<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<html lang="en">
<head>
<meta content="text/html; charset=US-ASCII" http-equiv="Content-Type">
<title>
GitLab
</title>
<style>img {
max-width: 100%; height: auto;
}
</style>
</head>
<body>
<div class="content">
<h3>
Timo Aaltonen pushed to branch upstream
at <a href="https://salsa.debian.org/freeipa-team/freeipa">FreeIPA packaging / freeipa</a>
</h3>
<h4>
Commits:
</h4>
<ul>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2422970c34849192b15d1798eae9b11a400e7119">2422970c</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-11-13T08:38:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Use default ssh host key algorithms
ipa-client-install no longer overrides SSH client settings for
HostKeyAlgorithms. It's no longer necessary to configure
HostKeyAlgorithms. The setting was disabling modern algorithms and
enabled a weak algorithm that is blocked in FIPS code.
The ipa-client package removes IPA's custom HostKeyAlgorithm from
/etc/ssh/ssh_config during package update. Non-IPA settings are not
touched.
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1756432
Fixes: https://pagure.io/freeipa/issue/8082
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0cd2f4ee337595c7e39e00cfef5e99f5d87768c9">0cd2f4ee</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-11-14T17:56:55+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test installation with (fake) userspace FIPS
Based on userspace FIPS mode by Ondrej Moris.
Userspace FIPS mode fakes a Kernel in FIPS enforcing mode. User space
programs behave like the Kernel was booted in FIPS enforcing mode. Kernel
space code still runs in standard mode.
Fixes: https://pagure.io/freeipa/issue/8118
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/444df81a3de320ebfabfa90c3e6c7a17d986f1b1">444df81a</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2019-11-19T17:43:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix adding member manager for groups and host groups
- fix API method call for adding member manager
- fix regressions in host group associated tables
Ticket: https://pagure.io/freeipa/issue/8123
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2c98d76042ca37c499b4751e305d86b4a85d9286">2c98d760</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-11-20T18:51:15+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Show group-add/remove-member-manager failures
Commands like ipa group-add-member-manager now show permission
errors on failed operations.
Fixes: https://pagure.io/freeipa/issue/8122
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e011906af7c5274ddcc551c68ba5438b6180b3cd">e011906a</a></strong>
<div>
<span>by Cédric Jeanneret</span>
<i>at 2019-11-21T10:38:49+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update selinux-policy minimal requirement
Since 6c2710446718828e6840ac34ea6fc704ae6790db we need a new selinux
policy in order to ensure /etc/named directory content has the correct
selinux flags.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/18540386230e295087296e58761ced2b781ae4e3">18540386</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-11-21T10:44:37+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Do not run trust upgrade code if master lacks Samba bindings
If a replica has no Samba bindings but there are trust agreements
configured on some trust controller, skip trust upgrade code on this
replica.
Resolves: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d26429ea285857b55a4c78b63eea436618a861f5">d26429ea</a></strong>
<div>
<span>by Serhii Tsymbaliuk</span>
<i>at 2019-11-22T12:30:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">WebUI: Fix notification area layout
The fix prevents blocking elements in the right side near notification area.
Notification area now has fixed width and it isn't offset.
Also notification icon is aligned to notification text.
Ticket: https://pagure.io/freeipa/issue/8120
Signed-off-by: Serhii Tsymbaliuk <stsymbal@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4dbd689e301a20d38a40e827ba58bc5c667ff0d8">4dbd689e</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-11-25T13:18:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Allow presence of LDAP attribute options
LDAP attribute options aren't enforced in the LDAP schema. They
represent server- and client-side treatment of attribute values but the
schema definition knows nothing about them.
When we check attribute presence in the entry, we should strip options
before comparing attribute names with the schema.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/14ff82f3b86ceeb0836b0354b7edb965db72b494">14ff82f3</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-11-25T13:18:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add Authentication Indicator Kerberos ticket policy options
For the authentication indicators 'otp', 'radius', 'pkinit', and
'hardened', allow specifying maximum ticket life and maximum renewable
age in Kerberos ticket policy.
The policy extensions are now loaded when a Kerberos principal data is
requested by the KDC and evaluated in AS_REQ KDC policy check. If one of
the authentication indicators mentioned above is present in the AS_REQ,
corresponding policy is applied to the ticket.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bc007eca9361709f65bb9da0a8cc101a0b978ef1">bc007eca</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2019-11-25T13:18:36+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add integration test for Kerberos ticket policy
This also exercises the Authentication Indicator Kerberos ticket
policy options by testing a specific indicator type.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/1ca93942b852285c81fb6b951051446841b4af8f">1ca93942</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2019-11-25T13:56:20+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Debian: Fix font-awesome path.
