Backend.ldap2.connect()
-+ fstore = sysrestore.FileStore(paths.SYSRESTORE)
-+
-+ smb = adtrustinstance.ADTRUSTInstance(fstore, False)
-+ smb.realm = api.env.realm
-+ smb.autobind = ipaldap.AUTOBIND_ENABLED
-+ smb.setup(api.env.host, api.env.realm,
-+ self.options.netbios_name,
-+ self.options.reset_netbios_name,
-+ adtrust.DEFAULT_PRIMARY_RID_BASE,
-+ adtrust.DEFAULT_SECONDARY_RID_BASE,
-+ self.options.add_sids,
-+ enable_compat=False)
-+ smb.find_local_id_range()
-+ smb.create_instance()
-+
-+ finally:
-+ if api.Backend.ldap2.isconnected():
-+ api.Backend.ldap2.disconnect()
-+
-+ return 0
-+
-+IPAConfigEnableSid.run_cli()
-diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
-index de217d9ef..42a47f1df 100644
---- a/ipaplatform/base/paths.py
-+++ b/ipaplatform/base/paths.py
-@@ -364,6 +364,7 @@ class BasePathNamespace:
- IPAREPLICA_CONNCHECK_LOG = "/var/log/ipareplica-conncheck.log"
- IPAREPLICA_INSTALL_LOG = "/var/log/ipareplica-install.log"
- IPARESTORE_LOG = "/var/log/iparestore.log"
-+ IPASERVER_ENABLESID_LOG = "/var/log/ipaserver-enable-sid.log"
- IPASERVER_INSTALL_LOG = "/var/log/ipaserver-install.log"
- IPASERVER_ADTRUST_INSTALL_LOG = "/var/log/ipaserver-adtrust-install.log"
- IPASERVER_DNS_INSTALL_LOG = "/var/log/ipaserver-dns-install.log"
-diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
-index abf5d7faf..6575e4525 100644
---- a/ipaserver/install/adtrustinstance.py
-+++ b/ipaserver/install/adtrustinstance.py
-@@ -334,6 +334,8 @@ class ADTRUSTInstance(service.Service):
- # _ldap_mod does not return useful error codes, so we must check again
- # if the fallback group was created properly.
- try:
-+ # Remove entry from cache otherwise get_entry won't find it
-+ api.Backend.ldap2.remove_cache_entry(fb_group_dn)
- api.Backend.ldap2.get_entry(fb_group_dn)
- except errors.NotFound:
- self.print_msg("Failed to add fallback group.")
-diff --git a/ipaserver/plugins/config.py b/ipaserver/plugins/config.py
-index ace66e589..909dc082f 100644
---- a/ipaserver/plugins/config.py
-+++ b/ipaserver/plugins/config.py
-@@ -17,12 +17,16 @@
- #
- # You should have received a copy of the GNU General Public License
- # along with this program. If not, see <http://www.gnu.org/licenses/>.
-+import dbus
-+import dbus.mainloop.glib
-+import logging
-
- from ipalib import api
--from ipalib import Bool, Int, Str, IA5Str, StrEnum, DNParam
-+from ipalib import Bool, Int, Str, IA5Str, StrEnum, DNParam, Flag
- from ipalib import errors
- from ipalib.constants import MAXHOSTNAMELEN
- from ipalib.plugable import Registry
-+from ipalib.request import context
- from ipalib.util import validate_domain_name
- from .baseldap import (
- LDAPObject,
-@@ -30,7 +34,12 @@ from .baseldap import (
- LDAPRetrieve)
- from .selinuxusermap import validate_selinuxuser
- from ipalib import _
-+from ipapython.admintool import ScriptError
- from ipapython.dn import DN
-+from ipaserver.plugins.privilege import principal_has_privilege
-+from ipaserver.install.adtrust import set_and_check_netbios_name
-+
-+logger = logging.getLogger(__name__)
-
- # 389-ds attributes that should be skipped in attribute checks
- OPERATIONAL_ATTRIBUTES = ('nsaccountlock', 'member', 'memberof',
-@@ -334,6 +343,24 @@ class config(LDAPObject):
- doc=_('DNSec key master'),
- flags={'virtual_attribute', 'no_create', 'no_update'}
- ),
-+ Flag(
-+ 'enable_sid?',
-+ label=_('Setup SID configuration'),
-+ doc=_('New users and groups automatically get a SID assigned'),
-+ flags={'virtual_attribute', 'no_create'}
-+ ),
-+ Flag(
-+ 'add_sids?',
-+ label=_('Add SIDs'),
-+ doc=_('Add SIDs for existing users and groups'),
-+ flags={'virtual_attribute', 'no_create'}
-+ ),
-+ Str(
-+ 'netbios_name?',
-+ label=_('NetBIOS name of the IPA domain'),
-+ doc=_('NetBIOS name of the IPA domain'),
-+ flags={'virtual_attribute', 'no_create'}
-+ ),
- )
-
- def get_dn(self, *keys, **kwargs):
-@@ -473,6 +500,60 @@ class config(LDAPObject):
- class config_mod(LDAPUpdate):
- __doc__ = _('Modify configuration options.')
-
-+ def _enable_sid(self, ldap, options):
-+ # the user must have the Replication Administrators privilege
-+ privilege = 'Replication Administrators'
-+ if not principal_has_privilege(self.api, context.principal, privilege):
-+ raise errors.ACIError(
-+ info=_("not allowed to enable SID generation"))
-+
-+ # NetBIOS name is either taken from options or generated
-+ try:
-+ netbios_name, reset_netbios_name = set_and_check_netbios_name(
-+ options.get('netbios_name', None), True, self.api)
-+ except ScriptError:
-+ raise errors.ValidationError(name="NetBIOS name",
-+ error=_('Up to 15 characters and only uppercase ASCII letters'
-+ ', digits and dashes are allowed. Empty string is '
-+ 'not allowed.'))
-+
-+ _ret = 0
-+ _stdout = ''
-+ _stderr = ''
-+
-+ dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
-+
-+ method_options = []
-+ if options.get('add_sids', False):
-+ method_options.extend(["--add-sids"])
-+ method_options.extend(["--netbios-name", netbios_name])
-+ if reset_netbios_name:
-+ method_options.append("--reset-netbios-name")
-+ # Dbus definition expects up to 10 arguments
-+ method_options.extend([''] * (10 - len(method_options)))
-+
-+ try:
-+ bus = dbus.SystemBus()
-+ obj = bus.get_object('org.freeipa.server', '/',
-+ follow_name_owner_changes=True)
-+ server = dbus.Interface(obj, 'org.freeipa.server')
-+ _ret, _stdout, _stderr = server.config_enable_sid(*method_options)
-+ except dbus.DBusException as e:
-+ logger.error('Failed to call org.freeipa.server.config_enable_sid.'
-+ 'DBus exception is %s', str(e))
-+ raise errors.ExecutionError(message=_('Failed to call DBus'))
-+
-+ # The oddjob restarts dirsrv, we need to re-establish the conn
-+ if self.api.Backend.ldap2.isconnected():
-+ self.api.Backend.ldap2.disconnect()
-+ self.api.Backend.ldap2.connect(ccache=context.ccache_name)
-+
-+ if _ret != 0:
-+ logger.error("Helper config_enable_sid return code is %d", _ret)
-+ raise errors.ExecutionError(
-+ message=_('Configuration of SID failed. '
-+ 'See details in the error log'))
-+
- def pre_callback(self, ldap, dn, entry_attrs, attrs_list, *keys, **options):
- assert isinstance(dn, DN)
- if 'ipadefaultprimarygroup' in entry_attrs:
-@@ -600,13 +681,27 @@ class config_mod(LDAPUpdate):
-
- self.obj.validate_domain_resolution_order(entry_attrs)
-
-+ # The options add_sids or netbios_name need the enable_sid option
-+ for sid_option in ['add_sids', 'netbios_name']:
-+ if options.get(sid_option, None) and not options['enable_sid']:
-+ opt = "--" + sid_option.replace("_", "-")
-+ error_message = _("You cannot specify %s without "
-+ "the --enable-sid option" % opt)
-+ raise errors.ValidationError(
-+ name=opt,
-+ error=error_message)
-+
-+ if options['enable_sid']:
-+ self._enable_sid(ldap, options)
-+
- return dn
-
- def exc_callback(self, keys, options, exc, call_func,
- *call_args, **call_kwargs):
- if (isinstance(exc, errors.EmptyModlist) and
- call_func.__name__ == 'update_entry' and
-- 'ca_renewal_master_server' in options):
-+ ('ca_renewal_master_server' in options or
-+ 'enable_sid' in options)):
- return
-
- super(config_mod, self).exc_callback(
-diff --git a/ipaserver/rpcserver.py b/ipaserver/rpcserver.py
-index e612528e0..20c536e4d 100644
---- a/ipaserver/rpcserver.py
-+++ b/ipaserver/rpcserver.py
-@@ -383,6 +383,8 @@ class WSGIExecutioner(Executioner):
- if self.api.env.debug:
- time_start = time.perf_counter_ns()
- try:
-+ if 'KRB5CCNAME' in environ:
-+ setattr(context, "ccache_name", environ['KRB5CCNAME'])
- if ('HTTP_ACCEPT_LANGUAGE' in environ):
- lang_reg_w_q = environ['HTTP_ACCEPT_LANGUAGE'].split(',')[0]
- lang_reg = lang_reg_w_q.split(';')[0]
-diff --git a/selinux/ipa.te b/selinux/ipa.te
-index 68e109419..cfca2e7c3 100644
---- a/selinux/ipa.te
-+++ b/selinux/ipa.te
-@@ -155,6 +155,9 @@ manage_dirs_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
- manage_files_pattern(ipa_helper_t, ipa_var_run_t, ipa_var_run_t)
- files_pid_filetrans(ipa_helper_t, ipa_var_run_t, { dir file })
-
-+manage_files_pattern(ipa_helper_t, ipa_tmp_t, ipa_tmp_t)
-+files_tmp_filetrans(ipa_helper_t, ipa_tmp_t, { file })
-+
- kernel_read_system_state(ipa_helper_t)
- kernel_read_network_state(ipa_helper_t)
-
---
-2.33.1
-
-
-From 1c91d6ce8e9d57796145f31dc3c62d5c404d44a4 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Fri, 8 Oct 2021 17:43:15 +0200
-Subject: [PATCH 06/22] ipatests: add test ensuring SIDs are generated for new
- installs
-
-The standard installer now configures all the items needed
-for SID generation. Add a new test with the following scenario:
-- install IPA server
-- create an active user
-- ensure the user's entry has an attribute ipantsecurityidentifier
-- ensure that the kerberos ticket for the user contains PAC data
-by using the utility ipa-print-pac
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_integration/test_commands.py | 40 ++++++++++++++++++++++
- 1 file changed, 40 insertions(+)
-
-diff --git a/ipatests/test_integration/test_commands.py b/ipatests/test_integration/test_commands.py
-index 5d755998e..803340f31 100644
---- a/ipatests/test_integration/test_commands.py
-+++ b/ipatests/test_integration/test_commands.py
-@@ -1499,3 +1499,43 @@ class TestIPACommandWithoutReplica(IntegrationTest):
- )
- # Run the command again after cache is removed
- self.master.run_command(['ipa', 'user-show', 'ipauser1'])
-+
-+ def test_sid_generation(self):
-+ """
-+ Test SID generation
-+
-+ Check that new users are created with a SID and PAC data is
-+ added in their Kerberos tickets.
-+ """
-+ user = "pacuser"
-+ passwd = "Secret123"
-+
-+ try:
-+ # Create a nonadmin user
-+ tasks.create_active_user(
-+ self.master, user, passwd, first=user, last=user,
-+ krb5_trace=True)
-+
-+ # Check SID is present in the new entry
-+ base_dn = str(self.master.domain.basedn)
-+ result = tasks.ldapsearch_dm(
-+ self.master,
-+ 'uid={user},cn=users,cn=accounts,{base_dn}'.format(
-+ user=user, base_dn=base_dn),
-+ ['ipantsecurityidentifier'],
-+ scope='base'
-+ )
-+ assert 'ipantsecurityidentifier' in result.stdout_text
-+
-+ # Defaults: host/... principal for service
-+ # keytab in /etc/krb5.keytab
-+ self.master.run_command(["kinit", '-k'])
-+ result = self.master.run_command(
-+ [os.path.join(paths.LIBEXEC_IPA_DIR, "ipa-print-pac"),
-+ "ticket", user],
-+ stdin_text=(passwd + '\n')
-+ )
-+ assert "PAC_DATA" in result.stdout_text
-+ finally:
-+ tasks.kinit_admin(self.master)
-+ self.master.run_command(['ipa', 'user-del', user])
---
-2.33.1
-
-
-From 7682fa42f1964640ac9718c27570056b59574209 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Tue, 12 Oct 2021 09:57:27 +0200
-Subject: [PATCH 07/22] ipatests: interactive install prompts for netbios name
-
-The interactive server installation now prompts for netbios
-name confirmation.
-Add expected prompt and send response to the installer.
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipalib/constants.py | 3 +++
- ipaserver/install/adtrustinstance.py | 5 ++---
- ipatests/test_integration/test_caless.py | 1 +
- .../test_integration/test_installation.py | 19 +++++++++++++++++++
- ipatests/test_integration/test_ntp_options.py | 3 +++
- 5 files changed, 28 insertions(+), 3 deletions(-)
-
-diff --git a/ipalib/constants.py b/ipalib/constants.py
-index 79ea36f08..719a524d6 100644
---- a/ipalib/constants.py
-+++ b/ipalib/constants.py
-@@ -23,6 +23,7 @@ All constants centralised in one file.
- """
-
- import os
-+import string
-
- from ipaplatform.constants import constants as _constants
- from ipapython.dn import DN
-@@ -343,3 +344,5 @@ SOFTHSM_DNSSEC_TOKEN_LABEL = u'ipaDNSSEC'
- # Apache's mod_ssl SSLVerifyDepth value (Maximum depth of CA
- # Certificates in Client Certificate verification)
- MOD_SSL_VERIFY_DEPTH = '5'
-+
-+ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
-diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
-index 6575e4525..776e7e587 100644
---- a/ipaserver/install/adtrustinstance.py
-+++ b/ipaserver/install/adtrustinstance.py
-@@ -25,7 +25,6 @@ import errno
- import ldap
- import tempfile
- import uuid
--import string
- import struct
- import re
- import socket
-@@ -36,6 +35,8 @@ from ipaserver.install import service
- from ipaserver.install import installutils
- from ipaserver.install.replication import wait_for_task
- from ipalib import errors, api
-+from ipalib.constants import ALLOWED_NETBIOS_CHARS
-+
- from ipalib.util import normalize_zone
- from ipapython.dn import DN
- from ipapython import ipachangeconf
-@@ -53,8 +54,6 @@ if six.PY3:
-
- logger = logging.getLogger(__name__)
-
--ALLOWED_NETBIOS_CHARS = string.ascii_uppercase + string.digits + '-'
--
- UPGRADE_ERROR = """
- Entry %(dn)s does not exist.
- This means upgrade from IPA 2.x to 3.x did not went well and required S4U2Proxy
-diff --git a/ipatests/test_integration/test_caless.py b/ipatests/test_integration/test_caless.py
-index 16dfbb320..4481845da 100644
---- a/ipatests/test_integration/test_caless.py
-+++ b/ipatests/test_integration/test_caless.py
-@@ -60,6 +60,7 @@ def get_install_stdin(cert_passwords=()):
- '', # Server host name (has default)
- ]
- lines.extend(cert_passwords) # Enter foo.p12 unlock password
-+ lines.extend('IPA') # NetBios name
- lines += [
- 'no', # configure chrony with NTP server or pool address?
- 'yes', # Continue with these values?
