[Pkg-freeipa-devel] [Git][freeipa-team/freeipa][upstream] 89 commits: Back to git snapshots

Timo Aaltonen (@tjaalton) gitlab at salsa.debian.org
Fri Nov 26 08:49:11 GMT 2021



Timo Aaltonen pushed to branch upstream at FreeIPA packaging / freeipa


Commits:
60745116 by François Cami at 2021-08-19T19:00:08+02:00
Back to git snapshots

Signed-off-by: François Cami <fcami at redhat.com>

- - - - -
210c53dd by François Cami at 2021-08-20T16:02:28+02:00
freeipa.spec.in: update 389-DS version

Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Antonio Torres <antorres at redhat.com>

- - - - -
e0aef529 by Mohammad Rizwan at 2021-08-20T16:04:42+02:00
ipatests: test to renew certs on replica using ipa-cert-fix

This test checks if ipa-cert-fix renews the certs on replica
after cert renewal on master.

related: https://pagure.io/freeipa/issue/7885

ipatests: refactor expire_cert_critical fixture

Defined method to move the date and refactor
expire_cert_critical fixture using it

ipatests: PEP8 fixes

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
a620e5e9 by Mohammad Rizwan at 2021-08-20T16:04:42+02:00
ipatests: wait while http/ldap/pkinit cert get renew on replica

LDAP/HTTP/PKINIT certificates should be renewd on replica after
moving system date. Test was failing because ipa-cert-fix ran
while these cert was not renewd and it tried to fix it.

This test adds check for replication before calling ipa-cert-fix
on replica.

Fixes: https://pagure.io/freeipa/issue/8815

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1b38afc0 by Mohammad Rizwan at 2021-08-20T16:04:42+02:00
ipatests: update the timemout for test_ipa_cert_fix.py in nightlies

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4a3a15f4 by François Cami at 2021-08-20T16:04:42+02:00
ipatests: refactor test_ipa_cert_fix with tasks

Fixes: https://pagure.io/freeipa/issue/8932
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Michal Polovka <mpolovka at redhat.com>
Reviewed-By: Armando Neto <abiagion at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
0b359fbd by Stanislav Levin at 2021-08-24T18:32:14+02:00
Azure: Run pycodestyle check in Lint job

- previously, fastlint make's target includes both the Pylint task
and pycodestyle one. The purpose of this target is a fast checking
only for changed Python files. This makes sense for pycodestyle, but
limits Pylint due to a context(file) checking. The clients which
call the code being linted are not checked at all. In Azure Pylint
(for the whole codebase) is run in the Lint task, this makes fastlint
extra for Azure.

- `Quick code style check` task used distro's Pylint, while `Lint`
task PyPI's one. This may cause different results and confuse a
user.

- `Build` task takes time longer than `Lint` one, so this change
doesn't lead to increased CI time.

- all Azure tests depend on Build and Lint tasks. Mostly it's no need
to run tests due to a probably broken code.

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
31afc004 by Stanislav Levin at 2021-08-24T18:32:14+02:00
pycodestyle: Check *.in Python files

Many of IPA Python scripts are shebang configurable scripts and
have special suffix '.in' for that. Pycodestyle by default check
only '*.py' files [0].

[0]: https://pycodestyle.pycqa.org/en/latest/intro.html

Fixes: https://pagure.io/freeipa/issue/8961
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: François Cami <fcami at redhat.com>

- - - - -
b5036b5c by Florence Blanc-Renaud at 2021-08-25T13:59:07+02:00
ipatests: use whole date for journalctl --since

When a test is executed around midnight and is checking the
journal content with --since=date, it needs to specify the
whole date (with day and time) to avoid missing entries.

If for instance --since=23:59:00 is used and the current time is
now 00:01:00, --since=23:59:00 would refer to a date in the
future and no journal entry will be found.

Fixes: https://pagure.io/freeipa/issue/8953
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
939d0f5d by Stanislav Levin at 2021-08-25T18:54:35+02:00
schema plugin: Generate stable fingerprint

If some Param defines several values for `exclude` or `include`
attributes then API schema hash will be unstable.

First, these Param's attributes are converted to frozenset
(ipalib/parameters.py), then `ipaserver.plugins.schema` plugin
converts `exclude` and `include` attrs to list. Set/frozenset in
turn, is unordered collection [0]. So, the end order of values is
undefined.
But due to the nature of sets:
> two sets are equal if and only if every element of each set is
contained in the other (each is a subset of the other)

the order of values can be ignored.

Note: other Param's attrs with type frozenset are not affected because
they are not processed by the schema plugin.

[0]: https://docs.python.org/3/library/stdtypes.html#set-types-set-frozenset

Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
14ad5223 by Stanislav Levin at 2021-08-25T18:54:35+02:00
ipatests: Add tests for `schema` Command

- the base testing of this command is made by ipaclient `schema`
remote plugin, but some specifics are not covered

- allow testing of the plugin in `development` mode(locked API).

Fixes: https://pagure.io/freeipa/issue/8955
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5abf1bc7 by Endi S. Dewata at 2021-08-27T09:46:01+02:00
Specify PKI installation log paths

The DogtagInstance.spawn_instance() and uninstall() have
been modified to specify the paths of PKI installation
logs using --log-file option on PKI 11.0.0 or later.

This allows IPA to have a full control over the log files
instead of relying on PKI's default log files.