Signed-off-by: Timo Aaltonen <tjaalton@debian.org>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/04cfaa1861d4c88eab6b3d29fbb68e2ae2223214">04cfaa18</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2019-11-25T17:24:46+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Nightly definition: use right template for krbtpolicy
The ipaserver template triggers the installation of IPA server
before the tests are launched and should not be used for
test_integration tests
Switch to master_1repl template.
Related: https://pagure.io/freeipa/issue/8001
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d5be38a5bb4263a6e67552b5dd9b606aceec3d41">d5be38a5</a></strong>
<div>
<span>by François Cami</span>
<i>at 2019-11-26T10:12:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DSU: add Design for Disable Stale Users
Add disable-stale-users.md: feature document for the upcoming DSU feature..
Fixes: https://pagure.io/freeipa/issue/8104
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/8cbf47ae668c1cdff64b91bb0cda272b1c93b99e">8cbf47ae</a></strong>
<div>
<span>by Sergey Orlov</span>
<i>at 2019-11-26T13:45:14+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: add check that ipa-adtrust-install generates sane smb.conf
Related to: https://pagure.io/freeipa/issue/6951
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d2e0d94521893bc5f002a335a8c0b99601e1afd6">d2e0d945</a></strong>
<div>
<span>by Simo Sorce</span>
<i>at 2019-11-26T13:52:12+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Make sure to have storage space for tag
ber_scanf expects a pointer to a ber_tag_t to return the tag pointed at
by "t", if that is not provided the pointer will be store in whatever
memory location is pointed by the stack at that time causeing a crash.
Note that this is effectively unused code because in ipa-kdb the only
party that can write a key_data structure to be stored is te kdb_driver
itself and we never encode these s2kparam data.
But we need to handle this for future proofing.
Fixes #8071
Signed-off-by: Simo Sorce <simo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/7db2000e12b217126febb6bcaf11acfe52388926">7db2000e</a></strong>
<div>
<span>by Rob Crittenden</span>
<i>at 2019-11-26T15:25:20+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">CVE-2019-10195: Don't log passwords embedded in commands in calls using batch
A raw batch request was fully logged which could expose parameters
we don't want logged, like passwords.
Override _repr_iter to use the individual commands to log the
values so that values are properly obscured.
In case of errors log the full value on when the server is in
debug mode.
Reported by Jamison Bennett from Cloudera
Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-by: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/11be139069d1c4312858cddccb6c3f578f256109">11be1390</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-11-26T15:28:16+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.8.3
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/90f2866163b6fb4ec7f533e8d4820089b804d707">90f28661</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-11-29T11:44:43+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix otptoken_sync plugin
The plugin had two bugs:
For one it did not work under Python 3 because urlencode() returns a string
but HTTPSHandler expects bytes as data argument.
The primary key field name is not available in client plugins. Just pass
the token name and let server code convert the name to DN.
Fixes: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dfa356e3d60468fab9eb873adfa0b08a7f8fd842">dfa356e3</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-11-29T11:44:43+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add test case for OTP login
Add integration tests to verify HOTP, TOTP, service with OTP auth
indicator, and OTP token sync.
Related: https://pagure.io/freeipa/issue/7804
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/84592e32c5b59b7b654a0a74b5cc8c1350af6451">84592e32</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-11-29T13:05:56+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">covscan: free encryption types in case there is an error
Even when a number of translated encryption types is zero, the array
might still be allocated. Call free() in any case as free(NULL) does
nothing.
Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/eebabb5c5fe7478b391770a857fb9be4f0d60a9c">eebabb5c</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-11-29T13:05:56+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">covscan: free ucs2-encoded password copy when generating NTLM hash
On successful code path we leak internal copy of the ucs2-encoded
password.
Fixes: https://pagure.io/freeipa/issue/8131
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c77b06265bfb08d85bb4bd875cdb104ce239356d">c77b0626</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2019-11-29T16:52:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: generic uninstall should call ipa server-del
At the end of any integration test, the method uninstall is called and
uninstalls master, replicas and clients.
Usually the master is the CA renewal master and DNSSec master, and
uninstallation may fail.