-diff --git a/ipatests/test_integration/test_installation.py b/ipatests/test_integration/test_installation.py
-index 0c96536f0..334279fcd 100644
---- a/ipatests/test_integration/test_installation.py
-+++ b/ipatests/test_integration/test_installation.py
-@@ -22,6 +22,7 @@ from cryptography import x509 as crypto_x509
- from ipalib import x509
- from ipalib.constants import DOMAIN_LEVEL_0
- from ipalib.constants import IPA_CA_RECORD
-+from ipalib.constants import ALLOWED_NETBIOS_CHARS
- from ipalib.sysrestore import SYSRESTORE_STATEFILE, SYSRESTORE_INDEXFILE
- from ipapython.dn import DN
- from ipaplatform.constants import constants
-@@ -69,6 +70,17 @@ def server_cleanup(request):
- tasks.uninstall_master(host)
-
-
-+def create_netbios_name(host):
-+ """
-+ Create a NetBIOS name based on the provided host
-+ """
-+ netbios = ''.join(
-+ c for c in host.domain.name.split('.')[0].upper() \
-+ if c in ALLOWED_NETBIOS_CHARS
-+ )[:15]
-+ return netbios
-+
-+
- class InstallTestBase1(IntegrationTest):
-
- num_replicas = 3
-@@ -1171,6 +1183,8 @@ class TestInstallMaster(IntegrationTest):
- hosts = self.master.get_file_contents(paths.HOSTS, encoding='utf-8')
- new_hosts = hosts.replace(original_hostname, new_hostname)
- self.master.put_file_contents(paths.HOSTS, new_hosts)
-+ netbios = create_netbios_name(self.master)
-+
- try:
- cmd = ['ipa-server-install', '--hostname', new_hostname]
- with self.master.spawn_expect(cmd) as e:
-@@ -1193,6 +1207,8 @@ class TestInstallMaster(IntegrationTest):
- e.sendline(self.master.config.admin_password)
- e.expect_exact('Password (confirm): ')
- e.sendline(self.master.config.admin_password)
-+ e.expect_exact('NetBIOS domain name [{}]: '.format(netbios))
-+ e.sendline(netbios)
- e.expect_exact('Do you want to configure chrony with '
- 'NTP server or pool address? [no]: ')
- e.sendline('no')
-@@ -1368,6 +1384,7 @@ class TestInstallMasterDNS(IntegrationTest):
- https://pagure.io/freeipa/issue/2575
- """
- cmd = ['ipa-server-install']
-+ netbios = create_netbios_name(self.master)
- with self.master.spawn_expect(cmd) as e:
- e.expect_exact('Do you want to configure integrated '
- 'DNS (BIND)? [no]: ')
-@@ -1399,6 +1416,8 @@ class TestInstallMasterDNS(IntegrationTest):
- e.expect_exact('Do you want to search for missing reverse '
- 'zones? [yes]: ')
- e.sendline('no') # irrelevant for this test
-+ e.expect_exact('NetBIOS domain name [{}]: '.format(netbios))
-+ e.sendline(netbios)
- e.expect_exact('Do you want to configure chrony with NTP '
- 'server or pool address? [no]: ')
- e.sendline('no') # irrelevant for this test
-diff --git a/ipatests/test_integration/test_ntp_options.py b/ipatests/test_integration/test_ntp_options.py
-index 27d35043e..efd950991 100644
---- a/ipatests/test_integration/test_ntp_options.py
-+++ b/ipatests/test_integration/test_ntp_options.py
-@@ -260,6 +260,8 @@ class TestNTPoptions(IntegrationTest):
- "No\n"
- # Server host name [hostname]:
- "\n"
-+ # Enter the NetBIOS name for the IPA domain
-+ "IPA\n"
- # Do you want to configure chrony with NTP server
- # or pool address? [no]:
- "Yes\n"
-@@ -372,6 +374,7 @@ class TestNTPoptions(IntegrationTest):
- server_input = (
- "\n" +
- "\n"
-+ "IPA\n"
- "No\n"
- "Yes"
- )
---
-2.33.1
-
-
-From 80e29da65ad3731b8db262fb0d00c70cfe7db0d4 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Fri, 15 Oct 2021 12:46:36 +0200
-Subject: [PATCH 08/22] ipatests: adapt expected output with SID
-
-From now on, new users/groups automatically get a SID.
-Update the expect test outputs.
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_xmlrpc/mock_trust.py | 45 -------------------
- ipatests/test_xmlrpc/objectclasses.py | 4 +-
- ipatests/test_xmlrpc/test_batch_plugin.py | 7 ++-
- ipatests/test_xmlrpc/test_group_plugin.py | 25 ++++++-----
- ipatests/test_xmlrpc/test_idviews_plugin.py | 19 ++++----
- .../test_kerberos_principal_aliases.py | 6 +--
- ipatests/test_xmlrpc/test_netgroup_plugin.py | 4 +-
- ipatests/test_xmlrpc/test_range_plugin.py | 2 +
- .../test_xmlrpc/test_selinuxusermap_plugin.py | 4 +-
- ipatests/test_xmlrpc/test_service_plugin.py | 7 ++-
- ipatests/test_xmlrpc/test_trust_plugin.py | 4 +-
- ipatests/test_xmlrpc/test_user_plugin.py | 27 ++++++-----
- ipatests/test_xmlrpc/tracker/group_plugin.py | 11 +++--
- ipatests/test_xmlrpc/tracker/user_plugin.py | 9 ++--
- ipatests/test_xmlrpc/xmlrpc_test.py | 12 ++---
- 15 files changed, 85 insertions(+), 101 deletions(-)
-
-diff --git a/ipatests/test_xmlrpc/mock_trust.py b/ipatests/test_xmlrpc/mock_trust.py
-index 08c1c2914..24a26ed1d 100644
---- a/ipatests/test_xmlrpc/mock_trust.py
-+++ b/ipatests/test_xmlrpc/mock_trust.py
-@@ -2,55 +2,10 @@
- #
- # Copyright (C) 2016 FreeIPA Contributors see COPYING for license
- #
--from contextlib import contextmanager
- import six
-
- from ipalib import api
--from ipatests.util import MockLDAP
-
--trust_container_dn = "cn=ad,cn=trusts,{basedn}".format(
-- basedn=api.env.basedn)
--trust_container_add = dict(
-- objectClass=[b"nsContainer", b"top"]
-- )
--
--smb_cont_dn = "{cifsdomains},{basedn}".format(
-- cifsdomains=api.env.container_cifsdomains,
-- basedn=api.env.basedn)
--smb_cont_add = dict(
-- objectClass=[b"nsContainer", b"top"]
-- )
--
--
--def create_mock_trust_containers():
-- with MockLDAP() as ldap:
-- ldap.add_entry(trust_container_dn, trust_container_add)
-- ldap.add_entry(smb_cont_dn, smb_cont_add)
--
--
--def remove_mock_trust_containers():
-- with MockLDAP() as ldap:
-- ldap.del_entry(trust_container_dn)
-- ldap.del_entry(smb_cont_dn)
--
--
--@contextmanager
--def mocked_trust_containers():
-- """Mocked trust containers
--
-- Provides containers for the RPC tests:
-- cn=ad,cn=trusts,BASEDN
-- cn=ad,cn=etc,BASEDN
--
-- Upon exiting, it tries to remove the container entries.
-- If the user of the context manager failed to remove
-- all child entries, exiting the context manager will fail.
-- """
-- create_mock_trust_containers()
-- try:
-- yield
-- finally:
-- remove_mock_trust_containers()
-
- def get_range_dn(name):
- format_str = "cn={name},cn=ranges,cn=etc,{basedn}"
-diff --git a/ipatests/test_xmlrpc/objectclasses.py b/ipatests/test_xmlrpc/objectclasses.py
-index 6a0efdd18..23bc03a07 100644
---- a/ipatests/test_xmlrpc/objectclasses.py
-+++ b/ipatests/test_xmlrpc/objectclasses.py
-@@ -35,7 +35,7 @@ user_base = [
- u'ipaSshGroupOfPubKeys',
- ]
-
--user = user_base + [u'mepOriginEntry']
-+user = user_base + [u'mepOriginEntry', 'ipantuserattrs',]
-
- group = [
- u'top',
-@@ -46,7 +46,7 @@ group = [
- ]
-
- externalgroup = group + [u'ipaexternalgroup']
--posixgroup = group + [u'posixgroup']
-+posixgroup = group + [u'posixgroup', 'ipantgroupattrs']
-
- host = [
- u'ipasshhost',
-diff --git a/ipatests/test_xmlrpc/test_batch_plugin.py b/ipatests/test_xmlrpc/test_batch_plugin.py
-index e475081e3..632dd2c79 100644
---- a/ipatests/test_xmlrpc/test_batch_plugin.py
-+++ b/ipatests/test_xmlrpc/test_batch_plugin.py
-@@ -25,6 +25,7 @@ from ipalib import api
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.util import Fuzzy, assert_deepequal
- from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_digits,
-+ fuzzy_set_optional_oc,
- fuzzy_uuid)
- from ipapython.dn import DN
- import pytest
-@@ -97,7 +98,8 @@ class test_batch(Declarative):
- result=dict(
- cn=[group1],
- description=[u'Test desc 1'],
-- objectclass=objectclasses.group + [u'posixgroup'],
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
- ipauniqueid=[fuzzy_uuid],
- gidnumber=[fuzzy_digits],
- dn=DN(('cn', 'testgroup1'),
-@@ -168,7 +170,8 @@ class test_batch(Declarative):
- result=dict(
- cn=[group1],
- description=[u'Test desc 1'],
-- objectclass=objectclasses.group + [u'posixgroup'],
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
- ipauniqueid=[fuzzy_uuid],
- gidnumber=[fuzzy_digits],
- dn=DN(('cn', 'testgroup1'),
-diff --git a/ipatests/test_xmlrpc/test_group_plugin.py b/ipatests/test_xmlrpc/test_group_plugin.py
-index 11c85feb4..f9a0e2cfe 100644
---- a/ipatests/test_xmlrpc/test_group_plugin.py
-+++ b/ipatests/test_xmlrpc/test_group_plugin.py
-@@ -27,7 +27,8 @@ import pytest
- from ipalib import errors
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.test_xmlrpc.xmlrpc_test import (
-- fuzzy_digits, fuzzy_uuid, fuzzy_set_ci, add_oc,
-+ fuzzy_digits, fuzzy_uuid, fuzzy_set_ci,
-+ fuzzy_user_or_group_sid,
- XMLRPC_test, raises_exact
- )
- from ipatests.test_xmlrpc.tracker.group_plugin import GroupTracker
-@@ -61,6 +62,8 @@ def managed_group(request, user):
- tracker.exists = True
- # Managed group gets created when user is created
- tracker.track_create()
-+ # Managed groups don't have a SID
-+ del tracker.attrs['ipantsecurityidentifier']
- return tracker
-
-
-@@ -79,7 +82,7 @@ def user_npg2(request, group):
- del tracker.attrs['mepmanagedentry']
- tracker.attrs.update(
- gidnumber=[u'1000'], description=[], memberof_group=[group.cn],
-- objectclass=add_oc(objectclasses.user_base, u'ipantuserattrs')
-+ objectclass=objectclasses.user_base + ['ipantuserattrs']
- )
- return tracker.make_fixture(request)
-
-@@ -314,9 +317,9 @@ class TestFindGroup(XMLRPC_test):
- 'gidnumber': [fuzzy_digits],
- 'cn': [u'admins'],
- 'description': [u'Account administrators group'],
-- 'objectclass': fuzzy_set_ci(add_oc(
-- objectclasses.posixgroup, u'ipantgroupattrs')),
-+ 'objectclass': fuzzy_set_ci(objectclasses.posixgroup),
- 'ipauniqueid': [fuzzy_uuid],
-+ 'ipantsecurityidentifier': [fuzzy_user_or_group_sid],
- },
- {
- 'dn': get_group_dn('editors'),
-@@ -324,27 +327,27 @@ class TestFindGroup(XMLRPC_test):
- 'cn': [u'editors'],
- 'description':
- [u'Limited admins who can edit other users'],
-- 'objectclass': fuzzy_set_ci(add_oc(
-- objectclasses.posixgroup, u'ipantgroupattrs')),
-+ 'objectclass': fuzzy_set_ci(objectclasses.posixgroup),
- 'ipauniqueid': [fuzzy_uuid],
-+ 'ipantsecurityidentifier': [fuzzy_user_or_group_sid],
- },
- {
- 'dn': get_group_dn(group.cn),
- 'cn': [group.cn],
- 'description': [u'Test desc1'],
- 'gidnumber': [fuzzy_digits],
-- 'objectclass': fuzzy_set_ci(add_oc(
-- objectclasses.posixgroup, u'ipantgroupattrs')),
-+ 'objectclass': fuzzy_set_ci(objectclasses.posixgroup),
- 'ipauniqueid': [fuzzy_uuid],
-+ 'ipantsecurityidentifier': [fuzzy_user_or_group_sid],
- },
- {
- 'dn': get_group_dn(group2.cn),
- 'cn': [group2.cn],
- 'description': [u'Test desc2'],
- 'gidnumber': [fuzzy_digits],
-- 'objectclass': fuzzy_set_ci(add_oc(
-- objectclasses.posixgroup, u'ipantgroupattrs')),
-+ 'objectclass': fuzzy_set_ci(objectclasses.posixgroup),
- 'ipauniqueid': [fuzzy_uuid],
-+ 'ipantsecurityidentifier': [fuzzy_user_or_group_sid],
- },
- ]), result)
-
-@@ -498,6 +501,8 @@ class TestExternalGroup(XMLRPC_test):
- group.track_create()
- del group.attrs['gidnumber']
- group.attrs.update(objectclass=objectclasses.externalgroup)
-+ # External group don't have a SID
-+ del group.attrs['ipantsecurityidentifier']
- command = group.make_create_command(**dict(external=True))
- result = command()
- group.check_create(result)
-diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
-index be96e27dc..fa535af7a 100644
---- a/ipatests/test_xmlrpc/test_idviews_plugin.py
-+++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
-@@ -27,7 +27,8 @@ import six
-
- from ipalib import api, errors
- from ipatests.test_xmlrpc import objectclasses
--from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, uuid_re, add_oc,
-+from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, uuid_re,
-+ fuzzy_set_optional_oc,
- fuzzy_uuid, fuzzy_digits)
- from ipatests.test_xmlrpc.test_user_plugin import get_user_result
- from ipatests.test_xmlrpc.test_group_plugin import get_group_dn
-@@ -216,10 +217,7 @@ class test_idviews(Declarative):
- u'Test',
- u'User1',
- 'add',
-- objectclass=add_oc(
-- objectclasses.user,
-- u'ipantuserattrs'
-- )
-+ objectclass=objectclasses.user,
- ),
- ),
- ),
-@@ -237,7 +235,8 @@ class test_idviews(Declarative):
- result=dict(
- cn=[idoverridegroup1],
- description=[u'Test desc 1'],
-- objectclass=objectclasses.posixgroup,
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
- ipauniqueid=[fuzzy_uuid],
- gidnumber=[fuzzy_digits],
- dn=get_group_dn(idoverridegroup1),
-@@ -1624,10 +1623,7 @@ class test_idviews(Declarative):
- u'Removed',
- u'User',
- 'add',
-- objectclass=add_oc(
-- objectclasses.user,
-- u'ipantuserattrs'
-- )
-+ objectclass=objectclasses.user,
- ),
- ),
- ),
-@@ -1645,7 +1641,8 @@ class test_idviews(Declarative):
- result=dict(
- cn=[idoverridegroup_removed],
- description=[u'Removed group'],
-- objectclass=objectclasses.posixgroup,
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
- ipauniqueid=[fuzzy_uuid],
- gidnumber=[fuzzy_digits],
- dn=get_group_dn(idoverridegroup_removed),
-diff --git a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
-index 61d3684bd..91c22b08c 100644
---- a/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
-+++ b/ipatests/test_xmlrpc/test_kerberos_principal_aliases.py
-@@ -19,7 +19,7 @@ from ipatests.test_xmlrpc.tracker.host_plugin import HostTracker
- from ipatests.test_xmlrpc.tracker.service_plugin import ServiceTracker
- from ipatests.test_xmlrpc.tracker.stageuser_plugin import StageUserTracker
- from ipatests.test_xmlrpc.mock_trust import (
-- mocked_trust_containers, get_trust_dn, get_trusted_dom_dict,
-+ get_trust_dn, get_trusted_dom_dict,
- encode_mockldap_value)
- from ipatests.util import unlock_principal_password, change_principal
-
-@@ -62,7 +62,7 @@ def trusted_domain():
- trusted_dom = TRUSTED_DOMAIN_MOCK
-
- # Write the changes
-- with mocked_trust_containers(), MockLDAP() as ldap:
-+ with MockLDAP() as ldap:
- ldap.add_entry(trusted_dom['dn'], trusted_dom['ldif'])
- yield trusted_dom
- ldap.del_entry(trusted_dom['dn'])
-@@ -83,7 +83,7 @@ def trusted_domain_with_suffix():
- )
-
- # Write the changes
-- with mocked_trust_containers(), MockLDAP() as ldap:
-+ with MockLDAP() as ldap:
- ldap.add_entry(trusted_dom['dn'], trusted_dom['ldif'])
- yield trusted_dom
- ldap.del_entry(trusted_dom['dn'])
-diff --git a/ipatests/test_xmlrpc/test_netgroup_plugin.py b/ipatests/test_xmlrpc/test_netgroup_plugin.py
-index 5004ecbe8..3f1fc0bc1 100644
---- a/ipatests/test_xmlrpc/test_netgroup_plugin.py
-+++ b/ipatests/test_xmlrpc/test_netgroup_plugin.py
-@@ -24,6 +24,7 @@ Test the `ipaserver/plugins/netgroup.py` module.