Fixes: https://pagure.io/freeipa/issue/8966
Signed-off-by: Endi Sukma Dewata <edewata at redhat.com>

- - - - -
07e2bf73 by Florence Blanc-Renaud at 2021-08-31T16:47:16+02:00
selinux policy: allow custodia to access /proc/cpuinfo

On aarch64, custodia creates AVC when accessing /proc/cpuinfo.

According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.

audit2allow suggests to add the following:
allow ipa_custodia_t proc_t:file { getattr open read };

but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.

Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>

- - - - -
2cf0ad5c by Christian Heimes at 2021-09-01T09:18:20+02:00
Add URI system records for KDC

MIT KRB5 1.15 introduced KDC service discovery with URI records.
_kerberos and _kpasswd URI records can provide TCP, UDP, and Kerberos
KDC-Proxy references. URI lookups take precedence over SRV lookups,
falling back to SRV lookups if no URI records are found.

Also reduce TTL for system records from one day to one hour. It allows
users to remove or update discovery entries in a timely fashion.

See: https://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html#kdc-discovery
Fixes: https://pagure.io/freeipa/issue/8968
Signed-off-by: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4fca9575 by Sumit Bose at 2021-09-02T20:48:41+02:00
extdom: return LDAP_NO_SUCH_OBJECT if domains differ

If a client sends a request to lookup an object from a given trusted
domain by UID or GID and an object with matching ID is only found in a
different domain the extdom should return LDAP_NO_SUCH_OBJECT to
indicate to the client that the requested ID does not exists in the
given domain.

Resolves: https://pagure.io/freeipa/issue/8965
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a6e708ab by Rob Crittenden at 2021-09-02T21:09:29+02:00
Catch and log errors when adding CA profiles

Rather than stopping the installer entirely, catch and report
errors adding new certificate profiles, and remove the
broken profile entry from LDAP so it may be re-added later.

It was discovered that installing a newer IPA that has the
ACME profile which requires sanToCNDefault will fail when
installing a new server against a very old one that lacks
this class.

Running ipa-server-upgrade post-install will add the profile
and generate the missing ipa-ca SAN record so that ACME
can work.

https://pagure.io/freeipa/issue/8974

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
4785a909 by François Cami at 2021-09-03T09:33:22+02:00
subid: subid-match: display the owner's ID not DN

Previously, the subid-match command would output the full
DN of the owner of the matched range.
With this change, the UID of the owner is displayed, just like
for other subid- commands.

Fixes: https://github.com/freeipa/freeipa/pull/6001
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
3fb0f533 by Rob Crittenden at 2021-09-05T11:53:10+02:00
Increase default limit on LDAP searches to 100k

A similar change was attempted years ago in commit
9724251292e4c0797367fcc351a9f16f30c6aefe but it was
never applied because it used the wrong DN and because
nsslapd-timelimit is already present in the entry
the default keyword won't trigger.

Use replace instead to increase the value to 100k from
the default as originally intended.

nsslapd-sizelimit can be changed only with a MOD_REPLACE
otherwise a LDAP_NO_SUCH_ATTRIBUTE error is thrown. IPA
only uses MOD_REPLACE for single-value attributes but
nsslapd-sizelimit is not yet in schema. Add it to
the known set of exceptions for single-value attributes.

https://pagure.io/freeipa/issue/8962

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
395b0d26 by Florence Blanc-Renaud at 2021-09-08T10:34:00+02:00
ipatests: rpcclient now uses --use-kerberos=desired

The integration tests are using rpcclient delivered
by samba package. With samba 4.15, the options have
been renamed and "--use-kerberos=desired" must be
used instead of "-k".
(see
https://download.samba.org/pub/samba/rc/samba-4.15.0rc4.WHATSNEW.txt)

Adapt the test to be compatible with both old and new versions.

Fixes: https://pagure.io/freeipa/issue/8979
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>

- - - - -
3c4f9e73 by Florence Blanc-Renaud at 2021-09-08T14:47:14+02:00
migrate-ds: workaround to detect compat tree

Migrate-ds needs to check if compat tree is enabled before
migrating users and groups. The check is doing a base
search on cn=compat,$SUFFIX and considers the compat tree
enabled when the entry exists.

Due to a bug in slapi-nis, the base search may return NotFound
even though the compat tree is enabled. The workaround is to
perform a base search on cn=users,cn=compat,$SUFFIX instead.

Fixes: https://pagure.io/freeipa/issue/8984
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
4f569c68 by Florence Blanc-Renaud at 2021-09-09T07:53:48+02:00
ipatests: fix logic waiting for repl in TestIPACommand

The logic of test_reset_password_unlock is twisted.
Currently it's doing:
- reset password on replicas[0]
- wait for replication on master
- kinit on master

The call to wait_for_replication should be done on
replicas[0], not on master, according to the method doc:
    Note that this waits for updates originating on this host, not those
    coming from other hosts.

Fixes: https://pagure.io/freeipa/issue/8975

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Sergey Orlov <sorlov at redhat.com>

- - - - -
d1343e8f by Stanislav Levin at 2021-09-09T07:56:09+02:00
docs: Make use of `text` highlighting

As of 4.9.7 FreeIPA makes use of raw lexer in doc/designs/subordinate-ids.md.

raw alias has been removed in Pygments 2.8.0:
https://pygments.org/docs/changelog/#version-2-8-0
https://github.com/pygments/pygments/pull/1643

This causes the failure of Azure Docs job.