This commits modifies the uninstall method in order to:
- call 'ipa server-del replica' before running uninstall on a replica
- uninstall the replicas before uninstalling the master
Fixes: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ab67e0ed35a7a9f23e1b61f61ec6503a3a97231d">ab67e0ed</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2019-11-29T16:52:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix teardown
The uninstall method of some tests can be skipped as the cleanup is
already done before.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/dd06dfc97c24ba31e102d675558561ddba5ca216">dd06dfc9</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2019-11-29T16:52:26+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix test_crlgen_manage
The goal of the last test in test_crlgen_manage is to ensure that
ipa-server-install --uninstall can proceed if the server is the last one
in the topology, even if it is the CRL generation master.
The current code is wrong because it tries to uninstall the master
(which has already been uninstalled in the prev test), It should rather
uninstall replicas[0].
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6ce6b53de376ff6338df318d37330d531725e1be">6ce6b53d</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-02T11:02:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Remove FIPS noise from SSHd
When a system is in FIPS mode, SSHd can prints some noise to stderr:
FIPS mode initialized\r\n
This noise causes interference and breakage of some tests. Remove the
noise from stderr_bytes, which automatically fixes stderr_text, too.
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9091290a3e813f491f99626db3d07cbfe99a1d99">9091290a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-02T11:02:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">FIPS: server key has different name in FIPS mode
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/82a4faefd2c719a1e269733280f4141241d89b68">82a4faef</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-02T11:02:28+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Skip paramiko tests in FIPS mode
Paramiko is not compatible with FIPS mode. It uses MD5 on the client
side and does not support rsa-sha2 connections for RSA auth.
See: https://pagure.io/freeipa/issue/8129
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/f7de64c38b11d8fb22d313853b6113da1df449be">f7de64c3</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-02T17:54:24+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable TLS 1.3 support on the server
urllib3 now supports post-handshake authentication with TLS 1.3. Enable
TLS 1.3 support for Apache HTTPd.
The update depends on bug fixes for TLS 1.3 PHA support in urllib3 and
Apache HTTPd. New builds are available in freeipa-master COPR and in
F30/F31.
Overwrite crypto-policy on Fedora only. Fedora 31 and earlier have TLS
1.0 and 1.1 still enabled by default.
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ae9e41baddbf30ab2002455b06886be9e12ae453">ae9e41ba</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-02T17:54:24+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Update Apache HTTPd for RHBZ#1775146
Fedora 30 update FEDORA-2019-d54e892077 httpd-2.4.41-6.1.fc30
Fedora 31 update FEDORA-2019-ae1dd32c5f httpd-2.4.41-9.fc31
RHEL 8.2 RHEA-2019:47297-02 httpd-2.4.37-21
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b655586225c8587fc9e4522d1e25458f10c63f86">b6555862</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-02T17:54:24+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Don't hard-code client's TLS versions and ciphers
Client connections no longer override TLS version range and ciphers by
default. Instead clients use the default settings from the system's
crypto policy.
Minimum TLS version is now TLS 1.2. The default crypto policy on
RHEL 8 sets TLS 1.2 as minimum version, while Fedora 31 sets TLS 1.0 as
minimum version. The minimum version is configured with OpenSSL 1.1.1
APIs. Python 3.6 lacks the setters to override the system policy.
The effective minimum version is always TLS 1.2, because FreeIPA
reconfigures Apache HTTPd on Fedora.
Fixes: https://pagure.io/freeipa/issue/8125
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6486b1aa4c52f765ed0f10a4d055be7eff479f1c">6486b1aa</a></strong>
<div>
<span>by Armando Neto</span>
<i>at 2019-12-02T20:11:02-03:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">travis: Remove CI integration
Removing Travis CI in favour of Azure Pipelines.
All tests previously tested by Travis are also configured in Azure.
Repos [1] and [2] were used to build Docker images for Travis, thus
they are no longer required for branches master and ipa-4-8.
Branches ipa-4-7 and ipa-4-6 don't have Azure pipelines configured,
so Travis will continue to be used by them.
1 - https://github.com/freeipa/ipa-docker-test-runner
2 - https://github.com/freeipa/freeipa-builder
Related: https://pagure.io/freeipa/issue/7323
Signed-off-by: Armando Neto <abiagion@redhat.com>
Reviewed-By: Francisco Trivino <ftrivino@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b21128c2d7575c6eba6a52fa4448a9a2c7b56913">b21128c2</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2019-12-04T10:41:46+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">trust upgrade: ensure that host is member of adtrust agents
After an upgrade, the group cn=adtrust agents may be missing some members.