- from ipalib import api
- from ipalib import errors
- from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_digits,
-+ fuzzy_set_optional_oc,
- fuzzy_uuid, fuzzy_netgroupdn)
- from ipatests.test_xmlrpc import objectclasses
- from ipapython.dn import DN
-@@ -300,7 +301,8 @@ class test_netgroup(Declarative):
- cn=[group1],
- description=[u'Test desc 1'],
- gidnumber=[fuzzy_digits],
-- objectclass=objectclasses.group + [u'posixgroup'],
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
- ipauniqueid=[fuzzy_uuid],
- dn=DN(('cn',group1),('cn','groups'),('cn','accounts'),
- api.env.basedn),
-diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
-index c756bb794..168dbcbf3 100644
---- a/ipatests/test_xmlrpc/test_range_plugin.py
-+++ b/ipatests/test_xmlrpc/test_range_plugin.py
-@@ -495,6 +495,8 @@ class test_range(Declarative):
- user1, u'Test', u'User1', 'add',
- uidnumber=[unicode(user1_uid)],
- gidnumber=[unicode(user1_uid)],
-+ objectclass=objectclasses.user_base + [u'mepOriginEntry'],
-+ omit=['ipantsecurityidentifier'],
- ),
- ),
- ),
-diff --git a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
-index 179b65b6a..662212a63 100644
---- a/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
-+++ b/ipatests/test_xmlrpc/test_selinuxusermap_plugin.py
-@@ -25,6 +25,7 @@ from ipaplatform.constants import constants as platformconstants
-
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.test_xmlrpc.xmlrpc_test import (Declarative, fuzzy_digits,
-+ fuzzy_set_optional_oc,
- fuzzy_uuid)
- from ipapython.dn import DN
- from ipatests.util import Fuzzy
-@@ -230,7 +231,8 @@ class test_selinuxusermap(Declarative):
- cn=[group1],
- description=[u'Test desc 1'],
- gidnumber=[fuzzy_digits],
-- objectclass=objectclasses.group + [u'posixgroup'],
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
- ipauniqueid=[fuzzy_uuid],
- dn=DN(('cn', group1), ('cn', 'groups'), ('cn', 'accounts'),
- api.env.basedn),
-diff --git a/ipatests/test_xmlrpc/test_service_plugin.py b/ipatests/test_xmlrpc/test_service_plugin.py
-index ed634a045..a3e5b740b 100644
---- a/ipatests/test_xmlrpc/test_service_plugin.py
-+++ b/ipatests/test_xmlrpc/test_service_plugin.py
-@@ -25,6 +25,7 @@ from ipalib import api, errors
- from ipatests.test_xmlrpc.xmlrpc_test import Declarative, fuzzy_uuid, fuzzy_hash
- from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_date, fuzzy_issuer
- from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_hex, XMLRPC_test
-+from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_set_optional_oc
- from ipatests.test_xmlrpc.xmlrpc_test import raises_exact
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.test_xmlrpc.testcert import get_testcert, subject_base
-@@ -1113,7 +1114,8 @@ class test_service_allowed_to(Declarative):
- summary=u'Added group "%s"' % group1,
- result=dict(
- cn=[group1],
-- objectclass=objectclasses.group + [u'posixgroup'],
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
- ipauniqueid=[fuzzy_uuid],
- gidnumber=[fuzzy_digits],
- dn=group1_dn
-@@ -1165,7 +1167,8 @@ class test_service_allowed_to(Declarative):
- summary=u'Added group "%s"' % group2,
- result=dict(
- cn=[group2],
-- objectclass=objectclasses.group + [u'posixgroup'],
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
- ipauniqueid=[fuzzy_uuid],
- gidnumber=[fuzzy_digits],
- dn=group2_dn
-diff --git a/ipatests/test_xmlrpc/test_trust_plugin.py b/ipatests/test_xmlrpc/test_trust_plugin.py
-index 21c170943..9c91db438 100644
---- a/ipatests/test_xmlrpc/test_trust_plugin.py
-+++ b/ipatests/test_xmlrpc/test_trust_plugin.py
-@@ -27,6 +27,7 @@ from ipapython.dn import DN
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.test_xmlrpc.xmlrpc_test import (
- Declarative, fuzzy_guid, fuzzy_domain_sid, fuzzy_string, fuzzy_uuid,
-+ fuzzy_set_optional_oc,
- fuzzy_digits)
- import pytest
-
-@@ -110,7 +111,8 @@ class test_trustconfig(Declarative):
- cn=[testgroup],
- description=[u'Test group'],
- gidnumber=[fuzzy_digits],
-- objectclass=objectclasses.group + [u'posixgroup'],
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
- ipauniqueid=[fuzzy_uuid],
- dn=testgroup_dn,
- ),
-diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
-index 19af031bc..c2b8f79c8 100644
---- a/ipatests/test_xmlrpc/test_user_plugin.py
-+++ b/ipatests/test_xmlrpc/test_user_plugin.py
-@@ -38,7 +38,8 @@ from ipatests.util import (
- assert_deepequal, assert_equal, assert_not_equal, raises)
- from ipatests.test_xmlrpc.xmlrpc_test import (
- XMLRPC_test, fuzzy_digits, fuzzy_uuid, fuzzy_password,
-- Fuzzy, fuzzy_dergeneralizedtime, add_sid, add_oc, raises_exact)
-+ fuzzy_user_or_group_sid,
-+ Fuzzy, fuzzy_dergeneralizedtime, raises_exact)
- from ipapython.dn import DN
- from ipapython.ipaldap import ldap_initialize
-
-@@ -124,7 +125,7 @@ def user_npg(request, group):
- del tracker.attrs['mepmanagedentry']
- tracker.attrs.update(
- description=[], memberof_group=[group.cn],
-- objectclass=add_oc(objectclasses.user_base, u'ipantuserattrs')
-+ objectclass=objectclasses.user_base + [u'ipantuserattrs'],
- )
- return tracker.make_fixture(request)
-
-@@ -138,7 +139,7 @@ def user_npg2(request, group):
- del tracker.attrs['mepmanagedentry']
- tracker.attrs.update(
- gidnumber=[u'1000'], description=[], memberof_group=[group.cn],
-- objectclass=add_oc(objectclasses.user_base, u'ipantuserattrs')
-+ objectclass=objectclasses.user_base + [u'ipantuserattrs'],
- )
- return tracker.make_fixture(request)
-
-@@ -645,7 +646,7 @@ class TestCreate(XMLRPC_test):
- testuser.attrs.update(gidnumber=[u'1000'])
- testuser.attrs.update(
- description=[],
-- objectclass=add_oc(objectclasses.user_base, u'ipantuserattrs')
-+ objectclass=objectclasses.user_base + [u'ipantuserattrs']
- )
- command = testuser.make_create_command()
- result = command()
-@@ -659,9 +660,12 @@ class TestCreate(XMLRPC_test):
- name=u'tuser1', givenname=u'Test', sn=u'Tuser1', uidnumber=999
- )
- testuser.track_create()
-+ # When uid is outside of IPA id range, no SID is generated
-+ del testuser.attrs['ipantsecurityidentifier']
- testuser.attrs.update(
- uidnumber=[u'999'],
-- gidnumber=[u'999']
-+ gidnumber=[u'999'],
-+ objectclass=objectclasses.user_base + ['mepOriginEntry']
- )
- command = testuser.make_create_command()
- result = command()
-@@ -837,7 +841,7 @@ class TestUserWithUPGDisabled(XMLRPC_test):
- testuser.attrs.update(gidnumber=[u'1000'])
- testuser.attrs.update(
- description=[],
-- objectclass=add_oc(objectclasses.user_base, u'ipantuserattrs')
-+ objectclass=objectclasses.user_base + [u'ipantuserattrs'],
- )
- command = testuser.make_create_command()
- result = command()
-@@ -860,7 +864,7 @@ class TestUserWithUPGDisabled(XMLRPC_test):
- testuser.attrs.update(gidnumber=[u'1000'])
- testuser.attrs.update(
- description=[],
-- objectclass=add_oc(objectclasses.user_base, u'ipantuserattrs')
-+ objectclass=objectclasses.user_base + [u'ipantuserattrs'],
- )
- command = testuser.make_create_command()
- result = command()
-@@ -1147,7 +1151,7 @@ def get_user_result(uid, givenname, sn, operation='show', omit=[],
- # sn can be None; this should only be used from `get_admin_result`
- cn = overrides.get('cn', ['%s %s' % (givenname, sn or '')])
- cn[0] = cn[0].strip()
-- result = add_sid(dict(
-+ result = dict(
- homedirectory=[u'/home/%s' % uid],
- loginshell=[platformconstants.DEFAULT_SHELL],
- uid=[uid],
-@@ -1158,7 +1162,7 @@ def get_user_result(uid, givenname, sn, operation='show', omit=[],
- mail=[u'%s@%s' % (uid, api.env.domain)],
- has_keytab=False,
- has_password=False,
-- ))
-+ )
- if sn:
- result['sn'] = [sn]
- if givenname:
-@@ -1175,9 +1179,10 @@ def get_user_result(uid, givenname, sn, operation='show', omit=[],
- initials=[givenname[0] + (sn or '')[:1]],
- ipauniqueid=[fuzzy_uuid],
- mepmanagedentry=[get_group_dn(uid)],
-- objectclass=add_oc(objectclasses.user, u'ipantuserattrs'),
-+ objectclass=objectclasses.user,
- krbprincipalname=[u'%s@%s' % (uid, api.env.realm)],
-- krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)]
-+ krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)],
-+ ipantsecurityidentifier=[fuzzy_user_or_group_sid],
- )
- if operation in ('show', 'show-all', 'find', 'mod'):
- result.update(
-diff --git a/ipatests/test_xmlrpc/tracker/group_plugin.py b/ipatests/test_xmlrpc/tracker/group_plugin.py
-index 8a6f8516e..fb36d7cf1 100644
---- a/ipatests/test_xmlrpc/tracker/group_plugin.py
-+++ b/ipatests/test_xmlrpc/tracker/group_plugin.py
-@@ -4,6 +4,8 @@
-
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_digits, fuzzy_uuid
-+from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_user_or_group_sid
-+from ipatests.test_xmlrpc.xmlrpc_test import fuzzy_set_optional_oc
-
- from ipatests.test_xmlrpc.tracker.base import Tracker
- from ipatests.util import assert_deepequal, get_group_dn
-@@ -21,9 +23,10 @@ class GroupTracker(Tracker):
- 'idoverrideuser'
- }
-
-- retrieve_all_keys = retrieve_keys | {u'ipauniqueid', u'objectclass'}
-+ retrieve_all_keys = retrieve_keys | {u'ipauniqueid', u'objectclass',
-+ 'ipantsecurityidentifier'}
-
-- create_keys = retrieve_all_keys
-+ create_keys = retrieve_all_keys - {u'ipantsecurityidentifier'}
- update_keys = retrieve_keys - {u'dn'}
-
- add_member_keys = retrieve_keys | {u'description'}
-@@ -91,7 +94,9 @@ class GroupTracker(Tracker):
- description=[self.description],
- gidnumber=[fuzzy_digits],
- ipauniqueid=[fuzzy_uuid],
-- objectclass=objectclasses.posixgroup,
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.posixgroup, 'ipantgroupattrs'),
-+ ipantsecurityidentifier=[fuzzy_user_or_group_sid],
- )
- self.exists = True
-
-diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
-index d5e9ca893..9adbe8d92 100644
---- a/ipatests/test_xmlrpc/tracker/user_plugin.py
-+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
-@@ -11,7 +11,7 @@ import six
- from ipatests.util import assert_deepequal, get_group_dn
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.test_xmlrpc.xmlrpc_test import (
-- fuzzy_digits, fuzzy_uuid, raises_exact)
-+ fuzzy_digits, fuzzy_uuid, fuzzy_user_or_group_sid, raises_exact)
- from ipatests.test_xmlrpc.tracker.base import Tracker
- from ipatests.test_xmlrpc.tracker.kerberos_aliases import KerberosAliasMixin
- from ipatests.test_xmlrpc.tracker.certmapdata import CertmapdataMixin
-@@ -40,7 +40,8 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker):
- u'l', u'mobile', u'krbextradata', u'krblastpwdchange',
- u'krbpasswordexpiration', u'pager', u'st', u'manager', u'cn',
- u'ipauniqueid', u'objectclass', u'mepmanagedentry',
-- u'displayname', u'gecos', u'initials', u'preserved'}
-+ u'displayname', u'gecos', u'initials', u'preserved',
-+ 'ipantsecurityidentifier'}
-
- retrieve_preserved_keys = (retrieve_keys - {u'memberof_group'}) | {
- u'preserved'}
-@@ -122,7 +123,8 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker):
- api.env.container_deleteuser,
- api.env.basedn
- )
-- self.attrs[u'objectclass'] = objectclasses.user_base
-+ self.attrs[u'objectclass'] = objectclasses.user_base \
-+ + ['ipantuserattrs']
-
- return self.make_command(
- 'user_del', self.uid,
-@@ -188,6 +190,7 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker):
- mepmanagedentry=[get_group_dn(self.uid)],
- memberof_group=[u'ipausers'],
- nsaccountlock=[u'false'],
-+ ipantsecurityidentifier=[fuzzy_user_or_group_sid],
- )
-
- for key in self.kwargs:
-diff --git a/ipatests/test_xmlrpc/xmlrpc_test.py b/ipatests/test_xmlrpc/xmlrpc_test.py
-index de2357237..8adb3c0d7 100644
---- a/ipatests/test_xmlrpc/xmlrpc_test.py
-+++ b/ipatests/test_xmlrpc/xmlrpc_test.py
-@@ -137,6 +137,12 @@ fuzzy_bytes = Fuzzy(type=bytes)
- def fuzzy_set_ci(s):
- return Fuzzy(test=lambda other: set(x.lower() for x in other) == set(y.lower() for y in s))
-
-+
-+def fuzzy_set_optional_oc(s, oc):
-+ return Fuzzy(test=lambda other: set(x.lower() for x in other if x != oc)
-+ == set(y.lower() for y in s if y != oc))
-+
-+
- try:
- if not api.Backend.rpcclient.isconnected():
- api.Backend.rpcclient.connect()
-@@ -152,12 +158,6 @@ adtrust_is_enabled = api.Command['adtrust_is_enabled']()['result']
- sidgen_was_run = api.Command['sidgen_was_run']()['result']
-
-
--def add_sid(d, check_sidgen=False):
-- if adtrust_is_enabled and (not check_sidgen or sidgen_was_run):
-- d['ipantsecurityidentifier'] = (fuzzy_user_or_group_sid,)
-- return d
--
--
- def add_oc(l, oc, check_sidgen=False):
- if adtrust_is_enabled and (not check_sidgen or sidgen_was_run):
- return l + [oc]
---
-2.33.1
-
-
-From 3162eb19616c3b17c4cbc659043d10e9fcf358bb Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Fri, 15 Oct 2021 15:55:10 +0200
-Subject: [PATCH 09/22] User lifecycle: ignore SID when moving from preserved
- to staged
-
-When a preserved user entry is moved to staged state, the SID
-attribute must not be provided to user-stage command (the option
-does not exist and the SID will be re-generated anyway).
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/plugins/user.py | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
-index e4ee572b2..7a4acf66e 100644
---- a/ipaserver/plugins/user.py
-+++ b/ipaserver/plugins/user.py
-@@ -978,6 +978,7 @@ class user_stage(LDAPMultiQuery):
- u'ipauniqueid', u'krbcanonicalname',
- u'sshpubkeyfp', u'krbextradata',
- u'ipacertmapdata',
-+ 'ipantsecurityidentifier',
- u'nsaccountlock']
-
- def execute(self, *keys, **options):
---
-2.33.1
-
-
-From 4ece13844e1b40379f6515418e9ceed03af9a8b4 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Wed, 20 Oct 2021 10:43:33 +0200
-Subject: [PATCH 10/22] ipatests: backup-reinstall-restore needs to clear sssd
- cache
-
-The integration tests that check backup-reinstall-restore
-scenario need to clear sssd cache before checking the uid
-of the admin user. For instance:
-backup: saves the original admin uid
-reinstall: creates a new admin uid, potentially cached by SSSD
-restore: restores the original admin uid
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- .../test_integration/test_backup_and_restore.py | 17 +++++++++++++++++
- 1 file changed, 17 insertions(+)
-
-diff --git a/ipatests/test_integration/test_backup_and_restore.py b/ipatests/test_integration/test_backup_and_restore.py
-index dcaddb1a1..a10c96f80 100644
---- a/ipatests/test_integration/test_backup_and_restore.py
-+++ b/ipatests/test_integration/test_backup_and_restore.py
-@@ -311,6 +311,11 @@ class BaseBackupAndRestoreWithDNS(IntegrationTest):
- tasks.install_master(self.master, setup_dns=True)
- self.master.run_command(['ipa-restore', backup_path],
- stdin_text=dirman_password + '\nyes')
-+ if reinstall:
-+ # If the server was reinstalled, reinstall may have changed
-+ # the uid and restore reverts to the original value.
-+ # clear the cache to make sure we get up-to-date values
-+ tasks.clear_sssd_cache(self.master)
- tasks.resolve_record(self.master.ip, self.example_test_zone)
-
- tasks.kinit_admin(self.master)
-@@ -380,6 +385,12 @@ class BaseBackupAndRestoreWithDNSSEC(IntegrationTest):
- self.master.run_command(['ipa-restore', backup_path],
- stdin_text=dirman_password + '\nyes')
-
-+ if reinstall:
-+ # If the server was reinstalled, reinstall may have changed
-+ # the uid and restore reverts to the original value.
-+ # clear the cache to make sure we get up-to-date values
-+ tasks.clear_sssd_cache(self.master)
-+
- assert (
- wait_until_record_is_signed(
- self.master.ip, self.example_test_zone)
-@@ -464,6 +475,12 @@ class BaseBackupAndRestoreWithKRA(IntegrationTest):
- self.master.run_command(['ipa-restore', backup_path],
- stdin_text=dirman_password + '\nyes')
-
-+ if reinstall:
-+ # If the server was reinstalled, reinstall may have changed
-+ # the uid and restore reverts to the original value.
-+ # clear the cache to make sure we get up-to-date values
-+ tasks.clear_sssd_cache(self.master)
-+
- tasks.kinit_admin(self.master)
- # retrieve secret after restore
- self.master.run_command([
---
-2.33.1
-
-
-From ea740e0a752ae8a22bb70e282a5a3e6a77c5f36f Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Thu, 21 Oct 2021 15:15:45 +0200
-Subject: [PATCH 11/22] Webui tests: new idrange now requires base RID
-
-Now that SID are always generated, the creation of a new
-local idrange is refused if baserid is missing.