I think that the original goal of `raw` was the disabling of block
highlighting, which can be done with `text` lexer:
https://pygments.org/docs/lexers/#pygments.lexers.special.TextLexer

Fixes: https://pagure.io/freeipa/issue/8985
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
ef58efe7 by Florence Blanc-Renaud at 2021-09-15T09:50:09+02:00
ipatests: fix expected msg in tasks.run_ssh_cmd

OpenSSH 8.7p1 changed the message logged on successful
authentication (see commit 9e1882ef6489a7dd16b6d7794af96629cae61a53).

As a result, the method run_ssh_cmd is failing and needs to be
adapted in order to be compatible with old and new openssh versions.

Fixes: https://pagure.io/freeipa/issue/8989
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dfe94640 by Stanislav Levin at 2021-09-15T12:08:36+02:00
azure: Ignore tar errors

Sometimes tar fails on changed in process files:
```
[2021-09-07 11:03:33] + tar --ignore-failed-read -czf ipaserver_install_logs.tar.gz --warning=no-failed-read /var/log/dirsrv /var/log/httpd2 /var/log/ipa /var/log/ipaclient-install.log /var/log/ipa-custodia.audit.log /var/log/ipaserver-install.log /var/log/krb5kdc.log /var/log/pki /var/log/samba /var/lib/bind/data systemd_journal.log
[2021-09-07 11:03:33] tar: Removing leading `/' from member names
[2021-09-07 11:03:33] tar: Removing leading `/' from hard link targets
[2021-09-07 11:03:33] tar: /var/log/dirsrv/slapd-IPA-TEST/access: file changed as we read it
[2021-09-07 11:03:33] + tests_result=1
```

This is expected failure since processes are not stopped during logs
collection and can flush their logs.

Fixes: https://pagure.io/freeipa/issue/8983
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8fcc0f07 by Stanislav Levin at 2021-09-15T12:10:25+02:00
krb5: Pin kpasswd server to a primary one

There are time gaps in which kinit requests may fail due to
offlined SSSD's locator and replication delays.

Since `IPA` provider or SSSD offline the locator plugin for libkrb5
(man 8 sssd_krb5_locator_plugin) can do nothing about this and kinit
fallbacks to the standard libkrb5 algorithm described in `man 5 krb5.conf`.
`krb5.conf` on IPA server doesn't include `kpasswd_server` and kinit
fallbacks to DNS way. DNS (URI or SRV) RRs don't preserve any order
and kinit may contact either master or replica kpasswd servers.
This may result in a password was changed on a replica but was not
replicated to master:
master(kinit)->master(initial)->replica(kpasswd)->master(can't
obtain initial creds with new password)

So, `kpasswd_server` serves as fallback for the offlined locator.

Note: primary_kdc(the former master_kdc) doesn't help here because
it is only used if the initial credentials obtaining fails (see
`krb5_get_init_creds_password` in libkrb5) and not a password change.

Fixes: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
12ebc658 by Stanislav Levin at 2021-09-15T12:10:25+02:00
ipatests: Log debug messages for locator plugin

SSSD provides Kerberos plugin
> to tell the Kerberos libraries what Realm and which KDC to use.

It's useful to see what is happening during kinit in case of any
issues.

Related: https://pagure.io/freeipa/issue/8353
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
be1e3bbf by Rob Crittenden at 2021-09-16T15:04:41-04:00
Don't store entries with a usercertificate in the LDAP cache

usercertificate often has a subclass and both the plain and
subclassed (binary) values are queried. I'm concerned that
they are used more or less interchangably in places so not
caching these entries is the safest path forward for now until
we can dedicate the time to find all usages, determine their
safety and/or perhaps handle this gracefully within the cache
now.

What we see in this bug is that usercertificate;binary holds the
first certificate value but a user-mod is done with
setattr usercertificate=<new_cert>. Since there is no
usercertificate value (remember, it's usercertificate;binary)
a replace is done and 389-ds wipes the existing value as we've
asked it to.

I'm not comfortable with simply treating them the same because
in LDAP they are not.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
86588640 by Rob Crittenden at 2021-09-16T15:04:41-04:00
ipatests: Test that a user can be issued multiple certificates

Prevent regressions in the LDAP cache layer that caused newly
issued certificates to overwrite existing ones.

https://pagure.io/freeipa/issue/8986

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>
Reviewed-By: Fraser Tweedale <ftweedal at redhat.com>

- - - - -
a9f73007 by Stanislav Levin at 2021-09-21T08:28:41+02:00
schema plugin: Fix commands without metaobject arg

Previously, all the commands of schema plugin derived from
BaseMetaSearch require metaobject as their argument
(by implementation), but the spec for some of them only optionally
asks for search criteria arg. This patch fixes this inconsistency.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
e4839b04 by Stanislav Levin at 2021-09-21T08:28:41+02:00
command_defaults: Don't crash on nonexistent command

It's common for ipa commands to raise NotFound in such a case.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
83405a75 by Stanislav Levin at 2021-09-21T08:28:41+02:00
test_schema_plugin: Drop dependency on Tracker

Tracker is the best for testing plugins dealing with LDAP.
The tests in test_schema_plugin are not used LDAP at all.

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
973334c9 by Stanislav Levin at 2021-09-21T08:28:41+02:00
test_schema_plugin: Add missing tests for command, class and topic commands

Fixes: https://pagure.io/freeipa/issue/8954
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bdf479e8 by Pavel Březina at 2021-09-22T13:02:02+02:00
kdb: fix typo in ipa_kdcpolicy_check_as

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
186497cb by Vit Mojzis at 2021-09-27T11:45:17-04:00
selinux: Fix file context definition for /var/run

There is a file context equivalence rule assigning /run the same
contexts as /var/run. Because of it it's necessary to use /var/run
instead of /run in file context definitions.