Each ad trust controller must appear twice as member:
- krbprincipalname=cifs/hostname@realm,cn=services,cn=accounts,basedn
- fqdn=hostname,cn=computers,cn=accounts,basedn
Add an upgrade plugin that builds a list of hostnames from the cifs
principals and adds if needed fqdn=hostname...
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1778777
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Alexander Bokovoy <abbra@users.noreply.github.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/0785a032dfec0537aa90616fa0853abfe5ec058a">0785a032</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-05T17:47:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Optimize user-add by caching ldap2.has_upg()
The method has_upg returns if user private groups are enabled or
disabled. has_upg() is called three times by user-add. The setting is
now cached on the request local variable context to speed up batch
processing of user imports.
context is cleared after every request.
Related: https://pagure.io/freeipa/issue/8134
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/5d847cfb1d3779524e28d186c260db438bdf1369">5d847cfb</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-05T17:47:45+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix logic of check_client_configuration
The helper function ipalib.util.check_client_configuration() now
considers a client configured when either:
* confdir is overridden (e.g. with IPA_CONFDIR) and the conf_default
file exists.
* confdir is /etc/ipa, /etc/ipa/default.conf exists and client
sysrestore state exists.
The check for sysrestore state is faster than checking for the presence
of the directory and presence of files in the directory. The sysrestore
state is always presence. sysrestore.index may be missing if no files
were backed up.
Fixes: https://pagure.io/freeipa/issue/8133
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/bb8da7d388b1ff4077a443c04dbbf440d8f76b06">bb8da7d3</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2019-12-06T10:28:07+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix TestMigrateDNSSECMaster teardown
The test is installing master +DNSSEC, then replica and migrates the DNSSEC
to the replica.
During teardown, the replica is removed with ipa server-del. This operation
deletes the entries cn=DNS and cn=DNSSEC on the master, but if the
replication is stopped before the operations are replicated on the replica,
the replica may end up with a dangling cn=DNSSEC entry and no cn=DNS entry.
In this case ipa-server-install --uninstall on the replica will fail.
The fix: uninstall the DNSSec master as the last step of teardown
Related: https://pagure.io/freeipa/issue/7985
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/fa952666df448df89aa6f96758c4c1593a30e79f">fa952666</a></strong>
<div>
<span>by Anuja More</span>
<i>at 2019-12-10T16:21:31+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests : Login via ssh using private-key for ipa-user should work.
Added test for : https://pagure.io/SSSD/sssd/issue/3937
Signed-off-by: Anuja More <amore@redhat.com>
Reviewed-By: Sergey Orlov <sorlov@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9f726a20d947b7d4a87a6f96a6967cfc85fbc2de">9f726a20</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-11T14:29:12+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix lite-server to work with GSS_NAME
The lite-server does no longer work correctly since rpcserver is also
using GSS_NAME. Set up GSS_NAME from ccache.
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/999ebc176b50d5a097c72b0ef50d62acb8702f6d">999ebc17</a></strong>
<div>
<span>by MIZUTA Takeshi</span>
<i>at 2019-12-11T14:29:52+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Add config that maintains existing content to ipa-client-install manpage
If --no-ssh and --no-sshd are not specified in ipa-client-install,
/etc/ssh/{ssh, sshd}_config is updated and existing content is maintained..
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/2fc5990a73007bfc1273228efa09755b1db2983f">2fc5990a</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-11T14:30:25+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Check valid before/after of external certs
verify_server_cert_validity() and verify_ca_cert_validity() now check
the validity time range of external certificates. The check fails if the
certificate is not valid yet or will expire in less than an hour.
Fixes: https://pagure.io/freeipa/issue/8142
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/6a953733f577f4e065a3bd2fa7c5597950d39f6f">6a953733</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-11T14:31:50+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Require idstart to be larger than UID_MAX
ipa-server-install fails if idstart is set to 0. There might be
additional issues when idstart overlaps with local users. Ensure that
idstart is larger than UID_MAX or GID_MAX from /etc/login.defs.
Fixes: https://pagure.io/freeipa/issue/8137
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/b39ee3e1721b6d8234dd209343a8b01dbeaf3d3a">b39ee3e1</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-11T14:32:19+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix service ldap_disable()
Fix comparison bug that prevents ldap_disable to actually disable a
service.