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_webui/test_range.py | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
-diff --git a/ipatests/test_webui/test_range.py b/ipatests/test_webui/test_range.py
-index 239c1c442..a72def452 100644
---- a/ipatests/test_webui/test_range.py
-+++ b/ipatests/test_webui/test_range.py
-@@ -297,8 +297,13 @@ class test_range(range_tasks):
-
- # Without primary and secondary RID bases
- data = self.get_data(pkey, base_rid='', secondary_base_rid='')
-- self.add_record(ENTITY, data, navigate=False)
-- self.delete_record(pkey)
-+ self.add_record(ENTITY, data, navigate=False, negative=True)
-+ try:
-+ assert self.has_form_error('ipabaserid')
-+ finally:
-+ self.delete_record(pkey)
-+
-+ self.dialog_button_click('cancel')
-
- @screenshot
- def test_modify_range_with_invalid_or_missing_values(self):
---
-2.33.1
-
-
-From b8cb1e3da32a326ac0626c2d3c9a988312593f3a Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Thu, 21 Oct 2021 15:18:12 +0200
-Subject: [PATCH 12/22] User plugin: do not return the SID on user creation
-
-The SID is not part of the default user attributes and does not
-need to be returned in the user-add output.
-
-Related: https://pagure.io/freeipa/issue/8995
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipaserver/plugins/user.py | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/ipaserver/plugins/user.py b/ipaserver/plugins/user.py
-index 7a4acf66e..bc3932d39 100644
---- a/ipaserver/plugins/user.py
-+++ b/ipaserver/plugins/user.py
-@@ -658,6 +658,10 @@ class user_add(baseuser_add):
-
- entry_attrs.update(newentry)
-
-+ # delete ipantsecurityidentifier if present
-+ if ('ipantsecurityidentifier' in entry_attrs):
-+ del entry_attrs['ipantsecurityidentifier']
-+
- if options.get('random', False):
- try:
- entry_attrs['randompassword'] = unicode(getattr(context, 'randompassword'))
---
-2.33.1
-
-
-From f00a52ae45b0c0e5fede4e18e2c9c785fd54ff87 Mon Sep 17 00:00:00 2001
-From: Florence Blanc-Renaud <flo@redhat.com>
-Date: Thu, 21 Oct 2021 15:22:25 +0200
-Subject: [PATCH 13/22] ipatests: update the expected output of user-add cmd
-
-The SID is not expected to be returned by ipa user-add.
-
-Related: https://pagure.io/freeipa/issue/8995
-Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
-Reviewed-By: Christian Heimes <cheimes@redhat.com>
-Reviewed-By: Rob Crittenden <rcritten@redhat.com>
-Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
----
- ipatests/test_xmlrpc/test_idviews_plugin.py | 6 ++++--
- ipatests/test_xmlrpc/test_range_plugin.py | 1 -
- ipatests/test_xmlrpc/test_user_plugin.py | 3 +++
- ipatests/test_xmlrpc/tracker/user_plugin.py | 5 ++++-
- 4 files changed, 11 insertions(+), 4 deletions(-)
-
-diff --git a/ipatests/test_xmlrpc/test_idviews_plugin.py b/ipatests/test_xmlrpc/test_idviews_plugin.py
-index fa535af7a..9b31f5d13 100644
---- a/ipatests/test_xmlrpc/test_idviews_plugin.py
-+++ b/ipatests/test_xmlrpc/test_idviews_plugin.py
-@@ -217,7 +217,8 @@ class test_idviews(Declarative):
- u'Test',
- u'User1',
- 'add',
-- objectclass=objectclasses.user,
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.user, 'ipantuserattrs'),
- ),
- ),
- ),
-@@ -1623,7 +1624,8 @@ class test_idviews(Declarative):
- u'Removed',
- u'User',
- 'add',
-- objectclass=objectclasses.user,
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.user, 'ipantuserattrs'),
- ),
- ),
- ),
-diff --git a/ipatests/test_xmlrpc/test_range_plugin.py b/ipatests/test_xmlrpc/test_range_plugin.py
-index 168dbcbf3..bf4deebb2 100644
---- a/ipatests/test_xmlrpc/test_range_plugin.py
-+++ b/ipatests/test_xmlrpc/test_range_plugin.py
-@@ -496,7 +496,6 @@ class test_range(Declarative):
- uidnumber=[unicode(user1_uid)],
- gidnumber=[unicode(user1_uid)],
- objectclass=objectclasses.user_base + [u'mepOriginEntry'],
-- omit=['ipantsecurityidentifier'],
- ),
- ),
- ),
-diff --git a/ipatests/test_xmlrpc/test_user_plugin.py b/ipatests/test_xmlrpc/test_user_plugin.py
-index c2b8f79c8..b093a9f2b 100644
---- a/ipatests/test_xmlrpc/test_user_plugin.py
-+++ b/ipatests/test_xmlrpc/test_user_plugin.py
-@@ -1182,6 +1182,9 @@ def get_user_result(uid, givenname, sn, operation='show', omit=[],
- objectclass=objectclasses.user,
- krbprincipalname=[u'%s@%s' % (uid, api.env.realm)],
- krbcanonicalname=[u'%s@%s' % (uid, api.env.realm)],
-+ )
-+ if operation == 'show-all':
-+ result.update(
- ipantsecurityidentifier=[fuzzy_user_or_group_sid],
- )
- if operation in ('show', 'show-all', 'find', 'mod'):
-diff --git a/ipatests/test_xmlrpc/tracker/user_plugin.py b/ipatests/test_xmlrpc/tracker/user_plugin.py
-index 9adbe8d92..6cfb9518f 100644
---- a/ipatests/test_xmlrpc/tracker/user_plugin.py
-+++ b/ipatests/test_xmlrpc/tracker/user_plugin.py
-@@ -11,6 +11,7 @@ import six
- from ipatests.util import assert_deepequal, get_group_dn
- from ipatests.test_xmlrpc import objectclasses
- from ipatests.test_xmlrpc.xmlrpc_test import (
-+ fuzzy_set_optional_oc,
- fuzzy_digits, fuzzy_uuid, fuzzy_user_or_group_sid, raises_exact)
- from ipatests.test_xmlrpc.tracker.base import Tracker
- from ipatests.test_xmlrpc.tracker.kerberos_aliases import KerberosAliasMixin
-@@ -51,6 +52,7 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker):
- u'krbextradata', u'krbpasswordexpiration', u'krblastpwdchange',
- u'krbprincipalkey', u'userpassword', u'randompassword'}
- create_keys = create_keys - {u'nsaccountlock'}
-+ create_keys = create_keys - {'ipantsecurityidentifier'}
-
- update_keys = retrieve_keys - {u'dn'}
- activate_keys = retrieve_keys
-@@ -175,7 +177,8 @@ class UserTracker(CertmapdataMixin, KerberosAliasMixin, Tracker):
- displayname=[u'%s %s' % (self.givenname, self.sn)],
- cn=[u'%s %s' % (self.givenname, self.sn)],
- initials=[u'%s%s' % (self.givenname[0], self.sn[0])],
-- objectclass=objectclasses.user,
-+ objectclass=fuzzy_set_optional_oc(
-+ objectclasses.user, 'ipantuserattrs'),
- description=[u'__no_upg__'],
- ipauniqueid=[fuzzy_uuid],
- uidnumber=[fuzzy_digits],
---
-2.33.1
-
-
-From a5ac6f27ebc6d47e1aee79b4bb5da039b96e0d52 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 28 Sep 2021 10:24:32 +0300
-Subject: [PATCH 14/22] ipa-kdb: store SID in the principal entry
-
-If the principal entry in LDAP has SID associated with it, store it to
-be able to quickly assess the SID when processing PAC.
-
-Also rename string_to_sid to IPA-specific version as it uses different
-prototype than Samba version.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Robert Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb.h | 7 ++++++
- daemons/ipa-kdb/ipa_kdb_mspac.c | 31 ++++++++++++++++++-------
- daemons/ipa-kdb/ipa_kdb_mspac_private.h | 1 -
- daemons/ipa-kdb/ipa_kdb_principals.c | 25 ++++++++++++++++++++
- daemons/ipa-kdb/tests/ipa_kdb_tests.c | 30 ++++++++++++------------
- 5 files changed, 69 insertions(+), 25 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
-index 66a1d74f1..884dff950 100644
---- a/daemons/ipa-kdb/ipa_kdb.h
-+++ b/daemons/ipa-kdb/ipa_kdb.h
-@@ -79,6 +79,7 @@
- #define IPA_USER_AUTH_TYPE "ipaUserAuthType"
-
- struct ipadb_mspac;
-+struct dom_sid;
-
- enum ipadb_user_auth {
- IPADB_USER_AUTH_NONE = 0,
-@@ -155,6 +156,8 @@ struct ipadb_e_data {
- bool has_tktpolaux;
- enum ipadb_user_auth user_auth;
- struct ipadb_e_pol_limits pol_limits[IPADB_USER_AUTH_IDX_MAX];
-+ bool has_sid;
-+ struct dom_sid *sid;
- };
-
- struct ipadb_context *ipadb_get_context(krb5_context kcontext);
-@@ -366,3 +369,7 @@ int ipadb_get_enc_salt_types(struct ipadb_context *ipactx, LDAPMessage *entry,
- /* CERTAUTH PLUGIN */
- void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata);
- #endif
-+
-+int ipadb_string_to_sid(const char *str, struct dom_sid *sid);
-+void alloc_sid(struct dom_sid **sid);
-+void free_sid(struct dom_sid **sid);
-\ No newline at end of file
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 47b12a16f..f3e8657c2 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -80,7 +80,20 @@ static char *memberof_pac_attrs[] = {
- #define AUTHZ_DATA_TYPE_PAD "PAD"
- #define AUTHZ_DATA_TYPE_NONE "NONE"
-
--int string_to_sid(const char *str, struct dom_sid *sid)
-+void alloc_sid(struct dom_sid **sid)
-+{
-+ *sid = malloc(sizeof(struct dom_sid));
-+}
-+
-+void free_sid(struct dom_sid **sid)
-+{
-+ if (sid != NULL && *sid != NULL) {
-+ free(*sid);
-+ *sid = NULL;
-+ }
-+}
-+
-+int ipadb_string_to_sid(const char *str, struct dom_sid *sid)
- {
- unsigned long val;
- const char *s;
-@@ -372,7 +385,7 @@ static krb5_error_code ipadb_add_asserted_identity(struct ipadb_context *ipactx,
-
- /* For S4U2Self, add Service Asserted Identity SID
- * otherwise, add Authentication Authority Asserted Identity SID */
-- ret = string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
-+ ret = ipadb_string_to_sid((flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) ?
- "S-1-18-2" : "S-1-18-1",
- arr[sidcount].sid);
- if (ret) {
-@@ -655,7 +668,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
- /* SID is mandatory */
- return ret;
- }
-- ret = string_to_sid(strres, &sid);
-+ ret = ipadb_string_to_sid(strres, &sid);
- free(strres);
- if (ret) {
- return ret;
-@@ -700,7 +713,7 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
- }
- }
- if (strcasecmp(dval->type, "ipaNTSecurityIdentifier") == 0) {
-- ret = string_to_sid((char *)dval->vals[0].bv_val, &gsid);
-+ ret = ipadb_string_to_sid((char *)dval->vals[0].bv_val, &gsid);
- if (ret) {
- continue;
- }
-@@ -1189,7 +1202,7 @@ static int map_groups(TALLOC_CTX *memctx, krb5_context kcontext,
- }
- if (strcasecmp(dval->type,
- "ipaNTSecurityIdentifier") == 0) {
-- kerr = string_to_sid((char *)dval->vals[0].bv_val, &sid);
-+ kerr = ipadb_string_to_sid((char *)dval->vals[0].bv_val, &sid);
- if (kerr != 0) {
- continue;
- }
-@@ -2434,7 +2447,7 @@ ipadb_adtrusts_fill_sid_blacklist(char **source_sid_blacklist,
- }
-
- for (i = 0; i < len; i++) {
-- (void) string_to_sid(source[i], &sid_blacklist[i]);
-+ (void) ipadb_string_to_sid(source[i], &sid_blacklist[i]);
- }
-
- *result_sids = sid_blacklist;
-@@ -2594,7 +2607,7 @@ ipadb_mspac_get_trusted_domains(struct ipadb_context *ipactx)
- goto done;
- }
-
-- ret = string_to_sid(t[n].domain_sid, &t[n].domsid);
-+ ret = ipadb_string_to_sid(t[n].domain_sid, &t[n].domsid);
- if (ret && t[n].domain_sid != NULL) {
- ret = EINVAL;
- goto done;
-@@ -2812,7 +2825,7 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_rein
- goto done;
- }
-
-- ret = string_to_sid(resstr, &ipactx->mspac->domsid);
-+ ret = ipadb_string_to_sid(resstr, &ipactx->mspac->domsid);
- if (ret) {
- kerr = ret;
- free(resstr);
-@@ -2865,7 +2878,7 @@ krb5_error_code ipadb_reinit_mspac(struct ipadb_context *ipactx, bool force_rein
- goto done;
- }
- if (ret == 0) {
-- ret = string_to_sid(resstr, &gsid);
-+ ret = ipadb_string_to_sid(resstr, &gsid);
- if (ret) {
- free(resstr);
- kerr = ret;
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac_private.h b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-index 8c8a3a001..3696c3c6c 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac_private.h
-@@ -51,7 +51,6 @@ struct ipadb_adtrusts {
- size_t *upn_suffixes_len;
- };
-
--int string_to_sid(const char *str, struct dom_sid *sid);
- char *dom_sid_string(TALLOC_CTX *memctx, const struct dom_sid *dom_sid);
- krb5_error_code filter_logon_info(krb5_context context, TALLOC_CTX *memctx,
- krb5_data realm, struct PAC_LOGON_INFO_CTR *info);
-diff --git a/daemons/ipa-kdb/ipa_kdb_principals.c b/daemons/ipa-kdb/ipa_kdb_principals.c
-index 0a98ff054..15f3df4fe 100644
---- a/daemons/ipa-kdb/ipa_kdb_principals.c
-+++ b/daemons/ipa-kdb/ipa_kdb_principals.c
-@@ -79,6 +79,8 @@ static char *std_principal_attrs[] = {
- "ipatokenRadiusConfigLink",
- "krbAuthIndMaxTicketLife",
- "krbAuthIndMaxRenewableAge",
-+ "ipaNTSecurityIdentifier",
-+ "ipaUniqueID",
-
- "objectClass",
- NULL
-@@ -594,6 +596,7 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
- char *restring;
- char *uidstring;
- char **authz_data_list;
-+ char *princ_sid;
- krb5_timestamp restime;
- bool resbool;
- int result;
-@@ -963,6 +966,27 @@ static krb5_error_code ipadb_parse_ldap_entry(krb5_context kcontext,
- ipadb_parse_authind_policies(kcontext, lcontext, lentry, entry, ua);
- }
-
-+ /* Add SID if it is associated with the principal account */
-+ ied->has_sid = false;
-+ ied->sid = NULL;
-+ ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-+ "ipaNTSecurityIdentifier", &princ_sid);
-+ if (ret == 0 && princ_sid != NULL) {
-+ alloc_sid(&ied->sid);
-+ if (ied->sid == NULL) {
-+ kerr = KRB5_KDB_INTERNAL_ERROR;
-+ free(princ_sid);
-+ goto done;
-+ }
-+ ret = ipadb_string_to_sid(princ_sid, ied->sid);
-+ free(princ_sid);
-+ if (ret != 0) {
-+ kerr = ret;
-+ goto done;
-+ }
-+ ied->has_sid = true;
-+ }
-+
- kerr = 0;
-
- done:
-@@ -1568,6 +1592,7 @@ void ipadb_free_principal_e_data(krb5_context kcontext, krb5_octet *e_data)
- }
- free(ied->authz_data);
- free(ied->pol);
-+ free_sid(&ied->sid);
- free(ied);
- }
- }
-diff --git a/daemons/ipa-kdb/tests/ipa_kdb_tests.c b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-index 0b51ffb96..d38dfd841 100644
---- a/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-+++ b/daemons/ipa-kdb/tests/ipa_kdb_tests.c
-@@ -105,7 +105,7 @@ static int setup(void **state)
- /* make sure data is not read from LDAP */
- ipa_ctx->mspac->last_update = time(NULL) - 1;
-
-- ret = string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid);
-+ ret = ipadb_string_to_sid(DOM_SID, &ipa_ctx->mspac->domsid);
- assert_int_equal(ret, 0);
-
- ipa_ctx->mspac->num_trusts = 1;
-@@ -121,7 +121,7 @@ static int setup(void **state)
- ipa_ctx->mspac->trusts[0].domain_sid = strdup(DOM_SID_TRUST);
- assert_non_null(ipa_ctx->mspac->trusts[0].domain_sid);
-
-- ret = string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid);
-+ ret = ipadb_string_to_sid(DOM_SID_TRUST, &ipa_ctx->mspac->trusts[0].domsid);
- assert_int_equal(ret, 0);
-
- ipa_ctx->mspac->trusts[0].len_sid_blocklist_incoming = 1;
-@@ -129,7 +129,7 @@ static int setup(void **state)
- ipa_ctx->mspac->trusts[0].len_sid_blocklist_incoming,
- sizeof(struct dom_sid));
- assert_non_null(ipa_ctx->mspac->trusts[0].sid_blocklist_incoming);