See:
https://fedoraproject.org/wiki/SELinux/IndependentPolicy#File_contexts_and_equivalency_rules

Signed-off-by: Vit Mojzis <vmojzis at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
01dfce68 by Florence Blanc-Renaud at 2021-09-29T17:31:26+02:00
ipatests: update expected error message for openssl verify

The test TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation
needs to be adapted with the new error message returned by
openssl verify when the provided certificate file does not exist.
The message changed with openssl3.

Fixes: https://pagure.io/freeipa/issue/8999

- - - - -
fc384b07 by Florence Blanc-Renaud at 2021-09-30T09:08:43+02:00
ipatests: increase sosreport verbosity

With the new version sos-4.2-1, sos report -v prints the
debug messages into sos.log only. In order to see the debug
messages in the console, -vv is needed.
For more info refer to sos report commit
https://github.com/sosreport/sos/commit/1d0729a9dcfe3f3cebb961114c9bc05136cf8cfb

Since the test is looking for messages in stdout, use -vv to
make sure the expected messages are printed in the console.

Fixes: https://pagure.io/freeipa/issue/9000

- - - - -
b706483c by Florence Blanc-Renaud at 2021-10-04T17:47:08+02:00
webui test: close notification after selinux user map update

The test test_undo_refresh_reset_update_cancel is sometimes
failing because a notification obscures the selinuxmap record.

After saving the modification on the record, close any notification
to make sure the test succeeds.

Fixes: https://pagure.io/freeipa/issue/8846
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Anuja More <amore at redhat.com>

- - - - -
e6007669 by Sergey Orlov at 2021-10-05T12:39:40+02:00
ipatests: check for message in sssd log only during actual test action

Get size of the log file immediately before main test action to avoid
capturing messages written to log during environment preparation.

Fixes https://pagure.io/freeipa/issue/8987

Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
bbda3590 by Chris Kelley at 2021-10-08T10:44:58+02:00
Make Dogtag return XML for ipa cert-find

Using JSON by default within Dogtag appears to cause ipa cert-find to
return JSON, when the request was made with XML. We can request that XML
is returned as before by specifying so in the request header.

Fixes: https://pagure.io/freeipa/issue/8980
Signed-off-by: Chris Kelley <ckelley at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
34d6f51f by Florence Blanc-Renaud at 2021-10-08T14:10:46+02:00
ipatests: Update the subca used in TestIPACommand::test_cacert_manage

The above test is installing 2 Let's Encrypt certificates:
the root ISRG Root X1 and a subca. The subca expired Oct 6 and needs to
be replaced with a valid one, otherwise ipa-cacert-manage install
refuses to install it.

Fixes: https://pagure.io/freeipa/issue/9006
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Mohammad Rizwan Yusuf <myusuf at redhat.com>

- - - - -
488fb104 by Stanislav Levin at 2021-10-19T14:01:05-04:00
seccomp profile: Default to ENOSYS instead of EPERM

This allows application to detect whether the kernel supports
syscall or not. Previously, an error was unconditionally EPERM.
There are many issues about glibc failed with new syscalls in containerized
environments if their host run on old kernel.

More about motivation for ENOSYS over EPERM:
https://github.com/opencontainers/runc/issues/2151
https://github.com/opencontainers/runc/pull/2750

See about defaultErrnoRet introduction:
https://github.com/opencontainers/runtime-spec/pull/1087

Previously, FreeIPA profile was vendored from
https://github.com/containers/podman/blob/main/vendor/github.com/containers/common/pkg/seccomp/seccomp.json

Now it is merged directly from
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json

Fixes: https://pagure.io/freeipa/issue/9008
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
8dd788da by Stanislav Levin at 2021-10-21T12:38:25+02:00
azure: Don't customize pip's builddir

As of 21.3 pip:

> Remove the --build-dir option and aliases, one last time. (pypa/pip#10485)

https://pip.pypa.io/en/stable/news/#v21-3

Previous versions warn about deprecation.

The builddir is provided to pip via env variable PIP_BUILD in Tox task.
The purpose of changing of default builddir was noexec mount option for
/tmp in Travis (see 17d571c961). Since Travis is no longer used and
Azure lacks this issue the PIP_BUILD can be safely removed.

Note: pip 21.3 just ignores this env variable, which is more than can be
said for the command line option. It's better to clean it up, since the
behaviour may be changed in future.

This is effectively the revert of 17d571c961.

Fixes: https://pagure.io/freeipa/issue/9011
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
17ba2732 by Michal Polovka at 2021-10-21T12:40:19+02:00
ipatests: webui: Specify configuration loader

Default YAML loader has been deprecated in PyYAML-6.0, specify loader explicitly.

Fixes: https://pagure.io/freeipa/issue/9009

Signed-off-by: Michal Polovka <mpolovka at redhat.com>

- - - - -
82eaa2ea by Florence Blanc-Renaud at 2021-10-21T15:58:19-04:00
ipa-client-samba uninstall: remove tdb files

ipa-client-samba uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.

Fixes: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
6302769b by Florence Blanc-Renaud at 2021-10-21T15:58:19-04:00
ipa-server-install uninstall: remove tdb files

ipa-server-install uninstaller must remove samba *.tdb files
in /var/lib/samba, /var/lib/samba/private and /var/lib/samba/lock.
The current code calls rm on the relative path filename
instead of building an absolute path filename,
resulting in failure to remove the tdb files.

