diff --git a/SOURCES/0062-DL0-replica-install-fix-nsDS5ReplicaBindDN-config.patch b/SOURCES/0062-DL0-replica-install-fix-nsDS5ReplicaBindDN-config.patch
new file mode 100644
index 0000000..c54c0a9
--- /dev/null
+++ b/SOURCES/0062-DL0-replica-install-fix-nsDS5ReplicaBindDN-config.patch
@@ -0,0 +1,57 @@ +From 542297d937d538e3353e06dd052a2e77d594dae8 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Thu, 13 Jun 2019 21:54:58 +0200 +Subject: [PATCH] DL0 replica install: fix nsDS5ReplicaBindDN config +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +When setting up a 4.x replica in DL0 from a 3.x replica, the first 4.x +replica installation succeeds but if a second 4.x replica is configured, +the replication is not properly set. + +This happens because the replica setup needs to add nsDS5ReplicaBindDN: +krbprincipalname=ldap/replica@DOMAIN to the entry +cn=replica,cn=...,cn=mapping tree,cn=config in order to allow replication +(on the 3.x master, the replication manager group is not supported yet). + +The issue is that this attribute is added only when the entry +cn=replication managers,cn=sysaccounts,cn=etc,$BASEDN +does not exist. This condition is true for the first replica install but +false for the second replica install. + +The fix consists in checking if the remote server has ds version < 1.3.3 +(in this case it is a 3.x server). If it's the case, the installer +will use nsDS5ReplicaBindDN attribute with the replica krbprincipalname. +Otherwise the nsDS5ReplicaBindDN attribute will use the replication manager +group. 
+ +Fixes: https://pagure.io/freeipa/issue/7976 +Reviewed-By: François Cami +--- + ipaserver/install/replication.py | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/ipaserver/install/replication.py b/ipaserver/install/replication.py +index 8644b9ff618d28614a319d6da6a2041fea3c1c1f..c188bd6f5e4d13af7b12f5e0528ee135772af7ab 100644 +--- a/ipaserver/install/replication.py ++++ b/ipaserver/install/replication.py +@@ -1730,9 +1730,14 @@ class ReplicationManager(object): + try: + conn.get_entry(self.repl_man_group_dn) + except errors.NotFound: +- self._add_replica_bind_dn(conn, my_dn) + self._add_replication_managers(conn) + ++ # On IPA 3.x masters (ds version < 1.3.3), ++ # add replica bind DN directly into the replica entry ++ vendor_version = get_ds_version(conn) ++ if vendor_version < (1, 3, 3): ++ self._add_replica_bind_dn(conn, my_dn) ++ + self._add_dn_to_replication_managers(conn, my_dn) + self._add_dn_to_replication_managers(conn, remote_dn) + +-- +2.23.0 + diff --git a/SOURCES/0063-extdom-unify-error-code-handling-especially-LDAP_NO_.patch b/SOURCES/0063-extdom-unify-error-code-handling-especially-LDAP_NO_.patch new file mode 100644 index 0000000..5f74de1 --- /dev/null +++ b/SOURCES/0063-extdom-unify-error-code-handling-especially-LDAP_NO_.patch 
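Review bot: The threshold in the new `if vendor_version < (1, 3, 3):` is a bare magic tuple whose meaning (first 389-ds release that supports the replication-manager group, per the commit message) lives only in the comment above it; a module-level constant such as `REPL_MANAGER_GROUP_MIN_DS_VERSION = (1, 3, 3)` would make it greppable and let the comment explain why rather than what. Consider also logging the detected version at debug level, e.g. `logger.debug('Remote DS version %s', vendor_version)`, because a misdetected version here would likely leave the remote side without an authorized bind DN and the failure would only surface later as a replication error. The comparison assumes `get_ds_version(conn)` returns a tuple comparable with `(1, 3, 3)`; that cannot be confirmed from this hunk. The enclosing method starts and ends outside the hunk.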
@@ -0,0 +1,287 @@ +From 85d71239bb974c8d8988c753f63ec12d1b735da3 Mon Sep 17 00:00:00 2001 +From: Sumit Bose +Date: Fri, 14 Jun 2019 11:13:54 +0200 +Subject: [PATCH] extdom: unify error code handling especially + LDAP_NO_SUCH_OBJECT + +A return code LDAP_NO_SUCH_OBJECT will tell SSSD on the IPA client to +remove the searched object from the cache. As a consequence +LDAP_NO_SUCH_OBJECT should only be returned if the object really does +not exists otherwise the data of existing objects might be removed form +the cache of the clients causing unexpected behaviour like +authentication errors. + +Currently some code-paths use LDAP_NO_SUCH_OBJECT as default error code. +With this patch LDAP_NO_SUCH_OBJECT is only returned if the related +lookup functions return ENOENT. Timeout related error code will lead to +LDAP_TIMELIMIT_EXCEEDED and LDAP_OPERATIONS_ERROR is used as default +error code. + +Fixes: https://pagure.io/freeipa/issue/8044 +Reviewed-By: Alexander Bokovoy +--- + .../ipa-extdom-extop/back_extdom_sss_idmap.c | 4 +- + .../ipa-extdom-extop/ipa_extdom_common.c | 77 ++++++++++++++----- + .../ipa-extdom-extop/ipa_extdom_extop.c | 2 + + 3 files changed, 61 insertions(+), 22 deletions(-) + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c +index 89c58ca2de333b26954d916836b57aed5d7e18fb..64b90e3ae8abc40edaaed91601cdded30db35294 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/back_extdom_sss_idmap.c +@@ -47,10 +47,10 @@ static enum nss_status __convert_sss_nss2nss_status(int errcode) { + return NSS_STATUS_SUCCESS; + case ENOENT: + return NSS_STATUS_NOTFOUND; +- case ETIME: +- /* fall-through */ + case ERANGE: + return NSS_STATUS_TRYAGAIN; ++ case ETIME: ++ /* fall-through */ + case ETIMEDOUT: + /* fall-through */ + default: +diff --git 
a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +index 1b93dce18671756fe9019378ce61e556697ad902..134b623773df418dc47edaf67045e5f4cfff9782 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c +@@ -523,7 +523,7 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, + if (strcasecmp(locat+1, domain_name) == 0 ) { + locat[0] = '\0'; + } else { +- ret = LDAP_NO_SUCH_OBJECT; ++ ret = LDAP_INVALID_SYNTAX; + goto done; + } + } +@@ -568,10 +568,12 @@ int pack_ber_user(struct ipa_extdom_ctx *ctx, + ret = getgrgid_r_wrapper(ctx, + groups[c], &grp, &buf, &buf_len); + if (ret != 0) { +- if (ret == ENOMEM || ret == ERANGE) { +- ret = LDAP_OPERATIONS_ERROR; +- } else { ++ if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; ++ } else { ++ ret = LDAP_OPERATIONS_ERROR; + } + goto done; + } +@@ -634,7 +636,7 @@ int pack_ber_group(enum response_types response_type, + if (strcasecmp(locat+1, domain_name) == 0 ) { + locat[0] = '\0'; + } else { +- ret = LDAP_NO_SUCH_OBJECT; ++ ret = LDAP_INVALID_SYNTAX; + goto done; + } + } +@@ -836,6 +838,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, + || id_type == SSS_ID_TYPE_BOTH)) { + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + set_err_msg(req, "Failed to lookup SID by UID"); + ret = LDAP_OPERATIONS_ERROR; +@@ -847,10 +851,12 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, + } else { + ret = getpwuid_r_wrapper(ctx, uid, &pwd, &buf, &buf_len); + if (ret != 0) { +- if (ret == ENOMEM || ret == ERANGE) { +- ret = LDAP_OPERATIONS_ERROR; +- } else { ++ if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; ++ } else { ++ ret = 
LDAP_OPERATIONS_ERROR; + } + goto done; + } +@@ -862,6 +868,8 @@ static int handle_uid_request(struct ipa_extdom_ctx *ctx, + set_err_msg(req, "Failed to read original data"); + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + ret = LDAP_OPERATIONS_ERROR; + } +@@ -907,6 +915,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx, + if (ret != 0 || id_type != SSS_ID_TYPE_GID) { + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + set_err_msg(req, "Failed to lookup SID by GID"); + ret = LDAP_OPERATIONS_ERROR; +@@ -918,10 +928,12 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx, + } else { + ret = getgrgid_r_wrapper(ctx, gid, &grp, &buf, &buf_len); + if (ret != 0) { +- if (ret == ENOMEM || ret == ERANGE) { +- ret = LDAP_OPERATIONS_ERROR; +- } else { ++ if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; ++ } else { ++ ret = LDAP_OPERATIONS_ERROR; + } + goto done; + } +@@ -933,6 +945,8 @@ static int handle_gid_request(struct ipa_extdom_ctx *ctx, + set_err_msg(req, "Failed to read original data"); + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + ret = LDAP_OPERATIONS_ERROR; + } +@@ -976,6 +990,8 @@ static int handle_cert_request(struct ipa_extdom_ctx *ctx, + if (ret != 0) { + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + set_err_msg(req, "Failed to lookup name by certificate"); + ret = LDAP_OPERATIONS_ERROR; +@@ -1020,6 +1036,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, + if (ret != 0) { + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == 
ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + set_err_msg(req, "Failed to lookup name by SID"); + ret = LDAP_OPERATIONS_ERROR; +@@ -1057,10 +1075,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, + case SSS_ID_TYPE_BOTH: + ret = getpwnam_r_wrapper(ctx, fq_name, &pwd, &buf, &buf_len); + if (ret != 0) { +- if (ret == ENOMEM || ret == ERANGE) { +- ret = LDAP_OPERATIONS_ERROR; +- } else { ++ if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; ++ } else { ++ ret = LDAP_OPERATIONS_ERROR; + } + goto done; + } +@@ -1072,6 +1092,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, + set_err_msg(req, "Failed to read original data"); + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + ret = LDAP_OPERATIONS_ERROR; + } +@@ -1089,10 +1111,12 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, + case SSS_ID_TYPE_GID: + ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len); + if (ret != 0) { +- if (ret == ENOMEM || ret == ERANGE) { +- ret = LDAP_OPERATIONS_ERROR; +- } else { ++ if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; ++ } else { ++ ret = LDAP_OPERATIONS_ERROR; + } + goto done; + } +@@ -1104,6 +1128,8 @@ static int handle_sid_request(struct ipa_extdom_ctx *ctx, + set_err_msg(req, "Failed to read original data"); + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + ret = LDAP_OPERATIONS_ERROR; + } +@@ -1167,6 +1193,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, + if (ret != 0) { + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + set_err_msg(req, "Failed to lookup SID by name"); + ret = 
LDAP_OPERATIONS_ERROR; +@@ -1190,6 +1218,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, + set_err_msg(req, "Failed to read original data"); + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + ret = LDAP_OPERATIONS_ERROR; + } +@@ -1205,6 +1235,9 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, + } else if (ret == ENOMEM || ret == ERANGE) { + ret = LDAP_OPERATIONS_ERROR; + goto done; ++ } else if (ret == ETIMEDOUT) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; ++ goto done; + } else { /* no user entry found */ + /* according to the getpwnam() man page there are a couple of + * error codes which can indicate that the user was not found. To +@@ -1212,10 +1245,12 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, + * errors. */ + ret = getgrnam_r_wrapper(ctx, fq_name, &grp, &buf, &buf_len); + if (ret != 0) { +- if (ret == ENOMEM || ret == ERANGE) { +- ret = LDAP_OPERATIONS_ERROR; +- } else { ++ if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; ++ } else { ++ ret = LDAP_OPERATIONS_ERROR; + } + goto done; + } +@@ -1226,6 +1261,8 @@ static int handle_name_request(struct ipa_extdom_ctx *ctx, + || id_type == SSS_ID_TYPE_BOTH)) { + if (ret == ENOENT) { + ret = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == ETIMEDOUT || ret == ETIME) { ++ ret = LDAP_TIMELIMIT_EXCEEDED; + } else { + set_err_msg(req, "Failed to read original data"); + ret = LDAP_OPERATIONS_ERROR; +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +index 10d3f86ebad920fb9c051aa428cbd675b682f14a..48fcecc1eeb8f2ad6a3bc8791fe94f4ed54fe74d 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_extop.c +@@ -242,6 +242,8 @@ static int ipa_extdom_extop(Slapi_PBlock 
*pb) + if (ret != LDAP_SUCCESS) { + if (ret == LDAP_NO_SUCH_OBJECT) { + rc = LDAP_NO_SUCH_OBJECT; ++ } else if (ret == LDAP_TIMELIMIT_EXCEEDED) { ++ rc = LDAP_TIMELIMIT_EXCEEDED; + } else { + rc = LDAP_OPERATIONS_ERROR; + err_msg = "Failed to handle the request.\n"; +-- +2.23.0 + diff --git a/SOURCES/0064-ipa-extdom-extop-test-timed-out-getgrgid_r.patch b/SOURCES/0064-ipa-extdom-extop-test-timed-out-getgrgid_r.patch new file mode 100644 index 0000000..265e9da --- /dev/null +++ b/SOURCES/0064-ipa-extdom-extop-test-timed-out-getgrgid_r.patch 
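Review bot: The branches that follow a `*_r_wrapper()` call (the `getgrgid_r_wrapper` block in `pack_ber_user`, and the `getpwuid_r_wrapper`/`getgrgid_r_wrapper`/`getpwnam_r_wrapper`/`getgrnam_r_wrapper` blocks in the request handlers) test only `ret == ETIMEDOUT`, whereas every `sss_nss_*` branch in the same patch tests `ret == ETIMEDOUT || ret == ETIME`; if the wrappers can ever surface `ETIME`, a timeout there degrades to `LDAP_OPERATIONS_ERROR` instead of `LDAP_TIMELIMIT_EXCEEDED`. Either the wrappers normalize timeouts to `ETIMEDOUT` — then a one-line comment at the first such branch, `/* *_r_wrapper() reports timeouts only as ETIMEDOUT */`, would document the asymmetry — or the condition should read `} else if (ret == ETIMEDOUT || ret == ETIME) {` in all of them. The security-relevant invariant stated in the commit message, that only a genuine `ENOENT` maps to `LDAP_NO_SUCH_OBJECT` (which makes SSSD purge the client cache), does hold in every branch shown. The enclosing functions start and end outside the hunk.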
@@ -0,0 +1,64 @@ +From 52d90782c1a7ebe5bd984b7560d71a06fe3fb76b Mon Sep 17 00:00:00 2001 +From: Alexander Bokovoy +Date: Mon, 19 Aug 2019 10:15:50 +0300 +Subject: [PATCH] ipa-extdom-extop: test timed out getgrgid_r + +Simulate getgrgid_r() timeout when packing list of groups user is a +member of in pack_ber_user(). + +Related: https://pagure.io/freeipa/issue/8044 +Reviewed-By: Alexander Bokovoy +--- + .../ipa_extdom_cmocka_tests.c | 29 +++++++++++++++++++ + 1 file changed, 29 insertions(+) + +diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c +index 29699cfa390f5469d7c009388b90e68616cbf984..1fa4c6af823d290412496b5823b90873375f2769 100644 +--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c ++++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_cmocka_tests.c +@@ -493,6 +493,34 @@ void test_set_err_msg(void **state) + #define TEST_SID "S-1-2-3-4" + #define TEST_DOMAIN_NAME "DOMAIN" + ++/* Always time out for test */ ++static ++enum nss_status getgrgid_r_timeout(gid_t gid, struct group *result, ++ char *buffer, size_t buflen, int *errnop) { ++ return NSS_STATUS_UNAVAIL; ++} ++ ++void test_pack_ber_user_timeout(void **state) ++{ ++ int ret; ++ struct berval *resp_val = NULL; ++ struct test_data *test_data; ++ enum nss_status (*oldgetgrgid_r)(gid_t gid, struct group *result, ++ char *buffer, size_t buflen, int *errnop); ++ ++ test_data = (struct test_data *) *state; ++ ++ oldgetgrgid_r = test_data->ctx->nss_ctx->getgrgid_r; ++ test_data->ctx->nss_ctx->getgrgid_r = getgrgid_r_timeout; ++ ++ ret = pack_ber_user(test_data->ctx, RESP_USER_GROUPLIST, ++ TEST_DOMAIN_NAME, "member001", 12345, 54321, ++ "gecos", "homedir", "shell", NULL, &resp_val); ++ test_data->ctx->nss_ctx->getgrgid_r = oldgetgrgid_r; ++ assert_int_equal(ret, LDAP_TIMELIMIT_EXCEEDED); ++ ber_bvfree(resp_val); ++} ++ + char res_sid[] = {0x30, 0x0e, 0x0a, 0x01, 0x01, 0x04, 0x09, 
0x53, 0x2d, 0x31, \ + 0x2d, 0x32, 0x2d, 0x33, 0x2d, 0x34}; + char res_nam[] = {0x30, 0x13, 0x0a, 0x01, 0x02, 0x30, 0x0e, 0x04, 0x06, 0x44, \ +@@ -614,6 +642,7 @@ void test_decode(void **state) + int main(int argc, const char *argv[]) + { + const struct CMUnitTest tests[] = { ++ cmocka_unit_test(test_pack_ber_user_timeout), + cmocka_unit_test(test_getpwnam_r_wrapper), + cmocka_unit_test(test_getpwuid_r_wrapper), + cmocka_unit_test(test_getgrnam_r_wrapper), +-- +2.23.0 + diff --git a/SOURCES/0065-Make-sure-to-have-storage-space-for-tag.patch b/SOURCES/0065-Make-sure-to-have-storage-space-for-tag.patch new file mode 100644 index 0000000..7ebf209 --- /dev/null +++ b/SOURCES/0065-Make-sure-to-have-storage-space-for-tag.patch 
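Review bot: The stub `getgrgid_r_timeout` is commented `/* Always time out for test */` but returns `NSS_STATUS_UNAVAIL` and never sets `*errnop`, so the asserted `LDAP_TIMELIMIT_EXCEEDED` only follows if the wrapper maps `NSS_STATUS_UNAVAIL` to `ETIMEDOUT`; that coupling is invisible in this hunk and should be spelled out, e.g. `/* NSS_STATUS_UNAVAIL is how the sss_nss backend reports a timeout; the wrapper is expected to turn it into ETIMEDOUT */`. The test also calls `ber_bvfree(resp_val)` after a failing `pack_ber_user`, which relies on `resp_val` being left NULL (or a valid berval) on the error path; if that is the contract, `assert_null(resp_val)` before the free would pin it. Restoring `getgrgid_r` before the assert is correct, since a failing assert would otherwise leave the fake installed for later tests. `test_pack_ber_user_timeout` is fully visible; `main` continues outside the hunk.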
@@ -0,0 +1,39 @@
+From 61db30080726bfc4832b8516b335734a5246ac0b Mon Sep 17 00:00:00 2001
+From: Simo Sorce
+Date: Mon, 16 Sep 2019 11:12:25 -0400
+Subject: [PATCH] Make sure to have storage space for tag
+
+ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
+by "t", if that is not provided the pointer will be store in whatever
+memory location is pointed by the stack at that time causeing a crash.
+
+Note that this is effectively unused code because in ipa-kdb the only
+party that can write a key_data structure to be stored is te kdb_driver
+itself and we never encode these s2kparam data.
+
+But we need to handle this for future proofing.
+
+Fixes #8071
+
+Signed-off-by: Simo Sorce
+Reviewed-By: Christian Heimes
+---
+ util/ipa_krb5.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/util/ipa_krb5.c b/util/ipa_krb5.c
+index a27cd4a4e538c738c6ab2157a4daabf8fea7661c..c09c3daa505655f2e5292a79c03683faa75ad244 100644
+--- a/util/ipa_krb5.c
++++ b/util/ipa_krb5.c
+@@ -554,7 +554,7 @@ int ber_decode_krb5_key_data(struct berval *encoded, int *m_kvno,
+ retag = ber_peek_tag(be, &setlen);
+ if (retag == (LBER_CONSTRUCTED | LBER_CLASS_CONTEXT | 2)) {
+ /* not supported yet, skip */
+- retag = ber_scanf(be, "t[x]}");
++ retag = ber_scanf(be, "t[x]}", &tag);
+ } else {
+ retag = ber_scanf(be, "}");
+ }
+--
+2.23.0
+
diff --git a/SOURCES/0066-CVE-2019-10195-Don-t-log-passwords-embedded-in-comma.patch b/SOURCES/0066-CVE-2019-10195-Don-t-log-passwords-embedded-in-comma.patch
new file mode 100644
index 0000000..d376429
--- /dev/null
+++ b/SOURCES/0066-CVE-2019-10195-Don-t-log-passwords-embedded-in-comma.patch
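Review bot: The fix passes `&tag` to satisfy the `t` format, but the hunk shows neither `tag` being declared as `ber_tag_t` nor its value being used afterwards, so a reader will wonder whether the tag matters; the existing comment should say it does not, e.g. `/* s2kparams not supported yet: consume the element; "t" needs a ber_tag_t out-parameter, value is discarded */`. Neither branch checks `retag` against `LBER_ERROR` inside the hunk; if that check is below, fine, otherwise a malformed element would let decoding continue after a failed scan. The commit message's claim that this path is unreachable in practice is worth repeating in the comment, since this code parses data read back from the directory. `ber_decode_krb5_key_data` starts and ends outside the hunk.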
@@ -0,0 +1,147 @@ +From 84317f86f9c96805cf365784794142e65cfbb310 Mon Sep 17 00:00:00 2001 +From: Rob Crittenden +Date: Tue, 2 Jul 2019 13:44:48 -0400 +Subject: [PATCH] CVE-2019-10195: Don't log passwords embedded in commands in + calls using batch + +A raw batch request was fully logged which could expose parameters +we don't want logged, like passwords. + +Override _repr_iter to use the individual commands to log the +values so that values are properly obscured. + +In case of errors log the full value on when the server is in +debug mode. + +Reported by Jamison Bennett from Cloudera + +Signed-off-by: Rob Crittenden +Reviewed-by: Florence Blanc-Renaud +--- + ipaserver/plugins/batch.py | 96 ++++++++++++++++++++++++++++---------- + 1 file changed, 72 insertions(+), 24 deletions(-) + +diff --git a/ipaserver/plugins/batch.py b/ipaserver/plugins/batch.py +index 2794db895a014a6129654889289815d4286cf7f4..9df367d16234d1840a2e5297cdd5c3c59fa4828f 100644 +--- a/ipaserver/plugins/batch.py ++++ b/ipaserver/plugins/batch.py +@@ -92,35 +92,82 @@ class batch(Command): + Output('results', (list, tuple), doc='') + ) + ++ def _validate_request(self, request): ++ """ ++ Check that an individual request in a batch is parseable and the ++ commands exists. 
++ """ ++ if 'method' not in request: ++ raise errors.RequirementError(name='method') ++ if 'params' not in request: ++ raise errors.RequirementError(name='params') ++ name = request['method'] ++ if (name not in self.api.Command or ++ isinstance(self.api.Command[name], Local)): ++ raise errors.CommandError(name=name) ++ ++ # If params are not formated as a tuple(list, dict) ++ # the following lines will raise an exception ++ # that triggers an internal server error ++ # Raise a ConversionError instead to report the issue ++ # to the client ++ try: ++ a, kw = request['params'] ++ newkw = dict((str(k), v) for k, v in kw.items()) ++ api.Command[name].args_options_2_params(*a, **newkw) ++ except (AttributeError, ValueError, TypeError): ++ raise errors.ConversionError( ++ name='params', ++ error=_(u'must contain a tuple (list, dict)')) ++ except Exception as e: ++ raise errors.ConversionError( ++ name='params', ++ error=str(e)) ++ ++ def _repr_iter(self, **params): ++ """ ++ Iterate through the request and use the Command _repr_intr so ++ that sensitive information (passwords) is not exposed. ++ ++ In case of a malformatted request redact the entire thing. 
++ """ ++ exceptions = False ++ for arg in (params.get('methods', [])): ++ try: ++ self._validate_request(arg) ++ except Exception: ++ # redact the whole request since we don't know what's in it ++ exceptions = True ++ yield u'********' ++ continue ++ ++ name = arg['method'] ++ a, kw = arg['params'] ++ newkw = dict((str(k), v) for k, v in kw.items()) ++ param = api.Command[name].args_options_2_params( ++ *a, **newkw) ++ ++ yield '{}({})'.format( ++ api.Command[name].name, ++ ', '.join(api.Command[name]._repr_iter(**param)) ++ ) ++ ++ if exceptions: ++ logger.debug('batch: %s', ++ ', '.join(super(batch, self)._repr_iter(**params))) ++ + def execute(self, methods=None, **options): + results = [] + for arg in (methods or []): + params = dict() + name = None + try: +- if 'method' not in arg: +- raise errors.RequirementError(name='method') +- if 'params' not in arg: +- raise errors.RequirementError(name='params') ++ self._validate_request(arg) + name = arg['method'] +- if (name not in self.api.Command or +- isinstance(self.api.Command[name], Local)): +- raise errors.CommandError(name=name) +- +- # If params are not formated as a tuple(list, dict) +- # the following lines will raise an exception +- # that triggers an internal server error +- # Raise a ConversionError instead to report the issue +- # to the client +- try: +- a, kw = arg['params'] +- newkw = dict((str(k), v) for k, v in kw.items()) +- params = api.Command[name].args_options_2_params( +- *a, **newkw) +- except (AttributeError, ValueError, TypeError): +- raise errors.ConversionError( +- name='params', +- error=_(u'must contain a tuple (list, dict)')) ++ a, kw = arg['params'] ++ newkw = dict((str(k), v) for k, v in kw.items()) ++ params = api.Command[name].args_options_2_params( ++ *a, **newkw) + newkw.setdefault('version', options['version']) + + result = api.Command[name](*a, **newkw) +@@ -132,8 +179,9 @@ class batch(Command): + ) + result['error']=None + except Exception as e: +- if isinstance(e, 
errors.RequirementError) or \ +- isinstance(e, errors.CommandError): ++ if (isinstance(e, errors.RequirementError) or ++ isinstance(e, errors.CommandError) or ++ isinstance(e, errors.ConversionError)): + logger.info( + '%s: batch: %s', + context.principal, # pylint: disable=no-member +-- +2.23.0 + diff --git a/SOURCES/0067-trust-upgrade-ensure-that-host-is-member-of-adtrust-.patch b/SOURCES/0067-trust-upgrade-ensure-that-host-is-member-of-adtrust-.patch new file mode 100644 index 0000000..1775c62 --- /dev/null +++ b/SOURCES/0067-trust-upgrade-ensure-that-host-is-member-of-adtrust-.patch 
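Review bot: The fallback at the end of `_repr_iter`, `logger.debug('batch: %s', ', '.join(super(batch, self)._repr_iter(**params)))`, dumps the entire raw batch — including password options of the well-formed sub-requests — whenever any single sub-request fails `_validate_request`; with debug logging commonly left enabled on servers, this re-creates the CVE-2019-10195 exposure for the one case the redaction cannot handle. Consider logging only the offending sub-request's method name and the validation error from inside the `except` branch, e.g. `logger.debug('batch: malformed request for %r: %s', arg.get('method'), e)`, and dropping the full dump; if the full dump is kept deliberately, the `_repr_iter` docstring should state that debug mode trades redaction for diagnosability. Separately, `_validate_request` tests membership with `self.api.Command[name]` but then calls `api.Command[name].args_options_2_params(...)` on the module-level `api`; use one consistently. `batch.execute` continues outside the hunk.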
@@ -0,0 +1,110 @@ +From de19fe67c341d99171afda61f6419a80c757b0f7 Mon Sep 17 00:00:00 2001 +From: Florence Blanc-Renaud +Date: Tue, 3 Dec 2019 12:56:22 +0100 +Subject: [PATCH] trust upgrade: ensure that host is member of adtrust agents + +After an upgrade, the group cn=adtrust agents may be missing some members. +Each ad trust controller must appear twice as member: +- krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn +- fqdn=hostname,cn=computers,cn=accounts,basedn + +Add an upgrade plugin that builds a list of hostnames from the cifs +principals and adds if needed fqdn=hostname... + +Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777 +Signed-off-by: Florence Blanc-Renaud +Reviewed-By: Alexander Bokovoy +Reviewed-By: Alexander Bokovoy +--- + .../updates/90-post_upgrade_plugins.update | 1 + + ipaserver/install/plugins/adtrust.py | 55 +++++++++++++++++++ + 2 files changed, 56 insertions(+) + +diff --git a/install/updates/90-post_upgrade_plugins.update b/install/updates/90-post_upgrade_plugins.update +index 77b910fc26858611e44a5ba3f4f4c18f4895c95e..1d9e8bba8486df197fc9a3e9f83df360f55ca251 100644 +--- a/install/updates/90-post_upgrade_plugins.update ++++ b/install/updates/90-post_upgrade_plugins.update +@@ -13,6 +13,7 @@ plugin: update_default_trust_view + plugin: update_tdo_gidnumber + plugin: update_tdo_to_new_layout + plugin: update_tdo_default_read_keys_permissions ++plugin: update_adtrust_agents_members + plugin: update_ca_renewal_master + plugin: update_idrange_type + plugin: update_pacs +diff --git a/ipaserver/install/plugins/adtrust.py b/ipaserver/install/plugins/adtrust.py +index 950b7b9c82f1b0e115675ff8093d1bd02e913ae2..3da8c9e2021c1ee9cb59a90e9fe269d86e9c337a 100644 +--- a/ipaserver/install/plugins/adtrust.py ++++ b/ipaserver/install/plugins/adtrust.py +@@ -8,9 +8,11 @@ from ipalib import Updater + from ipapython.dn import DN + from ipapython import ipautil + from ipaplatform.paths import paths ++from ipaserver.install import 
service + from ipaserver.install import sysupgrade + from ipaserver.install.adtrustinstance import ( + ADTRUSTInstance, map_Guests_to_nobody) ++ + from ipaserver.dcerpc_common import TRUST_BIDIRECTIONAL + + try: +@@ -785,3 +787,56 @@ class update_tdo_default_read_keys_permissions(Updater): + tdo.single_value.get('krbCanonicalName')) + + return False, [] ++ ++ ++@register() ++class update_adtrust_agents_members(Updater): ++ """ Ensure that each adtrust agent is a member of the adtrust agents group ++ ++ cn=adtrust agents,cn=sysaccounts,cn=etc,$BASEDN must contain: ++ - member: krbprincipalname=cifs/master@realm,cn=services,cn=accounts,base ++ - member: fqdn=master,cn=computers,cn=accounts,base ++ """ ++ def execute(self, **options): ++ ldap = self.api.Backend.ldap2 ++ ++ # First, see if trusts are enabled on the server ++ if not self.api.Command.adtrust_is_enabled()['result']: ++ logger.debug('AD Trusts are not enabled on this server') ++ return False, [] ++ ++ agents_dn = DN( ++ ('cn', 'adtrust agents'), ('cn', 'sysaccounts'), ++ ('cn', 'etc'), self.api.env.basedn) ++ ++ try: ++ agents_entry = ldap.get_entry(agents_dn, ['member']) ++ except errors.NotFound: ++ logger.error("No adtrust agents group found") ++ return False, [] ++ ++ # Build a list of agents from the cifs/.. members ++ agents_list = [] ++ members = agents_entry.get('member', []) ++ suffix = '@{}'.format(self.api.env.realm).lower() ++ ++ for amember in members: ++ if amember[0].attr.lower() == 'krbprincipalname': ++ # Extract krbprincipalname=cifs/hostname@realm from the DN ++ value = amember[0].value ++ if (value.lower().startswith('cifs/') and ++ value.lower().endswith(suffix)): ++ # 5 = length of 'cifs/' ++ hostname = value[5:-len(suffix)] ++ agents_list.append(DN(('fqdn', hostname), ++ self.api.env.container_host, ++ self.api.env.basedn)) ++ ++ # Add the fqdn=hostname... 
to the group ++ service.add_principals_to_group( ++ ldap, ++ agents_dn, ++ "member", ++ agents_list) ++ ++ return False, [] +-- +2.23.0 + diff --git a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch index 2aaf85a..24b7c73 100644 --- a/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch +++ b/SOURCES/1001-Change-branding-to-IPA-and-Identity-Management.patch @@ -1,4 +1,4 @@ -From 6a6ce48f49a66edaead21c491cc1b09ae137e63f Mon Sep 17 00:00:00 2001 +From 1a992ce1275797ef376e6c137d10f412b92db9db Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 15:48:07 +0000 Subject: [PATCH] Change branding to IPA and Identity Management @@ -1097,5 +1097,5 @@ index 6037938330f13a30d0ccfbedcaac59c567bda0d6..b8a0c82d394edb8744de34394895b86f """) + _(""" To enable the binddn run the following command to set the password: -- -2.20.1 +2.23.0 diff --git a/SOURCES/1002-Package-copy-schema-to-ca.py.patch b/SOURCES/1002-Package-copy-schema-to-ca.py.patch index c6e1baf..22b39aa 100644 --- a/SOURCES/1002-Package-copy-schema-to-ca.py.patch +++ b/SOURCES/1002-Package-copy-schema-to-ca.py.patch @@ -1,4 +1,4 @@ -From 13af793c9216b956b8fb6e398727f6c24a8865cc Mon Sep 17 00:00:00 2001 +From b2dadbd58f3203c5d798286e9a3d8da339a5d9ed Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Tue, 14 Mar 2017 16:07:15 +0000 Subject: [PATCH] Package copy-schema-to-ca.py @@ -40,5 +40,5 @@ index 1f22d120478a6d4019663281d3191a27a5ee09ea..6f49b8bfa88e00388aec17f26169aa3d -- -2.20.1 +2.23.0 diff --git a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch index 857ed39..91deb73 100644 --- a/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch +++ b/SOURCES/1003-Revert-Increased-mod_wsgi-socket-timeout.patch 
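Review bot: The loop derives `fqdn=hostname` DNs from the `cifs/` principal members alone and passes them to `service.add_principals_to_group` without checking that `fqdn=hostname,cn=computers,...` still exists, so a stale `cifs/` principal left behind by a decommissioned replica would — depending on the helper's behaviour, which is not visible here — either fail this upgrade step or add a dangling `member` to a group that gates trust-controller privileges. A guard before the `append`, such as `try: ldap.get_entry(host_dn, ['dn']) except errors.NotFound: logger.warning('No host entry for adtrust agent %s', hostname); continue`, would keep the group limited to live hosts. The hunk uses `errors` and `logger` without showing their imports; presumably the file already has them, as the sibling updaters do. `update_adtrust_agents_members` is fully visible in the hunk.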
@@ -1,4 +1,4 @@ -From 6c381a943b76f56b3785b0288c6d8e6d6a3a43ff Mon Sep 17 00:00:00 2001 +From c0e54fa7d42af945fd42261be4ebac90c9641316 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 22 Jun 2016 13:53:46 +0200 Subject: [PATCH] Revert "Increased mod_wsgi socket-timeout" @@ -24,5 +24,5 @@ index 912a63c2240e0681dfbeeac223a902b15b304716..c5fc518f803d379287043b405efeb46d WSGIImportScript /usr/share/ipa/wsgi.py process-group=ipa application-group=ipa WSGIScriptAlias /ipa /usr/share/ipa/wsgi.py -- -2.20.1 +2.23.0 diff --git a/SOURCES/1004-Remove-csrgen.patch b/SOURCES/1004-Remove-csrgen.patch index e1b6be8..23d1a61 100644 --- a/SOURCES/1004-Remove-csrgen.patch +++ b/SOURCES/1004-Remove-csrgen.patch @@ -1,4 +1,4 @@ -From 9c081314d0d6bd4d06b8982e575808cc31dcf81e Mon Sep 17 00:00:00 2001 +From 376335dad5438a082e411daf34edb39e738861a5 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Thu, 16 Mar 2017 09:44:21 +0000 Subject: [PATCH] Remove csrgen @@ -403,5 +403,5 @@ index 79111ab686b4fe25227796509b3cd3fcb54af728..00000000000000000000000000000000 @@ -1 +0,0 @@ -{{ options|join(";") }} -- -2.20.1 +2.23.0 diff --git a/SOURCES/1005-Removing-filesystem-encoding-check.patch b/SOURCES/1005-Removing-filesystem-encoding-check.patch index 805a6b3..0791d59 100644 --- a/SOURCES/1005-Removing-filesystem-encoding-check.patch +++ b/SOURCES/1005-Removing-filesystem-encoding-check.patch @@ -1,4 +1,4 @@ -From dbb765507f3c691e437cf6284fb388d91ab630dd Mon Sep 17 00:00:00 2001 +From 53dea5370de10eef64a11fede6e2033f13fd2b25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tibor=20Dudl=C3=A1k?= Date: Fri, 10 Aug 2018 13:16:38 +0200 Subject: [PATCH] Removing filesystem encoding check @@ -126,5 +126,5 @@ index b660532bd6e8db964b8287845ed1b5ebbcb43b9b..60309c58f250a263c8c3d13b0b47773b IPA_NOT_CONFIGURED = b'IPA is not configured on this system' IPA_CLIENT_NOT_CONFIGURED = b'IPA client is not configured on this system' -- -2.20.1 +2.23.0 
diff --git a/SOURCES/ipa-centos-branding.patch b/SOURCES/ipa-centos-branding.patch deleted file mode 100644 index 673cd2f..0000000 --- a/SOURCES/ipa-centos-branding.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 99efecaf87dc1fc9517efaff441a6a7ce46444eb Mon Sep 17 00:00:00 2001 -From: Jim Perrin -Date: Wed, 11 Mar 2015 10:37:03 -0500 -Subject: [PATCH] update for new ntp server method - ---- - ipaplatform/base/paths.py | 1 + - ipaserver/install/ntpinstance.py | 2 ++ - 2 files changed, 3 insertions(+) - -diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py -index af50262..5090062 100644 ---- a/ipaplatform/base/paths.py -+++ b/ipaplatform/base/paths.py -@@ -99,6 +99,7 @@ class BasePathNamespace(object): - PKI_TOMCAT_ALIAS_DIR = "/etc/pki/pki-tomcat/alias/" - PKI_TOMCAT_PASSWORD_CONF = "/etc/pki/pki-tomcat/password.conf" - ETC_REDHAT_RELEASE = "/etc/redhat-release" -+ ETC_CENTOS_RELEASE = "/etc/centos-release" - RESOLV_CONF = "/etc/resolv.conf" - SAMBA_KEYTAB = "/etc/samba/samba.keytab" - SMB_CONF = "/etc/samba/smb.conf" -diff --git a/ipaserver/install/ntpinstance.py b/ipaserver/install/ntpinstance.py -index c653525..4b0578b 100644 ---- a/ipaserver/install/ntpinstance.py -+++ b/ipaserver/install/ntpinstance.py -@@ -44,6 +44,8 @@ class NTPInstance(service.Service): - os = "" - if ipautil.file_exists(paths.ETC_FEDORA_RELEASE): - os = "fedora" -+ elif ipautil.file_exists(paths.ETC_CENTOS_RELEASE): -+ os = "centos" - elif ipautil.file_exists(paths.ETC_REDHAT_RELEASE): - os = "rhel" - --- -1.8.3.1 - diff --git a/SPECS/ipa.spec b/SPECS/ipa.spec index c8c75ab..fedd58d 100644 --- a/SPECS/ipa.spec +++ b/SPECS/ipa.spec @@ -102,7 +102,7 @@ Name: ipa Version: %{IPA_VERSION} -Release: 11%{?dist}.3 +Release: 11%{?dist}.4 Summary: The Identity, Policy and Audit system Group: System Environment/Base 
@@ -110,9 +110,9 @@ License: GPLv3+
 URL: http://www.freeipa.org/
 Source0: https://releases.pagure.org/freeipa/freeipa-%{version}.tar.gz
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#Source1: header-logo.png
-#Source2: login-screen-background.jpg
-#Source4: product-name.png
+Source1: header-logo.png
+Source2: login-screen-background.jpg
+Source4: product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -178,6 +178,12 @@ Patch0058: 0058-Fix-CustodiaClient-ccache-handling.patch
 Patch0059: 0059-CustodiaClient-use-ldapi-when-ldap_uri-not-specified.patch
 Patch0060: 0060-CustodiaClient-fix-IPASecStore-config-on-ipa-4-7.patch
 Patch0061: 0061-Bump-krb5-min-version.patch
+Patch0062: 0062-DL0-replica-install-fix-nsDS5ReplicaBindDN-config.patch
+Patch0063: 0063-extdom-unify-error-code-handling-especially-LDAP_NO_.patch
+Patch0064: 0064-ipa-extdom-extop-test-timed-out-getgrgid_r.patch
+Patch0065: 0065-Make-sure-to-have-storage-space-for-tag.patch
+Patch0066: 0066-CVE-2019-10195-Don-t-log-passwords-embedded-in-comma.patch
+Patch0067: 0067-trust-upgrade-ensure-that-host-is-member-of-adtrust-.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 Patch1002: 1002-Package-copy-schema-to-ca.py.patch
 Patch1003: 1003-Revert-Increased-mod_wsgi-socket-timeout.patch
@@ -207,7 +213,8 @@ BuildRequires: python-setuptools
 %if 0%{?with_python3}
 BuildRequires: python3-devel
 BuildRequires: python3-setuptools
-%endif # with_python3
+%endif
+# with_python3
 BuildRequires: systemd
 # systemd-tmpfiles which is executed from make install requires apache user
 BuildRequires: httpd
@@ -244,7 +251,8 @@ BuildRequires: rhino
 BuildRequires: libverto-devel
 BuildRequires: libunistring-devel
 BuildRequires: python-lesscpy
-%endif # ONLY_CLIENT
+%endif
+# ONLY_CLIENT
 #
 # Build dependencies for makeapi/makeaci
@@ -270,7 +278,8 @@ BuildRequires: python2-wheel
 BuildRequires: python3-twine
 BuildRequires: python3-wheel
 %endif
-%endif # with_wheels
+%endif
+# with_wheels
 #
 # Build dependencies for lint and fastcheck
@@ -354,8 +363,10 @@ BuildRequires: python3-systemd
 # python-augeas >= 0.5 supports replace method
 BuildRequires: python3-augeas >= 0.5
 BuildRequires: python3-ldap >= %{python3_ldap_version}
-%endif # with_python3
-%endif # with_lint
+%endif
+# with_python3
+%endif
+# with_lint
 #
 # Build dependencies for unit tests
@@ -364,7 +375,8 @@ BuildRequires: python3-ldap >= %{python3_ldap_version}
 BuildRequires: libcmocka-devel
 # Required by ipa_kdb_tests
 BuildRequires: %{_libdir}/krb5/plugins/kdb/db2.so
-%endif # ONLY_CLIENT
+%endif
+# ONLY_CLIENT
 %description
 IPA is an integrated solution to provide centrally managed Identity (users,
@@ -431,10 +443,7 @@ Requires: oddjob
 Requires: gssproxy >= 0.7.0-2
 # 1.15.2: FindByNameAndCertificate (https://pagure.io/SSSD/sssd/issue/3050)
 Requires: sssd-dbus >= 1.15.2
-
-%if 0%{?centos} == 0
 Requires: system-logos >= 70.7.0
-%endif
 Provides: %{alt_name}-server = %{version}
 Conflicts: %{alt_name}-server
@@ -534,7 +543,8 @@ features for further integration with Linux based clients (SUDO, automount)
 and integration with Active Directory based infrastructures (Trusts).
 If you are installing an IPA server, you need to install this package.
-%endif # with_python3
+%endif
+# with_python3
 %package server-common
@@ -613,7 +623,8 @@ Cross-realm trusts with Active Directory in IPA require working Samba 4
 installation. This package is provided for convenience to install all required
 dependencies at once.
-%endif # ONLY_CLIENT
+%endif
+# ONLY_CLIENT
 %package client
@@ -711,7 +722,8 @@ and integration with Active Directory based infrastructures (Trusts).
 If your network uses IPA for authentication, this package should be installed
 on every client machine.
-%endif # with_python3
+%endif
+# with_python3
 %package client-common
@@ -857,7 +869,8 @@ features for further integration with Linux based clients (SUDO, automount)
 and integration with Active Directory based infrastructures (Trusts).
 If you are using IPA with Python 3, you need to install this package.
-%endif # with_python3
+%endif
+# with_python3
 %package common
@@ -948,9 +961,11 @@ features for further integration with Linux based clients (SUDO, automount)
 and integration with Active Directory based infrastructures (Trusts).
 This package contains tests that verify IPA functionality under Python 3.
-%endif # with_python3
+%endif
+# with_python3
-%endif # with_ipatests
+%endif
+# with_ipatests
 %prep
@@ -981,12 +996,13 @@ done
 # Workaround: We want to build Python things twice. To be sure we do not mess
 # up something, do two separate builds in separate directories.
 cp -r %{_builddir}/freeipa-%{version} %{_builddir}/freeipa-%{version}-python3
-%endif # with_python3
+%endif
+# with_python3
 # RHEL spec file only: START: Change branding to IPA and Identity Management
-#cp %SOURCE1 install/ui/images/header-logo.png
-#cp %SOURCE2 install/ui/images/login-screen-background.jpg
-#cp %SOURCE4 install/ui/images/product-name.png
+cp %SOURCE1 install/ui/images/header-logo.png
+cp %SOURCE2 install/ui/images/login-screen-background.jpg
+cp %SOURCE4 install/ui/images/product-name.png
 # RHEL spec file only: END: Change branding to IPA and Identity Management
@@ -1010,8 +1026,7 @@ find \
 %configure --with-vendor-suffix=-%{release} \
 %{enable_server_option} \
 %{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
 %make_build
@@ -1032,10 +1047,10 @@ find \
 %configure --with-vendor-suffix=-%{release} \
 %{enable_server_option} \
 %{with_ipatests_option} \
- %{linter_options} \
- --with-ipaplatform=rhel
+ %{linter_options}
 popd
-%endif # with_python3
+%endif
+# with_python3
 %check
 make %{?_smp_mflags} check VERBOSE=yes LIBDIR=%{_libdir}
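Review bot: Dropping `--with-ipaplatform=rhel` from the `%configure` line in the `@@ -1010,8 +1026,7 @@` hunk leaves the ipaplatform selection to configure's autodetection (presumably driven by the build host's /etc/os-release), so the same spec can produce a package with a different platform module depending on where it is built, instead of the platform being fixed by the spec itself. If building the rhel platform is the intent, keeping the explicit option, `    %{linter_options} \` / `    --with-ipaplatform=rhel`, pins it independently of the builder; if autodetection is intended, a `# ipaplatform is autodetected by configure from the build host` comment above `%configure` would record that decision for the next maintainer. The same removal is made on the second `%configure` invocation in the `@@ -1032,10 +1047,10 @@` hunk (the python3 build). The enclosing `%build` section starts and ends outside these hunks.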
@@ -1065,10 +1080,12 @@ pushd %{_builddir}/freeipa-%{version}-python3
 (cd ipapython && %make_install)
 %if ! %{ONLY_CLIENT}
 (cd ipaserver && %make_install)
-%endif # ONLY_CLIENT
+%endif
+# ONLY_CLIENT
 %if 0%{?with_ipatests}
 (cd ipatests && %make_install)
-%endif # with_ipatests
+%endif
+# with_ipatests
 popd
 %if 0%{?with_ipatests}
@@ -1078,9 +1095,11 @@ mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{p
 ln -s %{_bindir}/ipa-run-tests-%{python3_version} %{buildroot}%{_bindir}/ipa-run-tests-3
 ln -s %{_bindir}/ipa-test-config-%{python3_version} %{buildroot}%{_bindir}/ipa-test-config-3
 ln -s %{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-test-task-3
-%endif # with_ipatests
+%endif
+# with_ipatests
-%endif # with_python3
+%endif
+# with_python3
 # Python 2 installation
 %make_install
@@ -1092,7 +1111,8 @@ mv %{buildroot}%{_bindir}/ipa-test-task %{buildroot}%{_bindir}/ipa-test-task-%{p
 ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests-2
 ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config-2
 ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task-2
-%endif # with_ipatests
+%endif
+# with_ipatests
 # Decide which Python (2 or 3) should be used as default for tests
 %if 0%{?with_ipatests}
@@ -1106,17 +1126,17 @@ ln -s %{_bindir}/ipa-test-task-%{python3_version} %{buildroot}%{_bindir}/ipa-tes
 ln -s %{_bindir}/ipa-run-tests-%{python2_version} %{buildroot}%{_bindir}/ipa-run-tests
 ln -s %{_bindir}/ipa-test-config-%{python2_version} %{buildroot}%{_bindir}/ipa-test-config
 ln -s %{_bindir}/ipa-test-task-%{python2_version} %{buildroot}%{_bindir}/ipa-test-task
-%endif # with_python3
-%endif # with_ipatests
+%endif
+# with_python3
+%endif
+# with_ipatests
 # remove files which are useful only for make uninstall
 find %{buildroot} -wholename '*/site-packages/*/install_files.txt' -exec rm {} \;
-%if 0%{?centos} == 0
 # RHEL spec file only: START: Replace login-screen-logo.png with a symlink
 ln -sf %{_datadir}/pixmaps/fedora-gdm-logo.png %{buildroot}%{_usr}/share/ipa/ui/images/login-screen-logo.png
 # RHEL spec file only: END: Replace login-screen-logo.png with a symlink
-%endif
 %find_lang %{gettext_domain}
@@ -1160,14 +1180,16 @@ touch %{buildroot}%{_libdir}/krb5/plugins/libkrb5/winbind_krb5_locator.so
 cp contrib/copy-schema-to-ca-RHEL6.py %{buildroot}%{_usr}/share/ipa/copy-schema-to-ca.py
 # RHEL spec file only: END: Package copy-schema-to-ca.py
-%endif # ONLY_CLIENT
+%endif
+# ONLY_CLIENT
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/default.conf
 /bin/touch %{buildroot}%{_sysconfdir}/ipa/ca.crt
 %if ! %{ONLY_CLIENT}
 mkdir -p %{buildroot}%{_sysconfdir}/cron.d
-%endif # ONLY_CLIENT
+%endif
+# ONLY_CLIENT
 %clean
@@ -1266,7 +1288,8 @@ if [ $1 -eq 0 ]; then
 /bin/systemctl reload-or-try-restart oddjobd
 fi
-%endif # ONLY_CLIENT
+%endif
+# ONLY_CLIENT
 %post client
@@ -1457,7 +1480,8 @@ fi
 %{python3_sitelib}/ipaserver
 %{python3_sitelib}/ipaserver-*.egg-info
-%endif # with_python3
+%endif
+# with_python3
 %files server-common
@@ -1574,7 +1598,8 @@ fi
 %{_sysconfdir}/oddjobd.conf.d/oddjobd-ipa-trust.conf
 %%attr(755,root,root) %{_libexecdir}/ipa/oddjob/com.redhat.idm.trust-fetch-domains
-%endif # ONLY_CLIENT
+%endif
+# ONLY_CLIENT
 %files client
@@ -1640,7 +1665,8 @@ fi
 # RHEL spec file only: DELETED: Remove csrgen
 %{python3_sitelib}/ipaclient-*.egg-info
-%endif # with_python3
+%endif
+# with_python3
 %files client-common
@@ -1714,7 +1740,8 @@ fi
 %{python3_sitelib}/ipaplatform-*.egg-info
 %{python3_sitelib}/ipaplatform-*-nspkg.pth
-%endif # with_python3
+%endif
+# with_python3
 %if 0%{?with_ipatests}
@@ -1753,14 +1780,26 @@ fi
 %{_bindir}/ipa-test-config-%{python3_version}
 %{_bindir}/ipa-test-task-%{python3_version}
-%endif # with_python3
+%endif
+# with_python3
-%endif # with_ipatests
+%endif
+# with_ipatests
 %changelog
-* Tue Oct 15 2019 CentOS Sources - 4.6.5-11.el7.centos.3
-- Roll in CentOS Branding
+* Mon Dec 16 2019 Florence Blanc-Renaud - 4.6.5-11.el7_7.4
+- Resolves: #1781153 - After upgrade AD Trust Agents were removed from LDAP
+ - trust upgrade: ensure that host is member of adtrust agents
+- Resolves: #1777303 - CVE-2019-10195 ipa: batch API logging user passwords to /var/log/httpd/error_log
+ - CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
+- Resolves: #1773953 - User incorrectly added to negative cache when backend is reconnecting to IPA service / timed out: error code 32 'No such object'
+ - extdom: unify error code handling especially LDAP_NO_SUCH_OBJECT
+ - ipa-extdom-extop: test timed out getgrgid_r
+- Resolves: #1770728 - Issue with adding multiple RHEL 7 IPA replica to RHEL 6 IPA master
+ - DL0 replica install: fix nsDS5ReplicaBindDN config
+- Resolves: #1767300 - CVE-2019-14867 ipa: Denial of service in IPA server due to wrong use of ber_scanf()
+ - Make sure to have storage space for tag
 * Mon Sep 30 2019 Florence Blanc-Renaud - 4.6.5-11.el7_7.3
 - Resolves: #1756914 - Sub-CA key replication failure