-- ret = string_to_sid(BLOCKLIST_SID,
-+ ret = ipadb_string_to_sid(BLOCKLIST_SID,
- &ipa_ctx->mspac->trusts[0].sid_blocklist_incoming[0]);
- assert_int_equal(ret, 0);
-
-@@ -216,7 +216,7 @@ static void test_filter_logon_info(void **state)
- assert_int_equal(kerr, EINVAL);
-
- /* wrong domain SID */
-- ret = string_to_sid("S-1-5-21-1-1-1", &dom_sid);
-+ ret = ipadb_string_to_sid("S-1-5-21-1-1-1", &dom_sid);
- assert_int_equal(ret, 0);
- info->info->info3.base.domain_sid = &dom_sid;
-
-@@ -224,7 +224,7 @@ static void test_filter_logon_info(void **state)
- assert_int_equal(kerr, EINVAL);
-
- /* matching domain SID */
-- ret = string_to_sid(DOM_SID_TRUST, &dom_sid);
-+ ret = ipadb_string_to_sid(DOM_SID_TRUST, &dom_sid);
- assert_int_equal(ret, 0);
- info->info->info3.base.domain_sid = &dom_sid;
-
-@@ -292,7 +292,7 @@ static void test_filter_logon_info(void **state)
- }
-
- for (d = 0; d < info->info->info3.sidcount; d++) {
-- ret = string_to_sid(test_data[c].sids[d],
-+ ret = ipadb_string_to_sid(test_data[c].sids[d],
- info->info->info3.sids[d].sid);
- assert_int_equal(ret, 0);
- }
-@@ -434,7 +434,7 @@ static void test_get_authz_data_types(void **state)
- krb5_free_principal(test_ctx->krb5_ctx, non_nfs_princ);
- }
-
--static void test_string_to_sid(void **state)
-+static void test_ipadb_string_to_sid(void **state)
- {
- int ret;
- struct dom_sid sid;
-@@ -442,25 +442,25 @@ static void test_string_to_sid(void **state)
- {21, 2127521184, 1604012920, 1887927527, 72713,
- 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}};
-
-- ret = string_to_sid(NULL, &sid);
-+ ret = ipadb_string_to_sid(NULL, &sid);
- assert_int_equal(ret, EINVAL);
-
-- ret = string_to_sid("abc", &sid);
-+ ret = ipadb_string_to_sid("abc", &sid);
- assert_int_equal(ret, EINVAL);
-
-- ret = string_to_sid("S-", &sid);
-+ ret = ipadb_string_to_sid("S-", &sid);
- assert_int_equal(ret, EINVAL);
-
-- ret = string_to_sid("S-ABC", &sid);
-+ ret = ipadb_string_to_sid("S-ABC", &sid);
- assert_int_equal(ret, EINVAL);
-
-- ret = string_to_sid("S-123", &sid);
-+ ret = ipadb_string_to_sid("S-123", &sid);
- assert_int_equal(ret, EINVAL);
-
-- ret = string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid);
-+ ret = ipadb_string_to_sid("S-1-123-1-2-3-4-5-6-7-8-9-0-1-2-3-4-5-6", &sid);
- assert_int_equal(ret, EINVAL);
-
-- ret = string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713",
-+ ret = ipadb_string_to_sid("S-1-5-21-2127521184-1604012920-1887927527-72713",
- &sid);
- assert_int_equal(ret, 0);
- assert_memory_equal(&exp_sid, &sid, sizeof(struct dom_sid));
-@@ -531,7 +531,7 @@ int main(int argc, const char *argv[])
- setup, teardown),
- cmocka_unit_test_setup_teardown(test_filter_logon_info,
- setup, teardown),
-- cmocka_unit_test(test_string_to_sid),
-+ cmocka_unit_test(test_ipadb_string_to_sid),
- cmocka_unit_test_setup_teardown(test_dom_sid_string,
- setup, teardown),
- cmocka_unit_test_setup_teardown(test_check_trusted_realms,
---
-2.33.1
-
-
-From fb9a718c4e65c2da2c95f3dcf43aa2326f41482d Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Tue, 28 Sep 2021 10:26:30 +0300
-Subject: [PATCH 15/22] ipa-kdb: enforce SID checks when generating PAC
-
-Check that a domain SID and a user SID in the PAC passed to us are what
-they should be for the local realm's principal.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-by: Andreas Schneider <asn@samba.org>
-Reviewed-by: Robert Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb.h | 3 +-
- daemons/ipa-kdb/ipa_kdb_mspac.c | 112 ++++++++++++++++++++++++++++----
- 2 files changed, 100 insertions(+), 15 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb.h b/daemons/ipa-kdb/ipa_kdb.h
-index 884dff950..708e9545e 100644
---- a/daemons/ipa-kdb/ipa_kdb.h
-+++ b/daemons/ipa-kdb/ipa_kdb.h
-@@ -372,4 +372,5 @@ void ipa_certauth_free_moddata(krb5_certauth_moddata *moddata);
-
- int ipadb_string_to_sid(const char *str, struct dom_sid *sid);
- void alloc_sid(struct dom_sid **sid);
--void free_sid(struct dom_sid **sid);
-\ No newline at end of file
-+void free_sid(struct dom_sid **sid);
-+bool dom_sid_check(const struct dom_sid *sid1, const struct dom_sid *sid2, bool exact_check);
-\ No newline at end of file
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index f3e8657c2..59b77f5d8 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -236,7 +236,7 @@ static struct dom_sid *dom_sid_dup(TALLOC_CTX *memctx,
- * dom_sid_check() is supposed to be used with sid1 representing domain SID
- * and sid2 being either domain or resource SID in the domain
- */
--static bool dom_sid_check(const struct dom_sid *sid1, const struct dom_sid *sid2, bool exact_check)
-+bool dom_sid_check(const struct dom_sid *sid1, const struct dom_sid *sid2, bool exact_check)
- {
- int c, num;
-
-@@ -1404,6 +1404,82 @@ static void filter_logon_info_log_message_rid(struct dom_sid *sid, uint32_t rid)
- }
- }
-
-+static krb5_error_code check_logon_info_consistent(krb5_context context,
-+ TALLOC_CTX *memctx,
-+ krb5_const_principal client_princ,
-+ struct PAC_LOGON_INFO_CTR *info)
-+{
-+ krb5_error_code kerr = 0;
-+ struct ipadb_context *ipactx;
-+ bool result;
-+ krb5_db_entry *client_actual = NULL;
-+ struct ipadb_e_data *ied = NULL;
-+ int flags = 0;
-+#ifdef KRB5_KDB_FLAG_ALIAS_OK
-+ flags = KRB5_KDB_FLAG_ALIAS_OK;
-+#endif
-+
-+ ipactx = ipadb_get_context(context);
-+ if (!ipactx || !ipactx->mspac) {
-+ return KRB5_KDB_DBNOTINITED;
-+ }
-+
-+ /* check exact sid */
-+ result = dom_sid_check(&ipactx->mspac->domsid,
-+ info->info->info3.base.domain_sid, true);
-+ if (!result) {
-+ /* memctx is freed by the caller */
-+ char *sid = dom_sid_string(memctx, info->info->info3.base.domain_sid);
-+ char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
-+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
-+ "to local domain SID: local [%s], PAC [%s]",
-+ dom ? dom : "<failed to display>",
-+ sid ? sid : "<failed to display>");
-+ return KRB5KDC_ERR_POLICY;
-+ }
-+
-+ kerr = ipadb_get_principal(context, client_princ, flags, &client_actual);
-+ if (kerr != 0) {
-+ krb5_klog_syslog(LOG_ERR, "PAC issue: ipadb_get_principal failed.");
-+ return KRB5KDC_ERR_POLICY;
-+ }
-+
-+ ied = (struct ipadb_e_data *)client_actual->e_data;
-+ if (ied == NULL || ied->magic != IPA_E_DATA_MAGIC) {
-+ krb5_klog_syslog(LOG_ERR, "PAC issue: client e_data fetching failed.");
-+ kerr = EINVAL;
-+ goto done;
-+ }
-+
-+ if (!ied->has_sid || ied->sid == NULL) {
-+ /* Kerberos principal might have no SID associated in the DB entry.
-+ * If this is host or service, we'll associate RID -515 or -516 in PAC
-+ * depending on whether this is a domain member or domain controller
-+ * but since this is not recorded in the DB entry, we the check for
-+ * SID is not needed */
-+ goto done;
-+ }
-+
-+ result = dom_sid_check(ied->sid, info->info->info3.sids[0].sid, true);
-+ if (!result) {
-+ /* memctx is freed by the caller */
-+ char *local_sid = dom_sid_string(memctx, ied->sid);
-+ char *pac_sid = dom_sid_string(memctx, info->info->info3.sids[0].sid);
-+ krb5_klog_syslog(LOG_ERR, "PAC issue: client principal has a SID "
-+ "different from what PAC claims. "
-+ "local [%s] vs PAC [%s]",
-+ local_sid ? local_sid : "<failed to display>",
-+ pac_sid ? pac_sid : "<failed to display>");
-+ kerr = KRB5KDC_ERR_POLICY;
-+ goto done;
-+ }
-+
-+done:
-+ ipadb_free_principal(context, client_actual);
-+
-+ return kerr;
-+}
-+
- krb5_error_code filter_logon_info(krb5_context context,
- TALLOC_CTX *memctx,
- krb5_data realm,
-@@ -1631,12 +1707,14 @@ krb5_error_code filter_logon_info(krb5_context context,
-
-
- static krb5_error_code ipadb_check_logon_info(krb5_context context,
-- krb5_data origin_realm,
-+ krb5_const_principal client_princ,
-+ krb5_boolean is_cross_realm,
- krb5_data *pac_blob)
- {
- struct PAC_LOGON_INFO_CTR info;
- krb5_error_code kerr;
- TALLOC_CTX *tmpctx;
-+ krb5_data origin_realm = client_princ->realm;
-
- tmpctx = talloc_new(NULL);
- if (!tmpctx) {
-@@ -1648,6 +1726,13 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
- goto done;
- }
-
-+ if (!is_cross_realm) {
-+ /* For local realm case we need to check whether the PAC is for our user
-+ * but we don't need to process further */
-+ kerr = check_logon_info_consistent(context, tmpctx, client_princ, &info);
-+ goto done;
-+ }
-+
- kerr = filter_logon_info(context, tmpctx, origin_realm, &info);
- if (kerr) {
- goto done;
-@@ -1873,19 +1958,18 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
- goto done;
- }
-
-- /* Now that the PAC is verified augment it with additional info if
-- * it is coming from a different realm */
-- if (is_cross_realm) {
-- kerr = krb5_pac_get_buffer(context, old_pac,
-- KRB5_PAC_LOGON_INFO, &pac_blob);
-- if (kerr != 0) {
-- goto done;
-- }
-+ /* Now that the PAC is verified, do additional checks.
-+ * Augment it with additional info if it is coming from a different realm */
-+ kerr = krb5_pac_get_buffer(context, old_pac,
-+ KRB5_PAC_LOGON_INFO, &pac_blob);
-+ if (kerr != 0) {
-+ goto done;
-+ }
-
-- kerr = ipadb_check_logon_info(context, client_princ->realm, &pac_blob);
-- if (kerr != 0) {
-- goto done;
-- }
-+ kerr = ipadb_check_logon_info(context,
-+ client_princ, is_cross_realm, &pac_blob);
-+ if (kerr != 0) {
-+ goto done;
- }
- /* extract buffers and rebuilt pac from scratch so that when re-signing
- * with a different cksum type does not cause issues due to mismatching
---
-2.33.1
-
-
-From 8c05cd0ffe74b8ec7943b31571bc11400af54171 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Thu, 14 Oct 2021 11:28:02 +0300
-Subject: [PATCH 16/22] ipa-kdb: use entry DN to compare aliased entries in S4U
- operations
-
-When working with aliased entries, we need a reliable way to detect
-whether two principals reference the same database entry. This is
-important in S4U checks.
-
-Ideally, we should be using SIDs for these checks as S4U requires PAC
-record presence which cannot be issued without a SID associated with an
-entry. This is true for user principals and a number of host/service
-principals associated with Samba. Other service principals do not have
-SIDs because we do not allocate POSIX IDs to them in FreeIPA. When PAC
-is issued for these principals, they get SID of a domain computer or
-domain controller depending on their placement (IPA client or IPA
-server).
-
-Since 389-ds always returns unique entry DN for the same entry, rely on
-this value instead. We could have used ipaUniqueID but for Kerberos
-principals created through the KDB (kadmin/kdb5_util) we don't have
-ipaUniqueID in the entry.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-by: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_delegation.c | 36 +++++++++++++++++++++++++++-
- 1 file changed, 35 insertions(+), 1 deletion(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_delegation.c b/daemons/ipa-kdb/ipa_kdb_delegation.c
-index 5ae5e0d9d..bfa344b9f 100644
---- a/daemons/ipa-kdb/ipa_kdb_delegation.c
-+++ b/daemons/ipa-kdb/ipa_kdb_delegation.c
-@@ -21,6 +21,8 @@
- */
-
- #include "ipa_kdb.h"
-+#include <strings.h>
-+#include <unicase.h>
-
- static char *acl_attrs[] = {
- "objectClass",
-@@ -188,10 +190,41 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
- const krb5_db_entry *server,
- krb5_const_principal proxy)
- {
-- krb5_error_code kerr;
-+ krb5_error_code kerr, result;
- char *srv_principal = NULL;
-+ krb5_db_entry *proxy_entry = NULL;
-+ struct ipadb_e_data *ied_server, *ied_proxy;
- LDAPMessage *res = NULL;
-
-+ /* Handle the case where server == proxy, this is allowed in S4U*/
-+ kerr = ipadb_get_principal(kcontext, proxy,
-+ KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY,
-+ &proxy_entry);
-+ if (kerr) {
-+ goto done;
-+ }
-+
-+ ied_server = (struct ipadb_e_data *) server->e_data;
-+ ied_proxy = (struct ipadb_e_data *) proxy_entry->e_data;
-+
-+ /* If we have SIDs for both entries, compare SIDs */
-+ if ((ied_server->has_sid && ied_server->sid != NULL) &&
-+ (ied_proxy->has_sid && ied_proxy->sid != NULL)) {
-+
-+ if (dom_sid_check(ied_server->sid, ied_proxy->sid, true)) {
-+ kerr = 0;
-+ goto done;
-+ }
-+ }
-+
-+ /* Otherwise, compare entry DNs */
-+ kerr = ulc_casecmp(ied_server->entry_dn, strlen(ied_server->entry_dn),
-+ ied_proxy->entry_dn, strlen(ied_proxy->entry_dn),
-+ NULL, NULL, &result);
-+ if (kerr == 0 && result == 0) {
-+ goto done;
-+ }
-+
- kerr = krb5_unparse_name(kcontext, server->princ, &srv_principal);
- if (kerr) {
- goto done;
-@@ -208,6 +241,7 @@ krb5_error_code ipadb_check_allowed_to_delegate(krb5_context kcontext,
- }
-
- done:
-+ ipadb_free_principal(kcontext, proxy_entry);
- krb5_free_unparsed_name(kcontext, srv_principal);
- ldap_msgfree(res);
- return kerr;
---
-2.33.1
-
-
-From 07055573acf1af9d31a2a4da79f1eebc34b805fc Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Thu, 28 Oct 2021 11:01:08 +0300
-Subject: [PATCH 17/22] ipa-kdb: S4U2Proxy target should use a service name
- without realm
-
-According to new Samba Kerberos tests and [MS-SFU] 3.2.5.2.4
-'KDC Replies with Service Ticket', the target should not include the
-realm.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Pair-programmed-with: Andreas Schneider <asn@redhat.com>
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Signed-off-by: Andreas Schneider <asn@redhat.com>
-Reviewed-by: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 59b77f5d8..f729b9f2e 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -1847,7 +1847,10 @@ static krb5_error_code ipadb_add_transited_service(krb5_context context,
- krb5_free_data_contents(context, &pac_blob);
- memset(&pac_blob, 0, sizeof(krb5_data));
-
-- kerr = krb5_unparse_name(context, proxy->princ, &tmpstr);
-+ kerr = krb5_unparse_name_flags(context, proxy->princ,
-+ KRB5_PRINCIPAL_UNPARSE_NO_REALM |
-+ KRB5_PRINCIPAL_UNPARSE_DISPLAY,
-+ &tmpstr);
- if (kerr != 0) {
- goto done;
- }
---
-2.33.1
-
-
-From d6b97c1b869b511b381e166cc233a1fa7416a928 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sat, 30 Oct 2021 10:08:34 +0300
-Subject: [PATCH 18/22] ipa-kdb: add support for PAC_UPN_DNS_INFO_EX
-
-CVE-2020-25721 mitigation: KDC must provide the new HAS_SAM_NAME_AND_SID
-buffer with sAMAccountName and ObjectSID values associated with the
-principal.