Related: https://pagure.io/freeipa/issue/8687
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b3bee9b5 by Sergey Orlov at 2021-11-01T15:14:05+01:00
ipatests: use AD domain name from config instead of hardcoded value

The test fails when test config contains AD domain value other than one
hardcoded in the test code.

Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
c1baae84 by Rob Crittenden at 2021-11-01T11:51:15-04:00
On redhat-based platforms rely on authselect to enable sudo

The default platform task enable_sssd_sudo() writes directly
to nsswitch.conf to enable sudo. This isn't necessary to do on
systems with authselect where we already pass in with-sudo as a
profile option.

Override the default function with does a direct write with a no-op.

https://pagure.io/freeipa/issue/8755

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
74808447 by Stanislav Levin at 2021-11-01T11:55:13-04:00
ipatests: TestMultipleExternalCA: Create tempfiles on remote host

Previously, `test_master_install_ca1` and `test_master_install_ca2`
attempt to create tempdirs on local host and later write some
content into the returned paths on remote host. This fails if
a remote host is a local one.

The existent `create_temp_file` function has been extended to
support `suffix` option of `mktemp`.

Fixes: https://pagure.io/freeipa/issue/9013
Signed-off-by: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
dd07db29 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
SID generation: define SIDInstallInterface

Move the SID-related options into a separate InstallInterface
(--add-sids, --netbios-name, --rid-base and --secondary-rid-base),
make ADTrustInstallInterface inherit from SIDInstallInterface.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
e527857d by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
Installers: configure sid generation in server/replica installer

ADTRUSTInstance performs only sid configuration when it is
called without --setup-adtrust.

Update man pages for ipa-server-install and ipa-replica-install
with the SID-related options.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a91e6712 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
adtrust install: define constants for rid bases

Define constants for DEFAULT_PRIMARY_RID_BASE = 1000 and
DEFAULT_SECONDARY_RID_BASE = 100000000

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
b98ecabb by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipa config: add --enable-sid option

Add new options to ipa config-mod, allowing to enable
SID generation on upgraded servers:
ipa config-mod --enable-sid --add-sids --netbios-name NAME

The new option uses Dbus to launch an oddjob command,
org.freeipa.server.config-enable-sid
that runs the installation steps related to SID generation.

--add-sids is optional and triggers the sid generation task that
populates SID for existing users / groups.
--netbios-name is optional and allows to specify the NetBIOS Name.
When not provided, the NetBIOS name is generated based on the leading
component of the DNS domain name.

This command can be run multiple times.

Fixes: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
5bb56f91 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: add test ensuring SIDs are generated for new installs

The standard installer now configures all the items needed
for SID generation. Add a new test with the following scenario:
- install IPA server
- create an active user
- ensure the user's entry has an attribute ipantsecurityidentifier
- ensure that the kerberos ticket for the user contains PAC data
by using the utility ipa-print-pac

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
31d095ea by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: interactive install prompts for netbios name

The interactive server installation now prompts for netbios
name confirmation.
Add expected prompt and send response to the installer.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
efc9df08 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: adapt expected output with SID

>From now on, new users/groups automatically get a SID.
Update the expect test outputs.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
86d1683e by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
User lifecycle: ignore SID when moving from preserved to staged

When a preserved user entry is moved to staged state, the SID
attribute must not be provided to user-stage command (the option
does not exist and the SID will be re-generated anyway).

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
c6fd0d00 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: backup-reinstall-restore needs to clear sssd cache

The integration tests that check backup-reinstall-restore
scenario need to clear sssd cache before checking the uid
of the admin user. For instance:
backup: saves the original admin uid
reinstall: creates a new admin uid, potentially cached by SSSD
restore: restores the original admin uid

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9c7e8c66 by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
Webui tests: new idrange now requires base RID

Now that SID are always generated, the creation of a new
local idrange is refused if baserid is missing.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
61f42aef by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
User plugin: do not return the SID on user creation

The SID is not part of the default user attributes and does not
need to be returned in the user-add output.

Related: https://pagure.io/freeipa/issue/8995
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
009a8cdf by Florence Blanc-Renaud at 2021-11-03T11:02:00+01:00
ipatests: update the expected output of user-add cmd

The SID is not expected to be returned by ipa user-add.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Christian Heimes <cheimes at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
331cadd8 by Rob Crittenden at 2021-11-04T09:44:39+01:00
Make the schema cache TTL user-configurable

The API schema is not checked for changes until after a TTL
is expired. A one-hour TTL was hardcoded which makes development
tedious because the only way to force a schema update is to
remember to remove files between invocations.

This adds a new environment variable, schema_ttl, to configure
the TTL returned by the server to schema() calls. This can be
set low to ensure a frequent refresh during development.

If the client is in compat mode, that is if client is working
against a server that doesn't support the schema() command,
then use the client's schema_ttl instead so that the user still
has control.

Re-check validity before writing the cache. This saves us both
a disk write and the possibility of updating the expiration
with a ttl of 0. This can happen if the fingerprint is still
valid (not expired, no language change) the schema check is
skipped so we have no server-provided ttl.

https://pagure.io/freeipa/issue/8492

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Stanislav Levin <slev at altlinux.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
d3edc039 by Mohammad Rizwan at 2021-11-04T09:49:18+01:00
ipatests: remove redundant kinit from test

Fixture issue_and_expire_cert() kinit after moving the date to
expire certs. This fix is to rely on kinit from fixture.