Fixes: https://pagure.io/freeipa/issue/8143
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/9462e4c4b6e37fd1178f96d6d901db8d115c4cfb">9462e4c4</a></strong>
<div>
<span>by Christian Heimes</span>
<i>at 2019-12-12T13:38:34+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Fix get_trusted_domain_object_from_sid()
DomainValidator.get_trusted_domain_object_from_sid() was using
escape_filter_chars() with bytes. The function only works with text.
This caused idview to fail under some circumstances. Reimplement
backslash hex quoting for bytes.
Fixes: https://pagure.io/freeipa/issue/7958
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/62f0bd0bb8194b0998fca0e582725a6f63bc9154">62f0bd0b</a></strong>
<div>
<span>by François Cami</span>
<i>at 2019-12-12T11:39:32-05:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">adtrust.py: mention restarting sssd when adding trust agents
After adding a replica to AD trust agent, the warning
message does not mention that restarting sssd is mantatory
for the trust agent to work. Fix the string.
Fixes: https://pagure.io/freeipa/issue/8148
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/4cf01e72ad2ab67229a7122aee24f6c4ebd40604">4cf01e72</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-12-13T03:52:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">DNS install check: allow overlapping zone to be from the master itself
When re-running `ipa-server-install --setup-dns` on already installed
server, we do not get to the check of being already installed because
DNS zone overlap forces us to fail earlier.
Change exception returned for this case from check_zone_overlap() to
return structured information that allows to understand whether we are
finding a conflict with ourselves.
Use the returned information to only fail DNS check at this point if DNS
zone overlap is generated by a different name server than ourselves.
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/ba28073c19cf28d48911bf384da0257a27319a67">ba28073c</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2019-12-13T03:52:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Test repeated installation of the primary with DNS enabled and domain set
Test that a repeated installation of the primary with DNS enabled
will lead to a already installed message and not in "DNS zone X
already exists in DNS" in check_zone_overlap.
The error is only occuring if domain is set explicitly in the command
line installer as check_zone_overlap is used in the domain_name validator..
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/71ea25c60b2de3888a6b66dbfc8afc2c7882687a">71ea25c6</a></strong>
<div>
<span>by Thomas Woerner</span>
<i>at 2019-12-13T03:52:00+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Enable TestInstallMasterDNSRepeatedly in prci_definitions
For fedora-latest, pki-fedora, fedora-previous and fedora-rawhide
Reviewed-By: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/aaf8fccbb65e82d33c6e3675f3195163feb8af34">aaf8fccb</a></strong>
<div>
<span>by Sumit Bose</span>
<i>at 2019-12-13T11:21:17+01:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-kdb: Remove keys if password auth is disabled
With commit 15ff9c8 a check was removed and as a result Kerberos keys
are unconditionally added to the user entry struct if they are
available. As a result the password related pre-authentication methods
PA-ENC-TIMESTAMP and PA-ETYPE-INFO2 are advertised in the NEEDED_PREAUTH
reply to an AS_REQ.
With respect to the KDC policies this does not matter much because if
password authentication is disabled for the given principal the policy
will reject the AS_REQ if the user tries password authentication. This
is possible because with commit 15ff9c8 kinit will ask for a password if
called without any additional options (e.g. armor ticket or PKINIT
identity). Before 15ff9c8 was committed it just failed with 'kinit:
Pre-authentication failed: Invalid argument while getting initial
credentials' because no suitable pre-authentication method was
available. This is the same behavior as if no password was set for the
given principal.
But with this change SSSD fails to detect the available authentication
types for the given principal properly. As described in
https://docs.pagure.org/SSSD.sssd/design_pages/prompting_for_multiple_authentication_types.html
SSSD uses the MIT Kerberos responder interface to determine the
available authentication methods for the principal and does not check
the ipaUserAuthType LDAP attribute. As a result if a user has 2FA (otp)
authentication configured, which implies that a password is set as the
first factor, the responder interface will always indicate that password
authentication is available even if only opt is enabled for the user.
In this case SSSD will use a prompting which indicates that the second
factor might be optional. Additionally if prompting the user directly is
not possible (e.g. ssh with ChallengeResponseAuthentication /
KbdInteractiveAuthentication disabled) the single string entered by the
user will always be assumed as a password and not as a combination of
password and otp-token value. As a consequence authentication will
always fail because password authentication is disabled for the user and
since SSSD does not do try-and-error 2FA is not tried.