-
-The mitigation only works if NDR library supports the
-PAC_UPN_DNS_INFO_EX buffer type. In case we cannot detect it at compile
-time, a warning will be displayed at configure stage.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-by: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 41 +++++++++++++++++++++++++++++++--
- server.m4 | 7 ++++++
- 2 files changed, 46 insertions(+), 2 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index f729b9f2e..75cb4f3b7 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -812,6 +812,25 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
- return ret;
- }
-
-+static krb5_error_code ipadb_get_sid_from_pac(TALLOC_CTX *ctx,
-+ struct PAC_LOGON_INFO *info,
-+ struct dom_sid *sid)
-+{
-+ struct dom_sid *client_sid = NULL;
-+ /* Construct SID from the PAC */
-+ if (info->info3.base.rid == 0) {
-+ client_sid = info->info3.sids[0].sid;
-+ } else {
-+ client_sid = dom_sid_dup(ctx, info->info3.base.domain_sid);
-+ if (!client_sid) {
-+ return ENOMEM;
-+ }
-+ sid_append_rid(client_sid, info->info3.base.rid);
-+ }
-+ *sid = *client_sid;
-+ return 0;
-+}
-+
- static krb5_error_code ipadb_get_pac(krb5_context kcontext,
- krb5_db_entry *client,
- unsigned int flags,
-@@ -830,6 +849,7 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
- enum ndr_err_code ndr_err;
- union PAC_INFO pac_upn;
- char *principal = NULL;
-+ struct dom_sid client_sid;
-
- /* When no client entry is there, we cannot generate MS-PAC */
- if (!client) {
-@@ -930,6 +950,18 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
- pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_CONSTRUCTED;
- }
-
-+ kerr = ipadb_get_sid_from_pac(tmpctx, pac_info.logon_info.info, &client_sid);
-+ if (kerr) {
-+ goto done;
-+ }
-+
-+#ifdef HAVE_PAC_UPN_DNS_INFO_EX
-+ /* Add samAccountName and a SID */
-+ pac_upn.upn_dns_info.flags |= PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID;
-+ pac_upn.upn_dns_info.ex.sam_name_and_sid.samaccountname = pac_info.logon_info.info->info3.base.account_name.string;
-+ pac_upn.upn_dns_info.ex.sam_name_and_sid.objectsid = &client_sid;
-+#endif
-+
- ndr_err = ndr_push_union_blob(&pac_data, tmpctx, &pac_upn,
- PAC_TYPE_UPN_DNS_INFO,
- (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
-@@ -1415,6 +1447,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- krb5_db_entry *client_actual = NULL;
- struct ipadb_e_data *ied = NULL;
- int flags = 0;
-+ struct dom_sid client_sid;
- #ifdef KRB5_KDB_FLAG_ALIAS_OK
- flags = KRB5_KDB_FLAG_ALIAS_OK;
- #endif
-@@ -1460,11 +1493,15 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- goto done;
- }
-
-- result = dom_sid_check(ied->sid, info->info->info3.sids[0].sid, true);
-+ kerr = ipadb_get_sid_from_pac(memctx, info->info, &client_sid);
-+ if (kerr) {
-+ goto done;
-+ }
-+ result = dom_sid_check(ied->sid, &client_sid, true);
- if (!result) {
- /* memctx is freed by the caller */
- char *local_sid = dom_sid_string(memctx, ied->sid);
-- char *pac_sid = dom_sid_string(memctx, info->info->info3.sids[0].sid);
-+ char *pac_sid = dom_sid_string(memctx, &client_sid);
- krb5_klog_syslog(LOG_ERR, "PAC issue: client principal has a SID "
- "different from what PAC claims. "
- "local [%s] vs PAC [%s]",
-diff --git a/server.m4 b/server.m4
-index 3a2c3ae33..65c82d25a 100644
---- a/server.m4
-+++ b/server.m4
-@@ -101,6 +101,13 @@ AC_CHECK_MEMBER(
- [AC_MSG_NOTICE([struct PAC_DOMAIN_GROUP_MEMBERSHIP is not available])],
- [[#include <ndr.h>
- #include <gen_ndr/krb5pac.h>]])
-+AC_CHECK_MEMBER(
-+ [struct PAC_UPN_DNS_INFO.ex],
-+ [AC_DEFINE([HAVE_PAC_UPN_DNS_INFO_EX], [1],
-+ [union PAC_UPN_DNS_INFO_EX is available.])],
-+ [AC_MSG_NOTICE([union PAC_UPN_DNS_INFO_EX is not available, account protection is not active])],
-+ [[#include <ndr.h>
-+ #include <gen_ndr/krb5pac.h>]])
-
- CFLAGS="$bck_cflags"
-
---
-2.33.1
-
-
-From 3e88bc63c919003a46fbf8d018d724bf00928c51 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sat, 30 Oct 2021 10:09:27 +0300
-Subject: [PATCH 19/22] ipa-kdb: add support for PAC_REQUESTER_SID buffer
-
-CVE-2020-25721 mitigation: KDC must provide the new PAC_REQUESTER_SID
-buffer with ObjectSID value associated with the requester's principal.
-
-The mitigation only works if NDR library supports the PAC_REQUESTER_SID
-buffer type. In case we cannot detect it at compile time, a warning will
-be displayed at configure stage.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-by: Rob Crittenden <rcritten@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 131 +++++++++++++++++++++++++++++++-
- server.m4 | 7 ++
- 2 files changed, 134 insertions(+), 4 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 75cb4f3b7..ca6daccf1 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -812,6 +812,55 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
- return ret;
- }
-
-+#ifdef HAVE_PAC_REQUESTER_SID
-+static krb5_error_code ipadb_get_requester_sid(krb5_context context,
-+ krb5_pac pac,
-+ struct dom_sid *sid)
-+{
-+ enum ndr_err_code ndr_err;
-+ krb5_error_code ret;
-+ DATA_BLOB pac_requester_sid_in;
-+ krb5_data k5pac_requester_sid_in;
-+ union PAC_INFO info;
-+ TALLOC_CTX *tmp_ctx;
-+ struct ipadb_context *ipactx;
-+
-+ ipactx = ipadb_get_context(context);
-+ if (!ipactx) {
-+ return KRB5_KDB_DBNOTINITED;
-+ }
-+
-+ tmp_ctx = talloc_new(NULL);
-+ if (tmp_ctx == NULL) {
-+ return ENOMEM;
-+ }
-+
-+ ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_REQUESTER_SID,
-+ &k5pac_requester_sid_in);
-+ if (ret != 0) {
-+ talloc_free(tmp_ctx);
-+ return ret;
-+ }
-+
-+ pac_requester_sid_in = data_blob_const(k5pac_requester_sid_in.data,
-+ k5pac_requester_sid_in.length);
-+
-+ ndr_err = ndr_pull_union_blob(&pac_requester_sid_in, tmp_ctx, &info,
-+ PAC_TYPE_REQUESTER_SID,
-+ (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
-+ krb5_free_data_contents(context, &k5pac_requester_sid_in);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ talloc_free(tmp_ctx);
-+ return EINVAL;
-+ }
-+
-+ *sid = info.requester_sid.sid;
-+
-+ talloc_free(tmp_ctx);
-+ return 0;
-+}
-+#endif
-+
- static krb5_error_code ipadb_get_sid_from_pac(TALLOC_CTX *ctx,
- struct PAC_LOGON_INFO *info,
- struct dom_sid *sid)
-@@ -976,6 +1025,33 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
-
- kerr = krb5_pac_add_buffer(kcontext, *pac, KRB5_PAC_UPN_DNS_INFO, &data);
-
-+#ifdef HAVE_PAC_REQUESTER_SID
-+ {
-+ union PAC_INFO pac_requester_sid;
-+ /* == Package PAC_REQUESTER_SID == */
-+ memset(&pac_requester_sid, 0, sizeof(pac_requester_sid));
-+
-+ pac_requester_sid.requester_sid.sid = client_sid;
-+
-+ ndr_err = ndr_push_union_blob(&pac_data, tmpctx, &pac_requester_sid,
-+ PAC_TYPE_REQUESTER_SID,
-+ (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ kerr = KRB5_KDB_INTERNAL_ERROR;
-+ goto done;
-+ }
-+
-+ data.magic = KV5M_DATA;
-+ data.data = (char *)pac_data.data;
-+ data.length = pac_data.length;
-+
-+ kerr = krb5_pac_add_buffer(kcontext, *pac, PAC_TYPE_REQUESTER_SID, &data);
-+ if (kerr) {
-+ goto done;
-+ }
-+ }
-+#endif
-+
- done:
- ldap_msgfree(results);
- talloc_free(tmpctx);
-@@ -1457,7 +1533,19 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- return KRB5_KDB_DBNOTINITED;
- }
-
-- /* check exact sid */
-+ /* We are asked to verify the PAC for our own principal,
-+ * check that our own view on the PAC details is up to date */
-+ if (ipactx->mspac->domsid.num_auths == 0) {
-+ /* Force re-init of KDB's view on our domain */
-+ kerr = ipadb_reinit_mspac(ipactx, true);
-+ if (kerr != 0) {
-+ krb5_klog_syslog(LOG_ERR,
-+ "PAC issue: unable to update realm's view on PAC info");
-+ return KRB5KDC_ERR_POLICY;
-+ }
-+ }
-+
-+ /* check exact domain SID */
- result = dom_sid_check(&ipactx->mspac->domsid,
- info->info->info3.base.domain_sid, true);
- if (!result) {
-@@ -1466,7 +1554,7 @@ static krb5_error_code check_logon_info_consistent(krb5_context context,
- char *dom = dom_sid_string(memctx, &ipactx->mspac->domsid);
- krb5_klog_syslog(LOG_ERR, "PAC issue: PAC record claims domain SID different "
- "to local domain SID: local [%s], PAC [%s]",
-- dom ? dom : "<failed to display>",
-+ dom ? dom : "<failed to display>",
- sid ? sid : "<failed to display>");
- return KRB5KDC_ERR_POLICY;
- }
-@@ -1746,12 +1834,14 @@ krb5_error_code filter_logon_info(krb5_context context,
- static krb5_error_code ipadb_check_logon_info(krb5_context context,
- krb5_const_principal client_princ,
- krb5_boolean is_cross_realm,
-- krb5_data *pac_blob)
-+ krb5_data *pac_blob,
-+ struct dom_sid *requester_sid)
- {
- struct PAC_LOGON_INFO_CTR info;
- krb5_error_code kerr;
- TALLOC_CTX *tmpctx;
- krb5_data origin_realm = client_princ->realm;
-+ bool result;
-
- tmpctx = talloc_new(NULL);
- if (!tmpctx) {
-@@ -1763,6 +1853,28 @@ static krb5_error_code ipadb_check_logon_info(krb5_context context,
- goto done;
- }
-
-+ /* Check that requester SID is the same as in the PAC entry */
-+ if (requester_sid != NULL) {
-+ struct dom_sid client_sid;
-+ kerr = ipadb_get_sid_from_pac(tmpctx, info.info, &client_sid);
-+ if (kerr) {
-+ goto done;
-+ }
-+ result = dom_sid_check(&client_sid, requester_sid, true);
-+ if (!result) {
-+ /* memctx is freed by the caller */
-+ char *pac_sid = dom_sid_string(tmpctx, &client_sid);
-+ char *req_sid = dom_sid_string(tmpctx, requester_sid);
-+ krb5_klog_syslog(LOG_ERR, "PAC issue: PAC has a SID "
-+ "different from what PAC requester claims. "
-+ "PAC [%s] vs PAC requester [%s]",
-+ pac_sid ? pac_sid : "<failed to display>",
-+ req_sid ? req_sid : "<failed to display>");
-+ kerr = KRB5KDC_ERR_POLICY;
-+ goto done;
-+ }
-+ }
-+
- if (!is_cross_realm) {
- /* For local realm case we need to check whether the PAC is for our user
- * but we don't need to process further */
-@@ -1962,6 +2074,8 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
- krb5_data pac_blob = { 0 , 0, NULL};
- bool is_cross_realm = false;
- size_t i;
-+ struct dom_sid *requester_sid = NULL;
-+ struct dom_sid req_sid;
-
- kerr = krb5_pac_parse(context,
- authdata[0]->contents,
-@@ -2006,8 +2120,17 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
- goto done;
- }
-
-+ memset(&req_sid, '\0', sizeof(struct dom_sid));
-+#ifdef HAVE_PAC_REQUESTER_SID
-+ kerr = ipadb_get_requester_sid(context, old_pac, &req_sid);
-+ if (kerr == 0) {
-+ requester_sid = &req_sid;
-+ }
-+#endif
-+
- kerr = ipadb_check_logon_info(context,
-- client_princ, is_cross_realm, &pac_blob);
-+ client_princ, is_cross_realm, &pac_blob,
-+ requester_sid);
- if (kerr != 0) {
- goto done;
- }
-diff --git a/server.m4 b/server.m4
-index 65c82d25a..648423dd4 100644
---- a/server.m4
-+++ b/server.m4
-@@ -109,6 +109,13 @@ AC_CHECK_MEMBER(
- [[#include <ndr.h>
- #include <gen_ndr/krb5pac.h>]])
-
-+AC_CHECK_MEMBER(
-+ [struct PAC_REQUESTER_SID.sid],
-+ [AC_DEFINE([HAVE_PAC_REQUESTER_SID], [1],
-+ [struct PAC_REQUESTER_SID is available.])],
-+ [AC_MSG_NOTICE([struct PAC_REQUESTER_SID is not available, account protection is not active])],
-+ [[#include <ndr.h>
-+ #include <gen_ndr/krb5pac.h>]])
- CFLAGS="$bck_cflags"
-
- LIBPDB_NAME=""
---
-2.33.1
-
-
-From 8a088fd0824d73e43b8ca56c04c5899f77619db9 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sat, 30 Oct 2021 09:10:09 +0300
-Subject: [PATCH 20/22] ipa-kdb: add PAC_ATTRIBUTES_INFO PAC buffer support
-
-PAC_ATTRIBUTES_INFO PAC buffer allows both client and KDC to tell
-whether a PAC structure was requested by the client or it was provided
-by the KDC implicitly. Kerberos service then can continue processing or
-deny access in case client explicitly requested to operate without PAC.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
----
- daemons/ipa-kdb/Makefile.am | 2 +
- daemons/ipa-kdb/ipa_kdb_mspac.c | 143 ++++++++++++++++++++++++++++++++
- server.m4 | 8 ++
- 3 files changed, 153 insertions(+)
-
-diff --git a/daemons/ipa-kdb/Makefile.am b/daemons/ipa-kdb/Makefile.am
-index 14c0546e0..5775d4086 100644
---- a/daemons/ipa-kdb/Makefile.am
-+++ b/daemons/ipa-kdb/Makefile.am
-@@ -61,6 +61,7 @@ ipadb_la_LIBADD = \
- $(UNISTRING_LIBS) \
- $(SSSCERTMAP_LIBS) \
- $(top_builddir)/util/libutil.la \
-+ -lsamba-errors \
- $(NULL)
-
- if HAVE_CMOCKA
-@@ -104,6 +105,7 @@ ipa_kdb_tests_LDADD = \
- -lkdb5 \
- -lsss_idmap \
- -lsamba-security-samba4 \
-+ -lsamba-errors \
- $(NULL)
-
- appdir = $(libexecdir)/ipa
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index ca6daccf1..8a77a3538 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -880,6 +880,87 @@ static krb5_error_code ipadb_get_sid_from_pac(TALLOC_CTX *ctx,
- return 0;
- }
-
-+#ifdef HAVE_PAC_ATTRIBUTES_INFO
-+static krb5_error_code ipadb_client_requested_pac(krb5_context context,
-+ krb5_pac pac,
-+ TALLOC_CTX *mem_ctx,
-+ krb5_boolean *requested_pac)
-+{
-+ enum ndr_err_code ndr_err;
-+ krb5_data k5pac_attrs_in;
-+ DATA_BLOB pac_attrs_in;
-+ union PAC_INFO pac_attrs;
-+ krb5_error_code ret;
-+
-+ *requested_pac = true;
-+
-+ ret = krb5_pac_get_buffer(context, pac, PAC_TYPE_ATTRIBUTES_INFO,
-+ &k5pac_attrs_in);
-+ if (ret != 0) {
-+ return ret == ENOENT ? 0 : ret;
-+ }
-+
-+ pac_attrs_in = data_blob_const(k5pac_attrs_in.data,
-+ k5pac_attrs_in.length);
-+
-+ ndr_err = ndr_pull_union_blob(&pac_attrs_in, mem_ctx, &pac_attrs,
-+ PAC_TYPE_ATTRIBUTES_INFO,
-+ (ndr_pull_flags_fn_t)ndr_pull_PAC_INFO);
-+ krb5_free_data_contents(context, &k5pac_attrs_in);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
-+ krb5_klog_syslog(LOG_ERR, "can't parse the PAC ATTRIBUTES_INFO: %s\n",
-+ nt_errstr(nt_status));
-+ return KRB5_KDB_INTERNAL_ERROR;
-+ }
-+
-+ if (pac_attrs.attributes_info.flags & (PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY
-+ | PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED)) {
-+ *requested_pac = true;
-+ } else {
-+ *requested_pac = false;
-+ }
-+
-+ return 0;
-+}
-+
-+static krb5_error_code ipadb_get_pac_attrs_blob(TALLOC_CTX *mem_ctx,
-+ const krb5_boolean *pac_request,
-+ DATA_BLOB *pac_attrs_data)
-+{
-+ union PAC_INFO pac_attrs;
-+ enum ndr_err_code ndr_err;
-+
-+ memset(&pac_attrs, 0, sizeof(pac_attrs));
-+
-+ *pac_attrs_data = data_blob_null;
-+
-+ /* Set the length of the flags in bits. */
-+ pac_attrs.attributes_info.flags_length = 2;
-+
-+ if (pac_request == NULL) {
-+ pac_attrs.attributes_info.flags
-+ |= PAC_ATTRIBUTE_FLAG_PAC_WAS_GIVEN_IMPLICITLY;
-+ } else if (*pac_request) {
-+ pac_attrs.attributes_info.flags
-+ |= PAC_ATTRIBUTE_FLAG_PAC_WAS_REQUESTED;
-+ }
-+
-+ ndr_err = ndr_push_union_blob(pac_attrs_data, mem_ctx, &pac_attrs,
-+ PAC_TYPE_ATTRIBUTES_INFO,
-+ (ndr_push_flags_fn_t)ndr_push_PAC_INFO);
-+ if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
-+ NTSTATUS nt_status = ndr_map_error2ntstatus(ndr_err);
-+ krb5_klog_syslog(LOG_ERR, "can't create PAC ATTRIBUTES_INFO: %s\n",
-+ nt_errstr(nt_status));
-+ return KRB5_KDB_INTERNAL_ERROR;
-+ }
-+
-+ return 0;
-+}
-+
-+#endif
-+
- static krb5_error_code ipadb_get_pac(krb5_context kcontext,
- krb5_db_entry *client,
- unsigned int flags,
-@@ -1025,6 +1106,26 @@ static krb5_error_code ipadb_get_pac(krb5_context kcontext,
-
- kerr = krb5_pac_add_buffer(kcontext, *pac, KRB5_PAC_UPN_DNS_INFO, &data);
-
-+#ifdef HAVE_PAC_ATTRIBUTES_INFO
-+ /* == Add implicit PAC type attributes info as we always try to generate PAC == */
-+ {
-+ DATA_BLOB pac_attrs_data;
-+
-+ kerr = ipadb_get_pac_attrs_blob(tmpctx, NULL, &pac_attrs_data);
-+ if (kerr) {
-+ goto done;
-+ }
-+ data.magic = KV5M_DATA;
-+ data.data = (char *)pac_attrs_data.data;
-+ data.length = pac_attrs_data.length;
-+
-+ kerr = krb5_pac_add_buffer(kcontext, *pac, PAC_TYPE_ATTRIBUTES_INFO, &data);
-+ if (kerr) {
-+ goto done;
-+ }
-+ }
-+#endif
-+
- #ifdef HAVE_PAC_REQUESTER_SID
- {
- union PAC_INFO pac_requester_sid;
-@@ -2165,6 +2266,48 @@ static krb5_error_code ipadb_verify_pac(krb5_context context,
- continue;
- }
-
-+#ifdef HAVE_PAC_ATTRIBUTES_INFO
-+ if (types[i] == PAC_TYPE_ATTRIBUTES_INFO &&
-+ pac_blob.length != 0) {
-+ /* == Check whether PAC was requested or given implicitly == */
-+ DATA_BLOB pac_attrs_data;
-+ krb5_boolean pac_requested;
-+
-+ TALLOC_CTX *tmpctx = talloc_new(NULL);
-+ if (tmpctx == NULL) {
-+ kerr = ENOMEM;
-+ krb5_pac_free(context, new_pac);
-+ goto done;
-+ }
-+
-+ kerr = ipadb_client_requested_pac(context, old_pac, tmpctx, &pac_requested);
-+ if (kerr != 0) {
-+ talloc_free(tmpctx);
-+ krb5_pac_free(context, new_pac);
-+ goto done;
-+ }
-+
-+ kerr = ipadb_get_pac_attrs_blob(tmpctx, &pac_requested, &pac_attrs_data);
-+ if (kerr) {
-+ talloc_free(tmpctx);
-+ krb5_pac_free(context, new_pac);
-+ goto done;
-+ }
-+ data.magic = KV5M_DATA;
-+ data.data = (char *)pac_attrs_data.data;
-+ data.length = pac_attrs_data.length;
-+
-+ kerr = krb5_pac_add_buffer(context, new_pac, PAC_TYPE_ATTRIBUTES_INFO, &data);
-+ if (kerr) {
-+ talloc_free(tmpctx);
-+ krb5_pac_free(context, new_pac);
-+ goto done;
-+ }
-+
-+ continue;
-+ }
-+#endif
-+
- if (types[i] == KRB5_PAC_DELEGATION_INFO &&
- (flags & KRB5_KDB_FLAG_CONSTRAINED_DELEGATION)) {
- /* skip it here, we will add it explicitly later */
-diff --git a/server.m4 b/server.m4
-index 648423dd4..5a14af06a 100644
---- a/server.m4
-+++ b/server.m4
-@@ -116,6 +116,14 @@ AC_CHECK_MEMBER(
- [AC_MSG_NOTICE([struct PAC_REQUESTER_SID is not available, account protection is not active])],
- [[#include <ndr.h>
- #include <gen_ndr/krb5pac.h>]])
-+
-+AC_CHECK_MEMBER(
-+ [struct PAC_ATTRIBUTES_INFO.flags],
-+ [AC_DEFINE([HAVE_PAC_ATTRIBUTES_INFO], [1],
-+ [struct PAC_ATTRIBUTES_INFO is available.])],
-+ [AC_MSG_NOTICE([struct PAC_ATTRIBUTES_INFO is not available, account protection is not active])],
-+ [[#include <ndr.h>
-+ #include <gen_ndr/krb5pac.h>]])
- CFLAGS="$bck_cflags"
-
- LIBPDB_NAME=""
---
-2.33.1
-
-
-From 5e0fe9bff0ad2786f37a718c8b25b85836c8ff82 Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Fri, 29 Oct 2021 22:30:53 +0300
-Subject: [PATCH 21/22] ipa-kdb: Use proper account flags for Kerberos
- principal in PAC
-
-As part of CVE-2020-25717 mitigations, Samba expects correct user
-account flags in the PAC. This means for services and host principals we
-should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
-run on IPA clients ("workstation" or "domain member") or IPA servers
-("domain controller").