Signed-off-by: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
4c14b8cf by Sumedh Sidhaye at 2021-11-09T10:25:13+01:00
Test to verify if the case of a request for /ca/rest/authority/{id}/cert (or .../chain)

where {id} is an unknown authority ID.

Test Steps:
1. Setup a freeipa server and a replica
2. Stop ipa-custodia service on replica
3. Create a LWCA on the replica
4. Verify LWCA is recognized on the server
5. Run `ipa ca-show <LWCA>`

Signed-off-by: Sumedh Sidhaye <ssidhaye at redhat.com>
Reviewed-By: Mohammad Rizwan <myusuf at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
421e1246 by Florence Blanc-Renaud at 2021-11-10T17:17:19+01:00
ipatests: fix get_user_result method

Because the sidgen plugin is a postop plugin, it is not
always triggered before the result of an ADD is returned
and the objectclasses of the user may / may not contain
ipantuserattrs.
Fix the get_user_result method to work in all the cases.

Related: https://pagure.io/freeipa/issue/8995
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
9ded98b6 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: store SID in the principal entry

If the principal entry in LDAP has SID associated with it, store it to
be able to quickly assess the SID when processing PAC.

Also rename string_to_sid to IPA-specific version as it uses different
prototype than Samba version.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Robert Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
9ecbdd8e by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: enforce SID checks when generating PAC

Check that a domain SID and a user SID in the PAC passed to us are what
they should be for the local realm's principal.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Robert Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
eb5a93dd by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: use entry DN to compare aliased entries in S4U operations

When working with aliased entries, we need a reliable way to detect
whether two principals reference the same database entry. This is
important in S4U checks.

Ideally, we should be using SIDs for these checks as S4U requires PAC
record presence which cannot be issued without a SID associated with an
entry. This is true for user principals and a number of host/service
principals associated with Samba. Other service principals do not have
SIDs because we do not allocate POSIX IDs to them in FreeIPA. When PAC
is issued for these principals, they get SID of a domain computer or
domain controller depending on their placement (IPA client or IPA
server).

Since 389-ds always returns unique entry DN for the same entry, rely on
this value instead. We could have used ipaUniqueID but for Kerberos
principals created through the KDB (kadmin/kdb5_util) we don't have
ipaUniqueID in the entry.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8b5e4961 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: S4U2Proxy target should use a service name without realm

According to new Samba Kerberos tests and [MS-SFU] 3.2.5.2.4
'KDC Replies with Service Ticket', the target should not include the
realm.

Fixes: https://pagure.io/freeipa/issue/9031

Pair-programmed-with: Andreas Schneider <asn at redhat.com>
Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Andreas Schneider <asn at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4cafdac1 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: add support for PAC_UPN_DNS_INFO_EX

CVE-2020-25721 mitigation: KDC must provide the new HAS_SAM_NAME_AND_SID
buffer with sAMAccountName and ObjectSID values associated with the
principal.

The mitigation only works if NDR library supports the
PAC_UPN_DNS_INFO_EX buffer type. In case we cannot detect it at compile
time, a warning will be displayed at configure stage.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
879ef1b1 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: add support for PAC_REQUESTER_SID buffer

CVE-2020-25721 mitigation: KDC must provide the new PAC_REQUESTER_SID
buffer with ObjectSID value associated with the requester's principal..

The mitigation only works if NDR library supports the PAC_REQUESTER_SID
buffer type. In case we cannot detect it at compile time, a warning will
be displayed at configure stage.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
b71467e2 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: add PAC_ATTRIBUTES_INFO PAC buffer support

PAC_ATTRIBUTES_INFO PAC buffer allows both client and KDC to tell
whether a PAC structure was requested by the client or it was provided
by the KDC implicitly. Kerberos service then can continue processing or
deny access in case client explicitly requested to operate without PAC.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
adf5ab73 by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
ipa-kdb: Use proper account flags for Kerberos principal in PAC

As part of CVE-2020-25717 mitigations, Samba expects correct user
account flags in the PAC. This means for services and host principals we
should be using ACB_WSTRUST or ACB_SVRTRUST depending on whether they
run on IPA clients ("workstation" or "domain member") or IPA servers
("domain controller").

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
693c165c by Alexander Bokovoy at 2021-11-11T16:11:05-05:00
SMB: switch IPA domain controller role

As a part of CVE-2020-25717 mitigations, Samba now assumes 'CLASSIC
PRIMARY DOMAIN CONTROLLER' server role does not support Kerberos
operations.  This is the role that IPA domain controller was using for
its hybrid NT4/AD-like operation.

Instead, 'IPA PRIMARY DOMAIN CONTROLLER' server role was introduced in
Samba. Switch to this role for new installations and during the upgrade
of servers running ADTRUST role.

Fixes: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
a95ccd90 by Alexander Bokovoy at 2021-11-15T14:51:24+01:00
ipa-kdb: honor SID from the host or service entry

If the SID was explicitly set for the host or service entry, honor it
when issuing PAC. For normal services and hosts we don't allocate
individual SIDs but for cifs/... principals on domain members we do as
they need to login to Samba domain controller.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
5213c1e4 by Alexander Bokovoy at 2021-11-15T14:51:24+01:00
ipa-kdb: validate domain SID in incoming PAC for trusted domains for S4U

Previously, ipadb_check_logon_info() was called only for cross-realm
case. Now we call it for both in-realm and cross-realm cases. In case of
the S4U2Proxy, we would be passed a PAC of the original caller which
might be a principal from the trusted realm. We cannot validate that PAC
against our local client DB entry because this is the proxy entry which
is guaranteed to have different SID.