This patch add back the check so that if password authentication is not
available for the principal the Kerberos will not be added to the entry
struct and the KDC will not advertise PA-ENC-TIMESTAMP or
PA-ETYPE-INFO2. If you think this is wrong and the behavior added by
15ff9c8 should be preferred SSSD handing of the available authentication
types must be extended to read ipaUserAuthType as well to restore the
user experience with respect to 2FA prompting and ssh behavior.
Related to https://pagure.io/freeipa/issue/8001
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/c00ec940db5ec759e152a646a7ee10f73f31bdfb">c00ec940</a></strong>
<div>
<span>by François Cami</span>
<i>at 2019-12-13T17:46:27+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests/test_nfs.py: wait before umount
umount calls including in cleanup do not wait.
The test failed once with:
"umount.nfs4: /home: device is busy"
which looks like a leftover open file descriptor.
Add wait periods before umount.
Fixes: https://pagure.io/freeipa/issue/8144
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Thomas Woerner <twoerner@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/d7a2c71742c62ce87d04b78542314b51247ba54c">d7a2c717</a></strong>
<div>
<span>by François Cami</span>
<i>at 2019-12-13T17:47:43+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipatests: fix pr-ci templates' indentation
temp_commit.yaml among others have wrong indentation:
expected 4 but found 3.
Fix indentation.
Signed-off-by: François Cami <fcami@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
Reviewed-By: Armando Neto <abiagion@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/e1d11aa6b1b03b57adf8deba681aa0fa25861c5e">e1d11aa6</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-12-13T20:24:56+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-client-samba: map domain sid of trust domain properly for display
Trusted domain object in LDAP uses ipaNTTrustedDomainSID attribute to
store SID of the trusted domain while IPA domain itself uses
ipaNTSecurityIdentifier. When mapping the values for printing out a
summary table, use the right mapping according to the object.
Fixes: https://pagure.io/freeipa/issue/8149
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/668a6410373c39508e5e4c95f11c9e62efa0135c">668a6410</a></strong>
<div>
<span>by Florence Blanc-Renaud</span>
<i>at 2019-12-14T14:18:19+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">ipa-cacert-manage man page: fix indentation
Fix the indentation of the SYNPOSIS section
Fixes: https://pagure.io/freeipa/issue/8138
Reviewed-By: Francois Cami <fcami@redhat.com>
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/60c12a993110150f000a34888b7c43aa7db5ac30">60c12a99</a></strong>
<div>
<span>by Alexander Bokovoy</span>
<i>at 2019-12-14T14:41:40+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Become FreeIPA 4.8.4
</pre>
</li>
<li>
<strong><a href="https://salsa.debian.org/freeipa-team/freeipa/-/commit/83db8ab1754b52cd6143e0f01e520bbc9e9ff454">83db8ab1</a></strong>
<div>
<span>by Timo Aaltonen</span>
<i>at 2020-02-06T10:44:18+02:00</i>
</div>
<pre class="commit-message" style="white-space: pre-wrap; margin: 0;">Merge tag 'release-4-8-4' into upstream
tagging FreeIPA 4.8.4
</pre>
</li>
</ul>
<h4>30 changed files:</h4>
<ul>
<li class="file-stats">
<a href="#b9d1853a1785388cebd4dc3ba4a473c163eed9f5">
<span class="deleted-file">
−
.test_runner_config.yaml
</span>
</a>
</li>
<li class="file-stats">
<a href="#dea01dd89a3b602828e630677fde5d77c06441c8">
<span class="deleted-file">
−
.travis.yml
</span>
</a>
</li>
<li class="file-stats">
<a href="#b0bdd6bd019961475f1feba50bf1618195b21467">
<span class="deleted-file">
−