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
----
- daemons/ipa-kdb/ipa_kdb_mspac.c | 19 +++++++++++++++----
- 1 file changed, 15 insertions(+), 4 deletions(-)
-
-diff --git a/daemons/ipa-kdb/ipa_kdb_mspac.c b/daemons/ipa-kdb/ipa_kdb_mspac.c
-index 8a77a3538..0e0ee3616 100644
---- a/daemons/ipa-kdb/ipa_kdb_mspac.c
-+++ b/daemons/ipa-kdb/ipa_kdb_mspac.c
-@@ -648,6 +648,11 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
- info3->base.logon_count = 0; /* we do not have this info yet */
- info3->base.bad_password_count = 0; /* we do not have this info yet */
-
-+ /* Use AES keys by default to detect changes.
-+ * This bit is not used by Windows clients and servers so we can
-+ * clear it after detecting the changes */
-+ info3->base.acct_flags = ACB_USE_AES_KEYS;
-+
- if ((is_host || is_service)) {
- /* it is either host or service, so get the hostname first */
- char *sep = strchr(info3->base.account_name.string, '/');
-@@ -655,11 +660,13 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
- ipactx,
- sep ? sep + 1 : info3->base.account_name.string);
- if (is_master) {
-- /* Well know RID of domain controllers group */
-+ /* Well known RID of domain controllers group */
- info3->base.rid = 516;
-+ info3->base.acct_flags |= ACB_SVRTRUST;
- } else {
-- /* Well know RID of domain computers group */
-+ /* Well known RID of domain computers group */
- info3->base.rid = 515;
-+ info3->base.acct_flags |= ACB_WSTRUST;
- }
- } else {
- ret = ipadb_ldap_attr_to_str(ipactx->lcontext, lentry,
-@@ -799,9 +806,13 @@ static krb5_error_code ipadb_fill_info3(struct ipadb_context *ipactx,
- /* always zero out, not used for Krb, only NTLM */
- memset(&info3->base.LMSessKey, '\0', sizeof(info3->base.LMSessKey));
-
-- /* TODO: fill based on objectclass, user vs computer, etc... */
-- info3->base.acct_flags = ACB_NORMAL; /* samr_AcctFlags */
-+ /* If account type was not set before, default to ACB_NORMAL */
-+ if (!(info3->base.acct_flags & ~ACB_USE_AES_KEYS)) {
-+ info3->base.acct_flags |= ACB_NORMAL; /* samr_AcctFlags */
-+ }
-
-+ /* Clear ACB_USE_AES_KEYS as it is not used by Windows */
-+ info3->base.acct_flags &= ~ACB_USE_AES_KEYS;
- info3->base.sub_auth_status = 0;
- info3->base.last_successful_logon = 0;
- info3->base.last_failed_logon = 0;
---
-2.33.1
-
-
-From dae8997fc6ffd2ee7af35209c2876586408a2cde Mon Sep 17 00:00:00 2001
-From: Alexander Bokovoy <abokovoy@redhat.com>
-Date: Sat, 30 Oct 2021 10:49:37 +0300
-Subject: [PATCH 22/22] SMB: switch IPA domain controller role
-
-As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
-PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
-operations. This is the role that IPA domain controller was using for
-its hybrid NT4/AD-like operation.
-
-Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
-Samba. Switch to this role for new installations and during the upgrade
-of servers running ADTRUST role.
-
-Fixes: https://pagure.io/freeipa/issue/9031
-
-Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
-Reviewed-by: Rob Crittenden <rcritten@redhat.com>
----
- install/share/smb.conf.registry.template | 2 +-
- ipaserver/install/adtrustinstance.py | 14 +++++++++++++-
- ipaserver/install/server/upgrade.py | 15 +++++++++++++++
- 3 files changed, 29 insertions(+), 2 deletions(-)
-
-diff --git a/install/share/smb.conf.registry.template b/install/share/smb.conf.registry.template
-index c55a0c307..1d1d12161 100644
---- a/install/share/smb.conf.registry.template
-+++ b/install/share/smb.conf.registry.template
-@@ -5,7 +5,7 @@ realm = $REALM
- kerberos method = dedicated keytab
- dedicated keytab file = /etc/samba/samba.keytab
- create krb5 conf = no
--server role = CLASSIC PRIMARY DOMAIN CONTROLLER
-+server role = $SERVER_ROLE
- security = user
- domain master = yes
- domain logons = yes
-diff --git a/ipaserver/install/adtrustinstance.py b/ipaserver/install/adtrustinstance.py
-index 776e7e587..ba794f5f1 100644
---- a/ipaserver/install/adtrustinstance.py
-+++ b/ipaserver/install/adtrustinstance.py
-@@ -146,6 +146,8 @@ class ADTRUSTInstance(service.Service):
- OBJC_GROUP = "ipaNTGroupAttrs"
- OBJC_DOMAIN = "ipaNTDomainAttrs"
- FALLBACK_GROUP_NAME = u'Default SMB Group'
-+ SERVER_ROLE_OLD = "CLASSIC PRIMARY DOMAIN CONTROLLER"
-+ SERVER_ROLE_NEW = "IPA PRIMARY DOMAIN CONTROLLER"
-
- def __init__(self, fstore=None, fulltrust=True):
- self.netbios_name = None
-@@ -555,7 +557,16 @@ class ADTRUSTInstance(service.Service):
- with tempfile.NamedTemporaryFile(mode='w') as tmp_conf:
- tmp_conf.write(conf)
- tmp_conf.flush()
-- ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
-+ try:
-+ ipautil.run([paths.NET, "conf", "import", tmp_conf.name])
-+ except ipautil.CalledProcessError as e:
-+ if e.returncode == 255:
-+ # We have old Samba that doesn't support IPA DC server role
-+ # re-try again with the older variant, upgrade code will
-+ # take care to change the role later when Samba is upgraded
-+ # as well.
-+ self.sub_dict['SERVER_ROLE'] = self.SERVER_ROLE_OLD
-+ self.__write_smb_registry()
-
- def __map_Guests_to_nobody(self):
- map_Guests_to_nobody()
-@@ -757,6 +768,7 @@ class ADTRUSTInstance(service.Service):
- LDAPI_SOCKET=self.ldapi_socket,
- FQDN=self.fqdn,
- SAMBA_DIR=paths.SAMBA_DIR,
-+ SERVER_ROLE=self.SERVER_ROLE_NEW,
- )
-
- def setup(self, fqdn, realm_name, netbios_name,
-diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
-index 75bf26b8e..f8a32d468 100644
---- a/ipaserver/install/server/upgrade.py
-+++ b/ipaserver/install/server/upgrade.py
-@@ -358,6 +358,21 @@ def upgrade_adtrust_config():
- else:
- logger.warning("Error updating Samba registry: %s", e)
-
-+ logger.info("[Change 'server role' from "
-+ "'CLASSIC PRIMARY DOMAIN CONTROLLER' "
-+ "to 'IPA PRIMARY DOMAIN CONTROLLER' in Samba configuration]")
-+
-+ args = [paths.NET, "conf", "setparm", "global",
-+ "server role", "IPA PRIMARY DOMAIN CONTROLLER"]
-+
-+ try:
-+ ipautil.run(args)
-+ except ipautil.CalledProcessError as e:
-+ # Only report an error if return code is not 255
-+ # which indicates that the new server role is not supported
-+ # and we don't need to do anything
-+ if e.returncode != 255:
-+ logger.warning("Error updating Samba registry: %s", e)
-
- def ca_configure_profiles_acl(ca):
- logger.info('[Authorizing RA Agent to modify profiles]')
---
-2.33.1
-
diff --git a/SOURCES/freeipa-4.9.6.tar.gz.asc b/SOURCES/freeipa-4.9.6.tar.gz.asc
deleted file mode 100644
index f71d351..0000000
--- a/SOURCES/freeipa-4.9.6.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEEhAodHH8+xLL+UwQ1RxniuKu/YhoFAmDbPRQACgkQRxniuKu/
-Yhr7uBAAnpF70nH8Cn/HhKKpfafPoN3B9fDNIfAa+jsJ52OyeNMKVNi4MEob32iN
-1aMGGFCJUMle/M7v1+w8WH59eiHs1jKHcFZnl2R4Ap5SxVtypYT+ewXbNnSHII2w
-qWS5PvLkJwjh6Bw/HlyBwDRSrw9Yah4oZZbJt3zE06+Imr8BpB3IWqyhuAi7FjYO
-J9hHCwCvtJvWK4yplZSXCt8OS1JA68/Djgjecm5lUSamuqKaBVhDb+ZAPLDJpBf5
-Pz2JpUF/W/rplt+Q9wAFdhDB9iC0vd3MBkgs4KPsjuyS9+GGNu8LyXs0C1Wm/VgX
-liX2pjZmpnTrhH3QQ2nufwH784ZpinXxS2fcbvCfX1Utgr77wNHjwqDt2NBffJl1
-BM7JJr1ZwGOGSki6yjRDXbeSAsiEX9l7f2mv2t/8ZjHMRJ7mJmBbmh5Qhk5qsMou
-BptNDE20cG77xcjBtTCDpii/UatETuNAyMd/l2smfe76z8y61fQrvScxRwOCHckw
-u/ERChpBZOUlQt59Efj3ja313oXZMxXRw01n/72Hh5rnk+XZf75zQ1zUDBYnwzAr
-4cdqyrfpFkQu1sRQvgjT8ZLkP8istjRdVEI/Oj61zb5+6+scQ/Zh/R/mYGCV4/h+
-RzojBwUAXuwUMrj1jTbb5Lkz58+vY3Lk4xNOY2hSAc8rCcDVRZY=
-=TQFs
------END PGP SIGNATURE-----
diff --git a/SOURCES/freeipa-4.9.8.tar.gz.asc b/SOURCES/freeipa-4.9.8.tar.gz.asc
new file mode 100644
index 0000000..c14420c
--- /dev/null
+++ b/SOURCES/freeipa-4.9.8.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEE11Z2TU1+KXxtrRFyaYdvcqbi008FAmGf1XcACgkQaYdvcqbi
+00/kMQ//Vano94V0/L3YsLaqKiFcGo/py5pTq1Os3wB9zzCYSuU0P/eajuHLBYNe
+MfxecZihFFlmUdNooNWbewT4CE0ey1qFLwPfGXuLrse6fXVLLaYnAv2mkPUmDSpM
+XfXO0PFU0BtdkMAUsdUATngPCpQzYjVUKsAMwPovi3UcLzFZ8tWJKMA55urhwC4q
+E042wPLqzcX6Ee5JBSBkfNe35vG2LY7o3Ynh8SVCee2lBJvdWiuFT5XRhybXUsOp
+q3eTsVPz68p7CvOrjlLSsWPP0nbGF1O1UQsN+oaDZAav1Nx8lTOlxUCUQXWbs2X6
+BTUAOmZ6VjYu61sNgNSj+BSHlHIT3uRJ55JO5nLH/hLm0Oxn6SGRTVMueqV376QA
+CsIk7UrdcX9QUtu70eRxuu1aAWJ5eaF4GDWnFP+62wzd/d6LjWEE+9kXgvrcTF0C
+UzjWrmbI8x23bB4kqcROHz8lryMsBpZ94QKPHVppMiPgapDKRkculYkSeRLboADi
+q4mh2prkDSq9diWV4HvZTGwPU77oiLrQsvbGuvwD62PAlyQ4rZpfW3FllTL2Lcxy
+urA8a9UnQWQtDOsZIyxmMJ7R04gjI5fZfDhq6S09L9MfjFEKjsqO4FzXamj+SbAo
+w25sIp1qT0sV1vOt+/R/HYSIyggQyTZpQJu5UB34QLqpfDdUwFg=
+=t9up
+-----END PGP SIGNATURE-----
diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec
index 9c7f181..c2fd678 100644
--- a/SPECS/ipa.spec
+++ b/SPECS/ipa.spec
@@ -68,8 +68,8 @@
%global krb5_kdb_version 8.0
# 0.7.16: https://github.com/drkjam/netaddr/issues/71
%global python_netaddr_version 0.7.19
-# Require 4.14.5-6 which brings CVE-2020-25717 fixes in RHEL 8.5.z
-%global samba_version 4.14.5-6
+# Require 4.14.5-13 which brings CVE-2020-25717 fixes
+%global samba_version 4.14.5-13
%global selinux_policy_version 3.14.3-52
%global slapi_nis_version 0.56.4
%global python_ldap_version 3.1.0-1
@@ -178,7 +178,7 @@
# Work-around fact that RPM SPEC parser does not accept
# "Version: @VERSION@" in freeipa.spec.in used for Autoconf string replacement
-%define IPA_VERSION 4.9.6
+%define IPA_VERSION 4.9.8
# Release candidate version -- uncomment with one percent for RC versions
#%%global rc_version %%nil
%define AT_SIGN @
@@ -191,7 +191,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
-Release: 12%{?rc_version:.%rc_version}%{?dist}
+Release: 6%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPLv3+
@@ -211,30 +211,23 @@ Source1: https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
# RHEL spec file only: START
%if %{NON_DEVELOPER_BUILD}
%if 0%{?rhel} >= 8
-Patch0001: 0001-rpcserver.py-perf_counter_ns-is-Python-3.7_rhbz#1974822.patch
-Patch0002: 0002-Add-checks-to-prevent-adding-auth-indicators-to-inte_rhbz#1979625.patch
-Patch0003: 0003-stageuser-add-ipauserauthtypeclass-when-required_rhbz#1979605.patch
-Patch0004: 0004-man-page-update-ipa-server-upgrade.1_rhbz#1973273.patch
-Patch0005: 0005-Fall-back-to-krbprincipalname-when-validating-host-a_rhbz#1979625.patch
-Patch0006: 0006-rhel-platform-add-a-named-crypto-policy-support_rhbz#1982956.patch
-Patch0007: 0007-Catch-and-log-errors-when-adding-CA-profiles_rhbz#1999142.patch
-Patch0008: 0008-selinux-policy-allow-custodia-to-access-proc-cpuinfo_rhbz#1998129.patch
-Patch0009: 0009-extdom-return-LDAP_NO_SUCH_OBJECT-if-domains-differ_rhbz#2000263.patch
-Patch0010: 0010-migrate-ds-workaround-to-detect-compat-tree_rhbz#1999992.patch
-Patch0011: 0011-Test-ldapsearch-with-base-scope-works-with-_rhbz#2000553.patch
-Patch0012: 0012-ipatests-Test-unsecure-nsupdate_rhbz#2000553.patch
-Patch0013: 0013-Don-t-store-entries-with-a-usercertificate-in-the-LD_rhbz#1999893.patch
-Patch0014: 0014-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2062404.patch
-Patch0015: 0015-uninstall-remove-tdb-files_rhbz#2065719.patch
+Patch0001: 0001-Revert-freeipa.spec-depend-on-bind-dnssec-utils.patch
+Patch0002: 0002-Config-plugin-return-EmptyModlist-when-no-change-is-applied_rhbz#2031825.patch
+Patch0003: 0003-Custodia-use-a-stronger-encryption-algo-when-exporting-keys_rhbz#2032806.patch
+Patch0004: 0004-ipa-kdb-do-not-remove-keys-for-hardened-auth-enabled-users_rhbz#2033342.patch
+Patch0005: 0005-ipa-pki-proxy.conf-provide-access-to-kra-admin-kra-getStatus_rhbz#2049167.patch
+Patch0006: 0006-Backport-latest-test-fxes-in-python3-ipatests_rhbz#2048509.patch
+Patch0007: 0007-Don-t-always-override-the-port-in-import_included_profiles_rhbz#2022483.patch
+Patch0008: 0008-Remove-ipa-join-errors-from-behind-the-debug-option_rhbz#2048558.patch
+Patch0009: 0009-Enable-the-ccache-sweep-timer-during-installation_rhbz#2051575.patch
+Patch0010: 0010-ipatests-remove-additional-check-for-failed-units_rhbz#2053024.patch
+Patch0011: 0011-ipa_cldap-fix-memory-leak_rhbz#2032738.patch
+Patch0012: 0012-ipatests-fix-TestOTPToken-test_check_otpd_after_idle_timeout_rhbz#2053024.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
# RHEL spec file only: END
-# SID hardening patches
-Patch1100: freeipa-4.9.6-bf.patch
-Patch1101: freeipa-4.9.6-bf-2.patch
-Patch1102: freeipa-4.9.6-bf-3.patch
-
+Patch1101: 1101-Harden-FreeIPA-KDC-processing-of-PAC-buffers-20211130.patch
# For the timestamp trick in patch application
BuildRequires: diffstat
@@ -1379,6 +1372,7 @@ fi
%{_libexecdir}/ipa/ipa-pki-wait-running
%{_libexecdir}/ipa/ipa-otpd
%{_libexecdir}/ipa/ipa-print-pac
+%{_libexecdir}/ipa/ipa-subids
%dir %{_libexecdir}/ipa/custodia
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-dmldap
%attr(755,root,root) %{_libexecdir}/ipa/custodia/ipa-custodia-pki-tomcat
@@ -1719,46 +1713,71 @@ fi
%changelog
-* Fri Mar 18 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-12
-- ipa-server-install uninstall: remove tdb files
-- ipa-client-samba uninstall: remove tdb files
- Resolves: RHBZ#2065719
+* Mon Feb 14 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-6
+- ipatests: fix TestOTPToken::test_check_otpd_after_idle_timeout
+ Related: RHBZ#2053024
+
+* Mon Feb 14 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-5
+- ipatests: remove additional check for failed units.