In such case, validate the SID of the domain in PAC against our realm
and any trusted doman but skip an additional check of the DB entry in
the S4U2Proxy case.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
8ca5b094 by Florence Blanc-Renaud at 2021-11-18T20:24:03+01:00
ipatests: mark test_installation_TestInstallWithCA_DNS3 as xfail

The test failure is a known issue, happening on f33+. Mark as xfail
until 8700 is fixed.

Related: https://pagure.io/freeipa/issue/8700
Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
c850cd52 by Alexander Bokovoy at 2021-11-18T20:25:24+01:00
freeipa.spec.in: -server subpackage should require samba-client-libs

KDB driver extensively uses NDR parsing and marshalling code provided by
Samba libraries. Since these libraries are internal to Samba, they often
change structures without updating SONAME. Typical changes include
adding new structures, so we should require samba-client-libs we were
built against.

There used to be %requires_eq macros in RPM but it was removed from
Fedora some time ago. We need greater than or equal version of it, thus
%ipa_requires_gt is defined in the spec file.

Related: https://pagure.io/freeipa/issue/9031

Signed-off-by: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
d97250fa by Armando Neto at 2021-11-18T19:59:18-03:00
ipatests: Bump PR-CI latest templates to Fedora 35

Moving 'latest' to Fedora 35 and 'previous' to Fedora 34.

Based on https://github.com/freeipa/freeipa-pr-ci/pull/445.

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
bb5ef716 by Armando Neto at 2021-11-19T22:14:45+01:00
ipatests: Fix UI_driver method after Selenium upgrade

`WebDriver.switch_to_active_element()` was deprecated in favour of
`driver.switch_to.active_element`.

Method was deprecated a long time ago, however deprecation message and
proxy method were removed recently and are not present in latest
version.

https://selenium-python.readthedocs.io/api.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to_active_element
https://www.selenium.dev/selenium/docs/api/py/webdriver_remote/selenium.webdriver.remote.webdriver.html#selenium.webdriver.remote.webdriver.WebDriver.switch_to

Issue: https://pagure.io/freeipa/issue/9029

Signed-off-by: Armando Neto <abiagion at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
76afa643 by François Cami at 2021-11-22T12:35:55+01:00
pwpolicy: change lifetime error message

ipa pwpolicy-mod --minlife $min --maxlife $max
accepts $max >= $min, yet the error message says:
"Maximum password life must be greater than minimum."

Change the error message so that it conveys the
actual logic.

Fixes: https://pagure.io/freeipa/issue/9038
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>

- - - - -
4f5ed837 by Petr Vobornik at 2021-11-22T17:58:20+01:00
fix(webui): create correct PTR record when navigated from host page

In scenario:
1. make sure that reverse zone doesn't have the desired PTR record
2. open host page of the host with matchnig the A record, e.g.: https://server.pvoborni.test/ipa/ui/#/e/host/details/test2.pvoborni.test
3. click on the "Host name" link, it will bring us to it's DNS record page. E.g., https://server.pvoborni.test/ipa/ui/#/e/dnsrecord/details/pvoborni.test&test2
! notice the missing '.' in the URL after zone name (pvoborni.test)
4. click on the A record , dialog will show up, saying "record not found"
5. click on the "create DNS record"

PTR record created by Web UI doesn't have trailing '.' (is not fully
qualified record) even if the DNS zone is.

This patch is fixing the link to the DNS Record page so that the
page then correctly gets the DNS Zone name and thus creates a correct
fully qualified PTR record.

https://bugzilla.redhat.com/show_bug.cgi?id=2009114
https://pagure.io/freeipa/issue/9036

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
a286cd31 by Petr Vobornik at 2021-11-22T17:58:20+01:00
webui tests: remove unnecessary code in add_record

Pkeys are not used anywhere in the method thus can be removed.

Related: https://pagure.io/freeipa/issue/9036

Signed-off-by: Petr Vobornik <pvoborni at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>

- - - - -
1c66226e by Rob Crittenden at 2021-11-23T10:23:09+01:00
Don't limit role-find by hostname when searching for last KRA

The "is this the last KRA" test did a role-find including the
current server. This skewed the result if the server to be
removed has a KRA installed, it would always return "not allowed"
because len(roles) == 1 and the name matched, regardless of
whether other servers also provided a KRA.

https://pagure.io/freeipa/issue/8397

Signed-off-by: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud at redhat.com>

- - - - -
1660cfa3 by Jochen Kellner at 2021-11-23T16:13:00+01:00
Remove duplicate _() in the error path

When running IPA in locale de_DE.UTF-8 I got an internal error:

jochen at freeipa1:~$ ipa server-del freeipa4.example.org
Removing freeipa4.example.org from replication topology, please wait...
ipa: ERROR: Ein interner Fehler ist aufgetreten

This is not the complete messages. Using en_US.UTF-8 would be ok.
In the httpd error_log:

] ipa: ERROR: non-public: TypeError: unhashable type: 'Gettext'
] Traceback (most recent call last):
]   File "/usr/lib/python3.10/site-packags/ipaserver/rpcserver.py", line 407, in wsgi_execute
]     result = command(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 471, in __call__
]     return self.__do_call(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 499, in __do_call
]     ret = self.run(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipalib/frontend.py", line 821, in run
]     return self.execute(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute]     return self.execute(*args, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1686, in execute
]     delete_entry(pkey)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/baseldap.py", line 1637, in delete_entry
]     dn = callback(self, ldap, dn, *nkeys, **options)
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 755, in pre_callback
]     self._ensure_last_of_role(
] File
"/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line
520, in _ensure_last_of_role
]     handler(
]   File "/usr/lib/python3.10/site-packages/ipaserver/plugins/server.py", line 482, in handler
]     raise errors.ServerRemovalError(reason=_(msg))
]   File "/usr/lib/python3.10/site-packages/ipalib/errors.py", line 269, in __init__
]     messages.process_message_arguments(self, format, message, **kw)
]   File "/usr/lib/python3.10/site-packages/ipalib/messages.py", line 55, in process_message_arguments
]     kw[key] = unicode(value)
]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 296, in __str__
]     return unicode(self.as_unicode())
]   File "/usr/lib/python3.10/site-packages/ipalib/text.py", line 293, in as_unicode
]     return t.gettext(self.msg)
]   File "/usr/lib64/python3.10/gettext.py", line 498, in gettext
]     tmsg = self._catalog.get(message, missing)
] TypeError: unhashable type: 'Gettext'
] ipa: INFO: [jsonserver_session] admin at EXAMPLE.ORG:
server_del/1(['freeipa4.example.org'], version='2.245'): InternalError

Alexander suggested to remove _() in local handler() function in
_ensure_last_of_role():

            else:
                raise errors.ServerRemovalError(reason=_(msg))

Looks like all the callers give already gettext-enabled message (wrapped
with _() already).

At least for my case I now get a complete error message.

Fixes: https://pagure.io/freeipa/issue/9046
Signed-off-by: Jochen Kellner <jochen at jochen.org>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>

- - - - -
a9c08073 by Florence Blanc-Renaud at 2021-11-23T17:41:13+01:00
ipatests: remove xfail on f35+ for test_number_of_zones

systemd-resolved fixed the issue on f35+
Related: https://pagure.io/freeipa/issue/8700

Signed-off-by: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Francois Cami <fcami at redhat.com>

- - - - -
f89d59b6 by François Cami at 2021-11-25T18:35:13+01:00
freeipa.spec: depend on bind-dnssec-utils

The OpenDNSSec integration code requires:
/usr/sbin/dnssec-keyfromlabel-pkcs11
which is provided by bind-pkcs11-utils, but that package is
only available on RHEL<9.

With this change, freeipa-server-dns depends on bind-dnssec-utils
on all Fedora releases and RHEL==9+, and uses:
/usr/sbin/dnssec-keyfromlabel -E pkcs11
instead of dnssec-keyfromlabel-pkcs11.

Fixes: https://pagure.io/freeipa/issue/9026
Signed-off-by: François Cami <fcami at redhat.com>
Reviewed-By: Rob Crittenden <rcritten at redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo at redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy at redhat.com>
Reviewed-By: Timo Aaltonen <tjaalton at debian.org>
Reviewed-By: Antonio Torres Moríñigo <antorres at redhat.com>

- - - - -
c587db88 by Antonio Torres at 2021-11-25T18:50:24+01:00
Update translations to FreeIPA ipa-4-9 state

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
b4f9026e by Antonio Torres at 2021-11-25T18:53:53+01:00
Update list of contributors

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -
a9620a5d by Antonio Torres at 2021-11-25T19:17:03+01:00
Become IPA 4.9.8

Signed-off-by: Antonio Torres <antorres at redhat.com>

- - - - -


30 changed files:

- .tox-install.sh
- API.txt
- Contributors.txt
- Makefile.am
- VERSION.m4
- client/man/default.conf.5
- daemons/ipa-kdb/Makefile.am
- daemons/ipa-kdb/ipa_kdb.h
- daemons/ipa-kdb/ipa_kdb_delegation.c
- daemons/ipa-kdb/ipa_kdb_kdcpolicy.c
- daemons/ipa-kdb/ipa_kdb_mspac.c
- daemons/ipa-kdb/ipa_kdb_mspac_private.h
- daemons/ipa-kdb/ipa_kdb_principals.c
- daemons/ipa-kdb/tests/ipa_kdb_tests.c
- daemons/ipa-slapi-plugins/ipa-extdom-extop/ipa_extdom_common.c
- doc/designs/subordinate-ids.md
- freeipa.spec.in
- install/oddjob/Makefile.am
- install/oddjob/etc/oddjobd.conf.d/ipa-server.conf.in
- + install/oddjob/org.freeipa.server.config-enable-sid.in
- install/share/krb5.conf.template
- install/share/smb.conf.registry.template
- install/tools/ipa-adtrust-install.in
- install/tools/man/ipa-replica-install.1
- install/tools/man/ipa-server-install.1
- install/ui/src/freeipa/host.js
- install/ui/src/freeipa/widget.js
- install/updates/10-config.update
- ipaclient/install/ipa_client_samba.py
- ipaclient/remote_plugins/__init__.py


The diff was not included because it is too large.


View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/d2df13d8f0e8b417356fef2af7310b75e46e2699...a9620a5d7171de49f176a9504d1bb32db2d9650e

-- 
View it on GitLab: https://salsa.debian.org/freeipa-team/freeipa/-/compare/d2df13d8f0e8b417356fef2af7310b75e46e2699...a9620a5d7171de49f176a9504d1bb32db2d9650e
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-freeipa-devel/attachments/20211126/f181d030/attachment-0001.htm>


More information about the Pkg-freeipa-devel mailing list