.travis_run_task.sh
</span>
</a>
</li>
<li class="file-stats">
<a href="#4831b637d596df850dfe2919331d9904c0403eaa">
ACI.txt
</a>
</li>
<li class="file-stats">
<a href="#9dcdfc1feccc97e073d5d4710f3da3b5f37ad1f5">
API.txt
</a>
</li>
<li class="file-stats">
<a href="#d5b4de16d947214ec306bd57bed1bd23a939b5f9">
Makefile.am
</a>
</li>
<li class="file-stats">
<a href="#438c41c93b7f0c8b476c65c3eb42284f234bd810">
VERSION.m4
</a>
</li>
<li class="file-stats">
<a href="#8a84dc1127a684b319557e6204cc81b9909b144c">
client/ipa-getkeytab.c
</a>
</li>
<li class="file-stats">
<a href="#24d08149069d49a01ad6ec82eec3333757be12bf">
client/man/ipa-client-install.1
</a>
</li>
<li class="file-stats">
<a href="#f7975a30b3715fc8b1d73399eb0b5de9a9cc1307">
contrib/lite-server.py
</a>
</li>
<li class="file-stats">
<a href="#4776aa1d1d01bef820f34e6c2aa41644aa3f18df">
daemons/ipa-kdb/ipa_kdb.h
</a>
</li>
<li class="file-stats">
<a href="#1d425595ea8a5a85f3b1f5486032a0dc5592315b">
daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
</a>
</li>
<li class="file-stats">
<a href="#5cd6be5f06d1be10ed72f46efdd12433a8fda6c0">
daemons/ipa-kdb/ipa_kdb_principals.c
</a>
</li>
<li class="file-stats">
<a href="#d7a109a45d17c6a9a7cf0a3dc6f9c1b5a921dfae">
<span class="new-file">
+
doc/designs/disable-stale-users.md
</span>
</a>
</li>
<li class="file-stats">
<a href="#decef8d9a7b0cd5a87170e0d134df61a978d51d4">
doc/designs/krb-ticket-policy.md
</a>
</li>
<li class="file-stats">
<a href="#866dc5074431bae6d800558b8ed5d65496e9d7d8">
freeipa.spec.in
</a>
</li>
<li class="file-stats">
<a href="#fb3569f6328c4fbedd22873c9473111f7fe1c027">
install/share/60kerberos.ldif
</a>
</li>
<li class="file-stats">
<a href="#a3213f0226815cb51345eef6eb18b9c52bf77f44">
install/tools/man/ipa-cacert-manage.1
</a>
</li>
<li class="file-stats">
<a href="#aecc7f49a66d146817bcdaacbaf762ea28349683">
install/ui/ipa.css
</a>
</li>
<li class="file-stats">
<a href="#f449b5f6a0a06cd3420290bfdfc39f548df324a8">
install/ui/less/alerts.less
</a>
</li>
<li class="file-stats">
<a href="#21a342d8b6a319303bdf4da395e40fb68a53b40d">
install/ui/src/freeipa/group.js
</a>
</li>
<li class="file-stats">
<a href="#2aca66fc50d492ca109a7e7348a4fcd1146d360b">
install/ui/src/freeipa/hostgroup.js
</a>
</li>
<li class="file-stats">
<a href="#232a2659f622fb3fd72d3023954c51f1ea5f97f5">
install/updates/90-post_upgrade_plugins.update
</a>
</li>
<li class="file-stats">
<a href="#698ecc84ae2bed0e1361e2f323833485a3823090">
ipaclient/frontend.py
</a>
</li>
<li class="file-stats">
<a href="#b45fae25573119cb28af94564fae7ce054efd2a5">
ipaclient/install/client.py
</a>
</li>
<li class="file-stats">
<a href="#eb134ad3889c2e35b2ebe6043e06e7558dd5c19b">
ipaclient/install/ipa_client_samba.py
</a>
</li>
<li class="file-stats">
<a href="#4e2066635aa67f67af141965ffe24771c4773008">
ipaclient/plugins/otptoken.py
</a>
</li>
<li class="file-stats">
<a href="#825b617577d48cb5a4f0a291901606254ca157fd">
ipalib/config.py
</a>
</li>
<li class="file-stats">
<a href="#5607cb1f63c6167d423d7e6b21ec94595dd46476">
ipalib/constants.py
</a>
</li>
<li class="file-stats">
<a href="#d654d3095d14fa57e8fdf621e849b69a27a2c61d">
ipalib/util.py
</a>
</li>
</ul>
<h5>The diff was not included because it is too large.</h5>
</div>
<div class="footer" style="margin-top: 10px;">
<p style="font-size: small; color: #777;">
—
<br>
<a href="https://salsa.debian.org/freeipa-team/freeipa/-/compare/4a0017dfdb272f042e12d30c97a5e21dbc0f6624...83db8ab1754b52cd6143e0f01e520bbc9e9ff454">View it on GitLab</a>.
<br>
You're receiving this email because of your account on salsa.debian.org.
If you'd like to receive fewer emails, you can
adjust your notification settings.
</p>
</div>
</body>
</html>