+ Resolves: RHBZ#2053024
+- ipa-cldap: fix memory leak.
+ Resolves: RHBZ#2032738
+
+* Thu Feb 10 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-4
+- Don't always override the port in import_included_profiles
+ Fixes: RHBZ#2022483
+- Remove ipa-join errors from behind the debug option
+ Fixes: RHBZ#2048558
+- Enable the ccache sweep timer during installation
+ Fixes: RHBZ#2051575
+
+* Thu Feb 3 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-3
+- Config plugin: return EmptyModlist when no change is applied.
+ Resolves: RHBZ#2031825
+- Custodia: use a stronger encryption algo when exporting keys.
+ Resolves: RHBZ#2032806
+- ipa-kdb: do not remove keys for hardened auth-enabled users.
+ Resolves: RHBZ#2033342
+- ipa-pki-proxy.conf: provide access to /kra/admin/kra/getStatus
+ Resolves: RHBZ#2049167
+- Backport latest test fxes in python3 ipatests.
+ Resolves: RHBZ#2048509
+- Removed unused patch files that were part of 4.9.8 rebase.
+
+* Fri Dec 10 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-2
+- Revert bind-pkcs11-utils configuration in freeipa.spec.
+ Resolves: RHBZ#2026732
+
+* Tue Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.8-1
+- Upstream release FreeIPA 4.9.8
+ Related: RHBZ#2015607
+- Hardening for CVE-2020-25717
-* Tue Mar 15 2022 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-11
-- Custodia use a stronger encryption algo when exporting keys
- Resolves: RHBZ#2062404
+* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9.1
+- Fix S4U2Self regression for cross-realm requester SID buffer
+- Related: RHBZ#2021443
-* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-10
-- Bump realease version due to build issue.
- Related: RHBZ#2021489
+* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-9
+- Require samba 4.14.5-13 with IPA DC server role fixes
+- Related: RHBZ#2021443
-* Thu Nov 30 2021 Rafael Jeffman <rjeffman@redhat.com> - 4.9.6-9
-- Hardening for CVE-2020-25717, part 3
- Related: RHBZ#2021489
+* Fri Nov 12 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
+- Add versioned dependency of samba-client-libs to ipa-server
+- Related: RHBZ#2021443
-* Thu Nov 18 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-8
-- Hardening for CVE-2020-25717, part 2
-- Related: RHBZ#2021171
+* Thu Nov 11 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
+- Hardening for CVE-2020-25717
+- Harden processing of trusted domains' users in S4U operations
+- Resolves: RHBZ#2021443
-* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-7
+* Wed Nov 10 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-6
- Hardening for CVE-2020-25717
-- Related: RHBZ#2021171
-
-* Fri Sep 17 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-6
-- Don't store entries with a usercertificate in the LDAP cache
- Resolves: RHBZ#1999893
-
-* Mon Sep 13 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-5
-- Catch and log errors when adding CA profiles
- Resolves: RHBZ#1999142
-- selinux policy: allow custodia to access /proc/cpuinfo
- Resolves: RHBZ#1998129
-- extdom: LDAP_INVALID_SYNTAX returned instead of LDAP_NO_SUCH_OBJECT
- Resolves: RHBZ#2000263
-- ipa migrate-ds command fails to warn when compat plugin is enabled
- Resolves: RHBZ#1999992
-- Backport latest test fixes in python3-ipatests
- Resolves: RHBZ#2000553
+- Rebuild against samba-4.14.5-11.el8
+- Resolves: RHBZ#2021443
+
+* Sun Nov 07 2021 Alexander Bokovoy <abokovoy@redhat.com> - 4.9.6-5
+- Hardening for CVE-2020-25717
+- Related: RHBZ#2019668
* Thu Jul 22 2021 Thomas Woerner <twoerner@redhat.com> - 4.9.6-4
- ipatests: NAMED_CRYPTO_POLICY_FILE not defined for RHEL
@@ -2285,7 +2304,7 @@ fi
- Checks if replica-s4u2proxy.ldif should be applied
- Resolves: #1493150 [RFE] set nsslapd-ignore-time-skew: on by default
- ds: ignore time skew during initial replication step
- - ipa-replica-manage: implicitly ignore initial time skew in force-sync
+ - ipa-replica-manage: implicitly ignore initial time skew in force-sync
- Resolves: #1500218 Replica installation at domain-level 0 fails against
upgraded ipa-server
- Fix ipa-replica-conncheck when called with --principal
@@ -2329,29 +2348,29 @@ fi
- Use OpenJDK 8 to bootstrap on AArch64 until RH1482244 is resolved in
buildroot
- Resolves: #1470177 - Rebase IPA to latest 4.5.x version
-- Resolves: #1398594 ipa topologysuffix-verify should only warn about
- maximum number of replication agreements.
-- Resolves: #1404236 Web UI: Change "Host Based" and "Role Based"
- to "Host-Based" and "Role-Based"
+- Resolves: #1398594 ipa topologysuffix-verify should only warn about
+ maximum number of replication agreements.
+- Resolves: #1404236 Web UI: Change "Host Based" and "Role Based"
+ to "Host-Based" and "Role-Based"
- Resolves: #1409786 Second phase of --external-ca ipa-server-install
setup fails when dirsrv is not running
-- Resolves: #1451576 ipa cert-request failed to generate certificate from csr
-- Resolves: #1452086 Pagination Size under Customization in IPA WebUI
+- Resolves: #1451576 ipa cert-request failed to generate certificate from csr
+- Resolves: #1452086 Pagination Size under Customization in IPA WebUI
accepts negative values
-- Resolves: #1458169 --force-join option is not mentioned in
- ipa-replica-install man page
-- Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case
-- Resolves: #1478322 user-show command fails when sizelimit is configured
- to number <= number of entity which is user member of
+- Resolves: #1458169 --force-join option is not mentioned in
+ ipa-replica-install man page
+- Resolves: #1463186 IPA shouldn't allow objectclass if not all in lower case
+- Resolves: #1478322 user-show command fails when sizelimit is configured
+ to number <= number of entity which is user member of
- Resolves: #1496775 Enterprise principals should be able to trigger
a refresh of the trusted domain data in the KDC
-- Resolves: #1502533 Changing cert-find to go through the proxy
+- Resolves: #1502533 Changing cert-find to go through the proxy
instead of using the port 8080
- Resolves: #1502663 pkinit-status command fails after an upgrade from
a pre-4.5 IPA
- Resolves: #1498168 Error when trying to modify a PTR record
- Resolves: #1457876 ipa-backup fails silently
-- Resolves: #1493531 In case full PKINIT configuration is failing during
+- Resolves: #1493531 In case full PKINIT configuration is failing during
server/replica install the error message should be more meaningful.
- Resolves: #1449985 Suggest CA installation command in KRA installation
warning
@@ -2402,7 +2421,7 @@ fi
- Restore old version of caIPAserviceCert for upgrade only
* Fri Jul 28 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-21.el7.1
-- Resolves: #1455946 Provide a tooling automating the configuration
+- Resolves: #1455946 Provide a tooling automating the configuration
of Smart Card authentication on a FreeIPA master
- smart-card advises: configure systemwide NSS DB also on master
- smart-card advises: add steps to store smart card signing CA cert
@@ -2416,7 +2435,7 @@ fi
- smart card advises: use a wrapper around Bash `for` loops
- smart card advise: use password when changing trust flags on HTTP cert
- smart-card-advises: ensure that krb5-pkinit is installed on client
-- Resolves: #1475238 Use CommonNameToSANDefault in default profile
+- Resolves: #1475238 Use CommonNameToSANDefault in default profile
(new installs only)
- Add CommonNameToSANDefault to default cert profile
- Resolves: #1464205 NULL LDAP context in call to ldap_search_ext_s
@@ -2439,11 +2458,11 @@ fi
* Wed Jun 21 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-19.el7
- Resolves: #1462112 ipaserver installation fails in FIPS mode: OpenSSL
internal error, assertion failed: Digest MD4 forbidden in FIPS mode!
- - ipa-sam: replace encode_nt_key() with E_md4hash()
+ - ipa-sam: replace encode_nt_key() with E_md4hash()
- ipa_pwd_extop: do not generate NT hashes in FIPS mode
- Resolves: #1377973 ipa-server-install fails when the provided or resolved
- IP address is not found on local interfaces
- - Fix local IP address validation
+ IP address is not found on local interfaces
+ - Fix local IP address validation
- ipa-dns-install: remove check for local ip address
- refactor CheckedIPAddress class
- CheckedIPAddress: remove match_local param
@@ -2456,7 +2475,7 @@ fi
- kra: promote: Get ticket before calling custodia
* Wed Jun 14 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-17.el7
-- Resolve: #1455946 Provide a tooling automating the configuration
+- Resolve: #1455946 Provide a tooling automating the configuration
of Smart Card authentication on a FreeIPA master
- server certinstall: update KDC master entry
- pkinit manage: introduce ipa-pkinit-manage
@@ -2481,7 +2500,7 @@ fi
- Revert setting sessionMaxAge for old clients
* Wed Jun 7 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-15.el7
-- Resolves: #1442233 IPA client commands fail when pointing to replica
+- Resolves: #1442233 IPA client commands fail when pointing to replica
- httpinstance: wait until the service entry is replicated
- Resolves: #1456769 ipaAnchorUUID index incorrectly configured and then
not indexed
@@ -2495,7 +2514,7 @@ fi
- Resolves: #1452763 ipa certmaprule change not reflected in krb5kdc workers
- ipa-kdb: reload certificate mapping rules periodically
- Resolves: #1455541 after upgrade login from web ui breaks
- - kdc.key should not be visible to all
+ - kdc.key should not be visible to all
- Resolves: #1435606 Add pkinit_indicator option to KDC configuration
- ipa-kdb: add pkinit authentication indicator in case of a successful
certauth
@@ -2507,7 +2526,7 @@ fi
- fix incorrect suffix handling in topology checks
* Wed May 24 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-14.el7
-- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to
+- Resolves: #1438731 Extend ipa-server-certinstall and ipa-certupdate to
handle PKINIT certificates/anchors
- certdb: add named trust flag constants
- certdb, certs: make trust flags argument mandatory
@@ -2529,7 +2548,7 @@ fi
- server install: fix KDC certificate validation in CA-less
- Resolves: #1451228 ipa-kra-install fails when primary KRA server has been
decommissioned
- - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
+ - ipa-kra-install: fix pkispawn setting for pki_security_domain_hostname
- Resolves: #1451712 KRA installation fails on server that was originally
installed as CA-less
- ipa-ca-install: append CA cert chain into /etc/ipa/ca.crt
@@ -2555,14 +2574,14 @@ fi
- krb5: make sure KDC certificate is readable
- Resolves: #1455862 "ipa: ERROR: an internal error has occurred" on executing
command "ipa cert-request --add" after upgrade
- - Change python-cryptography to python2-cryptography
+ - Change python-cryptography to python2-cryptography
* Thu May 18 2017 Pavel Vomacka <pvomacka@redhat.com> - 4.5.0-13.el7
- Resolves: #1451804 "AttributeError: 'tuple' object has no attribute 'append'"
- error observed during ipa upgrade with latest package.
+ error observed during ipa upgrade with latest package.
- ipa-server-install: fix uninstall
- Resolves: #1445390 ipa-[ca|kra]-install with invalid DM password break
- replica
+ replica
- ca install: merge duplicated code for DM password
- installutils: add DM password validator
- ca, kra install: validate DM password
@@ -2572,11 +2591,11 @@ fi
- python2-ipalib: add missing python dependency
- installer service: fix typo in service entry
- upgrade: add missing suffix to http instance
-- Resolves: #1444791 Update man page of ipa-kra-install
+- Resolves: #1444791 Update man page of ipa-kra-install
- ipa-kra-install manpage: document domain-level 1
- Resolves: #1441493 ipa cert-show raises stack traces when
- --certificate-out=/tmp
- - cert-show: writable files does not mean dirs
+ --certificate-out=/tmp
+ - cert-show: writable files does not mean dirs
- Resolves: #1441192 Add the name of URL parameter which will be check for
username during cert login
- Bump version of ipa.conf file
@@ -2591,9 +2610,9 @@ fi
- renew agent: always export CSR on IPA CA certificate renewal
- renew agent: get rid of virtual profiles
- ipa-cacert-manage: add --external-ca-type
-- Resolves: #1441593 error adding authenticator indicators to host
+- Resolves: #1441593 error adding authenticator indicators to host
- Fixing adding authenticator indicators to host
-- Resolves: #1449525 Set directory ownership in spec file
+- Resolves: #1449525 Set directory ownership in spec file
- Added plugins directory to ipaclient subpackages
- ipaclient: fix missing RPM ownership
- Resolves: #1451279 otptoken-add-yubikey KeyError: 'ipatokenotpdigits'